Hello,

I’m relatively new to PacketFence, but not NAC in general. I’m having some 
difficulty getting PacketFence to work in my lab environment with the Captive 
Portal correctly.

I have a single interface that I’ve set up for management, RADIUS, and the 
portal. I have an Aruba wireless controller that works well with Aruba 
ClearPass in the same manner, so this config is very well tested already, 
although I understand there may be differences.

In my lab, the laptop I am testing with and the wireless controller are in the 
same VLAN and subnet, which is 198.18.255.0/24. So DHCP relays shouldn’t really 
play a part here because PacketFence should be seeing the exact MAC address in 
requests or in the DHCP messages themselves since it’s the same VLAN.

So, what happens is when I connect, I do get redirected to the portal but see 
the below message:

An error occured
Your computer was not found in the PacketFence database. Please reboot to solve 
this issue.

If you have questions about this page, contact your local support staff for 
assistance. Please provide the following information:

IP 198.18.255.67

MAC 0


IP 198.18.255.67 is my Aruba wireless controller. In the logs, it sees the MAC 
address of this just fine. I’m wondering if this is normal or should I see the 
endpoint IP here, which is 198.18.255.113 in this case. Lots of other posts show 
this being a DHCP relay/IP helper problem with PacketFence not seeing this 
information, but this is all one flat VLAN so it should.

Any ideas here? I can provide any additional information you’d like. I greatly 
appreciate any assistance.


Here is the snippet from a log entry in packetfence.log


May 14 02:36:54 PacketFence-ZEN pfqueue: pfqueue(3748) INFO: 
[mac:00:24:d6:5b:30:bc] controllerIp is set, we will use controller 
198.18.255.67 to perform deauth (pf::Switch::Aruba::radiusDisconnect)
May 14 02:36:54 PacketFence-ZEN pfqueue: pfqueue(3748) WARN: 
[mac:00:24:d6:5b:30:bc] Unable to perform RADIUS Disconnect-Request. 
Disconnect-NAK received with Error-Cause: Session-Context-Not-Found. 
(pf::Switch::Aruba::radiusDisconnect)
May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
(198.18.255.67), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(00:0b:86:de:65:00), mac => [00:24:d6:5b:30:bc], port => 0, username => 
"00-24-d6-5b-30-bc", ssid => PacketFence-Guest (pf::radius::authorize)
May 14 02:37:11 PacketFence-ZEN pfqueue: pfqueue(2970) WARN: 
[mac:00:24:d6:5b:30:bc] Unable to match MAC address to IP '198.18.250.10' 
(pf::ip4log::ip2mac)
May 14 02:37:11 PacketFence-ZEN pfqueue: pfqueue(2970) INFO: 
[mac:00:24:d6:5b:30:bc] oldip (198.18.200.11) and newip (198.18.250.10) are 
different for 00:24:d6:5b:30:bc - closing ip4log entry (pf::api::update_ip4log)
May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Aruba-Guest 
(pf::Connection::ProfileFactory::_from_profile)
May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] is of status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)
May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] (198.18.255.67) Added VLAN 1255 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
May 14 02:37:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] (198.18.255.67) Added role PFence-Guest-PreAuth to the 
returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
May 14 02:37:14 PacketFence-ZEN pfqueue: pfqueue(2970) INFO: [mac:unknown] 
Device Windows OS is a Windows OS (pf::fingerbank::__ANON__)
May 14 02:38:28 PacketFence-ZEN pfipset[2359]: t=2019-05-14T02:38:28+0000 
lvl=info msg="No Inline Network bypass ipsets reload" pid=2359
May 14 02:39:16 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
(198.18.255.67), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(00:0b:86:de:65:00), mac => [00:24:d6:5b:30:bc], port => 0, username => 
"00-24-d6-5b-30-bc", ssid => PacketFence-Guest (pf::radius::authorize)
May 14 02:39:17 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Aruba-Guest 
(pf::Connection::ProfileFactory::_from_profile)
May 14 02:39:17 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] is of status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)
May 14 02:39:17 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] (198.18.255.67) Added VLAN 1255 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
May 14 02:39:17 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] (198.18.255.67) Added role PFence-Guest-PreAuth to the 
returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
May 14 02:39:20 PacketFence-ZEN pfqueue: pfqueue(2970) WARN: 
[mac:00:24:d6:5b:30:bc] Unable to match MAC address to IP '198.18.255.113' 
(pf::ip4log::ip2mac)
May 14 02:39:20 PacketFence-ZEN pfqueue: pfqueue(2970) INFO: 
[mac:00:24:d6:5b:30:bc] oldip (198.18.250.10) and newip (198.18.255.113) are 
different for 00:24:d6:5b:30:bc - closing ip4log entry (pf::api::update_ip4log)
May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
(198.18.255.67), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(00:0b:86:de:65:00), mac => [00:24:d6:5b:30:bc], port => 0, username => 
"00-24-d6-5b-30-bc", ssid => PacketFence-Guest (pf::radius::authorize)
May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Aruba-Guest 
(pf::Connection::ProfileFactory::_from_profile)
May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] is of status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)
May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] (198.18.255.67) Added VLAN 1255 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO: 
[mac:00:24:d6:5b:30:bc] (198.18.255.67) Added role PFence-Guest-PreAuth to the 
returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) 
INFO: [mac:unknown] Instantiate profile Aruba-Guest 
(pf::Connection::ProfileFactory::_from_profile)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) 
WARN: [mac:unknown] Unable to match MAC address to IP '198.18.255.67' 
(pf::ip4log::ip2mac)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) 
WARN: [mac:0] Unable to match MAC address to IP '198.18.255.67' 
(pf::ip4log::ip2mac)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) 
INFO: [mac:0] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) 
ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404 Not 
Found (pf::fingerbank::endpoint_attributes)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) 
WARN: [mac:0] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
137.
 (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341) 
ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404 Not 
Found (pf::fingerbank::update_collector_endpoint_data)
May 14 02:40:09 PacketFence-ZEN pfqueue: pfqueue(2969) ERROR: [mac:unknown] 
Error while communicating with the Fingerbank collector. 404 Not Found 
(pf::fingerbank::endpoint_attributes)
May 14 02:40:09 PacketFence-ZEN pfqueue: pfqueue(2969) ERROR: [mac:unknown] 
Unable to fetch query arguments for Fingerbank query. Aborting. 
(pf::fingerbank::process)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) 
WARN: [mac:unknown] Unable to match MAC address to IP '198.18.255.67' 
(pf::ip4log::ip2mac)
May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) 
WARN: [mac:0] Unable to match MAC address to IP '198.18.255.67' 
(pf::ip4log::ip2mac)
May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) 
INFO: [mac:0] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) 
ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404 Not 
Found (pf::fingerbank::endpoint_attributes)
May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) 
WARN: [mac:0] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
137.
 (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
May 14 02:40:10 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3340) 
ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404 Not 
Found (pf::fingerbank::update_collector_endpoint_data)
May 14 02:40:10 PacketFence-ZEN pfqueue: pfqueue(2966) ERROR: [mac:unknown] 
Error while communicating with the Fingerbank collector. 404 Not Found 
(pf::fingerbank::endpoint_attributes)
May 14 02:40:10 PacketFence-ZEN pfqueue: pfqueue(2966) ERROR: [mac:unknown] 
Unable to fetch query arguments for Fingerbank query. Aborting. 
(pf::fingerbank::process)
May 14 02:43:28 PacketFence-ZEN pfipset[2359]: t=2019-05-14T02:43:28+0000 
lvl=info msg="No Inline Network bypass ipsets reload" pid=2359
[root@PacketFence-ZEN ~]#
[root@PacketFence-ZEN ~]#


198.18.255.67-controller
198.18.255.113-laptop


Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903







_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
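
A quick way to check a longer packetfence.log for the pattern in this post, as an added example that is not part of the original message or of PacketFence's own tooling: it re-joins the wrapped syslog records and flags captive-portal `ip2mac` misses whose lookup IP is also a RADIUS `switch_ip`, i.e. the portal keyed its lookup on the controller's address rather than the endpoint's. The function names are hypothetical, and the sample is excerpted from the log above.

```python
import re
from collections import Counter

# Excerpt of the log posted above, with its e-mail line wrapping preserved.
SAMPLE = """\
May 14 02:39:20 PacketFence-ZEN pfqueue: pfqueue(2970) WARN:
[mac:00:24:d6:5b:30:bc] Unable to match MAC address to IP '198.18.255.113'
(pf::ip4log::ip2mac)
May 14 02:39:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2573) INFO:
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip =>
(198.18.255.67), connection_type => Wireless-802.11-NoEAP,switch_mac =>
(00:0b:86:de:65:00), mac => [00:24:d6:5b:30:bc], port => 0, username =>
"00-24-d6-5b-30-bc", ssid => PacketFence-Guest (pf::radius::authorize)
May 14 02:40:09 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3341)
WARN: [mac:0] Unable to match MAC address to IP '198.18.255.67'
(pf::ip4log::ip2mac)
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
SWITCH_IP = re.compile(r"switch_ip => \(([\d.]+)\)")
IP2MAC_MISS = re.compile(
    r"(\S+)\(\d+\) WARN: \[mac:([^\]]*)\] Unable to match MAC address to IP '([\d.]+)'")

def unwrap(text):
    """Re-join records that the mail client wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def portal_lookups_on_switch_ip(text):
    """Count portal ip2mac misses whose lookup IP is a RADIUS switch_ip."""
    records = unwrap(text)
    switch_ips = {ip for r in records for ip in SWITCH_IP.findall(r)}
    hits = Counter()
    for r in records:
        m = IP2MAC_MISS.search(r)
        if m and m.group(1) == "httpd.portal" and m.group(3) in switch_ips:
            hits[(m.group(3), m.group(2))] += 1
    return switch_ips, hits

if __name__ == "__main__":
    for (ip, mac), n in portal_lookups_on_switch_ip(SAMPLE)[1].items():
        print(f"portal looked up switch IP {ip} (mac:{mac}) {n} time(s)")
```

The pfqueue miss for 198.18.255.113 is deliberately not counted: only lookups made by `httpd.portal` against an address already seen as a `switch_ip` are flagged.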
