inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure networks ranging from small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

PF9.0.0 - Standalone - Code in Switch/Cisco/Catalyst_2960.pm does not initialise COA port settings in call to perform_dynauth() so default value 3799 is imposed #4723

Open · apkt opened this issue 5 years ago

apkt commented 5 years ago

```perl
sub perform_dynauth {
    my ($connection_info, $radius_code, $attributes, $vsa) = @_;

    # setting up defaults
    $connection_info->{'nas_port'} ||= $default_port;
    $connection_info->{'timeout'} ||= $default_timeout;
```

The routine is called by perform_coa:

```perl
sub perform_coa {
    my ($connection_info, $attributes, $vsa) = @_;

    return perform_dynauth($connection_info, 'CoA-Request', $attributes, $vsa);
}
```

The code in perform_dynauth overrides any NAS_PORT value stored in the $connection_info variable and consequently from the settings in the SWITCH/SWITCHGROUP config pages.

The code imposes 3799 for CoA and consequently requires specific overrides on switches - Not clever.

Please fix or REMOVE the CoA port option from the SWITCH/SWITCHGROUP config pages.

apkt commented 5 years ago

The code in Switch/Cisco/Catalyst_2960.pm seems to be missing a line in radiusdisconnect():

```perl
    my $connection_info = {
        nas_ip => $send_disconnect_to,
        nas_port => $self->{'_disconnectPort'},     # <---- Added this and it now works as it should
        secret => $self->{'_radiusSecret'},
        LocalAddr => $self->deauth_source_ip($send_disconnect_to),
    };
```
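As an added illustration (not code from this issue or from PacketFence), the following stand-alone Perl script reproduces the defaulting step of perform_dynauth and contrasts a caller that omits nas_port (as the original Catalyst_2960.pm did) with one that passes the switch's configured disconnect port. The switch hash, the port 1700 and the default timeout are constructed values for this demonstration.

```perl
#!/usr/bin/perl
# Added illustration, not PacketFence code: why a caller that omits nas_port
# silently gets the 3799 default, and how passing the configured port fixes it.
use strict;
use warnings;

my $default_port    = 3799;   # RFC 5176 dynamic-authorization default port
my $default_timeout = 5;      # constructed value for this illustration

# Mirrors the defaulting step in perform_dynauth(): '||=' assigns only when
# the key is missing, undef, 0 or ''. It never overrides a port that is set,
# so a wrong port here means the caller did not supply one.
sub resolve_dynauth_port {
    my ($connection_info) = @_;
    $connection_info->{'nas_port'} ||= $default_port;
    $connection_info->{'timeout'}  ||= $default_timeout;
    return $connection_info->{'nas_port'};
}

# Constructed stand-in for a switch object whose CoA/Disconnect port was set
# in the SWITCH/SWITCHGROUP config (1700 is Cisco IOS's dynamic-author default).
my $switch = { _disconnectPort => 1700, _radiusSecret => 'constructed-secret' };
my $nas_ip = '192.0.2.10';   # documentation address, constructed

# Caller as in the original radiusDisconnect(): nas_port never set, so the
# Disconnect-Request would be sent to 3799 and the switch would ignore it.
my $before = { nas_ip => $nas_ip, secret => $switch->{_radiusSecret} };
my $port_before = resolve_dynauth_port($before);
die "expected the 3799 default" unless $port_before == $default_port;

# Caller with the line the reporter added: the configured port is honoured.
my $after = {
    nas_ip   => $nas_ip,
    nas_port => $switch->{_disconnectPort},
    secret   => $switch->{_radiusSecret},
};
my $port_after = resolve_dynauth_port($after);
die "expected the configured port" unless $port_after == $switch->{_disconnectPort};

printf "without nas_port: %d (default)\n", $port_before;
printf "with nas_port:    %d (from switch config)\n", $port_after;
```

A quick operational check for the same failure mode is to capture UDP traffic from the PacketFence host toward the switch during a disconnect test: CoA or Disconnect-Request packets leaving on 3799 while the switch listens on another port indicate the caller is not passing the configured port.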