Hello Eugene,
First, did you uncomment packetfence-local-auth in
/usr/local/pf/conf/radiusd/packetfence-tunnel?
Also, what type of password hashing did you choose? (Configuration ->
System configuration -> Advanced) Only ntlm and plaintext are supported
by local auth.
Regards
Fabrice
On 2018-01-03 at 00:21, E.P. wrote:
>
> I applied the patch, Tim, and it was successful, I mean the patch
> installation.
>
> Then I restarted the RADIUS daemon and tried the local user
> authentication. As I described in the other email to Fabrice it was
> rejected due to MSCHAPv2. For me it is a sign that I’m getting closer ;)
>
> And yes, Unifi is indeed ubiquitous ;) I inherited the organization’s
> WiFi setup based on distributed deployment of Unifi in L3 mode and now
> the management is pushing for more security without any significant
> investments.
>
> Eugene
>
> From: Timothy Mullican [mailto:[email protected]]
> Sent: Tuesday, January 02, 2018 7:04 PM
> To: E.P.
> Cc: [email protected]; Fabrice Durand
> Subject: Re: [PacketFence-users] Need an advice and maybe assistance
> with FreeRADIUS
>
> Eugene,
>
> The patch is mandatory in order for PacketFence to recognize that the
> UniFi supports 802.1x (and MAC-based auth). As for the controller, you
> should be able to get away without it if you do not need dynamic VLAN
> assignment. However, without the controller, PacketFence will not be
> able to disassociate or deauthenticate any clients, so keep this in
> mind for any temporary sessions (if applicable). Try applying the
> patch, restarting all the PacketFence services, and see if it fixes
> your problems. Based on the lack of Ubiquiti support for various
> integration issues (802.1x and MAC auth dynamic vlan assignment), the
> patch has been delayed being merged into the core code (per Fabrice),
> so you have to apply it manually. Please let me know if you have any
> additional questions.
>
> Thanks,
> Tim
>
> Sent from mobile phone
>
> On Jan 2, 2018, at 16:06, E.P. <[email protected]> wrote:
>
> Appreciate those screenshots as well, Tim!
>
> I’m running the latest code of the Unifi controller as well and the
> latest firmware supported on all WAPs.
>
> Quick question, is the IP address of the controller mandatory when
> I configure the WAP in the PF switches section?
>
> Eugene
>
> From: Timothy Mullican [mailto:[email protected]]
> Sent: Friday, December 29, 2017 9:34 AM
> To: [email protected]
> Cc: E.P.; Fabrice Durand
> Subject: Re: [PacketFence-users] Need an advice and maybe
> assistance with FreeRADIUS
>
> Eugene,
>
> Just a thought, but can you change the deauthentication method to
> HTTPS and specify the UniFi controller IP? See my setup below:
>
> https://i.imgsafe.org/0c/0cff2c7f19.png
> https://i.imgsafe.org/0c/0cff2dfd99.png
>
> My UniFi AP is 192.168.20.7
> My UniFi controller is 192.168.20.6
>
> This is my UniFi AP setup:
> https://i.imgsafe.org/05/05bbb5eafe.png
> https://i.imgsafe.org/05/05bbd86ab4.png
>
> Also please make sure you have the latest UniFi AP and controller
> firmware as they were just updated a few days ago.
>
> See my earlier post on the PacketFence-Users forum if you have
> questions.
>
> Tim
>
> Sent from mobile phone
>
> On Dec 29, 2017, at 07:59, Fabrice Durand via PacketFence-users
> <[email protected]> wrote:
>
> For me it looks like 172.19.254.2 is defined twice.
>
> Can you do in /usr/local/pf/raddb:
>
> grep 172.19.254.2 * -r
>
> Also can you try to run radiusd in debug mode and see if you
> can see 172.19.254.2 (radiusd -d /usr/local/pf/raddb -n auth -X)
>
> Regards
> Fabrice
>
> On 2017-12-29 at 01:26, E.P. wrote:
>
> Nah…
>
> No luck at all, Fabrice. I’m becoming desperate ;)
>
> I thought it had to do with the Unifi controller (reading here in
> other threads that it is far from being error-free) but I pointed it
> to FreeRADIUS running on the DaloRADIUS host and the regular user
> authentication worked nicely.
>
> I just don’t like DaloRADIUS due to its limitations and support and
> hold my aspiration towards PF.
>
> Well, here we go again, I reconfigured the entry in the switches file
> and it looks very simplistic, 172.19.254.2 is the IP address of the
> Unifi AP.
>
> [root@PacketFence-ZEN conf]# cat ./switches.conf
> [172.19.254.2]
> VoIPCDPDetect=N
> VoIPDHCPDetect=N
> deauthMethod=RADIUS
> description=Test-WAP
> VoIPLLDPDetect=N
> radiusSecret=1234567890
> VlanMap=N
>
> Could someone who uses Unifi please jump in to validate my settings?
>
> In the settings for a specific wireless network I select
> “WPA Enterprise” and select the RADIUS profile that I configured
> separately pointing to the PF IP address. The RADIUS profile is
> configured as usual, i.e. IP address, ports which are 1812/1813 and
> shared secret, nothing fancy about it.
>
> Both radius log files show the same consistent error:
>
> Dec 29 06:10:24 PacketFence-ZEN acct[13247]: Dropping packet without
> response because of error: Received Accounting-Request packet from
> client 172.19.254.2 with invalid Request Authenticator! (Shared secret
> is incorrect.)
>
> Dec 29 06:20:29 PacketFence-ZEN auth[13273]: Dropping packet without
> response because of error: Received packet from 172.19.254.2 with
> invalid Message-Authenticator! (Shared secret is incorrect.)
>
> I don’t think I have to start radius in debugging mode to have more
> output, do I?
>
> Eugene
>
> From: Durand fabrice [mailto:[email protected]]
> Sent: Thursday, December 28, 2017 5:17 PM
> To: E.P.; [email protected]
> Subject: Re: [PacketFence-users] Need an advice and
> maybe assistance with FreeRADIUS
>
> Can you try pfcmd configreload hard and restart radius
> (pfcmd service radiusd restart)?
>
> On 2017-12-28 at 19:20, E.P. wrote:
>
> I should have made my previous email shorter because
> my main question fell through the cracks.
>
> Why do I have an error with the shared secret? Quoting
> it here again:
>
> When I test this with a real network device, Unifi WAP
> for example, I don’t go anywhere.
>
> I see that the NAD is added, here’s an entry from radius.log
>
> Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding
> client 172.19.254.2/32 with shared secret "123456"
>
> When I try to authenticate from an endpoint to a
> specific SSID I see this error in radius-acct.log
>
> Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping
> packet without response because of error: Received
> Accounting-Request packet from client 172.19.254.2
> with invalid Request Authenticator! (Shared secret is
> incorrect.)
>
> I added this WAP under “Policies and access control”
> in the Switches section using the shared secret as shown
> above and following the admin guide. What am I doing
> wrong?
>
> Here’s how the switches.conf file looks after I
> added this WAP:
>
> [root@PacketFence-ZEN conf]# cat ./switches.conf
> [172.19.254.2]
> VoIPCDPDetect=N
> VoIPDHCPDetect=N
> deauthMethod=RADIUS
> description=Test-WAP
> VoIPLLDPDetect=N
> radiusSecret=123456
> VlanMap=N
>
> Eugene
>
> From: Durand fabrice via PacketFence-users
> [mailto:[email protected]]
> Sent: Thursday, December 28, 2017 3:30 PM
> To: [email protected]
> Cc: Durand fabrice
> Subject: Re: [PacketFence-users] Need an advice and
> maybe assistance with FreeRADIUS
>
> Hello Eugene,
>
> In fact for 802.1x you need to use eapol_test instead
> of radtest.
> (http://deployingradius.com/scripts/eapol_test/)
>
> Also use the port 1812 instead of 18120.
>
> Regards
> Fabrice
>
> On 2017-12-28 at 03:07, E.P. via PacketFence-users
> wrote:
>
> Guys,
>
> I still hope someone with more experience with PF
> will give me a hand with this trivial issue (if it is
> an issue).
>
> I’m on my way to test PF with baby steps and just
> created a user under the Users section in the PF GUI.
>
> Then I test it using a simple command like this
> and it seems to work using the local identity store.
>
> [root@PacketFence-ZEN bin]# ./pftest authentication test1 123456
> Testing authentication for "test1"
>
> Authenticating against local
>  Authentication SUCCEEDED against local (Authentication successful.)
>  Matched against local for 'authentication' rules
>   set_access_level : User Manager
>   set_unreg_date : 0000-00-00 00:00:00
>  Matched against local for 'administration' rules
>   set_access_level : User Manager
>   set_unreg_date : 0000-00-00 00:00:00
>
> Then I’m following the admin guide and want to
> test this user authentication using the radtest
> command as in
>
> [root@PacketFence-ZEN bin]# radtest test1 123456 localhost:18120 12 testing123
> Sent Access-Request Id 136 from 0.0.0.0:45055 to 127.0.0.1:18120 length 75
>   User-Name = "test1"
>   User-Password = "123456"
>   NAS-IP-Address = 172.16.0.222
>   NAS-Port = 12
>   Message-Authenticator = 0x00
>   Cleartext-Password = "123456"
> Received Access-Reject Id 136 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
> (0) -: Expected Access-Accept got Access-Reject
>
> Why am I rejected here? Am I not supposed to use
> this test1 user to test RADIUS with the proxy module?
>
> And finally, when I test this with a real network
> device, Unifi WAP for example, I don’t go anywhere.
>
> I see that the NAD is added, here’s an entry from
> radius.log
>
> Dec 28 07:42:46 PacketFence-ZEN auth[16806]:
> Adding client 172.19.254.2/32 with shared secret
> "123456"
>
> When I try to authenticate for an endpoint to a
> specific SSID I see this error in radius-acct.log
>
> Dec 28 07:38:58 PacketFence-ZEN acct[16780]:
> Dropping packet without response because of error:
> Received Accounting-Request packet from client
> 172.19.254.2 with invalid Request Authenticator!
> (Shared secret is incorrect.)
>
> I added this WAP under “Policies and access
> control” in the Switches section using the shared
> secret as shown above and following the admin
> guide. What am I doing wrong?
>
> Here’s how the switches.conf file looks after
> I added this WAP:
>
> [root@PacketFence-ZEN conf]# cat ./switches.conf
> [172.19.254.2]
> VoIPCDPDetect=N
> VoIPDHCPDetect=N
> deauthMethod=RADIUS
> description=Test-WAP
> VoIPLLDPDetect=N
> radiusSecret=123456
> VlanMap=N
>
> Just to confirm, I’m not doing any inline mode,
> nor guest or web authentication, just pure
> WPA-Enterprise with the RADIUS internal users identity
> store.
>
> Eugene
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org <http://Slashdot.org>!
> http://sdm.link/slashdot
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> PacketFence (http://packetfence.org)
>
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
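The two "Shared secret is incorrect" log lines quoted in this thread are FreeRADIUS failing its RFC 2866 Request Authenticator check on the Accounting-Request and its RFC 2869 Message-Authenticator check on the Access-Request, both of which are keyed on the shared secret. The Python below is an added example, not code from the thread, PacketFence or FreeRADIUS: it builds both packet types with a constructed secret and runs the server-side checks with the matching secret and with a mismatched one (the user name, NAS IP and secrets are sample values taken from the thread).

```python
"""Added example (not PacketFence/FreeRADIUS code): the two RADIUS checks behind
the thread's "Shared secret is incorrect" errors, RFC 2866 and RFC 2869."""
import hashlib
import hmac
import struct
ACCESS_REQUEST, ACCT_REQUEST = 1, 4
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, MESSAGE_AUTHENTICATOR = 1, 4, 40, 80

def build_packet(code, ident, authenticator, attrs):
    """Header (Code, Identifier, Length, 16-byte Authenticator) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def accounting_request(ident, attrs, secret):
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    pkt = build_packet(ACCT_REQUEST, ident, bytes(16), attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def request_authenticator_ok(pkt, secret):
    """The server-side check that logged 'invalid Request Authenticator' in the thread."""
    zeroed = pkt[:4] + bytes(16) + pkt[20:]
    return hmac.compare_digest(hashlib.md5(zeroed + secret).digest(), pkt[4:20])

def access_request(ident, attrs, secret, request_auth):
    """RFC 2869: Message-Authenticator = HMAC-MD5(secret, packet) computed with the
    attribute's 16 value octets zeroed; it is appended as the last attribute here."""
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth, list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def message_authenticator_ok(pkt, secret):
    """Walk the attributes, zero the Message-Authenticator value and recompute the HMAC."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False  # malformed attribute; drop the packet
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        pos += length
    return False  # attribute absent: FreeRADIUS rejects EAP/802.1X requests without it

def demo():
    # Constructed values mirroring the thread: NAS 172.19.254.2, PF's secret vs a mismatched NAS secret
    good, wrong = b"123456", b"1234567890"
    attrs = [(USER_NAME, b"test1"), (NAS_IP_ADDRESS, bytes([172, 19, 254, 2]))]
    acct = accounting_request(13, attrs + [(ACCT_STATUS_TYPE, struct.pack("!I", 1))], good)
    auth = access_request(136, attrs, good, bytes(range(16)))  # fixed Request Authenticator for the demo
    return (request_authenticator_ok(acct, good), request_authenticator_ok(acct, wrong),
            message_authenticator_ok(auth, good), message_authenticator_ok(auth, wrong))
```

Calling demo() returns (True, False, True, False): the same packets pass with the secret they were built with and fail with the other one, which is exactly the symptom of a radiusSecret in switches.conf that does not match the RADIUS profile on the Unifi side.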