Re: [PacketFence-users] Traffic logging of authenticated users

2016-08-05 Thread Fabrice Durand

For your info:

https://github.com/inverse-inc/packetfence/compare/feature/pmacct-integration?expand=1


On 2016-08-04 at 17:22, Farzan Doroodgar wrote:
Thanks for your detailed and full of information reply. I am currently 
evaluating PMACCT and I will post the results here as soon as I get a 
clear understanding of it.


On Thu, Jul 28, 2016 at 2:22 AM, Damiano Verzulli wrote:



On 27/07/2016 20:53, Farzan Doroodgar wrote:
> You are right, after investigating a lot on this I must admit that it
> is not a simple thing to do. [...]

In my opinion, one of the best options you have to gather the information
you need is "pmacct": http://pmacct.net/

You could employ PMACCT as both a Netflow PROBE and COLLECTOR, running
exactly on the very same PF box. In such a way, PMACCT can record all the
FLOWS of IP traffic (IPv4 and IPv6), collecting traffic statistics (bytes
and packets) in both directions (inbound/outbound) and associating such
flows to IP (src and dst), MAC (src and dst) and port (src and dst)... and
other things (if needed).

You're also free to:
- configure PMACCT so to store flow data directly in MySQL;
- configure some script to store data in a TXT file for your own batch
post-processing.

Unfortunately there's no simple way to keep track of authenticated users
associated to a "flow": that's way too much for a "standard"
netfilter/iptables installation (BTW: netfilter _CAN_ be set up with rules
dealing with "users" but... such "users" are, actually, the UID of a process
running on the system. As PF in inline mode simply acts as a
firewall/router --basically, working [routing/firewalling] as "root"--,
it simply cannot be done).

Anyway, once you have MAC and IP inside your flows, and once you have a
time-reference for such a flow, then it's relatively easy to check the PF LOG
to see which user was using what IP at such a time.

Also, if you collect "flows" at your "internal" network side, then
you'll have no problem with NAT-translations, as you'll record "internal"
IPs.

As for PMACCT, as I've described here:
http://serverfault.com/questions/652168/monitor-network-traffic-usage-by-port
"just to give you some real numbers, I've successfully used PMACCT on
a server with a XEON X3350; 4GB of RAM; 4 Broadcom GigaEth interfaces;
nearly 70 VLANs configured on eth0 and pmacct listening on all of them;
+/- 300GB of various IP traffic routed on a daily basis; PMACCT
generating accounting EVERY_MINUTE, for EVERY_VLAN, for EVERY tuple
(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port); +/- 60.000.000
accounting records per day. All of this, without any issue (but writing
on text-files, not in MySQL). In smaller environments, anyway, there are
no problems in writing directly to MySQL"


As for NAT-translation and the related need to keep track of them, another
approach (an alternative to PMACCT) is described here:
https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/
However, I've not tested it but it looks interesting.



> I need to create a new daemon monitoring NATed traffic and do
> accounting per IP/MAC, store the results in a db and join it with
> internal packetfence logs to retrieve the username.

1) unless you're a "kernel-hacker"... I kindly suggest you to...
carefully evaluate such an option as... it's... really hard (in my
opinion);

2) basically, what you described is very in-line with PMACCT structure
(...and, believe me, despite the fact that it's not a well-known product,
PMACCT is really rock-solid!)


> Regarding TLS [...]

As for SSL/TLS/Encryption, obviously such traffic is not accounted in
any way, but please consider that if you rely on "flow-like"
technologies/approaches, then your traffic-analysis tools will _NOT_
check the payload of IP packets traveling all along the FLOW-PROBE, as the
"probe" will consider "only" header fields. This is way-much in-line with
"privacy" laws/requirements (BTW: IANAL) with respect to, for example,
HTTP proxies!

That's all. HTH.

Bye,
DV

P.S.: should something not be clear, please, don't hesitate to ask for
details.

--
Damiano Verzulli
e-mail: dami...@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less 
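
Damiano's attribution approach (flows carry MAC, IP and a time reference; the PF log says who held which IP when), written out as an added example that is not part of this thread, of pmacct or of PacketFence: the pmacct column names, the PacketFence-style iplog/node records and the pids `pbargewell` and `brian` are constructed assumptions.

```python
import csv
import io
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"

# Constructed pmacct-style CSV output (header names are an assumption, not pmacct's
# exact ones): one record per (src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port).
PMACCT_CSV = """TIMESTAMP_START,SRC_MAC,DST_MAC,SRC_IP,DST_IP,SRC_PORT,DST_PORT,PACKETS,BYTES
2016-08-04 17:05:10,c4:9a:02:0f:5e:f7,00:11:22:33:44:55,10.255.12.17,203.0.113.10,51234,443,120,98000
2016-08-04 17:40:00,5c:8d:4e:47:cd:e0,00:11:22:33:44:55,10.255.12.18,203.0.113.53,53412,53,2,200
2016-08-04 17:50:00,aa:bb:cc:dd:ee:ff,00:11:22:33:44:55,10.255.12.17,203.0.113.10,51300,443,10,4000
2016-08-04 18:10:00,c4:9a:02:0f:5e:f7,00:11:22:33:44:55,10.255.12.17,203.0.113.10,51301,443,5,1500
"""

# Constructed PacketFence-style records: (mac, ip, lease start, lease end or None if
# still current), and the pid (owner) each registered MAC belongs to.
IPLOG = [
    ("c4:9a:02:0f:5e:f7", "10.255.12.17", "2016-08-04 16:00:00", "2016-08-04 18:00:00"),
    ("5c:8d:4e:47:cd:e0", "10.255.12.18", "2016-08-04 17:30:00", None),
]
NODES = {"c4:9a:02:0f:5e:f7": "pbargewell", "5c:8d:4e:47:cd:e0": "brian"}

def mac_for_ip_at(ip, when, iplog=IPLOG):
    """MAC that PacketFence recorded for `ip` at datetime `when`, or None."""
    for mac, lip, start, end in iplog:
        if lip != ip or when < datetime.strptime(start, TS):
            continue
        if end is None or when <= datetime.strptime(end, TS):
            return mac
    return None

def attribute_flows(pmacct_csv=PMACCT_CSV, iplog=IPLOG, nodes=NODES):
    """Join each flow to a username via (src_ip, start time) -> MAC -> pid.
    The flow's own src_mac is cross-checked against the PF record: a flow from an IP
    carrying an unexpected MAC (stale lease, spoofing) is flagged rather than being
    silently billed to whoever PacketFence last saw on that IP."""
    results = []
    for row in csv.DictReader(io.StringIO(pmacct_csv)):
        when = datetime.strptime(row["TIMESTAMP_START"], TS)
        pf_mac = mac_for_ip_at(row["SRC_IP"], when, iplog)
        if pf_mac is None:
            status, user = "no-iplog-entry", None      # lease expired or never logged
        elif pf_mac != row["SRC_MAC"].lower():
            status, user = "mac-mismatch", None        # IP seen with a different MAC
        else:
            status, user = "ok", nodes.get(pf_mac)
        results.append({"src_ip": row["SRC_IP"], "bytes": int(row["BYTES"]),
                        "user": user, "status": status})
    return results
```

Flagged flows are deliberately left unattributed so that per-user byte totals only sum records where the IP, MAC and time all agree.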

Re: [PacketFence-users] Computer was not found in PacketFence database - Smartphones NOT PROTECTIVELY MARKED

2016-08-05 Thread Fabrice Durand

Hello Paul,


When the device is registered, what is its IP address? Is it an IP address
from the prod VLAN?



Regards

Fabrice



On 2016-08-04 at 09:42, Bargewell Paul wrote:

  NOT PROTECTIVELY MARKED
===

I've spent a long week setting up PacketFence in our environment. Was quite a 
challenge to get everything working together. We have Avaya VoIP phones, 
AeroHive Wi-Fi and Extreme switches and finally they all work as they should do.

The last hurdle just seems to be with Android devices connecting into Wi-Fi.

Our setup uses the PF RADIUS for MAC authentication. This drops devices into 
either a PFRegistration or GUEST vlan depending if they've registered 
successfully.

If the device is a domain PC or laptop then by using realms it gets 
picked up as either domain\user or host/machine and the PF RADIUS proxies the 
auth onto our MS NPS.

I expected the Android device to act like any other MAC level device and simply 
register through the portal and off it goes. Well it does register on the 
portal perfectly well. It appears in the PF Nodes as unregistered with a mac 
address, name, owner and IP address eg.

c4:9a:02:0f:5e:f7   android-e94a9330245d1dfd   default   10.255.12.17   Smartphones/PDAs/Tablets

But on the Android device when it finishes the registration process it comes up 
with a red warning:

"Your computer was not found in the PacketFence Database. Please reboot to solve 
this issue."

The IP is populated in the footer but the MAC shows as 0.

I've now just repeated this with a fruit-based device and it seems to have a similar 
affliction. It got through the registration process, sent the sponsor an email, got 
authorised. It didn't update the database that it was registered and the owner is down as 
"default".

5c:8d:4e:47:cd:e0   Brians-iPhone   default   10.255.12.18   Smartphones/PDAs/Tablets

On the fruit browser it constantly gets redirected back to the registration 
page.

Am I missing a step with the configuration of Smartphones?

--
TIA
Paul


--


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



[PacketFence-users] Different weight for traffic to different destinations

2016-08-05 Thread info
Hi dear PacketFence users and developers,
I have a small WISP with few users
and a local file server available for users to download from.
I want to sell traffic on the local server at about a quarter of the price of 
internet traffic.
With my current configuration (without PacketFence) it's not possible,
but I hope to do this with PacketFence.
For more detail, my authentication method is PPPoE.
If possible please give me a link to the needed documentation.
Best regards.



Re: [PacketFence-users] authentication on portal captive trough LDAP

2016-08-05 Thread Oumy Coulibaly
Hello Fabrice,
even in the node tab there is no information about users; maybe I missed
some config.

2016-08-04 12:53 GMT+00:00 Fabrice Durand:

> Hello Oumy,
>
> the information for the device is in node tab, not in audit tab.
>
> Regards
>
> Fabrice
>
>
>
> On 2016-08-04 at 03:39, Oumy Coulibaly wrote:
>
> Actually, while users attempt to connect to the network through wifi,
> they give a username and password; if that matches a user in the LDAP they
> get access to the network, and if not they don't get access. Up to this
> point everything works well. The problem is that all those events should be
> visible through the web administration of packetfence under the auditing section,
> where I should be able to see registered users, their mac address, ip address...
> right? But for me there is nothing, so even if a user was authenticated by
> pf I can't see any information about that user such as mac address or ip
> address, registered date. I want to know where this problem comes
> from.
>
> Sorry for the length of this message; I just wanted to explain as well as
> I can.
>
> Best regards
> OUMY
>
> 2016-08-03 12:56 GMT+00:00 Oumy Coulibaly:
>
>> Hello Fabrice,
>> yes, that was it, I fixed it now. But I can't get the access log; I mean the
>> auditing interface of the web admin is empty. Any idea of where the
>> problem can come from?
>>
>
>
> --
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>


Re: [PacketFence-users] Computer was not found in PacketFence database - Smartphones NOT PROTECTIVELY MARKED

2016-08-05 Thread Bargewell Paul
 NOT PROTECTIVELY MARKED
===

Just some more info on this.

Aug 05 08:06:45 httpd.portal(18437) INFO: [mac:0] Updating node user_agent with useragent: 'LG-D855 Mozilla/5.0 (Linux; Android 6.0; LG-D855 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36' (captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Aug 05 08:06:45 httpd.portal(18431) INFO: [mac:0] Updating node user_agent with useragent: 'LG-D855 Mozilla/5.0 (Linux; Android 6.0; LG-D855 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36' (captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Aug 05 08:06:45 httpd.portal(18431) INFO: [mac:0] database query failed with: Duplicate entry '0' for key 'PRIMARY' (errno: 1062) (pf::db::db_query_execute)
Aug 05 08:06:45 httpd.portal(18437) INFO: [mac:0] database query failed with: Duplicate entry '0' for key 'PRIMARY' (errno: 1062) (pf::db::db_query_execute)
Aug 05 08:06:45 httpd.portal(18431) INFO: [mac:0] Static User-Agent lookup data initialized (pf::useragent::_init)

So I'm not quite sure what it's looking for. But it already has a MAC address 
of 0 in the database :(

I've read other posts where it suggests setting up OMAPI. Which I already have 
done. But I don't see any activity in the log files relating to it trying to do 
a lookup using it.

--
Regards

Paul Bargewell


