[PacketFence-users] R: R: No client IP update in cluster

2018-01-25 Thread luca comes via PacketFence-users
Hi Fabrice,
I then installed dhcp forwarder on my DHCP and I can see traffic arrive with 
tcpdump. The client IP on the gui has changed but after a long long time. It's 
strange because in a standalone configuration this feature was really quick. Is 
there something else I can check?

Thanks

Luca


From: Durand fabrice via PacketFence-users
Sent: Tuesday, January 23, 2018 03:46
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] R: No client IP update in cluster


Hello Luca,


it's also available for Linux: 
https://github.com/inverse-inc/packetfence-dhcp-forwarder/tree/master/dhcp-forwarder
 so you can install it on each cluster's member.


On 2018-01-22 at 10:34, luca comes via PacketFence-users wrote:
Hi Fabrice,
I'm using a cluster of ISC DHCPD on CentOS 7 so think I can't use your dhcp 
forwarder. I understand is it only for windows isn't it? Anyway I did a test, 
when the client change role it send a dhcp request to the server:

[root@dhcp01 ~]# tail -f /var/log/dhcp/dhcpd.log | grep 00:9c:02:92:ea:b0
Jan 22 12:23:54 dhcp01 dhcpd: DHCPACK to 172.20.251.192 (00:9c:02:92:ea:b0) via ens160
Jan 22 12:24:00 dhcp01 dhcpd: DHCPREQUEST for 172.20.251.192 from 00:9c:02:92:ea:b0 (LAB3-NB) via 192.168.167.1: wrong network.
Jan 22 12:24:00 dhcp01 dhcpd: DHCPNAK on 172.20.251.192 to 00:9c:02:92:ea:b0 via 192.168.167.1
Jan 22 12:24:00 dhcp01 dhcpd: DHCPDISCOVER from 00:9c:02:92:ea:b0 via 192.168.167.1
Jan 22 12:24:01 dhcp01 dhcpd: DHCPOFFER on 192.168.167.190 to 00:9c:02:92:ea:b0 (LAB3-NB) via 192.168.167.1
Jan 22 12:24:01 dhcp01 dhcpd: DHCPREQUEST for 192.168.167.190 (172.27.112.17) from 00:9c:02:92:ea:b0 (LAB3-NB) via 192.168.167.1
Jan 22 12:24:01 dhcp01 dhcpd: DHCPACK on 192.168.167.190 to 00:9c:02:92:ea:b0 (LAB3-NB) via 192.168.167.1

Instead I can't see any packet on the pfdhcplistener for that MAC Address. The 
strange thing is that it is receiving traffic from the DHCP on port 767. At the 
moment I put an helper address on the switch so a copy of the traffic is sent 
directly to the pfdhcplistener and the client IP is updated. It's always showed 
as offline but I don't understand why.
If you didn't install the forwarder , from where do you receive the copy of the 
dhcp traffic on the port 767 ?
Also inline/offline is based on the accounting , not from the dhcp.

Regards
Fabrice


Luca




From: Durand fabrice via PacketFence-users
Sent: Saturday, January 20, 2018 03:21
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] No client IP update in cluster


Hello Lucas,


first use that instead:

https://github.com/inverse-inc/packetfence-dhcp-forwarder


And there is no listening process on UDP 767 but pfdhcplistener capture the 
traffic on 67/68 and 767.

If you tail pfdhcplistener on the server where the vip is , do you see some 
updates from the production dhcp server ?

Also do a capture on the management interface to see if you receive something 
on the port 767. (tshark -i eth0 -f "port 767")


Regards

Fabrice


On 2018-01-18 at 09:43, luca comes via PacketFence-users wrote:
Hi all,
I've migrated my single node infrastructure to a 3 node cluster. At the moment 
I'm testing 802.1x with a Cisco catalyst 2950 and the authentication is working 
fine. I also have in production a wireless guest access with sponsor on Cisco 
WLC that is working really well. Unfortunately I noticed that the client IP 
address is never updated on the nodes page. I have a production DHCP server on 
the same management VLAN with udp_reflector pointing to the new VIP on the 
cluster. With single node the problem wasn't showed and the IP was correctly 
updated after a few seconds. The command I'm using on the DHCP server is:

/usr/local/bin/udp_reflector -s pcap2:67 -d 172.27.17.7:767 -b 25000 &

Where 172.27.17.7 is the VIP exposed by the cluster.

I would expect UDP port 767 on PF nodes in listening but they are not. Is 
something missing in my configuration?

Thanks

Luca





--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users






Re: [PacketFence-users] Read Only Unregistered Nodes

2018-01-25 Thread Jeremy Plumley via PacketFence-users
I'm attempting to setup a custom Admin Role in the webgui under Configuration | 
System Configuration | Admin Access. I cloned Node Manager into a new Admin 
Role called Desktop Node Mgmt. When I try to restrict the "Allowed node 
options" to specific roles my Admin users are unable to register a node that 
has "no role" selected. They show up as read only. My goal is to have two 
groups, one that can approve for any role and one that has restrictions to a 
handful of roles. Hope that makes more sense.

Jeremy Plumley
ITS Network Administrator
Ext 50024

From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, January 25, 2018 9:43 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] Read Only Unregistered Nodes


Hello Jeremy,

i am not sure to understand , you mix device role and administration access 
that is completely different.
Regards
Fabrice
E-Mail correspondence to and from this address may be subject to the North 
Carolina Public Records Law and shall be disclosed to third parties when 
required by the statutes (G.S. 132-1.)


Re: [PacketFence-users] Read Only Unregistered Nodes

2018-01-25 Thread Fabrice Durand via PacketFence-users
can i have your adminroles.conf file ?

Regards

Fabrice



On 2018-01-25 at 09:49, Jeremy Plumley wrote:
>
> I’m attempting to setup a custom Admin Role in the webgui under
> Configuration | System Configuration | Admin Access. I cloned Node
> Manager into a new Admin Role called Desktop Node Mgmt. When I try to
> restrict the “Allowed node options” to specific roles my Admin users
> are unable to register a node that has “no role” selected. They show
> up as read only. My goal is to have two groups, one that can approve
> for any role and one that has restrictions to a handful of roles. Hope
> that makes more sense.
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, January 25, 2018 9:43 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand 
> *Subject:* Re: [PacketFence-users] Read Only Unregistered Nodes
>
>  
>
> Hello Jeremy,
>
> i am not sure to understand , you mix device role and administration
> access that is completely different.
>
> Regards
> Fabrice
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



[PacketFence-users] Re: Image broken in PF status dashboard

2018-01-25 Thread Yan via PacketFence-users
Is there any other dependence besides just run "yum update libdrm" ? This 
command can't save me...

[root@pf-3 script]# yum update libdrm
fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: ftp.cuhk.edu.hk
 * extras: mirrors.cn99.com
 * updates: mirrors.163.com
No packages marked for update
[root@pf-3 script]# rpm -qa |grep libdrm
libdrm-2.4.74-1.el7.x86_64
[root@pf-3 script]# yum list installed | grep graphit
graphite-web.noarch   0.9.16-1.el7     @epel
graphite2.x86_64      1.3.10-1.el7_3   @updates


Re: [PacketFence-users] Re: Image broken in PF status dashboard

2018-01-25 Thread Fabrice Durand via PacketFence-users
yum update libdrm is supposed to fix the issue.



On 2018-01-25 at 09:00, Yan wrote:
> Hi Fabrice,
> It seems to be the same issue you said. The error is as below. I run
> "yum --exclude=collectd* update" but the image is still broken. Is
> there any other way to fix it ?
>
> Python 2.7.5 (default, Nov 20 2015, 02:00:19)
> [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import cairo
> Traceback (most recent call last):
>   File "", line 1, in 
>   File "/usr/lib64/python2.7/site-packages/cairo/__init__.py", line 1,
> in 
>     from _cairo import *
> ImportError: /lib64/libgbm.so.1: undefined symbol: drmGetDevice

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Read Only Unregistered Nodes

2018-01-25 Thread Fabrice Durand via PacketFence-users
Hello Jeremy,

i am not sure to understand , you mix device role and administration
access that is completely different.

Regards
Fabrice

On 2018-01-25 at 08:48, Jeremy Plumley via PacketFence-users wrote:
>
> Wanted to follow up on this and see if there is a way to add “no role”
> access so I can create role limitations for admin users.
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
>  
>
> *From:* Jeremy Plumley via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, January 10, 2018 3:44 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Jeremy Plumley 
> *Subject:* Re: [PacketFence-users] Read Only Unregistered Nodes
>
>  
>
> I found that by removing my select roles limitations and allowed all
> roles it started working again. Seems brand new nodes that show up as
> unregistered start with “no role.” This is what was causing an issue
> and appearing read only. Is there a way to allow “no role” access if
> you decide to restrict node manager roles. Thanks.
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Problem with Certificates

2018-01-25 Thread Fabrice Durand via PacketFence-users
Hello Hubert,

it will be cat server.crt intermediate1.cert intermediate2.crt
server.key > server.pem

Regards
Fabrice

On 2018-01-25 at 08:40, Hubert Kupper via PacketFence-users wrote:
> Hello Fabrice,
>
> thanks. I did: cat server.crt server.key > server.pem. Now packetfence
> starts and the registration page pop up. How can I add the ca chain?
>
> Best regards,
> Hubert
>
> On 25.01.2018 at 03:22, Durand fabrice via PacketFence-users wrote:
>> Hello Hubert,
>>
>> Haproxy terminate the ssl connection , so the certificate must be use
>> by haproxy.
>>
>> Take a look there
>> https://github.com/inverse-inc/packetfence/blob/devel/Makefile#L78 to
>> see how to do it.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2018-01-23 at 00:26, Hubert Kupper via PacketFence-users wrote:
>>> Hello,
>>>
>>> we have the following problem:
>>> We want to replace the packetfence certs with certs from our PKI
>>> provider because the security warnings confuse some of our users. We
>>> copied the certs to /conf/ssl, checked
>>> /conf/httpd.conf.d/ssl-certificates.conf and the hostname in
>>> pf.conf. All seems to be ok. After restarting packetfence the
>>> registration page for the users doesn't pop up. Packetfence.log
>>> shows no entries. When we use the original certs from packetfence,
>>> the registration page pop up and all things are fine. Did we forget
>>> a step when changing the certs?
>>>
>>> Regards,
>>> Hubert
>>>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
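
A way to build and sanity-check the bundle in the order Fabrice gives above (server certificate, intermediates, then key). This is an added example, not part of the original thread or of PacketFence; the function names `build_pem`, `check_pem` and `make_samples` are hypothetical, and the sample PEM files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: assemble an HAProxy-style PEM bundle and check its framing.

# Concatenate PEM files in the order given. Unlike plain `cat`, every input is
# forced to end with a newline, so "-----END ...-----" and the following
# "-----BEGIN ...-----" can never end up fused on one line. The output holds
# the private key, so it is created readable by its owner only.
build_pem() {
    out=$1
    shift
    ( umask 077; : > "$out" ) || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "build_pem: cannot read $f" >&2; return 1; }
        # awk terminates every record, including an unterminated last line;
        # sub() drops the CR of CRLF-encoded files.
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out" || return 1
    done
}

# Structural check: one or more CERTIFICATE blocks first, then exactly one
# private key, with balanced BEGIN/END markers. Prints one line per finding
# and returns non-zero if anything is wrong. It does not verify that the key
# belongs to the certificate or that the chain validates.
check_pem() {
    awk '
        /-----END .*-----BEGIN / {
            print "line " NR ": END and BEGIN markers fused on one line"; bad = 1
        }
        /^-----BEGIN / {
            if (inblk) { print "line " NR ": BEGIN inside an unterminated block"; bad = 1 }
            inblk = 1
            if ($0 ~ / CERTIFICATE-----$/) {
                certs++
                if (keys) { print "line " NR ": certificate placed after the private key"; bad = 1 }
            } else if ($0 ~ / PRIVATE KEY-----$/) {
                keys++
            } else {
                print "line " NR ": unexpected block type"; bad = 1
            }
        }
        /^-----END / {
            if (!inblk) { print "line " NR ": END without matching BEGIN"; bad = 1 }
            inblk = 0
        }
        END {
            if (inblk) { print "last block is not terminated"; bad = 1 }
            if (certs < 1) { print "no certificate found"; bad = 1 }
            if (keys != 1) { print "expected exactly one private key, found " (keys + 0); bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed placeholder files (not real certificates or keys). The server
# certificate is deliberately written without a trailing newline.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----' > "$1/server.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'REVG' '-----END CERTIFICATE-----' > "$1/intermediate1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'R0hJ' '-----END PRIVATE KEY-----' > "$1/server.key"
}

# Demo on the constructed placeholders.
tmp=$(mktemp -d) && make_samples "$tmp" &&
    build_pem "$tmp/server.pem" "$tmp/server.crt" "$tmp/intermediate1.crt" "$tmp/server.key" &&
    check_pem "$tmp/server.pem" && echo "server.pem: order and framing OK"
rm -rf "$tmp"
```

On a real bundle, run `build_pem server.pem server.crt intermediate1.cert intermediate2.crt server.key` followed by `check_pem server.pem`; the check covers ordering and framing only, not whether the key matches the certificate.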




Re: [PacketFence-users] Problem getting Radius MacAuth to work.

2018-01-25 Thread Fabrice Durand via PacketFence-users


On 2018-01-25 at 05:41, Schenkelberg, Martin via PacketFence-users wrote:
>
> Hello all, i hope you can give me a hint of what im doing wrong.
>
>  
>
> We are evaluating to use PacketFence 7.3.0 Zen to authenticate users
> connecting to our lan and wifi infrastructure and to assign them the
> right vlans. (Guest / Productive ….)
>
>  
>
> For Wifi we use a Cisco Wlc and everything works fine.
>
>  
>
> For LAN Access we use different HP / ARUBA Switches.
>
>  
>
> One Switch (Aruba 2530-24g) Works fine with SNMP (Link Up Down)
> unknown users will be redirected to the portal and after login the
> right vlan is assigned to the switch port.
>
You should use 802.1x/mac auth.
>
>  
>
> Now i try to do the same with a HP 5130 Series Switch which is a
> rebranded H3C Switch using Comware OS.
>
>  
>
> I followed the  H3C section of the Network Device Configuration Guide
> to configure my Switch but i´m not able to get it to work.
>
>  
>
> If i plug in Network Device i receive the following log Messages:
>
>  
>
> *Switch Console: *
>
> %Jan 25 11:23:33:305 2018 Testswitch MACA/6/MACA_LOGIN_FAILURE:
> -IfName=GigabitEthernet1/0/1-MACAddr=98e7-f48e-3c2f-VLANId=200-UserName=98e7f48e3c2f-UserNameFormat=MAC
> address; The user failed the MAC address authentication.
>
>  
>
> *Packetfence.log:*
>
> PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(3450) INFO:
> [mac:[undef]] User 98e7f48e3c2f tried to login in 172.20.14.66 but
> authentication failed (pf::radius::switch_access)
>
>  
>
>  
>
> *Radius.log:*
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Closing
> connection (320): Hit idle_timeout, was idle for 68 seconds
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR: Server
> returned:
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR:
> {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication
> failed on PacketFence"}
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections
> to reach 10 spares
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Opening
> additional connection (324), 1 of 58 pending slots used
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Closing
> connection (322): Hit idle_timeout, was idle for 68 seconds
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections
> to reach 10 spares
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Opening
> additional connection (326), 1 of 58 pending slots used
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: [mac:98-E7-F4-8E-3C-2F]
> Rejected user: 98e7f48e3c2f
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) Rejected in
> post-auth: [98e7f48e3c2f] (from client 172.20.14.66 port 16781512 cli
> 98-E7-F4-8E-3C-2F)
>
>  
>
>  
>
> *Radius Debug Log: (There is an Error 500 inside regarding REST)*
>
> * *
>
> [root@PacketFence-ZEN radius]# raddebug -f
> /usr/local/pf/var/run/radiusd.sock -t 300
>
> (76) Thu Jan 25 08:28:15 2018: Debug: Received Access-Request Id 160
> from 172.20.14.66:39936 to 172.20.1.230:1812 length 166
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   User-Name = "98e7f48e3c2f"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   User-Password = "98e7f48e3c2f"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Service-Type = Call-Check
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Identifier = "Testswitch"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port = 16781512
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Type = Ethernet
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Calling-Station-Id =
> "98-E7-F4-8E-3C-2F"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Called-Station-Id =
> "5C-8A-38-D8-B7-45"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Id =
> "slot=1;subslot=0;port=1;vlanid=200"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-IP-Address = 172.20.14.66
>
> (76) Thu Jan 25 08:28:15 2018: Debug: # Executing section authorize
> from file /usr/local/pf/raddb/sites-enabled/packetfence
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   authorize {
>
> (76) Thu Jan 25 08:28:15 2018: Debug: update {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   EXPAND
> %{Packet-Src-IP-Address}
>
> (76) Thu Jan 25 08:28:15 2018: Debug:  --> 172.20.14.66
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   EXPAND %l
>
> (76) Thu Jan 25 08:28:15 2018: Debug:  --> 1516868895
>
> (76) Thu Jan 25 08:28:15 2018: Debug: } # update = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug: policy
> rewrite_calling_station_id {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   if ( &&
> ( =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   if ( &&
> ( =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>  
> -> FALSE
>
This is not normal, the regexp is supposed to match !! do 

[PacketFence-users] Re: Image broken in PF status dashboard

2018-01-25 Thread Yan via PacketFence-users
Hi Fabrice,
It seems to be the same issue you said. The error is as below. I run "yum 
--exclude=collectd* update" but the image is still broken. Is there any other 
way to fix it ?


Python 2.7.5 (default, Nov 20 2015, 02:00:19)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cairo
Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib64/python2.7/site-packages/cairo/__init__.py", line 1, in 

from _cairo import *
ImportError: /lib64/libgbm.so.1: undefined symbol: drmGetDevice


Re: [PacketFence-users] Problem with Certificates

2018-01-25 Thread Hubert Kupper via PacketFence-users

Hello Fabrice,

thanks. I did: cat server.crt server.key > server.pem. Now packetfence 
starts and the registration page pop up. How can I add the ca chain?


Best regards,
Hubert

On 25.01.2018 at 03:22, Durand fabrice via PacketFence-users wrote:

Hello Hubert,

Haproxy terminate the ssl connection , so the certificate must be use 
by haproxy.


Take a look there 
https://github.com/inverse-inc/packetfence/blob/devel/Makefile#L78 to 
see how to do it.


Regards

Fabrice



On 2018-01-23 at 00:26, Hubert Kupper via PacketFence-users wrote:

Hello,

we have the following problem:
We want to replace the packetfence certs with certs from our PKI 
provider because the security warnings confuse some of our users. We 
copied the certs to /conf/ssl, checked 
/conf/httpd.conf.d/ssl-certificates.conf and the hostname in pf.conf. 
All seems to be ok. After restarting packetfence the registration 
page for the users doesn't pop up. Packetfence.log shows no entries. 
When we use the original certs from packetfence, the registration 
page pop up and all things are fine. Did we forget a step when 
changing the certs?


Regards,
Hubert



Re: [PacketFence-users] Read Only Unregistered Nodes

2018-01-25 Thread Jeremy Plumley via PacketFence-users
Wanted to follow up on this and see if there is a way to add "no role" access 
so I can create role limitations for admin users.

Jeremy Plumley
ITS Network Administrator
Ext 50024

From: Jeremy Plumley via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, January 10, 2018 3:44 PM
To: packetfence-users@lists.sourceforge.net
Cc: Jeremy Plumley 
Subject: Re: [PacketFence-users] Read Only Unregistered Nodes

I found that by removing my select roles limitations and allowed all roles it 
started working again. Seems brand new nodes that show up as unregistered start 
with "no role." This is what was causing an issue and appearing read only. Is 
there a way to allow "no role" access if you decide to restrict node manager 
roles. Thanks.

Jeremy Plumley
ITS Network Administrator
Ext 50024


Re: [PacketFence-users] Number of devices to connect to the network

2018-01-25 Thread Fabrice Durand via PacketFence-users


On 2018-01-25 at 04:04, E.P. wrote:
>
> One more stupid question from me, Fabrice, regarding the same subject :)
>
> How is the role assigned to the user session?
>
It's with the source's rules, like you did with the staff role.
Let's say you hit the portal then fill b...@options.bc.ca and use the AD
source to authenticate then if a rule match then it will assign a role
and an access duration.
>
> I don’t see it in the debugs output but I see it in the results of the
> pftest like I showed it before
>
> Am I supposed to see it the RADIUS reply message or somewhere in the
> debug outputs ?
>
In radius you will see the vlan id of the staff role.
A source assign a role and an access duration, a switch configuration
will convert the role to a vlan id (role tab in switch config).

> Still trying to implement the limitation of devices that the staff
> user is supposed to connect.
>
>  
>
>  
>
> And finally, when will the node become registered ? As far as I
> understand it doesn’t have anything to do with a user that owns it and
> successfully authenticates using dot1x supplicant?
>
> Just wondering if we can have hosts/nodes registered after VLAN
> assignment to dot1x session ?
>
Create a connection profile with a filter SSID = secure ssid and check
autoregister 802.1x then add your AD source in the connection profile.
It will autoreg your device and assign the role that the rule of your AD
source returned.
Regards
Fabrice

>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Friday, January 19, 2018 6:05 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Number of devices to connect to the
> network
>
>  
>
> In your AD authentication source, create a rule that match a staff
> group and assign the staff role and an access duration. (memberof
> equal cn=staff,dc=...)
>
> Regards
>
> Fabrice
>
>  
>
> On 2018-01-17 at 01:07, E.P. wrote:
>
> Great!
>
> That confirms my train of thought. But it is still not clear to me
> how will it affect the user that authenticates against AD.
>
> Yes, I have created a new role, called “staff” and yes, I have set
> a limit of 2 devices for this role.
>
> Then, the end-user just connects to SSID, authenticates and gets
> on the network. How would I assign the user to the “staff” role?
>
> Is this where provisioners come to help ?
>
>  
>
> Eugene
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, January 16, 2018 6:42 AM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Number of devices to connect to
> the network
>
>  
>
> Hello Eugene,
>
> this is exactly where you have to control that.
>
> So just set a limit on the roles where you want to limit the
> number of devices per users.
>
> Regards
>
> Fabrice
>
>  
>
> On 2018-01-16 at 02:01, E.P. via PacketFence-users wrote:
>
> It sounds close to the number of devices/nodes a user can
> register which is configurable under Configuration-Policies
> and access control-Roles, but we don’t allow this luxury to
> anyone yet. Just regular network admission control based on
> the active AD account
>
>  
>
> *From:*E.P. [mailto:ype...@gmail.com]
> *Sent:* Monday, January 15, 2018 10:54 PM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Subject:* Number of devices to connect to the network
>
>  
>
> Guys,
>
> We are still at the early phases of PF deployment and only now
> looking into AD based authentication for wireless devices
>
> Is there any way to limit the number of user devices that can
> be connected by one user?
>
> Let’s say the user uses his/her laptop and roams around remote
> sites where we provide WiFi with WPA2-Enterprise and we also
> allow him/her use the phone (iPhone/Android). No more devices
> to connect
>
>  
>
> Eugene
>
>  
>
>  
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] NULL realm

2018-01-25 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

in fact the REALM is used in 2 cases, if you add the option STRIP in the
realm config and restart radius then you will see that radius will strip it.

When you assign a REALM to a domain then if the realm match then it will
use the domain you define (options.bc.ca -> use AD OPTIONS) in
freeradius to do ntlm_auth.

Next you can associate realm to a authentication source, so if you
created a connection with multiples sources then if you fill the
username with b...@options.bc.ca then the first source with options.bc.ca
enabled will be used. (same if you do autoreg 802.1x).

So in your case because there is just one AD you can just assign the
DEFAULT realm to your AD domain.


Regards

Fabrice




On 2018-01-25 at 03:49, E.P. wrote:
>
> Thanks, Fabrice.
>
> Found it and deleted NULL realm from this file and it is gone from the
> webpage.
>
> But essentially this is not what I wanted to achieve.
>
> And perhaps there’s something I don’t understand.
>
> I thought that without the NULL realm the processing of realms will
> skip it and it will match my realm – options.bc.ca which is in the end
> of the list of realms.
>
> Still, if I authenticate as it.tech and I see in the debug of radius
> that it uses NULL realm.
>
> If I authenticate as it.t...@options.bc.ca
>  I see that correct realm use.
>
> But both authentication attempts go through. What the use of
> options.bc.ca realm then ?
>
> It looks like with only one AD in our organization we may easily
> disregard it ?
>
>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, January 24, 2018 6:34 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] NULL realm
>
>  
>
> Hello Eugene,
>
> the NULL realm is located in realm.conf.defaults
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2018-01-23 at 14:14, E.P. via PacketFence-users wrote:
>
> Guys,
>
> I wonder if I can make PF bypass NULL realm processing?
>
> The reason is that we want to use only the user ID in the username
> field.
>
> If we use like this then the authentication attempt hits NULL realm.
>
> I tried to remove it from PF GUI but it still stays there.
>
> Interesting that it is not listed in the realm.conf file
>
>  
>
> ++
>
> [root]@[PacketFence-ZEN conf]#cat realm.conf
>
> [DEFAULT]
>
> domain=optionsas
>
> options=strip
>
>  
>
> [options]
>
> domain=optionsad
>
>  
>
> [options.bc.ca]
>
> domain=optionsad
>
> +
>
>  
>
> Eugene
>
>
>
>
> 
>
>  
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Number of devices to connect to the network

2018-01-25 Thread Fabrice Durand via PacketFence-users
OK, in this case file an issue on GitHub:
https://github.com/inverse-inc/packetfence/issues


Le 2018-01-25 à 03:02, E.P. a écrit :
>
> Three different ones ;)
>
> IE 11, Firefox and Chrome.
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Wednesday, January 24, 2018 6:25 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Number of devices to connect to the
> network
>
>  
>
> Weird, I am not able to reproduce it, which browser are you using?
>
> Fabrice
>
>  
>
> Le 2018-01-23 à 03:10, E.P. a écrit :
>
> I figured it out, Fabrice. Thanks for the ldapsearch tool guidance
> but it was my haste as usual ;)
>
> I set “Matches” parameter to “All” and it turned out that the
> reply for the query against AD returned a membership in more than
> one group.
>
> And of course this condition didn’t evaluate as true. I changed it
> to “Any” and it is all good .
>
>  
>
> I guess Administration rule is not very important here but I found
> that the value for the “Access level” doesn’t show and I tried it
> in two different browsers:
>
>  
>
>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Monday, January 22, 2018 6:59 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> 
> *Subject:* Re: [PacketFence-users] Number of devices to connect to
> the network
>
>  
>
> Hello Eugene,
>
> Use adsiedit.msc on the AD in order to have a ldap view of your AD
> and check the exact attribute/values.
>
> On my side i use ldapsearch to fix that sort of issue
> 
> (http://www.vinidox.com/ldap/querying-an-ldap-server-from-the-command-line-with-ldap-utils-ldapsearch-ldapadd-ldapmodify/)
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> Le 2018-01-22 à 16:54, E.P. a écrit :
>
> I’m observing a weird behavior while doing it, Fabrice.
>
> I did create a rule that should match for just one condition,
> i.e. memberOf
>
>  
>
>  
>
> The user I’m authenticating does belong to Users CN in AD and
> I can authenticate normally, here’s the output of pftest
> authentication it.tech XXX command
>
>  
>
>  
>
> But for some reason rules are not matched. I even tried to set
> the condition to distingishedName with value taken from AD
>
>  
>
>  
>
> To be like this
>
>  
>
>  
>
>  
>
> What bothers me is that I don’t see any LDAP related details
> coming from AD server while debugging radius and
> authenticating as it.tech user.
>
> Could it be the source of the problem ?
>
>  
>
> Eugene
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Friday, January 19, 2018 6:05 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> 
> *Subject:* Re: [PacketFence-users] Number of devices to
> connect to the network
>
>  
>
> In your AD authentication source, create a rule that match a
> staff group and assign the staff role and an access duration.
> (memberof equal cn=staff,dc=...)
>
> Regards
>
> Fabrice
>
>  
>
>  
>
>  
>
> Le 2018-01-17 à 01:07, E.P. a écrit :
>
> Great!
>
> That confirms my train of thought. But it is still not
> clear to me how will it affect the user that authenticates
> against AD.
>
> Yes, I have created a new role, called “staff” and yes, I
> have set a limit of 2 devices for this role.
>
> Then, the end-user just connects to SSID, authenticates
> and gets on the network. How would I assign the user to
> the “staff” role?
>
> Is this where provisioners come to help ?
>
>  
>
> Eugene
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, January 16, 2018 6:42 AM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Number of devices to
> connect to the network
>
>  
>
> Hello Eugene,
>
> this is exactly where you have to control that.
>
> So just set a limit on the roles where you want to limit
> the number of devices per users.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> Le 2018-01-16 à 02:01, E.P. via PacketFence-users a écrit :
>
> It 

Re: [PacketFence-users] Problem getting Radius MacAuth to work.

2018-01-25 Thread Morgan, Darren via PacketFence-users
Hi Martin,
We use those switches and I think it could be a problem with the port config.  
Here's ours;

interface GigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 60 untagged
port hybrid pvid vlan 60
mac-vlan enable
broadcast-suppression pps 3000
stp edged-port
lldp compliance admin-status cdp txrx
poe enable
undo dot1x handshake
dot1x mandatory-domain packetfence
dot1x max-user 3
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x guest-vlan 60
mac-authentication guest-vlan 60
port-security max-mac-count 3
port-security port-mode mac-else-userlogin-secure
loopback-detection enable vlan 1 to 4094
 loopback-detection action shutdown
dhcp snooping information enable

Our VLAN 60 is the registration VLAN and it looks like your VLAN 200 is your 
guest VLAN - Try changing it to your registration VLAN (10)

Hope this helps.

Darren Morgan
Systems Manager
Oundle School
Tel: 01832 277349



From: Schenkelberg, Martin via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 25 January 2018 10:41
To: 'PacketFence-users@lists.sourceforge.net' 

Cc: Schenkelberg, Martin 
Subject: [PacketFence-users] Problem getting Radius MacAuth to work.

Hello all, I hope you can give me a hint of what I'm doing wrong.

We are evaluating to use PacketFence 7.3.0 Zen to authenticate users connecting 
to our LAN and WiFi infrastructure and to assign them the right VLANs (Guest / 
Productive).

For WiFi we use a Cisco WLC and everything works fine.

For LAN access we use different HP / Aruba switches.

One switch (Aruba 2530-24g) works fine with SNMP (Link Up Down): unknown users 
will be redirected to the portal and after login the right VLAN is assigned to 
the switch port.

Now I try to do the same with an HP 5130 Series switch, which is a rebranded H3C 
switch using Comware OS.

I followed the H3C section of the Network Device Configuration Guide to 
configure my switch but I'm not able to get it to work.

If I plug in a network device I receive the following log messages:

Switch Console:
%Jan 25 11:23:33:305 2018 Testswitch MACA/6/MACA_LOGIN_FAILURE: -IfName=GigabitEthernet1/0/1-MACAddr=98e7-f48e-3c2f-VLANId=200-UserName=98e7f48e3c2f-UserNameFormat=MAC address; The user failed the MAC address authentication.

Packetfence.log:
PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(3450) INFO: [mac:[undef]] User 98e7f48e3c2f tried to login in 172.20.14.66 but authentication failed (pf::radius::switch_access)


Radius.log:
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Closing connection (320): Hit idle_timeout, was idle for 68 seconds
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR: Server returned:
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections to reach 10 spares
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Opening additional connection (324), 1 of 58 pending slots used
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Closing connection (322): Hit idle_timeout, was idle for 68 seconds
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections to reach 10 spares
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Opening additional connection (326), 1 of 58 pending slots used
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: [mac:98-E7-F4-8E-3C-2F] Rejected user: 98e7f48e3c2f
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) Rejected in post-auth: [98e7f48e3c2f] (from client 172.20.14.66 port 16781512 cli 98-E7-F4-8E-3C-2F)


Radius Debug Log: (There is an Error 500 inside regarding REST)

[root@PacketFence-ZEN radius]# raddebug -f /usr/local/pf/var/run/radiusd.sock -t 300
(76) Thu Jan 25 08:28:15 2018: Debug: Received Access-Request Id 160 from 172.20.14.66:39936 to 172.20.1.230:1812 length 166
(76) Thu Jan 25 08:28:15 2018: Debug:   User-Name = "98e7f48e3c2f"
(76) Thu Jan 25 08:28:15 2018: Debug:   User-Password = "98e7f48e3c2f"
(76) Thu Jan 25 08:28:15 2018: Debug:   Service-Type = Call-Check
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Identifier = "Testswitch"
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port = 16781512
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Type = Ethernet
(76) Thu Jan 25 08:28:15 2018: Debug:   Calling-Station-Id = "98-E7-F4-8E-3C-2F"
(76) Thu Jan 25 08:28:15 2018: Debug:   Called-Station-Id = "5C-8A-38-D8-B7-45"
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Id = "slot=1;subslot=0;port=1;vlanid=200"
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-IP-Address = 172.20.14.66
(76) Thu Jan 25 08:28:15 2018: Debug: # Executing section authorize from file 

[PacketFence-users] Problem getting Radius MacAuth to work.

2018-01-25 Thread Schenkelberg, Martin via PacketFence-users
Hello all, I hope you can give me a hint of what I'm doing wrong.

We are evaluating to use PacketFence 7.3.0 Zen to authenticate users connecting 
to our LAN and WiFi infrastructure and to assign them the right VLANs (Guest / 
Productive).

For WiFi we use a Cisco WLC and everything works fine.

For LAN access we use different HP / Aruba switches.

One switch (Aruba 2530-24g) works fine with SNMP (Link Up Down): unknown users 
will be redirected to the portal and after login the right VLAN is assigned to 
the switch port.

Now I try to do the same with an HP 5130 Series switch, which is a rebranded H3C 
switch using Comware OS.

I followed the H3C section of the Network Device Configuration Guide to 
configure my switch but I'm not able to get it to work.

If I plug in a network device I receive the following log messages:

Switch Console:
%Jan 25 11:23:33:305 2018 Testswitch MACA/6/MACA_LOGIN_FAILURE: -IfName=GigabitEthernet1/0/1-MACAddr=98e7-f48e-3c2f-VLANId=200-UserName=98e7f48e3c2f-UserNameFormat=MAC address; The user failed the MAC address authentication.

Packetfence.log:
PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(3450) INFO: [mac:[undef]] User 98e7f48e3c2f tried to login in 172.20.14.66 but authentication failed (pf::radius::switch_access)


Radius.log:
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Closing connection (320): Hit idle_timeout, was idle for 68 seconds
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR: Server returned:
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections to reach 10 spares
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Opening additional connection (324), 1 of 58 pending slots used
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Closing connection (322): Hit idle_timeout, was idle for 68 seconds
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections to reach 10 spares
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Opening additional connection (326), 1 of 58 pending slots used
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: [mac:98-E7-F4-8E-3C-2F] Rejected user: 98e7f48e3c2f
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) Rejected in post-auth: [98e7f48e3c2f] (from client 172.20.14.66 port 16781512 cli 98-E7-F4-8E-3C-2F)


Radius Debug Log: (There is an Error 500 inside regarding REST)

[root@PacketFence-ZEN radius]# raddebug -f /usr/local/pf/var/run/radiusd.sock -t 300
(76) Thu Jan 25 08:28:15 2018: Debug: Received Access-Request Id 160 from 172.20.14.66:39936 to 172.20.1.230:1812 length 166
(76) Thu Jan 25 08:28:15 2018: Debug:   User-Name = "98e7f48e3c2f"
(76) Thu Jan 25 08:28:15 2018: Debug:   User-Password = "98e7f48e3c2f"
(76) Thu Jan 25 08:28:15 2018: Debug:   Service-Type = Call-Check
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Identifier = "Testswitch"
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port = 16781512
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Type = Ethernet
(76) Thu Jan 25 08:28:15 2018: Debug:   Calling-Station-Id = "98-E7-F4-8E-3C-2F"
(76) Thu Jan 25 08:28:15 2018: Debug:   Called-Station-Id = "5C-8A-38-D8-B7-45"
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Id = "slot=1;subslot=0;port=1;vlanid=200"
(76) Thu Jan 25 08:28:15 2018: Debug:   NAS-IP-Address = 172.20.14.66
(76) Thu Jan 25 08:28:15 2018: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(76) Thu Jan 25 08:28:15 2018: Debug:   authorize {
(76) Thu Jan 25 08:28:15 2018: Debug: update {
(76) Thu Jan 25 08:28:15 2018: Debug:   EXPAND %{Packet-Src-IP-Address}
(76) Thu Jan 25 08:28:15 2018: Debug:  --> 172.20.14.66
(76) Thu Jan 25 08:28:15 2018: Debug:   EXPAND %l
(76) Thu Jan 25 08:28:15 2018: Debug:  --> 1516868895
(76) Thu Jan 25 08:28:15 2018: Debug: } # update = noop
(76) Thu Jan 25 08:28:15 2018: Debug: policy rewrite_calling_station_id {
(76) Thu Jan 25 08:28:15 2018: Debug:   if ( && ( =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(76) Thu Jan 25 08:28:15 2018: Debug:   if ( && ( =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug:   else {
(76) Thu Jan 25 08:28:15 2018: Debug: [noop] = noop
(76) Thu Jan 25 08:28:15 2018: Debug:   } # else = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy rewrite_calling_station_id = noop
(76) Thu Jan 25 08:28:15 2018: Debug: policy rewrite_called_station_id {
(76) Thu Jan 25 08:28:15 2018: Debug:   if (() && ( =~ 
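
The logs in the message above spell the same station address three ways (`98e7-f48e-3c2f` on the switch console, `98e7f48e3c2f` as the RADIUS user name, `98-E7-F4-8E-3C-2F` as Calling-Station-Id). The following added example, which is not part of the original post and is not PacketFence code, normalizes them with the six-pair pattern printed in the `rewrite_calling_station_id` debug output and groups the failure lines per device. The function names and the lines marked as constructed are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Six hex pairs with at most one non-hex separator between pairs: the pattern
# printed in the rewrite_calling_station_id debug output in the message above.
PAIRWISE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
    r"[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for any spelling seen in the logs, else None."""
    match = PAIRWISE.match(value.strip())
    return ":".join(pair.lower() for pair in match.groups()) if match else None


# One pattern per log source (hypothetical names); "mac" is the address field.
EXTRACTORS = {
    "switch": re.compile(
        r"MACA_LOGIN_FAILURE:\s*-IfName=(?P<port>\S+?)"
        r"-MACAddr=(?P<mac>[0-9a-f]{4}(?:-[0-9a-f]{4}){2})-VLANId=(?P<vlan>\d+)",
        re.IGNORECASE),
    "packetfence": re.compile(
        r"\[mac:(?P<context>\[undef\]|[^\]]*)\] User (?P<mac>\S+) "
        r"tried to login in (?P<nas>\S+) but authentication failed"),
    "radius": re.compile(
        r"Rejected in post-auth: \[(?P<user>[^\]]*)\] "
        r"\(from client (?P<nas>\S+) port (?P<nas_port>\d+) cli (?P<mac>[^)\s]+)\)"),
}


def parse_line(line):
    """Return (mac, source, fields) for a failure line, or None if not one."""
    for source, pattern in EXTRACTORS.items():
        match = pattern.search(line)
        if match:
            fields = match.groupdict()
            mac = normalize_mac(fields.pop("mac"))
            # A non-MAC user name (an 802.1X login, say) is not a MAC-auth event.
            return (mac, source, fields) if mac else None
    return None


def correlate(lines):
    """Group failure events from all three logs by normalized MAC address."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            mac, source, fields = parsed
            groups[mac].append((source, fields))
    return dict(groups)


def summarize(groups):
    """Per device: which logs saw the failure, from which NAS, in which VLAN."""
    report = {}
    for mac, events in groups.items():
        sources = sorted({source for source, _ in events})
        report[mac] = {
            "sources": sources,
            "nas": sorted({f["nas"] for _, f in events if "nas" in f}),
            "vlans": sorted({f["vlan"] for _, f in events if "vlan" in f}),
            "complete": sources == sorted(EXTRACTORS),
        }
    return report


SAMPLE_LINES = [
    # Copied from the message above, with the e-mail line wrapping undone.
    "%Jan 25 11:23:33:305 2018 Testswitch MACA/6/MACA_LOGIN_FAILURE: "
    "-IfName=GigabitEthernet1/0/1-MACAddr=98e7-f48e-3c2f-VLANId=200"
    "-UserName=98e7f48e3c2f-UserNameFormat=MAC address; "
    "The user failed the MAC address authentication.",
    "PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(3450) INFO: [mac:[undef]] "
    "User 98e7f48e3c2f tried to login in 172.20.14.66 but authentication failed "
    "(pf::radius::switch_access)",
    "Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) Rejected in post-auth: "
    "[98e7f48e3c2f] (from client 172.20.14.66 port 16781512 cli 98-E7-F4-8E-3C-2F)",
    "Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections to "
    "reach 10 spares",
    # Constructed lines: a second device seen only by RADIUS, and a login whose
    # user name is not a MAC address.
    "Jan 25 10:27:02 PacketFence-ZEN auth[23436]: (317) Rejected in post-auth: "
    "[001122334455] (from client 172.20.14.66 port 16781513 cli 00-11-22-33-44-55)",
    "PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(3450) INFO: [mac:[undef]] "
    "User jdoe tried to login in 172.20.14.66 but authentication failed "
    "(pf::radius::switch_access)",
]

if __name__ == "__main__":
    for mac, info in summarize(correlate(SAMPLE_LINES)).items():
        print(mac, info)
```

A device whose `complete` flag is true was rejected at the switch, in packetfence.log and in radius.log, so the failure can be followed across all three logs by one key.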

Re: [PacketFence-users] Number of devices to connect to the network

2018-01-25 Thread E.P. via PacketFence-users
Three different ones ;)

IE 11, Firefox and Chrome.

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Wednesday, January 24, 2018 6:25 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

Weird, I am not able to reproduce it, which browser are you using?

Fabrice

 

Le 2018-01-23 à 03:10, E.P. a écrit :

I figured it out, Fabrice. Thanks for the ldapsearch tool guidance but it
was my haste as usual ;)

I set “Matches” parameter to “All” and it turned out that the reply for the
query against AD returned a membership in more than one group.

And of course this condition didn’t evaluate as true. I changed it to “Any”
and it is all good .

 

I guess Administration rule is not very important here but I found that the
value for the “Access level” doesn’t show and I tried it in two different
browsers:

 



 

Eugene

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Monday, January 22, 2018 6:59 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

Hello Eugene,

Use adsiedit.msc on the AD in order to have a ldap view of your AD and check
the exact attribute/values.

On my side i use ldapsearch to fix that sort of issue
(http://www.vinidox.com/ldap/querying-an-ldap-server-from-the-command-line-with-ldap-utils-ldapsearch-ldapadd-ldapmodify/)

Regards

Fabrice

 

 

Le 2018-01-22 à 16:54, E.P. a écrit :

I’m observing a weird behavior while doing it, Fabrice.

I did create a rule that should match for just one condition, i.e. memberOf

 



 

The user I’m authenticating does belong to Users CN in AD and I can
authenticate normally, here’s the output of pftest authentication it.tech
XXX command

 



 

But for some reason rules are not matched. I even tried to set the condition
to distingishedName with value taken from AD

 



 

To be like this

 



 

 

What bothers me is that I don’t see any LDAP related details coming from AD
server while debugging radius and authenticating as it.tech user.

Could it be the source of the problem ?

 

Eugene

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Friday, January 19, 2018 6:05 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

In your AD authentication source, create a rule that match a staff group and
assign the staff role and an access duration. (memberof equal
cn=staff,dc=...)

Regards

Fabrice

 

 

 

Le 2018-01-17 à 01:07, E.P. a écrit :

Great!

That confirms my train of thought. But it is still not clear to me how will
it affect the user that authenticates against AD.

Yes, I have created a new role, called “staff” and yes, I have set a limit
of 2 devices for this role. 

Then, the end-user just connects to SSID, authenticates and gets on the
network. How would I assign the user to the “staff” role?

Is this where provisioners come to help ?

 

Eugene

 

From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Tuesday, January 16, 2018 6:42 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

Hello Eugene,

this is exactly where you have to control that.

So just set a limit on the roles where you want to limit the number of
devices per users.

Regards

Fabrice

 

 

Le 2018-01-16 à 02:01, E.P. via PacketFence-users a écrit :

It sounds close to the number of devices/nodes a user can register which is
configurable under Configuration-Policies and access control-Roles, but we
don’t allow this luxury to anyone yet. Just regular network admission
control based on the active AD account

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Monday, January 15, 2018 10:54 PM
To: packetfence-users@lists.sourceforge.net
Subject: Number of devices to connect to the network

 

Guys,

We are still at the early phases of PF deployment and only now looking into
AD based authentication for wireless devices

Is there any way to limit the number of user devices that can be connected
by one user?

Let’s say the user uses his/her laptop and roams around remote sites where
we provide WiFi with WPA2-Enterprise and we also allow him/her use the phone
(iPhone/Android). No more devices to connect

 

Eugene

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence

[PacketFence-users] ?????? Image broken in PF status dashboard

2018-01-25 Thread Yan via PacketFence-users
Hi Fabrice,


Below attached is error detail. Any solution on this ?
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 99, in get_response
    resolver_match = resolver.resolve(request.path_info)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
    sub_match = pattern.resolve(new_path)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
    sub_match = pattern.resolve(new_path)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 223, in resolve
    return ResolverMatch(self.callback, args, kwargs, self.name)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 230, in callback
    self._callback = get_callable(self._callback_str)
  File "/usr/lib/python2.7/site-packages/django/utils/functional.py", line 32, in wrapper
    result = func(*args)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 97, in get_callable
    mod = import_module(mod_name)
  File "/usr/lib/python2.7/site-packages/django/utils/importlib.py", line 40, in import_module
    __import__(name)
  File "/usr/lib/python2.7/site-packages/graphite/render/views.py", line 34, in <module>
    from graphite.render.evaluator import evaluateTarget, extractPathExpressions
  File "/usr/lib/python2.7/site-packages/graphite/render/evaluator.py", line 72, in <module>
    from graphite.render.functions import SeriesFunctions,NormalizeEmptyResultError
  File "/usr/lib/python2.7/site-packages/graphite/render/functions.py", line 34, in <module>
    from graphite.render.glyph import format_units
  File "/usr/lib/python2.7/site-packages/graphite/render/glyph.py", line 20, in <module>
    import cairocffi as cairo
ImportError: No module named cairocffi

After I run "pip install cairocffi" and "pip install constants" the issue is still there.

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 99, in get_response
    resolver_match = resolver.resolve(request.path_info)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
    sub_match = pattern.resolve(new_path)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
    sub_match = pattern.resolve(new_path)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 223, in resolve
    return ResolverMatch(self.callback, args, kwargs, self.name)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 230, in callback
    self._callback = get_callable(self._callback_str)
  File "/usr/lib/python2.7/site-packages/django/utils/functional.py", line 32, in wrapper
    result = func(*args)
  File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 97, in get_callable
    mod = import_module(mod_name)
  File "/usr/lib/python2.7/site-packages/django/utils/importlib.py", line 40, in import_module
    __import__(name)
  File "/usr/lib/python2.7/site-packages/graphite/render/views.py", line 34, in <module>
    from graphite.render.evaluator import evaluateTarget, extractPathExpressions
  File "/usr/lib/python2.7/site-packages/graphite/render/evaluator.py", line 72, in <module>
    from graphite.render.functions import SeriesFunctions,NormalizeEmptyResultError
  File "/usr/lib/python2.7/site-packages/graphite/render/functions.py", line 34, in <module>
    from graphite.render.glyph import format_units
  File "/usr/lib/python2.7/site-packages/graphite/render/glyph.py", line 20, in <module>
    import cairocffi as cairo
  File "/usr/lib/python2.7/site-packages/cairocffi/__init__.py", line 16, in <module>
    from . import constants
ImportError: cannot import name constants


Re: [PacketFence-users] NULL realm

2018-01-25 Thread E.P. via PacketFence-users
Thanks, Fabrice.

Found it and deleted NULL realm from this file and it is gone from the
webpage.

But essentially this is not what I wanted to achieve.

And perhaps there’s something I don’t understand.

I thought that without the NULL realm the processing of realms will skip it
and it will match my realm – options.bc.ca which is in the end of the list
of realms.

Still, if I authenticate as it.tech and I see in the debug of radius that it
uses NULL realm.

If I authenticate as it.t...@options.bc.ca I see that correct realm use.

But both authentication attempts go through. What the use of options.bc.ca
realm then ?

It looks like with only one AD in our organization we may easily disregard
it ?

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Wednesday, January 24, 2018 6:34 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] NULL realm

 

Hello Eugene,

the NULL realm is located in realm.conf.defaults

Regards

Fabrice

 

 

Le 2018-01-23 à 14:14, E.P. via PacketFence-users a écrit :

Guys,

I wonder if I can make PF bypass NULL realm processing?

The reason is that we want to use only the user ID in the username field.

If we use like this then the authentication attempt hits NULL realm.

I tried to remove it from PF GUI but it still stays there.

Interesting that it is not listed in the realm.conf file

 

++

[root]@[PacketFence-ZEN conf]#cat realm.conf

[DEFAULT]

domain=optionsas

options=strip

 

[options]

domain=optionsad

 

[options.bc.ca]

domain=optionsad

+

 

Eugene


Re: [PacketFence-users] Number of devices to connect to the network

2018-01-25 Thread E.P. via PacketFence-users
One more stupid question from me, Fabrice, regarding the same subject :)

How is the role assigned to the user session?

I don’t see it in the debugs output but I see it in the results of the
pftest like I showed it before

Am I supposed to see it in the RADIUS reply message or somewhere in the debug
outputs?

Still trying to implement the limitation of devices that the staff user is
supposed to connect.

 



 

And finally, when will the node become registered ? As far as I understand
it doesn’t have anything to do with a user that owns it and successfully
authenticates using dot1x supplicant?

Just wondering if we can have hosts/nodes registered after VLAN assignment
to dot1x session ?

 

Eugene

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Friday, January 19, 2018 6:05 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

In your AD authentication source, create a rule that match a staff group and
assign the staff role and an access duration. (memberof equal
cn=staff,dc=...)

Regards

Fabrice

 

Le 2018-01-17 à 01:07, E.P. a écrit :

Great!

That confirms my train of thought. But it is still not clear to me how will
it affect the user that authenticates against AD.

Yes, I have created a new role, called “staff” and yes, I have set a limit
of 2 devices for this role. 

Then, the end-user just connects to SSID, authenticates and gets on the
network. How would I assign the user to the “staff” role?

Is this where provisioners come to help ?

 

Eugene

 

From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Tuesday, January 16, 2018 6:42 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

Hello Eugene,

this is exactly where you have to control that.

So just set a limit on the roles where you want to limit the number of
devices per user.

Regards

Fabrice

 

Le 2018-01-16 à 02:01, E.P. via PacketFence-users a écrit :

It sounds close to the number of devices/nodes a user can register which is
configurable under Configuration-Policies and access control-Roles, but we
don’t allow this luxury to anyone yet. Just regular network admission
control based on the active AD account

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Monday, January 15, 2018 10:54 PM
To: packetfence-users@lists.sourceforge.net
Subject: Number of devices to connect to the network

 

Guys,

We are still at the early phases of PF deployment and only now looking into
AD based authentication for wireless devices

Is there any way to limit the number of user devices that can be connected
by one user?

Let’s say the user uses his/her laptop and roams around remote sites where
we provide WiFi with WPA2-Enterprise and we also allow him/her use the phone
(iPhone/Android). No more devices to connect

 

Eugene

 

 

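
The source rule and per-role device limit discussed in the thread above, written out as configuration. This is an added example, not taken from any message in the thread: the source name corp_ad, the 12h duration and the dc=example,dc=com suffix are placeholders, and the key names are assumed to match what the admin GUI writes to roles.conf and authentication.conf, so compare them with your own files.

```ini
# Added example; names and values are placeholders, not from the thread.

# roles.conf: the "staff" role with the limit of 2 devices per user
[staff]
notes=Staff users
max_nodes_per_pid=2

# authentication.conf: rule inside the AD source (placeholder name corp_ad).
# The connection settings of the source itself are omitted here.
[corp_ad rule staff]
description=Members of the AD staff group
class=authentication
match=all
# Placeholder DN; use the full DN of the real group.
condition0=memberOf,equals,cn=staff,dc=example,dc=com
action0=set_role=staff
action1=set_access_duration=12h
```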


Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-25 Thread tom lo via PacketFence-users
Hi Fabrice,

Here is the content from the log file httpd.portal.access when the
user hit the portal.


172.18.x.y - - [23/Jan/2018:11:31:37]  "captive.apple.com" "GET
/hotspot-detect.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 4896
172.18.x.y - - [23/Jan/2018:11:32:22]  "www.apple.com" "GET /
HTTP/1.1" 302 1101 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like
Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 5069
172.18.x.y - - [23/Jan/2018:11:32:22]  "byod.a_domain.com" "GET
/captive-portal?destination_url=http://www.apple.com/; HTTP/1.1" 200
31211 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2823405
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/styles.css HTTP/1.1" 200 22524
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 8248
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/content/captiveportal.js HTTP/1.1" 200 2771
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2990
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/pf.js HTTP/1.1" 200 4259
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 4216
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/A_Logo_Black_trans_med.png HTTP/1.1" 200 6418
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 3465
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/jquery-1.11.3.min.js HTTP/1.1" 200 95957
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 19690
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
/common/img/sprite.svg HTTP/1.1" 200 27622
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 6047
172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "POST
/record_destination_url HTTP/1.1" 200 -
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 35716
172.18.x.y - - [23/Jan/2018:11:32:25]  "www.apple.com" "GET
/library/test/success.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 4852
172.18.x.y - - [23/Jan/2018:11:33:26]  "www.apple.com" "GET
/library/test/success.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 4972
172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "POST
/signup HTTP/1.1" 302 294
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 210063
172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "GET
/captive-portal HTTP/1.1" 302 286
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 52410
172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
/access HTTP/1.1" 200 6351
"https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&;
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 51125
172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
/content/timerbar.js HTTP/1.1" 200 4089
"https://byod.a_domain.com/access; "Mozilla/5.0 (iPhone; CPU iPhone OS
11_2_2 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko)
Mobile/15C202" 2634
172.18.x.y - - [23/Jan/2018:11:33:27]  "www.apple.com" "GET
/library/test/success.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 4374
172.18.x.y - - [23/Jan/2018:11:34:25]  "www.apple.com" "GET
/library/test/success.html HTTP/1.0" 302 1080 "-"
"CaptiveNetworkSupport-355.30.1 wispr" 3925
172.18.x.y - - [23/Jan/2018:11:34:25]  "byod.a_domain.com" "GET
/captive-portal?destination_url=http://www.apple.com/; HTTP/1.1" 200
3770 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 48716
172.18.x.y - - [23/Jan/2018:11:34:25]  "byod.a_domain.com" "POST
/record_destination_url HTTP/1.1" 200 -