inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

PacketFence does not send framed ip address attribute for FortiGate in disconnect request #7415

Closed heiko-ma closed 7 months ago

heiko-ma commented 1 year ago

Describe the bug When sending a RADIUS disconnect request for a client authenticated via captive portal to a FortiGate device, the FortiGate answers with a Disconnect-NAK; the error message is as below:

Error-Cause = Session-Context-Not-Found " Event-Timestamp = 1670438933 " Code = Disconnect-NAK

This is because PacketFence does not send the framed ip address attribute in the request, but Fortinet requires it.

To Reproduce Steps to reproduce the behavior:

  1. Select a node which is currently authenticated via captive-portal
  2. Reevaluate the access
  3. Review the audit log
  4. See the error

Screenshots: (image attached to the issue, not reproduced here)

Expected behavior PacketFence receives a Disconnect-ACK

Additional context I fixed this issue locally by editing /usr/local/pf/lib/pf/Switch/Fortinet/FortiGate.pm:

#start of file with imports (ip4log must be included)
...
use pf::ip4log qw(mac2ip);
...

sub deauthenticateMacDefault {
    my ( $self, $mac, $is_dot1x ) = @_;
    my $logger = $self->logger;

    if ( !$self->isProductionMode() ) {
        $logger->info("not in production mode... we won't perform deauthentication");
        return 1;
    }

    #Fetching the acct-session-id
    my $dynauth = node_accounting_dynauth_attr($mac);

    ##This is new
    #Fetching the ip address
    my $ipAddress = pf::ip4log::mac2ip($mac);

    $logger->debug("deauthenticate $mac using RADIUS Disconnect-Request deauth method");
    ##This was changed
    return $self->radiusDisconnect(
        $mac,
        {
            'Acct-Session-Id'   => $dynauth->{'acctsessionid'},
            'User-Name'         => $dynauth->{'username'},
            'Framed-IP-Address' => $ipAddress,
        },
    );
}

This probably needs some polishing and also support for IPv6, but I guess it's a start.
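As an added, constructed illustration of the exchange this report describes (not PacketFence, FreeRADIUS or Fortinet code), the following Python builds a RADIUS Disconnect-Request per RFC 5176 both with and without the Framed-IP-Address attribute, checks which attributes are actually on the wire, and decodes a Disconnect-NAK carrying Error-Cause 503 (Session-Context-Not-Found, the value behind the message quoted above). The session id, user name, IP address and shared secret are made-up sample values, and build_nak_response only stands in for what a NAS would send back.

```python
"""Build and inspect RADIUS Disconnect-Request / Disconnect-NAK packets (RFC 5176).

Constructed example: the session values and shared secret below are made up.
"""
import hashlib
import ipaddress
import struct

# Packet codes (RFC 5176) and attribute types (RFC 2865 / RFC 2866 / RFC 5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_CAUSE_NAMES = {503: "Session-Context-Not-Found", 504: "Session-Context-Not-Removable"}
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attribute(attr_type, value):
    """Encode one Type-Length-Value attribute; value may be str, int, IPv4Address or bytes."""
    if isinstance(value, str):
        data = value.encode()
    elif isinstance(value, int):
        data = struct.pack("!I", value)
    elif isinstance(value, ipaddress.IPv4Address):
        data = value.packed
    else:
        data = bytes(value)
    if not 1 <= len(data) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def build_disconnect_request(identifier, secret, attributes):
    """Disconnect-Request; Request Authenticator = MD5(header | 16 zero octets | attrs | secret)."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_nak_response(request, secret, error_cause):
    """Stand-in for the NAS side: Disconnect-NAK with Error-Cause and a Response Authenticator
    computed over the Request Authenticator it answers (RFC 5176 section 2.3)."""
    body = encode_attribute(ATTR_ERROR_CAUSE, error_cause)
    header = struct.pack("!BBH", DISCONNECT_NAK, request[1], HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header; reject truncated or zero-length attributes."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 3 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def framed_ip_address(packet):
    """Return the Framed-IP-Address carried in the request, or None when it is missing."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            return ipaddress.IPv4Address(value)
    return None


def response_verified(response, request, secret):
    """Check the Response Authenticator of a reply against the request it answers."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def describe_response(response):
    """Human-readable summary of an ACK/NAK, naming the Error-Cause when present."""
    code = response[0]
    if code == DISCONNECT_ACK:
        return "Disconnect-ACK"
    if code == DISCONNECT_NAK:
        for attr_type, value in parse_attributes(response):
            if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
                cause = struct.unpack("!I", value)[0]
                return "Disconnect-NAK (Error-Cause = %s)" % ERROR_CAUSE_NAMES.get(cause, cause)
        return "Disconnect-NAK (no Error-Cause)"
    return "unexpected code %d" % code


# Constructed sample session and shared secret (not real values).
SECRET = b"example-shared-secret"
SESSION = {"acctsessionid": "0a1b2c3d", "username": "alice",
           "ip": ipaddress.IPv4Address("10.0.0.42")}


def request_without_ip():
    """What the report says PacketFence sends today: session id and user name only."""
    return build_disconnect_request(1, SECRET, [
        (ATTR_ACCT_SESSION_ID, SESSION["acctsessionid"]),
        (ATTR_USER_NAME, SESSION["username"]),
    ])


def request_with_ip():
    """The same request with Framed-IP-Address added, as in the local fix above."""
    return build_disconnect_request(2, SECRET, [
        (ATTR_ACCT_SESSION_ID, SESSION["acctsessionid"]),
        (ATTR_USER_NAME, SESSION["username"]),
        (ATTR_FRAMED_IP_ADDRESS, SESSION["ip"]),
    ])


if __name__ == "__main__":
    for req in (request_without_ip(), request_with_ip()):
        print("request id %d, Framed-IP-Address: %s" % (req[1], framed_ip_address(req)))
    nak = build_nak_response(request_without_ip(), SECRET, 503)
    print(describe_response(nak), "verified:", response_verified(nak, request_without_ip(), SECRET))
```

Running it prints one request with no Framed-IP-Address and one carrying 10.0.0.42, then the decoded NAK; the framed_ip_address check is the kind of assertion worth putting in front of a NAS-specific deauth path, since a missing attribute here surfaces only as a NAK from the NAS.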

heiko-ma commented 7 months ago

@fdurand I've noticed that this issue has been open since 2022 and I haven't received any feedback. The fix is already in my comment, so I suppose this should be quite an easy implementation for PacketFence 13.2. Thank you!