Hello Just tested and confirmed it works with enabling the CoA. Something has changed however with the portal, it no longer shows the acceptance page but rather goes straight to joining the network.
I was wondering prior to the deauth issue why I was getting a sign on page as I had selected reuse 802.1x creds, but without changing the Packetfence system the sign on page and acceptance page are now bypassed. Note: I did clear the users and node prior to testing. I would like the acceptance page showing then forwarding to network join based on 802.1x creds for an unknown user. Could you please advise on achieving this? Thanks for the help so far. -----Original Message----- From: [email protected] [mailto:[email protected]] Sent: Wednesday, 18 May 2016 1:28 AM To: [email protected] Subject: PacketFence-users Digest, Vol 97, Issue 44 Send PacketFence-users mailing list submissions to [email protected] To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/packetfence-users or, via email, send a message with subject or body 'help' to [email protected] You can reach the person managing the list at [email protected] When replying, please edit your Subject line so it is more specific than "Re: Contents of PacketFence-users digest..." Today's Topics: 1. 6.0.1, openldap and edirectory (Bebbet van Dinges) 2. Re: 6.0.1, openldap and edirectory (Louis Munro) 3. Re: Deauth with Cisco issue (Mr C) (Adam Coyle) ---------------------------------------------------------------------- Message: 1 Date: Tue, 17 May 2016 15:33:36 +0200 From: Bebbet van Dinges <[email protected]> Subject: [PacketFence-users] 6.0.1, openldap and edirectory To: [email protected] Message-ID: <[email protected]> Content-Type: text/plain; charset=utf-8 Hello, I'm trying to get people authorized to my wifi network, so far i've gotten this far. The configuration from 5.7 works, but my test server on 6.0.1 with the exact same configuration gives this error. Anyone got an idea that might help me forward? Yours sincerely, Bebbet from raddebug: (74) Tue May 17 12:19:27 2016: Debug: openldap: Performing unfiltered search in "", scope "sub" (74) Tue May 17 12:19:27 2016: Debug: openldap: Waiting for search result... (74) Tue May 17 12:19:30 2016: ERROR: openldap: Ambiguous search result, returned 1723 unsorted entries (should return 1 or 0). Enable sorting, or specify a more restrictive base_dn, filter or scope (74) Tue May 17 12:19:30 2016: ERROR: openldap: The following entries were returned: [All the records in our directory\ /usr/loca/pf/raddb/modules-enabled/ldap: ldap openldap { server = "dns3.desaad.nl" port = 636 identity = "cn=admin,o=desaad" password = "You wish.." basedn = "o=desaad" # filter = "(cn=%{mschap:User-Name})" filter ="(&(objectClass=inetOrgPerson)(uid=%{Stripped-User-Name:-%{User-Name}}))" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 access_attr = cn password_attribute = nspmPassword tls { start_tls = no require_cert = "allow" } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = yes keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 # LDAP_OPT_X_KEEPALIVE_PROBES probes = 3 # LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } } ------------------------------ Message: 2 Date: Tue, 17 May 2016 09:44:03 -0400 From: Louis Munro <[email protected]> Subject: Re: [PacketFence-users] 6.0.1, openldap and edirectory To: [email protected] Message-ID: <[email protected]> Content-Type: text/plain; charset="utf-8" I think Willy?s answer on the FreeRADIUS mailing list is correct. You have to fix your ldap search query. Try running your query with something such as ldapsearch and then narrowing it down to something that will return only one user. -- Louis Munro [email protected] :: www.inverse.ca +1.514.447.4918 x125 :: +1 (866) 353-6153 x125 Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org) > On May 17, 2016, at 9:33 , Bebbet van Dinges <[email protected]> wrote: > > Hello, > > I'm trying to get people authorized to my wifi network, so far i've > gotten this far. The configuration from 5.7 works, but my test server > on > 6.0.1 with the exact same configuration gives this error. > > Anyone got an idea that might help me forward? > > Yours sincerely, > Bebbet > > > from raddebug: > > (74) Tue May 17 12:19:27 2016: Debug: openldap: Performing unfiltered > search in "", scope "sub" > (74) Tue May 17 12:19:27 2016: Debug: openldap: Waiting for search result... > (74) Tue May 17 12:19:30 2016: ERROR: openldap: Ambiguous search > result, returned 1723 unsorted entries (should return 1 or 0). Enable > sorting, or specify a more restrictive base_dn, filter or scope > (74) Tue May 17 12:19:30 2016: ERROR: openldap: The following entries > were returned: > > > [All the records in our directory\ > > > /usr/loca/pf/raddb/modules-enabled/ldap: > > ldap openldap { > server = "dns3.desaad.nl" > port = 636 > identity = "cn=admin,o=desaad" > password = "You wish.." > basedn = "o=desaad" > # filter = "(cn=%{mschap:User-Name})" > filter > ="(&(objectClass=inetOrgPerson)(uid=%{Stripped-User-Name:-%{User-Name}}))" > ldap_connections_number = 5 > timeout = 4 > timelimit = 3 > net_timeout = 1 > > > access_attr = cn > password_attribute = nspmPassword > > > tls { > start_tls = no > require_cert = "allow" > } > dictionary_mapping = ${confdir}/ldap.attrmap > edir_account_policy_check = yes > > keepalive { > # LDAP_OPT_X_KEEPALIVE_IDLE > idle = 60 > > # LDAP_OPT_X_KEEPALIVE_PROBES > probes = 3 > > # LDAP_OPT_X_KEEPALIVE_INTERVAL > interval = 3 > } > } > > ---------------------------------------------------------------------- > -------- Mobile security can be enabling, not merely restricting. > Employees who bring their own devices (BYOD) to work are irked by the > imposition of MDM restrictions. Mobile Device Manager Plus allows you > to control only the apps on BYO-devices by containerizing them, > leaving personal data untouched! > https://ad.doubleclick.net/ddm/clk/304595813;131938128;j > _______________________________________________ > PacketFence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 3 Date: Tue, 17 May 2016 15:45:08 +0000 From: Adam Coyle <[email protected]> Subject: Re: [PacketFence-users] Deauth with Cisco issue (Mr C) To: "[email protected]" <[email protected]> Message-ID: <[email protected]> Content-Type: text/plain; charset="us-ascii" Hello Ludovic Thank you for your responses. Covering the first email: 1. This seems to be true for switches, however I like the idea on a short lease time to force a new request, it is a good plan B and also a good solution for HP MSMs which cannot handle a deauth and what I will be setting up after the Cisco. 2. Understood and it does not have an interface in production vlans. 3. Devices are Mac OSX 10.11 and Windows 10. Policies are setup for connection, they work with NPS as radius on the same Cisco configuration. No computer auth is being used, purely user. Covering your second email: Yes the IP address was sent for both the AP and later controller when I moved auth back to the controller for testing. As for AP options I chose every Cisco option just in case there was a difference. I know another site running PF and the same Cisco APs which works without issue so I know it should work. Their setup is a lot more bespoke than mine currently. I was double checking all your comments as I responded, and the CoA one surprised me as it was disabled in my test environment. I have corrected it and will test tomorrow when onsite. I suspect this is the small thing that I was looking for as I had been assuming I made the change. Will let you know. -----Original Message----- From: [email protected] [mailto:[email protected]] Sent: Tuesday, 17 May 2016 10:08 PM To: [email protected] Subject: PacketFence-users Digest, Vol 97, Issue 43 Send PacketFence-users mailing list submissions to [email protected] To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/packetfence-users or, via email, send a message with subject or body 'help' to [email protected] You can reach the person managing the list at [email protected] When replying, please edit your Subject line so it is more specific than "Re: Contents of PacketFence-users digest..." Today's Topics: 1. Re: Deauth with Cisco issue (Mr C) 2. Re: DHCP and authentication (Ludovic Zammit) 3. Re: Deauth with Cisco issue (Ludovic Zammit) ---------------------------------------------------------------------- Message: 1 Date: Tue, 17 May 2016 07:17:12 -0400 From: Mr C <[email protected]> Subject: Re: [PacketFence-users] Deauth with Cisco issue To: [email protected] Message-ID: <ca+5dvpablrwcbd2taxgzpm-ipm-qhwls8ghcwryarfdbbwt...@mail.gmail.com> Content-Type: text/plain; charset="utf-8" I'm also using a WLC so if you show your config I can take a look On Sun, May 15, 2016 at 9:47 PM, Adam Coyle <[email protected]> wrote: > Hello > > Setting up a Zen 6.0.1 environment which is near completion, keeping > it simple to avoid issues with customisation until everything works 100%. > Currently I cannot get it to deauth against either the Cisco 3702i AP > or virtual WLC controller. In both cases it is configured for local > switching on the AP. > > I connect to the test SSID, it displays the agreement page on the > portal, then a sign on page. At which point the bar flows across the > screen and errors on completion. Rejoining wireless at any point after > this stage I am placed on the correct VLAN, and if done immediately > after the sign on page I get the pf notification pop-up and redirected to the > default landing page. > > The logs from packetfence.log when I try to on-board: > > ay 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] is > currentlog connected at (172.21.0.253) ifIndex 1 registration > (pf::enforcement::_should_we_reassign_vlan) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] > Instantiate profile SGC (pf::Portal::ProfileFactory::_from_profile) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] Using > sources sgc-adc-01 for matching (pf::authentication::match) May 16 > 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] Matched rule > (Staff) in source sgc-adc-01, returning actions. > (pf::Authentication::Source::match) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] Using > sources sgc-adc-01 for matching (pf::authentication::match) May 16 > 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] Matched rule > (Staff) in source sgc-adc-01, returning actions. > (pf::Authentication::Source::match) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] > Username was defined "sgc\acoyle" - returning role 'staff' > (pf::role::getRegisteredRole) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] PID: > "acoyle", Status: reg Returned VLAN: (undefined), Role: staff > (pf::role::fetchRoleForNode) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] VLAN > reassignment required (current VLAN = 1688 but should be in VLAN 2106) > (pf::enforcement::_should_we_reassign_vlan) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] > switch port is (172.21.0.253) ifIndex 1 connection type: WiFi 802.1X > (pf::enforcement::_vlan_reevaluation) > ? > > Being a common device I am sure I have missed a step, otherwise I > would be finding more info on it. > > Thanks > > Adam > > > > > > > > > > ---------------------------------------------------------------------- > -------- Mobile security can be enabling, not merely restricting. > Employees who bring their own devices (BYOD) to work are irked by the > imposition of MDM restrictions. Mobile Device Manager Plus allows you > to control only the apps on BYO-devices by containerizing them, > leaving personal data untouched! > https://ad.doubleclick.net/ddm/clk/304595813;131938128;j > _______________________________________________ > PacketFence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users > > -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 2 Date: Tue, 17 May 2016 08:32:06 -0400 From: Ludovic Zammit <[email protected]> Subject: Re: [PacketFence-users] DHCP and authentication To: [email protected] Message-ID: <[email protected]> Content-Type: text/plain; charset="utf-8" Hello Sir, 1. Normally when you are sitting in the registration network and you try to do an authentication on the captive portal, PacketFence will send a CoA (Change of authorization) to the switch/equipment in order to switch the VLAN of the device. Most of the time it happen in Radius (CoA) but if the switch doesn?t support it, PacketFence tries to do just a shutdown and up on the port in order to regenerate the radius request to apply the new VLAN. In that case the device knows that he needs to redo the DHCP because the link is briefly cut. But when you use the CoA the device doesn?t know that the VLAN changed on the switch, the only option that you have is to put a short lease time on the registration network like PacketFence has a 30 secs lease time on the registration network by default. So every 30 secs your device ask for a new IP, if the VLAN changed, the device end up the production VLAN. 2. Basically PacketFence manages two VLANs the Registration and Isolation VLANs. Meaning he will be the DNS, Gateway and DHCP server in this VLAN. PacketFence will just return VLAN IDs to a switch or wireless controller, he doesn?t need to be part of your production having a network card in all those VLANs. 3. With 802.1x there is two types of authentication, User authentication and Computer authentication. With user authentication you will authenticate a user that belong to a specific domain. You can authenticate all the users you want on a computer with the User authentication mode, the process will verify if the user is in your Active directory and also if the password match. The Computer authentication is very similar but it?s the computer sending out the information as host/hostname.domain.name to PacketFence and PacketFence will try to authenticate this account in your AD. The particularity of both is that with computer authentication, your computer needs to be joined to only one domain (yours) and the other hand, the computer where you do the user authentication doesn?t need to be joined to the domain. On both cases you will need to configure your 802.1x supplicant on the computer where you try to do the authentication. Thanks and have a nice day! Ludovic Zammit [email protected] <mailto:[email protected]> :: +1.514.447.4918 (x145) :: www.inverse.ca <http://www.inverse.ca/> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu <http://www.sogo.nu/>) and PacketFence (http://packetfence.org <http://packetfence.org/>) > Le 16 mai 2016 ? 16:38, TOURE Amidou Florian <[email protected]> a > ?crit : > > Hi all,I have installed Packetfence 6.0 on my computer and it seems to be > worked fine since I can authenticate a user,But I don't understand 3 points > on my configuration: > -First when I plug a user on the switchport its put on the registration vlan > and I do the authentication but after the authentication the user mooves to > the correct vlan but doesn't get an IP from this vlan.When I do a second > authentication with the same user it gets an IP address from his vlan but > cannot access to the web captive portail(I think that it is my DNS > configuration).How can I do to authenticate the user directly and put it on > the correct vlan after the authentication? > -Second on my packetfence when I want to configure DNS for my vlans I can do > it only for one vlan but I cannot use this configuration to do the resolution > for all the vlans.Can I use packetfence DNS configuration to do the > resolution of my of personnal vlans?I'm very confused on this point. > -Third I remarked that on my Packetfence I cannot authenticate a user on the > same computer name.Would I create specifics account for all my users?I'm > using a Windows Server AD. > Thanks > Regards > Amidou > > > ---------------------------------------------------------------------- > -------- Mobile security can be enabling, not merely restricting. > Employees who bring their own devices (BYOD) to work are irked by the > imposition of MDM restrictions. Mobile Device Manager Plus allows you > to control only the apps on BYO-devices by containerizing them, > leaving personal data untouched! > https://ad.doubleclick.net/ddm/clk/304595813;131938128;j______________ > _________________________________ > PacketFence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 3 Date: Tue, 17 May 2016 08:37:56 -0400 From: Ludovic Zammit <[email protected]> Subject: Re: [PacketFence-users] Deauth with Cisco issue To: [email protected] Message-ID: <[email protected]> Content-Type: text/plain; charset="utf-8" Hello Adam, Make sure that you send the deauth to the correct IP address, you can force it under Configuration > Switch > IP > Controller IP. Also, the interface where you are sending the deauthentication on the WLC needs to be a management interface not a service one. Do a TCPDUMP capture to make sure it goes and use the correct IPs like : tcpdump -i any port 3799 I am assuming that you have enabled the CoA on your Radius server configuration, RFC-3576. Thanks, Ludovic Zammit [email protected] <mailto:[email protected]> :: +1.514.447.4918 (x145) :: www.inverse.ca <http://www.inverse.ca/> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu <http://www.sogo.nu/>) and PacketFence (http://packetfence.org <http://packetfence.org/>) > Le 15 mai 2016 ? 21:47, Adam Coyle <[email protected]> a ?crit : > > Hello > > Setting up a Zen 6.0.1 environment which is near completion, keeping it > simple to avoid issues with customisation until everything works 100%. > Currently I cannot get it to deauth against either the Cisco 3702i AP or > virtual WLC controller. In both cases it is configured for local switching on > the AP. > > I connect to the test SSID, it displays the agreement page on the portal, > then a sign on page. At which point the bar flows across the screen and > errors on completion. Rejoining wireless at any point after this stage I am > placed on the correct VLAN, and if done immediately after the sign on page I > get the pf notification pop-up and redirected to the default landing page. > > The logs from packetfence.log when I try to on-board: > > ay 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] is > currentlog connected at (172.21.0.253) ifIndex 1 registration > (pf::enforcement::_should_we_reassign_vlan) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] > Instantiate profile SGC (pf::Portal::ProfileFactory::_from_profile) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] Using > sources sgc-adc-01 for matching (pf::authentication::match) May 16 > 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] Matched rule > (Staff) in source sgc-adc-01, returning actions. > (pf::Authentication::Source::match) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] Using > sources sgc-adc-01 for matching (pf::authentication::match) May 16 > 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] Matched rule > (Staff) in source sgc-adc-01, returning actions. > (pf::Authentication::Source::match) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] > Username was defined "sgc\acoyle" - returning role 'staff' > (pf::role::getRegisteredRole) May 16 11:15:15 httpd.portal(2176) INFO: > [mac:c4:8e:8f:f4:a7:e1] PID: "acoyle", Status: reg Returned VLAN: > (undefined), Role: staff (pf::role::fetchRoleForNode) May 16 11:15:15 > httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] VLAN reassignment > required (current VLAN = 1688 but should be in VLAN 2106) > (pf::enforcement::_should_we_reassign_vlan) > May 16 11:15:15 httpd.portal(2176) INFO: [mac:c4:8e:8f:f4:a7:e1] > switch port is (172.21.0.253) ifIndex 1 connection type: WiFi 802.1X > (pf::enforcement::_vlan_reevaluation) > ? > > Being a common device I am sure I have missed a step, otherwise I would be > finding more info on it. > > Thanks > > Adam > > > > > > > > ---------------------------------------------------------------------- > -------- Mobile security can be enabling, not merely restricting. > Employees who bring their own devices (BYOD) to work are irked by the > imposition of MDM restrictions. Mobile Device Manager Plus allows you > to control only the apps on BYO-devices by containerizing them, > leaving personal data untouched! > https://ad.doubleclick.net/ddm/clk/304595813;131938128;j______________ > _________________________________ > <https://ad.doubleclick.net/ddm/clk/304595813;131938128;j_____________ > __________________________________> > PacketFence-users mailing list > [email protected] > <mailto:[email protected]> > https://lists.sourceforge.net/lists/listinfo/packetfence-users > <https://lists.sourceforge.net/lists/listinfo/packetfence-users> -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------------------------ Mobile security can be enabling, not merely restricting. Employees who bring their own devices (BYOD) to work are irked by the imposition of MDM restrictions. Mobile Device Manager Plus allows you to control only the apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j ------------------------------ _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users End of PacketFence-users Digest, Vol 97, Issue 43 ************************************************* -------------------------------Safe Stamp----------------------------------- Your Anti-virus Service scanned this email. It is safe from known viruses. For more information regarding this service, please contact your service provider. ------------------------------ ------------------------------------------------------------------------------ Mobile security can be enabling, not merely restricting. Employees who bring their own devices (BYOD) to work are irked by the imposition of MDM restrictions. Mobile Device Manager Plus allows you to control only the apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j ------------------------------ _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users End of PacketFence-users Digest, Vol 97, Issue 44 ************************************************* -------------------------------Safe Stamp----------------------------------- Your Anti-virus Service scanned this email. It is safe from known viruses. For more information regarding this service, please contact your service provider. ------------------------------------------------------------------------------ Mobile security can be enabling, not merely restricting. Employees who bring their own devices (BYOD) to work are irked by the imposition of MDM restrictions. Mobile Device Manager Plus allows you to control only the apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
