Hi Tim,
I’ve added the portal interface on the same network as management and, from the perspective of PF, I believe it is accepted.
My current problem now is that the haproxy service doesn’t start, and the attempt to start it from the CLI in debugging mode throws out weird messages about errors in the haproxy.conf file:
[root@PacketFence-ZEN ~]# /usr/sbin/haproxy -f
/usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -d
[ALERT] 050/125925 (9596) : Parsing [/usr/local/pf/var/conf/haproxy.conf:142]:
frontend 'portal-http-172.16.0.223' has the same name as frontend
'portal-http-172.16.0.223' declared at /usr/local/pf/var/conf/haproxy.conf:96.
[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:144] :
stick-table name 'portal-http-172.16.0.223' conflicts with table declared in
frontend 'portal-http-172.16.0.223' at /usr/local/pf/var/conf/haproxy.conf:96.
[ALERT] 050/125925 (9596) : Parsing [/usr/local/pf/var/conf/haproxy.conf:159]:
frontend 'portal-https-172.16.0.223' has the same name as frontend
'portal-https-172.16.0.223' declared at /usr/local/pf/var/conf/haproxy.conf:113.
[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:161] :
stick-table name 'portal-https-172.16.0.223' conflicts with table declared in
frontend 'portal-https-172.16.0.223' at /usr/local/pf/var/conf/haproxy.conf:113.
[ALERT] 050/125925 (9596) : Parsing [/usr/local/pf/var/conf/haproxy.conf:176]:
backend '172.16.0.223-backend' has the same name as backend
'172.16.0.223-backend' declared at /usr/local/pf/var/conf/haproxy.conf:130.
[ALERT] 050/125925 (9596) : Error(s) found in configuration file :
/usr/local/pf/var/conf/haproxy.conf
[ALERT] 050/125925 (9596) : Proxy 'portal-http-172.16.0.223': table
'portal-http-172.16.0.223' used but not configured.
[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:151] :
no table in proxy 'portal-http-172.16.0.223' referenced in arg 1 of ACL keyword
'src_clr_gpc0' in proxy 'portal-http-172.16.0.223'.
[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:153] :
no table in proxy 'portal-http-172.16.0.223' referenced in arg 1 of ACL keyword
'src_get_gpc0' in proxy 'portal-http-172.16.0.223'.
[ALERT] 050/125925 (9596) : Proxy 'portal-https-172.16.0.223': table
'portal-https-172.16.0.223' used but not configured.
[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:168] :
no table in proxy 'portal-https-172.16.0.223' referenced in arg 1 of ACL
keyword 'src_clr_gpc0' in proxy 'portal-https-172.16.0.223'.
[ALERT] 050/125925 (9596) : parsing [/usr/local/pf/var/conf/haproxy.conf:170] :
no table in proxy 'portal-https-172.16.0.223' referenced in arg 1 of ACL
keyword 'src_get_gpc0' in proxy 'portal-https-172.16.0.223'.
[WARNING] 050/125925 (9596) : Proxy 'stats': in multi-process mode, stats will
be limited to process assigned to the current request.
[ALERT] 050/125925 (9596) : Fatal errors found in configuration.
Secondly, I didn’t find anything you advised me, namely “Additional listeners”, under the Networks tab in PF.
On the other hand, under “Advanced access configuration” in “Captive portal” there’s a field like this. Should I fill it with the IP address that I want to listen on as a captive portal?
It is not explicitly said what should be in there. As far as I understand, the captive portal is enabled by default as long as the portal interface is added.
Eugene
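The haproxy alerts above all stem from the first one: the generated file declares the same frontend and backend names twice, and every later "table used but not configured" / "no table in proxy" alert is a consequence of haproxy dropping the second copy. The script below is an added example (not PacketFence's or haproxy's own code) that scans an haproxy configuration for duplicated section names so the root collision can be found quickly in a long generated file. The sample configuration it scans is constructed for the example; section and IP names in it are placeholders.

```python
"""Detect duplicated frontend/backend/listen names in an haproxy config.

Added example, not PacketFence's or haproxy's own code. haproxy names the
stick-table declared inside a frontend after that frontend, so a duplicated
frontend also produces the "stick-table name ... conflicts" alert seen in
the thread; finding the duplicated section is enough to explain the rest.
"""
import re
import sys
from collections import defaultdict

# A section header is the keyword at the start of a line followed by its name.
SECTION_RE = re.compile(r"^\s*(frontend|backend|listen)\s+(\S+)")

# Constructed sample: the same portal frontend/backend pair emitted twice.
SAMPLE_CONF = """\
global
    daemon
defaults
    mode http
frontend portal-http-192.0.2.10
    bind 192.0.2.10:80
    stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
    default_backend 192.0.2.10-backend
backend 192.0.2.10-backend
    server pf 127.0.0.1:8080
frontend portal-http-192.0.2.10
    bind 192.0.2.10:80
    stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
    default_backend 192.0.2.10-backend
backend 192.0.2.10-backend
    server pf 127.0.0.1:8080
"""


def find_duplicate_sections(config_text):
    """Return {(kind, name): [line numbers]} for every section name that is
    declared more than once. A `listen` section counts as both a frontend
    and a backend, which is how haproxy treats it."""
    seen = defaultdict(list)
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if not m:
            continue
        kind, name = m.group(1), m.group(2)
        kinds = ("frontend", "backend") if kind == "listen" else (kind,)
        for k in kinds:
            seen[(k, name)].append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


def report(config_text, path="haproxy.conf"):
    """Render the duplicates in the same spirit as haproxy's own alert text."""
    lines = []
    for (kind, name), where in sorted(find_duplicate_sections(config_text).items()):
        first, *rest = where
        for dup in rest:
            lines.append(f"{path}:{dup}: {kind} '{name}' has the same name as "
                         f"{kind} '{name}' declared at {path}:{first}")
    return lines


if __name__ == "__main__":
    # Pass a path to scan a real file; with no argument the sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, path = fh.read(), sys.argv[1]
    else:
        text, path = SAMPLE_CONF, "sample.conf"
    for line in report(text, path) or ["no duplicated section names"]:
        print(line)
```

Running it against /usr/local/pf/var/conf/haproxy.conf points at the two places each portal frontend and backend is declared; which of the two generated blocks is the unwanted one still has to be decided from the PacketFence interface configuration that produced them.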
From: Timothy Mullican [mailto:tjmullic...@yahoo.com]
Sent: Tuesday, February 20, 2018 6:46 AM
To: packetfence-users@lists.sourceforge.net
Cc: Eugene Pefti <ype...@gmail.com>
Subject: Re: [PacketFence-users] Unifi APs and CoA
Eugene,
Make sure that PacketFence (not your own infrastructure DHCP server) is handing out IP addresses on the registration network. Also, make sure that you added the portal module to your wireless VLAN in PacketFence under the Networks tab (I think the box is labeled “Additional listeners”). Please let me know if this doesn’t work.
Sent from mobile phone
On Feb 18, 2018, at 20:32, Eugene Pefti via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Good job, Chris and thanks for sharing your progress.
I dare to ask my stupid question again ;)
Why can’t users who associated to the guest WiFi (open, with a redirect to the PF captive portal) reach PF via HTTP?
They receive an IP address from the local DHCP server and can then ping PF, but there’s no way to go through self-registration.
Eugene
From: "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Reply-To: "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Date: Thursday, February 15, 2018 at 8:00 AM
To: "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Cc: Chris Abel <ca...@wildwoodprograms.org>
Subject: Re: [PacketFence-users] Unifi APs and CoA
Hey All,
I was able to get deauth working with my Unifi APs and it seems everything is
working smoothly. Here is the configuration I used for the switch in
packetfence:
[Unifi AP IP Address or subnet]
description=Unifi Access Points
group=Unifi
radiusSecret=RaidusPassword
controllerIp=Unifi Controller IP Address
useCoA=N
wsTransport=HTTPS
deauthMethod=HTTPS
wsUser=Unifi Controller Username
wsPwd=Unifi Controller Password
Hope this helps someone. I hope PacketFence releases some documentation on Unifi APs because, with the necessary applied patch and the Unifi controller changes to config.properties, everything seems to be working well. Actually, in my opinion, it seems to be working better than the hostapd setup in PacketFence and is way easier to set up.
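The switch entry Chris posted is the part of this setup that carries secrets (the RADIUS shared secret and a controller login), and the only deauth path that works on UniFi is the controller API, so a few of its keys have to be set consistently. The script below is an added example, not PacketFence's own validation code: it reads entries in the INI shape shown above and reports missing keys, a non-HTTPS web-service transport, CoA left enabled (which, as Tim notes later in the thread, UniFi does not honour), and credentials that are still the template placeholders or the controller's stock admin/admin. Key names are the ones visible in the thread; the sample entries, IP addresses and placeholder strings are constructed for the example.

```python
"""Sanity-check PacketFence switches.conf entries for UniFi access points.

Added example, not PacketFence's own code. Key names (controllerIp, wsUser,
wsPwd, wsTransport, deauthMethod, useCoA, radiusSecret) are those posted in
the thread; everything else here is an assumption made for the example.
"""
import configparser

# Keys the controller-API deauth path cannot work without.
REQUIRED_FOR_WS_DEAUTH = ("controllerIp", "wsTransport", "wsUser", "wsPwd")
# Literal placeholder values copied from the posted template.
PLACEHOLDERS = {"Unifi Controller IP Address", "Unifi Controller Username",
                "Unifi Controller Password", "RaidusPassword"}
# Stock controller login that should never reach production.
WEAK_CREDENTIALS = {("admin", "admin")}

# Constructed sample: one sane entry and one with every problem the checker knows.
SAMPLE = """\
[192.0.2.0/24]
description=Unifi Access Points
group=Unifi
radiusSecret=example-shared-secret
controllerIp=192.0.2.5
useCoA=N
wsTransport=HTTPS
deauthMethod=HTTPS
wsUser=pf-deauth
wsPwd=example-controller-password

[192.0.2.20]
description=Lab AP
radiusSecret=RaidusPassword
controllerIp=192.0.2.5
useCoA=Y
wsTransport=HTTP
wsUser=admin
wsPwd=admin
"""


def load_switches(text):
    """Parse switches.conf-style text, keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lower-case camelCase keys
    cp.read_string(text)
    return cp


def check_unifi_entry(section):
    """Return a list of findings for one switch entry (empty list = looks sane)."""
    findings = []
    for key in REQUIRED_FOR_WS_DEAUTH:
        if key not in section or not section[key].strip():
            findings.append(f"missing {key}")
    if section.get("wsTransport", "").upper() != "HTTPS":
        findings.append("wsTransport should be HTTPS; the controller login travels over it")
    if section.get("deauthMethod", "").upper() != "HTTPS":
        findings.append("deauthMethod should be HTTPS (controller API deauth)")
    if section.get("useCoA", "N").upper() != "N":
        findings.append("useCoA=Y but UniFi does not honour RADIUS CoA; deauth goes via the controller")
    for key in ("radiusSecret", "controllerIp", "wsUser", "wsPwd"):
        if section.get(key, "") in PLACEHOLDERS:
            findings.append(f"{key} still holds the template placeholder")
    if (section.get("wsUser"), section.get("wsPwd")) in WEAK_CREDENTIALS:
        findings.append("wsUser/wsPwd are the controller's default admin/admin")
    return findings


def check_all(text):
    """Map each section name to its findings."""
    cp = load_switches(text)
    return {name: check_unifi_entry(cp[name]) for name in cp.sections()}


if __name__ == "__main__":
    for name, findings in check_all(SAMPLE).items():
        print(f"[{name}]")
        for f in findings or ["ok"]:
            print("  -", f)
```

Point `load_switches` at the real file contents (read /usr/local/pf/conf/switches.conf and pass the text) to run the same checks on a live entry; the script only reads and never rewrites the file.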
On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel <ca...@wildwoodprograms.org> wrote:
Hello all,
I am also trying to get my Unifi APs working with PacketFence. It seems that I am very close. I am able to get the portal to show up on the client when in the registration VLAN, but after registering, the client never deauths and disconnects from the access point. I can disable my wireless and enable it again and the client is assigned the correct role and put into the right VLAN, so that part seems to be working. I have applied the patch in the following way:
in /usr/local/pf I ran "curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff | patch -p1"
Is this the correct patch and the correct way to apply it? If so, why is this patch not disconnecting the client from the AP?
I have also applied the following to my APs in Unifi:
/var/lib/unifi/sites/XXXXXXXX/config.properties
config.system_cfg.1=aaa.1.auth_cache=disabled
config.system_cfg.2=aaa.2.auth_cache=disabled
config.system_cfg.3=aaa.1.dynamic_vlan=1
config.system_cfg.4=aaa.2.dynamic_vlan=1
config.system_cfg.5=aaa.1.radius.acct.1.ip=<radius accounting server IP>
config.system_cfg.6=aaa.1.radius.acct.1.port=<radius accounting server port>
config.system_cfg.7=aaa.1.radius.acct.1.secret=<radius accounting server password>
config.system_cfg.8=aaa.2.radius.acct.1.ip=<radius accounting server IP>
config.system_cfg.9=aaa.2.radius.acct.1.port=<radius accounting server port>
config.system_cfg.10=aaa.2.radius.acct.1.secret=<radius accounting server password>
What should the configuration be in packetfence when setting up the switch?
Should I use hostapd or Unifi Controller? Should I enable COA or not?
Does anyone have a working setup of Unifi APs with an out of band setup of
packetfence at this point? If so, could you shed some light and post your
configurations?
Thanks!
On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Yes, David, this is my plan to test the captive portal on wired connections to
rule out the unruly Unifi APs
Ideally I would love to make it also work with HP switches 1820/1920 model
because this is the majority of switches installed in our organization.
But will try it on Cisco switch as a beginning
Thanks again, for your sharing.
There’s apparently something wrong with the mailing list for PacketFence, as there’s nothing coming in, and I don’t believe it’s only me who persists in making things work and asking for advice 😉
Eugene
From: David Harvey [mailto:da...@thoughtmachine.net]
Sent: Friday, February 09, 2018 4:37 AM
To: E.P. <ype...@gmail.com>; fdur...@inverse.ca
Subject: Re: [PacketFence-users] Unifi APs and CoA
Hi Eugene,
I'm including Fabrice in case anything I have covered is misleading or plain
untrue! I don't want to give you bad advice..
I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS and
so haven't had the same open SSID guest portal aspect (which might make my
advice less relevant).
I've been fumbling through, so I'm sure Fabrice can offer better advice but I
would start by saying..
My understanding of the additional functionality this patch affords, is dealing
with kicking the client off an AP so it will then re-auth and hopefully get put
onto the correct VLAN. So before worrying about if the patch is working, I'd
see if you can get to a state where you can reach the portal as a new
device/user, and after registering it puts you on the correct VLAN if you
toggle WiFi off and back on (thus skipping the kick from AP part of the
process).
As far as I understand, to achieve this you need:
Ideally to have shown it works with your wired network, something like:
Clients are placed on a registration network which hits the portal, and that is
able to register them properly as a node in packetfence associated with a role
which belongs to an authenticated VLAN.
This is a really useful way to show that the core functionality works.
My setup from there added EAP-TLS to the Radius config, but I understand you're
not looking to do that.. The setup should be similar though, as UniFi
controller or AP will still have a RADIUS profile - in your case it will just
be doing the MAC auth bit to decide on VLAN rather than having that layered on
top of the certificate part. From there I am guessing a bit, as I understand
there were some changes made to make the pure MAC auth bits work which I'd have
to collate from the other posts on this topic.. Specifically, my clients change
VLAN on the same SSID, they don't join a different SSID after registration..
I hope this is of some help,
David
On Fri, Feb 9, 2018 at 8:23 AM, E.P. <ype...@gmail.com> wrote:
Hi David,
Sorry to bother you again, I’m a bit desperate here.
Thought that it will be a breeze to implement guest WiFi with captive portal
but I’m still at nowhere.
Can you please tell me what Unifi AP you are using? Is it a show stopper for me
if I use older APs with firmware 3.8.15 ?
I installed that required patch on PF as per Fabrice. Anything else I’m missing
?
Eugene
From: David Harvey [mailto:da...@thoughtmachine.net]
Sent: Friday, February 02, 2018 7:10 AM
To: Eugene Pefti <ype...@gmail.com>
Subject: Re: [PacketFence-users] Unifi APs and CoA
Hi Eugene,
No problem at all, although I'm not sure how much detail I can add. Tim and
Fabrice seem to have the best grasp of this with the most comprehensive
guidance in The thread "[PacketFence-users] Ubiquiti UniFi AP Captive Portal".
The draft docs were also quite handy:
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1
Now my setup....
I've been running EAP-TLS for some time now for wired and wifi, so not using
the MAC based authentication. I already had a functional packetfence setup
which does MAC based and EAP based auth for wired (partially inherited setup),
but ignore the MAB/MAC part as I don't use it in the wifi setup.
From here it wasn't too bad to add the access points to packetfence as switches - initially as hostapd devices (before the Unifi module existed) and using the common RADIUS config the Ciscos are using. I also had to create the profile on the Unifi controller side with the RADIUS login details for auth and accounting.
Doing it this way has been less complicated as I don't need an open SSID -
clients have certs so get onto my registration VLAN where they can hit the
portal and login to find their eventual VLANs.
I can try and pull more detail together when I have time, but I think the Tim
guide covers it well, although my setup is subtly different without the open
SSID / MAC based auth aspects :)
It's only now that I've tried fighting the bugbear of mine which was portal
authentication registering properly in packetfence, but wireless clients having
to be toggled off and on to re-auth and find their correct VLANS.
I hope this makes some sense, I feel like the whole capability and support is
coming together rapidly now on the PF and unifi side.
Cheers,
David
On Thu, Feb 1, 2018 at 7:43 PM, Eugene Pefti <ype...@gmail.com> wrote:
Hi David,
Forgive me for bothering you
I’m actively monitoring this thread while deploying PF with Unifi.
Yes, Unifi AP and controller have a lot of challenges and I’m trying to understand them all while marrying to PF.
Can you please describe in brief the experience you described in this post?
We would like to implement something very similar
Cheers,
Eugene
From: "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Reply-To: "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Date: Thursday, February 1, 2018 at 8:17 AM
To: Timothy Mullican <tjmullic...@yahoo.com>, Fabrice Durand <fdur...@inverse.ca>
Cc: David Harvey <da...@thoughtmachine.net>, "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] Unifi APs and CoA
Many thanks for the tips. With your guidance I've been following the
"Packetfence RADIUS and Unifi Out of Band" and am 90% of the way there.
For anyone curious, please check in on that thread, as it's got more of the
case history and steps outlined.
Best,
David
On Thu, Feb 1, 2018 at 1:39 AM, Timothy Mullican <tjmullic...@yahoo.com> wrote:
David,
Your understanding is correct. Currently the UniFi only supports
deauthenticating a client using the controller API and not using CoA. It is
possible to enable RADIUS CoA for a single SSID and frequency, but this may not
be useful for you. This is because the UniFi runs a separate hostapd instance
for all of the different SSIDs and frequencies. See:
https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1860205/highlight/true#M216003
Sent from mobile phone
On Jan 31, 2018, at 17:46, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hello David,
the unifi AP is not yet correctly supported, there is some code about that but
you have to do some custom config on the Unifi controller.
Have a look at the mailing list archive about unifi.
Regards
Fabrice
On 2018-01-31 at 13:02, David Harvey via PacketFence-users wrote:
I should also note. I've just changed our APs from switch type hostapd to
ubiquity::unify, added the controller IP (a docker image in my case), and also
attempted to add the webservices field as details in the documentation:
wsTransport=HTTPS
wsUser=admin
wsPwd=admin
On Wed, Jan 31, 2018 at 6:00 PM, David Harvey <da...@thoughtmachine.net> wrote:
Hi packetfence users,
I just wanted to confirm a feature (or my understanding of it).
I'm using unifi access points with great success for portal login paired with
EAP-TLS.
Unregistered clients with certs land on the registration VLAN, and then have
their proper vlans assigned by the portal login.
After the portal login has been performed the client needs the WiFi toggling off and on at present to reauth and get put onto the correct VLAN. Subsequent reconnects work fine...
If I've read the archives correctly, the WiFi down/up is required because CoA is not supported by Unifi, nor does the controller allow RADIUS disconnect events to force a client to reauth.
Have I understood correctly, and is there any other magic I could try in order to smooth the portal sign-in experience?
Thanks in advance,
David
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org <http://Slashdot.org> !
http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY 12303
518-836-2341