
List:       packetfence-users
Subject:    Re: [PacketFence-users] Wired online/offline status not working
From:       Kenny Wallrath via PacketFence-users <packetfence-users () lists ! sourceforge ! net>
Date:       2020-10-21 10:07:45
Message-ID: CAGAZVbEqRqpScuiJgH3=mLz8M1ZOwr8VY0i8oS=j_wQ3R=rFPA () mail ! gmail ! com

Hi Ludovic,

I am currently running a relatively fresh installation of the 10.2 ZEN
Appliance.

Unfortunately the workaround of enabling radiusd-acct didn't work.
Yes, I did receive accounting replies and accounting ok messages in
radsniff, but the online/offline state didn't change.
What worked for me was disabling my eth1 interface and moving back
radius completely to my management interface. This is now working with
the pfacct again.

Best regards

On Tue, Oct 20, 2020 at 21:54, Ludovic Zammit <lzammit@inverse.ca> wrote:
> 
> Hello Kenny,
> 
> What's your PacketFence version?
> 
> Thanks,
> 
> 
> Ludovic Zammit
> lzammit@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> On Oct 20, 2020, at 3:00 PM, Ludovic Zammit <lzammit@inverse.ca> wrote:
> 
> As a workaround, you could disable PFacct in the services and enable radius-acct
> and it should work.
> It's fixed in the 10.2 version.
> 
> Thanks,
> 
> 
> Ludovic Zammit
> lzammit@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> On Oct 20, 2020, at 12:14 PM, Ludovic Zammit via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Kenny,
> 
> I did open a bug for it, thanks for reporting it.
> 
> https://github.com/inverse-inc/packetfence/issues/5930
> 
> Thanks,
> 
> 
> Ludovic Zammit
> lzammit@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> On Oct 20, 2020, at 9:58 AM, Kenny Wallrath <kenny@human-rodeo.de> wrote:
> 
> Here you go:
> 
> [root@packetfence ~]# netstat -nlp | grep 1813
> udp        0      0 10.0.21.20:1813         0.0.0.0:*
> 1660/pfacct
> 
> 
> It seems that pfacct is only bound to my management interface and
> not my "radius interface".
> If I check the udp-1812 port I can see the following:
> 
> [root@packetfence ~]# netstat -nlp | grep 1812
> udp        0      0 127.0.0.1:18121         0.0.0.0:*
> 2651/radiusd
> udp        0      0 10.0.21.20:1812         0.0.0.0:*
> 2651/radiusd
> udp        0      0 10.0.20.14:1812         0.0.0.0:*
> 2651/radiusd
> 
> My radius network interface is the following:
> --> pf.conf
> [interface eth1]
> ip=10.0.20.14
> type=none,radius,dhcp-listener
> mask=255.255.255.0
> 
> In raddb/acct.conf
> I found a listen block for the radius interface:
> 
> listen {
> ipaddr = 10.0.20.14
> port = 0
> type = acct
> virtual_server = packetfence
> }
> This explains why I receive accounting-replies at my switch when I
> enable the radiusd-acct service.
> But I couldn't find any conf files for pfacct.
> 
> Is my interface correctly configured?
> 
> If I restart the pfacct service over the GUI I can see the daemon
> listening on the right interface:
> [root@packetfence raddb]# netstat -nlp | grep 1813
> udp        0      0 10.0.21.20:1813         0.0.0.0:*
> 4133/pfacct
> udp     4352      0 10.0.20.14:1813         0.0.0.0:*
> 4133/pfacct
> 
> But if I power cycle my device or reevaluate the switchport, the netstat
> looks the same as in the beginning...
> 
> Best regards
> 
> On Tue, Oct 20, 2020 at 14:41, Ludovic Zammit <lzammit@inverse.ca> wrote:
> 
> 
> Hello,
> 
> Can you show me the output of:
> 
> netstat -nlp | grep 1813
> 
> Thanks,
> 
> 
> Ludovic Zammit
> lzammit@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> On Oct 18, 2020, at 5:21 AM, Kenny Wallrath <kenny@human-rodeo.de> wrote:
> 
> Hi Ludovic,
> 
> I took another debug on the switch and PacketFence. It seems that
> Radius Accounting Start packets are sent from
> the switch to PF; anyway, the online/offline state still is not
> getting updated and PF is not sending an accounting-response.
> Also, the pfacct.log remains empty.
> I attached the radsniff and my Cisco debug below.
> 
> This is what I configured on the switch side:
> 
> aaa new-model
> aaa group server radius PACKETFENCE
> server name PACKETFENCE
> aaa authentication login default local group radius
> aaa authentication enable default enable
> aaa authentication dot1x default group PACKETFENCE
> aaa authorization console
> aaa authorization exec default local group radius if-authenticated
> aaa authorization network default group PACKETFENCE
> aaa accounting update newinfo
> aaa accounting dot1x default start-stop group PACKETFENCE
> aaa accounting network default start-stop group PACKETFENCE
> aaa accounting connection default start-stop group PACKETFENCE
> aaa server radius dynamic-author
> client 10.0.20.14 server-key xxxxxxxxxxxxxxxx
> port 3799
> aaa session-id common
> radius-server vsa send accounting
> radius-server vsa send authentication
> 
> 
> 
> Cisco "debug aaa accounting"
> Oct 18 11:00:02.554: AAA/ACCT/DOT1X(0000005A): Pick method list 'default'
> Oct 18 11:00:02.554: AAA/ACCT/SETMLIST(0000005A): Handle 0, mlist
> 05861080, Name default
> Oct 18 11:00:02.554: Getting session id for DOT1X(0000005A) : db=55391F0
> Oct 18 11:00:02.554: AAA/ACCT/DOT1X(0000005A): add, count 2
> Oct 18 11:00:03.513: AAA/ACCT/EVENT/(0000005A): ATTR REPLACE
> Oct 18 11:00:03.513: AAA/ACCT(0000005A): Accounting response status = FAILURE
> Oct 18 11:00:03.513: AAA/ACCT(0000005A): Send NEWINFO accounting
> notification to EM failed
> 
> Oct 18 11:00:03.550: %AUTHMGR-5-SUCCESS: Authorization succeeded for
> client (b827.eb3f.01c8) on Interface Gi1/0/2 AuditSessionID
> 0A0014FD0000002ED5397B59
> Oct 18 11:00:03.550: AAA/ACCT/EVENT/(0000005A): NET UP
> Oct 18 11:00:03.550: AAA/ACCT/HC(0000005A): Update Dot1X/2E00002F
> Oct 18 11:00:03.550: AAA/ACCT/HC(0000005A): no HC Dot1X/2E00002F
> Oct 18 11:00:03.550: AAA/ACCT/DOT1X(0000005A): Queueing record is START
> Oct 18 11:00:03.550: AAA/ACCT(0000005A): Accounting method=PACKETFENCE (RADIUS)
> Oct 18 11:00:15.011: AAA/ACCT/EVENT/(0000005A): ATTR REPLACE
> Oct 18 11:00:15.011: AAA/ACCT/HC(0000005A): Update Dot1X/2E00002F
> Oct 18 11:00:15.011: AAA/ACCT/HC(0000005A): no HC Dot1X/2E00002F
> Oct 18 11:00:15.011: AAA/ACCT/DOT1X(0000005A): Queueing record is NEWINFO
> Oct 18 11:00:15.011: AAA/ACCT/EVENT/(0000005A): SESSION INFO
> Oct 18 11:00:15.011: AAA/ACCT/HC(0000005A): Update Dot1X/2E00002F
> Oct 18 11:00:15.011: AAA/ACCT/HC(0000005A): no HC Dot1X/2E00002F
> Oct 18 11:00:15.011: AAA/ACCT/DOT1X(0000005A): Queueing record is UPDATE
> Oct 18 11:00:15.016: AAA/ACCT(0000005A): Accounting method=PACKETFENCE (RADIUS)
> Oct 18 11:00:15.016: AAA/ACCT(0000005A): Accounting method=PACKETFENCE (RADIUS)
> Oct 18 11:00:23.719: AAA/ACCT/DOT1X(0000005A): START protocol reply FAIL
> Oct 18 11:00:23.719: AAA/ACCT(0000005A): Accounting method=NOT_SET
> Oct 18 11:00:23.719: AAA/ACCT(0000005A): Accounting response status = FAILURE
> Oct 18 11:00:23.719: AAA/ACCT(0000005A): Send START accounting
> notification to EM failed
> Oct 18 11:00:23.719: AAA/ACCT(0000005A): mlist_periodic is not set, interval 0
> Oct 18 11:00:30.095: %RADIUS-4-RADIUS_DEAD: RADIUS server
> 10.0.20.14:1812,1813 is not responding.
> Oct 18 11:00:30.152: %RADIUS-4-RADIUS_ALIVE: RADIUS server
> 10.0.20.14:1812,1813 is being marked alive.
> Oct 18 11:00:35.107: AAA/ACCT/DOT1X(0000005A): NEWINFO protocol reply FAIL
> Oct 18 11:00:35.107: AAA/ACCT(0000005A): Accounting method=NOT_SET
> Oct 18 11:00:35.107: AAA/ACCT(0000005A): mlist_periodic is not set, interval 0
> 
> 
> Packetfence radsniff:
> 2020-10-18 11:00:32.445522 (5) Accounting-Request Id 158
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +23.614
> User-Name = "b8:27:eb:3f:01:c8"
> NAS-IP-Address = 10.0.20.253
> NAS-Port = 50102
> Service-Type = Framed-User
> Framed-IP-Address = 169.254.118.80
> Called-Station-Id = "3C-0E-23-5A-3E-02"
> Calling-Station-Id = "B8-27-EB-3F-01-C8"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Start
> Acct-Delay-Time = 0
> Acct-Session-Id = "00000050"
> Acct-Authentic = RADIUS
> NAS-Port-Id = "GigabitEthernet1/0/2"
> PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
> Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
> Cisco-AVPair = "connect-progress=Call Up"
> Authenticator-Field = 0x603bc2274431edd546dc9c758d86191f
> 2020-10-18 11:00:37.497158 (6) Accounting-Request Id 159
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +28.665
> User-Name = "b8:27:eb:3f:01:c8"
> NAS-IP-Address = 10.0.20.253
> NAS-Port = 50102
> Service-Type = Framed-User
> Framed-IP-Address = 169.254.118.80
> Called-Station-Id = "3C-0E-23-5A-3E-02"
> Calling-Station-Id = "B8-27-EB-3F-01-C8"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Start
> Acct-Delay-Time = 5
> Acct-Session-Id = "00000050"
> Acct-Authentic = RADIUS
> NAS-Port-Id = "GigabitEthernet1/0/2"
> PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
> Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
> Cisco-AVPair = "connect-progress=Call Up"
> Authenticator-Field = 0xfb92fbb9cc7ef65439c9c4e49d8283c6
> 2020-10-18 11:00:37.645522 (5) ** norsp ** Accounting-Request Id 158
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813
> 2020-10-18 11:00:37.645522 (5) Cleaning up request packet ID 158
> 2020-10-18 11:00:42.551582 (7) Accounting-Request Id 160
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +33.720
> User-Name = "b8:27:eb:3f:01:c8"
> NAS-IP-Address = 10.0.20.253
> NAS-Port = 50102
> Service-Type = Framed-User
> Framed-IP-Address = 169.254.118.80
> Called-Station-Id = "3C-0E-23-5A-3E-02"
> Calling-Station-Id = "B8-27-EB-3F-01-C8"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Start
> Acct-Delay-Time = 10
> Acct-Session-Id = "00000050"
> Acct-Authentic = RADIUS
> NAS-Port-Id = "GigabitEthernet1/0/2"
> PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
> Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
> Cisco-AVPair = "connect-progress=Call Up"
> Authenticator-Field = 0x42233d99f083a7639d3684208165238f
> 2020-10-18 11:00:42.697158 (6) ** norsp ** Accounting-Request Id 159
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813
> 2020-10-18 11:00:42.697158 (6) Cleaning up request packet ID 159
> 2020-10-18 11:00:43.911491 (8) Accounting-Request Id 161
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +35.080
> User-Name = "b8:27:eb:3f:01:c8"
> NAS-IP-Address = 10.0.20.253
> NAS-Port = 50102
> Service-Type = Framed-User
> Framed-IP-Address = 10.0.40.61
> Called-Station-Id = "3C-0E-23-5A-3E-02"
> Calling-Station-Id = "B8-27-EB-3F-01-C8"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Interim-Update
> Acct-Delay-Time = 0
> Acct-Input-Octets = 2857
> Acct-Output-Octets = 9508
> Acct-Session-Id = "00000050"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 12
> Acct-Input-Packets = 17
> Acct-Output-Packets = 35
> NAS-Port-Id = "GigabitEthernet1/0/2"
> PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
> Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
> Cisco-AVPair = "connect-progress=Call Up"
> Authenticator-Field = 0x2dbd87095bebf4a1b6ee64255131b410
> 2020-10-18 11:00:43.912010 (9) Accounting-Request Id 162
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +35.080
> User-Name = "b8:27:eb:3f:01:c8"
> NAS-IP-Address = 10.0.20.253
> NAS-Port = 50102
> Service-Type = Framed-User
> Framed-IP-Address = 10.0.40.61
> Called-Station-Id = "3C-0E-23-5A-3E-02"
> Calling-Station-Id = "B8-27-EB-3F-01-C8"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Interim-Update
> Acct-Delay-Time = 0
> Acct-Input-Octets = 2857
> Acct-Output-Octets = 9508
> Acct-Session-Id = "00000050"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 12
> Acct-Input-Packets = 17
> Acct-Output-Packets = 35
> NAS-Port-Id = "GigabitEthernet1/0/2"
> PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
> Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
> Cisco-AVPair = "connect-progress=Call Up"
> Authenticator-Field = 0xb0a63e46552c8152ef507257f9e10b72
> 2020-10-18 11:00:47.595411 (10) Accounting-Request Id 163
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +38.763
> User-Name = "b8:27:eb:3f:01:c8"
> NAS-IP-Address = 10.0.20.253
> NAS-Port = 50102
> Service-Type = Framed-User
> Framed-IP-Address = 169.254.118.80
> Called-Station-Id = "3C-0E-23-5A-3E-02"
> Calling-Station-Id = "B8-27-EB-3F-01-C8"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Start
> Acct-Delay-Time = 15
> Acct-Session-Id = "00000050"
> Acct-Authentic = RADIUS
> NAS-Port-Id = "GigabitEthernet1/0/2"
> PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
> Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
> Cisco-AVPair = "connect-progress=Call Up"
> Authenticator-Field = 0xdc631f70c7df87de580a8d5c38561393
> 2020-10-18 11:00:47.751582 (7) ** norsp ** Accounting-Request Id 160
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813
> 2020-10-18 11:00:47.751582 (7) Cleaning up request packet ID 160
> 
> On Fri, Oct 16, 2020 at 14:30, Ludovic Zammit <lzammit@inverse.ca> wrote:
> 
> 
> Hello Kenny,
> 
> PacketFence is looking for the Accounting start / stop packets for the online/offline status.
> 
> It looks like the device does not send the Acct-Status-Type: Start or Stop.
> 
> Thanks,
> 
> 
> Ludovic Zammit
> lzammit@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> On Oct 15, 2020, at 5:52 AM, Kenny Wallrath via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hi everyone,
> 
> I am currently trying to get the online/offline state working. It
> seems that the state is working if requests are coming from wireless
> access points (my device gets registered when online and unregistered
> when offline).
> But if I try the same with my Cisco 2960S switches, the nodes remain "unknown".
> 
> From what I understood, pfacct supersedes radiusd-acct. The pfacct
> service is running and there is no firewall in between. The switch is
> configured to send accounting to PF on port 1813.
> My switch debug tells me that there is no response from the server, which
> I can also verify on the PF side. A tcpdump shows that Radius Accounting
> Requests arrive at the PF but no response is being generated.
> If I check the pfacct.log it is empty... I pasted a radsniff on port
> 1813 below...
> 
> Interestingly, if I disable pfacct and enable radiusd-acct, an
> Accounting-Reply is generated to the switch but the online/offline
> state remains unknown.
> 
> 2020-10-15 11:42:21.448660 (5) Accounting-Request Id 49
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +10.924
> User-Name = "b8:27:eb:3f:01:c8"
> NAS-IP-Address = 10.0.20.253
> NAS-Port = 50102
> Service-Type = Framed-User
> Framed-IP-Address = 10.0.40.61
> Called-Station-Id = "3C-0E-23-5A-3E-02"
> Calling-Station-Id = "B8-27-EB-3F-01-C8"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Interim-Update
> Acct-Delay-Time = 10
> Acct-Input-Octets = 15178
> Acct-Output-Octets = 1620296
> Acct-Session-Id = "0000004B"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 6229
> Acct-Input-Packets = 225
> Acct-Output-Packets = 9530
> NAS-Port-Id = "GigabitEthernet1/0/2"
> PMIP6-Home-HN-Prefix = 3831:3437:4232::/57
> Cisco-AVPair = "audit-session-id=0A0014FD0000002AC57E41EC"
> Cisco-AVPair = "connect-progress=Auth Open"
> Authenticator-Field = 0xe184ba9b392f14f26741c4f7c64c815a
> 2020-10-15 11:42:21.214706 (4) ** norsp ** Accounting-Request Id 48
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813
> 2020-10-15 11:42:21.214706 (4) Cleaning up request packet ID 48
> 2020-10-15 11:42:26.606010 (6) Accounting-Request Id 50
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +15.940
> User-Name = "b8:27:eb:3f:01:c8"
> NAS-IP-Address = 10.0.20.253
> NAS-Port = 50102
> Service-Type = Framed-User
> Framed-IP-Address = 10.0.40.61
> Called-Station-Id = "3C-0E-23-5A-3E-02"
> Calling-Station-Id = "B8-27-EB-3F-01-C8"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Interim-Update
> Acct-Delay-Time = 15
> Acct-Input-Octets = 15178
> Acct-Output-Octets = 1620296
> Acct-Session-Id = "0000004B"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 6229
> Acct-Input-Packets = 225
> Acct-Output-Packets = 9530
> NAS-Port-Id = "GigabitEthernet1/0/2"
> PMIP6-Home-HN-Prefix = 3831:3437:4232::/57
> Cisco-AVPair = "audit-session-id=0A0014FD0000002AC57E41EC"
> Cisco-AVPair = "connect-progress=Auth Open"
> Authenticator-Field = 0xe77e42cc33f62dcd1164461139b59e6d
> 2020-10-15 11:42:26.244866 (5) ** norsp ** Accounting-Request Id 49
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813
> 2020-10-15 11:42:26.244866 (5) Cleaning up request packet ID 49
> 2020-10-15 11:42:31.260601 (6) ** norsp ** Accounting-Request Id 50
> eth1:10.0.20.253:1646 -> 10.0.20.14:1813
> 2020-10-15 11:42:31.260601 (6) Cleaning up request packet ID 50
> 
> 
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
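
The listener comparison done by hand in this thread with `netstat -nlp | grep 1813` and `grep 1812`, as an added shell example that is not part of the original messages or of PacketFence's own tooling. The function names are hypothetical and the sample lines are constructed from the netstat output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): function names are hypothetical.

# Constructed sample: the listeners quoted in the thread before pfacct was
# restarted, with the PID/program column joined back onto each line.
sample_netstat() {
cat <<'EOF'
udp        0      0 127.0.0.1:18121         0.0.0.0:*      2651/radiusd
udp        0      0 10.0.21.20:1812         0.0.0.0:*      2651/radiusd
udp        0      0 10.0.20.14:1812         0.0.0.0:*      2651/radiusd
udp        0      0 10.0.21.20:1813         0.0.0.0:*      1660/pfacct
EOF
}

# Reads `netstat -nlp` output on stdin and prints every local IP that
# listens on udp/1812 (authentication) but not on udp/1813 (accounting).
# Ports are compared exactly, so 18121 is not mistaken for 1812 the way
# a plain `grep 1812` matches it.
missing_acct_listeners() {
    awk '
        $1 ~ /^udp/ {
            n = split($4, part, ":")        # column 4 is the local address
            port = part[n]
            ip = substr($4, 1, length($4) - length(port) - 1)
            if (port == "1812") auth[ip] = 1
            if (port == "1813") acct[ip] = 1
        }
        END {
            # A wildcard accounting listener covers every local address.
            if (("0.0.0.0" in acct) || ("::" in acct)) exit 0
            for (ip in auth) if (!(ip in acct)) print ip
        }
    ' | sort
}

# Prints "address:port recv-q" for udp/1813 sockets whose Recv-Q (column 2)
# is non-zero: datagrams have arrived but the daemon has not read them.
backlogged_acct_listeners() {
    awk '$1 ~ /^udp/ && $4 ~ /:1813$/ && $2 + 0 > 0 { print $4, $2 }'
}

sample_netstat | missing_acct_listeners    # prints 10.0.20.14
```

On a live host the same check is `netstat -nlp | missing_acct_listeners`; running it again after a port bounce shows whether the accounting listener is still there.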