> On May 11, 2016, at 14:23 , Dustin Berube <[email protected]> wrote:
>
> Hi Louis,
>
> After changing the type to Juniper::EX2200 I get the following in
> packetfence.log
>
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Found method
> CODE(0x7f1f30c207d8) for REST path /radius/rest/authorize
> (pf::WebAPI::REST::handler)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] handling radius
> autz request: from switch_ip => (172.22.0.201), connection_type =>
> Ethernet-EAP,switch_mac => (54:e0:32:9c:1d:80), mac => [00:21:cc:be:a1:3f],
> port => ge-0/0/2.0, username => "FCC\dberube" (pf::radius::authorize)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Could not find
> any IP phones through discovery protocols for ifIndex ge-0/0/2.0
> (pf::Switch::getPhonesDPAtIfIndex)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] is of status
> unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] (172.22.0.201)
> Added VLAN 98 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Updating
> locationlog from accounting request (pf::api::handle_accounting_metadata)
> May 11 13:59:45 httpd.portal(2871) INFO: [mac:00:21:cc:be:a1:3f] Dealing with
> a endpoint / browser with captive-portal detection capabilities while having
> a self-signed SSL certificate. Using HTTP instead of HTTPS
> (pf::web::dispatcher::handler)
> May 11 13:59:45 httpd.portal(2871) INFO: [mac:00:21:cc:be:a1:3f] Instantiate
> a new iptables modification method. pf::ipset (pf::inline::get_technique)
> May 11 13:59:46 httpd.portal(2992) INFO: [mac:00:21:cc:be:a1:3f] Dealing with
> a endpoint / browser with captive-portal detection capabilities while having
> a self-signed SSL certificate. Using HTTP instead of HTTPS
> (pf::web::dispatcher::handler)
> May 11 13:59:46 httpd.portal(2992) INFO: [mac:00:21:cc:be:a1:3f] Instantiate
> a new iptables modification method. pf::ipset (pf::inline::get_technique)
>
> Here's the output from raddebug:
> https://gist.github.com/dberube1/25f9959fa769171e49bae5cacfe68b6e
>
> Just for the sake of being thorough I have tried authenticating through the
> captive portal and the port never gets moved out of the registration vlan
> until you physically unplug and replug the cable or disable/enable the port
> on the cli.

Ok, so that indicates that radius itself is working properly now but you need
to find a way to deauthenticate the device from the switch.
Since you have configured PacketFence to try radius disconnect there should be
a radius request sent from your server to the switch.
Start by making sure that is really the case.
Try unregistering and reregistering on the portal while running

    radsniff -x -f 'host $IP_OF_YOUR_SWITCH and port 3799'

You should see if there are disconnection requests and replies going between
the two.

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
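
Added example, not part of the original thread and not PacketFence code: given the UDP payloads captured on port 3799, this decoder pairs each RFC 5176 Disconnect/CoA request with its reply and surfaces the Error-Cause carried in a NAK, which is the check described in the reply above. The function names are hypothetical and the packets are constructed samples with a zeroed authenticator.

```python
import struct

# RFC 5176 packet codes exchanged on UDP/3799
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
CALLING_STATION_ID = 31   # RFC 2865
ERROR_CAUSE = 101         # RFC 5176, e.g. 503 = Session Context Not Found

def parse(payload: bytes) -> dict:
    """Decode one RADIUS payload: 20-byte header, then type/length/value attributes."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        alen = payload[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[payload[pos]] = payload[pos + 2:pos + alen]
        pos += alen
    return {"code": CODES.get(code, f"code-{code}"), "id": ident, "attrs": attrs}

def review(payloads):
    """Pair requests with replies by identifier (one server/switch pair assumed)."""
    pending, results = {}, []
    for raw in payloads:
        pkt = parse(raw)
        if pkt["code"].endswith("-Request"):
            pending[pkt["id"]] = pkt
        elif pkt["id"] in pending:
            req = pending.pop(pkt["id"])
            cause = pkt["attrs"].get(ERROR_CAUSE)
            results.append((req["code"], pkt["code"],
                            int.from_bytes(cause, "big") if cause else None))
    # Requests still pending were never answered by the switch.
    results += [(req["code"], "no reply", None) for req in pending.values()]
    return results

def build(code, ident, attrs=()):
    """Helper that constructs sample packets; authenticator is zeroed, not valid."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample exchange: one request refused with Error-Cause 503, one ignored.
SAMPLES = [
    build(40, 7, [(CALLING_STATION_ID, b"00-21-cc-be-a1-3f")]),
    build(42, 7, [(ERROR_CAUSE, (503).to_bytes(4, "big"))]),
    build(40, 8, [(CALLING_STATION_ID, b"00-21-cc-be-a1-3f")]),
]

if __name__ == "__main__":
    for request, outcome, cause in review(SAMPLES):
        print(request, "->", outcome, cause if cause is not None else "")
```

A request with no reply suggests the switch is not listening for or not accepting disconnect messages from the server, while a NAK shows the switch received the request and refused it for the stated Error-Cause.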