Re: [PacketFence-users] packetfence and cisco switches

2016-12-14 Thread Tim DeNike
Use RADIUS. Way better!

Sent from my iPhone

On Dec 14, 2016, at 4:03 PM, Tobias Friede wrote:

Hi,

I think that's not possible because Port Security creates a static entry in
the Mac Table of the switch.
That's how port security is working ;)

You could enable aging. That means if the client is inactive, the mac
address is removed from the switch port (after a specific time)

=> http://packetlife.net/blog/2010/may/3/port-security/


Greetings
Tobias


2016-12-14 19:57 GMT+01:00 Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov>:

> Packetfence users,
>
> We are using PF 5.0.2 and have a variety of Cisco switches in place.
>
> We have the access ports (vs trunk ports) configured with “sticky mac”
> addresses, and find (we per documentation) that when we make any changes to
> the switch config and save those changes “write memory” that the dynamic
> addresses of the end point devices get written into the switch boot config
> file.
>
> Typical changes we’d want to save are things like adding vlans to the
> trunk, adding a port description for a special end point device, adding a
> new vlan to the switch, etc.
>
> The problem we are seeing is that if a device (typical PC or printer) is
> moved to another port on the switch, then the MAC address of the device
> which is “dynamic” on the port, conflicts with the now static address on
> the old port.
>
> I am going to see if configuring a test switch with “dynamic secure”
> rather than “sticky secure”, I think just a matter of unsetting “sticky”
> for the interface.
>
> Does anyone have any experience with this?
>
> How do you prevent the learned MAC addresses from getting written into the
> config file?
>
> Thank you,
>
> Brian
>
>
>
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


Re: [PacketFence-users] packetfence and cisco switches

2016-12-14 Thread Tobias Friede
Hi,

I think that's not possible because Port Security creates a static entry in
the Mac Table of the switch.
That's how port security is working ;)

You could enable aging. That means if the client is inactive, the mac
address is removed from the switch port (after a specific time)

=> http://packetlife.net/blog/2010/may/3/port-security/


Greetings
Tobias


2016-12-14 19:57 GMT+01:00 Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov>:

> Packetfence users,
>
> We are using PF 5.0.2 and have a variety of Cisco switches in place.
>
> We have the access ports (vs trunk ports) configured with “sticky mac”
> addresses, and find (we per documentation) that when we make any changes to
> the switch config and save those changes “write memory” that the dynamic
> addresses of the end point devices get written into the switch boot config
> file.
>
> Typical changes we’d want to save are things like adding vlans to the
> trunk, adding a port description for a special end point device, adding a
> new vlan to the switch, etc.
>
> The problem we are seeing is that if a device (typical PC or printer) is
> moved to another port on the switch, then the MAC address of the device
> which is “dynamic” on the port, conflicts with the now static address on
> the old port.
>
> I am going to see if configuring a test switch with “dynamic secure”
> rather than “sticky secure”, I think just a matter of unsetting “sticky”
> for the interface.
>
> Does anyone have any experience with this?
>
> How do you prevent the learned MAC addresses from getting written into the
> config file?
>
> Thank you,
>
> Brian
>
>
>
> 


Re: [PacketFence-users] Please verify the provided MAC address

2016-12-14 Thread Antoine Amacher
Hello Morgan,

The way this works is that you usually provide the MAC vendor in the OUI
file. For instance, if you want to allow Xbox to register, add the following
list inside conf/allowed_device_oui.txt:

00:12:5A  # Microsoft-Xbox
00:0D:3A  # Microsoft-Xbox
00:50:F2  # Microsoft-Xbox
00:17:FA  # Microsoft-Xbox
00:1D:D8  # Microsoft-Xbox
00:22:48  # Microsoft-Xbox

Examples are available in conf/allowed_device_oui.txt.example

As long as the first 6 digits of the MAC you are trying to register are 
in the file, then the device will be able to register via the 
device-registration page.

Let us know if that helps.

Thanks

On 12/08/2016 12:08 PM, Morgan, Joel P. wrote:
> It looks like blanking the file /usr/local/pf/conf/allowed_device_oui.txt 
> doesn't allow any MAC to register. Renaming the file allows any MAC to 
> register.
>
> -Original Message-
> From: Morgan, Joel P.
> Sent: Thursday, December 8, 2016 10:01 AM
> To: 'packetfence-users@lists.sourceforge.net' 
> 
> Subject: Please verify the provided MAC address
>
> I'm using PF version 6.2.1 on CentOS 6.8.
>
> When manually registering a device using the device-registration URL I get an 
> error when I submit the MAC address.
>
> "Please verify the provided MAC address."
>
> A tail of packetfence.log gives the following output.
>
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:0] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:0] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
>
> The file /usr/local/pf/conf/allowed_device_oui.txt is empty.
>
> Does anyone have any suggestions for fixing this?
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
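
The prefix check described in this thread, as an added Python example; it is not PacketFence's own code. It assumes the file format shown in the reply above, and takes the missing-file (any MAC registers) and empty-file (no MAC registers) behaviour from the report quoted in the thread. The sample file contents and test MACs are constructed.

```python
import re

# Constructed sample in the format shown in the reply above.
SAMPLE_OUI_FILE = """\
00:12:5A  # Microsoft-Xbox
00:0D:3A  # Microsoft-Xbox

# a comment-only line is ignored
"""

def _hex_digits(value, length):
    """Strip ':', '-' and '.' separators; return upper-case hex of the given length or None."""
    digits = re.sub(r"[:.\-]", "", value.strip())
    return digits.upper() if re.fullmatch(r"[0-9A-Fa-f]{%d}" % length, digits) else None

def load_allowed_ouis(text):
    """Parse allowed_device_oui.txt-style text into a set of 6-hex-digit prefixes."""
    ouis = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0]          # drop the trailing vendor comment
        oui = _hex_digits(entry, 6)
        if oui:
            ouis.add(oui)
    return ouis

def may_register(mac, oui_text):
    """oui_text is the file's contents, or None when the file does not exist.

    Assumption taken from the thread: no file means no restriction,
    while an empty file matches nothing.
    """
    norm = _hex_digits(mac, 12)
    if norm is None:
        return False                           # not a well-formed MAC address
    if oui_text is None:
        return True
    return norm[:6] in load_allowed_ouis(oui_text)

if __name__ == "__main__":
    for mac in ("00:12:5a:11:22:33", "aa:bb:cc:00:00:01"):
        print(mac, may_register(mac, SAMPLE_OUI_FILE))
```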




[PacketFence-users] packetfence and cisco switches

2016-12-14 Thread Cuttler, Brian R (HEALTH)
Packetfence users,

We are using PF 5.0.2 and have a variety of Cisco switches in place.

We have the access ports (vs trunk ports) configured with "sticky mac" 
addresses, and find (we per documentation) that when we make any changes to the 
switch config and save those changes "write memory" that the dynamic addresses 
of the end point devices get written into the switch boot config file.

Typical changes we'd want to save are things like adding vlans to the trunk, 
adding a port description for a special end point device, adding a new vlan to 
the switch, etc.

The problem we are seeing is that if a device (typical PC or printer) is moved 
to another port on the switch, then the MAC address of the device which is 
"dynamic" on the port, conflicts with the now static address on the old port.

I am going to see if configuring a test switch with "dynamic secure" rather 
than "sticky secure", I think just a matter of unsetting "sticky" for the 
interface.

Does anyone have any experience with this?

How do you prevent the learned MAC addresses from getting written into the 
config file?

Thank you,

Brian
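
The situation described above (sticky-learned MACs ending up in the saved config after "write memory"), as an added example that is not part of the original post or of PacketFence: a small Python audit of a saved IOS config that lists which ports have learned MACs pinned to them and whether port-security aging is configured. The sample config, interface names and MAC address are constructed.

```python
import re

# Constructed sample of a saved Cisco IOS config (interfaces and MAC are made up).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
interface GigabitEthernet0/3
 switchport mode trunk
"""

SAVED_STICKY = re.compile(
    r"switchport port-security mac-address sticky ([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})", re.I)

def audit_port_security(config_text):
    """Map each port-security interface to its sticky/aging settings and saved MACs."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"enabled": False, "sticky": False, "aging": False, "saved_macs": []}
        elif current is None or not raw.startswith(" "):
            current = None                      # outside any interface block
        elif line == "switchport port-security":
            ports[current]["enabled"] = True
        elif line == "switchport port-security mac-address sticky":
            ports[current]["sticky"] = True     # sticky learning is switched on
        elif line.startswith("switchport port-security aging "):
            ports[current]["aging"] = True
        elif (m := SAVED_STICKY.match(line)):
            ports[current]["saved_macs"].append(m.group(1).lower())
    return {name: p for name, p in ports.items() if p["enabled"]}

def pinned_macs(report):
    """List (interface, mac) pairs that the saved config binds to a port."""
    return [(name, mac) for name, p in sorted(report.items()) for mac in p["saved_macs"]]

if __name__ == "__main__":
    print(pinned_macs(audit_port_security(SAMPLE_CONFIG)))
```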




Re: [PacketFence-users] Adding roles from CLI

2016-12-14 Thread Antoine Amacher

Hello Bob,

The roles are not stored in a config file; they are stored in the DB in
the table "node_category".


So you would need to add some SQL queries to add a new role.

Thanks


On 12/13/2016 11:29 AM, B McLellan wrote:

Hi,

I've been looking at creating a script to deploy multiple PacketFence 
instances. I have pretty much everything in place now there's just one 
thing that is still puzzling me.
Is there a way to create 'roles' from the CLI using pfcmd? In which
config files are the roles stored?


I can only see references to the roles which have associated rules in 
the authentication.conf file.


Any hints gratefully received.

;)




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] How to create own billing source?

2016-12-14 Thread Antoine Amacher
Hello Rolando,

Documentation about the billing source is available here, 
https://packetfence.org/doc/PacketFence_Administration_Guide.html#_billing_engine

There are examples on how to configure a PayPal, Stripe and 
Authorize.net source.

Thanks


On 12/14/2016 01:50 AM, Rolando Palencia wrote:
> Hi,
>
> How to create own billing source?
>
> Regards,
> 
> Rolando
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




[PacketFence-users] packetfence dhcp violations

2016-12-14 Thread Cuttler, Brian R (HEALTH)
Packetfence users,

We are running PF 5.0.2 and use the ISC dhcp server on a linux platform.

We are seeing that some of our (really really old) Jetdirect printers, while
being identified as jetdirect printers are also tripping our violation rule for
"non-compliant OS" and being put into our non-compliant vlan rather than
dropping into the default_vlan as the rest of our printers do, as we want them
to do.

Is there a way to put the MAC on a white list or have its MAC identified so
that it is assigned the correct vlan rather than falling into the trap and
being assigned to the other vlan?

Thanks in advance,

Brian




[PacketFence-users] How to create own billing source?

2016-12-14 Thread Rolando Palencia
Hi,

How to create own billing source?

Regards,

Rolando



[PacketFence-users] PF and Juniper SRX SSO

2016-12-14 Thread Tomasz Karczewski
Hi,

 

Do you know how to integrate Juniper SRX with PacketFence in SSO?

Has anyone tried to do this?

BR

Tomasz Karczewski


