Jeff,

Do you have the CoA checked on your switch / switch group?

You are doing a RADIUS Disconnect. If I understand correctly, you want to do a RADIUS CoA. We don't see the Juniper-AV-Pair because it's not a CoA packet.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Nov 6, 2020, at 9:58 AM, Jeff Linden <[email protected]> wrote:
>
> Ludovic,
>
> Here are the results of radsniff -x -p 3799.
>
> Sniffing on (eth0 Domain1-b Domain2-b Domain3-b Domain4-b eth0.247 eth0.248 lo)
> 2020-11-06 09:54:26.285552 (1) Disconnect-Request Id 17 eth0:1.1.1.1:58488 -> 2.2.2.2:3799 +0.000
>         NAS-IP-Address = 2.2.2.2
>         Calling-Station-Id = "33:33:33:33:33:33"
>         Acct-Session-Id = "8O2.1x81bb00cb000d8d1c"
>         Authenticator-Field = 0x607bb51b501008ae307bd616097f1456
> 2020-11-06 09:54:26.376235 (2) Disconnect-ACK Id 17 eth0:1.1.1.1:58488 <- 2.2.2.2:3799 +0.090 +0.090
>         EAP-Message = 0x03010004
>         Message-Authenticator = 0x66e8bfbce673406812b197ae6b179ded
>         Authenticator-Field = 0x01ee9a70ea49ea387c2689cf767022c4
> 2020-11-06 09:54:31.576235 (1) Cleaning up request packet ID 17
> ^CDone sniffing
>
> Thank you,
>
> Jeff
>
>
> From: Ludovic Zammit <[email protected]>
> Sent: Friday, November 6, 2020 8:44 AM
> To: [email protected]
> Cc: Jeff Linden <[email protected]>
> Subject: Re: [PacketFence-users] Juniper Port-Bounce Vendor Attribute no longer working
>
> Hello Jeff,
>
> I would like you to do a test please:
>
> radsniff -x -p 3799
>
> Then in your web admin, click on the MAC address connected on that switch and then click on the button "Reevaluate Access".
>
> Show me the radsniff capture please.
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
> > On Nov 5, 2020, at 4:51 PM, Jeff Linden via PacketFence-users <[email protected]> wrote:
> >
> > Hello,
> >
> > Previously, I was successfully running PacketFence 9.2 using the EX2300.pm module to manage my Juniper EX4300 switches. The test switch for the results presented below is running Junos 18.2R3.4. This is the version I upgraded to when trying to get PacketFence 9.2 working. It was successful with this Junos version.
> >
> > Now, I have upgraded to PacketFence version 10.2 AND implemented a 3 node distributed cluster.
> >
> > The Vendor Specific Attribute, Port-Bounce, is not being created and sent to the Juniper switch any longer. Without the port bounce, wired Captive Portal client devices do not get moved to the VLAN that will allow them temporary Internet access to complete registration. One of the steps I took to get this working in version 9.2 was to update the radiusDisconnect method in EX2300.pm to include the VSA. The default implementation of radiusDisconnect does not include the VSA; only the implementation of setAdminStatus does.
> >
> > My testing includes both going through the captive portal process, which executes radiusDisconnect, and also just using the Restart Switch Port button in the web interface, which executes setAdminStatus. Both methods behave the same in not sending the VSA.
> >
> > The Juniper switch is receiving and acknowledging the disconnect request and changing the VLAN assigned to the port. But the request does not contain the Port-Bounce Vendor Specific Attribute, so the client isn't triggered to perform a fresh DHCP request. Physically disconnecting the client and re-connecting works as expected: the client is placed on the proper VLAN and given temporary Internet access.
> >
> > Here is some log data and packet capture data that has led me to be able to ask for help with this. I've added some of my own log entries to EX2300.pm and pf/lib/pf/util/radius.pm. These are prefaced with "DNA - ". With them, I've dumped the results of variables in some of the functions to show the VSA doesn't seem to be created.
> >
> > Packet Capture (radiusDisconnect method)
> > --------------------------------------------
> > Frame 9: 123 bytes on wire (984 bits), 123 bytes captured (984 bits)
> > Juniper Ethernet
> > Internet Protocol Version 4, Src: <PacketFence DNS Name> (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)
> > User Datagram Protocol, Src Port: 53334 (53334), Dst Port: radius-dynauth (3799)
> > RADIUS Protocol
> >     Code: Disconnect-Request (40)
> >     Packet identifier: 0xe8 (232)
> >     Length: 69
> >     Authenticator: c36c08dde526a31eae96271be3d341c0
> >     [The response to this request is in frame 11]
> >     Attribute Value Pairs
> >         AVP: t=Acct-Session-Id(44) l=24 val=8O2.1x81bb00c30005098f
> >         AVP: t=NAS-IP-Address(4) l=6 val=2.2.2.2
> >         AVP: t=Calling-Station-Id(31) l=19 val=11:11:11:11:11:11
> >
> > Frame 11: 112 bytes on wire (896 bits), 112 bytes captured (896 bits)
> > Juniper Ethernet
> > Ethernet II, Src: JuniperN_37:ad:41 (<22:22:22:22:22:22>), Dst: JuniperN_23:dc:b0 (<Router MAC>)
> > 802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1
> > Internet Protocol Version 4, Src: 2.2.2.2 (2.2.2.2), Dst: <PacketFence DNS Name> (1.1.1.1)
> > User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 53334 (53334)
> > RADIUS Protocol
> >     Code: Disconnect-ACK (41)
> >     Packet identifier: 0xe8 (232)
> >     Length: 44
> >     Authenticator: 76d3877b583ee8c4d24d860584e837b9
> >     [This is a response to a request in frame 9]
> >     [Time from request: 0.066431000 seconds]
> >     Attribute Value Pairs
> >         AVP: t=EAP-Message(79) l=6 Last Segment[1]
> >         AVP: t=Message-Authenticator(80) l=18 val=c1a8dc4a5e2ceac4f3824a63f9a89186
> >
> > Log message showing the EX2300 radiusDisconnect method is executing
> > --------------------------------------------
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Performing Disconnect (pf::Switch::Juniper::EX2300::try {...} )
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Deauthenticating 11:11:11:11:11:11 (pf::Switch::Juniper::EX2300::radiusDisconnect)
> >
> > Dump the value of the standard RADIUS attributes in radiusDisconnect
> > --------------------------------------------
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Start attribute dump (pf::Switch::Juniper::EX2300::try {...} )
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] $VAR1 = \{
> >     'Acct-Session-Id' => '8O2.1x81bb00c30005098f',
> >     'NAS-IP-Address' => '2.2.2.2',
> >     'Calling-Station-Id' => '11:11:11:11:11:11'
> > };
> > (pf::Switch::Juniper::EX2300::try {...} )
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - End attribute dump (pf::Switch::Juniper::EX2300::try {...} )
> >
> > Dump the value of the Vendor Specific attributes in radiusDisconnect
> > --------------------------------------------
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Start VSA dump (pf::Switch::Juniper::EX2300::try {...} )
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] $VAR1 = \[
> >     {
> >         'attribute' => 'Juniper-AV-Pair',
> >         'value' => 'Port-Bounce',
> >         'vendor' => 'Juniper'
> >     }
> > ];
> > (pf::Switch::Juniper::EX2300::try {...} )
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - End VSA dump (pf::Switch::Juniper::EX2300::try {...} )
> >
> > Dump the value of the standard RADIUS attributes when they reach the perform_dynauth method in pf\lib\pf\util\radius.pm
> > --------------------------------------------
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Start DynAuth dump attributes (pf::util::radius::perform_dynauth)
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] $VAR1 = \{
> >     'Acct-Session-Id' => '8O2.1x81bb00c30005098f',
> >     'NAS-IP-Address' => '2.2.2.2',
> >     'Calling-Station-Id' => '11:11:11:11:11:11'
> > };
> > (pf::util::radius::perform_dynauth)
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - End DynAuth dump attributes (pf::util::radius::perform_dynauth)
> >
> > Dump the value of the Vendor Specific Attributes when they reach the perform_dynauth method in pf\lib\pf\util\radius.pm
> > --------------------------------------------
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Start DynAuth dump vsa (pf::util::radius::perform_dynauth)
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] $VAR1 = \[
> >     {
> >         'attribute' => 'Juniper-AV-Pair',
> >         'value' => 'Port-Bounce',
> >         'vendor' => 'Juniper'
> >     }
> > ];
> > (pf::util::radius::perform_dynauth)
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - End DynAuth dump vsa (pf::util::radius::perform_dynauth)
> >
> > I added a call to radius_request->vsattr() right after the call to set_vsattr() where, I expect, the VSAs are created and added to the radius_request object. I expected the vsattr() call to return the Juniper VSA that was sent in. My changes look like this:
> > --------------------------------------------
> >     # Warning: untested
> >     # TODO deal with attribute merging
> >     foreach my $vsa_ref (@$vsa) {
> >         my $result = $radius_request->set_vsattr($vsa_ref->{'vendor'}, $vsa_ref->{'attribute'}, $vsa_ref->{'value'});
> >         $logger->info("DNA - start result of set_vsattr");
> >         my $jl1 = $radius_request->vsattr();
> >         if (!defined $jl1) {
> >             $logger->info("DNA - result of radius_request->vsattr() is not defined");
> >         }
> >         else {
> >             $logger->info(Dumper(\$jl1));
> >         }
> >         $logger->info("DNA - end result of set_vsattr");
> >     }
> >
> > And here is the resulting log entry showing that radius_request->vsattr() returns an undefined value, not a VSA:
> > --------------------------------------------
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - start result of set_vsattr (pf::util::radius::perform_dynauth)
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - result of radius_request->vsattr() is not defined (pf::util::radius::perform_dynauth)
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - end result of set_vsattr (pf::util::radius::perform_dynauth)
> >
> > Finally, some log entries to show the result of the perform_disconnect method (success):
> > --------------------------------------------
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - Returned from performing Disconnect (pf::Switch::Juniper::EX2300::try {...} )
> > Nov 5 16:11:40 nadc1-pf-01 pfqueue: pfqueue(42867) INFO: [mac:11:11:11:11:11:11] DNA - response is defined and the code is Disconnect-ACK (pf::Switch::Juniper::EX2300::radiusDisconnect)
> >
> > I will appreciate your review of this information and any advice you can offer to point me in the right direction.
> >
> > Thank you,
> >
> > Jeff
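The distinction Ludovic draws at the top of the thread (a Disconnect-Request, code 40, versus a CoA-Request, code 43, carrying the Juniper-AV-Pair VSA) can be checked directly on the wire. The following Python is an added example, not code from the thread or from PacketFence: it builds RFC 5176 dynamic-authorization packets from the attributes in Jeff's radsniff output, verifies the Request Authenticator against the shared secret, and inspects a packet for the Port-Bounce VSA, which is the check a defender would run on a capture like the one above. The Juniper vendor id (2636) and the Juniper-AV-Pair sub-attribute number (52) are assumed from the FreeRADIUS Juniper dictionary, and the shared secret is a constructed value.

```python
import hashlib
import struct

# RFC 5176 codes at issue in the thread, plus the IANA Vendor-Specific attribute type.
DISCONNECT_REQUEST, COA_REQUEST, VENDOR_SPECIFIC = 40, 43, 26
JUNIPER_VENDOR_ID = 2636  # Juniper enterprise number (assumed, from FreeRADIUS dictionary.juniper)
JUNIPER_AV_PAIR = 52      # Juniper-AV-Pair sub-attribute number (assumed, same dictionary)

def avp(attr_type, value):
    """Encode one standard attribute as type | length | value."""
    return bytes([attr_type, 2 + len(value)]) + value

def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute wrapping a single vendor sub-attribute."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def build_dynauth(code, ident, secret, attrs):
    """Assemble a packet; Request Authenticator = MD5(code | id | len | 16 zero bytes | attrs | secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_request_authenticator(packet, secret):
    """Recompute the authenticator over the packet with the field zeroed; False = wrong secret or tampering."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]

def inspect(packet):
    """Return (code, has_port_bounce): walk the AVPs looking for Juniper-AV-Pair = Port-Bounce."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    pos, found = 20, False
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == JUNIPER_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == JUNIPER_AV_PAIR and value[6:4 + vlen] == b"Port-Bounce":
                found = True
        pos += attr_len
    return code, found

# Constructed sample (not a real secret): the attributes from the radsniff output, once as the
# Disconnect-Request the capture showed (no VSA) and once as a CoA-Request carrying Port-Bounce.
SECRET = b"constructed-shared-secret"
BASE_ATTRS = [avp(4, bytes([2, 2, 2, 2])), avp(31, b"33:33:33:33:33:33")]
DISCONNECT_PKT = build_dynauth(DISCONNECT_REQUEST, 17, SECRET, BASE_ATTRS)
COA_PKT = build_dynauth(COA_REQUEST, 18, SECRET,
                        BASE_ATTRS + [vsa(JUNIPER_VENDOR_ID, JUNIPER_AV_PAIR, b"Port-Bounce")])
```

Running `inspect()` over the bytes of a captured request tells you in one call whether the switch was sent a Disconnect or a CoA and whether the Port-Bounce VSA actually made it into the packet, independent of what the Perl-side dumps show before the packet is encoded.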
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
