Cisco 2960-S switch with MAB and Packetfence Web Authentication

Tags: aaa, cisco, ieee-802.1x, network-access

I am trying to set up PacketFence in my corporate environment for guest users, with MAC access bypass. I have done everything as in the official PacketFence installation guide https://packetfence.org/doc/PacketFence_Installation_Guide.html#_getting_started .
802.1X with RADIUS VLAN enforcement is working fine, but MAB with Web Authentication is not showing the captive portal. I am using the same interface for management and portal. This management interface is in the same VLAN as the switch management interface, e.g. VLAN ID 2. I am using a Cisco Catalyst 2960-S running IOS 15. The portal is accessible at http://PF_MANAGEMENT_IP/captive-portal from a workstation in VLAN 3 which is connected to an access port that is not doing 802.1X or MAB, but it is not accessible from a machine which is doing MAB authentication. I have the registration ACL defined on the switch per the instructions from the guide:

ip access-list extended registration
    deny ip any host PF_MANAGEMENT_IP
    permit tcp any any eq www
    permit tcp any any eq 443

And I added a "role by switch role" mapping for registration with the name of this ACL, and also a "role by Web Authentication" registration URL:
http://PF_MANAGEMENT_IP/Cisco::Catalyst_2960

When I test this with a supplicant, it gets the right VLAN 3 which I defined as registration, and the browser pops up with a http://www.msftconnecttest.com/redirect URL which in the end changes to http://PF_MANAGEMENT_IP/Cisco::Catalyst_2960, but the connection times out in the browser. I even tried explicitly accessing that URL, but without success. Just to mention that the supplicant gets the right IP/subnet from DHCP and DNS, which are my production DHCP and DNS. But I cannot get it to open the captive portal. Also I have set on the switch:

ip device tracking
ip http server
ip http secure-server

I have checked packetfence.log and the communication there is OK, no errors, right VLAN assigned. I also checked radius.log and all communication is right. I also checked the httpd.portal log and there is nothing there, except that I can see the supplicant is not touching the portal during registration, which is obvious.
I think the problem lies somewhere between the Cisco switch redirection and the portal, but I do not have any more ideas on how to troubleshoot it.
If you need the switch epm debug log, feel free to request it, but to me it does not seem erroneous, though I am not an expert at this.

This is the partial switch configuration which is relevant for dot1x and MAB. I am doing this from memory, as currently I do not have access to that switch:

dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
    server PF_MANAGEMENT_IP auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius-server host PF_MANAGEMENT_IP auth-port 1812 acct-port 1813 timeout 2 key ExampleSecret
radius-server vsa send authentication
snmp-server community mysnmp RO
snmp-server community myWritesnmp RW


interface GigabitEthernet 1/0/1
   switchport mode access
   authentication host-mode single-host
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer restart 10800
   authentication timer reauthenticate 10800
   mab
   no snmp trap link-status
   dot1x pae authenticator
   dot1x timeout quiet-period 2
   dot1x timeout tx-period 3

aaa server radius dynamic-author
   client PF_MANAGEMENT_IP server-key ExampleSecret
   port 3799

ip device tracking
ip http server
ip http secure-server

ip access-list extended registration
   deny ip any host PF_MANAGEMENT_IP
   permit tcp any any eq www
   permit tcp any any eq 443

As you can see I am using just one port Gi1/0/1 for the testing. Two VLANs are relevant in my setup:
VLAN ID 2:
PF_MANAGEMENT_IP -> PacketFence management interface and captive portal interface ip is in this VLAN.
SWITCH_MGMT_IP -> Switch management IP is in this VLAN.

VLAN ID 3:
TEST_WORKSTATION_IP -> supplicant IP address is in this VLAN.

VLAN ID 4: production DHCP and DNS are in this VLAN.

There are no restrictions/ACLs which prevent communication between these VLANs. VLAN management is done from the L3 switch, and the network architecture is a collapsed core, where the access switch is this switch which is used for testing.
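The gap the question points at is between the RADIUS Access-Accept and the switch's URL-redirect behaviour: the 2960-S only starts intercepting HTTP when the Access-Accept carries Cisco AV pairs naming the redirect ACL (`url-redirect-acl=registration`) and the portal URL (`url-redirect=...`), and the ACL name must match one configured on the switch. The following is an added diagnostic example, not code from the question or from PacketFence, that decodes those attributes out of a RADIUS packet so the Access-Accept seen in a capture can be checked against the switch configuration. The packet it builds is constructed here for illustration (zeroed authenticator, the attribute values from the question), not a capture from the poster's network, and the script does not validate the Response Authenticator.

```python
import struct

VENDOR_SPECIFIC = 26            # RFC 2865 Vendor-Specific attribute
TUNNEL_TYPE = 64                # RFC 2868 tunnel attributes used for VLAN assignment
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                # vendor type of cisco-avpair inside the VSA
ACCESS_ACCEPT = 2


def parse_attributes(packet: bytes):
    """Split a RADIUS packet into (type, value) pairs; validates lengths only."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def cisco_avpairs(attrs):
    """Extract cisco-avpair strings from Vendor-Specific attributes (vendor 9, type 1)."""
    pairs = []
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def tunnel_value(value: bytes) -> bytes:
    """Drop the optional RFC 2868 tag byte (0x00-0x1F) from a tunnel attribute value."""
    return value[1:] if value and value[0] <= 0x1F else value


def summarize_accept(packet: bytes, expected_acl: str):
    """Report what the switch would act on: VLAN plus the two URL-redirect AV pairs."""
    code, attrs = parse_attributes(packet)
    result = {"accept": code == ACCESS_ACCEPT, "vlan": None,
              "url_redirect_acl": None, "url_redirect": None}
    for atype, value in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = tunnel_value(value).decode("ascii", "replace")
    for pair in cisco_avpairs(attrs):
        key, _, val = pair.partition("=")
        if key == "url-redirect-acl":
            result["url_redirect_acl"] = val
        elif key == "url-redirect":
            result["url_redirect"] = val
    # Redirection can only fire if the ACL name matches an ACL configured on the switch
    result["redirect_ready"] = (result["accept"] and result["url_redirect"] is not None
                                and result["url_redirect_acl"] == expected_acl)
    return result


# --- constructed sample packet (illustrative, not a capture) ---
def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _cisco_avpair(text: str) -> bytes:
    inner = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode("ascii")
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_sample_accept() -> bytes:
    body = (_attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")           # tag 0, type 13 = VLAN
            + _attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")  # tag 0, 6 = IEEE-802
            + _attr(TUNNEL_PRIVATE_GROUP_ID, b"3")            # registration VLAN 3
            + _cisco_avpair("url-redirect-acl=registration")
            + _cisco_avpair("url-redirect=http://PF_MANAGEMENT_IP/Cisco::Catalyst_2960"))
    # Authenticator is zeroed in this constructed packet; a real one is MD5-derived
    header = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + b"\x00" * 16
    return header + body


if __name__ == "__main__":
    print(summarize_accept(build_sample_accept(), "registration"))
```

Running it against real packets means exporting the Access-Accept bytes from a capture taken on the PacketFence host; if `url_redirect` or `url_redirect_acl` comes back `None`, the portal role mapping on the PacketFence side is what to look at, and if the ACL name is present but `redirect_ready` is false, the name does not match the switch's `ip access-list extended` entry.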

Best Answer

I haven't succeeded in achieving this via the switch Web Authentication facility, but I have achieved it via a PacketFence registration VLAN and DNS blackholing. I created a registration VLAN on the Cisco switch which is not routed, achieved by not creating an SVI for that VLAN and not adding an ip helper-address. After that I created a registration interface on PacketFence in this VLAN and added the PacketFence dhcpd service to listen on it and assign IP addresses to nodes. This way PacketFence will assign IP addresses to new nodes, pass them the PacketFence DNS server IP, and using the DNS sinkhole technique force them to register using the portal.
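The DNS sinkhole the answer relies on works because every A lookup from the registration VLAN gets the portal address back, so whatever hostname the client's connectivity check or browser tries, the TCP connection lands on the captive portal. The following is an added example, not the answerer's configuration and not PacketFence's own pfdns code, of a minimal sinkhole resolver that does exactly that: it parses the question section of a DNS query, answers A queries with a configurable portal IP (the address `192.0.2.10` used below is a documentation-range placeholder), returns an empty answer for other record types, and lets the caller forward a small passthrough list to a real resolver. The query it builds for the self-test is constructed inline.

```python
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(tid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursive DNS query with one question (used for testing)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(data: bytes):
    """Return (tid, flags, qname, qtype, qclass, raw question bytes) for a 1-question message."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated question name")
        length = data[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer is not valid inside a question name")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return tid, flags, ".".join(labels).lower(), qtype, qclass, data[12:pos + 4]


def sinkhole_response(query: bytes, portal_ip: str, passthrough=(), ttl: int = 5):
    """Answer A queries with the portal IP; None means 'forward this one to a real resolver'."""
    tid, flags, qname, qtype, qclass, question = parse_query(query)
    if qname in passthrough:
        return None
    # QR=1, AA=1, RD copied from the query, RA=1; short TTL so clients re-ask after registering
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        # NODATA: no answer records, so AAAA lookups do not bypass the sinkhole via IPv6
        return struct.pack("!HHHHHH", tid, resp_flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", tid, resp_flags, 1, 1, 0, 0)
    # Answer name is a pointer (0xc00c) back to the question name at offset 12
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(portal_ip)
    return header + question + rr


def answer_a_records(response: bytes):
    """Pull the A record addresses out of a response produced by sinkhole_response()."""
    *_, question = parse_query(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    pos, addrs = 12 + len(question), []
    for _ in range(ancount):
        pos += 2                                            # skip the name pointer
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[pos:pos + 4]))
        pos += rdlen
    return addrs


def serve(listen_ip: str, portal_ip: str, passthrough=()):
    """Blocking UDP loop bound to the registration-VLAN address; assumption: run as the VLAN's resolver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_ip, 53))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply = sinkhole_response(data, portal_ip, passthrough)
        except ValueError:
            continue                                        # drop malformed queries
        if reply is not None:
            sock.sendto(reply, peer)


if __name__ == "__main__":
    demo = sinkhole_response(build_query(0x1234, "www.msftconnecttest.com"), "192.0.2.10")
    print(answer_a_records(demo))
```

The forwarding path (a `None` return) is where a passthrough for the portal's own hostname or an update server would go; everything else resolves to the portal, which is what forces the client's connectivity check to hit the registration page. Keeping the TTL short matters, because once the node is registered and moved out of the registration VLAN, cached sinkhole answers would otherwise keep pointing it at the portal.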