This has been a fantastic resource for the thread I recently started (sorry
for the repetition in it)
I would add:
I've added kick-sta to replace both the authorize and unauthorize guest
commands in Unifi.pm

It transpired my in-house cert was upsetting things until I updated CA
certs on the Debian container I'm using. The symptom was the following in
packetfence.log:
before:
Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443
(certificate verify failed)
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
after:
Switched status on the Unifi controller using command kick-sta
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

After this the kick events come through and I get a brief drop in packets
whilst pinging.  I'm still fighting the final issue - which is increasing
the duration of the kick, or ensuring a full re-auth occurs, as currently
the device I'm testing with drops packets, but remains on the same VLAN
still until the device is toggled.

Thanks for the guidance and let me know if you face/overcame anything
similar.

Cheers,

David


On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> > From: "Michael Westergaard via PacketFence-users" <
> packetfence-users@lists.sourceforge.net>
> Hi Michael,
>
>
> > I am trying to see if Packetfence is a proper way to do NAC with Unifi
> UAP-AC
> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence
> is using
> > for authenticating users over wireless and then changing the VLAN.
>
> > However I cannot find any documentation anywhere if this is possible in
> > Packetfence Documentation?
>
> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has
> anybody been
> > able to make it work?
>
> We made some tests a few weeks ago, and we've been able to manage a Unifi
> controller using Radius mode (rather than the Portal mode described in
> PacketFence documentation).
>
> This allows you to use dynamic VLAN with WPA2-Enterprise, as it seems that
> dynamic VLANs are only available in secure mode on Unifi.
>
> The only change we had to do (on the packetfence side) was
>
>
> That means you have to configure your AP type as "Unifi Controller" in
> packetfence, and set the Deauth method to "HTTPS", instead of Radius.
> Of course you will also define the unifi controller IP in the same
> location.
> Then you will have to edit (or override) the Unifi.pm module to change the
> webservice command used to auth/deauth users : this is in the
> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta"
> unifi command through the webservice, instead of the
> "authorize-guest/unauthorise-guest".
>
> Hope this helps,
>
> Regards
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
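Added example, not part of the original messages and not PacketFence code: a small triage script for the two packetfence.log messages quoted above. It separates controller logins that fail TLS verification (the untrusted in-house CA case) from other connection failures and from successful kick-sta calls. The log prefixes, the "Connection refused" line and the one-entry-per-line layout are constructed assumptions.

```python
import re
from collections import Counter

# Message shapes taken from the two log excerpts quoted in the thread.
FAIL = re.compile(
    r"Can't login on the Unifi controller: 500 Can't connect to "
    r"(?P<host>[\w.\-]+):(?P<port>\d+)\s*\((?P<reason>[^)]*)\)"
)
OK = re.compile(
    r"Switched status on the Unifi controller using command (?P<cmd>[\w-]+)"
)

def triage(lines):
    """Summarise controller deauth attempts found in packetfence.log lines."""
    tls, other, cmds = Counter(), Counter(), Counter()
    last = None  # outcome of the most recent attempt seen
    for line in lines:
        m = FAIL.search(line)
        if m:
            endpoint = f"{m['host']}:{m['port']}"
            if "certificate verify failed" in m["reason"]:
                # Controller certificate does not chain to a CA trusted by
                # the PacketFence host: fix the trust store, not the check.
                tls[endpoint] += 1
                last = "tls_untrusted"
            else:
                other[endpoint] += 1
                last = "unreachable"
            continue
        m = OK.search(line)
        if m:
            cmds[m["cmd"]] += 1
            last = "ok"
    return {"tls_untrusted": dict(tls), "other_failures": dict(other),
            "commands_ok": dict(cmds), "last": last}

# Constructed sample input (prefixes and the third line are made up).
METHOD = "(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)"
LOGIN = "Can't login on the Unifi controller: 500 Can't connect to "
SAMPLE = [
    f"ERROR: {LOGIN}10.100.103.33:8443 (certificate verify failed) {METHOD}",
    f"ERROR: {LOGIN}10.100.103.33:8443 (certificate verify failed) {METHOD}",
    f"ERROR: {LOGIN}10.100.103.33:8443 (Connection refused) {METHOD}",
    f"INFO: Switched status on the Unifi controller using command kick-sta {METHOD}",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "last" value of "tls_untrusted" after a CA bundle update means the process making the request still does not trust the controller's issuer.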