[PacketFence-users] PF 7.2 +PF-PKI Android Provisioning questions
Hi,

I am trying to configure a BYOD connection profile. I have created a connection profile with a chained portal module that first asks users to authenticate against an external LDAP source and then shows a provisioning portal module that generates a user certificate and then configures another SSID with EAP-TLS and the given certificate for Android and iOS.

The connection profile works well: it authenticates users, shows the provisioning module where the certificate is generated, and shows a button to install the wireless profile that launches PacketFence's Android app, installs the CA and user certificate on the device, disconnects the user from the current SSID and changes to the new SSID, authenticating the user over EAP-TLS with the generated certificate. But in Nodes the device has not been registered, nor assigned to a role, nor assigned to the authenticated user. I have to connect back to the original SSID, where the Android provisioning module is shown again, and click the "continue" button to register, assign the role and assign the user.

What am I doing wrong? Can this not be done automatically? Here is the configuration of the profile, modules...

Thanks in advance!
profiles.conf

[BYOD]
locale=
root_module=Root_Byod
filter=ssid:ATARIA
description=Portal BYOD
logo=/common/logo.png
block_interval=10s
provisioners=Android_GerBYOD,IOS_GerBYOD
...

portal_modules.conf

[Byod]
skipable=enabled
actions=set_role(Byod,set_unregdate(2030-05-31)
type=Provisioning
description=Byod

[Login_Byod]
actions=set_role(Byod),set_unregdate(2030-05-31)
custom_fields=
description=Portal de Autenticacion para usuarios BYOD
with_aup=0
signup_template=signin.html
pid_field=username
aup_template=aup_text.html
type=Authentication::Login
source_id=metaldap

[chain_byod]
modules=Login_Byod,Byod
actions=
type=Chained
description=chain_byod

[Root_Byod]
modules=chain_byod
type=Root
description=Portal BYOD

provisioning.conf

[android]
type=android
description=android provisioner

[ios]
type=mobileconfig
description=mobileconfig provisioner

[accept]
type=accept
description=accept provisioner

[deny]
type=deny
description=deny provisioner

[Android_GerBYOD]
eap_type=13
can_sign_profile=0
security_type=WPA
broadcast=1
oses=
type=android
category=Byod
pki_provider=EAP-TLS_PacketFence
ssid=GerBYOD

[IOS_GerBYOD]
broadcast=1
oses=
category=Byod
eap_type=13
can_sign_profile=0
security_type=WPA
type=mobileconfig
ssid=GerBYOD
pki_provider=EAP-TLS_PacketFence

--
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
[PacketFence-users] PF 7.2 +PF-PKI Android Provisioning questions
Hi,

I am trying to configure a BYOD connection profile. The profile works but devices are not registered automatically. I have created a connection profile with a chained portal module that first asks users to authenticate against an external LDAP source and then shows a provisioning portal module where I have published provisioning profiles for Android & Apple devices.

Connection Profile BYOD
[PacketFence-users] Captive Portal with WLC5500 ( 7.0 )
Hello fellows,

I suppose in this version of the WLC (7.0) I can't use RADIUS NAC without using WPA2. However, I'm using the layer 3 security to redirect to the PacketFence captive portal. Can you tell me why the devices always go to the node MAC 00:11:22:33:44:55? Everything now works fine but I always get this error in the logs:

Aug 31 11:11:16 packetfence packetfence_httpd.portal: httpd.portal(42936) WARN: [mac:00:11:22:33:44:55] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)

I checked in the locationlog table and it isn't there... I also deleted it from nodes but it always came back.

LT
Re: [PacketFence-users] Packetfence 7.2.0 Cannot set authentication rules in radius source.
Packetfence version 7.1.0 has no problems with that. Maybe it's some kind of bug?

From: Tomasz Karczewski via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, August 30, 2017 1:06 PM
To: packetfence-users@lists.sourceforge.net
Cc: Tomasz Karczewski
Subject: [PacketFence-users] Packetfence 7.2.0 Cannot set authentication rules in radius source.

Hi,

I'm deploying the new version of PacketFence, and when I add a new RADIUS authentication source and set authentication rules I get the message "Error! An error condition has occured. See server side logs for details." Logs from httpd.admin.log are as follows:

Aug 30 09:01:33 PacketFence-ZEN httpd_admin: httpd.admin(2349) ERROR: [mac:unknown] Caught exception in pfappserver::Controller::Config::Source->update "Attribute (timeout) does not pass the type constraint because: Validation failed for 'Maybe[Int]' with value  at constructor pf::Authentication::Source::RADIUSSource::new (defined at /usr/local/pf/lib/pf/Authentication/Source/RADIUSSource.pm line 233) line 136.
  pf::Authentication::Source::RADIUSSource::new('pf::Authentication::Source::RADIUSSource', 'HASH(0x7ffb9b826ae8)') called at /usr/local/pf/lib/pf/authentication.pm line 121
  pf::authentication::newAuthenticationSource('RADIUS', 'source', 'HASH(0x7ffb9b826530)') called at /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Source.pm line 346
  pfappserver::Form::Config::Source::get_source('pfappserver::Form::Config::Source::RADIUS=HASH(0x7ffb9b6ee2a0)') called at /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Field/SourceRuleCondition.pm line 72
  pfappserver::Form::Field::SourceRuleCondition::options_attributes('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at native delegation method HTML::FormHandler::Field::Select::get_options (execute_method) of attribute options_method (defined at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 52) line 3
  HTML::FormHandler::Field::Select::get_options('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 265
  HTML::FormHandler::Field::Select::_load_options('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 251
  HTML::FormHandler::Field::Select::_result_from_input('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b825ed0)', 'username', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/InitResult.pm line 59
  HTML::FormHandler::InitResult::_result_from_input('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Compound.pm line 74
  Class::MOP::Class:::around('CODE(0x7ffb798c81c0)', 'pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 162
  Class::MOP::Method::Wrapped::__ANON__('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 91
  HTML::FormHandler::Field::Compound::_result_from_input('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Repeatable.pm line 159
  HTML::FormHandler::Field::Repeatable::_result_from_input('pfappserver::Form::Field::DynamicList::18=HASH(0x7ffb9b814880)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b81d618)', 'ARRAY(0x7ffb9b73e940)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/InitResult.pm line 59
  HTML::FormHandler::InitResult::_result_from_input('pfappserver::Form::Field::SourceRule::21=HASH(0x7ffb9b49cba0)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b793108)', 'HASH(0x7ffb9b761180)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Compound.pm line 74
  Class::MOP::Class:::around('CODE(0x7ffb798c81c0)', 'pfappserver::Form::Field::SourceRule::21=HASH(0x7ffb9b49cba0)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b793108)', 'HASH(0x7ffb9b761180)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 162
  Class::MOP::Method::Wrapped::__ANON__('pfappserver::Form::Field::SourceRule::21=HASH(0x7ffb9b49cba0)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b793108)', 'HASH(0x7ffb9b761180)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 91
Re: [PacketFence-users] Restricting users to specific interfaces In-Line setup
Hello Michael,

you will have to play with the iptables rules. Check conf/iptables.conf and the current rules in var/conf/iptables.conf; you will see what to do. Also have a look at ipset -L, there is an ipset session for each different network / role.

Regards
Fabrice

On 2017-08-31 at 04:55, HD | Michael Westergaard via PacketFence-users wrote:
> Hi All
>
> We have a specific scenario where wireless network equipment does not support out-of-band mode with PacketFence.
>
> We want to do the following with the PacketFence server using multiple in-line interfaces on different VLANs, if it is possible.
>
> Guest (VLAN20) on eth1, in-line mode PacketFence connected with a wireless AP with SSID in VLAN 20. These users must only register to this interface and are able to access the internet only.
>
> Production (VLAN30) on eth2, in-line mode PacketFence connected with a wireless AP with SSID in VLAN 30. Internal users are able to access internal resources, but we want to restrict them to not allow any mobile device.
>
> It seems to me that user groups are not able to accomplish this design. Is it even possible or do you have other suggestions? The PacketFence server will be in routed mode to make ACLs easier.
>
> Best
>
> Mike

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Re: [PacketFence-users] domain trouble shooting commands fail
Fabrice,

If I understand your question, yes, there are several winbind processes running:

root 7006 14.0 0.2 430736 182228 ? Ss 14:17 0:04 winbindd-wrapper
root 8653 0.0 0.0 52120 3680 ? S 14:18 0:00 sudo chroot /chroots/PUCAD /usr/sbin/winbindd -s /etc/samba/PUCAD.conf -l /var/log/sambaPUCAD --foreground
root 8654 0.0 0.0 243960 7776 ? R 14:18 0:00 /usr/sbin/winbindd -s /etc/samba/PUCAD.conf -l /var/log/sambaPUCAD --foreground

And in the PF management web portal, Status > Services indicates that winbindd is started.

Jon

-----Original Message-----
From: Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, August 30, 2017 5:48 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] domain trouble shooting commands fail

Hello Jon,

does winbind run?

Regards
Fabrice

On 2017-08-28 at 23:19, Jon Falconer via PacketFence-users wrote:
> Greetings all,
>
> I have done a fresh install of PacketFence 7.2.0, and in configuring it, have set up an Active Directory domain join. PacketFence seems to think that the domain join succeeded since it says "Test join succeed!" for the domain (the only domain) configured on the Configuration > Policies and Access Control > Active Directory Domains page. However, when I run the troubleshooting commands listed on page 34 of the Administration Guide for version 7.2.0, I get the following results:
>
> root@pf2:/etc/samba# chroot /chroots/PUCAD/ wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> root@pf2:/etc/samba#
>
> root@pf2:/etc/samba# chroot /chroots/PUCAD/ ntlm_auth --username=joetest
> Password:
> could not obtain winbind separator!
> Reading winbind reply failed! (0x01)
> : (0x0)
> root@pf2:/etc/samba#
>
> This is all running on Debian 8 with all updates as of mid August 2017.
>
> ---domain.conf---
> root@pf2:/usr/local/pf/conf# cat domain.conf
> [PUCAD]
> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
> registration=0
> sticky_dc=10.xxx.yyy.zzz
> ou=Computers
> ntlm_cache_batch_one_at_a_time=disabled
> ad_server=10.xxx.yyy.zzz
> dns_name=puc.edu
> ntlm_cache_expiry=3600
> bind_dn=
> workgroup=PUC
> ntlm_cache_batch=disabled
> bind_pass=
> ntlm_cache=disabled
> server_name=%h
> ntlm_cache_on_connection=disabled
> dns_servers=10.xxx.yyy.zzz
> root@pf2:/usr/local/pf/conf#
>
> ---realm.conf---
> root@pf2:/usr/local/pf/conf# cat realm.conf
> [DEFAULT]
> source=PUC_AD1
> domain=PUCAD
> options=strip
> root@pf2:/usr/local/pf/conf#
>
> Any other info needed to diagnose this problem?
>
> Thanks,
>
> Jon

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
[PacketFence-users] {Disarmed} Re: Sponsor email validation
Hello Kehinde,

the hostname "packetfence" is mapped to an internal IP. What do you mean by reachable over the internet?

thank you

On 2017-08-30 18:37, Akala Kehinde wrote:
> Hello Luis,
>
> Your PF server needs to be reachable over the internet.
>
> Regards,
> Kehinde
>
> On Wed, Aug 30, 2017 at 3:49 PM, Luís Torres via PacketFence-users wrote:
>
>> Hello,
>>
>> I'm a rookie on PacketFence configuration. I am facing a "problem" regarding the sponsor validation email.
>>
>> Everything works fine until I receive (as a sponsor) an email to validate the guest access. When I hit the button it redirects to a URL (e.g. https://packetfence/activate/email/sponsor/74696188aa93e8abdf64ad1016d7962c) but it doesn't work.
>>
>> I checked the open ports and I got:
>>
>> tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN
>> tcp 0 0 10.1.2.130:443 0.0.0.0:* LISTEN
>> tcp 0 0 10.1.2.130:1443 0.0.0.0:* LISTEN
>> tcp 0 0 10.252.2.45:1443 0.0.0.0:* LISTEN
>>
>> I manually changed the packetfence URL to 10.1.2.130 but it still doesn't work...
>>
>> Can you point me in some directions?
>>
>> regards to all
>>
>> LT
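A pre-flight check for the problem in this thread, added here as an example (it is not code from the thread or from PacketFence): given a sponsor activation link, it resolves the host and classifies the address, so an administrator can see before sending invitations that a name mapped to an internal IP, like the poster's "packetfence", will not be reachable by a sponsor who reads the mail off-site. The resolver is injectable; the DNS mapping below is constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS mapping that mirrors the thread: the name "packetfence"
# points at an internal address, which is what the poster reported.
FAKE_DNS = {"packetfence": "10.1.2.130"}


def fake_resolver(host):
    """Offline stand-in for socket.gethostbyname (constructed for this example)."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"unknown host {host!r}")


def classify_activation_url(url, resolve=socket.gethostbyname):
    """Return (host, port, address, verdict) for a sponsor activation link.

    verdict is one of:
      'unresolvable' - the name has no record from where the check runs
      'loopback'     - only reachable on the PF server itself
      'private'      - RFC 1918, link-local or otherwise non-routable:
                       reachable only from inside the network
      'global'       - publicly routable, so an off-site sponsor can reach it
    A 'global' verdict still needs the port to be allowed through the firewall.
    """
    parts = urlsplit(url)
    host = parts.hostname
    # The portal is served over HTTPS by default; honour an explicit port.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if not host:
        return (None, port, None, "unresolvable")
    try:
        # A literal IP (like the 10.1.2.130 the poster substituted) needs no DNS.
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except OSError:  # socket.gaierror is a subclass of OSError
            return (host, port, None, "unresolvable")
    if addr.is_loopback:
        verdict = "loopback"
    elif addr.is_global:
        verdict = "global"
    else:
        verdict = "private"
    return (host, port, str(addr), verdict)


if __name__ == "__main__":
    # The link from the thread, checked against the constructed resolver.
    link = "https://packetfence/activate/email/sponsor/74696188aa93e8abdf64ad1016d7962c"
    print(classify_activation_url(link, resolve=fake_resolver))
```

Run it without the `resolve` argument on the PF server and again from a host outside the network: the activation link only works for sponsors if the second run reports 'global' for the name and port the mail actually carries.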
[PacketFence-users] Restricting users to specific interfaces In-Line setup
Hi All

We have a specific scenario where wireless network equipment does not support out-of-band mode with PacketFence.

We want to do the following with the PacketFence server using multiple in-line interfaces on different VLANs, if it is possible.

Guest (VLAN20) on eth1, in-line mode PacketFence connected with a wireless AP with SSID in VLAN 20. These users must only register to this interface and are able to access the internet only.

Production (VLAN30) on eth2, in-line mode PacketFence connected with a wireless AP with SSID in VLAN 30. Internal users are able to access internal resources, but we want to restrict them to not allow any mobile device.

It seems to me that user groups are not able to accomplish this design. Is it even possible or do you have other suggestions? The PacketFence server will be in routed mode to make ACLs easier.

Best

Mike