Re: [PacketFence-users] Make PF function as NAT/Firewall with Radius and VLAN enforcement

2019-02-18 Thread Tony W via PacketFence-users
Hi Fabrice,

Thank you for your help so far.

My interface naming is all good, however, I am still having a small
issue understanding correctly.

You indicate that I should make the management interface the one with
Internet access.
The management interface is also used to talk to my Ruckus controller.

According to the documentation, I can only have 1 management interface.

Example of what I am trying to do:

Ruckus 802.1x Auth      eth0    <--> PF eth1 - No Internet access
Registration (VLAN 10)  eth0.10  --> PF eth1 - No Internet access
User inline (VLAN 11)   eth0.11  --> PF eth1 - Internet Access
User inline (VLAN 12)   eth0.12  --> PF eth1 - Internet Access
User inline (VLAN 13)   eth0.13  --> PF eth1 - Internet Access
---
eth1 = Management - Public IP address

The Ruckus controller will do the 802.1x auth and radius in PF will
give the correct VLAN to Ruckus on successful auth and the visitor
will end up in the assigned VLAN.

I can not get my head around getting the Ruckus controller to talk to
the management interface when that is assigned to eth1.
Something is missing in my understanding. I guess I am thinking
traditional NAT/Firewall with 2 interfaces.
I prefer management VLAN to be un-tagged and on eth0, not on eth1.
Internet access should be on eth1.
I have 2 more interfaces so I could let the Ruckus (And other
equipment) use one of those (eth2 and eth3)

Sorry to be asking this again

Tony


On Tue, 19 Feb 2019 at 01:20, Fabrice Durand via PacketFence-users
 wrote:
>
> Hello Tony,
>
> On 2019-02-17 at 23:22, Tony W via PacketFence-users wrote:
> > Hi Fabrice,
> >
> > Thank you for that.
> >
> > So for PF, set 1 external interface (WAN) with Internet access (Inline)
> No, a management one with internet access
> > Then set at least 1 internal interface (LAN) with VLAN's, say 10 for SSID,
> > 11, 12, 13, 14 for the users to be allocated to once authenticated.
> 11,12,13,14 as inline
> >
> > I do not need (Or want) Internet access on VLAN 10, only DHCP for the
> > client devices.
> So 10 is a registration interface.
> > When the client device successfully authenticates, the client traffic
> > will go to the
> > selected/allocated VLAN (11, 12, 13 or ) and be given new IP
> > addresses by DHCP.
> It's what an inline interface does.
> > It is no big deal regarding people being on the initial VLAN 10 as not
> > many will be there at any one time.
> The registration interface on the vlan 10 will have short lease time, by
> default we set it to 30s.
> >
> > Just a quick question specific to CentOS 7.6 and PF.
> >
> > CentOS 7.x issues interface names like em1, em2, p2p1, p2p2 etc.,
> > instead of the old style eth0, eth1...
> >
> > Will PF still work OK, if I change this to the old style (See link below)?
> >
> > https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7
> Yes it will work.
> >
> > I feel more comfortable using the old interface naming convention and
> > the above procedure works well:-)
> >
> Regards
>
> Fabrice
>
>
> >
> >
> >
> >
> >
> > On Mon, 18 Feb 2019 at 12:09, Durand fabrice via PacketFence-users
> >  wrote:
> >> Hello Tony,
> >>
> >> you can set the vlan as inline in PacketFence.
> >>
> >> What i would do in this case is the following:
> >>
> >> - Create on PF all the VLANs as inline interfaces, for example eth1.10,
> >> eth1.11, eth1.12 (the VLANs you return when authenticated)
> >>
> >> - Set these VLAN IDs in the switch config (PacketFence side).
> >>
> >> That's it.
> >>
> >> The only issue you will have is when you unregister a device: it will
> >> stay on the inline VLAN but hit the portal on the inline interface.
> >>
> >> If the device reconnects it will go to the registration VLAN.
> >>
> >> Regards
> >>
> >> Fabrice
> >>
> >>
> >>
> >> On 2019-02-17 at 19:35, Tony W via PacketFence-users wrote:
> >>> Hi there,
> >>>
> >>> Trying to work out how to get PF to work as NAT/Firewall to the
> >>> internet whilst doing Radius and VLAN enforcement.
> >>>
> >>> Is this possible? Reading the documentation, it appears that the
> >>> current version will work in hybrid mode
> >>> (A combination of both) but seems to be for "flat" networks on
> >>> switches that can not be managed.
> >>>
> >>> I run a wireless network controller, where visitors connect to an SSID
> >>> (Assigned to a specific VLAN). This VLAN has no
> >>> Internet access.
> >>> Authentication is 802.1x. Once authenticated, visitor is directed to
> >>> one of a number of predetermined VLAN's by PF.
> >>> Each of the VLAN's shall have Internet access through the same PF box.
> >>> PF tells Ruckus to put the visitor in the
> >>> assigned VLAN. DHCP is used on the initial connection and each of the
> >>> VLAN's shall have their own DHCP scope.
> >>>
> >>> I have done this before using FreeRadius with DaloRadius and a Ruckus
> >>> controller, configured manually on CentOS 7.3
> >>> with Firewall/NAT. That solution is lacking some of the nice extra
> >>> stuff integrated in PF.
> >>>

[PacketFence-users] Why am I having Duplicate Routes

2019-02-18 Thread Ismail Yushaw via PacketFence-users

Hello Guys,

Like I said in my previous post, clients are able to authenticate to 
the AD but can't get access to the internet. I tried to print the routing 
table of the server. It is as below, and I am seeing multiple APIPA IP 
addresses that are unexplained.


[root@pf ~]# ip route show
10.1.0.0/22 dev eth1  proto kernel  scope link  src 10.1.1.148
169.254.0.0/30 dev AD-b  proto kernel  scope link  src 169.254.0.2
169.254.0.0/16 dev eth0  scope link  metric 1002
169.254.0.0/16 dev eth0.11  scope link  metric 1003
169.254.0.0/16 dev eth0.2  scope link  metric 1004
169.254.0.0/16 dev eth0.3  scope link  metric 1005
169.254.0.0/16 dev eth0.4  scope link  metric 1006
169.254.0.0/16 dev eth0.5  scope link  metric 1007
172.17.0.0/22 dev eth0  proto kernel  scope link  src 172.17.1.252
192.168.1.0/24 dev eth0.4  proto kernel  scope link  src 192.168.1.1
192.168.2.0/24 dev eth0.2  proto kernel  scope link  src 192.168.2.1
192.168.3.0/24 dev eth0.3  proto kernel  scope link  src 192.168.3.1
192.168.5.0/24 dev eth0.5  proto kernel  scope link  src 192.168.5.1

NOTE: 10.1.1.148 on eth1 is the interface with internet access.

172.17.1.252 on eth0 is the management interface

192.168.2.0/24 is the registration subnet.


I am stuck... really stuck



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
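The routing table above can be read mechanically. As an added example (not part of the original post or of PacketFence), the script below parses `ip route show` output and reports the two things that matter here: the per-interface 169.254.0.0/16 entries (metric 1002 and up) are the link-local routes the RHEL/CentOS network scripts add on every `ifup` unless `NOZEROCONF=yes` is set in /etc/sysconfig/network, and are cosmetic; the /30 on AD-b is the veth link PacketFence creates for the joined AD domain's network namespace and is expected; what the dump does not contain is a default route, and without one neither the box nor anything NATed behind it reaches the Internet. The sample table is the one posted above; the `default via 10.1.0.1` line used in the usage note is an assumed upstream gateway for illustration only.

```python
"""Sanity-check an `ip route show` dump from a PacketFence box.

Added example, not part of the original post or of PacketFence. Reports:
  * whether a default route exists (nothing reaches the Internet without one);
  * 169.254.0.0/16 link-local routes left by the RHEL/CentOS ifup scripts
    when NOZEROCONF=yes is not set in /etc/sysconfig/network;
  * which interface currently carries each real subnet.
"""
import ipaddress
import re

# Routing table copied from the post (AD-b is PacketFence's veth for the AD domain namespace).
SAMPLE_ROUTES = """\
10.1.0.0/22 dev eth1  proto kernel  scope link  src 10.1.1.148
169.254.0.0/30 dev AD-b  proto kernel  scope link  src 169.254.0.2
169.254.0.0/16 dev eth0  scope link  metric 1002
169.254.0.0/16 dev eth0.11  scope link  metric 1003
169.254.0.0/16 dev eth0.2  scope link  metric 1004
169.254.0.0/16 dev eth0.3  scope link  metric 1005
169.254.0.0/16 dev eth0.4  scope link  metric 1006
169.254.0.0/16 dev eth0.5  scope link  metric 1007
172.17.0.0/22 dev eth0  proto kernel  scope link  src 172.17.1.252
192.168.1.0/24 dev eth0.4  proto kernel  scope link  src 192.168.1.1
192.168.2.0/24 dev eth0.2  proto kernel  scope link  src 192.168.2.1
192.168.3.0/24 dev eth0.3  proto kernel  scope link  src 192.168.3.1
192.168.5.0/24 dev eth0.5  proto kernel  scope link  src 192.168.5.1
"""

# One `ip route` line: destination, optional gateway, device, optional src and metric.
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?"
    r"\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bsrc\s+(?P<src>\S+))?"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)

ZEROCONF = ipaddress.ip_network("169.254.0.0/16")


def parse_routes(text):
    """Return one dict per route line: dst, via, dev, src, metric."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blackhole/unreachable entries and blank lines are skipped
        r = m.groupdict()
        r["metric"] = int(r["metric"]) if r["metric"] else 0
        routes.append(r)
    return routes


def analyse_routes(text):
    """Summarise the table: default route, zeroconf leftovers, subnet -> interface."""
    routes = parse_routes(text)
    default = [r for r in routes if r["dst"] == "default"]
    nets = [(ipaddress.ip_network(r["dst"], strict=False), r) for r in routes if r["dst"] != "default"]
    # The per-interface /16 entries come from the ifup scripts, not from PacketFence.
    zeroconf_ifaces = sorted(r["dev"] for net, r in nets if net == ZEROCONF)
    # Everything inside 169.254/16 (including PacketFence's domain veth /30) is not a real subnet.
    subnets = {str(net): r["dev"] for net, r in nets if not net.subnet_of(ZEROCONF)}
    findings = []
    if not default:
        findings.append("no default route: add 'default via <upstream gateway> dev <internet iface>'")
    if zeroconf_ifaces:
        findings.append("zeroconf routes on " + ", ".join(zeroconf_ifaces)
                        + " (set NOZEROCONF=yes in /etc/sysconfig/network)")
    return {
        "default_via": default[0]["via"] if default else None,
        "default_dev": default[0]["dev"] if default else None,
        "zeroconf_ifaces": zeroconf_ifaces,
        "subnets": subnets,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyse_routes(SAMPLE_ROUTES)["findings"]:
        print("-", finding)
```

Run it against a live box with `ip route show | python3 routecheck.py` after swapping `SAMPLE_ROUTES` for `sys.stdin.read()`; on the posted table it reports the missing default route first and the zeroconf leftovers second.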


Re: [PacketFence-users] eap-tls machine authentication against AD

2019-02-18 Thread Durand fabrice via PacketFence-users

Hello Carlos,

my remark below.

On 2019-02-18 at 09:04, Carlos Wetli via PacketFence-users wrote:

Hello Fabrice,

Many thanks Fabrice for your reply on that matter, which is very 
appreciated.


Please find enclosed the extract as you suggested:


Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: 
[mac:80:ce:62:a1:2e:75] handling radius autz request: from switch_ip 
=> (172.29.180.68), connection_type => Ethernet-EAP,switch_mac => 
(70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], port => 50103, 
username => "M-1$@ad.cwe.local" (pf::radius::authorize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: 
[mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN 
(pf::Connection::ProfileFactory::_from_profile)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: 
[mac:80:ce:62:a1:2e:75] Found authentication source(s) : '' for realm 
'null' (pf::config::util::filter_authentication_sources)


The realm is null. Do you have a realm ad.cwe.local configured in PacketFence?

Also, in your AD_LOGIN connection profile, is the source you defined 
configured to match the null realm (or ad.cwe.local)? (Edit the 
authentication source.)


Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Calling match with empty/invalid rule class. 
Defaulting to 'authentication' (pf::authentication::match2)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: 
[mac:80:ce:62:a1:2e:75] Using sources  for matching 
(pf::authentication::match2)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value in string eq at 
/usr/local/pf/lib/pf/role.pm  line 736.

 (pf::role::_check_bypass)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: 
[mac:80:ce:62:a1:2e:75] Role has already been computed and we don't 
want to recompute it. Getting role from node_info 
(pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $role in 
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm 
 line 478.

 (pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: 
[mac:80:ce:62:a1:2e:75] Username was NOT defined or unable to match a 
role - returning node based role '' (pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: 
[mac:80:ce:62:a1:2e:75] PID: "M-1$@ad.cwe.local", Status: reg Returned 
VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in hash 
element at /usr/local/pf/lib/pf/Switch.pm line 792.

 (pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in 
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 795.

 (pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] No parameter Vlan found in conf/switches.conf 
for the switch 172.29.180.68 (pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in hash 
element at /usr/local/pf/lib/pf/Switch.pm line 775.

 (pf::Switch::getRoleByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in 
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 778.

 (pf::Switch::getRoleByName)
Feb 18 13:43:49 srv1 pfqueue: pfqueue(11366) INFO: [mac:unknown] 
undefined source id provided (pf::lookup::person::lookup_person)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: 
[mac:80:ce:62:a1:2e:75] Match rule 1:eap (pf::access_filter::radius::test)


It matches a rule in the RADIUS filter but there is no answer1.

Can you share the RADIUS filters?

Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer[1] in 
pattern match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm 
 line 69.

 (pf::access_filter::radius::handleAnswerInRule)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $range in pattern 
match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm 
 line 174.

 (pf::access_filter::radius::rangeValidator)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in pattern 
match (m//) at /usr/share/perl5/vendor_perl/Number/Range.pm line 43.

 (Number::Range::initialize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: 
[mac:80:ce:62:a1:2e:75] Use of 
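The reading Fabrice does by hand on the excerpt above (username and realm in, no source for that realm, no role or VLAN computed, switch without a VLAN for the missing role, filter rule matched with nothing assigned) can be scripted so the root cause is the first finding rather than the last WARN in a wall of Perl "uninitialized value" noise. This is an added example, not PacketFence's own code. The line shapes are copied from the posted log; the success-case shape ("Returned VLAN: 20, Role: staff") and the assumption that matching source ids are logged as one comma-separated string are my assumptions about the same template.

```python
"""Triage a PacketFence httpd.aaa log excerpt for one 802.1X/EAP request.

Added example (not PacketFence's own code). Walks the per-MAC log lines in
order and collapses them into the stages a RADIUS authorize request goes
through, then lists findings in pipeline order so the first one is the root
cause. Line shapes come from the posted excerpt; the success-case shape and
the comma-separated source list are assumptions.
"""
import re

# Constructed sample: the posted lines, with wrapped lines joined back together.
_PREFIX = "Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) "
_MAC = "[mac:80:ce:62:a1:2e:75] "
SAMPLE_LOG = "\n".join([
    _PREFIX + "INFO: " + _MAC + "handling radius autz request: from switch_ip => (172.29.180.68), "
    "connection_type => Ethernet-EAP,switch_mac => (70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], "
    'port => 50103, username => "M-1$@ad.cwe.local" (pf::radius::authorize)',
    _PREFIX + "INFO: " + _MAC + "Instantiate profile AD_LOGIN (pf::Connection::ProfileFactory::_from_profile)",
    _PREFIX + "INFO: " + _MAC + "Found authentication source(s) : '' for realm 'null' "
    "(pf::config::util::filter_authentication_sources)",
    _PREFIX + "INFO: " + _MAC + 'PID: "M-1$@ad.cwe.local", Status: reg Returned VLAN: (undefined), '
    "Role: (undefined) (pf::role::fetchRoleForNode)",
    _PREFIX + "WARN: " + _MAC + "No parameter Vlan found in conf/switches.conf for the switch "
    "172.29.180.68 (pf::Switch::getVlanByName)",
    _PREFIX + "INFO: " + _MAC + "Match rule 1:eap (pf::access_filter::radius::test)",
]) + "\n"

# "<ts> <host> <ident> <proc> LEVEL: [mac:xx] <message> (pf::Module::function)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<level>[A-Z]+):\s+\[mac:(?P<mac>[0-9a-f:]{17}|unknown)\]\s+"
    r"(?P<msg>.*?)\s+\((?P<func>pf::[\w:]+)\)\s*$"
)
USERNAME_RE = re.compile(r'username => "(?P<user>[^"]*)"')
PROFILE_RE = re.compile(r"Instantiate profile (?P<profile>\S+)")
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '(?P<sources>[^']*)' for realm '(?P<realm>[^']*)'")
ROLE_RE = re.compile(r"Returned VLAN: \(?(?P<vlan>[^,)]+)\)?, Role: \(?(?P<role>[^)\s]+)\)?")
SWITCH_RE = re.compile(r"No parameter Vlan found in conf/switches.conf for the switch (?P<switch>\S+)")
FILTER_RE = re.compile(r"Match rule (?P<rule>\S+)")


def parse_request(text):
    """Collapse the per-MAC log lines of one authorize request into a record."""
    req = {"mac": None, "username": None, "profile": None, "realm": None, "sources": None,
           "vlan": None, "role": None, "switch_without_vlan": None, "filter_rule": None, "warnings": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an httpd.aaa line of the expected shape
        msg = m.group("msg")
        req["mac"] = req["mac"] or m.group("mac")
        if m.group("level") == "WARN":
            req["warnings"] += 1
        u = USERNAME_RE.search(msg)
        if u:
            req["username"] = u.group("user")
        p = PROFILE_RE.search(msg)
        if p:
            req["profile"] = p.group("profile")
        s = SOURCES_RE.search(msg)
        if s:
            req["realm"] = s.group("realm")
            # Source ids assumed to be logged as one comma-separated string; '' means none matched.
            req["sources"] = [x.strip() for x in s.group("sources").split(",") if x.strip()]
        r = ROLE_RE.search(msg)
        if r:
            req["vlan"] = None if r.group("vlan") == "undefined" else r.group("vlan")
            req["role"] = None if r.group("role") == "undefined" else r.group("role")
        w = SWITCH_RE.search(msg)
        if w:
            req["switch_without_vlan"] = w.group("switch")
        f = FILTER_RE.search(msg)
        if f:
            req["filter_rule"] = f.group("rule")
    return req


def diagnose(req):
    """Findings in pipeline order; the first one is the root cause to fix."""
    findings = []
    if req["sources"] is not None and not req["sources"]:
        findings.append("no authentication source for realm '%s' (username %r): define the realm in "
                        "realms.conf and bind a source for it to profile %s"
                        % (req["realm"], req["username"], req["profile"]))
    if req["username"] and req["role"] is None and req["vlan"] is None:
        findings.append("no role or VLAN computed for the node, so there is nothing to return")
    if req["switch_without_vlan"]:
        findings.append("switch %s has no VLAN entry in switches.conf for role %r"
                        % (req["switch_without_vlan"], req["role"]))
    if req["filter_rule"] and req["vlan"] is None:
        findings.append("RADIUS filter rule %s matched but no VLAN was assigned; check that the rule "
                        "defines an answer" % req["filter_rule"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_request(SAMPLE_LOG)):
        print("-", finding)
```

Feed it `grep 'mac:80:ce:62:a1:2e:75' /usr/local/pf/logs/packetfence.log` for a single request; the uninitialized-value warnings from role.pm and Switch.pm are counted but not reported, because they are consequences of the empty realm match, not causes.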

Re: [PacketFence-users] Guest authorization via SMS / hidden e-mail subject

2019-02-18 Thread Durand fabrice via PacketFence-users

Hello Lukasz,

the phone number is $info->{'to'}

Regards

Fabrice

On 2019-02-18 at 04:02, Łukasz Wieczorek via PacketFence-users wrote:

Hello Fabrice,

Thank you.
I am trying to modify the script, I'm already very close.
Unfortunately, I'm not a programmer. I can't find the "phone number"
variable for this function. I do not know what it's called. Maybe
someone will help?

Lukasz
On Sat, 16 Feb 2019 at 22:04, Durand fabrice via PacketFence-users
 wrote:

Hello Lukasz,

check that:

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Authentication/Source/SMSSource.pm#L114

Just need to change few things.

Regards

Fabrice


On 2019-02-16 at 05:26, Łukasz Wieczorek via PacketFence-users wrote:

I am a new user of PacketFence and need help in configuring guest
authorization via SMS.
My SMS service provider requires a special email format, where in the
subject field I need to send the user and password to my
provider.

I need a mail format:

ADDRESS: sms...@smsapi.pl
SUBJECT: login@
Message content: from=sender=phone
number=1=message content

raport=1 is optional

I only know how to add a new supplier to the database ...
INSERT INTO sms_carrier
  (id, name, email_pattern, created)
VALUES
  (100xxx, 'MyGateway', '%s@...', now());

Thank you in advance for your help
Regards
Lukasz




Re: [PacketFence-users] Can't link PacketFence with AD Server.

2019-02-18 Thread Durand fabrice via PacketFence-users

Hello Adrian,

what is the switch model ?

Also you can try the generic one.

Regards

Fabrice


On 2019-02-18 at 03:52, Adrian Dessaigne via PacketFence-users wrote:

Hello Fabrice,

I was given a Cisco 2960 to bypass my issue. PacketFence is now set up 
and works as intended. It works very well.
However, if I use a switch which is not listed in the switch types 
of PacketFence, will it work just for 802.1X? I have read that coding 
a new Perl module was required to add an unknown switch.


Regards

Adrian.


*From: *"packetfence-users" 
*To: *"packetfence-users" 
*Cc: *"Durand fabrice" 
*Sent: *Thursday 14 February 2019 03:13:47
*Subject: *Re: [PacketFence-users] Can't link PacketFence with AD Server.

Hello Adrian,

I will check tomorrow the patch I gave you, to be sure that it applies 
correctly.


Regards

Fabrice


On 2019-02-11 at 11:04, Adrian Dessaigne via PacketFence-users wrote:

My bad, there is a difference,

Here is the debug on pastebin:

Line 1749 tells the reason it got refused:
:Module-Failure-Message := "Failed retrieving values
required to evaluate condition"

Regards

Adrian

- Original message -
From: "packetfence-users" 
To: "packetfence-users" 
Cc: "Durand fabrice" 
Sent: Saturday 9 February 2019 02:17:51
Subject: Re: [PacketFence-users] Can't link PacketFence with AD Server.

Hello Adrian,

I made the patch based on the devel branch.

Here is a new one based on PacketFence 8.3.

Regards

Fabrice




Re: [PacketFence-users] Unable to detect network connectivity

2019-02-18 Thread Isma'il Yusha'u via PacketFence-users
Caique,
I do not have an AP but rather a normal Huawei S5700 switch. It's close to
the recommended kind, only that it does not have the AP.

I have made the necessary configuration on the switch but it does not work.

On Mon, Feb 18, 2019, 16:25 Christian McDonald via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Does your WLAN controller and APs support RADIUS CoA or Disconnect
> packets? Have you tried manually disconnecting and reconnecting to the WiFi
> network to see if connectivity is available?
>
> On Mon, Feb 18, 2019 at 9:59 AM Ismail Yushaw via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi all,
>> I am running PacketFence ZEN and I am having the following problems.
>>
>> I have successfully presented users with a captive portal on a VLAN
>> enforcement and the users are able to log in and register successfully. But
>> the client is presented with
>> "Unable to detect network connectivity. Try restarting your web
>> browser or opening a new tab to see if your access has been successfully
>> enabled."
>>
>> Below is the output of my ipset
>>
>>
>> [root@pf bin]# ipset -L
>> Name: parking
>> Type: hash:ip
>> Revision: 1
>> Header: family inet hashsize 1024 maxelem 65536
>> Size in memory: 16528
>> References: 2
>> Members:
>>
>> Name: pfsession_passthrough
>> Type: hash:ip,port
>> Revision: 2
>> Header: family inet hashsize 1024 maxelem 65536
>> Size in memory: 16528
>> References: 2
>> Members:
>>
>> Name: pfsession_isol_passthrough
>> Type: hash:ip,port
>> Revision: 2
>> Header: family inet hashsize 1024 maxelem 65536
>> Size in memory: 16528
>> References: 2
>> Members:
>>
>> and below is the networks.conf
>>
>> [root@pf bin]# cat ../conf/networks.conf
>> [192.168.2.0]
>> dns=192.168.2.1
>> split_network=disabled
>> dhcp_start=192.168.2.10
>> gateway=192.168.2.1
>> domain-name=vlan-registration.nita.htb
>> nat_enabled=disabled
>> named=enabled
>> dhcp_max_lease_time=30
>> fake_mac_enabled=disabled
>> dhcpd=enabled
>> dhcp_end=192.168.2.246
>> type=vlan-registration
>> netmask=255.255.255.0
>> dhcp_default_lease_time=30
>>
>> [192.168.3.0]
>> dns=192.168.3.1
>> split_network=disabled
>> dhcp_start=192.168.3.10
>> gateway=192.168.3.1
>> domain-name=vlan-isolation.nita.htb
>> nat_enabled=disabled
>> named=enabled
>> dhcp_max_lease_time=30
>> fake_mac_enabled=disabled
>> dhcpd=enabled
>> dhcp_end=192.168.3.246
>> type=vlan-isolation
>> netmask=255.255.255.0
>> dhcp_default_lease_time=30
>>
>> [10.1.0.0]
>> dns=10.240.1.20
>> split_network=disabled
>> dhcp_start=10.1.0.10
>> gateway=10.1.2.211
>> domain-name=inlinel2.nita.htb
>> nat_enabled=enabled
>> named=enabled
>> dhcp_max_lease_time=86400
>> fake_mac_enabled=disabled
>> dhcpd=enabled
>> dhcp_end=10.1.3.246
>> type=inlinel2
>> netmask=255.255.252.0
>> dhcp_default_lease_time=86400
>>
>> Mind you that I have enabled IPv4 forwarding
>>
>>
>>
>>
>>
> --
> R. Christian McDonald
> *Director of Technology*
> Grand Rapids Adventist Academy
> C: (616) 856-9291


Re: [PacketFence-users] Unable to detect network connectivity

2019-02-18 Thread Christian McDonald via PacketFence-users
Does your WLAN controller and APs support RADIUS CoA or Disconnect packets?
Have you tried manually disconnecting and reconnecting to the WiFi network
to see if connectivity is available?

On Mon, Feb 18, 2019 at 9:59 AM Ismail Yushaw via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi all,
> I am running PacketFence ZEN and I am having the following problems.
>
> I have successfully presented users with a captive portal on a VLAN
> enforcement and the users are able to log in and register successfully. But
> the client is presented with
> "Unable to detect network connectivity. Try restarting your web
> browser or opening a new tab to see if your access has been successfully
> enabled."
>
> Below is the output of my ipset
>
>
> [root@pf bin]# ipset -L
> Name: parking
> Type: hash:ip
> Revision: 1
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16528
> References: 2
> Members:
>
> Name: pfsession_passthrough
> Type: hash:ip,port
> Revision: 2
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16528
> References: 2
> Members:
>
> Name: pfsession_isol_passthrough
> Type: hash:ip,port
> Revision: 2
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16528
> References: 2
> Members:
>
> and below is the networks.conf
>
> [root@pf bin]# cat ../conf/networks.conf
> [192.168.2.0]
> dns=192.168.2.1
> split_network=disabled
> dhcp_start=192.168.2.10
> gateway=192.168.2.1
> domain-name=vlan-registration.nita.htb
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=192.168.2.246
> type=vlan-registration
> netmask=255.255.255.0
> dhcp_default_lease_time=30
>
> [192.168.3.0]
> dns=192.168.3.1
> split_network=disabled
> dhcp_start=192.168.3.10
> gateway=192.168.3.1
> domain-name=vlan-isolation.nita.htb
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=192.168.3.246
> type=vlan-isolation
> netmask=255.255.255.0
> dhcp_default_lease_time=30
>
> [10.1.0.0]
> dns=10.240.1.20
> split_network=disabled
> dhcp_start=10.1.0.10
> gateway=10.1.2.211
> domain-name=inlinel2.nita.htb
> nat_enabled=enabled
> named=enabled
> dhcp_max_lease_time=86400
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=10.1.3.246
> type=inlinel2
> netmask=255.255.252.0
> dhcp_default_lease_time=86400
>
> Mind you that I have enabled IPv4 forwarding
>
>
>
>
>


-- 
R. Christian McDonald
*Director of Technology*
Grand Rapids Adventist Academy
C: (616) 856-9291


[PacketFence-users] Unable to detect network connectivity

2019-02-18 Thread Ismail Yushaw via PacketFence-users

Hi all,
I am running PacketFence ZEN and I am having the following problems.

I have successfully presented users with a captive portal on a VLAN 
enforcement and the users are able to log in and register successfully. But 
the client is presented with
"Unable to detect network connectivity. Try restarting your web 
browser or opening a new tab to see if your access has been successfully 
enabled."


Below is the output of my ipset


[root@pf bin]# ipset -L
Name: parking
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16528
References: 2
Members:

Name: pfsession_passthrough
Type: hash:ip,port
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16528
References: 2
Members:

Name: pfsession_isol_passthrough
Type: hash:ip,port
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16528
References: 2
Members:

and below is the networks.conf

[root@pf bin]# cat ../conf/networks.conf
[192.168.2.0]
dns=192.168.2.1
split_network=disabled
dhcp_start=192.168.2.10
gateway=192.168.2.1
domain-name=vlan-registration.nita.htb
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

[192.168.3.0]
dns=192.168.3.1
split_network=disabled
dhcp_start=192.168.3.10
gateway=192.168.3.1
domain-name=vlan-isolation.nita.htb
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

[10.1.0.0]
dns=10.240.1.20
split_network=disabled
dhcp_start=10.1.0.10
gateway=10.1.2.211
domain-name=inlinel2.nita.htb
nat_enabled=enabled
named=enabled
dhcp_max_lease_time=86400
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.1.3.246
type=inlinel2
netmask=255.255.252.0
dhcp_default_lease_time=86400

Mind you that I have enabled IPv4 forwarding





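Before chasing the "Unable to detect network connectivity" message (which the portal shows when the device is still answered by the portal after registration, which is why Christian asks about CoA/Disconnect support), it is worth linting the posted networks.conf for the mistakes that silently break the registration flow. The script below is an added example, not part of the thread or of PacketFence. It checks that each gateway and DHCP range sits inside its subnet, that the DHCP range does not hand out the gateway address, that registration and isolation networks use PacketFence itself as DNS (the portal redirect relies on pfdns answering on those VLANs), and that lease times fit the network type (30 s on registration/isolation, long on inline; inline networks without NAT need a route back from upstream). The same checks apply to a registration VLAN plus inline VLANs layout like the one discussed in the NAT/firewall thread. The sample is the file posted above; the type names and the 60 s / 300 s thresholds are my own choices.

```python
"""Lint a PacketFence conf/networks.conf before blaming the captive portal.

Added example, not part of the original thread or of PacketFence. The
thresholds (60 s for registration/isolation leases, 300 s for inline
leases) are the author's choices, not PacketFence defaults.
"""
import configparser
import ipaddress

# Constructed sample: the networks.conf posted in the thread.
SAMPLE_NETWORKS_CONF = """\
[192.168.2.0]
dns=192.168.2.1
split_network=disabled
dhcp_start=192.168.2.10
gateway=192.168.2.1
domain-name=vlan-registration.nita.htb
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

[192.168.3.0]
dns=192.168.3.1
dhcp_start=192.168.3.10
gateway=192.168.3.1
domain-name=vlan-isolation.nita.htb
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

[10.1.0.0]
dns=10.240.1.20
dhcp_start=10.1.0.10
gateway=10.1.2.211
domain-name=inlinel2.nita.htb
nat_enabled=enabled
named=enabled
dhcp_max_lease_time=86400
dhcpd=enabled
dhcp_end=10.1.3.246
type=inlinel2
netmask=255.255.252.0
dhcp_default_lease_time=86400
"""

SHORT_LEASE_TYPES = {"vlan-registration", "vlan-isolation"}
INLINE_TYPES = {"inline", "inlinel2", "inlinel3"}


def lint_networks_conf(text):
    """Return {section: [finding, ...]}; an empty list means that network is clean."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for name in cfg.sections():
        sec = cfg[name]
        findings = []
        net = ipaddress.ip_network("%s/%s" % (name, sec["netmask"]), strict=False)
        if str(net.network_address) != name:
            findings.append("section name %s is not the network address of %s" % (name, net))
        gw = ipaddress.ip_address(sec["gateway"])
        if gw not in net:
            findings.append("gateway %s is outside %s" % (gw, net))
        if sec.get("dhcpd") == "enabled":
            start = ipaddress.ip_address(sec["dhcp_start"])
            end = ipaddress.ip_address(sec["dhcp_end"])
            if start not in net or end not in net:
                findings.append("DHCP range %s-%s leaves %s" % (start, end, net))
            elif start > end:
                findings.append("DHCP range start %s is after end %s" % (start, end))
            elif start <= gw <= end:
                # A pool that contains the server's own address will eventually lease it out.
                findings.append("DHCP range %s-%s includes the gateway %s" % (start, end, gw))
        ntype = sec.get("type", "")
        lease = int(sec.get("dhcp_default_lease_time", "0"))
        if ntype in SHORT_LEASE_TYPES:
            if sec.get("dns") != sec["gateway"]:
                findings.append("%s network must use PacketFence (%s) as DNS, not %s"
                                % (ntype, sec["gateway"], sec.get("dns")))
            if lease > 60:
                findings.append("lease %ss is long for a %s network; clients keep the old "
                                "address after a VLAN change" % (lease, ntype))
        elif ntype in INLINE_TYPES:
            if sec.get("nat_enabled") != "enabled":
                findings.append("inline network without NAT: upstream must route %s back "
                                "to PacketFence" % net)
            if lease < 300:
                findings.append("lease %ss is very short for an inline network" % lease)
        report[name] = findings
    return report


if __name__ == "__main__":
    for section, findings in lint_networks_conf(SAMPLE_NETWORKS_CONF).items():
        print(section, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Point it at `/usr/local/pf/conf/networks.conf` (`lint_networks_conf(open(path).read())`). On the posted file the two VLAN networks come back clean and the inline network gets one finding: its DHCP pool 10.1.0.10-10.1.3.246 contains the gateway 10.1.2.211.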


Re: [PacketFence-users] Make PF function as NAT/Firewall with Radius and VLAN enforcement

2019-02-18 Thread Fabrice Durand via PacketFence-users

Hello Tony,

On 2019-02-17 at 23:22, Tony W via PacketFence-users wrote:

Hi Fabrice,

Thank you for that.

So for PF, set 1 external interface (WAN) with Internet access (Inline)

No, a management one with internet access

Then set at least 1 internal interface (LAN) with VLAN's, say 10 for SSID,
11, 12, 13, 14 for the users to be allocated to once authenticated.

11,12,13,14 as inline


I do not need (Or want) Internet access on VLAN 10, only DHCP for the
client devices.

So 10 is a registration interface.

When the client device successfully authenticates, the client traffic
will go to the
selected/allocated VLAN (11, 12, 13 or ) and be given new IP
addresses by DHCP.

It's what an inline interface does.

It is no big deal regarding people being on the initial VLAN 10 as not
many will be there at any one time.
The registration interface on the vlan 10 will have short lease time, by 
default we set it to 30s.


Just a quick question specific to CentOS 7.6 and PF.

CentOS 7.x issues interface names like em1, em2, p2p1, p2p2 etc.,
instead of the old style eth0, eth1...

Will PF still work OK, if I change this to the old style (See link below)?

https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7

Yes it will work.


I feel more comfortable using the old interface naming convention and
the above procedure works well:-)


Regards

Fabrice








On Mon, 18 Feb 2019 at 12:09, Durand fabrice via PacketFence-users
 wrote:

Hello Tony,

you can set the vlan as inline in PacketFence.

What i would do in this case is the following:

- Create on PF all the VLANs as inline interfaces, for example eth1.10,
eth1.11, eth1.12 (the VLANs you return when authenticated)

- Set these VLAN IDs in the switch config (PacketFence side).

That's it.

The only issue you will have is when you unregister a device: it will
stay on the inline VLAN but hit the portal on the inline interface.

If the device reconnects it will go to the registration VLAN.

Regards

Fabrice



On 2019-02-17 at 19:35, Tony W via PacketFence-users wrote:

Hi there,

Trying to work out how to get PF to work as NAT/Firewall to the
internet whilst doing Radius and VLAN enforcement.

Is this possible? Reading the documentation, it appears that the
current version will work in hybrid mode
(A combination of both) but seems to be for "flat" networks on
switches that can not be managed.

I run a wireless network controller, where visitors connect to an SSID
(Assigned to a specific VLAN). This VLAN has no
Internet access.
Authentication is 802.1x. Once authenticated, visitor is directed to
one of a number of predetermined VLAN's by PF.
Each of the VLAN's shall have Internet access through the same PF box.
PF tells Ruckus to put the visitor in the
assigned VLAN. DHCP is used on the initial connection and each of the
VLAN's shall have their own DHCP scope.

I have done this before using FreeRadius with DaloRadius and a Ruckus
controller, configured manually on CentOS 7.3
with Firewall/NAT. That solution is lacking some of the nice extra
stuff integrated in PF.

Whilst not expecting someone to give me the whole solution, I am
looking for some pointers and confirmation that
PF is suitable for what I want to do.

Thanks in advance

Tony




--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





Re: [PacketFence-users] Make PF function as NAT/Firewall with Radius and VLAN enforcement

2019-02-18 Thread Tony W via PacketFence-users
Hi Fabrice,

Thank you for that.

So for PF, set 1 external interface (WAN) with Internet access (Inline)
Then set at least 1 internal interface (LAN) with VLAN's, say 10 for SSID,
11, 12, 13, 14 for the users to be allocated to once authenticated.

I do not need (Or want) Internet access on VLAN 10, only DHCP for the
client devices.
When the client device successfully authenticates, the client traffic
will go to the
selected/allocated VLAN (11, 12, 13 or ) and be given new IP
addresses by DHCP.

It is no big deal regarding people being on the initial VLAN 10 as not
many will be there at any one time.


Just a quick question specific to CentOS 7.6 and PF.

CentOS 7.x issues interface names like em1, em2, p2p1, p2p2 etc.,
instead of the old style eth0, eth1...

Will PF still work OK, if I change this to the old style (See link below)?

https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7

I feel more comfortable using the old interface naming convention and
the above procedure works well:-)







On Mon, 18 Feb 2019 at 12:09, Durand fabrice via PacketFence-users
 wrote:
>
> Hello Tony,
>
> you can set the vlan as inline in PacketFence.
>
> What i would do in this case is the following:
>
> - Create on PF all the VLANs as inline interfaces, for example eth1.10,
> eth1.11, eth1.12 (the VLANs you return when authenticated)
>
> - Set these VLAN IDs in the switch config (PacketFence side).
>
> That's it.
>
> The only issue you will have is when you unregister a device: it will
> stay on the inline VLAN but hit the portal on the inline interface.
>
> If the device reconnects it will go to the registration VLAN.
>
> Regards
>
> Fabrice
>
>
>
> On 2019-02-17 at 19:35, Tony W via PacketFence-users wrote:
> > Hi there,
> >
> > Trying to work out how to get PF to work as NAT/Firewall to the
> > internet whilst doing Radius and VLAN enforcement.
> >
> > Is this possible? Reading the documentation, it appears that the
> > current version will work in hybrid mode
> > (A combination of both) but seems to be for "flat" networks on
> > switches that can not be managed.
> >
> > I run a wireless network controller, where visitors connect to an SSID
> > (Assigned to a specific VLAN). This VLAN has no
> > Internet access.
> > Authentication is 802.1x. Once authenticated, visitor is directed to
> > one of a number of predetermined VLAN's by PF.
> > Each of the VLAN's shall have Internet access through the same PF box.
> > PF tells Ruckus to put the visitor in the
> > assigned VLAN. DHCP is used on the initial connection and each of the
> > VLAN's shall have their own DHCP scope.
> >
> > I have done this before using FreeRadius with DaloRadius and a Ruckus
> > controller, configured manually on CentOS 7.3
> > with Firewall/NAT. That solution is lacking some of the nice extra
> > stuff integrated in PF.
> >
> > Whilst not expecting someone to give me the whole solution, I am
> > looking for some pointers and confirmation that
> > PF is suitable for what I want to do.
> >
> > Thanks in advance
> >
> > Tony
> >
> >
> > ___
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


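The step Fabrice describes above (create the returned VLANs as inline sub-interfaces on PF, e.g. eth1.10, eth1.11, eth1.12) starts at the OS level on a CentOS 7 box like Tony's. The script below is an added example, not code from the thread or from the PacketFence project: it generates the ifcfg files for those VLAN sub-interfaces and sanity-checks them. The parent interface name, the VLAN IDs 10-12 and the 10.<vid>.0.1/24 addressing are assumptions chosen for illustration; adjust them to the VLANs actually returned by RADIUS. PacketFence itself still has to be told that each interface is inline (via the configurator or the admin interface), and it manages the NAT and firewall rules for inline interfaces on its own; these files only make the sub-interfaces exist at boot.

```shell
#!/bin/sh
# Added example: generate CentOS 7 ifcfg files for the inline VLAN
# sub-interfaces suggested in the thread (eth1.10, eth1.11, eth1.12).
# Addresses and VLAN IDs are assumed placeholders, not values from the list.

# write_vlan_ifcfg DIR PARENT VLANID IPADDR NETMASK
# Writes DIR/ifcfg-PARENT.VLANID with a static address and prints its path.
write_vlan_ifcfg() {
    dir=$1; parent=$2; vid=$3; ip=$4; mask=$5
    f="$dir/ifcfg-$parent.$vid"
    cat > "$f" <<EOF
DEVICE=$parent.$vid
VLAN=yes
BOOTPROTO=static
ONBOOT=yes
IPADDR=$ip
NETMASK=$mask
EOF
    printf '%s\n' "$f"
}

# gen_inline_vlans DIR PARENT
# One /24 per VLAN, with PF holding .1 as the gateway of that inline network
# (each VLAN gets its own DHCP scope, as asked in the original question).
gen_inline_vlans() {
    dir=$1; parent=$2
    for vid in 10 11 12; do
        write_vlan_ifcfg "$dir" "$parent" "$vid" "10.$vid.0.1" "255.255.255.0"
    done
}

# check_vlan_ifcfg FILE
# Succeeds only if the file is a tagged sub-interface (VLAN=yes and a
# DEVICE of the form parent.vid), which is what the kernel needs to
# create an 802.1Q interface at boot.
check_vlan_ifcfg() {
    grep -q '^VLAN=yes$' "$1" && grep -q '^DEVICE=[a-z0-9]*\.[0-9][0-9]*$' "$1"
}

# Stand-alone use: ./inline-vlans.sh /etc/sysconfig/network-scripts eth1
if [ "$#" -ge 1 ]; then
    gen_inline_vlans "$1" "${2:-eth1}"
fi
```

Run it against a scratch directory first and inspect the output before pointing it at /etc/sysconfig/network-scripts; once the sub-interfaces are up (`ip -d link show eth1.10` should report `vlan protocol 802.1Q id 10`), register them in PacketFence as inline interfaces so that PF installs its NAT rules for them.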


Re: [PacketFence-users] Guest authorization via SMS / hidden e-mail subject

2019-02-18 Thread Łukasz Wieczorek via PacketFence-users
Hello Fabrice,

Thank you.
I am trying to modify the script, I'm already very close.
Unfortunately, I'm not a programmer. I can't find the "phone number"
variable for this function. I do not know what it's called. Maybe
someone will help?

Lukasz

On Sat, 16 Feb 2019 at 22:04 Durand fabrice via PacketFence-users
 wrote:
>
> Hello Lukasz,
>
> check that:
>
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Authentication/Source/SMSSource.pm#L114
>
> Just need to change a few things.
>
> Regards
>
> Fabrice
>
>
> On 19-02-16 at 05:26, Łukasz Wieczorek via PacketFence-users wrote:
> > I am a new user of PacketFence and need help configuring guest
> > authorization via SMS.
> > My SMS service provider requires a special email format, where in the
> > subject field I need to send the user and password to my
> > provider.
> >
> > I need a mail format:
> >
> > ADDRESS: sms...@smsapi.pl
> > SUBJECT: login@
> > Message content: from=sender=phone
> > number=1=message content
> >
> > raport=1 is optional
> >
> > I only know how to add a new supplier to the database ...
> > INSERT INTO sms_carrier
> >   (id, name, email_pattern, created)
> > VALUES
> >   (100xxx, 'MyGateway', '%s@...', now());
> >
> > Thank you in advance for your help
> > Regards
> > Lukasz
> >
> >
>
>




Re: [PacketFence-users] Can't link PacketFence with AD Server.

2019-02-18 Thread Adrian Dessaigne via PacketFence-users
Hello Fabrice,

I was given a Cisco 2960 to bypass my issue. PacketFence is now set up and works
as intended. It works very well.
However, if I use a switch which is not listed in the switch types of
PacketFence, will it work just for 802.1X? I have read that coding a new Perl
module was required to add an unknown switch.

Regards

Adrian.


From: "packetfence-users"
To: "packetfence-users"
Cc: "Durand fabrice"
Sent: Thursday 14 February 2019 03:13:47
Subject: Re: [PacketFence-users] Can't link PacketFence with AD Server.



Hello Adrian,

I will check tomorrow the patch I gave you to be sure that it applies correctly.

Regards

Fabrice


On 19-02-11 at 11:04, Adrian Dessaigne via PacketFence-users wrote:



My bad, there is a difference,

Here is the debug on pastebin:

Line 1749 tells the reason he got refused:
:Module-Failure-Message := "Failed retrieving values required to
evaluate condition"

Regards

Adrian

----- Original Message -----
From: "packetfence-users" <packetfence-users@lists.sourceforge.net>
To: "packetfence-users" <packetfence-users@lists.sourceforge.net>
Cc: "Durand fabrice" <fdur...@inverse.ca>
Sent: Saturday 9 February 2019 02:17:51
Subject: Re: [PacketFence-users] Can't link PacketFence with AD Server.

Hello Adrian,

I did the patch based on the devel branch.

Here is a new one based on PacketFence 8.3.

Regards

Fabrice





