OK, I will try it.
Thank you,
Umberto

Umberto Ciocca
Servizio Reti, Sistemi e Sicurezza
Università di Siena

On 11/12/2015 14:33, Fabrice DURAND wrote:
Hello Umberto,

You can't use url redirect with your current version.
The only thing you can do is VLAN enforcement.

Regards
Fabrice

On 2015-12-11 04:32, Umberto Ciocca wrote:
Hello Fabrice, hello Antoine,
unfortunately, I can't configure Nac state. My WLC (ver. 5.0.148.0) doesn't support the "Nac state" option.
Searching in documentation pages, I found:
- from http://www.packetfence.org/documentation/pod/pf/Switch/Cisco/WLC_http.html :
...
Status
Developed and tested on firmware version 7.6.100 (should work on 7.4.100).

- from http://www.packetfence.org/documentation/pod/pf/Switch/Cisco/WLC.html :
...
Status
Developed and tested on firmware version 4.2.130 although the new RADIUS RFC3576 support requires firmware v5 and later.
Supports
    Deauthentication with RADIUS Disconnect (RFC3576)
    Deauthentication with SNMP

I get a correct Radius answer configuring switch type as "WLC HTTP", but probably my WLC 4402 firmware is not supported. Configuring it as "WLC 4400", here is the answer:
...
# raddebug  -f /usr/local/pf/var/run/radiusd.sock -t 3600
Received Access-Request packet from host 10.1.0.10 port 32770, id=77, length=176
User-Name = "b0c5591cbc05"
Called-Station-Id = "00-1b-2b-68-be-70:OnlyForTest"
Calling-Station-Id = "b0-c5-59-1c-bc-05"
NAS-Port = 1
NAS-IP-Address = 10.1.0.10
NAS-Identifier = "WLC1-RETTORATO"
Airespace-Wlan-Id = 6
User-Password = "b0c5591cbc05"
Service-Type = Call-Check
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "33"
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "b0c5591cbc05", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "b0c5591cbc05", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
expand: %{Packet-Src-IP-Address} -> 10.1.0.10
++} # update request = noop
++update control {
++} # update control = noop
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS  )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
+++[packetfence] = ok
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) = ok
+} # group post-auth = ok
Sending Access-Accept packet to host 10.1.0.10 port 32770, id=77, length=0
Airespace-ACL-Name = "Pre-Auth-For-WebRedirect"
Finished request 66.
Cleaning up request 66 ID 77 with timestamp +342092
Received Access-Request packet from host 10.1.0.10 port 32770, id=78, length=176
      User-Name = "60af6df041e8"
      Called-Station-Id = "00-1b-2b-68-be-70:OnlyForTest"
      Calling-Station-Id = "60-af-6d-f0-41-e8"
      NAS-Port = 1
      NAS-IP-Address = 10.1.0.10
      NAS-Identifier = "WLC1-RETTORATO"
      Airespace-Wlan-Id = 6
      User-Password = "60af6df041e8"
      Service-Type = Call-Check
      Framed-MTU = 1300
      NAS-Port-Type = Wireless-802.11
      Tunnel-Type:0 = VLAN
      Tunnel-Medium-Type:0 = IEEE-802
      Tunnel-Private-Group-Id:0 = "33"
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "60af6df041e8", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "60af6df041e8", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
      expand: %{Packet-Src-IP-Address} -> 10.1.0.10
++} # update request = noop
++update control {
++} # update control = noop
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS  )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
+++[packetfence] = ok
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) = ok
+} # group post-auth = ok
Sending Access-Accept packet to host 10.1.0.10 port 32770, id=78, length=0
      Airespace-ACL-Name = "Pre-Auth-For-WebRedirect"
Finished request 67.
Cleaning up request 67 ID 78 with timestamp +342162
...

I'm connected and free to access the internet, without http redirection. I can ping the IP address of the portal page, but I can't reach the web page. Netstat says ports 80 and 443 are open...
Thanks,
Umberto

On 10/12/2015 16:16, Fabrice DURAND wrote:
Hello Umberto,

did you configure Nac State: Radius NAC ?


Regards
Fabrice




------------------------------------------------------------------------------


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
[email protected]  ::  +1.514.447.4918 (x135) ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
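An added example, not part of the thread and not PacketFence code: a small audit of raddebug output that pairs each Access-Accept with its request and reports whether the reply carries a VLAN assignment or only an ACL name, as in the log quoted above. It assumes a VLAN assignment appears as Tunnel-Private-Group-Id in the reply; the sample is constructed, and its second exchange (MAC 001122334455, VLAN "20") is invented for contrast.

```python
import re

# Constructed sample in the shape of the raddebug output quoted in the thread.
# The second exchange (MAC 001122334455, VLAN "20") is invented for contrast.
SAMPLE = """\
Received Access-Request packet from host 10.1.0.10 port 32770, id=77, length=176
User-Name = "b0c5591cbc05"
Tunnel-Private-Group-Id:0 = "33"
++[packetfence] = noop
Sending Access-Accept packet to host 10.1.0.10 port 32770, id=77, length=0
Airespace-ACL-Name = "Pre-Auth-For-WebRedirect"
Finished request 66.
Received Access-Request packet from host 10.1.0.10 port 32770, id=90, length=176
      User-Name = "001122334455"
Sending Access-Accept packet to host 10.1.0.10 port 32770, id=90, length=0
      Tunnel-Private-Group-Id:0 = "20"
"""

HEADER = re.compile(r"^(?:Received|Sending) (\S+) packet (?:from|to) host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r'^\s*([A-Za-z][\w-]*)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$')

def parse_packets(text):
    """Return one dict per RADIUS packet with the attributes listed under its header."""
    packets, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = {"code": h.group(1), "nas": h.group(2), "id": int(h.group(3)), "attrs": {}}
            packets.append(current)
        elif current is not None and (a := ATTR.match(line)):
            current["attrs"][a.group(1)] = a.group(2)
        else:
            current = None  # a module trace or blank line ends the attribute list
    return packets

def audit_accepts(text):
    """Pair each Access-Accept with its request; report the enforcement attributes returned."""
    pending, findings = {}, []
    for p in parse_packets(text):
        key = (p["nas"], p["id"])  # the RADIUS id is only unique per NAS
        if p["code"] == "Access-Request":
            pending[key] = p["attrs"]
        elif p["code"] == "Access-Accept":
            req = pending.pop(key, {})
            vlan = p["attrs"].get("Tunnel-Private-Group-Id")  # taken from the reply only
            findings.append({"user": req.get("User-Name"), "vlan": vlan,
                             "acl": p["attrs"].get("Airespace-ACL-Name"), "vlan_enforced": vlan is not None})
    return findings
```

An accept with `vlan_enforced` false and an ACL name set relies on the controller applying that ACL and redirect, which is the case worth checking on firmware that only supports VLAN enforcement.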

