Hello Cory,

On 2017-02-02 at 22:39, Cory White wrote:
> Small update - exported ZEN package into our VM environment - have
> Out-of-Band working on a test 2960G. Get reg, redirect then see Radius
> config switch port and access - GREAT!
> Questions:
> 1. I noticed if client device is on a configured port not on REG (Vl2)
> by default. The Radius configures back to Vl2 but it takes a release
> renew on the client device to get the PF VL2 IP from pf and start the
> auth process - is this by design?
Maybe you can try "authentication open" on the switch port config.
Also, do you know that you can do exactly the same thing (web auth) on
the wired side too!
> 2. I am having trouble with WebAuth portion on wireless side - I can
> see log in packetfence.log without actually ever getting connected to
> the SSID? 
>
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling
> radius autz request: from switch_ip => (10.218.0.2), connection_type
> => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac =>
> [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid =>
> PF90 (pf::radius::authorize)
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of
> status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc]
> (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding
> web authentication redirection to reply using role: 'Pre_Auth' and
> URL: 'http://10.218.100.100/sid93100c'
> (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Change the registration URL to this:
registrationUrl=http://10.218.100.100/Cisco::WLC
>
> The log stops and I get the unable to connect dialog on my device
> (never actually associates to SSID) - no logs are leading me anywhere
> else unless I'm looking at the wrong ones. I used the WebAuth Device
> Config Guide to no avail and am a bit stuck. My switches.conf is below
> as well - 10.218.0.2 is WLC, 10.218.100.100 - pf admin gui
>
> [10.218.0.2]
> mode=production
> SNMPCommunityRead=harley
> SNMPCommunityWrite=harleyrw
> defaultVlan=10
> deauthMethod=RADIUS
> description=WLC
> type=Cisco::WLC_5500
> radiusSecret=packetfence
> SNMPVersion=2c
> ExternalPortalEnforcement=Y
> defaultRole=Authorized
> registrationRole=Pre_Auth
> registrationUrl=http://10.218.100.100/
> controllerIp=10.218.0.2
> UrlMap=Y
> VlanMap=N
> controllerPort=3799
>
> [10.218.100.4]
> mode=production
> SNMPCommunityRead=harley
> description=100.4
> cliAccess=Y
> SNMPCommunityWrite=harley
> defaultVlan=10
> deauthMethod=RADIUS
> type=Cisco::Catalyst_2960G
> radiusSecret=packetfence
> SNMPVersion=2c
> controllerPort=3799
> RoleMap=N
>
> Cory White
> Xponet
> P: 904.735.1600
> E: [email protected]
>
>
> On Wed, Feb 1, 2017 at 10:10 AM, Cory White <[email protected]> wrote:
>
>     Hello All - 
>
>     Been awhile since I posted for version 4 testing and inline
>     deployment. We did deploy PF sparingly in production environment
>     but have yet to go 'all-in' as a permanent replacement. Roughly
>     couple hundred users - we're looking for multiple thousands to
>     test now.
>
>     It's been some time and I'm revisiting PF with the 6.4 release - I am
>     having some sticking points where I see communication between our
>     WLC and PF, can associate to SSID and see Pre-Auth ACL applied but
>     never get presented with a portal - "Unable to contact server
>     under iOS". Preview of default does not display and shows a 'too
>     many redirects' error.
>
>     We're testing with dual NIC as eth0 is management interface and
>     eth1 being portal/vlan specific to SSID - is this possible or do I
>     need to use one trunked eth0 and add VLAN identifiers/daemon
>     assignments accordingly?
>
>     We're running Cisco 5520 server WLC on latest 8.3 code so there
>     are some differences from documentation examples but
>     straightforward. We 'think' WebAuth is the way we want to test/deploy,
>     leaving essentially the WLC to do all the work on our backbone,
>     leaving PF just as a portal to assign Auth ACLs. Is this possible
>     over multiple NICs and VLANs? Or is this a more inline thought
>     process where management, portal and SSID/VLAN need to reside on
>     one LAN to accomplish?
>
>     Basically if we want to scale past one network for captive portal
>     (multiple guest VLANs) do we need to go with O-o-B VLAN
>     enforcement and still use WLC/server backbone for everything else
>     ILO WebAuth?
>
>
>     Cory White
>     Xponet
>     P: 904.735.1600
>     E: [email protected]
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
Regards
Fabrice

-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
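As an added illustration (not code from this thread or from PacketFence itself), a small Python lint that reads a switches.conf like the one Cory quoted and flags a Cisco WLC section with ExternalPortalEnforcement=Y whose registrationUrl lacks the /Cisco::WLC path Fabrice recommended. The sample config is constructed from the quoted one, and treating the suffix as required for every Cisco::WLC_* type is an assumption.

```python
import configparser
from urllib.parse import urlparse, urlunparse

# Constructed sample modelled on the switches.conf quoted in the thread;
# the WLC section still carries the bare registrationUrl Fabrice asked to change.
SAMPLE_SWITCHES_CONF = """\
[10.218.0.2]
mode=production
type=Cisco::WLC_5500
ExternalPortalEnforcement=Y
registrationRole=Pre_Auth
registrationUrl=http://10.218.100.100/
controllerIp=10.218.0.2

[10.218.100.4]
mode=production
type=Cisco::Catalyst_2960G
RoleMap=N
"""

# Path suffix from Fabrice's reply (assumption: applies to all Cisco::WLC_* types).
EXPECTED_PATH = "/Cisco::WLC"


def load_switches(text):
    """Parse switches.conf text, keeping key case (registrationUrl, ExternalPortalEnforcement)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def suggest_fix(url):
    """Rebuild the URL with only scheme and host, plus the expected WLC path."""
    p = urlparse(url)
    return urlunparse((p.scheme, p.netloc, EXPECTED_PATH, "", "", ""))


def check_registration_urls(text):
    """Return {switch_ip: problem} for WLC sections using external portal enforcement
    whose registrationUrl does not end with the Cisco::WLC path."""
    findings = {}
    for switch, sec in load_switches(text).items():
        if not sec.get("type", "").startswith("Cisco::WLC"):
            continue  # only WLC sections use ExternalPortalEnforcement this way
        if sec.get("ExternalPortalEnforcement", "N").upper() != "Y":
            continue
        url = sec.get("registrationUrl", "")
        if not url:
            findings[switch] = "missing registrationUrl"
        elif not urlparse(url).path.rstrip("/").endswith(EXPECTED_PATH):
            findings[switch] = f"registrationUrl {url!r} should be {suggest_fix(url)!r}"
    return findings
```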
