Hi everyone.
I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
for authenticating users over wireless and then changing the VLAN.
However I cannot find any documentation anywhere on whether this is possible,
not even in the PacketFence documentation,
especially PacketFence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
able to make it work?
I have certain issues when using Out of Band with Unifi and PacketFence 7.1.
The big problem is that the de-auth is not working, and clients are afterwards
caching attributes when connecting again (RADIUS VLAN assignment).
I have checked through the AP log just to see what happens from the
PacketFence server when a client is authenticating.
Everything regarding VLAN and trunks has been set up correctly. Regarding
Packetfence it seems that I almost got it working.
However Packetfence wants to use RADIUS De-authentication to change from the
Registration VLAN (VLAN 5) to the Production VLAN (VLAN 5) when a user has
registered an allowed device after logging into the WPA-Enterprise SSID on the
Captive Portal.
The first time it is assigned VLAN 5 as expected according to AP log:
"IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
ieee80211_ioctl_setparam: VLANID32 = 5"
It seems not to be working. The client is disconnected, but when reconnecting
again it does not go into the correct VLAN.
Does Unifi support RADIUS CoA to deauth wireless clients correctly? I tried
also to wait 30 minutes to see if the wireless client (cell phone) is
reauthenticating by itself to pick up the new VLAN, however it does not seem to
be the case. From the PF logs it is sending the De-auth to the Unifi
Controller, and it sends the
"ieee80211_ioctl_kickmac" to the AP to kick the client, which is happening, but
it does not look like a RADIUS deauthentication message.
By looking into the aaa1.cfg on the Unifi AC AP itself it seems that clients are
never reauthenticating at all by themselves because it is disabled:
"eap_reauth_period=0"
When connecting the wireless again to the WPA-Enterprise SSID I notice in the
log of the AP that it is connecting using the PMKSA cache and using the same
registration VLAN (VLAN 5), which means it is not picking up the new VLAN at
all.
"IEEE 802.1X: authenticated - EAP type: 25 (PEAP) (PMKSA cache)
ieee80211_ioctl_setparam: VLANID32 = 5"
So to have the above working I need to delete the credentials for the SSID on the
wireless client (cell phone) and manually connect to the SSID again,
authenticating with the RADIUS user again to pick up the new VLAN (VLAN 10),
because now it is no longer cached.
"IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
ieee80211_ioctl_setparam: VLANID32 = 10"
Perhaps anyone could share any insights? I am not that RADIUS savvy and there
seem to be some caching issues either at the AP end or Packetfence/FreeRADIUS.
Best Regards
Mike
Best Regards
Michael
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
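The "De-auth" that PacketFence sends to the controller is, on the wire, an RFC 5176 Disconnect-Request (RADIUS code 40) addressed to the NAS, distinct from the AP-internal "ieee80211_ioctl_kickmac" seen in the log. The following is an added example, not code from the thread, from PacketFence or from Ubiquiti: it builds such a request with the Request Authenticator and Message-Authenticator computed as RFC 5176 specifies, checks an incoming one, and validates the Disconnect-ACK/NAK that a NAS returns. The shared secret, NAS address, user name and client MAC are constructed values, not from any real deployment, and the session-identifying attributes chosen (User-Name, NAS-IP-Address, Calling-Station-Id) are one common selection, not the only valid one.

```python
"""RFC 5176 Disconnect-Request builder and checker (standard library only).

Assumed/constructed values: the shared secret, NAS IP, user name and MAC
below are examples for this demonstration, not from any real network.
"""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types from RFC 2865 / RFC 2869
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80

# RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), network order
HEADER = struct.Struct("!BBH16s")


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length covers the 2 header octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(blob):
    """Walk a TLV sequence and return a list of (type, value); reject malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out


def build_disconnect_request(secret, identifier, session_attrs):
    """Build a Disconnect-Request identifying one session.

    RFC 5176 s.2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret).
    RFC 5176 s.3.2: Message-Authenticator = HMAC-MD5(secret, packet) with both the
    Request Authenticator field and the attribute value treated as 16 zero octets.
    """
    attrs = b"".join(encode_attr(t, v) for t, v in session_attrs)
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, last attribute
    length = HEADER.size + len(attrs)
    zero_hdr = HEADER.pack(DISCONNECT_REQUEST, identifier, length, bytes(16))
    msg_auth = hmac.new(secret, zero_hdr + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth  # fill in the placeholder
    req_auth = hashlib.md5(zero_hdr + attrs + secret).digest()
    return HEADER.pack(DISCONNECT_REQUEST, identifier, length, req_auth) + attrs


def verify_disconnect_request(secret, packet):
    """Check a received Disconnect-Request the way a NAS should before acting on it.

    Design choice of this checker: a Message-Authenticator is required, although
    RFC 5176 lists it as optional on Disconnect-Request.
    """
    code, identifier, length, req_auth = HEADER.unpack_from(packet)
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    attrs = packet[HEADER.size:]
    zero_hdr = HEADER.pack(code, identifier, length, bytes(16))
    if not hmac.compare_digest(hashlib.md5(zero_hdr + attrs + secret).digest(), req_auth):
        return False  # wrong secret or altered attributes
    pos = 0
    for t, v in decode_attrs(attrs):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed_attrs = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected = hmac.new(secret, zero_hdr + zeroed_attrs, hashlib.md5).digest()
            return hmac.compare_digest(expected, v)
        pos += 2 + len(v)
    return False


def build_response(secret, code, request_packet, attrs=b""):
    """Disconnect-ACK/NAK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, identifier, _, req_auth = HEADER.unpack_from(request_packet)
    length = HEADER.size + len(attrs)
    resp_auth = hashlib.md5(HEADER.pack(code, identifier, length, req_auth) + attrs + secret).digest()
    return HEADER.pack(code, identifier, length, resp_auth) + attrs


def verify_response(secret, request_packet, response_packet):
    """Return the response code if it is an authentic answer to our request, else None."""
    _, req_id, _, req_auth = HEADER.unpack_from(request_packet)
    code, identifier, length, resp_auth = HEADER.unpack_from(response_packet)
    if identifier != req_id or length != len(response_packet):
        return None
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    attrs = response_packet[HEADER.size:]
    expected = hashlib.md5(HEADER.pack(code, identifier, length, req_auth) + attrs + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None


def example_request(secret=b"constructed-secret", identifier=7):
    """The request a NAC server would send for one wireless client (constructed values)."""
    session = [
        (ATTR_USER_NAME, b"mike"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),       # TEST-NET-1 address
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),      # client MAC, constructed
    ]
    return build_disconnect_request(secret, identifier, session)


if __name__ == "__main__":
    pkt = example_request()
    print("Disconnect-Request:", pkt.hex())
    print("ACK verified:", verify_response(b"constructed-secret", pkt,
                                            build_response(b"constructed-secret", DISCONNECT_ACK, pkt)))
```

A Disconnect-NAK carries an Error-Cause attribute explaining why the NAS refused, so when debugging a setup like the one above the first thing to establish is whether the controller answers with code 41, code 42, or nothing at all on UDP 3799; a kick on the AP without a RADIUS-level acknowledgement is the symptom the original post describes.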