[PacketFence-users] Microsoft hardening AD/LDAP connections in March updates

2020-01-23 Thread Arthur Emerson via PacketFence-users
One of our other software vendors is sending out weekly nag emails about this 
Microsoft change, because it will break their Active Directory integration:

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Is this something that PF and/or individual sites will need to address as well 
when using AD integration before they are locked out in March???

-Arthur

--
Arthur Emerson III         Email: emer...@msmc.edu
Network Administrator      InterNIC: AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.            Fax: (845) 562-6762
Newburgh, NY 12550         SneakerNet: 347 Powell, First Floor

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Meru/Fortinet firmware issue heads-up

2019-02-20 Thread Arthur Emerson via PacketFence-users
With a disclaimer that our PacketFence install is bordering on grossly 
obsolete, I'm sending a heads-up for anyone still using Meru/Fortinet wireless 
equipment.

Their controller firmware version 8.4.3 has either a bug or feature where they 
are no longer sending the RADIUS Calling-Station-ID to PF.  This was observed 
on an open SSID, using MAC authentication.  I don't know if 802.1x 
authentication is also missing the Calling-Station-ID.  At least on our ancient 
version of PF, RADIUS returns no VLAN...so the controller uses whatever the 
default VLAN is configured for.  Upgrading from 8.4.2 to 8.4.3 resulted in two 
days of head-scratching before raddebug revealed the cause of VLANs not 
switching.

The release notes supposedly do not mention any RADIUS changes whatsoever.  
However, doing a stare-and-compare between the web GUI in 8.4.2 and 8.4.3, the 
pick list for RADIUS parameter Called-Station-ID tripled in available formats 
to send.

We have an escalated ticket open with Fortinet support, and will report back 
any news...

-Arthur

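A check for the symptom described in the post above, added here as an example (not code from the original message or from PacketFence): it parses FreeRADIUS 3-style debug output, the format raddebug prints, and flags every Access-Request that carries no Calling-Station-Id, so a controller that silently stops sending the MAC can be spotted on the RADIUS side rather than after two days of VLAN head-scratching. The debug lines, addresses and MACs below are constructed.

```python
import re

# Constructed FreeRADIUS 3-style debug output (what raddebug / radiusd -X print):
# two Access-Requests from one controller, the second lacking Calling-Station-Id,
# which is the symptom described in the post. Addresses and MACs are made up.
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 17 from 10.0.0.5:1812 to 10.0.0.1:1812 length 120
(0)   User-Name = "00-11-22-33-44-55"
(0)   Calling-Station-Id = "00-11-22-33-44-55"
(0)   Called-Station-Id = "AA-BB-CC-DD-EE-FF:Guest"
(0)   NAS-IP-Address = 10.0.0.5
(1) Received Access-Request Id 18 from 10.0.0.5:1812 to 10.0.0.1:1812 length 98
(1)   User-Name = "00-11-22-33-44-66"
(1)   Called-Station-Id = "AA-BB-CC-DD-EE-FF:Guest"
(1)   NAS-IP-Address = 10.0.0.5
"""

REQ_RE = re.compile(r"^\((\d+)\) Received Access-Request Id (\d+) from (\S+?):\d+ ")
AVP_RE = re.compile(r'^\((\d+)\)\s+([\w-]+) = "?([^"]*)"?\s*$')


def parse_requests(text):
    """Group the attribute/value pairs of each Access-Request by its number."""
    requests = {}
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            requests[m.group(1)] = {"_id": m.group(2), "_nas": m.group(3)}
            continue
        m = AVP_RE.match(line)
        if m and m.group(1) in requests:
            requests[m.group(1)][m.group(2)] = m.group(3)
    return requests


def find_missing_calling_station(text):
    """Return (request number, NAS address, User-Name) for every Access-Request
    without Calling-Station-Id; MAC authentication cannot work without it."""
    missing = []
    for num, avps in parse_requests(text).items():
        if "Calling-Station-Id" not in avps:
            missing.append((num, avps["_nas"], avps.get("User-Name")))
    return missing


if __name__ == "__main__":
    for num, nas, user in find_missing_calling_station(SAMPLE_DEBUG):
        print(f"request {num} from {nas} (User-Name={user}) has no Calling-Station-Id")
```

Feed it a captured raddebug session after a controller firmware upgrade; an empty result means every request still carried the attribute.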


Re: [PacketFence-users] So is support for Meru dead now on 7.4 ?

2018-03-06 Thread Arthur Emerson via PacketFence-users
Considering that Meru as a company is 404 and the brain-drain following
the Fortinet acquisition essentially put the whole product line into
life support mode in terms of customer support, I would not hold my
breath waiting for someone to fix any Meru problems in PF.

We are running PF 5.x with two Meru controllers and 600+ APs.  The
de-associate thing has been a pain point for quite some time.  Unless
I'm going crazy, ancient versions of PF used to even write log entries
for every de-associate asking users to pressure Meru to add the proper
de-associate support instead of requiring the ssh/telnet kludge.  They
supposedly did add the procedure, but I don't know if PF's Meru code
was ever updated to use it.

Long story short, our de-associate seems to be hit-or-miss with PF 5.x.
I think that we had set some sort of station timeout in the Meru
controllers, which causes them to re-query PF every few minutes to
decide if they should still be connected and to what VLAN.  Tradeoff
PF server load for more frequent queries versus user inconvenience having
to wait longer for a de-associate/re-associate after registration.

One piece of debugging advice that I will offer is to make sure that
you run ssh once AS THE USER RUNNING THE PF SERVICE to automatically
add the controller's certificate into the ssh config as a known host.
I don't know if PF is calling out to ssh or using some perl function
to do the connection, but have seen that pesky certificate prompt
break plenty of automation routines that use ssh over the years.

So, as is the case with anything in the open-source community or with
volunteer organizations, I suspect that the only way this will ever get
fixed is if someone who hasn't moved away from Meru/Fortinet takes the
lead and figures out what is needed to do the native de-associate without
ssh/telnet.  Everyone that I knew from Meru moved on a long time ago,
so I have no resources to tap outside of the same Fortinet support
department that everyone else has available...

-Arthur



From: Derek Brabrook via PacketFence-users
Reply: packetfence-users@lists.sourceforge.net
Date: March 6, 2018 at 12:20:42 PM
To: packetfence-users
Cc: Derek Brabrook
Subject: [PacketFence-users] So is support for Meru dead now on 7.4 ?
seeing as packetfence won't connect to the meru controller either via telnet or ssh to de-associate macs?

(see previous posts on this issue Meru 3200)


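Arthur's advice about running ssh once as the account that runs the PF service, turned into a check (an added example, not PacketFence's own code): it reads that account's known_hosts and reports whether the controller's host key is already recorded, handling both plain entries and the hashed form OpenSSH writes with HashKnownHosts, "|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))". The controller names, the salt, the key blobs and the ~pf/.ssh/known_hosts path are constructed placeholders.

```python
import base64
import hashlib
import hmac

def hash_host_entry(hostname, salt):
    """Build the '|1|salt|hash' host field OpenSSH writes under HashKnownHosts:
    both parts base64, hash = HMAC-SHA1 keyed with the salt over the hostname."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_known(hostname, known_hosts_text):
    """True if hostname appears in a plain or hashed entry. @-markers and
    [host]:port forms are not handled here (assumption: plain port-22 hosts)."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts_field = line.split()[0]
        if hosts_field.startswith("|1|"):
            _, _, salt_b64, digest_b64 = hosts_field.split("|", 3)
            salt = base64.b64decode(salt_b64)
            actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(actual, base64.b64decode(digest_b64)):
                return True
        elif hostname in hosts_field.split(","):
            return True
    return False

def host_known_in_file(hostname, path):
    """Check the known_hosts of the account that runs the service, e.g. the
    hypothetical path ~pf/.ssh/known_hosts; a missing file means nothing is known."""
    try:
        with open(path, encoding="utf-8") as fh:
            return host_known(hostname, fh.read())
    except FileNotFoundError:
        return False

# Constructed sample: controller names, salt and key blobs are placeholders.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "meru-ctl1.example.net,10.0.0.10 ssh-rsa AAAAB3NzaC1yc2E...placeholder",
    hash_host_entry("meru-ctl2.example.net", _SALT) + " ssh-rsa AAAAB3NzaC1yc2E...placeholder",
])

if __name__ == "__main__":
    for ctl in ("meru-ctl1.example.net", "meru-ctl2.example.net", "meru-ctl3.example.net"):
        print(ctl, "known" if host_known(ctl, SAMPLE_KNOWN_HOSTS) else "NOT known: run ssh once as the service user")
```

A controller reported as not known is the case where an unattended de-associate would hang on the host-key prompt; the key should be recorded (and its fingerprint compared against one obtained out of band) before the automation depends on it.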


Re: [PacketFence-users] Cheap AP

2017-10-10 Thread Arthur Emerson via PacketFence-users
It sounds like you may want to use a simple inline deployment on a
dedicated guest SSID, and any AP that you can buy should work in this
configuration...

-Arthur



From: Spencer Hazell via PacketFence-users
Reply: packetfence-users@lists.sourceforge.net
Date: October 10, 2017 at 8:56:22 AM
To: packetfence-users@lists.sourceforge.net
Cc: Spencer Hazell
Subject: [PacketFence-users] Cheap AP

Hi

Can you point me in the direction of a cheap AP (preferably fat, as I guess it's cheaper) that will work?

We don’t have many guests and already have a solution in place, so I’d like a 
cheap dedicated AP that can be used for guests only?

Thanks

Spencer Hazell




IT Manager






Re: [PacketFence-users] prevent certain ldap usernames from registering devices

2017-09-12 Thread Arthur Emerson via PacketFence-users
What we do with PF 5.x is have a limit (N) on the number of devices that
guest users can register...and then make sure that there are N+1 bogus
MAC addresses registered/active for that user account.  Anyone who tries
to register another device is told that they already have too many
devices registered...

-Arthur



From: lists via PacketFence-users
Reply: packetfence-users@lists.sourceforge.net
Date: September 12, 2017 at 5:56:17 AM
To: packetfence-users@lists.sourceforge.net
Cc: lists
Subject: [PacketFence-users] prevent certain ldap usernames from registering devices

Hi,

Is there a way to 'blacklist' specific ldap usernames from registering
devices in the packetfence portal?

Running pf 7 with inline guest portal, with an AD ldap-based usersource.

I tried creating a rule under our ldap authentication source:
- condition 'username'
- role REJECT
- access duration (mandatory!) of 0h

This makes the registration basically fail, but in a way that is very
unclear to the end-user. We hope pf has a better way of informing the
user that this specific account is not allowed to register devices..?

Best regards,
MJ
