Re: [PacketFence-users] Unifi APs and CoA

2018-02-27 Thread E.P. via PacketFence-users
Hi Tim,

I’ve added the portal interface to be on the same network with management and 
from the perspective of PF I believe it is accepted.

My current problem now is that the haproxy service doesn’t start, and the attempt to 
start it from the CLI in debugging mode throws out weird messages about errors in 
the haproxy.conf file:

[root@PacketFence-ZEN ~]# /usr/sbin/haproxy -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -d

[ALERT] 050/125925 (9596) : Parsing [/usr/local/pf/var/conf/haproxy.conf:142]: 
frontend 'portal-http-172.16.0.223' has the same name as frontend 
'portal-http-172.16.0.223' declared at /usr/local/pf/var/conf/haproxy.conf:96.

[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:144] : 
stick-table name 'portal-http-172.16.0.223' conflicts with table declared in 
frontend 'portal-http-172.16.0.223' at /usr/local/pf/var/conf/haproxy.conf:96.

[ALERT] 050/125925 (9596) : Parsing [/usr/local/pf/var/conf/haproxy.conf:159]: 
frontend 'portal-https-172.16.0.223' has the same name as frontend 
'portal-https-172.16.0.223' declared at /usr/local/pf/var/conf/haproxy.conf:113.

[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:161] : 
stick-table name 'portal-https-172.16.0.223' conflicts with table declared in 
frontend 'portal-https-172.16.0.223' at /usr/local/pf/var/conf/haproxy.conf:113.

[ALERT] 050/125925 (9596) : Parsing [/usr/local/pf/var/conf/haproxy.conf:176]: 
backend '172.16.0.223-backend' has the same name as backend 
'172.16.0.223-backend' declared at /usr/local/pf/var/conf/haproxy.conf:130.

[ALERT] 050/125925 (9596) : Error(s) found in configuration file : 
/usr/local/pf/var/conf/haproxy.conf

[ALERT] 050/125925 (9596) : Proxy 'portal-http-172.16.0.223': table 
'portal-http-172.16.0.223' used but not configured.

[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:151] : 
no table in proxy 'portal-http-172.16.0.223' referenced in arg 1 of ACL keyword 
'src_clr_gpc0' in proxy 'portal-http-172.16.0.223'.

[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:153] : 
no table in proxy 'portal-http-172.16.0.223' referenced in arg 1 of ACL keyword 
'src_get_gpc0' in proxy 'portal-http-172.16.0.223'.

[ALERT] 050/125925 (9596) : Proxy 'portal-https-172.16.0.223': table 
'portal-https-172.16.0.223' used but not configured.

[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:168] : 
no table in proxy 'portal-https-172.16.0.223' referenced in arg 1 of ACL 
keyword 'src_clr_gpc0' in proxy 'portal-https-172.16.0.223'.

[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:170] : 
no table in proxy 'portal-https-172.16.0.223' referenced in arg 1 of ACL 
keyword 'src_get_gpc0' in proxy 'portal-https-172.16.0.223'.

[WARNING] 050/125925 (9596) : Proxy 'stats': in multi-process mode, stats will 
be limited to process assigned to the current request.

[ALERT] 050/125925 (9596) : Fatal errors found in configuration.

 

Secondly, I didn’t find anything you advised me, namely “Additional listeners”, 
under the network tab in PF.

On the other hand, under “Advanced access configuration” in “Captive portal” 
there’s a field like this. Should I fill it with the IP address that I want to 
listen on as a captive portal?

It is not explicitly said what should be in there. As far as I understand, the 
captive portal is enabled by default as long as the portal interface is added.

Eugene

 

From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
Sent: Tuesday, February 20, 2018 6:46 AM
To: packetfence-users@lists.sourceforge.net
Cc: Eugene Pefti <ype...@gmail.com>
Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Eugene,

 

Make sure that PacketFence (not your own infrastructure DHCP server) is handing 
out IP addresses on the registration network. Also, make sure that you added 
the portal module to your wireless VLAN in PacketFence under the Networks tab 
(I think the box is labeled “Additional listeners”). Please let me know if this 
doesn’t work.

 

Sent from mobile phone


On Feb 18, 2018, at 20:32, Eugene Pefti via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Good job, Chris and thanks for sharing your progress.

I dare to ask my stupid question again ;)

Why can’t users who associated to guest WiFi (Open with a redirect to PF captive 
portal) reach PF via HTTP?

They receive an IP address from the local DHCP server and can then ping PF, but 
there’s no way to go through self-registration.

 

Eugene

 

From: "packetfence-users@lists.sourceforge.net" 
<packetfence-users@lists.sourceforge.net>
Reply-To: "packetfence-users@lists.sourceforge.net" 
<p
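
The first five ALERT lines in the haproxy output above each report a frontend, stick-table or backend name that already exists earlier in the same file. The following is an added example, not part of the thread and not PacketFence code: it lists every proxy section and bind address that occurs more than once in a haproxy configuration, with the line numbers involved. The function names and the sample configuration are constructed for illustration, and the bind-address check goes one step beyond what the log shows.

```shell
#!/bin/sh
# Added example (not from the thread): find what haproxy's parser is objecting
# to in a generated haproxy.conf before trying to start the service.

# haproxy_dup_sections FILE
# Prints "<type> <name> <first-line> <repeat-line>" for every frontend, backend
# or listen section declared more than once. Returns 1 if any repeat is found.
haproxy_dup_sections() {
    awk '
        $1 == "frontend" || $1 == "backend" || $1 == "listen" {
            key = $1 " " $2
            if (key in first) {
                printf "%s %s %d %d\n", $1, $2, first[key], NR
                dup = 1
            } else {
                first[key] = NR
            }
        }
        END { exit (dup ? 1 : 0) }
    ' "$1"
}

# haproxy_dup_binds FILE
# Prints "<address:port> <first-line> <repeat-line>" for every bind address
# that appears more than once. Returns 1 if any repeat is found.
haproxy_dup_binds() {
    awk '
        $1 == "bind" {
            if ($2 in first) {
                printf "%s %d %d\n", $2, first[$2], NR
                dup = 1
            } else {
                first[$2] = NR
            }
        }
        END { exit (dup ? 1 : 0) }
    ' "$1"
}

# Constructed sample that reproduces the naming clash from the ALERT lines.
# It is not a real PacketFence-generated file.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample configuration
frontend portal-http-172.16.0.223
    bind 172.16.0.223:80
    stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
    default_backend 172.16.0.223-backend

backend 172.16.0.223-backend
    server portal 127.0.0.1:8080

# Second declaration under the same names
frontend portal-http-172.16.0.223
    bind 172.16.0.223:80
    stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
    default_backend 172.16.0.223-backend

backend 172.16.0.223-backend
    server portal 127.0.0.1:8080
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
echo "Repeated sections (type name first-line repeat-line):"
haproxy_dup_sections "$conf" || echo "=> haproxy will refuse this file"
echo "Repeated bind addresses (address first-line repeat-line):"
haproxy_dup_binds "$conf" || true
rm -f "$conf"
```

On a real system the file to pass is the one named in the command above, and `haproxy -c -f <file>` runs the same parser in check mode without starting the proxy.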

Re: [PacketFence-users] Unifi APs and CoA

2018-02-21 Thread Timothy Mullican via PacketFence-users
Eugene,

Make sure that PacketFence (not your own infrastructure DHCP server) is handing 
out IP addresses on the registration network. Also, make sure that you added 
the portal module to your wireless VLAN in PacketFence under the Networks tab 
(I think the box is labeled “Additional listeners”). Please let me know if this 
doesn’t work.

Sent from mobile phone

> On Feb 18, 2018, at 20:32, Eugene Pefti via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Good job, Chris and thanks for sharing your progress.
> I dare to ask my stupid question again ;)
> Why can’t users who associated to guest WiFi (Open with a redirect to PF captive 
> portal) reach PF via HTTP?
> They receive an IP address from the local DHCP server and can then ping PF, but 
> there’s no way to go through self-registration.
> 
> Eugene
> 
> From: "packetfence-users@lists.sourceforge.net" 
> <packetfence-users@lists.sourceforge.net>
> Reply-To: "packetfence-users@lists.sourceforge.net" 
> <packetfence-users@lists.sourceforge.net>
> Date: Thursday, February 15, 2018 at 8:00 AM
> To: "packetfence-users@lists.sourceforge.net" 
> <packetfence-users@lists.sourceforge.net>
> Cc: Chris Abel <ca...@wildwoodprograms.org>
> Subject: Re: [PacketFence-users] Unifi APs and CoA
> 
> Hey All,
> 
> I was able to get deauth working with my Unifi APs and it seems everything is 
> working smoothly. Here is the configuration I used for the switch in 
> packetfence:
> 
> [Unifi AP IP Address or subnet]
> description=Unifi Access Points
> group=Unifi
> radiusSecret=RaidusPassword
> controllerIp=Unifi Controller IP Address
> useCoA=N
> wsTransport=HTTPS
> deauthMethod=HTTPS
> wsUser=Unifi Controller Username
> wsPwd=Unifi Controller Password
> 
> Hope this helps someone. I hope Packetfence releases some documentation on 
> Unifi AP's because with the necessary applied patch and the unifi controller 
> changes to config.properties, everything seems to be working well. Actually 
> in my opinion, it seems to be working better than the hostapd setup in 
> packetfence and is way easier to setup.
> 
> 
>> On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel <ca...@wildwoodprograms.org> 
>> wrote:
>> Hello all,
>> 
>> I am also trying to get my Unifi APs working with packetfence. It seems that 
>> I am very close. I am able to get the portal to show up on the client when 
>> in the registration vlan, but after registering, the client never deauth's 
>> and disconnects from the access point. I can disable my wireless and enable 
>> it again and the client is assigned the correct role and put into the right 
>> vlan, so that part seems to be working. I have applied the patch in the 
>> following way:
>> 
>> in /usr/local/pf I ran "curl 
>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
>>  | patch -p1"
>> 
>> Is this the correct patch and the correct way to apply it? If so, why is 
>> this patch not disconnecting the client from the AP?
>> 
>> I have also applied the following to my AP's in Unifi:
>> 
>> /var/lib/unifi/sites//config.properties
>> config.system_cfg.1=aaa.1.auth_cache=disabled
>> config.system_cfg.2=aaa.2.auth_cache=disabled
>> config.system_cfg.3=aaa.1.dynamic_vlan=1
>> config.system_cfg.4=aaa.2.dynamic_vlan=1
>> config.system_cfg.5=aaa.1.radius.acct.1.ip=
>> config.system_cfg.6=aaa.1.radius.acct.1.port=
>> config.system_cfg.7=aaa.1.radius.acct.1.secret=> password>
>> config.system_cfg.8=aaa.2.radius.acct.1.ip=
>> config.system_cfg.9=aaa.2.radius.acct.1.port=
>> config.system_cfg.10=aaa.2.radius.acct.1.secret=> password>
>> 
>> 
>> What should the configuration be in packetfence when setting up the switch? 
>> Should I use hostapd or Unifi Controller? Should I enable COA or not? 
>> 
>> 
>> Does anyone have a working setup of Unifi APs with an out of band setup of 
>> packetfence at this point? If so, could you shed some light and post your 
>> configurations?
>> 
>> Thanks!
>> 
>>> On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users 
>>> <packetfence-users@lists.sourceforge.net> wrote:
>>> Yes, David, this is my plan to test the captive portal on wired connections 
>>> to rule out the unruly Unifi APs
>>> 
>>> Ideally I would love to make it also work with HP switches 1820/1920 model 
>>> because this is the majority of switches installed in our organization.
>>> 
>>> But will try it on Cisco switch as a beginnin

Re: [PacketFence-users] Unifi APs and CoA

2018-02-19 Thread Eugene Pefti via PacketFence-users
Good job, Chris and thanks for sharing your progress.
I dare to ask my stupid question again ;)
Why can’t users who associated to guest WiFi (Open with a redirect to PF captive
portal) reach PF via HTTP?
They receive an IP address from the local DHCP server and can then ping PF, but
there’s no way to go through self-registration.

Eugene

From:  "packetfence-users@lists.sourceforge.net"
<packetfence-users@lists.sourceforge.net>
Reply-To:  "packetfence-users@lists.sourceforge.net"
<packetfence-users@lists.sourceforge.net>
Date:  Thursday, February 15, 2018 at 8:00 AM
To:  "packetfence-users@lists.sourceforge.net"
<packetfence-users@lists.sourceforge.net>
Cc:  Chris Abel <ca...@wildwoodprograms.org>
Subject:  Re: [PacketFence-users] Unifi APs and CoA

Hey All,

I was able to get deauth working with my Unifi APs and it seems everything
is working smoothly. Here is the configuration I used for the switch in
packetfence:

[Unifi AP IP Address or subnet]
description=Unifi Access Points
group=Unifi
radiusSecret=RaidusPassword
controllerIp=Unifi Controller IP Address
useCoA=N
wsTransport=HTTPS
deauthMethod=HTTPS
wsUser=Unifi Controller Username
wsPwd=Unifi Controller Password



Hope this helps someone. I hope Packetfence releases some documentation on
Unifi AP's because with the necessary applied patch and the unifi controller
changes to config.properties, everything seems to be working well. Actually
in my opinion, it seems to be working better than the hostapd setup in
packetfence and is way easier to setup.


On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel <ca...@wildwoodprograms.org>
wrote:
> Hello all,
> 
> I am also trying to get my Unifi APs working with packetfence. It seems that I
> am very close. I am able to get the portal to show up on the client when in
> the registration vlan, but after registering, the client never deauth's and
> disconnects from the access point. I can disable my wireless and enable it
> again and the client is assigned the correct role and put into the right vlan,
> so that part seems to be working. I have applied the patch in the following
> way:
> 
> in /usr/local/pf I ran "curl
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
> | patch -p1"
> 
> Is this the correct patch and the correct way to apply it? If so, why is this
> patch not disconnecting the client from the AP?
> 
> I have also applied the following to my AP's in Unifi:
> 
> /var/lib/unifi/sites//config.properties
> config.system_cfg.1=aaa.1.auth_cache=disabled
> config.system_cfg.2=aaa.2.auth_cache=disabled
> config.system_cfg.3=aaa.1.dynamic_vlan=1
> config.system_cfg.4=aaa.2.dynamic_vlan=1
> config.system_cfg.5=aaa.1.radius.acct.1.ip=
> config.system_cfg.6=aaa.1.radius.acct.1.port=
> config.system_cfg.7=aaa.1.radius.acct.1.secret= password>
> config.system_cfg.8=aaa.2.radius.acct.1.ip=
> config.system_cfg.9=aaa.2.radius.acct.1.port=
> config.system_cfg.10=aaa.2.radius.acct.1.secret= password>
> 
> 
> What should the configuration be in packetfence when setting up the switch?
> Should I use hostapd or Unifi Controller? Should I enable COA or not?
> 
> 
> Does anyone have a working setup of Unifi APs with an out of band setup of
> packetfence at this point? If so, could you shed some light and post your
> configurations?
> 
> Thanks!
> 
> On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>> Yes, David, this is my plan to test the captive portal on wired connections
>> to rule out the unruly Unifi APs
>> Ideally I would love to make it also work with HP switches 1820/1920 model
>> because this is the majority of switches installed in our organization.
>> But will try it on Cisco switch as a beginning
>> Thanks again, for your sharing.
>> There’s apparently something wrong with mailing list for packetfence as
>> there’s nothing coming in and I don’t believe it’s only me who persists in
>> making things work and asking for advices 
>>  
>> Eugene
>>  
>> From: David Harvey [mailto:da...@thoughtmachine.net]
>> Sent: Friday, February 09, 2018 4:37 AM
>> To: E.P. <ype...@gmail.com>; fdur...@inverse.ca
>> Subject: Re: [PacketFence-users] Unifi APs and CoA
>>  
>> 
>> Hi Eugene,
>> 
>>  
>> 
>> I'm including Fabrice in case anything I have covered is misleading or plain
>> untrue! I don't want to give you bad advice..
>> 
>>  
>> 
>> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
>> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
>> and so haven't had the same open

Re: [PacketFence-users] Unifi APs and CoA

2018-02-18 Thread Durand fabrice via PacketFence-users

Hello All,

There is already documentation in the PR 
(https://github.com/inverse-inc/packetfence/pull/2735/files), but I 
don't like the way of changing the config.properties file because there 
is a lack of configuration parameters in the controller admin GUI.

I know that it works by "hacking" the controller, but I don't want to 
merge it and have multiple questions on the mailing list because it's 
complicated to configure.

Also, for your information, I made a change in the PR to fix an issue 
when you do web authentication.


Regards
Fabrice

On 2018-02-15 at 11:00, Chris Abel via PacketFence-users wrote:

Hey All,

I was able to get deauth working with my Unifi APs and it seems 
everything is working smoothly. Here is the configuration I used for 
the switch in packetfence:


[Unifi AP IP Address or subnet]
description=Unifi Access Points
group=Unifi
radiusSecret=RaidusPassword
controllerIp=Unifi Controller IP Address
useCoA=N
wsTransport=HTTPS
deauthMethod=HTTPS
wsUser=Unifi Controller Username
wsPwd=Unifi Controller Password


Hope this helps someone. I hope Packetfence releases some 
documentation on Unifi AP's because with the necessary applied patch 
and the unifi controller changes to config.properties, everything 
seems to be working well. Actually in my opinion, it seems to be 
working better than the hostapd setup in packetfence and is way easier 
to setup.




On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel <ca...@wildwoodprograms.org> wrote:


Hello all,

I am also trying to get my Unifi APs working with packetfence. It
seems that I am very close. I am able to get the portal to show up
on the client when in the registration vlan, but after
registering, the client never deauth's and disconnects from the
access point. I can disable my wireless and enable it again and
the client is assigned the correct role and put into the right
vlan, so that part seems to be working. I have applied the patch
in the following way:

in /usr/local/pf I ran "curl
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
| patch -p1"

Is this the correct patch and the correct way to apply it? If so,
why is this patch not disconnecting the client from the AP?

I have also applied the following to my AP's in Unifi:

/var/lib/unifi/sites//config.properties
config.system_cfg.1=aaa.1.auth_cache=disabled
config.system_cfg.2=aaa.2.auth_cache=disabled
config.system_cfg.3=aaa.1.dynamic_vlan=1
config.system_cfg.4=aaa.2.dynamic_vlan=1
config.system_cfg.5=aaa.1.radius.acct.1.ip=
config.system_cfg.6=aaa.1.radius.acct.1.port=
config.system_cfg.7=aaa.1.radius.acct.1.secret=
config.system_cfg.8=aaa.2.radius.acct.1.ip=
config.system_cfg.9=aaa.2.radius.acct.1.port=
config.system_cfg.10=aaa.2.radius.acct.1.secret=



What should the configuration be in packetfence when setting up
the switch? Should I use hostapd or Unifi Controller? Should I
enable COA or not?


Does anyone have a working setup of Unifi APs with an out of band
setup of packetfence at this point? If so, could you shed some
light and post your configurations?

Thanks!

On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

Yes, David, this is my plan to test the captive portal on
wired connections to rule out the unruly Unifi APs

Ideally I would love to make it also work with HP switches
1820/1920 model because this is the majority of switches
installed in our organization.

But will try it on Cisco switch as a beginning

Thanks again, for your sharing.

There’s apparently something wrong with mailing list for
packetfence as there’s nothing coming in and I don’t believe
it’s only me who persists in making things work and asking for
advices 

Eugene

*From:* David Harvey [mailto:da...@thoughtmachine.net]
*Sent:* Friday, February 09, 2018 4:37 AM
*To:* E.P. <ype...@gmail.com>; fdur...@inverse.ca
*Subject:* Re: [PacketFence-users] Unifi APs and CoA

Hi Eugene,

I'm including Fabrice in case anything I have covered is
misleading or plain untrue! I don't want to give you bad advice..

I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure
most of my functionality worked fine from 3.8.x, but bear in
mind I'm running EAP-TLS and so haven't had the same open SSID
guest portal aspect (which might 

Re: [PacketFence-users] Unifi APs and CoA

2018-02-18 Thread Chris Abel via PacketFence-users
Hey All,

I was able to get deauth working with my Unifi APs and it seems everything
is working smoothly. Here is the configuration I used for the switch in
packetfence:

[Unifi AP IP Address or subnet]
description=Unifi Access Points
group=Unifi
radiusSecret=RaidusPassword
controllerIp=Unifi Controller IP Address
useCoA=N
wsTransport=HTTPS
deauthMethod=HTTPS
wsUser=Unifi Controller Username
wsPwd=Unifi Controller Password


Hope this helps someone. I hope Packetfence releases some documentation on
Unifi AP's because with the necessary applied patch and the unifi
controller changes to config.properties, everything seems to be working
well. Actually in my opinion, it seems to be working better than the
hostapd setup in packetfence and is way easier to setup.


On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel <ca...@wildwoodprograms.org>
wrote:

> Hello all,
>
> I am also trying to get my Unifi APs working with packetfence. It seems
> that I am very close. I am able to get the portal to show up on the client
> when in the registration vlan, but after registering, the client never
> deauth's and disconnects from the access point. I can disable my wireless
> and enable it again and the client is assigned the correct role and put
> into the right vlan, so that part seems to be working. I have applied the
> patch in the following way:
>
> in /usr/local/pf I ran "curl
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
> | patch -p1"
>
> Is this the correct patch and the correct way to apply it? If so, why is
> this patch not disconnecting the client from the AP?
>
> I have also applied the following to my AP's in Unifi:
>
> /var/lib/unifi/sites//config.properties
> config.system_cfg.1=aaa.1.auth_cache=disabled
> config.system_cfg.2=aaa.2.auth_cache=disabled
> config.system_cfg.3=aaa.1.dynamic_vlan=1
> config.system_cfg.4=aaa.2.dynamic_vlan=1
> config.system_cfg.5=aaa.1.radius.acct.1.ip=
> config.system_cfg.6=aaa.1.radius.acct.1.port=
> config.system_cfg.7=aaa.1.radius.acct.1.secret= password>
> config.system_cfg.8=aaa.2.radius.acct.1.ip=
> config.system_cfg.9=aaa.2.radius.acct.1.port=
> config.system_cfg.10=aaa.2.radius.acct.1.secret= password>
>
>
>
> What should the configuration be in packetfence when setting up the
> switch? Should I use hostapd or Unifi Controller? Should I enable COA or
> not?
>
>
> Does anyone have a working setup of Unifi APs with an out of band setup of
> packetfence at this point? If so, could you shed some light and post your
> configurations?
>
> Thanks!
>
> On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Yes, David, this is my plan to test the captive portal on wired
>> connections to rule out the unruly Unifi APs
>>
>> Ideally I would love to make it also work with HP switches 1820/1920
>> model because this is the majority of switches installed in our
>> organization.
>>
>> But will try it on Cisco switch as a beginning
>>
>> Thanks again, for your sharing.
>>
>> There’s apparently something wrong with mailing list for packetfence as
>> there’s nothing coming in and I don’t believe it’s only me who persists in
>> making things work and asking for advices 
>>
>>
>>
>> Eugene
>>
>>
>>
>> *From:* David Harvey [mailto:da...@thoughtmachine.net]
>> *Sent:* Friday, February 09, 2018 4:37 AM
>> *To:* E.P. <ype...@gmail.com>; fdur...@inverse.ca
>> *Subject:* Re: [PacketFence-users] Unifi APs and CoA
>>
>>
>>
>> Hi Eugene,
>>
>>
>>
>> I'm including Fabrice in case anything I have covered is misleading or
>> plain untrue! I don't want to give you bad advice..
>>
>>
>>
>> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
>> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
>> and so haven't had the same open SSID guest portal aspect (which might make
>> my advice less relevant).
>>
>> I've been fumbling through, so I'm sure Fabrice can offer better advice
>> but I would start by saying..
>>
>>
>>
>> My understanding of the additional functionality this patch affords, is
>> dealing with kicking the client off an AP so it will then re-auth and
>> hopefully get put onto the correct VLAN.  So before worrying about if the
>> patch is working, I'd see if you can get to a state where you can reach the
>> portal as a new device/user, and after registering it puts you on the
>> correct VLAN if you toggle WiFi off and back on (thus skipping the kick
&g

Re: [PacketFence-users] Unifi APs and CoA

2018-02-18 Thread Chris Abel via PacketFence-users
Hello all,

I am also trying to get my Unifi APs working with packetfence. It seems
that I am very close. I am able to get the portal to show up on the client
when in the registration vlan, but after registering, the client never
deauth's and disconnects from the access point. I can disable my wireless
and enable it again and the client is assigned the correct role and put
into the right vlan, so that part seems to be working. I have applied the
patch in the following way:

in /usr/local/pf I ran "curl
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
| patch -p1"

Is this the correct patch and the correct way to apply it? If so, why is
this patch not disconnecting the client from the AP?

I have also applied the following to my AP's in Unifi:

/var/lib/unifi/sites//config.properties
config.system_cfg.1=aaa.1.auth_cache=disabled
config.system_cfg.2=aaa.2.auth_cache=disabled
config.system_cfg.3=aaa.1.dynamic_vlan=1
config.system_cfg.4=aaa.2.dynamic_vlan=1
config.system_cfg.5=aaa.1.radius.acct.1.ip=
config.system_cfg.6=aaa.1.radius.acct.1.port=
config.system_cfg.7=aaa.1.radius.acct.1.secret=
config.system_cfg.8=aaa.2.radius.acct.1.ip=
config.system_cfg.9=aaa.2.radius.acct.1.port=
config.system_cfg.10=aaa.2.radius.acct.1.secret=



What should the configuration be in packetfence when setting up the switch?
Should I use hostapd or Unifi Controller? Should I enable COA or not?


Does anyone have a working setup of Unifi APs with an out of band setup of
packetfence at this point? If so, could you shed some light and post your
configurations?

Thanks!

On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Yes, David, this is my plan to test the captive portal on wired
> connections to rule out the unruly Unifi APs
>
> Ideally I would love to make it also work with HP switches 1820/1920 model
> because this is the majority of switches installed in our organization.
>
> But will try it on Cisco switch as a beginning
>
> Thanks again, for your sharing.
>
> There’s apparently something wrong with mailing list for packetfence as
> there’s nothing coming in and I don’t believe it’s only me who persists in
> making things work and asking for advices 
>
>
>
> Eugene
>
>
>
> *From:* David Harvey [mailto:da...@thoughtmachine.net]
> *Sent:* Friday, February 09, 2018 4:37 AM
> *To:* E.P. <ype...@gmail.com>; fdur...@inverse.ca
> *Subject:* Re: [PacketFence-users] Unifi APs and CoA
>
>
>
> Hi Eugene,
>
>
>
> I'm including Fabrice in case anything I have covered is misleading or
> plain untrue! I don't want to give you bad advice..
>
>
>
> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
> and so haven't had the same open SSID guest portal aspect (which might make
> my advice less relevant).
>
> I've been fumbling through, so I'm sure Fabrice can offer better advice
> but I would start by saying..
>
>
>
> My understanding of the additional functionality this patch affords, is
> dealing with kicking the client off an AP so it will then re-auth and
> hopefully get put onto the correct VLAN.  So before worrying about if the
> patch is working, I'd see if you can get to a state where you can reach the
> portal as a new device/user, and after registering it puts you on the
> correct VLAN if you toggle WiFi off and back on (thus skipping the kick
> from AP part of the process).
>
>
>
> As far as I understand, to achieve this you need:
>
>
>
> Ideally to have shown it works with your wired network, something like:
>
> Clients are placed on a registration network which hits the portal, and
> that is able to register them properly as a node in packetfence associated
> with a role which belongs to an authenticated VLAN.
>
> This is a really useful way to show that the core functionality works.
>
>
>
> My setup from there added EAP-TLS to the Radius config, but I understand
> you're not looking to do that.. The setup should be similar though, as
> UniFi controller or AP will still have a RADIUS profile - in your case it
> will just be doing the MAC auth bit to decide on VLAN rather than having
> that layered on top of the certificate part. From there I am guessing a
> bit, as I understand there were some changes made to make the pure MAC auth
> bits work which I'd have to collate from the other posts on this topic..
> Specifically, my clients change VLAN on the same SSID, they don't join a
> different SSID after registration..
>
>
>
> I hope this is of some help,
>
>
>
> David
>
>
>
>
>
> On Fri, Feb 9, 2018 at 8:23 AM, E.P. <ype..
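
The message above pipes a downloaded diff straight into `patch -p1` inside /usr/local/pf. The following is an added example, not part of the thread and not PacketFence code: it saves the review step by listing which files a diff would touch, rejecting targets that leave the tree, and rehearsing the change before applying it with backups. The function names and the sample diff (including its file paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): review a downloaded diff before it is
# applied to a live tree such as /usr/local/pf.
# Fetch to a file first, e.g.:  curl -fsSL -o pr.diff <diff URL>

# diff_targets FILE [STRIP]
# Prints the paths a unified diff would modify after removing STRIP leading
# path components (default 1, matching `patch -p1`). Paths containing
# whitespace are not handled.
diff_targets() {
    awk -v strip="${2:-1}" '
        /^--- / { hdr = 1; next }          # old-file header
        hdr && /^\+\+\+ / {                # new-file header right after it
            hdr = 0
            if ($2 == "/dev/null") next    # file deletion, nothing written
            n = split($2, part, "/")
            out = ""
            for (i = strip + 1; i <= n; i++)
                if (part[i] != "") out = out (out == "" ? "" : "/") part[i]
            print out
            next
        }
        { hdr = 0 }
    ' "$1" | sort -u
}

# diff_check_paths FILE [STRIP]
# Prints every target that would leave the tree (a ".." component, or nothing
# left after stripping). Returns 1 if any such target exists, 0 otherwise.
diff_check_paths() {
    diff_targets "$1" "${2:-1}" | awk '
        $0 == "" { print; bad = 1; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print; bad = 1; break }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# review_then_apply FILE TREE
# Lists the targets, refuses diffs that leave TREE, rehearses with --dry-run,
# then applies with -b so each changed file keeps a .orig copy.
review_then_apply() {
    echo "Targets under $2:"
    diff_targets "$1" | sed 's/^/  /'
    diff_check_paths "$1" >/dev/null || { echo "refusing: target outside $2" >&2; return 1; }
    patch -p1 --dry-run -d "$2" < "$1" || return 1
    patch -p1 -b -d "$2" < "$1"
}

# Constructed sample diff; the paths are hypothetical, not PacketFence files.
write_sample_diff() {
    cat > "$1" <<'EOF'
diff --git a/lib/example/Unifi.pm b/lib/example/Unifi.pm
--- a/lib/example/Unifi.pm
+++ b/lib/example/Unifi.pm
@@ -1,2 +1,3 @@
 package example::Unifi;
+# added line
 1;
diff --git a/docs/example.txt b/docs/example.txt
--- a/docs/example.txt
+++ b/docs/example.txt
@@ -1 +1 @@
-old
+new
EOF
}

sample=$(mktemp)
write_sample_diff "$sample"
echo "Files the sample diff would modify:"
diff_targets "$sample"
diff_check_paths "$sample" && echo "all targets stay inside the tree"
rm -f "$sample"
```

With the PR diff saved as `pr.diff`, the equivalent of the one-liner in the message is `review_then_apply pr.diff /usr/local/pf`.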

Re: [PacketFence-users] Unifi APs and CoA

2018-02-11 Thread E.P. via PacketFence-users
Thank you very much, Nathan. I almost reached the same conclusion by vigorously 
testing this stupid Unifi AP on different firmware levels with the captive 
portal.

Very inconsistent behavior

 

Eugene

 

From: Nathan, Josh via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Saturday, February 10, 2018 10:49 PM
To: packetfence-users@lists.sourceforge.net
Cc: Nathan, Josh <josh.nat...@bfacademy.de>
Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hey Just FYI... Running both the Guest and RADIUS-Assigned VLANs on the same AP 
(separate SSIDs, of course), does NOT work on Unifi's 3.8.15 firmware.  It 
works with firmware version 3.8.3, broke at 3.8.6, and it's working again at 
least as of 3.9.19.

 

So if you need that firmware version, it won't work on the same AP.  If you 
disable the Guest portal, the RADIUS-Assigned can function properly, but if you 
enable the Guest portal on the one SSID, it somehow breaks the RADIUS-Assigned 
functionality on the other SSID.




 


Joshua Nathan
IT Technician
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a: Hammersteiner Straße 50, 79400 Kandern
w: bfacademy.de



 

 

On Sat, Feb 10, 2018 at 7:33 AM, E.P. via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Yes, David, this is my plan to test the captive portal on wired connections to 
rule out the unruly Unifi APs

Ideally I would love to make it also work with HP switches 1820/1920 model 
because this is the majority of switches installed in our organization.

But will try it on Cisco switch as a beginning

Thanks again, for your sharing. 

There’s apparently something wrong with mailing list for packetfence as there’s 
nothing coming in and I don’t believe it’s only me who persists in making 
things work and asking for advices 

 

Eugene

 

From: David Harvey [mailto:da...@thoughtmachine.net] 
Sent: Friday, February 09, 2018 4:37 AM
To: E.P. <ype...@gmail.com>; fdur...@inverse.ca 
Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hi Eugene,

 

I'm including Fabrice in case anything I have covered is misleading or plain 
untrue! I don't want to give you bad advice..

 

I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my 
functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS and 
so haven't had the same open SSID guest portal aspect (which might make my 
advice less relevant).

I've been fumbling through, so I'm sure Fabrice can offer better advice but I 
would start by saying..

 

My understanding of the additional functionality this patch affords, is dealing 
with kicking the client off an AP so it will then re-auth and hopefully get put 
onto the correct VLAN.  So before worrying about if the patch is working, I'd 
see if you can get to a state where you can reach the portal as a new 
device/user, and after registering it puts you on the correct VLAN if you 
toggle WiFi off and back on (thus skipping the kick from AP part of the 
process).

 

As far as I understand, to achieve this you need:

 

Ideally to have shown it works with your wired network, something like: 

Clients are placed on a registration network which hits the portal, and that is 
able to register them properly as a node in packetfence associated with a role 
which belongs to an authenticated VLAN.

This is a really useful way to show that the core functionality works.

 

My setup from there added EAP-TLS to the Radius config, but I understand you're 
not looking to do that.. The setup should be similar though, as UniFi 
controller or AP will still have a RADIUS profile - in your case it will just 
be doing the MAC auth bit to decide on VLAN rather than having that layered on 
top of the certificate part. From there I am guessing a bit, as I understand 
there were some changes made to make the pure MAC auth bits work which I'd have 
to collate from the other posts on this topic.. Specifically, my clients change 
VLAN on the same SSID, they don't join a different SSID after registration..

 

I hope this is of some help,

 

David

 

 

On Fri, Feb 9, 2018 at 8:23 AM, E.P. <ype...@gmail.com> wrote:

Hi David,

Sorry to bother you again, I’m a bit desperate here.

Thought that it will be a breeze to implement guest WiFi with captive portal 
but I’m still at nowhere.

Can you please tell me what Unifi AP you are using? Is it a show stopper for me 
if I use older APs with firmware 3.8.15 ?

I installed that required patch on PF as per Fabrice. Anything else I’m missing 
?

 

Eugene

 

From: David Harvey [mailto:da...@thoughtmachine.net 
<mailto

Re: [PacketFence-users] Unifi APs and CoA

2018-02-10 Thread Nathan, Josh via PacketFence-users
Hey Just FYI... Running both the Guest and RADIUS-Assigned VLANs on the
same AP (separate SSIDs, of course), does NOT work on Unifi's 3.8.15
firmware.  It works with firmware version 3.8.3, broke at 3.8.6, and it's
working again at least as of 3.9.19.

So if you need that firmware version, it won't work on the same AP.  If you
disable the Guest portal, the RADIUS-Assigned can function properly, but if
you enable the Guest portal on the one SSID, it somehow breaks the
RADIUS-Assigned functionality on the other SSID.


Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de



On Sat, Feb 10, 2018 at 7:33 AM, E.P. via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Yes, David, this is my plan to test the captive portal on wired
> connections to rule out the unruly Unifi APs
>
> Ideally I would love to make it also work with HP switches 1820/1920 model
> because this is the majority of switches installed in our organization.
>
> But will try it on Cisco switch as a beginning
>
> Thanks again, for your sharing.
>
> There’s apparently something wrong with mailing list for packetfence as
> there’s nothing coming in and I don’t believe it’s only me who persists in
> making things work and asking for advice
>
>
>
> Eugene
>
>
>
> *From:* David Harvey [mailto:da...@thoughtmachine.net]
> *Sent:* Friday, February 09, 2018 4:37 AM
> *To:* E.P. <ype...@gmail.com>; fdur...@inverse.ca
> *Subject:* Re: [PacketFence-users] Unifi APs and CoA
>
>
>
> Hi Eugene,
>
>
>
> I'm including Fabrice in case anything I have covered is misleading or
> plain untrue! I don't want to give you bad advice..
>
>
>
> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
> and so haven't had the same open SSID guest portal aspect (which might make
> my advice less relevant).
>
> I've been fumbling through, so I'm sure Fabrice can offer better advice
> but I would start by saying..
>
>
>
> My understanding of the additional functionality this patch affords, is
> dealing with kicking the client off an AP so it will then re-auth and
> hopefully get put onto the correct VLAN.  So before worrying about if the
> patch is working, I'd see if you can get to a state where you can reach the
> portal as a new device/user, and after registering it puts you on the
> correct VLAN if you toggle WiFi off and back on (thus skipping the kick
> from AP part of the process).
>
>
>
> As far as I understand, to achieve this you need:
>
>
>
> Ideally to have shown it works with your wired network, something like:
>
> Clients are placed on a registration network which hits the portal, and
> that is able to register them properly as a node in packetfence associated
> with a role which belongs to an authenticated VLAN.
>
> This is a really useful way to show that the core functionality works.
>
>
>
> My setup from there added EAP-TLS to the Radius config, but I understand
> you're not looking to do that.. The setup should be similar though, as
> UniFi controller or AP will still have a RADIUS profile - in your case it
> will just be doing the MAC auth bit to decide on VLAN rather than having
> that layered on top of the certificate part. From there I am guessing a
> bit, as I understand there were some changes made to make the pure MAC auth
> bits work which I'd have to collate from the other posts on this topic..
> Specifically, my clients change VLAN on the same SSID, they don't join a
> different SSID after registration..
>
>
>
> I hope this is of some help,
>
>
>
> David
>
>
>
>
>
> On Fri, Feb 9, 2018 at 8:23 AM, E.P. <ype...@gmail.com> wrote:
>
> Hi David,
>
> Sorry to bother you again, I’m a bit desperate here.
>
> Thought that it will be a breeze to implement guest WiFi with captive
> portal but I’m still at nowhere.
>
> Can you please tell me what Unifi AP you are using? Is it a show stopper
> for me if I use older APs with firmware 3.8.15 ?
>
> I installed that required patch on PF as per Fabrice. Anything else I’m
> missing ?
>
>
>
> Eugene
>
>
>
> *From:* David Harvey [mailto:da...@thoughtmachine.net]
> *Sent:* Friday, February 02, 2018 7:10 AM
> *To:* Eugene Pefti <ype...@gmail.com>
>
>
> *Subject:* Re: [PacketFence-users] Unifi APs and CoA
>
>
>
> Hi Eugene,
>
>
>
> No problem at all, although I'm not sure how much detail I can add.  Tim
> and Fabrice seem to have the best grasp of this with the most comprehensive
> guid

Re: [PacketFence-users] Unifi APs and CoA

2018-02-10 Thread E.P. via PacketFence-users
Yes, David, this is my plan to test the captive portal on wired connections to 
rule out the unruly Unifi APs

Ideally I would love to make it also work with HP switches 1820/1920 model 
because this is the majority of switches installed in our organization.

But will try it on Cisco switch as a beginning

Thanks again, for your sharing. 

There’s apparently something wrong with mailing list for packetfence as there’s 
nothing coming in and I don’t believe it’s only me who persists in making 
things work and asking for advice 

 

Eugene

 

From: David Harvey [mailto:da...@thoughtmachine.net] 
Sent: Friday, February 09, 2018 4:37 AM
To: E.P. <ype...@gmail.com>; fdur...@inverse.ca
Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hi Eugene,

 

I'm including Fabrice in case anything I have covered is misleading or plain 
untrue! I don't want to give you bad advice..

 

I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my 
functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS and 
so haven't had the same open SSID guest portal aspect (which might make my 
advice less relevant).

I've been fumbling through, so I'm sure Fabrice can offer better advice but I 
would start by saying..

 

My understanding of the additional functionality this patch affords, is dealing 
with kicking the client off an AP so it will then re-auth and hopefully get put 
onto the correct VLAN.  So before worrying about if the patch is working, I'd 
see if you can get to a state where you can reach the portal as a new 
device/user, and after registering it puts you on the correct VLAN if you 
toggle WiFi off and back on (thus skipping the kick from AP part of the 
process).

 

As far as I understand, to achieve this you need:

 

Ideally to have shown it works with your wired network, something like: 

Clients are placed on a registration network which hits the portal, and that is 
able to register them properly as a node in packetfence associated with a role 
which belongs to an authenticated VLAN.

This is a really useful way to show that the core functionality works.

 

My setup from there added EAP-TLS to the Radius config, but I understand you're 
not looking to do that.. The setup should be similar though, as UniFi 
controller or AP will still have a RADIUS profile - in your case it will just 
be doing the MAC auth bit to decide on VLAN rather than having that layered on 
top of the certificate part. From there I am guessing a bit, as I understand 
there were some changes made to make the pure MAC auth bits work which I'd have 
to collate from the other posts on this topic.. Specifically, my clients change 
VLAN on the same SSID, they don't join a different SSID after registration..

 

I hope this is of some help,

 

David

 

 

On Fri, Feb 9, 2018 at 8:23 AM, E.P. <ype...@gmail.com> wrote:

Hi David,

Sorry to bother you again, I’m a bit desperate here.

Thought that it will be a breeze to implement guest WiFi with captive portal 
but I’m still at nowhere.

Can you please tell me what Unifi AP you are using? Is it a show stopper for me 
if I use older APs with firmware 3.8.15 ?

I installed that required patch on PF as per Fabrice. Anything else I’m missing 
?

 

Eugene

 

From: David Harvey [mailto:da...@thoughtmachine.net] 
Sent: Friday, February 02, 2018 7:10 AM
To: Eugene Pefti <ype...@gmail.com>


Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hi Eugene,

 

No problem at all, although I'm not sure how much detail I can add.  Tim and 
Fabrice seem to have the best grasp of this with the most comprehensive 
guidance in the thread "[PacketFence-users] Ubiquiti UniFi AP Captive Portal".

The draft docs were also quite handy: 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1

 

Now my setup

I've been running EAP-TLS for some time now for wired and wifi, so not using 
the MAC based authentication.  I already had a functional packetfence setup 
which does MAC based and EAP based auth for wired (partially inherited setup), 
but ignore the MAB/MAC part as I don't use it in the wifi setup.

 

From here it wasn't too bad to add the Access points to packetfence as 
switches - initially as hostapd devices (before the Unify module existed) and 
using the common RADIUS config the ciscos are using.  I also had to create the 
profile on the unifi controller side with the RADIUS login details for auth 
and accounting.

Doing it this way has been less complicated as I don't need an open SSID - 
clients have certs so get onto my registration VLAN where they can hit the 
portal and login to find their eventual VLANs.

I can try and pull more detail together when I have time, but I think the Tim 
guide 

Re: [PacketFence-users] Unifi APs and CoA

2018-02-01 Thread Timothy Mullican via PacketFence-users
Also have a look at the “[PacketFence-users] Ubiquiti UniFi AP Captive Portal” 
thread for my steps taken. 

Tim

Sent from mobile phone

> On Feb 1, 2018, at 10:17, David Harvey  wrote:
> 
> Many thanks for the tips. With your guidance I've been following the 
> "Packetfence RADIUS and Unifi Out of Band" and am 90% of the way there. 
> For anyone curious, please check in on that thread, as it's got more of the 
> case history and steps outlined.
> 
> Best,
> 
> David
> 
>> On Thu, Feb 1, 2018 at 1:39 AM, Timothy Mullican  
>> wrote:
>> David,
>> Your understanding is correct. Currently the UniFi only supports 
>> deauthenticating a client using the controller API and not using CoA. It is 
>> possible to enable RADIUS CoA for a single SSID and frequency, but this may 
>> not be useful for you. This is because the UniFi runs a separate hostapd 
>> instance for all of the different SSIDs and frequencies. See: 
>> https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1860205/highlight/true#M216003
>> 
>> Sent from mobile phone
>> 
>>> On Jan 31, 2018, at 17:46, Durand fabrice via PacketFence-users 
>>>  wrote:
>>> 
>>> Hello David,
>>> 
>>> the unifi AP is not yet correctly supported, there is some code about that 
>>> but you have to do some custom config on the Unifi controller.
>>> Have a look at the mailing list archive about unifi.
>>> 
>>> Regards
>>> Fabrice
>>> 
>>>> On 2018-01-31 at 13:02, David Harvey via PacketFence-users wrote:
>>>> I should also note. I've just changed our APs from switch type hostapd to 
>>>> ubiquity::unify, added the controller IP (a docker image in my case), and 
>>>> also attempted to add the webservices field as details in the 
>>>> documentation:
>>>> 
>>>> wsTransport=HTTPS
>>>> wsUser=admin
>>>> wsPwd=admin
>>>> 
>>>>> On Wed, Jan 31, 2018 at 6:00 PM, David Harvey  
>>>>> wrote:
>>>>> Hi packetfence users,
>>>>> 
>>>>> I just wanted to confirm a feature (or my understanding of).
>>>>> 
>>>>> I'm using unifi access points with great success for portal login paired 
>>>>> with EAP-TLS.
>>>>> 
>>>>> Unregistered clients with certs land on the registration VLAN, and then 
>>>>> have their proper vlans assigned by the portal login.
>>>>> After the portal login has been performed the client needs the wifi 
>>>>> toggling off and on at present to reauth and get put onto the correct 
>>>>> VLAN. subsequent reconnects work fine...
>>>>> 
>>>>> If I've read the archives correctly, the wifi down/up is required because 
>>>>> CoA is not supported by unifi, nor does the controller allow RADIUS 
>>>>> disconnect events to force a client to reauth.
>>>>> Have I understood correctly, and is there any other magic I could try in 
>>>>> order to smooth the portal sign in experience?
>>>>> 
>>>>> Thanks in advance,
>>>>> 
>>>>> David
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> 
>>>> 
>>>> ___
>>>> PacketFence-users mailing list
>>>> PacketFence-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>> 
> 


Re: [PacketFence-users] Unifi APs and CoA

2018-02-01 Thread David Harvey via PacketFence-users
Many thanks for the tips. With your guidance I've been following the
"Packetfence RADIUS and Unifi Out of Band" and am 90% of the way there.
For anyone curious, please check in on that thread, as it's got more of the
case history and steps outlined.

Best,

David

On Thu, Feb 1, 2018 at 1:39 AM, Timothy Mullican 
wrote:

> David,
> Your understanding is correct. Currently the UniFi only supports
> deauthenticating a client using the controller API and not using CoA. It is
> possible to enable RADIUS CoA for a single SSID and frequency, but this may
> not be useful for you. This is because the UniFi runs a separate hostapd
> instance for all of the different SSIDs and frequencies. See:
> https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1860205/highlight/true#M216003
> 
>
> Sent from mobile phone
>
> On Jan 31, 2018, at 17:46, Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello David,
>
> the unifi AP is not yet correctly supported, there is some code about that
> but you have to do some custom config on the Unifi controller.
> Have a look at the mailing list archive about unifi.
>
> Regards
> Fabrice
>
> On 2018-01-31 at 13:02, David Harvey via PacketFence-users wrote:
>
> I should also note. I've just changed our APs from switch type hostapd to
> ubiquity::unify, added the controller IP (a docker image in my case), and
> also attempted to add the webservices field as details in the
> documentation:
>
> wsTransport=HTTPS
> wsUser=admin
> wsPwd=admin
>
>
> On Wed, Jan 31, 2018 at 6:00 PM, David Harvey 
> wrote:
>
>> Hi packetfence users,
>>
>> I just wanted to confirm a feature (or my understanding of).
>>
>> I'm using unifi access points with great success for portal login paired
>> with EAP-TLS.
>>
>> Unregistered clients with certs land on the registration VLAN, and then
>> have their proper vlans assigned by the portal login.
>> After the portal login has been performed the client needs the wifi
>> toggling off and on at present to reauth and get put onto the correct VLAN.
>> subsequent reconnects work fine...
>>
>> If I've read the archives correctly, the wifi down/up is required because
>> CoA is not supported by unifi, nor does the controller allow RADIUS
>> disconnect events to force a client to reauth.
>> Have I understood correctly, and is there any other magic I could try in
>> order to smooth the portal sign in experience?
>>
>> Thanks in advance,
>>
>> David
>>
>
>
>


Re: [PacketFence-users] Unifi APs and CoA

2018-01-31 Thread Timothy Mullican via PacketFence-users
David,
Your understanding is correct. Currently the UniFi only supports 
deauthenticating a client using the controller API and not using CoA. It is 
possible to enable RADIUS CoA for a single SSID and frequency, but this may not 
be useful for you. This is because the UniFi runs a separate hostapd instance 
for all of the different SSIDs and frequencies. See: 
https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1860205/highlight/true#M216003

Sent from mobile phone

> On Jan 31, 2018, at 17:46, Durand fabrice via PacketFence-users 
>  wrote:
> 
> Hello David,
> 
> the unifi AP is not yet correctly supported, there is some code about that 
> but you have to do some custom config on the Unifi controller.
> Have a look at the mailing list archive about unifi.
> 
> Regards
> Fabrice
> 
>> On 2018-01-31 at 13:02, David Harvey via PacketFence-users wrote:
>> I should also note. I've just changed our APs from switch type hostapd to 
>> ubiquity::unify, added the controller IP (a docker image in my case), and 
>> also attempted to add the webservices field as details in the documentation:
>> 
>> wsTransport=HTTPS
>> wsUser=admin
>> wsPwd=admin
>> 
>>> On Wed, Jan 31, 2018 at 6:00 PM, David Harvey  
>>> wrote:
>>> Hi packetfence users,
>>> 
>>> I just wanted to confirm a feature (or my understanding of).
>>> 
>>> I'm using unifi access points with great success for portal login paired 
>>> with EAP-TLS.
>>> 
>>> Unregistered clients with certs land on the registration VLAN, and then 
>>> have their proper vlans assigned by the portal login.
>>> After the portal login has been performed the client needs the wifi 
>>> toggling off and on at present to reauth and get put onto the correct VLAN. 
>>> subsequent reconnects work fine...
>>> 
>>> If I've read the archives correctly, the wifi down/up is required because 
>>> CoA is not supported by unifi, nor does the controller allow RADIUS 
>>> disconnect events to force a client to reauth.
>>> Have I understood correctly, and is there any other magic I could try in 
>>> order to smooth the portal sign in experience?
>>> 
>>> Thanks in advance,
>>> 
>>> David
>> 
>> 
>> 
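
The message above contrasts a controller-API deauthentication with RADIUS CoA/Disconnect. As an added illustration (not part of the thread, and not PacketFence or UniFi code), this sketch builds the RFC 5176 Disconnect-Request a NAC server would send to force a re-auth and shows how the sender should validate the ACK or NAK that comes back. The shared secret, MAC address and identifier are constructed sample values, and `build_reply` only simulates the NAS side.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
ATTR_CALLING_STATION_ID = 31   # client MAC address
ATTR_ERROR_CAUSE = 101         # reason carried in a NAK, e.g. 503 Session Context Not Found
ZERO_AUTH = b"\x00" * 16       # authenticator seed used when signing a request


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _signed(code, identifier, seed_auth, attrs, secret):
    # Authenticator = MD5(code + id + length + seed + attributes + secret)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + seed_auth + attrs + secret).digest()
    return header + auth + attrs


def build_disconnect_request(identifier, mac, secret):
    attrs = _attr(ATTR_CALLING_STATION_ID, mac.encode("ascii"))
    return _signed(DISCONNECT_REQUEST, identifier, ZERO_AUTH, attrs, secret)


def build_reply(code, request, secret, error_cause=None):
    # Simulated NAS side: a reply is seeded with the request's authenticator.
    attrs = b""
    if error_cause is not None:
        attrs = _attr(ATTR_ERROR_CAUSE, struct.pack("!I", error_cause))
    return _signed(code, request[1], request[4:20], attrs, secret)


def check_packet(packet, seed_auth, secret):
    """Validate length and authenticator; return (code, identifier, attrs)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + seed_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch (wrong secret or tampering)")
    attrs, pos, body = {}, 0, packet[20:]
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return code, identifier, attrs


def interpret_reply(reply, request, secret):
    """Return ("ACK", None) or ("NAK", error_cause) for a verified reply."""
    code, identifier, attrs = check_packet(reply, request[4:20], secret)
    if identifier != request[1]:
        raise ValueError("reply does not answer this request")
    if code == DISCONNECT_ACK:
        return "ACK", None
    if code == DISCONNECT_NAK:
        cause = attrs.get(ATTR_ERROR_CAUSE)
        number = struct.unpack("!I", cause)[0] if cause and len(cause) == 4 else None
        return "NAK", number
    raise ValueError("unexpected RADIUS code %d" % code)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    req = build_disconnect_request(7, "aa-bb-cc-dd-ee-ff", secret)
    print(interpret_reply(build_reply(DISCONNECT_NAK, req, secret, 503), req, secret))
```
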


Re: [PacketFence-users] Unifi APs and CoA

2018-01-31 Thread Durand fabrice via PacketFence-users

Hello David,

the unifi AP is not yet correctly supported, there is some code about 
that but you have to do some custom config on the Unifi controller.


Have a look at the mailing list archive about unifi.

Regards
Fabrice

On 2018-01-31 at 13:02, David Harvey via PacketFence-users wrote:
I should also note. I've just changed our APs from switch type hostapd 
to ubiquity::unify, added the controller IP (a docker image in my 
case), and also attempted to add the webservices field as details in 
the documentation:


wsTransport=HTTPS
wsUser=admin
wsPwd=admin

On Wed, Jan 31, 2018 at 6:00 PM, David Harvey wrote:


Hi packetfence users,

I just wanted to confirm a feature (or my understanding of).

I'm using unifi access points with great success for portal login
paired with EAP-TLS.

Unregistered clients with certs land on the registration VLAN, and
then have their proper vlans assigned by the portal login.
After the portal login has been performed the client needs the
wifi toggling off and on at present to reauth and get put onto the
correct VLAN. subsequent reconnects work fine...

If I've read the archives correctly, the wifi down/up is required
because CoA is not supported by unifi, nor does the controller
allow RADIUS disconnect events to force a client to reauth.
Have I understood correctly, and is there any other magic I could
try in order to smooth the portal sign in experience?

Thanks in advance,

David






Re: [PacketFence-users] Unifi APs and CoA

2018-01-31 Thread David Harvey via PacketFence-users
I should also note. I've just changed our APs from switch type hostapd to
ubiquity::unify, added the controller IP (a docker image in my case), and
also attempted to add the webservices field as details in the documentation:

wsTransport=HTTPS
wsUser=admin
wsPwd=admin


On Wed, Jan 31, 2018 at 6:00 PM, David Harvey 
wrote:

> Hi packetfence users,
>
> I just wanted to confirm a feature (or my understanding of).
>
> I'm using unifi access points with great success for portal login paired
> with EAP-TLS.
>
> Unregistered clients with certs land on the registration VLAN, and then
> have their proper vlans assigned by the portal login.
> After the portal login has been performed the client needs the wifi
> toggling off and on at present to reauth and get put onto the correct VLAN.
> subsequent reconnects work fine...
>
> If I've read the archives correctly, the wifi down/up is required because
> CoA is not supported by unifi, nor does the controller allow RADIUS
> disconnect events to force a client to reauth.
> Have I understood correctly, and is there any other magic I could try in
> order to smooth the portal sign in experience?
>
> Thanks in advance,
>
> David
>