From: Durand f. <fd...@in...> - 2015-08-01 02:22:25
Hi Paul,

Ok you have a controller, so use it as the controller ip in switch configuration.

And try:
su - pf
ssh admin@controller_ip

Regards
Fabrice

On 2015-07-31 22:14, Polar Geek wrote:
> Fabrice,
>
> Sorry missed your reply until now.
>
> At any rate the connection to the AP is refused.
>
> ssh: connect to host 10.10.10.120 port 22: Connection refused
>
> I don’t think connecting to the AP directly will ever work in controlled mode. Per the manual
>
> In controlled mode, access to the CLI is possible only before the control channel to the
> controller is established, which can occur in the following scenarios:
>
> Network failures prevent a control channel from being created.
>
> After an AP is restarted, prior to establishment of the control channel (during the brief
> controller discovery process).
>
> When the AP is in controlled mode, a reduced number of CLI commands are available. The
> most notable command is *switch operational mode*, which enables you to switch the AP to
> autonomous mode. The *config* context is not available.
>
> So the setup really needs to honor the controller IP setting and send the commands there, which it does not appear to be doing.
>
> Thanks,
>
> Paul
>
> *From:* Fabrice DURAND [mailto:fd...@in...]
> *Sent:* July 30, 2015 6:20 AM
> *To:* pac...@li...
> *Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue
>
> Hello Paul,
>
> let's do a:
> su - pf
> ssh admin@10.10.10.120
> and accept the key then retry.
>
> Regards
> Fabrice
>
> On 2015-07-30 05:19, Polar Geek wrote:
>
>> Hello again,
>>
>> Thanks for all the help so far. I’m happily nearly completely functional with my initial testing of PF 5.3.1 but I’ve got a couple remaining issues.
>>
>> My wireless infrastructure is an HP MSM760 mobility control with 55 MSM460 access points. Currently I have added the controller and the AP on my desk to the system for testing. The configuration mostly works except for one issue. When I connect a new device to the SSID I have configured for mac-authentication, I am successfully connected to the captive portal. I can then authorize the system and PF appears to be making the necessary changes for network access. The problem is that disassociation never occurs because the server is ignoring the Controller IP Address set in the switch config and is instead attempting to connect to the AP directly, which will not work as direct SSH connections to the APs are not available when the APs are in controlled mode. If I manually disconnect/reconnect or restart the device the system works as expected. As you can see from the logs below the PF server is attempting to contact 10.10.10.120 but should be contacting 10.10.10.2
>>
>> What I believe to be the relevant logs and config file excerpts are below.
>>
>> Any ideas what I’m missing here?
>>
>> Thanks,
>>
>> Paul
>>
>> ****Initial Connection****
>>
>> Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00 EmployeeDevReg] Found a match (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu) (pf::Authentication::Source::LDAPSource::match_in_subclass)
>> Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule (EmployeeDevReg) in source LCHS-DC00, returning actions. (pf::Authentication::Source::match)
>> Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished seting the node up (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
>> Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the provisioning (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
>> Jul 30 02:29:24 httpd.portal(3485) INFO: person staffregistration modified to StaffRegistration (pf::person::person_modify)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] is currentlog connected at (10.10.10.120) ifIndex 0 in VLAN 50 (pf::enforcement::_should_we_reassign_vlan)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] VLAN reassignment required (current VLAN = 50 but should be in VLAN 5) (pf::enforcement::_should_we_reassign_vlan)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] switch port is (10.10.10.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
>> Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
>> Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
>> Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
>> Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
>> Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
>> Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)
>>
>> ****Reconnection****
>>
>> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] handling radius autz request: from switch_ip => (10.10.10.120), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90), mac => [50:3c:c4:71:25:c3], port => 0, username => "503cc47125c3" (pf::radius::authorize)
>> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
>> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
>> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
>> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
>> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
>> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] (10.10.10.120) Returning ACCEPT with VLAN 5 and role (pf::Switch::returnRadiusAccessAccept)
>>
>> ****Switch.conf****
>>
>> [10.10.10.2]
>> RoleMap=N
>> deauthMethod=HTTPS
>> AccessListMap=N
>> description=MSM Controller
>> type=HP::Controller_MSM710
>> VoIPEnabled=N
>> radiusSecret=*******
>> EmployeeVlan=5
>> Dorm StudentVlan=2
>> macDetectionVlan=4000
>> Day StudentVlan=2
>> isolationVlan=51
>> EmployeeRegistrationVlan=5
>> NetAdminVlan=1
>> registrationVlan=50
>> voiceVlan=99
>> cliUser=admin
>> cliPwd=*******
>> cliTransport=SSH
>> cliEnablePwd=*******
>> mode=production
>> SNMPCommunityRead=readwrite
>> SNMPCommunityWrite=readwrite
>> SNMPVersionTrap=3
>> SNMPVersion=3
>> SNMPCommunityTrap=readwrite
>>
>> [10.10.10.120]
>> RoleMap=N
>> controllerIp=10.10.10.2
>> deauthMethod=RADIUS
>> AccessListMap=N
>> description=BasementTemp
>> type=HP::MSM
>> VoIPEnabled=N
>> radiusSecret=******
>> mode=production
>> EmployeeVlan=5
>> macDetectionVlan=4000
>> Day StudentVlan=2
>> isolationVlan=51
>> registrationVlan=50
>> voiceVlan=99
>> Dorm StudentVlan=2
>> EmployeeRegistrationVlan=5
>> NetAdminVlan=1
>> cliUser=admin
>> cliPwd=*******
>> cliEnablePwd=*******
>> cliTransport=SSH
>> wsPwd=*******
>> wsTransport=HTTPS
>> wsUser=admin
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> Pac...@li...
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> fd...@in... :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
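
A check for the symptom reported in this thread, as an added example (not PacketFence code and not written by either poster): it reads a switch configuration excerpt and flags SSH deauthentication failures aimed at a device whose own entry sets controllerIp to a different address. The config excerpt is trimmed from the one quoted above, and the function names are hypothetical.

```python
import configparser
import re

# Excerpt trimmed from the switch config quoted in the thread (secrets omitted).
SWITCH_CONF = """
[10.10.10.2]
description=MSM Controller
type=HP::Controller_MSM710
cliTransport=SSH

[10.10.10.120]
controllerIp=10.10.10.2
description=BasementTemp
type=HP::MSM
cliTransport=SSH
"""

# Two log lines taken from the thread.
LOG_LINES = [
    "Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] "
    "DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)",
    "Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to "
    "controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)",
]

SSH_FAIL = re.compile(r"Can not connect to controller (\d+\.\d+\.\d+\.\d+) using SSH")

def load_controller_map(conf_text):
    """Map each switch section to its controllerIp (None when unset)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case, e.g. controllerIp
    parser.read_string(conf_text)
    return {s: parser[s].get("controllerIp") for s in parser.sections()}

def find_ignored_controller(log_lines, controller_map):
    """Return (attempted_ip, configured_controller) for each SSH failure
    aimed at a device whose entry names a different controllerIp."""
    findings = []
    for line in log_lines:
        m = SSH_FAIL.search(line)
        if not m:
            continue
        attempted = m.group(1)
        expected = controller_map.get(attempted)
        if expected and expected != attempted:
            findings.append((attempted, expected))
    return findings

if __name__ == "__main__":
    cmap = load_controller_map(SWITCH_CONF)
    for attempted, expected in find_ignored_controller(LOG_LINES, cmap):
        print(f"SSH deauth went to {attempted}; entry sets controllerIp={expected}")
```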