Actually it was your hint about device registration that clicked and made me check my connection profile.
Still, it ALWAYS helps to ask questions and read answers and advice very carefully :)

Ludovic, please guide me through the connection profile creation for public WiFi with captive portal for guests. Just high level and mostly hints, like what modules are involved.

I did everything as advised here on Unifi side
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_ubiquiti_2

But there are gaps in understanding of what to do on PacketFence side

1. I created/cloned the external authentication source for SMS based registration and included only Canadian cellular operators
2. I'm reusing the same switch group that includes Unifi APs, under "Role by VLAN ID" I put a VLAN ID 20 to guest, but I suspect this is wrong

As far as I understand it, I need to create a condition for PacketFence to help it differentiate if the authentication comes via WebAuth and not Wireless-802.11-EAP. Is this where the connection profile comes into place?

Eugene

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, October 30, 2020 11:11 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

The logs don't lie ;-)

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Oct 30, 2020, at 2:00 PM, <ype...@gmail.com> wrote:

That's what I missed, namely the connection profile for devices registration wasn't enabled.
Thank you, Ludovic!

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, October 30, 2020 10:24 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

If your node has: status = registered and a role, PacketFence would return the VLAN for the role from the switch (inherited configuration from switch groups or not).

Do an authentication and send the logs.packetfence.log.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Oct 30, 2020, at 1:14 PM, <ype...@gmail.com> wrote:

Hi Ludovic,

Thanks for looking into it. My search through packetfence.log didn't produce any matches for the specific MAC address.

Let me paraphrase my question.
The group of switches (or rather Wireless AP) has a list of roles. The top is registration with VLAN 2. Then go three more, i.e. isolation, macDetection, inline and reject. Only then do I have Staff role with VLAN 10. I don't have a way to change this order and my attempt to assign VLAN 10 to registration was reversed after I restarted PacketFence services. Essentially RADIUS assigns by default VLAN 2 which is against my logic and design.

I don't have registration and isolation interfaces/VLANs.
It is pure dot1x/RADIUS authentication via management interface

Eugene

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, October 30, 2020 4:47 AM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

Hello Eugene,

The answer is in your logs.

    grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Oct 29, 2020, at 3:15 PM, ypefti--- via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Folks,

Can someone help me identify what I'm missing.
My authentication session goes through but the endpoint that connects to WAP (Unifi) never gets an IP address.
I investigated it and see that RADIUS assigns the wrong VLAN to the connection.

This is what I see in the live session log

    Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user: it.tech and returned VLAN 2

But my authentication source has a rule with an action to set the Role Staff which is defined with a specific VLAN 10
VLAN 2 on the contrary is assigned to a registration role which I'm not using at the moment.

My short term goal is dot1x WiFi authentication with RADIUS assigned VLAN.

Eugene

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
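Added example, not part of the original thread or of PacketFence: a shell check for the symptom discussed above, an accepted session that is handed the registration VLAN instead of the role's VLAN. It assumes the line format of the single "Accepted user ... returned VLAN" line quoted in the thread; the other sample lines, the second MAC address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the first line is the one quoted in the thread,
# the other two are made up in the same format.
sample_log() {
cat <<'EOF'
Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user: it.tech and returned VLAN 2
Oct 29 12:09:41 packetfence auth[1201]: [mac:aa:bb:cc:00:11:22] Accepted user: guest1 and returned VLAN 20
Oct 30 11:02:13 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user: it.tech and returned VLAN 10
EOF
}

# vlan_mismatches MAC EXPECTED_VLAN
# Reads log lines on stdin and prints one line for every accepted session of
# MAC whose returned VLAN differs from EXPECTED_VLAN (the VLAN of the role
# the authentication source is supposed to assign).
vlan_mismatches() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v mac="$mac" -v want="$2" '
        # index() is a literal match, so brackets and colons need no escaping
        index(tolower($0), "[mac:" mac "]") &&
        /Accepted user: .* and returned VLAN [0-9]+/ {
            user = $0
            sub(/.*Accepted user: /, "", user)
            sub(/ and returned VLAN [0-9]+.*/, "", user)
            vlan = $0
            sub(/.* and returned VLAN /, "", vlan)
            sub(/[^0-9].*/, "", vlan)
            # compare numerically so "010" and "10" are treated as equal
            if (vlan + 0 != want + 0)
                printf "%s %s %s user=%s vlan=%s\n", $1, $2, $3, user, vlan
        }'
}

# Staff is expected on VLAN 10; the Oct 29 session came back with VLAN 2.
sample_log | vlan_mismatches 18:81:0e:7c:3c:ed 10
```

To use it on a live system, pipe the log that carries these lines into `vlan_mismatches` in place of `sample_log`.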