I've tested both Cisco and Unifi and the issue seems to lie with Connection profiles - when trying to do MAC/MAB authentication, it falls through to default profile, and never hits the MACAuth ones to check local DB credentials.
It just connects and gives the SSID VLAN assignment. The default profile doesn't have attributes to return, so that explains the behavior but not the solution to pick the correct connection profile?

Cory White
Sr. Network Engineer
904.735.1600
c...@xpodigital.com

On Thu, Jun 1, 2023 at 11:03 AM Cory White <c...@xpodigital.com> wrote:

> I seem to have run into another issue on MAC based Authentication - 802.1x w/ Dynamic tested and working on Cisco and Unifi. When I try to migrate our 'IoT Wireless' I am unable to get PF to MAC Auth onto the SSID. I have a MAC user/pw locally in PF but I don't think it ever hits/tries to look for it. Devices just spin trying to connect to the SSID. Audit shows device success and registered but only returns status 200 and no attributes and a self-assigned IP - never actually gets connected. There is nothing in the packetfence/radius logs other than 'Device OK'. I've tried different combinations of switches/nodes/nas and Connection Profiles with 'local' source hard-set, etc. to no avail. If I simply change the SSID RADIUS back to our freeRADIUS instance everything works as expected.
>
> Thanks in advance for any direction,
>
> Cory White
> Sr. Network Engineer
> 904.735.1600
> c...@xpodigital.com
>
> On Tue, May 30, 2023 at 9:37 AM Cory White <c...@xpodigital.com> wrote:
>
>> Fabrice -
>>
>> Much appreciated - after backtracking into the docs it was obvious I was trying to make something more complicated than needed! Once I rolled back what I 'thought' was needed, I was able to successfully test Cisco and Unifi Dynamic VLAN (802.1x) assignments against the local DB. I started testing/deploying Captive Portal and WebAuth with success as well. I plan to start playing with the portal modules/customizations after, hopefully, being successful in the iPSK (Dynamic PSK) deployment on Cisco infrastructure... all in all everything is on track to turn up an instance and deploy into production networks with some more vetting.
>>
>> Thank you for your quick reply...
>>
>> Cory White
>> Sr. Network Engineer
>> 904.735.1600
>> c...@xpodigital.com
>>
>> On Fri, May 26, 2023 at 3:58 PM Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>>> Hello Cory,
>>>
>>> Yes, of course you can use PacketFence local authentication without any Windows AD integration.
>>> There are multiple ways but the simplest is to use the local PacketFence database to authenticate the users.
>>> It's also possible to interact with an LDAP server to do the 802.1x authentication, and PacketFence also provides an internal PKI to do eap-tls auth.
>>>
>>> For the "Authentication Source RADIUS", it depends on how you use it: if it's on the portal then it will do PAP authentication, but you can also use the RADIUS source in the REALM section to proxy the request to another server.
>>>
>>> Btw I don't see any blocking point for you to use PacketFence, but I recommend starting with something simple (like mac-auth + portal, then 802.1x after).
>>>
>>> Regards
>>> Fabrice
>>>
>>> On Fri, May 26, 2023 at 3:13 PM Cory White via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> Hello -
>>>>
>>>> I've followed packetfence since 2015 but we never fully adopted its feature sets due to various reasons. Our original interest was for Captive Portals - but at the time it felt like overkill and we did not want in-band switch port management to deploy a simple 'coffee shop' portal.
>>>>
>>>> Times have changed and personally I thought Captive Portals would have died off in requests by now, but they are more prevalent now than ever with BYOD and user-initiated on-boarding.
>>>>
>>>> Since COVID we have shifted into various vertical markets and are finding the need to consolidate our deployments into a more scalable resource/deployment for various installs in these markets. Our requirements -
>>>>
>>>> - Portal Page and User management - whether manually onboarded/imported and/or through user initiated portal pages.
>>>> - MAC bypass - manually bypass portals for authorized MAC identified hosts. If there is a user onboarding for this as well through already AUTH credentials, that is a plus.
>>>> - 802.1X auth for dynamically assigned VLANs (w/ and w/o MAC filtering) over wireless only - mix of vendors Unifi, Peplink, Cisco, Meraki, etc. Common thread is that all are managed through a controller - no autonomous APs.
>>>>
>>>> We currently employ Mikrotik hotspots and Peplink InControl portals - depending on the installation router. User accounts are added via script, API, ssh, etc. manually, not by a user request/portal interaction. All dynamic VLAN assignments/RADIUS attributes (radchecks, radreply, radgroupreply, etc.) are handled in freeRADIUS based on user credentials - typically only a couple of VLAN options; most of these installs have no more than 5 total VLANs.
>>>>
>>>> I've spun up a VM of 12.2; the maturation is impressive, but documentation for our actual deployment needs to migrate from a freeRADIUS stand-alone DB is non-existent - at least from my searching in the last week. I understand the concepts (I believe); my big question is whether using just 'local to Packetfence install' freeRADIUS is possible as AUTH? We do not deploy anything Windows based - we are a UNIX/Open-Source/In-house DEV company. So AD is not an option; we do have some LDAP/freeRADIUS servers running for internal use (linux) but don't want to expose that cluster to end user accounts. I feel that the current version will suit our needs to do what we want for the most part and give us a unified platform, but I can't really seem to find any documentation to move forward on testing.
>>>>
>>>> Specific to "Authentication Source RADIUS" - docs seem to skim over this as an option, or it's possible I need to be looking elsewhere? Any direction is appreciated - I've been testing with UniFi (which I know Ubiquiti has its own issues with); I see it's a recent integration as well. I can see requests come in but always rejected auth in wrong eap/mschap (even though I've removed them as auth options). I also see my Internal RADIUS source constantly in 'wrong shared secret' (client localhost).
>>>>
>>>> I'm going to migrate to a Cisco test lab to verify it's not a tunnel/remote resource issue and keep everything in the same subnet (nodes/nas).
>>>>
>>>> Thank you for any assistance -
>>>>
>>>> Cory White
>>>>
>>>> Senior Network Engineer
>>>> 904-735-1600
>>>> c...@xpodigital.com
>>>> www.xpodigital.com
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
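The controllers in this thread only report "success" and a reply with no attributes, which makes it hard to tell whether the RADIUS server matched the MAC-auth connection profile at all. One way to take the controller out of the picture is to send the same kind of MAB Access-Request straight to the RADIUS port and inspect the raw answer. The script below is an added example, not code from this thread or from the PacketFence project: it encodes a MAB request with the standard library only (User-Name and User-Password set to the client MAC, Service-Type Call-Check, NAS-Port-Type Wireless-802.11, Called-Station-Id in the usual `<AP-MAC>:<SSID>` controller form), verifies the RFC 2865 Response Authenticator so a shared-secret or client-entry mismatch is reported instead of silently accepted, and decodes the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID trio that a VLAN-returning reply has to carry. The server address, shared secret, MACs and SSID are placeholders, and `build_vlan_accept` only constructs a sample reply for offline testing; it is not what PacketFence sends.

```python
"""Added diagnostic (not from the thread or PacketFence): craft the MAB
Access-Request a wireless controller sends (RFC 2865 encoding, RFC 2868 tunnel
attributes) and decode the VLAN carried in the reply, so the RADIUS answer can
be inspected independently of the controller. All MACs, SSIDs, secrets and
addresses used here are constructed placeholders."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE = 30, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CALL_CHECK, WIRELESS_80211, TUNNEL_VLAN, MEDIUM_802 = 10, 19, 13, 6  # IANA values

def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each block with an MD5 chain."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def decrypt_user_password(cipher, secret, authenticator):
    """Inverse of encrypt_user_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(code, value):  # type, length, value
    return struct.pack("!BB", code, len(value) + 2) + value

def _tagged_int(code, value, tag=1):  # RFC 2868 tagged integer: tag byte + 3-byte value
    return _attr(code, bytes([tag]) + value.to_bytes(3, "big"))

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_mab_request(mac, ssid, ap_mac, secret, ident=1, authenticator=None):
    """MAB as most controllers send it: User-Name and User-Password are the client
    MAC, Service-Type is Call-Check, Called-Station-Id is '<AP-MAC>:<SSID>'."""
    authenticator = authenticator or os.urandom(16)
    plain = mac.replace(":", "").replace("-", "").lower().encode()
    dashed = "-".join(plain[i:i + 2].decode().upper() for i in range(0, 12, 2))
    attrs = (_attr(USER_NAME, plain)
             + _attr(USER_PASSWORD, encrypt_user_password(plain, secret, authenticator))
             + _attr(SERVICE_TYPE, CALL_CHECK.to_bytes(4, "big"))
             + _attr(NAS_PORT_TYPE, WIRELESS_80211.to_bytes(4, "big"))
             + _attr(CALLING_STATION_ID, dashed.encode())
             + _attr(CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode()))
    return _packet(ACCESS_REQUEST, ident, authenticator, attrs)

def parse_attributes(packet):
    """Return [(type, value), ...]; tunnel attributes lose their RFC 2868 tag byte."""
    attrs, pos, length = [], 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        code, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) \
                and value and value[0] <= 0x1F:
            value = value[1:]  # a leading byte <= 0x1F is a tag, not data
        attrs.append((code, value))
        pos += alen
    return attrs

def vlan_from_reply(packet):
    """VLAN the NAS would apply, or None if the reply lacks the full VLAN trio."""
    a = dict(parse_attributes(packet))  # last copy of a repeated attribute wins
    ok = (packet[0] == ACCESS_ACCEPT and TUNNEL_PRIVATE_GROUP_ID in a
          and int.from_bytes(a.get(TUNNEL_TYPE, b""), "big") == TUNNEL_VLAN
          and int.from_bytes(a.get(TUNNEL_MEDIUM_TYPE, b""), "big") == MEDIUM_802)
    return a[TUNNEL_PRIVATE_GROUP_ID].decode() if ok else None

def response_authenticator(reply, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()

def build_vlan_accept(request, secret, vlan):
    """Constructed sample reply shaped like a VLAN-returning Access-Accept (test aid)."""
    attrs = (_tagged_int(TUNNEL_TYPE, TUNNEL_VLAN) + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_802)
             + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan.encode()))
    body = _packet(ACCESS_ACCEPT, request[1], b"\x00" * 16, attrs)
    return body[:4] + response_authenticator(body, request[4:20], secret) + body[20:]

def query(server, secret, mac, ssid, ap_mac, timeout=3.0):
    """Send one MAB request to server:1812; return (code, vlan, attrs) or raise."""
    req = build_mab_request(mac, ssid, ap_mac, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, 1812))
        reply, _ = s.recvfrom(4096)
    if reply[4:20] != response_authenticator(reply, req[4:20], secret):
        raise ValueError("Response Authenticator mismatch: shared secret or client entry is wrong")
    return reply[0], vlan_from_reply(reply), parse_attributes(reply)
```

Run it as `query("192.0.2.10", b"placeholder-secret", "aa:bb:cc:dd:ee:01", "IoT Wireless", "00-11-22-33-44-55")` with your own server, secret, a MAC that exists in the local database and the SSID string the controller puts in Called-Station-Id. A reply of code 2 with `vlan` equal to `None` reproduces the symptom in the thread (accept with no attributes), so the problem is on the profile/attribute side; a Response Authenticator mismatch means the secret or the client entry is wrong before any profile matching is worth investigating; and a timeout with nothing logged means the request never reached the server from that address.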