We need some assistance / have questions using packetfence with OpenWRT and
dynamic VLANs.  We are at the point where we are hopeful a few config
tweaks should get us up and running.

Our initial lab configuration will authenticate against OpenLDAP source and
allow guest registration using dynamic Registration/Isolation VLANs and
Packetfence's captive portal.

The first problem we seem to have is that OpenWRT does not appear to be
doing anything when we connect wirelessly.  Although not mentioned in the
docs, we think the VLANs may need to be set up as interfaces or bridges,
some layer 3 stuff like DHCP should be disabled, and we are not sure if the
current 15.05 hostapd.sh is up to the task, but it seems to have CoA bits in
it, so we think so.

First, a few details on our setup and current configuration, and five
questions we have on the OpenWRT setup.

Management/NORMAL - VLAN83 - (102.244.196.144/28)
Registration - VLAN81 - (10.2.2.0/24)
Isolation - VLAN82 - (10.2.3.0/23)

We have set up a new role and the openldap source with a catchall rule
following the docs.  Captive portal preview works fine.  On our packetfence
server, each VLAN appears as the native VLAN on a physical port.

We are using OpenWRT 15.05 on TPLINK Archer C7s. kmod-8021q, wpad,
hostapd-common are installed.

On the network, wan=eth0 and lan=eth1 and all three VLANs are part of a
trunk connected to eth0, and eth0.83 (MGMT) has been configured.

*/etc/config/network*
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd53:aa5f:9819::/48'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth1'

config interface 'wan'
        option proto 'static'
        option dns '32.64.191.81 32.64.191.82'
        option ifname 'eth0.83'
        option ipaddr '102.244.196.147'
        option netmask '255.255.255.240'
        option gateway '102.244.196.145'
        option broadcast '102.244.196.159'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '83'
        option vid '83'
        option ports '1t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '81'
        option vid '81'
        option ports '1t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '82'
        option vid '82'
        option ports '1t 6t'

1. Do we need to set up interfaces on the Isolation VLAN or Registration
VLAN in OpenWRT?

2. How is the lan interface supposed to be configured or disabled, noting
we probably don't need any layer 3 services or forwarding in OpenWRT?

*/etc/config/wireless*

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0'
        option htmode 'VHT80'
        option txpower '17'
        option country 'US'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/qca955x_wmac'
        option htmode 'HT20'
        option txpower '24'
        option country 'US'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt-OPEN'
        option encryption 'none'
        option vlan_file '/etc/config/hostapd.vlan'
        option network 'lan'
        option macfilter '2'
        option auth_port '1812'
        option auth_server '102.244.196.146'
        option auth_secret 'testing123'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'eth0'
        option radius_das_port '3799'
        option radius_das_client '102.244.196.146 testing123'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt-OPEN'
        option encryption 'none'
        option vlan_file '/etc/config/hostapd.vlan'
        option network 'lan'
        option macfilter '2'
        option auth_port '1812'
        option auth_server '102.244.196.146'
        option auth_secret 'testing123'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'eth0'
        option radius_das_port '3799'
        option radius_das_client '102.244.196.146 testing123'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt-SECURE'
        option vlan_file '/etc/config/hostapd.vlan'
        option encryption 'wpa2'
        option auth_server '102.244.196.146'
        option auth_port '1812'
        option auth_secret 'testing123'
        option acct_server '102.244.196.146'
        option acct_secret 'testing123'
        option acct_port '1813'
        option nasid 'Archer1632'
        option network 'lan'
        option vlan_tagged_interface 'eth0'
        option radius_das_port '3799'
        option radius_das_client '102.244.196.146 testing123'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt-SECURE'
        option vlan_file '/etc/config/hostapd.vlan'
        option encryption 'wpa2'
        option auth_server '102.244.196.146'
        option auth_port '1812'
        option auth_secret 'testing123'
        option acct_server '102.244.196.146'
        option acct_secret 'testing123'
        option acct_port '1813'
        option nasid 'Archer1632'
        option network 'lan'
        option vlan_tagged_interface 'eth0'
        option radius_das_port '3799'
        option radius_das_client '102.244.196.146 testing123'

3. We have seen posts about issues with multiple SSIDs using
radius_das_client in older OpenWRT builds; is this still an issue, as we do
not get errors?

4. Is the vlan_tagged_interface supposed to be the WAN trunk (eth0 in our
case), noting some OpenWRT routers use eth0 for the LAN switch port?  Is the
network supposed to be 'lan' and, assuming yes, what is the lan network
config supposed to be, if not the default OpenWRT one?

5. Does 15.05 hostapd.sh work or does it still need to be replaced with
something?

Our packetfence configuration is posted here too, but we don't have any
issues yet, since not much is happening until the wireless switches start
being managed by pf.  All we see is our logins on the preview portal
profile generating log events.  We have one question on radius attributes.

*conf/profiles.conf*
[default]
description=Default Profile
logo=/common/packetfence-cp.png
redirecturl=http://www.packetfence.org/
always_use_redirecturl=disabled
mandatory_fields=firstname,lastname,phone,email
locale=en_US
nbregpages=0
filter_match_style=any
block_interval=10m
sms_pin_retry_limit=0
sms_request_limit=0
login_attempt_limit=0

*conf/switches.conf*

#
# Copyright (C) 2005-2015 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
type=Generic
description=Switches Default Values
vlans=1,2,3,4,5
normalVlan=1
registrationVlan=81
isolationVlan=82
macDetectionVlan=4
voiceVlan=5
inlineVlan=6
inlineTrigger=
normalRole=normal
registrationRole=registration
isolationRole=isolation
macDetectionRole=macDetection
voiceRole=voice
inlineRole=inline
VoIPEnabled=N
cliAccess=N
VlanMap=Y
RoleMap=Y
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion=1
SNMPCommunityRead=public
SNMPCommunityWrite=private
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap=1
SNMPCommunityTrap=public
#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=testing123
AccessListMap=N
defaultVlan=83

[102.244.196.147]
description=Archer1632
group=OpenWRT_APs
radiusSecret=testing123

[group OpenWRT_APs]
mode=production
description=OpenWRT Devices
cliTransport=SSH
cliUser=root
deauthMethod=RADIUS
type=Hostapd
customersVlan=83

*conf/authentication.conf*
[local]
description=Local Users
type=SQL

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078
type=SMS
create_local_account=no

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
create_local_account=no
allow_localdomain=yes

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
create_local_account=no
allow_localdomain=yes

[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[null]
description=Null Source
type=Null
email_required=no

[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[test_employees]
description=LDAP Server
password=ldappassword
scope=children
binddn=cn=admin,dc=domain,dc=com
basedn=ou=Users,dc=domain,dc=com
email_attribute=mail
usernameattribute=uid
connection_timeout=5
stripped_user_name=no
encryption=ssl
port=636
type=LDAP
host=162.235.68.198

[test_employees rule employees]
description=Rule for all employees
class=authentication
match=all
action0=set_role=customers
action1=set_unreg_date=2020-01-01

[file1]
description=Legacy Source
stripped_user_name=yes
path=/usr/local/pf/conf/admin.conf
type=Htpasswd

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL

6. Will the radius require any additional configuration or are the VLANs
and other attributes passed to and from the radius server all controlled
via the GUI?
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
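As a way of checking questions 1, 3, 4 and 6 against a posted configuration, here is an added example in Python; it is not code from the post, from PacketFence or from OpenWrt. It parses a UCI network and wireless config together with PacketFence's conf/switches.conf and reports the mismatches that keep hostapd dynamic VLANs from working: a VLAN that PacketFence can return (registrationVlan, isolationVlan, defaultVlan) that is not tagged on the switch trunk, an SSID that talks RADIUS but has no dynamic_vlan, a shared secret that differs between the AP and switches.conf, a vlan_tagged_interface that is not the trunk device, and a radius_das_client that does not name the PacketFence server with that same secret. The sample inputs are constructed (trimmed from the post's config, with VLAN 82 left off the trunk and the SECURE SSID left without dynamic_vlan so both get reported); the lookup order for switches.conf (switch section, then its group, then [default]) follows how PacketFence layers switch settings, and the UCI reader is a deliberately small one that assumes quoted values as `uci export` writes them.

```python
"""Added example, not code from the mailing-list post, PacketFence or OpenWrt:
cross-checks a UCI network/wireless config against PacketFence's switches.conf
for what hostapd dynamic VLANs need. All sample inputs below are constructed."""
import configparser
import re

# Constructed samples mirroring the post: VLAN 82 is missing from the trunk and
# the SECURE SSID has no dynamic_vlan option, so both should be reported.
UCI_NETWORK = """config interface 'wan'
    option ifname 'eth0.83'
config switch_vlan
    option vid '83'
    option ports '1t 6t'
config switch_vlan
    option vid '81'
    option ports '1t 6t'
"""
UCI_WIRELESS = """config wifi-iface
    option ssid 'OpenWrt-OPEN'
    option auth_server '102.244.196.146'
    option auth_secret 'testing123'
    option dynamic_vlan '2'
    option vlan_tagged_interface 'eth0'
    option radius_das_client '102.244.196.146 testing123'
config wifi-iface
    option ssid 'OpenWrt-SECURE'
    option auth_server '102.244.196.146'
    option auth_secret 'testing123'
    option vlan_tagged_interface 'eth0'
    option radius_das_client '102.244.196.146 testing123'
"""
SWITCHES_CONF = """[default]
registrationVlan=81
isolationVlan=82
defaultVlan=83
radiusSecret=testing123
[102.244.196.147]
group=OpenWRT_APs
[group OpenWRT_APs]
type=Hostapd
"""

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")

def parse_uci(text):
    """Minimal UCI reader: one {'type', 'name', 'options'} dict per section."""
    sections = []
    for m in filter(None, map(UCI_LINE.match, text.splitlines())):
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append({"type": key, "name": value, "options": {}})
        elif sections:
            sections[-1]["options"][key] = value
    return sections

def tagged_vids(network):
    """VIDs tagged on at least one switch port: the only ones an eth0.<vid>
    subinterface that hostapd creates on the fly can actually carry."""
    vids = set()
    for o in (s["options"] for s in network if s["type"] == "switch_vlan"):
        vid = o.get("vid") or o.get("vlan")
        if vid and any(p.endswith("t") for p in o.get("ports", "").split()):
            vids.add(int(vid))
    return vids

def pf_lookup(pf, switch_ip, key):
    """switches.conf lookup in PacketFence's layering: switch, its group, [default]."""
    group = pf.get(switch_ip, "group", fallback=None)
    for section in (switch_ip, f"group {group}" if group else None, "default"):
        if section and pf.has_option(section, key):
            return pf.get(section, key)
    return None

def check_ap(network, wireless, pf, switch_ip):
    """Return findings as strings; an empty list means nothing inconsistent."""
    findings, trunk = [], tagged_vids(network)
    # The trunk device is the base of the VLAN-tagged wan ifname (eth0.83 -> eth0).
    wan = next((s for s in network
                if s["type"] == "interface" and "." in s["options"].get("ifname", "")), None)
    device = wan["options"]["ifname"].split(".")[0] if wan else None
    for key in ("registrationVlan", "isolationVlan", "defaultVlan"):
        val = pf_lookup(pf, switch_ip, key)
        if val and val.isdigit() and int(val) not in trunk:
            findings.append(f"{key}={val} is not a tagged switch_vlan; {device}.{val} traffic would be dropped")
    secret = pf_lookup(pf, switch_ip, "radiusSecret")
    for o in (s["options"] for s in wireless
              if s["type"] == "wifi-iface" and "auth_server" in s["options"]):
        ssid = o.get("ssid", "?")
        if o.get("dynamic_vlan") not in ("1", "2"):
            findings.append(f"{ssid}: dynamic_vlan is not 1 or 2, so Tunnel-Private-Group-ID from PacketFence is ignored")
        if o.get("auth_secret") != secret:
            findings.append(f"{ssid}: auth_secret differs from radiusSecret in switches.conf")
        if o.get("vlan_tagged_interface") != device:
            findings.append(f"{ssid}: vlan_tagged_interface should be the trunk device {device}")
        das = o.get("radius_das_client", "").split()
        if len(das) != 2 or das[0] != o["auth_server"] or das[1] != secret:
            findings.append(f"{ssid}: radius_das_client must be the PacketFence server and its secret (CoA/disconnect)")
    return findings

def run_checks():
    """Run the checks over the constructed samples for the post's AP entry."""
    pf = configparser.ConfigParser(interpolation=None)
    pf.read_string(SWITCHES_CONF)
    return check_ap(parse_uci(UCI_NETWORK), parse_uci(UCI_WIRELESS), pf, "102.244.196.147")

if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

To use it on a real AP, feed parse_uci the output of `uci export network` and `uci export wireless` and read the PacketFence server's conf/switches.conf with the same ConfigParser; `uci export` writes the single-quoted values the reader expects, and its `package` header lines are simply ignored. The radius_das_client check reflects this single-server lab, where the host sending CoA/Disconnect is the same one answering Access-Requests; keeping that list restricted to the PacketFence server is what stops any other host on the management VLAN from disconnecting clients.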
