[PacketFence-users] PF12.2 out-of-band routed mode not working - No DNS or Captive Portal
Hi Folks,

Maybe someone can help me out? We have been using PF now for over 6 years and are very happy with it. But we need to upgrade it to stay in line with our security policies.

We have a fully working 6.5 installation and a shadow 9.0 installation that are both working in out-of-band routed mode. The current PF servers have two NICs each:

    Eth0 - Management, running the 'portal' daemon
    Eth1 - Registration

We have several routed networks (several wired ones and several centrally managed wireless networks). The DHCP activity from these networks is 'reflected' from our network DHCP servers to the PF management interface so that the Nodes and IPLog tables are maintained correctly, effectively removing the need for the PF server to provide DHCP services. The network DHCP servers are configured to use the IP address of the registration interface (eth1) as the only name server.

We are using 'MAC Authentication Bypass' on our Cisco switches and our WiFi estate is controlled by a Wireless LAN Controller.

In order to upgrade to a newer version of PF we have been building out a new 12.2 server, but we cannot get our routed test network to work despite it being configured precisely the same way as the working networks and PF servers. We have a complete 'connection profile' in place and relevant other configuration to match the working servers.

When connected to the registration network(s) of our existing PF server, all DNS requests reply with the IP address of the management interface and display the captive portal to the end user as expected. When I connect to a routed registration network, the new PF12 server is responding to all DNS requests with the IP address 172.0.0.2, which of course is not routed on our network in any shape or form.

Is a fully routed 'out-of-band' solution no longer supported in 12.2, or am I missing something here?
Regards
Andrew

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
[PacketFence-users] Unable to 'preview' HTML files in 'Connection Profile->Files' in Admin GUI on PF12.1
Is it just me, but when I preview an entire profile it works fine, yet if I try and preview an individual HTML file it gives me an empty page.

The URL I get for the whole profile preview is:

https://:1443/portal_preview/captive-portal?PORTAL=GUEST

and I am able to move around and preview all the portal pages, but if I try and preview say the PARKING security event page I get this:

https://:1443/config/profile/GUEST/preview/security_events/parked.html

and this page connects but has no content. The template file used, 'parked.html', is a simple copy of the 'generic.html' template with slightly more informative text.

It works in 6.5 and 9.1 but I can't see anything in PF11 or 12. Does not seem to be browser dependent either, as it does this in Chrome/Edge and Firefox.

Andrew
Re: [PacketFence-users] Issue with PacketFence 12 and Cisco WLC
Hi Fabrice,

Long time since I did anything with our PF server, but we are having to upgrade from 6.5 and I am unsure how to code the override in WLC.pm. I have simply added a 'tweaked' copy of the 'extractSSIDFromCalledStationId' subroutine into the WLC.pm file, assuming it will take precedence over the definition in Switch.pm, but it does not appear to be working as we are still getting:

packetfence.log:Feb 28 10:33:48 packetfence httpd.aaa-docker-wrapper[4185393]: httpd.aaa(7) INFO: [mac:[undef]] Unable to extract MAC from Called-Station-Id: Tremough_HSE_0_MG29_AP1:ISETest (pf::radius::extractApMacFromRadiusRequest)
packetfence.log:Feb 28 10:33:48 packetfence httpd.aaa-docker-wrapper[4185393]: httpd.aaa(7) INFO: [mac:ee:d5:c7:dc:8f:84] Unable to extract SSID of Called-Station-Id: Tremough_HSE_0_MG29_AP1:ISETest (pf::Switch::extractSSIDFromCalledStationId)
packetfence.log:Feb 28 10:33:48 packetfence httpd.aaa-docker-wrapper[4185393]: httpd.aaa(7) WARN: [mac:ee:d5:c7:dc:8f:84] Unable to extract SSID for module pf::Switch::Cisco::WLC_5500. SSID-based VLAN assignments won't work. Please let us know so we can add support for it. (pf::Switch::extractSsid)

In WLC.pm we now have:

. . . Snip . . .
=item extractSSIDFromCalledStationId

Parse the Called-Station-Id attribute sent by a Cisco WLC differently as it can be configured
to send a non-standard string that can be anything rather than a formatted MAC Address followed by :SSID

=cut

sub extractSSIDFromCalledStationId {
    my ($self, $radius_request) = @_;

    # it's put in Called-Station-Id
    # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
    if (defined($radius_request->{'Called-Station-Id'})) {
        if ($radius_request->{'Called-Station-Id'} =~ /^
            # below is MAC Address with supported separators: :, - or nothing
            # [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
            .*
            :                                                                # : delimiter
            (.*)                                                             # SSID
            $/ix) {
            return $1;
        } else {
            my $logger = $self->logger;
            $logger->info("Unable to extract SSID of Called-Station-Id: ".$radius_request->{'Called-Station-Id'});
        }
    }
    return undef;
}

I am not a Perl expert so may be missing something here.

Regards
Andrew

From: Fabrice Durand
Sent: 28 February 2023 01:42
To: packetfence-users@lists.sourceforge.net
Cc: Andrew Torry ; Angus Hibberd
Subject: Re: [PacketFence-users] Issue with PacketFence 12 and Cisco WLC

Hello Andrew,

since it's just Cisco WLC related, you can put this function in WLC.pm instead. What you can do is open a PR on GitHub with your change; we will review it and merge it into the code base.

Regards
Fabrice

On Mon, 27 Feb 2023 at 16:14, Andrew Torry via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Greetings fellow PF users,

We have an issue that I was wondering if there is any chance of someone from the dev team to look at for me.
[PacketFence-users] Issue with PacketFence 12 and Cisco WLC
Greetings fellow PF users,

We have an issue that I was wondering if there is any chance of someone from the dev team to look at for me.

The Cisco WLC provides for the transmission of the CalledStationID field of a RADIUS packet to be based on different formats:

[inline image attachment: WLC Called-Station-ID format options]

In our specific case, with a campus stretched out over a huge area containing about 1300 APs, it is very useful to have the RADIUS logs refer to the NAME of an AP rather than simply its MAC address. This works fine with all our systems except PF.

The code inside Switch.pm is hardwired to recognise XX:XX:XX:XX:XX:XX:SSID or :SSID or XX-XX-XX-XX-XX-XX:SSID but rejects any other format (such as AP Name:SSID) above. This renders our WLC configuration incompatible with PF.

There is a simple tweak to the code that we can perform by replacing the REGEXP in the code from:

sub extractSSIDFromCalledStationId {
    my ($self, $radius_request) = @_;

    # it's put in Called-Station-Id
    # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
    if (defined($radius_request->{'Called-Station-Id'})) {
        if ($radius_request->{'Called-Station-Id'} =~ /^
            # below is MAC Address with supported separators: :, - or nothing
            [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
            :                                                                # : delimiter
            (.*)                                                             # SSID
            $/ix) {
            return $1;
        } else {
            my $logger = $self->logger;
            $logger->info("Unable to extract SSID of Called-Station-Id: ".$radius_request->{'Called-Station-Id'});
        }
    }
    return undef;
}

To:

sub extractSSIDFromCalledStationId {
    my ($self, $radius_request) = @_;

    # it's put in Called-Station-Id
    # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
    if (defined($radius_request->{'Called-Station-Id'})) {
        if ($radius_request->{'Called-Station-Id'} =~ /^
            # below is MAC Address with supported separators: :, - or nothing
            # [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
            .*
            :                                                                # : delimiter
            (.*)                                                             # SSID
            $/ix) {
            return $1;
        } else {
            my $logger = $self->logger;
            $logger->info("Unable to extract SSID of Called-Station-Id: ".$radius_request->{'Called-Station-Id'});
        }
    }
    return undef;
}

But we are reluctant to modify CORE code as this will be lost at upgrades. What would be nice is to have some sort of 'Called-Station-ID format specifier' included in the Configuration system.

Andrew
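As an added example, not PacketFence code and not the patch proposed in this thread, the stand-alone Perl script below shows parsing logic that accepts both the default "AP MAC:SSID" forms the original regex expects and the "AP name:SSID" form the WLC can be configured to send. It goes slightly beyond the thread's tweak by also returning the AP MAC whenever the prefix really is one, so the caller can tell the two cases apart. The package `Example::WLC`, the `parseCalledStationId` helper, the logger stubs and the sample values are constructed for this example; only the `extractSSIDFromCalledStationId` method and its `($self, $radius_request)` signature mirror the code quoted above.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code. Parses a Cisco WLC Called-Station-Id
# in either "<AP MAC>:<SSID>" form (MAC with ':' or '-' separators, or none)
# or "<AP name>:<SSID>" form. Example::WLC is a constructed stand-in for the
# real pf::Switch::Cisco::WLC class; the logger stubs just print to STDERR.
use strict;
use warnings;

package Example::WLC;

# Six hex octets separated by ':' or '-' or nothing (same rule as the
# original Switch.pm regex, written with a repetition group).
my $MAC_RE = qr/^[a-f0-9]{2}(?:[-:]?[a-f0-9]{2}){5}$/i;

sub new    { return bless {}, shift }
sub logger { return shift }                              # stub: the object is its own logger
sub info   { my ($self, $msg) = @_; print STDERR "INFO: $msg\n" }

# Split a Called-Station-Id on its LAST ':' so that AP names which themselves
# contain ':' still parse. Returns (ssid, ap_mac); ap_mac is undef when the
# prefix is an AP name rather than a MAC address. Constructed helper.
sub parseCalledStationId {
    my ($self, $csid) = @_;
    return (undef, undef) unless defined $csid;
    return (undef, undef) unless $csid =~ /^(.*):([^:]*)$/;   # greedy: last ':'
    my ($prefix, $ssid) = ($1, $2);
    return (undef, undef) if $ssid eq '';                   # "AP1:" carries no SSID
    my $mac;
    if ($prefix =~ $MAC_RE) {
        ($mac = lc $prefix) =~ s/[-:]//g;                   # strip separators
        $mac = join ':', $mac =~ /(..)/g;                   # normalise to aa:bb:cc:dd:ee:ff
    }
    return ($ssid, $mac);
}

# Same name and signature as the PacketFence method quoted in the thread.
sub extractSSIDFromCalledStationId {
    my ($self, $radius_request) = @_;
    my $csid = $radius_request->{'Called-Station-Id'};
    return undef unless defined $csid;
    my ($ssid) = $self->parseCalledStationId($csid);
    $self->logger->info("Unable to extract SSID of Called-Station-Id: $csid")
        unless defined $ssid;
    return $ssid;
}

package main;

my $wlc = Example::WLC->new;

# Constructed sample values; the fourth one is the AP-name form seen in the
# log lines earlier in this thread.
for my $csid (
    'aa-bb-cc-dd-ee-ff:Secure SSID',
    'aa:bb:cc:dd:ee:ff:Secure SSID',
    'aabbccddeeff:Secure SSID',
    'Tremough_HSE_0_MG29_AP1:ISETest',
    'Site:Building:AP7:Guest',
    'no-delimiter-at-all',
) {
    my ($ssid, $mac) = $wlc->parseCalledStationId($csid);
    printf "%-32s ssid=%-14s ap_mac=%s\n", $csid,
        defined $ssid ? "'$ssid'" : 'undef',
        defined $mac  ? $mac      : 'undef';
}

# The PacketFence-shaped method takes the logging path when there is no
# delimiter at all and returns undef, as the original does.
my $ssid = $wlc->extractSSIDFromCalledStationId({ 'Called-Station-Id' => 'no-delimiter-at-all' });
print 'method returned ', (defined $ssid ? "'$ssid'" : 'undef'), "\n";
```

Two points worth knowing before relying on this. Splitting at the last ':' is the same trade-off the `.*` tweak in the thread makes: an AP name containing ':' still parses, but an SSID that itself contains ':' would be reduced to the part after its last colon, so check your SSID naming before an SSID-based VLAN rule depends on it. And the AP-name form carries no MAC at all, so the "Unable to extract MAC from Called-Station-Id" message from pf::radius::extractApMacFromRadiusRequest in the log above is the expected consequence of that WLC setting; that is why the helper returns undef for the MAC in that case rather than guessing one.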