Hello All, @Enrique Gross <egr...@jcc-advance.com.ar>

1. I have two interfaces on my PF box. One is management (connected to a management DMZ) and the second interface is a trunk with all VLANs; that is the interface through which PF is connected to the Unifi APs and controller. I enabled the radius service on this interface and started getting the error in my previous mail.

2. No, my connection profile only checks for connection types for wireless clients. Due to the radius error ignoring requests from my APs, I decided to remove the AP added by MAC and this time add it by IP. Doing this eliminated that error. I now see auth requests reaching PF from the AP and the open network, which is good. However, from the logs it seems PF returns the unauthenticated client info to the AP with the registration VLAN, but somehow the client doesn't seem to get to the registration portal. I am not sure if Unifi is placing the client in the right VLAN. Below are the logs.

Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] handling radius autz request: from switch_ip => (10.2.0.6), connection_type => Wireless-802.11-NoEAP, switch_mac => (74:83:c2:84:e2:29), mac => [b6:da:e2:07:07:84], port => 0, username => "b6:da:e2:07:07:84", ssid => testing_vlan (pf::radius::authorize)
Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] Instantiate profile VlanEnforcement-Registration (pf::Connection::ProfileFactory::_from_profile)
Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] (10.2.0.6) Added VLAN 20 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 20 20:01:09 controller auth[139176]: (6582) Login OK: [b6:da:e2:07:07:84] (from client 10.2.0.6/32 port 0 cli b6:da:e2:07:07:84)

Is there a way I could check what's happening on the Unifi controller or AP stack?

Warm regards,
Rexford A. Nyarko.

On Sat, Jul 20, 2024 at 8:46 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hi Rexford, sorry I don't understand where you enabled Radius.
>
> It's ok to add APs by IP address on the pf side.
>
> I was asking about the connection profile to check if it's matching a condition for devices connecting to your open ssid.
>
> On Fri, 19 Jul 2024 at 08:52, Rexford Nyarko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>> Hello Enrique,
>> No, at the moment I am not matching SSID or anything like that.
>> However, I just enabled the radius service on the trunk interface where PF talks to the unifi AP and controller. Now when I try connecting a client to the open wifi I see the following in the logs.
>>
>> Jul 19 11:26:14 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
>> Jul 19 11:26:17 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
>> Jul 19 11:26:23 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
>>
>> However, this unknown client 10.2.0.6 is my Unifi AP added by MAC address.
>> Do I need to remove it and add it via the controller using IP?
>>
>> Warm regards,
>> Rexford A. Nyarko.
>>
>> On Fri, Jul 19, 2024 at 6:12 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>> And in your connection profile are you matching like SSID?
>>>
>>> On Thu, 18 Jul 2024 at 15:57, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>> Hello Enrique,
>>>>
>>>> Yes, they are all reachable one to the other: AP, Unifi controller and PF. This is quite weird for me considering the web auth works fine without problems.
>>>> The radius server is using PF's IP. Apart from setting the radius password on the switch in PF and the Unifi controller, is there anything else I need to do for the radius config?
>>>>
>>>> Warm regards,
>>>> Rexford A. Nyarko.
>>>>
>>>> On Thu, Jul 18, 2024 at 6:03 PM Enrique Gross <egr...@jcc-advance.com.ar> wrote:
>>>>> Hi Rexford
>>>>>
>>>>> Try to troubleshoot the connection between APs and the Radius server IP (PF management address). Can you ICMP that ip address? The radius server you configured on the radius profile on the Unifi controller, and applied to the SSID.
>>>>>
>>>>> On Thu, 18 Jul 2024 at 14:48, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>>>> Hello Enrique,
>>>>>>
>>>>>> Thanks again for getting back to me.
>>>>>> Yes, I have mapped the VLAN ID on the switch config for the AP. But still, the client devices are unable to get an IP, so they just disconnect once you try to connect.
>>>>>>
>>>>>> I have also checked the logs; there isn't anything happening when I try to connect a client to the open SSID. I can't figure out what I am missing.
>>>>>>
>>>>>> Warm regards,
>>>>>> Rexford A. Nyarko.
>>>>>>
>>>>>> On Thu, Jul 18, 2024 at 4:07 PM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>> Hi Rexford
>>>>>>>
>>>>>>> You don't need to put the registration VLAN as default/untagged; the registration vlan goes with a tag.
>>>>>>>
>>>>>>> Have you mapped roles and VLAN ID on the switch config, on the PF side?
>>>>>>>
>>>>>>> Looking at packetfence.log will help you to know what is happening with the user/device when connecting to the AP.
>>>>>>>
>>>>>>> Enrique
>>>>>>>
>>>>>>> On Thu, 18 Jul 2024 at 11:10, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>>>>>> Hello Enrique,
>>>>>>>> Thank you for your response.
>>>>>>>> Yes, I have the AP connected via trunk. However, the same still happens: clients are not able to connect to the open network in order to access the registration portal.
>>>>>>>> Do I need to make the registration VLAN 20 the default/untagged VLAN on the trunk ports? In that case, the AP can directly communicate with PF on the default network. Thanks in advance.
>>>>>>>>
>>>>>>>> Warm regards,
>>>>>>>> Rexford A. Nyarko.
>>>>>>>>
>>>>>>>> On Wed, Jul 17, 2024 at 8:14 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>> Hi Rexford
>>>>>>>>>
>>>>>>>>> Hope you are doing well
>>>>>>>>>
>>>>>>>>> When configuring the SSID on the Unifi side with Radius, it is ok that you can not set VLAN 20 as registration. On the PF side, it's in the roles (Role mapping by VLAN ID) when configuring APs that you will set up your VLAN for registration, prod or other vlan. So, as long as the registration vlan, prod, etc. vlans are trunked to the AP, that's fine.
>>>>>>>>>
>>>>>>>>> So, an unreg user will be evaluated upon connection; as the condition is unreg it will be placed on the registration vlan that is defined on your switch roles.
>>>>>>>>>
>>>>>>>>> Sorry for my bad english, hope it helps.
>>>>>>>>>
>>>>>>>>> Enrique.
>>>>>>>>>
>>>>>>>>> On Mon, 15 Jul 2024 at 5:22, Rexford Nyarko via PacketFence-users (<packetfence-users@lists.sourceforge.net>) wrote:
>>>>>>>>>> Hello All,
>>>>>>>>>>
>>>>>>>>>> First, my user environment consists mostly of Linux and Windows users and occasionally Mac. Network hardware consists of Cisco 2960 switches for LAN and Unifi AP AC Pro for wireless connectivity. I need to have an authentication setup such that users log in with their LDAP credentials and users are assigned VLANs based on their *memberOf* LDAP attribute.
>>>>>>>>>>
>>>>>>>>>> Here's what I have done so far:
>>>>>>>>>> 1. Installed PF 13.2 with two interfaces, one separate for management and another trunk with all VLAN interfaces added.
>>>>>>>>>> 2. Configured LDAP authentication source.
>>>>>>>>>> 3. Configured a connection profile using the LDAP auth source.
>>>>>>>>>> 4. Added Unifi APs individually to PF via MAC address. (Initially, I tried adding the controller IP method but that didn't work, with some weird errors about not being able to instantiate Switch.)
>>>>>>>>>> 5. Configured Unifi Controller and Wifi with guest profile and external captive portal pointing to PF as instructed in the documentation.
>>>>>>>>>> 6. Enabled the captive portal and respective services on the trunk interface.
>>>>>>>>>> Up to this point everything works great. As soon as a user connects to the open SSID they get redirected to the captive portal on PF and authenticate successfully with LDAP. This works great, no problem. I intend to keep that and later change the auth source for the guest portal.
>>>>>>>>>>
>>>>>>>>>> Now I am trying to do vlan assignment. I followed the PF documentation for Ubiquiti to set up the controller with the Radius profile, SSID and all. However, things are not working as expected. I am a bit confused here.
>>>>>>>>>> 1. I have created interfaces, registration VLAN - 20 and isolation VLAN - 30, on the trunk interface.
>>>>>>>>>> 2. I also have added 3 other production VLANs where I manage DNS and DHCP.
>>>>>>>>>> 3. The open SSID on the unifi controller cannot be set to the registration VLAN 20 when Radius is enabled. So there is no way to communicate with PF via the registration VLAN, hence users cannot get IPs from PF on the open SSID and therefore cannot log in.
>>>>>>>>>> I need advice on how to get this working. Do I have to make the registration VLAN the native or default vlan on the trunk and configure the guest captive portal on a different vlan which I can assign in the unifi controller?
>>>>>>>>>>
>>>>>>>>>> Also, I have a problem where DNS queries on each vlan/subnet point to the PF interface outside that subnet. E.g. pf.example.com is 192.168.0.1/24 on the registration vlan, and for PF on captive portal vlan 40 the IP is 192.168.1.1/24, but a DNS query from the captive portal interface gives the registration vlan IP of PF.
>>>>>>>>>> I would prefer that queries from each vlan would provide the respective PF interface on that vlan.
>>>>>>>>>> Any help is appreciated.
>>>>>>>>>>
>>>>>>>>>> Warm regards,
>>>>>>>>>> Rexford.
>>>>>>>>>> _______________________________________________
>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
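As an added example (not code from the thread or from PacketFence itself), the following Python script parses the two kinds of log lines pasted in this thread, the FreeRADIUS "Ignoring request ... from unknown client" rejection and the httpd.aaa authorization trail, and reports which RADIUS sources PF does not know as switches and which VLAN each unregistered client was actually sent to. The sample lines are copied from the thread; the registration VLAN of 20 and the remediation hints are assumptions based on the thread.

```python
import re
from collections import defaultdict

# Sample lines taken from the thread above (one "unknown client" line and the httpd.aaa trail).
SAMPLE_LOG = """\
Jul 19 11:26:14 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] handling radius autz request: from switch_ip => (10.2.0.6), connection_type => Wireless-802.11-NoEAP, switch_mac => (74:83:c2:84:e2:29), mac => [b6:da:e2:07:07:84], port => 0, username => "b6:da:e2:07:07:84", ssid => testing_vlan (pf::radius::authorize)
Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] (10.2.0.6) Added VLAN 20 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 20 20:01:09 controller auth[139176]: (6582) Login OK: [b6:da:e2:07:07:84] (from client 10.2.0.6/32 port 0 cli b6:da:e2:07:07:84)
"""

# Patterns for the line shapes seen in the thread (FreeRADIUS and PacketFence httpd.aaa).
UNKNOWN_CLIENT = re.compile(r"Ignoring request .* from unknown client (\S+) port")
AUTHZ = re.compile(r"\[mac:([0-9a-f:]{17})\] handling radius autz request: from switch_ip => \(([^)]+)\).*?ssid => (\S+) \(")
STATUS = re.compile(r"\[mac:([0-9a-f:]{17})\] is of status (\w+);")
VLAN = re.compile(r"\[mac:([0-9a-f:]{17})\] \(([^)]+)\) Added VLAN (\d+) to the returned RADIUS Access-Accept")
LOGIN_OK = re.compile(r"Login OK: \[([0-9a-f:]{17})\]")

def analyze(log_text):
    """Return (unknown_clients, sessions): RADIUS sources FreeRADIUS dropped, and per-MAC decisions PF made."""
    unknown = set()
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        if m := UNKNOWN_CLIENT.search(line):
            unknown.add(m.group(1))
        elif m := AUTHZ.search(line):
            sessions[m.group(1)].update(switch_ip=m.group(2), ssid=m.group(3))
        elif m := STATUS.search(line):
            sessions[m.group(1)]["status"] = m.group(2)
        elif m := VLAN.search(line):
            sessions[m.group(1)]["vlan"] = int(m.group(3))
        elif m := LOGIN_OK.search(line):
            sessions[m.group(1)]["accepted"] = True
    return unknown, dict(sessions)

def findings(log_text, registration_vlan=20):
    """Checks a troubleshooter wants: unknown RADIUS sources (AP not defined as a switch by IP),
    and whether each unreg client really got the registration VLAN (20 is assumed, as in the thread)."""
    unknown, sessions = analyze(log_text)
    out = [f"RADIUS source {ip} is not a known PF switch: add it by IP in the switch configuration" for ip in sorted(unknown)]
    for mac, s in sessions.items():
        if s.get("status") == "unreg" and s.get("vlan") != registration_vlan:
            out.append(f"{mac}: unreg but VLAN {s.get('vlan')} returned, expected {registration_vlan}")
        elif s.get("accepted"):
            out.append(f"{mac}: Access-Accept with VLAN {s.get('vlan')} sent to {s.get('switch_ip')}; PF side is complete, verify VLAN {s.get('vlan')} is tagged on the trunk to the AP and hands out DHCP")
    return out
```

Run it over a fresh packetfence.log and radius.log slice when a client cannot reach the portal: an empty unknown set plus an accepted session with the right VLAN narrows the problem to the AP/controller side.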