Hello Peter,
if you do vlan by role then PacketFence will send a Disconnect, if it's
role by switch role then it will be a CoA. (just to explain the logic)
Also "Received invalid reply digest from RADIUS server" sounds to me like
the shared secret is invalid.
What you set in the radius tab (switch config) needs to be the same when
you define packetfence as a radius server in the Aruba AP and for the
CoA/Disconnect. (there is no way in the code to have a different shared
secret for auth/acct and coa/disconnect)
Did you test the command Nicolas gave you and did it work? If not, can
you just try the same command but with only the Calling-Station-Id
attribute?
Regards
Fabice
On 19-08-28 at 18:38, Peter Reissenweber via PacketFence-users wrote:
I can't really expect users or network team to do this for guest access
every time it is needed.
There were some maintenance patches that were mentioned in other threads; were
these applied to the Debian repositories the same as the CentOS repos?
There seem to be other issues: if I disable CoA via the GUI it is still active
after a reboot, and the same if I change the CoA port number to 5999 or anything
else, it still uses port 3799 after a reboot.
I will still try to work with Aruba but I don't think they can really assist when
it is PF that is sending code 40 instead of 43.
Please can I get a better solution, as management is keen to use this product to
replace our existing ClearPass solution.
-----Original Message-----
From: Nicolas Quiniou-Briand <[email protected]>
Sent: Wednesday, 28 August 2019 9:59 PM
To: Peter Reissenweber <[email protected]>;
[email protected]
Subject: Re: [PacketFence-users] DesAssociating mac on switch
On 2019-08-28 2:23 a.m., Peter Reissenweber wrote:
RADIUS Protocol
Code: Disconnect-Request (40)
It looks like PF is still not sending a CoA-Request (43).
What you can do is to use `radclient` to forge a CoA-Request after your device
is connected to network.
#v+
echo "Calling-Station-Id = 30074d744c55" >> /tmp/disconnect.txt
echo "User-Name = 30074d744c55" >> /tmp/disconnect.txt
echo "NAS-IP-Address = 172.28.5.250" >> /tmp/disconnect.txt
# this will send a CoA-Request message
cat /tmp/disconnect.txt | radclient -x IP_OF_YOUR_IAP coa RADIUS_SECRET_KEY
#v-
--
Nicolas Quiniou-Briand
[email protected] :: +1.514.447.4918 *140 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
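Added example, not part of the original thread and not PacketFence or FreeRADIUS code: the "reply digest" mentioned above is the MD5 authenticator from RFC 2866/5176, and this sketch shows why a reply built with a different shared secret fails that check. The two secrets are constructed values; the MAC is the one used in the thread.

```python
import hashlib
import hmac
import struct

# RFC 5176 codes; 40 and 43 are the two values compared in the thread.
DISCONNECT_REQUEST, DISCONNECT_ACK, COA_REQUEST, COA_ACK = 40, 41, 43, 44
CALLING_STATION_ID = 31  # RFC 2865 attribute type


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code: int, ident: int, seed: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Authenticator = MD5(Code + Id + Length + seed + Attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + seed + attrs + secret).digest()
    return header + auth + attrs


def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA/Disconnect-Request: the seed is 16 zero octets."""
    return _packet(code, ident, b"\x00" * 16, attrs, secret)


def build_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """ACK/NAK built by the NAS: the seed is the Request Authenticator."""
    return _packet(code, request[1], request[4:20], attrs, secret)


def reply_digest_ok(reply: bytes, request: bytes, secret: bytes) -> bool:
    """The check the sender of the request runs on the reply it gets back."""
    if len(reply) < 20 or len(request) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = _packet(code, ident, request[4:20], reply[20:], secret)[4:20]
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    # Constructed values: both secrets are made up; the MAC is the one in the thread.
    req = build_request(COA_REQUEST, 1, attr(CALLING_STATION_ID, b"30074d744c55"), b"pf-secret")
    same = build_reply(COA_ACK, req, b"", b"pf-secret")
    other = build_reply(COA_ACK, req, b"", b"ap-secret")
    print("secrets match:", reply_digest_ok(same, req, b"pf-secret"))
    print("secrets differ:", reply_digest_ok(other, req, b"pf-secret"))
```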