Hi all,
I'm getting reports of users being briefly disconnected from the wireless
network every few minutes, which is something that didn't use to happen when
users were connected to another SSID using exactly the same hardware (Cisco
WLC). I'm wondering if it's something like RADIUS authorization, as we see it
on not just our dot1x SSID, but our SSID that is MAC-authenticated through PF's
device registration setup.
According to users it's around every 5 minutes; however, looking at some logs
for one client using the mac_auth network I can see it seems to re-auth every
11/12 minutes. Log snippet below:
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find
provisioner (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678",
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1)
Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz
request: from switch_ip => (192.168.1.1), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac =>
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a"
(pf::radius::authorize)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678",
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1)
Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz
request: from switch_ip => (192.168.1.1), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac =>
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a"
(pf::radius::authorize)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678",
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1)
Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz
request: from switch_ip => (192.168.1.1), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac =>
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a"
(pf::radius::authorize)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678",
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1)
Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz
request: from switch_ip => (192.168.1.1), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac =>
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a"
(pf::radius::authorize)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678",
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1)
Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:55:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz
request: from switch_ip => (192.168.1.1), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac =>
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a"
(pf::radius::authorize)
Nov 09 12:55:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:55:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:55:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:55:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678",
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:55:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1)
Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Is this something that is configurable so that I can try changing it and see if
it is what's causing these brief interruptions?
The session-timeout variable on the WLC is set to 1800 seconds.
Cheers,
Andi
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
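
Added example (not part of the original post and not PacketFence code): a short script that measures the gap between consecutive RADIUS ACCEPTs per MAC in log lines of the format shown above and compares each gap with the 1800-second WLC session-timeout the post mentions. The sample input is the post's ACCEPT entries unwrapped onto single lines plus one other entry; the function names and the `year` parameter are assumptions of this example.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: the post's ACCEPT entries unwrapped to one line each,
# plus one unrelated entry to show that other lines are ignored.
SAMPLE_LOG = """\
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find provisioner (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:55:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role (pf::Switch::returnRadiusAccessAccept)
"""

ACCEPT_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ INFO: "
    r"\[((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] .*Returning ACCEPT"
)

def reauth_intervals(log_text, year=2000):
    """Map each MAC to the seconds between its consecutive RADIUS ACCEPTs."""
    last_seen, intervals = {}, {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        # The log timestamps carry no year; `year` is an assumed value.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        mac = m.group(2)
        if mac in last_seen:
            gap = int((ts - last_seen[mac]).total_seconds())
            intervals.setdefault(mac, []).append(gap)
        last_seen[mac] = ts
    return intervals

def summarize(intervals, session_timeout=1800):
    """Per-MAC gap statistics, compared against the WLC session-timeout."""
    return {
        mac: {
            "min": min(gaps), "median": median(gaps), "max": max(gaps),
            "shorter_than_timeout": sum(g < session_timeout for g in gaps),
        }
        for mac, gaps in intervals.items()
    }

if __name__ == "__main__":
    print(summarize(reauth_intervals(SAMPLE_LOG)))
```

Every gap in the sample is well under 1800 seconds, so the re-authentications in this log are not being driven by that timer alone.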