Re: [PacketFence-users] Mac Book Pro Air Portal

2015-10-21 Thread Derek Wuelfrath
Moi,

Can you specify if that happens when using the “Apple reduced captive-portal 
browser” thingy?
I mean, when you first connect to an SSID, MacBook will try to detect if you 
have Internet access or not, and if not, will popup a simili browser containing 
the portal.

We already encountered some kind of issues with this “simili browser” so that’s 
why I ask.

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Oct 20, 2015, at 12:50 AM, Moises Moreno wrote:
> 
> 
> Hi, 
> 
> We installed the packet system in web auth mode. We use a Cisco WLC and APs. 
> We use one VLAN and access is managed by DACLs. It works great with most 
> devices. However, with Apple MacBook Pros and Airs there is an issue. Once a 
> user goes through the guest form (the one they get directed to), they fill 
> out the form and when they select email they get the message that tells them 
> to check their email. After that, the browser gets stuck; nothing happens 
> other than another message stating that the system can't find the network 
> connection. After this the browser is just stuck. If the user disables and 
> then re-enables their wireless NICs then they are allowed on the net to go to 
> email and verify. 
> 
> I found some info on this forum about passthrough and setting several 
> settings. However, this is from last year. Any idea how to fix this? Will the 
> article mentioned help? They renamed their domain from a .local, which we have, 
> a .local domain. Lastly, they disabled their network connection, then 
> re-enabled it and it worked. 
> 
> Thanks in advance for your assistance. 
> 
> Moi
> 
> --
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users



Re: [PacketFence-users] AD auth fails

2015-10-21 Thread Holger.Patzelt
Hi Louis,

Here you are:

(don’t be irritated, due to a restart, I changed the PID…)
# lsof -nPp 15000 | grep IPv4 tells:

httpd   15000 root    7u  IPv4 139071  0t0  TCP 127.0.0.1:7070 (LISTEN)
httpd   15000 root    8u  IPv4 139073  0t0  TCP 172.20.1.20:7070 (LISTEN)


pf.conf (slightly “anonymized”):
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=adminnet.nicedomain.de
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=mypf-server
#
# general.dnsservers
#
# Comma-delimited list of DNS servers.  Passthroughs are created to allow queries to these servers from even "trapped" nodes.
dnsservers=127.0.0.1,172.20.10.22
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers.  Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=127.0.0.1,172.20.10.22
#
# general.timezone
#
# System's timezone in string format. Supported list:
# http://www.php.net/manual/en/timezones.php
timezone=Stardate

[trapping]
#
# trapping.detection
#
# Enables snort-based worm detection.  If you don't have a span interface available, don't bother enabling it.  If you do,
# you'll most definitely want this on.
detection=enabled
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that Snort/Suricata will monitor/detect/trap on.  Gateway, network, and
# broadcast addresses are ignored.
range=172.20.9.20-254/24
#
# trapping.interception_proxy
#
# When enabled, packetfence will intercept proxy request to somes specified port
interception_proxy=enabled

[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
# PacketFence-related message goes to.
emailaddr=someu...@mypf-server.internal.nicedomain.de
#
# alerting.wins_server
#
# WINS server to resolve NetBIOS name of administrative workstation to IP address.
wins_server=172.20.10.22
#
# alerting.admin_netbiosname
#
# NetBIOS name of administrative workstation to send alerts with "winpopup" action assigned.
admin_netbiosname=someworkstation

[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
is set

[expire]
#
# expire.node
#
# Time before a node is removed due to inactivity.
# A value of 0D disables expiration.
# example:
# node=90D
node=90D
#
# expire.iplog
#
# Time which you would like to keep logs on IP/MAC information.
# A value of 0D disables expiration.
# example:
# iplog=180D
iplog=90D
#
# expire.traplog
#
# Time which you would like to keep logs on trap information.
# A value of 0D disables expiration.
# example:
# traplog=180D
traplog=90D
#
# expire.locationlog
#
# Time which you would like to keep logs on location information
# Please note that this table should not become too big since it 
# could degrade pfsetvlan performance.
# A value of 0D disables expiration.
# example:
# locationlog=180D
locationlog=90D
#
# expire.httpd_admin
#
# Please note that this table should not become too big since it 
httpd_admin=disabled

[services]
#
# services.pfsetvlan
#
# Should pfsetvlan be managed by PacketFence?
pfsetvlan=enabled

[captive_portal]
#
# captive_portal.network_detection_ip
#
# This IP is used as the webserver who hosts the common/network-access-detection.gif which is used to detect if network
# access was enabled.
# It cannot be a domain name since it is used in registration or quarantine where DNS is blackholed.
# It is recommended that you allow your users to reach your packetfence server and put your LAN's PacketFence IP.
# By default we will make this reach PacketFence's website as an easy solution.
#
network_detection_ip=172.20.11.20

[webservices]
#
# webservices.user
#
# username to use to connect to the webAPI
user=websrv_user
#
# webservices.pass
#
# password of the username
is set, too
#
# webservices.proto
#
# proto to use
proto=https

[interface eth0]
enforcement=vlan
ip=172.20.9.20
type=monitor
mask=255.255.255.0

[interface eth1]
enforcement=vlan
ip=172.20.13.20
type=internal
mask=255.255.255.0

[interface eth2]
enforcement=vlan
ip=172.20.17.20
type=monitor
mask=255.255.255.0

[interface eth3]
enforcement=vlan
ip=172.20.10.20
type=monitor
mask=255.255.255.0

[interface eth4]
enforcement=vlan
ip=172.20.13.20
type=monitor
mask=255.255.255.0

[interface eth5]
enforcement=vlan
ip=172.20.11.20
type=internal
mask=255.255.255.0

[interface eth6]
enforcement=vlan
ip=172.20.15.20
type=portal,monitor
mask=255.255.255.0

[interface eth7]
ip=172.20.1.20
type=management
mask=255.255.255.0



From: Louis Munro [mailto:lmu...@inverse.ca] 
Sent: Wednesday, October 21, 2015 3:52 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] AD auth fails



On Oct 21, 2015, at 9:33, Holger.Patzelt wrote:

httpd.aaa|1|8993

Re: [PacketFence-users] AD auth fails

2015-10-21 Thread Louis Munro


> On Oct 21, 2015, at 9:33, Holger.Patzelt wrote:
> 
> httpd.aaa|1|8993

Ok, so that’s the one that matters.
The error you are seeing is caused by a failure of the radiusd process to 
connect over http to the httpd.aaa service that provides things like VLANs and 
ACLs to add to the radius reply.

What does this return? 
# lsof -nPp 8993 | grep IPv4

Please post your conf/pf.conf file too.



Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


[PacketFence-users] Recommended setup for HA and efficiency

2015-10-21 Thread Morris, Andi
Hi all,
I've recently come into some issues with the load on my PacketFence setup 
during peak times and so we're now looking at seeing if we can split the 
service into separate components across servers, and also across our two sites 
for high availability.

Loads are currently around 2000 devices concurrently at peak times, all using 
802.1x through the freeradius mschap component to our backend active directory 
server. At peak times there are sometimes 500 devices sitting in the captive 
portal.

Our current setup is a VMWare server with 4vCPUs & 32GB of memory. Inverse have 
had a look and have suggested that our server is being battered by devices in 
our captive portal. However I'm not sure there's much we can do to alleviate 
this, as it's a BYOD environment, and we have little to no control over the 
devices that come into the network. I've added some apache filters to 501 
certain apps that are hitting the portal, but it doesn't seem to be making a 
huge difference, and some apps are still hitting the portal even after the 501 
error is given.

So, some quick questions regarding this:

- Will moving the MySQL component of the setup onto a dedicated server make a marked difference to the performance?

- If I gave each university site a PF httpd/radius service, would they both need to access one single central MySQL server or would this cause deadlocks?

- Is splitting PF into 3 separate components: apache, freeradius and MySQL also an option to bring server load down?

Has anyone else run into this sort of issue with devices sitting in the captive 
portal, and if so how do you combat it? Larger environments, what is your setup 
regarding PF hardware and services?

Cheers,
Andi




Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-21 Thread Tim DeNike
Move MySQL to a different server on fast storage.  I run 2 MySQL vms in ha
on ssd storage and that helps.

Sent from my iPhone



Re: [PacketFence-users] How to enforce guest role on mobile devices after registration?

2015-10-21 Thread Fabrice DURAND
Hello Dale,

I am not sure I understand the workflow you want to achieve.

What I think you can do is the following:
On the secure SSID you must have a way to detect that the device that is
trying to connect is a corporate device.
For example, for Windows devices you must do machine auth and then user
auth to be able to have access to the employee or developer VLAN. And
for other devices you must have a valid certificate.

So if you try to only do user auth and your category is not employee or
not developer it will be refused on the secure SSID.

So the open SSID will only be able to set the guest role.

Regards
Fabrice

 


 
Le 2015-10-20 16:36, Dale Whiteaker-Lewis a écrit :
> Thank you so much for the feedback, Fabrice.  
> So, that would redirect the mobile device user that authenticated to the 
> secure SSID to the guest role/VLAN.  But, I don't think that would 
> accommodate registration first, would it?  
> Can I auto-register from vlan_filters.conf, based on the 802.1x username? 
> Ideally, I'd like to be able to show the user a captive portal message 
> indicating that they are being redirected to unprivileged access, based on 
> the violation, but I wasn't able to get that to work  in the settings under 
> "Violations" for violation 301. 
> I think I may need to be satisfied with just redirecting them, rather than 
> warning and redirecting them.
> >Hello Dale,
> >
> >You probably have to create a vlan filter (vlan_filters.conf) for that, like 
> >if the device tries to connect on the Secure SSID but it's a mobile then 
> >refuse the connection (or force guest role).
> >
> >Something like:
> >
> >[SECURESSID]
> >filter = ssid
> >operator = is
> >value = SECURE
> >
> >[mobile]
> >filter = node_info
> >attribute = device_class
> >operator = is
> >value = Smartphones/PDAs/Tablets
> >
> >[1:SECURESSID]
> >scope = NormalVlan
> >role = guest
> >
> >
> >Regards
> >Fabrice
> >
> >Le Mardi, Octobre 20, 2015 10:29 EDT, Dale Whiteaker-Lewis  a 
> >écrit: 
> > 
> >> I'm using PacketFence 5.4.0, and here is the scenario:
> >> 
> >>- I have separate wireless SSIDs for guests and employees.  The guest
> >>SSID is open (using MAC Authentication for registration with PF), and 
> >> the
> >>employee SSID is WPA2 Enterprise (with 802.1x auth).
> >>- I have "guest," "employee," and "developer" roles, with associated
> >>VLANs on my wireless controller and network switches.
> >>- I need to allow all devices (including BYOD mobile devices like
> >>smartphones) to be registered from any of these VLANs.
> >>- I need to divert all registered mobile devices into the "guest" role,
> >>so that mobile devices do not have access to my "employee," or, 
> >> "developer"
> >>VLANs.
> >> 
> >> So far, I've tried the following approaches:
> >> 
> >>1. Use Violation 301 (Block all mobile devices) to set the role to
> >>guest, without a trap.  In some ways this is closest to working, since 
> >> it
> >>sets the role to "guest" correctly, but it does not allow for 
> >> registration,
> >>so I don't know who is on the device.
> >>2. Use 301 to set the role to a newly created role "unregistered
> >>mobile," then use a clone of 301 (3000101) to trap all other mobile
> >>devices (that aren't in that role) after a 30 second grace period, and 
> >> set
> >>the role to "guest."  This allowed the new device to be registered, but
> >>violation 3000101 never triggered after the next successful dot1x auth.
> >>3. ...about 20 other permutations of numbers 1 and 2.
> >> 
> >> So, does this even sound possible?  The basic requirement seems pretty
> >> straightforward, "divert all mobile devices after registration to the guest
> >> role and its associated VLAN."  It seems to me that the main dysfunction is
> >> that the RADIUS-provided VLAN attribute overrides any assignment of the
> >> node to the "guest" role.  If the user is in the "developer" AD group, and
> >> PF tells the controller that via RADIUS Option 81, this seems to override
> >> any violation-based role assignment.
> >> 
> >> Has anyone else attempted this?  I'm happy to provide any details about my
> >> install, but didn't want to dump a crap-ton of config files on the list,
> >> only to have someone say, "it's not possible."
> >> 
> >> Have others taken a different approach that works to keep BYOD devices
> >> on the guest role, or similar?
> >> 
> >> 
> >> Dale Whiteaker-Lewis
> >> 
> >> Security Engineering Lead
> >> 
> >> Indeed, Inc.
> >> 
> >> One Search, All Jobs


-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo 
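As an added example (my own Python, not PacketFence code), here is the filter and rule evaluation that Fabrice's vlan_filters.conf snippet relies on, run against two constructed nodes on the secure SSID. It evaluates his `[1:SECURESSID]` rule alongside a `[2:SECURESSID&mobile]` rule that combines both filters with `&`, the combinator PacketFence's vlan_filters.conf uses for that; the `is_not` operator, the device_class values and the node records are assumptions made for the demo.

```python
import configparser
import re

# Constructed sample: Fabrice's two filters, plus a second rule that ANDs them.
# Rule 1 references only the SSID filter, so it applies to every device on the
# secure SSID; rule 2 applies only to mobiles on that SSID (Dale's requirement).
VLAN_FILTERS_CONF = """
[SECURESSID]
filter = ssid
operator = is
value = SECURE

[mobile]
filter = node_info
attribute = device_class
operator = is
value = Smartphones/PDAs/Tablets

[1:SECURESSID]
scope = NormalVlan
role = guest

[2:SECURESSID&mobile]
scope = NormalVlan
role = guest
"""

RULE_RE = re.compile(r"^\d+:(.+)$")  # rule sections look like "[<n>:<expression>]"


def parse_filters(text):
    """Split the INI text into named filters and ordered rules."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    filters, rules = {}, []
    for name in cp.sections():
        section = dict(cp[name])
        m = RULE_RE.match(name)
        if m:
            rules.append((name, m.group(1), section))
        else:
            filters[name] = section
    return filters, rules


def filter_matches(flt, ctx):
    """Evaluate one filter against a request context.

    ctx carries the SSID the client associated to and the node's node_info
    attributes (only device_class is used here). "is" is the operator from the
    posted snippet; "is_not" is an assumed extra; anything else fails loudly.
    """
    if flt["filter"] == "ssid":
        actual = ctx["ssid"]
    elif flt["filter"] == "node_info":
        actual = ctx["node_info"].get(flt["attribute"])
    else:
        raise ValueError("unsupported filter type: %s" % flt["filter"])
    op = flt["operator"]
    if op == "is":
        return actual == flt["value"]
    if op == "is_not":
        return actual != flt["value"]
    raise ValueError("unsupported operator: %s" % op)


def rule_matches(expr, filters, ctx):
    """A rule expression is one or more filter names joined with '&'."""
    return all(filter_matches(filters[name.strip()], ctx) for name in expr.split("&"))


def role_for(text, ctx, scope="NormalVlan", only_rule=None):
    """Return the role set by the first matching rule in scope, or None."""
    filters, rules = parse_filters(text)
    for name, expr, section in rules:
        if only_rule and name != only_rule:
            continue
        if section.get("scope") == scope and rule_matches(expr, filters, ctx):
            return section.get("role")
    return None


# Constructed nodes: a corporate laptop and a personal phone, both on SECURE.
LAPTOP = {"ssid": "SECURE", "node_info": {"device_class": "Windows"}}
PHONE = {"ssid": "SECURE", "node_info": {"device_class": "Smartphones/PDAs/Tablets"}}

if __name__ == "__main__":
    for label, node in (("laptop", LAPTOP), ("phone", PHONE)):
        print(label, "rule 1:SECURESSID        ->", role_for(VLAN_FILTERS_CONF, node, only_rule="1:SECURESSID"))
        print(label, "rule 2:SECURESSID&mobile ->", role_for(VLAN_FILTERS_CONF, node, only_rule="2:SECURESSID&mobile"))
```

With rule 1 alone both devices land in guest; with rule 2 only the phone does, which is the difference between Fabrice's snippet and Dale's goal.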

[PacketFence-users] SMS gateway configuration

2015-10-21 Thread Ing. Vanen Vythilingum
How and where do I set up an SMS gateway?

I would like to use
http://www.skebby.com/sms-gateway/sms-api/sending-text-messaging/ for
sending SMS registration messages.



Re: [PacketFence-users] Issue with dhcp sending wrong DNS in clustered mode

2015-10-21 Thread Simon Gottschlag
Hi,

I think PF works with DNS interception in inline mode, forcing all queries to 
123.123.123.123 or something like that and by that, forcing it to the Captive 
Portal.
In my case, DNS doesn’t work after registration when the PacketFence-nodes are 
the DNS servers.

Either I need to get the packetfence nodes to act as DNS servers, or I’ll need 
to use other DNS server.

What would you like to know about the environment? I’m not sure what is 
interesting in the configuration?

Regards,
Simon Gottschlag

From: Tim DeNike [mailto:tim.den...@mcc.edu]
Sent: den 21 oktober 2015 14:26
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Issue with dhcp sending wrong DNS in clustered 
mode

When a device is in registration vlan, the DHCP assigned dns server is the PF 
server.  This is so they can redirect to the captive portal.

I'm not sure how it operates in inline mode.

What is your setup?

On Wed, Oct 21, 2015 at 7:23 AM, Simon Gottschlag wrote:
Hi all!

I’m using the latest version of PacketFence (ZEN) and have setup a cluster.
Registration works, and after that I’m able to ping the internet (example 
8.8.8.8).

My problem is that I’m not able to resolve anything else. The DHCP server 
(packetfence server) are sending the cluster nodes IPs as the DNS servers, even 
though I’ve specified another one in networks.conf.

Are the nodes in the cluster meant to handle all DNS queries? If not, what do 
you think could be the problem?

Best regards,
Simon Gottschlag



Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-21 Thread Arthur Emerson
On 10/21/15, 12:35 PM, "Morris, Andi" wrote:

Has anyone else run into this sort of issue with devices sitting in the captive 
portal, and if so how do you combat it?

I made a local portal user ID for unregistered devices that are hanging
around for too long without registering.  Once the device is manually
registered to that user, I set a violation on the device, which sends it
to an unused VLAN (mac-detect?).  You can do the same thing with RADIUS
VLAN settings for the special user, as long as the device gets sent to
the naughty room (isolated on a dead VLAN).

I never automated this process, but it shouldn't be too difficult...

-Arthur

-
Arthur Emerson III Email:  
emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 8A



Re: [PacketFence-users] multiple dc's in domain.conf

2015-10-21 Thread Louis Munro
That is not supported at this time, in part because the templated files 
themselves don’t necessarily support it.


But more to the point, that is not how ntlm authentication works.
The winbind process finds its DC dynamically using DNS SRV records.
So changing the config files on the client side of it will not help you much.

Have a look at this for some background: 
https://technet.microsoft.com/en-us/library/cc961719.aspx 

https://support.microsoft.com/en-us/kb/247811 


Obviously this was written for Windows, but winbind emulates it.

--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Oct 21, 2015, at 8:30 , mourik jan heupink  wrote:
> 
> Hi,
> 
> Are we able to provide multiple ip's and ad_server names in domain.conf? 
> I would like to add more dc's, to make things more stable. Currently my 
> file looks like this:
> 
> [intech]
> bind_pass=
> dns_server=192.x.z.15
> bind_dn=username
> workgroup=WRKGRP
> ad_server=dc2.samba.company.com
> server_name=pf
> dns_name=SAMBA.COMPANY.COM
> 
> Can I type multiple dns_server lines, or perhaps comma/space separated 
> ip's..? And likewise for ad_server..?
> 
> Reason: we've recently had a Domain Controller outage on the configured 
> DC, causing the whole packetfence system to go down as well... Not so nice.
> 
> Regards,
> MJ
> 
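To illustrate Louis's point that the DC is located through DNS rather than through domain.conf, here is an added example (my own Python, not Samba, winbind or PacketFence code): it orders constructed SRV records for the DC-locator name of MJ's domain the way RFC 2782 prescribes (lowest priority first, weighted random among equal priorities) and walks them until a DC answers. The record set, weights and the reachability callback are constructed for the demo; the redundancy MJ is after comes from publishing more than one such record.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed records for the DC-locator name of dns_name=SAMBA.COMPANY.COM.
# dc1 and dc2 share priority 0 and are load-balanced by weight; dc3 at
# priority 10 is only tried when both priority-0 DCs fail to answer.
LOCATOR_NAME = "_ldap._tcp.dc._msdcs.SAMBA.COMPANY.COM"
RECORDS = [
    SRV(priority=0, weight=100, port=389, target="dc1.samba.company.com."),
    SRV(priority=0, weight=100, port=389, target="dc2.samba.company.com."),
    SRV(priority=10, weight=0, port=389, target="dc3.samba.company.com."),
]


def order_srv(records, seed=None):
    """Return the records in RFC 2782 try-order.

    All records of the lowest priority come first. Within one priority each
    record is drawn with probability proportional to its weight; if every
    weight is zero the draw is uniform. `seed` makes the order reproducible.
    """
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                pick = rng.choices(pool, weights=[r.weight for r in pool])[0]
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def first_reachable(records, reachable, seed=None):
    """Walk the ordered list and return the first target that answers.

    `reachable` stands in for the client's connection attempt; it is a
    constructed callback here. Returns None when no DC answers at all.
    """
    for r in order_srv(records, seed):
        if reachable(r.target):
            return r.target
    return None


if __name__ == "__main__":
    print("lookup", LOCATOR_NAME)
    for r in order_srv(RECORDS, seed=1):
        print("  try", r.target, "port", r.port, "(priority %d, weight %d)" % (r.priority, r.weight))
    # Simulate the outage MJ describes: dc1 (the one a static config would name) is down.
    print("chosen:", first_reachable(RECORDS, lambda t: not t.startswith("dc1"), seed=1))
```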


[PacketFence-users] Error trying to install Packetfence

2015-10-21 Thread Mercadeo - Magellan
I get this error when I try to install packetfence complete with the
following command...

yum groupinstall --enablerepo=PacketFence,rpmforge PacketFence-complete

--> Finished Dependency Resolution
Error: Package: packetfence-5.4.0-1.el6.noarch (packetfence)
           Requires: freeradius >= 2.2.8-34
           Installed: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               freeradius = 2.2.6-6.el6_7
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               freeradius = 2.2.6-4.el6
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Then I ran the following to try to solve it...

yum install http://www.packetfence.org/downloads/PacketFence/RHEL6/x86_64/RPMS/freeradius-2.2.8-34.1.x86_64.rpm

And get this error...

---> Package freeradius.x86_64 0:2.2.8-34.1 will be an update
--> Finished Dependency Resolution
Error: Package: freeradius-perl-2.2.6-6.el6_7.x86_64 (@updates)
           Requires: freeradius = 2.2.6-6.el6_7
           Removing: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               freeradius = 2.2.6-6.el6_7
           Updated By: freeradius-2.2.8-34.1.x86_64 (/freeradius-2.2.8-34.1.x86_64)
               freeradius = 2.2.8-34.1
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               freeradius = 2.2.6-4.el6
Error: Package: freeradius-ldap-2.2.6-6.el6_7.x86_64 (@updates)
           Requires: freeradius = 2.2.6-6.el6_7
           Removing: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               freeradius = 2.2.6-6.el6_7
           Updated By: freeradius-2.2.8-34.1.x86_64 (/freeradius-2.2.8-34.1.x86_64)
               freeradius = 2.2.8-34.1
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               freeradius = 2.2.6-4.el6
Error: Package: freeradius-ldap-2.2.6-6.el6_7.x86_64 (@updates)
           Requires: libfreeradius-radius-020206.so()(64bit)
           Removing: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               libfreeradius-radius-020206.so()(64bit)
           Updated By: freeradius-2.2.8-34.1.x86_64 (/freeradius-2.2.8-34.1.x86_64)
               Not found
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               libfreeradius-radius-020206.so()(64bit)
Error: Package: freeradius-mysql-2.2.6-6.el6_7.x86_64 (@updates)
           Requires: freeradius = 2.2.6-6.el6_7
           Removing: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               freeradius = 2.2.6-6.el6_7
           Updated By: freeradius-2.2.8-34.1.x86_64 (/freeradius-2.2.8-34.1.x86_64)
               freeradius = 2.2.8-34.1
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               freeradius = 2.2.6-4.el6
Error: Package: freeradius-utils-2.2.6-6.el6_7.x86_64 (@updates)
           Requires: freeradius = 2.2.6-6.el6_7
           Removing: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               freeradius = 2.2.6-6.el6_7
           Updated By: freeradius-2.2.8-34.1.x86_64 (/freeradius-2.2.8-34.1.x86_64)
               freeradius = 2.2.8-34.1
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               freeradius = 2.2.6-4.el6
Error: Package: freeradius-utils-2.2.6-6.el6_7.x86_64 (@updates)
           Requires: libfreeradius-eap-2.2.6.so()(64bit)
           Removing: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               libfreeradius-eap-2.2.6.so()(64bit)
           Updated By: freeradius-2.2.8-34.1.x86_64 (/freeradius-2.2.8-34.1.x86_64)
               Not found
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               libfreeradius-eap-2.2.6.so()(64bit)
Error: Package: freeradius-utils-2.2.6-6.el6_7.x86_64 (@updates)
           Requires: libfreeradius-radius-020206.so()(64bit)
           Removing: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               libfreeradius-radius-020206.so()(64bit)
           Updated By: freeradius-2.2.8-34.1.x86_64 (/freeradius-2.2.8-34.1.x86_64)
               Not found
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               libfreeradius-radius-020206.so()(64bit)
Error: Package: freeradius-perl-2.2.6-6.el6_7.x86_64 (@updates)
           Requires: libfreeradius-radius-020206.so()(64bit)
           Removing: freeradius-2.2.6-6.el6_7.x86_64 (@updates)
               libfreeradius-radius-020206.so()(64bit)
           Updated By: freeradius-2.2.8-34.1.x86_64 (/freeradius-2.2.8-34.1.x86_64)
               Not found
           Available: freeradius-2.2.6-4.el6.x86_64 (base)
               libfreeradius-radius-020206.so()(64bit)
 You could try using --skip-broken to work around the problem

Any help will be appreciated.

Best regards.



Re: [PacketFence-users] How to enforce guest role on mobile devices after registration?

2015-10-21 Thread Dale Whiteaker-Lewis
Here is the process:

   - Employee has a company-issued laptop
   - Employee has a personal phone with WiFi.
   - We have a WPA2 Enterprise SSID using 802.1x/EAP-PEAP-MSCHAPv2 for
   authentication, with PF as the RADIUS server.
   - We want to allow employee VLAN access for the laptop after 802.1x
   authentication.
   - We want to prevent employee VLAN access for the phone after 802.1x
   authentication, and force it to the guest VLAN.
   - We want all devices to be registered, to link the MAC Address with the
   user name.
   - There are "guest", "employee," and "developer" VLANs available on the
   wireless controller.  Packetfence assigns these to the user based on AD
   group membership, via RADIUS Option 81 attribute, passed to the wireless
   controller.

My observation is that RADIUS Option 81 VLAN assignment seems to override
all other assignments, including the node's default VLAN assignment, the
VLAN resulting from a violation, or the VLAN resulting from
vlan_filters.conf settings.

Optimally, an employee would see the following, if attempting to access the
WPA2 Enterprise SSID from a mobile device:

   1. The device begins in the registration role, on the registration
   VLAN.
   2. The user is diverted to the captive portal, and registers the device
   under their name.
   3. The device is granted access--based on a successful 802.1x
   authentication, however...
   4. ...the device is diverted to the guest role (and guest VLAN), because
   it is a mobile device (using the vlan_filters.conf function).

It seems like step 4 doesn't work, because the RADIUS assigned VLAN is
preferred to the vlan_filters.conf VLAN, but I could be misunderstanding
what's happening.

It's good to type this out for myself as a summary, even if a full answer
is not possible.


Re: [PacketFence-users] AD auth fails

2015-10-21 Thread Holger.Patzelt
Hi Louis,

Yes, services do run
(I suppose that snort does not impact the auth processes...)

service|shouldBeStarted|pid
carbon-cache|1|8964
carbon-relay|1|8971
collectd|1|8974
dhcpd|1|8991
haproxy|0|0
httpd.aaa|1|8993
httpd.admin|1|8935
httpd.graphite|1|9004
httpd.portal|1|9018
httpd.proxy|1|9030
httpd.webservices|1|9149
iptables|1|-1
memcached|1|8918
pfbandwidthd|0|0
pfdetect|1|9174
pfdhcplistener_eth1|1|9178
pfdhcplistener_eth5|1|9183
pfdhcplistener_eth7|1|9191
pfdns|1|9194
pfmon|1|9198
pfsetvlan|1|9213
radiusd|1|9674
radsniff3|1|9235
snmptrapd|0|9211
snort|1|0
statsd|1|9247
suricata|0|0
winbindd-dtpublic2.conf|1|9383
keepalived|0|0

Regards,
Holger



From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: Tuesday, October 20, 2015 7:08 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] AD auth fails


On Oct 20, 2015, at 13:03, Holger.Patzelt wrote:

> What have I done wrong?
> Please help!!!


Are all PacketFence services running?

Please post the output of
# service packetfence status

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  
www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)
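
Louis's question is whether every service is actually up, and the table Holger posted answers it only if one reads all three columns. The parser below is an added check, not from the thread and not PacketFence code: it reads the service|shouldBeStarted|pid rows and sorts services into running as expected, expected but not running, running although disabled, and services with no pid to track. The sample input is copied from the status output above; treating a pid of -1 as "no daemon process to track" (how the iptables row appears) and the list of auth-critical services are assumptions made for the example.

```python
"""Added example: triage the output of `service packetfence status`.

Not PacketFence code. It parses the pipe-separated table shown in the
thread and flags mismatches between what should be started and what has
a pid. Assumption: a pid of -1 means the service has no daemon process
to track (iptables), so it is listed separately rather than as a failure.
"""

# Sample copied from the status output posted above.
STATUS_OUTPUT = """service|shouldBeStarted|pid
carbon-cache|1|8964
carbon-relay|1|8971
collectd|1|8974
dhcpd|1|8991
haproxy|0|0
httpd.aaa|1|8993
httpd.admin|1|8935
httpd.graphite|1|9004
httpd.portal|1|9018
httpd.proxy|1|9030
httpd.webservices|1|9149
iptables|1|-1
memcached|1|8918
pfbandwidthd|0|0
pfdetect|1|9174
pfdhcplistener_eth1|1|9178
pfdhcplistener_eth5|1|9183
pfdhcplistener_eth7|1|9191
pfdns|1|9194
pfmon|1|9198
pfsetvlan|1|9213
radiusd|1|9674
radsniff3|1|9235
snmptrapd|0|9211
snort|1|0
statsd|1|9247
suricata|0|0
winbindd-dtpublic2.conf|1|9383
keepalived|0|0
"""

# Services that AD / RADIUS authentication in a deployment like this depends on.
# This set is an assumption for the example, not something the thread states.
AUTH_CRITICAL = {"radiusd", "httpd.aaa", "httpd.portal", "pfdns", "dhcpd", "memcached"}


def is_auth_critical(name):
    """winbindd instances are named per domain, so match them by prefix."""
    return name in AUTH_CRITICAL or name.startswith("winbindd-")


def parse_status(text):
    """Return a list of (service, should_start, pid) tuples, skipping the header."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("service|"):
            continue
        name, should, pid = line.split("|")
        rows.append((name, should == "1", int(pid)))
    return rows


def triage(text):
    """Sort services into the buckets that matter when authentication is failing."""
    result = {"ok": [], "down": [], "unexpected": [], "untracked": []}
    for name, should, pid in parse_status(text):
        if should and pid == -1:
            result["untracked"].append(name)   # no daemon to check (assumption)
        elif should and pid <= 0:
            result["down"].append(name)        # expected running, but no pid
        elif not should and pid > 0:
            result["unexpected"].append(name)  # disabled, yet a pid is reported
        elif should:
            result["ok"].append(name)
        # disabled services with pid 0 are the normal case and are not reported
    return result


def auth_path_healthy(text):
    """True when every auth-critical service that should run has a live pid."""
    return not any(is_auth_critical(name) for name in triage(text)["down"])


if __name__ == "__main__":
    report = triage(STATUS_OUTPUT)
    for bucket in ("down", "unexpected", "untracked"):
        print("%-11s %s" % (bucket + ":", ", ".join(report[bucket]) or "-"))
    print("auth path healthy:", auth_path_healthy(STATUS_OUTPUT))
```

On Holger's output this reports snort as down (which matches his own remark), snmptrapd as running although marked not to be started, and iptables as untracked; none of the services the authentication path depends on is missing, so the failure is unlikely to be a stopped daemon.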




Re: [PacketFence-users] Mac Book Pro Air Portal

2015-10-21 Thread Moises Moreno


Derek, 

When we connect to the SSID, the Apple portal window pops up automatically. We
fill out the information and hit the register by email button. It then attempts
to allow us access but it just gets stuck at that point. We get a message
stating our network access will be enabled, the WLAN seems to disconnect for a
moment and then reconnects; at that point we get another message stating that the
system is unable to detect network connectivity. The network looks like it has
access but it doesn't; we have to disable the NIC and then re-enable it, and then
the PC has full access.

We also tried to close the pop-up window and use a browser and we get the same
result.

Thanks for your help. 



On Wed, 10/21/15, Derek Wuelfrath wrote:

> Subject: Re: [PacketFence-users] Mac Book Pro Air Portal
> To: "ML PF"
> Date: Wednesday, October 21, 2015, 7:52 AM
>
> Moi,
>
> Can you specify if that happens when using the “Apple reduced
> captive-portal browser” thingy ? I mean, when you first connect to an
> SSID, MacBook will try to detect if you have Internet access
> or not, and if not, will popup a simili browser containing
> the portal.
>
> We already encountered some kind of issues with this “simili
> browser” so that’s why I ask.
>
> Cheers!
> dw.
>
> —
> Derek Wuelfrath
> dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>
>> On Oct 20, 2015, at 12:50 AM, Moises Moreno wrote:
>>
>> Hi,
>>
>> We installed the packet system in web auth mode. We use a Cisco
>> WLC and APs. We use one vlan and access is managed by
>> DACL's. It works great, with most devices. However, with
>> Apple Mac Book Pros and Air there is an issue. Once a
>> user goes through the guest form (the one they get directed
>> to), they fill out the form and when they select email they
>> get the message that tells them to check their email. After
>> that, the browser gets stuck, nothing happens other than
>> another message stating that the system can't find the
>> network connection. After this the browser is just stuck. If
>> the user disables and then re-enables their wireless NICs
>> then they are allowed to the net to go to email and
>> verify.
>>
>> I found some info on this forum about pass through and setting
>> several settings. However, this is from last year. Any idea
>> how to fix this, will the article mentioned help? They
>> renamed their domain from a .local which we have, a .local
>> domain. Lastly, they disabled their network connection, then
>> re-enabled and it worked.
>>
>> Thanks in advance for your assistance.
>>
>> Moi



Re: [PacketFence-users] Issue with dhcp sending wrong DNS in clustered mode

2015-10-21 Thread Simon Gottschlag
Hi All,

It was an issue with the inline detection.

@fdurand solved it!

https://github.com/inverse-inc/packetfence/issues/975

Best regards,
Simon Gottschlag

From: Simon Gottschlag
Sent: 21 October 2015 18:00
To: packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Issue with dhcp sending wrong DNS in clustered mode

Hi,

I think PF works with DNS interception in inline mode, forcing all queries to
123.123.123.123 or something like that, and by that forcing it to the Captive
Portal.
In my case, DNS doesn't work after registration when the PacketFence nodes are
the DNS servers.

Either I need to get the PacketFence nodes to act as DNS servers, or I'll need
to use another DNS server.

What would you like to know about the environment? I'm not sure what is
interesting in the configuration.

Regards,
Simon Gottschlag
From: Tim DeNike [mailto:tim.den...@mcc.edu]
Sent: 21 October 2015 14:26
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Issue with dhcp sending wrong DNS in clustered mode

When a device is in the registration VLAN, the DHCP-assigned DNS server is the PF
server. This is so they can redirect to the captive portal.

I'm not sure how it operates in inline mode.

What is your setup?

On Wed, Oct 21, 2015 at 7:23 AM, Simon Gottschlag wrote:
Hi all!

I'm using the latest version of PacketFence (ZEN) and have set up a cluster.
Registration works, and after that I'm able to ping the internet (for example
8.8.8.8).

My problem is that I'm not able to resolve anything else. The DHCP server
(PacketFence server) is sending the cluster nodes' IPs as the DNS servers, even
though I've specified another one in networks.conf.

Are the nodes in the cluster meant to handle all DNS queries? If not, what do 
you think could be the problem?

Best regards,
Simon Gottschlag



Re: [PacketFence-users] email registration always as 'guest'`

2015-10-21 Thread mourik jan heupink


On 10/21/2015 10:19 AM, Timur Gubaev wrote:
> The same issue, and also cannot guess why it happens
>

Then a reaction from inverse would be even more appreciated...
Thanks for replying.

MJ



Re: [PacketFence-users] email registration always as 'guest'`

2015-10-21 Thread mourik jan heupink
ok, done here:

https://github.com/inverse-inc/packetfence/issues/969

On 10/21/2015 01:39 PM, Durand fabrice wrote:
> Hello, good morning from inverse !
>
> So it's a bug then; open an issue there:
> https://github.com/inverse-inc/packetfence/issues
>
> Regards
> Fabrice
>
>
> On 2015-10-21 07:29, mourik jan heupink wrote:
>>
>> On 10/21/2015 10:19 AM, Timur Gubaev wrote:
>>> The same issue, and also cannot guess why it happens
>>>
>> Then a reaction from inverse would be even more appreciated...
>> Thanks for replying.
>>
>> MJ
>>
>
>
>



Re: [PacketFence-users] Issue with dhcp sending wrong DNS in clustered mode

2015-10-21 Thread Tim DeNike
When a device is in the registration VLAN, the DHCP-assigned DNS server is the
PF server. This is so they can redirect to the captive portal.

I'm not sure how it operates in inline mode.

What is your setup?

On Wed, Oct 21, 2015 at 7:23 AM, Simon Gottschlag  wrote:

> Hi all!
>
>
>
> I'm using the latest version of PacketFence (ZEN) and have set up a cluster.
>
> Registration works, and after that I'm able to ping the internet (for example
> 8.8.8.8).
>
>
>
> My problem is that I'm not able to resolve anything else. The DHCP server
> (PacketFence server) is sending the cluster nodes' IPs as the DNS servers,
> even though I've specified another one in networks.conf.
>
>
>
> Are the nodes in the cluster meant to handle all DNS queries? If not, what
> do you think could be the problem?
>
>
>
> Best regards,
> Simon Gottschlag
>
>
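
Tim's reply explains the mechanism: while a node sits in the registration VLAN it is handed the PacketFence server as its resolver, so every name it looks up lands on the captive portal; Simon's symptom is that names still do not resolve after registration. The script below is an added diagnostic for exactly that situation, written for this thread and not part of PacketFence or of either poster's setup. It builds a minimal DNS A query, parses the answer section, and reports whether several unrelated names all came back with one address, which is what portal interception looks like from the client. The response bytes, the portal address 192.0.2.10 and the example names are constructed; resolve() sends a real query over UDP to the resolver passed to it and is only meant for use on a live client.

```python
"""Added example: spot captive-portal DNS interception from a client.

Not PacketFence code. Builds a minimal DNS A query, parses A records out
of a response, and reports whether several unrelated names all resolved
to one address (the portal), which is expected for an unregistered node
and should stop once the node is registered. The responses used in the
demo are constructed locally; nothing here touches the network unless
resolve() is called explicitly.
"""
import random
import socket
import struct


def build_query(name, txid=None):
    """Return (txid, wire_bytes) for a standard recursive A/IN query."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_response(query, addrs, rcode=0):
    """Construct a reply to `query` (for the offline demo) carrying A records."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:]  # echo the question section unchanged
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + question + answers


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, expect_txid=None):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:  # RCODE != 0 (NXDOMAIN, SERVFAIL, ...): nothing usable
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def looks_intercepted(answers_by_name):
    """True when two or more unrelated names all resolved to exactly one shared address."""
    if len(answers_by_name) < 2 or not all(answers_by_name.values()):
        return False
    addrs = {addr for answers in answers_by_name.values() for addr in answers}
    return len(addrs) == 1


def resolve(name, server, timeout=2.0):
    """Send the query to `server` over UDP and return its A records (live use only)."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, txid)


if __name__ == "__main__":
    portal = "192.0.2.10"  # constructed portal address (documentation range)
    names = ["www.example.com", "www.example.net", "www.example.org"]
    # What an unregistered node sees: every name answered with the portal address.
    seen = {}
    for n in names:
        txid, q = build_query(n, txid=0x1234)
        seen[n] = parse_a_records(build_response(q, [portal]), txid)
    print("unregistered view:", seen, "-> intercepted:", looks_intercepted(seen))
```

On a live client the check is resolve(name, dhcp_supplied_server) for a few names: all-identical answers mean the node is still being steered to the portal, empty answers (a non-zero RCODE or a timeout) after registration point at the resolver itself, which is the case Simon describes.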


[PacketFence-users] multiple dc's in domain.conf

2015-10-21 Thread mourik jan heupink
Hi,

Are we able to provide multiple IPs and ad_server names in domain.conf?
I would like to add more DCs, to make things more stable. Currently my
file looks like this:

[intech]
bind_pass=
dns_server=192.x.z.15
bind_dn=username
workgroup=WRKGRP
ad_server=dc2.samba.company.com
server_name=pf
dns_name=SAMBA.COMPANY.COM

Can I type multiple dns_server lines, or perhaps comma/space separated
IPs..? And likewise for ad_server..?

Reason: we've recently had a Domain Controller outage on the configured 
DC, causing the whole packetfence system to go down as well... Not so nice.

Regards,
MJ



Re: [PacketFence-users] email registration always as 'guest'`

2015-10-21 Thread Timur Gubaev
The same issue, and also cannot guess why it happens

> Hi,
>
> On packetfence 5.3.1, inline, using email registration I would like
> different roles to be applied, based on the kind of email address the
> user used. But all registrations end up as type 'guest', and the roles I
> configured are never applied


[PacketFence-users] Issue with dhcp sending wrong DNS in clustered mode

2015-10-21 Thread Simon Gottschlag
Hi all!

I'm using the latest version of PacketFence (ZEN) and have set up a cluster.
Registration works, and after that I'm able to ping the internet (for example
8.8.8.8).

My problem is that I'm not able to resolve anything else. The DHCP server
(PacketFence server) is sending the cluster nodes' IPs as the DNS servers, even
though I've specified another one in networks.conf.

Are the nodes in the cluster meant to handle all DNS queries? If not, what do 
you think could be the problem?

Best regards,
Simon Gottschlag


Re: [PacketFence-users] email registration always as 'guest'`

2015-10-21 Thread Durand fabrice
Hello, good morning from inverse !

So it's a bug then; open an issue there:
https://github.com/inverse-inc/packetfence/issues

Regards
Fabrice


On 2015-10-21 07:29, mourik jan heupink wrote:
>
> On 10/21/2015 10:19 AM, Timur Gubaev wrote:
>> The same issue, and also cannot guess why it happens
>>
> Then a reaction from inverse would be even more appreciated...
> Thanks for replying.
>
> MJ
>

