By the way,
Fabrice Durand already added code to do this in pull request #2735 on GitHub.
See
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
You can apply that patch to get it working. Also see
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
for the updated documentation. You can read through my earlier thread to see
the steps I took to get it working.
Tim
> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> This has been a fantastic resource for the thread I recently started (sorry
> for the repetition in it)
> I would add:
> I've added kick-sta to replace both the authorize and unauthorize guest
> commands in Unifi.pm
>
> It transpired my in-house cert was upsetting things until I updated CA certs
> on the Debian container I'm using. The symptom was the following in
> packetfence.log:
> before:
> Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443
> (certificate verify failed)
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> after:
> Switched status on the Unifi controller using command kick-sta
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>
> After this the kick events come through and I get a brief drop in packets
> whilst pinging. I'm still fighting the final issue - which is increasing the
> duration of the kick, or ensuring a full re-auth occurs, as currently the
> device I'm testing with drops packets, but remains on the same VLAN still
> until the device is toggled.
>
> Thanks for the guidance and let me know if you face/overcame anything similar.
>
> Cheers,
>
> David
>
>
>> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users
>> <packetfence-users@lists.sourceforge.net> wrote:
>> > From: "Michael Westergaard via PacketFence-users"
>> > <packetfence-users@lists.sourceforge.net>
>> Hi Michael,
>>
>>
>> > I am trying to see if Packetfence is a proper way to do NAC with Unifi
>> > UAP-AC with dynamic VLAN. According to the new Unifi Controller 5.5.19
>> > release, Dynamic Wireless VLAN with RADIUS is now out of beta which
>> > Packetfence is using for authenticating users over wireless and then
>> > changing the VLAN.
>>
>> > However I cannot find any documentation anywhere if this is possible in
>> > Packetfence Documentation?
>>
>> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody
>> > been able to make it work?
>>
>> We made some tests a few weeks ago, and we've been able to manage a Unifi
>> controller using Radius mode (rather than the Portal mode described in
>> PacketFence documentation).
>>
>> This allows you to use dynamic VLANs with WPA2-Enterprise, as it seems that
>> dynamic VLANs are only available in secure mode on Unifi.
>>
>> The only change we had to do (on the packetfence side) was
>>
>>
>> That means you have to configure your AP type as "Unifi Controller" in
>> packetfence, and set the Deauth method to "HTTPS", instead of Radius.
>> Of course you will also define the unifi controller IP in the same location.
>> Then you will have to edit (or override) the Unifi.pm module to change the
>> webservice command used to auth/deauth users: this is in the
>> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi
>> command through the webservice, instead of the
>> "authorize-guest/unauthorise-guest".
>>
>> Hope this helps,
>>
>> Regards
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
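The trust failure quoted above (`certificate verify failed` before the CA update, a successful `kick-sta` after) can be reproduced offline; this is an added example, not part of the original thread or of PacketFence. The CA names, the `unifi.example.internal` subject and all file names are constructed, and the mapping to Debian's `update-ca-certificates` is an assumption about what "updated CA certs" involved.

```shell
#!/bin/sh
# Added example; every name, subject and path here is constructed.
# Build a throwaway in-house CA, an unrelated CA, and a "controller"
# certificate signed by the in-house CA, all inside directory $1.
make_demo_pki() {
    d=$1
    for ca in inhouse other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=unifi.example.internal" \
        -keyout "$d/ctl.key" -out "$d/ctl.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/ctl.csr" -days 1 \
        -CA "$d/inhouse.crt" -CAkey "$d/inhouse.key" -CAcreateserial \
        -out "$d/ctl.crt" 2>/dev/null || return 1
}

# Succeeds only when certificate $2 chains to a CA in bundle $1.
# Matching on ": OK" avoids relying on the exit status alone.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the issuer of certificate $1: the CA a client has to trust.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    issuer_of "$d/ctl.crt"
    # Before: the bundle lacks the in-house CA, so the chain cannot be built
    # and an HTTPS client reports "certificate verify failed".
    chain_ok "$d/other.crt" "$d/ctl.crt" \
        && echo "before: trusted" || echo "before: verify failed"
    # After: the in-house CA is in the bundle. On Debian (assumption) this is
    # what update-ca-certificates does for *.crt files placed in
    # /usr/local/share/ca-certificates.
    cat "$d/other.crt" "$d/inhouse.crt" > "$d/bundle.crt"
    chain_ok "$d/bundle.crt" "$d/ctl.crt" \
        && echo "after: trusted" || echo "after: verify failed"
    rm -rf "$d"
}
demo
```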