Hi Fabrice,

Thanks for your help!

# radsniff -i any -f "port 3799" -x
Logging all events
Sniffing on (any)
2020-12-14 20:51:45.371391 (1) Disconnect-Request Id 47
any:10.2.2.254:50066 -> 10.2.2.1:3799 +0.000
        User-Name = "5C:E0:C5:C1:D6:FD"
        Authenticator-Field = 0xdf1a6f19c9705f995d3ec5404fbae7fa
2020-12-14 20:51:45.381915 (2) Disconnect-NAK Id 47
any:10.2.2.254:50066 <- 10.2.2.1:3799 +0.010 +0.010
        NAS-Identifier = "MikroTik"
        Error-Cause = Unsupported-Extension
        Authenticator-Field = 0x3843256beb137e164cb9af92c97329bd
2020-12-14 20:51:50.581915 (1) Cleaning up request packet ID 47


And at the same time in the PacketFence log:
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) INFO: [mac:5c:e0:c5:c1:d6:fd]
[5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1)
(pf::api::desAssociate)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating
5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is
set, we will use controller 10.2.2.1 to perform deauth
(pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) ERROR: [mac:5c:e0:c5:c1:d6:fd] Trying to save
a NULL value in a non nullable field radius_audit_log.mac
(pf::dal::validate_field)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) ERROR: [mac:5c:e0:c5:c1:d6:fd] Skipping
invalid value (NULL) in when inserting field radius_audit_log.mac
(pf::dal::_insert_data)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) WARN: [mac:5c:e0:c5:c1:d6:fd] Warning: 1364:
Field 'mac' doesn't have a default value (pf::dal::db_execute)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to
perform RADIUS Disconnect-Request. Disconnect-NAK received with
Error-Cause: Unsupported-Extension.
(pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) INFO: [mac:5c:e0:c5:c1:d6:fd]
[5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1)
(pf::api::desAssociate)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating
5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is
set, we will use controller 10.2.2.1 to perform deauth
(pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) ERROR: [mac:5c:e0:c5:c1:d6:fd] Trying to save
a NULL value in a non nullable field radius_audit_log.mac
(pf::dal::validate_field)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) ERROR: [mac:5c:e0:c5:c1:d6:fd] Skipping
invalid value (NULL) in when inserting field radius_audit_log.mac
(pf::dal::_insert_data)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) WARN: [mac:5c:e0:c5:c1:d6:fd] Warning: 1364:
Field 'mac' doesn't have a default value (pf::dal::db_execute)
Dec 14 20:51:45 radius packetfence_httpd.webservices:
httpd.webservices(4434) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to
perform RADIUS Disconnect-Request. Disconnect-NAK received with
Error-Cause: Unsupported-Extension.
(pf::Switch::Mikrotik::radiusDisconnect)

By the way, why does everything print twice in this log?

On Wed, Dec 9, 2020 at 5:32 PM Durand fabrice <fdur...@inverse.ca> wrote:
>
> Hello Adrian,
>
> try:
>
> radsniff -i any -f "port 3799" -x
>
> and paste the debug.
>
> Regards
> Fabrice
>
> On 20-12-08 at 16:19, Adrian D'Atri-Guiran wrote:
>
> Hi Fabrice,
>
> When I use RADIUS instead of SSH as the deauthentication method, I receive the
> following errors in my PacketFence log:
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on 
> switch (10.2.2.60) (pf::api::desAssociate)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 5c:e0:c5:c1:d6:fd 
> (pf::Switch::Mikrotik::radiusDisconnect)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set, we will use controller 
> 10.2.2.60 to perform deauth (pf::Switch::Mikrotik::radiusDisconnect)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> ERROR: [mac:5c:e0:c5:c1:d6:fd] Trying to save a NULL value in a non nullable 
> field radius_audit_log.mac (pf::dal::validate_field)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> ERROR: [mac:5c:e0:c5:c1:d6:fd] Skipping invalid value (NULL) in when 
> inserting field radius_audit_log.mac (pf::dal::_insert_data)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> WARN: [mac:5c:e0:c5:c1:d6:fd] Warning: 1364: Field 'mac' doesn't have a 
> default value (pf::dal::db_execute)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on 
> switch (10.2.2.60) (pf::api::desAssociate)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 5c:e0:c5:c1:d6:fd 
> (pf::Switch::Mikrotik::radiusDisconnect)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set, we will use controller 
> 10.2.2.60 to perform deauth (pf::Switch::Mikrotik::radiusDisconnect)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> ERROR: [mac:5c:e0:c5:c1:d6:fd] Trying to save a NULL value in a non nullable 
> field radius_audit_log.mac (pf::dal::validate_field)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> ERROR: [mac:5c:e0:c5:c1:d6:fd] Skipping invalid value (NULL) in when 
> inserting field radius_audit_log.mac (pf::dal::_insert_data)
> Dec  8 16:13:42 radius packetfence_httpd.webservices: httpd.webservices(4423) 
> WARN: [mac:5c:e0:c5:c1:d6:fd] Warning: 1364: Field 'mac' doesn't have a 
> default value (pf::dal::db_execute)
>
> And on the MikroTik side, I receive this error in the log:
> Radius disconnect with no ip provided
>
> Thanks!
>
> On Mon, Dec 7, 2020 at 6:12 PM Durand fabrice via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
>>
>> Try that instead:
>>
>>
>> $logger->info("SSH connection to mikrotik access point with credentials: username ".$self->{_cliUser}." password ".$self->{_cliPwd});
>>
>>
>> Also, why don't you use the RADIUS disconnect method?
>>
>>
>> On 20-12-07 at 19:10, Adrian D'Atri-Guiran via PacketFence-users wrote:
>>
>> Hello,
>>
>> I have followed the guide as per:
>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_command_line_interface_telnet_and_ssh
>> and I cannot find the place in Configuration → Policies and Access Control → 
>> Switches
>> to add the credentials, so I have added them to my switches.conf file
>> grep '10.2.2.60' /usr/local/pf/conf/switches.conf -A 9
>> [10.2.2.60]
>> deauthMethod=SSH
>> description=CAP AC
>> controllerIp=10.2.2.60
>> type=Mikrotik
>> cliTransport=SSH
>> cliUser=admin
>> cliPwd=<redacted>
>> ExternalPortalEnforcement=Y
>> radiusSecret=<redacted>
>> registrationVlan=102
>> isolationVlan=103
>>
>> But when I try to de-associate a node I receive an error:
>> ERROR: [mac:12:e1:f9:6d:95:4a] Can't call method "exec" on an undefined 
>> value at /usr/local/pf/lib/pf/Switch/Mikrotik.pm line 343.
>>
>> I did a bit of digging and added a line of debugging here:
>> https://github.com/inverse-inc/packetfence/blob/1369b3819f3b1986d11da2bd75925187d7a62b00/lib/pf/Switch/Mikrotik.pm#L337
>> I added:
>> $logger->info("SSH connection to mikrotik access point with 
>> credentials:$self->{_cliUser}, $self->{_cliPwd}");
>> then restarted.  I see the line printing in my logs, but the login and
>> password are blank.  Somehow my settings from switches.conf are not making it
>> to the deauthenticateMacSSH subroutine.
>> Dec  7 18:39:24 radius packetfence_httpd.webservices: 
>> httpd.webservices(4423) INFO: [mac:12:e1:f9:6d:95:4a] SSH connection to 
>> mikrotik access point with credentials:,  
>> (pf::Switch::Mikrotik::deauthenticateMacSSH)
>>
>> Thank you for your help,
>> Adrian
>>
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
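The radsniff exchange pasted at the top of this thread, read programmatically. This is an added example, not code from the thread or from PacketFence: it pairs each Disconnect/CoA request with its reply by RADIUS Id and reports which attributes the request carried and the Error-Cause that came back. The function names are made up for this illustration; the capture is the one from the message.

```python
import re

# Capture copied from the message above, wrapped as it appears there.
CAPTURE = '''\
2020-12-14 20:51:45.371391 (1) Disconnect-Request Id 47
any:10.2.2.254:50066 -> 10.2.2.1:3799 +0.000
        User-Name = "5C:E0:C5:C1:D6:FD"
        Authenticator-Field = 0xdf1a6f19c9705f995d3ec5404fbae7fa
2020-12-14 20:51:45.381915 (2) Disconnect-NAK Id 47
any:10.2.2.254:50066 <- 10.2.2.1:3799 +0.010 +0.010
        NAS-Identifier = "MikroTik"
        Error-Cause = Unsupported-Extension
        Authenticator-Field = 0x3843256beb137e164cb9af92c97329bd
2020-12-14 20:51:50.581915 (1) Cleaning up request packet ID 47
'''

HEADER = re.compile(r'\(\d+\)\s+((?:Disconnect|CoA)-(?:Request|ACK|NAK)) Id (\d+)')
ATTR = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')

def parse_packets(text):
    """Split radsniff -x text into packets: code, RADIUS Id, attribute dict."""
    packets = []
    for line in text.splitlines():
        head, attr = HEADER.search(line), ATTR.match(line)
        if head:
            packets.append({"code": head.group(1), "id": int(head.group(2)), "attrs": {}})
        # Authenticator-Field is the packet header field, not a session attribute.
        elif attr and packets and attr.group(1) != "Authenticator-Field":
            packets[-1]["attrs"][attr.group(1)] = attr.group(2).strip('"')
    return packets

def summarize(text):
    """Pair each request with the reply that carries the same RADIUS Id."""
    pending, results = {}, []
    for pkt in parse_packets(text):
        if pkt["code"].endswith("-Request"):
            pending[pkt["id"]] = pkt
            continue
        req = pending.pop(pkt["id"], None)
        if req is None:
            continue  # reply whose request was not captured
        results.append({"id": pkt["id"], "reply": pkt["code"], "sent": sorted(req["attrs"]),
                        "error_cause": pkt["attrs"].get("Error-Cause")})
    # Requests still pending never received a reply in this capture.
    results += [{"id": i, "reply": None, "sent": sorted(p["attrs"]), "error_cause": None}
                for i, p in pending.items()]
    return results

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

For the capture in this thread it shows a Disconnect-Request whose only attribute is User-Name, answered by a Disconnect-NAK with Error-Cause Unsupported-Extension.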