subject:"\[PacketFence\-users\] users stay in registration VLAN after authentication success"

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-02-06 Thread Fabrice Durand via PacketFence-users

Hello Tom,

sorry, this is a really busy period.

What we can try to find the issue is to put the log in debug, since it
looks that is on the portal that you have the issue we can try it first.

So in conf/log.conf.d/httpd.portal.conf , replace INFO per TRACE (2nd
line) and restart the portal.

Once done do another test and paste me the log (probably a huge amount
of lines).

Regards

Fabrice


Le 2018-02-02 à 07:19, tom lo a écrit :
> Hi Fabrice,
>
> Just to see if you have any idea or suggestions for us to troubleshoot
> the issues.
>
>
>
> Regards,
> Tom
>
> On Thu, Jan 25, 2018 at 12:21 PM, tom lo  wrote:
>> Hi Fabrice,
>>
>> Here is the content from the log file httpd.portal.access when the
>> user hit the portal.
>>
>>
>> 172.18.x.y - - [23/Jan/2018:11:31:37]  "captive.apple.com" "GET
>> /hotspot-detect.html HTTP/1.0" 302 1080 "-"
>> "CaptiveNetworkSupport-355.30.1 wispr" 4896
>> 172.18.x.y - - [23/Jan/2018:11:32:22]  "www.apple.com" "GET /
>> HTTP/1.1" 302 1101 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like
>> Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 5069
>> 172.18.x.y - - [23/Jan/2018:11:32:22]  "byod.a_domain.com" "GET
>> /captive-portal?destination_url=http://www.apple.com/; HTTP/1.1" 200
>> 31211 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2823405
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/styles.css HTTP/1.1" 200 22524
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 8248
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /content/captiveportal.js HTTP/1.1" 200 2771
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2990
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/pf.js HTTP/1.1" 200 4259
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 4216
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/A_Logo_Black_trans_med.png HTTP/1.1" 200 6418
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 3465
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/jquery-1.11.3.min.js HTTP/1.1" 200 95957
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 19690
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/img/sprite.svg HTTP/1.1" 200 27622
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 6047
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "POST
>> /record_destination_url HTTP/1.1" 200 -
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 35716
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "www.apple.com" "GET
>> /library/test/success.html HTTP/1.0" 302 1080 "-"
>> "CaptiveNetworkSupport-355.30.1 wispr" 4852
>> 172.18.x.y - - [23/Jan/2018:11:33:26]  "www.apple.com" "GET
>> /library/test/success.html HTTP/1.0" 302 1080 "-"
>> "CaptiveNetworkSupport-355.30.1 wispr" 4972
>> 172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "POST
>> /signup HTTP/1.1" 302 294
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 210063
>> 172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "GET
>> /captive-portal HTTP/1.1" 302 286
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 52410
>> 172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
>> /access HTTP/1.1" 200 6351
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 51125
>> 172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
>>

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-02-02 Thread tom lo via PacketFence-users

Hi Fabrice,

Just to see if you have any idea or suggestions for us to troubleshoot
the issues.



Regards,
Tom

On Thu, Jan 25, 2018 at 12:21 PM, tom lo  wrote:
> Hi Fabrice,
>
> Here is the content from the log file httpd.portal.access when the
> user hit the portal.
>
>
> 172.18.x.y - - [23/Jan/2018:11:31:37]  "captive.apple.com" "GET
> /hotspot-detect.html HTTP/1.0" 302 1080 "-"
> "CaptiveNetworkSupport-355.30.1 wispr" 4896
> 172.18.x.y - - [23/Jan/2018:11:32:22]  "www.apple.com" "GET /
> HTTP/1.1" 302 1101 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like
> Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 5069
> 172.18.x.y - - [23/Jan/2018:11:32:22]  "byod.a_domain.com" "GET
> /captive-portal?destination_url=http://www.apple.com/; HTTP/1.1" 200
> 31211 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2823405
> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
> /common/styles.css HTTP/1.1" 200 22524
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 8248
> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
> /content/captiveportal.js HTTP/1.1" 200 2771
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2990
> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
> /common/pf.js HTTP/1.1" 200 4259
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 4216
> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
> /common/A_Logo_Black_trans_med.png HTTP/1.1" 200 6418
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 3465
> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
> /common/jquery-1.11.3.min.js HTTP/1.1" 200 95957
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 19690
> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
> /common/img/sprite.svg HTTP/1.1" 200 27622
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 6047
> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "POST
> /record_destination_url HTTP/1.1" 200 -
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 35716
> 172.18.x.y - - [23/Jan/2018:11:32:25]  "www.apple.com" "GET
> /library/test/success.html HTTP/1.0" 302 1080 "-"
> "CaptiveNetworkSupport-355.30.1 wispr" 4852
> 172.18.x.y - - [23/Jan/2018:11:33:26]  "www.apple.com" "GET
> /library/test/success.html HTTP/1.0" 302 1080 "-"
> "CaptiveNetworkSupport-355.30.1 wispr" 4972
> 172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "POST
> /signup HTTP/1.1" 302 294
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 210063
> 172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "GET
> /captive-portal HTTP/1.1" 302 286
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 52410
> 172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
> /access HTTP/1.1" 200 6351
> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 51125
> 172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
> /content/timerbar.js HTTP/1.1" 200 4089
> "https://byod.a_domain.com/access; "Mozilla/5.0 (iPhone; CPU iPhone OS
> 11_2_2 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko)
> Mobile/15C202" 2634
> 172.18.x.y - - [23/Jan/2018:11:33:27]  "www.apple.com" "GET
> /library/test/success.html HTTP/1.0" 302 1080 "-"
> "CaptiveNetworkSupport-355.30.1 wispr" 4374
> 172.18.x.y - - [23/Jan/2018:11:34:25]  "www.apple.com" "GET
> /library/test/success.html HTTP/1.0" 302 1080 "-"
> "CaptiveNetworkSupport-355.30.1 wispr" 3925
> 172.18.x.y

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-25 Thread tom lo via PacketFence-users

Hi Fabrice,

Here is the content from the log file httpd.portal.access when the
user hit the portal.


172.18.x.y - - [23/Jan/2018:11:31:37]  "captive.apple.com" "GET
/hotspot-detect.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 4896
172.18.x.y - - [23/Jan/2018:11:32:22]  "www.apple.com" "GET /
HTTP/1.1" 302 1101 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like
Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 5069
172.18.x.y - - [23/Jan/2018:11:32:22]  "byod.a_domain.com" "GET
/captive-portal?destination_url=http://www.apple.com/; HTTP/1.1" 200
31211 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2823405
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/styles.css HTTP/1.1" 200 22524
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 8248
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/content/captiveportal.js HTTP/1.1" 200 2771
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2990
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/pf.js HTTP/1.1" 200 4259
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 4216
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/A_Logo_Black_trans_med.png HTTP/1.1" 200 6418
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 3465
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/jquery-1.11.3.min.js HTTP/1.1" 200 95957
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 19690
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/img/sprite.svg HTTP/1.1" 200 27622
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 6047
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "POST
/record_destination_url HTTP/1.1" 200 -
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 35716
172.18.x.y - - [23/Jan/2018:11:32:25]  "www.apple.com" "GET
/library/test/success.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 4852
172.18.x.y - - [23/Jan/2018:11:33:26]  "www.apple.com" "GET
/library/test/success.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 4972
172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "POST
/signup HTTP/1.1" 302 294
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 210063
172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "GET
/captive-portal HTTP/1.1" 302 286
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 52410
172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
/access HTTP/1.1" 200 6351
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 51125
172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
/content/timerbar.js HTTP/1.1" 200 4089
"https://byod.a_domain.com/access; "Mozilla/5.0 (iPhone; CPU iPhone OS
11_2_2 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko)
Mobile/15C202" 2634
172.18.x.y - - [23/Jan/2018:11:33:27]  "www.apple.com" "GET
/library/test/success.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 4374
172.18.x.y - - [23/Jan/2018:11:34:25]  "www.apple.com" "GET
/library/test/success.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 3925
172.18.x.y - - [23/Jan/2018:11:34:25]  "byod.a_domain.com" "GET
/captive-portal?destination_url=http://www.apple.com/; HTTP/1.1" 200
3770 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 48716
172.18.x.y - - [23/Jan/2018:11:34:25]  "byod.a_domain.com" "POST
/record_destination_url HTTP/1.1" 200 -

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-24 Thread Durand fabrice via PacketFence-users




Le 2018-01-23 à 04:41, tom lo a écrit :

Hi Fabrice,

We tried to uncheck the box "locationlog Close On Accounting Stop",
and restarted packetfence, but found the users are still stuck in
registration VLAN.
The queue count was zero at the moment.

We got the mysql output during each steps in the registration process.

1. When user connects to WiFi, there was a new locationlog, end_time
is -00-00 00:00:00.

2. After user go to captive portal, before doing any authentication,
the locationlog was changed with end_time marked.  (Does it mean the
locationlog was closed here?)
yes ... do you have the content of the httpd.portal.access when the user 
hit the portal ?


3. And right after authentication, no new locationlog and no change to
existing locationlog.
Warning messages "Can't re-evaluate access because no open locationlog
entry was found" shown in log

4. We let the device connected to WiFi, and after few minutes, the
device is moved to the working VLAN, a new locationlog shown, end_time
is -00-00 00:00:00.




### right after user connects to WiFi

+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| mac   | switch  | port | vlan | role |
connection_type   | connection_sub_type | dot1x_username| ssid
 | start_time  | end_time| switch_ip   |
switch_mac| stripped_user_name | realm | session_id |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| 7c:04:00:11:22:33 | 172.18.4.61 | 0| 501  | registration |
Wireless-802.11-NoEAP | NULL| 7c:04:00:11:22:33 |
SSID_A | 2018-01-23 11:31:32 | -00-00 00:00:00 | 172.18.4.61 |
84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL   |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++


###  after User goes to captive portal, before authentication

+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| mac   | switch  | port | vlan | role |
connection_type   | connection_sub_type | dot1x_username| ssid
 | start_time  | end_time| switch_ip   |
switch_mac| stripped_user_name | realm | session_id |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| 7c:04:00:11:22:33 | 172.18.4.61 | 0| 501  | registration |
Wireless-802.11-NoEAP | NULL| 7c:04:00:11:22:33 |
SSID_A | 2018-01-23 11:31:32 | 2018-01-23 11:32:10 | 172.18.4.61 |
84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL   |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++


###  right after authentication, User stuck in registration vlan, no
new locationlog entry

+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| mac   | switch  | port | vlan | role |
connection_type   | connection_sub_type | dot1x_username| ssid
 | start_time  | end_time| switch_ip   |
switch_mac| stripped_user_name | realm | session_id |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| 7c:04:00:11:22:33 | 172.18.4.61 | 0| 501  | registration |
Wireless-802.11-NoEAP | NULL| 7c:04:00:11:22:33 |
SSID_A | 2018-01-23 11:31:32 | 2018-01-23 11:32:10 | 172.18.4.61 |
84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL   |

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-23 Thread tom lo via PacketFence-users

Hi Fabrice,

We tried to uncheck the box "locationlog Close On Accounting Stop",
and restarted packetfence, but found the users are still stuck in
registration VLAN.
The queue count was zero at the moment.

We got the mysql output during each steps in the registration process.

1. When user connects to WiFi, there was a new locationlog, end_time
is -00-00 00:00:00.

2. After user go to captive portal, before doing any authentication,
the locationlog was changed with end_time marked.  (Does it mean the
locationlog was closed here?)

3. And right after authentication, no new locationlog and no change to
existing locationlog.
Warning messages "Can't re-evaluate access because no open locationlog
entry was found" shown in log

4. We let the device connected to WiFi, and after few minutes, the
device is moved to the working VLAN, a new locationlog shown, end_time
is -00-00 00:00:00.




### right after user connects to WiFi

+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| mac   | switch  | port | vlan | role |
connection_type   | connection_sub_type | dot1x_username| ssid
| start_time  | end_time| switch_ip   |
switch_mac| stripped_user_name | realm | session_id |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| 7c:04:00:11:22:33 | 172.18.4.61 | 0| 501  | registration |
Wireless-802.11-NoEAP | NULL| 7c:04:00:11:22:33 |
SSID_A | 2018-01-23 11:31:32 | -00-00 00:00:00 | 172.18.4.61 |
84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL   |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++


###  after User goes to captive portal, before authentication

+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| mac   | switch  | port | vlan | role |
connection_type   | connection_sub_type | dot1x_username| ssid
| start_time  | end_time| switch_ip   |
switch_mac| stripped_user_name | realm | session_id |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| 7c:04:00:11:22:33 | 172.18.4.61 | 0| 501  | registration |
Wireless-802.11-NoEAP | NULL| 7c:04:00:11:22:33 |
SSID_A | 2018-01-23 11:31:32 | 2018-01-23 11:32:10 | 172.18.4.61 |
84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL   |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++


###  right after authentication, User stuck in registration vlan, no
new locationlog entry

+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| mac   | switch  | port | vlan | role |
connection_type   | connection_sub_type | dot1x_username| ssid
| start_time  | end_time| switch_ip   |
switch_mac| stripped_user_name | realm | session_id |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| 7c:04:00:11:22:33 | 172.18.4.61 | 0| 501  | registration |
Wireless-802.11-NoEAP | NULL| 7c:04:00:11:22:33 |
SSID_A | 2018-01-23 11:31:32 | 2018-01-23 11:32:10 | 172.18.4.61 |
84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL   |

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-22 Thread Fabrice Durand via PacketFence-users

Hello Tom,

there : https://pf_mgmt:1443/admin/configuration#configuration/main/advanced

Regards
Fabrice

Le 2018-01-20 à 19:03, tom lo a écrit :
> Hi Durand,
>
> What change should I make on PF to "disable update locationlog on accounting"?
>
>
> Regards,
> Tom
>
> On Sun, Jan 21, 2018 at 4:31 AM, Durand fabrice  wrote:
>> Hello Tom,
>>
>>
>> Le 2018-01-20 à 03:02, tom lo a écrit :
>>> Hi Durand,
>>>
>>>
>>> Thanks for your reply and please see if my understanding is correct
>>> about the locationlog.
>>> If the locationlog is correct, from mysql, I should see one entry when
>>> a device reach captive portal, and another entry immediately after the
>>> authentication complete, with matching start / end time?
>>> If the locationlog is wrong, the new entry may be missing even the
>>> authentication is completed?
>> In fact when PacketFence receive a radius request , it will update the
>> location log, so just after the registration on the captive portal
>> Packetfence need to know where the device is to send a disconnection.
>> And if the disconnection succeed you will see a new entry in the
>> locationlog.
>>>
>>> I checked a log from an issue reported few hours ago. User
>>> "12:34:56:33:22:11" completed the authentication at 11:11am, but there
>>> is no entry about the updated role (staff) for this device until the
>>> user retry the connection at 13:06.  Is this a kind of wrong
>>> locationlog?
>> Yes probably if you see no locationlog entry was found in the log.
>> But it can also be a issue with a cache on the controller,if there is no new
>> radius request each time the device connect on the ssid per example.
>>>
>>> I also found another mysql output for a device which had a smooth VLAN
>>> re-direction in its 1st try. mysql output shows one entry when a
>>> device reach captive portal, and another entry after the
>>> authentication complete with matching start / end time.
>>>
>>> Also, for your information, we are using Ruckus ZoneDirector and the
>>> SSID setting is mac-auth.
>>>
>>> I'll check with users in real-time to see about the queue and mysql
>>> output, and let you know the result.
>>>
>>>
>>> The following is the related log / mysql output for the issue reported.
>> Before "Jan 20 11:11:59" do you see "INFO: [mac:12:34:56:33:22:11] handling
>> radius autz request" ? if no then the device is on the registration network
>> but PacketFence never receive the radius request !
>>>
>>> Jan 20 11:11:59 httpd.portal(6296) INFO: [mac:12:34:56:33:22:11]
>>> re-evaluating access (manage_register called)
>>> (pf::enforcement::reevaluate_access)
>>> Jan 20 11:11:59 httpd.portal(6296) WARN: [mac:12:34:56:33:22:11] Can't
>>> re-evaluate access because no open locationlog entry was found
>>> (pf::enforcement::reevaluate_access)
>>> Jan 20 11:15:29 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] Updating
>>> locationlog from accounting request
>>> (pf::api::handle_accounting_metadata)
>>> Jan 20 13:06:53 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] handling
>>> radius autz request...
>>>
>>> select * from locationlog where mac="12:34:56:33:22:11";
>>>
>>> +---+-+--+--+--+---+-+---+--+-+-+-+---++---++
>>> | mac   | switch  | port | vlan | role
>>> |connection_type   | connection_sub_type | dot1x_username| ssid
>>> | start_time  | end_time| switch_ip   |switch_mac
>>> | stripped_user_name | realm | session_id |
>>>
>>> +---+-+--+--+--+---+-+---+--+-+-+-+---++---++
>>> | 12:34:56:33:22:11 | 172.18.4.61 | 0| 50   | staff
>>> |Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A
>>> | 2018-01-20 13:06:53 | -00-00 00:00:00 | 172.18.4.61| 11:22:33:44:55:0d
>>> | 12:34:56:33:22:11  | null  | NULL   |
>>> | 12:34:56:33:22:11 | 172.18.4.61 | 0| 501  | registration
>>> |Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A
>>> | 2018-01-20 11:10:51 | 2018-01-20 11:11:12 | 172.18.4.61| 11:22:33:44:55:09
>>> | 12:34:56:33:22:11  | null  | NULL   |
>>> | 12:34:56:33:22:11 | 172.18.4.61 | 0| 501  | registration
>>> |Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A
>>> | 2018-01-20 11:11:12 | 2018-01-20 11:11:38 | 172.18.4.61| 11:22:33:44:55:0d
>>> | 12:34:56:33:22:11  | null  | NULL   |
>>>
>>>

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-22 Thread tom lo via PacketFence-users

Hi Durand,

What change should I make on PF to "disable update locationlog on accounting"?


Regards,
Tom

On Sun, Jan 21, 2018 at 4:31 AM, Durand fabrice  wrote:
> Hello Tom,
>
>
> Le 2018-01-20 à 03:02, tom lo a écrit :
>>
>> Hi Durand,
>>
>>
>> Thanks for your reply and please see if my understanding is correct
>> about the locationlog.
>> If the locationlog is correct, from mysql, I should see one entry when
>> a device reach captive portal, and another entry immediately after the
>> authentication complete, with matching start / end time?
>> If the locationlog is wrong, the new entry may be missing even the
>> authentication is completed?
>
> In fact when PacketFence receive a radius request , it will update the
> location log, so just after the registration on the captive portal
> Packetfence need to know where the device is to send a disconnection.
> And if the disconnection succeed you will see a new entry in the
> locationlog.
>>
>>
>> I checked a log from an issue reported few hours ago. User
>> "12:34:56:33:22:11" completed the authentication at 11:11am, but there
>> is no entry about the updated role (staff) for this device until the
>> user retry the connection at 13:06.  Is this a kind of wrong
>> locationlog?
>
> Yes probably if you see no locationlog entry was found in the log.
> But it can also be a issue with a cache on the controller,if there is no new
> radius request each time the device connect on the ssid per example.
>>
>>
>> I also found another mysql output for a device which had a smooth VLAN
>> re-direction in its 1st try. mysql output shows one entry when a
>> device reach captive portal, and another entry after the
>> authentication complete with matching start / end time.
>>
>> Also, for your information, we are using Ruckus ZoneDirector and the
>> SSID setting is mac-auth.
>>
>> I'll check with users in real-time to see about the queue and mysql
>> output, and let you know the result.
>>
>>
>> The following is the related log / mysql output for the issue reported.
>
> Before "Jan 20 11:11:59" do you see "INFO: [mac:12:34:56:33:22:11] handling
> radius autz request" ? if no then the device is on the registration network
> but PacketFence never receive the radius request !
>>
>>
>> Jan 20 11:11:59 httpd.portal(6296) INFO: [mac:12:34:56:33:22:11]
>> re-evaluating access (manage_register called)
>> (pf::enforcement::reevaluate_access)
>> Jan 20 11:11:59 httpd.portal(6296) WARN: [mac:12:34:56:33:22:11] Can't
>> re-evaluate access because no open locationlog entry was found
>> (pf::enforcement::reevaluate_access)
>> Jan 20 11:15:29 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] Updating
>> locationlog from accounting request
>> (pf::api::handle_accounting_metadata)
>> Jan 20 13:06:53 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] handling
>> radius autz request...
>>
>> select * from locationlog where mac="12:34:56:33:22:11";
>>
>> +---+-+--+--+--+---+-+---+--+-+-+-+---++---++
>> | mac   | switch  | port | vlan | role
>> |connection_type   | connection_sub_type | dot1x_username| ssid
>> | start_time  | end_time| switch_ip   |switch_mac
>> | stripped_user_name | realm | session_id |
>>
>> +---+-+--+--+--+---+-+---+--+-+-+-+---++---++
>> | 12:34:56:33:22:11 | 172.18.4.61 | 0| 50   | staff
>> |Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A
>> | 2018-01-20 13:06:53 | -00-00 00:00:00 | 172.18.4.61| 11:22:33:44:55:0d
>> | 12:34:56:33:22:11  | null  | NULL   |
>> | 12:34:56:33:22:11 | 172.18.4.61 | 0| 501  | registration
>> |Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A
>> | 2018-01-20 11:10:51 | 2018-01-20 11:11:12 | 172.18.4.61| 11:22:33:44:55:09
>> | 12:34:56:33:22:11  | null  | NULL   |
>> | 12:34:56:33:22:11 | 172.18.4.61 | 0| 501  | registration
>> |Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A
>> | 2018-01-20 11:11:12 | 2018-01-20 11:11:38 | 172.18.4.61| 11:22:33:44:55:0d
>> | 12:34:56:33:22:11  | null  | NULL   |
>>
>> +---+-+--+--+--+---+-+---+--+-+-+-+---++---++
>
> Really strange , it look that something closed the locationlog just before
> you register on the portal.
> Can you disable update locationlog on accounting and retry ?
> Regards
> Fabrice
>
>
>>
>>

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-20 Thread Durand fabrice via PacketFence-users


Hello Tom,


Le 2018-01-20 à 03:02, tom lo a écrit :

Hi Durand,


Thanks for your reply and please see if my understanding is correct
about the locationlog.
If the locationlog is correct, from mysql, I should see one entry when
a device reach captive portal, and another entry immediately after the
authentication complete, with matching start / end time?
If the locationlog is wrong, the new entry may be missing even the
authentication is completed?
In fact when PacketFence receive a radius request , it will update the 
location log, so just after the registration on the captive portal 
Packetfence need to know where the device is to send a disconnection.
And if the disconnection succeed you will see a new entry in the 
locationlog.


I checked a log from an issue reported few hours ago. User
"12:34:56:33:22:11" completed the authentication at 11:11am, but there
is no entry about the updated role (staff) for this device until the
user retry the connection at 13:06.  Is this a kind of wrong
locationlog?

Yes probably if you see no locationlog entry was found in the log.
But it can also be a issue with a cache on the controller,if there is no 
new radius request each time the device connect on the ssid per example.


I also found another mysql output for a device which had a smooth VLAN
re-direction in its 1st try. mysql output shows one entry when a
device reach captive portal, and another entry after the
authentication complete with matching start / end time.

Also, for your information, we are using Ruckus ZoneDirector and the
SSID setting is mac-auth.

I'll check with users in real-time to see about the queue and mysql
output, and let you know the result.


The following is the related log / mysql output for the issue reported.

Before "Jan 20 11:11:59" do you see "INFO: [mac:12:34:56:33:22:11] handling
radius autz request" ? if no then the device is on the registration 
network but PacketFence never receive the radius request !


Jan 20 11:11:59 httpd.portal(6296) INFO: [mac:12:34:56:33:22:11]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jan 20 11:11:59 httpd.portal(6296) WARN: [mac:12:34:56:33:22:11] Can't
re-evaluate access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)
Jan 20 11:15:29 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] Updating
locationlog from accounting request
(pf::api::handle_accounting_metadata)
Jan 20 13:06:53 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] handling
radius autz request...

select * from locationlog where mac="12:34:56:33:22:11";
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| mac   | switch  | port | vlan | role |connection_type 
  | connection_sub_type | dot1x_username| ssid| start_time  
| end_time| switch_ip   |switch_mac| stripped_user_name 
| realm | session_id |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| 12:34:56:33:22:11 | 172.18.4.61 | 0| 50   | staff
|Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A   
| 2018-01-20 13:06:53 | -00-00 00:00:00 | 172.18.4.61| 11:22:33:44:55:0d | 
12:34:56:33:22:11  | null  | NULL   |
| 12:34:56:33:22:11 | 172.18.4.61 | 0| 501  | registration 
|Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A   
| 2018-01-20 11:10:51 | 2018-01-20 11:11:12 | 172.18.4.61| 11:22:33:44:55:09 | 
12:34:56:33:22:11  | null  | NULL   |
| 12:34:56:33:22:11 | 172.18.4.61 | 0| 501  | registration 
|Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |SSID_A   
| 2018-01-20 11:11:12 | 2018-01-20 11:11:38 | 172.18.4.61| 11:22:33:44:55:0d | 
12:34:56:33:22:11  | null  | NULL   |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
Really strange , it look that something closed the locationlog just 
before you register on the portal.

Can you disable update locationlog on accounting and retry ?
Regards
Fabrice



Regards,
Tom


On Sat, Jan 20, 2018 at 10:01 AM, Durand fabrice via PacketFence-users
 wrote:

Hello Tom,

just after a radius request, can you check in the database if the
locationlog is correct ? (the radius request is suppose to update the
locationlog)

And also when it failed.

select * from locationlog where

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-20 Thread tom lo via PacketFence-users

Hi Durand,

Thanks for your reply and please see if my understanding is correct
about the locationlog.
If the locationlog is correct, from mysql, I should see one entry when
a device reach captive portal, and another entry immediately after the
authentication complete, with matching start / end time?
If the locationlog is wrong, the new entry may be missing even the
authentication is completed?

I checked a log from an issue reported few hours ago. User
"12:34:56:33:22:11" completed the authentication at 11:11am, but there
is no entry about the updated role (staff) for this device until the
user retry the connection at 13:06.  Is this a kind of wrong
locationlog?

I also found another mysql output for a device which had a smooth VLAN
re-direction in its 1st try. mysql output shows one entry when a
device reach captive portal, and another entry after the
authentication complete with matching start / end time.

Also, for your information, we are using Ruckus ZoneDirector and the
SSID setting is mac-auth.

I'll check with users in real-time to see about the queue and mysql
output, and let you know the result.

The following is the related log / mysql output for the issue reported.

Jan 20 11:11:59 httpd.portal(6296) INFO: [mac:12:34:56:33:22:11]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jan 20 11:11:59 httpd.portal(6296) WARN: [mac:12:34:56:33:22:11] Can't
re-evaluate access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)
Jan 20 11:15:29 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] Updating
locationlog from accounting request
(pf::api::handle_accounting_metadata)
Jan 20 13:06:53 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] handling
radius autz request...

select * from locationlog where mac="12:34:56:33:22:11";
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| mac   | switch  | port | vlan | role |
connection_type   | connection_sub_type | dot1x_username| ssid
| start_time  | end_time| switch_ip   |
switch_mac| stripped_user_name | realm | session_id |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++
| 12:34:56:33:22:11 | 172.18.4.61 | 0| 50   | staff|
Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |
SSID_A   | 2018-01-20 13:06:53 | -00-00 00:00:00 | 172.18.4.61
| 11:22:33:44:55:0d | 12:34:56:33:22:11  | null  | NULL   |
| 12:34:56:33:22:11 | 172.18.4.61 | 0| 501  | registration |
Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |
SSID_A   | 2018-01-20 11:10:51 | 2018-01-20 11:11:12 | 172.18.4.61
| 11:22:33:44:55:09 | 12:34:56:33:22:11  | null  | NULL   |
| 12:34:56:33:22:11 | 172.18.4.61 | 0| 501  | registration |
Wireless-802.11-NoEAP | NULL| 12:34:56:33:22:11 |
SSID_A   | 2018-01-20 11:11:12 | 2018-01-20 11:11:38 | 172.18.4.61
| 11:22:33:44:55:0d | 12:34:56:33:22:11  | null  | NULL   |
+---+-+--+--+--+---+-+---+--+-+-+-+---++---++

Regards,
Tom

On Sat, Jan 20, 2018 at 10:01 AM, Durand fabrice via PacketFence-users
 wrote:
> Hello Tom,
>
> just after a radius request, can you check in the database if the
> locationlog is correct ? (the radius request is suppose to update the
> locationlog)
>
> And also when it failed.
>
> select * from locationlog where mac="ab:cd:ef:12:34:56";
>
> Last thing, can you verify if the queue is full when this problem occur
> (from the admin gui in queue)
>
> Regards
> Fabrice
>
>
> Le 2018-01-16 à 20:33, tom lo via PacketFence-users a écrit :
>>
>> Hi,
>>
>>
>> We checked packetfence.log and did a comparison between working and
>> non-working VLAN redirection.
>>
>> When VLAN redirection works properly, "re-evaluating access" related
>> log has no warning.
>>
>> Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
>> re-evaluating access (manage_register called)
>> (pf::enforcement::reevaluate_access)
>> Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56] is
>> currentlog connected at (172.18.4.62) ifIndex 0 registration
>> (pf::enforcement::_should_we_reassign_vlan)
>> Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
>> Instantiate profile default
>> (pf::Portal::ProfileFactory::_from_profile)
>> Jan 12

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-19 Thread Durand fabrice via PacketFence-users


Hello Tom,

just after a radius request, can you check in the database if the 
locationlog is correct ? (the radius request is suppose to update the 
locationlog)


And also when it failed.

select * from locationlog where mac="ab:cd:ef:12:34:56";

Last thing, can you verify if the queue is full when this problem occur 
(from the admin gui in queue)


Regards
Fabrice

Le 2018-01-16 à 20:33, tom lo via PacketFence-users a écrit :

Hi,


We checked packetfence.log and did a comparison between working and
non-working VLAN redirection.

When VLAN redirection works properly, "re-evaluating access" related
log has no warning.

Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56] is
currentlog connected at (172.18.4.62) ifIndex 0 registration
(pf::enforcement::_should_we_reassign_vlan)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Username was defined "ab:cd:ef:12:34:56" - returning role 'edu-intern'
(pf::role::getRegisteredRole)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56] PID:
"user001", Status: reg Returned VLAN: (undefined), Role: edu-intern
(pf::role::fetchRoleForNode)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56] VLAN
reassignment required (current VLAN = 501 but should be in VLAN 50)
(pf::enforcement::_should_we_reassign_vlan)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
switch port is (172.18.4.62) ifIndex unknown connection type: WiFi MAC
Auth (pf::enforcement::_vlan_reevaluation)


But if VLAN redirection fail, we found warning "Can't re-evaluate
access because no open locationlog entry was found".

Jan 12 14:28:20 httpd.portal(2273) INFO: [mac:ab:cd:ef:12:34:56]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jan 12 14:28:20 httpd.portal(2273) WARN: [mac:ab:cd:ef:12:34:56] Can't
re-evaluate access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)



The full log of both success and failed VLAN redirection are as below.

 1st try, authentication success and being moved to production VLAN (50)

Jan 12 12:06:48 httpd.aaa(8040) INFO: [mac:ab:cd:ef:12:34:56] handling
radius autz request: from switch_ip => (172.18.4.62), connection_type
=> Wireless-802.11-NoEAP,switch_mac => (84:18:3a:12:34:56), mac =>
[ab:cd:ef:12:34:56], port => 0, username => "ab:cd:ef:12:34:56", ssid
=> SSID_A (pf::radius::authorize)
Jan 12 12:06:48 httpd.aaa(8040) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:06:48 httpd.aaa(8040) INFO: [mac:ab:cd:ef:12:34:56] is of
status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jan 12 12:06:48 httpd.aaa(8040) INFO: [mac:ab:cd:ef:12:34:56]
(172.18.4.62) Added VLAN 501 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)

Jan 12 12:07:05 httpd.portal(3099) INFO: [mac:unknown] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Updating node user_agent with useragent: 'Mozilla/5.0 (Macintosh;
Intel Mac OS X 10_11_6) AppleWebKit/601.7.8 (KHTML, like Gecko)'
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Jan 12 12:07:05 httpd.portal(3102) INFO: [mac:unknown] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)

Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Authenticating user using sources : edu_intern_AD,edu_Staff_AD
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
[edu_intern_AD] Authentication successful for user001

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-19 Thread Durand fabrice via PacketFence-users


Hello Tom,

how did you configured the Ruckus smartzone, are you doing web-auth, 
mac-auth or 802.1x ?


Regards

Fabrice



Le 2018-01-16 à 09:57, tom lo via PacketFence-users a écrit :

Hi Ludovic,

We are still using ZoneDirector, not the newer SmartZone controller,
and seems Packetfence start supporting SmartZone from version 6.5
In version 6.4, which we are using, there are only one switch type for
select "Ruckus Wireless Controllers".
So you would suggest we to try another switch module?


Regards,
Tom


On Tue, Jan 16, 2018 at 10:48 PM, Ludovic Zammit  wrote:

Hello there,

PacketFence two different switch module, there is a legacy one and the other
one is meant for the SmartZone controller.

Have you tried to change the switch module ?

Thanks,


Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)





On Jan 16, 2018, at 9:32 AM, tom lo via PacketFence-users
 wrote:

Hi,


We've been using Packetfence ZEN 6.4 with Ruckus ZoneDirector for a
while, to authentication user against AD before putting them into
production VLAN.
It was working fine until recently that users report that when they
doing authentication in captive portal, they start seeing the message
"Unable to detect network connectivity. Try to restarting your web
browser or opening a new tab to see if your access has been
successfully enabled."
They tried to turn off/on WiFi and they will see "Your network should
be enabled within a minute or two. If it is not reboot your computer",
if they wait for around 15 mins, sometimes they found their device
could fall into production VLAN.
During the issue happens to user, we could see in ZoneDirector that
the client device were still in registration VLN,
and from packetfence admin portal, user mac address "Info" page, the
role is set to a registered role.
If we delete the client connection manually from ZoneDirector GUI, we
found the client device will re-connect and fall into the production
VLAN.

We tried one suggestion from this mailing list, toggle $TRUE and
$FALSE for synchronize_locationlog in /Switch/Ruckus.pm#L190, and
restart httpd.portal, but made no difference.

We captured the packetfence.log, and found some warning but not sure
if it's related to the issue.
httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Use of uninitialized
value in concatenation (.) or string at
/usr/local/pf/lib/pf/authentication.pm line 284.
httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
httpd.portal(2245) WARN: [mac:ab:cd:00:00:12:34] Can't re-evaluate
access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)

Please advise what we could do to troubleshoot the issue.  Thanks for your
time.


Regards,
Tom

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-17 Thread tom lo via PacketFence-users

Hi,


We checked packetfence.log and did a comparison between working and
non-working VLAN redirection.

When VLAN redirection works properly, "re-evaluating access" related
log has no warning.

Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56] is
currentlog connected at (172.18.4.62) ifIndex 0 registration
(pf::enforcement::_should_we_reassign_vlan)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Username was defined "ab:cd:ef:12:34:56" - returning role 'edu-intern'
(pf::role::getRegisteredRole)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56] PID:
"user001", Status: reg Returned VLAN: (undefined), Role: edu-intern
(pf::role::fetchRoleForNode)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56] VLAN
reassignment required (current VLAN = 501 but should be in VLAN 50)
(pf::enforcement::_should_we_reassign_vlan)
Jan 12 12:07:18 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
switch port is (172.18.4.62) ifIndex unknown connection type: WiFi MAC
Auth (pf::enforcement::_vlan_reevaluation)


But if VLAN redirection fail, we found warning "Can't re-evaluate
access because no open locationlog entry was found".

Jan 12 14:28:20 httpd.portal(2273) INFO: [mac:ab:cd:ef:12:34:56]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jan 12 14:28:20 httpd.portal(2273) WARN: [mac:ab:cd:ef:12:34:56] Can't
re-evaluate access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)



The full log of both success and failed VLAN redirection are as below.

 1st try, authentication success and being moved to production VLAN (50)

Jan 12 12:06:48 httpd.aaa(8040) INFO: [mac:ab:cd:ef:12:34:56] handling
radius autz request: from switch_ip => (172.18.4.62), connection_type
=> Wireless-802.11-NoEAP,switch_mac => (84:18:3a:12:34:56), mac =>
[ab:cd:ef:12:34:56], port => 0, username => "ab:cd:ef:12:34:56", ssid
=> SSID_A (pf::radius::authorize)
Jan 12 12:06:48 httpd.aaa(8040) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:06:48 httpd.aaa(8040) INFO: [mac:ab:cd:ef:12:34:56] is of
status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jan 12 12:06:48 httpd.aaa(8040) INFO: [mac:ab:cd:ef:12:34:56]
(172.18.4.62) Added VLAN 501 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)

Jan 12 12:07:05 httpd.portal(3099) INFO: [mac:unknown] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Updating node user_agent with useragent: 'Mozilla/5.0 (Macintosh;
Intel Mac OS X 10_11_6) AppleWebKit/601.7.8 (KHTML, like Gecko)'
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Jan 12 12:07:05 httpd.portal(3102) INFO: [mac:unknown] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:05 httpd.portal(3102) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)

Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Instantiate profile default
(pf::Portal::ProfileFactory::_from_profile)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Authenticating user using sources : edu_intern_AD,edu_Staff_AD
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
[edu_intern_AD] Authentication successful for user001
(pf::Authentication::Source::LDAPSource::authenticate)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56]
Authentication successful for 'user001' in source edu_intern_AD (AD)
(pf::authentication::authenticate)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56] User
user001 has authenticated on the portal. (Class::MOP::Class:::after)
Jan 12 12:07:18 httpd.portal(3099) INFO: [mac:ab:cd:ef:12:34:56] Found
source

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-16 Thread tom lo via PacketFence-users

Hi Ludovic,

We are still using ZoneDirector, not the newer SmartZone controller,
and seems Packetfence start supporting SmartZone from version 6.5
In version 6.4, which we are using, there are only one switch type for
select "Ruckus Wireless Controllers".
So you would suggest we to try another switch module?


Regards,
Tom


On Tue, Jan 16, 2018 at 10:48 PM, Ludovic Zammit  wrote:
> Hello there,
>
> PacketFence two different switch module, there is a legacy one and the other
> one is meant for the SmartZone controller.
>
> Have you tried to change the switch module ?
>
> Thanks,
>
>
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
>
>
>
> On Jan 16, 2018, at 9:32 AM, tom lo via PacketFence-users
>  wrote:
>
> Hi,
>
>
> We've been using Packetfence ZEN 6.4 with Ruckus ZoneDirector for a
> while, to authentication user against AD before putting them into
> production VLAN.
> It was working fine until recently that users report that when they
> doing authentication in captive portal, they start seeing the message
> "Unable to detect network connectivity. Try to restarting your web
> browser or opening a new tab to see if your access has been
> successfully enabled."
> They tried to turn off/on WiFi and they will see "Your network should
> be enabled within a minute or two. If it is not reboot your computer",
> if they wait for around 15 mins, sometimes they found their device
> could fall into production VLAN.
> During the issue happens to user, we could see in ZoneDirector that
> the client device were still in registration VLN,
> and from packetfence admin portal, user mac address "Info" page, the
> role is set to a registered role.
> If we delete the client connection manually from ZoneDirector GUI, we
> found the client device will re-connect and fall into the production
> VLAN.
>
> We tried one suggestion from this mailing list, toggle $TRUE and
> $FALSE for synchronize_locationlog in /Switch/Ruckus.pm#L190, and
> restart httpd.portal, but made no difference.
>
> We captured the packetfence.log, and found some warning but not sure
> if it's related to the issue.
> httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Use of uninitialized
> value in concatenation (.) or string at
> /usr/local/pf/lib/pf/authentication.pm line 284.
> httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Calling match with
> empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> httpd.portal(2245) WARN: [mac:ab:cd:00:00:12:34] Can't re-evaluate
> access because no open locationlog entry was found
> (pf::enforcement::reevaluate_access)
>
> Please advise what we could do to troubleshoot the issue.  Thanks for your
> time.
>
>
> Regards,
> Tom
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-16 Thread Ludovic Zammit via PacketFence-users

Hello there,

PacketFence two different switch module, there is a legacy one and the other 
one is meant for the SmartZone controller.

Have you tried to change the switch module ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Jan 16, 2018, at 9:32 AM, tom lo via PacketFence-users 
>  wrote:
> 
> Hi,
> 
> 
> We've been using Packetfence ZEN 6.4 with Ruckus ZoneDirector for a
> while, to authentication user against AD before putting them into
> production VLAN.
> It was working fine until recently that users report that when they
> doing authentication in captive portal, they start seeing the message
> "Unable to detect network connectivity. Try to restarting your web
> browser or opening a new tab to see if your access has been
> successfully enabled."
> They tried to turn off/on WiFi and they will see "Your network should
> be enabled within a minute or two. If it is not reboot your computer",
> if they wait for around 15 mins, sometimes they found their device
> could fall into production VLAN.
> During the issue happens to user, we could see in ZoneDirector that
> the client device were still in registration VLN,
> and from packetfence admin portal, user mac address "Info" page, the
> role is set to a registered role.
> If we delete the client connection manually from ZoneDirector GUI, we
> found the client device will re-connect and fall into the production
> VLAN.
> 
> We tried one suggestion from this mailing list, toggle $TRUE and
> $FALSE for synchronize_locationlog in /Switch/Ruckus.pm#L190, and
> restart httpd.portal, but made no difference.
> 
> We captured the packetfence.log, and found some warning but not sure
> if it's related to the issue.
> httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Use of uninitialized
> value in concatenation (.) or string at
> /usr/local/pf/lib/pf/authentication.pm line 284.
> httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Calling match with
> empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> httpd.portal(2245) WARN: [mac:ab:cd:00:00:12:34] Can't re-evaluate
> access because no open locationlog entry was found
> (pf::enforcement::reevaluate_access)
> 
> Please advise what we could do to troubleshoot the issue.  Thanks for your 
> time.
> 
> 
> Regards,
> Tom
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] users stay in registration VLAN after authentication success

2018-01-16 Thread tom lo via PacketFence-users

Hi,


We've been using Packetfence ZEN 6.4 with Ruckus ZoneDirector for a
while, to authentication user against AD before putting them into
production VLAN.
It was working fine until recently that users report that when they
doing authentication in captive portal, they start seeing the message
"Unable to detect network connectivity. Try to restarting your web
browser or opening a new tab to see if your access has been
successfully enabled."
They tried to turn off/on WiFi and they will see "Your network should
be enabled within a minute or two. If it is not reboot your computer",
if they wait for around 15 mins, sometimes they found their device
could fall into production VLAN.
During the issue happens to user, we could see in ZoneDirector that
the client device were still in registration VLN,
and from packetfence admin portal, user mac address "Info" page, the
role is set to a registered role.
If we delete the client connection manually from ZoneDirector GUI, we
found the client device will re-connect and fall into the production
VLAN.

We tried one suggestion from this mailing list, toggle $TRUE and
$FALSE for synchronize_locationlog in /Switch/Ruckus.pm#L190, and
restart httpd.portal, but made no difference.

We captured the packetfence.log, and found some warning but not sure
if it's related to the issue.
httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Use of uninitialized
value in concatenation (.) or string at
/usr/local/pf/lib/pf/authentication.pm line 284.
httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
httpd.portal(2245) WARN: [mac:ab:cd:00:00:12:34] Can't re-evaluate
access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)

Please advise what we could do to troubleshoot the issue.  Thanks for your time.


Regards,
Tom

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

Re: [PacketFence-users] users stay in registration VLAN after authentication success

[PacketFence-users] users stay in registration VLAN after authentication success

15 matches

Site Navigation

Mail list logo

Footer information