Based off the auditing log below it looks like PacketFence sends the PSK back to the Meraki access point as Cisco-AVPair. Is there any way to change PacketFence to send the PSK as Tunnel-Password instead of Cisco-AVPair?

RADIUS Request
User-Name = "00e04c19dddd"
User-Password = "******"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624cccc
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19dddd"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294eeee"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19dddd"

RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttreeee"
Cisco-AVPair = "psk-mode=ascii"
On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown <michaelbrow...@yahoo.com> wrote:

Checking in on this. I put a message up on Meraki and it looks like the problem is the RADIUS Access-Accept message is not returning the Tunnel-Password with the user's DPSK. It is only returning the VLAN ID. Is there something missing in my config to make that happen? Thanks.

On Tuesday, October 20, 2020, 12:07:27 PM EDT, Michael Brown <michaelbrow...@yahoo.com> wrote:

Hi Guys,

Has anyone been able to get DPSK working with Meraki access points? The provisioner portion is working where the user joins a network, signs in to the portal and then once they are signed in they are presented with the name of the network that uses DPSK and their DPSK password. The problem is when I try to join the DPSK network with the provided DPSK I receive can't connect to this network (Windows 10 device). We have one PacketFence server set up out of band.

Here are my profiles:

PROVIDES DPSK
[Auth-Wireless]
locale=
sources=BYOD-Wireless-User-Authentication
advanced_filter=
provisioners=DPSK
filter=ssid:Auth

DPSK NETWORK PROFILE
[BYOD-Wireless]
locale=
advanced_filter=
filter=ssid:WIFI-BYOD
dpsk=enabled
autoregister=enabled
default_psk_key=testing12345678!
unreg_on_acct_stop=disabled
filter_match_style=all

HERE IS THE AUTH SOURCE FOR Auth-Wireless PROFILE:
[BYOD-Wireless-User-Authentication]
cache_match=0
read_timeout=10
realms=null,domain.com
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\,PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=BYOD Wireless User Authentication
port=389
host=dc.domain.com
write_timeout=5
type=AD

[BYOD-Wireless-User-Authentication rule Network-Administrators]
action0=set_role=WIFI-IT-STAFF-DISTRICT
condition0=memberOf,equals,CN=Network Administrators,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Network Administrators Group

[BYOD-Wireless-User-Authentication rule Faculty-All]
action0=set_role=WIFI-STAFF-GUESTS
condition0=memberOf,equals,CN=Faculty-All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Faculty All

HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:
Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
Radius server set to PacketFence management
Radius testing: disabled
Radius CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
Radius override: Radius response can override VLAN tag

HERE IS WHAT THE PFLOG SAYS WHEN I TRY TO JOIN:
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.19), connection_type => Wireless-802.11-NoEAP, switch_mac => (e2:cb:ac:91:85:df), mac => [00:e0:4c:19:dd:56], port => 0, username => "00e04c19dd56", ssid => WIFI-BYOD (pf::radius::authorize)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile BYOD-Wireless (pf::Connection::ProfileFactory::_from_profile)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] security_event 1300003 force-closed for 00:e0:4c:19:dd:56 (pf::security_event::security_event_force_close)

HERE IS WHAT THE RADIUS LOG SAYS:
Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:56] Accepted user: and returned VLAN 118
Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.110.19/32 port 0 cli 00:e0:4c:19:dd:56)

Thanks for your help.
Mike
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
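As an added check for a question like this one (example code, not part of the thread and not PacketFence's own code), the snippet below parses a PacketFence-style RADIUS audit entry and reports whether the Access-Accept carries the DPSK inside a Cisco-AVPair psk= VSA, in Tunnel-Password (the attribute the poster says Meraki expects), or not at all, along with the VLAN returned. The sample entry is constructed, and the one-attribute-per-line layout is an assumption about how the audit log is exported.

```python
import re

# Constructed sample in the shape of a PacketFence RADIUS audit log entry
# (one attribute per line); the PSK and MACs are placeholders, not real data.
SAMPLE_ENTRY = """RADIUS Request
User-Name = "00e04c19dddd"
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Called-Station-SSID = "WIFI-BYOD"
RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=examplepsk12345"
Cisco-AVPair = "psk-mode=ascii"
"""

ATTR_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*(.*?)\s*$')
SECTIONS = {"radius request": "request", "radius reply": "reply"}

def parse_audit_entry(text: str) -> dict:
    """Split an entry into ordered (name, value) lists for request and reply.
    Order and repeats are preserved (RADIUS allows two Cisco-AVPair
    attributes, as above); surrounding quotes are stripped from values."""
    sections = {"request": [], "reply": []}
    current = None
    for line in text.splitlines():
        key = line.strip().lower()
        if key in SECTIONS:
            current = SECTIONS[key]
            continue
        m = ATTR_RE.match(line)
        if m and current:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            sections[current].append((name, value))
    return sections

def psk_delivery(reply: list) -> dict:
    """Report how the Access-Accept carries the DPSK: inside a Cisco-AVPair
    'psk=' VSA, in Tunnel-Password, or not at all, plus the VLAN returned."""
    avpairs = dict(v.split("=", 1) for n, v in reply
                   if n == "Cisco-AVPair" and "=" in v)
    return {
        "psk_via_avpair": "psk" in avpairs,
        "psk_mode": avpairs.get("psk-mode"),
        "psk_via_tunnel_password": any(n == "Tunnel-Password" for n, _ in reply),
        "vlan": next((v for n, v in reply if n == "Tunnel-Private-Group-Id"), None),
    }
```

Run against the poster's own reply above, the report shows the PSK only as a Cisco-AVPair VSA and no Tunnel-Password, which is the mismatch the thread describes.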