Re: [PacketFence-users] DHCP service not listed

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hello,

this is normal, the dhcp can run only on 2 of them.

Regards

Fabrice



On 2017-11-17 at 14:35, Tobias Friede via PacketFence-users wrote:
> Hi,
>
> I have the same problem, maybe that behavior is normal?
>
> My Cluster is a PF 7.2 Cluster. 
>
> Greetings
> Tobias
>
> 2017-11-17 16:34 GMT+01:00 Stephen Appleby via PacketFence-users:
>
> I've created a 3 node PF cluster. On one of the nodes DHCP is not
> listed as a service on the Status-Services page, and on the
> cluster status page that node's DHCP service status shows unknown.
> If I run 'pfcmd service pf restart' on that node it doesn't list
> the DHCP service either.
>
>
> Any idea as to what the problem might be?
>
>
>
> Stephen 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] DHCP service not listed

2017-11-17 Thread Tobias Friede via PacketFence-users
Hi,

I have the same problem, maybe that behavior is normal?

My Cluster is a PF 7.2 Cluster.

Greetings
Tobias

2017-11-17 16:34 GMT+01:00 Stephen Appleby via PacketFence-users <
packetfence-users@lists.sourceforge.net>:

> I've created a 3 node PF cluster. On one of the nodes DHCP is not listed
> as a service on the Status-Services page, and on the cluster status page
> that node's DHCP service status shows unknown. If I run
> 'pfcmd service pf restart' on that node it doesn't list the DHCP service
> either.
>
>
> Any idea as to what the problem might be?
>
>
>
> Stephen
>


[PacketFence-users] DHCP service not listed

2017-11-17 Thread Stephen Appleby via PacketFence-users
I've created a 3 node PF cluster. On one of the nodes DHCP is not listed as a
service on the Status-Services page, and on the cluster status page that node's
DHCP service status shows unknown. If I run 'pfcmd service pf restart' on that
node it doesn't list the DHCP service either.


Any idea as to what the problem might be?



Stephen


Re: [PacketFence-users] Captive portal not redirecting after registration

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hello Pedro,

it looks like it's a reevaluation issue, can you provide the
packetfence.log?

What controller/AP are you using in your POC?

Regards

Fabrice



On 2017-11-17 at 13:03, Pedro Trindade via PacketFence-users wrote:
> Hello all, I've been trying to make a Packetfence 7.3.0 POC on a
> Centos7.0 server.
>
> However after the registration process the user is not redirected both
> in ios and android devices.
>
> Any help would be appreciated :)
>
> Thanks,
>
> Pedro C. Trindade
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



[PacketFence-users] R: R: R: R: Switch Compatibility

2017-11-17 Thread Alessandro Canella via PacketFence-users
Hi,


I've tested with Cisco 2960, same error.

I've found some difference in log:

correct auth credentials
   1 Nov 17 10:03:37 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
   2 Nov 17 10:03:37 WA authentication: Invalid Service Type: USER [   newuser]


wrong auth credentials
   1 Nov 17 10:04:44 NO authentication: SSH authentication failure [username: root, IP address = 153.47.30.125]


I've found another thing: in a conf, switch is still listed as nastype "other";
corrected, no change. I've also checked for typos or uppercase.




From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Monday 13 November 2017 14.37
To: Alessandro Canella; packetfence-users@lists.sourceforge.net
Subject: Re: R: [PacketFence-users] R: R: Switch Compatibility


Hello Alessandro,

I saw that Cisco attributes are also compatible with the Zyxel switches.

So you can choose Cisco_2960 as switch type to make a test.

Regards

Fabrice



On 2017-11-13 at 07:06, Alessandro Canella wrote:
Hello All,

I've created a new switch under PF\ folder.

All seems fine, but no cli login.

Switch Log reports

   1 Nov 13 12:44:23 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
   2 Nov 13 12:44:23 WA authentication: Invalid Service Type: USER [   newuser]

PF GUI Reports


RADIUS Request

User-Name = "newuser"
User-Password = "**"
NAS-IP-Address = 10.206.1.136
NAS-Identifier = "K873MUXSW1"
Event-Timestamp = "Nov 13 2017 11:45:37 UTC"
Stripped-User-Name = "newuser"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.206.1.136
SQL-User-Name = "newuser"

RADIUS Reply

Reply-Message = "Switch enable access granted by PacketFence"
Zyxel-Privilege-AVPair = "shell:priv-lvl=15"


PF LOG respond :

Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Using sources file1 for matching (pf::authentication::match2)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning actions. (pf::Authentication::Source::match)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] User newuser logged in 10.206.1.136 with write access (pf::Switch::Zyxel::returnAuthorizeWrite)
Nov 13 11:44:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)

From: Alessandro Canella via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Sunday 12 November 2017 23.26
To: Durand fabrice; packetfence-users@lists.sourceforge.net
Cc: Alessandro Canella
Subject: [PacketFence-users] R: R: Switch Compatibility

I will try tomorrow.

Not sure where the file is, I will check documentation.


From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: Saturday 11 November 2017 13.51
To: Alessandro Canella; packetfence-users@lists.sourceforge.net
Subject: Re: R: [PacketFence-users] Switch Compatibility


Hello Alessandro,



you will need to edit the switch module and add this:

=item returnAuthorizeWrite

Return radius attributes to allow write access

=cut

sub returnAuthorizeWrite {
    my ($self, $args) = @_;
    my $logger = $self->logger;
    my $radius_reply_ref;
    my $status;
    # Vendor attribute carrying the CLI privilege level for write access
    $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=15';
    $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
    $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
    # Let the RADIUS access filters adjust the reply before it is returned
    my $filter = pf::access_filter::radius->new;
    my $rule = $filter->test('returnAuthorizeWrite', $args);
    ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule, $args, $radius_reply_ref);
    return [$status, %$radius_reply_ref];
}

=item returnAuthorizeRead

Return radius attributes to allow read access

=cut

sub returnAuthorizeRead {
    my ($self, $args) = @_;
    my $logger = $self->logger;
    my $radius_reply_ref;
    my $status;
    # Vendor attribute carrying the CLI privilege level for read access
    $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=3';
    $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
    $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
    my $filter = pf::access_filter::radius->new;
    my $rule = $filter->test('returnAuthorizeRead', $args);
    # The posted code is cut off here; the rest mirrors returnAuthorizeWrite above
    ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule, $args, $radius_reply_ref);
    return [$status, %$radius_reply_ref];
}
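
The difference pointed out in the switch log at the top of this message (correct credentials add an "Invalid Service Type" line, wrong credentials do not) can be checked mechanically. This is an added example, not part of the original thread or of PacketFence; the sample lines are constructed from the log format quoted above, and pairing lines by timestamp and username is an assumption.

```python
import re

# Constructed sample: the switch log lines quoted in the thread, with the
# mail client's line wraps joined.
SAMPLE_LOG = """\
   1 Nov 17 10:03:37 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
   2 Nov 17 10:03:37 WA authentication: Invalid Service Type: USER [   newuser]
   1 Nov 17 10:04:44 NO authentication: SSH authentication failure [username: root, IP address = 153.47.30.125]
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\w+\s+"
    r"authentication:\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"SSH authentication failure \[username:\s*(?P<user>[^,\]]+?)\s*,"
    r"\s*IP address = (?P<ip>[^\]\s]+)\s*\]"
)
SVC_RE = re.compile(
    r"Invalid Service Type:\s*(?P<stype>\S+)\s*\[\s*(?P<user>[^\]]+?)\s*\]"
)


def classify_attempts(log_text):
    """Group lines per (timestamp, username) and label each login attempt."""
    attempts = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not an "authentication:" record
        failure = FAIL_RE.search(line["msg"])
        service = SVC_RE.search(line["msg"])
        hit = failure or service
        if not hit:
            continue
        entry = attempts.setdefault(
            (line["ts"], hit["user"]),
            {"ip": None, "service_type": None},
        )
        if failure:
            entry["ip"] = failure["ip"]
        else:
            entry["service_type"] = service["stype"]

    results = []
    for (ts, user), entry in attempts.items():
        # Per the thread: the extra "Invalid Service Type" line only shows up
        # when the credentials themselves were correct.
        verdict = ("service-type-rejected" if entry["service_type"]
                   else "login-failed")
        results.append({"time": ts, "user": user, "ip": entry["ip"],
                        "service_type": entry["service_type"],
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for attempt in classify_attempts(SAMPLE_LOG):
        print(attempt)
```

A "service-type-rejected" verdict points at the attributes in the RADIUS reply rather than at the password, which is where the rest of the thread looks (privilege level, Reply-Message).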

[PacketFence-users] Captive portal not redirecting after registration

2017-11-17 Thread Pedro Trindade via PacketFence-users
Hello all, I've been trying to make a Packetfence 7.3.0 POC on a Centos7.0
server.

However after the registration process the user is not redirected both in
ios and android devices.

Any help would be appreciated :)

Thanks,

Pedro C. Trindade


Re: [PacketFence-users] R: R: R: R: Switch Compatibility

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

retry by removing this line:

$radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";

and also try with this line:

$radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=14';

cf:
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=011559=EN

Regards
Fabrice

On 2017-11-17 at 04:39, Alessandro Canella wrote:
>
> Hi,
>
> I’ve tested with Cisco 2960, same error.
>
> I’ve found some difference in log:
>
> correct auth credentials
>
>    1 Nov 17 10:03:37 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
>    2 Nov 17 10:03:37 WA authentication: Invalid Service Type: USER [   newuser]
>
> wrong auth credentials
>
>    1 Nov 17 10:04:44 NO authentication: SSH authentication failure [username: root, IP address = 153.47.30.125]
>
> I’ve found another thing: in a conf, switch is still listed as nastype
> “other”; corrected, no change. I’ve also checked for typos or uppercase.
>
> From: Fabrice Durand [mailto:fdur...@inverse.ca]
> Sent: Monday 13 November 2017 14.37
> To: Alessandro Canella; packetfence-users@lists.sourceforge.net
> Subject: Re: R: [PacketFence-users] R: R: Switch Compatibility
>
> Hello Alessandro,
>
> I saw that Cisco attributes are also compatible with the Zyxel switches.
>
> So you can choose Cisco_2960 as switch type to make a test.
>
> Regards
>
> Fabrice
>
> On 2017-11-13 at 07:06, Alessandro Canella wrote:
>
> Hello All,
>
> I’ve created a new switch under PF\ folder.
>
> All seems fine, but no cli login.
>
> Switch Log reports
>
>    1 Nov 13 12:44:23 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
>    2 Nov 13 12:44:23 WA authentication: Invalid Service Type: USER [   newuser]
>
> PF GUI Reports
>
> RADIUS Request
>
> User-Name = "newuser"
> User-Password = "**"
> NAS-IP-Address = 10.206.1.136
> NAS-Identifier = "K873MUXSW1"
> Event-Timestamp = "Nov 13 2017 11:45:37 UTC"
> Stripped-User-Name = "newuser"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = 10.206.1.136
> SQL-User-Name = "newuser"
>
> RADIUS Reply
>
> Reply-Message = "Switch enable access granted by PacketFence"
> Zyxel-Privilege-AVPair = "shell:priv-lvl=15"
>
> PF LOG respond :
>
> Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
> Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Using sources file1 for matching (pf::authentication::match2)
> Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning actions. (pf::Authentication::Source::match)
> Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] User newuser logged in 10.206.1.136 with write access (pf::Switch::Zyxel::returnAuthorizeWrite)
> Nov 13 11:44:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
>
> From: Alessandro Canella via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
> Sent: Sunday 12 November 2017 23.26
> To: Durand fabrice; packetfence-users@lists.sourceforge.net
> Cc: Alessandro Canella
> Subject: [PacketFence-users] R: R: Switch Compatibility
>
> I will try tomorrow.
>
> Not sure where the file is, I will check documentation.
>
> From: Durand fabrice [mailto:fdur...@inverse.ca]
> Sent: Saturday 11 November 2017 13.51
> To: Alessandro Canella; packetfence-users@lists.sourceforge.net
> Subject: Re: R: [PacketFence-users] Switch Compatibility
>
> Hello Alessandro,
>
> you will need to edit the switch module and add this:
>
> =item returnAuthorizeWrite
> Return radius attributes to allow write access
> =cut
>
> sub returnAuthorizeWrite {
>     my ($self, $args) = @_;


Re: [PacketFence-users] auth request from wrong switch

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hum ok, really weird.

It looks like, first, when the device connects on port 2/43, 802.1x
failed, so it starts MAC auth, but just after that the port goes down and a
new request comes from port 5/3.

When this happens, can you check in the mac-address-table where the
MAC address is (before and after)?

Is it a stack of switches?

Does the issue occur all the time on the same physical switch?


On 2017-11-16 at 22:52, Sokolowski, Darryl wrote:
> Hi Fabrice,
> Yes, those ports are switchports plugged directly to pcs. Not uplink.
> Show cdp neighbors returns expected ports, but none of those in
> question here.
>
> Thanks
> Darryl
>
>
>
> -------- Original message --------
> From: Durand fabrice via PacketFence-users
> 
> Date: 11/16/17 7:48 PM (GMT-05:00)
> To: packetfence-users@lists.sourceforge.net
> Cc: Durand fabrice 
> Subject: Re: [PacketFence-users] auth request from wrong switch
>
> Just to be sure, the ports 5/3 and 2/43 are switch ports, no uplink?
>
> Does "show cdp neighbors" return one of these ports?
>
>
>
> On 2017-11-16 at 17:46, Sokolowski, Darryl via PacketFence-users wrote:
>>
>> Another thing I noticed is that if I go into PF and restart the
>> switchport from the node details, it will authenticate as dot1x.
>>
>> When it fails, it seems it is trying wired mac auth. When it does
>> wired mac auth, it says it’s successful, but on a port that is
>> something other than where it is really plugged in, so no network access.
>>
>> If I unplug the nic, and plug it back in, it does not work, only when
>> I restart the port from PF does it work properly and authenticate as
>> dot1x.
>>
>> *From:*Sokolowski, Darryl via PacketFence-users
>> [mailto:packetfence-users@lists.sourceforge.net]
>> *Sent:* Thursday, November 16, 2017 10:34 AM
>> *To:* packetfence-users@lists.sourceforge.net; Jason Sloan
>> 
>> *Cc:* Sokolowski, Darryl 
>> *Subject:* Re: [PacketFence-users] auth request from wrong switch
>>
>>  
>>
>> Hi again,
>>
>> This is weird, I don’t know what it means.
>>
>> A machine starts up, shows up on port 2/43, then it appears for some
>> reason it gets authorized on a different port right after that. The
>> first port it appears on, 2/43 is the real port it’s plugged into.
>> Then right after that, it appears on 5/3, and that’s when I think it
>> gets kicked off the network, since now the switch thinks it’s on 5/3.
>> There are no minihubs in the way, these machines plug directly into
>> their respective ports.
>>
>>  
>>
>> I attached a good bit of the debug log, but didn’t want to send the
>> whole thing, it’s very long. Let me know if I need to send more.
>> There is more in the attachment than I pasted below.
>>
>> I can’t figure out why these machines are getting seen on multiple ports.
>>
>>  
>>
>> Thanks for any insight.
>>
>> Darryl
>>
>>  
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350287: 350087: Nov 16
>> 12:53:00.279: dot1x-packet:[0026.2d15.049b, Gi2/43] EAPOL canned
>> status packet sent to client 0xAC94"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350288: 350088: Nov 16
>> 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Deleting client
>> 0xAC94 (0026.2d15.049b)"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350289: 350089: Nov 16
>> 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Delete auth client
>> (0xAC94) message"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350290: 350090: Nov 16
>> 12:53:00.279: dot1x-ev:Auth client ctx destroyed
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350291: 350091: Nov 16
>> 12:53:00.279: RADIUS/ENCODE():Orig. component type = Invalid
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350292: 350092: Nov 16
>> 12:53:00.279: RADIUS(): Config NAS IP: 172.16.0.200
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350293: 350093: Nov 16
>> 12:53:00.279: RADIUS(): Config NAS IPv6: ::
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350294: 350094: Nov 16
>> 12:53:00.279: RADIUS(): sending
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350295: 350095: Nov 16
>> 12:53:00.279: RADIUS(): Send Access-Request to
>> 172.16.1.73:1812 onvrf(0) id 1645/251, len 259"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350296: 350096: Nov 16
>> 12:53:00.279: RADIUS:  authenticator 7A 07 65 33 17 CD 20 47 - 3C 6A
>> 23 4C 46 19 31 B0
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350297: 350097: Nov 16
>> 12:53:00.279: RADIUS:  User-Name   [1]   14  "00262d15049b"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350298: 350098: Nov 16
>> 12:53:00.279: RADIUS:  User-Password   [2]   18  *
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350299: 350099: Nov 16
>> 12:53:00.279: RADIUS:  Service-Type    [6]   6   Call
>> Check    [10]
>>
>> 2017-11-16