Hey, just FYI: running both the Guest and RADIUS-Assigned VLANs on the
same AP (separate SSIDs, of course) does NOT work on Unifi's 3.8.15
firmware. It works with firmware version 3.8.3, broke at 3.8.6, and is
working again at least as of 3.9.19.
So if you need that firmware version, it won't work on the same AP. If you
disable the Guest portal, the RADIUS-Assigned VLAN can function properly, but
if you enable the Guest portal on the one SSID, it somehow breaks the
RADIUS-Assigned functionality on the other SSID.
Joshua Nathan
*IT Technician*
Black Forest Academy
p: +49 (0) 7626 9161 630 m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de
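When a firmware version "breaks" RADIUS-assigned VLANs, the first thing to settle is whether the RADIUS server is still returning a valid VLAN assignment and the AP is ignoring it, or whether the reply itself changed. The script below is an added illustration for the problem described in the post above; it is not code from the post, from PacketFence or from Ubiquiti. It assumes the AP honours the standard RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan id>), which is how RADIUS-assigned VLANs are normally conveyed, and it also verifies the RFC 2865 Response Authenticator so that a reply from something other than the real RADIUS server is not trusted. All packets, the request authenticator and the shared secret in it are constructed sample values.

```python
"""Inspect what a RADIUS Access-Accept tells the AP to do with a client.

Added illustration; not PacketFence's or Ubiquiti's code.  Assumes the AP
honours the RFC 2868 tunnel attributes for VLAN assignment.  To use it on a
real exchange, capture UDP/1812, take the Access-Accept bytes, the matching
Access-Request's 16-byte authenticator and the shared secret.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
VLAN_TRIPLE = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def parse_avps(payload):
    """Yield (type, value) for each attribute, rejecting malformed lengths."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def strip_tag(value):
    """RFC 2868: a leading byte in 0x00..0x1F is a tag; anything larger is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(packet):
    """VLAN id from an Access-Accept, or None if no complete VLAN triple is
    present.  All three attributes must carry the same tag, so a stray
    Tunnel-Private-Group-ID from another tag group is not trusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    groups = {}
    for atype, value in parse_avps(packet[20:]):
        if atype not in VLAN_TRIPLE:
            continue
        tag, data = strip_tag(value)
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            groups.setdefault(tag, {})[atype] = data.decode("ascii", "replace")
        else:
            # integer attributes are 3 octets after the tag byte (4 if untagged)
            groups.setdefault(tag, {})[atype] = int.from_bytes(data, "big")
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return None


def response_authenticator_ok(packet, request_authenticator, secret):
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).  A reply that
    fails this check was not produced with the shared secret the AP expects."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_access_accept(ident, request_authenticator, secret, vlan, tag=0):
    """Construct a sample Access-Accept carrying the VLAN triple (test data only)."""
    def avp(atype, value):
        return bytes([atype, len(value) + 2]) + value
    attrs = (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


if __name__ == "__main__":
    # Constructed sample values: a fixed request authenticator and a dummy secret.
    req_auth = bytes(range(16))
    secret = b"example-shared-secret"
    reply = build_access_accept(7, req_auth, secret, vlan=100)
    print("authenticator valid:", response_authenticator_ok(reply, req_auth, secret))
    print("VLAN assigned by server:", assigned_vlan(reply))
```

If `assigned_vlan` returns the VLAN you expect for the registered client and the authenticator checks out, the server side is doing its job and the remaining suspect is how the AP firmware applies the attribute; if it returns None, look at the PacketFence role-to-VLAN mapping before touching the AP.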
On Sat, Feb 10, 2018 at 7:33 AM, E.P. via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:
> Yes, David, this is my plan to test the captive portal on wired
> connections to rule out the unruly Unifi APs.
>
> Ideally I would love to make it also work with HP 1820/1920 model switches,
> because this is the majority of switches installed in our organization.
>
> But I will try it on a Cisco switch as a beginning.
>
> Thanks again for your sharing.
>
> There’s apparently something wrong with the mailing list for PacketFence, as
> there’s nothing coming in, and I don’t believe it’s only me who persists in
> making things work and asking for advice 😉
>
>
>
> Eugene
>
>
>
> *From:* David Harvey [mailto:da...@thoughtmachine.net]
> *Sent:* Friday, February 09, 2018 4:37 AM
> *To:* E.P. <ype...@gmail.com>; fdur...@inverse.ca
> *Subject:* Re: [PacketFence-users] Unifi APs and CoA
>
>
>
> Hi Eugene,
>
>
>
> I'm including Fabrice in case anything I have covered is misleading or
> plain untrue! I don't want to give you bad advice.
>
>
>
> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
> and so haven't had the same open SSID guest portal aspect (which might make
> my advice less relevant).
>
> I've been fumbling through, so I'm sure Fabrice can offer better advice,
> but I would start by saying:
>
>
>
> My understanding of the additional functionality this patch affords is
> dealing with kicking the client off an AP so it will then re-auth and
> hopefully get put onto the correct VLAN. So before worrying about whether the
> patch is working, I'd see if you can get to a state where you can reach the
> portal as a new device/user, and after registering it puts you on the
> correct VLAN if you toggle WiFi off and back on (thus skipping the kick
> from the AP part of the process).
>
>
>
> As far as I understand, to achieve this you need:
>
>
>
> Ideally to have shown it works with your wired network, something like:
>
> Clients are placed on a registration network which hits the portal, and
> that is able to register them properly as a node in packetfence associated
> with a role which belongs to an authenticated VLAN.
>
> This is a really useful way to show that the core functionality works.
>
>
>
> My setup from there added EAP-TLS to the RADIUS config, but I understand
> you're not looking to do that. The setup should be similar though, as the
> UniFi controller or AP will still have a RADIUS profile; in your case it
> will just be doing the MAC auth bit to decide on the VLAN rather than having
> that layered on top of the certificate part. From there I am guessing a
> bit, as I understand there were some changes made to make the pure MAC auth
> bits work which I'd have to collate from the other posts on this topic.
> Specifically, my clients change VLAN on the same SSID; they don't join a
> different SSID after registration.
>
>
>
> I hope this is of some help,
>
>
>
> David
>
>
>
>
>
> On Fri, Feb 9, 2018 at 8:23 AM, E.P. <ype...@gmail.com> wrote:
>
> Hi David,
>
> Sorry to bother you again, I’m a bit desperate here.
>
> I thought that it would be a breeze to implement guest WiFi with a captive
> portal, but I’m still nowhere.
>
> Can you please tell me what Unifi AP you are using? Is it a show stopper
> for me if I use older APs with firmware 3.8.15?
>
> I installed that required patch on PF as per Fabrice. Anything else I’m
> missing?
>
>
>
> Eugene
>
>
>
> *From:* David Harvey [mailto:da...@thoughtmachine.net]
> *Sent:* Friday, February 02, 2018 7:10 AM
> *To:* Eugene Pefti <ype...@gmail.com>
>
>
> *Subject:* Re: [PacketFence-users] Unifi APs and CoA
>
>
>
> Hi Eugene,
>
>
>
> No problem at all, although I'm not sure how much detail I can add. Tim
> and Fabrice seem to have the best grasp of this, with the most comprehensive
> guidance in the thread "[PacketFence-users] Ubiquiti UniFi AP Captive
> Portal".
>
> The draft docs were also quite handy:
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1
>
>
>
> Now my setup....
>
> I've been running EAP-TLS for some time now for wired and wifi, so not
> using the MAC based authentication. I already had a functional packetfence
> setup which does MAC based and EAP based auth for wired (partially
> inherited setup), but ignore the MAB/MAC part as I don't use it in the wifi
> setup.
>
>
>
> From here it wasn't too bad to add the access points to PacketFence as
> switches, initially as hostapd devices (before the UniFi module existed)
> and using the common RADIUS config the Ciscos are using. I also had to
> create the profile on the UniFi controller side with the RADIUS login
> details for auth and accounting.
>
> Doing it this way has been less complicated, as I don't need an open SSID:
> clients have certs, so they get onto my registration VLAN where they can hit
> the portal and log in to find their eventual VLANs.
>
> I can try and pull more detail together when I have time, but I think
> Tim's guide covers it well, although my setup is subtly different without the
> open SSID / MAC based auth aspects :)
>
>
>
> It's only now that I've tried fighting the bugbear of mine, which was
> portal authentication registering properly in PacketFence but wireless
> clients having to be toggled off and on to re-auth and find their correct
> VLANs.
>
> I hope this makes some sense, I feel like the whole capability and support
> is coming together rapidly now on the PF and unifi side.
>
>
>
> Cheers,
>
>
>
> David
>
>
>
> On Thu, Feb 1, 2018 at 7:43 PM, Eugene Pefti <ype...@gmail.com> wrote:
>
> Hi David,
>
> Forgive me for bothering you.
>
> I’m actively monitoring this thread while deploying PF with UniFi.
>
> Yes, the Unifi AP and controller have a lot of challenges, and I’m trying to
> understand them all while marrying them to PF.
>
> Can you please briefly describe the experience you described in this post?
>
> We would like to implement something very similar.
>
>
>
> Cheers,
>
> Eugene
>
>
>
> *From: *"packetfence-users@lists.sourceforge.net" <
> packetfence-users@lists.sourceforge.net>
> *Reply-To: *"packetfence-users@lists.sourceforge.net" <
> packetfence-users@lists.sourceforge.net>
> *Date: *Thursday, February 1, 2018 at 8:17 AM
> *To: *Timothy Mullican <tjmullic...@yahoo.com>, Fabrice Durand <
> fdur...@inverse.ca>
> *Cc: *David Harvey <da...@thoughtmachine.net>, "packetfence-users@lists.
> sourceforge.net" <packetfence-users@lists.sourceforge.net>
> *Subject: *Re: [PacketFence-users] Unifi APs and CoA
>
>
>
> Many thanks for the tips. With your guidance I've been following the
> "Packetfence RADIUS and Unifi Out of Band" and am 90% of the way there.
>
> For anyone curious, please check in on that thread, as it's got more of
> the case history and steps outlined.
>
>
>
> Best,
>
>
>
> David
>
>
>
> On Thu, Feb 1, 2018 at 1:39 AM, Timothy Mullican <tjmullic...@yahoo.com>
> wrote:
>
> David,
>
> Your understanding is correct. Currently the UniFi only supports
> deauthenticating a client using the controller API and not using CoA. It is
> possible to enable RADIUS CoA for a single SSID and frequency, but this may
> not be useful for you. This is because the UniFi runs a separate hostapd
> instance for all of the different SSIDs and frequencies. See:
> https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1860205/highlight/true#M216003
>
>
>
> Sent from mobile phone
>
>
> On Jan 31, 2018, at 17:46, Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello David,
>
> The UniFi AP is not yet correctly supported; there is some code about that,
> but you have to do some custom config on the UniFi controller.
>
> Have a look at the mailing list archive about unifi.
>
> Regards
> Fabrice
>
> On 2018-01-31 at 13:02, David Harvey via PacketFence-users wrote:
>
> I should also note: I've just changed our APs from switch type hostapd to
> Ubiquiti::Unifi, added the controller IP (a docker image in my case), and
> also attempted to add the webservices fields as detailed in the
> documentation:
>
> wsTransport=HTTPS
> wsUser=admin
> wsPwd=admin
>
>
>
> On Wed, Jan 31, 2018 at 6:00 PM, David Harvey <da...@thoughtmachine.net>
> wrote:
>
> Hi packetfence users,
>
>
>
> I just wanted to confirm a feature (or my understanding of it).
>
>
>
> I'm using unifi access points with great success for portal login paired
> with EAP-TLS.
>
>
>
> Unregistered clients with certs land on the registration VLAN, and then
> have their proper VLANs assigned by the portal login.
>
> After the portal login has been performed, the client needs the wifi
> toggling off and on at present to reauth and get put onto the correct VLAN.
> Subsequent reconnects work fine...
>
>
>
> If I've read the archives correctly, the wifi down/up is required because
> CoA is not supported by unifi, nor does the controller allow RADIUS
> disconnect events to force a client to reauth.
>
> Have I understood correctly, and is there any other magic I could try in
> order to smooth the portal sign in experience?
>
>
>
> Thanks in advance,
>
>
>
> David
>
>
>
>
>
> ------------------------------------------------------------------------------
>
> Check out the vibrant tech community on one of the world's most
>
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
>
> PacketFence-users mailing list
>
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users