Hey All,
I was able to get deauth working with my Unifi APs and it seems
everything is working smoothly. Here is the configuration I used for
the switch in packetfence:
[Unifi AP IP Address or subnet]
description=Unifi Access Points
group=Unifi
radiusSecret=RadiusPassword
controllerIp=Unifi Controller IP Address
useCoA=N
wsTransport=HTTPS
deauthMethod=HTTPS
wsUser=Unifi Controller Username
wsPwd=Unifi Controller Password
Hope this helps someone. I hope PacketFence releases some
documentation on Unifi APs because, with the necessary patch applied
and the Unifi controller changes to config.properties, everything
seems to be working well. Actually, in my opinion it seems to be
working better than the hostapd setup in PacketFence and is way easier
to set up.
On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel <ca...@wildwoodprograms.org> wrote:
Hello all,
I am also trying to get my Unifi APs working with packetfence. It
seems that I am very close. I am able to get the portal to show up
on the client when in the registration vlan, but after
registering, the client never deauths and disconnects from the
access point. I can disable my wireless and enable it again and
the client is assigned the correct role and put into the right
vlan, so that part seems to be working. I have applied the patch
in the following way:
in /usr/local/pf I ran "curl
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff | patch -p1"
Is this the correct patch and the correct way to apply it? If so,
why is this patch not disconnecting the client from the AP?
I have also applied the following to my APs in Unifi:
/var/lib/unifi/sites/XXXXXXXX/config.properties
config.system_cfg.1=aaa.1.auth_cache=disabled
config.system_cfg.2=aaa.2.auth_cache=disabled
config.system_cfg.3=aaa.1.dynamic_vlan=1
config.system_cfg.4=aaa.2.dynamic_vlan=1
config.system_cfg.5=aaa.1.radius.acct.1.ip=<radius accounting server IP>
config.system_cfg.6=aaa.1.radius.acct.1.port=<radius accounting server port>
config.system_cfg.7=aaa.1.radius.acct.1.secret=<radius accounting server password>
config.system_cfg.8=aaa.2.radius.acct.1.ip=<radius accounting server IP>
config.system_cfg.9=aaa.2.radius.acct.1.port=<radius accounting server port>
config.system_cfg.10=aaa.2.radius.acct.1.secret=<radius accounting server password>
What should the configuration be in packetfence when setting up
the switch? Should I use hostapd or Unifi Controller? Should I
enable COA or not?
Does anyone have a working setup of Unifi APs with an out of band
setup of packetfence at this point? If so, could you shed some
light and post your configurations?
Thanks!
On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
Yes, David, this is my plan: to test the captive portal on
wired connections to rule out the unruly Unifi APs.
Ideally I would love to make it also work with HP switches
(1820/1920 models) because these are the majority of switches
installed in our organization.
But I will try it on a Cisco switch as a beginning.
Thanks again for sharing.
There's apparently something wrong with the mailing list for
PacketFence, as there's nothing coming in, and I don't believe
it's only me who persists in making things work and asking for
advice 😉
Eugene
*From:* David Harvey [mailto:da...@thoughtmachine.net]
*Sent:* Friday, February 09, 2018 4:37 AM
*To:* E.P. <ype...@gmail.com>; fdur...@inverse.ca
*Subject:* Re: [PacketFence-users] Unifi APs and CoA
Hi Eugene,
I'm including Fabrice in case anything I have covered is
misleading or plain untrue! I don't want to give you bad advice.
I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure
most of my functionality worked fine from 3.8.x, but bear in
mind I'm running EAP-TLS and so haven't had the same open SSID
guest portal aspect (which might make my advice less relevant).
I've been fumbling through, so I'm sure Fabrice can offer
better advice, but I would start by saying:
My understanding of the additional functionality this patch
affords, is dealing with kicking the client off an AP so it
will then re-auth and hopefully get put onto the correct
VLAN. So before worrying about if the patch is working, I'd
see if you can get to a state where you can reach the portal
as a new device/user, and after registering it puts you on the
correct VLAN if you toggle WiFi off and back on (thus skipping
the kick from AP part of the process).
As far as I understand, to achieve this you need:
Ideally to have shown it works with your wired network,
something like:
Clients are placed on a registration network which hits the
portal, and that is able to register them properly as a node
in packetfence associated with a role which belongs to an
authenticated VLAN.
This is a really useful way to show that the core
functionality works.
My setup from there added EAP-TLS to the Radius config, but I
understand you're not looking to do that. The setup should be
similar though, as UniFi controller or AP will still have a
RADIUS profile - in your case it will just be doing the MAC
auth bit to decide on VLAN rather than having that layered on
top of the certificate part. From there I am guessing a bit,
as I understand there were some changes made to make the pure
MAC auth bits work which I'd have to collate from the other
posts on this topic. Specifically, my clients change VLAN on
the same SSID; they don't join a different SSID after
registration.
I hope this is of some help,
David
On Fri, Feb 9, 2018 at 8:23 AM, E.P. <ype...@gmail.com> wrote:
Hi David,
Sorry to bother you again, I'm a bit desperate here.
I thought that it would be a breeze to implement guest WiFi
with a captive portal, but I'm still nowhere.
Can you please tell me what Unifi AP you are using? Is it
a show stopper for me if I use older APs with firmware
3.8.15?
I installed that required patch on PF as per Fabrice.
Anything else I'm missing?
Eugene
*From:* David Harvey [mailto:da...@thoughtmachine.net]
*Sent:* Friday, February 02, 2018 7:10 AM
*To:* Eugene Pefti <ype...@gmail.com>
*Subject:* Re: [PacketFence-users] Unifi APs and CoA
Hi Eugene,
No problem at all, although I'm not sure how much detail I
can add. Tim and Fabrice seem to have the best grasp of
this with the most comprehensive guidance in the thread
"[PacketFence-users] Ubiquiti UniFi AP Captive Portal".
The draft docs were also quite handy:
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1
Now my setup....
I've been running EAP-TLS for some time now for wired and
wifi, so not using the MAC based authentication. I
already had a functional packetfence setup which does MAC
based and EAP based auth for wired (partially inherited
setup), but ignore the MAB/MAC part as I don't use it in
the wifi setup.
From here it wasn't too bad to add the Access points to
packetfence as switches - initially as hostapd devices
(before the Unifi module existed) and using the common
RADIUS config the ciscos are using. I also had to create
the profile on the unifi controller side with the RADIUS
login details for auth and accounting.
Doing it this way has been less complicated as I don't
need an open SSID - clients have certs so get onto my
registration VLAN where they can hit the portal and login
to find their eventual VLANs.
I can try and pull more detail together when I have time,
but I think the Tim guide covers it well, although my
setup is subtly different without the open SSID / MAC
based auth aspects :)
It's only now that I've tried fighting the bugbear of mine
which was portal authentication registering properly in
packetfence, but wireless clients having to be toggled off
and on to re-auth and find their correct VLANS.
I hope this makes some sense, I feel like the whole
capability and support is coming together rapidly now on
the PF and unifi side.
Cheers,
David
On Thu, Feb 1, 2018 at 7:43 PM, Eugene Pefti <ype...@gmail.com> wrote:
Hi David,
Forgive me for bothering you.
I'm actively monitoring this thread while deploying PF
with Unifi.
Yes, Unifi AP and controller have a lot of challenges,
and I'm trying to understand them all while marrying
them to PF.
Can you please describe in brief the experience you
described in this post?
We would like to implement something very similar.
Cheers,
Eugene
*From:* "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
*Reply-To:* "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
*Date:* Thursday, February 1, 2018 at 8:17 AM
*To:* Timothy Mullican <tjmullic...@yahoo.com>, Fabrice Durand <fdur...@inverse.ca>
*Cc:* David Harvey <da...@thoughtmachine.net>, "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
*Subject:* Re: [PacketFence-users] Unifi APs and CoA
Many thanks for the tips. With your guidance I've been
following the "Packetfence RADIUS and Unifi Out of
Band" and am 90% of the way there.
For anyone curious, please check in on that thread, as
it's got more of the case history and steps outlined.
Best,
David
On Thu, Feb 1, 2018 at 1:39 AM, Timothy Mullican <tjmullic...@yahoo.com> wrote:
David,
Your understanding is correct. Currently the UniFi
only supports deauthenticating a client using the
controller API and not using CoA. It is possible
to enable RADIUS CoA for a single SSID and
frequency, but this may not be useful for you.
This is because the UniFi runs a separate hostapd
instance for all of the different SSIDs and
frequencies. See:
https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1860205/highlight/true#M216003
Sent from mobile phone
On Jan 31, 2018, at 17:46, Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
Hello David,
the unifi AP is not yet correctly supported,
there is some code about that but you have to
do some custom config on the Unifi controller.
Have a look at the mailing list archive about
unifi.
Regards
Fabrice
Le 2018-01-31 à 13:02, David Harvey via
PacketFence-users a écrit :
I should also note: I've just changed our
APs from switch type hostapd to
Ubiquiti::Unifi, added the controller IP
(a docker image in my case), and also
attempted to add the webservices fields as
detailed in the documentation:
wsTransport=HTTPS
wsUser=admin
wsPwd=admin
On Wed, Jan 31, 2018 at 6:00 PM, David Harvey <da...@thoughtmachine.net> wrote:
Hi packetfence users,
I just wanted to confirm a feature (or
my understanding of it).
I'm using unifi access points with
great success for portal login paired
with EAP-TLS.
Unregistered clients with certs land
on the registration VLAN, and then
have their proper vlans assigned by
the portal login.
After the portal login has been
performed the client needs the wifi
toggling off and on at present to
reauth and get put onto the correct
VLAN. Subsequent reconnects work fine...
If I've read the archives correctly,
the wifi down/up is required because
CoA is not supported by unifi, nor
does the controller allow RADIUS
disconnect events to force a client to
reauth.
Have I understood correctly, and is
there any other magic I could try in
order to smooth the portal sign in
experience?
Thanks in advance,
David
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY 12303
518-836-2341
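The thread's conclusion is that a UniFi client cannot be kicked with RADIUS CoA or Disconnect; PacketFence has to log in to the UniFi controller and ask it to drop the station, using the controllerIp/wsUser/wsPwd fields of the switch stanza Chris posted. The script below is an added example written for this thread, not PacketFence's own Ubiquiti::Unifi module. It parses a stanza shaped like Chris's, rejects the combinations the thread identifies as not working (useCoA=Y, missing controller credentials) or as unsafe (a clear-text wsTransport), and then performs the login followed by kick-sta. Everything not on the page is an assumption: the classic controller's undocumented JSON endpoints (/api/login and /api/s/<site>/cmd/stamgr), port 8443, the site name "default", and the addresses and credentials in the constructed stanza.

```python
"""Kick a wireless client through the UniFi controller API, driven by a
PacketFence-style switches.conf stanza (added example, not PacketFence code)."""
import configparser
import json
import re
import ssl
from http.cookiejar import CookieJar
from urllib import request

# Constructed stanza, shaped like the one posted in the thread; placeholder values.
SAMPLE_SWITCHES_CONF = """
[192.0.2.0/24]
description=Unifi Access Points
group=Unifi
radiusSecret=RadiusPassword
controllerIp=192.0.2.10
useCoA=N
wsTransport=HTTPS
deauthMethod=HTTPS
wsUser=pf-api
wsPwd=controller-password
"""

CONTROLLER_PORT = 8443  # assumed default port of a classic UniFi controller


def load_unifi_switch(text: str, section: str) -> dict:
    """Parse one stanza and reject settings that cannot deauth a UniFi client.

    UniFi APs are kicked through the controller API, not RADIUS CoA, so
    useCoA=Y or a missing controller credential is failed early; wsTransport
    must be HTTPS or wsPwd would cross the network in clear text.
    """
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(text)
    sw = dict(cp[section])  # configparser lower-cases option names
    missing = [k for k in ("controllerip", "wsuser", "wspwd", "wstransport") if not sw.get(k)]
    if missing:
        raise ValueError(f"{section}: missing {', '.join(missing)}")
    if sw.get("usecoa", "N").upper() == "Y":
        raise ValueError(f"{section}: useCoA=Y, but UniFi is deauthed via the controller, not CoA")
    if sw["wstransport"].upper() != "HTTPS":
        raise ValueError(f"{section}: wsTransport must be HTTPS or wsPwd is sent in clear text")
    sw["base_url"] = f"https://{sw['controllerip']}:{CONTROLLER_PORT}"
    return sw


def normalize_mac(mac: str) -> str:
    """Return aa:bb:cc:dd:ee:ff or raise ValueError (colon, dash, dotted or bare input).

    The MAC normally arrives from RADIUS Calling-Station-Id, so validate it
    before placing it in a controller request.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def login_request(sw: dict):
    return f"{sw['base_url']}/api/login", {"username": sw["wsuser"], "password": sw["wspwd"]}


def kick_request(sw: dict, mac: str, site: str = "default"):
    return f"{sw['base_url']}/api/s/{site}/cmd/stamgr", {"cmd": "kick-sta", "mac": normalize_mac(mac)}


def urllib_transport(ca_file=None):
    """Return post(url, body) -> dict sharing one cookie jar for the login cookie.

    Controllers usually present a self-signed certificate: pass it as ca_file
    instead of disabling verification, which would hand wsPwd to anyone on path.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    opener = request.build_opener(request.HTTPSHandler(context=ctx),
                                  request.HTTPCookieProcessor(CookieJar()))

    def post(url, body):
        req = request.Request(url, data=json.dumps(body).encode(),
                              headers={"Content-Type": "application/json"}, method="POST")
        with opener.open(req, timeout=10) as resp:
            return json.load(resp)

    return post


def deauth_client(sw: dict, mac: str, post, site: str = "default") -> bool:
    """Log in, then kick the station; True only if both replies carry meta.rc == "ok"."""
    for url, body in (login_request(sw), kick_request(sw, mac, site)):
        if post(url, body).get("meta", {}).get("rc") != "ok":
            return False
    return True


if __name__ == "__main__":
    import sys  # usage: python unifi_kick.py <client-mac> [controller-ca.pem]
    switch = load_unifi_switch(SAMPLE_SWITCHES_CONF, "192.0.2.0/24")
    transport = urllib_transport(ca_file=sys.argv[2] if len(sys.argv) > 2 else None)
    print("kicked" if deauth_client(switch, sys.argv[1], transport) else "controller refused")
```

The transport is injected so the request construction and the stanza checks can be exercised without a controller; in production the same `post` callable carries the controller's session cookie from the login reply into the kick-sta call.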