Re: [PacketFence-users] Issue with PacketFence 12 and Cisco WLC

2023-03-01 Thread Andrew Torry via PacketFence-users
RESTRICTED

Hi Fabrice,

Long time since I did anything with our PF server but we are having to upgrade 
from 6.5 and I am unsure how to code the override in WLC.pm.

I have simply added a 'tweaked' copy of the 'extractSSIDFromCalledStationId' 
subroutine into the WLC.pm file assuming it will take precedence over the
definition in Switch.pm but it does not appear to be working as we are still 
getting:-

packetfence.log:Feb 28 10:33:48 packetfence httpd.aaa-docker-wrapper[4185393]: httpd.aaa(7) INFO: [mac:[undef]] Unable to extract MAC from Called-Station-Id: Tremough_HSE_0_MG29_AP1:ISETest (pf::radius::extractApMacFromRadiusRequest)
packetfence.log:Feb 28 10:33:48 packetfence httpd.aaa-docker-wrapper[4185393]: httpd.aaa(7) INFO: [mac:ee:d5:c7:dc:8f:84] Unable to extract SSID of Called-Station-Id: Tremough_HSE_0_MG29_AP1:ISETest (pf::Switch::extractSSIDFromCalledStationId)
packetfence.log:Feb 28 10:33:48 packetfence httpd.aaa-docker-wrapper[4185393]: httpd.aaa(7) WARN: [mac:ee:d5:c7:dc:8f:84] Unable to extract SSID for module pf::Switch::Cisco::WLC_5500. SSID-based VLAN assignments won't work. Please let us know so we can add support for it. (pf::Switch::extractSsid)

In WLC.pm we now have:-
.
.
.
Snip
.
.
.

=item extractSSIDFromCalledStationId

Parse the Called-Station-Id attribute sent by a Cisco WLC differently as it can
be configured to send a non-standard string that can be anything rather than a
formatted MAC Address followed by :SSID

=cut

sub extractSSIDFromCalledStationId {
    my ($self, $radius_request) = @_;
    # it's put in Called-Station-Id
    # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
    if (defined($radius_request->{'Called-Station-Id'})) {
        if ($radius_request->{'Called-Station-Id'} =~ /^
            # below is MAC Address with supported separators: :, - or nothing
            # [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
            .*      # any prefix, such as an AP name
            :       # : delimiter
            (.*)    # SSID
        $/ix) {
            return $1;
        } else {
            my $logger = $self->logger;
            $logger->info("Unable to extract SSID of Called-Station-Id: ".$radius_request->{'Called-Station-Id'});
        }
    }

    return undef;
}

I am not a Perl expert so may be missing something here.

Regards

Andrew


Re: [PacketFence-users] Issue with PacketFence 12 and Cisco WLC

2023-02-27 Thread Fabrice Durand via PacketFence-users
Hello Andrew,
since it's just Cisco WLC related, then you can put this function in WLC.pm
instead.
What you can do is to open a PR on GitHub with your change, we will review
it and merge it in the code base.
Regards
Fabrice



[PacketFence-users] Issue with PacketFence 12 and Cisco WLC

2023-02-27 Thread Andrew Torry via PacketFence-users

Greetings fellow PF users,

We have an issue that I was wondering if there is any chance of someone from 
the dev team to look at for me.

The Cisco WLC provides for the transmission of the CalledStationID field of a 
RADIUS packet to be based on different formats:-

[inline image: image003.png]

In our specific case with a campus stretched out over a huge area containing 
about 1300 APs it is very useful to have the RADIUS logs refer to the NAME of 
an AP rather than simply its MAC address.

This works fine with all our systems except PF.

The code inside Switch.pm is hardwired to recognise XX:XX:XX:XX:XX:XX:SSID or 
:SSID or XX-XX-XX-XX-XX-XX:SSID but rejects any other format (such 
as AP Name:SSID) above.

This renders our WLC configuration incompatible with PF.

There is a simple tweak to the code that we can perform by replacing the REGEXP 
in the code from:-

sub extractSSIDFromCalledStationId {
    my ($self, $radius_request) = @_;
    # it's put in Called-Station-Id
    # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
    if (defined($radius_request->{'Called-Station-Id'})) {
        if ($radius_request->{'Called-Station-Id'} =~ /^
            # below is MAC Address with supported separators: :, - or nothing
            [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
            :       # : delimiter
            (.*)    # SSID
        $/ix) {
            return $1;
        } else {
            my $logger = $self->logger;
            $logger->info("Unable to extract SSID of Called-Station-Id: ".$radius_request->{'Called-Station-Id'});
        }
    }

    return undef;
}

To:-

sub extractSSIDFromCalledStationId {
    my ($self, $radius_request) = @_;
    # it's put in Called-Station-Id
    # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
    if (defined($radius_request->{'Called-Station-Id'})) {
        if ($radius_request->{'Called-Station-Id'} =~ /^
            # below is MAC Address with supported separators: :, - or nothing
            # [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
            .*      # any prefix, such as an AP name
            :       # : delimiter
            (.*)    # SSID
        $/ix) {
            return $1;
        } else {
            my $logger = $self->logger;
            $logger->info("Unable to extract SSID of Called-Station-Id: ".$radius_request->{'Called-Station-Id'});
        }
    }

    return undef;
}

But we are reluctant to modify CORE code as this will be lost at upgrades.

What would be nice is to have some sort of 'Called-Station-ID format specifier' 
included in the Configuration system.

Andrew


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
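
Added example (not part of the original posts and not PacketFence code): the stock and relaxed patterns from this thread run side by side over sample Called-Station-Id values. The greedy .* in the relaxed pattern splits at the last colon and no longer checks the prefix, which matters because the extracted SSID drives SSID-based VLAN assignment. $mac, $first_colon and extract_ssid are hypothetical names, and sample values not taken from the thread are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stock pattern from the thread: MAC (":", "-" or no separator), ":", SSID.
my $strict = qr/^
    [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
    :       # delimiter
    (.*)    # SSID
$/ix;

# Relaxed pattern from the thread: MAC check commented out, any prefix allowed.
# The greedy .* makes the split happen at the LAST colon in the value.
my $relaxed = qr/^ .* : (.*) $/ix;

# Hypothetical alternative (not PacketFence code): the prefix is either a MAC
# or a colon-free AP name, so the split is at the first colon after it and
# an SSID that itself contains ":" is returned whole.
my $mac         = qr/[a-f0-9]{2}(?:[-:]?[a-f0-9]{2}){5}/i;
my $first_colon = qr/^ (?: $mac | [^:]+ ) : (.+) $/x;

# Return the captured SSID, or undef when the value does not match.
sub extract_ssid {
    my ($re, $called_station_id) = @_;
    return $called_station_id =~ $re ? $1 : undef;
}

my @samples = (
    'aa-bb-cc-dd-ee-ff:Secure SSID',    # format from the code comment
    'Tremough_HSE_0_MG29_AP1:ISETest',  # AP name format, from the log above
    'aa-bb-cc-dd-ee-ff:Guest:Lab',      # constructed: SSID containing a colon
    'AP-17:Guest:Lab',                  # constructed: AP name, SSID with a colon
    'no delimiter here',                # constructed: malformed value
);

printf "%-32s %-12s %-12s %s\n", 'Called-Station-Id', 'strict', 'relaxed', 'first-colon';
for my $csi (@samples) {
    my @got = map { extract_ssid($_, $csi) } ($strict, $relaxed, $first_colon);
    printf "%-32s %-12s %-12s %s\n", $csi, map { defined $_ ? $_ : '(undef)' } @got;
}
```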