Hi Brandt,

From the log message, it almost sounds to me like Packetfence doesn't know
the MAC of the device it's trying to move to the guest VLAN. I'm referring
to this:
"Unable to extract audit-session-id"

Maybe something isn't getting passed with WebAuth that would normally be
passed with Radius or the internal reg portal?

Have you tried only doing the vlan by role configuration in the network
device configuration guide?

*Nicholas P. Pier*
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10


On Tue, Mar 17, 2020 at 11:21 AM Brandt Winchell <
[email protected]> wrote:

> Hi Nicholas,
>
> For the PF and port number:
>
>    - I have tried AP=ISE & PF switch config with either and both port
>    options to be 1700
>    - I have also tried AP=No splash with either and both port options to
>    be 3799
>
> Depending on the combination, I get the same results as described or I do
> not get the initial redirection to the captive portal.
>
> This is where my “noobness” comes out with PF.
> In the PF switch identifier:
>
>    - I have Role by VLAN to allow 802.1x for internal users.  There is a
>    connection profile that basically says if 802.1x and AD auth puts them as
>    part of AD group “X”, then allow them on and assign the appropriate VLAN.
>    This seems to work fine for both wireless clients using 802.1x and
>    connected to SSID=Internal.
>    - I also have Role by Switch and Role by Web Auth based on the
>    PacketFence based on the FP network device guide.
>
> Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(14843)
> INFO: [mac:4c:34:88:c7:8c:24] PID: "POTD_GUEST", Status: reg Returned VLAN:
> (undefined), Role: guest (pf::role::fetchRoleForNode)
>
> Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(14843)
> INFO: [mac:4c:34:88:c7:8c:24] (10.0.1.251) Added VLAN XXX_GUEST to the
> returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(14843)
> INFO: [mac:4c:34:88:c7:8c:24] External portal enforcement either not
> supported '1' or not configured 'N' on network equipment '10.0.1.251'
> (pf::Switch::externalPortalEnforcement)
>
> Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(14843)
> WARN: [mac:4c:34:88:c7:8c:24] Unable to extract audit-session-id for module
> pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make
> sure you enable Vendor Specific Attributes (VSA) on the AP if you want them
> to work. (pf::Switch::getCiscoAvPairAttribute)
>
> *From:* Nicholas Pier <[email protected]>
> *Sent:* Tuesday, March 17, 2020 10:24 AM
> *To:* Brandt Winchell <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [PacketFence-users] PacketFence 9.3 Captive Portal for
> Guests
>
> I think you can rule out an issue with the role mapping or your connection
> profile since PF seems to be getting the correct role and VLAN:
>
> (10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
>
> (10.10.80.251) Added role 255 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
>
> Packetfence does default to 3799, but ISE defaults to 1700. In one
> screenshot for WebAuth in the Network Device Conf Guide, it looks like PF
> wants the device configured to think PF is an ISE system. So, it makes
> sense to match that with 1700.
>
> I definitely agree that something is wrong with the process of
> de-authenticating and changing the auth of a node. Can you confirm - are
> you using the WebAuth (6.17.1) or VLAN-based role mappings (6.17.2) ?
>
> *Nicholas P. Pier*
> Network Architect
> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>
> On Tue, Mar 17, 2020 at 10:05 AM Brandt Winchell <
> [email protected]> wrote:
>
> Hi Nicholas,
>
> I did see that.  The document was unclear if this needs to be the
> disconnect port and/or the CoA port.  According to the Cisco docs, ISE uses
> 1700 but PacketFence uses 3799 (
> https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points
> ).
>
> So I have tried all kinds of combinations, no luck.  Still get the webpage
> login but no change afterwards.
>
> Here is an output of the packetfence.log.
>
> User POTD_GUEST has authenticated on the portal.
> (Class::MOP::Class:::after)
>
> Instantiate profile XXX_GUEST
> (pf::Connection::ProfileFactory::_from_profile)
>
> Releasing device
> (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
>
> Switch type 'pf::Switch::Meraki::MR_v2' does not support
> WebFormRegistration (pf::SwitchSupports::__ANON__)
>
> re-evaluating access (manage_register called)
> (pf::enforcement::reevaluate_access)
>
> Instantiate profile XXX_GUEST
> (pf::Connection::ProfileFactory::_from_profile)
>
> VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
>
> DesAssociating mac on switch (10.10.80.251) (pf::api::desAssociate)
>
> deauthenticating (pf::Switch::Meraki::MR_v2::radiusDisconnect)
>
> controllerIp is set, we will use controller 10.10.80.251 to perform deauth
> (pf::Switch::Meraki::MR_v2::radiusDisconnect)
>
> Use of uninitialized value in concatenation (.) or string at
> /usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.
>
> (pf::Switch::Meraki::MR_v2::try {...} )
>
> Use of uninitialized value in concatenation (.) or string at
> /usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.
>
> Unknown general attribute 80 for unpack()
>
> Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2.
> SSID-based VLAN assignments won't work. Make sure you enable Vendor
> Specific Attributes (VSA) on the AP if you want them to work.
> (pf::Switch::getCiscoAvPairAttribute)
>
> Switch type 'pf::Switch::Meraki::MR_v2' does not support
> MABFloatingDevices (pf::SwitchSupports::__ANON__)
>
> Found authentication source(s) : 'POTD_GUEST' for realm 'null'
> (pf::config::util::filter_authentication_sources)
>
> Connection type is MAC-AUTH. Getting role from node_info
> (pf::role::getRegisteredRole)
>
> Username was defined "345g345ds4" - returning role 'guest'
> (pf::role::getRegisteredRole)
>
> PID: "POTD_GUEST", Status: reg Returned VLAN: (undefined), Role: guest
> (pf::role::fetchRoleForNode)
>
> (10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
>
> (10.10.80.251) Added role 255 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
>
> External portal enforcement either not supported '1' or not configured 'N'
> on network equipment '10.0.1.251' (pf::Switch::externalPortalEnforcement)
>
> Current conclusion:
>
>    - Something in the MR_v2.pm file concerning the VSA is not correct
>
> Current issue:
>
>    - High level workflow
>
>
>    - Computer connects to SSID and gets assigned vlan 4081
>       - Redirected to PF captive portal at 10.10.181.250/24
>       - Authenticates with POTD
>       - PF send AP a CoA to tag traffic with VLAN 255
>
>
>    - It seems the command to flip the VLAN on the AP does not occur.  The
>    computer stays on VLAN4081 and retains its IP from the PF DHCP
>
> Thanks
>
> *From:* Nicholas Pier <[email protected]>
> *Sent:* Monday, March 16, 2020 8:33 PM
> *To:* [email protected]
> *Cc:* Brandt Winchell <[email protected]>
> *Subject:* Re: [PacketFence-users] PacketFence 9.3 Captive Portal for
> Guests
>
> Hi Brandt,
>
> It sounds like your Meraki device isn't getting a message from Packetfence
> to switch the user's VLAN after authentication. This is usually done through
> a radius CoA or disconnect message. Did you catch this caveat on the
> network configuration guide? It looks like you need to specify port 1700
> for Disconnect and your deauth type should be set to "Radius":
>
> "The 'Disconnect port' field must be set to '1700'."
>
> Also, you can tail this log to see what happens when the user enters that
> password of the day:
>
> /usr/local/pf/logs/packetfence.log
>
> I hope this helps!
>
> *Nicholas P. Pier*
> Network Architect
> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>
> On Mon, Mar 16, 2020 at 7:58 PM Brandt Winchell via PacketFence-users <
> [email protected]> wrote:
>
> Hello,
>
> I have a 9.3 NAC deployment.
>
> Isolation vlan: 4080
>     PF DHCP 10.10.180.100 – 199
>     PF int IP: 10.10.180.250
>
> Registration vlan: 4081
>     PF DHCP 10.10.181.100 – 199
>     PF int IP: 10.10.181.250
>
> Mgmt. vlan: 80
>     PF int IP: 10.10.80.250
>
> Guest vlan: 255
>     Network: 10.10.255.0/24
>
> I currently have 802.1x_wired working correctly and assigning VLANs based
> on authentication.
>
> I also have 802.1x_wifi working in the same manner.
>
> In the switch profile:
>
> Cisco (Meraki) MR53
>
> Role by VLAN – guest=4081, reg=4081, iso-4080
>
> Role by switch – default=”Authorized devices”, guest=”COMPANY_GUEST”
>
> Role by Web Auth – registration=http://10.10.181.250/Meraki::MR_v2,
> guest=”COMPANY_GUEST”
>
> I am having an issue getting the “Guest” environment to work correctly.
>
> The wifi client is getting a DHCP address from the PF on VLAN 4081.  The
> client then gets redirected to the captive portal.  The internal source for
> the connection profile is “Password of the Day” (PotD).  The user logs in
> with the POTD creds and then nothing.  The system does not assign them the
> correct VLAN.
>
> If I change the Role by switch – guest=255 ; then the end-user gets put
> directly onto VLAN255 and no redirection occurs (essentially bypassing the
> NAC).
>
> Thanks
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
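The thread turns on two mechanics: the RADIUS CoA/Disconnect message PacketFence sends to the Meraki AP after portal login (port 3799 by default, 1700 in the ISE-style setup), and the "Unable to extract audit-session-id" warning, where the audit-session-id is a Cisco AVPair carried in a RADIUS Vendor-Specific attribute. The Python below is an added example, not code from the thread or from PacketFence itself: it encodes and parses the Cisco VSA (so you can see exactly what is missing when the AP does not send it), and builds an RFC 5176 Disconnect-Request with its Request Authenticator, with the check the receiving device performs. The MAC, session id, and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS constants from RFC 2865 and RFC 5176.
DISCONNECT_REQUEST = 40      # packet code for a Disconnect-Request
DEFAULT_COA_PORT = 3799      # RFC 5176 default; the thread uses 1700 for Meraki/ISE
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor-type of "cisco-avpair" inside the Cisco VSA
HEADER_LEN = 20              # code(1) + id(1) + length(2) + authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Basic RADIUS TLV: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(pair: str) -> bytes:
    """Wrap 'key=value' as Vendor-Specific (26) / vendor 9 / vendor-type 1."""
    inner = pair.encode()
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, len(inner) + 2) + inner
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_part)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def cisco_avpairs(attrs: List[Tuple[int, bytes]]) -> Dict[str, str]:
    """Collect key=value pairs carried in Cisco VSAs; other vendors are ignored."""
    pairs: Dict[str, str] = {}
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = struct.unpack("!BB", value[pos:pos + 2])
            if vlen < 2 or pos + vlen > len(value):
                break  # malformed sub-attribute: stop parsing this VSA, do not crash
            if vtype == CISCO_AVPAIR:
                key, _, val = value[pos + 2:pos + vlen].decode(errors="replace").partition("=")
                pairs[key] = val
            pos += vlen
    return pairs


def audit_session_id(attrs: List[Tuple[int, bytes]]) -> Optional[str]:
    """None when the AP sent no audit-session-id VSA (the warning case in the thread)."""
    return cisco_avpairs(attrs).get("audit-session-id")


def build_disconnect_request(secret: bytes, attrs: bytes, identifier: int = 1) -> bytes:
    """RFC 5176: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attrs + Secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute the authenticator with its copy of the secret."""
    if len(packet) < HEADER_LEN or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


# Constructed sample values (not taken from the thread).
SAMPLE_MAC = b"00-11-22-33-44-55"
SAMPLE_SESSION = "audit-session-id=0A0A50FB0000001D"
SAMPLE_SECRET = b"constructed-shared-secret"


def demo() -> Dict[str, object]:
    """Exercise both paths: the AP sent the Cisco VSA, and the AP did not."""
    with_vsa = encode_attr(ATTR_CALLING_STATION_ID, SAMPLE_MAC) + encode_cisco_avpair(SAMPLE_SESSION)
    without_vsa = encode_attr(ATTR_CALLING_STATION_ID, SAMPLE_MAC)
    packet = build_disconnect_request(SAMPLE_SECRET, with_vsa, identifier=7)
    return {
        "session_with_vsa": audit_session_id(parse_attrs(with_vsa)),
        "session_without_vsa": audit_session_id(parse_attrs(without_vsa)),
        "packet_len": len(packet),
        "authenticator_ok": verify_request_authenticator(packet, SAMPLE_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The second path in `demo()` (no VSA present) is the situation the log describes: without the Cisco AVPair there is no session identifier to key the disconnect on, and the only thing left to send is the Calling-Station-Id. The example builds and checks the packet but deliberately does not send it; which UDP port the AP listens on (3799 or 1700) is the deployment setting the thread is about, not something the packet format decides.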