Thanks I tried that and rebooted packetfence. Aruba had me upgrade the IAPs and switch the preferred VC to a later model IAP (from 105 to 325) and do another packet capture but still the same result.
admin@ip-10-11-8-37:/usr/local/pf/conf$ less switches.conf [172.28.5.250] cliTransport=SSH radiusSecret=packetfence defaultRole=gbst-test group=AIP SNMPCommunityRead=sh0wme always_trigger=1 VlanMap=N registrationRole=registration defaultAccessList=default SNMPVersion=2c RoleMap=Y description=Aruba Instant Access Points ExternalPortalEnforcement=Y guestUrl=http://pf-poc.aws.gbst.net/Aruba::Instant_Access coaPort=3799 guestRole=test-guest UrlMap=Y type=Aruba::Instant_Access SNMPCommunityTrap=sh0wme SNMPVersionTrap=2c cliPwd=SlyF0x. cliUser=admin controllerIp=172.28.5.250 #SNMPVersion = 3 #SNMPEngineID = 0000000000000 #SNMPUserNameRead = readUser #SNMPAuthProtocolRead = MD5 #SNMPAuthPasswordRead = authpwdread #SNMPPrivProtocolRead = DES #SNMPPrivPasswordRead = privpwdread #SNMPUserNameWrite = writeUser #SNMPAuthProtocolWrite = MD5 #SNMPAuthPasswordWrite = authpwdwrite #SNMPPrivProtocolWrite = DES #SNMPPrivPasswordWrite = privpwdwrite #SNMPVersionTrap = 3 #SNMPUserNameTrap = readUser #SNMPAuthProtocolTrap = MD5 #SNMPAuthPasswordTrap = authpwdread #SNMPPrivProtocolTrap = DES #SNMPPrivPasswordTrap = privpwdread [192.168.1.0/24] description=Test Range Switch type=Cisco::Catalyst_2900XL mode=production uplink=23,24 VoIPLLDPDetect=N [group AIP] VlanMap=N radiusSecret=packetfence always_trigger=1 type=Aruba::Instant_Access description=Aruba Instant Access Points defaultRole=gbst-test guestRole=test-guest switches.conf Frame 842: 96 bytes on wire (768 bits), 96 bytes captured (768 bits) on interface 0 Ethernet II, Src: JuniperN_fd:9c:01 (54:e0:32:fd:9c:01), Dst: HewlettP_cd:7a:a0 (b0:b8:67:cd:7a:a0) Internet Protocol Version 4, Src: 10.11.8.37, Dst: 172.28.5.250 User Datagram Protocol, Src Port: 41134, Dst Port: 3799 Source Port: 41134 Destination Port: 3799 Length: 62 Checksum: 0xc54f [unverified] [Checksum Status: Unverified] [Stream index: 34] [Timestamps] RADIUS Protocol Code: Disconnect-Request (40) Packet identifier: 0x2d (45) Length: 54 Authenticator: a8a602034d97608c81e99f6ea8da338a Attribute Value Pairs AVP: t=Calling-Station-Id(31) l=14 val=30074d744c55 AVP: t=NAS-IP-Address(4) l=6 val=172.28.5.250 AVP: t=User-Name(1) l=14 val=30074d744c55 Frame 843: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0 Ethernet II, Src: HewlettP_cd:7a:a0 (b0:b8:67:cd:7a:a0), Dst: JuniperN_fd:9c:01 (54:e0:32:fd:9c:01) Internet Protocol Version 4, Src: 172.28.5.9, Dst: 172.20.96.34 User Datagram Protocol, Src Port: 514, Dst Port: 514 Syslog message: LOCAL1.ERR: Aug 28 10:05:00 2019 172.28.5.9 stm[3795]: <121014> <ERRS> <172.28.5.9 B0:B8:67:CD:7A:A0> |aaa| Received invalid reply digest from RADIUS server 1000 1... = Facility: LOCAL1 - reserved for local use (17) .... .011 = Level: ERR - error conditions (3) Message: Aug 28 10:05:00 2019 172.28.5.9 stm[3795]: <121014> <ERRS> <172.28.5.9 B0:B8:67:CD:7A:A0> |aaa| Received invalid reply digest from RADIUS server Syslog timestamp (RFC3164): Aug 28 10:05:00 Syslog hostname: 2019 Syslog process id: 172 Syslog message id: .28.5.9 stm[3795]: <121014> <ERRS> <172.28.5.9 B0:B8:67:CD:7A:A0> |aaa| Received invalid reply digest from RADIUS server Frame 844: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits) on interface 0 Ethernet II, Src: HewlettP_cd:7a:a0 (b0:b8:67:cd:7a:a0), Dst: JuniperN_fd:9c:01 (54:e0:32:fd:9c:01) Internet Protocol Version 4, Src: 172.28.5.9, Dst: 172.20.96.34 User Datagram Protocol, Src Port: 514, Dst Port: 514 Syslog message: LOCAL1.ERR: Aug 28 10:05:00 2019 172.28.5.9 stm[3795]: <199802> <ERRS> <172.28.5.9 B0:B8:67:CD:7A:A0> rc_rfc3576_instant.c, rc_process_rfc3576_request:99: disconnect packet dropped 10.11.8.37 found for disconnect msg 1000 1... = Facility: LOCAL1 - reserved for local use (17) .... .011 = Level: ERR - error conditions (3) Message: Aug 28 10:05:00 2019 172.28.5.9 stm[3795]: <199802> <ERRS> <172.28.5.9 B0:B8:67:CD:7A:A0> rc_rfc3576_instant.c, rc_process_rfc3576_request:99: disconnect packet dropped 10.11.8.37 found for disconnect msg Syslog timestamp (RFC3164): Aug 28 10:05:00 Syslog hostname: 2019 Syslog process id: 172 Syslog message id: .28.5.9 stm[3795]: <199802> <ERRS> <172.28.5.9 B0:B8:67:CD:7A:A0> rc_rfc3576_instant.c, rc_process_rfc3576_request:99: disconnect packet dropped 10.11.8.37 found for disconnect msg -----Original Message----- From: Nicolas Quiniou-Briand <[email protected]> Sent: Tuesday, 27 August 2019 9:51 PM To: Peter Reissenweber <[email protected]>; [email protected] Subject: Re: [PacketFence-users] DesAssociating mac on switch Hello Peter, On 2019-08-27 7:03 a.m., Peter Reissenweber wrote: > RADIUS Protocol > Code: Disconnect-Request (40) According to this capture, PacketFence is sending a Disconnect-Request (40) and not a CoA-Request (43) (see [0] for details) I saw in your switches.conf that you used: #v+ deauthMethod=RADIUS #v- Leave "Deauthentication method" empty and enable "Use CoA", you should see that PF send a CoA-Request to your controller. I hope that will fix your issue. [0] https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc5176%23section-2&data=02%7C01%7CPeter.Reissenweber%40gbst.com%7Cbb147160780743952c2b08d72ae4c75e%7C1c2da354196b481891e4f760cbaac9e4%7C0%7C0%7C637025034402780880&sdata=uMek83UXI7m0am0uGcX44Q%2BnhKWEU%2BF6K66YV1l8ZdQ%3D&reserved=0 -- Nicolas Quiniou-Briand [email protected] :: +1.514.447.4918 *140 :: https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finverse.ca&data=02%7C01%7CPeter.Reissenweber%40gbst.com%7Cbb147160780743952c2b08d72ae4c75e%7C1c2da354196b481891e4f760cbaac9e4%7C0%7C0%7C637025034402780880&sdata=A93oWOfPn8y%2Byvbub4RFizKK%2BNgS2swtghpjaC93Ky0%3D&reserved=0 Inverse inc. :: Leaders behind SOGo (https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsogo.nu&data=02%7C01%7CPeter.Reissenweber%40gbst.com%7Cbb147160780743952c2b08d72ae4c75e%7C1c2da354196b481891e4f760cbaac9e4%7C0%7C0%7C637025034402780880&sdata=siRUv%2BEmC9KwftZ2awThrDXO7ts1HCf%2FbYkDWZ%2BFAB8%3D&reserved=0), PacketFence (https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpacketfence.org&data=02%7C01%7CPeter.Reissenweber%40gbst.com%7Cbb147160780743952c2b08d72ae4c75e%7C1c2da354196b481891e4f760cbaac9e4%7C0%7C0%7C637025034402780880&sdata=cQaqA6MfjORVa7ZtBmHZERmS0en%2B22aBaR4KZGFCYg4%3D&reserved=0) and Fingerbank (https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ffingerbank.org&data=02%7C01%7CPeter.Reissenweber%40gbst.com%7Cbb147160780743952c2b08d72ae4c75e%7C1c2da354196b481891e4f760cbaac9e4%7C0%7C0%7C637025034402780880&sdata=8%2FOR5%2FzcUpBP%2Fn2AxD46%2F8FlTB0FihnyAqqd6Ue8qG0%3D&reserved=0) The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and / or privileged material that may be governed by confidential information provisions contained in the agreement between GBST and your company. Any disclosure, copying, distribution, or other use without the express consent of the sender is prohibited. If you received this in error, please contact the sender and delete the material from any computer. All rights in the information transmitted, including copyright, are reserved. Nothing in this message should be interpreted as a digital signature that can be used to authenticate a document. No warranty is given by the sender that any attachments to this email are free from viruses or other defects. _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
