Hi Nicholas,
I did see that. The document was unclear if this needs to be the disconnect
port and/or the CoA port. According to the Cisco docs, ISE uses 1700 but
PacketFence uses 3799
(https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points).
So I have tried all kinds of combinations, no luck. Still get the webpage
login but no change afterwards.
Here is an output of the packetfence.log.
User POTD_GUEST has authenticated on the portal. (Class::MOP::Class:::after)
Instantiate profile XXX_GUEST (pf::Connection::ProfileFactory::_from_profile)
Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Switch type 'pf::Switch::Meraki::MR_v2' does not support WebFormRegistration
(pf::SwitchSupports::__ANON__)
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Instantiate profile XXX_GUEST (pf::Connection::ProfileFactory::_from_profile)
VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
DesAssociating mac on switch (10.10.80.251) (pf::api::desAssociate)
deauthenticating (pf::Switch::Meraki::MR_v2::radiusDisconnect)
controllerIp is set, we will use controller 10.10.80.251 to perform deauth
(pf::Switch::Meraki::MR_v2::radiusDisconnect)
Use of uninitialized value in concatenation (.) or string at
/usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.
(pf::Switch::Meraki::MR_v2::try {...} )
Use of uninitialized value in concatenation (.) or string at
/usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.
Unknown general attribute 80 for unpack()
Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2.
SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific
Attributes (VSA) on the AP if you want them to work.
(pf::Switch::getCiscoAvPairAttribute)
Switch type 'pf::Switch::Meraki::MR_v2' does not support MABFloatingDevices
(pf::SwitchSupports::__ANON__)
Found authentication source(s) : 'POTD_GUEST' for realm 'null'
(pf::config::util::filter_authentication_sources)
Connection type is MAC-AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Username was defined "345g345ds4" - returning role 'guest'
(pf::role::getRegisteredRole)
PID: "POTD_GUEST", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
(10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
(10.10.80.251) Added role 255 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
External portal enforcement either not supported '1' or not configured 'N' on
network equipment '10.0.1.251' (pf::Switch::externalPortalEnforcement)
Current conclusion:
* Something in the MR_v2.pm file concerning the VSA is not correct
Current issue:
* High level workflow
* Computer connects to SSID and gets assigned vlan 4081
* Redirected to PF captive portal at 10.10.181.250/24
* Authenticates with POTD
* PF sends the AP a CoA to tag traffic with VLAN 255
* It seems the command to flip the VLAN on the AP does not occur. The
computer stays on VLAN 4081 and retains its IP from the PF DHCP
Thanks
From: Nicholas Pier <[email protected]>
Sent: Monday, March 16, 2020 8:33 PM
To: [email protected]
Cc: Brandt Winchell <[email protected]>
Subject: Re: [PacketFence-users] PacketFence 9.3 Captive Portal for Guests
Hi Brandt,
It sounds like your Meraki device isn't getting a message from PacketFence to
switch the user's VLAN after authentication. This is usually done through a
RADIUS CoA or Disconnect message. Did you catch this caveat in the network
configuration guide? It looks like you need to specify port 1700 for Disconnect
and your deauth type should be set to "Radius":
"The 'Disconnect port' field must be set to '1700'."
Also, you can tail this log to see what happens when the user enters that
password of the day:
/usr/local/pf/logs/packetfence.log
I hope this helps!
Nicholas P. Pier
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
On Mon, Mar 16, 2020 at 7:58 PM Brandt Winchell via PacketFence-users
<[email protected]> wrote:
Hello,
I have a 9.3 NAC deployment.
Isolation vlan:4080
PF DHCP 10.10.180.100 – 199
PF int IP: 10.10.180.250
Registration vlan:4081
PF DHCP 10.10.181.100 – 199
PF int IP: 10.10.181.250
Mgmt. vlan: 80
PF int IP: 10.10.80.250
Guest vlan: 255
Network: 10.10.255.0/24
I currently have 802.1x_wired working correctly and assigning VLANs based on
authentication.
I also have 802.1x_wifi working in the same manner.
In the switch profile:
Cisco (Meraki) MR53
Role by VLAN – guest=4081, reg=4081, iso=4080
Role by switch – default=”Authorized devices”, guest=”COMPANY_GUEST”
Role by Web Auth – registration=http://10.10.181.250/Meraki::MR_v2,
guest=”COMPANY_GUEST”
I am having an issue getting the “Guest” environment to work correctly.
The wifi client is getting a DHCP address from the PF on VLAN 4081. The client
then gets redirected to the captive portal. The internal source for the
connection profile is “Password of the Day” (PotD). The user logs in with the
POTD creds and then nothing. The system does not assign them the correct VLAN.
If I change the Role by switch – guest=255, then the end user gets put
directly onto VLAN 255 and no redirection occurs (essentially bypassing the NAC).
Thanks
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users