Discussion:
[PacketFence-users] WebAuth & CoA
Ruth Tsai
2017-05-07 18:48:08 UTC
Hi,

We are considering using PacketFence as a hotspot for wireless clients. I have a question on CoA. We will register the AP or management station as a switch with the Web Auth role.
Will PacketFence notify the switch by using CoA after client authentication completes (authorize or reject)? Or is there any other way the switch is notified of the authentication status?

Thanks

Ruth
Durand fabrice
2017-05-08 13:04:17 UTC
Hello Ruth,

It depends on whether the AP supports CoA.

Regards

Fabrice
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Ruth Tsai
2017-05-15 17:17:37 UTC
Hi Fabrice,

Our AP or management station will support CoA. Do I need to enable any configuration for PacketFence to send CoA to the switch?

I installed PacketFence 7.0.0, tried it, and received "invalid login or password" from the browser login page.
The "guest Cleartext-Password := "guest"" line was added to the raddb/users file.
The /usr/local/pf/logs/radius.log does not have a login failure log.

I tried the "radtest" command and got Access-Reject on the post authentication.
The "/usr/local/pf/logs/radius.log" showed the following error logs.
(1) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"CLI Access is not allowed by PacketFence on this switch"}
(1) Rejected in post-auth: [guest] (from client localhost port 12)

[***@pretoria ~]$ radtest guest guest localhost:18120 12 testing123
Sent Access-Request Id 85 from 0.0.0.0:34835 to 127.0.0.1:18120 length 75
User-Name = "guest"
User-Password = "guest"
NAS-IP-Address = 172.21.7.53
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "guest"
Received Access-Reject Id 85 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

Attached are the radius log from "radiusd -X" and a screenshot of the login failure page.

Do I need to configure anything else?

Thanks

Ruth
Fabrice Durand
2017-05-16 12:43:02 UTC
Hello Ruth,

First, you need to check whether the code for the AP in PacketFence supports
CoA; if not, it's not something really complicated to add.

Next, remove the local user you created in radius and create a local
account in PacketFence in order to use it on the portal (User tab).

Next, configure your AP to talk to the radius server (mac auth), and when
you hit the portal, use the credentials of the local user.

Regards

Fabrice
--
Fabrice Durand
***@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Durand fabrice
2017-05-20 02:33:03 UTC
Hello Ruth,

First, what is the AP?

Next, radtest sends a radius request without calling-station-id, so
PacketFence thinks that it's a CLI access.

Regards

Fabrice
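
Added example (not part of the original thread and not PacketFence code): a byte-level sketch of the Access-Request from the radtest run above, built with and without Calling-Station-Id (attribute 31, RFC 2865), and a parser that reports whether the attribute is present. The MAC address and all function names are constructed for illustration.

```python
import hashlib, os, socket, struct

# RADIUS attribute type numbers (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 2, 4, 5, 31

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (chained MD5 XOR)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value  # length counts the header

def build_access_request(user, password, secret, nas_ip, nas_port, mac=None, ident=85):
    """Build an Access-Request; Calling-Station-Id is added only when mac is given."""
    authenticator = os.urandom(16)
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += attr(NAS_PORT, struct.pack("!I", nas_port))
    if mac is not None:
        attrs += attr(CALLING_STATION_ID, mac.encode())
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value}, rejecting packets with inconsistent lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def has_calling_station_id(packet: bytes) -> bool:
    return CALLING_STATION_ID in parse_attributes(packet)

# Values from the radtest run in the thread; the MAC is a constructed sample.
ARGS = ("guest", "guest", b"testing123", "172.21.7.53", 12)
RADTEST_LIKE = build_access_request(*ARGS)
WITH_MAC = build_access_request(*ARGS, mac="02-00-00-00-00-01")
```

The request built without a MAC is 57 bytes; the 75-byte request in the radtest output additionally carries an 18-byte Message-Authenticator, which this sketch omits.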