Small update - exported the ZEN package into our VM environment - have
Out-of-Band working on a test 2960G. Get reg, redirect, then see Radius
configure the switch port and access - GREAT!
Questions:
1. I noticed if the client device is on a configured port it is not on REG (Vl2) by
default. The Radius configures it back to Vl2, but it takes a release/renew on
the client device to get the PF Vl2 IP from PF and start the auth process -
is this by design?
2. I am having trouble with the WebAuth portion on the wireless side - I can see the
log in packetfence.log without ever actually getting connected to the SSID:
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling
radius autz request: from switch_ip => (10.218.0.2), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac =>
[bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90
(pf::radius::authorize)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status
unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2)
Added role Pre_Auth to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web
authentication redirection to reply using role: 'Pre_Auth' and URL: '
http://10.218.100.100/sid93100c'
(pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
The log stops and I get the "unable to connect" dialog on my device (it never
actually associates to the SSID) - no logs are leading me anywhere else unless I'm
looking at the wrong ones. I used the WebAuth Device Config Guide to no avail
and am a bit stuck. My switches.conf is below as well - 10.218.0.2 is the WLC,
10.218.100.100 is the PF admin GUI.
[10.218.0.2]
mode=production
SNMPCommunityRead=harley
SNMPCommunityWrite=harleyrw
defaultVlan=10
deauthMethod=RADIUS
description=WLC
type=Cisco::WLC_5500
radiusSecret=packetfence
SNMPVersion=2c
ExternalPortalEnforcement=Y
defaultRole=Authorized
registrationRole=Pre_Auth
registrationUrl=http://10.218.100.100/
controllerIp=10.218.0.2
UrlMap=Y
VlanMap=N
controllerPort=3799
[10.218.100.4]
mode=production
SNMPCommunityRead=harley
description=100.4
cliAccess=Y
SNMPCommunityWrite=harley
defaultVlan=10
deauthMethod=RADIUS
type=Cisco::Catalyst_2960G
radiusSecret=packetfence
SNMPVersion=2c
controllerPort=3799
RoleMap=N
Cory White
Xponet
P: 904.735.1600
E: [email protected]
On Wed, Feb 1, 2017 at 10:10 AM, Cory White <[email protected]> wrote:
> Hello All -
>
> Been a while since I posted for version 4 testing and inline deployment. We
> did deploy PF sparingly in a production environment but have yet to go
> 'all-in' as a permanent replacement. Roughly a couple hundred users - we're
> looking for multiple thousands to test now.
>
> It's been some time and I'm revisiting PF with the 6.4 release - I am having
> some sticking points where I see communication between our WLC and PF, can
> associate to the SSID and see the Pre-Auth ACL applied but never get presented with
> a portal - "Unable to contact server" under iOS. Preview of default does
> not display and shows a 'too many redirects' error.
>
> We're testing with dual NICs, as eth0 is the management interface and eth1 is the
> portal/VLAN specific to the SSID - is this possible or do I need to use one
> trunked eth0 and add VLAN identifiers/daemon assignments accordingly?
>
> We're running a Cisco 5520 server WLC on the latest 8.3 code so there are some
> differences from the documentation examples, but straightforward. We 'think'
> WebAuth is the way we want to test/deploy, essentially leaving the WLC to do
> all the work on our backbone and leaving PF as just the portal to assign Auth
> ACLs. Is this possible over multiple NICs and VLANs? Or is this more of an
> inline thought process where management, portal and SSID/VLAN need to
> reside on one LAN to accomplish it?
>
> Basically if we want to scale past one network for captive portal
> (multiple guest VLANs) do we need to go with O-o-B VLAN enforcement and
> still use WLC/server backbone for everything else ILO WebAuth?
>
>
> Cory White
> Xponet
> P: 904.735.1600
> E: [email protected]
>
>
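The packetfence.log excerpt above already records everything PacketFence decided for that MAC (switch, status, role, redirect URL); what is missing is a quick way to line those decisions up against the matching switches.conf entry. The script below is an added example written for this thread, not code from PacketFence or from the poster: it parses the log lines quoted above (re-joined onto single lines, since the mail client wrapped them) and a trimmed copy of the poster's WLC entry, then reports per MAC the role and redirect URL PacketFence returned and any inconsistency between them and the switch configuration. The log field names are taken from the lines above; the regexes are assumptions about PacketFence's log layout and may need adjusting for other versions.

```python
import re
from configparser import ConfigParser
from urllib.parse import urlparse

# Constructed sample: the packetfence.log lines from the message above, re-joined
# onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/sid93100c' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
"""

# Constructed sample: the WLC entry from the poster's switches.conf, secrets removed.
SAMPLE_SWITCHES_CONF = """\
[10.218.0.2]
mode=production
type=Cisco::WLC_5500
ExternalPortalEnforcement=Y
defaultRole=Authorized
registrationRole=Pre_Auth
registrationUrl=http://10.218.100.100/
controllerIp=10.218.0.2
UrlMap=Y
VlanMap=N
"""

# Assumed log layout: "<ts> <process> <LEVEL>: [mac:<mac>] <message> (<perl::function>)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<proc>\S+) (?P<level>\w+): "
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] (?P<msg>.*) \((?P<func>[\w:]+)\)$"
)
AUTZ_RE = re.compile(r"switch_ip => \((?P<switch_ip>[\d.]+)\), connection_type => (?P<ctype>[^,]+),.*?ssid => (?P<ssid>\S+)")
ROLE_RE = re.compile(r"Added role (?P<role>\S+) to the returned RADIUS Access-Accept")
REDIR_RE = re.compile(r"redirection to reply using role: '(?P<role>[^']+)' and URL: '(?P<url>[^']+)'")


def parse_log(text):
    """Group parsed packetfence.log events by client MAC, keeping file order."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an authorize-related line in the assumed layout
        s = sessions.setdefault(m["mac"], {"events": [], "switch_ip": None, "connection_type": None,
                                           "ssid": None, "status": None, "role": None,
                                           "redirect_url": None, "rejected": False})
        s["events"].append((m["ts"], m["func"]))
        msg = m["msg"]
        a = AUTZ_RE.search(msg)
        r = ROLE_RE.search(msg)
        d = REDIR_RE.search(msg)
        if a:
            s["switch_ip"], s["connection_type"], s["ssid"] = a["switch_ip"], a["ctype"], a["ssid"]
        elif "is of status " in msg:
            s["status"] = msg.split("is of status ", 1)[1].split(";", 1)[0]
        elif r:
            s["role"] = r["role"]
        elif d:
            s["redirect_url"] = d["url"]
        elif "Access-Reject" in msg:
            s["rejected"] = True
    return sessions


def load_switches(text):
    """switches.conf is INI-style; configparser lowercases the keys."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def diagnose(log_text, conf_text):
    """Per MAC: what PacketFence returned, plus findings against the switch entry."""
    switches = load_switches(conf_text)
    report = {}
    for mac, s in parse_log(log_text).items():
        findings = []
        sw = switches.get(s["switch_ip"] or "")
        if sw is None:
            findings.append(f"no switches.conf entry for switch_ip {s['switch_ip']}")
        else:
            if s["redirect_url"] and sw.get("externalportalenforcement", "N").upper() != "Y":
                findings.append("redirect URL returned but ExternalPortalEnforcement is not Y")
            reg_role = sw.get("registrationrole")
            if s["status"] == "unreg" and s["role"] != reg_role:
                findings.append(f"unregistered client got role {s['role']}, expected registrationRole {reg_role}")
            reg_host = urlparse(sw.get("registrationurl", "")).hostname
            redir_host = urlparse(s["redirect_url"] or "").hostname
            if s["redirect_url"] and redir_host != reg_host:
                findings.append(f"redirect host {redir_host} differs from registrationUrl host {reg_host}")
        if s["rejected"]:
            findings.append("PacketFence returned Access-Reject")
        elif s["redirect_url"] and s["events"][-1][1].endswith("returnRadiusAccessAccept"):
            findings.append("last PacketFence event is the Access-Accept with redirect; "
                            "no later authorize or accounting event for this MAC")
        report[mac] = {"switch_ip": s["switch_ip"], "connection_type": s["connection_type"],
                       "ssid": s["ssid"], "status": s["status"], "role": s["role"],
                       "redirect_url": s["redirect_url"], "findings": findings}
    return report


if __name__ == "__main__":
    for mac, info in diagnose(SAMPLE_LOG, SAMPLE_SWITCHES_CONF).items():
        print(mac, info)
```

On the sample above the only finding is that PacketFence's side ends at the Access-Accept carrying the Pre_Auth role and the portal redirect, which is consistent with what the poster describes: nothing later for that MAC reaches packetfence.log, so the remaining evidence is on the controller side. Feeding the script a switches.conf whose registrationUrl host does not match the redirect URL, or whose registrationRole differs from the role PacketFence added, produces a finding for that mismatch, which is the kind of configuration drift that is easy to miss when the two files are read separately.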
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users