Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-27 Thread Tanzanite Prime Gaming via PacketFence-users
I also got this same issue. Interesting.

On Tue, May 26, 2020, 7:20 PM Chad Jemison via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I have dyn-authorization enabled on the switches for the PacketFence
> server IP. I’ve enabled Radius Accounting service on PacketFence as it is
> now disabled by default. I’ve turned on debugging on my test switch and get
> the following when issuing a Reevaluate Access:
>
> DROPPED, Event-Timestamp Attribute is either missing or is not current.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-26 Thread Chad Jemison via PacketFence-users
This may have been the missing part in the switch config. Looking through the 
HP section of FreeRadius site, 
https://wiki.freeradius.org/vendor/HP#rfc-3576-change-of-authorisation-disconnect-message_switch-configuration_disable-event-timestamp-check-if-required,
 I added the following to my switch config:

Radius-server host x.x.x.x time-window 0

And now when I do a reevaluate access, the device, in this case a VoIP phone, 
restarts and the debug entries on the switch look clean.




---
Chad Jemison
Director of IT
Seneca Gaming Authority
345 Third Street, Suite 404
Niagara Falls, New York 14303
716-299-1246 x267
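
Added example (not part of the original message or of PacketFence's code): a Python model of the freshness check behind the switch's "DROPPED, Event-Timestamp Attribute is either missing or is not current" message, and of what `time-window 0` changes. The packet builder, the `nas_verdict` helper, the 300-second window and the sample timestamps are assumptions constructed for illustration; treating a zero window as "no check" follows the FreeRADIUS wiki section linked above.

```python
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 5176 packet codes
CALLING_STATION_ID, EVENT_TIMESTAMP = 31, 55  # RADIUS attribute types


def build_request(code, ident, attrs):
    """Build an unsigned RADIUS packet from (type, value) pairs (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # Authenticator is zeroed: this sketch models only the timestamp check.
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\0" * 16) + body


def event_timestamp(packet):
    """Return Event-Timestamp (seconds since epoch) or None if the attribute is absent."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        raise ValueError("not a well-formed Disconnect/CoA request")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == EVENT_TIMESTAMP:
            if attr_len != 6:
                raise ValueError("Event-Timestamp must carry 4 octets")
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += attr_len
    return None


def nas_verdict(packet, now, time_window):
    """Hypothetical switch-side decision; time_window=0 models the check being disabled."""
    ts = event_timestamp(packet)
    if time_window == 0:
        return "ACCEPT"
    if ts is None or abs(now - ts) > time_window:
        return "DROPPED"
    return "ACCEPT"


NOW = 1590500000  # constructed reference time
MAC = b"64-16-7F-57-CB-B8"  # constructed Calling-Station-Id value
FRESH = build_request(DISCONNECT_REQUEST, 1, [(CALLING_STATION_ID, MAC),
                                              (EVENT_TIMESTAMP, struct.pack("!I", NOW - 10))])
STALE = build_request(DISCONNECT_REQUEST, 2, [(CALLING_STATION_ID, MAC),
                                              (EVENT_TIMESTAMP, struct.pack("!I", NOW - 3600))])
BARE = build_request(DISCONNECT_REQUEST, 3, [(CALLING_STATION_ID, MAC)])

if __name__ == "__main__":
    for name, pkt in (("fresh", FRESH), ("stale", STALE), ("no timestamp", BARE)):
        print(name, nas_verdict(pkt, NOW, 300), nas_verdict(pkt, NOW, 0))
```

With a 300-second window only the fresh request passes; with a window of 0 all three do, which is the trade-off behind the `time-window 0` setting.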



Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-26 Thread Chad Jemison via PacketFence-users
I have dyn-authorization enabled on the switches for the PacketFence server IP. 
I've enabled Radius Accounting service on PacketFence as it is now disabled by 
default. I've turned on debugging on my test switch and get the following when 
issuing a Reevaluate Access:

DROPPED, Event-Timestamp Attribute is either missing or is not current.






---
Chad Jemison
Director of IT
Seneca Gaming Authority
345 Third Street, Suite 404
Niagara Falls, New York 14303
716-299-1246 x267



Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-26 Thread Nicolas Quiniou-Briand via PacketFence-users




On 22/05/2020 16:59, Chad Jemison wrote:

I get the following when using the Aruba templates

May 22 10:58:08 nac pfqueue: pfqueue(13316) WARN: 
[mac:64:16:7f:57:cb:b8] Unable to perform RADIUS Disconnect/CoA Request: 
Timeout waiting for a reply from 192.168.101.30 on port 3799 at 
/usr/local/pf/lib/pf/util/radius.pm line 185. 
(pf::Switch::Template::catch {...} )


May 22 10:58:08 nac pfqueue: pfqueue(13316) ERROR: 
[mac:64:16:7f:57:cb:b8] Wrong RADIUS secret or unreachable network 
device... (pf::Switch::Template::catch {...} )


Certainly because you need to configure RFC 3576 (RADIUS Disconnect) on 
your network device. If you use the Aruba switch template previously 
mentioned, you will also need to enable accounting on your network device.

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-22 Thread Chad Jemison via PacketFence-users
I get the following when using the Aruba templates

May 22 10:58:08 nac pfqueue: pfqueue(13316) WARN: [mac:64:16:7f:57:cb:b8] 
Unable to perform RADIUS Disconnect/CoA Request: Timeout waiting for a reply 
from 192.168.101.30 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 
185. (pf::Switch::Template::catch {...} )
May 22 10:58:08 nac pfqueue: pfqueue(13316) ERROR: [mac:64:16:7f:57:cb:b8] 
Wrong RADIUS secret or unreachable network device... 
(pf::Switch::Template::catch {...} )





Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-21 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello Chad,

On 19/05/2020 17:02, Chad Jemison via PacketFence-users wrote:
From troubleshooting, I am able to 
get the proper VOICE VLAN assignment if I use the Packetfence::Standard 
switch template, but some other features are not functioning on the 
Aruba 2930 switches I have.


Which other features didn't work ?

Recently, I created the ArubaSwitchNG template which was tested on 2530 
using Aruba OS 16.10. I didn't test the voice part but if it's working 
as expected with PacketFence::Standard, maybe you can try to add the 
voice part to the ArubaSwitchNG template and make a new test.

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-19 Thread Chad Jemison via PacketFence-users
Hello Chad,

If you check the code at the line mentioned:

sub getVoipVsa {
    my ($self) = @_;
    my $logger = $self->logger;
    my $vlanid = sprintf( "%03x\n", $self->getVlanByName($VOICE_ROLE) );
    my $hexvlan = hex( "31000" . $vlanid );
    return ( 'Egress-VLANID' => $hexvlan, );
}

What is the VLAN id that you want to return ?

Thanks,


The VLAN ID for Voice should be 202. From troubleshooting, I am able to get the 
proper VOICE VLAN assignment if I use the Packetfence::Standard switch 
template, but some other features are not functioning on the Aruba 2930 
switches I have.  The main difference I see in the templates is:

Packetfence:: Standard::VOIP Scope uses Tunnel-Private-Group-Id  
$switch._voiceVlan

HP::Switch::VOIP Scope uses Egress-VLAN-Name  1$(switch._voiceRole)




---
Chad Jemison
Director of IT
Seneca Gaming Authority
345 Third Street, Suite 404
Niagara Falls, New York 14303
716-299-1246 x267



Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-19 Thread Chad Jemison via PacketFence-users
For simplicity's sake, the VOICE VLAN is 202, the DATA VLAN is 1.


Could you check:
- in packetfence.log

VLAN 202 is not being assigned. I'm not sure why the time clocks Authentication 
Source is being called by the phone. Nothing in that rule would seem to 
associate the phone with the MAC address of one of the time clocks.

May 19 10:48:00 nac packetfence_httpd.aaa: httpd.aaa(2311) INFO: 
[mac:64:16:7f:57:c6:f5] handling radius autz request: from switch_ip => 
(192.168.101.30), connection_type => Ethernet-NoEAP,switch_mac => 
(08:f1:ea:0c:7a:7f), mac => [64:16:7f:57:c6:f5], port => 1, username => 
"64167f57c6f5" (pf::radius::authorize)
May 19 10:48:00 nac packetfence_httpd.aaa: httpd.aaa(2311) INFO: 
[mac:64:16:7f:57:c6:f5] Instantiate profile SGATimeClocks 
(pf::Connection::ProfileFactory::_from_profile)
May 19 10:48:00 nac packetfence_httpd.aaa: httpd.aaa(2311) INFO: 
[mac:64:16:7f:57:c6:f5] Found authentication source(s) : 'SGA_TimeClocks' for 
realm 'null' (pf::config::util::filter_authentication_sources)
May 19 10:48:00 nac packetfence_httpd.aaa: httpd.aaa(2311) INFO: 
[mac:64:16:7f:57:c6:f5] Using sources SGA_TimeClocks for matching 
(pf::authentication::match2)
May 19 10:48:00 nac packetfence_httpd.aaa: httpd.aaa(2311) WARN: 
[mac:64:16:7f:57:c6:f5] Illegal hexadecimal digit '
' ignored at /usr/local/pf/lib/pf/Switch/HP/Procurve_2920.pm line 57.
(pf::Switch::HP::Procurve_2920::getVoipVsa)
May 19 10:48:01 nac packetfence_httpd.aaa: httpd.aaa(2311) INFO: 
[mac:64:16:7f:57:c6:f5] security_event 133 force-closed for 
64:16:7f:57:c6:f5 (pf::security_event::security_event_force_close)
May 19 10:48:01 nac packetfence_httpd.aaa: httpd.aaa(2311) INFO: 
[mac:64:16:7f:57:c6:f5] Instantiate profile SGATimeClocks 
(pf::Connection::ProfileFactory::_from_profile)
May 19 10:48:02 nac packetfence_httpd.aaa: httpd.aaa(2311) INFO: 
[mac:64:16:7f:57:c6:f5] Updating locationlog from accounting request 
(pf::api::handle_accounting_metadata)
May 19 10:48:12 nac pfqueue: pfqueue(37322) WARN: [mac:64:16:7f:57:c6:f5] 
Unable to pull accounting history for device 64:16:7f:57:c6:f5. The history set 
doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
May 19 10:48:13 nac pfqueue: pfqueue(37322) WARN: [mac:64:16:7f:57:c6:f5] 
Unable to pull accounting history for device 64:16:7f:57:c6:f5. The history set 
doesn't exist yet. (pf::accounting_events_history::latest_mac_history)


- in RADIUS audit log (on RADIUS reply tab)
RADIUS Reply
Egress-VLANID = 822083786


- on your switch

The port the phone is physically on does not have the proper VLAN 202 assigned 
as tagged and VLAN 1 assigned as untagged.


to see ID of VLAN returned





---
Chad Jemison
Director of IT
Seneca Gaming Authority
345 Third Street, Suite 404
Niagara Falls, New York 14303
716-299-1246 x267
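
Added example (not from the original thread and not PacketFence's own code): the `Egress-VLANID = 822083786` value from the audit log, decoded with the RFC 4675 layout (one tag-indication octet, 12 pad bits, 12-bit VLAN ID), next to a Python rendering of the `getVoipVsa` arithmetic quoted in this thread. `perl_hex` is a simplified stand-in for Perl's `hex()`, which stops at the first non-hex character; all function names are hypothetical.

```python
import string

TAGGED, UNTAGGED = 0x31, 0x32  # RFC 4675 tag-indication octets


def encode_egress_vlanid(vlan, tagged=True):
    """Pack a VLAN ID into the 32-bit Egress-VLANID integer."""
    if not 0 <= vlan <= 0xFFF:
        raise ValueError("VLAN ID does not fit in 12 bits")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan


def decode_egress_vlanid(value):
    """Split an Egress-VLANID integer into (tagging, vlan_id)."""
    tag, pad, vlan = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError("unknown tag indication 0x%02x" % tag)
    if pad:
        raise ValueError("pad bits are not zero")
    return ("tagged" if tag == TAGGED else "untagged", vlan)


def perl_hex(text):
    """Simplified stand-in for Perl hex(): parse leading hex digits only.

    Returns (value, warned); warned is True where Perl would log
    "Illegal hexadecimal digit ... ignored".
    """
    digits = ""
    for ch in text:
        if ch not in string.hexdigits:
            break
        digits += ch
    return int(digits or "0", 16), len(digits) < len(text)


def get_voip_vsa_value(vlan):
    """Same arithmetic as the quoted getVoipVsa, including the trailing newline."""
    return perl_hex("31000" + "%03x\n" % vlan)


if __name__ == "__main__":
    value, warned = get_voip_vsa_value(202)  # VLAN 202 is the voice VLAN in the thread
    print(value, warned, decode_egress_vlanid(value))
```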



Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-19 Thread Ludovic Zammit via PacketFence-users
Hello Chad,

If you check the code at the line mentioned:

sub getVoipVsa {
    my ($self) = @_;
    my $logger = $self->logger;
    my $vlanid = sprintf( "%03x\n", $self->getVlanByName($VOICE_ROLE) );
    my $hexvlan = hex( "31000" . $vlanid );
    return ( 'Egress-VLANID' => $hexvlan, );
}

What is the VLAN id that you want to return ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On May 18, 2020, at 11:22 AM, Chad Jemison via PacketFence-users 
>  wrote:
> 
> May 18 11:18:09 nac packetfence_httpd.aaa: httpd.aaa(2311) WARN: 
> [mac:64:16:7f:57:c7:a3] Illegal hexadecimal digit '
> ' ignored at /usr/local/pf/lib/pf/Switch/HP/Procurve_2920.pm line 57.
> (pf::Switch::HP::Procurve_2920::getVoipVsa)
>  
> The above is generated when I do a Reevaluate Access on a node. I am using a 
> mix of HP 2920 and Aruba 2930F switches with the Aruba::2930M template. CoA 
> is disabled and Deauthentication Method is SNMP. VOIP, VoIPLLDPDetect and 
> DHCPDetect are set to yes. Is this warning a concern?


Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-19 Thread Nicolas Quiniou-Briand via PacketFence-users




On 19/05/2020 13:50, Chad Jemison wrote:

1. What do you see in RADIUS Audit Log (RADIUS reply) when you
connect a VoIP device on your switch that use Procurve_2920.pm switch
template ?

May 19 07:46:26 nac auth[136359]: [mac:64:16:7f:57:c6:f5] Accepted user:  and 
returned VLAN
May 19 07:46:26 nac auth[136359]: (6046) Login OK: [64167f57c6f5] (from client 
192.168.101.30/32 port 1 cli 64:16:7f:57:c6:f5)


Could you check:
- in packetfence.log
- in RADIUS audit log (on RADIUS reply tab)
- on your switch

to see ID of VLAN returned
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)




Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-19 Thread Chad Jemison via PacketFence-users
1. What do you see in RADIUS Audit Log (RADIUS reply) when you connect a VoIP 
device on your switch that use Procurve_2920.pm switch template ?

The following is when I power cycle the phone.

May 19 07:46:26 nac auth[136359]: rlm_sql (sql): Closing connection (695): Hit 
idle_timeout, was idle for 246 seconds
May 19 07:46:26 nac auth[136359]: rlm_sql (sql): Closing connection (696): Hit 
idle_timeout, was idle for 246 seconds
May 19 07:46:26 nac auth[136359]: rlm_sql (sql): Opening additional connection 
(697), 1 of 64 pending slots used
May 19 07:46:26 nac auth[136359]: Need 2 more connections to reach min 
connections (3)
May 19 07:46:26 nac auth[136359]: rlm_sql (sql): Opening additional connection 
(698), 1 of 63 pending slots used
May 19 07:46:26 nac auth[136359]: rlm_rest (rest): Closing connection (626): 
Hit idle_timeout, was idle for 246 seconds
May 19 07:46:26 nac auth[136359]: rlm_rest (rest): Closing connection (625): 
Hit idle_timeout, was idle for 246 seconds
May 19 07:46:26 nac auth[136359]: rlm_rest (rest): Opening additional 
connection (627), 1 of 64 pending slots used
May 19 07:46:26 nac auth[136359]: Need 2 more connections to reach min 
connections (3)
May 19 07:46:26 nac auth[136359]: rlm_rest (rest): Opening additional 
connection (628), 1 of 63 pending slots used
May 19 07:46:26 nac auth[136359]: [mac:64:16:7f:57:c6:f5] Accepted user:  and 
returned VLAN
May 19 07:46:26 nac auth[136359]: (6046) Login OK: [64167f57c6f5] (from client 
192.168.101.30/32 port 1 cli 64:16:7f:57:c6:f5)


2. Which VLAN is associated to voice role in your switch config ?

VLAN 202 is set as voice vlan on switches and associated with the voice role in 
PF.




-Original Message-
From: Nicolas Quiniou-Briand via PacketFence-users 
 
Sent: Tuesday, May 19, 2020 5:34 AM
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand 
Subject: Re: [PacketFence-users] Reeavulate Access Log Warning

Hello,

On 18/05/2020 17:22, Chad Jemison via PacketFence-users wrote:
> May 18 11:18:09 nac packetfence_httpd.aaa: httpd.aaa(2311) WARN:
> [mac:64:16:7f:57:c7:a3] Illegal hexadecimal digit '
>
> ' ignored at /usr/local/pf/lib/pf/Switch/HP/Procurve_2920.pm line 57.
>
> (pf::Switch::HP::Procurve_2920::getVoipVsa)
>
> The above is generated when I do a Reevaluate Access on a node. I am 
> using a mix of HP 2920 and Aruba 2930F switches with the Aruba::2930M 
> template. CoA is disabled and Deauthentication Method is SNMP. VOIP, 
> VoIPLLDPDetect and DHCPDetect are set to yes. Is this warning a concern?

1. What do you see in RADIUS Audit Log (RADIUS reply) when you connect a VoIP 
device on your switch that use Procurve_2920.pm switch template ?

2. Which VLAN is associated to voice role in your switch config ?
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca Inverse inc. 
:: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)




Re: [PacketFence-users] Reeavulate Access Log Warning

2020-05-19 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello,

On 18/05/2020 17:22, Chad Jemison via PacketFence-users wrote:
May 18 11:18:09 nac packetfence_httpd.aaa: httpd.aaa(2311) WARN: 
[mac:64:16:7f:57:c7:a3] Illegal hexadecimal digit '


' ignored at /usr/local/pf/lib/pf/Switch/HP/Procurve_2920.pm line 57.

(pf::Switch::HP::Procurve_2920::getVoipVsa)

The above is generated when I do a Reevaluate Access on a node. I am 
using a mix of HP 2920 and Aruba 2930F switches with the Aruba::2930M 
template. CoA is disabled and Deauthentication Method is SNMP. VOIP, 
VoIPLLDPDetect and DHCPDetect are set to yes. Is this warning a concern?


1. What do you see in RADIUS Audit Log (RADIUS reply) when you connect a 
VoIP device on your switch that use Procurve_2920.pm switch template ?


2. Which VLAN is associated to voice role in your switch config ?
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)


