Re: [PacketFence-users] Registration dhco

2019-08-12 Thread Domingos Varela via PacketFence-users
Hi Fabrice,

I am using the first option, but I am having problems with the pf gateway,
because I can access the registration network only from the same subnet; if
I try from another one it no longer responds ... Below is the configuration of pf.

#SWITCH

Vlan 220

interface Vlan220
 description Registration
 ip address 192.168.220.1 255.255.255.0
 ip helper-address 192.168.220.6


#PF

[interface eth1.220]
enforcement=vlan
ip=192.168.220.6
type=internal
mask=255.255.255.0
gateway=192.168.220.1

[192.168.220.0]
dns=192.168.220.6
split_network=disabled
dhcp_start=192.168.220.10
gateway=192.168.220.1
domain-name=vlan-registration.sonangol.pvt
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.220.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30


On Monday, 12/08/2019, 13:44, Fabrice Durand wrote:

> Hello Domingos,
>
> really sorry for the delay.
>
> So yes the registration and isolation vlan need to be available in all
> your switches like a normal vlan. (layer 2)
>
> The only difference is that this vlan is managed by packetfence, so pf is
> the dhcp/dns/default gateway.
>
> So let's say the reg vlan is 123 then you don't have to set a gateway on
> this vlan.
>
>
> Now let's say you want to route the registration vlan and isolation vlan.
>
> You have 2 ways to do it, the first one is to have a gateway in the vlan
> 123 and tell packetfence to use this gateway to reach the remote
> registration vlan and in the client gateway (on the other side) you need to
> set an ip-helper address to the registration interface ip of packetfence.
>
> Or you can use the management interface as a dhcp, to do that just add an
> additional daemon to the management interface (dhcp) and create a remote
> registration config that uses the gateway facing the management interface.
>
> Regards
>
> Fabrice
>
>
> On 19-08-09 at 12:03, Domingos Varela wrote:
>
> Hi Fabrice,
>
> I agree with you that it is a network problem, because the production
> network does not have access to the registration network.
>
> Should registration and isolation networks be routed or not in the
> infrastructure?
>
> If not, how do clients get to the dhcp server if they don't have access to
> the gateway of these networks?
>
> Is it possible to change the dhcp listen port to the management address?
> Thanks
>
> Regards
>
>
> On Wednesday, 7/08/2019, 16:44, Domingos Varela wrote:
>
>> Hi,
>>
>> Pf logs in attach
>>
>> Thanks
>>
>>   pf-logs.7z
>>
>> On Wednesday, 7/08/2019, 15:41, Fabrice Durand wrote:
>>
>>> Hello Domingas,
>>>
>>> the packetfence.log should be enough.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>> On 19-08-06 at 17:01, Domingos Varela wrote:
>>>
>>> Hi Patrice,
>>>
>>> Which equipment do you want the logs from?
>>> For more details I send the implementation diagram.
>>> Thanks
>>> Regards
>>>
>>> Regards,
>>>
>>> * Domingos Varela*
>>> Tel. +244 923 229 330 | Luanda - Angola
>>>
>>>
>>> Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net>
>>> wrote on Tuesday, 6/08/2019 at 20:27:
>>>
>>>> Hello Domingos,
>>>>
>>>> if the device receives an ip address from the production vlan then it
>>>> means that there is a network misconfiguration.
>>>>
>>>> Can you provide some logs?
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>>
>>>> On 19-08-05 at 10:17, Domingos Varela via PacketFence-users wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am using pf to authenticate wifi users on the network, but when a
>>>> user connects to the network he gets the IP from the data network and not
>>>> from the registration network.
>>>>
>>>> Shouldn't users receive the IP from the registration network and after
>>>> logging in receive the IP from the data network?
>>>>
>>>> Thanks
>>>> Regards
>>>>
>>>>
>>>> ___
>>>> PacketFence-users mailing list
>>>> PacketFence-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>>>> --
>>>> Fabrice Durand
>>>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>> (http://packetfence.org)
>
>
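
Added example, not part of the original messages and not PacketFence code: a small Python check that reads the stanzas Domingos posted above and reports which of the DNS, gateway and DHCP-relay roles point at PacketFence's registration interface, the relationship Fabrice describes ("pf is the dhcp/dns/default gateway"). The function name audit_registration_network and the report keys are made up for this sketch; the config values are copied from the post.

```python
import configparser
import ipaddress

# Stanzas from the post above, trimmed to the keys this check reads.
PF_CONF = """
[interface eth1.220]
ip=192.168.220.6
type=internal
mask=255.255.255.0
gateway=192.168.220.1

[192.168.220.0]
dns=192.168.220.6
dhcp_start=192.168.220.10
dhcp_end=192.168.220.246
gateway=192.168.220.1
dhcpd=enabled
named=enabled
type=vlan-registration
netmask=255.255.255.0
"""

# "ip helper-address" value from the switch's interface Vlan220 in the post.
HELPER_ADDRESS = "192.168.220.6"


def audit_registration_network(conf_text, helper_address):
    """Report, per vlan-registration network, which roles point at PacketFence.

    Hypothetical helper for this example; the report keys are not PacketFence terms.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    iface_ips = [ipaddress.ip_address(cp[s]["ip"])
                 for s in cp.sections() if s.startswith("interface ")]
    helper = ipaddress.ip_address(helper_address)
    report = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") != "vlan-registration":
            continue
        net = ipaddress.ip_network(f"{name}/{sec['netmask']}")
        # PacketFence's own address inside this network, if it has one.
        pf_ip = next((ip for ip in iface_ips if ip in net), None)
        start = ipaddress.ip_address(sec["dhcp_start"])
        end = ipaddress.ip_address(sec["dhcp_end"])
        gateway = ipaddress.ip_address(sec["gateway"])
        dns = ipaddress.ip_address(sec["dns"])
        report[name] = {
            "pf_ip": str(pf_ip) if pf_ip else None,
            "dhcpd_enabled": sec.get("dhcpd") == "enabled",
            "dns_is_pf": pf_ip is not None and dns == pf_ip,
            "gateway_is_pf": pf_ip is not None and gateway == pf_ip,
            "pool_in_subnet": start in net and end in net and start <= end,
            # Static addresses must not sit inside the lease pool.
            "pool_excludes_pf_and_gateway": not any(
                ip is not None and start <= ip <= end for ip in (pf_ip, gateway)),
            "helper_is_pf": pf_ip is not None and helper == pf_ip,
        }
    return report


if __name__ == "__main__":
    for network, checks in audit_registration_network(PF_CONF, HELPER_ADDRESS).items():
        print(network, checks)
```

For the posted stanzas the report shows gateway_is_pf as False: clients are handed 192.168.220.1, the switch's Vlan220 address, as their gateway, while DNS and the relay target are PacketFence's 192.168.220.6.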

Re: [PacketFence-users] 802.1x Accept/Reject Role Control

2019-08-12 Thread Jon Barret via PacketFence-users
Thank you so much, that solved our issues!

Jon

On Mon, Aug 12, 2019 at 8:40 AM Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jon,
>
> it's really simple, you just need to set -1 in the registration role.
>
> Then if an unreg device tries to connect then it will be rejected.
>
> Regards
>
> Fabrice
>
>
> On 19-08-09 at 11:37, Jon Barret via PacketFence-users wrote:
>
> Hello,
>
> We are currently looking into using Packetfence but are running into some
> issues. The way the network is setup we connect computers behind an IP
> phone. If we were to use VLAN isolation then once the phone would
> authenticate a computer would be able to join that Vlan is the way I
> understand it. We noticed however that we could possibly control access
> just by using roles. For example if an ip phone is in an accept role and a
> computer is in a reject role. The phone will get access to the network then
> after plugging the computer into the phone that has network access, packet
> fence will deny access because of the role associated with the mac address.
> We are wondering if there is a way to  configure roles so that whenever a
> new mac address or device is recognized instead of auto-registering this
> device can we set the role to REJECT by default. So then we could go into
> packet fence and add the mac address to an accept role giving it access if
> we knew this was a safe device. Please advise and I appreciate your help.
> Also if this isn't the best way to receive support please let me know, I'm
> going off of the packetfence's website advice.
>
> Thanks!
>
>


Re: [PacketFence-users] How to get the scan engine working?

2019-08-12 Thread Zairy Fajar via PacketFence-users
Ok I'll try it tomorrow...thanks a lot Fabrice, and everyone else

On Mon, Aug 12, 2019, 7:53 PM Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> yes, this is fingerbank that will recognize the os of the device.
>
>
> On 19-08-12 at 08:50, Fajar Zairy via PacketFence-users wrote:
>
> No it is not enabled, should I enable it??
>
> On Mon, Aug 12, 2019, 7:49 PM Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> PacketFence is not able to recognize the OS of the device.
>>
>> Is Fingerbank enabled on your system?
>>
>>
>> On 19-08-07 at 06:17, Zairy Fajar via PacketFence-users wrote:
>>
>> The packetfence.log shows:
>>
>> pfence pfqueue: pfqueue(7518) WARN: [mac: 11:3j:81:cc:cd:27] Can't find scan engine for 11:3j:81:cc:cd:27 since we don't have it's OS
>>
>> Please help.. I'm running out of time and ideas
>>
>> On Wed, Jul 31, 2019, 3:23 PM Zairy Fajar  wrote:
>>
>>> Hi,
>>> I'm sorry if this is a basic question, but I've been struggling on
>>> getting my scan engine to work on the captive portal..
>>> I followed this installation guide
>>> https://packetfence.org/doc/PacketFence_Installation_Guide.html
>>>
>>> and everything was fine until the part 6. Enabling the Captive Portal
>>>
>>> 
>>> but I want to add something else, I want to do a scan before the user is
>>> registered on the captive portal..
>>> I've tried to use both nessus and WMI, but nothing works, nothing shows
>>> on the captive portal, there was no scan initiated, and also, nothing on
>>> the packetfence.log.. nothing said anything about scan..
>>>
>>> What could be the problem?
>>> please help
>>> thanks in advance
>>>
>>>
>>


Re: [PacketFence-users] How to get the scan engine working?

2019-08-12 Thread Fabrice Durand via PacketFence-users

yes, this is fingerbank that will recognize the os of the device.


On 19-08-12 at 08:50, Fajar Zairy via PacketFence-users wrote:

No it is not enabled, should I enable it??

On Mon, Aug 12, 2019, 7:49 PM Fabrice Durand via PacketFence-users wrote:

PacketFence is not able to recognize the OS of the device.

Is Fingerbank enabled on your system?


On 19-08-07 at 06:17, Zairy Fajar via PacketFence-users wrote:

The packetfence.log shows:

pfence pfqueue: pfqueue(7518) WARN: [mac: 11:3j:81:cc:cd:27] Can't find scan engine for 11:3j:81:cc:cd:27 since we don't have it's OS

Please help.. I'm running out of time and ideas

On Wed, Jul 31, 2019, 3:23 PM Zairy Fajar <zairyfaj...@gmail.com> wrote:

Hi,
I'm sorry if this is a basic question, but I've been
struggling on getting my scan engine to work on the captive
portal..
I followed this installation guide
https://packetfence.org/doc/PacketFence_Installation_Guide.html

and everything was fine until the part 6. Enabling the Captive
Portal


but I want to add something else, I want to do a scan before
the user is registered on the captive portal..
I've tried to use both nessus and WMI, but nothing works,
nothing shows on the captive portal, there was no scan
initiated, and also, nothing on the packetfence.log.. nothing
said anything about scan..

What could be the problem?
please help
thanks in advance




Re: [PacketFence-users] How to get the scan engine working?

2019-08-12 Thread Fajar Zairy via PacketFence-users
No it is not enabled, should I enable it??

On Mon, Aug 12, 2019, 7:49 PM Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> PacketFence is not able to recognize the OS of the device.
>
> Is Fingerbank enabled on your system?
>
>
> On 19-08-07 at 06:17, Zairy Fajar via PacketFence-users wrote:
>
> The packetfence.log shows:
>
> pfence pfqueue: pfqueue(7518) WARN: [mac: 11:3j:81:cc:cd:27] Can't find scan engine for 11:3j:81:cc:cd:27 since we don't have it's OS
>
> Please help.. I'm running out of time and ideas
>
> On Wed, Jul 31, 2019, 3:23 PM Zairy Fajar  wrote:
>
>> Hi,
>> I'm sorry if this is a basic question, but I've been struggling on
>> getting my scan engine to work on the captive portal..
>> I followed this installation guide
>> https://packetfence.org/doc/PacketFence_Installation_Guide.html
>>
>> and everything was fine until the part 6. Enabling the Captive Portal
>>
>> 
>> but I want to add something else, I want to do a scan before the user is
>> registered on the captive portal..
>> I've tried to use both nessus and WMI, but nothing works, nothing shows
>> on the captive portal, there was no scan initiated, and also, nothing on
>> the packetfence.log.. nothing said anything about scan..
>>
>> What could be the problem?
>> please help
>> thanks in advance
>>
>>
>


Re: [PacketFence-users] How to get the scan engine working?

2019-08-12 Thread Fabrice Durand via PacketFence-users

PacketFence is not able to recognize the OS of the device.

Is Fingerbank enabled on your system?


On 19-08-07 at 06:17, Zairy Fajar via PacketFence-users wrote:

The packetfence.log shows:

pfence pfqueue: pfqueue(7518) WARN: [mac: 11:3j:81:cc:cd:27] Can't find scan engine for 11:3j:81:cc:cd:27 since we don't have it's OS

Please help.. I'm running out of time and ideas

On Wed, Jul 31, 2019, 3:23 PM Zairy Fajar wrote:


Hi,
I'm sorry if this is a basic question, but I've been struggling on
getting my scan engine to work on the captive portal..
I followed this installation guide
https://packetfence.org/doc/PacketFence_Installation_Guide.html

and everything was fine until the part 6. Enabling the Captive Portal


but I want to add something else, I want to do a scan before the
user is registered on the captive portal..
I've tried to use both nessus and WMI, but nothing works, nothing
shows on the captive portal, there was no scan initiated, and
also, nothing on the packetfence.log.. nothing said anything about
scan..

What could be the problem?
please help
thanks in advance





Re: [PacketFence-users] Registration dhco

2019-08-12 Thread Fabrice Durand via PacketFence-users

Hello Domingos,

really sorry for the delay.

So yes the registration and isolation vlan need to be available in all 
your switches like a normal vlan. (layer 2)


The only difference is that this vlan is managed by packetfence, so pf 
is the dhcp/dns/default gateway.


So let's say the reg vlan is 123 then you don't have to set a gateway on 
this vlan.



Now let's say you want to route the registration vlan and isolation vlan.

You have 2 ways to do it, the first one is to have a gateway in the vlan 
123 and tell packetfence to use this gateway to reach the remote 
registration vlan and in the client gateway (on the other side) you need 
to set an ip-helper address to the registration interface ip of packetfence.


Or you can use the management interface as a dhcp, to do that just add
an additional daemon to the management interface (dhcp) and create a
remote registration config that uses the gateway facing the management
interface.


Regards

Fabrice


On 19-08-09 at 12:03, Domingos Varela wrote:

Hi Fabrice,

I agree with you that it is a network problem, because the production 
network does not have access to the registration network.


Should registration and isolation networks be routed or not in the 
infrastructure?


If not, how do clients get to the dhcp server if they don't have 
access to the gateway of these networks?


Is it possible to change the dhcp listen port to the management address?
Thanks

Regards


On Wednesday, 7/08/2019, 16:44, Domingos Varela wrote:

Hi,

Pf logs in attach

Thanks

pf-logs.7z

On Wednesday, 7/08/2019, 15:41, Fabrice Durand <fdur...@inverse.ca> wrote:

Hello Domingas,

the packetfence.log should be enough.

Regards

Fabrice


On 19-08-06 at 17:01, Domingos Varela wrote:

Hi Patrice,

Which equipment do you want the logs from?
For more details I send the implementation diagram.
Thanks
Regards

Regards,

*Domingos Varela*
Tel. +244 923 229 330 | Luanda - Angola


Fabrice Durand via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote on
Tuesday, 6/08/2019 at 20:27:

Hello Domingos,

if the device receives an ip address from the production
vlan then it means that there is a network misconfiguration.

Can you provide some logs?

Regards

Fabrice


On 19-08-05 at 10:17, Domingos Varela via
PacketFence-users wrote:

Hi,

I am using pf to authenticate wifi users on the network,
but when a user connects to the network he gets the IP
from the data network and not from the registration
network.

Shouldn't users receive the IP from the registration
network and after logging in receive the IP from the
data network?

Thanks
Regards




Re: [PacketFence-users] 802.1x Accept/Reject Role Control

2019-08-12 Thread Fabrice Durand via PacketFence-users

Hello Jon,

it's really simple, you just need to set -1 in the registration role.

Then if an unreg device tries to connect then it will be rejected.

Regards

Fabrice


On 19-08-09 at 11:37, Jon Barret via PacketFence-users wrote:

Hello,

We are currently looking into using Packetfence but are running into 
some issues. The way the network is setup we connect computers behind 
an IP phone. If we were to use VLAN isolation then once the phone 
would authenticate a computer would be able to join that Vlan is the 
way I understand it. We noticed however that we could possibly control 
access just by using roles. For example if an ip phone is in an accept 
role and a computer is in a reject role. The phone will get access to 
the network then after plugging the computer into the phone that has 
network access, packet fence will deny access because of the role 
associated with the mac address. We are wondering if there is a way 
to  configure roles so that whenever a new mac address or device is 
recognized instead of auto-registering this device can we set the role 
to REJECT by default. So then we could go into packet fence and add 
the mac address to an accept role giving it access if we knew this was 
a safe device. Please advise and I appreciate your help. Also if this
isn't the best way to receive support please let me know, I'm going
off of the packetfence's website advice.


Thanks!

