Hi Nicholas,

For the PF and port number:
* I have tried AP=ISE & PF switch config with either and both port options set to 1700
* I have also tried AP=No splash with either and both port options set to 3799

Depending on the combination, I get the same results as described or I do not get the initial redirection to the captive portal.

This is where my "noobness" comes out with PF. In the PF switch identifier:
* I have Role by VLAN to allow 802.1x for internal users. There is a connection profile that basically says if 802.1x and AD auth puts them as part of AD group "X", then allow them on and assign the appropriate VLAN. This seems to work fine for both wireless clients using 802.1x and connected to SSID=Internal.
* I also have Role by Switch and Role by Web Auth configured based on the PF network device guide.

Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] PID: "POTD_GUEST", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] (10.0.1.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] External portal enforcement either not supported '1' or not configured 'N' on network equipment '10.0.1.251' (pf::Switch::externalPortalEnforcement)
Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(14843) WARN: [mac:4c:34:88:c7:8c:24] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)

From: Nicholas Pier <[email protected]>
Sent: Tuesday, March 17, 2020 10:24 AM
To: Brandt Winchell <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] PacketFence 9.3 Captive Portal for Guests

I think you can rule out an issue with the role mapping or your connection profile since PF seems to be getting the correct role and VLAN:

(10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
(10.10.80.251) Added role 255 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Packetfence does default to 3799, but ISE defaults to 1700. In one screenshot for WebAuth in the Network Device Conf Guide, it looks like PF wants the device configured to think PF is an ISE system. So, it makes sense to match that with 1700.

I definitely agree that something is wrong with the process of de-authenticating and changing the auth of a node. Can you confirm - are you using the WebAuth (6.17.1) or VLAN-based role mappings (6.17.2)?

Nicholas P. Pier
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10

On Tue, Mar 17, 2020 at 10:05 AM Brandt Winchell <[email protected]> wrote:

Hi Nicholas,

I did see that. The document was unclear if this needs to be the disconnect port and/or the CoA port. According to the Cisco docs, ISE uses 1700 but PacketFence uses 3799 (https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points). So I have tried all kinds of combinations, no luck. Still get the webpage login but no change afterwards.

Here is an output of the packetfence.log. User POTD_GUEST has authenticated on the portal.

(Class::MOP::Class:::after)
Instantiate profile XXX_GUEST (pf::Connection::ProfileFactory::_from_profile)
Releasing device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Switch type 'pf::Switch::Meraki::MR_v2' does not support WebFormRegistration (pf::SwitchSupports::__ANON__)
re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Instantiate profile XXX_GUEST (pf::Connection::ProfileFactory::_from_profile)
VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
DesAssociating mac on switch (10.10.80.251) (pf::api::desAssociate)
deauthenticating (pf::Switch::Meraki::MR_v2::radiusDisconnect)
controllerIp is set, we will use controller 10.10.80.251 to perform deauth (pf::Switch::Meraki::MR_v2::radiusDisconnect)
Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110. (pf::Switch::Meraki::MR_v2::try {...} )
Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.
Unknown general attribute 80 for unpack()
Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Switch type 'pf::Switch::Meraki::MR_v2' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Found authentication source(s) : 'POTD_GUEST' for realm 'null' (pf::config::util::filter_authentication_sources)
Connection type is MAC-AUTH.
Getting role from node_info (pf::role::getRegisteredRole)
Username was defined "345g345ds4" - returning role 'guest' (pf::role::getRegisteredRole)
PID: "POTD_GUEST", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
(10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
(10.10.80.251) Added role 255 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
External portal enforcement either not supported '1' or not configured 'N' on network equipment '10.0.1.251' (pf::Switch::externalPortalEnforcement)

Current conclusion:
* Something in the MR_v2.pm file concerning the VSA is not correct

Current issue:
* High level workflow
* Computer connects to SSID and gets assigned VLAN 4081
* Redirected to PF captive portal at 10.10.181.250/24
* Authenticates with POTD
* PF sends AP a CoA to tag traffic with VLAN 255
* It seems the command to flip the VLAN on the AP does not occur. The computer stays on VLAN 4081 and retains its IP from the PF DHCP

Thanks

From: Nicholas Pier <[email protected]>
Sent: Monday, March 16, 2020 8:33 PM
To: [email protected]
Cc: Brandt Winchell <[email protected]>
Subject: Re: [PacketFence-users] PacketFence 9.3 Captive Portal for Guests

Hi Brandt,

It sounds like your Meraki device isn't getting a message from Packetfence to switch the user's VLAN after authentication. This is usually done through a RADIUS CoA or disconnect message. Did you catch this caveat on the network configuration guide? It looks like you need to specify port 1700 for Disconnect and your deauth type should be set to "Radius":

"The 'Disconnect port' field must be set to '1700'."

Also, you can tail this log to see what happens when the user enters that password of the day: /usr/local/pf/logs/packetfence.log

I hope this helps!

Nicholas P. Pier
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10

On Mon, Mar 16, 2020 at 7:58 PM Brandt Winchell via PacketFence-users <[email protected]> wrote:

Hello,

I have a 9.3 NAC deployment.

Isolation vlan: 4080, PF DHCP 10.10.180.100 - 199, PF int IP: 10.10.180.250
Registration vlan: 4081, PF DHCP 10.10.181.100 - 199, PF int IP: 10.10.181.250
Mgmt. vlan: 80, PF int IP: 10.10.80.250
Guest vlan: 255, Network: 10.10.255.0/24

I currently have 802.1x_wired working correctly and assigning VLANs based on authentication. I also have 802.1x_wifi working in the same manner.

In the switch profile: Cisco (Meraki) MR53
Role by VLAN - guest=4081, reg=4081, iso-4080
Role by switch - default="Authorized devices", guest="COMPANY_GUEST"
Role by Web Auth - registration=http://10.10.181.250/Meraki::MR_v2, guest="COMPANY_GUEST"

I am having an issue getting the "Guest" environment to work correctly. The wifi client is getting a DHCP address from the PF on VLAN 4081. The client then gets redirected to the captive portal. The internal source for the connection profile is "Password of the Day" (PotD). The user logs in with the POTD creds and then nothing. The system does not assign them the correct VLAN.

If I change the Role by switch - guest=255; then the end-user gets put directly onto VLAN255 and no redirection occurs (essentially bypassing the NAC).

Thanks

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
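An added example, not from the thread and not PacketFence code, for triaging packetfence.log excerpts like the ones quoted above: it groups lines by client MAC, records the role/VLAN PF returned, whether a RADIUS deauth was attempted, and which of the warnings quoted in the thread appeared, then gives a heuristic verdict. The sample lines are constructed from the thread's excerpts (a [mac:...] tag added where the quoted lines lacked one, plus a made-up second client), and the verdict strings are this example's own heuristic, not PacketFence's logic.

```python
# Added example (not PacketFence code): triage packetfence.log-style lines for the
# CoA / VLAN-flip symptoms in this thread. The verdict in diagnose() is a heuristic
# written for this example, not PacketFence's own logic.
import re
from collections import defaultdict

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
ROLE_RE = re.compile(r"Returned VLAN: .*?, Role: (\w+)")
VLAN_RE = re.compile(r"Added VLAN (\S+) to the returned RADIUS Access-Accept")
# Substrings of the warnings quoted in the thread, keyed by a short tag.
WARNINGS = {
    "no_audit_session_id": "Unable to extract audit-session-id",
    "uninitialized_value": "Use of uninitialized value",
    "external_portal_not_configured": "External portal enforcement either not supported",
}

def triage(lines, default_mac="unknown"):
    """Group lines by [mac:...] tag (lines without one fall under default_mac)."""
    per_mac = defaultdict(lambda: {"role": None, "vlan": None,
                                   "deauth_attempted": False, "warnings": set()})
    for line in lines:
        m = MAC_RE.search(line)
        entry = per_mac[m.group(1) if m else default_mac]
        if (r := ROLE_RE.search(line)):
            entry["role"] = r.group(1)
        if (v := VLAN_RE.search(line)):
            entry["vlan"] = v.group(1)
        if "radiusDisconnect" in line:
            entry["deauth_attempted"] = True
        entry["warnings"].update(tag for tag, needle in WARNINGS.items() if needle in line)
    return dict(per_mac)

def diagnose(entry):
    """Heuristic verdict for one client, based only on the patterns above."""
    if entry["vlan"] is None:
        return "no role/VLAN returned: check role mapping and connection profile"
    if not entry["deauth_attempted"]:
        return "role/VLAN returned but no deauth attempted: check the deauth method on the switch entry"
    if "no_audit_session_id" in entry["warnings"]:
        return "deauth attempted without audit-session-id: check VSA and CoA/Disconnect port on the AP"
    return "role/VLAN returned and deauth sent"

# Constructed sample: lines from the thread with a [mac:...] tag added, plus a made-up second client.
SAMPLE_LINES = [
    "[mac:4c:34:88:c7:8c:24] deauthenticating (pf::Switch::Meraki::MR_v2::radiusDisconnect)",
    "[mac:4c:34:88:c7:8c:24] Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.",
    "[mac:4c:34:88:c7:8c:24] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work.",
    '[mac:4c:34:88:c7:8c:24] PID: "POTD_GUEST", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)',
    "[mac:4c:34:88:c7:8c:24] (10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)",
    "[mac:aa:bb:cc:dd:ee:ff] (10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)",
]
```

Run `triage(SAMPLE_LINES)` and pass each entry to `diagnose()`; the first client yields the "deauth attempted without audit-session-id" verdict that matches the thread's symptoms.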
