Re: [PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-05-17 Thread Fabrice Durand via PacketFence-users

Hello Cristian,

first you need to fix your authentication source apra-user-auth-dc01 and 
add an authentication rule that returns a role and an access duration 
(use: /usr/local/pf/bin/pftest authentication c.mammoli bob 
apra-user-auth-dc01).


After that you should be able to see a role associated with your device 
and probably something better in the RADIUS audit log, and we will see 
about the next steps.


Regards

Fabrice


On 19-05-17 at 12:37, Cristian Mammoli via PacketFence-users wrote:

Cisco ASA VPN Configuration in 9.0

Hi, I'm trying to configure our ASA for VPN authentication, but the 
docs are a little bit vague, considering this is a new concept.


Steps I did:

* Added the ASA in the switch group, configured the PSK, etc.
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=address>

* I used an existing authentication source with LDAP role assignment
* Configured the Packetfence Radius server in the ASA and the vpn as 
in the example provided


Now what?

I can connect via VPN and surf the Internet.
In the audit log I see my authentication:

Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "**"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"

RADIUS Reply

But the reply is empty

In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC from Called-Station-Id: 89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection (pf::LDAP::expire_if)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] [apra-machine-auth-dc01] No entries found (0) with filter (servicePrincipalName=c.mammoli) from dc=apra,dc=it on 192.168.0.76:389 (pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection (pf::LDAP::expire_if)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] [apra-user-auth-dc01] Authentication successful for c.mammoli (pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Authentication successful for c.mammoli in source apra-user-auth-dc01 (AD) (pf::authentication::authenticate)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 783.
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 786. (pf::Switch::getRoleByName)

It looks like the connection profile isn't even matched, and all 
authentication sources are tried even if I only specified one.


BTW, what is the redirect ACL in the docs used for?? It is not applied 
anywhere and I can't see it in the ASA.pm code.


The docs say: "You can force VPN users to authenticate first on the 
captive portal and based on the role of the device allow it and/or set 
dynamic ACL."
Is the portal authentication a requirement? I would like to 
authenticate users and assign a dynamic ACL without external portal 
authentication.


Thanks

C.





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



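Fabrice's diagnosis (the user authenticates, but no rule returns a role, so PacketFence has nothing to put in the Access-Accept) can be checked mechanically against the audit-log request and the httpd.aaa lines Cristian posted. The following Python is an added example written for this page, not PacketFence code: it parses the quoted RADIUS attributes and log lines (embedded below as constructed samples, joined back onto single lines) and reports, per endpoint MAC, whether a successful authentication was followed by the uninitialized $roleName warning. The regular expressions and the finding labels are my own assumptions about the log format, not PacketFence's parser.

```python
import re

# Constructed sample: the RADIUS request attributes from the audit-log entry
# quoted in the thread (the password was already masked there).
RADIUS_REQUEST = """\
User-Name = "c.mammoli"
User-Password = "**"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
"""

# Constructed sample: the httpd.aaa lines quoted in the thread, one entry per line.
PF_LOG = """\
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC from Called-Station-Id: 89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] [apra-machine-auth-dc01] No entries found (0) with filter (servicePrincipalName=c.mammoli) from dc=apra,dc=it on 192.168.0.76:389 (pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Authentication successful for c.mammoli in source apra-user-auth-dc01 (AD) (pf::authentication::authenticate)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 783.
"""

# Assumed layouts (my own regexes for the quoted text, not PacketFence's parser).
ATTR_RE = re.compile(r'^\s*([\w:-]+)\s*=\s*"?([^"]*)"?\s*$')
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)
LOG_RE = re.compile(r"^(?P<proc>\S+)\s+(?P<level>\w+):\s+\[mac:(?P<mac>[0-9a-f:]{17})\]\s+(?P<msg>.*)$")


def parse_radius_request(text):
    """Return {attribute: [values]}; repeated attributes such as Cisco-AVPair keep every value."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def classify_request(attrs):
    """Facts about the NAS that decide how PacketFence can identify the session and act on it later."""
    findings = []
    called = attrs.get("Called-Station-Id", [""])[0]
    if not MAC_RE.match(called):
        # A VPN concentrator has no AP or switch-port MAC to send, so this is expected here.
        findings.append("called_station_id_not_mac")
    if attrs.get("NAS-Port-Type") == ["Virtual"]:
        findings.append("virtual_port")
    avpairs = dict(p.split("=", 1) for p in attrs.get("Cisco-AVPair", []) if "=" in p)
    if avpairs.get("coa-push") == "true":
        findings.append("coa_supported")
    return findings


def triage_log(text):
    """Per endpoint MAC: which source authenticated it, which LDAP sources missed, whether a role was resolved."""
    state = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = state.setdefault(m.group("mac"), {"auth_source": None, "role_missing": False, "ldap_misses": []})
        msg = m.group("msg")
        hit = re.search(r"Authentication successful for \S+ in source (\S+)", msg)
        if hit:
            s["auth_source"] = hit.group(1)
        miss = re.search(r"\[(\S+)\] No entries found", msg)
        if miss:
            s["ldap_misses"].append(miss.group(1))
        if "uninitialized value $roleName" in msg:
            s["role_missing"] = True
    verdicts = {}
    for mac, s in state.items():
        if s["auth_source"] and s["role_missing"]:
            verdicts[mac] = f"source {s['auth_source']} authenticated the user but no rule returned a role"
        elif s["auth_source"]:
            verdicts[mac] = "ok"
        else:
            verdicts[mac] = "no successful authentication"
    return state, verdicts


if __name__ == "__main__":
    attrs = parse_radius_request(RADIUS_REQUEST)
    print(classify_request(attrs))
    for mac, verdict in triage_log(PF_LOG)[1].items():
        print(mac, verdict)
```

Run against the quoted samples, `classify_request` reports that the Called-Station-Id is not a MAC (normal for a VPN NAS, which is why the "Unable to extract MAC" line is informational) and that the ASA advertises CoA support, while `triage_log` pairs the successful authentication in apra-user-auth-dc01 with the missing role, which is the condition Fabrice's rule fix addresses.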


[PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-05-17 Thread Cristian Mammoli via PacketFence-users

Cisco ASA VPN Configuration in 9.0

Hi, I'm trying to configure our ASA for VPN authentication, but the docs 
are a little bit vague, considering this is a new concept.


Steps I did:

* Added the ASA in the switch group, configured the PSK, etc.
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=address>

* I used an existing authentication source with LDAP role assignment
* Configured the Packetfence Radius server in the ASA and the vpn as in 
the example provided


Now what?

I can connect via VPN and surf the Internet.
In the audit log I see my authentication:

Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "**"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"

RADIUS Reply

But the reply is empty

In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC from Called-Station-Id: 89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection (pf::LDAP::expire_if)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] [apra-machine-auth-dc01] No entries found (0) with filter (servicePrincipalName=c.mammoli) from dc=apra,dc=it on 192.168.0.76:389 (pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection (pf::LDAP::expire_if)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] [apra-user-auth-dc01] Authentication successful for c.mammoli (pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Authentication successful for c.mammoli in source apra-user-auth-dc01 (AD) (pf::authentication::authenticate)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 783.
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 786. (pf::Switch::getRoleByName)

It looks like the connection profile isn't even matched, and all 
authentication sources are tried even if I only specified one.


BTW, what is the redirect ACL in the docs used for?? It is not applied 
anywhere and I can't see it in the ASA.pm code.


The docs say: "You can force VPN users to authenticate first on the 
captive portal and based on the role of the device allow it and/or set 
dynamic ACL."
Is the portal authentication a requirement? I would like to authenticate 
users and assign a dynamic ACL without external portal authentication.


Thanks

C.







Re: [PacketFence-users] change packetfence Enforcement Modes

2019-05-17 Thread Domingos Varela via PacketFence-users
Hi,

The client was not redirected to the portal because the 'External Portal
Enforcement' function was not active on the switch; after activating it,
it started working!
I had the help of a pf channel user on IRC.
Thank you very much for your support.
Best regards

Regards,

*Domingos Varela*
Tel. +244 923 229 330 | Luanda - Angola


Stuart Gendron wrote on Thursday, 16/05/2019 at 18:00:

> How are your network interfaces setup?
>
> You should have a MGMT interface (what you actually connect to) then
> another interface for registration/portal.
>
> I don't believe there's a way to change it after you've already started
> setting up, but setting up an interface with the registration/portal type
> will do the same thing.
>
>
>
> On Thu, May 16, 2019 at 12:36 PM Domingos Varela via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi,
>>>
>>> How can I change PacketFence Enforcement Modes?
>>>
>>> I am configuring pf with a Cisco WLC for web authentication: the client
>>> connects to the network and I receive the IP, but it is not redirected to the
>>> portal. I did several searches on Google and the suggestion I found was to
>>> change the mode to webauth.
>>>
>>> Thanks
>>>
>>>
>>> Regards,
>>>
>>> *Domingos Varela*
>>> Tel. +244 923 229 330 | Luanda - Angola
>>>
>
>
> --
>
> *Stuart Gendron*
> IT Support Specialist
>
> *You.i Labs*
> 307 Legget Drive, Kanata, ON, K2K 3C8
> 
> t (613) 228-9107 x258 | c (613) 697-6853
>


Re: [PacketFence-users] Captive Portal-Computer not found in database

2019-05-17 Thread Louis Scaringella via PacketFence-users
I can tell you that I removed the section of code in the Aruba.pm file for the 
sessid and now the CoA went through fine. I am running 6.4 Aruba code on a 7010 
controller. I found that post with another person having the same exact problem.

Happy to provide any help with this or validation on the Aruba side.

Thank you,

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks
785-342-7903

> On May 16, 2019, at 9:17 PM, Durand fabrice  wrote:
>
> Yes, that's why we created an Aruba Instant Access module, because it has been 
> reported only on this kind of equipment.
>
> Btw on an Aruba controller I never noticed this issue.
>
>> On 19-05-16 at 21:46, Louis Scaringella wrote:
>> Thanks! Do you happen to know about the CoA problem with the main Aruba 
>> switch module and the sessid causing an issue?
>>
>> Thank you,
>>
>> Louis Scaringella
>> Security Systems Engineer
>> Yellow Dog Networks
>> 785-342-7903
>>
>>> On May 16, 2019, at 8:11 PM, Durand fabrice via PacketFence-users 
>>>  wrote:
>>>
>>> Hello Louis,
>>>
>>> I fixed the issue with the Aruba Instant Access; you just need to run 
>>> /usr/local/pf/addons/pf-main.pl, restart PacketFence and use the Aruba 
>>> Instant Access module.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>> On 19-05-16 at 02:30, Louis Scaringella via PacketFence-users wrote:
>>>> Found my answer finally from an old post in the mailing list:
>>>>
>>>>
>>>> [PacketFence-users] reply:Unable to disconnect a device during initial 
>>>> logon
>>>> From: <1136723602@qq...> - 2017-10-15 07:09:14
>>>> Attachments: 2dfff...@6737594b.8f09e359.jpg Message as HTML
>>>> Hi all,
>>>>
>>>> Since we've solved our problem by ourselves, here I post it in case 
>>>> someone else meets the same issue.
>>>>
>>>>
>>>> For question 1, for the "Unable to perform RADIUS Disconnect-Request. 
>>>> Disconnect-NAK received with Error-Cause: Session-Context-Not-Found" 
>>>> issue, as we are sure our issue was caused by the wrong acct-session-id pf 
>>>> got when sending the radius-disconnect request, we modified 
>>>> /usr/local/pf/lib/pf/Switch/Aruba.pm, commented out line 491 to exclude the 
>>>> acct-session-id from the radius disconnect request when disconnecting a 
>>>> device, and it works well now.
>>>>
>>>>
>>>> That was it. The Aruba controller expects no sessid in its CoA request, so 
>>>> this was what I had pointed out earlier, but modifying the Perl module for 
>>>> "Aruba Networks" or Aruba.pm fixes the issue.
>>>>
>>>> Is there any way this might be fixed in future versions? Also, I'm still 
>>>> noticing the error in the Aruba Instant module when the CoA is performed. 
>>>> The module itself errors out according to the packetfence.log.
>>>>
>>>> Louis Scaringella
>>>> Security Systems Engineer
>>>> Yellow Dog Networks, Inc
>>>> 785-342-7903






> On May 15, 2019, at 11:55 PM, Louis Scaringella 
>  wrote:
>
> Here is a document from Aruba explaining the reason or this:
>
> https://community.arubanetworks.com/t5/Controller-Based-WLANs/Possible-reasons-for-controller-sending-a-Disconnect-NAK/ta-p/272242
>
> "Jun 20 17:49:56 :520001:   |authmgr|  [rc_rfc3576.c:683] 
> IP:0.0.0.0, Name:d0:25:98:b3:5b:6b sessid=<>, sta_id=d0:25:98:b3:5b:6b, 
> reqcode=40, rspcode=42,  nack=1, error_cause=missing session"
>
> • Further debugging this on the Controller and Server end, it was found 
> the format in the 'calling-station-id' attribute was incorrect.
> • 'Calling-station-id' in the radius packet sent from the Controller was 
> of the format 'd02598b35b6b', whereas 'Calling-station-id' from Server 
> in "Disconnect-Req" was in format 'd0:25:98:b3:5b:6b'."
>
> This is exactly what I am seeing and why the CoA is failing. This would 
> need to be adjusted in the .pm files I suppose, but I am not well versed 
> enough in Perl to do this myself. Is there any way we can create a module 
> specifically for Aruba 6.5+ that would work with Instant and Controllers?
>
> Louis Scaringella
> Security Systems Engineer
> Yellow Dog Networks, Inc
> 785-342-7903
>
>
>
>
>
>
>> On May 15, 2019, at 6:19 PM, Louis Scaringella via PacketFence-users 
>>  wrote:
>>
>> That makes sense as to why PacketFence wouldn’t be seeing it. I don’t 
>> have that issue in my lab just yet because everything is on one VLAN and 
>> subnet so the actual user request is in the same VLAN as Packetfence so 
>> PacketFence sees the MAC of the user each time it tries to connect.
>>
>> In a prod environment like yours, I can definitely see this being an 
>> issue. I wonder what Windows 10 is doing when the computer comes back to 
>> the network if the lease is still valid. It should still be sending 
>> something to DHCP to make sure the lease is still valid no? I think only 
>> if the machine reboots or is woken from sleep would this happen, but 
>> behavior could vary
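The Disconnect-NAK traced through this thread has two causes in the quoted material: a sessid (Acct-Session-Id) in the Disconnect-Request that the controller does not recognise, and a Calling-Station-Id spelled differently from the one the controller itself sent ('d02598b35b6b' versus 'd0:25:98:b3:5b:6b'). The following Python is an added example written for this page, not PacketFence or Aruba code: it normalises MAC spellings, re-emits a MAC in whatever format the NAS used, and checks a planned Disconnect-Request against the attributes recorded from the NAS's Access-Request before anything is sent. The attribute dictionaries, the `mac_in_format` helper and the problem labels are my own constructions; the two sample Calling-Station-Id values are taken from the controller log quoted above.

```python
import re

# Constructed from the controller log quoted in the thread: the spelling the
# controller used in its Access-Request and the one the server sent back in
# its Disconnect-Request.
NAS_CALLING_STATION_ID = "d02598b35b6b"
SERVER_CALLING_STATION_ID = "d0:25:98:b3:5b:6b"


def mac_canonical(value):
    """Reduce any common MAC spelling to 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value or "").lower()
    return digits if len(digits) == 12 else None


def mac_in_format(value, template):
    """Re-spell `value` with the separator, grouping and case that `template` uses.

    The template is meant to be the Calling-Station-Id the NAS itself sent,
    so the Disconnect-Request carries the exact string the NAS will look up.
    """
    digits = mac_canonical(value)
    if digits is None:
        return None
    seps = [c for c in template if not c.isalnum()]
    if not seps:                      # bare 12-digit form, e.g. 'd02598b35b6b'
        out = digits
    else:
        sep = seps[0]
        group = len(template.split(sep)[0])
        out = sep.join(digits[i:i + group] for i in range(0, 12, group))
    return out.upper() if template.isupper() else out


def check_disconnect_request(access_request, disconnect_request):
    """Flag the two mismatches the thread traces Session-Context-Not-Found to.

    Both arguments are plain {attribute: value} dicts (a constructed shape,
    not the wire format). Returns a list of problem labels; an empty list
    means the Disconnect-Request names the session the way the NAS recorded it.
    """
    problems = []
    nas_csid = access_request.get("Calling-Station-Id", "")
    srv_csid = disconnect_request.get("Calling-Station-Id", "")
    if mac_canonical(srv_csid) != mac_canonical(nas_csid):
        problems.append("calling_station_id_wrong_client")
    elif srv_csid != nas_csid:
        problems.append("calling_station_id_format_differs")
    if "Acct-Session-Id" in disconnect_request and \
            disconnect_request["Acct-Session-Id"] != access_request.get("Acct-Session-Id"):
        problems.append("acct_session_id_not_the_nas_value")
    return problems


def fix_disconnect_request(access_request, disconnect_request, drop_session_id=True):
    """Return a copy of the Disconnect-Request with the mismatches above repaired.

    drop_session_id=True mirrors the workaround quoted in the thread (send no
    acct-session-id at all); with False the NAS's own value is substituted.
    """
    fixed = dict(disconnect_request)
    nas_csid = access_request.get("Calling-Station-Id")
    if nas_csid and mac_canonical(fixed.get("Calling-Station-Id")) == mac_canonical(nas_csid):
        fixed["Calling-Station-Id"] = mac_in_format(fixed["Calling-Station-Id"], nas_csid)
    if drop_session_id:
        fixed.pop("Acct-Session-Id", None)
    elif "Acct-Session-Id" in access_request:
        fixed["Acct-Session-Id"] = access_request["Acct-Session-Id"]
    return fixed


if __name__ == "__main__":
    # Constructed session values; the Acct-Session-Id strings are placeholders.
    access = {"Calling-Station-Id": NAS_CALLING_STATION_ID, "Acct-Session-Id": "A1B2C3"}
    disconnect = {"Calling-Station-Id": SERVER_CALLING_STATION_ID, "Acct-Session-Id": "deadbeef"}
    print(check_disconnect_request(access, disconnect))
    print(fix_disconnect_request(access, disconnect))
```

The check distinguishes a format difference (same client, different spelling, which is the controller case quoted above) from a genuinely different client, so a bad match is never "repaired" into a request against another station; the session-id handling is kept separate because the thread's workaround was to omit that attribute rather than to correct it.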