Discussion:
[PacketFence-users] Issue with deauthenticating clients via RADIUS on WISM2
Fletcher Haynes
2013-09-16 15:38:49 UTC
Hi everyone,

Since the transition to 4.0.6, I am seeing an issue where deauthenticating
a client is not removing them from our Cisco WISM2. So, after someone
registers via the captive portal, they are disconnected, but the WISM2
is not immediately removing their session. The result is that the user is
put back on the registration VLAN, because the WISM never asks PF for their
VLAN unless the client changes SSIDs or stayed disconnected for 5-10
minutes.

I have a case open with Cisco, but since this was working fine with 4.0.5,
I was wondering if there were any changes in 4.0.6 with how RADIUS deauth
works? Or has anyone encountered this issue? I plan to try SNMP
deauthentication to see if that makes a difference...


Thanks!
--
Fletcher Haynes <***@willamette.edu>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
Ludovic Marcotte
2013-09-16 18:39:52 UTC
Post by Fletcher Haynes
Since the transition to 4.0.6, I am seeing an issue where
deauthenticating a client is not removing them from our Cisco WISM2.
So, after someone registers via the captive portal, they are
disconnected, but the WISM2 is not immediately removing their session.
Which version of the Cisco IOS are you using? 7.4.110.0 is buggy and if
you're using this version, you'll need to have a fix from Cisco.
--
Ludovic Marcotte
***@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
Fletcher Haynes
2013-09-16 18:43:15 UTC
Yup! That is the exact version I have. Could you give me a link to the bug
or more details so I can give specifics to Cisco?
--
Fletcher Haynes <***@willamette.edu>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
Ludovic Marcotte
2013-09-16 18:46:07 UTC
Post by Fletcher Haynes
Yup! That is the exact version I have. Could you give me a link to the
bug or more details so I can give specifics to Cisco?
Look for CHG0031277 and you would need 7.4.110.2 which is unreleased AFAIK.
--
Ludovic Marcotte
***@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
Fletcher Haynes
2013-09-16 18:56:53 UTC
Hrm, I can't seem to find it in the Cisco bug toolkit, which I suppose
might be the case if they haven't released the bug yet. Do you happen to
have the text of that bug available?
--
Fletcher Haynes <***@willamette.edu>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
Ludovic Marcotte
2013-09-16 19:03:38 UTC
Post by Fletcher Haynes
Hrm, I can't seem to find it in the Cisco bug toolkit, which I suppose
might be the case if they haven't released the bug yet. Do you happen
to have the text of that bug available?
No.
--
Ludovic Marcotte
***@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
Derek Wuelfrath
2013-09-19 14:24:32 UTC
Hrm, I can't seem to find it in the Cisco bug toolkit, which I suppose might be the case if they haven't released the bug yet. Do you happen to have the text of that bug available?
Refer to them with something like:
Users are trapped in the registration vlan after quickly disassociating and then re-associating.

Cheers!
dw.

--
Derek Wuelfrath
***@inverse.ca :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Fletcher Haynes
2013-09-19 15:12:41 UTC
TAC is trying to get us a build with the relevant bugfix from their
development group...hopefully they will soon. In the interim, I wrote an
ugly hack that manually purges the cached info after someone registers.
--
Fletcher Haynes <***@willamette.edu>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
Fletcher Haynes
2013-09-23 19:34:39 UTC
This is very strange. I was doing more investigation into this and turned
DEBUG logging on in log.conf. I then applied the patch to fix the service
restarting problems (in services.pm), restarted the services, and now
everything is working. Prior to the restart, PF was not sending CoA
requests on port 3799 according to tcpdump, but after the service restart,
I now see the CoA requests.

So maybe it was something weird with PF as opposed to a bug in Cisco? I am
very confused at this point.
--
Fletcher Haynes <***@willamette.edu>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
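
Added example, not part of the thread or of PacketFence's code: the last message turns on whether Disconnect/CoA requests appear on UDP port 3799 in tcpdump. Given the UDP payloads from such a capture, the Python below parses the RFC 5176 packets, verifies their authenticators against the shared secret, and pairs each request with its ACK/NAK so a missing or rejected deauth shows up per client MAC. The function names, secret and MAC addresses are constructed for illustration.

```python
import hashlib, hmac, struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
CALLING_STATION_ID, ERROR_CAUSE = 31, 101   # RFC 2865 / RFC 5176 attribute types

def build(code, ident, attrs, secret, request_auth=bytes(16)):
    """Build a constructed test packet; requests are signed over 16 zero octets."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def parse(pkt):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    if len(pkt) < 20 or not 20 <= int.from_bytes(pkt[2:4], "big") <= len(pkt):
        raise ValueError("bad RADIUS length")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def auth_ok(pkt, secret, request_auth=bytes(16)):
    """Recompute MD5(code+id+length + request_auth + attributes + secret)."""
    length = int.from_bytes(pkt[2:4], "big")
    want = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(want, pkt[4:20])

def audit(payloads, secret):
    """Pair requests with replies by Identifier: (mac, result, cause, auth valid)."""
    pending, rows = {}, []
    for pkt in payloads:
        code, ident, auth, attrs = parse(pkt)
        if code in (40, 43):
            mac = attrs.get(CALLING_STATION_ID, b"?").decode("ascii", "replace")
            pending[ident] = (auth, mac, auth_ok(pkt, secret))
        elif code in (41, 42, 44, 45) and ident in pending:
            req_auth, mac, req_ok = pending.pop(ident)
            cause = int.from_bytes(attrs.get(ERROR_CAUSE, b""), "big") or None
            ok = req_ok and auth_ok(pkt, secret, req_auth)
            rows.append((mac, CODES[code], cause, ok))
    return rows + [(m, "no reply", None, ok) for _, m, ok in pending.values()]

SECRET = b"constructed-secret"   # constructed sample data, not from the thread
REQ = build(40, 7, [(31, b"00-11-22-33-44-55")], SECRET)
NAK = build(42, 7, [(101, (503).to_bytes(4, "big"))], SECRET, REQ[4:20])
LOST = build(40, 8, [(31, b"66-77-88-99-aa-bb")], SECRET)
```

An empty result from `audit()` over a capture taken right after a registration means no request left the server at all, which is a different failure from a Disconnect-NAK or an unanswered request from the controller.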