Hello Jason,

It looks like you are missing a radius shared in your switch config in PF.

Make sure it is set everywhere.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Sep 25, 2025, at 2:18 PM, Jason Maxfield <thejasonmaxfi...@gmail.com> 
> wrote:
> 
> Hi Ludovic,
> 
> Yes I do see the Acct-Session-Id. I also see it in all other connections as 
> well. 
> 
> Here is some more info:
> 
> radsniff log:
> 
> Accounting-Request Id 111 eth0:172.17.1.6:42214 -> 172.17.1.9:1813 +0.028
>         User-Name = "aa:90:2d:xx:xx:xx"
>         NAS-IP-Address = 172.17.1.6
>         NAS-Port = 72
>         Framed-IP-Address = 172.17.2.48
>         Called-Station-Id = "C8-84-8C-xx-xx-xx:xxxxx"
>         Calling-Station-Id = "AA-90-2D-xx-xx-xx"
>         NAS-Identifier = "C8-84-8C-xx-xx-xx"
>         Proxy-State = 0x323533
>         NAS-Port-Type = Wireless-802.11
>         Acct-Status-Type = Interim-Update
>         Acct-Input-Octets = 2286535
>         Acct-Output-Octets = 71838619
>         Acct-Session-Id = "68D580B5-3765D001"
>         Acct-Authentic = Local
>         Acct-Session-Time = 300
>         Acct-Input-Packets = 6893
>         Acct-Output-Packets = 140404
>         Acct-Multi-Session-Id = "c88x"
>         Acct-Link-Count = 1
>         Event-Timestamp = "Sep 25 2025 10:54:41 PDT"
>         Connect-Info = "CONNECT 802.11a/n/ac/ax"
>         Ruckus-Sta-RSSI = 37
>         Ruckus-SSID = "xxxxxx"
>         Ruckus-Location = "xxxxx"
>         Ruckus-SCG-CBlade-IP = xxxxxxx
>         Ruckus-VLAN-ID = 1
>         Ruckus-BSSID = 0xc88x
>         Authenticator-Field = 0x4f2x
> 2025-09-25 10:54:41.708585 (4) Accounting-Response Id 111 eth0:172.17.1.6:42214 <- 172.17.1.9:1813 +0.029 +0.000
>         Reply-Message = "Accounting OK"
>         Proxy-State = 0x323533
>         Authenticator-Field = 0x73bx
> 
> RADIUS Audit log in PF:
> RADIUS
> RADIUS Request
> Called-Station-Id = "c8:84:8c:xx:xx:xx:xxxxx",
> Called-Station-SSID = "xxxxx",
> Calling-Station-Id = "aa:90:2d:xx:xx:xx",
> Event-Timestamp = "Sep 25 2025 10:49:41 PDT",
> FreeRADIUS-Client-IP-Address = "172.17.1.6",
> Location-Data = "0x313x",
> Location-Data = "0x323x",
> Message-Authenticator = "0x355x",
> NAS-IP-Address = "172.17.1.6",
> NAS-Identifier = "C8-84-8C-xx-xx-xx",
> NAS-Port-Type = "Wireless-802.11",
> PacketFence-KeyBalanced = "cb9x",
> PacketFence-Radius-Ip = "172.17.1.9",
> Proxy-State = "0x313x",
> Realm = "null",
> Ruckus-BSSID = "0xc88x",
> Ruckus-Cluster-Name = "xxxxxx",
> Ruckus-Domain-Name = "xxxxxxx",
> Ruckus-Location = "xxxxxxx",
> Ruckus-SCG-CBlade-IP = "2.88x",
> Ruckus-SSID = "xxxxxx",
> Ruckus-VLAN-ID = "1",
> Ruckus-Wlan-Name = "xxxxx",
> Ruckus-Zone-Name = "xxxxxxx",
> Service-Type = "Framed-User",
> Stripped-User-Name = "aa:90:2d:xx:xx:xx",
> User-Name = "aa:90:2d:xx:xx:xx",
> User-Password = "******"
> RADIUS Reply
> Proxy-State = "0x313x",
> REST-HTTP-Status-Code = "200",
> Tunnel-Medium-Type = "IEEE-802",
> Tunnel-Private-Group-Id = "1",
> Tunnel-Type = "VLAN"
> 
> Node Information
> MAC Address aa:90:2d:xx:xx:xx
> Auth Status Accept
> Auth Type Accept
> Auto Registration No
> Calling Station Identifier aa:90:2d:xx:xx:xx
> Computer Name N/A
> EAP Type
> Event Type Radius-Access-Request
> IP Address N/A
> Is a Phone No
> Created at 2025-09-25T10:49:45-07:00
> Node Status reg
> Domain
> Profile Wireless
> Realm null
> Reason
> Role Faculty
> Source N/A
> Stripped User Name aa:90:2d:xx:xx:xx
> User Name aa:90:2d:xx:xx:xx
> Unique Identifier
> 
> 
> This is the code that errors (specific lines bolded):
> 
> sub node_accounting_dynauth_attr {
>     my ($mac) = @_;
>     if(my $entry = pf::accounting->cache->get($mac)){
>         return {username => $entry->{'User-Name'}, acctsessionid => $entry->{'Acct-Session-Id'}};
>     }
>     return _db_item(
>         -columns => [qw(username acctsessionid)],
>         -where => {
>             acctstoptime => undef,
>             callingstationid => $mac,
>         },
>         -limit => 1,
>         -order_by => {-desc => 'acctstarttime'},
>     );
> }
> 
> 
> 
> On Wed, Sep 24, 2025, 11:58 AM Zammit, Ludovic <luza...@akamai.com> wrote:
>> Hello Jason,
>> 
>> Try that:
>> 
>> radsniff -x -p 1813
>> 
>> Disconnect and reconnect.
>> 
>> Do you see the accounting start packet with the Session Id?
>> 
>> Thanks,
>> 
>> Ludovic Zammit
>> 
>>> On Sep 12, 2025, at 12:14 PM, Jason Maxfield via PacketFence-users 
>>> <packetfence-users@lists.sourceforge.net> wrote:
>>> 
>>> I realize now that I'm not getting Acct-Session-Id. Anyone have any insight 
>>> on this? 
>>> 
>>> This is what shows up in RADIUS Audit Logs:
>>> <Screenshot_20250912-090220.png>
>>> 
>>> I'm getting online/offline status of nodes so accounting is working. I feel 
>>> like there's a config setting somewhere that I'm missing.
>>> 
>>> On Wed, Jul 9, 2025, 1:56 PM Jason Maxfield <thejasonmaxfi...@gmail.com> wrote:
>>>> PF version: 14.1
>>>> SmartZone version: 6.1.2
>>>> 
>>>> 
>>>> 
>>>> I can't figure out why PF isn't sending the deauth to SmartZone.
>>>> 
>>>> Here is the log during a successful authentication:
>>>> 
>>>> 2025-07-09T09:57:40.411141-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(16) INFO: 
>>>> [mac:b6:28:df:72:70:17] User test has authenticated on the portal. 
>>>> (captiveportal::PacketFence::DynamicRouting::Module::_username_set)
>>>> 2025-07-09T09:57:40.422941-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(16) INFO: 
>>>> [mac:b6:28:df:72:70:17] security_event 1300003 force-closed for 
>>>> b6:28:df:72:70:17 (pf::security_event::security_event_force_close)
>>>> 2025-07-09T09:57:40.427742-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(16) INFO: 
>>>> [mac:b6:28:df:72:70:17] Instantiate profile Wireless 
>>>> (pf::Connection::ProfileFactory::_from_profile)
>>>> 2025-07-09T09:57:40.557972-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: 
>>>> [mac:b6:28:df:72:70:17] Instantiate profile Wireless 
>>>> (pf::Connection::ProfileFactory::_from_profile)
>>>> 2025-07-09T09:57:40.558489-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) WARN: 
>>>> [mac:b6:28:df:72:70:17] locale from the URL is not supported 
>>>> (captiveportal::PacketFence::Controller::Root::getLanguages)
>>>> 2025-07-09T09:57:40.569495-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: 
>>>> [mac:b6:28:df:72:70:17] Releasing device 
>>>> (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
>>>> 2025-07-09T09:57:40.581710-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: 
>>>> [mac:b6:28:df:72:70:17] re-evaluating access (manage_register called) 
>>>> (pf::enforcement::reevaluate_access)
>>>> 2025-07-09T09:57:40.592158-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: 
>>>> [mac:b6:28:df:72:70:17] Instantiate profile Wireless 
>>>> (pf::Connection::ProfileFactory::_from_profile)
>>>> 2025-07-09T09:57:40.592478-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: 
>>>> [mac:b6:28:df:72:70:17] VLAN reassignment is forced. 
>>>> (pf::enforcement::_should_we_reassign_vlan)
>>>> 2025-07-09T09:57:40.592478-07:00 packetfence 
>>>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: 
>>>> [mac:b6:28:df:72:70:17] switch port is (172.17.1.6) ifIndex 0connection 
>>>> type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
>>>> 2025-07-09T09:57:41.712067-07:00 packetfence pfqueue-backend[3698633]: 
>>>> pfqueue(3698633) INFO: [mac:b6:28:df:72:70:17] [b6:28:df:72:70:17] 
>>>> DesAssociating mac on switch (172.17.1.6) (pf::api::desAssociate)
>>>> 2025-07-09T09:57:41.716073-07:00 packetfence pfqueue-backend[3698633]: 
>>>> pfqueue(3698633) ERROR: [mac:b6:28:df:72:70:17] Error handling 
>>>> desAssociate : must specify key at /usr/local/pf/lib/pf/accounting.pm 
>>>> line 262.
>>>> 
>>>> 
>>>> As you can see something is getting hung when trying to get the session 
>>>> from accounting. The line in question leads me to believe it's not sending 
>>>> the MAC properly? 
>>>> 
>>>> if(my $entry = pf::accounting->cache->get($mac)){
>>>> 
>>>> 
>>>> 
>>>> Here is my switches.conf:
>>>> 
>>>> [172.17.1.6]
>>>> FacultyVlan=1
>>>> group=Wireless
>>>> radiusSecret=PF_ENC[data:xxxx,tag:xxxx,iv:xxxx,ad:]
>>>> defaultVlan=1
>>>> 
>>>> [group Wireless]
>>>> description=Wireless Controllers
>>>> isolationVlan=107
>>>> defaultVlan=3
>>>> registrationVlan=105
>>>> type=Ruckus::SmartZone
>>>> 
>>>> I've tried clearing accounting cache: pmcmd cache accounting clear

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
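
The reply at the top of this thread asks to make sure the RADIUS shared setting is present everywhere in the switch config. The following is an added example, not part of the thread and not PacketFence code: it reads a switches.conf and lists every switch entry with no effective `radiusSecret`. It assumes a value is looked up in the switch section, then its `[group ...]` section, then `[default]`; the sample is constructed from the switches.conf quoted above, and 172.17.1.7 is a hypothetical extra entry.

```python
import configparser

# Constructed sample based on the switches.conf quoted in this thread.
# 172.17.1.7 is a hypothetical switch with no secret at any level.
SAMPLE = """\
[172.17.1.6]
FacultyVlan=1
group=Wireless
radiusSecret=PF_ENC[data:xxxx,tag:xxxx,iv:xxxx,ad:]
defaultVlan=1

[172.17.1.7]
group=Wireless

[group Wireless]
description=Wireless Controllers
type=Ruckus::SmartZone
"""

def effective(cfg, section, key):
    """Return (value, source section); order switch -> group -> default is assumed."""
    chain = [section]
    group = cfg.get(section, "group", fallback=None)
    if group:
        chain.append(f"group {group}")
    chain.append("default")
    for name in chain:
        if cfg.has_section(name) and cfg.get(name, key, fallback="").strip():
            return cfg.get(name, key).strip(), name
    return None, None

def switches_missing_secret(text):
    # No interpolation: encrypted values may contain '%'. No implicit DEFAULT section.
    cfg = configparser.ConfigParser(interpolation=None, default_section="__none__")
    cfg.optionxform = str  # keep key case, e.g. radiusSecret
    cfg.read_string(text)
    missing = []
    for section in cfg.sections():
        if section == "default" or section.startswith("group "):
            continue  # templates, not devices
        secret, _ = effective(cfg, section, "radiusSecret")
        if secret is None:
            missing.append(section)
    return missing

if __name__ == "__main__":
    for sw in switches_missing_secret(SAMPLE):
        print(f"{sw}: no radiusSecret in switch, group or default section")
```
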
