Hi Fabrice,

I think I managed to figure out most of the things I asked you about, but I hit another error:

As I told you, I'd like to use vlan enforcement with hostapd. I changed my radius to local eap. I'm still able to register a device (when auto registration with radius credentials is activated) but after successful authentication nothing happens. My log files:

Log of /usr/local/pf/logs/packetfence.log:

Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] handling radius autz request: from switch_ip => (10.0.0.105), connection_type => Wireless-802.11-EAP,switch_mac => (64:70:02:b5:d4:eb), mac => [90:8d:6c:7c:09:9b], port => 1, username => "john", ssid => LabTest (pf::radius::authorize)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Instantiate profile MAWIFI (pf::Connection::ProfileFactory::_from_profile)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) WARN: [mac:90:8d:6c:7c:09:9b] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Using sources local for matching (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Using sources local for matching (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Username was defined "john" - returning role 'Mitarbeiter' (pf::role::getRegisteredRole)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] PID: "john", Status: reg Returned VLAN: (undefined), Role: Mitarbeiter (pf::role::fetchRoleForNode)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] (10.0.0.105) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] violation 1300003 force-closed for 90:8d:6c:7c:09:9b (pf::violation::violation_force_close)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Instantiate profile MAWIFI (pf::Connection::ProfileFactory::_from_profile)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:00:13:ce:ec:9e:27] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)

And the log of hostapd:

Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: stopped accounting session 59A408DF-00000015
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: authenticated
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: associated (aid 1)
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: VLAN ID 100
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b WPA: pairwise key handshake completed (RSN)
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: starting accounting session 59A408DF-00000016
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Mon Aug 28 16:16:39 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: disassociated
Mon Aug 28 16:16:39 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: stopped accounting session 59A408DF-00000016
Mon Aug 28 16:16:40 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

Regards,
Moritz

> On 26. Aug 2017, at 18:41, Moritz Schmid via PacketFence-users
> <[email protected]> wrote:
>
> Hello Fabrice,
>
> Thanks for your reply, but I'm still wrestling with the config and I have
> some further questions. First let me tell you my plans. I'd like to use
> pf in the vlan-enf mode with an openwrt router with hostapd and the radius
> with local auth (for testing).
>
> I configured the network as I wrote in my last mail. So pf and the openwrt
> ap are in the 10.0.0.x network without any vlan. I created a vlan each for
> registration and isolation as described in this guide:
> https://packetfence.org/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN.html#_configuring_your_packetfence_environment
> and linked the ap following that guide
> https://packetfence.org/doc/PacketFence_OpenWrt-Hostapd-15-05_Quick_Install_Guide.html
> which contains two errors I'd like to report. The linking of the ap works
> fine so far. Initially I plan to use the default role, which I allowed to
> register up to 10 devices. Here my troubles are starting: Which
> Authentication Sources shall I use?
>
> At the moment I'm using the default connection profile with the local source.
> If I connect a device via wifi to the network I can see the following lines
> in the log of hostapd:
>
> Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 IEEE 802.11: authenticated
> Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 IEEE 802.11: associated (aid 1)
> Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 RADIUS: starting accounting session 59A1541A-0000001E
>
> If I check auto registration of new devices in the connection profile, the
> device even gets registered, but the wifi won't connect. I stored the
> radius credentials as demanded in the /usr/local/pf/raddb/users file. Which
> point am I missing? Do I need further configurations? Honestly, sometimes I'm
> feeling lost in the guides of pf.
>
> Two last questions for my own understanding: the users section in the pf web
> menu, is it the "local" auth source? And if I use the auth source htpasswd, do
> I need to create a user in the users section?
>
> Best regards and sorry for the large amount of questions/problems
>
> Moritz
>
>> On 25. Aug 2017, at 18:49, Fabrice Durand via PacketFence-users
>> <[email protected]> wrote:
>>
>> Hello Moritz,
>>
>> just keep in mind that the registration and isolation vlan is managed by
>> packetfence (dhcp/dns/gateway), after that the production vlan can be
>> what you want.
>>
>> Regards
>>
>> Fabrice
>>
>> On 2017-08-25 at 10:39, Moritz Schmid via PacketFence-users wrote:
>>> Hey guys,
>>>
>>> I'm new to pf and a little bit confused about a proper vlan setup for the
>>> vlan enforcement. So far I'd like to have my setup checked please. My
>>> question: Is it possible that the management vlan and the "normal" aka
>>> production vlan are the same? I know it is possible to have several prod
>>> vlans but in my case I just want to have one.
>>>
>>> In the Network Device Conf Guide it's: Normal VLAN: 1, Registration VLAN: 2
>>> & Isolation VLAN: 3
>>> In the OoB Zen Guide it's: Mgmt VLAN 1, Reg VLAN 2, Isolation VLAN 3 &
>>> Normal VLAN 10
>>>
>>> My plans and my understanding are the following:
>>>
>>> Pf server (following the guide):
>>> Eth0 as mgmt/normal with ip 10.0.0.x
>>> Eth0 vlan 2 as registration with dhcp from pf (192.168.2.x)
>>> Eth0 vlan 3 as isolation with dhcp from pf (192.168.3.x)
>>>
>>> Switch
>>> Default vlan (1) with ip 10.0.0.x
>>> …
>>> …
>>>
>>> Uplink (Port 1) is in the default vlan 1, and Port 2 is the trunk
>>> port in all three vlans.
>>>
>>> Regards,
>>> Moritz
>>
>> --
>> Fabrice Durand
>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
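The question in this thread is whether the VLAN PacketFence returned actually reached the station. Below is an added diagnostic script, not from the thread or from the PacketFence project, that correlates packetfence.log and the hostapd log per STA MAC. The sample lines are constructed after the ones quoted above; the 30-second "drop window" and the verdict names are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the two logs quoted in the thread;
# they are not the poster's real files.
PF_LOG = (
    "Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: "
    "[mac:90:8d:6c:7c:09:9b] (10.0.0.105) Added VLAN 100 to the returned "
    "RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)\n"
)
HOSTAPD_LOG = (
    "Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: VLAN ID 100\n"
    "Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.1X: authenticated - EAP type: 25 (PEAP)\n"
    "Mon Aug 28 16:16:39 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: disassociated\n"
)

PF_RE = re.compile(r"\[mac:([0-9a-f:]{17})\].*Added VLAN (\d+) to the returned RADIUS Access-Accept")
HAPD_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*STA ([0-9a-f:]{17}) (.*)$")

def parse_pf(text):
    """Map each MAC to the VLAN PacketFence put into its Access-Accept."""
    return {m.group(1): int(m.group(2)) for m in map(PF_RE.search, text.splitlines()) if m}

def parse_hostapd(text):
    """Map each STA MAC to its (timestamp, event) pairs in log order."""
    events = {}
    for line in text.splitlines():
        m = HAPD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.setdefault(m.group(2), []).append((ts, m.group(3)))
    return events

def diagnose(pf_text, hostapd_text, drop_window=30):
    """Per STA: did hostapd apply the VLAN PF returned, and did the station stay
    associated at least drop_window seconds after 802.1X? (window/names assumed)"""
    expected = parse_pf(pf_text)
    verdicts = {}
    for mac, events in parse_hostapd(hostapd_text).items():
        applied = [int(e.split()[-1]) for _, e in events if e.startswith("RADIUS: VLAN ID ")]
        auth = [t for t, e in events if e.startswith("IEEE 802.1X: authenticated")]
        drop = [t for t, e in events if e == "IEEE 802.11: disassociated"]
        if mac in expected and expected[mac] not in applied:
            verdicts[mac] = "vlan_mismatch"      # PF said one VLAN, AP applied another (or none)
        elif auth and drop and 0 <= (drop[-1] - auth[-1]).total_seconds() <= drop_window:
            verdicts[mac] = "dropped_after_auth"  # RADIUS side agrees, client lost right after auth
        else:
            verdicts[mac] = "ok"
    return verdicts
```

On the thread's own logs hostapd did apply VLAN 100, so this check reports dropped_after_auth, which points at the AP side of the VLAN rather than at the RADIUS reply.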
