I solved this and now it works as it is supposed to. New nodes are authenticated via Captive-Portal without the MAC address previously added to Packetfence. But the problem is how to assign the role after successful authentication? I guess I need it because I need to hit that Authorize_any access list. Correct me if I am thinking in the wrong direction. I will need this Authorize_any access list in order to install the wireless profile assigned by the provisioner, because when I click on it it redirects me to the Google Play

---- On Tue, 25 Dec 2018 13:50:42 +0100 Kalcho <[email protected]> wrote ----
> Ok,
>
> Sorry for this late reply but I haven't had access to the environment during the weekend.
> Apparently I succeeded to set this up.
>
> Now it works like this:
> You need to add Node MAC address, prior to connecting, to this open SSID in the Packetfence. Beside this I had to mark NAC State: ISE NAC in the Advanced WLAN profile settings under NAC. Without this (it was set to none) it was not possible to connect to network. Now MAC address is passed to Packetfence for authentication. The right profile is hit, but how to force opening of captive portal? I have followed "Wireless LAN Controller (WLC) Web Auth" section in "Network Devices Configuration Guide". And used my Packetfence registration interface, same I am using for wired mac authentication, for Captive-Portal. The only different thing here is that I am using pfdhcp on this VLAN. But after connecting in logs I see this log:
>
> Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] handling radius autz request: from switch_ip => (10.20.0.20), connection_type => Wireless-802.11-NoEAP,switch_mac => (88:90:8d:a1:59:d0), mac => [cc:fd:17:ef:b3:e5], port => 1, username => "cc:fd:17:ef:b3:e5", ssid => ONBOARDING (pf::radius::authorize)
> Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] Instantiate profile wifi-onboarding (pf::Connection::ProfileFactory::_from_profile)
> Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (10.20.0.20) Added role Pre-Auth-For-WebRedirect-PF to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] External portal enforcement either not supported '1' or not configured 'N' on network equipment '10.20.0.20' (pf::Switch::externalPortalEnforcement)
>
> WLC IP: 10.20.0.20
> SSID: ONBOARDING (open ssid with Mac authentication using radius)
> Pre-Auth-For-WebRedirect-PF -> ACL defined on WLC to deny everything except DHCP and DNS on 192.168.0.1 which is Packetfence registration interface used by that open SSID.
> I also have Authorize_any ACL which permits everything.
> On WLC in Packetfence it is marked Role by Web Auth URL:
> registration: http://192.168.0.1/Cisco::WLC
>
> and Role mapping by Switch role:
> Registration: Pre-Auth-For-WebRedirect-PF
> default: Authorize_any
>
> Is there anything more I need to do? I have literally used settings described in "Network Devices Config Guide".
>
>
> ---- On Fri, 21 Dec 2018 20:56:48 +0100 Fabrice Durand via PacketFence-users <[email protected]> wrote ----
> > Hello Kalcho,
> >
> > first take a look in the radius audit log and see what is the radius request sent by the WLC.
> >
> > Also mac filtering is mandatory to do mac auth on an openssid.
> >
> > So enable it and go back in the radius audit log to see the radius request and what packetfence answered.
> >
> > Regards
> >
> > Fabrice
> >
> >
> > On 18-12-21 at 12:19, Kalcho via PacketFence-users wrote:
> > > Hello all,
> > >
> > > I am using Cisco WLC 2500 as the authenticator with Packetfence 8.1 for the WiFi. The WiFi profile is configured to be Open, with Radius and AAA Override settings. I intend to use it for MAC Authentication to bring a Captive Portal for registration. All that I have configured, but I have problem with hitting the right profile. If I configure this - call it boyd_profile with Connection Type Wireless-802.1-NoEAP, this profile won't be matched, instead default profile is matched. If I changed Connection Type Wireless-802.1-EAP the other profile that has also the same connection type is matched because it has higher priority. But if I set this profile with higher priority it will be matched. My question is why it is matched, despite I am using MAC Authentication (Captive Portal) and not EAP? Why it is not matched when using Wireless-802.1-NoEAP?
> > >
> > > Also all Packetfence guides for this open network setup instruct to mark "Mac Filtering", but when using this I am not even able to connect to that SSID. I guess this is because the host MAC needs to be entered before in MAC Filtering table. Is this intended to work like this or I am missing some point here? Is it meant to work by first adding the MAC of the host wishing to connect and then after it is added to the MAC filtering table he will connect and hit the Captive Portal, where he can authenticate using RADIUS, eg EAP-PEAP and after that provisioning agent can provide it configuration profile?
> > >
> > > _______________________________________________
> > > PacketFence-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
> > --
> > Fabrice Durand
> > [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
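
The httpd.aaa lines quoted in this thread can be read as one authorization trace per MAC. The following is an added example, not part of the original messages and not PacketFence code: it groups such lines by MAC and lists devices that were put in the registration role while the log reports external portal enforcement as not supported or not configured. The function names are hypothetical, and only the message wordings that appear in the thread are recognised.

```python
import re
from collections import defaultdict

# Log lines copied from the thread above, with the e-mail line wraps rejoined.
SAMPLE_LOG = """\
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] handling radius autz request: from switch_ip => (10.20.0.20), connection_type => Wireless-802.11-NoEAP,switch_mac => (88:90:8d:a1:59:d0), mac => [cc:fd:17:ef:b3:e5], port => 1, username => "cc:fd:17:ef:b3:e5", ssid => ONBOARDING (pf::radius::authorize)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] Instantiate profile wifi-onboarding (pf::Connection::ProfileFactory::_from_profile)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (10.20.0.20) Added role Pre-Auth-For-WebRedirect-PF to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Dec 25 13:40:59 packetfence-server packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] External portal enforcement either not supported '1' or not configured 'N' on network equipment '10.20.0.20' (pf::Switch::externalPortalEnforcement)
"""

# "[mac:<mac>] <message> (<pf::subroutine>)" as seen in the quoted log lines.
LINE_RE = re.compile(r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*) \((?P<sub>pf::[\w:]+)\)\s*$")

def trace_authorizations(log_text):
    """Return {mac: {field: value}} built from httpd.aaa authorization lines."""
    traces = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an httpd.aaa line in the expected shape
        t, msg, sub = traces[m["mac"]], m["msg"], m["sub"]
        if sub == "pf::radius::authorize":
            # Request attributes are logged as "key => value" or "key => (value)".
            t.update(re.findall(r"(connection_type|ssid|switch_ip) => \(?([^\s,)]+)", msg))
        elif sub.endswith("::_from_profile"):
            t["profile"] = msg.rsplit(" ", 1)[-1]
        elif sub == "pf::role::getRegistrationRole" and (s := re.search(r"status (\w+)", msg)):
            t["status"] = s[1]
        elif sub == "pf::Switch::returnRadiusAccessAccept" and (r := re.search(r"Added role (\S+)", msg)):
            t["role"] = r[1]
        elif sub == "pf::Switch::externalPortalEnforcement":
            # Assumption: only the wording quoted in the thread is treated as "inactive".
            t["external_portal"] = "not supported" not in msg and "not configured" not in msg
    return dict(traces)

def portal_gaps(traces):
    """MACs that are unregistered while external portal enforcement is reported inactive."""
    return [mac for mac, t in traces.items()
            if t.get("status") == "unreg" and t.get("external_portal") is False]

if __name__ == "__main__":
    for mac, fields in trace_authorizations(SAMPLE_LOG).items():
        print(mac, fields)
    print("portal gaps:", portal_gaps(trace_authorizations(SAMPLE_LOG)))
```
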
