Hi Rexford, good Monday.

"Added VLAN 20 to the returned RADIUS Access-Accept": you can use tcpdump on the AP side to check if the AP is receiving the RADIUS Access-Accept.

Enrique

On Sat, Jul 20, 2024 at 17:26, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:

> Hello All,
>
> @Enrique Gross <egr...@jcc-advance.com.ar>
> 1. I have two interfaces on my PF box. One is management (connected to a
> management DMZ) and the second interface is a trunk with all VLANs; that is
> the interface through which PF is connected to the Unifi APs and
> controller. I enabled RADIUS on this interface and started getting the
> error in my previous mail.
>
> 2. No, my connection profile only checks for connection types for wireless
> clients.
>
> Due to the RADIUS error ignoring requests from my APs, I decided to remove
> the AP added by MAC and this time add it by IP. Doing this eliminated that
> error. I now see auth requests reaching PF from the AP and the open network,
> which is good. However, from the logs, it seems PF returns the
> unauthenticated client info to the AP with the registration VLAN but
> somehow the client doesn't seem to get to the registration portal. I am not
> sure if Unifi is placing the client in the right VLAN. Below are the logs.
>
> Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] handling radius autz request: from switch_ip => (10.2.0.6), connection_type => Wireless-802.11-NoEAP, switch_mac => (74:83:c2:84:e2:29), mac => [b6:da:e2:07:07:84], port => 0, username => "b6:da:e2:07:07:84", ssid => testing_vlan (pf::radius::authorize)
> Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] Instantiate profile VlanEnforcement-Registration (pf::Connection::ProfileFactory::_from_profile)
> Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> Jul 20 20:01:09 controller httpd.aaa-docker-wrapper[3778]: httpd.aaa(7) INFO: [mac:b6:da:e2:07:07:84] (10.2.0.6) Added VLAN 20 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Jul 20 20:01:09 controller auth[139176]: (6582) Login OK: [b6:da:e2:07:07:84] (from client 10.2.0.6/32 port 0 cli b6:da:e2:07:07:84)
>
> Is there a way I could check what's happening on the Unifi controller or
> AP stack?
>
> Warm regards,
> Rexford A. Nyarko.
>
> On Sat, Jul 20, 2024 at 8:46 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi Rexford, sorry, I don't understand where you enabled RADIUS.
>>
>> It's ok to add APs by IP address on the PF side.
>>
>> I was asking about the connection profile to check if it's matching a
>> condition for devices connecting to your open SSID.
>>
>> On Fri, Jul 19, 2024, 08:52, Rexford Nyarko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Enrique,
>>> No, at the moment I am not matching SSID or anything like that.
>>> However, I just enabled the RADIUS service on the trunk interface where PF
>>> talks to the Unifi AP and controller. Now when I try connecting a client to the
>>> open wifi I see the following in the logs.
>>>
>>> Jul 19 11:26:14 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
>>> Jul 19 11:26:17 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
>>> Jul 19 11:26:23 controller auth[7653]: Ignoring request to auth address * port 1812 bound to server packetfence from unknown client 10.2.0.6 port 35316 proto udp
>>>
>>> However, this unknown client 10.2.0.6 is my Unifi AP added by MAC
>>> address.
>>> Do I need to remove it and add it via the controller using IP?
>>>
>>> Warm regards,
>>> Rexford A. Nyarko.
>>>
>>> On Fri, Jul 19, 2024 at 6:12 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> And in your connection profile, are you matching, like, SSID?
>>>>
>>>> On Thu, Jul 18, 2024 at 15:57, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>>
>>>>> Hello Enrique,
>>>>>
>>>>> Yes, they are all reachable one to the other: AP, Unifi controller and
>>>>> PF. This is quite weird for me considering the web auth works fine without
>>>>> problems.
>>>>> The RADIUS server is using PF's IP. Apart from setting the RADIUS
>>>>> password on the switch in PF and the Unifi controller, is there anything
>>>>> else I need to do for RADIUS config?
>>>>>
>>>>> Warm regards,
>>>>> Rexford A. Nyarko.
>>>>>
>>>>> On Thu, Jul 18, 2024 at 6:03 PM Enrique Gross <egr...@jcc-advance.com.ar> wrote:
>>>>>
>>>>>> Hi Rexford,
>>>>>>
>>>>>> Try to troubleshoot the connection between the APs and the RADIUS server IP (PF
>>>>>> management address). Can you ICMP that IP address? The RADIUS server you
>>>>>> configured on the RADIUS profile on the Unifi controller, and applied to the
>>>>>> SSID.
>>>>>>
>>>>>> On Thu, Jul 18, 2024 at 14:48, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>>>>
>>>>>>> Hello Enrique,
>>>>>>>
>>>>>>> Thanks again for getting back to me.
>>>>>>> Yes, I have mapped the VLAN ID on the switch config for the AP. But
>>>>>>> still, the client devices are unable to get an IP, so they just disconnect
>>>>>>> once you try to connect.
>>>>>>>
>>>>>>> I have also checked the logs; there isn't anything happening when I
>>>>>>> try to connect a client to the open SSID. I can't figure out what I am
>>>>>>> missing.
>>>>>>>
>>>>>>> Warm regards,
>>>>>>> Rexford A. Nyarko.
>>>>>>>
>>>>>>> On Thu, Jul 18, 2024 at 4:07 PM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>
>>>>>>>> Hi Rexford,
>>>>>>>>
>>>>>>>> You don't need to put the registration VLAN as default/untagged;
>>>>>>>> the registration VLAN goes with a tag.
>>>>>>>>
>>>>>>>> Have you mapped roles and VLAN IDs on the switch config, on the PF
>>>>>>>> side?
>>>>>>>>
>>>>>>>> Looking at packetfence.log will help you to know what is happening
>>>>>>>> with the user/device when connecting to the AP.
>>>>>>>>
>>>>>>>> Enrique
>>>>>>>>
>>>>>>>> On Thu, Jul 18, 2024 at 11:10, Rexford Nyarko (<rexfordn...@gmail.com>) wrote:
>>>>>>>>
>>>>>>>>> Hello Enrique,
>>>>>>>>> Thank you for your response.
>>>>>>>>> Yes, I have the AP connected via trunk. However, the same still
>>>>>>>>> happens: clients are not able to connect to the open network in order to
>>>>>>>>> access the registration portal.
>>>>>>>>> Do I need to make the registration VLAN 20 the default/untagged
>>>>>>>>> VLAN on the trunk ports? In that case, the AP can directly communicate with
>>>>>>>>> PF on the default network. Thanks in advance.
>>>>>>>>>
>>>>>>>>> Warm regards,
>>>>>>>>> Rexford A. Nyarko.
>>>>>>>>>
>>>>>>>>> On Wed, Jul 17, 2024 at 8:14 AM Enrique Gross via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Rexford,
>>>>>>>>>>
>>>>>>>>>> Hope you are doing well.
>>>>>>>>>>
>>>>>>>>>> When configuring the SSID on the Unifi side with RADIUS, it is ok
>>>>>>>>>> that you cannot set VLAN 20 as registration. On the PF side, it's in the
>>>>>>>>>> roles (Role mapping by VLAN ID) when configuring APs that you will set up
>>>>>>>>>> your VLAN for registration, prod or other VLANs. So, as long as the
>>>>>>>>>> registration VLAN, prod, etc. VLANs are trunked to the AP, that's fine.
>>>>>>>>>>
>>>>>>>>>> So, an unreg user will be evaluated upon connection; as the
>>>>>>>>>> condition is unreg, it will be placed on the registration VLAN that is defined
>>>>>>>>>> on your switch roles.
>>>>>>>>>>
>>>>>>>>>> Sorry for my bad English, hope it helps.
>>>>>>>>>>
>>>>>>>>>> Enrique.
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 15, 2024 at 5:22, Rexford Nyarko via PacketFence-users (<packetfence-users@lists.sourceforge.net>) wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello All,
>>>>>>>>>>>
>>>>>>>>>>> First, my user environment consists mostly of Linux, Windows
>>>>>>>>>>> users and occasionally Mac. Network hardware consists of Cisco 2960
>>>>>>>>>>> switches for LAN and Unifi AP AC Pro for wireless connectivity. I need to
>>>>>>>>>>> have an authentication setup such that users log in with their LDAP
>>>>>>>>>>> credentials and users are assigned VLANs based on their
>>>>>>>>>>> *memberOf* LDAP attribute.
>>>>>>>>>>>
>>>>>>>>>>> Here's what I have done so far:
>>>>>>>>>>> 1. Installed PF 13.2 with two interfaces, one separate for
>>>>>>>>>>> management and another trunk with all VLAN interfaces added.
>>>>>>>>>>> 2. Configured an LDAP authentication source.
>>>>>>>>>>> 3. Configured a connection profile using the LDAP auth source.
>>>>>>>>>>> 4. Added Unifi APs individually to PF via MAC address.
>>>>>>>>>>> (Initially, I tried adding the controller IP method but that didn't work,
>>>>>>>>>>> with some weird errors about not being able to instantiate Switch.)
>>>>>>>>>>> 5. Configured the Unifi controller and wifi with a guest profile and
>>>>>>>>>>> external captive portal pointing to PF as instructed in the documentation.
>>>>>>>>>>> 6. Enabled the captive portal and respective services on the
>>>>>>>>>>> trunk interface.
>>>>>>>>>>> All to this point, everything works great. As soon as a user
>>>>>>>>>>> connects to the open SSID they get redirected to the captive portal on PF
>>>>>>>>>>> and authenticate successfully with LDAP. This works great, no problem. I
>>>>>>>>>>> intend to keep that and later change the auth source for the guest portal.
>>>>>>>>>>>
>>>>>>>>>>> Now I am trying to do VLAN assignment. I followed the PF
>>>>>>>>>>> documentation for Ubiquiti to set up the controller with the RADIUS profile,
>>>>>>>>>>> SSID and all. However, things are not working as expected. I am a bit
>>>>>>>>>>> confused here.
>>>>>>>>>>> 1. I have created interfaces, registration VLAN 20 and
>>>>>>>>>>> isolation VLAN 30, on the trunk interface.
>>>>>>>>>>> 2. I also have added 3 other production VLANs where I manage DNS
>>>>>>>>>>> and DHCP.
>>>>>>>>>>> 3. The open SSID on the Unifi controller cannot be set to the
>>>>>>>>>>> registration VLAN 20 when RADIUS is enabled. So there is no way to
>>>>>>>>>>> communicate with PF via the registration VLAN, hence users cannot get IPs
>>>>>>>>>>> from PF on the open SSID and therefore cannot log in.
>>>>>>>>>>> I need advice on how to get this working. Do I have to make the
>>>>>>>>>>> registration VLAN the native or default VLAN on the trunk and configure the
>>>>>>>>>>> guest captive portal on a different VLAN which I can assign in the Unifi
>>>>>>>>>>> controller?
>>>>>>>>>>>
>>>>>>>>>>> Also, I have a problem where DNS queries on each VLAN/subnet
>>>>>>>>>>> point to the PF interface outside that subnet. E.g.
>>>>>>>>>>> pf.example.com - 192.168.0.1/24 on the registration VLAN, and PF on
>>>>>>>>>>> captive portal VLAN 40 the IP is 192.168.1.1/24, but a DNS query
>>>>>>>>>>> from the captive portal interface gives the registration VLAN IP of PF.
>>>>>>>>>>> I would prefer that queries from each VLAN would provide the
>>>>>>>>>>> respective PF interface on that VLAN.
>>>>>>>>>>> Any help is appreciated.
>>>>>>>>>>>
>>>>>>>>>>> Warm regards,
>>>>>>>>>>> Rexford.

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
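Enrique's suggestion is to confirm on the wire what the AP actually receives. The following is an added example, not code from this thread or from PacketFence: it decodes the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) from a raw RADIUS reply, which is what a captured Access-Accept must carry for the AP to put the client into VLAN 20. The sample packets are constructed inline with a zeroed Response Authenticator; no capture file is read and the authenticator is not verified.

```python
import struct

# RADIUS codes and the RFC 2868 tunnel attributes that carry a dynamic VLAN assignment
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def parse_attributes(data):
    """Split the attribute region into (type, value) pairs, refusing malformed TLVs."""
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("attribute length out of range")
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return attrs

def vlan_from_radius_reply(packet):
    """Return (code name, VLAN id or None) for one raw RADIUS reply datagram."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field disagrees with datagram size")
    tunnel, group_id = {}, None
    for atype, value in parse_attributes(packet[20:length]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            tunnel[atype] = int.from_bytes(value[1:4], "big")  # tag byte, then 3-byte integer
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # the leading byte is a tag only when it is 0x00..0x1f, otherwise it is data
            raw = value[1:] if value[0] <= 0x1F else value
            group_id = raw.decode("ascii", errors="replace")
    # an AP honours the group id only as a VLAN(13) over IEEE-802(6) tunnel
    tunnel_ok = tunnel.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and tunnel.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
    return RADIUS_CODES.get(code, str(code)), (group_id if tunnel_ok else None)

def build_reply(code, attrs):
    """Constructed sample packet; the 16-byte Response Authenticator is zeroed, not MD5-valid."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 7, 20 + len(body)) + bytes(16) + body

# constructed samples: a correct VLAN 20 Access-Accept, one lacking tunnel type/medium, a Reject
SAMPLE_ACCEPT_VLAN20 = build_reply(2, [(TUNNEL_TYPE, b"\x00" + bytes([0, 0, TUNNEL_TYPE_VLAN])),
                                       (TUNNEL_MEDIUM_TYPE, b"\x00" + bytes([0, 0, TUNNEL_MEDIUM_IEEE802])),
                                       (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")])
SAMPLE_ACCEPT_NO_TUNNEL = build_reply(2, [(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")])
SAMPLE_REJECT = build_reply(3, [])
```

To check a real capture, pass the UDP payload of one reply from the AP-side tcpdump (read from the pcap with whatever library you prefer) to `vlan_from_radius_reply` in place of the constructed samples; a result without "20" means the AP never received a usable VLAN assignment.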