Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
niper EX3200 Switches here and I would like to discuss a security issue in your example conf for Juniper in the documentation referenced by your posting below: your doc suggests the option „mac radius“ to be activated. I would rather NOT suggest that, because: MAC Authentication is subject to spoofing attacks, which one exactly wants to get rid of by using 802.1x. It is exactly the wrong way to activate the mac radius option, as in this case a juniper switch would use simple mac radius as a fallback, if 802.1x would fail, which is exactly what you would NOT want to have, if you want to be sure NOT to be vulnerable to mac spoofing attacks. So is there a reason you suggest that option for i didn get? Bye, Holger PS: A additional personal hint: using interface ranges in the „protocols / dot1x / interface“ config did not work with our switches, we had to explicitly name the interfaces there. Von: Timothy Mullican via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net] Gesendet: Donnerstag, 1. Februar 2018 18:11 An: packetfence-users@lists.sourceforge.net Cc: Timothy Mullican ; Frederic Hermann Betreff: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band By the way, Fabrice Durand already added code to do this in pull request #2735 on github. See https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch You can apply that patch to get it working. Also see https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc for the updated documentation. You can read though my earlier thread to see the steps I took to get it working. Tim Sent from mobile phone On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users wrote: -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
Hi Tim and gang, Any idea where I should start looking into PF to troubleshoot WebAuth for WiFi ? I finally had time to prepare UniFi according to screenshots published at github https://github.com/inverse-inc/packetfence/tree/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images Namely this is what I did in Unifi: 1) New SSID (wireless network) is created and set as “Open” and checked for Guest policy “Appy guest policies” and set VLAN ID to be assigned. 2) Created Guest policy and set authentication to point it to “External portal server” and put the IP address of PF into Custom portal field, checked “Use Secure Portal”, added the IP address of PF into “Pre-Authorization access” field. Now, on PF just for the sake of testing guets self-registration which should be enabled by default I’m not supposed to do anything other than creating a connection profile, correct ? So, I created “guests” connection profile, anything specific to set within this profile ? I checked “Active preregistration” in the profile settings but my pf.conf file (/usr/local/pf/conf/pf.conf) doesn’t have this (as it says in PF admin guide) [guests_self_registration] preregistration=enabled Ideally we would like to enable PF send SMS/text messages to users with their passwords So, with all above set my connection attempts to the said SSID result in no redirection to the captive portal. What am I missing and what am I setting in “Captive portal” in the connection profile and how would PF start processing the connection being forwarded by UniFi controller ? Eugene From: Timothy Mullican [mailto:tjmullic...@yahoo.com] Sent: Friday, February 02, 2018 8:06 AM To: ype...@gmail.com Cc: packetfence-users@lists.sourceforge.net; frederic.herm...@neptune.fr; holger.patz...@t-systems.com Subject: Re: AW: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band Eugene: You should use the IP address of your AP instead of the MAC address. The pictures are available at: <https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png <https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png <https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png My thread probably has more in depth images though. — Holger: You are correct that MAC auth is vulnerable to attack. I believe PacketFence can detect a host name change as one mitigation and trigger a violation. Another mitigation is to put your network behind 802.1x or WPA2. I have to auth people against G Suite, so I can’t currently use 802.1x (Oauth). For the guest network, spoofing isn’t as much of an issue since it’s separated from my corporate lan. I would start a separate thread for this though. Sent from mobile phone On Feb 2, 2018, at 03:15, wrote: Hello Tim, hi all, we do use Juniper EX3200 Switches here and I would like to discuss a security issue in your example conf for Juniper in the documentation referenced by your posting below: your doc suggests the option „mac radius“ to be activated. I would rather NOT suggest that, because: MAC Authentication is subject to spoofing attacks, which one exactly wants to get rid of by using 802.1x. It is exactly the wrong way to activate the mac radius option, as in this case a juniper switch would use simple mac radius as a fallback, if 802.1x would fail, which is exactly what you would NOT want to have, if you want to be sure NOT to be vulnerable to mac spoofing attacks. So is there a reason you suggest that option for i didn get? Bye, Holger PS: A additional personal hint: using interface ranges in the „protocols / dot1x / interface“ config did not work with our switches, we had to explicitly name the interfaces there. Von: Timothy Mullican via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net] Gesendet: Donnerstag, 1. Februar 2018 18:11 An: packetfence-users@lists.sourceforge.net Cc: Timothy Mullican ; Frederic Hermann Betreff: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band By the way, Fabrice Durand already added code to do this in pull request #2735 on github. See https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch You can apply that patch to get it working. Also see https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
Fabrice, Do you know if PacketFence caches authentication tokens for the https de-auth method? For instance, if the UniFi AP is de-authenticating 5 clients at one time via the controller, will it login 5 separate times or 1 time to the controller and issue 5 separate API calls? I’m wondering if the 400 error he is getting sometimes is due to excessive login attempts to the controller to issue the kick command for every client. Not sure since it is happening intermittently. Sent from mobile phone > On Feb 2, 2018, at 12:12, David Harvey wrote: > > Feeding update as requested. > > Thanks again! > -- Forwarded message -- > From: "David Harvey" > Date: 2 Feb 2018 16:08 > Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band > To: > Cc: "E.P." , "Frederic Hermann" > > > Update: > My changes in the unifi config.properties weren't being pushed due to a > failure on my part to understand how the item/line numbers work :) > "Note that each line has it's own number just before the equals sign, so for > a second customization you would enter 2, etc." > It seems to be working a bit better now, with somewhat more of a delay > switching than expected, and the kicks not being accepted consistently - > order of events perhaps (not liking two kicks in a row?) > > Feb 2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc] > Switched status on the Unifi controller using command kick-sta > (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) > Feb 2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc] > Can't send request on the Unifi controller: 400 Bad Request > (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) > > >> On Fri, Feb 2, 2018 at 2:59 PM, David Harvey >> wrote: >> Yes, thank you Tim, >> >> I've reverted my manual hacks of Unifi.pm in favour of applying the patch >> which seems to be successful in maintaining the same behaviour as the manual >> changes had. I'm seeing a failure on other (cisco) switches to restart >> switchports, but I think that is unrelated, or relates to recent packetfence >> upgrade perhaps. >> I've also now added the changes in the draft documentation to my unifi >> controller in order to try and disable pmksa caching, and enabling dynamic >> VLAN assignment. So far however the wireless clients have not been reliably >> being de-authed, and usually stubbornly remain on the same VLAN. I suspect >> I've got something wrong on the unifi side of things as just like fdurand >> notes in >> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628 >> I cannot see the relevant config updates applied at the AP level after >> updating them on the controller as prescribed. >> >> On with the digging and ideas always welcome. Great to see how many people >> are stuck getting in to making this work. >> >> Best, >> >> David >> >>> On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users >>> wrote: >>> Hi Tim, >>> >>> As usual, your comments are invaluable ;) >>> >>> Looking at the guide which is in asciidoc to see how to properly deal with >>> Unifi. Would be nice to see pictures as they are missing. >>> >>> Also, do I need to replace IP addresses for AP in the switches.conf with >>> their MAC addresses ? >>> >>> >>> >>> Eugene >>> >>> >>> >>> From: Timothy Mullican via PacketFence-users >>> [mailto:packetfence-users@lists.sourceforge.net] >>> Sent: Thursday, February 01, 2018 9:11 AM >>> To: packetfence-users@lists.sourceforge.net >>> Cc: Timothy Mullican; Frederic Hermann >>> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band >>> >>> >>> >>> By the way, >>> >>> Fabrice Durand already added code to do this in pull request #2735 on >>> github. See >>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch >>> >>> You can apply that patch to get it working. Also see >>> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc >>> for the updated documentation. You can read though my earlier thread to >>> see the steps I took to get it working. >>> >>> >>> >>> Tim >>> >&
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
Eugene: You should use the IP address of your AP instead of the MAC address. The pictures are available at: https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png My thread probably has more in depth images though. — Holger: You are correct that MAC auth is vulnerable to attack. I believe PacketFence can detect a host name change as one mitigation and trigger a violation. Another mitigation is to put your network behind 802.1x or WPA2. I have to auth people against G Suite, so I can’t currently use 802.1x (Oauth). For the guest network, spoofing isn’t as much of an issue since it’s separated from my corporate lan. I would start a separate thread for this though. Sent from mobile phone > On Feb 2, 2018, at 03:15, > wrote: > > Hello Tim, > hi all, > > we do use Juniper EX3200 Switches here and I would like to discuss a security > issue in your example conf for Juniper in the documentation referenced by > your posting below: > > your doc suggests the option „mac radius“ to be activated. I would rather NOT > suggest that, because: > MAC Authentication is subject to spoofing attacks, which one exactly wants to > get rid of by using 802.1x. > It is exactly the wrong way to activate the mac radius option, as in this > case a juniper switch would use simple mac radius as a fallback, if 802.1x > would fail, which is exactly what you would NOT want to have, if you want to > be sure NOT to be vulnerable to mac spoofing attacks. > > So is there a reason you suggest that option for i didn get? > > Bye, > Holger > > PS: > A additional personal hint: using interface ranges in the „protocols / dot1x > / interface“ config did not work with our switches, we had to explicitly name > the interfaces there. > > > Von: Timothy Mullican via PacketFence-users > [mailto:packetfence-users@lists.sourceforge.net] > Gesendet: Donnerstag, 1. Februar 2018 18:11 > An: packetfence-users@lists.sourceforge.net > Cc: Timothy Mullican ; Frederic Hermann > > Betreff: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band > > By the way, > Fabrice Durand already added code to do this in pull request #2735 on github. > See > https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch > You can apply that patch to get it working. Also see > https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc > for the updated documentation. You can read though my earlier thread to see > the steps I took to get it working. > > Tim > > Sent from mobile phone > > On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users > wrote: > > This has been a fantastic resource for the thread I recently started (sorry > for the repetition in it) > I would add: > I've added kick-sta to replace both the authorize and unauthorize guest > commands in Unifi.pm > > It transpired my in house cert was upsetting things until I updated ca certs > on the debian container I'm using. The symptom was the following in > packetfence.log: > before: > Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 > (certificate verify failed) > (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) > after: > Switched status on the Unifi controller using command kick-sta > (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) > > After this the kick events come through and I get a brief drop in packets > whilst pinging. I'm still fighting the final issue - which is increasing the > duration of the kick, or ensuring a full re-auth occurs, as currently the > device I'm testing with drops packets, but remains on the same VLAN still > until the device is toggled. > > Thanks for the guidance and let me know if you face/overcame anything similar. > > Cheers, > > David > > > On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users > wrote: > > De: "Michael Westergaard via PacketFence-users" > > > Hi Michael, > > > > I am trying to see if Packetfence is a proper way to do NAC with Unifi > > UAP-AC > > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release, > > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is > > using > > for authenticating users over w
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
Update: My changes in the unifi config.properties weren't being pushed due to a failure on my part to understand how the item/line numbers work :) "Note that each line has it's own number just before the equals sign, so for a second customization you would enter 2, etc." <https://help.ubnt.com/hc/en-us/articles/205223330-UniFi-How-to-make-persistent-changes-to-UAP-s-system-cfg> It seems to be working a bit better now, with somewhat more of a delay switching than expected, and the kicks not being accepted consistently - order of events perhaps (not liking two kicks in a row?) Feb 2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc] Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) Feb 2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc] Can't send request on the Unifi controller: 400 Bad Request (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) On Fri, Feb 2, 2018 at 2:59 PM, David Harvey wrote: > Yes, thank you Tim, > > I've reverted my manual hacks of Unifi.pm in favour of applying the patch > which seems to be successful in maintaining the same behaviour as the > manual changes had. I'm seeing a failure on other (cisco) switches to > restart switchports, but I think that is unrelated, or relates to recent > packetfence upgrade perhaps. > I've also now added the changes in the draft documentation to my unifi > controller in order to try and disable pmksa caching, and enabling dynamic > VLAN assignment. So far however the wireless clients have not been > reliably being de-authed, and usually stubbornly remain on the same VLAN. I > suspect I've got something wrong on the unifi side of things as just like > fdurand notes in https://community.ubnt.com/t5/UniFi-Wireless/Feature- > request-disable-pmksa-caching/m-p/2112479#M257628 I cannot see the > relevant config updates applied at the AP level after updating them on the > controller as prescribed. > > On with the digging and ideas always welcome. Great to see how many people > are stuck getting in to making this work. > > Best, > > David > > On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users < > packetfence-users@lists.sourceforge.net> wrote: > >> Hi Tim, >> >> As usual, your comments are invaluable ;) >> >> Looking at the guide which is in asciidoc to see how to properly deal >> with Unifi. Would be nice to see pictures as they are missing. >> >> Also, do I need to replace IP addresses for AP in the switches.conf with >> their MAC addresses ? >> >> >> >> Eugene >> >> >> >> *From:* Timothy Mullican via PacketFence-users [mailto: >> packetfence-users@lists.sourceforge.net] >> *Sent:* Thursday, February 01, 2018 9:11 AM >> *To:* packetfence-users@lists.sourceforge.net >> *Cc:* Timothy Mullican; Frederic Hermann >> *Subject:* Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of >> Band >> >> >> >> By the way, >> >> Fabrice Durand already added code to do this in pull request #2735 on >> github. See https://patch-diff.githubusercontent.com/raw/inverse- >> inc/packetfence/pull/2735.patch >> >> You can apply that patch to get it working. Also see >> https://github.com/inverse-inc/packetfence/blob/ae18f50b >> 4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_ >> Devices_Configuration_Guide.asciidoc for the updated documentation. You >> can read though my earlier thread to see the steps I took to get it >> working. >> >> >> >> Tim >> >> Sent from mobile phone >> >> >> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users < >> packetfence-users@lists.sourceforge.net> wrote: >> >> This has been a fantastic resource for the thread I recently started >> (sorry for the repetition in it) >> >> I would add: >> >> I've added kick-sta to replace both the authorize and unauthorize guest >> commands in Unifi.pm >> >> >> >> It transpired my in house cert was upsetting things until I updated ca >> certs on the debian container I'm using. The symptom was the following in >> packetfence.log: >> >> before: >> >> Can't login on the Unifi controller: 500 Can't connect to >> 10.100.103.33:8443 (certificate verify failed) >> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) >> >> after: >> >> Switched status on the Unifi controller using command kick-sta >> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) >> >> >&g
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
David, Just to check a few things: 1) have you linked all of the APs to your UniFi controller? 2) have you created the config.properties file on the controller? 3) have you manually re-provisioned all of the APs in the UniFi controller software after editing config.properties? 4) have you set deauthentication method to HTTPS and specified UniFi Controller username and password for all APs in PacketFence? 5) have you specified the UniFi controller IP for all of the APs in PacketFence? 6) have you added all APs in PacketFence by IP or MAC address? Thanks, Tim Sent from mobile phone > On Feb 2, 2018, at 08:59, David Harvey via PacketFence-users > wrote: > > Yes, thank you Tim, > > I've reverted my manual hacks of Unifi.pm in favour of applying the patch > which seems to be successful in maintaining the same behaviour as the manual > changes had. I'm seeing a failure on other (cisco) switches to restart > switchports, but I think that is unrelated, or relates to recent packetfence > upgrade perhaps. > I've also now added the changes in the draft documentation to my unifi > controller in order to try and disable pmksa caching, and enabling dynamic > VLAN assignment. So far however the wireless clients have not been reliably > being de-authed, and usually stubbornly remain on the same VLAN. I suspect > I've got something wrong on the unifi side of things as just like fdurand > notes in > https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628 > I cannot see the relevant config updates applied at the AP level after > updating them on the controller as prescribed. > > On with the digging and ideas always welcome. Great to see how many people > are stuck getting in to making this work. > > Best, > > David > >> On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users >> wrote: >> Hi Tim, >> >> As usual, your comments are invaluable ;) >> >> Looking at the guide which is in asciidoc to see how to properly deal with >> Unifi. Would be nice to see pictures as they are missing. >> >> Also, do I need to replace IP addresses for AP in the switches.conf with >> their MAC addresses ? >> >> >> >> Eugene >> >> >> >> From: Timothy Mullican via PacketFence-users >> [mailto:packetfence-users@lists.sourceforge.net] >> Sent: Thursday, February 01, 2018 9:11 AM >> To: packetfence-users@lists.sourceforge.net >> Cc: Timothy Mullican; Frederic Hermann >> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band >> >> >> >> By the way, >> >> Fabrice Durand already added code to do this in pull request #2735 on >> github. See >> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch >> >> You can apply that patch to get it working. Also see >> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc >> for the updated documentation. You can read though my earlier thread to see >> the steps I took to get it working. >> >> >> >> Tim >> >> Sent from mobile phone >> >> >> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users >> wrote: >> >> This has been a fantastic resource for the thread I recently started (sorry >> for the repetition in it) >> >> I would add: >> >> I've added kick-sta to replace both the authorize and unauthorize guest >> commands in Unifi.pm >> >> >> >> It transpired my in house cert was upsetting things until I updated ca certs >> on the debian container I'm using. The symptom was the following in >> packetfence.log: >> >> before: >> >> Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 >> (certificate verify failed) >> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) >> >> after: >> >> Switched status on the Unifi controller using command kick-sta >> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) >> >> >> >> After this the kick events come through and I get a brief drop in packets >> whilst pinging. I'm still fighting the final issue - which is increasing >> the duration of the kick, or ensuring a full re-auth occurs, as currently >> the device I'm testing with drops packets, but remains on the same VLAN >> still until the device is toggled. >> >> >> >>
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
Yes, thank you Tim, I've reverted my manual hacks of Unifi.pm in favour of applying the patch which seems to be successful in maintaining the same behaviour as the manual changes had. I'm seeing a failure on other (cisco) switches to restart switchports, but I think that is unrelated, or relates to recent packetfence upgrade perhaps. I've also now added the changes in the draft documentation to my unifi controller in order to try and disable pmksa caching, and enabling dynamic VLAN assignment. So far however the wireless clients have not been reliably being de-authed, and usually stubbornly remain on the same VLAN. I suspect I've got something wrong on the unifi side of things as just like fdurand notes in https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628 I cannot see the relevant config updates applied at the AP level after updating them on the controller as prescribed. On with the digging and ideas always welcome. Great to see how many people are stuck getting in to making this work. Best, David On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users < packetfence-users@lists.sourceforge.net> wrote: > Hi Tim, > > As usual, your comments are invaluable ;) > > Looking at the guide which is in asciidoc to see how to properly deal with > Unifi. Would be nice to see pictures as they are missing. > > Also, do I need to replace IP addresses for AP in the switches.conf with > their MAC addresses ? > > > > Eugene > > > > *From:* Timothy Mullican via PacketFence-users [mailto:packetfence-users@ > lists.sourceforge.net] > *Sent:* Thursday, February 01, 2018 9:11 AM > *To:* packetfence-users@lists.sourceforge.net > *Cc:* Timothy Mullican; Frederic Hermann > *Subject:* Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of > Band > > > > By the way, > > Fabrice Durand already added code to do this in pull request #2735 on > github. See https://patch-diff.githubusercontent.com/raw/ > inverse-inc/packetfence/pull/2735.patch > > You can apply that patch to get it working. Also see https://github.com/ > inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f > 2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc for > the updated documentation. You can read though my earlier thread to see the > steps I took to get it working. > > > > Tim > > Sent from mobile phone > > > On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users < > packetfence-users@lists.sourceforge.net> wrote: > > This has been a fantastic resource for the thread I recently started > (sorry for the repetition in it) > > I would add: > > I've added kick-sta to replace both the authorize and unauthorize guest > commands in Unifi.pm > > > > It transpired my in house cert was upsetting things until I updated ca > certs on the debian container I'm using. The symptom was the following in > packetfence.log: > > before: > > Can't login on the Unifi controller: 500 Can't connect to > 10.100.103.33:8443 (certificate verify failed) > (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) > > after: > > Switched status on the Unifi controller using command kick-sta > (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) > > > > After this the kick events come through and I get a brief drop in packets > whilst pinging. I'm still fighting the final issue - which is increasing > the duration of the kick, or ensuring a full re-auth occurs, as currently > the device I'm testing with drops packets, but remains on the same VLAN > still until the device is toggled. > > > > Thanks for the guidance and let me know if you face/overcame anything > similar. > > > > Cheers, > > > > David > > > > > > On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users < > packetfence-users@lists.sourceforge.net> wrote: > > > De: "Michael Westergaard via PacketFence-users" < > packetfence-users@lists.sourceforge.net> > Hi Michael, > > > > I am trying to see if Packetfence is a proper way to do NAC with Unifi > UAP-AC > > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release, > > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence > is using > > for authenticating users over wireless and then changing the VLAN. > > > However I cannot find any documentation anywhere if this is possible in > > Packetfence Documentation? > > > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have > anybody been > > able to make it work? > > We made some test a few weeks ago, and w
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
Hi Tim, As usual, your comments are invaluable ;) Looking at the guide which is in asciidoc to see how to properly deal with Unifi. Would be nice to see pictures as they are missing. Also, do I need to replace IP addresses for AP in the switches.conf with their MAC addresses ? Eugene From: Timothy Mullican via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net] Sent: Thursday, February 01, 2018 9:11 AM To: packetfence-users@lists.sourceforge.net Cc: Timothy Mullican; Frederic Hermann Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band By the way, Fabrice Durand already added code to do this in pull request #2735 on github. See https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch You can apply that patch to get it working. Also see https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc for the updated documentation. You can read though my earlier thread to see the steps I took to get it working. Tim Sent from mobile phone On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users wrote: This has been a fantastic resource for the thread I recently started (sorry for the repetition in it) I would add: I've added kick-sta to replace both the authorize and unauthorize guest commands in Unifi.pm It transpired my in house cert was upsetting things until I updated ca certs on the debian container I'm using. The symptom was the following in packetfence.log: before: Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 (certificate verify failed) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) after: Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) After this the kick events come through and I get a brief drop in packets whilst pinging. I'm still fighting the final issue - which is increasing the duration of the kick, or ensuring a full re-auth occurs, as currently the device I'm testing with drops packets, but remains on the same VLAN still until the device is toggled. Thanks for the guidance and let me know if you face/overcame anything similar. Cheers, David On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users wrote: > De: "Michael Westergaard via PacketFence-users" > Hi Michael, > I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release, > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is > using > for authenticating users over wireless and then changing the VLAN. > However I cannot find any documentation anywhere if this is possible in > Packetfence Documentation? > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have anybody > been > able to make it work? We made some test a few weeks ago, and we've been able to manage an Unifi controler using Radius mode ( rather than the Portal mode described in PacketFence documentation). This allow you to use dynamic VLAN with WPA2-Enterprise, as it seems that dynamic VLAN are only available in secure mode on unifi. The only change we had to do (on the packetfence side) was That means you have to configure your AP type as "Unifi Controller" in packetfence, and set the Deauth method to "HTTPS", instead of Radius. Of course you will also define the unifi controller IP in the same location. Then you will have to edit (or override) the Unifi.pm module to change the webservice command used to auth/deauth users : this is in the "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi command through the webservice, instead of the "authorize-guest/unauthorise-guest". Hope this help, Regards -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users -- Check out the vibrant tech community on one of the world
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
Hello Tim, hi all, we do use Juniper EX3200 Switches here and I would like to discuss a security issue in your example conf for Juniper in the documentation referenced by your posting below: your doc suggests the option „mac radius“ to be activated. I would rather NOT suggest that, because: MAC Authentication is subject to spoofing attacks, which one exactly wants to get rid of by using 802.1x. It is exactly the wrong way to activate the mac radius option, as in this case a juniper switch would use simple mac radius as a fallback, if 802.1x would fail, which is exactly what you would NOT want to have, if you want to be sure NOT to be vulnerable to mac spoofing attacks. So is there a reason you suggest that option for i didn get? Bye, Holger PS: A additional personal hint: using interface ranges in the „protocols / dot1x / interface“ config did not work with our switches, we had to explicitly name the interfaces there. Von: Timothy Mullican via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net] Gesendet: Donnerstag, 1. Februar 2018 18:11 An: packetfence-users@lists.sourceforge.net Cc: Timothy Mullican ; Frederic Hermann Betreff: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band By the way, Fabrice Durand already added code to do this in pull request #2735 on github. See https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch You can apply that patch to get it working. Also see https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc for the updated documentation. You can read though my earlier thread to see the steps I took to get it working. Tim Sent from mobile phone On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users mailto:packetfence-users@lists.sourceforge.net>> wrote: This has been a fantastic resource for the thread I recently started (sorry for the repetition in it) I would add: I've added kick-sta to replace both the authorize and unauthorize guest commands in Unifi.pm It transpired my in house cert was upsetting things until I updated ca certs on the debian container I'm using. The symptom was the following in packetfence.log: before: Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443<http://10.100.103.33:8443> (certificate verify failed) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) after: Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) After this the kick events come through and I get a brief drop in packets whilst pinging. I'm still fighting the final issue - which is increasing the duration of the kick, or ensuring a full re-auth occurs, as currently the device I'm testing with drops packets, but remains on the same VLAN still until the device is toggled. Thanks for the guidance and let me know if you face/overcame anything similar. Cheers, David On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users mailto:packetfence-users@lists.sourceforge.net>> wrote: > De: "Michael Westergaard via PacketFence-users" > mailto:packetfence-users@lists.sourceforge.net>> Hi Michael, > I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release, > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is > using > for authenticating users over wireless and then changing the VLAN. > However I cannot find any documentation anywhere if this is possible in > Packetfence Documentation? > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have anybody > been > able to make it work? We made some test a few weeks ago, and we've been able to manage an Unifi controler using Radius mode ( rather than the Portal mode described in PacketFence documentation). This allow you to use dynamic VLAN with WPA2-Enterprise, as it seems that dynamic VLAN are only available in secure mode on unifi. The only change we had to do (on the packetfence side) was That means you have to configure your AP type as "Unifi Controller" in packetfence, and set the Deauth method to "HTTPS", instead of Radius. Of course you will also define the unifi controller IP in the same location. Then you will have to edit (or override) the Unifi.pm module to change the webservice command used to auth/deauth users : this is in the "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi command through the webservice, instead of the "authorize-guest/unauthorise-guest". Hope this help, Regards
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
By the way, Fabrice Durand already added code to do this in pull request #2735 on github. See https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch You can apply that patch to get it working. Also see https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc for the updated documentation. You can read though my earlier thread to see the steps I took to get it working. Tim Sent from mobile phone > On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users > wrote: > > This has been a fantastic resource for the thread I recently started (sorry > for the repetition in it) > I would add: > I've added kick-sta to replace both the authorize and unauthorize guest > commands in Unifi.pm > > It transpired my in house cert was upsetting things until I updated ca certs > on the debian container I'm using. The symptom was the following in > packetfence.log: > before: > Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 > (certificate verify failed) > (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) > after: > Switched status on the Unifi controller using command kick-sta > (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) > > After this the kick events come through and I get a brief drop in packets > whilst pinging. I'm still fighting the final issue - which is increasing the > duration of the kick, or ensuring a full re-auth occurs, as currently the > device I'm testing with drops packets, but remains on the same VLAN still > until the device is toggled. > > Thanks for the guidance and let me know if you face/overcame anything similar. > > Cheers, > > David > > >> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users >> wrote: >> > De: "Michael Westergaard via PacketFence-users" >> > >> Hi Michael, >> >> >> > I am trying to see if Packetfence is a proper way to do NAC with Unifi >> > UAP-AC >> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release, >> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is >> > using >> > for authenticating users over wireless and then changing the VLAN. >> >> > However I cannot find any documentation anywhere if this is possible in >> > Packetfence Documentation? >> >> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have anybody >> > been >> > able to make it work? >> >> We made some test a few weeks ago, and we've been able to manage an Unifi >> controler using Radius mode ( rather than the Portal mode described in >> PacketFence documentation). >> >> This allow you to use dynamic VLAN with WPA2-Enterprise, as it seems that >> dynamic VLAN are only available in secure mode on unifi. >> >> The only change we had to do (on the packetfence side) was >> >> >> That means you have to configure your AP type as "Unifi Controller" in >> packetfence, and set the Deauth method to "HTTPS", instead of Radius. >> Of course you will also define the unifi controller IP in the same location. >> Then you will have to edit (or override) the Unifi.pm module to change the >> webservice command used to auth/deauth users : this is in the >> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi >> command through the webservice, instead of the >> "authorize-guest/unauthorise-guest". >> >> Hope this help, >> >> Regards >> >> -- >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> ___ >> PacketFence-users mailing list >> PacketFence-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/packetfence-users > > -- > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > ___ > PacketFence-users mailing list > PacketFence-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/packetfence-users -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
This has been a fantastic resource for the thread I recently started (sorry for the repetition in it) I would add: I've added kick-sta to replace both the authorize and unauthorize guest commands in Unifi.pm It transpired my in house cert was upsetting things until I updated ca certs on the debian container I'm using. The symptom was the following in packetfence.log: before: Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 (certificate verify failed) (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) after: Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP) After this the kick events come through and I get a brief drop in packets whilst pinging. I'm still fighting the final issue - which is increasing the duration of the kick, or ensuring a full re-auth occurs, as currently the device I'm testing with drops packets, but remains on the same VLAN still until the device is toggled. Thanks for the guidance and let me know if you face/overcame anything similar. Cheers, David On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users < packetfence-users@lists.sourceforge.net> wrote: > > De: "Michael Westergaard via PacketFence-users" < > packetfence-users@lists.sourceforge.net> > Hi Michael, > > > > I am trying to see if Packetfence is a proper way to do NAC with Unifi > UAP-AC > > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release, > > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence > is using > > for authenticating users over wireless and then changing the VLAN. > > > However I cannot find any documentation anywhere if this is possible in > > Packetfence Documentation? > > > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have > anybody been > > able to make it work? > > We made some test a few weeks ago, and we've been able to manage an Unifi > controler using Radius mode ( rather than the Portal mode described in > PacketFence documentation). > > This allow you to use dynamic VLAN with WPA2-Enterprise, as it seems that > dynamic VLAN are only available in secure mode on unifi. > > The only change we had to do (on the packetfence side) was > > > That means you have to configure your AP type as "Unifi Controller" in > packetfence, and set the Deauth method to "HTTPS", instead of Radius. > Of course you will also define the unifi controller IP in the same > location. > Then you will have to edit (or override) the Unifi.pm module to change the > webservice command used to auth/deauth users : this is in the > "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" > unifi command through the webservice, instead of the > "authorize-guest/unauthorise-guest". > > Hope this help, > > Regards > > > -- > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > ___ > PacketFence-users mailing list > PacketFence-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/packetfence-users > -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
> De: "Michael Westergaard via PacketFence-users" > Hi Michael, > I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release, > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is > using > for authenticating users over wireless and then changing the VLAN. > However I cannot find any documentation anywhere if this is possible in > Packetfence Documentation? > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have anybody > been > able to make it work? We made some test a few weeks ago, and we've been able to manage an Unifi controler using Radius mode ( rather than the Portal mode described in PacketFence documentation). This allow you to use dynamic VLAN with WPA2-Enterprise, as it seems that dynamic VLAN are only available in secure mode on unifi. The only change we had to do (on the packetfence side) was That means you have to configure your AP type as "Unifi Controller" in packetfence, and set the Deauth method to "HTTPS", instead of Radius. Of course you will also define the unifi controller IP in the same location. Then you will have to edit (or override) the Unifi.pm module to change the webservice command used to auth/deauth users : this is in the "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi command through the webservice, instead of the "authorize-guest/unauthorise-guest". Hope this help, Regards -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users