I think you can rule out an issue with the role mapping or your connection profile since PF seems to be getting the correct role and VLAN:
(10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
(10.10.80.251) Added role 255 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Packetfence does default to 3799, but ISE defaults to 1700. In one screenshot for WebAuth in the Network Device Conf Guide, it looks like PF wants the device configured to think PF is an ISE system. So, it makes sense to match that with 1700.

I definitely agree that something is wrong with the process of de-authenticating and changing the auth of a node. Can you confirm - are you using the WebAuth (6.17.1) or VLAN-based role mappings (6.17.2)?

*Nicholas P. Pier*
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10

On Tue, Mar 17, 2020 at 10:05 AM Brandt Winchell <[email protected]> wrote:

> Hi Nicholas,
>
> I did see that. The document was unclear if this needs to be the disconnect port and/or the CoA port. According to the Cisco docs, ISE uses 1700 but PacketFence uses 3799 (https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points).
>
> So I have tried all kinds of combinations, no luck. Still get the webpage login but no change afterwards.
>
> Here is an output of the packetfence.log.
>
> User POTD_GUEST has authenticated on the portal. (Class::MOP::Class:::after)
> Instantiate profile XXX_GUEST (pf::Connection::ProfileFactory::_from_profile)
> Releasing device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
> Switch type 'pf::Switch::Meraki::MR_v2' does not support WebFormRegistration (pf::SwitchSupports::__ANON__)
> re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> Instantiate profile XXX_GUEST (pf::Connection::ProfileFactory::_from_profile)
> VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
> DesAssociating mac on switch (10.10.80.251) (pf::api::desAssociate)
> deauthenticating (pf::Switch::Meraki::MR_v2::radiusDisconnect)
> controllerIp is set, we will use controller 10.10.80.251 to perform deauth (pf::Switch::Meraki::MR_v2::radiusDisconnect)
> Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110. (pf::Switch::Meraki::MR_v2::try {...} )
> Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.
> Unknown general attribute 80 for unpack()
> Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
> Switch type 'pf::Switch::Meraki::MR_v2' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
> Found authentication source(s) : 'POTD_GUEST' for realm 'null' (pf::config::util::filter_authentication_sources)
> Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Username was defined "345g345ds4" - returning role 'guest' (pf::role::getRegisteredRole)
> PID: "POTD_GUEST", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
> (10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> (10.10.80.251) Added role 255 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> External portal enforcement either not supported '1' or not configured 'N' on network equipment '10.0.1.251' (pf::Switch::externalPortalEnforcement)
>
> Current conclusion:
> - Something in the MR_v2.pm file concerning the VSA is not correct
>
> Current issue:
> - High level workflow
>   - Computer connects to SSID and gets assigned vlan 4081
>   - Redirected to PF captive portal at 10.10.181.250/24
>   - Authenticates with POTD
>   - PF sends AP a CoA to tag traffic with VLAN 255
>   - It seems the command to flip the VLAN on the AP does not occur. The computer stays on VLAN4081 and retains its IP from the PF DHCP
>
> Thanks
>
> *From:* Nicholas Pier <[email protected]>
> *Sent:* Monday, March 16, 2020 8:33 PM
> *To:* [email protected]
> *Cc:* Brandt Winchell <[email protected]>
> *Subject:* Re: [PacketFence-users] PacketFence 9.3 Captive Portal for Guests
>
> Hi Brandt,
>
> It sounds like your Meraki device isn't getting a message from Packetfence to switch the user's VLAN after authentication. This is usually done through a radius CoA or disconnect message. Did you catch this caveat on the network configuration guide? It looks like you need to specify port 1700 for Disconnect and your deauth type should be set to "Radius":
>
> "The 'Disconnect port' field must be set to '1700'."
>
> Also, you can tail this log to see what happens when the user enters that password of the day:
>
> /usr/local/pf/logs/packetfence.log
>
> I hope this helps!
>
> *Nicholas P. Pier*
> Network Architect
> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>
> On Mon, Mar 16, 2020 at 7:58 PM Brandt Winchell via PacketFence-users <[email protected]> wrote:
>
> Hello,
>
> I have a 9.3 NAC deployment.
>
> Isolation vlan: 4080
> PF DHCP 10.10.180.100 – 199
> PF int IP: 10.10.180.250
>
> Registration vlan: 4081
> PF DHCP 10.10.181.100 – 199
> PF int IP: 10.10.181.250
>
> Mgmt. vlan: 80
> PF int IP: 10.10.80.250
>
> Guest vlan: 255
> Network: 10.10.255.0/24
>
> I currently have 802.1x_wired working correctly and assigning VLANs based on authentication.
> I also have 802.1x_wifi working in the same manner.
>
> In the switch profile:
> Cisco (Meraki) MR53
> Role by VLAN – guest=4081, reg=4081, iso=4080
> Role by switch – default="Authorized devices", guest="COMPANY_GUEST"
> Role by Web Auth – registration=http://10.10.181.250/Meraki::MR_v2, guest="COMPANY_GUEST"
>
> I am having an issue getting the "Guest" environment to work correctly.
>
> The wifi client is getting a DHCP address from the PF on VLAN 4081. The client then gets redirected to the captive portal. The internal source for the connection profile is "Password of the Day" (PotD). The user logs in with the POTD creds and then nothing. The system does not assign them the correct VLAN.
>
> If I change the Role by switch – guest=255; then the end-user gets put directly onto VLAN255 and no redirection occurs (essentially bypassing the NAC).
>
> Thanks
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
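The thread turns on whether PacketFence's RADIUS Disconnect-Request actually reaches the Meraki controller on the port it listens on (1700 per the quoted guide, versus PacketFence's 3799 default) and whether the controller answers it. The following is an added example, not PacketFence's or Meraki's code: it builds an RFC 5176 Disconnect-Request the way any Dynamic Authorization client does, identifies the session by client MAC (Calling-Station-Id) plus NAS-IP-Address, which is an assumption about what the controller keys on, and verifies the Response Authenticator on the ACK/NAK that comes back, so that a silent timeout, a NAK with an Error-Cause, and a reply signed with the wrong shared secret can be told apart. The shared secret, MAC, NAS address and identifier are constructed placeholders; `send_disconnect` is the live path, while the rest runs offline against a simulated controller reply.

```python
"""RFC 5176 RADIUS Disconnect-Request / CoA builder and reply checker.

Added example (not PacketFence or Meraki code). Secret, MAC, NAS IP and
identifier values used by callers are constructed placeholders.
"""
import hashlib
import hmac
import socket
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard attribute types (RFC 2865 / 2866 / 5176)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101

ERROR_CAUSE = {  # subset of RFC 5176 section 3.5
    402: "Missing Attribute",
    403: "NAS Identification Mismatch",
    404: "Invalid Request",
    501: "Administratively Prohibited",
    503: "Session Context Not Found",
}


def avp(attr_type, value):
    """Encode one Type/Length/Value attribute; Length includes its 2-byte header."""
    if isinstance(value, str):
        value = value.encode()
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, identifier, secret, attrs):
    """Return (packet, request_authenticator).

    RFC 5176 s3: Request Authenticator = MD5(Code + ID + Length + 16 zero
    bytes + Attributes + Secret), i.e. the hash of the packet with the
    authenticator field zeroed, then written back into bytes 4..20."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs, req_auth


def build_disconnect(identifier, secret, mac, nas_ip, session_id=None):
    """Disconnect-Request that names the session by client MAC and NAS address
    (assumption: the NAS matches on these; add Acct-Session-Id if it needs it)."""
    attrs = avp(ATTR_CALLING_STATION_ID, mac) + avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    if session_id is not None:
        attrs += avp(ATTR_ACCT_SESSION_ID, session_id)
    return build_request(DISCONNECT_REQUEST, identifier, secret, attrs)


def parse_attrs(raw):
    """Decode a TLV run into [(type, value_bytes)], rejecting malformed lengths."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        t, ln = raw[i], raw[i + 1]
        if ln < 2 or i + ln > len(raw):
            raise ValueError("bad attribute length")
        out.append((t, bytes(raw[i + 2:i + ln])))
        i += ln
    return out


def parse_response(data, request_auth, secret):
    """Validate an ACK/NAK and return (code, identifier, attrs).

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes
    + Secret). A reply failing this check is dropped: it proves neither that
    the peer knows the secret nor that it is answering this request."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs = data[20:length]
    expected = hashlib.md5(data[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(data[4:20], expected):
        raise ValueError("Response Authenticator mismatch (wrong secret or forged reply)")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK, COA_ACK, COA_NAK):
        raise ValueError("unexpected code %d" % code)
    return code, identifier, parse_attrs(attrs)


def error_cause(attrs):
    """Return (number, name) from a NAK's Error-Cause attribute, or None."""
    for t, v in attrs:
        if t == ATTR_ERROR_CAUSE and len(v) == 4:
            n = struct.unpack("!I", v)[0]
            return n, ERROR_CAUSE.get(n, "unknown")
    return None


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """What a NAS sends back; used here to simulate the controller offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def send_disconnect(host, secret, mac, nas_ip, port=1700, timeout=3.0, identifier=1):
    """Live path: send to the controller's Disconnect port and verify the reply.
    socket.timeout here means no answer at all (wrong port, ACL, or no listener)."""
    pkt, req_auth = build_disconnect(identifier, secret, mac, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data, req_auth, secret)
```

A practical check alongside this: capture on the PacketFence host for UDP 1700 and 3799 towards the controller while a guest logs in on the portal. No packet at all points at the PacketFence switch configuration (deauth type or port); a packet with no reply points at the port or the controller's RADIUS client settings; a NAK with Error-Cause 503 means the request arrived but the controller did not recognise the session by the attributes sent.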
