Re: [PacketFence-users] Attribute User-Password Required

2021-03-27 Thread Durand fabrice via PacketFence-users

Then run the command without the filter and reconnect your device.

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600


On 21-03-27 at 08:29, Joshua Wise via PacketFence-users wrote:
The command appears to run endlessly; I grabbed a snippet that appears to be what is repeated.


(3440) Sat Mar 27 07:25:15 2021: Debug: Received Status-Server Id 51 from 127.0.0.1:51452 to 127.0.0.1:18121 length 50
(3440) Sat Mar 27 07:25:15 2021: Debug: Message-Authenticator = 0x9257e8cab94913463172d8be5663c80b
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Statistics-Type = 15
(3440) Sat Mar 27 07:25:15 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/status
(3440) Sat Mar 27 07:25:15 2021: Debug:   Autz-Type Status-Server {
(3440) Sat Mar 27 07:25:15 2021: Debug:     [ok] = ok
(3440) Sat Mar 27 07:25:15 2021: Debug:   } # Autz-Type Status-Server = ok
(3440) Sat Mar 27 07:25:15 2021: Debug: Sent Access-Accept Id 51 from 127.0.0.1:18121 to 127.0.0.1:51452 length 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Requests = 3441
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Accepts = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Rejects = 2
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Challenges = 16
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Responses = 18
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Accounting-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Accounting-Responses = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Accepts = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Rejects = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Challenges = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Responses = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Accounting-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Accounting-Responses = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: Finished request
(3440) Sat Mar 27 07:25:20 2021: Debug: Cleaning up request packet ID 51 with timestamp +51321


*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com


On Fri, Mar 26, 2021 at 9:00 PM Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hello Joshua,

let's run that:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600 -c '( Calling-Station-Id =~ /78[-:]?4f[-:]?43[-:]?97[-:]?f5[-:]?fe/i )'


And paste the output.

Regards

Fabrice


On 21-03-26 at 18:22, Joshua Wise via PacketFence-users wrote:

RADIUS Reply is empty.

I ran the specified patch, restarted services, same error.

*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com


On Fri, Mar 26, 2

Re: [PacketFence-users] Attribute User-Password Required

2021-03-26 Thread Durand fabrice via PacketFence-users

Hello Joshua,

let's run that:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600 -c '( Calling-Station-Id =~ /78[-:]?4f[-:]?43[-:]?97[-:]?f5[-:]?fe/i )'



And paste the output.

Regards

Fabrice


On 21-03-26 at 18:22, Joshua Wise via PacketFence-users wrote:

RADIUS Reply is empty.

I ran the specified patch, restarted services, same error.

*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com 


On Fri, Mar 26, 2021 at 1:47 PM Ludovic Zammit wrote:


I have never seen that error message.

It needs more investigation.

What is the radius reply given by pf for that authentication? It is just below the radius request.

Did you patch your server with:

/usr/local/pf/addons/pf-maint.pl

Then restart all pf services:

/usr/local/pf/bin/pfcmd service pf restart

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)






On Mar 26, 2021, at 2:24 PM, Joshua Wise <joshuaw...@celinaisd.com> wrote:

RADIUS Request Audit log:

NAS-Port-Type = Wireless-802.11
PacketFence-Outer-User = "testw...@celinaisd.com"
PacketFence-Radius-Ip = "10.56.64.44"
Service-Type = Framed-User
Called-Station-Id = "00-1A-1E-01-EC-98-cisd.1x"
State = 0x6f17c8406f1fd21550a9f72c8da28ab6
FreeRADIUS-Proxied-To = 127.0.0.1
Realm = "default"
NAS-IP-Address = 10.56.64.44
PacketFence-NTLMv2-Only = ""
Calling-Station-Id = "78:4f:43:97:f5:fe"
Aruba-Essid-Name = "cisd.1x"
PacketFence-KeyBalanced = "e779e78c1ea9a92dab5dc5d6d30a8dc7"
PacketFence-Domain = "celinaisd"
Aruba-AP-Group = "CS701"
User-Name = "testw...@celinaisd.com"
Aruba-Location-Id = "ADMIN-MDF-AP16"
NAS-Identifier = "10.56.64.222"
Event-Timestamp = "Mar 25 2021 08:33:08 CDT"
EAP-Message = 0x020800511a0208004c316ec62dd3023b6ff16890ed459e79818b175ed1760cce67ff48491f88d067ce8bc17ec36c65b75de60074657374776966694063656c696e616973642e636f6d
Stripped-User-Name = "testwifi"
NAS-Port = 0
Framed-MTU = 1100
EAP-Type = MSCHAPv2
PacketFence-UserNameAttribute = "testw...@celinaisd.com"
Module-Failure-Message = "celinaisd: Attribute \"User-Password\" is required for authentication"
User-Password = "**"
SQL-User-Name = "testw...@celinaisd.com"

*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com 


On Fri, Mar 26, 2021 at 12:12 PM Ludovic Zammit <lzam...@inverse.ca> wrote:

For that radius request, go check Auditing and show me the
radius request.
Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)









On Mar 26, 2021, at 8:43 AM, Joshua Wise <joshuaw...@celinaisd.com> wrote:

Here we go:

Mar 26 07:40:11 packetfence auth[2770]: (10350)   Login incorrect (celinaisd: Attribute "User-Password" is required for authentication): [testw...@celinaisd.com] (from client 10.56.64.222/32 port 0 cli 78:4f:43:97:f5:fe via TLS tunnel)
Mar 26 07:40:11 packetfence auth[2770]: [mac:78:4f:43:97:f5:fe] Rejected user: testw...@celinaisd.com
Mar 26 07:40:11 packetfence auth[2770]: (10351) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [testw...@celinaisd.com] (from client 10.56.64.222/32 port 0 cli 78:4f:43:97:f5:fe)
*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com 


On Fri, Mar 26, 2021 at 7:00 AM Ludovic Zammit <lzam...@inverse.ca> wrote:

That's not good; you should have something in the log related to that MAC address. Try another computer or clear the cache info related to your MAC in the wifi controller.

Check:

grep MAC_ADDRESS /usr/local/pf/logs/radius.log

Use 00:11:22:33:44:55 for the MAC address format.

Thanks,

Ludovic Zammit
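The two commands in this thread need the same MAC in two different shapes: Fabrice's raddebug filter uses an unlang regex with an optional separator after every octet and a trailing `/i`, while Ludovic's grep wants the colon-separated lowercase form that radius.log uses. The helper below is an added example, not code from the thread or from PacketFence; it derives both forms from a MAC typed in any common notation and checks the regex against sample Calling-Station-Id values before anything is run. The MAC, socket path and log path are the ones quoted above.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the 12 lowercase hex digits of a MAC address.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and
    aabbccddeeff. Anything else raises ValueError, so a typo never turns
    into a raddebug filter that silently matches nothing.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def octets(mac):
    d = normalize_mac(mac)
    return [d[i:i + 2] for i in range(0, 12, 2)]


def mac_colon(mac):
    """The 00:11:22:33:44:55 form that PacketFence writes into radius.log."""
    return ":".join(octets(mac))


def calling_station_id_regex(mac):
    """Unlang regex matching the MAC however the NAS happens to format it.

    Every octet may be followed by an optional '-' or ':' ([-:]?) and the
    trailing /i makes the match case-insensitive, so 78:4F:43:97:F5:FE,
    78-4f-43-97-f5-fe and 784f4397f5fe all satisfy the same filter.
    """
    return "/" + "[-:]?".join(octets(mac)) + "/i"


def matches_calling_station_id(mac, value):
    """Evaluate the unlang regex with Python's re (unanchored search,
    case-insensitive), to sanity-check the filter before running raddebug."""
    pattern = calling_station_id_regex(mac)[1:-2]   # drop the '/' and '/i' delimiters
    return re.search(pattern, value, re.IGNORECASE) is not None


def raddebug_command(mac, sock="/usr/local/pf/var/run/radiusd.sock", timeout=3600):
    """The raddebug invocation from the thread, filtered on this MAC."""
    cond = f"( Calling-Station-Id =~ {calling_station_id_regex(mac)} )"
    return f"raddebug -f {sock} -t {timeout} -c '{cond}'"


def grep_command(mac, log="/usr/local/pf/logs/radius.log"):
    """Ludovic's grep, with the MAC in the format radius.log uses."""
    return f"grep {mac_colon(mac)} {log}"


if __name__ == "__main__":
    client = "78:4F:43:97:F5:FE"   # the client from this thread
    print(raddebug_command(client))
    print(grep_command(client))
```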

Re: [PacketFence-users] fingerbank api calls and PC with static IP (no DHCP)

2021-03-09 Thread Durand fabrice via PacketFence-users

Hello Daniele,

What I think happens is that the device c0:3f:d5:bb:b3:22 authenticates over and over, and each time PacketFence queries Fingerbank (because there is not enough information).


So first you need to check why you have so many auth/acct in such a short period of time, and fix it.


Next, if you can, forward the production DHCP to PacketFence in order to feed Fingerbank.


Let me know if it helps.

Regards

Fabrice



On 21-03-09 at 02:03, Daniele via PacketFence-users wrote:

Hello Fabrice,
these are the complete logs

Mar  9 07:43:58 ese fingerbank-collector: [GIN] 2021/03/09 - 07:43:58 | 200 | 133.193µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
Mar  9 07:43:58 ese fingerbank_httpd.aaa: httpd.aaa(1866) WARN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
Mar  9 07:43:58 ese fingerbank_httpd.aaa: httpd.aaa(1866) INFO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
Mar  9 07:43:58 ese fingerbank-collector: [GIN] 2021/03/09 - 07:43:58 | 200 | 145.607165ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
Mar  9 07:43:58 ese fingerbank_httpd.aaa: httpd.aaa(1866) INFO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)


Thanks

Regards

Daniele


On Tue, 9 Mar 2021 at 03:00, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hello Daniel,

what is the process doing all those queries? (It's at the beginning of the lines you pasted.)

Thanks

Regards

Fabrice


On 21-03-07 at 05:05, Daniele via PacketFence-users wrote:

Hi all,
I have encountered a problem regarding Fingerbank with some PCs with static IP under dot1x authentication.
The dot1x authentication of these PCs is successful, but the fingerbank collector makes numerous requests to api.fingerbank.
Five PCs alone exhaust the 300 requests per hour of the free account. All other PCs (hundreds) are profiled correctly and make no further requests.
I report the logs of one of these PCs, which has generated 20 requests to the APIs in 10 minutes.

Best regards,
Daniele

15:33:56 | 200 | 101.287µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:34:08 | 200 | 96.003µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:34:09 | 200 | 140.9671ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)
15:34:26 | 200 | 123.631µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:34:38 | 200 | 94.558µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:34:39 | 200 | 168.078307ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)
15:34:56 | 200 | 111.802µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:35:08 | 200 | 99.633µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:35:09 | 200 | 153.311229ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)
15:35:26 | 200 | 112.129µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:35:38 | 200 | 102.694µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5

Re: [PacketFence-users] VLANs assignation for HP Procurve 2824 switch

2021-03-09 Thread Durand fabrice via PacketFence-users

Can you share what you configured on the switch?

Do you see anything in the radius.log file?

On 21-03-09 at 08:25, Robin Cortat wrote:


Precisely and simply, this is what I want to do:

A device plugs into the switch; is this device part of my AD? If yes, 
it joins my company VLAN, if not, it joins an isolation VLAN.


I really need your help because this is an important and decisive 
project for me. I think the problem is that I don't know exactly how 
and what commands I need to perform on my switch and in packetfence to 
achieve this.


Thank you in advance for your answer.


*From:* Robin Cortat
*Sent:* Tuesday, 9 March 2021 07:15
*To:* 'packetfence-users@lists.sourceforge.net'
*Cc:* Durand fabrice
*Subject:* RE: [PacketFence-users] VLANs assignation for HP Procurve 2824 switch


Hello,

Theoretically, there are 2 VLANs on the switch.

I followed the Network Devices Configuration Guide to configure my 
switch, the HP ProCurve 2500 Series chapter.


On PacketFence, I linked my AD and added my switch. I created a 
connection profile saying that if the device that plugs into my switch 
was part of the AD, it would be on VLAN 1, and if it wasn't, it would 
be on VLAN 2.


But there is no indication that it works.

Is what I did theoretically correct?

*From:* Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
*Sent:* Tuesday, 9 March 2021 02:53
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice <fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] VLANs assignation for HP Procurve 2824 switch


Hello Robin,

what is the configuration you applied on the switch?

What has been done on the PacketFence side?

Do you have any logs?

Regards

Fabrice

On 21-03-08 at 10:15, Robin Cortat via PacketFence-users wrote:

Hello,

I use an HP ProCurve 2824 switch, and the only thing I would like
to do with PacketFence is to assign VLANs to devices that would
connect to the switch based on authentication rules.

Unfortunately, after hours and hours of reading documentation and
testing, I did not get what I wanted. Isn't there a simple way to
achieve this solution?

Thank you very much for your answer.



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users



Re: [PacketFence-users] vulnerability check with OID

2021-03-08 Thread Durand fabrice via PacketFence-users

Hello Enrico,

you can try that:

edit https://github.com/inverse-inc/packetfence/blob/maintenance/8.3/lib/pf/factory/condition/violation.pm#L45

and replace equals by regex; then you will be able to use a regex for the OID.


Regards

Fabrice

On 21-03-07 at 02:21, Enrico Becchetti via PacketFence-users wrote:

Dear all,

I have an installation of PF version 8.3 with various backends, three network profiles, an intrusion detector and a server to check the compliance of the hosts connecting to the network.

It is an installation made about 3 years ago which is working without any problems.


Now I need validation from the community on the compliance feature. When configuring a violation, the manual says that you must specify all the individual OIDs of the related vulnerabilities that must be kept under control. What does this mean?

Does it mean that PF reacts, executing the action specified in the trigger, only following a vulnerability that I've written in the list?

If this is true, it means that I have to write an extremely long list of codes in advance and keep it constantly updated, and (even if you can probably cover more OIDs with a wildcard character or simply by not specifying the final part of the number (*.)) with this mechanism I can't manage the overall vulnerability level but only individual bugs.


I use Greenbone / OpenVAS, but from the manual I read that a similar thing can be done with Nessus.


Could you tell me, why does PF read a single OID instead of the overall result produced by the scanners, which is a number from 0 to 10, and why does it execute an action only when this value is higher than a certain level?


I believe that this possibility, if it is not already present, would 
be very welcome to many users.


Lots of thanks!
Best Regards
Enrico







Re: [PacketFence-users] fingerbank api calls and PC with static IP (no DHCP)

2021-03-08 Thread Durand fabrice via PacketFence-users

Hello Daniel,

what is the process doing all those queries? (It's at the beginning of the lines you pasted.)


Thanks

Regards

Fabrice


On 21-03-07 at 05:05, Daniele via PacketFence-users wrote:

Hi all,
I have encountered a problem regarding Fingerbank with some PCs with static IP under dot1x authentication.
The dot1x authentication of these PCs is successful, but the fingerbank collector makes numerous requests to api.fingerbank.
Five PCs alone exhaust the 300 requests per hour of the free account. All other PCs (hundreds) are profiled correctly and make no further requests.
I report the logs of one of these PCs, which has generated 20 requests to the APIs in 10 minutes.


Best regards,
Daniele

15:33:56 | 200 | 101.287µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:34:08 | 200 | 96.003µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:34:09 | 200 | 140.9671ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)
15:34:26 | 200 | 123.631µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:34:38 | 200 | 94.558µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:34:39 | 200 | 168.078307ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)
15:34:56 | 200 | 111.802µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:35:08 | 200 | 99.633µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:35:09 | 200 | 153.311229ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)
15:35:26 | 200 | 112.129µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:35:38 | 200 | 102.694µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:35:39 | 200 | 162.126044ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)
15:35:56 | 200 | 120.64µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:36:08 | 200 | 65.229µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:36:09 | 200 | 144.720367ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)
15:36:26 | 200 | 115.692µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
15:36:38 | 200 | 115.507µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
RN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
FO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
15:36:39 | 200 | 177.595355ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
FO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. 
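Fabrice's diagnosis in the later reply on this thread (the endpoint re-authenticates constantly and every authentication triggers another upstream Fingerbank lookup) can be checked directly from the fingerbank_httpd.aaa log Daniele pasted here and in the earlier post. The script below is an added example, not code from the thread or from PacketFence: it counts the "Successfully interrogate upstream Fingerbank" lines per MAC and reports the peak number in any 60-minute window, which is what counts against the 300-requests-per-hour quota. The sample log lines are constructed to match Daniele's format (same host name, process id and MAC); the second endpoint, the year and the 30-per-hour default threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line like this is logged per upstream (api.fingerbank) lookup. The
# syslog prefix carries no year, so the caller supplies one.
UPSTREAM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ fingerbank_httpd\.aaa: "
    r"\S+ INFO: \[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] "
    r"Successfully interrogate upstream Fingerbank"
)


def parse_upstream_queries(lines, year=2021):
    """Return {mac: [timestamp, ...]} with one entry per upstream lookup.

    Collector GIN lines, the local-DB WARN/INFO lines and anything else that
    does not cost an API request are skipped.
    """
    events = defaultdict(list)
    for line in lines:
        m = UPSTREAM_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["mac"]].append(ts)
    return dict(events)


def max_in_window(times, window):
    """Largest number of timestamps inside any interval of length `window`
    (two-pointer sweep over the sorted list)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def noisy_endpoints(lines, threshold=30, window=timedelta(hours=1), year=2021):
    """MACs whose peak upstream-query count within one `window` reaches
    `threshold`, busiest first. The default is an assumption: at 30 per
    hour, ten such endpoints consume the free tier's 300 requests per hour."""
    per_mac = parse_upstream_queries(lines, year)
    peaks = {mac: max_in_window(ts, window) for mac, ts in per_mac.items()}
    return sorted(((mac, n) for mac, n in peaks.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample log modelled on Daniele's lines: the noisy PC is queried
# upstream every 30 seconds; the second endpoint (invented) is looked up once.
NOISY = "c0:3f:d5:bb:b3:22"
QUIET = "aa:bb:cc:dd:ee:ff"


def _aaa(ts, msg):
    return f"Mar  9 {ts} ese fingerbank_httpd.aaa: httpd.aaa(1866) {msg}"


def _collector(ts, path):
    return (f"Mar  9 {ts} ese fingerbank-collector: [GIN] 2021/03/09 - {ts} | 200 | "
            f"140.9671ms | 127.0.0.1 | GET {path}")


UPSTREAM_MSG = ("Successfully interrogate upstream Fingerbank project for matching. "
                "Got device : 5778 (fingerbank::Source::Collector::match)")
LOCAL_MISS = ("Cannot find any combination ID in any schemas "
              "(fingerbank::Source::LocalDB::_getCombinationID)")

SAMPLE_LOG = []
for _t in ("15:34:09", "15:34:39", "15:35:09", "15:35:39", "15:36:09", "15:36:39"):
    SAMPLE_LOG.append(_aaa(_t, f"WARN: [mac:{NOISY}] {LOCAL_MISS}"))
    SAMPLE_LOG.append(_collector(_t, f"/endpoint_data/{NOISY}/details"))
    SAMPLE_LOG.append(_aaa(_t, f"INFO: [mac:{NOISY}] {UPSTREAM_MSG}"))
SAMPLE_LOG.append(_aaa("15:40:00", f"INFO: [mac:{QUIET}] {UPSTREAM_MSG}"))

if __name__ == "__main__":
    for mac, peak in noisy_endpoints(SAMPLE_LOG, threshold=5):
        print(f"{mac}: {peak} upstream Fingerbank queries within one hour")
```

On a real box, feed it the fingerbank_httpd.aaa lines from /usr/local/pf/logs and compare the flagged MACs with the auth/acct volume in radius.log, as Fabrice suggests.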

Re: [PacketFence-users] PacketFence

2021-03-08 Thread Durand fabrice via PacketFence-users

Hello Pavit,

do you have the logs on the packetfence side when you try to authenticate?

Thanks

Regards

Fabrice


On 21-03-08 at 09:36, Pavit Maddy wrote:

Greetings to all

We have added new cisco9300 catalyst switches in our environment for 
dot1x authentication using Packetfence. These new switches have been 
configured in the same way as we configured cisco2960-x Switch.

But when debugging dot1x events, we came across a message

*%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (..) on Interface GigabitEthernet1/0/28 AuditSessionID 1180FC0A0047DE238CC2. Failure reason: Authc fail.*

What does this event indicate?

Regards


Re: [PacketFence-users] VLANs assignation for HP Procurve 2824 switch

2021-03-08 Thread Durand fabrice via PacketFence-users

Hello Robin,

what is the configuration you applied on the switch?

What has been done on the PacketFence side?

Do you have any logs?

Regards

Fabrice



On 21-03-08 at 10:15, Robin Cortat via PacketFence-users wrote:


Hello,

I use an HP ProCurve 2824 switch, and the only thing I would like to 
do with PacketFence is to assign VLANs to devices that would connect 
to the switch based on authentication rules.


Unfortunately, after hours and hours of reading documentation and 
testing, I did not get what I wanted. Isn't there a simple way to 
achieve this solution?


Thank you very much for your answer.





Re: [PacketFence-users] No role computed by any sources

2021-02-18 Thread Durand fabrice via PacketFence-users

Hello Adrian,

your issue is just because you use sAMAccountName as the user attribute, and it should be servicePrincipalName.


Regards

Fabrice


On 21-02-17 at 03:59, Adrian Dessaigne via PacketFence-users wrote:

Hello Fabrice,

Here is a log for one host. It repeats with the same info for other hosts on later authentications:


Feb 17 08:34:44 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] handling radius autz request: from switch_ip => (@switchIP), connection_type => Ethernet-EAP,switch_mac => (50:06:ab:89:d0:08), mac => [f8:b4:6a:ae:4a:3d], port => 50308, username => "host/PC191102.domain.local" (pf::radius::authorize)
Feb 17 08:34:44 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] is doing machine auth with account 'host/PC191102.domain.local'. (pf::radius::authorize)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Instantiate profile 802.1X (pf::Connection::ProfileFactory::_from_profile)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Found authentication source(s) : 'SourceAD1' for realm 'domain.local' (pf::config::util::filter_authentication_sources)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Using sources SourceAD1 for matching (pf::authentication::match2)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1 CatchAll] Searching for (sAMAccountName=host/PC191102.domain.local), from OU=BRESTAIM-Utilisateurs,DC=sopab,DC=fr, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] LDAP testing connection (pf::LDAP::expire_if)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] Error binding: 'Connexion ré-initialisée par le correspondant' (pf::LDAP::log_error_msg)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] LDAP connection expired (pf::LDAP::expire_if)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] Error connecting to domain.local:389 using encryption none (pf::LDAP::compute_connection)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1] Unable to connect to domain.local (pf::Authentication::Source::LDAPSource::_connect)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1] Unable to connect to any LDAP server (pf::Authentication::Source::LDAPSource::_connect)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)

Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Found authentication source(s) : 'SourceAD1' for realm 'domain.local' (pf::config::util::filter_authentication_sources)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Username was defined "host/PC191102.domain.local" - returning role 'default' (pf::role::getRegisteredRole)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] PID: "host/PC191102.domain.local", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] No parameter defaultVlan found in conf/switches.conf for the switch @switchIP (pf::Switch::getVlanByName)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] security_event 133 force-closed for f8:b4:6a:ae:4a:3d (pf::security_event::security_event_force_close)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Instantiate profile 802.1X (pf::Connection::ProfileFactory::_from_profile)


Looks like I have AD issues...
However, when looking in the AD logs, I see the credential validation for the computer "PC191102.domain.local" and all PacketFence-related queries are "Success".
We do have multiple DCs under the DN; should I use an IP address instead in my configuration?


Regards,
Adrian.


Re: [PacketFence-users] No role computed by any sources

2021-02-16 Thread Durand fabrice via PacketFence-users

Hello Adrian,

can you share the packetfence.log file when you try to connect ?

Regards

Fabrice


On 21-02-16 at 11:12, Adrian Dessaigne via PacketFence-users wrote:

Hi everyone,

I'm slowly integrating PacketFence on a new infrastrucutre. I've 
configured everything as shown in the documentation and with my 
personnal experience.

However, I'm facing a small issues and it look random.

I have an authentication source pointing on the "Computer OU" to do 
computer auth.
Some connect without any issues, the device get auto registered, get 
the good role etc etc.
But some computer won't connect at all, it get rejected with the 
Reply-Message = "no role computed by any sources"

I got one case, I just had to shut and no shut the port on the switch :
Between these two frames, the hosts was trying to authenticate via MAB.

The weird thing is, it's the same authentication source and all 
computers are in the same OU.


Domain is joined, REALMs are configured with the only domain available.
Connection profile filters:
Any
Connection type: Ethernet-EAP
Sources: Devices Source

Authentication source config:
Base DN: OU=Computer,DC=domain,DC=fr
Attribute: servicePrincipalName
Filter:
Any
No conditions
Action: Role: default
Access duration: 12h

I've also tried with "Role On Not Found"; I have the same issue.

Any thoughts on that?

Thanks for your help,
Adrian.


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2021-02-10 Thread Durand fabrice via PacketFence-users

Hello Robert,

to answer this question, i need the packetfence.log

Regards

Fabrice


On 21-02-10 at 20:19, Robert McNutt wrote:


I actually set this up this way also but the vlan filter still returns 
a radius accept to the switch even though it’s sending a REJECT. Is 
there any way for this method to not send the radius accept but 
instead a radius Reject?






On Wed, Feb 10, 2021 at 7:47 PM Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:


Hello Robert,

it's more a vlan filter that you have to do.

[RejectUnauthorizedRoleMAB]
run_actions=enabled
status=enabled
top_op=and
description=RejectUnauthorizedRoleMAB
scopes=RegisteredRole
role=REJECT
condition=connection_type == "Ethernet-NoEAP" && !((node_info.category == "gaming" || node_info.category == "guest"))

Regards

Fabrice


On 21-02-09 at 17:00, Robert McNutt via PacketFence-users wrote:

Still struggling with this logic which I think should be simple.

We're trying to set up a radius filter to only allow MAB for
devices with a specific role... for example IP phones and
printers. We have an issue where Macintoshes and some PCs just
default to MAB and they get access to their trusted VLAN. This
seems to defeat the purpose of NAC, but it seems like there should
be a way to only allow 802.1X for some devices and only MAB for
others.

Has anyone else run into this or have any ideas to not fall back
to MAB for some devices?
Robert McNutt


On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit
<lzam...@inverse.ca> wrote:

Hello Robert,

A fix has been done yesterday regarding the connection type:


https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0

Apply the maintenance branch and check if it fixes it.

/usr/local/pf/addons/pf-maint.pl

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145)  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
PacketFence (http://packetfence.org)






On Apr 22, 2020, at 3:58 PM, Robert McNutt via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

I'm trying to set a radius filter to block mac auth for any
devices assigned to roles that should only auth via PEAP or
EAP-TLS...

For example, if a port has a phone and computer plugged in,
the phone will do mac auth but the computer should never get
a radius accept for mac auth... what's happening by default
is if a computer fails dot1x auth it then falls back to mac
auth and PF accepts it because the node was registered...
this is what I'm trying to prevent...

I set up a radius filter as such:

connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")

It never matches... But if I change the logic to be NOT
Ethernet-EAP, everything matches, EAP and not EAP... it
seems as if the connection_type isn't actually being read by
the filter parsing... Am I missing something?


Robert McNutt






--
Robert McNutt


Re: [PacketFence-users] AUTH status accept after reject

2021-02-10 Thread Durand fabrice via PacketFence-users

Hello Baykal,

you can just disable MAB on the switch port.

Regards

Fabrice


On 21-02-09 at 00:12, Baykal Torogeldi Uulu via PacketFence-users wrote:


Hello!!!
I am trying to restrict access to the company network to domain computers only.
A non-domain device's auth status shows Accept after a Reject status. The Accept
status is for the MAC address of the computer and the Reject status for the user
authenticated on the computer.

Can someone tell me what I can do?
Below is my config for authentication.
[image attachments not reproduced in the archive]




Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2021-02-10 Thread Durand fabrice via PacketFence-users

Hello Robert,

it's more a vlan filter that you have to do.

[RejectUnauthorizedRoleMAB]
run_actions=enabled
status=enabled
top_op=and
description=RejectUnauthorizedRoleMAB
scopes=RegisteredRole
role=REJECT
condition=connection_type == "Ethernet-NoEAP" && !((node_info.category == "gaming" || node_info.category == "guest"))


Regards

Fabrice


On 21-02-09 at 17:00, Robert McNutt via PacketFence-users wrote:

Still struggling with this logic which I think should be simple.

We're trying to set up a radius filter to only allow MAB for devices
with a specific role... for example IP phones and printers. We have an
issue where Macintoshes and some PCs just default to MAB and they get
access to their trusted VLAN. This seems to defeat the purpose of NAC,
but it seems like there should be a way to only allow 802.1X for some
devices and only MAB for others.


Has anyone else run into this or have any ideas to not fall back to 
MAB for some devices?

Robert McNutt


On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit wrote:


Hello Robert,

A fix has been done yesterday regarding the connection type:


https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0

Apply the maintenance branch and check if it fixes it.

/usr/local/pf/addons/pf-maint.pl 

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145)  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)






On Apr 22, 2020, at 3:58 PM, Robert McNutt via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

I'm trying to set a radius filter to block mac auth for any
devices assigned to roles that should only auth via PEAP or
EAP-TLS...

For example, if a port has a phone and computer plugged in, the
phone will do mac auth but the computer should never get a radius
accept for mac auth... what's happening by default is if a
computer fails dot1x auth it then falls back to mac auth and PF
accepts it because the node was registered... this is what I'm
trying to prevent...

I set up a radius filter as such:

connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")

It never matches... But if I change the logic to be NOT
Ethernet-EAP, everything matches, EAP and not EAP... it seems as
if the connection_type isn't actually being read by the filter
parsing... Am I missing something?


Robert McNutt




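The RejectUnauthorizedRoleMAB vlan filter proposed in this reply (and quoted again in the follow-up reply earlier on this page) is the kind of rule worth checking offline before it is deployed. The block below is an added example and is not PacketFence code nor PacketFence's own filter engine: it parses the condition syntax shown in the thread (==, !=, !, &&, ||, parentheses, dotted names) and evaluates it over constructed sample connections. The category names gaming, guest and CORP-LAN come from the thread; the `tokenize`, `evaluate` and `apply_filter` functions, the `_Parser` class and the `SAMPLE_CONNECTIONS` records are this example's own, and the `REJECT` label it reports is only the role the filter would select, not a simulation of the RADIUS reply that follows.

```python
"""Evaluate PacketFence-style vlan filter conditions against sample nodes.

Added example, not PacketFence code: a small parser for the condition syntax
used in the thread (==, !=, !, &&, ||, parentheses, dotted names), run over
constructed node records to see which connections the RejectUnauthorizedRoleMAB
filter would hand to role=REJECT."""
import re

# The condition from the [RejectUnauthorizedRoleMAB] section quoted above.
FILTER_CONDITION = ('connection_type == "Ethernet-NoEAP" && '
                    '!((node_info.category == "gaming" || node_info.category == "guest"))')

_TOKEN = re.compile(r'\s*(?:(&&|\|\||==|!=|!|\(|\))|"([^"]*)"|([A-Za-z_][\w.]*))')

def tokenize(text):
    """Split a condition into ('op' | 'str' | 'name', value) tokens."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {text[pos:]!r}")
        op, string, name = m.groups()
        tokens.append(("op", op) if op else ("str", string) if string is not None else ("name", name))
        pos = m.end()
    return tokens

class _Parser:
    """Recursive descent: or_expr > and_expr > not_expr > primary. Both sides of
    && and || are always evaluated so that every token gets consumed."""

    def __init__(self, tokens, context):
        self.tokens, self.pos, self.context = tokens, 0, context

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self, kind=None, value=None):
        token = self.peek()
        if token[0] is None or (kind and token[0] != kind) or (value and token[1] != value):
            raise ValueError(f"unexpected token {token}")
        self.pos += 1
        return token

    def or_expr(self):
        result = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            result = self.and_expr() or result
        return result

    def and_expr(self):
        result = self.not_expr()
        while self.peek() == ("op", "&&"):
            self.take()
            result = self.not_expr() and result
        return result

    def not_expr(self):
        if self.peek() == ("op", "!"):
            self.take()
            return not self.not_expr()
        return self.primary()

    def primary(self):
        if self.peek() == ("op", "("):
            self.take()
            result = self.or_expr()
            self.take("op", ")")
            return result
        name, op, literal = self.take("name")[1], self.take("op")[1], self.take("str")[1]
        if op not in ("==", "!="):
            raise ValueError(f"expected a comparison, got {op!r}")
        actual = self.context.get(name)   # an absent attribute is None and never equal
        return actual == literal if op == "==" else actual != literal

def evaluate(condition, context):
    """True when `condition` matches a flat {attribute: value} context."""
    parser = _Parser(tokenize(condition), context)
    result = parser.or_expr()
    if parser.peek()[0] is not None:
        raise ValueError(f"trailing tokens from position {parser.pos}")
    return result

# Constructed sample connections using the category names from the thread.
SAMPLE_CONNECTIONS = [
    ("guest-phone-mab", {"connection_type": "Ethernet-NoEAP", "node_info.category": "guest"}),
    ("gaming-box-mab", {"connection_type": "Ethernet-NoEAP", "node_info.category": "gaming"}),
    ("corp-laptop-mab", {"connection_type": "Ethernet-NoEAP", "node_info.category": "CORP-LAN"}),
    ("corp-laptop-dot1x", {"connection_type": "Ethernet-EAP", "node_info.category": "CORP-LAN"}),
]

def apply_filter(connections, condition=FILTER_CONDITION, role="REJECT"):
    """Pair each connection with `role` when the filter matches, else None."""
    return [(name, role if evaluate(condition, ctx) else None) for name, ctx in connections]

if __name__ == "__main__":
    for name, outcome in apply_filter(SAMPLE_CONNECTIONS):
        print(f"{name:18s} -> {outcome or 'normal role computation'}")
```

Only the MAB connection from a role outside the allowed list matches, which is the case Robert wants rejected; 802.1X connections and MAB from the listed roles fall through to normal role computation. Whether the switch then receives an Access-Reject is the question Robert raises in the follow-up, and this evaluator does not answer it.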


Re: [PacketFence-users] Issue with iptables and clustering

2021-01-08 Thread Durand fabrice via PacketFence-users

Hello Chuck,


is it a cluster of 3?


Because line 313 refers to @ha_ints, which is used for a cluster of 2
(old cluster config).


Did you define ha interfaces in pf.conf?


Regards

Fabrice



On 21-01-04 at 09:14, Chuck Gentry via PacketFence-users wrote:
Ever since I have configured a cluster, I am unable to start the
iptables module.


Error that I am receiving in the journal.
Can't locate object method "STORE" via package 
"pfconfig::cached_array" at /usr/local/pf/lib/pf/iptables.pm line 313. 
(pf::iptables::generate_filter_if_src_to_chain)


PF version 10.2.0, ZEN deployment

Things to note, I have 3 VLAN interfaces configured, type: other, 
portal, registration.  I am not using any of these interfaces at the 
moment.  I was just playing around with them. They are in the cluster.conf


Thank you in advance.


*Confidentiality Notice*: This email message, including any 
attachments, is for the sole use of the intended recipient(s) and may 
contain confidential and privileged information. Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not 
the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message.






Re: [PacketFence-users] Mikrotik COA

2020-12-11 Thread Durand fabrice via PacketFence-users

btw you can try to add:

'Calling-Station-Id' => $mac,

here:

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230


On 20-12-11 at 20:31, Durand fabrice via PacketFence-users wrote:

The code needs to be updated:


https://forum.mikrotik.com/viewtopic.php?t=33063


On 20-12-11 at 14:28, Enrique Gross via PacketFence-users wrote:

Hi PF users! Hope you are all doing well

Hi Fabrice,

I have read the mail Adrian sent you regarding COA and Mikrotik. I
have been using SSH to disconnect CAPSMAN devices, but I was
interested in using Radius COA.

This is the output of radsniff after successful registration at the
captive portal; the role is assigned but no disconnection is made

2020-12-11 16:18:39.352569 (1) Disconnect-Request Id 219
any:192.168.67.86:56875 -> 192.168.67.254:3799 +0.000
 User-Name = "C2:F7:64:FB:0E:69"
 Authenticator-Field = 0x677a789c11f3586ec7e73859e5b3080a
2020-12-11 16:18:39.375064 (2) Disconnect-NAK Id 219
any:192.168.67.86:56875 <- 192.168.67.254:3799 +0.022 +0.022
 NAS-Identifier = "MK-IBERA2"
 Error-Cause = Unsupported-Extension
 Authenticator-Field = 0xb6261e8e06e5ecf78db2049bea689396
2020-12-11 16:18:44.575064 (1) Cleaning up request packet ID 219

This is the Mikrotik side of the log:

16:18:39 radius,debug,packet received Disconnect-Request with id 219
from 192.168.67.86:56875
16:18:39 radius,debug,packet Signature = 0x677a789c11f3586ec7e73859e5b3080a
16:18:39 radius,debug,packet User-Name = "C2:F7:64:FB:0E:69"
16:18:39 radius,debug received remote request 25
code=Disconnect-Request from 192.168.67.86:56875
16:18:39 radius,debug sending Disconnect-NAK to remote request 25
16:18:39 radius,debug,packet sending Disconnect-NAK with id 219 to
192.168.67.86:56875
16:18:39 radius,debug,packet Signature = 0xb6261e8e06e5ecf78db2049bea689396
16:18:39 radius,debug,packet Error-Cause = 406
16:18:39 radius,debug,packet NAS-Identifier = "MK-IBERA2"

Thanks for your help,

Enrique











Re: [PacketFence-users] Mikrotik COA

2020-12-11 Thread Durand fabrice via PacketFence-users

The code needs to be updated:


https://forum.mikrotik.com/viewtopic.php?t=33063


On 20-12-11 at 14:28, Enrique Gross via PacketFence-users wrote:

Hi PF users! Hope you are all doing well

Hi Fabrice,

I have read the mail Adrian sent you regarding COA and Mikrotik. I
have been using SSH to disconnect CAPSMAN devices, but I was
interested in using Radius COA.

This is the output of radsniff after successful registration at the
captive portal; the role is assigned but no disconnection is made

2020-12-11 16:18:39.352569 (1) Disconnect-Request Id 219
any:192.168.67.86:56875 -> 192.168.67.254:3799 +0.000
 User-Name = "C2:F7:64:FB:0E:69"
 Authenticator-Field = 0x677a789c11f3586ec7e73859e5b3080a
2020-12-11 16:18:39.375064 (2) Disconnect-NAK Id 219
any:192.168.67.86:56875 <- 192.168.67.254:3799 +0.022 +0.022
 NAS-Identifier = "MK-IBERA2"
 Error-Cause = Unsupported-Extension
 Authenticator-Field = 0xb6261e8e06e5ecf78db2049bea689396
2020-12-11 16:18:44.575064 (1) Cleaning up request packet ID 219

This is the Mikrotik side of the log:

16:18:39 radius,debug,packet received Disconnect-Request with id 219
from 192.168.67.86:56875
16:18:39 radius,debug,packet Signature = 0x677a789c11f3586ec7e73859e5b3080a
16:18:39 radius,debug,packet User-Name = "C2:F7:64:FB:0E:69"
16:18:39 radius,debug received remote request 25
code=Disconnect-Request from 192.168.67.86:56875
16:18:39 radius,debug sending Disconnect-NAK to remote request 25
16:18:39 radius,debug,packet sending Disconnect-NAK with id 219 to
192.168.67.86:56875
16:18:39 radius,debug,packet Signature = 0xb6261e8e06e5ecf78db2049bea689396
16:18:39 radius,debug,packet Error-Cause = 406
16:18:39 radius,debug,packet NAS-Identifier = "MK-IBERA2"

Thanks for your help,

Enrique







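The radsniff capture quoted in this message (and again in the follow-up message earlier on this page) shows a Disconnect-Request answered by a Disconnect-NAK carrying Error-Cause 406 (Unsupported-Extension). The block below is an added example and is not PacketFence or RouterOS code: it builds an RFC 5176 Disconnect-Request the way a NAC server would, validates the reply's Response Authenticator before reading Error-Cause, and uses a constructed stand-in NAS (`stub_nas`) that NAKs with 406 unless Calling-Station-Id is present. That NAK rule only models Fabrice's suggestion of adding Calling-Station-Id; it is not verified Mikrotik behaviour. The shared secret is made up; Id 219, the User-Name and the NAS-Identifier are taken from the capture.

```python
"""RFC 5176 Disconnect-Request / Disconnect-NAK exchange like the radsniff
capture in the thread. Added example, not PacketFence or RouterOS code: the
shared secret, the stand-in NAS and its NAK rule are constructed for the demo."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, NAS_IDENTIFIER, ERROR_CAUSE = 1, 31, 32, 101

# RFC 5176 Error-Cause values; 406 is the one the Mikrotik returned in the capture.
ERROR_CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
                403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
                405: "Unsupported-Service", 406: "Unsupported-Extension",
                407: "Invalid-Attribute-Value", 501: "Administratively-Prohibited",
                503: "Session-Context-Not-Found", 506: "Resources-Unavailable"}

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for attr_type, value in attrs:
        raw = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        if len(raw) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(raw) + 2) + raw
    return out

def decode_attrs(data):
    """Inverse of encode_attrs; rejects lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_request(ident, secret, attrs):
    """Disconnect-Request; Request Authenticator = MD5(header | 16 zero octets | attrs | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def build_response(code, request, secret, attrs):
    """Disconnect-ACK/NAK; Response Authenticator = MD5(header | RequestAuth | attrs | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def parse_response(packet, request, secret):
    """Validate a reply against the request it answers before trusting any attribute."""
    if len(packet) < 20:
        raise ValueError("truncated packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != request[1]:
        raise ValueError("length or identifier does not match the outstanding request")
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: reply is not from the NAS, dropped")
    names = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}
    result = {"code": names.get(code, code), "error_cause": None, "nas_identifier": None}
    for attr_type, raw in decode_attrs(packet[20:]):
        if attr_type == ERROR_CAUSE:
            num = struct.unpack("!I", raw)[0] if len(raw) == 4 else -1
            result["error_cause"] = (num, ERROR_CAUSES.get(num, "unknown"))
        elif attr_type == NAS_IDENTIFIER:
            result["nas_identifier"] = raw.decode()
    return result

def stub_nas(request, secret):
    """Constructed stand-in for the NAS: verifies the Request Authenticator, then NAKs
    with 406 exactly as in the capture unless Calling-Station-Id is present. That rule
    models the suggestion made in the thread, not verified RouterOS behaviour."""
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    if not hmac.compare_digest(expected, request[4:20]):
        raise ValueError("Request Authenticator does not verify: request dropped")
    if CALLING_STATION_ID not in {attr_type for attr_type, _ in decode_attrs(request[20:])}:
        return build_response(DISCONNECT_NAK, request, secret,
                              [(NAS_IDENTIFIER, "MK-IBERA2"), (ERROR_CAUSE, 406)])
    return build_response(DISCONNECT_ACK, request, secret, [(NAS_IDENTIFIER, "MK-IBERA2")])

def disconnect(mac, secret=b"constructed-secret", with_calling_station_id=False):
    """Send one Disconnect-Request for `mac` (Id 219 as in the capture) and parse the reply."""
    attrs = [(USER_NAME, mac)] + ([(CALLING_STATION_ID, mac)] if with_calling_station_id else [])
    request = build_request(219, secret, attrs)
    return parse_response(stub_nas(request, secret), request, secret)

if __name__ == "__main__":
    print(disconnect("C2:F7:64:FB:0E:69"))
    print(disconnect("C2:F7:64:FB:0E:69", with_calling_station_id=True))
```

The authenticator check is the operationally important part: a Disconnect-ACK or NAK whose Response Authenticator does not verify under the shared secret is discarded rather than logged as the NAS's answer, so a stray or spoofed datagram on UDP 3799 cannot make the NAC server believe a session was torn down (or that the NAS refused). The same check on the NAS side is why the shared secret must be set identically on both ends before the Error-Cause is worth interpreting.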


Re: [PacketFence-users] Unable to create Rapid7 scan Engine

2020-12-10 Thread Durand fabrice via PacketFence-users

Hello Daniel,

it looks to be a bug, I will open an issue.

Regards

Fabrice

On 20-12-10 at 18:20, Daniele wrote:

Hi Fabrice,
the error is at line 51, not 5.
Excuse me


"pfperl-api: Use of uninitialized value $type in concatenation (.) or string at
/usr/local/pf/lib/pf/factory/scan.pm *line 51*"

On Thu 10 Dec 2020 at 11:22 Daniele
<danyrom...@tiscali.it> wrote:


Hi Fabrice,
this is the scan.conf

[test-openvas]
ip=172.31.128.31
duration=20s
categories=
port=9390
registration=0
username=openvas-admin
post_registration=0
password=xxx
pre_registration=0
oses=
type=openvas

There is only the openvas test scan.
When I try to create rapid7 scan in the gui, it writes nothing in
the scan.conf file (the gui displays the two errors)
If I write a rapid7 scan directly in the file, the IP address
disappears in the gui

Thanks and regards, Daniele


On Thu 10 Dec 2020 at 03:07 Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Daniele,

can you post the scan.conf file ?

Regards

Fabrice


On 20-12-09 at 14:35, Daniele via PacketFence-users wrote:

Hi all, I am using the latest version of packetfence, 10.2.0,
on Centos 7.9. When I try to configure a new rapid7 scan
engine, I get the following two errors in the gui:
"Unable to validateconfig/scans"
"host: Please specify the hostname or IP of the scan engine"
Simultaneously, I get the following error in /var/log/messages:
"pfperl-api: Use of uninitialized value $type in
concatenation (.) or string at
/usr/local/pf/lib/pf/factory/scan.pm line 5"
I've filled all the fields correctly, including "Hostname or
IP Address". Thanks and regards, Daniele






Re: [PacketFence-users] SMTP configuration to send PIN out via SMS

2020-12-10 Thread Durand fabrice via PacketFence-users
Most of the time I am doing that with postfix directly (it helps to see
errors when sending emails).


So you can install postfix, set relayhost = x.x.x.x and create a 
sender_canonical to rewrite the sender.


Also the sender is supposed to be set in alerting.fromaddr 
https://github.com/inverse-inc/packetfence/blob/devel/conf/pf.conf.defaults#L183



Regards

Fabrice


On 20-12-10 at 02:40, E.P. via PacketFence-users wrote:


Maybe this question has been already asked and I’m too lazy to google 
it but maybe someone has a fresh knowledge about it.


I’m trying to configure SMTP server on PF to send emails out and 
specifically the PIN via SMS gateways.


I created an email account for this purpose on the internal mail
server, but the mail server rejects all attempts to send mail out
because of the mismatch between the authentication username and the MAIL FROM header


Here’s an extract from the log file in the mail server:

Wed 2020-12-09 23:32:06.635: Authenticating packetfe...@options.bc.ca...

Wed 2020-12-09 23:32:06.636: Authenticated as packetfe...@options.bc.ca

Wed 2020-12-09 23:32:06.636: --> 235 2.7.0 Authentication successful

Wed 2020-12-09 23:32:06.637: <-- MAIL FROM:

Wed 2020-12-09 23:32:06.638: --> 550 5.7.0 Authentication rejected

Wed 2020-12-09 23:32:06.638: Authentication does not match address 
given in MAIL command


Where would I change r...@pf.options.bc.ca for packetfe...@pf.options.bc.ca?


Eugene





Re: [PacketFence-users] Issues with Captive Portal and Unifi Wireless

2020-12-10 Thread Durand fabrice via PacketFence-users

Hello Eugene,

the error means that packetfence is not able to contact the api.

Wrong username/password ?

Regards

Fabrice


On 20-12-10 at 01:35, E.P. wrote:


Thank you, Fabrice, as usual !

Yes, it looks like the maintenance patch was not applied (pf-maint.pl) 
as it started pulling lots of packages when I started it.


But to my frustration it all ended up with nothing:

[root@pf conf]# /usr/local/pf/bin/pfcmd pfcron ubiquiti_ap_mac_to_ip

Died at /usr/local/pf/lib/pf/Switch/Ubiquiti/Unifi.pm line 204.

Once again, I’m a bit confused. If I decide to define all APs by IP 
addresses (and I’d better do because there are many and they are all 
in one 172.19.0.0/16 subnet) then I can have one entry in 
switches.conf file


[172.19.0.0]

description=Ubiquiti APs

ExternalPortalEnforcement=Y

type=Ubiquiti::Unifi

controllerIp=172.16.0.XXX

wsTransport=HTTPS

wsUser=admin

wsPwd=X

But if I decide to have every individual AP added then I need to have 
as many MAC based entries as I have all APs and all of them sharing 
the section for Unifi controller IP ?


Eugene

*From:* Durand fabrice via PacketFence-users
*Sent:* Wednesday, December 09, 2020 5:45 PM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice
*Subject:* Re: [PacketFence-users] Issues with Captive Portal and
Unifi Wireless


Hello Eugene,

the probable issue is that the switch is not defined on the
packetfence side. (18:e8:29:93:52:a8)


But you can add a switch range on pf (like 192.168.0.0/24 as switch
id, set the controller ip and set the http credentials to connect to
the api) and there is a pfcron task that will try to find all the bssids
of all the APs and will map the mac of each AP to its ip.


First use the latest version + the maintenance patch (pf-maint.pl) and 
to force the task do:


./sbin/pfcron ubiquiti_ap_mac_to_ip

to see what you have in the cache:

./bin/pfcmd cache switch_distributed list

You should be able to see Ubiquiti-18:e8:29:93:52:a8 in the cache.

Then retry hitting the portal.

Regards

Fabrice

On 20-12-08 at 23:23, ypefti--- via PacketFence-users wrote:

Guys,

I’m resurrecting the old topic that I’ve never brought to a
conclusion and implementation.

Asking for a second opinion of those who could do it and for
Fabrice and Ludovic expertise.

Please help me! I do believe Inverse team tested their product
with Unifi WiFi.

I redirect a guest portal from Unifi to PF by using their option
called “use external portal server”

The endpoint normally associates to a guest SSID and web page
comes up showing this error.

pf.options.bc.ca resolves normally to the IP address of PF that
has the captive portal listening on that IP address.

What drives me mad and is unknown to me is how this URL is formed
and why this URL contains the directory of Unifi controller, i.e.
q4b0wgkk.

Of course it doesn’t exist on PF and to me it is a reason I see
“Not implemented”.

What am I missing? I can also attach captures done during this
connection attempt.

Eugene







Re: [PacketFence-users] Issues with Captive Portal and Unifi Wireless

2020-12-09 Thread Durand fabrice via PacketFence-users

Hello Eugene,

the probable issue is that the switch is not defined on the
packetfence side. (18:e8:29:93:52:a8)


But you can add a switch range on pf (like 192.168.0.0/24 as switch id,
set the controller ip and set the http credentials to connect to the api)
and there is a pfcron task that will try to find all the bssids of all the
APs and will map the mac of each AP to its ip.


First use the latest version + the maintenance patch (pf-maint.pl) and 
to force the task do:


./sbin/pfcron ubiquiti_ap_mac_to_ip

to see what you have in the cache:

./bin/pfcmd cache switch_distributed list

You should be able to see Ubiquiti-18:e8:29:93:52:a8 in the cache.

Then retry hitting the portal.

Regards

Fabrice


On 20-12-08 at 23:23, ypefti--- via PacketFence-users wrote:


Guys,

I’m resurrecting the old topic that I’ve never brought to a conclusion 
and implementation.


Asking for a second opinion of those who could do it and for Fabrice 
and Ludovic expertise.


Please help me! I do believe Inverse team tested their product with 
Unifi WiFi.


I redirect a guest portal from Unifi to PF by using their option 
called “use external portal server”


The endpoint normally associates to a guest SSID and web page comes up 
showing this error.


pf.options.bc.ca resolves normally to the IP address of PF that has
the captive portal listening on that IP address.


What drives me mad and is unknown to me is how this URL is formed and 
why this URL contains the directory of Unifi controller, i.e. q4b0wgkk.


Of course it doesn’t exist on PF and to me it is a reason I see “Not 
implemented”.


What am I missing? I can also attach captures done during this
connection attempt.


Eugene





Re: [PacketFence-users] Unable to create Rapid7 scan Engine

2020-12-09 Thread Durand fabrice via PacketFence-users

Hello Daniele,

can you post the scan.conf file ?

Regards

Fabrice


On 20-12-09 at 14:35, Daniele via PacketFence-users wrote:
Hi all, I am using the latest version of packetfence, 10.2.0, on 
Centos 7.9. When I try to configure a new rapid7 scan engine, I get 
the following two errors in the gui:

"Unable to validateconfig/scans"
"host: Please specify the hostname or IP of the scan engine"
Simultaneously, I get the following error in /var/log/messages:
"pfperl-api: Use of uninitialized value $type in concatenation (.) or
string at /usr/local/pf/lib/pf/factory/scan.pm line 5"
I've filled all the fields correctly, including "Hostname or IP 
Address". Thanks and regards, Daniele





Re: [PacketFence-users] Packetfence Wireless-802.11-EAP authentication successfull, but sent to registration pending after some time

2020-12-09 Thread Durand fabrice via PacketFence-users

Hello Florian,

it looks like you have a provisioner configured on the connection
profile WLAN_EAP.


Can you remove it and retry ?

Regards

Fabrice


On 20-12-09 at 03:52, Krug, Florian via PacketFence-users wrote:


Dear Community,

I have strange behaviour from Packetfence, and cannot find the
problem. I am using Packetfence 10.2.0 on a CentOS system. As
wireless APs we are using Unifi Pro APs.


Authentication through our MSI PKI for wireless access with client
certificates is working successfully, but after some time I can see
the attached problem in packetfence.log


The node is then set back to pending and to the registration VLAN. The only
workaround is to set the nodes back to registered to get the client VLAN.


Hope you can guide me in the right direction.

Dec  9 08:35:09 packetfence packetfence: pfperl-api(15879) INFO: Using 
300 resolution threshold (pf::pfcron::task::cluster_check::run)


Dec  9 08:35:09 packetfence packetfence: pfperl-api(15879) INFO: All 
cluster members are running the same configuration version 
(pf::pfcron::task::cluster_check::run)


Dec  9 08:35:09 packetfence packetfence: pfperl-api(25991) INFO: 
processed 0 security_events during security_event maintenance 
(1607499309.17937 1607499309.18552) 
(pf::security_event::security_event_maintenance)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] processing 
delayed security_event : 98, 132 
(pf::security_event::_security_event_run_delayed)


Dec  9 08:35:09 packetfence packetfence: pfperl-api(25991) INFO: 
processed 1 security_events during security_event maintenance 
(1607499309.18683 1607499309.19435) 
(pf::security_event::security_event_maintenance)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] security_event 
for mac 28:16:a8:56:d0:d4 security_event_id 132 modified 
(pf::security_event::security_event_modify)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) WARN: [mac:28:16:a8:56:d0:d4] Warning: 1265: 
Data truncated for column 'release_date' at row 1 (pf::dal::db_execute)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] executing action 
'log' on class 132 (pf::action::action_execute)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] 
/usr/local/pf/logs/security_event.log 2020-12-09 08:35:09: 
Provisioning Enforcement (132) detected on node 28:16:a8:56:d0:d4 
(10.11.1.157) (pf::action::action_log)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] executing action 
'enforce_provisioning' on class 132 (pf::action::action_execute)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] Instantiate 
profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) WARN: [mac:28:16:a8:56:d0:d4] 
28:16:a8:56:d0:d4 is not authorized anymore with it's provisionner. 
Putting node as pending. (pf::action::action_enforce_provisioning)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] re-evaluating 
access (manage_vopen called) (pf::enforcement::reevaluate_access)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] Instantiate 
profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] is currentlog 
connected at (10.99.1.128) ifIndex 0 Client 
(pf::enforcement::_should_we_reassign_vlan)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] is of status 
pending; belongs into registration VLAN (pf::role::getRegistrationRole)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] VLAN 
reassignment required (current VLAN = 11 but should be in VLAN 201) 
(pf::enforcement::_should_we_reassign_vlan)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] switch port is 
(10.99.1.128) ifIndex 0connection type: WiFi 802.1X 
(pf::enforcement::_vlan_reevaluation)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] this is a 
non-reevaluate-access security_event, closing security_event entry now 
(pf::action::action_execute)


Dec  9 08:35:09 packetfence packetfence_httpd.webservices: 
httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] security_event 
132 force-closed for 28:16:a8:56:d0:d4 

Re: [PacketFence-users] Future of CentOS and PacketFence

2020-12-09 Thread Durand fabrice via PacketFence-users

There is still support for Centos 7 until 2024.

We also support Debian 9 (we have to go on Debian 10) and there is also 
Rocky Linux announced.


Next months will tell us more.


On 20-12-08 at 20:20, Christian McDonald via PacketFence-users wrote:

https://blog.centos.org/2020/12/future-is-centos-stream/

Any idea how this announcement today will impact PacketFence moving 
forward?

--
*R. Christian McDonald *
M: (616) 856-9291
E: rcmcdonal...@gmail.com 




Re: [PacketFence-users] Mikrotik: de-association of node fails due to missing SSH credentials

2020-12-09 Thread Durand fabrice via PacketFence-users

Hello Adrian,

try:

radsniff -i any -f "port 3799" -x

and paste the debug.

Regards
Fabrice

On 20-12-08 at 16:19, Adrian D'Atri-Guiran wrote:

Hi Fabrice,

When I use RADIUS instead of SSH for deauthentication method, I 
receive the following errors in my packetfence log:
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) INFO: [mac:5c:e0:c5:c1:d6:fd] 
[5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.60) 
(pf::api::desAssociate)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 
5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is 
set, we will use controller 10.2.2.60 to perform deauth 
(pf::Switch::Mikrotik::radiusDisconnect)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) ERROR: [mac:5c:e0:c5:c1:d6:fd] Trying to save 
a NULL value in a non nullable field radius_audit_log.mac 
(pf::dal::validate_field)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) ERROR: [mac:5c:e0:c5:c1:d6:fd] Skipping 
invalid value (NULL) in when inserting field radius_audit_log.mac 
(pf::dal::_insert_data)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) WARN: [mac:5c:e0:c5:c1:d6:fd] Warning: 1364: 
Field 'mac' doesn't have a default value (pf::dal::db_execute)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) INFO: [mac:5c:e0:c5:c1:d6:fd] 
[5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.60) 
(pf::api::desAssociate)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 
5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is 
set, we will use controller 10.2.2.60 to perform deauth 
(pf::Switch::Mikrotik::radiusDisconnect)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) ERROR: [mac:5c:e0:c5:c1:d6:fd] Trying to save 
a NULL value in a non nullable field radius_audit_log.mac 
(pf::dal::validate_field)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) ERROR: [mac:5c:e0:c5:c1:d6:fd] Skipping 
invalid value (NULL) in when inserting field radius_audit_log.mac 
(pf::dal::_insert_data)
Dec  8 16:13:42 radius packetfence_httpd.webservices: 
httpd.webservices(4423) WARN: [mac:5c:e0:c5:c1:d6:fd] Warning: 1364: 
Field 'mac' doesn't have a default value (pf::dal::db_execute)


And on the mikrotik side, I receive this error in the log:
Radius disconnect with no ip provided

Thanks!

On Mon, Dec 7, 2020 at 6:12 PM Durand fabrice via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:


Try that instead:


# Temporary diagnostic only: this writes the CLI password to the log in
# clear text, so remove it once the credential lookup has been confirmed.
$logger->info("SSH connection to mikrotik access point with credentials: username "
    . $self->{_cliUser} . " password " . $self->{_cliPwd});


Also, why don't you use the RADIUS disconnect method?


On 20-12-07 at 19:10, Adrian D'Atri-Guiran via PacketFence-users wrote:

Hello,

I have followed the guide as per:

https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_command_line_interface_telnet_and_ssh
and I cannot find the place in Configuration → Policies and
Access Control → Switches
to add the credentials, so I have added them to my switches.conf
file
grep '10.2.2.60' /usr/local/pf/conf/switches.conf -A 9
[10.2.2.60]
deauthMethod=SSH
description=CAP AC
controllerIp=10.2.2.60
type=Mikrotik
cliTransport=SSH
cliUser=admin
cliPwd=
ExternalPortalEnforcement=Y
radiusSecret=
registrationVlan=102
isolationVlan=103

But when I try to de-associate a node I receive an error:
ERROR: [mac:12:e1:f9:6d:95:4a] Can't call method "exec" on an
undefined value at /usr/local/pf/lib/pf/Switch/Mikrotik.pm line 343.

I did a bit of digging and added a line of debugging here:

https://github.com/inverse-inc/packetfence/blob/1369b3819f3b1986d11da2bd75925187d7a62b00/lib/pf/Switch/Mikrotik.pm#L337
I added:
$logger->info("SSH connection to mikrotik access point with
credentials:$self->{_cliUser}, $self->{_cliPwd}");
then restarted.  I see the line printing in my logs, but the login
and password are blank.  Somehow my settings from switches.conf
are not making it to the deauthenticateMacSSH subroutine.
Dec  7 18:39:24 radius packetfence_httpd.webservices:
httpd.webservices(4423) INFO: [mac:12:e1:f9:6d:95:4a] SSH
connection to mikrotik access point with credentials:,
 (pf::Switch::Mikrotik::deauthenticateMacSSH)

Thank you for your help,
Adrian




Re: [PacketFence-users] 802.1x HP ProCurve 2824

2020-12-09 Thread Durand fabrice via PacketFence-users

Hello Robin,

can you paste the config of the switch, switches.conf and pf.conf? 
(Remove sensitive info.)


Regards

Fabrice


On 20-12-08 at 09:50, Robin Cortat via PacketFence-users wrote:


Hello,

I am following chapter 5 of the installation guide. I am using an HP 
ProCurve 2824 switch, so I'm following the 
Network_Devices_Configuration_Guide chapter ProCurve 2500 and 2600 
series at the same time. However, having followed all the steps in 
chapter 5 of the installation guide, it is impossible for me to get to 
the final result: Connect the Microsoft Windows 7 endpoint on port no. 
10 from the Cisco Catalyst 2960 switch. From Microsoft Windows, a 
popup should appear prompting you for a username and password.


What should I do?

Thank you for your answer,

Robin





Re: [PacketFence-users] Mikrotik: de-association of node fails due to missing SSH credentials

2020-12-07 Thread Durand fabrice via PacketFence-users

Try that instead:


# Temporary diagnostic only: this writes the CLI password to the log in
# clear text, so remove it once the credential lookup has been confirmed.
$logger->info("SSH connection to mikrotik access point with credentials: username "
    . $self->{_cliUser} . " password " . $self->{_cliPwd});



Also, why don't you use the RADIUS disconnect method?


On 20-12-07 at 19:10, Adrian D'Atri-Guiran via PacketFence-users wrote:

Hello,

I have followed the guide as per:
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_command_line_interface_telnet_and_ssh
and I cannot find the place in Configuration → Policies and Access 
Control → Switches

to add the credentials, so I have added them to my switches.conf file
grep '10.2.2.60' /usr/local/pf/conf/switches.conf -A 9
[10.2.2.60]
deauthMethod=SSH
description=CAP AC
controllerIp=10.2.2.60
type=Mikrotik
cliTransport=SSH
cliUser=admin
cliPwd=
ExternalPortalEnforcement=Y
radiusSecret=
registrationVlan=102
isolationVlan=103

But when I try to de-associate a node I receive an error:
ERROR: [mac:12:e1:f9:6d:95:4a] Can't call method "exec" on an 
undefined value at /usr/local/pf/lib/pf/Switch/Mikrotik.pm line 343.


I did a bit of digging and added a line of debugging here:
https://github.com/inverse-inc/packetfence/blob/1369b3819f3b1986d11da2bd75925187d7a62b00/lib/pf/Switch/Mikrotik.pm#L337
I added:
$logger->info("SSH connection to mikrotik access point with 
credentials:$self->{_cliUser}, $self->{_cliPwd}");
then restarted.  I see the line printing in my logs, but the login and 
password are blank.  Somehow my settings from switches.conf are not 
making it to the deauthenticateMacSSH subroutine.
Dec  7 18:39:24 radius packetfence_httpd.webservices: 
httpd.webservices(4423) INFO: [mac:12:e1:f9:6d:95:4a] SSH connection 
to mikrotik access point with credentials:, 
 (pf::Switch::Mikrotik::deauthenticateMacSSH)


Thank you for your help,
Adrian





Re: [PacketFence-users] PF ZEN 10.2.0 - Authenticate with Active Directory using email address

2020-11-30 Thread Durand fabrice via PacketFence-users

Yes, I know, I did the code for that.

Btw, you can use any kind of LDAP attribute.


On 20-11-30 at 16:25, Eric Schubert wrote:

Thanks, Fabrice. This worked perfectly.

Eric Schubert

*From:* Durand fabrice via PacketFence-users
*Sent:* Wednesday, November 25, 2020 8:21 PM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice
*Subject:* Re: [PacketFence-users] PF ZEN 10.2.0 - Authenticate with 
Active Directory using email address


Hello Eric,


In the AD authentication source, add the search attribute UserPrincipalName.




Then in the realm config (the DEFAULT one) enable "Custom attributes" 
and select your AD source.




Then you need to restart radius.


Regards

Fabrice


On 20-11-24 at 21:29, Eric Schubert via PacketFence-users wrote:

Hello,

I've been experimenting with PacketFence for NAC for a couple weeks 
now. We're running ZEN, updated to PF 10.2.0 yesterday. Based on 
endless threads on various forums, it would appear we're not the only 
outfit looking to use email addresses for authentication. For the 
life of me, I can't figure out how to configure authentication 
against Active Directory using UserPrincipalName, mail, or any 
attribute other than sAMAccountName. I've tried AD and LDAP and what 
feels like a million combination of settings experiments. I followed 
the installation instructions to a tee. Authentication using 
sAMAccountName works fine, drops me in the right VLAN, registers my 
device, etc. When I try an email address (associated with the same 
sAMAccountName) with known-to-be-correct password, authentication 
fails with the following:


Module-Failure-Message = "chrooted_mschap: Program returned code (1) 
and output 'The attempted logon is invalid. This is either due to a 
bad username or authentication information. (0xc06d)'"
Module-Failure-Message = "chrooted_mschap: External script says: The 
attempted logon is invalid. This is either due to a bad username or 
authentication information. (0xc06d)"
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is 
incorrect"


Occasionally (and I say "occasionally" because it's not consistent 
behavior), authentication seems to be successful via email address; 
I'm greeted with a certificate I trust, then a message on the user 
device (iOS 14.1) saying "Unable to join the network". I then try 
immediately after with the same credentials and am greeted with only 
the "Unable to join the network" message. If I try with just 
sAMAccountName, no problem.


At one point, the user created in PF after successful authentication 
even brought over attributes from AD properly. I deleted the user so 
I could try authenticating with email address again, but those 
attributes no longer populate, even using sAMAccountName. That only 
happened once out of 100+ authentication tests.


Is there any firm documentation or an example config that I can 
reference to set up Active Directory authentication using something 
other than sAMAccountName that doesn't require manually modifying 
files? I'd prefer to control the config via built-in GUI features so 
as not to have to re-create changes if they're wiped out during updates.


Thank you,

Eric Schubert




Re: [PacketFence-users] RADIUS as authentication source - Unable to perform RADIUS authentication on any server: ERECVFAIL

2020-11-27 Thread Durand fabrice via PacketFence-users
> 0, username => "5c:e0:c5:c1:d6:fd", ssid
=> Rook Hotel Unifi (pf::radius::authorize)
INFO: [mac:5c:e0:c5:c1:d6:fd] Instantiate profile RookHotelGuest
(pf::Connection::ProfileFactory::_from_profile)
INFO: [mac:5c:e0:c5:c1:d6:fd] Found authentication source(s) : 'local'
for realm 'null' (pf::config::util::filter_authentication_sources)
INFO: [mac:5c:e0:c5:c1:d6:fd] Connection type is MAC-AUTH. Getting
role from node_info (pf::role::getRegisteredRole)
INFO: [mac:5c:e0:c5:c1:d6:fd] Username was defined "5c:e0:c5:c1:d6:fd"
- returning role 'room906' (pf::role::getRegisteredRole)
INFO: [mac:5c:e0:c5:c1:d6:fd] PID: "room906", Status: reg Returned
VLAN: (undefined), Role: room906 (pf::role::fetchRoleForNode)
WARN: [mac:5c:e0:c5:c1:d6:fd] No parameter room906Vlan found in
conf/switches.conf for the switch 10.2.2.59
(pf::Switch::getVlanByName)
INFO: [mac:5c:e0:c5:c1:d6:fd] Match rule DynamicVLAN
(pf::access_filter::radius::test)

On Wed, Nov 25, 2020 at 6:09 PM Durand fabrice  wrote:

Hello Adrian,

there are multiple ways.

First one, fill the roles.conf file:

[room1]
max_nodes_per_pid=0
notes=Room1 devices

[room2]
max_nodes_per_pid=0
notes=Room2 devices

[room3]
max_nodes_per_pid=0
notes=Room3 devices


...

Then run addons/upgrade/to-7.0-roles-conf.pl (it will insert them in the
db).

Next you can check how a user is created from the admin GUI (enable dev
mode in Chrome and check the network tab to see what the request and
the payload are).


Second one (a little bit more advanced)

You need to have the users in packetfence, then add this in
radius_filters.conf:

[DynamicVLAN]
answer.1=reply:Tunnel-Type = VLAN
status=enabled
answer.0=reply:Tunnel-Medium-Type = IEEE-802
description=Return VLAN id based on the room number
scopes=returnRadiusAccessAccept
radius_status=RLM_MODULE_OK
merge_answer=no
answer.2=reply:Tunnel-Private-Group-Id =
${BuildFromMatch($node_info.pid,"^room(\d+)$","$1")}
condition=node_info.pid =~ "room(\\d+)" && node_info.status == "reg"


So it means that if the device is reg and the pid is room(digit), then it
returns the vlan id (digit).

So for example, if the device has the pid room101, then packetfence will
return the vlan id 101.

room102 -> vlan 102

...

I hope it will help.

Regards

Fabrice


On 20-11-25 at 17:47, Adrian D'Atri-Guiran wrote:

Hi Fabrice,

This was helpful.  I have some small problems with this approach
though.  For my building I have 120 rooms.
As I understand, I should add 120 roles -- one for each room.
For each of my access points I should define VLAN ID for each of those
120 roles.
This is a bit tedious but not impossible.

Questions:
1) I looked at the API to see if there is some way to programmatically
create these 120 roles, but there is no method for POST
/api/v1/config/roles. So for bulk role creation this must be done
manually?

2) At guest check in, I wish to programmatically generate a new user
and assign them to this role using the API.  I looked at endpoint:
POST /api/v1/users and this does allow me to create a user, but the
user has no username, and more importantly, there is no way to assign
a role to this user with the API?

3) Is there some way I could use a script or code block to define the
VLAN ID assignment from role? I'm worried that someone will make a
mistake when entering in these VLAN IDs for each of the 120 roles on
each new AP that is installed.

Thank you,
Adrian

On Tue, Nov 24, 2020 at 5:57 PM Durand fabrice  wrote:

Hello Adrian,

create a role for each room (like room101, room102, ...), then in the
switch config define the vlan id for each role.

Btw you need to set the correct role for each user.

Regards

Fabrice


On 20-11-22 at 19:00, Adrian D'Atri-Guiran wrote:

Hello Fabrice,

Thank you, this was immensely helpful.  I now have my users
authenticating and getting past the captive portal.  But I can't
figure out how I should assign them a VLAN? where is this setting?
My goal is 1 vlan per hotel room, i.e. 1 vlan per login.  For example:
Room 101 - username 101 - password (set via API at check in) - vlan 101
Room 102 - username 102 - password (set via API at check in) - vlan 102
Room 103 - username 103 - password (set via API at check in) - vlan 103

Please point me in the right direction to accomplish this.
Thank you,
Adrian

On Fri, Nov 20, 2020 at 7:00 PM Durand fabrice via PacketFence-users
 wrote:

Hello Adrian,

this is not the correct approach and it's not really a good idea to use
the local freeradius server as a source.

What you can do instead is to use the local accounts to authenticate the
users.

Like create a new user in packetfence, assign a role and an access duration.

On a connection profile with let's say a filter based on the SSID name
add the "local" source.

So when you hit the portal, packetfence will instantiate the
correct connection profile and use the local source to authenticate.

Regards

Fabric

Re: [PacketFence-users] RADIUS as authentication source - Unable to perform RADIUS authentication on any server: ERECVFAIL

2020-11-26 Thread Durand fabrice via PacketFence-users
one for each room.
For each of my access points I should define VLAN ID for each of those
120 roles.
This is a bit tedious but not impossible.

Questions:
1) I looked at the API to see if there is some way to programmatically
create these 120 roles, but there is no method for POST
/api/v1/config/roles. So for bulk role creation this must be done
manually?

2) At guest check in, I wish to programmatically generate a new user
and assign them to this role using the API.  I looked at endpoint:
POST /api/v1/users and this does allow me to create a user, but the
user has no username, and more importantly, there is no way to assign
a role to this user with the API?

3) Is there some way I could use a script or code block to define the
VLAN ID assignment from role? I'm worried that someone will make a
mistake when entering in these VLAN IDs for each of the 120 roles on
each new AP that is installed.

Thank you,
Adrian

On Tue, Nov 24, 2020 at 5:57 PM Durand fabrice  wrote:

Hello Adrian,

create a role for each room (like room101, room102, ...), then in the
switch config define the vlan id for each role.

Btw you need to set the correct role for each user.

Regards

Fabrice


On 20-11-22 at 19:00, Adrian D'Atri-Guiran wrote:

Hello Fabrice,

Thank you, this was immensely helpful.  I now have my users
authenticating and getting past the captive portal.  But I can't
figure out how I should assign them a VLAN? where is this setting?
My goal is 1 vlan per hotel room, i.e. 1 vlan per login.  For example:
Room 101 - username 101 - password (set via API at check in) - vlan 101
Room 102 - username 102 - password (set via API at check in) - vlan 102
Room 103 - username 103 - password (set via API at check in) - vlan 103

Please point me in the right direction to accomplish this.
Thank you,
Adrian

On Fri, Nov 20, 2020 at 7:00 PM Durand fabrice via PacketFence-users
 wrote:

Hello Adrian,

this is not the correct approach and it's not really a good idea to use
the local freeradius server as a source.

What you can do instead is to use the local accounts to authenticate the
users.

Like create a new user in packetfence, assign a role and an access duration.

On a connection profile with let's say a filter based on the SSID name
add the "local" source.

So when you hit the portal, packetfence will instantiate the
correct connection profile and use the local source to authenticate.

Regards

Fabrice


On 20-11-20 at 15:23, Adrian D'Atri-Guiran via PacketFence-users wrote:

Hello,

I am attempting to set up packetfence 10.2 on Debian 9. My goal is to
have users authenticate via a captive portal, and have each user
mapped to a unique and specific VLAN.  As far as I am aware, the only way
to accomplish this is via authentication with RADIUS.  I would like to
know if this would be possible using only packetfence as the
authentication / user manager; if so, which authentication source do I
use? Otherwise, if radius is required, please review my problem below.

On /admin/alt#/configuration/sources
I have added an internal source, RADIUS, in the config for this source
I have defined the host as 127.0.0.1 and port 18120 and secret.
(I have also tried 10.2.2.254 as the host, and a wide variety of
different ports.)
https://i.imgur.com/SBFPctS.png

In /admin/alt#/configuration/realms
I have added RADIUS with the following config: https://i.imgur.com/0yektXa.png

In /admin/alt#/configuration/interfaces
I have one interface defined, with daemons `portal` and `radius`
https://i.imgur.com/Sc1S7V6.png

I have added a user to the top of:
$ head -n 1 /usr/local/pf/raddb/users
test Cleartext-Password := "qwerty"

When I direct my computer to 10.2.2.254/captive-portal I receive a
captive portal, and after checking the box I get the login prompt.
When I enter 'test' and 'qwerty' I receive this error in
/usr/local/pf/logs/packetfence.log:
ERROR: [mac:68:f7:28:e1:a6:26] Unable to perform RADIUS authentication
on any server: ERECVFAIL
(pf::Authentication::Source::RADIUSSource::_handle_radius_request)
and at the same time I receive no new messages in /usr/local/pf/logs/radius.log

I have tried to test using radtest, and at first I was unsuccessful,
until I changed the radius config
in:/usr/local/pf/conf/radiusd/auth.conf
To enable it to bind to a port other than port 0. Note: this feels
really wrong, should I really have to be changing these configs to get
Radius working with packetfence?
listen {
ipaddr = [% ip %]
port = 0
type = auth
virtual_server = [% virtual_server %]
}
to:
listen {
ipaddr = [% ip %]
port = 18120
type = auth
virtual_server = [% virtual_server %]
}

After this change I was able to confirm radius was sort of working with:
radtest test qwerty2 10.2.2.254:18120 12 redacted_shared_secret
I receive:
Sent Access-Request Id 221 from 0.0.0.0:43344 to 10.2.2.254:18120 length 75
User-Name = &q

Re: [PacketFence-users] RADIUS as authentication source - Unable to perform RADIUS authentication on any server: ERECVFAIL

2020-11-25 Thread Durand fabrice via PacketFence-users

Hello Adrian,

there are multiple ways.

First one, fill the roles.conf file:

[room1]
max_nodes_per_pid=0
notes=Room1 devices

[room2]
max_nodes_per_pid=0
notes=Room2 devices

[room3]
max_nodes_per_pid=0
notes=Room3 devices


...

Then run addons/upgrade/to-7.0-roles-conf.pl (it will insert them in the 
db).


Next you can check how a user is created from the admin GUI (enable dev 
mode in Chrome and check the network tab to see what the request and 
the payload are).



Second one (a little bit more advanced)

You need to have the users in packetfence, then add this in 
radius_filters.conf:


[DynamicVLAN]
answer.1=reply:Tunnel-Type = VLAN
status=enabled
answer.0=reply:Tunnel-Medium-Type = IEEE-802
description=Return VLAN id based on the room number
scopes=returnRadiusAccessAccept
radius_status=RLM_MODULE_OK
merge_answer=no
answer.2=reply:Tunnel-Private-Group-Id = 
${BuildFromMatch($node_info.pid,"^room(\d+)$","$1")}

condition=node_info.pid =~ "room(\\d+)" && node_info.status == "reg"


So it means that if the device is reg and the pid is room(digit), then it 
returns the vlan id (digit).


So for example, if the device has the pid room101, then packetfence will 
return the vlan id 101.


room102 -> vlan 102

...

I hope it will help.

Regards

Fabrice
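The two approaches in the reply above, simulated as an added example (not PacketFence's own code): generating the roles.conf sections for a block of rooms, and replaying the [DynamicVLAN] entry from radius_filters.conf against constructed node records. All function names, the VLAN sanity check and the node records are this example's own, and the behaviour of BuildFromMatch when its pattern does not match is an assumption (empty string).

```python
"""Added example, not PacketFence code: models the roles.conf and
[DynamicVLAN] approaches from the message against constructed node records."""
import configparser
import re

# The filter exactly as given in the message (constructed copy for the demo).
RADIUS_FILTERS_CONF = r"""
[DynamicVLAN]
answer.1=reply:Tunnel-Type = VLAN
status=enabled
answer.0=reply:Tunnel-Medium-Type = IEEE-802
description=Return VLAN id based on the room number
scopes=returnRadiusAccessAccept
radius_status=RLM_MODULE_OK
merge_answer=no
answer.2=reply:Tunnel-Private-Group-Id = ${BuildFromMatch($node_info.pid,"^room(\d+)$","$1")}
condition=node_info.pid =~ "room(\\d+)" && node_info.status == "reg"
"""

# ${BuildFromMatch($node_info.FIELD,"PATTERN","$N")} inside an answer value.
BUILD_FROM_MATCH = re.compile(
    r'\$\{BuildFromMatch\(\$node_info\.(\w+),"([^"]*)","\$(\d+)"\)\}')
# The two clause shapes used by the condition on the page.
CONDITION_MATCH = re.compile(r'node_info\.(\w+) =~ "([^"]*)"')
CONDITION_EQ = re.compile(r'node_info\.(\w+) == "([^"]*)"')


def build_roles_conf(room_numbers):
    """First approach: one roles.conf section per room, in the shape shown
    in the message, ready for addons/upgrade/to-7.0-roles-conf.pl."""
    return "\n".join(
        f"[room{n}]\nmax_nodes_per_pid=0\nnotes=Room{n} devices\n"
        for n in room_numbers)


def load_filter(conf_text, name="DynamicVLAN"):
    """Parse the INI-style filter; interpolation is off so '${...}' survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp[name]


def condition_holds(filt, node_info):
    """Evaluate a condition of the form  a =~ "re" && b == "value"  (the only
    shape this example supports, not a general PacketFence condition parser)."""
    cond = filt["condition"]
    for field, pattern in CONDITION_MATCH.findall(cond):
        # The config file escapes backslashes ("\\d"), so unescape them first.
        # Note the page's regex is unanchored: "bedroom5" satisfies it too.
        pattern = pattern.replace("\\\\", "\\")
        if not re.search(pattern, node_info.get(field, "")):
            return False
    for field, value in CONDITION_EQ.findall(cond):
        if node_info.get(field) != value:
            return False
    return True


def _build_from_match(m, node_info):
    field, pattern, group = m.group(1), m.group(2), int(m.group(3))
    hit = re.search(pattern, node_info.get(field, ""))
    return hit.group(group) if hit else ""  # assumption: empty on no match


def dynamic_vlan_reply(filt, node_info):
    """Second approach: the reply attributes in answer.N order with
    BuildFromMatch expanded, or None when the condition does not hold."""
    if filt.get("status") != "enabled" or not condition_holds(filt, node_info):
        return None
    reply = {}
    answer_keys = sorted((k for k in filt if k.startswith("answer.")),
                         key=lambda k: int(k.split(".")[1]))
    for key in answer_keys:
        attr, _, value = filt[key].partition("=")
        attr = attr.strip().removeprefix("reply:")
        reply[attr] = BUILD_FROM_MATCH.sub(
            lambda m: _build_from_match(m, node_info), value.strip())
    return reply


def vlan_reply_is_valid(reply):
    """Defensive check before sending the Access-Accept: the VLAN id must be
    a legal 802.1Q id (1-4094). The unanchored condition plus the anchored
    BuildFromMatch can otherwise yield an empty Tunnel-Private-Group-Id."""
    if reply is None:
        return False
    vid = reply.get("Tunnel-Private-Group-Id", "")
    return vid.isdigit() and 1 <= int(vid) <= 4094


if __name__ == "__main__":
    print(build_roles_conf(range(101, 104)))
    filt = load_filter(RADIUS_FILTERS_CONF)
    # Constructed node records in the shape PacketFence logs them above.
    for node in ({"pid": "room101", "status": "reg"},
                 {"pid": "room101", "status": "unreg"},
                 {"pid": "bedroom5", "status": "reg"}):
        reply = dynamic_vlan_reply(filt, node)
        verdict = "send" if vlan_reply_is_valid(reply) else "REJECT"
        print(node, "->", reply, verdict)
```

Anchoring the condition regex on both ends (`^room(\d+)$`, as BuildFromMatch already does) removes the empty-VLAN case at the source.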


On 20-11-25 at 17:47, Adrian D'Atri-Guiran wrote:

Hi Fabrice,

This was helpful.  I have some small problems with this approach
though.  For my building I have 120 rooms.
As I understand, I should add 120 roles -- one for each room.
For each of my access points I should define VLAN ID for each of those
120 roles.
This is a bit tedious but not impossible.

Questions:
1) I looked at the API to see if there is some way to programmatically
create these 120 roles, but there is no method for POST
/api/v1/config/roles. So for bulk role creation this must be done
manually?

2) At guest check in, I wish to programmatically generate a new user
and assign them to this role using the API.  I looked at endpoint:
POST /api/v1/users and this does allow me to create a user, but the
user has no username, and more importantly, there is no way to assign
a role to this user with the API?

3) Is there some way I could use a script or code block to define the
VLAN ID assignment from role? I'm worried that someone will make a
mistake when entering in these VLAN IDs for each of the 120 roles on
each new AP that is installed.

Thank you,
Adrian

On Tue, Nov 24, 2020 at 5:57 PM Durand fabrice  wrote:

Hello Adrian,

create a role for each room (like room101, room102, ...), then in the
switch config define the vlan id for each role.

Btw you need to set the correct role for each user.

Regards

Fabrice


On 20-11-22 at 19:00, Adrian D'Atri-Guiran wrote:

Hello Fabrice,

Thank you, this was immensely helpful.  I now have my users
authenticating and getting past the captive portal.  But I can't
figure out how I should assign them a VLAN? where is this setting?
My goal is 1 vlan per hotel room, i.e. 1 vlan per login.  For example:
Room 101 - username 101 - password (set via API at check in) - vlan 101
Room 102 - username 102 - password (set via API at check in) - vlan 102
Room 103 - username 103 - password (set via API at check in) - vlan 103

Please point me in the right direction to accomplish this.
Thank you,
Adrian

On Fri, Nov 20, 2020 at 7:00 PM Durand fabrice via PacketFence-users
 wrote:

Hello Adrian,

this is not the correct approach and it's not really a good idea to use
the local freeradius server as a source.

What you can do instead is to use the local accounts to authenticate the
users.

Like create a new user in packetfence, assign a role and an access duration.

On a connection profile with let's say a filter based on the SSID name
add the "local" source.

So when you hit the portal, packetfence will instantiate the
correct connection profile and use the local source to authenticate.

Regards

Fabrice


On 20-11-20 at 15:23, Adrian D'Atri-Guiran via PacketFence-users wrote:

Hello,

I am attempting to set up packetfence 10.2 on Debian 9. My goal is to
have users authenticate via a captive portal, and have each user
mapped to a unique and specific VLAN.  As far as I am aware, the only way
to accomplish this is via authentication with RADIUS.  I would like to
know if this would be possible using only packetfence as the
authentication / user manager; if so, which authentication source do I
use? Otherwise, if radius is required, please review my problem below.

On /admin/alt#/configuration/sources
I have added an internal source, RADIUS, in the config for this source
I have defined the host as 127.0.0.1 and port 18120 and secret.
(I have also tried 10.2.2.254 as the host, and a wide variety of
different ports.)
https://i.imgur.com/SBFPctS.png

In /admin/alt#/configuration/realms
I have added RADIUS with the following config: https://i.imgur.com/0yektXa.png

In /admin/alt#/configuration/interfaces
I 

Re: [PacketFence-users] PF ZEN 10.2.0 - Authenticate with Active Directory using email address

2020-11-25 Thread Durand fabrice via PacketFence-users

Hello Eric,


In the AD authentication source, add the search attribute UserPrincipalName.




Then in the realm config (the DEFAULT one) enable "Custom attributes" 
and select your AD source.




Then you need to restart radius.


Regards

Fabrice


On 20-11-24 at 21:29, Eric Schubert via PacketFence-users wrote:

Hello,

I've been experimenting with PacketFence for NAC for a couple weeks 
now. We're running ZEN, updated to PF 10.2.0 yesterday. Based on 
endless threads on various forums, it would appear we're not the only 
outfit looking to use email addresses for authentication. For the life 
of me, I can't figure out how to configure authentication against 
Active Directory using UserPrincipalName, mail, or any attribute other 
than sAMAccountName. I've tried AD and LDAP and what feels like a 
million combination of settings experiments. I followed the 
installation instructions to a tee. Authentication using 
sAMAccountName works fine, drops me in the right VLAN, registers my 
device, etc. When I try an email address (associated with the same 
sAMAccountName) with known-to-be-correct password, authentication 
fails with the following:


Module-Failure-Message = "chrooted_mschap: Program returned code (1) 
and output 'The attempted logon is invalid. This is either due to a 
bad username or authentication information. (0xc06d)'"
Module-Failure-Message = "chrooted_mschap: External script says: The 
attempted logon is invalid. This is either due to a bad username or 
authentication information. (0xc06d)"

Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"

Occasionally (and I say "occasionally" because it's not consistent 
behavior), authentication seems to be successful via email address; 
I'm greeted with a certificate I trust, then a message on the user 
device (iOS 14.1) saying "Unable to join the network". I then try 
immediately after with the same credentials and am greeted with only 
the "Unable to join the network" message. If I try with just 
sAMAccountName, no problem.


At one point, the user created in PF after successful authentication 
even brought over attributes from AD properly. I deleted the user so I 
could try authenticating with email address again, but those 
attributes no longer populate, even using sAMAccountName. That only 
happened once out of 100+ authentication tests.


Is there any firm documentation or an example config that I can 
reference to set up Active Directory authentication using something 
other than sAMAccountName that doesn't require manually modifying 
files? I'd prefer to control the config via built-in GUI features so 
as not to have to re-create changes if they're wiped out during updates.


Thank you,

Eric Schubert




Re: [PacketFence-users] Integration of PacketFence with Cisco WLC for Guests

2020-11-24 Thread Durand fabrice via PacketFence-users

Hello Victor,

click on the line (for example the one with ID 1963) and take a screenshot of 
the radius tab.


Regards

Fabrice


On 20-11-24 at 04:01, Ezeh Victor wrote:

Hi Durand,

Any feedback on my previous response?

Find screenshot again

On Mon, 23 Nov 2020 at 12:57, Ezeh Victor <vickeyzed...@gmail.com> wrote:


Hi Durand,

I have done as directed.


Also, find below a screenshot of Radius Audit Logs




On Tue, 17 Nov 2020 at 04:07, Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

Hello Victor,

it looks like you defined https://172.20.130.50:1443/... as
the registrationUrl.

And in the switch config you need to enable "External Portal
Enforcement".

Also do you have the portal daemon enabled on the management
interface ?
(https://mgmt:1443/admin/alt#/configuration/interfaces)

Can you paste a screenshot of the radius audit log (radius
tab) when you connect on the ssid ?

Regards

Fabrice


On 20-11-16 at 17:56, Ezeh Victor via PacketFence-users wrote:

Hi

Please can someone assist me. This project has come to a halt.

I do not seem to be getting something right. The captive
portal does not come up after connecting to the guest SSID.

I would really appreciate a response as soon as possible.

Best regards

On Mon, Nov 16, 2020, 11:23 Ezeh Victor <vickeyzed...@gmail.com> wrote:

Hi Ludovic/All,

Kindly see the status of trying to access the captive portal;


On Mon, 16 Nov 2020 at 09:42, Ezeh Victor <vickeyzed...@gmail.com> wrote:

Hi Ludovic,

Kind reminder.

On Sun, Nov 15, 2020, 16:51 Ezeh Victor <vickeyzed...@gmail.com> wrote:

Hi Ludovic,

Please I am still expecting your reply.

On Fri, Nov 13, 2020, 19:27 Ezeh Victor <vickeyzed...@gmail.com> wrote:

Kindly find below;

# Copyright (C) Inverse inc.
#
#
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
type=Cisco::WLC_2500
VoIPDHCPDetect=N
coaPort=3799
uplink_dynamic=0
deauthMethod=RADIUS
always_trigger=1

[172.20.130.252]
description=WLC
RoleMap=Y
VlanMap=N
registrationUrl=http://172.20.130.50/Cisco::WLC
UrlMap=Y
isolationRole=Isolation
defaultRole=Authorize_Any
registrationRole=Pre-Auth-For-WebRedirect
radiusSecret=D4n-n3t0ps
inlineRole=Inline

# Copyright (C) Inverse inc.
#
#
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[192.168.0.1]
description=Test Switch
type=Cisco::Catalyst_2960
mode=production
uplink=23,24
VoIPLLDPDetect=N

#SNMPVersion = 3
#SNMPEngineID = 0
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
  

Re: [PacketFence-users] RADIUS as authentication source - Unable to perform RADIUS authentication on any server: ERECVFAIL

2020-11-24 Thread Durand fabrice via PacketFence-users

Hello Adrian,

create a role for each room (like room101 room102 ...) then in the 
switch config define the VLAN id for each role.


Btw you need to set the correct role for each user.

Regards

Fabrice


On 20-11-22 at 19:00, Adrian D'Atri-Guiran wrote:

Hello Fabrice,

Thank you, this was immensely helpful.  I now have my users
authenticating and getting past the captive portal.  But I can't
figure out how I should assign them a VLAN? where is this setting?
My goal is 1 vlan per hotel room, i.e. 1 vlan per login.  For example:
Room 101 - username 101 - password (set via API at check in) - vlan 101
Room 102 - username 102 - password (set via API at check in) - vlan 102
Room 103 - username 103 - password (set via API at check in) - vlan 103

Please point me in the right direction to accomplish this.
Thank you,
Adrian

On Fri, Nov 20, 2020 at 7:00 PM Durand fabrice via PacketFence-users wrote:

Hello Adrian,

this is not the correct approach and it's not really a good idea to use
the local freeradius server as a source.

What you can do instead is to use the local accounts to authenticate the
users.

Like create a new user in packetfence, assign a role and an access duration.

On a connection profile with let's say a filter based on the SSID name
add the "local" source.

So when you hit the portal, packetfence will instantiate the
correct connection profile and use the local source to authenticate.

Regards

Fabrice


On 20-11-20 at 15:23, Adrian D'Atri-Guiran via PacketFence-users wrote:

Hello,

I am attempting to set up packetfence 10.2 on Debian 9. My goal is to
have users authenticate via a captive portal, and have each user
mapped to a unique and specific VLAN.  As far I am aware, the only way
to accomplish this is via authentication with RADIUS.  I would like to
know if this would be possible using only packetfence as the
authentication / user manager, if so which authentication source do I
use? otherwise, if radius is required, please review my problem below.

On /admin/alt#/configuration/sources
I have added an internal source, RADIUS, in the config for this source
I have defined the host as 127.0.0.1 and port 18120 and secret.
(I have also tried 10.2.2.254 as the host, and a wide variety of
different ports.)
https://i.imgur.com/SBFPctS.png

In /admin/alt#/configuration/realms
I have added RADIUS with the following config: https://i.imgur.com/0yektXa.png

In /admin/alt#/configuration/interfaces
I have one interface defined, with daemons `portal` and `radius`
https://i.imgur.com/Sc1S7V6.png

I have added a user to the top of:
$ head -n 1 /usr/local/pf/raddb/users
test Cleartext-Password := "qwerty"

When I direct my computer to 10.2.2.254/captive-portal I receive a
captive portal, and after checking the box I get the login prompt.
When I enter 'test' and 'qwerty' I receive this error in
/usr/local/pf/logs/packetfence.log:
ERROR: [mac:68:f7:28:e1:a6:26] Unable to perform RADIUS authentication
on any server: ERECVFAIL
(pf::Authentication::Source::RADIUSSource::_handle_radius_request)
and at the same time I receive no new messages in /usr/local/pf/logs/radius.log

I have tried to test using radtest, and at first I was unsuccessful,
until I changed the radius config
in:/usr/local/pf/conf/radiusd/auth.conf
To enable it to bind to a port other than port 0. Note: this feels
really wrong, should I really have to be changing these configs to get
Radius working with packetfence?
listen {
  ipaddr = [% ip %]
  port = 0
  type = auth
  virtual_server = [% virtual_server %]
}
to:
listen {
  ipaddr = [% ip %]
  port = 18120
  type = auth
  virtual_server = [% virtual_server %]
}

After this change I was able to confirm radius was sort of working with:
radtest test qwerty2 10.2.2.254:18120 12 redacted_shared_secret
I receive:
Sent Access-Request Id 221 from 0.0.0.0:43344 to 10.2.2.254:18120 length 75
  User-Name = "test2"
  User-Password = "qwerty2"
  NAS-IP-Address = 10.2.2.254
  NAS-Port = 12
  Message-Authenticator = 0x00
  Cleartext-Password = "qwerty2"
Received Access-Accept Id 221 from 10.2.2.254:18120 to
10.2.2.254:43344 length 20

But the strangest part about this is that I can actually send any
username/password and get Access-Accept.

Despite the above changes, when I attempt to login via the captive
portal I receive:
ERROR: [mac:68:f7:28:e1:a6:26] Unable to perform RADIUS authentication
on any server: ERECVFAIL
(pf::Authentication::Source::RADIUSSource::_handle_radius_request)

Thank you for your time, I appreciate it immensely.
-Adrian





Re: [PacketFence-users] DPSK Authentication - Meraki Access Points

2020-11-21 Thread Durand fabrice via PacketFence-users

Hello Michael,

you can try to add this function in 
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Meraki/MR_v2.pm#L167



```
sub returnRadiusAccessAccept {
    my ($self, $args) = @_;
    my $logger = $self->logger;

    $args->{'unfiltered'} = $TRUE;
    my @super_reply = @{$self->SUPER::returnRadiusAccessAccept($args)};
    my $status = shift @super_reply;
    my %radius_reply = @super_reply;
    my $radius_reply_ref = \%radius_reply;
    return [$status, %$radius_reply_ref] if($status == $RADIUS::RLM_MODULE_USERLOCK);

    my @av_pairs = defined($radius_reply_ref->{'Cisco-AVPair'}) ? @{$radius_reply_ref->{'Cisco-AVPair'}} : ();

    my $role = $self->getRoleByName($args->{'user_role'});
    if ( isenabled($self->{_UrlMap}) && $self->externalPortalEnforcement ) {
        if ( defined($args->{'user_role'}) && $args->{'user_role'} ne "" && defined($self->getUrlByName($args->{'user_role'}) ) ) {
            $args->{'session_id'} = "sid".$self->setSession($args);
            my $redirect_url = $self->getUrlByName($args->{'user_role'});
            $redirect_url .= '/' unless $redirect_url =~ m(\/$);
            $redirect_url .= $args->{'session_id'};
            # Cisco and Meraki started adding "_url=http://example.com" unconditionally to the redirect URL.
            # This means that since we don't have any query parameters that generated paths like
            # "/Cisco::WLC/sid123456_url=http://example.com" which extracts the SID as sid123456_url=http://example.com
            # We add empty query parameters to our path as a workaround
            $redirect_url .= "?";
            # override role if a role in role map is defined
            if (isenabled($self->{_RoleMap}) && $self->supportsRoleBasedEnforcement()) {
                my $role_map = $self->getRoleByName($args->{'user_role'});
                $role = $role_map if (defined($role_map));
                # remove the role if any as we push the redirection ACL along with its role
                delete $radius_reply_ref->{$self->returnRoleAttribute()};
            }
            $logger->info("Adding web authentication redirection to reply using role: '$role' and URL: '$redirect_url'");

            push @av_pairs, "url-redirect-acl=$role";
            push @av_pairs, "url-redirect=".$redirect_url;
        }
    }
    # DPSK: return the device owner's PSK (or the profile default) as Tunnel-Password
    if ($args->{profile}->dpskEnabled()) {
        if (defined($args->{owner}->{psk})) {
            $radius_reply_ref = {
                %$radius_reply_ref,
                'Tunnel-Password' => $args->{owner}->{psk},
            };
        } else {
            $radius_reply_ref = {
                %$radius_reply_ref,
                'Tunnel-Password' => $args->{profile}->{_default_psk_key},
            };
        }
    }
    $radius_reply_ref->{'Cisco-AVPair'} = \@av_pairs;
    my $filter = pf::access_filter::radius->new;
    my $rule = $filter->test('returnRadiusAccessAccept', $args);
    ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);

    return [$status, %$radius_reply_ref];
}
```

Let me know if it works, then I will add it in the main code.

Regards

Fabrice


On 20-11-21 at 21:50, Michael Brown wrote:
That's it Fabrice.  Hostapd worked like a charm.  Got any advice on 
how to adapt the Meraki Cloud Controller V2 module?


On Friday, November 20, 2020, 09:48:01 PM EST, Durand fabrice wrote:



Hello Michael,

you can try with the hostapd switch module, this one uses 
tunnel-password 
(https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Hostapd.pm#L189)


If it works then it will be easy to adapt the meraki switch module.

Regards

Fabrice


On 20-11-17 at 11:53, Michael Brown via PacketFence-users wrote:
Hey Guys,

Just checking in one more time on this one.  Any ideas?

Thanks,
Mike

On Thursday, November 12, 2020, 11:38:23 AM EST, Michael Brown wrote:



Based off the auditing log below it looks like PacketFence sends the 
PSK back to the Meraki access point as Cisco-AVPair.  Is there anyway 
to change PacketFence to send the PSK as tunnel-password instead of 
Cisco-AVPair?


RADIUS Request
User-Name = "00e04c19"
User-Password = "**"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19"
RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttr"
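
Fabrice's method above only sets 'Tunnel-Password' in the reply hash; what the Meraki access point actually receives is the salted RFC 2868 encoding of that value, which FreeRADIUS applies when it encodes the attribute (its dictionary flags Tunnel-Password as encrypt=2). The block below is an added example, not PacketFence or FreeRADIUS code, that implements that encoding and the matching decode so the on-wire form of the DPSK can be inspected offline. The shared secret, Request Authenticator and salt are constructed values; the PSK is the sample value from the audit log above.

```python
"""Tunnel-Password (RFC 2868 section 3.5) as it travels in an Access-Accept.

Added example, not PacketFence or FreeRADIUS code: shows how a PSK returned in
Tunnel-Password is hidden under the shared secret and the Request Authenticator,
and how the receiving side (the AP) recovers it."""
import hashlib
import os

TUNNEL_PASSWORD = 69  # RFC 2868 attribute type number

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # the 16 bytes copied from the Access-Request
PSK = b"otahreeddttr"                      # the sample PSK value shown in the audit log
FIXED_SALT = b"\x85\x42"                   # fixed here only so the output is reproducible


def _chain(secret, prefix, data, decrypt):
    """MD5 keystream chained on the previous ciphertext block (RFC 2868 s3.5)."""
    out, prev = b"", prefix
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ k for a, k in zip(chunk, key))
        prev = chunk if decrypt else out[-16:]
    return out


def tunnel_password_encrypt(secret, request_authenticator, password, salt=None):
    """Return Salt || Encrypted(Data-Length || Password || zero padding)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 255:
        raise ValueError("password too long for the one-byte length field")
    if salt is None:  # two octets, most significant bit of the first one set
        salt = bytes([0x80 | (os.urandom(1)[0] & 0x7F)]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    return salt + _chain(secret, request_authenticator + salt, plain, decrypt=False)


def tunnel_password_decrypt(secret, request_authenticator, data):
    """Inverse of tunnel_password_encrypt; raises ValueError on malformed input."""
    salt, enc = data[:2], data[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not enc or len(enc) % 16:
        raise ValueError("malformed Tunnel-Password data")
    plain = _chain(secret, request_authenticator + salt, enc, decrypt=True)
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("length byte exceeds payload: wrong secret or authenticator?")
    return plain[1:1 + n]


def build_tunnel_password_avp(secret, request_authenticator, password, tag=0, salt=None):
    """Type(69) | Length | Tag | Salt | String, the attribute as the AP sees it."""
    value = bytes([tag]) + tunnel_password_encrypt(secret, request_authenticator, password, salt)
    if len(value) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([TUNNEL_PASSWORD, len(value) + 2]) + value


def parse_tunnel_password_avp(secret, request_authenticator, avp):
    """Return (tag, password) from a Tunnel-Password attribute."""
    if len(avp) < 21 or avp[0] != TUNNEL_PASSWORD or avp[1] != len(avp):
        raise ValueError("not a well-formed Tunnel-Password attribute")
    return avp[2], tunnel_password_decrypt(secret, request_authenticator, avp[3:])


def psk_matches(secret, request_authenticator, avp, expected):
    """True only if the AVP decrypts, under this secret and authenticator, to expected."""
    try:
        return parse_tunnel_password_avp(secret, request_authenticator, avp)[1] == expected
    except ValueError:
        return False


def demo():
    avp = build_tunnel_password_avp(SECRET, REQUEST_AUTHENTICATOR, PSK, tag=0, salt=FIXED_SALT)
    return {"avp_len": len(avp), "plaintext_visible": PSK in avp,
            "right_secret": psk_matches(SECRET, REQUEST_AUTHENTICATOR, avp, PSK),
            "wrong_secret": psk_matches(b"another-secret", REQUEST_AUTHENTICATOR, avp, PSK)}


if __name__ == "__main__":
    print(demo())
```

The 12-byte PSK becomes a 21-byte attribute (type, length, tag, 2-byte salt, one 16-byte block holding the length byte plus the password), and nothing but the shared secret and the Request Authenticator of the matching Access-Request recovers it; that is the difference between this encoding and the Cisco-AVPair "psk=..." string, which crosses the wire in clear.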

Re: [PacketFence-users] Strange behavior since moving packetfence server to virtual data center

2020-11-20 Thread Durand fabrice via PacketFence-users

Hello Steve,

try:

bin/pfcmd pfconfig clear_backend

bin/pfcmd configreload hard

regards

Fabrice


On 20-11-13 at 16:56, Steve Pfister via PacketFence-users wrote:


We have a packet fence server (version 8.1) that was working without 
problems up until it was moved to a virtual data center (new ip 
address). It still work fine, but every Saturday at around 8pm it 
seems to overwrite its ip address with its old ip address and the 
entire server becomes unreachable. We have to have someone reboot it 
to get it back again. We can't find anything that might be doing that. 
Can someone help with this?


Thanks!

--



Steven Pfister

Information Technology

Admin Building

115 S Ludlow St. Dayton, OH 45402

(937) 542-3149

www.daytonpublic.com | 
spfis...@daytonpublic.com 









Re: [PacketFence-users] Switch Template for APC Network Management Card 2

2020-11-20 Thread Durand fabrice via PacketFence-users

Hello Christian,

what are you exactly trying to do ?

Is it something like that : https://www.apc.com/us/en/faqs/FA156083/ ?

If it's the case then you should probably start to play with the radius 
filter to see if it works, then do a switch template if needed.


Regards

Fabrice


On 20-11-18 at 12:26, Christian McDonald via PacketFence-users wrote:

Greetings,

Has anyone already created a switch template for APC NMC 2 cards? I 
see APC-Service-Type attribute is already predefined in the Switch 
Template interface, but I've never created a Switch Template before.


Thanks,

--
R. Christian McDonald
/Information Technology Manager/
Grand Rapids Adventist Academy

T: (888) 791-3108 (x1105)
O: (616) 791-9797 (x1105)
C: (616) 856-9291

1151 Oakleigh Road NW
Grand Rapids, MI 49504




Re: [PacketFence-users] RADIUS as authentication source - Unable to perform RADIUS authentication on any server: ERECVFAIL

2020-11-20 Thread Durand fabrice via PacketFence-users

Hello Adrian,

this is not the correct approach and it's not really a good idea to use 
the local freeradius server as a source.


What you can do instead is to use the local accounts to authenticate the 
users.


Like create a new user in packetfence, assign a role and an access duration.

On a connection profile with let's say a filter based on the SSID name 
add the "local" source.


So when you hit the portal, packetfence will instantiate the 
correct connection profile and use the local source to authenticate.


Regards

Fabrice


On 20-11-20 at 15:23, Adrian D'Atri-Guiran via PacketFence-users wrote:

Hello,

I am attempting to set up packetfence 10.2 on Debian 9. My goal is to
have users authenticate via a captive portal, and have each user
mapped to a unique and specific VLAN.  As far I am aware, the only way
to accomplish this is via authentication with RADIUS.  I would like to
know if this would be possible using only packetfence as the
authentication / user manager, if so which authentication source do I
use? otherwise, if radius is required, please review my problem below.

On /admin/alt#/configuration/sources
I have added an internal source, RADIUS, in the config for this source
I have defined the host as 127.0.0.1 and port 18120 and secret.
(I have also tried 10.2.2.254 as the host, and a wide variety of
different ports.)
https://i.imgur.com/SBFPctS.png

In /admin/alt#/configuration/realms
I have added RADIUS with the following config: https://i.imgur.com/0yektXa.png

In /admin/alt#/configuration/interfaces
I have one interface defined, with daemons `portal` and `radius`
https://i.imgur.com/Sc1S7V6.png

I have added a user to the top of:
$ head -n 1 /usr/local/pf/raddb/users
test Cleartext-Password := "qwerty"

When I direct my computer to 10.2.2.254/captive-portal I receive a
captive portal, and after checking the box I get the login prompt.
When I enter 'test' and 'qwerty' I receive this error in
/usr/local/pf/logs/packetfence.log:
ERROR: [mac:68:f7:28:e1:a6:26] Unable to perform RADIUS authentication
on any server: ERECVFAIL
(pf::Authentication::Source::RADIUSSource::_handle_radius_request)
and at the same time I receive no new messages in /usr/local/pf/logs/radius.log

I have tried to test using radtest, and at first I was unsuccessful,
until I changed the radius config
in:/usr/local/pf/conf/radiusd/auth.conf
To enable it to bind to a port other than port 0. Note: this feels
really wrong, should I really have to be changing these configs to get
Radius working with packetfence?
listen {
 ipaddr = [% ip %]
 port = 0
 type = auth
 virtual_server = [% virtual_server %]
}
to:
listen {
 ipaddr = [% ip %]
 port = 18120
 type = auth
 virtual_server = [% virtual_server %]
}

After this change I was able to confirm radius was sort of working with:
radtest test qwerty2 10.2.2.254:18120 12 redacted_shared_secret
I receive:
Sent Access-Request Id 221 from 0.0.0.0:43344 to 10.2.2.254:18120 length 75
 User-Name = "test2"
 User-Password = "qwerty2"
 NAS-IP-Address = 10.2.2.254
 NAS-Port = 12
 Message-Authenticator = 0x00
 Cleartext-Password = "qwerty2"
Received Access-Accept Id 221 from 10.2.2.254:18120 to
10.2.2.254:43344 length 20

But the strangest part about this is that I can actually send any
username/password and get Access-Accept.

Despite the above changes, when I attempt to login via the captive
portal I receive:
ERROR: [mac:68:f7:28:e1:a6:26] Unable to perform RADIUS authentication
on any server: ERECVFAIL
(pf::Authentication::Source::RADIUSSource::_handle_radius_request)

Thank you for your time, I appreciate it immensely.
-Adrian
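
The radtest exchange quoted above (an Access-Request of length 75 answered by a bare Access-Accept of length 20) can be reproduced offline. The block below is an added example, not PacketFence or FreeRADIUS code: it builds the same five attributes with the User-Password hidden per RFC 2865, fills in the Message-Authenticator per RFC 2869, and on the client side verifies the Response Authenticator so that a reply not bound to this request and shared secret (a forged packet, or a Reject with its code byte changed) is rejected. The shared secret and Request Authenticator are constructed values, and build_response is a stand-in for the server.

```python
"""RFC 2865 Access-Request construction and reply verification, modelled on the
radtest exchange quoted in the thread. Added example, not PacketFence code."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

# Constructed values; a real client draws the Request Authenticator from os.urandom(16).
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def avp(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_user_password(secret, request_authenticator, password):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def build_access_request(secret, identifier, request_authenticator, username, password, nas_ip, nas_port):
    """Client (NAS) side: the packet radtest sends, with the same attribute set."""
    attrs = b"".join([
        avp(USER_NAME, username.encode()),
        avp(USER_PASSWORD, hide_user_password(secret, request_authenticator, password.encode())),
        avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        avp(NAS_PORT, struct.pack("!I", nas_port)),
        avp(MESSAGE_AUTHENTICATOR, bytes(16)),  # zero placeholder, replaced below
    ])
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs
    # RFC 2869 s5.14: HMAC-MD5 over the packet with the placeholder zeroed; the
    # placeholder is the last attribute, so it occupies the final 16 bytes.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(secret, packet):
    """Server side: check the request came from a NAS holding the shared secret."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def build_response(secret, request_authenticator, code, identifier, attrs=b""):
    """Server side (constructed stand-in): Response Authenticator per RFC 2865 s3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request_authenticator, identifier, response):
    """Client side: accept a reply only if it is bound to our request and the secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != identifier:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    req = build_access_request(SECRET, 221, REQUEST_AUTHENTICATOR, "test2", "qwerty2", "10.2.2.254", 12)
    accept = build_response(SECRET, REQUEST_AUTHENTICATOR, ACCESS_ACCEPT, 221)
    reject = build_response(SECRET, REQUEST_AUTHENTICATOR, ACCESS_REJECT, 221)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]  # a Reject with its code byte flipped
    return {"request_len": len(req), "accept_len": len(accept),
            "accept_ok": verify_response(SECRET, REQUEST_AUTHENTICATOR, 221, accept),
            "forged_ok": verify_response(SECRET, REQUEST_AUTHENTICATOR, 221, forged)}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the two lengths and the two verification results. The request is 75 bytes because the attribute set is the one radtest printed; the Accept is the 20-byte header alone, like the one in the thread. Whether a server answers Accept for any credentials is a server-side policy question (which is Fabrice's point about not using the local FreeRADIUS as a source); the client-side check shown here only establishes that the reply really came from the holder of the shared secret.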







Re: [PacketFence-users] DPSK Authentication - Meraki Access Points

2020-11-20 Thread Durand fabrice via PacketFence-users

Hello Michael,

you can try with the hostapd switch module, this one uses tunnel-password 
(https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Hostapd.pm#L189)


If it works then it will be easy to adapt the meraki switch module.

Regards

Fabrice


On 20-11-17 at 11:53, Michael Brown via PacketFence-users wrote:

Hey Guys,

Just checking in one more time on this one.  Any ideas?

Thanks,
Mike

On Thursday, November 12, 2020, 11:38:23 AM EST, Michael Brown wrote:



Based off the auditing log below it looks like PacketFence sends the 
PSK back to the Meraki access point as Cisco-AVPair.  Is there anyway 
to change PacketFence to send the PSK as tunnel-password instead of 
Cisco-AVPair?


RADIUS Request
User-Name = "00e04c19"
User-Password = "**"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19"
RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttr"
Cisco-AVPair = "psk-mode=ascii"



On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown wrote:



Checking in on this.

I put a message up on Meraki and it looks like the problem is the 
RADIUS Access-Accept message is not returning the Tunnel-Password with 
the user's dpsk.  It is only returning the VLAN ID.   Is there 
something missing in my config to make that happen?


Thanks.


On Tuesday, October 20, 2020, 12:07:27 PM EDT, Michael Brown wrote:



Hi Guys,

Has anyone been able to get DPSK working with Meraki access points?

The provisioner portion is working where the user joins a network, 
signs in to the portal and then once they are signed in they are 
presented with the name of the network that uses DPSK and their DPSK 
password. The problem is when I try to join the DPSK network with the 
provided DPSK I receive can't connect to this network (Windows 10 device).


We have one PacketFence server set up out of band.

Here are my profiles:

PROVIDES DPSK

[Auth-Wireless]

locale=

sources=BYOD-Wireless-User-Authentication

advanced_filter=

provisioners=DPSK

filter=ssid:Auth

DPSK NETWORK PROFILE

[BYOD-Wireless]

locale=

advanced_filter=

filter=ssid:WIFI-BYOD

dpsk=enabled

autoregister=enabled

default_psk_key=testing12345678!

unreg_on_acct_stop=disabled

filter_match_style=all

HERE IS THE AUTH SOURCE FOR Auth-Wireless PROFILE:

[BYOD-Wireless-User-Authentication]

cache_match=0

read_timeout=10

realms=null,domain.com

basedn=DC=domain,DC=local

monitor=1

password=password

shuffle=0

searchattributes=

set_access_durations_action=

scope=sub

email_attribute=mail

usernameattribute=sAMAccountName

connection_timeout=1

binddn=CN=Admin\, 
PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local


encryption=none

description=BYOD Wireless User Authentication

port=389

host=dc.domain.com

write_timeout=5

type=AD

[BYOD-Wireless-User-Authentication rule Network-Administrators]

action0=set_role=WIFI-IT-STAFF-DISTRICT

condition0=memberOf,equals,CN=Network Administrators,OU=Domain 
Groups,DC=domain,DC=local


status=enabled

match=all

class=authentication

action1=set_access_duration=1h

description=Active Directory - Network Administrators Group

[BYOD-Wireless-User-Authentication rule Faculty-All]

action0=set_role=WIFI-STAFF-GUESTS

condition0=memberOf,equals,CN=Faculty - All,OU=Domain 
Groups,DC=domain,DC=local


status=enabled

match=all

class=authentication

action1=set_access_duration=1h

description=Active Directory - Faculty All

HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:

Association requirements: Identity PSK with RADIUS

WPA encryption mode: WPA2

Splash page: None

Radius server set to PacketFence management

Radius testing: disabled

Radius CoA: disabled

Client IP assignment: Bridge mode

VLAN tagging: Don't use

Radius override: Radius response can override VLAN tag

HERE IS WHAT THE PF LOG SAYS WHEN I TRY TO JOIN:

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: 
[mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module 
pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. 
Make sure you enable Vendor Specific Attributes (VSA) on the AP if you 
want them to work. (pf::Switch::getCiscoAvPairAttribute)


Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: 
[mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip 
=> (172.20.110.19), 

Re: [PacketFence-users] Integration of PacketFence with Cisco WLC for Guests

2020-11-16 Thread Durand fabrice via PacketFence-users

Hello Victor,

it looks like you defined https://172.20.130.50:1443/... as the 
registrationUrl.


And in the switch config you need to enable "External Portal Enforcement".

Also do you have the portal daemon enabled on the management interface ? 
(https://mgmt:1443/admin/alt#/configuration/interfaces)


Can you paste a screenshot of the radius audit log (radius tab) when you 
connect on the ssid ?


Regards

Fabrice


On 20-11-16 at 17:56, Ezeh Victor via PacketFence-users wrote:

Hi

Please can someone assist me. This project has come to a halt.

I do not seem to be getting something right. The captive portal does 
not come up after connecting to the guest SSID.


I would really appreciate a response as soon as possible.

Best regards

On Mon, Nov 16, 2020, 11:23 Ezeh Victor wrote:


Hi Ludovic/All,

Kindly see the status of trying to access the captive portal;

image.png

On Mon, 16 Nov 2020 at 09:42, Ezeh Victor <vickeyzed...@gmail.com> wrote:

Hi Ludovic,

Kind reminder.

On Sun, Nov 15, 2020, 16:51 Ezeh Victor <vickeyzed...@gmail.com> wrote:

Hi Ludovic,

Please I am still expecting your reply.

On Fri, Nov 13, 2020, 19:27 Ezeh Victor <vickeyzed...@gmail.com> wrote:

Kindly find below;

# Copyright (C) Inverse inc.
#
#
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
type=Cisco::WLC_2500
VoIPDHCPDetect=N
coaPort=3799
uplink_dynamic=0
deauthMethod=RADIUS
always_trigger=1

[172.20.130.252]
description=WLC
RoleMap=Y
VlanMap=N
registrationUrl=http://172.20.130.50/Cisco::WLC
UrlMap=Y
isolationRole=Isolation
defaultRole=Authorize_Any
registrationRole=Pre-Auth-For-WebRedirect
radiusSecret=D4n-n3t0ps
inlineRole=Inline

# Copyright (C) Inverse inc.
#
#
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[192.168.0.1]
description=Test Switch
type=Cisco::Catalyst_2960
mode=production
uplink=23,24
VoIPLLDPDetect=N

#SNMPVersion = 3
#SNMPEngineID = 0
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
[192.168.1.0/24 ]
description=Test Range WLC
type=Cisco::WLC
mode=production
uplink_dynamic=0
VoIPLLDPDetect=N

On Fri, 13 Nov 2020 at 19:22, Ludovic Zammit <lzam...@inverse.ca> wrote:

Send me your conf/switches.conf

Thanks,


On Nov 13, 2020, at 1:20 PM, Ezeh Victor <vickeyzed...@gmail.com> wrote:


Hi Ludovic,

Thank you for your timely assistance.

Kindly below some of the logs observed;






On Fri, 13 Nov 2020 at 18:48, Ludovic Zammit <lzam...@inverse.ca> wrote:

Glad you are progressing.

In web auth, the client IP address is sent
out to the PF management interface inside an HTTP
request.

So if you don’t see the portal, there is a
good chance that IP won’t populate.


Re: [PacketFence-users] Two questions regarding re-branding captive portal

2020-11-09 Thread Durand fabrice via PacketFence-users

Hello Oley,


On 20-11-09 at 13:07, Oley, Ronald via PacketFence-users wrote:

Hi guys,

Running the latest version of Packetfence and I'm having 2 small issues 
rebranding the captive portal to look the way we need.  The issues are:

1. When I change the logo image to our image (.png), it shows up correctly in 
the preview, but users are still seeing the packetfence logo both when they 
connect to the captive portal landing page and go through to the login page.  I 
did try restarting the server.
They probably have another connection profile; check the packetfence.log and 
see what profile is instantiated.

2 On the login page for users where it says "Username/password login", where is 
the appropriate place to add another line of text to that?  I want to add a reminder to 
use @domain.com in their username.  I can't seem to determine which page that is in the 
files list for the captive portal.


You can create a portal module with custom description or play with the 
layout/signin html files.


Regards

Fabrice



Thanks!







Re: [PacketFence-users] After system update some services won't start

2020-11-09 Thread Durand fabrice via PacketFence-users

Hello Ivan,

try that:


yum install ipset-symlink ipset --enablerepo=packetfence


Regards

Fabrice



On 20-11-09 at 13:34, Ivan Saliu via PacketFence-users wrote:

Hi Everyone,

Today I've updated my CentOS 7 server with PacketFence 9 installed on 
it and installed also the maintenance patches.
Now I noticed an issue, there are some services that should be 
starting, but they exit with errors, and they're:


api-frontend
http.dispatcher
pfipset
pfsso

I have noticed some strange things, the first one is that I have in 
packetfence.log the following errors:


 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory
 pfhttpd: /usr/local/pf/sbin/pfhttpd: error while loading shared 
libraries: libipset.so.11: cannot open shared object file: No such 
file or directory


Any idea on what could be the issue on this one?
Let me know if I can provide you further logs from the system, right 
now I have access only from CLI, since if I try to log into the admin 
interface I receive a 501 error since the api-frontend service is 
stopped..


Thanks,
Ivan




Re: [PacketFence-users] MSCHAP and Local Auth

2020-10-30 Thread Durand fabrice via PacketFence-users

Yes, it looks like you made a typo in raddb/policy.d/packetfence


Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
/usr/local/pf/raddb/sites-enabled/packetfence[190]: Failed to parse 
"packetfence-mschap-authenticate" entry.


On 20-10-30 at 21:00, Enrique Gross wrote:

Thanks Fabrice

I probably messed up something, and should start over with my testing 
setup, this is journalctl when starting radiusd, I have been checking 
config files regarding sql modules, but with no luck.


Thanks, and good weekend

Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql_mysql: Starting connect to MySQL server
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql): Reserved connection (0)
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql): Released connection (0)
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (pfguest): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (pfsponsor): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (pfsms): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (pflocal): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_reject): groupmemb_query is empty.  Please delete it from the configuration
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_reject): authorize_check_query is empty.  Please delete it from the configuration
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_reject): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_degraded): groupmemb_query is empty.  Please delete it from the configuration
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_degraded): Ignoring read_groups as group_membership_query is not configured
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_degraded): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (chrooted_mschap): authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (chrooted_mschap_machine): authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (mschap_machine): authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (mschap_local): using internal authentication
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[15]: "sql" modules aren't allowed in 'authenticate' sections -- they have no such method.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[15]: Failed to parse "pflocal" entry.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[145]: Failed to parse "packetfence-local-auth" entry.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[144]: Failed to parse "else" subsection.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[140]: Failed to parse "else" subsection.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: /usr/local/pf/raddb/sites-enabled/packetfence[190]: Failed to parse "packetfence-mschap-authenticate" entry.
Oct 31 00:53:38 pf.jcc.com.ar systemd[1]: packetfence-radiusd-auth.service: control process exited, code=exited status=1


El vie., 30 oct. 2020 a las 19:59, Durand fabrice (>) escribió:


Hello Enrique,

I did the same on my side and I am able to restart radiusd.

Take a look at journalctl to see why it fails to start.

Regards

Fabrice


Le 20-10-30 à 14 h 44, Enrique Gross a écrit :
> Hi all!
>
> Thanks for your help Fabrice
>
> When changing the function to packetfence-local-auth, radius-auth
> fails to start; I am not getting much info in radius.log
>
> Oct 30 18:39:09 pf auth[7031]: Signalled to terminate
> Oct 30 18:39:09 pf auth[7031]: Exiting normally
> Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
> Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
>
> And packetfence.log
>
> Oct 30 
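A note on reading the journal above, added here and not part of the thread: FreeRADIUS prints the innermost configuration error first (policy.d/packetfence line 15, rlm_sql has no authenticate method) and then one "Failed to parse" line per enclosing section as it unwinds, so the sites-enabled line that appears last is only the outermost symptom. The error itself is the practitioner's caveat: an rlm_sql instance cannot sit in an authenticate section, and MS-CHAPv2 can only be verified against a cleartext password or its NT hash, so an SQL-backed local account store does not become MS-CHAP capable by swapping a module name. The Python helper below is an added example (not PacketFence code) that extracts those lines from journalctl output and points at the root cause; the sample journal is constructed from the lines quoted in this thread, one entry per line and with the hostname shortened.

```python
import re
import sys

# Constructed sample journal: the radiusd entries quoted in this thread, each on
# one line as journalctl prints them (the list archive wrapped them).
SAMPLE_JOURNAL = """\
Oct 31 00:53:38 pf radiusd[17061]: rlm_sql (pflocal): Attempting to connect to database "pf"
Oct 31 00:53:38 pf radiusd[17061]: rlm_mschap (mschap_local): using internal authentication
Oct 31 00:53:38 pf radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[15]: "sql" modules aren't allowed in 'authenticate' sections -- they have no such method.
Oct 31 00:53:38 pf radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[15]: Failed to parse "pflocal" entry.
Oct 31 00:53:38 pf radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[145]: Failed to parse "packetfence-local-auth" entry.
Oct 31 00:53:38 pf radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[144]: Failed to parse "else" subsection.
Oct 31 00:53:38 pf radiusd[17061]: /usr/local/pf/raddb/policy.d/packetfence[140]: Failed to parse "else" subsection.
Oct 31 00:53:38 pf radiusd[17061]: /usr/local/pf/raddb/sites-enabled/packetfence[190]: Failed to parse "packetfence-mschap-authenticate" entry.
Oct 31 00:53:38 pf systemd[1]: packetfence-radiusd-auth.service: control process exited, code=exited status=1
"""

# A FreeRADIUS configuration error is logged as "<file>[<line>]: <message>".
CONFIG_ERROR = re.compile(r"radiusd\[\d+\]: (?P<file>/[^\s\[]+)\[(?P<line>\d+)\]: (?P<msg>.+)$")
# The unwinding lines name the entry or subsection that could not be parsed.
UNWIND = re.compile(r'Failed to parse "(?P<name>[^"]+)" (?:entry|subsection)')


def parse_config_errors(journal_text):
    """Return [{'file', 'line', 'msg'}] for every config-error line, in log order."""
    errors = []
    for raw in journal_text.splitlines():
        m = CONFIG_ERROR.search(raw)
        if m:
            errors.append({"file": m["file"], "line": int(m["line"]), "msg": m["msg"]})
    return errors


def root_cause(errors):
    """The first error that is not an unwinding 'Failed to parse' line."""
    for err in errors:
        if not UNWIND.search(err["msg"]):
            return err
    return errors[0] if errors else None


def unwind_chain(errors):
    """Names of the sections FreeRADIUS gave up on, innermost first."""
    return [UNWIND.search(e["msg"])["name"] for e in errors if UNWIND.search(e["msg"])]


def triage(journal_text):
    """One-paragraph verdict: which file and line to fix, and how it was reached."""
    errors = parse_config_errors(journal_text)
    rc = root_cause(errors)
    if rc is None:
        return "no FreeRADIUS configuration errors found"
    chain = " <- ".join(unwind_chain(errors))
    return f"fix {rc['file']} line {rc['line']}: {rc['msg']}\n    reached via: {chain}"


if __name__ == "__main__":
    # Usage: journalctl -u packetfence-radiusd-auth --no-pager | python3 radius_triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    print(triage(text))
```

Pipe the real journal in and the first line of the verdict is the file and line to open; the chain tells you which policy called the offending entry, which matters when the same module is referenced from several places.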

Re: [PacketFence-users] MSCHAP and Local Auth

2020-10-30 Thread Durand fabrice via PacketFence-users

Hello Enrique,

I did the same on my side and I am able to restart radiusd.

Take a look at journalctl to see why it fails to start.

Regards

Fabrice


Le 20-10-30 à 14 h 44, Enrique Gross a écrit :

Hi all!

Thanks for your help Fabrice

When changing the function to packetfence-local-auth, radius-auth fails to
start; I am not getting much info in radius.log

Oct 30 18:39:09 pf auth[7031]: Signalled to terminate
Oct 30 18:39:09 pf auth[7031]: Exiting normally
Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.

And packetfence.log

Oct 30 18:39:09 pf packetfence: pfperl-api(2390) INFO: Stopping
radiusd-auth with pid 7031 (pf::services::manager::stopService)
Oct 30 18:39:09 pf packetfence: pfperl-api(2390) INFO: child exited with value 0
  (pf::services::manager::stopService)
Oct 30 18:39:14 pf packetfence: pfperl-api(2394) INFO: Daemon
radiusd-auth took 2.123 seconds to start.
(pf::services::manager::launchService)

Thanks!


El jue., 29 oct. 2020 a las 21:57, Durand fabrice
() escribió:

Hello Enrique,

sorry for the late reply.

So PPP MSCHAP with a local PF account is not really implemented.

What you can try is to edit /usr/local/pf/raddb/policy.d/packetfence and find 
the following function:

packetfence-mschap-authenticate {
    if(PacketFence-Domain) {
        if ( "%{User-Name}" =~ /^host\/.*/) {
            chrooted_mschap_machine
        }
        else {
            chrooted_mschap
        }
    }
    else {
        if ( "%{User-Name}" =~ /^host\/.*/) {
            mschap_machine
        }
        else {
            mschap
        }
    }
}


and replace it with:

packetfence-mschap-authenticate {
    if(PacketFence-Domain) {
        if ( "%{User-Name}" =~ /^host\/.*/) {
            chrooted_mschap_machine
        }
        else {
            chrooted_mschap
        }
    }
    else {
        if ( "%{User-Name}" =~ /^host\/.*/) {
            mschap_machine
        }
        else {
            packetfence-local-auth
        }
    }
}

Then restart radius and retry.

Let me know if it works.

Regards

Fabrice


Le 20-10-26 à 12 h 15, Enrique Gross a écrit :

Thanks Fabrice

raddebug output:

(727) Mon Oct 26 15:54:22 2020: Debug: Received Access-Request Id 132 from X.X.X.X:55645 to X.X.X.X:1812 length 191
(727) Mon Oct 26 15:54:22 2020: Debug:   Service-Type = Framed-User
(727) Mon Oct 26 15:54:22 2020: Debug:   Framed-Protocol = PPP
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Port = 39
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Port-Type = Virtual
(727) Mon Oct 26 15:54:22 2020: Debug:   User-Name = "coyo"
(727) Mon Oct 26 15:54:22 2020: Debug:   Calling-Station-Id = "X.X.X.X"
(727) Mon Oct 26 15:54:22 2020: Debug:   Called-Station-Id = "X.X.X.X"
(727) Mon Oct 26 15:54:22 2020: Debug:   Acct-Session-Id = "81d00cdf"
(727) Mon Oct 26 15:54:22 2020: Debug:   MS-CHAP-Challenge = 0xebf6d832753d4fdf8383548a74da2637
(727) Mon Oct 26 15:54:22 2020: Debug:   MS-CHAP2-Response = 0x0100abb873a94cda9a306246c4fef05e7a90b44e09097c106ee6479636c7545e3fdd9b27a86cdbfa77a5
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Identifier = "MK-IBERA2"
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-IP-Address = X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(727) Mon Oct 26 15:54:22 2020: Debug:   authorize {
(727) Mon Oct 26 15:54:22 2020: Debug:     policy packetfence-nas-ip-address {
(727) Mon Oct 26 15:54:22 2020: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(727) Mon Oct 26 15:54:22 2020: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug:     } # policy packetfence-nas-ip-address = notfound
(727) Mon Oct 26 15:54:22 2020: Debug:     update {
(727) Mon Oct 26 15:54:22 2020: Debug:       EXPAND %{Packet-Src-IP-Address}
(727) Mon Oct 26 15:54:22 2020: Debug:          --> X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug:       EXPAND %{Packet-Dst-IP-Address}
(727) Mon Oct 26 15:54:22 2020: Debug:          --> X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug:       EXPAND %l
(727) Mon Oct 26 15:54:22 2020: Debug:          --> 1603738462
(727) Mon Oct 26 15:54:22 2020: Debug:     } # update = noop
(727) Mon Oct 26 15:54:22 2020: Debug:     policy packetfence-set-realm-if-machine {
(727) Mon Oct 26 15:54:22 2020: Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(727) Mon Oct 26 15:54:22 2020: Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i)  -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug:     } # policy packetfence-set-realm-if-machine = noop
(727) Mon Oct 26 15:54:22 2020: Debug:     policy packetfence-balanced-key-policy {
(727) Mon Oct 26 15:54:22 2020: Debug:       if ( && ( =~ /^(.*)(.)$/i)) {
(727) Mon Oct 26 15:54:22 2020: Debug:       if ( && ( =~ /^(.*)(.)$/i))  -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug:       else {
(727) 

Re: [PacketFence-users] MSCHAP and Local Auth

2020-10-29 Thread Durand fabrice via PacketFence-users

Hello Enrique,

sorry for the late reply.

So PPP MSCHAP with a local PF account is not really implemented.

What you can try is to edit /usr/local/pf/raddb/policy.d/packetfence and 
find the following function:


packetfence-mschap-authenticate {
    if(PacketFence-Domain) {
        if ( "%{User-Name}" =~ /^host\/.*/) {
            chrooted_mschap_machine
        }
        else {
            chrooted_mschap
        }
    }
    else {
        if ( "%{User-Name}" =~ /^host\/.*/) {
            mschap_machine
        }
        else {
            mschap
        }
    }
}


and replace it with:

packetfence-mschap-authenticate {
    if(PacketFence-Domain) {
        if ( "%{User-Name}" =~ /^host\/.*/) {
            chrooted_mschap_machine
        }
        else {
            chrooted_mschap
        }
    }
    else {
        if ( "%{User-Name}" =~ /^host\/.*/) {
            mschap_machine
        }
        else {
            packetfence-local-auth
        }
    }
}

Then restart radius and retry.

Let me know if it works.

Regards

Fabrice


Le 20-10-26 à 12 h 15, Enrique Gross a écrit :

Thanks Fabrice

raddebug output:

(727) Mon Oct 26 15:54:22 2020: Debug: Received Access-Request Id 132 from X.X.X.X:55645 to X.X.X.X:1812 length 191
(727) Mon Oct 26 15:54:22 2020: Debug:   Service-Type = Framed-User
(727) Mon Oct 26 15:54:22 2020: Debug:   Framed-Protocol = PPP
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Port = 39
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Port-Type = Virtual
(727) Mon Oct 26 15:54:22 2020: Debug:   User-Name = "coyo"
(727) Mon Oct 26 15:54:22 2020: Debug:   Calling-Station-Id = "X.X.X.X"
(727) Mon Oct 26 15:54:22 2020: Debug:   Called-Station-Id = "X.X.X.X"
(727) Mon Oct 26 15:54:22 2020: Debug:   Acct-Session-Id = "81d00cdf"
(727) Mon Oct 26 15:54:22 2020: Debug:   MS-CHAP-Challenge = 0xebf6d832753d4fdf8383548a74da2637
(727) Mon Oct 26 15:54:22 2020: Debug:   MS-CHAP2-Response = 0x0100abb873a94cda9a306246c4fef05e7a90b44e09097c106ee6479636c7545e3fdd9b27a86cdbfa77a5
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Identifier = "MK-IBERA2"
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-IP-Address = X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(727) Mon Oct 26 15:54:22 2020: Debug:   authorize {
(727) Mon Oct 26 15:54:22 2020: Debug:     policy packetfence-nas-ip-address {
(727) Mon Oct 26 15:54:22 2020: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(727) Mon Oct 26 15:54:22 2020: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug:     } # policy packetfence-nas-ip-address = notfound
(727) Mon Oct 26 15:54:22 2020: Debug:     update {
(727) Mon Oct 26 15:54:22 2020: Debug:       EXPAND %{Packet-Src-IP-Address}
(727) Mon Oct 26 15:54:22 2020: Debug:          --> X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug:       EXPAND %{Packet-Dst-IP-Address}
(727) Mon Oct 26 15:54:22 2020: Debug:          --> X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug:       EXPAND %l
(727) Mon Oct 26 15:54:22 2020: Debug:          --> 1603738462
(727) Mon Oct 26 15:54:22 2020: Debug:     } # update = noop
(727) Mon Oct 26 15:54:22 2020: Debug:     policy packetfence-set-realm-if-machine {
(727) Mon Oct 26 15:54:22 2020: Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(727) Mon Oct 26 15:54:22 2020: Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i)  -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug:     } # policy packetfence-set-realm-if-machine = noop
(727) Mon Oct 26 15:54:22 2020: Debug:     policy packetfence-balanced-key-policy {
(727) Mon Oct 26 15:54:22 2020: Debug:       if ( && ( =~ /^(.*)(.)$/i)) {
(727) Mon Oct 26 15:54:22 2020: Debug:       if ( && ( =~ /^(.*)(.)$/i))  -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug:       else {
(727) Mon Oct 26 15:54:22 2020: Debug:         update {
(727) Mon Oct 26 15:54:22 2020: Debug:           EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(727) Mon Oct 26 15:54:22 2020: Debug:              --> 865fdf018805bc0bc5fbb22eaa6b0a60
(727) Mon Oct 26 15:54:22 2020: Debug:           EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(727) Mon Oct 26 15:54:22 2020: Debug:              --> 865fdf018805bc0bc5fbb22eaa6b0a60
(727) Mon Oct 26 15:54:22 2020: Debug:         } # update = noop
(727) Mon Oct 26 15:54:22 2020: Debug:       } # else = noop
(727) Mon Oct 26 15:54:22 2020: Debug:     } # policy packetfence-balanced-key-policy = noop
(727) Mon Oct 26 15:54:22 2020: Debug:     policy packetfence-set-tenant-id {
(727) Mon Oct 26 15:54:22 2020: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(727) Mon Oct 26 15:54:22 2020: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug:       if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(727) Mon Oct 26 15:54:22 2020: Debug:       EXPAND %{%{control:PacketFence-Tenant-Id}:-0}


Re: [PacketFence-users] DHCP on layer 3 network non functional

2020-10-29 Thread Durand fabrice via PacketFence-users

Hello Adam,

can you provide the pf.conf and networks.conf files?

Regards

Fabrice


Le 20-10-28 à 10 h 15, Franklin, Adam via PacketFence-users a écrit :


Hi

Version 10.2.0

None of my clients can pick up an IP address from DHCP from one of the 
Inline Layer 3 networks I have set up on PacketFence. I've set up 
several of these servers before exactly the same way and it's always 
worked the first time; now I can't get this to work. I've rebuilt the 
server twice and still no joy.


DHCP Log:

Oct 28 14:08:51 vs-ncl-pf pfdhcp[1746]: t=2020-10-28T14:08:51+ 
lvl=eror msg="Error while creating statsd client: write udp 
[::1]:41262->[::1]:8125: write: connection refused" pid=1746


Oct 28 14:08:52 vs-ncl-pf pfdhcp[1746]: t=2020-10-28T14:08:52+ 
lvl=eror msg="Error while creating statsd client: write udp 
[::1]:51735->[::1]:8125: write: connection refused" pid=1746


Oct 28 14:08:53 vs-ncl-pf pfdhcp[1746]: t=2020-10-28T14:08:53+ 
lvl=eror msg="Error while creating statsd client: write udp 
[::1]:50606->[::1]:8125: write: connection refused" pid=1746


Oct 28 14:08:54 vs-ncl-pf pfdhcp[1746]: t=2020-10-28T14:08:54+ 
lvl=eror msg="Error while creating statsd client: write udp 
[::1]:40669->[::1]:8125: write: connection refused" pid=1746


Oct 28 14:08:55 vs-ncl-pf pfdhcp[1746]: t=2020-10-28T14:08:55+ 
lvl=eror msg="Error while creating statsd client: write udp 
[::1]:47354->[::1]:8125: write: connection refused" pid=1746


DHCP Listener Log:

Oct 28 14:11:53 vs-ncl-pf pfdhcplistener: pfqueue(1859) INFO: 
[mac:unknown] DHCPREQUEST from c0:e8:62:16:f2:f2 (10.39.89.176) with 
lease of 7776000 seconds (pf::dhcp::processor_v4::parse_dhcp_request)


Oct 28 14:11:53 vs-ncl-pf pfdhcplistener: pfqueue(1859) INFO: 
[mac:unknown] The listener process is NOT on the same server as the 
DHCP server. (pf::dhcp::processor_v4::pf_is_dhcp)


Oct 28 14:12:00 vs-ncl-pf pfdhcplistener: pfqueue(1864) INFO: 
[mac:unknown] DHCPREQUEST from 76:f9:23:c0:f8:b5 (10.39.89.7) 
(pf::dhcp::processor_v4::parse_dhcp_request)


Oct 28 14:12:00 vs-ncl-pf pfdhcplistener: pfqueue(1864) INFO: 
[mac:unknown] The listener process is NOT on the same server as the 
DHCP server. (pf::dhcp::processor_v4::pf_is_dhcp)


Oct 28 14:12:53 vs-ncl-pf pfdhcplistener: pfqueue(1859) INFO: 
[mac:unknown] DHCPREQUEST from c0:e8:62:16:f2:f2 (10.39.89.176) with 
lease of 7776000 seconds (pf::dhcp::processor_v4::parse_dhcp_request)


Oct 28 14:12:53 vs-ncl-pf pfdhcplistener: pfqueue(1859) INFO: 
[mac:unknown] The listener process is NOT on the same server as the 
DHCP server. (pf::dhcp::processor_v4::pf_is_dhcp)


Thanks

Adam





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] 10.2.0 Eap gtc sub module failed

2020-10-29 Thread Durand fabrice via PacketFence-users

Hello Sonila,

can you provide a raddebug?

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

Regards

Fabrice


Le 20-10-28 à 09 h 22, Sonali Gulia via PacketFence-users a écrit :
Hi all, in the new version of PF 10.2.0 the EAP-GTC sub-module failed. 
In the previous version it was working fine; does anyone know any solution?



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] captive_portal.ip_address in pf.conf.defaults

2020-10-09 Thread Durand fabrice via PacketFence-users

Hi Jeff,

it's recommended to upgrade everything, not just PacketFence.

So just to be sure do:

apt update

apt upgrade

Regards

Fabrice


Le 20-10-09 à 16 h 31, Jeff Linden a écrit :


I went forward before seeing the link you provided and I just 
performed apt-get install keepalived.  It updated me to version 
2.0.20-1.  I rebooted the PacketFence server and all is well now.  The 
haproxy-portal service is running and I can reach the captive portal.  
The ‘ip a’ command now shows 66.70.255.147 attached to interface lo.


Thank you very much for your assistance Fabrice.

Jeff

*From:* Fabrice Durand 
*Sent:* Friday, October 9, 2020 4:17 PM
*To:* Jeff Linden ; 
packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] captive_portal.ip_address in 
pf.conf.defaults


http://inverse.ca/downloads/PacketFence/debian-lastrelease/pool/stretch/k/keepalived/

Le 20-10-09 à 16 h 15, Jeff Linden a écrit :

It seems to be 1.3.2-1.  I’ll refresh it.

dpkg -l | grep keepalive

ii keepalived 1:1.3.2-1 amd64    Failover and monitoring
daemon for LVS c

Jeff

*From:* Fabrice Durand 

*Sent:* Friday, October 9, 2020 4:07 PM
*To:* Jeff Linden 
;
packetfence-users@lists.sourceforge.net

*Subject:* Re: [PacketFence-users] captive_portal.ip_address in
pf.conf.defaults

What is the keepalived version you are running?

It's supposed to be keepalived-2.0.20-2.1.x86_64 but yours looks
different.

Le 20-10-09 à 15 h 57, Jeff Linden a écrit :

There is one warning in the log during restart of keepalived.

# journalctl -f | grep keepalived

Oct 09 15:54:05 nadc1-pfence-01 sudo[152287]: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl restart packetfence-keepalived
Oct 09 15:54:09 nadc1-pfence-01 packetfence[152297]: -e(152297) INFO: main, -e, 1 (pf::services::manager::keepalived::generateConfig)
Oct 09 15:54:09 nadc1-pfence-01 Keepalived[152324]: WARNING - default user 'keepalived_script' for script execution does not exist - please create.
Oct 09 15:54:09 nadc1-pfence-01 Keepalived[152324]: Opening file '/usr/local/pf/var/conf/keepalived.conf'.
Oct 09 15:54:09 nadc1-pfence-01 Keepalived_vrrp[152328]: Opening file '/usr/local/pf/var/conf/keepalived.conf'.
Oct 09 15:54:09 nadc1-pfence-01 packetfence[152108]: pfcmd.pl(152108) INFO: Daemon keepalived took 3.692 seconds to start. (pf::services::manager::restartService)
Oct 09 15:54:09 nadc1-pfence-01 Keepalived_healthcheckers[152327]: Opening file '/usr/local/pf/var/conf/keepalived.conf'.
Oct 09 15:54:09 nadc1-pfence-01 sudo[152333]: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl show -p MainPID packetfence-keepalived

Here is the keepalived.conf

# This file is generated from a template at /usr/local/pf/conf/keepalived.conf
# Any changes made to this file will be lost on restart

global_defs {
    notification_email {
        jlin...@jerviswebb.com
    }
    notification_email_from packetfe...@daifukuna.com
    smtp_server 10.22.0.92
    smtp_connect_timeout 30
    router_id PacketFence-nadc1-pfence-01
}

vrrp_track_process radius_load_balancer {
    process /usr/sbin/freeradius -d /usr/local/pf/raddb -n load_balancer -fm
    full_command
    quorum 1
    delay 15
}

vrrp_track_process haproxy_portal {
    process /usr/sbin/haproxy -Ws -f /usr/local/pf/var/conf/haproxy-portal.conf -p /usr/local/pf/var/run/haproxy-portal.pid
    full_command
    quorum 1
    delay 15
}

static_ipaddress {
    66.70.255.147 dev lo scope link
}

static_routes {
    10.20.254.0/24 via 10.30.247.2 dev eth0.247
    10.20.16.0/24 via 10.30.247.2 dev eth0.247
    10.20.31.0/24 via 10.30.247.2 dev eth0.247
    10.20.253.0/24 via 10.30.247.2 dev eth0.247
    10.20.252.0/24 via 10.30.247.2 dev eth0.247
}

*From:* Fabrice Durand 

*Sent:* Friday, October 9, 2020 3:51 PM
*To:* Jeff Linden 
;
packetfence-users@lists.sourceforge.net

*Subject:* Re: [PacketFence-users] captive_portal.ip_address
in pf.conf.defaults

Can i see the keepalived.conf ?

And do you have anything (like an error) in the logs about
keepalived (journalctl -f | grep keepalived) when you restart it?

Re: [PacketFence-users] Can't load Captive Portal with Ubiquiti Wireless - GET not supported

2020-10-06 Thread Durand fabrice via PacketFence-users
lue in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm 
line 140.


(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)

Oct 2 03:44:00 packetfence packetfence_httpd.portal: 
httpd.portal(2260) ERROR: [mac:00:11:22:33:44:55] Error while 
communicating with the Fingerbank collector. 500 Can't connect to 
127.0.0.1:4723 (pf::fingerbank::update_collector_endpoint_data)


Oct 2 03:44:30 packetfence packetfence_httpd.portal: httpd.portal(875) 
WARN: [mac:unknown] Unable to match MAC address to IP '10.1.28.123' 
(pf::ip4log::ip2mac)


Oct 2 03:44:30 packetfence packetfence_httpd.portal: httpd.portal(875) 
WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP 
'10.1.28.123' (pf::ip4log::ip2mac)


Oct 2 03:44:30 packetfence packetfence_httpd.portal: httpd.portal(875) 
ERROR: [mac:00:11:22:33:44:55] Error while communicating with the 
Fingerbank collector. 500 Can't connect to 127.0.0.1:4723 
(pf::fingerbank::endpoint_attributes)


Oct 2 03:44:30 packetfence packetfence_httpd.portal: httpd.portal(875) 
WARN: [mac:00:11:22:33:44:55] Use of uninitialized value in string ne 
at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm 
line 140.


(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)

Oct 2 03:44:30 packetfence packetfence_httpd.portal: httpd.portal(875) 
ERROR: [mac:00:11:22:33:44:55] Error while communicating with the 
Fingerbank collector. 500 Can't connect to 127.0.0.1:4723 
(pf::fingerbank::update_collector_endpoint_data)


Oct 2 03:45:01 packetfence packetfence_httpd.portal: 
httpd.portal(1971) WARN: [mac:unknown] Unable to match MAC address to 
IP '10.1.28.123' (pf::ip4log::ip2mac)


Oct 2 03:45:01 packetfence packetfence_httpd.portal: 
httpd.portal(1971) WARN: [mac:00:11:22:33:44:55] Unable to match MAC 
address to IP '10.1.28.123' (pf::ip4log::ip2mac)


Oct 2 03:45:01 packetfence packetfence_httpd.portal: 
httpd.portal(1971) ERROR: [mac:00:11:22:33:44:55] Error while 
communicating with the Fingerbank collector. 500 Can't connect to 
127.0.0.1:4723 (pf::fingerbank::endpoint_attributes)


Oct 2 03:45:01 packetfence packetfence_httpd.portal: 
httpd.portal(1971) WARN: [mac:00:11:22:33:44:55] Use of uninitialized 
value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm 
line 140.


(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)

Oct 2 03:45:01 packetfence packetfence_httpd.portal: 
httpd.portal(1971) ERROR: [mac:00:11:22:33:44:55] Error while 
communicating with the Fingerbank collector. 500 Can't connect to 
127.0.0.1:4723 (pf::fingerbank::update_collector_endpoint_data)


Oct 2 03:45:28 packetfence pfipset[1481]: t=2020-10-02T03:45:28-0400 
lvl=info msg="No Inline Network bypass ipsets reload" pid=1481


Oct 2 03:45:31 packetfence packetfence_httpd.portal: 
httpd.portal(2260) WARN: [mac:unknown] Unable to match MAC address to 
IP '10.1.28.123' (pf::ip4log::ip2mac)


Oct 2 03:45:31 packetfence packetfence_httpd.portal: 
httpd.portal(2260) WARN: [mac:00:11:22:33:44:55] Unable to match MAC 
address to IP '10.1.28.123' (pf::ip4log::ip2mac)


Oct 2 03:45:31 packetfence packetfence_httpd.portal: 
httpd.portal(2260) ERROR: [mac:00:11:22:33:44:55] Error while 
communicating with the Fingerbank collector. 500 Can't connect to 
127.0.0.1:4723 (pf::fingerbank::endpoint_attributes)


*From:* Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
*Sent:* Thursday, October 1, 2020 7:21 PM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice <fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] Can't load Captive Portal with 
Ubiquiti Wireless - GET not supported


Hello Ronald,

can you provide the switches.conf and the packetfence.log files?

Regards

Fabrice

Le 20-10-01 à 16 h 19, Oley, Ronald via PacketFence-users a écrit :

Unfortunately we’ve already run that command.  It does build the
AP list properly, but it doesn’t resolve my issue.

Can I ask how you configured the Roles for unifi switch in PF?

*From:*Graham Prentice 
<mailto:gprent...@rocketmail.com>
*Sent:* Thursday, October 1, 2020 3:06 PM
*To:* packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
*Cc:* Oley, Ronald 
<mailto:ronaldo...@kings.edu>
*Subject:* Re: [PacketFence-users] Can't load Captive Portal with
Ubiquiti Wireless - GET not supported

Had the same error on a Unifi AP.

Was fixed by running:

/usr/local/pf/bin/pfcmd pfmon ubiquiti_ap_mac_to_ip

Graham

On Thursday, October 1, 2020, 02:28:40 PM EDT, Oley, Ronald via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Running the latest version of Unifi controller and PacketFence.
Followed the PF setup guide

Re: [PacketFence-users] Can't load Captive Portal with Ubiquiti Wireless - GET not supported

2020-10-01 Thread Durand fabrice via PacketFence-users

Hello Ronald,

can you provide the switches.conf and the packetfence.log files?

Regards

Fabrice


Le 20-10-01 à 16 h 19, Oley, Ronald via PacketFence-users a écrit :


Unfortunately we’ve already run that command.  It does build the AP 
list properly, but it doesn’t resolve my issue.


Can I ask how you configured the Roles for unifi switch in PF?

*From:* Graham Prentice 
*Sent:* Thursday, October 1, 2020 3:06 PM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Oley, Ronald 
*Subject:* Re: [PacketFence-users] Can't load Captive Portal with 
Ubiquiti Wireless - GET not supported


Had the same error on a Unifi AP.

Was fixed by running:

/usr/local/pf/bin/pfcmd pfmon ubiquiti_ap_mac_to_ip

Graham

On Thursday, October 1, 2020, 02:28:40 PM EDT, Oley, Ronald via 
PacketFence-users wrote:


Running the latest version of Unifi controller and PacketFence.  
Followed the PF setup guide exactly for the Ubiquiti setup (but some 
confusion on how to handle Roles config for the Unifi Switch).  When 
users connect to Unifi, instead of getting the captive portal page they 
get the error "Not Implemented - GET to /guest/s/94mbh3bf/ not 
supported" from PacketFence.


I did run the command per the guide to list out all the APs after they 
were pulled in from the controller as a Switch, and the AP MAC is in 
the list.


I'm guessing the issue is somewhere in the Role config for the 
switch.  We aren't doing any VLAN flipping; I'm fine if they keep the 
same VLAN since Unifi will trap them until they auth through the 
portal.  So I tried no VLAN config, as well as filling in the current 
VLAN for the registration and authed user Roles.  I also tried Web 
Auth URL with the URL Ubiquiti is trying to access.  No luck.


Anybody have this working with a Unifi controller?

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users







Re: [PacketFence-users] Delete Node

2020-09-23 Thread Durand fabrice via PacketFence-users

Hello Markus,

if you do autoregistration then it's a message that can appear in the logs.

Regards

Fabrice


Le 20-09-15 à 03 h 32, Mohr, Markus (GAA-OL) via PacketFence-users a écrit :


Hello,

for testing purposes I often have to delete a node. I did the following:

1.Delete entry from locationlog in Database: delete from locationlog 
where mac = 'XX:XX:XX:XX:XX:XX';


2.Delete Node from Webconsole

But when I connect the device to the switch port I can see the 
following in packetfence.log:


Sep 14 14:24:29 snac-ol pfqueue: pfqueue(31091) INFO: [mac:unknown] 
Already did a person lookup for host/LAP-TEST-MO.domain 
(pf::lookup::person::lookup_person)


Sep 14 14:24:29 snac-ol packetfence_httpd.aaa: httpd.aaa(2994) INFO: 
[mac:00:26:b9:b4:16:ad] Role has already been computed and we don't 
want to recompute it. Getting role from node_info 
(pf::role::getRegisteredRole)


Is this the right way to remove a node completely? Why does the logfile 
say "Role has already been computed"?


Thanks in advance

Markus



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Firewall question

2020-09-08 Thread Durand fabrice via PacketFence-users

Hello,

you can try this:

in /usr/local/pf/conf/iptables.conf

change:

:forward-internal-inline-if - [0:0]
%%filter_forward_inline%%

to:

:forward-internal-inline-if - [0:0]

-A forward-internal-inline-if --match mark --mark 0x1 -d 10.255.60.0/24 --jump DROP


%%filter_forward_inline%%


Then restart the iptables service.

Regards

Fabrice


Le 20-09-04 à 08 h 12, INFO via PacketFence-users a écrit :

Hi,

I have an inline configuration using 2 VM Cisco WLC for 200 AP. Not 
using Radius. PF is used only for Guest with Captive portal and using a 
specific group in AD.


All work correctly, but I have a problem when the user is authorized.

The guest must go only to the internet and not to the intranet.

The guest has a private NET in a private Vlan, but between PF and the 
internet there are many hops and many networks.


And the guest now can view all the net.

The guest crosses several networks without firewalls and in these, for 
example, there is the corporate DNS, various MS Domain controllers and 
other things that it must not be able to access.


Basically I should enable the requests to the various dns and related 
responses but then block a whole net /8. I tried to do ACLs on WLCs 
but they are a little weird and dangerous and if I'm wrong I could do 
the company a disservice. How can I do it?


Client 10.122.250./24--- 
PF--10.255.60.0/24-Hop---hop-Firewall-firewall---Router--AS 
Internet


The Guest can view the net 10.255.60.0/24 and other nets up to the 
first firewall.


Who can show me how to make a simple firewall config for iptables.conf?

Thank's






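The reply above puts one DROP rule into the forward-internal-inline-if chain, and the question asks for "allow the DNS servers, then block the whole /8". Because iptables is first-match, the order of those rules is what decides whether guests keep DNS. The following is an added example (not code from the thread or from PacketFence) that renders such a fragment in the same form as Fabrice's rule and simulates the chain for a marked guest packet, so the ordering can be checked before the file is edited. The DNS server 10.1.1.53, the 10.0.0.0/8 block, and the chain/mark semantics beyond what the thread shows are assumptions.

```python
"""Generate and sanity-check inline-enforcement isolation rules for the
forward-internal-inline-if chain in /usr/local/pf/conf/iptables.conf.

Added example, not PacketFence code. The DNS server and blocked network
used in main() are constructed values; the mark 0x1 is the one used in
the rule from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MARK = "0x1"                         # mark matched by the rule in the thread
CHAIN = "forward-internal-inline-if"  # chain named in iptables.conf


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network
    proto: Optional[str]   # "udp", "tcp", or None for any protocol
    dport: Optional[int]   # destination port, or None for any port
    target: str            # "ACCEPT" or "DROP"

    def render(self) -> str:
        """Render in the same style as the rule quoted in the thread."""
        parts = [f"-A {CHAIN} --match mark --mark {MARK} -d {self.dst}"]
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"--jump {self.target}")
        return " ".join(parts)


def guest_isolation_rules(dns_servers: List[str], blocked_nets: List[str]) -> List[Rule]:
    """ACCEPT rules for DNS first, then the broad DROP rules.

    iptables evaluates a chain top to bottom and stops at the first match,
    so the narrow DNS exceptions must precede the /8 DROP or they never fire.
    """
    rules: List[Rule] = []
    for server in dns_servers:
        host = ipaddress.ip_network(f"{server}/32")
        rules.append(Rule(host, "udp", 53, "ACCEPT"))
        rules.append(Rule(host, "tcp", 53, "ACCEPT"))
    for net in blocked_nets:
        rules.append(Rule(ipaddress.ip_network(net), None, None, "DROP"))
    return rules


def render_fragment(rules: List[Rule]) -> str:
    """Text to place between the chain declaration and the
    %%filter_forward_inline%% placeholder, as in the reply above."""
    lines = [f":{CHAIN} - [0:0]"]
    lines += [r.render() for r in rules]
    lines.append("%%filter_forward_inline%%")
    return "\n".join(lines)


def first_match(rules: List[Rule], dst_ip: str, proto: str, dport: int) -> Optional[str]:
    """Simulate the chain for a marked guest packet.

    Returns the target of the first matching rule, or None when no explicit
    rule matched and the packet falls through to the PacketFence-generated rules.
    """
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if ip in r.dst and (r.proto is None or r.proto == proto) \
                and (r.dport is None or r.dport == dport):
            return r.target
    return None


if __name__ == "__main__":
    # Constructed values: a corporate resolver inside the 10/8 that must stay reachable.
    rules = guest_isolation_rules(["10.1.1.53"], ["10.0.0.0/8"])
    print(render_fragment(rules))
    print("DNS to resolver:", first_match(rules, "10.1.1.53", "udp", 53))
    print("HTTP to resolver host:", first_match(rules, "10.1.1.53", "tcp", 80))
```

Running the simulation with the rule list reversed shows the failure mode: the /8 DROP would then shadow the DNS ACCEPTs and guests would lose name resolution while still being "isolated".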


Re: [PacketFence-users] Packetfence server loses ip address information whenever services are stopped or started

2020-09-08 Thread Durand fabrice via PacketFence-users


On 20-09-08 at 09:16, Steve Pfister via PacketFence-users wrote:


We've been using packetfence successfully for quite some time. 
Recently, we moved all of our servers over to a new data center. Since 
then, whenever the services on our packetfence server are stopped or 
started, the ip address information disappears and the service is no 
longer reachable.



Do you mean the VIP?


Does anyone know what this might be caused by?

When you moved the servers to a new data center, did you have to change 
the ip of the servers / update the config?


Is there a way to back up the data, and restore it on a freshly 
installed packetfence server?


There are backup files in /root/backup, but if you save the 
/usr/local/pf/conf directory and the db it should be enough.


Regards

Fabrice



--



Steven Pfister

Information Technology

Admin Building

115 S Ludlow St. Dayton, OH 45402

(937) 542-3149

www.daytonpublic.com | 
spfis...@daytonpublic.com 









Re: [PacketFence-users] PacketFence Cluster

2020-09-08 Thread Durand fabrice via PacketFence-users

Hello Jeff,


On 20-09-08 at 10:21, Jeff Linden via PacketFence-users wrote:


Hello,

Is it reasonable to think I can have a 3 node cluster where all 3 
nodes are on separate, routed, networks?


Yes it's possible but the configuration will be more complicated (on the 
pf side and on the network side too).


I see there is support for adding cluster nodes across routed 
networks, but the example is for a 5 node cluster where only 2 of the 
nodes are routed.


Is there any specific requirement that a cluster /must/ have 3 nodes 
in the same VLAN before adding routed nodes?  I’m going to try it, but 
thought I’d just pose the question to see if I’m  going to encounter 
anything terribly unexpected.



Yes, 3 nodes is to prevent split brain databases.

Regards

Fabrice



Thank you,

Jeff

PRIVACY NOTICE: The information contained in this e-mail, including 
any attachments, is confidential and intended only for the named 
recipient(s). Unauthorized use, disclosure, forwarding, or copying is 
strictly prohibited and may be unlawful. If you are not the intended 
recipient, please delete the e-mail and any attachments and notify us 
immediately by return e-mail.





Re: [PacketFence-users] DHCP OPTION 43 filter for Cisco Lightweight AP

2020-07-28 Thread Durand fabrice via PacketFence-users

can you provide a pcap file of the dhcp traffic with this option inside ?

On 20-07-28 at 05:38, Tomasz Karczewski via PacketFence-users wrote:


HI,

Do you know how to create a response on PF10 DHCP filters for Cisco AP 
similar to 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-00.html#anc13 
?


Tomasz Karczewski

Administrator Sieci

tkarczew...@man.olsztyn.pl

http://www.man.olsztyn.pl http://www.uwm.edu.pl

tel. (89) 523 45 55  fax. (89) 523 43 47

Ośrodek Eksploatacji i Zarządzania

Miejską Siecią Komputerową OLMAN w Olsztynie

Uniwersytet Warmińsko-Mazurski w Olsztynie





Re: [PacketFence-users] Role based access control

2020-07-28 Thread Durand fabrice via PacketFence-users

Hello Jitendra,

On 20-07-28 at 10:31, Jitendra Gondaliya via PacketFence-users wrote:


Hi Team,

We have installed and configured packetfence and added one Cisco 
switch and we are able to authenticate with packetfence but enable 
password is not working, for enable we need to use local users password.



It's missing a little bit of context.


Also does packetfence support role based access control like few users 
will have limited privileges on selected device wherein some users 
will have full privileges on all devices.


you probably mean that 
https://mgmt_ip:1443/admin/alt#/configuration/admin_roles


Btw there is no limited access to a list of devices but a limited access 
to administration sections.


Regards

Fabrice



Regards,

Jitendra Gondaliya





Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to retrieve your profile file"

2020-07-28 Thread Durand fabrice via PacketFence-users
can you post the packetfence.log when you try to register/provision the 
device ?



On 20-07-28 at 10:21, Juraj Tobias wrote:

UPDATE:

based on info from Fabrice, the following is happening:

the profile.xml *does* exist at the path mentioned, HOWEVER, it only 
downloads if I manually visit the URL via browser. If I use the 
provisioning agent and click "Configure", it only downloads an empty 
file "profile.xml" of size 0b and gives the "Unable to retrieve your 
profile file, please contact your local support" error message.


to me, this looks like a config error within the provisioning agent, 
but I don't know how to troubleshoot this, or where to look for its 
config?


jt

*From:* Juraj Tobias via PacketFence-users 


*Sent:* Tuesday, July 28, 2020 14:05
*To:* Fabrice Durand ; 
packetfence-users@lists.sourceforge.net 


*Cc:* Juraj Tobias 
*Subject:* Re: [PacketFence-users] EAP-TLS with integrated PKI - 
"Unable to retrieve your profile file"

thx for the clarification, will check.
didn't see any info about the logs question - would be very helpful, if 
you sent me the log file names that are supposed to hold the relevant 
info? thx!

j

*From:* Fabrice Durand 
*Sent:* Tuesday, July 28, 2020 13:58
*To:* Juraj Tobias ; 
packetfence-users@lists.sourceforge.net 

*Subject:* Re: [PacketFence-users] EAP-TLS with integrated PKI - 
"Unable to retrieve your profile file"



On 20-07-28 at 05:33, Juraj Tobias wrote:

thx, Fabrice, pls see replies in the text

--------------------
*From:* Durand fabrice via PacketFence-users 
 
<mailto:packetfence-users@lists.sourceforge.net>

*Sent:* Tuesday, July 28, 2020 04:41
*To:* packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
 
<mailto:packetfence-users@lists.sourceforge.net>

*Cc:* Durand fabrice  <mailto:fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] EAP-TLS with integrated PKI - 
"Unable to retrieve your profile file"


Hello Tobias,

On 20-07-26 at 10:06, Juraj Tobias via PacketFence-users wrote:

trying to get EAP-TLS with the new integrated PKI working, but
run into problems with actual provisioning on the client computer
- on registration wifi all works fine, user (after successful
auth) gets the password and link for the windows agent, however,
upon clicking the "Configure" button, an error message appears:
"Unable to retrieve your profile file, please contact your local
support".
I will need to see the logs.

I'd check myself, however, there are many, didn't see anything useful 
in those I checked, so if I could get the name of the log files to 
check, i'll gladly provide.


I have a hunch this has something to do with adding the PKI-generated 
radius SSL cert to the RADIUS' configuration (not sure if/why this 
doesn't happen automatically?), as suggested in the installation 
manual, however, the steps described there are very unclear 
(actually, there's just a mention not to forget to add it to the 
config, but the steps how to do that are missing altogether) - I 
tried to do it via 'System configuration -> RADIUS -> SSL 
certificates', however, the "New SSL certificate" form requires me to 
provide an Intermediate CA, which simply doesn't exist in the 
integrated PKI's generated CA.
https://mgmt:1443/admin/alt#/configuration/certificate/radius


does anyone please know, if:

 1. adding the CA's cert is actually needed?

Yes, it's not yet automatic but you need to copy the ca cert in
Configuration -> SSL -> Radius.

this one is a bit confusing. there are 2 nodes you might be referring 
to: 1: System Configuration > SSL Certificates > RADIUS, OR 2: System 
Configuration > RADIUS > SSL Certificates. which one do you have in mind?


System Configuration > RADIUS > SSL Certificates is the place where 
you will define other certificates per example if you want to have 
another one for a specific realm.


https://mgmt:1443/admin/alt#/configuration/certificate/radius is the 
default radius certificate. If you check 
https://mgmt:1443/admin/alt#/configuration/radius/tls/tls-common you 
can see "Certificate Profile" which is defined to radius (which is the 
default certificate).



 2. what does the error message mean?


wrong profile maybe or dns issue.

 3. where on the server should I be looking for the generated XMLs?

from the laptop itself you can go to
https://lost.com//profile.xml

not sure the url didn't get scrambled - are there supposed to be 2x 
slash, or it's just *https:///profile

Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

2020-07-28 Thread Durand fabrice via PacketFence-users
When this happen, can you check the location log of the device to see 
where packetfence think the device is (node -> location).


On 20-07-28 at 07:56, Chris Brown wrote:

Hi,

I have Unifi APs that I am testing, the captive portal / web auth 
works fine on the Unifi APs.


For some reason PacketFence seems to be sending the deauth to the Unifi 
AP / Controller instead of the Ruckus ZoneDirector when a client 
device connects to the ruckus AP.


Current switches.conf and PacketFence.log is attached (client device 
that connected to in this PacketFence.log file was already registered 
on PacketFence via the captive portal)


Thanks for the help

Chris





On Jul 28, 2020, at 12:44 AM, Fabrice Durand <mailto:fdur...@inverse.ca> wrote:


Hello Chrisb,

it looks like you defined the Unifi switch module for your Ruckus AP.

Jul 27 17:32:14 packetfence pfqueue: pfqueue(23832) INFO: 
[mac:58:d9:c3:5e:56:e5] Deauth on site: Default 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)


Fix that and make another try.

Regards

Fabrice


On 20-07-28 at 00:34, chr...@vcxtechnologies.com wrote:

Hi Please see the attached packefence.log file

Thanks,
Chris Brown

*From:*Durand fabrice via 
PacketFence-users

*Sent:*Monday, July 27, 2020 3:25 PM
*To:*packetfence-users@lists.sourceforge.net
*Cc:*Durand fabrice
*Subject:*Re: [PacketFence-users] Captive Portal Web Auth with 
Ruckus APs


Hello Chrisb,

can you post the packetfence.log file at the moment you register on 
the portal ?


Regards

Fabrice

On 20-07-23 at 20:11, chrisb--- via PacketFence-users wrote:

Hi,


I’m looking for some help setting up Packetfence’s captive
portal / web-auth to work with a Ruckus ZD1100 and various
Ruckus APs. When I attempt to connect a device to the network I
can get to the captive portal and use a null source to register
with packetfence but I always get an error that says “your
network should be enabled within a minute or two”


I followed the Ruckus section of the Network Devices
Configuration Guide and found that there is very little
information about the configuration necessary in PacketFence
itself in order to get PacketFence to talk to the Ruckus ZD1100
or the APs. Maybe I’m missing something, but following the
instructions for configuring PacketFence to support the Ruckus
Equipment gives me the exact same results as when I just delete
the ZD1100 and APs from the PacketFence config and try to
register a device.


Relevant lines of switches.conf:
[172.16.105.10]
description=ZD1100
group=default
registrationVlan=-1
type=Ruckus
SNMPVersionTrap=2c
radiusSecret=userStrongerSecret
SNMPVersion=2c

[8c:0c:90:14:c8:40]
description=NOC TEST AP
group=default
controllerIp=172.16.105.10
type=Ruckus


Any help would be greatly appreciated.

Regards,



Chris Brown
chr...@vcxtechnologies.com <mailto:chr...@vcxtechnologies.com>





--
Fabrice Durand
fdur...@inverse.ca  ::  +1.514.447.4918 (x135) ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




Re: [PacketFence-users] Meraki Cloud , 84 access point and 30ish vlan

2020-07-27 Thread Durand fabrice via PacketFence-users


On 20-07-26 at 21:10, Priscilla Lopez via PacketFence-users wrote:

Hi, can someone confirm a few questions I have?
Goal
I am trying to set up a captive portal for registration and 
isolation for students and staff. Our goal is to register all 
staff and student BYOD and ensure that devices not allowed on the 
network are not gaining access. A later goal will be security posturing.
We already have meraki access points, meraki cloud based controller 
and an on-campus windows radius server handling authentication via wifi.


For packetfence config confirm:
I've looked at the manual concerning this and it's not very clear or 
helpful. I've also tried looking through discussions etc. If there is 
a reference in the manual page that relates to my question, or a link 
to a discussion I missed, that will be very helpful.


Do I add each Access Point local ip as switch in the config?

Yes, the radius request is coming from the AP, not from the controller.


Do I also add the Cloud Controller as a switch in the config?

Not needed.


It asks for the IP but it's a cloud controller so I have to look up 
its IP address, correct? I attempted to add a Meraki cloud controller 
v2 but just need confirmation I'm doing it right.

Do you mean the controller ip in the switch config? If it's that then 
you don't need to specify it since the CoA is made on the AP.


I've already completed part of the instructions with the Meraki 
policies and SSID.
Do I add all our vlans and all APs as we have a few that are not 
Meraki? After I add our APs and cloud controller, in order to add 
registration to the wired network do I also add our Core Juniper Switch 
and do I also have to add all our other managed switches connected to 
the Main Core switch?


Depends on which vlan you will return but keep in mind that the traffic 
of the device will go out from the AP and not from the controller, so 
something like that should be ok:


native vlan: mgmt vlan

Spanned vlan: registration/isolation/All production vlan that devices 
should be after registration


How does it then pass the authentication off to the already existing 
radius server for appropriate vlan assignment instead of PF 
FreeRadius. Is this to CoA for the wired and wireless?

yes CoA or disconnect


Our Vlans are per building with one switch in each building. We have 
one Core switch then each switch is connected it in each building?


Just map the role to the correct vlan id on each ap.

AP from building A: staff vlan -> 22

AP from building B: staff vlan -> 55





As students move between buildings they lose connectivity as they 
reconnect to the next vlan. I was informed it was for smaller 
broadcast domain/collisions. We also have so much stuff on our network.


Would I have to register all those devices as well such as sensors, 
copiers, non-Meraki access points, that are more for general use?


It depends, but I believe that copiers, for example, are connected to a 
switch port, so if you manage the switch port with packetfence then yes, 
register it manually.


Regards

Fabrice



Thanks.

Regards,
Priscilla Lopez
Computers Systems Engineer










Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to retrieve your profile file"

2020-07-27 Thread Durand fabrice via PacketFence-users

Hello Tobias,

On 20-07-26 at 10:06, Juraj Tobias via PacketFence-users wrote:
trying to get EAP-TLS with the new integrated PKI working, but run 
into problems with actual provisioning on the client computer - on 
registration wifi all works fine, user (after successful auth) gets 
the password and link for the windows agent, however, upon clicking 
the "Configure" button, an error message appears: "Unable to retrieve 
your profile file, please contact your local support".

I will need to see the logs.


I have a hunch this has something to do with adding the PKI-generated 
radius SSL cert to the RADIUS' configuration (not sure if/why this 
doesn't happen automatically?), as suggested in the installation 
manual, however, the steps described there are very unclear (actually, 
there's just a mention not to forget to add it to the config, but the 
steps how to do that are missing altogether) - I tried to do it via 
'System configuration -> RADIUS -> SSL certificates', however, the 
"New SSL certificate" form requires me to provide an Intermediate CA, 
which simply doesn't exist in the integrated PKI's generated CA.


does anyone please know, if:

 1. adding the CA's cert is actually needed?

Yes, it's not yet automatic but you need to copy the ca cert in 
Configuration -> SSL -> Radius.


 2. what does the error message mean?


wrong profile maybe or dns issue.


 3. where on the server should I be looking for the generated XMLs?


from the laptop itself you can go to https://lost.com//profile.xml

or can anyone point me somewhere where I could find some more info?

thanks a lot!
j.




Re: [PacketFence-users] PF 10.1 wlc 2504 DPSK - can't connect to this network | Incorrect password

2020-07-27 Thread Durand fabrice via PacketFence-users

Hello Tobias,


it looks like something is missing on the wlc side (if you have 
multiple attempts).


Can you post what you have in the radius audit log (request/answer) ?


Regards

Fabrice



On 20-07-25 at 06:28, Juraj Tobias via PacketFence-users wrote:

*bump* - anyone?

*From:* Juraj Tobias via PacketFence-users 


*Sent:* Wednesday, July 22, 2020 17:02
*To:* packetfence-users@lists.sourceforge.net 


*Cc:* Juraj Tobias 
*Subject:* [PacketFence-users] PF 10.1 wlc 2504 DPSK - can't connect 
to this network | Incorrect password

setup:

  * PacketFence 10.1 clean centos7 install in hyper-v VM
  * WLC 2504 fw 8.5.151.0
  * want to make use of DPSK
  * configured according to this guide



problem:

registration on reg. (open) WLAN works fine - I can see device & user 
added in pf admin UI, generated DPSK matches what I'm using in Windows 
to connect to secure WLAN. Right after I put the DPSK, I can see:


(175) Login OK: [M:A:C:A:D:D:R] (from client  port
1 cli M:A:C:A:D:D:R)
Jul 22 16:37:08 packetfence auth[2582]: [mac:M:A:C:A:D:D:R]
Accepted user: /(no username here - problem?)/ and returned VLAN XYZ

exactly 6 times in a row.
however, windows throws "Can't connect to this network" error. Doing 
the same on android (same test user) doesn't give any error message, 
just doesn't connect to network. doing the same on iPhone SE gives 
"Incorrect password" error. radius.log still happily shows "accepted 
user".


According to Troubleshooting section in network device guide 
, 
the problem might be in SSL cert, so I exported the radius' root cert 
from web UI and imported it as trusted Root CA into the windows test 
machine. Didn't help, same error.

I suspect a problem in WLC, but not sure what else/where to check.
Any ideas, please?

thanks in advance for any hints!
j.




Re: [PacketFence-users] AD/LDAP Authentication Source. Single hostname. Round Robin?

2020-07-27 Thread Durand fabrice via PacketFence-users
It's based on the dns so I believe when the ttl of the dns answer 
expires then it will maybe try another ip.


Btw I recommend defining all the ip addresses of the ldap servers in 
the authentication source and enabling the shuffle option.


I have seen so many times a misconfiguration in the dns where there is an ip 
address that is not reachable by the packetfence server and it causes 
random issues.


On 20-07-24 at 15:47, Christian McDonald via PacketFence-users wrote:
When configuring an AD/LDAP authentication source with a single LDAP 
hostname (i.e. ad.mydomain.com), will 
PacketFence round-robin the A records or should I explicitly declare 
multiple LDAP hosts?



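The failure mode Fabrice describes, an A record behind the LDAP hostname that the PacketFence server cannot reach, is easy to check for before listing the servers explicitly in the authentication source. The following is an added example (not PacketFence code) that resolves every IPv4 address behind a hostname, probes each on the LDAP port, and reports the ones that fail. The resolver and probe are injectable so the logic can be exercised offline; the addresses in main() are constructed values, and the hostname ad.example.test is a placeholder.

```python
"""Audit every A record behind an AD/LDAP hostname for reachability.

Added example, not PacketFence code. `resolve_a_records` and
`tcp_reachable` use the real resolver and network; both can be replaced
by the `resolver` / `probe` parameters, which is how main() runs offline
against constructed data.
"""
import socket
from typing import Callable, Dict, List


def resolve_a_records(hostname: str) -> List[str]:
    """All IPv4 addresses the local resolver returns, deduplicated, in answer order."""
    seen, out = set(), []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            hostname, None, socket.AF_INET, socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ldap_hostname(hostname: str, port: int = 636,
                        resolver: Callable[[str], List[str]] = resolve_a_records,
                        probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, bool]:
    """Map every address behind `hostname` to whether it answers on `port`.

    A False entry is the case from the thread: DNS hands out an address
    the PacketFence server cannot reach, so a round-robin pick of that
    record produces intermittent authentication failures.
    """
    return {ip: probe(ip, port) for ip in resolver(hostname)}


def unreachable_members(report: Dict[str, bool]) -> List[str]:
    """Addresses that should be fixed in DNS or excluded from the source."""
    return sorted(ip for ip, ok in report.items() if not ok)


def explicit_host_list(report: Dict[str, bool]) -> List[str]:
    """Reachable addresses to list in the authentication source instead of
    the single hostname, so the shuffle option rotates only among working servers."""
    return [ip for ip, ok in report.items() if ok]


if __name__ == "__main__":
    # Constructed data: three records, the last one unreachable from this host.
    fake_records = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
    report = audit_ldap_hostname(
        "ad.example.test", 636,
        resolver=lambda host: list(fake_records),
        probe=lambda ip, port: ip != "10.0.0.12",
    )
    print("report:", report)
    print("unreachable:", unreachable_members(report))
    print("use in source:", explicit_host_list(report))
```

With the defaults the same functions run against the real resolver and network (`audit_ldap_hostname("ad.mydomain.com")`), which is the check to run from the PacketFence server itself rather than from an administrator's workstation, since the question is reachability from that host.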


Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

2020-07-27 Thread Durand fabrice via PacketFence-users

Hello Chrisb,

can you post the packetfence.log file at the moment you register on the 
portal ?


Regards

Fabrice


On 20-07-23 at 20:11, chrisb--- via PacketFence-users wrote:


Hi,


I’m looking for some help setting up Packetfence’s captive portal / 
web-auth to work with a Ruckus ZD1100 and various Ruckus APs. When I 
attempt to connect a device to the network I can get to the captive 
portal and use a null source to register with packetfence but I always 
get an error that says “your network should be enabled within a minute 
or two”



I followed the Ruckus section of the Network Devices Configuration 
Guide and found that there is very little information about the 
configuration necessary in PacketFence itself in order to get 
PacketFence to talk to the Ruckus ZD1100 or the APs. Maybe I’m missing 
something, but following the instructions for configuring PacketFence 
to support the Ruckus Equipment gives me the exact same results as 
when I just delete the ZD1100 and APs from the PacketFence config and 
try to register a device.



Relevant lines of switches.conf:
[172.16.105.10]
description=ZD1100
group=default
registrationVlan=-1
type=Ruckus
SNMPVersionTrap=2c
radiusSecret=userStrongerSecret
SNMPVersion=2c

[8c:0c:90:14:c8:40]
description=NOC TEST AP
group=default
controllerIp=172.16.105.10
type=Ruckus


Any help would be greatly appreciated.

Regards,


Chris Brown

chr...@vcxtechnologies.com





Re: [PacketFence-users] High CPU - pfcmd.pl and Perl

2020-07-22 Thread Durand fabrice via PacketFence-users
I think you have pfacct already running so radius-acct can't start 
because the port is already used (1813).


just disable packetfence-radiusd-acct.service

systemctl disable packetfence-radiusd-acct.service

Regards

Fabrice


On 20-07-22 at 22:15, Louis Scaringella via PacketFence-users wrote:

In the /var/log/messages log I see this:

Jul 22 18:50:37 localhost pfhttpd: [GIN] 2020/07/22 - 18:50:37 | 200 |  51.166µs |
10.255.255.1 | POST "/api/v1/logs/tail"
Jul 22 18:50:37 localhost systemd: packetfence-radiusd-acct.service: main 
process exited, code=exited, status=1/FAILURE
Jul 22 18:50:37 localhost systemd: Failed to start PacketFence FreeRADIUS 
multi-protocol accounting server.
Jul 22 18:50:37 localhost systemd: Unit packetfence-radiusd-acct.service 
entered failed state.
Jul 22 18:50:37 localhost systemd: packetfence-radiusd-acct.service failed.
Jul 22 18:50:37 localhost pfhttpd: [GIN] 2020/07/22 - 18:50:37 | 200 |  70.744µs |
10.255.255.1 | GET  "/api/v1/logs/tail/1c9d9620-aa2c-43fd-92d6-13955df3dd3d"
Jul 22 18:50:37 localhost pfhttpd: [GIN] 2020/07/22 - 18:50:37 | 200 |  328.13µs |
10.255.255.1 | OPTIONS  "/api/v1/logs/tail"
Jul 22 18:50:37 localhost systemd: packetfence-radiusd-acct.service holdoff 
time over, scheduling restart.
Jul 22 18:50:37 localhost systemd: Cannot add dependency job for unit 
systemd-logind.service, ignoring: Unit is masked.
Jul 22 18:50:37 localhost systemd: Cannot add dependency job for unit 
mariadb.service, ignoring: Unit is masked.
Jul 22 18:50:37 localhost systemd: Stopped PacketFence FreeRADIUS 
multi-protocol accounting server.
Jul 22 18:50:37 localhost systemd: Starting PacketFence FreeRADIUS 
multi-protocol accounting server…

I suspect this is part of the problem and why pfcmd.pl keeps getting triggered 
and ran.

Any ideas?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Jul 22, 2020, at 5:21 PM, Louis Scaringella via PacketFence-users 
 wrote:

Hello,

I just installed CentOS 7.8 and PacketFence and applied the latest bug 
fixes today.

When running the top command, I seem to be having an issue now where the 
pfcmd.pl and perl processes are continuously running and using high CPU. Any 
ideas where to start with investigating why this may be?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

The information transmitted, including any attachments, is intended only for 
the person or entity to which it is addressed and may contain confidential 
and/or privileged material. Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon, this information by persons 
or entities other than the intended recipient is prohibited, and all liability 
arising therefrom is disclaimed. If you received this in error, please contact 
the sender and delete the material from any computer.









Re: [PacketFence-users] Machine Authentication

2020-07-06 Thread Durand fabrice via PacketFence-users
pass_vlan`, `category_id`, 
`computername`, `detect_date`, `device_class`, `device_manufacturer`, 
`device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, 
`dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, 
`last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, 
`notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, 
`time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, 
?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, 
`last_seen` = NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = 
?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, 
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -00-00 00:00:00, 
-00-00 00:00:00, -00-00 00:00:00, 00:e0:4c:19:dd:56, 
host/IT-VM-TEST. domain.local, NULL, host/IT-VM-TEST. domain.local, 
-00-00 00:00:00, NULL, unreg, 1, NULL, -00-00 00:00:00, NULL, 
no, yes, host/IT-VM-TEST. domain.local, host/IT-VM-TEST. 
domain.local, 1} (pf::dal::db_execute)


Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) 
(pf::radius::authorize)



Thanks.
Mike


Regards

Fabrice




On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via 
PacketFence-users  
<mailto:packetfence-users@lists.sourceforge.net> wrote:



Hello Michael,


On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
Hi Guys,

I am trying to get machine authentication working so that if a 
machine is a member of the Active Directory Domain Computers group it 
will join wifi without prompting the user for anything.


The access points are all Meraki.


On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP

Authentication Profile
Relam: Host

Realm can't be Host, it's supposed to be the fqdn of the domain: for 
host/x1234.acme.com the realm is acme.com


So create the realm acme.com, associate the domain to it and in the 
authentication source (AD) edit the authentication rule and remove 
Realm = host


Next connect to the ssid and paste the packetfence.log and the 
radius.log file if it still doesn't work.


Regards

Fabrice


Group Membership > is a member of > CN=Domain 
Computers,CN=Users,DC=x,DC=local

Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName


On a domain device that is a member of Domain Computers, when I 
choose to join the wireless network it is prompting me for a 
username and password.


Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike







___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Clustering Guide Sanity Check

2020-07-06 Thread Durand fabrice via PacketFence-users

Hello Christian,

In which step do you have an issue?

Regards

Fabrice



On 20-07-06 at 18:49, Christian McDonald via PacketFence-users wrote:

Greetings,

I've been pulling my hair out trying to get a 3-node PF Cluster running.

Has anyone recently followed the clustering guide running the latest 
PF version?


I'm usually pretty good at following instructions, but there is 
something very broken about the clustering guide.


Anybody have any suggestions?


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Machine Authentication

2020-07-06 Thread Durand fabrice via PacketFence-users
registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] no role computed by any sources - registration 
of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed 
(pf::registration::setup_node_for_registration)


Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] auto-registration of node failed no role 
computed by any sources (pf::radius::authorize)


Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] Database query failed with non retryable 
error: Cannot add or update a child row: a foreign key constraint 
fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) 
REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE 
CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, 
`bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, 
`computername`, `detect_date`, `device_class`, `device_manufacturer`, 
`device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, 
`dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, 
`last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, 
`notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, 
`time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, 
?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, 
`last_seen` = NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = 
?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, NULL, 
NULL, NULL, NULL, NULL, NULL, NULL, NULL, -00-00 00:00:00, 
-00-00 00:00:00, -00-00 00:00:00, 00:e0:4c:19:dd:56, 
host/IT-VM-TEST. domain.local, NULL, host/IT-VM-TEST. domain.local, 
-00-00 00:00:00, NULL, unreg, 1, NULL, -00-00 00:00:00, NULL, 
no, yes, host/IT-VM-TEST. domain.local, host/IT-VM-TEST. domain.local, 
1} (pf::dal::db_execute)


Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) 
(pf::radius::authorize)



Thanks.
Mike


Regards

Fabrice




On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via 
PacketFence-users wrote:



Hello Michael,


On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
Hi Guys,

I am trying to get machine authentication working so that if a machine 
is a member of the Active Directory Domain Computers group it will 
join wifi without prompting the user for anything.


The access points are all Meraki.


On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP

Authentication Profile
Realm: Host

Realm can't be Host; it's supposed to be the FQDN of the domain. For 
example, for host/x1234.acme.com the realm is acme.com.


So create the realm acme.com, associate the domain to it and in the 
authentication source (AD) edit the authentication rule and remove 
Realm = host


Next connect to the ssid and paste the packetfence.log and the 
radius.log file if it still doesn't work.


Regards

Fabrice


Group Membership > is a member of > CN=Domain 
Computers,CN=Users,DC=x,DC=local

Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName


On a domain device that is a member of Domain Computers, when I 
choose to join the wireless network it is prompting me for a username 
and password.


Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike







___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Machine Authentication

2020-07-05 Thread Durand fabrice via PacketFence-users

Hello Michael,


On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:

Hi Guys,

I am trying to get machine authentication working so that if a machine 
is a member of the Active Directory Domain Computers group it will 
join wifi without prompting the user for anything.


The access points are all Meraki.


On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP

Authentication Profile
Realm: Host


Realm can't be Host; it's supposed to be the FQDN of the domain. For 
example, for host/x1234.acme.com the realm is acme.com.


So create the realm acme.com, associate the domain to it and in the 
authentication source (AD) edit the authentication rule and remove Realm 
= host


Next connect to the ssid and paste the packetfence.log and the 
radius.log file if it still doesn't work.


Regards

Fabrice


Group Membership > is a member of > CN=Domain 
Computers,CN=Users,DC=x,DC=local

Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName


On a domain device that is a member of Domain Computers, when I choose 
to join the wireless network it is prompting me for a username and 
password.


Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike







___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] device_registration invalid parameter

2020-06-30 Thread Durand fabrice via PacketFence-users

Hello Andrew,

Just remove it from the file and it will be OK.

Regards

Fabrice


On 20-06-24 at 11:01, Lierman, Andrew via PacketFence-users wrote:
I keep getting messages about invalid parameter device_registration 
for profiles.
What do I need to change to fix this issue? Is there a configuration 
file I need to modify? The only entry I saw was 
device_regisration=default in profiles.conf



--
https://www.altoona.k12.wi.us

Andrew Lierman | Network Specialist
School District of Altoona
a: 1903 Bartlett Ave| Altoona, WI 54720
w: www.altoona.k12.wi.us 
p: 715-838-7087





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] MariaDB not managed by PacketFence, periodically stopping

2020-06-13 Thread Durand fabrice via PacketFence-users
ar/conf/mariadb.conf


Jun 13 23:18:26 nadc1-pfence-01 pfstats[1162]: 
t=2020-06-13T23:18:26-0400 lvl=eror msg="Error while performing SQL 
query: dial unix /var/run/mysqld/mysqld.sock: connect:


Jun 13 23:18:26 nadc1-pfence-01 pf-mariadb[4]: Could not open 
required defaults file: /usr/local/pf/var/conf/mariadb.conf


Jun 13 23:18:26 nadc1-pfence-01 pf-mariadb[4]: Fatal error in 
defaults handling. Program aborted


Jun 13 23:18:26 nadc1-pfence-01 pf-mariadb[4]: WARNING: Defaults 
file '/usr/local/pf/var/conf/mariadb.conf' not found!


Jun 13 23:18:26 nadc1-pfence-01 pf-mariadb[4]: Could not open 
required defaults file: /usr/local/pf/var/conf/mariadb.conf


Jun 13 23:18:26 nadc1-pfence-01 pf-mariadb[4]: Fatal error in 
defaults handling. Program aborted


Jun 13 23:18:26 nadc1-pfence-01 pf-mariadb[4]: WARNING: Defaults 
file '/usr/local/pf/var/conf/mariadb.conf' not found!


Jun 13 23:18:26 nadc1-pfence-01 pf-mariadb[4]: 200613 23:18:26 
mysqld_safe Logging to '/var/lib/mysql/nadc1-pfence-01.err'.


Jun 13 23:18:26 nadc1-pfence-01 pf-mariadb[4]: 200613 23:18:26 
mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: Failed starting 
with mode: standalone


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: MariaDB is not alive

Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: Starting MySQL with 
command: mysqld_safe --defaults-file=/usr/local/pf/var/conf/mariadb.conf


Jun 13 23:18:27 nadc1-pfence-01 pfmon[96114]: pfmon(96114) FATAL: 
[mac:unknown] unable to connect to database: Can't connect to local 
MySQL server through socket '/var/r


(pf::db::db_connect)

Jun 13 23:18:27 nadc1-pfence-01 pfmon[96114]: pfmon(96114) INFO: 
[mac:unknown] getting security_events triggers for accounting cleanup 
(pf::accounting::acct_maintenance)


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: Could not open 
required defaults file: /usr/local/pf/var/conf/mariadb.conf


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: Fatal error in 
defaults handling. Program aborted


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: WARNING: Defaults 
file '/usr/local/pf/var/conf/mariadb.conf' not found!


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: Could not open 
required defaults file: /usr/local/pf/var/conf/mariadb.conf


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: Fatal error in 
defaults handling. Program aborted


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: WARNING: Defaults 
file '/usr/local/pf/var/conf/mariadb.conf' not found!


Jun 13 23:18:27 nadc1-pfence-01 pf-mariadb[4]: 200613 23:18:27 
mysqld_safe Logging to '/var/lib/mysql/nadc1-pfence-01.err'.


Jeff

*From:* Durand fabrice via PacketFence-users


*Sent:* Saturday, June 13, 2020 10:02 AM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice 
*Subject:* Re: [PacketFence-users] MariaDB not managed by PacketFence, 
periodically stopping


Hello Jeff,

It looks like you are trying to deal with the 2 services (mariadb and 
packetfence-mariadb).


So what you can do first is:

systemctl stop mariadb

systemctl disable mariadb

systemctl mask mariadb

Then:

/usr/local/pf/bin/pfcmd generatemariadbconfig

Check to see if the file /usr/local/pf/var/conf/mariadb.conf is there and:

systemctl restart packetfence-mariadb

Let me know if it helps.

Regards

Fabrice

On 20-06-12 at 08:43, Jeff Linden via PacketFence-users wrote:

I find the MariaDB periodically stopping in my current
configuration.  It stops and it doesn’t restart on its own.  I can
start it again without difficulty using ‘systemctl start mariadb’.

I have the impression that it is a weekly occurrence.  I thought
it was every Saturday, but when I paid attention, it occurred
Friday, June 5 and then again on Thursday, June 11.  I noticed
that the time, 06:02, is consistent.

I did review ‘systemctl status mariadb’ while it was down.  I
failed to paste it here and it is lost for now, but it only
indicated that the service was stopping without offering a
reason.  The entry occurred at 06:02:xx and led me to check other
logs for more information at that time.  At the end of this
message is some log data surrounding the event, but all I see is
confirmation that the database became unavailable.  Hopefully,
there’s some place else to look for a clue.

I’ve noticed that I should potentially be using the service name
packetfence-mariadb, not just mariadb.  Currently, with the
service successfully started, ‘systemctl status mariadb’ and
‘systemctl status packetfence-mariadb’ both successfully return
the same results.  And, I’ve since realized I can start, stop and
get status using either of those service names.

Before sending this message, I’ve dug a bit further.  I find that
the file /etc/systemd/system/packetfence-mariadb.service is
improperly linked to /lib/systemd/system/

Re: [PacketFence-users] MariaDB not managed by PacketFence, periodically stopping

2020-06-13 Thread Durand fabrice via PacketFence-users

Hello Jeff,

It looks like you are trying to deal with the 2 services (mariadb and 
packetfence-mariadb).


So what you can do first is:

systemctl stop mariadb

systemctl disable mariadb

systemctl mask mariadb

Then:

/usr/local/pf/bin/pfcmd generatemariadbconfig

Check to see if the file /usr/local/pf/var/conf/mariadb.conf is there and:

systemctl restart packetfence-mariadb


Let me know if it helps.

Regards

Fabrice


On 20-06-12 at 08:43, Jeff Linden via PacketFence-users wrote:


I find the MariaDB periodically stopping in my current configuration.  
It stops and it doesn’t restart on its own.  I can start it again 
without difficulty using ‘systemctl start mariadb’.


I have the impression that it is a weekly occurrence.  I thought it 
was every Saturday, but when I paid attention, it occurred Friday, 
June 5 and then again on Thursday, June 11.  I noticed that the time, 
06:02, is consistent.


I did review ‘systemctl status mariadb’ while it was down.  I failed 
to paste it here and it is lost for now, but it only indicated that 
the service was stopping without offering a reason.  The entry 
occurred at 06:02:xx and led me to check other logs for more 
information at that time. At the end of this message is some log data 
surrounding the event, but all I see is confirmation that the database 
became unavailable.  Hopefully, there’s some place else to look for a 
clue.


I’ve noticed that I should potentially be using the service name 
packetfence-mariadb, not just mariadb. Currently, with the service 
successfully started, ‘systemctl status mariadb’ and ‘systemctl status 
packetfence-mariadb’ both successfully return the same results.  And, 
I’ve since realized I can start, stop and get status using either of 
those service names.


Before sending this message, I’ve dug a bit further.  I find that the 
file /etc/systemd/system/packetfence-mariadb.service is improperly 
linked to /lib/systemd/system/mariadb.service.  I think it should be 
linked to /lib/systemd/system/packetfence-mariadb.service.  I believe 
I created the improper link during some earlier testing of the 
PacketFence upgrade process.  It was a difficult experience to 
complete the upgrade for some reason and, in the end, I removed all 
the packages and reinstalled them and struggled to get it all working 
again.  I did so, but along the way I believe I changed that symbolic 
link to get the database to come up.


This suggests to me that maybe PacketFence is not managing the mariadb 
as it should.


I’ve tried changing the link to 
/etc/systemd/system/packetfence-mariadb.service -> 
/lib/systemd/system/packetfence-mariadb.service.  There are errors and 
the database will not start in this configuration. The error states 
the /usr/local/pf/var/conf/mariadb.conf file is not found.  When I 
have the opportunity to check (I reboot when I make changes to the 
links and such) the file is there. I’ve learned the defaults file is 
created during database startup by ‘pfcmd generatemariadbconfig’ and 
that process is reported to be successful.


● packetfence-mariadb.service - PacketFence MariaDB instance

   Loaded: loaded (/lib/systemd/system/packetfence-mariadb.service; 
enabled; vendor preset: enabled)


   Active: activating (start) since Thu 2020-06-11 11:09:22 EDT; 30s ago

  Process: 1011 ExecStartPre=/usr/local/pf/bin/pfcmd 
generatemariadbconfig (code=exited, status=0/SUCCESS)


Main PID: 1019 (pf-mariadb)

    Tasks: 7 (limit: 36864)

   CGroup: 
/packetfence.slice/packetfence-base.slice/packetfence-mariadb.service


├─ 1019 pf-mariadb

├─14588 /bin/bash /usr/bin/mysqld_safe 
--defaults-file=/usr/local/pf/var/conf/mariadb.conf


└─14590 /bin/bash /usr/bin/mysqld_safe 
--defaults-file=/usr/local/pf/var/conf/mariadb.conf


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: Fatal error in 
defaults handling. Program aborted


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: WARNING: Defaults 
file '/usr/local/pf/var/conf/mariadb.conf' not found!


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: Could not open 
required defaults file: /usr/local/pf/var/conf/mariadb.conf


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: Fatal error in 
defaults handling. Program aborted


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: WARNING: Defaults 
file '/usr/local/pf/var/conf/mariadb.conf' not found!


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: 200611 11:09:53 
mysqld_safe Logging to '/var/lib/mysql/nadc1-pfence-01.err'.


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: 200611 11:09:53 
mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: Failed starting with 
mode: standalone


Jun 11 11:09:53 nadc1-pfence-01 pf-mariadb[1019]: MariaDB is not alive

Here’s the folder listing showing the mariadb.conf in existence.  
Created at the same time as the service start was attempted.  You 
might notice the permissions of the file are 0722, not 0622 as 
expected.  It’s 
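
The procedure Fabrice gives above (stop, disable and mask the distro mariadb unit, regenerate mariadb.conf with pfcmd, then restart packetfence-mariadb) and the wrong unit symlink Jeff found both lend themselves to a small script that checks the state before touching any service. What follows is an added example, not code from this thread or from the PacketFence project; it assumes the paths quoted in the thread, the function names and the check/apply subcommands are mine, and the two check functions take explicit paths so they can be tried on a scratch directory before being pointed at a real host.

```shell
#!/bin/sh
# Added example (not from the thread or from PacketFence): check the two
# things this thread turned on before touching services, then apply the
# steps Fabrice lists only on request. Paths are the ones quoted in the
# thread; the function names and the check/apply subcommands are mine.

PF_UNIT_LINK="${PF_UNIT_LINK:-/etc/systemd/system/packetfence-mariadb.service}"
PF_UNIT_TARGET="${PF_UNIT_TARGET:-/lib/systemd/system/packetfence-mariadb.service}"
PF_MARIADB_CONF="${PF_MARIADB_CONF:-/usr/local/pf/var/conf/mariadb.conf}"

# unit_link_ok LINK TARGET: 0 when LINK is a symlink whose target is TARGET.
# Jeff's broken state was LINK -> /lib/systemd/system/mariadb.service, which
# is why "systemctl status mariadb" and "... packetfence-mariadb" reported the
# same unit. Pure filesystem check, so it runs without systemd.
unit_link_ok() {
    l="$1"
    t="$2"
    [ -L "$l" ] || return 1
    [ "$(readlink "$l")" = "$t" ]
}

# mariadb_conf_ok FILE: 0 when the defaults file written by
# "pfcmd generatemariadbconfig" exists, is non-empty and is readable by the
# caller. mysqld_safe reports a missing or unreadable file as
# "Defaults file ... not found!", the message seen in Jeff's logs.
mariadb_conf_ok() {
    c="$1"
    [ -f "$c" ] && [ -s "$c" ] && [ -r "$c" ]
}

# check_state [LINK TARGET CONF]: print one verdict per check, return 0
# only if both pass. Arguments default to the PF_* paths above.
check_state() {
    lnk="${1:-$PF_UNIT_LINK}"
    tgt="${2:-$PF_UNIT_TARGET}"
    cnf="${3:-$PF_MARIADB_CONF}"
    rc=0
    if unit_link_ok "$lnk" "$tgt"; then
        echo "ok:   $lnk -> $tgt"
    else
        echo "FAIL: $lnk does not point at $tgt (found: $(readlink "$lnk" 2>/dev/null || echo 'not a symlink'))"
        rc=1
    fi
    if mariadb_conf_ok "$cnf"; then
        echo "ok:   $cnf present and readable"
    else
        echo "FAIL: $cnf missing, empty or unreadable"
        rc=1
    fi
    return $rc
}

# apply_fix: the steps from the thread, in order. Needs root on a systemd host.
# Masking the distro unit makes sure nothing can start it behind
# PacketFence's back; the restart is skipped if the config was not generated.
apply_fix() {
    systemctl stop mariadb
    systemctl disable mariadb
    systemctl mask mariadb
    /usr/local/pf/bin/pfcmd generatemariadbconfig
    if ! mariadb_conf_ok "$PF_MARIADB_CONF"; then
        echo "generatemariadbconfig did not produce $PF_MARIADB_CONF; not restarting" >&2
        return 1
    fi
    systemctl restart packetfence-mariadb
}

case "${1:-}" in
    check) check_state ;;
    apply) apply_fix ;;
esac
```

Run it as `sh pf-mariadb-check.sh check` first; only when the symlink verdict is the one that fails is the fix a matter of relinking, whereas a missing mariadb.conf is what the `apply` path regenerates.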

Re: [PacketFence-users] Clustering Setup

2020-06-13 Thread Durand fabrice via PacketFence-users

Hello Talan,

On 20-06-12 at 03:51, Talan Westby via PacketFence-users wrote:


Hi All,

Hope you’re all keeping well during the current pandemic?

We have been users of Packetfence for several years now and with it 
performing a core business function there has been a considering 
amount of scrutiny over the reliability of having this service hosted 
on just a single server. I have therefore been tasked with changing 
the design of the network to accommodate a new clustered Packetfence 
environment.


I’ve been researching into this and found the guides to create a 
cluster. What I’m a little unsure on, is I can see from these guides 
is setting the system up from scratch. Is it possible to create two 
new servers and convert our current one to form part of a cluster or 
does it have to be started from scratch and our configuration copied 
across?


Yes, of course. In fact, what you will need to do first is to take a 
snapshot or a backup and fill in the cluster.conf file.


Once you are at this state, just follow the guide; you will run exactly 
the same commands.


Btw, building a cluster always starts by configuring a standalone and 
adding the 2 others, so the standalone is your current prod one.


Regards

Fabrice


I’m happy to proceed with creating an all new server cluster but if we 
can implement a couple of additional servers and then tie it to our 
current one that would save a considerable amount of time copying 
across the configuration.



Any advice on this would be appreciated.

Kind Regards,




*Talan Westby*

*Senior Engineer: IT Infrastructure*

The Roundhouse, Roundhouse Road, Pride Park, Derby, DE24 8JE

talan.wes...@derby-college.ac.uk 



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Captive Portal Issues v10.0.1

2020-06-05 Thread Durand fabrice via PacketFence-users
 
registration vlan, but can't access the actual pf IP address either. 
Can't manually access the portal with ip or hostname.


-Ryan



>>> Durand fabrice via PacketFence-users 6/4/2020 9:42 PM >>>
If it's a layer 2 registration network then the DNS will answer with 
the IP 192.0.2.1 (to fix the Samsung captive portal detection).
So check to see if the IP is on the lo interface (ip a); if it's the 
case, check to see if the haproxy-portal is listening on this IP 
(netstat -nlp | grep 443).
Also you can try to capture the traffic of the device and share the 
pcap (tshark -i ethx -f "ether host mac_address" -w /tmp/device.pcap).

Regards
Fabrice

On 20-06-04 at 13:07, Ryan Radschlag via PacketFence-users wrote:
We're having issues with the clients not getting redirected to the 
captive portal. From what I can find, all of the DNS requests return 
192.0.2.1 now. Is this supposed to work? Our clients sit idle and 
can't get to the portal even if we manually enter the DNS or IP 
address. Currently we're running in out of band deployment. Any 
pointers on how to get this working?


Thanks!
-Ryan




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Question about Aruba and MAC/802.1X Auth

2020-06-04 Thread Durand fabrice via PacketFence-users

https://mgmt_ip:1443/admin/alt#/configuration/filter_engines

On 20-06-04 at 23:28, Louis Scaringella wrote:

Sorry for my ignorance, where is the VLAN filter created?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Jun 4, 2020, at 9:56 PM, Durand fabrice via PacketFence-users 
wrote:

Hello Louis,

My answer below.

On 20-06-04 at 21:53, Louis Scaringella via PacketFence-users wrote:

Hello,

Thank you for your time in helping.

I am working with a client and the goal is to build upon the current 802.1X 
PEAP environment they have with Windows NPS and expand this to use PacketFence 
and to limit BYOD by using MAC address authentication in conjunction with 
802.1X PEAP.

Ideally, I would like to use PacketFence to maintain this MAC address database 
and authenticate against Active Directory for user auth. The 802.1X PEAP side 
of things works well and I have had success multiple times in deploying this 
with Active Directory as the authenticate source just fine. MAC auth is the 
portion I'm struggling with getting to work properly.

The MAC addresses would be populated manually and imported into PacketFence by 
my client’s IT team.

Ideally, what the flow of authentication would be is to have the user attempt 
to connect to the wireless network. Their Aruba controller would be setup to 
handle both MAC auth and 802.1X and pass that to PacketFence via Radius. 
PacketFence would then check its database for the MAC address and if found 
move to 802.1X user auth. If the user authenticates to Active Directory 
successfully, the connection is allowed.

No, I don't think this is the correct approach.

What you can do is simple: if the IT team imports the MACs, then the list of 
MACs they import becomes "registered".

So what you can do, is to create a connection profile with:

Autoregister disabled

Recompute from portal enabled

Then create a VLAN filter like this:


node.status = unreg

scope = RegistrationRole

role = REJECT


So it means that even if your 802.1X authentication succeeds, if your device is 
not registered in PacketFence then the authentication is rejected.


I don’t want to use any concept of registered vs unregistered devices and don’t 
want self registration or captive portal of any kind. I just simply want to 
make sure the MAC address of the supplicant is a member of PacketFence’s 
database.

You will need the concept of registered vs unregistered, but the IT team decides 
who is reg vs unreg.



I already have set this up and what is happening is 802.1X is working fine and 
the user is authenticating, but it isn’t limiting the connection by MAC 
address. In other words, devices which are not in the database are allowed to 
connect if they provide valid user credentials. I can’t seem to restrict new 
“BYOD” devices.

Do any of you have experience or some insight that would help here?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


Regards

Fabrice




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users



Re: [PacketFence-users] Question about Aruba and MAC/802.1X Auth

2020-06-04 Thread Durand fabrice via PacketFence-users

Hello Louis,

My answer below.

On 20-06-04 at 21:53, Louis Scaringella via PacketFence-users wrote:

Hello,

Thank you for your time in helping.

I am working with a client and the goal is to build upon the current 802.1X 
PEAP environment they have with Windows NPS and expand this to use PacketFence 
and to limit BYOD by using MAC address authentication in conjunction with 
802.1X PEAP.

Ideally, I would like to use PacketFence to maintain this MAC address database 
and authenticate against Active Directory for user auth. The 802.1X PEAP side 
of things works well and I have had success multiple times in deploying this 
with Active Directory as the authenticate source just fine. MAC auth is the 
portion I'm struggling with getting to work properly.

The MAC addresses would be populated manually and imported into PacketFence by 
my client’s IT team.

Ideally, what the flow of authentication would be is to have the user attempt 
to connect to the wireless network. Their Aruba controller would be setup to 
handle both MAC auth and 802.1X and pass that to PacketFence via Radius. 
PacketFence would then check its database for the MAC address and if found 
move to 802.1X user auth. If the user authenticates to Active Directory 
successfully, the connection is allowed.


No, I don't think this is the correct approach.

What you can do is simple: if the IT team imports the MACs, then the list 
of MACs they import becomes "registered".


So what you can do, is to create a connection profile with:

Autoregister disabled

Recompute from portal enabled

Then create a VLAN filter like this:


node.status = unreg

scope = RegistrationRole

role = REJECT


So it means that even if your 802.1X authentication succeeds, if your 
device is not registered in PacketFence then the authentication is rejected.



I don’t want to use any concept of registered vs unregistered devices and don’t 
want self registration or captive portal of any kind. I just simply want to 
make sure the MAC address of the supplicant is a member of PacketFence’s 
database.


You will need the concept of registered vs unregistered, but the IT team 
decides who is reg vs unreg.




I already have set this up and what is happening is 802.1X is working fine and 
the user is authenticating, but it isn’t limiting the connection by MAC 
address. In other words, devices which are not in the database are allowed to 
connect if they provide valid user credentials. I can’t seem to restrict new 
“BYOD” devices.

Do any of you have experience or some insight that would help here?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Regards

Fabrice






Re: [PacketFence-users] Captive Portal Issues v10.0.1

2020-06-04 Thread Durand fabrice via PacketFence-users
If it's a layer 2 registration network, then the DNS will answer with the 
IP 192.0.2.1 (to fix the Samsung captive portal detection).


So check to see if the IP is on the lo interface (ip a); if it's the 
case, check to see if the haproxy-portal is listening on this IP (netstat 
-nlp | grep 443).


Also you can try to capture the traffic of the device and share the 
pcap (tshark -i ethx -f "ether host mac_address" -w /tmp/device.pcap).


Regards

Fabrice


On 20-06-04 at 13:07, Ryan Radschlag via PacketFence-users wrote:
We're having issues with the clients not getting redirected to the 
captive portal. From what I can find, all of the DNS requests return 
192.0.2.1 now. Is this supposed to work? Our clients sit idle and can't 
get to the portal even if we manually enter the DNS or IP address. 
Currently we're running in an out-of-band deployment. Any pointers on how 
to get this working?


Thanks!
-Ryan





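The two checks Fabrice lists in the reply above (the portal address present on lo, and haproxy-portal listening on 443) can be run against saved command output rather than by eye. The following is an added example, not code from the page, from PacketFence or from the thread's participants: it parses the output of `ip -o -4 addr` and `netstat -nlp` and reports which prerequisite is missing. The sample outputs are constructed for the example, and the process name `haproxy` standing for the haproxy-portal service is an assumption.

```python
import re

# From the page: the address PacketFence's DNS hands out on a layer 2 registration
# network, and the port the haproxy-portal service is expected to listen on.
PORTAL_IP = "192.0.2.1"
PORTAL_PORT = 443

# `ip -o -4 addr` prints one address per line: "<idx>: <ifname>    inet <addr>/<prefix> ..."
_IP_ADDR_RE = re.compile(r"^\d+:\s+(?P<ifname>\S+)\s+inet\s+(?P<addr>[\d.]+)/\d+")
# `netstat -nlp` prints: "tcp  0  0 <addr>:<port>  <foreign>  LISTEN  <pid>/<program>"
_NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>\S+)"
)


def interface_holding(ip_addr_output: str, wanted: str):
    """Return the interface that carries `wanted` according to `ip -o -4 addr` output, else None."""
    for line in ip_addr_output.splitlines():
        m = _IP_ADDR_RE.match(line.strip())
        if m and m.group("addr") == wanted:
            return m.group("ifname")
    return None


def listener_on(netstat_output: str, ip: str, port: int):
    """Return the program listening on ip:port (or on a wildcard address) per `netstat -nlp`, else None."""
    for line in netstat_output.splitlines():
        m = _NETSTAT_RE.match(line.strip())
        if m and int(m.group("port")) == port and m.group("addr") in (ip, "0.0.0.0", "::"):
            return m.group("prog")
    return None


def portal_findings(ip_addr_output: str, netstat_output: str, ip: str = PORTAL_IP, port: int = PORTAL_PORT):
    """Apply both checks from the reply; an empty list means the portal prerequisites are in place."""
    findings = []
    ifname = interface_holding(ip_addr_output, ip)
    if ifname is None:
        findings.append(f"{ip} is not configured on any interface (expected on lo)")
    elif ifname != "lo":
        findings.append(f"{ip} is configured on {ifname}, expected lo")
    if listener_on(netstat_output, ip, port) is None:
        findings.append(f"no process is listening on {ip}:{port} (expected haproxy-portal)")
    return findings


# Constructed sample outputs (not captured from a real host) for a healthy and a broken node.
# The process name "haproxy" for the haproxy-portal service is an assumption.
HEALTHY_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet 192.0.2.1/32 scope global lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""
HEALTHY_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.1:443           0.0.0.0:*               LISTEN      2231/haproxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
"""
BROKEN_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""
BROKEN_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
"""

if __name__ == "__main__":
    for label, ip_out, ns_out in (("healthy", HEALTHY_IP_ADDR, HEALTHY_NETSTAT),
                                  ("broken", BROKEN_IP_ADDR, BROKEN_NETSTAT)):
        print(label, portal_findings(ip_out, ns_out) or ["ok"])
```

On a live node the two strings would come from `ip -o -4 addr` and `netstat -nlp` (run as root so program names are shown); the capture step Fabrice mentions is what remains when both checks pass and clients still do not reach the portal.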


Re: [PacketFence-users] VLAN not dynamically assigned

2020-05-20 Thread Durand fabrice via PacketFence-users

Hello Joffrey,

first I think you need to upgrade the switch firmware to the latest 
version (they fix stuff about MAB/802.1X).


https://www.dell.com/support/home/en-ca/product-support/product/networking-n1500-series/drivers

Next you will need to patch PacketFence to have the latest dev changes to the 
Dell switches module. To do that, go into /usr/local/pf/ and then do:

curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/4968.diff | patch -p1 --dry-run

If there are no errors:

curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/4968.diff | patch -p1


Then restart PacketFence.

Also it looks like you didn't set the switch in production mode; fix 
that in the switch config (PF side).


Let me know if it helps.

Regards

Fabrice


On 20-05-20 at 13:23, Joffrey Bienvenue via PacketFence-users wrote:

sorry - Dell version is 6.6.0.13

On Wed, 20 May 2020 at 13:23, Joffrey Bienvenue <joff...@peerless-clothing.com> wrote:


Hello

Sorry for the output and sorry for the delay replying; we upgraded
to V10.1 after a reboot crashed our pf due to package updates.

Our switch is a Dell N2048 v.6.6.0.

raddebug fails to run

radmin: Failed connecting to /usr/local/pf/var/run/radiusd.log: No
such file or directory


packetfence.log upon authentication

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] handling radius autz request: from
switch_ip => (10.10.224.199), connection_type =>
Ethernet-EAP,switch_mac => (e4:f0:04:ff:b2:55), mac =>
[00:1d:72:e2:64:30], port => 3, username => "SAPACC\joffrey"
(pf::radius::authorize)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Instantiate profile 8021x
(pf::Connection::ProfileFactory::_from_profile)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Found authentication source(s) :
'PeerlessAD' for realm 'sapacc'
(pf::config::util::filter_authentication_sources)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Using sources PeerlessAD for matching
(pf::authentication::match2)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] LDAP testing connection (pf::LDAP::expire_if)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Matched rule (admin) in source PeerlessAD,
returning actions. (pf::Authentication::Source::match_rule)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Matched rule (admin) in source PeerlessAD,
returning actions. (pf::Authentication::Source::match)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) WARN:
[mac:00:1d:72:e2:64:30] Should perform access control on switch
(10.10.224.199) but the switch is not in production -> Returning
ACCEPT (pf::radius::authorize)

May 20 13:12:37 pf pfqueue: pfqueue(8791) INFO: [mac:unknown]
Already did a person lookup for SAPACC\joffrey
(pf::lookup::person::lookup_person)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] security_event 133 force-closed for
00:1d:72:e2:64:30 (pf::security_event::security_event_force_close)

May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Instantiate profile 8021x
(pf::Connection::ProfileFactory::_from_profile)



Thank you

Joffrey


On Thu, 7 May 2020 at 23:04, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Joffrey,

the output is a little bit messy.

What is the switch? (Dell?)

Can you run raddebug -f /usr/local/pf/var/run/radiusd.log -t 3000

Can you post the content of packetfence.log when you
authenticate ?

Regards

Fabrice



On 20-05-07 at 12:48, Joffrey Bienvenue via PacketFence-users wrote:

Hello

We are able to login through radius but our switch doesn't
seem to configure the vlan on the user port:
Auditing output from packetfence:

MAC Address: 00:1d:72:e2:64:30
Auth Status: Accept
Auth Status: eap
Auto Registration: 1
Calling Station Identifier: 00:1d:72:e2:64:30
Computer Name: joffreydebian
EAP Type: MSCHAPv2
Event Type: Radius-Access-Request
IP Address:
Is a Phone: 0
Node Status: reg
Domain: SAPACC
Profile: 8021x
Realm: sapacc
Reason:
Role: N/A
Source: PeerlessAD
Stripped User Name: joffrey
User

Re: [PacketFence-users] VLAN not dynamically assigned

2020-05-07 Thread Durand fabrice via PacketFence-users

Hello Joffrey,

the output is a little bit messy.

What is the switch? (Dell?)

Can you run raddebug -f /usr/local/pf/var/run/radiusd.log -t 3000

Can you post the content of packetfence.log when you authenticate ?

Regards

Fabrice



On 20-05-07 at 12:48, Joffrey Bienvenue via PacketFence-users wrote:

Hello

We are able to login through radius but our switch doesn't seem to 
configure the vlan on the user port:

Auditing output from packetfence:

MAC Address: 00:1d:72:e2:64:30
Auth Status: Accept
Auth Status: eap
Auto Registration: 1
Calling Station Identifier: 00:1d:72:e2:64:30
Computer Name: joffreydebian
EAP Type: MSCHAPv2
Event Type: Radius-Access-Request
IP Address:
Is a Phone: 0
Node Status: reg
Domain: SAPACC
Profile: 8021x
Realm: sapacc
Reason:
Role: N/A
Source: PeerlessAD
Stripped User Name: joffrey
User Name: SAPACC\joffrey
Unique Identifier:
Created at: 2020-05-07 12:37:43

PF VLAN config for switch:

registrationVlan=164
isolationVlan=165
voiceVlan=93
inlineVlan=233
mode=testing
EmployeeVlan=98
guestVlan=19
always_trigger=1
AdminVlan=5



Our switch config:

aaa authentication login "defaultList" local
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
aaa server radius dynamic-author

Our port config:

show running-config interface gigabitethernet 1/0/3

switchport mode general
switchport general allowed vlan add 5,19,98,164-165
authentication event fail action authorize vlan164
authentication order dot1x mab
authentication priority dot1x mab

Are we missing anything?
--
Joffrey Bienvenue |  CTO  |  Peerless Clothing Inc.  |  Boul. Pie 
IX Montréal, QC H1Z 4J5  |  514-723-7887





Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2020-04-22 Thread Durand fabrice via PacketFence-users

Hello Robert,

Can you paste the packetfence.log from when the device authenticates, and also 
paste the RADIUS filter.


Regards

Fabrice


On 20-04-22 at 15:58, Robert McNutt via PacketFence-users wrote:
I'm trying to set a radius filter to block mac auth for any devices 
assigned to roles that should only auth via PEAP or EAP-TLS...


For example, if a port has a phone and computer plugged in, the phone 
will do mac auth but the computer should never get a radius accept for 
mac auth... what's happening by default is if a computer fails dot1x 
auth it then falls back to mac auth and PF accepts it because the node 
was registered... this is what I'm trying to prevent...


I set up a radius filter as such:

connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")


It never matches... But if I change the logic to be NOT Ethernet-EAP, 
everything matches, EAP and not EAP... it seems as if the 
connection_type isn't actually being read by the filter parsing... Am 
I missing something?



Robert McNutt


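Two filters on this page express access policy as conditions over request attributes: the VLAN filter in the MAC-auth/BYOD reply above (node status unreg, scope RegistrationRole, role REJECT) and Robert's RADIUS filter quoted verbatim in this thread. The following is an added example, not code from the page, from PacketFence or from either poster: a small evaluator for conditions written in that style, run over constructed request contexts. It is not PacketFence's filter engine, and one assumption is labelled in the code: an attribute absent from the context evaluates to the empty string. Under that assumption a positive test such as `connection_type == "Ethernet-NoEAP"` never matches when the attribute is missing, while the negated form `connection_type != "Ethernet-EAP"` matches every request, which is the pattern Robert describes; the evaluator makes that visible so the policy can be tested before it is deployed.

```python
import re

# Tokens of the condition language used by the filters quoted on this page: dotted attribute
# names, double-quoted strings, ==, !=, &&, || and parentheses. Whitespace is skipped.
_TOKEN_RE = re.compile(r'\s*(?:(==|!=|&&|\|\||[()])|"([^"]*)"|([A-Za-z_][\w.]*))')


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            if text[pos:].strip():
                raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
            break
        op, string, ident = m.groups()
        tokens.append(("op", op) if op is not None else ("str", string) if string is not None else ("attr", ident))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: || binds loosest, then &&, then ==/!=, then parentheses and atoms."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, expected=None):
        tok = self.peek()
        if tok[0] is None or (expected is not None and tok != expected):
            raise ValueError(f"unexpected token {tok}, expected {expected}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing tokens from {self.peek()}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("op", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_cmp()
        while self.peek() == ("op", "&&"):
            self.take()
            node = ("and", node, self.parse_cmp())
        return node

    def parse_cmp(self):
        left = self.parse_atom()
        if self.peek() in (("op", "=="), ("op", "!=")):
            return (self.take()[1], left, self.parse_atom())
        return left

    def parse_atom(self):
        kind, value = self.peek()
        if (kind, value) == ("op", "("):
            self.take()
            node = self.parse_or()
            self.take(("op", ")"))
            return node
        if kind in ("str", "attr"):
            return self.take()  # ("str", text) and ("attr", path) double as leaf nodes
        raise ValueError(f"unexpected token {(kind, value)}")


def lookup(ctx, dotted):
    """Resolve node_info.status style paths. Assumption (not checked against PacketFence):
    an attribute absent from the request context evaluates to the empty string."""
    cur = ctx
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return "" if cur is None else str(cur)


def evaluate(node, ctx):
    kind, first, *rest = node
    if kind == "str":
        return first
    if kind == "attr":
        return lookup(ctx, first)
    left, right = evaluate(first, ctx), evaluate(rest[0], ctx)
    if kind == "==":
        return left == right
    if kind == "!=":
        return left != right
    return bool(left) and bool(right) if kind == "and" else bool(left) or bool(right)


def matches(condition, ctx):
    return bool(evaluate(Parser(tokenize(condition)).parse(), ctx))


# The two policies discussed on this page as (name, condition, role on match): the VLAN filter
# from the MAC-auth/BYOD reply (written here against node_info.status) and Robert's RADIUS filter.
FILTERS = [
    ("reject_unregistered", 'node_info.status == "unreg"', "REJECT"),
    ("no_mab_for_eap_only_roles",
     'connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")',
     "REJECT"),
]


def decide(filters, ctx):
    """First matching filter wins; otherwise the node keeps its own category (a simplification)."""
    for name, condition, role in filters:
        if matches(condition, ctx):
            return role, name
    return lookup(ctx, "node_info.category") or "default", None


# Constructed request contexts; no value here comes from a real deployment.
REQUESTS = {
    "byod_laptop_8021x": {"connection_type": "Ethernet-EAP", "node_info": {"status": "unreg", "category": "default"}},
    "corp_laptop_8021x": {"connection_type": "Ethernet-EAP", "node_info": {"status": "reg", "category": "CORP-LAN"}},
    "corp_laptop_mab": {"connection_type": "Ethernet-NoEAP", "node_info": {"status": "reg", "category": "CORP-LAN"}},
    "phone_mab": {"connection_type": "Ethernet-NoEAP", "node_info": {"status": "reg", "category": "VOICE"}},
    "corp_laptop_no_type": {"node_info": {"status": "reg", "category": "CORP-LAN"}},  # attribute missing
}
```

Running `decide(FILTERS, ctx)` over `REQUESTS` rejects the unregistered laptop even though its 802.1X succeeded, rejects the corporate laptop that fell back to MAB, lets the phone through on MAB, and, for the context with no `connection_type` at all, lets the corporate laptop through because the positive comparison cannot match an empty value.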


Re: [PacketFence-users] Debian 10 support?

2020-04-17 Thread Durand fabrice via PacketFence-users

Hello Sam,

It's on the roadmap, CentOS 8 too.

Regards

Fabrice

On 20-04-17 at 08:37, Sam via PacketFence-users wrote:

Hi

Now that PacketFence 10 was released, is Debian 10 going to be 
supported any time soon? I'm thinking about setting up PF for our 
company, and I'd prefer to use Debian 10 over 9.

--
Sam




Re: [PacketFence-users] POC Radius auth with Juniper switches

2020-04-16 Thread Durand fabrice via PacketFence-users
The difference between the EX2200 and EX2200_v15 is just for the CoA, so 
if one doesn't work then use the other one.


On 20-04-16 at 17:41, Kevin MacNeil via PacketFence-users wrote:
Most of our on-campus switches are EX4300's. I'm guessing for this we 
would use the Juniper::EX2200_v15 connection profile?



On 4/16/20 9:44 AM, Kevin MacNeil wrote:

Worked! Thank you!


Request Time
0
RADIUS Request
User-Name = "kevin"
NAS-IP-Address = 192.168.98.3
NAS-Port = 75
State = 0xc100021fc00818d1e459dce5efd24c20
Called-Station-Id = "00:23:9c:00:0c:c0"
Calling-Station-Id = "08:00:27:0a:b3:58"
NAS-Identifier = "labsw3"
NAS-Port-Type = Ethernet
Acct-Session-Id = "8O2.1x81ab01af000c6a7c"
Event-Timestamp = "Apr 16 2020 09:33:50 EDT"
EAP-Message = 0x020800061a03
NAS-Port-Id = "ge-0/0/9.0"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "kevin"
Realm = "null"
PacketFence-Domain = "TEST"
PacketFence-KeyBalanced = "f5cbc088283dd1e576c7c5d2c4f73cf5"
PacketFence-Radius-Ip = "192.168.13.41"
PacketFence-NTLMv2-Only = ""
User-Password = "**"
SQL-User-Name = "kevin"
RADIUS Reply
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = "kevin"


On 4/15/20 8:37 PM, Durand fabrice via PacketFence-users wrote:

Hello,

try to use Juniper::EX2200 switch module instead and let us know if it
works.

Regards

Fabrice

On 20-04-15 at 20:29, Kevin MacNeil via PacketFence-users wrote:

Hi,

Yes, the computer is joined to the same domain that packetfence is
joined to. I have tried logging in with both domain\user and just user
and both failed with the same "Network device does not support this
mode of operation" error.

I should note that my test Windows 10 system is a Virtualbox VM
running on a Ubuntu Linux host, but I accounted for this by raising
the mac-limit to 2 in the config below.

My guess is there is some compatibility issue with the Juniper::EX
template and EX4200 switches, or there is some obscure configuration
issue with my setup. I have tried to follow the documentation as best
as I could but I found it to be very terse given the number of
configuration options in the gui.


On 4/15/20 6:09 PM, Bill Handler via PacketFence-users wrote:

Kevin,

Is the machine domain joined?  I found that when I was logging in
with a domain machine via 802.1x, if I used the domain name in my
username either domain\user or u...@domain.com, it would fail. When I
just used the username it succeeded

Thanks,

Bill

Sent from my iPhone

On Apr 15, 2020, at 5:56 PM, Kevin MacNeil via PacketFence-users wrote:

I am working on a proof of concept for Packetfence for our
production Juniper environment of ~200 switches. I have EX4200's in
my test lab and have used the Juniper example
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_juniper
in the network device configuration guide. Otherwise I have followed
the installation guide. I was able to join to my local AD domain,
which I then added to the default and null realms. I configured a new
internal AD authentication source and the connection test works as
expected. I added the catchall rule per the instructions. I created a
new 802.1x connection profile as well per the instructions. I created
a new switch group using the Juniper::EX type. However after
configuring my Windows 10 test box I am getting the following error,
"Network device does not support this mode of operation."

FWIW I have tried both the 12.3 and 15.1 versions of JUNOS with the
same result. I'm guessing this is an easy problem but I'm not sure
what is wrong. Any and all help appreciated.


Request Time
0
RADIUS Request
User-Name = "test\\kevin"
NAS-IP-Address = 192.168.98.3
NAS-Port = 75
State = 0x4cc4fae04dcce0c184a03c0a51cb6cd7
Called-Station-Id = "00:23:9c:00:0c:c0"
Calling-Station-Id = "08:00:27:0a:b3:58"
NAS-Identifier = "labsw3"
NAS-Port-Type = Ethernet
Acct-Session-Id = "8O2.1x81ab013900042681"
Event-Timestamp = "Apr 15 2020 17:04:26 EDT"
EAP-Message = 0x020800061a03
NAS-Port-Id = "ge-0/0/9.0"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "kevin"
Realm = "default"
PacketFence-Domain = "TEST"
PacketFence-KeyBalanced = "4f50863fad315484ff895de9b971f63b"
PacketFence-Radius-Ip = "192.168.13.41"
PacketFence-NTLMv2-Only = ""
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest:
{\"control:PacketFence-Authorization-Status\":\"allow\",\"control:PacketFence-Switch-Id\":\"192.168.98.3\",\"control:PacketFence-Switch-Ip-Address\":\"192.168.98.3\",\"control:PacketFence-UserName\&q

Re: [PacketFence-users] just discovered packetfence

2020-04-15 Thread Durand fabrice via PacketFence-users

Hello David,

Yes, of course you can use PacketFence just for RADIUS and, by the way, disable 
some useless services.


Regards

Fabrice


On 20-04-15 at 19:26, David Bear via PacketFence-users wrote:
I have been impressed with the breadth of features. However, for our 
school, 802.1x auth is really overkill for us. However, we were 
intrigued with the possibility of using RADIUS Auth in packetfence in 
order to turn off our Microsoft NPS role on our servers. Does anyone 
use packetfence just for the radius option?


--



David Bear

IT Manager

Heritage Academy — an /A/rated school

p: 480-461-4410

w: www.hamesa.com e: 
db...@heritageacademyaz.com 


https://www.facebook.com/HeritageAcademyAZ/






Re: [PacketFence-users] POC Radius auth with Juniper switches

2020-04-15 Thread Durand fabrice via PacketFence-users

Hello,

try to use Juniper::EX2200 switch module instead and let us know if it 
works.


Regards

Fabrice

On 20-04-15 at 20:29, Kevin MacNeil via PacketFence-users wrote:

Hi,

Yes, the computer is joined to the same domain that packetfence is 
joined to. I have tried logging in with both domain\user and just user 
and both failed with the same "Network device does not support this 
mode of operation" error.


I should note that my test Windows 10 system is a Virtualbox VM 
running on a Ubuntu Linux host, but I accounted for this by raising 
the mac-limit to 2 in the config below.


My guess is there is some compatibility issue with the Juniper::EX 
template and EX4200 switches, or there is some obscure configuration 
issue with my setup. I have tried to follow the documentation as best 
as I could but I found it to be very terse given the number of 
configuration options in the gui.



On 4/15/20 6:09 PM, Bill Handler via PacketFence-users wrote:

Kevin,

Is the machine domain joined?  I found that when I was logging in 
with a domain machine via 802.1x, if I used the domain name in my 
username either domain\user or u...@domain.com, it would fail. When I 
just used the username it succeeded


Thanks,

Bill

Sent from my iPhone

On Apr 15, 2020, at 5:56 PM, Kevin MacNeil via PacketFence-users wrote:


I am working on a proof of concept for Packetfence for our 
production Juniper environment of ~200 switches. I have EX4200's in 
my test lab and have used the Juniper example 
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_juniper 
in the network device configuration guide. Otherwise I have followed 
the installation guide. I was able to join to my local AD domain, 
which I then added to the default and null realms. I configured a new 
internal AD authentication source and the connection test works as 
expected. I added the catchall rule per the instructions. I created a 
new 802.1x connection profile as well per the instructions. I created 
a new switch group using the Juniper::EX type. However after 
configuring my Windows 10 test box I am getting the following error, 
"Network device does not support this mode of operation."


FWIW I have tried both the 12.3 and 15.1 versions of JUNOS with the 
same result. I'm guessing this is an easy problem but I'm not sure 
what is wrong. Any and all help appreciated.



Request Time
0
RADIUS Request
User-Name = "test\\kevin"
NAS-IP-Address = 192.168.98.3
NAS-Port = 75
State = 0x4cc4fae04dcce0c184a03c0a51cb6cd7
Called-Station-Id = "00:23:9c:00:0c:c0"
Calling-Station-Id = "08:00:27:0a:b3:58"
NAS-Identifier = "labsw3"
NAS-Port-Type = Ethernet
Acct-Session-Id = "8O2.1x81ab013900042681"
Event-Timestamp = "Apr 15 2020 17:04:26 EDT"
EAP-Message = 0x020800061a03
NAS-Port-Id = "ge-0/0/9.0"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "kevin"
Realm = "default"
PacketFence-Domain = "TEST"
PacketFence-KeyBalanced = "4f50863fad315484ff895de9b971f63b"
PacketFence-Radius-Ip = "192.168.13.41"
PacketFence-NTLMv2-Only = ""
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: 
{\"control:PacketFence-Authorization-Status\":\"allow\",\"control:PacketFence-Switch-Id\":\"192.168.98.3\",\"control:PacketFence-Switch-Ip-Address\":\"192.168.98.3\",\"control:PacketFence-UserName\":\"testkevin\",\"control:PacketFence-Request-Time\":1586984666,\"control:PacketFence-Connection-Type\":\"Ethernet-EAP\",\"control:PacketFence-IfIndex\":75,\"control:PacketFence-Mac\":\"08:00:27:0a:b3:58\",\"Reply-Message\":\"Network 
device does not support this mode of 
operation\",\"control:PacketFence-Eap-Type\":26,\"control:PacketFence-Switch-Mac\":\"00:23:9c:00:0c:c0\"}"

User-Password = "**"
SQL-User-Name = "testkevin"
RADIUS Reply
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = "test\\kevin"


interfaces {
    interface-range access-ports {
        member-range ge-0/0/2 to ge-0/0/23;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
}

protocols {
    dot1x {
        authenticator {
            authentication-profile-name packetfence;
            interface {
                access-ports {
                    supplicant multiple;
                    mac-radius;
                }
            }
        }
    }
}

access {
    radius-server {
        192.168.13.41 {
            port 1812;
            secret "secret";
        }
    }

    profile packetfence {
        authentication-order radius;
        radius {
            authentication-server 192.168.13.41;
            accounting-server 192.168.13.41;
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
        }
    }
}

ethernet-switching-options {
    secure-access-port {
        interface access-ports {
 

Re: [PacketFence-users] Disable netdata alerts

2020-04-08 Thread Durand fabrice via PacketFence-users

Hello Cristian,

You can configure netdata as you want; the configuration files are in 
/usr/local/pf/conf/monitoring.

Once you've made the modification, you just need to restart netdata.

Regards

Fabrice


On 20-04-03 at 12:56, Cristian Mammoli via PacketFence-users wrote:
Hi everyone, is it possible to disable netdata email alerts? We 
already have a monitoring solution in place.


Thanks

C.




Re: [PacketFence-users] Problems with Radius local authentication

2020-03-25 Thread Durand fabrice via PacketFence-users

Hello Rizk,

I need to know whether you are trying to do 802.1X with local authentication 
or PAP.


Regards

Fabrice

On 20-03-24 at 06:28, Charbel Rizk wrote:

Hello,

Thank you for answering back, I was following the following section 
from the Packetfence document;


https://packetfence.org/doc/PacketFence_Installation_Guide.html#_advanced_radius_configuration 



I did every step requested but I couldn't achieve the result shown on 
the document


# radtest dd Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
  User-Name = "dd"
  User-Password = "Abcd1234"
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

I tried a fresh installation of Freeradius on CentOS and the results 
were successful.



Regards,


__
Charbel A. Rizk
IT Consultant



On Tuesday, March 24, 2020, 01:54:26 AM GMT+2, Durand fabrice wrote:



Hello Rizk,

sorry, I was not precise enough.

Are you trying to do 802.1X with local authentication or PAP?

If it's 802.1X then you need to use eapol_test to test, or create a 
secure SSID that uses PacketFence and try to authenticate.


Regards

Fabrice


On 20-03-23 at 14:01, Charbel Rizk wrote:
Here is the debug output

Received Access-Request Id 46 from 127.0.0.1:50551 to 127.0.0.1:18120 
length 74

(2)   User-Name = "test"
(2)   User-Password = "test"
(2)   NAS-IP-Address = 127.0.0.1
(2)   NAS-Port = 12
(2)   Message-Authenticator = 0x3f744ca66a43972dd3e9ea780d45bd34
(2) # Executing section authorize from file 
/etc/raddb/sites-enabled/inner-tunnel

(2)   authorize {
(2)     policy filter_username {
(2)       if () {
(2)       if ()  -> TRUE
(2)       if ()  {
(2)         if ( =~ / /) {
(2)         if ( =~ / /) -> FALSE
(2)         if ( =~ /@[^@]*@/ ) {
(2)         if ( =~ /@[^@]*@/ )  -> FALSE
(2)         if ( =~ /\.\./ ) {
(2)         if ( =~ /\.\./ )  -> FALSE
(2)         if (( =~ /@/) && ( !~ /@(.+)\.(.+)$/))  {
(2)         if (( =~ /@/) && ( !~ 
/@(.+)\.(.+)$/))   -> FALSE

(2)         if ( =~ /\.$/) {
(2)         if ( =~ /\.$/)  -> FALSE
(2)         if ( =~ /@\./) {
(2)         if ( =~ /@\./)  -> FALSE
(2)       } # if ()  = notfound
(2)     } # policy filter_username = notfound
(2)     [chap] = noop
(2)     [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2)     update control {
(2)        := LOCAL
(2)     } # update control = noop
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2)     [files] = noop
(2)     [expiration] = noop
(2)     [logintime] = noop
(2)     [pap] = noop
(2)   } # authorize = noop
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = 
Reject

(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> test
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated
(2)     update outer.session-state {
(2)       ERROR: Mapping ":Module-Failure-Message" -> 
"" invalid in this context

(2)     } # update outer.session-state = invalid
(2)   } # Post-Auth-Type REJECT = invalid
(2) Delaying response for 1.00 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 46 from 127.0.0.1:18120 to 127.0.0.1:50551 
length 20

Waking up in 3.9 seconds.
(2) Cleaning up request packet ID 46 with timestamp +127


Thank you and best regards,


__
Charbel A. Rizk
IT Consultant



On Monday, March 23, 2020, 07:04:59 PM GMT+2, Fabrice Durand via PacketFence-users wrote:



Hello Charbel,

127.0.0.1:18120 is not the packetfence virtual server.

Btw paste the raddebug when you try to connect.

Regards

Fabrice


On 20-03-23 at 12:36, Charbel Rizk via PacketFence-users wrote:
Hello,

I have a fresh installation of PacketFence. I'm trying to test local 
RADIUS authentication; I have followed all the steps of the 
installation guide's advanced RADIUS configuration section, but when I 
try to test local authentication I get the following output:


[root@localhost ~]# radtest test test 127.0.0.1:18120 12 testing123
Sent Access-Request Id 110 from 0.0.0.0:35103 to 127.0.0.1:18120 length 74
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
Sent Access-Request Id 110 from 0.0.0.0:35103 to 127.0.0.1:18120 length 74
/       
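The radtest runs quoted in this thread send an Access-Request carrying User-Name, an encrypted User-Password, NAS-IP-Address, NAS-Port and a Message-Authenticator, and the debug output shows the server side parsing exactly those attributes. The following is an added example, not code from the page, from radtest or from PacketFence: it builds such a packet from the values shown (User-Name `test`, password `test`, NAS-Port 12, the shared secret `testing123` passed to radtest on the page, Id 110), then parses it back, verifies the Message-Authenticator and decrypts the password. The password hiding follows RFC 2865 section 5.2 and the Message-Authenticator RFC 2869 section 5.14; the fixed Request Authenticator used in the usage note is constructed for reproducibility.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_user_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not blob or len(blob) % 16:
        raise ValueError("encrypted User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, pkt_id: int,
                         nas_ip: str = "127.0.0.1", nas_port: int = 12,
                         authenticator: bytes = b"") -> bytes:
    """Same attribute set radtest shows; Message-Authenticator is HMAC-MD5 (key = shared
    secret) over the whole packet with its own value set to 16 zero octets (RFC 2869 5.14)."""
    ra = authenticator or os.urandom(16)  # Request Authenticator: 16 random octets per request
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, ra))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
            + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body) + 18) + ra
    mac = hmac.new(secret, header + body + attr(MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return header + body + attr(MESSAGE_AUTHENTICATOR, mac)


def parse_packet(packet: bytes):
    """Return (code, id, request_authenticator, [(type, value), ...]); rejects inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, pkt_id, packet[4:20], attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the received Message-Authenticator zeroed; constant-time compare."""
    _, _, _, attrs = parse_packet(packet)
    received, rebuilt = None, packet[:20]
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            received, v = v, bytes(16)
        rebuilt += attr(t, v)
    if received is None or len(received) != 16:
        return False
    return hmac.compare_digest(hmac.new(secret, rebuilt, hashlib.md5).digest(), received)


def decode_access_request(packet: bytes, secret: bytes) -> dict:
    """Decode the attributes radtest prints, decrypting User-Password with the shared secret."""
    code, pkt_id, ra, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    out = {"Id": pkt_id}
    for t, v in attrs:
        if t == USER_NAME:
            out["User-Name"] = v.decode("utf-8", "replace")
        elif t == USER_PASSWORD:
            out["User-Password"] = decrypt_user_password(v, secret, ra).decode("utf-8", "replace")
        elif t == NAS_IP_ADDRESS:
            out["NAS-IP-Address"] = socket.inet_ntoa(v)
        elif t == NAS_PORT:
            out["NAS-Port"] = struct.unpack("!I", v)[0]
    return out


if __name__ == "__main__":
    secret = b"testing123"  # the shared secret radtest was given on the page
    pkt = build_access_request("test", "test", secret, 110)
    print(len(pkt), "octets", decode_access_request(pkt, secret), verify_message_authenticator(pkt, secret))
```

With these five attributes the packet is 74 octets long, the same length radtest reports above. A server that verifies the Message-Authenticator rejects a request whose secret or contents were altered in transit, which is the check that makes a shared-secret mismatch (as opposed to a virtual-server mismatch) show up as a failure rather than a silent misparse.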

Re: [PacketFence-users] Auth Google, Facabook, GitHub Dont Work HELP PLEASE

2020-03-25 Thread Durand fabrice via PacketFence-users

Hello Yevhen,

You need to have PacketFence able to reach the internet for OAuth sources.

Regards

Fabrice

On 20-03-24 at 14:10, Yevhen Shevchenko via PacketFence-users wrote:

Hello once more!
Guys, we configured all these sources correctly, but connecting doesn't 
work.
So maybe someone knows whether PacketFence needs routing? Because our 
PacketFence is without routing. Please answer, anybody...


--
Regards,
Yevhen Shevchenko

Engineer | TeamDev, Ltd.
Phone: +380 98 649-83-05
yevhen.shevche...@teamdev.com  | 
www.teamdev.com 





Re: [PacketFence-users] Problems with Radius local authentication

2020-03-23 Thread Durand fabrice via PacketFence-users

Hello Rizk,

sorry, I was not precise enough.

Are you trying to do 802.1X with local authentication or PAP?

If it's 802.1X then you need to use eapol_test to test, or create a secure 
SSID that uses PacketFence and try to authenticate.


Regards

Fabrice


On 20-03-23 at 14:01, Charbel Rizk wrote:

Here is the debug output

Received Access-Request Id 46 from 127.0.0.1:50551 to 127.0.0.1:18120 
length 74

(2)   User-Name = "test"
(2)   User-Password = "test"
(2)   NAS-IP-Address = 127.0.0.1
(2)   NAS-Port = 12
(2)   Message-Authenticator = 0x3f744ca66a43972dd3e9ea780d45bd34
(2) # Executing section authorize from file 
/etc/raddb/sites-enabled/inner-tunnel

(2)   authorize {
(2)     policy filter_username {
(2)       if () {
(2)       if ()  -> TRUE
(2)       if ()  {
(2)         if ( =~ / /) {
(2)         if ( =~ / /)  -> FALSE
(2)         if ( =~ /@[^@]*@/ ) {
(2)         if ( =~ /@[^@]*@/ )  -> FALSE
(2)         if ( =~ /\.\./ ) {
(2)         if ( =~ /\.\./ )  -> FALSE
(2)         if (( =~ /@/) && ( !~ /@(.+)\.(.+)$/))  {
(2)         if (( =~ /@/) && ( !~ 
/@(.+)\.(.+)$/))   -> FALSE

(2)         if ( =~ /\.$/)  {
(2)         if ( =~ /\.$/)   -> FALSE
(2)         if ( =~ /@\./)  {
(2)         if ( =~ /@\./)   -> FALSE
(2)       } # if ()  = notfound
(2)     } # policy filter_username = notfound
(2)     [chap] = noop
(2)     [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2)     update control {
(2)        := LOCAL
(2)     } # update control = noop
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2)     [files] = noop
(2)     [expiration] = noop
(2)     [logintime] = noop
(2)     [pap] = noop
(2)   } # authorize = noop
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = 
Reject

(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> test
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated
(2)     update outer.session-state {
(2)       ERROR: Mapping ":Module-Failure-Message" -> "" invalid in this context
(2)     } # update outer.session-state = invalid
(2)   } # Post-Auth-Type REJECT = invalid
(2) Delaying response for 1.00 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 46 from 127.0.0.1:18120 to 127.0.0.1:50551 length 20
Waking up in 3.9 seconds.
(2) Cleaning up request packet ID 46 with timestamp +127


Thank you and best regards,


__
Charbel A. Rizk
IT Consultant
YOU CAN TAKE an ACTION NOW, VISIT WWW.REFOREST-LEBANON.ORG



On Monday, March 23, 2020, 07:04:59 PM GMT+2, Fabrice Durand via 
PacketFence-users  wrote:



Hello Charbel,

127.0.0.1:18120 is not the PacketFence virtual server.

Btw paste the raddebug when you try to connect.

Regards

Fabrice


On 20-03-23 at 12:36, Charbel Rizk via PacketFence-users wrote:
Hello,

I have a fresh installation of PacketFence. I'm trying to test local 
RADIUS authentication; I have followed all the steps of the 
installation guide's advanced RADIUS configuration section, but when I 
try to test local authentication I get the following output:


[root@localhost ~]# radtest test test 127.0.0.1:18120 12 testing123
Sent Access-Request Id 110 from 0.0.0.0:35103 to 127.0.0.1:18120 length 74
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
Sent Access-Request Id 110 from 0.0.0.0:35103 to 127.0.0.1:18120 length 74
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
Sent Access-Request Id 110 from 0.0.0.0:35103 to 127.0.0.1:18120 length 74
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
(0) No reply from server for ID 110 socket 3


Please help.

Regards,

__
Charbel A. Rizk
IT Consultant
YOU CAN TAKE an ACTION NOW, VISIT WWW.REFOREST-LEBANON.ORG



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net  

https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca    ::  +1.514.447.4918 (x135) 
::www.inverse.ca  
Inverse inc. :: 
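The Access-Request that radtest sends in the quoted run, built and checked by hand as an added example (not code from this thread, PacketFence or FreeRADIUS): RFC 2865 User-Password obfuscation with the shared secret, the RFC 2869 Message-Authenticator, and the Response Authenticator check a client should run on the reply. It uses the thread's values (secret testing123, user test, password test, NAS port 12); the Access-Reject is constructed locally, so no server is contacted.

```python
"""Build and check a RADIUS PAP Access-Request like the one radtest sends above.

Added example for this thread, not code from the list posts, PacketFence or
FreeRADIUS. Uses the thread's values: shared secret "testing123", user "test",
password "test", NAS port 12. The Access-Reject reply is constructed locally.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def recover_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_password; what the server does before checking PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident, secret, username, password, nas_ip, nas_port,
                         authenticator=None) -> bytes:
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + authenticator
    # RFC 2869 3.2: Message-Authenticator = HMAC-MD5(secret, packet with the attribute zeroed).
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def iter_attributes(packet: bytes):
    """Yield (type, value offset, value); refuse truncated or overlapping attributes."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]


def parse_attributes(packet: bytes) -> dict:
    return {attr_type: value for attr_type, _, value in iter_attributes(packet)}


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """A request without a valid Message-Authenticator should not be trusted."""
    for attr_type, off, value in iter_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Only accept a reply whose authenticator binds it to our request and our secret."""
    if len(reply) < HEADER_LEN or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(reply[4:HEADER_LEN], expected)


if __name__ == "__main__":
    secret = b"testing123"
    req = build_access_request(110, secret, "test", "test", "127.0.0.1", 12)
    print("request length", len(req), "attribute types", sorted(parse_attributes(req)))  # 74, like radtest
    reject = build_reply(ACCESS_REJECT, req, secret)
    print("reject verifies:", verify_reply(reject, req, secret), "length", len(reject))  # True 20
```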

Re: [PacketFence-users] Cisco Dynamic PSK with WLC 2504 - registration works, PSK auth doesn't

2020-03-23 Thread Durand fabrice via PacketFence-users

Hello Tobias,


Can you check in the RADIUS audit log what PSK is sent by PacketFence?


Is it matching the one you set on the device?


Regards

Fabrice


On 20-03-23 at 18:10, Juraj Tobias via PacketFence-users wrote:
I'm looking to provide Dynamic PSK security in our production WLAN; 
I'd like users to register their device via the registration SSID, get 
their personal PSK there, and use that for connecting to the secure SSID.


I've configured PF 9.3 and our WLC 2504 according to the 
documentation, and the testing goes fine up until the point a personal 
PSK is generated for the test user. However, once trying to use it 
with the secure SSID, the test device (Android phone) says "incorrect 
password", which sounds like the WLC fails to authenticate the user 
against the PF server. There are no logs on either side (WLC, PF server) 
that would indicate where the problem is.


Now, the documentation mentions that an "expired certificate" might cause 
issues, but our certificate, despite being self-signed, is definitely 
not expired (as far as I know, "self-signed" and "expired" are two 
different things).

So now I'm emailing here for the first time, hoping to get some more advice.

thanks in advance!





Re: [PacketFence-users] Samsung Galaxy S10 PF 9.3 Captive Portal Detection

2020-03-20 Thread Durand fabrice via PacketFence-users

Hello Ian,

You can try the devel version to see if it fixes the issue.

echo 'deb http://inverse.ca/downloads/PacketFence/debian-devel stretch stretch' > /etc/apt/sources.list.d/packetfence.list


echo 'deb http://inverse.ca/downloads/PacketFence/debian stretch stretch' > /etc/apt/sources.list.d/packetfence.list


apt update

apt install packetfence


Regards

Fabrice

On 20-03-20 at 16:29, Ian MacDonald via PacketFence-users wrote:

Thanks,

I was actually just reviewing the commits; there are a bunch. I am 
hoping to just grab the one for the popup.


Our registration is on the same layer 2 network as the server's captive 
portal; so we either wait for PF10 on Debian or cherry-pick the pop-up stuff 
from the rest.


If you want to point us to the critical commits, please do, as we don't really 
know what Samsung changed, and it looks like a bunch of stuff was 
fixed and added in that change.


cheers,
Ian



On Fri, Mar 20, 2020 at 2:49 PM Fabrice Durand via PacketFence-users wrote:


Hello Ian,

it's a known issue with Samsung devices: the device
won't pop the portal if it is on the same layer 2 network.

It has been fixed in
https://github.com/inverse-inc/packetfence/pull/5086 and will be
part of the upcoming PacketFence v10.

Btw if the registration network is a layer 3 network then it
should work.

I don't know why Samsung did that ...

Regards

Fabrice


On 20-03-20 at 13:58, Ian MacDonald via PacketFence-users wrote:

Hi,

We noticed Samsung Devices on Android 10 are no longer being
redirected to our Packetfence portal on the registration network.

Up until now we have our portal configured with,
a)  Secure redirect ON
b)  WISPr redirection capabilities ON

We do not use the detection mechanism bypass.

When the devices connect to the registration VLAN, they simply
note "Connected without Internet" and never detect the portal and
redirect to the registration page.

Is anyone successfully capturing new Galaxy devices / Android 10,
and do they have any insights as to what mechanism we can use, or
DNS filters we can apply?

We are hoping to shortcut the next step of looking at the traffic
and trying to determine what/how to intercept.

We also seem to have good compatibility with many other existing
devices and platforms, so we are hesitant to start bypassing the
Captive Portal detection, which would likely stop a lot of other
platforms from working effectively.

We are using PF9.3
(9.3.0+20200113144930+108928498+0009+v9.3.0+stretch1) with
hostapd + CoA/Disconnect, Out of Band.

cheers,
Ian




-- 
Fabrice Durand

fdur...@inverse.ca    ::  +1.514.447.4918 (x135) 
::www.inverse.ca  
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)






Re: [PacketFence-users] authentication sources packetfence 9.3

2020-03-19 Thread Durand fabrice via PacketFence-users
If you enabled strip in RADIUS in the realm ANA, it means that PacketFence is 
doing an LDAP search with sAMAccountName=iran


So try that from the cli:

ldapsearch -x -h 10.10.10.70 -s sub -b "OU=Usuarios,OU=Tabajara Sede,DC=tabajara,DC=com,DC=br" -D "CN=packetfence,OU=PacketFence,OU=Servico,OU=Usuarios,OU=Tabajara Sede,DC=tabajara,DC=com,DC=br" -w whatyouarelookingfor -L "sAMAccountName=iran"


and see if it returns something.

Regards

Fabrice


On 20-03-19 at 14:42, Wagner Liegio wrote:

Good afternoon,

I made the suggested adjustments by activating strip in RADIUS and 
created a new realm, and the error persists. User authentication 
searching for the domain only works when manually registering the node in 
PacketFence. Therefore, the error still remains in the database 
when trying to auto-register.

Below is the database error log:

Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
INFO: [mac:d0:94:66:db:ae:77] handling radius autz request: from 
switch_ip => (10.95.10.1), connection_type => Ethernet-EAP,switch_mac 
=> (c8:0c:c8:f1:25:20), mac => [d0:94:66:db:ae:77], port => 78774, 
username => "ANA\iran" (pf::radius::authorize)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
INFO: [mac:d0:94:66:db:ae:77] Instantiate profile 802.1x 
(pf::Connection::ProfileFactory::_from_profile)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
INFO: [mac:d0:94:66:db:ae:77] Found authentication source(s) : 'Ana' 
for realm 'default' (pf::config::util::filter_authentication_sources)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
INFO: [mac:d0:94:66:db:ae:77] Using sources Ana for matching 
(pf::authentication::match2)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
INFO: [mac:d0:94:66:db:ae:77] LDAP testing connection 
(pf::LDAP::expire_if)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
WARN: [mac:d0:94:66:db:ae:77] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
WARN: [mac:d0:94:66:db:ae:77] No role specified or found for pid 
ANA\iran (MAC d0:94:66:db:ae:77); assume maximum number of registered 
nodes is reached (pf::node::is_max_reg_nodes_reached)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
ERROR: [mac:d0:94:66:db:ae:77] max nodes per pid met or exceeded - 
registration of d0:94:66:db:ae:77 to ANA\iran failed 
(pf::registration::setup_node_for_registration)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
ERROR: [mac:d0:94:66:db:ae:77] auto-registration of node failed max 
nodes per pid met or exceeded (pf::radius::authorize)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
ERROR: [mac:d0:94:66:db:ae:77] Database query failed with non 
retryable error: Cannot add or update a child row: a foreign key 
constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY 
(`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON 
DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( 
`autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, 
`category_id`, `computername`, `detect_date`, `device_class`, 
`device_manufacturer`, `device_score`, `device_type`, 
`device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, 
`dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, 
`last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, 
`regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, 
`unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `pid` 
= ?, `status` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 
2020-03-19 18:15:11, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 
NULL, -00-00 00:00:00, -00-00 00:00:00, -00-00 00:00:00, 
d0:94:66:db:ae:77, NULL, NULL, ANA\iran, -00-00 00:00:00, NULL, 
reg, 1, NULL, -00-00 00:00:00, NULL, no, yes, ANA\iran, reg, 1} 
(pf::dal::db_execute)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) 
ERROR: [mac:d0:94:66:db:ae:77] Cannot save d0:94:66:db:ae:77 error 
(500) (pf::radius::authorize)


On Wed., 18 Mar. 2020 at 21:34, Durand fabrice via 
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Try that:

pftest authentication ANA\pereira ""

and

pftest authentication pereira ""

to see if the user is found and if it match a rule.

If the second one works then in the ANA realm enable strip in radius.

Regards

Fabrice


On 20-03-18 at 20:13, Zacharry Williams via PacketFence-users
wrote:

Gonna take a wild guess here, in your realms config turn on strip
radius for null and yo

Re: [PacketFence-users] Juniper up/down with SSH - Failed with Login failed to remote host at /usr/local/pf/lib/pf/Switch/Juniper.pm line 135.

2020-03-18 Thread Durand fabrice via PacketFence-users

Hello Nicholas,

can you verify that, when you reevaluate the access of the device, PacketFence 
tries to do SSH? (with tcpdump, for example).


Also, it looks like there is a way to trace the connection:

https://github.com/inverse-inc/packetfence/blob/maintenance/9.3/lib/pf/Switch/Juniper.pm#L134

add that:

$session->input_log(*STDOUT);

and see if you obtain some useful output.

Regards

Fabrice


On 20-03-13 at 23:28, Nicholas Pier via PacketFence-users wrote:

Hello,

Does anyone know a cli, log or other troubleshooting resource for 
packetfence's internal SSH client?


  * Port 22 is open between the server and the switch.
  * From the server, I can SSH into the switch with the same
credentials I've provided packetfence in the UI.
  * I've also verified that the same SSH session is successful if I
'su' to become the 'pf' user.


I can SSH directly from my packetfence server to the target switch and 
have verified my credentials. However, when packetfence as user 'pf' 
attempts the login, it fails with the following error message without 
much detail.


Mar 14 00:19:52 packetfence packetfence: ERROR pfperl-api(23844): 
Unable to connect to 10.2.0.140 using SSH. Failed with Login failed to 
remote host at /usr/local/pf/lib/pf/Switch/Juniper.pm line 135.

 (pf::Switch::Juniper::setAdminStatus)

I'm running:
[root@packetfence ~]# rpm -q packetfence
packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64


*Nicholas P. Pier*
Network Architect
CCNP R, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10




Re: [PacketFence-users] PacketFence 9.3 Captive Portal for Guests

2020-03-18 Thread Durand fabrice via PacketFence-users

Hello Brant,

First, I think you need to remove:

Role by switch – default=”Authorized devices”, guest=”COMPANY_GUEST”

Role by Web Auth – registration=http://10.10.181.250/Meraki::MR_v2, 
guest=”COMPANY_GUEST”


You are doing VLAN enforcement and not web auth.

Once done, connect your device to the SSID and in the admin GUI hit 
reevaluate access (at the same time, run a capture: tshark -i mgmt_int -f 
"port 1700 or port 3799" -w /tmp/deauth.pcap)


We will see what happens.

Regards

Fabrice


On 20-03-18 at 20:33, Nicholas Pier via PacketFence-users wrote:

Hi Brandt,

From the log message, it almost sounds to me like Packetfence doesn't 
know the MAC of the device it's trying to move to the guest VLAN. I'm 
referring to this:

"Unable to extract audit-session-id"

Maybe something isn't getting passed with WebAuth that would normally 
be passed with Radius or the internal reg portal?


Have you tried only doing the vlan by role configuration in the 
network device configuration guide?


*Nicholas P. Pier*
Network Architect
CCNP R, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10


On Tue, Mar 17, 2020 at 11:21 AM Brandt Winchell 
<brandt.winch...@thinkon.com> wrote:


Hi Nicholas,

For the PF and port number:

  * I have tried AP=ISE & PF switch config with either and both
port options to be 1700
  * I have also tried AP=No splash with either and both port
options to be 3799

Depending on the combination, I get the same results as described
or I do not get the initial redirection to the captive portal.

This is where my “noobness” comes out with PF.
In the PF switch identifier:

  * I have Role by VLAN to allow 802.1x for internal users.  There
is a connection profile that basically says if 802.1x and AD
auth puts them as part of AD group “X”, then allow them on and
assign the appropriate VLAN.  This seems to work fine for both
wireless clients using 802.1x and connected to SSID=Internal.
  * I also have Role by Switch and Role by Web Auth based on the
PacketFence based on the FP network device guide.

Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] PID: "POTD_GUEST",
Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)

Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] (10.0.1.251) Added
VLAN XXX_GUEST to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)

Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(14843) INFO: [mac:4c:34:88:c7:8c:24] External portal
enforcement either not supported '1' or not configured 'N' on
network equipment '10.0.1.251' (pf::Switch::externalPortalEnforcement)

Mar 17 14:47:02 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(14843) WARN: [mac:4c:34:88:c7:8c:24] Unable to extract
audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based
VLAN assignments won't work. Make sure you enable Vendor Specific
Attributes (VSA) on the AP if you want them to work.
(pf::Switch::getCiscoAvPairAttribute)

*From:* Nicholas Pier <09np...@gmail.com >
*Sent:* Tuesday, March 17, 2020 10:24 AM
*To:* Brandt Winchell <brandt.winch...@thinkon.com>
*Cc:* packetfence-users@lists.sourceforge.net

*Subject:* Re: [PacketFence-users] PacketFence 9.3 Captive Portal
for Guests

I think you can rule out an issue with the role mapping or your
connection profile since PF seems to be getting the correct role
and VLAN:

(10.10.80.251) Added VLAN XXX_GUEST to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)

(10.10.80.251) Added role 255 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)

Packetfence does default to 3799, but ISE defaults to 1700. In one
screenshot for WebAuth in the Network Device Conf Guide, it looks
like PF wants the device configured to think PF is an ISE system.
So, it makes sense to match that with 1700.

I definitely agree that something is wrong with the process of
de-authenticating and changing the auth of a node. Can you confirm
- are you using the WebAuth (6.17.1) or VLAN-based role mappings
(6.17.2) ?

*Nicholas P. Pier*
Network Architect
CCNP R, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10

On Tue, Mar 17, 2020 at 10:05 AM Brandt Winchell
<brandt.winch...@thinkon.com> wrote:

Hi Nicholas,

I did see that.  The document was unclear if this needs to be
the disconnect port and/or the CoA port.  According to the
Cisco docs, ISE uses 1700 but PacketFence uses 3799


Re: [PacketFence-users] Packetfence rejects requests from pfSense openVPN

2020-03-18 Thread Durand fabrice via PacketFence-users

Try with the Catalyst_2960 switch module instead of the generic one

On 20-03-18 at 20:23, Zacharry Williams via PacketFence-users wrote:
Not sure if it's supported as it's not in the device config guide. But 
that doesn't mean it's not possible. I think you'd have to make a 
different connection profile though.


On Wed, Mar 18, 2020, 11:39 AM Christian Hillebrand via 
PacketFence-users wrote:


Hi,

At the moment I am testing the user authorization of requests
coming from my openVPN server which is part of my pfSense machine.

I added the pfSense machine as a “Generic” Switch and enabled CLI
Access.

However when I am testing the access, I am rejected with the
following log output:

Mar 18 17:27:09 localhost packetfence_httpd.aaa: httpd.aaa(1667)
INFO: [mac:10:25:51:14:10:10] handling radius autz request: from
switch_ip => (10.0.1.1), connection_type => CLI-Access,switch_mac
=> (00:1b:21:bc:e2:14), mac => [10:25:51:14:10:10], port => 41010,
username => "" (pf::radius::authorize)
Mar 18 17:27:09 localhost packetfence_httpd.aaa: httpd.aaa(1667)
WARN: [mac:10:25:51:14:10:10] (10.0.1.1) Sending REJECT since
switch is unsupported (pf::radius::_switchUnsupportedReply)

Setup:

pfSense is configured to use packetfence as a radius
authentication server.

I configured packetfence to work as a radius server providing
access to my unifi based network. To achieve this I configured an
AD as my authentication source. In the authentication source I
added three accept rules, each handling users of one of my three
“access groups”.

However if it is possible I want to achieve, that only the users
of the first group are accepted when they request VPN access.

Each of the access groups is getting access to my (internal)
network on a different VLAN, which is assigned by packetfence via
a role.

So I have two questions:

Is the setup which I described even possible?

Is pfSense not supported? Or did I mess up the config?






Re: [PacketFence-users] authentication sources packetfence 9.3

2020-03-18 Thread Durand fabrice via PacketFence-users

Try that:

pftest authentication ANA\pereira ""

and

pftest authentication pereira ""

to see if the user is found and if it matches a rule.

If the second one works then in the ANA realm enable strip in radius.

Regards

Fabrice


On 20-03-18 at 20:13, Zacharry Williams via PacketFence-users wrote:
Gonna take a wild guess here: in your realms config turn on strip 
radius for null and your domain, and try logging on with just your 
username and password. I'm guessing your realms config isn't matching. 
For us we had three domains and we had to add them all. For example 
COMPANY.ORG, COMPANY.LAN, COMPANY.COM.


On Wed, Mar 18, 2020, 12:43 PM Wagner Liegio via PacketFence-users 
wrote:


Good afternoon,

Follow the requested files attached.

On Tue., 17 Mar. 2020 at 14:16, Ludovic Zammit
<lzam...@inverse.ca> wrote:

Hello,

Could you post the result of those two commands:

cat /usr/local/pf/conf/authentication.conf

cat /usr/local/pf/conf/profiles.conf

Remove your information.

Thanks,

Ludovic Zammit
lzam...@inverse.ca    ::  +1.514.447.4918 (x145) 
::www.inverse.ca  
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and 
PacketFence (http://packetfence.org)






On Mar 17, 2020, at 9:42 AM, Wagner Liegio via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Good Morning,

The rules and functions are standard on the ZEN PacketFence 9.3
that I downloaded from the site. I will send some images of
how the configuration looks in the web GUI; I noticed
everything is correct. What is happening is that the function
and the rule are not being applied for some reason that I
don't know.









On Tue., 17 Mar. 2020 at 00:04, Zacharry Williams via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Check and make sure your realms are defined also.

On Mon, Mar 16, 2020, 4:58 PM Brandt Winchell via
PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

Hello,

I know when I ran into this issue, it had to do with
the authorization source for AD.  In the source, I
had an authentication rule that matched the
sAMAccountName is member of “group name”.  The group
name must be the AD DN (distinguished name) of the
group.  CN=%security group you want%,OU=%OU the
object resides in%,DC=%your domain%,DC=%domain suffix%

*From:* Wagner Liegio via PacketFence-users
<packetfence-users@lists.sourceforge.net>
*Sent:* Monday, March 16, 2020 1:08 PM
*To:* packetfence-users@lists.sourceforge.net

*Cc:* Wagner Liegio <wagner.lie...@gmail.com>
*Subject:* [PacketFence-users] authentication sources
packetfence 9.3

Good afternoon, I'm facing the same problem only in
version 9.3. I have done everything I can think of,
reconfigured the domain, the connection profile,
checked the rules and functions. The error follows:
No role specified or found for pid ANA\pereira (MAC d0:94:66:db:ee:7d); assumes maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR: [mac:d0:94:66:db:ee:7d] max nodes per pid met or exceeded - registration of d0:94:66:db:ae:7d to ANA\pereira failed (pf::registration::setup_node_for_registration)
plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR: [mac:d0:94:66:db:ee:7d] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR: [mac:d0:94:66:db:ee:7d] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (pf.node, CONSTRAINT 0_57 FOREIGN KEY (tenant_id, pid) REFERENCES person (tenant_id, pid) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO node (autoreg, bandwidth_balance, bypass_role_id,

Re: [PacketFence-users] Captive Portal Issues

2020-03-12 Thread Durand fabrice via PacketFence-users
In this case, is it a webauth setup? 
(https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_webauth)


If it's the case, the portal URL must be https://PACKETFENCESERVER/Aruba

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/web/constants.pm#L105


On 20-03-12 at 14:31, Zacharry Williams via PacketFence-users wrote:
The bluedogrv SSID issues have been pretty much solved. I just did 
some tweaking to the bindings and connection profile, and people had 
to forget the network as the certificate changes made a few devices 
freak out. Little issues here and there but nothing major. It's really 
the captive portal that's holding me up. Details are in the last mail 
message.


On Wed, Mar 11, 2020 at 6:06 PM Durand fabrice via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:


Do you have the logs related to this radius request ?
(packetfence.log)

It looks to me like you are doing 802.1x + web auth.

For the ssid BlueDogRV, just configure it like

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_all_aruba_os
(Secure SSID and not like WebAuth).

Once done, connect to the SSID BlueDogRV; you are supposed to see:


Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] handling radius autz request: from
switch_ip => (192.168.100.216), connection_type =>
Wireless-802.11-EAP,switch_mac => (c8:b5:ad:ce:43:7c), mac =>
[00:24:d7:90:be:84], port => 0, username => "host/ tacos
-016.BluedogRV.lan", ssid => "BlueDogRV" (pf::radius::authorize)

If it's the case then change the filter of your connection profile
to use SSID = BlueDogRV and add the source you want to use for
machine auth.

Let me know if it's ok.

Regards

Fabrice


On 20-03-11 at 17:12, Zacharry Williams via PacketFence-users
wrote:

User-Name = "host/ta-00614.BluedogRV.lan"
NAS-IP-Address = 192.168.100.217
NAS-Port = 0
Service-Type = Framed-User
Framed-MTU = 1100
State = 0x2880f3b42988e97dfdf00d5089857e6a
Called-Station-Id = "f0:5c:19:c2:13:96"
Calling-Station-Id = "9c:30:5b:1c:06:4b"
NAS-Identifier = "Aruba_Wireless"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Mar 11 2020 08:58:36 PDT"
EAP-Message = 0x020800061a03
Aruba-Essid-Name = "BlueDogRV"
Aruba-Location-Id = "ID-PF-SLS"
Aruba-AP-Group = "PostFalls"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Realm = "BluedogRV.lan"
Called-Station-SSID = "BlueDogRV"
PacketFence-Domain = "Bluedogrv"
PacketFence-KeyBalanced = "f20536da90cb9e178c302675355f1678"
PacketFence-Radius-Ip = "192.168.100.211"
PacketFence-NTLMv2-Only = ""
User-Password = "**"
SQL-User-Name = "host/ta-00614.BluedogRV.lan"

It's there as Aruba-Essid-Name, which I'm guessing isn't being
accepted.
Either way I deleted the switch and put it back in, which seems
to have alleviated the majority of the issues.

As for the captive portal, I'm thinking it is in the same boat as
the Aerohive stuff, maybe? Where the URL isn't being parsed
correctly or something?

On Wed, Mar 11, 2020 at 10:45 AM Fabrice Durand via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Ok so first there is no ssid sent in the radius request so
you can't use a filter based on the ssid.

So what you can do (I removed the ssid):


[Wireless_EAP]
filter_match_style=all
description=Wireless_EAP
sources=tacos-MachineAuth
filter=connection_type:Wireless-802.11-EAP
autoregister=enabled
redirecturl=https://www.tacos.com
logo=/common/Logo-horz.png

So when you connect you will see "Instantiate profile
Wireless_EAP" and "Found authentication source(s) :
'tacos-MachineAuth' for realm ' tacos.lan'".

Next you need to be sure that tacos-MachineAuth returns a role.

Test that and let me know.

Regards

Fabrice

On 20-03-11 at 12:07, Zacharry Williams via
PacketFence-users wrote:

Okay so this is the one from today. It gets matched to the
Ethernet profile and denied.


Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
INFO: [mac:00:24:d7:90:be:84] handling radius autz request:
from switch_ip => (192.168.100.216), connection_type =>
Wireless-802.11-EAP,switch_mac => (c8:b5:ad:ce:43:7c), mac
=> [00:24:d7:90:be:84], port => 0, username => "host/ tacos
-016.BluedogRV.lan" (pf::radius::authorize)
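To see why a wireless MS-CHAPv2 request can land in the wired profile, and why the SSID-less Wireless_EAP profile suggested above catches it instead, here is an added simulation of PacketFence's profile-filter logic. It is illustrative code written for this page, not PacketFence's own implementation: it assumes profiles are tried in file order, that a filter is a comma-separated list of key:value pairs, and that a missing filter_match_style means "any" (one matching pair is enough). The profile and source names (Ethernet802.1x, Wireless_BYOD, BDRVDC1, tacos-MachineAuth, tacos-BYOD) are taken from the thread; the profiles.conf text and the requests are constructed.

```python
"""Simulate PacketFence connection-profile selection (illustrative, not
PacketFence code). Assumes profiles are tried in file order and that a
missing filter_match_style means "any": one matching key:value pair suffices."""
import configparser

# Constructed profiles.conf modelled on the one posted in the thread.
# Ethernet802.1x has no filter_match_style, so a single matching pair
# (here connection_sub_type) is enough for it to win.
AS_POSTED = """
[Ethernet802.1x]
filter=connection_type:Ethernet-EAP,connection_sub_type:MS-CHAP-V2
sources=BDRVDC1
autoregister=enabled

[Wireless_BYOD]
filter_match_style=all
filter=connection_type:Wireless-802.11-EAP,ssid:tacos-BYOD
sources=BDRVDC1
autoregister=enabled
"""

# Corrected version: "all" on the wired profile, plus the SSID-less
# Wireless_EAP profile suggested in the thread, placed after Wireless_BYOD
# so the more specific SSID filter is tried first.
CORRECTED = AS_POSTED.replace(
    "[Ethernet802.1x]\n", "[Ethernet802.1x]\nfilter_match_style=all\n"
) + """
[Wireless_EAP]
filter_match_style=all
filter=connection_type:Wireless-802.11-EAP
sources=tacos-MachineAuth
autoregister=enabled
"""

def load_profiles(text):
    """Parse profiles.conf text into an ordered list of profile dicts."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    profiles = []
    for name in cp.sections():
        sec = cp[name]
        pairs = []
        for item in sec.get("filter", "").split(","):
            if ":" in item:
                key, value = item.strip().split(":", 1)
                pairs.append((key, value))
        profiles.append({
            "name": name,
            "filters": pairs,
            "match_style": sec.get("filter_match_style", "any"),
            "sources": [s.strip() for s in sec.get("sources", "").split(",") if s.strip()],
            "autoregister": sec.get("autoregister", "disabled") == "enabled",
        })
    return profiles

def profile_matches(profile, request):
    """Apply one profile's filter to a request (dict of attribute -> value)."""
    if not profile["filters"]:
        return False
    hits = [request.get(key) == value for key, value in profile["filters"]]
    return all(hits) if profile["match_style"] == "all" else any(hits)

def select_profile(profiles, request):
    """Name of the first profile whose filter matches, else 'default'."""
    for profile in profiles:
        if profile_matches(profile, request):
            return profile["name"]
    return "default"

def diagnose(profiles, request):
    """Return (profile name, warnings) explaining why a request may misbehave."""
    name = select_profile(profiles, request)
    warnings = []
    if name == "default":
        warnings.append("no filter matched: default profile and default portal apply")
    else:
        profile = next(p for p in profiles if p["name"] == name)
        if profile["autoregister"] and not profile["sources"]:
            warnings.append("autoregister enabled but no sources: no role can be computed")
    return name, warnings

# Constructed requests reduced to the attributes the filters inspect. The
# second one mirrors the Aruba request in the thread that carried no SSID.
WIRELESS_BYOD = {"connection_type": "Wireless-802.11-EAP",
                 "connection_sub_type": "MS-CHAP-V2", "ssid": "tacos-BYOD"}
WIRELESS_NO_SSID = {"connection_type": "Wireless-802.11-EAP",
                    "connection_sub_type": "MS-CHAP-V2"}
WIRED = {"connection_type": "Ethernet-EAP", "connection_sub_type": "MS-CHAP-V2"}

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        profiles = load_profiles(conf)
        for req in (WIRELESS_BYOD, WIRELESS_NO_SSID, WIRED):
            print(label, sorted(req.items()), "->", diagnose(profiles, req))
```

With the as-posted configuration every MS-CHAPv2 request, wired or wireless, selects Ethernet802.1x because only one pair has to match; with filter_match_style=all on that profile the BYOD request reaches Wireless_BYOD and the SSID-less request falls through to Wireless_EAP instead of the default profile.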
  

Re: [PacketFence-users] Captive Portal Issues

2020-03-11 Thread Durand fabrice via PacketFence-users
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[Ethernet802.1x]
filter=connection_type:Ethernet-EAP,connection_sub_type:MS-CHAP-V2
sources=BDRVDC1
unreg_on_acct_stop=enabled
autoregister=enabled

[Wireless_BYOD]
filter_match_style=all
description=Wireless_EAP
sources=BDRVDC1
filter=connection_type:Wireless-802.11-EAP,ssid:tacos-BYOD
autoregister=enabled
logo=/common/Logo-horz.png
redirecturl=https://www.tacos.com
#
# Copyright (C) 2005-2019 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html

On Wed, Mar 11, 2020 at 8:48 AM Zacharry Williams
<zachar...@gmail.com> wrote:

Yep I'm scrubbing them now. It's also matching clients
connecting on wireless-eap to wired-eap

On Tue, Mar 10, 2020, 4:53 PM Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello,

can you provide the packetfence.log file and the
profiles.conf file ?

Regards

Fabrice


On 20-03-10 at 15:19, Zacharry Williams via
PacketFence-users wrote:

Hey all,

Randomly it matched the correct connection profile, one
time. Is this like a 9.3 bug where connection profiles
aren't being matched?

On Mon, Mar 9, 2020 at 3:06 PM Zacharry Williams
<zachar...@gmail.com> wrote:

Hey all,

I've been working on setting up a guest LAN and a
BYOD LAN for a few days now. When I use a PSK or AD
Authentication it works fine, but the captive portal
isn't working like I think it should be.
I revisited the guide a few times to check and I
don't think I'm missing any settings. I customized a
captive portal with a logo and an acceptable use
policy but every time I get the captive portal, I
don't get the portal I customized but instead get
the default one. It's like the default connection
profile is matched first. I set the httpd.aaa.conf
logging to debug but nothing shows up as to why it's
picking that connection profile in packetfence.log.
I'm using Aruba Instants, and managing them through
Aruba Central.

Where are the logs to read into why it's picking
that portal?



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users






-- 
Fabrice Durand

fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)






Re: [PacketFence-users] Captive Portal Issues

2020-03-10 Thread Durand fabrice via PacketFence-users

Hello,

can you provide the packetfence.log file and the profiles.conf file ?

Regards

Fabrice


On 20-03-10 at 15:19, Zacharry Williams via PacketFence-users wrote:

Hey all,

Randomly it matched the correct connection profile, one time. Is this 
like a 9.3 bug where connection profiles aren't being matched?


On Mon, Mar 9, 2020 at 3:06 PM Zacharry Williams wrote:


Hey all,

I've been working on setting up a guest LAN and a BYOD LAN for a
few days now. When I use a PSK or AD Authentication it works fine,
but the captive portal isn't working like I think it should be.
I revisited the guide a few times to check and I don't think I'm
missing any settings. I customized a captive portal with a logo
and an acceptable use policy but every time I get the captive
portal, I don't get the portal I customized but instead get the
default one. It's like the default connection profile is matched
first. I set the httpd.aaa.conf logging to debug but nothing shows
up as to why it's picking that connection profile in
packetfence.log. I'm using Aruba Instants, and managing them
through Aruba Central.

Where are the logs to read into why it's picking that portal?





Re: [PacketFence-users] Email2SMS subject

2020-02-17 Thread Durand fabrice via PacketFence-users

Hello Asif,


do you mean the email the user receives? (if so, check in 
/usr/local/pf/html/captive-portal/templates/emails/)


Regards

Fabrice


On 20-02-17 at 07:49, Asif Abbas - AJLN via PacketFence-users wrote:


Dear,

I just need to know where I can change the Email2SMS subject.

The current subject is "Network Activation" but I want to change this as 
we require.


Kindly help me out or forward this to the concerned person.

Best Regards,

S.M. Asif Abbas,

Infrastructure Specialist |IT Department.

Advance Educational Company | Riyadh.

+966552916158 | +966118296099

aab...@ajialuna.edu.sa



Disclaimer: This message and its attachment, if any, are confidential 
and may contain legally privileged information. If you are not the 
intended recipient, please contact the sender immediately and delete 
this message and its attachment, if any, from your system. You should 
not copy this message or disclose its contents to any other person or 
use it for any purpose that may hold you liable. Statements and 
opinions expressed in this email are those of the sender, and do not 
necessarily reflect those of The Advanced Educational Co. (ADEC). ADEC 
accepts no liability for damage whatsoever caused by any virus 
transmitted by this email.






Re: [PacketFence-users] PF 9.3.0 and connection profiles and recomputing of roles - not working

2020-02-17 Thread Durand fabrice via PacketFence-users
tion source(s) : '' for realm 'springfieldcollege.edu' (pf::config::util::filter_authentication_sources)
Feb 10 13:15:08 fennec packetfence_httpd.aaa: httpd.aaa(15955) WARN: [mac:a4:e9:75:4e:95:5d] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 10 13:15:08 fennec packetfence_httpd.aaa: httpd.aaa(15955) WARN: [mac:a4:e9:75:4e:95:5d] Switch type 'pf::Switch::Generic' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Feb 10 13:15:08 fennec packetfence_httpd.aaa: httpd.aaa(15955) INFO: [mac:a4:e9:75:4e:95:5d] Found authentication source(s) : '' for realm 'springfieldcollege.edu' (pf::config::util::filter_authentication_sources)

PacketFence instantiates the profile
non-sc-eduroam-users but is not able to find
any sources to compute the rules.

My assumption is that you enabled auto
registration on the connection profile but you
didn't define any sources.

So edit the connection profile and assign an
authentication source on it (you probably have
an AD one).

Regards

Fabrice


On 20-02-10 at 14:34, Nadim El-Khoury wrote:

Hi Fabrice,

Please find attached the packetfence.log file.
The username is nel-kho...@springfieldcollege.edu

Best,

Nadim

On Fri, Feb 7, 2020 at 10:09 PM Durand fabrice
via PacketFence-users <packetfence-users@lists.sourceforge.net>
wrote:

Hello Nadim

On 20-02-05 at 02:19, Nadim El-Khoury via
PacketFence-users wrote:

Hi Everyone,

It does not look like PF 9.3.0 is
able to assign the right connection
profile once a user is authenticated.

Question 1) Why is the right connection
profile not being picked up based on the
created filter?

probably a wrong filter

Question 2) Can the default connection
profile be disabled?

no

Question 3) Why is the system not
entering the right owner for the
registered device after successful
authentication?

No profile, so no source, so no user.

Question 4) Why is the connection profile
set to N/A when it does not properly
match a profile?

Because PacketFence is not able to compute
the connection profile.


When running /usr/local/pf/bin/pftest
authentication username "",
the command returns the right AD group
the user is part of.

Recomputing of roles does not seem to be
working if a device is successfully
registered with another user or owner.
So, if a new user uses the same device
the role is not recomputed and the new
user using the same old registered device
ends up with the same previous role as
the previous user.

Question 1) How can we change the above
behavior?


Share your packetfence.log file when the
device connects and we will have the answer.

Regards

Fabrice



Your help is very much appreciated.

Best,

Nadim



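The diagnosis in this thread comes from reading three log lines together: the profile that was instantiated, an empty source list for the realm, and the "No category computed for autoreg" warning. Below is an added triage script (written for this page, not part of PacketFence) that correlates such lines per MAC and reports the profiles that have no authentication source. The log lines are constructed and modelled on the ones quoted above: the MACs and the realm example.edu are made up, and the "Instantiate profile ..." line is assumed to carry no trailing function name, which is why the parser treats that suffix as optional.

```python
"""Triage packetfence.log lines for the 'profile matched but no source'
failure. Added example, not PacketFence code; the log format below is
modelled on the lines quoted in the thread."""
import re
from collections import defaultdict

# Constructed sample log (MACs and realm are made up; "fennec" is the
# hostname seen in the thread). Assumption: the "Instantiate profile" line
# has no "(pf::...)" suffix, so the parser does not require one.
SAMPLE_LOG = """\
Feb 10 13:15:08 fennec packetfence_httpd.aaa: httpd.aaa(15955) INFO: [mac:02:00:00:00:00:01] Instantiate profile non-sc-eduroam-users
Feb 10 13:15:08 fennec packetfence_httpd.aaa: httpd.aaa(15955) INFO: [mac:02:00:00:00:00:01] Found authentication source(s) : '' for realm 'example.edu' (pf::config::util::filter_authentication_sources)
Feb 10 13:15:08 fennec packetfence_httpd.aaa: httpd.aaa(15955) WARN: [mac:02:00:00:00:00:01] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 10 13:16:02 fennec packetfence_httpd.aaa: httpd.aaa(15956) INFO: [mac:02:00:00:00:00:02] Instantiate profile Wireless_EAP
Feb 10 13:16:02 fennec packetfence_httpd.aaa: httpd.aaa(15956) INFO: [mac:02:00:00:00:00:02] Found authentication source(s) : 'tacos-MachineAuth' for realm 'tacos.lan' (pf::config::util::filter_authentication_sources)
"""

# Syslog-style prefix up to the [mac:...] tag; the rest is the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+): (?P<proc>\S+) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] (?P<msg>.*)$"
)
PROFILE_RE = re.compile(r"^Instantiate profile (\S+)")
SOURCES_RE = re.compile(
    r"^Found authentication source\(s\) : '(?P<sources>[^']*)' for realm '(?P<realm>[^']*)'"
)
NO_ROLE = "No category computed for autoreg"

def parse_log(text):
    """Group the relevant fields by MAC: profile, sources, realm, no_role."""
    per_mac = defaultdict(lambda: {"profile": None, "sources": None,
                                   "realm": None, "no_role": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or unparsable line
        entry = per_mac[m["mac"]]
        msg = m["msg"]
        profile = PROFILE_RE.match(msg)
        sources = SOURCES_RE.match(msg)
        if profile:
            entry["profile"] = profile.group(1)
        elif sources:
            entry["sources"] = [s.strip() for s in sources["sources"].split(",") if s.strip()]
            entry["realm"] = sources["realm"]
        elif msg.startswith(NO_ROLE):
            entry["no_role"] = True
    return dict(per_mac)

def findings(per_mac):
    """One line per MAC whose instantiated profile resolved to no source."""
    out = []
    for mac, e in sorted(per_mac.items()):
        if e["sources"] == []:  # a source line was seen, but it was empty
            text = f"{mac}: profile {e['profile']} has no source for realm {e['realm']}"
            if e["no_role"]:
                text += "; autoreg produced no role"
            out.append(text)
    return out

if __name__ == "__main__":
    for line in findings(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against a real packetfence.log, the output names the profile to edit; a MAC that never logs a "Found authentication source(s)" line is left out on purpose, since that means no profile with autoregistration was reached for it.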

Re: [PacketFence-users] PF 9.3.0 and connection profiles and recomputing of roles - not working

2020-02-12 Thread Durand fabrice via PacketFence-users
edu

Best,

Nadim

On Fri, Feb 7, 2020 at 10:09 PM Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Nadim

On 20-02-05 at 02:19, Nadim El-Khoury via
PacketFence-users wrote:

Hi Everyone,

It does not look like PF 9.3.0 is able to
assign the right connection profile once a user is
authenticated.

Question 1) Why is the right connection profile
not being picked up based on the created filter?

probably a wrong filter

Question 2) Can the default connection profile be
disabled?

no

Question 3) Why is the system not entering the
right owner for the registered device after
successful authentication?

No profile, so no source, so no user.

Question 4) Why is the connection profile set
to N/A when it does not properly match a profile?

Because PacketFence is not able to compute the
connection profile.


When running /usr/local/pf/bin/pftest
authentication username "",
the command returns the right AD group the user is
part of.

Recomputing of roles does not seem to be working
if a device is successfully registered with
another user or owner. So, if a new user uses the
same device the role is not recomputed and the new
user using the same old registered device ends up
with the same previous role as the previous user.

Question 1) How can we change the above behavior?


Share your packetfence.log file when the device
connects and we will have the answer.

Regards

Fabrice



Your help is very much appreciated.

Best,

Nadim






