Hello Antoine,

the /usr/local/fingerbank/conf/fingerbank-p0f.fp looks good.
I have run command: pfcmd fixpermissions, and
I have run command: chown -R fingerbank:fingerbank /usr/local/fingerbank/*

Result still no good :-(

Regards,
Reeyon

On Tue, Jan 26, 2016 at 9:54 PM, Antoine Amacher <[email protected]>
wrote:

> Hello Reeyon,
>
> For the issue with fingerbank, you can start by checking the rights and
> content of the p0f file, which is under
> /usr/local/fingerbank/conf/fingerbank-p0f.fp, it should be
> fingerbank:fingerbank as owner.
> Can you open the file to confirm that the content looks like that (with a
> lot more lines!):
>
> classes = win,unix,other
> [tcp:request]
> label = s:unix:5:nil
> sig   = *:64:0:*:mss*20,10:mss,sok,ts,nop,ws:df,id+:0
> sig   = *:64:0:*:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
> label = s:unix:5:nil
>
> If the rights are not correct, try the following:
> bin/pfcmd fixpermissions (from the /usr/local/pf directory)
> chown fingerbank:fingerbank /usr/local/fingerbank/conf/*
>
> Thank you.
>
>
> On 01/26/2016 12:59 AM, Reeyon Lim wrote:
>
> Hi Fabrice,
>
> Updated to version 5.6.1.
>
> Your guide is working. In my case, I have to edit the following in
> vlan_filters.conf to make it work:
>
> [EthernetEAP]
> filter = connection_type
> operator = is
> value = Ethernet-EAP
>
> [reg:EthernetEAP]
> scope = AutoRegister
> role = default
>
> It is working and serves my purpose perfectly :)
>
> ---------------------------------
>
> New problem arises:
> Fingerbank p0f map update failed on web gui, error shown: *Error!* An
> error occured while updating file
> '/usr/local/fingerbank/conf/fingerbank-p0f.fp'
> Update Fingerbank DB failed as well, I got an email saying that "*An error
> occured while updating file
> '/usr/local/fingerbank/db/fingerbank_Upstream.db'"*
> Thank you.
>
> Regards,
> Reeyon
>
> On Tue, Jan 26, 2016 at 9:55 AM, Durand fabrice <[email protected]>
> wrote:
>
>> Hi Reeyon,
>>
>> with the command: "raddebug -f /usr/local/pf/var/run/radiusd.sock -t
>> 3600" you will see what happens with the authentication process.
>> If you want to use -X then use this command:
>> /usr/sbin/radiusd -d /usr/local/pf/raddb/ -n auth -X
>>
>>
>> On 2016-01-25 20:27, Reeyon Lim wrote:
>>
>> Hi Ludovic,
>> For the radius debug try :  raddebug -f
>> /usr/local/pf/var/run/radiusd.sock -t 3600
>> *Ans: What should I look for with the above command? If I run "radiusd -X
>> -d /usr/local/pf/raddb", I get the error in the last two lines*
>> * radiusd: #### Opening IP addresses and Ports #### The server is not
>> configured to listen on any ports.  Cannot start. *
>>
>> Are you trying to do a 802.1x authentication ?
>> *Ans: Yes, I would like to do a wired 802.1x, and captive portal login as
>> failover. For example, if domain PC connected to the network, they will
>> authenticate against AD, otherwise it will pop up the captive portal page.
>> Guest will need to input the username/password which stored in
>> /usr/local/pf/raddb/users file. (in this case for example, by default is
>> "demouser/demouser")*
>>
>> So you want to do autoreg on 802.1x and mac auth for guest access but
>> instead of using /usr/local/pf/raddb/users for guest create a local user.
>>
>>
>> *New problem arises:*
>> *My wired 802.1x authentication against AD is successful, however PF will
>> never assign the port to default vlan(118), but instead assign to
>> Registration Vlan(2)*
>> Below is my switchport configuration from Cisco
>> interface GigabitEthernet0/33
>>  switchport access vlan 118
>>  switchport mode access
>>  authentication order dot1x mab
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  authentication periodic
>>  authentication timer restart 10800
>>  authentication timer reauthenticate 10800
>>  mab
>>  no snmp trap link-status
>>  dot1x pae authenticator
>>  dot1x timeout quiet-period 2
>>  dot1x timeout tx-period 3
>>  spanning-tree portfast
>> end
>>
>> *Switch log:*
>> .Jan 26 09:22:54.696 SG: %DOT1X-5-SUCCESS: Authentication successful for
>> client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID
>> .Jan 26 09:22:54.696 SG: %AUTHMGR-7-RESULT: Authentication result
>> 'success' from 'dot1x' for client (d4be.d939.37c6) on Interface Gi0/33
>> AuditSessionID 0AB876FB0000007714341E60
>> .Jan 26 09:22:54.705 SG: %AUTHMGR-5-VLANASSIGN: VLAN 2 assigned to
>> Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60
>> .Jan 26 09:22:55.753 SG: %AUTHMGR-5-SUCCESS: Authorization succeeded for
>> client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID
>> 0AB876FB0000007714341E60
>>
>> Make sure that :
>>
>> - Your user exists on the local/external source --* I have included
>> Radius for Internal, because the method I use is Radius*
>>
>> Wrong, don't use packetfence itself as an authentication source.
>>
>> - That you put the correct source on your portal profile (try to create
>> one with your SSID/ Switch IP) - *Done*
>> - Use bin/pftest authentication username password to see which source you
>> match -
>> *Ans: the command I run: pftest authenticate demouser demouser cdppl, the
>> output is*
>> * Authentication FAILED against cdppl (Unable to validate credentials at
>> the moment)*
>> *  Did not match against cdppl*
>> *  Did not match against cdppl*
>>
>> Hope to hear from you, thank you !
>>
>>
>> Ok so what you will have to do:
>> Create 2 portal profiles:
>>
>> One for wire 802.1x (name wire-secure):
>> Filter: Connection type => Ethernet-EAP
>> Authentication source => AD
>> ...
>>
>> one for mac-auth (name wire-open):
>> Filter: Connection Type => WIRED_MAC_AUTH
>> Authentication source => Local
>> ...
>>
>> So if your connection is 802.1x then it will use the wire-secure portal
>> with AD source and if your connection is mac-auth it will use the wire-open
>> portal with local source (Local is the person tab in packetfence).
>>
>> Next you have to autoregister wire 802.1x connection, so you will use
>> vlan filters.
>> Let's create vlan_filters rules:
>>
>> [EthernetEAP]
>> filter = connection_type
>> operator = is
>> value = Ethernet-EAP
>>
>> [5:EthernetEAP&EAPTLS]
>> scope = AutoRegister
>> role = default
>>
>>
>> I hope it will help.
>> Also update to pf 5.6.1
>>
>> Regards
>> Fabrice
>>
>>
>> Regards,
>> Reeyon
>>
>> On Mon, Jan 25, 2016 at 10:08 PM, Ludovic Zammit <[email protected]> wrote:
>>
>>> Hi Reeyon,
>>>
>>> For the radius debug try :  raddebug -f
>>> /usr/local/pf/var/run/radiusd.sock -t 3600
>>>
>>> Are you trying to do a 802.1x authentication ?
>>>
>>> Make sure that :
>>>
>>> - Your user exists on the local/external source
>>> - That you put the correct source on your portal profile (try to create
>>> one with your SSID/ Switch IP)
>>> - Use bin/pftest authentication username password to see which source
>>> you match
>>>
>>> Thanks,
>>>
>>> Ludovic [email protected] <[email protected]> ::  +1.514.447.4918 
>>> (x145) ::  www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>>> (http://packetfence.org)
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Jan 24, 2016, at 21:05, Reeyon Lim <[email protected]> wrote:
>>>
>>> Hi All,
>>>
>>> I have successfully setup a lab using ZEN 5.5 version on ESXi.
>>> Everything is working fine such as VLAN enforcement and the captive portal
>>> page for registration.
>>> I followed the
>>> http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN-5.6.0.pdf
>>> manual guide, when the landing page pops up and I key in the default
>>> "demouser/demouser", it shows unable to validate credentials at the moment.
>>>
>>> So, going in to shell and run radiusd -X -d /usr/local/pf/raddb/
>>> The output at the last two lines is:
>>>
>>> *radiusd: #### Opening IP addresses and Ports ####*
>>> *The server is not configured to listen on any ports.  Cannot start.*
>>>
>>> I run radtest command and it didn't work as well
>>> Please help!
>>>
>>> Regards,
>>> Reeyon
>>>
>>> ------------------------------------------------------------------------------
>>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>>> Monitor end-to-end web transactions and take corrective actions now
>>> Troubleshoot faster and improve end-user experience. Signup Now!
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140_______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
> --
> Antoine [email protected]  ::  +1.514.447.4918 *130  ::  
> www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
> (www.packetfence.org)
>
>
>
>
>
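Antoine's request in the thread to confirm that the p0f map "looks like that" can be checked mechanically; the sketch below is an added example, not part of the thread and not PacketFence or Fingerbank code. It assumes the file uses p0f v3 fingerprint syntax (4-field labels, 8-field TCP signatures); the function names are hypothetical and the `BAD` sample is constructed.

```python
TCP_SIG_FIELDS = 8  # ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
LABEL_FIELDS = 4    # type:class:name:flavor

# Excerpt quoted in the thread.
GOOD = """classes = win,unix,other
[tcp:request]
label = s:unix:5:nil
sig   = *:64:0:*:mss*20,10:mss,sok,ts,nop,ws:df,id+:0
sig   = *:64:0:*:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
label = s:unix:5:nil
"""
# Constructed: the kind of body a failed download could leave in the file.
BAD = "<html><body>502 Bad Gateway</body></html>\n"

def check_p0f_text(text):
    """Return a list of structural problems in p0f v3 fingerprint text."""
    problems, section, labelled, classes, sigs = [], None, False, False, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, labelled = line[1:-1], False   # new module section
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            problems.append(f"line {n}: not a 'key = value' line")
        elif key == "classes":
            classes = True
        elif key == "label":
            labelled = True
            if len(value.split(":")) != LABEL_FIELDS:
                problems.append(f"line {n}: label needs {LABEL_FIELDS} fields")
        elif key == "sig":
            sigs += 1
            if not (section and labelled):
                problems.append(f"line {n}: sig outside a labelled section")
            elif section.startswith("tcp:") and len(value.split(":")) != TCP_SIG_FIELDS:
                problems.append(f"line {n}: tcp sig needs {TCP_SIG_FIELDS} fields")
    if not classes:
        problems.append("missing 'classes =' line")
    if not sigs:
        problems.append("no signatures (empty or truncated file?)")
    return problems

def check_p0f_file(path):
    """Run the same checks on a file, e.g. the fingerbank-p0f.fp from the thread."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_p0f_text(fh.read())
```

An empty list means the structure matches; the ownership check (`fingerbank:fingerbank`) from the thread is separate and still has to be done with `ls -l`.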
