Hello Everyone,

So this is what I got setup-wise:

I got a datacenter, where both the Unifi Controller and the NAC are.
The datacenter is in a basement, where I got an office, hence it's in the same 
network, not over VPN. The APs in the office work fine. No issues, I can connect 
to the wifi using the TLS user cert that I get over SCEP.

I am using OpenVPN, if that matters, as the site-to-site, but I can switch over 
to IPSec for testing.

Problem is that anything in a remote office just does not work.
I get the requests coming in but the AP does not get anything back.

I did some digging on the internet and it complained about EAP Fragmentation 

https://www.ietf.org/proceedings/71/slides/radext-4.pdf
https://www.reddit.com/r/networking/comments/gougg3/issues_with_ip_fragmentation_when_using_eaptls_in/

There is no option to change the MTU on the AP site, it's currently at 1400.
It seems that also Framed-MTU is telling the radius client what size to use 
during the initial requests, so it is supposed to influence the client side of 
things.

This is why I was looking in that direction

Regards
Adrian



From: Fabrice Durand via PacketFence-users 
<packetfence-users@lists.sourceforge.net> 
Sent: Wednesday, 23 March 2022 02:12
To: packetfence-users <packetfence-users@lists.sourceforge.net>
Cc: Fabrice Durand <oeufd...@gmail.com>
Subject: Re: [PacketFence-users] Unifi APs and Packetfence

Hello Adrian,
I deal with that sometimes and it's supposed to be the NAS that sends the 
Framed-MTU attribute.
Are you able to see it in the request?
Can you change it on the AP side?

Also, if you change it on the freeradius side I don't think it will change 
anything.

Regards
Fabrice
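
One way to check from a capture whether the NAS sends Framed-MTU and how large each Access-Request is, as an added example that is not part of the original thread: it parses a raw RADIUS payload, reports Framed-MTU and the EAP-Message bytes, and tests whether the UDP datagram exceeds a given path MTU. The sample packets are constructed, and the helper names and the path MTU passed in are assumptions.

```python
import struct

FRAMED_MTU, EAP_MESSAGE = 12, 79   # RADIUS attribute types (RFC 2865 / RFC 3579)
IP_UDP_OVERHEAD = 20 + 8           # IPv4 header without options + UDP header

def parse_radius(pkt: bytes) -> dict:
    """Return code, declared length, Framed-MTU (or None) and total EAP bytes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    info = {"code": code, "length": length, "framed_mtu": None, "eap_bytes": 0}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + alen]
        if atype == FRAMED_MTU and len(value) == 4:
            info["framed_mtu"] = struct.unpack("!I", value)[0]
        elif atype == EAP_MESSAGE:
            info["eap_bytes"] += len(value)
        pos += alen
    return info

def needs_ip_fragmentation(info: dict, path_mtu: int) -> bool:
    """True if the UDP datagram carrying this packet exceeds path_mtu."""
    return info["length"] + IP_UDP_OVERHEAD > path_mtu

def build_sample(framed_mtu: int, eap_len: int) -> bytes:
    """Constructed Access-Request: Framed-MTU plus eap_len bytes of dummy EAP."""
    attrs = bytes([FRAMED_MTU, 6]) + struct.pack("!I", framed_mtu)
    eap = bytes(eap_len)
    for i in range(0, eap_len, 253):   # one attribute value holds at most 253 bytes
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    # Constructed cases: (Framed-MTU, EAP bytes); path_mtu=1400 is an assumed value.
    for mtu, eap_len in ((1400, 1390), (1300, 1200)):
        info = parse_radius(build_sample(mtu, eap_len))
        print(info, "fragments:", needs_ip_fragmentation(info, path_mtu=1400))
```

The bytes to feed `parse_radius` are the UDP payload of a captured Access-Request; the path MTU has to be lowered by whatever the tunnel encapsulation costs on the link in question.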



On Tue, 22 Mar 2022 at 20:41, Enrique Gross via PacketFence-users 
<mailto:packetfence-users@lists.sourceforge.net> wrote:
Hi Adrián

I have a group of unifi APs doing radius packetfence magic via L2TP/IPSEC 
tunnel. No issues so far. 

Maybe I can help you. Is your routing OK? Any NAT between your APs and 
packetfence management address? Where is your UNIFI controller located? I'm not 
really a fragmentation/MTU expert, why do you think this is causing problems?

Enrique



On Tue, 22 Mar 2022 at 17:26, Adrian Damaschek via PacketFence-users 
<mailto:packetfence-users@lists.sourceforge.net> wrote:
Hello Everyone, 

I started this topic in my previous thread, but since it's now a different issue 
and more specific I decided to split it off. (The issue with SCEP certs got 
fixed, so thanks everyone.)

Following problem. I got packetfence installed in my main datacenter, now I 
would like to have a central NAC for all my wifi. I use Unifi access points and 
the problem is that it seems not to work over VPN connections.

From all I could find, it's related to fragmentation and MTU. It's suggested to 
set the attribute of FramedMTU to something like 1300 or lower, to tell the 
client that the MTU needs to be lower.
People seem to say that you set this on the radius server, and it tells the 
client to use a lower frameMTU. Not an expert on radius so I don't know.

Anyone managed to get unifi APs to work with radius from offsite?

I would not want to deal with having to have a NAC per site. A radius proxy 
forwarding the requests might be an option but I prefer to use that as a last 
resort.

Thanks for any responses

Adrian

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
