Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-19 Thread Eugene Pefti via PacketFence-users
Yes, Fabrice. I will send it shortly once I get home

Sent from iPhone

From:  "packetfence-users@lists.sourceforge.net"

Reply-To:  "packetfence-users@lists.sourceforge.net"

Date:  Sunday, February 18, 2018 at 10:51 AM
To:  "packetfence-users@lists.sourceforge.net"

Cc:  Fabrice Durand 
Subject:  Re: [PacketFence-users] Access to PF captive portal is blocked


 

Hello Eugene,
 do you have the capture ?
 
 Regards
 Fabrice
 
 
On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:

> Hi Fabrice,
>  
> I dare sending it again believing my previous email fell into cracks.
>  
> Can you please advise what could be wrong (see below)
>  
>  
>  
> Eugene
>
> From: E.P. [mailto:ype...@gmail.com]
>  Sent: Wednesday, February 14, 2018 1:08 AM
>  To: packetfence-users@lists.sourceforge.net
>  Subject: Access to PF captive portal is blocked
>
> Hello folks,
>  
> I really hope someone who ran into a similar problem will shed some light.
>  
> Feeling bad we don't hear anything from Fabrice or someone from inverse.
>  
> I have an out-of-band deployment of PF and my WiFi client gets connected and
> redirected to PF
>  
> I see redirects by capturing the traffic on PF by tcpdump.
>  
> But... I see that PF sends TCP resets even for TCP SYN packet coming from the
> client.
>  
> It seems to me it is just iptables firewall that blocks it.
>  
> Why ? Where am I supposed to enter those IP addresses that are allowed to go
> through captive portal registration?
>  
> I do allow PF IP address in the pre-authorization access list and my ping to
> FQDN of PF succeeds normally.
>  
> It is only HTTP(s) doesn't go through.
>  
> Even manually entered URL in the client browser doesn't open up any page, i.e.
> https://pf.blabla.com/captive-portal or https://172.16.0.222/captive-portal
>  
>  
>  
> Eugene
>  
>  
>   
>  
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>  
>   
>  
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>  
 
 

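The symptom in the quoted post above (ping succeeds, but SYNs to the portal are answered with resets), as an added example that is not part of the thread: a sketch that sorts `tcpdump -nn` text output by how the server answered each client SYN. The capture is constructed; the client address 172.16.0.50, the ports other than 80/443, and the name `classify_syns` are assumptions.

```python
import re

# Constructed capture in `tcpdump -nn` text format. 172.16.0.222 is the portal
# address from the post; the client 172.16.0.50 and all ports are assumptions.
SAMPLE = """\
10:15:01.100000 IP 172.16.0.50 > 172.16.0.222: ICMP echo request, id 1, seq 1, length 64
10:15:01.100200 IP 172.16.0.222 > 172.16.0.50: ICMP echo reply, id 1, seq 1, length 64
10:15:02.200000 IP 172.16.0.50.51234 > 172.16.0.222.443: Flags [S], seq 1000, win 65535, length 0
10:15:02.200150 IP 172.16.0.222.443 > 172.16.0.50.51234: Flags [R.], seq 0, ack 1001, win 0, length 0
10:15:03.300000 IP 172.16.0.50.51240 > 172.16.0.222.80: Flags [S], seq 2000, win 65535, length 0
10:15:03.300140 IP 172.16.0.222.80 > 172.16.0.50.51240: Flags [R.], seq 0, ack 2001, win 0, length 0
10:15:04.400000 IP 172.16.0.50.51250 > 172.16.0.222.22: Flags [S], seq 3000, win 65535, length 0
10:15:04.400130 IP 172.16.0.222.22 > 172.16.0.50.51250: Flags [S.], seq 9000, ack 3001, win 65160, length 0
10:15:05.500000 IP 172.16.0.50.51260 > 172.16.0.222.8080: Flags [S], seq 4000, win 65535, length 0
"""

TCP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([A-Z.]+)\]")


def classify_syns(capture, server_ip):
    """Return {server_port: 'accepted' | 'reset' | 'no-reply'} for client SYNs."""
    pending = set()   # (client_ip, client_port, server_port) still unanswered
    verdict = {}
    for line in capture.splitlines():
        m = TCP_LINE.search(line)
        if not m:
            continue  # ICMP and other non-TCP lines
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if dst == server_ip and flags == "S":
            pending.add((src, sport, dport))
            verdict.setdefault(dport, "no-reply")
        elif src == server_ip and (dst, dport, sport) in pending:
            if "R" in flags:
                verdict[sport] = "reset"      # refused by the server host itself
            elif flags == "S.":
                verdict[sport] = "accepted"   # a listener answered the handshake
            pending.discard((dst, dport, sport))
    return verdict


if __name__ == "__main__":
    for port, result in sorted(classify_syns(SAMPLE, "172.16.0.222").items()):
        print(port, result)
```

In a capture taken on the server, "reset" typically means nothing is listening on that address and port or a firewall rule rejects with a TCP reset, while "no-reply" points to a silent drop.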


Re: [PacketFence-users] Unifi APs and CoA

2018-02-19 Thread Eugene Pefti via PacketFence-users
Good job, Chris and thanks for sharing your progress.
I dare asking my stupid question again ;)
Why users which associated to guest WiFi (Open with a redirect to PF captive
portal) can’t reach PF via HTTP ?
They receive IP address from the local DHCP server and then can ping PF but
there’s no way to go through self-registration

Eugene

From:  "packetfence-users@lists.sourceforge.net"

Reply-To:  "packetfence-users@lists.sourceforge.net"

Date:  Thursday, February 15, 2018 at 8:00 AM
To:  "packetfence-users@lists.sourceforge.net"

Cc:  Chris Abel 
Subject:  Re: [PacketFence-users] Unifi APs and CoA

Hey All,

I was able to get deauth working with my Unifi APs and it seems everything
is working smoothly. Here is the configuration I used for the switch in
packetfence:

[Unifi AP IP Address or subnet]
description=Unifi Access Points
group=Unifi
radiusSecret=RaidusPassword
controllerIp=Unifi Controller IP Address
useCoA=N
wsTransport=HTTPS
deauthMethod=HTTPS
wsUser=Unifi Controller Username
wsPwd=Unifi Controller Password



Hope this helps someone. I hope Packetfence releases some documentation on
Unifi APs because with the necessary applied patch and the unifi controller
changes to config.properties, everything seems to be working well. Actually
in my opinion, it seems to be working better than the hostapd setup in
packetfence and is way easier to set up.


On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel wrote:
> Hello all,
> 
> I am also trying to get my Unifi APs working with packetfence. It seems that I
> am very close. I am able to get the portal to show up on the client when in
> the registration vlan, but after registering, the client never deauth's and
> disconnects from the access point. I can disable my wireless and enable it
> again and the client is assigned the correct role and put into the right vlan,
> so that part seems to be working. I have applied the patch in the following
> way:
> 
> in /usr/local/pf I ran "curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff | patch -p1"
> 
> Is this the correct patch and the correct way to apply it? If so, why is this
> patch not disconnecting the client from the AP?
> 
> I have also applied the following to my AP's in Unifi:
> 
> /var/lib/unifi/sites//config.properties
> config.system_cfg.1=aaa.1.auth_cache=disabled
> config.system_cfg.2=aaa.2.auth_cache=disabled
> config.system_cfg.3=aaa.1.dynamic_vlan=1
> config.system_cfg.4=aaa.2.dynamic_vlan=1
> config.system_cfg.5=aaa.1.radius.acct.1.ip=
> config.system_cfg.6=aaa.1.radius.acct.1.port=
> config.system_cfg.7=aaa.1.radius.acct.1.secret= password>
> config.system_cfg.8=aaa.2.radius.acct.1.ip=
> config.system_cfg.9=aaa.2.radius.acct.1.port=
> config.system_cfg.10=aaa.2.radius.acct.1.secret= password>
> 
> 
> What should the configuration be in packetfence when setting up the switch?
> Should I use hostapd or Unifi Controller? Should I enable COA or not?
> 
> 
> Does anyone have a working setup of Unifi APs with an out of band setup of
> packetfence at this point? If so, could you shed some light and post your
> configurations?
> 
> Thanks!
> 
> On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users wrote:
>> Yes, David, this is my plan to test the captive portal on wired connections
>> to rule out the unruly Unifi APs
>> Ideally I would love to make it also work with HP switches 1820/1920 model
>> because this is the majority of switches installed in our organization.
>> But will try it on Cisco switch as a beginning
>> Thanks again, for your sharing.
>> There’s apparently something wrong with mailing list for packetfence as
>> there’s nothing coming in and I don’t believe it’s only me who persists in
>> making things work and asking for advices 
>>  
>> Eugene
>>  
>> From: David Harvey [mailto:da...@thoughtmachine.net]
>> Sent: Friday, February 09, 2018 4:37 AM
>> To: E.P. ; fdur...@inverse.ca
>> Subject: Re: [PacketFence-users] Unifi APs and CoA
>>  
>> 
>> Hi Eugene,
>> 
>>  
>> 
>> I'm including Fabrice in case anything I have covered is misleading or plain
>> untrue! I don't want to give you bad advice..
>> 
>>  
>> 
>> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
>> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
>> and so haven't had the same open SSID guest portal aspect (which might make
>> my advice less relevant).
>> 
>> I've been fumbling through, so I'm sure Fabrice can offer better advice but I
>> would start by saying..
>> 
>>  
>> 
>> My understanding of the additional functionality this patch affords, is
>> dealing with kicking the client off an AP so it will then re-auth and
>> hopefully get put onto the correct VLAN.  So before