Sntp server primary address 192.168.1.5 sntp enable radius server host 192.168.1.5 acct-enable radius server host key useStrongerSecret radius server host key useStrongerSecret used-by eapol radius server host key useStrongerSecret used-by non-eapol radius dynamic-server client 192.168.1.5 radius dynamic-server client 192.168.1.5 secret useStrongerSecret radius dynamic-server client 192.168.1.5 enable radius dynamic-server client 192.168.1.5 process-change-of-auth-requests radius dynamic-server client 192.168.1.5 process-disconnect-requests. Interface FastEthernet ALL vlan ports 1 tagging tagAll vlan members 2,3,4,5 1 vlan ports 1 pvid 2 eapol multihost port 1 enable eap-mac-max 8 allow-non-eap-enable non-eap-mac-max 8 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast adac-non-eap-enable eapol port 1 status auto traffic-control in re-authentication enable eapol port 1 radius-dynamic-server enable lldp port 1 vendor-specific avaya dot1q-framing tagged no adac detection port 1 mac adac port 1 tagged-frames-tagging tag-all adac port 1 enable spanning-tree port 1 learning fast. Class-map type control subscriber match-any INCRITICALAUTH match activated-service-template DEFAULTCRITICALVOICETEMPLATE match activated-service-template CRITICALAUTHVLAN match activated-service-template CRITICAL-ACCESS!
Class-map type control subscriber match-none NOTINCRITICALAUTH match activated-service-template DEFAULTCRITICALVOICETEMPLATE match activated-service-template CRITICALAUTHVLAN match activated-service-template CRITICAL-ACCESS! Class-map type control subscriber match-all AAASVRDOWNUNAUTHDHOST match result-type aaa-timeout match authorization-status unauthorized! Class-map type control subscriber match-all AAASVRDOWNAUTHDHOST match result-type aaa-timeout match authorization-status authorized! Class-map type control subscriber match-all DOT1XNORESP match method dot1x match result-type method dot1x agent-not-found! Class-map type control subscriber match-all MABFAILED match method mab match result-type method mab authoritative!
The access points with roaming system. On the back of each access point there is a MAC address. Until now I have tried to use many applications to get the MAC address but the results are not accurate. Also a mbile application to find access point MAC address I failed. Lightweight access point have a dedicated controller, which is shared by a number of access points. You access the controller to find the devices accessing each access point. The controller may be a physical device on premise, such as in Cisco or Aruba shops, or in the cloud, as in a.
Class-map type control subscriber match-all DOT1XFAILED match method dot1x match result-type method dot1x authoritative. Aaa group server radius packetfence server name packetfence! Aaa accounting update newinfo aaa accounting identity default start-stop group packetfence!! Device-sensor filter-list dhcp list dhcp-list option name host-name option name parameter-request-list option name class-identifier! Device-sensor filter-list lldp list lldp-list tlv name system-description!
Device-sensor filter-list cdp list cdp-list tlv name version-type tlv name platform-type! Device-sensor filter-list dhcp list lldp-list device-sensor filter-spec dhcp include list dhcp-list device-sensor filter-spec lldp include list lldp-list device-sensor filter-spec cdp include list cdp-list device-sensor notify all-changes. Nothing is required to activate VoIP on the switch, you must simply configure the voice VLAN you want PacketFence to assign in the PacketFence switch configuration as well as enabling VoIP there. Note that your phones must not tag their packets on the network and should send their traffic untagged when connected into a PacketFence enabled port. This means you should not have the voice VLAN capabilities enabled on the switch itself as they might conflict with the authorization attributes returned by PacketFence. Snmp-server authentication-trap disable snmp-server host 192.168.1.5 'public' snmp trap link-status port 1-24 disable no mac-security mac-address-table interface FastEthernet ALL mac-security port ALL disable mac-security port 1-24 enable default mac-security auto-learning port ALL max-addrs exit mac-security enable mac-security snmp-lock disable mac-security intrusion-detect disable mac-security filtering enable mac-security snmp-trap enable mac-security auto-learning aging-time 60 mac-security learning-ports NONE mac-security learning disable VoIP support. Dot1x port-control mac-based dot1x re-authentication dot1x timeout reauth-period 1800 dot1x timeout supp-timeout 10 dot1x timeout guest-vlan-period 3 dot1x timeout server-timeout 1800 dot1x mac-auth-bypass dot1x unauthenticated-vlan 4 vlan participation include 1,2,3,4,5,100 voice vlan 100 auto-voip protocol-based lldp transmit lldp receive lldp transmit-tlv port-desc lldp transmit-tlv sys-name lldp transmit-tlv sys-desc lldp transmit-tlv sys-cap lldp transmit-mgmt lldp notification lldp med lldp med confignotification exit.
The appropriate VLANs must exist. Allow controller to honor VLAN assignments from AAA (sometimes called AAA override).
Put your open SSID (if any) in MAC-Authentication mode and authenticate against the FreeRADIUS hosted on PacketFence. Put your secure SSID (if any) in 802.1X mode and authenticate against FreeRADIUS hosted on PacketFence. On registration / isolation VLANs the DHCP traffic must reach the PacketFence server.
On your production VLANs a copy of the DHCP traffic must reach PacketFence where a pfdhcplistener listens (configurable in pf.conf under interfaces). PacketFence Management VLAN: 1 IP address: 192.168.1.5. registration VLAN ID 2, subnet 192.168.2.0/24. isolation VLAN ID 3, subnet 192.168.3.0/24. production VLAN ID 10, subnet 172.16.1.0/24.
the VLANs are spanned in the switches and switching L2 equipments, from the Production Network to the PacketFence server(s). the VLANs are allowed in the trunks. Aerohive Access Point is loaded with HiveOS with version 6 or later. HiveManager with version 6 or later. Wireless AP: 172.16.1.1. RADIUS Secret: useStrongerSecret.
You will need to create one User Profile for each VLANs used, for us, we will create 3 Users Profiles, Registration, Isolation and Production. from name, give the name of a rule to manage the VLANs with PacketFence (Registration; Isolation; Production). from Attribute Name, give the VLAN ID of the VLAN.
from Default VLan, Click on the ( +) (New). as a VLAN ID, give the VLAN ID earlier Registration(2), Isolation(3) or Production(10). click on Save and click on Save again on the Configure interfaces and User Access.
Note Aerohive have a session replication feature to ease the EAP session roaming between two access points. However, this may cause problems when you bounce the wireless card of a client, it will not do a new RADIUS request. Two settings can be tweaked to reduce the caching impact, it is the roaming cache update interval and roaming cache ageout. They are located in Configuration → SSIDs → SSID Name → Optional Settings → Advanced. The other way to support Roaming is to enable SNMP trap in the Aerohive configuration to PacketFence server. PacketFence will recognize the ahConnectionChangeEvent and will change the location of the node in his base. First because there is no way to detect in the RADIUS request that the request is for an SSID configured for IPSK, you need to configure PacketFence to trigger IPSK on a connection profile.
To do that, create a new connection profile, set a Filter based on the SSID (Example SSID PSKSSID), enable IPSK and set a default PSK key. So each time a device will connect on this specific SSID PacketFence will know that it has to answer with specific VSA attributes. Second step is to associate the device to a user, you have two ways to do it, the first one is to manually edit an user and in Miscellaneous tab fill the PSK entry (8 characters minimum) then edit a node and change the owner with the one you just edit before. The second way to associate the device is to use a provisioner. There are also 2 ways to do it, use the 'IPSK' provisioner (it will show you a page on the portal with the PSK key to use and the SSID to connect to, or use the 'Windows/Apple Devices/Android' provisioner and configure it to do IPSK.
FGT50E # config user radius FGT50E (radius) # edit packetfence new entry 'packetfence' added FGT50E (packetfence) # set server 192.168.1.5 FGT50E (packetfence) # set secret useStrongerSecret FGT50E (packetfence) # set nas-ip 192.168.1.1 FGT50E (packetfence) # set radius-coa enable FGT50E (packetfence) # config accounting-server FGT50E (accounting-server) # edit 1 new entry '1' added FGT50E (1) # set status enable FGT50E (1) # set server 192.168.1.5 FGT50E (1) # set secret useStrongerSecret FGT50E (1) # end FGT50E (packetfence) # end. FGT50E #config wireless-controller vap FGT50E (vap) # edit PF-Secure new entry 'PF-Secure' added FGT50E (PF-Secure) # edit 'PF-Secure' FGT50E (PF-Secure) # set vdom 'root' FGT50E (PF-Secure) # set ssid 'PF-Secure' FGT50E (PF-Secure) # set security wpa2-only-enterprise FGT50E (PF-Secure) # set auth radius FGT50E (PF-Secure) # set radius-server 'packetfence' FGT50E (PF-Secure) # set schedule 'always' FGT50E (PF-Secure) # set local-bridging enable FGT50E (PF-Secure) # set dynamic-vlan enable FGT50E (PF-Secure) # end. $(if chap-id) JavaScript required. Enable JavaScript to continue.
$(endif) If you are not redirected in a few seconds, click 'continue' below ![Point Point](/uploads/1/2/5/5/125580097/326940488.jpg)
![For For](http://slideplayer.com/1667208/7/images/22/MAC+address+format+DS%3A+Distribution+System+AP%3A+Access+Point.jpg)
![Point Point](/uploads/1/2/5/5/125580097/326940488.jpg)
Edit the device configuration, and go to Interface → Ethernet Ports. Ensure that the up1 interface is set as trunk, with all the allowed VLANs. Next, create the VLAN under Interface → Virtual Interfaces. Roles (Per-User Firewall). Since PacketFence 3.3.0, we now support roles for the Motorola hardware using WiNGS 5.x.
To add roles, go in Configuration → Security → Wireless Client Roles. First create a global policy that will contain your roles. Next, create your Roles by clicking on the Add button on the bottom right.
It is important to configure the Group Configuration line properly by setting the string name that we will use in the RADIUS packet. For example, for a Guests Role, you can put Group Configuration Exact Guests, and for a Staff Roles, you can put Group Configuration Exact Staff. In the roles configuration in switches.conf, you would have something like. wsTransport is the protocol used to connect to port 8443 of the Unifi controller and should be HTTPS.
This is configured in the Web Services tab of the switch. wsUser is a valid administrator username on your Unifi controller. This is configured in the Web Services tab of the switch. wsPwd is the password that is associated to the wsUser. This is configured in the Web Services tab of the switch.
controllerIp is the IP address of your Unifi controller. This is configured in the Definition tab of the switch. BZ.v3.9.3# cat /tmp/system.cfg grep ssid aaa.1.ssid=PacketFence-Secure wireless.1.ssid=PacketFence-Secure wireless.1.hidessid=false aaa.2.ssid=PacketFence-Public wireless.2.ssid=PacketFence-Public wireless.2.hidessid=false aaa.3.ssid=vport-802AA8863D5B wireless.3.ssid=vport-802AA8863D5B wireless.3.hidessid=true aaa.4.ssid=PacketFence-Secure wireless.4.ssid=PacketFence-Secure wireless.4.hidessid=false aaa.5.ssid=PacketFence-Public wireless.5.ssid=PacketFence-Public wireless.5.hidessid=false.
Welcome to my first blog entry! This is going be a fun, and no doubt educational experience. The purpose of this blog is to document my experiences and lessons as I journey through my career as a Wireless Professional. As this is a journey, I welcome my fellow travelers and their input. I welcome any feedback on improvement, and corrections on any mistakes made. With that let’s get to my first topic: Recently I have had the privilege of taking the CWAP bootcamp at the Wireless LAN Professionals conference in Phoenix, taught by one of the CWAP PW0-270 Certification Guide Authors, Peter Mackenzie.
Through the course and in the subsequent studying, I have learned the value of capturing 802.11 traffic. My previous experience had been strictly in capturing wired traffic using wireshark, and had only briefly touched on 802.11 MAC headers in studying for my CWSP certification.
I am still in the process of building my own setup where I can capture directly from a notebook, but in the meantime I utilized the Dell Powerconnect-W(Aruba OEM) equipment in my work lab and put together a small configuration consisting of a Campus AP, an Instant AP, local controller, capturing notebook running wireshark, and test client that can connect to my test SSIDs. Lab: 1 Aruba 7030 controller – Firmware version 6.4.3.6 1 Aruba 225 Access Point – IP 100.72.29.200, AP name is Sharktest 1 Aruba 225 Instant Access Point – IP 100.72.29.24 AP name is Shark(I’m super original). Firmware version 6.5.4.2 1 Test client, Wireless MAC is 00:21:5c:70:12:4f. WLAN IP is 100.29.29.215 We will be capturing packets from this device. 1 Wireshark monitoring notebook.
IP address 100.72.29.219. Campus SSID is Sharktest Instant SSID is Sharktest2 Topology: The purpose of this demonstration is to show how to capture client traffic for troubleshooting analysis.
The actual Analysis of the packets is not covered in this blog entry. Many characteristics of client behavior can be learned through capturing the wireless communication between the Access Point and the wireless client. Management, Control, and Data Frame Packets provide a wealth of information in their MAC-layer headers. Such details as signal strength, client capabilities, QoS parameters, authentication and association details, roaming processes, and more can be ascertained through this form of monitoring. The 802.11 standard exists at the Link layer and the MAC sublayer of the Data Link layer in the ISO model. For that reason, we need to capture the communication details between the Access Point and the client Radios.
With a traditional packet capture using promiscuous mode, we are capturing the 802.3 Ethernet communication and the layer 3 information between devices. For the purposes of wireless troubleshooting, we need to have the wireless network card in “monitor mode”. This is an RF listening mode that will not only allow us to 802.11 information, but it will hear all nearby transmissions as well. Ideally, you would want to capture the packets using a notebook and WLAN card being as close to the client device as possible. But if a WLAN card is not available, or you are not onsite, the next best thing is to capture at the access point. Aruba Access Points allow packets captures by essentially making a copy of the of the packet and forwarding it to your capturing device.
They are encapsulated in a UDP header address and use port 5555. We will talk a bit more about this during the configuration setup. To perform the packet capture process, do the following. Find the client MAC address. Find out what Radio and AP that the test client is associated with. Radio 0 is for 5GHz, and Radio 1 is for 2.4GHz. You can run s how ap association client-mac in the CLI to find out this information.
If you have access to the windows client, you can alternatively issue the “ netsh wlan show interface” command at a command prompt to learn what BSSID and channel that windows client is in. From the above screenshot, you can see the client is associated to the SSID Sharktest and is on the 5GHz band, channel 36. You can also find the client in the GUI: Go to Monitor Client then enter the MAC address in the search field. Or whatever character you want to use for a search. For this test, the client MAC address is 00:21:5c:70:12:4f As can see the test client MAC address is 00:21:5c:70:12:4f, it is connected to an AP named Sharktest and it is using the.11a radio, or radio 0.
These parameters will be used in our capture. Important Note: The packet capture is initiated by the controller, but the captured packets will not go through the controller; they will be routed from the Access Point to the capturing PC station.
So, it is important that you can make sure that your Access Point can route to the PC that you are capturing to. The simplest method to determine this is to ping the access point from the capturing device. To start the packet capture process from the GUI, go to monitoring, Access Points, and then select your Access Point and click on the packet capture button: In the next window, we will want to select BSSID that we will be performing the capture from. In our case, we will select the 802.11a-VHT radio, as our client is connected to the 5GHz channel 36.
Select a new Raw Packet Capture: Note: If you are using Wireshark, then you must do a Raw Packet Capture. The reason is the way that the AP sends the packets to the capturing device. The capturing method isn’t an exact mirrored process. The AP will make a copy of the frames that are being transmitted and received. In doing so it fails to append the four-byte “frame check sequence” (FCS). This was remedied to allow format 1 and 3 to include the FCS.
This is discussed on the Aruba Airheads forums: and here: Only a Raw packet capture will allow you to change the format. I personally like the Peek+11n/11ac header(format 5) because it provides detailed HT information that is more specific than number 3, which is the pcap+radio header and doesn’t have the malformed problem that format version 0 has. It also makes it so that you do not have to use the PEEKREMOTE decode in Wireshark(See Paul Stanley’s YouTube Video, referenced at the end of this article). Formats that will work for Wireshark are 1,3, and 5. Enter the following into the highlighted fields:. Target IP: this is the IP address of the PC that will be performing the packet capture.
You should have already verified that the PC can ping the Access Point’s IP address. Port: This is the port that Wireshark will be listening on. You will use 5555 for Wireshark. If we were using OmniPeek, we would use port 5000. Format: I prefer Peek+11n/11ac header.
This is the best option to get the most information about HT devices. If you are troubleshooting legacy devices, then option 1(pcap Ethereal) or 3(pcap+radio header) will work, though in my troubleshooting I have seen that option 1 will show the current data rate whereas option 3 will not. Setting the option to Peek+11n/11ac will also make it so you do not have to use the PEEKREMOTE decode in Wireshark. Choose the radio that you will be listening in on. Our client is on channel 36, so we will be listening on the 802.11a radio. Channel: This can only be set if you are capturing from an air monitor.
In our case we are capturing from an access point, so we will leave this field blank. Maxlength: we want to be able to capture Aggregate MPDU’s, which are usually between 3839 to 7035 bytes, So I left plenty of overhead in there. To set up capturing in the CLI, perform the following commands. Remember that our PC runing wireshark has an IP address of 100.72.29.219, our Test AP has a name of Sharktest. We need to use port 5555 and option 5 for the Peek+11n/11ac header format.
(Local7030) #ap packet-capture raw-start ap-name Sharktest 100.72.29.219 5555 5 radio 0 Packet capture has started for pcap-id:25 Take note of the pcap-id, as you will need that to stop the packet capture from the CLI. Example: (Local7030) #ap packet-capture stop ap-name Sharktest 25 Viewing packets on Capturing PC using Wireshark Moving on to our capturing PC. We will open up Wireshark and enter a capture filter of port 5555, as we need to be able to view only the wireless captured packets and not any erroneous packets that enter the Ethernet port. After selecting the local area connection and starting the capture, you will see the captured data. You can use the filter wlan.addr00:21:5c:70:12:4f to filter specifically for the client that we are troubleshooting. For additional filters, you can use the following reference sheet: Important note: An Access Point can only run a single capture per radio, and it will not be able to capture the roam to another Access Point.
So, if you are troubleshooting client roaming issues, it might be best to also run the packet capture on any neighboring Access Points. Capturing Packets from an Instant Access Point The steps are similar when capturing from an IAP, but the whole process must be done at the CLI:. Connect to the IAP GUI and see what SSID and channel your client is connected to:. Connect to the CLI of the IAP. This must be the Actual IP address of the IAP that the client is connected to, and not the Virtual IP address of the controller.
Nebojsa Markovic says: Hi Lance, First off all congratulations on starting blog and sharing your knowledge with the rest of us. Secondly, the topic you picked is perfect match as far as I am concerned, as I am just beginning to work towards CWAP certifications, and as my lab consist of Aruba WLAN infrastructure. The only question I have is related to LAN connectivity of your IAP. It is shown as connected to an MC, and I am wondering in which mode are you running it (e.g.
Converted to Campus, or not)? Somehow I was expecting it to be connected to a LAN switch above and create its own cluster (to test L3 roaming, maybe). Sorry if I missed something obvious, and all looking forward to your new posts.
![For For](http://slideplayer.com/1667208/7/images/22/MAC+address+format+DS%3A+Distribution+System+AP%3A+Access+Point.jpg)
Regards, Nebojsa Markovic Liked. And thank you for commenting on my post! The IAP is running as an IAP in this diagram, and is actually connected to a separate switch that is not showing in the topology. I will fix the diagram to reflect this.
The IAP could be connected directly to a controller for the purposes of obtaining POE if you wanted to(if the controller were POE capable). As long as the IAP were still functioning as an IAP and hadn’t been converted to a campus AP and been provisioned on said controller.
It would be a waste of resources in a deployment, but perfectly fine in a quick lab.