I now have some info from the Aruba IAP from Wireshark captures. So it seems
PacketFence is sending an invalid reply digest to the Aruba VC. Any clues on
what might be the cause?

Frame 267: 96 bytes on wire (768 bits), 96 bytes captured (768 bits) on interface 0
Ethernet II, Src: JuniperN_fd:9c:01 (54:e0:32:fd:9c:01), Dst: ArubaAHe_c4:ad:f8 (24:de:c6:c4:ad:f8)
Internet Protocol Version 4, Src: 10.11.8.37, Dst: 172.28.5.250
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 82
    Identification: 0xb929 (47401)
    Flags: 0x4000, Don't fragment
    Time to live: 52
    Protocol: UDP (17)
    Header checksum: 0xc92b [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.11.8.37
    Destination: 172.28.5.250
User Datagram Protocol, Src Port: 52676, Dst Port: 3799
    Source Port: 52676
    Destination Port: 3799
    Length: 62
    Checksum: 0x9e8c [unverified]
    [Checksum Status: Unverified]
    [Stream index: 19]
    [Timestamps]
RADIUS Protocol
    Code: Disconnect-Request (40)
    Packet identifier: 0x26 (38)
    Length: 54
    Authenticator: 25dc2d073b8c49b2a08a547919da693e
    Attribute Value Pairs
        AVP: t=Calling-Station-Id(31) l=14 val=30074d744c55
        AVP: t=NAS-IP-Address(4) l=6 val=172.28.5.250
        AVP: t=User-Name(1) l=14 val=30074d744c55

Frame 268: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0
Ethernet II, Src: ArubaAHe_c4:ad:f8 (24:de:c6:c4:ad:f8), Dst: JuniperN_fd:9c:01 (54:e0:32:fd:9c:01)
Internet Protocol Version 4, Src: 172.28.5.4, Dst: 172.20.96.34
User Datagram Protocol, Src Port: 514, Dst Port: 514
Syslog message: LOCAL1.ERR: Aug 27 14:47:11 2019 172.28.5.4 stm[1660]: <121014> <ERRS> <172.28.5.4 24:DE:C6:C4:AD:F8> |aaa| Received invalid reply digest from RADIUS server
    1000 1... = Facility: LOCAL1 - reserved for local use (17)
    .... .011 = Level: ERR - error conditions (3)
    Message: Aug 27 14:47:11 2019 172.28.5.4 stm[1660]: <121014> <ERRS> <172.28.5.4 24:DE:C6:C4:AD:F8> |aaa| Received invalid reply digest from RADIUS server

Frame 269: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits) on interface 0
Ethernet II, Src: ArubaAHe_c4:ad:f8 (24:de:c6:c4:ad:f8), Dst: JuniperN_fd:9c:01 (54:e0:32:fd:9c:01)
Internet Protocol Version 4, Src: 172.28.5.4, Dst: 172.20.96.34
User Datagram Protocol, Src Port: 514, Dst Port: 514
Syslog message: LOCAL1.ERR: Aug 27 14:47:11 2019 172.28.5.4 stm[1660]: <199802> <ERRS> <172.28.5.4 24:DE:C6:C4:AD:F8> rc_rfc3576_instant.c, rc_process_rfc3576_request:99: disconnect packet dropped 10.11.8.37 found for disconnect msg
    1000 1... = Facility: LOCAL1 - reserved for local use (17)
    .... .011 = Level: ERR - error conditions (3)
    Message: Aug 27 14:47:11 2019 172.28.5.4 stm[1660]: <199802> <ERRS> <172.28.5.4 24:DE:C6:C4:AD:F8> rc_rfc3576_instant.c, rc_process_rfc3576_request:99: disconnect packet dropped 10.11.8.37 found for disconnect msg
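
Added example, not part of the original message and not PacketFence or Aruba code: the RFC 5176 Request Authenticator check for a Disconnect-Request, with the packet rebuilt from the fields dissected in frame 267. The helper names and all secret values are constructed for illustration; a candidate shared secret can be tested offline against the captured authenticator this way.

```python
import hashlib
import hmac
import socket
import struct

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (value + 2 header octets), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Sender side: compute the authenticator and assemble the packet."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver side: recompute the authenticator with the local secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    expected = request_authenticator(packet[:4], packet[20:length], secret)
    return hmac.compare_digest(packet[4:20], expected)

# Attributes exactly as dissected in frame 267 (Disconnect-Request, id 0x26).
ATTRS = (avp(31, b"30074d744c55")                      # Calling-Station-Id
         + avp(4, socket.inet_aton("172.28.5.250"))    # NAS-IP-Address
         + avp(1, b"30074d744c55"))                    # User-Name
CAPTURED = (struct.pack("!BBH", 40, 0x26, 20 + len(ATTRS))
            + bytes.fromhex("25dc2d073b8c49b2a08a547919da693e") + ATTRS)

if __name__ == "__main__":
    # Constructed secrets; substitute the key configured on each side.
    sender_secret, nas_secret = b"example-secret", b"example-secret\n"
    pkt = build_request(40, 0x26, ATTRS, sender_secret)
    print("same secret     :", verify_request(pkt, sender_secret))
    print("mismatched      :", verify_request(pkt, nas_secret))
    print("captured vs. key:", verify_request(CAPTURED, b"candidate-key"))
```

The rebuilt packet is 54 octets, matching the Length field in the capture, so the attribute encoding above is the one the authenticator was computed over.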
-----Original Message-----
From: Peter Reissenweber
Sent: Tuesday, 27 August 2019 8:02 AM
To: [email protected]
Cc: Nicolas Quiniou-Briand <[email protected]>
Subject: RE: [PacketFence-users] DesAssociating mac on switch
I have VC logs but there is no reference of any interest.
It is enabled on Aruba side via the "rfc3576" command. I think the
"cppm-rfc3576-port 3799" command may not be required. I have logged a case with
Aruba and hopefully get a response from them today.
wlan auth-server packetfence
ip 10.11.8.37
port 1812
acctport 1813
timeout 10
retry-count 5
key blablabla
nas-ip 172.28.5.250
rfc3576
cppm-rfc3576-port 3799
The following stats show the RFC3576 requests on the Aruba VC and that no CoA
requests have been received. So I will work with Aruba in the first instance
because the requests are making it to the VC.
*********************************************************************************************************
8/27/2019 8:00:21 AM Target: L4-East Command: show ap debug rfc3576-radius-statistics
*********************************************************************************************************
RADIUS RFC3576 Statistics
-------------------------
Statistics                    InternalServer  clearpass    packetfence
----------                    --------------  ---------    -----------
In Service: Management Auth   Not used        Not used     Not used
In Service: gbst-guest        Not used        Up 1097176s  Not used
In Service: test-guest        Not used        Not used     Up 410935s
In Service: Internal          Not used        Up 1097176s  Not used
In Service: External          Not used        Up 1097176s  Not used
In Service: gbst-test         Not used        Not used     Up 410935s
Disconnect Requests           0               0            0
Disconnect Accepts            0               5            0
Disconnect Rejects            0               0            0
No Secret                     0               0            0
No Session ID                 0               0            0
Bad Authenticator             0               0            0
Invalid Request               0               0            0
Packets Dropped               0               0            0
Unknown service               0               0            0
CoA Requests                  0               0            0
CoA Accepts                   0               0            0
CoA Rejects                   0               0            0
No permission                 0               0            0
SEQ first/last/free           0/0/0           0/0/0        0/0/0
Packets received from unknown clients ::0
Packets received with unknown request ::0
Total RFC3576 packets Received ::274
-----Original Message-----
From: Nicolas Quiniou-Briand via PacketFence-users
<[email protected]>
Sent: Saturday, 24 August 2019 12:19 AM
To: [email protected]
Cc: Nicolas Quiniou-Briand <[email protected]>
Subject: Re: [PacketFence-users] DesAssociating mac on switch
Hello Peter,
1. Do you have some logs on your controller side?
2. Are you sure CoA is enabled and allowed from PacketFence on Aruba side?
--
Nicolas Quiniou-Briand
[email protected] :: +1.514.447.4918 *140 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users