Re: [PacketFence-users] Aruba CX documentation

2022-04-14 Thread Karl Stevens via PacketFence-users
Thanks Fabrice, I've found that too - I'm working through it and have it
mostly working now.   Once I'm done I'll try to write up my findings and
make a pull request on the Packetfence docs.

On Thu, Apr 14, 2022 at 7:34 PM Fabrice Durand  wrote:

> Hello Karl,
>
> the switch module has been tested but the configuration has never been
> retrieved.
>
> I found some documentation about 802.1x mac-auth, you can try the examples
> in this doc:
>
> https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7885.pdf
>
> Regards
> Fabrice
>
> On Thu, Apr 14, 2022 at 14:22, Karl Stevens via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello,
>>
>> I'm trying to set up a new installation of Packetfence 11.2 with Aruba CX
>> switches.   These are supposed to be supported since Packetfence 10.2, but
>> I'm not able to find any documentation on them in the Network Devices
>> Configuration Guide at
>> https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba
>> (the only entry for Aruba is for the 2930M series, which has different
>> syntax.)
>>
>> Is there any documentation for configuring this switch series for use by
>> Packetfence?
>>
>> Thanks,
>> Karl Stevens
>>
>>
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they are
>> addressed. If you have received this email in error please notify the
>> system manager. This message contains confidential information and is
>> intended only for the individual named. If you are not the named addressee
>> you should not disseminate, distribute or copy this e-mail.
>>
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>

-- 
Karl Stevens
Greater St. Albert Roman Catholic School Division No. 734



Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA

2022-04-14 Thread Fabrice Durand via PacketFence-users
ok easy.

edit the rest.conf file in conf/radiusd
and at this line add (
https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/rest.conf.example#L194
):
timeout = 60.00

Then restart radius-auth



On Thu, Apr 14, 2022 at 21:49, Benjamin Shirley - Simplicity <
b.shir...@simplicity.ag> wrote:

> Hi Fabrice,
>
> thanks for getting back to me. I have tried the settings but that does not
> solve the problem. Raddebug shows the following information:
>
> (8) Fri Apr 15 03:45:53 2022: Debug: Finished request
> (7) Fri Apr 15 03:45:56 2022: ERROR: rest: Request failed: 28 - Timeout was reached
> (7) Fri Apr 15 03:45:56 2022: ERROR: rest: Server returned no data
> (7) Fri Apr 15 03:45:56 2022: Debug:   [rest] = fail
> (7) Fri Apr 15 03:45:56 2022: Debug: } # if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  = fail
> (7) Fri Apr 15 03:45:56 2022: Debug:   } # post-auth = fail
> (7) Fri Apr 15 03:45:56 2022: Debug: Using Post-Auth-Type Reject
> (7) Fri Apr 15 03:45:56 2022: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
>
> Hope this information is any good!
>
> Kind regards
> Benjamin
>
> Benjamin Shirley . simplicity networks GmbH
> Heinrich-Hertz-Straße 2 . 59302 Oelde . Phone: +49 2522 8330 3124 .
> Mobile: +49 170 9496681
> E-Mail: b.shir...@simplicity.ag . Web: www.simplicity.ag
> USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan
> Leewe
> We operate for *OPUS* and *someday*
> Think before you print!
>
> *From: *Fabrice Durand
> *Date: *Friday, April 15, 2022 at 03:18
> *To: *packetfence-users
> *Cc: *Benjamin Shirley
> *Subject: *Re: [PacketFence-users] Radius Authentication Source Timeout
> for 2FA
>
> Hello Benjamin,
>
> first you need to raise the timeout value of the radius-auth service.
> You should be able to do it there:
>
> https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/auth.conf.example#L23
>
> and add that:
>
> ```
> limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 60
> }
> ```
>
> you probably have to add an option to the duo radius source too, like:
>
> response_timeouts = 30
>
> if it still does not work then run raddebug to see where in freeradius it
> times out.
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
> Regards
> Fabrice
>
> On Thu, Apr 14, 2022 at 14:22, Benjamin Shirley - Simplicity via
> PacketFence-users wrote:
>
> Hi @all,
>
> trying to bypass an issue I'm having using 2 different radius server
> (packetfence / duo authproxy) one for admin login purpose (DUO 2FA) and the
> other being packetfence for MAB in our network environment - which is a
> known bug in Dell OS6 Network Operating System - I had the idea to simply
> add the Duo Authproxy as a Radius Authentication Source in Packetfence
> meaning I only have to configure 1 radius authentication server on our
> switches.
>
> It works! I am able to proxy the authentication to the DUO Authproxy from
> within PF but there is a tiny problem I am not able to overcome and kindly
> ask for help.
>
> The problem is that RADIUS Authentication for the Shell-Access in PF times
> out so quickly I am hardly able to tap the push notification, open the DUO
> App and Confirm the Login Process, regardless to say that authentication
> via Phone Call will be impossible.
>
> Is there a way to configure a higher value of let's say 15 seconds
> somewhere maybe only for this one Authentication Source which is only used
> for the purpose of 2FA to our switches??
>
> Kind Regards
> Benjamin


Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA

2022-04-14 Thread Benjamin Shirley - Simplicity via PacketFence-users




Hi Fabrice,

thanks for getting back to me. I have tried the settings but that does not solve the problem. Raddebug shows the following information:

(8) Fri Apr 15 03:45:53 2022: Debug: Finished request
(7) Fri Apr 15 03:45:56 2022: ERROR: rest: Request failed: 28 - Timeout was reached
(7) Fri Apr 15 03:45:56 2022: ERROR: rest: Server returned no data
(7) Fri Apr 15 03:45:56 2022: Debug:   [rest] = fail
(7) Fri Apr 15 03:45:56 2022: Debug: } # if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  = fail
(7) Fri Apr 15 03:45:56 2022: Debug:   } # post-auth = fail
(7) Fri Apr 15 03:45:56 2022: Debug: Using Post-Auth-Type Reject
(7) Fri Apr 15 03:45:56 2022: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence

Hope this information is any good!

Kind regards
Benjamin
 
 

 

 

From: Fabrice Durand
Date: Friday, April 15, 2022 at 03:18
To: packetfence-users
Cc: Benjamin Shirley
Subject: Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA


 


Hello Benjamin,

first you need to raise the timeout value of the radius-auth service.
You should be able to do it there:

https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/auth.conf.example#L23

and add that:

```
limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 60
}
```

you probably have to add an option to the duo radius source too, like:

response_timeouts = 30

if it still does not work then run raddebug to see where in freeradius it times out.

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

Regards
Fabrice


 


On Thu, Apr 14, 2022 at 14:22, Benjamin Shirley - Simplicity via PacketFence-users wrote:




Hi @all,

trying to bypass an issue I'm having using 2 different radius server (packetfence / duo authproxy) one for admin login purpose (DUO 2FA) and the other being packetfence for MAB in our network environment - which is a known bug in Dell OS6 Network Operating System - I had the idea to simply add the Duo Authproxy as a Radius Authentication Source in Packetfence meaning I only have to configure 1 radius authentication server on our switches.

It works! I am able to proxy the authentication to the DUO Authproxy from within PF but there is a tiny problem I am not able to overcome and kindly ask for help.

The problem is that RADIUS Authentication for the Shell-Access in PF times out so quickly I am hardly able to tap the push notification, open the DUO App and Confirm the Login Process, regardless to say that authentication via Phone Call will be impossible.

Is there a way to configure a higher value of let's say 15 seconds somewhere maybe only for this one Authentication Source which is only used for the purpose of 2FA to our switches??

Kind Regards
Benjamin


 
 



Re: [PacketFence-users] Aruba CX documentation

2022-04-14 Thread Fabrice Durand via PacketFence-users
Thanks, it will be really appreciated.

On Thu, Apr 14, 2022 at 21:42, Karl Stevens wrote:

> Thanks Fabrice, I've found that too - I'm working through it and have it
> mostly working now.   Once I'm done I'll try to write up my findings and
> make a pull request on the Packetfence docs.
>
> On Thu, Apr 14, 2022 at 7:34 PM Fabrice Durand  wrote:
>
>> Hello Karl,
>>
>> the switch module has been tested but the configuration has never been
>> retrieved.
>>
>> I found some documentation about 802.1x mac-auth, you can try the
>> examples in this doc:
>>
>> https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7885.pdf
>>
>> Regards
>> Fabrice
>>
>> On Thu, Apr 14, 2022 at 14:22, Karl Stevens via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to set up a new installation of Packetfence 11.2 with Aruba
>>> CX switches.   These are supposed to be supported since Packetfence 10.2,
>>> but I'm not able to find any documentation on them in the Network Devices
>>> Configuration Guide at
>>> https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba
>>> (the only entry for Aruba is for the 2930M series, which has different
>>> syntax.)
>>>
>>> Is there any documentation for configuring this switch series for use by
>>> Packetfence?
>>>
>>> Thanks,
>>> Karl Stevens
>
> --
> Karl Stevens
> Greater St. Albert Roman Catholic School Division No. 734


Re: [PacketFence-users] Aruba CX documentation

2022-04-14 Thread Fabrice Durand via PacketFence-users
Hello Karl,

the switch module has been tested but the configuration has never been
retrieved.

I found some documentation about 802.1x mac-auth, you can try the examples
in this doc:

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7885.pdf

Regards
Fabrice

On Thu, Apr 14, 2022 at 14:22, Karl Stevens via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I'm trying to set up a new installation of Packetfence 11.2 with Aruba CX
> switches.   These are supposed to be supported since Packetfence 10.2, but
> I'm not able to find any documentation on them in the Network Devices
> Configuration Guide at
> https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba
> (the only entry for Aruba is for the 2930M series, which has different
> syntax.)
>
> Is there any documentation for configuring this switch series for use by
> Packetfence?
>
> Thanks,
> Karl Stevens


Re: [PacketFence-users] Packetfence config related fallback plan

2022-04-14 Thread Fabrice Durand via PacketFence-users
probably a misconfiguration issue.
https://www.packetfence.org/doc/PacketFence_Clustering_Guide.html#_packetfence_configuration_modification_first_server_only

Notice host=127.0.0.1

if you forgot that then it means that each server will use the local
database instance to insert and it will result with table lock.

On Thu, Apr 14, 2022 at 14:22, Zammit, Ludovic via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Misbah,
>
> We only an issue with chunk = ‘8192’ for EAP TLS and not EAP PEAP.
>
> It's way too big to cover your entire cluster config on the mailing list, I
> will suggest you to take some consulting hours with Akamai and we will do a
> sanity check on your cluster to see why the database would disconnect.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Apr 13, 2022, at 7:14 PM, Misbah Hussaini 
> wrote:
>
> Hello Ludovic,
>
> Again we had an outage and this time it looks like DB had some sort of
> locking issues. The temp fix was to restart the mariadb service. I'm
> running PF 11.2 with 3 nodes cluster doing 802.1x and mac auth and I see
> below messages in packetfence.log at the time when the problem began and
> these messages continued till DB was restarted.
>
> *Packetfence.log:*
>
> *Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR:
> [mac:unknown] Database query failed with non retryable error: Lock wait
> timeout exceeded; try restarting transaction (errno: 1205) [INSERT INTO
> `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`,
> `category_id`, `computername`, `detect_date`, `device_class`,
> `device_manufacturer`, `device_score`, `device_type`, `device_version`,
> `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`,
> `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`,
> `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`,
> `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ? ) ON DUPLICATE KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL,
> NULL, , NULL, SEPC4143C97B434, 2021-12-23 14:27:33, VoIP Device, Cisco
> Systems, Inc, 76, Cisco IP Phone CP-7945G, , , , 1,66,6,3,15,150,35, Cisco
> Systems, Inc. IP Phone CP-7945G, -00-00 00:00:00, 2022-04-13 21:46:21,
> 2021-12-24 20:10:12, -00-00 00:00:00, c4:14:3c:97:b4:34, NULL, ,
> default, -00-00 00:00:00, , unreg, 1, NULL, -00-00 00:00:00, , no,
> 2022-04-13 21:46:21, 1} (pf::dal::db_execute)*
> *Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR:
> [mac:unknown] Unable to modify node 'c4:14:3c:97:b4:34
> (pf::node::node_modify)*
> Apr 13 21:47:28 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device
> 00:11:22:33:44:55. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:38 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device
> 00:11:22:33:44:55. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:42 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device
> 00:11:22:33:44:55. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:52 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device
> 00:11:22:33:44:55. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: Using
> 300 resolution threshold (pf::pfcron::task::cluster_check::run)
> Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO:
> processed 0 security_events during security_event maintenance
> (1649872073.11399 1649872073.12087)
> (pf::security_event::security_event_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO:
> processed 0 security_events during security_event maintenance
> (1649872073.12281 1649872073.12537)
> (pf::security_event::security_event_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029095]: pfperl-api(2426219) INFO:
> getting security_events triggers for accounting cleanup
> (pf::accounting::acct_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: All
> cluster members are running the same configuration version
> 

Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA

2022-04-14 Thread Fabrice Durand via PacketFence-users
Hello Benjamin,

first you need to raise the timeout value of the radius-auth service.
You should be able to do it there:

https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/auth.conf.example#L23

and add that:

```
limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 60
}
```

you probably have to add an option to the duo radius source too, like:

response_timeouts = 30

if it still does not work then run raddebug to see where in freeradius it
times out.

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

Regards
Fabrice

On Thu, Apr 14, 2022 at 14:22, Benjamin Shirley - Simplicity via
PacketFence-users wrote:

> Hi @all,
>
> trying to bypass an issue I'm having using 2 different radius server
> (packetfence / duo authproxy) one for admin login purpose (DUO 2FA) and the
> other being packetfence for MAB in our network environment - which is a
> known bug in Dell OS6 Network Operating System - I had the idea to simply
> add the Duo Authproxy as a Radius Authentication Source in Packetfence
> meaning I only have to configure 1 radius authentication server on our
> switches.
>
> It works! I am able to proxy the authentication to the DUO Authproxy from
> within PF but there is a tiny problem I am not able to overcome and kindly
> ask for help.
>
> The problem is that RADIUS Authentication for the Shell-Access in PF times
> out so quickly I am hardly able to tap the push notification, open the DUO
> App and Confirm the Login Process, regardless to say that authentication
> via Phone Call will be impossible.
>
> Is there a way to configure a higher value of let's say 15 seconds
> somewhere maybe only for this one Authentication Source which is only used
> for the purpose of 2FA to our switches??
>
> Kind Regards
>
> Benjamin
>


Re: [PacketFence-users] Packetfence config related fallback plan

2022-04-14 Thread Misbah Hussaini via PacketFence-users
Hello Ludovic,

It's already added as a switch and has been working fine for the past 1 month
but with few endpoints. When I googled this message, freeradius support
list suggested to increase the max server count, which I did, and the issue
was resolved. The concern I have is whether there are other such parameters
which need to be fine-tuned for Production.

Also, the config change you suggested for Fingerbank-collector doesn't
seem to have worked. Currently I'm unmonitoring fingerbank using the below
command but I know it won't survive service restart or server reboots.

#monit unmonitor packetfence-fingerbank-collectod

On Wed, 13 Apr 2022, 17:11 Zammit, Ludovic,  wrote:

> Hello,
>
> It looks like 192.168.254.14 is trying to ask for an authentication. Add
> it as the switch.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Apr 12, 2022, at 3:02 AM, Misbah Hussaini 
> wrote:
>
> Thanks Ludovic, I'm testing this config change.
>
> Meanwhile, I checked the radius log when the issue of auth occurred for us
> and I found below lines. As I mentioned earlier, I increased the max
> threads to a higher value in radius.conf file and the issue was resolved
> and auth started working. Does everybody have to increase this value in
> Production? I'm asking especially because we are planning to increase the
> number of devices (by another 250) and perhaps then I need to use a much
> higher value to avoid recurrence of this problem.
>
> Apr  7 10:06:23 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:25 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:06:25 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:26 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:06:26 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:28 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:06:28 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:30 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:06:30 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:37 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:06:37 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.28 port 1645 proto udp
> Apr  7 10:06:42 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:06:42 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.28 port 1645 proto udp
> Apr  7 10:06:57 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:06:57 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.13 port 1645 proto udp
> Apr  7 10:07:02 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:07:02 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.13 port 1645 proto udp
> Apr  7 10:07:04 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:07:04 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.23 port 1645 proto udp
> Apr  7 10:07:07 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:07:07 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.13 port 1645 proto udp
> Apr  7 10:07:09 NAC1 auth[36]: rlm_sql (sql): No connections available
> and 
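
The three failure signatures quoted in these threads (requests ignored from an unknown client, the rlm_sql pool at its connection limit, and the rest module timeout in the raddebug output from the 2FA thread) can be tallied from a log with a short script. This is an added example, not part of the original messages or of PacketFence; the names `triage` and `report` are hypothetical, and the sample lines are constructed in the format quoted above.

```python
import re

# Signatures copied from the log excerpts quoted in the thread.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
UNKNOWN_CLIENT = re.compile(
    r"from unknown client (?P<client>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
SQL_POOL_FULL = re.compile(
    r"rlm_sql \((?P<instance>[^)]+)\): No connections available and at max connection limit"
)
# raddebug prefixes each line with "(request-id) timestamp:". 28 is libcurl's
# CURLE_OPERATION_TIMEDOUT, reported by the rest module.
REST_TIMEOUT = re.compile(
    r"^\((?P<req>\d+)\) (?P<ts>.+?): ERROR: rest: Request failed: 28 - Timeout was reached"
)

# Constructed sample input, one log record per line (unwrapped).
SAMPLE_LOG = """\
Apr  7 10:06:23 NAC1 auth[36]: Ignoring request to auth address 192.168.197.90 port 1812 bound to server packetfence from unknown client 192.168.254.14 port 1645 proto udp
Apr  7 10:06:25 NAC1 auth[36]: rlm_sql (sql): No connections available and at max connection limit
Apr  7 10:06:25 NAC1 auth[36]: Ignoring request to auth address 192.168.197.90 port 1812 bound to server packetfence from unknown client 192.168.254.14 port 1645 proto udp
Apr  7 10:06:37 NAC1 auth[36]: Ignoring request to auth address 192.168.197.90 port 1812 bound to server packetfence from unknown client 192.168.254.28 port 1645 proto udp
Apr  7 10:06:42 NAC1 auth[36]: rlm_sql (sql): No connections available and at max connection limit
(8) Fri Apr 15 03:45:53 2022: Debug: Finished request
(7) Fri Apr 15 03:45:56 2022: ERROR: rest: Request failed: 28 - Timeout was reached
(7) Fri Apr 15 03:45:56 2022: ERROR: rest: Server returned no data
""".splitlines()


def triage(lines):
    """Group log lines by the failure signatures seen in the thread."""
    unknown = {}        # client IP -> {"count", "first", "last"}
    pool_full = {}      # rlm_sql instance name -> number of hits
    rest_timeouts = []  # (request id, raddebug timestamp)
    for raw in lines:
        line = raw.rstrip("\n")
        m = REST_TIMEOUT.search(line)
        if m:
            rest_timeouts.append((int(m.group("req")), m.group("ts")))
            continue
        ts_match = SYSLOG_TS.match(line)
        ts = ts_match.group("ts") if ts_match else None
        m = UNKNOWN_CLIENT.search(line)
        if m:
            entry = unknown.setdefault(
                m.group("client"), {"count": 0, "first": ts, "last": ts}
            )
            entry["count"] += 1
            entry["last"] = ts
            continue
        m = SQL_POOL_FULL.search(line)
        if m:
            inst = m.group("instance")
            pool_full[inst] = pool_full.get(inst, 0) + 1
    return {
        "unknown_clients": unknown,
        "sql_pool_full": pool_full,
        "rest_timeouts": rest_timeouts,
    }


def report(summary):
    """Turn the tallies into one line per finding, with the thread's remedy."""
    out = []
    for ip, e in summary["unknown_clients"].items():
        out.append(
            f"{ip}: {e['count']} request(s) ignored as unknown client "
            f"({e['first']} to {e['last']}); confirm it is one of your "
            "switches, then add it as a switch in PacketFence"
        )
    for inst, n in summary["sql_pool_full"].items():
        out.append(
            f"rlm_sql ({inst}): pool at max connection limit {n} time(s); "
            "the poster resolved this by raising the limit in the radius config"
        )
    for req, ts in summary["rest_timeouts"]:
        out.append(
            f"request ({req}) at {ts}: rest call timed out; the thread suggests "
            "raising timeout in conf/radiusd/rest.conf and restarting radius-auth"
        )
    return out


if __name__ == "__main__":
    for finding in report(triage(SAMPLE_LOG)):
        print(finding)
```

Feed it unwrapped log lines; the excerpts in the e-mails above are hard-wrapped by the mail client and would need rejoining first.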

Re: [PacketFence-users] RADIUS Debugging

2022-04-14 Thread Zammit, Ludovic via PacketFence-users
Hello,

Check in the logs/packetfence.log, you will have your reason of the reject.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Apr 12, 2022, at 3:40 AM, P.Thirunavukkarasu  
> wrote:
> 
> Hi Ludovic,
> Thanks a lot
> I did a mistake by editing the radius configuration and started a new instance
> Configured the NAC and now it is working with Google Workspace LDAPs. 
> 
> But when I tried to authenticate the users with Azure AD it shows the 
> following
> 
> Module-Failure-Message = "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
> RADIUS Log
> Apr 12 06:51:07 packetfence auth[40780]: rlm_perl: oauth2 worker (tanuvas.edu.in): sync
> Apr 12 06:51:07 packetfence auth[40780]: rlm_perl: oauth2 worker (tanuvas.edu.in): syncing in 23 seconds
> Apr 12 06:51:09 packetfence auth[40780]: (1937)   Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [nimalesh2...@tanuvas.edu.in]
> Apr 12 06:51:09 packetfence auth[40780]: Rejected user: nimalesh2...@tanuvas.edu.in
> Apr 12 06:51:09 packetfence auth[40780]: (1937) Login incorrect (EAP-TTLS-PAP: Failed continuing EAP TTLS (21) session.  EAP sub-module failed): [nimalesh2...@tanuvas.edu.in]
> 
> Similarly for eduroam users the RADIUS log is as follows
> Apr 12 04:51:05 packetfence auth[40780]: (62) mschap: ERROR: Program returned 
> code (1) and output 'Reading winbind reply failed! (0xc001)'
> Apr 12 04:51:05 packetfence auth[40780]: (62)   Login incorrect (mschap: 
> Program returned code (1) and output 'Reading winbind reply failed! 
> (0xc001)'): 
> Apr 12 04:51:05 packetfence auth[40780]: Rejected user: some...@roaming.com 
> 
> Apr 12 04:51:05 packetfence auth[40780]: (63) Login incorrect (eap_peap: The 
> users session was previously rejected: returning reject (again.)):
> Apr 12 04:51:09 packetfence auth[40780]: (71) mschap: ERROR: Program returned 
> code (1) and output 'Reading winbind reply failed! (0xc001)'
> Apr 12 04:51:09 packetfence auth[40780]: (71)   Login incorrect (mschap: 
> Program returned code (1) and output 'Reading winbind reply failed! 
> (0xc001)'): 
> Apr 12 04:52:04 packetfence auth[40780]: (83) mschap: ERROR: Program returned 
> code (1) and output 'Reading winbind reply failed! (0xc001)'
> Apr 12 04:52:04 packetfence auth[40780]: (83)   Login incorrect (mschap: 
> Program returned code (1) and output 'Reading winbind reply failed! 
> (0xc001)'): 
> 
> Best,
> Thirunavukkarasu
> TANUVAS





Re: [PacketFence-users] Packetfence config related fallback plan

2022-04-14 Thread Zammit, Ludovic via PacketFence-users
Hello Misbah,

We only an issue with chunk = ‘8192’ for EAP TLS and not EAP PEAP.

It's way too big to cover your entire cluster config on the mailing list, I will 
suggest you to take some consulting hours with Akamai and we will do a sanity 
check on your cluster to see why the database would disconnect.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Apr 13, 2022, at 7:14 PM, Misbah Hussaini  wrote:
> 
> Hello Ludovic,
> 
> Again we had an outage and this time it looks like DB had some sort of 
> locking issues. The temp fix was to restart the mariadb service. I'm running 
> PF 11.2 with 3 nodes cluster doing 802.1x and mac auth and I see below 
> messages in packetfence.log at the time when the problem began and these 
> messages continued till DB was restarted.
> 
> Packetfence.log:
> 
> Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] 
> Database query failed with non retryable error: Lock wait timeout exceeded; 
> try restarting transaction (errno: 1205) [INSERT INTO `node` ( `autoreg`, 
> `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, 
> `computername`, `detect_date`, `device_class`, `device_manufacturer`, 
> `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, 
> `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, 
> `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, 
> `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, 
> `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE 
> KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL, NULL, , NULL, 
> SEPC4143C97B434, 2021-12-23 14:27:33, VoIP Device, Cisco Systems, Inc, 76, 
> Cisco IP Phone CP-7945G, , , , 1,66,6,3,15,150,35, Cisco Systems, Inc. IP 
> Phone CP-7945G, -00-00 00:00:00, 2022-04-13 21:46:21, 2021-12-24 
> 20:10:12, -00-00 00:00:00, c4:14:3c:97:b4:34, NULL, , default, -00-00 
> 00:00:00, , unreg, 1, NULL, -00-00 00:00:00, , no, 2022-04-13 21:46:21, 
> 1} (pf::dal::db_execute)
> Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] 
> Unable to modify node 'c4:14:3c:97:b4:34 (pf::node::node_modify)
> Apr 13 21:47:28 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
> 00:11:22:33:44:55. The history set doesn't exist yet. 
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:38 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
> 00:11:22:33:44:55. The history set doesn't exist yet. 
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:42 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
> 00:11:22:33:44:55. The history set doesn't exist yet. 
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:52 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
> 00:11:22:33:44:55. The history set doesn't exist yet. 
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: Using 
> 300 resolution threshold (pf::pfcron::task::cluster_check::run)
> Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO: 
> processed 0 security_events during security_event maintenance 
> (1649872073.11399 1649872073.12087)  
> (pf::security_event::security_event_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO: 
> processed 0 security_events during security_event maintenance 
> (1649872073.12281 1649872073.12537)  
> (pf::security_event::security_event_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029095]: pfperl-api(2426219) INFO: getting 
> security_events triggers for accounting cleanup 
> (pf::accounting::acct_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: All 
> cluster members are running the same configuration version 
> (pf::pfcron::task::cluster_check::run)
> Apr 13 21:48:03 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] 
> Database query failed with non retryable error: Lock wait timeout exceeded; 
> try restarting transaction (errno: 1205) [INSERT INTO `node` ( `autoreg`, 
> `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, 
> `computername`, `detect_date`, `device_class`, `device_manufacturer`, 
> `device_score`, 

Re: [PacketFence-users] Packetfence config related fallback plan

2022-04-14 Thread Misbah Hussaini via PacketFence-users
Thanks Ludovic, I'm testing this config change.

Meanwhile, I checked the radius log when the issue of auth occurred for us
and I found the lines below. As I mentioned earlier, I increased the max
threads to a higher value in the radius.conf file and the issue was resolved
and auth started working. Does everybody have to increase this value in
Production? I'm asking especially because we are planning to increase the
number of devices (by another 250) and perhaps then I need to use a much
higher value to avoid recurrence of this problem.

Apr  7 10:06:23 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.14 port 1645 proto udp
Apr  7 10:06:25 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:06:25 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.14 port 1645 proto udp
Apr  7 10:06:26 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:06:26 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.14 port 1645 proto udp
Apr  7 10:06:28 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:06:28 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.14 port 1645 proto udp
Apr  7 10:06:30 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:06:30 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.14 port 1645 proto udp
Apr  7 10:06:37 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:06:37 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.28 port 1645 proto udp
Apr  7 10:06:42 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:06:42 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.28 port 1645 proto udp
Apr  7 10:06:57 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:06:57 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.13 port 1645 proto udp
Apr  7 10:07:02 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:07:02 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.13 port 1645 proto udp
Apr  7 10:07:04 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:07:04 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.23 port 1645 proto udp
Apr  7 10:07:07 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:07:07 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.13 port 1645 proto udp
Apr  7 10:07:09 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:07:09 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.23 port 1645 proto udp
Apr  7 10:07:12 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:07:12 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.13 port 1645 proto udp



Regards
Misbah


On Mon, 11 Apr 2022 at 17:19, Zammit, Ludovic  wrote:

> Hello,
>
> You can disable the TCP FB Collector analyzing:
>
> You can disable the TCP fingerprinting by doing
>
>
> # systemctl edit packetfence-fingerbank-collector.service
>
>
> In the editor that opens, add:
>
>
> [Service]
>
> Environment=COLLECTOR_DISABLE_TCP_HANDLER=true
>
>
> Close the editor, then do:
>
>
> # systemctl daemon-reload
>
> # systemctl restart packetfence-fingerbank-collector
>
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Apr 

[PacketFence-users] Radius Authentication Source Timeout for 2FA

2022-04-14 Thread Benjamin Shirley - Simplicity via PacketFence-users

Hi @all,

Trying to bypass an issue I'm having using 2 different radius servers (packetfence / duo authproxy), one for admin login purposes (DUO 2FA) and the other being packetfence for MAB in our network environment - which is a known bug in Dell OS6 Network Operating System - I had the idea to simply add the Duo Authproxy as a Radius Authentication Source in Packetfence, meaning I only have to configure 1 radius authentication server on our switches.

It works! I am able to proxy the authentication to the DUO Authproxy from within PF, but there is a tiny problem I am not able to overcome and kindly ask for help.

The problem is that RADIUS Authentication for the Shell-Access in PF times out so quickly that I am hardly able to tap the push notification, open the DUO App and confirm the login process; needless to say, authentication via Phone Call will be impossible.

Is there a way to configure a higher value of, let's say, 15 seconds somewhere, maybe only for this one Authentication Source, which is only used for the purpose of 2FA to our switches?

Kind Regards
Benjamin

Benjamin Shirley
simplicity networks GmbH
Heinrich-Hertz-Straße 2 . 59302 Oelde . Phone: +49 2522 8330 3124 . Mobile: +49 170 9496681
E-Mail: b.shir...@simplicity.ag . Web: www.simplicity.ag
USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan Leewe





Re: [PacketFence-users] Packetfence config related fallback plan

2022-04-14 Thread Misbah Hussaini via PacketFence-users
Hello Ludovic,

Again we had an outage and this time it looks like the DB had some sort of
locking issues. The temp fix was to restart the mariadb service. I'm
running PF 11.2 with a 3-node cluster doing 802.1x and mac auth and I see
the messages below in packetfence.log at the time when the problem began and
these messages continued till the DB was restarted.

*Packetfence.log:*

*Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR:
[mac:unknown] Database query failed with non retryable error: Lock wait
timeout exceeded; try restarting transaction (errno: 1205) [INSERT INTO
`node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`,
`category_id`, `computername`, `detect_date`, `device_class`,
`device_manufacturer`, `device_score`, `device_type`, `device_version`,
`dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`,
`last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`,
`notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`,
`time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?,
?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?, ? ) ON DUPLICATE KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL,
NULL, , NULL, SEPC4143C97B434, 2021-12-23 14:27:33, VoIP Device, Cisco
Systems, Inc, 76, Cisco IP Phone CP-7945G, , , , 1,66,6,3,15,150,35, Cisco
Systems, Inc. IP Phone CP-7945G, -00-00 00:00:00, 2022-04-13 21:46:21,
2021-12-24 20:10:12, -00-00 00:00:00, c4:14:3c:97:b4:34, NULL, ,
default, -00-00 00:00:00, , unreg, 1, NULL, -00-00 00:00:00, , no,
2022-04-13 21:46:21, 1} (pf::dal::db_execute)*
*Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR:
[mac:unknown] Unable to modify node 'c4:14:3c:97:b4:34
(pf::node::node_modify)*
Apr 13 21:47:28 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
[mac:00:11:22:33:44:55] Unable to pull accounting history for device
00:11:22:33:44:55. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)
Apr 13 21:47:38 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
[mac:00:11:22:33:44:55] Unable to pull accounting history for device
00:11:22:33:44:55. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)
Apr 13 21:47:42 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
[mac:00:11:22:33:44:55] Unable to pull accounting history for device
00:11:22:33:44:55. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)
Apr 13 21:47:52 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
[mac:00:11:22:33:44:55] Unable to pull accounting history for device
00:11:22:33:44:55. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)
Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: Using
300 resolution threshold (pf::pfcron::task::cluster_check::run)
Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO:
processed 0 security_events during security_event maintenance
(1649872073.11399 1649872073.12087)
(pf::security_event::security_event_maintenance)
Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO:
processed 0 security_events during security_event maintenance
(1649872073.12281 1649872073.12537)
(pf::security_event::security_event_maintenance)
Apr 13 21:47:53 NAC1 packetfence[3029095]: pfperl-api(2426219) INFO:
getting security_events triggers for accounting cleanup
(pf::accounting::acct_maintenance)
Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: All
cluster members are running the same configuration version
(pf::pfcron::task::cluster_check::run)
*Apr 13 21:48:03 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR:
[mac:unknown] Database query failed with non retryable error: Lock wait
timeout exceeded; try restarting transaction (errno: 1205) [INSERT INTO
`node` *( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`,
`category_id`, `computername`, `detect_date`, `device_class`,
`device_manufacturer`, `device_score`, `device_type`, `device_version`,
`dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`,
`last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`,
`notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`,
`time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?,
?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?, ? ) ON DUPLICATE KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL,
NULL, , NULL, Admin-PC, 2021-12-22 14:45:32, Windows OS, Dell Inc., 78,
Microsoft Windows Kernel 10.0, 10.0, , ,
1,3,6,15,31,33,43,44,46,47,119,121,249,252, MSFT 5.0, -00-00 00:00:00,
2022-04-13 21:47:12, 2022-04-13 21:45:43, -00-00 00:00:00,
98:90:96:cb:a3:02, NULL, , default, -00-00 00:00:00, , unreg, 1, NULL,
-00-00 00:00:00, , no, 2022-04-13 21:47:12, 1} (pf::dal::db_execute)
*Apr 13 21:48:03 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR:
[mac:unknown] Unable to modify node 

Re: [PacketFence-users] Packetfence config related fallback plan

2022-04-14 Thread Zammit, Ludovic via PacketFence-users
Hello,

It looks like 192.168.254.14 is trying to ask for an authentication. Add it as 
the switch.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Apr 12, 2022, at 3:02 AM, Misbah Hussaini  wrote:
> 
> Thanks Ludovic, I'm testing this config change.
> 
> Meanwhile, I checked the radius log when the issue of auth occurred for us
> and I found the lines below. As I mentioned earlier, I increased the max threads
> to a higher value in the radius.conf file and the issue was resolved and auth
> started working. Does everybody have to increase this value in Production? 
> I'm asking especially because we are planning to increase the number of 
> devices (by another 250) and perhaps then I need to use a much higher value 
> to avoid recurrence of this problem.
> 
> Apr  7 10:06:23 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:25 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:06:25 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:26 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:06:26 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:28 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:06:28 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:30 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:06:30 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.14 port 1645 proto udp
> Apr  7 10:06:37 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:06:37 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.28 port 1645 proto udp
> Apr  7 10:06:42 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:06:42 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.28 port 1645 proto udp
> Apr  7 10:06:57 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:06:57 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.13 port 1645 proto udp
> Apr  7 10:07:02 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:07:02 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.13 port 1645 proto udp
> Apr  7 10:07:04 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:07:04 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.23 port 1645 proto udp
> Apr  7 10:07:07 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:07:07 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.13 port 1645 proto udp
> Apr  7 10:07:09 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:07:09 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.23 port 1645 proto udp
> Apr  7 10:07:12 NAC1 auth[36]: rlm_sql (sql): No connections available 
> and at max connection limit
> Apr  7 10:07:12 NAC1 auth[36]: Ignoring request to auth address 
> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
> 192.168.254.13 port 1645 proto udp
> 
> 
> 
> Regards
> Misbah
> 
> 
> On Mon, 11 Apr 2022 at 17:19, Zammit, Ludovic wrote:
> Hello,
> 
> You can disable the 
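
The radius log quoted in this exchange interleaves two different messages: requests dropped from an unknown client, and rlm_sql running out of pooled connections. The following is an added example, not part of the thread and not PacketFence code, that rejoins mail-wrapped (and `>`-quoted) log lines into records and counts each kind separately; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines modelled on the radius log quoted in this thread,
# wrapped the way the list archive wraps them; one block is '>'-quoted.
SAMPLE_LOG = """\
Apr  7 10:06:23 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.14 port 1645 proto udp
Apr  7 10:06:25 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:06:25 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.14 port 1645 proto udp
> Apr  7 10:06:37 NAC1 auth[36]: rlm_sql (sql): No connections available
> and at max connection limit
> Apr  7 10:06:37 NAC1 auth[36]: Ignoring request to auth address
> 192.168.197.90 port 1812 bound to server packetfence from unknown client
> 192.168.254.28 port 1645 proto udp
Apr  7 10:07:02 NAC1 auth[36]: rlm_sql (sql): No connections available
and at max connection limit
Apr  7 10:07:02 NAC1 auth[36]: Ignoring request to auth address
192.168.197.90 port 1812 bound to server packetfence from unknown client
192.168.254.13 port 1645 proto udp
"""

# A syslog timestamp such as "Apr  7 10:06:23 " opens a new record.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
QUOTE = re.compile(r"^(?:>\s?)+")  # leading e-mail quote markers
UNKNOWN_CLIENT = re.compile(
    r"Ignoring request to auth address (\S+) port (\d+) bound to server (\S+) "
    r"from unknown client (\S+) port \d+")
POOL_EXHAUSTED = re.compile(
    r"rlm_sql \((\w+)\): No connections available and at max connection limit")


def unwrap(text):
    """Return one string per log event: strip quote markers, then append
    every line that does not start with a timestamp to the previous record."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Count dropped requests per (client IP, virtual server) and SQL pool
    exhaustion events per minute; anything else is tallied as 'other'."""
    unknown, pool, other = Counter(), Counter(), 0
    for rec in unwrap(text):
        m = UNKNOWN_CLIENT.search(rec)
        if m:
            unknown[(m.group(4), m.group(3))] += 1
        elif POOL_EXHAUSTED.search(rec):
            pool[rec[:12]] += 1  # "Mon DD HH:MM" prefix of the timestamp
        else:
            other += 1
    return {"unknown_clients": unknown, "pool_exhausted": pool, "other": other}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (client, server), n in result["unknown_clients"].most_common():
        print(f"{n:3d} request(s) dropped: unknown RADIUS client {client} "
              f"(server '{server}')")
    for minute, n in sorted(result["pool_exhausted"].items()):
        print(f"{minute}  rlm_sql connection pool exhausted x{n}")
```

Each address in the first list is a device sending RADIUS requests that the server does not recognise as a client; the per-minute pool counts show whether connection exhaustion persists independently of those drops.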

Re: [PacketFence-users] RADIUS Debugging

2022-04-14 Thread P.Thirunavukkarasu via PacketFence-users
Hi Ludovic,
Herewith I am sending the log for your reference specific to Azure AD.
But I couldn't understand the log for the Azure AD.

Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Connecting to MySQL database (pfconfig::backend::mysql::_get_db)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::authentication_config_hash. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::authentication_config_hash() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::authentication_lookup. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::authentication_lookup() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::authentication_sources. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::authentication_sources() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::passthroughs. Master resource is resource::authentication_sources() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::passthroughs() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::authentication_sources_monitored. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::authentication_sources_monitored() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::guest_self_registration. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::guest_self_registration() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::authentication_sources_azuread. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::authentication_sources_azuread() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::authentication_sources_ldap. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::authentication_sources_ldap() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::passthroughs. Master resource is resource::authentication_sources_ldap() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::passthroughs() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::authentication_sources_radius. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::authentication_sources_radius() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::passthroughs. Master resource is resource::authentication_sources_radius() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::passthroughs() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Expiring child resource resource::RolesReverseLookup. Master resource is config::Authentication() (pfconfig::manager::expire)
Apr 13 10:50:40 packetfence packetfence[1646]: pfperl-api(1646) INFO: Hard expiring resource : resource::RolesReverseLookup() (pfconfig::manager::expire)

Log in the web GUI - Module-Failure-Message = "No Auth-Type found:
rejecting the user via Post-Auth-Type = Reject"

RADIUS Log

*Apr 13 13:37:16 packetfence auth[21200]: (213) Login incorrect (eap:
Failed continuing EAP TTLS (21) 

[PacketFence-users] Aruba CX documentation

2022-04-14 Thread Karl Stevens via PacketFence-users
Hello,

I'm trying to set up a new installation of Packetfence 11.2 with Aruba CX
switches.   These are supposed to be supported since Packetfence 10.2, but
I'm not able to find any documentation on them in the Network Devices
Configuration Guide at
https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba
(the only entry for Aruba is for the 2930M series, which has different
syntax.)

Is there any documentation for configuring this switch series for use by
Packetfence?

Thanks,
Karl Stevens
