[prev in list] [next in list] [prev in thread] [next in thread]
List: packetfence-users
Subject: Re: [PacketFence-users] Clients not disconnecting when deregistered
From: "Lierman, Andrew via PacketFence-users" <packetfence-users () lists ! sourceforge ! net
Date: 2020-01-17 14:27:43
Message-ID: CALmh1HSdtTXQ4aapvFwXLQtYqZ6U11KJpeoeU1xGVe8KwB2Ajg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
The device was still connected to the WLC, I did verify this.
I tried another client and I get a similar error message.
MAC address is: 4c:6b:e8:c7:67:e3
2020-01-17 08:18:36 Syslog.Info 172.20.0.39 ASD-WLC-5508: *pemReceiveTask:
Jan 17 08:20:27.879: %APF_HA-6-CLIENT_TEMP_DB_FIND_ERR:
[SA]apf_ha_api.c:258 Unable to find Mobile 4c:6b:e8:c7:67:e3 entry in the
temporary Client database used for APF HA
2020-01-17 08:18:36 Syslog.Info 172.20.0.39 ASD-WLC-5508:
*haSSOServiceTask3: Jan 17 08:20:27.880: %APF_HA-6-CLIENT_DB_FIND_ERR:
[SA]apf_ha.c:4745 Unable to find Mobile 4c:6b:e8:c7:67:e3 entry in the
database, could not process send update message for Mobile
Jan 17 08:18:33 nac packetfence: INFO pfperl-api(6611): Request to
/api/v1/dhcp/mac/4c:6b:e8:c7:67:e3 is unauthorized, will perform a login
(pf::api::unifiedapiclient::call)
Jan 17 08:18:33 nac packetfence: INFO pfperl-api(6611): re-evaluating
access (admin_modify called) (pf::enforcement::reevaluate_access)
Jan 17 08:18:35 nac pfqueue: pfqueue(13332) INFO: [mac:4c:6b:e8:c7:67:e3]
[4c:6b:e8:c7:67:e3] DesAssociating mac on switch (172.22.0.39)
(pf::api::desAssociate)
Jan 17 08:18:35 nac pfqueue: pfqueue(13332) INFO: [mac:4c:6b:e8:c7:67:e3]
deauthenticating (pf::Switch::Cisco::WLC::radiusDisconnect)
Jan 17 08:18:37 nac packetfence_httpd.aaa: httpd.aaa(7807) INFO:
[mac:4c:6b:e8:c7:67:e3] handling radius autz request: from switch_ip =>
(172.22.0.39), connection_type => Wireless-802.11-NoEAP,switch_mac =>
(78:bc:1a:1e:54:e0), mac => [4c:6b:e8:c7:67:e3], port => 13, username =>
"4c6be8c767e3", ssid => ASDGuest (pf::radius::authorize)
Jan 17 08:18:37 nac packetfence_httpd.aaa: httpd.aaa(7807) INFO:
[mac:4c:6b:e8:c7:67:e3] Instantiate profile guest
(pf::Connection::ProfileFactory::_from_profile)
Jan 17 08:18:37 nac packetfence_httpd.aaa: httpd.aaa(7807) WARN:
[mac:4c:6b:e8:c7:67:e3] Switch type 'pf::Switch::Cisco::WLC_5500' does not
support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Jan 17 08:18:37 nac packetfence_httpd.aaa: httpd.aaa(7807) INFO:
[mac:4c:6b:e8:c7:67:e3] is of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jan 17 08:18:37 nac packetfence_httpd.aaa: httpd.aaa(7807) INFO:
[mac:4c:6b:e8:c7:67:e3] (172.22.0.39) Added VLAN 104 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 17 08:18:37 nac packetfence_httpd.aaa: httpd.aaa(7807) INFO:
[mac:4c:6b:e8:c7:67:e3] (172.22.0.39) Added role Pre-Auth-For_WebRedirect
to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 17 08:18:37 nac packetfence_httpd.aaa: httpd.aaa(7807) INFO:
[mac:4c:6b:e8:c7:67:e3] Adding web authentication redirection to reply
using role: 'Pre-Auth-For_WebRedirect' and URL: '
https://nac.rails.altoona.k12.wi.us/Cisco::WLC/sid358caf'
(pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Jan 17 08:18:45 nac pfqueue: pfqueue(13332) WARN: [mac:4c:6b:e8:c7:67:e3]
Unable to perform RADIUS CoA-Request on (172.22.0.39): Timeout waiting for
a reply from 172.22.0.39 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm
line 166. (pf::Switch::Cisco::WLC::catch {...} )
Jan 17 08:18:45 nac pfqueue: pfqueue(13332) ERROR: [mac:4c:6b:e8:c7:67:e3]
Wrong RADIUS secret or unreachable network device (172.22.0.39)... On some
Cisco Wireless Controllers you might have to set disconnectPort=1700 as
some versions ignore the CoA requests on port 3799
(pf::Switch::Cisco::WLC::catch {...} )
On Fri, Jan 17, 2020 at 2:05 AM Nicolas Quiniou-Briand via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hi Andrew,
>
> 1. Is it possible this device was already disconnected from WLC ?
> 2. Could you try with another client that is connected to WLC when you
> unreg from PF ?
> 3. After you test 2, provide us packetfence.log with lines related to
> MAC of your other client and WLC logs.
>
> Thanks.
> --
> Nicolas Quiniou-Briand
> nqb@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
> (https://packetfence.org) and Fingerbank (http://fingerbank.org)
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
--
--
*Confidentiality Notice:* This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all copies
of the original message. The views
expressed in this transmission are not
necessarily the views of the School District of Altoona.
[Attachment #5 (text/html)]
<div dir="ltr">The device was still connected to the WLC, I did verify \
this.<div><br></div><div>I tried another client and I get a similar error \
message.</div><div><br></div><div>MAC address is:
4c:6b:e8:c7:67:e3
</div><div><br></div><div>2020-01-17 08:18:36 Syslog.Info 172.20.0.39 ASD-WLC-5508: \
*pemReceiveTask: Jan 17 08:20:27.879: %APF_HA-6-CLIENT_TEMP_DB_FIND_ERR: \
[SA]apf_ha_api.c:258 Unable to find Mobile 4c:6b:e8:c7:67:e3 entry in the temporary \
Client database used for APF HA</div><div><br>2020-01-17 \
08:18:36 Syslog.Info 172.20.0.39 ASD-WLC-5508: *haSSOServiceTask3: Jan 17 \
08:20:27.880: %APF_HA-6-CLIENT_DB_FIND_ERR: [SA]apf_ha.c:4745 Unable to find Mobile \
4c:6b:e8:c7:67:e3 entry in the database, could not process send update message for \
Mobile<br></div><div><br></div><div><br></div><div>Jan 17 08:18:33 nac packetfence: \
INFO pfperl-api(6611): Request to /api/v1/dhcp/mac/4c:6b:e8:c7:67:e3 is unauthorized, \
will perform a login (pf::api::unifiedapiclient::call)<br>Jan 17 08:18:33 nac \
packetfence: INFO pfperl-api(6611): re-evaluating access (admin_modify called) \
(pf::enforcement::reevaluate_access)<br></div><div>Jan 17 08:18:35 nac pfqueue: \
pfqueue(13332) INFO: [mac:4c:6b:e8:c7:67:e3] [4c:6b:e8:c7:67:e3] DesAssociating mac \
on switch (172.22.0.39) (pf::api::desAssociate)<br>Jan 17 08:18:35 nac pfqueue: \
pfqueue(13332) INFO: [mac:4c:6b:e8:c7:67:e3] deauthenticating \
(pf::Switch::Cisco::WLC::radiusDisconnect)<br></div><div>Jan 17 08:18:37 nac \
packetfence_httpd.aaa: httpd.aaa(7807) INFO: [mac:4c:6b:e8:c7:67:e3] handling radius \
autz request: from switch_ip => (172.22.0.39), connection_type => \
Wireless-802.11-NoEAP,switch_mac => (78:bc:1a:1e:54:e0), mac => \
[4c:6b:e8:c7:67:e3], port => 13, username => "4c6be8c767e3", ssid \
=> ASDGuest (pf::radius::authorize)<br>Jan 17 08:18:37 nac packetfence_httpd.aaa: \
httpd.aaa(7807) INFO: [mac:4c:6b:e8:c7:67:e3] Instantiate profile guest \
(pf::Connection::ProfileFactory::_from_profile)<br>Jan 17 08:18:37 nac \
packetfence_httpd.aaa: httpd.aaa(7807) WARN: [mac:4c:6b:e8:c7:67:e3] Switch type \
'pf::Switch::Cisco::WLC_5500' does not support MABFloatingDevices \
(pf::SwitchSupports::__ANON__)<br>Jan 17 08:18:37 nac packetfence_httpd.aaa: \
httpd.aaa(7807) INFO: [mac:4c:6b:e8:c7:67:e3] is of status unreg; belongs into \
registration VLAN (pf::role::getRegistrationRole)<br>Jan 17 08:18:37 nac \
packetfence_httpd.aaa: httpd.aaa(7807) INFO: [mac:4c:6b:e8:c7:67:e3] (172.22.0.39) \
Added VLAN 104 to the returned RADIUS Access-Accept \
(pf::Switch::returnRadiusAccessAccept)<br>Jan 17 08:18:37 nac packetfence_httpd.aaa: \
httpd.aaa(7807) INFO: [mac:4c:6b:e8:c7:67:e3] (172.22.0.39) Added role \
Pre-Auth-For_WebRedirect to the returned RADIUS Access-Accept \
(pf::Switch::returnRadiusAccessAccept)<br>Jan 17 08:18:37 nac packetfence_httpd.aaa: \
httpd.aaa(7807) INFO: [mac:4c:6b:e8:c7:67:e3] Adding web authentication redirection \
to reply using role: 'Pre-Auth-For_WebRedirect' and URL: '<a \
href="https://nac.rails.altoona.k12.wi.us/Cisco::WLC/sid358caf">https://nac.rails.altoona.k12.wi.us/Cisco::WLC/sid358caf</a>' \
(pf::Switch::Cisco::WLC::returnRadiusAccessAccept)<br></div><div>Jan 17 08:18:45 nac \
pfqueue: pfqueue(13332) WARN: [mac:4c:6b:e8:c7:67:e3] Unable to perform RADIUS \
CoA-Request on (172.22.0.39): Timeout waiting for a reply from 172.22.0.39 on port \
3799 at /usr/local/pf/lib/pf/util/<a href="http://radius.pm">radius.pm</a> line 166. \
(pf::Switch::Cisco::WLC::catch {...} )<br>Jan 17 08:18:45 nac pfqueue: pfqueue(13332) \
ERROR: [mac:4c:6b:e8:c7:67:e3] Wrong RADIUS secret or unreachable network device \
(172.22.0.39)... On some Cisco Wireless Controllers you might have to set \
disconnectPort=1700 as some versions ignore the CoA requests on port 3799 \
(pf::Switch::Cisco::WLC::catch {...} \
)<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div \
dir="ltr" class="gmail_attr">On Fri, Jan 17, 2020 at 2:05 AM Nicolas Quiniou-Briand \
via PacketFence-users <<a \
href="mailto:packetfence-users@lists.sourceforge.net">packetfence-users@lists.sourceforge.net</a>> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Andrew,<br> <br>
1. Is it possible this device was already disconnected from WLC ?<br>
2. Could you try with another client that is connected to WLC when you <br>
unreg from PF ?<br>
3. After you test 2, provide us packetfence.log with lines related to <br>
MAC of your other client and WLC logs.<br>
<br>
Thanks.<br>
-- <br>
Nicolas Quiniou-Briand<br>
<a href="mailto:nqb@inverse.ca" target="_blank">nqb@inverse.ca</a> :: \
+1.514.447.4918 *140 :: <a href="https://inverse.ca" rel="noreferrer" \
target="_blank">https://inverse.ca</a><br> Inverse inc. :: Leaders behind SOGo (<a \
href="https://sogo.nu" rel="noreferrer" target="_blank">https://sogo.nu</a>), \
PacketFence <br> (<a href="https://packetfence.org" rel="noreferrer" \
target="_blank">https://packetfence.org</a>) and Fingerbank (<a \
href="http://fingerbank.org" rel="noreferrer" \
target="_blank">http://fingerbank.org</a>)<br> <br>
<br>
_______________________________________________<br>
PacketFence-users mailing list<br>
<a href="mailto:PacketFence-users@lists.sourceforge.net" \
target="_blank">PacketFence-users@lists.sourceforge.net</a><br> <a \
href="https://lists.sourceforge.net/lists/listinfo/packetfence-users" \
rel="noreferrer" target="_blank">https://lists.sourceforge.net/lists/listinfo/packetfence-users</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" \
class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div \
dir="ltr"><div><div dir="ltr"><div><img \
src="https://docs.google.com/uc?export=download&id=0B-x5Hwn7Xa-eNVJzQ3VqZW1KVkE&revid=0B-x5Hwn7Xa-eOUdmUXJCSllwbFZKWW12VnV5RFVrMG8vSTA4PQ" \
width="420" height="171"></div></div></div></div></div></div></div></div></div>
<br>
<b style="color:rgb(34,34,34);font-family:monospace;font-size:small;white-space:pre-wrap;background-color:rgb(250,250,250)">Confidentiality \
Notice:</b><span style="color:rgb(34,34,34);font-family:monospace;font-size:small;white-space:pre-wrap;background-color:rgb(250,250,250)"> \
This e-mail message, including any attachments, is for the sole use of the intended \
recipient(s) and may contain confidential and privileged information. Any \
unauthorized review, use, disclosure or distribution is prohibited. If you are not \
the intended recipient, please contact the sender by reply e-mail and destroy all \
copies of the original message. The views expressed in this transmission are not \
necessarily the views of the School District of Altoona.</span>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic