Hi,

Not running a Cloud Key, running on a Debian server. Yes, security with no time and resources is sometimes challenging, but we try to secure the infrastructure, not the software. I will try to test further with new versions.
Regarding provisioning via config file, it seems it is possible to mass-provision via config file in the Unifi Network software; I understand this is still not practical. I will try to do some testing. I agree that if Unifi dropped support for a feature (CoA) that never left beta, it would be bad news.

Enrique

On Thu, 29 Feb 2024 at 00:01, Lucas Guimaraes (<lucas.guimar...@kavak.com>) wrote:
>
> Hi,
>
> Thank you for your help and for keeping the support alive too ^^
>
> Don't worry about your English, it's fine ;)
>
> I'm glad that you showed some results of your quick test and setup. It looks good and functional \0/ I really appreciate it :D
>
> But I'm not sure I understood your controller firmware setup correctly: were you saying your Unifi controller (Cloud Key) is on firmware version 6.5.55, or were you talking about the Network Application version 6.5.55? Sorry for that, but I might be a little sticky on this point to understand it better, because I only found this version in the Unifi Network release history, and that concerns me a lot if so. (Please correct me if I'm wrong.)
>
> https://community.ui.com/releases/UniFi-Network-Application-6-5-55/48c64137-4a4a-41f7-b7e4-3bee505ae16e
>
> If that's the case, I wouldn't recommend using this version from two years ago or older in any production environment, due to some CVEs that have been seen over the years where high-level vulnerabilities have been found. Sorry again, but if that is all correct, that is a high security risk which will create a certain concern about deploying a Captive Portal.
>
> Now, if that's not the case, even so, I'm not really willing to roll back to some old firmware versions to deploy the Captive Portal at a global scale. Sorry, but I can't.
>
> Now, besides the old firmware story, just commenting on some parts of the log story:
>
> "I'm not sure, but i think CoA is implemented on AP firmware, as on a UAP/AP "running config":"
>
> - I think so too :D
>
> "As UNIFI is not supporting the old UI anymore, and, in the new UI CoA is not implemented, I think is possible to provision UAPs via config text file on controller side, but have not tested:"
>
> - I think the old UI is still supported within the new UI to enable the CoA option, but it looks like a dead feature if you ask me. Changing the UI: https://www.youtube.com/watch?v=uXAdDql-WDg
>
> About the text, thank you for sharing the config file. I'll keep that in mind, but changing each config file on each active AP in a place where there are tons of APs installed sounds like an unbearable task to execute hehehe, though for controllers it might not be. Even so, the warnings in the file are kind of scary for today's or future firmwares, since it's not official. As is well known, Unifi is very changeable, with many updates in a short period of time, and everyone might feel too that sometimes the Unifi updates are quite right and others are not. In my opinion, it feels like Russian roulette sometimes.
>
> "CoA is enabled when Radius profile is created?"
>
> - If I'm not mistaken, in the new UI, after you create the Radius profile and go back to the old UI, I saw the CoA feature's checkbox unchecked!!!
>
> For me, even after checking the box, nothing has worked as expected. Then, after many attempts, day after day, I just used my last resort, asking for help here :) and here we are ^^
>
> But, just to let you know, I did a workaround for the FreeRadius problem I was having before, and today I just finished my POC with FreeRadius.
> But using EAP-TLS instead, and so far it has been a good choice to replace the old LDAP infrastructure that I had when I lost the LDAP Secure feature in Google Workspace due to the plan downgrade.
>
> Thank you again
>
> Regards,
>
> On Mon, 26 Feb 2024 at 20:43, Enrique Gross <egr...@jcc-advance.com.ar> wrote:
>>
>> Hi,
>>
>> I did some quick testing; it's a little old on updates, but working.
>>
>> I apologize for my bad English. I have removed timestamps from logs.
>>
>> - PF server version: 11.0.0
>>
>> - Unifi Controller: 6.5.55 on Debian
>> - UAP/AP Model: UAP-AC-Pro
>> - UAP/AP Firmware: 6.6.55.15189
>>
>> - Switch config on PF:
>>
>>   IP ADDRESS: "UAP_ip_address"
>>   MAC ADDRESS: 18:e8:29:66:XX:XX
>>   Type: Ubiquiti:Unifi
>>   Deauthentication Method: RADIUS
>>   Use CoA: Yes
>>   RADIUS secret passphrase: "your_passphrase"
>>   Roles by VLAN ID as needed
>>
>> - SSID: "regtest", MAC-AUTH, RADIUS-assigned VLAN.
>>
>> - Client Device: Windows 10 laptop
>>   MAC address: f8:59:71:c4:XX:XX
>>
>> - Client connects first, in unreg condition and with no role:
>>
>> - Not registered, placed in reg VLAN:
>>
>> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] handling radius autz request: from switch_ip => (192.168.96.XX), connection_type => Wireless-802.11-NoEAP,switch_mac => (18:e8:29:67:XX:XX), mac => [f8:59:71:c4:XX:XX], port => 0, username => "f8:59:71:c4:XX:XX", ssid => regtest (pf::radius::authorize)
>> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] Instantiate profile IBERA-TEST (pf::Connection::ProfileFactory:_from_profile)
>> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
>> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] (192.168.96.XX) Added VLAN 102 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>>
>> - Client proceeds with portal auth, is registered and placed in the "guest" VLAN:
>>
>> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] Username was defined "f8:59:71:c4:XX:XX" - returning role 'guest' (pf::role::getRegisteredRole)
>> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] PID: "default", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
>> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] (192.168.96.XX) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>>
>> I'm not sure, but I think CoA is implemented in the AP firmware, as in a UAP/AP "running config":
>>
>> aaa.radius.dad.status=enabled
>> aaa.radius.dad.port=3799
>> aaa.1.radius.das.status=enabled
>> aaa.1.radius.das.port=3801
>> aaa.1.radius.dad.status=enabled
>>
>> As UNIFI is not supporting the old UI anymore, and CoA is not implemented in the new UI, I think it is possible to provision UAPs via a config text file on the controller side, but I have not tested:
>>
>> https://gist.github.com/modest/d6ffb2cdd5e38b213f24c29be38e3b1d
>>
>> Not sure if this is possible on new controller versions, as I'm a little behind on that. But CoA is working on this test env's firmware/versions ecosystem. Or maybe on the new Unifi Network software, CoA is enabled when the Radius profile is created?
>>
>> PF side:
>>
>> (7) Disconnect-Request Id 1 ens192:10.100.0.2:46904 -> 192.168.96.XX:3799 +10.748
>>   Calling-Station-Id = "F8-59-71-C4-56-3F"
>>   NAS-Identifier = "18e829677602"
>>   Authenticator-Field = 0x776e35f33d6376547f3c57e46402ea49
>>
>> (9) Disconnect-ACK Id 1 ens192:10.100.0.2:46904 <- 192.168.96.XX:3799 +10.764 +0.016
>>   Event-Timestamp = "Feb 22 2024 19:11:43 -03"
>>   Message-Authenticator = 0xa5a19f1c4f9c253ca6bfce2033d74a3c
>>   Authenticator-Field = 0x5384dccc7ce36e404d3ea859b818793b
>>
>> UAP side:
>>
>> IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS, Disconnect-Request (40), id: 0x7d length: 53
>> IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS, Disconnect-Request (40), id: 0x7d length: 53
>> IP 192.168.96.XX.3799 > pf.your-server.com.ar.53203: RADIUS, Disconnect-ACK (41), id: 0x7d length: 44
>> IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS, Disconnect-Request (40), id: 0x72 length: 53
>> IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS, Disconnect-Request (40), id: 0x72 length: 53
>> IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS, Disconnect-ACK (41), id: 0x72 length: 44
>> IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS, Disconnect-ACK (41), id: 0x72 length: 44
>>
>> I will be out for a few weeks, but I'm glad to help with integrating Unifi and Mikrotik with PF, and to keep support alive. I also have spare HW to perform some testing; maybe I could get a new-gen U6 Unifi UAP or a Mikrotik CAP AX too. I can also spare some cloud resources to run new PF versions along with new UNIFI/MIKROTIK software.
>>
>> Enrique
>>
>> On Fri, 16 Feb 2024 at 23:44, Lucas Guimaraes (<lucas.guimar...@kavak.com>) wrote:
>>>
>>> Hi Enrique,
>>>
>>> Yes, switching to the legacy interface, we can see the Radius CoA (beta for ages hehehe) in the SSID as soon as you enable the Radius option.
>>> However, even if you enable this feature on the Unifi Controller, the issue "Can't login on the Unifi controller: 404 Not Found ''" is still there. Consequently, the device which is trying to go out to the internet is still stuck inside the portal.
>>>
>>> In other words, even with CoA on in Unifi, the deauthentication doesn't work. At that point, pf tries to send a command to the Unifi Controller, but it doesn't respond.
>>>
>>> Also, I've tried all the deauthentication methods available in pf instead, and none of them has worked, either with the latest stable firmware on the Unifi Controller or with the Network software. I was putting my faith in Radius deauthentication in pf to see if that works with web auth enabled too, as we know Radius works in Unifi, but it still shows the same error.
>>>
>>> It's kind of frustrating tbh :/
>>>
>>> I hope someday a dev from pf / Unifi could help us with that.
>>>
>>> I think many people are looking forward to that ^^
>>>
>>> On Fri, 16 Feb 2024, 08:17 Enrique Gross via PacketFence-users, <packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>> Hi Mike, Hi Lucas
>>>>
>>>> I have read somewhere that there were issues with web authentication and Unifi appliances like the UDM. I remember configuring web auth, but I now use RADIUS CoA and it works well. I admit I'm a few versions behind on my Unifi controller, and this double-UI issue is kind of a headache. But the CoA option is still there in the UI on Unifi controller 8.X when you switch to the old one; does the config not provision anymore?
>>>>
>>>> Enrique
>>>>
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> PacketFence-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>> CONFIDENTIALITY NOTICE
>>> This e-mail message and any attachments may contain confidential or legally privileged information and is intended only for the use of the intended recipient(s). Any unauthorized disclosure, dissemination, distribution, copying or any action in reliance on the information herein is prohibited.
>>> It is prohibited to persons or entities that are not the recipient(s) of this email any modification, copying, distribution, disclosure, retention or use of the information contained therein. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, or contain viruses. Anyone who communicates with us by e-mail is deemed to have accepted these risks. The Data Owner is not responsible for errors or omissions in this message and denies any responsibility for any damage arising from the use of e-mail. Any opinion and other statement contained in this message and any attachment are solely those of the author and do not necessarily represent those of the company.
>
> --
> Regards,
> IT Technical Support
>
> +55 11 96797-7832
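Editor's addition (not code from the thread, from PacketFence or from Ubiquiti): both ends of the RFC 5176 Disconnect exchange that Enrique captured, written out in Python so the AP's dynamic-authorization port can be exercised and debugged without PacketFence in the path. build_disconnect_request produces the Calling-Station-Id + NAS-Identifier packet PacketFence sent (with with_ma=False it is the 53-byte Disconnect-Request seen on the UAP side); nas_handle stands in for the AP and, after checking the shared secret, answers a 44-byte Disconnect-ACK carrying Event-Timestamp and Message-Authenticator (the lengths in the tcpdump above), or a Disconnect-NAK with Error-Cause 503 when it has no such session; parse_response validates the reply on the PacketFence side. Assumptions: the secret b"your_passphrase" and the in-memory sessions set are constructed for the example; the client MAC and NAS-Identifier are the values from the capture; the HMAC-MD5/MD5 ordering is RFC 5176 section 2.3 and RFC 3579 section 3.2 as FreeRADIUS's rad_sign() applies them to CoA/Disconnect packets (my reading, not something the thread confirms).

```python
"""Both ends of an RFC 5176 Disconnect exchange: DAC (PacketFence) and NAS (UniFi AP). Added example."""
import hashlib
import hmac
import os
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, NAS_IDENTIFIER, EVENT_TIMESTAMP = 31, 32, 55
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
SESSION_CONTEXT_NOT_FOUND = 503         # RFC 5176 Error-Cause value
HDR = struct.Struct("!BBH16s")          # Code, Identifier, Length, Authenticator

def _encode(attrs):
    if any(len(v) > 253 for _, v in attrs):
        raise ValueError("attribute too long")
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def _decode(body):
    """(type, value, offset) triples; a bad length is rejected instead of over-read."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]], i))
        i += body[i + 1]
    return attrs

def _sign(code, ident, req_auth, attrs, secret, with_ma=True):
    """Message-Authenticator = HMAC-MD5(secret, packet with its MA value zeroed), the
    Authenticator field being all-zero for a request and the request's authenticator
    for a reply; then Authenticator = MD5(packet + secret). Assumed FreeRADIUS order."""
    body = _encode(attrs)
    if with_ma:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = HDR.size + len(body)
    head = HDR.pack(code, ident, length, bytes(16) if code == DISCONNECT_REQUEST else req_auth)
    if with_ma:
        body = body[:-16] + hmac.new(secret, head + body, hashlib.md5).digest()
    return HDR.pack(code, ident, length, hashlib.md5(head + body + secret).digest()) + body

def _verify(packet, secret, req_auth=None):
    """Decoded attributes if the Authenticator and any Message-Authenticator verify, else None."""
    try:
        code, ident, length, auth = HDR.unpack_from(packet)
        body = packet[HDR.size:]
        attrs = _decode(body)
    except (struct.error, ValueError):
        return None
    vec = bytes(16) if code == DISCONNECT_REQUEST else req_auth
    if length != len(packet) or vec is None:
        return None
    head = HDR.pack(code, ident, length, vec)
    if not hmac.compare_digest(hashlib.md5(head + body + secret).digest(), auth):
        return None
    for t, v, off in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = body[:off + 2] + bytes(16) + body[off + 18:]
            calc = hmac.new(secret, head + zeroed, hashlib.md5).digest()
            if len(v) != 16 or not hmac.compare_digest(calc, v):
                return None
    return attrs

def build_disconnect_request(secret, mac, nas_id, ident=None, with_ma=True):
    """DAC side: what PacketFence sends to the AP's DAS port (3799 in the thread).
    with_ma=False reproduces the capture's 53-byte request, which carried no MA."""
    ident = os.urandom(1)[0] if ident is None else ident
    attrs = [(CALLING_STATION_ID, mac.encode()), (NAS_IDENTIFIER, nas_id.encode())]
    return _sign(DISCONNECT_REQUEST, ident, None, attrs, secret, with_ma)

def nas_handle(packet, secret, sessions):
    """NAS (AP) side: drop the session named by Calling-Station-Id and ACK, or NAK with
    Error-Cause 503. `sessions` is a set of client MACs standing in for the association
    table (constructed). A packet that fails authentication is silently discarded (RFC 5176)."""
    attrs = _verify(packet, secret)
    if attrs is None or packet[0] != DISCONNECT_REQUEST:
        return None
    _, ident, _, req_auth = HDR.unpack_from(packet)
    mac = next((v.decode() for t, v, _ in attrs if t == CALLING_STATION_ID), None)
    stamp = (EVENT_TIMESTAMP, struct.pack("!I", int(time.time())))
    if mac in sessions:
        sessions.discard(mac)
        return _sign(DISCONNECT_ACK, ident, req_auth, [stamp], secret)
    cause = (ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    return _sign(DISCONNECT_NAK, ident, req_auth, [stamp, cause], secret)

def parse_response(request, response, secret):
    """DAC side: 'ACK', 'NAK:<Error-Cause>', or None if the reply is not authentic."""
    _, req_ident, _, req_auth = HDR.unpack_from(request)
    attrs = _verify(response, secret, req_auth)
    if attrs is None or response[1] != req_ident:
        return None
    if response[0] == DISCONNECT_ACK:
        return "ACK"
    cause = next((struct.unpack("!I", v)[0] for t, v, _ in attrs
                  if t == ERROR_CAUSE and len(v) == 4), None)
    return "NAK:%s" % cause if response[0] == DISCONNECT_NAK else None
```

To point this at a real AP, send the bytes from build_disconnect_request with a plain UDP socket to the AP's port 3799 and hand whatever comes back to parse_response together with the request. Two failure modes look the same from the PacketFence side: a shared-secret mismatch (the NAS silently discards the request, so there is no ACK and no NAK) and DAS/DAD simply not listening. The tcpdump Enrique ran on the UAP is what separates them: a request that arrives and gets no reply points at the secret or the aaa.radius.dad settings; a request that never arrives points at routing or a firewall in between.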