Hi Timothy,
I’m really, really grateful to you for your comments.
May I ask what firmware level you run on your Unifi AP?
And by the way, just out of curiosity, why do we need the controller IP address in the
settings for the AP/switch?
I thought that the real RADIUS client is the AP and the controller’s only job
is to push settings, including WPA-Enterprise/RADIUS, to the AP.
Eugene
From: Timothy Mullican [mailto:[email protected]]
Sent: Friday, December 29, 2017 9:34 AM
To: [email protected]
Cc: E.P.; Fabrice Durand
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with
FreeRADIUS
Eugene,
Just a thought, but can you change the deauthentication method to HTTPS and
specify the UniFi controller IP? See my setup below:
https://i.imgsafe.org/0c/0cff2c7f19.png
https://i.imgsafe.org/0c/0cff2dfd99.png
My UniFi AP is 192.168.20.7
My UniFi controller is 192.168.20.6
This is my UniFi AP setup:
https://i.imgsafe.org/05/05bbb5eafe.png
https://i.imgsafe.org/05/05bbd86ab4.png
Also please make sure you have the latest UniFi AP and controller firmware as
they were just updated a few days ago.
See my earlier post on the PacketFence-Users forum if you have questions.
Tim
Sent from mobile phone
On Dec 29, 2017, at 07:59, Fabrice Durand via PacketFence-users
<[email protected]> wrote:
For me it looks like 172.19.254.2 is defined twice.
Can you do in /usr/local/pf/raddb:
grep 172.19.254.2 * -r
Also can you try to run radiusd in debug mode and see if you can see
172.19.254.2 (radiusd -d /usr/local/pf/raddb -n auth -X)
Regards
Fabrice
On 2017-12-29 at 01:26, E.P. wrote:
Nah…
No luck at all, Fabrice. I’m becoming desperate ;)
I thought it had to do with the Unifi controller (reading here in other threads
that it is far from being error-free), but I pointed it to FreeRADIUS running on
the DaloRADIUS host and the regular user authentication worked nicely.
I just don’t like DaloRADIUS due to its limitations and support and hold my
aspiration towards PF.
Well, here we go again: I reconfigured the entry in the switches file and it looks
very simplistic; 172.19.254.2 is the IP address of the Unifi AP.
[root@PacketFence-ZEN conf]# cat ./switches.conf
[172.19.254.2]
VoIPCDPDetect=N
VoIPDHCPDetect=N
deauthMethod=RADIUS
description=Test-WAP
VoIPLLDPDetect=N
radiusSecret=1234567890
VlanMap=N
Could someone who uses Unifi maybe jump in to validate my settings, please?
In the settings for a specific wireless network I select “WPA Enterprise” and
select the RADIUS profile that I configured separately, pointing to the PF IP address.
The RADIUS profile is configured as usual, i.e.
IP address, ports (1812/1813) and shared secret, nothing fancy about it.
Both radius log files show the same consistent error:
Dec 29 06:10:24 PacketFence-ZEN acct[13247]: Dropping packet without response
because of error: Received Accounting-Request packet from client 172.19.254.2
with invalid Request Authenticator! (Shared secret is incorrect.)
Dec 29 06:20:29 PacketFence-ZEN auth[13273]: Dropping packet without response
because of error: Received packet from 172.19.254.2 with invalid
Message-Authenticator! (Shared secret is incorrect.)
I don’t think I have to start radius in debugging mode to have more output, do
I?
Eugene
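Both log lines point at the same check: on an Accounting-Request the Request Authenticator is an MD5 over the packet plus the shared secret (RFC 2866), and on an Access-Request the Message-Authenticator is an HMAC-MD5 keyed with that secret (RFC 3579), so the server can reject a packet from a client whose secret differs without further processing. The script below is an added example, not code from this thread or from PacketFence; it rebuilds both computations on a constructed packet (User-Name test1 and NAS-IP-Address 172.16.0.222 taken from the radtest output, secret 123456 from switches.conf) and shows that a mismatched secret on either side fails exactly these two checks.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4   # RADIUS packet codes (RFC 2865/2866)
MESSAGE_AUTHENTICATOR = 80                   # attribute type (RFC 3579 section 3.2)

def attr(kind: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value

def build_accounting_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """What the NAS sends (RFC 2866 section 3): the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def accounting_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """Server-side check behind 'invalid Request Authenticator! (Shared secret is incorrect.)'."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, received)

def build_access_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Access-Request carrying a Message-Authenticator (RFC 3579): the Request
    Authenticator is random; the HMAC-MD5 keyed with the secret covers the whole
    packet with the Message-Authenticator value set to 16 zero octets."""
    req_auth = os.urandom(16)
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
    return header + req_auth + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def message_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """Server-side check behind 'invalid Message-Authenticator! (Shared secret is incorrect.)'."""
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False  # malformed attribute, stop walking
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # no Message-Authenticator present, nothing to verify

# Constructed sample: the NAS in the thread, with the secret from switches.conf.
SAMPLE_ATTRS = attr(1, b"test1") + attr(4, bytes([172, 16, 0, 222]))  # User-Name, NAS-IP-Address
```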
From: Durand fabrice [mailto:[email protected]]
Sent: Thursday, December 28, 2017 5:17 PM
To: E.P.; [email protected]
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with
FreeRADIUS
Can you try pfcmd configreload hard and restart radius (pfcmd service radiusd
restart)?
On 2017-12-28 at 19:20, E.P. wrote:
I should have made my previous email shorter because my main question fell
through the cracks.
Why do I have an error with the shared secret? Quoting it here again:
When I test this with a real network device, Unifi WAP for example, I don’t go
anywhere.
I see that NAD is added, here’s an entry from radius.log
Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client 172.19.254.2/32 with
shared secret "123456"
When I try to authenticate from an endpoint to a specific SSID I see this error
in radius-acct.log
Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without response
because of error: Received Accounting-Request packet from client 172.19.254.2
with invalid Request Authenticator! (Shared secret is incorrect.)
I added this WAP under “Policies and access control” in the Switches section using
the shared secret as shown above and following the admin guide. What am I doing
wrong?
Here’s how the switches.conf file looks after I added this WAP:
[root@PacketFence-ZEN conf]# cat ./switches.conf
[172.19.254.2]
VoIPCDPDetect=N
VoIPDHCPDetect=N
deauthMethod=RADIUS
description=Test-WAP
VoIPLLDPDetect=N
radiusSecret=123456
VlanMap=N
Eugene
From: Durand fabrice via PacketFence-users
[mailto:[email protected]]
Sent: Thursday, December 28, 2017 3:30 PM
To: [email protected]
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with
FreeRADIUS
Hello Eugene,
In fact, for 802.1X you need to use eapol_test instead of radtest.
(http://deployingradius.com/scripts/eapol_test/)
Also use the port 1812 instead of 18120.
Regards
Fabrice
On 2017-12-28 at 03:07, E.P. via PacketFence-users wrote:
Guys,
I still hope someone with more experience with PF will give me a hand with this
trivial issue (if it is an issue).
I’m on my way to test PF with baby steps and just created a user under Users
section in PF GUI.
Then I test it using a simple command like this and it seems to work using the
local identity store.
[root@PacketFence-ZEN bin]# ./pftest authentication test1 123456
Testing authentication for "test1"
Authenticating against local
Authentication SUCCEEDED against local (Authentication successful.)
Matched against local for 'authentication' rules
set_access_level : User Manager
set_unreg_date : 0000-00-00 00:00:00
Matched against local for 'administration' rules
set_access_level : User Manager
set_unreg_date : 0000-00-00 00:00:00
Then I’m following the admin guide and want to test this user authentication
using the radtest command as in
[root@PacketFence-ZEN bin]# radtest test1 123456 localhost:18120 12 testing123
Sent Access-Request Id 136 from 0.0.0.0:45055 to 127.0.0.1:18120 length 75
User-Name = "test1"
User-Password = "123456"
NAS-IP-Address = 172.16.0.222
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "123456"
Received Access-Reject Id 136 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
Why am I rejected here? Am I not supposed to use this test1 user to test
RADIUS with the proxy module?
And finally, when I test this with a real network device, Unifi WAP for
example, I don’t go anywhere.
I see that NAD is added, here’s an entry from radius.log
Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client 172.19.254.2/32 with
shared secret "123456"
When I try to authenticate for an endpoint to a specific SSID I see this error
in radius-acct.log
Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without response
because of error: Received Accounting-Request packet from client 172.19.254.2
with invalid Request Authenticator! (Shared secret is incorrect.)
I added this WAP under “Policies and access control” in the Switches section using
the shared secret as shown above and following the admin guide. What am I doing
wrong?
Here’s how the switches.conf file looks after I added this WAP:
[root@PacketFence-ZEN conf]# cat ./switches.conf
[172.19.254.2]
VoIPCDPDetect=N
VoIPDHCPDetect=N
deauthMethod=RADIUS
description=Test-WAP
VoIPLLDPDetect=N
radiusSecret=123456
VlanMap=N
Just to confirm, I’m not doing any inline mode, nor guest or web
authentication, just pure WPA-Enterprise with RADIUS internal users identity
store.
Eugene
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)