Thank you, Federico. I read it all from the PF document 😉
All my APs are added as switches by IP addresses and belong to the same switch group. Unifi controller is also a member of this group. Type is Ubiquity:Unifi

And I'm having little challenges with the SSL certificate that I want to use for RADIUS. It appears that the wildcard certificate that is in full use by the organization network devices can't be used by PF. I uploaded it but after that all Windows OS supplicants stopped being able to log in to the RADIUS protected SSID using PEAP.

Thinking of a workaround but nothing comes to my mind.

Eugene

From: Federico Alberto Sayd <fs...@fca.uncu.edu.ar>
Sent: Tuesday, November 02, 2021 7:18 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

Hello Eugene

That is the format that Unifi Controller uses to redirect to an external captive portal. You shouldn't worry about the URL format because PF redirects this request to the PF portal.

You have two ways to add APs to PacketFence.

You can add every AP as a switch. You need to specify the AP MAC address and the parameters to connect to Unifi Controller (IP, user and password).

The second method is adding the controller as a switch. You need to add the controller's IP address in "IP Address/MAC Address/Range (CIDR)", select "Ubiquiti::Unifi" as type and also specify the controller's address again in the "Controller IP Address".

Then you need to restart pfcron, run the task pfcron ubiquiti_ap_mac_to_ip and check the cached APs with the command "/usr/local/pf/bin/pfcmd cache switch_distributed list"

You can configure the certificates used for the portal in https://<PF-IP-ADDRESS>:1443/admin#/configuration/certificate/http

On Tue, 2 Nov 2021 at 2:26, E.P. (<ype...@gmail.com>) wrote:

I'm jumping into this thread as it got my interest as well because we are with Unifi and planning to deploy guest WiFi with WebAuth via the portal.

In the URL that Fabrice advised to configure I believe "s" is for the site name?

http://<PF-IP-PORTAL>/guest/s/default/

which is normally a random alphanumeric string?

Also, the output of "/usr/local/pf/bin/pfcmd cache switch_distributed list" doesn't show me any lists of APs. Is it supposed to be empty? I have a few APs already serving users and acting as RADIUS clients. I have them added by IP address.

I ran this one as well before:

/usr/local/pf/bin/pfcmd pfcron ubiquiti_ap_mac_to_ip

For the certificates I understand it has to be placed into this folder, am I correct?

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)

Eugene

From: Federico Alberto Sayd via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Monday, November 01, 2021 9:59 AM
To: Fabrice Durand <oeufd...@gmail.com>
Cc: Federico Alberto Sayd <fs...@fca.uncu.edu.ar>; egr...@jcc.com.ar; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

Hi Fabrice:

I am running Unifi Controller 6.4.54

I reworked my setup from scratch following Enrique's directions and it worked OK, then I rebooted the server and it didn't work anymore.

Now the packetfence.log shows this error when I want to authenticate clients using APs managed by Unifi Controller:

Nov 1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]: httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Can not load perl module for switch f0:9f:c2:f0:07:42, type: Ubiquiti::Unifi . The type is unknown or the perl module has compilation errors. (pf::SwitchFactory::instantiate)
Nov 1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]: httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Unable to instantiate switch object using switch_id 'f0:9f:c2:f0:07:42' (pf::web::externalportal::handle)

Can you help me with this error?

Thank you

Federico

On Fri, 29 Oct 2021 at 9:31, Fabrice Durand (<oeufd...@gmail.com>) wrote:

Hello Federico,

what version of the ubiquiti controller are you running?

Also did you define the switch in the packetfence configuration (like by ip or mac?)

Last thing, can you try that http://<PF-IP-PORTAL>/guest/s/default/ (notice the / at the end).

Regards
Fabrice

On Wed, 27 Oct 2021 at 02:27, Federico Alberto Sayd via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi Enrique:

I followed the docs and added Unifi Controller as a switch and configured the web service credentials. PF automatically retrieves the APs managed by Unifi Controller (I checked with the command "/usr/local/pf/bin/pfcmd cache switch_distributed list"). I don't know if there is some difference in adding every AP as a switch.

What do you mean by "valid certificate"? An HTTPS certificate for the captive portal?

I don't know how to configure the roles tab for the Unifi Controller in PF. I don't know how to construct the URL that goes in "Registration" in "Role Mapping by WebAuth URL". Did you configure the roles tab in your setup?

Thanks for your help

On Tue, 26 Oct 2021 at 10:10, Enrique Gross (<egr...@jcc-advance.com.ar>) wrote:

Hi Federico

We don't use webauth with Unifi, but I remember there was a post about this issue.

After adding the Unifi Controller to PF, have you tried to add the unifi APs as a switch (by mac address)? Also, have you got a valid certificate on PF?

On the unifi side I use "use secure portal option" and dns redirect option.

I have done a quick test on this, I'm redirected to the pf portal.

Enrique

On Mon, 25 Oct 2021 at 2:33, Federico Alberto Sayd via PacketFence-users (<packetfence-users@lists.sourceforge.net>) wrote:

Hello:

I am trying to configure Packetfence as a captive portal for a guest wifi network managed with Unifi Controller (WebAuth Enforcement).

I want to redirect my guest wifi users to the captive portal in PacketFence and authenticate them with Google Workspace LDAP.

I followed the Network Device Configuration Guide and I added Unifi Controller as a switch in Packetfence config. The connection between Unifi Controller and PF is working fine, I can retrieve the list of APs managed by Unifi Controller with the command "/usr/local/pf/bin/pfcmd cache switch_distributed list"

I added a second interface in PF and enabled the portal service on it. I configured the portal IP as an external guest portal on Unifi Controller.

Also, I configured Google Workspace LDAP as auth source. I didn't specify any rules because I want the same auth source for all users. In "Standard Connections Profile" I changed the default profile to point to Google-LDAP as auth source. When I preview the portal I can confirm the Google LDAP authentication is working fine.

But when I try to test the setup, the client's URL is rewritten to http://<PF-IP-PORTAL>/guest/s/default and PF shows a 501 error as follows:

Not Implemented GET Nos supported for current URL

I don't know if I have to configure the roles tab in the switch config and specify a webauth URL. What do I have to put in registration in "Role mapping by Web Auth URL"? Do I need to configure additional roles (by VLAN? by switch role, etc.)?

To be frank, I don't understand the roles config and I can't infer from the examples given in the installation guide.

Can you help me or provide me with some hint?

Thanks in advance.

Federico.

Additional info:

PacketFence: 11.0
OS: Debian 11
Unifi Controller: 6.0.45

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users