List: packetfence-users
Subject: [PacketFence-users] DPSK Authentication - Meraki Access Points
From: Michael Brown via PacketFence-users <packetfence-users () lists ! sourceforge ! net>
Date: 2020-10-20 16:07:26
Message-ID: 34990496.1083096.1603210046950 () mail ! yahoo ! com
Hi Guys,

Has anyone been able to get DPSK working with Meraki access points?

The provisioner portion is working where the user joins a network, signs in to the portal and then once they are signed in they are presented with the name of the network that uses DPSK and their DPSK password. The problem is when I try to join the DPSK network with the provided DPSK I receive "can't connect to this network" (Windows 10 device).

We have one PacketFence server set up out of band.

Here are my profiles:
PROVIDES DPSK
[Auth-Wireless]
locale=
sources=BYOD-Wireless-User-Authentication
advanced_filter=
provisioners=DPSK
filter=ssid:Auth

DPSK NETWORK PROFILE
[BYOD-Wireless]
locale=
advanced_filter=
filter=ssid:WIFI-BYOD
dpsk=enabled
autoregister=enabled
default_psk_key=testing12345678!
unreg_on_acct_stop=disabled
filter_match_style=all
HERE IS THE AUTH SOURCE FOR Auth-Wireless PROFILE:
[BYOD-Wireless-User-Authentication]
cache_match=0
read_timeout=10
realms=null,domain.com
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=BYOD Wireless User Authentication
port=389
host=dc.domain.com
write_timeout=5
type=AD

[BYOD-Wireless-User-Authentication rule Network-Administrators]
action0=set_role=WIFI-IT-STAFF-DISTRICT
condition0=memberOf,equals,CN=Network Administrators,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Network Administrators Group

[BYOD-Wireless-User-Authentication rule Faculty-All]
action0=set_role=WIFI-STAFF-GUESTS
condition0=memberOf,equals,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Faculty All
HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:
Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
RADIUS server set to PacketFence management
RADIUS testing: disabled
RADIUS CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
RADIUS override: RADIUS response can override VLAN tag
HERE IS WHAT THE PF LOG SAYS WHEN I TRY TO JOIN:
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.19),connection_type => Wireless-802.11-NoEAP,switch_mac => (e2:cb:ac:91:85:df), mac => [00:e0:4c:19:dd:56], port => 0, username => "00e04c19dd56", ssid => WIFI-BYOD (pf::radius::authorize)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile BYOD-Wireless (pf::Connection::ProfileFactory::_from_profile)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] security_event 1300003 force-closed for 00:e0:4c:19:dd:56 (pf::security_event::security_event_force_close)

HERE IS WHAT THE RADIUS LOG SAYS:
Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:56] Accepted user: and returned VLAN 118
Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.110.19/32 port 0 cli 00:e0:4c:19:dd:56)

Thanks for your help.
Mike
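The httpd.aaa excerpt in the post above can be checked mechanically rather than read line by line. The Python script below is an added example, not PacketFence code: it parses the log format shown in the post (timestamp, host, process, component and pid, level, [mac:...] tag, message, trailing pf:: module), builds a per-MAC summary of the authorization outcome (connection type, SSID, username, profile, node status, role, VLAN) and collects the WARN lines so they can be reviewed per client. The sample input is the post's own log lines with the extraction whitespace restored; the field names such as auth_method are this script's own, and the auth[2992] RADIUS lines are deliberately left unparsed to show how lines in another format are reported.

```python
"""Per-client triage of PacketFence httpd.aaa log lines (added example, not PacketFence code)."""
import re
from collections import defaultdict

# Sample input: the log lines quoted in the post above, whitespace restored.
SAMPLE_LOG = """\
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.19),connection_type => Wireless-802.11-NoEAP,switch_mac => (e2:cb:ac:91:85:df), mac => [00:e0:4c:19:dd:56], port => 0, username => "00e04c19dd56", ssid => WIFI-BYOD (pf::radius::authorize)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile BYOD-Wireless (pf::Connection::ProfileFactory::_from_profile)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] security_event 1300003 force-closed for 00:e0:4c:19:dd:56 (pf::security_event::security_event_force_close)
Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:56] Accepted user: and returned VLAN 118
Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.110.19/32 port 0 cli 00:e0:4c:19:dd:56)
"""

# One httpd.aaa line: "<ts> <host> <proc>: <component>(<pid>) <LEVEL>: [mac:<mac>] <msg> (<pf::module>)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+): "
    r"(?P<component>[\w.]+)\((?P<pid>\d+)\) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] ?(?P<msg>.*?)\s?(?:\((?P<module>pf::[\w:]+)\))?$"
)

# Message fragments that carry the authorization outcome; keys are this script's own names.
FIELD_PATTERNS = {
    "connection_type": re.compile(r"connection_type => ([^,]+),"),
    "ssid": re.compile(r"ssid => (\S+)"),
    "username": re.compile(r'username => "([^"]*)"'),
    "profile": re.compile(r"Instantiate profile (\S+)"),
    "auth_method": re.compile(r"Connection type is ([A-Z-]+)\."),
    "role": re.compile(r"returning role '([^']+)'"),
    "status": re.compile(r"Status: (\w+)"),
    "vlan": re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept"),
}


def parse_line(line):
    """Return the parsed fields of one httpd.aaa line, or None if it is another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Fold all parsable lines into one dict per client MAC."""
    nodes = defaultdict(lambda: {"events": 0, "warnings": []})
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        node = nodes[rec["mac"]]
        node["events"] += 1
        if rec["level"] == "WARN":
            node["warnings"].append((rec["module"], rec["msg"]))
        for name, pat in FIELD_PATTERNS.items():
            hit = pat.search(rec["msg"])
            if hit:
                node[name] = hit.group(1)
    return dict(nodes)


def unparsed_lines(log_text):
    """Lines that do not follow the httpd.aaa format (here: the auth[...] RADIUS lines)."""
    return [ln for ln in log_text.splitlines() if ln.strip() and parse_line(ln.strip()) is None]


def review(summary):
    """Plain-language observations per MAC, derived only from what the log states."""
    notes = {}
    for mac, node in summary.items():
        lines = [f"WARN from {module}: {msg}" for module, msg in node["warnings"]]
        if node.get("username") == mac.replace(":", ""):
            lines.append("username equals the client MAC: request handled as MAC authentication")
        if "vlan" in node:
            lines.append(f"Access-Accept carried VLAN {node['vlan']} for role {node.get('role')}")
        notes[mac] = lines
    return notes


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for mac, node in summary.items():
        print(mac, {k: v for k, v in node.items() if k != "warnings"})
        for note in review(summary)[mac]:
            print("  -", note)
    print("unparsed lines:", len(unparsed_lines(SAMPLE_LOG)))
```

Running it against the posted excerpt gives one entry for the AP-side MAC a8:1e:84:a6:ca:7d (the audit-session-id warning) and one for the client 00:e0:4c:19:dd:56 showing connection type Wireless-802.11-NoEAP on SSID WIFI-BYOD, profile BYOD-Wireless, MAC-AUTH handling with the MAC as username, role WIFI-IT-STAFF-DISTRICT and VLAN 118 in the Access-Accept, plus the "No category computed for autoreg" warning; the two auth[2992] lines are reported as unparsed. Pointing it at a larger /usr/local/pf/logs/packetfence.log extract lets you compare a working client against a failing one field by field.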
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users