Good day,

I'm setting up PacketFence 5.5.2, on CentOS 6.7 in an out-of-band 
configuration, talking to a Cisco 2960 switch (15.0(1)SE3), following the 
instructions in 'Out of Band deployment Quick Guide'.  Compliments on the 
docs... very thorough.


Pretty good so far, when a device connects to the switchport, the switch sends 
the 802.1 mab request and the device gets placed on the Registration VLAN (2).  
I then proceed to log in using the captive portal, from the device.  At this 
point, PF sends a 'Change of Authorization' request to instruct the switch to 
place the device on the 'Data' VLAN.  This is the message that includes the 
field 'Cisco-AVPair: subscriber:command=reauthenticate'.


The problem is that this request is rejected, because the switch says 'COA: 
Message Authenticator missing or failed decode'.  Trace provided below.  The 
reason I believe is that I'm running a recent Cisco release (15.0(1)SE3), where 
they have likely made this a mandatory field to increase security.


From what I can tell, this request is constructed by 
.../lib/pf/Switch/Cisco/Catalyst_2960.pm : radiusDisconnect.  Unfortunately, 
there is no evidence in this file, or elsewhere, that PF ever creates a 
message-authenticator.


The reason for this email is two-fold. 1 - does that sound right? 2 - if so, any 
thoughts on what a proper implementation will look like?  Or possibly provide 
skeleton code?  I'm not finding a way to tell the switch to ignore it.


Let me know if you need configuration or logging information.


Thanks a bunch.

-henning



*Mar  1 22:47:21.590: COA: 192.168.0.2 request queued
*Mar  1 22:47:21.590: RADIUS:  authenticator 47 5E 40 2C 31 CF CD 57 - 77 F8 D08
*Mar  1 22:47:21.590: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset       ]
*Mar  1 22:47:21.590: RADIUS:  Calling-Station-Id  [31]  19  "00-50-B6-15-AD-5E"
*Mar  1 22:47:21.590: RADIUS:  NAS-IP-Address      [4]   6   192.168.0.3
*Mar  1 22:47:21.590: RADIUS:  Vendor, Cisco       [26]  41
*Mar  1 22:47:21.590: RADIUS:   Cisco AVpair       [1]   35  "subscriber:comman"
*Mar  1 22:47:21.590: COA: Message Authenticator missing or failed decode

*Mar  1 22:47:21.590:  ++++++ CoA Attribute List ++++++
*Mar  1 22:47:21.590: 0336A210 0 00000001 disc-cause(431) 4 admin-reset
*Mar  1 22:47:21.590: 0336A4F0 0 00000009 formatted-clid(38) 17 00-50-B6-15-AD-E
*Mar  1 22:47:21.590: 0336A500 0 00000001 nas-ip-address(597) 4 192.168.0.3
*Mar  1 22:47:21.590: 0336A510 0 00000009 ssg-command-code(487) 1 32
*Mar  1 22:47:21.590:
*Mar  1 22:47:21.590: COA: Added NACK Error Cause: Success
*Mar  1 22:47:21.590: COA: Sending NAK from port 3799 to 192.168.0.2/56033
*Mar  1 22:47:21.590: RADIUS:  101 6   000000C8
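
Added example, not part of the original post and not PacketFence code: a Python sketch of how RFC 5176 computes the Message-Authenticator for a CoA-Request, using the attributes shown in the trace, together with the receiver-side check that rejects a request lacking it. The function names, the identifier and the shared secret are assumptions made up for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST, MESSAGE_AUTHENTICATOR = 43, 80   # RFC 5176 code, RFC 2869 attribute
ZERO16 = b"\x00" * 16

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # type, length, value

def cisco_avpair(text):
    # Vendor-Specific (26), vendor 9 (Cisco), sub-attribute 1 (Cisco-AVPair)
    data = text.encode()
    return attr(26, struct.pack("!IBB", 9, 1, len(data) + 2) + data)

def build_coa_request(identifier, attrs, secret):
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, ZERO16)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    # Step 1: HMAC-MD5, keyed with the shared secret, over the packet with the
    # Request Authenticator and Message-Authenticator both as 16 zero octets.
    mac = hmac.new(secret, header + ZERO16 + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Step 2: Request Authenticator over the packet that now carries the MAC.
    authenticator = hashlib.md5(header + ZERO16 + body + secret).digest()
    return header + authenticator + body

def verify_coa_request(packet, secret):
    """Receiver-side check; False if the attribute is missing or wrong."""
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + ZERO16 + body + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return False
    pos = 0
    while pos + 2 <= len(body):
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            return False
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = body[:pos + 2] + ZERO16 + body[pos + 18:]
            mac = hmac.new(secret, header + ZERO16 + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, body[pos + 2:pos + 18])
        pos += a_len
    return False  # no Message-Authenticator attribute present

# Constructed sample: attribute values from the trace above, secret is made up.
SAMPLE = build_coa_request(1, [
    attr(49, struct.pack("!I", 6)),       # Acct-Terminate-Cause = admin-reset
    attr(31, b"00-50-B6-15-AD-5E"),       # Calling-Station-Id
    attr(4, bytes([192, 168, 0, 3])),     # NAS-IP-Address
    cisco_avpair("subscriber:command=reauthenticate")], b"constructed-secret")
```
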

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users