From: Durand f. <fd...@in...> - 2015-08-02 16:52:36

Hello Paul,

use the HP::Controller_MSM710 type for each AP; HP::MSM is only for a standalone Access Point without a controller.

Regards
Fabrice

On 2015-07-31 23:10, Polar Geek wrote:
> Fabrice,
>
> here it is in its entirety. Although the only relevant entries should be for 10.10.10.2 and 10.10.10.120, and no changes have been made to their setup since the original email.
>
> #
> # Copyright (C) 2005-2015 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [default]
> description=Switches Default Values
> vlans=1,2,3,4,5
> normalVlan=1
> registrationVlan=2
> isolationVlan=3
> macDetectionVlan=4
> voiceVlan=5
> inlineVlan=6
> inlineTrigger=
> normalRole=normal
> registrationRole=registration
> isolationRole=isolation
> macDetectionRole=macDetection
> voiceRole=voice
> inlineRole=inline
> VoIPEnabled=no
> VlanMap=Y
> RoleMap=Y
> mode=testing
> macSearchesMaxNb=30
> macSearchesSleepInterval=2
> uplink=dynamic
> #
> # Command Line Interface
> #
> # cliTransport could be: Telnet, SSH or Serial
> cliTransport=Telnet
> cliUser=
> cliPwd=
> cliEnablePwd=
> #
> # SNMP section
> #
> # PacketFence -> Switch
> SNMPVersion=1
> SNMPCommunityRead=public
> SNMPCommunityWrite=private
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> # Switch -> PacketFence
> SNMPVersionTrap=1
> SNMPCommunityTrap=public
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
> #
> # Web Services Interface
> #
> # wsTransport could be: http or https
> wsTransport=http
> wsUser=
> wsPwd=
> #
> # RADIUS NAS Client config
> #
> # RADIUS shared secret with switch
> radiusSecret=
>
> [10.10.10.2]
> RoleMap=N
> deauthMethod=HTTPS
> AccessListMap=N
> description=MSM Controller
> type=HP::Controller_MSM710
> VoIPEnabled=N
> radiusSecret=Luther@456
> EmployeeVlan=5
> Dorm StudentVlan=2
> macDetectionVlan=4000
> Day StudentVlan=2
> isolationVlan=51
> EmployeeRegistrationVlan=5
> NetAdminVlan=1
> registrationVlan=50
> voiceVlan=99
> cliUser=admin
> cliPwd=luthernet4
> cliTransport=SSH
> cliEnablePwd=luthernet4
> mode=production
> SNMPCommunityRead=readwrite
> SNMPCommunityWrite=readwrite
> SNMPVersionTrap=3
> SNMPCommunityWrite=readwrite
> SNMPVersionTrap=3
> SNMPVersion=3
> SNMPCommunityTrap=readwrite
>
> [10.10.10.8]
> RoleMap=N
> EmployeeVlan=5
> mode=production
> SNMPCommunityWrite=public
> cliUser=manager
> deauthMethod=Telnet
> AccessListMap=N
> description=OldGreenRoom
> type=HP::Procurve_2500
> Dorm StudentVlan=2
> macDetectionVlan=4000
> cliPwd=luthernet4
> Day StudentVlan=2
> VoIPEnabled=N
> isolationVlan=51
> uplink_dynamic=0
> SNMPAuthPasswordWrite=luthernet4
> SNMPPrivPasswordWrite=luthernet4
> cliEnablePwd=luthernet4
> uplink=1,2
> registrationVlan=50
> voiceVlan=99
> radiusSecret=Luther@456
> NetAdminVlan=1
> EmployeeRegistrationVlan=5
> guestVlan=51
>
> [10.10.10.15]
> RoleMap=N
> cliUser=manager
> deauthMethod=Telnet
> AccessListMap=N
> description=New48
> type=HP::Procurve_2500
> macDetectionVlan=4000
> cliPwd=luthernet4
> VoIPEnabled=N
> isolationVlan=51
> uplink_dynamic=0
> SNMPAuthPasswordWrite=luthernet4
> SNMPPrivPasswordWrite=luthernet4
> cliEnablePwd=luthernet4
> uplink=1,2,3
> registrationVlan=50
> voiceVlan=99
> mode=production
> SNMPCommunityWrite=public
> EmployeeVlan=5
> Dorm StudentVlan=2
> Day StudentVlan=2
> radiusSecret=Luther@456
> NetAdminVlan=1
> EmployeeRegistrationVlan=5
> guestVlan=51
>
> [10.10.10.120]
> RoleMap=N
> controllerIp=10.10.10.2
> deauthMethod=RADIUS
> AccessListMap=N
> description=BasementTemp
> type=HP::MSM
> VoIPEnabled=N
> radiusSecret=Luther@456
> mode=production
> EmployeeVlan=5
> macDetectionVlan=4000
> Day StudentVlan=2
> isolationVlan=51
> registrationVlan=50
> voiceVlan=99
> Dorm StudentVlan=2
> EmployeeRegistrationVlan=5
> NetAdminVlan=1
>
> Paul Taylor
> IT Support
> Luther College High School
>
> From: Durand fabrice [mailto:fd...@in...]
> Sent: July 31, 2015 8:50 PM
> To: pac...@li...
> Subject: Re: [PacketFence-users] HP MSM DeAuthentication issue
>
> Can you paste your switches.conf ?
>
> fabrice
>
> On 2015-07-31 22:30, Polar Geek wrote:
> Fabrice,
>
> As I stated in the original message, the Controller is set in the switch configuration; it just appears to be ignoring that setting and is still attempting to connect to the AP directly.
>
> Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
> Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)
>
> Or are you saying that the error message in itself contains an error and is attempting to connect to the controller as specified, but the log still shows the AP IP?
>
> Paul
>
> From: Durand fabrice [mailto:fd...@in...]
> Sent: July 31, 2015 8:22 PM
> To: pac...@li...
> Subject: Re: [PacketFence-users] HP MSM DeAuthentication issue
>
> Hi Paul,
>
> Ok you have a controller, so use it as the controller ip in switch configuration
> And try:
> su - pf
> ssh admin@controller_ip
>
> Regards
> Fabrice
>
> On 2015-07-31 22:14, Polar Geek wrote:
> Fabrice,
>
> Sorry, missed your reply until now.
>
> At any rate the connection to the AP is refused.
>
> ssh: connect to host 10.10.10.120 port 22: Connection refused
>
> I don't think connecting to the AP directly will ever work in controlled mode. Per the manual:
>
> In controlled mode, access to the CLI is possible only before the control channel to the controller is established, which can occur in the following scenarios:
> Network failures prevent a control channel from being created.
> After an AP is restarted, prior to establishment of the control channel (during the brief controller discovery process).
> When the AP is in controlled mode, a reduced number of CLI commands are available. The most notable command is *switch operational mode*, which enables you to switch the AP to autonomous mode. The *config* context is not available.
>
> So the setup really needs to honor the controller IP setting and send the commands there, which it does not appear to be doing.
>
> Thanks,
>
> Paul
>
> From: Fabrice DURAND [mailto:fd...@in...]
> Sent: July 30, 2015 6:20 AM
> To: pac...@li...
> Subject: Re: [PacketFence-users] HP MSM DeAuthentication issue
>
> Hello Paul,
>
> let's do a:
> su - pf
> ssh admin@10.10.10.120
> and accept the key then retry.
>
> Regards
> Fabrice
>
> On 2015-07-30 05:19, Polar Geek wrote:
> Hello again,
>
> Thanks for all the help so far. I'm happily nearly completely functional with my initial testing of PF 5.3.1, but I've got a couple of remaining issues.
>
> My wireless infrastructure is an HP MSM760 mobility control with 55 MSM460 access points. Currently I have added the controller and the AP on my desk to the system for testing. The configuration mostly works except for one issue. When I connect a new device to the SSID I have configured for mac-authentication, I am successfully connected to the captive portal. I can then authorize the system and PF appears to be making the necessary changes for network access. The problem is that disassociation never occurs because the server is ignoring the Controller IP Address set in the switch config and is instead attempting to connect to the AP directly, which will not work as direct SSH connections to the APs are not available when the APs are in controlled mode. If I manually disconnect/reconnect or restart the device the system works as expected. As you can see from the logs below the PF server is attempting to contact 10.10.10.120 but should be contacting 10.10.10.2
>
> What I believe to be the relevant logs and config file excerpts are below.
>
> Any ideas what I'm missing here?
>
> Thanks,
>
> Paul
>
> ****Initial Connection****
>
> Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00 EmployeeDevReg] Found a match (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu) (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule (EmployeeDevReg) in source LCHS-DC00, returning actions. (pf::Authentication::Source::match)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished seting the node up (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
> Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the provisioning (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
> Jul 30 02:29:24 httpd.portal(3485) INFO: person staffregistration modified to StaffRegistration (pf::person::person_modify)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] is currentlog connected at (10.10.10.120) ifIndex 0 in VLAN 50 (pf::enforcement::_should_we_reassign_vlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] VLAN reassignment required (current VLAN = 50 but should be in VLAN 5) (pf::enforcement::_should_we_reassign_vlan)
> Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] switch port is (10.10.10.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
> Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
> Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
> Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
> Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)
>
> ****Reconnection****
>
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] handling radius autz request: from switch_ip => (10.10.10.120), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90), mac => [50:3c:c4:71:25:c3], port => 0, username => "503cc47125c3" (pf::radius::authorize)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
> Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] (10.10.10.120) Returning ACCEPT with VLAN 5 and role (pf::Switch::returnRadiusAccessAccept)
>
> ****Switch.conf****
>
> [10.10.10.2]
> RoleMap=N
> deauthMethod=HTTPS
> AccessListMap=N
> description=MSM Controller
> type=HP::Controller_MSM710
> VoIPEnabled=N
> radiusSecret=*******
> EmployeeVlan=5
> Dorm StudentVlan=2
> macDetectionVlan=4000
> Day StudentVlan=2
> isolationVlan=51
> EmployeeRegistrationVlan=5
> NetAdminVlan=1
> registrationVlan=50
> voiceVlan=99
> cliUser=admin
> cliPwd=*******
> cliTransport=SSH
> cliEnablePwd=*******
> mode=production
> SNMPCommunityRead=readwrite
> SNMPCommunityWrite=readwrite
> SNMPVersionTrap=3
> SNMPVersion=3
> SNMPCommunityTrap=readwrite
>
> [10.10.10.120]
> RoleMap=N
> controllerIp=10.10.10.2
> deauthMethod=RADIUS
> AccessListMap=N
> description=BasementTemp
> type=HP::MSM
> VoIPEnabled=N
> radiusSecret=******
> mode=production
> EmployeeVlan=5
> macDetectionVlan=4000
> Day StudentVlan=2
> isolationVlan=51
> registrationVlan=50
> voiceVlan=99
> Dorm StudentVlan=2
> EmployeeRegistrationVlan=5
> NetAdminVlan=1
> cliUser=admin
> cliPwd=*******
> cliEnablePwd=*******
> cliTransport=SSH
> wsPwd=*******
> wsTransport=HTTPS
> wsUser=admin
>
> --
> Fabrice Durand
> fd...@in... :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
Pac...@li...
https://lists.sourceforge.net/lists/listinfo/packetfence-users
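The thread turns on two things that are easy to miss when reading a switches.conf by eye: an access point declared with `type=HP::MSM` while also carrying a `controllerIp` (Fabrice's advice is to use `HP::Controller_MSM710` for controller-managed APs), and keys that appear twice in a section (`SNMPCommunityWrite` and `SNMPVersionTrap` in the full paste of `[10.10.10.2]`). The following is an added example, not PacketFence's own tooling, of a small lint that parses a switches.conf in the layout shown above and reports those patterns, plus sections whose effective `cliTransport`/`wsTransport` resolves to a clear-text protocol. It assumes the INI layout seen in the thread (one section per device IP, a `[default]` section whose values the other sections inherit, keys that may contain spaces) and uses a constructed sample config with placeholder secrets.

```python
"""Lint a PacketFence-style switches.conf for the misconfigurations seen in the thread.

Added example, not PacketFence code. Assumes: one [section] per device IP, a
[default] section whose keys other sections inherit, keys may contain spaces,
and duplicate keys may occur (a permissive INI reader would keep the last one).
"""
import re
from collections import Counter

# Constructed sample modelled on the thread (secrets replaced with placeholders):
# an AP declared as HP::MSM with a controllerIp, and a controller section with
# duplicated keys.
SAMPLE_CONF = """\
[default]
description=Switches Default Values
cliTransport=Telnet
wsTransport=http
SNMPVersion=1

[10.10.10.2]
description=MSM Controller
type=HP::Controller_MSM710
deauthMethod=HTTPS
cliTransport=SSH
wsTransport=https
radiusSecret=PLACEHOLDER_SECRET
SNMPCommunityWrite=readwrite
SNMPVersionTrap=3
SNMPCommunityWrite=readwrite
SNMPVersionTrap=3

[10.10.10.120]
description=BasementTemp
type=HP::MSM
controllerIp=10.10.10.2
deauthMethod=RADIUS
Dorm StudentVlan=2
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_switches_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not key=value
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def lint(sections):
    """Return a list of (section, code, message) findings."""
    findings = []
    default = dict(sections.get("default", []))
    for name, entries in sections.items():
        # Duplicate keys: ambiguous which value takes effect.
        for key, n in Counter(k for k, _ in entries).items():
            if n > 1:
                findings.append((name, "duplicate-key", f"{key} appears {n} times"))
        # Effective values: section overrides [default] (assumed inheritance).
        effective = {**default, **dict(entries)}
        if effective.get("type") == "HP::MSM" and "controllerIp" in effective:
            findings.append((name, "ap-type-with-controller",
                             "type=HP::MSM but controllerIp is set; controller-managed "
                             "APs should use HP::Controller_MSM710"))
        ctrl = effective.get("controllerIp")
        if ctrl is not None and ctrl not in sections:
            findings.append((name, "unknown-controller",
                             f"controllerIp {ctrl} has no [{ctrl}] section"))
        # Management transports that carry credentials in clear text.
        for key, insecure in (("cliTransport", "telnet"), ("wsTransport", "http")):
            if effective.get(key, "").lower() == insecure:
                findings.append((name, "plaintext-transport",
                                 f"effective {key}={effective[key]} is clear text"))
    return findings


if __name__ == "__main__":
    for section, code, msg in lint(parse_switches_conf(SAMPLE_CONF)):
        print(f"[{section}] {code}: {msg}")
```

Running it against the sample reports the HP::MSM/controllerIp mismatch on `[10.10.10.120]`, the two duplicated keys in `[10.10.10.2]`, and clear-text transports for the sections that inherit `[default]`'s Telnet/http values. Point `parse_switches_conf` at the text of a real file to check it the same way.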