[PacketFence-users] PF 7.2 +PF-PKI Android Provisioning questions

2017-08-31 Thread Rokkhan via PacketFence-users
Hi,

I am trying to configure a BYOD connection profile.

I have created a connection profile with a chained portal module that first
asks users to authenticate against an external LDAP source and then
shows a provisioning portal module that generates a user certificate and
then configures another SSID with EAP-TLS and the given certificate for
Android and iOS.

The connection profile works well: it authenticates users, shows the
provisioning module where the certificate is generated, and shows a button
to install the wireless profile that launches PacketFence's Android app,
installs the CA and user certificate on the device, disconnects the user
from the current SSID and changes to the new SSID, authenticating the user over
EAP-TLS with the generated certificate. But in Nodes the device has not been
registered, nor assigned to a role, nor assigned to the authenticated user.
I have to connect back to the original SSID, where the Android
provisioning module is shown again, and click the “continue” button to register,
assign the role and assign the user.

What am I doing wrong? Can this not be done automatically?

Here is the configuration of the profile and modules…

Thanks in advance!

profiles.conf
[BYOD]
locale=
root_module=Root_Byod
filter=ssid:ATARIA
description=Portal BYOD
logo=/common/logo.png
block_interval=10s
provisioners=Android_GerBYOD,IOS_GerBYOD

…

portal_modules.conf
[Byod]
skipable=enabled
actions=set_role(Byod),set_unregdate(2030-05-31)
type=Provisioning
description=Byod

[Login_Byod]
actions=set_role(Byod),set_unregdate(2030-05-31)
custom_fields=
description=Portal de Autenticacion para usuarios BYOD
with_aup=0
signup_template=signin.html
pid_field=username
aup_template=aup_text.html
type=Authentication::Login
source_id=metaldap

[chain_byod]
modules=Login_Byod,Byod
actions=
type=Chained
description=chain_byod

[Root_Byod]
modules=chain_byod
type=Root
description=Portal BYOD



provisioning.conf
[android]
type=android
description=android provisioner

[ios]
type=mobileconfig
description=mobileconfig provisioner

[accept]
type=accept
description=accept provisioner

[deny]
type=deny
description=deny provisioner

[Android_GerBYOD]
eap_type=13
can_sign_profile=0
security_type=WPA
broadcast=1
oses=
type=android
category=Byod
pki_provider=EAP-TLS_PacketFence
ssid=GerBYOD

[IOS_GerBYOD]
broadcast=1
oses=
category=Byod
eap_type=13
can_sign_profile=0
security_type=WPA
type=mobileconfig
ssid=GerBYOD
pki_provider=EAP-TLS_PacketFence
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] PF 7.2 +PF-PKI Android Provisioning questions

2017-08-31 Thread Rokkhan via PacketFence-users
Hi,

I am trying to configure a BYOD connection profile.
The profile works but devices are not registered automatically.

I have created a connection profile with a chained portal module that first
asks users to authenticate against an external LDAP source and then
shows a provisioning portal module where I have published provisioning
profiles for Android & Apple devices.

Connection Profile BYOD


[PacketFence-users] Captive Portal with WLC5500 ( 7.0 )

2017-08-31 Thread Luís Torres via PacketFence-users
 

Hello fellows,

I suppose in this version of the WLC (7.0) I can't use RADIUS NAC without
using WPA2. However, I'm using the layer 3 security to redirect to the
PacketFence captive portal.

Can you tell me why the devices always go to the node MAC 00:11:22:33:44:55?
Everything now works fine but I always get this error in the logs:

Aug 31 11:11:16 packetfence packetfence_httpd.portal: httpd.portal(42936) WARN: [mac:00:11:22:33:44:55] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)

I checked in the locationlog table and it isn't there... also I deleted it from
nodes but it always comes back.

LT 


Re: [PacketFence-users] Packetfence 7.2.0 Cannot set authentication rules in radius source.

2017-08-31 Thread Tomasz Karczewski via PacketFence-users
Packetfence 7.1.0 version has no problems with that.

Maybe it's some kind of bug?

 

From: Tomasz Karczewski via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Wednesday, August 30, 2017 1:06 PM
To: packetfence-users@lists.sourceforge.net
Cc: Tomasz Karczewski
Subject: [PacketFence-users] Packetfence 7.2.0 Cannot set authentication
rules in radius source.

 

Hi,

I'm deploying a new version of PacketFence, and when I add a new RADIUS
authentication source and set authentication rules I get the message "Error! An
error condition has occured. See server side logs for details."

Logs from httpd.admin.log are as follows:

 

Aug 30 09:01:33 PacketFence-ZEN httpd_admin: httpd.admin(2349) ERROR: [mac:unknown] Caught exception in pfappserver::Controller::Config::Source->update "Attribute (timeout) does not pass the type constraint because: Validation failed for 'Maybe[Int]' with value  at constructor pf::Authentication::Source::RADIUSSource::new (defined at /usr/local/pf/lib/pf/Authentication/Source/RADIUSSource.pm line 233) line 136.
pf::Authentication::Source::RADIUSSource::new('pf::Authentication::Source::RADIUSSource', 'HASH(0x7ffb9b826ae8)') called at /usr/local/pf/lib/pf/authentication.pm line 121
pf::authentication::newAuthenticationSource('RADIUS', 'source', 'HASH(0x7ffb9b826530)') called at /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Source.pm line 346
pfappserver::Form::Config::Source::get_source('pfappserver::Form::Config::Source::RADIUS=HASH(0x7ffb9b6ee2a0)') called at /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Field/SourceRuleCondition.pm line 72
pfappserver::Form::Field::SourceRuleCondition::options_attributes('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at native delegation method HTML::FormHandler::Field::Select::get_options (execute_method) of attribute options_method (defined at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 52) line 3
HTML::FormHandler::Field::Select::get_options('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 265
HTML::FormHandler::Field::Select::_load_options('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 251
HTML::FormHandler::Field::Select::_result_from_input('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b825ed0)', 'username', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/InitResult.pm line 59
HTML::FormHandler::InitResult::_result_from_input('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Compound.pm line 74
Class::MOP::Class:::around('CODE(0x7ffb798c81c0)', 'pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 162
Class::MOP::Method::Wrapped::__ANON__('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 91
HTML::FormHandler::Field::Compound::_result_from_input('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Repeatable.pm line 159
HTML::FormHandler::Field::Repeatable::_result_from_input('pfappserver::Form::Field::DynamicList::18=HASH(0x7ffb9b814880)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b81d618)', 'ARRAY(0x7ffb9b73e940)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/InitResult.pm line 59
HTML::FormHandler::InitResult::_result_from_input('pfappserver::Form::Field::SourceRule::21=HASH(0x7ffb9b49cba0)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b793108)', 'HASH(0x7ffb9b761180)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Compound.pm line 74
Class::MOP::Class:::around('CODE(0x7ffb798c81c0)', 'pfappserver::Form::Field::SourceRule::21=HASH(0x7ffb9b49cba0)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b793108)', 'HASH(0x7ffb9b761180)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 162
Class::MOP::Method::Wrapped::__ANON__('pfappserver::Form::Field::SourceRule::21=HASH(0x7ffb9b49cba0)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b793108)', 'HASH(0x7ffb9b761180)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 91
 

Re: [PacketFence-users] Restricting users to specific interfaces In-Line setup

2017-08-31 Thread Fabrice Durand via PacketFence-users
Hello Michael,

You will have to play with the iptables rules.

Check conf/iptables.conf and the current rules in
var/conf/iptables.conf; you will see what to do.

Also have a look at ipset -L; there is an ipset session for each
different network / role.

Regards

Fabrice



On 2017-08-31 at 04:55, HD | Michael Westergaard via PacketFence-users wrote:
>
> Hi All
>
> We have a specific scenario where wireless network equipment does not
> support out-of-band mode with PacketFence.
>
> We want to do the following with the PacketFence server using multiple
> in-line interfaces on different VLANs if it is possible.
>
> Guest (VLAN20) on eth1 in-line mode PacketFence connected with
> Wireless AP with SSID in VLAN 20
>
> These users must only register to this interface and are able to access
> the internet only.
>
> Production (VLAN30) on eth2 in-line mode PacketFence connected with
> Wireless AP with SSID in VLAN 30
>
> Internal users are able to access internal resources, but we want to
> restrict them to not allow any mobile device.
>
> It seems to me that user groups are not able to accomplish this
> design. Is it even possible or do you have other suggestions? The
> PacketFence server will be in routed mode to make ACLs easier.
>
> Best
>
> Mike
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

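As an added illustration of the direction Fabrice points at (an example script, not PacketFence's own conf/iptables.conf rules): FORWARD rules that tie each inline interface to its own ipset, so that guest clients on eth1 reach only the Internet and only production clients are forwarded from eth2. The ipset names, the internal ranges and the IPTABLES variable (set to echo for a dry run) are assumptions.

```shell
#!/bin/sh
# Added example, not PacketFence's generated rules. Assumptions: the guest and
# production clients are tracked in ipsets named by PF_GUEST_SET / PF_PROD_SET
# (placeholders; use the names that `ipset -L` shows), INTERNAL_NETS lists the
# ranges guests must not reach, and IPTABLES can be pointed at `echo` for a dry run.
IPTABLES="${IPTABLES:-iptables}"
PF_GUEST_SET="${PF_GUEST_SET:-pf_inline_guest}"
PF_PROD_SET="${PF_PROD_SET:-pf_inline_prod}"
INTERNAL_NETS="${INTERNAL_NETS:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"

# guest_rules IFACE: registered guests on IFACE may forward anywhere except the
# internal ranges (dropped first, before the accept); anything else arriving on
# that interface is dropped.
guest_rules() {
    iface=$1
    for net in $INTERNAL_NETS; do
        "$IPTABLES" -A FORWARD -i "$iface" -m set --match-set "$PF_GUEST_SET" src \
            -d "$net" -j DROP
    done
    "$IPTABLES" -A FORWARD -i "$iface" -m set --match-set "$PF_GUEST_SET" src -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$iface" -j DROP
}

# prod_rules IFACE: only members of the production set are forwarded, and only
# when they arrive on IFACE, so a guest device moved onto VLAN 30 stays blocked.
prod_rules() {
    iface=$1
    "$IPTABLES" -A FORWARD -i "$iface" -m set --match-set "$PF_PROD_SET" src -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$iface" -j DROP
}

# rule_count IFACE FUNC TARGET: number of rules FUNC would add for IFACE with the
# given jump target, taken from a dry run in a subshell (self-check helper).
rule_count() {
    ( IPTABLES=echo; "$2" "$1" ) | grep -c -- "-j $3"
}

# Usage: sh inline_rules.sh eth1 eth2   (prefix with IPTABLES=echo to preview)
if [ $# -eq 2 ]; then
    guest_rules "$1"
    prod_rules "$2"
fi
```

Review the generated list against `iptables -S FORWARD` on the PacketFence host before adopting it, since PacketFence rewrites var/conf/iptables.conf on restart.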


Re: [PacketFence-users] domain trouble shooting commands fail

2017-08-31 Thread Jon Falconer via PacketFence-users
Fabrice,

If I understand your question, yes, there are several winbind processes running:

root  7006 14.0  0.2 430736 182228 ?   Ss   14:17   0:04 winbindd-wrapper
root  8653  0.0  0.0  52120  3680 ?    S    14:18   0:00 sudo chroot /chroots/PUCAD /usr/sbin/winbindd -s /etc/samba/PUCAD.conf -l /var/log/sambaPUCAD --foreground
root  8654  0.0  0.0 243960  7776 ?    R    14:18   0:00 /usr/sbin/winbindd -s /etc/samba/PUCAD.conf -l /var/log/sambaPUCAD --foreground

And in the PF management web portal, Status > Services indicates that winbindd 
is started.

Jon

-Original Message-
From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Wednesday, August 30, 2017 5:48 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] domain trouble shooting commands fail

Hello Jon,

Does winbind run?

Regards

Fabrice



On 2017-08-28 at 23:19, Jon Falconer via PacketFence-users wrote:
> Greetings all,
>
> I have done a fresh install of PacketFence 7.2.0, and in configuring it, 
> have set up an Active Directory domain join. PacketFence seems to think that 
> the domain join succeeded since it says "Test join succeed!" for the domain 
> (the only domain) configured on the Configuration > Policies and Access 
> Control > Active Directory Domains page. However, when I run the 
> troubleshooting commands listed on page 34 of the Administration Guide for version 
> 7.2.0, I get the following results:
>
> root@pf2:/etc/samba# chroot /chroots/PUCAD/ wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> root@pf2:/etc/samba#
>
> root@pf2:/etc/samba# chroot /chroots/PUCAD/ ntlm_auth --username=joetest
> Password:
> could not obtain winbind separator!
> Reading winbind reply failed! (0x01)
> :  (0x0)
> root@pf2:/etc/samba#
>
> This is all running on Debian 8 with all updates as of mid August 2017.
>
> ---domain.conf---
> root@pf2:/usr/local/pf/conf# cat domain.conf
> [PUCAD]
> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
> registration=0
> sticky_dc=10.xxx.yyy.zzz
> ou=Computers
> ntlm_cache_batch_one_at_a_time=disabled
> ad_server=10. xxx.yyy.zzz
> dns_name=puc.edu
> ntlm_cache_expiry=3600
> bind_dn=
> workgroup=PUC
> ntlm_cache_batch=disabled
> bind_pass=
> ntlm_cache=disabled
> server_name=%h
> ntlm_cache_on_connection=disabled
> dns_servers=10. xxx.yyy.zzz
> root@pf2:/usr/local/pf/conf#
>
>
> ---realm.conf---
> root@pf2:/usr/local/pf/conf# cat realm.conf
> [DEFAULT]
> source=PUC_AD1
> domain=PUCAD
> options=strip
> root@pf2:/usr/local/pf/conf#
>
>
> Any other info needed to diagnose this problem?
>
> Thanks,
>
> Jon
>




[PacketFence-users] {Disarmed} Re: Sponsor email validation

2017-08-31 Thread Luís Torres via PacketFence-users
 

Hello Kehinde,

the hostname "packetfence" is mapped to an internal
IP. What do you mean by reachable over the internet?

thank you

On 2017-08-30 18:37, Akala Kehinde wrote:

> Hello Luis,
>
> Your PF server needs to be reachable over the internet.
>
> Regards,
> Kehinde
>
> On Wed, Aug 30, 2017 at 3:49 PM, Luís Torres via PacketFence-users wrote:
>
>> Hello,
>>
>> I'm a rookie on PacketFence configuration. I'm facing a "problem"
>> regarding the sponsor validation email.
>>
>> Everything works fine until I received (as a sponsor) an email to validate
>> the guest access. When I hit the button it redirects to a URL (ex
>> https://packetfence/activate/email/sponsor/74696188aa93e8abdf64ad1016d7962c
>> ) but it doesn't work.
>>
>> I checked the open ports and I got:
>>
>> tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN
>> tcp 0 0 10.1.2.130:443 0.0.0.0:* LISTEN
>> tcp 0 0 10.1.2.130:1443 0.0.0.0:* LISTEN
>> tcp 0 0 10.252.2.45:1443 0.0.0.0:* LISTEN
>>
>> I manually changed the packetfence url with the 10.1.2.130 but it still
>> doesn't work...
>>
>> Can you point me in some direction?
>>
>> regards to all
>>
>> LT


[PacketFence-users] Restricting users to specific interfaces In-Line setup

2017-08-31 Thread HD | Michael Westergaard via PacketFence-users
Hi All

We have a specific scenario where wireless network equipment does not
support out-of-band mode with PacketFence.

We want to do the following with the PacketFence server using multiple
in-line interfaces on different VLANs if it is possible.

Guest (VLAN20) on eth1 in-line mode PacketFence connected with Wireless AP
with SSID in VLAN 20

These users must only register to this interface and are able to access
the internet only.

Production (VLAN30) on eth2 in-line mode PacketFence connected with Wireless
AP with SSID in VLAN 30

Internal users are able to access internal resources, but we want to
restrict them to not allow any mobile device.

It seems to me that user groups are not able to accomplish this design. Is
it even possible or do you have other suggestions? The PacketFence server
will be in routed mode to make ACLs easier.

Best

Mike
