I seem to have run into another issue on MAC-based authentication - 802.1x
w/ Dynamic tested and working on Cisco and Unifi. When I try to migrate our
'IoT Wireless' I am unable to get PF to MAC Auth onto the SSID. I have a
MAC user/pw locally in PF but I don't think it ever hits/tries to look for
it. Devices just spin trying to connect to the SSID. Audit shows device
success and registered but only returns status 200 and no attributes and
self-assigned IP - never actually get connected. There is nothing in the
packetfence/radius logs other than 'Device OK'. I've tried
different combinations of switches/nodes/nas and Connection Profiles with
'local' source hard-set, etc. to no avail. If I simply change the SSID RADIUS
back to our freeRADIUS instance everything works as expected.

Thanks in advance for any direction,

Cory White
Sr. Network Engineer
904.735.1600
c...@xpodigital.com


On Tue, May 30, 2023 at 9:37 AM Cory White <c...@xpodigital.com> wrote:

> Fabrice -
>
> Much appreciated - after backtracking into the docs it was obvious I was
> trying to make something more complicated than needed! Once I rolled back
> what I 'thought' was needed, I was able to successfully test Cisco and
> Unifi Dynamic VLAN (802.1x) assignments against local DB. I started
> testing/deploying Captive Portal and WebAuth with success as well. I plan
> to start playing with the portal modules/customizations after, hopefully,
> being successful in the iPSK (Dynamic PSK) deployment on Cisco
> infrastructure. All in all, everything is on track to turn up an instance
> and deploy into production networks with some more vetting.
>
> Thank you for your quick reply....
>
> Cory White
> Sr. Network Engineer
> 904.735.1600
> c...@xpodigital.com
>
>
> On Fri, May 26, 2023 at 3:58 PM Fabrice Durand <oeufd...@gmail.com> wrote:
>
>> Hello Cory,
>>
>> Yes, of course you can use PacketFence local authentication without any
>> Windows AD integration.
>> There are multiple ways but the simplest is to use the local PacketFence
>> database to authenticate the users.
>> It's also possible to interact with a LDAP server to do the 802.1x
>> authentication and PacketFence also provides an internal PKI to do EAP-TLS
>> auth.
>>
>> For the "Authentication Source RADIUS", it depends how you use it, if
>> it's on the portal then it will do PAP authentication, but you can also use
>> the RADIUS source in the REALM section to proxy the request to another
>> server.
>>
>> By the way, I don't see any blocking point for you to use PacketFence, but I
>> recommend starting with something simple (like mac-auth + portal then
>> 802.1x after).
>>
>> Regards
>> Fabrice
>>
>>
>>
>> On Fri, 26 May 2023 at 15:13, Cory White via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello -
>>>
>>> I've followed packetfence since 2015 but we never fully adopted its
>>> feature sets due to various reasons. Our original interest was for Captive
>>> Portals - but at the time it felt like overkill and we did not want in-band
>>> switch port management to deploy a simple 'coffee shop' portal.
>>>
>>> Times have changed and personally I thought Captive Portals would have
>>> died off in requests by now but they are more prevalent now than ever with
>>> BYOD and user-initiated on-boarding.
>>>
>>> Since COVID we have shifted into various vertical markets and are
>>> finding the need to consolidate our deployments into a more scalable
>>> resource/deployment for various installs in these markets. Our requirements
>>> -
>>>
>>>    - Portal Page and User management - whether manually
>>>    onboarded/import and/or through user initiated portal pages.
>>>    - MAC bypass - manually bypass portals for authorized MAC identified
>>>    hosts. If there is a user onboarding for this as well through already
>>>    AUTH credentials that is a plus.
>>>    - 802.1X auth for dynamically assigned VLANs (w/ and w/o MAC
>>>    filtering) over wireless only - mix of vendors Unifi, Peplink, Cisco,
>>>    Meraki, etc. Common thread is that all are managed through a controller -
>>>    no autonomous APs.
>>>
>>> We currently employ Mikrotik hotspots and Peplink InControl portals -
>>> depending on the installation router. User accounts are added via script,
>>> API, ssh, etc manually not by a user request/portal interaction. All
>>> dynamic VLAN assignments/RADIUS attributes (radchecks, radreply,
>>> radgroupreply,etc) are handled in freeRADIUS based on user credentials -
>>> typically only a couple of VLAN options, most of these installs have no more
>>> than 5 total VLANs.
>>>
>>> I've spun up a VM of 12.2, the maturation is impressive but
>>> documentation for our actual deployment needs to migrate from freeRADIUS
>>> stand-alone DB is non-existent - at least from my searching in the last
>>> week. I understand the concepts (I believe); my big question is: is using just
>>> the 'local to PacketFence install' freeRADIUS possible as AUTH? We do not
>>> deploy anything Windows based - we are a UNIX/Open-Source/In-house DEV
>>> company. So AD is not an option, we do have some LDAP/freeRADIUS servers
>>> running for internal use (linux) but don't want to expose that cluster to
>>> end user accounts. I feel that the current version will suit our needs to
>>> do what we want for the most part and give us a unified platform; but can't
>>> really seem to find any documentation to move forward on testing.
>>>
>>> Specific to "Authentication Source RADIUS" - docs seem to skim over this
>>> as an option or its possible I need to be looking elsewhere? Any direction
>>> is appreciated - I've been testing with UniFi (which I know Ubiquiti has
>>> its own issues), I see it's a recent integration as well. I can see request
>>> come in but always rejected auth in wrong EAP/MSCHAP (even though I've
>>> removed them as auth options). I also see my Internal RADIUS source
>>> constantly in 'wrong shared secret' ( client localhost).
>>>
>>> I'm going to migrate to a Cisco test lab to verify its not a tunnel,
>>> remote resource issue and keep everything in the same subnet (nodes/nas).
>>>
>>> Thank you for any assistance -
>>>
>>> Cory White
>>>
>>> Senior Network Engineer
>>> 904-735-1600
>>> c...@xpodigital.com
>>> www.xpodigital.com
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
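Two of the symptoms in this thread (an Access-Accept that comes back "OK" but with no attributes, and a "wrong shared secret" complaint) are properties of the RADIUS packets themselves and can be reproduced off-line. The Python below is an added example, not code from the thread or from PacketFence/FreeRADIUS. It builds the Access-Request a wireless NAS sends for MAC auth in the Cisco MAB style (User-Name and User-Password both set to the MAC, Service-Type Call-Check; other vendors format these differently, which is what the switch/NAS type in PacketFence has to match), verifies the Response Authenticator on the reply (the client-side way a shared-secret mismatch shows up), and checks an Access-Accept for the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple that a dynamic VLAN needs. An Accept without them is still a valid accept, so a log that only shows success says nothing about VLAN assignment. The MAC, the shared secret and the server replies are constructed here.

```python
"""RADIUS MAC-auth round trip (RFC 2865/2868); server replies are constructed stand-ins."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR = {"User-Name": 1, "User-Password": 2, "Service-Type": 6, "Calling-Station-Id": 31,
        "NAS-Port-Type": 61, "Tunnel-Type": 64, "Tunnel-Medium-Type": 65,
        "Tunnel-Private-Group-ID": 81}
ATTR_NAME = {v: k for k, v in ATTR.items()}
SERVICE_TYPE_CALL_CHECK, NAS_PORT_TYPE_WIRELESS = 10, 19   # Call-Check, Wireless-802.11
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6                  # RFC 2868 values

def _tlv(attr_type, value):
    """One attribute: Type, Length (header included), Value; at most 253 value octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = RequestAuth."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_mac_auth_request(mac, secret, ident=1, request_auth=None):
    """Access-Request for MAC auth in the Cisco MAB style assumed here (User-Name and
    User-Password both carry the MAC, Service-Type Call-Check); other vendors differ."""
    hexmac = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(hexmac) != 12 or set(hexmac) - set("0123456789abcdef"):
        raise ValueError("not a MAC address: %r" % mac)
    request_auth = request_auth or os.urandom(16)
    dashed = "-".join(hexmac[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (_tlv(ATTR["User-Name"], hexmac.encode())
             + _tlv(ATTR["User-Password"], encrypt_password(hexmac, secret, request_auth))
             + _tlv(ATTR["Service-Type"], struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + _tlv(ATTR["Calling-Station-Id"], dashed.encode())
             + _tlv(ATTR["NAS-Port-Type"], struct.pack("!I", NAS_PORT_TYPE_WIRELESS)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_reply(code, request, secret, attrs=b""):
    """Constructed server side: ResponseAuth = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def vlan_attrs(vlan_id, tag=1):
    """The three attributes an Access-Accept needs for the NAS to move the client to a VLAN."""
    def tagged_int(value):                      # RFC 2868: tag octet + three value octets
        return bytes([tag]) + struct.pack("!I", value)[1:]
    return (_tlv(ATTR["Tunnel-Type"], tagged_int(TUNNEL_TYPE_VLAN))
            + _tlv(ATTR["Tunnel-Medium-Type"], tagged_int(TUNNEL_MEDIUM_802))
            + _tlv(ATTR["Tunnel-Private-Group-ID"], bytes([tag]) + str(vlan_id).encode()))

def parse_attributes(payload):
    """Split the attribute area into (type, value) pairs, rejecting truncated or overlong TLVs."""
    attrs, pos = [], 0
    while pos < len(payload):
        length = payload[pos + 1] if pos + 2 <= len(payload) else 0
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((payload[pos], payload[pos + 2:pos + length]))
        pos += length
    return attrs

def verify_response(reply, request_auth, secret):
    """False when the server signed with a different shared secret (or the reply was altered)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def vlan_assignment(reply, request_auth, secret):
    """{'code', 'vlan', 'attrs'}; 'vlan' is None when an Accept carries no usable tunnel
    attributes, so the NAS has nothing to override the SSID's configured VLAN with."""
    if not verify_response(reply, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: shared secret differs from the server's")
    found = {}
    for t, v in parse_attributes(reply[20:]):
        name = ATTR_NAME.get(t)
        if name in ("Tunnel-Type", "Tunnel-Medium-Type") and len(v) == 4:
            found[name] = int.from_bytes(v[1:], "big")             # drop the tag octet
        elif name == "Tunnel-Private-Group-ID" and v:
            found[name] = (v[1:] if v[0] <= 0x1F else v).decode()  # octet <= 0x1F is a tag
    usable = (found.get("Tunnel-Type") == TUNNEL_TYPE_VLAN and "Tunnel-Private-Group-ID" in found
              and found.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_802)
    return {"code": reply[0], "vlan": found["Tunnel-Private-Group-ID"] if usable else None, "attrs": found}

if __name__ == "__main__":
    secret = b"testing123"                                  # constructed shared secret
    req, ra = build_mac_auth_request("AA:BB:CC:DD:EE:FF", secret)
    print(vlan_assignment(build_reply(ACCESS_ACCEPT, req, secret, vlan_attrs(30)), ra, secret))
    print(vlan_assignment(build_reply(ACCESS_ACCEPT, req, secret), ra, secret))   # 'vlan': None
    print(verify_response(build_reply(ACCESS_ACCEPT, req, secret), ra, b"wrong"))  # False
```

Against a live setup the same check applies to the real reply: capture the exchange on the PacketFence host (tcpdump on UDP/1812, or radsniff from the FreeRADIUS utilities) and look at whether the Accept carries all three tunnel attributes with matching tags, not just whether the code was Accept. An Access-Request whose User-Password decrypts to garbage on the server, or whose reply fails verify_response on the client, is the packet-level form of a shared-secret mismatch, and the client definition (NAS IP, including 127.0.0.1 for local test tools) has to match on both ends.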
