We have a 2504 running 7.0.252.0 and now the 5508 running 8.0.120.0 code.  Both 
controllers are using PacketFence.

All of the other settings you mentioned checking are good as far as I can tell.

We don't have IP helper in use on the registration VLAN since our PacketFence 
machine has a NIC directly in that VLAN.

On the SSID, we have WPA2 and 802.1X configured.  It's working OK this way on 
the 2504, so we set the 5508 up in the same fashion.



On PacketFence, under the Roles tab on the switch configuration screen, there 
was the value "registration" in the Registration field under the "Role mapping 
by switch role" section.  This evening during a maintenance period we removed 
this text, and now the unregistered devices are able to connect OK thru the 
5508.  Also, everything appears to be working normally on the 2504.  So I 
think we fixed the 5508 connectivity and I don't think we broke anything else.

The only side effect has been some warning messages in the packetfence.log file.

Aug 04 18:01:07 pf::WebAPI(7005) WARN: No parameter registrationRole found in conf/switches.conf for the switch 10.10.0.xxx (pf::Switch::getRoleByName)

I'm not seeing anything in the documentation that shows how to disable the 
"roles by name" section entirely.  I'll spend some more time tomorrow looking 
into that.



So the Cisco engineer's suggestion to have PacketFence not send the "Airespace 
/ ACL-Name" attribute appears to have been a good fix.  I just wasn't sure how 
to turn it off until I thought about removing that "registration" text from 
the "roles by name" section.

It appears that the Cisco 7.0.252.0 (and older) software silently ignores the 
"Airespace / ACL-Name" attribute when it's not needed, whereas the newer 
software (including the 7.4, 7.6, and 8.0 trains) does not ignore it.



Thanks for your reply!
--- Jason





On 8/4/2015 1:05 PM, Tedder, Eric wrote:
> I run a 5508 and 4404 with Vlan management and radius authentication. I have 
> no problems.
> I am currently running 8.0.120.0 on the 5508. Please describe your setup.
>
> Config on the 5508 should be
> Define all the vlans that you want to use in the interface section of the 
> controller
> Make sure that your iphelper for your registration network is the PF server 
> (this is done on the core switch for my site)
>
>
> On the ssid you need to set security for layer 2 to none and Mac Filtering 
> needs to be checked.
> For aaa servers set the packetfence server as auth and accounting.
> Set the order for auth to radius only on the ssid.
> In Advanced make sure to allow aaa override
> For radius I use "AP eth mac address:ssid" and delimiter is Colon
>
>
> On the PF side of things you need to make sure that you are defining the 
> switch vlans-ids and not switch roles for your (switches/controller)
> Then make sure that your radius passphrase is not longer than 15 characters 
> as this has caused me issues in the past.
>
> I believe I am running PF version 4.7
>
> Thanks
> Eric
>
> -----Original Message-----
> From: Jason Skretta [mailto:[email protected]]
> Sent: Tuesday, August 04, 2015 12:29 PM
> To: [email protected]
> Subject: [PacketFence-users] Device connection problems with Cisco 5508
>
> Hi all,
>
> I'm having some difficulty integrating a Cisco 5508 with PacketFence.  It's 
> running 8.0.120.0 WLC software.
>
> The main problem is when a device is not registered, then it is unable to 
> connect to the WLAN through the 5508.  A registered device is able to connect 
> to the WLAN just fine.  On our production equipment, a non-registered device 
> is able to connect to the WLAN just fine.  After a non-registered device gets 
> connected, then we go through the registration process with no problems.
>
> I've been working with a Cisco engineer, and we tried changing several 
> things.  The Cisco engineer had decided that I need to make PacketFence not 
> send the "Airespace / ACL-Name" attribute during the RADIUS exchange.
>
> I'm not certain where to make this change.  Is someone able to offer some 
> guidance on how to make this kind of change to PacketFence?
>
>
> Thanks,
> Jason Skretta
> AmesLab Information Systems
> [email protected]
> 515-294-5090
>
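
Added example, not part of the original messages and not PacketFence code: a small audit of a switches.conf-style file for the two settings this thread ties to failed associations, a non-empty registrationRole (removed above to stop the ACL name being sent) and a RADIUS secret longer than 15 characters. The INI layout, the inheriting [default] section, the radiusSecret and description key names, and all sample values are assumptions.

```python
import configparser

# Constructed sample in an assumed conf/switches.conf layout. Addresses,
# secrets and the [default] inheritance are illustrative, not from the thread.
SAMPLE = """
[default]
registrationRole = registration

[192.0.2.10]
description = WLC 2504
radiusSecret = shortsecret

[192.0.2.20]
description = WLC 5508
radiusSecret = averyveryverylongsecret
registrationRole =
"""

MAX_SECRET_LEN = 15  # length reported as troublesome in the thread


def audit(text):
    """Return {switch: [notes]} for entries that match either condition."""
    cp = configparser.ConfigParser(default_section="default",
                                   interpolation=None)
    cp.optionxform = str  # keep key case, e.g. registrationRole
    cp.read_string(text)
    findings = {}
    for switch in cp.sections():
        notes = []
        # A value set in [default] is inherited unless the switch overrides
        # it, so an empty override is what actually clears the role.
        role = cp.get(switch, "registrationRole", fallback="").strip()
        if role:
            notes.append(f"registrationRole={role!r} is set (a role/ACL "
                         "name is returned for unregistered devices)")
        secret = cp.get(switch, "radiusSecret", fallback="")
        if len(secret) > MAX_SECRET_LEN:
            # Report only the length, never the secret itself.
            notes.append(f"radiusSecret is {len(secret)} characters "
                         f"(over {MAX_SECRET_LEN})")
        if notes:
            findings[switch] = notes
    return findings


if __name__ == "__main__":
    for switch, notes in audit(SAMPLE).items():
        for note in notes:
            print(f"{switch}: {note}")
```
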

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
