Hello Cory,

You don't have to define the URL on the WLC; this is set by the RADIUS attribute.

Just follow the doc and don't forget to set the NAC state to Radius NAC.

Regards

Fabrice



On 2017-02-03 at 14:45, Cory White wrote:
Thank You Fabrice -

I attempted the changes and wired has the same behavior - I'll play with some options there. The wireless WebAuth has the same behavior, but after tailing I see what appears to be a loop - as I try to connect I get the below, then after the log stops I get "unable to connect" on the device (iOS).

Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/Cisco::WLC/sid44a116' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/Cisco::WLC/sid720a4e' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)

Also, I'm assuming the actual WLC Security -> WebAuth -> redirect needs to be set to external with the same URL "http://10.218.100.100/Cisco::WLC", since it's not in the documentation. I've tested the Pre-Auth locally on the internal portal and it works as expected, so it's the interaction between the two that I'm missing?


Cory White
Xponet
P: 904.735.1600
E: [email protected]


On Fri, Feb 3, 2017 at 8:39 AM, Fabrice Durand <[email protected]> wrote:

    Hello Cory,


    On 2017-02-02 at 22:39, Cory White wrote:
        Small update - exported ZEN package into our VM environment -
        have Out-of-Band working on a test 2960G. Get reg, redirect, then
        see RADIUS configure switch port and access - GREAT!
        Questions:
        1. I noticed if the client device is on a configured port not on REG
        (Vl2) by default, the RADIUS configures back to Vl2 but it takes
        a release/renew on the client device to get the PF Vl2 IP from PF
        and start the auth process - is this by design?
    Maybe you can try "authentication open" on the switch port config.
    Also do you know that you can do exactly the same thing (web auth)
    on the wire side too!
        2. I am having trouble with the WebAuth portion on the wireless side - I
        can see logs in packetfence.log without actually ever getting
        connected to the SSID?

        Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)
        Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
        Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
        Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
        Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/sid93100c' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
    Change the registration url to that:
    registrationUrl=http://10.218.100.100/Cisco::WLC

        The log stops and I get the unable to connect dialog on my device
        (never actually associates to the SSID) - no logs are leading me
        anywhere else unless I'm looking at the wrong ones. I used the
        WebAuth Device Config Guide to no avail and am a bit stuck. My
        switches.conf is below as well - 10.218.0.2 is the WLC,
        10.218.100.100 the PF admin GUI.

        [10.218.0.2]
        mode=production
        SNMPCommunityRead=harley
        SNMPCommunityWrite=harleyrw
        defaultVlan=10
        deauthMethod=RADIUS
        description=WLC
        type=Cisco::WLC_5500
        radiusSecret=packetfence
        SNMPVersion=2c
        ExternalPortalEnforcement=Y
        defaultRole=Authorized
        registrationRole=Pre_Auth
        registrationUrl=http://10.218.100.100/
        controllerIp=10.218.0.2
        UrlMap=Y
        VlanMap=N
        controllerPort=3799

        [10.218.100.4]
        mode=production
        SNMPCommunityRead=harley
        description=100.4
        cliAccess=Y
        SNMPCommunityWrite=harley
        defaultVlan=10
        deauthMethod=RADIUS
        type=Cisco::Catalyst_2960G
        radiusSecret=packetfence
        SNMPVersion=2c
        controllerPort=3799
        RoleMap=N

        Cory White
        Xponet
        P: 904.735.1600
        E: [email protected]


    On Wed, Feb 1, 2017 at 10:10 AM, Cory White <[email protected]> wrote:

        Hello All -

        Been a while since I posted for version 4 testing and inline
        deployment. We did deploy PF sparingly in a production
        environment but have yet to go 'all-in' as a permanent
        replacement. Roughly a couple hundred users - we're looking for
        multiple thousands to test now.

        It's been some time and I'm revisiting PF with the 6.4 release - I
        am having some sticking points where I see communication
        between our WLC and PF, can associate to the SSID and see the
        Pre-Auth ACL applied but never get presented with a portal -
        "Unable to contact server" under iOS. Preview of default does
        not display and shows a 'too many redirects' error.

        We're testing with dual NICs, as eth0 is the management interface
        and eth1 the portal/VLAN specific to the SSID - is this
        possible or do I need to use one trunked eth0 and add VLAN
        identifiers/daemon assignments accordingly?

        We're running a Cisco 5520 WLC on the latest 8.3 code so
        there are some differences from documentation examples but
        straightforward. We 'think' WebAuth is the way we want to
        test/deploy, essentially letting the WLC do all the work on
        our backbone and leaving PF just as the portal to assign Auth ACLs.
        Is this possible over multiple NICs and VLANs? Or is this
        more of an inline thought process where management, portal and
        SSID/VLAN need to reside on one LAN to accomplish?

        Basically, if we want to scale past one network for captive
        portal (multiple guest VLANs) do we need to go with O-o-B
        VLAN enforcement and still use the WLC/server backbone for
        everything else in lieu of WebAuth?


        Cory White
        Xponet
        P: 904.735.1600
        E: [email protected]




    
------------------------------------------------------------------------------
    Check out the vibrant tech community on one of the world's most
    engaging tech sites, SlashDot.org!http://sdm.link/slashdot

    _______________________________________________
    PacketFence-users mailing list
    [email protected]
    <mailto:[email protected]>
    https://lists.sourceforge.net/lists/listinfo/packetfence-users
    <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
    Regards
    Fabrice

    -- 
    Fabrice Durand
    [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
    Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
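
The two symptoms the thread circles around are both visible in the httpd.aaa lines Cory pasted: in the Feb 02 log the redirect URL PacketFence hands to the WLC has no Cisco::WLC prefix (the registrationUrl Fabrice asked him to change), and in the Feb 03 log the same MAC gets a fresh Access-Accept with a new sid twice in the same second, which is what a redirect loop looks like from the PacketFence side. As an added example (not PacketFence code and not from anyone in the thread), the Python below parses that log format and reports both conditions per MAC. The sample lines are constructed from the ones in the thread plus one invented MAC (aa:bb:cc:dd:ee:ff) carrying the pre-fix URL; the year, the 5-second window and the two-redirect threshold are assumptions, not PacketFence defaults.

```python
"""Spot a WLC web-auth redirect loop in PacketFence httpd.aaa log lines.

Added example; this is not PacketFence code and not from the thread.
It parses the log format posted above and flags two things:
  * a redirect URL without the /Cisco::WLC switch-type prefix, i.e.
    registrationUrl still set to the bare portal address, and
  * the same MAC receiving a fresh redirect (new sid) repeatedly within
    a short window, which is how a redirect loop looks from the PF side.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"httpd\.aaa\(\d+\) (?P<level>\w+): \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)$"
)
REDIRECT_MARK = "Adding web authentication redirection"
URL_RE = re.compile(r"URL: '(?P<url>[^']+)'")
LOG_YEAR = 2017  # the log carries no year; assumed from the thread's date

# Constructed sample: three lines taken from the thread, one invented line
# for a second MAC that still gets the URL without the Cisco::WLC prefix.
SAMPLE_LOG = """\
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/Cisco::WLC/sid44a116' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/Cisco::WLC/sid720a4e' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:aa:bb:cc:dd:ee:ff] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/sid93100c' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
"""


def parse_line(line):
    """Return (timestamp, mac, message) or None if the line is another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["mac"], m["msg"]


def redirect_url_ok(url, switch_type="Cisco::WLC"):
    """True when the portal URL carries the switch-type prefix, i.e. it was
    built from registrationUrl=http://<pf>/Cisco::WLC in switches.conf."""
    return urlparse(url).path.startswith(f"/{switch_type}/")


def analyze(lines, window_s=5, loop_threshold=2):
    """Per MAC: redirect count, distinct sids, bad URLs, and whether at least
    loop_threshold redirects were issued within window_s seconds (a loop).
    Thresholds are assumptions, not PacketFence defaults."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mac, msg = parsed
        if REDIRECT_MARK not in msg:
            continue
        um = URL_RE.search(msg)
        if um:
            events[mac].append((ts, um["url"]))

    report = {}
    for mac, evs in events.items():
        evs.sort(key=lambda e: e[0])
        # Largest number of redirects to this MAC inside any window_s span.
        burst, j = 0, 0
        for i, (ts, _) in enumerate(evs):
            while (ts - evs[j][0]).total_seconds() > window_s:
                j += 1
            burst = max(burst, i - j + 1)
        report[mac] = {
            "redirects": len(evs),
            "distinct_sids": len({urlparse(u).path.rsplit("/", 1)[-1] for _, u in evs}),
            "bad_urls": [u for _, u in evs if not redirect_url_ok(u)],
            "loop": burst >= loop_threshold,
        }
    return report


if __name__ == "__main__":
    for mac, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(mac, info)
```

Run it against `tail -f` output of packetfence.log (or the saved file) after changing registrationUrl: the bad_urls list should empty out first, and if loop stays true for a MAC the client is being re-authorized without ever reaching the portal, which points at the WLC side (NAC state, pre-auth ACL) rather than at PacketFence.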

    