New information: I realized that, based on the documentation and/or network devices guide, it said to configure source NAT on the controller for when destined to PacketFence using 443, and that is why I am seeing the controller IP only. Makes sense that the controller’s MAC address wasn’t seen as a “node” in the database.
After disabling source NAT, I now see the default AUP page showing up. Not sure why this (source NAT) was a configuration step in the guide, but I haven’t had to do this with ClearPass before with the controller. Maybe behavior has changed since the documentation was compiled. More testing to follow.

Louis Scaringella

> On May 13, 2019, at 9:49 PM, Louis Scaringella <lscaringe...@yellowdognetworks.com> wrote:
>
> Hello,
>
> I’m relatively new to PacketFence, but not NAC in general. I’m having some difficulty getting PacketFence to work in my lab environment with the Captive Portal correctly.
>
> I have a single interface that I’ve set up for management, RADIUS, and the portal. I have an Aruba wireless controller that works well with Aruba ClearPass in the same manner, so this config is very well tested already, although I understand there may be differences.
>
> In my lab, the laptop I am testing with and the wireless controller are in the same VLAN and subnet, which is 198.18.255.0/24. So DHCP relays shouldn’t really play a part here because PacketFence should be seeing the exact MAC address in requests or in the DHCP messages themselves since it’s the same VLAN.
>
> ----------------
> So, what happens is when I connect, I do get redirected to the portal but see the below message:
>
> An error occured
> Your computer was not found in the PacketFence database. Please reboot to solve this issue.
>
> If you have questions about this page, contact your local support staff for assistance. Please provide the following information:
>
> IP 198.18.255.67
>
> MAC 0
>
> IP 198.18.255.67 is my Aruba wireless controller. In the logs, it sees the MAC address just fine of this. I’m wondering if this is normal or should I see the endpoint IP here, which is 198.18.255.113 in this case. Lots of other posts show this being a DHCP relay/IP helper problem with PacketFence not seeing this information, but this is all one flat VLAN so it should.
>
> Any ideas here? I can provide any additional information you’d like. I greatly appreciate any assistance.
>
> Here is the snippet from a log entry in packetfence.log
>
> May 14 02:36:54 PacketFence-ZEN pfqueue: pfqueue(3748) INFO: [mac:00:24:d6:5b:30:bc] controllerIp is set, we will use controller 198.18.255.67 to perform deauth (pf::Switch::Aruba::radiusDisconnect)
> May 14 02:36:54 PacketFence-ZEN pfqueue: pfqueue(3748) WARN: [mac:00:24:d6:5b:30:bc] Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Session-Context-Not-Found. (pf::Switch::Aruba::radiusDisconnect)
> May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => (198.18.255.67), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:0b:86:de:65:00), mac => [00:24:d6:5b:30:bc], port => 0, username => "00-24-d6-5b-30-bc", ssid => PacketFence-Guest (pf::radius::authorize)
> May 14 02:37:11 PacketFence-ZEN pfqueue: pfqueue(2970) WARN: [mac:00:24:d6:5b:30:bc] Unable to match MAC address to IP '198.18.250.10' (pf::ip4log::ip2mac)
> May 14 02:37:11 PacketFence-ZEN pfqueue: pfqueue(2970) INFO: [mac:00:24:d6:5b:30:bc] oldip (198.18.200.11) and newip (198.18.250.10) are different for 00:24:d6:5b:30:bc - closing ip4log entry (pf::api::update_ip4log)
> May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile Aruba-Guest (pf::Connection::ProfileFactory::_from_profile)
> May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] (198.18.255.67) Added VLAN 1255 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] (198.18.255.67) Added role PFence-Guest-PreAuth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> May 14 02:37:14 PacketFence-ZEN pfqueue: pfqueue(2970) INFO: [mac:unknown] Device Windows OS is a Windows OS (pf::fingerbank::__ANON__)
> May 14 02:38:28 PacketFence-ZEN pfipset[2359]: t=2019-05-14T02:38:28+0000 lvl=info msg="No Inline Network bypass ipsets reload" pid=2359
> May 14 02:39:16 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => (198.18.255.67), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:0b:86:de:65:00), mac => [00:24:d6:5b:30:bc], port => 0, username => "00-24-d6-5b-30-bc", ssid => PacketFence-Guest (pf::radius::authorize)
> May 14 02:39:17 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile Aruba-Guest (pf::Connection::ProfileFactory::_from_profile)
> May 14 02:39:17 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> May 14 02:39:17 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] (198.18.255.67) Added VLAN 1255 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> May 14 02:39:17 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] (198.18.255.67) Added role PFence-Guest-PreAuth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> May 14 02:39:20 PacketFence-ZEN pfqueue: pfqueue(2970) WARN: [mac:00:24:d6:5b:30:bc] Unable to match MAC address to IP '198.18.255.113' (pf::ip4log::ip2mac)
> May 14 02:39:20 PacketFence-ZEN pfqueue: pfqueue(2970) INFO: [mac:00:24:d6:5b:30:bc] oldip (198.18.250.10) and newip (198.18.255.113) are different for 00:24:d6:5b:30:bc - closing ip4log entry (pf::api::update_ip4log)
> May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => (198.18.255.67), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:0b:86:de:65:00), mac => [00:24:d6:5b:30:bc], port => 0, username => "00-24-d6-5b-30-bc", ssid => PacketFence-Guest (pf::radius::authorize)
> May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile Aruba-Guest (pf::Connection::ProfileFactory::_from_profile)
> May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] (198.18.255.67) Added VLAN 1255 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] (198.18.255.67) Added role PFence-Guest-PreAuth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) INFO: [mac:unknown] Instantiate profile Aruba-Guest (pf::Connection::ProfileFactory::_from_profile)
> May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) WARN: [mac:unknown] Unable to match MAC address to IP '198.18.255.67' (pf::ip4log::ip2mac)
> May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) WARN: [mac:0] Unable to match MAC address to IP '198.18.255.67' (pf::ip4log::ip2mac)
> May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) INFO: [mac:0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404 Not Found (pf::fingerbank::endpoint_attributes)
> May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) WARN: [mac:0] Use of uninitialized value in string ne at /usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 137. (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
> May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404 Not Found (pf::fingerbank::update_collector_endpoint_data)
> May 14 02:40:09 PacketFence-ZEN pfqueue: pfqueue(2969) ERROR: [mac:unknown] Error while communicating with the Fingerbank collector. 404 Not Found (pf::fingerbank::endpoint_attributes)
> May 14 02:40:09 PacketFence-ZEN pfqueue: pfqueue(2969) ERROR: [mac:unknown] Unable to fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
> May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) WARN: [mac:unknown] Unable to match MAC address to IP '198.18.255.67' (pf::ip4log::ip2mac)
> May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) WARN: [mac:0] Unable to match MAC address to IP '198.18.255.67' (pf::ip4log::ip2mac)
> May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) INFO: [mac:0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404 Not Found (pf::fingerbank::endpoint_attributes)
> May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) WARN: [mac:0] Use of uninitialized value in string ne at /usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 137. (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
> May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404 Not Found (pf::fingerbank::update_collector_endpoint_data)
> May 14 02:40:10 PacketFence-ZEN pfqueue: pfqueue(2966) ERROR: [mac:unknown] Error while communicating with the Fingerbank collector. 404 Not Found (pf::fingerbank::endpoint_attributes)
> May 14 02:40:10 PacketFence-ZEN pfqueue: pfqueue(2966) ERROR: [mac:unknown] Unable to fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
> May 14 02:43:28 PacketFence-ZEN pfipset[2359]: t=2019-05-14T02:43:28+0000 lvl=info msg="No Inline Network bypass ipsets reload" pid=2359
> [root@PacketFence-ZEN ~]#
> [root@PacketFence-ZEN ~]#
>
> 198.18.255.67-controller
> 198.18.255.113-laptop
>
> Louis Scaringella
> Security Systems Engineer
> Yellow Dog Networks, Inc
> 785-342-7903
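A diagnostic for the symptom in this thread, as an added example that is not part of the original messages or PacketFence's own code: it flags captive-portal `ip2mac` failures whose source IP also appears as a RADIUS `switch_ip`, which means the portal is seeing the controller's (source-NATed) address instead of the client's. The function name is hypothetical, and the sample is an excerpt of the log entries quoted above, rejoined onto single lines.

```python
import re

# Excerpt of the packetfence.log entries quoted in the thread (one entry per line).
SAMPLE_LOG = """\
May 14 02:39:16 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => (198.18.255.67), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:0b:86:de:65:00), mac => [00:24:d6:5b:30:bc], port => 0, username => "00-24-d6-5b-30-bc", ssid => PacketFence-Guest (pf::radius::authorize)
May 14 02:39:20 PacketFence-ZEN pfqueue: pfqueue(2970) WARN: [mac:00:24:d6:5b:30:bc] Unable to match MAC address to IP '198.18.255.113' (pf::ip4log::ip2mac)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) WARN: [mac:unknown] Unable to match MAC address to IP '198.18.255.67' (pf::ip4log::ip2mac)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) WARN: [mac:0] Unable to match MAC address to IP '198.18.255.67' (pf::ip4log::ip2mac)
"""

# switch_ip as logged by pf::radius::authorize for each RADIUS request.
SWITCH_RE = re.compile(r"switch_ip => \((?P<ip>[0-9.]+)\)")
# Portal-side ip2mac failures: the IP here is the HTTP client address the portal saw.
PORTAL_MISS_RE = re.compile(
    r"httpd\.portal\(\d+\) WARN: \[mac:(?P<mac>[^\]]+)\] "
    r"Unable to match MAC address to IP '(?P<ip>[0-9.]+)'"
)


def find_masked_portal_clients(log_text):
    """Return (timestamp, ip, mac_tag) for portal lookups made from a switch IP."""
    lines = log_text.splitlines()
    # First pass: every address that acted as a RADIUS client (switch/controller).
    switch_ips = {m.group("ip") for line in lines for m in SWITCH_RE.finditer(line)}
    hits = []
    # Second pass: portal requests that arrived from one of those addresses.
    for line in lines:
        m = PORTAL_MISS_RE.search(line)
        if m and m.group("ip") in switch_ips:
            hits.append((line[:15], m.group("ip"), m.group("mac")))
    return hits


if __name__ == "__main__":
    for ts, ip, mac in find_masked_portal_clients(SAMPLE_LOG):
        print(f"{ts}: portal request from switch IP {ip} (mac tag: {mac})")
```

The pfqueue miss for 198.18.255.113 is deliberately not flagged: it is the client's own address and not a portal request, so it does not indicate NAT in front of the portal.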