Hi Fabrice,

Thanks for taking the time to answer. The idea of simply unregistering everyone connecting to the open SSID is ingenious.

I have spent a good couple of hours on this, but I am just not making any progress. The info below is from a Meru controller with an open SSID and MAC auth. I presume I need to target Called-Station-Id, as it seems to be the only variable identifying that it's the open SSID in question, but I am not sure if I am using it correctly. When using the below, PF fails to start. Am I on the right track here?

Thanks again

--- vlan filter ---

[reg_network]
filter = radius_request
operator = regex
Called-Station-Id = .ess_pf_MacAuth$

[unreg_node:reg_network]
scope = NormalVlan
role = change_pass
action = deregister_node
action_param = mac = $mac

--- radius info ---

[root@packetfence conf]# raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
Thu Dec 17 08:56:59 2015 : Debug: Received Access-Request packet from host 10.41.250.1 port 60509, id=69, length=197
Thu Dec 17 08:56:59 2015 : Debug:     Service-Type = Login-User
Thu Dec 17 08:56:59 2015 : Debug:     Framed-MTU = 1250
Thu Dec 17 08:56:59 2015 : Debug:     User-Name = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:     User-Password = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:     Calling-Station-Id = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:     Called-Station-Id = "00:50:56:a7:57:a6:ess_pf_MacAuth"
Thu Dec 17 08:56:59 2015 : Debug:     Connect-Info = "CONNECT Unknown Radio"
Thu Dec 17 08:56:59 2015 : Debug:     NAS-IP-Address = 10.41.250.1
Thu Dec 17 08:56:59 2015 : Debug:     NAS-Port-Type = Wireless-802.11
Thu Dec 17 08:56:59 2015 : Debug:     NAS-Port = 0
Thu Dec 17 08:56:59 2015 : Debug:     Message-Authenticator = 0xf2641737048b6f95215126eb23a17310
Thu Dec 17 08:56:59 2015 : Debug: server packetfence {
Thu Dec 17 08:56:59 2015 : Debug:   # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
Thu Dec 17 08:56:59 2015 : Debug:   +group authorize {
Thu Dec 17 08:56:59 2015 : Debug: [suffix] No '@' in User-Name = "38:0f:4a:ac:f9:87", skipping NULL due to config.
Thu Dec 17 08:56:59 2015 : Debug:   ++[suffix] = noop
Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] No '\' in User-Name = "38:0f:4a:ac:f9:87", looking up realm NULL
Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Found realm "null"
Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Adding Realm = "null"
Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Authentication realm is LOCAL.
Thu Dec 17 08:56:59 2015 : Debug:   ++[ntdomain] = ok
Thu Dec 17 08:56:59 2015 : Debug:   ++[preprocess] = ok
Thu Dec 17 08:56:59 2015 : Debug: [eap] No EAP-Message, not doing EAP
Thu Dec 17 08:56:59 2015 : Debug:   ++[eap] = noop
Thu Dec 17 08:56:59 2015 : Debug: [files] users: Matched entry DEFAULT at line 5
Thu Dec 17 08:56:59 2015 : Debug:   ++[files] = ok
Thu Dec 17 08:56:59 2015 : Debug:   ++[expiration] = noop
Thu Dec 17 08:56:59 2015 : Debug:   ++[logintime] = noop
Thu Dec 17 08:56:59 2015 : Debug:   ++update request {
Thu Dec 17 08:56:59 2015 : Debug:     expand: %{Packet-Src-IP-Address} -> 10.41.250.1
Thu Dec 17 08:56:59 2015 : Debug:   ++} # update request = noop
Thu Dec 17 08:56:59 2015 : Debug:   ++update control {
Thu Dec 17 08:56:59 2015 : Debug:   ++} # update control = noop
Thu Dec 17 08:56:59 2015 : Debug:   ++[packetfence] = noop
Thu Dec 17 08:56:59 2015 : Debug:   +} # group authorize = ok
Thu Dec 17 08:56:59 2015 : Debug: Found Auth-Type = Accept
Thu Dec 17 08:56:59 2015 : Debug: Auth-Type = Accept, accepting the user
Thu Dec 17 08:56:59 2015 : Debug: } # server packetfence
Thu Dec 17 08:56:59 2015 : Debug:   # Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
Thu Dec 17 08:56:59 2015 : Debug:   +group post-auth {
Thu Dec 17 08:56:59 2015 : Debug:   ++[exec] = noop
Thu Dec 17 08:56:59 2015 : Debug:   ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
Thu Dec 17 08:56:59 2015 : Debug:   ? Evaluating !(EAP-Type ) -> TRUE
Thu Dec 17 08:56:59 2015 : Debug:   ?? Skipping (EAP-Type != EAP-TTLS )
Thu Dec 17 08:56:59 2015 : Debug:   ?? Skipping (EAP-Type != PEAP)
Thu Dec 17 08:56:59 2015 : Debug:   ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
Thu Dec 17 08:56:59 2015 : Debug:   ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
Thu Dec 17 08:56:59 2015 : Debug:   +++update control {
Thu Dec 17 08:56:59 2015 : Debug:   +++} # update control = noop
Thu Dec 17 08:56:59 2015 : Debug:   +++[packetfence] = ok
Thu Dec 17 08:56:59 2015 : Debug:   ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = ok
Thu Dec 17 08:56:59 2015 : Debug:   +} # group post-auth = ok
Thu Dec 17 08:56:59 2015 : Debug: Sending Access-Accept packet to host 10.41.250.1 port 60509, id=69, length=0
Thu Dec 17 08:56:59 2015 : Debug:     Tunnel-Private-Group-Id:0 = "301"
Thu Dec 17 08:56:59 2015 : Debug:     Tunnel-Type:0 = VLAN
Thu Dec 17 08:56:59 2015 : Debug:     Tunnel-Medium-Type:0 = IEEE-802
Thu Dec 17 08:56:59 2015 : Debug: Finished request 65.
Thu Dec 17 08:57:04 2015 : Debug: Cleaning up request 65 ID 69 with timestamp +63544

-----Original Message-----
From: Fabrice DURAND [mailto:fdur...@inverse.ca]
Sent: Tuesday, 15 December 2015 8:29 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Password reset portal

Hello Anton,

yes, it should be possible to do it with the vlan filters, like unregistering devices that are trying to connect on the open SSID.
Then after that you should use something like that to reset the password (with passthrough):
https://github.com/pwm-project/pwm

Regards
Fabrice

On 2015-12-15 13:00, Anton Dreyer wrote:
> Good day collective mind
>
> I was hoping to find out how you guys handle password resets?
>
> If you have a single 802.1x SSID, and your password expires - you
> naturally cannot get ON the wireless network to visit a password reset
> portal of some sort.
>
> Obviously you would have to create a second open SSID without internet
> and then some sort of portal profile that forces you to hit it
> regardless if your device is still 'registered' with packetfence.
>
> Any thoughts?
>
> Thanks
> Anton
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
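As an added illustration (not code from this thread, nor PacketFence's own filter engine), the Python below parses raddebug attribute lines like the ones in the Access-Request above into a dictionary, splits the AP MAC from the SSID in Called-Station-Id, and evaluates the `.ess_pf_MacAuth$` regex from the proposed vlan filter against it. It lets you confirm offline that the pattern selects the open MAC-auth SSID and not a secure one before editing the filter file. The second, secure-SSID request is constructed for contrast, and the `plan_action` helper is an assumption that mirrors the intended "deregister the connecting MAC" rule; it does not reproduce PacketFence's actual vlan_filters.conf syntax.

```python
import re

# Attribute lines copied from the Access-Request in the thread (open MAC-auth SSID).
RADDEBUG_OPEN_SSID = """\
Thu Dec 17 08:56:59 2015 : Debug: Received Access-Request packet from host 10.41.250.1 port 60509, id=69, length=197
Thu Dec 17 08:56:59 2015 : Debug:     User-Name = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:     Calling-Station-Id = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug:     Called-Station-Id = "00:50:56:a7:57:a6:ess_pf_MacAuth"
Thu Dec 17 08:56:59 2015 : Debug:     NAS-IP-Address = 10.41.250.1
Thu Dec 17 08:56:59 2015 : Debug:     NAS-Port-Type = Wireless-802.11
Thu Dec 17 08:56:59 2015 : Debug: server packetfence {
"""

# Constructed request from a hypothetical secure SSID on the same AP (not from the thread).
RADDEBUG_SECURE_SSID = """\
Thu Dec 17 09:01:10 2015 : Debug: Received Access-Request packet from host 10.41.250.1 port 60510, id=70, length=201
Thu Dec 17 09:01:10 2015 : Debug:     User-Name = "jdoe"
Thu Dec 17 09:01:10 2015 : Debug:     Calling-Station-Id = "AA:BB:CC:DD:EE:FF"
Thu Dec 17 09:01:10 2015 : Debug:     Called-Station-Id = "00:50:56:a7:57:a6:ess_pf_Secure"
Thu Dec 17 09:01:10 2015 : Debug:     NAS-Port-Type = Wireless-802.11
"""

# One "Attribute = value" line as raddebug prints it (value may be quoted or bare).
ATTR_RE = re.compile(r'Debug:\s+([A-Za-z][\w-]*(?::\d+)?) = (.*)$')

# Called-Station-Id on wireless NAS devices is usually "<AP MAC><sep><SSID>".
CALLED_RE = re.compile(r'^([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})[:-](.+)$')


def parse_request(raddebug_text):
    """Collect the RADIUS attributes of one Access-Request into a dict."""
    attrs = {}
    for line in raddebug_text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue  # packet headers, section markers, module output
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[m.group(1)] = value
    return attrs


def split_called_station(called_station_id):
    """Return (ap_mac, ssid) from a Called-Station-Id, or (value, None) if unparseable."""
    m = CALLED_RE.match(called_station_id)
    if not m:
        return called_station_id, None
    return m.group(1).lower(), m.group(2)


def matches_filter(attrs, attribute, operator, value):
    """Evaluate one filter condition against the request attributes."""
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if operator == "regex":
        return re.search(value, actual) is not None
    if operator == "is":
        return actual == value
    raise ValueError(f"unsupported operator {operator!r}")


def plan_action(attrs):
    """Assumed rule from the thread: on the open MAC-auth SSID, deregister the
    connecting MAC; otherwise take no action. Returns (action, mac) or None."""
    # The leading '.' in the pattern consumes the ':' that separates AP MAC and SSID.
    if matches_filter(attrs, "Called-Station-Id", "regex", r".ess_pf_MacAuth$"):
        return ("deregister_node", attrs["Calling-Station-Id"].lower())
    return None


if __name__ == "__main__":
    for label, text in (("open", RADDEBUG_OPEN_SSID), ("secure", RADDEBUG_SECURE_SSID)):
        req = parse_request(text)
        ap_mac, ssid = split_called_station(req["Called-Station-Id"])
        print(f"{label}: ap={ap_mac} ssid={ssid} action={plan_action(req)}")
```

The `split_called_station` step is the part worth keeping in mind when writing the real filter: only the SSID suffix of Called-Station-Id identifies the network, so a regex anchored at the end of the value (as in the proposed filter) is the right shape, while matching on the AP MAC prefix would tie the rule to a single access point.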