Hello Michael,
You can try the hostapd switch module; this one uses tunnel-password
(https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Hostapd.pm#L189)
If it works then it will be easy to adapt the meraki switch module.
Regards
Fabrice
On 20-11-17 at 11:53, Michael Brown via PacketFence-users wrote:
Hey Guys,
Just checking in one more time on this one. Any ideas?
Thanks,
Mike
On Thursday, November 12, 2020, 11:38:23 AM EST, Michael Brown
<[email protected]> wrote:
Based off the auditing log below it looks like PacketFence sends the
PSK back to the Meraki access point as Cisco-AVPair. Is there anyway
to change PacketFence to send the PSK as tunnel-password instead of
Cisco-AVPair?
RADIUS Request
User-Name = "00e04c19dddd"
User-Password = "******"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624cccc
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19dddd"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294eeee"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19dddd"
RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttreeee"
Cisco-AVPair = "psk-mode=ascii"
On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown
<[email protected]> wrote:
Checking in on this.
I put a message up on Meraki and it looks like the problem is the
RADIUS Access-Accept message is not returning the Tunnel-Password with
the user's dpsk. It is only returning the VLAN ID. Is there
something missing in my config to make that happen?
Thanks.
On Tuesday, October 20, 2020, 12:07:27 PM EDT, Michael Brown
<[email protected]> wrote:
Hi Guys,
Has anyone been able to get DPSK working with Meraki access points?
The provisioner portion is working where the user joins a network,
signs in to the portal and then once they are signed in they are
presented with the name of the network that uses DPSK and their DPSK
password. The problem is when I try to join the DPSK network with the
provided DPSK I receive "Can't connect to this network" (Windows 10 device).
We have one PacketFence server set up out of band.
Here are my profiles:
PROVIDES DPSK
[Auth-Wireless]
locale=
sources=BYOD-Wireless-User-Authentication
advanced_filter=
provisioners=DPSK
filter=ssid:Auth
DPSK NETWORK PROFILE
[BYOD-Wireless]
locale=
advanced_filter=
filter=ssid:WIFI-BYOD
dpsk=enabled
autoregister=enabled
default_psk_key=testing12345678!
unreg_on_acct_stop=disabled
filter_match_style=all
HERE IS THE AUTH SOURCE FOR Auth-Wireless PROFILE:
[BYOD-Wireless-User-Authentication]
cache_match=0
read_timeout=10
realms=null,domain.com
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=BYOD Wireless User Authentication
port=389
host=dc.domain.com
write_timeout=5
type=AD
[BYOD-Wireless-User-Authentication rule Network-Administrators]
action0=set_role=WIFI-IT-STAFF-DISTRICT
condition0=memberOf,equals,CN=Network Administrators,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Network Administrators Group
[BYOD-Wireless-User-Authentication rule Faculty-All]
action0=set_role=WIFI-STAFF-GUESTS
condition0=memberOf,equals,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Faculty All
HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:
Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
Radius server set to PacketFence management
Radius testing: disabled
Radius CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
Radius override: Radius response can override VLAN tag
HERE IS WHAT THE PF LOG SAYS WHEN I TRY TO JOIN:
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.19), connection_type => Wireless-802.11-NoEAP,switch_mac => (e2:cb:ac:91:85:df), mac => [00:e0:4c:19:dd:56], port => 0, username => "00e04c19dd56", ssid => WIFI-BYOD (pf::radius::authorize)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile BYOD-Wireless (pf::Connection::ProfileFactory::_from_profile)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] security_event 1300003 force-closed for 00:e0:4c:19:dd:56 (pf::security_event::security_event_force_close)
HERE IS WHAT THE RADIUS LOG SAYS:
Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:56] Accepted user:and returned VLAN 118
Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.110.19/32 port 0 cli 00:e0:4c:19:dd:56)
Thanks for your help.
Mike
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users