Re: [PacketFence-users] packetfence-dhcpd.service restarting endlessly on PF 7.4.0 / Debian 9

2018-02-21 Thread Ian MacDonald via PacketFence-users
In addition to below,

It looks like this might be this issue, previously resolved with mariadb
but possibly not with packetfence-dhcpd.

https://github.com/inverse-inc/packetfence/issues/2792

Our short term workaround was to just turn off the broken systemd process
notification by changing the service type to "simple", executing a systemd
daemon-reload and restarting the packetfence-dhcpd.service.

Seems to be good for now.

cheers,
Ian

On Wed, Feb 21, 2018 at 10:28 AM, Ian MacDonald  wrote:

> Hello,
>
> Our PF instance(s) run in an out-of-band configuration, providing a
> captive portal to hostapd/CoA enabled switches using connection profiles
> with SSID filters and an email source for activation.
>
> We are not clustering, but instead have a qa instance where we stage and
> test upgrades and configuration changes.
>
> Since at least pf 7.3.0 we have noticed that the dhcpd service is
> constantly restarting every couple of minutes.  We just completed our
> upgrade to 7.4.0 and we still continue to see this dhcpd service restarting
> every couple of minutes.  This service provides connectivity to the
> registration and isolation VLANs by default.
>
> In our logs we see the lines captured below; I have included a capture
> from both our instances which behave the same way.
>
> Out best guess is that for some reason the dhcpd service monitoring is not
> quite functioning correctly, and restarting the service on a periodic
> basis.  The "Failed to start" message even though  it has started, seems to
> be an indication of perhaps some issue with the startup/systemd integration
> where it is not properly detecting the service start and simply restarting
> after the holdoff timer has expired.
>
> The net impact is that we believe this is causing some inconsistencies in
> portal registration / authorization timing that we may have previously
> worked around by increasing our redirect delay on activation.
>
> Now that we are on the latest version, we are posting here to see if there
> is a known quick fix while we continue to poke around with the dhcpd
> service startup configuration.
>
> cheers,
> Ian
>
> Instance 1:
> Feb 21 10:05:18 pf2 systemd[1]: packetfence-dhcpd.service start operation
> timed out. Terminating.
> Feb 21 10:05:18 pf2 systemd[1]: Failed to start PacketFence DHCPv4 Server
> Daemon.
> Feb 21 10:05:18 pf2 systemd[1]: Unit packetfence-dhcpd.service entered
> failed state.
> Feb 21 10:05:18 pf2 systemd[1]: packetfence-dhcpd.service holdoff time
> over, scheduling restart.
> Feb 21 10:05:18 pf2 systemd[1]: Stopping PacketFence DHCPv4 Server
> Daemon...
> Feb 21 10:05:18 pf2 systemd[1]: Starting PacketFence DHCPv4 Server
> Daemon...
> Feb 21 10:05:21 pf2 pfcmd[1952]: service|command
> Feb 21 10:05:21 pf2 pfcmd[1952]: dhcpd|config generated
>
> Instance 2:
> Feb 21 10:01:11 pf4 systemd[1]: packetfence-dhcpd.service start operation
> timed out. Terminating.
> Feb 21 10:01:11 pf4 systemd[1]: Failed to start PacketFence DHCPv4 Server
> Daemon.
> Feb 21 10:01:11 pf4 systemd[1]: Unit packetfence-dhcpd.service entered
> failed state.
> Feb 21 10:01:11 pf4 systemd[1]: packetfence-dhcpd.service holdoff time
> over, scheduling restart.
> Feb 21 10:01:11 pf4 systemd[1]: Stopping PacketFence DHCPv4 Server
> Daemon...
> Feb 21 10:01:11 pf4 systemd[1]: Starting PacketFence DHCPv4 Server
> Daemon...
> Feb 21 10:01:15 pf4 pfcmd[16671]: service|command
> Feb 21 10:01:15 pf4 pfcmd[16671]: dhcpd|config generated
>
>
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] WISPr not working on PF 7.4.0

2018-02-21 Thread Chris Abel via PacketFence-users
I am also seeing this with many android devices including my Samsung s8+.
LG phones are working fine though. I just installed pf 7.4 on a new CentOS
install.

On Wed, Feb 21, 2018 at 2:51 PM, Ian MacDonald via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

>
> We have two pf instances running 7.4.0 on Debian 8.10 (not Debian 9 as I may
> have suggested in previous posts), both recently upgraded from 7.3.0.
> They both have been running packetfence on Debian since being staged with
> 6.5.0.
>
> Our PF instance(s) run in an out-of-band configuration, providing a
> captive portal to hostapd/CoA enabled switches using connection profiles
> with SSID filters and an email source for activation.
>
> At some point in the past the captive portal with WISPr worked great; now it
> seems we just have captive-portal functionality, which requires the user to
> open a browser on a phone and go to a non-HSTS enabled site to hit the
> captive portal. With more and more HSTS enabled sites, users are
> complaining and we would like to get WISPr back.
>
> It seems we may have had this issue since our rebuild at version 6.5.0.
>
> We have secure_redirect enabled with our SSL certs installed on the
> server.
>
> On our Samsung S8/S8+ devices I am testing with, instead of WISPr, we get
> the "Internet may not be available" message (screenshot attached), and using
> the browser on a non-HSTS page jumps to the portal. Most of the popular
> ones deliver a MITM warning with no ability to click through.
>
> I read a few threads on this issue and it seems like we should be able to
> get this to work like it used to:
>
> https://sourceforge.net/p/packetfence/mailman/message/35504842/
>
> https://sourceforge.net/p/packetfence/mailman/packetfence-users/thread/
> A94B03A5-62EA-4549-84EB-59B590DE340B%40depaul.edu/#msg34694877
>
> It would seem that the following in our pf.conf should work,
>
> detection_mecanism_bypass=disabled
> wispr_redirection=enabled
>
> But we don't get the WISPr prompt on these Samsung phones.  And these same
> phones do WISPr on our local subway, so I know they have the functionality.
>
> My Ubuntu 17.10 laptop pops up a "Hotspot Login" window, but based on the
> httpd_portal log on the registration vlan below, I think it is just
> captive-portal detection.
>
> Feb 21 14:31:03 pf4 httpd_portal: 10.2.2.13 127.0.0.1 - -
> [21/Feb/2018:14:31:01 -0500] "pf4.netstatz.com" "GET
> /captive-portal?destination_url=http://nmcheck.gnome.org/ HTTP/1.1" 200
> 7889 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1 (KHTML, like
> Gecko) Version/11.0 Safari/605.1" 1387175
> Feb 21 14:31:03 pf4 httpd_portal: 10.2.2.13 127.0.0.1 - -
> [21/Feb/2018:14:31:03 -0500] "pf4.netstatz.com" "POST
> /record_destination_url HTTP/1.1" 200 - "https://pf4.netstatz.com/
> captive-portal?destination_url=http://nmcheck.gnome.org/; "Mozilla/5.0
> (X11; Linux x86_64) AppleWebKit/605.1 (KHTML, like Gecko) Version/11.0
> Safari/605.1" 214434
> Feb 21 14:31:41 pf4 httpd_portal: 10.2.2.13 127.0.0.1 - -
> [21/Feb/2018:14:31:40 -0500] "pf4.netstatz.com" "GET
> /captive-portal?destination_url=https://cloud.netstatz.com/status.php
> HTTP/1.1" 200 8281 "-" "Mozilla/5.0 (Linux) mirall/2.3.2" 929109
> Feb 21 14:32:13 pf4 httpd_portal: 10.2.2.13 127.0.0.1 - -
> [21/Feb/2018:14:32:12 -0500] "pf4.netstatz.com" "GET
> /captive-portal?destination_url=https://cloud.netstatz.com/status.php
> HTTP/1.1" 200 8281 "-" "Mozilla/5.0 (Linux) mirall/2.3.2" 252936
> Feb 21 14:32:45 pf4 httpd_portal: 10.2.2.13 127.0.0.1 - -
> [21/Feb/2018:14:32:44 -0500] "pf4.netstatz.com" "GET
> /captive-portal?destination_url=https://cloud.netstatz.com/status.php
> HTTP/1.1" 200 8281 "-" "Mozilla/5.0 (Linux) mirall/2.3.2" 265497
> Feb 21 14:33:17 pf4 httpd_portal: 10.2.2.13 127.0.0.1 - -
> [21/Feb/2018:14:33:16 -0500] "pf4.netstatz.com" "GET
> /captive-portal?destination_url=https://cloud.netstatz.com/status.php
> HTTP/1.1" 200 8281 "-" "Mozilla/5.0 (Linux) mirall/2.3.2" 261760
>
>
>


-- 
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY  12303
518-836-2341


Re: [PacketFence-users] Unifi APs and CoA

2018-02-21 Thread Timothy Mullican via PacketFence-users
Eugene,

Make sure that PacketFence (not your own infrastructure DHCP server) is handing 
out IP addresses on the registration network. Also, make sure that you added 
the portal module to your wireless VLAN in PacketFence under the Networks tab 
(I think the box is labeled “Additional listeners”). Please let me know if this 
doesn’t work.

Sent from mobile phone

> On Feb 18, 2018, at 20:32, Eugene Pefti via PacketFence-users 
>  wrote:
> 
> Good job, Chris, and thanks for sharing your progress.
> I dare ask my stupid question again ;)
> Why can't users associated to the guest WiFi (open, with a redirect to the PF captive 
> portal) reach PF via HTTP?
> They receive an IP address from the local DHCP server and can then ping PF, but 
> there’s no way to go through self-registration.
> 
> Eugene
> 
> From: "packetfence-users@lists.sourceforge.net" 
> 
> Reply-To: "packetfence-users@lists.sourceforge.net" 
> 
> Date: Thursday, February 15, 2018 at 8:00 AM
> To: "packetfence-users@lists.sourceforge.net" 
> 
> Cc: Chris Abel 
> Subject: Re: [PacketFence-users] Unifi APs and CoA
> 
> Hey All,
> 
> I was able to get deauth working with my Unifi APs and it seems everything is 
> working smoothly. Here is the configuration I used for the switch in 
> packetfence:
> 
> [Unifi AP IP Address or subnet]
> description=Unifi Access Points
> group=Unifi
> radiusSecret=RaidusPassword
> controllerIp=Unifi Controller IP Address
> useCoA=N
> wsTransport=HTTPS
> deauthMethod=HTTPS
> wsUser=Unifi Controller Username
> wsPwd=Unifi Controller Password
> 
> Hope this helps someone. I hope Packetfence releases some documentation on 
> Unifi APs because with the necessary applied patch and the unifi controller 
> changes to config.properties, everything seems to be working well. Actually, 
> in my opinion, it seems to be working better than the hostapd setup in 
> packetfence and is way easier to set up.
> 
> 
>> On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel  
>> wrote:
>> Hello all,
>> 
>> I am also trying to get my Unifi APs working with packetfence. It seems that 
>> I am very close. I am able to get the portal to show up on the client when 
>> in the registration vlan, but after registering, the client never deauth's 
>> and disconnects from the access point. I can disable my wireless and enable 
>> it again and the client is assigned the correct role and put into the right 
>> vlan, so that part seems to be working. I have applied the patch in the 
>> following way:
>> 
>> in /usr/local/pf I ran "curl 
>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff
>>  | patch -p1"
>> 
>> Is this the correct patch and the correct way to apply it? If so, why is 
>> this patch not disconnecting the client from the AP?
>> 
>> I have also applied the following to my AP's in Unifi:
>> 
>> /var/lib/unifi/sites//config.properties
>> config.system_cfg.1=aaa.1.auth_cache=disabled
>> config.system_cfg.2=aaa.2.auth_cache=disabled
>> config.system_cfg.3=aaa.1.dynamic_vlan=1
>> config.system_cfg.4=aaa.2.dynamic_vlan=1
>> config.system_cfg.5=aaa.1.radius.acct.1.ip=
>> config.system_cfg.6=aaa.1.radius.acct.1.port=
>> config.system_cfg.7=aaa.1.radius.acct.1.secret=> password>
>> config.system_cfg.8=aaa.2.radius.acct.1.ip=
>> config.system_cfg.9=aaa.2.radius.acct.1.port=
>> config.system_cfg.10=aaa.2.radius.acct.1.secret=> password>
>> 
>> 
>> What should the configuration be in packetfence when setting up the switch? 
>> Should I use hostapd or Unifi Controller? Should I enable COA or not? 
>> 
>> 
>> Does anyone have a working setup of Unifi APs with an out of band setup of 
>> packetfence at this point? If so, could you shed some light and post your 
>> configurations?
>> 
>> Thanks!
>> 
>>> On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users 
>>>  wrote:
>>> Yes, David, this is my plan to test the captive portal on wired connections 
>>> to rule out the unruly Unifi APs
>>> 
>>> Ideally I would love to make it also work with HP switches 1820/1920 model 
>>> because this is the majority of switches installed in our organization.
>>> 
>>> But will try it on Cisco switch as a beginning
>>> 
>>> Thanks again, for your sharing.
>>> 
>>> There’s apparently something wrong with the mailing list for packetfence, as 
>>> there’s nothing coming in and I don’t believe it’s only me who persists in 
>>> making things work and asking for advice.
>>> 
>>>  
>>> 
>>> Eugene
>>> 
>>>  
>>> 
>>> From: David Harvey [mailto:da...@thoughtmachine.net] 
>>> Sent: Friday, February 09, 2018 4:37 AM
>>> To: E.P. ; fdur...@inverse.ca
>>> Subject: Re: [PacketFence-users] Unifi APs and CoA
>>> 
>>>  
>>> 
>>> Hi Eugene,
>>> 
>>>  
>>> 
>>> I'm including Fabrice in 

Re: [PacketFence-users] Meru 3200 & packetfence 7.4 ssh & telnet not working

2018-02-21 Thread Derek Brabrook via PacketFence-users

No, Fabrice, 
same issue, and the logs look the same: it fails to even connect to the Meru host. 
I've reverted the changes now as they didn't make any difference. 

Do you need any more information from me to help you resolve this? 

And yes, the mailing list seems a bit weird; I keep getting bursts of emails 
every other day. 





From: "packetfence-users"  
To: "packetfence-users"  
Cc: "Durand fabrice"  
Sent: Monday, 19 February, 2018 23:35:51 
Subject: Re: [PacketFence-users] Meru 3200 & packetfence 7.4 ssh & telnet not 
working 



Hello Derek, 

It looks like we had an issue on the mailing list; does it work now? 

Regards 

Fabrice 



On 2018-02-16 at 09:22, Derek Brabrook via PacketFence-users wrote: 



My bad I found the "no station" in the new Meru.pm you pointed me to 

Derek 


From: "packetfence-users"  
To: "packetfence-users"  
Cc: "Durand fabrice"  
Sent: Friday, 16 February, 2018 03:02:55 
Subject: Re: [PacketFence-users] Meru 3200 & packetfence 7.4 ssh & telnet not 
working 



Hello Derek, 

It looks like the Perl library has been updated and is no longer compatible with 
the packetfence code. 

You can try to use the transport and personality parameters where it uses 
Net::Appliance::Session, here: 
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Meru.pm#L158




http://search.cpan.org/~oliver/Net-Appliance-Session-4.31/lib/Net/Appliance/Session.pm
 

Regards 
Fabrice 

On 2018-02-13 at 14:34, Derek Brabrook via PacketFence-users wrote: 



We run a Meru 3200 controller (software version 5.1-75). I have Packetfence 
(7.4) running from an ESXi VM on a trunked connection on a Debian Jessie 
flavour of Linux and everything seems to be working, 

except for de-association via telnet or ssh on the Meru; every time it attempts 
to de-associate via telnet or ssh 
it throws this in 

/usr/local/pf/logs/packetfence.log 

Feb 10 17:15:58 packet pfqueue: pfqueue(14065) INFO: [mac:d0:df:9a:66:af:d4] 
[d0:df:9a:66:af:d4] DesAssociating mac on switch (10.11.60.2) 
(pf::api::desAssociate) 
Feb 10 17:15:58 packet pfqueue: pfqueue(14065) ERROR: [mac:d0:df:9a:66:af:d4] 
Unable to connect to 10.11.60.2 using SSH. Failed with Missing required 
arguments: personality, transport at (eval 1979) line 75. 
(pf::Switch::Meru::deauthenticateMacDefault) 

or 


Feb 8 16:11:12 packet pfqueue: pfqueue(7868) ERROR: [mac:d0:df:9a:66:af:d4] 
Unable to connect to 10.11.60.2 using Telnet. 
Failed with Missing required arguments: personality, transport at (eval 2035) 
line 75. 




I've tried all combinations in the Switches settings from SNMP to Telnet and 
SSH. I've even logged into the packetfence server, 
su'd to the packetfence user and initiated an SSH connection to the Meru to 
accept the keys, but always the same error in packetfence.log. 

Functionally it works: if you connect to the wifi then register on the portal, 
then turn off your wifi, turn back on and connect to the same SSID, 
it puts you in the right VLAN and everything works as it should; it just won't 
de-associate on the Meru with ssh or telnet. 

I'm aware of the PMK caching issues (our version allows you to turn off PMK 
caching), and I'm aware that Meru doesn't pass the SSID with the radius 
request on an open wifi and only supports CLI de-association via telnet or SSH, 
but I've run out of steam on this one; I cannot see how I can get it to 
de-associate 
if it won't connect to the Meru CLI. 

The user I've created on the Meru has level 15 access, so it doesn't need 
elevated privs on the Meru, but it never gets that far. 


switches.conf 

[10.11.60.2] 
registrationVlan=10 
defaultVlan=40 
isolationVlan=20 
description=Meru 
radiusSecret=redacted 
deauthMethod=Telnet 
cliUser=pf 
cliPwd=redacted 
cliEnablePwd=redacted 
guestVlan=248 
VoIPLLDPDetect=N 
controllerIp=10.11.60.2 
cliAccess=Y 
VoIPCDPDetect=N 
ExternalPortalEnforcement=Y 
VoIPDHCPDetect=N 
macDetectionVlan=232 
type=Meru::MC 

Am I missing something glaringly obvious here ? Any help appreciated 


Regards 

Derek 








Re: [PacketFence-users] Detecting WIFI Routers using violations

2018-02-21 Thread Tomasz Karczewski via PacketFence-users
> Does the device that you want to catch display the proper device type and
> device class?

Yes, it does: "Routers and APs".

> Which PacketFence version are you running?

Now it is 6.5.1 but I will migrate to 7.4.

Tomasz Karczewski
Network Administrator

tkarczew...@man.olsztyn.pl
http://www.man.olsztyn.pl   http://www.uwm.edu.pl
tel. (89) 523 45 55  fax. (89) 523 43 47

Ośrodek Eksploatacji i Zarządzania
Miejską Siecią Komputerową OLMAN w Olsztynie
Uniwersytet Warmińsko-Mazurski w Olsztynie


From: Ludovic Zammit  
Sent: Friday, February 16, 2018 3:20 PM
To: packetfence-users@lists.sourceforge.net
Cc: Tomasz Karczewski 
Subject: Re: [PacketFence-users] Detecting WIFI Routers using violations

 

Hello Tomasz,

The violation will be triggered on the DHCP traffic of the device when it is
in the registration VLAN.

Does the device that you want to catch display the proper device type and
device class?

Which PacketFence version are you running?

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)

On Feb 8, 2018, at 6:07 AM, Tomasz Karczewski via PacketFence-users wrote:

 

Hi,

I would like to create a violation that will automatically detect wireless
routers in the cable network.

I would like to apply this violation for "Smartphones / PDAs / Tablets" and
"Routers and APs" connected to a particular switch group.

I tried to run this but the violation does not start automatically. Has any of
you run something like this and could help me?

Below is an example that doesn’t work:

[307]
priority=1
trigger=(device::11::4),(switch_group::SWITCHES)
actions=unreg,email_admin,reevaluate_access,log
desc=Block WIFI Routers
enabled=Y
template=banned_devices
auto_enable=N

Tnx

 



Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-21 Thread E.P. via PacketFence-users
I think it is slowly coming to me, Fabrice.

My PF is purely for RADIUS enforcement and PF has only one IP address, of
management type.

Now if I want WebAuth enforcement I would need to create one more interface
of portal type.

The question is: can I create this portal type interface in the same subnet
as the management interface?

I would want to have them both in the same VLAN.

 

Eugene

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Sunday, February 18, 2018 7:20 PM
To: 'packetfence-users@lists.sourceforge.net'

Cc: 'Durand fabrice' 
Subject: RE: [PacketFence-users] Access to PF captive portal is blocked

 

Here it is, Fabrice

10.0.254.3 is the WiFi client and 172.16.0.222 is PF.

Tcpdump.pcap is attached and it is made right on PF

The second capture is made on the laptop connected to guest WiFi.

It contains pings to PF but all TCP SYN requests all are answered with RST.

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Sunday, February 18, 2018 10:51 AM
To: packetfence-users@lists.sourceforge.net
 
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

Hello Eugene,

do you have the capture ?

Regards
Fabrice

On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:

Hi Fabrice,

I dare sending it again believing my previous email fell into cracks.

Can you please advise what could be wrong (see below)

 

Eugene

 

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Wednesday, February 14, 2018 1:08 AM
To: packetfence-users@lists.sourceforge.net
 
Subject: Access to PF captive portal is blocked

 

Hello folks,

I really hope someone who ran into a similar problem will shed some light.

Feeling bad we don’t hear anything from Fabrice or someone from inverse.

I have an out-of-band deployment of PF and my WiFi client gets connected and
redirected to PF

I see redirects by capturing the traffic on PF by tcpdump.

But… I see that PF sends TCP resets even for TCP SYN packet coming from the
client.

It seems to me it is just iptables firewall that blocks it. 

Why ? Where am I supposed to enter those IP addresses that are allowed to go
through captive portal registration?

I do allow PF IP address in the pre-authorization access list and my ping to
FQDN of PF succeeds normally.

It is only HTTP(s) doesn’t go through. 

Even manually entered URL in the client browser doesn’t open up any page,
i.e. https://pf.blabla.com/captive-portal or
https://172.16.0.222/captive-portal

 

Eugene








[PacketFence-users] Checkup warning on legacy redirtimer option in PF 7.4.0

2018-02-21 Thread Ian MacDonald via PacketFence-users
Hello,

We have two pf instances running 7.4.0 on Debian 9, both recently upgraded
from 7.3.0.   They both have been running packetfence since 6.5.0.

In both cases, they have the following in pf.conf that has been retained
over the upgrades:

[fencing]
#
# trapping.redirtimer
#
# How long to display the progress bar during trap release. Default value is
# based on VLAN enforcement techniques. Inline enforcement only users could
# lower the value.
redirtimer=30s


Since upgrading to 7.4.0, we now see a warning when using the "Perform
check-up" function in the admin GUI that states  *WARNING: unknown
configuration parameter fencing.redirtimer*

A quick review of the upgrade doc did not reveal any steps related to this
change, but we do note that this setting seems to now exist with a
different name with the same description in pf.conf.defaults shown below.

# captive_portal.network_redirect_delay
#
# How long to display the progress bar during trap release. Default value is
# based on VLAN enforcement techniques. Inline enforcement only users could
# lower the value.
network_redirect_delay = 20s

It looks like it is a legacy option that possibly changed sections twice
(trapping->fencing->captive_portal) and names once
(redirtimer->network_redirect_delay) and was not modified in the upgrade
scripts cleanly along the way.

We are just removing the section from our pf.conf, but noting here in the
off chance that was in error and/or the intent was to have it cleaned up in
the upgrade scripts for other users.

cheers,
Ian


[PacketFence-users] packetfence-dhcpd.service restarting endlessly on PF 7.4.0 / Debian 9

2018-02-21 Thread Ian MacDonald via PacketFence-users
Hello,

Our PF instance(s) run in an out-of-band configuration, providing a captive
portal to hostapd/CoA enabled switches using connection profiles with SSID
filters and an email source for activation.

We are not clustering, but instead have a qa instance where we stage and
test upgrades and configuration changes.

Since at least pf 7.3.0 we have noticed that the dhcpd service is
constantly restarting every couple of minutes.  We just completed our
upgrade to 7.4.0 and we still continue to see this dhcpd service restarting
every couple of minutes.  This service provides connectivity to the
registration and isolation VLANs by default.

In our logs we see the lines captured below; I have included a capture from
both our instances which behave the same way.

Out best guess is that for some reason the dhcpd service monitoring is not
quite functioning correctly, and restarting the service on a periodic
basis.  The "Failed to start" message even though  it has started, seems to
be an indication of perhaps some issue with the startup/systemd integration
where it is not properly detecting the service start and simply restarting
after the holdoff timer has expired.

The net impact is that we believe this is causing some inconsistencies in
portal registration / authorization timing that we may have previously
worked around by increasing our redirect delay on activation.

Now that we are on the latest version, we are posting here to see if there
is a known quick fix while we continue to poke around with the dhcpd
service startup configuration.

cheers,
Ian

Instance 1:
Feb 21 10:05:18 pf2 systemd[1]: packetfence-dhcpd.service start operation
timed out. Terminating.
Feb 21 10:05:18 pf2 systemd[1]: Failed to start PacketFence DHCPv4 Server
Daemon.
Feb 21 10:05:18 pf2 systemd[1]: Unit packetfence-dhcpd.service entered
failed state.
Feb 21 10:05:18 pf2 systemd[1]: packetfence-dhcpd.service holdoff time
over, scheduling restart.
Feb 21 10:05:18 pf2 systemd[1]: Stopping PacketFence DHCPv4 Server Daemon...
Feb 21 10:05:18 pf2 systemd[1]: Starting PacketFence DHCPv4 Server Daemon...
Feb 21 10:05:21 pf2 pfcmd[1952]: service|command
Feb 21 10:05:21 pf2 pfcmd[1952]: dhcpd|config generated

Instance 2:
Feb 21 10:01:11 pf4 systemd[1]: packetfence-dhcpd.service start operation
timed out. Terminating.
Feb 21 10:01:11 pf4 systemd[1]: Failed to start PacketFence DHCPv4 Server
Daemon.
Feb 21 10:01:11 pf4 systemd[1]: Unit packetfence-dhcpd.service entered
failed state.
Feb 21 10:01:11 pf4 systemd[1]: packetfence-dhcpd.service holdoff time
over, scheduling restart.
Feb 21 10:01:11 pf4 systemd[1]: Stopping PacketFence DHCPv4 Server Daemon...
Feb 21 10:01:11 pf4 systemd[1]: Starting PacketFence DHCPv4 Server Daemon...
Feb 21 10:01:15 pf4 pfcmd[16671]: service|command
Feb 21 10:01:15 pf4 pfcmd[16671]: dhcpd|config generated
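Added example (not from the thread or the PacketFence project): a small Python detector that reads systemd journal lines like the ones above, counts "holdoff time over, scheduling restart" events per unit, and attributes each restart to the failure logged just before it, so a readiness-timeout loop (what this thread describes) is told apart from a crash loop. The journal sample is constructed from the pf4 excerpt with extra cycles and an unrelated unit added, and the year is assumed to be 2018 because syslog-style timestamps carry none.

```python
"""Spot a systemd restart loop in journal output and say what kind it is."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real capture): three dhcpd start-timeout cycles
# modelled on the pf4 excerpt in the thread, spaced ~91 s apart, plus a unit
# that crashed once and a unit that started cleanly, for contrast.
SAMPLE_JOURNAL = """\
Feb 21 10:01:11 pf4 systemd[1]: packetfence-dhcpd.service start operation timed out. Terminating.
Feb 21 10:01:11 pf4 systemd[1]: Failed to start PacketFence DHCPv4 Server Daemon.
Feb 21 10:01:11 pf4 systemd[1]: Unit packetfence-dhcpd.service entered failed state.
Feb 21 10:01:11 pf4 systemd[1]: packetfence-dhcpd.service holdoff time over, scheduling restart.
Feb 21 10:01:11 pf4 systemd[1]: Starting PacketFence DHCPv4 Server Daemon...
Feb 21 10:01:15 pf4 pfcmd[16671]: dhcpd|config generated
Feb 21 10:02:42 pf4 systemd[1]: packetfence-dhcpd.service start operation timed out. Terminating.
Feb 21 10:02:42 pf4 systemd[1]: Unit packetfence-dhcpd.service entered failed state.
Feb 21 10:02:42 pf4 systemd[1]: packetfence-dhcpd.service holdoff time over, scheduling restart.
Feb 21 10:02:42 pf4 systemd[1]: Starting PacketFence DHCPv4 Server Daemon...
Feb 21 10:03:10 pf4 systemd[1]: Started PacketFence Captive Portal Apache HTTP Server.
Feb 21 10:04:13 pf4 systemd[1]: packetfence-dhcpd.service start operation timed out. Terminating.
Feb 21 10:04:13 pf4 systemd[1]: Unit packetfence-dhcpd.service entered failed state.
Feb 21 10:04:13 pf4 systemd[1]: packetfence-dhcpd.service holdoff time over, scheduling restart.
Feb 21 10:05:00 pf4 systemd[1]: example-crashy.service: main process exited, code=killed, status=11/SEGV
Feb 21 10:05:00 pf4 systemd[1]: Unit example-crashy.service entered failed state.
Feb 21 10:05:00 pf4 systemd[1]: example-crashy.service holdoff time over, scheduling restart.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) systemd\[1\]: (?P<msg>.*)$")
# Message shapes used by the systemd generation seen in the thread (Debian 8 / CentOS 7 era).
EVENT_RES = (
    (re.compile(r"^(?P<unit>\S+) start operation timed out"), "start-timeout"),
    (re.compile(r"^(?P<unit>\S+): main process exited"), "crash"),
    (re.compile(r"^(?P<unit>\S+) holdoff time over, scheduling restart"), "restart-scheduled"),
)


def parse_journal(text, year=2018):
    """Return [(timestamp, host, unit, event)] for the state changes we care about.

    Syslog-style timestamps carry no year, so one is supplied (assumed 2018 here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # pfcmd/daemon lines are not systemd state changes
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for regex, event in EVENT_RES:
            mm = regex.match(m["msg"])
            if mm:
                events.append((ts, m["host"], mm["unit"], event))
                break
    return events


def find_restart_loops(events, min_restarts=3, window=timedelta(minutes=10)):
    """Map (host, unit) -> summary for units restarted >= min_restarts times inside `window`."""
    by_unit = defaultdict(list)
    for ts, host, unit, event in events:
        by_unit[(host, unit)].append((ts, event))
    loops = {}
    for key, unit_events in by_unit.items():
        restarts = [ts for ts, ev in unit_events if ev == "restart-scheduled"]
        if len(restarts) < min_restarts or restarts[-1] - restarts[0] > window:
            continue
        # Attribute each scheduled restart to the failure logged just before it.
        causes, last_failure = [], None
        for _, ev in unit_events:
            if ev in ("start-timeout", "crash"):
                last_failure = ev
            elif ev == "restart-scheduled":
                causes.append(last_failure or "unknown")
                last_failure = None
        gaps = [(b - a).total_seconds() for a, b in zip(restarts, restarts[1:])]
        loops[key] = {
            "restarts": len(restarts),
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else 0.0,
            "dominant_cause": max(set(causes), key=causes.count),
        }
    return loops


def diagnose(summary):
    """Turn a loop summary into the first thing an operator should check."""
    cause = summary["dominant_cause"]
    if cause == "start-timeout":
        return ("readiness timeout: systemd killed the unit because it saw no readiness signal "
                "before TimeoutStartSec (Type=notify needs READY=1 via sd_notify, Type=forking "
                "needs the parent to exit); compare the unit's Type= with how the daemon starts")
    if cause == "crash":
        return "crash loop: the main process keeps exiting; read the daemon's own log first"
    return "restart loop with no failure message captured; widen the journal window"


if __name__ == "__main__":
    for (host, unit), summary in find_restart_loops(parse_journal(SAMPLE_JOURNAL)).items():
        print(f"{host} {unit}: {summary['restarts']} restarts, "
              f"mean {summary['mean_interval_s']:.0f} s apart -> {diagnose(summary)}")
```

Run it against `journalctl -u packetfence-dhcpd.service --no-pager` output in place of the sample to check whether the loop is a readiness timeout before changing the unit's Type=.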


[PacketFence-users] portal error after upgrade

2018-02-21 Thread luca comes via PacketFence-users
Hi all,

I have another problem after my technical partner updated the master machine 
of my cluster. I don't know what they updated, but I think perl is involved, so 
the portal page shows a 503 Service Unavailable from the haproxy. After checking 
and restarting httpd.portal I can see it start, but with the error shown below:


Feb 21 09:46:46 pfnac01 httpd_portal_err: [Wed Feb 21 09:46:45.991369 2018] 
[mpm_prefork:notice] [pid 28326] AH00170: caught SIGWINCH, shutting down 
gracefully
Feb 21 09:46:46 pfnac01 httpd_portal_err: [Wed Feb 21 09:46:45.991346 2018] 
[mpm_prefork:emerg] [pid 28358] (4)Interrupted system call: AH00144: couldn't 
grab the accept mutex
Feb 21 09:46:46 pfnac01 httpd_portal_err: [Wed Feb 21 09:46:45.991444 2018] 
[mpm_prefork:emerg] [pid 28359] (4)Interrupted system call: AH00144: couldn't 
grab the accept mutex
Feb 21 09:47:09 pfnac01 httpd_portal_err: [Wed Feb 21 09:47:09.523661 2018] 
[mpm_prefork:notice] [pid 29657] AH00163: Apache/2.4.6 (CentOS) 
OpenSSL/1.0.2k-fips mod_apreq2-20090110/2.8.0 mod_perl/2.0.10 Perl/v5.16.3 
configured -- resuming normal operations
Feb 21 09:47:09 pfnac01 httpd_portal_err: [Wed Feb 21 09:47:09.524070 2018] 
[core:notice] [pid 29657] AH00094: Command line: '/usr/sbin/httpd -f 
/usr/local/pf/var/conf/httpd.conf.d/httpd.portal -D FOREGROUND -D rhel'

Also a systemctl status packetfence-httpd.portal shows the same:

[root@pfnac01 ~]# systemctl status packetfence-httpd.portal
● packetfence-httpd.portal.service - PacketFence Captive Portal Apache HTTP 
Server
   Loaded: loaded (/usr/lib/systemd/system/packetfence-httpd.portal.service; 
enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-02-21 09:47:09 CET; 10min ago
 Docs: man:httpd(8)
   man:apachectl(8)
  Process: 29615 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, 
status=0/SUCCESS)
  Process: 29650 ExecStartPre=/usr/local/pf/bin/pfcmd service httpd.portal 
generateconfig (code=exited, status=0/SUCCESS)
 Main PID: 29657 (/usr/sbin/httpd)
   Status: "Total requests: 60; Current requests/sec: 0.1; Current traffic: 102 
B/sec"
   CGroup: /packetfence.slice/packetfence-httpd.portal.service
   ├─29657 /usr/sbin/httpd -f 
/usr/local/pf/var/conf/httpd.conf.d/httpd.portal -DFOREGROUND -Drhel
   ├─29681 /usr/bin/logger -thttpd_portal_err -plocal5.err
   ├─29682 /usr/bin/logger -thttpd_portal_err-plocal5.err
   ├─29683 /usr/bin/logger -thttpd_portal -plocal5.info
   ├─29684 /usr/bin/logger -thttpd_portal -plocal5.info
   ├─29685 /usr/bin/logger -thttpd_portal -plocal5.info
   ├─29686 /usr/bin/logger -thttpd_portal -plocal5.info
   ├─29687 /usr/bin/logger -thttpd_portal -plocal5.info
   ├─29688 /usr/bin/logger -thttpd_portal -plocal5.info
   ├─29689 /usr/bin/logger -thttpd_portal -plocal5.info
   ├─29691 /usr/sbin/httpd -f 
/usr/local/pf/var/conf/httpd.conf.d/httpd.portal -DFOREGROUND -Drhel
   ├─29692 /usr/sbin/httpd -f 
/usr/local/pf/var/conf/httpd.conf.d/httpd.portal -DFOREGROUND -Drhel
   ├─29693 /usr/sbin/httpd -f 
/usr/local/pf/var/conf/httpd.conf.d/httpd.portal -DFOREGROUND -Drhel
   └─29694 /usr/sbin/httpd -f 
/usr/local/pf/var/conf/httpd.conf.d/httpd.portal -DFOREGROUND -Drhel

Feb 21 09:46:58 pfnac01 packetfence[29650]: INFO pfcmd.pl(29650): generating 
/usr/local/pf/var/conf/captive-po...nfig)
Feb 21 09:46:58 pfnac01 pfcmd[29650]: httpd.portal|config generated
Feb 21 09:47:03 pfnac01 portal_catalyst[29657]: httpd.portal(29657) WARN: 
[mac:[undef]] Unicode::Encoding plugi...ins)
Feb 21 09:47:03 pfnac01 portal_catalyst[29657]: httpd.portal(29657) WARN: 
[mac:[undef]] Deprecated 'static' con...ore)
Feb 21 09:47:09 pfnac01 portal_catalyst[29657]: httpd.portal(29657) WARN: 
[mac:[undef]] Unicode::Encoding plugi...ins)
Feb 21 09:47:09 pfnac01 portal_catalyst[29657]: httpd.portal(29657) WARN: 
[mac:[undef]] Deprecated 'static' con...ore)
Feb 21 09:47:09 pfnac01 systemd[1]: Started PacketFence Captive Portal Apache 
HTTP Server.
Feb 21 09:47:09 pfnac01 httpd_portal_err[29681]: [Wed Feb 21 09:47:09.523661 
2018] [mpm_prefork:notice] [pid 29...ions
Feb 21 09:47:09 pfnac01 httpd_portal_err[29681]: [Wed Feb 21 09:47:09.524070 
2018] [core:notice] [pid 29657] AH...hel'
Feb 21 09:49:44 pfnac01 httpd_portal[29689]: 10.255.20.90 10.255.20.5 - - 
[21/Feb/2018:09:49:44 +0100] "10.255...20729
Hint: Some lines were ellipsized, use -l to show in full.

Do you know how I can fix this issue? At the moment my sponsor guest network is 
not working.

Thanks

Luca



Sent from Outlook