Hi all,
Many thanks for your responses, really helpful.
We are using Ruckus APs, with a Virtual SmartZone controller hosted in AWS.
What I have found is the following:
My device configuration is set up to process requests from the Ruckus
wireless access points, identifying them by their local IP address
CIDR (/24 subnet). Between the APs and PacketFence, there is a
firewall, so the APs' local IP addresses are not locally routable from
PacketFence.
[10.5.100.0/24]
RoleMap=Y
VlanMap=N
description=Ruckus APs
Widget-CompanyRole=widget-company
group=Ruckus-APs
isolationRole=isolation
defaultRole=default
deauthMethod=RADIUS
registrationRole=registration
type=Ruckus::SmartZone
radiusSecret=[**asecret**]
guestRole=guest
VoIPDHCPDetect=N
ExcellSalesRole=excellsales
ExcellEngineeringRole=excellengineering
OpenRole=open
useCoA=N
So when I check packetfence.log I see this:
Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
[mac:c0:a6:00:e6:57:c1] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
[mac:c0:a6:00:e6:57:c1] Reevaluating access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
[mac:c0:a6:00:e6:57:c1] re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
[mac:c0:a6:00:e6:57:c1] VLAN reassignment is forced.
(pf::enforcement::_should_we_reassign_vlan)
Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
[mac:c0:a6:00:e6:57:c1] switch port is (10.5.100.120) ifIndex unknown
connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
Mar 5 15:13:30 A3 packetfence_httpd.portal: httpd.portal(30941) INFO:
[mac:c0:a6:00:e6:57:c1] Instantiate profile hana-test
(pf::Connection::ProfileFactory::_from_profile)
Mar 5 15:13:30 A3 pfqueue: pfqueue(31120) WARN:
[mac:c0:a6:00:e6:57:c1] Unable to perform RADIUS Disconnect-Request:
Timeout waiting for a reply from 10.5.100.120 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 166.
(pf::Switch::Ruckus::SmartZone::catch {...} )
Mar 5 15:13:30 A3 pfqueue: pfqueue(31120) ERROR:
[mac:c0:a6:00:e6:57:c1] Wrong RADIUS secret or unreachable network
device... (pf::Switch::Ruckus::SmartZone::catch {...} )
It looks like it's trying to send the RADIUS Disconnect-Request to
10.5.100.120, which is just an arbitrary IP address as I'm trying to
just allow APs within the /24 CIDR (10.5.10.120/24) to communicate
with PF.
So I guess my question is, do I need to provide a statically assigned
IP address to each Ruckus AP which is routable from PF and then in PF
create device configurations for each individual AP? If that's the
case, I will probably be pretty stuck as it doesn't really fit with
the network design that I have in place (PF is hosted centrally in our
DC, and is intended to provide NAC services to APs which are NAT'd
behind a firewall - we've deployed PF to enforce captive portal via
DNS on the registration VLAN, doing the routing via DHCP Relays).
Is there an alternative? I have looked at using the Ruckus Virtual
SmartZone controller as an AAA proxy instead and I am still testing to
see if I can get this working. I wonder if anyone has any experience
with this?
Thanks again for any input, it's all greatly appreciated.
Jonathan
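A small triage helper, added here as an example and not part of the thread or of PacketFence itself, that correlates the Disconnect-Request timeouts in the packetfence.log excerpt above with the CIDR-style device definition and with the switch IP PacketFence logged for the same client MAC. The config and log samples are trimmed copies of the ones quoted above (the secret is omitted).

```python
import ipaddress
import re

# Constructed sample input: trimmed from the switches.conf section and the
# packetfence.log excerpt quoted in the thread (radiusSecret omitted).
SWITCHES_CONF = """\
[10.5.100.0/24]
description=Ruckus APs
type=Ruckus::SmartZone
deauthMethod=RADIUS
useCoA=N
"""

PACKETFENCE_LOG = """\
Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO: [mac:c0:a6:00:e6:57:c1] switch port is (10.5.100.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
Mar 5 15:13:30 A3 pfqueue: pfqueue(31120) WARN: [mac:c0:a6:00:e6:57:c1] Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from 10.5.100.120 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 166. (pf::Switch::Ruckus::SmartZone::catch {...} )
Mar 5 15:13:30 A3 pfqueue: pfqueue(31120) ERROR: [mac:c0:a6:00:e6:57:c1] Wrong RADIUS secret or unreachable network device... (pf::Switch::Ruckus::SmartZone::catch {...} )
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$", re.MULTILINE)
MAC = r"\[mac:([0-9a-f:]{17})\]"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SWITCH_RE = re.compile(MAC + r" switch port is \(" + IPV4 + r"\)")
TIMEOUT_RE = re.compile(MAC + r" Unable to perform RADIUS Disconnect-Request: "
                        r"Timeout waiting for a reply from " + IPV4 + r" on port (\d+)")


def parse_cidr_devices(conf):
    """Return the switches.conf sections whose name is a network range, not one host."""
    nets = []
    for name in SECTION_RE.findall(conf):
        try:
            net = ipaddress.ip_network(name, strict=False)
        except ValueError:
            continue  # [default] and other non-address section names
        if net.num_addresses > 1:
            nets.append(net)
    return nets


def find_disconnect_timeouts(log, cidr_devices):
    """One finding per Disconnect-Request timeout: the target address, the CIDR
    device definition it fell under, and whether it is the address PF logged as
    that client's switch (an address inside the AP range rather than the controller)."""
    switch_ip_by_mac = {m.group(1): m.group(2) for m in SWITCH_RE.finditer(log)}
    findings = []
    for m in TIMEOUT_RE.finditer(log):
        mac, target, port = m.group(1), m.group(2), int(m.group(3))
        matched = [str(n) for n in cidr_devices if ipaddress.ip_address(target) in n]
        findings.append({
            "mac": mac, "target": target, "port": port,
            "cidr_device": matched[0] if matched else None,
            "target_is_logged_switch_ip": switch_ip_by_mac.get(mac) == target,
        })
    return findings


if __name__ == "__main__":
    for f in find_disconnect_timeouts(PACKETFENCE_LOG, parse_cidr_devices(SWITCHES_CONF)):
        print(f)
```

Run it against a real packetfence.log and switches.conf to see, per client, whether every failed deauth went to an address inside a range-style device definition that the PF host cannot reach through the firewall.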
On Thu, Mar 5, 2020 at 6:14 AM Truax, Peter via PacketFence-users
<[email protected]> wrote:
>
> Hi Jonathan,
>
> It all depends on how you have deauthentication set up and what your switching
> gear supports. Here, we use snmp as a deauthentication method for our
> switches. But, you can choose from a few different methods.
>
> Look in here to see what your switch or wireless supports:
>
> https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html
>
> Regards,
>
> Peter Truax
> Network Administrator
> Saint Martin’s University
> 5000 Abbey Way E
> Lacey, WA 98503
>
> -----Original Message-----
> From: Jonathan Nathanson via PacketFence-users
> <[email protected]>
> Sent: Tuesday, March 3, 2020 3:02 AM
> To: [email protected]
> Cc: Jonathan Nathanson <[email protected]>
> Subject: [External] [PacketFence-users] Re-assigning network via DHCP across
> routed network
>
> Hi there,
>
> I am using PacketFence configured to provide services over a routed network.
> The issue I am seeing is the client device connects to an SSID, they are
> presented with the captive portal, the client authenticates and is presented
> with the “Your network access is being set up” screen.
>
> However, at this point I would expect PacketFence to use DHCP to move the
> client from the registration VLAN in to whatever VLAN has been provided via
> radius-filter-id. However, this isn’t happening, instead the screen just says
> in red text “Your network access should be enabled within the next couple of
> minutes”…
>
> The only way to get the client device to pick up the new VLAN/IP address is
> to turn Wi-Fi off and on again, forcing the client to make a DHCP request.
>
> Has anyone seen this before, and can provide advice on how to enable the
> correct behaviour post-authentication?
>
> Many thanks
> Jonathan
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>