Hi Fabrice,
thanks a lot and great work.

Now I can log in with my local realm and a remote realm from another university.

I have another question: is it possible to limit device nodes per user in
eduroam?
I try with the default role to limit to 2 devices, but when a third device logs in
with the same username, the user can still log in but with a blank role in
the PacketFence web.






On Tue, May 29, 2018 at 11:36 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jabang,
>
> can you try that:
>
> https://github.com/inverse-inc/packetfence/compare/fix/eduroam_standalone.diff
>
> Regards
>
> Fabrice
>
>
>
> On 2018-05-25 at 03:50, jabang konate via PacketFence-users wrote:
>
> Hi Fabrice,
> OK, I will wait for the patch.
>
> Thank you
>
> On Fri, May 25, 2018 at 1:33 AM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> OK, there is a bug, I need to fix it.
>>
>>
>>
>> On 2018-05-24 at 11:33, jabang konate via PacketFence-users wrote:
>>
>> Hi Fabrice.
>>
>> 10.18.23.60 is the IP of the National Roaming Operator for eduroam in my country.
>>
>> Attached is my eduroam config file.
>>
>>
>> On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> What is 10.18.23.60?
>>>
>>> Can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam?
>>>
>>> On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:
>>>
>>> Hi Fabrice,
>>> today I tried again with my PacketFence.
>>>
>>> In the packetfence-tunnel configuration I changed the configuration like this:
>>>
>>> ```
>>>    if (update) {
>>>             update control {
>>>                 &MS-CHAP-Use-NTLM-Auth := No
>>>             }
>>>         }
>>>      }
>>> ```
>>>
>>> because in the output I don't see "ok", and now I can log in with
>>> my LDAP account, but with port 1812 in my access point, not using port
>>> 11812.
>>> If I'm using 11812, my request is always forwarded to Realm eduroam my home
>>> server, and the request is not forwarded to the packetfence virtual server
>>> (sites-enabled/packetfence then site-enabled/packetfence-tunnel) as you
>>> said in scenario 1.
>>>
>>> ```
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id" for User-Name = "testu...@xyz.ac.id"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name = "testuser"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
>>> (1) Thu May 24 11:06:15 2018: Debug:     [suffix] = ok
>>> (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has destination realm set.  Ignoring
>>> (1) Thu May 24 11:06:15 2018: Debug:     [ntdomain] = noop
>>> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/) {
>>> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/)  -> TRUE
>>> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/)  {
>>> (1) Thu May 24 11:06:15 2018: Debug:       update control {
>>> (1) Thu May 24 11:06:15 2018: Debug:       } # update control = noop
>>> (1) Thu May 24 11:06:15 2018: Debug:     } # if (User-Name =~ /@/)  = noop
>>> (1) Thu May 24 11:06:15 2018: Debug:     ... skipping else: Preceding "if" was taken
>>> (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
>>> (1) Thu May 24 11:06:15 2018: Debug:     [eap] = noop
>>> ```
>>>
>>> Attached are my radiusd-eduroam.sock log and a picture of my configuration of the
>>> exclusive source eduroam.
>>>
>>> Regards.
>>>
>>>
>>> On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>>
>>>>
>>>> On 2018-05-23 at 13:36, jabang konate via PacketFence-users wrote:
>>>>
>>>> Hi Fabrice.
>>>>
>>>> Thanks for the speedy response.
>>>>
>>>> > so i am not sure what you try to do with the ldap module.
>>>> The ldap module is for configuring users with OpenLDAP, right? I read it in EAP
>>>> Authentication against OpenLDAP.
>>>>
>>>> Yes, the only difference is that you have to disable NTLM-Auth if ldap
>>>> returns ok to avoid "ERROR: mschap: Program returned code (1) and output
>>>> 'Reading winbind reply failed! (0xc0000001)'".
>>>>
>>>>
>>>>
>>>> > You have 3 scenarios:
>>>> Yes, I want it like that.
>>>>
>>>> I will try again and will share the results on this topic.
>>>>
>>>> Thank you for your advice, Fabrice.
>>>>
>>>>
>>>> On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via PacketFence-users
>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>>> Hello Jabang,
>>>>>
>>>>> so I am not sure what you are trying to do with the ldap module.
>>>>>
>>>>> You have 3 scenarios:
>>>>>
>>>>> 1: a user from your university connects on the ssid eduroam from your
>>>>> university.  (the ap/controller uses the port 11812)
>>>>> You need to configure the local realm (let's say myuniversity.org) in
>>>>> the eduroam authentication source and configure ldap in
>>>>> packetfence-tunnel.
>>>>> So when this user tries to connect on the eduroam ssid with
>>>>> u...@myuniversity.org then the eduroam virtual server will detect the
>>>>> realm myuniversity.org and forward the request to packetfence virtual
>>>>> server (sites-enabled/packetfence then site-enabled/packetfence-tunnel).
>>>>> And in packetfence-tunnel you have something like that:
>>>>>
>>>>> ```
>>>>> authorize {
>>>>>         suffix
>>>>>         ntdomain
>>>>>         eap {
>>>>>                 ok = return
>>>>>         }
>>>>>         files
>>>>>         ldap
>>>>>         if (ok) {
>>>>>             update control {
>>>>>                 &MS-CHAP-Use-NTLM-Auth := No
>>>>>             }
>>>>>         }
>>>>>     }
>>>>> ```
>>>>>
>>>>> 2: u...@myuniversity.org is travelling and connects on the ssid eduroam
>>>>> in montreal university
>>>>> The local montreal radius server will forward to eduroam and eduroam
>>>>> will forward to your packetfence server on the port 1812 (you need to
>>>>> configure that on the eduroam side).
>>>>>
>>>>> 3: u...@univmontreal.org is connecting on your ssid eduroam, the
>>>>> realm is unknown, then the request will be forwarded to eduroam, then eduroam
>>>>> forwards to the montreal radius server.
>>>>>
>>>>> Is that what you want to do?
>>>>>
>>>>> Regards
>>>>> Fabrice
>>>>>
>>>>>
>>>>>
>>>>> On 2018-05-23 at 12:57, jabang konate via PacketFence-users wrote:
>>>>>
>>>>> Thanks Fabrice, let me make my goals clear first. I'm still confused about which
>>>>> file I must configure, packetfence-tunnel or the eduroam file in
>>>>> sites-available.
>>>>> My PacketFence will act to manage eduroam users, so I will use port
>>>>> 11812 in my access point.
>>>>>
>>>>> Here are the steps of how I configure my eduroam in PacketFence:
>>>>> 1. setting my local REALM.
>>>>> 2. configure exclusive source eduroam, add my local realm from step 1,
>>>>> then create authentication rules "catch all" role default access duration
>>>>> 12 hours.
>>>>> 3. add switch configuration
>>>>> 4. configure ldap module in freeradius
>>>>> 5. configure file packetfence-tunnel? or eduroam?
>>>>> 6. restart freeradius and iptables
>>>>>
>>>>> In step 5 I'm still confused: if I'm using 11812, must I configure the
>>>>> eduroam file or still packetfence-tunnel?
>>>>>
>>>>>
>>>>>
>>>>> On Wed, May 23, 2018 at 10:55 PM, Fabrice Durand via PacketFence-users
>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>>
>>>>>> If it's a server for eduroam (like the eduroam servers use this
>>>>>> server for your domain) then 1812, if it's to manage eduroam users who
>>>>>> connect on an eduroam ssid then 11812.
>>>>>>
>>>>>>
>>>>>> Also what you can do in packetfence-tunnel:
>>>>>>
>>>>>>
>>>>>>     #  The ldap module reads passwords from the LDAP database.
>>>>>>     ldap
>>>>>>     if (ok) {
>>>>>>         update control {
>>>>>>             &MS-CHAP-Use-NTLM-Auth := No
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Fabrice
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2018-05-23 at 11:38, jabang konate via PacketFence-users wrote:
>>>>>>
>>>>>> Thanks for your reply, Fabrice.
>>>>>> Here I attach my packetfence-tunnel file.
>>>>>>
>>>>>> And which port should I use for my access point, 1812 or 11812, in the
>>>>>> radius configuration for eduroam?
>>>>>> Thank you
>>>>>>
>>>>>> On Wed, May 23, 2018 at 7:33 PM, Fabrice Durand via PacketFence-users
>>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>
>>>>>>> Hello Jabang,
>>>>>>>
>>>>>>> Can you paste your packetfence-tunnel file?
>>>>>>> Regards
>>>>>>>
>>>>>>> Fabrice
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 2018-05-23 at 04:08, jabang konate via PacketFence-users wrote:
>>>>>>>
>>>>>>> My PacketFence server version is 8.0.1 and I want to configure
>>>>>>> PacketFence as an eduroam server with OpenLDAP as the user database,
>>>>>>> so I looked into the eduroam section of the PacketFence documentation and
>>>>>>> EAP Authentication against OpenLDAP.
>>>>>>>
>>>>>>> When I try to log in with my laptop, I always get an access reject.
>>>>>>>
>>>>>>> From the log I see I can connect to my LDAP server, then I see an error
>>>>>>> like this:
>>>>>>>
>>>>>>> ```
>>>>>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
>>>>>>> (7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed
>>>>>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
>>>>>>> ```
>>>>>>>
>>>>>>> Is it the root cause of why I always get an access reject?
>>>>>>> Then I checked: the winbindd service is not running, but I can't start
>>>>>>> the winbindd service
>>>>>>> (Service 'winbindd' is not managed by PacketFence. Therefore, no
>>>>>>> action will be performed)
>>>>>>>
>>>>>>> Attached is my radius log.
>>>>>>> Please give me some advice.
>>>>>>> Thank you
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>
>>>>>> --
>>>>>> Fabrice durand fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
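
A log-triage sketch for the two symptoms discussed in this thread: a request whose realm is reported as LOCAL but which is still marked for proxying to Realm eduroam, and the mschap winbind failure. This is an added example, not part of the original messages and not PacketFence or FreeRADIUS code; the sample lines are constructed in the format of the quoted debug excerpts, and the finding tags are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the radiusd debug excerpts quoted in the thread.
SAMPLE_LOG = """\
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
(7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(9) Thu May 24 11:07:02 2018: Debug: suffix: Found realm "xyz.ac.id"
(9) Thu May 24 11:07:02 2018: Debug: suffix: Authentication realm is LOCAL
(9) Thu May 24 11:07:02 2018: Debug:     [eap] = ok
"""

LINE_RE = re.compile(r"^\((\d+)\) .*? \d{4}: (\w+): (.*)$")
FOUND_REALM = re.compile(r'Found realm "([^"]+)"')
PROXIED = re.compile(r"supposed to be proxied to Realm (.+?)\. Not doing EAP")


def triage(log_text):
    """Group debug lines by request id and return {id: [finding tag, ...]}."""
    state = defaultdict(lambda: {"realm": None, "local": False,
                                 "proxy": None, "winbind": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # mail-wrapped or unrelated line
        st, msg = state[int(m.group(1))], m.group(3)
        if (found := FOUND_REALM.search(msg)):
            st["realm"] = found.group(1)
        elif "Authentication realm is LOCAL" in msg:
            st["local"] = True
        elif (prox := PROXIED.search(msg)):
            st["proxy"] = prox.group(1)
        elif "Reading winbind reply failed" in msg:
            st["winbind"] = True

    findings = {}
    for rid, st in sorted(state.items()):
        notes = []
        # Scenario 1 symptom: realm is local, yet EAP is skipped in favour of proxying.
        if st["local"] and st["proxy"]:
            notes.append(f"LOCAL_REALM_PROXIED:{st['realm']}->{st['proxy']}")
        # mschap's NTLM helper got no winbind reply (the LDAP-only setup in the thread).
        if st["winbind"]:
            notes.append("WINBIND_FAILED")
        if notes:
            findings[rid] = notes
    return findings


if __name__ == "__main__":
    for rid, notes in triage(SAMPLE_LOG).items():
        print(rid, notes)
```

Feed it unwrapped radiusd debug output; lines broken by a mail client do not match the line pattern and are skipped.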