Hi,

After upgrading to 13.0 from 12.2, the firewall SSO is broken. Though the PacketFence logs show the SSO being sent out, I don't see any accounting packets received on the FW, so I ran tcpdump on PacketFence and that as well shows no packet was sent out from PacketFence.

Your expedited help is requested.

Thanks in advance,
- Arun
PacketFence log:

Aug 22 08:57:41 aolicnac httpd.webservices-docker-wrapper[4245]: httpd.webservices(7902) INFO: [mac:94:c6:91:a8:e4:a3] Sending a firewall SSO 'Update' request for MAC '94:c6:91:a8:e4:a3' and IP '10.0.100.13' (pf::firewallsso::do_sso)
Aug 22 08:57:41 aolicnac httpd.webservices-docker-wrapper[4245]: httpd.webservices(7902) INFO: [mac:94:c6:91:a8:e4:a3] Request to /api/v1/firewall_sso/update is unauthorized, will perform a login (pf::api::unifiedapiclient::call)
Aug 22 08:57:42 aolicnac pfqueue[43619]: pfqueue(43619) INFO: [mac:94:c6:91:a8:e4:a3] Trying generic MIB to force 802.1x port re-authentication. Your mileage may vary. If it doesn't work open a bug report with your hardware type. (pf::Switch::_dot1xPortReauthenticate)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] handling radius autz request: from switch_ip => (192.168.2.12), connection_type => Ethernet-EAP,switch_mac => (c0:62:6b:68:f4:07), mac => [94:c6:91:a8:e4:a3], port => 10005, username => "hodtest" (pf::radius::authorize)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Found authentication source(s) : 'set-group-based-role' for realm 'null' (pf::config::util::filter_authentication_sources)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Using sources set-group-based-role for matching (pf::authentication::match2)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) WARN: [mac:94:c6:91:a8:e4:a3] [set-group-based-role set-role-Bypassed] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) WARN: [mac:94:c6:91:a8:e4:a3] [set-group-based-role set-role-HOD] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match_rule)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Found authentication source(s) : 'set-group-based-role' for realm 'null' (pf::config::util::filter_authentication_sources)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Username was defined "hodtest" - returning role 'HOD' (pf::role::getRegisteredRole)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] PID: "hodtest", Status: reg Returned VLAN: (undefined), Role: HOD (pf::role::fetchRoleForNode)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] (192.168.2.12) Added VLAN 20 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) WARN: [mac:94:c6:91:a8:e4:a3] No parameter HODRole found in conf/switches.conf for the switch 192.168.2.12 (pf::Switch::getRoleByName)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] security_event 1300003 force-closed for 94:c6:91:a8:e4:a3 (pf::security_event::security_event_force_close)
Aug 22 08:57:42 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
Aug 22 08:57:43 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Sending a firewall SSO 'Stop' request for MAC '94:c6:91:a8:e4:a3' and IP '10.0.100.13' (pf::firewallsso::do_sso)
Aug 22 08:57:43 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) WARN: [mac:94:c6:91:a8:e4:a3] Firewall SSO Notify (pf::api::firewallsso_accounting)
Aug 22 08:57:43 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Sending a firewall SSO 'Update' request for MAC '94:c6:91:a8:e4:a3' and IP '169.254.187.138' (pf::firewallsso::do_sso)
Aug 22 08:57:46 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) WARN: [mac:94:c6:91:a8:e4:a3] Firewall SSO Notify (pf::api::firewallsso_accounting)
Aug 22 08:57:46 aolicnac httpd.aaa-docker-wrapper[3329]: httpd.aaa(8) INFO: [mac:94:c6:91:a8:e4:a3] Sending a firewall SSO 'Update' request for MAC '94:c6:91:a8:e4:a3' and IP '10.0.100.13' (pf::firewallsso::do_sso)

TCP dump on PacketFence:

root@aolicnac:~# tcpdump -i any -c40 -nn host 172.16.30.18
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

Firewall conf file:

root@aolicnac:~# more /usr/local/pf/conf/firewall_sso.conf
[172.16.30.18]
categories=Bypassed,HOD,Regular,AGuest,Regular-multi,Bypassed-Multi,HOD_multi
port=1813
cache_updates=0
password=xxxxxxx
username_format=$pf_username
type=FortiGate
networks=10.0.0.0/16
use_connector=1
# Copyright (C) Inverse inc.
#[192.168.1.254]
#type=FortiGate
#password=s3cr3t
#port=1813
#[192.168.1.253]
#type=PaloAlto
#key=
# Specific to the PaloAlto firewall , you must use a username and password to fetch the key to use (see PaloAlto documentation).
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
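Added example (not the poster's code and not PacketFence's own implementation): the FortiGate SSO target in the posted firewall_sso.conf is a RADIUS accounting listener on UDP 1813, so a hand-built RFC 2866 Accounting-Request sent from the PacketFence host while tcpdump runs separates "PacketFence never emitted the packet" from "the packet left but the firewall discarded it". The script below builds Start/Interim-Update/Stop requests with a correct Request Authenticator, parses a captured request back, and checks whether its authenticator matches a given shared secret. The target 172.16.30.18 and port 1813 are taken from the posted config; the attribute set (User-Name, Framed-IP-Address, Calling-Station-Id, Acct-Status-Type, Acct-Session-Id, optional Class carrying the role), the secret `xxxxxxx` and the session id are assumptions and placeholders, not what PacketFence emits.

```python
"""Build, send and verify RFC 2866 RADIUS Accounting-Requests (firewall SSO style)."""
import hashlib
import socket
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}

# Attribute type codes from RFC 2865 / RFC 2866.
USER_NAME, FRAMED_IP_ADDRESS, CLASS, CALLING_STATION_ID = 1, 8, 25, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44


def _avp(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret, identifier, username, ip, mac, status,
                             session_id, role=None):
    """Return the wire bytes of an Accounting-Request with a valid Request Authenticator.

    Assumption: this attribute set is what a firewall's accounting listener keys on
    (User-Name + Framed-IP-Address for identity, Class for group/role); it is not a
    transcript of the attributes PacketFence sends.
    """
    attrs = [
        _avp(USER_NAME, username.encode()),
        _avp(FRAMED_IP_ADDRESS, socket.inet_aton(ip)),
        _avp(CALLING_STATION_ID, mac.encode()),
        _avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS[status])),
        _avp(ACCT_SESSION_ID, session_id.encode()),
    ]
    if role is not None:
        attrs.append(_avp(CLASS, role.encode()))
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def request_authenticator_valid(packet, secret):
    """Recompute the Request Authenticator of a captured Accounting-Request.

    False means the packet was altered, truncated, or the two sides do not share
    the same secret. A listener silently drops such packets, which looks exactly
    like "no accounting received" on the firewall side.
    """
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return expected == authenticator


def parse_attributes(packet):
    """Decode the attribute list of a RADIUS packet into [(type, raw_value), ...]."""
    body, pos, out = packet[20:], 0, []
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute length")
        out.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return out


def send_and_wait(packet, host, port=1813, timeout=3.0):
    """Send the request over UDP; True if a matching Accounting-Response comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return len(reply) >= 20 and reply[0] == ACCOUNTING_RESPONSE and reply[1] == packet[1]


if __name__ == "__main__":
    # Constructed values: MAC, IP and role mirror the log excerpt; the secret and
    # session id are placeholders. FIREWALL is the SSO target from firewall_sso.conf.
    pkt = build_accounting_request(b"xxxxxxx", 1, "hodtest", "10.0.100.13",
                                   "94:c6:91:a8:e4:a3", "Interim-Update",
                                   "pf-sso-test-0001", role="HOD")
    print("authenticator ok:", request_authenticator_valid(pkt, b"xxxxxxx"))
    FIREWALL = "172.16.30.18"
    print("accounting response received:", send_and_wait(pkt, FIREWALL))
```

Run it on the PacketFence host with `tcpdump -i any -nn udp port 1813` in a second terminal: a filter on the UDP port rather than on `host 172.16.30.18` also catches a request that is being sent to the wrong destination. If the hand-built request shows up in the capture and the firewall's session table, the path and shared secret are fine and the problem is on the PacketFence emit side; if even this packet never appears, look at routing or a local firewall first. One caveat on the capture point: with `use_connector=1` the SSO request is handed to a PacketFence Connector, so if the connector runs on another host the UDP packet is expected to leave from that host and a capture on the PacketFence server itself will stay empty.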