Based on the auditing log below it looks like PacketFence sends the PSK back 
to the Meraki access point as Cisco-AVPair.  Is there any way to change 
PacketFence to send the PSK as Tunnel-Password instead of Cisco-AVPair?
RADIUS Request
User-Name = "00e04c19dddd"
User-Password = "******"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624cccc
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19dddd"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294eeee"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19dddd"

RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttreeee"
Cisco-AVPair = "psk-mode=ascii"


    On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown 
<michaelbrow...@yahoo.com> wrote:  
 
  Checking in on this. 
I put a message up on Meraki and it looks like the problem is the RADIUS 
Access-Accept message is not returning the Tunnel-Password with the user's 
dpsk.  It is only returning the VLAN ID.   Is there something missing in my 
config to make that happen?
Thanks.

     On Tuesday, October 20, 2020, 12:07:27 PM EDT, Michael Brown 
<michaelbrow...@yahoo.com> wrote:  
 
 
Hi Guys,

 

Has anyone been able to get DPSK working with Meraki access points?

 

The provisioner portion is working where the user joins a network, signs in to 
the portal and then once they are signed in they are presented with the name of 
the network that uses DPSK and their DPSK password. The problem is when I try to 
join the DPSK network with the provided DPSK I receive "can't connect to this 
network" (Windows 10 device).

 

We have one PacketFence server set up out of band.

 

Here are my profiles:

 

PROVIDES DPSK

[Auth-Wireless]
locale=
sources=BYOD-Wireless-User-Authentication
advanced_filter=
provisioners=DPSK
filter=ssid:Auth

DPSK NETWORK PROFILE

[BYOD-Wireless]
locale=
advanced_filter=
filter=ssid:WIFI-BYOD
dpsk=enabled
autoregister=enabled
default_psk_key=testing12345678!
unreg_on_acct_stop=disabled
filter_match_style=all

 

 

HERE IS THE AUTH SOURCE FOR THE Auth-Wireless PROFILE:

[BYOD-Wireless-User-Authentication]
cache_match=0
read_timeout=10
realms=null,domain.com
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\,PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=BYOD Wireless User Authentication
port=389
host=dc.domain.com
write_timeout=5
type=AD

[BYOD-Wireless-User-Authentication rule Network-Administrators]
action0=set_role=WIFI-IT-STAFF-DISTRICT
condition0=memberOf,equals,CN=NetworkAdministrators,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Network Administrators Group

[BYOD-Wireless-User-Authentication rule Faculty-All]
action0=set_role=WIFI-STAFF-GUESTS
condition0=memberOf,equals,CN=Faculty- All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Faculty All

 

 

HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:

Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
RADIUS server set to PacketFence management
RADIUS testing: disabled
RADIUS CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
RADIUS override: RADIUS response can override VLAN tag

 

 

 

 

HERE IS WHAT THE PF LOG SAYS WHEN I TRY TO JOIN:

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.19), connection_type => Wireless-802.11-NoEAP, switch_mac => (e2:cb:ac:91:85:df), mac => [00:e0:4c:19:dd:56], port => 0, username => "00e04c19dd56", ssid => WIFI-BYOD (pf::radius::authorize)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile BYOD-Wireless (pf::Connection::ProfileFactory::_from_profile)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] security_event 1300003 force-closed for 00:e0:4c:19:dd:56 (pf::security_event::security_event_force_close)

 

 

HERE IS WHAT THE RADIUS LOG SAYS:

Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:56] Accepted user:  and returned VLAN 118

Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.110.19/32 port 0 cli 00:e0:4c:19:dd:56)
 
Thanks for your help.
Mike
    
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
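Added example for this thread (not PacketFence, FreeRADIUS or Meraki code, and not something the poster ran): it parses the Access-Accept attributes from the audit-log entry at the top of the thread, reports which attribute is carrying the per-device PSK, and shows how a Tunnel-Password value is salt-encrypted under the RADIUS shared secret per RFC 2868 section 3.5. The practical point: the Cisco-AVPair "psk=..." string in the posted reply is a plain string attribute, so the key is readable by anyone who can see the RADIUS packet, while Tunnel-Password is encrypted with the shared secret and the Request Authenticator. The shared secret, Request Authenticator and salt used below are made up for the demo; the reply lines are copied from the post.

```python
"""Which attribute carries the DPSK in an Access-Accept, and what
Tunnel-Password (RFC 2868 section 3.5) looks like on the wire.

Added example for the mailing-list thread; not PacketFence or Meraki code.
Reply attributes are copied from the posted audit log; the shared secret,
Request Authenticator and salt are constructed demo values.
"""
import hashlib
import os
import re
from typing import Dict, List, Optional, Tuple

# Reply attributes from the posted audit log, one per line (constructed copy).
REPLY_LINES = [
    'Tunnel-Type = VLAN',
    'Tunnel-Private-Group-Id = "118"',
    'Tunnel-Medium-Type = IEEE-802',
    'Cisco-AVPair = "psk=otahreeddttreeee"',
    'Cisco-AVPair = "psk-mode=ascii"',
]

ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def parse_reply(lines: List[str]) -> List[Tuple[str, str]]:
    """Turn 'Name = value' lines into (name, value) pairs, keeping repeated names."""
    attrs = []
    for line in lines:
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs.append((name, value))
    return attrs


def psk_carriers(attrs: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Report where the Access-Accept carries the per-device PSK, if anywhere.

    Cisco-AVPair "psk=..." is a plain string attribute (key readable in the
    packet); Tunnel-Password is salt-encrypted under the shared secret.
    """
    found: Dict[str, Optional[str]] = {"cisco_avpair_psk": None, "tunnel_password": None}
    for name, value in attrs:
        if name == "Cisco-AVPair" and value.startswith("psk="):
            found["cisco_avpair_psk"] = value[len("psk="):]
        elif name == "Tunnel-Password":
            found["tunnel_password"] = value
    return found


def tunnel_password_encrypt(password: bytes, secret: bytes, request_auth: bytes,
                            salt: Optional[bytes] = None, tag: int = 0) -> bytes:
    """Encode a Tunnel-Password value: Tag(1) | Salt(2) | encrypted String.

    Plaintext is len(password) || password, zero-padded to a multiple of 16.
    Block i is XORed with MD5(secret || prev), where prev is
    Request-Authenticator || Salt for the first block and the previous
    ciphertext block after that (RFC 2868 section 3.5).
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 255:
        raise ValueError("password must be 1..255 octets")
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)  # high bit must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    prev = request_auth + salt
    cipher = bytearray()
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        cipher += block
        prev = block
    return bytes([tag]) + salt + bytes(cipher)


def tunnel_password_decrypt(attr: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of tunnel_password_encrypt; raises ValueError on malformed input."""
    if len(attr) < 3 + 16 or (len(attr) - 3) % 16:
        raise ValueError("malformed Tunnel-Password value")
    salt, cipher = attr[1:3], attr[3:]
    prev = request_auth + salt
    plain = bytearray()
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    n = plain[0]
    if n == 0 or n > len(plain) - 1:
        raise ValueError("bad length octet (wrong secret or Request Authenticator?)")
    return bytes(plain[1:1 + n])


if __name__ == "__main__":
    print("PSK carriers in the posted reply:", psk_carriers(parse_reply(REPLY_LINES)))
    secret, req_auth = b"demo-shared-secret", bytes(range(16))  # constructed demo values
    blob = tunnel_password_encrypt(b"otahreeddttreeee", secret, req_auth)
    print("Tunnel-Password on the wire:", blob.hex())
    print("recovered by the NAS:", tunnel_password_decrypt(blob, secret, req_auth))
```

Running it against the posted reply reports the PSK only under cisco_avpair_psk and no Tunnel-Password, which is what the Meraki side complained about. The encrypt/decrypt pair shows why the NAS has to share the secret and see the matching Request Authenticator to recover the key: decrypting under a different secret yields a garbage length octet or a wrong password rather than the PSK.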
