
NAME

pf::Switch::Cisco::WLC - Object oriented module to parse SNMP traps and manage Cisco Wireless Controllers (WLC) and Wireless Service Modules (WiSM)

STATUS

Developed and tested on firmware version 4.2.130, although the new RADIUS RFC3576 support requires firmware v5 and later.

Supports
Deauthentication with RADIUS Disconnect (RFC3576)
Deauthentication with SNMP

BUGS AND LIMITATIONS

Version specific issues
< 5.x

Issue with Windows 7: 802.1x+WPA2. It's not a PacketFence issue.

6.0.182.0

We had intermittent issues with DHCP. Disabling DHCP Proxy resolved it. Not a PacketFence issue.

7.0.116 and 7.0.220

SNMP deassociation is not working in WPA2. It only works if using an Open (unencrypted) SSID.

NOTE: This is no longer relevant since we rely on RADIUS Disconnect by default now.

7.2.103.0 (and maybe up but it is currently the latest firmware)

SNMP de-authentication no longer works. It is believed to be caused by the new firmware not accepting SNMP requests with a 2-byte request-id. Doing the same SNMP set with the `snmpset` command issues a 4-byte request-id, and the controllers are happy with these. Not a PacketFence issue. I would think it relates to the following open caveat, CSCtw87226: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp934687

NOTE: This is no longer relevant since we rely on RADIUS Disconnect by default now.

FlexConnect (H-REAP) limitations before firmware 7.2

Access Points in Hybrid Remote Edge Access Point (H-REAP) mode, now known as FlexConnect, don't support RADIUS dynamic VLAN assignments (AAA override).

Customer specific work-arounds are possible. For example: per-SSID registration, auto-registration, etc. The goal being that only one VLAN is ever 'assigned' and that is the local VLAN set on the AP for the SSID.

Update: FlexConnect AAA Override support was introduced in firmware 7.2 series

FlexConnect issues with firmware 7.2.103.0

There's an issue with this firmware regarding the AAA Override functionality required by PacketFence. The issue is fixed in 7.2.104.16, which is not released at the time of this writing.

The workaround mentioned by Cisco is to downgrade to 7.0.230.0 but it doesn't support the FlexConnect AAA Override feature...

So you can use 7.2.103.0 with PacketFence but not in FlexConnect mode.

Caveat CSCty44701

SEE ALSO

Version 7.2 - Configuring AAA Overrides for FlexConnect
Cisco's RADIUS Packet of Disconnect documentation

SUBROUTINES

deauthenticateMacDefault

De-authenticate a MAC address from wireless network (including 802.1x).

New implementation using RADIUS Disconnect-Request.
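
As an added example (not PacketFence's own code), this sketch shows the RFC 3576 exchange the subroutine relies on: it builds a Disconnect-Request for one client MAC and validates the authenticator on the controller's reply. The function names, the MAC format used in Calling-Station-Id and the sample values in the comments are assumptions.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID = 31  # RADIUS attribute carrying the client MAC


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(mac: str, secret: bytes, identifier: int) -> bytes:
    """Build a Disconnect-Request (code 40) naming one client MAC.

    Constructed sample input: mac="00-11-22-33-44-55", secret=b"testing123".
    """
    attrs = encode_attr(CALLING_STATION_ID, mac.encode("ascii"))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator: MD5 over the packet with a zeroed authenticator
    # field, followed by the shared secret (same rule as Accounting-Request).
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def check_reply(reply: bytes, request: bytes, secret: bytes) -> str:
    """Validate a Disconnect-ACK/NAK against its request; return 'ACK' or 'NAK'."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad length field")
    reply = reply[:length]  # octets past the length field are padding
    if identifier != request[1]:
        raise ValueError("identifier does not match the request")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError("unexpected code")
    # Response Authenticator: MD5(code, id, length, request authenticator,
    # reply attributes, secret). A reply forged without the secret fails here.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad response authenticator")
    return "ACK" if code == DISCONNECT_ACK else "NAK"
```

A reply that fails `check_reply` should be treated as if no reply arrived, so the caller does not record a client as disconnected on the strength of an unauthenticated packet.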

_deauthenticateMacSNMP

De-authenticate a MAC address from wireless network (including 802.1x).

This implementation is deprecated because RADIUS Disconnect-Request (aka RFC3576 aka CoA) is better and because the SNMP method no longer works with firmware 7.2 and up. See "BUGS AND LIMITATIONS" for details.

returnRoleAttribute

Which RADIUS attribute (usually a VSA) the role should be returned in.

deauthTechniques

Return the reference to the deauth technique or the default deauth technique.

parseUrl

This is called when we receive an HTTP request from the device. It returns these specific attributes:

client MAC address
SSID
client IP address
redirect URL
grant URL
status code

AUTHOR

Inverse inc. <info@inverse.ca>

COPYRIGHT

Copyright (C) 2005-2015 Inverse inc.

LICENSE

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
