Update:
My changes in the unifi config.properties weren't being pushed due to a
failure on my part to understand how the item/line numbers work :)
"Note that each line has its own number just before the equals sign, so
for a second customization you would enter 2, etc."
<https://help.ubnt.com/hc/en-us/articles/205223330-UniFi-How-to-make-persistent-changes-to-UAP-s-system-cfg>
It seems to be working a bit better now, with somewhat more of a delay
switching than expected, and the kicks not being accepted consistently -
order of events perhaps (not liking two kicks in a row?)

Feb  2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc] Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc] Can't send request on the Unifi controller: 400 Bad Request (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)


On Fri, Feb 2, 2018 at 2:59 PM, David Harvey <da...@thoughtmachine.net>
wrote:

> Yes, thank you Tim,
>
> I've reverted my manual hacks of Unifi.pm in favour of applying the patch
> which seems to be successful in maintaining the same behaviour as the
> manual changes had.  I'm seeing a failure on other (cisco) switches to
> restart switchports, but I think that is unrelated, or relates to recent
> packetfence upgrade perhaps.
> I've also now added the changes in the draft documentation to my unifi
> controller in order to try and disable pmksa caching, and enable dynamic
> VLAN assignment.  So far however the wireless clients have not been
> reliably de-authed, and usually stubbornly remain on the same VLAN. I
> suspect I've got something wrong on the unifi side of things as just like
> fdurand notes in
> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628
> I cannot see the relevant config updates applied at the AP level after
> updating them on the controller as prescribed.
>
> On with the digging and ideas always welcome. Great to see how many people
> are stuck getting in to making this work.
>
> Best,
>
> David
>
> On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi Tim,
>>
>> As usual, your comments are invaluable ;)
>>
>> Looking at the guide which is in asciidoc to see how to properly deal
>> with Unifi. Would be nice to see pictures as they are missing.
>>
>> Also, do I need to replace IP addresses for AP in the switches.conf with
>> their MAC addresses ?
>>
>>
>>
>> Eugene
>>
>>
>>
>> *From:* Timothy Mullican via PacketFence-users [mailto:
>> packetfence-users@lists.sourceforge.net]
>> *Sent:* Thursday, February 01, 2018 9:11 AM
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Timothy Mullican; Frederic Hermann
>> *Subject:* Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of
>> Band
>>
>>
>>
>> By the way,
>>
>> Fabrice Durand already added code to do this in pull request #2735 on
>> github. See
>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
>>
>> You can apply that patch to get it working. Also see
>> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
>> for the updated documentation. You can read through my earlier thread to
>> see the steps I took to get it working.
>>
>>
>>
>> Tim
>>
>> Sent from mobile phone
>>
>>
>> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> This has been a fantastic resource for the thread I recently started
>> (sorry for the repetition in it)
>>
>> I would add:
>>
>> I've added kick-sta to replace both the authorize and unauthorize guest
>> commands in Unifi.pm
>>
>>
>>
>> It transpired my in house cert was upsetting things until I updated ca
>> certs on the debian container I'm using. The symptom was the following in
>> packetfence.log:
>>
>> before:
>>
>> Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 (certificate verify failed) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>>
>> after:
>>
>> Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>>
>>
>>
>> After this the kick events come through and I get a brief drop in packets
>> whilst pinging.  I'm still fighting the final issue - which is increasing
>> the duration of the kick, or ensuring a full re-auth occurs, as currently
>> the device I'm testing with drops packets, but remains on the same VLAN
>> still until the device is toggled.
>>
>>
>>
>> Thanks for the guidance and let me know if you face/overcame anything
>> similar.
>>
>>
>>
>> Cheers,
>>
>>
>>
>> David
>>
>>
>>
>>
>>
>> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> > From: "Michael Westergaard via PacketFence-users" <packetfence-users@lists.sourceforge.net>
>>
>> Hi Michael,
>>
>> > I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
>> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
>> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
>> > for authenticating users over wireless and then changing the VLAN.
>>
>> > However I cannot find any documentation anywhere if this is possible in
>> > Packetfence Documentation?
>>
>> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
>> > able to make it work?
>>
>> We made some tests a few weeks ago, and we've been able to manage a Unifi
>> controller using Radius mode (rather than the Portal mode described in
>> PacketFence documentation).
>>
>> This allows you to use dynamic VLANs with WPA2-Enterprise, as it seems that
>> dynamic VLANs are only available in secure mode on unifi.
>>
>> The only change we had to do (on the packetfence side) was
>>
>>
>> That means you have to configure your AP type as "Unifi Controller" in
>> packetfence, and set the Deauth method to "HTTPS", instead of Radius.
>> Of course you will also define the unifi controller IP in the same
>> location.
>> Then you will have to edit (or override) the Unifi.pm module to change
>> the webservice command used to auth/deauth users: this is in the
>> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta"
>> unifi command through the webservice, instead of the
>> "authorize-guest/unauthorize-guest".
>>
>> Hope this helps,
>>
>> Regards
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
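Added example, not part of the original messages and not PacketFence code: a small triage script for the _deauthenticateMacWithHTTP log lines quoted in this thread. It separates TLS trust failures from HTTP errors and reports a 4xx that follows a successful kick-sta for the same MAC, which is the "two kicks in a row" pattern suspected above. The third sample line, the year (syslog timestamps carry none) and the 60-second window are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Sample input: lines 1-2 are the entries quoted at the top of this message;
# line 3 is constructed (placeholder MAC and timestamp) from the certificate error quoted earlier.
SAMPLE_LOG = """\
Feb  2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc] Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc] Can't send request on the Unifi controller: 400 Bad Request (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:20:01 pf pfqueue: pfqueue(4011) ERROR: [mac:00:11:22:33:44:55] Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 (certificate verify failed) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?(?P<level>INFO|ERROR): "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\]\s(?P<msg>.*)\s"
    r"\(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP\)$"
)

def classify(msg):
    """Map a log message to an outcome label."""
    if msg.startswith("Switched status"):
        return "kick_ok"
    if "certificate verify failed" in msg:
        return "tls_trust_failure"  # controller CA not trusted by the PacketFence host
    m = re.search(r"controller: (\d{3}) ", msg)
    return f"http_{m.group(1)}" if m else "other"

def parse(log, year=2018):
    """Return (timestamp, mac, outcome) for every deauth line; the year is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            stamp = f"{year} " + " ".join(m["ts"].split())
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
            events.append((ts, m["mac"], classify(m["msg"])))
    return events

def rejected_repeat_kicks(events, window=timedelta(seconds=60)):
    """Return (mac, gap_seconds) where an HTTP 4xx follows a successful kick within the window."""
    last_ok, hits = {}, []
    for ts, mac, kind in sorted(events):
        if kind == "kick_ok":
            last_ok[mac] = ts
        elif kind.startswith("http_4") and mac in last_ok and ts - last_ok[mac] <= window:
            hits.append((mac, int((ts - last_ok[mac]).total_seconds())))
    return hits

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(Counter(kind for _, _, kind in evts))
    print(rejected_repeat_kicks(evts))
```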