Looks like we are on to something.
During registration
[root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and port 3799'
Logging all events
Defaulting to capture on all interfaces
Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
2016-05-11 16:03:58.379930 (1) Disconnect-Request Id 78 eth0:172.30.40.10:34211 -> 172.22.0.201:3799 +0.000
NAS-IP-Address = 172.22.0.201
Calling-Station-Id = "00:21:cc:be:a1:3f"
Authenticator-Field = 0xff41af5cfacbac548dfd8b5455700340
2016-05-11 16:03:58.396590 (2) Disconnect-NAK Id 78 eth0:172.30.40.10:34211 <- 172.22.0.201:3799 +0.001 +0.001
Error-Cause = Missing-Attribute
Authenticator-Field = 0x372a2a7088936bad8ace3669bc09cbcc
2016-05-11 16:04:03.239659 (1) Cleaning up request packet ID 78
During disconnect
2016-05-11 16:09:25.802890 (3) Disconnect-Request Id 82 eth0:172.30.40.10:52484 -> 172.22.0.201:3799 +327.764
NAS-IP-Address = 172.22.0.201
Calling-Station-Id = "00:21:cc:be:a1:3f"
Authenticator-Field = 0x198194c64549fde7d34b5f62587f2b67
2016-05-11 16:09:25.804656 (4) Disconnect-NAK Id 82 eth0:172.30.40.10:52484 <- 172.22.0.201:3799 +327.766 +0.001
Error-Cause = Missing-Attribute
Authenticator-Field = 0x699c096b8510616ee359b9e37b80642b
2016-05-11 16:09:31.465600 (3) Cleaning up request packet ID 82
On Wed, May 11, 2016 at 3:29 PM, Louis Munro <[email protected]> wrote:
>
>
> On May 11, 2016, at 14:23 , Dustin Berube <[email protected]> wrote:
>
> Hi Louis,
>
> After changing the type to Juniper::EX2200 I get the following in
> packetfence.log
>
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Found method
> CODE(0x7f1f30c207d8) for REST path /radius/rest/authorize
> (pf::WebAPI::REST::handler)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] handling
> radius autz request: from switch_ip => (172.22.0.201), connection_type =>
> Ethernet-EAP,switch_mac => (54:e0:32:9c:1d:80), mac => [00:21:cc:be:a1:3f],
> port => ge-0/0/2.0, username => "FCC\dberube" (pf::radius::authorize)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Could not
> find any IP phones through discovery protocols for ifIndex ge-0/0/2.0
> (pf::Switch::getPhonesDPAtIfIndex)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] is of status
> unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f]
> (172.22.0.201) Added VLAN 98 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
> May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Updating
> locationlog from accounting request (pf::api::handle_accounting_metadata)
> May 11 13:59:45 httpd.portal(2871) INFO: [mac:00:21:cc:be:a1:3f] Dealing
> with a endpoint / browser with captive-portal detection capabilities while
> having a self-signed SSL certificate. Using HTTP instead of HTTPS
> (pf::web::dispatcher::handler)
> May 11 13:59:45 httpd.portal(2871) INFO: [mac:00:21:cc:be:a1:3f]
> Instantiate a new iptables modification method. pf::ipset
> (pf::inline::get_technique)
> May 11 13:59:46 httpd.portal(2992) INFO: [mac:00:21:cc:be:a1:3f] Dealing
> with a endpoint / browser with captive-portal detection capabilities while
> having a self-signed SSL certificate. Using HTTP instead of HTTPS
> (pf::web::dispatcher::handler)
> May 11 13:59:46 httpd.portal(2992) INFO: [mac:00:21:cc:be:a1:3f]
> Instantiate a new iptables modification method. pf::ipset
> (pf::inline::get_technique)
>
> Here's the output from raddebug:
> https://gist.github.com/dberube1/25f9959fa769171e49bae5cacfe68b6e
>
> Just for the sake of being thorough, I have tried authenticating through the
> captive portal and the port never gets moved out of the registration VLAN
> until you physically unplug and replug the cable or disable/enable the port
> on the CLI.
>
> Ok, so that indicates that radius itself is working properly now but you
> need to find a way to deauthenticate the device from the switch.
>
> Since you have configured PacketFence to try radius disconnect there
> should be a radius request sent from your server to the switch.
> Start by making sure that is really the case.
>
> Try unregistering and reregistering on the portal while running
>
> radsniff -x -f 'host $IP_OF_YOUR_SWITCH and port 3799'
>
> You should see if there are disconnection requests and replies going
> between the two.
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
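To make the captured exchange concrete, here is an added example (not from the thread and not PacketFence's or FreeRADIUS's code) that encodes an RFC 5176 Disconnect-Request carrying the same two attributes the radsniff output shows, and validates a Disconnect-NAK the way a CoA client should: it checks the Identifier and the Response Authenticator against the shared secret before trusting the Error-Cause (402 = Missing-Attribute). The shared secret and the NAK are constructed stand-ins; a real reply from the EX2200 would have to be checked with the secret configured on both sides.

```python
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_NAK = 40, 42  # RFC 5176 packet codes
NAS_IP_ADDRESS, CALLING_STATION_ID, ERROR_CAUSE = 4, 31, 101  # attribute types
ERROR_CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute"}  # RFC 5176 3.5, subset

def avp(attr_type, value):  # one attribute: Type(1) Length(1) Value(n)
    return bytes([attr_type, 2 + len(value)]) + value

def build_disconnect_request(ident, secret, nas_ip, calling_station_id):
    """Request with the capture's two attributes; the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))) \
        + avp(CALLING_STATION_ID, calling_station_id.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_attrs(data):  # walk the TLV list, rejecting a bad length before indexing
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def check_reply(reply, request, secret):
    """Validate an ACK/NAK: same Identifier and Response Authenticator ==
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret); otherwise the
    reply was not made with our shared secret. Returns (code, Error-Cause name)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if len(reply) != length or ident != request[1]:
        raise ValueError("identifier/length mismatch")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("bad Response Authenticator")
    cause = None
    for t, v in parse_attrs(reply[20:]):
        if t == ERROR_CAUSE:
            cause = ERROR_CAUSES.get(struct.unpack("!I", v)[0], "Unknown")
    return code, cause

def make_nak(request, secret, cause):  # constructed stand-in for the switch's NAK
    attrs = avp(ERROR_CAUSE, struct.pack("!I", cause))
    header = struct.pack("!BBH", DISCONNECT_NAK, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs
```

Running `check_reply` on the real UDP payload radsniff captured (with the configured secret) tells you whether the NAK is genuinely from 172.22.0.201 before you start hunting for which attribute the switch considers missing.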