inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

reevaluate access doesn't work #7344

Closed nqb closed 2 years ago

nqb commented 2 years ago

Describe the bug If you try to reevaluate access from the web admin (button) or through the captive portal, it fails.

To Reproduce Steps to reproduce the behavior:

Logs in packetfence.log:

Nov  7 10:09:17 pfel8dev pfperl-api-docker-wrapper[2076]: pfperl-api(12) INFO: [mac:[undef]] re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
Nov  7 10:09:17 pfel8dev pfperl-api-docker-wrapper[2076]: pfperl-api(12) INFO: [mac:[undef]] Instantiate profile catch_wired_mac_authentication (pf::Connection::ProfileFactory::_from_profile)
Nov  7 10:09:17 pfel8dev pfperl-api-docker-wrapper[2076]: pfperl-api(12) INFO: [mac:[undef]] VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Nov  7 10:09:17 pfel8dev pfqueue[13365]: pfqueue(13365) ERROR: [mac:00:03:00:11:11:01] WARNING ! Unknown switch(es) cumulus_switch_group (pf::SwitchFactory::instantiate)
Nov  7 10:09:17 pfel8dev pfqueue[13365]: pfqueue(13365) ERROR: [mac:00:03:00:11:11:01] switch cumulus_switch_group not found for ReAssignVlan (pf::api::ReAssignVlan)

Expected behavior Access is reevaluated

Additional context

Actual: switch cumulus_switch_group not found for ReAssignVlan
Expected: switch 172.18.200.201 not found for ReAssignVlan

nqb commented 2 years ago

This is what I see in packetfence.log after I received a RADIUS request:

Nov  7 13:17:52 pfel8dev httpd.aaa-docker-wrapper[3603]: httpd.aaa(9) INFO: [mac:00:03:00:11:11:01] Username was defined "000300111101" - returning role 'guest' (pf::role::getRegisteredRole)
[..]
Nov  7 13:17:52 pfel8dev httpd.aaa-docker-wrapper[3603]: httpd.aaa(9) WARN: [mac:00:03:00:11:11:01] Warning: 1265: Data truncated for column 'switch' at row 1 (pf::dal::db_execute)
Nov  7 13:17:52 pfel8dev httpd.aaa-docker-wrapper[3603]: httpd.aaa(9) WARN: [mac:00:03:00:11:11:01] Warning: 1265: Data truncated for column 'switch' at row 1 (pf::dal::db_execute)
Nov  7 13:17:52 pfel8dev httpd.aaa-docker-wrapper[3603]: httpd.aaa(9) INFO: [mac:00:03:00:11:11:01] (cumulus_switch_group) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::Template::returnRadiusAccessAccept)

I wonder if this is not the root cause.

julsemaan commented 2 years ago

Access reevaluation has regressed for me too on the latest builds.

This is my error:

Nov 07 17:22:26 tests-v12-ga-1 pfqueue[3258684]: pfqueue(3258684) INFO: [mac:20:f4:78:1b:8a:96] [20:f4:78:1b:8a:96] DesAssociating mac on switch (192.168.3.0/24) (pf::api::desAssociate)
Nov 07 17:22:26 tests-v12-ga-1 pfqueue[3258684]: pfqueue(3258684) INFO: [mac:20:f4:78:1b:8a:96] deauthenticating (pf::Switch::Meraki::MR_v2::radiusDisconnect)
Nov 07 17:22:26 tests-v12-ga-1 pfqueue[3258684]: pfqueue(3258684) WARN: [mac:20:f4:78:1b:8a:96] Unable to perform RADIUS CoA-Request on (192.168.3.0/24): must specify key and code at /usr/local/pf/lib/pf/Switch.pm line 3208. (pf::Switch::Meraki::MR_v2::catch {...} )

Looks like the $send_disconnect_to is undef. I checked my locationlog and it seems OK to me but maybe I'm missing something. Here it is:

MariaDB [pf]> select * from locationlog;
+-------------------+----------------+------+------+--------------+-----------------------+---------------------+----------------+----------------------+---------------------+---------------------+--------------+---------------+-------------------+--------------------+-------+------------+--------+------+
| mac               | switch         | port | vlan | role         | connection_type       | connection_sub_type | dot1x_username | ssid                 | start_time          | end_time            | switch_ip    | switch_ip_int | switch_mac        | stripped_user_name | realm | session_id | ifDesc | voip |
+-------------------+----------------+------+------+--------------+-----------------------+---------------------+----------------+----------------------+---------------------+---------------------+--------------+---------------+-------------------+--------------------+-------+------------+--------+------+
| 20:f4:78:1b:8a:96 | 192.168.3.0/24 | 0    | 0    | registration | Wireless-802.11-NoEAP | NULL                | 20f4781b8a96   | Boulette-PFCONNECTOR | 2022-11-07 17:05:12 | 0000-00-00 00:00:00 | 192.168.3.12 |    3232236300 | 8a:15:04:4e:0e:04 | 20f4781b8a96       | null  | e6d467     | NULL   | no   |
+-------------------+----------------+------+------+--------------+-----------------------+---------------------+----------------+----------------------+---------------------+---------------------+--------------+---------------+-------------------+--------------------+-------+------------+--------+------+
1 row in set (0.000 sec)

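Both reports above point at the same thing: the value PacketFence keeps in locationlog.switch is not a bare switch IP (a switch group name in nqb's case, a CIDR network in julsemaan's), so the later ReAssignVlan / CoA path cannot instantiate a usable switch object. The following is an added example, not code from the PacketFence project, that turns those symptoms into a check a practitioner can run: it scans packetfence.log lines for the four error signatures seen in this thread and flags open locationlog rows whose `switch` column is not a plain IP address. The sample log lines and locationlog rows are constructed from the excerpts quoted in this thread; the rule that `switch` must be a bare IP for reevaluation to work is an assumption drawn from nqb's expected message and julsemaan's `_ip => undef` observation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the packetfence.log excerpts quoted in this issue.
SAMPLE_LOG = """\
Nov  7 10:09:17 pfel8dev pfqueue[13365]: pfqueue(13365) ERROR: [mac:00:03:00:11:11:01] WARNING ! Unknown switch(es) cumulus_switch_group (pf::SwitchFactory::instantiate)
Nov  7 10:09:17 pfel8dev pfqueue[13365]: pfqueue(13365) ERROR: [mac:00:03:00:11:11:01] switch cumulus_switch_group not found for ReAssignVlan (pf::api::ReAssignVlan)
Nov  7 13:17:52 pfel8dev httpd.aaa-docker-wrapper[3603]: httpd.aaa(9) WARN: [mac:00:03:00:11:11:01] Warning: 1265: Data truncated for column 'switch' at row 1 (pf::dal::db_execute)
Nov 07 17:22:26 tests-v12-ga-1 pfqueue[3258684]: pfqueue(3258684) WARN: [mac:20:f4:78:1b:8a:96] Unable to perform RADIUS CoA-Request on (192.168.3.0/24): must specify key and code at /usr/local/pf/lib/pf/Switch.pm line 3208. (pf::Switch::Meraki::MR_v2::catch {...} )
Nov  7 13:17:52 pfel8dev httpd.aaa-docker-wrapper[3603]: httpd.aaa(9) INFO: [mac:00:03:00:11:11:01] (cumulus_switch_group) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::Template::returnRadiusAccessAccept)
"""

# Constructed locationlog rows: julsemaan's row from this thread plus a healthy one for contrast.
NO_END = "0000-00-00 00:00:00"
SAMPLE_ROWS = [
    {"mac": "20:f4:78:1b:8a:96", "switch": "192.168.3.0/24", "switch_ip": "192.168.3.12", "end_time": NO_END},
    {"mac": "00:03:00:11:11:01", "switch": "172.18.200.201", "switch_ip": "172.18.200.201", "end_time": NO_END},
    {"mac": "aa:bb:cc:dd:ee:ff", "switch": "old_group", "switch_ip": "10.0.0.1", "end_time": "2022-11-01 09:00:00"},
]

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")

# Each symptom seen in the thread; the capture group (where present) is the offending switch value.
PATTERNS = {
    "unknown_switch": re.compile(r"Unknown switch\(es\) (\S+)"),
    "reassign_vlan_switch_missing": re.compile(r"switch (\S+) not found for ReAssignVlan"),
    "switch_column_truncated": re.compile(r"Data truncated for column 'switch'"),
    "coa_no_switch_ip": re.compile(r"Unable to perform RADIUS CoA-Request on \(([^)]*)\)"),
}


@dataclass
class Finding:
    mac: Optional[str]
    symptom: str
    switch: Optional[str]


def classify_switch_value(value: str) -> str:
    """Return 'ip' for a bare address, 'network' for a CIDR, 'name' for anything else."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=False)
        return "network"
    except ValueError:
        return "name"


def scan_log(text: str) -> List[Finding]:
    """Match each log line against the known reevaluation failure signatures."""
    findings = []
    for line in text.splitlines():
        for symptom, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            mac_m = MAC_RE.search(line)  # lines tagged [mac:[undef]] yield None
            switch = m.group(1) if pat.groups else None
            findings.append(Finding(mac_m.group(1) if mac_m else None, symptom, switch))
    return findings


def check_locationlog(rows) -> list:
    """Flag open sessions (end_time still zero) whose `switch` is not a bare IP (assumed requirement)."""
    bad = []
    for row in rows:
        if row["end_time"] != NO_END:
            continue
        kind = classify_switch_value(row["switch"])
        if kind != "ip":
            bad.append((row["mac"], row["switch"], kind, row["switch_ip"]))
    return bad


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.mac or '[undef]'}  {f.symptom:<30} {f.switch or ''}")
    for mac, switch, kind, switch_ip in check_locationlog(SAMPLE_ROWS):
        print(f"open locationlog row for {mac}: switch={switch!r} is a {kind}, switch_ip={switch_ip}")
```

Against a real deployment the `SAMPLE_ROWS` list would be replaced by the output of `SELECT mac, switch, switch_ip, end_time FROM locationlog WHERE end_time = '0000-00-00 00:00:00'`; the `switch_ip` column is carried along because, as julsemaan's row shows, it can still hold the correct address even when `switch` does not, which is what a manual fix-up would restore.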
julsemaan commented 2 years ago

I don't see much that has changed since last week when it was working. Only this here: 848ae194fa01f9dfef9c0e36d53fed24a74b411c

Not sure how it impacts that but maybe @jrouzierinverse will see something I don't

julsemaan commented 2 years ago

I dumped the switch object and it looks like _ip is undef in it:

'_ip' => undef,

jrouzierinverse commented 2 years ago

This should be fixed by 8a3dbaa93e7295aea5806319d0fd148511e294de please retest

julsemaan commented 2 years ago

@nqb, please take a final look at this and close

nqb commented 2 years ago

Works as expected.