
List:       packetfence-users
Subject:    [PacketFence-users] Issues with Meraki WiFi using IPSK and Radius Mac Auth
From:       "Bergen, Ryan via PacketFence-users" <packetfence-users () lists ! sourceforge ! net>
Date:       2023-07-31 21:39:27
Message-ID: YQBPR0101MB94885A163546CBD2D9B708069105A () YQBPR0101MB9488 ! CANPRD01 ! PROD ! OUTLOOK ! COM

Hello, has anyone had success with setting up Meraki WiFi using MAC-based auth and Identity PSK with RADIUS?

I have wired MAC-based auth working fine with Meraki switches.

Also, my logs show the wireless clients connect and authenticate; it's just that the Windows 10 client reports back “Can't Connect to this network”.

Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) WARN: [mac:10:6f:d9:a1:52:a1] Unable to extract audit-session-id for module pf::Switch::Meraki::MS220_8. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] handling radius autz request: from switch_ip => (10.109.19.251), connection_type => Wireless-802.11-NoEAP,switch_mac => (e4:55:a8:12:b8:3c), mac => [10:6f:d9:a1:52:a1], port => 0, username => "106fd9a152a1", ssid => RAD-TEST (pf::radius::authorize)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] Found authentication source(s) : 'local,file1' for realm 'null' (pf::config::util::filter_authentication_sources)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] Username was defined "106fd9a152a1" - returning role 'Corp-Wifi' (pf::role::getRegisteredRole)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] PID: "ryan.bergen", Status: reg Returned VLAN: (undefined), Role: Corp-Wifi (pf::role::fetchRoleForNode)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] (10.109.19.251) Added VLAN 512 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] (10.109.19.251) Added role 512 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)


Meraki SSID is “RAD-TEST” and in Meraki I have it configured the following:

Security: Identity PSK with RADIUS
WPA encryption: WPA2 only
Splash page: none (direct access)
Radius Servers: [packetfence IP] port 1812, with Secret
Radius Accounting server: [packetfence IP] port 1813, with Secret
Radius testing: enabled
Radius CoA Support: enabled
Radius attribute: Filter-Id
IP Assignment: Bridge w/ Radius override vlan tag
Vlan tagging: disabled

Packetfence Configuration:

Switch:
Type: Meraki MS220_8
Mode: Production
Deauth method: RADIUS
Roles: VLAN ID
Radius: Secret matching above Meraki SSID Configuration

Node: Manually added node, authorized it, associated to user
User: input PSK entry


Anything I'm missing to get this working?

We have it working with our legacy custom built free-radius/mysql setup.
The client requires a manual MAC entry with a role and is authenticated using a generic PSK; the MAC is looked up, then put on the proper mapped VLAN.

Thanks
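An added diagnostic helper (not part of this post and not PacketFence's own code) that parses httpd.aaa lines of the kind quoted above and summarizes, per client MAC, what PacketFence reports adding to the Access-Accept and whether the VSA warning fired; the sample input is the post's own log lines re-joined onto one line each, and the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the post's httpd.aaa lines, one record per line.
SAMPLE_LOG = """\
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) WARN: [mac:10:6f:d9:a1:52:a1] Unable to extract audit-session-id for module pf::Switch::Meraki::MS220_8. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] handling radius autz request: from switch_ip => (10.109.19.251), connection_type => Wireless-802.11-NoEAP,switch_mac => (e4:55:a8:12:b8:3c), mac => [10:6f:d9:a1:52:a1], port => 0, username => "106fd9a152a1", ssid => RAD-TEST (pf::radius::authorize)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] PID: "ryan.bergen", Status: reg Returned VLAN: (undefined), Role: Corp-Wifi (pf::role::fetchRoleForNode)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] (10.109.19.251) Added VLAN 512 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] (10.109.19.251) Added role 512 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

# Common prefix: log level and the [mac:...] tag every httpd.aaa record carries.
LINE_RE = re.compile(r"httpd\.aaa\(\d+\) (?P<level>\w+): \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)")
AUTZ_RE = re.compile(r"switch_ip => \((?P<ip>[^)]+)\), connection_type => (?P<ct>[^,]+),"
                     r'.*?username => "(?P<user>[^"]*)", ssid => (?P<ssid>\S+)')
NODE_RE = re.compile(r'PID: "(?P<pid>[^"]*)", Status: (?P<status>\w+) Returned VLAN: '
                     r"\((?P<vlan>[^)]*)\), Role: (?P<role>\S+) \(")
ADDED_RE = re.compile(r"Added (?P<kind>VLAN|role) (?P<val>\S+) to the returned RADIUS Access-Accept")


@dataclass
class AuthSession:                       # hypothetical name, one per client MAC
    mac: str
    switch_ip: str = ""
    connection_type: str = ""
    ssid: str = ""
    username: str = ""
    pid: str = ""
    status: str = ""
    role: str = ""
    accept_attrs: dict = field(default_factory=dict)   # what PF says it added to Access-Accept
    warnings: list = field(default_factory=list)


def summarize(log_text: str) -> dict:
    """Group httpd.aaa records by MAC and collect the authorization outcome for each."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["mac"], AuthSession(mac=m["mac"]))
        msg = m["msg"]
        if m["level"] == "WARN":
            s.warnings.append(msg.split(" (pf::")[0])     # drop the trailing module tag
            continue
        a, n, d = AUTZ_RE.search(msg), NODE_RE.search(msg), ADDED_RE.search(msg)
        if a:
            s.switch_ip, s.connection_type, s.username, s.ssid = a["ip"], a["ct"], a["user"], a["ssid"]
        elif n:
            s.pid, s.status, s.role = n["pid"], n["status"], n["role"]
        elif d:
            s.accept_attrs[d["kind"]] = d["val"]
    return sessions


def vsa_warning(session: AuthSession) -> bool:
    """True when PF could not read the audit-session-id VSA for this client."""
    return any("audit-session-id" in w for w in session.warnings)


if __name__ == "__main__":
    for mac, s in summarize(SAMPLE_LOG).items():
        print(f"{mac} ssid={s.ssid} type={s.connection_type} role={s.role} "
              f"accept={s.accept_attrs} vsa_warning={vsa_warning(s)}")
```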


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
