Hello Enrique,

No, at the moment I am not matching SSID or anything like that. However, I just enabled radius service on the trunk interface where PF talks to the Unifi AP and controller. Now when I try connecting a client to the open wifi I see the following in the logs.

Jul 19 11:26:14 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
Jul 19 11:26:17 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
Jul 19 11:26:23 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp

However, this unknown client, 10.2.0.6, is my Unifi AP added by MAC address. Do I need to remove it and add it via the controller using IP?

Warm regards,
Rexford A. Nyarko.

On Fri, Jul 19, 2024 at 6:12 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> And in your connection profile are you matching like SSID?
>
> On Thu, Jul 18, 2024 at 15:57, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>
>> Hello Enrique,
>>
>> Yes, they are all reachable one to the other, AP, Unifi controller and PF. This is quite weird for me considering the Web auth works fine without problems.
>> The radius server is using PF's IP. Apart from setting the radius password on the switch in PF and the Unifi controller, is there anything else I need to do for radius config?
>>
>> Warm regards,
>> Rexford A. Nyarko.
>>
>> On Thu, Jul 18, 2024 at 6:03 PM Enrique Gross <egr...@jcc-advance.com.ar> wrote:
>>
>>> Hi Rexford
>>>
>>> Try to troubleshoot connection between APs and Radius server IP (PF management address). Can you ICMP that IP address? The radius server you configured on the radius profile on Unifi controller, and applied to SSID.
>>>
>>> On Thu, Jul 18, 2024 at 14:48, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>
>>>> Hello Enrique,
>>>>
>>>> Thanks again for getting back to me.
>>>> Yes, I have mapped the VLAN ID on the switch config for the AP. But still, the client devices are unable to get an IP, so they just disconnect once you try to connect.
>>>>
>>>> I have also checked the logs, there isn't anything happening when I try to connect a client to the open SSID. I can't figure out what I am missing.
>>>>
>>>> Warm regards,
>>>> Rexford A. Nyarko.
>>>>
>>>> On Thu, Jul 18, 2024 at 4:07 PM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>>> Hi Rexford
>>>>>
>>>>> You don't need to put registration VLAN as default/untagged, registration vlan goes with tag.
>>>>>
>>>>> Have you mapped roles and VLAN ID on the switch config, on the PF side?
>>>>>
>>>>> Looking at packetfence.log will help you to know what is happening with the user/device when connecting to AP.
>>>>>
>>>>> Enrique
>>>>>
>>>>> On Thu, Jul 18, 2024 at 11:10, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>>>
>>>>>> Hello Enrique,
>>>>>> Thank you for your response.
>>>>>> Yes, I have the AP connected via Trunk. However the same still happens, clients are not able to connect to the Open network in order to access the registration portal.
>>>>>> Do I need to make the registration VLAN 20 the default/untagged VLAN on the trunk ports? In that case, the AP can directly communicate with PF on the default network. Thanks in advance.
>>>>>>
>>>>>> Warm regards,
>>>>>> Rexford A. Nyarko.
>>>>>>
>>>>>> On Wed, Jul 17, 2024 at 8:14 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>
>>>>>>> Hi Rexford
>>>>>>>
>>>>>>> Hope you are doing well
>>>>>>>
>>>>>>> When configuring SSID on the Unifi side with Radius, it is ok that you can not set VLAN 20 as registration. On the PF side, it's in the roles (Role mapping by VLAN ID) when configuring APs that you will set up your VLAN for registration, prod or other vlan. So, as long as registration vlan, prod, etc. vlans are vlan trunk to AP, that's fine.
>>>>>>>
>>>>>>> So, an unreg user will be evaluated upon connection, as the condition is unreg it will be placed on registration vlan that is defined on your Switch roles.
>>>>>>>
>>>>>>> Sorry for my bad English, hope it helps.
>>>>>>>
>>>>>>> Enrique.
>>>>>>>
>>>>>>> On Mon, Jul 15, 2024 at 5:22, Rexford Nyarko via PacketFence-users (<packetfence-users@lists.sourceforge.net>) wrote:
>>>>>>>
>>>>>>>> Hello All,
>>>>>>>>
>>>>>>>> First, my user environment consists mostly of Linux, Windows users and occasionally Mac. Network hardware consists of Cisco 2960 switches for LAN and Unifi AP AC Pro for wireless connectivity. I need to have an authentication setup such that users log in with their LDAP credentials and users are assigned VLANs based on their *memberOf* LDAP attribute.
>>>>>>>>
>>>>>>>> Here's what I have done so far:
>>>>>>>> 1. Installed PF 13.2 with two interfaces, 1 separate for management and another trunk with all VLAN interfaces added.
>>>>>>>> 2. Configured LDAP Authentication source
>>>>>>>> 3. Configured a connection Profile using the LDAP auth source.
>>>>>>>> 4. Added Unifi APs individually to PF via MAC Address. (Initially, I tried adding the controller IP method but that didn't work with some weird errors about not being able to instantiate Switch)
>>>>>>>> 5. Configured Unifi Controller and Wifi with guest profile and external Captive portal pointing to PF as instructed in the documentation.
>>>>>>>> 6. Enabled the captive portal and respective services on the trunk interface.
>>>>>>>> Up to this point everything works great. As soon as a user connects to the open SSID they get redirected to the captive portal on PF and authenticate successfully with LDAP. This works great, no problem. I intend to keep that and later change the auth source for guest Portal.
>>>>>>>>
>>>>>>>> Now I am trying to do vlan assignment. I followed the PF documentation for Ubiquiti to set up the controller with the Radius profile SSID and all. However, things are not working as expected. I am a bit confused here.
>>>>>>>> 1. I have created interfaces, registration VLAN - 20 and Isolation VLAN - 30 on the trunk interface.
>>>>>>>> 2. I also have added 3 other production VLANs where I manage DNS and DHCP
>>>>>>>> 3. The open SSID on unifi controller cannot be set to the Registration VLAN 20 when Radius is enabled. So there is no way to communicate with PF via the Registration VLAN, hence users cannot get IPs from PF on the open SSID and therefore cannot log in.
>>>>>>>> I need advice on how to get this working. Do I have to make the registration VLAN the native or default vlan on the trunk and configure the guest captive portal on a different vlan which I can assign in the unifi controller?
>>>>>>>>
>>>>>>>> Also, I have a problem where DNS queries on each vlan/subnet point to the PF interface outside that subnet, e.g. pf.example.com - 192.168.0.1/24 on registration vlan, and PF on captive portal vlan 40 the IP is 192.168.1.1/24, but DNS query from captive portal interface gives registration vlan IP of PF.
>>>>>>>> I would prefer that queries from each vlan would provide the respective PF interface on that vlan.
>>>>>>>> Any help is appreciated.
>>>>>>>>
>>>>>>>> Warm regards,
>>>>>>>> Rexford.
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
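
Added example (not part of the original thread and not PacketFence code): the "unknown client" lines quoted above name the sender only by source IP, so this sketch tallies them per IP and checks each against the IP or CIDR entries of a device inventory. The inventory values and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Log lines copied from the message above.
SAMPLE_LOG = """\
Jul 19 11:26:14 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
Jul 19 11:26:17 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
Jul 19 11:26:23 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
"""

# Constructed inventory (not the poster's real configuration): one AP listed
# by MAC address and one device listed by IP address.
SAMPLE_INVENTORY = ["00:11:22:33:44:55", "10.2.0.2"]

UNKNOWN_RE = re.compile(r"from unknown client (?P<ip>\S+) port \d+ proto \w+")

def unknown_clients(log_text):
    """Count ignored RADIUS requests per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            hits[m["ip"]] += 1
    return hits

def ip_networks(inventory):
    """Keep entries that parse as an IP or CIDR range. MAC entries are skipped:
    the log names the sender by source IP only, so a MAC cannot be compared."""
    nets = []
    for entry in inventory:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass
    return nets

def report(log_text, inventory):
    """Return {source_ip: (ignored_count, covered_by_an_ip_entry)}."""
    nets = ip_networks(inventory)
    result = {}
    for ip, count in unknown_clients(log_text).items():
        addr = ipaddress.ip_address(ip)
        result[ip] = (count, any(addr in net for net in nets))
    return result

if __name__ == "__main__":
    for ip, (count, covered) in report(SAMPLE_LOG, SAMPLE_INVENTORY).items():
        print(f"{ip}: {count} ignored requests, matching IP entry: {covered}")
```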