Fabrice, 

Here it is in its entirety, although the only relevant entries should be those for 
10.10.10.2 and 10.10.10.120, which have had no changes made to their setup since the 
original email.

 

#
# Copyright (C) 2005-2015 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html

[default]
description=Switches Default Values
vlans=1,2,3,4,5
normalVlan=1
registrationVlan=2
isolationVlan=3
macDetectionVlan=4
voiceVlan=5
inlineVlan=6
inlineTrigger=
normalRole=normal
registrationRole=registration
isolationRole=isolation
macDetectionRole=macDetection
voiceRole=voice
inlineRole=inline
VoIPEnabled=no
VlanMap=Y
RoleMap=Y
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic

#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
cliUser=
cliPwd=
cliEnablePwd=

#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion=1
SNMPCommunityRead=public
SNMPCommunityWrite=private
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap=1
SNMPCommunityTrap=public
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread

#
# Web Services Interface
#
# wsTransport could be: http or https
wsTransport=http
wsUser=
wsPwd=

#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=

[10.10.10.2]
RoleMap=N
deauthMethod=HTTPS
AccessListMap=N
description=MSM Controller
type=HP::Controller_MSM710
VoIPEnabled=N
radiusSecret=Luther@456
EmployeeVlan=5
Dorm StudentVlan=2
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
EmployeeRegistrationVlan=5
NetAdminVlan=1
registrationVlan=50
voiceVlan=99
cliUser=admin
cliPwd=luthernet4
cliTransport=SSH
cliEnablePwd=luthernet4
mode=production
SNMPCommunityRead=readwrite
SNMPCommunityWrite=readwrite
SNMPVersionTrap=3
SNMPVersion=3
SNMPCommunityTrap=readwrite

[10.10.10.8]
RoleMap=N
EmployeeVlan=5
mode=production
SNMPCommunityWrite=public
cliUser=manager
deauthMethod=Telnet
AccessListMap=N
description=OldGreenRoom
type=HP::Procurve_2500
Dorm StudentVlan=2
macDetectionVlan=4000
cliPwd=luthernet4
Day StudentVlan=2
VoIPEnabled=N
isolationVlan=51
uplink_dynamic=0
SNMPAuthPasswordWrite=luthernet4
SNMPPrivPasswordWrite=luthernet4
cliEnablePwd=luthernet4
uplink=1,2
registrationVlan=50
voiceVlan=99
radiusSecret=Luther@456
NetAdminVlan=1
EmployeeRegistrationVlan=5
guestVlan=51

[10.10.10.15]
RoleMap=N
cliUser=manager
deauthMethod=Telnet
AccessListMap=N
description=New48
type=HP::Procurve_2500
macDetectionVlan=4000
cliPwd=luthernet4
VoIPEnabled=N
isolationVlan=51
uplink_dynamic=0
SNMPAuthPasswordWrite=luthernet4
SNMPPrivPasswordWrite=luthernet4
cliEnablePwd=luthernet4
uplink=1,2,3
registrationVlan=50
voiceVlan=99
mode=production
SNMPCommunityWrite=public
EmployeeVlan=5
Dorm StudentVlan=2
Day StudentVlan=2
radiusSecret=Luther@456
NetAdminVlan=1
EmployeeRegistrationVlan=5
guestVlan=51

[10.10.10.120]
RoleMap=N
controllerIp=10.10.10.2
deauthMethod=RADIUS
AccessListMap=N
description=BasementTemp
type=HP::MSM
VoIPEnabled=N
radiusSecret=Luther@456
mode=production
EmployeeVlan=5
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
registrationVlan=50
voiceVlan=99
Dorm StudentVlan=2
EmployeeRegistrationVlan=5
NetAdminVlan=1

Paul Taylor

IT Support
Luther College High School
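As an added example for this thread (not code from PacketFence or from either poster): a small Python linter for a switches.conf like the one above. It relies on the [default] section supplying inherited values for every switch entry and checks that each HP::MSM access point names a controllerIp that resolves to a defined MSM controller entry (a controlled-mode AP has no reachable CLI, so deauthentication has to go to the controller); it also reports mode=testing and SNMPv1/v2c entries still using the default communities. The sample configuration it parses is constructed, with placeholder secrets.

```python
import configparser

# Constructed sample modelled on the switches.conf posted above; the
# secrets are placeholders, not the values from the list post.
SAMPLE_CONF = """[default]
SNMPVersion=1
SNMPCommunityWrite=private
mode=testing
[10.10.10.2]
type=HP::Controller_MSM710
SNMPVersion=3
mode=production
[10.10.10.120]
type=HP::MSM
controllerIp=10.10.10.2
mode=production
[10.10.10.121]
type=HP::MSM
"""

def load_switches(text: str) -> configparser.ConfigParser:
    # [default] is inherited by every entry; strict=False tolerates duplicated keys like those in the paste.
    cp = configparser.ConfigParser(default_section="default", strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def deauth_target(cp: configparser.ConfigParser, ip: str) -> str:
    # A controlled-mode MSM AP has no reachable CLI, so deauth must go to its controller, not the AP.
    sec = cp[ip]
    if sec.get("type") == "HP::MSM" and sec.get("controllerIp"):
        return sec["controllerIp"]
    return ip

def lint_switches(text: str) -> list:
    cp = load_switches(text)
    out = []
    for ip in cp.sections():
        s = cp[ip]
        if s.get("type") == "HP::MSM":
            ctl = s.get("controllerIp")
            if not ctl:
                out.append(f"{ip}: HP::MSM AP without controllerIp")
            elif ctl not in cp.sections() or not cp[ctl].get("type", "").startswith("HP::Controller"):
                out.append(f"{ip}: controllerIp {ctl} is not a defined MSM controller")
        if s.get("mode") == "testing":
            out.append(f"{ip}: mode=testing, no enforcement")
        if s.get("SNMPVersion") != "3" and s.get("SNMPCommunityWrite") in ("public", "private"):
            out.append(f"{ip}: SNMPv{s.get('SNMPVersion')} with default write community")
    return out
```

Run lint_switches() over the real file (after reading it from disk) to list the entries worth fixing before turning mode=production on.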



 

From: Durand fabrice [mailto:[email protected]] 
Sent: July 31, 2015 8:50 PM
To: [email protected]
Subject: Re: [PacketFence-users] HP MSM DeAuthentication issue

 

Can you paste your switches.conf ?

fabrice



Le 2015-07-31 22:30, Polar Geek a écrit :

Fabrice,

 

As I stated in the original message, the controller is set in the switch 
configuration; it just appears to be ignoring that setting and is still attempting to 
connect to the AP directly.

 

Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)

 

Or are you saying that the error message in itself contains an error and is 
attempting to connect to the controller as specified but the log still shows 
the AP ip?

 

Paul

 

From: Durand fabrice [mailto:[email protected]] 
Sent: July 31, 2015 8:22 PM
To: [email protected]
Subject: Re: [PacketFence-users] HP MSM DeAuthentication issue

 

Hi Paul,

Ok, you have a controller, so use it as the controller IP in the switch 
configuration and try:
su - pf
ssh admin@controller_ip

Regards
Fabrice




Le 2015-07-31 22:14, Polar Geek a écrit :

Fabrice,

Sorry, I missed your reply until now. 

 

At any rate the connection to the AP is refused.

ssh: connect to host 10.10.10.120 port 22: Connection refused

I don't think connecting to the AP directly will ever work in controlled mode. 
Per the manual:

 

In controlled mode, access to the CLI is possible only before the control channel to the 
controller is established, which can occur in the following scenarios:

- Network failures prevent a control channel from being created.
- After an AP is restarted, prior to establishment of the control channel (during the brief 
  controller discovery process).

When the AP is in controlled mode, a reduced number of CLI commands are available. The 
most notable command is switch operational mode, which enables you to switch the AP to 
autonomous mode. The config context is not available.

 

So the setup really needs to honor the controller IP setting and send the 
commands there, which it does not appear to be doing.

 

Thanks,

Paul

 

From: Fabrice DURAND [mailto:[email protected]] 
Sent: July 30, 2015 6:20 AM
To: [email protected]
Subject: Re: [PacketFence-users] HP MSM DeAuthentication issue

 

Hello Paul,

let's do a:
su - pf
ssh [email protected]
and accept the key then retry.

Regards
Fabrice

Le 2015-07-30 05:19, Polar Geek a écrit :

Hello again,

 

Thanks for all the help so far. I'm happily nearly completely functional with 
my initial testing of PF 5.3.1, but I've got a couple of remaining issues.

 

My wireless infrastructure is an HP MSM760 mobility controller with 55 MSM460 
access points. Currently I have added the controller and the AP on my desk to 
the system for testing. The configuration mostly works except for one issue. 
When I connect a new device to the SSID I have configured for 
mac-authentication, I am successfully connected to the captive portal. I can 
then authorize the system and PF appears to be making the necessary changes for 
network access. The problem is that disassociation never occurs because the 
server is ignoring the Controller IP Address set in the switch config and is 
instead attempting to connect to the AP directly, which will not work as 
direct SSH connections to the APs are not available when the APs are in 
controlled mode. If I manually disconnect/reconnect or restart the device the 
system works as expected. As you can see from the logs below, the PF server is 
attempting to contact 10.10.10.120 but should be contacting 10.10.10.2.

What I believe to be the relevant logs and config file excerpts are below. 

 

Any ideas what I'm missing here?

Thanks,

Paul

 

****Initial Connection****

Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00 EmployeeDevReg] Found a match (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule (EmployeeDevReg) in source LCHS-DC00, returning actions. (pf::Authentication::Source::match)
Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished seting the node up (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the provisioning (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
Jul 30 02:29:24 httpd.portal(3485) INFO: person staffregistration modified to StaffRegistration (pf::person::person_modify)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] is currentlog connected at (10.10.10.120) ifIndex 0 in VLAN 50 (pf::enforcement::_should_we_reassign_vlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] VLAN reassignment required (current VLAN = 50 but should be in VLAN 5) (pf::enforcement::_should_we_reassign_vlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] switch port is (10.10.10.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)

 

****Reconnection****

Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] handling radius autz request: from switch_ip => (10.10.10.120), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90), mac => [50:3c:c4:71:25:c3], port => 0, username => "503cc47125c3" (pf::radius::authorize)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] (10.10.10.120) Returning ACCEPT with VLAN 5 and role  (pf::Switch::returnRadiusAccessAccept)

 

****Switch.conf****

[10.10.10.2]
RoleMap=N
deauthMethod=HTTPS
AccessListMap=N
description=MSM Controller
type=HP::Controller_MSM710
VoIPEnabled=N
radiusSecret=*******
EmployeeVlan=5
Dorm StudentVlan=2
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
EmployeeRegistrationVlan=5
NetAdminVlan=1
registrationVlan=50
voiceVlan=99
cliUser=admin
cliPwd=*******
cliTransport=SSH
cliEnablePwd=*******
mode=production
SNMPCommunityRead=readwrite
SNMPCommunityWrite=readwrite
SNMPVersionTrap=3
SNMPVersion=3
SNMPCommunityTrap=readwrite

[10.10.10.120]
RoleMap=N
controllerIp=10.10.10.2
deauthMethod=RADIUS
AccessListMap=N
description=BasementTemp
type=HP::MSM
VoIPEnabled=N
radiusSecret=******
mode=production
EmployeeVlan=5
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
registrationVlan=50
voiceVlan=99
Dorm StudentVlan=2
EmployeeRegistrationVlan=5
NetAdminVlan=1
cliUser=admin
cliPwd=*******
cliEnablePwd=*******
cliTransport=SSH
wsPwd=*******
wsTransport=HTTPS
wsUser=admin


------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
-- 
Fabrice Durand
[email protected]  ::  +1.514.447.4918 (x135)  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)