Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Timothy Mullican via PacketFence-users
I just saw Fabrice’s response. Funny this is the second time we basically said 
the same thing within a few minutes of each other :) Good luck with your demo. 

Tim

Sent from mobile phone

> On Jan 3, 2018, at 20:36, Durand fabrice wrote:
> 
> Hello Eugene,
> 
> Even if you will integrate PacketFence with AD, you can use local users for 
> another purpose (like a guest source with "create local account" enabled, in 
> order to use this account on an 802.1x SSID). 
> For MariaDB, there are a few services that are not managed by PacketFence, like 
> packetfence-config, packetfence-redis-cache and packetfence-mariadb.
> 
> So if you want to restart one of them then you need to use systemctl restart 
> packetfence-mariadb
> 
> Regards
> 
> Fabrice
> 
> 
> 
>> On 2018-01-03 at 20:36, E.P. wrote:
>> The year started with boring and hectic problems, only now had time to get 
>> back to PF.
>> Well, I knew that I’m getting closer ;)
>> First of all I did uncomment “packetfence-local-auth” some time ago but when 
>> both Fabrice and you mentioned it again I went through the file and found a 
>> second line with this parameter that was commented.
>> In the section for the “inner-tunnel server” it was still commented.
>> Now the database password encryption type. For some reason it just doesn’t 
>> want to work for me when I had it set to NTLM.
>> Changed it to Plain-text and then had to recreate the local users to make it 
>> work.
>> I’m not very concerned about the password encryption type for now as we 
>> plan to integrate PF with AD.
>> By the way, is there any way to restart the MariaDB service from the PF GUI? I 
>> couldn’t find it in the “Status-Services” section.
>> And CentOS says that it is pf-mariadb but it can’t be restarted with the 
>> regular OS script systemctl
>>  
>> Thank you very much, Fabrice and Timothy!
>> Eugene
>>  
>> From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
>> Sent: Wednesday, January 03, 2018 6:08 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Fabrice Durand; ype...@gmail.com
>> Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
>> FreeRADIUS
>>  
>> Eugene,
>>  
>> Did you uncomment the “packetfence-local-auth” line in 
>> /usr/local/pf/conf/radiusd/packetfence-tunnel? 
>>  
>> Also you will have to change the database password encryption type to plain 
>> or NTLM under Configuration->System Configuration->Main 
>> Configuration->Database passwords hashing mechanism. 
>>  
>> I would then try restarting all the PacketFence services. Let me know if 
>> this doesn’t work. 
>>  
>> Thanks,
>> Tim
>> 
>> Sent from mobile phone
>> 
>> On Jan 3, 2018, at 07:50, Fabrice Durand via PacketFence-users wrote:
>> 
>> I tried to add the DAS parameter directly in the configuration file of the 
>> AP and it works (CoA), but the limitation is that you can 
>> enable it only on one SSID.
>> 
>> https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
>> 
>> Regards
>> 
>> Fabrice
>> 
>>  
>> 
>>  
>> On 2017-12-29 at 16:18, Timothy Mullican via PacketFence-users wrote:
>> It may be possible to skip the controller and run the deauthentication 
>> command on the AP itself, but it is product specific as opposed to the 
>> controller API, which is cross-product. The UniFi code on PacketFence would 
>> have to be modified to support this. 
>>  
>> See 
>> https://community.ubnt.com/t5/UniFi-Wireless/Issue-manual-kick-sta-command/m-p/1197157/highlight/true#M95831
>> 
>> Sent from mobile phone
>> 
>> On Dec 29, 2017, at 15:12, Timothy Mullican via PacketFence-users wrote:
>> 
>> I am running UniFi AP 3.9.15.8011 and Controller 5.6.26 (I’m using 
>> linuxserver/UniFi docker image on CentOS 7.4). 
>>  
>> First, make sure you applied the UniFi patch (see 
>> https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/m-p/2134984/highlight/true#M261219).
>> This enables dynamic VLAN assignment using RADIUS and 802.1x on the 
>> PacketFence side. The latest UniFi firmware also allows dynamic VLAN 
>> assignment using MAC authentication (i.e., guest access). If you have any 
>> questions about this let me know and I can help you (also see my earlier 
>> thread).
>>  
>> If you are using the PacketFence captive portal authentication to assign a 
>> user’s VLAN, PacketFence requires the UniFi controller to deauthenticate 
>> clients from the AP. If you look at 
>> https://github.com/inverse-inc/packetfence/pull/2735/files#diff-8b99f599546e7710d1df6b776d184569,
>> you can see the deauthentication method used is an HTTPS API call to the 
>> controller running the “kick-sta” command on the client MAC address. As you 
>> are probably aware, the user must reauthenticate in order to be placed in 
>> the correct VLAN after successfully authenticating. PacketFence automates 
>> this process in several ways (HTTP/HTTPS, SNMP, Telnet/SSH, 

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Timothy Mullican via PacketFence-users
Interesting you had to change to plaintext. I was able to use NTLM and just 
uncomment the first instance of the “packetfence-local-auth” line. Perhaps 
something else was modified in the radius config. Anyways, you can use the 
following command to restart mariadb (at least for CentOS/RHEL 7): “sudo 
systemctl restart packetfence-mariadb”. I did not see a way to restart mariadb 
via pfcmd (/usr/local/pf/bin/pfcmd) or the web interface. Please let me know if 
you have any other questions. 

Thanks,
Tim

Sent from mobile phone

> On Jan 3, 2018, at 19:36, E.P. wrote:
> 
> The year started with boring and hectic problems, only now had time to get 
> back to PF.
> Well, I knew that I’m getting closer ;)
> First of all I did uncomment “packetfence-local-auth” some time ago but when 
> both Fabrice and you mentioned it again I went through the file and found a 
> second line with this parameter that was commented.
> In the section for the “inner-tunnel server” it was still commented.
> Now the database password encryption type. For some reason it just doesn’t 
> want to work for me when I had it set to NTLM.
> Changed it to Plain-text and then had to recreate the local users to make it 
> work.
> I’m not very concerned about the password encryption type for now as we plan 
> to integrate PF with AD.
> By the way, is there any way to restart the MariaDB service from the PF GUI? I 
> couldn’t find it in the “Status-Services” section.
> And CentOS says that it is pf-mariadb but it can’t be restarted with the 
> regular OS script systemctl
>  
> Thank you very much, Fabrice and Timothy!
> Eugene
>  
> From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
> Sent: Wednesday, January 03, 2018 6:08 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Fabrice Durand; ype...@gmail.com
> Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
> FreeRADIUS
>  
> Eugene,
>  
> Did you uncomment the “packetfence-local-auth” line in 
> /usr/local/pf/conf/radiusd/packetfence-tunnel? 
>  
> Also you will have to change the database password encryption type to plain 
> or NTLM under Configuration->System Configuration->Main 
> Configuration->Database passwords hashing mechanism. 
>  
> I would then try restarting all the PacketFence services. Let me know if this 
> doesn’t work. 
>  
> Thanks,
> Tim
> 
> Sent from mobile phone
> 
> On Jan 3, 2018, at 07:50, Fabrice Durand via PacketFence-users wrote:
> 
> I tried to add the DAS parameter directly in the configuration file of the AP 
> and it works (CoA), but the limitation is that you can enable it only on one 
> SSID.
> 
> https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
> 
> Regards
> 
> Fabrice
> 
>  
> 
>  
> On 2017-12-29 at 16:18, Timothy Mullican via PacketFence-users wrote:
> It may be possible to skip the controller and run the deauthentication 
> command on the AP itself, but it is product specific as opposed to the 
> controller API, which is cross-product. The UniFi code on PacketFence would 
> have to be modified to support this.  
>  
> See 
> https://community.ubnt.com/t5/UniFi-Wireless/Issue-manual-kick-sta-command/m-p/1197157/highlight/true#M95831
> 
> Sent from mobile phone
> 
> On Dec 29, 2017, at 15:12, Timothy Mullican via PacketFence-users wrote:
> 
> I am running UniFi AP 3.9.15.8011 and Controller 5.6.26 (I’m using 
> linuxserver/UniFi docker image on CentOS 7.4). 
>  
> First, make sure you applied the UniFi patch (see 
> https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/m-p/2134984/highlight/true#M261219).
> This enables dynamic VLAN assignment using RADIUS and 802.1x on the 
> PacketFence side. The latest UniFi firmware also allows dynamic VLAN 
> assignment using MAC authentication (i.e., guest access). If you have any 
> questions about this let me know and I can help you (also see my earlier 
> thread).
>  
> If you are using the PacketFence captive portal authentication to assign a 
> user’s VLAN, PacketFence requires the UniFi controller to deauthenticate 
> clients from the AP. If you look at 
> https://github.com/inverse-inc/packetfence/pull/2735/files#diff-8b99f599546e7710d1df6b776d184569,
> you can see the deauthentication method used is an HTTPS API call to the 
> controller running the “kick-sta” command on the client MAC address. As you 
> are probably aware, the user must reauthenticate in order to be placed in the 
> correct VLAN after successfully authenticating. PacketFence automates this 
> process in several ways (HTTP/HTTPS, SNMP, Telnet/SSH, RADIUS CoA).
>  
> As far as I know, the only way to deauthenticate a client on the AP is using 
> the Controller API over HTTPS (no support for CoA yet). If CoA is implemented 
> we should be able to bypass the controller and send direct client RADIUS 
> deauthentication requests to the AP. 
>  
> If you are using 802.1x 

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Durand fabrice via PacketFence-users

Hello Eugene,

Even if you will integrate PacketFence with AD, you can use local users 
for another purpose (like a guest source with "create local account" enabled, 
in order to use this account on an 802.1x SSID).

For MariaDB, there are a few services that are not managed by PacketFence, 
like packetfence-config, packetfence-redis-cache and packetfence-mariadb.

So if you want to restart one of them then you need to use systemctl 
restart packetfence-mariadb


Regards

Fabrice



On 2018-01-03 at 20:36, E.P. wrote:

The year started with boring and hectic problems, only now had time to 
get back to PF.

Well, I knew that I’m getting closer ;)

First of all I did uncomment “packetfence-local-auth” some time ago but 
when both Fabrice and you mentioned it again I went through the file 
and found a second line with this parameter that was commented.

In the section for the “inner-tunnel server” it was still commented.

Now the database password encryption type. For some reason it just doesn’t 
want to work for me when I had it set to NTLM.

Changed it to Plain-text and then had to recreate the local users to 
make it work.

I’m not very concerned about the password encryption type for now as 
we plan to integrate PF with AD.

By the way, is there any way to restart the MariaDB service from the PF GUI? 
I couldn’t find it in the “Status-Services” section.

And CentOS says that it is pf-mariadb but it can’t be restarted with 
the regular OS script systemctl

Thank you very much, Fabrice and Timothy!

Eugene

From: Timothy Mullican [mailto:tjmullic...@yahoo.com]
Sent: Wednesday, January 03, 2018 6:08 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand; ype...@gmail.com
Subject: Re: [PacketFence-users] Need an advice and maybe assistance 
with FreeRADIUS


Eugene,

Did you uncomment the “packetfence-local-auth” line in 
/usr/local/pf/conf/radiusd/packetfence-tunnel?

Also you will have to change the database password encryption type to 
plain or NTLM under Configuration->System Configuration->Main 
Configuration->Database passwords hashing mechanism.

I would then try restarting all the PacketFence services. Let me know 
if this doesn’t work.


Thanks,

Tim

Sent from mobile phone


On Jan 3, 2018, at 07:50, Fabrice Durand via PacketFence-users wrote:

I tried to add the DAS parameter directly in the configuration
file of the AP and it works (CoA), but the limitation is that you
can enable it only on one SSID.

https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf

Regards

Fabrice

On 2017-12-29 at 16:18, Timothy Mullican via PacketFence-users wrote:

It may be possible to skip the controller and run the
deauthentication command on the AP itself, but it is product
specific as opposed to the controller API, which is
cross-product. The UniFi code on PacketFence would have to be
modified to support this.

See

https://community.ubnt.com/t5/UniFi-Wireless/Issue-manual-kick-sta-command/m-p/1197157/highlight/true#M95831

Sent from mobile phone


On Dec 29, 2017, at 15:12, Timothy Mullican via PacketFence-users wrote:

I am running UniFi AP 3.9.15.8011 and Controller 5.6.26
(I’m using linuxserver/UniFi docker image on CentOS 7.4).

First, make sure you applied the UniFi patch (see
https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/m-p/2134984/highlight/true#M261219).
This enables dynamic VLAN assignment using RADIUS and
802.1x on the PacketFence side. The latest UniFi firmware
also allows dynamic VLAN assignment using MAC
authentication (i.e., guest access). If you have any
questions about this let me know and I can help you (also
see my earlier thread).

If you are using the PacketFence captive portal
authentication to assign a user’s VLAN, PacketFence
requires the UniFi controller to deauthenticate clients
from the AP. If you look at
https://github.com/inverse-inc/packetfence/pull/2735/files#diff-8b99f599546e7710d1df6b776d184569,
you can see the deauthentication method used is an HTTPS
API call to the controller running the “kick-sta” command
on the client MAC address. As you are probably aware, the
user must reauthenticate in order to be placed in the
correct VLAN after successfully authenticating.
PacketFence automates this process in several ways
(HTTP/HTTPS, SNMP, Telnet/SSH, RADIUS CoA).

As far as I know, the only way to deauthenticate a client
on the AP is using the 

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread E.P. via PacketFence-users
The year started with boring and hectic problems, only now had time to get back 
to PF.

Well, I knew that I’m getting closer ;)

First of all I did uncomment “packetfence-local-auth” some time ago but when both 
Fabrice and you mentioned it again I went through the file and found a second 
line with this parameter that was commented.

In the section for the “inner-tunnel server” it was still commented.

Now the database password encryption type. For some reason it just doesn’t want to 
work for me when I had it set to NTLM.

Changed it to Plain-text and then had to recreate the local users to make it 
work.

I’m not very concerned about the password encryption type for now as we plan 
to integrate PF with AD.

By the way, is there any way to restart the MariaDB service from the PF GUI? I 
couldn’t find it in the “Status-Services” section.

And CentOS says that it is pf-mariadb but it can’t be restarted with the 
regular OS script systemctl

 

Thank you very much, Fabrice and Timothy!

Eugene

 

From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
Sent: Wednesday, January 03, 2018 6:08 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand; ype...@gmail.com
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
FreeRADIUS

 

Eugene,

 

Did you uncomment the “packetfence-local-auth” line in 
/usr/local/pf/conf/radiusd/packetfence-tunnel? 

 

Also you will have to change the database password encryption type to plain or 
NTLM under Configuration->System Configuration->Main Configuration->Database 
passwords hashing mechanism. 

 

I would then try restarting all the PacketFence services. Let me know if this 
doesn’t work. 

 

Thanks,

Tim

Sent from mobile phone


On Jan 3, 2018, at 07:50, Fabrice Durand via PacketFence-users wrote:

I tried to add the DAS parameter directly in the configuration file of the AP 
and it works (CoA), but the limitation is that you can enable it only on one 
SSID.

https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf

Regards

Fabrice

 

 

On 2017-12-29 at 16:18, Timothy Mullican via PacketFence-users wrote:

It may be possible to skip the controller and run the deauthentication command 
on the AP itself, but it is product specific as opposed to the controller API, 
which is cross-product. The UniFi code on PacketFence would have to be modified 
to support this.  

 

See 
https://community.ubnt.com/t5/UniFi-Wireless/Issue-manual-kick-sta-command/m-p/1197157/highlight/true#M95831

Sent from mobile phone


On Dec 29, 2017, at 15:12, Timothy Mullican via PacketFence-users wrote:

I am running UniFi AP 3.9.15.8011 and Controller 5.6.26 (I’m using 
linuxserver/UniFi docker image on CentOS 7.4).  

 

First, make sure you applied the UniFi patch (see 
https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/m-p/2134984/highlight/true#M261219).
This enables dynamic VLAN assignment using RADIUS and 802.1x on the 
PacketFence side. The latest UniFi firmware also allows dynamic VLAN assignment 
using MAC authentication (i.e., guest access). If you have any questions about 
this let me know and I can help you (also see my earlier thread).

 

If you are using the PacketFence captive portal authentication to assign a 
user’s VLAN, PacketFence requires the UniFi controller to deauthenticate 
clients from the AP. If you look at 
https://github.com/inverse-inc/packetfence/pull/2735/files#diff-8b99f599546e7710d1df6b776d184569,
you can see the deauthentication method used is an HTTPS API call to the 
controller running the “kick-sta” command on the client MAC address. As you are 
probably aware, the user must reauthenticate in order to be placed in the 
correct VLAN after successfully authenticating. PacketFence automates this 
process in several ways (HTTP/HTTPS, SNMP, Telnet/SSH, RADIUS CoA).

 

As far as I know, the only way to deauthenticate a client on the AP is using 
the Controller API over HTTPS (no support for CoA yet). If CoA is implemented 
we should be able to bypass the controller and send direct client RADIUS 
deauthentication requests to the AP. 

 

If you are using 802.1x without the captive portal, you may be able to get away 
without relying on the controller, since the VLAN is only assigned once at 
logon to the AP, but I have not tested this yet. 

 

Fabrice may be able to help if I didn’t explain something correctly above. 

 

Tim

 


On Dec 29, 2017, at 12:38, E.P. wrote:

Hi Timothy,

I’m really, really grateful to you for your comments.

May I ask you what firmware level you run on your UniFi AP?

And by the way, just out of curiosity, why do we need the controller IP address in the 
settings for the AP/switch?

I thought that the real RADIUS client is the AP and the controller’s only job 
is to push settings, including WPA-Enterprise/RADIUS, to the AP

 

Eugene

 

From: Timothy Mullican 
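Eugene's finding above (a second, still-commented packetfence-local-auth line in the inner-tunnel server section) and Tim's note that he only needed to uncomment the first instance are easiest to reconcile with a check that lists every occurrence of the directive together with the server and section it sits in. The following Python is an added example, not PacketFence code: it walks any FreeRADIUS virtual-server file by brace nesting, reports each reference as enabled or commented, and can enable all of them at once. The sample configuration embedded in it is constructed to resemble the layout of /usr/local/pf/conf/radiusd/packetfence-tunnel and is not copied from that file.

```python
"""List every packetfence-local-auth reference in a FreeRADIUS virtual-server
file, with the enclosing server/section path and whether it is commented out,
and optionally uncomment all of them.  Added example, not PacketFence code.
Assumes the plain unlang layout (one "name {" opener or "}" closer per line)."""
from dataclasses import dataclass
from typing import List

DIRECTIVE = "packetfence-local-auth"


@dataclass
class Reference:
    line_no: int     # 1-based line number in the file
    path: str        # e.g. "server packetfence-tunnel/authorize"
    commented: bool  # True when the line is disabled with a leading '#'


def _first_token(body: str) -> str:
    parts = body.split()
    return parts[0] if parts else ""


def find_references(text: str, name: str = DIRECTIVE) -> List[Reference]:
    """Walk the file tracking brace nesting; commented-out lines never
    open or close a block, but are still reported if they name the directive."""
    refs: List[Reference] = []
    stack: List[str] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        if not commented:
            if body.startswith("}"):
                if stack:
                    stack.pop()
                if body.endswith("{"):          # "} else {" style continuation
                    stack.append(body.strip("{} ").strip())
                continue
            if body.endswith("{"):
                stack.append(body[:-1].strip())
                continue
        if _first_token(body) == name:
            refs.append(Reference(line_no, "/".join(stack), commented))
    return refs


def commented_paths(text: str, name: str = DIRECTIVE) -> List[str]:
    """Sections in which the directive is present but still commented out."""
    return [r.path for r in find_references(text, name) if r.commented]


def uncomment_all(text: str, name: str = DIRECTIVE) -> str:
    """Return the file with every commented directive line enabled,
    keeping the original indentation; everything else is left untouched."""
    out = []
    for raw in text.splitlines():
        stripped = raw.lstrip()
        body = stripped.lstrip("#").strip()
        if stripped.startswith("#") and _first_token(body) == name:
            indent = raw[: len(raw) - len(stripped)]
            out.append(indent + body)
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: the first instance (outer server) is already enabled,
# the one in the inner-tunnel server is still commented out.
SAMPLE_CONFIG = """\
server packetfence {
    authorize {
        suffix
        packetfence-local-auth
        eap {
            ok = return
        }
    }
}

server packetfence-tunnel {
    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        # packetfence-local-auth
        files
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        eap
    }
}
"""

if __name__ == "__main__":
    for ref in find_references(SAMPLE_CONFIG):
        state = "COMMENTED" if ref.commented else "enabled"
        print(f"line {ref.line_no:>3}  {ref.path:<40} {state}")
    print("still commented in:", commented_paths(SAMPLE_CONFIG))
```

Run against the real file, commented_paths() is empty when every section that names the directive has it enabled; any path it returns is the section to look at. The tracker deliberately ignores braces on commented lines, so a disabled block does not skew the nesting of what follows.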

Re: [PacketFence-users] PKI installation

2018-01-03 Thread E.P. via PacketFence-users
Great, will try to do it a bit later

Thanks, Fabrice

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Wednesday, January 03, 2018 12:26 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Just for information, I uploaded a new version of packetfence-pki for 
CentOS 7 which fixes all the install issues.

Regards

Fabrice

 

 

On 2017-12-12 at 23:58, E.P. wrote:

Well, I’m taking my hat off in front of you, no kidding and pun intended ;)

Do you need traceback from the error page ?

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 7:02 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Ha ha, don't worry, I like to have challenges like that, to be able to fix the 
issue for a better user experience.

I coded the PKI so I want to make it work.

 

 

On 2017-12-12 at 21:48, E.P. wrote:

Sure, take your time, Fabrice. I have a special knack for running into trouble 
in cases where others didn’t have any :) 


Eugene

Sent from iPhone


On Dec 12, 2017, at 18:18, Durand fabrice wrote:

OK, let me try to install the PKI on the ZEN and I will get back to you.

I installed the PKI on 10 servers not long ago without any issue.

 

 

On 2017-12-12 at 20:52, E.P. wrote:

Yes, db.sqlite3 was owned by root

 

[root@PacketFence-ZEN packetfence-pki]# ls -al
total 56
drwxr-xr-x   7 pf   pf     128 Dec 12 08:49 .
drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
drwxrws---   2 pf   pf       6 Nov 15 14:20 ca
drwxr-xr-x   2 pf   pf     125 Dec 12 01:33 conf
-rw-r--r--   1 root root 43008 Dec 12 08:44 db.sqlite3
drwxr-xr-x   2 pf   pf     204 Dec 12 02:49 inverse
drwxrws---   2 pf   pf      90 Dec 12 01:35 logs
-rwxr--r--   1 pf   pf     250 Nov 15 14:20 manage.py
-rw-r--r--   1 root root     6 Dec 12 08:49 packetfence-pki.pid
drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki

 

Changed the file ownership to pf:pf

 

[root@PacketFence-ZEN packetfence-pki]# ls -al
total 100
drwxr-xr-x   7 pf   pf     147 Dec 13 01:45 .
drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
drwxrws---   2 pf   pf       6 Nov 15 14:20 ca
drwxr-xr-x   2 pf   pf     125 Dec 12 01:33 conf
-rw-r--r--   1 pf   pf   43008 Dec 13 01:45 db.sqlite3
drwxr-xr-x   2 pf   pf     204 Dec 12 02:49 inverse
drwxrws---   2 pf   pf      90 Dec 12 01:35 logs
-rwxr--r--   1 pf   pf     250 Nov 15 14:20 manage.py
-rw-r--r--   1 root root     5 Dec 13 01:43 packetfence-pki.pid
drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki

 

But trying to log in to the PKI web page brings me back to the same original 
error “no such table: pki_ca” which I showed earlier. I tried to follow your 
previous advice about renaming the db.sqlite3 file and running the migration but 
the behavior is consistent. Is it OK that the PKI process ID file is also 
owned by root?

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 5:35 AM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Just change the owner of the SQLite file to pf and it should be OK.

Btw, all these steps are done in the packaging, so it probably failed or never 
finished correctly.

I will do a test on my side.

Regards

Fabrice

 

 

On 2017-12-12 at 03:47, E.P. wrote:

Well, we are getting closer ;)

Ran the Python script to migrate the database; it completed:

 

[root@PacketFence-ZEN packetfence-pki]# python manage.py migrate
Operations to perform:
  Synchronize unmigrated apps: staticfiles, rest_framework, messages, bootstrap3
  Apply all migrations: authtoken, sessions, admin, auth, contenttypes, pki
Synchronizing apps without migrations:
  Creating tables...
    Running deferred SQL...
  Installing custom SQL...
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying authtoken.0001_initial... OK
  Applying pki.0001_initial... OK
  Applying sessions.0001_initial... OK

 

But the attempt to log in to the PKI failed again, now with a different error 
message:

OperationalError at /
attempt to write a readonly database
Request Method: POST
Request URL: https://192.168.2.25:9393/
Django Version: 1.8.1
Exception Type: OperationalError
Exception Value: attempt to write a readonly database
Exception Location: /usr/lib/python2.7/site-packages/django/db/backends/sqlite3/base.py in
Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread Timothy Mullican via PacketFence-users
André,

The message “Until CoA is implemented we will bounce the port on VLAN 
re-assignment traps for MAC-Auth 
(pf::Switch::handleReAssignVlanTrapForWiredMacAuth)” is thrown because your 
deauthentication method for the Switch (in PacketFence) is set to SNMP (see 
handleReAssignVlanTrapForWiredMacAuth in /usr/local/pf/lib/pf/Switch.pm and 
/usr/local/pf/lib/pf/Switch/Dell/N1500.pm).

Try changing your de-authentication method on the switch (under Configuration) 
in PacketFence to RADIUS and specify the secret key. Please let me know if this 
doesn’t work. 

Thanks,
Tim 

Sent from mobile phone

> On Jan 3, 2018, at 14:59, André Scrivener via PacketFence-users wrote:
> 
> Fabrice,
> 
> I used the configuration you sent; it still gave an error.
> 
> I saw some new logs:
> 
> Jan  3 18:41:44 packetfence pfqueue: pfqueue(25669) WARN: 
> [mac:84:7b:eb:e3:84:42] Until CoA is implemented we will bounce the port on 
> VLAN re-assignment traps for MAC-Auth 
> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
> 
> Do you know what it would be? Could you explain?
> 
> Soon I will update the firmware of the switch, to see if it resolves the issue.
> 
> Could it also be a bug in the PacketFence version? Did you hear from anyone 
> else with this problem?
> 
> Greetings!
> 
> 
> 
> 2018-01-03 17:24 GMT-03:00 Fabrice Durand:
>> Hello André,
>> 
>> Yes, I did that a long time ago:
>> 
>> https://github.com/inverse-inc/packetfence/commit/9d47649dd8d133b233d313d2c80e94421c38caaa#diff-53248f7bb6c533be6a5b55ec361b3238
>> 
>> Also the notes I took:
>> 
>> 1 Enter global configuration mode and define the RADIUS server.
>> 
>> console#configure
>> console(config)#radius-server host auth 10.34.200.30
>> console(Config-auth-radius)#name PacketFence
>> console(Config-auth-radius)#usage 802.1x
>> console(Config-auth-radius)#key s3cr3t
>> console(Config-auth-radius)#exit
>> console(Config)#aaa server radius dynamic-author
>> console(config-radius-da)#client 10.34.200.30 server-key s3cr3t
>> console(config-radius-da)#auth-type all
>> console(config-radius-da)#exit
>> 
>> 
>> 
>> 
>> 2 Enable authentication and globally enable 802.1x client authentication via 
>> RADIUS:
>> 
>> console(config)#authentication enable
>> console(config)#aaa authentication dot1x default radius
>> console(config)#aaa authorization network default radius
>> console(config)#dot1x system-auth-control
>> 
>> (Optional)
>> console(Config)#dot1x dynamic-vlan enable
>> 
>> 3 On the interface, enable MAC based authentication mode, enable MAB, and 
>> set the order of authentication to 802.1X followed by MAC authentication. 
>> Also enable periodic re-authentication.
>> 
>> console(config)#interface te1/0/4
>> console(config-if-Te1/0/4)#dot1x port-control mac-based
>> console(config-if-Te1/0/4)#dot1x mac-auth-bypass
>> console(config-if-Te1/0/4)#authentication order dot1x mab
>> console(config-if-Te1/0/4)#dot1x reauthentication
>> console(config-if-Te1/0/4)#exit
>> 
>> authentication order mab
>> authentication priority mab
>> 
>> 
>> 
>>> On 2018-01-03 at 09:18, André Scrivener wrote:
>>> Hey,
>>> 
>>> I configured interface 15 manually to use only VLAN 2 (registration), and I was 
>>> assigned an address from the registration range (192.168.2.0/24)
>>> 
>>> Switch config:
>>> 
>>> interface Gi1/0/15
>>> switchport access vlan 2
>>> dot1x port-control force-authorized
>>> exit
>>> 
>>> 
>>> PacketFence logs:
>>> 
>>> Jan  3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO: 
>>> [mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are 
>>> different for 84:7b:eb:e3:84:42 - closing ip4log entry 
>>> (pf::api::update_ip4log)
>>> 
>>> 
>>> 
>>> console#show mac address-table vlan 2
>>> 
>>> Aging time is 300 Sec
>>> 
>>> Vlan    Mac Address       Type      Port
>>> ------- ----------------- --------- ----------
>>> 2       0800.2735.FCC4    Dynamic   Gi1/0/11   - PacketFence
>>> 2       847B.EBE3.8442    Dynamic   Gi1/0/15   - Test machine
>>> 
>>> 
>>> You may notice that now the MAC address of PacketFence is in VLAN 2.
>>> 
>>> Have you already configured Dell switches?
>>> 
>>> Any idea??
>>> 
>>> 
>>> 2018-01-03 10:59 GMT-03:00 Fabrice Durand:
 Hum, strange.
 
 What you can try is to define an interface in VLAN 2 (manually on a 
 switch port) and plug your test machine into it. (You must receive an IP 
 from PacketFence.)
 If you receive an IP from 172.16.0.0/24 then it means that you have a 
 switch configuration issue. (Any layer 3 interfaces defined in VLAN 2?)
 
 Also, what I can see is that there is no MAC in VLAN 2 and VLAN 3 
 for interface 11.
 
 You should have something like that too:
 
 2 08:00:27:35:fc:c4 Dynamic Gi1/0/11 - PacketFence Reg
 
 3 08:00:27:35:fc:c4 Dynamic Gi1/0/11 - PacketFence Isol
 
 Regards
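Fabrice's check above (the PacketFence server's MAC must be learned on its uplink port in both the registration and isolation VLANs, otherwise the trunk towards PacketFence is not carrying those VLANs) can be automated over the switch's own "show mac address-table" output. The Python below is an added example, not PacketFence code: it parses the Dell-style table, normalises the dotted 0800.2735.FCC4 form to the colon form Fabrice wrote so the two can be compared, and reports per expected VLAN whether the host is present on the right port. The sample table is constructed after André's listing and is not copied from it.

```python
"""Verify that a host is learned on the expected switch port in every VLAN it
must bridge, from `show mac address-table` output.  Added example, not
PacketFence code; the sample output is constructed after the thread."""
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    vlan: int
    mac: str    # normalised to aa:bb:cc:dd:ee:ff
    kind: str   # Dynamic / Static / Management
    port: str


def normalise_mac(mac: str) -> str:
    """Accept 0800.2735.FCC4, 08-00-27-35-FC-C4 or 08:00:27:35:fc:c4."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# A data row starts with the VLAN id; the prompt, header and dash rule do not.
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]+)\s+(\S+)\s+(\S+)")


def parse_mac_table(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            mac = normalise_mac(m.group(2))
        except ValueError:
            continue        # malformed row, skip it
        entries.append(Entry(int(m.group(1)), mac, m.group(3), m.group(4)))
    return entries


def check_host(entries: List[Entry], mac: str, port: str, vlans: List[int]) -> Dict[int, str]:
    """Per expected VLAN: 'ok', 'missing' (not learned at all in that VLAN) or
    'wrong port <name>' (learned, but via another port)."""
    wanted = normalise_mac(mac)
    seen = {e.vlan: e.port for e in entries if e.mac == wanted}
    verdict = {}
    for vlan in vlans:
        if vlan not in seen:
            verdict[vlan] = "missing"
        elif seen[vlan] != port:
            verdict[vlan] = f"wrong port {seen[vlan]}"
        else:
            verdict[vlan] = "ok"
    return verdict


def host_ok(verdict: Dict[int, str]) -> bool:
    return all(v == "ok" for v in verdict.values())


# Constructed sample: PacketFence is learned in VLAN 2 only, as in the thread.
SAMPLE_TABLE = """\
console#show mac address-table

Aging time is 300 Sec

Vlan    Mac Address       Type      Port
------- ----------------- --------- ----------
2       0800.2735.FCC4    Dynamic   Gi1/0/11
2       847B.EBE3.8442    Dynamic   Gi1/0/15
3       0021.7000.0001    Dynamic   Gi1/0/7
"""

# PacketFence's MAC in the form Fabrice wrote it, and the VLANs it must reach.
PF_MAC = "08:00:27:35:fc:c4"
PF_PORT = "Gi1/0/11"
PF_VLANS = [2, 3]   # registration and isolation

if __name__ == "__main__":
    verdict = check_host(parse_mac_table(SAMPLE_TABLE), PF_MAC, PF_PORT, PF_VLANS)
    for vlan, state in verdict.items():
        print(f"VLAN {vlan}: {state}")
    print("trunk to PacketFence OK" if host_ok(verdict) else "switch configuration issue")
```

A "missing" verdict for the isolation VLAN is exactly the situation Fabrice describes: the port facing PacketFence is not trunking that VLAN, so clients moved there by PacketFence never reach its DHCP server.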
 

Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?

2018-01-03 Thread Auger, Ivan (ITS) via PacketFence-users
Here you go:

[root@esppkfence ~]# /usr/local/pf/bin/pfcmd service radiusd generateconfig
service|command
radiusd-acct|config generated
radiusd-auth|config generated
[root@esppkfence ~]# /usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fxx -l stdout
FreeRADIUS Version 3.1.0
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file /usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/pf/raddb/mods-enabled/pap
including configuration file /usr/local/pf/raddb/mods-enabled/passwd
including configuration file /usr/local/pf/raddb/mods-enabled/perl
including configuration file /usr/local/pf/raddb/mods-enabled/preprocess
including configuration file /usr/local/pf/raddb/mods-enabled/radutmp
including configuration file /usr/local/pf/raddb/mods-enabled/raw
including configuration file /usr/local/pf/raddb/mods-enabled/realm
including configuration file /usr/local/pf/raddb/mods-enabled/redis
including configuration file /usr/local/pf/raddb/mods-enabled/replicate
including configuration file /usr/local/pf/raddb/mods-enabled/rest
including configuration file /usr/local/pf/raddb/mods-enabled/soh
including configuration file /usr/local/pf/raddb/mods-enabled/sql
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /usr/local/pf/raddb/mods-config/sql/main/mysql/reject.conf
including configuration file /usr/local/pf/raddb/mods-enabled/sradutmp
including configuration file /usr/local/pf/raddb/mods-enabled/unix
including configuration file /usr/local/pf/raddb/mods-enabled/unpack
including configuration file /usr/local/pf/raddb/mods-enabled/utf8
including files in directory /usr/local/pf/raddb/policy.d/
including configuration file /usr/local/pf/raddb/policy.d/abfab-tr
including configuration file /usr/local/pf/raddb/policy.d/accounting
including configuration file /usr/local/pf/raddb/policy.d/canonicalization
including configuration file /usr/local/pf/raddb/policy.d/control
including configuration file /usr/local/pf/raddb/policy.d/cui
including configuration file /usr/local/pf/raddb/policy.d/debug
including configuration file /usr/local/pf/raddb/policy.d/dhcp
including configuration file /usr/local/pf/raddb/policy.d/eap
including configuration file /usr/local/pf/raddb/policy.d/filter
including configuration file /usr/local/pf/raddb/policy.d/operator-name
including configuration file /usr/local/pf/raddb/policy.d/packetfence
including files in directory /usr/local/pf/raddb/sites-enabled/
including configuration file /usr/local/pf/raddb/sites-enabled/dynamic-clients
including configuration file 

Re: [PacketFence-users] Aruba Switch Network Configuration

2018-01-03 Thread Jeremy Plumley via PacketFence-users
I have been working off guides I am finding online. Been finding lots of 
information about configuring from the guide below. Would I be able to see this 
VSA in a debug or log?

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05365313

Jeremy Plumley
ITS Network Administrator
Ext 50024


E-Mail correspondence to and from this address may be subject to the North 
Carolina Public Records Law and shall be disclosed to third parties when 
required by the statutes (G.S. 132-1.)
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread André Scrivener via PacketFence-users
Fabrice,

I used the configuration you sent; it still gave an error.

I saw some new logs:

Jan  3 18:41:44 packetfence pfqueue: pfqueue(25669) WARN:
[mac:84:7b:eb:e3:84:42] Until CoA is implemented we will bounce the port on
VLAN re-assignment traps for MAC-Auth
(pf::Switch::handleReAssignVlanTrapForWiredMacAuth)

Do you know what that would be? Could you explain it?

Soon I will update the firmware of the switch to see if it resolves the problem.

Could it also be a bug in this PacketFence version? Have you heard from anyone
else with this problem?

Greetings!




Re: [PacketFence-users] PKI installation

2018-01-03 Thread Fabrice Durand via PacketFence-users
Just for information, I uploaded a new version of packetfence-pki
for CentOS 7 that fixes all the install issues.

Regards

Fabrice



On 2017-12-12 at 23:58, E.P. wrote:
>
> Well, I’m taking my hat off in front of you, no kidding and pun
> intended ;)
>
> Do you need traceback from the error page ?
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, December 12, 2017 7:02 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> Ha ha, don't worry, I like having challenges like that so I can
> fix the issue for a better user experience.
>
> I coded the PKI so I want to make it work.
>
>  
>
>  
>
> On 2017-12-12 at 21:48, E.P. wrote:
>
> Sure, take your time, Fabrice. I have a special knack of running
> into troubles in cases when others didn’t have any :)
>
>
> Eugene
>
> Sent from iPhone
>
>
> On Dec 12, 2017, at 18:18, Durand fabrice wrote:
>
> OK, let me try to install the PKI on the ZEN and I will get back
> to you.
>
> I installed the PKI on 10 servers not long ago
> without any issue.
>
>  
>
>  
>
> On 2017-12-12 at 20:52, E.P. wrote:
>
> Yes, db.sqlite3 was owned by root
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# ls -al
> total 56
> drwxr-xr-x   7 pf   pf     128 Dec 12 08:49 .
> drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
> drwxrws---   2 pf   pf       6 Nov 15 14:20 ca
> drwxr-xr-x   2 pf   pf     125 Dec 12 01:33 conf
> -rw-r--r--   1 root root 43008 Dec 12 08:44 db.sqlite3
> drwxr-xr-x   2 pf   pf     204 Dec 12 02:49 inverse
> drwxrws---   2 pf   pf      90 Dec 12 01:35 logs
> -rwxr--r--   1 pf   pf     250 Nov 15 14:20 manage.py
> -rw-r--r--   1 root root     6 Dec 12 08:49 packetfence-pki.pid
> drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki
>
>  
>
> Changed the file ownership to pf:pf
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# ls -al
> total 100
> drwxr-xr-x   7 pf   pf     147 Dec 13 01:45 .
> drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
> drwxrws---   2 pf   pf       6 Nov 15 14:20 ca
> drwxr-xr-x   2 pf   pf     125 Dec 12 01:33 conf
> -rw-r--r--   1 pf   pf   43008 Dec 13 01:45 db.sqlite3
> drwxr-xr-x   2 pf   pf     204 Dec 12 02:49 inverse
> drwxrws---   2 pf   pf      90 Dec 12 01:35 logs
> -rwxr--r--   1 pf   pf     250 Nov 15 14:20 manage.py
> -rw-r--r--   1 root root     5 Dec 13 01:43 packetfence-pki.pid
> drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki
>
>  
>
> But trying to log in to the PKI webpage brings me back to
> the same original error “no such table: pki_ca” which I
> showed earlier. I tried to follow your previous advice
> about renaming the db.sqlite3 file and running the migration
> but the behavior is consistent. Is it OK that the PKI
> process ID file is also owned by root?
>
>  
>
> *From:*Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, December 12, 2017 5:35 AM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> 
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> Just change the owner of the sqlite file to pf and it
> should be OK.
>
> Btw, all these steps are done in the packaging, so it
> probably failed or never finished correctly.
>
> I will do a test on my side.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-12-12 at 03:47, E.P. wrote:
>
> Well, we are getting closer ;)
>
> Ran the python script to migrate the database; it completed.
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# python manage.py migrate
> Operations to perform:
>   Synchronize unmigrated apps: staticfiles, rest_framework, messages, bootstrap3
>   Apply all migrations: authtoken, sessions, admin, auth, contenttypes, pki
> Synchronizing apps without migrations:
>   Creating tables...
>     Running deferred SQL...
>   Installing custom SQL...
> Running migrations:
>

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello André,

Yes, I did that a long time ago:

https://github.com/inverse-inc/packetfence/commit/9d47649dd8d133b233d313d2c80e94421c38caaa#diff-53248f7bb6c533be6a5b55ec361b3238

Also the notes I took:

1 Enter global configuration mode and define the RADIUS server.

console#configure
console(config)#radius-server host auth 10.34.200.30
console(Config-auth-radius)#name PacketFence
console(Config-auth-radius)#usage 802.1x
console(Config-auth-radius)#key s3cr3t
console(Config-auth-radius)#exit
console(Config)#aaa server radius dynamic-author
console(config-radius-da)#client 10.34.200.30 server-key s3cr3t
console(config-radius-da)#auth-type all
console(config-radius-da)#exit

2 Enable authentication and globally enable 802.1x client authentication
via RADIUS:

console(config)#authentication enable
console(config)#aaa authentication dot1x default radius
console(config)#aaa authorization network default radius
console(config)#dot1x system-auth-control

(Optional)
console(Config)#dot1x dynamic-vlan enable

3 On the interface, enable MAC based authentication mode, enable MAB,
and set the order of authentication to 802.1X followed by MAC
authentication. Also enable periodic re-authentication.

console(config)#interface te1/0/4
console(config-if-Te1/0/4)#dot1x port-control mac-based
console(config-if-Te1/0/4)#dot1x mac-auth-bypass
console(config-if-Te1/0/4)#authentication order dot1x mab
console(config-if-Te1/0/4)#dot1x reauthentication
console(config-if-Te1/0/4)#exit

authentication order mab
authentication priority mab



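As an added example (not from this thread or from PacketFence), a small Python lint that checks a Dell-style running config against the three steps in the note above, in particular that the RADIUS server also has a dynamic-author client so VLAN re-assignment can use CoA rather than a port bounce. The parser is a minimal line-based one written for this example and the sample config is constructed from the commands in the note, with one port deliberately left half-configured.

```python
"""Lint a Dell-style running config against the three steps in the note:
RADIUS server + dynamic-author (CoA) client, global 802.1X/MAB AAA, and
per-port MAC-based authentication.

Added example, not from the original thread or from PacketFence.
"""
import re
from typing import List

# Constructed sample in running-config layout, built from the note's commands
# (not switch output from the thread). te1/0/5 is deliberately incomplete.
SAMPLE_CONFIG = """\
radius-server host auth 10.34.200.30
name PacketFence
usage 802.1x
key s3cr3t
exit
aaa server radius dynamic-author
client 10.34.200.30 server-key s3cr3t
auth-type all
exit
authentication enable
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x system-auth-control
dot1x dynamic-vlan enable
interface te1/0/4
dot1x port-control mac-based
dot1x mac-auth-bypass
authentication order dot1x mab
dot1x reauthentication
exit
interface te1/0/5
dot1x port-control mac-based
exit
"""

REQUIRED_GLOBAL = [
    "authentication enable",
    "aaa authentication dot1x default radius",
    "aaa authorization network default radius",
    "dot1x system-auth-control",
]
REQUIRED_PORT = [
    "dot1x mac-auth-bypass",
    "authentication order dot1x mab",
    "dot1x reauthentication",
]


def parse_config(text: str) -> dict:
    """Split the config into global lines, radius hosts, CoA clients and per-interface lines."""
    result = {"global": [], "radius_hosts": [], "coa_clients": [], "interfaces": {}}
    section = None  # "radius", "coa", an interface name, or None for global scope
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"radius-server host auth (\S+)", line):
            result["radius_hosts"].append(m.group(1))
            section = "radius"
        elif line.startswith("aaa server radius dynamic-author"):
            section = "coa"
        elif m := re.match(r"interface (\S+)", line, re.I):
            section = m.group(1).lower()
            result["interfaces"][section] = []
        elif line == "exit":
            section = None
        elif section == "coa":
            if m := re.match(r"client (\S+) server-key", line):
                result["coa_clients"].append(m.group(1))
        elif section == "radius":
            pass  # name/usage/key of the radius host are not checked here
        elif section is None:
            result["global"].append(line)
        else:
            result["interfaces"][section].append(line)
    return result


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all three steps are present."""
    cfg = parse_config(text)
    findings = []
    if not cfg["radius_hosts"]:
        findings.append("no RADIUS server defined (step 1)")
    for host in cfg["radius_hosts"]:
        if host not in cfg["coa_clients"]:
            findings.append(f"RADIUS server {host} has no dynamic-author client entry, "
                            "so VLAN re-assignment needs a port bounce instead of CoA (step 1)")
    for cmd in REQUIRED_GLOBAL:
        if cmd not in cfg["global"]:
            findings.append(f"missing global command '{cmd}' (step 2)")
    for name, lines in cfg["interfaces"].items():
        if "dot1x port-control mac-based" not in lines:
            continue  # only ports doing MAC-based auth are in scope for step 3
        for cmd in REQUIRED_PORT:
            if cmd not in lines:
                findings.append(f"{name}: missing '{cmd}' (step 3)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["config matches all three steps"]:
        print(finding)
```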

Re: [PacketFence-users] Aruba Switch Network Configuration

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello Jeremy,

Do you have any documentation related to VoIP support on the Aruba
switch?

There is probably a VSA attribute to return when PacketFence detects that
a phone is plugged into a switch port.

If the VSA exists then it will be easy to add VoIP support for the
Aruba switches.

Regards

Fabrice




-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence-pki restore/overwrite admin password

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello,

What you can do is connect to the sqlite db and update the password.

sqlite3 db.sqlite3

UPDATE "auth_user" set
password='pbkdf2_sha256$2$Z2Lhr1cW8QM0$mN9PtNhxneIDzApqFa4uG8V44IXqHe+r7yootSoSzJQ='
where username='admin';

The password is p@ck3tf3nc3


Regards

Fabrice




-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
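The same password reset done from Python, as an added example rather than code from packetfence-pki: it generates a fresh salted hash instead of reusing a published one and verifies it before you log in. It assumes the auth_user.password column holds Django's pbkdf2_sha256$iterations$salt$base64 format, which the hash quoted above appears to use; the database here is a constructed in-memory stand-in for db.sqlite3, and the iteration count is this example's choice.

```python
"""Reset a Django-style admin password in a packetfence-pki sqlite database.

Added example, not packetfence-pki's own code. Assumes auth_user.password
stores "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>" as Django does.
"""
import base64
import hashlib
import hmac
import secrets
import sqlite3

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000  # this example's choice, not a packetfence-pki setting


def make_password(password: str, salt: str = "", iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return an encoded hash in Django's pbkdf2_sha256 format with a fresh salt by default."""
    if not salt:
        salt = secrets.token_urlsafe(9)  # 12 url-safe chars, like the salt in the message
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "$".join([ALGORITHM, str(iterations), salt, base64.b64encode(digest).decode()])


def check_password(password: str, encoded: str) -> bool:
    """Verify a password against an encoded hash; malformed hashes never verify."""
    try:
        algorithm, iterations, salt, _digest = encoded.split("$", 3)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    # Re-derive with the stored salt and rounds, compare in constant time.
    return hmac.compare_digest(make_password(password, salt, rounds), encoded)


def stored_password(conn: sqlite3.Connection, username: str):
    """Return the encoded hash for a user, or None if the user does not exist."""
    row = conn.execute("SELECT password FROM auth_user WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def reset_user_password(conn: sqlite3.Connection, username: str, new_password: str) -> int:
    """Same UPDATE as in the message, with a freshly generated hash; returns rows changed."""
    encoded = make_password(new_password)
    cur = conn.execute("UPDATE auth_user SET password = ? WHERE username = ?", (encoded, username))
    conn.commit()
    return cur.rowcount


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for db.sqlite3 with only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    conn.execute("INSERT INTO auth_user (username, password) VALUES (?, ?)",
                 ("admin", make_password("forgotten-old-password")))
    conn.commit()
    return conn


if __name__ == "__main__":
    # On a real install you would use sqlite3.connect("db.sqlite3") as the pf user instead.
    db = build_sample_db()
    print("rows updated:", reset_user_password(db, "admin", "p@ck3tf3nc3"))
    print("new password verifies:", check_password("p@ck3tf3nc3", stored_password(db, "admin")))
```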



Re: [PacketFence-users] Aruba Switch Network Configuration

2018-01-03 Thread Jeremy Plumley via PacketFence-users
I have my demo HPE Aruba 2930M switch now. So far data vlan seems ok but I'm 
having issues with my Cisco VOIP Phones. The Packetfence log is throwing this 
error over my phones.

Jan  3 13:21:48 pf1 packetfence_httpd.aaa: httpd.aaa(3637) WARN: 
[mac:64:00:f1:ab:11:35] RADIUS Authentication of IP Phones is not supported on 
switch type pf::Switch::ArubaSwitch. Please let us know what hardware you are 
using. (pf::Switch::supportsRadiusVoip)

Any ideas on how to support phones on these or should I attempt another switch 
type?

Jeremy Plumley
ITS Network Administrator
Ext 50024

From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, December 06, 2017 9:07 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Aruba Switch Network Configuration


Ok so it should work.

When I wrote the code, the Aruba switches were really new and there were bugs in 
the Aruba OS.

Btw, I think it's fully supported by ClearPass, so it will work with 
PacketFence.
Regards
Fabrice


[PacketFence-users] Packetfence-pki restore/overwrite admin password

2018-01-03 Thread Rokkhan via PacketFence-users
Hi,

I am unable to log in to the packetfence-pki web interface with the admin
password, nor with another user I created after installation.

Is there any way to restore or overwrite the admin password?

I am using Packetfence-pki 1.0.5 on CentOS 7

Greetings


Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello Ivan,

What you can do is the following:

/usr/local/pf/bin/pfcmd service radiusd generateconfig

/usr/sbin/radiusd -d /usr/local/pf/raddb  -n auth -fxx -l stdout

And paste the debug if the service is not able to start.

Regards

Fabrice




-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



[PacketFence-users] packetfence 7.3 configuration wizard - radius?

2018-01-03 Thread Auger, Ivan (ITS) via PacketFence-users
Selected radius enforcement in configuration wizard - radius does not start in 
last step - everything else starts.  Is there something additional that needs 
to be defined in /usr/local/pf/conf/pf.conf or in /usr/local/pf/conf/raddb 
template directory?

Thanks


Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread André Scrivener via PacketFence-users
Hey,

I configured interface 15 manually to use only VLAN 2 (registration), and I was
assigned a registration address (192.168.2.0/24).

Switch config follows:

interface Gi1/0/15
switchport access vlan 2
dot1x port-control force-authorized
exit


PacketFence logs follow:

Jan  3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO:
[mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are
different for 84:7b:eb:e3:84:42 - closing ip4log entry
(pf::api::update_ip4log)



console#show mac address-table  vlan 2

Aging time is 300 Sec

Vlan  Mac Address      Type     Port
----  ---------------  -------  --------
2     0800.2735.FCC4   Dynamic  Gi1/0/11   (PacketFence)
2     847B.EBE3.8442   Dynamic  Gi1/0/15   (Test machine)


You may notice that now the MAC address of PacketFence is in VLAN 2.

Have you already configured Dell switches?

Any idea?


2018-01-03 10:59 GMT-03:00 Fabrice Durand :

> Hum, strange.
>
> What you can try is to define an interface in VLAN 2 (manually on a
> switch port) and plug your test machine into it (you must receive an IP from
> PacketFence).
>
> If you receive an IP from 172.16.0.0/24 then it means that you have a
> switch configuration issue (any layer 3 interfaces defined in VLAN 2?).
>
> Also what I can see is that there is no MAC in VLAN 2 or VLAN 3
> for interface 11.
>
> You should have something like this too:
>
> 2  08:00:27:35:fc:c4  Dynamic  Gi1/0/11   (PacketFence Reg)
> 3  08:00:27:35:fc:c4  Dynamic  Gi1/0/11   (PacketFence Isol)
>
> Regards
> Fabrice
>
>
> On 2018-01-02 at 13:55, André Scrivener wrote:
>
> Oops, Fabrice!
>
> I forgot some information: the MAC addresses on the switch.
>
> By the logs, it is in VLAN 2, the correct VLAN.
>
> Right now I do not understand why it does not assign the correct
> address.
>
>
> console#show mac address-table
>
> Aging time is 300 Sec
>
> Vlan  Mac Address      Type        Port
> ----  ---------------  ----------  --------
> 1     0800.2700.58E2   Dynamic     Gi1/0/11   (Windows Server 2008)
> 1     0800.2735.FCC4   Dynamic     Gi1/0/11   (PacketFence)
> 1     1418.77EA.F0A3   Management  Vl1        (Switch Dell)
> 1     641C.X           Dynamic     Gi1/0/11   (My physical pc)
> 2     847B.EBE3.8442   Dynamic     Gi1/0/13   (My test machine)
>
> Total MAC Addresses in use: 5
>
> console#show mac address-table interface Gi1/0/13
>
> Aging time is 300 Sec
>
> Vlan  Mac Address      Type        Port
> ----  ---------------  ----------  --------
> 2     847B.EBE3.8442   Dynamic     Gi1/0/13   (My test machine)
>
>
> console#
>
>
> 2018-01-02 15:22 GMT-03:00 André Scrivener :
>
>> Hello Fabrice,
>>
>> I simplified the environment, I'm using only 1 interface!
>>
>>
>> enp0s3: Management - DHCP FROM WINDOWS SERVER
>> enp0s3 VLAN 2: Registration  - DHCP ENABLE
>> enp0s3 VLAN 3: Isolation   - DHCP ENABLE
>> enp0s3 VLAN 10: Normal   - NO DHCP
>>
>> IP Address Switch Managed: 172.16.0.50
>> Interface 11: My physical machine, and virtual machine (virtualbox) where
>> is the PacketFence  (interface mode bridge)
>> Interface 23: My client test Windows 8 (interface mode bridge)
>>
>>
>> The problem continues: in the logs it returns the correct VLAN, but it does
>> not assign it to the computer; it stubbornly assigns the network
>> 172.16.0.0/24 (Management Network).
>>
>>
>> [root@packetfence ~]# tailf  /usr/local/pf/logs/packetfence.log
>> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
>> [mac:84:7b:eb:e3:84:42] handling radius autz request: from switch_ip =>
>> (172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
>> (14:18:77:ea:f0:a2), mac => [84:7b:eb:e3:84:42], port => 13, username =>
>> "847BEBE38442" (pf::radius::authorize)
>> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
>> [mac:84:7b:eb:e3:84:42] Instantiate profile default
>> (pf::Connection::ProfileFactory::_from_profile)
>> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
>> [mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN
>> (pf::role::getRegistrationRole)
>> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
>> [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS
>> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>>
>>
>>
>> [root@packetfence ~]# tailf  /usr/local/pf/logs/radius.log
>> Jan  2 14:03:10 packetfence auth[31813]: Need 1 more connections to reach
>> min connections (3)
>> Jan  2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
>> additional connection (15), 1 of 62 pending slots used
>> Jan  2 14:03:10 packetfence auth[31813]: Need 7 more connections to reach
>> 10 spares
>> Jan  2 14:03:10 packetfence 

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread E.P. via PacketFence-users
I applied the patch, Tim, and it was successful, I mean the patch installation.

Then I restarted RADIUS daemon and tried the local user authentication. As I 
described it in the other email to Fabrice it was rejected due to MSCHAPv2. For 
me it is a sign that I’m getting closer ;)

And yes, Unifi is indeed ubiquitous ;) I inherited the organization WiFi setup 
based on distributed deployment of Unifi in L3 mode and now the management is 
pushing for more security without any significant investments.

 

Eugene

 

From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
Sent: Tuesday, January 02, 2018 7:04 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net; Fabrice Durand
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
FreeRADIUS

 

Eugene,

 

The patch is mandatory in order for PacketFence to recognize that the UniFi 
supports 802.1x (and MAC-based auth). As for the controller, you should be able 
to get away without it if you do not need dynamic VLAN assignment. However, 
without the controller, PacketFence will not be able to disassociate or 
deauthenticate any clients, so keep this in mind for any temporary sessions (if 
applicable). Try applying the patch, restarting all the PacketFence services, 
and see if it fixes your problems. Based on the lack of Ubiquiti support for 
various integration issues (802.1x and MAC auth dynamic vlan assignment), the 
patch has been delayed being merged into the core code (per Fabrice), so you 
have to apply it manually. Please let me know if you have any additional 
questions.

 

Thanks,

Tim

 

Sent from mobile phone


On Jan 2, 2018, at 16:06, E.P. wrote:

Appreciate those screenshots as well, Tim!

I’m running latest code of the Unifi controller as well and latest firmware 
supported on all WAP.

Quick question, is the IP address of the controller mandatory when I configure 
WAP in PF switches section?

 

Eugene

 

From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
Sent: Friday, December 29, 2017 9:34 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P.; Fabrice Durand
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
FreeRADIUS

 

Eugene,

 

Just a thought, but can you change the deauthentication method to HTTPS and 
specify the UniFi controller IP? See my setup below:

 

https://i.imgsafe.org/0c/0cff2c7f19.png

https://i.imgsafe.org/0c/0cff2dfd99.png

 

My UniFi AP is 192.168.20.7

My UniFi controller is 192.168.20.6

 

This is my UniFi AP setup:

https://i.imgsafe.org/05/05bbb5eafe.png

https://i.imgsafe.org/05/05bbd86ab4.png

 

Also please make sure you have the latest UniFi AP and controller firmware as 
they were just updated a few days ago. 

 

See my earlier post on the PacketFence-Users forum if you have questions. 

 

Tim

 

Sent from mobile phone


On Dec 29, 2017, at 07:59, Fabrice Durand via PacketFence-users 
 wrote:

For me it looks like 172.19.254.2 is defined twice.

Can you do in /usr/local/pf/raddb:

grep 172.19.254.2 * -r 

Also can you try to run radiusd in debug mode and see if you can see 
172.19.254.2 (radiusd -d /usr/local/pf/raddb -n auth -X)

 

Regards

Fabrice

 

Le 2017-12-29 à 01:26, E.P. a écrit :

Nah…

No luck at all, Fabrice. I’m becoming desperate ;)

I thought it has to do with Unifi controller (reading it here in other threads 
that it is far from being error-free) but I pointed it to FreeRADIUS running on 
DaloRADIUS host and the regular user authentication worked nice.

I just don’t like DaloRADIUS due to its limitations and support and hold my 
aspiration towards PF.

Well, here we go again, I reconfigured the entry in switches file and it looks 
very simplistic, 172.19.254.2 is the IP address of Unifi AP.

 

[root@PacketFence-ZEN conf]# cat ./switches.conf

[172.19.254.2]

VoIPCDPDetect=N

VoIPDHCPDetect=N

deauthMethod=RADIUS

description=Test-WAP

VoIPLLDPDetect=N

radiusSecret=1234567890

VlanMap=N

 

Someone who uses Unifi may jump in to validate my settings, please.

In the settings for a specific wireless network I select “WPA Enterprise” and 
select RADIUS profile that I configured separately pointing to PF IP address. 
The RADIUS profile is configured as usual, i.e.

IP address, ports which are 1812/1813 and shared secret, nothing fancy about it.

 

Both radius log files show the same consistent error:

 

Dec 29 06:10:24 PacketFence-ZEN acct[13247]: Dropping packet without response 
because of error: Received Accounting-Request packet from client 172.19.254.2 
with invalid Request Authenticator!  (Shared secret is incorrect.)

 

Dec 29 06:20:29 PacketFence-ZEN auth[13273]: Dropping packet without response 
because of error: Received packet from 172.19.254.2 with invalid 
Message-Authenticator!  (Shared secret is incorrect.)

 

I don’t think I have to start radius in debugging mode to have more output, do 
I ? 

 

Eugene

 

From: Durand fabrice 
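The two "Shared secret is incorrect" log lines quoted above come from the checks FreeRADIUS runs on every packet from a configured client: the RFC 2866 Request Authenticator on an Accounting-Request and the RFC 2869 Message-Authenticator on an Access-Request. The Python below is an added example, not code from the thread or from PacketFence, that reproduces both checks; the packets, username and secrets in it are constructed.

```python
"""Constructed example: the two checks behind "Shared secret is incorrect".

RFC 2866: Accounting-Request Authenticator
    = MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret)
RFC 2869: Message-Authenticator (attribute 80)
    = HMAC-MD5(key=Secret, msg=whole packet with the attribute value zeroed)
A NAS and a server that disagree on the secret fail exactly these checks.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request whose Request Authenticator is derived from the secret."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def build_access_request(identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Access-Request (random request_auth) carrying a Message-Authenticator."""
    # The HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed))
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return header + request_auth + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def check_accounting_request(packet: bytes, secret: bytes) -> bool:
    """RFC 2866 check: recompute the Request Authenticator with our copy of the secret."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def check_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """RFC 2869 check: locate attribute 80, zero it, recompute the HMAC-MD5."""
    header, request_auth, attrs = packet[:4], packet[4:20], packet[20:]
    pos = 0
    while pos + 2 <= len(attrs):
        type_code, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return False  # malformed attribute list
        if type_code == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = attrs[pos + 2:pos + 18]
            zeroed = attrs[:pos + 2] + b"\x00" * 16 + attrs[pos + 18:]
            expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += length
    return False  # no Message-Authenticator at all


def verify_client_secret(packet: bytes, secret: bytes) -> str:
    """FreeRADIUS-style verdict for a packet from a client we have a secret for."""
    if packet[0] == ACCOUNTING_REQUEST:
        if check_accounting_request(packet, secret):
            return "accept"
        return "invalid Request Authenticator (shared secret is incorrect)"
    if packet[0] == ACCESS_REQUEST:
        if check_message_authenticator(packet, secret):
            return "accept"
        return "invalid Message-Authenticator (shared secret is incorrect)"
    return "unsupported code"


if __name__ == "__main__":
    # Constructed: the AP and the server were given secrets that differ by one trailing space.
    ap_secret = b"1234567890"
    server_secret = b"1234567890 "
    attrs = attr(ATTR_USER_NAME, b"testuser") + attr(ATTR_NAS_IP_ADDRESS, bytes([172, 19, 254, 2]))
    acct = build_accounting_request(7, attrs, ap_secret)
    print("acct, same secret:    ", verify_client_secret(acct, ap_secret))
    print("acct, server secret:  ", verify_client_secret(acct, server_secret))
    access = build_access_request(8, bytes(range(16)), attrs, ap_secret)
    print("access, server secret:", verify_client_secret(access, server_secret))
```

Because the secret is mixed into an MD5 or HMAC-MD5 over the whole packet, a secret that differs by a single character (a pasted trailing space, for instance) is rejected with exactly the messages in the log, while a duplicate client definition picks whichever secret FreeRADIUS loaded for that IP.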

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Timothy Mullican via PacketFence-users
Eugene,

Did you uncomment the “packetfence-local-auth” line in 
/usr/local/pf/conf/radiusd/packetfence-tunnel ? 

Also you will have to change the database password encryption type to plain or 
NTLM under Configuration->System Configuration->Main Configuration->Database 
passwords hashing mechanism. 

I would then try restarting all the PacketFence services. Let me know if this 
doesn’t work. 

Thanks,
Tim

Sent from mobile phone

> On Jan 3, 2018, at 07:50, Fabrice Durand via PacketFence-users 
>  wrote:
> 
> I tried to add the DAS parameter directly in the configuration file of the AP 
> and it works (CoA), but the limitation is that you can enable it only on one 
> ssid.
> 
> https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
> 
> Regards
> 
> Fabrice
> 
> 
> 
>> Le 2017-12-29 à 16:18, Timothy Mullican via PacketFence-users a écrit :
>> It may be possible to skip the controller and run the deauthentication 
>> command on the AP itself, but it is product specific as opposed to the 
>> controller API, which is cross-product. The UniFi code on PacketFence would 
>> have to be modified to support this. 
>> 
>> See 
>> https://community.ubnt.com/t5/UniFi-Wireless/Issue-manual-kick-sta-command/m-p/1197157/highlight/true#M95831
>> 
>> Sent from mobile phone
>> 
>> On Dec 29, 2017, at 15:12, Timothy Mullican via PacketFence-users wrote:
>> 
>>> I am running UniFi AP 3.9.15.8011 and Controller 5.6.26 (I’m using 
>>> linuxserver/UniFi docker image on CentOS 7.4). 
>>> 
>>> First, make sure you applied the UniFi patch (see 
>>> https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/m-p/2134984/highlight/true#M261219).
>>>  This enables dynamic VLAN assignment using radius and 802.1x on the 
>>> PacketFence side. The latest UniFi firmware also allows dynamic vlan 
>>> assignment using MAC authentication (i.e., guest access). If you have any 
>>> questions about this let me know and I can help you (also see my earlier 
>>> thread).
>>> 
>>> If you are using the PacketFence captive portal authentication to assign a 
>>> user’s VLAN, PacketFence requires the UniFi controller to deauthenticate 
>>> clients from the AP. If you look at  
>>> https://github.com/inverse-inc/packetfence/pull/2735/files#diff-8b99f599546e7710d1df6b776d184569,
>>>  you can see the deauthentication method used is an HTTPS API call to the 
>>> controller running the “kick-sta” command on the client MAC address. As you 
>>> are probably aware, the user must reauthenticate in order to be placed in 
>>> the correct VLAN after successfully authenticating. PacketFence automates 
>>> this process in several ways (HTTP/HTTPS, SNMP, Telnet/SSH, RADIUS CoA).
>>> 
>>> As far as I know, the only way to deauthenticate a client on the AP is 
>>> using the Controller API over HTTPS (no support for CoA yet). If CoA is 
>>> implemented we should be able to bypass the controller and send direct 
>>> client RADIUS deauthentication requests to the AP. 
>>> 
>>> If you are using 802.1x without the captive portal, you may be able to get 
>>> away without relying on the controller, since the VLAN is only assigned 
>>> once at logon to the AP, but I have not tested this yet. 
>>> 
>>> Fabrice may be able to help if I didn’t explain something correctly above. 
>>> 
>>> Tim
>>> 
 
 On Dec 29, 2017, at 12:38, E.P.  wrote:
 
> Hi Timothy,
> I’m really-really grateful to you and your comments.
> May I ask you what firmware level you run on your Unifi AP ?
> And by the way, just out of curiosity, why we need controller IP address 
> in the settings for AP/switch ?
> I thought that the real RADIUS client is the AP and the controller’s only 
> job is to push settings including WPA-Enterprise/RADIUS to AP
>  
> Eugene
>  
> From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
>   
> Sent: Friday, December 29, 2017 9:34 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: E.P.; Fabrice Durand
> Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
> FreeRADIUS
>  
> Eugene,
>  
> Just a thought, but can you change the deauthentication method to HTTPS 
> and specify the UniFi controller IP? See my setup below:
>  
> https://i.imgsafe.org/0c/0cff2c7f19.png
> https://i.imgsafe.org/0c/0cff2dfd99.png
>  
> My UniFi AP is 192.168.20.7
> My UniFi controller is 192.168.20.6
>  
> This is my UniFi AP setup:
> https://i.imgsafe.org/05/05bbb5eafe.png
> https://i.imgsafe.org/05/05bbd86ab4.png
>  
> Also please make sure you have the latest UniFi AP and controller 
> firmware as they were just updated a few days ago. 
>  
> See my earlier post on the PacketFence-Users forum if you have questions. 
>  
> Tim
>  

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Timothy Mullican via PacketFence-users
To answer your question “Am I getting close to the point by reading that if I 
really want a user authenticated using PEAP (with MSCHAPv2 as an inner method) 
it has to be NOT a local user but a user from an external identity store (AD) 
?”, I would recommend you switch to AD (see 
https://packetfence.org/doc/PacketFence_Administration_Guide.html#_roles_management
 section 9.7) as it is easier to manage for most organizations (most already 
have accounts in AD). You can technically still do local auth using PEAP (see 
above link section 9.7.6), but you have to tweak a few things as shown in the 
link. Please let me know if you have any questions.

Thanks,
Tim

Sent from mobile phone

> On Jan 2, 2018, at 21:03, Timothy Mullican via PacketFence-users 
>  wrote:
> 
> Eugene,
> 
> The patch is mandatory in order for PacketFence to recognize that the UniFi 
> supports 802.1x (and MAC-based auth). As for the controller, you should be 
> able to get away without it if you do not need dynamic VLAN assignment. 
> However, without the controller, PacketFence will not be able to disassociate 
> or deauthenticate any clients, so keep this in mind for any temporary 
> sessions (if applicable). Try applying the patch, restarting all the 
> PacketFence services, and see if it fixes your problems. Based on the lack of 
> Ubiquiti support for various integration issues (802.1x and MAC auth dynamic 
> vlan assignment), the patch has been delayed being merged into the core code 
> (per Fabrice), so you have to apply it manually. Please let me know if you 
> have any additional questions.
> 
> Thanks,
> Tim
> 
> Sent from mobile phone
> 
>> On Jan 2, 2018, at 16:06, E.P.  wrote:
>> 
>> Appreciate those screenshots as well, Tim!
>> I’m running latest code of the Unifi controller as well and latest firmware 
>> supported on all WAP.
>> Quick question, is the IP address of the controller mandatory when I 
>> configure WAP in PF switches section?
>>  
>> Eugene
>>  
>> From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
>> Sent: Friday, December 29, 2017 9:34 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: E.P.; Fabrice Durand
>> Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
>> FreeRADIUS
>>  
>> Eugene,
>>  
>> Just a thought, but can you change the deauthentication method to HTTPS and 
>> specify the UniFi controller IP? See my setup below:
>>  
>> https://i.imgsafe.org/0c/0cff2c7f19.png
>> https://i.imgsafe.org/0c/0cff2dfd99.png
>>  
>> My UniFi AP is 192.168.20.7
>> My UniFi controller is 192.168.20.6
>>  
>> This is my UniFi AP setup:
>> https://i.imgsafe.org/05/05bbb5eafe.png
>> https://i.imgsafe.org/05/05bbd86ab4.png
>>  
>> Also please make sure you have the latest UniFi AP and controller firmware 
>> as they were just updated a few days ago. 
>>  
>> See my earlier post on the PacketFence-Users forum if you have questions. 
>>  
>> Tim
>>  
>> Sent from mobile phone
>> 
>> On Dec 29, 2017, at 07:59, Fabrice Durand via PacketFence-users 
>>  wrote:
>> 
>> For me it looks like 172.19.254.2 is defined twice.
>> 
>> Can you do in /usr/local/pf/raddb:
>> 
>> grep 172.19.254.2 * -r 
>> 
>> Also can you try to run radiusd in debug mode and see if you can see 
>> 172.19.254.2 (radiusd -d /usr/local/pf/raddb -n auth -X)
>> 
>>  
>> 
>> Regards
>> 
>> Fabrice
>> 
>>  
>> 
>> Le 2017-12-29 à 01:26, E.P. a écrit :
>> Nah…
>> No luck at all, Fabrice. I’m becoming desperate ;)
>> I thought it has to do with Unifi controller (reading it here in other 
>> threads that it is far from being error-free) but I pointed it to FreeRADIUS 
>> running on DaloRADIUS host and the regular user authentication worked nice.
>> I just don’t like DaloRADIUS due to its limitations and support and hold my 
>> aspiration towards PF.
>> Well, here we go again, I reconfigured the entry in switches file and it 
>> looks very simplistic, 172.19.254.2 is the IP address of Unifi AP.
>>  
>> [root@PacketFence-ZEN conf]# cat ./switches.conf
>> [172.19.254.2]
>> VoIPCDPDetect=N
>> VoIPDHCPDetect=N
>> deauthMethod=RADIUS
>> description=Test-WAP
>> VoIPLLDPDetect=N
>> radiusSecret=1234567890
>> VlanMap=N
>>  
>> Someone who uses Unifi may jump in to validate my settings, please.
>> In the settings for a specific wireless network I select “WPA Enterprise” 
>> and select RADIUS profile that I configured separately pointing to PF IP 
>> address. The RADIUS profile is configured as usual, i.e.
>> IP address, ports which are 1812/1813 and shared secret, nothing fancy about 
>> it.
>>  
>> Both radius log files show the same consistent error:
>>  
>> Dec 29 06:10:24 PacketFence-ZEN acct[13247]: Dropping packet without 
>> response because of error: Received Accounting-Request packet from client 
>> 172.19.254.2 with invalid Request Authenticator!  (Shared secret is 
>> incorrect.)
>>  
>> Dec 29 06:20:29 PacketFence-ZEN 

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread André Scrivener via PacketFence-users
Opss, Fabrice!

I forgot an information, the MAC addresses on the switch.

By the logs, it is in VLAN 2, the correct vlan.

Right now I do not understand, because it does not assign the correct
address


console#show mac address-table

Aging time is 300 Sec

Vlan     Mac Address           Type        Port
----     -----------           ----        ----
1        0800.2700.58E2        Dynamic     Gi1/0/11  - Windows Server 2008
1        0800.2735.FCC4        Dynamic     Gi1/0/11  - PacketFence
1        1418.77EA.F0A3        Management  Vl1       - Switch Dell
1        641C.X                Dynamic     Gi1/0/11  - My physical pc
2        847B.EBE3.8442        Dynamic     Gi1/0/13  - My test machine

Total MAC Addresses in use: 5

console#show mac address-table interface Gi1/0/13

Aging time is 300 Sec

Vlan     Mac Address           Type        Port
----     -----------           ----        ----
2        847B.EBE3.8442        Dynamic     Gi1/0/13  - My test machine


console#


2018-01-02 15:22 GMT-03:00 André Scrivener :

> Hello Fabrice,
>
> I simplified the environment, I'm using only 1 interface!
>
>
> enp0s3: Management - DHCP FROM WINDOWS SERVER
> enp0s3 VLAN 2: Registration  - DHCP ENABLE
> enp0s3 VLAN 3: Isolation   - DHCP ENABLE
> enp0s3 VLAN 10: Normal   - NO DHCP
>
> IP Address Switch Managed: 172.16.0.50
> Interface 11: My physical machine, and virtual machine (virtualbox) where
> is the PacketFence  (interface mode bridge)
> Interface 23: My client test Windows 8 (interface mode bridge)
>
>
> Problem continue, in the logs it returns to vlan correct, but does not
> assign to the computer, it stubborn in assigning the network 172.16.0.0/24
> (Management Network).
>
>
> root@packetfence ~]# tailf  /usr/local/pf/logs/packetfence.log
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] handling radius autz request: from switch_ip =>
> (172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (14:18:77:ea:f0:a2), mac => [84:7b:eb:e3:84:42], port => 13, username =>
> "847BEBE38442" (pf::radius::authorize)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
>
> [root@packetfence ~]# tailf  /usr/local/pf/logs/radius.log
> Jan  2 14:03:10 packetfence auth[31813]: Need 1 more connections to reach
> min connections (3)
> Jan  2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
> additional connection (15), 1 of 62 pending slots used
> Jan  2 14:03:10 packetfence auth[31813]: Need 7 more connections to reach
> 10 spares
> Jan  2 14:03:10 packetfence auth[31813]: rlm_sql (sql): Opening additional
> connection (18), 1 of 61 pending slots used
> Jan  2 14:03:10 packetfence auth[31813]: [mac:84:7b:eb:e3:84:42] Accepted
> user:  and returned VLAN 2
> Jan  2 14:03:10 packetfence auth[31813]: (32) Login OK: [847BEBE38442]
> (from client 172.16.0.50 port 13 cli 84:7b:eb:e3:84:42)
>
>
>
>
> Follow network settings:
>
> [root@packetfence ~]# ifconfig
> enp0s3: flags=4163  mtu 1500
> inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
> inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
> ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
> RX packets 560936  bytes 711890423 (678.9 MiB)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 153523  bytes 23163746 (22.0 MiB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s3.2: flags=4163  mtu 1500
> inet 192.168.2.2  netmask 255.255.255.0  broadcast 192.168.2.255
> inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
> ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
> RX packets 0  bytes 0 (0.0 B)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 10  bytes 732 (732.0 B)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s3.3: flags=4163  mtu 1500
> inet 192.168.3.2  netmask 255.255.255.0  broadcast 192.168.3.255
> inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
> ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
> RX packets 0  bytes 0 (0.0 B)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 10  bytes 732 (732.0 B)
> TX errors 0  dropped 

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

First did you uncomment packetfence-local-auth in
/usr/local/pf/conf/radiusd/packetfence-tunnel ?

Also what type of hashing password did you choose ? (Configuration ->
System configuration -> Advanced ) only ntlm and plaintext are supported
by local auth.

Regards

Fabrice



Le 2018-01-03 à 00:21, E.P. a écrit :
>
> I applied the patch, Tim, and it was successful, I mean the patch
> installation.
>
> Then I restarted RADIUS daemon and tried the local user
> authentication. As I described it in the other email to Fabrice it was
> rejected due to MSCHAPv2. For me it is a sign that I’m getting closer ;)
>
> And yes, Unifi is indeed ubiquitous ;) I inherited the organization
> WiFi setup based on distributed deployment of Unifi in L3 mode and now
> the management is pushing for more security without any significant
> investments.
>
>  
>
> Eugene
>
>  
>
> *From:*Timothy Mullican [mailto:tjmullic...@yahoo.com]
> *Sent:* Tuesday, January 02, 2018 7:04 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net; Fabrice Durand
> *Subject:* Re: [PacketFence-users] Need an advice and maybe assistance
> with FreeRADIUS
>
>  
>
> Eugene,
>
>  
>
> The patch is mandatory in order for PacketFence to recognize that the
> UniFi supports 802.1x (and MAC-based auth). As for the controller, you
> should be able to get away without it if you do not need dynamic VLAN
> assignment. However, without the controller, PacketFence will not be
> able to disassociate or deauthenticate any clients, so keep this in
> mind for any temporary sessions (if applicable). Try applying the
> patch, restarting all the PacketFence services, and see if it fixes
> your problems. Based on the lack of Ubiquiti support for various
> integration issues (802.1x and MAC auth dynamic vlan assignment), the
> patch has been delayed being merged into the core code (per Fabrice),
> so you have to apply it manually. Please let me know if you have any
> additional questions.
>
>  
>
> Thanks,
>
> Tim
>
>  
>
> Sent from mobile phone
>
>
> On Jan 2, 2018, at 16:06, E.P. wrote:
>
> Appreciate those screenshots as well, Tim!
>
> I’m running latest code of the Unifi controller as well and latest
> firmware supported on all WAP.
>
> Quick question, is the IP address of the controller mandatory when
> I configure WAP in PF switches section?
>
>  
>
> Eugene
>
>  
>
> *From:*Timothy Mullican [mailto:tjmullic...@yahoo.com]
> *Sent:* Friday, December 29, 2017 9:34 AM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Cc:* E.P.; Fabrice Durand
> *Subject:* Re: [PacketFence-users] Need an advice and maybe
> assistance with FreeRADIUS
>
>  
>
> Eugene,
>
>  
>
> Just a thought, but can you change the deauthentication method to
> HTTPS and specify the UniFi controller IP? See my setup below:
>
>  
>
> https://i.imgsafe.org/0c/0cff2c7f19.png
>
> https://i.imgsafe.org/0c/0cff2dfd99.png
>
>  
>
> My UniFi AP is 192.168.20.7
>
> My UniFi controller is 192.168.20.6
>
>  
>
> This is my UniFi AP setup:
>
> https://i.imgsafe.org/05/05bbb5eafe.png
>
> https://i.imgsafe.org/05/05bbd86ab4.png
>
>  
>
> Also please make sure you have the latest UniFi AP and controller
> firmware as they were just updated a few days ago. 
>
>  
>
> See my earlier post on the PacketFence-Users forum if you have
> questions. 
>
>  
>
> Tim
>
>  
>
> Sent from mobile phone
>
>
> On Dec 29, 2017, at 07:59, Fabrice Durand via PacketFence-users wrote:
>
> For me it looks like 172.19.254.2 is defined twice.
>
> Can you do in /usr/local/pf/raddb:
>
> grep 172.19.254.2 * -r 
>
> Also can you try to run radiusd in debug mode and see if you
> can see 172.19.254.2 (radiusd -d /usr/local/pf/raddb -n auth -X)
>
>  
>
> Regards
>
> Fabrice
>
>  
>
> Le 2017-12-29 à 01:26, E.P. a écrit :
>
> Nah…
>
> No luck at all, Fabrice. I’m becoming desperate ;)
>
> I thought it has to do with Unifi controller (reading it
> here in other threads that it is far from being
> error-free) but I pointed it to FreeRADIUS running on
> DaloRADIUS host and the regular user authentication worked
> nice.
>
> I just don’t like DaloRADIUS due to its limitations and
> support and hold my aspiration towards PF.
>
> Well, here we go again, I reconfigured the entry in
> switches file and it looks very simplistic, 172.19.254.2
> is the IP address of Unifi AP.
>
>  
>
> [root@PacketFence-ZEN conf]# cat ./switches.conf
>
>  

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hum strange.

What you can try is to define an interface in the vlan 2 (manually on an
switch port) and plug your test machine in it. (you must receive an ip
from PacketFence).

If you receive an ip from the 172.16.0.0/24 then it mean that you have a
switch configuration issue. (any layer 3 interfaces defined in the vlan
2 ?).

Also what i can see is that there is no mac in the vlan 2 and the vlan 3
for the interface 11.

You should have something like that too:

2        08:00:27:35:fc:c4     Dynamic     Gi1/0/11  - PacketFence Reg

3        08:00:27:35:fc:c4     Dynamic     Gi1/0/11  - PacketFence Isol

Regards
Fabrice

Le 2018-01-02 à 13:55, André Scrivener a écrit :
> Opss, Fabrice!
>
> I forgot an information, the MAC addresses on the switch.
>
> By the logs, it is in VLAN 2, the correct vlan.
>
> Right now I do not understand, because it does not assign the correct
> address
>
>
> console#show mac address-table           
>
> Aging time is 300 Sec
>
> Vlan     Mac Address           Type        Port
> ----     -----------           ----        ----
> 1        0800.2700.58E2        Dynamic     Gi1/0/11  - Windows Server 2008
> 1        0800.2735.FCC4        Dynamic     Gi1/0/11  - PacketFence
> 1        1418.77EA.F0A3        Management  Vl1       - Switch Dell
> 1        641C.X                Dynamic     Gi1/0/11  - My physical pc
> 2        847B.EBE3.8442        Dynamic     Gi1/0/13  - My test machine
>
> Total MAC Addresses in use: 5
>
> console#show mac address-table interface Gi1/0/13
>
> Aging time is 300 Sec
>
> Vlan     Mac Address           Type        Port
> ----     -----------           ----        ----
> 2        847B.EBE3.8442        Dynamic     Gi1/0/13  - My test machine
>
>
> console#
>
>
> 2018-01-02 15:22 GMT-03:00 André Scrivener:
>
> Hello Fabrice, 
>
> I simplified the environment, I'm using only 1 interface!
>
>
> enp0s3:             Management - DHCP FROM WINDOWS SERVER
> enp0s3 VLAN 2: Registration  - DHCP ENABLE
> enp0s3 VLAN 3: Isolation       - DHCP ENABLE
> enp0s3 VLAN 10: Normal       - NO DHCP
>
> IP Address Switch Managed: 172.16.0.50
> Interface 11: My physical machine, and virtual machine
> (virtualbox) where is the PacketFence  (interface mode bridge)
> Interface 23: My client test Windows 8 (interface mode bridge)
>
>
> Problem continue, in the logs it returns to vlan correct, but does
> not assign to the computer, it stubborn in assigning the network
> 172.16.0.0/24  (Management Network).
>
>
> root@packetfence ~]# tailf  /usr/local/pf/logs/packetfence.log
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa:
> httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] handling radius
> autz request: from switch_ip => (172.16.0.50), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (14:18:77:ea:f0:a2), mac =>
> [84:7b:eb:e3:84:42], port => 13, username => "847BEBE38442"
> (pf::radius::authorize)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa:
> httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] Instantiate profile
> default (pf::Connection::ProfileFactory::_from_profile)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa:
> httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] is of status unreg;
> belongs into registration VLAN (pf::role::getRegistrationRole)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa:
> httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added
> VLAN 2 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
>
>
>
> [root@packetfence ~]# tailf  /usr/local/pf/logs/radius.log 
> Jan  2 14:03:10 packetfence auth[31813]: Need 1 more connections
> to reach min connections (3)
> Jan  2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
> additional connection (15), 1 of 62 pending slots used
> Jan  2 14:03:10 packetfence auth[31813]: Need 7 more connections
> to reach 10 spares
> Jan  2 14:03:10 packetfence auth[31813]: rlm_sql (sql): Opening
> additional connection (18), 1 of 61 pending slots used
> Jan  2 14:03:10 packetfence auth[31813]: [mac:84:7b:eb:e3:84:42]
> Accepted user:  and returned VLAN 2
> Jan  2 14:03:10 packetfence auth[31813]: (32) Login OK:
> [847BEBE38442] (from client 172.16.0.50 port 13 cli 84:7b:eb:e3:84:42)
>
>
>
>
> Follow network settings:
>
> [root@packetfence ~]# ifconfig 
> enp0s3: flags=4163  mtu 1500
>         inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
>         inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid
> 0x20
>         ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
>         RX packets 560936  bytes 711890423 (678.9 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 153523  bytes 
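Fabrice's two checks above (does the switch learn the test MAC in the VLAN PacketFence returned, and does the PacketFence port show MACs in the registration and isolation VLANs at all) can be automated from the two artifacts André posted. The Python below is an added example, not code from the thread or from PacketFence; it assumes the Dell-style `show mac address-table` row layout shown in the thread, and the log and table lines embedded in it are constructed, cut down from the ones posted.

```python
"""Constructed diagnostic: does the VLAN PacketFence returned match what the switch learned?

Correlates two things posted in this kind of thread:
  packetfence.log        "[mac:...] (switch) Added VLAN N to the returned RADIUS Access-Accept"
  show mac address-table "N   847B.EBE3.8442   Dynamic   Gi1/0/13"
The sample lines at the bottom are constructed, cut down from the ones posted above.
"""
import re
from typing import Dict, Iterable, Set

PF_ACCEPT_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] \((?P<switch>[\d.]+)\) "
    r"Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept"
)
# Dell/Cisco-style rows: vlan, dotted-quad MAC, type, port. Header and separator rows do not match.
MAC_TABLE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' for dotted, colon-separated or bare hex forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_pf_log(lines: Iterable[str]) -> Dict[str, int]:
    """client MAC -> VLAN PacketFence put in the Access-Accept (last decision wins)."""
    assigned: Dict[str, int] = {}
    for line in lines:
        m = PF_ACCEPT_RE.search(line)
        if m:
            assigned[normalize_mac(m["mac"])] = int(m["vlan"])
    return assigned


def parse_mac_table(lines: Iterable[str]) -> Dict[str, dict]:
    """MAC -> {vlan, type, port} from 'show mac address-table' output."""
    learned: Dict[str, dict] = {}
    for line in lines:
        m = MAC_TABLE_RE.match(line)
        if m:
            learned[normalize_mac(m["mac"])] = {
                "vlan": int(m["vlan"]), "type": m["type"], "port": m["port"]}
    return learned


def find_mismatches(assigned: Dict[str, int], learned: Dict[str, dict]) -> Dict[str, str]:
    """One verdict per MAC PacketFence assigned: ok / wrong vlan / not learned."""
    verdicts = {}
    for mac, vlan in assigned.items():
        entry = learned.get(mac)
        if entry is None:
            verdicts[mac] = "not learned: switch has no entry for this MAC"
        elif entry["vlan"] != vlan:
            verdicts[mac] = (f"wrong vlan: PacketFence returned {vlan}, "
                             f"switch learned it on {entry['vlan']} ({entry['port']})")
        else:
            verdicts[mac] = f"ok: VLAN {vlan} on {entry['port']}"
    return verdicts


def vlans_seen_on_port(learned: Dict[str, dict], port: str) -> Set[int]:
    """VLANs in which the switch has learned at least one MAC on this port."""
    return {e["vlan"] for e in learned.values() if e["port"] == port}


def missing_vlans_on_port(learned: Dict[str, dict], port: str, expected: Iterable[int]) -> Set[int]:
    """Of the VLANs PacketFence should be present in on its trunk port (registration,
    isolation), those in which the switch has learned no MAC yet."""
    return set(expected) - vlans_seen_on_port(learned, port)


PF_LOG = """\
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
""".splitlines()

MAC_TABLE = """\
Vlan     Mac Address           Type        Port
----     -----------           ----        ----
1        0800.2735.FCC4        Dynamic     Gi1/0/11
2        847B.EBE3.8442        Dynamic     Gi1/0/13
""".splitlines()

if __name__ == "__main__":
    learned = parse_mac_table(MAC_TABLE)
    for mac, verdict in find_mismatches(parse_pf_log(PF_LOG), learned).items():
        print(mac, verdict)
    # The PacketFence MAC is seen only in VLAN 1 on Gi1/0/11: registration and
    # isolation VLANs 2 and 3 are not reaching it yet, which is what to check on the switch.
    print("VLANs missing on Gi1/0/11:", sorted(missing_vlans_on_port(learned, "Gi1/0/11", {2, 3})))
```

When the verdict for the test MAC is "ok" but the client still gets a management-network address, the RADIUS and switch side agree and the fault is on the layer 3 side of VLAN 2 (which interface answers DHCP there), which is the direction Fabrice points to.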

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Fabrice Durand via PacketFence-users
I tried to add the DAS parameter directly in the configuration file of
the AP and it works (CoA), but the limitation is that you can enable it
only on one ssid.

https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf

Regards

Fabrice



Le 2017-12-29 à 16:18, Timothy Mullican via PacketFence-users a écrit :
> It may be possible to skip the controller and run the deauthentication
> command on the AP itself, but it is product specific as opposed to the
> controller API, which is cross-product. The UniFi code on PacketFence
> would have to be modified to support this. 
>
> See 
> https://community.ubnt.com/t5/UniFi-Wireless/Issue-manual-kick-sta-command/m-p/1197157/highlight/true#M95831
>
> Sent from mobile phone
>
> On Dec 29, 2017, at 15:12, Timothy Mullican via PacketFence-users wrote:
>
>> I am running UniFi AP 3.9.15.8011 and Controller 5.6.26 (I’m using
>> linuxserver/UniFi docker image on CentOS 7.4). 
>>
>> First, make sure you applied the UniFi patch
>> (see 
>> https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/m-p/2134984/highlight/true#M261219).
>> This enables dynamic VLAN assignment using radius and 802.1x on the
>> PacketFence side. The latest UniFi firmware also allows dynamic vlan
>> assignment using MAC authentication (i.e., guest access). If you have
>> any questions about this let me know and I can help you (also see my
>> earlier thread).
>>
>> If you are using the PacketFence captive portal authentication to
>> assign a user’s VLAN, PacketFence requires the UniFi controller to
>> deauthenticate clients from the AP. If you look at
>>  
>> https://github.com/inverse-inc/packetfence/pull/2735/files#diff-8b99f599546e7710d1df6b776d184569,
>> you can see the deauthentication method used is an HTTPS API call to
>> the controller running the “kick-sta” command on the client MAC
>> address. As you are probably aware, the user must reauthenticate in
>> order to be placed in the correct VLAN after successfully
>> authenticating. PacketFence automates this process in several ways
>> (HTTP/HTTPS, SNMP, Telnet/SSH, RADIUS CoA).
>>
>> As far as I know, the only way to deauthenticate a client on the AP
>> is using the Controller API over HTTPS (no support for CoA yet). If
>> CoA is implemented we should be able to bypass the controller and
>> send direct client RADIUS deauthentication requests to the AP. 
>>
>> If you are using 802.1x without the captive portal, you may be able
>> to get away without relying on the controller, since the VLAN is only
>> assigned once at logon to the AP, but I have not tested this yet. 
>>
>> Fabrice may be able to help if I didn’t explain something correctly
>> above. 
>>
>> Tim
>>
>>>
>>> On Dec 29, 2017, at 12:38, E.P. wrote:
>>>
 Hi Timothy,

 I’m really-really grateful to you and your comments.

 May I ask you what firmware level you run on your Unifi AP ?

 And by the way, just out of curiosity, why we need controller IP
 address in the settings for AP/switch ?

 I thought that the real RADIUS client is the AP and the
 controller’s only job is to push settings including
 WPA-Enterprise/RADIUS to AP

  

 Eugene

  

 *From:*Timothy Mullican [mailto:tjmullic...@yahoo.com]
 *Sent:* Friday, December 29, 2017 9:34 AM
 *To:* packetfence-users@lists.sourceforge.net
 
 *Cc:* E.P.; Fabrice Durand
 *Subject:* Re: [PacketFence-users] Need an advice and maybe
 assistance with FreeRADIUS

  

 Eugene,

  

 Just a thought, but can you change the deauthentication method to
 HTTPS and specify the UniFi controller IP? See my setup below:

  

 https://i.imgsafe.org/0c/0cff2c7f19.png

 https://i.imgsafe.org/0c/0cff2dfd99.png

  

 My UniFi AP is 192.168.20.7

 My UniFi controller is 192.168.20.6

  

 This is my UniFi AP setup:

 https://i.imgsafe.org/05/05bbb5eafe.png

 https://i.imgsafe.org/05/05bbd86ab4.png

  

 Also please make sure you have the latest UniFi AP and controller
 firmware as they were just updated a few days ago. 

  

 See my earlier post on the PacketFence-Users forum if you have
 questions. 

  

 Tim

  

 Sent from mobile phone


 On Dec 29, 2017, at 07:59, Fabrice Durand via PacketFence-users wrote:

 For me it looks like 172.19.254.2 is defined twice.

 Can you do in /usr/local/pf/raddb:

 grep 172.19.254.2 * -r 

 Also can you try to run radiusd in debug mode and see if you