From: David S. <ey...@uc...> - 2012-12-13 21:30:16
I tried deleting the Radius Auth server in the GUI, and recreating it in the CLI. Interestingly, when you create it in the GUI, it automatically has RFC3576 enabled, and you can toggle it on and off in the GUI. But, when you create it in the CLI, it has RFC3576 disabled, and if I run the command to enable it, I get:

(WiSM-slot6-1) >config radius auth rfc3576 enable 1
Unable to set server's RFC 3576 state.

I can't disable it from the CLI either if it was enabled in the GUI. I am thinking that it isn't really ever turning on.

On Thu, Dec 13, 2012 at 1:09 PM, David Schiller <ey...@uc...> wrote:

> Some more info:
>
> (WiSM-slot6-1) >show radius rfc3576 statistics
> RFC-3576 Servers:
>
> Server Index..................................... 1
> Server Address................................... 10.93.0.1
> Disconnect-Requests.............................. 0
> COA-Requests..................................... 0
> Retransmitted Requests........................... 0
> Malformed Requests............................... 0
> Bad Authenticator Requests....................... 0
> Other Drops...................................... 0
> Sent Disconnect-Ack.............................. 0
> Sent Disconnect-Nak.............................. 0
> Sent CoA-Ack..................................... 0
> Sent CoA-Nak..................................... 0
>
> (WiSM-slot6-1) >show radius summary
>
> Vendor Id Backward Compatibility................. Disabled
> Call Station Id Type............................. IP Address
> Aggressive Failover.............................. Enabled
> Keywrap.......................................... Disabled
> Fallback Test:
>     Test Mode.................................... Off
>     Probe User Name.............................. cisco-probe
>     Interval (in seconds)........................ 300
>
> Authentication Servers
>
> Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
> ---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
> 1    NM    10.93.0.1         1812    Enabled   10    Enabled  Disabled - none/unknown/group-0/0 none/none
>
> Accounting Servers
>
> Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
> ---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
>
>
> On Thu, Dec 13, 2012 at 11:33 AM, David Schiller <ey...@uc...> wrote:
>
>> Francois, please read the entire thread... I have posted the output from
>> debug aaa on the WiSM:
>>
>> $ cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>     Calling-Station-Id = "00:11:22:33:44:55"
>>     Service-Type = Login-User
>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>     Calling-Station-Id = "00:11:22:33:44:55"
>>     Service-Type = Login-User
>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>     Calling-Station-Id = "00:11:22:33:44:55"
>>     Service-Type = Login-User
>> radclient: no response from server for ID 61 socket 3
>>
>> Interestingly, on the WiSM I am debugging AAA:
>>
>> (WiSM-slot6-1) >
>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>> *Dec 07 19:35:48.966: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>> *Dec 07 19:35:53.971: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>
>> Here's the nmap for the WiSM management interface:
>>
>> sudo nmap -sU -p3799 10.93.0.252
>>
>> Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-13 12:09 PST
>> Nmap scan report for 10.93.0.252
>> Host is up (0.00047s latency).
>> PORT     STATE         SERVICE
>> 3799/udp open|filtered unknown
>> MAC Address: 00:17:E0:0C:4F:2B (Cisco Systems)
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
>>
>>
>> I'm not sure how I can test for the CoA packet problem you suggested.
>>
>> Is it possible that I need a switches.conf entry for each individual
>> access point? So that it sends the deauth directly to the AP instead of
>> the WiSM?
>>
>>
>> On Thu, Dec 13, 2012 at 11:14 AM, Francois Gaudreault <fga...@sy...> wrote:
>>
>>> Is it possible that the PoD port on your WiSM is not 3799 (use nmap
>>> -sU)? Is there a missing attribute in the CoA packet that would be
>>> mandatory to the WiSM (ie. Service-Type = Login)? What if you run a debug
>>> client <mac> or any relevant debug aaa/radius thing?
>>>
>>> I know that PoD is working flawless on the WLCs.
>>>
>>> Francois
>>>
>>> On 2012-12-13 1:58 PM, David Schiller wrote:
>>>
>>> Yes, it is the management interface for PF, here is the entry in pf.conf:
>>>
>>> [interface eth0.93]
>>> ip=10.93.0.1
>>> type=management
>>> mask=255.255.255.0
>>>
>>> I noticed that I do not have an entry for the 10.93.0.0 network in
>>> networks.conf... is that necessary perhaps? Again, this was working before
>>> with deauth when I was directly talking to the access points, but not with
>>> the wism. Based on my findings, the problem is definitely on the WiSM,
>>> because it is not seeing the deauth request from PF as being legitimate for
>>> some reason. But the request is at least getting there.
>>>
>>> PF seems to handle the Radius stuff from the WiSM just fine... there
>>> must be a setting somewhere that I need to turn on to get the WiSM to
>>> accept the Radius stuff from PF.
>>>
>>>
>>> On Thu, Dec 13, 2012 at 8:42 AM, Francois Gaudreault <fga...@sy...> wrote:
>>>
>>>> I didn't read the entire thread, but is this IP 10.93.0.1 configured in your WiSM as a valid RADIUS server?
>>>> Is this the management IP of the PF server (or the VIP)?
>>>>
>>>> On 2012-12-13 10:48 AM, David Schiller wrote:
>>>>
>>>> Hi folks, still cannot get this to work... any other ideas?
>>>>
>>>> On Tue, Dec 11, 2012 at 8:21 AM, David Schiller <ey...@uc...> wrote:
>>>>
>>>>> Do you mean is the management IP for the WiSM what is defined in
>>>>> switches.conf? Yes... the whole first part of the 802.1x is working. It
>>>>> seems like the WiSM can talk to PF, but not the other way around.
>>>>> On Dec 11, 2012 4:10 AM, "Fabrice Durand" <fd...@in...> wrote:
>>>>>
>>>>>> Are you trying on the management interface of the controller, not a
>>>>>> vlan interface?
>>>>>>
>>>>>> David Schiller <ey...@uc...> wrote:
>>>>>>
>>>>>> OK, I just want to get this straight... these things are what need to
>>>>>> be setup:
>>>>>>
>>>>>> 1) On PF, there needs to be a switches.conf entry for the WiSM, with
>>>>>> type=Cisco::WiSM and the radiusSecret set to something.
>>>>>> 2) On the WiSM, the Radius Authentication server needs to point to
>>>>>> the correct PF interface, and have RFC 3576 turned on.
>>>>>>
>>>>>> That's it? Where I'm at is that I click on the SSID to associate, I
>>>>>> get prompted for my Radius user password which is set in raddb/users, and
>>>>>> that works totally fine... I get associated to the registration VLAN and I
>>>>>> see all the correct traffic in packetfence.log. Then, I get the captive
>>>>>> portal, enter in my credentials, which get accepted, and packetfence.log
>>>>>> indicates that appropriately and tries to deauthenticate me to temporarily
>>>>>> kick me off so I can rejoin with the new Normal VLAN. This is where it
>>>>>> stops working... on packetfence.log I see:
>>>>>>
>>>>>> Dec 10 14:57:49 pfcmd_vlan(1711) INFO: wireless deauthentication of a 802.1x MAC (main::)
>>>>>> Dec 10 14:57:59 pfcmd_vlan(1711) WARN: Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from 10.93.0.252 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
>>>>>> Dec 10 14:57:59 pfcmd_vlan(1711) ERROR: Wrong RADIUS secret or unreachable network device... (pf::SNMP::__ANON__)
>>>>>> Dec 10 14:58:00 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
>>>>>>
>>>>>> and in the WiSM debug output I see:
>>>>>>
>>>>>> *Dec 10 21:27:57.826: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:33194
>>>>>>
>>>>>> It seems to me like the Radius Disconnect-Request is getting sent,
>>>>>> but the WiSM is dropping it because it's an "unknown server". Passwords
>>>>>> match, IP's are correct... where could the problem be?
>>>>>>
>>>>>> On Mon, Dec 10, 2012 at 12:18 PM, David Schiller <ey...@uc...> wrote:
>>>>>>
>>>>>>> I still cannot figure this out... the debug dump from the WiSM still
>>>>>>> says:
>>>>>>>
>>>>>>> *Dec 10 20:15:49.580: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:35940
>>>>>>>
>>>>>>> How do I make it "known"? PF seems to be receiving RADIUS stuff
>>>>>>> just fine.
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Dec 7, 2012 at 3:47 PM, Fabrice Durand <fd...@in...> wrote:
>>>>>>>
>>>>>>>> I recommend you to first try with mac-auth (follow
>>>>>>>> http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Network_Devices_Configuration_Guide-3.6.0.pdf
>>>>>>>> ).
>>>>>>>> Remove what you put in clients.conf, it's useless.
>>>>>>>> After on packetfence server kill radius process and launch it in
>>>>>>>> debug mode.
>>>>>>>> radiusd -d /usr/local/pf/raddb/ -X
>>>>>>>> You could see in the debug that your controller appear in the debug.
>>>>>>>> After try to connect to your SSID, you could see the radius request
>>>>>>>> and the access-accept.
>>>>>>>> On the first time packetfence return the registration vlan, on the
>>>>>>>> pc you fall into the captive portal.
>>>>>>>> Put your username and password and look at packetfence.log if the
>>>>>>>> deauth work. (you can try with pod.txt with your mac's pc address)
>>>>>>>> If the deauth work you will see another radius request from the
>>>>>>>> controller with an answer with the normal vlan.
>>>>>>>>
>>>>>>>> The deauth must be set on the management's controller interface.
>>>>>>>> If this workflow is working then you can try with 802.1x.
>>>>>>>> If there is no way with radius deauth then you can try SNMP (just
>>>>>>>> select snmp in deauth method)
>>>>>>>>
>>>>>>>> Courage, you are on the right way.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Fabrice
>>>>>>>> On Friday, December 7, 2012 18:22:24, David Schiller wrote:
>>>>>>>> > FYI, 10.93.0.252 is the WiSM management interface... should this
>>>>>>>> > deauth stuff be sent to the WiSM, or to the Access Point that the
>>>>>>>> > user is associated to? It seems to me like it should go to the AP,
>>>>>>>> > because that's what it was doing in the old setup.
>>>>>>>> >
>>>>>>>> > On Fri, Dec 7, 2012 at 2:46 PM, David Schiller <ey...@uc...> wrote:
>>>>>>>> >
>>>>>>>> > Actually, disregard this last one, restarting PF fixed that.
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On Fri, Dec 7, 2012 at 2:40 PM, David Schiller <ey...@uc...> wrote:
>>>>>>>> >
>>>>>>>> > When I have nothing in raddb/clients.conf, and I have
>>>>>>>> > conf/switches.conf with RadiusSecret=Secret and the matching
>>>>>>>> > secret on the WiSM for AAA Auth config, then it does something
>>>>>>>> > really odd...
>>>>>>>> > The initial 802.1x authentication seems to never
>>>>>>>> > complete, but then it gives me an IP in the normal vlan
>>>>>>>> > instead of the registration vlan, and internet access works!
>>>>>>>> > Even though 802.1x never says it's connected on the client....
>>>>>>>> >
>>>>>>>> > It just seems like it needs the entry in raddb/clients.conf.
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On Fri, Dec 7, 2012 at 1:30 PM, David Schiller <ey...@uc...> wrote:
>>>>>>>> >
>>>>>>>> > Here's something weird... I tried deleting my AAA auth
>>>>>>>> > server and recreating it in the CLI instead of through the
>>>>>>>> > webgui... it will not let me set RFC3576:
>>>>>>>> >
>>>>>>>> > (WiSM-slot6-1) >config radius auth rfc3576 enable 1
>>>>>>>> > Unable to set server's RFC 3576 state.
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On Fri, Dec 7, 2012 at 1:23 PM, David Schiller <ey...@uc...> wrote:
>>>>>>>> >
>>>>>>>> > I have looked through that thread... Can you clear
>>>>>>>> > something up for me? I thought that the Radius shared
>>>>>>>> > secret in PF was defined in raddb/clients.conf and
>>>>>>>> > then on the WiSM in the obvious place. But you say I
>>>>>>>> > can get rid of the entry in raddb/clients.conf, which
>>>>>>>> > I have, and it still works. Where else is it defined
>>>>>>>> > in PF? In switches.conf, it doesn't seem to make a
>>>>>>>> > difference if I have it or not in the definition for
>>>>>>>> > 10.93.0.252... it is still able to do the initial
>>>>>>>> > authentication to associate to the AP.
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On Fri, Dec 7, 2012 at 1:13 PM, Durand Fabrice <fd...@in...> wrote:
>>>>>>>> >
>>>>>>>> > Have you looked at this thread
>>>>>>>> > http://www.mail-archive.com/pac...@li.../msg03329.html
>>>>>>>> > It looks like your problem.
>>>>>>>> >
>>>>>>>> > Regards
>>>>>>>> >
>>>>>>>> > On 2012-12-07 15:47, David Schiller wrote:
>>>>>>>> >> Yes... I think the secret here is in the debug message:
>>>>>>>> >>
>>>>>>>> >> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>>>>>>> >>
>>>>>>>> >> It says "unknown server", despite the fact that
>>>>>>>> >> it previously does a bunch of aaa stuff just fine
>>>>>>>> >> with 10.93.0.1 to initially associate the user to
>>>>>>>> >> the AP.
>>>>>>>> >>
>>>>>>>> >> Is there some other location where I need to
>>>>>>>> >> define 10.93.0.1 as being OK?
>>>>>>>> >>
>>>>>>>> >> On Fri, Dec 7, 2012 at 12:19 PM, Durand Fabrice <fd...@in...> wrote:
>>>>>>>> >>
>>>>>>>> >> Have you removed what you did in clients.conf?
>>>>>>>> >> Regards
>>>>>>>> >>
>>>>>>>> >> On 2012-12-07 14:56, David Schiller wrote:
>>>>>>>> >>> 10.93.0.1 is the Packetfence interface which
>>>>>>>> >>> is running the Radius server... here is the
>>>>>>>> >>> netstat:
>>>>>>>> >>>
>>>>>>>> >>> udp 0 0 10.93.0.1:1812 0.0.0.0:*
>>>>>>>> >>> udp 0 0 10.93.0.1:1813 0.0.0.0:*
>>>>>>>> >>> udp 0 0 10.93.0.1:1814 0.0.0.0:*
>>>>>>>> >>>
>>>>>>>> >>> That is configured with RFC 3576 and
>>>>>>>> >>> useStrongerSecret on the WiSM.
>>>>>>>> >>>
>>>>>>>> >>> On Fri, Dec 7, 2012 at 11:46 AM, Durand Fabrice <fd...@in...> wrote:
>>>>>>>> >>>
>>>>>>>> >>> What is this address 10.93.0.1?
>>>>>>>> >>> Your controller must know 10.93.0.1 as a
>>>>>>>> >>> radius server.
>>>>>>>> >>>
>>>>>>>> >>> Regards
>>>>>>>> >>>
>>>>>>>> >>> On 2012-12-07 14:36, David Schiller wrote:
>>>>>>>> >>>> Hi, thanks... I do have RFC 3576
>>>>>>>> >>>> enabled. I did as you suggested but it
>>>>>>>> >>>> didn't seem to work:
>>>>>>>> >>>>
>>>>>>>> >>>> $ cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>>>>>> >>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>>>>> >>>>     Calling-Station-Id = "00:11:22:33:44:55"
>>>>>>>> >>>>     Service-Type = Login-User
>>>>>>>> >>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>>>>> >>>>     Calling-Station-Id = "00:11:22:33:44:55"
>>>>>>>> >>>>     Service-Type = Login-User
>>>>>>>> >>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>>>>> >>>>     Calling-Station-Id = "00:11:22:33:44:55"
>>>>>>>> >>>>     Service-Type = Login-User
>>>>>>>> >>>> radclient: no response from server for ID 61 socket 3
>>>>>>>> >>>>
>>>>>>>> >>>> Interestingly, on the WiSM I am
>>>>>>>> >>>> debugging AAA:
>>>>>>>> >>>>
>>>>>>>> >>>> (WiSM-slot6-1) >
>>>>>>>> >>>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>>>>>>> >>>> *Dec 07 19:35:48.966: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>>>>>>> >>>> *Dec 07 19:35:53.971: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>>>>>>> >>>>
>>>>>>>> >>>> So it seems to be getting there...
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>> On Fri, Dec 7, 2012 at 7:47 AM, Durand Fabrice <fd...@in...> wrote:
>>>>>>>> >>>>
>>>>>>>> >>>> Hello David,
>>>>>>>> >>>> First you don't have to set radius
>>>>>>>> >>>> secret in raddb/clients.conf.
>>>>>>>> >>>> Radius is configured to get the
>>>>>>>> >>>> clients configuration in
>>>>>>>> >>>> packetfence database.
>>>>>>>> >>>>
>>>>>>>> >>>> You also have to enable RFC 3576 in
>>>>>>>> >>>> the controller and you can make a
>>>>>>>> >>>> test by using this command:
>>>>>>>> >>>>
>>>>>>>> >>>> Create a file pod.txt
>>>>>>>> >>>>
>>>>>>>> >>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>>>>> >>>> Service-Type = "Login-User"
>>>>>>>> >>>>
>>>>>>>> >>>> And launch
>>>>>>>> >>>>
>>>>>>>> >>>> cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>>>>>> >>>>
>>>>>>>> >>>> Regards
>>>>>>>> >>>> Fabrice
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>> On 2012-12-06 16:46, David Schiller wrote:
>>>>>>>> >>>>> Hi, I am in the process of moving
>>>>>>>> >>>>> our standalone AP setup to a LWAPP
>>>>>>>> >>>>> setup with a Cisco WiSM. I
>>>>>>>> >>>>> actually have managed to get
>>>>>>>> >>>>> everything pretty much working,
>>>>>>>> >>>>> but one thing I have not been able
>>>>>>>> >>>>> to figure out is how to get PF to
>>>>>>>> >>>>> properly Deauth users once they
>>>>>>>> >>>>> register, to place them in the
>>>>>>>> >>>>> proper VLAN. If I manually leave
>>>>>>>> >>>>> the SSID and come back, then it
>>>>>>>> >>>>> makes the switch OK, but we
>>>>>>>> >>>>> obviously want this to be
>>>>>>>> >>>>> automated like with the standalone
>>>>>>>> >>>>> setup. I am getting this in the
>>>>>>>> >>>>> packetfence.log:
>>>>>>>> >>>>>
>>>>>>>> >>>>> Dec 06 14:16:09 pfcmd(19120) INFO: trying to dissociate a wireless 802.1x user, this might not work depending on hardware support. If its your case please file a bug (pf::enforcement::_vlan_reevaluation)
>>>>>>>> >>>>> Dec 06 14:16:11 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.93.0.252 (main::parseTrap)
>>>>>>>> >>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
>>>>>>>> >>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: desAssociate trap received on 10.93.0.252 for wireless client 00:1e:52:xx:xx:xx (main::handleTrap)
>>>>>>>> >>>>> Dec 06 14:16:13 pfcmd_vlan(19129) INFO: wireless deauthentication of a 802.1x MAC (main::)
>>>>>>>> >>>>> Dec 06 14:16:23 pfcmd_vlan(19129) WARN: Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from 10.93.0.252 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
>>>>>>>> >>>>> Dec 06 14:16:23 pfcmd_vlan(19129) ERROR: Wrong RADIUS secret or unreachable network device... (pf::SNMP::__ANON__)
>>>>>>>> >>>>>
>>>>>>>> >>>>> It is a little unclear to me
>>>>>>>> >>>>> whether or not the WiSM uses
>>>>>>>> >>>>> RADIUS or SNMP for Deauth... it
>>>>>>>> >>>>> looks like it is trying RADIUS but
>>>>>>>> >>>>> I have seen other threads that
>>>>>>>> >>>>> seemed to indicate that this is
>>>>>>>> >>>>> done with SNMP. I have double
>>>>>>>> >>>>> checked that my shared secret in
>>>>>>>> >>>>> raddb/clients.conf and in the WiSM
>>>>>>>> >>>>> config is correct. Also, IP
>>>>>>>> >>>>> connectivity between everything
>>>>>>>> >>>>> seems to be fine. I have this in
>>>>>>>> >>>>> my switches.conf:
>>>>>>>> >>>>>
>>>>>>>> >>>>> [10.93.0.252]
>>>>>>>> >>>>> mode=production
>>>>>>>> >>>>> type=Cisco::WiSM
>>>>>>>> >>>>> vlans=92,93,94,95,96
>>>>>>>> >>>>> normalVlan=94
>>>>>>>> >>>>> isolationVlan=92
>>>>>>>> >>>>> radiusSecret=useStrongerSecret
>>>>>>>> >>>>> SNMPVersion=1
>>>>>>>> >>>>> SNMPCommunityRead=public
>>>>>>>> >>>>> SNMPCommunityWrite=private
>>>>>>>> >>>>> SNMPVersionTrap=1
>>>>>>>> >>>>> SNMPCommunityTrap=public
>>>>>>>> >>>>>
>>>>>>>> >>>>> One other thing I have noticed,
>>>>>>>> >>>>> which may or may not be related,
>>>>>>>> >>>>> is that in Packetfence under
>>>>>>>> >>>>> Nodes, before it would show me the
>>>>>>>> >>>>> IP address of the last AP the user
>>>>>>>> >>>>> was on, but now with the WiSM it
>>>>>>>> >>>>> only shows the IP address of the
>>>>>>>> >>>>> WiSM instead of the particular
>>>>>>>> >>>>> IP. Can this be fixed? It is
>>>>>>>> >>>>> useful to know which AP a user is
>>>>>>>> >>>>> associated with, and I am
>>>>>>>> >>>>> wondering if this is actually
>>>>>>>> >>>>> maybe a problem.
>>>>>>>> >>>>>
>>>>>>>> >>>>> Please let me know if you need
>>>>>>>> >>>>> more info... thanks,
>>>>>>>> >>>>>
>>>>>>>> >>>>> David
>>>>>>>> >>>>>
>>>>>>>> >>>>>
>>>>>>>> >>>>> ------------------------------------------------------------------------------
>>>>>>>> >>>>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT.
>>>>>>>> >>>>> Free Trial
>>>>>>>> >>>>> Remotely access PCs and mobile devices and provide instant support
>>>>>>>> >>>>> Improve your efficiency, and focus on delivering more value-add services
>>>>>>>> >>>>> Discover what IT Professionals Know. Rescue delivers
>>>>>>>> >>>>> http://p.sf.net/sfu/logmein_12329d2d
>>>>>>>> >>>>>
>>>>>>>> >>>>> _______________________________________________
>>>>>>>> >>>>> PacketFence-users mailing list
>>>>>>>> >>>>> Pac...@li...
>>>>>>>> >>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>> >>>>
>>>>>>>> >>>> --
>>>>>>>> >>>> Fabrice Durand
>>>>>>>> >>>> fd...@in... :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>>>>>> >>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
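
Added example, not part of the original thread and not PacketFence or Cisco code: a small model of how an RFC 3576 Disconnect-Request is authenticated, showing why a sender sees only a timeout both when its source address is not a known dynamic-authorization client ("unknown server" in the WiSM debug) and when the shared secret differs ("Bad Authenticator Requests" in the statistics). `nas_receive`, `dynauth_clients` and `diagnose` are hypothetical names; how the WiSM actually matches servers is not shown in the thread, and the model always answers a valid request with a Disconnect-ACK.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3576).
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
SERVICE_TYPE, CALLING_STATION_ID = 6, 31
LOGIN_USER = 1


def _attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(ident, secret, mac):
    """Build the packet radclient sends for the pod.txt quoted in the thread."""
    attrs = (_attr(CALLING_STATION_ID, mac.encode("ascii"))
             + _attr(SERVICE_TYPE, struct.pack("!I", LOGIN_USER)))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    #                             + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def nas_receive(packet, src_ip, dynauth_clients):
    """Simplified NAS model (assumption): return (verdict, reply or None).

    dynauth_clients maps an allowed source IP to its shared secret.
    Every failing check discards the packet without any reply.
    """
    secret = dynauth_clients.get(src_ip)
    if secret is None:
        return "unknown server", None
    if len(packet) < 20:
        return "malformed", None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return "malformed", None
    expected = hashlib.md5(
        packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad authenticator", None
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator
    #                              + Attributes + Secret); no attributes here.
    reply_header = struct.pack("!BBH", DISCONNECT_ACK, ident, 20)
    reply_auth = hashlib.md5(reply_header + packet[4:20] + secret).digest()
    return "accepted", reply_header + reply_auth


def reply_is_authentic(reply, request, secret):
    """Sender-side check of the Response Authenticator."""
    expected = hashlib.md5(
        reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def diagnose(src_ip, sender_secret, dynauth_clients):
    """Send one constructed request through the model and describe the result."""
    request = build_disconnect_request(61, sender_secret, "00:11:22:33:44:55")
    verdict, reply = nas_receive(request, src_ip, dynauth_clients)
    if reply is None:
        return verdict + " -> silently dropped, sender times out"
    if reply_is_authentic(reply, request, sender_secret):
        return verdict + " -> Disconnect-ACK verified"
    return verdict + " -> reply rejected by sender"


if __name__ == "__main__":
    # Constructed scenarios using the addresses and secret quoted in the thread.
    pf_ip, secret = "10.93.0.1", b"useStrongerSecret"
    scenarios = {
        "source not registered": {},
        "secret mismatch": {pf_ip: b"someOtherSecret"},
        "registered, same secret": {pf_ip: secret},
    }
    for name, clients in scenarios.items():
        print(f"{name:26s} {diagnose(pf_ip, secret, clients)}")
```

The first two scenarios look identical from the sending side, so the distinction has to be read on the receiving device: its debug message and which statistics counter moves.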