Re: [PacketFence-users] problem with source definition

2017-01-16 Thread Antoine Amacher

Hello Denis,

Make sure your ad-blocker (if you have one) is disabled for the PF admin 
interface; it may sometimes create weird interactions and, for instance, not 
allow you to access a source to edit.


What does logs/httpd.admin.log tell you when the error appears?

Thanks


On 01/16/2017 11:38 AM, denis wrote:


Hello,

With PF 6.4, I have a problem with the sources configuration:

- The first time a source is configured, a rule can be added and 
everything is ok.


- When a second rule is added to this source and the "save" button is 
clicked, an error is displayed: "*Error!* The authentication source 
was not found"


Removing the rule or the source doesn't solve the problem; in fact the 
whole interface seems to be dead, and the only way to recover is to 
restart the services.


Here is an example of my conf file:

[se3]
description=test
port=389
stripped_user_name=yes
type=LDAP
connection_timeout=5
basedn=ou=People,dc=xxx,dc=org
email_attribute=mail
scope=sub
dynamic_routing_module=AuthModule
binddn=cn=,dc=xxx,dc=org
password=
host=172.x.x.x
usernameattribute=uid
encryption=none

[se3 rule eleve]
description=dd
class=authentication
match=any
action0=set_role=mobiles_eleves
action1=set_access_duration=12h
condition0=uid,is member of,cn=eleves,ou=groups,dc=xxx,dc=org

[se3 rule profs]
description=p
class=authentication
match=any
action0=set_role=mobiles_profs
action1=set_access_duration=12h
condition0=uid,is member of,cn=profs,ou=Groups,dc=xxx,dc=org

The same rules were working perfectly with PF 4.6.

Denis




--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] PF on Ubiquity AP

2017-01-16 Thread Sallee, Jake
Your setup intrigues me.

It may be possible to do what you want using existing features in PF.

This is just a thought and I have not tested it, but it may at least point you 
in the right direction.

From your description you have 2 portals with different auth sources, right?

In auth source "A" assign a role like "Reg-A" and in the other something like 
"Reg-B".

Then write a vlan filter that checks for the role and matches it to the current 
portal (owner.portal?). If it matches all is good; if not then you set the 
action to de-register and proceed as normal.  If you can't check for the 
portal, you could try checking against the switch group(?).

If I understand your requirement correctly something like that SHOULD work.  A 
side effect will be that ANY TIME a user roams between portals they will have 
to re-register the device. 

I hope that helps.

Also, if you haven't already, you can reach out to Inverse for this kind of 
custom stuff and they can get you fixed up in no time.  They are also able to 
do custom development for a very fair price.

I seriously suggest having Inverse professional support; it has saved my bacon 
a few times when I have made a fat-fingered mistake.

I'm really curious if this will work, I may lab it out on my own ... if you do 
get it working let me know.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: viny 
Sent: Friday, January 13, 2017 4:01 PM
To: packetfence-users@lists.sourceforge.net
Cc: radius@gmail.com
Subject: Re: [PacketFence-users] PF on Ubiquity AP

In principle, in the hospital where I work, what we wanted was to use
PacketFence to manage both of our wireless networks, as I reported
here: https://sourceforge.net/p/packetfence/mailman/message/35511813/

> Unless you configure PacketFence otherwise [...]

We would like to configure PacketFence so that it automatically
unregisters any node that leaves a first network and enters a second
one, showing that node the second network's captive portal so it must
register again to use the second network. But we don't know how to
achieve that. Do you have any idea on how to do it?

If you could shed some light on that problem, we would be very
thankful. We could shut down pfSense and use only PacketFence.

Let me explain our setup.

In our first experiment with PacketFence, we have set up its interfaces
this way:

- eth0: Management
- eth0 VLAN ID 500: Inline Layer 2, IP address 10.100.32.1/20
- eth0 VLAN ID 600: Inline Layer 2, IP address 10.100.64.1/20

And we have set up Ubiquiti APs to serve two wireless networks:

(1) SSID Corporative Wi-Fi: VLAN ID 500
(2) SSID Patients Wi-Fi: VLAN ID 600

Following the Administration Guide, in PacketFence:

- We have created two user roles: (1) Employee and (2) Patient
- We have added two authentication sources: (1) Active Directory with a
rule so that Role = Employee and (2) external HTTP API with a rule so
that Role = Patient
- We have created two portal profiles: (1) Employee, with a filter
Network = 10.100.32.0/20 and Source = Active Directory and (2) Patient
with a filter Network = 10.100.64.0/20 and Source = external HTTP API

So, what happens? (let me retype the relevant portion of my first
email)

> We have noticed that if we connect to the Corporative Wi-Fi and
authenticate through the captive portal, then disconnect and connect
to the Patients Wi-Fi, its captive portal is not shown and access to
that second network is granted. In the end, the device is shown on the
Nodes table with an IP Address from the Patients network, but Role =
Corporative.
> 
> Enabling the option Reauthenticate node (Should have to reauthenticate
the node if vlan change) in Configuration > Main > Inline did not
help.
> 
> Is there any way we could enforce reauthentication if the user exits
one network and enters another?

Thank you in advance!


Antonio


On Fri, 2017-01-13 at 14:53 -0500, Derek Wuelfrath wrote:
> > As we realized a bug on PacketFence that if we logged in one
> > network
> > then switched to the other the captive portal was not shown and
> > access
> > was automatically granted, now we have PacketFence managing only
> > one of
> > those networks and we came back to pfSense (the other server we
> > used to
> > present a captive portal to our Wi-Fi users) to manage the other
> > one.
>
> Just as a side information, what you call a “bug” is actually the
> normal workflow.
> If the device you logged with is registered in PacketFence and you
> changed connection from one network to another, the device will still
> be registered in PacketFence and it will be granted access.
> Unless you configure PacketFence otherwise, there is no “automatic
> unregistration of a device” if you connect to a different SSID.
> Device registrations (the process which shows the portal) are
> “global” and 

[PacketFence-users] problem with source definition

2017-01-16 Thread denis

Hello,

With PF 6.4, I have a problem with the sources configuration:

- The first time a source is configured, a rule can be added and 
everything is ok.


- When a second rule is added to this source and the "save" button is clicked, 
an error is displayed: "*Error!* The authentication source was not found"


Removing the rule or the source doesn't solve the problem; in fact the 
whole interface seems to be dead, and the only way to recover is to 
restart the services.


Here is an example of my conf file:

[se3]
description=test
port=389
stripped_user_name=yes
type=LDAP
connection_timeout=5
basedn=ou=People,dc=xxx,dc=org
email_attribute=mail
scope=sub
dynamic_routing_module=AuthModule
binddn=cn=,dc=xxx,dc=org
password=
host=172.x.x.x
usernameattribute=uid
encryption=none

[se3 rule eleve]
description=dd
class=authentication
match=any
action0=set_role=mobiles_eleves
action1=set_access_duration=12h
condition0=uid,is member of,cn=eleves,ou=groups,dc=xxx,dc=org

[se3 rule profs]
description=p
class=authentication
match=any
action0=set_role=mobiles_profs
action1=set_access_duration=12h
condition0=uid,is member of,cn=profs,ou=Groups,dc=xxx,dc=org

The same rules were working perfectly with PF 4.6.

Denis
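As an added example (not code from this thread or from PacketFence), a small Python linter for authentication.conf fragments shaped like the one above: it checks that every "<source> rule <name>" section points at a defined source, that actionN / conditionN values have the expected shape, and it flags an LDAP source configured with encryption=none. The sample config, the section-naming convention and the checks are assumptions modelled on the posted file, not PacketFence's own validation.

```python
"""Lint a PacketFence authentication.conf fragment (added example; not PacketFence's own validator)."""
import configparser
import re

# Constructed sample modelled on the posted config; dc=xxx and 172.x.x.x are placeholders.
SAMPLE = """[se3]
type=LDAP
host=172.x.x.x
encryption=none
[se3 rule eleve]
class=authentication
match=any
action0=set_role=mobiles_eleves
action1=set_access_duration=12h
condition0=uid,is member of,cn=eleves,ou=groups,dc=xxx,dc=org
[orphan rule x]
class=authentication
match=any
action0=set_role=guest
"""

RULE_RE = re.compile(r"^(?P<source>\S+) rule (?P<name>\S+)$")  # "<source id> rule <rule name>"

def lint(text):
    """Return findings: dangling rule->source references, malformed rules, cleartext LDAP binds."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))  # values contain '='
    cp.read_string(text)
    sources = {s for s in cp.sections() if not RULE_RE.match(s)}
    findings = []
    for section in cp.sections():
        items = dict(cp.items(section))
        m = RULE_RE.match(section)
        if not m:
            # A simple bind with encryption=none puts the bind password on the wire in clear.
            if items.get("type", "").upper() == "LDAP" and items.get("encryption") == "none":
                findings.append(f"[{section}]: LDAP source with encryption=none (cleartext bind)")
            continue
        if m.group("source") not in sources:
            findings.append(f"[{section}]: refers to undefined source '{m.group('source')}'")
        for key in ("class", "match"):
            if key not in items:
                findings.append(f"[{section}]: missing '{key}'")
        for k in (k for k in items if k.startswith("action")):  # action0=set_role=<role>
            if "=" not in items[k]:
                findings.append(f"[{section}]: {k} must be <action>=<value>")
        for k in (k for k in items if k.startswith("condition")):  # attribute,operator,value
            if items[k].count(",") < 2:
                findings.append(f"[{section}]: {k} must be <attribute>,<operator>,<value>")
    return findings
```

Running `lint(SAMPLE)` reports the cleartext LDAP bind on [se3] and the dangling source reference in [orphan rule x]; the well-formed [se3 rule eleve] produces nothing.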




Re: [PacketFence-users] eap.conf

2017-01-16 Thread Fabrice Durand
Hello Grant,

It's on the supplicant side.

Regards

Fabrice



On 2017-01-16 at 04:07, Grant Hathaway wrote:
>
> Thanks Fabrice, that’s very helpful.
>
>  
>
> How do I disable the certificate check for the time being?
>
>  
>
> Grant Hathaway
> Network and Infrastructure Analyst
>
> Certas Energy UK Limited
> The Switch
> 1-7 The Grove - Slough - SL1 1QP
> Phone : 01753756965 - Mobile : 07920075818 
> grant.hatha...@certasenergy.co.uk
> 
>
>  
>
> *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Thursday, January 12, 2017 4:34 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] eap.conf
>
>  
>
> Hello Grant,
>
>  
>
> On 2017-01-12 at 10:51, Grant Hathaway wrote:
>
> Hi all,
>
>  
>
> I think this is a common issue.
>
> I'm getting the below error in the radius log when I connect a
> Windows 7 client to PacketFence.
>
> /usr/local/pf/logs/radius.log
>
>  
>
>  
>
> There’s obviously a certificate trust issue causing the problem.
> Short term: Can I disable the certificate check for testing purposes?
>
>  
>
> yes
>
> Long term: Is there any information or guides you can provide on
> configuring a self-signed SSL certificate in eap.conf to work with
> our Windows domain joined machines when using a wired connection
> and domain user login?
>
> We have an ADCS root certification authority in place. Is it a case
> of raising a CSR for an Apache website? I've done this once
> previously but my mind has gone blank.
>
> Create a certificate for RADIUS from your AD PKI and install it on PF.
> After that configure your supplicant to verify with the AD certificate.
>
> (You can follow 3.1.7 in
> https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html)
>
> Regards
> Fabrice
>
>
>  
>
> Thanks
>
>  
>
>  
>
> Grant Hathaway
> Network and Infrastructure Analyst
>
> Certas Energy UK Limited
> The Switch
> 1-7 The Grove - Slough - SL1 1QP
> Phone : 01753756965 - Mobile : 07920075818 
> grant.hatha...@certasenergy.co.uk
> 
>
>  
>
>
>
>
> 
> --
>
> Developer Access Program for Intel Xeon Phi Processors
>
> Access to Intel Xeon Phi processor-based developer platforms.
>
> With one year of Intel Parallel Studio XE.
>
> Training and support from Colfax.
>
> Order your platform today. http://sdm.link/xeonphi
>
>
>
>
> ___
>
> PacketFence-users mailing list
>
> PacketFence-users@lists.sourceforge.net
> 
>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> -- 
> Fabrice Durand
> fdur...@inverse.ca  ::  +1.514.447.4918 (x135) ::  
> www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] eap.conf

2017-01-16 Thread Grant Hathaway
Thanks Fabrice, that's very helpful.

How do I disable the certificate check for the time being?


Grant Hathaway
Network and Infrastructure Analyst

Certas Energy UK Limited
The Switch
1-7 The Grove - Slough - SL1 1QP
Phone : 01753756965 - Mobile : 07920075818
grant.hatha...@certasenergy.co.uk

From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Thursday, January 12, 2017 4:34 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] eap.conf


Hello Grant,

On 2017-01-12 at 10:51, Grant Hathaway wrote:
Hi all,

I think this is a common issue.
I'm getting the below error in the radius log when I connect a Windows 7 client 
to PacketFence.
/usr/local/pf/logs/radius.log

[screenshot of the radius.log error, attached as an inline image]

There's obviously a certificate trust issue causing the problem. Short term: 
Can I disable the certificate check for testing purposes?

yes

Long term: Is there any information or guides you can provide on configuring a 
self-signed SSL certificate in eap.conf to work with our Windows domain joined 
machines when using a wired connection and domain user login?
We have an ADCS root certification authority in place. Is it a case of raising a 
CSR for an Apache website? I've done this once previously but my mind has gone 
blank.
Create a certificate for RADIUS from your AD PKI and install it on PF.
After that configure your supplicant to verify with the AD certificate.

(You can follow 3.1.7 in 
https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html)

Regards
Fabrice



Thanks



Grant Hathaway
Network and Infrastructure Analyst

Certas Energy UK Limited
The Switch
1-7 The Grove - Slough - SL1 1QP
Phone : 01753756965 - Mobile : 07920075818
grant.hatha...@certasenergy.co.uk







--

Fabrice Durand

fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
