Hi Fabrice,
Updated to version 5.6.1.
Your guide is working. In my case, I had to edit the following in
vlan_filters.conf to make it work:
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[reg:EthernetEAP]
scope = AutoRegister
role = default
It is working and serves my purpose perfectly :)
---------------------------------
A new problem has arisen:
The Fingerbank p0f map update failed in the web GUI; the error shown is: *Error!* An error
occured while updating file '/usr/local/fingerbank/conf/fingerbank-p0f.fp'
Updating the Fingerbank DB failed as well; I got an email saying "*An error
occured while updating file
'/usr/local/fingerbank/db/fingerbank_Upstream.db'*".
Thank you.
Regards,
Reeyon
On Tue, Jan 26, 2016 at 9:55 AM, Durand fabrice <[email protected]> wrote:
> Hi Reeyon,
>
> With the command "raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600"
> you will see what happens with the authentication process.
> If you want to use -X then use this command:
> /usr/sbin/radiusd -d /usr/local/pf/raddb/ -n auth -X
>
>
> On 2016-01-25 20:27, Reeyon Lim wrote:
>
> Hi Ludovic,
> For the radius debug try : raddebug -f /usr/local/pf/var/run/radiusd.sock
> -t 3600
> *Ans: Where should I look after running the above command? If I run "radiusd -X -d
> /usr/local/pf/raddb", I get the error on the last two lines:*
> *radiusd: #### Opening IP addresses and Ports #### The server is not
> configured to listen on any ports. Cannot start.*
>
> Are you trying to do an 802.1x authentication?
> *Ans: Yes, I would like to do wired 802.1x, with captive portal login as
> failover. For example, if a domain PC connects to the network, it will
> authenticate against AD; otherwise the captive portal page will pop up.
> Guests will need to input the username/password stored in the
> /usr/local/pf/raddb/users file (in this case, for example, the default is
> "demouser/demouser").*
>
> So you want to do autoreg on 802.1x and mac auth for guest access, but
> instead of using /usr/local/pf/raddb/users for guests, create a local user.
>
>
> *A new problem has arisen:*
> *My wired 802.1x authentication against AD is successful, however PF
> never assigns the port to the default VLAN (118), but instead assigns it to the
> Registration VLAN (2).*
> Below is my switchport configuration from the Cisco switch:
> interface GigabitEthernet0/33
> switchport access vlan 118
> switchport mode access
> authentication order dot1x mab
> authentication priority dot1x mab
> authentication port-control auto
> authentication periodic
> authentication timer restart 10800
> authentication timer reauthenticate 10800
> mab
> no snmp trap link-status
> dot1x pae authenticator
> dot1x timeout quiet-period 2
> dot1x timeout tx-period 3
> spanning-tree portfast
> end
>
> *Switch log:*
> .Jan 26 09:22:54.696 SG: %DOT1X-5-SUCCESS: Authentication successful for
> client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID
> .Jan 26 09:22:54.696 SG: %AUTHMGR-7-RESULT: Authentication result
> 'success' from 'dot1x' for client (d4be.d939.37c6) on Interface Gi0/33
> AuditSessionID 0AB876FB0000007714341E60
> .Jan 26 09:22:54.705 SG: %AUTHMGR-5-VLANASSIGN: VLAN 2 assigned to
> Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60
> .Jan 26 09:22:55.753 SG: %AUTHMGR-5-SUCCESS: Authorization succeeded for
> client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID
> 0AB876FB0000007714341E60
>
> Make sure that :
>
> - Your user exists on the local/external source -- *I have included Radius
> for Internal, because the method I use is Radius*
>
> Wrong, don't use packetfence itself as an authentication source.
>
> - That you put the correct source on your portal profile (try to create
> one with your SSID/switch IP) - *Done*
> - Use bin/pftest authentication username password to see which source you
> match -
> *Ans: the command I ran: pftest authenticate demouser demouser cdppl; the
> output is:*
> *Authentication FAILED against cdppl (Unable to validate credentials at
> the moment)*
> *Did not match against cdppl*
> *Did not match against cdppl*
>
> Hope to hear from you, thank you!
>
>
> OK, so what you will have to do:
> Create 2 portal profiles:
>
> One for wired 802.1x (name it wire-secure):
> Filter: Connection type => Ethernet-EAP
> Authentication source => AD
> ...
>
> One for mac-auth (name it wire-open):
> Filter: Connection Type => WIRED_MAC_AUTH
> Authentication source => Local
> ...
>
> So if your connection is 802.1x then it will use the wire-secure portal
> with the AD source, and if your connection is mac-auth it will use the wire-open
> portal with the local source (Local is the Person tab in PacketFence).
>
> Next you have to autoregister wired 802.1x connections, so you will use vlan
> filters.
> Let's create vlan_filters rules:
>
> [EthernetEAP]
> filter = connection_type
> operator = is
> value = Ethernet-EAP
>
> [5:EthernetEAP&EAPTLS]
> scope = AutoRegister
> role = default
>
>
> I hope it will help.
> Also, update to pf 5.6.1.
>
> Regards
> Fabrice
>
>
> Regards,
> Reeyon
>
> On Mon, Jan 25, 2016 at 10:08 PM, Ludovic Zammit <[email protected]>
> wrote:
>
>> Hi Reeyon,
>>
>> For the radius debug try : raddebug -f
>> /usr/local/pf/var/run/radiusd.sock -t 3600
>>
>> Are you trying to do a 802.1x authentication ?
>>
>> Make sure that :
>>
>> - Your user exists on the local/external source
>> - That you put the correct source on your portal profile (try to create
>> one with your SSID/switch IP)
>> - Use bin/pftest authentication username password to see which source you
>> match
>>
>> Thanks,
>>
>> Ludovic [email protected] <[email protected]> :: +1.514.447.4918
>> (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>>
>>
>>
>>
>>
>> On 24 Jan 2016 at 21:05, Reeyon Lim <[email protected]> wrote:
>>
>> Hi All,
>>
>> I have successfully set up a lab using the ZEN 5.5 version on ESXi. Everything
>> is working fine, such as VLAN enforcement and the captive portal page for
>> registration.
>> I followed the manual guide at
>> http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN-5.6.0.pdf
>> but when the landing page pops up and I key in the default
>> "demouser/demouser", it shows "unable to validate credentials at the moment".
>>
>> So, going into the shell and running radiusd -X -d /usr/local/pf/raddb/,
>> the output at the last two lines is:
>>
>> *radiusd: #### Opening IP addresses and Ports ####*
>> *The server is not configured to listen on any ports. Cannot start.*
>>
>> I ran the radtest command and it didn't work either.
>> Please help!
>>
>> Regards,
>> Reeyon
>>
>
>
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
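An added example, not PacketFence's own code and not part of this thread: it evaluates the vlan_filters.conf rules quoted above the way the thread describes them (a condition section plus a "label:condition" action section) so the expected auto-registration role for an Ethernet-EAP connection can be checked offline before touching the switch. The "is"/"is_not" operators and the "&" combinator are assumptions modelled on the two snippets in the thread, not PacketFence's full rule engine.

```python
import configparser

# Constructed input: the working vlan_filters.conf snippet from the thread.
SAMPLE_CONF = """
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP

[reg:EthernetEAP]
scope = AutoRegister
role = default
"""

# Operators assumed for this example; PacketFence's own engine supports more.
OPERATORS = {"is": lambda a, e: a == e, "is_not": lambda a, e: a != e}

def load_rules(text):
    """Split sections into named conditions and (expr, scope, role) actions."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    conditions, actions = {}, []
    for name in cp.sections():
        sec = cp[name]
        if ":" in name:  # action section: "<label>:<cond1>&<cond2>..."
            expr = name.split(":", 1)[1]
            actions.append((expr, sec["scope"], sec.get("role")))
        else:  # condition section: filter / operator / value
            conditions[name] = (sec["filter"], sec["operator"], sec["value"])
    return conditions, actions

def condition_matches(name, conditions, connection):
    """True if the named condition holds for this connection's attributes."""
    attr, op, expected = conditions[name]
    return OPERATORS[op](connection.get(attr), expected)

def role_for(text, scope, connection):
    """Role from the first `scope` action whose '&'-joined conditions all match."""
    conditions, actions = load_rules(text)
    for expr, action_scope, role in actions:
        if action_scope != scope:
            continue
        if all(condition_matches(n, conditions, connection) for n in expr.split("&")):
            return role
    return None  # no rule matched: the node is not auto-registered

# A wired 802.1X (Ethernet-EAP) client is auto-registered into "default";
# a MAC-auth client matches nothing and stays on the registration VLAN.
print(role_for(SAMPLE_CONF, "AutoRegister", {"connection_type": "Ethernet-EAP"}))
print(role_for(SAMPLE_CONF, "AutoRegister", {"connection_type": "WIRED_MAC_AUTH"}))
```

A condition name referenced in an action but never defined (as in the "[5:EthernetEAP&EAPTLS]" variant without an [EAPTLS] section) raises a KeyError here, which is the mistake to look for when a rule silently never matches.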