Hello Paul,

let's do a:

    su - pf
    ssh [email protected]

and accept the key then retry.

Regards
Fabrice

On 2015-07-30 05:19, Polar Geek wrote:
> Hello again,
>
> Thanks for all the help so far. I’m happily nearly completely functional with my initial testing of PF 5.3.1 but I’ve got a couple remaining issues.
>
> My wireless infrastructure is an HP MSM760 mobility control with 55 MSM460 access points. Currently I have added the controller and the AP on my desk to the system for testing. The configuration mostly works except for one issue. When I connect a new device to the SSID I have configured for mac-authentication, I am successfully connected to the captive portal. I can then authorize the system and PF appears to be making the necessary changes for network access. The problem is that disassociation never occurs because the server is ignoring the Controller IP Address set in the switch config and is instead attempting to connect to the AP directly, which will not work as direct SSH connections to the APs are not available when the APs are in controlled mode. If I manually disconnect/reconnect or restart the device the system works as expected. As you can see from the logs below the PF server is attempting to contact 10.10.10.120 but should be contacting 10.10.10.2.
>
> What I believe to be the relevant logs and config file excerpts are below.
>
> Any ideas what I’m missing here?
>
> Thanks,
>
> Paul
>
> ****Initial Connection****
>
> Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00 EmployeeDevReg] Found a match (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu) (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule (EmployeeDevReg) in source LCHS-DC00, returning actions. (pf::Authentication::Source::match)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished seting the node up (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the provisioning (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
> Jul 30 02:29:24 httpd.portal(3485) INFO: person staffregistration modified to StaffRegistration (pf::person::person_modify)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] is currentlog connected at (10.10.10.120) ifIndex 0 in VLAN 50 (pf::enforcement::_should_we_reassign_vlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] VLAN reassignment required (current VLAN = 50 but should be in VLAN 5) (pf::enforcement::_should_we_reassign_vlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] switch port is (10.10.10.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
> Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
> Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
> Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)
>
> ****Reconnection****
>
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] handling radius autz request: from switch_ip => (10.10.10.120), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90), mac => [50:3c:c4:71:25:c3], port => 0, username => "503cc47125c3" (pf::radius::authorize)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] (10.10.10.120) Returning ACCEPT with VLAN 5 and role (pf::Switch::returnRadiusAccessAccept)
>
> ****Switch.conf****
>
> [10.10.10.2]
> RoleMap=N
> deauthMethod=HTTPS
> AccessListMap=N
> description=MSM Controller
> type=HP::Controller_MSM710
> VoIPEnabled=N
> radiusSecret=*******
> EmployeeVlan=5
> Dorm StudentVlan=2
> macDetectionVlan=4000
> Day StudentVlan=2
> isolationVlan=51
> EmployeeRegistrationVlan=5
> NetAdminVlan=1
> registrationVlan=50
> voiceVlan=99
> cliUser=admin
> cliPwd=*******
> cliTransport=SSH
> cliEnablePwd=*******
> mode=production
> SNMPCommunityRead=readwrite
> SNMPCommunityWrite=readwrite
> SNMPVersionTrap=3
> SNMPVersion=3
> SNMPCommunityTrap=readwrite
>
> [10.10.10.120]
> RoleMap=N
> controllerIp=10.10.10.2
> deauthMethod=RADIUS
> AccessListMap=N
> description=BasementTemp
> type=HP::MSM
> VoIPEnabled=N
> radiusSecret=******
> mode=production
> EmployeeVlan=5
> macDetectionVlan=4000
> Day StudentVlan=2
> isolationVlan=51
> registrationVlan=50
> voiceVlan=99
> Dorm StudentVlan=2
> EmployeeRegistrationVlan=5
> NetAdminVlan=1
> cliUser=admin
> cliPwd=*******
> cliEnablePwd=*******
> cliTransport=SSH
> wsPwd=*******
> wsTransport=HTTPS
> wsUser=admin
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
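Added example (not part of either message above, and not PacketFence code): a cross-check of the quoted switch configuration against the quoted log, reporting SSH deauthentication failures aimed at a device whose own entry names a different controllerIp. The function names are hypothetical; the sample data is trimmed from the excerpts in the thread.

```python
import configparser
import re

# Trimmed from the switch config quoted in the thread (secrets and VLAN keys omitted).
SWITCHES_CONF = """\
[10.10.10.2]
description=MSM Controller
type=HP::Controller_MSM710
deauthMethod=HTTPS

[10.10.10.120]
description=BasementTemp
type=HP::MSM
controllerIp=10.10.10.2
deauthMethod=RADIUS
"""

# Two log entries from the thread, each joined back onto one line.
LOG = """\
Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)
"""

SSH_FAIL = re.compile(r"ERROR: Can not connect to controller (\S+) using SSH")


def load_switches(text):
    """Parse switch sections into {section_ip: {key: value}}."""
    # '=' only, so keys containing spaces ("Day StudentVlan") parse; no '%' interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case (controllerIp, deauthMethod)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def deauth_target_mismatches(conf_text, log_text):
    """Return SSH deauth failures aimed at a device that has a different controllerIp."""
    switches = load_switches(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if not m:
            continue
        contacted = m.group(1)
        entry = switches.get(contacted, {})
        controller = entry.get("controllerIp")
        if controller and controller != contacted:
            findings.append({"contacted": contacted, "controllerIp": controller,
                             "deauthMethod": entry.get("deauthMethod")})
    return findings
```

On the thread's data this reports one finding: the SSH attempt went to 10.10.10.120 although that entry sets controllerIp=10.10.10.2 and deauthMethod=RADIUS.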
