It shows up fine for me using the linuxserver/UniFi docker container (running
5.6.22 on CentOS 7.3). Weird it disappeared for you. They did just release
5.6.26 two days ago though. I haven’t upgraded to the latest yet. Perhaps they
changed something.
Sent from mobile phone
> On Dec 13, 2017, at 10:08, E.P. via PacketFence-users
> <[email protected]> wrote:
>
> Hm…
> This is interesting. I’m building the whole packetfence solution for a large
> WiFi network distributed through 20 sites and built on Ubiquiti Unifi. What
> was your previous controller version, Fabrice? I’m also on 5.6.22 now.
>
> Eugene
>
> From: Fabrice Durand via PacketFence-users
> [mailto:[email protected]]
> Sent: Wednesday, December 13, 2017 7:51 AM
> To: [email protected]
> Cc: Fabrice Durand
> Subject: Re: [PacketFence-users] Ubiquiti UniFi AP Captive Portal
>
> Hello Guys,
>
> just upgraded my controller and oh surprise dynamic vlan assignment disappeared
> ....
>
>
> Regards
> Fabrice
>
>
> On 2017-12-13 at 02:40, Timothy Mullican via PacketFence-users wrote:
> Geert,
> First in order to use 802.1x (and MAC-based auth for the open network) with
> the UniFi you must apply the patch at:
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
>
> You can run the following commands to accomplish this:
> # sudo wget -P /usr/local/pf/ https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
> # cd /usr/local/pf
> # sudo patch -p1 < 2735.diff
>
> Also have a look at:
> https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/td-p/1990175
> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479
>
> You might need to restart your PacketFence box here (or at least the
> services), since it won't respond to new RADIUS requests from the UniFi
> without the patch.
>
> Next go to
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1
> and read through the VLAN enforcement "Secure SSID" section. On the UniFi
> controller you have to create a file called "config.properties" in the
> current site (e.g., /usr/lib/unifi/data/sites/default/config.properties or
> C:\Users\<username>\Ubiquiti Unifi\data\sites\default\config.properties) and
> insert the appropriate "config.system_cfg.[number (start with 1 and increment
> each line)]=aaa.[profile id].auth_cache=disabled" to disable pmksa caching
> ONLY for the 802.1x SSIDs, otherwise RADIUS deauth won't work. Once you do
> that you need to force re-provision the UniFi AP by clicking on it (from the
> controller web ui), selecting config->Manage Device, and click Provision.
>
> On the PacketFence web UI, make sure the interface connected to your UniFi
> controller/AP has the RADIUS daemon enabled (click on the interface under
> Configuration->Network Configuration->Interfaces and click the text box next
> to "Additional listening daemons").
>
> Next, make sure you trunk the port going to the Ubiquiti controller/AP
> allowing the necessary registration and guest VLANs. This shouldn't be an
> issue as long as you don't use native VLAN tagging on your switches.
>
> This is how I have the UniFi setup in my PacketFence instance:
>
> https://i.imgsafe.org/0c/0cff2c7f19.png
> https://i.imgsafe.org/0c/0cff2dfd99.png
>
> UniFi Controller IP: 192.168.20.7
> UniFi AP: 192.168.20.6
>
> From how I read the new draft documentation, you need to create a new switch
> entry for every access point with its IP address. Set the type as "Unifi
> Controller" for each and enter the IP address of the UniFi controller
> towards the bottom. Make sure to set the deauthentication method to HTTPS and
> specify the username and password for the UniFi controller on the "Web
> Services" tab. I do not have a separate entry for both the controller and AP
> on the switches page, just a single entry for each AP. Review the above photo
> links if you have any questions.
>
> You can refer to the image links earlier in the thread to see how I set my
> UniFi controller up. The only issue I'm having is with the open network.
> MAC-based authentication is used and I can see PacketFence RADIUS returning
> the correct VLANs, but the UniFi AP is throwing errors about the VLAN not
> existing. It's weird since 802.1x secure SSID works correctly with the VLANs
> and both the secure and open SSID are on the same AP. Hopefully Fabrice or
> someone else can help shed some light.
>
> Please let me know if you have any other questions or need help with
> anything. I'm still trying to get my demo environment setup correctly myself!
>
> Thanks!
>
>
> On Wednesday, December 13, 2017, 12:49:33 AM CST, Geert Heremans
> <[email protected]> wrote:
>
>
> Hi Timothy,
>
> I'm also running unifi at my school and I'm trying to implement PF. Could you
> help me with the following questions:
> In the switches menu I've added the unifi controller IP and assigned the
> Unifi Profile that's available in PF. This seems correct.
> I've also added the AP's IP-addresses to the switches. Do I need to assign
> the Unifi profile here as well?
>
>
> Radius assigned VLANs are only possible on 802.1x configured WIFI-networks
> I'm afraid.
>
> If I'm correct I need to setup 2 WIFI-SSIDs to get PF to work:
> One open SSID where users can register their device on the captive portal page
> One 802.1X protected SSID with Radius assigned VLANs and mac-address
> authentication. When the user has registered his or her device they now can
> connect to this protected SSID.
> Best regards,
> Geert
>
> 2017-12-12 23:53 GMT+01:00 Timothy Mullican via PacketFence-users
> <[email protected]>:
> Fabrice,
> I am running UniFi controller version 5.6.22 and UniFi AP-AC-Pro firmware
> 3.9.3.7537, both of which should be the latest. It appears that the Radius
> assigned VLAN option only shows up as an option in the UniFi controller when
> you choose WPA Enterprise. You can see screenshots of my setup below:
>
> https://i.imgsafe.org/05/05bb81f5b4.png
> https://i.imgsafe.org/05/05bbd86ab4.png
> https://i.imgsafe.org/05/05bbb5eafe.png
> https://i.imgsafe.org/05/05bbc22129.png
>
> The running config from the UniFi AP is also available at:
>
> https://pastebin.com/Zz0cRLSM
>
> Thanks!
> On Tuesday, December 12, 2017 10:13:36 AM CST, Fabrice
> Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
>
> You probably have to update the controller version.
>
>
>
>
> On 2017-12-12 at 10:30, Timothy Mullican via PacketFence-users wrote:
> Fabrice,
> On the UniFi controller the “Use dynamic VLAN assignment” option only shows
> up on SSIDs using 802.1x. Is there any way to also use dynamic vlan
> assignment on open SSIDs? For open networks it only lets me specify a static
> VLAN to use.
>
> Thanks!
>
> Sent from mobile phone
>
> On Dec 12, 2017, at 07:41, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Timothy,
>
> you must enable that:
>
> https://raw.githubusercontent.com/inverse-inc/packetfence/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png
>
> Regards
>
> Fabrice
>
>
> On 2017-12-12 at 01:37, Timothy Mullican via PacketFence-users wrote:
> Hello all,
> I am trying to setup a proof of concept using an Ubiquiti UniFi UAP-PRO with
> the following setup:
>
> Cisco 3560-E L3 Switch
> UniFi UAP-PRO
> UniFi Controller running on CentOS 7.3 (docker) on ESXi
> PacketFence running on CentOS 7.3 on ESXi
>
> The Cisco switch has the following VLANs:
> VLAN 2 - registration
> VLAN 3 - isolation
> VLAN 4 - guest
> VLAN 10 - enterprise
> VLAN 20 - wireless
> VLAN 100 - out of band management
>
> I have created two SSIDs on the UniFi AP, a secure 802.1x SSID and an open
> SSID. I was able to apply the patch available at
> https://github.com/inverse-inc/packetfence/pull/2735 to enable 802.1x for
> the secure network and this is working correctly. However, for the open
> guest SSID, I am trying to do a
> captive portal with dynamic vlan assignment. The user would initially be
> placed in the registration vlan (2) and then moved to another vlan based on
> their user role (vlan 4 or 10). Both the UniFi controller VM and the UniFi AP
> are in VLAN 20. On the UniFi controller, dynamic VLAN assignment appears to
> only be an option under 802.1x networks, otherwise you must choose a static
> VLAN. I saw the external captive portal setup for the UniFi under the
> PacketFence Network Devices documentation, but I don’t believe this supports
> dynamic VLAN assignment. Does anyone know of any way to do dynamic VLAN
> assignment on an open wireless network with the UniFi AP, or have any
> suggestions?
>
> Thanks!
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
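
The numbered config.properties lines described in the quoted instructions (one "config.system_cfg.N=aaa.[profile id].auth_cache=disabled" entry per 802.1x SSID) can be merged into an existing site file instead of being numbered by hand. This is an added example, not code from the thread, PacketFence or Ubiquiti; the function name, the sample file content and the profile ids 1 and 3 are assumptions.

```python
import re

# Matches existing entries such as "config.system_cfg.3=aaa.2.auth_cache=disabled".
ENTRY = re.compile(r"^config\.system_cfg\.(\d+)=(.*)$")


def merge_auth_cache_overrides(existing_text, profile_ids):
    """Return config.properties text with PMKSA caching disabled for each
    given aaa profile id. Existing lines keep their numbers, new entries
    continue from the highest number in use, and ids that are already
    overridden are skipped, so running it twice changes nothing."""
    lines = existing_text.splitlines()
    highest = 0
    present = set()
    for line in lines:
        match = ENTRY.match(line.strip())
        if match:
            highest = max(highest, int(match.group(1)))
            present.add(match.group(2).strip())
    for pid in profile_ids:
        if not isinstance(pid, int) or pid < 1:
            raise ValueError(f"profile id must be a positive integer: {pid!r}")
        value = f"aaa.{pid}.auth_cache=disabled"
        if value in present:
            continue  # override already in the file
        highest += 1
        lines.append(f"config.system_cfg.{highest}={value}")
        present.add(value)
    return "\n".join(lines) + "\n" if lines else ""


# Constructed sample: a site file that already carries one override.
SAMPLE = "config.system_cfg.1=aaa.1.auth_cache=disabled\n"

if __name__ == "__main__":
    # Assumption: profiles 1 and 3 are the 802.1x SSIDs on this site.
    # The open SSID's profile is left out, since the override is meant
    # ONLY for the 802.1x SSIDs.
    print(merge_auth_cache_overrides(SAMPLE, [1, 3]), end="")
```

After writing the result to the site's config.properties, the AP still has to be re-provisioned from the controller as described in the thread.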