Thank You Fabrice -

I attempted the changes and wired has the same behavior - I'll play with some
options there.
The wireless WebAuth has the same behavior, but after tailing I see what appears
to be a loop - as I try to connect I get the below, then after the log stops
I get "unable to connect" on the device (iOS).

Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Memory
configuration is not valid anymore for key config::Switch in local
cached_hash (pfconfig::cached::is_valid)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling
radius autz request: from switch_ip => (10.218.0.2), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac =>
[bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90
(pf::radius::authorize)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status
unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2)
Added role Pre_Auth to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web
authentication redirection to reply using role: 'Pre_Auth' and URL: '
http://10.218.100.100/Cisco::WLC/sid44a116'
(pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling
radius autz request: from switch_ip => (10.218.0.2), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac =>
[bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90
(pf::radius::authorize)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status
unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2)
Added role Pre_Auth to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web
authentication redirection to reply using role: 'Pre_Auth' and URL: '
http://10.218.100.100/Cisco::WLC/sid720a4e'
(pf::Switch::Cisco::WLC::returnRadiusAccessAccept)

Also I'm assuming the actual WLC Security -> WebAuth -> redirect needs to be
set to external with the same URL "http://10.218.100.100/Cisco::WLC", since
it's not in the documentation.
I've tested the Pre-Auth locally on the internal portal and it works as expected,
so it's the interaction between the two that I'm missing?


Cory White
Xponet
P: 904.735.1600
E: [email protected]
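
Added example, not PacketFence code and not from anyone in this thread: a small Python checker that parses packetfence.log lines in the format quoted above, counts repeated pf::radius::authorize cycles per MAC inside a short window to flag the kind of redirect loop described here (the client is re-issued the registration role on every association and never reaches the portal), and checks that each web-auth redirect URL starts with the registrationUrl base suggested earlier in the thread. The sample log lines are constructed to match the quoted format (the second MAC is invented); the expected base URL, the 10-second window and the threshold of two cycles are assumptions.

```python
"""Detect web-auth redirect loops in packetfence.log.

Added example, not PacketFence code. The line format follows the lines
quoted in this thread; SAMPLE_LOG below is constructed to match it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "   # Feb 03 14:36:07
    r"(?P<proc>\S+) (?P<level>[A-Z]+): "                # httpd.aaa(1702) INFO:
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] "  # [mac:bc:9f:ef:56:b0:fc]
    r"(?P<msg>.*) \((?P<func>[\w:]+)\)$"                 # message (pf::module::function)
)
URL_RE = re.compile(r"URL: '(?P<url>[^']+)'")
ROLE_RE = re.compile(r"Added role (?P<role>\S+) to the returned RADIUS Access-Accept")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    url = URL_RE.search(ev["msg"])
    role = ROLE_RE.search(ev["msg"])
    ev["url"] = url.group("url") if url else None
    ev["role"] = role.group("role") if role else None
    return ev


def analyze(lines, expected_base="http://10.218.100.100/Cisco::WLC",
            window=timedelta(seconds=10), threshold=2):
    """Per MAC: count authorize cycles, flag loops and off-pattern redirect URLs.

    A loop is `threshold` or more pf::radius::authorize events for one MAC
    inside `window`. `expected_base` is the registrationUrl suggested in the
    thread (an assumption); redirect URLs not under it are reported.
    """
    per_mac = defaultdict(lambda: {"authorize_ts": [], "roles": set(), "urls": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_mac[ev["mac"]]
        if ev["func"] == "pf::radius::authorize":
            rec["authorize_ts"].append(ev["ts"])
        if ev["role"]:
            rec["roles"].add(ev["role"])
        if ev["url"]:
            rec["urls"].append(ev["url"])

    findings = {}
    for mac, rec in per_mac.items():
        ts = sorted(rec["authorize_ts"])
        # any run of `threshold` consecutive authorize events within `window`
        loop = any(ts[i + threshold - 1] - ts[i] <= window
                   for i in range(len(ts) - threshold + 1))
        findings[mac] = {
            "authorize_count": len(ts),
            "redirect_loop": loop,
            "roles": sorted(rec["roles"]),
            "unexpected_urls": [u for u in rec["urls"]
                                if not u.startswith(expected_base + "/")],
        }
    return findings


# Constructed sample: two back-to-back cycles for the MAC from the thread
# (loop), plus an invented MAC still sending the pre-change redirect URL.
SAMPLE_LOG = [
    'Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)',
    "Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)",
    "Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)",
    "Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/Cisco::WLC/sid44a116' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)",
    'Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)',
    "Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)",
    "Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)",
    "Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/Cisco::WLC/sid720a4e' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)",
    'Feb 03 14:36:30 httpd.aaa(1702) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [00:11:22:33:44:55], port => 1, username => "001122334455", ssid => PF90 (pf::radius::authorize)',
    "Feb 03 14:36:30 httpd.aaa(1702) INFO: [mac:00:11:22:33:44:55] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/sid93100c' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)",
]

if __name__ == "__main__":
    for mac, finding in analyze(SAMPLE_LOG).items():
        print(mac, finding)
```

Run it against a real packetfence.log by replacing SAMPLE_LOG with the file's lines; a MAC reported with redirect_loop set and an empty unexpected_urls list is the case in this thread, where the URL is already in the suggested form and the problem lies elsewhere (the WLC side of the redirect).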


On Fri, Feb 3, 2017 at 8:39 AM, Fabrice Durand <[email protected]> wrote:

> Hello Cory,
>
> Le 2017-02-02 à 22:39, Cory White a écrit :
>
> Small update - exported ZEN package into our VM environment - have
> Out-of-Band working on a test 2960G. Get reg, redirect then see Radius
> config switch port and access - GREAT!
> Questions:
> 1. I noticed if the client device is on a configured port not on REG (Vl2) by
> default, the Radius configures back to Vl2 but it takes a release/renew on
> the client device to get the PF VL2 IP from pf and start the auth process -
> is this by design?
>
> Maybe you can try "authentication open" on the switch port config.
> Also do you know that you can do exactly the same thing (web auth) on the
> wire side too!
>
> 2. I am having trouble with the WebAuth portion on the wireless side - I can see
> the log in packetfence.log without ever actually getting connected to the SSID?
>
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling
> radius autz request: from switch_ip => (10.218.0.2), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac =>
> [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90
> (pf::radius::authorize)
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate
> profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status
> unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2)
> Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::
> returnRadiusAccessAccept)
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web
> authentication redirection to reply using role: 'Pre_Auth' and URL: '
> http://10.218.100.100/sid93100c' (pf::Switch::Cisco::WLC::
> returnRadiusAccessAccept)
>
> Change the registration url to that : registrationUrl=http://10.218.100.100/Cisco::WLC
>
>
> The log stops and I get the "unable to connect" dialog on my device (it never
> actually associates to the SSID) - no logs are leading me anywhere else unless I'm
> looking at the wrong ones. I used the WebAuth Device Config Guide to no avail
> and am a bit stuck. My switches.conf is below as well - 10.218.0.2 is the WLC,
> 10.218.100.100 the pf admin GUI
>
> [10.218.0.2]
> mode=production
> SNMPCommunityRead=harley
> SNMPCommunityWrite=harleyrw
> defaultVlan=10
> deauthMethod=RADIUS
> description=WLC
> type=Cisco::WLC_5500
> radiusSecret=packetfence
> SNMPVersion=2c
> ExternalPortalEnforcement=Y
> defaultRole=Authorized
> registrationRole=Pre_Auth
> registrationUrl=http://10.218.100.100/
> controllerIp=10.218.0.2
> UrlMap=Y
> VlanMap=N
> controllerPort=3799
>
> [10.218.100.4]
> mode=production
> SNMPCommunityRead=harley
> description=100.4
> cliAccess=Y
> SNMPCommunityWrite=harley
> defaultVlan=10
> deauthMethod=RADIUS
> type=Cisco::Catalyst_2960G
> radiusSecret=packetfence
> SNMPVersion=2c
> controllerPort=3799
> RoleMap=N
>
> Cory White
> Xponet
> P: 904.735.1600
> E: [email protected]
>
>
> On Wed, Feb 1, 2017 at 10:10 AM, Cory White <[email protected]> wrote:
>
>> Hello All -
>>
>> It's been a while since I posted for version 4 testing and inline deployment.
>> We did deploy PF sparingly in a production environment but have yet to go
>> 'all-in' as a permanent replacement. Roughly a couple hundred users - we're
>> looking for multiple thousands to test now.
>>
>> It's been some time and I'm revisiting PF with the 6.4 release - I am having
>> some sticking points where I see communication between our WLC and PF, can
>> associate to the SSID and see the Pre-Auth ACL applied, but never get presented
>> with a portal - "Unable to contact server" under iOS. Preview of default does
>> not display and shows a 'too many redirects' error.
>>
>> We're testing with dual NICs: eth0 is the management interface and eth1
>> is the portal/VLAN specific to the SSID - is this possible or do I need to use
>> one trunked eth0 and add VLAN identifiers/daemon assignments accordingly?
>>
>> We're running a Cisco 5520 server WLC on the latest 8.3 code so there are some
>> differences from the documentation examples but it's straightforward. We 'think'
>> WebAuth is the way we want to test/deploy, essentially letting the WLC do
>> all the work on our backbone and leaving PF as just the portal to assign Auth
>> ACLs. Is this possible over multiple NICs and VLANs? Or is this more of an
>> inline thought process where management, portal and SSID/VLAN need to
>> reside on one LAN to accomplish it?
>>
>> Basically, if we want to scale past one network for captive portal
>> (multiple guest VLANs) do we need to go with O-o-B VLAN enforcement and
>> still use the WLC/server backbone for everything else ILO WebAuth?
>>
>>
>> Cory White
>> Xponet
>> P: 904.735.1600
>> E: [email protected]
>>
>>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> Regards
> Fabrice
>
> --
> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>