Re: [PacketFence-users] 802.1x auth on inline packetfence network

2015-11-10 Thread Louis Munro
I am sure “something” is happening somewhere.

What do the radius logs show? 
What does tcpdump indicate? 
Is there any radius request coming in from that controller when you connect 
something to it? 

If not then the issue is with the controller’s configuration.
If there is anything coming from it, make sure radius accepts it.
Unless an entry for that controller exists in conf/switches.conf the radius 
request will be dropped.

I see nothing impossible in what you are trying to accomplish.
This looks like a configuration issue.

--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Nov 10, 2015, at 6:34 , mourik jan heupink  wrote:
> 
> Hi,
> 
> We have packetfence 3.5.1 on debian, running with both
> - 802.1x auth on our wired chassis (hp 5400)
> - inline on our wifi network
> 
> On the HP 5412 chassis, I have one module to packetfence inline, with 
> untagged VLAN6 on all ports (packetfence_inline) plus tagged VLAN1 (the 
> 802.1x 'main' network).
> 
> I have added a secondary (hidden) SSID on our wifi, and bridged that to 
> VLAN1, and that seems to work: The accesspoints receive ip addresses in 
> our wired vlan1 range.
> 
> Next I enabled 802.1x auth on that secondary ssid, provided the 
> packetfence ip address, port number and shared secret.
> 
> This however does not work at all. Basically nothing happens. I've 
> thought about it, and my guess is I need to add a switch of some sort for 
> this to work too..? (similar to our HP5400 config?)
> 
> However...I have no idea what kind of switch to add, where, and if this 
> is possible at all.
> 
> What I would like to have is a normal inline wlan network with packetfence 
> registration (and this works already) BUT ADDITIONALLY a hidden wlan 
> ssid with 802.1x auth, that would get me on to VLAN1.
> 
> Anyone with ideas how to proceed?
> 
> MJ
> 
> --
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users



Re: [PacketFence-users] radius authorization interval

2015-11-10 Thread Derek Wuelfrath
Andi,

Quick question, maybe not related at all but still.
Is this happening on “busy” AP ? Do you know if there’s a lot of clients 
connected at the same time on the AP / radios of the AP ?
Do you have any sort of Maximum Allowed Clients configurations ? (Advanced 
section of the WLAN) ?

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Nov 9, 2015, at 12:09 PM, Morris, Andi  wrote:
> 
> Hi all,
> I’m getting reports of users being briefly disconnected from the wireless 
> network every few minutes, which is something that didn’t use to happen when 
> users were connected to another SSID using exactly the same hardware (Cisco 
> WLC). I’m wondering if it’s something like radius authorization, as we see it 
> on not just our dot1x SSID, but our SSID that is mac authenticated through 
> PF's device registration setup.
>  
> According to users it’s around every 5 minutes, however looking at some logs 
> for one client using the mac_auth network I can see it seems to re-auth every 
> 11/12 minutes. Log snippet below:
>  
> Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
> provisioner (pf::vlan::getNormalVlan)
> Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
> WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was 
> defined "3059b782141a" - returning user based role 'gaming' 
> (pf::vlan::getNormalVlan)
> Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
> Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
> Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
> Returning ACCEPT with VLAN 713 and role  
> (pf::Switch::returnRadiusAccessAccept)
> Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius 
> autz request: from switch_ip => (192.168.1.1), connection_type => 
> Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
> [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
> (pf::radius::authorize)
> Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
> provisioner (pf::vlan::getNormalVlan)
> Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
> WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was 
> defined "3059b782141a" - returning user based role 'gaming' 
> (pf::vlan::getNormalVlan)
> Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
> Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
> Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
> Returning ACCEPT with VLAN 713 and role  
> (pf::Switch::returnRadiusAccessAccept)
> Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius 
> autz request: from switch_ip => (192.168.1.1), connection_type => 
> Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
> [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
> (pf::radius::authorize)
> Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
> provisioner (pf::vlan::getNormalVlan)
> Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
> WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was 
> defined "3059b782141a" - returning user based role 'gaming' 
> (pf::vlan::getNormalVlan)
> Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
> Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
> Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
> Returning ACCEPT with VLAN 713 and role  
> (pf::Switch::returnRadiusAccessAccept)
> Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius 
> autz request: from switch_ip => (192.168.1.1), connection_type => 
> Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
> [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
> (pf::radius::authorize)
> Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
> provisioner (pf::vlan::getNormalVlan)
> Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
> WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was 
> defined "3059b782141a" - returning user based role 'gaming' 
> (pf::vlan::getNormalVlan)
> Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
> Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
> Nov 09 12:32:58 
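
The re-authentication interval discussed in this thread can be measured from the log rather than estimated. This is an added example, not part of the original posts or of PacketFence; the sample lines are constructed from the quoted log with the mail wrapping undone, the year 2015 is assumed because the log carries none, and `repeated_interval` is a hypothetical heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines from the quoted log with the mail client's
# wrapping undone. Only lines that mark an authorization are kept.
SAMPLE_LOG = """\
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" (pf::radius::authorize)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" (pf::radius::authorize)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" (pf::radius::authorize)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ INFO: "
    r"\[(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\] (?P<msg>.*)$"
)
AUTH_MARKERS = ("handling radius autz request", "Returning ACCEPT")


def auth_events(log_text, year=2015):
    """Map each client MAC to the sorted, de-duplicated times it was authorized."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not any(k in m["msg"] for k in AUTH_MARKERS):
            continue
        # The log timestamp has no year, so the caller supplies one (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["mac"]].add(when)
    return {mac: sorted(times) for mac, times in events.items()}


def reauth_intervals(log_text, year=2015):
    """Return {mac: [seconds between consecutive authorizations]}."""
    result = {}
    for mac, times in auth_events(log_text, year).items():
        result[mac] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return result


def repeated_interval(intervals, tolerance=5):
    """Return the gap (s) if two consecutive gaps agree within tolerance, else None.

    Heuristic only: a repeated, near-identical gap suggests a fixed timer
    is driving the re-authentication.
    """
    for a, b in zip(intervals, intervals[1:]):
        if abs(a - b) <= tolerance:
            return a
    return None


if __name__ == "__main__":
    for mac, gaps in reauth_intervals(SAMPLE_LOG).items():
        print(mac, gaps, "repeated:", repeated_interval(gaps))
```

Run against the full packetfence.log, the same functions give one list of gaps per client, which makes it easy to see whether every client shares the same interval.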

Re: [PacketFence-users] Adding a session variable

2015-11-10 Thread Derek Wuelfrath
What I mean by request is the HTTP call.

The stash is being initialized when the HTTP call comes in and then is 
“destroyed” once the page is loaded on the client side. You can’t then use the 
stash to pass values from call to call…

Is that better ? :P

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Nov 6, 2015, at 12:38 PM, Andy A  wrote:
> 
> Sorry, I don't understand what you mean. Can you explain what you mean by 
> 'stash lives the time of request'?
> 
> From: dwuelfr...@inverse.ca
> Date: Fri, 30 Oct 2015 10:19:44 -0400
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Adding a session variable
> 
> The stash “lives” the time of the request.
> 
> Cheers!
> dw.
> 
> —
> Derek Wuelfrath
> dwuelfr...@inverse.ca  :: +1.514.447.4918 
> (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
> PacketFence (www.packetfence.org )
> 
> On Oct 29, 2015, at 6:04 AM, Andy A  > wrote:
> 
> Hi.
> 
> Thanks for the explanation. I want to set (in login.html) and get (in 
> release.html)  the value in the view.
> So should I use stash in that case?
> 
> From: dwuelfr...@inverse.ca 
> Date: Fri, 23 Oct 2015 10:52:14 -0400
> To: packetfence-users@lists.sourceforge.net 
> 
> Subject: Re: [PacketFence-users] Adding a session variable
> 
> Hello Andy,
> 
> Something like 
> 
> $c->session->{"paidup"} = "DEFAULT_VALUE";
> 
> Should work just fine.
> 
> You should then be able to access it using:
> 
> my $custom_value = $c->session->{"paidup"};
> 
> The stash is mainly used to pass values to the “view”
> 
> Cheers!
> dw.
> 
> —
> Derek Wuelfrath
> dwuelfr...@inverse.ca  :: +1.514.447.4918 
> (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
> PacketFence (www.packetfence.org )
> 
> On Oct 22, 2015, at 8:16 AM, Andy A  > wrote:
> 
> Hi.
> 
> I would like to set a session variable called 'paidup' on login.html in the 
> captive portal and access its value on release.html page.
> 
> I have seen there's a lib/pf/web/custom.pm where I can add the session 
> variable.
> 
> *pf::web::stash_template_vars = sub {
>     my ($portalSession, $template) = @_;
>     return { 'paidup' => DEFAULT_VALUE };
> };
> 
> Then, in login.html I can set it to a value based on user input and in 
> release.html I can access it?
> Is that the best way to do it or is there any other better way?
> 
> Thanks
> 
> 

Re: [PacketFence-users] radius authorization interval

2015-11-10 Thread Derek Wuelfrath
Also,

As I can see, the included log snippet only shows relevant radius authz requests. 
Is there any way you can check in that same log just to make sure PacketFence 
does not send a COA or anything else that can lead the client to reauthz ?

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


Re: [PacketFence-users] PacketFence PKI issue

2015-11-10 Thread Durand fabrice

Hi Jonathan,

based on the log I think that extendedKeyUsage is not correctly defined.
Can you check that ?

Regards
Fabrice


Le 2015-11-09 20:45, Jonathan Mahady a écrit :

Hi,

I'm having an issue with the assignment of certificates using the 
packetfence PKI plugin. The plugin resides on the same box as 
Packetfence. The distro is Debian Wheezy and the version of 
packetfence is 5.4. I've configured the CA, the templates and a radius 
server cert. I've then added the PKI details into packetfence but when 
I try to onboard a test user the certificate assignment fails with the 
error that the certificate server cannot be reached. I've trolled 
through the logs and this is a section of the error it's reporting:


"
Error at /pki/cert/rest/get/denver/
[(asn1 encoding routines, a2d_ASN1_OBJECT, first num too large), (X509 V3 routines, V2I_EXTENDED_KEY_USAGE, invalid object identifier), (X509 V3 routines, X509V3_EXT_nconf, error in extension)]

Request Method: POST
Request URL: https://127.0.0.1:9393/pki/cert/rest/get/denver/
Django Version: 1.7.1
Exception Type: Error
Exception Value: [(asn1 encoding routines, a2d_ASN1_OBJECT, first num too large), (X509 V3 routines, V2I_EXTENDED_KEY_USAGE, invalid object identifier), (X509 V3 routines, X509V3_EXT_nconf, error in extension)]
Exception Location: /usr/local/packetfence-pki/pki/models.py in sign, line 328
Python Executable: /usr/bin/python
Python Version: 2.7.3
Python Path:
[/usr/lib/python2.7,
 /usr/lib/python2.7/plat-linux2,
 /usr/lib/python2.7/lib-tk,
 /usr/lib/python2.7/lib-old,
 /usr/lib/python2.7/lib-dynload,
 /usr/local/lib/python2.7/dist-packages,
 /usr/lib/python2.7/dist-packages,
 /usr/lib/python2.7/dist-packages/PIL,
"

The cert does get generated as I can see it in the packetfence PKI gui 
but it doesn't get assigned to the user. I'm not sure what the issue 
is as I'm not great with this REST API/Python stuff. I would be 
extremely grateful for any advice or pointers.


Cheers,

Jonathan
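
The error quoted above shows OpenSSL rejecting an extendedKeyUsage entry as an invalid object identifier. The following added example (not part of the original posts or of the PacketFence PKI code) checks such a value before it reaches OpenSSL; it assumes the template value uses the comma-separated names-or-OIDs syntax of OpenSSL's x509v3_config, and all sample values are constructed.

```python
import re

# Subset of the short names listed for extendedKeyUsage in OpenSSL's
# x509v3_config documentation. OpenSSL also accepts long names; this
# check does not, so extend the set if your templates use them.
KNOWN_EKU_NAMES = {
    "serverAuth", "clientAuth", "codeSigning",
    "emailProtection", "timeStamping", "OCSPSigning",
}
_BY_LOWER = {name.lower(): name for name in KNOWN_EKU_NAMES}
_DOTTED = re.compile(r"\d+(?:\.\d+)+")


def check_eku_entry(entry):
    """Return None for a known name or well-formed OID, else a reason string."""
    if entry in KNOWN_EKU_NAMES:
        return None
    if not entry:
        return "empty entry (stray comma?)"
    if _DOTTED.fullmatch(entry):
        arcs = [int(a) for a in entry.split(".")]
        if arcs[0] > 2:
            return "first OID arc must be 0, 1 or 2"
        if arcs[0] < 2 and arcs[1] > 39:
            return "second OID arc must be below 40 when the first is 0 or 1"
        return None
    if entry.lower() in _BY_LOWER:
        return "wrong case, expected " + _BY_LOWER[entry.lower()]
    return "neither a known name nor a dotted OID"


def check_eku(value):
    """Validate a comma-separated extendedKeyUsage value; return [(entry, reason)]."""
    entries = [e.strip() for e in value.split(",")]
    if entries and entries[0] == "critical":  # optional criticality flag
        entries = entries[1:]
    problems = []
    for entry in entries:
        reason = check_eku_entry(entry)
        if reason:
            problems.append((entry, reason))
    return problems


if __name__ == "__main__":
    # Constructed values, not taken from the poster's configuration.
    for value in ("serverAuth, clientAuth", "clientauth", "client Auth,",
                  "3.6.1.5.5.7.3.2", "critical, 1.3.6.1.5.5.7.3.2"):
        print(repr(value), "->", check_eku(value) or "ok")
```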




Re: [PacketFence-users] Radius authentication

2015-11-10 Thread Durand fabrice

Hello Ismael,

you created a user in radius but it probably doesn't exist on 
packetfence side. (check packetfence.log)
So remove what you did in /usr/local/pf/raddb/users and follow this 
documentation:

https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Administration_Guide.asciidoc#option-5-eap-local-user-authentication

Also don't forget to create a portal profile with a specific filter 
(like SSID, switch ... that match your connection) and add local 
authentication source.


Then retry.

Regards
Fabrice


Le 2015-11-10 21:04, ismael flavio silva a écrit :

Hello :)

I am testing RADIUS locally. It appears to accept any user or 
password, and the log reports a problem with the MAC address.

I looked in the community, but everybody uses AD or an equivalent server.

LOG

/usr/local/pf/logs/radius.log

Tue Nov 10 20:56:47 2015 : Auth: Login OK: [ismael] (from client 
PacketFence-ZEN-5-3.local port 0)
Tue Nov 10 20:56:47 2015 : Info: rlm_perl: MAC address is empty or 
invalid in this request. It could be normal on certain radius calls


---

/usr/sbin/radiusd -d /usr/local/pf/raddb/ -X

..
..

radiusd:  Opening IP addresses and Ports 
listen {
    type = "auth"
    virtual_server = "packetfence"
    ipaddr = 192.168.100.5
    port = 0
}
listen {
    type = "acct"
    virtual_server = "packetfence"
    ipaddr = 192.168.100.5
    port = 0
}
listen {
    type = "control"
    listen {
        socket = "/usr/local/pf/var/run/radiusd.sock"
        mode = "rw"
    }
}
listen {
    type = "auth"
    ipaddr = 127.0.0.1
    port = 18120
}
 ... adding new socket proxy address * port 49410
Listening on authentication address 192.168.100.5 port 1812 as server 
packetfence
Listening on accounting address 192.168.100.5 port 1813 as server 
packetfence

Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server 
inner-tunnel

Listening on proxy address 192.168.100.5 port 1814
Ready to process requests.

configs

/usr/local/pf/raddb/users

ismael Cleartext-Password := "12345678"

Configuration → Advanced -> plaintext

Thanks





[PacketFence-users] 802.1x auth on inline packetfence network

2015-11-10 Thread mourik jan heupink
Hi,

We have packetfence 3.5.1 on debian, running with both
- 802.1x auth on our wired chassis (hp 5400)
- inline on our wifi network

On the HP 5412 chassis, I have one module to packetfence inline, with 
untagged VLAN6 on all ports (packetfence_inline) plus tagged VLAN1 (the 
802.1x 'main' network).

I have added a secondary (hidden) SSID on our wifi, and bridged that to 
VLAN1, and that seems to work: The accesspoints receive ip addresses in 
our wired vlan1 range.

Next I enabled 802.1x auth on that secondary ssid, provided the 
packetfence ip address, port number and shared secret.

This however does not work at all. Basically nothing happens. I've 
thought about it, and my guess is I need to add a switch of some sort for 
this to work too..? (similar to our HP5400 config?)

However...I have no idea what kind of switch to add, where, and if this 
is possible at all.

What I would like to have is a normal inline wlan network with packetfence 
registration (and this works already) BUT ADDITIONALLY a hidden wlan 
ssid with 802.1x auth, that would get me on to VLAN1.

Anyone with ideas how to proceed?

MJ
