Hello Reeyon,
For the issue with fingerbank, you can start by checking the rights and
content of the p0f file, which is under
/usr/local/fingerbank/conf/fingerbank-p0f.fp; it should have
fingerbank:fingerbank as owner.
Can you open the file to confirm that the content looks like this (with a
lot more lines!):
classes = win,unix,other
[tcp:request]
label = s:unix:5:nil
sig = *:64:0:*:mss*20,10:mss,sok,ts,nop,ws:df,id+:0
sig = *:64:0:*:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
label = s:unix:5:nil
If the rights are not correct, try the following:
bin/pfcmd fixpermissions (from the /usr/local/pf directory)
chown fingerbank:fingerbank /usr/local/fingerbank/conf/*
Thank you.
On 01/26/2016 12:59 AM, Reeyon Lim wrote:
Hi Fabrice,
Updated to version 5.6.1.
Your guide is working. In my case, I have to edit the following in
vlan_filters.conf to make it work:
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[reg:EthernetEAP]
scope = AutoRegister
role = default
It is working and serves my purpose perfectly :)
---------------------------------
New problem arises:
Fingerbank p0f map update failed on web gui, error shown: "Error! An
error occured while updating file
'/usr/local/fingerbank/conf/fingerbank-p0f.fp'"
Update Fingerbank DB failed as well, I got an email that says "An
error occured while updating file
'/usr/local/fingerbank/db/fingerbank_Upstream.db'"
Thank you.
Regards,
Reeyon
On Tue, Jan 26, 2016 at 9:55 AM, Durand fabrice <[email protected]> wrote:
Hi Reeyon,
with the command: "raddebug -f /usr/local/pf/var/run/radiusd.sock
-t 3600" you will see what happens with the authentication process.
If you want to use -X then use this command:
/usr/sbin/radiusd -d /usr/local/pf/raddb/ -n auth -X
On 2016-01-25 20:27, Reeyon Lim wrote:
Hi Ludovic,
For the radius debug try : raddebug -f
/usr/local/pf/var/run/radiusd.sock -t 3600
*Ans: Where can I look for upon the above command? If I run
"radiusd -X -d /usr/local/pf/raddb", I got the error for the last
two lines*
radiusd: #### Opening IP addresses and Ports ####
The server is not configured to listen on any ports. Cannot start.
Are you trying to do a 802.1x authentication ?
*Ans: Yes, I would like to do a wired 802.1x, and captive portal
login as failover. For example, if domain PC connected to the
network, they will authenticate against AD, otherwise it will pop
up the captive portal page. Guest will need to input the
username/password which is stored in /usr/local/pf/raddb/users file.
(in this case for example, by default is "demouser/demouser")*
So you want to do autoreg on 802.1x and mac auth for guest access
but instead of using /usr/local/pf/raddb/users for guest create a
local user.
*_New problem arises:_*
*My wired 802.1x authentication against AD is successful, however
PF will never assign the port to default vlan(118), but instead
assign to Registration Vlan(2)*
Below is my switchport configuration from Cisco
interface GigabitEthernet0/33
switchport access vlan 118
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
end
*_Switch log:_*
.Jan 26 09:22:54.696 SG: %DOT1X-5-SUCCESS: Authentication
successful for client (d4be.d939.37c6) on Interface Gi0/33
AuditSessionID
.Jan 26 09:22:54.696 SG: %AUTHMGR-7-RESULT: Authentication result
'success' from 'dot1x' for client (d4be.d939.37c6) on Interface
Gi0/33 AuditSessionID 0AB876FB0000007714341E60
.Jan 26 09:22:54.705 SG: %AUTHMGR-5-VLANASSIGN: VLAN 2 assigned
to Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60
.Jan 26 09:22:55.753 SG: %AUTHMGR-5-SUCCESS: Authorization
succeeded for client (d4be.d939.37c6) on Interface Gi0/33
AuditSessionID 0AB876FB0000007714341E60
Make sure that :
- Your user exists on the local/external source --*I have included
Radius for Internal, because the method I use is Radius*
Wrong, don't use packetfence itself as an authentication source.
- That you put the correct source on your portal profile (try to
create one with your SSID/ Switch IP) - *Done*
- Use bin/pftest authentication username password to see which
source you match -
*Ans: the command I run: pftest authenticate demouser demouser
cdppl, the output is*
* Authentication FAILED against cdppl (Unable to validate
credentials at the moment)*
* Did not match against cdppl*
* Did not match against cdppl*
Hope to hear from you, thank you !
Ok so what you will have to do:
Create 2 portal profiles:
One for wire 802.1x (name wire-secure):
Filter: Connection type => Ethernet-EAP
Authentication source => AD
...
one for mac-auth (name wire-open):
Filter: Connection Type => WIRED_MAC_AUTH
Authentication source => Local
...
So if your connection is 802.1x then it will use the wire-secure
portal with AD source and if your connection is mac-auth it will
use the wire-open portal with local source (Local is the person
tab in packetfence).
Next you have to autoregister wire 802.1x connection, so you will
use vlan filters.
Let's create vlan_filters rules:
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[5:EthernetEAP&EAPTLS]
scope = AutoRegister
role = default
I hope it will help.
Also update to pf 5.6.1
Regards
Fabrice
Regards,
Reeyon
On Mon, Jan 25, 2016 at 10:08 PM, Ludovic Zammit <[email protected]> wrote:
Hi Reeyon,
For the radius debug try : raddebug -f
/usr/local/pf/var/run/radiusd.sock -t 3600
Are you trying to do a 802.1x authentication ?
Make sure that :
- Your user exists on the local/external source
- That you put the correct source on your portal profile (try
to create one with your SSID/ Switch IP)
- Use bin/pftest authentication username password to see
which source you match
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
PacketFence (http://packetfence.org)
On 24 Jan 2016 at 21:05, Reeyon Lim <[email protected]> wrote:
Hi All,
I have successfully setup a lab using ZEN 5.5 version on
ESXi. Everything is working fine such as VLAN enforcement
and the captive portal page for registration.
I followed the
http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN-5.6.0.pdf
manual guide; when the landing page pops up and I key in the
default "demouser/demouser", it shows unable to validate
credentials at the moment.
So, going in to shell and run radiusd -X -d /usr/local/pf/raddb/
The output at the last two lines is:
radiusd: #### Opening IP addresses and Ports ####
The server is not configured to listen on any ports.
Cannot start.
I run radtest command and it didn't work as well
Please help!
Regards,
Reeyon
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application
Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just
$35/Month
Monitor end-to-end web transactions and take corrective
actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
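
The owner and content check suggested in the first reply of this thread, written as a script. This is an added example, not part of the original messages or of PacketFence/Fingerbank tooling: the function names are hypothetical, the path and the fingerbank:fingerbank owner come from the thread, the field counts follow the p0f v3 signature format, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: check owner and structure of a p0f v3 file.
P0F=${1:-/usr/local/fingerbank/conf/fingerbank-p0f.fp}   # path from the thread

# check_owner FILE USER:GROUP -> status 0 when owner and group both match.
# Assumes GNU stat (-c), as on the Linux hosts PacketFence runs on.
check_owner() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2" ]
}

# check_p0f FILE -> prints one line per finding, status 1 if there is any.
# p0f v3 layout: label = type:class:name:flavor (type is s or g);
# TCP sig = ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass (8 fields).
check_p0f() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    function val(s)   { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*(;.*)?$/        { next }                        # blank or comment
    /^[ \t]*classes[ \t]*=/ { classes = 1; next }
    /^[ \t]*\[/             { sect = $0; label = 0; next }  # new module section
    /^[ \t]*label[ \t]*=/   {
        n = split(val($0), f, ":"); label = 1
        if (n < 4 || f[1] !~ /^[sg]$/) bad("malformed label")
        next }
    /^[ \t]*sig[ \t]*=/     {
        sigs++
        if (!label) bad("sig before any label in section")
        if (sect ~ /\[tcp:/ && split(val($0), f, ":") != 8)
            bad("TCP sig does not have 8 fields")
        next }
    END {
        if (!classes) { print "no classes line"; errs++ }
        if (!sigs)    { print "no signatures (empty or truncated file?)"; errs++ }
        exit (errs > 0) }
    ' "$1"
}

if [ -f "$P0F" ]; then
    check_owner "$P0F" fingerbank:fingerbank || echo "owner is not fingerbank:fingerbank"
    check_p0f "$P0F" && echo "content looks structurally valid"
fi
```

An empty or truncated file, which is what a failed map update can leave behind, is reported by the END block rather than passing silently.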