Hi Rexford, sorry I don't understand where you enabled RADIUS. It's ok to add APs by IP address on the PF side.
I was asking about the connection profile, to check if it's matching a condition for devices connecting to your open SSID.

On Fri, Jul 19, 2024, 08:52, Rexford Nyarko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello Enrique,
> No, at the moment I am not matching SSID or anything like that.
> However, I just enabled the RADIUS service on the trunk interface where PF talks to the Unifi AP and controller. Now when I try connecting a client to the open wifi I see the following in the logs.
>
> Jul 19 11:26:14 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
> Jul 19 11:26:17 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
> Jul 19 11:26:23 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
>
> However, this unknown client 10.2.0.6 is my Unifi AP, added by MAC address.
> Do I need to remove it and add it via the controller using IP?
>
> Warm regards,
> Rexford A. Nyarko.
>
> On Fri, Jul 19, 2024 at 6:12 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
>> And in your connection profile are you matching like SSID?
>>
>> On Thu, Jul 18, 2024 at 15:57, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>
>>> Hello Enrique,
>>>
>>> Yes, they are all reachable one to the other: AP, Unifi controller and PF. This is quite weird for me considering the web auth works fine without problems.
>>> The RADIUS server is using PF's IP. Apart from setting the RADIUS password on the switch in PF and on the Unifi controller, is there anything else I need to do for the RADIUS config?
>>>
>>> Warm regards,
>>> Rexford A. Nyarko.
>>>
>>> On Thu, Jul 18, 2024 at 6:03 PM Enrique Gross <egr...@jcc-advance.com.ar> wrote:
>>>
>>>> Hi Rexford
>>>>
>>>> Try to troubleshoot the connection between the APs and the RADIUS server IP (PF management address). Can you ICMP that IP address? The RADIUS server you configured in the RADIUS profile on the Unifi controller, and applied to the SSID.
>>>>
>>>> On Thu, Jul 18, 2024 at 14:48, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>>
>>>>> Hello Enrique,
>>>>>
>>>>> Thanks again for getting back to me.
>>>>> Yes, I have mapped the VLAN ID in the switch config for the AP. But still, the client devices are unable to get an IP, so they just disconnect once you try to connect.
>>>>>
>>>>> I have also checked the logs; there isn't anything happening when I try to connect a client to the open SSID. I can't figure out what I am missing.
>>>>>
>>>>> Warm regards,
>>>>> Rexford A. Nyarko.
>>>>>
>>>>> On Thu, Jul 18, 2024 at 4:07 PM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>
>>>>>> Hi Rexford
>>>>>>
>>>>>> You don't need to put the registration VLAN as default/untagged; the registration VLAN goes with a tag.
>>>>>>
>>>>>> Have you mapped roles and VLAN ID in the switch config, on the PF side?
>>>>>>
>>>>>> Looking at packetfence.log will help you to know what is happening with the user/device when connecting to the AP.
>>>>>>
>>>>>> Enrique
>>>>>>
>>>>>> On Thu, Jul 18, 2024 at 11:10, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>>>>
>>>>>>> Hello Enrique,
>>>>>>> Thank you for your response.
>>>>>>> Yes, I have the AP connected via trunk. However, the same still happens: clients are not able to connect to the open network in order to access the registration portal.
>>>>>>> Do I need to make the registration VLAN 20 the default/untagged VLAN on the trunk ports? In that case, the AP can directly communicate with PF on the default network. Thanks in advance.
>>>>>>>
>>>>>>> Warm regards,
>>>>>>> Rexford A. Nyarko.
>>>>>>>
>>>>>>> On Wed, Jul 17, 2024 at 8:14 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>
>>>>>>>> Hi Rexford
>>>>>>>>
>>>>>>>> Hope you are doing well.
>>>>>>>>
>>>>>>>> When configuring the SSID on the Unifi side with RADIUS, it is ok that you cannot set VLAN 20 as registration. On the PF side, it's in the roles (Role mapping by VLAN ID) when configuring APs that you will set up your VLAN for registration, prod or other VLANs. So, as long as the registration VLAN, prod, etc. VLANs are trunked to the AP, that's fine.
>>>>>>>>
>>>>>>>> So, an unreg user will be evaluated upon connection; as the condition is unreg, it will be placed on the registration VLAN that is defined in your switch roles.
>>>>>>>>
>>>>>>>> Sorry for my bad English, hope it helps.
>>>>>>>>
>>>>>>>> Enrique.
>>>>>>>>
>>>>>>>> On Mon, Jul 15, 2024 at 5:22, Rexford Nyarko via PacketFence-users (<packetfence-users@lists.sourceforge.net>) wrote:
>>>>>>>>
>>>>>>>>> Hello All,
>>>>>>>>>
>>>>>>>>> First, my user environment consists mostly of Linux and Windows users and occasionally Mac. Network hardware consists of Cisco 2960 switches for LAN and Unifi AP AC Pro for wireless connectivity. I need to have an authentication setup such that users log in with their LDAP credentials and are assigned VLANs based on their *memberOf* LDAP attribute.
>>>>>>>>>
>>>>>>>>> Here's what I have done so far:
>>>>>>>>> 1. Installed PF 13.2 with two interfaces, one separate for management and another trunk with all VLAN interfaces added.
>>>>>>>>> 2. Configured an LDAP authentication source.
>>>>>>>>> 3. Configured a connection profile using the LDAP auth source.
>>>>>>>>> 4. Added Unifi APs individually to PF via MAC address. (Initially, I tried the controller IP method but that didn't work, with some weird errors about not being able to instantiate Switch.)
>>>>>>>>> 5. Configured the Unifi controller and wifi with a guest profile and external captive portal pointing to PF, as instructed in the documentation.
>>>>>>>>> 6. Enabled the captive portal and respective services on the trunk interface.
>>>>>>>>> Up to this point everything works great. As soon as a user connects to the open SSID they get redirected to the captive portal on PF and authenticate successfully with LDAP. This works great, no problem. I intend to keep that and later change the auth source for the guest portal.
>>>>>>>>>
>>>>>>>>> Now I am trying to do VLAN assignment. I followed the PF documentation for Ubiquiti to set up the controller with the RADIUS profile, SSID and all. However, things are not working as expected. I am a bit confused here.
>>>>>>>>> 1. I have created interfaces, registration VLAN - 20 and isolation VLAN - 30, on the trunk interface.
>>>>>>>>> 2. I have also added 3 other production VLANs where I manage DNS and DHCP.
>>>>>>>>> 3. The open SSID on the Unifi controller cannot be set to the registration VLAN 20 when RADIUS is enabled. So there is no way to communicate with PF via the registration VLAN, hence users cannot get IPs from PF on the open SSID and therefore cannot log in.
>>>>>>>>> I need advice on how to get this working. Do I have to make the registration VLAN the native or default VLAN on the trunk and configure the guest captive portal on a different VLAN which I can assign in the Unifi controller?
>>>>>>>>>
>>>>>>>>> Also, I have a problem where DNS queries on each VLAN/subnet point to the PF interface outside that subnet, e.g. pf.example.com - 192.168.0.1/24 on the registration VLAN, and PF on captive portal VLAN 40 has the IP 192.168.1.1/24, but a DNS query from the captive portal interface gives the registration VLAN IP of PF.
>>>>>>>>> I would prefer that queries from each VLAN would return the respective PF interface on that VLAN.
>>>>>>>>> Any help is appreciated.
>>>>>>>>>
>>>>>>>>> Warm regards,
>>>>>>>>> Rexford.
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
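Added example, not from this thread and not PacketFence's own code: a small Python checker that parses the FreeRADIUS "Ignoring request ... from unknown client" lines quoted above and reports which NAS source IPs are sending RADIUS requests the server has no client entry for, and whether each IP falls inside a list of client addresses or networks you believe you have configured (that list and the sample log below are constructed). A NAS that shows up as "not configured" is the symptom in the thread, and the same lines are what a rogue or misconfigured NAS produces, so they are worth alerting on.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the FreeRADIUS line format quoted in the thread.
UNKNOWN_CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) auth\[\d+\]: "
    r"Ignoring request to auth address \S+ port (?P<dport>\d+) "
    r"bound to server (?P<server>\S+) from unknown client "
    r"(?P<client>[\d.]+) port (?P<sport>\d+) proto (?P<proto>\w+)$"
)

def parse_unknown_clients(lines):
    """Return one dict per 'unknown client' line; other lines are skipped."""
    events = []
    for line in lines:
        m = UNKNOWN_CLIENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"], d["sport"] = int(d["dport"]), int(d["sport"])
            events.append(d)
    return events

def classify(events, expected_clients):
    """expected_clients: IPs or CIDRs you expect to be RADIUS clients.
    Returns {client_ip: (count, 'covered' | 'not configured')}.
    'covered' means the IP is in your expected list but the server still
    rejects it, which points at a config not regenerated or reloaded
    (assumption, not something the thread states)."""
    nets = [ip_network(c, strict=False) for c in expected_clients]
    counts = Counter(e["client"] for e in events)
    return {
        ip: (n, "covered" if any(ip_address(ip) in net for net in nets)
             else "not configured")
        for ip, n in counts.items()
    }

# Constructed sample: the three thread lines plus one unrelated line.
SAMPLE_LOG = """\
Jul 19 11:26:14 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
Jul 19 11:26:15 controller auth[7653]: Ready to process requests
Jul 19 11:26:17 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
Jul 19 11:26:23 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
""".splitlines()

if __name__ == "__main__":
    evts = parse_unknown_clients(SAMPLE_LOG)
    # Assumed: only the controller 10.2.0.1 was configured as a client.
    for ip, (n, status) in classify(evts, ["10.2.0.1"]).items():
        print(f"{ip}: {n} rejected request(s), {status}")
```

Feed it the real radius.log instead of SAMPLE_LOG, and the expected list from the switch entries you added in PF; an AP added by MAC only will not appear there as an IP.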