Can you paste your switches.conf?

fabrice


On 2015-07-31 22:30, Polar Geek wrote:

Fabrice,

As I stated in the original message, the Controller is set in the switch configuration; it just appears to be ignoring that setting and is still attempting to connect to the AP directly.

Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)

Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)

Or are you saying that the error message in itself contains an error and is attempting to connect to the controller as specified but the log still shows the AP ip?

Paul

*From:*Durand fabrice [mailto:[email protected]]
*Sent:* July 31, 2015 8:22 PM
*To:* [email protected]
*Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue

Hi Paul,

OK, you have a controller, so use it as the controller IP in the switch configuration.
And try:
su - pf
ssh admin@controller_ip

Regards
Fabrice

On 2015-07-31 22:14, Polar Geek wrote:

    Fabrice,

    Sorry missed your reply until now.

    At any rate the connection to the AP is refused.

    ssh: connect to host 10.10.10.120 port 22: Connection refused

    I don’t think connecting to the AP directly will ever work in
    controlled mode. Per the manual:

    In controlled mode, access to the CLI is possible only before the
    control channel to the controller is established, which can occur
    in the following scenarios:

    - Network failures prevent a control channel from being created.
    - After an AP is restarted, prior to establishment of the control
      channel (during the brief controller discovery process).

    When the AP is in controlled mode, a reduced number of CLI
    commands are available. The most notable command is
    *switch operational mode*, which enables you to switch the AP to
    autonomous mode. The *config* context is not available.

    So the setup really needs to honor the controller IP setting and
    send the commands there, which it does not appear to be doing.

    Thanks,

    Paul

    *From:*Fabrice DURAND [mailto:[email protected]]
    *Sent:* July 30, 2015 6:20 AM
    *To:* [email protected]
    *Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue

    Hello Paul,

    let's do a:
    su - pf
    ssh [email protected]
    and accept the key then retry.

    Regards
    Fabrice

    On 2015-07-30 05:19, Polar Geek wrote:

        Hello again,

        Thanks for all the help so far. I’m happily nearly completely
        functional with my initial testing of PF 5.3.1 but I’ve got a
        couple remaining issues.

        My wireless infrastructure is an HP MSM760 mobility control
        with 55 MSM460 access points. Currently I have added the
        controller and the AP on my desk to the system for testing.
        The configuration mostly works except for one issue. When I
        connect a new device to the SSID I have configured for
        mac-authentication, I am successfully connected to the captive
        portal. I can then authorize the system and PF appears to be
        making the necessary changes for network access. The problem
        is that disassociation never occurs because the server is
        ignoring the Controller IP Address set in the switch config
        and is instead attempting to connect to the AP directly, which
        will not work as direct SSH connections to the APs are
        not available when the APs are in controlled mode. If I
        manually disconnect/reconnect or restart the device, the system
        works as expected. As you can see from the logs below, the PF
        server is attempting to contact 10.10.10.120 but should be
        contacting 10.10.10.2.

        What I believe to be the relevant logs and config file
        excerpts are below.

        Any ideas what I’m missing here?

        Thanks,

        Paul

        ****Initial Connection****

        Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00
        EmployeeDevReg] Found a match
        (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu)
        (pf::Authentication::Source::LDAPSource::match_in_subclass)

        Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule
        (EmployeeDevReg) in source LCHS-DC00, returning actions.
        (pf::Authentication::Source::match)

        Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished seting
        the node up
        (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)

        Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the
        provisioning
        (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)

        Jul 30 02:29:24 httpd.portal(3485) INFO: person
        staffregistration modified to StaffRegistration
        (pf::person::person_modify)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        re-evaluating access (manage_register called)
        (pf::enforcement::reevaluate_access)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        is currentlog connected at (10.10.10.120) ifIndex 0 in VLAN 50
        (pf::enforcement::_should_we_reassign_vlan)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        Can't find provisioner (pf::vlan::getNormalVlan)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        Can't find scan engine (pf::vlan::getNormalVlan)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        Connection type is WIRELESS_MAC_AUTH. Getting role from
        node_info (pf::vlan::getNormalVlan)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        Username was defined "503cc47125c3" - returning user based
        role 'EmployeeRegistration' (pf::vlan::getNormalVlan)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        PID: "staffregistration", Status: reg Returned VLAN: 5, Role:
        EmployeeRegistration (pf::vlan::fetchVlanForNode)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        VLAN reassignment required (current VLAN = 50 but should be in
        VLAN 5) (pf::enforcement::_should_we_reassign_vlan)

        Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3]
        switch port is (10.10.10.120) ifIndex unknown connection type:
        WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)

        Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory
        configuration is not valid anymore for key config::Switch in
        local cached_hash (pfconfig::cached::is_valid)

        Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP
        '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI
        (pf::iplog::ip2mac)

        Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP
        '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI
        (pf::iplog::ip2mac)

        Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP
        '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI
        (pf::iplog::ip2mac)

        Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP
        '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI
        (pf::iplog::ip2mac)

        Jul 30 02:29:26 httpd.webservices(2088) INFO:
        [50:3c:c4:71:25:c3] DesAssociating mac on switch
        (10.10.10.120) (pf::api::desAssociate)

        Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not
        connect to controller 10.10.10.120 using SSH
        (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)

        ****Reconnection****

        Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
        handling radius autz request: from switch_ip =>
        (10.10.10.120), connection_type =>
        Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90), mac
        => [50:3c:c4:71:25:c3], port => 0, username => "503cc47125c3"
        (pf::radius::authorize)

        Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
        Can't find provisioner (pf::vlan::getNormalVlan)

        Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
        Can't find scan engine (pf::vlan::getNormalVlan)

        Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
        Connection type is WIRELESS_MAC_AUTH. Getting role from
        node_info (pf::vlan::getNormalVlan)

        Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
        Username was defined "503cc47125c3" - returning user based
        role 'EmployeeRegistration' (pf::vlan::getNormalVlan)

        Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] PID:
        "staffregistration", Status: reg Returned VLAN: 5, Role:
        EmployeeRegistration (pf::vlan::fetchVlanForNode)

        Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
        (10.10.10.120) Returning ACCEPT with VLAN 5 and role
        (pf::Switch::returnRadiusAccessAccept)

        ****Switch.conf****

        [10.10.10.2]

        RoleMap=N

        deauthMethod=HTTPS

        AccessListMap=N

        description=MSM Controller

        type=HP::Controller_MSM710

        VoIPEnabled=N

        radiusSecret=*******

        EmployeeVlan=5

        Dorm StudentVlan=2

        macDetectionVlan=4000

        Day StudentVlan=2

        isolationVlan=51

        EmployeeRegistrationVlan=5

        NetAdminVlan=1

        registrationVlan=50

        voiceVlan=99

        cliUser=admin

        cliPwd=*******

        cliTransport=SSH

        cliEnablePwd=*******

        mode=production

        SNMPCommunityRead=readwrite

        SNMPCommunityWrite=readwrite

        SNMPVersionTrap=3

        SNMPVersion=3

        SNMPCommunityTrap=readwrite

        [10.10.10.120]

        RoleMap=N

        controllerIp=10.10.10.2

        deauthMethod=RADIUS

        AccessListMap=N

        description=BasementTemp

        type=HP::MSM

        VoIPEnabled=N

        radiusSecret=******

        mode=production

        EmployeeVlan=5

        macDetectionVlan=4000

        Day StudentVlan=2

        isolationVlan=51

        registrationVlan=50

        voiceVlan=99

        Dorm StudentVlan=2

        EmployeeRegistrationVlan=5

        NetAdminVlan=1

        cliUser=admin

        cliPwd=*******

        cliEnablePwd=*******

        cliTransport=SSH

        wsPwd=*******

        wsTransport=HTTPS

        wsUser=admin





        
------------------------------------------------------------------------------





        _______________________________________________

        PacketFence-users mailing list

        [email protected]  
<mailto:[email protected]>

        https://lists.sourceforge.net/lists/listinfo/packetfence-users





--
    Fabrice Durand

    [email protected]  <mailto:[email protected]>  ::  +1.514.447.4918 (x135) 
::www.inverse.ca  <http://www.inverse.ca>

    Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




    
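The mismatch reported in this thread can be checked mechanically. The following is an added example, not part of the thread and not PacketFence code: it parses a trimmed copy of the quoted switches.conf and flags log lines where an SSH deauthentication was attempted against an AP whose entry names a different `controllerIp`. The helper names and the rule "deauth should go to `controllerIp` when set" are assumptions taken from the poster's expectation.

```python
import configparser
import re

# Constructed sample: trimmed from the switches.conf quoted in the thread.
SWITCHES_CONF = """
[10.10.10.2]
description=MSM Controller
type=HP::Controller_MSM710
deauthMethod=HTTPS

[10.10.10.120]
description=BasementTemp
type=HP::MSM
controllerIp=10.10.10.2
deauthMethod=RADIUS
cliTransport=SSH
"""

# Constructed sample: the two log lines quoted in the thread.
LOG_LINES = [
    "Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] "
    "DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)",
    "Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to "
    "controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)",
]

SSH_FAIL = re.compile(r"Can not connect to controller (\S+) using SSH")

def load_switches(text):
    """Parse switches.conf text into {section_ip: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (controllerIp, deauthMethod)
    cp.read_string(text)
    return {ip: dict(cp[ip]) for ip in cp.sections()}

def expected_target(switches, ip):
    """Assumption: deauth should go to controllerIp when one is set."""
    return switches.get(ip, {}).get("controllerIp", ip)

def find_mismatches(switches, lines):
    """Return (contacted_ip, expected_ip, configured_deauthMethod) per bad line."""
    out = []
    for line in lines:
        m = SSH_FAIL.search(line)
        if m and expected_target(switches, m.group(1)) != m.group(1):
            ip = m.group(1)
            out.append((ip, switches[ip]["controllerIp"], switches[ip].get("deauthMethod")))
    return out

if __name__ == "__main__":
    for ip, want, method in find_mismatches(load_switches(SWITCHES_CONF), LOG_LINES):
        print(f"SSH deauth went to {ip}; config expects {want} (deauthMethod={method})")
```

On the thread's data this reports one line: the SSH attempt went to 10.10.10.120 although that entry sets `controllerIp=10.10.10.2` and `deauthMethod=RADIUS`.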