Hi Umberto,

The RADIUS request seems fine.

Can you reach the portal page? Try manually entering the URL redirect address in 
the browser on the client.

Also, can you make sure the option 'NAC State' in the 'Advanced' tab of the SSID 
configuration is set to 'Radius NAC'?

Thanks,

On Thursday, December 10, 2015 07:32 EST, Umberto Ciocca 
<[email protected]> wrote:
Hi Antoine,
I created two ACLs:
- Pre-Auth-For-WebRedirect, as from the guide
- Pre-Auth_For_WebRedirect, a 'deny all' ACL (just for testing)
To avoid misconfiguration, now I have only the first ACL. The RADIUS authentication 
server is defined with support for RFC 3576 and the WLAN has the option "Allow AAA 
override" enabled. I successfully ping the WLC from the PacketFence server and vice 
versa.

Here is the output of raddebug:
# raddebug  -f /usr/local/pf/var/run/radiusd.sock -t 3600
Debug: Received Access-Request packet from host 10.1.0.10 port 32770, id=76, 
length=176
Debug:       User-Name = "b0c5591cbc05"
Debug:       Called-Station-Id = "00-1b-2b-68-be-70:OnlyForTest"
Debug:       Calling-Station-Id = "b0-c5-59-1c-bc-05"
Debug:       NAS-Port = 1
Debug:       NAS-IP-Address = 10.1.0.10
Debug:       NAS-Identifier = "WLC1-RETTORATO"
Debug:       Airespace-Wlan-Id = 6
Debug:       User-Password = "b0c5591cbc05"
Debug:       Service-Type = Call-Check
Debug:       Framed-MTU = 1300
Debug:       NAS-Port-Type = Wireless-802.11
Debug:       Tunnel-Type:0 = VLAN
Debug:       Tunnel-Medium-Type:0 = IEEE-802
Debug:       Tunnel-Private-Group-Id:0 = "33"
Debug: server packetfence {
Debug: # Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence
Debug: +group authorize {
Debug: [suffix] No '@' in User-Name = "b0c5591cbc05", skipping NULL due to 
config.
Debug: ++[suffix] = noop
Debug: [ntdomain] No '\' in User-Name = "b0c5591cbc05", looking up realm NULL
Debug: [ntdomain] No such realm "NULL"
Debug: ++[ntdomain] = noop
Debug: ++[preprocess] = ok
Debug: [eap] No EAP-Message, not doing EAP
Debug: ++[eap] = noop
Debug: [files] users: Matched entry DEFAULT at line 5
Debug: ++[files] = ok
Debug: ++[expiration] = noop
Debug: ++[logintime] = noop
Debug: ++update request {
Debug:       expand: %{Packet-Src-IP-Address} -> 10.1.0.10
Debug: ++} # update request = noop
Debug: ++update control {
Debug: ++} # update control = noop
Debug: ++[packetfence] = noop
Debug: +} # group authorize = ok
Debug: Found Auth-Type = Accept
Debug: Auth-Type = Accept, accepting the user
Debug: } # server packetfence
Debug: # Executing section post-auth from file 
/usr/local/pf/raddb//sites-enabled/packetfence
Debug: +group post-auth {
Debug: ++[exec] = noop
Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP))
Debug: ? Evaluating !(EAP-Type ) -> TRUE
Debug: ?? Skipping (EAP-Type != EAP-TTLS  )
Debug: ?? Skipping (EAP-Type != PEAP)
Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) -> TRUE
Debug: ++if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) {
Debug: +++update control {
Debug: +++} # update control = noop
Debug: +++[packetfence] = ok
Debug: ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) = ok
Debug: +} # group post-auth = ok
Debug: Sending Access-Accept packet to host 10.1.0.10 port 32770, id=76, 
length=0
Debug:       Cisco-AVPair += "url-redirect-acl=Pre-Auth-For-WebRedirect"
Debug:       Cisco-AVPair += "url-redirect=http://10.1.212.2/cepc129f3"
Debug: Finished request 65.
Debug: Cleaning up request 65 ID 76 with timestamp +258443

Here is the output of show client detail:
(Cisco Controller) >show client detail b0-c5-59-1c-bc-05
Client MAC Address............................... b0:c5:59:1c:bc:05
Client Username ................................. N/A
AP MAC Address................................... 00:1b:2b:68:be:70
Client State..................................... Associated
Wireless LAN Id.................................. 6
BSSID............................................ 00:1b:2b:68:be:75
Channel.......................................... 11
IP Address....................................... 10.1.212.29
Association Id................................... 21
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... 4
Client E2E version............................... No E2E support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Diff Serv Code Point (DSCP)...................... disabled
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
U-APSD Support................................... Disabled
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ packetfence
VLAN............................................. 33
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 0
Client Statistics:
      Number of Bytes Received................... 42634
      Number of Bytes Sent....................... 202930
      Number of Packets Received................. 297
      Number of Packets Sent..................... 220
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ -76 dBm
      Signal to Noise Ratio...................... 16 dB

Thanks,
Umberto

Hello Umberto,

You need to track down the device you are testing on the WLC; we can see
that PacketFence sends the ACL for the URL redirect,
"Pre-Auth_For_WebRedirect". Does the device you are testing with have the ACL 
applied on the WLC (client list)?
Is the ACL "Pre-Auth_For_WebRedirect" written exactly the same way
on the WLC?

Note: when you are using the WLC 4400 module, your ACL has '-' instead of '_'.

The answers to those questions should lead you to the solution.

If it doesn't, start by running "raddebug -f
/usr/local/pf/var/run/radiusd.sock -t 3600" on your terminal and watch 
the RADIUS exchange between the WLC and PF; you should see
Cisco-AVPair = url-redirect="http://PacketFence_Portal_IP/cepXXXXXX" in the
RADIUS answer.

Thank you.
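The two checks Antoine asks for above (is the ACL name in the Access-Accept written exactly as on the WLC, and can the portal address in url-redirect be reached by hand) can be scripted against the raddebug output. The following Python script is an added example written for this thread; it is not PacketFence or Cisco code and was not posted by either participant. The raddebug text it parses is trimmed from the output in the thread; the list of WLC ACL names is constructed (in practice you would read them off the controller, for example from 'show acl summary', which is an assumption about where the names come from). It flags the '-' versus '_' mismatch the thread suspects as a near-miss rather than a plain "not found".

```python
"""Check a raddebug Access-Accept for the WLC web-redirect attributes.

Added example for the PacketFence-users thread; not PacketFence or Cisco code.
"""
import re
from urllib.parse import urlsplit

# Trimmed from the raddebug output posted in the thread; only the lines the
# check needs are kept.
RADDEBUG_SAMPLE = """\
Debug: Received Access-Request packet from host 10.1.0.10 port 32770, id=76, length=176
Debug:       User-Name = "b0c5591cbc05"
Debug:       Calling-Station-Id = "b0-c5-59-1c-bc-05"
Debug: Sending Access-Accept packet to host 10.1.0.10 port 32770, id=76, length=0
Debug:       Cisco-AVPair += "url-redirect-acl=Pre-Auth-For-WebRedirect"
Debug:       Cisco-AVPair += "url-redirect=http://10.1.212.2/cepc129f3"
Debug: Finished request 65.
"""

# Constructed: ACL names as you would read them off the controller (assumed to
# come from 'show acl summary'); the underscore variant mirrors the second ACL
# the poster created, to show the near-miss case.
WLC_ACLS_SAMPLE = ["Pre-Auth_For_WebRedirect", "Guest-Deny-All"]

# Matches  Cisco-AVPair += "key=value"  (the '+' is optional: raddebug prints
# '=' for the first value of a multi-valued attribute on some versions).
AVPAIR_RE = re.compile(r'Cisco-AVPair\s*\+?=\s*"([^="]+)=([^"]*)"')


def parse_accept_avpairs(raddebug_text):
    """Return {attribute: value} for the Cisco-AVPair lines of the Access-Accept.

    Lines before 'Sending Access-Accept' belong to the request and are ignored,
    so an attribute echoed in the request cannot mask a missing reply.
    """
    avpairs = {}
    in_accept = False
    for line in raddebug_text.splitlines():
        if "Sending Access-Accept" in line:
            in_accept = True
            continue
        if in_accept and "Finished request" in line:
            break
        if in_accept:
            match = AVPAIR_RE.search(line)
            if match:
                avpairs[match.group(1)] = match.group(2)
    return avpairs


def check_redirect_acl(avpairs, wlc_acls):
    """Compare the ACL name PacketFence sent with the ACLs defined on the WLC.

    Returns (status, wlc_name): 'ok' on an exact match, 'near-miss' when an ACL
    differs only by case or by '-' versus '_' (the mismatch the thread suspects),
    'absent' when no ACL resembles it, 'missing' when PF sent no ACL at all.
    The WLC compares names literally, so only 'ok' means the redirect can apply.
    """
    sent = avpairs.get("url-redirect-acl")
    if sent is None:
        return ("missing", None)
    if sent in wlc_acls:
        return ("ok", sent)
    normalised = {name.replace("_", "-").lower(): name for name in wlc_acls}
    near = normalised.get(sent.replace("_", "-").lower())
    if near is not None:
        return ("near-miss", near)
    return ("absent", None)


def portal_host(avpairs):
    """Return the host of the url-redirect, or None if absent or unusable.

    This is the address to paste into the client's browser to confirm the
    portal itself answers before blaming the redirect.
    """
    url = avpairs.get("url-redirect")
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname


if __name__ == "__main__":
    pairs = parse_accept_avpairs(RADDEBUG_SAMPLE)
    status, wlc_name = check_redirect_acl(pairs, WLC_ACLS_SAMPLE)
    print("Access-Accept AVPairs:", pairs)
    print("Portal host to test by hand:", portal_host(pairs))
    print("ACL check:", status, wlc_name or "")
```

With the constructed ACL list the script reports a near-miss against "Pre-Auth_For_WebRedirect", which is exactly the situation the thread describes: the name PacketFence sends and the name on the controller differ only by one character, and the WLC will not apply the pre-authentication ACL.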

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users