Thanks Fabrice -

I'll try something different - my NAC options are SNMP or ISE (which is
Radius since IOS 7.3). SNMP gives WLAN error needing a quarantine VLAN, ISE
gives me the 'loop' authentication without actually connecting to the SSID.
Maybe there is something added in latest releases of firmware - I'll try a
roll back to 7 and see if it works.



Cory White
Xponet
P: 904.735.1600
E: [email protected]


On Fri, Feb 3, 2017 at 6:45 PM, Durand fabrice <[email protected]> wrote:

> Hello Cory,
>
> you don't have to define the URL on the WLC, this is set by the radius
> attribute.
>
> Just follow the doc and don't forget to set NAC state to Radius NAC.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-02-03 at 14:45, Cory White wrote:
>
> Thank You Fabrice -
>
> I attempted the changes and wired has the same behavior - I'll play with some
> options there.
> The wireless WebAuth has the same behavior, but after tailing I see what appears to
> be a loop - as I try to connect I get the below, then after the log stops
> I get 'unable to connect' on the device (iOS).
>
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/Cisco::WLC/sid44a116' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Feb 03 14:36:07 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/Cisco::WLC/sid720a4e' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
>
> Also I'm assuming the actual WLC Security -> WebAuth -> redirect needs to
> be set to external with the same URL "http://10.218.100.100/Cisco::WLC",
> since it's not in the documentation.
> I've tested the Pre-Auth locally on the internal portal and it works as expected,
> so it's the interaction between the 2 that I'm missing?
>
>
> Cory White
> Xponet
> P: 904.735.1600
> E: [email protected]
>
>
> On Fri, Feb 3, 2017 at 8:39 AM, Fabrice Durand <[email protected]> wrote:
>
>> Hello Cory,
>>
>> On 2017-02-02 at 22:39, Cory White wrote:
>>
>> Small update - exported the ZEN package into our VM environment - have
>> Out-of-Band working on a test 2960G. Get reg, redirect, then see Radius
>> configure the switch port and access - GREAT!
>> Questions:
>> 1. I noticed if the client device is on a configured port not on REG (Vl2) by
>> default, the Radius configures it back to Vl2, but it takes a release/renew on
>> the client device to get the PF VL2 IP from PF and start the auth process -
>> is this by design?
>>
>> Maybe you can try "authentication open" on the switch port config.
>> Also, do you know that you can do exactly the same thing (web auth) on the
>> wired side too!
>>
>> 2. I am having trouble with the WebAuth portion on the wireless side - I can see
>> the log in packetfence.log without ever actually getting connected to the SSID?
>>
>> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling radius autz request: from switch_ip => (10.218.0.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac => [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid => PF90 (pf::radius::authorize)
>> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
>> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
>> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>> Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web authentication redirection to reply using role: 'Pre_Auth' and URL: 'http://10.218.100.100/sid93100c' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
>>
>> Change the registration URL to this: registrationUrl=http://10.218.100.100/Cisco::WLC
>>
>>
>> The log stops and I get the 'unable to connect' dialog on my device (it never
>> actually associates to the SSID) - no logs are leading me anywhere else unless I'm
>> looking at the wrong ones. I used the WebAuth Device Config Guide to no avail
>> and am a bit stuck. My switches.conf is below as well - 10.218.0.2 is the WLC,
>> 10.218.100.100 the PF admin GUI.
>>
>> [10.218.0.2]
>> mode=production
>> SNMPCommunityRead=harley
>> SNMPCommunityWrite=harleyrw
>> defaultVlan=10
>> deauthMethod=RADIUS
>> description=WLC
>> type=Cisco::WLC_5500
>> radiusSecret=packetfence
>> SNMPVersion=2c
>> ExternalPortalEnforcement=Y
>> defaultRole=Authorized
>> registrationRole=Pre_Auth
>> registrationUrl=http://10.218.100.100/
>> controllerIp=10.218.0.2
>> UrlMap=Y
>> VlanMap=N
>> controllerPort=3799
>>
>> [10.218.100.4]
>> mode=production
>> SNMPCommunityRead=harley
>> description=100.4
>> cliAccess=Y
>> SNMPCommunityWrite=harley
>> defaultVlan=10
>> deauthMethod=RADIUS
>> type=Cisco::Catalyst_2960G
>> radiusSecret=packetfence
>> SNMPVersion=2c
>> controllerPort=3799
>> RoleMap=N
>>
>> Cory White
>> Xponet
>> P: 904.735.1600
>> E: [email protected]
>>
>>
>> On Wed, Feb 1, 2017 at 10:10 AM, Cory White <[email protected]> wrote:
>>
>>> Hello All -
>>>
>>> It's been a while since I posted for version 4 testing and inline deployment.
>>> We did deploy PF sparingly in a production environment but have yet to go
>>> 'all-in' as a permanent replacement. Roughly a couple hundred users - we're
>>> looking for multiple thousands to test now.
>>>
>>> It's been some time and I'm revisiting PF with the 6.4 release - I am having
>>> some sticking points where I see communication between our WLC and PF, can
>>> associate to the SSID and see the Pre-Auth ACL applied, but never get presented with
>>> a portal - "Unable to contact server" under iOS. Preview of default does
>>> not display and shows a 'too many redirects' error.
>>>
>>> We're testing with dual NICs, as eth0 is the management interface and eth1
>>> is the portal/VLAN specific to the SSID - is this possible, or do I need to use
>>> one trunked eth0 and add VLAN identifiers/daemon assignments accordingly?
>>>
>>> We're running a Cisco 5520 WLC on the latest 8.3 code, so there are some
>>> differences from the documentation examples, but straightforward. We 'think'
>>> WebAuth is the way we want to test/deploy, essentially letting the WLC do
>>> all the work on our backbone and leaving PF as just the portal to assign Auth
>>> ACLs. Is this possible over multiple NICs and VLANs? Or is this more of an
>>> inline thought process where management, portal and SSID/VLAN need to
>>> reside on one LAN to accomplish it?
>>>
>>> Basically, if we want to scale past one network for captive portal
>>> (multiple guest VLANs), do we need to go with O-o-B VLAN enforcement and
>>> still use the WLC/server backbone for everything else in lieu of WebAuth?
>>>
>>>
>>> Cory White
>>> Xponet
>>> P: 904.735.1600
>>> E: [email protected]
>>>
>>>
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> Regards, Fabrice
>>
>> --
>> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org)
>>
>
>
>
>
>
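As an added example (not PacketFence's own code, and not from anyone in the thread), a hypothetical Python check that parses a switches.conf like the one Cory pasted, flags Cisco::WLC stanzas whose registrationUrl lacks the /Cisco::WLC path Fabrice recommends, and extracts the redirect URL from an httpd.aaa log line so the config and the observed Access-Accept can be compared. The sample config and log lines are constructed from values quoted in the thread.

```python
# Hypothetical switches.conf checker (added example, not PacketFence code):
# flags Cisco::WLC stanzas whose registrationUrl lacks the '/Cisco::WLC' path
# Fabrice recommends, and extracts the redirect URL from an httpd.aaa log line.
import configparser
import re

SUFFIX = "/Cisco::WLC"
# Constructed sample: Cory's WLC stanza (bare URL), a corrected copy, and the
# Catalyst stanza, which is not a WLC and is skipped.
SWITCHES_CONF = """\
[10.218.0.2]
type=Cisco::WLC_5500
ExternalPortalEnforcement=Y
registrationUrl=http://10.218.100.100/
[10.218.0.3]
type=Cisco::WLC_5500
ExternalPortalEnforcement=Y
registrationUrl=http://10.218.100.100/Cisco::WLC
[10.218.100.4]
type=Cisco::Catalyst_2960G
"""
# Constructed log line modelled on the thread, before and after the URL fix.
LOG_BEFORE = ("Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding web "
              "authentication redirection to reply using role: 'Pre_Auth' and URL: "
              "'http://10.218.100.100/sid93100c' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)")
LOG_AFTER = LOG_BEFORE.replace("/sid93100c", "/Cisco::WLC/sid44a116")
REDIRECT_RE = re.compile(r"role: '(?P<role>[^']+)' and URL: '(?P<url>[^']+)'")


def check_registration_urls(conf_text):
    """Return {section: problem} for WLC stanzas whose redirect URL is wrong."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep PacketFence's CamelCase keys unchanged
    cp.read_string(conf_text)
    problems = {}
    for name in cp.sections():
        sec = cp[name]
        if not sec.get("type", "").startswith("Cisco::WLC") or \
           sec.get("ExternalPortalEnforcement", "N").upper() != "Y":
            continue  # not a WLC, or no web-auth redirect is returned for it
        url = sec.get("registrationUrl", "")
        if not url.rstrip("/").endswith(SUFFIX):
            problems[name] = f"registrationUrl must end with {SUFFIX}, got {url!r}"
    return problems


def logged_redirect(log_line):
    """Return (url, ok): the URL put in the Access-Accept and whether it has the WLC path."""
    m = REDIRECT_RE.search(log_line)
    url = m.group("url") if m else None
    return url, url is not None and SUFFIX + "/" in url
```

Running check_registration_urls over a real switches.conf reports only the stanza with the bare URL; the log line from Cory's first paste yields a URL without the WLC path, the one from his later paste yields a URL with it.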