Hello guys,
I just upgraded my controller and, oh surprise, dynamic VLAN assignment
disappeared ....
Regards
Fabrice
On 2017-12-13 at 02:40, Timothy Mullican via PacketFence-users wrote:
> Geert,
> First in order to use 802.1x (and MAC-based auth for the open network)
> with the UniFi you must apply the patch at:
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
>
> You can run the following commands to accomplish this:
> # sudo wget -P /usr/local/pf/ https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
>
> # cd /usr/local/pf
> # sudo patch -p1 < 2735.diff
>
> Also have a look at:
> https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/td-p/1990175
> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479
>
> You might need to restart your PacketFence box here (or at least the
> services), since it won't respond to new RADIUS requests from the
> UniFi without the patch.
>
> Next go to
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1
> and read through the VLAN enforcement "Secure SSID" section. On the
> UniFi controller you have to create a file called "config.properties"
> in the current site (e.g.,
> /usr/lib/unifi/data/sites/default/config.properties or
> C:\Users\<username>\Ubiquiti
> Unifi\data\sites\default\config.properties) and insert the appropriate
> "config.system_cfg.[number (start with 1 and increment each
> line)]=aaa.[profile id].auth_cache=disabled" to disable pmksa caching
> ONLY for the 802.1x SSIDs, otherwise RADIUS deauth won't work. Once
> you do that you need to force re-provision the UniFi AP by clicking on
> it (from the controller web ui), selecting config->Manage Device, and
> click Provision.
>
> On the PacketFence web UI, make sure the interface connected to your
> UniFi controller/AP has the RADIUS daemon enabled (click on the
> interface under Configuration->Network Configuration->Interfaces and
> click the text box next to "Additional listening daemons").
>
> Next, make sure you trunk the port going to the Ubiquiti controller/AP
> allowing the necessary registration and guest VLANs. This shouldn't be
> an issue as long as you don't use native VLAN tagging on your switches.
>
> This is how I have the UniFi setup in my PacketFence instance:
>
> https://i.imgsafe.org/0c/0cff2c7f19.png
> https://i.imgsafe.org/0c/0cff2dfd99.png
>
> UniFi Controller IP: 192.168.20.7
> UniFi AP: 192.168.20.6
>
> From how I read the new draft documentation, you need to create a new
> switch entry for every access point with its IP address. Set the type
> as "Unifi Controller" for each and enter the IP address of the
> UniFi controller towards the bottom. Make sure to set the
> deauthentication method to HTTPS and specify the username and password
> for the UniFi controller on the "Web Services" tab. I do not have a
> separate entry for both the controller and AP on the switches page,
> just a single entry for each AP. Review the above photo links if you
> have any questions.
>
> You can refer to the image links earlier in the thread to see how I
> set my UniFi controller up. The only issue I'm having is with the open
> network. MAC-based authentication is used and I can see PacketFence
> RADIUS returning the correct VLANs, but the UniFi AP is throwing
> errors about the VLAN not existing. It's weird since 802.1x secure
> SSID works correctly with the VLANs and both the secure and open SSID
> are on the same AP. Hopefully Fabrice or someone else can help shed
> some light.
>
> Please let me know if you have any other questions or need help with
> anything. I'm still trying to get my demo environment setup correctly
> myself!
>
> Thanks!
>
>
> On Wednesday, December 13, 2017, 12:49:33 AM CST, Geert Heremans
> <heremans.ge...@gmail.com> wrote:
>
>
> Hi Timothy,
>
> I'm also running unifi at my school and I'm trying to implement PF.
> Could you help me with the following questions:
>
> 1. In the switches menu I've added the unifi controller IP and
> assigned the Unifi Profile that's available in PF. This seems correct.
>
> 2. I've also added the APs' IP addresses to the switches. Do I need
> to assign the Unifi profile here as well?
>
>
>
> RADIUS assigned VLANs are only possible on 802.1X configured
> Wi-Fi networks, I'm afraid.
>
> If I'm correct I need to set up 2 Wi-Fi SSIDs to get PF to work:
>
> 1. One open SSID where users can register their device on the captive
> portal page
> 2. One 802.1X protected SSID with RADIUS assigned VLANs and
> MAC address authentication. When the user has registered his or
> her device they can then connect to this protected SSID.
>
> Best regards,
> Geert
>
> 2017-12-12 23:53 GMT+01:00 Timothy Mullican via PacketFence-users
> <packetfence-users@lists.sourceforge.net>:
>
> Fabrice,
> I am running UniFi controller version 5.6.22 and UniFi AP-AC-Pro
> firmware 3.9.3.7537, both of which should be the latest. It
> appears that the Radius assigned VLAN option only shows up as an
> option in the UniFi controller when you choose WPA Enterprise. You
> can see screenshots of my setup below:
>
> https://i.imgsafe.org/05/05bb81f5b4.png
> https://i.imgsafe.org/05/05bbd86ab4.png
> https://i.imgsafe.org/05/05bbb5eafe.png
> https://i.imgsafe.org/05/05bbc22129.png
>
> The running config from the UniFi AP is also available at:
>
> https://pastebin.com/Zz0cRLSM
>
> Thanks!
> On Tuesday, December 12, 2017 10:13:36 AM CST,
> Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
>
> You probably have to update the controller version.
>
>
>
> On 2017-12-12 at 10:30, Timothy Mullican via PacketFence-users
> wrote:
> Fabrice,
> On the UniFi controller the “Use dynamic VLAN assignment” option
> only shows up on SSIDs using 802.1x. Is there any way to also use
> dynamic vlan assignment on open SSIDs? For open networks it only
> lets me specify a static VLAN to use.
>
> Thanks!
>
> Sent from mobile phone
>
> On Dec 12, 2017, at 07:41, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Timothy,
>
> you must enable that:
>
> https://raw.githubusercontent.com/inverse-inc/packetfence/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png
>
> Regards
>
> Fabrice
>
>
> On 2017-12-12 at 01:37, Timothy Mullican via PacketFence-users
> wrote:
> Hello all,
> I am trying to setup a proof of concept using an Ubiquiti UniFi
> UAP-PRO with the following setup:
>
> Cisco 3560-E L3 Switch
> UniFi UAP-PRO
> UniFi Controller running on CentOS 7.3 (docker) on ESXi
> PacketFence running on CentOS 7.3 on ESXi
>
> The Cisco switch has the following VLANs:
> VLAN 2 - registration
> VLAN 3 - isolation
> VLAN 4 - guest
> VLAN 10 - enterprise
> VLAN 20 - wireless
> VLAN 100 - out of band management
>
> I have created two SSIDs on the UniFi AP, a secure 802.1x SSID and
> an open SSID. I was able to apply the patch available
> at https://github.com/inverse-inc/packetfence/pull/2735 to enable
> 802.1x for the secure network and this is working correctly.
> However, for the open guest SSID, I am trying to do a captive
> portal with dynamic vlan assignment. The user would initially be
> placed in the registration vlan (2) and then moved to another vlan
> based on their user role (vlan 4 or 10). Both the UniFi controller
> VM and the UniFi AP are in VLAN 20. On the UniFi controller,
> dynamic VLAN assignment appears to only be an option under 802.1x
> networks, otherwise you must choose a static VLAN. I saw the
> external captive portal setup for the UniFi under the PacketFence
> Network Devices documentation, but I don’t believe this supports
> dynamic VLAN assignment. Does anyone know of any way to do dynamic
> VLAN assignment on an open wireless network with the UniFi AP, or
> have any suggestions?
>
> Thanks!
>
>
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users