Hi dear mate,

My PacketFence is installed on CentOS 7 with V7.2. My config files are listed
below. When I connected to the pf-public SSID, the device was put into the
registration role and the user was redirected to the PF portal page. Once the
user completed auth (where I set the authentication source to NULL, just click
the button), PF can't deauthenticate the device and the device can't be changed
to the production VLAN from the registration VLAN.

BTW, I have enabled the RFC 3576 setting in the Aruba AC. I got the below error
from the AC side:
"Sep 18 18:39:16 :520001: <DBUG> |authmgr| [rc_rfc3576.c:683] IP:0.0.0.0,
Name:(null) sessid=test12364B0A6D324BD-59BF760B, sta_id=64-B0-A6-D3-24-BD,
reqcode=43, rspcode=45, nack=1, error_cause=missing session"
I have tested all day long but still have no luck working it out...

[root@localhost conf]# more authentication.conf
[null]
description=Null Source
type=Null
email_required=no
set_access_level_action=
[null rule catchall]
action0=set_role=guest
condition0=mac,equals,64:b0:a6:d3:24:bd
match=all
class=authentication
action1=set_access_duration=1h
description=catchall
[root@localhost conf]# more networks.conf
[192.168.2.0]
dns=192.168.2.1
dhcp_start=192.168.2.10
gateway=192.168.2.1
domain-name=vlan-registration.didichuxing.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30
[192.168.3.0]
dns=192.168.3.1
dhcp_start=192.168.3.10
gateway=192.168.3.1
domain-name=vlan-isolation.didichuxing.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30
[root@localhost conf]# more profiles.conf
[mac-auth]
locale=
filter=ssid:pf-public
sources=null
redirecturl=https://172.30.1.5/
always_use_redirecturl=enabled
dot1x_recompute_role_from_portal=0
autoregister=enabled
[802.1x]
locale=
filter=ssid:pf-secure
sources=radius
always_use_redirecturl=enabled
redirecturl=http://172.30.1.5
autoregister=enabled
dot1x_recompute_role_from_portal=0
[root@localhost conf]# tail -f /usr/local/pf/logs/packetfence.log
Sep 18 20:55:20 localhost packetfence_httpd.aaa: httpd.aaa(18831) INFO:
[mac:64:b0:a6:d3:24:bd] handling radius autz request: from switch_ip =>
(172.30.1.250), connection_type => Wireless-802.11-NoEAP,switch_mac =>
(00:0b:86:b7:78:6f), mac => [64:b0:a6:d3:24:bd], port => 0, username =>
"64-b0-a6-d3-24-bd", ssid => pf-public (pf::radius::authorize)
Sep 18 20:55:20 localhost packetfence_httpd.aaa: httpd.aaa(18831) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile mac-auth
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:20 localhost packetfence_httpd.aaa: httpd.aaa(18831) INFO:
[mac:64:b0:a6:d3:24:bd] Match rule
pf_deauth_from_wireless_secure:pf_wireless_mac_auth&pf_node_wireless_eap&pf_node_reg&pf_node_auto_reg
(pf::access_filter::test)
Sep 18 20:55:20 localhost packetfence_httpd.aaa: httpd.aaa(18831) INFO:
[mac:64:b0:a6:d3:24:bd] PID: "default", Status: reg Returned VLAN: (undefined),
Role: registration (pf::role::fetchRoleForNode)
Sep 18 20:55:20 localhost packetfence_httpd.aaa: httpd.aaa(18831) INFO:
[mac:64:b0:a6:d3:24:bd] (172.30.1.250) Added role registration to the returned
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Sep 18 20:55:20 localhost packetfence_httpd.aaa: httpd.aaa(18831) INFO:
[mac:64:b0:a6:d3:24:bd] violation 1300003 force-closed for 64:b0:a6:d3:24:bd
(pf::violation::violation_force_close)
Sep 18 20:55:20 localhost packetfence_httpd.aaa: httpd.aaa(18831) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:22 localhost pfqueue: pfqueue(25108) INFO: [mac:64:b0:a6:d3:24:bd]
oldip (192.168.3.12) and newip (192.168.2.12) are different for
64:b0:a6:d3:24:bd - closing ip4log entry (pf::api::update_ip4log)
Sep 18 20:55:24 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile mac-auth
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:24 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] Replacing destination URL since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Sep 18 20:55:25 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile mac-auth
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:25 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] Replacing destination URL since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile mac-auth
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] Replacing destination URL since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) WARN:
[mac:64:b0:a6:d3:24:bd] Calling match with empty/invalid rule class. Defaulting
to 'authentication' (pf::authentication::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] Using sources null for matching
(pf::authentication::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] Matched rule (catchall) in source null, returning
actions. (pf::Authentication::Source::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) WARN:
[mac:64:b0:a6:d3:24:bd] Calling match with empty/invalid rule class. Defaulting
to 'authentication' (pf::authentication::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] Using sources null for matching
(pf::authentication::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] Matched rule (catchall) in source null, returning
actions. (pf::Authentication::Source::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) WARN:
[mac:64:b0:a6:d3:24:bd] Calling match with empty/invalid rule class. Defaulting
to 'authentication' (pf::authentication::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] Using sources null for matching
(pf::authentication::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) WARN:
[mac:64:b0:a6:d3:24:bd] Calling match with empty/invalid rule class. Defaulting
to 'authentication' (pf::authentication::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18972) INFO:
[mac:64:b0:a6:d3:24:bd] Using sources null for matching
(pf::authentication::match)
Sep 18 20:55:30 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile mac-auth
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] Replacing destination URL since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] No provisioner found for 64:b0:a6:d3:24:bd. Continuing.
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] violation 1300003 force-closed for 64:b0:a6:d3:24:bd
(pf::violation::violation_force_close)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18973) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile mac-auth
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:31 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile mac-auth
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] Replacing destination URL since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] is currentlog connected at (172.30.1.250) ifIndex 0
registration (pf::enforcement::_should_we_reassign_vlan)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] Instantiate profile mac-auth
(pf::Connection::ProfileFactory::_from_profile)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] Connection type is WIRELESS_MAC_AUTH. Getting role from
node_info (pf::role::getRegisteredRole)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] Username was defined "64-b0-a6-d3-24-bd" - returning
role 'guest' (pf::role::getRegisteredRole)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] PID: "default", Status: reg Returned VLAN: (undefined),
Role: guest (pf::role::fetchRoleForNode)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] VLAN reassignment required (current VLAN = 0 but should
be in VLAN 801) (pf::enforcement::_should_we_reassign_vlan)
Sep 18 20:55:32 localhost packetfence_httpd.portal: httpd.portal(18969) INFO:
[mac:64:b0:a6:d3:24:bd] switch port is (172.30.1.250) ifIndex unknown
connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
Sep 18 20:55:33 localhost pfqueue: pfqueue(25612) INFO: [mac:64:b0:a6:d3:24:bd]
[64:b0:a6:d3:24:bd] DesAssociating mac on switch (172.30.1.250)
(pf::api::desAssociate)
Sep 18 20:55:33 localhost pfqueue: pfqueue(25612) INFO: [mac:64:b0:a6:d3:24:bd]
deauthenticating 64:b0:a6:d3:24:bd (pf::Switch::Aruba::radiusDisconnect)
Sep 18 20:55:33 localhost pfqueue: pfqueue(25612) INFO: [mac:64:b0:a6:d3:24:bd]
[172.30.1.250] Returning ACCEPT with role: internet-only
(pf::Switch::Aruba::try {...} )
Sep 18 20:55:33 localhost pfqueue: pfqueue(25612) WARN: [mac:64:b0:a6:d3:24:bd]
Unable to perform RADIUS Disconnect-Request. CoA-NAK received with Error-Cause:
Session-Context-Not-Found. (pf::Switch::Aruba::radiusDisconnect)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
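
Added example (not part of the original post, and not PacketFence or Aruba code): a small Python helper that rejoins the wrapped log entries quoted above, decodes the controller's `reqcode`/`rspcode` using the RFC 3576 packet codes, and pairs the result with PacketFence's NAK warning for the same MAC. The function names are illustrative, and the sample input is the two entries from the post.

```python
import re

# Dynamic-authorization packet codes (RFC 3576 / RFC 5176).
RADIUS_CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
                43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")  # syslog timestamp
NAK = re.compile(r"\[mac:([0-9a-f:]{17})\] Unable to perform RADIUS ([\w-]+)\. "
                 r"([\w-]+) received with Error-Cause: ([\w-]+)\.")

def unwrap(text):
    """Rejoin log entries that the mail client wrapped over several lines."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip().strip('"')
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def decode_aruba(entry):
    """Turn the controller's rc_rfc3576 debug entry into named fields."""
    kv = {k: v.strip() for k, v in re.findall(r"(\w+)=([^,]+)", entry)}
    return {"mac": kv["sta_id"].lower().replace("-", ":"),
            "request": RADIUS_CODES.get(int(kv["reqcode"]), kv["reqcode"]),
            "response": RADIUS_CODES.get(int(kv["rspcode"]), kv["rspcode"]),
            "error_cause": kv["error_cause"]}

def pf_naks(entries):
    """Find PacketFence warnings about a rejected deauthentication."""
    hits = [(e, NAK.search(e)) for e in entries]
    return [{"time": e[:15], "mac": m[1], "attempted": m[2], "reply": m[3],
             "error_cause": m[4]} for e, m in hits if m]

def correlate(pf_text, aruba_text):
    """Pair each PacketFence NAK with controller entries for the same MAC."""
    aruba = [decode_aruba(e) for e in unwrap(aruba_text) if "rc_rfc3576" in e]
    return [(p, [a for a in aruba if a["mac"] == p["mac"]])
            for p in pf_naks(unwrap(pf_text))]

# Sample input: entries copied from the post above, wrapped as posted.
ARUBA_LOG = '''"Sep 18 18:39:16 :520001: <DBUG> |authmgr| [rc_rfc3576.c:683] IP:0.0.0.0,
Name:(null) sessid=test12364B0A6D324BD-59BF760B, sta_id=64-B0-A6-D3-24-BD,
reqcode=43, rspcode=45, nack=1, error_cause=missing session"'''
PF_LOG = '''Sep 18 20:55:33 localhost pfqueue: pfqueue(25612) WARN: [mac:64:b0:a6:d3:24:bd]
Unable to perform RADIUS Disconnect-Request. CoA-NAK received with Error-Cause:
Session-Context-Not-Found. (pf::Switch::Aruba::radiusDisconnect)'''

for pf, controller in correlate(PF_LOG, ARUBA_LOG):
    print(pf, controller)
```

On the quoted entries, the decoded controller line shows packet code 43 (CoA-Request) answered with 45 (CoA-NAK), next to PacketFence's own wording for the same attempt.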