[PacketFence-users] 802.11x autoregister

2016-05-24 Thread Jan-Patrick Perisse
Hello people, 
I have ZEN 6.0.1 installed and I am currently testing.
I don’t want people on the network to get to the portal for registration. So, I 
have set up a config to auto register anyone that can authenticate on AD. 
Besides that, I will set up printers and other devices to auto register via MAC.
My setup is working properly for wired workstation (although they 
re-authenticate every minute and I can’t get rid of it).
But for wireless, I have WPA2 Enterprise on unifi and PF doesn’t seem to apply 
the rule.
Thank you.

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[reg:etherneteap]
scope = AutoRegister
role = default

[wetherneteap]
filter = connection_type
operator = is
value = Wireless-802.11-EAP

[reg:wetherneteap]
scope = AutoRegister
role = default

You can see it’s the same rule but LOG says:
For wireless
May 24 12:21:36 httpd.aaa(14492) DEBUG: [mac:c0:f2:fb:b4:d7:04] instantiating 
new pf::access_filter::vlan (pf::access_filter::new)
May 24 12:21:36 httpd.aaa(14492) DEBUG: [mac:c0:f2:fb:b4:d7:04] No rule matched 
for scope AutoRegister (pf::access_filter::test)

For wired
May 24 12:24:54 httpd.aaa(14492) DEBUG: [mac:e8:40:f2:3a:b1:77] instantiating 
new pf::access_filter::vlan (pf::access_filter::new)
May 24 12:24:54 httpd.aaa(14492) INFO: [mac:e8:40:f2:3a:b1:77] Match rule 
reg:etherneteap (pf::access_filter::test)
May 24 12:24:54 httpd.aaa(14492) INFO: [mac:e8:40:f2:3a:b1:77] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
May 24 12:24:54 httpd.aaa(14492) DEBUG: [mac:e8:40:f2:3a:b1:77] instantiating 
new pf::Portal::Profile object (pf::Portal::Profile::new)
May 24 12:24:54 httpd.aaa(14492) DEBUG: [mac:e8:40:f2:3a:b1:77] instantiating 
new pf::access_filter::vlan (pf::access_filter::new)
May 24 12:24:54 httpd.aaa(14492) DEBUG: [mac:e8:40:f2:3a:b1:77] No engine found 
for NodeInfoForAutoReg (pf::access_filter::test)




JAN-PATRICK PÉRISSÉ
Technical Director
www.aeon.com.br    +55 21 2705-3139



--
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Best wifi device for openWrt / Packetfence give me your feedbacks boys !

2016-05-24 Thread Frederic Hermann
We successfully use PacketFence with Ubiquiti devices (mostly unifi, running 
with openwrt 14.07) and Mikrotik devices (with RouterOS 6.35). 

If you go with Mikrotik, it would be an error to use openwrt, IMHO, as 
RouterOS probably provides more features you will need. 

The learning curve for mikrotik management can be shallow, however. 

Regards, 


Re: [PacketFence-users] Best wifi device for openWrt / Packetfence give me your feedbacks boys !

2016-05-24 Thread Antoine Amacher

Hello Pierrick,

This was tested only with Ubiquiti on our side; you can try to do it on 
other devices but we can't confirm that it will work.


Thanks

On 05/24/2016 08:38 AM, PROST pierrick wrote:


Hi everyone,

We want to buy and deploy PacketFence with an out-of-band configuration. 
We are looking for a new wifi device with OpenWRT 14.07 compatibility to 
match this documentation


http://packetfence.org/doc/PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.html

Do you have any feedback? Ubiquiti? Linksys? MikroTik?

Have a good day!

Pierrick Prost

CNRS





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Registration Portal

2016-05-24 Thread Fabrice Durand

Hi Manfred,

when your device is in the reg vlan, what are the ip parameters of the 
device ?


What is the ip of your captive portal ?

Can you see something in packetfence.log ? (Paste the log please)

Regards
Fabrice


On 2016-05-23 06:04, Schannen, Manfred wrote:


Hi,

I have a fresh ZEN6.01 installation, configured as it is described in 
the out of band deployment quick guide.


When I connect with an unregistered device, I get an IP address from the 
registration vlan.


When I start the browser I did not get redirected to the registration 
portal!


The network detection is marked and I filled in the IP of the 
management network.


Can someone help me?

Thanks

Manfred





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] Auto registration

2016-05-24 Thread Fabrice Durand

Hello Anton,
Can you try that:

[regnetwork]
filter = ssid
operator = is
value = ess_pf_MacAuth

[normalnetwork]
filter = ssid
operator = is
value = ess_pf_Dot1x

[is_staff]
filter = node_info.category
operator = is
value = admin_wlan

[is_student]
filter = node_info.category
operator = is
value = student_wlan

# unregister all staff nodes when connecting to open ssid
[unregnode:regnetwork_staff]
scope = NormalVlan
role = registration
action = modify_node
action_param = mac = $mac, status = 'unreg'

# unregister all student nodes when connecting to open ssid
[unregnode:regnetwork_student]
scope = NormalVlan
role = registration
action = modify_node
action_param = mac = $mac, status = 'unreg'

# if a registered device connects to open ssid change role to default << this doesn’t work
[unsetautoreg:regnetwork&(is_student|is_staff)]
scope = RegisteredRole
role = registration
action = modify_node
action_param = mac = $mac, autoreg = no, status = 'unreg'

#--auto register on Dot1x---
[1:normalnetwork]
scope = AutoRegister
role = admin_wlan

[nodeinfoadmin]
scope = NodeInfoForAutoReg
filter = node_info.category
operator = is
value = admin_wlan

[nodeinfostudent]
scope = NodeInfoForAutoReg
filter = node_info.category
operator = is
value = student_wlan

[autoreg]
filter = node_info
attribute = autoreg
operator = match
value = yes

[2:autoreg]
scope = NormalVlan
role = admin_wlan
action = register_node
action_param = mac = $mac

[3:autoreg]
scope = NormalVlan
role = student_wlan
action = register_node
action_param = mac = $mac



Regards
Fabrice


On 2016-05-23 10:36, Anton Dreyer wrote:


Thanks Fabrice

I managed to get the auto registration working with your help as per 
below. I have one last problem I am hoping you can help resolve. After 
testing the auto deregistration again it seems that it only properly 
shows the guest portal page if you set the role also. When the role is 
set to admin/student the portal that pops up when trying to connect to 
the open SSID just says “your access will be enabled shortly”. What 
does work is that the node registers and de-registers when swapping 
between the SSID’s.


I have compiled the highlighted section below trying to set the node 
back to the registration role without any luck. (I have tried all the 
examples I could find in the mailing list also)


How do I go about forcing the node role back to registration or even 
to guest when it connects to the open SSID?


Thanks again for all your assistance

Anton

-

[regnetwork]
filter = ssid
operator = is
value = ess_pf_MacAuth

[normalnetwork]
filter = ssid
operator = is
value = ess_pf_Dot1x

[is_staff]
filter = node_info.category
operator = is
value = admin_wlan

[is_student]
filter = node_info.category
operator = is
value = student_wlan

# unregister all staff nodes when connecting to open ssid
[unregnode:regnetwork_staff]
scope = NormalVlan
role = registration
action = modify_node
action_param = mac = $mac, status = 'unreg'

# unregister all student nodes when connecting to open ssid
[unregnode:regnetwork_student]
scope = NormalVlan
role = registration
action = modify_node
action_param = mac = $mac, status = 'unreg'

# if a registered device connects to open ssid change role to default << this doesn’t work
[unsetautoreg:regnetwork&(is_student|is_staff)]
scope = RegisteredRole
role = registration
action = modify_node
action_param = mac = $mac, category = registration, autoreg = no

#--auto register on Dot1x---
[1:normalnetwork]
scope = AutoRegister
role = admin_wlan

[nodeinfoadmin]
scope = NodeInfoForAutoReg
filter = node_info.category
operator = is
value = admin_wlan

[nodeinfostudent]
scope = NodeInfoForAutoReg
filter = node_info.category
operator = is
value = student_wlan

[autoreg]
filter = node_info
attribute = autoreg
operator = match
value = yes

[2:autoreg]
scope = NormalVlan
role = admin_wlan
action = register_node
action_param = mac = $mac

[3:autoreg]
scope = NormalVlan
role = student_wlan
action = register_node
action_param = mac = $mac

# bin/pfcmd service httpd.aaa restart





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  
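
Added example, not part of the original posts and not PacketFence code: a small linter for filter files in the syntax quoted in the two auto-registration threads above. It assumes that the text after the colon in a rule header such as [unsetautoreg:regnetwork&(is_student|is_staff)] is a boolean expression over condition section names; the sample input is constructed from the quoted sections, and parse_sections and lint are hypothetical helper names.

```python
import re

# Constructed sample in the filter syntax quoted in the threads above.
SAMPLE = """\
[regnetwork]
filter = ssid
operator = is
value = ess_pf_MacAuth
[is_staff]
filter = node_info.category
operator = is
value = admin_wlan
[is_student]
filter = node_info.category
operator = is
value = student_wlan
[unregnode:regnetwork_staff]
scope = NormalVlan
role = registration
[unsetautoreg:regnetwork&(is_student|is_staff)]
scope = RegisteredRole
role = registration
"""

def parse_sections(text):
    """Return {section_header: {key: value}} for an INI-style filter file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: values may contain '='
            current[key.strip()] = value.strip()
    return sections

def lint(text):
    """List undefined condition names, unbalanced parentheses and rules without a scope."""
    sections = parse_sections(text)
    conditions = {h for h in sections if ":" not in h}  # assumption: no colon = condition
    problems = []
    for header, body in sections.items():
        if ":" not in header:
            continue
        expr = header.split(":", 1)[1]  # assumption: boolean expression over condition names
        if expr.count("(") != expr.count(")"):
            problems.append(f"{header}: unbalanced parentheses")
        for ref in re.findall(r"[^&|!()\s]+", expr):
            if ref not in conditions:
                problems.append(f"{header}: condition '{ref}' is not defined")
        if "scope" not in body:
            problems.append(f"{header}: rule has no scope")
    return problems

if __name__ == "__main__":
    for p in lint(SAMPLE):
        print(p)
```

Under that assumption, running it over the rules quoted above reports regnetwork_staff and regnetwork_student, since no section with either name is defined.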

[PacketFence-users] Best wifi device for openWrt / Packetfence give me your feedbacks boys !

2016-05-24 Thread PROST pierrick
Hi everyone,

We want to buy and deploy PacketFence with an out-of-band configuration. We are 
looking for a new wifi device with OpenWRT 14.07 compatibility to match this 
documentation
http://packetfence.org/doc/PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.html

Do you have any feedback? Ubiquiti? Linksys? MikroTik?

Have a good day!


Pierrick Prost

CNRS


Re: [PacketFence-users] FW: Packetfence WPA2-EAP Errors

2016-05-24 Thread Fabrice Durand

Hello Evan,

Can I have the content of raddb/sites-enables/packetfence-tunnel, and 
what did you configure for the password in Advanced? (It must be 
plaintext instead of bcrypt.)


Regards
Fabrice


On 2016-05-23 11:02, Evan Linwood wrote:


Hello,
I'm having a problem getting WPA2-EAP working with my OpenWRT 
wireless router, and hoping that someone could please help.


Some background:

My router is a Linksys unit running OpenWRT Chaos Calmer.

(I've already configured this with a local RADIUS server and confirmed 
that WPA2-EAP works as expected against the local radius server).


I'm having problems when I reconfigure the router to use the 
Packetfence server as the RADIUS auth server.


The PF server is release 5.7.0, running on Ubuntu 12.04.5 LTS.

According to the PacketFence Administration Guide v4.1.0, 
Configuration/FreeRADIUS Configuration, Option 3. Local 
Authentication, it is only necessary to configure the raddb/users file.


The contents of my /usr/local/pf/raddb/users file is as follows:

username Cleartext-Password := "password"

I'm seeing errors appear in my RADIUS Audit Log as follows:

MAC Address xxx
Auth Status REJECT
Auth Type EAP
Auto Registration no
Calling Station ID xxx
Computer name
EAP Type MS-CHAP-V2
Event Type Radius-Access-Request
IP Address
Is a Phone no
Node status
Domain
Profile
Realm default
Reason mschap: External script says 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)

Role
Source
Stripped User Name username
User Name username
Unique ID


I've seen the thread in the Packetfence mailing list re the 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO error, but don't think I can apply 
the same approach because I am not running an Active Directory server 
in my configuration (hence why I'm using Option 3 for local auth as 
described above).


I have configured a RADIUS Realm called 'default'. This has no domain 
configured, and is configured with Source 'local'.


I haven't created any RADIUS Domains.

If anyone could offer any help or thoughts it would be much appreciated!

Thanks Evan







--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] Centos 6.7 shutting down itself after install snort

2016-05-24 Thread Fabrice Durand

Hi Amidou,

You must have logs about what happened.
Check in /var/log/messages

Regards
Fabrice

On 2016-05-23 16:19, TOURE Amidou Florian wrote:
Hi all, I have a problem on my PacketFence 6.0.0. After installing snort 
and nessus, my CentOS 6.7 machine shuts down after a few minutes. I have 
looked in the logs but found nothing. Can someone help me?

Thanks

Sent from Yahoo Mail for Android






--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



[PacketFence-users] Need help with iPhones

2016-05-24 Thread Torry, Andrew
Hi folks,

When someone connects to our 'guest' WiFi network they fill out the portal 
registration form
with their name and e-mail address as normal.
After the PF 6.0.1 server has sent them an activation E-Mail it moves the 
device off of the registration
VLAN onto the production VLAN. I presume it is using the RADIUS-CoA protocol to 
send a CoA request
to the Cisco WLC which seems to drop the device off of the 'Guest' SSID briefly.

Windows PCs and laptops and the like seem to behave properly in that they 
simply obtain a new (and correct) IP address, but iPhones just fall off the 
SSID and home onto the next available WiFi they can and never return to the 
production network.
The user then gets confused because they have been dumped onto a WiFi SSID that 
has no internet access and keeps trying to register.

Is this something to do with the iPhone's 'Captive Portal Detection' mechanism, 
and how can I avoid this behaviour?

Regards

Andrew


[PacketFence-users] Centos 6.7 shutting down itself after install snort

2016-05-24 Thread TOURE Amidou Florian
Hi all, I have a problem on my PacketFence 6.0.0. After installing snort and 
nessus, my CentOS 6.7 machine shuts down after a few minutes. I have looked in 
the logs but found nothing. Can someone help me? Thanks 

Sent from Yahoo Mail for Android