Re: [PacketFence-users] Node Manager Lockdown

2019-06-12 Thread Fabrice Durand via PacketFence-users

Hello Stuart,

we are still working on it: https://github.com/inverse-inc/packetfence/pull/4558

Regards

Fabrice


On 19-06-12 at 12:10, Stuart Gendron via PacketFence-users wrote:
Playing around with the Node Manager Admin Role to try and lock things 
down so the user can only change nodes to specific roles.


Here's an excerpt from the adminroles.conf file:

[VPN Node Manager]
actions=NODES_READ,NODES_UPDATE,SECURITY_EVENTS_READ,SWITCHES_READ,DHCP_OPTION_82_READ
allowed_roles=Youi_US01,Youi_SA01,Youi_SA02
allowed_node_roles=Youi_US01,Youi_SA01,Youi_SA02
description=Allows you to manage only VPN nodes
allowed_access_levels=
allowed_actions=*

So, attempting this, I get an error when trying to change roles, saying that I 
don't have NODES_CREATE and NODES_DELETE.


Adding those 2 actions in I can then change roles, but I can change 
them to ones not listed in the allowed_node_roles (like Default and 
Guest).


Any help would be greatly appreciated!

--

*Stuart Gendron*
IT Support Specialist

*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8 


t (613) 228-9107 x258 | c (613) 697-6853



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

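The restriction Stuart is after (an operator who may only move nodes between a fixed set of roles) is, at bottom, an authorization check on both the current and the requested node role. The block below is an added example, not PacketFence code: it parses the adminroles.conf excerpt from the thread with Python's configparser and models the check the poster expected. The semantics of `can_change_node_role` (NODES_UPDATE required, both roles must be listed, a missing `allowed_node_roles` key means unrestricted) and the second section "Unrestricted Node Manager" are assumptions made for illustration.

```python
"""Added example (not PacketFence code): parse an adminroles.conf excerpt and
model the node-role restriction the thread describes. The enforcement rule and
its fallbacks are assumptions for illustration, not PacketFence's own logic."""
import configparser

# Constructed sample: the excerpt from the thread plus a second, unrestricted
# section for contrast (the second section is constructed, not from the post).
ADMINROLES_CONF = """
[VPN Node Manager]
actions=NODES_READ,NODES_UPDATE,SECURITY_EVENTS_READ,SWITCHES_READ,DHCP_OPTION_82_READ
allowed_roles=Youi_US01,Youi_SA01,Youi_SA02
allowed_node_roles=Youi_US01,Youi_SA01,Youi_SA02
description=Allows you to manage only VPN nodes
allowed_access_levels=
allowed_actions=*

[Unrestricted Node Manager]
actions=NODES_READ,NODES_UPDATE,NODES_CREATE,NODES_DELETE
"""


def _split_list(value):
    """Split a comma-separated config value; an empty value yields an empty list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def load_admin_roles(text):
    """Parse adminroles.conf-style INI text into {role_name: {key: value}}.
    Assumption: a section without allowed_node_roles is unrestricted ('*')."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        raw_node_roles = cp.get(section, "allowed_node_roles", fallback=None)
        roles[section] = {
            "actions": _split_list(cp.get(section, "actions", fallback="")),
            "allowed_node_roles": "*" if raw_node_roles is None else _split_list(raw_node_roles),
        }
    return roles


def can_change_node_role(admin_roles, admin_role, current_role, new_role):
    """Return (allowed, reason). Least-privilege rule assumed for this example:
    the admin needs NODES_UPDATE, and BOTH the node's current role and the
    requested role must be in allowed_node_roles, so a restricted operator can
    neither take over nodes from other roles nor push nodes into e.g. 'default'."""
    spec = admin_roles.get(admin_role)
    if spec is None:
        return False, "unknown admin role"
    if "NODES_UPDATE" not in spec["actions"]:
        return False, "missing NODES_UPDATE"
    allowed = spec["allowed_node_roles"]
    if allowed == "*":
        return True, "unrestricted"
    for role in (current_role, new_role):
        if role not in allowed:
            return False, f"role {role!r} not in allowed_node_roles"
    return True, "ok"


if __name__ == "__main__":
    roles = load_admin_roles(ADMINROLES_CONF)
    print(can_change_node_role(roles, "VPN Node Manager", "Youi_US01", "Youi_SA01"))
    print(can_change_node_role(roles, "VPN Node Manager", "Youi_US01", "default"))
```

Checking the current role as well as the target role is the part that matters for lockdown: without it, an operator restricted to the VPN roles could still pull any node on the network into one of those roles.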


Re: [PacketFence-users] Device not terminated after email registration failed.

2019-06-12 Thread Fabrice Durand via PacketFence-users

Hello Scott,

I will need to see the content of packetfence.log to see what happens.

Regards

Fabrice


On 19-06-12 at 12:59, Lu, Scott via PacketFence-users wrote:

Hi,

I have configured PF9 captive-portal for Guest registration and send 
email for "Network access activation",


1. Guest clicks "Activate Access", then network access is good.
2. Guest does not click "Activate Access", then network access is good too.
3. If the guest sends email to "a...@xyz.com , a@b.c, 
any fake/made-up email account", the guest still has network access too.
No termination at all after failing to register. Could you help me on 
this issue?


We are using Ruckus Smartzone with version 3.6.2.0.78 & PacketFence 9.0.1

Much appreciated!

Scott Lu






Re: [PacketFence-users] Is RADIUS account from packet fence deployed inline possible?

2019-06-12 Thread Fabrice Durand via PacketFence-users

Hello Steve,

it's already supposed to send the IP address of the device in the RADIUS 
accounting packet:


https://github.com/inverse-inc/packetfence/blob/devel/go/firewallsso/checkpoint.go#L45

Regards

Fabrice


On 19-06-12 at 05:06, AOL wrote:

Thanks Fabrice.

that started the RADIUS accounting working. I can see the accounting packets in 
Wireshark (although they are a little sporadic). Our solution needs to see the 
client IP within the payload to accept the packet. In Wireshark I can see the 
domain/realm, username and what looks like a MAC address within the packet but 
not the IP. Is there a $ variable I can include in the RADIUS accounting 
options to include the IP?

Thanks,

Steve


On 11 Jun 2019, at 02:16, Durand fabrice via PacketFence-users 
 wrote:

Hello Steve,

it looks like it's the firewall SSO you are looking for.

Try to configure the Checkpoint firewall SSO in PacketFence; it sends RADIUS 
accounting packets.

Regards

Fabrice


On 19-06-10 at 16:44, AOL via PacketFence-users wrote:

Hi,

I’ve been trying to get a PacketFence server to send RADIUS accounting 
information to another server. The PF is deployed inline. The aim is to pass 
the user source IP address within the RADIUS accounting info, so it can be used 
for user tracking on a web proxy. Does anyone know if this is possible?

The configuration pages seem to suggest it’s possible to send accounting to 
another server, but I found an email buried in a pf email archive saying that 
PF only receives RADIUS accounting.

Thanks,

Steve

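Steve's downstream system accepts an accounting packet only if the client IP is in the payload; in RADIUS accounting (RFC 2866) that is the Framed-IP-Address attribute (type 8), which is what the checkpoint.go link above refers to. The block below is an added example, not PacketFence or Check Point code: it builds an Accounting-Request carrying User-Name, Framed-IP-Address, Calling-Station-Id and Acct-Status-Type, computes the request authenticator the way RFC 2866 section 3 specifies, and parses a packet back to check that the IP attribute is present and the authenticator is valid. The shared secret, identifier, username and addresses are constructed sample values.

```python
"""Added example (not PacketFence code): build and parse a RADIUS
Accounting-Request (RFC 2866) that carries the client IP in Framed-IP-Address.
Secret, identifier and sample values are constructed for this example."""
import hashlib
import socket
import struct

ACCOUNTING_REQUEST = 4
# Standard attribute types from RFC 2865 / RFC 2866.
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_START = 1


def _avp(attr_type, value):
    """Encode one attribute-value pair: Type(1) Length(1) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_start(secret, identifier, username, client_ip, client_mac):
    """Return the raw bytes of an Accounting-Request (Acct-Status-Type = Start)."""
    attrs = (
        _avp(USER_NAME, username.encode())
        + _avp(FRAMED_IP_ADDRESS, socket.inet_aton(client_ip))
        + _avp(CALLING_STATION_ID, client_mac.encode())
        + _avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator =
    #   MD5(Code + ID + Length + 16 zero octets + request attributes + shared secret)
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_packet(data):
    """Decode the header and the attribute list; raises ValueError on malformed input."""
    if len(data) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", data[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier,
            "authenticator": data[4:20], "attrs": attrs}


def verify_accounting_authenticator(data, secret):
    """Recompute the request authenticator; a receiver drops packets that mismatch."""
    expected = hashlib.md5(data[:4] + b"\x00" * 16 + data[20:] + secret).digest()
    return parse_packet(data)["authenticator"] == expected


def framed_ip(data):
    """Return the Framed-IP-Address as dotted text, or None if the packet lacks it."""
    for attr_type, value in parse_packet(data)["attrs"]:
        if attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            return socket.inet_ntoa(value)
    return None


if __name__ == "__main__":
    pkt = build_accounting_start(b"example-secret", 7, "EXAMPLE\\jdoe",
                                 "10.0.0.42", "12:12:12:12:12:12")
    print(len(pkt), "bytes; Framed-IP-Address =", framed_ip(pkt),
          "; authenticator ok =", verify_accounting_authenticator(pkt, b"example-secret"))
```

When a receiver rejects packets, the two things to confirm in a capture are exactly what `framed_ip` and `verify_accounting_authenticator` check: that attribute 8 is present at all, and that both ends share the same secret (a wrong secret produces a packet that parses fine but fails the authenticator check).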


[PacketFence-users] Device not terminated after email registration failed.

2019-06-12 Thread Lu, Scott via PacketFence-users
Hi,

I have configured PF9 captive-portal for Guest registration and send email
for "Network access activation",

1. Guest clicks "Activate Access", then network access is good.
2. Guest does not click "Activate Access", then network access is good too.
3. If the guest sends email to "a...@xyz.com, a@b.c, any fake/made-up email
account", the guest still has network access too.
No termination at all after failing to register. Could you help me on this
issue?

We are using Ruckus Smartzone with version 3.6.2.0.78 & PacketFence 9.0.1

Much appreciated!

Scott Lu


[PacketFence-users] Authentication Source - Weird Behaviour

2019-06-12 Thread Stuart Gendron via PacketFence-users
Hey all,

Was troubleshooting an issue as I couldn't authenticate a test user
account that was previously working without issue.

Was using the pftest tool to test authentication and kept getting
'Authentication failed' or 'Did not match'.

Finally what did it was setting up the Authentication Source like so:

[image: Screen Shot 2019-06-12 at 9.42.59 AM.png]

I had to add sAMAccountName a second time under Username Attribute. This
then allowed me to authenticate successfully.

Was just wondering if this is on purpose, or something else is going on?

-- 

*Stuart Gendron*
IT Support Specialist

*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8

t (613) 228-9107 x258 | c (613) 697-6853


Re: [PacketFence-users] Per AP VLAN assignment

2019-06-12 Thread Enrico Pasqualotto via PacketFence-users
On 20/05/19 13:22, Nicolas Quiniou-Briand via PacketFence-users wrote:

Hello Enrico,

On 2019-05-20 10:29 a.m., Enrico Pasqualotto via PacketFence-users wrote:


Has anyone already done something like this? Can I make a custom VLAN
assignment to match that value (Called-Station-ID)?



Yes, you can use VLAN filters, see [0]. You will find some examples in
/usr/local/pf/conf/vlan_filters.conf.example.

[0]
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_vlan_filter_definition


Hello, I'm trying to set up the configuration these days.

I saw that with my Cisco Mobility Express WLC I already have the AP MAC in the 
request (switch_mac) without checking the RADIUS attribute:

handling radius autz request: from switch_ip => (10.X.X.X), connection_type => 
Wireless-802.11-EAP,switch_mac => (2c:3e:cf:1d:92:d0), mac => 
[12:12:12:12:12:12], port => 1, username => "domain\username", ssid => MySSID 
(pf::radius::authorize)

In VLAN_Filter I can use switch._switchMac in a condition, but how do I integrate 
it with my configuration, where during authentication I assign a custom VLAN based 
on AD group?

For example in authentication.conf I have:

[_Auth_PF_Guest rule PF-GUEST]
action0=set_role=XXX-GUEST
condition0=memberOf,matches regexp,PF-Guest
condition1=SSID,equals,XXX
match=all
class=authentication
action1=set_access_duration=12h

(so I assign role XXX-GUEST if the user is in the PF-Guest AD group)

My GOAL is to have a config like:

If a user in group PF-GUEST authenticates to WiFi on AP X, set role XXX-GUEST

If a user in group PF-GUEST authenticates to WiFi on AP Y, set role YYY-GUEST

Is this possible? I need this because some APs are at another site but connected 
to the same WiFi controller (so for PacketFence it is the same "switch" but sending 
a different switch_mac).

I hope I was clear.

Thanks
--

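Enrico's question combines two inputs that are already in the authorize request: the AD group from the authentication source (the `memberOf` condition in his authentication.conf rule) and the AP identity that arrives as `switch_mac`. The block below is an added example, not PacketFence code: it parses the `handling radius autz request` log line quoted above into its fields and applies the per-AP decision he describes (same group, different role depending on which AP the client associated to). The AP-to-role table, the second AP MAC and the `assign_role` function are constructed for illustration; PacketFence's own vlan_filters.conf syntax is not reproduced here.

```python
"""Added example (not PacketFence code): parse the pf::radius::authorize log
line quoted in the thread and apply a per-AP role decision on top of the AD
group check. The role table and decision function are constructed."""
import re

# Constructed sample: the log line from the thread (switch_ip redacted as in the post).
LOG_LINE = (
    'handling radius autz request: from switch_ip => (10.X.X.X), connection_type => '
    'Wireless-802.11-EAP,switch_mac => (2c:3e:cf:1d:92:d0), mac => [12:12:12:12:12:12], '
    'port => 1, username => "domain\\username", ssid => MySSID (pf::radius::authorize)'
)

# key => value, where the value is (...), [...], "..." or a bare token.
_FIELD_RE = re.compile(r'(\w+) => (\([^)]*\)|\[[^\]]*\]|"[^"]*"|[^,\s]+)')


def parse_authorize_line(line):
    """Return {field: value} with the surrounding (), [] or "" stripped."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw[0] in '(["':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


# Constructed: AP MAC (as seen in switch_mac) -> {AD group -> role}.
AP_ROLE_MAP = {
    "2c:3e:cf:1d:92:d0": {"PF-Guest": "XXX-GUEST"},  # AP X: MAC from the thread's log line
    "2c:3e:cf:00:00:02": {"PF-Guest": "YYY-GUEST"},  # AP Y at the other site (constructed MAC)
}


def assign_role(request, member_of, ap_role_map, required_ssid="MySSID"):
    """Mirror the authentication.conf rule (memberOf matches group AND SSID equals)
    but pick the role from the table for the AP the client associated to.
    Returns None when nothing matches so the caller falls through to its default;
    an unknown AP therefore never receives a guest role by accident."""
    if request.get("ssid") != required_ssid:
        return None
    groups = set(member_of)
    for group, role in ap_role_map.get(request.get("switch_mac"), {}).items():
        if group in groups:
            return role
    return None


if __name__ == "__main__":
    req = parse_authorize_line(LOG_LINE)
    print(req)
    print(assign_role(req, ["Domain Users", "PF-Guest"], AP_ROLE_MAP))
```

The fail-closed return of `None` for an AP that is not in the table is the design choice worth keeping whatever the real filter syntax ends up being: a new AP joining the controller should land in the default handling, not silently inherit one site's guest role.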


Re: [PacketFence-users] Is RADIUS account from packet fence deployed inline possible?

2019-06-12 Thread AOL via PacketFence-users
Thanks Fabrice.

that started the RADIUS accounting working. I can see the accounting packets in 
Wireshark (although they are a little sporadic). Our solution needs to see the 
client IP within the payload to accept the packet. In Wireshark I can see the 
domain/realm, username and what looks like a MAC address within the packet but 
not the IP. Is there a $ variable I can include in the RADIUS accounting 
options to include the IP?

Thanks,

Steve

> On 11 Jun 2019, at 02:16, Durand fabrice via PacketFence-users 
>  wrote:
> 
> Hello Steve,
> 
> it looks like it's the firewall SSO you are looking for.
> 
> Try to configure the Checkpoint firewall SSO in PacketFence; it sends RADIUS 
> accounting packets.
> 
> Regards
> 
> Fabrice
> 
> 
> On 19-06-10 at 16:44, AOL via PacketFence-users wrote:
>> Hi,
>> 
>> I’ve been trying to get a PacketFence server to send RADIUS accounting 
>> information to another server. The PF is deployed inline. The aim is to pass 
>> the user source IP address within the RADIUS accounting info, so it can be 
>> used for user tracking on a web proxy. Does anyone know if this is possible?
>> 
>> The configuration pages seem to suggest it’s possible to send accounting to 
>> another server, but I found an email buried in a pf email archive saying 
>> that PF only receives RADIUS accounting.
>> 
>> Thanks,
>> 
>> Steve
>> 
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 
> 
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users





[PacketFence-users] Node Manager Lockdown

2019-06-12 Thread Stuart Gendron via PacketFence-users
Playing around with the Node Manager Admin Role to try and lock things down
so the user can only change nodes to specific roles.

Here's an excerpt from the adminroles.conf file:

[VPN Node Manager]
actions=NODES_READ,NODES_UPDATE,SECURITY_EVENTS_READ,SWITCHES_READ,DHCP_OPTION_82_READ
allowed_roles=Youi_US01,Youi_SA01,Youi_SA02
allowed_node_roles=Youi_US01,Youi_SA01,Youi_SA02
description=Allows you to manage only VPN nodes
allowed_access_levels=
allowed_actions=*

So, attempting this, I get an error when trying to change roles, saying that I don't
have NODES_CREATE and NODES_DELETE.

Adding those 2 actions in I can then change roles, but I can change them to
ones not listed in the allowed_node_roles (like Default and Guest).

Any help would be greatly appreciated!

-- 

*Stuart Gendron*
IT Support Specialist

*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8

t (613) 228-9107 x258 | c (613) 697-6853