[PacketFence-users] Future of CentOS and PacketFence
https://blog.centos.org/2020/12/future-is-centos-stream/

Any idea how this announcement today will impact PacketFence moving forward?

--
*R. Christian McDonald *
M: (616) 856-9291
E: rcmcdonal...@gmail.com

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
[PacketFence-users] Switch Template for APC Network Management Card 2
Greetings,

Has anyone already created a switch template for APC NMC 2 cards? I see the APC-Service-Type attribute is already predefined in the Switch Template interface, but I've never created a Switch Template before.

Thanks,

--
R. Christian McDonald
*Information Technology Manager*
Grand Rapids Adventist Academy
T: (888) 791-3108 (x1105)
O: (616) 791-9797 (x1105)
C: (616) 856-9291
1151 Oakleigh Road NW
Grand Rapids, MI 49504
Re: [PacketFence-users] Cluster upgrade 10.1 to 10.2 Problems
# Copyright (C) Inverse inc.
[Node Manager]
actions=NODES_READ,NODES_CREATE,NODES_UPDATE,NODES_DELETE,SECURITY_EVENTS_READ,SWITCHES_READ,DHCP_OPTION_82_READ,USERS_READ
description=Nodes management

[User Manager]
actions=USERS_CREATE,USERS_DELETE,USERS_READ,USERS_UPDATE,USERS_SET_ROLE,USERS_SET_ACCESS_DURATION,USERS_SET_UNREG_DATE,USERS_SET_TIME_BALANCE,USERS_SET_BANDWIDTH_BALANCE,USERS_SET_ACCESS_LEVEL,USERS_MARK_AS_SPONSOR,USERS_CREATE_MULTIPLE,DHCP_OPTION_82_READ,SECURITY_EVENTS_READ,SWITCHES_READ,SYSTEM_READ,USERS_SOURCES_READ,CONFIGURATION_MAIN_READ
description=Users management

[Security Event Manager]
description=Security Events managements
actions=SECURITY_EVENTS_READ,SECURITY_EVENTS_CREATE,SECURITY_EVENTS_UPDATE,SECURITY_EVENTS_DELETE,USERS_READ,NODES_READ

On Thu, Nov 5, 2020 at 9:12 AM Ludovic Zammit wrote:
> Hello Christian,
>
> Could you send me your conf/adminroles.conf please?
>
> Thanks,
>
> Ludovic Zammit
> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Nov 2, 2020, at 4:53 PM, Christian McDonald wrote:
> > This is indeed the built-in admin account. (See the issue I opened up here: https://github.com/inverse-inc/packetfence/issues/5919).

--
R. Christian McDonald
*Information Technology Manager*
Grand Rapids Adventist Academy
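The thread turns on which administrative actions each role in conf/adminroles.conf grants, and on the 10.2 upgrade note about renaming pfmon actions to pfcron. The following is an added example, not PacketFence's own code: it parses an adminroles.conf, lists the roles whose actions still use the pre-10.2 PFMON_* names, reports which roles grant a given action (treating actions=ALL as the built-in admin's wildcard), and rewrites the stale names. It assumes the rename is a simple PFMON_ to PFCRON_ prefix change (e.g. PFMON_READ to PFCRON_READ); the sample file, including the "Maintenance Viewer" role, is constructed for the demonstration.

```python
"""Check a PacketFence adminroles.conf for pre-10.2 PFMON_* action names.

Added example, not PacketFence's own code. Assumes that 10.2 renamed the
PFMON_* administrative actions to PFCRON_* (prefix change only); the sample
file below is constructed.
"""
import configparser
import re

# Constructed sample adminroles.conf: one role from the thread plus a role
# that still carries the old PFMON_* action names and an ALL-style role.
SAMPLE_ADMINROLES = """\
# Copyright (C) Inverse inc.
[Node Manager]
actions=NODES_READ,NODES_CREATE,NODES_UPDATE,NODES_DELETE,SECURITY_EVENTS_READ
description=Nodes management

[Maintenance Viewer]
actions=PFMON_READ,PFMON_UPDATE,CONFIGURATION_MAIN_READ
description=Constructed role with stale pre-10.2 action names

[Superuser]
actions=ALL
description=Built-in style role that carries every action
"""

PFMON_RE = re.compile(r"^PFMON_")


def parse_adminroles(text):
    """Return {role name: [action, ...]} from adminroles.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        raw = cp.get(section, "actions", fallback="")
        roles[section] = [a.strip() for a in raw.split(",") if a.strip()]
    return roles


def stale_pfmon_actions(roles):
    """Map each role to the (old, new) renames it still needs."""
    stale = {}
    for role, actions in roles.items():
        renames = [(a, PFMON_RE.sub("PFCRON_", a)) for a in actions if PFMON_RE.match(a)]
        if renames:
            stale[role] = renames
    return stale


def roles_granting(roles, action):
    """Roles that grant `action`; actions=ALL grants everything."""
    return sorted(r for r, acts in roles.items() if action in acts or "ALL" in acts)


def rename_pfmon_actions(text):
    """Rewrite PFMON_* to PFCRON_* on actions= lines only, leaving
    descriptions and comments untouched."""
    out = []
    for line in text.splitlines():
        if line.startswith("actions="):
            items = line[len("actions="):].split(",")
            line = "actions=" + ",".join(PFMON_RE.sub("PFCRON_", a.strip()) for a in items)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    roles = parse_adminroles(SAMPLE_ADMINROLES)
    for role, renames in stale_pfmon_actions(roles).items():
        print(f"{role}: " + ", ".join(f"{old} -> {new}" for old, new in renames))
    print("PFCRON_READ granted to:", roles_granting(roles, "PFCRON_READ"))
    fixed = parse_adminroles(rename_pfmon_actions(SAMPLE_ADMINROLES))
    print("after rename, PFCRON_READ granted to:", roles_granting(fixed, "PFCRON_READ"))
```

Run it against a copy of your own conf/adminroles.conf before a 10.2 upgrade to see which roles would lose Maintenance access; the built-in admin with actions=ALL is unaffected by the rename, which is why an error for that account points at something other than this file.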
Re: [PacketFence-users] Cluster upgrade 10.1 to 10.2 Problems
This is indeed the built-in admin account. (See the issue I opened up here: https://github.com/inverse-inc/packetfence/issues/5919).

This is really a pretty basic cluster setup atm, only doing RADIUS enforcement. Nothing else.

Under the admin user, actions = ALL

On Thu, Oct 22, 2020 at 11:30 AM Ludovic Zammit via PacketFence-users wrote:
> Hello,
>
> What is the account that you have an issue with? Is that admin? If it's a local account, send a screen capture of the rights under Action.
>
> Send the output of your conf/authentication.conf, hiding personal info.
>
> Thanks,
>
> Ludovic Zammit
> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
R. Christian McDonald
*Information Technology Manager*
Grand Rapids Adventist Academy
Re: [PacketFence-users] Cluster upgrade 10.1 to 10.2 Problems
Any other things to try? I'm following the upgrade procedure exactly. Thanks.

On Tue, Oct 20, 2020 at 8:40 AM Ludovic Zammit via PacketFence-users wrote:
> Hello,
>
> Have you tried that:
>
> https://github.com/inverse-inc/packetfence/blob/devel/UPGRADE.asciidoc#rename-pfmon-actions-to-pfcron
>
> Thanks,
>
> Ludovic Zammit
> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
*R. Christian McDonald *
[PacketFence-users] Cluster upgrade 10.1 to 10.2 Problems
Starting with a healthy 3 node 10.1 cluster, patched using ./pf-maint.pl and freshly rebooted. Galera health, etc.

A few observations:

1. I get a PFCRON_READ Administrative Role error when browsing Configuration > Maintenance as the built-in admin user. I understand there were significant changes to the PFMON/PFCRON component in 10.2. Not sure how to proceed. I also tried patching node C prior to starting it in the standalone state with ./pf-maint.pl and then running the to-10.2.xxx scripts. I observe the same behavior as above.

2. I'm having a hard time getting Node C's database synced over to Node A and Node B. Even after stopping mariadb, clearing /var/lib/mysql/* and starting mariadb again, node A and node B still seem to be hanging onto the 10.1.0 database as per 'SELECT * FROM pf_version;', though node C indicates the correct schema version when running the above SQL query from the command line.

--
R. Christian McDonald
*Information Technology Manager*
Grand Rapids Adventist Academy
Re: [PacketFence-users] Packetfence install on centos 8
CentOS 7 is the supported version. Stick with v7.
Re: [PacketFence-users] Moving management interfaces in a cluster to a different nic
I already have the cluster healthy and established. Could I just shut down the pf services, reconfigure the networking, edit pf.conf, cluster.conf and any relevant /etc/sysconfig/network-scripts and reboot?

On Mon, Oct 5, 2020 at 7:54 AM Ludovic Zammit via PacketFence-users wrote:
> Hello Christian,
>
> Use the previous IPs of the standalone server as Virtual IPs on the cluster and you don't need to reconfigure all your network equipment.
>
> Use temporary VIPs to create your cluster; once you are ready, use the old standalone IPs as the new VIPs of the cluster.
>
> Thanks,
>
> Ludovic Zammit
> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
*R. Christian McDonald *
[PacketFence-users] Moving management interfaces in a cluster to a different nic
I've got an interesting situation. What's the safest way to move a management interface on a 3 node cluster from one vNIC to another without breaking things? Downtime is fine. Thanks.
[PacketFence-users] Adding interfaces to production cluster
What is the correct procedure for adding interfaces to an existing cluster for additional services like inline enforcement etc?

--
*R. Christian McDonald *
[PacketFence-users] AD/LDAP Authentication Source. Single hostname. Round Robin?
When configuring an AD/LDAP authentication source with a single LDAP hostname (i.e. ad.mydomain.com), will PacketFence round-robin the A records, or should I explicitly declare multiple LDAP hosts?
Re: [PacketFence-users] PacketFence and Domain Join Issues
Bug with winbindd not being enabled after joining the domain...so winbindd isn't running when you reboot. Run /usr/local/pf/addons/pf-maint.pl to pull the latest patches and try again.

On Wed, Jul 22, 2020 at 1:02 PM Louis Scaringella via PacketFence-users wrote:
> Hello,
>
> We are running PacketFence 10.1.0 and running into an issue when joining the domain. It seems we are able to join the domain just fine, but after a reboot, we see the message "Cannot open network namespace RQSDomain". When we re-join it seems to join fine and is green, but always after a reboot this fails to show it is joined still.
>
> Any ideas to please help with this issue?
>
> Louis Scaringella
> Security Systems Engineer
> Yellow Dog Networks, Inc
> 785-342-7903

--
*R. Christian McDonald *
Re: [PacketFence-users] Upgraded to 10.1.0 and Winbind stopped working.
Make sure winbindd is actually running.

On Mon, Jul 20, 2020 at 7:55 AM Nicolas Quiniou-Briand via PacketFence-users wrote:
> On 10/07/2020 20:30, Robert McNutt via PacketFence-users wrote:
> > Did an upgrade from 10.0.0 to 10.1.0 and now 802.1X auth doesn't work when using PEAP. The audit log shows error reading winbind reply. Any thoughts on what could cause this?
> >
> > mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'
>
> You should be able to see something in packetfence.log.
>
> --
> Nicolas Quiniou-Briand
> n...@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (http://fingerbank.org)

--
*R. Christian McDonald *
[PacketFence-users] Domain Join Drops After Reboot
My 3 node cluster won't stay joined to the domain, and winbindd is 'disabled' after rebooting. I see this error under test join: 'Cannot open network namespace "AD": No such file or directory'
Re: [PacketFence-users] Clustering Guide Sanity Check
Seems that I had my nose on a bug.

https://github.com/inverse-inc/packetfence/issues/5667

/closing

Thanks all!

--
R. Christian McDonald
*Director of Technology*
Grand Rapids Adventist Academy
Re: [PacketFence-users] Clustering Guide Sanity Check
The only obvious issue I see in packetfence.log related to haproxy-admin is:

Jul 7 11:47:08 pf1 packetfence: -e(6841) WARN: Use of uninitialized value $portal_preview_ip in concatenation (.) or string at /usr/local/pf/lib/pf/services/manager/haproxy_admin.pm line 219. (pf::services::manager::haproxy_admin::generateConfig)

--
R. Christian McDonald
*Director of Technology*
Grand Rapids Adventist Academy
Re: [PacketFence-users] Clustering Guide Sanity Check
Still getting the 'could not write namespace ... L2 cache' errors.

On Tue, Jul 7, 2020 at 7:49 AM Nicolas Quiniou-Briand via PacketFence-users wrote:
> If I was you, I will:
> - break the `--force-new-cluster` command
> - completely stop any MariaDB service
> - restart at this step:
>
> #v+
> systemctl stop packetfence-mariadb
> /usr/local/pf/bin/pfcmd generatemariadbconfig
> /usr/local/pf/sbin/pf-mariadb --force-new-cluster
> #v-
> --
> Nicolas Quiniou-Briand
> n...@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (http://fingerbank.org)

--
R. Christian McDonald
*Director of Technology*
Grand Rapids Adventist Academy
Re: [PacketFence-users] Clustering Guide Sanity Check
Seems that the galera side is operational and replicating...I see all three nodes in incoming_addresses and operational status is 'synced' on all three nodes too. keepalive seems to be working fine too. Only problem is that haproxy-admin isn't starting on the primary node.

https://pastebin.com/VsSehT6p

--
R. Christian McDonald
*Director of Technology*
Grand Rapids Adventist Academy
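The message above judges Galera health by the members listed in incoming_addresses and by every node reporting 'synced'. As an added example, not part of the thread or of PacketFence's own tooling, the script below parses the table that the mysql client prints for SHOW STATUS LIKE 'wsrep_%' and applies those checks to each node: the cluster size must match the expected membership, every expected member must appear in wsrep_incoming_addresses, the node must be in the Primary component, Synced, ready and connected. Both status dumps are constructed; the second shows a node still receiving a state transfer, which is what a node that was wiped and restarted (as in the 10.2 upgrade thread) looks like until it catches up.

```python
"""Check Galera (wsrep) status from each PacketFence cluster node.

Added example, not PacketFence's own tooling. Parses the two-column table
the mysql client prints for SHOW STATUS LIKE 'wsrep_%' and reports the
health conditions the thread looks for. Sample outputs are constructed.
"""

# Constructed: abbreviated status of a healthy node (alignment shortened).
NODE_A_STATUS = """\
+---------------------------+----------------------------------------------------------+
| Variable_name             | Value                                                    |
+---------------------------+----------------------------------------------------------+
| wsrep_cluster_size        | 3                                                        |
| wsrep_cluster_status      | Primary                                                  |
| wsrep_connected           | ON                                                       |
| wsrep_incoming_addresses  | 192.168.10.51:3306,192.168.10.52:3306,192.168.10.53:3306 |
| wsrep_local_state_comment | Synced                                                   |
| wsrep_ready               | ON                                                       |
+---------------------------+----------------------------------------------------------+
"""

# Constructed: a node that is still joining after its datadir was cleared.
NODE_C_STATUS = """\
| wsrep_cluster_size        | 2                                     |
| wsrep_cluster_status      | Primary                               |
| wsrep_connected           | ON                                    |
| wsrep_incoming_addresses  | 192.168.10.51:3306,192.168.10.53:3306 |
| wsrep_local_state_comment | Joining: receiving State Transfer     |
| wsrep_ready               | OFF                                   |
"""

# The three management IPs used in the clustering thread on this page.
EXPECTED_MEMBERS = {"192.168.10.51", "192.168.10.52", "192.168.10.53"}


def parse_wsrep_status(text):
    """Return {variable: value} from mysql-client table output."""
    status = {}
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("| Variable_name"):
            continue  # skip +---+ separators and the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2:
            status[cells[0]] = cells[1]
    return status


def check_galera_node(status, expected_members):
    """Return a list of findings for one node; empty means it looks healthy."""
    findings = []
    size = int(status.get("wsrep_cluster_size", "0"))
    if size != len(expected_members):
        findings.append(f"cluster size {size}, expected {len(expected_members)}")
    if status.get("wsrep_cluster_status") != "Primary":
        findings.append("not in the Primary component")
    # Strip the :port suffix (IPv4 addresses, as used on this page).
    members = {a.rsplit(":", 1)[0] for a in status.get("wsrep_incoming_addresses", "").split(",") if a}
    missing = expected_members - members
    if missing:
        findings.append("missing members: " + ", ".join(sorted(missing)))
    state = status.get("wsrep_local_state_comment", "unknown")
    if state != "Synced":
        findings.append("state is " + state)
    if status.get("wsrep_ready") != "ON" or status.get("wsrep_connected") != "ON":
        findings.append("node not ready/connected")
    return findings


if __name__ == "__main__":
    for name, raw in (("node A", NODE_A_STATUS), ("node C", NODE_C_STATUS)):
        findings = check_galera_node(parse_wsrep_status(raw), EXPECTED_MEMBERS)
        print(name + ":", "healthy" if not findings else "; ".join(findings))
```

Collect the status from every node, not just one: a node that was wiped and restarted can report a smaller cluster or a Joining state while the others already show Synced, and a split-brain shows up as nodes disagreeing on wsrep_incoming_addresses rather than as an error on any single node.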
Re: [PacketFence-users] Clustering Guide Sanity Check
I've also discovered what appears to be an issue in haproxy-admin.conf:

https://pastebin.com/GpFQCtJD

This line is missing an argument, which is preventing haproxy-admin from starting:

http-request set-header Host

--
R. Christian McDonald
*Director of Technology*
Grand Rapids Adventist Academy
Re: [PacketFence-users] Clustering Guide Sanity Check
Here is my setup:

1. 3 x CentOS 7 (fully up-to-date) w/ SELinux *disabled* + firewalld *disabled* and *masked* + IPv6 *disabled* (via sysctl.conf and /etc/defaults/grub ipv6.disable=1). I also have net.ipv4.ip_nonlocal_bind = 1 in sysctl.conf. Xtrabackup is also installed. Each box is a VM on ESXi with only one vNIC (ens192...vmxnet3 based). This interface has all port group security OFF, which is a requirement for VRRP. My management VLAN is VLAN10, so my management interface is "ens192.10". I can dedicate a vNIC to management if necessary, I just like to keep my vNIC count to a minimum.
2. PacketFence is installed on all three VMs...named pf1.ad.mydomain.com, pf2.ad.mydomain.com, pf3.ad.mydomain.com. I use nmtui on all three nodes to set the hostname (pf1.ad.mydomain.com, etc.).
3. On the first node, pf1.ad.mydomain.com, I start packetfence-mariadb and secure the installation. I set the root password and then press Y for everything else.
4. I then log in to the mariadb console to create the pfcluster user for replication: 'mysql -u root -p' ... type in the password defined in step 3. I then create both users and grant process *as per the clustering guide*...replacing only the pfcluster password with a secure password of my choosing, flush privileges, and exit the mariadb console.
5. On all the nodes, I use the configurator to set the management VLAN/IP ens192.10 on all three nodes: 192.168.10.51-53; 192.168.10.50 is used as the cluster VRRP management IP.
6. On the first node only, I proceed through the configurator only to the screen that shows the database password, admin password, etc. I DO NOT press Start Packetfence.
7. I add a new line 'host=127.0.0.1' to '[database]' in pf.conf. I also add the [active_active] section with the galera username 'pfcluster' and the secure password I defined in step 4. In pfconfig.conf I replace host=localhost with host=127.0.0.1. Save both confs.
8. When I restart packetfence config and configreload hard, I get a ton of L2 cache errors...I'm guessing because the DB is unavailable? It would be really nice if the documentation was very clear on what errors are expected and what are not. This is really ambiguous as written.
9. Next I build my cluster.conf, which is pretty basic: ( https://pastebin.com/Xm2wYXJt )
10. Again, when I configreload hard, I get the same L2 cache errors that I'm assuming are DB related and expected.
11. On all nodes, I 'systemctl set-default packetfence-cluster'.
12. On the first node, stop packetfence-mariadb, generatemariadbconfig and bootstrap the first node with --force-new-cluster.
13. In a new SSH session, I attempt to service pf restart and I still get L2 cache errors indicating that something is wrong with the DB (?)

On Mon, Jul 6, 2020 at 9:11 PM Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hello Christian,
>
> in which step do you have an issue ?
>
> Regards
>
> Fabrice
>
> On 20-07-06 at 18:49, Christian McDonald via PacketFence-users wrote:
>
> Greetings,
>
> I've been pulling my hair out trying to get a 3-node PF Cluster running.
>
> Has anyone recently followed the clustering guide running the latest PF version?
>
> I'm usually pretty good at following instructions, but there is something very broken about the clustering guide.
>
> Anybody have any suggestions?
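The pf.conf, pfconfig.conf and sysctl edits in steps 1 and 7 are easy to get subtly wrong, and the L2 cache errors give no direct hint which one is off. As an added example (not PacketFence's own tooling and not from the thread), this Python pre-flight check reads those files and reports the settings the steps call for; the [active_active] key names galera_replication_username/galera_replication_password, the pfconfig.conf [mysql] section name and all sample file contents are assumptions.

```python
"""Pre-flight check for the cluster config edits from steps 1 and 7.

Added example, not PacketFence's own tooling. Assumed (not from the thread):
the [active_active] keys are galera_replication_username /
galera_replication_password, and pfconfig.conf keeps its DB host under [mysql].
All sample file contents below are constructed."""
import configparser

# Values that mean "the operator never set a real replication password".
PLACEHOLDER_PASSWORDS = {"", "pfcluster", "password", "changeme", "secret"}

REQUIRED_SYSCTL = {
    "net.ipv4.ip_nonlocal_bind": "1",        # keepalived must bind the VRRP IP it does not own yet
    "net.ipv6.conf.all.disable_ipv6": "1",   # step 1: IPv6 disabled
}


def _parse(text):
    # PacketFence .conf files are INI-like; interpolation off so '%' in values is harmless
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_pf_conf(text):
    """Step 7 edits to pf.conf; returns a list of findings (empty == looks right)."""
    cp = _parse(text)
    findings = []
    host = cp.get("database", "host", fallback=None)
    if host != "127.0.0.1":
        findings.append(f"[database] host should be 127.0.0.1, got {host!r}")
    if not cp.has_section("active_active"):
        findings.append("[active_active] section is missing")
        return findings
    user = cp.get("active_active", "galera_replication_username", fallback=None)
    pwd = cp.get("active_active", "galera_replication_password", fallback=None)
    if user != "pfcluster":
        findings.append(f"galera user should be the 'pfcluster' MariaDB user from step 4, got {user!r}")
    if pwd is None or pwd.lower() in PLACEHOLDER_PASSWORDS:
        findings.append("galera password is missing or a placeholder; it must equal the pfcluster password from step 4")
    return findings


def check_pfconfig_conf(text):
    """Step 7 edit to pfconfig.conf: host=localhost becomes host=127.0.0.1."""
    host = _parse(text).get("mysql", "host", fallback=None)
    return [] if host == "127.0.0.1" else [f"pfconfig.conf [mysql] host should be 127.0.0.1, got {host!r}"]


def check_sysctl(text):
    """Step 1 kernel settings from /etc/sysctl.conf (key = value lines, '#' comments)."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            seen[key] = value
    return [f"sysctl {k} should be {v}, got {seen.get(k)!r}"
            for k, v in REQUIRED_SYSCTL.items() if seen.get(k) != v]


# --- constructed samples: the state before step 7 and after it -------------
PF_CONF_BEFORE = """[general]
hostname=pf1
domain=ad.mydomain.com

[database]
pass=constructed-db-password
"""

PF_CONF_AFTER = PF_CONF_BEFORE + """host=127.0.0.1

[active_active]
galera_replication_username=pfcluster
galera_replication_password=constructed-S3cure-replication-pw
"""

PFCONFIG_BEFORE = "[mysql]\nhost=localhost\nport=3306\n"
PFCONFIG_AFTER = "[mysql]\nhost=127.0.0.1\nport=3306\n"

SYSCTL_OK = "# constructed sysctl.conf\nnet.ipv4.ip_nonlocal_bind = 1\nnet.ipv6.conf.all.disable_ipv6 = 1\n"


def run_all(pf_conf, pfconfig_conf, sysctl_conf):
    """Combined report; an empty list means all checked settings are in place."""
    return check_pf_conf(pf_conf) + check_pfconfig_conf(pfconfig_conf) + check_sysctl(sysctl_conf)


if __name__ == "__main__":
    for name, findings in (("before", run_all(PF_CONF_BEFORE, PFCONFIG_BEFORE, "")),
                           ("after", run_all(PF_CONF_AFTER, PFCONFIG_AFTER, SYSCTL_OK))):
        print(f"{name}: {findings or 'OK'}")
```

Run it against the real files with the same functions before bootstrapping the first node; a non-empty list is something to fix before chasing the L2 cache errors.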
[PacketFence-users] Clustering Guide Sanity Check
Greetings,

I've been pulling my hair out trying to get a 3-node PF Cluster running.

Has anyone recently followed the clustering guide running the latest PF version?

I'm usually pretty good at following instructions, but there is something very broken about the clustering guide.

Anybody have any suggestions?
[PacketFence-users] Issues with logging into admin portal via AD group membership
I've got a simple internal authentication source for logging into the admin portal via AD group membership. When I run ./pftest I get the following:

Authenticating against 'SYS_PacketFence_Admin' in context 'portal'
Authentication SUCCEEDED against SYS_PacketFence_Admin (Authentication successful.)
Did not match against SYS_PacketFence_Admin for 'authentication' rules
Matched against SYS_PacketFence_Admin for 'administration' rule SYS_PacketFence_Admin
set_access_level : ALL

However, when I try logging into the admin portal, I get "Wasn't able to authenticate those credentials." Any ideas?
Re: [PacketFence-users] Issues with logging into admin portal via AD group membership
So I guess I'm not understanding a fundamental concept in PacketFence... I ended up moving this new authentication source up to the highest priority and admin portal authentication started working.

So, I'm guessing authentication sources operate on a first-match basis? Meaning, that if I had an authentication source that matched the user but *didn't apply* an administration access level at say priority 1, any additional authentication sources scoped to the same Base DN with matches would be ignored?

On Mon, Feb 3, 2020 at 3:05 PM Christian McDonald wrote:
> I've got a simple internal authentication source for logging into the admin portal via AD group membership. When I run ./pftest I get the following:
>
> Authenticating against 'SYS_PacketFence_Admin' in context 'portal'
> Authentication SUCCEEDED against SYS_PacketFence_Admin (Authentication successful.)
> Did not match against SYS_PacketFence_Admin for 'authentication' rules
> Matched against SYS_PacketFence_Admin for 'administration' rule SYS_PacketFence_Admin
> set_access_level : ALL
>
> However, when I try logging into the admin portal, I get "Wasn't able to authenticate those credentials."
>
> Any ideas?
Re: [PacketFence-users] Upgrade guide for 9.3
https://github.com/inverse-inc/packetfence/blob/devel/UPGRADE.asciidoc

On Tue, Jan 14, 2020 at 9:10 AM Lierman, Andrew via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> When will the upgrade guide be updated to include 9.3 steps for upgrading? I see it goes up to 9.2 currently.
>
> Thanks,
[PacketFence-users] Computer LDAP Authentication Source Question
Greetings,

I have a simple authentication source for domain-joined Windows machines that uses the servicePrincipalName. This works great. I know that I can do single sign on via GPO, which will cause the machine to re-authenticate using the sAMAccountName after user logon...so, at the logon screen, the servicePrincipalName is used and once a user logs in the sAMAccountName is used.

However, I'd like to push users onto different VLANs based on whether they log in via a domain-joined machine versus a BYOD machine (i.e. non-domain joined). So the operational logic would be:

If machine is domain-joined and user is a memberOf yourFavoriteGroup then role TRUSTED
If machine is *not* domain-joined and user is a memberOf yourFavoriteGroup then role UNTRUSTED.

Any ideas?

Best,
Christian
[PacketFence-users] HA with 2 nodes + Galera arbitrator
Greetings,

Does PacketFence support 2 nodes plus a Galera arbitrator (as opposed to the usually recommended 3 node minimum)?
[PacketFence-users] Current Suricata Integration Workflow?
Greetings,

I have Suricata configured to forward logs via UDP to the PF management IP. It looks like UDP port 514 is already open on a vanilla PF install? I have added and enabled the Suricata Syslog Parser and created the fifo alert pipe. What else remains to be done in order to start building violations against Suricata events?
Re: [PacketFence-users] MSCHAPv2 Reject only on one access point?
Also, RADDEBUG won't stay running very long:

raddebug -f /usr/local/pf/var/run/radiusd.sock > /root/radius.debug

This command works and I get output written to radius.debug, but the debugger will stop running randomly, making it very difficult to isolate fault conditions.

On Wed, Feb 20, 2019 at 8:45 AM Christian McDonald wrote:
> Fabrice,
>
> I can't see anything immediately obvious from the logs. I should mention that I'm using a single user account in Active Directory that is shared on multiple Chromebooks. All the Chromebooks are configured identically. However, some connect just fine and others don't...chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid.
>
> Does Active Directory place limits on NTLM authentication? Some sort of rate-limiting?
>
> On Tue, Feb 19, 2019 at 8:52 PM Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>> Hello Christian,
>>
>> what you can do is to run radius in debug mode:
>>
>> raddebug -r /usr/local/pf/var/run/radiusd.sock > /root/radius.debug
>>
>> Then try the bogus AP and try with another one and check the debug and search for the line where freeradius calls ntlm_auth and see if the output is the same. (chrooted_mschap: Executing: /usr/bin/sudo /usr/sbin/chroot /chroots/...)
>>
>> Regards
>>
>> Fabrice
>>
>> On 19-02-19 at 11:46, Christian McDonald via PacketFence-users wrote:
>>
>> Greetings,
>>
>> I have one access point that keeps rejecting clients with:
>>
>> chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc06d)'
>>
>> However, the same client on a different AP with the same credentials works fine.
>>
>> All APs are members of the same "switch" group and have identical configuration both in PacketFence and my controller (UniFi)
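Fabrice's suggestion above is to compare the ntlm_auth result between the bad AP and a good one. The following Python triage script (an added example, not part of the thread or of PacketFence) groups raddebug output by request, tallies ntlm_auth outcomes per Called-Station-Id and reports an AP whose requests all fail while another AP succeeds for the same account; the debug line layout, the attribute names and every value in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in radiusd -X / raddebug style (assumed layout, made-up values).
# Request 0 and 2 hit one AP and fail in ntlm_auth; request 1 hits another AP and succeeds.
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 12 from 192.168.10.21:45212 to 192.168.10.5:1812 length 230
(0)   User-Name = "shared-chromebook@ad.example.com"
(0)   Called-Station-Id = "aa-bb-cc-11-22-33:Staff-WiFi"
(0)   NAS-IP-Address = 192.168.10.21
(0) chrooted_mschap: Executing: /usr/bin/sudo /usr/sbin/chroot /chroots/CORP /usr/bin/ntlm_auth [args elided]
(0) chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc06d)'
(0) Sent Access-Reject Id 12 from 192.168.10.5:1812 to 192.168.10.21:45212 length 44
(1) Received Access-Request Id 13 from 192.168.10.22:38001 to 192.168.10.5:1812 length 230
(1)   User-Name = "shared-chromebook@ad.example.com"
(1)   Called-Station-Id = "aa-bb-cc-44-55-66:Staff-WiFi"
(1)   NAS-IP-Address = 192.168.10.22
(1) chrooted_mschap: Executing: /usr/bin/sudo /usr/sbin/chroot /chroots/CORP /usr/bin/ntlm_auth [args elided]
(1) chrooted_mschap: Program returned code (0) and output 'NT_KEY: 00112233 [constructed]'
(1) Sent Access-Accept Id 13 from 192.168.10.5:1812 to 192.168.10.22:38001 length 180
(2) Received Access-Request Id 14 from 192.168.10.21:45213 to 192.168.10.5:1812 length 230
(2)   User-Name = "shared-chromebook@ad.example.com"
(2)   Called-Station-Id = "aa-bb-cc-11-22-33:Staff-WiFi"
(2)   NAS-IP-Address = 192.168.10.21
(2) chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc06d)'
(2) Sent Access-Reject Id 14 from 192.168.10.5:1812 to 192.168.10.21:45213 length 44
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")                      # "(N) ..." request-numbered line
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)\s*=\s*(.*)$")            # "  Attr = value"
MSCHAP_RE = re.compile(r"chrooted_mschap: Program returned code \((\d+)\) and output '(.*)'$")


def parse_raddebug(text):
    """Group raddebug lines by request number; keep attributes, ntlm_auth result and reply type."""
    requests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req = requests.setdefault(int(m.group(1)),
                                  {"attrs": {}, "mschap_code": None, "mschap_output": None, "reply": None})
        body = m.group(2)
        am = ATTR_RE.match(body)
        if am:
            req["attrs"][am.group(1)] = am.group(2).strip().strip('"')
            continue
        mm = MSCHAP_RE.search(body)
        if mm:
            req["mschap_code"], req["mschap_output"] = int(mm.group(1)), mm.group(2)
        elif body.startswith("Sent Access-"):
            req["reply"] = body.split()[1]          # Access-Accept / Access-Reject
    return requests


def summarize_by_ap(requests):
    """Tally outcomes per access point, keyed by the MAC half of Called-Station-Id."""
    summary = defaultdict(lambda: {"accepts": 0, "rejects": 0, "ntlm_failures": 0, "nt_status": set()})
    for req in requests.values():
        ap = req["attrs"].get("Called-Station-Id", "unknown").split(":")[0]
        s = summary[ap]
        if req["reply"] == "Access-Accept":
            s["accepts"] += 1
        elif req["reply"] == "Access-Reject":
            s["rejects"] += 1
        if req["mschap_code"] not in (None, 0):
            s["ntlm_failures"] += 1
            # the NT status at the end of the ntlm_auth message, e.g. (0xc06d), is what to compare between APs
            code = re.search(r"\((0x[0-9a-fA-F]+)\)\s*$", req["mschap_output"] or "")
            s["nt_status"].add(code.group(1) if code else "unparsed")
    return dict(summary)


def suspect_aps(summary):
    """APs where every request failed in ntlm_auth while some other AP got an Access-Accept."""
    if not any(s["accepts"] for s in summary.values()):
        return []   # nothing succeeded anywhere: not an AP-specific problem
    return sorted(ap for ap, s in summary.items() if s["ntlm_failures"] and not s["accepts"])


if __name__ == "__main__":
    summary = summarize_by_ap(parse_raddebug(SAMPLE_DEBUG))
    for ap, s in summary.items():
        print(ap, s)
    print("suspect APs:", suspect_aps(summary))
```

Feed it the /root/radius.debug capture instead of SAMPLE_DEBUG; when the same account and the same NT status fail on exactly one AP, the problem is with that AP's traffic, not with the account.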
Re: [PacketFence-users] MSCHAPv2 Reject only on one access point?
Fabrice,

I can't see anything immediately obvious from the logs. I should mention that I'm using a single user account in Active Directory that is shared on multiple Chromebooks. All the Chromebooks are configured identically. However, some connect just fine and others don't...chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid.

Does Active Directory place limits on NTLM authentication? Some sort of rate-limiting?

On Tue, Feb 19, 2019 at 8:52 PM Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hello Christian,
>
> what you can do is to run radius in debug mode:
>
> raddebug -r /usr/local/pf/var/run/radiusd.sock > /root/radius.debug
>
> Then try the bogus AP and try with another one and check the debug and search for the line where freeradius calls ntlm_auth and see if the output is the same. (chrooted_mschap: Executing: /usr/bin/sudo /usr/sbin/chroot /chroots/...)
>
> Regards
>
> Fabrice
>
> On 19-02-19 at 11:46, Christian McDonald via PacketFence-users wrote:
>
> Greetings,
>
> I have one access point that keeps rejecting clients with:
>
> chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc06d)'
>
> However, the same client on a different AP with the same credentials works fine.
>
> All APs are members of the same "switch" group and have identical configuration both in PacketFence and my controller (UniFi)
[PacketFence-users] Issues with Multiple SSIDs and Multiple Connection Profiles
Greetings,

I want to make sure that registrations performed on one SSID aren't allowed on another SSID. For example, I have an 802.1X WPA2-Enterprise SSID for staff and students to use with their username and password (Active Directory). I also have an open guest network that uses dynamic VLAN assignment to initially drop users onto the registration VLAN and then move them over to the production guest VLAN.

I want to make sure that if a registered user decides to move from the WPA2-Enterprise SSID to the Guest SSID, that their role (and VLAN) doesn't follow them onto the other SSID.
[PacketFence-users] MSCHAPv2 Reject only on one access point?
Greetings,

I have one access point that keeps rejecting clients with:

chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc06d)'

However, the same client on a different AP with the same credentials works fine.

All APs are members of the same "switch" group and have identical configuration both in PacketFence and my controller (UniFi)
Re: [PacketFence-users] Unable to detect network connectivity
Do your WLAN controller and APs support RADIUS CoA or Disconnect packets? Have you tried manually disconnecting and reconnecting to the WiFi network to see if connectivity is available?

On Mon, Feb 18, 2019 at 9:59 AM Ismail Yushaw via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hi all,
> I am running Packetfence Zen and am having the following problems.
>
> I have successfully presented users with a captive portal on a VLAN enforcement and the users are able to log in with successful registration. But the client is presented with "Unable to detect network connectivity. Try to restarting your web browser or opening a new tab to see if your access has been successfully enabled."
>
> Below is the output of my ipset
>
> [root@pf bin]# ipset -L
> Name: parking
> Type: hash:ip
> Revision: 1
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16528
> References: 2
> Members:
>
> Name: pfsession_passthrough
> Type: hash:ip,port
> Revision: 2
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16528
> References: 2
> Members:
>
> Name: pfsession_isol_passthrough
> Type: hash:ip,port
> Revision: 2
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16528
> References: 2
> Members:
>
> and below is the networks.conf
>
> [root@pf bin]# cat ../conf/networks.conf
> [192.168.2.0]
> dns=192.168.2.1
> split_network=disabled
> dhcp_start=192.168.2.10
> gateway=192.168.2.1
> domain-name=vlan-registration.nita.htb
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=192.168.2.246
> type=vlan-registration
> netmask=255.255.255.0
> dhcp_default_lease_time=30
>
> [192.168.3.0]
> dns=192.168.3.1
> split_network=disabled
> dhcp_start=192.168.3.10
> gateway=192.168.3.1
> domain-name=vlan-isolation.nita.htb
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=192.168.3.246
> type=vlan-isolation
> netmask=255.255.255.0
> dhcp_default_lease_time=30
>
> [10.1.0.0]
> dns=10.240.1.20
> split_network=disabled
> dhcp_start=10.1.0.10
> gateway=10.1.2.211
> domain-name=inlinel2.nita.htb
> nat_enabled=enabled
> named=enabled
> dhcp_max_lease_time=86400
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=10.1.3.246
> type=inlinel2
> netmask=255.255.252.0
> dhcp_default_lease_time=86400
>
> Mind you that I have enabled ip4 forwarding
Re: [PacketFence-users] Users Being Authenticated without using AD
Try restarting all the services. There are tons of settings and features riddled throughout PacketFence that require resetting services (or even the whole operating system) to get working correctly...I've had similar frustrations.

On Wed, Feb 13, 2019 at 9:13 PM William Blake MacIsaac via PacketFence-users wrote:
> I'm hoping someone can help me. I'm trying to set up 802.1x-Wireless to allow users to connect to a SSID utilizing domain credentials. The problem is, when users connect and enter their username and password, they are not being tested against the Authentication sources I have set up, they are just being allowed to connect, regardless of whether they are part of the group or not. I can even delete the whole authentication source and they are still being authenticated.. what the hell? :(, please help
>
> :19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] handling radius autz request: from switch_ip => (10.100.2.254), connection_type => Wireless-802.11-EAP,switch_mac => (00:15:5d:01:3d:00), mac => [8c:f5:a3:a2:d4:18], port => 12290, username => "bmacisaaca", ssid => YC-IT (pf::radius::authorize)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate profile 802.1X-Profile (pf::Connection::ProfileFactory::_from_profile)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Found authentication source(s) : 'local,8021X-Wireless' for realm 'null' (pf::config::util::filter_authentication_sources)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Using sources local, 8021X-Wireless for matching (pf::authentication::match2)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] LDAP testing connection (pf::LDAP::expire_if)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Username was defined "bmacisaaca" - returning role 'YC-IT-WIFI' (pf::role::getRegisteredRole)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] PID: "bmacisaaca", Status: reg Returned VLAN: (undefined), Role: YC-IT-WIFI (pf::role::fetchRoleForNode)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] No parameter YC-IT-WIFIVlan found in conf/switches.conf for the switch 10.100.2.254 (pf::Switch::getVlanByName)
> Feb 13 14:19:39 PacketFence pfqueue: pfqueue(33849) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] violation 133 force-closed for 8c:f5:a3:a2:d4:18 (pf::violation::violation_force_close)
> Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate profile 802.1X-Profile (pf::Connection::ProfileFactory::_from_profile)
> Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] handling radius autz request: from switch_ip => (10.100.2.254), connection_type => Wireless-802.11-EAP,switch_mac => (00:15:5d:01:3d:00), mac => [8c:f5:a3:a2:d4:18], port => 12290, username => "bmacisaaca", ssid => YC-IT (pf::radius::authorize)
> Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate profile 802.1X-Profile (pf::Connection::ProfileFactory::_from_profile)
> Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Found authentication source(s) : 'local' for realm 'null' (pf::config::util::filter_authentication_sources)
> Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
> Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Using sources local for matching (pf::authentication::match2)
> Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Username was defined
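In the log quoted above the decisive lines are "Role has already been computed ... Getting role from node_info" next to a "Found authentication source(s)" list that shrinks from 'local,8021X-Wireless' to 'local' after the source was deleted, while the same role is still returned. As an added example (not PacketFence code and not from the thread), this Python parser reconstructs each authorization session from packetfence.log lines in that layout and flags sessions whose role came from the cached node_info instead of a source match; the sample lines, MACs and usernames are constructed.

```python
import re

# Constructed sample in the packetfence.log layout quoted above (values are made up).
# Sessions 1 and 2: same registered node, the second one after a source was removed.
# Session 3: an unregistered node, where the sources are actually used for matching.
SAMPLE_LOG = """\
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.100.2.254), connection_type => Wireless-802.11-EAP,switch_mac => (00:15:5d:01:3d:00), mac => [00:11:22:33:44:55], port => 12290, username => "jdoe", ssid => YC-IT (pf::radius::authorize)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] Found authentication source(s) : 'local,8021X-Wireless' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] PID: "jdoe", Status: reg Returned VLAN: (undefined), Role: YC-IT-WIFI (pf::role::fetchRoleForNode)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.100.2.254), connection_type => Wireless-802.11-EAP,switch_mac => (00:15:5d:01:3d:00), mac => [00:11:22:33:44:55], port => 12290, username => "jdoe", ssid => YC-IT (pf::radius::authorize)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] Found authentication source(s) : 'local' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] PID: "jdoe", Status: reg Returned VLAN: (undefined), Role: YC-IT-WIFI (pf::role::fetchRoleForNode)
Feb 13 14:25:02 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:66:77:88:99:aa:bb] handling radius autz request: from switch_ip => (10.100.2.254), connection_type => Wireless-802.11-EAP,switch_mac => (00:15:5d:01:3d:00), mac => [66:77:88:99:aa:bb], port => 12290, username => "asmith", ssid => YC-IT (pf::radius::authorize)
Feb 13 14:25:02 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:66:77:88:99:aa:bb] Found authentication source(s) : 'local,8021X-Wireless' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 13 14:25:02 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:66:77:88:99:aa:bb] Using sources local, 8021X-Wireless for matching (pf::authentication::match2)
Feb 13 14:25:02 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:66:77:88:99:aa:bb] PID: "asmith", Status: unreg Returned VLAN: (undefined), Role: registration (pf::role::fetchRoleForNode)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<proc>[\w.]+): \S+ (?P<level>\w+): "
    r"\[mac:(?P<mac>[0-9a-f:]{17}|unknown)\] (?P<msg>.*)$")


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_authz_sessions(text):
    """One record per 'handling radius autz request', filled from later lines tagged with the same MAC."""
    sessions, open_by_mac = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mac, msg = m.group("mac"), m.group("msg")
        if msg.startswith("handling radius autz request"):
            sess = {"ts": m.group("ts"), "mac": mac,
                    "username": _grab(r'username => "([^"]*)"', msg),
                    "ssid": _grab(r"ssid => (\S+) \(", msg),
                    "sources": [], "role_from_cache": False, "status": None, "role": None}
            sessions.append(sess)
            open_by_mac[mac] = sess          # interleaved sessions of other MACs stay separate
            continue
        sess = open_by_mac.get(mac)
        if sess is None:
            continue
        if msg.startswith("Found authentication source(s)"):
            sess["sources"] = [s for s in (_grab(r"'([^']*)'", msg) or "").split(",") if s]
        elif msg.startswith("Role has already been computed"):
            sess["role_from_cache"] = True   # pf::role::getRegisteredRole reused node_info
        elif msg.startswith("PID:"):
            sess["status"] = _grab(r"Status: (\w+)", msg)
            sess["role"] = _grab(r"Role: (\S+)", msg)
    return sessions


def cached_role_sessions(sessions):
    """Sessions whose role was served from node_info: the listed sources were not re-matched,
    so removing or tightening a source does not change the outcome for that node."""
    return [s for s in sessions if s["role_from_cache"]]


def report(sessions):
    return [f"{s['ts']} {s['mac']} user={s['username']} sources={','.join(s['sources']) or '-'} "
            f"role={s['role']} ({'cached from node_info' if s['role_from_cache'] else 'from source match'})"
            for s in sessions]


if __name__ == "__main__":
    for line in report(parse_authz_sessions(SAMPLE_LOG)):
        print(line)
```

Run over the real packetfence.log for the MAC in question; a node that keeps showing "cached from node_info" has to be unregistered (or its role reset) before changes to the authentication sources take effect for it.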
Re: [PacketFence-users] Can't link PacketFence with AD Server.
Have you tried the full distinguished name of the bind user?

On Fri, Feb 1, 2019 at 2:56 PM Adrian Dessaigne via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Anyone ?
>
> I have tried on many different machines and distributions, with different Windows Server versions and I still have this problem. Anyone ?
>
> - Original Message -
> From: "packetfence-users"
> To: "packetfence-users"
> Cc: "ADE"
> Sent: Friday 28 December 2018 12:51:08
> Subject: [PacketFence-users] Can't link PacketFence with AD Server.
>
> Hello everyone,
>
> I'm a student in IT and I have a study contract. I'm working on a sketch with PacketFence to set up 802.1X.
>
> I'm using an ESXi 6.7 with two VMs:
> -CentOS 7 with the latest version of PacketFence.
> -Windows Server 2012 with AD.
>
> I use the network 192.168.1.0/24
> PacketFence IP: 192.168.1.202
> Windows AD IP: 192.168.1.203
> Domain: novasyspf.coop
>
> I have followed all the instructions in the Installation Guide:
> -Unique virtual network card
> -Disabled Firewall
> -Disabled SELinux
> -yum update.
> -Explicitly instruct NetworkManager to never interact with my DNS configuration: dns=none in 99-no-dns.conf file
>
> Then adding the PF repository and installing it.
>
> During the configurator, I chose the following options:
> -Step 1: Radius Only
> -Step 2: Network, Interface set as Management with the IP 192.168.1.202 and Gateway 192.168.1.1
> -Step 4: Domain: "novasyspf.coop" | Hostname "radiuspf" | DHCP Server "192.168.1.203"
> -Step 6: No fingerbank
>
> Launching PF went well. Once on the admin page, I go to Configuration->Policies and Access Control->Domains->Active Directory Domains.
>
> Here are the parameters I chose for adding the new domain:
>
> ID: DomaineAD
> Workgroup: novasyspf
> DNS name of the domain: novasyspf.coop
> This server name: radiuspf
> AD Server: 192.168.1.203
> DNS Server 192.168.1.203
> Username: administra...@novasys.coop (I tried with just "Administrator")
> Password: secret
>
> Then I click on save and join. After a few moments I get this error:
> "Error ! An error occurred while connecting with the server. Please try again later"
>
> By following the troubleshooting guide, I have this in /chroots/DomaineAD/var/log/sambaDomaineAD/log.winbindd:
> [2018/12/28 11:14:38.799687, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
> [2018/12/28 11:14:38.804681, 0] ../source3/winbindd/winbindd_util.c:1264(init_domain_list)
>   Could not fetch our SID - did we join?
> [2018/12/28 11:14:38.804724, 0] ../source3/winbindd/winbindd.c:1360(winbindd_register_handlers)
>   unable to initialize domain list
>
> The command "chroot /chroots/DomaineAD/ wbinfo -u" returns me this:
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
>
> The command chroot /chroots/DomaineAD/ ntlm_auth --username=Administrateur returns me this:
> could not obtain winbind separator!
> Reading winbind reply failed! (0x01)
> : (0x0)
>
> Samba and Winbind services are both Active and running.
>
> By doing "net ads lookup -S 192.168.1.203" I get all the AD information:
>
> Information for Domain Controller: 192.168.1.203
>
> Response Type: LOGON_SAM_LOGON_RESPONSE_EX
> GUID: fc62aa13-7384-4707-99b9-ba7d1008113e
> Flags:
> Is a PDC: yes
> Is a GC of the forest: yes
> Is an LDAP server: yes
> Supports DS: yes
> Is running a KDC: yes
> Is running time services: yes
> Is the closest DC: yes
> Is writable: yes
> Has a hardware clock: yes
> Is a non-domain NC serviced by LDAP server: no
> Is NT6 DC that has some secrets: no
> Is NT6 DC that has all secrets: yes
> Runs Active Directory Web Services: yes
> Runs on Windows 2012 or later: yes
> Forest: novasyspf.coop
> Domain: novasyspf.coop
> Domain Controller: WIN-AD.novasyspf.coop
> Pre-Win2k Domain: NOVASYSPF
> Pre-Win2k Hostname: WIN-AD
> Server Site Name : Default-First-Site-Name
> Client Site Name : Default-First-Site-Name
> NT Version: 5
> LMNT Token:
> LM20 Token:
>
> same with "net ads info -s /etc/samba/DomaineAD.conf"
> LDAP server: 192.168.1.203
> LDAP server name: WIN-AD.novasyspf.coop
> Realm: NOVASYSPF.COOP
> Bind Path: dc=NOVASYSPF,dc=COOP
> LDAP port: 389
> Server time: ven ., 28 déc. 2018 11:59:55 CET
> KDC server: 192.168.1.203
> Server time offset: -22
> Last machine account password change: jeu ., 01 janv. 1970 01:00:00 CET
>
> The /etc/hosts file has this:
> 127.0.0.1 localhost localhost.localdomain
> 127.0.0.1 radiuspf radiuspf.novasyspf.coop
> 192.168.1.203 WIN-AD WIN-AD.novasyspf.coop
> 192.168.1.202 radiuspf radiuspf.novasyspf.coop
>
> The /etc/resolv.conf file has this:
> nameserver 192.168.1.203
> nameserver
Re: [PacketFence-users] User attributes not populating from AD
Correction. Apparently this isn't the root cause. Would really like to figure out why some users get their name and email populated from AD and others don't.

On Fri, Jan 25, 2019 at 1:51 PM Christian McDonald wrote:
> I think I can reliably reproduce this.
>
> It seems that these other user attributes are only populated when a user actually registers a device. The user simply logging into the /status page creates the user account entry but doesn't populate the fields from AD.
>
> On Fri, Jan 25, 2019 at 1:43 PM Murilo Calegari <murilo.calegari.so...@gmail.com> wrote:
>> These issues are often in my environment too, but it does not happen on all users...
>>
>> On Fri, 25 Jan 2019 16:23, Christian McDonald via PacketFence-users wrote:
>>> Hello,
>>>
>>> I have a fresh install of PF 8.3 on CentOS7. All I have done is bind to my AD domain and created an internal AD authentication source. I can log in to the /status page on the portal and user accounts are created in PacketFence. However, none of the attributes from AD are populating. I am only seeing the username populated. Any reason why these users aren't being created using their first name, last name, etc.?
[PacketFence-users] Consistent username format UPN vs Realm\Domain
Greetings,

I have an Active Directory domain and would like to allow the re-use of Windows credentials when logging in. I have pushed a WiFi profile GPO out to my laptops and this is working fine. However, this login mechanism uses REALM\Username format. I would prefer my users use their UPN (in my environment, UPN = email address). This is creating two "user" entries in PacketFence...one in the REALM\Username format and another in the UPN format. How can I configure my realms and authentication sources to treat either as the same user?

Best regards,
Re: [PacketFence-users] User attributes not populating from AD
I think I can reliably reproduce this.

It seems that these other user attributes are only populated when a user actually registers a device. The user simply logging into the /status page creates the user account entry but doesn't populate the fields from AD.

On Fri, Jan 25, 2019 at 1:43 PM Murilo Calegari <murilo.calegari.so...@gmail.com> wrote:
> These issues are often in my environment too, but it does not happen on all users...
>
> On Fri, 25 Jan 2019 16:23, Christian McDonald via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>> Hello,
>>
>> I have a fresh install of PF 8.3 on CentOS7. All I have done is bind to my AD domain and created an internal AD authentication source. I can log in to the /status page on the portal and user accounts are created in PacketFence. However, none of the attributes from AD are populating. I am only seeing the username populated. Any reason why these users aren't being created using their first name, last name, etc.?
[PacketFence-users] User attributes not populating from AD
Hello,

I have a fresh install of PF 8.3 on CentOS7. All I have done is bind to my AD domain and created an internal AD authentication source. I can login to the /status page on the portal and user accounts are created in PacketFence. However, none of the attributes from AD are populating. I am only seeing the username populated. Any reason why these users aren't being created using their first name, last name, etc.?

--
R. Christian McDonald
M: (616) 856-9291
E: rcmcdonal...@gmail.com
Re: [PacketFence-users] Customizing the FQDN of Captive Portal?
You can define additional FQDNs somewhere in the GUI. I believe when behind PacketFence DNS, these are automatically resolved to the PF server IP address. However, on your production network, you will need to configure A records on your own DNS servers.

I'm specifically asking for a way to define the FQDN that users are automatically redirected to. This seems to be hard-coded to be the FQDN of the PF host itself.

On Thu, Jan 24, 2019 at 8:47 AM Murilo Calegari <murilo.calegari.so...@gmail.com> wrote:
> I've got the same question! Is it possible to define multiple portal FQDNs
> which PacketFence listens to?
>
> On Thu, 24 Jan 2019 at 10:34, Christian McDonald via PacketFence-users wrote:
>
>> Greetings,
>>
>> The default FQDN of the captive portal that appears in users' browsers is
>> simply the FQDN of the PacketFence server. Is there a way to change this?
>> For example, let's say the FQDN of my PF server is
>> "nac01.corp.example.com". How can I instead direct users to a more
>> friendly name "registration.corp.example.com"?
>>
>> Thanks,
>>
>> --
>> R. Christian McDonald
>> E: rcmcdonal...@gmail.com

--
R. Christian McDonald
M: (616) 856-9291
E: rcmcdonal...@gmail.com
[PacketFence-users] Customizing the FQDN of Captive Portal?
Greetings,

The default FQDN of the captive portal that appears in users' browsers is simply the FQDN of the PacketFence server. Is there a way to change this? For example, let's say the FQDN of my PF server is "nac01.corp.example.com". How can I instead direct users to a more friendly name "registration.corp.example.com"?

Thanks,

--
R. Christian McDonald
E: rcmcdonal...@gmail.com
[PacketFence-users] Issues with Ubiquiti UniFi Dynamic VLAN on Open Network
Greetings,

As of UniFi Controller 5.9 (I believe), UniFi APs now support dynamic VLANs on open networks! I am testing this now and I've gotten it mostly working. The only thing I can't seem to get working is the automatic jump from the registration VLAN to the authenticated guest VLAN. If I manually disconnect and reconnect to the WiFi network, the client will correctly connect to the authenticated guest VLAN. How can we make this VLAN hop automatic?

Thanks,

Christian McDonald
[PacketFence-users] Unable to login to FingerBank using GitHub
This has been an ongoing issue for weeks now. I have contacted Inverse and have not heard back. Any suggestions?

I get an error message:

The change you wanted was rejected. Maybe you tried to change something you didn't have access to. If you are the application owner check the logs for more information.

--
R. Christian McDonald
M: (616) 856-9291
E: rcmcdonal...@gmail.com