OK, sorry for this late reply, but I haven't had access to the environment during the weekend. Apparently I succeeded in setting this up.

Now it works like this: you need to add the node MAC address, prior to connecting, to this open SSID in PacketFence. Besides this, I had to mark NAC State: ISE NAC in the Advanced WLAN profile settings under NAC. Without this (it was set to none) it was not possible to connect to the network. Now the MAC address is passed to PacketFence for authentication. The right profile is hit, but how to force opening of the captive portal?

I have followed the "Wireless LAN Controller (WLC) Web Auth" section in the "Network Devices Configuration Guide", and used my PacketFence registration interface, the same one I am using for wired MAC authentication, for the Captive-Portal. The only different thing here is that I am using pfdhcp on this VLAN. But after connecting, I see this in the logs:

Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] handling radius autz request: from switch_ip => (10.20.0.20), connection_type => Wireless-802.11-NoEAP,switch_mac => (88:90:8d:a1:59:d0), mac => [cc:fd:17:ef:b3:e5], port => 1, username => "cc:fd:17:ef:b3:e5", ssid => ONBOARDING (pf::radius::authorize)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] Instantiate profile wifi-onboarding (pf::Connection::ProfileFactory::_from_profile)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (10.20.0.20) Added role Pre-Auth-For-WebRedirect-PF to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] External portal enforcement either not supported '1' or not configured 'N' on network equipment '10.20.0.20' (pf::Switch::externalPortalEnforcement)

WLC IP: 10.20.0.20
SSID: ONBOARDING (open SSID with MAC authentication using RADIUS)
Pre-Auth-For-WebRedirect-PF -> ACL defined on the WLC to deny everything except DHCP and DNS on 192.168.0.1, which is the PacketFence registration interface used by that open SSID.
I also have an Authorize_any ACL which permits everything.

On the WLC in PacketFence it is marked:

Role by Web Auth URL:
    registration: http://192.168.0.1/Cisco::WLC
Role mapping by Switch role:
    Registration: Pre-Auth-For-WebRedirect-PF
    default: Authorize_any

Is there anything more I need to do? I have literally used the settings described in the "Network Devices Config Guide".

---- On Fri, 21 Dec 2018 20:56:48 +0100 Fabrice Durand via PacketFence-users <[email protected]> wrote ----

> Hello Kalcho,
>
> first take a look in the radius audit log and see what is the radius
> request sent by the WLC.
>
> Also mac filtering is mandatory to do mac auth on an open SSID.
>
> So enable it and go back in the radius audit log to see the radius
> request and what packetfence answered.
>
> Regards
>
> Fabrice
>
> On 18-12-21 at 12:19, Kalcho via PacketFence-users wrote:
> > Hello all,
> >
> > I am using Cisco WLC 2500 as the authenticator with Packetfence 8.1 for
> > the WiFi. The WiFi profile is configured to be Open, with Radius and AAA
> > Override settings. I intend to use it for MAC Authentication to bring a
> > Captive Portal for registration. All that I have configured, but I have
> > problem with hitting the right profile. If I configure this - call it
> > boyd_profile with Connection Type Wireless-802.1-NoEAP, this profile won't
> > be matched, instead default profile is matched. If I changed Connection
> > Type Wireless-802.1-EAP the other profile that has also the same
> > connection type is matched because it has higher priority. But if I set
> > this profile with higher priority it will be matched. My question is why
> > it is matched, despite I am using MAC Authentication (Captive Portal) and
> > not EAP? Why it is not matched when using Wireless-802.1-NoEAP?
> >
> > Also all Packetfence guides for this open network setup instruct to mark
> > "Mac Filtering", but when using this I am not even able to connect to that
> > SSID. I guess this is because the host MAC needs to be entered before in
> > MAC Filtering table. Is this intended to work like this or am I missing
> > some point here? Is it meant to work by first adding the MAC of the host
> > wishing to connect and then after it is added to the MAC filtering table
> > he will connect and hit the Captive Portal, where he can authenticate
> > using RADIUS, eg EAP-PEAP and after that provisioning agent can provide it
> > configuration profile?
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
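
Added example, not part of the original thread and not PacketFence code: a small Python triage script that collapses httpd.aaa authorization lines like the five quoted in the message into one record per MAC (connection type, SSID, matched profile, node status, returned role) and lists devices for which the externalPortalEnforcement message was logged. The names `summarize` and `stuck_before_portal` are hypothetical, the line layout is assumed from the quoted lines only, and the two quoted flag values are captured as-is without interpreting them.

```python
import re

# Constructed sample input: the five httpd.aaa lines quoted in the message above.
SAMPLE_LOG = """\
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] handling radius autz request: from switch_ip => (10.20.0.20), connection_type => Wireless-802.11-NoEAP,switch_mac => (88:90:8d:a1:59:d0), mac => [cc:fd:17:ef:b3:e5], port => 1, username => "cc:fd:17:ef:b3:e5", ssid => ONBOARDING (pf::radius::authorize)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] Instantiate profile wifi-onboarding (pf::Connection::ProfileFactory::_from_profile)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (10.20.0.20) Added role Pre-Auth-For-WebRedirect-PF to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] External portal enforcement either not supported '1' or not configured 'N' on network equipment '10.20.0.20' (pf::Switch::externalPortalEnforcement)
"""

LINE = re.compile(r"\[mac:(?P<mac>[0-9a-f:]{17})\]\s+(?P<msg>.*?)\s+\((?P<sub>pf::[\w:]+)\)\s*$")
# Message patterns keyed by the sub named in parentheses at the end of each line.
FIELDS = {
    "pf::radius::authorize": {
        "switch_ip": r"switch_ip => \(([\d.]+)\)",
        "connection_type": r"connection_type => ([^,\s]+)",
        "ssid": r"ssid => ([^,\s]+)",
    },
    "pf::Connection::ProfileFactory::_from_profile": {"profile": r"Instantiate profile (\S+)"},
    "pf::role::getRegistrationRole": {"status": r"is of status (\w+)"},
    "pf::Switch::returnRadiusAccessAccept": {"role": r"Added role (\S+)"},
    "pf::Switch::externalPortalEnforcement": {"portal_flags": r"not supported '([^']*)' or not configured '([^']*)'"},
}

def summarize(log_text):
    """Collect per-MAC facts from httpd.aaa authorization lines; other lines are skipped."""
    out = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        facts = out.setdefault(m["mac"], {})
        for name, pattern in FIELDS.get(m["sub"], {}).items():
            hit = re.search(pattern, m["msg"])
            if hit:  # two-group patterns are stored as a tuple, the rest as a string
                facts[name] = hit.groups() if len(hit.groups()) > 1 else hit[1]
    return out

def stuck_before_portal(summary):
    """MACs with status unreg and a returned role for which the enforcement message was logged."""
    return sorted(mac for mac, f in summary.items()
                  if f.get("status") == "unreg" and "role" in f and "portal_flags" in f)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    print("external portal enforcement message logged for:", stuck_before_portal(summary))
```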
