[PacketFence-users] rules in vlan_filters.conf will only change role if device is NOT auto-registered, and auto-registration rules in vlan_filters.conf will only register a node as 'default' role desp

2017-02-15 Thread Gary Stansbury
Hello all,  Inverse folks,  6.5 is really looking good, well done as
usual!  I have noted the following on both PF5.4 and 6.5 and would like
some help determining how to accomplish the mission:

I am using the following filters and rules in
/usr/local/pf/conf/vlan_filters.conf:


[WirelessEAP]
filter = connection_type
operator = is
value = Wireless-802.11-EAP

[machineauth]
filter = user_name
operator = match
value = host/

[notempl]
filter=node_info.category
operator=is_not
value=employee

[notreg]
filter=node_info.status
operator=is_not
value=reg

[byod]
filter=ssid
operator=is
value=TCSS-BYOD

[chromebook]
filter=user_name
operator=is
value=chromebook

[notchromebook]
filter=user_name
operator=is_not
value=chromebook

[byod99]
filter=ssid
operator=is
value=TCSS-BYOD-Test99

[update:chromebook]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee

[update2:WirelessEAP]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee

###Machine Auth Autoregister (for onboarding new domain-joined pc) ###

[1:WirelessEAP]
scope = AutoRegister
role = employee

[2:WirelessEAP]
scope = NodeInfoForAutoReg
role = employee

###Autoregister BYOD as guest###

[autoreg:notempl]
scope=AutoRegister
role=guest

[autoreg:notempl]
scope=AutoRegister
role=guest

###Autoreg Chromebook as employee (for onboarding chromebooks)###
[autoreg:notempl]
scope=RegisteredRole
role=employee

[autoreg:chromebook]
scope=AutoRegister
role=employee

[autoreg:chromebook]
scope=NodeInfoForAutoReg
role=employee

###Catchall to force all to guest by default###

[auth:notempl]
scope=RegisteredRole
role=guest

[auth:notempl]
scope=RegisteredRole
role=guest

So far so good: devices are being auto-registered if they are
machine-auth'd or if they are authenticated as user "Chromebook".  The first
problem, however, is that they are all being auto-registered with the DEFAULT
role of "guest", despite my rule specifying role=employee:

###Machine Auth Autoregister (for onboarding new domain-joined pc) ###

[1:WirelessEAP]
scope = AutoRegister
role = employee

[2:WirelessEAP]
scope = NodeInfoForAutoReg
role = employee

###Autoreg Chromebook as employee (for onboarding chromebooks)###
[autoreg:notempl]
scope=RegisteredRole
role=employee

[autoreg:chromebook]
scope=AutoRegister
role=employee

[autoreg:chromebook]
scope=NodeInfoForAutoReg
role=employee

Which led me to the next problem when I started trying to work around this
pitfall using some update rules.  If the device is auto-registered, the
following update rules will *not* take effect (although packetfence.log
does mention that the authentication request matches the update rule):

[update:chromebook]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee

[update2:WirelessEAP]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee

Interesting part though!!  If I manually update the nodes table and remove
the auto-registration parts for this node:

mysql> update node set autoreg='no',notes='' where mac like '%0d:c1';
Query OK, 1 row affected (0.11 sec)
Rows matched: 1  Changed: 1  Warnings: 0


then re-auth the device, the rule *DOES* take effect and the record is
updated in the nodes table to have category_id 4, which is our "employee"
role.

As I mentioned, I'm running into this problem in both PF 5.4 and in the
latest and greatest 6.5.  Can you guys have a look and see if you can
duplicate the issue, and if so let me know the easiest way to fix it?
Having this auto-registration working properly would ease our current
onboarding process for new devices tremendously.

Thanks,


-- 
Gary Stansbury
Network Engineer
Troup County Board of Education, LaGrange, GA
706-594-3928
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] rules in vlan_filters.conf will only change role if device is NOT auto-registered, and auto-registration rules in vlan_filters.conf will only register a node as 'default' role

2017-02-15 Thread Gary Stansbury
As a further update to this issue, adding in another filter and rule like
these:

[autoreg]
filter=node_info.autoreg
operator=is
value=yes

[u1:WirelessEAP]
scope=RegisteredRole
role=Employee
action=modify_node
action_param=mac=$mac,autoreg=no,notes=


actually (sort of, over time) resolves the situation: on the first auth a new
device gets auto-registered to the default role, on the second auth it hits this
new rule, which clears the 'notes' field and sets 'autoreg' to 'no', and finally
on the third auth it hits the following rule and SUCCESSFULLY changes the
category_id to 4, which is our 'employee' vlan:

[update2:WirelessEAP]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee


Kind of kludgy, but useful for demonstrating the logic error at play.
Please advise!

Thanks,

Gary
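
The vlan_filters.conf quoted above defines [autoreg:notempl] three times (once with scope=AutoRegister, once with scope=RegisteredRole) and [auth:notempl] twice. The thread does not establish whether PacketFence merges, overrides or ignores duplicate section names, so a pre-flight check that reports them before a reload is cheap insurance. The linter below is an added Python example, not PacketFence code; the configuration text inside it is a shortened excerpt constructed from the one posted above, and the handling of & and | in rule conditions follows PacketFence's documented rule syntax.

```python
"""Pre-flight linter for a PacketFence vlan_filters.conf fragment (added
example, not PacketFence code). Each [name] section is a filter (filter/
operator/value keys) or a rule ([id:condition] with scope/role and optional
action keys). A plain INI reader merges or overrides duplicate section names
silently; this reports them, plus rule conditions that name a filter the file
never defines, and filters that no rule uses."""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the configuration quoted in the thread above.
SAMPLE_CONF = """
[WirelessEAP]
filter = connection_type
operator = is
value = Wireless-802.11-EAP
[notempl]
filter=node_info.category
operator=is_not
value=employee
[chromebook]
filter=user_name
operator=is
value=chromebook
[autoreg:notempl]
scope=AutoRegister
role=guest
[autoreg:notempl]
scope=RegisteredRole
role=employee
[update2:WirelessEAP]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
IDENT_RE = re.compile(r"[A-Za-z0-9_.-]+")  # filter names inside a rule condition


def parse_sections(text):
    """Return (name, {key: value}) pairs in file order, keeping duplicate
    sections instead of merging them the way configparser would."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).strip(), {})
            sections.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # first '=' only: action_param keeps its own '='
            current[1][key.strip()] = value.strip()
    return sections


def lint(text):
    """Return findings: duplicate section names with the scopes they carry,
    filters a rule references but the file never defines, and filters never used."""
    sections = parse_sections(text)
    counts = Counter(name for name, _ in sections)
    filters = {name for name, body in sections if ":" not in name and "filter" in body}
    referenced = defaultdict(list)  # filter name -> ids of the rules whose condition uses it
    for name, _ in sections:
        rule_id, sep, condition = name.partition(":")
        if not sep:
            continue
        # PacketFence combines filter names in a condition with & and |;
        # pulling out the identifiers covers simple and compound conditions.
        for ref in IDENT_RE.findall(condition):
            referenced[ref].append(rule_id)
    duplicates = {
        name: [body.get("scope") for n, body in sections if n == name]
        for name, count in counts.items() if count > 1
    }
    return {
        "duplicates": duplicates,
        "undefined": sorted(f for f in referenced if f not in filters),
        "unused": sorted(f for f in filters if f not in referenced),
    }


if __name__ == "__main__":
    for kind, finding in lint(SAMPLE_CONF).items():
        print(f"{kind}: {finding}")
```

Run against the real file (`lint(open("/usr/local/pf/conf/vlan_filters.conf").read())`) it prints the duplicate names with their conflicting scopes, which is the first thing to rule out before assuming a rule-engine bug.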





Re: [PacketFence-users] Let's Encrypt compatibility

2017-02-15 Thread Arthur Emerson
Sallee, Jake  wrote:

Since it looks like I will need to be replacing my cert I was wondering about 
using Let's Encrypt.

It looks like a really nice project and the cost is right up my alley!

Is there any reason I should not use a LE cert? Anyone see a problem with this 
path?


I have cut/pasted the thread on this very subject from last fall.  I
personally haven't tried it (yet!), but it sounds like Michel in Norway
made it work...

-Arthur

-
Arthur Emerson III         Email: emer...@msmc.edu
Network Administrator      InterNIC: AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.            Fax: (845) 562-6762
Newburgh, NY 12550         SneakerNet: Aquinas Hall Room 008-A

From: Pedersen Michel 

Reply: packetfence-users@lists.sourceforge.net 

Date: November 16, 2016 at 11:00:54 AM
To: packetfence-users@lists.sourceforge.net 

Subject:  Re: [PacketFence-users] PacketFence with LetsEncrypt

Okay, I got this to work. It’s a bit of a “hack” though.
Since certbot wouldn’t let me use the standard apache plugin (it failed each 
time..) this is what I did:
(all to be setup in a weekly script when the portal is not in use meaning I can 
have a bit of downtime)


1. Stop packetfence: service packetfence stop

2. Use certbot to generate a standalone certificate: certbot certonly 
--standalone -d "server FQDN" -m "email for management of certificate"

3. Copy the now generated certificate files to /usr/local/pf/conf/ and 
rename them so that packetfence will use them on the next start (can probably 
be done better by changing the ssl config file in packetfence. I tried 
referencing them directly though and that did not work):
cp /etc/letsencrypt/live/"FQDN"/* /usr/local/pf/conf/ssl/
cp /etc/letsencrypt/live/"FQDN"/cert.pem /usr/local/pf/conf/ssl/server.crt
cp /etc/letsencrypt/live/"FQDN"/privkey.pem /usr/local/pf/conf/ssl/server.key
cp /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.pem
cat /usr/local/pf/conf/ssl/server.key >> /usr/local/pf/conf/ssl/server.pem
cp /etc/letsencrypt/live/"FQDN"/chain.pem /usr/local/pf/conf/ssl/chain.crt

4. Update /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf and add the 
following line. This is very important or the certificate will fail validation 
on a lot of browsers/tablets. Only needs to be done once:
SSLCertificateChainFile  %%install_dir%%/conf/ssl/chain.crt

5. Start packetfence again. The magic now picks up the certificate files and 
uses them: service packetfence start

Since letsencrypt certificates are only valid for 90 days we’ll need to run the 
certbot regularly to update the certificate if needed. The new certificate only 
takes effect when restarting packetfence.

Voila :-)

(oh btw, the portal needs to be internet accessible on https for the 
certificates to be generated. Mine isn’t at the moment but looking at the FW 
I’ve opened up traffic (https) from outbound1.letsencrypt.org which seems to be 
originating the traffic when issuing the certificates)

Hope this can be of help to someone else. I’m running this on RHEL7 (so no ZEN 
installation)

-Michel

From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: 16 November 2016 02:29
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PacketFence with LetsEncrypt


Hi Michel,

I am also interested in using a letsencrypt certificate for Packetfence 
(ZEN).

What you probably have to do is to follow the apache certificate generation 
instructions and check the conf/httpd.conf.d/ssl-certificates.conf file.

Regards

Fabrice

On 2016-11-15 at 02:22, Pedersen Michel wrote:
Hi everyone,

I’m looking at using certificates from letsencrypt.org with my PacketFence 
server and am currently trying to get them installed using certbot.
I must admit to not having done this before and having little experience with 
certificates (outside of generating/installing certificates from commercial 
vendors like comodo), so I was hoping that someone here had any experience with 
letsencrypt and packetfence and would be willing to share a bit of knowledge on 
how they did this.

Any help would be appreciated ☺


Best regards
Michel Pedersen

Norwegian Public Roads Administration
Postal address: Statens vegvesen Vegdirektoratet, Postboks 8142 Dep, 0033 OSLO
Office address: Brynsengfaret 6A, OSLO
Mobile: +47 99117502  e-mail/Lync: 
michel.peder...@vegvesen.no
www.vegvesen.no  e-mail: 
firmap...@vegvesen.no
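
The file-handling half of Michel's procedure (steps 3 and 4), as an added Python example that is not part of the thread, of PacketFence or of certbot: it copies certbot's live/ files into PacketFence's conf/ssl names, checks that server.pem really ends up as one certificate followed by the private key, and adds the SSLCertificateChainFile directive only if it is not already there. The pf.example.org name, the temp-directory layout and the PEM-shaped file contents in run_demo are constructed placeholders; stopping PacketFence, running certbot and starting it again stay in the surrounding script.

```python
"""Added example (not PacketFence's or certbot's code): the file-handling
steps of the Let's Encrypt procedure above, with the checks a renewal job
should make before PacketFence is restarted."""
import os
import re
import shutil
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
# The step-4 directive verbatim, and certbot name -> PacketFence name from step 3.
CHAIN_DIRECTIVE = "SSLCertificateChainFile  %%install_dir%%/conf/ssl/chain.crt"
NAME_MAP = {"cert.pem": "server.crt", "privkey.pem": "server.key", "chain.pem": "chain.crt"}


def pem_block_types(text):
    """Labels of the PEM blocks in text, in order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def install_le_certs(live_dir, ssl_dir):
    """Copy certbot's files into PacketFence's layout and build server.pem as
    certificate + private key. Returns the PEM block labels of server.pem."""
    for src, dst in NAME_MAP.items():
        # copyfile follows the symlinks certbot keeps in live/ and copies the content;
        # it raises FileNotFoundError itself if certbot did not produce a file.
        shutil.copyfile(os.path.join(live_dir, src), os.path.join(ssl_dir, dst))
    with open(os.path.join(ssl_dir, "server.crt")) as f:
        cert = f.read()
    with open(os.path.join(ssl_dir, "server.key")) as f:
        key = f.read()
    key_types = pem_block_types(key)
    if (pem_block_types(cert) != ["CERTIFICATE"] or len(key_types) != 1
            or not key_types[0].endswith("PRIVATE KEY")):
        raise ValueError("server.crt must hold one certificate and server.key one private key")
    pem_path = os.path.join(ssl_dir, "server.pem")
    with open(pem_path, "w") as out:
        out.write(cert if cert.endswith("\n") else cert + "\n")
        out.write(key)
    for name in ("server.key", "server.pem"):  # both contain the private key
        os.chmod(os.path.join(ssl_dir, name), 0o600)
    with open(pem_path) as f:
        return pem_block_types(f.read())


def ensure_chain_directive(conf_path):
    """Append the SSLCertificateChainFile line if the file lacks one.
    Returns True when the file was changed, so a cron job can log it."""
    with open(conf_path) as f:
        text = f.read()
    if re.search(r"^\s*SSLCertificateChainFile\b", text, re.M):
        return False
    with open(conf_path, "a") as f:
        if text and not text.endswith("\n"):
            f.write("\n")
        f.write(CHAIN_DIRECTIVE + "\n")
    return True


def run_demo():
    """Exercise both steps on a constructed certbot-style tree in a temp dir."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "live", "pf.example.org")  # placeholder FQDN
    ssl_dir = os.path.join(root, "ssl")
    os.makedirs(live)
    os.makedirs(ssl_dir)
    # Constructed PEM-shaped placeholders; not real certificates or keys.
    body = "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
    fake = {
        "cert.pem": f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n",
        "privkey.pem": f"-----BEGIN PRIVATE KEY-----\n{body}-----END PRIVATE KEY-----\n",
        "chain.pem": f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n",
    }
    for name, content in fake.items():
        with open(os.path.join(live, name), "w") as f:
            f.write(content)
    conf = os.path.join(root, "ssl-certificates.conf")
    with open(conf, "w") as f:
        f.write("SSLCertificateFile %%install_dir%%/conf/ssl/server.crt\n")
    result = {
        "server_pem": install_le_certs(live, ssl_dir),
        "chain_added": ensure_chain_directive(conf),
        "chain_added_again": ensure_chain_directive(conf),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(run_demo())
```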


[PacketFence-users] Let's Encrypt compatibility

2017-02-15 Thread Sallee, Jake
Hello All!

My current captive portal cert is through Comodo, suddenly all kinds of devices 
are very upset about this fact.

Most mobile devices no longer trust my cert and now some desktop/laptop systems 
are complaining as well.

Since it looks like I will need to be replacing my cert I was wondering about 
using Let's Encrypt.

It looks like a really nice project and the cost is right up my alley! 

Is there any reason I should not use a LE cert?  Anyone see a problem with this 
path?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] hostapd/Openwrt with Multiple SSIDs on same vlan Bug

2017-02-15 Thread Louis Munro

> On Feb 15, 2017, at 8:53 AM, Chris Abel wrote:
> 
> I don't mean to be a pest, but is there any more information that you might 
> need? This seems like basic functionality that others would want working as 
> well.

A Pull Request would be nice.

Regards,
--
Louis Munro
lmu...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


Re: [PacketFence-users] PacketFence-users Digest, Vol 106, Issue 41

2017-02-15 Thread Antoine Amacher

Hello Erik,

You should look for the logs on the WLC side; you might have more 
information on why the CoA is not accepted, or at least see whether the CoA is 
received by the WLC.

Can you also link the 10.0.12.2 and the default section of 
conf/switches.conf?


Thanks


On 02/14/2017 01:06 PM, Eric Koons wrote:
Thanks for the recommendation to look in pfqueue.log.  Seems like it 
is failing.  I’ve changed ports to 3799 and 1700 and neither works. 
 I’ve also tried changing the shared secret.



Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] 
[28:cf:e9:14:7a:29] DesAssociating mac on switch (10.0.12.2) 
(pf::api::desAssociate)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] 
deauthenticating (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] 
controllerIp is set, we will use controller 10.0.12.2 to perform 
deauth (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Memory 
configuration is not valid anymore for key 
interfaces::management_network in local cached_hash 
(pfconfig::cached::is_valid)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Returning 
ACCEPT with Role: Authorize_any (pf::Switch::Cisco::WLC::try {...} )
Feb 14 13:05:01 pfqueue(10131) WARN: [mac:28:cf:e9:14:7a:29] Unable to 
perform RADIUS CoA-Request on (10.0.12.2): Timeout waiting for a reply 
from 10.0.12.2 on port 1700 at /usr/local/pf/lib/pf/util/radius.pm 
line 162. (pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:01 pfqueue(10131) ERROR: [mac:28:cf:e9:14:7a:29] Wrong 
RADIUS secret or unreachable network device (10.0.12.2)... On some 
Cisco Wireless Controllers you might have to set disconnectPort=1700 
as some versions ignore the CoA requests on port 3799 
(pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:06 pfqueue(9465) ERROR: [mac:18:66:da:81:67:01] Can't 
bind : IO::Socket::INET: connect: Connection refused


Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com
eko...@sectv.com
Office: 610-841-8355
Mobile: 610-533-6834
Fax: 610-797-2445






On Feb 14, 2017, at 11:24 AM, 
packetfence-users-requ...@lists.sourceforge.net 
 wrote:


Message: 1
Date: Tue, 14 Feb 2017 11:24:21 -0500
From: Antoine Amacher
Subject: Re: [PacketFence-users] Issue with Guest network on Packetfence 6.5 and Cisco WLC controller
To: packetfence-users@lists.sourceforge.net

Hello Eric,

While upgrading from 6.1.2 to 6.5 there are multiples changes to
WebAuth, did you follow the UPGRADE.asciidoc? For instance your WLC(in
Switches) need to have "External Portal Enforcement" checked.

If everything has been applied, make sure you are still sending the CoA
on the right port. On the WLC it should be 3799 or 1700(depending on the
version of the WLC).

Also have a look in logs/pfqueue.log it should tell you if the CoA has
been received and taken into account by the WLC.

Thanks


On 02/14/2017 10:40 AM, Eric Koons wrote:

So, the scenario I'm about to explain worked fine on PacketFence
6.1.2.  The only thing that changed was I upgraded Packetfence to 6.5.
 I have an open SSID guest wifi network.  It's authenticated with an
SMS pin via packetfence.  The issue is that it appears after
successful authentication Packetfence is not sending the CoA or RADIUS
notification to the Cisco WLC to change the ACL for the client.  The
only way to get it to work is to disassociate from the wireless network
on the client and then re-associate; then I get full network access.

I've attached the packetfence log file.  Any help is appreciated.

Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
[28:cf:e9:14:7a:29] Activation code sent to email 6105336834 from
6105336834 successfully verified.  for activation 

Re: [PacketFence-users] hostapd/Openwrt with Multiple SSIDs on same vlan Bug

2017-02-15 Thread Chris Abel
I don't mean to be a pest, but is there any more information that you might
need? This seems like basic functionality that others would want working as
well.

On Fri, Feb 10, 2017 at 4:09 PM, Chris Abel 
wrote:

> Hi Ludovic,
>
> I'll do my best with the Use Case. Let me know if you don't understand.
>
>
> - OpenWRT AP has two SSIDs, SSID A and SSID B. Both of these SSIDs
>   communicate with the freeradius server and packetfence to determine the
>   role of the node.
> - User A connects to SSID A and is applied the role "Staff" and put
>   into VLAN 50.
> - User A disconnects from SSID A and connects to SSID B. Packetfence
>   sees that user is registered with the "Staff" role and returns VLAN 50.
> - Something happens here that completely breaks networking for the
>   SSID. The AP itself does not lose networking and nodes are still able to
>   see and connect to the SSID, but the node receives an immediate deauth and
>   a self-assigned IP. All other nodes are also unable to receive networking.
>   If Wifi is restarted on the AP, networking works again.
>
>
> This behavior only happens when there are multiple SSIDs that could
> potentially host the same VLAN.
>
>
> I do not have any hostapd logs, but here is the log on the OpenWRT AP when
> it happens:
>
> Tue Jan 31 15:27:46 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 RADIUS: VLAN ID 50
> Tue Jan 31 15:27:46 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 IEEE 802.11: authenticated
> Tue Jan 31 15:27:46 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 RADIUS: stopped accounting session 588F75DB-0078
> Tue Jan 31 15:27:46 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 IEEE 802.11: associated (aid 12)
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.46] device vlan50
> entered promiscuous mode
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.46] breth0.50: port
> 1(vlan50) entered forwarding state
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.47] breth0.50: port
> 1(vlan50) entered forwarding state
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.48] breth0.50: port
> 1(vlan50) entered forwarding state
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.48] device wlan0.50
> entered promiscuous mode
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.49] breth0.50: port
> 2(wlan0.50) entered forwarding state
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.49] breth0.50: port
> 2(wlan0.50) entered forwarding state
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.50] breth0.50: port
> 2(wlan0.50) entered forwarding state
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.52] device wlan0.50
> left promiscuous mode
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.52] breth0.50: port
> 2(wlan0.50) entered disabled state
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.53] device vlan50
> left promiscuous mode
> Tue Jan 31 15:27:46 2017 kern.info kernel: [79642.54] breth0.50: port
> 1(vlan50) entered disabled state
> Tue Jan 31 15:27:46 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 RADIUS: starting accounting session 588F75DB-0078
> Tue Jan 31 15:27:46 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 WPA: pairwise key handshake completed (RSN)
> Tue Jan 31 15:27:50 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 IEEE 802.11: disassociated
> Tue Jan 31 15:27:50 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 RADIUS: stopped accounting session 588F75DB-0078
> Tue Jan 31 15:27:51 2017 daemon.info hostapd: wlan0-1: STA
> a0:99:9b:1a:7e:51 IEEE 802.11: deauthenticated due to inactivity (timer
> DEAUTH/REMOVE)
>
>
> Hope this helps. Let me know if you would like any more information. I was
> able to replicate this on all of my openwrt access points.
> Regards,
> Chris
>
> On Thu, Feb 9, 2017 at 1:41 PM, Ludovic Zammit  wrote:
>
>> Hello Chris,
>>
>> Can you describe a detailed use case?
>>
>> Can you also post the hostapd error that you encounter?
>>
>> Thanks,
>>
>> Ludovic Zammit  lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>>
>>
>>
>> On 7 Feb 2017 at 11:51, Chris Abel wrote:
>>
>> There has been a bug with the hostapd.sh script that packetfence
>> provides. I've posted about it before, but I'm curious if there is any work
>> on resolving it? When 2 SSID's are configured and a node connects to both
>> SSIDs and put into the same vlan, networking breaks and they are given a
>> self assigned IP.
>>
>> Here is my set up:
>>
>> 1 hidden SSID for company owned devices
>> 1 public SSID for BYOB or company owned devices
>>
>> Here is what is supposed to happen: If a company owned device/node
>> connects to the public SSID, PF will recognize 

Re: [PacketFence-users] Active/Passive cluster - Slave server rejecting user Auth

2017-02-15 Thread Campanaro, Michael
So I'm still getting the same results. I've taken notice of the time of the log 
entries as well: After my test PC is registered and authenticated it will get 
rejected exactly 4 hours later. The last few times it's been kicked off the 
network it was always exactly 4 hours after the radius acceptance time. The 
node, however, has an unreg date of 1 year from now. I get errors saying PF 
can't connect to mysql at the time of the pc getting rejected but at the same 
time if I plug a separate PC into the same switch, it gets accepted fine by PF. 
 It seems like the rejected PC keeps trying to get authorized from the 
passive/slave server in my cluster setup.


Passive Server Radius logs:

Feb 15 08:02:08 httpd.aaa(3083) ERROR: [mac:c8:5b:76:6e:34:59] radius authorize 
failed with error: DBIx::Class::Storage::DBI::catch {...} (): DBI Connection 
failed: Can't connect to local MySQL server through socket 
'/var/lib/mysql/mysql.sock' (2) at 
/usr/share/perl5/vendor_perl/DBIx/Class/Storage/DBI.pm line 1492. at 
/usr/local/pf/lib/fingerbank/Base/CRUD.pm line 416
 (pf::api::radius_authorize)
Feb 15 08:02:08 httpd.aaa(3083) WARN: [mac:c8:5b:76:6e:34:59] Use of 
uninitialized value $radius_return in numeric eq (==) at 
/usr/local/pf/lib/pf/radius/rest.pm line 47.
 (pf::radius::rest::format_response)
Feb 15 08:02:08 httpd.aaa(3083) WARN: [mac:c8:5b:76:6e:34:59] Use of 
uninitialized value $radius_return in numeric eq (==) at 
/usr/local/pf/lib/pf/radius/rest.pm line 52.
 (pf::radius::rest::format_response)
[root@packetfence2 pf_admin]# tail /usr/local/pf/logs/radius.log
Wed Feb 15 08:02:08 2017 : ERROR: (20) rest: ERROR: 
{"reply:PacketFence-Authorization-Status":"allow"}
Wed Feb 15 08:02:08 2017 : Info: rlm_rest (rest): Need 2 more connections to 
reach 10 spares
Wed Feb 15 08:02:08 2017 : Info: rlm_rest (rest): Opening additional connection 
(45), 1 of 63 pending slots used
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Closing connection (43): Hit 
idle_timeout, was idle for 71074 seconds
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Closing connection (44): Hit 
idle_timeout, was idle for 71074 seconds
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Opening additional connection 
(45), 1 of 64 pending slots used
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Need 2 more connections to 
reach 10 spares
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Opening additional connection 
(46), 1 of 63 pending slots used
Wed Feb 15 08:02:08 2017 : [mac:c8:5b:76:6e:34:59] Accepted user:  and returned 
VLAN
Wed Feb 15 08:02:08 2017 : Auth: (20) Rejected in post-auth: [c85b766e3459] 
(from client pf port 13 cli c8:5b:76:6e:34:59)


Master server Radius log from the same time period and a different PC:

Wed Feb 15 08:03:23 2017 : [mac:68:f7:28:85:34:78] Accepted user:  and returned 
VLAN 10
Wed Feb 15 08:03:23 2017 : Auth: (9) Login OK: [68f728853478] (from client pf 
port 19 cli 68:f7:28:85:34:78)



From: Campanaro, Michael 
Sent: Tuesday, February 14, 2017 8:10 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Active/Passive cluster - Slave server 
rejecting user Auth


Fabrice,


I have no max_connections line set up in my /etc/my.cnf, should I add that line 
in with a set number? I'm not sure how that could cause it as the test PC I'm 
having problems with is the only PC I had connected to PacketFence at the 
moment as I'm still testing it before deployment. My two servers are on two 
CentOS 7 vm's so the disks are virtual, I don't think there should be any io 
issues. I'll try adding the max connections line though and see if I have 
better results.


Thanks,


Mike


From: Durand fabrice 
Sent: Monday, February 13, 2017 8:26 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Active/Passive cluster - Slave server 
rejecting user Auth


Michael,


So first check how many maximum connections are configured in my.cnf (or 
equivalent), then raise this value.

It can also be something related to the disk IO; if the disk is slow then the 
number of threads can rise too.

Regards

Fabrice


On 2017-02-13 at 15:34, Campanaro, Michael wrote:

Fabrice,


I checked the mariadb logs but don't see anything out of the ordinary in them. 
There are no errors or warnings. I looked at the DB graph on the status tab of 
the admin gui and what I noticed is that around the time I last had my issue 
the connected thread count increased considerably.


From: Fabrice Durand 
Sent: Monday, February 13, 2017 2:56 PM
To: 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Active/Passive cluster - Slave server 
rejecting user Auth


Hello Michael,

there is probably some logs from mysql, also can you check the status tab on