Hi Casey,
It looks like the devices are being assigned a very short registration time.
Can you check what is the value of email_activation_timeout in
conf/authentication.conf for the email source?
Check the rules too. It could be that the access duration is set too low.
Post your conf/authentication.conf file if you are not sure.
Make sure to remove the passwords from it...
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
> On Mar 3, 2016, at 14:29 , Casey Feskens <[email protected]> wrote:
>
> I've recently run into an issue with guest registration and vlan enforcement
> on our packetfence installation, since upgrading to 5.5.2. As opposed to
> providing 10 minutes of network access after accessing the registration
> portal, packetfence seems to be consistently setting ports back to the
> registration VLAN after 10-30 seconds.
>
> Here's the example output from packetfence.log from the time the node joins
> the network, through the initial registration. In this case, VLAN 84 is the
> registration VLAN and 244 is the access VLAN:
>
> Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] handling
> radius autz request: from switch_ip => (158.104.249.7), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (e4:c7:22:aa:60:20), mac =>
> [00:23:6c:85:ff:9d], port => 13, username => "00236c85ff9d", ssid => WITS
> Guest Test (pf::radius::authorize)
> Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] is of status
> unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Added VLAN 84 to the returned RADIUS reply
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Returning ACCEPT with VLAN 84 and role
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:20:28 httpd.portal(41370) INFO: [mac:00:23:6c:85:ff:9d] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Mar 03 10:20:28 httpd.portal(41380) INFO: [mac:00:23:6c:85:ff:9d] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Mar 03 10:20:28 httpd.portal(41380) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:28 httpd.portal(41370) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:29 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Mar 03 10:20:29 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:29 httpd.portal(41380) INFO: [mac:00:23:6c:85:ff:9d] Updating
> node user_agent with useragent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X
> 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116
> Safari/537.36'
> (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
> Mar 03 10:20:31 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] redirected
> to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:31 httpd.portal(41370) INFO: [mac:00:23:6c:85:ff:9d] redirected
> to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:31 httpd.portal(41380) INFO: [mac:00:23:6c:85:ff:9d] redirected
> to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:31 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Mar 03 10:20:31 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:31 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d] redirected
> to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:32 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:32 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:32 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d] redirected
> to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Validating
> mandatory and custom fields for 'email' based self-registration
> (captiveportal::PacketFence::Controller::Signup::validateMandatoryFields)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] registering
> 00:23:6c:85:ff:9d guest by email
> (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Matched
> rule (catchall) in source email, returning actions.
> (pf::Authentication::Source::match)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] new
> activation code successfully generated (pf::activation::create)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Email sent
> to [email protected] <mailto:[email protected]>
> (lan.willamette.edu <http://lan.willamette.edu/>: Email activation required)
> (pf::activation::__ANON__)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Instantiate
> profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> re-evaluating access (manage_register called)
> (pf::enforcement::reevaluate_access)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] is
> currentlog connected at (158.104.249.7) ifIndex 13 in VLAN 84
> (pf::enforcement::_should_we_reassign_vlan)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] PID:
> "[email protected] <mailto:[email protected]>", Status: reg
> Returned VLAN: 244, Role: (undefined) (pf::vlan::fetchVlanForNode)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] VLAN
> reassignment required (current VLAN = 84 but should be in VLAN 244)
> (pf::enforcement::_should_we_reassign_vlan)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] switch port
> is (158.104.249.7) ifIndex 13 connection type: WiFi MAC Auth
> (pf::enforcement::_vlan_reevaluation)
> Mar 03 10:20:51 httpd.webservices(33008) INFO: [00:23:6c:85:ff:9d]
> DesAssociating mac on switch (158.104.249.7) (pf::api::desAssociate)
> Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] handling
> radius autz request: from switch_ip => (158.104.249.7), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (e4:c7:22:aa:60:20), mac =>
> [00:23:6c:85:ff:9d], port => 13, username => "00236c85ff9d", ssid => WITS
> Guest Test (pf::radius::authorize)
> Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] PID:
> "[email protected] <mailto:[email protected]>", Status: reg
> Returned VLAN: 244, Role: (undefined) (pf::vlan::fetchVlanForNode)
> Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Added VLAN 244 to the returned RADIUS reply
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Returning ACCEPT with VLAN 244 and role
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:20:58 httpd.webservices(33008) INFO: [00:23:6c:85:ff:9d]
> DesAssociating mac on switch (158.104.249.7) (pf::api::desAssociate)
> Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] handling
> radius autz request: from switch_ip => (158.104.249.7), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (e4:c7:22:aa:60:20), mac =>
> [00:23:6c:85:ff:9d], port => 13, username => "00236c85ff9d", ssid => WITS
> Guest Test (pf::radius::authorize)
> Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] is of status
> unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Added VLAN 84 to the returned RADIUS reply
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Returning ACCEPT with VLAN 84 and role
> (pf::Switch::returnRadiusAccessAccept)
>
> The switch in this case is a Cisco WiSM2. My profiles.conf:
>
>
> [wuguest]
> sources=email
> filter=ssid:WITS Guest Test
> description=Willamette Guest Profile
> filter_match_style=any
> dot1x_recompute_role_from_portal=enabled
> sms_pin_retry_limit=0
> sms_request_limit=0
> login_attempt_limit=0
> reuse_dot1x_credentials=0
> block_interval=10m
> provisioners=
> custom_fields_authentication_sources=
> billing_tiers=
> scans=
>
> I'm not quite sure what is setting the VLAN back to the registration VLAN so
> quickly. Any advice on where else I should be looking?
>
> Thanks in advance,
>
> Casey
>
> --
> ---------------------------------------------
> Casey Feskens <[email protected] <mailto:[email protected]>>
> Associate Director of Systems Services
> Willamette Integrated Technology Services
> Willamette University, Salem, OR
> ---------------------------------------------
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140_______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
