[PacketFence-users] Help! email is not allowed to sponsor guest access

2019-07-22 Thread Helen Power via PacketFence-users
Hi All,

We want to achieve the guest self-registration feature via sponsor email. I defined 
one authentication source of type AD with the action "Mark as sponsor". However, 
when I use guest signup and put the sponsor email in, it says "Email XX is 
not allowed to sponsor guest access", although I'm sure the email address should 
be able to sponsor guest access. One side note is that I used to be able to join 
my PF box to the Active Directory domain successfully. However, I un-joined it one time and 
ever since then, I have had no luck joining the AD domain again. The error says: 
Enter packetfence$@X.X.COM's password: Join to domain is not valid: NT code 
0xfff6. Would you please help so I can have the guest sponsor feature 
working? Please see some of the logs/configuration below:

[root@packetfence PFdomain]# chroot /chroots/PFdomain wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

[root@packetfence PFdomain]# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

Domain.conf:
[Test]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
registration=0
ntlm_cache_expiry=3600
dns_name=x.x.com
dns_servers=172.16.100.X
ou=Computers
ntlm_cache_on_connection=disabled
workgroup=abc0
ntlm_cache_batch_one_at_a_time=disabled
sticky_dc=*
ad_server=172.16.100.X
ntlm_cache_batch=disabled
server_name=%h
~

Related info in Authentication.conf:
[Admin_Sponsor]
cache_match=0
read_timeout=10
realms=
basedn=DC=x,DC=x,DC=com
monitor=1
password=password
shuffle=0
searchattributes=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=X,DC=X,DC=com
encryption=none
description=Group for sponsorship for guests
port=389
host=172.16.100.X
write_timeout=5
type=AD

[Admin_Sponsor rule Sponsorship]
action0=mark_as_sponsor=1
condition0=memberOf,equals,CN=WirelessSponsorGlobal,OU=Special Security Group,OU=Special Account,DC=X,DC=X,DC=com
match=all
class=administration
description=Global Tech, US_Cooperate and SDU manager

[Sponsor_RSP]
create_local_account=no
validate_sponsor=yes
password_length=8
allow_localdomain=yes
lang=en_US
local_account_logins=0
description=Sponsor-based registration
email_activation_timeout=30m
hash_passwords=plaintext
type=SponsorEmail

[Sponsor_RSP rule Sponsor]
action0=set_role=guest
match=all
class=authentication
action1=set_access_duration=5D


Please let me know if you need any other information.

Thank you very much for your help,

Helen


Re: [PacketFence-users] EAP-MD5 & Active Directory?

2019-07-22 Thread John Sayce via PacketFence-users
Yes I'm interested in this.  Thanks

My IP phones are Avaya 1608 model.  The username is the mac address but the 
password is numeric only.

So is the active directory source just an LDAP connection?  (Renamed to help 
end users?)  I thought it'd be different.

-Original Message-
From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: 22 July 2019 14:11
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?

Hello John,

if your phone does eap-md5 with the username and the password equal to the mac 
address then it will work as is in PacketFence.

Also to use AD you need to be able to fetch the clear text password which is 
not possible with LDAP.

To be able to make it work then you will need to proxy the request to the NPS 
since it is to fetch the clear text password.

It will require a little bit of unlang and realm configuration.

If you are interested to do that i will be able to explain you how to configure 
it.

Regards

Fabrice


On 19-07-22 at 08:01, John Sayce via PacketFence-users wrote:
> I've tried changing that setting (and restarting) but it doesn't seem to have 
> any effect.  I assume that's because it controls how packetfence stores user 
> passwords in its local database rather than in active directory.
>
> I appreciate that the password needs to be plain text, however I'm not sure 
> how that works with active directory from freeradius.  I've configured active 
> directory to store the password with reversible encryption so it can be 
> decrypted to plain text.  This in turn means EAP-MD5 works when I use NPS 
> (which has the same requirements) but maybe that doesn't work with freeradius 
> because the mechanism to connect to the database doesn't support the way 
> windows is dealing with the password?
>
> The log tends to suggest to me that it's not even trying active directory 
> with EAP-MD5 despite there being no other authentication sources configured 
> "Info: rlm_sql (sql)"
>
> I can't seem to find any documentation about this.
>
>
> -Original Message-
> From: Nicolas Quiniou-Briand via PacketFence-users 
> [mailto:packetfence-users@lists.sourceforge.net]
> Sent: 22 July 2019 12:30
> To: packetfence-users@lists.sourceforge.net
> Cc: Nicolas Quiniou-Briand 
> Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?
>
> Hello John
>
> On 2019-07-22 11:34 a.m., John Sayce via PacketFence-users wrote:
>> Mon Jul 22 10:13:31 2019 : Auth: (13018) Login incorrect (eap_md5:
>> Cleartext-Password is required for EAP-MD5 authentication):
>> [asd\switch1] (from client 10.8.4.2 port 31 cli 54:80:28:9c:50:50)
> Try to change "Database passwords hashing method" setting to "plain" in 
> Configuration -> System configuration -> Main configuration -> Advanced.
>
> As mentioned here [0], EAP-MD5 is only compatible with clear text passwords.
>
> [0] http://deployingradius.com/documents/protocols/compatibility.html
> --
> Nicolas Quiniou-Briand
> n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca 
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
> (https://packetfence.org) and Fingerbank (http://fingerbank.org)
>
>

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca Inverse inc. 
:: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





Re: [PacketFence-users] [PF 9.0.1] Cisco WLC and Virtual IP

2019-07-22 Thread pro fence via PacketFence-users
Hi Fabrice,

Thanks for the reply,
here is what i have in the pre_auth ACL :
[image: acls.png]

do you see something wrong ?

On Mon, 22 Jul 2019 at 14:54, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Pro fence,
>
> packetfence manages the port that needs to be open, so you don't have to do
> anything.
>
> Btw it looks that the issue you have is related to the acl you made on the
> WLC. (check if there is some hit)
>
> What you can do is to capture the traffic on the device you are testing
> with and see if you see any kind of redirection.
>
> Regards
>
> Fabrice
>
>
> On 19-07-21 at 09:59, pro fence via PacketFence-users wrote:
>
> Hi,
>
> For somebody who would encounter the same issue,
> to solve the last error, you need to add a new radius client.
>
> Does anybody know exactly what ports need to be open for the VIP besides
> radius, http for the portal to pop up ? I mean in the log i have the right
> ACL and the http://VIP-IP/CISCO::WLC  url but the portal is not showing.
>
> regards,
>
> On Thu, 18 Jul 2019 at 17:00, pro fence  wrote:
>
>> Hi Fabrice,
>>
>> to be more precise i am going to use the ip addresses of the installation
>> guide to show you my configuration :
>>
>> to answer your question, yes, cluster.conf is replicated on the 3 servers
>> with the command:
>> # /usr/local/pf/bin/cluster/sync --from=192.168.1.5 --api-user=user --api-password=password
>>
>> here is the content of cluster.conf :
>> [CLUSTER]
>> management_ip=192.168.1.10
>> [CLUSTER interface eth0]
>> ip=192.168.1.10
>> [CLUSTER interface eth1.2]
>> ip=192.168.2.10
>> [CLUSTER interface eth1.3]
>> ip=192.168.3.10
>>
>> [pf1.example.com]
>> management_ip=192.168.1.5
>> [pf1.example.com interface eth0]
>> ip=192.168.1.5
>> [pf1.example.com interface eth1.2]
>> ip=192.168.2.5
>> [pf1.example.com interface eth1.3]
>> ip=192.168.3.5
>>
>> [pf2.example.com]
>> management_ip=192.168.1.6
>> [pf2.example.com interface eth0]
>> ip=192.168.1.6
>> [pf2.example.com interface eth1.2]
>> ip=192.168.2.6
>> [pf2.example.com interface eth1.3]
>> ip=192.168.3.6
>>
>> [pf3.example.com]
>> management_ip=192.168.1.7
>> [pf3.example.com interface eth0]
>> ip=192.168.1.7
>> [pf3.example.com interface eth1.2]
>> ip=192.168.2.7
>> [pf3.example.com interface eth1.3]
>> ip=192.168.3.7
>>
>> the error message becomes  :
>>
>> Ignoring request to auth address 192.168.1.5 port 1812 bound to server
>> packetfence from unknown client loadBalancer_IP port 8905 proto udp
>>
>> listening ip and port for the first server for example:
>>
>> tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN      24615/haproxy
>> tcp        0      0 192.168.2.10:80         0.0.0.0:*               LISTEN      24615/haproxy
>> tcp        0      0 192.168.3.10:80         0.0.0.0:*               LISTEN      24615/haproxy
>>
>> tcp        0      0 192.168.1.5:80          0.0.0.0:*               LISTEN      1026/httpd
>> tcp        0      0 192.168.2.5:80          0.0.0.0:*               LISTEN      1026/httpd
>> tcp        0      0 192.168.3.5:80          0.0.0.0:*               LISTEN      1026/httpd
>>
>> thanks in advance,
>> Regards
>>
>> On Thu, 18 Jul 2019 at 15:03, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Pro fence,
>>>
>>>
>>> it looks that you misconfigured your cluster.
>>>
>>> Did you copy the file cluster.conf on each server ?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>> On 19-07-18 at 06:49, pro fence via PacketFence-users wrote:
>>>
>>> Hello,
>>>
>>> has anyone ever encountered the following error using a VIP, from
>>> radius :
>>>
>>> " Ignoring request to auth address MANAGEMENT_IP port 1812 bound to
>>> server packetfence from unknown client loadBalancer_IP port 8905 proto udp"
>>>
>>> the VIP sends the request using a different ip than the one configured
>>> in cluster.conf, so maybe that's the reason ?
>>>
>>> Thanks,
>>> Regards,
>>>
>>>
>>> On Wed, 17 Jul 2019 at 14:32, pro fence  wrote:
>>>
>>>> Fabrice,
>>>>
>>>> may god bless you ! thank you very much for your time and help,
>>>> Regards,
>>>>
>>>> On Wed, 17 Jul 2019 at 13:28, Durand fabrice via PacketFence-users <
>>>> packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>>> Yes, only the VIP is needed on the WLC.
>>>>>
>>>>> The WLC sends a request to the VIP and the radius load-balancer will
>>>>> forward to one of the radius server in the cluster.
>>>>>
>>>>> Regards
>>>>>
>>>>> Fabrice
>>>>> On 19-07-17 at 05:14, pro fence via PacketFence-users wrote:
>>>>>
>>>>> Hi Fabrice,
>>>>>
>>>>> do you mean that the VIP needs to be configured as the radius server
>>>>> in the WLC ?
>>>>>
>>>>> Thanks,
>>>>> Regards,
>>>>>
>>>>> On Tue, 16 Jul 2019 at 23:16, Durand fabrice via PacketFence-users <
>>>>> packetfence-users@lists.sourceforge.net> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> only the VIP needs to be configured as the radius server.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Fabrice
>>>>>>

Re: [PacketFence-users] Configuration help for Aruba Instant controller needed (guest access)

2019-07-22 Thread Stegmaier, Jona via PacketFence-users
Hello Fabrice,

 

Nicolas Quiniou-Briand already told me that I have to apply the maintenance 
patches. 

It works now, thank you very much for your help!

Best regards,

Jona

From: Fabrice Durand via PacketFence-users 
Sent: Monday, 22 July 2019 15:02
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] Configuration help for Aruba Instant 
controller needed (guest access)

Hello Jona,

you need to run pf-maint.pl on your system first.

Regards

Fabrice

On 19-07-22 at 05:58, Stegmaier, Jona via PacketFence-users wrote:

Hello,

thanks for your reply!

I tried the authentication with the help of roles, but nothing changed. 
Packetfence sends the role update, but the access points can’t enforce the VLAN 
change.

The only error message, that Packetfence creates, you can find in the last 
line: 

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) INFO: 
[mac:ac:7b:a1:55:25:9e] User default has authenticated on the portal. 
(Class::MOP::Class:::after)

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) WARN: 
[mac:ac:7b:a1:55:25:9e] Unknown network type for network 10.82.51.0 
(pf::config::get_network_type)

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) INFO: 
[mac:ac:7b:a1:55:25:9e] re-evaluating access (manage_register called) 
(pf::enforcement::reevaluate_access)

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) INFO: 
[mac:ac:7b:a1:55:25:9e] VLAN reassignment is forced. 
(pf::enforcement::_should_we_reassign_vlan)

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) INFO: 
[mac:ac:7b:a1:55:25:9e] switch port is (10.82.50.167) ifIndex unknown 
connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)

Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) INFO: 
[mac:ac:7b:a1:55:25:9e] [ac:7b:a1:55:25:9e] DesAssociating mac on switch 
(10.82.50.167) (pf::api::desAssociate)

Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) INFO: 
[mac:ac:7b:a1:55:25:9e] [10.82.50.167] Returning ACCEPT with role: -test- 
(pf::Switch::Aruba::Instant_Access::radiusDisconnect)

Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) ERROR: 
[mac:ac:7b:a1:55:25:9e] Error handling desAssociate : Undefined subroutine 
::Switch::Aruba::Instant_Access::perform_coa called at 
/usr/local/pf/lib/pf/Switch/Aruba/Instant_Access.pm line 81.

 

Best regards,

Jona

From: G PL via PacketFence-users
Sent: Saturday, 20 July 2019 23:29
To: packetfence-users@lists.sourceforge.net
Cc: G PL
Subject: Re: [PacketFence-users] Configuration help for Aruba Instant 
controller needed (guest access)

 

Hello, 

In my setup, I'm sending role to the iap and not using coa. The iap translate 
role to vlan. 

You need the register and guest role. 

Regards

On Friday, 19 July 2019, Stegmaier, Jona via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi all,

 

I try to configure a guest access (WLAN) with our Packetfence v9 system and our 
Aruba Instant Virtual Controller (Version 6.5.4) / 305 Access Points.

The steps of the official support document refer to an older version of Aruba 
Instant, so I want to ask, if anybody uses the Aruba Version 6 and can tell me, 
how to configure the Aruba controller. 

I tried a configuration, but the process fails, when Packetfence tries to 
enforce the guest VLAN. (no VLAN change is made). 

On the packetfence side, CoA is enabled (and all the necessary VLAN roles). 

 

 

Thanks and best regards,
Jona

 

-- 

Jona Stegmaier

Fraunhofer-Institut für Physikalische Messtechnik IPM; ITK 

Heidenhofstr. 8, 79110 Freiburg, Germany 

  

Phone +49 761 8857-132,   
jona.stegma...@ipm.fraunhofer.de

  https://www.ipm.fraunhofer.de

 







-- 
Fabrice Durand
fdur...@inverse.ca   ::  +1.514.447.4918 (x135) ::  
www.inverse.ca  
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




[PacketFence-users] Multi tenancy

2019-07-22 Thread Alina Haider via PacketFence-users
Hi all,

Can anybody tell me how can we apply Multi tenancy using PacketFence?

Thanks and regards,

Alina Haider
Development Intern




IOTA Solutions. Pvt. Ltd. (A Cloud9 Networks’ Company)
Mezzanine Floor, Khumrial Centre, Plot 3 & 4, I & T Centre, G-8/4 Islamabad

www.iotasolutions.io
www.cloud9net.com





Re: [PacketFence-users] EAP-MD5 & Active Directory?

2019-07-22 Thread Fabrice Durand via PacketFence-users

Hello John,

if your phone does eap-md5 with the username and the password equal to 
the mac address then it will work as is in PacketFence.


Also to use AD you need to be able to fetch the clear text password 
which is not possible with LDAP.


To be able to make it work then you will need to proxy the request to 
the NPS since it is to fetch the clear text password.


It will require a little bit of unlang and realm configuration.

If you are interested to do that i will be able to explain you how to 
configure it.


Regards

Fabrice


On 19-07-22 at 08:01, John Sayce via PacketFence-users wrote:

I've tried changing that setting (and restarting) but it doesn't seem to have 
any effect.  I assume that's because it controls how packetfence stores user 
passwords in its local database rather than in active directory.

I appreciate that the password needs to be plain text, however I'm not sure how 
that works with active directory from freeradius.  I've configured active 
directory to store the password with reversible encryption so it can be 
decrypted to plain text.  This in turn means EAP-MD5 works when I use NPS (which 
has the same requirements) but maybe that doesn't work with freeradius because 
the mechanism to connect to the database doesn't support the way windows is 
dealing with the password?

The log tends to suggest to me that it's not even trying active directory with EAP-MD5 
despite there being no other authentication sources configured "Info: rlm_sql 
(sql)"

I can't seem to find any documentation about this.


-Original Message-
From: Nicolas Quiniou-Briand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 22 July 2019 12:30
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand 
Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?

Hello John

On 2019-07-22 11:34 a.m., John Sayce via PacketFence-users wrote:

Mon Jul 22 10:13:31 2019 : Auth: (13018) Login incorrect (eap_md5:
Cleartext-Password is required for EAP-MD5 authentication):
[asd\switch1] (from client 10.8.4.2 port 31 cli 54:80:28:9c:50:50)

Try to change "Database passwords hashing method" setting to "plain" in Configuration 
-> System configuration -> Main configuration -> Advanced.

As mentioned here [0], EAP-MD5 is only compatible with clear text passwords.

[0] http://deployingradius.com/documents/protocols/compatibility.html
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca Inverse inc. 
:: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)




--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
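
The cleartext requirement discussed in this thread follows from how the EAP MD5-Challenge exchange (RFC 3748, type 4) is computed. The sketch below is an added example, not code from PacketFence, FreeRADIUS or any poster; the username, password and challenge are constructed values, and a SHA-256 digest stands in for any one-way stored form of the password.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def build_md5_packet(code, identifier, value, name=b""):
    """EAP header (Code, Identifier, Length) + Type 4 + Value-Size + Value + Name."""
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def parse_md5_packet(packet):
    """Return (code, identifier, value, name); reject malformed lengths."""
    if len(packet) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("bad Length or Type field")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:]


def md5_response(identifier, password, challenge):
    """CHAP-style digest: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def peer_answer(request, username, password):
    """Supplicant side (e.g. the IP phone): answer the server's challenge."""
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = md5_response(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, digest, username)


def server_verify(request, response, stored_secret):
    """RADIUS side: recompute the digest from whatever the backend can supply.

    stored_secret is the cleartext password, some one-way hash of it, or
    None when the backend can only test a presented password (a bind).
    """
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, _ = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    if stored_secret is None:
        # The peer never sends its password, so there is nothing to bind with.
        return False
    expected = md5_response(req_id, stored_secret, challenge)
    return hmac.compare_digest(expected, value)


def demo():
    # Constructed sample values, not taken from the thread.
    username, password = b"001122334455", b"24681357"
    challenge = bytes(range(16))
    request = build_md5_packet(EAP_REQUEST, 7, challenge, b"radius")
    response = peer_answer(request, username, password)
    one_way = hashlib.sha256(password).hexdigest().encode()  # stand-in hash
    return {
        "cleartext": server_verify(request, response, password),
        "one_way_hash": server_verify(request, response, one_way),
        "bind_only": server_verify(request, response, None),
        "password_on_wire": password in response,
    }


if __name__ == "__main__":
    for backend, ok in demo().items():
        print(f"{backend}: {ok}")
```

Only the backend that can hand the server the cleartext password reproduces the digest; a hashed store or a bind-only directory check has nothing to compare against.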





Re: [PacketFence-users] [pf 9.0.1] password of the day

2019-07-22 Thread pro fence via PacketFence-users
hi,

when i fill out the form with the email and password i have the same message
in the httpd.portal log; i made the test with the password of the day and
with fake password, but the result is the same :

Authenticating user using sources : Password-of-the-day
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)

and it doesn't go further.

in the password portal module i specified a random name, could that be the
cause ?


Regards,

On Thu, 18 Jul 2019 at 17:34, pro fence  wrote:

> Hi,
>
> so i am trying a new authentication method, the password of the day but i
> am not sure if i am using the right module or understand how it is supposed
> to work :
>
> - i have created a potd source, added it to a connection profile : ok
> - in the portal module, i have added a password authentication one (with
> only the email as required field) but when i test it through the portal i
> have the email + a password field and when i enter the email + the potd
> received by mail, i have an error "invalid login or password"
>
> maybe i am using the wrong module ? i have noticed that i could've added a
> potd field so is the potd supposed to be used in a password textbox ?
>
> any help is welcomed,
> Regards
>


Re: [PacketFence-users] Configuration help for Aruba Instant controller needed (guest access)

2019-07-22 Thread Fabrice Durand via PacketFence-users

Hello Jona,

you need to run pf-maint.pl on your system first.

Regards

Fabrice


On 19-07-22 at 05:58, Stegmaier, Jona via PacketFence-users wrote:


Hello,

thanks for your reply!

I tried the authentication with the help of roles, but nothing 
changed. Packetfence sends the role update, but the access points 
can’t enforce the VLAN change.


The only error message, that Packetfence creates, you can find in the 
last line:


Jul 22 11:04:31 packetfence packetfence_httpd.portal: 
httpd.portal(24693) INFO: [mac:ac:7b:a1:55:25:9e] User default has 
authenticated on the portal. (Class::MOP::Class:::after)


Jul 22 11:04:31 packetfence packetfence_httpd.portal: 
httpd.portal(24693) WARN: [mac:ac:7b:a1:55:25:9e] Unknown network type 
for network 10.82.51.0 (pf::config::get_network_type)


Jul 22 11:04:31 packetfence packetfence_httpd.portal: 
httpd.portal(24693) INFO: [mac:ac:7b:a1:55:25:9e] re-evaluating access 
(manage_register called) (pf::enforcement::reevaluate_access)


Jul 22 11:04:31 packetfence packetfence_httpd.portal: 
httpd.portal(24693) INFO: [mac:ac:7b:a1:55:25:9e] VLAN reassignment is 
forced. (pf::enforcement::_should_we_reassign_vlan)


Jul 22 11:04:31 packetfence packetfence_httpd.portal: 
httpd.portal(24693) INFO: [mac:ac:7b:a1:55:25:9e] switch port is 
(10.82.50.167) ifIndex unknown connection type: WiFi MAC Auth 
(pf::enforcement::_vlan_reevaluation)


Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) INFO: 
[mac:ac:7b:a1:55:25:9e] [ac:7b:a1:55:25:9e] DesAssociating mac on 
switch (10.82.50.167) (pf::api::desAssociate)


Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) INFO: 
[mac:ac:7b:a1:55:25:9e] [10.82.50.167] Returning ACCEPT with role: 
-test- (pf::Switch::Aruba::Instant_Access::radiusDisconnect)


Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) ERROR: 
[mac:ac:7b:a1:55:25:9e] Error handling desAssociate : Undefined 
subroutine ::Switch::Aruba::Instant_Access::perform_coa called at 
/usr/local/pf/lib/pf/Switch/Aruba/Instant_Access.pm line 81.


Best regards,

Jona

*From:* G PL via PacketFence-users
*Sent:* Saturday, 20 July 2019 23:29
*To:* packetfence-users@lists.sourceforge.net
*Cc:* G PL 
*Subject:* Re: [PacketFence-users] Configuration help for Aruba 
Instant controller needed (guest access)


Hello,

In my setup, I'm sending role to the iap and not using coa. The iap 
translate role to vlan.


You need the register and guest role.

Regards

On Friday, 19 July 2019, Stegmaier, Jona via PacketFence-users 
wrote:


Hi all,

I try to configure a guest access (WLAN) with our Packetfence v9
system and our Aruba Instant Virtual Controller (Version 6.5.4) /
305 Access Points.

The steps of the official support document refer to an older
version of Aruba Instant, so I want to ask, if anybody uses the
Aruba Version 6 and can tell me, how to configure the Aruba
controller.

I tried a configuration, but the process fails, when Packetfence
tries to enforce the guest VLAN. (no VLAN change is made).

On the packetfence side, CoA is enabled (and all the necessary
VLAN roles).

Thanks and best regards,
Jona

-- 


Jona Stegmaier

Fraunhofer-Institut für Physikalische Messtechnik IPM; ITK

Heidenhofstr. 8, 79110 Freiburg, Germany




Phone +49 761 8857-132, jona.stegma...@ipm.fraunhofer.de


https://www.ipm.fraunhofer.de





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] Dynamically lookup and register nodes from an external system

2019-07-22 Thread Fabrice Durand via PacketFence-users

Hello Schmidt,

we did this kind of workflow in PacketFence here: 
https://github.com/inverse-inc/packetfence/pull/2667/files


You will just need to adapt the code.

Regards

Fabrice


On 19-07-22 at 04:22, Schmidt Korbinian via PacketFence-users wrote:

Hello PacketFence users,

I am looking for ways to automatically synchronize pre-registered nodes with an 
external system like a database.

One way to achieve this would be an application that periodically calls pfcmd 
or the HTTP API to import nodes into PacketFence.
  
Now I was just wondering if there was a way to dynamically register nodes during the first encounter of their MAC address.


A possible workflow would be:
   1.   If no node is found for a given MAC address in the PacketFence 
database, the system asks the external source if the node is known there (e.g. 
with a script that searches for the MAC address in a database table).
   2a. When the MAC address is found in the external system, a new node is 
created and automatically registered. This way PacketFence can immediately 
evaluate the network access (just like it would do with imported nodes).
   2b. When the MAC address is not found, the system continues with the normal 
flow for unknown nodes (e. g. putting the switch port into the registration 
VLAN).

Has anyone ever implemented something similar and can tell me if it possible?
Or should I stick to the periodic update approach?

Thank you and
Best regards

Korbinian Schmidt

F.EE Industrieautomation GmbH & Co KG
In der Seugn 20, 92431 Neunburg  v. W.
Email: korbinian.schm...@fee.de





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
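
The first-encounter workflow quoted in this message (steps 1, 2a, 2b) can be sketched as follows. This is an added example, not PacketFence code and not the code from the linked pull request: the `assets` table, the `nodes` dictionary standing in for the PacketFence node table, and all function names are hypothetical, and the inventory rows are constructed.

```python
import re
import sqlite3

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Accept aa:bb.., AA-BB.. or aabb.ccdd.eeff and return aa:bb:cc:dd:ee:ff.

    Anything else is rejected before it can reach the external query.
    """
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_inventory(rows):
    """Hypothetical external system: an in-memory table of known devices."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE assets (mac TEXT PRIMARY KEY, owner TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO assets VALUES (?, ?, ?)",
        [(normalize_mac(mac), owner, role) for mac, owner, role in rows],
    )
    return db


def lookup_external(inventory, mac):
    """Step 1: ask the external source; an unreachable source means 'unknown'."""
    try:
        return inventory.execute(
            "SELECT owner, role FROM assets WHERE mac = ?", (mac,)
        ).fetchone()
    except sqlite3.Error:
        # Fail closed: the device goes through normal registration instead.
        return None


def evaluate_first_seen(raw_mac, nodes, inventory):
    """Return (decision, node) for a MAC seen on the network."""
    mac = normalize_mac(raw_mac)
    if mac in nodes:
        return "known", nodes[mac]
    row = lookup_external(inventory, mac)
    if row is None:
        # Step 2b: normal flow for unknown nodes (registration VLAN).
        return "registration_vlan", None
    # Step 2a: create the node already registered so access is evaluated at once.
    node = {"mac": mac, "owner": row[0], "role": row[1],
            "status": "reg", "source": "external"}
    nodes[mac] = node
    return "auto_registered", node


if __name__ == "__main__":
    inventory = build_inventory([("AA-BB-CC-00-11-22", "printer-3f", "printers")])
    nodes = {}
    for seen in ("aabb.cc00.1122", "aa:bb:cc:00:11:22", "de:ad:be:ef:00:01"):
        print(seen, evaluate_first_seen(seen, nodes, inventory)[0])
```

A lookup error is treated the same as "not found", so an outage of the external system degrades to the registration VLAN rather than to automatic access.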





Re: [PacketFence-users] [PF 9.0.1] Cisco WLC and Virtual IP

2019-07-22 Thread Fabrice Durand via PacketFence-users

Hello Pro fence,

packetfence manages the port that needs to be open, so you don't have to 
do anything.


Btw it looks that the issue you have is related to the acl you made on 
the WLC. (check if there is some hit)


What you can do is to capture the traffic on the device you are testing 
with and see if you see any kind of redirection.


Regards

Fabrice


On 19-07-21 at 09:59, pro fence via PacketFence-users wrote:

Hi,

For somebody who would encounter the same issue,
to solve the last error, you need to add a new radius client.

Does anybody know exactly what ports need to be open for the VIP 
besides radius, http for the portal to pop up ? I mean in the log i 
have the right ACL and the http://VIP-IP/CISCO::WLC url but the portal 
is not showing.


regards,

On Thu, 18 Jul 2019 at 17:00, pro fence wrote:


Hi Fabrice,

to be more precise i am going to use the ip addresses of the
installation guide to show you my configuration :

to answer your question, yes, cluster.conf is replicated on the 3
servers with the command:
# /usr/local/pf/bin/cluster/sync --from=192.168.1.5 --api-user=user --api-password=password

here is the content of cluster.conf :
[CLUSTER]
management_ip=192.168.1.10
[CLUSTER interface eth0]
ip=192.168.1.10
[CLUSTER interface eth1.2]
ip=192.168.2.10
[CLUSTER interface eth1.3]
ip=192.168.3.10

[pf1.example.com]
management_ip=192.168.1.5
[pf1.example.com interface eth0]
ip=192.168.1.5
[pf1.example.com interface eth1.2]
ip=192.168.2.5
[pf1.example.com interface eth1.3]
ip=192.168.3.5

[pf2.example.com]
management_ip=192.168.1.6
[pf2.example.com interface eth0]
ip=192.168.1.6
[pf2.example.com interface eth1.2]
ip=192.168.2.6
[pf2.example.com interface eth1.3]
ip=192.168.3.6

[pf3.example.com]
management_ip=192.168.1.7
[pf3.example.com interface eth0]
ip=192.168.1.7
[pf3.example.com interface eth1.2]
ip=192.168.2.7
[pf3.example.com interface eth1.3]
ip=192.168.3.7

the error message becomes  :

Ignoring request to auth address 192.168.1.5 port 1812 bound to
server packetfence from unknown client loadBalancer_IP port 8905
proto udp

listening ip and port for the first server for example:

tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN      24615/haproxy
tcp        0      0 192.168.2.10:80         0.0.0.0:*               LISTEN      24615/haproxy
tcp        0      0 192.168.3.10:80         0.0.0.0:*               LISTEN      24615/haproxy

tcp        0      0 192.168.1.5:80          0.0.0.0:*               LISTEN      1026/httpd
tcp        0      0 192.168.2.5:80          0.0.0.0:*               LISTEN      1026/httpd
tcp        0      0 192.168.3.5:80          0.0.0.0:*               LISTEN      1026/httpd

thanks in advance,
Regards

On Thu, 18 Jul 2019 at 15:03, Fabrice Durand via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

Hello Pro fence,


It looks like you misconfigured your cluster.

Did you copy the file cluster.conf to each server?

Regards

Fabrice


On 19-07-18 at 06:49, pro fence via PacketFence-users wrote:

Hello,

Has anyone ever encountered the following error using a VIP,
from radius:

" Ignoring request to auth address MANAGEMENT_IP port 1812
bound to server packetfence from unknown client
loadBalancer_IP port 8905 proto udp"

the VIP sends the request using a different ip than the one
configured in cluster.conf, so maybe that's the reason ?

Thanks,
Regards,


On Wed, 17 Jul 2019 at 14:32, pro fence <pfenc...@gmail.com> wrote:

Fabrice,

may god bless you ! thank you very much for your time and
help,
Regards,

On Wed, 17 Jul 2019 at 13:28, Durand fabrice via
PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

Yes, only the VIP is needed on the WLC.

The WLC sends a request to the VIP and the radius
load-balancer will forward to one of the radius
servers in the cluster.

Regards

Fabrice

On 19-07-17 at 05:14, pro fence via
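
A check for the hypothesis raised in this thread (the balancer's source address is not one of the addresses in cluster.conf), as an added example that is not part of the original messages and not PacketFence code. The configuration is an excerpt of the one posted above; the log lines are constructed in the format of the quoted error, with 192.168.1.20 as an assumed stand-in for the redacted loadBalancer_IP.

```python
import configparser
import re

# Excerpt of the cluster.conf posted above (management and eth0 entries only).
CLUSTER_CONF = """
[CLUSTER]
management_ip=192.168.1.10
[CLUSTER interface eth0]
ip=192.168.1.10
[pf1.example.com]
management_ip=192.168.1.5
[pf1.example.com interface eth0]
ip=192.168.1.5
[pf2.example.com]
management_ip=192.168.1.6
[pf2.example.com interface eth0]
ip=192.168.1.6
[pf3.example.com]
management_ip=192.168.1.7
[pf3.example.com interface eth0]
ip=192.168.1.7
"""

# Constructed log lines in the format of the error quoted in the thread.
# 192.168.1.20 is an assumed value for the redacted loadBalancer_IP.
LOG_LINES = [
    "Ignoring request to auth address 192.168.1.5 port 1812 bound to server "
    "packetfence from unknown client 192.168.1.20 port 8905 proto udp",
    "Ignoring request to auth address 192.168.1.6 port 1812 bound to server "
    "packetfence from unknown client 192.168.1.10 port 8905 proto udp",
]

UNKNOWN_CLIENT = re.compile(
    r"Ignoring request to auth address (?P<dst>\S+) port \d+ "
    r"bound to server \S+ from unknown client (?P<src>\S+) "
    r"port \d+ proto \w+"
)


def cluster_addresses(conf_text):
    """Map every IP in cluster.conf to the (host, interface) entries declaring it."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    owners = {}
    for section in parser.sections():
        # Section names are "<host>" or "<host> interface <ifname>".
        host, _, iface = section.partition(" interface ")
        for key in ("management_ip", "ip"):
            if parser.has_option(section, key):
                address = parser.get(section, key).strip()
                entry = (host.strip(), iface.strip() or "management")
                owners.setdefault(address, []).append(entry)
    return owners


def classify(line, owners):
    """Return the rejected source address and where cluster.conf declares it."""
    match = UNKNOWN_CLIENT.search(line)
    if match is None:
        return None
    src = match.group("src")
    return {"dst": match.group("dst"), "src": src,
            "declared_by": owners.get(src, [])}
```

An empty `declared_by` is consistent with the hypothesis in the message that the balancer sends from an address missing from cluster.conf; a non-empty one means the address is declared and the cause has to be looked for elsewhere.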

Re: [PacketFence-users] Configuration help for Aruba Instant controller needed (guest access)

2019-07-22 Thread Stegmaier, Jona via PacketFence-users
Hello Nicolas,

that's it, thank you so much! :)

Best regards,
Jona

-- 
Jona Stegmaier
Fraunhofer-Institut für Physikalische Messtechnik IPM; ITK 
Heidenhofstr. 8, 79110 Freiburg, Germany 
Phone +49 761 8857-132, jona.stegma...@ipm.fraunhofer.de
https://www.ipm.fraunhofer.de


-Original Message-
From: Nicolas Quiniou-Briand via PacketFence-users
Sent: Monday, 22 July 2019 13:22
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand 
Subject: Re: [PacketFence-users] Configuration help for Aruba Instant
controller needed (guest access)

Hello Jona,

On 2019-07-22 11:58 a.m., Stegmaier, Jona via PacketFence-users wrote:
> Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) ERROR: 
> [mac:ac:7b:a1:55:25:9e] Error handling desAssociate : Undefined 
> subroutine ::Switch::Aruba::Instant_Access::perform_coa called at 
> /usr/local/pf/lib/pf/Switch/Aruba/Instant_Access.pm line 81.

This issue has been fixed in maintenance branch by Fabrice [0].

Apply maintenance patches by running the $PF/addons/pf-maint.pl script twice if
you have never run it before, then restart your PF services.

[0]
https://github.com/inverse-inc/packetfence/commit/eaddda6b6b018fc564b3f57e434d637a685b9468#diff-940a8790f2fa932819c8c11c269ec232
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca Inverse
inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users




Re: [PacketFence-users] EAP-MD5 & Active Directory?

2019-07-22 Thread John Sayce via PacketFence-users
I've tried changing that setting (and restarting) but it doesn't seem to have 
any effect.  I assume that's because it controls how packetfence stores user 
passwords in its local database rather than in active directory.

I appreciate that the password needs to be plain text, however I'm not sure how 
that works with active directory from freeradius.  I've configured active 
directory to store the password with reversible encryption so it can be 
decrypted to plain text.  This in turn means EAP-MD5 works when I use NPS (which 
has the same requirements) but maybe that doesn't work with freeradius because 
the mechanism to connect to the database doesn't support the way windows is 
dealing with the password?

The log tends to suggest to me that it's not even trying active directory 
with EAP-MD5 despite there being no other authentication sources configured 
"Info: rlm_sql (sql)"

I can't seem to find any documentation about this.


-Original Message-
From: Nicolas Quiniou-Briand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: 22 July 2019 12:30
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand 
Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?

Hello John

On 2019-07-22 11:34 a.m., John Sayce via PacketFence-users wrote:
> Mon Jul 22 10:13:31 2019 : Auth: (13018) Login incorrect (eap_md5: 
> Cleartext-Password is required for EAP-MD5 authentication): 
> [asd\switch1] (from client 10.8.4.2 port 31 cli 54:80:28:9c:50:50)

Try to change "Database passwords hashing method" setting to "plain" in 
Configuration -> System configuration -> Main configuration -> Advanced.

As mentioned here [0], EAP-MD5 is only compatible with clear text passwords.

[0] http://deployingradius.com/documents/protocols/compatibility.html
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca Inverse inc. 
:: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)




Re: [PacketFence-users] EAP-MD5 & Active Directory?

2019-07-22 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello John

On 2019-07-22 11:34 a.m., John Sayce via PacketFence-users wrote:

Mon Jul 22 10:13:31 2019 : Auth: (13018) Login incorrect (eap_md5: 
Cleartext-Password is required for EAP-MD5 authentication): [asd\switch1] (from 
client 10.8.4.2 port 31 cli 54:80:28:9c:50:50)


Try to change "Database passwords hashing method" setting to "plain" in 
Configuration -> System configuration -> Main configuration -> Advanced.


As mentioned here [0], EAP-MD5 is only compatible with clear text passwords.

[0] http://deployingradius.com/documents/protocols/compatibility.html
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)
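
Why the log line says "Cleartext-Password is required", as an added example that is not part of the original messages and not FreeRADIUS or PacketFence code: the EAP-MD5 response defined in RFC 3748 section 5.4 (after CHAP, RFC 1994) is MD5(Identifier || secret || Challenge), so the server can only recompute it from the password itself. The password, peer name and server name below are constructed.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4


def build_md5_packet(code, identifier, value, name=b""):
    """EAP header (Code, Identifier, Length) + Type 4 + Value-Size + Value + Name."""
    data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_md5_packet(packet):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("packet too short for EAP-MD5")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + size], packet[6 + size:]


def peer_respond(request, password, name=b"switch1"):
    """Supplicant side: hash the identifier, the password and the challenge."""
    _, identifier, challenge, _ = parse_md5_packet(request)
    digest = hashlib.md5(bytes([identifier]) + password + challenge).digest()
    return build_md5_packet(EAP_RESPONSE, identifier, digest, name)


def server_verify(request, response, stored_secret):
    """Server side: recompute the digest from whatever secret it has stored."""
    _, identifier, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, _ = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != identifier:
        return False
    expected = hashlib.md5(bytes([identifier]) + stored_secret + challenge).digest()
    return hmac.compare_digest(expected, value)


def demo():
    """Same exchange checked against three ways of storing the credential."""
    password = b"constructed-Passw0rd"  # constructed sample value
    request = build_md5_packet(EAP_REQUEST, 7, os.urandom(16), b"packetfence")
    response = peer_respond(request, password)
    stores = {
        "cleartext": password,
        "md5 hash": hashlib.md5(password).digest(),
        "sha256 hash": hashlib.sha256(password).digest(),
    }
    return {kind: server_verify(request, response, secret)
            for kind, secret in stores.items()}


if __name__ == "__main__":
    for kind, ok in demo().items():
        print(f"{kind:12} -> {'accept' if ok else 'reject'}")
```

Only the cleartext store accepts the response; a backend that can hand the server nothing but a one-way hash cannot be used to check EAP-MD5.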





Re: [PacketFence-users] Configuration help for Aruba Instant controller needed (guest access)

2019-07-22 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello Jona,

On 2019-07-22 11:58 a.m., Stegmaier, Jona via PacketFence-users wrote:
Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) ERROR: 
[mac:ac:7b:a1:55:25:9e] Error handling desAssociate : Undefined 
subroutine ::Switch::Aruba::Instant_Access::perform_coa called at 
/usr/local/pf/lib/pf/Switch/Aruba/Instant_Access.pm line 81.


This issue has been fixed in maintenance branch by Fabrice [0].

Apply maintenance patches by running the $PF/addons/pf-maint.pl script twice 
if you have never run it before, then restart your PF services.


[0] 
https://github.com/inverse-inc/packetfence/commit/eaddda6b6b018fc564b3f57e434d637a685b9468#diff-940a8790f2fa932819c8c11c269ec232

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





Re: [PacketFence-users] PROBLEM DURING LOGIN PHASE FROM PORTAL

2019-07-22 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello,

Did you create your user "packettest" in the packetfence DB with a role?
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





Re: [PacketFence-users] Configuration help for Aruba Instant controller needed (guest access)

2019-07-22 Thread Stegmaier, Jona via PacketFence-users
Hello,

 

thanks for your reply!

I tried the authentication with the help of roles, but nothing changed. 
Packetfence sends the role update, but the access points can’t enforce the VLAN 
change.

The only error message, that Packetfence creates, you can find in the last 
line: 

 

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) INFO: 
[mac:ac:7b:a1:55:25:9e] User default has authenticated on the portal. 
(Class::MOP::Class:::after)

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) WARN: 
[mac:ac:7b:a1:55:25:9e] Unknown network type for network 10.82.51.0 
(pf::config::get_network_type)

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) INFO: 
[mac:ac:7b:a1:55:25:9e] re-evaluating access (manage_register called) 
(pf::enforcement::reevaluate_access)

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) INFO: 
[mac:ac:7b:a1:55:25:9e] VLAN reassignment is forced. 
(pf::enforcement::_should_we_reassign_vlan)

Jul 22 11:04:31 packetfence packetfence_httpd.portal: httpd.portal(24693) INFO: 
[mac:ac:7b:a1:55:25:9e] switch port is (10.82.50.167) ifIndex unknown 
connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)

Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) INFO: 
[mac:ac:7b:a1:55:25:9e] [ac:7b:a1:55:25:9e] DesAssociating mac on switch 
(10.82.50.167) (pf::api::desAssociate)

Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) INFO: 
[mac:ac:7b:a1:55:25:9e] [10.82.50.167] Returning ACCEPT with role: -test- 
(pf::Switch::Aruba::Instant_Access::radiusDisconnect)

Jul 22 11:04:32 packetfence pfqueue: pfqueue(28927) ERROR: 
[mac:ac:7b:a1:55:25:9e] Error handling desAssociate : Undefined subroutine 
::Switch::Aruba::Instant_Access::perform_coa called at 
/usr/local/pf/lib/pf/Switch/Aruba/Instant_Access.pm line 81.

 

Best regards,

Jona

 

From: G PL via PacketFence-users
Sent: Saturday, 20 July 2019 23:29
To: packetfence-users@lists.sourceforge.net
Cc: G PL 
Subject: Re: [PacketFence-users] Configuration help for Aruba Instant 
controller needed (guest access)

 

Hello, 

In my setup, I'm sending the role to the IAP and not using CoA. The IAP translates 
the role to a VLAN. 

You need the register and guest role. 

Regards

On Friday, 19 July 2019, Stegmaier, Jona via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi all,

 

I try to configure a guest access (WLAN) with our Packetfence v9 system and our 
Aruba Instant Virtual Controller (Version 6.5.4) / 305 Access Points.

The steps of the official support document refer to an older version of Aruba 
Instant, so I want to ask, if anybody uses the Aruba Version 6 and can tell me, 
how to configure the Aruba controller. 

 

I tried a configuration, but the process fails when Packetfence tries to 
enforce the guest VLAN (no VLAN change is made). 

On the packetfence side, CoA is enabled (and all the necessary VLAN roles). 

 

 

Thanks and best regards,
Jona

 

-- 
Jona Stegmaier
Fraunhofer-Institut für Physikalische Messtechnik IPM; ITK
Heidenhofstr. 8, 79110 Freiburg, Germany
Phone +49 761 8857-132, jona.stegma...@ipm.fraunhofer.de
https://www.ipm.fraunhofer.de

 





[PacketFence-users] PROBLEM DURING LOGIN PHASE FROM PORTAL

2019-07-22 Thread Süleyman Gelener via PacketFence-users
Dear Subscribers,

I am trying to connect my device to PacketFence, however it gave me the errors 
that are shown below.  My user is not available in PacketFence, so this is the first 
time I am trying to add my user. However, the switch automatically assigns my device 
to the default owner, so I am not able to assign it to the user who logs in from the 
portal (username/password). Can someone help me please? Many thanks in advance.



Best Regards,
Suleyman




Jul 22 12:35:18 localhost packetfence_httpd.portal: httpd.portal(13099) INFO: 
[mac:00:26:9e:7b:a5:7d] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 22 12:35:18 localhost packetfence_httpd.portal: httpd.portal(13099) ERROR: 
[mac:00:26:9e:7b:a5:7d] Error while communicating with the Fingerbank 
collector. 500 Can't connect to 127.0.0.1:4723 (Connection refused) 
(pf::fingerbank::endpoint_attributes)
Jul 22 12:35:18 localhost packetfence_httpd.portal: httpd.portal(13099) WARN: 
[mac:00:26:9e:7b:a5:7d] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
138.
 (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Jul 22 12:35:18 localhost packetfence_httpd.portal: httpd.portal(13099) ERROR: 
[mac:00:26:9e:7b:a5:7d] Error while communicating with the Fingerbank 
collector. 500 Can't connect to 127.0.0.1:4723 (Connection refused) 
(pf::fingerbank::update_collector_endpoint_data)
Jul 22 12:35:22 localhost packetfence_httpd.portal: httpd.portal(14934) INFO: 
[mac:00:26:9e:7b:a5:7d] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 22 12:35:22 localhost packetfence_httpd.portal: httpd.portal(14934) ERROR: 
[mac:00:26:9e:7b:a5:7d] Error while communicating with the Fingerbank 
collector. 500 Can't connect to 127.0.0.1:4723 (Connection refused) 
(pf::fingerbank::endpoint_attributes)
Jul 22 12:35:22 localhost packetfence_httpd.portal: httpd.portal(14934) WARN: 
[mac:00:26:9e:7b:a5:7d] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
138.
 (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Jul 22 12:35:22 localhost packetfence_httpd.portal: httpd.portal(14934) ERROR: 
[mac:00:26:9e:7b:a5:7d] Error while communicating with the Fingerbank 
collector. 500 Can't connect to 127.0.0.1:4723 (Connection refused) 
(pf::fingerbank::update_collector_endpoint_data)
Jul 22 12:35:25 localhost packetfence_httpd.portal: httpd.portal(13099) INFO: 
[mac:00:26:9e:7b:a5:7d] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 22 12:35:25 localhost packetfence_httpd.portal: httpd.portal(13099) ERROR: 
[mac:00:26:9e:7b:a5:7d] Error while communicating with the Fingerbank 
collector. 500 Can't connect to 127.0.0.1:4723 (Connection refused) 
(pf::fingerbank::endpoint_attributes)
Jul 22 12:35:25 localhost packetfence_httpd.portal: httpd.portal(13099) WARN: 
[mac:00:26:9e:7b:a5:7d] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
138.
 (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Jul 22 12:35:25 localhost packetfence_httpd.portal: httpd.portal(13099) ERROR: 
[mac:00:26:9e:7b:a5:7d] Error while communicating with the Fingerbank 
collector. 500 Can't connect to 127.0.0.1:4723 (Connection refused) 
(pf::fingerbank::update_collector_endpoint_data)
Jul 22 12:35:27 localhost pfdhcp[2357]: t=2019-07-22T12:35:27+0300 lvl=info 
msg="DHCPREQUEST for 10.11.0.190 from 00:26:9e:7b:a5:7d (TOSHiBA-PC)" pid=2357 
mac=00:26:9e:7b:a5:7d
Jul 22 12:35:27 localhost pfdhcp[2357]: t=2019-07-22T12:35:27+0300 lvl=info 
msg="DHCPACK on 10.11.0.190 to 00:26:9e:7b:a5:7d (TOSHiBA-PC)" pid=2357 
mac=00:26:9e:7b:a5:7d
Jul 22 12:35:28 localhost packetfence_httpd.portal: httpd.portal(14020) INFO: 
[mac:00:26:9e:7b:a5:7d] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 22 12:35:28 localhost packetfence_httpd.portal: httpd.portal(14020) ERROR: 
[mac:00:26:9e:7b:a5:7d] Error while communicating with the Fingerbank 
collector. 500 Can't connect to 127.0.0.1:4723 (Connection refused) 
(pf::fingerbank::endpoint_attributes)
Jul 22 12:35:28 localhost packetfence_httpd.portal: httpd.portal(14020) WARN: 
[mac:00:26:9e:7b:a5:7d] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
138.
 (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Jul 22 12:35:28 localhost packetfence_httpd.portal: httpd.portal(14020) ERROR: 
[mac:00:26:9e:7b:a5:7d] Error while communicating with the Fingerbank 
collector. 500 Can't connect to 127.0.0.1:4723 (Connection refused) 
(pf::fingerbank::update_collector_endpoint_data)
Jul 22 12:35:31 localhost packetfence_httpd.portal: httpd.portal(14934) INFO: 
[mac:00:26:9e:7b:a5:7d] Instantiate profile default 

[PacketFence-users] EAP-MD5 & Active Directory?

2019-07-22 Thread John Sayce via PacketFence-users
I have some phones and switches that only support EAP-MD5 authentication.

Can I use EAP-MD5 authentication with Active Directory as an authentication 
source?

I have this working with NPS.  I needed to enable EAP-MD5 in the registry and I 
had to create a different password policy to save the password using reversible 
encryption but I got it working in the end.

When I run the same authentication against packetfence I get the following 
error:

Mon Jul 22 10:13:31 2019 : Auth: (13018) Login incorrect (eap_md5: 
Cleartext-Password is required for EAP-MD5 authentication): [asd\switch1] (from 
client 10.8.4.2 port 31 cli 54:80:28:9c:50:50)
Mon Jul 22 10:13:31 2019 : Info: rlm_sql (sql): Closing connection (1665): Hit 
idle_timeout, was idle for 120 seconds
Mon Jul 22 10:13:31 2019 : Info: rlm_sql (sql): Need 1 more connections to 
reach 10 spares
Mon Jul 22 10:13:31 2019 : Info: rlm_sql (sql): Opening additional connection 
(1667), 1 of 62 pending slots used
Mon Jul 22 10:13:31 2019 : [mac:54:80:28:9c:50:50] Rejected user: asd\switch1

Is EAP-MD5 forced to use local authentication?  Or am I missing something?

Cheers




[PacketFence-users] Dynamically lookup and register nodes from an external system

2019-07-22 Thread Schmidt Korbinian via PacketFence-users
Hello PacketFence users,

I am looking for ways to automatically synchronize pre-registered nodes with an 
external system like a database.

One way to achieve this would be an application that periodically calls pfcmd 
or the HTTP API to import nodes into PacketFence.
 
Now I was just wondering if there was a way to dynamically register nodes 
during the first encounter of their MAC address.

A possible workflow would be:
  1.   If no node is found for a given MAC address in the PacketFence database, 
the system asks the external source if the node is known there (e.g. with a 
script that searches for the MAC address in a database table).
  2a. When the MAC address is found in the external system, a new node is 
created and automatically registered. This way PacketFence can immediately 
evaluate the network access (just like it would do with imported nodes).
  2b. When the MAC address is not found, the system continues with the normal 
flow for unknown nodes (e. g. putting the switch port into the registration 
VLAN).

Has anyone ever implemented something similar and can tell me if it is possible? 
Or should I stick to the periodic update approach?

Thank you and
Best regards

Korbinian Schmidt

F.EE Industrieautomation GmbH & Co KG 
In der Seugn 20, 92431 Neunburg  v. W.
Email: korbinian.schm...@fee.de


