Fabrice,
Do you know if PacketFence caches authentication tokens for the https de-auth 
method? For instance, if the UniFi AP is de-authenticating 5 clients at one 
time via the controller, will it login 5 separate times or 1 time to the 
controller and issue 5 separate API calls? I’m wondering if the 400 error he is 
getting sometimes is due to excessive login attempts to the controller to issue 
the kick command for every client. Not sure since it is happening 
intermittently. 

Sent from mobile phone
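To make the login question above concrete, and to model the kick-sta flow Frederic Hermann describes further down this thread, here is an added example (not PacketFence's Unifi.pm and not the project's code): one controller login is made per batch of kick-sta commands, the session cookie is cached, and a single re-login is attempted if the controller rejects the cached session. The endpoint paths, the `transport` callable and the in-memory FakeController are assumptions constructed for this example.

```python
"""Single-login batch kick against a Unifi controller (constructed example, not
PacketFence's Unifi.pm).  Paths /api/login and /api/s/<site>/cmd/stamgr are
assumed; `transport` abstracts the HTTP call so this runs offline.  A real
transport would be requests.Session with verify=<in-house CA bundle>, not verify=False."""
import json
import re

def normalize_mac(mac):
    """Lower-case colon form the stamgr command expects; rejects junk early."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class UnifiSession:  # logs in once, caches the session cookie, re-logins once on 401
    def __init__(self, transport, username, password, site="default"):
        self.transport = transport  # transport(method, path, body, cookie) -> (status, cookie)
        self.creds = json.dumps({"username": username, "password": password})
        self.path = "/api/s/%s/cmd/stamgr" % site
        self.cookie = None

    def login(self):
        status, cookie = self.transport("POST", "/api/login", self.creds, None)
        if status != 200:
            raise RuntimeError("login failed: HTTP %d" % status)
        self.cookie = cookie

    def kick(self, mac):
        body = json.dumps({"cmd": "kick-sta", "mac": normalize_mac(mac)})
        if self.cookie is None:
            self.login()
        status, _ = self.transport("POST", self.path, body, self.cookie)
        if status == 401:  # controller dropped the session: one re-login, one retry
            self.login()
            status, _ = self.transport("POST", self.path, body, self.cookie)
        return status

def kick_batch(session, macs):  # one login for the whole batch, not one per client
    return {mac: session.kick(mac) for mac in macs}

class FakeController:  # constructed in-memory stand-in for the controller (test double)
    def __init__(self):
        self.logins, self.live = 0, set()
    def __call__(self, method, path, body, cookie):
        if path == "/api/login":
            self.logins += 1
            self.live.add("unifises=%d" % self.logins)
            return 200, "unifises=%d" % self.logins
        if cookie not in self.live:
            return 401, None  # unknown or expired cookie
        return (200 if json.loads(body).get("cmd") == "kick-sta" else 400), None
```

Clearing `FakeController.live` between calls simulates the controller expiring the session, which is the case the one-shot re-login in `kick` covers.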

> On Feb 2, 2018, at 12:12, David Harvey <da...@thoughtmachine.net> wrote:
> 
> Feeding update as requested.
> 
> Thanks again!
> ---------- Forwarded message ----------
> From: "David Harvey" <da...@thoughtmachine.net>
> Date: 2 Feb 2018 16:08
> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
> To: <packetfence-users@lists.sourceforge.net>
> Cc: "E.P." <ype...@gmail.com>, "Frederic Hermann" 
> <frederic.herm...@neptune.fr>
> 
> Update: 
> My changes in the unifi config.properties weren't being pushed due to a 
> failure on my part to understand how the item/line numbers work :)
> "Note that each line has its own number just before the equals sign, so for 
> a second customization you would enter 2, etc."
> It seems to be working a bit better now, with somewhat more of a delay 
> switching than expected, and the kicks not being accepted consistently - 
> order of events perhaps (not liking two kicks in a row?)
> 
> Feb  2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc] 
> Switched status on the Unifi controller using command kick-sta 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> Feb  2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc] 
> Can't send request on the Unifi controller: 400 Bad Request 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> 
> 
>> On Fri, Feb 2, 2018 at 2:59 PM, David Harvey <da...@thoughtmachine.net> 
>> wrote:
>> Yes, thank you Tim,
>> 
>> I've reverted my manual hacks of Unifi.pm in favour of applying the patch 
>> which seems to be successful in maintaining the same behaviour as the manual 
>> changes had.  I'm seeing a failure on other (cisco) switches to restart 
>> switchports, but I think that is unrelated, or relates to recent packetfence 
>> upgrade perhaps.
>> I've also now added the changes in the draft documentation to my unifi 
>> controller in order to try and disable pmksa caching, and enabling dynamic 
>> VLAN assignment.  So far however the wireless clients have not been reliably 
>> de-authed, and usually stubbornly remain on the same VLAN. I suspect 
>> I've got something wrong on the unifi side of things as just like fdurand 
>> notes in 
>> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628
>>  I cannot see the relevant config updates applied at the AP level after 
>> updating them on the controller as prescribed.
>> 
>> On with the digging and ideas always welcome. Great to see how many people 
>> are stuck getting in to making this work.
>> 
>> Best,
>> 
>> David
>> 
>>> On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users 
>>> <packetfence-users@lists.sourceforge.net> wrote:
>>> Hi Tim,
>>> 
>>> As usual, your comments are invaluable ;)
>>> 
>>> Looking at the guide which is in asciidoc to see how to properly deal with 
>>> Unifi. Would be nice to see pictures as they are missing.
>>> 
>>> Also, do I need to replace IP addresses for AP in the switches.conf with 
>>> their MAC addresses ?
>>> 
>>> Eugene
>>> 
>>> From: Timothy Mullican via PacketFence-users 
>>> [mailto:packetfence-users@lists.sourceforge.net] 
>>> Sent: Thursday, February 01, 2018 9:11 AM
>>> To: packetfence-users@lists.sourceforge.net
>>> Cc: Timothy Mullican; Frederic Hermann
>>> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
>>> 
>>> By the way,
>>> 
>>> Fabrice Durand already added code to do this in pull request #2735 on 
>>> github. See 
>>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
>>> 
>>> You can apply that patch to get it working. Also see 
>>> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
>>>  for the updated documentation. You can read through my earlier thread to 
>>> see the steps I took to get it working. 
>>> 
>>> Tim
>>> 
>>> Sent from mobile phone
>>> 
>>> 
>>> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
>>> <packetfence-users@lists.sourceforge.net> wrote:
>>> 
>>> This has been a fantastic resource for the thread I recently started (sorry 
>>> for the repetition in it)
>>> 
>>> I would add:
>>> 
>>> I've added kick-sta to replace both the authorize and unauthorize guest 
>>> commands in Unifi.pm
>>> 
>>> It transpired my in house cert was upsetting things until I updated ca 
>>> certs on the debian container I'm using. The symptom was the following in 
>>> packetfence.log:
>>> 
>>> before:
>>> 
>>> Can't login on the Unifi controller: 500 Can't connect to 
>>> 10.100.103.33:8443 (certificate verify failed) 
>>> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>>> 
>>> after:
>>> 
>>> Switched status on the Unifi controller using command kick-sta 
>>> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>>> 
>>> After this the kick events come through and I get a brief drop in packets 
>>> whilst pinging.  I'm still fighting the final issue - which is increasing 
>>> the duration of the kick, or ensuring a full re-auth occurs, as currently 
>>> the device I'm testing with drops packets, but remains on the same VLAN 
>>> still until the device is toggled. 
>>> 
>>> Thanks for the guidance and let me know if you face/overcame anything 
>>> similar.
>>> 
>>> Cheers,
>>> 
>>> David
>>> 
>>> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users 
>>> <packetfence-users@lists.sourceforge.net> wrote:
>>> 
>>> > From: "Michael Westergaard via PacketFence-users" 
>>> > <packetfence-users@lists.sourceforge.net>
>>> Hi Michael,
>>> 
>>> 
>>> > I am trying to see if Packetfence is a proper way to do NAC with Unifi 
>>> > UAP-AC
>>> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
>>> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is 
>>> > using
>>> > for authenticating users over wireless and then changing the VLAN.
>>> 
>>> > However I cannot find any documentation anywhere if this is possible in
>>> > Packetfence Documentation?
>>> 
>>> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have 
>>> > anybody been
>>> > able to make it work?
>>> 
>>> We made some tests a few weeks ago, and we've been able to manage a Unifi 
>>> controller using Radius mode (rather than the Portal mode described in 
>>> PacketFence documentation).
>>> 
>>> This allows you to use dynamic VLANs with WPA2-Enterprise, as it seems that 
>>> dynamic VLANs are only available in secure mode on unifi.
>>> 
>>> The only change we had to do (on the packetfence side) was
>>> 
>>> 
>>> That means you have to configure your AP type as "Unifi Controller" in 
>>> packetfence, and set the Deauth method to "HTTPS", instead of Radius.
>>> Of course you will also define the unifi controller IP in the same location.
>>> Then you will have to edit (or override) the Unifi.pm module to change the 
>>> webservice command used to auth/deauth users : this is in the 
>>> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" 
>>> unifi command through the webservice, instead of the 
>>> "authorize-guest/unauthorise-guest".
>>> 
>>> Hope this helps,
>>> 
>>> Regards
>>> 
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>> 
>>> 
>>> 
>>> 
>> 
> 