[PacketFence-users] PF 10.2 - 802.1x for wired clients proxied to another radius server?

2020-11-10 Thread Peter Eriksson via PacketFence-users
Setup: switches supporting ports with
- MAC-based authentication
- 802.1x (user+password) authentication

There is a separate RADIUS (eduroam) server that handles the 802.1x
user+password stuff, so the PF servers just proxy the incoming 802.1x EAP
requests to the other RADIUS server, and if it grants access then PF assigns a
role to the port and things work fine.

I have this set up on PF v6 servers just fine, but I'm struggling to get the
802.1x part to work on v10.2 for some reason.

I configured the DEFAULT realm to proxy requests to the RADIUS server, and it
seems to receive and return the requests. Debugging it is a bit difficult since
running "radius -X" as the documentation recommends doesn't seem to work
(it complains about needing to use threads for TLS to work). raddebug gives... a
lot of output though :)

Has anyone succeeded in getting this fairly simple (at least I think so :-)
setup to work?

All the documentation pointers I located using Google just talk about really 
old PF versions (which worked for my old servers), and the radius config in v10 
is radically different…

- Peter




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] captive portal: the captive portal does not appear when I am in the registration Vlan

2020-11-10 Thread Abdoul Raouf Diabagate via PacketFence-users
I just installed PacketFence version 10.2 ZEN. After following the setup
guide I want to do my first test. The test with the 802.1X supplicant works
and the client is dynamically registered in the correct VLAN.

However, when I want to test the captive portal, I plug a Windows computer
into one of the switch ports. After a few minutes, the computer is placed
in my registration VLAN and receives a dynamic IP address from
PacketFence, and I am redirected to the address
http://192.168.222.129/Cisco::Catalyst_2960/sidceab07.
After a few minutes of waiting, the browser displays 'waiting time exceeded'.

However, when I manually move a switch port into the registration VLAN
and plug in a computer, the portal page displays automatically.

Any ideas?

[switch port conf]
interface FastEthernet0/12
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 7200
 authentication violation replace
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3

[Packetfence LOG]

Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] handling radius autz request: from switch_ip => (192.168.222.130), connection_type => Ethernet-NoEAP,switch_mac => (88:90:8d:30:60:0c), mac => [b0:6e:bf:ab:3a:fe], port => 10012, username => "b06ebfab3afe" (pf::radius::authorize)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] Instantiate profile noEAP (pf::Connection::ProfileFactory::_from_profile)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added VLAN 120 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] Adding web authentication redirection to reply using role: 'registration' and URL: 'http://192.168.222.129/Cisco::Catalyst_2960/sidc3b51a' (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: Using 300 resolution threshold (pf::pfcron::task::cluster_check::run)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1487) INFO: processed 0 security_events during security_event maintenance (1605013256.13453 1605013256.14244)  (pf::security_event::security_event_maintenance)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1487) INFO: processed 0 security_events during security_event maintenance (1605013256.1439 1605013256.14699)  (pf::security_event::security_event_maintenance)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1485) INFO: getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) WARN: [mac:b0:6e:bf:ab:3a:fe] Unable to match MAC address to IP '192.168.120.103' (pf::ip4log::ip2mac)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) INFO: [mac:b0:6e:bf:ab:3a:fe] oldip (192.168.120.53) and newip (192.168.120.103) are different for b0:6e:bf:ab:3a:fe - closing ip4log entry (pf::api::update_ip4log)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(26901) WARN: [mac:b0:6e:bf:ab:3a:fe] Unable to pull accounting history for device b0:6e:bf:ab:3a:fe. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(26901) WARN: [mac:b0:6e:bf:ab:3a:fe] Unable to pull accounting history for device b0:6e:bf:ab:3a:fe. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Nov 10 13:01:56 packetfence packetfence: pfperl-api(1485) INFO: getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
Nov 10 13:01:56 packetfence packetfence: pfperl-api(1486) INFO: processed 0 security_events during security_event maintenance (1605013316.14234 1605013316.1507)  (pf::security_event::security_event_maintenance)
Nov 10 13:01:56 packetfence packetfence: pfperl-api(1486) INFO: processed 0 security_events during security_event maintenance (1605013316.15212 1605013316.1)  (pf::security_event::security_event_maintenance)
Nov 10 13:01:56 packetfence packetfence: pfperl-api(1485) INFO: Using 300 resolution threshold
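The log excerpt above already tells the whole story for this client: a RADIUS authorization from switch 192.168.222.130 over Ethernet-NoEAP (MAB), VLAN 120 plus the registration role, a web-authentication redirect to 192.168.222.129, and a minute later an IP change to 192.168.120.103 that pfqueue could not map back to the MAC. The script below, added here as an example for this page (it is not PacketFence's own code), pulls those fields out per MAC with regular expressions and then flags the one thing worth checking first when the browser ends in 'waiting time exceeded': the portal host the switch was told to redirect to lies outside the client's subnet, so a host in VLAN 120 must be able to route to 192.168.222.129 (and the Catalyst must actually intercept the redirect, which is global rather than per-port configuration, so it would not show in the interface block posted). SAMPLE_LOG is the post's excerpt with the extraction line-wraps rejoined; the /24 prefix length for the client network is an assumption, since the log carries no netmask.

```python
"""Correlate PacketFence httpd.aaa and pfqueue log lines per client MAC.

Added example for this page, not PacketFence code. It reads packetfence.log
style lines, keeps the RADIUS decision (switch, port, VLAN, role, redirect
URL) and the ip4log events for each MAC, and flags a redirect target that sits
outside the client's own subnet. SAMPLE_LOG is the post's excerpt with the
extraction line-wraps joined; CLIENT_PREFIXLEN is an assumption.
"""
import ipaddress
import re
import sys
from urllib.parse import urlsplit

CLIENT_PREFIXLEN = 24  # assumed: the log shows no netmask for the VLAN 120 network

SAMPLE_LOG = """\
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] handling radius autz request: from switch_ip => (192.168.222.130), connection_type => Ethernet-NoEAP,switch_mac => (88:90:8d:30:60:0c), mac => [b0:6e:bf:ab:3a:fe], port => 10012, username => "b06ebfab3afe" (pf::radius::authorize)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added VLAN 120 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: [mac:b0:6e:bf:ab:3a:fe] Adding web authentication redirection to reply using role: 'registration' and URL: 'http://192.168.222.129/Cisco::Catalyst_2960/sidc3b51a' (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) WARN: [mac:b0:6e:bf:ab:3a:fe] Unable to match MAC address to IP '192.168.120.103' (pf::ip4log::ip2mac)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) INFO: [mac:b0:6e:bf:ab:3a:fe] oldip (192.168.120.53) and newip (192.168.120.103) are different for b0:6e:bf:ab:3a:fe - closing ip4log entry (pf::api::update_ip4log)
"""

# Every interesting line carries the client MAC in a "[mac:...]" prefix.
MAC = r"\[mac:(?P<mac>[0-9a-f:]{17})\] "
PATTERNS = {
    "authz": re.compile(MAC + r"handling radius autz request: from switch_ip => \((?P<switch>[\d.]+)\), "
                        r"connection_type => (?P<conn>[\w-]+),.*port => (?P<port>\d+)"),
    "vlan": re.compile(MAC + r"\([\d.]+\) Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept"),
    "role": re.compile(MAC + r"\([\d.]+\) Added role (?P<role>\S+) to the returned RADIUS Access-Accept"),
    "redirect": re.compile(MAC + r"Adding web authentication redirection to reply using role: '[^']*' "
                           r"and URL: '(?P<url>[^']+)'"),
    "ip_change": re.compile(MAC + r"oldip \((?P<old>[\d.]+)\) and newip \((?P<new>[\d.]+)\) are different"),
    "ip_unmatched": re.compile(MAC + r"Unable to match MAC address to IP '(?P<ip>[\d.]+)'"),
}


def summarize(log_text):
    """Return {mac: {...}} with the RADIUS decision and ip4log events seen per client."""
    clients = {}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            e = clients.setdefault(m["mac"], {"ips": [], "unmatched_ips": []})
            if kind == "authz":
                e.update(switch=m["switch"], connection_type=m["conn"], port=m["port"])
            elif kind == "vlan":
                e["vlan"] = m["vlan"]
            elif kind == "role":
                e["role"] = m["role"]
            elif kind == "redirect":
                e["redirect_url"] = m["url"]
            elif kind == "ip_change":
                e["ips"] += [m["old"], m["new"]]
            else:  # ip_unmatched
                e["unmatched_ips"].append(m["ip"])
    return clients


def findings(clients, client_prefixlen=CLIENT_PREFIXLEN):
    """Flag clients sent a portal URL whose host is outside their own subnet."""
    out = []
    for mac, e in clients.items():
        if "redirect_url" not in e or not e["ips"]:
            continue
        try:
            portal = ipaddress.ip_address(urlsplit(e["redirect_url"]).hostname or "")
        except ValueError:
            continue  # redirect by hostname: resolve it before comparing
        subnet = ipaddress.ip_network(f"{e['ips'][-1]}/{client_prefixlen}", strict=False)
        if portal not in subnet:
            out.append(f"{mac}: portal {portal} is outside the client's subnet {subnet} "
                       f"(VLAN {e.get('vlan')}, role {e.get('role')}); check that a host in "
                       f"that VLAN can reach the portal before suspecting the portal itself")
    return out


if __name__ == "__main__":
    # Usage: python pf_redirect_check.py [/usr/local/pf/logs/packetfence.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    clients = summarize(text)
    for mac, e in clients.items():
        print(mac, e)
    for hit in findings(clients):
        print("CHECK:", hit)
```

Run it against the real packetfence.log to get the same per-MAC summary for every client the switch sent through web authentication; lines from pfperl-api and other daemons are ignored, so the whole file can be fed in unfiltered.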

Re: [PacketFence-users] Different Vlan domain clients no domain clients

2020-11-10 Thread Enrique Gross via PacketFence-users
Uzzi,

Hi!

I'm doing some testing with Mikrotik and PacketFence. I'm interested in PPP
authentication, CAPSMAN and MAB authentication with VLAN assignment, and
Mikrotik has also implemented dot1x in their latest RouterOS versions, so I
would like to test that too.

What stage are you at with your project? Have you already implemented CAPSMAN
with RADIUS auth and the PacketFence Mikrotik switch module?

I had successfully configured CAPSMAN with PF a few months ago; I had to
stop that testing but I am coming back to my test environment now.

Regarding your question, I think you could assign a role to your "known"
domain devices via MAC-Auth and then the appropriate VLAN; your "not known"
devices will face the captive portal to evaluate access and the appropriate VLAN.

If working with AD, I think WPA Enterprise is the way to go, I have not
really joined all the concepts on that matter yet.

Have a nice day.

Enrique





On Mon, 9 Nov 2020 at 9:40, Andrea Lenarduzzi via PacketFence-users (<
packetfence-users@lists.sourceforge.net>) wrote:

> Yes Enrique, I'm using CAPSMAN
> On Monday 9 November 2020, 11:50:23 CET, Enrique Gross <
> egr...@jcc-advance.com.ar> wrote:
>
>
> Hi Uzzi
>
> Are you using CAPSMAN, on Mikrotik?
>
> Enrique
>
> On Mon, 9 Nov 2020 at 3:27, Andrea Lenarduzzi via PacketFence-users (<
> packetfence-users@lists.sourceforge.net>) wrote:
>
> Hi, I have this issue:
>
> one Mikrotik controller with SSID
> vlan isolation
> vlan registration
> vlan DomainLaptop
> vlan NOdomainLaptop
>
> Can I assign Domain clients the VLAN DomainLaptop and non-Domain clients the VLAN
> NOdomainLaptop?
>
> Then, later, I want to extend this feature to desktop clients.
>
> Thank you
> Regards
> Uzzi


Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-10 Thread E.P. via PacketFence-users
Since this group suddenly became alive, I dare to ask my previous question again.

How would I install a wildcard SSL certificate on PF? See more details below.

Eugene

From: E.P.
Sent: Saturday, October 31, 2020 2:43 PM
To: packetfence-users@lists.sourceforge.net
Subject: Wildcard SSL certificate installation on PF

Guys,

I'm trying to overcome the issue with the self-signed SSL certificate that PF
offers to WiFi authentication via the captive portal.

This is the certificate that is in use for HTTPS sessions:

Certificate/Key match
Chain is invalid
common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
issuer: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
not_after: Oct 7 15:29:09 2021 GMT
not_before: Oct 7 15:29:09 2020 GMT
serial: A500DC03671C0E35
subject: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca

Is there any way to import and install a company wildcard SSL certificate into
PF?

Eugene



[PacketFence-users] Ip accounting...

2020-11-10 Thread Enrico via PacketFence-users

Dear PF users,
I'm using PF 8.3.0 with CentOS 7.6. I've got some "profiles" to manage
WiFi and cabled networks. Everything runs fine but I have a question about
the Report and Bandwidth consumers feature. As you know, the dashboard shows
some information about accounting, for example Top 25 Bandwidth
Consumer. In this case, when I change the period and select 30 or 60 days
it shows the same data. It seems that there aren't any old accounting records.

This server has been in production for a long time, so I'm sure that there is
some activity that I can't see inside this report.

Any ideas?

Many thanks
Best Regards
Enrico

--
Enrico Becchetti    Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli, c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone: +39 075 5852777   Skype: enrico_becchetti
Mail: Enrico.Becchettipg.infn.it





[PacketFence-users] Integration of PacketFence with Cisco WLC for Guests

2020-11-10 Thread Ezeh Victor via PacketFence-users
Hi,

Please, I need assistance with figuring out how I can integrate PacketFence with
Cisco WLC.

Any assistance will be appreciated.

Regards.


Re: [PacketFence-users] AD Authentication source

2020-11-10 Thread Ludovic Zammit via PacketFence-users
Hello Boris,

Try to do an LDAP search from your PacketFence server and see if it works 
better.

yum install ldap-utils

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Nov 10, 2020, at 2:34 AM, Boris Ebwanga via PacketFence-users 
>  wrote:
> 
> Hi!
> I have been trying to add an AD authentication source to PacketFence. But I can't 
> figure out what the Bind DN should be. 
> 
> I have tried putting an administrator of my AD domain controller but yet no 
> success.
> Could anyone help me ?
> 
> The bind DN I used : CN=Administrator,CN=Users,DC=company,DC=enb,DC=cm
> The error message : Can't connect to server or bind with 
> 'CN=Administrator,CN=Users,DC=company,DC=enb,DC=c' on 192.168.211.129:389 
>  
> 
> I am using samba as AD DC.
> Thanks


Re: [PacketFence-users] pf & wired 802.1x authentication | windows updates

2020-11-10 Thread mj via PacketFence-users

Hi,

Thank you Fabrice and Ludovic Zammit (and thanks for the cc, as I did 
not receive your reply via the list...) for your excellent suggestions!


I will take a look first at Ludovic Zammit's suggestion, as you are right: 
it's the "unknown CA" issue.


The question (for me) is: how to "issue a certificate from a MS PKI for 
example (AD CS)"


New stuff to me. We're running a samba AD.

If anyone has documented how to do that, I would appreciate some help. 
But for now I'll give good ol' google a go. :-)


Thanks again!

MJ

On 11/10/20 2:47 AM, Durand fabrice via PacketFence-users wrote:

Hello mj,

if the devices are joined to the domain then you can probably play with 
the GPO.


You can have a configuration on the switch port with 802.1x/mab, so when 
the device loses the supplicant configuration it will go into the 
registration vlan.


And on the PacketFence side you can enable the domain passthrough (to 
allow the device to reach the AD from the reg vlan); then the device will 
update its GPO and reconfigure the supplicant.


Regards

Fabrice


On 2020-11-09 at 10:45, mj via PacketFence-users wrote:

Hi,

We are using packetfence with 802.1x authentication on our wired 
network. This works nicely.


However, what we have now repeatedly seen is that after (bigger) 
Windows updates, the Windows 10 clients' 802.1x authentication 
configuration is reset back to the default -> no network for the 
Windows client.


I know this is not packetfence's fault, but talking to microsoft is 
difficult. :-)


So, is anyone else here using wired 802.1x and seeing this same 
behaviour?


Anyone with a clue on how to STOP this from happening?

As the workstations then have NO connectivity, the only solution is to 
walk to them, and re-configure the settings. (or turn off 
authentication on the switch)


Curious about your experiences.

MJ




[PacketFence-users] AD Authentication source

2020-11-10 Thread Boris Ebwanga via PacketFence-users
Hi!
I have been trying to add an AD authentication source to PacketFence. But I
can't figure out what the Bind DN should be.

I have tried putting an administrator of my AD domain controller but yet no
success.
Could anyone help me ?

The bind DN I used: CN=Administrator,CN=Users,DC=company,DC=enb,DC=cm
The error message: Can't connect to server or bind with
'CN=Administrator,CN=Users,DC=company,DC=enb,DC=c' on 192.168.211.129:389

I am using samba as AD DC.
Thanks
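Ludovic's advice (test the bind from the PacketFence host with an LDAP client) and Boris's error come down to one check: does a plain LDAPv3 simple bind with that DN succeed against 192.168.211.129:389 from the PacketFence box? The message "Can't connect to server or bind with ..." does not say whether the TCP connection or the bind itself failed. The probe below, an added example written for this page rather than PacketFence's own code, builds the BindRequest by hand from the RFC 4511 ASN.1 (stdlib only, no third-party LDAP module), sends it, and decodes the BindResponse so that the two failure stages are reported separately, with the LDAP resultCode (49 invalidCredentials, 32 noSuchObject, ...) whenever the server actually answers. bind_response() exists only to construct a server reply for offline testing; the host, port and DN in the usage line are assumptions taken from the thread.

```python
"""Probe an LDAP simple bind the way PacketFence's AD source performs it.

Added example for this page, not PacketFence code. Encodes an LDAPv3
BindRequest (RFC 4511) in BER by hand, sends it, and decodes the BindResponse,
so a TCP-level failure is reported separately from an LDAP-level refusal.
The host, port and DN used in __main__ are assumptions from the thread.
"""
import socket
import sys

# Common LDAPResult codes (RFC 4511, Appendix A).
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def ber_len(n):
    """BER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value, tag=0x02):
    """Two's-complement big-endian INTEGER (tag 0x02) or ENUMERATED (tag 0x0a)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return tlv(tag, body)


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + bind)


def bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """Encode a BindResponse [APPLICATION 1]; used here only to build test data offline."""
    result = ber_int(result_code, tag=0x0A) + tlv(0x04, matched_dn.encode()) + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))


def read_tlv(buf, pos=0):
    """Return (tag, payload, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf):
    """Decode resultCode, matchedDN and diagnosticMessage from a BindResponse."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got tag 0x{op_tag:02x}")
    _, code, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": rc,
        "result": RESULT_CODES.get(rc, f"unknown({rc})"),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def check_bind(host, port, dn, password, timeout=5.0):
    """Connect, bind, and report which stage failed (transport vs. LDAP result)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request(1, dn, password))
            data = sock.recv(4096)  # a BindResponse is small; one segment in practice
    except OSError as exc:
        return {"stage": "connect", "error": str(exc)}
    if not data:
        return {"stage": "bind", "error": "server closed the connection without a BindResponse"}
    return {"stage": "bind", **parse_bind_response(data)}


if __name__ == "__main__":
    # Usage: python ldap_bind_probe.py 192.168.211.129 389 'CN=Administrator,CN=Users,DC=company,DC=enb,DC=cm'
    import getpass
    host, port, dn = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(check_bind(host, port, dn, getpass.getpass("bind password: ")))
```

The same check with the OpenLDAP client tools is "ldapsearch -x -H ldap://192.168.211.129 -D 'CN=Administrator,CN=Users,DC=company,DC=enb,DC=cm' -W -b 'DC=company,DC=enb,DC=cm' -s base"; on CentOS/RHEL the package that provides ldapsearch is openldap-clients (ldap-utils is the Debian/Ubuntu package name). Active Directory and Samba AD DCs also accept the userPrincipalName form (Administrator@company.enb.cm) as the name in a simple bind, which sidesteps DN typos entirely. A resultCode of 49 means the DC was reached and the DN or password was rejected; a "connect" stage error means the 389/tcp path from the PacketFence host is the problem, not the credentials.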