Hi Elia

> I enabled CoA on Unifi Controller and on PacketFence "Switches" section I
> added the AP through its IP, then I configured: SNMP strings, WebServices
> (https), RADIUS secret password, associated VLAN IDs with Roles, specified
> Unifi Controller IP address, enabled deauth with CoA, specified "RADIUS"
> under Deauthentication Method option, chose "Production" mode and "Unifi
> Controller" as type.


If your deauth method is RADIUS, just configure a RADIUS secret password,
use CoA, and your VLANs per role. There is no need to configure web
services, SNMP or the controller IP address.

You can debug CoA on the UAPs with tcpdump, so you can check if RADIUS
messages are reaching the APs; something like this:

IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS,
Disconnect-Request (40), id: 0x7d length: 53
IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS,
Disconnect-Request (40), id: 0x7d length: 53
IP 192.168.96.XX.3799 > pf.your-server.com.ar.53203: RADIUS, Disconnect-ACK
(41), id: 0x7d length: 44
IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS,
Disconnect-Request (40), id: 0x72 length: 53
IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS,
Disconnect-Request (40), id: 0x72 length: 53
IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS, Disconnect-ACK
(41), id: 0x72 length: 44
IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS, Disconnect-ACK
(41), id: 0x72 length: 44

and on PF side

(7) Disconnect-Request Id 1 ens192:10.100.0.2:46904 -> 192.168.96.XX:3799
+10.748
        Calling-Station-Id = "F8-59-71-C4-56-3F"
        NAS-Identifier = "18e829677602"
        Authenticator-Field = 0x776e35f33d6376547f3c57e46402ea49

(9) Disconnect-ACK Id 1 ens192:10.100.0.2:46904 <- 192.168.96.XX:3799
+10.764 +0.016
        Event-Timestamp = "Feb 22 2024 19:11:43 -03"
        Message-Authenticator = 0xa5a19f1c4f9c253ca6bfce2033d74a3c
        Authenticator-Field = 0x5384dccc7ce36e404d3ea859b818793b

It's working OK. Sometimes you can find devices that won't disconnect from
the AP, but it works; you can try lowering DHCP lease times on your
registration networks too.

This being said, the actual state of CoA on Unifi is unknown. On new versions
of the Unifi Network app, the new UI doesn't include an option to
enable/disable CoA; you have to switch to the old UI, and Unifi is stating
that the old UI is out of support. As CoA is part of a feature that is in the
UAPs' firmware, maybe support is still there.

I'm working with new versions so I can test if CoA is still there on the
new versions and compatible with the new range of UAPs and PF version. I
will try to share my results in the next few weeks.

Enrique.

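Added example (not part of Enrique's reply or of the PacketFence project): a small Python script that parses tcpdump summary lines in the format shown above, re-joins records a mail client wrapped, and pairs each Disconnect-Request with its Disconnect-ACK/NAK by NAS address, server source port and RADIUS identifier, so requests the AP never answered stand out. Host names, addresses and identifiers in the sample are constructed.

```python
import re

# Matches the tcpdump RADIUS summary format shown in the reply. Groups:
# source host, source port, destination host, destination port,
# message name, numeric code, packet identifier.
LINE_RE = re.compile(
    r"IP\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+RADIUS,\s*"
    r"(Disconnect-Request|Disconnect-ACK|Disconnect-NAK"
    r"|CoA-Request|CoA-ACK|CoA-NAK)\s+\((\d+)\),\s*id:\s*(0x[0-9a-fA-F]+)"
)

# Constructed sample: one request acked (after a retransmit), one request
# retransmitted and never answered, one request NAKed. The first record is
# wrapped across two lines, as mail clients do to long capture lines.
SAMPLE = """\
IP pf.example.test.53203 > 192.168.96.10.3799: RADIUS,
Disconnect-Request (40), id: 0x7d length: 53
IP pf.example.test.53203 > 192.168.96.10.3799: RADIUS, Disconnect-Request (40), id: 0x7d length: 53
IP 192.168.96.10.3799 > pf.example.test.53203: RADIUS, Disconnect-ACK (41), id: 0x7d length: 44
IP pf.example.test.50594 > 192.168.96.11.3799: RADIUS, Disconnect-Request (40), id: 0x72 length: 53
IP pf.example.test.50594 > 192.168.96.11.3799: RADIUS, Disconnect-Request (40), id: 0x72 length: 53
IP pf.example.test.50595 > 192.168.96.10.3799: RADIUS, Disconnect-Request (40), id: 0x10 length: 53
IP 192.168.96.10.3799 > pf.example.test.50595: RADIUS, Disconnect-NAK (42), id: 0x10 length: 44
"""

def unwrap(text):
    """Re-join capture records that were wrapped mid-line (a continuation
    line is any non-empty line that does not start with 'IP ')."""
    records = []
    for line in text.splitlines():
        if line.startswith("IP ") or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def correlate_coa(text):
    """Pair requests with replies. Key: (NAS address, PF source port, id).
    Returns {key: {"sent": request count incl. retransmits, "reply": name}}."""
    exchanges = {}
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue  # not a RADIUS CoA/DM line, ignore it
        src, sport, dst, dport, name, _code, pid = m.groups()
        if name.endswith("-Request"):
            key = (dst, sport, pid)          # NAS is the destination
            exchanges.setdefault(key, {"sent": 0, "reply": None})["sent"] += 1
        else:
            key = (src, dport, pid)          # NAS is the source of the reply
            exchanges.setdefault(key, {"sent": 0, "reply": None})["reply"] = name
    return exchanges

def unanswered(text):
    """Requests with no ACK/NAK: look at port 3799 reachability, the shared
    secret, or CoA support on the AP before blaming the client."""
    return [k for k, e in correlate_coa(text).items() if e["reply"] is None]
```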


On Sat, 13 Apr 2024 at 18:58, Elia via PacketFence-users (<
packetfence-users@lists.sourceforge.net>) wrote:

> Hello there,
> I'm struggling with configuring Wireless MAB with Ubiquiti Access Points,
> my goal is to authenticate wireless supplicants through Ubiquiti APs with
> PacketFence's Captive Portal and dynamic VLAN, in this way they can be
> moved into the right VLAN (after a successful authentication with
> credentials).
>
> Some info:
> Unifi controller version: 7.29
> Ubiquiti AP nanohd firmware version: 6.6
> PacketFence version: 13.2
>
> To setup the environment (specifically the SSIDs) I followed the section
> 6.28 under the Network Devices Configuration Guide, specifically 6.28.2
> VLAN Enforcement.
>
> I enabled CoA on Unifi Controller and on PacketFence "Switches" section I
> added the AP through its IP, then I configured: SNMP strings, WebServices
> (https), RADIUS secret password, associated VLAN IDs with Roles, specified
> Unifi Controller IP address, enabled deauth with CoA, specified "RADIUS"
> under Deauthentication Method option, chose "Production" mode and "Unifi
> Controller" as type.
>
> For now, a supplicant which connects to the open SSID is correctly redirected
> to the Captive Portal, but, after login, it isn't dynamically moved into the
> correct VLAN; instead, it needs to switch WiFi off and on in order
> to reconnect to the SSID and to take the IP in the right VLAN through our
> DHCP server.
>
> Is there a way to fix this behaviour and make the supplicant dynamically
> moved?
>
> One strange behaviour is that sometimes a supplicant is correctly
> dynamically moved into the assigned Role (so the assigned VLAN) after login
> (I don't know why sometimes it works without changing anything on the Unifi
> side nor the PF side). For example: 2 supplicants are correctly moved into
> the VLAN, while the third supplicant which comes after them, after a
> successful login, is not dynamically moved into the assigned VLAN. Any
> suggestions with this?
>
> Another issue: if I delete a node after a successful authentication,
> PacketFence's RADIUS server sends a Disconnect-Request to the Ubiquiti AP, the
> Ubiquiti AP replies with a "Disconnect-ACK" packet but the supplicant is still
> connected to WiFi without being disconnected. How can I successfully
> disconnect a client?
>
> Eventually, I suspect that all is properly configured on PF and on the
> Unifi Controller, so at this point my question is: what is the actual status
> of the integration between PF and Unifi? Has MAB authentication ever
> worked? Thanks!
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>

