Hello Paul,

Use the HP::Controller_MSM710 type for each AP; HP::MSM is only for a standalone access point without a controller.

Regards
Fabrice


On 2015-07-31 23:10, Polar Geek wrote:

Fabrice,

Here it is in its entirety, although the only relevant entries should be for 10.10.10.2 and 10.10.10.120, and no changes have been made to their setup since the original email.

#
# Copyright (C) 2005-2015 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html

[default]
description=Switches Default Values
vlans=1,2,3,4,5
normalVlan=1
registrationVlan=2
isolationVlan=3
macDetectionVlan=4
voiceVlan=5
inlineVlan=6
inlineTrigger=
normalRole=normal
registrationRole=registration
isolationRole=isolation
macDetectionRole=macDetection
voiceRole=voice
inlineRole=inline
VoIPEnabled=no
VlanMap=Y
RoleMap=Y
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
cliUser=
cliPwd=
cliEnablePwd=
#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion=1
SNMPCommunityRead=public
SNMPCommunityWrite=private
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap=1
SNMPCommunityTrap=public
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
#
# Web Services Interface
#
# wsTransport could be: http or https
wsTransport=http
wsUser=
wsPwd=
#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=

[10.10.10.2]
RoleMap=N
deauthMethod=HTTPS
AccessListMap=N
description=MSM Controller
type=HP::Controller_MSM710
VoIPEnabled=N
radiusSecret=Luther@456
EmployeeVlan=5
Dorm StudentVlan=2
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
EmployeeRegistrationVlan=5
NetAdminVlan=1
registrationVlan=50
voiceVlan=99
cliUser=admin
cliPwd=luthernet4
cliTransport=SSH
cliEnablePwd=luthernet4
mode=production
SNMPCommunityRead=readwrite
SNMPCommunityWrite=readwrite
SNMPVersionTrap=3
SNMPVersion=3
SNMPCommunityTrap=readwrite

[10.10.10.8]
RoleMap=N
EmployeeVlan=5
mode=production
SNMPCommunityWrite=public
cliUser=manager
deauthMethod=Telnet
AccessListMap=N
description=OldGreenRoom
type=HP::Procurve_2500
Dorm StudentVlan=2
macDetectionVlan=4000
cliPwd=luthernet4
Day StudentVlan=2
VoIPEnabled=N
isolationVlan=51
uplink_dynamic=0
SNMPAuthPasswordWrite=luthernet4
SNMPPrivPasswordWrite=luthernet4
cliEnablePwd=luthernet4
uplink=1,2
registrationVlan=50
voiceVlan=99
radiusSecret=Luther@456
NetAdminVlan=1
EmployeeRegistrationVlan=5
guestVlan=51

[10.10.10.15]
RoleMap=N
cliUser=manager
deauthMethod=Telnet
AccessListMap=N
description=New48
type=HP::Procurve_2500
macDetectionVlan=4000
cliPwd=luthernet4
VoIPEnabled=N
isolationVlan=51
uplink_dynamic=0
SNMPAuthPasswordWrite=luthernet4
SNMPPrivPasswordWrite=luthernet4
cliEnablePwd=luthernet4
uplink=1,2,3
registrationVlan=50
voiceVlan=99
mode=production
SNMPCommunityWrite=public
EmployeeVlan=5
Dorm StudentVlan=2
Day StudentVlan=2
radiusSecret=Luther@456
NetAdminVlan=1
EmployeeRegistrationVlan=5
guestVlan=51

[10.10.10.120]
RoleMap=N
controllerIp=10.10.10.2
deauthMethod=RADIUS
AccessListMap=N
description=BasementTemp
type=HP::MSM
VoIPEnabled=N
radiusSecret=Luther@456
mode=production
EmployeeVlan=5
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
registrationVlan=50
voiceVlan=99
Dorm StudentVlan=2
EmployeeRegistrationVlan=5
NetAdminVlan=1

Paul Taylor

IT Support
Luther College High School

*From:* Durand fabrice [mailto:fdur...@inverse.ca]
*Sent:* July 31, 2015 8:50 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue

Can you paste your switches.conf ?

fabrice

On 2015-07-31 22:30, Polar Geek wrote:

    Fabrice,

    As I stated in the original message, the Controller is set in the
    switch configuration; it just appears to be ignoring that setting
    and is still attempting to connect to the AP directly.

    Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3]
    DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)

    Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not
    connect to controller 10.10.10.120 using SSH
    (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)

    Or are you saying that the error message in itself contains an
    error and is attempting to connect to the controller as specified
    but the log still shows the AP ip?

    Paul

    *From:* Durand fabrice [mailto:fdur...@inverse.ca]
    *Sent:* July 31, 2015 8:22 PM
    *To:* packetfence-users@lists.sourceforge.net
    *Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue

    Hi Paul,

    OK, you have a controller, so use it as the controller IP in the
    switch configuration and try:
    su - pf
    ssh admin@controller_ip

    Regards
    Fabrice


    On 2015-07-31 22:14, Polar Geek wrote:

        Fabrice,

        Sorry, I missed your reply until now.

        At any rate, the connection to the AP is refused.

        ssh: connect to host 10.10.10.120 port 22: Connection refused

        I don't think connecting to the AP directly will ever work in
        controlled mode. Per the manual:

        In controlled mode, access to the CLI is possible only before
        the control channel to the controller is established, which can
        occur in the following scenarios:

        - Network failures prevent a control channel from being created.

        - After an AP is restarted, prior to establishment of the
          control channel (during the brief controller discovery process).

        When the AP is in controlled mode, a reduced number of CLI
        commands are available. The most notable command is *switch
        operational mode*, which enables you to switch the AP to
        autonomous mode. The *config* context is not available.

        So the setup really needs to honor the controller IP setting
        and send the commands there, which it does not appear to be doing.

        Thanks,

        Paul

        *From:* Fabrice DURAND [mailto:fdur...@inverse.ca]
        *Sent:* July 30, 2015 6:20 AM
        *To:* packetfence-users@lists.sourceforge.net
        *Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue

        Hello Paul,

        let's do a:
        su - pf
        ssh admin@10.10.10.120
        and accept the key then retry.

        Regards
        Fabrice

        On 2015-07-30 05:19, Polar Geek wrote:

            Hello again,

            Thanks for all the help so far. I'm happily nearly
            completely functional with my initial testing of PF 5.3.1,
            but I've got a couple of remaining issues.

            My wireless infrastructure is an HP MSM760 mobility
            controller with 55 MSM460 access points. Currently I have
            added the controller and the AP on my desk to the system
            for testing. The configuration mostly works except for one
            issue. When I connect a new device to the SSID I have
            configured for MAC authentication, I am successfully
            connected to the captive portal. I can then authorize the
            system and PF appears to be making the necessary changes
            for network access. The problem is that disassociation
            never occurs because the server is ignoring the Controller
            IP Address set in the switch config and is instead
            attempting to connect to the AP directly, which will not
            work as direct SSH connections to the APs are not
            available when the APs are in controlled mode. If I
            manually disconnect/reconnect or restart the device, the
            system works as expected. As you can see from the logs
            below, the PF server is attempting to contact 10.10.10.120
            but should be contacting 10.10.10.2.

            What I believe to be the relevant logs and config file
            excerpts are below.

            Any ideas what I’m missing here?

            Thanks,

            Paul

            ****Initial Connection****

            Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00
            EmployeeDevReg] Found a match
            (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu)
            (pf::Authentication::Source::LDAPSource::match_in_subclass)

            Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule
            (EmployeeDevReg) in source LCHS-DC00, returning actions.
            (pf::Authentication::Source::match)

            Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished
            seting the node up
            (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)

            Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the
            provisioning
            (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)

            Jul 30 02:29:24 httpd.portal(3485) INFO: person
            staffregistration modified to StaffRegistration
            (pf::person::person_modify)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] re-evaluating access (manage_register
            called) (pf::enforcement::reevaluate_access)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] is currentlog connected at
            (10.10.10.120) ifIndex 0 in VLAN 50
            (pf::enforcement::_should_we_reassign_vlan)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] Can't find provisioner
            (pf::vlan::getNormalVlan)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] Can't find scan engine
            (pf::vlan::getNormalVlan)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH.
            Getting role from node_info (pf::vlan::getNormalVlan)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" -
            returning user based role 'EmployeeRegistration'
            (pf::vlan::getNormalVlan)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg
            Returned VLAN: 5, Role: EmployeeRegistration
            (pf::vlan::fetchVlanForNode)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] VLAN reassignment required (current
            VLAN = 50 but should be in VLAN 5)
            (pf::enforcement::_should_we_reassign_vlan)

            Jul 30 02:29:25 httpd.portal(3485) INFO:
            [50:3c:c4:71:25:c3] switch port is (10.10.10.120) ifIndex
            unknown connection type: WiFi MAC Auth
            (pf::enforcement::_vlan_reevaluation)

            Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory
            configuration is not valid anymore for key config::Switch
            in local cached_hash (pfconfig::cached::is_valid)

            Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP
            '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using
            OMAPI (pf::iplog::ip2mac)

            Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP
            '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using
            OMAPI (pf::iplog::ip2mac)

            Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP
            '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using
            OMAPI (pf::iplog::ip2mac)

            Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP
            '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using
            OMAPI (pf::iplog::ip2mac)

            Jul 30 02:29:26 httpd.webservices(2088) INFO:
            [50:3c:c4:71:25:c3] DesAssociating mac on switch
            (10.10.10.120) (pf::api::desAssociate)

            Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can
            not connect to controller 10.10.10.120 using SSH
            (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)

            ****Reconnection****

            Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
            handling radius autz request: from switch_ip =>
            (10.10.10.120), connection_type =>
            Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90),
            mac => [50:3c:c4:71:25:c3], port => 0, username =>
            "503cc47125c3" (pf::radius::authorize)

            Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
            Can't find provisioner (pf::vlan::getNormalVlan)

            Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
            Can't find scan engine (pf::vlan::getNormalVlan)

            Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
            Connection type is WIRELESS_MAC_AUTH. Getting role from
            node_info (pf::vlan::getNormalVlan)

            Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
            Username was defined "503cc47125c3" - returning user based
            role 'EmployeeRegistration' (pf::vlan::getNormalVlan)

            Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
            PID: "staffregistration", Status: reg Returned VLAN: 5,
            Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)

            Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3]
            (10.10.10.120) Returning ACCEPT with VLAN 5 and role
            (pf::Switch::returnRadiusAccessAccept)

            ****Switch.conf****

            [10.10.10.2]
            RoleMap=N
            deauthMethod=HTTPS
            AccessListMap=N
            description=MSM Controller
            type=HP::Controller_MSM710
            VoIPEnabled=N
            radiusSecret=*******
            EmployeeVlan=5
            Dorm StudentVlan=2
            macDetectionVlan=4000
            Day StudentVlan=2
            isolationVlan=51
            EmployeeRegistrationVlan=5
            NetAdminVlan=1
            registrationVlan=50
            voiceVlan=99
            cliUser=admin
            cliPwd=*******
            cliTransport=SSH
            cliEnablePwd=*******
            mode=production
            SNMPCommunityRead=readwrite
            SNMPCommunityWrite=readwrite
            SNMPVersionTrap=3
            SNMPVersion=3
            SNMPCommunityTrap=readwrite

            [10.10.10.120]
            RoleMap=N
            controllerIp=10.10.10.2
            deauthMethod=RADIUS
            AccessListMap=N
            description=BasementTemp
            type=HP::MSM
            VoIPEnabled=N
            radiusSecret=******
            mode=production
            EmployeeVlan=5
            macDetectionVlan=4000
            Day StudentVlan=2
            isolationVlan=51
            registrationVlan=50
            voiceVlan=99
            Dorm StudentVlan=2
            EmployeeRegistrationVlan=5
            NetAdminVlan=1
            cliUser=admin
            cliPwd=*******
            cliEnablePwd=*******
            cliTransport=SSH
            wsPwd=*******
            wsTransport=HTTPS
            wsUser=admin

            _______________________________________________
            PacketFence-users mailing list
            PacketFence-users@lists.sourceforge.net
            https://lists.sourceforge.net/lists/listinfo/packetfence-users

        --
        Fabrice Durand
        fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
        Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
        PacketFence (http://packetfence.org)





        
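As an added example that is not from the thread or from PacketFence itself: a small linter for switches.conf that flags the mistake discussed above (an AP entry typed HP::MSM while it points at a controller through controllerIp, so deauthentication is attempted against the AP instead of the controller) and switches that silently inherit SNMPv1 with the template's public/private community strings from [default]. The sample config is constructed from the thread's paste with credentials and VLAN keys removed; the parser is hand-rolled because the pasted file contains keys with spaces and repeated keys.

```python
"""Added example, not PacketFence code: lint a switches.conf for an AP typed
HP::MSM that sits behind a controller, and for SNMPv1/v2 with public/private."""
import re

# Constructed from the thread's paste; credentials and VLAN keys removed.
SAMPLE_CONF = """\
[default]
SNMPVersion=1
SNMPCommunityRead=public
SNMPCommunityWrite=private
[10.10.10.2]
type=HP::Controller_MSM710
SNMPVersion=3
SNMPCommunityRead=readwrite
SNMPCommunityWrite=readwrite
[10.10.10.120]
type=HP::MSM
controllerIp=10.10.10.2
"""

def parse_switches_conf(text):
    """Minimal INI reader: '#' comments, keys may contain spaces, a repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        header = re.fullmatch(r'\[(.+)\]', line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition('=')
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return sections

def lint(text):
    """Return (switch_ip, finding) tuples; [default] applies unless the switch overrides a key."""
    sections = parse_switches_conf(text)
    findings = []
    for ip, own in sections.items():
        if ip == 'default':
            continue
        cfg = {**sections.get('default', {}), **own}
        # The thread's bug: a controlled-mode AP typed as a standalone MSM.
        if cfg.get('type') == 'HP::MSM' and cfg.get('controllerIp'):
            findings.append((ip, 'HP::MSM is for standalone APs but controllerIp=%s '
                             'is set: use HP::Controller_MSM710' % cfg['controllerIp']))
        # SNMPv1/v2 plus the template's community strings, often inherited unnoticed.
        version = cfg.get('SNMPVersion', '1')
        if version != '3' and {'public', 'private'} & {
                cfg.get('SNMPCommunityRead'), cfg.get('SNMPCommunityWrite')}:
            findings.append((ip, 'SNMPv%s with well-known community strings' % version))
    return findings
```

Run it against a real switches.conf with `lint(open(path).read())`; the controller entry 10.10.10.2 produces no findings, while the AP entry 10.10.10.120 produces both.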