Here’s an unexpected change in the development.

I upgraded PF to ver 7.4

I started seeing the VLAN ID assignment in the RADIUS audit log, which is already good, but the endpoint completes authentication only when this VLAN is assigned by the Unifi controller.

If I have it dynamically assigned by RADIUS, it still shows in the debug output, but the endpoint keeps connecting without success.

Just FYI, I do believe we are all getting there, and with Fabrice and his colleagues we are in good hands ;)

Eugene

From: E.P. [mailto:ype...@gmail.com] 
Sent: Monday, January 29, 2018 11:30 PM
To: 'Durand fabrice'; packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] VLAN assignment by RADIUS

I think there’s one rule.

Here’s what the pftest produces when I run “./pftest authentication it.tech password”:

And it matches the conditions in the authentication source:

So far, I don’t have a problem understanding the process of querying AD during the user authentication. I’d love to see the response coming from AD in the RADIUS output, but as long as the test says that the correct role is assigned, I’m OK.

There’s a gap in my knowledge as to what happens when PF assigns a role. The only VLAN ID binding to the role is set in the “switches.conf” file for a specific switch or WAP, correct?

Once again, I’m doing only 802.1x, no captive portal.

Eugene

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Monday, January 29, 2018 5:55 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] VLAN assignment by RADIUS

So it means that there is no rule that matches the it.tech username in your AD source.

Try pftest authentication it.tech bob and see if the AD source returns a role and an unregdate.

Fabrice

On 2018-01-29 at 20:39, E.P. wrote:

Well, that’s my problem, Fabrice:

I’ve already checked that log; nothing in there ;)

RADIUS Request

User-Name = "it.tech"
NAS-IP-Address = 172.19.254.2
NAS-Port = 0
Framed-MTU = 1400
State = 0xe7795756e6bf4d151b0bfaeaef977462
Called-Station-Id = "24:a4:3c:5e:c1:11:staff-secured"
Calling-Station-Id = "3c:2e:ff:3b:c7:ca"
NAS-Identifier = "24a43c507608"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Jan 30 2018 01:36:24 UTC"
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02c600061a03
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "it.tech"
Realm = "default"
Called-Station-SSID = "staff-secured"
PacketFence-Domain = "optionsad"
User-Password = "******"
SQL-User-Name = "it.tech"


RADIUS Reply

EAP-Message = 0x03c60004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = "it.tech"

From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Monday, January 29, 2018 5:18 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] VLAN assignment by RADIUS

Hello Eugene,

Check the RADIUS audit log; you will see the RADIUS answer there.

Regards

Fabrice

On 2018-01-29 at 19:41, E.P. via PacketFence-users wrote:

Guys,

How can I see if a specific VLAN ID that I assigned to the switch (or rather WAP) in the “Role by VLAN ID” setting?

I have it as follows (extract from the switches.conf file):

StaffRole=10
StaffVlan=10

Should I take into account the not-so-good marriage of Ubiquiti Unifi and FreeRADIUS when it comes to VLAN ID assignment?

I see in the RADIUS debug output that a VLAN is indeed assigned to the user session (see below), but what is its ID?

(88) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(88) attr_filter.packetfence_post_auth:    --> it.tech
(88) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(88)     [attr_filter.packetfence_post_auth] = updated
(88) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(88) linelog:    --> messages.Access-Accept
(88) linelog: EXPAND [mac:%{Calling-Station-Id}] Accepted user: %{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
(88) linelog:    --> [mac:3c:2e:ff:3b:c7:ca] Accepted user:  and returned VLAN 
(88)     [linelog] = ok
(88)   } # post-auth = updated
(88) Login OK: [it.tech] (from client 172.19.254.2 port 0 cli 3c:2e:ff:3b:c7:ca)
(88) Sent Access-Accept Id 46 from 172.16.0.222:1812 to 172.19.254.2:32784 length 0

Eugene
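The RADIUS reply and the linelog line quoted in this thread are what actually tell you whether PacketFence returned a VLAN: an Access-Accept only assigns a VLAN when it carries the three RFC 2868 attributes Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = <vlan>, and the "Accepted user ... returned VLAN" linelog expansion above came out empty because the reply had none of them. The following Python checker is an example added to this thread, not code from the thread, from PacketFence or from FreeRADIUS. It parses the flattened "Name = value" attribute dumps as the audit log and the FreeRADIUS debug output print them, reports the VLAN an Access-Accept carries (or None), and lists the MACs of sessions the post-auth linelog accepted without a VLAN. The thread's own reply and linelog line are embedded as samples; the "good" reply and linelog line are constructed for contrast and assume VLAN 10, matching the StaffVlan=10 setting quoted above.

```python
import re
from typing import Dict, List, Optional

# Example code added to this thread; not PacketFence's or FreeRADIUS's own.
# It checks flattened "Name = value" attribute dumps (RADIUS audit log /
# FreeRADIUS debug output) for a usable dynamic-VLAN assignment.

# One attribute as FreeRADIUS prints it: an optional ":tag" after the name,
# then a quoted string, a 0x... hex blob, or a bare token as the value.
_ATTR_RE = re.compile(
    r'(?P<name>[A-Za-z][A-Za-z0-9\-]*)(?::(?P<tag>\d+))?\s*=\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|0x[0-9a-fA-F]+|[^\s"]+)'
)

# The post-auth linelog line seen in the debug output above.
_LINELOG_RE = re.compile(
    r'\[mac:(?P<mac>[0-9a-fA-F:]+)\]\s+Accepted user:\s*(?P<user>\S*)\s+'
    r'and returned VLAN\s*(?P<vlan>\S*)'
)

# RFC 2868 values a switch or AP expects for 802.1X VLAN assignment
# (FreeRADIUS prints the enum name, raw dumps may show the number).
_VLAN_TUNNEL_TYPES = {"VLAN", "13"}
_VLAN_MEDIUM_TYPES = {"IEEE-802", "6"}


def parse_attrs(text: str) -> Dict[str, List[str]]:
    """Parse an attribute dump into {lower-case name: [values...]}.
    FreeRADIUS attribute names are case-insensitive, so lower-casing makes
    'Tunnel-Private-Group-ID' and 'Tunnel-Private-Group-Id' the same key."""
    attrs: Dict[str, List[str]] = {}
    for m in _ATTR_RE.finditer(text):
        value = m.group("value")
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs.setdefault(m.group("name").lower(), []).append(value)
    return attrs


def vlan_from_reply(reply_text: str) -> Optional[str]:
    """Return the VLAN ID an Access-Accept carries, or None if any of the
    three Tunnel-* attributes is missing or does not describe an 802.1Q VLAN."""
    attrs = parse_attrs(reply_text)
    ttype = attrs.get("tunnel-type", [])
    tmedium = attrs.get("tunnel-medium-type", [])
    tgroup = attrs.get("tunnel-private-group-id", [])
    if not (ttype and tmedium and tgroup):
        return None
    if ttype[0] not in _VLAN_TUNNEL_TYPES or tmedium[0] not in _VLAN_MEDIUM_TYPES:
        return None
    return tgroup[0]


def vlan_from_linelog(line: str) -> Optional[str]:
    """Return the VLAN from an 'Accepted user ... returned VLAN <id>' linelog
    line, or None when the field expanded to nothing (no VLAN in the reply)."""
    m = _LINELOG_RE.search(line)
    if not m or not m.group("vlan"):
        return None
    return m.group("vlan")


def accepts_without_vlan(lines: List[str]) -> List[str]:
    """MACs of sessions the post-auth linelog accepted without a VLAN: these
    end up in the AP's static VLAN (or fail) instead of the role's VLAN."""
    missing = []
    for line in lines:
        m = _LINELOG_RE.search(line)
        if m and not m.group("vlan"):
            missing.append(m.group("mac").lower())
    return missing


# Reply quoted in the thread: no Tunnel-* attributes at all.
PAGE_REPLY = (
    'EAP-Message = 0x03c60004 Message-Authenticator = '
    '0x00000000000000000000000000000000 Stripped-User-Name = "it.tech"'
)
# Constructed reply: what an Access-Accept carrying VLAN 10 looks like.
GOOD_REPLY = (
    'EAP-Message = 0x03c60004 Message-Authenticator = '
    '0x00000000000000000000000000000000 Stripped-User-Name = "it.tech" '
    'Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 '
    'Tunnel-Private-Group-Id:0 = "10"'
)
# Linelog line quoted in the thread (both expansions came out empty).
PAGE_LINELOG = (
    "(88) linelog:    --> [mac:3c:2e:ff:3b:c7:ca] Accepted user:  "
    "and returned VLAN "
)
# Constructed: the same linelog for a session whose reply carried VLAN 10.
GOOD_LINELOG = (
    "(89) linelog:    --> [mac:3c:2e:ff:3b:c7:cb] Accepted user: it.tech "
    "and returned VLAN 10"
)

if __name__ == "__main__":
    for label, reply in (("thread reply", PAGE_REPLY), ("good reply", GOOD_REPLY)):
        print(f"{label}: VLAN = {vlan_from_reply(reply)}")
    print("accepted without VLAN:", accepts_without_vlan([PAGE_LINELOG, GOOD_LINELOG]))
```

Run over a saved RADIUS Reply from the audit log, a None result means the NAS was never told a VLAN, so whatever the AP does next comes from its own static configuration, not from PacketFence; that is the situation the empty "returned VLAN" expansion above describes.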

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users