That's it, Fabrice. Hostapd worked like a charm. Got any advice on how to
adapt the Meraki Cloud Controller V2 module?
On Friday, November 20, 2020, 09:48:01 PM EST, Durand fabrice
<[email protected]> wrote:
Hello Michael,
you can try with the hostapd switch module; this one uses
tunnel-password (https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Hostapd.pm#L189).
If it works then it will be easy to adapt the meraki switch module.
Regards
Fabrice
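For anyone following the advice above, the practical difference between the two ways of returning the PSK is that Cisco-AVPair "psk=..." is a plain string attribute, whereas Tunnel-Password (RFC 2868, attribute 69) carries the password obfuscated under the RADIUS shared secret, the Request-Authenticator and a two-byte salt. The following is an added example, not PacketFence or Meraki code, that implements the RFC 2868 Tunnel-Password encoding and decoding and compares it with the Cisco-AVPair form. The shared secret, Request-Authenticator, salt and PSK value are constructed for the example; a real Access-Accept would use the NAS's secret and the authenticator from the matching Access-Request.

```python
import hashlib
import os

ATTR_TUNNEL_PASSWORD = 69      # RFC 2868 attribute type
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# Constructed sample values (not taken from the thread's capture).
SHARED_SECRET = b"example-radius-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # 16-byte authenticator of the Access-Request
SAMPLE_PSK = b"otahreeddttreeee"


def random_salt() -> bytes:
    """Two-byte salt; RFC 2868 requires the most significant bit to be set."""
    s = bytearray(os.urandom(2))
    s[0] |= 0x80
    return bytes(s)


def encode_tunnel_password(password: bytes, secret: bytes, request_auth: bytes,
                           salt: bytes, tag: int = 0) -> bytes:
    """Return the Tunnel-Password attribute value: Tag | Salt | encrypted String.

    Plaintext is a length byte followed by the password, zero-padded to a
    multiple of 16. Block i is XORed with b(i), where
    b(1) = MD5(secret + request_auth + salt) and b(i) = MD5(secret + c(i-1)).
    """
    if len(request_auth) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the MSB set")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    if 3 + len(plain) > 253:
        raise ValueError("password too long for one RADIUS attribute")
    out = bytearray()
    prev = hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(plain), 16):
        block = bytes(p ^ b for p, b in zip(plain[i:i + 16], prev))
        out += block
        prev = hashlib.md5(secret + block).digest()
    return bytes([tag]) + salt + bytes(out)


def decode_tunnel_password(value: bytes, secret: bytes, request_auth: bytes):
    """Inverse of encode_tunnel_password; returns (tag, password)."""
    if len(value) < 3 + 16:
        raise ValueError("value too short")
    tag, salt, cipher = value[0], value[1:3], value[3:]
    if len(cipher) % 16:
        raise ValueError("encrypted string is not a multiple of 16 bytes")
    plain = bytearray()
    prev = hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(block, prev))
        prev = hashlib.md5(secret + block).digest()
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad length byte after decryption (wrong secret or authenticator?)")
    return tag, bytes(plain[1:1 + n])


def tunnel_password_attribute(psk: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Type | Length | Value framing for Tunnel-Password."""
    value = encode_tunnel_password(psk, secret, request_auth, salt)
    return bytes([ATTR_TUNNEL_PASSWORD, 2 + len(value)]) + value


def cisco_avpair_psk_attribute(psk: bytes) -> bytes:
    """Vendor-Specific (Cisco) AVPair carrying psk=<value> as a plain string."""
    avpair = b"psk=" + psk
    vsa = bytes([CISCO_AVPAIR, 2 + len(avpair)]) + avpair
    return bytes([ATTR_VENDOR_SPECIFIC, 6 + len(vsa)]) + CISCO_VENDOR_ID.to_bytes(4, "big") + vsa


def psk_visible_in_attribute(attribute: bytes, psk: bytes) -> bool:
    """True when the PSK appears verbatim in the attribute bytes on the wire."""
    return psk in attribute


if __name__ == "__main__":
    salt = random_salt()
    tp = tunnel_password_attribute(SAMPLE_PSK, SHARED_SECRET, REQUEST_AUTHENTICATOR, salt)
    av = cisco_avpair_psk_attribute(SAMPLE_PSK)
    print("Tunnel-Password exposes PSK on the wire:", psk_visible_in_attribute(tp, SAMPLE_PSK))
    print("Cisco-AVPair exposes PSK on the wire:  ", psk_visible_in_attribute(av, SAMPLE_PSK))
    print("round trip:", decode_tunnel_password(tp[2:], SHARED_SECRET, REQUEST_AUTHENTICATOR))
```

Note that the MD5 construction is obfuscation keyed by the shared secret, not modern authenticated encryption; it only helps if the RADIUS secret is strong and the RADIUS exchange itself is on a protected path. Decoding with the wrong secret or authenticator fails the length-byte sanity check here, which is the same symptom a NAS shows when the secret on the switch entry does not match.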
Le 20-11-17 à 11 h 53, Michael Brown via PacketFence-users a écrit :
Hey Guys,
Just checking in one more time on this one. Any ideas?
Thanks, Mike
On Thursday, November 12, 2020, 11:38:23 AM EST, Michael Brown
<[email protected]> wrote:
Based off the auditing log below it looks like PacketFence sends the PSK
back to the Meraki access point as Cisco-AVPair. Is there any way to change
PacketFence to send the PSK as tunnel-password instead of Cisco-AVPair?
RADIUS Request
User-Name = "00e04c19dddd"
User-Password = "******"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624cccc
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19dddd"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294eeee"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19dddd"
RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttreeee"
Cisco-AVPair = "psk-mode=ascii"
On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown
<[email protected]> wrote:
Checking in on this.
I put a message up on Meraki and it looks like the problem is the RADIUS
Access-Accept message is not returning the Tunnel-Password with the user's
dpsk. It is only returning the VLAN ID. Is there something missing in my
config to make that happen?
Thanks.
On Tuesday, October 20, 2020, 12:07:27 PM EDT, Michael Brown
<[email protected]> wrote:
Hi Guys,
Has anyone been able to get DPSK working with Meraki access points?
The provisioner portion is working: the user joins a network, signs in to
the portal, and once they are signed in they are presented with the name of
the network that uses DPSK and their DPSK password. The problem is that when I try
to join the DPSK network with the provided DPSK I receive "Can't connect to this
network" (Windows 10 device).
We have one PacketFence server set up out of band.
Here are my profiles:
PROVIDES DPSK
[Auth-Wireless]
locale=
sources=BYOD-Wireless-User-Authentication
advanced_filter=
provisioners=DPSK
filter=ssid:Auth
DPSK NETWORK PROFILE
[BYOD-Wireless]
locale=
advanced_filter=
filter=ssid:WIFI-BYOD
dpsk=enabled
autoregister=enabled
default_psk_key=testing12345678!
unreg_on_acct_stop=disabled
filter_match_style=all
HERE IS THE AUTH SOURCE FOR Auth-Wireless PROFILE:
[BYOD-Wireless-User-Authentication]
cache_match=0
read_timeout=10
realms=null,domain.com
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\,PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=BYOD Wireless User Authentication
port=389
host=dc.domain.com
write_timeout=5
type=AD
[BYOD-Wireless-User-Authentication rule Network-Administrators]
action0=set_role=WIFI-IT-STAFF-DISTRICT
condition0=memberOf,equals,CN=Network Administrators,OU=DomainGroups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Network Administrators Group
[BYOD-Wireless-User-Authentication rule Faculty-All]
action0=set_role=WIFI-STAFF-GUESTS
condition0=memberOf,equals,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Faculty All
HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:
Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
RADIUS server set to PacketFence management
RADIUS testing: disabled
RADIUS CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
RADIUS override: RADIUS response can override VLAN tag
HERE IS WHAT THE PF LOG SAYS WHEN I TRY TO JOIN:
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN:
[mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module
pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure
you enable Vendor Specific Attributes (VSA) on the AP if you want them to
work.(pf::Switch::getCiscoAvPairAttribute)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip =>
(172.20.110.19), connection_type => Wireless-802.11-NoEAP,switch_mac =>
(e2:cb:ac:91:85:df), mac => [00:e0:4c:19:dd:56], port => 0, username =>
"00e04c19dd56", ssid => WIFI-BYOD (pf::radius::authorize)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] Instantiate profile
BYOD-Wireless(pf::Connection::ProfileFactory::_from_profile)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] Found authentication source(s)
:'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication'
for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN:
[mac:00:e0:4c:19:dd:56] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] Found authentication source(s)
:'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication'
for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] Connection type is MAC-AUTH. Getting role from
node_info(pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] Username was defined "00e04c19dd56" - returning role
'WIFI-IT-STAFF-DISTRICT'(pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] PID: "user", Status: reg Returned VLAN: (undefined),
Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] (172.20.110.19) Added VLAN 118 to the returned RADIUS
Access-Accept(pf::Switch::returnRadiusAccessAccept)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO:
[mac:00:e0:4c:19:dd:56] security_event 1300003 force-closed for
00:e0:4c:19:dd:56(pf::security_event::security_event_force_close)
HERE IS WHAT THE RADIUS LOG SAYS:
Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:56] Accepted user:
and returned VLAN 118
Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from
client 172.20.110.19/32 port 0 cli 00:e0:4c:19:dd:56)
Thanks for your help.
Mike
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users