Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-10 Thread E.P. via PacketFence-users
we do use Juniper EX3200 Switches here and I would like to discuss a security 
issue in your example conf for Juniper in the documentation referenced by your 
posting below:

 

your doc suggests the option „mac radius“ to be activated. I would rather NOT 
suggest that, because:

MAC Authentication is subject to spoofing attacks, which one exactly wants to 
get rid of by using 802.1x. 

It is exactly the wrong way to activate the mac radius option, as in this case 
a juniper switch would use simple mac radius as a fallback, if 802.1x would 
fail, which is exactly what you would NOT want to have, if you want to be sure 
NOT to be vulnerable to mac spoofing attacks.

 

So is there a reason you suggest that option that I didn't get?

 

Bye,

Holger

 

PS:

An additional personal hint: using interface ranges in the „protocols / dot1x / 
interface“ config did not work with our switches, we had to explicitly name the 
interfaces there.

 

 

From: Timothy Mullican via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, 1 February 2018 18:11
To: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican ; Frederic Hermann 

Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

 

By the way,

Fabrice Durand already added code to do this in pull request #2735 on github. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch

You can apply that patch to get it working. Also see 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
 for the updated documentation. You can read through my earlier thread to see 
the steps I took to get it working. 

 

Tim

Sent from mobile phone


On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
 wrote:



Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-10 Thread E.P. via PacketFence-users
Hi Tim and gang,

Any idea where I should start looking into PF to troubleshoot WebAuth for WiFi ?

I finally had time to prepare UniFi according to screenshots published at github

https://github.com/inverse-inc/packetfence/tree/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images

 

Namely this is what I did in Unifi:

1)  New SSID (wireless network) is created and set as “Open” and checked 
for Guest policy “Apply guest policies” and set VLAN ID to be assigned.

2)  Created Guest policy and set authentication to point it to “External 
portal server” and put the IP address of PF into Custom portal field, checked 
“Use Secure Portal”, added the IP address of PF into “Pre-Authorization access” 
field.

 

Now, on PF just for the sake of testing guest self-registration which should be 
enabled by default I’m not supposed to do anything other than creating a 
connection profile, correct ?

So, I created “guests” connection profile, anything specific to set within this 
profile ? I checked “Active preregistration” in the profile settings but my 
pf.conf file (/usr/local/pf/conf/pf.conf) doesn’t have this (as it says in PF 
admin guide)

 

[guests_self_registration]

preregistration=enabled

 

Ideally we would like to enable PF send SMS/text messages to users with their 
passwords

 

So, with all above set my connection attempts to the said SSID result in no 
redirection to the captive portal. What am I missing and what am I setting in 
“Captive portal” in the connection profile and how would PF start processing 
the connection being forwarded by UniFi controller ?

 

Eugene

 

From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
Sent: Friday, February 02, 2018 8:06 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net; frederic.herm...@neptune.fr; 
holger.patz...@t-systems.com
Subject: Re: AW: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

 

Eugene:

You should use the IP address of your AP instead of the MAC address. The 
pictures are available at:

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png

My thread probably has more in depth images though.

—

Holger:

You are correct that MAC auth is vulnerable to attack. I believe PacketFence 
can detect a host name change as one mitigation and trigger a violation. 
Another mitigation is to put your network behind 802.1x or WPA2. I have to auth 
people against G Suite, so I can’t currently use 802.1x (Oauth). For the guest 
network, spoofing isn’t as much of an issue since it’s separated from my 
corporate lan. I would start a separate thread for this though.

 

Sent from mobile phone


On Feb 2, 2018, at 03:15,  
 wrote:

Hello Tim,

hi all,

 

we do use Juniper EX3200 Switches here and I would like to discuss a security 
issue in your example conf for Juniper in the documentation referenced by your 
posting below:

 

your doc suggests the option „mac radius“ to be activated. I would rather NOT 
suggest that, because:

MAC Authentication is subject to spoofing attacks, which one exactly wants to 
get rid of by using 802.1x. 

It is exactly the wrong way to activate the mac radius option, as in this case 
a juniper switch would use simple mac radius as a fallback, if 802.1x would 
fail, which is exactly what you would NOT want to have, if you want to be sure 
NOT to be vulnerable to mac spoofing attacks.

 

So is there a reason you suggest that option that I didn't get?

 

Bye,

Holger

 

PS:

An additional personal hint: using interface ranges in the „protocols / dot1x / 
interface“ config did not work with our switches, we had to explicitly name the 
interfaces there.

 

 

From: Timothy Mullican via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, 1 February 2018 18:11
To: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican ; Frederic Hermann 

Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

 

By the way,

Fabrice Durand already added code to do this in pull request #2735 on github. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch

You can apply that patch to get it working. Also see 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee

Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread Timothy Mullican via PacketFence-users
Fabrice,
Do you know if PacketFence caches authentication tokens for the https de-auth 
method? For instance, if the UniFi AP is de-authenticating 5 clients at one 
time via the controller, will it login 5 separate times or 1 time to the 
controller and issue 5 separate API calls? I’m wondering if the 400 error he is 
getting sometimes is due to excessive login attempts to the controller to issue 
the kick command for every client. Not sure since it is happening 
intermittently. 

Sent from mobile phone

> On Feb 2, 2018, at 12:12, David Harvey  wrote:
> 
> Feeding update as requested.
> 
> Thanks again!
> -- Forwarded message --
> From: "David Harvey" 
> Date: 2 Feb 2018 16:08
> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
> To: 
> Cc: "E.P." , "Frederic Hermann" 
> 
> 
> Update: 
> My changes in the unifi config.properties weren't being pushed due to a 
> failure on my part to understand how the item/line numbers work :)
> "Note that each line has it's own number just before the equals sign, so for 
> a second customization you would enter 2, etc."
> It seems to be working a bit better now, with somewhat more of a delay 
> switching than expected, and the kicks not being accepted consistently - 
> order of events perhaps (not liking two kicks in a row?)
> 
> Feb  2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc] 
> Switched status on the Unifi controller using command kick-sta 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> Feb  2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc] 
> Can't send request on the Unifi controller: 400 Bad Request 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> 
> 
>> On Fri, Feb 2, 2018 at 2:59 PM, David Harvey  
>> wrote:
>> Yes, thank you Tim,
>> 
>> I've reverted my manual hacks of Unifi.pm in favour of applying the patch 
>> which seems to be successful in maintaining the same behaviour as the manual 
>> changes had.  I'm seeing a failure on other (cisco) switches to restart 
>> switchports, but I think that is unrelated, or relates to recent packetfence 
>> upgrade perhaps.
>> I've also now added the changes in the draft documentation to my unifi 
>> controller in order to try and disable pmksa caching, and enabling dynamic 
>> VLAN assignment.  So far however the wireless clients have not been reliably 
>> being de-authed, and usually stubbornly remain on the same VLAN. I suspect 
>> I've got something wrong on the unifi side of things as just like fdurand 
>> notes in 
>> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628
>>  I cannot see the relevant config updates applied at the AP level after 
>> updating them on the controller as prescribed.
>> 
>> On with the digging and ideas always welcome. Great to see how many people 
>> are stuck getting in to making this work.
>> 
>> Best,
>> 
>> David
>> 
>>> On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users 
>>>  wrote:
>>> Hi Tim,
>>> 
>>> As usual, your comments are invaluable ;)
>>> 
>>> Looking at the guide which is in asciidoc to see how to properly deal with 
>>> Unifi. Would be nice to see pictures as they are missing.
>>> 
>>> Also, do I need to replace IP addresses for AP in the switches.conf with 
>>> their MAC addresses ?
>>> 
>>>  
>>> 
>>> Eugene
>>> 
>>>  
>>> 
>>> From: Timothy Mullican via PacketFence-users 
>>> [mailto:packetfence-users@lists.sourceforge.net] 
>>> Sent: Thursday, February 01, 2018 9:11 AM
>>> To: packetfence-users@lists.sourceforge.net
>>> Cc: Timothy Mullican; Frederic Hermann
>>> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
>>> 
>>>  
>>> 
>>> By the way,
>>> 
>>> Fabrice Durand already added code to do this in pull request #2735 on 
>>> github. See 
>>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
>>> 
>>> You can apply that patch to get it working. Also see 
>>> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
>>>  for the updated documentation. You can read through my earlier thread to 
>>> see the steps I took to get it working. 
>>> 
>>>  
>>> 
>>> Tim
>>> 

Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread Timothy Mullican via PacketFence-users
Eugene:

You should use the IP address of your AP instead of the MAC address. The 
pictures are available at:

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png

My thread probably has more in depth images though.

—
Holger:

You are correct that MAC auth is vulnerable to attack. I believe PacketFence 
can detect a host name change as one mitigation and trigger a violation. 
Another mitigation is to put your network behind 802.1x or WPA2. I have to auth 
people against G Suite, so I can’t currently use 802.1x (Oauth). For the guest 
network, spoofing isn’t as much of an issue since it’s separated from my 
corporate lan. I would start a separate thread for this though.

Sent from mobile phone

> On Feb 2, 2018, at 03:15,  
>  wrote:
> 
> Hello Tim,
> hi all,
>  
> we do use Juniper EX3200 Switches here and I would like to discuss a security 
> issue in your example conf for Juniper in the documentation referenced by 
> your posting below:
>  
> your doc suggests the option „mac radius“ to be activated. I would rather NOT 
> suggest that, because:
> MAC Authentication is subject to spoofing attacks, which one exactly wants to 
> get rid of by using 802.1x.
> It is exactly the wrong way to activate the mac radius option, as in this 
> case a juniper switch would use simple mac radius as a fallback, if 802.1x 
> would fail, which is exactly what you would NOT want to have, if you want to 
> be sure NOT to be vulnerable to mac spoofing attacks.
>  
> So is there a reason you suggest that option that I didn't get?
>  
> Bye,
> Holger
>  
> PS:
> An additional personal hint: using interface ranges in the „protocols / dot1x 
> / interface“ config did not work with our switches, we had to explicitly name 
> the interfaces there.
>  
>  
> From: Timothy Mullican via PacketFence-users 
> [mailto:packetfence-users@lists.sourceforge.net] 
> Sent: Thursday, 1 February 2018 18:11
> To: packetfence-users@lists.sourceforge.net
> Cc: Timothy Mullican ; Frederic Hermann 
> 
> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
>  
> By the way,
> Fabrice Durand already added code to do this in pull request #2735 on github. 
> See 
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
> You can apply that patch to get it working. Also see 
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
>  for the updated documentation. You can read through my earlier thread to see 
> the steps I took to get it working. 
>  
> Tim
> 
> Sent from mobile phone
> 
> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
>  wrote:
> 
> This has been a fantastic resource for the thread I recently started (sorry 
> for the repetition in it)
> I would add:
> I've added kick-sta to replace both the authorize and unauthorize guest 
> commands in Unifi.pm
>  
> It transpired my in house cert was upsetting things until I updated ca certs 
> on the debian container I'm using. The symptom was the following in 
> packetfence.log:
> before:
> Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 
> (certificate verify failed) 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> after:
> Switched status on the Unifi controller using command kick-sta 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>  
> After this the kick events come through and I get a brief drop in packets 
> whilst pinging.  I'm still fighting the final issue - which is increasing the 
> duration of the kick, or ensuring a full re-auth occurs, as currently the 
> device I'm testing with drops packets, but remains on the same VLAN still 
> until the device is toggled. 
>  
> Thanks for the guidance and let me know if you face/overcame anything similar.
>  
> Cheers,
>  
> David
>  
>  
> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users 
>  wrote:
> > De: "Michael Westergaard via PacketFence-users" 
> > 
> Hi Michael,
> 
> 
> > I am trying to see if Packetfence is a proper way to do NAC with Unifi 
> > UAP-AC
> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is 
> > using
> > for authenticating users over w

Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread David Harvey via PacketFence-users
Update:
My changes in the unifi config.properties weren't being pushed due to a
failure on my part to understand how the item/line numbers work :)
"Note that each line has it's own number just before the equals sign, so
for a second customization you would enter 2, etc."
<https://help.ubnt.com/hc/en-us/articles/205223330-UniFi-How-to-make-persistent-changes-to-UAP-s-system-cfg>
It seems to be working a bit better now, with somewhat more of a delay
switching than expected, and the kicks not being accepted consistently -
order of events perhaps (not liking two kicks in a row?)

Feb  2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc]
Switched status on the Unifi controller using command kick-sta
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc]
Can't send request on the Unifi controller: 400 Bad Request
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)


On Fri, Feb 2, 2018 at 2:59 PM, David Harvey 
wrote:

> Yes, thank you Tim,
>
> I've reverted my manual hacks of Unifi.pm in favour of applying the patch
> which seems to be successful in maintaining the same behaviour as the
> manual changes had.  I'm seeing a failure on other (cisco) switches to
> restart switchports, but I think that is unrelated, or relates to recent
> packetfence upgrade perhaps.
> I've also now added the changes in the draft documentation to my unifi
> controller in order to try and disable pmksa caching, and enabling dynamic
> VLAN assignment.  So far however the wireless clients have not been
> reliably being de-authed, and usually stubbornly remain on the same VLAN. I
> suspect I've got something wrong on the unifi side of things as just like
> fdurand notes in
> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628
> I cannot see the relevant config updates applied at the AP level after
> updating them on the controller as prescribed.
>
> On with the digging and ideas always welcome. Great to see how many people
> are stuck getting in to making this work.
>
> Best,
>
> David
>
> On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi Tim,
>>
>> As usual, your comments are invaluable ;)
>>
>> Looking at the guide which is in asciidoc to see how to properly deal
>> with Unifi. Would be nice to see pictures as they are missing.
>>
>> Also, do I need to replace IP addresses for AP in the switches.conf with
>> their MAC addresses ?
>>
>>
>>
>> Eugene
>>
>>
>>
>> *From:* Timothy Mullican via PacketFence-users [mailto:
>> packetfence-users@lists.sourceforge.net]
>> *Sent:* Thursday, February 01, 2018 9:11 AM
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Timothy Mullican; Frederic Hermann
>> *Subject:* Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of
>> Band
>>
>>
>>
>> By the way,
>>
>> Fabrice Durand already added code to do this in pull request #2735 on
>> github. See
>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
>>
>> You can apply that patch to get it working. Also see
>> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
>> for the updated documentation. You can read through my earlier thread to
>> see the steps I took to get it working.
>>
>>
>>
>> Tim
>>
>> Sent from mobile phone
>>
>>
>> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> This has been a fantastic resource for the thread I recently started
>> (sorry for the repetition in it)
>>
>> I would add:
>>
>> I've added kick-sta to replace both the authorize and unauthorize guest
>> commands in Unifi.pm
>>
>>
>>
>> It transpired my in house cert was upsetting things until I updated ca
>> certs on the debian container I'm using. The symptom was the following in
>> packetfence.log:
>>
>> before:
>>
>> Can't login on the Unifi controller: 500 Can't connect to
>> 10.100.103.33:8443 (certificate verify failed)
>> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>>
>> after:
>>
>> Switched status on the Unifi controller using command kick-sta
>> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>>
>>
>&g
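An added example, not part of any message in this thread and not PacketFence code: a small triage script for the `_deauthenticateMacWithHTTP` log lines quoted above. It separates accepted kicks, HTTP rejections that follow an accepted kick for the same MAC, and controller logins that fail TLS verification. The line layout is assumed from the two pfqueue lines in the thread; the third sample line's timestamp, PID and MAC are constructed, as are all function names.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Sample input. Lines 1-2 are the pfqueue entries quoted in the thread, rejoined
# onto one line each. Line 3 is CONSTRUCTED: it wraps the "certificate verify
# failed" message from the thread in the same layout (timestamp, PID and MAC
# are made up).
SAMPLE_LOG = """\
Feb  2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc] Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc] Can't send request on the Unifi controller: 400 Bad Request (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:10:02 pf pfqueue: pfqueue(4001) ERROR: [mac:00:11:22:33:44:55] Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 (certificate verify failed) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
"""

# Assumed layout: "<syslog ts> <host> pfqueue: pfqueue(<pid>) <LEVEL>: [mac:<mac>] <msg> (<sub>)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pfqueue: pfqueue\(\d+\) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9A-Fa-f:]{17})\] (?P<msg>.*?) "
    r"\(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP\)\s*$"
)

Event = namedtuple("Event", "when mac outcome msg")


def classify(level, msg):
    """Map one log message to a coarse outcome label."""
    if level == "INFO" and "using command" in msg:
        return "ok"
    # The controller certificate is not trusted by the PacketFence host. In the
    # thread this was resolved by updating the CA certificates on the host.
    if "certificate verify failed" in msg:
        return "tls_trust"
    status = re.search(r"controller: (\d{3}) ", msg)
    if status:
        return "http_" + status.group(1)
    return "other"


def parse_deauth_events(text, year=2018):
    """Return Event tuples for every HTTP deauth line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Unifi HTTP deauth line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(when, m["mac"].lower(),
                            classify(m["level"], m["msg"]), m["msg"]))
    return events


def find_rejected_after_success(events, window=timedelta(seconds=60)):
    """Find 4xx rejections that follow an accepted kick for the same MAC.

    Returns (mac, seconds_since_accepted_kick, outcome) tuples. A hit means the
    controller accepted one request and refused the next within `window`.
    """
    last_ok = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.outcome == "ok":
            last_ok[ev.mac] = ev.when
        elif ev.outcome.startswith("http_4") and ev.mac in last_ok:
            gap = ev.when - last_ok[ev.mac]
            if gap <= window:
                findings.append((ev.mac, int(gap.total_seconds()), ev.outcome))
    return findings


def outcome_counts(events):
    """Count events per outcome label."""
    return dict(Counter(ev.outcome for ev in events))


if __name__ == "__main__":
    evs = parse_deauth_events(SAMPLE_LOG)
    print(outcome_counts(evs))
    for mac, gap, outcome in find_rejected_after_success(evs):
        print(f"{mac}: {outcome} {gap}s after an accepted kick")
    for ev in evs:
        if ev.outcome == "tls_trust":
            print(f"{ev.mac}: controller certificate not trusted by this host")
```

Run it against a copy of packetfence.log by passing the file contents to `parse_deauth_events`; the `year` argument only matters when the log spans a year boundary.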

Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread Timothy Mullican via PacketFence-users
David,
Just to check a few things:

1) have you linked all of the APs to your UniFi controller?
2) have you created the config.properties file on the controller?
3) have you manually re-provisioned all of the APs in the UniFi controller 
software after editing config.properties?
4) have you set deauthentication method to HTTPS and specified UniFi Controller 
username and password for all APs in PacketFence?
5) have you specified the UniFi controller IP for all of the APs in PacketFence?
6) have you added all APs in PacketFence by IP or MAC address?

Thanks,
Tim

Sent from mobile phone

> On Feb 2, 2018, at 08:59, David Harvey via PacketFence-users 
>  wrote:
> 
> Yes, thank you Tim,
> 
> I've reverted my manual hacks of Unifi.pm in favour of applying the patch 
> which seems to be successful in maintaining the same behaviour as the manual 
> changes had.  I'm seeing a failure on other (cisco) switches to restart 
> switchports, but I think that is unrelated, or relates to recent packetfence 
> upgrade perhaps.
> I've also now added the changes in the draft documentation to my unifi 
> controller in order to try and disable pmksa caching, and enabling dynamic 
> VLAN assignment.  So far however the wireless clients have not been reliably 
> being de-authed, and usually stubbornly remain on the same VLAN. I suspect 
> I've got something wrong on the unifi side of things as just like fdurand 
> notes in 
> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628
>  I cannot see the relevant config updates applied at the AP level after 
> updating them on the controller as prescribed.
> 
> On with the digging and ideas always welcome. Great to see how many people 
> are stuck getting in to making this work.
> 
> Best,
> 
> David
> 
>> On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users 
>>  wrote:
>> Hi Tim,
>> 
>> As usual, your comments are invaluable ;)
>> 
>> Looking at the guide which is in asciidoc to see how to properly deal with 
>> Unifi. Would be nice to see pictures as they are missing.
>> 
>> Also, do I need to replace IP addresses for AP in the switches.conf with 
>> their MAC addresses ?
>> 
>>  
>> 
>> Eugene
>> 
>>  
>> 
>> From: Timothy Mullican via PacketFence-users 
>> [mailto:packetfence-users@lists.sourceforge.net] 
>> Sent: Thursday, February 01, 2018 9:11 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Timothy Mullican; Frederic Hermann
>> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
>> 
>>  
>> 
>> By the way,
>> 
>> Fabrice Durand already added code to do this in pull request #2735 on 
>> github. See 
>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
>> 
>> You can apply that patch to get it working. Also see 
>> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
>>  for the updated documentation. You can read through my earlier thread to see 
>> the steps I took to get it working. 
>> 
>>  
>> 
>> Tim
>> 
>> Sent from mobile phone
>> 
>> 
>> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
>>  wrote:
>> 
>> This has been a fantastic resource for the thread I recently started (sorry 
>> for the repetition in it)
>> 
>> I would add:
>> 
>> I've added kick-sta to replace both the authorize and unauthorize guest 
>> commands in Unifi.pm
>> 
>>  
>> 
>> It transpired my in house cert was upsetting things until I updated ca certs 
>> on the debian container I'm using. The symptom was the following in 
>> packetfence.log:
>> 
>> before:
>> 
>> Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 
>> (certificate verify failed) 
>> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>> 
>> after:
>> 
>> Switched status on the Unifi controller using command kick-sta 
>> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>> 
>>  
>> 
>> After this the kick events come through and I get a brief drop in packets 
>> whilst pinging.  I'm still fighting the final issue - which is increasing 
>> the duration of the kick, or ensuring a full re-auth occurs, as currently 
>> the device I'm testing with drops packets, but remains on the same VLAN 
>> still until the device is toggled. 
>> 
>>  
>> 
>> 

Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread David Harvey via PacketFence-users
Yes, thank you Tim,

I've reverted my manual hacks of Unifi.pm in favour of applying the patch
which seems to be successful in maintaining the same behaviour as the
manual changes had.  I'm seeing a failure on other (cisco) switches to
restart switchports, but I think that is unrelated, or relates to recent
packetfence upgrade perhaps.
I've also now added the changes in the draft documentation to my unifi
controller in order to try and disable pmksa caching, and enabling dynamic
VLAN assignment.  So far however the wireless clients have not been
reliably being de-authed, and usually stubbornly remain on the same VLAN. I
suspect I've got something wrong on the unifi side of things as just like
fdurand notes in
https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628
I cannot see the relevant config updates applied at the AP level after
updating them on the controller as prescribed.

On with the digging and ideas always welcome. Great to see how many people
are stuck getting in to making this work.

Best,

David

On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Tim,
>
> As usual, your comments are invaluable ;)
>
> Looking at the guide which is in asciidoc to see how to properly deal with
> Unifi. Would be nice to see pictures as they are missing.
>
> Also, do I need to replace IP addresses for AP in the switches.conf with
> their MAC addresses ?
>
>
>
> Eugene
>
>
>
> *From:* Timothy Mullican via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, February 01, 2018 9:11 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Timothy Mullican; Frederic Hermann
> *Subject:* Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of
> Band
>
>
>
> By the way,
>
> Fabrice Durand already added code to do this in pull request #2735 on
> github. See
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
>
> You can apply that patch to get it working. Also see
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
> for the updated documentation. You can read through my earlier thread to see
> the steps I took to get it working.
>
>
>
> Tim
>
> Sent from mobile phone
>
>
> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> This has been a fantastic resource for the thread I recently started
> (sorry for the repetition in it)
>
> I would add:
>
> I've added kick-sta to replace both the authorize and unauthorize guest
> commands in Unifi.pm
>
>
>
> It transpired my in house cert was upsetting things until I updated ca
> certs on the debian container I'm using. The symptom was the following in
> packetfence.log:
>
> before:
>
> Can't login on the Unifi controller: 500 Can't connect to
> 10.100.103.33:8443 (certificate verify failed)
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>
> after:
>
> Switched status on the Unifi controller using command kick-sta
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>
>
>
> After this the kick events come through and I get a brief drop in packets
> whilst pinging.  I'm still fighting the final issue - which is increasing
> the duration of the kick, or ensuring a full re-auth occurs, as currently
> the device I'm testing with drops packets, but remains on the same VLAN
> still until the device is toggled.
>
>
>
> Thanks for the guidance and let me know if you face/overcame anything
> similar.
>
>
>
> Cheers,
>
>
>
> David
>
>
>
>
>
> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> > De: "Michael Westergaard via PacketFence-users" <
> packetfence-users@lists.sourceforge.net>
> Hi Michael,
>
>
> > I am trying to see if Packetfence is a proper way to do NAC with Unifi
> > UAP-AC with dynamic VLAN. According to the new Unifi Controller 5.5.19
> > release, Dynamic Wireless VLAN with RADIUS is now out of beta which
> > Packetfence is using for authenticating users over wireless and then
> > changing the VLAN.
>
> > However I cannot find any documentation anywhere if this is possible in
> > Packetfence Documentation?
>
> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody
> > been able to make it work?
>
> We made some test a few weeks ago, and w

Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread E.P. via PacketFence-users
Hi Tim,

As usual, your comments are invaluable ;)

Looking at the guide which is in asciidoc to see how to properly deal with 
Unifi. Would be nice to see pictures as they are missing.

Also, do I need to replace IP addresses for AP in the switches.conf with their 
MAC addresses ?

 

Eugene

 

From: Timothy Mullican via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, February 01, 2018 9:11 AM
To: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican; Frederic Hermann
Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

 

By the way,

Fabrice Durand already added code to do this in pull request #2735 on github. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch

You can apply that patch to get it working. Also see 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
 for the updated documentation. You can read through my earlier thread to see 
the steps I took to get it working. 

 

Tim

Sent from mobile phone


On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
 wrote:

This has been a fantastic resource for the thread I recently started (sorry for 
the repetition in it)

I would add:

I've added kick-sta to replace both the authorize and unauthorize guest 
commands in Unifi.pm

 

It transpired my in house cert was upsetting things until I updated ca certs on 
the debian container I'm using. The symptom was the following in 
packetfence.log:

before:

Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 
(certificate verify failed) 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

after:

Switched status on the Unifi controller using command kick-sta 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

 

After this the kick events come through and I get a brief drop in packets 
whilst pinging.  I'm still fighting the final issue - which is increasing the 
duration of the kick, or ensuring a full re-auth occurs, as currently the 
device I'm testing with drops packets, but remains on the same VLAN still until 
the device is toggled. 

 

Thanks for the guidance and let me know if you face/overcame anything similar.

 

Cheers,

 

David

 

 

On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users 
 wrote:

> From: "Michael Westergaard via PacketFence-users"
> 
Hi Michael,


> I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
> for authenticating users over wireless and then changing the VLAN.

> However I cannot find any documentation anywhere if this is possible in
> Packetfence Documentation?

> Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
> able to make it work?

We made some tests a few weeks ago, and we've been able to manage a Unifi 
controller using Radius mode (rather than the Portal mode described in 
PacketFence documentation).

This allows you to use dynamic VLAN with WPA2-Enterprise, as it seems that 
dynamic VLANs are only available in secure mode on unifi.

The only change we had to do (on the packetfence side) was


That means you have to configure your AP type as "Unifi Controller" in 
packetfence, and set the Deauth method to "HTTPS", instead of Radius.
Of course you will also define the unifi controller IP in the same location.
Then you will have to edit (or override) the Unifi.pm module to change the 
webservice command used to auth/deauth users: this is in the 
"_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi 
command through the webservice, instead of the 
"authorize-guest/unauthorise-guest".

Hope this helps,

Regards


Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread Holger Patzelt via PacketFence-users
Hello Tim,
hi all,

we do use Juniper EX3200 Switches here and I would like to discuss a security 
issue in your example conf for Juniper in the documentation referenced by your 
posting below:

your doc suggests the option „mac radius“ to be activated. I would rather NOT 
suggest that, because:
MAC Authentication is subject to spoofing attacks, which one exactly wants to 
get rid of by using 802.1x.
It is exactly the wrong way to activate the mac radius option, as in this case 
a juniper switch would use simple mac radius as a fallback, if 802.1x would 
fail, which is exactly what you would NOT want to have, if you want to be sure 
NOT to be vulnerable to mac spoofing attacks.

So is there a reason you suggest that option that I didn't get?

Bye,
Holger

PS:
An additional personal hint: using interface ranges in the „protocols / dot1x / 
interface“ config did not work with our switches, we had to explicitly name the 
interfaces there.


From: Timothy Mullican via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, 1 February 2018 18:11
To: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican; Frederic Hermann
Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

By the way,
Fabrice Durand already added code to do this in pull request #2735 on github. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
You can apply that patch to get it working. Also see 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
 for the updated documentation. You can read through my earlier thread to see 
the steps I took to get it working.

Tim
Sent from mobile phone

On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
This has been a fantastic resource for the thread I recently started (sorry for 
the repetition in it)
I would add:
I've added kick-sta to replace both the authorize and unauthorize guest 
commands in Unifi.pm

It transpired my in house cert was upsetting things until I updated ca certs on 
the debian container I'm using. The symptom was the following in 
packetfence.log:
before:
Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 
(certificate verify failed) 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
after:
Switched status on the Unifi controller using command kick-sta 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

After this the kick events come through and I get a brief drop in packets 
whilst pinging.  I'm still fighting the final issue - which is increasing the 
duration of the kick, or ensuring a full re-auth occurs, as currently the 
device I'm testing with drops packets, but remains on the same VLAN still until 
the device is toggled.

Thanks for the guidance and let me know if you face/overcame anything similar.

Cheers,

David


On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
> From: "Michael Westergaard via PacketFence-users" 
> <packetfence-users@lists.sourceforge.net>
Hi Michael,


> I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
> for authenticating users over wireless and then changing the VLAN.

> However I cannot find any documentation anywhere if this is possible in
> Packetfence Documentation?

> Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
> able to make it work?

We made some tests a few weeks ago, and we've been able to manage a Unifi 
controller using Radius mode (rather than the Portal mode described in 
PacketFence documentation).

This allows you to use dynamic VLAN with WPA2-Enterprise, as it seems that 
dynamic VLANs are only available in secure mode on unifi.

The only change we had to do (on the packetfence side) was


That means you have to configure your AP type as "Unifi Controller" in 
packetfence, and set the Deauth method to "HTTPS", instead of Radius.
Of course you will also define the unifi controller IP in the same location.
Then you will have to edit (or override) the Unifi.pm module to change the 
webservice command used to auth/deauth users: this is in the 
"_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi 
command through the webservice, instead of the 
"authorize-guest/unauthorise-guest".

Hope this helps,

Regards
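
Added example, not part of the thread or of the PacketFence documentation: a small audit of a Junos configuration in `set` format that lists which 802.1X ports also have MAC RADIUS enabled (the option Holger questions) and which dot1x entries name an interface-range instead of an explicit port (his PS). The `set protocols dot1x authenticator interface ...` statements and the sample configuration are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the thread or the guide).
SAMPLE_CONFIG = """\
set interfaces interface-range access-ports member-range ge-0/0/0 to ge-0/0/23
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/3.0 mac-radius restrict
set protocols dot1x authenticator interface access-ports supplicant multiple
"""

DOT1X_RE = re.compile(
    r"^set protocols dot1x authenticator interface (\S+)(?:\s+(.*))?$")
RANGE_RE = re.compile(r"^set interfaces interface-range (\S+)\s")


def audit_dot1x(config_text):
    """Return one record per dot1x interface entry, sorted by name."""
    ranges = set()                 # names defined as interface-range
    options = defaultdict(list)    # interface -> list of option token lists
    for raw in config_text.splitlines():
        line = raw.strip()
        m = RANGE_RE.match(line)
        if m:
            ranges.add(m.group(1))
            continue
        m = DOT1X_RE.match(line)
        if m:
            options[m.group(1)].append((m.group(2) or "").split())

    report = []
    for iface in sorted(options):
        mac = [s for s in options[iface] if s[:1] == ["mac-radius"]]
        if not mac:
            mode = "dot1x-only"
        elif any("restrict" in s for s in mac):
            mode = "mac-radius-only"      # 802.1X is not used on this port
        else:
            mode = "dot1x+mac-radius"     # MAC RADIUS enabled next to 802.1X
        report.append({"interface": iface, "mode": mode,
                       "uses_range": iface in ranges})
    return report


if __name__ == "__main__":
    for row in audit_dot1x(SAMPLE_CONFIG):
        note = " (interface-range, name ports explicitly)" if row["uses_range"] else ""
        print(f'{row["interface"]:<14} {row["mode"]}{note}')
```

Ports reported as `dot1x+mac-radius` or `mac-radius-only` are the ones to review if MAC-based authentication is not wanted.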


Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-01 Thread Timothy Mullican via PacketFence-users
By the way,
Fabrice Durand already added code to do this in pull request #2735 on github. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
You can apply that patch to get it working. Also see 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
 for the updated documentation. You can read through my earlier thread to see 
the steps I took to get it working.

Tim

Sent from mobile phone

> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
>  wrote:
> 
> This has been a fantastic resource for the thread I recently started (sorry 
> for the repetition in it)
> I would add:
> I've added kick-sta to replace both the authorize and unauthorize guest 
> commands in Unifi.pm
> 
> It transpired my in house cert was upsetting things until I updated ca certs 
> on the debian container I'm using. The symptom was the following in 
> packetfence.log:
> before:
> Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 
> (certificate verify failed) 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> after:
> Switched status on the Unifi controller using command kick-sta 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> 
> After this the kick events come through and I get a brief drop in packets 
> whilst pinging.  I'm still fighting the final issue - which is increasing the 
> duration of the kick, or ensuring a full re-auth occurs, as currently the 
> device I'm testing with drops packets, but remains on the same VLAN still 
> until the device is toggled. 
> 
> Thanks for the guidance and let me know if you face/overcame anything similar.
> 
> Cheers,
> 
> David
> 
> 
>> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users 
>>  wrote:
>> > From: "Michael Westergaard via PacketFence-users"
>> > 
>> Hi Michael,
>> 
>> 
>> > I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
>> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
>> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
>> > for authenticating users over wireless and then changing the VLAN.
>> 
>> > However I cannot find any documentation anywhere if this is possible in
>> > Packetfence Documentation?
>> 
>> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
>> > able to make it work?
>> 
>> We made some tests a few weeks ago, and we've been able to manage a Unifi 
>> controller using Radius mode (rather than the Portal mode described in 
>> PacketFence documentation).
>> 
>> This allows you to use dynamic VLAN with WPA2-Enterprise, as it seems that 
>> dynamic VLANs are only available in secure mode on unifi.
>> 
>> The only change we had to do (on the packetfence side) was
>> 
>> 
>> That means you have to configure your AP type as "Unifi Controller" in 
>> packetfence, and set the Deauth method to "HTTPS", instead of Radius.
>> Of course you will also define the unifi controller IP in the same location.
>> Then you will have to edit (or override) the Unifi.pm module to change the 
>> webservice command used to auth/deauth users: this is in the 
>> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi 
>> command through the webservice, instead of the 
>> "authorize-guest/unauthorise-guest".
>> 
>> Hope this helps,
>> 
>> Regards
>> 


Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-01 Thread David Harvey via PacketFence-users
This has been a fantastic resource for the thread I recently started (sorry
for the repetition in it)
I would add:
I've added kick-sta to replace both the authorize and unauthorize guest
commands in Unifi.pm

It transpired my in house cert was upsetting things until I updated ca
certs on the debian container I'm using. The symptom was the following in
packetfence.log:
before:
Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443
(certificate verify failed)
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
after:
Switched status on the Unifi controller using command kick-sta
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

After this the kick events come through and I get a brief drop in packets
whilst pinging.  I'm still fighting the final issue - which is increasing
the duration of the kick, or ensuring a full re-auth occurs, as currently
the device I'm testing with drops packets, but remains on the same VLAN
still until the device is toggled.

Thanks for the guidance and let me know if you face/overcame anything
similar.

Cheers,

David


On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> > From: "Michael Westergaard via PacketFence-users" <packetfence-users@lists.sourceforge.net>
> Hi Michael,
>
>
> > I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
> > for authenticating users over wireless and then changing the VLAN.
>
> > However I cannot find any documentation anywhere if this is possible in
> > Packetfence Documentation?
>
> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
> > able to make it work?
>
> We made some tests a few weeks ago, and we've been able to manage a Unifi
> controller using Radius mode (rather than the Portal mode described in
> PacketFence documentation).
>
> This allows you to use dynamic VLAN with WPA2-Enterprise, as it seems that
> dynamic VLANs are only available in secure mode on unifi.
>
> The only change we had to do (on the packetfence side) was
>
>
> That means you have to configure your AP type as "Unifi Controller" in
> packetfence, and set the Deauth method to "HTTPS", instead of Radius.
> Of course you will also define the unifi controller IP in the same
> location.
> Then you will have to edit (or override) the Unifi.pm module to change the
> webservice command used to auth/deauth users: this is in the
> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta"
> unifi command through the webservice, instead of the
> "authorize-guest/unauthorise-guest".
>
> Hope this helps,
>
> Regards
>
> 
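
Added example, not part of David's post or of PacketFence: a classifier for the two `packetfence.log` messages quoted in the message above, so that deauth calls that never reach the Unifi controller because of a TLS verification failure are counted separately from other connection errors. The timestamp/level prefix, the "Connection refused" line and the unrelated line are constructed assumptions; only the message text comes from the thread.

```python
import re
from collections import Counter

# Constructed sample log; message text after the level is as quoted in the thread.
SAMPLE_LOG = """\
2018-02-01T10:01:07 ERROR Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 (certificate verify failed) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
2018-02-01T10:03:40 ERROR Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 (certificate verify failed) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
2018-02-01T10:04:02 INFO unrelated message (pf::example::other)
2018-02-01T10:09:15 ERROR Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 (Connection refused) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
2018-02-01T10:20:31 INFO Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
"""

SOURCE = "pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP"
FAIL_RE = re.compile(
    r"Can't login on the Unifi controller: (\d{3}) Can't connect to (\S+) \(([^)]*)\)")
OK_RE = re.compile(r"Switched status on the Unifi controller using command (\S+)")


def classify(line):
    """Return an event dict for a Unifi deauth log line, or None if unrelated."""
    if SOURCE not in line:
        return None
    m = FAIL_RE.search(line)
    if m:
        reason = m.group(3)
        outcome = ("tls_verify_failed" if "certificate verify failed" in reason
                   else "connect_failed")
        return {"outcome": outcome, "controller": m.group(2), "detail": reason}
    m = OK_RE.search(line)
    if m:
        # The success message does not name the controller address.
        return {"outcome": "deauth_sent", "controller": None, "detail": m.group(1)}
    return {"outcome": "other", "controller": None, "detail": line.strip()}


def summarize(log_text):
    """Count outcomes, list controllers failing TLS verification, keep the last state."""
    counts, tls_failing, last = Counter(), set(), None
    for line in log_text.splitlines():
        event = classify(line)
        if event is None:
            continue
        counts[event["outcome"]] += 1
        last = event["outcome"]
        if event["outcome"] == "tls_verify_failed":
            tls_failing.add(event["controller"])
    return {"counts": dict(counts), "tls_failing": sorted(tls_failing),
            "last_outcome": last}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A `last_outcome` of `tls_verify_failed` means the most recent deauth attempt was never delivered; the fix described in the post was to update the CA certificates on the PacketFence host.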


Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2017-07-17 Thread Frederic Hermann via PacketFence-users
> From: "Michael Westergaard via PacketFence-users"
> 
Hi Michael, 


> I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
> for authenticating users over wireless and then changing the VLAN.

> However I cannot find any documentation anywhere if this is possible in
> Packetfence Documentation?

> Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
> able to make it work?

We made some tests a few weeks ago, and we've been able to manage a Unifi 
controller using Radius mode (rather than the Portal mode described in 
PacketFence documentation).

This allows you to use dynamic VLAN with WPA2-Enterprise, as it seems that 
dynamic VLANs are only available in secure mode on unifi.

The only change we had to do (on the packetfence side) was


That means you have to configure your AP type as "Unifi Controller" in 
packetfence, and set the Deauth method to "HTTPS", instead of Radius.
Of course you will also define the unifi controller IP in the same location.
Then you will have to edit (or override) the Unifi.pm module to change the 
webservice command used to auth/deauth users: this is in the 
"_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi 
command through the webservice, instead of the 
"authorize-guest/unauthorise-guest".

Hope this helps,

Regards 
