Re: [PacketFence-users] Unifi switch CoA support
Well, it works with 802.1X, but I have an issue for devices not managed by IT. I configured the switch to fall back to the registration VLAN when 802.1X is not supported by the device. The guest gets access to the captive portal and can authenticate, but PF is unable to tell the switch to change the port to the guest VLAN, so the guest is stuck inside the registration VLAN.

I found an old post [1] on the Ubiquiti forums saying the switch doesn't support VLAN configuration over SNMP. Not sure if this is still true today.

1. https://community.ui.com/questions/Change-VLAN-on-Port-via-SNMP-or-API/bb84fa27-7321-48d2-9752-4819f6308f43

I understand that when doing 802.1X, the switch gets the VLAN from the RADIUS server, so there is no SNMP involved, contrary to my guest registration scenario.

This is my packetfence.log when trying to register a guest wired client:

Mar 27 13:00:23 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Mar 27 13:00:24 nac pfqueue[2509762]: pfqueue(2509762) INFO: [mac:unknown] Database /usr/local/fingerbank/db/fingerbank_Local.db was changed or handles weren't initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
Mar 27 13:00:24 nac pfqueue[2509762]: pfqueue(2509762) WARN: [mac:unknown] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
Mar 27 13:00:24 nac pfqueue[2509762]: pfqueue(2509762) INFO: [mac:unknown] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
Mar 27 13:00:24 nac pfqueue[2509762]: pfqueue(2509762) INFO: [mac:unknown] Successfully interrogate upstream Fingerbank project for matching. Got device : 7406 (fingerbank::Source::Collector::match)
Mar 27 13:00:24 nac pfqueue[2509762]: pfqueue(2509762) INFO: [mac:00:24:32:xx:xx:xx] Database /usr/local/fingerbank/db/fingerbank_Upstream.db was changed or handles weren't initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
Mar 27 13:00:24 nac pfqueue[2509762]: pfqueue(2509762) WARN: [mac:00:24:32:xx:xx:xx] Unable to pull accounting history for device 00:24:32:xx:xx:xx. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Found authentication source(s) : 'Utilisateurs-AD' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Authenticating user using sources : Utilisateurs-AD (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] [Utilisateurs-AD] Authentication successful for testuserid (pf::Authentication::Source::LDAPSource::authenticate)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Authentication successful for testuserid in source Utilisateurs-AD (AD) (pf::authentication::authenticate)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] User testuserid has authenticated on the portal. (captiveportal::PacketFence::DynamicRouting::Module::_username_set)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Found source Utilisateurs-AD in session. (Class::MOP::Class:::around)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Found source Utilisateurs-AD in session. (Class::MOP::Class:::around)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Successfully authenticated testuserid (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Found source Utilisateurs-AD in session. (Class::MOP::Class:::around)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Found source Utilisateurs-AD in session. (Class::MOP::Class:::around)
Mar 27 13:00:25 nac pfqueue[2509585]: pfqueue(2509585) INFO: [mac:unknown] Already did a person lookup for testuserid (pf::lookup::person::lookup_person)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] Found source Utilisateurs-AD in session. (Class::MOP::Class:::around)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) WARN: [mac:00:24:32:xx:xx:xx] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO:
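When triaging a stuck registration like the one above, the useful view is the per-MAC timeline: which modules logged after the portal login succeeded, and which lines were warnings. The following is an added example written for this thread, not PacketFence code. It parses the packetfence.log line layout seen in the excerpt (`<Mon DD HH:MM:SS> <host> <proc>[<pid>]: <prog>(<pid>) <LEVEL>: [mac:<mac>] <message> (<perl module>)`); that layout is inferred from the posted lines and is an assumption. The sample lines are a trimmed copy of the excerpt posted above, with the MAC masked as in the post.

```python
"""Group PacketFence log lines into per-MAC timelines (added example, not PF code)."""
import re
from collections import defaultdict

# Layout inferred from the posted excerpt (assumption):
# <Mon DD HH:MM:SS> <host> <proc>[<pid>]: <prog>(<pid>) <LEVEL>: [mac:<mac>] <message> (<perl module>)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<prog>\S+?)\((?P<ppid>\d+)\) (?P<level>[A-Z]+): \[mac:(?P<mac>[^\]]+)\] "
    r"(?P<msg>.*?) \((?P<module>[^()\s]+)\)$"
)

# Trimmed copy of the log excerpt posted in the thread (MAC masked as in the post).
SAMPLE_LINES = [
    "Mar 27 13:00:23 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] "
    "Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)",
    "Mar 27 13:00:24 nac pfqueue[2509762]: pfqueue(2509762) WARN: [mac:unknown] "
    "Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)",
    "Mar 27 13:00:24 nac pfqueue[2509762]: pfqueue(2509762) WARN: [mac:00:24:32:xx:xx:xx] "
    "Unable to pull accounting history for device 00:24:32:xx:xx:xx. The history set doesn't exist yet. "
    "(pf::accounting_events_history::latest_mac_history)",
    "Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] "
    "[Utilisateurs-AD] Authentication successful for testuserid (pf::Authentication::Source::LDAPSource::authenticate)",
    "Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) INFO: [mac:00:24:32:xx:xx:xx] "
    "User testuserid has authenticated on the portal. (captiveportal::PacketFence::DynamicRouting::Module::_username_set)",
    "Mar 27 13:00:25 nac httpd.portal-docker-wrapper[6904]: httpd.portal(1056) WARN: [mac:00:24:32:xx:xx:xx] "
    "Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)",
]


def parse_line(line):
    """Return the named fields of one log line, or None when it does not fit the layout."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def timelines(lines):
    """Group events by MAC in log order; lines that do not parse are returned, not dropped silently."""
    by_mac, unparsed = defaultdict(list), []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed.append(line)
        else:
            by_mac[event["mac"]].append(event)
    return dict(by_mac), unparsed


def warnings_for(events):
    """Only the WARN/ERROR entries of one MAC's timeline."""
    return [e for e in events if e["level"] in ("WARN", "ERROR")]


def modules_after(events, marker):
    """Modules that logged for this MAC after the first message containing `marker`,
    e.g. marker="has authenticated on the portal" shows what PF did once the login succeeded."""
    index = next((i for i, e in enumerate(events) if marker in e["msg"]), None)
    return [] if index is None else [e["module"] for e in events[index + 1:]]


if __name__ == "__main__":
    by_mac, unparsed = timelines(SAMPLE_LINES)
    for mac, events in by_mac.items():
        print(mac, "warnings:", [e["msg"] for e in warnings_for(events)])
        print(mac, "after portal login:", modules_after(events, "has authenticated on the portal"))
    print("unparsed lines:", len(unparsed))
```

Feed it the full log with `timelines(open("/usr/local/pf/logs/packetfence.log"))` (path assumed) and look at `modules_after(...)` for the guest's MAC: if no switch-side module ever appears after the portal login, the re-evaluation never reached the switch, which is the symptom described above.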
Re: [PacketFence-users] Unifi switch CoA support
Oh, great! I was able to enable CoA for a Unifi AP with the legacy UI, then I was able to configure PF. My PF configuration now works great to manage a Wi-Fi network.

Now I wonder if CoA is also supported for Unifi switches/wired networks? I would like to use 802.1X with device authentication and a captive portal for guest users. Can I use Unifi switches with PF? I can successfully authenticate my device to the RADIUS server with 802.1X, but without CoA support, I understand that PF is unable to move the device to the required VLAN (my device gets no IP from the DHCP server).

Thank you!

On Tue, Mar 14, 2023 at 16:08, Fabrice Durand wrote:
> Hello Francis,
>
> If I am not wrong, you should be able to see the option if you switch to the legacy view of the controller.
> Also you can connect on the AP (ssh) and see if the port 3799 UDP is listening.
>
> Regards
>
> Fabrice
>
> On Tue, Mar 14, 2023 at 15:50, Francis via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>> Hello,
>>
>> I wonder if someone is using Unifi switches with PacketFence? I understand I need to activate CoA support to make it work with PF.
>>
>> I found release notes that say it was added by Ubiquiti in version 5.12.22 of Unifi Controller. I found old screenshots that show the options, but I fail to find it in the newest version (Unifi controller 7.3.83 with all firmware up to date).
>>
>> I found some posts in the UI forums of others wondering the same thing, but they never got answers, and Ubiquiti support failed to reply to my ticket for almost a week. So I wonder... maybe they just silently dropped CoA support?
>>
>> Thanks!
>>
>> --
>> Francis
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Unifi switch CoA support
Based on the code, it's not supported (I did it a long time ago) and you have to use the SNMP method to reevaluate the access. BTW, if you are able to configure it on the switch side, then the PacketFence switch module will need to be adapted.

Regards

Fabrice

On Wed, Mar 15, 2023 at 16:29, Francis wrote:
> Oh, great! I was able to enable CoA for a Unifi AP with the legacy UI, then I was able to configure PF. My PF configuration now works great to manage a Wi-Fi network.
>
> Now I wonder if CoA is also supported for Unifi switches/wired networks? I would like to use 802.1X with device authentication and a captive portal for guest users. Can I use Unifi switches with PF? I can successfully authenticate my device to the RADIUS server with 802.1X, but without CoA support, I understand that PF is unable to move the device to the required VLAN (my device gets no IP from the DHCP server).
>
> Thank you!
>
> On Tue, Mar 14, 2023 at 16:08, Fabrice Durand wrote:
>> Hello Francis,
>>
>> If I am not wrong, you should be able to see the option if you switch to the legacy view of the controller.
>> Also you can connect on the AP (ssh) and see if the port 3799 UDP is listening.
>>
>> Regards
>>
>> Fabrice
>>
>> On Tue, Mar 14, 2023 at 15:50, Francis via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>> Hello,
>>>
>>> I wonder if someone is using Unifi switches with PacketFence? I understand I need to activate CoA support to make it work with PF.
>>>
>>> I found release notes that say it was added by Ubiquiti in version 5.12.22 of Unifi Controller. I found old screenshots that show the options, but I fail to find it in the newest version (Unifi controller 7.3.83 with all firmware up to date).
>>>
>>> I found some posts in the UI forums of others wondering the same thing, but they never got answers, and Ubiquiti support failed to reply to my ticket for almost a week. So I wonder... maybe they just silently dropped CoA support?
>>>
>>> Thanks!
>>>
>>> --
>>> Francis
Re: [PacketFence-users] Unifi switch CoA support
Hello Francis,

If I am not wrong, you should be able to see the option if you switch to the legacy view of the controller.
Also you can connect on the AP (ssh) and see if the port 3799 UDP is listening.

Regards

Fabrice

On Tue, Mar 14, 2023 at 15:50, Francis via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hello,
>
> I wonder if someone is using Unifi switches with PacketFence? I understand I need to activate CoA support to make it work with PF.
>
> I found release notes that say it was added by Ubiquiti in version 5.12.22 of Unifi Controller. I found old screenshots that show the options, but I fail to find it in the newest version (Unifi controller 7.3.83 with all firmware up to date).
>
> I found some posts in the UI forums of others wondering the same thing, but they never got answers, and Ubiquiti support failed to reply to my ticket for almost a week. So I wonder... maybe they just silently dropped CoA support?
>
> Thanks!
>
> --
> Francis
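Checking whether UDP 3799 is listening, as suggested above, tells you a socket is open but not whether the device acts on a CoA-Request. The following is an added example written for this thread; it is not PacketFence code and not anything from the Unifi controller. It builds the RFC 5176 CoA-Request PacketFence would need to send to move a session to another VLAN (Calling-Station-Id plus the RFC 2868 Tunnel-* attributes), sends it to UDP 3799, and validates the reply's Response Authenticator so a forged or wrong-secret answer is not mistaken for a CoA-ACK. A `build_response` helper plays the NAS side so the exchange can be exercised offline. The NAS address, shared secret, client MAC, VLAN and the Calling-Station-Id format are assumptions; real NAS implementations differ on the MAC format they match.

```python
"""RADIUS CoA-Request builder/verifier (RFC 5176). Added example, not PacketFence code."""
import hashlib
import hmac
import os
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # RFC 5176 packet codes
ATTR_CALLING_STATION_ID = 31                         # RFC 2865
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 64, 65   # RFC 2868
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81                    # RFC 2868
ATTR_ERROR_CAUSE = 101                               # RFC 5176
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def vlan_change_attributes(mac: str, vlan: int) -> bytes:
    """Identify the session (MAC format is NAS-dependent; colon form assumed) and the target VLAN."""
    return b"".join([
        avp(ATTR_CALLING_STATION_ID, mac.encode()),
        avp(ATTR_TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN)),
        avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_IEEE_802)),
        avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()),  # untagged: first octet > 0x1F
    ])


def build_request(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier & 0xFF, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def build_response(code: int, request: bytes, attributes: bytes, secret: bytes) -> bytes:
    """NAS side, used here to simulate replies offline:
    Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def parse_response(packet: bytes, request: bytes, secret: bytes) -> int:
    """Check the reply belongs to `request` and was built with our secret; return its Code."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != request[1]:
        raise ValueError("length or identifier does not match the request")
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    return code


def attributes_of(packet: bytes) -> list:
    """Walk the TLV list after the 20-byte header, refusing malformed lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        out.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out


def error_cause(packet: bytes):
    """Error-Cause from a NAK (RFC 5176 3.5), e.g. 503 = Session Context Not Found."""
    for attr_type, value in attributes_of(packet):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            return int.from_bytes(value, "big")
    return None


def send_coa(host: str, secret: bytes, mac: str, vlan: int, port: int = 3799, timeout: float = 3.0):
    """Send one CoA-Request; return the reply Code, or None when nothing answers in time."""
    request = build_request(COA_REQUEST, os.urandom(1)[0], vlan_change_attributes(mac, vlan), secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # no listener on 3799, or the NAS drops CoA silently
    return parse_response(data, request, secret)


if __name__ == "__main__":
    # Assumed values: NAS address, its shared secret, a client MAC and the target VLAN.
    result = send_coa("192.0.2.10", b"testing123", "00:24:32:aa:bb:cc", 20)
    print({None: "no reply", COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(result, result))
```

A timeout means the device never answered, which is what a NAS without CoA looks like; a CoA-NAK with Error-Cause 503 means CoA is implemented but the NAS found no session for that Calling-Station-Id, usually a MAC-format mismatch; a CoA-ACK means the switch accepted the VLAN change and a PacketFence switch module using CoA would work against it.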