Re: [PacketFence-users] Unifi APs and CoA

Eugene Pefti via PacketFence-users Mon, 19 Feb 2018 15:57:27 -0800

Good job, Chris and thanks for sharing your progress.
I dare asking my stupid question again ;)
Why users which associated to guest WiFi (Open with a redirect to PF captive
portal) can’t reach PF via HTTP ?
They receive IP address from the local DHCP server and then can ping PF but
there’s no way to go through self-registration


Eugene

From:  "packetfence-users@lists.sourceforge.net"
<packetfence-users@lists.sourceforge.net>
Reply-To:  "packetfence-users@lists.sourceforge.net"
<packetfence-users@lists.sourceforge.net>
Date:  Thursday, February 15, 2018 at 8:00 AM
To:  "packetfence-users@lists.sourceforge.net"
<packetfence-users@lists.sourceforge.net>
Cc:  Chris Abel <ca...@wildwoodprograms.org>
Subject:  Re: [PacketFence-users] Unifi APs and CoA

Hey All,

I was able to get deauth working with my Unifi APs and it seems everything
is working smoothly. Here is the configuration I used for the switch in
packetfence:

[Unifi AP IP Address or subnet]

description=Unifi Access Points

group=Unifi

radiusSecret=RaidusPassword

controllerIp=Unifi Controller IP Address

useCoA=N

wsTransport=HTTPS

deauthMethod=HTTPS

wsUser=Unifi Controller Username

wsPwd=Unifi Controller Password



Hope this helps someone. I hope Packetfence releases some documentation on
Unifi AP's because with the necessary applied patch and the unifi controller
changes to config.properties, everything seems to be working well. Actually
in my opinion, it seems to be working better than the hostapd setup in
packetfence and is way easier to setup.


On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel <ca...@wildwoodprograms.org>
wrote:
> Hello all,
> 
> I am also trying to get my Unifi APs working with packetfence. It seems that I
> am very close. I am able to get the portal to show up on the client when in
> the registration vlan, but after registering, the client never deauth's and
> disconnects from the access point. I can disable my wireless and enable it
> again and the client is assigned the correct role and put into the right vlan,
> so that part seems to be working. I have applied the patch in the following
> way:
> 
> in /usr/local/pf I ran "curl
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735
> .diff | patch -p1"
> 
> Is this the correct patch and the correct way to apply it? If so, why is this
> patch not disconnecting the client from the AP?
> 
> I have also applied the following to my AP's in Unifi:
> 
> /var/lib/unifi/sites/XXXXXXXX/config.properties
> config.system_cfg.1=aaa.1.auth_cache=disabled
> config.system_cfg.2=aaa.2.auth_cache=disabled
> config.system_cfg.3=aaa.1.dynamic_vlan=1
> config.system_cfg.4=aaa.2.dynamic_vlan=1
> config.system_cfg.5=aaa.1.radius.acct.1.ip=<radius accounting server IP>
> config.system_cfg.6=aaa.1.radius.acct.1.port=<radius accounting server port>
> config.system_cfg.7=aaa.1.radius.acct.1.secret=<radius accounting server
> password>
> config.system_cfg.8=aaa.2.radius.acct.1.ip=<radius accounting server IP>
> config.system_cfg.9=aaa.2.radius.acct.1.port=<radius accounting server port>
> config.system_cfg.10=aaa.2.radius.acct.1.secret=<radius accounting server
> password>
> 
> 
> What should the configuration be in packetfence when setting up the switch?
> Should I use hostapd or Unifi Controller? Should I enable COA or not?
> 
> 
> Does anyone have a working setup of Unifi APs with an out of band setup of
> packetfence at this point? If so, could you shed some light and post your
> configurations?
> 
> Thanks!
> 
> On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>> Yes, David, this is my plan to test the captive portal on wired connections
>> to rule out the unruly Unifi APs
>> Ideally I would love to make it also work with HP switches 1820/1920 model
>> because this is the majority of switches installed in our organization.
>> But will try it on Cisco switch as a beginning
>> Thanks again, for your sharing.
>> There’s apparently something wrong with mailing list for packetfence as
>> there’s nothing coming in and I don’t believe it’s only me who persists in
>> making things work and asking for advices 😉
>>  
>> Eugene
>>  
>> From: David Harvey [mailto:da...@thoughtmachine.net]
>> Sent: Friday, February 09, 2018 4:37 AM
>> To: E.P. <ype...@gmail.com>; fdur...@inverse.ca
>> Subject: Re: [PacketFence-users] Unifi APs and CoA
>>  
>> 
>> Hi Eugene,
>> 
>>  
>> 
>> I'm including Fabrice in case anything I have covered is misleading or plain
>> untrue! I don't want to give you bad advice..
>> 
>>  
>> 
>> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
>> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
>> and so haven't had the same open SSID guest portal aspect (which might make
>> my advice less relevant).
>> 
>> I've been fumbling through, so I'm sure Fabrice can offer better advice but I
>> would start by saying..
>> 
>>  
>> 
>> My understanding of the additional functionality this patch affords, is
>> dealing with kicking the client off an AP so it will then re-auth and
>> hopefully get put onto the correct VLAN.  So before worrying about if the
>> patch is working, I'd see if you can get to a state where you can reach the
>> portal as a new device/user, and after registering it puts you on the correct
>> VLAN if you toggle WiFi off and back on (thus skipping the kick from AP part
>> of the process).
>> 
>>  
>> 
>> As far as I understand, to achieve this you need:
>> 
>>  
>> 
>> Ideally to have shown it works with your wired network, something like:
>> 
>> Clients are placed on a registration network which hits the portal, and that
>> is able to register them properly as a node in packetfence associated with a
>> role which belongs to an authenticated VLAN.
>> 
>> This is a really useful way to show that the core functionality works.
>> 
>>  
>> 
>> My setup from there added EAP-TLS to the Radius config, but I understand
>> you're not looking to do that.. The setup should be similar though, as UniFi
>> controller or AP will still have a RADIUS profile - in your case it will just
>> be doing the MAC auth bit to decide on VLAN rather than having that layered
>> on top of the certificate part. From there I am guessing a bit, as I
>> understand there were some changes made to make the pure MAC auth bits work
>> which I'd have to collate from the other posts on this topic.. Specifically,
>> my clients change VLAN on the same SSID, they don't join a different SSID
>> after registration..
>> 
>>  
>> 
>> I hope this is of some help,
>> 
>>  
>> 
>> David
>> 
>>  
>> 
>>  
>> 
>> On Fri, Feb 9, 2018 at 8:23 AM, E.P. <ype...@gmail.com> wrote:
>>> 
>>> Hi David,
>>> Sorry to bother you again, I’m a bit desperate here.
>>> Thought that it will be a breeze to implement guest WiFi with captive portal
>>> but I’m still at nowhere.
>>> Can you please tell me what Unifi AP you are using? Is it a show stopper for
>>> me if I use older APs with firmware 3.8.15 ?
>>> I installed that required patch on PF as per Fabrice. Anything else I’m
>>> missing ?
>>>  
>>> Eugene
>>>  
>>> From: David Harvey [mailto:da...@thoughtmachine.net]
>>> Sent: Friday, February 02, 2018 7:10 AM
>>> To: Eugene Pefti <ype...@gmail.com>
>>> 
>>> 
>>> Subject: Re: [PacketFence-users] Unifi APs and CoA
>>> 
>>>  
>>> 
>>> Hi Eugene,
>>> 
>>>  
>>> 
>>> No problem at all, although I'm not sure how much detail I can add.  Tim and
>>> Fabrice seem to have the best grasp of this with the most comprehensive
>>> guidance in The thread "[PacketFence-users] Ubiquiti UniFi AP Captive
>>> Portal".
>>> 
>>> The draft docs were also quite handy:
>>> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee3
>>> 3f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#u
>>> biquiti-1
>>> 
>>>  
>>> 
>>> Now my setup....
>>> 
>>> I've been running EAP-TLS for some time now for wired and wifi, so not using
>>> the MAC based authentication.  I already had a functional packetfence setup
>>> which does MAC based and EAP based auth for wired (partially inherited
>>> setup), but ignore the MAB/MAC part as I don't use it in the wifi setup.
>>> 
>>>  
>>> 
>>> From here it wasn't too bad to add the Access points to packetfence as
>>> switches - initially as hostapd devices (before the Unify module existed)
>>> and using the common RADIUS config the ciscos are using.  I also had to
>>> create the profile on the unifi controller side with the RADIUS login
>>> details for auth and accounting.
>>> 
>>> Doing it this was has been less complicated as I don't need an open SSID -
>>> clients have certs so get onto my registration VLAN where they can hit the
>>> portal and login to find their eventual VLANs.
>>> 
>>> I can try and pull more detail together when I have time, but I think the
>>> Tim guide covers it well, although my setup is subtly different without the
>>> open SSID / MAC based auth aspects :)
>>> 
>>>  
>>> 
>>> It's only now that I've tried fighting the bugbear of mine which was portal
>>> authentication registering properly in packetfence, but wireless clients
>>> having to be toggled off and on to re-auth and find their correct VLANS.
>>> 
>>> I hope this makes some sense, I feel like the whole capability and support
>>> is coming together rapidly now on the PF and unifi side.
>>> 
>>>  
>>> 
>>> Cheers,
>>> 
>>>  
>>> 
>>> David
>>> 
>>>  
>>> 
>>> On Thu, Feb 1, 2018 at 7:43 PM, Eugene Pefti <ype...@gmail.com> wrote:
>>>> 
>>>> Hi David,
>>>> 
>>>> Forgive me for bothering you
>>>> 
>>>> I’m actively monitoring this thread while deploying PF with Unify.
>>>> 
>>>> Yes, Unifi AP and controller have a lot of challenges and I’m trying to
>>>> understand them all while marrying to PF.
>>>> 
>>>> Can you please describe in brief you experience you described in this post
>>>> ?
>>>> 
>>>> We would like to implement something very similar
>>>> 
>>>>  
>>>> 
>>>> Cheers,
>>>> 
>>>> Eugene
>>>> 
>>>>  
>>>> 
>>>> From: "packetfence-users@lists.sourceforge.net"
>>>> <packetfence-users@lists.sourceforge.net>
>>>> Reply-To: "packetfence-users@lists.sourceforge.net"
>>>> <packetfence-users@lists.sourceforge.net>
>>>> Date: Thursday, February 1, 2018 at 8:17 AM
>>>> To: Timothy Mullican <tjmullic...@yahoo.com>, Fabrice Durand
>>>> <fdur...@inverse.ca>
>>>> Cc: David Harvey <da...@thoughtmachine.net>,
>>>> "packetfence-users@lists.sourceforge.net"
>>>> <packetfence-users@lists.sourceforge.net>
>>>> Subject: Re: [PacketFence-users] Unifi APs and CoA
>>>> 
>>>>  
>>>> 
>>>> Many thanks for the tips. With your guidance I've been following the
>>>> "Packetfence RADIUS and Unifi Out of Band" and am 90% of the way there.
>>>> 
>>>> For anyone curious, please check in on that thread, as it's got more of the
>>>> case history and steps outlined.
>>>> 
>>>>  
>>>> 
>>>> Best,
>>>> 
>>>>  
>>>> 
>>>> David
>>>> 
>>>>  
>>>> 
>>>> On Thu, Feb 1, 2018 at 1:39 AM, Timothy Mullican <tjmullic...@yahoo.com>
>>>> wrote:
>>>>> 
>>>>> David,
>>>>> 
>>>>> Your understanding is correct. Currently the UniFi only supports
>>>>> deauthenticating a client using the controller API and not using CoA. It
>>>>> is possible to enable RADIUS CoA for a single SSID and frequency, but this
>>>>> may not be useful for you. This is because the UniFi runs a separate
>>>>> hostapd instance for all of the different SSIDs and frequencies. See:
>>>>> https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interi
>>>>> <https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1
>>>>> 860205/highlight/true#M216003>
>>>>> m-updates/m-p/1860205/highlight/true#M216003
>>>>> <https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1
>>>>> 860205/highlight/true#M216003>
>>>>> 
>>>>>  
>>>>> 
>>>>> Sent from mobile phone
>>>>> 
>>>>> 
>>>>> On Jan 31, 2018, at 17:46, Durand fabrice via PacketFence-users
>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>>> 
>>>>>> Hello David,
>>>>>> 
>>>>>> the unifi AP is not yet correctly supported, there is some code about
>>>>>> that but you have to do some custom config on the Unifi controller.
>>>>>> 
>>>>>> Have a look at the mailing list archive about unifi.
>>>>>> 
>>>>>> Regards
>>>>>> Fabrice
>>>>>> 
>>>>>> Le 2018-01-31 à 13:02, David Harvey via PacketFence-users a écrit :
>>>>>>> 
>>>>>>> I should also note. I've just changed our APs from switch type hostapd
>>>>>>> to ubiquity::unify, added the controller IP (a docker image in my case),
>>>>>>> and also attempted to add the webservices field as details in the
>>>>>>> documentation:
>>>>>>> 
>>>>>>>  
>>>>>>> wsTransport=HTTPS
>>>>>>> wsUser=admin
>>>>>>> wsPwd=admin
>>>>>>>  
>>>>>>> 
>>>>>>> On Wed, Jan 31, 2018 at 6:00 PM, David Harvey <da...@thoughtmachine.net>
>>>>>>> wrote:
>>>>>>> 
>>>>>>> Hi packetfence users,
>>>>>>> 
>>>>>>>  
>>>>>>> 
>>>>>>> I just wanted to confirm a feature (or my undertsnading of).
>>>>>>> 
>>>>>>>  
>>>>>>> 
>>>>>>> I'm using unifi access points with great success for portal login paired
>>>>>>> with EAP-TLS.
>>>>>>> 
>>>>>>>  
>>>>>>> 
>>>>>>> Unregistered clients with certs land on the registration VLAN, and then
>>>>>>> have their proper vlans assigned by the portal login.
>>>>>>> 
>>>>>>> After the portal login has been performed the client needs the wifi
>>>>>>> toggling off and on at present to reauth and get put onto the correct
>>>>>>> VLAN. subsequent reconnects work fine...
>>>>>>> 
>>>>>>>  
>>>>>>> 
>>>>>>> If I've read the archives correctly, the wifi down/up is required
>>>>>>> becuase CoA is not supported by unifi, nor does the controller allow
>>>>>>> RADIUS disconnect events to force a client to reauth.
>>>>>>> 
>>>>>>> Have I understood correctly, and is there any other magic I could try in
>>>>>>> order to smooth the portal sign in experience?
>>>>>>> 
>>>>>>>  
>>>>>>> 
>>>>>>> Thanks in advnce,
>>>>>>> 
>>>>>>>  
>>>>>>> 
>>>>>>> David
>>>>>>>  
>>>>>>>  
>>>>>>> ------------------------------------------------------------------------
>>>>>>> ------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org <http://Slashdot.org> !
>>>>>>> http://sdm.link/slashdot
>>>>>>>  
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> PacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lis
>>>>>>> ts/listinfo/packetfence-users
>>>>>>  
>>>>>> 
>>>>>> -------------------------------------------------------------------------
>>>>>> -----
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org <http://Slashdot.org> !
>>>>>> http://sdm.link/slashdot
>>>>>> 
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>  
>>>> ---------------------------------------------------------------------------
>>>> --- Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org!
>>>> http://sdm.link/slashdot_______________________________________________
>>>> PacketFence-users mailing list PacketFence-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>  
>>  
>> 
>> 
----------------------------------------------------------------------------->>
-
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>> 
> 
> 
> 
> -- 
> Chris Abel
> Systems and Network Administrator
> Wildwood Programs
> 2995 Curry Road Extension
> Schenectady, NY  12303
> 518-836-2341 <tel:(518)%20836-2341>



-- 
Chris Abel
Systems and Network Administrator
Wildwood Programs 
2995 Curry Road Extension
Schenectady, NY  12303
518-836-2341

     
IMPORTANT NOTICE: This message and any attachments are solely for the
intended recipient and may contain confidential information, which is, or
may be, legally privileged or otherwise protected by law from further
disclosure. If you are not the intended recipient, any disclosure, copying,
use, or distribution of the information included in this email and any
attachments is prohibited. If you have received this communication in error,
please notify the sender by reply email and immediately and permanently
delete this email and any attachments.
----------------------------------------------------------------------------
-- Check out the vibrant tech community on one of the world's most engaging
tech sites, Slashdot.org!
http://sdm.link/slashdot_______________________________________________
PacketFence-users mailing list PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Unifi APs and CoA

Reply via email to