Greetings,

I'm currently trying to implement a captive portal authentication for my wired
clients on a Dell N2048P in my test lab. I followed the instructions provided
by the PacketFence documentation
(https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_enabling_the_captive_portal)
but the client does not receive an IP address.
PacketFence accepts the authentication request and returns the following RADIUS
reply:
REST-HTTP-Status-Code = 200
REST-HTTP-Status-Code = 200
Cisco-AVPair = "url-redirect-acl=registration"
Cisco-AVPair = "url-redirect=http://10.22.11.250/captive-portal/sidc01cbc";
Tunnel-Private-Group-Id = "66"
Reply-Message = "Request processed by PacketFence"
Session-Timeout = 60
Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Termination-Action = RADIUS-Request

My switch configuration looks like this:
no ip http server
ip access-list registration
1000 deny ip any 10.22.11.250 0.0.0.0
1010 permit tcp any any eq http
1020 permit tcp any any eq 443
exit

aaa authentication login "defaultList" local
aaa accounting dot1x default start-stop radius
aaa accounting update newinfo periodic 10
aaa authorization exec "dfltExecAuthList" radius local
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
switchport voice vlan
aaa server radius dynamic-author
client 10.22.11.250 server-key 7 "*****"
auth-type any
exit
radius server auth 10.22.11.250
name "IN"
key 7 "*****"
exit
radius server acct 10.22.11.250
name "IN"
key 7 "*****"
exit

interface Gi1/0/1
spanning-tree portfast
switchport mode general
authentication host-mode multi-domain
authentication event fail action authorize vlan  66
authentication periodic
authentication timer reauthenticate 82800
authentication timer restart 3600
dot1x timeout supp-timeout 5
dot1x timeout tx-period 5
mab auth-type pap
authentication order mab
lldp tlv-select system-description system-capabilities management-address
lldp notification
lldp med confignotification
switchport voice vlan 12
exit

I'm a bit confused about the "deny ip any 10.22.11.250" rule in my access-list,
but it's written like this in the official documentation. My best guess is that
the switch does not recognize the client as authenticated and therefore blocks
any traffic going in and out.
I've already experimented with the "authentication allow-unauth dhcp" command,
but this does not seem to help.

Any hints into the right direction would be appreciated.

Kind Regards

Heiko Matthies


ASAP Engineering GmbH Sachsstraße 1A | 85080 Gaimersheim
Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 399 | Mobil. +49 (173) 6729650
heiko.matth...@asap.de | www.asap.de

Managing directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office:
Gaimersheim | Commercial register: Ingolstadt HRB 5408

Data protection: Detailed information on how ASAP handles your personal data
is available on our website under
Data protection: http://www.asap.de/datenschutz/
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
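As an added illustration (not part of the post above, and not PacketFence or Dell code), the script below parses the "registration" access-list exactly as it appears in the switch configuration and evaluates it, first-match with an implicit deny at the end, against a set of constructed sample flows: HTTP and HTTPS to an outside host, HTTP to the PacketFence server 10.22.11.250, a DHCP DISCOVER and a DNS query. A second function interprets the same result under redirect-ACL semantics, which is an assumption about the platform taken from Cisco's url-redirect-acl convention: "permit" entries select traffic for redirection to the portal, while "deny" entries and unmatched traffic are forwarded as-is. The sample flows, the Flow/AclEntry names and the PORT_NAMES table are constructed for this example; the "0.0.0.0" after 10.22.11.250 is parsed as an inverse (wildcard) mask.

```python
"""Constructed example: evaluate the 'registration' ACL from the post against
sample flows, then reinterpret the verdict under redirect-ACL semantics."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports as they appear in switch ACL syntax (constructed subset).
PORT_NAMES = {"http": 80, "https": 443, "domain": 53, "bootps": 67, "bootpc": 68}
ANY_WILDCARD = 0xFFFFFFFF  # wildcard of all ones matches every address


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: Tuple[int, int]   # (address, inverse/wildcard mask) as integers
    dst: Tuple[int, int]
    dst_port: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A'; return ((addr, wildcard), rest)."""
    head = tokens[0]
    if head == "any":
        return (0, ANY_WILDCARD), tokens[1:]
    if head == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(head))
    if len(tokens) > 1 and _is_ipv4(tokens[1]):  # "10.22.11.250 0.0.0.0" form
        return (addr, int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]
    return (addr, 0), tokens[1:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse numbered entries; 'ip access-list NAME', 'exit' and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, rest = _parse_addr(tokens[3:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append(AclEntry(seq, action, proto, src, dst, port))
    return sorted(entries, key=lambda e: e.seq)


def _addr_matches(spec: Tuple[int, int], ip_str: str) -> bool:
    addr, wildcard = spec
    care_bits = ~wildcard & ANY_WILDCARD  # bits that must be equal
    return ((int(ipaddress.IPv4Address(ip_str)) ^ addr) & care_bits) == 0


def _entry_matches(e: AclEntry, f: Flow) -> bool:
    if e.proto != "ip" and e.proto != f.proto:
        return False
    if not (_addr_matches(e.src, f.src) and _addr_matches(e.dst, f.dst)):
        return False
    return e.dst_port is None or e.dst_port == f.dst_port


def evaluate(acl: List[AclEntry], flow: Flow) -> Tuple[Optional[int], str]:
    """First matching entry wins; (None, 'deny') is the implicit deny at the end."""
    for e in acl:
        if _entry_matches(e, flow):
            return e.seq, e.action
    return None, "deny"


def redirect_decision(acl: List[AclEntry], flow: Flow) -> str:
    """Assumed redirect-ACL semantics: permit = redirect to portal, otherwise forward."""
    return "redirect" if evaluate(acl, flow)[1] == "permit" else "forward"


# The access-list exactly as posted.
ACL_TEXT = """
ip access-list registration
1000 deny ip any 10.22.11.250 0.0.0.0
1010 permit tcp any any eq http
1020 permit tcp any any eq 443
exit
"""

# Constructed sample flows from a client in the registration VLAN.
SAMPLE_FLOWS = [
    ("HTTP to web", Flow("tcp", "192.0.2.10", "203.0.113.5", 80)),
    ("HTTPS to web", Flow("tcp", "192.0.2.10", "203.0.113.5", 443)),
    ("HTTP to portal", Flow("tcp", "192.0.2.10", "10.22.11.250", 80)),
    ("DHCP discover", Flow("udp", "0.0.0.0", "255.255.255.255", 67)),
    ("DNS query", Flow("udp", "192.0.2.10", "192.0.2.1", 53)),
]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for label, flow in SAMPLE_FLOWS:
        seq, action = evaluate(acl, flow)
        print(f"{label:15} seq={seq!s:5} action={action:6} -> {redirect_decision(acl, flow)}")
```

Run as-is it prints one line per sample flow; only the two web flows hit permit entries, the flow to 10.22.11.250 hits entry 1000, and DHCP and DNS match nothing. Whether "match nothing" means dropped or simply not redirected depends on how the platform applies the list, which is why the two verdicts are kept separate.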