Hi Tim and gang,

Any idea where I should start looking into PF to troubleshoot WebAuth for WiFi?

I finally had time to prepare UniFi according to the screenshots published on GitHub:

https://github.com/inverse-inc/packetfence/tree/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images

Namely this is what I did in Unifi:

1) New SSID (wireless network) is created and set as "Open" and checked 
for Guest policy "Apply guest policies" and set VLAN ID to be assigned.

2) Created Guest policy and set authentication to point it to "External 
portal server" and put the IP address of PF into Custom portal field, checked 
"Use Secure Portal", added the IP address of PF into "Pre-Authorization access" 
field.

Now, on PF, just for the sake of testing guest self-registration, which should be 
enabled by default, I'm not supposed to do anything other than creating a 
connection profile, correct?

So, I created a "guests" connection profile. Anything specific to set within this 
profile? I checked "Active preregistration" in the profile settings but my 
pf.conf file (/usr/local/pf/conf/pf.conf) doesn't have this (as it says in the PF 
admin guide):

[guests_self_registration]
preregistration=enabled

Ideally we would like to enable PF to send SMS/text messages to users with their 
passwords.

So, with all of the above set, my connection attempts to the said SSID result in no 
redirection to the captive portal. What am I missing, what am I setting in 
"Captive portal" in the connection profile, and how would PF start processing 
the connection being forwarded by the UniFi controller?

Eugene

From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
Sent: Friday, February 02, 2018 8:06 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net; frederic.herm...@neptune.fr; 
holger.patz...@t-systems.com
Subject: Re: AW: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

Eugene:

You should use the IP address of your AP instead of the MAC address. The 
pictures are available at:

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png

My thread probably has more in-depth images though.

—

Holger:

You are correct that MAC auth is vulnerable to attack. I believe PacketFence 
can detect a host name change as one mitigation and trigger a violation. 
Another mitigation is to put your network behind 802.1x or WPA2. I have to auth 
people against G Suite, so I can't currently use 802.1x (OAuth). For the guest 
network, spoofing isn't as much of an issue since it's separated from my 
corporate LAN. I would start a separate thread for this though.

Sent from mobile phone


On Feb 2, 2018, at 03:15, <holger.patz...@t-systems.com> 
<holger.patz...@t-systems.com> wrote:

Hello Tim,

hi all,

We use Juniper EX3200 switches here and I would like to discuss a security 
issue in your example conf for Juniper in the documentation referenced by your 
posting below:

Your doc suggests the option "mac radius" be activated. I would rather NOT 
suggest that, because:

MAC authentication is subject to spoofing attacks, which is exactly what one wants to 
get rid of by using 802.1x.

It is exactly the wrong way to activate the mac radius option, because in this case 
a Juniper switch would use simple mac radius as a fallback if 802.1x 
fails, which is exactly what you would NOT want to have if you want to be sure 
NOT to be vulnerable to MAC spoofing attacks.

So is there a reason you suggest that option that I didn't get?

Bye,

Holger

PS:

An additional personal hint: using interface ranges in the "protocols / dot1x / 
interface" config did not work with our switches; we had to explicitly name the 
interfaces there.

From: Timothy Mullican via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, 1 February 2018 18:11
To: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican <tjmullic...@yahoo.com>; Frederic Hermann 
<frederic.herm...@neptune.fr>
Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

By the way,

Fabrice Durand already added code to do this in pull request #2735 on GitHub. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch

You can apply that patch to get it working. Also see 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
for the updated documentation. You can read through my earlier thread to see 
the steps I took to get it working.

Tim

Sent from mobile phone


On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
