Hello Brant,
First, I think you need to remove:
Role by switch – default="Authorized devices", guest="COMPANY_GUEST"
Role by Web Auth – registration=http://10.10.181.250/Meraki::MR_v2,
guest="COMPANY_GUEST"
You are doing VLAN enforcement and not web auth.
Once done, connect your device to the SSID and in the admin GUI hit
"Reevaluate access" (at the same time, run a capture: tshark -i mgmt_int -f
"port 1700 or port 3799" -w /tmp/deauth.pcap).
We will see what happens.
Regards
Fabrice
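The capture suggested above (ports 1700/3799) and the "Unable to extract audit-session-id" / "Unknown general attribute 80 for unpack()" lines quoted further down in the thread both come down to what is actually inside the RADIUS CoA / Disconnect packets exchanged with the AP. The following decoder is an added example for this thread, not PacketFence, Meraki or list code. It builds a constructed CoA-Request (constructed shared secret, constructed audit-session-id, the client MAC from the thread's log), then parses and verifies it the way a NAS would: Request Authenticator per RFC 5176, Message-Authenticator (attribute 80, the one the log's unpack() did not know) as HMAC-MD5 over the packet with the Request Authenticator zeroed, the Cisco-AVPair VSA carrying audit-session-id, and the Tunnel-Private-Group-ID VLAN. Feed it the UDP payload of a packet from the capture to see whether the request even carries the session id and whether it would validate against the shared secret.

```python
"""Decode and verify RADIUS CoA / Disconnect requests (RFC 5176).

Added example for this thread, not PacketFence or Meraki code. The shared
secret, the audit-session-id and the sample packet below are constructed.
"""
import hashlib
import hmac
import struct

CODE_NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
              43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80    # the "unknown general attribute 80" in the log
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # carries the VLAN in an Access-Accept / CoA
CISCO_VENDOR_ID = 9                # Cisco-AVPair: vendor 9, vendor sub-type 1
CISCO_AVPAIR = 1
RA_LEN = 16

SECRET = b"constructed-shared-secret"   # constructed, not a real secret
CLIENT_MAC = "4c:34:88:c7:8c:24"        # MAC seen in the thread's log


def _avp(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap 'key=value' text in a Cisco Vendor-Specific attribute."""
    inner = _avp(CISCO_AVPAIR, text.encode())
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_dynauth_request(code, identifier, attrs, secret):
    """Build a CoA/Disconnect request with Message-Authenticator and Request Authenticator."""
    attrs_ma0 = attrs + _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_ma0))
    # HMAC-MD5 over the packet with Request Authenticator and the MA value zero-filled
    ma = hmac.new(secret, header + b"\x00" * RA_LEN + attrs_ma0, hashlib.md5).digest()
    attrs_final = attrs + _avp(ATTR_MESSAGE_AUTHENTICATOR, ma)
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    ra = hashlib.md5(header + b"\x00" * RA_LEN + attrs_final + secret).digest()
    return header + ra + attrs_final


def parse_attributes(data):
    """Split the attribute region into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_dynauth_request(packet, secret):
    """Decode one CoA/Disconnect request and report what a NAS would check."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d != %d bytes on the wire" % (length, len(packet)))
    attrs = parse_attributes(packet[20:])
    info = {"code": CODE_NAMES.get(code, "code %d" % code), "id": identifier,
            "calling_station_id": None, "audit_session_id": None, "vlan": None,
            "request_authenticator_ok": False, "message_authenticator_ok": None}
    expected = hashlib.md5(packet[:4] + b"\x00" * RA_LEN + packet[20:] + secret).digest()
    info["request_authenticator_ok"] = hmac.compare_digest(packet[4:20], expected)
    zeroed = bytearray(packet)          # copy with RA and MA zeroed for the HMAC check
    zeroed[4:20] = b"\x00" * RA_LEN
    offset, ma_seen = 20, None
    for atype, value in attrs:
        if atype == ATTR_CALLING_STATION_ID:
            info["calling_station_id"] = value.decode(errors="replace")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            body = value[1:] if value and value[0] <= 0x1F else value  # strip tag byte
            info["vlan"] = body.decode(errors="replace")
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            text = value[6:4 + vlen].decode(errors="replace")
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR \
                    and text.startswith("audit-session-id="):
                info["audit_session_id"] = text.split("=", 1)[1]
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            ma_seen = value
            zeroed[offset + 2:offset + 2 + len(value)] = b"\x00" * len(value)
        offset += 2 + len(value)
    if ma_seen is not None:
        calc = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
        info["message_authenticator_ok"] = hmac.compare_digest(ma_seen, calc)
    return info


def sample_coa_request():
    """Constructed CoA-Request: move CLIENT_MAC to VLAN 255 with a constructed session id."""
    attrs = (_avp(ATTR_CALLING_STATION_ID, CLIENT_MAC.encode())
             + cisco_avpair("audit-session-id=0A0A50FB00000001DEADBEEF")
             + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"255"))
    return build_dynauth_request(43, 7, attrs, SECRET)


def demo():
    """Parse the constructed request with the right secret, then with a wrong one."""
    pkt = sample_coa_request()
    return parse_dynauth_request(pkt, SECRET), parse_dynauth_request(pkt, b"wrong-secret")


if __name__ == "__main__":
    for label, result in zip(("correct secret", "wrong secret"), demo()):
        print(label, result)
```

With the correct secret both authenticators verify and the session id and VLAN are extracted; with the wrong secret both checks fail, which is what the AP would silently do with a CoA signed against a mismatched shared secret. A request with no Cisco-AVPair at all shows up as `audit_session_id: None`.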
On 20-03-18 at 20:33, Nicholas Pier via PacketFence-users wrote:
Hi Brandt,
From the log message, it almost sounds to me like Packetfence doesn't
know the MAC of the device it's trying to move to the guest VLAN. I'm
referring to this:
"Unable to extract audit-session-id"
Maybe something isn't getting passed with WebAuth that would normally
be passed with Radius or the internal reg portal?
Have you tried only doing the vlan by role configuration in the
network device configuration guide?
*Nicholas P. Pier*
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
On Tue, Mar 17, 2020 at 11:21 AM Brandt Winchell
<[email protected]> wrote:
Hi Nicholas,
For the PF and port number:
* I have tried AP=ISE & PF switch config with either and both
port options to be 1700
* I have also tried AP=No splash with either and both port
options to be 3799
Depending on the combination, I get the same results as described
or I do not get the initial redirection to the captive portal.
This is where my “noobness” comes out with PF.
In the PF switch identifier:
* I have Role by VLAN to allow 802.1x for internal users. There
is a connection profile that basically says if 802.1x and AD
auth puts them as part of AD group “X”, then allow them on and
assign the appropriate VLAN. This seems to work fine for both
wireless clients using 802.1x and connected to SSID=Internal.
* I also have Role by Switch and Role by Web Auth, based on the PF
network device guide.
Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] PID: "POTD_GUEST",
Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] (10.0.1.251) Added
VLAN XXX_GUEST to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] External portal
enforcement either not supported '1' or not configured 'N' on
network equipment '10.0.1.251' (pf::Switch::externalPortalEnforcement)
Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(14843) WARN: [mac:4c:34:88:c7:8c:24] Unable to extract
audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based
VLAN assignments won't work. Make sure you enable Vendor Specific
Attributes (VSA) on the AP if you want them to work.
(pf::Switch::getCiscoAvPairAttribute)
*From:* Nicholas Pier <[email protected]>
*Sent:* Tuesday, March 17, 2020 10:24 AM
*To:* Brandt Winchell <[email protected]>
*Cc:* [email protected]
*Subject:* Re: [PacketFence-users] PacketFence 9.3 Captive Portal
for Guests
I think you can rule out an issue with the role mapping or your
connection profile since PF seems to be getting the correct role
and VLAN:
(10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
(10.10.80.251) Added role 255 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Packetfence does default to 3799, but ISE defaults to 1700. In one
screenshot for WebAuth in the Network Device Conf Guide, it looks
like PF wants the device configured to think PF is an ISE system.
So, it makes sense to match that with 1700.
I definitely agree that something is wrong with the process of
de-authenticating and changing the auth of a node. Can you confirm
- are you using the WebAuth (6.17.1) or VLAN-based role mappings
(6.17.2) ?
*Nicholas P. Pier*
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
On Tue, Mar 17, 2020 at 10:05 AM Brandt Winchell
<[email protected]> wrote:
Hi Nicholas,
I did see that. The document was unclear if this needs to be
the disconnect port and/or the CoA port. According to the
Cisco docs, ISE uses 1700 but PacketFence uses 3799
(https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points).
So I have tried all kinds of combinations, no luck. Still get
the webpage login but no change afterwards.
Here is an output of the packetfence.log.
User POTD_GUEST has authenticated on the portal.
(Class::MOP::Class:::after)
Instantiate profile XXX_GUEST
(pf::Connection::ProfileFactory::_from_profile)
Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Switch type 'pf::Switch::Meraki::MR_v2' does not support
WebFormRegistration (pf::SwitchSupports::__ANON__)
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Instantiate profile XXX_GUEST
(pf::Connection::ProfileFactory::_from_profile)
VLAN reassignment is forced.
(pf::enforcement::_should_we_reassign_vlan)
DesAssociating mac on switch (10.10.80.251)
(pf::api::desAssociate)
deauthenticating (pf::Switch::Meraki::MR_v2::radiusDisconnect)
controllerIp is set, we will use controller 10.10.80.251 to
perform deauth (pf::Switch::Meraki::MR_v2::radiusDisconnect)
Use of uninitialized value in concatenation (.) or string at
/usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.
(pf::Switch::Meraki::MR_v2::try {...} )
Use of uninitialized value in concatenation (.) or string at
/usr/local/pf/lib/pf/Switch/Meraki/MR_v2.pm line 110.
Unknown general attribute 80 for unpack()
Unable to extract audit-session-id for module
pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't
work. Make sure you enable Vendor Specific Attributes (VSA) on
the AP if you want them to work.
(pf::Switch::getCiscoAvPairAttribute)
Switch type 'pf::Switch::Meraki::MR_v2' does not support
MABFloatingDevices (pf::SwitchSupports::__ANON__)
Found authentication source(s) : 'POTD_GUEST' for realm 'null'
(pf::config::util::filter_authentication_sources)
Connection type is MAC-AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Username was defined "345g345ds4" - returning role 'guest'
(pf::role::getRegisteredRole)
PID: "POTD_GUEST", Status: reg Returned VLAN: (undefined),
Role: guest (pf::role::fetchRoleForNode)
(10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
(10.10.80.251) Added role 255 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
External portal enforcement either not supported '1' or not
configured 'N' on network equipment '10.0.1.251'
(pf::Switch::externalPortalEnforcement)
Current conclusion:
* Something in the MR_v2.pm file concerning the VSA is not
correct
Current issue:
* High level workflow
o Computer connects to SSID and gets assigned VLAN 4081
o Redirected to PF captive portal at 10.10.181.250/24
o Authenticates with POTD
o PF sends the AP a CoA to tag traffic with VLAN 255
* It seems the command to flip the VLAN on the AP does not
occur. The computer stays on VLAN 4081 and retains its IP
from the PF DHCP.
Thanks
*From:* Nicholas Pier <[email protected]>
*Sent:* Monday, March 16, 2020 8:33 PM
*To:* [email protected]
*Cc:* Brandt Winchell <[email protected]>
*Subject:* Re: [PacketFence-users] PacketFence 9.3 Captive
Portal for Guests
Hi Brandt,
It sounds like your Meraki device isn't getting a message from
Packetfence to switch the user's VLAN after authentication.
This is usually done through a RADIUS CoA or Disconnect message.
Did you catch this caveat on the network configuration guide?
It looks like you need to specify port 1700 for Disconnect and
your deauth type should be set to "Radius":
"The 'Disconnect port' field must be set to '1700'."
Also, you can tail this log to see what happens when the user
enters that password of the day:
/usr/local/pf/logs/packetfence.log
I hope this helps!
*Nicholas P. Pier*
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
On Mon, Mar 16, 2020 at 7:58 PM Brandt Winchell via
PacketFence-users <[email protected]> wrote:
Hello,
I have a 9.3 NAC deployment.
Isolation vlan:4080
PF DHCP 10.10.180.100 – 199
PF int IP: 10.10.180.250
Registration vlan:4081
PF DHCP 10.10.181.100 – 199
PF int IP: 10.10.181.250
Mgmt. vlan: 80
PF int IP: 10.10.80.250
Guest vlan: 255
Network: 10.10.255.0/24
I currently have 802.1x_wired working correctly and
assigning VLANs based on authentication.
I also have 802.1x_wifi working in the same manner.
In the switch profile:
Cisco (Meraki) MR53
Role by VLAN – guest=4081, reg=4081, iso=4080
Role by switch – default=”Authorized devices”,
guest=”COMPANY_GUEST”
Role by Web Auth –
registration=http://10.10.181.250/Meraki::MR_v2,
guest=”COMPANY_GUEST”
I am having an issue getting the “Guest” environment to
work correctly.
The wifi client is getting a DHCP address from the PF on
VLAN 4081. The client then gets redirected to the captive
portal. The internal source for the connection profile is
“Password of the Day” (PotD). The user logs in with the
POTD creds and then nothing. The system does not assign
them the correct VLAN.
If I change the Role by switch – guest=255 ; then the
end-user gets put directly onto VLAN255 and no redirection
occurs (essentially bypassing the NAC).
Thanks
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users