Thanks Fabrice - working perfectly

Last quick thing if I may

To change the sponsor allowed email address, where can I do that? I have asked that question before in this list, but it seems to have changed from 3.6. The pf box is located in ad.sub.domain.com and I would like all of domain.com to be sponsors...

Thanks again for all your help!!

-----Original Message-----
From: Fabrice DURAND [mailto:[email protected]]
Sent: Thursday, 17 December 2015 3:18 PM
To: [email protected]
Subject: Re: [PacketFence-users] Password reset portal

Hi Anton,

can you try something like that:

[regnetwork]
filter = ssid
operator = is
value = ess_pf_MacAuth

[unregnode:regnetwork]
scope = NormalVlan
role = registration
action = deregister_node
action_param = mac = $mac

Regards
Fabrice

On 2015-12-17 04:16, Anton Dreyer wrote:
> Hi Fabrice
>
> Thanks for taking the time to answer. The idea of simply unregistering
> everyone connecting to the openssid is ingenious.
>
> I have spent a good couple of hours on this, but I am just not making any
> progress. The below info is from a meru controller with an open ssid and mac
> auth. I presume I need to target Called-Station-Id as it seems to be the only
> variable identifying that it's the open SSID in question - but I am not sure
> if I am using it correctly. When using the below PF fails to start. Am I on
> the right track here?
>
> Thanks again
>
>
> --- vlan filter ---
>
> [reg_network]
> filter = radius_request
> operator = regex
> Called-Station-Id = .ess_pf_MacAuth$
>
> [unreg_node:reg_network]
> scope = NormalVlan
> role = change_pass
> action = deregister_node
> action_param = mac = $mac
>
>
> --- radius info ---
>
> [root@packetfence conf]# raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
> Thu Dec 17 08:56:59 2015 : Debug: Received Access-Request packet from host 10.41.250.1 port 60509, id=69, length=197
> Thu Dec 17 08:56:59 2015 : Debug: Service-Type = Login-User
> Thu Dec 17 08:56:59 2015 : Debug: Framed-MTU = 1250
> Thu Dec 17 08:56:59 2015 : Debug: User-Name = "38:0f:4a:ac:f9:87"
> Thu Dec 17 08:56:59 2015 : Debug: User-Password = "38:0f:4a:ac:f9:87"
> Thu Dec 17 08:56:59 2015 : Debug: Calling-Station-Id = "38:0f:4a:ac:f9:87"
> Thu Dec 17 08:56:59 2015 : Debug: Called-Station-Id = "00:50:56:a7:57:a6:ess_pf_MacAuth"
> Thu Dec 17 08:56:59 2015 : Debug: Connect-Info = "CONNECT Unknown Radio"
> Thu Dec 17 08:56:59 2015 : Debug: NAS-IP-Address = 10.41.250.1
> Thu Dec 17 08:56:59 2015 : Debug: NAS-Port-Type = Wireless-802.11
> Thu Dec 17 08:56:59 2015 : Debug: NAS-Port = 0
> Thu Dec 17 08:56:59 2015 : Debug: Message-Authenticator = 0xf2641737048b6f95215126eb23a17310
> Thu Dec 17 08:56:59 2015 : Debug: server packetfence {
> Thu Dec 17 08:56:59 2015 : Debug: # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
> Thu Dec 17 08:56:59 2015 : Debug: +group authorize {
> Thu Dec 17 08:56:59 2015 : Debug: [suffix] No '@' in User-Name = "38:0f:4a:ac:f9:87", skipping NULL due to config.
> Thu Dec 17 08:56:59 2015 : Debug: ++[suffix] = noop
> Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] No '\' in User-Name = "38:0f:4a:ac:f9:87", looking up realm NULL
> Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Found realm "null"
> Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Adding Realm = "null"
> Thu Dec 17 08:56:59 2015 : Debug: [ntdomain] Authentication realm is LOCAL.
> Thu Dec 17 08:56:59 2015 : Debug: ++[ntdomain] = ok
> Thu Dec 17 08:56:59 2015 : Debug: ++[preprocess] = ok
> Thu Dec 17 08:56:59 2015 : Debug: [eap] No EAP-Message, not doing EAP
> Thu Dec 17 08:56:59 2015 : Debug: ++[eap] = noop
> Thu Dec 17 08:56:59 2015 : Debug: [files] users: Matched entry DEFAULT at line 5
> Thu Dec 17 08:56:59 2015 : Debug: ++[files] = ok
> Thu Dec 17 08:56:59 2015 : Debug: ++[expiration] = noop
> Thu Dec 17 08:56:59 2015 : Debug: ++[logintime] = noop
> Thu Dec 17 08:56:59 2015 : Debug: ++update request {
> Thu Dec 17 08:56:59 2015 : Debug: expand: %{Packet-Src-IP-Address} -> 10.41.250.1
> Thu Dec 17 08:56:59 2015 : Debug: ++} # update request = noop
> Thu Dec 17 08:56:59 2015 : Debug: ++update control {
> Thu Dec 17 08:56:59 2015 : Debug: ++} # update control = noop
> Thu Dec 17 08:56:59 2015 : Debug: ++[packetfence] = noop
> Thu Dec 17 08:56:59 2015 : Debug: +} # group authorize = ok
> Thu Dec 17 08:56:59 2015 : Debug: Found Auth-Type = Accept
> Thu Dec 17 08:56:59 2015 : Debug: Auth-Type = Accept, accepting the user
> Thu Dec 17 08:56:59 2015 : Debug: } # server packetfence
> Thu Dec 17 08:56:59 2015 : Debug: # Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
> Thu Dec 17 08:56:59 2015 : Debug: +group post-auth {
> Thu Dec 17 08:56:59 2015 : Debug: ++[exec] = noop
> Thu Dec 17 08:56:59 2015 : Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
> Thu Dec 17 08:56:59 2015 : Debug: ? Evaluating !(EAP-Type ) -> TRUE
> Thu Dec 17 08:56:59 2015 : Debug: ?? Skipping (EAP-Type != EAP-TTLS )
> Thu Dec 17 08:56:59 2015 : Debug: ?? Skipping (EAP-Type != PEAP)
> Thu Dec 17 08:56:59 2015 : Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
> Thu Dec 17 08:56:59 2015 : Debug: ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
> Thu Dec 17 08:56:59 2015 : Debug: +++update control {
> Thu Dec 17 08:56:59 2015 : Debug: +++} # update control = noop
> Thu Dec 17 08:56:59 2015 : Debug: +++[packetfence] = ok
> Thu Dec 17 08:56:59 2015 : Debug: ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = ok
> Thu Dec 17 08:56:59 2015 : Debug: +} # group post-auth = ok
> Thu Dec 17 08:56:59 2015 : Debug: Sending Access-Accept packet to host 10.41.250.1 port 60509, id=69, length=0
> Thu Dec 17 08:56:59 2015 : Debug: Tunnel-Private-Group-Id:0 = "301"
> Thu Dec 17 08:56:59 2015 : Debug: Tunnel-Type:0 = VLAN
> Thu Dec 17 08:56:59 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
> Thu Dec 17 08:56:59 2015 : Debug: Finished request 65.
> Thu Dec 17 08:57:04 2015 : Debug: Cleaning up request 65 ID 69 with timestamp +63544
>
>
> -----Original Message-----
> From: Fabrice DURAND [mailto:[email protected]]
> Sent: Tuesday, 15 December 2015 8:29 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] Password reset portal
>
> Hello Anton,
>
> yes it should be possible to do it with the vlan filters, like unreg devices
> that are trying to connect on the openssid.
> Then after that you should use something like that to reset the
> password (with passthrough): https://github.com/pwm-project/pwm
>
> Regards
> Fabrice
>
> On 2015-12-15 13:00, Anton Dreyer wrote:
>> Good day collective mind
>>
>> I was hoping to find out how you guys handle password resets?
>>
>> If you have a single 802.1x SSID, and your password expires - you
>> naturally cannot get ON the wireless network to visit a password
>> reset portal of some sort.
>>
>> Obviously you would have to create a second open SSID without
>> internet and then some sort of portal profile that forces you to hit
>> it regardless if your device is still 'registered' with packetfence.
>>
>> Any thoughts?
>>
>> Thanks
>>
>> Anton
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> PacketFence (http://packetfence.org)

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
PacketFence (http://packetfence.org)
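
Added example (not part of the thread and not PacketFence code): a check, run over raddebug lines in the format quoted above, of which requests an exact SSID condition selects compared with the unanchored regex `.ess_pf_MacAuth$` applied to the whole Called-Station-Id. It assumes the SSID is the text after the BSSID in Called-Station-Id, as in the log; requests 70 and 71 and all function names are constructed for illustration.

```python
import re

# Constructed sample in the raddebug format quoted in the thread. Request 69
# reuses the thread's values; requests 70 and 71 (other SSIDs) are invented.
SAMPLE = """\
Thu Dec 17 08:56:59 2015 : Debug: Received Access-Request packet from host 10.41.250.1 port 60509, id=69, length=197
Thu Dec 17 08:56:59 2015 : Debug: User-Name = "38:0f:4a:ac:f9:87"
Thu Dec 17 08:56:59 2015 : Debug: Called-Station-Id = "00:50:56:a7:57:a6:ess_pf_MacAuth"
Thu Dec 17 08:57:10 2015 : Debug: Received Access-Request packet from host 10.41.250.1 port 60509, id=70, length=210
Thu Dec 17 08:57:10 2015 : Debug: Called-Station-Id = "00:50:56:a7:57:a6:ess_pf_Secure"
Thu Dec 17 08:57:20 2015 : Debug: Received Access-Request packet from host 10.41.250.1 port 60509, id=71, length=201
Thu Dec 17 08:57:20 2015 : Debug: Called-Station-Id = "00:50:56:a7:57:a6:lab-ess_pf_MacAuth"
"""

NEW_REQ = re.compile(r"Debug:\s+Received Access-Request .* id=(\d+),")
ATTR = re.compile(r'Debug:\s+([A-Za-z][\w-]*) = "?([^"]*)"?\s*$')
CALLED = re.compile(r"^((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}):(.*)$")


def parse_requests(text):
    """Group attribute lines under the Access-Request line that precedes them."""
    requests = []
    for line in text.splitlines():
        m = NEW_REQ.search(line)
        if m:
            requests.append({"id": int(m.group(1))})
        elif requests and (m := ATTR.search(line)):
            requests[-1][m.group(1)] = m.group(2)
    return requests


def ssid_of(called_station_id):
    """Split '<BSSID>:<SSID>' as it appears in the log; None if no SSID part."""
    m = CALLED.match(called_station_id or "")
    return m.group(2) if m else None


def exact_ssid_hits(requests, ssid):
    """Request ids whose SSID equals `ssid` (an exact-match condition)."""
    return [r["id"] for r in requests if ssid_of(r.get("Called-Station-Id")) == ssid]


def regex_hits(requests, pattern):
    """Request ids whose whole Called-Station-Id matches an unanchored regex."""
    rx = re.compile(pattern)
    return [r["id"] for r in requests if rx.search(r.get("Called-Station-Id", ""))]


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE)
    print("exact:", exact_ssid_hits(reqs, "ess_pf_MacAuth"))    # [69]
    print("regex:", regex_hits(reqs, r".ess_pf_MacAuth$"))     # [69, 71]
```

The suffix regex also selects the constructed SSID `lab-ess_pf_MacAuth`, so with a deregister action attached it would reach nodes on an SSID that merely ends in the same string.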
