From: Durand f. <fd...@in...> - 2015-08-01 02:50:24
Can you paste your switches.conf?

Fabrice

On 2015-07-31 22:30, Polar Geek wrote:
>
> Fabrice,
>
> As I stated in the original message, the Controller is set in the switch configuration; it just appears to be ignoring that setting and is attempting to connect to the AP directly still.
>
> Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
>
> Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)
>
> Or are you saying that the error message in itself contains an error and is attempting to connect to the controller as specified but the log still shows the AP IP?
>
> Paul
>
> *From:* Durand fabrice [mailto:fd...@in...]
> *Sent:* July 31, 2015 8:22 PM
> *To:* pac...@li...
> *Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue
>
> Hi Paul,
>
> OK, you have a controller, so use it as the controller IP in switch configuration.
> And try:
> su - pf
> ssh admin@controller_ip
>
> Regards
> Fabrice
>
> On 2015-07-31 22:14, Polar Geek wrote:
>
> Fabrice,
>
> Sorry, missed your reply until now.
>
> At any rate the connection to the AP is refused.
>
> ssh: connect to host 10.10.10.120 port 22: Connection refused
>
> I don’t think connecting to the AP directly will ever work in controlled mode. Per the manual:
>
> In controlled mode, access to the CLI is possible only before the control channel to the controller is established, which can occur in the following scenarios:
>
> Network failures prevent a control channel from being created.
>
> After an AP is restarted, prior to establishment of the control channel (during the brief controller discovery process).
>
> When the AP is in controlled mode, a reduced number of CLI commands are available. The most notable command is *switch operational mode*, which enables you to switch the AP to autonomous mode. The *config* context is not available.
>
> So the setup really needs to honor the controller IP setting and send the commands there, which it does not appear to be doing.
>
> Thanks,
>
> Paul
>
> *From:* Fabrice DURAND [mailto:fd...@in...]
> *Sent:* July 30, 2015 6:20 AM
> *To:* pac...@li...
> *Subject:* Re: [PacketFence-users] HP MSM DeAuthentication issue
>
> Hello Paul,
>
> let's do a:
> su - pf
> ssh admin@10.10.10.120
> and accept the key then retry.
>
> Regards
> Fabrice
>
> On 2015-07-30 05:19, Polar Geek wrote:
>
> Hello again,
>
> Thanks for all the help so far. I’m happily nearly completely functional with my initial testing of PF 5.3.1 but I’ve got a couple remaining issues.
>
> My wireless infrastructure is an HP MSM760 mobility control with 55 MSM460 access points. Currently I have added the controller and the AP on my desk to the system for testing. The configuration mostly works except for one issue. When I connect a new device to the SSID I have configured for mac-authentication, I am successfully connected to the captive portal. I can then authorize the system and PF appears to be making the necessary changes for network access. The problem is that disassociation never occurs because the server is ignoring the Controller IP Address set in the switch config and is instead attempting to connect to the AP directly, which will not work as direct SSH connections to the APs are not available when the APs are in controlled mode. If I manually disconnect/reconnect or restart the device the system works as expected. As you can see from the logs below the PF server is attempting to contact 10.10.10.120 but should be contacting 10.10.10.2
>
> What I believe to be the relevant logs and config file excerpts are below.
>
> Any ideas what I’m missing here?
>
> Thanks,
>
> Paul
>
> ****Initial Connection****
>
> Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00 EmployeeDevReg] Found a match (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu) (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule (EmployeeDevReg) in source LCHS-DC00, returning actions. (pf::Authentication::Source::match)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished seting the node up (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the provisioning (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
> Jul 30 02:29:24 httpd.portal(3485) INFO: person staffregistration modified to StaffRegistration (pf::person::person_modify)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] is currentlog connected at (10.10.10.120) ifIndex 0 in VLAN 50 (pf::enforcement::_should_we_reassign_vlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] VLAN reassignment required (current VLAN = 50 but should be in VLAN 5) (pf::enforcement::_should_we_reassign_vlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] switch port is (10.10.10.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
> Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
> Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
> Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)
>
> ****Reconnection****
>
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] handling radius autz request: from switch_ip => (10.10.10.120), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90), mac => [50:3c:c4:71:25:c3], port => 0, username => "503cc47125c3" (pf::radius::authorize)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] (10.10.10.120) Returning ACCEPT with VLAN 5 and role (pf::Switch::returnRadiusAccessAccept)
>
> ****Switch.conf****
>
> [10.10.10.2]
> RoleMap=N
> deauthMethod=HTTPS
> AccessListMap=N
> description=MSM Controller
> type=HP::Controller_MSM710
> VoIPEnabled=N
> radiusSecret=*******
> EmployeeVlan=5
> Dorm StudentVlan=2
> macDetectionVlan=4000
> Day StudentVlan=2
> isolationVlan=51
> EmployeeRegistrationVlan=5
> NetAdminVlan=1
> registrationVlan=50
> voiceVlan=99
> cliUser=admin
> cliPwd=*******
> cliTransport=SSH
> cliEnablePwd=*******
> mode=production
> SNMPCommunityRead=readwrite
> SNMPCommunityWrite=readwrite
> SNMPVersionTrap=3
> SNMPVersion=3
> SNMPCommunityTrap=readwrite
>
> [10.10.10.120]
> RoleMap=N
> controllerIp=10.10.10.2
> deauthMethod=RADIUS
> AccessListMap=N
> description=BasementTemp
> type=HP::MSM
> VoIPEnabled=N
> radiusSecret=******
> mode=production
> EmployeeVlan=5
> macDetectionVlan=4000
> Day StudentVlan=2
> isolationVlan=51
> registrationVlan=50
> voiceVlan=99
> Dorm StudentVlan=2
> EmployeeRegistrationVlan=5
> NetAdminVlan=1
> cliUser=admin
> cliPwd=*******
> cliEnablePwd=*******
> cliTransport=SSH
> wsPwd=*******
> wsTransport=HTTPS
> wsUser=admin
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> Pac...@li...
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> fd...@in... :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)