Re: [PacketFence-users] Server swap over 90%

2022-10-24 Thread Schüller Dennis via PacketFence-users
Hey,
not he swap warning and reject messages cames across the day. I’ve added a swap 
file on the three nodes; now it looks like the issue with swap is solved. But 
the reject messages are still there.
Each day another switch, at random.


Grüße aus der Grünen Hölle / Regards from the Green Hell

i. A. Dennis Schüller
Systembetreuung
IT


From: Cian Phillips via PacketFence-users
Sent: Monday, October 24, 2022 17:23
To: packetfence-users@lists.sourceforge.net
Cc: Cian Phillips
Subject: Re: [PacketFence-users] Server swap over 90%

Hi Dennis,

We are not clustered and get swap warnings occasionally, but I haven’t noticed 
clients unable to connect during those events. They only seem to happen once a 
day during non-peak times. I’ll take a look at our logs to see if we are seeing 
the rejected authentications too. We used the ISO to set up the server in 
VMWare. I wondered if we just needed a larger swap partition. Are you getting 
the warnings at peak times? Does it happen frequently?

Cian


On Oct 23, 2022, at 10:28 PM, Simon Sutcliffe via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
 We are seeing the same with Zen 12 in a cluster


From: Schüller Dennis via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Friday, October 21, 2022 7:56:01 AM
To: packetfence-users@lists.sourceforge.net
Cc: Schüller Dennis <dennis.schuel...@nuerburgring.de>
Subject: [PacketFence-users] Server swap over 90%



Hey All,

One of my cluster nodes alerts for swap.

But just one (the master); as a result, authentications are rejected because of 
“server not response”.

Someone with the same problem? Some idea how I can solve this issue?



Thanks a lot!



Grüße aus der Grünen Hölle / Regards from the Green Hell


i. A. Dennis Schüller
Systembetreuung
IT

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users





[PacketFence-users] Beginner configuration issue(s)

2022-10-24 Thread Marc Angelo via PacketFence-users
Hi All

I have a question regarding the configuration of Packet Fence

First, what I am wanting to do.

We have multiple VLANs within our infrastructure; we are only interested in 
using PF in one of these, and that is the management network for our switches. I 
have set up a test VLAN with one switch in the VLAN plus I have installed a VM 
with PF and it is in the same VLAN as the test switch.

The objective is to only allow specific MAC addresses to plug into a specific 
wall port. The MAC address is to be authenticated by PF before being allowed 
access to the network and to assign a VLAN to the device that is authenticated. 
We are using EdgeSwitches which I see are available devices within PF



My question is what steps I take to set a configuration like this up. I’m not 
looking (initially anyway) for a lengthy description; I just want to be 
pointed in the right direction (e.g. 1. Add switch 2. Configure Radius to 
authenticate MAC address etc.)

Thanks in advance for any assistance, greatly appreciated

Cheers
Marc



Marc Angelo
Systems Administrator



Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Michael Weber via PacketFence-users
Hello,
I did not change anything in iptables.conf.

We have a VMware environment so I can restore the "old" VM every time. Please 
find the do-upgrade.sh output below:

Here are the last lines of the output, then the system is not available via 
network anymore:
Setting packetfence.target as the default systemd target.
Restarting journald to enable persistent logging
Restarting rsyslog
Mon 24 Oct 2022 07:49:55 PM CEST - Images detected:
- fingerbank-db
- pfpki
- radiusd-acct
- radiusd-cli
- pfcmd
- radiusd-auth
- api-frontend
- pfcron
- haproxy-portal
- httpd.webservices
- proxysql
- pfperl-api
- radiusd-load-balancer
- httpd.admin_dispatcher
- radiusd-eduroam
- pfsso
- httpd.portal
- pfqueue
- pfconnector
- haproxy-admin
- pfconfig
- httpd.aaa
- httpd.dispatcher
ghcr.io/inverse-inc/packetfence/fingerbank-db:maintenance-12-0
ghcr.io/inverse-inc/packetfence/pfpki:maintenance-12-0
ghcr.io/inverse-inc/packetfence/radiusd-acct:maintenance-12-0
ghcr.io/inverse-inc/packetfence/radiusd-cli:maintenance-12-0
ghcr.io/inverse-inc/packetfence/pfcmd:maintenance-12-0
ghcr.io/inverse-inc/packetfence/radiusd-auth:maintenance-12-0
ghcr.io/inverse-inc/packetfence/api-frontend:maintenance-12-0
ghcr.io/inverse-inc/packetfence/pfcron:maintenance-12-0
ghcr.io/inverse-inc/packetfence/haproxy-portal:maintenance-12-0
ghcr.io/inverse-inc/packetfence/httpd.webservices:maintenance-12-0
ghcr.io/inverse-inc/packetfence/proxysql:maintenance-12-0
ghcr.io/inverse-inc/packetfence/pfperl-api:maintenance-12-0
ghcr.io/inverse-inc/packetfence/radiusd-load-balancer:maintenance-12-0
ghcr.io/inverse-inc/packetfence/httpd.admin_dispatcher:maintenance-12-0
ghcr.io/inverse-inc/packetfence/radiusd-eduroam:maintenance-12-0
ghcr.io/inverse-inc/packetfence/pfsso:maintenance-12-0
ghcr.io/inverse-inc/packetfence/httpd.portal:maintenance-12-0
ghcr.io/inverse-inc/packetfence/pfqueue:maintenance-12-0
ghcr.io/inverse-inc/packetfence/pfconnector:maintenance-12-0
ghcr.io/inverse-inc/packetfence/haproxy-admin:maintenance-12-0
ghcr.io/inverse-inc/packetfence/pfconfig:maintenance-12-0
ghcr.io/inverse-inc/packetfence/httpd.aaa:maintenance-12-0
ghcr.io/inverse-inc/packetfence/httpd.dispatcher:maintenance-12-0
Mon 24 Oct 2022 07:52:20 PM CEST - Pull of images finished
Mon 24 Oct 2022 07:52:21 PM CEST - Tag of images finished
Mon 24 Oct 2022 07:52:21 PM CEST - Previous images cleaned
Migrating from a version prior to 12.0. Need to restart some services...
Created symlink 
/etc/systemd/system/packetfence-base.target.wants/packetfence-redis-cache.service
 -> /lib/systemd/system/packetfence-redis-cache.service.
Created symlink 
/etc/systemd/system/packetfence-base.target.wants/packetfence-config.service -> 
/lib/systemd/system/packetfence-config.service.
Removed 
/etc/systemd/system/packetfence.target.wants/packetfence-iptables.service.
Fixed permissions.
Starting PacketFence Administration GUI...
Created symlink 
/etc/systemd/system/packetfence.target.wants/packetfence-iptables.service -> 
/lib/systemd/system/packetfence-iptables.service.
iptables v1.8.7 (nf_tables): chain `DOCKER' in table `filter' is incompatible, 
use 'nft' tool.

Waiting for iptables to be ready
iptables: Chain already exists.

Progress: [ 98%] 
[###...]

From: Quiniou-Briand, Nicolas
Sent: Monday, October 24, 2022 13:51
To: Matthies, Heiko; packetfence-users@lists.sourceforge.net; Michael Weber
Subject: RE: Upgrade-Script breaks system

Hello,

Thanks.
Could you answer my second question regarding customization of iptables.conf ?

Nicolas Quiniou-Briand
Product Support Engineer


Re: [PacketFence-users] Server swap over 90%

2022-10-24 Thread Cian Phillips via PacketFence-users
Hi Dennis,

We are not clustered and get swap warnings occasionally, but I haven’t noticed 
clients unable to connect during those events. They only seem to happen once a 
day during non-peak times. I’ll take a look at our logs to see if we are seeing 
the rejected authentications too. We used the ISO to set up the server in 
VMWare. I wondered if we just needed a larger swap partition. Are you getting 
the warnings at peak times? Does it happen frequently?

Cian 


> On Oct 23, 2022, at 10:28 PM, Simon Sutcliffe via PacketFence-users 
>  wrote:
> 
>  We are seeing the same with Zen 12 in a cluster 
> 
> From: Schüller Dennis via PacketFence-users 
> 
> Sent: Friday, October 21, 2022 7:56:01 AM
> To: packetfence-users@lists.sourceforge.net 
> 
> Cc: Schüller Dennis 
> Subject: [PacketFence-users] Server swap over 90%
>  
> 
> Hey All,
> One of my cluster nodes alerts for swap.
> But just one (the master); as a result, authentications are rejected because of 
> “server not response”.
> Someone with the same problem? Some idea how I can solve this issue?
>  
> Thanks a lot!
>  
> Grüße aus der Grünen Hölle / Regards from the Green Hell
> i. A. Dennis Schüller
> Systembetreuung
> IT
> 


Re: [PacketFence-users] Issues with machine authentication using MS-CHAPv2

2022-10-24 Thread Fabrice Durand via PacketFence-users
Hello Matthies,

can you provide the radius debug section where you can see the call to
ntlm_auth ?

Regards
Fabrice


On Mon, Oct 24, 2022 at 11:29, Matthies, Heiko via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> I troubleshooted this issue a little further and discovered that there
> is no authentication sent to the domain controllers when using machine
> authentication. When switching to user auth, everything works fine and I
> see packages in the tcpdump.
>
> Is there something I’m missing? According to the official guide, this
> should work out of the box…
>
>
>
> Kind Regards
>
>
>
> Heiko Matthies
>
>
>
>
>
> 
>
>
>
> *From:* Matthies, Heiko via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Tuesday, October 18, 2022 18:21
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Matthies, Heiko
> *Subject:* [PacketFence-users] Issues with machine authentication using
> MS-CHAPv2
>
>
>
> Hello Guys,
>
>
>
> I’m trying to implement machine- and user authentication on Windows 10
> Clients via MS-CHAPv2 using Packetfence v11.1. While the user
> authentication works like a charm, I’m having trouble setting up the
> machine authentication. I got the following log information from the radius
> debug log:
>
>
>
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: Auth-Type
> MS-CHAP {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'User-Name'} = :User-Name -> 'host/
> IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-IP-Address'} = :NAS-IP-Address -> '10.23.16.10'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-Port'} = :NAS-Port -> '45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Framed-MTU'} = :Framed-MTU -> '1500'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'State'} = :State -> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Called-Station-Id'} = :Called-Station-Id ->
> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Calling-Station-Id'} = :Calling-Station-Id ->
> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-Identifier'} = :NAS-Identifier -> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-Port-Type'} = :NAS-Port-Type -> 'Ethernet'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Event-Timestamp'} = :Event-Timestamp -> 'Oct 18 2022
> 18:52:46 CEST'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'EAP-Message'} = :EAP-Message ->
> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-Port-Id'} = :NAS-Port-Id ->
> 'Tengigabitethernet1/0/45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'EAP-Key-Name'} = :EAP-Key-Name -> '0x00'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = :FreeRADIUS-Proxied-To ->
> '127.0.0.1'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'MS-CHAP-Challenge'} = :MS-CHAP-Challenge ->
> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'MS-CHAP2-Response'} = :MS-CHAP2-Response ->
> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'EAP-Type'} = :EAP-Type -> 'MSCHAPv2'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Realm'} = :Realm -> 'group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'MS-CHAP-User-Name'} = :MS-CHAP-User-Name -> 'host/
> IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'PacketFence-Domain'} = :PacketFence-Domain -> 'group'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'PacketFence-KeyBalanced'} = :PacketFence-KeyBalanced
> -> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'PacketFence-Radius-Ip'} = :PacketFence-Radius-Ip ->
> '10.20.10.55'
> Oct 18 17:52:46 

Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Quiniou-Briand, Nicolas via PacketFence-users
I opened following issue https://github.com/inverse-inc/packetfence/issues/7298

Nicolas Quiniou-Briand
Product Support Engineer



Re: [PacketFence-users] Multiple ACLs and Aruba 6300M

2022-10-24 Thread Fabrice Durand via PacketFence-users
Hello Regimantas,

alright, sorry for the delayed response.

So let's follow these steps and see what happens on the switch.

First edit this file (/usr/local/pf/raddb/mods-config/files/authorize) and
add at the end (replace 02-00-00-00-00-00 by the mac address of the
device you are testing with):

02-00-00-00-00-00 Auth-Type := Local, User-Password == 02-00-00-00-00-00
        Nas-FILTER-Rule = "permit in tcp from any to host 10.10.10.101",
        Nas-FILTER-Rule += "deny in tcp from any to any"

Then edit /usr/local/pf/conf/radiusd/packetfence and uncomment #files (line
104 on my side)

[% authorize_eap_choice %]

        #
        #  Read the 'users' file.  In v3, this is located in
        #  raddb/mods-config/files/authorize
        files

        # Accept any non-eap request and send it to the packetfence module for authorization
        if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") {
                update {
                        &control:Auth-Type := Accept
                }
        }


Next you have to restart radiusd:

/usr/local/pf/bin/pfcmd service radiusd restart

Then connect your device on the switch port (mac auth and not 802.1x) and
you should be able to see the Nas-Filter-Rule attributes in the reply.


(0) Mon Oct 24 13:20:48 2022: Debug: Sent Access-Accept Id 85 from
172.105.98.135:1812 to 172.105.98.135:45454 length 108
(0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "permit in tcp
from any to host 10.10.10.101"
(0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "deny in tcp from
any to any"
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Type = VLAN

(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Private-Group-Id = "2"

(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Medium-Type = IEEE-802

(0) Mon Oct 24 13:20:48 2022: Debug: Finished request

And check on the switch side if they apply correctly.

Let me know if it works, because as you can see there is no difference
between what packetfence returns and what we have in the reply from the
user file.

Regards
Fabrice



On Tue, Oct 18, 2022 at 08:42, Fabrice Durand wrote:

> Let me prepare the config on my side and I will share with you what needs
> to be done in the freeradius config.
> I will be back to you shortly.
>
>
> On Tue, Oct 18, 2022 at 08:38, Regimantas Pabrėža <
> regimantas.pabr...@limedika.lt> wrote:
>
>> Sure I would like to get it resolved.
>>
>>
>>
>> 802.1X authentication is a new thing to me and I‘m currently testing it
>> so any help setting up FreeRADIUS is more than welcome 
>>
>>
>>
>> Regards,
>>
>> Regimantas Pabrėža
>> IT Administrator
>>
>> Mob. +370 675 02148
>>
>>
>>
>> *From:* Fabrice Durand 
>> *Sent:* Tuesday, October 18, 2022 3:20 PM
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Regimantas Pabrėža 
>> *Subject:* Re: [PacketFence-users] Multiple ACLs and Aruba 6300M
>>
>>
>>
>> Hello Regimantas,
>>
>>
>>
>> I would like to see this fixed since it's an issue we saw a lot of times on
>> the mailing list.
>>
>> Since I don't have an Aruba switch on my side, is it possible to configure
>> freeradius to use the file to answer the radius request and see the result
>> with raddebug?
>>
>> With that we will be able to compare and see exactly what happens.
>>
>>
>>
>> Btw += is unlang and is a way to append values in attributes (like an
>> array) and this is what we do internally in PacketFence.
>>
>>
>>
>> Let me know if you need help to setup the freeradius with the file.
>>
>>
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>>
>>
>> On Mon, Oct 17, 2022 at 08:38, Regimantas Pabrėža via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello,
>>
>>
>>
>> I‘m trying to push multiple ACLs from packetfence to aruba 6300m but only
>> the first line appears on the switch side
>>
>>
>>
>> Configuration on packetfence: Configuration -> Policies and Access
>> Control -> Switches -> Roles
>>
>>
>>
>> Radius reply on packetfence: Auditing -> RADIUS Audit Logs -> RADIUS
>>
>>
>>
>> Switch configuration:
>>
>>
>>
>>
>>
>> Has anyone managed to push multiple lines to Aruba 6300M?
>>
>>
>>
>> Checking examples in documentation on hpe site I see one strange thing.
>> The first NAS-FILTER-Rule command has = (equal sign) and other
>> NAS-FILTER-Rule commands have += (plus and equal sign)
>>
>>
>>
>>
>>
>> Packetfence RADIUS reply shows both commands with = (equal sign)
>>
>>
>>
>> Maybe that‘s the case but I don‘t know how to change it on packetfence
>>
>>
>>
>> Regards,
>>
>> Regimantas Pabrėža
>> IT Administrator
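
The check described in Fabrice's message above (a users-file entry carrying two NAS-Filter-Rule values, then reading the Access-Accept in the debug output), as an added example that is not part of the original thread or of PacketFence: it parses both and reports rules that are missing or out of order. The function names, the 192.0.2.x addresses and the sample strings are constructed for illustration, and the `=`/`+=` operators are recorded but not interpreted.

```python
import re

# Constructed users-file entry in the layout the message describes; the
# attribute casing and operators are copied from the thread.
USERS_ENTRY = """\
02-00-00-00-00-00 Auth-Type := Local, User-Password == 02-00-00-00-00-00
\tNas-FILTER-Rule = "permit in tcp from any to host 10.10.10.101",
\tNas-FILTER-Rule += "deny in tcp from any to any"
"""

# Constructed debug output shaped like the excerpt in the thread (addresses
# are documentation placeholders); one line is wrapped as a mail client would.
DEBUG_OUTPUT = """\
(0) Mon Oct 24 13:20:48 2022: Debug: Sent Access-Accept Id 85 from 192.0.2.10:1812 to 192.0.2.20:45454 length 108
(0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "permit in tcp
from any to host 10.10.10.101"
(0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "deny in tcp from any to any"
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Type = VLAN
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Private-Group-Id = "2"
(0) Mon Oct 24 13:20:48 2022: Debug: Finished request
"""

REPLY_ITEM = re.compile(r'^\s+([\w-]+)\s*(\+=|:=|=)\s*(.*?),?\s*$')
LOG_LINE = re.compile(r'^\((\d+)\) .*?: Debug: (.*)$')
LOG_ATTR = re.compile(r'^\s+([\w-]+) = (.*)$')


def users_reply_items(entry):
    """Return (attribute, operator, value) for each indented reply item."""
    items = []
    for line in entry.splitlines():
        m = REPLY_ITEM.match(line)
        if m:
            items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items


def unwrap(text):
    """Re-join wrapped lines: a continuation line has no '(N)' prefix."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue                      # blank lines left by the mail client
        if LOG_LINE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines


def accept_attributes(debug_text):
    """Return one [(attribute, value), ...] list per 'Sent Access-Accept'."""
    replies, current = [], None
    for line in unwrap(debug_text):
        m = LOG_LINE.match(line)
        if not m:
            continue
        body = m.group(2)
        attr = LOG_ATTR.match(body)
        if body.startswith("Sent Access-Accept"):
            current = []
            replies.append(current)
        elif attr and current is not None:
            current.append((attr.group(1), attr.group(2).strip('"')))
        else:
            current = None                # any other line ends the attribute list
    return replies


def check_rules(entry, debug_text, attribute="NAS-Filter-Rule"):
    """Compare the rules configured in the entry with each Access-Accept."""
    name = attribute.lower()              # the thread spells the name with mixed casing
    expected = [v for a, _op, v in users_reply_items(entry) if a.lower() == name]
    results = []
    for reply in accept_attributes(debug_text):
        sent = [v for a, v in reply if a.lower() == name]
        results.append({
            "missing": [r for r in expected if r not in sent],
            "unexpected": [r for r in sent if r not in expected],
            # Order is compared too: a permit listed after the deny-all
            # line would not read as the same ACL.
            "same_order": sent == expected,
        })
    return results


if __name__ == "__main__":
    for result in check_rules(USERS_ENTRY, DEBUG_OUTPUT):
        print(result)
```

Running the same comparison against the switch's own view of the applied ACL is the step the thread leaves to the switch side.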

Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Matthies, Heiko via PacketFence-users
Hello Nicolas,

Another piece of information which may be useful to you. After I logged into the GUI and 
tried to rejoin my domain, the same issue (timeout) occurs. I think the system 
tries to reinsert the ruleset from the v12 iptables.conf and bricks the system 
doing so.

Kind Regards,

Heiko Matthies


From: Quiniou-Briand, Nicolas
Sent: Monday, October 24, 2022 15:06
To: Matthies, Heiko; packetfence-users@lists.sourceforge.net; Michael Weber
Subject: RE: Upgrade-Script breaks system

Hello,

Thanks for your feedback.

> This line is uncommented in production as we used the haproxy dashboard in 
> the past. I don't think this would break the upgrade process.

I agree but I just want to confirm something.
I think I found root cause of your issue. I will open an issue sooner and let 
you know.

Nicolas Quiniou-Briand
Product Support Engineer



Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello,

Thanks for your feedback.

> This line is uncommented in production as we used the haproxy dashboard in 
> the past. I don't think this would break the upgrade process.

I agree but I just want to confirm something.
I think I found root cause of your issue. I will open an issue sooner and let 
you know.

Nicolas Quiniou-Briand
Product Support Engineer



Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Matthies, Heiko via PacketFence-users
Hello Nicolas,

I compared the current iptables.conf with the iptables.conf.example and found 
only one difference:
#-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
This line is uncommented in production as we used the haproxy dashboard in the 
past. I don't think this would break the upgrade process.

Kind Regards,

Heiko Matthies


From: Quiniou-Briand, Nicolas
Sent: Monday, October 24, 2022 13:51
To: Matthies, Heiko; packetfence-users@lists.sourceforge.net; Michael Weber
Subject: RE: Upgrade-Script breaks system

Hello,

Thanks.
Could you answer my second question regarding customization of iptables.conf ?

Nicolas Quiniou-Briand
Product Support Engineer



Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Matthies, Heiko via PacketFence-users
Hello Nicolas,

I suppose, Michael will provide the needed logs and information for you. As we 
have still not upgraded our main packetfence instance, I could reproduce the 
issue if needed. Just hit me up, if you need further information about this 
issue.

Kind regards,

Heiko Matthies


From: Quiniou-Briand, Nicolas via PacketFence-users
Sent: Monday, October 24, 2022 09:09
To: Michael Weber; packetfence-users@lists.sourceforge.net
Cc: Quiniou-Briand, Nicolas
Subject: Re: [PacketFence-users] Upgrade-Script breaks system

Hello Michael,

Just to clarify, I only need output of `do-upgrade.sh` script during a failed 
upgrade.
Could you answer my second question regarding customization of iptables.conf ?

Nicolas Quiniou-Briand
Product Support Engineer




From: Michael Weber <michael.we...@crimson.de>
Sent: Monday, October 24, 2022 9:06 AM
To: Quiniou-Briand, Nicolas <nquin...@akamai.com>; packetfence-users@lists.sourceforge.net
Subject: Re: Upgrade-Script breaks system

Hello,
I am not in the office today. I can provide all of these logs in ~8 hours. Even 
a remote support to collect all required logs is fine for me.

Best regards
Michael Weber

From: Quiniou-Briand, Nicolas <nquin...@akamai.com>
Sent: Monday, October 24, 2022 8:47:25 AM
To: packetfence-users@lists.sourceforge.net
Cc: Michael Weber <michael.we...@crimson.de>
Subject: RE: Upgrade-Script breaks system


Hello,



I would like to take a look on this issue.

As far as I know, the message:



#v+

chain DOCKER in table filter is incompatible, use 'nft' instead

#v-



doesn't stop upgrade and appears on all upgrades.

1. Could you provide me logs (in private) of your upgrade (using do-upgrade.sh) 
?

2. Could you tell me if you edited iptables.conf to add custom rules before 
your upgrade ?



Nicolas Quiniou-Briand
Product Support Engineer




[PacketFence-users] CoA after guest registration

2022-10-24 Thread James Andrewartha via PacketFence-users

Hi,

I'm trying to work out how to get PacketFence to send a CoA to an 
Aerohive (XIQ) AP after a guest registers and is approved by sponsor. I 
have the AP switch object configured to map by switch role, which sends 
a Filter-ID I can match on. If I disconnect and reconnect (and clear 
auth cache on the AP) I get the correct role, but I'm trying to work out 
how to trigger a CoA so that step isn't needed.


I think I need to be looking into the release code, based on this log 
entry, but I dug into the source without much luck.


Oct 24 15:32:57 kerr packetfence_httpd.portal[585169]: 
httpd.portal(585169) INFO: [mac:62:a0:d3:d3:54:4b] Device is registered 
and still on the portal, attempting to release it again. 
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)


Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877





Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello,

Thanks.
Could you answer my second question regarding customization of iptables.conf?

Nicolas Quiniou-Briand
Product Support Engineer

Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142




Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello Michael,

Just to clarify, I only need output of `do-upgrade.sh` script during a failed 
upgrade.
Could you answer my second question regarding customization of iptables.conf?

Nicolas Quiniou-Briand
Product Support Engineer

Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


From: Michael Weber
Sent: Monday, October 24, 2022 9:06 AM
To: Quiniou-Briand, Nicolas; packetfence-users@lists.sourceforge.net
Subject: Re: Upgrade-Script breaks system

Hello,
I am not in the office today. I can provide all of these logs in ~8 hours. Even 
a remote support to collect all required logs is fine for me.

Best regards
Michael Weber

From: Quiniou-Briand, Nicolas <nquin...@akamai.com>
Sent: Monday, October 24, 2022 8:47:25 AM
To: packetfence-users@lists.sourceforge.net
Cc: Michael Weber <michael.we...@crimson.de>
Subject: RE: Upgrade-Script breaks system

Hello,

I would like to take a look at this issue.
As far as I know, the message:

#v+
chain DOCKER in table filter is incompatible, use 'nft' instead
#v-

doesn't stop upgrade and appears on all upgrades.

1. Could you provide me logs (in private) of your upgrade (using do-upgrade.sh)?
2. Could you tell me if you edited iptables.conf to add custom rules before 
your upgrade?


Nicolas Quiniou-Briand
Product Support Engineer


Office: +33156696210


Akamai Technologies
145 Broadway
Cambridge, MA 02142





Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Michael Weber via PacketFence-users
Hello,
I am not in the office today. I can provide all of these logs in ~8 hours. Even 
a remote support to collect all required logs is fine for me.

Best regards
Michael Weber

From: Quiniou-Briand, Nicolas
Sent: Monday, October 24, 2022 8:47:25 AM
To: packetfence-users@lists.sourceforge.net
Cc: Michael Weber
Subject: RE: Upgrade-Script breaks system

Hello,

I would like to take a look at this issue.
As far as I know, the message:

#v+
chain DOCKER in table filter is incompatible, use ‘nft’ instead
#v-

doesn’t stop upgrade and appears on all upgrades.

1. Could you provide me logs (in private) of your upgrade (using do-upgrade.sh)?
2. Could you tell me if you edited iptables.conf to add custom rules before 
your upgrade?



Nicolas Quiniou-Briand
Product Support Engineer

Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142



Re: [PacketFence-users] Upgrade-Script breaks system

2022-10-24 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello,

I would like to take a look at this issue.
As far as I know, the message:

#v+
chain DOCKER in table filter is incompatible, use 'nft' instead
#v-

doesn't stop upgrade and appears on all upgrades.

1. Could you provide me logs (in private) of your upgrade (using do-upgrade.sh)?
2. Could you tell me if you edited iptables.conf to add custom rules before 
your upgrade?

Nicolas Quiniou-Briand
Product Support Engineer

Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142




[PacketFence-users] Reject Messages

2022-10-24 Thread Schüller Dennis via PacketFence-users
Hey All,

at the moment I get a lot of REJECT errors:


I can't identify why, but here is a part from my Packetfence.log, which shows 
this WARN a lot of times:

Oct 24 08:29:10 pf4 packetfence[306923]: -e(306923) WARN: Use of uninitialized 
value $port in addition (+) at 
/usr/local/pf/lib/pf/services/manager/radiusd_child.pm line 1657.


Since PF12.

?

I didn't change the SNMP settings and with version 11.2 everything works fine!


Thanks!
