Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS reassignment fails with Packetfence

  • 1.  RADIUS reassignment fails with Packetfence

    Posted Jul 15, 2019 08:01 AM

    Hi guys,

     

    we are running an Aruba Instant 6.5.4.3 virtual controller with some Access Points (305 series).

    We want to integrate an external RADIUS server (Packetfence v9) for guest authentication.

     

    The configuration of Packetfence works, the server accepts the RADIUS request from the test client and forces a VLAN reassignment (registration VLAN --> guest VLAN).

     

    But the next step fails with the error message "Error-Cause = Session-Context-Not-Found" or

    "Error handling desAssociate : Undefined subroutine &pf::Switch::Aruba::Instant_Access::perform_disconnect called at /usr/local/pf/lib/pf/Switch/Aruba/Instant_Access.pm line 85.".

    You can find a log file as an attachment.

     

    I read that Aruba controllers/access points need specific RADIUS attributes, which Packetfence can't deliver with standard settings.

     

    How can I configure the Aruba Controller/Packetfence so that the RADIUS reply of Packetfence will be accepted?

     

    Thank you in advance!

    Attachment(s): packetfence.txt (2 KB)
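
The Error-Cause quoted in the first post is an RFC 5176 value (503) that a NAS returns in a Disconnect-NAK or CoA-NAK when it cannot match the request to a session. The following is an added example, not code from the thread, PacketFence or Aruba: it parses a request/reply pair and reports the Error-Cause next to the identification attributes the request carried. The packet bytes, IP address and MAC address are constructed samples, and `parse`, `diagnose` and `build` are hypothetical helper names.

```python
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# Subset of the attributes RFC 5176 section 3 lists for identifying NAS and session.
NAS_ID = {4: "NAS-IP-Address", 32: "NAS-Identifier"}
SESSION_ID = {1: "User-Name", 5: "NAS-Port", 8: "Framed-IP-Address",
              30: "Called-Station-Id", 31: "Calling-Station-Id",
              44: "Acct-Session-Id", 87: "NAS-Port-Id"}
ERROR_CAUSE = 101  # attribute type; value is a 4-byte integer
CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
          403: "NAS-Identification-Mismatch", 503: "Session-Context-Not-Found"}

def parse(packet):
    """Split a RADIUS packet into (code, identifier, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def diagnose(request, reply):
    """Pair a Disconnect/CoA request with its reply and name the Error-Cause."""
    rcode, rid, rattrs = parse(request)
    pcode, pid, pattrs = parse(reply)
    if rid != pid:
        raise ValueError("reply Identifier does not match the request")
    cause = next((struct.unpack("!I", v)[0] for t, v in pattrs
                  if t == ERROR_CAUSE and len(v) == 4), None)
    return {"request": CODES.get(rcode, rcode), "reply": CODES.get(pcode, pcode),
            "error_cause": CAUSES.get(cause, cause),
            "nas_keys": [NAS_ID[t] for t, _ in rattrs if t in NAS_ID],
            "session_keys": [SESSION_ID[t] for t, _ in rattrs if t in SESSION_ID]}

def build(code, ident, attrs):
    """Constructed sample packet; the all-zero authenticator is a placeholder."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body
REQ = build(40, 7, [(4, bytes([192, 0, 2, 10])), (31, b"AA-BB-CC-DD-EE-FF")])
NAK = build(42, 7, [(ERROR_CAUSE, struct.pack("!I", 503))])
print(diagnose(REQ, NAK))
```

Feeding it the request and reply bytes from a packet capture shows which session keys the RADIUS server sent, which can then be compared with what the NAS holds for that client.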


  • 2.  RE: RADIUS reassignment fails with Packetfence
    Best Answer

    EMPLOYEE
    Posted Jul 16, 2019 03:04 AM

    I'm not familiar with Packetfence, but reading the error message it seems to me that it does not have the code programmed (yet) to issue a CoA to an Aruba Instant. You may try configuring your Instant AP as a controller and see if CoA works for a controller. If that doesn't work, you probably will need to request support in Packetfence.

     

    By the way, switching VLANs is a very poor way to implement guest, and switching VLANs on a live connection is asking for trouble in general as clients mostly won't see that they need to get a new IP address after the switch. With Aruba, you have user roles, which can change firewall rules to open after authentication while keeping the AP in the same VLAN, which I would use instead. 



  • 3.  RE: RADIUS reassignment fails with Packetfence

    Posted Jul 23, 2019 01:43 AM

    Hi,

     

    You are right, there was a part of the code missing in Packetfence. I updated the program code, and now it's working fine.

    Thank you very much for your reply!



  • 4.  RE: RADIUS reassignment fails with Packetfence

    Posted Jul 29, 2020 09:12 AM

    Hi Jona,

     

    We are very interested in implementing a similar (if not identical) setup to what you have done.  We are running instant (100 AP-515) and would like to implement PacketFence.  Would you be willing to share the modifications you needed to make?  Did you end up implementing using Aruba roles (vs. VLAN change)?

     

    Thank you!



  • 5.  RE: RADIUS reassignment fails with Packetfence

    Posted Sep 21, 2023 06:59 AM

    Hi,

    OSPimenta | Operating System Pimenta

    The above article is a good one for the Aruba VC with PacketFence configuration.