UPDATE
Using AAA debug on the WLC I saw:
(Cisco Controller) >*radiusRFC3576TransportThread: Sep 10 14:47:42.311: processIncomingMessages: Received RFC3576 message from PacketFence_IP of len 57 with return 0
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Request Authenticator(recv'd) - 96:35:c1:03:c3:31:12:08:dc:55:ea:88:af:91:a2:20
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Request Authenticator(calc'd) - 96:35:c1:03:c3:31:12:08:dc:55:ea:88:af:91:a2:20
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Received a 'RFC-3576 Disconnect-Request' from PacketFence_IP port 46269
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Packet contains 4 AVPs:
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: AVP[01] Service-Type.............................0x00000001 (1) (4 bytes)
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: AVP[02] Calling-Station-Id.......................18-1D-EA-5D-4B-D9 (17 bytes)
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: AVP[03] Nas-Ip-Address...........................0x0a010176 (167838070) (4 bytes)
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: AVP[04] Nas-Port.................................0x00000001 (1) (4 bytes)
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: RFC3576 - Received IP Address : WLC_IP, Vlan ID: (received 0), management IP WLC_IP
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Handling a valid 'RFC-3576 Disconnect-Request' regarding station 18:1d:ea:5d:4b:d9
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Sent a RFC3576 message 'RFC-3576 Disconnect-Ack' to PacketFence_IP:(port:46269)
But in the PacketFence logs I always see:
Sep 10 14:48:09 jit-pf pfqueue: pfqueue(19856) WARN: [mac:18:1d:ea:5d:4b:d9] Unable to perform RADIUS CoA-Request on (WLC_IP): Timeout waiting for a reply from WLC_IP on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 166. (pf::Switch::Cisco::WLC::catch {...} )
Sep 10 14:48:09 jit-pf pfqueue: pfqueue(19856) ERROR: [mac:18:1d:ea:5d:4b:d9] Wrong RADIUS secret or unreachable network device (WLC_IP)... On some Cisco Wireless Controllers you might have to set disconnectPort=1700 as some versions ignore the CoA requests on port 3799 (pf::Switch::Cisco::WLC::catch {...} )
From tcpdump on PacketFence I saw these packets:
PF => WLC (Disconnect-Request)
WLC => PF (Disconnect-ACK)
WLC => PF (Access-Request)
PF => WLC (Access-Accept)
Is the CoA request what I see in tcpdump?
Thanks
Enrico.
On 10/09/19 07:13, Enrico Pasqualotto via PacketFence-users wrote:
Hello Ludovic, CoA can be the issue, as I saw in the logs:
Sep 9 14:32:03 jit-pf pfqueue: pfqueue(13703) WARN: [mac:90:00:4e:c2:03:1d] Unable to perform RADIUS CoA-Request on (WLC_IP): Timeout waiting for a reply from WLC_IP on port 1700 at /usr/local/pf/lib/pf/util/radius.pm line 166. (pf::Switch::Cisco::WLC::catch {...} )
Sep 9 14:32:03 jit-pf pfqueue: pfqueue(13703) ERROR: [mac:90:00:4e:c2:03:1d] Wrong RADIUS secret or unreachable network device (WLC_IP)... On some Cisco Wireless Controllers you might have to set disconnectPort=1700 as some versions ignore the CoA requests on port 3799 (pf::Switch::Cisco::WLC::catch {...} )
I've tried with ports 1700 and 3799 but nothing works.
Also with radclient I got:
(0) No reply from server for ID 173 socket 3
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to WLC_IP:1700 length 44
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to 10.1.1.118:1700 length 44
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to WLC_IP:1700 length 44
(0) No reply from server for ID 157 socket 3
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to WLC_IP:3799 length 44
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to 10.1.1.118:3799 length 44
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to WLC_IP:3799 length 44
But if I go to the WLC, CoA seems enabled:
(Cisco Controller) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. AP's Label Address:SSID
Auth Call Station Id Type........................ AP's Ethernet MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Disabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Passive
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes
CALEA server info:
Server IP.................................... 0.0.0.0
Server Port.................................. 0
Venue........................................
State........................................ disabled
Timer Interval............................... 8 minutes
Authentication Servers
Idx  Type  Server Address    Port  State    Tout  MgmtTout  RFC3576  IPSec - state/Profile Name/RadiusRegionString
---  ----  ----------------  ----  -------  ----  --------  -------  -------------------------------------------------------
1    * NM  PacketFence_IP    1812  Enabled  5     5         Enabled  Disabled - /none
Accounting Servers
Idx  Type  Server Address    Port  State    Tout  MgmtTout  RFC3576  IPSec - state/Profile Name/RadiusRegionString
---  ----  ----------------  ----  -------  ----  --------  -------  -------------------------------------------------------
(Cisco Controller) >
(Cisco Controller) >show radius rfc3576 statistics
RFC-3576 Servers:
Server Index..................................... 1
Server Address................................... PacketFence_IP
Disconnect-Requests.............................. 465
COA-Requests..................................... 0
Retransmitted Requests........................... 20
Malformed Requests............................... 0
Bad Authenticator Requests....................... 6
Other Drops...................................... 0
Sent Disconnect-Ack.............................. 394
Sent Disconnect-Nak.............................. 51
Sent CoA-Ack..................................... 0
Sent CoA-Nak..................................... 0
Can it be a Cisco bug/issue? Is there another way (other than CoA) to achieve that?
For example through HTTPS?
Thanks
On 08/09/19 13:36, Ludovic Zammit wrote:
Hello Enrico,
Did you enable CoA correctly on the RADIUS server where you defined the PF IP address?
Also known as RFC 3576.
Thanks,
On Sep 7, 2019, at 8:48 AM, Enrico Pasqualotto via PacketFence-users <[email protected]> wrote:
Dear all, I have a running setup with PF 9 in VLAN enforcement mode where
guests are approved by a sponsor and moved to a guest VLAN (not inline).
Wireless is managed by a Cisco WLC with the SSID in open+mac-filter (RADIUS
enabled).
Guests on first connection are redirected to the captive portal (on the
registration VLAN) and after sponsor approval moved to the correct VLAN.
The issue appears if a guest reconnects to the same SSID after some minutes
(simply a reconnection after standby or being out of signal), because it prompts
the captive portal again with this error message:
Your network should be enabled within a minute or two. If it is not,
reboot your computer.
After some retries users can register again by asking for another approval
from the sponsor.
I expect that returning users, if the access duration hasn't expired (12h in
my case), will be moved directly to the guest VLAN and can use the Internet
without any other tasks. In this case it seems that PF knows the user is
registered but they stay in the registration VLAN.
I don't use any ACL (on the WLC) or Web Auth URL in my setup; can that
generate the issue? Any ideas?
Thanks a lot.
--
Enrico Pasqualotto
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Enrico Pasqualotto
Private mail: [email protected]
Office: +39 045 9971269
The information contained in this message and in any attachment is intended
exclusively for the recipient. If you are not the intended recipient you are
hereby notified not to copy, save, disclose, or distribute it to any third
party. If you erroneously received this message you are kindly requested to
return it to the sender and eliminate it permanently from your computer.
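Editor's note, added to this thread and not code from the posters or from PacketFence: the exchange in the UPDATE above, built by hand in Python. disconnect_request() produces the same four-AVP packet the WLC debug prints (Service-Type=1, Calling-Station-Id 18-1D-EA-5D-4B-D9, NAS-IP-Address 0x0a010176 = 10.1.1.118, NAS-Port=1), and its length works out to the 57 octets the debug reports. check_request() is the WLC's "Authenticator(recv'd)" versus "Authenticator(calc'd)" comparison; check_response() is what PacketFence or radclient does before it counts a Disconnect-Ack as a reply, so an ACK that is visible in tcpdump but carries a Response Authenticator computed under a different secret, or a different Identifier, still ends in "Timeout waiting for a reply". simulate_exchange() runs both sides offline on constructed data; send_disconnect() sends the same packet to a real controller so port 3799 and 1700 can be compared. The shared secret, the station list and the use of 10.1.1.118 as NAS address are assumptions for the example.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 (ex-RFC 3576) packet codes, section 2.3
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types from the WLC debug on this page, plus Error-Cause (101) carried in NAKs
NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, CALLING_STATION_ID, ERROR_CAUSE = 4, 5, 6, 31, 101
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator: 20 octets

def encode_avps(avps):
    """Serialise [(type, value_bytes)] as Type(1) Length(1) Value (RFC 2865 section 5)."""
    out = b""
    for t, v in avps:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_avps(data):
    """Parse the attribute area into [(type, value_bytes)], rejecting truncated AVPs."""
    avps, i = [], 0
    while i < len(data):
        t, l = struct.unpack_from("!BB", data, i)
        if l < 2 or i + l > len(data):
            raise ValueError("malformed AVP at offset %d" % i)
        avps.append((t, data[i + 2:i + l]))
        i += l
    return avps

def build_request(code, ident, avps, secret):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret), RFC 5176 s2.3."""
    attrs = encode_avps(avps)
    prefix = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return prefix + hashlib.md5(prefix + bytes(16) + attrs + secret).digest() + attrs

def check_request(packet, secret):
    """NAS side: the WLC's 'Authenticator(recv'd)' versus 'Authenticator(calc'd)' comparison."""
    code, ident, length, recvd = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field %d != %d octets received" % (length, len(packet)))
    calcd = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(recvd, calcd):
        raise ValueError("bad Request Authenticator: shared secret mismatch")  # NAS drops it silently
    return code, ident, decode_avps(packet[20:])

def build_response(code, request, avps, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 5176 s2.3."""
    attrs = encode_avps(avps)
    prefix = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return prefix + hashlib.md5(prefix + request[4:20] + attrs + secret).digest() + attrs

def check_response(response, request, secret):
    """Client side (PacketFence/radclient): accept only a reply whose Identifier matches and verifies."""
    code, ident, length, recvd = HEADER.unpack_from(response)
    if length != len(response) or ident != request[1]:
        raise ValueError("response identifier/length does not match the request")
    calcd = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(recvd, calcd):
        raise ValueError("bad Response Authenticator: shared secret mismatch")
    return code, decode_avps(response[20:])

def disconnect_request(mac, nas_ip, secret, ident=1):
    """The 4-AVP request the WLC debug shows: Service-Type=1 (Login-User), Calling-Station-Id
    (hyphen delimiter, upper case), NAS-IP-Address, NAS-Port=1."""
    avps = [
        (SERVICE_TYPE, struct.pack("!I", 1)),
        (CALLING_STATION_ID, mac.upper().replace(":", "-").encode()),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_PORT, struct.pack("!I", 1)),
    ]
    return build_request(DISCONNECT_REQUEST, ident, avps, secret)

def send_disconnect(host, port, packet, secret, timeout=5.0):
    """Send to a real NAS over UDP (3799 per RFC 5176, 1700 on some WLC builds) and verify the reply;
    socket.timeout here is the 'Timeout waiting for a reply' that PacketFence logs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        data, _ = s.recvfrom(4096)
    return check_response(data, packet, secret)

def simulate_exchange(client_secret, nas_secret, mac="18:1d:ea:5d:4b:d9", known=("18:1d:ea:5d:4b:d9",)):
    """Offline PF -> WLC -> PF model on constructed data: 'ack', 'nak' (unknown station) or 'dropped'."""
    req = disconnect_request(mac, "10.1.1.118", client_secret, ident=173)   # assumed NAS-IP 0x0a010176
    try:
        _, _, avps = check_request(req, nas_secret)
    except ValueError:
        return "dropped"   # wrong secret: no reply ever leaves the NAS, the client just times out
    station = dict(avps)[CALLING_STATION_ID].decode().replace("-", ":").lower()
    if station in known:
        resp = build_response(DISCONNECT_ACK, req, [], nas_secret)
    else:   # Error-Cause 503 = Session-Context-Not-Found (RFC 5176 section 3.5)
        resp = build_response(DISCONNECT_NAK, req, [(ERROR_CAUSE, struct.pack("!I", 503))], nas_secret)
    code, _ = check_response(resp, req, client_secret)
    return "ack" if code == DISCONNECT_ACK else "nak"
```

Usage: simulate_exchange(b"secret", b"secret") returns "ack"; with different secrets on the two sides it returns "dropped", which on the wire is exactly a client timeout. Against a controller, send_disconnect("WLC_IP", 3799, disconnect_request("18:1d:ea:5d:4b:d9", "WLC_IP", b"secret", 173), b"secret") either returns (41, []) or raises: a socket.timeout means nothing came back on that port, a ValueError means something came back that the client cannot verify. The three outcomes map onto the WLC's own counters in the thread: "Bad Authenticator Requests" is the dropped path, "Sent Disconnect-Nak" the NAK path for a station the controller no longer has a session for.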