Hi Louis,

Here you are:
(don’t be irritated, due to a restart, I changed the PID…)

# lsof -nPp 15000 | grep IPv4

tells:

httpd 15000 root 7u IPv4 139071 0t0 TCP 127.0.0.1:7070 (LISTEN)
httpd 15000 root 8u IPv4 139073 0t0 TCP 172.20.1.20:7070 (LISTEN)

pf.conf (slightly “anonymized”):

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=adminnet.nicedomain.de
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=mypf-server
#
# general.dnsservers
#
# Comma-delimited list of DNS servers. Passthroughs are created to allow queries to these servers from even "trapped" nodes.
dnsservers=127.0.0.1,172.20.10.22
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=127.0.0.1,172.20.10.22
#
# general.timezone
#
# System's timezone in string format. Supported list:
# http://www.php.net/manual/en/timezones.php
timezone=Stardate

[trapping]
#
# trapping.detection
#
# Enables snort-based worm detection. If you don't have a span interface available, don't bother enabling it. If you do,
# you'll most definately want this on.
detection=enabled
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that Snort/Suricata will monitor/detect/trap on. Gateway, network, and
# broadcast addresses are ignored.
range=172.20.9.20-254/24
#
# trapping.interception_proxy
#
# When enabled, packetfence will intercept proxy request to somes specified port
interception_proxy=enabled

[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
# PacketFence-related message goes to.
emailaddr=someu...@mypf-server.internal.nicedomain.de
#
# alerting.wins_server
#
# WINS server to resolve NetBIOS name of administrative workstation to IP address.
wins_server=172.20.10.22
#
# alerting.admin_netbiosname
#
# NetBIOS name of administrative workstation to send alerts with "winpopup" action assigned.
admin_netbiosname=someworkstation

[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
is set

[expire]
#
# expire.node
#
# Time before a node is removed due to inactivity.
# A value of 0D disables expiration.
# example:
# node=90D
node=90D
#
# expire.iplog
#
# Time which you would like to keep logs on IP/MAC information.
# A value of 0D disables expiration.
# example:
# iplog=180D
iplog=90D
#
# expire.traplog
#
# Time which you would like to keep logs on trap information.
# A value of 0D disables expiration.
# example:
# traplog=180D
traplog=90D
#
# expire.locationlog
#
# Time which you would like to keep logs on location information
# Please note that this table should not become too big since it
# could degrade pfsetvlan performance.
# A value of 0D disables expiration.
# example:
# locationlog=180D
locationlog=90D
#
# expire.httpd_admin
#
# Please note that this table should not become too big since it
httpd_admin=disabled

[services]
#
# services.pfsetvlan
#
# Should pfsetvlan be managed by PacketFence?
pfsetvlan=enabled

[captive_portal]
#
# captive_portal.network_detection_ip
#
# This IP is used as the webserver who hosts the common/network-access-detection.gif which is used to detect if network
# access was enabled.
# It cannot be a domain name since it is used in registration or quarantine where DNS is blackholed.
# It is recommended that you allow your users to reach your packetfence server and put your LAN's PacketFence IP.
# By default we will make this reach PacketFence's website as an easy solution.
# network_detection_ip=172.20.11.20

[webservices]
#
# webservices.user
#
# username to use to connect to the webAPI
user=websrv_user
#
# webservices.pass
#
# password of the username
is set, too
#
# webservices.proto
#
# proto to use
proto=https

[interface eth0]
enforcement=vlan
ip=172.20.9.20
type=monitor
mask=255.255.255.0

[interface eth1]
enforcement=vlan
ip=172.20.13.20
type=internal
mask=255.255.255.0

[interface eth2]
enforcement=vlan
ip=172.20.17.20
type=monitor
mask=255.255.255.0

[interface eth3]
enforcement=vlan
ip=172.20.10.20
type=monitor
mask=255.255.255.0

[interface eth4]
enforcement=vlan
ip=172.20.13.20
type=monitor
mask=255.255.255.0

[interface eth5]
enforcement=vlan
ip=172.20.11.20
type=internal
mask=255.255.255.0

[interface eth6]
enforcement=vlan
ip=172.20.15.20
type=portal,monitor
mask=255.255.255.0

[interface eth7]
ip=172.20.1.20
type=management
mask=255.255.255.0

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: Wednesday, October 21, 2015 3:52 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] AD auth fails

On Oct 21, 2015, at 9:33, <holger.patz...@t-systems.com> <holger.patz...@t-systems.com> wrote:

    httpd.aaa|1|8993

Ok, so that’s the one that matters.

The error you are seeing is caused by a failure of the radiusd process to connect over http to the httpd.aaa service that provides things like VLANs and ACLs to add to the radius reply.

What does this return?

# lsof -nPp 8993 | grep IPv4

Please post your conf/pf.conf file too.

Regards,
--
Louis Munro
lmu...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
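
A cross-check of the two artifacts exchanged in this thread, added here as an example (it is not part of the original messages and not PacketFence code): it parses `lsof -nP` output and the `[interface ...]` stanzas of pf.conf, reports whether a listener exists on port 7070 for loopback and for the management IP, and flags any IP configured on more than one interface, as the posted eth1 and eth4 stanzas are. The function names, the choice of loopback plus management address as the addresses to check, and the trimmed sample input are assumptions.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample: lsof lines and trimmed eth1/eth4/eth7 stanzas from the message.
LSOF_OUTPUT = """\
httpd 15000 root 7u IPv4 139071 0t0 TCP 127.0.0.1:7070 (LISTEN)
httpd 15000 root 8u IPv4 139073 0t0 TCP 172.20.1.20:7070 (LISTEN)
"""
PF_CONF = """\
[interface eth1]
ip=172.20.13.20
type=internal
[interface eth4]
ip=172.20.13.20
type=monitor
[interface eth7]
ip=172.20.1.20
type=management
"""

def listeners(lsof_text):
    """Return {(ip, port)} for every IPv4 TCP socket in LISTEN state."""
    pat = re.compile(r"\bTCP (\d{1,3}(?:\.\d{1,3}){3}):(\d+) \(LISTEN\)")
    return {(m[1], int(m[2])) for m in pat.finditer(lsof_text)}

def interfaces(conf_text):
    """Map interface name -> options for each [interface X] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s.split(None, 1)[1]: dict(cp[s])
            for s in cp.sections() if s.startswith("interface ")}

def audit(conf_text, lsof_text, port=7070):
    """Hypothetical helper; port 7070 is the one shown in the lsof output."""
    by_ip, mgmt = defaultdict(list), []
    for name, opts in interfaces(conf_text).items():
        by_ip[opts["ip"]].append(name)
        if "management" in opts.get("type", "").split(","):
            mgmt.append(opts["ip"])
    bound = listeners(lsof_text)
    return {
        "duplicate_ips": {ip: n for ip, n in by_ip.items() if len(n) > 1},
        "missing_listeners": [ip for ip in ["127.0.0.1", *mgmt]
                              if (ip, port) not in bound],
    }

if __name__ == "__main__":
    print(audit(PF_CONF, LSOF_OUTPUT))
```

An empty `missing_listeners` list means the service is bound where expected, so a connection failure would have to be explained by something other than a missing socket.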