Re: [PacketFence-users] Question about "web log apache aaa bad requests"

2021-11-02 Thread Fabrice Durand via PacketFence-users
Hello Adrian,

most of the requests are from the radius probe from the switch.
Probably that is configured on your switch:

automate-tester username dummy ignore-acct-port idle-time 3

So it looks to be normal.

Regards
Fabrice

On Tue, 2 Nov 2021 at 04:08, Adrian Dessaigne wrote:

> Hello Fabrice,
>
> Thanks for your answer. I did a packet sniffing with the command and here
> is the result :
> https://pastebin.com/d3VLaLvT
> (Pastebin code in case the link is deleted : d3VLaLvT)
>
> I see two different packets :
> One with the "CLI or VPN access not allowed from this switch". I don't get
> that error message since I don't know when PF needs to access the CLI and
> the login parameters are good.
> Another one with : "[truncated] Scoreboard: _KKK__K_WK_K"
>
> Thanks for your help.
>
> Adrian.
>
>
> --
> *From: *"Fabrice Durand" 
> *To: *"packetfence-users" 
> *Cc: *"ADE" 
> *Sent: *Friday 29 October 2021 14:39:43
> *Subject: *Re: [PacketFence-users] Question about "web log apache aaa bad
> requests"
>
> Hello Adrian,
> you can try that to see exactly what happens:
>
> tshark -i any -f "port 7070" -Y "http.request || http.response" -V
>
>
> Regards
> Fabrice
>
> On Tue, 26 Oct 2021 at 05:56, Adrian Dessaigne via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi again,
>>
>> I'm trying to find out where I get this message from, and I compared the log
>> files with our secondary backup server.
>> In the file httpd.aaa.access I still get spammed with those :
>>
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 33865 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3727 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5643 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:06 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:06 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3873 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3882 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 29848 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 31987 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:08 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:08 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 786 29763 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6815 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4121 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:10 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:10 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4211 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3960 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3636 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4949 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
>> "POST 
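As an added example (not part of the thread or of PacketFence), a stdlib-only Python parser for the httpd.aaa.access format quoted above: it summarises requests by client, user agent, path and status, and flags windows in which the 401 count on a path exceeds a threshold, so the steady trickle from a switch's RADIUS probe can be told apart from a flood. The sample lines (including the 200 entry) are constructed from the format shown in the thread, and the 10-second window and threshold of 5 are assumptions.

```python
"""Summarise PacketFence httpd.aaa access-log lines of the kind quoted in the thread.

Added example: not PacketFence code. The sample log below is constructed from the
format shown in the thread; field meanings beyond status/path/UA are not assumed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# One line looks like (as quoted in the thread):
#   Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
#   "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
# The three numbers after the status are captured as-is ("nums"): the thread does not
# name them, so this parser does not guess at their meaning.
LOG_RE = re.compile(
    r'^(?P<syslog>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<prog>[\w.]+): '
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<nums>\d+ \d+ \d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

# Constructed sample input: five probe-style 401s, one 200 and one junk line.
SAMPLE_LOG = """\
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:06 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:06 +0200] "POST //radius/rest/authorize HTTP/1.1" 200 512 790 8120 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
this line is not in the access-log format and must be skipped, not guessed at
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache-style timestamp with numeric offset, e.g. 26/Oct/2021:11:14:03 +0200
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every matching line of a log; non-matching lines are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def summarize(records):
    """Count requests by (client, user agent, path, status)."""
    return Counter((r["client"], r["ua"], r["path"], r["status"]) for r in records)


def find_bursts(records, path="//radius/rest/authorize", status=401,
                window=timedelta(seconds=10), threshold=5):
    """Return (window_start, count) for every window, anchored on a matching request,
    that holds at least `threshold` requests with the given path and status.

    A periodic probe produces a low, steady count and stays under the threshold;
    a flood of failed authorizations does not. Window and threshold are assumptions.
    """
    times = sorted(r["time"] for r in records
                   if r["status"] == status and r["path"] == path)
    bursts = []
    j = 0  # right edge of the sliding window; only ever moves forward
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start < window:
            j += 1
        count = j - i
        if count >= threshold:
            bursts.append((start, count))
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).most_common():
        print(n, *key)
    for start, n in find_bursts(recs):
        print(f"burst: {n} x 401 within 10s starting {start.isoformat()}")
```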

Re: [PacketFence-users] Restarting service in a cluster

2021-11-02 Thread Zammit, Ludovic via PacketFence-users
Hello Jakob,

You can’t, the feature is not there yet.

You will need to either SSH into each server and restart services manually or 
go on each web management interface on each server and restart services without 
the help of the web admin.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Nov 1, 2021, at 5:25 PM, Jakob Ackermann via PacketFence-users wrote:
> 
> Hello,
> 
> I'm trying to figure out how to restart a service in a cluster from the 
> command line. After distributing my certificates using 
> `/usr/local/pf/bin/cluster/sync --file /usr/local/pf/conf/ssl/server.pem 
> --as-master` I would like to let every server in the cluster restart a 
> service. Similar to `/usr/local/pf/bin/pfcmd service haproxy-admin restart` 
> but for the whole cluster. Any idea how I could accomplish that?
> 
> Thanks
> Jakob Ackermann
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!EZV2Lxgteeg-MydB8OuMN1UcZLSqpojO3v0TkCZDfzFrYvEG__E3EhUmSktHbmhG$
>  





Re: [PacketFence-users] AD user group in the authentication source

2021-11-02 Thread E.P. via PacketFence-users
Thank you, Aaron and Ludovic,

This is weird. Here’s how the authentication rule looks in my AD source

 



 

Now, I’m testing the user that is NOT a member of Staff-WiFi AD group

 

 

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XX 
OPTIONS-AD-SOURCE

Testing authentication for "fake.user"

 

Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'

  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication 
successful.)

  Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi

set_role : Staff-WiFi

set_unreg_date : 2022-12-31

  Did not match against OPTIONS-AD-SOURCE for 'administration' rules

 

Eugene

 

From: Aaron Zuercher  
Sent: Tuesday, November 02, 2021 10:52 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P. 
Subject: Re: [PacketFence-users] AD user group in the authentication source

 

Mine is setup for memberOf equals "full DN of Group"

 

Aaron

 

On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

I dare ask a stupid question.

What is the correct way to create a condition in the authentication source 
based on AD to verify a user's specific group membership?

I created a condition based on the “memberOf” attribute which is equal to the DN of 
the group. It seems it doesn’t apply, or rather isn’t verified.

Any user from the AD domain who authenticates can connect via RADIUS.

 

Eugene



Re: [PacketFence-users] Rejected users logging via Windows

2021-11-02 Thread Zammit, Ludovic via PacketFence-users
Hello EP,

It looks like the certificate passed to PF was not correct.

Use the command:

raddebug -f /usr/local/pf/var/run/radiusd.sock

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Nov 2, 2021, at 3:07 AM, E.P. via PacketFence-users wrote:
> 
> Hello,
> A while ago someone asked here this question and there was no reply.
> I hit it again and I have no clue; out of the blue, all authentication attempts 
> from Windows OS fail:
>  
> Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
> Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert 
> read:fatal:access denied
> Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: 
> it.tech 
> Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) 
> Alert read:fatal:access denied): [it.tech ] (from client 
> 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)
>  
> No problem with mobile phones.
> Trying to run RADIUS in the debug mode using the old radiusd -X command but 
> on ver 11 it can’t be found anymore.
> Any ideas ?
>  
> Eugene


Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

2021-11-02 Thread Federico Alberto Sayd via PacketFence-users
Hello Eugene

That is the format that Unifi Controller uses to redirect to an external
captive portal. You shouldn't worry about the URL format because PF
redirects this request to the PF portal.

You have two ways to add APs to PacketFence. You can add every AP as a
switch. You need to specify the AP MAC address and the parameters to
connect to Unifi Controller (IP, user and password).

The second method is adding the controller as a switch. You need to add the
controller's IP address in "IP Address/MAC Address/Range (CIDR)", select
"Ubiquiti::Unifi" as type and also specify the controller's address again
in the "Controller IP Address".

Then you need to restart pfcron, run the task pfcron ubiquiti_ap_mac_to_ip
and check the cached APs with the command "/usr/local/pf/bin/pfcmd cache
switch_distributed list".

You can configure the certificates used for the portal in https://
:1443/admin#/configuration/certificate/http

On Tue, 2 Nov 2021 at 2:26, E.P. wrote:

> I’m jumping into this thread as it got my interest as well because we are
> with Unifi and planning to deploy guest WiFi with WebAuth via the portal.
>
> In the URL that Fabrice advised to configure I believe “s” is for the site
> name ?
>
> http:///guest/s/default/
>
> which is normally a random alphanumeric string ?
>
>
>
> Also, the output of “usr/local/pf/bin/pfcmd cache switch_distributed list”
> doesn’t show me any lists of APs. Is it supposed to be empty ? I have few
> AP already serving users and acting as RADIUS clients. I have them added by
> IP address.
>
> I ran this one as well before:
>
> /usr/local/pf/bin/pfcmd pfcron ubiquiti_ap_mac_to_ip
>
>
>
> For the certificates I understand it has to be placed into this folder, am
> I correct ?
>
>
>
> Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert +
> intermediate)
>
>
>
> Eugene
>
>
>
> *From:* Federico Alberto Sayd via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Monday, November 01, 2021 9:59 AM
> *To:* Fabrice Durand 
> *Cc:* Federico Alberto Sayd ; egr...@jcc.com.ar;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Trouble trying to enable captive
> portal with Unifi Controller (WebAuth)
>
>
>
> Hi Fabrice:
>
>
>
> I am running Unifi Controller 6.4.54
>
>
>
> I reworked my setup from scratch following Enrique's directions and it
> worked ok, then I rebooted the server and it didn't work anymore.
>
>
>
> Now the packetfence.log shows this error when I want to
> authenticate clients using APs managed by Unifi Controller:
>
>
>
> Nov  1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]:
> httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Can not load perl module
> for switch
> f0:9f:c2:f0:07:42, type: Ubiquiti::Unifi . The type is unknown or the perl
> module has compilation errors.  (pf::SwitchFactory::instantiate)
> Nov  1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]:
> httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Unable to instantiate
> switch object
> using switch_id 'f0:9f:c2:f0:07:42' (pf::web::externalportal::handle)
>
>
>
> Can you help me with this error?
>
>
>
> Thank you
>
>
>
> Federico
>
>
>
> On Fri, 29 Oct 2021 at 9:31, Fabrice Durand wrote:
>
> Hello Frederico,
>
>
>
> what version of the ubiquiti controller are you running ?
>
> Also did you define the switch in the packetfence configuration (like by
> ip or mac ?)
>
>
>
> Last thing, can you try that http:///guest/s/default/
> (notice the / at the end).
>
>
>
> Regards
>
> Fabrice
>
>
>
>
>
> On Wed, 27 Oct 2021 at 02:27, Federico Alberto Sayd via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi Enrique:
>
> I followed the docs and added Unifi Controller as a switch and configured
> the web service credentials. PF automatically retrieves the APs managed by
> Unifi Controller (I checked with the command  "/usr/local/pf/bin/pfcmd
> cache switch_distributed list".
>
> I don't know if there is some difference in adding every AP as a switch.
>
> What do you mean by "valid certificate"? An HTTPS certificate for the
> captive portal?
>
> I don't know how to configure the roles tab for the Unifi Controller in
> PF. I don't know how to construct the URL that goes in "Registration" in
> "Role Mapping by WebAuth URL".
>
> Did you configure the roles tab in your setup?
>
> Thanks for your help
>
>
>
>
>
> On Tue, 26 Oct 2021 at 10:10, Enrique Gross wrote:
>
> Hi Federico
>
>
>
> We don't use webauth with Unifi, but I remember there was a post about
> this issue.
>
>
>
> After adding the Unifi Controller to PF, have you tried to add the unifi
> APs as a switch (by mac address)? Also, have you got a valid certificate on
> PF?
>
>
>
> On the unifi side I use the "use secure portal" option and the DNS redirect option.
>
>
>
> I have done a quick test on this, I'm redirected to the pf portal.
>
>
>
>
>
> Enrique
>
>
>
>
>
>
>
> El lun, 25 oct 2021 a las 2:33, Federico Alberto Sayd via
> 

Re: [PacketFence-users] AD user group in the authentication source

2021-11-02 Thread Zammit, Ludovic via PacketFence-users
Hello EP,

You are correct.

memberof equals distinguishedName

Then test it out with the command:

/usr/local/pf/bin/pftest authentication USERNAME ""

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Nov 2, 2021, at 1:40 AM, E.P. via PacketFence-users wrote:
> 
> I dare ask a stupid question.
> What is the correct way to create a condition in the authentication source 
> based on AD to verify a user's specific group membership?
> I created a condition based on the “memberOf” attribute which is equal to the DN 
> of the group. It seems it doesn’t apply, or rather isn’t verified.
> Any user from the AD domain who authenticates can connect via RADIUS.
>  
> Eugene


Re: [PacketFence-users] AD user group in the authentication source

2021-11-02 Thread Aaron Zuercher via PacketFence-users
try memberOF equals
also my rules are set to MATCHES:  ALL
not sure if that would matter


On Tue, Nov 2, 2021 at 1:01 PM E.P.  wrote:

> Thank you, Aaron and Ludovic,
>
> This is weird. Here’s how the authentication rule looks in my AD source
>
>
>
>
>
> Now, I’m testing the user that is NOT a member of Staff-WiFi AD group
>
>
>
>
>
> root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user
> XX OPTIONS-AD-SOURCE
>
> Testing authentication for "fake.user"
>
>
>
> Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
>
>   Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication
> successful.)
>
>   Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi
>
> set_role : Staff-WiFi
>
> set_unreg_date : 2022-12-31
>
>   Did not match against OPTIONS-AD-SOURCE for 'administration' rules
>
>
>
> Eugene
>
>
>
> *From:* Aaron Zuercher 
> *Sent:* Tuesday, November 02, 2021 10:52 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* E.P. 
> *Subject:* Re: [PacketFence-users] AD user group in the authentication
> source
>
>
>
> Mine is setup for memberOf equals "full DN of Group"
>
>
>
> Aaron
>
>
>
> On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> I dare ask a stupid question.
>
> What is the correct way to create a condition in the authentication source
> based on AD to verify a user's specific group membership?
>
> I created a condition based on the “memberOf” attribute which is equal to the
> DN of the group. It seems it doesn’t apply, or rather isn’t verified.
>
> Any user from the AD domain who authenticates can connect via RADIUS.
>
>
>
> Eugene
>


Re: [PacketFence-users] Rejected users logging via Windows

2021-11-02 Thread Zammit, Ludovic via PacketFence-users
Hello,

You can use the Web admin to install the RADIUS SSL cert.

Make sure to restart radiusd on all servers to apply the cert.

You can use the PF PKI and the PF PKI provisioner to install it on Windows for 
a Wireless interface. You could also download the cert from the PF web 
interface and install it manually on the device.

What’s the PKI that you are using ?

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Nov 2, 2021, at 2:18 PM, E.P.  wrote:
> 
> Yes, Ludovic,
> Apparently the certificate has some issues. RADIUS debug revealed this:
>  
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: (TLS) Failed reading 
> application data from OpenSSL: error:14094419:SSL 
> routines:ssl3_read_bytes:tlsv1 alert access denied
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: [eaptls process] = fail
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap: Failed continuing EAP PEAP (25) 
> session.  EAP sub-module failed
> (18) Tue Nov  2 11:06:07 2021: Debug: eap: Sending EAP Failure (code 4) ID 
> 215 length 4
> (18) Tue Nov  2 11:06:07 2021: Debug: eap: Failed in EAP select
> (18) Tue Nov  2 11:06:07 2021: Debug: [eap] = invalid
> (18) Tue Nov  2 11:06:07 2021: Debug:   } # authenticate = invalid
>  
> So, all that I did was copying three files into /usr/local/pf/raddb/certs 
> folder
> Server.crt (the certificate issued by Godaddy CA)
> Server.key (private key)
> ca.pem (root CA)
>  
> I just wanted to replace this example certificate that PF uses for EAP/TLS 
> session
>  
> 
>  
> Is there any instruction how to generate a different certificate on PF that 
> will be accepted by Windows OS supplicant ?
>  
> Eugene
> From: Zammit, Ludovic  
> Sent: Tuesday, November 02, 2021 5:51 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: E.P. 
> Subject: Re: [PacketFence-users] Rejected users logging via Windows
>  
> Hello EP,
>  
> It looks like the certificate passed to PF was not correct.
>  
> Use the command:
>  
> raddebug -f /usr/local/pf/var/run/radiusd.sock
>  
> Thanks,
>  
> Ludovic Zammit
> Product Support Engineer Principal
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
>> On Nov 2, 2021, at 3:07 AM, E.P. via PacketFence-users wrote:
>>  
>> Hello,
>> A while ago someone asked here this question and there was no reply.
>> I hit it again and I have no clue; out of the blue, all authentication 
>> attempts from Windows OS fail:
>>  
>> Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
>> Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert 
>> read:fatal:access denied
>> Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected 
>> user: it.tech 
>> 
>> Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) 
>> Alert read:fatal:access denied): [it.tech 
>> ]
>>  (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)
>>  
>> No problem with mobile phones.
>> Trying to run RADIUS in the debug mode using the old radiusd -X command but 
>> on ver 11 it can’t be found anymore.
>> Any ideas ?
>>  
>> Eugene

[PacketFence-users] Need some clarification on Unregistration Date

2021-11-02 Thread Steve Pfister via PacketFence-users
We are using local users for authentication, and there are some we would 
like to be valid for a certain range of dates. What we've tried to do, 
is to have the range of valid dates as the Registration Window, and the 
Unregistration Date as the last day of the range. Not only does the 
device not become unregistered on the Unregistration Date, but it is 
still possible to register again outside of the window, and the 
Unregistration Date for the device becomes the same date but the 
following year.


For example, if we use the Registration Window as 2019-12-01 to 
2020-06-30, and the Unregistration Date as 2020-06-30, then I can 
register today with no issue, and the new Unregistration Date becomes 
2022-06-30.


Obviously, we aren't quite understanding how Registration Window and 
Unregistration Date work. Is it possible to have local usernames only 
valid for a range of dates, and what is the most common way to 
accomplish that?


--



Steven Pfister

Information Technology

Admin Building

115 S Ludlow St. Dayton, OH 45402

(937) 542-3149

www.daytonpublic.com | 
spfis...@daytonpublic.com







Re: [PacketFence-users] AD user group in the authentication source

2021-11-02 Thread Aaron Zuercher via PacketFence-users
Mine is setup for memberOf equals "full DN of Group"

Aaron

On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I dare ask a stupid question.
>
> What is the correct way to create a condition in the authentication source
> based on AD to verify a user's specific group membership?
>
> I created a condition based on the “memberOf” attribute which is equal to the
> DN of the group. It seems it doesn’t apply, or rather isn’t verified.
>
> Any user from the AD domain who authenticates can connect via RADIUS.
>
>
>
> Eugene


Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

2021-11-02 Thread E.P. via PacketFence-users
I’m jumping into this thread as it got my interest as well because we are with 
Unifi and planning to deploy guest WiFi with WebAuth via the portal.

In the URL that Fabrice advised to configure I believe “s” is for the site name?

http:///guest/s/default/

which is normally a random alphanumeric string ?

 

Also, the output of “usr/local/pf/bin/pfcmd cache switch_distributed list” 
doesn’t show me any lists of APs. Is it supposed to be empty ? I have few AP 
already serving users and acting as RADIUS clients. I have them added by IP 
address.

I ran this one as well before:

/usr/local/pf/bin/pfcmd pfcron ubiquiti_ap_mac_to_ip

 

For the certificates I understand it has to be placed into this folder, am I 
correct ?

 

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + 
intermediate)

 

Eugene

 

From: Federico Alberto Sayd via PacketFence-users 
 
Sent: Monday, November 01, 2021 9:59 AM
To: Fabrice Durand 
Cc: Federico Alberto Sayd ; egr...@jcc.com.ar; 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Trouble trying to enable captive portal with 
Unifi Controller (WebAuth)

 

Hi Fabrice:

 

I am running Unifi Controller 6.4.54

 

I reworked my setup from scratch following Enrique's directions and it worked 
ok, then I rebooted the server and it didn't work anymore.

 

Now the packetfence.log shows this error when I want to authenticate clients 
using APs managed by Unifi Controller:

 

Nov  1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]: 
httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Can not load perl module for 
switch 
f0:9f:c2:f0:07:42, type: Ubiquiti::Unifi . The type is unknown or the perl 
module has compilation errors.  (pf::SwitchFactory::instantiate)
Nov  1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]: 
httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Unable to instantiate switch 
object 
using switch_id 'f0:9f:c2:f0:07:42' (pf::web::externalportal::handle)

 

Can you help me with this error?

 

Thank you

 

Federico

 

On Fri, 29 Oct 2021 at 9:31, Fabrice Durand <oeufd...@gmail.com> wrote:

Hello Frederico,

 

what version of the ubiquiti controller are you running ?

Also did you define the switch in the packetfence configuration (like by ip or 
mac ?)

 

Last thing, can you try that http:///guest/s/default/ 
(notice the / at the end).

 

Regards

Fabrice

 

 

On Wed, 27 Oct 2021 at 02:27, Federico Alberto Sayd via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi Enrique:

I followed the docs and added Unifi Controller as a switch and configured the 
web service credentials. PF automatically retrieves the APs managed by Unifi 
Controller (I checked with the command  "/usr/local/pf/bin/pfcmd cache 
switch_distributed list".

I don't know if there is some difference in adding every AP as a switch.

What do you mean by "valid certificate"? An HTTPS certificate for the captive 
portal? 

I don't know how to configure the roles tab for the Unifi Controller in PF. I 
don't know how to construct the URL that goes in "Registration" in "Role 
Mapping by WebAuth URL".

Did you configure the roles tab in your setup?

Thanks for your help

 

 

On Tue, 26 Oct 2021 at 10:10, Enrique Gross <egr...@jcc-advance.com.ar> wrote:

Hi Federico

 

We don't use webauth with Unifi, but I remember there was a post about this 
issue.

 

After adding the Unifi Controller to PF, have you tried to add the unifi APs as 
a switch (by mac address)? Also, have you got a valid certificate on PF?

 

On the unifi side I use the "use secure portal" option and the DNS redirect option.

 

I have done a quick test on this, I'm redirected to the pf portal.

 

 

Enrique

 

  

 

On Mon, 25 Oct 2021 at 2:33, Federico Alberto Sayd via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hello:

 

I am trying to configure Packetfence as a captive portal for a guest wifi 
network managed with Unifi Controller (WebAuth Enforcement)

 

I want to redirect my guest wifi users to the captive portal in PacketFence and 
authenticate them with Google Workspace LDAP.

 

I followed the Network Device Configuration Guide and I added Unifi Controller 
as a switch in Packetfence config. The connection between Unifi Controller and 
PF is working fine, I can retrieve the list of APs managed by Unifi Controller 
with the command "/usr/local/pf/bin/pfcmd cache switch_distributed list"

 

I added a second interface in PF and enabled the portal service on it. I 
configured the portal IP as an external guest portal on Unifi Controller. 

 

Also, I configured Google Workspace LDAP as auth source. I didn't specify any 
rules because I want the same auth source for all users.

In "Standard Connections Profile" I changed the default profile to point to 
Google-LDAP as auth 

Re: [PacketFence-users] Question about "web log apache aaa bad requests"

2021-11-02 Thread Adrian Dessaigne via PacketFence-users
Hello Fabrice, 

Thanks for your answer. I did a packet sniffing with the command and here is 
the result: 
https://pastebin.com/d3VLaLvT 
(Pastebin code in case the link is deleted: d3VLaLvT) 

I see two different packets : 
One with the "CLI or VPN access not allowed from this switch". I don't get that 
error message since I don't know when PF need to access the CLI and the login 
parameters are good. 
Another one with : " [truncated] Scoreboard: _KKK__K_WK_K" 

Thanks for your help. 

Adrian. 



From: "Fabrice Durand"
To: "packetfence-users"
Cc: "ADE"
Sent: Friday 29 October 2021 14:39:43
Subject: Re: [PacketFence-users] Question about "web log apache aaa bad requests"

Hello Adrian, 
you can try that to see exactly what happens:

tshark -i any -f "port 7070" -Y "http.request || http.response" -V 


Regards 
Fabrice 

On Tue, 26 Oct 2021 at 05:56, Adrian Dessaigne via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:



Hi again, 

I'm trying to find out where I get this message from, and I compared the log
files with our secondary backup server.
In the file httpd.aaa.access I still get spammed with these:

Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 33865 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3727 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5643 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:06 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:06 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3873 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3882 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 29848 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 31987 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:08 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:08 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 29763 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6815 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4121 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:10 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:10 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4211 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3960 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3636 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize
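
As an added example (not code from this thread or from PacketFence), here is a small Python triage script for httpd.aaa.access lines like the ones quoted above: it parses each record, counts calls to /radius/rest/authorize by status and by (client, user agent), and reports the peak number of 401s seen in any single second, which is what separates a steady periodic trickle from an automated client from bursts of real user failures. The log layout is inferred from the quoted lines; the meaning of the three numeric fields after the status code is an assumption, the names parse_line, summarize and SAMPLE are mine, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# httpd.aaa access line: syslog prefix, then an Apache combined-style record. The
# three numbers after the status are assumed to be response bytes, request bytes
# and latency in microseconds; only the status and the timestamp are used here.
LINE_RE = re.compile(
    r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<prog>[\w.]+): (?P<client>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?:\d+|-) (?:\d+|-) (?:\d+|-) '
    r'"[^"]*" "(?P<agent>[^"]*)" "(?P<vhost>[^"]*)"$'
)

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE = """\
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200] "POST //radius/rest/authorize HTTP/1.1" 200 412 790 8123 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
this line is not an access log record
""".splitlines()

def parse_line(line):
    """Parse one httpd.aaa access line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = re.sub(r"/+", "/", rec["path"])  # Apache merges "//radius/..."
    return rec

def summarize(lines, path="/radius/rest/authorize"):
    """Count calls to `path` by status and (client, agent); report peak 401s in one second."""
    by_status, by_client, per_second, skipped = Counter(), Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed or unrelated line
            continue
        if rec["path"] != path:
            continue
        by_status[rec["status"]] += 1
        by_client[(rec["client"], rec["agent"])] += 1
        if rec["status"] == 401:
            per_second[rec["when"]] += 1
    return {"by_status": dict(by_status), "by_client": dict(by_client),
            "peak_401_per_second": max(per_second.values(), default=0), "skipped": skipped}
```

Run it against a real file with `summarize(open("/usr/local/pf/logs/httpd.aaa.access"))` (path assumed); a per-second peak that never rises above one or two from a single client is the signature of a periodic health check rather than of users.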

[PacketFence-users] Rejected users logging via Windows

2021-11-02 Thread E.P. via PacketFence-users
Hello,

A while ago someone asked this question here and there was no reply.

I hit it again and I have no clue: out of the blue, all authentication
attempts from Windows OS fail:

Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)

No problem with mobile phones.

I am trying to run RADIUS in debug mode using the old radiusd -X command, but
on ver 11 it can't be found anymore.

Any ideas?

 

Eugene

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] AD user group in the authentication source

2021-11-02 Thread E.P. via PacketFence-users
I dare to ask a stupid question.

What is the correct way to create a condition in an authentication source
based on AD to verify the user's membership in a specific group?

I created a condition based on the "memberOf" attribute being equal to the DN
of the group. It seems it doesn't apply, or rather is not verified.

Any user from the AD domain who authenticates can connect via RADIUS.

 

Eugene



[PacketFence-users] Restarting service in a cluster

2021-11-02 Thread Jakob Ackermann via PacketFence-users
Hello,

I'm trying to figure out how to restart a service in a cluster from the
command line. After distributing my certificates using
`/usr/local/pf/bin/cluster/sync --file /usr/local/pf/conf/ssl/server.pem
--as-master` I would like to let every server in the cluster restart a
service. Similar to `/usr/local/pf/bin/pfcmd service haproxy-admin restart`
but for the whole cluster. Any idea how I could accomplish that?

Thanks
Jakob Ackermann