On 2014-09-03, at 16:45 , Juan Camilo Valencia <[email protected]>
wrote:
> Hi Jake,
>
> Didn't start yet. What I understand is:
>
> * Create the object in PF, i.e, configure a new switch with the type WLC.
> * Define the IP in the controller field; I think it should be the same as for
> the object.
> * Configure a strong secret password for the RADIUS section in the PF switch
> definition.
> * SNMP shouldn't be necessary (I think not, but previously in MAB for the
> 2960 I was wrong, so I will configure it anyway).
>
> On the controller side, I should:
>
> * Define the SSID.
> * Configure WPA + WPA2 for 802.1x Auth.
> * Point RADIUS servers to PF box.
> * Allow AAA override.
>
Hi Juan,
You are indeed on the right path.
The WLC is very common and well supported. A WISM is essentially the same thing
but as an addon module for a core switch.
Configuring ntlm authentication is usually easy.
1. Make sure the server is joined to the domain:
# net ads testjoin
2. Test ntlm authentication manually from the server with a valid account and
password:
# ntlm_auth --username=you
3. Once ntlm_auth is working manually, make sure radius is correctly configured.
You can save some time by just copying this file to
/usr/local/pf/raddb/modules/mschap:
https://raw.githubusercontent.com/inverse-inc/packetfence/devel/raddb/modules/mschap
4. Test radius.
Start radius in debug mode with
# radiusd -d /usr/local/pf/raddb -X
Ideally I recommend using eapol_test for radius EAP testing as it makes it
easier to separate controller side issues from server side issues.
See here for a brief intro to eapol_test:
http://deployingradius.com/scripts/eapol_test/
I use it almost daily and it is so much better than fiddling with a test
device.
Once eapol_test works reliably, then you can test your SSID with a real
device.
You may have to disable certificate validation while testing if you haven't
distributed the radius certificate to the devices.
That should probably be addressed as a separate item.
You do not need LDAP for NTLM authentication. You may need it later if you
decide to assign VLANs based on group membership.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
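The step-by-step checks Louis describes (domain join, ntlm_auth, then eapol_test against the PacketFence RADIUS) as one script, added here as an example and not code from the thread or from PacketFence. It assumes the tools are on the PF box itself; the RADIUS host, shared secret and the PEAP/MSCHAPv2 config layout are assumptions, and the test credentials are constructed. Leaving out ca_cert is the "disable certificate validation while testing" caveat from the reply and should not be kept for real clients.

```sh
#!/bin/sh
# Check each layer in order so a controller-side problem is not mistaken for a
# server-side one. Paths come from the thread; host/secret are assumptions.
PF_RADDB=/usr/local/pf/raddb
RADIUS_HOST=${RADIUS_HOST:-127.0.0.1}         # assumption: run on the PF box
RADIUS_SECRET=${RADIUS_SECRET:-CHANGE_ME}     # placeholder: PF switch RADIUS secret

# ntlm_auth prints "NT_STATUS_OK: Success (0x0)" on success and another
# NT_STATUS_* code (e.g. NT_STATUS_WRONG_PASSWORD) on failure.
ntlm_ok() {
    case "$1" in
        NT_STATUS_OK*) return 0 ;;
        *)             return 1 ;;
    esac
}

# eapol_test ends its output with a single line: SUCCESS or FAILURE.
eapol_ok() {
    [ "$(printf '%s\n' "$1" | tail -n 1)" = "SUCCESS" ]
}

# Write a wpa_supplicant-style config for eapol_test: PEAP with inner MSCHAPv2,
# which is what the WLC does for WPA2-Enterprise. $4 is an optional CA cert;
# empty means no server certificate validation (testing only).
write_peap_conf() {
    {
        echo 'network={'
        echo "    ssid=\"${5:-TEST-SSID}\""
        echo '    key_mgmt=WPA-EAP'
        echo '    eap=PEAP'
        echo "    identity=\"$2\""
        echo "    password=\"$3\""
        echo '    phase2="auth=MSCHAPV2"'
        if [ -n "$4" ]; then echo "    ca_cert=\"$4\""; fi
        echo '}'
    } > "$1"
}

# Run the checks in the order of the reply; the return code says which step failed.
run_checks() {  # $1=username $2=password
    net ads testjoin >/dev/null 2>&1 || { echo "step 1: server not joined to the domain"; return 1; }
    out=$(ntlm_auth --username="$1" --password="$2" 2>&1)
    ntlm_ok "$out" || { echo "step 2: ntlm_auth failed: $out"; return 2; }
    [ -f "$PF_RADDB/modules/mschap" ] || { echo "step 3: $PF_RADDB/modules/mschap missing"; return 3; }
    conf=$(mktemp) && write_peap_conf "$conf" "$1" "$2" ""
    out=$(eapol_test -c "$conf" -a "$RADIUS_HOST" -p 1812 -s "$RADIUS_SECRET" 2>&1)
    eapol_ok "$out" || { echo "step 4: eapol_test failed; compare with radiusd -X output"; return 4; }
    echo "all steps passed for $1"
}

if [ "${1:-}" = "run" ]; then run_checks "$2" "$3"; fi
```

Invoke as `sh check_pf_ntlm.sh run testuser 'TestPass1'` on the PF server while `radiusd -d /usr/local/pf/raddb -X` is running in another terminal.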
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users