Thanks for the help. Looks like I tracked it down to good old clock skew.
On Thu, Mar 3, 2016 at 1:12 PM, Louis Munro <[email protected]> wrote:
> Hi Casey,
>
> It looks like the devices are being assigned a very short registration
> time.
>
> Can you check what is the value of email_activation_timeout in
> conf/authentication.conf for the email source?
> Check the rules too. It could be that the access duration is set too low.
>
> Post your conf/authentication.conf file if you are not sure.
> Make sure to remove the passwords from it...
>
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Mar 3, 2016, at 14:29 , Casey Feskens <[email protected]> wrote:
>
> I've recently run into an issue with guest registration and VLAN
> enforcement on our PacketFence installation, since upgrading to 5.5.2. As
> opposed to providing 10 minutes of network access after accessing the
> registration portal, PacketFence seems to be consistently setting ports
> back to the registration VLAN after 10-30 seconds.
>
> Here's the example output from packetfence.log from the time the node
> joins the network, through the initial registration. In this case, VLAN 84
> is the registration VLAN and 244 is the access VLAN:
>
> Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] handling
> radius autz request: from switch_ip => (158.104.249.7), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (e4:c7:22:aa:60:20), mac =>
> [00:23:6c:85:ff:9d], port => 13, username => "00236c85ff9d", ssid => WITS
> Guest Test (pf::radius::authorize)
> Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] is of
> status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Added VLAN 84 to the returned RADIUS reply
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Returning ACCEPT with VLAN 84 and role
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:20:28 httpd.portal(41370) INFO: [mac:00:23:6c:85:ff:9d] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Mar 03 10:20:28 httpd.portal(41380) INFO: [mac:00:23:6c:85:ff:9d] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Mar 03 10:20:28 httpd.portal(41380) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:28 httpd.portal(41370) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:29 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Mar 03 10:20:29 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:29 httpd.portal(41380) INFO: [mac:00:23:6c:85:ff:9d] Updating
> node user_agent with useragent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X
> 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116
> Safari/537.36'
> (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
> Mar 03 10:20:31 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> redirected to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:31 httpd.portal(41370) INFO: [mac:00:23:6c:85:ff:9d]
> redirected to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:31 httpd.portal(41380) INFO: [mac:00:23:6c:85:ff:9d]
> redirected to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:31 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Mar 03 10:20:31 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:31 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d]
> redirected to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:32 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:32 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:32 httpd.portal(41916) INFO: [mac:00:23:6c:85:ff:9d]
> redirected to guests self registration page on wuguest portal
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> Validating mandatory and custom fields for 'email' based self-registration
> (captiveportal::PacketFence::Controller::Signup::validateMandatoryFields)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> registering 00:23:6c:85:ff:9d guest by email
> (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Matched
> rule (catchall) in source email, returning actions.
> (pf::Authentication::Source::match)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] new
> activation code successfully generated (pf::activation::create)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] Email
> sent to [email protected] (lan.willamette.edu: Email activation
> required) (pf::activation::__ANON__)
> Mar 03 10:20:49 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> Instantiate profile wuguest (pf::Portal::ProfileFactory::_from_profile)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d]
> re-evaluating access (manage_register called)
> (pf::enforcement::reevaluate_access)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] is
> currentlog connected at (158.104.249.7) ifIndex 13 in VLAN 84
> (pf::enforcement::_should_we_reassign_vlan)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] PID: "
> [email protected]", Status: reg Returned VLAN: 244, Role:
> (undefined) (pf::vlan::fetchVlanForNode)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] VLAN
> reassignment required (current VLAN = 84 but should be in VLAN 244)
> (pf::enforcement::_should_we_reassign_vlan)
> Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] switch
> port is (158.104.249.7) ifIndex 13 connection type: WiFi MAC Auth
> (pf::enforcement::_vlan_reevaluation)
> Mar 03 10:20:51 httpd.webservices(33008) INFO: [00:23:6c:85:ff:9d]
> DesAssociating mac on switch (158.104.249.7) (pf::api::desAssociate)
> Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] handling
> radius autz request: from switch_ip => (158.104.249.7), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (e4:c7:22:aa:60:20), mac =>
> [00:23:6c:85:ff:9d], port => 13, username => "00236c85ff9d", ssid => WITS
> Guest Test (pf::radius::authorize)
> Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] PID: "
> [email protected]", Status: reg Returned VLAN: 244, Role:
> (undefined) (pf::vlan::fetchVlanForNode)
> Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Added VLAN 244 to the returned RADIUS reply
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Returning ACCEPT with VLAN 244 and role
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:20:58 httpd.webservices(33008) INFO: [00:23:6c:85:ff:9d]
> DesAssociating mac on switch (158.104.249.7) (pf::api::desAssociate)
> Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] handling
> radius autz request: from switch_ip => (158.104.249.7), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (e4:c7:22:aa:60:20), mac =>
> [00:23:6c:85:ff:9d], port => 13, username => "00236c85ff9d", ssid => WITS
> Guest Test (pf::radius::authorize)
> Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] is of
> status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Added VLAN 84 to the returned RADIUS reply
> (pf::Switch::returnRadiusAccessAccept)
> Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d]
> (158.104.249.7) Returning ACCEPT with VLAN 84 and role
> (pf::Switch::returnRadiusAccessAccept)
>
> The switch in this case is a Cisco WiSM2. My profiles.conf:
>
>
> [wuguest]
> sources=email
> filter=ssid:WITS Guest Test
> description=Willamette Guest Profile
> filter_match_style=any
> dot1x_recompute_role_from_portal=enabled
> sms_pin_retry_limit=0
> sms_request_limit=0
> login_attempt_limit=0
> reuse_dot1x_credentials=0
> block_interval=10m
> provisioners=
> custom_fields_authentication_sources=
> billing_tiers=
> scans=
>
> I'm not quite sure what is setting the VLAN back to the registration VLAN
> so quickly. Any advice on where else I should be looking?
>
> Thanks in advance,
>
> Casey
>
> --
>
> ---------------------------------------------
> Casey Feskens <[email protected]>
> Associate Director of Systems Services
> Willamette Integrated Technology Services
> Willamette University, Salem, OR
> ---------------------------------------------
>
>
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
---------------------------------------------
Casey Feskens <[email protected]>
Associate Director of Systems Services
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: (503) 370-6950
---------------------------------------------
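
Added example (not part of the original thread and not PacketFence code): a log check for the symptom described above, a node granted the access VLAN and then returned to the registration VLAN well before the expected duration. The sample lines are entries from the quoted log unwrapped to one line each; the function name, the year default and the 600-second threshold (the 10 minutes mentioned in the thread) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: four entries from the thread's log, unwrapped to one line each.
SAMPLE_LOG = """\
Mar 03 10:20:22 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] (158.104.249.7) Returning ACCEPT with VLAN 84 and role (pf::Switch::returnRadiusAccessAccept)
Mar 03 10:20:50 httpd.portal(41416) INFO: [mac:00:23:6c:85:ff:9d] VLAN reassignment required (current VLAN = 84 but should be in VLAN 244) (pf::enforcement::_should_we_reassign_vlan)
Mar 03 10:20:55 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] (158.104.249.7) Returning ACCEPT with VLAN 244 and role (pf::Switch::returnRadiusAccessAccept)
Mar 03 10:21:02 httpd.aaa(32978) INFO: [mac:00:23:6c:85:ff:9d] (158.104.249.7) Returning ACCEPT with VLAN 84 and role (pf::Switch::returnRadiusAccessAccept)
"""

# Matches only the RADIUS accept lines; MAC is expected in lowercase as logged.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ INFO: "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] .*Returning ACCEPT with VLAN (?P<vlan>\d+)"
)

def find_early_reverts(log_text, reg_vlan, expected_seconds, year=2016):
    """Return (mac, granted_vlan, seconds_held) for every node sent back to
    reg_vlan sooner than expected_seconds after being granted another VLAN."""
    granted = {}   # mac -> (vlan, time access was first granted)
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        # Syslog-style timestamps carry no year; the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        mac, vlan = m["mac"], int(m["vlan"])
        if vlan != reg_vlan:
            granted.setdefault(mac, (vlan, ts))
        elif mac in granted:
            held_vlan, since = granted.pop(mac)
            held = (ts - since).total_seconds()
            if held < expected_seconds:
                findings.append((mac, held_vlan, held))
    return findings

if __name__ == "__main__":
    for mac, vlan, held in find_early_reverts(SAMPLE_LOG, reg_vlan=84, expected_seconds=600):
        print(f"{mac}: VLAN {vlan} held {held:.0f}s, expected 600s")
```

A hit like this only shows that access was revoked early; comparing the clocks of the hosts involved is a separate check.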