Hi,

Thank you for your help and keeping the support alive too ^^

Don't worry about your English, it's fine ;)

I'm glad that you showed some results of your quick test and setup. It
looks good and functional \0/ I really appreciate it :D

But I'm not sure I understood your controller firmware setup correctly:
were you saying your Unifi controller (Cloud Key) is on firmware version
6.5.55, or were you talking about the Network Application version
6.5.55? Sorry for that, but I might be a little sticky on this point to
understand it better, because I only found this version in the Unifi
Network release history, and that concerns me a lot if so. (Please correct
me if I'm wrong.)

https://community.ui.com/releases/UniFi-Network-Application-6-5-55/48c64137-4a4a-41f7-b7e4-3bee505ae16e

If that's the case, I wouldn't recommend using this version from 2 years
ago or older in any production environment, due to some CVEs that have been
seen over the years where high-level vulnerabilities have been found. Sorry
again, but if that is all correct, that is a high security risk which will
create a certain concern about deploying a Captive Portal.

Now, if that's not the case, even so, I'm not really willing to roll back
to some old firmware version to deploy the Captive Portal at a global
scale. Sorry, but I can't.

Now, besides the old firmware story, just commenting on some parts of
the log story:

"I'm not sure, but i think CoA is implemented on AP firmware, as on a
UAP/AP "running config":"

- I think so too :D

"As UNIFI is not supporting the old UI anymore, and, in the new UI CoA is
not implemented, I think is possible to provision UAPs via config text file
on controller side, but have not tested:"

- I think the old UI is still supported within the new UI to enable the
CoA option, but it looks like a dead feature if you ask me. Changing the
interface UI: https://www.youtube.com/watch?v=uXAdDql-WDg

About the text, thank you for sharing the config file. I'll keep that in
mind, but changing each config file for each active AP in a place where
there are tons of APs installed sounds like kind of an unbearable task to
execute hehehe, though for Controllers it might not be. Even so, the
warnings from the file are kind of scary for today's or future firmwares
ahead, since it's not official. As is well known, Unifi is very changeable,
with many updates in a short period of time, where everyone might feel too
that sometimes the Unifi updates are quite right but others are not. In my
opinion, it feels like Russian roulette sometimes.

"CoA is enabled when Radius profile is created?"

- If I'm not mistaken, in the new UI, after you create the Radius profile
and go back to the old UI interface, I saw the box option for the CoA
feature unchecked!!!

For me, even after checking the box option, nothing worked as expected.
Then, after many attempts, day after day, I just used my last resort:
asking for help here :) and here we are ^^

But, just to let you know, I did a workaround for the FreeRadius problem I
was having before, and today I just finished my POC with FreeRadius, but
using EAP-TLS instead, and so far it has been a good choice to replace the
old LDAP infrastructure that I had when I lost the LDAP Secure feature in
Google Workspace due to the plan downgrade.

Thank you again

Regards,

On Mon, 26 Feb 2024 at 20:43, Enrique Gross <[email protected]>
wrote:

> Hi,
>
> I did some quick testing, it's a little old on updates, but working.
>
> I apologize for my bad English. I have removed timestamps from logs.
>
> -PF server version: 11.0.0
>
> -Unifi Controller: 6.5.55 on Debian
> -UAP/AP Model: UAP-AC-Pro
> -UAP/AP Firmware: 6.6.55.15189
>
> -Switch config on PF:
>
> IP ADDRESS: "UAP_ip_address"
> MAC ADDRESS: 18:e8:29:66:XX:XX
> Type: Ubiquiti:Unifi
> Deauthentication Method: RADIUS
> Use CoA: Yes
> Radius, secret Passphrase: "your_passphrase"
> Roles by VLAN ID as needed
>
> -SSID: "regtest", MAC-AUTH, radius assigned VLAN.
>
> -Client Device: Windows 10 Laptop
>  MAC address: f8:59:71:c4:XX:XX
>
> -Client connects first, as unreg condition and no role:
>
> -Not registered, placed in reg vlan:
>
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] handling radius autz request: from switch_ip =>
> (192.168.96.XX), connection_type => Wireless-802.11-NoEAP,switch_mac =>
> (18:e8:29:67:XX:XX), mac => [f8:59:71:c4:XX:XX], port => 0, username =>
> "f8:59:71:c4:XX:XX", ssid => regtest (pf::radius::authorize)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] Instantiate profile IBERA-TEST
> (pf::Connection::ProfileFactory:_from_profile)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] (192.168.96.XX) Added VLAN 102 to the returned
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
> -Client proceeds with portal auth, is registered and placed in "guest"
> vlan:
>
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] Username was defined "f8:59:71:c4:XX:XX" -
> returning role 'guest' (pf::role::getRegisteredRole)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] PID: "default", Status: reg Returned VLAN:
> (undefined), Role: guest (pf::role::fetchRoleForNode)
> pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO:
> [mac:f8:59:71:c4:XX:XX] (192.168.96.XX) Added VLAN 100 to the returned
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
> I'm not sure, but I think CoA is implemented on AP firmware, as on a
> UAP/AP "running config":
>
> aaa.radius.dad.status=enabled
> aaa.radius.dad.port=3799
> aaa.1.radius.das.status=enabled
> aaa.1.radius.das.port=3801
> aaa.1.radius.dad.status=enabled
>
>
> As UNIFI is not supporting the old UI anymore, and, in the new UI, CoA is
> not implemented, I think it is possible to provision UAPs via a config text
> file on the controller side, but I have not tested it:
>
> https://gist.github.com/modest/d6ffb2cdd5e38b213f24c29be38e3b1d
>
> Not sure if this is possible on new controller versions, as I'm a little
> behind on that. But CoA is working on this test env: firmware/versions
> ecosystem.
> Or maybe on new Unifi network software, CoA is enabled when Radius profile
> is created?
>
> PF side:
>
> (7) Disconnect-Request Id 1 ens192:10.100.0.2:46904 -> 192.168.96.XX:3799
> +10.748
>         Calling-Station-Id = "F8-59-71-C4-56-3F"
>         NAS-Identifier = "18e829677602"
>         Authenticator-Field = 0x776e35f33d6376547f3c57e46402ea49
>
> (9) Disconnect-ACK Id 1 ens192:10.100.0.2:46904 <- 192.168.96.XX:3799
> +10.764 +0.016
>         Event-Timestamp = "Feb 22 2024 19:11:43 -03"
>         Message-Authenticator = 0xa5a19f1c4f9c253ca6bfce2033d74a3c
>         Authenticator-Field = 0x5384dccc7ce36e404d3ea859b818793b
>
>
> UAP side:
>
> IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS,
> Disconnect-Request (40), id: 0x7d length: 53
> IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS,
> Disconnect-Request (40), id: 0x7d length: 53
> IP 192.168.96.XX.3799 > pf.your-server.com.ar.53203: RADIUS,
> Disconnect-ACK (41), id: 0x7d length: 44
> IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS,
> Disconnect-Request (40), id: 0x72 length: 53
> IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS,
> Disconnect-Request (40), id: 0x72 length: 53
> IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS,
> Disconnect-ACK (41), id: 0x72 length: 44
> IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS,
> Disconnect-ACK (41), id: 0x72 length: 44
>
> I will be out for a few weeks, but I'm glad to help on integrating Unifi
> and Mikrotik with PF, and keep support alive. I also have spare HW to
> perform some testing; maybe I could get a U6 new gen Unifi UAP or a
> Mikrotik CAP AX too.
> I can also spare some cloud resources to run new PF versions along with
> new UNIFI/MIKROTIK software.
>
> Enrique
>
> On Fri, 16 Feb 2024 at 23:44, Lucas Guimaraes (<
> [email protected]>) wrote:
>
>> Hi Enrique,
>>
>> Yes, switching to the legacy interface, we can see the Radius CoA (Beta
>> for ages hehehe) in the SSID as soon as you enable the Radius option.
>> However, even if you enable this feature on Unifi Controller, the issue
>> "Can't login on the Unifi controller: 404 Not Found '' is still there.
>> Consequently, the device which is trying to go out to the internet is still
>> stuck inside of the portal.
>>
>> In other words, even with CoA on from Unifi, the deauthentication doesn't
>> work. At that point, pf tries to send a command to the Unifi Controller but
>> it doesn't respond.
>>
>> Also, I've tried to do with all the methods of deauthentication in pf
>> available instead and none of them has worked either with the latest
>> firmware stable in Unifi Controller or Network software. I was putting my
>> faith in Radius deauthentication in pf to see if that works too with web
>> auth enabled as we know Radius works in Unifi but it still shows the same
>> error yet.
>>
>> It's kind of frustrating tbh :/
>>
>> I hope someday any dev from pf / unifi could help us with that.
>>
>> I think many people are looking forward to that ^^
>>
>> On Fri, 16 Feb 2024, 08:17 Enrique Gross via PacketFence-users, <
>> [email protected]> wrote:
>>
>>> Hi Mike, Hi Lucas
>>>
>>> I have read somewhere that there were issues with web authentication
>>> and Unifi appliances like UDM. I remember configuring web auth but I
>>> now use RADIUS CoA and it works well. I admit I'm a few versions
>>> behind on my Unifi controller, and this double UI issue is kind of a
>>> headache. But the CoA option is still there on the UI on Unifi
>>> controller 8.X when you switch to the old one; does the config not
>>> provision anymore?
>>>
>>> Enrique
>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
>>
>>
>>
>>
>
>


-- 
Sincerely,
IT Technical Support

+55 11 96797-7832
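The RFC 5176 Disconnect-Request / Disconnect-ACK round trip quoted above (the packet PacketFence sends to the AP's dynamic-authorization port 3799, and how the reply's authenticator should be checked before trusting it), as an added Python example that is not part of this thread or of PacketFence's code. It reuses the Calling-Station-Id and NAS-Identifier values shown in the quoted debug output, assumes the page's placeholder shared secret, and leaves out the optional Message-Authenticator attribute.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and attribute types seen in the quoted exchange
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, NAS_IDENTIFIER, EVENT_TIMESTAMP = 31, 32, 55
DAS_PORT = 3799  # same port as aaa.radius.dad.port=3799 in the AP running config


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_disconnect_request(ident, attrs, secret):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """What the NAS sends back: Response Authenticator =
    MD5(Code|ID|Length|RequestAuthenticator|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(request, response, secret):
    """Accept a Disconnect-ACK/NAK only if its ID matches the outstanding
    request and the Response Authenticator validates under the shared secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"your_passphrase"):
    """Constructed round trip with the identifiers from the quoted Disconnect-Request (Id 1)."""
    request = build_disconnect_request(1, [(CALLING_STATION_ID, b"F8-59-71-C4-56-3F"),
                                           (NAS_IDENTIFIER, b"18e829677602")], secret)
    # Constructed Event-Timestamp value; the AP would put its own clock here.
    ack = build_response(DISCONNECT_ACK, request, [(EVENT_TIMESTAMP, struct.pack("!I", 1708639903))], secret)
    return len(request), verify_response(request, ack, secret), verify_response(request, ack, b"wrong")
```

The request built by demo() is 53 bytes, the same length tcpdump reported on the UAP side for the quoted Disconnect-Request.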

