> On May 11, 2016, at 16:10 , Dustin Berube <[email protected]> wrote:
> 
> [root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and port 3799'
> Logging all events
> Defaulting to capture on all interfaces
> Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
> 2016-05-11 16:03:58.379930 (1) Disconnect-Request Id 78 eth0:172.30.40.10:34211 -> 172.22.0.201:3799 +0.000
>         NAS-IP-Address = 172.22.0.201
>         Calling-Station-Id = "00:21:cc:be:a1:3f"
>         Authenticator-Field = 0xff41af5cfacbac548dfd8b5455700340
> 2016-05-11 16:03:58.396590 (2) Disconnect-NAK Id 78 eth0:172.30.40.10:34211 <- 172.22.0.201:3799 +0.001 +0.001
>         Error-Cause = Missing-Attribute
>         Authenticator-Field = 0x372a2a7088936bad8ace3669bc09cbcc
> 2016-05-11 16:04:03.239659 (1) Cleaning up request packet ID 78

So the switch rejects (NAKs) our disconnect request.

We need to find which attribute to send it to ask it to disconnect you.
This is where it gets “fun”.
Each vendor seems to have its own idea about that.

If I read this correctly, we need the session id: 
http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/aaa-radius-coa-overview.html

You would find that in the accounting tables of the database.
Look in the “radacct” table, under acctsessionid using the mac address of the 
device (lowercase and without any delimiter). 

Then what you can do as a proof of concept is to manually send a disconnect 
request using radclient.

Save the attributes and values to send into a file, like this:

User-Name=$USER-NAME
Acct-Session-ID=$sessionid

and then pipe the file into radclient:

# cat file | radclient -c1 -r1 -x 172.22.0.201 disconnect $RADIUS_SHARED_SECRET

If you can get it to disconnect, I can get you a patch that would fix the 
EX4220, probably tomorrow.

--
Louis Munro
[email protected]  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
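Added example (not from this thread and not PacketFence's own code): a small POSIX shell script that automates the proof of concept described above. It assumes that the PacketFence MySQL client credentials are in a defaults file named by PF_DB_CNF, that radacct stores the MAC in callingstationid in the lowercase, delimiter-free form described above, that radclient from FreeRADIUS is on the PATH, and that the switch address and shared secret are supplied through SWITCH_IP and RADIUS_SHARED_SECRET. It also reads the radclient output so that a Disconnect-NAK's Error-Cause (Missing-Attribute in the capture above) is reported rather than buried in the debug output.

```shell
#!/bin/sh
# pf-disconnect.sh <mac>
# Added example, not part of the mailing-list thread or of PacketFence.
# Assumptions (hypothetical): MySQL credentials in $PF_DB_CNF, database "pf",
# radacct.callingstationid holds the MAC as 12 lowercase hex digits,
# radclient (FreeRADIUS) installed, switch address/secret in the environment.
set -eu

SWITCH_IP="${SWITCH_IP:-172.22.0.201}"                  # from the capture above
RADIUS_SHARED_SECRET="${RADIUS_SHARED_SECRET:-changeme}"   # assumption
PF_DB_CNF="${PF_DB_CNF:-/root/.my.cnf}"                 # assumption: [client] user/password

# Normalize a MAC to the radacct form: lowercase, no ':' '-' or '.' delimiters.
# Prints nothing and returns 1 unless the result is exactly 12 hex digits, so a
# malformed or hostile value never reaches the SQL string below.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
    case "$m" in
        ????????????) case "$m" in *[!0-9a-f]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    printf '%s' "$m"
}

# Look up the most recent open accounting session for the MAC.
# Prints "username<TAB>acctsessionid" (tab-separated because of -B), or nothing.
lookup_session() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    # --defaults-extra-file keeps the password off the command line (and out of ps).
    mysql --defaults-extra-file="$PF_DB_CNF" -N -B pf -e "
        SELECT username, acctsessionid FROM radacct
         WHERE callingstationid = '$mac' AND acctstoptime IS NULL
         ORDER BY acctstarttime DESC LIMIT 1;"
}

# Attribute list for the Disconnect-Request, in radclient's "Attr = value" syntax.
# Acct-Session-Id is the attribute the Juniper CoA documentation asks for;
# User-Name and NAS-IP-Address help the switch match the session.
build_disconnect_attrs() {
    # $1 = username, $2 = acctsessionid
    printf 'User-Name = "%s"\nAcct-Session-Id = "%s"\nNAS-IP-Address = %s\n' \
        "$1" "$2" "$SWITCH_IP"
}

# Send the Disconnect-Request to the switch's CoA port (3799) once, no retries.
send_disconnect() {
    build_disconnect_attrs "$1" "$2" |
        radclient -x -c1 -r1 "$SWITCH_IP:3799" disconnect "$RADIUS_SHARED_SECRET"
}

# Classify "radclient -x" output read from stdin: ACK, NAK:<Error-Cause>, or TIMEOUT.
classify_reply() {
    out=$(cat)
    case "$out" in
        *Disconnect-ACK*) echo ACK ;;
        *Disconnect-NAK*)
            cause=$(printf '%s\n' "$out" | sed -n 's/.*Error-Cause = //p' | head -n1)
            echo "NAK:${cause:-unknown}" ;;
        *) echo TIMEOUT ;;
    esac
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <mac>" >&2; exit 2; }
    row=$(lookup_session "$1")
    [ -n "$row" ] || { echo "no open session in radacct for $1" >&2; exit 1; }
    user=$(printf '%s\n' "$row" | cut -f1)
    sid=$(printf '%s\n' "$row" | cut -f2)
    # radclient may exit non-zero on a NAK or timeout; keep its output either way.
    reply=$(send_disconnect "$user" "$sid" 2>&1 || true)
    printf '%s\n' "$reply"
    printf '%s\n' "$reply" | classify_reply
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `SWITCH_IP=172.22.0.201 RADIUS_SHARED_SECRET=... ./pf-disconnect.sh 00:21:cc:be:a1:3f`. If the result is still NAK:Missing-Attribute, add the next candidate attribute from the vendor's CoA documentation to build_disconnect_attrs and try again; an ACK confirms the attribute set the switch wants.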
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users