That's it Fabrice.  Hostapd worked like a charm.  Got any advice on how to 
adapt the Meraki Cloud Controller V2 module? 
    On Friday, November 20, 2020, 09:48:01 PM EST, Durand fabrice 
<[email protected]> wrote:  
 
  
Hello Michael,
 
you can try with the hostapd switch module, this one uses 
tunnel-password (https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Hostapd.pm#L189)
 
If it works then it will be easy to adapt the Meraki switch module.
 
Regards
 
Fabrice
 

 
 On 20-11-17 at 11:53, Michael Brown via PacketFence-users wrote:
  
 
 Hey Guys, 
  Just checking in one more time on this one.  Any ideas?  
  Thanks, Mike 
      On Thursday, November 12, 2020, 11:38:23 AM EST, Michael Brown 
<[email protected]> wrote:  
  
      Based off the auditing log below it looks like PacketFence sends the PSK 
back to the Meraki access point as Cisco-AVPair.  Is there any way to change 
PacketFence to send the PSK as tunnel-password instead of Cisco-AVPair? 
    RADIUS Request
    User-Name = "00e04c19dddd"
    User-Password = "******"
    NAS-IP-Address = 172.20.10.20
    Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
    Calling-Station-Id = "00:e0:4c:19:dd:dd"
    NAS-Port-Type = Wireless-802.11
    Event-Timestamp = "Nov 12 2020 09:58:47 EST"
    Connect-Info = "CONNECT 11Mbps 802.11b"
    Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624cccc
    Meraki-Network-Name = "Network"
    Meraki-Ap-Name = "AP-01"
    Stripped-User-Name = "00e04c19dddd"
    Realm = "null"
    FreeRADIUS-Client-IP-Address = 172.20.10.20
    Called-Station-SSID = "WIFI-BYOD"
    PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294eeee"
    PacketFence-Radius-Ip = "172.20.100.2"
    SQL-User-Name = "00e04c19dddd"

    RADIUS Reply
    Tunnel-Type = VLAN
    Tunnel-Private-Group-Id = "118"
    Tunnel-Medium-Type = IEEE-802
    Cisco-AVPair = "psk=otahreeddttreeee"
    Cisco-AVPair = "psk-mode=ascii"
   
  
       On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown 
<[email protected]> wrote:  
  
      Checking in on this.  
  I put a message up on Meraki and it looks like the problem is the RADIUS 
Access-Accept message is not returning the Tunnel-Password with the user's 
dpsk.  It is only returning the VLAN ID.   Is there something missing in my 
config to make that happen? 
  Thanks. 
  
         On Tuesday, October 20, 2020, 12:07:27 PM EDT, Michael Brown 
<[email protected]> wrote:  
  
        
Hi Guys,
 
 
 
Has anyone been able to get DPSK working with Meraki access points?
 
 
 
The provisioner portion is working where the user joins a network, signs in to 
the portal and then once they are signed in they are presented with the name of 
the network that uses DPSK and their DPSK password.  The problem is when I try 
to join the DPSK network with the provided DPSK I receive "can't connect to this 
network" (Windows 10 device).
 
 
 
We have one PacketFence server set up out of band.
 
 
 
Here are my profiles:
 
 
 
PROVIDES DPSK

[Auth-Wireless]
locale=
sources=BYOD-Wireless-User-Authentication
advanced_filter=
provisioners=DPSK
filter=ssid:Auth

DPSK NETWORK PROFILE

[BYOD-Wireless]
locale=
advanced_filter=
filter=ssid:WIFI-BYOD
dpsk=enabled
autoregister=enabled
default_psk_key=testing12345678!
unreg_on_acct_stop=disabled
filter_match_style=all
 
 
 
 
 
HERE IS THE AUTH SOURCE FOR Auth-Wireless PROFILE:

[BYOD-Wireless-User-Authentication]
cache_match=0
read_timeout=10
realms=null,domain.com
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\,PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=BYOD Wireless User Authentication
port=389
host=dc.domain.com
write_timeout=5
type=AD

[BYOD-Wireless-User-Authentication rule Network-Administrators]
action0=set_role=WIFI-IT-STAFF-DISTRICT
condition0=memberOf,equals,CN=Network Administrators,OU=DomainGroups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Network Administrators Group

[BYOD-Wireless-User-Authentication rule Faculty-All]
action0=set_role=WIFI-STAFF-GUESTS
condition0=memberOf,equals,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Faculty All
 
 
 
 
 
HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:

Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
Radius server set to PacketFence management
Radius testing: disabled
Radius CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
Radius override: Radius response can override VLAN tag
 
 
 
 
 
 
 
 
 
HERE IS WHAT THE PF LOG SAYS WHEN I TRY TO JOIN:
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: 
[mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module 
pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure 
you enable Vendor Specific Attributes (VSA) on the AP if you want them to 
work.(pf::Switch::getCiscoAvPairAttribute)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => 
(172.20.110.19), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(e2:cb:ac:91:85:df), mac => [00:e0:4c:19:dd:56], port => 0, username => 
"00e04c19dd56", ssid => WIFI-BYOD (pf::radius::authorize)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] Instantiate profile 
BYOD-Wireless(pf::Connection::ProfileFactory::_from_profile)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] Found authentication source(s) 
:'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication'
 for realm 'null' (pf::config::util::filter_authentication_sources)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: 
[mac:00:e0:4c:19:dd:56] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] Found authentication source(s) 
:'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication'
 for realm 'null' (pf::config::util::filter_authentication_sources)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] Connection type is MAC-AUTH. Getting role from 
node_info(pf::role::getRegisteredRole)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] Username was defined "00e04c19dd56" - returning role 
'WIFI-IT-STAFF-DISTRICT'(pf::role::getRegisteredRole)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] PID: "user", Status: reg Returned VLAN: (undefined), 
Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] (172.20.110.19) Added VLAN 118 to the returned RADIUS 
Access-Accept(pf::Switch::returnRadiusAccessAccept)
 
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] security_event 1300003 force-closed for 
00:e0:4c:19:dd:56(pf::security_event::security_event_force_close)
 
 
 
 
 
HERE IS WHAT THE RADIUS LOG SAYS:
 
Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:56] Accepted user:  
and returned VLAN 118
 
Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from 
client 172.20.110.19/32 port 0 cli 00:e0:4c:19:dd:56)
   
  Thanks for your help. 
  Mike  
                    
  
  _______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
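
A quick check of the RADIUS Reply quoted in the thread, as an added example (not PacketFence code and not part of any poster's message): it parses the audit-log attributes, reports which attribute carries the PSK, and shows the same reply with the PSK in Tunnel-Password, the form the thread says the Meraki AP expects. The function names are hypothetical; the sample input is the reply text from the audit log above.

```python
import re

# Constructed sample: the RADIUS Reply attributes from the audit log in the thread.
REPLY = ('Tunnel-Type = VLAN Tunnel-Private-Group-Id = "118" '
         'Tunnel-Medium-Type = IEEE-802 Cisco-AVPair = "psk=otahreeddttreeee" '
         'Cisco-AVPair = "psk-mode=ascii"')

# Attribute name, "=", then either a quoted string or a bare token.
PAIR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("[^"]*"|\S+)')

def parse_attributes(text):
    """Return [(name, value), ...] in order, keeping repeated attributes."""
    return [(name, value.strip('"')) for name, value in PAIR.findall(text)]

def psk_carriers(attrs):
    """Names of the reply attributes that carry a per-device PSK."""
    carriers = set()
    for name, value in attrs:
        if name == "Tunnel-Password":
            carriers.add(name)
        elif name == "Cisco-AVPair" and value.startswith("psk="):
            carriers.add(name)
    return sorted(carriers)

def as_tunnel_password(attrs):
    """Same reply with the PSK moved from Cisco-AVPair to Tunnel-Password."""
    out = []
    for name, value in attrs:
        if name == "Cisco-AVPair" and value.startswith("psk="):
            out.append(("Tunnel-Password", value[len("psk="):]))
        elif name == "Cisco-AVPair" and value.startswith("psk-mode="):
            continue  # companion of the AVPair form only
        else:
            out.append((name, value))
    return out

def render(attrs, mask=True):
    """Format attributes one per line, masking PSK values for sharing."""
    lines = []
    for name, value in attrs:
        if mask and name == "Tunnel-Password":
            value = "******"
        elif mask and name == "Cisco-AVPair" and value.startswith("psk="):
            value = "psk=******"
        lines.append(f'{name} = "{value}"')
    return "\n".join(lines)

if __name__ == "__main__":
    reply = parse_attributes(REPLY)
    print("PSK carried in:", psk_carriers(reply))
    print(render(as_tunnel_password(reply)))
```

`render()` masks the key by default, so its output can be pasted into a list post without exposing the PSK.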
   