Re: [PacketFence-users] Proper VLAN config
Hi Fabrice,

I think I managed to figure out most of the things I asked you, but I hit another error. As I told you, I'd like to use VLAN enforcement with hostapd. I changed my RADIUS to local EAP. I'm still able to register a device (when auto registration with RADIUS credentials is activated), but after successful authentication nothing happens.

My log files:

Log of /usr/local/pf/logs/packetfence.log:

Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] handling radius autz request: from switch_ip => (10.0.0.105), connection_type => Wireless-802.11-EAP,switch_mac => (64:70:02:b5:d4:eb), mac => [90:8d:6c:7c:09:9b], port => 1, username => "john", ssid => LabTest (pf::radius::authorize)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Instantiate profile MAWIFI (pf::Connection::ProfileFactory::_from_profile)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) WARN: [mac:90:8d:6c:7c:09:9b] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Using sources local for matching (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Using sources local for matching (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Username was defined "john" - returning role 'Mitarbeiter' (pf::role::getRegisteredRole)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] PID: "john", Status: reg Returned VLAN: (undefined), Role: Mitarbeiter (pf::role::fetchRoleForNode)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] (10.0.0.105) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] violation 133 force-closed for 90:8d:6c:7c:09:9b (pf::violation::violation_force_close)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Instantiate profile MAWIFI (pf::Connection::ProfileFactory::_from_profile)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:00:13:ce:ec:9e:27] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)

And the log of hostapd:

Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: stopped accounting session 59A408DF-0015
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: authenticated
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: associated (aid 1)
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: VLAN ID 100
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b WPA: pairwise key handshake completed (RSN)
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: starting accounting session 59A408DF-0016
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Mon Aug 28 16:16:39 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: disassociated
Mon Aug 28 16:16:39 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: stopped accounting session 59A408DF-0016
Mon Aug 28 16:16:40 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

Regards,
Moritz

> On 26. Aug 2017, at 18:41, Moritz Schmid via PacketFence-users wrote:
Re: [PacketFence-users] Proper VLAN config
Hello Fabrice,

Thanks for your reply, but I'm still wrestling with the config at all and I'm having some further questions. First let me tell you my plans. I'd like to use pf in the vlan-enf mode with an OpenWrt router with hostapd and the RADIUS with local auth (for testing).

I configured the network as I wrote in my last mail. So pf and the OpenWrt AP are in the 10.0.0.x network without any VLAN. I created a VLAN each for registration and isolation as described in this guide:
https://packetfence.org/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN.html#_configuring_your_packetfence_environment
and the linking of the AP after that guide
https://packetfence.org/doc/PacketFence_OpenWrt-Hostapd-15-05_Quick_Install_Guide.html
which contains two errors I'd like to report. The linking of the AP works fine so far. Initially I plan to use the default role, which I allowed to register up to 10 devices. Here my troubles are starting: which authentication sources shall I use?

At the moment I'm using the default connection profile with the local source. If I connect a device via wifi to the network I can see the following lines in the log of hostapd:

Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 IEEE 802.11: authenticated
Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 IEEE 802.11: associated (aid 1)
Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 RADIUS: starting accounting session 59A1541A-001E

If I check auto registration of new devices in the connection profile the device even gets registered, but the wifi won't connect. I stored the RADIUS credentials as demanded in the /usr/local/pf/raddb/users file. Which point am I missing? Do I need further configurations? Honestly, sometimes I'm feeling lost in the guides of pf.

Two last questions for my own understanding. The users section in the pf web menu: is it the "local" auth source? And if I use the auth source htpasswd, do I need to create a user in the users section?

Best regards and sorry for the large amount of questions/problems
Moritz

> On 25. Aug 2017, at 18:49, Fabrice Durand via PacketFence-users wrote:

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Proper VLAN config
Hello Moritz,

just keep in mind that the registration and isolation VLAN is managed by PacketFence (dhcp/dns/gateway); after that the production VLAN can be what you want.

Regards
Fabrice

On 2017-08-25 at 10:39, Moritz Schmid via PacketFence-users wrote:
> Hey guys,
>
> I'm new to pf and a little bit confused about a proper VLAN setup for the VLAN enforcement. So far I'd like to have my setup checked please. My question: is it possible that the management VLAN and the "normal" aka production VLAN are the same? I know it is possible to have several prod VLANs but in my case I just want to have one.
>
> In the Network Device Conf Guide it's: Normal VLAN: 1, Registration VLAN: 2 & Isolation VLAN: 3
> In the OoB Zen Guide it's: Mgmt VLAN 1, Reg VLAN 2, Isolation VLAN 3 & Normal VLAN 10
>
> My plans and my understanding is the following:
>
> Pf server (following the guide):
> Eth0 as mgmt/normal with ip 10.0.0.x
> Eth0 vlan 2 as registration with dhcp from pf (192.168.2.x)
> Eth0 vlan 3 as isolation with dhcp from pf (192.168.3.x)
>
> Switch
> Default vlan (1) with ip 10.0.0.x
> …
> …
>
> On uplink (Port 1) which is in the default vlan 1 and Port 2 as the trunk port in all three vlans.
>
> Regards,
> Moritz

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)