Hello, I’m just wondering if anyone has gotten the following features to work with PacketFence and Aruba (HP) ProCurve switches and has some sample configuration that they could share (or if anyone knows if PacketFence even supports this configuration with HP - I’m running out of ideas).
Our goal is to have 802.1x authentication with MAC-based 802.1x fallback for printers and phones, and then if the 802.1x authentication fails, have PacketFence send back the HP-Captive-Portal-URL VSA to have the user redirected to the PacketFence captive portal. Once the user authenticates to the captive portal, we want it to send a CoA back to the switch to put the client in the correct VLAN. I also want to allow what HP calls “user-based authentication” (that is, the switch can place different devices on the same port onto different VLANs based on the VLAN returned by RADIUS, as opposed to the default “port-based authentication”) along with what HP calls “mixed port access mode”, which allows a mix of authenticated and unauthenticated clients on a single port. I know that the switch supports all of these options together after scouring HP’s documentation as well as resources related to Aruba ClearPass (Aruba’s NAC solution, which advertises these capabilities alongside Aruba / HP switches). I’m fairly certain that I’ve got the correct options on the switch, though I don’t discount that I may be missing something.

In PacketFence, I’m attempting to use the VLAN enforcement mode with WebAuth enforcement mode. I don’t want inline enforcement. So far, I’ve followed the PacketFence installation guide through section 6 (“Enabling the Captive Portal”). I can successfully authenticate an AD domain-joined computer with 802.1x computer authentication. For non-domain-joined computers, I can see that the switch is still trying to authenticate against the RADIUS server using the computer’s MAC address as the username. When the authentication fails, the RADIUS server is sending back the Tunnel-Private-Group-Id of 127, which is my registration VLAN. It is not sending back the HP-Captive-Portal-URL VSA to the switch (determined via packet capture). The client never receives a DHCP address when it is placed onto VLAN 127.
Here's the relevant switch config (including SNMP, although I think this setup would not use SNMP due to using HP’s user-mode). I am connecting the computer to port C1.

radius-server host 10.10.16.20 key "SuperSecretPassphrase"
radius-server host 10.10.16.20 dyn-authorization   # This allows CoAs from this RADIUS server
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 group managerpriv user "packetfence" sec-model ver3
snmpv3 user "packetfence"
aaa server-group radius "packetfence" host 10.10.16.20
aaa authentication port-access eap-radius server-group "packetfence"
aaa authentication mac-based chap-radius server-group "packetfence"
aaa authentication captive-portal enable   # This enables support for the “HP-Captive-Portal-URL” VSA and captive portal redirection
aaa port-access authenticator C1
aaa port-access authenticator C1 client-limit 32   # This enables “user-based authentication”
aaa port-access authenticator active
aaa port-access mac-based C1
aaa port-access mac-based C1 addr-limit 3
aaa port-access mac-based C1 addr-moves
aaa port-access mac-based C1 unauth-vid 127
aaa port-access C1 mixed
vlan 127
   name "Registration"
   untagged A24
   tagged A1
   ip address 10.10.127.1 255.255.255.0
   exit

In the switch’s configuration in PacketFence, “Use CoA” is checked, I have the type set to “HP ProCurve 5400 Series”, “External Portal Enforcement” is checked, and the CoA port is set to 3799. Under “Roles”, “Role by VLAN ID” is checked with registration set to 127, isolation set to 126, and default set to 104. “Role by Web Auth URL” is checked with “registration” set to “http://10.10.16.2/HP::Procurve_5400”.

I’ve browsed PacketFence’s HP ProCurve specific documentation and didn’t find anyone trying to do such a complex setup. I suppose the first step is to figure out why PacketFence/FreeRADIUS is not sending back the HP-Captive-Portal-URL VSA to the switch. Any thoughts or ideas that might help here?

Todd R.
James
Systems Architect, Howard & Howard Attorneys

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
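As an added example (not from the original post, PacketFence or FreeRADIUS), a small Python decoder for the Access-Accept the switch receives, which is the check the packet capture described above does by hand: it walks the RADIUS attribute TLVs, flattens Vendor-Specific attributes, and reports whether Tunnel-Private-Group-Id and the HP-Captive-Portal-URL VSA are present. The HP vendor id is IANA enterprise number 11; the vendor attribute number 24 for HP-Captive-Portal-URL is an assumption to verify against the installed FreeRADIUS dictionary.hp, and the two sample packets are constructed to match the situation in the post.

```python
import struct
VENDOR_SPECIFIC = 26             # RFC 2865 Vendor-Specific attribute
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868, carries the VLAN id or name
HP_VENDOR_ID = 11                # IANA enterprise number for Hewlett-Packard
HP_CAPTIVE_PORTAL_URL = 24       # assumed HP vendor attribute number; check dictionary.hp

def parse_attributes(packet: bytes):
    # Yield (type, vendor_id, vendor_type, value) per attribute, flattening VSAs
    if len(packet) < 20 or len(packet) < struct.unpack("!H", packet[2:4])[0]:
        raise ValueError("truncated RADIUS packet")
    length, pos = struct.unpack("!H", packet[2:4])[0], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while len(sub) >= 2:
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("bad vendor attribute length")
                yield atype, vendor, vtype, sub[2:vlen]
                sub = sub[vlen:]
        else:
            yield atype, None, None, value
        pos += alen

def summarize_accept(packet: bytes) -> dict:
    # Report the VLAN and the HP captive-portal URL an Access-Accept carries, if any
    result = {"vlan": None, "portal_url": None}
    for atype, vendor, vtype, value in parse_attributes(packet):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:   # RFC 2868 tag byte precedes the string
                value = value[1:]
            result["vlan"] = value.decode()
        elif vendor == HP_VENDOR_ID and vtype == HP_CAPTIVE_PORTAL_URL:
            result["portal_url"] = value.decode()
    return result

def attr(atype: int, value: bytes) -> bytes: return bytes([atype, len(value) + 2]) + value

def hp_vsa(vtype: int, value: bytes) -> bytes:
    return attr(VENDOR_SPECIFIC, struct.pack("!I", HP_VENDOR_ID) + attr(vtype, value))

def access_accept(*attrs: bytes) -> bytes:   # code 2; identifier and authenticator are filler
    return struct.pack("!BBH", 2, 1, 20 + sum(map(len, attrs))) + bytes(16) + b"".join(attrs)

OBSERVED = access_accept(attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01127"))   # constructed: VLAN only
WANTED = access_accept(attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01127"),     # constructed: VLAN + VSA
                       hp_vsa(HP_CAPTIVE_PORTAL_URL, b"http://10.10.16.2/HP::Procurve_5400"))
```

Feeding the bytes of a real Access-Accept from a capture into summarize_accept gives the same two fields, so the same function can be run over a pcap export when the VSA is suspected to be missing.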