I was able to manually update my docker container, and I can confirm dynamic 
VLAN assignment is still present for 802.1x SSIDs, at least in my instance 
running the latest firmware (5.6.26). See photo below:
https://i.imgsafe.org/1b/1b9c0cf761.png
I wonder if some kind of configuration on your controller got messed up. Not 
sure.
    On Wednesday, December 13, 2017, 10:35:21 AM CST, Timothy Mullican 
<[email protected]> wrote:  
 
 It shows up fine for me using the linuxserver/UniFi docker container (running 
5.6.22 on CentOS 7.3). Weird it disappeared for you. They did just release 
5.6.26 two days ago though. I haven’t upgraded to the latest yet. Perhaps they 
changed something. 

Sent from mobile phone
On Dec 13, 2017, at 10:08, E.P. via PacketFence-users 
<[email protected]> wrote:



Hm…

This is interesting. I’m building the whole PacketFence solution for a large 
WiFi network distributed through 20 sites and built on Ubiquiti UniFi. What was 
your previous controller version, Fabrice? I’m also on 5.6.22 now.

  

Eugene

  

From: Fabrice Durand via PacketFence-users 
[mailto:[email protected]] 
Sent: Wednesday, December 13, 2017 7:51 AM
To: [email protected]
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Ubiquiti UniFi AP Captive Portal

  

Hello Guys,

Just upgraded my controller and, oh surprise, dynamic VLAN assignment 
disappeared....


Regards
Fabrice



On 2017-12-13 at 02:40, Timothy Mullican via PacketFence-users wrote:


Geert,

First in order to use 802.1x (and MAC-based auth for the open network) with the 
UniFi you must apply the patch at:

https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff

  

You can run the following commands to accomplish this:

# sudo wget -P /usr/local/pf/ https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
 

# cd /usr/local/pf

# sudo patch -p1 < 2735.diff

  

Also have a look at:

https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/td-p/1990175

https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479

  

You might need to restart your PacketFence box here (or at least the services), 
since it won't respond to new RADIUS requests from the UniFi without the patch.

  

Next go to 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1
 and read through the VLAN enforcement "Secure SSID" section. On the UniFi 
controller you have to create a file called "config.properties" in the current 
site (e.g., /usr/lib/unifi/data/sites/default/config.properties or 
C:\Users\<username>\Ubiquiti Unifi\data\sites\default\config.properties) and 
insert the appropriate "config.system_cfg.[number (start with 1 and increment 
each line)]=aaa.[profile id].auth_cache=disabled" to disable pmksa caching ONLY 
for the 802.1x SSIDs, otherwise RADIUS deauth won't work. Once you do that you 
need to force re-provision the UniFi AP by clicking on it (from the controller 
web ui), selecting config->Manage Device, and click Provision.

  

On the PacketFence web UI, make sure the interface connected to your UniFi 
controller/AP has the RADIUS daemon enabled (click on the interface under 
Configuration->Network Configuration->Interfaces and click the text box next to 
"Additional listening daemons").

  

Next, make sure you trunk the port going to the Ubiquiti controller/AP allowing 
the necessary registration and guest VLANs. This shouldn't be an issue as long 
as you don't use native VLAN tagging on your switches.

  

This is how I have the UniFi setup in my PacketFence instance:

  

https://i.imgsafe.org/0c/0cff2c7f19.png

https://i.imgsafe.org/0c/0cff2dfd99.png 

  

UniFi Controller IP: 192.168.20.7

UniFi AP: 192.168.20.6

  

From how I read the new draft documentation, you need to create a new switch 
entry for every access point with its IP address. Set the type as "Unifi 
Controller" for each and enter the IP address of the UniFi controller 
towards the bottom. Make sure to set the deauthentication method to HTTPS and 
specify the username and password for the UniFi controller on the "Web 
Services" tab. I do not have a separate entry for both the controller and AP 
on the switches page, just a single entry for each AP. Review the above photo 
links if you have any questions.

  

You can refer to the image links earlier in the thread to see how I set my 
UniFi controller up. The only issue I'm having is with the open network. 
MAC-based authentication is used and I can see PacketFence RADIUS returning the 
correct VLANs, but the UniFi AP is throwing errors about the VLAN not existing. 
It's weird since 802.1x secure SSID works correctly with the VLANs and both the 
secure and open SSID are on the same AP. Hopefully Fabrice or someone else can 
help shed some light.

  

Please let me know if you have any other questions or need help with anything. 
I'm still trying to get my demo environment setup correctly myself!

  

Thanks!
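
Added example (not part of the original message): one way to generate the "config.system_cfg.N=aaa.[profile id].auth_cache=disabled" lines described above for several 802.1x SSIDs without clobbering overrides already in config.properties. The function names and the profile ids in the usage comment are hypothetical; take the real ids from your own AP configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Appends lines of the form
#   config.system_cfg.N=aaa.<profile id>.auth_cache=disabled
# to a site's config.properties, numbering N after the highest index
# already in the file so existing overrides keep their slots.

# next_cfg_index FILE: print the next free config.system_cfg index.
next_cfg_index() {
    max=0
    if [ -f "$1" ]; then
        max=$(sed -n 's/^config\.system_cfg\.\([0-9][0-9]*\)=.*/\1/p' "$1" |
              sort -n | tail -n 1)
        [ -n "$max" ] || max=0
    fi
    echo $((max + 1))
}

# add_auth_cache_overrides FILE ID...: one line per 802.1x profile id.
# Ids that already have the override are skipped; non-numeric ids abort.
add_auth_cache_overrides() {
    file=$1; shift
    for id in "$@"; do
        case $id in ''|*[!0-9]*) echo "bad profile id: $id" >&2; return 1;; esac
    done
    # Make sure the file ends with a newline before appending.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    n=$(next_cfg_index "$file")
    for id in "$@"; do
        if [ -f "$file" ] && grep -q "=aaa\.$id\.auth_cache=disabled\$" "$file"; then
            continue
        fi
        printf 'config.system_cfg.%s=aaa.%s.auth_cache=disabled\n' "$n" "$id" >> "$file"
        n=$((n + 1))
    done
}

# Usage (profile ids 2 and 5 are placeholders for your 802.1x SSIDs):
#   add_auth_cache_overrides /usr/lib/unifi/data/sites/default/config.properties 2 5
```

The AP still has to be force re-provisioned from the controller afterwards, as described in the message, before the override takes effect.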

  

  

On Wednesday, December 13, 2017, 12:49:33 AM CST, Geert Heremans 
<[email protected]> wrote: 

  

  

Hi Timothy, 

  

I'm also running unifi at my school and I'm trying to implement PF. Could you 
help me with the following questions:
   
   - In the switches menu I've added the UniFi controller IP and assigned the 
UniFi profile that's available in PF. This seems correct.
   
   - I've also added the APs' IP addresses to the switches. Do I need to assign 
the UniFi profile here as well?

  

  

RADIUS-assigned VLANs are only possible on 802.1x-configured WiFi networks, I'm 
afraid. 

  

If I'm correct I need to set up 2 WiFi SSIDs to get PF to work:
   
   - One open SSID where users can register their device on the captive portal 
page
   - One 802.1X-protected SSID with RADIUS-assigned VLANs and MAC address 
authentication. When users have registered their device they can now 
connect to this protected SSID.

Best regards,

Geert

  

2017-12-12 23:53 GMT+01:00 Timothy Mullican via PacketFence-users 
<[email protected]>:

Fabrice,

I am running UniFi controller version 5.6.22 and UniFi AP-AC-Pro firmware 
3.9.3.7537, both of which should be the latest. It appears that the Radius 
assigned VLAN option only shows up as an option in the UniFi controller when 
you choose WPA Enterprise. You can see screenshots of my setup below:

  

https://i.imgsafe.org/05/05bb81f5b4.png

https://i.imgsafe.org/05/05bbd86ab4.png

https://i.imgsafe.org/05/05bbb5eafe.png

https://i.imgsafe.org/05/05bbc22129.png

  

The running config from the UniFi AP is also available at:

  

https://pastebin.com/Zz0cRLSM

  

Thanks!

On Tuesday, December 12, 2017 10:13:36 AM CST, Fabrice Durand 
via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote: 

  

  

You probably have to update the controller version.

  

  

On 2017-12-12 at 10:30, Timothy Mullican via PacketFence-users wrote:

Fabrice, 

On the UniFi controller the “Use dynamic VLAN assignment” option only shows up 
on SSIDs using 802.1x. Is there any way to also use dynamic vlan assignment on 
open SSIDs? For open networks it only lets me specify a static VLAN to use. 

  

Thanks!

Sent from mobile phone


On Dec 12, 2017, at 07:41, Fabrice Durand via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hello Timothy,

you must enable that:

https://raw.githubusercontent.com/inverse-inc/packetfence/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png

Regards

Fabrice

  

On 2017-12-12 at 01:37, Timothy Mullican via PacketFence-users wrote:

Hello all, 

I am trying to setup a proof of concept using an Ubiquiti UniFi UAP-PRO with 
the following setup:

  

Cisco 3560-E L3 Switch

UniFi UAP-PRO

UniFi Controller running on CentOS 7.3 (docker) on ESXi

PacketFence running on CentOS 7.3 on ESXi

  

The Cisco switch has the following VLANs:

VLAN 2 - registration

VLAN 3 - isolation 

VLAN 4 - guest

VLAN 10 - enterprise

VLAN 20 - wireless

VLAN 100 - out of band management

  

I have created two SSIDs on the UniFi AP, a secure 802.1x SSID and an open 
SSID. I was able to apply the patch available at 
https://github.com/inverse-inc/packetfence/pull/2735 to enable 802.1x for the 
secure network and this is 
working correctly. However, for the open guest SSID, I am trying to do a 
captive portal with dynamic vlan assignment. The user would initially be placed 
in the registration vlan (2) and then moved to another vlan based on their user 
role (vlan 4 or 10). Both the UniFi controller VM and the UniFi AP are in VLAN 
20. On the UniFi controller, dynamic VLAN assignment appears to only be an 
option under 802.1x networks, otherwise you must choose a static VLAN. I saw 
the external captive portal setup for the UniFi under the PacketFence Network 
Devices documentation, but I don’t believe this supports dynamic VLAN 
assignment. Does anyone know of any way to do dynamic VLAN assignment on an 
open wireless network with the UniFi AP, or have any suggestions?

  

Thanks!




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and 
PacketFence (http://packetfence.org) 
