Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Sokolowski, Darryl via PacketFence-users
Aah, perfect! I don’t know what I was doing wrong.  I had been failing 
previously, and I removed my rule and started over again and this time it 
worked!
Now I can assign the role according to what OU the machine account resides in 
and assign a different role according to that ou.

This may be a basic question, but what’s the difference between “contains” and 
“regexp” when writing the conditions?
“contains” does not match on my ou name, but “regexp” does.

Thanks a million!
Darryl

From: Ludovic Zammit [mailto:lzam...@inverse.ca]
Sent: Monday, August 14, 2017 2:57 PM
To: Sokolowski, Darryl 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role

Hello Darryl,

Sorry I was not that clear, I admit it.

If you want to auto-register domain joined computers without seeing the captive 
portal, configure the following:

- an AD source with Username Attribute = servicePrincipalName with a rule that 
will match and give role and an unreg date

[AD]
description=Microsoft Active Directory
password=*
scope=sub
binddn=cn=administrator,cn=users,dc=domain,dc=local
basedn=cn=users,dc=inverse,dc=local
email_attribute=mail
usernameattribute=serviceprincipalname
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=10.0.0.1

[AD rule catchall]
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=default

- Configure your domain:

[mylovelyAD]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
ntlm_cache=disabled
dns_server=10.0.0.1
registration=0
ntlm_cache_expiry=3600
dns_name=domain.local
ou=Computers
bind_pass=
ntlm_cache_on_connection=disabled
bind_dn=
workgroup=inverse
ad_server=10.0.0.1
ntlm_cache_batch_one_at_a_time=disabled
ntlm_cache_batch=disabled
server_name=unicorn13
dns_servers=10.0.0.1
sticky_dc=*

- Configure the REALMs:

[DEFAULT]
domain=mylovelyAD

[NULL]
domain=mylovelyAD

- Configure a connection profile that matches the Switch,SSID,etc...

[SecureSSID]
locale=
filter=ssid:PF-Secure
description=Secure-SSID
sources=mylovelyAD
autoregister=enabled

- Keep in mind that if you edit your file by the CLI, you will need to push the 
new config with:

/usr/local/pf/bin/pfcmd configreload hard

Once you have done that config restart PF:

/usr/local/pf/bin/pfcmd service pf restart

Here is what should happen:

- Radius request from your equipment
- PF authenticates your computer against the AD and brings the role default
- PF returns the VLAN ID for the default role on your equipment based on the 
switches.conf
- VLAN applied on the connection
- DHCP in that VLAN
- Access on the network

You don't need to switch a role for each device manually, if the device matches 
the catchall rule you're golden!

I skipped a lot of steps but I hope it will help you.

Thanks!

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 14, 2017, at 2:22 PM, Sokolowski, Darryl wrote:

Hi, thanks.
Forgive me for my questions, the concept of NAC is new to me.
I guess I am still confused about assigning (or not assigning) the role. “you 
cannot switch a node role because it will be recomputed on every radius 
request” has me confused. What is the role being computed from? I was under the 
impression from reading, that the role could be “automatically” computed and 
assigned by using various LDAP or AD attributes. And so having it recomputed is 
a good thing, because if it finds a change in the AD, then it would compute it 
to the new role based on the AD attributes.
From what you said here, it sounds like I would have to edit each node record 
to assign the role manually?
Am I thinking about this the wrong way?

Thanks
Darryl


From: Ludovic Zammit [mailto:lzam...@inverse.ca]
Sent: Monday, August 14, 2017 10:43 AM
To: Sokolowski, Darryl
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role

Hello,

If you are doing machine authentication with auto registration, you can not 
switch a node role because it will be recomputed on every radius request.

You could use the bypass role if you want to drop the device into a specific 
role. You will find it under Nodes > MAC > Bypass Role.

For your AD source, if you are doing machine authentication on a Microsoft AD, 
make sure that you are checking the correct LDAP attribute.

Username Attribute = servicePrincipalName

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. 

Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Ludovic Zammit via PacketFence-users
Hello Darryl,

Sorry I was not that clear, I admit it.

If you want to auto-register domain joined computers without seeing the captive 
portal, configure the following:

- an AD source with Username Attribute = servicePrincipalName with a rule that 
will match and give role and an unreg date

[AD]
description=Microsoft Active Directory
password=*
scope=sub
binddn=cn=administrator,cn=users,dc=domain,dc=local
basedn=cn=users,dc=inverse,dc=local
email_attribute=mail
usernameattribute=serviceprincipalname
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=10.0.0.1

[AD rule catchall]
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=default

- Configure your domain:

[mylovelyAD]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
ntlm_cache=disabled
dns_server=10.0.0.1
registration=0
ntlm_cache_expiry=3600
dns_name=domain.local
ou=Computers
bind_pass=
ntlm_cache_on_connection=disabled
bind_dn=
workgroup=inverse
ad_server=10.0.0.1
ntlm_cache_batch_one_at_a_time=disabled
ntlm_cache_batch=disabled
server_name=unicorn13
dns_servers=10.0.0.1
sticky_dc=*

- Configure the REALMs:

[DEFAULT]
domain=mylovelyAD

[NULL]
domain=mylovelyAD

- Configure a connection profile that matches the Switch,SSID,etc...

[SecureSSID]
locale=
filter=ssid:PF-Secure
description=Secure-SSID
sources=mylovelyAD
autoregister=enabled

- Keep in mind that if you edit your file by the CLI, you will need to push the 
new config with:

/usr/local/pf/bin/pfcmd configreload hard

Once you have done that config restart PF:

/usr/local/pf/bin/pfcmd service pf restart

Here is what should happen:

- Radius request from your equipment
- PF authenticates your computer against the AD and brings the role default
- PF returns the VLAN ID for the default role on your equipment based on the 
switches.conf
- VLAN applied on the connection
- DHCP in that VLAN
- Access on the network

You don't need to switch a role for each device manually, if the device matches 
the catchall rule you're golden!

I skipped a lot of steps but I hope it will help you.

Thanks!
Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 



> On Aug 14, 2017, at 2:22 PM, Sokolowski, Darryl  wrote:
> 
> Hi, thanks.
> Forgive me for my questions, the concept of NAC is new to me.
> I guess I am still confused about assigning (or not assigning) the role. “you 
> cannot switch a node role because it will be recomputed on every radius 
> request” has me confused. What is the role being computed from? I was under 
> the impression from reading, that the role could be “automatically” computed 
> and assigned by using various LDAP or AD attributes. And so having it 
> recomputed is a good thing, because if it finds a change in the AD, then it 
> would compute it to the new role based on the AD attributes.
> From what you said here, it sounds like I would have to edit each node record 
> to assign the role manually?
> Am I thinking about this the wrong way?
>  
> Thanks
> Darryl
>  
>  
> From: Ludovic Zammit [mailto:lzam...@inverse.ca]
> Sent: Monday, August 14, 2017 10:43 AM
> To: Sokolowski, Darryl
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Machine authentication not getting role
>  
> Hello,
>  
> If you are doing machine authentication with auto registration, you can not 
> switch a node role because it will be recomputed on every radius request.
>  
> You could use the bypass role if you want to drop the device into a specific 
> role. You will find it under Nodes > MAC > Bypass Role.
>  
> For your AD source, if you are doing machine authentication on a Microsoft 
> AD, make sure that you are checking the correct LDAP attribute.
>  
> Username Attribute = servicePrincipalName
> 
> Thanks,
> Ludovic Zammit
> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
> www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
> ) and PacketFence (http://packetfence.org 
> ) 
>  
>  
>  
> On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl wrote:
>  
> Hi Ludovic. Thanks. I'm using machine authentication against active 
> directory. Right now I'm trying to get a catch all rule to assign a role just 
> to make sure I have that part working, so that I can ultimately assign 
> different roles according to the OU that the machine account resides in. 
> Right now I'm not 

Re: [PacketFence-users] Caught exception in captiveportal... when choosing sms method

2017-08-14 Thread Louis Munro via PacketFence-users
Hi Will,
Can you try this patch please?

https://github.com/inverse-inc/packetfence/commit/b9642f12ed9bd3ec62f800bd4a5dfd36702553c2.diff
 


Apply it by downloading it and then using patch, i.e:

# cd /usr/local/pf
# wget https://github.com/inverse-inc/packetfence/commit/b9642f12ed9bd3ec62f800bd4a5dfd36702553c2.diff
# patch -p1 < b9642f12ed9bd3ec62f800bd4a5dfd36702553c2.diff
# bin/pfcmd service pf restart

Then you can try deleting the source from the GUI and then recreating it again.
If it works we've got ourselves a fix.

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 

+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Aug 14, 2017, at 14:29, Rossing, Will  wrote:
> 
> Hey Louis, Yes I was just going to report that that works, just comma 
> separation, the GUI won't show the list but it still works. Thanks for 
> your reply!
> 
> On Mon, Aug 14, 2017 at 12:37 PM, Louis Munro wrote:
> Hi Will,
> This looks like a bug from the GUI that saves the list of carriers the wrong 
> way.
> 
> Can you try to change the source to this (manually edit the file):
> 
> 
> [sms]
> description=SMS-based registration
> sms_carriers=100061,100107
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
> 
> Then run this command:
> 
> # /usr/local/pf/bin/pfcmd configreload hard
> 
> 
> 
> And try again?
> 
> The bug, if that's what it is, is in the code that saves the config.
> So editing the file and reloading it should be a (temporary) workaround.
> 
> Please confirm if this works for you.
> If it does we'll open an issue on GitHub for tracking and issue a maintenance 
> patch.
> 
> 
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca   ::  www.inverse.ca 
> 
> +1.514.447.4918 x125   :: +1 (866) 353-6153 x125 
> 
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
> PacketFence (www.packetfence.org )
> 
>> On Aug 14, 2017, at 12:51, Rossing, Will via PacketFence-users wrote:
>> 
>> More info, it works when we only put one SMS provider in the list, if we add 
>> more than one, it gets the exception error.
>> This is how it writes multiple carriers to the config file and seems like it 
>> can't parse it properly or something:
>> 
>> [sms]
>> description=SMS-based registration
>> sms_carriers= <<EOT
>> 100061
>> 100107
>> EOT
>> type=SMS
>> create_local_account=no
>> set_access_level_action=
>> local_account_logins=0
>> 
>> 
>> 
>> One provider works:
>> [sms]
>> description=SMS-based registration
>> sms_carriers=100107
>> type=SMS
>> create_local_account=no
>> set_access_level_action=
>> local_account_logins=0
>> 
>> 
>> On Mon, Aug 14, 2017 at 10:59 AM, Rossing, Will wrote:
>> Just deploying 7.2 to production and am getting the following when choosing 
>> the sms authentication in the captive portal.
>> 
>> Caught exception in captiveportal::Controller::Root>dynamic_application 
>> "Can't call method "fetchall_arrayref" on an undefined value at 
>> /usr/local/pf/lib/pf/sms_carrier.pm  line 88."
>> 
>> I swear this worked last week when I put the box in production temporarily. 
>> I've tried removing and adding back in carriers, etc. Any ideas? I hate 
>> to have to roll back if I can avoid it!
>> 
>> Thanks
>> 
>> Will
>> 
>> --
>> 
>> 
>> Will Rossing
>> Manager, Network Services  | 218.723.6729  | 
>> wross...@css.edu 
>> 
>> 
>> --
>> 
>> 
>> Will Rossing
>> Manager, Network Services  | 218.723.6729  | 
>> wross...@css.edu 
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org ! 
>> http://sdm.link/slashdot___ 
>> 
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net 
>> 
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users 
>> 

Re: [PacketFence-users] Caught exception in captiveportal... when choosing sms method

2017-08-14 Thread Rossing, Will via PacketFence-users
Hey Louis, Yes I was just going to report that that works, just comma
separation, the GUI won't show the list but it still works. Thanks for
your reply!

On Mon, Aug 14, 2017 at 12:37 PM, Louis Munro  wrote:

> Hi Will,
> This looks like a bug from the GUI that saves the list of carriers the
> wrong way.
>
> Can you try to change the source to this (manually edit the file):
>
>
> [sms]
> description=SMS-based registration
> sms_carriers=100061,100107
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
>
> Then run this command:
>
> # /usr/local/pf/bin/pfcmd configreload hard
>
>
>
> And try again?
>
> The bug, if that's what it is, is in the code that saves the config.
> So editing the file and reloading it should be a (temporary) workaround.
>
> Please confirm if this works for you.
> If it does we'll open an issue on GitHub for tracking and issue a
> maintenance patch.
>
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
> On Aug 14, 2017, at 12:51, Rossing, Will via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> More info, it works when we only put one SMS provider in the list, if we
> add more than one, it gets the exception error.
> This is how it writes multiple carriers to the config file and seems like
> it can't parse it properly or something:
>
> [sms]
> description=SMS-based registration
> sms_carriers= <<EOT
> 100061
> 100107
> EOT
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
>
>
>
> One provider works:
> [sms]
> description=SMS-based registration
> sms_carriers=100107
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
>
>
> On Mon, Aug 14, 2017 at 10:59 AM, Rossing, Will  wrote:
>
>> Just deploying 7.2 to production and am getting the following when
>> choosing the sms authentication in the captive portal.
>>
>> Caught exception in captiveportal::Controller::Root>dynamic_application
>> "Can't call method "fetchall_arrayref" on an undefined value at
>> /usr/local/pf/lib/pf/sms_carrier.pm line 88."
>>
>> I swear this worked last week when I put the box in production
>> temporarily. I've tried removing and adding back in carriers, etc. Any
>> ideas? I hate to have to roll back if I can avoid it!
>>
>> Thanks
>>
>> Will
>>
>> --
>>
>>
>> Will Rossing
>> *Manager, Network Services * | 218.723.6729 | wross...@css.edu
>>
>
>
>
> --
>
>
> Will Rossing
> *Manager, Network Services * | 218.723.6729 | wross...@css.edu
> 
>
>
>


-- 


Will Rossing
*Manager, Network Services * | 218.723.6729 | wross...@css.edu


[PacketFence-users] PIN confirmation not received via SMS on phone

2017-08-14 Thread Akala Kehinde via PacketFence-users
Hello guys,

Need your help urgently on this one. I tried testing the SMS external
authentication source but it does not work.
My mobile carrier's SMS gateway is in the sms_carrier database but I don't
receive PIN confirmation to my phone when I test.

Any ideas what the problem may be?


Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Sokolowski, Darryl via PacketFence-users
Hi, thanks.
Forgive me for my questions, the concept of NAC is new to me.
I guess I am still confused about assigning (or not assigning) the role. “you 
cannot switch a node role because it will be recomputed on every radius 
request” has me confused. What is the role being computed from? I was under the 
impression from reading, that the role could be “automatically” computed and 
assigned by using various LDAP or AD attributes. And so having it recomputed is 
a good thing, because if it finds a change in the AD, then it would compute it 
to the new role based on the AD attributes.
From what you said here, it sounds like I would have to edit each node record 
to assign the role manually?
Am I thinking about this the wrong way?

Thanks
Darryl


From: Ludovic Zammit [mailto:lzam...@inverse.ca]
Sent: Monday, August 14, 2017 10:43 AM
To: Sokolowski, Darryl 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role

Hello,

If you are doing machine authentication with auto registration, you can not 
switch a node role because it will be recomputed on every radius request.

You could use the bypass role if you want to drop the device into a specific 
role. You will find it under Nodes > MAC > Bypass Role.

For your AD source, if you are doing machine authentication on a Microsoft AD, 
make sure that you are checking the correct LDAP attribute.

Username Attribute = servicePrincipalName

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl wrote:

Hi Ludovic. Thanks. I'm using machine authentication against active directory. 
Right now I'm trying to get a catch all rule to assign a role just to make sure 
I have that part working, so that I can ultimately assign different roles 
according to the OU that the machine account resides in. Right now I'm not 
testing for the ou, just assigning a role to test that my rule works.

In the packetfence log I see the authentication success, but no role assignment.

Machine auth works, as I can autoregister and I get on the management network, 
but any role I put in the authentication rule doesn't get assigned to the 
machine.

Thanks
Darryl




Original message
From: Ludovic Zammit via PacketFence-users
Date: 8/14/17 7:47 AM (GMT-05:00)
To: packetfence-users@lists.sourceforge.net
Cc: Ludovic Zammit
Subject: Re: [PacketFence-users] Machine authentication not getting role

PS: /usr/local/pf/bin/pftest authentication username password

You can put "" if you don't want to display the password in the CLI.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org)



On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users wrote:

Hello,

Are you doing user authentication ? If yes, please check the tool 
/usr/local/pf/bin/pftest username password you will see if your username bring 
any access settings.

If you check in the /usr/local/pf/logs/packetfence.log you should be able to 
see all the action taken after the radius request.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org)



On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users wrote:

Hi everyone,
Can anyone help me with this please?
I have the machine authentication source looking at active directory,  and a 
rule to assign role and access duration.
I am able to automatically register the device via machine authentication, but 
I can’t get the role assigned when it registers.
On the switch I see
%AUTHMGR-5-START: Starting 'dot1x' for client
%DOT1X-5-SUCCESS: Authentication successful for client
%AUTHMGR-5-SUCCESS: Authorization succeeded for client

But the role is not sent.

Raddebug shows the correct realm is identified and used, and the machine 
authentication source is defined in the realm.

In the nodes in packetfence, I see the node is registered with the owner as the 
machine 

Re: [PacketFence-users] Caught exception in captiveportal... when choosing sms method

2017-08-14 Thread Louis Munro via PacketFence-users
Hi Will,
This looks like a bug from the GUI that saves the list of carriers the wrong 
way.

Can you try to change the source to this (manually edit the file):


[sms]
description=SMS-based registration
sms_carriers=100061,100107
type=SMS
create_local_account=no
set_access_level_action=
local_account_logins=0

Then run this command:

# /usr/local/pf/bin/pfcmd configreload hard



And try again?

The bug, if that's what it is, is in the code that saves the config.
So editing the file and reloading it should be a (temporary) workaround.

Please confirm if this works for you.
If it does we'll open an issue on GitHub for tracking and issue a maintenance 
patch.


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 

+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Aug 14, 2017, at 12:51, Rossing, Will via PacketFence-users wrote:
> 
> More info, it works when we only put one SMS provider in the list, if we add 
> more than one, it gets the exception error.
> This is how it writes multiple carriers to the config file and seems like it 
> can't parse it properly or something:
> 
> [sms]
> description=SMS-based registration
> sms_carriers= <<EOT
> 100061
> 100107
> EOT
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
> 
> 
> 
> One provider works:
> [sms]
> description=SMS-based registration
> sms_carriers=100107
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
> 
> 
> On Mon, Aug 14, 2017 at 10:59 AM, Rossing, Will wrote:
> Just deploying 7.2 to production and am getting the following when choosing 
> the sms authentication in the captive portal.
> 
> Caught exception in captiveportal::Controller::Root>dynamic_application 
> "Can't call method "fetchall_arrayref" on an undefined value at 
> /usr/local/pf/lib/pf/sms_carrier.pm  line 88."
> 
> I swear this worked last week when I put the box in production temporarily. 
> I've tried removing and adding back in carriers, etc. Any ideas? I hate 
> to have to roll back if I can avoid it!
> 
> Thanks
> 
> Will
> 
> --
> 
> 
> Will Rossing
> Manager, Network Services  | 218.723.6729  | 
> wross...@css.edu 
> 
> 
> --
> 
> 
> Will Rossing
> Manager, Network Services  | 218.723.6729 | wross...@css.edu 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! 
> http://sdm.link/slashdot___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
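
The workaround in this message (one comma-separated sms_carriers line instead of the multi-line value the GUI saved) can be applied mechanically. The script below is an added example, not part of the thread and not PacketFence code; it assumes the multi-line value was written as a here-document (`<<EOT` ... `EOT`), and `flatten_ini_heredoc` and `sample_broken_conf` are hypothetical names.

```shell
#!/bin/sh
# Added example (not PacketFence code): collapse a here-document style
# multi-line INI value into one comma-separated line for a single key.

# Constructed sample: the [sms] section as reported in the thread, with the
# here-document marker assumed to be <<EOT.
sample_broken_conf() {
    cat <<'CONF'
[sms]
description=SMS-based registration
sms_carriers= <<EOT
100061
100107
EOT
type=SMS
create_local_account=no
set_access_level_action=
local_account_logins=0
CONF
}

# flatten_ini_heredoc KEY < input.conf > output.conf
# Exit status 2 means a here-document was opened but never terminated,
# in which case the output must not be used.
flatten_ini_heredoc() {
    awk -v key="$1" '
        collecting {
            if ($0 == tag) {                 # terminator line ends the value
                print key "=" joined
                collecting = 0
            } else {
                item = $0
                gsub(/^[ \t]+|[ \t]+$/, "", item)
                if (item != "")              # skip blank lines inside the value
                    joined = (joined == "" ? item : joined "," item)
            }
            next
        }
        {
            # Split "name = rest" on the first "=" and trim both sides.
            eq = index($0, "=")
            name = substr($0, 1, eq - 1)
            rest = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", rest)
            if (eq > 0 && name == key && rest ~ /^<<[A-Za-z0-9_]+$/) {
                tag = substr(rest, 3)        # text after "<<" is the terminator
                joined = ""
                collecting = 1
                next
            }
            print                            # every other line passes through
        }
        END { if (collecting) exit 2 }
    '
}

# Usage: sample_broken_conf | flatten_ini_heredoc sms_carriers
```

After writing the flattened file back, reload with `/usr/local/pf/bin/pfcmd configreload hard` as described in the message.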





Re: [PacketFence-users] Caught exception in captiveportal... when choosing sms method

2017-08-14 Thread Rossing, Will via PacketFence-users
More info, it works when we only put one SMS provider in the list, if we
add more than one, it gets the exception error.
This is how it writes multiple carriers to the config file and seems like
it can't parse it properly or something:

[sms]
description=SMS-based registration
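sms_carriers= <<EOT
100061
100107
EOT
type=SMS
create_local_account=no
set_access_level_action=
local_account_logins=0



One provider works:
[sms]
description=SMS-based registration
sms_carriers=100107
type=SMS
create_local_account=no
set_access_level_action=
local_account_logins=0


On Mon, Aug 14, 2017 at 10:59 AM, Rossing, Will wrote: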

> Just deploying 7.2 to production and am getting the following when
> choosing the sms authentication in the captive portal.
>
> Caught exception in captiveportal::Controller::Root>dynamic_application
> "Can't call method "fetchall_arrayref" on an undefined value at
> /usr/local/pf/lib/pf/sms_carrier.pm line 88."
>
> I swear this worked last week when I put the box in production
> temporarily. I've tried removing and adding back in carriers, etc. Any
> ideas? I hate to have to roll back if I can avoid it!
>
> Thanks
>
> Will
>
> --
>
>
> Will Rossing
> *Manager, Network Services * | 218.723.6729 | wross...@css.edu
>



-- 


Will Rossing
*Manager, Network Services * | 218.723.6729 | wross...@css.edu


[PacketFence-users] Caught exception in captiveportal... when choosing sms method

2017-08-14 Thread Rossing, Will via PacketFence-users
Just deploying 7.2 to production and am getting the following when choosing
the sms authentication in the captive portal.

Caught exception in captiveportal::Controller::Root>dynamic_application
"Can't call method "fetchall_arrayref" on an undefined value at
/usr/local/pf/lib/pf/sms_carrier.pm line 88."

I swear this worked last week when I put the box in production
temporarily. I've tried removing and adding back in carriers, etc. Any
ideas? I hate to have to roll back if I can avoid it!

Thanks

Will

-- 


Will Rossing
*Manager, Network Services * | 218.723.6729 | wross...@css.edu


Re: [PacketFence-users] Problem with radius certificate. Time to renew.

2017-08-14 Thread Antoine Amacher via PacketFence-users

Hello Dominic,

try to apply the maintenance perl addons/pf-maint.pl

This should fix the actual issue.

To renew the certificate you can do it via openssl commands.

create a conf_file.cnf in which you need the following:

[cert]

extendedKeyUsage = serverAuth

then do this command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -config conf_file.cnf


then fill in the requested information and move your certificate/key to 
replace the old one.


Thanks

On 08/14/2017 10:56 AM, dominic--- via PacketFence-users wrote:


Hi All,

I am running version 6.2.1 on CentOS with great success. Until today!

After a restart of the system Packetfence services fail to start.

 service packetfence start
Redirecting to /bin/systemctl start  packetfence.service
Job for packetfence.service failed because the control process exited with error code. See "systemctl status packetfence.service" and "journalctl -xe" for details.

[root@pf pf]#

[root@pf pf]#
[root@pf pf]# systemctl status packetfence.service
● packetfence.service - PacketFence Service
   Loaded: loaded (/usr/lib/systemd/system/packetfence.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2017-08-14 16:52:00 CEST; 46s ago
  Process: 2940 ExecStart=/usr/local/pf/bin/pfcmd service pf start (code=exited, status=255)


Aug 14 16:51:39 pf.kalmar.se pfcmd[2940]: [Mon Aug 14 16:51:39 2017] pfappserver.pm: Cannot determine desired terminal width, using default of 80 columns
Aug 14 16:51:40 pf.kalmar.se pfcmd[2940]: AH00548: NameVirtualHost has no effect and will be removed in the next release /usr/local/pf/var/conf/httpd.conf.d/httpd.admin:194

Aug 14 16:51:52 pf.kalmar.se pfcmd[2940]: httpd.admin|start
Aug 14 16:51:52 pf.kalmar.se pfcmd[2940]: Checking configuration sanity...
Aug 14 16:51:59 pf.kalmar.se pfcmd[2940]: FATAL - The certificate used by FreeRADIUS (/usr/local/pf/raddb/certs/server.crt) has expired.
Aug 14 16:51:59 pf.kalmar.se pfcmd[2940]: Regenerate a new self-signed certificate or update your current certificate.
Aug 14 16:51:59 pf.kalmar.se systemd[1]: packetfence.service: control process exited, code=exited status=255
Aug 14 16:52:00 pf.kalmar.se systemd[1]: Failed to start PacketFence Service.
Aug 14 16:52:00 pf.kalmar.se systemd[1]: Unit packetfence.service entered failed state.

Aug 14 16:52:00 pf.kalmar.se systemd[1]: packetfence.service failed.
[root@pf pf]#

So it seems I have a problem with the radius cert?

Does anyone know how to renew this certificate?

best regards

Dominic Kilbride





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
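
The renewal steps in this message, carried through non-interactively and followed by a check of the result. This is an added example, not part of the thread or of PacketFence: the `[req]` and `[dn]` sections, the common name you pass in, and the unencrypted key (`-nodes`) are assumptions that are not in the original message, and `make_radius_cert` and `cert_ok` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): regenerate a self-signed RADIUS server
# certificate with the serverAuth EKU, then verify it before installing it.

# make_radius_cert OUTDIR CN [DAYS] [BITS]
# Writes OUTDIR/conf_file.cnf, OUTDIR/key.pem and OUTDIR/cert.pem.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_radius_cert() (
    outdir=$1; cn=$2; days=${3:-365}; bits=${4:-4096}
    umask 077                      # the private key must not be world-readable
    # [cert] is the section from the message; [req] and [dn] are added
    # assumptions so that openssl does not prompt for the subject.
    cat > "$outdir/conf_file.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = cert
prompt = no

[dn]
CN = $cn

[cert]
extendedKeyUsage = serverAuth
EOF
    # -nodes leaves the key unencrypted (assumption: no key passphrase is
    # configured on the RADIUS side).
    openssl req -x509 -newkey "rsa:$bits" -nodes \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
        -days "$days" -config "$outdir/conf_file.cnf"
)

# cert_ok CERT [MIN_DAYS]
# Succeeds only if CERT is still valid MIN_DAYS from now (0 = not expired
# right now) and carries the serverAuth extended key usage.
cert_ok() {
    cert=$1; min_days=${2:-0}
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || return 1
    openssl x509 -in "$cert" -noout -text \
        | grep -q 'TLS Web Server Authentication'
}

# Usage:
#   make_radius_cert /tmp/newcert pf.example.test 365
#   cert_ok /tmp/newcert/cert.pem 30 && echo "safe to install"
```

Running `cert_ok /usr/local/pf/raddb/certs/server.crt 30` on a schedule returns non-zero 30 days before the certificate named in the log expires, which leaves time to renew before the sanity check blocks startup.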



Re: [PacketFence-users] Error communicatin with Nessus

2017-08-14 Thread Akala Kehinde via PacketFence-users
Hallo James,

Thanks for your reply.

Juan Valencia and I have troubleshooted this last week and below is the
current status:

   - Can now connect. Had to instruct the LWG agent not to verify
   hostname via ssl. -> resolved
   - Violation  id 120005 and custom violation id got triggered after I
   added the nessus6 id in violation.pm file. -> resolved
   - Violation id 120005 is triggered but never closes, even after
   violation is fixed. -> not resolved

Will appreciate if you can lab this up and test why the violation id 120005
never closes.


Regards,
Kehinde

On Fri, Aug 11, 2017 at 8:47 PM, jrouzier via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Kehinde,
>
> I am looking into this. By next tuesday I should have a good solution.
>
> Thanks
>
> James
>
> On 2017-07-17 8:58 AM, Akala Kehinde via PacketFence-users wrote:
>
> Hallo Guys,
>
> Quick one..
> I get this error when PF tries triggering a violation:
>
> Checked line 96 and seems it's an error with the creds, but creds seems
> right. Or is the creds not supposed to be that on the Nessus server?
>
> Jul  8 13:57:58 pfence pfqueue: pfqueue(10450) INFO:
> [mac:00:50:ff:25:ce:00] New ID generated: 149951507810ce00
> (pf::util::generate_id)
> Jul  8 13:57:58 pfence pfqueue: pfqueue(10450) ERROR:
> [mac:00:50:ff:25:ce:00] communication error: Can't connect to
> 172.16.100.10:8834 at /usr/local/pf/lib/pf/scan/nessus6.pm line 96.
>  (pf::api::can_fork::notify)
>
>
> Regards,
> Kehinde
>
>


[PacketFence-users] Problem with radius certificate. Time to renew.

2017-08-14 Thread dominic--- via PacketFence-users
Hi All, 

I am running version 6.2.1 on CentOS with great success. Until today! 

After a restart of the system Packetfence services fail to start. 

 service packetfence start
Redirecting to /bin/systemctl start  packetfence.service
Job for packetfence.service failed because the control process exited
with error code. See "systemctl status packetfence.service" and
"journalctl -xe" for details.
[root@pf pf]# 

[root@pf pf]#
[root@pf pf]# systemctl status packetfence.service
● packetfence.service - PacketFence Service
   Loaded: loaded (/usr/lib/systemd/system/packetfence.service; enabled;
vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2017-08-14 16:52:00
CEST; 46s ago
  Process: 2940 ExecStart=/usr/local/pf/bin/pfcmd service pf start
(code=exited, status=255) 

Aug 14 16:51:39 pf.kalmar.se pfcmd[2940]: [Mon Aug 14 16:51:39 2017]
pfappserver.pm: Cannot determine desired terminal width, using default
of 80 columns
Aug 14 16:51:40 pf.kalmar.se pfcmd[2940]: AH00548: NameVirtualHost has
no effect and will be removed in the next release
/usr/local/pf/var/conf/httpd.conf.d/httpd.admin:194
Aug 14 16:51:52 pf.kalmar.se pfcmd[2940]: httpd.admin|start
Aug 14 16:51:52 pf.kalmar.se pfcmd[2940]: Checking configuration
sanity...
Aug 14 16:51:59 pf.kalmar.se pfcmd[2940]: FATAL - The certificate used
by FreeRADIUS (/usr/local/pf/raddb/certs/server.crt) has expired.
Aug 14 16:51:59 pf.kalmar.se pfcmd[2940]: Regenerate a new self-signed
certificate or update your current certificate.
Aug 14 16:51:59 pf.kalmar.se systemd[1]: packetfence.service: control
process exited, code=exited status=255
Aug 14 16:52:00 pf.kalmar.se systemd[1]: Failed to start PacketFence
Service.
Aug 14 16:52:00 pf.kalmar.se systemd[1]: Unit packetfence.service
entered failed state.
Aug 14 16:52:00 pf.kalmar.se systemd[1]: packetfence.service failed.
[root@pf pf]# 

So it seems I have a problem with the radius cert? 

Does anyone know how to renew this certificate? 

best regards 

Dominic Kilbride
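
An added example, not part of the original post or of PacketFence: a POSIX shell check that classifies the certificate named in the FATAL line above by its remaining lifetime, so that an approaching expiry is noticed before a restart fails. The 30-day threshold, the `cert_status` function name and the `--check` switch are assumptions; only standard `openssl x509` options are used.

```shell
#!/bin/sh
# Added example: report whether a PEM certificate is ok, expiring soon,
# already expired, or unreadable. The default path is the one printed in
# the pfcmd FATAL message; the 30-day warning window is an assumption.

CERT="${CERT:-/usr/local/pf/raddb/certs/server.crt}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status FILE [WARN_DAYS]
# Prints:  ok | expiring | expired | unreadable
# Returns: 0  | 1        | 2       | 3
cert_status() {
    file=$1
    warn_days=${2:-30}

    # Missing file, empty file, or not an X.509 certificate.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable
        return 3
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds;
    # N=0 therefore means "already expired".
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 2
    fi
    if ! openssl x509 -in "$file" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo expiring
        return 1
    fi
    echo ok
    return 0
}

# Run as "script --check" (for example from cron); the exit code carries the status.
if [ "${1:-}" = "--check" ]; then
    status=$(cert_status "$CERT" "$WARN_DAYS")
    rc=$?
    # Show the notAfter date whenever the file could be parsed.
    [ "$rc" -ne 3 ] && openssl x509 -in "$CERT" -noout -enddate
    echo "$CERT: $status"
    exit "$rc"
fi
```
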


Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Ludovic Zammit via PacketFence-users
Hello,

If you are doing machine authentication with auto registration, you can not 
switch a node role because it will be recomputed on every radius request.

You could use the bypass role if you want to drop the device into a specific 
role. You will find it under Nodes > MAC > Bypass Role.

For your AD source, if you are doing machine authentication on a Microsoft AD, 
make sure that you are checking the correct LDAP attribute.

Username Attribute = servicePrincipalName

Thanks,
Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 



> On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl  wrote:
> 
> Hi Ludovic. Thanks. I'm using machine authentication against active 
> directory. Right now I'm trying to get a catch all rule to assign a role just 
> to make sure I have that part working, so that I can ultimately assign 
> different roles according to the OU that the machine account resides in. 
> Right now I'm not testing for the ou, just assigning a role to test that my 
> rule works.
> 
> In the packetfence log I see the authentication success, but no role 
> assignment. 
> 
> Machine auth works, as I can autoregister and I get on the management 
> network, but any role I put in the authentication rule doesn't get assigned 
> to the machine.
> 
> Thanks
> Darryl
> 
> 
> 
> 
>  Original message 
> From: Ludovic Zammit via PacketFence-users 
> 
> Date: 8/14/17 7:47 AM (GMT-05:00)
> To: packetfence-users@lists.sourceforge.net
> Cc: Ludovic Zammit 
> Subject: Re: [PacketFence-users] Machine authentication not getting role
> 
> PS: /usr/local/pf/bin/pftest authentication username password
> 
> You can put "" if you don't want to display the password in the CLI.
> 
> Thanks,
> Ludovic Zammit
> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
> www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
> ) and PacketFence (http://packetfence.org 
> ) 
> 
> 
> 
>> On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users wrote:
>> 
>> Hello,
>> 
>> Are you doing user authentication ? If yes, please check the tool 
>> /usr/local/pf/bin/pftest username password you will see if your username 
>> bring any access settings.
>> 
>> If you check in the /usr/local/pf/logs/packetfence.log you should be able to 
>> see all the action taken after the radius request.
>> 
>> Thanks,
>> Ludovic Zammit
>> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) :: 
>>  www.inverse.ca 
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
>> ) and PacketFence (http://packetfence.org 
>> ) 
>> 
>> 
>> 
>>> On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users wrote:
>>> 
>>> Hi everyone,
>>> Can anyone help me with this please?
>>> I have the machine authentication source looking at active directory,  and 
>>> a rule to assign role and access duration.
>>> I am able to automatically register the device via machine authentication, 
>>> but I can’t get the role assigned when it registers.
>>> On the switch I see 
>>> %AUTHMGR-5-START: Starting 'dot1x' for client
>>> %DOT1X-5-SUCCESS: Authentication successful for client
>>> %AUTHMGR-5-SUCCESS: Authorization succeeded for client
>>>  
>>> But the role is not sent.
>>>  
>>> Raddebug shows the correct realm is identified and used, and the machine 
>>> authentication source is defined in the realm.
>>>  
>>> In the nodes in packetfence, I see the node is registered with the owner as 
>>> the machine name but no role is assigned.
>>>  
>>> I don’t know what I’m missing.
>>>  
>>> Thanks
>>> Darryl
>>>  

Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Sokolowski, Darryl via PacketFence-users



Hi Ludovic. Thanks. I'm using machine authentication against active directory. Right now I'm trying to get a catch all rule to assign a role just to make sure I have that part working, so that I can ultimately assign different roles according to the OU that the machine account resides in. Right now I'm not testing for the ou, just assigning a role to test that my rule works.


In the packetfence log I see the authentication success, but no role assignment. 


Machine auth works, as I can autoregister and I get on the management network, but any role I put in the authentication rule doesn't get assigned to the machine.


Thanks
Darryl










 Original message 
From: Ludovic Zammit via PacketFence-users 

Date: 8/14/17 7:47 AM (GMT-05:00) 
To: packetfence-users@lists.sourceforge.net 
Cc: Ludovic Zammit  
Subject: Re: [PacketFence-users] Machine authentication not getting role 


PS: /usr/local/pf/bin/pftest authentication username password


You can put "" if you don't want to display the password in the CLI.



Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) 








On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users  wrote:


Hello,


Are you doing user authentication ? If yes, please check the tool /usr/local/pf/bin/pftest username password you will see if your username bring any access settings.


If you check in the /usr/local/pf/logs/packetfence.log you should be able to see all the action taken after the radius request.



Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) 








On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users  wrote:




Hi everyone,

Can anyone help me with this please?

I have the machine authentication source looking at active directory,  and a rule to assign role and access duration.

I am able to automatically register the device via machine authentication, but I can’t get the role assigned when it registers.

On the switch I see 

%AUTHMGR-5-START: Starting 'dot1x' for client

%DOT1X-5-SUCCESS: Authentication successful for client

%AUTHMGR-5-SUCCESS: Authorization succeeded for client

 

But the role is not sent.

 

Raddebug shows the correct realm is identified and used, and the machine authentication source is defined in the realm.

 

In the nodes in packetfence, I see the node is registered with the owner as the machine name but no role is assigned.

 

I don’t know what I’m missing.

 

Thanks

Darryl

 



Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Ludovic Zammit via PacketFence-users
Hello,

Are you doing user authentication? If yes, please check the tool 
/usr/local/pf/bin/pftest username password; you will see if your username brings 
any access settings.

If you check in the /usr/local/pf/logs/packetfence.log you should be able to 
see all the action taken after the radius request.

Thanks,
Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 



> On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users wrote:
> 
> Hi everyone,
> Can anyone help me with this please?
> I have the machine authentication source looking at active directory,  and a 
> rule to assign role and access duration.
> I am able to automatically register the device via machine authentication, 
> but I can’t get the role assigned when it registers.
> On the switch I see 
> %AUTHMGR-5-START: Starting 'dot1x' for client
> %DOT1X-5-SUCCESS: Authentication successful for client
> %AUTHMGR-5-SUCCESS: Authorization succeeded for client
>  
> But the role is not sent.
>  
> Raddebug shows the correct realm is identified and used, and the machine 
> authentication source is defined in the realm.
>  
> In the nodes in packetfence, I see the node is registered with the owner as 
> the machine name but no role is assigned.
>  
> I don’t know what I’m missing.
>  
> Thanks
> Darryl
>  