Ludovic,
Here are the results of radsniff -x -p 3799.
Sniffing on (eth0 Domain1-b Domain2-b Domain3-b Domain4-b eth0.247 eth0.248 lo)
2020-11-06 09:54:26.285552 (1) Disconnect-Request Id 17 eth0:1.1.1.1:58488 -> 2.2.2.2:3799 +0.000
NAS-IP-Address = 2.2.2.2
Calling-Station-Id = "33:33:33:33:33:33"
Acct-Session-Id = "8O2.1x81bb00cb000d8d1c"
Authenticator-Field = 0x607bb51b501008ae307bd616097f1456
2020-11-06 09:54:26.376235 (2) Disconnect-ACK Id 17 eth0:1.1.1.1:58488 <- 2.2.2.2:3799 +0.090 +0.090
EAP-Message = 0x03010004
Message-Authenticator = 0x66e8bfbce673406812b197ae6b179ded
Authenticator-Field = 0x01ee9a70ea49ea387c2689cf767022c4
2020-11-06 09:54:31.576235 (1) Cleaning up request packet ID 17
^CDone sniffing
Thank you,
Jeff
From: Ludovic Zammit <[email protected]>
Sent: Friday, November 6, 2020 8:44 AM
To: [email protected]
Cc: Jeff Linden <[email protected]>
Subject: Re: [PacketFence-users] Juniper Port-Bounce Vendor Attribute no longer working
Hello Jeff,
I would like you to do a test please:
radsniff -x -p 3799
Then in your web admin, click on the MAC address connected on that switch and then click on the “Reevaluate Access” button.
Show me the radsniff capture please.
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
On Nov 5, 2020, at 4:51 PM, Jeff Linden via PacketFence-users <[email protected]> wrote:
Hello,
Previously, I was successfully running PacketFence 9.2 using the EX2300.pm
module to manage my Juniper EX4300 switches. The test switch for the results
presented below is running Junos 18.2R3.4. This is the version I upgraded to
when trying to get PacketFence 9.2 working. It was successful with this Junos
version.
Now, I have upgraded to PacketFence version 10.2 AND implemented a 3-node distributed cluster.
The Vendor Specific Attribute, Port-Bounce, is not being created and sent to
the Juniper switch any longer. Without the port bounce, wired Captive Portal
client devices do not get moved to the VLAN that will allow them temporary
Internet access to complete registration. One of the steps I took to get this
working in version 9.2 was to update the radiusDisconnect method in EX2300.pm
to include the VSA. The default implementation of radiusDisconnect does not
include the VSA, only the implementation of setAdminStatus does.
My testing includes both going through the captive portal process which
executes radiusDisconnect and also just using the Restart Switch Port button in
the web interface which executes setAdminStatus. Both methods behave the same
in not sending the VSA.
The Juniper switch is receiving and acknowledging the disconnect request and
changing the VLAN assigned to the port. But, the request does not contain the
Port-Bounce Vendor Specific Attribute so the client isn’t triggered to perform
a fresh DHCP request. Physically disconnecting the client and re-connecting works as expected: the client is placed on the proper VLAN and given temporary Internet access.
Here is some log data and packet capture data that has led me to be able to ask
for help with this. I’ve added some of my own log entries to EX2300.pm and
pf/lib/pf/util/radius.pm. These are prefaced with DNA - . With them, I’ve
dumped the results of variables in some of the functions to show the VSA
doesn’t seem to be created.
Packet Capture (radiusDisconnect method)
--------------------------------------------
Frame 9: 123 bytes on wire (984 bits), 123 bytes captured (984 bits)
Juniper Ethernet
Internet Protocol Version 4, Src: <PacketFence DNS Name> (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)
User Datagram Protocol, Src Port: 53334 (53334), Dst Port: radius-dynauth (3799)
RADIUS Protocol
Code: Disconnect-Request (40)
Packet identifier: 0xe8 (232)
Length: 69
Authenticator: c36c08dde526a31eae96271be3d341c0
[The response to this request is in frame 11]
Attribute Value Pairs
AVP: t=Acct-Session-Id(44) l=24 val=8O2.1x81bb00c30005098f
AVP: t=NAS-IP-Address(4) l=6 val=2.2.2.2
AVP: t=Calling-Station-Id(31) l=19 val=11:11:11:11:11:11
Frame 11: 112 bytes on wire (896 bits), 112 bytes captured (896 bits)
Juniper Ethernet
Ethernet II, Src: JuniperN_37:ad:41 (<22:22:22:22:22:22>), Dst: JuniperN_23:dc:b0 (<Router MAC>)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1
Internet Protocol Version 4, Src: 2.2.2.2 (2.2.2.2), Dst: <PacketFence DNS Name> (1.1.1.1)
User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 53334 (53334)
RADIUS Protocol
Code: Disconnect-ACK (41)
Packet identifier: 0xe8 (232)
Length: 44
Authenticator: 76d3877b583ee8c4d24d860584e837b9
[This is a response to a request in frame 9]
[Time from request: 0.066431000 seconds]
Attribute Value Pairs
AVP: t=EAP-Message(79) l=6 Last Segment[1]
AVP: t=Message-Authenticator(80) l=18 val=c1a8dc4a5e2ceac4f3824a63f9a89186
Log message showing the EX2300 radiusDisconnect method is executing
------------------------------------------------------------------------------------------------
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Performing Disconnect (pf::Switch::Juniper::EX2300::try {...} )
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Deauthenticating 11:11:11:11:11:11 (pf::Switch::Juniper::EX2300::radiusDisconnect)
Dump the value of the standard RADIUS attributes in radiusDisconnect
-----------------------------------------------------------------------------------------------
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Start attribute dump (pf::Switch::Juniper::EX2300::try {...} )
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO:
[mac:11:11:11:11:11:11] $VAR1 = \{
'Acct-Session-Id' => '8O2.1x81bb00c30005098f',
'NAS-IP-Address' => '2.2.2.2',
'Calling-Station-Id' => '11:11:11:11:11:11'
};
(pf::Switch::Juniper::EX2300::try {...} )
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - End attribute dump (pf::Switch::Juniper::EX2300::try {...} )
Dump the value of the Vendor Specific attributes in radiusDisconnect
--------------------------------------------------------------------------------------------
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Start VSA dump (pf::Switch::Juniper::EX2300::try {...} )
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO:
[mac:11:11:11:11:11:11] $VAR1 = \[
{
'attribute' => 'Juniper-AV-Pair',
'value' => 'Port-Bounce',
'vendor' => 'Juniper'
}
];
(pf::Switch::Juniper::EX2300::try {...} )
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - End VSA dump (pf::Switch::Juniper::EX2300::try {...} )
Dump the value of the standard RADIUS attributes when they reach the perform_dynauth method in pf/lib/pf/util/radius.pm
-----------------------------------------------------------------------------------------------
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Start DynAuth dump attributes (pf::util::radius::perform_dynauth)
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO:
[mac:11:11:11:11:11:11] $VAR1 = \{
'Acct-Session-Id' => '8O2.1x81bb00c30005098f',
'NAS-IP-Address' => '2.2.2.2',
'Calling-Station-Id' => '11:11:11:11:11:11'
};
(pf::util::radius::perform_dynauth)
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - End DynAuth dump attributes (pf::util::radius::perform_dynauth)
Dump the value of the Vendor Specific Attributes when they reach the perform_dynauth method in pf/lib/pf/util/radius.pm
-----------------------------------------------------------------------------------------------
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Start DynAuth dump vsa (pf::util::radius::perform_dynauth)
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO:
[mac:11:11:11:11:11:11] $VAR1 = \[
{
'attribute' => 'Juniper-AV-Pair',
'value' => 'Port-Bounce',
'vendor' => 'Juniper'
}
];
(pf::util::radius::perform_dynauth)
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - End DynAuth dump vsa (pf::util::radius::perform_dynauth)
I added a call to radius_request->vsattr() right after the call to set_vsattr(), where, I expect, the VSAs are created and added to the radius_request object. I expected the vsattr() call to return the Juniper VSA that was sent in. My changes look like this:
-----------------------------------------------------------------------------------------------
    # Warning: untested
    # TODO deal with attribute merging
    # Runs inside pf::util::radius::perform_dynauth: $radius_request, $vsa and
    # $logger are already in scope there; Dumper() needs "use Data::Dumper;".
    foreach my $vsa_ref (@$vsa) {
        # Add each VSA from the switch module to the outgoing request
        my $result = $radius_request->set_vsattr($vsa_ref->{'vendor'},
            $vsa_ref->{'attribute'}, $vsa_ref->{'value'});
        $logger->info("DNA - start result of set_vsattr");
        # Debug read-back of the request's VSAs (called here without arguments)
        my $jl1 = $radius_request->vsattr();
        if (!defined $jl1) {
            $logger->info("DNA - result of radius_request->vsattr() is not defined");
        }
        else {
            $logger->info(Dumper(\$jl1));
        }
        $logger->info("DNA - end result of set_vsattr");
    }
And here is the resulting log entry showing that radius_request->vsattr() returns an undefined value, not a VSA:
-----------------------------------------------------------------------------------------------
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - start result of set_vsattr (pf::util::radius::perform_dynauth)
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - result of radius_request->vsattr() is not defined (pf::util::radius::perform_dynauth)
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - end result of set_vsattr (pf::util::radius::perform_dynauth)
Finally, some log entries to show the result of the perform_disconnect method (success)
-----------------------------------------------------------------------------------------------
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Returned from performing Disconnect (pf::Switch::Juniper::EX2300::try {...} )
Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - response is defined and the code is Disconnect-ACK (pf::Switch::Juniper::EX2300::radiusDisconnect)
I will appreciate your review of this information and any advice you can offer
to point me in the right direction.
Thank you,
Jeff
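As an added example (not code from this thread, from PacketFence, or from Net::Radius::Packet), here is a small Python tool that does on the wire what the debug logging above was trying to do in Perl: it builds an RFC 5176 Disconnect-Request carrying the three standard attributes from Jeff's capture plus a Vendor-Specific attribute holding a Juniper-AV-Pair of "Port-Bounce", parses the packet back, and reports whether the Juniper VSA is actually present. Assumptions: the shared secret "testing123" is constructed; 2636 is Juniper's IANA enterprise number; the vendor type 52 for Juniper-AV-Pair is what I recall from the FreeRADIUS dictionary and should be checked against the dictionary on the PacketFence host; the session id, NAS IP and MAC are the already-anonymized values from the capture. One useful property: a request without the VSA encodes to exactly the 69 bytes Wireshark reported, and with it to 88, so the Length field alone tells whether Port-Bounce made it into the packet. Separately, as I recall Net::Radius::Packet's vsattr is a lookup keyed by vendor and attribute name, so a no-argument call returning undef does not by itself show the VSA is missing; the check function below does the equivalent keyed lookup.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample secret for this example (not taken from the thread).
SHARED_SECRET = b"testing123"

CODE_DISCONNECT_REQUEST = 40          # RFC 5176
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44

JUNIPER_VENDOR_ID = 2636              # IANA enterprise number for Juniper Networks
JUNIPER_AV_PAIR_TYPE = 52             # assumption: Juniper-AV-Pair vendor type per the FreeRADIUS dictionary


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute: Type (1) | Length (1, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific (26) attribute: Vendor-Id | Vendor-Type | Vendor-Length | Value."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_disconnect_request(ident, nas_ip, calling_station_id, acct_session_id, vsas, secret):
    """Build a Disconnect-Request; vsas is a list of (vendor_id, vendor_type, value bytes)."""
    attrs = (
        encode_avp(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
        + encode_avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + encode_avp(ATTR_CALLING_STATION_ID, calling_station_id.encode())
    )
    for vendor_id, vendor_type, value in vsas:
        attrs += encode_vsa(vendor_id, vendor_type, value)
    header = struct.pack("!BBH", CODE_DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 section 2.3: Request Authenticator =
    # MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator; a NAS silently drops requests where this fails."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def parse_attributes(packet: bytes):
    """Decode the attribute list; VSAs are expanded into their vendor sub-attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2 : pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):
                if vpos + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed vendor sub-attribute length")
                attrs.append({"type": attr_type, "vendor": vendor_id,
                              "vendor_type": vtype, "value": value[vpos + 2 : vpos + vlen]})
                vpos += vlen
        else:
            attrs.append({"type": attr_type, "value": value})
        pos += attr_len
    return attrs


def has_juniper_port_bounce(packet: bytes) -> bool:
    """Keyed lookup by vendor and attribute: is a Juniper-AV-Pair 'Port-Bounce' in the packet?"""
    return any(
        a.get("vendor") == JUNIPER_VENDOR_ID
        and a.get("vendor_type") == JUNIPER_AV_PAIR_TYPE
        and a["value"] == b"Port-Bounce"
        for a in parse_attributes(packet)
    )


if __name__ == "__main__":
    session = ("2.2.2.2", "11:11:11:11:11:11", "8O2.1x81bb00c30005098f")
    without = build_disconnect_request(232, *session, [], SHARED_SECRET)
    with_vsa = build_disconnect_request(
        232, *session, [(JUNIPER_VENDOR_ID, JUNIPER_AV_PAIR_TYPE, b"Port-Bounce")], SHARED_SECRET)
    print(len(without), has_juniper_port_bounce(without))    # 69 False (the capture above)
    print(len(with_vsa), has_juniper_port_bounce(with_vsa))  # 88 True
```

To compare against a live capture, feed the raw UDP payload from a pcap (or the bytes PacketFence's perform_dynauth sends) into parse_attributes and has_juniper_port_bounce; verify_request_authenticator needs the switch's shared secret and is what the NAS checks before acting on a request.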
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users