
List:       packetfence-users
Subject:    Re: [PacketFence-users] Status of authentication through MAB with Ubiquiti Access points
From:       Elia via PacketFence-users <packetfence-users () lists ! sourceforge ! net>
Date:       2024-04-16 11:03:34
Message-ID: 1c7d2081-a18a-41cc-a641-33d207ac3334 () Spark

Hi Enrique,

thanks for your precious information!

In the next days, I'll try to recreate two brand new VMs, one for PF and one for
the Unifi Controller, in order to avoid any previous misconfiguration.

I'll let you know if everything is working as expected, and I'll post every useful
tcpdump output, from both the PF and Unifi side.

For now, I would like to share this GitHub issue with you, regarding
Disconnect-Requests with the Unifi controller (the issue is not from me, but from
another user who apparently has the same problem):

<https://github.com/inverse-inc/packetfence/issues/8065>

For now, I am still using the old Unifi Dashboard with CoA checked, and if I run
"netstat -an | grep 3799" I can see the port successfully in listening mode on the socket.

Thanks again for your reply and your time!
On 13 Apr 2024, 12:20 +0200, Elia <thelizardnerd.elia@gmail.com> wrote:
> Hello there,
> I'm struggling with configuring Wireless MAB with Ubiquiti Access Points. My goal
> is to authenticate wireless supplicants through Ubiquiti APs with PacketFence's
> Captive Portal and dynamic VLAN, so that they can be moved into the right VLAN
> (after a successful authentication with credentials).
>
> Some info:
> Unifi controller version: 7.29
> Ubiquiti AP nanohd firmware version: 6.6
> PacketFence version: 13.2
>
> To set up the environment (specifically the SSIDs) I followed section 6.28 of
> the Network Devices Configuration Guide, specifically 6.28.2 VLAN Enforcement.
>
> I enabled CoA on the Unifi Controller, and in the PacketFence "Switches" section I
> added the AP through its IP, then I configured: SNMP strings, WebServices (https),
> RADIUS secret password, associated VLAN IDs with Roles, specified the Unifi
> Controller IP address, enabled deauth with CoA, specified "RADIUS" under the
> Deauthentication Method option, and chose "Production" mode and "Unifi Controller"
> as type.
>
> For now, a supplicant that connects to the open SSID is correctly redirected to the
> Captive Portal, but, after login, it isn't dynamically moved into the correct VLAN;
> instead, it needs to switch WiFi off and on in order to reconnect to the
> SSID and to take the IP in the right VLAN through our DHCP server.
>
> Is there a way to fix this behaviour and make the supplicant dynamically moved?
>
> One strange behaviour is that sometimes a supplicant is correctly dynamically moved
> into the assigned Role (so the assigned VLAN) after login (I don't know why
> sometimes it works without changing anything on either the Unifi side or the PF
> side). For example: 2 supplicants are correctly moved into the VLAN, while the third
> supplicant, which comes after them, after a successful login, is not dynamically
> moved into the assigned VLAN. Any suggestions with this?
>
> Another issue: if I delete a node after a successful authentication, the PacketFence
> RADIUS server sends a Disconnect Request to the Ubiquiti AP, the Ubiquiti AP replies
> with a "Disconnect-ACK" packet, but the supplicant is still connected to WiFi without
> being disconnected. How can I successfully disconnect a client?
>
> Finally, I have a suspicion that everything is properly configured on PF and on the
> Unifi Controller, so at this point my question is: what is the actual status of the
> integration between PF and Unifi? Did the MAB authentication ever work? Thanks!
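
Added example, not part of the original message or of PacketFence: a small decoder for the RADIUS dynamic-authorization packets (RFC 5176, UDP/3799) discussed in this thread. Given the payloads of a Disconnect-Request and its reply from a tcpdump capture plus the shared secret, it lists the attributes the request used to identify the session and checks both authenticators. All function names, the secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}          # RFC 5176
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id",
         44: "Acct-Session-Id", 101: "Error-Cause"}

def parse(packet: bytes) -> dict:
    """Decode the RADIUS header and attribute TLVs of one UDP payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        end = pos + packet[pos + 1]
        attrs.append((ATTRS.get(packet[pos], str(packet[pos])), packet[pos + 2:end]))
        pos = end
    return {"code": CODES.get(code, str(code)), "id": ident,
            "authenticator": packet[4:20], "attrs": attrs, "raw": packet[:length]}

def authenticator_ok(msg: dict, secret: bytes, request_auth: bytes = bytes(16)) -> bool:
    """Requests are hashed over 16 zero octets, replies over the request's authenticator."""
    raw = msg["raw"]
    digest = hashlib.md5(raw[:4] + request_auth + raw[20:] + secret).digest()
    return hmac.compare_digest(digest, msg["authenticator"])

def build(code, ident, attrs, secret, request_auth=bytes(16)) -> bytes:
    # Assembles a packet; used here only to construct the sample exchange.
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def check_exchange(req_bytes: bytes, reply_bytes: bytes, secret: bytes) -> dict:
    req, reply = parse(req_bytes), parse(reply_bytes)
    return {"request_valid": authenticator_ok(req, secret),
            "reply": reply["code"],
            "reply_valid": reply["id"] == req["id"]
                           and authenticator_ok(reply, secret, req["authenticator"]),
            "session_attrs": [name for name, _ in req["attrs"]]}

# Constructed sample data: secret, station MAC and both packets are made up.
SECRET = b"constructed-secret"
REQ = build(40, 7, [(31, b"AA-BB-CC-DD-EE-FF")], SECRET)
ACK = build(41, 7, [], SECRET, request_auth=REQ[4:20])
```

Calling `check_exchange(REQ, ACK, SECRET)` on captured payloads shows whether the reply is authentic for the configured secret and which attributes the request relied on to name the session.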

