Hello Jes,
What I can suggest is to use SNMP for deauth and, from the PF server,
capture SNMP traffic to see what happens exactly (maybe a community write
issue).
Also check the log in pfqueue.log; this is the place where you will see
errors about the deauth.
Regards
Fabrice
On 2017-03-02 at 11:22, Jes Kasper Klittum wrote:
Hey folks,
So I am almost there with my PF setup. Lodovic helped me on the way to
get machine and AD user auth/switching working. Thank you very much. :)
Now, the thing I am now struggling with is the switch from
registration vlan to guest network not functioning correctly.
The only source I have in the default captive portal is email, so when
I plug an unregistered device into the network, I am led to the
portal to register using email. I have set a 10-minute window for
accepting the registration.
I get to the portal fine, on VLAN 102, and enter my email address, at
which point I am told that the network access is being enabled. After
waiting a while, I am told that it did not work, and I should try to
refresh or open a new tab. No matter what I do, I stay in the
registration VLAN?
Packetfence.log shows this:
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] Releasing device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] User default has authenticated on the portal. (Class::MOP::Class:::after)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] is currentlog connected at (10.4.100.11) ifIndex 23 registration (pf::enforcement::_should_we_reassign_vlan)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] Username was defined "d067e5366f79" - returning role 'guest' (pf::role::getRegisteredRole)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] PID: "j...@klittum.dk", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] VLAN reassignment required (current VLAN = 102 but should be in VLAN 105) (pf::enforcement::_should_we_reassign_vlan)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] switch port is (10.4.100.11) ifIndex 23 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
So packetfence knows it should switch to VLAN 105 – it just does not
happen?
The switch, an HP 1920, shows this in the console:
%Apr 27 18:48:24:397 2000 GW-X1-1920-2 PORTSEC/5/PORTSEC_VIOLATION: -IfName=GigabitEthernet1/0/23-MACAddr=D0:67:E5:36:6F:79-VlanId=-102-IfStatus=Up; Intrusion detected.
If I unplug the Ethernet cable, and plug it back in, then I get
access, and VLAN is changed to 105.
I have tried both RADIUS and SNMP as deauth method on the switch.
By the way, I should note that VLAN switching on the switch works
perfectly when using a domain joined computer, and logging in/out with
users with different roles, so it seems the switch is able to get the
information from packetfence under those circumstances.
Hope someone is able to help me with this issue…
Jes
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
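
The following is an added example, not code from either poster or from PacketFence: it pulls the pending VLAN reassignments out of packetfence.log lines like those quoted above and builds a capture filter for the SNMP traffic Fabrice suggests watching. The function names are hypothetical, and it assumes the switch is reached on the standard SNMP port, UDP 161.

```python
import re

# Three lines from the log excerpt in the thread, unwrapped, used as sample input.
SAMPLE_LOG = """\
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] is currentlog connected at (10.4.100.11) ifIndex 23 registration (pf::enforcement::_should_we_reassign_vlan)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] VLAN reassignment required (current VLAN = 102 but should be in VLAN 105) (pf::enforcement::_should_we_reassign_vlan)
Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79] switch port is (10.4.100.11) ifIndex 23 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) \S+ \w+: \[mac:(?P<mac>[0-9a-f:]+|unknown)\] (?P<msg>.*)$")
REASSIGN = re.compile(
    r"VLAN reassignment required \(current VLAN = (\d+) but should be in VLAN (\d+)\)")
PORT = re.compile(
    r"switch port is \((?P<ip>[\d.]+)\) ifIndex (?P<ifindex>\d+) "
    r"connection type: (?P<ctype>.+?) \(pf::")

def pending_reassignments(log_text):
    """Return one record per MAC for which PacketFence decided a VLAN change."""
    pending = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["mac"] == "unknown":
            continue
        mac, msg = m["mac"], m["msg"]
        r = REASSIGN.search(msg)
        if r:
            pending[mac] = {"mac": mac, "time": m["ts"],
                            "from_vlan": int(r[1]), "to_vlan": int(r[2])}
            continue
        p = PORT.search(msg)
        if p and mac in pending:
            # The switch/port line follows the reassignment decision in the log.
            pending[mac].update(switch=p["ip"], ifindex=int(p["ifindex"]),
                                connection=p["ctype"])
    return list(pending.values())

def snmp_capture_filter(records):
    """Build a tcpdump/BPF filter for SNMP (UDP 161, assumed) to the switches involved."""
    switches = sorted({r["switch"] for r in records if "switch" in r})
    if not switches:
        return ""
    hosts = " or ".join(f"host {ip}" for ip in switches)
    return f"udp port 161 and ({hosts})"
```

The returned filter string contains parentheses, so quote it when passing it to tcpdump on the PF server.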