Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

2024-06-12 Thread Diego Garcia del Rio via PacketFence-users
Hi Giovanni

Indeed. If you're using it for guest access then what you describe is
really the only viable option, or just bypass the authentication
altogether. Are you using the Google sign-in just to collect the email
addresses for guests? You could alternatively use the email login,
where the user enters (manually) an email address.

On android devices the google login is sometimes an issue as the main
account gets selected automatically and might not be the one that the
user wants to use.

On my sites I stopped using Google as an authentication source (via
OAuth) due to these issues and the hassle created for end users.


On Wed, Jun 12, 2024 at 3:24 PM Giovanni Trapasso
 wrote:
>
> Hi Diego,
>
> Thanks for your reply.
>
> We are using this for our Guest SSID, we don't want our internal Google users 
> to use it.  Have not experienced any issues with Android clients.
>
> For anyone else who might be experiencing this blocking issue from Google we 
> wrote up a workaround for people using iPhone and Google.
>
> 1. Connect to Guest Wi-Fi Network: Go to your device's Wi-Fi settings and
> connect to the Guest network.
> 2. Choose Google as Authenticator Provider: When prompted for
> authentication, select "Google" as your authenticator provider.
> 3. Agree to Terms: Accept the terms and conditions presented on the screen.
> 4. Bypass Access Block Page: If you encounter an access block page, simply
> tap "Cancel" to proceed.
> 5. Opt for Offline Use: Select the option to use the internet "Without
> Internet" or "Offline Mode" if prompted.
> 6. Open Safari and Enter URL: Launch Safari web browser and type in the
> URL "captive.apple.com" in the address bar.
> 7. Sign in with Google Account: Follow the on-screen prompts to
> authenticate using your Google account credentials.
>
> On Wed, Jun 12, 2024 at 12:08 PM Diego Garcia del Rio  
> wrote:
>>
>> The only way to get proper Google authentication is using the LDAP
>> integration and your own Google Workspace domain (assuming you want to
>> authenticate users from the ualberta.ca domain). It won't work for
>> generic gmail.com users though.
>>
>> To do this, you need to enable Secure LDAP in the Google Workspace admin.
>>
>> Android users are also similarly affected, though in some cases, the
>> OS launches the full browser instead of the captive portal limited
>> browser.
>>
>>
>> On Wed, Jun 12, 2024 at 10:25 AM Giovanni Trapasso via
>> PacketFence-users  wrote:
>> >
>> > Hi Everyone,
>> >
>> > I just deployed a PacketFence captive portal for my guest wireless with
>> > Google as one of my Authentication Sources.  I have started receiving
>> > complaints when Apple iPhone users are trying to use the Google option to
>> > authenticate on my captive portal.  They press the Google button, they get
>> > the acceptable use page but right after they press the accept button they
>> > get an error from accounts.google.com.  The error is similar to this:
>> >
>> > "
>> > Access Blocked: Google appsheet's request does not comply with 
>> > Google's Policies
>> >
>> >  request does not comply with Google's 'Use secure browsers' 
>> > policy. if this app has a website, you can open a web browser and try 
>> > signing in from there. if you are attempting to access a wireless network, 
>> > Please follow these instructions.
>> >
>> > You can also contact the developer to let them know that their app must 
>> > comply with Google's 'Use secure browser' policy.
>> >
>> > Learn more about the error
>> >
>> > If you are developer of . See error details.
>> >
>> > Error: 403: disallowed_useragent
>> > "
>> >
>> > Of course this is due to a security policy Google is enforcing.  My 
>> > captive portal is working fine with all types of other devices, even the 
>> > Apple iPad, but Apple iPhones are seeing this issue.
>> >
>> > I am curious how many others are experiencing this issue and what they are
>> > doing about this?  I have 2 other authentication sources for my guest
>> > users to choose from, so it might not be a big deal.
>> > --
>> >
>> >
>> > ___
>> > PacketFence-users mailing list
>> > PacketFence-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> ___
> Giovanni Trapasso
> Digital Networks and Data Center Services
> Information Services & Technology (IST)
> 269 General Services Building
> University of Alberta
> Edmonton, Alberta, Canada
> T6G 2E5
>
> Phone: (780) 492-4696
>
> To open a Technical Service call with IST go to:
> https://ist.ualberta.ca/
>
> ** This communication is intended for the use of the recipient to whom it is 
> addressed, and may contain confidential, personal, and/or privileged 
> information. Please contact me immediately if you are not the intended 
> recipient of this communication, and do not copy, distribute, or take action 
> relying on it. Any 

Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

2024-06-12 Thread Diego Garcia del Rio via PacketFence-users
The only way to get proper Google authentication is using the LDAP
integration and your own Google Workspace domain (assuming you want to
authenticate users from the ualberta.ca domain). It won't work for
generic gmail.com users though.

To do this, you need to enable Secure LDAP in the Google Workspace admin.

Android users are also similarly affected, though in some cases, the
OS launches the full browser instead of the captive portal limited
browser.


On Wed, Jun 12, 2024 at 10:25 AM Giovanni Trapasso via
PacketFence-users  wrote:
>
> Hi Everyone,
>
> I just deployed a PacketFence captive portal for my guest wireless with
> Google as one of my Authentication Sources.  I have started receiving
> complaints when Apple iPhone users are trying to use the Google option to
> authenticate on my captive portal.  They press the Google button, they get
> the acceptable use page but right after they press the accept button they get
> an error from accounts.google.com.  The error is similar to this:
>
> "
> Access Blocked: Google appsheet's request does not comply with 
> Google's Policies
>
>  request does not comply with Google's 'Use secure browsers' 
> policy. if this app has a website, you can open a web browser and try signing 
> in from there. if you are attempting to access a wireless network, Please 
> follow these instructions.
>
> You can also contact the developer to let them know that their app must 
> comply with Google's 'Use secure browser' policy.
>
> Learn more about the error
>
> If you are developer of . See error details.
>
> Error: 403: disallowed_useragent
> "
>
> Of course this is due to a security policy Google is enforcing.  My captive 
> portal is working fine with all types of other devices, even the Apple iPad, 
> but Apple iPhones are seeing this issue.
>
> I am curious how many others are experiencing this issue and what they are
> doing about this?  I have 2 other authentication sources for my guest users
> to choose from, so it might not be a big deal.
> --
>
>




Re: [PacketFence-users] PF 13.1 Registration Captive Portal connection timed out

2024-05-13 Thread Diego Garcia del Rio via PacketFence-users
So, after troubleshooting a bit more: somehow pfdns is not
responding with the 66.x IP for the FQDN of the portal. If you ask
pfdns for google.com or any other name (while captive) it will reply with
the 66.x IP, but for the FQDN of the portal itself, it fails.

See here for more details: https://github.com/inverse-inc/packetfence/issues/8043

In particular this comment:
https://github.com/inverse-inc/packetfence/issues/5765#issuecomment-681194433
where you create a hosts.pf file and point to it via pfdns.

On Tue, May 7, 2024 at 3:10 PM Diego Garcia del Rio  wrote:
>
> I was having similar issues on a fresh install of PacketFence 13.1 on
> Rocky Linux using the RPMs.
>
> I had trouble creating the isolation and registration sub-interfaces
> (VLANs), with the config not sticking in the configurator. As such,
> the haproxy-portal config did not have the correct interface
> settings / the redirect.lua script seems to have been missing options.
> I'm still troubleshooting, but it's very weird.
>
> On Tue, May 7, 2024 at 11:50 AM Nate Tremmel via PacketFence-users
>  wrote:
> >
> > I'm running PacketFence 13.1 from ISO and have a registration VLAN.  I am
> > using Meraki APs with RADIUS role by VLAN.  My test computer joins the
> > network, gets a registration VLAN IP from the PacketFence server, and it
> > tries to open the FQDN of the PacketFence server and gets a connection timed
> > out error.  On the computer, the FQDN is resolving to 66.70.255.147 which
> > seems to be what is supposed to happen in the admin settings and I can ping
> > that IP. I have allowed access to the management IP through the firewall
> > for HTTPS from the registration VLAN.
> >
> > Any advice would be welcome.


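Diego's finding above is that pfdns hands the 66.x address back for google.com but not for the portal's own FQDN. The script below is an added example for this page, not pfdns or PacketFence code: a stdlib-only probe that sends the two A queries a jailed client would send and compares the answers, plus a builder for the resolver's side of the exchange so the parser can be exercised offline. The resolver address, portal name and probe name in the main block are placeholders to replace with your registration-network resolver and portal FQDN.

```python
"""Added example: compare what a captive resolver returns for the portal FQDN
versus an unrelated probe name. Not PacketFence/pfdns code; names and the
resolver address below are placeholders."""
import random
import socket
import struct


def encode_name(name):
    """Encode a DNS name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Client side: RFC 1035 header (RD set) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name, ips, txid, rcode=0, ttl=60):
    """Resolver side; used here to construct offline test data."""
    flags = 0x8180 | (rcode & 0x0F)  # QR=1, RD=1, RA=1, RCODE in low nibble
    header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(data, expected_txid=None):
    """Return (rcode, [IPv4 strings]) from a raw DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("DNS transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips


def query_a(name, server, port=53, timeout=2.0):
    """Send one UDP query and parse the reply (needs network access)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, expected_txid=txid)


def diagnose(probe_result, portal_result):
    """Classify the pair of (rcode, ips) answers a jailed client sees."""
    probe_rcode, probe_ips = probe_result
    portal_rcode, portal_ips = portal_result
    if probe_rcode != 0 or not probe_ips:
        return "probe-unresolved"    # resolver is not redirecting arbitrary names
    if portal_rcode != 0 or not portal_ips:
        return "portal-unresolved"   # the failure mode described in the thread
    if set(probe_ips) != set(portal_ips):
        return "mismatch"            # portal FQDN points somewhere else
    return "ok"


if __name__ == "__main__":
    # Placeholders: the registration-network resolver and your portal FQDN.
    resolver = "192.0.2.1"
    portal_fqdn = "portal.example.org"
    probe = query_a("google.com", resolver)
    portal = query_a(portal_fqdn, resolver)
    print(probe, portal, diagnose(probe, portal))
```

Run it from a client sitting in the registration VLAN; a "portal-unresolved" verdict with an "ok" probe is exactly the symptom above, and the hosts.pf workaround linked in the message should turn it into "ok".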


Re: [PacketFence-users] PF 13.1 Registration Captive Portal connection timed out

2024-05-13 Thread Diego Garcia del Rio via PacketFence-users
Can you check which IP is being returned once you're outside the
registration network? (I'm assuming you're using DNS / FQDN to access
the portal after login.)

From what I understand you're using inline enforcement, is that correct?


On Mon, May 13, 2024 at 12:36 PM Nate Tremmel  wrote:
>
> This doesn’t sound like the issue I have, seeing as the preregistration 
> doesn’t work outside of the registration network (NAT to Public IP).  I sign 
> in with username and password and then the portal times out on the public IP.
>
> > On May 13, 2024, at 10:07 AM, Diego Garcia del Rio  
> > wrote:
> >
> > So, after troubleshooting a bit more: somehow pfdns is not
> > responding with the 66.x IP for the FQDN of the portal. If you ask
> > pfdns for google.com or any other name (while captive) it will reply with
> > the 66.x IP, but for the FQDN of the portal itself, it fails.
> >
> > See here for more details:
> > https://github.com/inverse-inc/packetfence/issues/8043
> >
> > In particular this comment:
> > https://github.com/inverse-inc/packetfence/issues/5765#issuecomment-681194433
> > where you create a hosts.pf file and point to it via pfdns.
> >
> > On Tue, May 7, 2024 at 3:10 PM Diego Garcia del Rio  
> > wrote:
> >>
> >> I was having similar issues on a fresh install of PacketFence 13.1 on
> >> Rocky Linux using the RPMs.
> >>
> >> I had trouble creating the isolation and registration sub-interfaces
> >> (VLANs), with the config not sticking in the configurator. As such,
> >> the haproxy-portal config did not have the correct interface
> >> settings / the redirect.lua script seems to have been missing options.
> >> I'm still troubleshooting, but it's very weird.
> >>
> >> On Tue, May 7, 2024 at 11:50 AM Nate Tremmel via PacketFence-users
> >>  wrote:
> >>>
> >>> I'm running PacketFence 13.1 from ISO and have a registration VLAN.  I am
> >>> using Meraki APs with RADIUS role by VLAN.  My test computer joins the
> >>> network, gets a registration VLAN IP from the PacketFence server, and it
> >>> tries to open the FQDN of the PacketFence server and gets a connection
> >>> timed out error.  On the computer, the FQDN is resolving to 66.70.255.147
> >>> which seems to be what is supposed to happen in the admin settings and I
> >>> can ping that IP. I have allowed access to the management IP through the
> >>> firewall for HTTPS from the registration VLAN.
> >>>
> >>> Any advice would be welcome.
>




Re: [PacketFence-users] PF 13.1 Registration Captive Portal connection timed out

2024-05-07 Thread Diego Garcia del Rio via PacketFence-users
I was having similar issues on a fresh install of PacketFence 13.1 on
Rocky Linux using the RPMs.

I had trouble creating the isolation and registration sub-interfaces
(VLANs), with the config not sticking in the configurator. As such,
the haproxy-portal config did not have the correct interface
settings / the redirect.lua script seems to have been missing options.
I'm still troubleshooting, but it's very weird.

On Tue, May 7, 2024 at 11:50 AM Nate Tremmel via PacketFence-users
 wrote:
>
> I'm running PacketFence 13.1 from ISO and have a registration VLAN.  I am
> using Meraki APs with RADIUS role by VLAN.  My test computer joins the
> network, gets a registration VLAN IP from the PacketFence server, and it
> tries to open the FQDN of the PacketFence server and gets a connection timed
> out error.  On the computer, the FQDN is resolving to 66.70.255.147 which
> seems to be what is supposed to happen in the admin settings and I can ping
> that IP. I have allowed access to the management IP through the firewall for
> HTTPS from the registration VLAN.
>
> Any advice would be welcome.




Re: [PacketFence-users] Ruckus APs and COA

2023-11-22 Thread Diego Garcia del Rio via PacketFence-users
Are you referring to RADIUS COA? From what it seems, no... it looks
like you're talking about AD COA, meaning, when the user changes AD
groups you'd want him to automatically change state?

Right now I think the only option would be some sort of script that
performs the group membership change on AD and then, using the PF
APIs, looks up the user's devices and triggers a "reevaluate access".

On Mon, Nov 20, 2023 at 11:09 AM Giuliano Da Dalt via
PacketFence-users  wrote:
>
> Good morning, we are looking for the solution to this case.
> Currently, to block students' internet browsing from personal devices, we use
> a captive portal.
> This technology is no longer applicable, as complete segregation of the device
> from any client, even the internal network, is a problem.
> We know that white-listing can be done but it is no longer sufficient,
> especially in the case of external services.
> Our idea is to use VLANs: one that allows complete internet access, the other
> with internet access but with very limited bandwidth (this way push
> notifications, RMM and updates continue to work).
> To switch from one VLAN to another we want to use the COA feature.
>
> We did several tests with our Ruckus APs and PacketFence.
> We are very close to our goal, but 1% is missing.
> If we disconnect and reconnect the client, COA works like a charm.
> We were therefore not able to obtain the same result when the client is
> already connected because we don't find a way to make PacketFence check
> regularly if a user's status changes (AD group change).
>
> Giuliano Da Dalt
> Ufficio informatico - Bearzi
> Tel. 0432-493983
> Int. 983
>


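The reply above sketches a script that, once the AD group change has been made, uses the PF APIs to find the user's devices and trigger "reevaluate access". The following is an added example written for this page, not PacketFence's own code. It assumes three endpoints of the PacketFence REST API as I recall them: POST /api/v1/login returning a bearer token, POST /api/v1/nodes/search with a query on the pid field, and POST /api/v1/node/{mac}/reevaluate_access; the payload shapes (query operator, fields, limit) are likewise assumptions to verify against the API documentation of your PacketFence version before use. Host, port, credentials and the pid are placeholders, and the HTTP transport is injectable so the flow can be exercised offline.

```python
"""Added example: after an AD group change, ask PacketFence to reevaluate
access for every device registered to that user. Not PacketFence code.

Assumed endpoints (verify against your PF version's API docs):
  POST /api/v1/login                        -> {"token": "..."}
  POST /api/v1/nodes/search                 -> {"items": [{"mac": ...}, ...]}
  POST /api/v1/node/<mac>/reevaluate_access -> re-applies the node's access
"""
import json
import ssl
import urllib.request


def json_post(url, payload, token=None, timeout=10):
    """Default transport: HTTPS POST with a JSON body and optional bearer token."""
    data = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    # Load the CA that signed the PF admin certificate into this context
    # (ctx.load_verify_locations) rather than disabling verification.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


class PacketFenceApi:
    def __init__(self, base_url, transport=json_post):
        self.base_url = base_url.rstrip("/")
        self.transport = transport   # callable(url, payload, token) -> dict
        self.token = None

    def login(self, username, password):
        reply = self.transport(self.base_url + "/api/v1/login",
                               {"username": username, "password": password})
        self.token = reply["token"]
        return self.token

    def nodes_for_user(self, pid):
        """MACs registered to a person id (the PF 'pid', e.g. the AD username)."""
        payload = {
            "query": {"op": "equals", "field": "pid", "value": pid},  # assumed shape
            "fields": ["mac", "status", "category"],
            "limit": 100,
        }
        reply = self.transport(self.base_url + "/api/v1/nodes/search",
                               payload, self.token)
        return [item["mac"] for item in reply.get("items", [])]

    def reevaluate_access(self, mac):
        """Ask PF to recompute and re-apply the node's role/VLAN (assumed path)."""
        self.transport(f"{self.base_url}/api/v1/node/{mac}/reevaluate_access",
                       {}, self.token)
        return mac


def reevaluate_user_devices(api, pid):
    """Run after the AD group change has been committed; returns the MACs touched."""
    macs = api.nodes_for_user(pid)
    for mac in macs:
        api.reevaluate_access(mac)
    return macs


if __name__ == "__main__":
    # Placeholders: management host/port, an API user and the person to refresh.
    api = PacketFenceApi("https://pf.example.org:9999")
    api.login("api-user", "api-password")
    print(reevaluate_user_devices(api, "jdoe"))
```

Run it with a dedicated API user whose admin role is limited to node search and reevaluation, and schedule it (or hook it to whatever performs the AD change) so that the AD edit and the PF refresh stay in one transaction rather than relying on the client to disconnect.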


Re: [PacketFence-users] PacketFence Setup on New Ruckus vSZ (Virtual Smart Zone) controller

2023-08-30 Thread Diego Garcia del Rio via PacketFence-users
Sure, no problem.

I can't guarantee timely response... but still...

On Wed, Aug 30, 2023 at 5:33 PM Oliver Pole  wrote:

> Hey Diego,
> Sorry about that mistake, it was very late in the day when I wrote the
> initial message. I did indeed mean vSZ.
> I'm trying to get my Technical Director involved in this conversation as
> he can get you the relevant info.
>
> Is it OK with you if I introduce you via email with the Gmail address
> listed here? We're really in need of direction to get started.
>
> If not I'll try and get him to figure out how to get on the mailing list.
>
> Cheers again Diego
> Oliver
>
>
>
>  Original message 
> From: Diego Garcia del Rio 
> Date: 30/08/2023 21:16 (GMT+00:00)
> To: packetfence-users@lists.sourceforge.net
> Cc: Oliver Pole 
> Subject: Re: [PacketFence-users] PacketFence Setup on New Ruckus vSZ
> (Virtual Smart Zone) controller
>
> Also, I just realised you mention Zone Director in the body of the email
> but SmartZone in the title. Which one is it?
>
> On Wed, Aug 30, 2023 at 2:25 PM Diego Garcia del Rio 
> wrote:
>
>> Hi Oliver,
>>
>> There are multiple, very different integration options with Ruckus and
>> PacketFence. While indeed, some of the documentation is quite old, it
>> should still be usable.
>>
>> Is your PF server in the same "network" (i.e. can you run VLANs from the
>> APs or ZD -if using tunneling- to the PF server for registration /
>> isolation networks?) or is the PF server in a remote datacenter where VLAN
>> extension from the APs would be infeasible?
>>
>> If you can have VLANs reach the PF server, then you can use a regular
>> WLAN config with RADIUS server authentication (with dynamic VLAN
>> assignment enabled on the Ruckus side). If your PF server can't see the
>> VLANs, then you probably need to use WISPr / hotspot-type WLANs on Ruckus
>> (those, I've never implemented on ZD but yes on SmartZone).
>>
>> If you have L2/VLAN reachability between the APs and PF, it should be
>> relatively easy to get it working.
>>
>> cheers
>>
>>
>> On Wed, Aug 30, 2023 at 11:32 AM Oliver Pole via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hi PacketFence Users,
>>>
>>> I was wondering if you guys could help with a basic setup with a new Ruckus
>>> Zone Director (latest update) to perform a basic captive portal setup,
>>> email signup etc.,
>>> so we can get up and running and slowly learn the ropes.
>>>
>>> My team have followed the tutorial on the networking support document
>>> but it's very out of date (2015 from the screenshots) and not working for
>>> us as our clients are just not connecting.
>>> If you need *ANY* information from me, please let me know and I'll send
>>> it in a reply.
>>>
>>> Cheers Guys
>>> Oliver
>>> https://westendwifi.net Westend WiFi creates high performance bespoke
>>> broadband, mini ISP, wireless, Wi-Fi, IoT/LoRaWAN and small cell 4G/5G
>>> networks for retail estates, businesses, councils and government. For
>>> Police and ESMCP / ESN queries please use the following email address:
>>> tim.belfall@westendwifi.net This email and any attachments to it
>>> may contain information which is confidential, legally privileged, subject
>>> to the United Kingdom Official Secrets Act, or otherwise not disclosable by
>>> law, and is protected by copyright. It is intended only for the addressee
>>> named above. If you are not the intended recipient you must delete this
>>> email immediately and not use, distribute, copy, disclose or take any
>>> action in reliance on this email or its contents. If you have received this
>>> email in error please notify us by return email immediately. Westend WiFi
>>> Limited Limited a company registered in England and Wales having company
>>> number 08543595. Trading address: Unit 1 Courtyard, Five House Farm.
>>> Therfield, Hertfordshire - SG8 9RE engyta (UK3064986) and WestEnd WiFi
>>> (UK3007377) are UK IPO registered trademarks of WestEnd WiFi Limited
>>> Westend WiFi Limited is a Friendly WiFi approved provider Westend WiFi
>>> Limited is a member of the Ombudsman Services Westend WiFi Limited is a
>>> licensed spectrum holder by Ofcom Westend WiFi Limited is ISO 9001
>>> registered ISO 9001:2015 Cert No: 300692019 Westend WiFi Limited is ISO
>>> 27001 registered ISO 27001:2013 Cert No: 320892019
>>>

Re: [PacketFence-users] PacketFence Setup on New Ruckus vSZ (Virtual Smart Zone) controller

2023-08-30 Thread Diego Garcia del Rio via PacketFence-users
Also, I just realised you mention Zone Director in the body of the email
but SmartZone in the title. Which one is it?

On Wed, Aug 30, 2023 at 2:25 PM Diego Garcia del Rio 
wrote:

> Hi Oliver,
>
> There are multiple, very different integration options with Ruckus and
> PacketFence. While indeed, some of the documentation is quite old, it
> should still be usable.
>
> Is your PF server in the same "network" (i.e. can you run VLANs from the
> APs or ZD -if using tunneling- to the PF server for registration /
> isolation networks?) or is the PF server in a remote datacenter where VLAN
> extension from the APs would be infeasible?
>
> If you can have VLANs reach the PF server, then you can use a regular WLAN
> config with RADIUS server authentication (with dynamic VLAN assignment
> enabled on the Ruckus side). If your PF server can't see the VLANs, then
> you probably need to use WISPr / hotspot-type WLANs on Ruckus (those, I've
> never implemented on ZD but yes on SmartZone).
>
> If you have L2/VLAN reachability between the APs and PF, it should be
> relatively easy to get it working.
>
> cheers
>
>
> On Wed, Aug 30, 2023 at 11:32 AM Oliver Pole via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi PacketFence Users,
>>
>> I was wondering if you guys could help with a basic setup with a new Ruckus
>> Zone Director (latest update) to perform a basic captive portal setup,
>> email signup etc.,
>> so we can get up and running and slowly learn the ropes.
>>
>> My team have followed the tutorial on the networking support document but
>> it's very out of date (2015 from the screenshots) and not working for us as
>> our clients are just not connecting.
>> If you need *ANY* information from me, please let me know and I'll send
>> it in a reply.
>>
>> Cheers Guys
>> Oliver
>>
>


Re: [PacketFence-users] PacketFence Setup on New Ruckus vSZ (Virtual Smart Zone) controller

2023-08-30 Thread Diego Garcia del Rio via PacketFence-users
Hi Oliver,

There are multiple, very different integration options with Ruckus and
PacketFence. While indeed, some of the documentation is quite old, it
should still be usable.

Is your PF server in the same "network" (i.e. can you run VLANs from the
APs or ZD -if using tunneling- to the PF server for registration /
isolation networks?) or is the PF server in a remote datacenter where VLAN
extension from the APs would be infeasible?

If you can have VLANs reach the PF server, then you can use a regular WLAN
config with RADIUS server authentication (with dynamic VLAN assignment
enabled on the Ruckus side). If your PF server can't see the VLANs, then
you probably need to use WISPr / hotspot-type WLANs on Ruckus (those, I've
never implemented on ZD but yes on SmartZone).

If you have L2/VLAN reachability between the APs and PF, it should be
relatively easy to get it working.

cheers


On Wed, Aug 30, 2023 at 11:32 AM Oliver Pole via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi PacketFence Users,
>
> I was wondering if you guys could help with a basic setup with a new Ruckus
> Zone Director (latest update) to perform a basic captive portal setup,
> email signup etc.,
> so we can get up and running and slowly learn the ropes.
>
> My team have followed the tutorial on the networking support document but
> it's very out of date (2015 from the screenshots) and not working for us as
> our clients are just not connecting.
> If you need *ANY* information from me, please let me know and I'll send
> it in a reply.
>
> Cheers Guys
> Oliver
>


[PacketFence-users] repeated LDAP queries for single login

2023-08-09 Thread Diego Garcia del Rio via PacketFence-users
Hello,

I have a new setup using PF 12.2 (I have been using other PF versions with
no problem so far) and I'm seeing a strange behavior. I have a "relatively
complex" login flow, but nothing major (and the same setup is used in other PF
versions / instances). Users are authenticating against Google Workspace
LDAP and I am now using the "baseDn" filter to match users against
different OUs on Google.

The weird thing is that for each login attempt, I see multiple queries in
the logs (I have not dumped the LDAP traffic itself). But in fact, the
repeated queries take "so long" that the portal errors out with a 502 code
(I'm assuming a timeout).

I had disabled the cache option in the LDAP source; enabling it did help a
bit, but the multiple lookups still seem to be occurring.

Below is the packetfence.log for a login attempt for a user that matched
the first rule of the authentication chain (belongs to the group "wifi-it"
and assigns the proper role). This log was with the "cache" option DISABLED.

Aug  8 18:32:56 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Found authentication source(s) : 'mariaguadalupe-ldap' for realm 'mariaguadalupe.org.ar' (pf::config::util::filter_authentication_sources)
Aug  8 18:32:56 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Authenticating user using sources : mariaguadalupe-ldap (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] [mariaguadalupe-ldap] Authentication successful for mediatel (pf::Authentication::Source::LDAPSource::authenticate)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Authentication successful for mediatel in source mariaguadalupe-ldap (GoogleWorkspaceLDAP) (pf::authentication::authenticate)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] User media...@mariaguadalupe.org.ar has authenticated on the portal. (captiveportal::PacketFence::DynamicRouting::Module::_username_set)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Found source mariaguadalupe-ldap in session. (Class::MOP::Class:::around)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Found source mariaguadalupe-ldap in session. (Class::MOP::Class:::around)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Successfully authenticated media...@mariaguadalupe.org.ar (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Found source mariaguadalupe-ldap in session. (Class::MOP::Class:::around)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Found source mariaguadalupe-ldap in session. (Class::MOP::Class:::around)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Found source mariaguadalupe-ldap in session. (Class::MOP::Class:::around)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Using sources mariaguadalupe-ldap for matching (pf::authentication::match)
Aug  8 18:32:59 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) WARN: [mac:00:11:22:33:44:55] [mariaguadalupe-ldap wifi-it] Searching for (&(uid=mediatel)(memberOf=cn=wifi-it,ou=Groups,dc=mariaguadalupe,dc=org,dc=ar)), from ou=Users,dc= mariaguadalupe,dc=org,dc=ar, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug  8 18:32:59 mdg pfqueue[17889]: pfqueue(17889) INFO: [mac:unknown] Already did a person lookup for media...@mariaguadalupe.org.ar (pf::lookup::person::lookup_person)
Aug  8 18:33:01 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Matched rule (wifi-it) in source mariaguadalupe-ldap, returning actions. (pf::Authentication::Source::match_rule)
Aug  8 18:33:01 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Matched rule (wifi-it) in source mariaguadalupe-ldap, returning actions. (pf::Authentication::Source::match)
Aug  8 18:33:01 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) INFO: [mac:00:11:22:33:44:55] Found source mariaguadalupe-ldap in session. (Class::MOP::Class:::around)
Aug  8 18:33:01 mdg httpd.portal-docker-wrapper[6092]: httpd.portal(23) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' 

Re: [PacketFence-users] Newer Model iPhones and Android Devices showing MAC:0 in Captive Portal

2023-01-11 Thread Diego Garcia del Rio via PacketFence-users
I'm guessing it might be related to the rfc7710bis / rfc8910 portal support

this means that via DHCP, the client is provided with a URL they can use
to check the status of the device in the portal (whether they are still
jailed or not)

normally this information is served on the same interface as the portal if
I'm not mistaken. You might want to check the logs for pf.log or the
haproxy-portal log for URLs matching "/rfc7710"

if so.. it might be that the clients are too fast re-accessing that URL and
determining they are still locked

in my case, forcing a disconnect via the CoA will cause the client to
re-issue a DHCP request.. and thus, a new portal request?




On Wed, Jan 11, 2023 at 2:36 PM Ian MacDonald via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Daniel,
>
> The random MAC would seem like an obvious culprit, but it is not.
>
> On an iPhone, if you click on the little "i" for information next to each
> connection, you see that the OS uses the same [random] mac per SSID, so it
> will never change for a given WiFi network after is has connected.  It will
> be different for each SSID/network.
>
> Since it does not change per SSID, the MAC can be used for auth, but
> obviously the OUI will no longer indicate it is an Apple device.
>
> cheers,
> Ian
>
>
> On Wed, Jan 11, 2023 at 11:48 AM Daniel Silva  wrote:
>
>> Good afternoon,
>>
>> We are having the same problem, in the new version people have captured
>> random macs, and they redirect to a page with information on how to disable
>> random macs. Would that really be the best way to solve it? I don't know, I
>> just know that it generates complaints, tickets in our environment. If you
>> have any idea of how to work around this situation, please send it to me at
>> dan...@unifor.br, thank you in advance.
>>
>>
>>
>>
>> *Daniel Ricardo*
>>
>> Infrastructure Analyst
>> NATI - Information Technology Application Center
>>
>> Universidade de Fortaleza
>>
>> Tel.: (85) 3477.3302
>>
>>
>>
>> On Wed, 11 Jan 2023 at 10:52, Ian MacDonald via PacketFence-users
>>  wrote:
>>
>>> Hi Packetfence,
>>>
>>> We have been struggling with some newer model mobile devices with our
>>> WiFi captive portal implementation using Packetfence, and have not seen any
>>> change in the behavior on 11.0 thru 12.1 with our current connection
>>> profile.
>>>
>>> We do not use an inline configuration, and now we are upgraded to 12.1
>>> on Debian 11, though we have not seen any related changelogs for specific
>>> device enumeration related to our issue, so we believe there is some new
>>> capabilities in how these platforms handle WiFi Login that we are missing
>>> configuration for.
>>>
>>> A bit more about our environment.
>>>
>>> Our switch groups are OpenWRT/hostapd based with CoA configured for
>>> Registration/Isolation/Management VLANs connected to our server, and a
>>> Default local VLAN for Internet access that varies depending on the switch
>>> location.
>>>
>>> Based on MAC, devices connect, and receive Internet access for a short
>>> period of time, before completing email-based activation to grant them a
>>> longer access window.
>>>
>>> All devices detect the WiFi login request on the registration network
>>> and prompt users for an email to complete authentication.  When the email
>>> is sent,  PF completes radius accounting, sets the device MAC as registered
>>> and issues a CoA to boot the device after a brief delay to account for
>>> hostapd delay in processing radius changes.  It is at this point where
>>> the process fails for some devices.
>>>
>>> Samsung Galaxy S9 / S10 devices (Android 12) move through this step and
>>> are handed the default redirection page per their connection profile.
>>>
>>> Newer S22 and iPhone 14 devices are shown a Packetfence error occurred
>>> page, which shows the IP address of the gateway for the Default VLAN and
>>> MAC:0.  So they made it to the Normal/Default VLAN and in packetfence they
>>> are registered.
>>>
>>> It seems that right after the CoA disconnect, when the device reconnects
>>> to the WiFi on the correct VLAN,  it detects a sign-in requirement (Or
>>> simply retries the login page) and heads to the portal on the server which
>>> feeds it an error message.   But is on the Default VLAN, so a smart user
>>> can cancel the Login and choose to "stay connected without Internet" and
>>> they are fine.
>>>
>>> Clearly the Internet detection is failing for the device, or it believes
>>> this due to cancelling a login process.
>>>
>>> Just reading this makes me think perhaps we are missing a setting
>>> defined for newer devices, as the config is pretty simple (from the command
>>> line anyway).   I think it is time to try a default connection profile
>>> configured from scratch and see if it adds something we are missing.
>>>
>>> If anyone has experience with this issue, feel free to post back so we
>>> can shortcut our triage, and finally move on to upgrading our production
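
The mechanism the reply above refers to, as an added example (not PacketFence
code and not from any poster): RFC 8910 delivers a captive-portal API URI to
the client in DHCP option 114, and the client polls that URI (RFC 8908) after
every (re)association to learn whether it is still captive. The portal and API
URLs, the access table and the reconnect replay are constructed for
illustration; the "/rfc7710" path only mirrors the log path mentioned above.

```python
"""RFC 8910 (DHCP option 114) and RFC 8908 (captive portal API) in miniature.

Added example, not PacketFence code. PORTAL_URL, API_URL and the access
table are constructed for illustration.
"""
import json
from urllib.parse import urlparse

OPT_CAPTIVE_PORTAL = 114                                # RFC 8910 DHCPv4 option code
CONTENT_TYPE = "application/captive+json"               # RFC 8908 media type
PORTAL_URL = "https://pf.example.org/captive-portal"    # assumed portal URL
API_URL = "https://pf.example.org/rfc7710"              # assumed API path


def encode_option114(api_url: str) -> bytes:
    """Build the raw DHCPv4 option: code byte, length byte, URI bytes."""
    body = api_url.encode("ascii")
    if not 1 <= len(body) <= 255:
        raise ValueError("option 114 payload must be 1..255 bytes")
    return bytes([OPT_CAPTIVE_PORTAL, len(body)]) + body


def decode_option114(raw: bytes) -> str:
    """Parse the option as a client would; RFC 8908 requires an https API URI."""
    if len(raw) < 3 or raw[0] != OPT_CAPTIVE_PORTAL or raw[1] != len(raw) - 2:
        raise ValueError("malformed option 114")
    url = raw[2:].decode("ascii")
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("captive portal API URI must be https")
    return url


def api_status(client_mac: str, access_table: dict) -> tuple:
    """Answer one client's poll as the RFC 8908 server would.

    access_table maps a registered MAC to the seconds of access it still has;
    a MAC that is absent (or at 0) is still captive. The server identifies the
    client from its own view (source IP / MAC), never from a URL parameter.
    """
    remaining = access_table.get(client_mac, 0)
    doc = {"captive": remaining <= 0, "user-portal-url": PORTAL_URL}
    if remaining > 0:
        doc["seconds-remaining"] = remaining
        doc["can-extend-session"] = False
    return CONTENT_TYPE, json.dumps(doc)


def client_needs_signin(content_type: str, body: str) -> bool:
    """What the phone does with the answer: only a captive+json document with
    captive=true opens the sign-in sheet."""
    if content_type != CONTENT_TYPE:
        raise ValueError("not a captive portal API response")
    doc = json.loads(body)
    if not isinstance(doc.get("captive"), bool):
        raise ValueError("captive key is mandatory and must be a boolean")
    return doc["captive"]


def reconnect_sequence(client_mac: str, polls: int, registered_at_poll: int, seconds: int) -> list:
    """Replay the race the reply suspects: the client polls `polls` times after
    the CoA disconnect, and the registration lands in the table only at poll
    number `registered_at_poll`. Returns the sign-in decision at each poll."""
    table = {}
    seen = []
    for n in range(1, polls + 1):
        if n == registered_at_poll:
            table[client_mac] = seconds
        seen.append(client_needs_signin(*api_status(client_mac, table)))
    return seen


if __name__ == "__main__":
    raw = encode_option114(API_URL)
    print(raw.hex(), decode_option114(raw))
    print(reconnect_sequence("aa:bb:cc:dd:ee:ff", polls=3, registered_at_poll=2, seconds=3600))
```

If the state behind the status answer is updated only after the client's first
poll following the CoA, the phone sees captive=true once and shows the sign-in
sheet even though the node is registered by then; that is the timing problem the
reply suspects, and the replay above reproduces it. Two checks matter on the
server side regardless: the API URI handed out in option 114 must be https, and
the client must be identified from the server's own view of the connection, not
from anything the client puts in the request.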

Re: [PacketFence-users] Question regarding integration with Google Oauth2

2022-10-31 Thread Diego Garcia del Rio via PacketFence-users
Yes.. Google LDAP is just a setting under Google Workspace.

I committed some additional documentation to PF's Google LDAP
documentation here (it's not in the public builds yet)

https://github.com/inverse-inc/packetfence/blob/devel/docs/installation/google_workspace_ldap.asciidoc

You need to enable the LDAP service from Google Workspace's console. You
will be able to get group memberships.. etc..

you can find several threads here in the mailing list about that.

But for schools.. this is definitely the way to go.

cheers



On Fri, Oct 28, 2022 at 12:02 PM Paulo Colomés  wrote:

> Thanks Diego,
>
> I´ve never used Google LDAP tbh, and yes, the end customer is a school. Do
> you know if Google LDAP gets automatically populated with the Workspace
> accounts (they currently own like 5.000 acounts)?
>
> Paulo Colomés
> IT Project Engineer - NIS.CL
> Web: www.nis.cl
> Phone: +56-9-84053482
>
> On 28-10-2022, at 12:00, Diego Garcia del Rio  wrote:
>
> You should look into using Google LDAP.
>
> Google OAuth is not really supported by Google in the captive portal
> browser of most phones nowadays. Also, you can't limit the Google
> authentication to a single domain (I had posted some changes to support a
> specific Google domain but those never made it upstream). So any Google
> account would work.
>
> I strongly suggest you look into the google LDAP integration instead (its
> free for schools). If you're not a school though, it might require some of
> the more expensive google workspace plans.
>
>
>
> On Thu, Oct 27, 2022 at 9:20 AM Paulo Colomés via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Good morning everyone.
>>
>> We are willing to deploy a combined solution with a Cisco WLC (plus Cisco
>> APs) and PacketFence to create a unique SSID with a Captive Portal using
>> Google Authentication (all of our users have a Google Workspace account)
>> but some questions arose during the planning phase:
>>
>> 1. It is possible to use PacketFence in this scenario? We are not using
>> Active Directory at all but only Google to authenticate users.
>> 2.  Do you know if it's possible to set up this Captive Portal to make
>> users enter their Google credentials only once every 30 days? We don´t want
>> to make them authenticate every day. I think this is a AAA feature on
>> PacketFence, but I am not sure about the Google authentication integration.
>> Our main goal is to deploy the Google authentication page when a user
>> connects to the WiFi and leave them online for 30 days without asking them
>> to re-authenticate.
>>
>> Thanks in advance
>>
>> Paulo Colomés
>> IT Project Engineer - NIS.CL 
>> Web: www.nis.cl
>> Phone: +56-9-84053482
>>
>>
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
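
The domain restriction the reply says the stock Google OAuth integration lacks,
as an added example (not PacketFence code and not the poster's patch). It
assumes the OAuth library has already verified the ID token signature, or that
the token was fetched over TLS straight from Google's token endpoint, and shows
only the claim checks: issuer, audience, expiry, verified email and above all
the `hd` (hosted domain) claim. The `hd=` parameter in the authorization
request is only a UI hint to the account chooser; without a server-side check
of the claim any Google account signs in. The client_id, domain and token
payloads are constructed.

```python
"""Claim checks for a Google OpenID Connect ID token, limited to one Workspace domain.

Added example, not PacketFence code. Signature verification is assumed to have
happened already; the client_id, domain and sample payloads are constructed.
"""
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def check_google_claims(claims: dict, client_id: str, allowed_domain: str, now: float = None) -> tuple:
    """Return (accepted, reason). The first failing check wins."""
    now = time.time() if now is None else now
    domain = allowed_domain.lower()

    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("aud") != client_id:
        return False, "token was issued for a different client_id"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or has no exp"
    if claims.get("email_verified") is not True:
        return False, "Google has not verified this email address"
    hd = claims.get("hd")
    if not hd:
        # Consumer accounts (gmail.com) carry no hd claim at all.
        return False, "no hd claim: consumer account, not a Workspace account"
    if hd.lower() != domain:
        return False, "Workspace domain %s is not allowed" % hd
    email = str(claims.get("email", "")).lower()
    if not email.endswith("@" + domain):
        return False, "email does not belong to the hd domain"
    return True, "ok"


def portal_username(claims: dict) -> str:
    """Key the portal user on the stable `sub` identifier; the email is for display.
    Emails can be renamed inside a Workspace, `sub` never changes."""
    return claims["sub"]


# Constructed sample payloads (decoded ID token bodies) for the demo below.
CLIENT_ID = "1234.apps.googleusercontent.com"
SAMPLE_OK = {
    "iss": "https://accounts.google.com", "aud": CLIENT_ID,
    "sub": "10769150350006150715113082367", "email": "jdoe@myschool.edu.ar",
    "email_verified": True, "hd": "myschool.edu.ar", "exp": 1_700_000_600,
}
SAMPLE_CONSUMER = dict(SAMPLE_OK, email="jdoe@gmail.com")
SAMPLE_CONSUMER.pop("hd")


if __name__ == "__main__":
    for name, payload in (("workspace", SAMPLE_OK), ("consumer", SAMPLE_CONSUMER)):
        print(name, check_google_claims(payload, CLIENT_ID, "myschool.edu.ar", now=1_700_000_000))
```

Pass the real claims dictionary your OAuth library returns; the `now` argument
exists so the check is deterministic in tests. Rejecting tokens without `hd`
is what keeps consumer Gmail accounts out, which is exactly the case the reply
describes as "any google account would work".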


Re: [PacketFence-users] Question regarding integration with Google Oauth2

2022-10-28 Thread Diego Garcia del Rio via PacketFence-users
You should look into using Google LDAP.

Google OAuth is not really supported by Google in the captive portal
browser of most phones nowadays. Also, you can't limit the Google
authentication to a single domain (I had posted some changes to support a
specific Google domain but those never made it upstream). So any Google
account would work.

I strongly suggest you look into the Google LDAP integration instead (it's
free for schools). If you're not a school though, it might require some of
the more expensive Google Workspace plans.



On Thu, Oct 27, 2022 at 9:20 AM Paulo Colomés via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Good morning everyone.
>
> We are willing to deploy a combined solution with a Cisco WLC (plus Cisco
> APs) and PacketFence to create a unique SSID with a Captive Portal using
> Google Authentication (all of our users have a Google Workspace account)
> but some questions arose during the planning phase:
>
> 1. It is possible to use PacketFence in this scenario? We are not using
> Active Directory at all but only Google to authenticate users.
> 2.  Do you know if it's possible to set up this Captive Portal to make
> users enter their Google credentials only once every 30 days? We don´t want
> to make them authenticate every day. I think this is a AAA feature on
> PacketFence, but I am not sure about the Google authentication integration.
> Our main goal is to deploy the Google authentication page when a user
> connects to the WiFi and leave them online for 30 days without asking them
> to re-authenticate.
>
> Thanks in advance
>
> Paulo Colomés
> IT Project Engineer - NIS.CL
> Web: www.nis.cl
> Phone: +56-9-84053482
>
>
>
>


Re: [PacketFence-users] Authentication FAILED against Google_Workspace (Invalid login or password)

2022-09-29 Thread Diego Garcia del Rio via PacketFence-users
does the "test" button on the ldap google source work?

did you have the proper realm configured as well? (Is it stripping / adding
the correct value?)

I use the google workspace ldap source in several installations and it
works fine



On Thu, Sep 29, 2022 at 9:58 AM P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Team,
> Greetings to all of you
> Configured the packetfence with Google Workspace LDAP
> Roles and Rules are configured in the NAC and Switches.
>
> While running the following command the following output I received
> */usr/local/pf/bin/pftest authentication [username] [password]*
>
> Authenticating against 'Google_Workspace' in context 'admin'
>
>
>
> *Authentication FAILED against Google_Workspace (Invalid login or
> password)  Did not match against Google_Workspace for 'authentication'
> rules  Did not match against Google_Workspace for 'administration' rules*
> Authenticating against 'Google_Workspace' in context 'portal'
>
>
> *Authentication FAILED against Google_Workspace (Invalid login or
> password)  Did not match against Google_Workspace for 'authentication'
> rules  Did not match against Google_Workspace for 'administration' rules*
>
> Can anyone please help me to resolve the issue?
>
> Best,
> Thirunavukkarasu
>


Re: [PacketFence-users] Captive Portal - Pass mac address

2022-09-26 Thread Diego Garcia del Rio via PacketFence-users
not sure which wifi integration you're using (or is it wired?) but, at
least for Ruckus (and I'm sure others as well), when using web-auth it will
have the mac address in the redirect message and support a "remote"
authentication without any need to forward dhcp to packetfence.

(it can get tricky to configure the access points in the "switches" part)..
I had to add them both by MAC as well as the IP of my controller.. but it
works. I have PF deployed in a remote datacenter and 10 schools which
connect to it (over a VPN, but that's just so I don't expose PF to the
internet). All the school sites have overlapping IPs



On Sun, Sep 25, 2022 at 5:03 PM Michael Weber via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello all,
>
> is there a way to pass the MAC address of the client to the captive
> portal?
> I think something about: https://packetfence/signup?mac=aabbccddeeff
> I would like to use the redirect to a external website and pass the mac to
> the portal with something like:
> http://packetfence/captive-portal?next=next=aabbccddeeff
>
> Background:
> We have multiple offices without VPN that use wifi and got the same subnet
> in the wifi. We configured "Guest pre-registration".
> Now guests are redirected to the captive portal but we only see a invalid
> IP address (because of nat between packetfence and clients)  in the footer
> and no mac address.
> IP Helper is configured and nodes are added to packetfence. Unfortunally
> the IP that shows up on the portal is not the correct one (NAT between
> client and packetfence) and because of that the MAC address is not resolved
> based on the IP.
> The biggest problems are the NAT between the clients and packetfence and
> the that we got the same subnet in wifi for all offices. Perhaps there is a
> other solution? Feel free to provide some ideas 
>
> Best Regards
> Michael
>
>
>
>
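
How a portal should treat a client MAC that arrives in a web-auth redirect, as
an added example (not PacketFence code and not from any poster). Controllers
such as the Ruckus one the reply mentions put the client MAC into the redirect
URL; a value in a URL is client-controlled, so the portal normalises it, checks
that the redirecting NAS is one of its configured switches, and, where the
controller can sign its redirects, verifies an HMAC over the redirect. The
parameter names mac, nas and sig, the signing scheme, the shared secret and the
known-NAS list are assumptions for illustration.

```python
"""Taking the client MAC from a web-auth redirect without trusting the URL blindly.

Added example, not PacketFence code. Parameter names (mac, nas, sig), the
HMAC scheme and the known-NAS set are assumptions for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str):
    """aabbccddeeff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff -> aa:bb:cc:dd:ee:ff; else None."""
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def sign_redirect(mac: str, nas: str, secret: bytes) -> str:
    """What a controller that signs its redirects would compute (hypothetical scheme,
    over the normalised MAC and the NAS address)."""
    return hmac.new(secret, ("%s|%s" % (mac, nas)).encode(), hashlib.sha256).hexdigest()


def mac_from_redirect(url: str, known_nas: set, secret: bytes = None) -> tuple:
    """Return (mac, reason); mac is None whenever the redirect must not be trusted."""
    q = parse_qs(urlparse(url).query)
    raw = q.get("mac", [""])[0]
    nas = q.get("nas", [""])[0]
    mac = normalize_mac(raw)
    if mac is None:
        return None, "missing or malformed mac parameter"
    if nas not in known_nas:
        # Only a NAS configured in the "switches" section may hand us a MAC.
        return None, "redirect does not come from a configured NAS"
    if secret is not None:
        sig = q.get("sig", [""])[0]
        if not hmac.compare_digest(sig, sign_redirect(mac, nas, secret)):
            return None, "bad or missing signature"
    return mac, "ok"


if __name__ == "__main__":
    known = {"10.0.0.2"}                       # constructed list of controller addresses
    sig = sign_redirect("aa:bb:cc:dd:ee:ff", "10.0.0.2", b"shared-secret")
    url = "https://pf.example.org/captive-portal?mac=AA-BB-CC-DD-EE-FF&nas=10.0.0.2&sig=" + sig
    print(mac_from_redirect(url, known, b"shared-secret"))
    print(mac_from_redirect(url.replace("10.0.0.2", "10.9.9.9"), known, b"shared-secret"))
```

Without a signature, the MAC in the redirect is only as trustworthy as the path
between the controller and the portal; the NAS check at least stops an arbitrary
client from naming a MAC of its choosing to a portal reachable from anywhere.
With NAT between the clients and PacketFence, as in the question above, the
client IP seen by the portal cannot be used to cross-check the MAC, which is
why the redirect itself has to carry something the portal can verify.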


Re: [PacketFence-users] PacketFence in radius enforcement

2022-06-15 Thread Diego Garcia del Rio via PacketFence-users
Hi Leonardo,

I'm not sure what you're trying to do... but for plain radius authentication
you should use a simple radius server and that's it. In most cases, pf is
meant to be used to do 802.1x when acting as a radius server. PF
developers, please correct me if I'm wrong.

In most cases, PF will not authenticate users but rather mac addresses over
radius so again, I'm not sure if your use case is supported. To be honest,
if you're trying to do un-supported things, you should really try them out
in your lab and try to figure out how the system works, doing packet
captures, etc...



On Tue, Jun 14, 2022 at 7:15 AM  wrote:

> very kind Diego,
>
> I understand what you say.
>
> But suppose I want to use local pf users for authentication and the
> TP-Link controller Omada is compatible with pf.
>
> Then a captive portal appears to the user connected via wifi, for whose
> authentication Omada will contact a server radius (pf).
>
> I have a number of questions to ask yourself:
>
>
>
> For communication with the NAS, does the pf radius use pap or chap?
>
>
>
> pf's radius is listening on port 1812, right?
>
>
>
> Always assuming that Omada is compatible with pf, the operating scheme on
> pf is:
>
>
>
> - On the managing interface (which is the only interface of pf) I select
> 'radius' as "additional listening daemon".
>
>
>
> - does the controller have to be inserted as a switch? if yes, I click on
> new switch \ default \ and then apart from the "Secret Passphrase" (between
> the pf radius and the Omada NAS) which must be entered in the radius tab, and
> the ip address of Omada in the "Controller IP Address" field, what else
> should I enter in that switch part?
>
>
>
> - Then always in pf, I create a connection profile with source local. How
> can I indicate in this connection profile that it refers to the request
> radius?
>
>
>
> Thanks always
>
>
>
> *From:* Diego Garcia del Rio 
> *Sent:* Monday, 13 June 2022 23:37
> *To:* leonardo.i...@itsinformatica.it
> *Cc:* packetfence-users ;
> P.Thirunavukkarasu 
> *Subject:* Re: PacketFence in radius enforcement
>
>
>
> Hi Leonardo,
>
>
>
> TPLink is not one of the supported vendors for wifi. Not sure what you're
> trying to achieve. Would PF just be a radius server for authentication? I'm
> not 100% sure you can use it that way, as you'd still have to configure the
> "switch" to be a particular model / brand / vendor
>
>
>
> You can find the supported models here:
>
>
> https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html
>
>
>
> For example, you won't be able to use it to do any sort of authentication
> against google in this way. You'd need google's LDAP authentication as well
> as PAP for the password to be sent in cleartext to the LDAP server.
> Google's web auth will not work at all as PF is not seeing the password in
> any part of the exchange.
>
>
>
> Best regards
>
>
>
> On Mon, Jun 13, 2022 at 8:14 AM  wrote:
>
> Hello,
>
> I have a Tp-Link Omada wifi controller on which I want to implement a
> local captive portal but with authentication through an External Radius
> Server.
>
> In practice, the Omada one will be used for the captive portal and
> PacketFence in radius enforcement will be used for the External Radius
> Server.
>
>
>
> ** Omada side **
>
> It first asks me to choose between PAP and CHAP as Authentication Mode, I
> will choose CHAP for obvious security reasons.
>
> Furthermore, you are asked to create a radius profile in which you are
> asked for the following information:
>
> "Enable VLAN Assignment for Wireless Network": yes / no
>
> "Authentication Server IP": I guess pf's ip
>
> "Authentication Port": Port 1812 is proposed
>
> "Authentication Password":
>
> "RADIUS Accounting": yes / no
>
>
>
> ** Pf side **
>
> On the managing interface (which is the only interface of pf) I have
> selected 'radius' as "additional listening daemon".
>
> And then?
>
> What do I set in Configuration \ System Configuration \ Radius?
>
> If I want to use a certain source for the user database how do I set the
> connection profile to attach it to the listening radius on the management
> interface?
>
>
>
> Thank you
>
>
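
Why the reply insists on PAP for a directory-backed source, as an added example
(not PacketFence or FreeRADIUS code). A bind-only directory, which is how
Google Workspace LDAP behaves (it answers a bind with yes or no and never
returns the stored password), can verify PAP because PAP hands the RADIUS
server the password to bind with. It cannot verify CHAP, because CHAP (RFC
1994) hands the server only MD5(identifier || password || challenge) and
recomputing that requires the cleartext. The accounts, challenge and identifier
below are constructed; the directory classes are stand-ins.

```python
"""Why a directory-backed source needs PAP, shown with RFC 1994 CHAP arithmetic.

Added example, not PacketFence or FreeRADIUS code. The two directory classes
are stand-ins; accounts and challenge are constructed.
"""
import hashlib
import hmac
import os


class BindOnlyDirectory:
    """Stand-in for an LDAP server: bind() answers yes/no, nothing else."""

    def __init__(self, accounts: dict):
        self._accounts = dict(accounts)

    def bind(self, uid: str, password: str) -> bool:
        stored = self._accounts.get(uid)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


class CleartextStore(BindOnlyDirectory):
    """Stand-in for a source that does hold cleartext passwords, the only kind
    of source that can answer CHAP."""

    def get_password(self, uid: str):
        return self._accounts.get(uid)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode() + challenge).digest()


def authenticate_pap(directory, uid: str, password: str) -> bool:
    """PAP: the password itself reaches the server (on the wire RADIUS obfuscates
    User-Password with the shared secret, RFC 2865 section 5.2), so the server
    can simply bind with it."""
    return directory.bind(uid, password)


def authenticate_chap(directory, uid: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """CHAP: only the hash reaches the server. Without the cleartext there is
    nothing to compare against, so the attempt has to be rejected."""
    get_password = getattr(directory, "get_password", None)
    if get_password is None:
        return False                      # bind-only source: CHAP can never succeed
    stored = get_password(uid)
    if stored is None:
        return False
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


if __name__ == "__main__":
    ldap = BindOnlyDirectory({"jdoe": "correct horse"})
    local = CleartextStore({"jdoe": "correct horse"})
    challenge = os.urandom(16)
    resp = chap_response(7, "correct horse", challenge)         # what the client sends
    print("PAP  via bind-only directory:", authenticate_pap(ldap, "jdoe", "correct horse"))
    print("CHAP via bind-only directory:", authenticate_chap(ldap, "jdoe", 7, challenge, resp))
    print("CHAP via cleartext store    :", authenticate_chap(local, "jdoe", 7, challenge, resp))
```

The "obvious security reasons" for choosing CHAP on the controller therefore
work against a Google LDAP source: the NAS must be set to PAP, and the
confidentiality of the password on the path from the NAS to PacketFence then
rests on the RADIUS shared secret (or on carrying RADIUS over a tunnel), which
is worth keeping in mind when the controller and PacketFence are not on the same
network.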


Re: [PacketFence-users] PacketFence in radius enforcement

2022-06-15 Thread Diego Garcia del Rio via PacketFence-users
Hi Leonardo,

TPLink is not one of the supported vendors for wifi. Not sure what you're
trying to achieve. Would PF just be a radius server for authentication? I'm
not 100% sure you can use it that way, as you'd still have to configure the
"switch" to be a particular model / brand / vendor

You can find the supported models here:
https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html

For example, you won't be able to use it to do any sort of authentication
against google in this way. You'd need google's LDAP authentication as well
as PAP for the password to be sent in cleartext to the LDAP server.
Google's web auth will not work at all as PF is not seeing the password in
any part of the exchange.

Best regards

On Mon, Jun 13, 2022 at 8:14 AM  wrote:

> Hello,
>
> I have a Tp-Link Omada wifi controller on which I want to implement a
> local captive portal but with authentication through an External Radius
> Server.
>
> In practice, the Omada one will be used for the captive portal and
> PacketFence in radius enforcement will be used for the External Radius
> Server.
>
>
>
> ** Omada side **
>
> It first asks me to choose between PAP and CHAP as Authentication Mode, I
> will choose CHAP for obvious security reasons.
>
> Furthermore, you are asked to create a radius profile in which you are
> asked for the following information:
>
> "Enable VLAN Assignment for Wireless Network": yes / no
>
> "Authentication Server IP": I guess pf's ip
>
> "Authentication Port": Port 1812 is proposed
>
> "Authentication Password":
>
> "RADIUS Accounting": yes / no
>
>
>
> ** Pf side **
>
> On the managing interface (which is the only interface of pf) I have
> selected 'radius' as "additional listening daemon".
>
> And then?
>
> What do I set in Configuration \ System Configuration \ Radius?
>
> If I want to use a certain source for the user database how do I set the
> connection profile to attach it to the listening radius on the management
> interface?
>
>
>
> Thank you
>


Re: [PacketFence-users] R: Setting up a local source with Google Workspace

2022-06-03 Thread Diego Garcia del Rio via PacketFence-users
Hi Leonardo

On JXplorer don't use any certificate, since stunnel handles that for
you. It's an "insecure to secure" TCP tunnel.

In JXplorer use 127.0.0.1:1636 as the server / port to connect

Select "no encryption" in JXplorer. And use the root path as the one
mentioned in the previous emails (ou=Users,DC=myschool)

But try using the bind username / password

That way you should be able to see all users / groups provisioned from
Google and check attributes, etc..




On Fri, Jun 3, 2022, 17:28  wrote:

> dear Diego, I would also like to give you the result of the actions you
> recommend + the Google Workspace logs:
>
>
>
> *Stunnel*
>
> in the stunnel.conf file I entered the following configuration:
>
>
>
> [ldap]
>
> client = yes
>
> accept = 127.0.0.1:1636
>
> connect = ldap.google.com:636
>
> cert = C:\tmp\cert\Google_2025_05_24_39655.crt
>
> key = C:\tmp\cert\Google_2025_05_24_39655.key
>
>
>
> and these are the logs:
>
> 2022.06.03 15:39:56 LOG5[main]: Reading configuration from file C:\Program
> Files (x86)\stunnel\config\stunnel.conf
>
> 2022.06.03 15:39:56 LOG5[main]: UTF-8 byte order mark detected
>
> 2022.06.03 15:39:56 LOG5[main]: FIPS mode disabled
>
> 2022.06.03 15:39:56 LOG4[main]: Service [ldap] needs authentication to
> prevent MITM attacks
>
> 2022.06.03 15:39:57 LOG5[main]: Configuration successful
>
>
>
> it seems to me that it is ok
>
>
>
> *JXplorer*
>
> In Security \ Client Certificates \ add Certificate \ I gave the Google
> Workspace certificate file and a name and then the default password which
> is "passphrase"
>
> Then I selected the imported certificate and clicked on Set Private Key \
> and I gave the Google Worksapce key file and then the default password
> which is "passphrase"
>
> I clicked on the "Connect to DSA" button
>
> I set up the fields as follows:
>
> host: ldap.google.com
>
> port: 636
>
> Protocol: LDAP v3
>
> Base DN: ou = Users, dc = school name, dc = edu, dc = it
>
> Level: SSL + User + Password
>
> User DN: username of credentials generated with LDAP clients in Google
> Worksapce
>
> Password: password of the credentials generated with the LDAP client in
> Google Worksapce.
>
> I get the following error:
>
> Error opening connection:
>
> ldap.google.com:636
>
>
>
> error details
>
> javax.naming.CommunicationException: ldap.google.com:636 [Root exception
> is java.net.ConnectException: Connection timed out: connect]
>
> at com.sun.jndi.ldap.Connection.(Unknown Source)
>
> at com.sun.jndi.ldap.LdapClient.(Unknown Source)
>
> at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
>
> at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
>
> at com.sun.jndi.ldap.LdapCtx.(Unknown Source)
>
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown
> Source)
>
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown
> Source)
>
> at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
>
> at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
>
> at
> javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
>
> at javax.naming.InitialContext.getDefaultInitCtx(Unknown
> Source)
>
> at javax.naming.InitialContext.init(Unknown Source)
>
> at javax.naming.ldap.InitialLdapContext.(Unknown
> Source)
>
> at
> com.ca.commons.jndi.JNDIOps.openContext(JNDIOps.java:529)
>
> at com.ca.commons.jndi.JNDIOps.(JNDIOps.java:123)
>
> at com.ca.commons.jndi.BasicOps.(BasicOps.java:55)
>
> at
> com.ca.commons.jndi.AdvancedOps.(AdvancedOps.java:59)
>
> at com.ca.commons.naming.DXOps.(DXOps.java:41)
>
> at
> com.ca.directory.jxplorer.broker.CBGraphicsOps.(CBGraphicsOps.java:46)
>
> at
> com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:477)
>
> at
> com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:422)
>
> at
> com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:396)
>
> at
> com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
>
> at
> com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:913)
>
> at
> com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
>
> at java.lang.Thread.run(Unknown Source)
>
> Caused by: java.net.ConnectException: Connection timed out: connect
>
> at java.net.DualStackPlainSocketImpl.connect0(Native
> Method)
>
> at java.net.DualStackPlainSocketImpl.socketConnect(Unknown
> Source)
>
> at java.net.AbstractPlainSocketImpl.doConnect(Unknown
> Source)
>
> at
> 

Re: [PacketFence-users] R: Setting up a local source with Google Workspace

2022-06-03 Thread Diego Garcia del Rio via PacketFence-users
Indeed. The realm is needed. Otherwise packetfence doesn't know against
which source to authenticate

On Fri, Jun 3, 2022, 14:29 P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Leonardo,
>
> In 'Bind DN' and 'Password' I have to enter the credentials generated by
> the Google Workspace console -> Authentication section -> "Generate new
> credentials". Quite right?
>
> Yes. Correct..
>
> In the 'Base DN' field I have entered the customer's domain in DN format,
> i.e. the domain is schoolname.edu.it so in this field I have entered the
> string: dc = schoolname, dc = edu, dc = it. Quite right?
>
> *dc=schoolname,dc=edu,dc=it*
>
> This is my setup in our campus with Google Workspace
>
> 'Host' = ldap.google.com on SSL port 636
>
> 'SSL Verify Mode' = none
>
> 'Dead duration' = 60
>
> 'Connection timeout' = 1
>
> 'Request timeout' = 5
>
> 'Response timeout' = 10
>
> 'Scope' = Subtree
>
> 'Search Attributes' = null
>
> 'Append search attributes' = null
>
> 'Email Attribute' = mail
>
> 'Cache match' = off
>
> 'Monitor' = on
>
> 'Shuffle' = off
>
> 'Associated Realms' = *I associated the realm created in the realm
> "schoolname.edu.in "*
>
> *Also I wanted to know what to put in the 'Username Attribute' field.*
>
> *uid*
>
> Hope it will help you...
>
> Thanks
> Thirunavukkarasu
>
> On Fri, Jun 3, 2022 at 3:43 PM leonardo.izzo--- via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi, I would like to update you on the situation.
>>
>> With the configuration shown below, regardless of the value entered in
>> the 'Username Attribute' field, by clicking on the 'Test' button the result
>> is positive, therefore the parameters indicated are probably correct.
>>
>> On my pf server configured in inline mode, I created a connection profile
>> having as source the local source configured with Google Workspace just
>> tested correctly.
>>
>> In the captive portal that appears on the client side in the wifi on the
>> inline network, I enter the credentials of a Google Workspace user, but
>> unfortunately the error "Invalid login or password" comes out despite these
>> credentials being correct (usern...@schoolname.edu. It).
>>
>> Can you help me? Thank you
>>
>>
>>
>>
>>
>> *From:* leonardo.i...@itsinformatica.it 
>> *Sent:* Friday, 27 May 2022 15:17
>> *To:* 'packetfence-users@lists.sourceforge.net' <
>> packetfence-users@lists.sourceforge.net>
>> *Subject:* Setting up a local source with Google Workspace
>>
>>
>>
>> Hello everyone, I have some doubts regarding some fields of the source in
>> question.
>>
>>
>>
>> In 'Bind DN' and 'Password' I have to enter the credentials generated by
>> the Google Workspace console -> Authentication section -> "Generate new
>> credentials". Quite right?
>>
>> In the 'Base DN' field I have entered the customer's domain in DN format,
>> i.e. the domain is schoolname.edu.it so in this field I have entered the
>> string: dc = schoolname, dc = edu, dc = it. Quite right?
>>
>> 'Host' = ldap.google.com on SSL port 636
>>
>> 'SSL Verify Mode' = none
>>
>> 'Dead duration' = 60
>>
>> 'Connection timeout' = 1
>>
>> 'Request timeout' = 5
>>
>> 'Response timeout' = 10
>>
>> 'Scope' = Subtree
>>
>> 'Search Attributes' = null
>>
>> 'Append search attributes' = null
>>
>> 'Email Attribute' = mail
>>
>> 'Cache match' = off
>>
>> 'Monitor' = on
>>
>> 'Shuffle' = off
>>
>> 'Associated Realms' = nothing
>>
>> Also I wanted to know what to put in the 'Username Attribute' field.
>>
>>
>>
>> Thanks
>>
>
>
>>
>
>


Re: [PacketFence-users] Setting up a local source with Google Workspace

2022-06-03 Thread Diego Garcia del Rio via PacketFence-users
most of the defaults should work. For the username Attribute, 'uid'
should work.

when you click on the "test" button for the bindDn and password, does it
work?

make sure the ldap service is enabled as well (not just the credentials
generated). It's quite annoying as it's not readily evident you
haven't enabled the service

Also, using "stunnel" (for certificate-based SSL tunneling to google)  and
an ldap browser such as "JXplorer"  you can test and see if you can browse
the ldap tree, make sure the credentials are ok, etc..

The bindDN is "just" the username, like "jdoe"

but the BaseDN needs to have the prefix "ou=Users" such as the following:

ou=Users,dc=myschool,dc=edu,dc=ar

cheers!




On Sun, May 29, 2022 at 1:43 PM leonardo.izzo--- via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello everyone, I have some doubts regarding some fields of the source in
> question.
>
>
>
> In 'Bind DN' and 'Password' I have to enter the credentials generated by
> the Google Workspace console -> Authentication section -> "Generate new
> credentials". Quite right?
>
> In the 'Base DN' field I have entered the customer's domain in DN format,
> i.e. the domain is schoolname.edu.it so in this field I have entered the
> string: dc=schoolname,dc=edu,dc=it. Quite right?
>
> 'Host' = ldap.google.com on SSL port 636
>
> 'SSL Verify Mode' = none
>
> 'Dead duration' = 60
>
> 'Connection timeout' = 1
>
> 'Request timeout' = 5
>
> 'Response timeout' = 10
>
> 'Scope' = Subtree
>
> 'Search Attributes' = null
>
> 'Append search attributes' = null
>
> 'Email Attribute' = mail
>
> 'Cache match' = off
>
> 'Monitor' = on
>
> 'Shuffle' = off
>
> 'Associated Realms' = nothing
>
> Also I wanted to know what to put in the 'Username Attribute' field.
>
>
>
> Thanks
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
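Added example, not PacketFence code and not something posted in the thread: a stdlib-only Python script that does the same check as the stunnel + LDAP browser suggestion above. It builds the Base DN in the form described (ou=Users plus the dc= components of the domain), opens a mutual-TLS connection to ldap.google.com:636 presenting the client certificate and key downloaded from the Google Admin console, sends an LDAP simple bind with the generated access-credential username and password, and decodes the bind result code. File names and the username are placeholders. The TLS context verifies Google's server certificate, which 'SSL Verify Mode = none' in the configuration above does not.

```python
"""Stand-alone bind test for a Google Workspace Secure LDAP source (stdlib only).

Added example for the thread above, not PacketFence code. Assumptions: the client
certificate and key downloaded from the Google Admin console for this LDAP client,
and the access-credential username/password generated there.
"""
import socket
import ssl

GOOGLE_LDAP_HOST = "ldap.google.com"
GOOGLE_LDAP_PORT = 636


def base_dn_for_domain(domain: str) -> str:
    """Base DN in the form described above: 'ou=Users' plus one dc= per domain label."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain")
    return "ou=Users," + ",".join(f"dc={lbl}" for lbl in labels)


# Minimal BER encoding of LDAP messages (RFC 4511), enough for a simple bind.
def _ber_len(n: int) -> bytes:
    """Short form below 128; long form = 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def simple_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    if not 0 < message_id < 0x80:
        raise ValueError("message_id must fit in one positive INTEGER byte")
    bind = (_tlv(0x02, b"\x03")                      # version INTEGER 3
            + _tlv(0x04, name.encode("utf-8"))       # name: the bare access-credential username
            + _tlv(0x80, password.encode("utf-8")))  # authentication: simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                # long-form length
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes):
    """Return (message_id, result_code, diagnostic_message); result 0 means the bind succeeded."""
    tag, seq, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(seq, 0)                 # messageID INTEGER
    tag, op, _ = _read_tlv(seq, pos)
    if tag != 0x61:                                 # BindResponse is [APPLICATION 1]
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _read_tlv(op, 0)                 # resultCode ENUMERATED (49 = invalidCredentials)
    _, _, pos = _read_tlv(op, pos)                  # matchedDN
    _, diag, _ = _read_tlv(op, pos)                 # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data


def _recv_message(sock) -> bytes:
    """Read exactly one LDAPMessage: tag, length octets, then that many content bytes."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        len_octets = _recv_exact(sock, head[1] & 0x7F)
        head, length = head + len_octets, int.from_bytes(len_octets, "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def secure_ldap_bind(username: str, password: str, certfile: str, keyfile: str,
                     host: str = GOOGLE_LDAP_HOST, port: int = GOOGLE_LDAP_PORT):
    """Connect with mutual TLS, bind with the access credentials, return (result_code, diagnostic)."""
    ctx = ssl.create_default_context()   # verifies Google's certificate, unlike 'SSL Verify Mode = none'
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(1, username, password))
            _, code, diag = parse_bind_response(_recv_message(tls))
    return code, diag
```

Call secure_ldap_bind("jdoe", password, "client.crt", "client.key") from a Python shell with the real files in place: (0, "") means the bind worked, 49 means the access credentials were rejected, and if the TLS handshake itself fails it is worth checking that the LDAP client is actually switched on in the Admin console, which is the point made above.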


Re: [PacketFence-users] Google Oauth2 captive portal

2022-05-22 Thread Diego Garcia del Rio via PacketFence-users
Ciao Leonardo,

For the 1st question, you need a DNS record that makes the PF server
reachable FROM THE CLIENTs. It doesn't need to be reachable at all from the
internet. But the clients need to resolve "pf.mycompany.com" and get an IP
that PF has associated with the portal service. If you're using a
registration vlan where PF is directly the DHCP server (and also DNS and
default gateway) for unregistered clients, then that part should work fine.

For the second option, you can try letsencrypt (but if your server has no
ports exposed to the internet, then it can get a bit complicated).
Otherwise just search for "cheap ssl"... I use this: https://www.ssls.com/
but your mileage might vary, depending on which domain you own and how you
can prove you own it. ssls.com lets you validate via email but you have to
be in control (or at least, in contact) with whoever owned / registered "
mycompany.com"

If you want to test in the meantime, you can try temporarily adding the PF
"fake" certificate (normally untrusted) to your host's certificate store...

but if you're not very familiar with certificates it won't be as easy

cheers


On Sat, May 21, 2022 at 10:29 AM  wrote:

> hi Diego,
>
>
>
>- *there is no need for the PF machine to be publicly reachable. But
>it should have a proper dns name / domain*
>
> Let's take a very simple case: the customer has a pf machine behind an
> Internet router and has an Internet domain like mycompanyname.com and a
> static public IP.
>
> Now, if by publicly reachable you mean the pf console it is clear that it
> is not necessary, however there will be a DNS record that will associate
> the public IP address with pf.mycompanyname.com, and a port mapping of
> port 443 (https) towards the host corresponding to the machine pf itself
> Right or did I understand nothing?
>
>
>
>- *so yes, the certificate is mandatory. It needs to be trusted by the
>browser, so given you're looking at using this with "guests", then yes, you
>would have to buy a domain or at least a certificate for a host in a domain
>already owned. In this case, the certificate would be for
>"pf.mycompanyname.com <http://pf.mycompanyname.com>"  or something like
>that*
>
> is there an inexpensive service that allows you to purchase SSL
> certificates?
>
>
>
>
>
> thanks always
>
>
>
>
>
> *From:* Diego Garcia del Rio 
> *Sent:* Friday 20 May 2022 19:56
> *To:* leonardo.i...@itsinformatica.it
> *Cc:* packetfence-users 
> *Subject:* Re: [PacketFence-users] Google Oauth2 captive portal
>
>
>
> Hi leonardo,
>
>
>
> there is no need for the PF machine to be publicly reachable. But it
> should have a proper dns name / domain and valid certificates issued to
> that name (or at least certificates that the client, the laptop pc, can
> trust.)
>
>
>
> If this is a use case with google-for-education domains, then you could
> use the LDAP authentication.
>
>
>
> now, if you don't care about the google usernames (meaning, any user with a
> google account, not just your school / company) then yes, the google-oauth
> path should work.
>
>
>
> I was using it in several deployments but stopped (and switched to the
> secure LDAP) because of the browser restrictions.
>
>
>
> so yes, the certificate is mandatory. It needs to be trusted by the
> browser, so given you're looking at using this with "guests", then yes, you
> would have to buy a domain or at least a certificate for a host in a domain
> already owned. In this case, the certificate would be for "
> pf.mycompanyname.com"  or something like that
>
>
>
> cheers
>
>
>
>
>
> On Fri, May 20, 2022 at 12:00 PM  wrote:
>
> hello Diego and thanks for the reply.
>
> Leaving aside the discussion on mobile devices, and restricting the
> scenario for simplicity to a laptop of a guest who is connected to a wifi
> network and must authenticate on the Internet.
>
> Our client asks that the guest who launches the browser (eg Chrome) from
> his laptop must come up with a captive portal where he is asked to enter
> his Google credentials to authenticate and register his laptop and then be
> able to surf the Internet.
>
> Now let's see if I understand correctly:
>
> the Packetfence machine implemented locally at the customer must be
> reached from the internet using the url: https://your_portal_hostname/oauth2/callback
> where your_portal_hostname is a dns record that allows
> you to reach the Packetfence machine itself from the Internet.
>
> So the customer must have a right internet domain?
>
> Also I understand that it mus

Re: [PacketFence-users] Google Oauth2 captive portal

2022-05-20 Thread Diego Garcia del Rio via PacketFence-users
Hi leonardo,

there is no need for the PF machine to be publicly reachable. But it should
have a proper dns name / domain and valid certificates issued to that name
(or at least certificates that the client, the laptop pc, can trust.)

If this is a use case with google-for-education domains, then you could use
the LDAP authentication.

now, if you don't care about the google usernames (meaning, any user with a
google account, not just your school / company) then yes, the google-oauth
path should work.

I was using it in several deployments but stopped (and switched to the
secure LDAP) because of the browser restrictions.

so yes, the certificate is mandatory. It needs to be trusted by the
browser, so given you're looking at using this with "guests", then yes, you
would have to buy a domain or at least a certificate for a host in a domain
already owned. In this case, the certificate would be for "
pf.mycompanyname.com"  or something like that

cheers


On Fri, May 20, 2022 at 12:00 PM  wrote:

> hello Diego and thanks for the reply.
>
> Leaving aside the discussion on mobile devices, and restricting the
> scenario for simplicity to a laptop of a guest who is connected to a wifi
> network and must authenticate on the Internet.
>
> Our client asks that the guest who launches the browser (eg Chrome) from
> his laptop must come up with a captive portal where he is asked to enter
> his Google credentials to authenticate and register his laptop and then be
> able to surf the Internet.
>
> Now let's see if I understand correctly:
>
> the Packetfence machine implemented locally at the customer must be
> reached from the internet using the url: https://your_portal_hostname/oauth2/callback
> where your_portal_hostname is a dns record that allows
> you to reach the Packetfence machine itself from the Internet.
>
> So the customer must have a right internet domain?
>
> Also I understand that it must also have a valid https certificate, is
> that so?
>
>
>
> *From:* Diego Garcia del Rio via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Thursday 19 May 2022 21:36
> *To:* packetfence-users 
> *Cc:* Diego Garcia del Rio ; supp...@inverse.ca
> *Subject:* Re: [PacketFence-users] Google Oauth2 captive portal
>
>
>
> If you're trying this from a mobile phone (captive portal browser) then
> yes, it will be blocked as google is blocking all embedded browsers and any
> "not-full browsers". It means google authentication can't really be used
> from mobile devices when accessed through the captive portal.
>
>
>
> also, your authorized redirect seems wrong. You need to provide a proper,
> REAL HTTPS (with valid certificate) url / server name. NOT "
> pf.packetfence.org/oauth2/callback"
>
>
>
> you need a proper domain name / proper server name.
>
>
>
> On Thu, May 19, 2022 at 10:40 AM leonardo.izzo--- via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> hi, could you please answer? Thanks
>
>
>
>
>
>
>
> *From:* leonardo.i...@itsinformatica.it 
> *Sent:* Sunday 15 May 2022 15:39
> *To:* 'packetfence-users@lists.sourceforge.net' <
> packetfence-users@lists.sourceforge.net>; 'luza...@akamai.com' <
> luza...@akamai.com>
> *Subject:* Google Oauth2 captive portal
>
>
>
> Hi, I configured pf for a captive portal with OAuth2 using google.
>
> I followed the instructions in the guide on what to do on
> http://code.google.com/apis/console:
>
> 1) I created a project
>
> 2) I went to "OAuth consent screen" and configured it \ I chose External
> and then Create \ I gave a name and email, then I went on without entering
> anything
>
> 3) I went to Credentials \ Create credentials \ I chose "OAuth client ID"
> \ and then as application type "Web Application" and I gave the name pf
>
> 4) I went under "Authorized redirect URI" \ Add URI \ and I entered the
> string https://pf.packetfence.org/oauth2/callback as in my Packetfence
> console in Configuration \ System Configuration \ General Configuration I
> have pf Domain = packetfence.org and Hostname = pf
>
> 5) I have saved the "client ID" and the "client secret"
>
> 6) I went to the OAuth consent screen \ modify App \ authorized domains
> and entered:
>
> google.com, google.it, etc.
>
> 7) I went to OAuth Consent Screen \ Publish App
>
>
>
> I then created a Google-type external authentication source by entering
> the data created in the previous point.
>
> I then created a connection profile containing this source.
>
>
>
> When I try to connect from a device, I get the following er

Re: [PacketFence-users] Google Oauth2 captive portal

2022-05-19 Thread Diego Garcia del Rio via PacketFence-users
If you're trying this from a mobile phone (captive portal browser) then
yes, it will be blocked as google is blocking all embedded browsers and any
"not-full browsers". It means google authentication can't really be used
from mobile devices when accessed through the captive portal.

also, your authorized redirect seems wrong. You need to provide a proper,
REAL HTTPS (with valid certificate) url / server name. NOT "
pf.packetfence.org/oauth2/callback"

you need a proper domain name / proper server name.

On Thu, May 19, 2022 at 10:40 AM leonardo.izzo--- via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> hi, could you please answer? Thanks
>
>
>
>
>
>
>
> *From:* leonardo.i...@itsinformatica.it 
> *Sent:* Sunday 15 May 2022 15:39
> *To:* 'packetfence-users@lists.sourceforge.net' <
> packetfence-users@lists.sourceforge.net>; 'luza...@akamai.com' <
> luza...@akamai.com>
> *Subject:* Google Oauth2 captive portal
>
>
>
> Hi, I configured pf for a captive portal with OAuth2 using google.
>
> I followed the instructions in the guide on what to do on
> http://code.google.com/apis/console:
>
> 1) I created a project
>
> 2) I went to "OAuth consent screen" and configured it \ I chose External
> and then Create \ I gave a name and email, then I went on without entering
> anything
>
> 3) I went to Credentials \ Create credentials \ I chose "OAuth client ID"
> \ and then as application type "Web Application" and I gave the name pf
>
> 4) I went under "Authorized redirect URI" \ Add URI \ and I entered the
> string https://pf.packetfence.org/oauth2/callback as in my Packetfence
> console in Configuration \ System Configuration \ General Configuration I
> have pf Domain = packetfence.org and Hostname = pf
>
> 5) I have saved the "client ID" and the "client secret"
>
> 6) I went to the OAuth consent screen \ modify App \ authorized domains
> and entered:
>
> google.com, google.it, etc.
>
> 7) I went to OAuth Consent Screen \ Publish App
>
>
>
> I then created a Google-type external authentication source by entering
> the data created in the previous point.
>
> I then created a connection profile containing this source.
>
>
>
> When I try to connect from a device, I get the following error:
>
>
>
> Authorization error
>
> Error 400: invalid_request
>
> You can't sign in to this app because it doesn't comply with Google's
> OAuth 2.0 policy for keeping apps secure.
>
>
>
> You can let the app developer know that this app doesn't comply with one
> or more Google validation rules.
>
> Find out more
>
> Request details
>
> The content in this section was provided by the app developer and has not
> been reviewed or verified by Google.
>
> If you developed the app, make sure these request details comply with
> Google's policies.
>
> redirect_uri: https: //  / oauth2 / callback
>
>
>
> Thanks
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
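Added example for the redirect-URI problem discussed above (not PacketFence code): a preflight check that builds the callback URL from the hostname and domain the way the poster describes (https://<hostname>.<domain>/oauth2/callback), flags the project's default domain, a non-https scheme, a wrong path, and an exact-match mismatch with the URIs registered in the Google console, and optionally checks that the portal's certificate is accepted by the default trust store, as a browser would require. Host names in it are placeholders.

```python
"""Preflight check for the Google OAuth2 redirect URI of a PacketFence captive portal.

Added example, not PacketFence code. As the poster describes, the callback is built
from the hostname and domain in General Configuration; host names here are placeholders.
"""
import socket
import ssl
from urllib.parse import urlsplit

PROJECT_DEFAULT_DOMAIN = "packetfence.org"   # the project's own domain, not one a deployment owns
CALLBACK_PATH = "/oauth2/callback"


def expected_redirect_uri(hostname: str, domain: str) -> str:
    """The callback the portal advertises: https://<hostname>.<domain>/oauth2/callback."""
    return f"https://{hostname}.{domain}{CALLBACK_PATH}"


def redirect_uri_problems(registered_uris, hostname: str, domain: str) -> list:
    """Compare the portal's callback with the URIs registered in the Google console.

    Returns human-readable problems; an empty list means the registration matches
    exactly (OAuth redirect matching is exact, so scheme, host and path all count).
    """
    expected = expected_redirect_uri(hostname, domain)
    problems = []
    if domain.lower() == PROJECT_DEFAULT_DOMAIN:
        problems.append(f"domain {domain!r} is the project's default, not a name you own")
    if expected not in registered_uris:
        problems.append(f"{expected} is not among the authorized redirect URIs")
    for uri in registered_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append(f"{uri} is not https")
        if parts.path != CALLBACK_PATH:
            problems.append(f"{uri} does not end in {CALLBACK_PATH}")
    return problems


def certificate_trusted(host: str, port: int = 443):
    """Live check: does the portal present a chain the default trust store accepts for host?"""
    ctx = ssl.create_default_context()       # same verification a browser performs
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, "certificate chain and hostname verified"
    except ssl.SSLError as exc:              # untrusted issuer, expired, or name mismatch
        return False, f"a browser would reject it: {exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"
```

redirect_uri_problems() runs offline; certificate_trusted("pf.mycompanyname.com") needs the portal to be reachable from the machine running the check, which is all the exposure the setup needs: the clients must reach it, not the whole internet.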


Re: [PacketFence-users] Multiple Roles with Self-Reg Portal(s)?

2022-02-15 Thread Diego Garcia del Rio via PacketFence-users
you could create two authentication sources (both pointing to the same
LDAP), one which filters faculty and another students (you would have to
play with the LDAP filters so that the user is not even found if you
search for faculty using the student's authentication source)
and then you could present two different "login options" -> faculty login
(which only uses the faculty LDAP as authentication source) and student
login (which only uses the student LDAP as auth source), each of which leads to
the two different "select-role" portal modules, one tuned for faculty
and the other for staff

if it's only 2 "paths" then it's probably ok... otherwise, it could become a
bit un-manageable


On Tue, Feb 15, 2022 at 8:03 AM Toren Smith via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I'm not sure what the right approach is for this, or how much of this
> PacketFence can do. I'm not planning on using PF as a captive portal,
> I just want to use it for the self-service device registration page
> for MAB on wired and wireless connections. Ideally what I wanted was a
> system where our faculty or students could sign in to the portal and
> register their devices and select from a couple of different roles for
> each device. I can authenticate the accounts via AD or LDAP just fine,
> and I can assign roles to the users based on LDAP attributes. If I
> don't specify a list of roles for the Self-Service Portal, it'll
> assign the student/faculty role to the device when it's registered,
> but if I put in a list of roles they can choose from, then *all* users
> can choose from any of those, regardless of the user's role.
>
> So what I want is for students to sign into the Portal and get the
> option of registering their devices in role A or role B, while faculty
> signing in get to choose between roles C or D. But right now if I
> leave the list blank, neither of them gets to choose a role for their
> devices, and if I put the list of these in, they can all chose from A,
> B, C, or D.
>
> I'd be fine with having two separate portal pages for the two groups,
> but I don't see an obvious way of doing that. I've read through all
> the documentation, but it didn't seem to cover these cases.
>
> Does anybody know the answer? Thanks.
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
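Added example illustrating the filter approach in the reply above (not PacketFence code; the group DNs, the base DN, the AD-style memberOf attribute and the sample directory entries are constructed assumptions): each source uses a lookup filter that only matches users in its own population, so a student is simply "not found" by the faculty source, and the username is escaped per RFC 4515 so a value typed into the portal cannot change the filter's structure.

```python
"""Group-scoped LDAP lookup filters for separate faculty / student sources.

Added example for the reply above, not PacketFence code. Group DNs, base DN,
the memberOf attribute and the sample entries are constructed assumptions.
"""

# Assumed directory layout (constructed for the example).
POPULATIONS = {
    "faculty": "CN=Faculty,OU=Groups,DC=example,DC=edu",
    "students": "CN=Students,OU=Groups,DC=example,DC=edu",
}

# Constructed sample entries standing in for what the directory would return.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "memberOf": [POPULATIONS["faculty"]]},
    {"sAMAccountName": "astudent", "memberOf": [POPULATIONS["students"]]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a username typed into the portal must not alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append(f"\\{ord(ch):02x}")
        elif ord(ch) < 0x20 or ord(ch) > 0x7e:       # control / non-ASCII: escape each UTF-8 byte
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def scoped_filter(population: str, username: str, username_attr: str = "sAMAccountName") -> str:
    """Filter for one source: the user must match AND be a member of that population's group."""
    group_dn = POPULATIONS[population]
    return (f"(&({username_attr}={escape_filter_value(username)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


def source_filters(username: str) -> dict:
    """The filter each of the two sources would send for the same login attempt."""
    return {pop: scoped_filter(pop, username) for pop in POPULATIONS}


def would_find(population: str, username: str, entries=SAMPLE_ENTRIES) -> bool:
    """What the directory answers to scoped_filter(): exact name AND group membership."""
    group_dn = POPULATIONS[population]
    return any(e["sAMAccountName"] == username and group_dn in e["memberOf"] for e in entries)
```

With this, the faculty source finds jdoe and the student source does not, which is what keeps each login path and its select-role module to its own population; the escaping is what makes the "not found" outcome hold even for a deliberately odd username.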


[PacketFence-users] issue when using "password" authentication module / user is overriden for other local auth sources

2022-02-11 Thread Diego Garcia del Rio via PacketFence-users
Dear Users / devs

I am using a portal where I use the "Password" authentication source and
other "local" authentication sources as well. And what I noticed is that
once the portal is loaded, the log indicates that "user XXX has logged into
the portal" (this is before the user selects any option to login, just the
act of displaying the portal shows this)

This is causing the side effect that all nodes are registering under the
user specified for the "Password"  source. Other login attempts using the
"local" source work fine but the device is still registered under the
Password user and not whatever user actually logged in.

I have raised an issue in github with a fair amount of detail (I believe)
 https://github.com/inverse-inc/packetfence/issues/6857

so far, I can use the system as is, but the fact that the devices end up
registered under a different username is concerning to say the least.

thanks in advance!
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] ability to specify a different portal URL in the RFC7710 response

2022-02-02 Thread Diego Garcia del Rio via PacketFence-users
thanks fabrice! That's one way of doing it ;-)

cheers!!

On Wed, Feb 2, 2022 at 10:09 AM Fabrice Durand  wrote:

> Hello Diego,
>
> you can change it there:
>
> https://github.com/inverse-inc/packetfence/blob/devel/go/httpdispatcher/proxy.go#L148
>
> then go in /usr/local/pf/go
> make go-env
> source ~/.bashrc
> make pfhttpd
> mv pfhttpd ../sbin
> systemctl restart packetfence-httpd.dispatcher.service
>
> Regards
> Fabrice
>
>
> On Wed, 2 Feb 2022 at 03:37, Diego Garcia del Rio via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello everyone
>>
>> I am using a ruckus smartzone based setup with WISPR / hot-spot redirect
>> on the AP. (so packetfence is NOT the DHCP server nor is it really using an
>> isolation or registration vlan on packetfence) In fact, my packetfence
>> server is not co-located on the same site as the clients.
>>
>> So un-authenticated clients get re-directed by the wifi access point and
>> steered to "http://activelearning.school-wifi.com/RuckusSmartZone" where
>> the login works just fine
>>
>> The thing is that I was trying to configure rfc7710 dhcp options in my
>> dhcp server and that's ok (I was pointing to
>> "https://activelearning.school-wifi.com/rfc7710" as the content of the
>> dhcp option).
>>
>> And that works fine. Clients that are rfc7710 capable retrieve that dhcp
>> option and immediately open the portal. The problem is that the portal url
>> that the /rfc7710 ip specifies is
>> "https://activelearning.school-wifi.com/portal". And of course, that
>> doesn't work since my clients are not locally terminated on packetfence, so
>> PF has no IP/MAC information to do any correlation and shows an "unknown
>> client error"
>>
>> My question was if there is any way to cause the /rfc7710 json response
>> to point to ANY OTHER url. In my case, for example, it could be
>> "http://neverssl.com" or anything else that would cause the AP to do the
>> proper WISPR redirection. (notice that neverssl is HTTP and not HTTPS)
>>
>>
>> Is there any knob/option I could use?
>>
>> I was looking at the code in proxy.go for httpdispatcher and it seems the
>> "UserPortalURL" field of the JSON response is derived from the
>> "X-Forwarded-For" header added by the front-end proxy. I think it might be
>> useful to provide some means of overriding this value so that clients can
>> then use rfc7710 in this scenario as well.
>>
>> Thanks in advance!
>>
>>
>>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
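Added example for the RFC 7710 discussion above (not PacketFence's httpdispatcher code): the DHCPv4 option that carries the captive-portal API URL, using option 114 as assigned by RFC 8910, which obsoletes RFC 7710, and an RFC 8908 API response whose user-portal-url can be replaced by a configured override instead of being derived from the request, which is the knob asked for above. Deriving the default portal URL from the request Host header is a simplification for this example; the field name and header the poster mentions from proxy.go are not modelled.

```python
"""RFC 8908 captive-portal API response with an overridable user-portal URL.

Added example, not PacketFence's httpdispatcher code. The DHCP option number is
the one RFC 8910 (which obsoletes RFC 7710) assigns; deriving the default portal
URL from the request Host header is a simplification for this example.
"""
import json
from typing import Optional
from urllib.parse import urlsplit

CAPTIVE_JSON = "application/captive+json"   # media type of an RFC 8908 API response


def dhcp_option114(api_url: str) -> bytes:
    """DHCPv4 option 114 (RFC 8910): code, length, then the API URI as ASCII bytes."""
    if not api_url.startswith("https://"):
        raise ValueError("the API endpoint itself must be served over https")
    data = api_url.encode("ascii")
    if len(data) > 255:
        raise ValueError("option payload exceeds 255 octets")
    return bytes([114, len(data)]) + data


def validate_portal_url(url: str) -> str:
    """An override must be an absolute http(s) URL; anything else would send clients nowhere."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"override must be an absolute http(s) URL, got {url!r}")
    return url


def captive_api_response(host_header: str, captive: bool = True,
                         portal_override: Optional[str] = None):
    """Return (status, headers, body) for the API endpoint.

    portal_override is the knob the thread asks for: when set (and validated) it
    replaces the default https://<host>/portal, so a client that is not terminated
    on the portal server is sent somewhere the access point can redirect.
    """
    if portal_override:
        portal = validate_portal_url(portal_override)
    else:
        portal = f"https://{host_header}/portal"
    body = {"captive": captive, "user-portal-url": portal}
    headers = {"Content-Type": CAPTIVE_JSON}
    return 200, headers, json.dumps(body)
```

The override is deliberately allowed to be plain http, as in the neverssl example above; only the API endpoint named in the DHCP option is required to be https.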


[PacketFence-users] ability to specify a different portal URL in the RFC7710 response

2022-02-02 Thread Diego Garcia del Rio via PacketFence-users
Hello everyone

I am using a ruckus smartzone based setup with WISPR / hot-spot redirect on
the AP. (so packetfence is NOT the DHCP server nor is it really using an
isolation or registration vlan on packetfence) In fact, my packetfence
server is not co-located on the same site as the clients.

So un-authenticated clients get re-directed by the wifi access point and
steered to "http://activelearning.school-wifi.com/RuckusSmartZone" where
the login works just fine

The thing is that I was trying to configure rfc7710 dhcp options in my dhcp
server and that's ok (I was pointing to
"https://activelearning.school-wifi.com/rfc7710" as the content of the dhcp
option).

And that works fine. Clients that are rfc7710 capable retrieve that dhcp
option and immediately open the portal. The problem is that the portal url
that the /rfc7710 ip specifies is
"https://activelearning.school-wifi.com/portal". And of course, that doesn't
work since my clients are not locally terminated on packetfence, so PF has
no IP/MAC information to do any correlation and shows an "unknown client
error"

My question was if there is any way to cause the /rfc7710 json response to
point to ANY OTHER url. In my case, for example, it could be
"http://neverssl.com" or anything else that would cause the AP to do the
proper WISPR redirection. (notice that neverssl is HTTP and not HTTPS)


Is there any knob/option I could use?

I was looking at the code in proxy.go for httpdispatcher and it seems the
"UserPortalURL" field of the JSON response is derived from the
"X-Forwarded-For" header added by the front-end proxy. I think it might be
useful to provide some means of overriding this value so that clients can
then use rfc7710 in this scenario as well.

Thanks in advance!
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] How to change the ip address to different network segment?

2021-12-20 Thread Diego Garcia del Rio via PacketFence-users
On packetfence 11 changing the pf.conf and /etc/sysconfig/network... (Or
your OS specific IP configuration) and then rebooting was enough for me.  I
tried it on a non clustered pf 11.1 on Rocky Linux 8.4 just last week.



On Wed, Dec 15, 2021, 15:48 nick via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I want to change the ip address from 192.168.X.X to 10.10.X.X, but no
> matter how I tried, it still does not work.
> The files I have modified are /usr/local/pf/conf/pf.conf and
> /etc/network/interfaces.
> And I have also run /usr/local/pf/bin/pfcmd configreload,
> /usr/local/pf/bin/pfcmd service pf restart, and service packetfence
> restart.
>
> The network before I change was in 192.168.1.X/24, and dhcp is enabled.
> The network after will be 10.10.X.X/16, and there is no dhcp.
>
> Is there anything wrong in my setting? Or are there still some files I need to
> modify?
> Thank you.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] New Authentication Source - Google Workspace LDAP

2021-12-16 Thread Diego Garcia del Rio via PacketFence-users
you need to manually upload the files and point to the path where those
files were uploaded. There is no GUI for the certificate upload like there
is for other certificates.

Given you only need to renew it every 3 years it's not too bad, but indeed,
you need to manually upload it using SCP / SFTP / your-tool-of-choice.



On Thu, Dec 9, 2021 at 10:54 AM P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Team,
> I faced an issue in the authentication source page
> [image: image.png]
> There is no option to upload the certificate and key in the page
> I copied the text and pasted it in the box. Not accepted...
> How to resolve it.
> Regards,
> Thirunavukkarasu
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Roles and vlans

2021-12-10 Thread Diego Garcia del Rio via PacketFence-users
You might want to add the vlan as some field in AD / ldap and then see if
there is any way to access that using the radius or vlan filters to push
the vlan to the user. Not sure it will be possible to be honest



On Fri, Dec 10, 2021, 13:29 jj c  wrote:

> nice thank you for the clarification and advice.
>
> we have many clients; per client we have a vlan with a dhcp server.
> what we want to achieve is that when a client connects to the network using
> his AD account in the portal, packetfence will give the right vlan to that
> client.
>
> so what we did is to put hundreds of vlans in roles, and put them in the
> authentication sources, so that when a client logs in to the
> portal, pf will send the right vlan. but it did not work out with what we
> are expecting.  maybe you're right we are misusing the roles.
>
> On Sat, Dec 11, 2021 at 12:05 AM Diego Garcia del Rio 
> wrote:
>
>> But how many roles are you defining ? Several hundred? If so then you're
>> probably misusing the roles. In that case, indeed, vlan-pool is what you
>> want.
>>
>> The manual describes vlan-pools as the following:
>>
>> For a VLAN pool instead of defining a VLAN identifier, you can set a
>> value like that: 20..23,27..30
>>
>> So... for example, for role "students"  you could define a vlan pool like
>> "1000..2999"  and if you select the "vlan pool technique" as "vlan per
>> user" as shown below:
>>
>> [image: image.png]
>>
>>
>>
>> then the system will allocate, for users belonging to the role "students"
>> one vlan in the range 1000 through 2999 (both inclusive). But if there are
>> more USERS in that role than VLANs then vlan allocation will start to fail.
>>
>> The other allocation methods can potentially give the same vlan to 2 or
>> more users.
>>
>>
>> Not sure what your use-case is, but vlan-per-user can be a pain to
>> manage. It makes sense in things like hotels or maybe university student
>> accommodation...
>>
>> cheers,
>>
>>
>>
>>
>> On Fri, Dec 10, 2021, 12:43 jj c  wrote:
>>
>>> sorry for the confusion but I have 2 questions here.
>>> 1. when I define roles, each with its own vlan, and use them in authentication
>>> sources, packetfence 11.0 experiences slowness.
>>> 2. I want to understand the vlan pool technique per_user_vlan. In the
>>> current manual there are no written details about it.
>>>
>>> On Fri, Dec 10, 2021 at 11:31 PM Diego Garcia del Rio 
>>> wrote:
>>>
 you should be able to easily do vlan per role... but you seem to be
 wanting a vlan per user?

 or you have 300 roles defined and each with its own vlan??

 On Fri, Dec 10, 2021 at 12:22 PM jj c via PacketFence-users <
 packetfence-users@lists.sourceforge.net> wrote:

> Hi to all,
> is it possible to bind roles per vlan? because we use vlan per client.
> let's say role1=vlan 10, role2=vlan20, role3=vlan30 and so on. the problem is
> when you put 300 vlans in authentication sources and roles we are
> experiencing slowness when browsing packetfence. also what is per user vlan
> in vlan technique? I cannot find it in the manual.
>
> Thank you,
> james

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Roles and vlans

2021-12-10 Thread Diego Garcia del Rio via PacketFence-users
But how many roles are you defining ? Several hundred? If so then you're
probably misusing the roles. In that case, indeed, vlan-pool is what you
want.

The manual describes vlan-pools as the following:

For a VLAN pool instead of defining a VLAN identifier, you can set a value
like that: 20..23,27..30

So... for example, for role "students"  you could define a vlan pool like
"1000..2999"  and if you select the "vlan pool technique" as "vlan per
user" as shown below:

[image: image.png]



then the system will allocate, for users belonging to the role "students"
one vlan in the range 1000 through 2999 (both inclusive). But if there are
more USERS in that role than VLANs then vlan allocation will start to fail.

The other allocation methods can potentially give the same vlan to 2 or
more users.


Not sure what your use-case is, but vlan-per-user can be a pain to manage.
It makes sense in things like hotels or maybe university student
accommodation...

cheers,




On Fri, Dec 10, 2021, 12:43 jj c  wrote:

> sorry for the confusion but I have 2 questions here.
> 1. when I define roles, each with its own vlan, and use them in authentication
> sources, packetfence 11.0 experiences slowness.
> 2. I want to understand the vlan pool technique per_user_vlan. In the
> current manual there are no written details about it.
>
> On Fri, Dec 10, 2021 at 11:31 PM Diego Garcia del Rio 
> wrote:
>
>> you should be able to easily do vlan per role... but you seem to be
>> wanting a vlan per user?
>>
>> or you have 300 roles defined and each with its own vlan??
>>
>> On Fri, Dec 10, 2021 at 12:22 PM jj c via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hi to all,
>>> is it possible to bind roles per vlan? because we use vlan per client.
>>> let's say role1=vlan 10, role2=vlan20, role3=vlan30 and so on. the problem is
>>> when you put 300 vlans in authentication sources and roles we are
>>> experiencing slowness when browsing packetfence. also what is per user vlan
>>> in vlan technique? I cannot find it in the manual.
>>>
>>> Thank you,
>>> james
>>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
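Added example modelling the per-user VLAN pool behaviour described above (not PacketFence's implementation): it parses a pool spec in the manual's "20..23,27..30" syntax, holds one VLAN per user for the role, hands the same VLAN back to a returning user, and fails explicitly once more users than VLANs have been assigned, which is the failure mode pointed out above. Usernames and pool values are constructed.

```python
"""Per-user VLAN pool allocation, as described in the reply above.

Added example, not PacketFence code: it models the "vlan per user" pool technique
with the manual's "20..23,27..30" pool syntax and makes pool exhaustion explicit.
"""


class PoolExhausted(Exception):
    """Raised when every VLAN in the pool is already held by another user."""


def parse_vlan_pool(spec: str) -> list:
    """'20..23,27..30' -> [20, 21, 22, 23, 27, 28, 29, 30]; single ids are allowed too."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("..")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:                 # 802.1Q VLAN ids 1..4094
            raise ValueError(f"invalid VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    if not vlans:
        raise ValueError("empty pool")
    return sorted(vlans)


class PerUserVlanPool:
    """One VLAN per user for a role; the same user always gets the same VLAN back."""

    def __init__(self, spec: str):
        self.pool = parse_vlan_pool(spec)
        self.by_user = {}                             # username -> vlan currently held

    def assign(self, username: str) -> int:
        """Return the user's VLAN, allocating the lowest free one if needed."""
        if username in self.by_user:
            return self.by_user[username]
        in_use = set(self.by_user.values())
        for vlan in self.pool:
            if vlan not in in_use:
                self.by_user[username] = vlan
                return vlan
        raise PoolExhausted(f"{len(self.pool)} VLANs in pool, "
                            f"{len(self.by_user)} users already hold one")

    def release(self, username: str) -> None:
        """Free the user's VLAN (e.g. when their registration expires)."""
        self.by_user.pop(username, None)

    def free(self) -> int:
        return len(self.pool) - len(self.by_user)
```

A pool like "1000..2999" gives 2000 VLANs, so with more than 2000 users in the role the 2001st assign() raises PoolExhausted; sizing the pool to the user population of the role, and releasing VLANs when registrations expire, is what keeps that from happening in practice.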


Re: [PacketFence-users] Roles and vlans

2021-12-10 Thread Diego Garcia del Rio via PacketFence-users
you should be able to easily do vlan per role... but you seem to be wanting
a vlan per user?

or you have 300 roles defined and each with its own vlan??

On Fri, Dec 10, 2021 at 12:22 PM jj c via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi to all,
> is it possible to bind roles per vlan? because we use vlan per client.
> let's say role1=vlan 10, role2=vlan20, role3=vlan30 and so on. the problem is
> when you put 300 vlans in authentication sources and roles we are
> experiencing slowness when browsing packetfence. also what is per user vlan
> in vlan technique? I cannot find it in the manual.
>
> Thank you,
> james
>


[PacketFence-users] portal preview failing in 11.0

2021-10-29 Thread Diego Garcia del Rio via PacketFence-users
Hi Everyone,

I have a brand new node that was installed with PF 11.0. Everything is
working OK except that when I use the portal preview option, the main
portal opens, but as soon as I click on any of the actions, I get an error
message.

404 Site 127.0.0.1:8891 is not served on this interface


The main portal preview is served fine at the following URL
https://:1443/portal_preview/captive-portal?PORTAL=default

but each of the buttons is missing the rewrite to /portal_preview/

the buttons link to:
https://
:1443/switchto/colegio-root+colegio-login-choice+colegio-cortesia

and this leads to the error page. If I manually add "/portal_preview/" to the
URL,

https://
:1443/portal_preview/switchto/colegio-root+colegio-login-choice+colegio-cortesia

then that additional step works, but things still fail. It seems the
rewrite is done by haproxy or similar.

I see this git commit:
https://github.com/inverse-inc/packetfence/commit/ca46947b9111658d942f6b5de0198767460dce02

called "fix preview"

should I upgrade to 11.1?


Re: [PacketFence-users] Office365 authentications fail on captive portal

2021-09-21 Thread Diego Garcia del Rio via PacketFence-users
not 100% sure.. but I believe you created an "app" in the azure portal for
the authentication to work? I was having similar issues until I explicitly,
as an administrator, gave consent to the app for all users (rather than
each user having to give individual consent).

I think I was getting a very similar error to you.

On Tue, Sep 21, 2021 at 5:22 AM Matthies, Heiko via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> I'm currently trying out the captive portal module from packetfence and
> having difficulties with the OIDC Authentication. I believe I set up the
> OIDC authentication source correctly as I get redirected back from the
> Microsoft page. After that, the following error message occurs:
>
> *OAuth2 Error: Failed to validate the token, please retry*
>
>
>
> I believe the browser has a problem redeeming the token, the error-log
> shows the following message:
>
> *Access to XMLHttpRequest at
> 'https://login.microsoftonline.com/***/oauth2/authorize?response_type=code_uri=https%3A%2F%2F*%2Foauth2%2Fcallback_id=**===openid
> '
> (redirected from 'https://*/oauth2/common/img/sprite.svg') from origin
> 'https://*' has been blocked by CORS policy: Response to preflight
> request doesn't pass access control check: No 'Access-Control-Allow-Origin'
> header is present on the requested resource.*
>
>
>
> I searched through the different apache configs but even when I add the
> Access-Control-Allow-Origin Header through apache, it does not seem to work.
>
>
>
> Am I missing something? For reference, the SAML-Authentication seems to
> have the same issue, so I suspect a problem with the captive portal itself?
>
>
>
> Greetings
>
>
>
> Heiko Matthies
>
>
>
>
> 
>
>
> *ASAP Engineering GmbH* Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 (8458) 3389 252 | Fax. +49 (8458) 3389 399
> heiko.matth...@asap.de | www.asap.de
>
> Managing directors: Michael Neisen, Robert Werner, Christian Schweiger |
> Registered office: Gaimersheim | Commercial register: Ingolstadt HRB 5408
>
> Data protection: Detailed information on how ASAP handles your personal
> data is available on our website under Data protection.
>


Re: [PacketFence-users] CaptivePortal with ssl certificate

2021-09-15 Thread Diego Garcia del Rio via PacketFence-users
make sure you restart haproxy-portal after applying the new cert.



On Mon, Sep 13, 2021 at 5:41 PM Zestermann, Ronald via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> We use the CaptivePortal for a guest WLAN and would like to secure the
> CaptivePortal with a certificate. For this we have uploaded the certificate
> and the key under System-Configuration -> ssl-certificate. Unfortunately,
> the login page of the CaptivePortal is only displayed without a certificate.
>
>
>
> How can we secure the CaptivePortal and its login page with a certificate?
>
>
>
>
>
> with best regards
>
>
>
> Ronald Zestermann
>
>
>


[PacketFence-users] trim whitepspaces from username field

2021-08-19 Thread Diego Garcia del Rio via PacketFence-users
Hi Everyone!

I'm having an issue where users seem to be entering (way too frequently) a
space in their LDAP username field (I'm using an LDAP source and if there is
a space at the end, the realm / domain is not matched and thus no
authentication source is found).

Is there anywhere in the code where I could add some "trim" (remove
leading/trailing spaces) or a similar Perl regex to simplify this?

thanks in advance!
Diego
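An added illustration of the failure mode described in this post, not PacketFence code: the realm lookup is modelled in Python with a constructed realm table, and the normalisation rules, the realm-to-source mapping and the default realm are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed realm table (hypothetical names): realm -> authentication source.
REALMS: Dict[str, str] = {
    "school.edu": "ldap-school",
    "staff.school.edu": "ldap-staff",
}
DEFAULT_REALM = "school.edu"  # assumption: realm used when the user types no realm


def normalize_username(raw: str) -> str:
    """Strip the whitespace users type by accident: leading/trailing blanks
    (including non-breaking spaces pasted from documents) and blanks around
    '@' or '\\'."""
    s = raw.replace("\u00a0", " ").strip()
    s = re.sub(r"\s*@\s*", "@", s)
    s = re.sub(r"\s*\\\s*", r"\\", s)
    return s


def split_realm(username: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' or 'REALM\\user' into (user, realm), realm lower-cased.
    The realm is None when the username carries none."""
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm.lower()
    if "\\" in username:
        realm, user = username.split("\\", 1)
        return user, realm.lower()
    return username, None


def find_source(raw_username: str, normalize: bool = True) -> Optional[str]:
    """Return the authentication source selected for what the user typed, or
    None when the realm matches nothing. normalize=False reproduces the
    failure in the post: 'jdoe@school.edu ' yields realm 'school.edu ' and
    therefore no source at all."""
    username = normalize_username(raw_username) if normalize else raw_username
    user, realm = split_realm(username)
    if not user:
        return None
    return REALMS.get(realm if realm is not None else DEFAULT_REALM)
```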


Re: [PacketFence-users] Ruckus Smartzone

2021-03-04 Thread Diego Garcia del Rio via PacketFence-users
let me know if you need any help... but I have it deployed just like that
at several schools and it works well.


On Thu, Mar 4, 2021 at 10:34 AM Lamont, Pieter-Jan <
pieterjan.lam...@sgsintpaulus.eu> wrote:

> Hello Diego
>
>
>
> That could also work in our environment. I'll take a look at this
> scenario next week when I'm back at the office.
> Thanks!!
>
> Kind regards
>
> *Pieter-Jan Lamont*
> IT Coordinator
>
> Toekomststraat 75 - 8790 Waregem
> Tel. +32 56 62 69 94 - pieterjan.lam...@sgsintpaulus.eu
>
>
> *From:* Diego Garcia del Rio 
> *Sent:* Thursday, 4 March 2021 2:06
> *To:* Lamont, Pieter-Jan 
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Ruckus Smartzone
>
>
>
> Hi pieter-Jan
>
>
>
> I am using the same scenario as you describe. Only that the unrecognized
> devices get directed to the captive portal directly. (packetfence assigns a
> registration vlan to unknown devices, then acts as a dhcp / dns server for
> that vlan and clients get presented the portal). Then the users just login
> using the ldap credentials and the MAC is associated to their account
> automatically
>
>
>
> The only requirement is to have registration and isolation vlans on
> packetfence and that the same vlans can be reached directly by the APs (when
> you assign the proper vlan to the wifi clients)
>
>
>
> Especially on packetfence 10.2 you get the newest support for captive
> portal detection via dhcp which is not yet offered natively by ruckus when
> doing web auth.
>
>
>
>
>
>
>
> On Wed, Mar 3, 2021, 17:17 Lamont, Pieter-Jan <
> pieterjan.lam...@sgsintpaulus.eu> wrote:
>
> Hello Diego
>
>
>
> Yes the MAC encryption is disabled on the smartzone via SSH.
> MAC authentication would be great for our known devices, but not for the
> BYOD segment :(
>
> We would like to use the portal to authenticate students/teachers to our
> campus wifi. The link to Office365 via LDAPS (Azure Domain Services) is
> already working :)
> When transferring to the captive portal our ruckus adds a bunch of
> information to the link. I'll capture this tomorrow from my device. Then
> I'm sure the mac address of my device is added in this information.
>
> Version Smartzone is 5.2.1.0.515
> Version PF 10.2
>
>
>
> Kind regards
>
>
>
> *Pieter-Jan Lamont*
> IT Coordinator
>
> Toekomststraat 75 - 8790 Waregem
> Tel. +32 56 62 69 94 - pieterjan.lam...@sgsintpaulus.eu
>
>
>
> *From:* Diego Garcia del Rio 
> *Sent:* Wednesday, 3 March 2021 17:34
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Lamont, Pieter-Jan 
> *Subject:* Re: [PacketFence-users] Ruckus Smartzone
>
>
>
> Hi Pieter,
>
>
>
> did you disable mac encryption on smartzone?
>
>
>
> It's weird that the mac is not being found. To be honest, I have not used
> the portal option myself yet so I'm not of great help there. Any reason why
> you wouldn't do the mac authentication option with the portal served
> directly by packetfence? (I'm guessing if you have a large campus or
> multiple campuses with a single smart zone and single packetfence.)
>
>
>
> I was hoping to test the web-auth soon, but I haven't had much time.
>
>
>
> which version of smartzone are you using?
>
>
>
> cheers!
>
>
>
>
>
> On Tue, Mar 2, 2021 at 4:05 PM Lamont, Pieter-Jan via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Packetfence Community
>
>
>
> I'm trying to deploy a Ruckus SmartZone WebAuth configuration.
> I have followed the guide several times (fresh Debian 9 with apt-get
> installation and PacketFence ZEN) but didn't succeed with the deployment (6.24.1
> – Network Devices Configuration Guide).
> When configuring the captive portal I can't go to
> http://ip-of-packetfence/RuckusSmartZone (Not implemented) but after
> changing this to http://ip-of-packetfence/Captive-portal, I'm seeing the
> portal.
>
> The user is guided to the captive portal but gets the “Your computer was
> not found in the PF Database” with his IP correctly but no MAC address (MAC
> 0).
>
> When enabling "Activate Preregistration" in the default connection Profile,
> the user gets the Username/password fields to login.
>
> But when entering the correct credentials, the users get a 502 bad gateway
> …
>
> I have also tried to capture all data from the PF to the Ruckus Smartzone,
> but I see no traffic to or from the Smartzone.
>
>
>
>
> Already tried the new updated guide (
> https://github.com/garci66/packetfence/blob/9da2608f131780eb7d9cd64246c9a767868d119f/docs/network/networkdevice/ruckus_smartzone.asciidoc
> 

Re: [PacketFence-users] Ruckus Smartzone

2021-03-03 Thread Diego Garcia del Rio via PacketFence-users
Hi pieter-Jan

I am using the same scenario as you describe. Only that the unrecognized
devices get directed to the captive portal directly. (packetfence assigns a
registration vlan to unknown devices, then acts as a dhcp / dns server for
that vlan and clients get presented the portal). Then the users just login
using the ldap credentials and the MAC is associated to their account
automatically

The only requirement is to have registration and isolation vlans on
packetfence and that the same vlans can be reached directly by the APs (when
you assign the proper vlan to the wifi clients)

Especially on packetfence 10.2 you get the newest support for captive
portal detection via dhcp which is not yet offered natively by ruckus when
doing web auth.




On Wed, Mar 3, 2021, 17:17 Lamont, Pieter-Jan <
pieterjan.lam...@sgsintpaulus.eu> wrote:

> Hello Diego
>
>
>
> Yes the MAC encryption is disabled on the smartzone via SSH.
> MAC authentication would be great for our known devices, but not for the
> BYOD segment :(
>
> We would like to use the portal to authenticate students/teachers to our
> campus wifi. The link to Office365 via LDAPS (Azure Domain Services) is
> already working :)
> When transferring to the captive portal our ruckus adds a bunch of
> information to the link. I'll capture this tomorrow from my device. Then
> I'm sure the mac address of my device is added in this information.
>
> Version Smartzone is 5.2.1.0.515
> Version PF 10.2
>
>
>
> Kind regards
>
>
>
> *Pieter-Jan Lamont*
> IT Coordinator
>
> Toekomststraat 75 - 8790 Waregem
> Tel. +32 56 62 69 94 - pieterjan.lam...@sgsintpaulus.eu
>
>
> *From:* Diego Garcia del Rio 
> *Sent:* Wednesday, 3 March 2021 17:34
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Lamont, Pieter-Jan 
> *Subject:* Re: [PacketFence-users] Ruckus Smartzone
>
>
>
> Hi Pieter,
>
>
>
> did you disable mac encryption on smartzone?
>
>
>
> It's weird that the mac is not being found. To be honest, I have not used
> the portal option myself yet so I'm not of great help there. Any reason why
> you wouldn't do the mac authentication option with the portal served
> directly by packetfence? (I'm guessing if you have a large campus or
> multiple campuses with a single smart zone and single packetfence.)
>
>
>
> I was hoping to test the web-auth soon, but I haven't had much time.
>
>
>
> which version of smartzone are you using?
>
>
>
> cheers!
>
>
>
>
>
> On Tue, Mar 2, 2021 at 4:05 PM Lamont, Pieter-Jan via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Packetfence Community
>
>
>
> I'm trying to deploy a Ruckus SmartZone WebAuth configuration.
> I have followed the guide several times (fresh Debian 9 with apt-get
> installation and PacketFence ZEN) but didn't succeed with the deployment (6.24.1
> – Network Devices Configuration Guide).
> When configuring the captive portal I can't go to
> http://ip-of-packetfence/RuckusSmartZone (Not implemented) but after
> changing this to http://ip-of-packetfence/Captive-portal, I'm seeing the
> portal.
>
> The user is guided to the captive portal but gets the “Your computer was
> not found in the PF Database” with his IP correctly but no MAC address (MAC
> 0).
>
> When enabling "Activate Preregistration" in the default connection Profile,
> the user gets the Username/password fields to login.
>
> But when entering the correct credentials, the users get a 502 bad gateway
> …
>
> I have also tried to capture all data from the PF to the Ruckus Smartzone,
> but I see no traffic to or from the Smartzone.
>
>
>
>
> Already tried the new updated guide (
> https://github.com/garci66/packetfence/blob/9da2608f131780eb7d9cd64246c9a767868d119f/docs/network/networkdevice/ruckus_smartzone.asciidoc
> )
> but with the same outcome.
> MAC authentication with the updated guide works perfectly, but we are
> searching for the captive portal solution (webauth).
>
> Is there someone with a working Web Auth on a Ruckus SmartZone that can
> help me with this issue, or anyone with the same problems?
>
>
>
> Kind regards
> Pieter-jan Lamont
>
> *Pieter-Jan Lamont*
> IT Coordinator
>
> Toekomststraat 75 - 8790 Waregem
> Tel. +32 56 62 69 94 - pieterjan.lam...@sgsintpaulus.eu
>
>
>
> 

Re: [PacketFence-users] Ruckus Smartzone

2021-03-03 Thread Diego Garcia del Rio via PacketFence-users
Dear Ludovic,

Any chance you guys can take a look at the PR I raised with quite a bit of
documentation for smartzone and ruckus in general? It's PR 6141

(I have one commit as root just pulling the repo forward which I'm not sure
how to get rid of so that the CLA bot passes)

Cheers!


On Wed, Mar 3, 2021, 18:22 Ludovic Zammit via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Show me the content of your conf/switches.conf
>
> Removed the shared secret and password.
>
> Thanks,
>
>
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
>
>
>
>
>
>
> On Mar 3, 2021, at 4:06 PM, Lamont, Pieter-Jan <
> pieterjan.lam...@sgsintpaulus.eu> wrote:
>
> Hello Ludovic
>
> I have found the reason why there was a public ip in the info Ruckus was
> sending. This was our Control NAT IP, which we don’t use…
> After removing this config I’m getting our correct private IP in the nbiIP
> field.
>
> GET
> /captive-portal?nbiIP=192.168.10.65_mac=90-97-f3-6b-2d-4e_name=Administration+Domain=Un-Auth-Captive=VTI-Test=
> scg.ruckuswireless.com=VTI-Test=d8:38:fc:17:14:f0=http%3A%2F%
> 2Fportal.fb.com 
> %2Fmobile%2Fstatus.php=0=149=46=scg.ruckuswireless.com=WYSlX0KJHIctnpAfJwtWt4paEFCQ8Rjz2NKJGU5YB2o_161480456=192.168.150.34=1=192.168.149.170
> HTTP/1.1"
>
> When the user goes to the captive portal they get the message "Your
> computer was not found in the PacketFence database. Please reboot to solve
> this issue.".
> The correct client ip is given (192.168.149.170) but the MAC is 0 (which
> should be 90-97-f3-6b-2d-4e). This client mac is also in the client_mac
> field given from the Ruckus Smartzone.
> After enabling “Activate Preregistration” in the Default Connection
> Profile, the user can login (demouser) but after the correct authentication
> he gets a 502 bad gateway.
>
> Kind regards
>
> 
>
> *Pieter-Jan Lamont*
> IT Coordinator
>
> Toekomststraat 75 - 8790 Waregem
> Tel. +32 56 62 69 94 - pieterjan.lam...@sgsintpaulus.eu
>
>
>
> *From:* Lamont, Pieter-Jan 
> *Sent:* Wednesday, 3 March 2021 21:24
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Ludovic Zammit 
> *Subject:* RE: [PacketFence-users] Ruckus Smartzone
>
> Hello Ludovic
>
> When adding http://ip-of-packetfence/RuckusSmartZone to the Smartzone the
> user is only getting "Not implemented" on the screen.
> If we change this to http://ip-of-packetfence/captive-portal, I see that
> ruckus adds a bunch of information to that link as you described.
>
> "GET
> /captive-portal?nbiIP=84.199.*.*_mac=a8-9c-ed-91-80-d4_name=Administration+Domain=Un-Auth-Captive=VTI-Test=
> scg.ruckuswireless.com=VTI-Test=0c:f4:d5:2f:9e:a0=http%3A%2F%
> 2Fconnect.rom.miui.com 
> %2Fgenerate_204=0=149=46=scg.ruckuswireless.com=4D-QLLuerkFXa3hgUdKB8v3hhjf1Q378oPRjYUdz2ew_1614610736148=192.168.150.10=1=192.168.149.157
> HTTP/1.1" 200 4418 1082 101226 "-" "Mozilla/5.0 (Linux; Android 10; MI 9
> Build/QKQ1.190825.002; wv) AppleWebKit/537.36 (KHTML, like Gecko)
> Version/4.0 Chrome/88.0.4324.181 Mobile Safari/537.36"
>
> The only weird thing about the url is the nbiIP info… it’s a public ip of
> ours, but we don’t use this anywhere in our setup. The other info is
> correct.
> Tomorrow i will test again with my device, so I’m sure the client_mac
> address is correct.
>
> Kind regards
>
> 
>
> *Pieter-Jan Lamont*
> IT Coordinator
>
> Toekomststraat 75 - 8790 Waregem
> Tel. +32 56 62 69 94 - pieterjan.lam...@sgsintpaulus.eu
>
> *From:* Ludovic Zammit 
> *Sent:* Wednesday, 3 March 2021 19:54
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Lamont, Pieter-Jan 
> *Subject:* Re: [PacketFence-users] Ruckus Smartzone
>
> Hello Pieter-Jan,
>
> You are not supposed to have access to
> http://ip-of-packetfence/RuckusSmartZone. You should be redirected to
> that URL via the SmartZone, which also sends out an HTTP request to PF with a
> bunch of other attributes like the client MAC and IP.
>
> Something along the line:
>
>
> ?nbiIP=192.168.x.y_mac=xxx=Un-Auth-Captive=MY_WIFI=
> scg.ruckuswireless.com
> 
> =MY_SSID=44:1e:98:1e:31:a0=http%3A%2F%
> 2Finit-p01st.push.apple.com
> 

Re: [PacketFence-users] Ruckus Smartzone

2021-03-03 Thread Diego Garcia del Rio via PacketFence-users
Hi Pieter,

did you disable mac encryption on smartzone?

It's weird that the mac is not being found. To be honest, I have not used
the portal option myself yet so I'm not of great help there. Any reason why
you wouldn't do the mac authentication option with the portal served
directly by packetfence? (I'm guessing if you have a large campus or
multiple campuses with a single smart zone and single packetfence.)

I was hoping to test the web-auth soon, but I haven't had much time.

which version of smartzone are you using?

cheers!


On Tue, Mar 2, 2021 at 4:05 PM Lamont, Pieter-Jan via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Packetfence Community
>
>
>
> I'm trying to deploy a Ruckus SmartZone WebAuth configuration.
> I have followed the guide several times (fresh Debian 9 with apt-get
> installation and PacketFence ZEN) but didn't succeed with the deployment (6.24.1
> – Network Devices Configuration Guide).
> When configuring the captive portal I can't go to
> http://ip-of-packetfence/RuckusSmartZone (Not implemented) but after
> changing this to http://ip-of-packetfence/Captive-portal, I'm seeing the
> portal.
>
> The user is guided to the captive portal but gets the “Your computer was
> not found in the PF Database” with his IP correctly but no MAC address (MAC
> 0).
>
> When enabling "Activate Preregistration" in the default connection Profile,
> the user gets the Username/password fields to login.
>
> But when entering the correct credentials, the users get a 502 bad gateway
> …
>
> I have also tried to capture all data from the PF to the Ruckus Smartzone,
> but I see no traffic to or from the Smartzone.
>
>
>
>
> Already tried the new updated guide (
> https://github.com/garci66/packetfence/blob/9da2608f131780eb7d9cd64246c9a767868d119f/docs/network/networkdevice/ruckus_smartzone.asciidoc)
> but with the same outcome.
> MAC authentication with the updated guide works perfectly, but we are
> searching for the captive portal solution (webauth).
>
> Is there someone with a working Web Auth on a Ruckus SmartZone that can
> help me with this issue, or anyone with the same problems?
>
>
>
> Kind regards
> Pieter-jan Lamont
>
> *Pieter-Jan Lamont*
> IT Coordinator
>
> Toekomststraat 75 - 8790 Waregem
> Tel. +32 56 62 69 94 - pieterjan.lam...@sgsintpaulus.eu
>
>
>
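As an added example (not PacketFence's or Ruckus's code), a Python check over the redirect request the SmartZone sends the client to the portal with, of the shape captured earlier in this thread: it extracts `client_mac` and `nbiIP`, normalises the MAC, and reports the two problems that surfaced in the thread, a `client_mac` value that does not parse as a MAC address (an encrypted or otherwise mangled value, which leaves the portal with no node to look up) and an `nbiIP` outside RFC 1918 space (such as a controller NAT address). The sample request targets are constructed, and any query parameters other than these two are ignored.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Accepts 90-97-f3-6b-2d-4e, 90:97:f3:6b:2d:4e or 9097f36b2d4e, in any case.
_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private so
# that documentation addresses (203.0.113.0/24 etc.) count as "not private".
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as lower-case colon-separated octets, or None if it is not a MAC."""
    m = _MAC_RE.match(value.strip())
    return ":".join(g.lower() for g in m.groups()) if m else None


def is_rfc1918(ip: str) -> bool:
    """True only for syntactically valid addresses inside the three RFC 1918 blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _RFC1918)


@dataclass
class RedirectCheck:
    client_mac: str = ""   # normalised MAC, or "" when missing or unparseable
    nbi_ip: str = ""       # value of nbiIP exactly as received
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_redirect(request_target: str) -> RedirectCheck:
    """Inspect the path+query the SmartZone redirected the client to (the token
    after GET in the portal access log) and report what the portal would trip on."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    result = RedirectCheck()

    raw_mac = params.get("client_mac", [""])[0]
    if not raw_mac:
        result.problems.append("client_mac missing from redirect")
    else:
        mac = normalize_mac(raw_mac)
        if mac is None:
            # Encrypted or otherwise mangled: the portal cannot look the node up,
            # which is how "MAC 0" / "not found in the PacketFence database" shows up.
            result.problems.append(f"client_mac {raw_mac!r} is not a MAC address")
        else:
            result.client_mac = mac

    result.nbi_ip = params.get("nbiIP", [""])[0]
    if not is_rfc1918(result.nbi_ip):
        result.problems.append(f"nbiIP {result.nbi_ip!r} is not an RFC 1918 address")
    return result


# Constructed sample request targets modelled on the log lines in the thread;
# "extra" stands in for the other parameters the controller appends.
SAMPLE_OK = "/captive-portal?nbiIP=192.168.10.65&client_mac=90-97-f3-6b-2d-4e&extra=1"
SAMPLE_BAD = "/captive-portal?nbiIP=203.0.113.5&client_mac=QXJCaGlzbm90YW1hYw&extra=1"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        r = check_redirect(sample)
        print("OK " if r.ok else "BAD", r.client_mac or "-", r.nbi_ip, "; ".join(r.problems))
```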


Re: [PacketFence-users] choice of role an access duration

2021-02-01 Thread Diego Garcia del Rio via PacketFence-users
By the way, I tried using the "stone_role"  option but it didn't work.

I mean: I would first do the "select role" option in the chain and then the
"fixed role" to only set a duration but it doesn't seem to work...

On Sun, Jan 31, 2021 at 7:15 PM Diego Garcia del Rio 
wrote:

> Hi Everyone,
>
> I'm trying to achieve the following:
>
> On the captive portal, I'd have an admin user login and then select a Role
> and access duration for a particular device.
>
> I got it working but I think I'm relying on a bit of a bug for it to work.
>
> The following is my relevant config:
>
> [Select-Role]
> actions=
> template=select-role.html
> admin_role=IT
> type=SelectRole
> list_role= < ALUMNOS
> ADMINISTRATIVOS
> INVITADOS
> PROFESORES
> REJECT
> EOT
> description=Seleccionar Rol
>
> [Role-and-duration]
> modules=default_login_policy,duration-choice,Select-Role
> actions=
> type=Chained
> description=Selecionar Rol y duracion
>
> [duration-choice]
> modules=one-day,one-week,one-year
> actions=
> template=content-with-choice.html
> show_first_module_on_default=disabled
> type=Choice
> description=Access duration
>
> [one-day]
> actions=set_access_duration(1DF+0D),set_role_on_not_found(INVITADOS)
> stone_roles=
> type=FixedRole
> description=One Day Access
>
> [one-week]
> actions=set_access_duration(1WR+0W),set_role_on_not_found(INVITADOS)
> stone_roles=
> type=FixedRole
> description=One Week Access
>
> [one-year]
> actions=set_access_duration(1Y+0Y),set_role_on_not_found(INVITADOS)
> stone_roles=
> type=FixedRole
> description=One Year Access
>
> I configured this using the GUI; initially I was using the "set_role"
> action configured from the GUI. But there is a bug in the GUI where the ID and not
> the name is being set (so it was configuring something like "set_role(43)")
> (see bug https://github.com/inverse-inc/packetfence/issues/5133)
>
> But If I was using the "set_role" option it would automatically assign the
> duration and selected role (INVITADOS) and never move onto the
> "Select-Role" step. the node would always be registered as "Invitados" with
> the chosen duration.
>
> By changing the "set_role" action of the "one-week" / "one-day" /
> "one-year" choices to "set_role_on_not_found" I got it working... but I
> think I'm just being lucky / hitting some bug / something that is letting me
> connect but it wasn't really the intended functionality.
>
> Basically, is there any "approved" way of ONLY setting the
> unregistration_date / access duration and obtaining the role from another
> step?
>
> Thanks in advance!
> Diego
>
>
>
>
>
>
>


[PacketFence-users] choice of role an access duration

2021-02-01 Thread Diego Garcia del Rio via PacketFence-users
Hi Everyone,

I'm trying to achieve the following:

On the captive portal, I'd have an admin user login and then select a Role
and access duration for a particular device.

I got it working but I think I'm relying on a bit of a bug for it to work.

The following is my relevant config:

[Select-Role]
actions=
template=select-role.html
admin_role=IT
type=SelectRole
list_role= 

[PacketFence-users] Choice of access duration together with "role choice"

2021-02-01 Thread Diego Garcia del Rio via PacketFence-users
Hi Everyone,

I'm trying to achieve the following:

On the captive portal, I'd have an admin user login and then select a Role
and access duration for a particular device. The role part is easy as there
is a portal module specifically for it. But the Access duration /
unreg-date is a bit more complex.

I got it working but I think I'm relying on a bit of a bug for it to work.

The following is my relevant config:

[Select-Role]
actions=
template=select-role.html
admin_role=IT
type=SelectRole
list_role= 

[PacketFence-users] Choice of access duration together with "role choice"

2021-02-01 Thread Diego Garcia del Rio via PacketFence-users
Hi Everyone,

(sorry if it got double-posted, I'm not finding my previous email in the
archive nor did I get it back when posting)

I'm trying to achieve the following:

On the captive portal, I'd have an admin user login and then select a Role
and access duration for a particular device. The role part is easy as there
is a portal module specifically for it. But the Access duration /
unreg-date is a bit more complex.

I got it working but I think I'm relying on a bit of a bug for it to work.

The following is my relevant config:

--- Start config---

[Select-Role]
actions=
template=select-role.html
admin_role=IT
type=SelectRole
list_role= <


Re: [PacketFence-users] Google oAuth From Xiaomi and Iphone

2020-06-30 Thread Diego Garcia del Rio via PacketFence-users
You need to contact google and request that your oauth client be
whitelisted for wifi login.

On Mon, Jun 29, 2020 at 9:44 AM Akram Abdallah via PacketFence-users
 wrote:
>
> Hello ,
>
> When trying to use the Google Auth in the Packetfence portal I get this
> "403: disallowed_useragent" error.
>
> Are there any solutions to this problem?
>
> Regards,
> --
>
>
>
>  Akram Abdallah
>
>  Systems Engineer
>
>
>
>  a.abdal...@bisan.com
>
>
>
>  T +970 2 298 5941 Ext 203 | F +970 2298 5942 | M +970 599 673 513
>
>
>
>  www.bisan.com
>
>
>




Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting - http vs https

2020-04-29 Thread Diego Garcia del Rio via PacketFence-users
Hi Bill

For 802.1x I'm really not in the loop. I seem to recall having seen this
question (or something similar) floating around... but no clue.

For chromebooks... you might be able to use the new "secure LDAP"  option
that google provides.. maybe I guess it all depends whether you want to
authenticate the machine or the user.



On Wed, Apr 29, 2020, 13:09 Bill Handler  wrote:

> Diego,
>
>
>
> If I set to http everything works as it should.  The Google authentication
> is strictly for guest, and to verify it can be done.  For people that have
> google domains, we’d limit it to their own google domain for internal
> access.  What I’m curious about is using 802.1x for authenticating managed
> Chromebooks – We’d likely have to pull them from the google domain and
> import them into radius I imagine…
>
>
>
> I do have another question, if you know…  While 802.1x works, I want to
> throw in a curveball.  On other NAC solutions, we’re able to use 802.1x for
> the user and machine.  i.e. the machine connects to the network wired or
> wirelessly and authenticates against AD via servicePrincipalName and gets
> its machine profile.  When a user logs in, the machine account
> deauthenticates/logs out, and the user is authenticated using
> sAMAccountName and gets their user profile.  I’ve noticed that while PF
> picks up the username when they log in, the profile does not flip to the
> user.  The connection profile lists the domain user auth source first, so
> it should hit that first when the user logs in.  It seems that the machine
> is not logging out/deauth-ing when the user logs in and/or since PF
> recognizes the machine, it just keeps the existing profile.
>
>
>
> Thanks,
>
>
>
> Bill
>
>
>
>
>
> *From:* Diego Garcia del Rio 
> *Sent:* Wednesday, April 29, 2020 11:48 AM
> *To:* Bill Handler 
> *Cc:* Jonathan Nathanson ;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Google oauth2 -
> Behavior/Troubleshooting - http vs https
>
>
>
> PS.. are you planning on using google oauth for your corporate users? or
> just as guest portal? Cause remember that anyone with a google.com
> address can join. I have a private branch of the google oauth that limits
> you to a single google-apps domain and validates that users belong to it. I
> was in the process of merging it to PF but got sidetracked... but if it's
> something you would use, I can try to get it done.
>
>
>
>
>
>
>
> On Wed, Apr 29, 2020 at 12:39 PM Diego Garcia del Rio 
> wrote:
>
> Hi Bill
>
>
>
> I guess that it might be messing things up when doing the https redirect
> if you have the self-signed cert... the redirection back might be failing
> at the browser level? So if you host the portal on http it all works fine?
>
>
>
> what address is the pf server using for the registration vlan?
>
>
>
> On Wed, Apr 29, 2020 at 12:16 PM Bill Handler 
> wrote:
>
> Diego,
>
>
>
> Thanks for the quick replies… The 192.0.2.1 address is something built in
> somehow – when I looked it up since it’s a public IP, and it comes back as
> some sort of test network/special use with the comment:
>
>
>
> Addresses starting with "192.0.2.", "198.51.100.", or "203.0.113." are
> reserved for use in documentation and sample configurations. They should
> never be used in a live network configuration. No one has permission to use
> these addresses on the Internet.
>
>
>
> That address is answering back in the packet capture between the PF server
> and the end-system on the registration VLAN.
>
>
>
> Since we’re just testing right now, we have not assigned a public cert to
> the server, but I’m curious that the initial portal interaction is
> unsecured – I’m not sure where in the config to even specify the portal
> address.  I did notice that when I clear the browser cache, and visit the
> portal, I get the pop-up for the self-signed cert…  However, I still wonder
> why I’m not getting the same pop-up or it’s not accepting the previously
> accepted self-signed cert for that oauth page.
>
>
>
> Thanks,
>
>
>
> Bill
>
>
>
>
>
> *From:* Diego Garcia del Rio 
> *Sent:* Wednesday, April 29, 2020 10:11 AM
> *To:* Bill Handler 
> *Cc:* Jonathan Nathanson ;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Google oauth2 -
> Behavior/Troubleshooting - http vs https
>
>
>
> Hi Bill
>
>
>
> Interesting that of using http it works. I used publicly signed certs for
> my portal. Self signed will just be chaos for the end users unless you can
> push your root ca to the the devices beforehand (a managed fleet, which is
> not my case)
>
>
>
> Now it's clearer that you used the IP and it worked. I wondering what is
> replying with 192.0.2.1 address... but in my case, for DNS requests coming
> from the registration interface, packetfence replies with its own ip... So
> still curious as what's causing this 192 address to be sent back.
>
>
>
>
>
>
>
> On Wed, Apr 29, 2020, 10:37 Bill Handler  wrote:
>
> Diego,
>
>
>
> Our internal DNS is just 

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting - http vs https

2020-04-29 Thread Diego Garcia del Rio via PacketFence-users
PS: are you planning on using Google OAuth for your corporate users, or just
as a guest portal? Because remember that anyone with a google.com address
can join. I have a private branch of the Google OAuth source that limits you
to a single Google Apps domain and validates that users belong to it. I was
in the process of merging it into PF but got sidetracked... but if it's
something you would use, I can try to get it done.



On Wed, Apr 29, 2020 at 12:39 PM Diego Garcia del Rio wrote:

> Hi Bill
>
> I guess that it might be messing things up when doing the https redirect
> if you have the self-signed cert... the redirection back might be failing
> at the browser level? So if you host the portal on http it all works fine?
>
> What address is the PF server using for the registration VLAN?

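An added example for the domain restriction described in the message above; it is illustration only, not PacketFence code and not the private branch mentioned. It acts on the claims the portal holds once the authorization code has been exchanged (Google's ID-token payload, or its userinfo response, assumed to be signature-checked already) and requires the hosted-domain "hd" claim, which consumer Google accounts do not carry. The allow-list and the sample claims are constructed.

```python
"""Restrict a Google OAuth2 / OpenID Connect sign-in to one Google Workspace domain.

Added illustration for this thread, not PacketFence code.  Input is the claims
dict the portal holds after exchanging the authorization code: Google's ID-token
payload (email, email_verified, hd) or the userinfo response (whose v2 form
spells the flag verified_email).  Token signature and audience are assumed to
have been verified before this runs.
"""
from dataclasses import dataclass
from typing import Any, Iterable, Mapping


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def email_domain(email: str) -> str:
    """Part after the last '@', lower-cased; empty string if the address is malformed."""
    local, sep, domain = email.rpartition("@")
    return domain.lower() if sep and local and domain else ""


def authorize_workspace_user(claims: Mapping[str, Any],
                             allowed_domains: Iterable[str]) -> Decision:
    """Allow only verified accounts whose Workspace domain (hd) is on the allow-list."""
    allowed = {d.lower().strip().rstrip(".") for d in allowed_domains}
    email = str(claims.get("email", ""))

    # Google sets this only for addresses it has confirmed; an unverified
    # address could be anything the account holder typed in.
    if not (claims.get("email_verified") or claims.get("verified_email")):
        return Decision(False, "email address not verified by Google")

    # Consumer accounts (@gmail.com and the like) carry no 'hd' claim at all.
    # Requiring it is what stops "anyone with a Google account" from joining.
    hd = str(claims.get("hd", "")).lower().rstrip(".")
    if not hd:
        return Decision(False, "no hosted-domain (hd) claim: consumer Google account")
    if hd not in allowed:
        return Decision(False, f"hosted domain {hd!r} is not on the allow-list")

    # Belt and braces: the address itself must live in the same domain as hd.
    if email_domain(email) != hd:
        return Decision(False, f"email domain {email_domain(email)!r} does not match hd {hd!r}")

    return Decision(True, f"{email} belongs to allowed domain {hd}")


if __name__ == "__main__":
    # Constructed sample claims; example.edu stands in for the Workspace domain.
    for sample in ({"email": "alice@example.edu", "email_verified": True, "hd": "example.edu"},
                   {"email": "bob@gmail.com", "email_verified": True},
                   {"email": "mallory@attacker.example", "email_verified": True, "hd": "example.edu"}):
        print(sample["email"], authorize_workspace_user(sample, ["example.edu"]))
```

The decision is made on the claims, never on the address alone: a consumer account has no hd claim and is refused even if its address happens to end in the allowed domain string.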
Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting - http vs https

2020-04-29 Thread Diego Garcia del Rio via PacketFence-users
Hi Bill

I guess that it might be messing things up when doing the https redirect if
you have the self-signed cert... the redirection back might be failing at
the browser level? So if you host the portal on http it all works fine?

What address is the PF server using for the registration VLAN?

On Wed, Apr 29, 2020 at 12:16 PM Bill Handler  wrote:

> Diego,
>
> Thanks for the quick replies... The 192.0.2.1 address is something built in
> somehow. When I looked it up, since it's a public IP, it comes back as
> some sort of test network/special use with the comment:
>
> Addresses starting with "192.0.2.", "198.51.100.", or "203.0.113." are
> reserved for use in documentation and sample configurations. They should
> never be used in a live network configuration. No one has permission to use
> these addresses on the Internet.
>
> That address is answering back in the packet capture between the PF server
> and the end-system on the registration VLAN.
>
> Since we're just testing right now, we have not assigned a public cert to
> the server, but I'm curious that the initial portal interaction is
> unsecured. I'm not sure where in the config to even specify the portal
> address. I did notice that when I clear the browser cache and visit the
> portal, I get the pop-up for the self-signed cert... However, I still wonder
> why I'm not getting the same pop-up, or why it's not accepting the previously
> accepted self-signed cert, for that oauth page.
>
> Thanks,
>
> Bill

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting - http vs https

2020-04-29 Thread Diego Garcia del Rio via PacketFence-users
Hi Bill

Interesting that using http it works. I used publicly signed certs for
my portal. Self-signed will just be chaos for the end users unless you can
push your root CA to the devices beforehand (a managed fleet, which is
not my case).

Now it's clearer that you used the IP and it worked. I'm wondering what is
replying with the 192.0.2.1 address... but in my case, for DNS requests coming
from the registration interface, PacketFence replies with its own IP... So
I'm still curious as to what's causing this 192 address to be sent back.



On Wed, Apr 29, 2020, 10:37 Bill Handler  wrote:

> Diego,
>
> Our internal DNS is just set for our data VLAN; currently there is no DNS
> record for the PF server in our internal DNS server. The registration VLAN
> only lives on the switch directly connected to NIC 2 on the PF server and
> on my test switches that my testing end-systems are connected to. I have
> an IP on the registration VLAN (172) interface in PF, 172.16.172.1, and on
> the VLAN interface on one of my test switches, 172.16.172.2; this allows me
> to ensure that, since everything is tagged switch to switch and to
> the PF server, I can ping between them. I have the same setup for the
> isolation VLAN (173, 172.16.173.x).
>
> In the install guide/your screenshot, the Portal URL is listed as the FQDN
> of the PF server. That Portal URL is what is shown in the end-system
> browser. I'm using the default PF portal setup, and what is listed is the
> FQDN of the server...
>
> However, I'm not sure that a DNS entry in our local DNS server would help
> in this instance... The PF server handles DNS/DHCP for the registration VLAN;
> it only reaches the internal DNS if something is in the passthrough,
> correct? In my case PF is spoofing the FQDN in the portal up until the
> point that Google responds back with the token, it seems; then PF DNS is
> replying with a 192.0.2.1 IP for the FQDN of the PF server. BTW, in case I
> misspoke, I'm replacing the FQDN with the IP address of the registration
> VLAN interface on the PF server, 172.16.172.1, and then registration goes
> through; not a different FQDN.
>
> Going through the process and copying all the URLs that show in the
> browser, I noticed that the site is initially http, but when Google is
> called for the account login, it changes to https, and the portal URL is
> listed as https...
>
> When I change the redirect URI in Google/portal URL in PF from https to
> http it works. Since you have https on your portal, are you using the
> internal PF self-signed cert, or do you have a public cert installed?
>
> Thanks,
>
> Bill

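The http-versus-https observation and the 192.0.2.1 answer discussed in the two messages above come down to three things that have to agree: the redirect_uri the portal sends to Google, the one registered in the Google console, and where the callback host resolves to and is listened on from the registration VLAN. The following is an added example, not PacketFence code, that takes those three facts as inputs and reports the mismatches. The portal URL, console entries and DNS answer are constructed from the values posted in this thread; the assumption that the portal listens for plain http on 192.0.2.1 is read off the "portal-http-192.0.2.1" frontend name in the haproxy lines posted further down, not taken from PacketFence documentation.

```python
"""Sanity-check a captive-portal OAuth2 redirect before blaming the provider.

Added example for this thread, not PacketFence code.  It compares the
redirect_uri the portal will send to Google with what the Google console has,
then asks where the callback host resolves for a client on the registration
VLAN and whether the portal listens there for the scheme the redirect uses.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Mapping, Set, Tuple
from urllib.parse import urlsplit

# The three blocks the quoted lookup text lists (RFC 5737): documentation only.
DOCUMENTATION_NETS = [ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
CALLBACK_PATH = "/oauth2/callback"    # the path that showed up in the browser in this thread


def split_uri(uri: str) -> Tuple[str, str, str]:
    """(scheme, host[:port], path), scheme and host lower-cased, empty path read as '/'."""
    p = urlsplit(uri)
    return p.scheme.lower(), p.netloc.lower(), p.path or "/"


def callback_uri(portal_url: str) -> str:
    """redirect_uri derived from the configured portal URL: same scheme and host, fixed path."""
    scheme, host, _ = split_uri(portal_url)
    return f"{scheme}://{host}{CALLBACK_PATH}"


def check_oauth_redirect(portal_url: str,
                         registered_uris: Iterable[str],
                         regvlan_dns: Mapping[str, str],
                         portal_listeners: Set[Tuple[str, str]],
                         cert_publicly_trusted: bool = True) -> List[str]:
    """Return findings; an empty list means the redirect from Google should land on the portal.

    regvlan_dns      -- hostname -> A record as answered to clients on the registration VLAN
    portal_listeners -- {(scheme, ip)} the portal actually serves from (assumed, see lead-in)
    """
    findings: List[str] = []
    want = callback_uri(portal_url)
    scheme, host, path = split_uri(want)
    hostname = urlsplit(want).hostname or ""
    registered = [split_uri(u) for u in registered_uris]

    # 1. Google matches the registered redirect_uri exactly, scheme included.
    if (scheme, host, path) not in registered:
        other = [r[0] for r in registered if r[1:] == (host, path)]
        if other:
            findings.append(f"redirect_uri {want} is registered as {other[0]}://..., not {scheme}://...: "
                            "the portal URL and the Google console entry must use the same scheme")
        else:
            findings.append(f"redirect_uri {want} is not registered in the Google console")

    # 2. Where does the callback host resolve for a client on the registration VLAN?
    try:
        answer = str(ip_address(hostname))        # portal URL already uses an IP literal
    except ValueError:
        answer = regvlan_dns.get(hostname, "")
    if not answer:
        findings.append(f"{hostname} gets no answer from the registration-VLAN resolver")
    else:
        if any(ip_address(answer) in net for net in DOCUMENTATION_NETS):
            findings.append(f"note: {hostname} resolves to {answer}, a documentation-only address; "
                            "fine only if the portal deliberately answers there")
        # 3. Something must listen on that address for the scheme the redirect uses.
        if (scheme, answer) not in portal_listeners:
            findings.append(f"nothing listens for {scheme} on {answer}, where {hostname} resolves on "
                            "the registration VLAN: the callback from Google has nowhere to land")

    # 4. Transport caveats either way.
    if scheme == "http":
        findings.append("portal served over http: the authorization code in the callback crosses "
                        "the registration VLAN in clear text")
    elif not cert_publicly_trusted:
        findings.append("https portal with a certificate the clients do not trust: expect a browser "
                        "warning on the callback unless your CA is pushed to the devices")
    return findings


if __name__ == "__main__":
    # Constructed from the thread: FQDN answered as 192.0.2.1 on the registration VLAN,
    # a plain-http listener on that address, and a self-signed portal certificate.
    for f in check_oauth_redirect("https://pf428.pcsknox.com",
                                  ["https://pf428.pcsknox.com/oauth2/callback"],
                                  {"pf428.pcsknox.com": "192.0.2.1"},
                                  {("http", "192.0.2.1")}, cert_publicly_trusted=False):
        print("-", f)
```

Run with the http portal URL instead and the "nothing listens" finding disappears while the clear-text one appears; with the registration-VLAN IP as the portal URL and a listener on it, the list is empty, which matches the workaround reported in the thread.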
Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting - DNS Issue?

2020-04-29 Thread Diego Garcia del Rio via PacketFence-users
Hi Bill

I haven't installed PF 10 yet. But I think the key item is the fact that the
registration VLAN DNS is not resolving to the correct PF address. Do you
have any NIC or VLAN configured with that IP?

You mention replacing the FQDN with that of the registration VLAN. Is that
provisioned on your own DNS server? Because in my case I only have a DNS
entry for the "management" interface and PacketFence uses the same name but
spoofs the DNS with the registration VLAN IP.

Maybe you have more than one registration VLAN?



On Wed, Apr 29, 2020, 09:23 Bill Handler  wrote:

> Diego,
>
> Ran some packet captures on Monday and every time the end-system was
> looking for the IP of the PacketFence host (DNS lookup) it was returned
> as 192.0.2.1. This is some sort of internal IP that PF is using for the
> portal, as it is the default response no matter what is requested. I
> checked this via nslookup on the end-system.
>
> Thinking I had messed something up in the initial config/deployment (this
> is still a test environment), I re-built/deployed with a fresh install.
>
> Once everything was built out, I had the same results. After entering the
> credentials for Google login, I get the browser window stating that I need
> to log into the network with a 'connect now' button. The address within
> the browser shows: https://pf428.pcsknox.com/oauth2/callback?code=...
>
> pf428.pcsknox.com is the hostname/FQDN of the PacketFence server. In the
> capture I see the DNS request for this, but as I said it is returned as
> 192.0.2.1. If I replace the FQDN of the PF server with the registration
> VLAN interface IP on the PF server, the authentication goes through and I
> get the screen showing that the role has been assigned, and am flipped to
> the correct VLAN. The packet capture shows a DNS query from the end-system
> for "dl.google.com", which is answered with the correct info. About 2
> seconds later there is a DNS query from the end-system for
> "passwordsleakcheck-pa.googleapis.com" which is also answered correctly.
> This is the last DNS request on this VLAN for the end-system.
>
> So for whatever reason, the system is not authenticating the
> response/token from Google when it is presented from the end-system; I
> think this is what is happening. It seems the process is breaking down
> between the end-system and the PF server when Google sends the token. I'm
> not sure where to look to see where the 192.0.2.1 address is coming from,
> or how to put an 'A' record into the registration VLAN DNS to point the
> FQDN to the interface's IP, or what is needed here. To me, it seems like a
> DNS issue on PF.
>
> Is this possibly a bug in the code? I do have packet captures from the
> end-system, the PF server on the registration VLAN interface, and on the
> data VLAN interface.
>
> Just to go over the setup, in case that is part of the issue...
>
> Hypervisor: Hyper-V 2019
>
> CentOS 7 VM with PF 10 installed using documentation from
> https://packetfence.org/doc/PacketFence_Installation_Guide.html . 802.1X
> working fine tied to our AD server; using machine auth and user auth, SMS
> authentication works without issue. The only issue seems to be with
> OAuth. The PF server has 2 NICs: NIC 1 is for the data VLAN untagged
> (eth0), NIC 2 is for the other VLANs, registration and isolation (eth1),
> tagged. PF is handing out DHCP on the registration/isolation VLANs.
>
> Any help is appreciated.
>
> Thanks,
>
> Bill
>
> *From:* Bill Handler
> *Sent:* Friday, April 24, 2020 4:40 PM
> *To:* Diego Garcia del Rio
> *Cc:* Jonathan Nathanson; packetfence-users@lists.sourceforge.net
> *Subject:* RE: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting
>
> Diego,
>
> Thanks for your help and guidance on this... The end-system is getting the
> reply from Google with the authorization code, the Portal URL in the
> config that ends in '/callback'. However, the hostname of the PF server is
> not being resolved. If I replace the hostname.domain with the IP address
> of the registration VLAN interface on the PF server (the end-system's
> gateway), the authentication proceeds and the end-system authenticates.
>
> Weirdness abounds... I'll perform a packet capture on Monday when I'm back
> in the office to see if I can tell what the end-system is requesting for
> 'website' that Google returns.
>
> Have a good weekend, and thanks again for your assistance.
>
> Thanks,
>
> Bill

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Diego Garcia del Rio via PacketFence-users
Hi... those errors are not errors. They are just the logs of pfdns and it's
still related to the user trying / reaching Google.

You should look at the logs (especially packetfence.log) for any other
messages around the time. Most of the log messages SHOULD have the MAC
address of the device trying to connect, so you can grep for those.

(You can also use grep -i to make grep case insensitive, so "grep -i oauth"
should find... all variations of oauth.)

Also try to set the debug level for the portal module to DEBUG or TRACE,
like this:

conf/log.conf.d/pfqueue.conf

Change the following line from this

log4perl.rootLogger = INFO, PFQUEUE

to this

log4perl.rootLogger = TRACE, PFQUEUE

Then you can either wait 5 minutes (that is the time it takes for the
logging level to be updated), or restart the service if you do not want to
wait.

But adapt it to the portal module instead of pfqueue.conf.

On Fri, Apr 24, 2020 at 11:14 AM Diego Garcia del Rio wrote:

> Let me check what I have configured. But I think you do need an API
> enabled.

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Diego Garcia del Rio via PacketFence-users
Let me check what I have configured. But I think you do need an API enabled.

On Fri, Apr 24, 2020 at 11:12 AM Bill Handler  wrote:

> Again, apologies for my ignorance on this...
>
> When I created the OAuth credentials in the Google Developer site, I did
> not enable an API. I'm thinking I missed doing that. Since I'm just
> trying to authenticate users and not accessing anything within G Suite or
> anything else along those lines, I'm not sure what API I may need.
>
> Ideas?
>
> Thanks,
>
> Bill
>
> *From:* Bill Handler
> *Sent:* Friday, April 24, 2020 8:36 AM
> *To:* Diego Garcia del Rio
> *Cc:* Jonathan Nathanson; packetfence-users@lists.sourceforge.net
> *Subject:* RE: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting
>
> Diego,
>
> Thanks for the pointers. The logs appear to be now located in the
> /usr/local/pf/logs directory. There is no logs folder in the
> /usr/local/pf/var directory.
>
> I ran the restart command and tried to log in via Google again... Rechecked
> the logs as I did before (grep OAuth), ran it a second time as 'grep oauth'
> and now got some responses... (this is with the openid defaults)
>
> [root@packetfence_v10 logs]# cat *.log | grep OAuth
> Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>
> [root@packetfence_v10 logs]# cat *.log | grep oauth
> Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/210/213 302 928 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET /switchto/default_policy+default_registration_policy+default_oauth_policy HTTP/1.1"
> Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - -  6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 [24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1827/1829 302 1410 - -  4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
> [root@packetfence_v10 logs]#
>
> I put the old Google Auth config (yours with the userinfo.email settings)
> back and restarted the PF service. Tried to authenticate the end-system
> again, but it still failed...
>
> Checked the logs as before, and here are the results (duplicate entries
> from above removed for clarity):
>
> [root@packetfence_v10 logs]# cat *.log | grep OAuth
> Apr 24 08:17:32 packetfence_v10 packetfence: INFO -e(7334): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>
> [root@packetfence_v10 logs]# cat *.log | grep oauth
> Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742 [24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/439/440 302 1482 - -  4/3/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 08:27:35 packetfence_v10 haproxy[8300]: 172.16.172.237:51328 [24/Apr/2020:08:27:33.905] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1787/1788 302 1482 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 23.614118ms
> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 25.300084ms
> [root@packetfence_v10 logs]#
>
> I'm hopeful that this helps, but again, I'm not sure what I'm looking for...
>
> Thanks,
>
> Bill

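An added example, not PacketFence tooling, of reading the haproxy and pfdns lines posted above the way the replies suggest: key every line by client address and rebuild the portal's view of the OAuth2 flow, so that the one step that should appear and does not (a request for /oauth2/callback after the POST /oauth2/go) stands out. The sample log is constructed: the lines for 172.16.172.237 are the posted ones with the archive's line-wrapping undone, and the lines for a second client, 172.16.172.50, including its callback, are invented to show what a completed round trip looks like. The log layouts are inferred from the posted lines only.

```python
"""Rebuild a client's captive-portal OAuth2 flow from haproxy and pfdns log lines.

Added example for this thread, not PacketFence tooling.  The regular expressions
are fitted to the lines posted in the thread (haproxy HTTP log format with one
captured request header, and pfdns's query log); anything else is ignored.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

HAPROXY_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\d+\.\d+\.\d+\.\d+):\d+ \[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) \S+ (?:-?\d+/){4}-?\d+ (?P<status>\d{3}) \d+ .*?'
    r'\{(?P<host>[^}]*)\} "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

PFDNS_RE = re.compile(
    r'pfdns: (?P<client>\d+\.\d+\.\d+\.\d+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<qtype>\w+) IN (?P<qname>\S+) \S+ \d+ \S+ \d+" (?P<rcode>\w+) ')

Event = Tuple[str, str, str, str]   # (source, timestamp, what, result)


def parse_events(lines: Iterable[str]) -> Dict[str, List[Event]]:
    """Group recognised haproxy/pfdns lines by client IP, in the order they appear."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        m = HAPROXY_RE.search(line)
        if m:
            events[m["client"]].append(("portal", m["ts"], f'{m["method"]} {m["path"]}',
                                        f'{m["status"]} via {m["frontend"]} (Host: {m["host"].strip()})'))
            continue
        m = PFDNS_RE.search(line)
        if m:
            events[m["client"]].append(("dns", m["ts"], f'{m["qtype"]} {m["qname"]}', m["rcode"]))
    return dict(events)


def diagnose(events: Dict[str, List[Event]]) -> Dict[str, str]:
    """One verdict per client, based on which OAuth2 portal endpoints were hit."""
    verdicts: Dict[str, str] = {}
    for client, evs in events.items():
        paths = [e[2].split(" ", 1)[1] for e in evs if e[0] == "portal"]
        sent_to_google = any(p.startswith("/oauth2/go") for p in paths)
        callback_seen = any(p.startswith("/oauth2/callback") for p in paths)
        if callback_seen:
            verdicts[client] = ("callback reached the portal; the next step is the portal's own "
                                "code-for-token request to Google, which only packetfence.log shows")
        elif sent_to_google:
            verdicts[client] = ("browser was sent to Google but the callback never reached the "
                                "portal: check the redirect_uri scheme and what the registration-VLAN "
                                "DNS returns for the callback host")
        else:
            verdicts[client] = "no OAuth2 activity seen for this client"
    return verdicts


# Constructed sample: posted lines for .237 (unwrapped), invented lines for .50.
SAMPLE_LOG = """\
Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/210/213 302 928 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET /switchto/default_policy+default_registration_policy+default_oauth_policy HTTP/1.1"
Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - -  6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 [24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1827/1829 302 1410 - -  4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
Apr 24 09:02:05 packetfence_v10 haproxy[244351]: 172.16.172.50:51000 [24/Apr/2020:09:02:03.100] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1700/1701 302 1410 - -  2/1/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
Apr 24 09:02:11 packetfence_v10 haproxy[244351]: 172.16.172.50:51004 [24/Apr/2020:09:02:11.001] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/90/91 302 740 - -  2/1/0/0/0 0/0 {pfv10.pcsknox.com} "GET /oauth2/callback?code=REDACTED&scope=email HTTP/1.1"
Apr 24 09:02:12 packetfence_v10 packetfence: INFO -e(7334): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
"""

if __name__ == "__main__":
    flows = parse_events(SAMPLE_LOG.splitlines())
    for client, verdict in diagnose(flows).items():
        print(client, "->", verdict)
        for ev in flows[client]:
            print("   ", *ev)
```

The haproxy portal log only ever shows the browser's side of the exchange; the portal's own request to Google with the code it received is a separate outbound connection, which is why the reply above points at packetfence.log for it.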
Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-23 Thread Diego Garcia del Rio via PacketFence-users
Hi bill

Please look at ALL the log files under /usr/local/pf/var/logs (the httpd
logs only cover the requests from the devices). There will be two requests
going to google.. one where Packetfence is doing NAT for the devices to be
onboarded (this is the traffic from the user's browser) and then another
that will go from packetfence itself to google again, using the token
returned by the customer's browser to get the actual data from the google
account.

also, I don't remember if any of the changes to google oauth take effect
immediately or you need to restart the PF service. (to restart the PF
service use this script:

/usr/local/pf/bin/pfcmd service pf restart





On Thu, Apr 23, 2020 at 3:37 PM Bill Handler  wrote:

> I’m hoping I’ve set up the Google part correctly, if not the
> authentication wouldn’t go through correct?  I just needed to set up OAuth
> 2.0 Client IDs.  I don’t need any API Keys or Service Accounts correct?  In
> the Client ID I listed it as a web application
>
>
>
> Diego,
>
>
>
> Thanks for your help…  This is my first experience with PacketFence, and
> I’m feeling my way through it.  I’m not entirely sure what all your
> information means, so please pardon my ignorance.
>
>
>
> My Google Auth was set to the default openid that you listed.  I changed
> it to the older scope/protected resource urls with no change.
>
>
>
> I know that the request is going out to google, and that something is
> coming back by seeing the url in the end-system’s browser.  It seems like
> PF is not authenticating the token.
>
>
>
> I am still unsure what log file the logging entries you pointed out go
> to.  I was in the logs folder and ran a ‘cat *.log | grep OAuth’ but came
> back with no results.
>
>
>
> Jonathan,
>
>
>
> We’re not using the A3 variant from HiveManager/Extreme IQ, I’m just
> working with PacketFence straight (Although we are an Extreme Networks
> partner and the AeroHive gear is part of our offerings now… ).  PacketFence
> is only handing out DHCP on the registration VLAN, our internal DHCP is
> handing out IPs on our data vlan, Firewall is handing out IPs on guest and
> phone vlans.  But, we’re never getting that far – the end-system is not
> being given the role and stays as unregistered.
>
>
>
> httpd.portal.error Log has no entries for today.  I did a packet capture
> from the PF server and did see some traffic going to/from Google IP
> addresses, but it was TLS or TCP Acks and I could not tell what the payload
> was…
>
>
>
> Thanks,
>
>
>
> Bill
>
>
>
> *From:* Diego Garcia del Rio 
> *Sent:* Thursday, April 23, 2020 10:43 AM
> *To:* Jonathan Nathanson 
> *Cc:* packetfence-users@lists.sourceforge.net; Bill Handler <
> bhand...@pcsknox.com>
> *Subject:* Re: [PacketFence-users] Google oauth2 -
> Behavior/Troubleshooting
>
>
>
> Hi Jonathan, Bill,
>
>
>
> The device will get the role indeed after a disconnect / CoA but given
> Bill mentions that his other auth methods work... I would be surprised that
> CoA fails for this. Also, he should still be seeing the device having the
> new role.
>
>
>
> Below is my config of the google authentication source (old GUI, sorry).
>
>
>
>
>
> 
>
>
>
> also, I seem to be using the OLD user information scheme / url:
>
>
>
> (look here:
> https://github.com/inverse-inc/packetfence/commit/8f38c0e5b51ff5daf83f1720aef8253059fa1a96
> )
>
>
>
> I am using this:
>
> has 'scope' => (isa => 'Str', is => 'rw', default => 'https://www.googleapis.com/auth/userinfo.email');
> has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 'https://www.googleapis.com/oauth2/v2/userinfo');
>
>
>
> instead of the new defaults which are these:
> has 'scope' => (isa => 'Str', is => 'rw', default => 'openid email profile');
> has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 'https://openidconnect.googleapis.com/v1/userinfo');
>
>
>
>
>
> basically it looks like this:
>
>
>
> 
>
>
>
>
>
> So maybe your authorized scope in google is for this old schema and not
> the new open-id one?
>
>
>
> Also, keep in mind that accessing the google login portal from mobile
> devices can be tricky. Google blacklists the "embedded" browsers of most
> phones so you need to launch chrome manually or contact google to get an
> exception for your specific APP ID.
>
>
>
> Also, check your logs for any phrase like this: "OAuth2 Error: Failed to
> get the token"
>
>
>
> (look at the code here:
> https://github.com/inverse-inc/packetfence/blob/541c6c8545195881b136bc55edb7cd531594061d/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/OAuth.pm
>  )
>
>
>
>
>
> you have these two logging entries in the code (you might need to
> increase the logging level to debug):
>
>
>
> get_logger->info("OAuth2 successfull for username ".$self->username);
> $self->source->lookup_from_provider_info($self->username, $info);
>
> pf::auth_log::record_completed_oauth($self->source->id, $self->current_mac, $pid, 
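
An added triage helper, not part of PacketFence or of anyone's post in this thread, that walks log lines from /usr/local/pf/var/logs and reports how far the Google OAuth2 flow got, using the haproxy, pfdns and OAuth.pm markers quoted above. The stage names, the hints and the final success line are assumptions of this example; the first two sample lines are the thread's own log lines rejoined onto single lines.

```python
import re

# Stage markers of the PacketFence Google OAuth2 flow, in the order the flow
# progresses. The strings are the haproxy/pfdns lines and the OAuth.pm log
# messages quoted in the thread. Matching is case-insensitive because a
# case-sensitive grep ("OAuth" vs "oauth") hid the lines on the first try.
STAGES = [
    ("redirect_to_provider",
     re.compile(r'"POST /oauth2/go HTTP/1\.[01]"', re.I)),
    ("provider_dns_resolved",
     re.compile(r'\bA IN \S*google(?:apis)?\.com\.?\s.*\bNOERROR\b', re.I)),
    ("token_exchange_failed",
     re.compile(r"OAuth2 Error: Failed to get the token", re.I)),
    ("login_completed",
     re.compile(r"OAuth2 successfull? for username\s*(\S+)", re.I)),
]
STAGE_ORDER = [name for name, _ in STAGES]

# What to look at next, keyed by the furthest stage reached (None = nothing).
# These hints are this example's summary of the advice given in the thread.
HINTS = {
    None: "no OAuth2 activity found: grep case-insensitively across all "
          "files in /usr/local/pf/var/logs and restart pf after editing "
          "the source",
    "redirect_to_provider": "browser was sent to Google but nothing came "
          "back: check the passthrough rules for the Google domains and "
          "whether the device's captive-portal mini browser is rejected",
    "provider_dns_resolved": "passthrough DNS works but no token exchange "
          "was logged: raise httpd.portal to debug and check that scope and "
          "protected_resource_url match what the Google project allows",
    "token_exchange_failed": "PacketFence reached Google but the token "
          "request failed: verify the OAuth client ID/secret and the "
          "authorized redirect URI",
    "login_completed": "OAuth2 completed; if the device still has no role, "
          "look at the RADIUS/CoA side rather than at OAuth",
}


def classify(line):
    """Return (stage, username or None) for an OAuth2-related log line,
    or None when the line is not part of the flow."""
    for stage, pattern in STAGES:
        m = pattern.search(line)
        if m:
            return stage, (m.group(1) if m.groups() else None)
    return None


def triage(lines):
    """Scan log lines and report how far the OAuth2 flow got."""
    seen = {}
    users = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        stage, user = hit
        seen[stage] = seen.get(stage, 0) + 1
        if user and user not in users:
            users.append(user)
    furthest = None
    for stage in STAGE_ORDER:       # later stages override earlier ones
        if stage in seen:
            furthest = stage
    return {
        "stages": {s: seen[s] for s in STAGE_ORDER if s in seen},
        "furthest": furthest,
        "users": users,
        "hint": HINTS[furthest],
    }


# Sample input: the haproxy and pfdns lines quoted in the thread, rejoined
# onto single lines (the mail client wrapped them), plus one constructed
# success line in the httpd.portal format with a placeholder MAC and user.
SAMPLE_STALLED = [
    'Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742 '
    '[24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/'
    '127.0.0.1 0/0/1/439/440 302 1482 - -  4/3/0/0/0 0/0 {pfv10.pcsknox.com} '
    '"POST /oauth2/go HTTP/1.1"',
    'Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - '
    '[24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. '
    'udp 52 false 512" NOERROR qr,rd,ra 102 23.614118ms',
]
SAMPLE_COMPLETED = SAMPLE_STALLED + [
    'Apr 24 08:28:04 packetfence_v10 packetfence_httpd.portal: '
    'httpd.portal(5449) INFO: [mac:00:11:22:33:44:55] OAuth2 successfull '
    'for username guest@example.com (captiveportal::...)',
]

if __name__ == "__main__":
    for name, sample in (("stalled", SAMPLE_STALLED),
                         ("completed", SAMPLE_COMPLETED)):
        report = triage(sample)
        print(f"{name}: furthest={report['furthest']} users={report['users']}")
        print(f"  hint: {report['hint']}")
```

Feed it the concatenated files (`cat /usr/local/pf/var/logs/*.log`) rather than a single file, since the stages land in different logs.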

Re: [PacketFence-users] Ruckus SmartZone and PF 9

2019-09-02 Thread Diego Garcia del Rio via PacketFence-users
Dear Talan,

Can you provide more details on how you're doing the authentication? Is
this radius with mac-auth on the SSID or are you doing "captive portal" in
the AP itself?

I have PF working fine with ruckus' smartzone (albeit 3.6.1 but I don't
expect any differences with 5.1) but I did have to make a small change in
PF to get it working properly.

I am doing radius in non-proxy mode from the AP directly to PF (so I can't
use radius de-auth and need to use the northbound API for de-auth).

If you can provide some screenshots on how you configured smartzone I can
help you most probably.



On Mon, Sep 2, 2019 at 1:09 PM Talan Westby via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Nicolas,
>
> Thanks for getting back in touch and sorry for the delay.
>
> I have had Ruckus spend some time working with us on this to no avail.
> What they have managed to do is run some RADIUS test from their SmartZone
> controller back to PF which always seem to fail. I would have thought that
> the RADIUS request would have been a MAC request so we have tried putting
> in a MAC Address as the username and the password which always seems to
> fail. This does work when going via our Cisco WLCs, so I guess the Ruckus
> is doing something slightly different. One thing I have noticed is the
> SmartZone.pm file in PF creates an API call to the Ruckus controller and
> when I take that payload and try the request myself the Ruckus controller
> responds with "Bad Request".
>
> At this point I am wondering if Ruckus have updated their API Northbound
> endpoints in their later versions of software, we are running 5.1 which is
> a relatively new piece of software. Could you confirm whether the PF
> integration has been tested with this newer version of controller?
>
> Also could you confirm the process of onboarding a user to PF from a
> Ruckus controller so we can be sure we are investigating the right section?
> To clarify users are being forwarded to the portal and they are able to
> enrol but the Ruckus SmartZone never receives/recognises that PF has
> authorized that user for access. If we could understand what PF does to
> send that authorization then we can concentrate on what might be causing
> the issue.
>
> Thanks,
> Talan
>
> -Original Message-
> From: Nicolas Quiniou-Briand 
> Sent: 23 August 2019 16:16
> To: Talan Westby ;
> packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Ruckus SmartZone and PF 9
>
> On 2019-08-23 5:08 p.m., Talan Westby wrote:
> > If you could let me know which logs I should be looking at that would be
> great.
>
> I really don't know which logs.
>
> Did you check the Ruckus documentation? I found this link [0]
>
> Otherwise, you can try to capture traffic between PacketFence and Ruckus
> Smartzone when a device tries to register. If traffic is not encrypted, you
> could have some hints.
>
> [0] /usr/local/pf/addons/packages/build-go.sh build /usr/local/pf
> /usr/local/pf/sbin/
> --
> Nicolas Quiniou-Briand
> n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca Inverse
> inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
> (https://packetfence.org) and Fingerbank (http://fingerbank.org)
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>


Re: [PacketFence-users] portal "logout"/ "undo" option for oauth users

2019-03-25 Thread Diego Garcia del Rio via PacketFence-users
Additionally, I think we should set the portal sessions to be "shorter".
They are currently set to 1 year and it's quite problematic. I noticed there
is a setting under "chi.conf" to set the httpd.portal cache values (I'm
testing with 5 minutes). The default value is undefined, and I'm not sure
what value that corresponds to.

Right now, with the chi.conf timeout to 5 minutes, I notice that if I don't
try to complete my login in 5 minutes, next time I open the portal I get
back to the start which I think can be an acceptable compromise.

But to be honest, having maybe the oauth occur inside an iframe and keep
the "logout" (restart) button always visible might be better.



On Mon, Mar 25, 2019 at 9:36 PM Diego Garcia del Rio 
wrote:

> Dear users,
>
> When using google oAuth or any other oAuth external authentication, if we
> do not enable the  "require AUP" checkbox, the user is redirected straight
> into google for example. I notice that this was done expressly as shown by
> this code commit:
>
>
> https://github.com/inverse-inc/packetfence/commit/8fdf9b009ac34ba801b1ecb34119a079d5ff0cee
>
> The problem is that the user is now "stuck" on google's auth. If he
> accidentally clicked on google's auth, there is no way "back" to select
> another authentication option. Even if he disconnects from the wifi and
> connects again, the session cookies will throw him back immediately into
> the oauth path and it's quite problematic.
>
> I'm not sure what the best path forward would be. The AUP path is a bit
> cumbersome especially since it requires two steps (one is clicking "accept"
> the AUP and the next is the "login" button to actually go to google). I'm not
> 100% sure how we could make the "accept" button be "accept and submit" for
> example...
>
> Any ideas?
>
> thanks!
>
>


[PacketFence-users] portal "logout"/ "undo" option for oauth users

2019-03-25 Thread Diego Garcia del Rio via PacketFence-users
Dear users,

When using google oAuth or any other oAuth external authentication, if we
do not enable the  "require AUP" checkbox, the user is redirected straight
into google for example. I notice that this was done expressly as shown by
this code commit:

https://github.com/inverse-inc/packetfence/commit/8fdf9b009ac34ba801b1ecb34119a079d5ff0cee

The problem is that the user is now "stuck" on google's auth. If he
accidentally clicked on google's auth, there is no way "back" to select
another authentication option. Even if he disconnects from the wifi and
connects again, the session cookies will throw him back immediately into
the oauth path and it's quite problematic.

I'm not sure what the best path forward would be. The AUP path is a bit
cumbersome especially since it requires two steps (one is clicking "accept"
the AUP and the next is the "login" button to actually go to google). I'm not
100% sure how we could make the "accept" button be "accept and submit" for
example...

Any ideas?

thanks!


Re: [PacketFence-users] MAC Missing

2019-03-25 Thread Diego Garcia del Rio via PacketFence-users
I've seen similar issues with DHCP renews indeed. The system was not
properly updating the ip-mac binding information.

On Fri, Mar 22, 2019, 09:25 Rankin, Cory via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> Thank you for the reply. The client I am testing with right now is an
> Android phone so I am forgetting the SSID and then trying to reconnect. I
> will try setting to static then dhcp in the SSID settings or something like
> that to try and get it to release.
>
> On Fri, Mar 22, 2019 at 4:03 AM Uli Schellhaas via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello,
>>
>> that is because packetfence cannot find the ip the system has in the
>> recent dhcp events. I had the impression, one might want to confirm, that
>> some dhcp renew request (when a client wants his old ip) does not update
>> the day when the address is issued within the database correctly. If i am
>> not totally wrong, I have seen the dhcp service or whatever is responsible
>> for that to update the time but not the day, when a client wishes for its
>> old ip.
>>
>> Solution for my dualboot Windows System (maybe that's the only reason
>> this problem exists, dualboot?) was to ipconfig /release, then the dhcp
>> request was a normal one, for a new ip, and packetfence dhcpd could
>> recognize the issued ip and show the mac.
>> On 21.03.2019 at 19:25, Rankin, Cory via PacketFence-users wrote:
>>
>> Hello,
>>
>> Where should I be looking if suddenly I am not getting a MAC address to
>> the portal? This device was showing the MAC correctly and now on the portal
>> it shows '0'
>>
>> Mar 21 14:19:18 localhost httpd_portal_err: Use of uninitialized value in
>> string ne at
>> /usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
>> line 137.
>>
>> httpd.portal.access shows the MAC address
>>
>> Mar 21 14:18:16 localhost packetfence_httpd.portal: httpd.portal(5449)
>> WARN: [mac:unknown] Unable to match MAC address to IP '10.9.17.2'
>> (pf::ip4log::ip2mac)
>> Mar 21 14:18:16 localhost packetfence_httpd.portal: httpd.portal(5449)
>> WARN: [mac:0] Unable to match MAC address to IP '10.9.17.2'
>> (pf::ip4log::ip2mac)
>> Mar 21 14:18:16 localhost packetfence_httpd.portal: httpd.portal(5449)
>> INFO: [mac:0] Instantiate profile default
>> (pf::Connection::ProfileFactory::_from_profile)
>> Mar 21 14:18:16 localhost packetfence_httpd.portal: httpd.portal(5449)
>> ERROR: [mac:0] Error while communicating with the Fingerbank collector. 404
>> Not Found (pf::fingerbank::endpoint_attributes)
>> Mar 21 14:18:16 localhost packetfence_httpd.portal: httpd.portal(5449)
>> WARN: [mac:0] Use of uninitialized value in string ne at
>> /usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
>> line 137.
>>
>>  
>> (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
>>
>> Your computer was not found in the Packetfence database. Please reboot to
>> solve this issue.
>>
>> Message Sent from PCS GMail
>>
>>
>>
>> --
>> Uli Schellhaas
>> Department IT and Technics
>> Hotline: +49 (0) 6151 - 869 – 111 <+49%206151%20869111>
>> Supportmail: ad...@sit.fraunhofer.de
>> In our service catalog you will
>> find all the offers of the infrastructure departments of the SIT and the
>> central services of the FhG.
>>
>
> Message Sent from PCS GMail
>


Re: [PacketFence-users] Captive Portal authorization Ruckus Interface logging

2018-12-20 Thread Diego Garcia del Rio via PacketFence-users
Are you using the captive portal capabilities of Ruckus? Otherwise, you can
use the "classic" radius based mac-authentication on smart-zone and have
either the APs or SZ send radius access requests to PF. On the radius
response, customers will be assigned the portal vlan and the portal is
presented in PF. Once the user auths ... then PF sends a disconnect via
API to smartzone (using the northbound API credentials) and the user is
moved to the correct vlan (via a disconnect message since there is no COA
support on the ruckus API). Otherwise, if using the SZ as radius proxy, you
can do it all following the "legacy/ZoneDirector"  model even when using a
SZ.




On Wed, Dec 19, 2018 at 11:46 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Eric,
>
> as I remember with Ruckus web auth you need to have the management ip be
> able to reach the device.
>
> Let's say when you want to go on www.cnn.com the ruckus replies to the syn
> of the client with the source ip 151.101.209.67 (cnn) and create a 302 to
> redirect the device.
>
> What you can try is to put the vlan associated to the ssid in the same
> vlan as the management interface of the ruckus and make a try.
>
> If it works then you probably need to be able to have an interface of the
> ruckus on the vlan where the device is and "enable" the mechanism to make
> the redirection (ruckus config) or to find a way to make the communication
> between the mgmt interface and the device (acl).
>
> I did that a long time ago and it's something similar to this
> https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117278-troubleshoot-ise-00.html
>
> Regards
>
> Fabrice
>
>
>
> On 18-12-18 at 19:26, Eric Rolleman via PacketFence-users wrote:
>
> I had a dns-enforcement interface on the VLAN that the captive portal is
> supposed to operate on. I think the captive portal brought up was a result
> of the dns-enforcement rather than Ruckus performing redirection. I changed
> the interface to just portal and find that no captive portal appears.  It
> seems that Ruckus is not performing the captive portal redirection. I have
> a support case open with Ruckus, so I’ll see where that goes.
>
>
>
> I presume that the PacketFence to Ruckus communication to authorize the
> client will only happen if Ruckus does the redirecting to the captive
> portal rather than PacketFence’s dns-enforcement.
>
>
>
> *From:* Eric Rolleman
> *Sent:* Tuesday, December 18, 2018 2:52 PM
> *To:* 'packetfence-users@lists.sourceforge.net'
> 
> 
> *Subject:* RE: [PacketFence-users] Captive Portal authorization Ruckus
> Interface logging
>
>
>
> I started tcpdump on packetfence to filter for traffic to my Ruckus
> controller. tcpdump didn’t catch any traffic between PacketFence and the
> Ruckus Controller. There was no signal from PacketFence to Ruckus to
> indicate that the computer is authorized. PacketFence didn’t even try to
> communicate.
>
>
>
> Is the hotspot feature of PacketFence broken in 8.1?
>
>
>
> *From:* Caique Araujo via PacketFence-users
> 
> 
> *Sent:* Tuesday, December 18, 2018 4:20 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Caique Araujo  
> *Subject:* Re: [PacketFence-users] Captive Portal authorization Ruckus
> Interface logging
>
>
>
> Friend, I have this same problem ... If I can identify I help you, if you
> can, could you help me too?
>
>
>
> On Tue, 18 Dec 2018 at 00:20, Eric Rolleman via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> I followed the directions here:
> https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_ruckus_smartzone
>
>
>
> It seems the instructions are missing something as I can’t get this to
> work. If I type in the address manually after connecting to the wireless
> network I get the following message (:
>
>
>
> The instructions tell me to type in a URL that is not supported…
>
>
>
> *From:* Eric Rolleman via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Wednesday, December 12, 2018 5:07 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Eric Rolleman 
> *Subject:* [PacketFence-users] Captive Portal authorization Ruckus
> Interface logging
>
>
>
> Is there a log anywhere that I can look at to find out why clients aren’t
> getting authorized? I found the following dir: “ /usr/local/pf/logs “, but
> none of the logs appear to contain any data on why my Ruckus Controller
> isn’t authorizing the client. Or if my configuration for the Web Services
> communication is correct.
>
>
>
>
>
>
>
> --
>
> Regards,
>
> Caique Araujo
>
>

Re: [PacketFence-users] statistics only showing last hour

2018-08-14 Thread Diego Garcia del Rio via PacketFence-users
Dear Fabrice,

Thanks for the info. In this case, I don't think it's a visualization issue
but rather something missing in the datasource itself. As mentioned,
zooming in/out changes nothing in the data accessible. Even for the chart
"NEW REGISTERED DEVICES DURING THE PAST MONTH" it is only showing the last
hour of the data.

I ended up changing /usr/local/pf/var/conf/monitoring/netdata.conf and
setting "history = 86400" on the [global] section so that at least we keep
1 day worth of stats. The default value was 3776 or something similar
(barely over an hour) so netdata was basically dropping any stats beyond
the first hour and a few minutes.

(this might increase the memory usage, so I'll keep an eye out for it)

best regards,





On Mon, Aug 13, 2018 at 10:49 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Diego,
>
> you can adjust the value in the template:
>
>
> https://github.com/inverse-inc/packetfence/blob/devel/html/pfappserver/root/graph/dashboard.tt
>
>
> Cf doc: https://github.com/firehol/netdata/wiki/Custom-Dashboards
>
> Regards
>
> Fabrice
>
>
>
> On 2018-08-13 at 11:02, Diego Garcia del Rio via PacketFence-users wrote:
>
> Hello everyone,
>
> I am seeing that on two different systems (on 8.1) all the stats show only
> the last hour, regardless of how long the system has been running (and
> the +/- zoom though it changes the timescale at the bottom -ever so
> slightly-, no new data is loaded).
>
> Is there a setting that has to be adjusted?
>
> Thanks!
>
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
>
>
>
>
>


[PacketFence-users] statistics only showing last hour

2018-08-13 Thread Diego Garcia del Rio via PacketFence-users
Hello everyone,

I am seeing that on two different systems (on 8.1) all the stats show only
the last hour, regardless of how long the system has been running (and
the +/- zoom though it changes the timescale at the bottom -ever so
slightly-, no new data is loaded).

Is there a setting that has to be adjusted?

Thanks!


Re: [PacketFence-users] possibility to login to /status url using oauth only

2018-07-27 Thread Diego Garcia del Rio via PacketFence-users
Thanks Fabrice.

I'll do that and try to provide more traces.

Best Regards,
Diego


On Fri, Jul 27, 2018 at 11:10 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Diego,
>
> what you describe looks to be a bug, feel free to open an issue on github
> and we will look at it soon.
>
> Regards
>
> Fabrice
>
>
>
> On 2018-07-27 at 22:01, Diego Garcia del Rio via PacketFence-users wrote:
>
> Thanks Fabrice,
>
> I already have the "create local account" flag enabled. The accounts are
> indeed being created but no password seems to be applied to them. I looked
> at the code and saw that, in theory, a password should have been generated
> and emailed to the user, but if I look at the password table in mysql, I
> only see the hashed password for admin but nothing for the rest of the
> users (which do exist in the "person" table).
>
> Also, I didn't find an explicit way of resetting / changing the password
> of an account other than at creation time.
>
> It would be nice to (optionally) allow the user to de-register an old
> device.
>
> Finally, it would be good if the "exceeded number of devices" error could
> be propagated so that we can make it clear to the user WHY the registration
> failed. Currently, you only get a generic error.
>
> Best Regards,
> Diego
>
>
> On Fri, Jul 27, 2018 at 10:16 PM Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Diego,
>>
>> no you can't authenticate with oauth on the /status page but you can
>> check "create a local account" in the oauth authentication source and use
>> this account to login the status page.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2018-07-26 at 15:36, Diego Garcia del Rio via PacketFence-users
>> wrote:
>>
>> Hello. Is there any way for the user to login to the "/status" part of
>> the captive portal with his oauth credentials instead of a local account?
>>
>> We're trying to implement a case where we limit the number of devices per
>> role (eg, 2 devices). But to ease the burden on our IT staff, instead of
>> showing an error when the user tries to login, we would like to redirect
>> him to the /status portal so that he can un-register an old device.
>>
>> Is this possible at all? (doesn't seem so, at least immediately)
>>
>> Best Regards.
>> diego
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
>
>


Re: [PacketFence-users] possibility to login to /status url using oauth only

2018-07-27 Thread Diego Garcia del Rio via PacketFence-users
Thanks Fabrice,

I already have the "create local account" flag enabled. The accounts are
indeed being created but no password seems to be applied to them. I looked
at the code and saw that, in theory, a password should have been generated
and emailed to the user, but if I look at the password table in mysql, I
only see the hashed password for admin but nothing for the rest of the
users (which do exist in the "person" table).

Also, I didn't find an explicit way of resetting / changing the password of
an account other than at creation time.

It would be nice to (optionally) allow the user to de-register an old
device.

Finally, it would be good if the "exceeded number of devices" error could
be propagated so that we can make it clear to the user WHY the registration
failed. Currently, you only get a generic error.

Best Regards,
Diego


On Fri, Jul 27, 2018 at 10:16 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Diego,
>
> no you can't authenticate with oauth on the /status page but you can check
> "create a local account" in the oauth authentication source and use this
> account to login the status page.
>
> Regards
>
> Fabrice
>
>
>
> On 2018-07-26 at 15:36, Diego Garcia del Rio via PacketFence-users wrote:
>
> Hello. Is there any way for the user to login to the "/status" part of the
> captive portal with his oauth credentials instead of a local account?
>
> We're trying to implement a case where we limit the number of devices per
> role (eg, 2 devices). But to ease the burden on our IT staff, instead of
> showing an error when the user tries to login, we would like to redirect
> him to the /status portal so that he can un-register an old device.
>
> Is this possible at all? (doesn't seem so, at least immediately)
>
> Best Regards.
> diego
>
>
>
>
>
>
>
>
>
>
>


[PacketFence-users] possibility to login to /status url using oauth only

2018-07-27 Thread Diego Garcia del Rio via PacketFence-users
Hello. Is there any way for the user to login to the "/status" part of the
captive portal with his oauth credentials instead of a local account?

We're trying to implement a case where we limit the number of devices per
role (eg, 2 devices). But to ease the burden on our IT staff, instead of
showing an error when the user tries to login, we would like to redirect
him to the /status portal so that he can un-register an old device.

Is this possible at all? (doesn't seem so, at least immediately)

Best Regards.
diego


Re: [PacketFence-users] Dynamic authentication methods based on browser

2018-07-27 Thread Diego Garcia del Rio via PacketFence-users
Dear Thomas,

Sorry to revive a crazy old thread. But you can get Google OAuth to work
with iPhones if you get Google to whitelist your API client ID. It's manual
but relatively straightforward.

You need to contact  oauth-h...@google.com and provide them with your API
oauth ID.

It's working for me now.

Otherwise you need your users to select "use this network as is" and then
trigger the captive portal by visiting "neverssl.com" or something like
that. But far from ideal I know.



On Thu, Dec 14, 2017 at 1:03 PM Thomas M. Wilson via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I'm trying to set up our portal to not display Google authentication as a
> choice when the device that's connecting is an iPhone. Why? Well, OAuth
> doesn't work anymore with iPhones since Google changed things and required
> a full-blown browser when doing OAuth rather than the mini browser that
> iPhones use when authenticating to a portal (the dreaded 403
> "disallowed_useragent" error).
>
> My first thought was to have a completely different connection profile
> strictly for iPhones that wouldn't have Google as an authentication choice.
> However, using device_class == "iPhone" in the advanced filter on the
> profile doesn't seem to work so users see the default portal that has
> Google listed. In fact, the advanced filter doesn't seem to work at all -
> changing the default profile to have a filter of device_class == "Windows"
> still shows that portal for all devices.
>
> Anyways, my next thought was to modify the content-with-choice.html file
> to look at the user agent and filter out the Google authentication if the
> user agent contained "iPhone". The problem I'm having here is determining
> which variable holds the user agent. What I want to do is something like:
> [% FOREACH module in modules %]
> [% IF module.id == "Guest_root+Guest_authentication+Guest_Google" &&
> user_agent =~ "iPhone" %]
> 
> [% ELSE %]
> 
> [% END %]
> [% END %]
>
> Has anyone else done this? Or better yet, how is everyone else dealing
> with the Google/iPhone issue?
>
> Thanks
> Tom
>
>
>


Re: [PacketFence-users] problems using Oauth / captive portal on 8.1

2018-07-22 Thread Diego Garcia del Rio via PacketFence-users
ption=
>> class=authentication
>> match=all
>> action0=set_role=guest
>> action1=set_access_duration=1D
>>
>> [email]
>> description=Email-based registration
>> email_activation_timeout=10m
>> type=Email
>> allow_localdomain=yes
>> create_local_account=no
>>
>> [email rule catchall]
>> description=
>> class=authentication
>> match=all
>> action0=set_role=guest
>> action1=set_access_duration=1D
>>
>> [sponsor]
>> description=Sponsor-based registration
>> type=SponsorEmail
>> allow_localdomain=yes
>> create_local_account=no
>>
>> [sponsor rule catchall]
>> description=
>> class=authentication
>> match=all
>> action0=set_role=guest
>> action1=set_access_duration=1D
>>
>> [null]
>> description=Null Source
>> type=Null
>> email_required=no
>>
>> [null rule catchall]
>> description=catchall
>> class=authentication
>> match=all
>> action0=set_role=guest
>> action1=set_access_duration=1D
>> [root@localhost conf]#
>> [root@localhost conf]#
>> [root@localhost conf]# ls -lrta
>> total 3668
>>
>>
>>
>>
>>
>> On Sun, Jul 22, 2018 at 6:52 PM Diego Garcia del Rio 
>> wrote:
>>
>>> Dear Fabrice,
>>>
>>> I'll get them ASAP. It's more confusing though as I now rolled back to a
>>> 7.4 install and I'm seeing the same issues (while other systems with 7.4
>>> seem to be fine).
>>>
>>> Thanks for the support.
>>>
>>>
>>> On Fri, Jul 20, 2018 at 11:24 PM Durand fabrice via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> Hello Diego,
>>>>
>>>> can you give your authentication.conf, profiles.conf and
>>>> portal_modules.conf files ?
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>> Le 2018-07-20 à 16:25, Diego Garcia del Rio via PacketFence-users a
>>>> écrit :
>>>>
>>>> Hello everyone!
>>>>
>>>> I just did a clean install of PF 8.1 on a Centos 7.5 and I am facing
>>>> issues trying to use any of the OAuth sources on the captive portal.
>>>>
>>>> Basically, whenever I add any authentication source to the captive
>>>> portal, I get a "default"  "new portal module"  form (nothing specific to
>>>> the module I was trying to add).
>>>>
>>>> For example, when trying to add a Facebook Oauth form, I get a form
>>>> with "Identifier", "description", AUP, sources dropdown (empty) and landing
>>>> template.
>>>>
>>>> I'm getting quite confused to be honest. :(
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>


Re: [PacketFence-users] problems using Oauth / captive portal on 8.1

2018-07-22 Thread Diego Garcia del Rio via PacketFence-users
This is my current config (now on 7.4 and still not showing any of the
custom fields):

[root@localhost conf]# cat profiles.conf
#
# Copyright (C) 2005-2018 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html



[root@localhost conf]# cat portal_modules.conf
[default_registration_policy]
modules=default_login_policy,default_guest_policy,goog,default_billing_policy,default_saml_policy,default_blackhole_policy
actions=
template=content-with-choice.html
show_first_module_on_default=disabled

[goog]
actions=
custom_fields=
description=goog
with_aup=1
landing_template=oauth2/landing.html
aup_template=aup_text.html
type=Authentication::OAuth::Google




[root@localhost conf]# cat authentication.conf
[local]
description=Local Users
type=SQL
realms=null

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100122
type=SMS
create_local_account=no

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no

[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[null]
description=Null Source
type=Null
email_required=no

[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[root@localhost conf]#
[root@localhost conf]#
[root@localhost conf]# ls -lrta
total 3668





On Sun, Jul 22, 2018 at 6:52 PM Diego Garcia del Rio 
wrote:

> Dear Fabrice,
>
> I'll get them ASAP. It's more confusing though as I now rolled back to a
> 7.4 install and I'm seeing the same issues (while other systems with 7.4
> seem to be fine).
>
> Thanks for the support.
>
>
> On Fri, Jul 20, 2018 at 11:24 PM Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Diego,
>>
>> can you give your authentication.conf, profiles.conf and
>> portal_modules.conf files ?
>>
>> Regards
>>
>> Fabrice
>>
>> Le 2018-07-20 à 16:25, Diego Garcia del Rio via PacketFence-users a
>> écrit :
>>
>> Hello everyone!
>>
>> I just did a clean install of PF 8.1 on a Centos 7.5 and I am facing
>> issues trying to use any of the OAuth sources on the captive portal.
>>
>> Basically, whenever I add any authentication source to the captive
>> portal, I get a "default"  "new portal module"  form (nothing specific to
>> the module I was trying to add).
>>
>> For example, when trying to add a Facebook Oauth form, I get a form with
>> "Identifier", "description", AUP, sources dropdown (empty) and landing
>> template.
>>
>> I'm getting quite confused to be honest. :(
>>
>>
>>
>>
>>
>>
>>
>

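The two dumps above (portal_modules.conf and authentication.conf) can be cross-checked mechanically. The following is an added example, not PacketFence's own code: it parses both files with configparser and reports portal modules of an Authentication:: type that name no source, or that name a source absent from authentication.conf. The key name source_id, and the convention that the last component of the module type (Google) is the source type expected in authentication.conf, are assumptions about PacketFence's schema; the embedded configs are trimmed copies of the dump.

```python
"""Cross-check PacketFence portal_modules.conf against authentication.conf.

Added example, not PacketFence code.  Assumptions (not taken from the thread):
modules of an Authentication::* type reference their source via ``source_id``,
and the last component of the module type (e.g. Google) names the source
type expected in authentication.conf.
"""
import configparser

# Trimmed copies of the two files posted in the thread (constructed sample).
PORTAL_MODULES = """\
[default_registration_policy]
modules=default_login_policy,default_guest_policy,goog,default_billing_policy
actions=
template=content-with-choice.html
show_first_module_on_default=disabled

[goog]
actions=
custom_fields=
description=goog
with_aup=1
landing_template=oauth2/landing.html
aup_template=aup_text.html
type=Authentication::OAuth::Google
"""

AUTHENTICATION = """\
[local]
description=Local Users
type=SQL
realms=null

[sms]
description=SMS-based registration
type=SMS
create_local_account=no

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[null]
description=Null Source
type=Null
email_required=no
"""


def load_pf_conf(text):
    """Parse a PacketFence INI file.  Only '=' separates key and value, so an
    action line such as action0=set_role=guest keeps its whole value."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def sources_by_type(auth):
    """Map source id -> type, skipping the '[source rule name]' sections."""
    return {s: auth[s]["type"] for s in auth.sections()
            if " rule " not in s and auth.has_option(s, "type")}


def rules_for(auth, source):
    """Return {rule_name: {key: value}} for one source's rule sections."""
    prefix = f"{source} rule "
    return {s[len(prefix):]: dict(auth[s])
            for s in auth.sections() if s.startswith(prefix)}


def lint_portal_modules(portal, auth):
    """Return a list of human-readable findings (empty when consistent)."""
    findings = []
    sources = sources_by_type(auth)
    for name in portal.sections():
        mod = portal[name]
        # Choice-style modules list children; the built-in default_* policies
        # live outside the dumped file, so only other unknown names are reported.
        for child in filter(None, mod.get("modules", "").split(",")):
            if child not in portal and not child.startswith("default_"):
                findings.append(f"{name}: child module '{child}' is not defined")
        mtype = mod.get("type", "")
        if not mtype.startswith("Authentication::"):
            continue
        expected = mtype.rsplit("::", 1)[-1]   # assumption: Google -> type=Google
        sid = mod.get("source_id", "")         # assumption: key name source_id
        if not sid:
            findings.append(f"{name}: {mtype} has no source_id")
        elif sid not in sources:
            findings.append(f"{name}: source_id '{sid}' not in authentication.conf")
        elif sources[sid] != expected:
            findings.append(f"{name}: source '{sid}' is type {sources[sid]}, "
                            f"module expects {expected}")
    return findings


if __name__ == "__main__":
    portal = load_pf_conf(PORTAL_MODULES)
    auth = load_pf_conf(AUTHENTICATION)
    for line in lint_portal_modules(portal, auth) or ["no findings"]:
        print(line)
```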

Re: [PacketFence-users] problems using Oauth / captive portal on 8.1

2018-07-22 Thread Diego Garcia del Rio via PacketFence-users
An additional note (and sorry for the constant messaging), to install 7.4 I
had to manually roll back to HAproxy 1.6.11, as 8.1 had installed HAproxy
1.8.9 and the config files generated by pfcmd generateconfig for 7.4 were
not compatible but the RPMs specified HAProxy >=1.6 but no <= version thus
1.8 satisfied the dependency but broke things...


On Sun, Jul 22, 2018 at 7:13 PM Diego Garcia del Rio 
wrote:

> This is my current config (now on 7.4 and still not showing any of the
> custom fields):
>
> [root@localhost conf]# cat profiles.conf
> #
> # Copyright (C) 2005-2018 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
>
>
>
> [root@localhost conf]# cat portal_modules.conf
> [default_registration_policy]
>
> modules=default_login_policy,default_guest_policy,goog,default_billing_policy,default_saml_policy,default_blackhole_policy
> actions=
> template=content-with-choice.html
> show_first_module_on_default=disabled
>
> [goog]
> actions=
> custom_fields=
> description=goog
> with_aup=1
> landing_template=oauth2/landing.html
> aup_template=aup_text.html
> type=Authentication::OAuth::Google
>
>
>
>
> [root@localhost conf]# cat authentication.conf
> [local]
> description=Local Users
> type=SQL
> realms=null
>
> [file1]
> description=Legacy Source
> path=/usr/local/pf/conf/admin.conf
> type=Htpasswd
> realms=null
>
> [file1 rule admins]
> description=All admins
> class=administration
> match=all
> action0=set_access_level=ALL
>
> [sms]
> description=SMS-based registration
>
> sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100122
> type=SMS
> create_local_account=no
>
> [sms rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
>
> [email]
> description=Email-based registration
> email_activation_timeout=10m
> type=Email
> allow_localdomain=yes
> create_local_account=no
>
> [email rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
>
> [sponsor]
> description=Sponsor-based registration
> type=SponsorEmail
> allow_localdomain=yes
> create_local_account=no
>
> [sponsor rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
>
> [null]
> description=Null Source
> type=Null
> email_required=no
>
> [null rule catchall]
> description=catchall
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
> [root@localhost conf]#
> [root@localhost conf]#
> [root@localhost conf]# ls -lrta
> total 3668
>
>
>
>
>
> On Sun, Jul 22, 2018 at 6:52 PM Diego Garcia del Rio 
> wrote:
>
>> Dear Fabrice,
>>
>> I'll get them ASAP. It's more confusing though as I now rolled back to a
>> 7.4 install and I'm seeing the same issues (while other systems with 7.4
>> seem to be fine).
>>
>> Thanks for the support.
>>
>>
>> On Fri, Jul 20, 2018 at 11:24 PM Durand fabrice via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Diego,
>>>
>>> can you give your authentication.conf, profiles.conf and
>>> portal_modules.conf files ?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>> Le 2018-07-20 à 16:25, Diego Garcia del Rio via PacketFence-users a
>>> écrit :
>>>
>>> Hello everyone!
>>>
>>> I just did a clean install of PF 8.1 on a Centos 7.5 and I am facing
>>> issues trying to use any of the OAuth sources on the captive portal.
>>>
>>> Basically, whenever I add any authentication source to the captive
>>> portal, I get a "default"  "new portal module"  form (nothing specific to
>>> the module I was trying to add).
>>>
>>> For example, when trying to add a Facebook Oauth form, I get a form with
>>> "Identifier", "description", AUP, sources dropdown (empty) and landing
>>> template.
>>>

Re: [PacketFence-users] problems using Oauth / captive portal on 8.1

2018-07-22 Thread Diego Garcia del Rio via PacketFence-users
Dear Fabrice,

I'll get them ASAP. It's more confusing though as I now rolled back to a 7.4
install and I'm seeing the same issues (while other systems with 7.4 seem
to be fine).

Thanks for the support.


On Fri, Jul 20, 2018 at 11:24 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Diego,
>
> can you give your authentication.conf, profiles.conf and
> portal_modules.conf files ?
>
> Regards
>
> Fabrice
>
> Le 2018-07-20 à 16:25, Diego Garcia del Rio via PacketFence-users a écrit :
>
> Hello everyone!
>
> I just did a clean install of PF 8.1 on a Centos 7.5 and I am facing
> issues trying to use any of the OAuth sources on the captive portal.
>
> Basically, whenever I add any authentication source to the captive portal,
> I get a "default"  "new portal module"  form (nothing specific to the
> module I was trying to add).
>
> For example, when trying to add a Facebook Oauth form, I get a form with
> "Identifier", "description", AUP, sources dropdown (empty) and landing
> template.
>
> I'm getting quite confused to be honest. :(
>
>
>
>
>
>
>


[PacketFence-users] problems using Oauth / captive portal on 8.1

2018-07-20 Thread Diego Garcia del Rio via PacketFence-users
Hello everyone!

I just did a clean install of PF 8.1 on a Centos 7.5 and I am facing issues
trying to use any of the OAuth sources on the captive portal.

Basically, whenever I add any authentication source to the captive portal,
I get a "default"  "new portal module"  form (nothing specific to the
module I was trying to add).

For example, when trying to add a Facebook Oauth form, I get a form with
"Identifier", "description", AUP, sources dropdown (empty) and landing
template.

I'm getting quite confused to be honest. :(


Re: [PacketFence-users] Mobile phone MAC randomisation breaks PF

2017-09-19 Thread Diego Garcia del Rio via PacketFence-users
Agree with Tim... Unless she's telling the phone to "forget" the network
each and every day...

On Tue, Sep 19, 2017 at 11:04 AM, Tim DeNike via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> MAC randomization (At least the way I've seen it work) only randomizes the
> MAC when the device is passively probing for networks.  It uses the fixed
> MAC when it actually connects.
>
> OR.. It uses a random MAC for a specific SSID and doesn't change it while
> connected to that SSID.
>
> If it's randomizing the MAC every single time, tell her tough beans, get a
> phone that works correctly.  :D
>
> On Tue, Sep 19, 2017 at 10:15 AM, Torry, Andrew via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi folks,
>>
>>
>>
>> We have a new student who cannot seem to get onto our PF controlled wifi
>> since her mobile phone
>>
>> keeps randomising its MAC address. It appears this feature is hard coded
>> into the phones OS and
>>
>> cannot be disabled. The only way we can see to fix this is to register
>> every one of the 65535 MAC addresses
>>
>> the device could be using to the user’s ID but this seems dangerously
>> kludgy to me.
>>
>>
>>
>> Has anyone else come up with a potential fix for this as it completely
>> breaks PF and other MAC based registration systems.
>>
>>
>>
>> Andrew
>>
>>
>>
>> Andrew Torry
>>
>> Senior Infrastructure Engineer
>>
>>
>>
>> Tel: 01326 370760
>>
>> Email: andrew.to...@fxplus.ac.uk
>>
>>
>>
>>
>> Falmouth Exeter Plus is an exempt charity established by Falmouth
>> University and the University of Exeter to deliver their shared Higher
>> Education services in Cornwall.
>>
>>
>>
>>
>
>
>

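As an added example (not PacketFence code, and not a fix the thread proposes), the check a NAC operator can run over node records to tell randomised addresses from burned-in ones: a randomised MAC is generated with the locally administered bit (0x02 in the first octet) set, while hardware addresses have it clear. The rows are constructed; the first MAC is the Android handset Diego quotes elsewhere in this archive, the others are made up.

```python
"""Flag randomised (locally administered) MAC addresses in node records.

Added example, not PacketFence code.  A randomised MAC is generated with the
universal/local bit (0x02 of the first octet) set; burned-in hardware
addresses have it clear.  The rows below are constructed samples in the shape
of the node table's mac/pid columns.
"""
import re

NODE_ROWS = [
    ("ac:37:43:a4:41:46", "diego"),     # from the thread, hardware-style
    ("DA-A1-19-12-34-56", "student1"),  # constructed, U/L bit set
    ("5c:51:4f:aa:bb:cc", "student1"),  # constructed, hardware-style
]


def normalize_mac(mac):
    """Accept 'aa:bb:..', 'AA-BB-..' or 'aabb..' and return lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac):
    """Group bit (0x01 of the first octet); never a valid client source address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def registrations_per_user(rows):
    """Return {pid: {"hardware": [...], "random": [...]}} so a per-user device
    limit can be judged on hardware addresses rather than on every random MAC."""
    out = {}
    for mac, pid in rows:
        cls = "random" if is_locally_administered(mac) else "hardware"
        bucket = out.setdefault(pid, {"hardware": [], "random": []})
        bucket[cls].append(normalize_mac(mac))
    return out


if __name__ == "__main__":
    for pid, buckets in registrations_per_user(NODE_ROWS).items():
        print(pid, buckets)
```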

Re: [PacketFence-users] Bandwidth limit

2017-09-07 Thread Diego Garcia del Rio via PacketFence-users
Hi Luca,

I don't have experience with the "inline mode" of PF. I haven't seen any
options to do bandwidth limiting in the UI though, so I would not keep my
hopes up.

What controller do you have?


On Thu, Sep 7, 2017 at 3:37 AM, luca comes via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Diego,
> thank you for your answer. What about if I put PF inline in front of the
> WiFi controller? Could it perform rate limit after user authentication when
> the IP assigned is known without working on the controller?
>
> Luca
>
>
> --
> *From:* Diego Garcia del Rio 
> *Sent:* Monday, 4 September 2017 20:23
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* Re: [PacketFence-users] Bandwidth limit
>
> You can do this by assigning a new profile to the user as the action of
> the bandwidth violation. Of course the capability to rate limit will depend
> on the device doing the access. If it's a fairly advanced wifi, you could do
> it, but might be impossible or hard on wired switches (especially lower
> end)
>
>
>
> On Mon, Sep 4, 2017 at 5:41 AM, luca comes via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Dear all,
>>
>> I have a customer who needs to restrict bandwidth to IP/user when they
>> exceed the limit. Is there the possibility using PF? Can you drive me to
>> documentation or some example to understand the possibilities?
>>
>>
>> Thanks
>>
>>
>> Luca
>>
>>
>>
>> Sent from Outlook
>>
>>
>>
>
>
>


Re: [PacketFence-users] Bandwidth limit

2017-09-04 Thread Diego Garcia del Rio via PacketFence-users
You can do this by assigning a new profile to the user as the action of the
bandwidth violation. Of course the capability to rate limit will depend on
the device doing the access. If it's a fairly advanced wifi, you could do
it, but might be impossible or hard on wired switches (especially lower end)



On Mon, Sep 4, 2017 at 5:41 AM, luca comes via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Dear all,
>
> I have a customer who needs to restrict bandwidth to IP/user when they
> exceed the limit. Is there the possibility using PF? Can you drive me to
> documentation or some example to understand the possibilities?
>
>
> Thanks
>
>
> Luca
>
>
>
> Sent from Outlook
>
>
>


[PacketFence-users] Authenticating users against google apps but obtaining role from local DB

2017-07-28 Thread Diego Garcia del Rio via PacketFence-users
Hi Everyone,

I am trying to setup an environment where I am using Google Apps for
education as my main source of "authentication" data for the captive
portal. I am doing mac-based authentication of the devices and redirecting
users to a captive portal to do device self-registration.

Unfortunately I'm quite limited in what I can do on the google apps
directory and was trying to find a way to define the "role" of the
authenticated user from the local database. So, in short, I would
pre-create all the local users with the assigned roles (like teacher,
elementary-school, high-school, or admin-staff), with each role being pass
on to my wifi controller for different rate-limit values as well as
applying different bandwidth quotas and number of devices registered.

It seems though as I am forced to define a role (via a rule) when using the
google oauth source and then it seems that my local user list is never
checked. Is there any way to do this? Ideally, I would like to avoid to do
the "chained" authentication (since I dont want users to login to their
local PF accounts). I want to authenticate against google but "authorize"
against the local DB.

Any ideas on how to do this?

(Additionally, I did some changes to the Google Oauth plugin to allow only
the users from a specific domain only to be able to login. Otherwise, any
user with a google accounts could login). I will share my code as soon as I
can.

Best Regards,
Diego


Re: [PacketFence-users] bandwidth violation remediation

2017-07-27 Thread Diego Garcia del Rio via PacketFence-users
Thanks!

That's a good idea.



On Jul 26, 2017 21:28, "Durand fabrice via PacketFence-users" <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Diego,
>
> set the grace period of 24h for your current violation and create a new
> one for 1024M/Day.
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-07-26 à 19:56, Diego Garcia del Rio via PacketFence-users a écrit :
>
> Hi,
>
> I have a quick question... I have a system setup with 7.2 where I am using
> bandwidth accounting / violations. I have set a user limit of 512 mbytes
> per day and then they get rate-limited to 256Kbit/s. When a user exceeds
> its bandwidth, I have the option of remediating the violation, but the
> violation gets triggered quite soon again (since the user has still
> exceeded its quota).
>
> Is there any way to "grant"  the user another 512 megs or something of the
> sort?
>
> Any ideas on how to achieve something like that?
>
> thanks in advance,
> Diego
>
>
>
>
>
>


[PacketFence-users] bandwidth violation remediation

2017-07-26 Thread Diego Garcia del Rio via PacketFence-users
Hi,

I have a quick question... I have a system setup with 7.2 where I am using
bandwidth accounting / violations. I have set a user limit of 512 mbytes
per day and then they get rate-limited to 256Kbit/s. When a user exceeds
its bandwidth, I have the option of remediating the violation, but the
violation gets triggered quite soon again (since the user has still
exceeded its quota).

Is there any way to "grant"  the user another 512 megs or something of the
sort?

Any ideas on how to achieve something like that?

thanks in advance,
Diego


Re: [PacketFence-users] radius accounting info not being mapped to users

2017-07-20 Thread Diego Garcia del Rio via PacketFence-users
49939 |63202 |
> 58:b6:33:bf:4b:c8:principal | ac:37:43:a4:41:46 | Idle-Timeout   |
> || 10.100.0.11 |
>
>
>
> Thanks !!!
>
>
>
>
> On Wed, Jul 19, 2017 at 7:29 PM, Louis Munro <lmu...@inverse.ca> wrote:
>
>> Hi Diego,
>> Can you see if you have data in the radacct table?
>>
>> Regards,
>> --
>> Louis Munro
>> lmu...@inverse.ca  ::  www.inverse.ca
>> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On Jul 19, 2017, at 18:25, Diego Garcia del Rio via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> Dear users,
>>
>> I have a setup where users are being authenticated using mac-based auth
>> with radius. This is a system with Ruckus' ZD1200 and a few APs. Radius
>> auth works well and I have configured radius accounting as well. In fact, I
>> see the radius accounting packets being sent to PF -both interim acct
>> records as well as upon connect/disconnect-.
>>
>> I even see the records being entered into the radacct and radacct_log
>> tables. The radacct_log shows a few entries such as the following:
>>
>>
>> | 13 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10   | Start
>>| 2017-07-19 21:24:07 |   0 |0 |
>>   0 | 4a0c8abc1db9b2e180f7501f313b9ded |
>> | 14 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10   |
>> Interim-Update | 2017-07-19 21:29:07 |   77539 |   106422 |
>> 300 | 4a0c8abc1db9b2e180f7501f313b9ded |
>> | 15 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10   | Start
>>| 2017-07-19 21:29:59 |   0 |0 |
>>   0 | 4a0c8abc1db9b2e180f7501f313b9ded |
>> | 16 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10   | Stop
>> | 2017-07-19 21:29:59 |  112233 |   157549 |
>>   352 | 4a0c8abc1db9b2e180f7501f313b9ded |
>> | 17 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10   |
>> Interim-Update | 2017-07-19 21:34:59 |  125499 |   181451 |
>> 300 | 4a0c8abc1db9b2e180f7501f313b9ded |
>> | 18 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10   | Stop
>> | 2017-07-19 21:38:55 |   0 |0 |
>>   236 | 4a0c8abc1db9b2e180f7501f313b9ded |
>>
>> the MAC is matching the  device as shown in the node table:
>>
>> MariaDB [pf]> select mac, pid, computername  from node where
>> mac="ac:37:43:a4:41:46" ;
>> +---+---+--+
>> | mac   | pid   | computername |
>> +---+---+--+
>> | ac:37:43:a4:xx:xx | diego | android-98d54ed505c746a1 |
>> +---+---+--+
>>
>>
>> anyone has any clue on why I might not be able to see the accounting info
>> being processed? In the GUI, when selecting "Top 25 Bandwidth Consumers"  I
>> see the following:
>>
>> What's going on?There's not enough data to generate this graph. Is
>> PacketFence in production
>>
>> But im pretty sure im in production mode...
>>
>> thanks!
>>
>>
>> 
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot__
>> _
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>>
>
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] radius accounting info not being mapped to users

2017-07-20 Thread Diego Garcia del Rio via PacketFence-users
Hi Louis,

Yes, the radacct table also has data.

I just noticed though that in my httpd.admin.error log file the following
is being logged each time I try to access the graph.

Jul 19 23:00:38 PacketFence-ZEN httpd_admin_err: [Wed Jul 19 23:00:38 2017]
-e: Argument "" isn't numeric in numeric gt (>) at
/usr/local/pf/html/pfappserver/root/graph/pie.tt line 59.

Also, when using ./pfcmd ifoctetshistorymac I don't get any data either.

See here for some data from the radacct table:

MariaDB [pf]> select * from radacct;
+--------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+
| radacctid          | 1                                | 2                                | 3                                | 4                                |
+--------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+
| acctsessionid      | 59BBE3C4-0007                    | 59BBE3C4-0008                    | 59BBE3C4-000A                    | 59BBE3C4-000C                    |
| acctuniqueid       | 4a0c8abc1db9b2e180f7501f313b9ded | 4a0c8abc1db9b2e180f7501f313b9ded | 4a0c8abc1db9b2e180f7501f313b9ded | 4a0c8abc1db9b2e180f7501f313b9ded |
| username           | ac:37:43:a4:41:46                | ac:37:43:a4:41:46                | ac:37:43:a4:41:46                | ac:37:43:a4:41:46                |
| groupname          |                                  |                                  |                                  |                                  |
| realm              | null                             | null                             | null                             | null                             |
| nasipaddress       | 10.0.10.10                       | 10.0.10.10                       | 10.0.10.10                       | 10.0.10.10                       |
| nasportid          | 3                                | 3                                | 4                                | 1                                |
| nasporttype        | Wireless-802.11                  | Wireless-802.11                  | Wireless-802.11                  | Wireless-802.11                  |
| acctstarttime      | 2017-07-19 20:13:35              | 2017-07-19 20:14:19              | 2017-07-19 20:34:44              | 2017-07-19 20:58:11              |
| acctupdatetime     | 2017-07-19 20:13:35              | 2017-07-19 20:14:19              | 2017-07-19 20:34:44              | 2017-07-19 20:58:11              |
| acctstoptime       | 2017-07-19 20:14:06              | 2017-07-19 20:17:49              | 2017-07-19 20:35:49              | 2017-07-19 20:58:19              |
| acctinterval       | NULL                             | NULL                             | NULL                             | NULL                             |
| acctsessiontime    | 32                               | 209                              | 66                               | 8                                |
| acctauthentic      | RADIUS                           | RADIUS                           | RADIUS                           | RADIUS                           |
| connectinfo_start  | CONNECT 802.11a/n/ac             | CONNECT 802.11a/n/ac             | CONNECT 802.11a/n/ac             | CONNECT 802.11g/n                |
| connectinfo_stop   | CONNECT 802.11a/n/ac             | CONNECT 802.11a/n/ac             | CONNECT 802.11a/n/ac             | CONNECT 802.11g/n                |
| acctinputoctets    | 489362                           | 353797                           | 423669                           | 49939                            |
| acctoutputoctets   | 33813114                         | 263304                           | 30089496                         | 63202                            |
| calledstationid    | f8:e7:1e:af:12:2c:principal      | 58:b6:33:bf:4b:cc:principal      | 58:b6:33:bf:4b:cc:principal      | 58:b6:33:bf:4b:c8:principal      |
| callingstationid   | ac:37:43:a4:41:46                | ac:37:43:a4:41:46                | ac:37:43:a4:41:46                | ac:37:43:a4:41:46                |
| acctterminatecause | Idle-Timeout                     | Idle-Timeout                     | User-Request                     | Idle-Timeout                     |
| servicetype        |                                  |                                  |                                  |                                  |
| framedprotocol     |                                  |                                  |                                  |                                  |
| framedipaddress    | 10.100.0.11                      | 10.100.0.11                      | 10.100.0.11                      | 10.100.0.11                      |
+--------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+



Thanks !!!




On Wed, Jul 19, 2017 at 7:29 PM, Louis Munro <lmu...@inverse.ca> wrote:

> Hi Diego,
> Can you see if you have data in the radacct table?
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>

[PacketFence-users] radius accounting info not being mapped to users

2017-07-19 Thread Diego Garcia del Rio via PacketFence-users
Dear users,

I have a setup where users are being authenticated using MAC-based auth
with RADIUS. This is a system with a Ruckus ZD1200 and a few APs. RADIUS
auth works well and I have configured RADIUS accounting as well. In fact, I
see the RADIUS accounting packets being sent to PF (both interim accounting
records and the ones sent on connect/disconnect).

I even see the records being entered into the radacct and radacct_log
tables. The radacct_log table shows a few entries such as the following:

| 13 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10 | Start          | 2017-07-19 21:24:07 |      0 |      0 |   0 | 4a0c8abc1db9b2e180f7501f313b9ded |
| 14 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10 | Interim-Update | 2017-07-19 21:29:07 |  77539 | 106422 | 300 | 4a0c8abc1db9b2e180f7501f313b9ded |
| 15 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10 | Start          | 2017-07-19 21:29:59 |      0 |      0 |   0 | 4a0c8abc1db9b2e180f7501f313b9ded |
| 16 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10 | Stop           | 2017-07-19 21:29:59 | 112233 | 157549 | 352 | 4a0c8abc1db9b2e180f7501f313b9ded |
| 17 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10 | Interim-Update | 2017-07-19 21:34:59 | 125499 | 181451 | 300 | 4a0c8abc1db9b2e180f7501f313b9ded |
| 18 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10 | Stop           | 2017-07-19 21:38:55 |      0 |      0 | 236 | 4a0c8abc1db9b2e180f7501f313b9ded |

The MAC matches the device shown in the node table:

MariaDB [pf]> select mac, pid, computername from node where mac="ac:37:43:a4:41:46";
+-------------------+-------+--------------------------+
| mac               | pid   | computername             |
+-------------------+-------+--------------------------+
| ac:37:43:a4:xx:xx | diego | android-98d54ed505c746a1 |
+-------------------+-------+--------------------------+


Does anyone have any clue why I might not be able to see the accounting info
being processed? In the GUI, when selecting "Top 25 Bandwidth Consumers" I
see the following:

What's going on? There's not enough data to generate this graph. Is
PacketFence in production

But I'm pretty sure I'm in production mode...

thanks!
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
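The thread above shows radacct and node rows that line up by MAC yet yield an empty "bandwidth consumers" graph. As an added example (not PacketFence's code), the following Python reimplements the per-owner octet sum such a report needs, using the radacct and node rows posted in the thread plus two constructed rows; the guards for empty counters and differently formatted MACs are assumptions about what can leave such a report empty, not a diagnosis from the thread.

```python
"""Per-node-owner bandwidth from radacct, joined to the node table.

Added example, not PacketFence code: it re-implements the arithmetic
behind a 'top bandwidth consumers' report with the rows posted in the
thread, and guards the two things that can leave such a report empty
even when radacct is populated: empty/NULL octet counters and a
callingstationid whose MAC format differs from node.mac.
"""
import re

# Constructed from the thread's radacct rows (only the columns the report
# needs), as a raw driver would hand them over: strings, with ''/None for
# an empty field. The last two rows are made up to exercise the guards.
RADACCT = [
    {"acctsessionid": "59BBE3C4-0007", "callingstationid": "ac:37:43:a4:41:46",
     "acctinputoctets": "489362", "acctoutputoctets": "33813114"},
    {"acctsessionid": "59BBE3C4-0008", "callingstationid": "ac:37:43:a4:41:46",
     "acctinputoctets": "353797", "acctoutputoctets": "263304"},
    {"acctsessionid": "59BBE3C4-000A", "callingstationid": "ac:37:43:a4:41:46",
     "acctinputoctets": "423669", "acctoutputoctets": "30089496"},
    {"acctsessionid": "59BBE3C4-000C", "callingstationid": "ac:37:43:a4:41:46",
     "acctinputoctets": "49939", "acctoutputoctets": "63202"},
    {"acctsessionid": "MADEUP-0001", "callingstationid": "AC-37-43-A4-41-46",
     "acctinputoctets": "1000", "acctoutputoctets": "2000"},
    {"acctsessionid": "MADEUP-0002", "callingstationid": "ac:37:43:a4:41:46",
     "acctinputoctets": "", "acctoutputoctets": None},
]
# Constructed from the thread's node row: mac -> pid (owner).
NODE = {"ac:37:43:a4:41:46": "diego"}

def normalize_mac(raw):
    """Canonical lower-case colon form, or None if this is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def octets(value):
    """NULL/'' counters become 0 instead of reaching a numeric compare."""
    return int(value) if value not in (None, "") else 0

def bandwidth_by_pid(radacct, node):
    """Sum in+out octets per owner; sessions of unknown MACs land on None."""
    totals = {}
    for row in radacct:
        pid = node.get(normalize_mac(row["callingstationid"]))
        used = octets(row["acctinputoctets"]) + octets(row["acctoutputoctets"])
        totals[pid] = totals.get(pid, 0) + used
    return totals

def top_consumers(radacct, node, limit=25):
    """(pid, bytes) pairs, biggest first, unknown MACs left out."""
    known = [(p, b) for p, b in bandwidth_by_pid(radacct, node).items() if p]
    return sorted(known, key=lambda kv: kv[1], reverse=True)[:limit]
```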


Re: [PacketFence-users] Can't start packetfence-httpd.admin.service

2017-07-19 Thread Diego Garcia del Rio via PacketFence-users
Thanks.. I figured it couldn't be that bad as the server eventually
starts.

Thanks for the info.. I can help by doing a profile or with any other
mechanism if it helps troubleshoot the slow start. Glad to help!

Best Regards,
Diego



On Wed, Jul 19, 2017 at 7:21 PM, Louis Munro  wrote:

>
>
> On Jul 19, 2017, at 18:16, Diego Garcia del Rio  wrote:
>
> No. In my case it's a single-node setup. I was doing an strace on the httpd
> process and was seeing a LOT of missing files being referenced.
>
> For example:
>
> stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pm", {st_mode=S_IFREG|0644, st_size=1977, ...}) = 0
> open("/usr/local/pf/lib/pf/services/manager/httpd_collector.pm", O_RDONLY) = 7
> ioctl(7, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fffb60cc7a0) = -1 ENOTTY (Inappropriate ioctl for device)
> lseek(7, 0, SEEK_CUR)   = 0
> read(7, "package pf::services::manager::h"..., 8192) = 1977
>
>
>
> I'm not running on a super powerful server... but still, it's a 4-core VM
> with 8GB of RAM and an SSD... so not too horrible.
>
> I could eventually do a full strace if needed.
>
>
>
> Those are not missing files.
> That's the way perl searches for a module through @INC.
> It tries each directory in the array until it either succeeds or runs out
> of directories to try.
> You'll see this behaviour for other things too, such as linking libraries.
>
> Still, good catch on the incorrect StartLimitInterval.
> I will fix that for the next release.
>
>
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
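Louis's point about @INC probes, as an added Python example that is not part of the thread or of PacketFence: it reads strace stat() lines, folds each probe back to the module path relative to the @INC directory it was tried in, and reports only modules that no directory supplied. INC_DIRS are the three directories visible in the strace above; Does/Not/Exist.pm is a constructed, hypothetical module.

```python
"""Separate Perl @INC search probes from genuinely missing files in strace.

Added example, not from the thread or PacketFence. Perl stat()s a module
in each @INC directory until one hits, so ENOENT lines followed by a
successful stat of the same module are normal; only a module no
directory provides is worth chasing. INC_DIRS are the three directories
visible in the thread's probes; Does/Not/Exist.pm is a made-up module.
"""
import re
from collections import defaultdict

# Constructed sample: the thread's strace lines plus two probes for the
# made-up module that no @INC directory provides.
STRACE = """\
stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pm", {st_mode=S_IFREG|0644, st_size=1977, ...}) = 0
stat("/usr/local/fingerbank/lib/Does/Not/Exist.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/lib/Does/Not/Exist.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
"""
INC_DIRS = ("/usr/local/fingerbank/lib",
            "/usr/local/pf/html/captive-portal/lib",
            "/usr/local/pf/lib")
STAT_RE = re.compile(r'^stat\("([^"]+)",.*\) = (-?\d+)(?: (\w+))?')

def module_of(path):
    """Path relative to the @INC dir it was probed in; .pmc folds to .pm
    (perl tries the compiled variant first). None for non-@INC paths."""
    for inc in INC_DIRS:
        if path.startswith(inc + "/"):
            rel = path[len(inc) + 1:]
            return rel[:-1] if rel.endswith(".pmc") else rel
    return None

def classify(strace_text):
    """Returns (found, missing): modules resolved somewhere in @INC, and
    {module: [probed paths]} for those every @INC directory lacks."""
    found, probed = set(), defaultdict(list)
    for line in strace_text.splitlines():
        m = STAT_RE.match(line)
        if not m:
            continue
        path, ret, _err = m.groups()
        mod = module_of(path)
        if mod is None:
            continue
        probed[mod].append(path)
        if ret == "0":
            found.add(mod)
    missing = {mod: paths for mod, paths in probed.items() if mod not in found}
    return found, missing
```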


Re: [PacketFence-users] Can't start packetfence-httpd.admin.service

2017-07-19 Thread Diego Garcia del Rio via PacketFence-users
No. In my case it's a single-node setup. I was doing an strace on the httpd
process and was seeing a LOT of missing files being referenced.

For example:

stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pm", {st_mode=S_IFREG|0644, st_size=1977, ...}) = 0
open("/usr/local/pf/lib/pf/services/manager/httpd_collector.pm", O_RDONLY) = 7
ioctl(7, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fffb60cc7a0) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(7, 0, SEEK_CUR)   = 0
read(7, "package pf::services::manager::h"..., 8192) = 1977



I'm not running on a super powerful server... but still, it's a 4-core VM
with 8GB of RAM and an SSD... so not too horrible.

I could eventually do a full strace if needed.



On Wed, Jul 19, 2017 at 7:12 PM, Louis Munro <lmu...@inverse.ca> wrote:

> By Jove!
> You are right, of course.
>
> The value to change is indeed TimeoutStartSec.
>
> Are you running a cluster by any chance?
> We are trying to find out why the admin is taking too long to start under
> some configurations and anecdotal evidence points to VIPs playing a role.
>
> Best regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>


Re: [PacketFence-users] Can't start packetfence-httpd.admin.service

2017-07-19 Thread Diego Garcia del Rio via PacketFence-users
Hi Louis,

(sorry to break the thread as I just joined the mailing list and can't
reply to the past message).

In my case, using the ZEN appliance, I noticed that the httpd.admin was
also timing out. If I started httpd manually with the config file, it would
take almost 3 minutes to start. I was playing with the StartLimitInterval=120
parameter and it wasn't working.

Turns out the StartLimitInterval is used to determine the max number of
restarts if the process keeps restarting in a loop. I needed to adjust

TimeoutStartSec=180

(I had to add it to the
/usr/lib/systemd/system/packetfence-httpd.admin.service file as it was
inheriting the default value from systemd)

Anyhow, in my case it worked after this, but the fact that it's taking
almost 3 minutes to start regardless is quite something.

(StartLimitInterval is used together with StartLimitBurst to determine if
the service is starting too often: if there are more than StartLimitBurst
starts within StartLimitInterval, it will set the service to failed.)

Best regards,
Diego
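The TimeoutStartSec versus StartLimitInterval/StartLimitBurst distinction described in this message, as an added Python example (not PacketFence's or systemd's own code): it writes the TimeoutStartSec=180 override as a drop-in under /etc rather than editing the packaged unit in /usr/lib/systemd/system, and models each setting so the effect of the thread's numbers can be checked. The defaults used (90 s start timeout, 10 s interval, burst of 5) are the documented systemd defaults; the unit name and the ~180 s startup come from the thread.

```python
"""Override a slow unit's start timeout, and keep the two knobs apart.

Added example, not PacketFence's or systemd's code. It writes the
TimeoutStartSec=180 from the thread as a drop-in under /etc (a drop-in
survives package upgrades, an edited /usr/lib/systemd/system file does
not) and models what StartLimitInterval/StartLimitBurst govern versus
TimeoutStartSec. Unit name and the ~180 s startup are the thread's.
"""
from pathlib import Path

UNIT = "packetfence-httpd.admin.service"

def render_override(timeout_start_sec):
    """Drop-in body: only the keys being overridden; the rest of the
    unit still comes from the packaged file."""
    return f"[Service]\nTimeoutStartSec={timeout_start_sec}\n"

def write_override(timeout_start_sec, systemd_etc="/etc/systemd/system"):
    """Create <systemd_etc>/<UNIT>.d/override.conf and return its path.
    systemd only reads it after `systemctl daemon-reload`."""
    dropin_dir = Path(systemd_etc) / f"{UNIT}.d"
    dropin_dir.mkdir(parents=True, exist_ok=True)
    path = dropin_dir / "override.conf"
    path.write_text(render_override(timeout_start_sec))
    return path

def start_succeeds(startup_seconds, timeout_start_sec=90):
    """TimeoutStartSec: a start that has not signalled readiness within
    this many seconds is killed and counted as failed. systemd's default
    is 90 s, which a ~180 s httpd.admin start can never meet."""
    return startup_seconds <= timeout_start_sec

def start_limit_trips(start_times, now, interval=10, burst=5):
    """StartLimitInterval/StartLimitBurst: a new start is refused when
    `burst` starts already happened within the last `interval` seconds
    (systemd defaults shown). It limits how often a unit may be started,
    not how long one start may take, so raising it cannot help here."""
    return sum(1 for t in start_times if now - t < interval) >= burst
```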