Hi Fabrice

Thanks for taking the time to answer. The idea of simply unregistering everyone 
connecting to the open SSID is ingenious.

I have spent a good couple of hours on this, but I am just not making any 
progress. The info below is from a Meru controller with an open SSID and MAC 
auth. I presume I need to target Called-Station-Id as it seems to be the only 
variable identifying that it's the open SSID in question, but I am not sure if 
I am using it correctly. When using the below, PF fails to start. Am I on the 
right track here?

Thanks again


--- vlan filter ---

[reg_network]
# A radius_request filter names the RADIUS attribute to test in "attribute"
# and the pattern in "value"; the attribute name is not itself a valid key.
filter = radius_request
attribute = Called-Station-Id
operator = regex
# "." matches the ":" before the ESS name and "$" anchors it to this SSID only
value = .ess_pf_MacAuth$

# Rule sections are named "[rule_name:filter_name]"
[unreg_node:reg_network]
scope = NormalVlan
role = change_pass
action = deregister_node
action_param = mac = $mac


--- radius info ---

[root@packetfence conf]# raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
Thu Dec 17 08:56:59 2015 : Debug: Received Access-Request packet from host 
10.41.250.1 port 60509, id=69, length=197
Thu Dec 17 08:56:59 2015 : Debug:       Service-Type = Login-User
Thu Dec 17 08:56:59 2015 : Debug:       Framed-MTU = 1250
Thu Dec 17 08:56:59 2015 : Debug:       User-Name = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:       User-Password = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:       Calling-Station-Id = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:       Called-Station-Id = 
"00:50:56:a7:57:a6:ess_pf_MacAuth"
Thu Dec 17 08:56:59 2015 : Debug:       Connect-Info = "CONNECT Unknown Radio"
Thu Dec 17 08:56:59 2015 : Debug:       NAS-IP-Address = 10.41.250.1
Thu Dec 17 08:56:59 2015 : Debug:       NAS-Port-Type = Wireless-802.11
Thu Dec 17 08:56:59 2015 : Debug:       NAS-Port = 0
Thu Dec 17 08:56:59 2015 : Debug:       Message-Authenticator = 
0xf2641737048b6f95215126eb23a17310
Thu Dec 17 08:56:59 2015 : Debug: server packetfence {
Thu Dec 17 08:56:59 2015 : Debug: # Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence
Thu Dec 17 08:56:59 2015 : Debug: +group authorize {
Thu Dec 17 08:56:59 2015 : Debug: [suffix] No '@' in User-Name = 
"38:0f:4a:ac:f9:87", skipping NULL due to config.
Thu Dec 17 08:56:59 2015 : Debug: ++[suffix] = noop
Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] No '\' in User-Name = 
"38:0f:4a:ac:f9:87", looking up realm NULL
Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Found realm "null"
Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Adding Realm = "null"
Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Authentication realm is LOCAL.
Thu Dec 17 08:56:59 2015 : Debug: ++[ntdomain] = ok
Thu Dec 17 08:56:59 2015 : Debug: ++[preprocess] = ok
Thu Dec 17 08:56:59 2015 : Debug: [eap] No EAP-Message, not doing EAP
Thu Dec 17 08:56:59 2015 : Debug: ++[eap] = noop
Thu Dec 17 08:56:59 2015 : Debug: [files] users: Matched entry DEFAULT at line 5
Thu Dec 17 08:56:59 2015 : Debug: ++[files] = ok
Thu Dec 17 08:56:59 2015 : Debug: ++[expiration] = noop
Thu Dec 17 08:56:59 2015 : Debug: ++[logintime] = noop
Thu Dec 17 08:56:59 2015 : Debug: ++update request {
Thu Dec 17 08:56:59 2015 : Debug:       expand: %{Packet-Src-IP-Address} -> 
10.41.250.1
Thu Dec 17 08:56:59 2015 : Debug: ++} # update request = noop
Thu Dec 17 08:56:59 2015 : Debug: ++update control {
Thu Dec 17 08:56:59 2015 : Debug: ++} # update control = noop
Thu Dec 17 08:56:59 2015 : Debug: ++[packetfence] = noop
Thu Dec 17 08:56:59 2015 : Debug: +} # group authorize = ok
Thu Dec 17 08:56:59 2015 : Debug: Found Auth-Type = Accept
Thu Dec 17 08:56:59 2015 : Debug: Auth-Type = Accept, accepting the user
Thu Dec 17 08:56:59 2015 : Debug: } # server packetfence
Thu Dec 17 08:56:59 2015 : Debug: # Executing section post-auth from file 
/usr/local/pf/raddb//sites-enabled/packetfence
Thu Dec 17 08:56:59 2015 : Debug: +group post-auth {
Thu Dec 17 08:56:59 2015 : Debug: ++[exec] = noop
Thu Dec 17 08:56:59 2015 : Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS  
&& EAP-Type != PEAP))
Thu Dec 17 08:56:59 2015 : Debug: ? Evaluating !(EAP-Type ) -> TRUE
Thu Dec 17 08:56:59 2015 : Debug: ?? Skipping (EAP-Type != EAP-TTLS  )
Thu Dec 17 08:56:59 2015 : Debug: ?? Skipping (EAP-Type != PEAP)
Thu Dec 17 08:56:59 2015 : Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS  
&& EAP-Type != PEAP)) -> TRUE
Thu Dec 17 08:56:59 2015 : Debug: ++if (!EAP-Type || (EAP-Type != EAP-TTLS  && 
EAP-Type != PEAP)) {
Thu Dec 17 08:56:59 2015 : Debug: +++update control {
Thu Dec 17 08:56:59 2015 : Debug: +++} # update control = noop
Thu Dec 17 08:56:59 2015 : Debug: +++[packetfence] = ok
Thu Dec 17 08:56:59 2015 : Debug: ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS  
&& EAP-Type != PEAP)) = ok
Thu Dec 17 08:56:59 2015 : Debug: +} # group post-auth = ok
Thu Dec 17 08:56:59 2015 : Debug: Sending Access-Accept packet to host 
10.41.250.1 port 60509, id=69, length=0
Thu Dec 17 08:56:59 2015 : Debug:       Tunnel-Private-Group-Id:0 = "301"
Thu Dec 17 08:56:59 2015 : Debug:       Tunnel-Type:0 = VLAN
Thu Dec 17 08:56:59 2015 : Debug:       Tunnel-Medium-Type:0 = IEEE-802
Thu Dec 17 08:56:59 2015 : Debug: Finished request 65.
Thu Dec 17 08:57:04 2015 : Debug: Cleaning up request 65 ID 69 with timestamp 
+63544


-----Original Message-----
From: Fabrice DURAND [mailto:fdur...@inverse.ca] 
Sent: Tuesday, 15 December 2015 8:29 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Password reset portal

Hello Anton,

Yes, it should be possible to do it with the vlan filters, like unregistering 
devices that are trying to connect on the open SSID.
Then after that you should use something like this to reset the password (with 
passthrough): https://github.com/pwm-project/pwm

Regards
Fabrice

Le 2015-12-15 13:00, Anton Dreyer a écrit :
>
> Good day collective mind
>
> I was hoping to find out how you guys handle password resets?
>
> If you have a single 802.1x SSID and your password expires, you 
> naturally cannot get ON the wireless network to visit a password reset 
> portal of some sort.
>
> Obviously you would have to create a second open SSID without internet 
> and then some sort of portal profile that forces you to hit it 
> regardless of whether your device is still 'registered' with PacketFence.
>
> Any thoughts?
>
> Thanks
>
> Anton
>
>
>
> ----------------------------------------------------------------------
> --------
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
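
To check what the filter in the message above would actually do against the raddebug dump, here is an added Python simulation of the rule; it is not PacketFence's filter engine or any code from the thread. It parses the attribute lines as raddebug prints them (including a value wrapped onto the next line, as Called-Station-Id is in the dump), applies the Called-Station-Id regex, and reports the deregistration the rule would trigger. The second request, on a hypothetical 802.1X SSID named ess_corp_dot1x, is a constructed negative case showing that the anchored regex leaves other SSIDs alone.

```python
import re

# Constructed sample shaped like the raddebug attribute lines in the post;
# Called-Station-Id is wrapped onto a second line, as raddebug does for long values.
OPEN_SSID_REQUEST = '''\
Thu Dec 17 08:56:59 2015 : Debug:       User-Name = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:       Calling-Station-Id = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:       Called-Station-Id = 
"00:50:56:a7:57:a6:ess_pf_MacAuth"
Thu Dec 17 08:56:59 2015 : Debug:       NAS-IP-Address = 10.41.250.1
Thu Dec 17 08:56:59 2015 : Debug:       NAS-Port-Type = Wireless-802.11
'''

# Constructed 802.1X request on a hypothetical SSID; the rule must not touch it.
DOT1X_REQUEST = '''\
Thu Dec 17 09:01:12 2015 : Debug:       User-Name = "jdoe"
Thu Dec 17 09:01:12 2015 : Debug:       Calling-Station-Id = "38:0f:4a:ac:f9:87"
Thu Dec 17 09:01:12 2015 : Debug:       Called-Station-Id = "00:50:56:a7:57:a6:ess_corp_dot1x"
Thu Dec 17 09:01:12 2015 : Debug:       NAS-Port-Type = Wireless-802.11
'''

# "Debug:   Attribute-Name = value"; the value may be empty when it wrapped.
ATTR_LINE = re.compile(r"Debug:\s+([\w-]+) =\s*(.*)$")


def parse_radius_request(debug_text):
    """Turn raddebug attribute lines into a dict, joining a value that wrapped."""
    attrs = {}
    pending = None  # attribute whose value continues on the next line
    for line in debug_text.splitlines():
        if pending is not None:
            attrs[pending] = line.strip().strip('"')
            pending = None
            continue
        m = ATTR_LINE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value == "":
            pending = name
        else:
            attrs[name] = value.strip('"')
    return attrs


# Hypothetical in-memory rendering of the vlan filter from the post
# (filter/attribute/operator/value plus the rule that references it).
OPEN_SSID_FILTER = {
    "attribute": "Called-Station-Id",
    "operator": "regex",
    "value": r".ess_pf_MacAuth$",
}
UNREG_RULE = {
    "filter": OPEN_SSID_FILTER,
    "scope": "NormalVlan",
    "role": "change_pass",
    "action": "deregister_node",
}


def condition_holds(attrs, flt):
    """Evaluate one filter condition against the parsed request attributes."""
    value = attrs.get(flt["attribute"])
    if value is None:
        return False  # attribute absent from the request: no match
    op = flt["operator"]
    if op == "regex":
        return re.search(flt["value"], value) is not None
    if op == "is":
        return value == flt["value"]
    raise ValueError("unsupported operator: " + op)


def evaluate_rule(attrs, rule=UNREG_RULE):
    """Return the action the rule would take for this request, or None."""
    if not condition_holds(attrs, rule["filter"]):
        return None
    return {
        "action": rule["action"],
        "mac": attrs.get("Calling-Station-Id"),  # $mac in action_param
        "role": rule["role"],
    }


if __name__ == "__main__":
    for label, dump in (("open SSID", OPEN_SSID_REQUEST), ("802.1X SSID", DOT1X_REQUEST)):
        print(label, "->", evaluate_rule(parse_radius_request(dump)))
```

Running it shows the open-SSID request producing a deregister_node action for 38:0f:4a:ac:f9:87 with the change_pass role, and the 802.1X request producing nothing, which is the behaviour the filter is meant to have once the attribute and value keys are in place.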

