Hi Paul,
OK, you have a controller, so use it as the controller IP in the switch
configuration.
And try:
su - pf
ssh admin@controller_ip
Regards
Fabrice
On 2015-07-31 22:14, Polar Geek wrote:
Fabrice,
Sorry missed your reply until now.
At any rate the connection to the AP is refused.
ssh: connect to host 10.10.10.120 port 22: Connection refused
I don’t think connecting to the AP directly will ever work in
controlled mode. Per the manual
In controlled mode, access to the CLI is possible only before the control channel to the controller is established, which can occur in the following scenarios:
Network failures prevent a control channel from being created.
After an AP is restarted, prior to establishment of the control channel (during the brief controller discovery process).
When the AP is in controlled mode, a reduced number of CLI commands are available. The most notable command is *switch operational mode*, which enables you to switch the AP to autonomous mode. The *config* context is not available.
So the setup really needs to honor the controller IP setting and send
the commands there, which it does not appear to be doing.
Thanks,
Paul
*From:*Fabrice DURAND [mailto:[email protected]]
*Sent:* July 30, 2015 6:20 AM
*To:* [email protected]
*Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue
Hello Paul,
let's do a:
su - pf
ssh [email protected]
and accept the key then retry.
Regards
Fabrice
On 2015-07-30 05:19, Polar Geek wrote:
Hello again,
Thanks for all the help so far. I’m happily nearly completely
functional with my initial testing of PF 5.3.1 but I’ve got a
couple remaining issues.
My wireless infrastructure is an HP MSM760 mobility control with
55 MSM460 access points. Currently I have added the controller and
the AP on my desk to the system for testing. The configuration
mostly works except for one issue. When I connect a new device to
the SSID I have configured for mac-authentication, I am
successfully connected to the captive portal. I can then authorize
the system and PF appears to be making the necessary changes for
network access. The problem is that disassociation never occurs
because the server is ignoring the Controller IP Address set in
the switch config and is instead attempting to connect to the AP
directly, which will not work as direct SSH connections to the
APs are not available when the APs are in controlled mode. If I
manually disconnect/reconnect or restart the device the system
works as expected. As you can see from the logs below the PF
server is attempting to contact 10.10.10.120 but should be
contacting 10.10.10.2.
What I believe to be the relevant logs and config file excerpts
are below.
Any ideas what I’m missing here?
Thanks,
Paul
****Initial Connection****
Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00 EmployeeDevReg] Found a match (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule (EmployeeDevReg) in source LCHS-DC00, returning actions. (pf::Authentication::Source::match)
Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished seting the node up (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the provisioning (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
Jul 30 02:29:24 httpd.portal(3485) INFO: person staffregistration modified to StaffRegistration (pf::person::person_modify)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] is currentlog connected at (10.10.10.120) ifIndex 0 in VLAN 50 (pf::enforcement::_should_we_reassign_vlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] VLAN reassignment required (current VLAN = 50 but should be in VLAN 5) (pf::enforcement::_should_we_reassign_vlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] switch port is (10.10.10.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)
****Reconnection****
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] handling radius autz request: from switch_ip => (10.10.10.120), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90), mac => [50:3c:c4:71:25:c3], port => 0, username => "503cc47125c3" (pf::radius::authorize)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] (10.10.10.120) Returning ACCEPT with VLAN 5 and role (pf::Switch::returnRadiusAccessAccept)
****Switch.conf****
[10.10.10.2]
RoleMap=N
deauthMethod=HTTPS
AccessListMap=N
description=MSM Controller
type=HP::Controller_MSM710
VoIPEnabled=N
radiusSecret=*******
EmployeeVlan=5
Dorm StudentVlan=2
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
EmployeeRegistrationVlan=5
NetAdminVlan=1
registrationVlan=50
voiceVlan=99
cliUser=admin
cliPwd=*******
cliTransport=SSH
cliEnablePwd=*******
mode=production
SNMPCommunityRead=readwrite
SNMPCommunityWrite=readwrite
SNMPVersionTrap=3
SNMPVersion=3
SNMPCommunityTrap=readwrite
[10.10.10.120]
RoleMap=N
controllerIp=10.10.10.2
deauthMethod=RADIUS
AccessListMap=N
description=BasementTemp
type=HP::MSM
VoIPEnabled=N
radiusSecret=******
mode=production
EmployeeVlan=5
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
registrationVlan=50
voiceVlan=99
Dorm StudentVlan=2
EmployeeRegistrationVlan=5
NetAdminVlan=1
cliUser=admin
cliPwd=*******
cliEnablePwd=*******
cliTransport=SSH
wsPwd=*******
wsTransport=HTTPS
wsUser=admin
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x135)
::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
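The mismatch diagnosed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not PacketFence code: it cross-references "Can not connect to controller ... using SSH" errors against the `controllerIp` set for that device in switches.conf. The sample config and log lines are constructed (condensed from the excerpts above), and the function names are hypothetical.

```python
import configparser
import re

# Constructed samples, condensed from the switches.conf and log excerpts above.
SWITCHES_CONF = """\
[10.10.10.2]
type=HP::Controller_MSM710
deauthMethod=HTTPS

[10.10.10.120]
type=HP::MSM
controllerIp=10.10.10.2
deauthMethod=RADIUS
"""
LOG_LINES = [
    "Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] "
    "DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)",
    "Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to "
    "controller 10.10.10.120 using SSH "
    "(pf::Switch::HP::MSM::_deauthenticateMacWithSSH)",
]
SSH_FAIL = re.compile(r"Can not connect to controller (\S+) using SSH")


def load_switches(text):
    """Parse switches.conf-style INI text into {switch_ip: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (controllerIp, deauthMethod)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def find_controller_mismatches(conf_text, log_lines):
    """Report SSH deauth failures aimed at a device that names another controllerIp."""
    switches = load_switches(conf_text)
    findings = []
    for line in log_lines:
        match = SSH_FAIL.search(line)
        if not match:
            continue
        attempted = match.group(1)
        entry = switches.get(attempted, {})
        controller = entry.get("controllerIp")
        if controller and controller != attempted:
            findings.append({
                "attempted": attempted,
                "configured_controller": controller,
                "deauthMethod": entry.get("deauthMethod"),
            })
    return findings
```

Each finding also carries the entry's configured `deauthMethod`, so it can be compared with the SSH path named in the error line.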