Awesome, thanks for all the info.  I'll redeploy one of my RADIUS SSIDs
soon and see if the APs automatically enable CoA or not.  Checking the
running config now with no RADIUS SSIDs configured doesn't show any
aaa.radius.dad.status or port info.  Fingers crossed it'll show up.  Of
course, I'm also waiting on UI to release a new firmware to address a speed
bug on their new U7-Pros when using PPSK or RADIUS assigned VLAN.

Mike

On Wed, Feb 28, 2024 at 7:07 AM Enrique Gross via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> I did some quick testing, it's a little old on updates, but working.
>
> I apologize for my bad English. I have removed timestamps from logs.
>
> -PF server version: 11.0.0
>
> -Unifi Controller: 6.5.55 on Debian
> -UAP/AP Model: UAP-AC-Pro
> -UAP/AP Firmware: 6.6.55.15189
>
> -Switch config on PF:
>
> IP ADDRESS: "UAP_ip_address"
> MAC ADDRESS: 18:e8:29:66:XX:XX
> Type: Ubiquiti:Unifi
> Deauthentication Method: RADIUS
> Use CoA: Yes
> Radius, secret Passphrase: "your_passphrase"
> Roles by VLAN ID as needed
>
> -SSID: "regtest", MAC-AUTH, radius assigned VLAN.
>
> -Client Device: Windows 10 Laptop
>  MAC address: f8:59:71:c4:XX:XX
>
> -Client connects first, as unreg condition and no role:
>
> -Not registered, placed in reg vlan:
>
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] handling radius autz request: from switch_ip =>
> (192.168.96.XX), connection_type => Wireless-802.11-NoEAP,switch_mac =>
> (18:e8:29:67:XX:XX), mac => [f8:59:71:c4:XX:XX], port => 0, username =>
> "f8:59:71:c4:XX:XX", ssid => regtest (pf::radius::authorize)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] Instantiate profile IBERA-TEST
> (pf::Connection::ProfileFactory:_from_profile)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] (192.168.96.XX) Added VLAN 102 to the returned
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
> -Client proceeds with portal auth, is registered and placed in "guest"
> vlan:
>
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] Username was defined "f8:59:71:c4:XX:XX" -
> returning role 'guest' (pf::role::getRegisteredRole)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] PID: "default", Status: reg Returned VLAN:
> (undefined), Role: guest (pf::role::fetchRoleForNode)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] (192.168.96.XX) Added VLAN 100 to the returned
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
> I'm not sure, but I think CoA is implemented on AP firmware, as on a
> UAP/AP "running config":
>
> aaa.radius.dad.status=enabled
> aaa.radius.dad.port=3799
> aaa.1.radius.das.status=enabled
> aaa.1.radius.das.port=3801
> aaa.1.radius.dad.status=enabled
>
>
> As UNIFI is not supporting the old UI anymore, and, in the new UI CoA is
> not implemented, I think it is possible to provision UAPs via config text file
> on controller side, but have not tested:
>
> https://gist.github.com/modest/d6ffb2cdd5e38b213f24c29be38e3b1d
>
> Not sure if this is possible on new controller versions, as I'm a little
> behind on that. But CoA is working on this test env: firmware/versions
> ecosystem.
> Or maybe on new Unifi network software, CoA is enabled when Radius profile
> is created?
>
> PF side:
>
> (7) Disconnect-Request Id 1 ens192:10.100.0.2:46904 -> 192.168.96.XX:3799
> +10.748
>         Calling-Station-Id = "F8-59-71-C4-56-3F"
>         NAS-Identifier = "18e829677602"
>         Authenticator-Field = 0x776e35f33d6376547f3c57e46402ea49
>
> (9) Disconnect-ACK Id 1 ens192:10.100.0.2:46904 <- 192.168.96.XX:3799
> +10.764 +0.016
>         Event-Timestamp = "Feb 22 2024 19:11:43 -03"
>         Message-Authenticator = 0xa5a19f1c4f9c253ca6bfce2033d74a3c
>         Authenticator-Field = 0x5384dccc7ce36e404d3ea859b818793b
>
>
> UAP side:
>
> IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS,
> Disconnect-Request (40), id: 0x7d length: 53
> IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS,
> Disconnect-Request (40), id: 0x7d length: 53
> IP 192.168.96.XX.3799 > pf.your-server.com.ar.53203: RADIUS,
> Disconnect-ACK (41), id: 0x7d length: 44
> IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS,
> Disconnect-Request (40), id: 0x72 length: 53
> IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS,
> Disconnect-Request (40), id: 0x72 length: 53
> IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS,
> Disconnect-ACK (41), id: 0x72 length: 44
> IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS,
> Disconnect-ACK (41), id: 0x72 length: 44
>
> I will be out for a few weeks, but I'm glad to help on integrating Unifi
> and Mikrotik with PF, and keep support alive. I also have spare HW, to
> perform some testing, maybe I could get an U6 new gen Unifi UAP or a
> Mikrotik CAP AX too.
> I can also spare some cloud resources to run new PF versions along with
> new UNIFI/MIKROTIK software.
>
> Enrique
>
> On Fri, 16 Feb 2024 at 23:44, Lucas Guimaraes (<
> lucas.guimar...@kavak.com>) wrote:
>
>> Hi Enrique,
>>
>> Yes, switching to the legacy interface, we can see the Radius CoA (Beta
>> for ages hehehe) in the SSID as soon as you enable the Radius option.
>> However, even if you enable this feature on Unifi Controller, the issue
>> "Can't login on the Unifi controller: 404 Not Found '' is still there.
>> Consequently, the device which is trying to go out to the internet is still
>> stuck inside of the portal.
>>
>> In other words, even with CoA on from Unifi, the deauthentication doesn't
>> work. At that point, pf tries to send a command to the Unifi Controller but
>> it doesn't respond.
>>
>> Also, I've tried to do with all the methods of deauthentication in pf
>> available instead and none of them has worked either with the latest
>> firmware stable in Unifi Controller or Network software. I was putting my
>> faith in Radius deauthentication in pf to see if that works too with web
>> auth enabled as we know Radius works in Unifi but it still shows the same
>> error yet.
>>
>> It's kind of frustrating tbh :/
>>
>> I hope someday any dev from pf / unifi could help us with that.
>>
>> I think many people are looking forward to that ^^
>>
>> On Fri, 16 Feb 2024, 08:17 Enrique Gross via PacketFence-users, <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hi Mike, Hi Lucas
>>>
>>> I have read somewhere that there were issues with web authentication
>>> and Unifi appliances like UDM. I remember configuring web auth but I
>>> now use RADIUS CoA and it works well. I admit I'm a few versions
>>> behind on my Unifi controller, and this double UI issue is kind of a
>>> headache. But the CoA option is still there on the UI on Unifi
>>> controller 8.X when you switch to the old one, does the config not
>>> provision anymore?
>>>
>>> Enrique
>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
>
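The captures Enrique posted (PF-side Disconnect-Request / Disconnect-ACK and the UAP-side tcpdump on port 3799) and Mike's question about the aaa.radius.dad.* settings both come down to RFC 5176 Dynamic Authorization: PacketFence acts as the DAC, the AP as the NAS, and the shared secret from the switch config is what ties the two packets together. The following is an added worked example, not code from PacketFence, Ubiquiti or anyone in this thread. It builds a Disconnect-Request with the same two attributes seen in the capture, answers it with a Disconnect-ACK carrying Event-Timestamp and Message-Authenticator, and verifies both sides the way a NAS and a DAC should. The secret, the masked MAC, the NAS-Identifier and the timestamp are constructed placeholders; the resulting lengths (53 and 44 octets) match the tcpdump lines above only because the attribute sets are the same.

```python
"""RFC 5176 Disconnect-Request / Disconnect-ACK builder and verifier (added example)."""
import hashlib
import hmac
import struct

# Packet codes (RFC 5176), as tcpdump printed them in the UAP-side capture
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
DAS_PORT = 3799  # default Dynamic Authorization port; cf. aaa.radius.dad.port=3799

# Attribute types present in the thread's captures
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_IDENTIFIER = 32
ATTR_EVENT_TIMESTAMP = 55
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _build(code, ident, attrs, secret, auth_input, with_mac):
    """auth_input is what sits in the 16-octet authenticator field while hashing:
    16 zero octets for a request, the Request Authenticator for a response."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if with_mac:
        # Message-Authenticator (RFC 3579 as used by RFC 5176 s2.3): HMAC-MD5 over the
        # packet with the attribute value zeroed, filled in before the packet authenticator.
        body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
        header = struct.pack("!BBH", code, ident, 20 + len(body))
        body = body[:-16] + hmac.new(secret, header + auth_input + body, hashlib.md5).digest()
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request/Response Authenticator = MD5(Code+ID+Length+auth_input+Attributes+Secret)
    return header + hashlib.md5(header + auth_input + body + secret).digest() + body


def build_disconnect_request(secret: bytes, ident: int, attrs, with_mac=True) -> bytes:
    return _build(DISCONNECT_REQUEST, ident, attrs, secret, bytes(16), with_mac)


def build_disconnect_response(code, request: bytes, secret: bytes, attrs=(), with_mac=True):
    """A response reuses the request's Identifier and hashes over its Request Authenticator."""
    return _build(code, request[1], attrs, secret, request[4:20], with_mac)


def parse_packet(data: bytes) -> dict:
    """Strict header and TLV walk; raises on malformed input rather than guessing.
    attrs entries are (type, value_offset, value)."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], pos + 2, data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}


def verify(data: bytes, secret: bytes, request: bytes = None, require_mac=True) -> bool:
    """NAS check on a Disconnect-Request (request=None) or DAC check on the ACK/NAK
    (request=the outstanding request). A packet that fails this must be ignored;
    the shared secret is the only authentication these UDP datagrams carry."""
    try:
        pkt = parse_packet(data)
    except ValueError:
        return False
    if request is not None and pkt["id"] != request[1]:
        return False  # a response must carry the Identifier of the request it answers
    auth_input = bytes(16) if request is None else request[4:20]
    expected = hashlib.md5(data[:4] + auth_input + data[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt["authenticator"]):
        return False
    macs = [(off, val) for t, off, val in pkt["attrs"] if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_mac  # policy choice: this example insists on the HMAC by default
    off, val = macs[0]
    zeroed = data[:4] + auth_input + data[20:off] + bytes(16) + data[off + 16:]
    return len(val) == 16 and hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)


def demo() -> dict:
    """Replays the thread's exchange with constructed values."""
    secret = b"your_passphrase"  # placeholder, like the PF switch config above
    ts = [(ATTR_EVENT_TIMESTAMP, struct.pack("!I", 1700000000))]  # constructed time
    req = build_disconnect_request(secret, 1, [
        (ATTR_CALLING_STATION_ID, b"F8-59-71-C4-XX-XX"),  # constructed, masked like the thread
        (ATTR_NAS_IDENTIFIER, b"18e82967XXXX"),
    ], with_mac=False)  # 20 + 19 + 14 = 53 octets, the length tcpdump showed
    ack = build_disconnect_response(DISCONNECT_ACK, req, secret, ts)  # 20 + 6 + 18 = 44 octets
    bad = build_disconnect_response(DISCONNECT_ACK, req, b"not-the-secret", ts)
    return {
        "request_len": len(req),
        "ack_len": len(ack),
        "nas_accepts_request": verify(req, secret, require_mac=False),
        "dac_accepts_ack": verify(ack, secret, request=req),
        "dac_rejects_bad_secret": not verify(bad, secret, request=req),
        "ack_code": parse_packet(ack)["code"],
    }


if __name__ == "__main__":
    print(demo())
```

The request in the capture is 53 octets, which is exactly Calling-Station-Id plus NAS-Identifier with no Message-Authenticator, so `verify()` is called with `require_mac=False` for it; the 44-octet ACK does carry one, and the DAC-side check binds it to the outstanding request's Identifier and Request Authenticator. If a NAS ignores requests that look valid, comparing what it receives against this construction (secret, zeroed authenticator, attribute order) is a faster way to find the mismatch than re-reading controller settings.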