Re: [PacketFence-users] freeRADIUS Migration - PacketFence Deployment

2023-06-01 Thread Cory White via PacketFence-users
I've tested both Cisco and Unifi and the issue seems to lie with Connection
Profiles - when trying to do MAC/MAB authentication, it falls through to the
default profile and never hits the MACAuth ones to check local DB
credentials.

It just connects and gives the SSID VLAN assignment; the default profile
doesn't have attributes to return, so that explains the behavior but not the
solution to pick the correct connection profile?

Cory White
Sr. Network Engineer
904.735.1600
c...@xpodigital.com



Re: [PacketFence-users] freeRADIUS Migration - PacketFence Deployment

2023-06-01 Thread Cory White via PacketFence-users
I seem to have run into another issue on MAC based Authentication - 802.1x
w/ Dynamic tested and working on Cisco and Unifi. When I try to migrate our
'IoT Wireless' I am unable to get PF to MAC Auth onto the SSID. I have a
MAC user/pw locally in PF but I don't think it ever hits/tries to look for
it. Devices just spin trying to connect to the SSID. Audit shows device
success and registered but only returns status 200 and no attributes and a
self-assigned IP - never actually get connected. There is nothing in the
packetfence/radius logs other than 'Device OK'. I've tried
different combinations of switches/nodes/nas and Connection Profiles with
'local' source hardset, etc. to no avail. If I simply change the SSID RADIUS
back to our freeRADIUS instance everything works as expected.

Thanks in advance for any direction,

Cory White
Sr. Network Engineer
904.735.1600
c...@xpodigital.com



Re: [PacketFence-users] freeRADIUS Migration - PacketFence Deployment

2023-05-31 Thread Cory White via PacketFence-users
Yogendra -

Thank you for the link, this looks to fill in some of the missing pieces in
my learning curve, much appreciated.

Cory White
Sr. Network Engineer
904.735.1600
c...@xpodigital.com


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] freeRADIUS Migration - PacketFence Deployment

2023-05-30 Thread Yogendra Singh via PacketFence-users
Dear Cory,

As an alternate guide for installation, you can use Extreme Networks "A3
Installation and Usage Guide". The A3 is completely built upon Packetfence.
The URL for the guide is
https://documentation.extremenetworks.com/a3/4.1.1/A3-v4.1.0-InstallationAndUsageGuide-NV.pdf

Thanks and regards


-- 
Yogendra Singh
Deputy IT Officer
Certified Data Centre Professional (CDCP)
Indian Institute of Technology Indore
Contact No: +91 94248 18088


Re: [PacketFence-users] freeRADIUS Migration - PacketFence Deployment

2023-05-30 Thread Cory White via PacketFence-users
Fabrice -

Much appreciated - after backtracking into the docs it was obvious I was
trying to make something more complicated than needed! Once I rolled back
what I 'thought' was needed, I was able to successfully test Cisco and
Unifi Dynamic VLAN (802.1x) assignments against the local DB. I started
testing/deploying Captive Portal and WebAuth with success as well. I plan
to start playing with the portal modules/customizations after, hopefully,
being successful in the iPSK (Dynamic PSK) deployment on Cisco
infrastructure. All in all everything is on track to turn up an instance
and deploy into production networks with some more vetting.

Thank you for your quick reply

Cory White
Sr. Network Engineer
904.735.1600
c...@xpodigital.com



Re: [PacketFence-users] freeRADIUS Migration - PacketFence Deployment

2023-05-26 Thread Fabrice Durand via PacketFence-users
Hello Cory,

Yes, of course you can use PacketFence local authentication without any
Windows AD integration.
There are multiple ways but the simplest is to use the local PacketFence
database to authenticate the users.
It's also possible to interact with an LDAP server to do the 802.1x
authentication, and PacketFence also provides an internal PKI to do EAP-TLS
auth.

For the "Authentication Source RADIUS", it depends how you use it: if it's
on the portal then it will do PAP authentication, but you can also use the
RADIUS source in the REALM section to proxy the request to another server.

Btw I don't see any blocking point for you to use PacketFence, but I
recommend starting with something simple (like mac-auth + portal, then
802.1x after).

Regards
Fabrice





[PacketFence-users] freeRADIUS Migration - PacketFence Deployment

2023-05-26 Thread Cory White via PacketFence-users
Hello -

I've followed packetfence since 2015 but we never fully adopted its feature
sets due to various reasons. Our original interest was for Captive Portals
- but at the time it felt like overkill and we did not want in-band switch
port management to deploy a simple 'coffee shop' portal.

Times have changed and personally I thought Captive Portals would have died
off in requests by now but they are more prevalent now than ever with BYOD
and user-initiated on-boarding.

Since COVID we have shifted into various vertical markets and are finding
the need to consolidate our deployments into a more scalable
resource/deployment for various installs in these markets. Our requirements
-

   - Portal Page and User management - whether manually onboarded/import
   and/or through user initiated portal pages.
   - MAC bypass - manually bypass portals for authorized MAC identified
   hosts. If there is a user onboarding for this as well through already AUTH
   credentials that is a plus.
   - 802.1X auth for dynamically assigned VLANs (w/ and w/o MAC filtering)
   over wireless only - mix of vendors Unifi, Peplink, Cisco, Meraki, etc.
   Common thread is that all are managed through a controller - no
   autonomous APs.

We currently employ Mikrotik hotspots and Peplink InControl portals -
depending on the installation router. User accounts are added via script,
API, ssh, etc. manually, not by a user request/portal interaction. All
dynamic VLAN assignments/RADIUS attributes (radcheck, radreply,
radgroupreply, etc.) are handled in freeRADIUS based on user credentials -
typically only a couple VLAN options; most of these installs have no more
than 5 total VLANs.

I've spun up a VM of 12.2, the maturation is impressive but documentation
for our actual deployment needs to migrate from a freeRADIUS stand-alone DB
is non-existent - at least from my searching in the last week. I understand
the concepts (I believe); my big question is: is using just the 'local to
PacketFence install' freeRADIUS possible as AUTH? We do not deploy
anything Windows based - we are a UNIX/Open-Source/In-house DEV company. So
AD is not an option; we do have some LDAP/freeRADIUS servers running for
internal use (linux) but don't want to expose that cluster to end user
accounts. I feel that the current version will suit our needs to do what we
want for the most part and give us a unified platform, but I can't really
seem to find any documentation to move forward on testing.

Specific to "Authentication Source RADIUS" - docs seem to skim over this as
an option, or it's possible I need to be looking elsewhere? Any direction is
appreciated - I've been testing with UniFi (which I know Ubiquiti has its
own issues); I see it's a recent integration as well. I can see requests
come in but auth is always rejected in the wrong EAP/MSCHAP (even though I've
removed them as auth options). I also see my Internal RADIUS source
constantly in 'wrong shared secret' (client localhost).

I'm going to migrate to a Cisco test lab to verify it's not a tunnel/remote
resource issue and keep everything in the same subnet (nodes/nas).

Thank you for any assistance -

Cory White

Senior Network Engineer
904-735-1600
c...@xpodigital.com
www.xpodigital.com
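The two failure modes reported in this thread, the 'wrong shared secret (client localhost)' in the original post above and the MAB Access-Accept that 'returns status 200 and no attributes' in the June 1 follow-up at the top, both show up in the RADIUS exchange itself rather than in any PacketFence-specific log. The following is an added example written by the editor, not code from PacketFence, FreeRADIUS or the poster. It builds a MAB Access-Request the way a wireless controller does (the MAC as User-Name and as PAP User-Password, Service-Type Call-Check, Calling-Station-Id), encodes the password with the RFC 2865 section 5.2 method, lets a constructed in-process server answer it, verifies the Response Authenticator with the client's copy of the secret, and then checks whether the Accept actually carries the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id trio a controller needs for dynamic VLAN assignment. The MAC address, the secrets and VLAN 30 are constructed values, and Message-Authenticator is left out for brevity.

```python
# Editor's added example, not PacketFence or FreeRADIUS code. MAC, secrets
# and reply attributes below are constructed values, not from the thread.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_CALL_CHECK, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 10, 13, 6

def encode_attrs(attrs):
    """[(type, value_bytes)] -> RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """RADIUS attribute TLVs -> [(type, value_bytes)], rejecting bad lengths."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: each 16-byte block XORed with MD5(secret + previous block)."""
    plain = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], pad))
        out += prev
    return out

def pap_decrypt(encrypted, secret, request_auth):
    """Inverse of pap_encrypt; a wrong secret yields garbage, not an error."""
    prev, out = request_auth, b""
    for i in range(0, len(encrypted), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = encrypted[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, pad))
    return out.rstrip(b"\x00")

def build_mab_request(mac, secret, ident=1, request_auth=None):
    """Access-Request as a controller sends it for MAB: the MAC as User-Name and
    as PAP User-Password, Service-Type Call-Check, Calling-Station-Id."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, mac.encode()),
        (USER_PASSWORD, pap_encrypt(mac.encode(), secret, request_auth)),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        (CALLING_STATION_ID, mac.upper().encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, request, secret, attrs):
    """Server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request_auth, secret):
    """Client: a reply signed with a different secret fails here and must be dropped."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def tagged(value, tag=0):
    """Tunnel-* attributes carry a leading tag byte (RFC 2868); ints are 3 bytes wide."""
    return bytes([tag]) + (struct.pack("!I", value)[1:] if isinstance(value, int) else value.encode())

def vlan_from_accept(response):
    """VLAN named by Tunnel-Private-Group-Id, or None when the Accept carries no
    usable tunnel attributes (accepted, but the client is never placed in a VLAN)."""
    attrs = dict(decode_attrs(response[20:]))
    tunnel = [int.from_bytes(attrs.get(t, b"\x00\x00\x00\x00")[1:], "big")
              for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE)]
    if tunnel != [TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802]:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:      # leading byte is a tag, not part of the VLAN
        group = group[1:]
    return group.decode() or None

def simulate(mac, client_secret, server_secret, reply_attrs):
    """Both sides of one MAB exchange in-process (constructed scenario, not a capture)."""
    request = build_mab_request(mac, client_secret)
    request_auth, attrs = request[4:20], dict(decode_attrs(request[20:]))
    # server: recover the PAP password with its own secret; for MAB it must equal the MAC
    if pap_decrypt(attrs[USER_PASSWORD], server_secret, request_auth) == attrs[USER_NAME]:
        response = build_response(ACCESS_ACCEPT, request, server_secret, reply_attrs)
    else:
        response = build_response(ACCESS_REJECT, request, server_secret, [])
    # client: discard any reply whose Response Authenticator does not verify
    if not verify_response(response, request_auth, client_secret):
        return {"accepted": False, "reason": "shared secret mismatch"}
    if response[0] != ACCESS_ACCEPT:
        return {"accepted": False, "reason": "Access-Reject"}
    return {"accepted": True, "vlan": vlan_from_accept(response)}

VLAN_30_REPLY = [(TUNNEL_TYPE, tagged(TUNNEL_TYPE_VLAN)),          # what a working
                 (TUNNEL_MEDIUM_TYPE, tagged(TUNNEL_MEDIUM_802)),  # MAC-auth profile
                 (TUNNEL_PRIVATE_GROUP_ID, tagged("30"))]          # hands back

if __name__ == "__main__":
    for server_secret, reply in ((b"s3cret", VLAN_30_REPLY), (b"s3cret", []), (b"other", VLAN_30_REPLY)):
        print(simulate("aabbccddeeff", b"s3cret", server_secret, reply))
```

The first half is what radtest from the FreeRADIUS package does against a live server; the second half is the check worth adding to a lab harness. An Accept that carries no tunnel attributes is logged as a success on the server and still leaves the client with a self-assigned address, which is the audit picture described in the thread, and a reply whose Response Authenticator does not verify has to be dropped rather than trusted, because without the shared secret nothing binds it to the request that was sent.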