Re: [PacketFence-users] MS-CHAP2-Response is incorrect

2022-03-31 Thread Fabrice Durand via PacketFence-users
Hello Nicat,

can you run this command and try to connect ?

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 300

Then paste the output.

Regards
Fabrice

On Wed, 30 Mar 2022 at 08:54, Nijat Sultanov via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi there,
> I was looking for support from PacketFence and tried the mailing list.
> Somehow I'm not able to create a topic in the PacketFence section on
> sourceforge.net.
> Maybe you can help me now.
>
> I'm trying to run PacketFence with my UniFi AP, but I'm struggling to make a
> successful authentication with my user. Previously I used a switch and
> the authentication worked fine. Now I'm trying to make a wireless
> authentication, but somehow I'm getting rejected every time with the
> reason: mschap: MS-CHAP2-Response is incorrect.
>
> Here is the RADIUS auditing log:
> Request Time: 0
>
> RADIUS Request:
> User-Name = "nijat"
> Event-Timestamp = "Mar 28 2022 14:54:48 UTC"
> Calling-Station-Id = "be:f1:bd:b6:40:a3"
> WLAN-AKM-Suite = 1027073
> MS-CHAP-User-Name = "nijat"
> PacketFence-Outer-User = "nijat"
> Realm = "null"
> MS-CHAP2-Response = 0x6e69e18213141ad3c9c9de0c32d6cedd713fdec8317a42db25f2e4ce62cf8b49d5727646a3cdbc15b035
> Acct-Multi-Session-Id = "723AF7C45EAA7B4C"
> NAS-IP-Address = 10.80.80.67
> Service-Type = Framed-User
> PacketFence-Radius-Ip = "10.80.80.143"
> PacketFence-KeyBalanced = "b6125b7968479546eeef8c210c3176af"
> WLAN-Group-Cipher = 1027076
> NAS-Identifier = "7a4558c7885f"
> Called-Station-Id = "7a:45:58:c7:88:5f:pftest"
> EAP-Type = MSCHAPv2
> EAP-Message = 0x026e00401a026e003b31e18213141ad3c9c9de0c32d6cedd713fdec8317a42db25f2e4ce62cf8b49d5727646a3cdbc15b035006e696a6174
> Framed-MTU = 1400
> WLAN-Pairwise-Cipher = 1027076
> Stripped-User-Name = "nijat"
> Acct-Session-Id = "9C80BE880B7D623E"
> FreeRADIUS-Proxied-To = 127.0.0.1
> State = 0xeeed1a94ee8300284b8988160fb70984
> Called-Station-SSID = "pftest"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11a"
> MS-CHAP-Challenge = 0x573a1544f904d394d0a45b27858fcedf
> Module-Failure-Message = "mschap: MS-CHAP2-Response is incorrect"
> User-Password = "**"
> SQL-User-Name = "nijat"
>
> RADIUS Reply:
> MS-CHAP-Error = "nE=691 R=0 C=59ed45f1aa35086ebe0c808a8ff4e84b V=3 M=Authentication rejected"
> EAP-Message = 0x046e0004
> Message-Authenticator = 0x
> --
> Nicat Sultan
> Trainee Systemintegration
> Lucas Beier Moritz Maus Fusion2go IT GbR
> +49 2253 - 609 89 47 4
> i...@fusion2go.de
> https://fusion2go.de
> Triftweg 9, 53902 Bad Münstereifel
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
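A note on reading the audit entry above, with an added example that is not part of the thread and not PacketFence or FreeRADIUS code. The reject carries MS-CHAP-Error "nE=691 R=0 ...": per RFC 2548 the first byte of that string is the MS-CHAPv2 Ident (here 'n', 0x6e, the same id as the EAP-Message), E=691 is ERROR_AUTHENTICATION_FAILURE, R=0 means the client is not allowed to retry with the same challenge, and C= is the new authenticator challenge. The MS-CHAP2-Response blob is Peer-Challenge(16) + Reserved(8) + NT-Response(24) preceded by Ident and Flags; "MS-CHAP2-Response is incorrect" is rlm_mschap saying that the NT-Response it computed from the password hash it has does not match the one the client sent, which is why raddebug output showing which password source was used is the next step. The EAP-Message hex in the post declares Length 0x0040 (64 bytes) but only 56 bytes survive in the archive, so the parser below checks lengths before trusting any offset, and the sample packet it decodes is constructed with the same lengths rather than copied from the post (challenge and response bytes are made up).

```python
"""Decode an EAP-Response/MSCHAPv2-Response and an MS-CHAP-Error string.

Added example, not PacketFence or FreeRADIUS code. The sample packet is
constructed with the same lengths as the one in the post; challenge and
response bytes are made up.
"""
import re
import struct

EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26            # 0x1a in the EAP-Message
MSCHAPV2_OPCODE_RESPONSE = 2
MSCHAPV2_VALUE_SIZE = 49          # Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1)

# E= codes from RFC 2759 section 6 (Failure packet)
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Constructed sample values; only the lengths match the post.
PEER_CHALLENGE = bytes(range(0x10, 0x20))   # 16 bytes
NT_RESPONSE = bytes(range(0x40, 0x58))      # 24 bytes
SAMPLE_ERROR = "nE=691 R=0 C=59ed45f1aa35086ebe0c808a8ff4e84b V=3 M=Authentication rejected"

ERROR_RE = re.compile(r"E=(?P<code>\d+) R=(?P<retry>[01]) C=(?P<challenge>[0-9A-Fa-f]{32}) "
                      r"V=(?P<version>\d+) M=(?P<message>.*)")


def build_sample_eap_message(ident: int = 0x6E, name: bytes = b"nijat") -> bytes:
    """EAP-Response/MSCHAPv2-Response with the 64/59-byte lengths seen in the post."""
    value = PEER_CHALLENGE + bytes(8) + NT_RESPONSE + b"\x00"          # Flags = 0
    ms = struct.pack("!BBHB", MSCHAPV2_OPCODE_RESPONSE, ident,
                     5 + len(value) + len(name), len(value)) + value + name
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(ms), EAP_TYPE_MSCHAPV2) + ms


def parse_eap_mschapv2_response(eap_message: bytes) -> dict:
    """Split the packet into its fields, refusing anything whose lengths do not add up."""
    if len(eap_message) < 10:
        raise ValueError("EAP/MS-CHAPv2 header truncated")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"not an EAP-Response/MSCHAPv2 (code={code}, type={eap_type})")
    if eap_len != len(eap_message):
        # This is what an archive-truncated hex dump looks like.
        raise ValueError(f"EAP Length says {eap_len} bytes but {len(eap_message)} are present")
    body = eap_message[5:]
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", body[:5])
    if opcode != MSCHAPV2_OPCODE_RESPONSE or ms_len != len(body) or value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError("malformed MS-CHAPv2 Response packet")
    value = body[5:5 + value_size]
    return {
        "eap_id": eap_id,
        "mschap_id": ms_id,
        "peer_challenge": value[0:16].hex(),
        "reserved": value[16:24].hex(),
        "nt_response": value[24:48].hex(),
        "flags": value[48],
        "name": body[5 + value_size:].decode("ascii", "replace"),
    }


def parse_mschap_error(text: str) -> dict:
    """Parse 'E=<code> R=<0|1> C=<32 hex> V=<n> M=<text>'; the prefix before E= is the Ident byte."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not an MS-CHAP-Error string")
    code = int(m["code"])
    return {
        "ident": text[:m.start()],
        "code": code,
        "code_name": MSCHAP_ERROR_CODES.get(code, "unknown"),
        "retry_allowed": m["retry"] == "1",
        "challenge": m["challenge"].lower(),
        "version": int(m["version"]),
        "message": m["message"],
    }


if __name__ == "__main__":
    print(parse_eap_mschapv2_response(build_sample_eap_message()))
    print(parse_mschap_error(SAMPLE_ERROR))
```

To use it on a real entry, pass `bytes.fromhex(...)` of the EAP-Message attribute (without the 0x prefix) and the MS-CHAP-Error string as logged; a ValueError on the length check means the dump is incomplete, not that the client is misbehaving.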


Re: [PacketFence-users] STUCK ON VERIFYING

2022-03-31 Thread Fabrice Durand via PacketFence-users
It's like the switch never receives the RADIUS reply.
I would suggest capturing the traffic to see what happens.

On Wed, 30 Mar 2022 at 08:54, David Kitonga via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Ok.
>
> Setup
>
> Cisco 3850
> Windows 11 endpoint
> PF ZEN installation.
> Microsoft AD
>
> The purpose is NAC via AD SSO.
>
> Regards
> David
>
>
> *From:* Zammit, Ludovic 
> *Sent:* Wednesday, 30 March 2022 15:17
> *To:* David Kitonga 
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: STUCK ON VERIFYING
>
> Hello David,
>
> It's working, but you have to provide more information than just a few debug
> lines.
>
> We need a context and intended purpose.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
>
> On Mar 30, 2022, at 4:06 AM, David Kitonga wrote:
>
> Is the support channel working?
>
> Regards
> David
>
> *From:* David Kitonga
> *Sent:* Tuesday, 29 March 2022 11:21
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* STUCK ON VERIFYING
>
> On radius logs
>
> Mar 29 11:13:23  auth[2194]: Adding client **.**.*.115/32
> Mar 29 11:13:23  auth[2194]: [mac:00:e0:4c:36:06:8d] Accepted user: and
> returned VLAN 1100
> Mar 29 11:13:23  auth[2194]: (45060) Login OK: [00e04c36068d] (from client
> **.**.*.115/32 port 50108 cli 00:e0:4c:36:06:8d)
>
> Switch debug
>
> Mar 29 11:13:39 EAT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd:
> Authentication failed for client (00e0.4c36.068d) with reason (No Response
> from Client) on Interface Te1/0/8 AuditSessionID 0A0F0073004DD27E411D
>
> Mar 29 11:13:49 EAT: AUTH-EVENT: [Te1/0/8] mac seen: 1 authz count[DATA]:
> 0 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1
> block notification: 0
>
> Mar 29 11:13:49 EAT: AUTH-EVENT: [Te1/0/8] mac seen: 1 authz count[DATA]:
> 0 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1
> block notification: 0
>
> Mar 29 11:13:49 EAT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd:
> Authentication failed for client (00e0.4c36.068d) with reason (Timeout) on
> Interface Te1/0/8 AuditSessionID 0A0F0073004DD27E411D
>
> Mar 29 11:13:49 EAT: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd:
> Authorization failed or unapplied for client (00e0.4c36.068d) on Interface
> TenGigabitEthernet1/0/8 AuditSessionID 0A0F0073004DD27E411D. Failure
> reason: Authc fail. Authc failure reason: Timeout.
>
> Regards
> David
>
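The two logs quoted above tell the story when read side by side: PacketFence logs "Login OK" at 11:13:23, and the switch reports "No Response from Client" 16 seconds later and "Timeout" 26 seconds later for the same MAC, which is consistent with Fabrice's reading that the reply never made it back. Doing that comparison by hand is error-prone because the two sides write the MAC differently (00:e0:4c:36:06:8d versus 00e0.4c36.068d). The following is an added example, not code from the thread or from PacketFence: it normalises both MAC notations, pairs each %DOT1X-5-FAIL with a preceding Access-Accept for the same client, and reports the gap. The input is the quoted log lines (NAS address masked as in the post); the year and the 60-second window are assumptions.

```python
"""Correlate PacketFence radius.log accepts with Cisco %DOT1X-5-FAIL events.

Added example, not code from the thread or from PacketFence. The two excerpts
are the lines quoted in the post (NAS address masked as in the post); the
year and the correlation window are assumptions.
"""
import re
from datetime import datetime

RADIUS_LOG = """\
Mar 29 11:13:23  auth[2194]: Adding client **.**.*.115/32
Mar 29 11:13:23  auth[2194]: [mac:00:e0:4c:36:06:8d] Accepted user: and returned VLAN 1100
Mar 29 11:13:23  auth[2194]: (45060) Login OK: [00e04c36068d] (from client **.**.*.115/32 port 50108 cli 00:e0:4c:36:06:8d)
"""

SWITCH_LOG = """\
Mar 29 11:13:39 EAT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (00e0.4c36.068d) with reason (No Response from Client) on Interface Te1/0/8 AuditSessionID 0A0F0073004DD27E411D
Mar 29 11:13:49 EAT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (00e0.4c36.068d) with reason (Timeout) on Interface Te1/0/8 AuditSessionID 0A0F0073004DD27E411D
Mar 29 11:13:49 EAT: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (00e0.4c36.068d) on Interface TenGigabitEthernet1/0/8 AuditSessionID 0A0F0073004DD27E411D. Failure reason: Authc fail. Authc failure reason: Timeout.
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
RADIUS_OK = re.compile(TS + r" .*Login OK: \[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) "
                       r"port \d+ cli (?P<mac>\S+)\)")
SWITCH_FAIL = re.compile(TS + r" \S+: %DOT1X-5-FAIL: .*client \((?P<mac>[0-9A-Fa-f.]+)\) "
                         r"with reason \((?P<reason>[^)]*)\) on Interface (?P<port>\S+)")


def normalize_mac(raw: str) -> str:
    """00:e0:4c:36:06:8d, 00e0.4c36.068d, 00-E0-4C-36-06-8D and 00e04c36068d -> one form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ts(ts: str, year: int = 2022) -> datetime:
    """Syslog timestamps carry no year; 2022 is assumed from the thread date."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_lost_accepts(radius_log: str, switch_log: str, window_s: int = 60) -> list:
    """Switch-side dot1x failures that follow a PacketFence Access-Accept for the same MAC."""
    accepts = {}
    for line in radius_log.splitlines():
        m = RADIUS_OK.search(line)
        if m:
            accepts.setdefault(normalize_mac(m["mac"]), []).append(parse_ts(m["ts"]))
    findings = []
    for line in switch_log.splitlines():
        m = SWITCH_FAIL.search(line)
        if not m:
            continue
        mac, failed_at = normalize_mac(m["mac"]), parse_ts(m["ts"])
        for accepted_at in accepts.get(mac, []):
            delta = (failed_at - accepted_at).total_seconds()
            if 0 <= delta <= window_s:
                findings.append({"mac": mac, "port": m["port"], "reason": m["reason"],
                                 "seconds_after_accept": delta})
    return findings


if __name__ == "__main__":
    for f in find_lost_accepts(RADIUS_LOG, SWITCH_LOG):
        print(f"{f['mac']} on {f['port']}: {f['reason']} {f['seconds_after_accept']:.0f}s after accept")
```

A hit from this script narrows the problem to the path between PacketFence and the switch (or between the switch and the supplicant), which is exactly where the packet capture Fabrice suggests should be taken: on the PacketFence side to confirm the Access-Accept leaves, and on the switch uplink to confirm it arrives.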


Re: [PacketFence-users] Unifi APs and Packetfence

2022-03-22 Thread Fabrice Durand via PacketFence-users
Hello Adrian,
I deal with that sometimes, and it's supposed to be the NAS that sends the
Framed-MTU attribute.
Are you able to see it in the request?
Can you change it on the AP side?

Also, if you change it on the FreeRADIUS side I don't think it will change
anything.

Regards
Fabrice



On Tue, 22 Mar 2022 at 20:41, Enrique Gross via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Adrián,
>
> I have a group of UniFi APs doing RADIUS PacketFence magic via an L2TP/IPsec
> tunnel. No issues so far.
>
> Maybe I can help you. Is your routing OK? Any NAT between your APs and the
> PacketFence management address? Where is your UniFi controller located? I'm
> not really a fragmentation/MTU expert; why do you think this is causing
> problems?
>
> Enrique
>
>
>
> On Tue, 22 Mar 2022 at 17:26, Adrian Damaschek via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Everyone,
>>
>> I started this topic in my previous thread, but since it's now a different
>> issue and more specific I decided to split it off. (The issue with SCEP
>> certs got fixed, so thanks everyone.)
>>
>> Following problem: I have PacketFence installed in my main datacenter, and now
>> I would like to have a central NAC for all my Wi-Fi. I use UniFi access
>> points, and the problem is that it seems not to work over VPN connections.
>>
>> From all I could find it's related to fragmentation and MTU. It's suggested
>> to set the Framed-MTU attribute to something like 1300 or lower, to tell
>> the client that the MTU needs to be lower.
>> People seem to say that you set this on the RADIUS server, and it tells
>> the client to use a lower Framed-MTU. Not an expert on RADIUS, so I don't know.
>>
>> Has anyone managed to get UniFi APs to work with RADIUS from offsite?
>>
>> I would not want to deal with having a NAC per site. A RADIUS
>> proxy forwarding the requests might be an option, but I prefer to use that as
>> a last resort.
>>
>> Thanks for any responses
>>
>> Adrian
>>


Re: [PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-20 Thread Fabrice Durand via PacketFence-users
Just like that:

[image: image.png]

On Sun, 20 Mar 2022 at 07:39, P.Thirunavukkarasu
wrote:

> Hi Fabrice,
> Thank you, and sorry for the question...
>
> *Create the connection profile for outbound authentication*
> *"Create the Connection Profile named External Eduroam authentication.
> Check Automatically register devices, then create a REALM filter Eduroam.
> Next, make sure to add the Eduroam source previously created."*
>
> [image: image.png]
>
> Then how do I create the *Realm filter Eduroam*? I am not clear...
> Regards,
> Thirunavukkarasu
>


Re: [PacketFence-users] New Currency Paypal

2022-03-18 Thread Fabrice Durand via PacketFence-users
Hello Dennis,

you can add it there; it should work.

https://github.com/inverse-inc/packetfence/blob/devel/html/pfappserver/lib/pfappserver/Form/Config/Source/Billing.pm#L64

Regards
Fabrice



On Fri, 18 Mar 2022 at 09:46, Schüller Dennis via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hey,
>
> I want to add a new currency to the PayPal billing source.
>
> At the moment I can select between CAD and USD, but I must use EUR.
>
> Can someone help me, please?
>
> Thanks a lot!
>
>
> With kind regards
>
> *i. A.* *Dennis* *Schüller*
> IT System Administrator
> Finance & Administration
>
> dennis.schuel...@nuerburgring.de
>
> T +49 (2691) 302 9885
> M +49 151 571 320 36
> F +49 2691 302 9897
>
> Nürburgring 1927
> GmbH & Co. KG
>
> Otto-Flimm-Straße
> 53520 Nürburg
> nuerburgring.de
>


Re: [PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-18 Thread Fabrice Durand via PacketFence-users
Hello Thirunavukkarasu,

the realm eduroam is defined in the FreeRADIUS unlang, so if the logic
detects that it's an outbound authentication then the realm eduroam will be
added to the request.
For the DEFAULT one you should use your domain for that.

Regards
Fabrice


On Fri, 18 Mar 2022 at 09:45, P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Team,
> The corrected one for my previous email...
>
> Please help me in solving the problem stated below.
>
> From the installation guide:
> *13.3.3. Create the connection profile for local authentication*
> Go to Configuration → Policies and Access Control → Connection Profiles →
> New Connection Profile.
> Create a connection profile named Local and external Eduroam
> authentication. Check Automatically register devices, then create a *SSID
> filter Eduroam*. Make sure to add the Active Directory source to match on
> the local users.
>
> *13.3.5. Create the connection profile for outbound authentication*
> Go to Configuration → Policies and Access Control → Connection Profiles →
> New Connection Profile.
> Create the Connection Profile named External Eduroam authentication. Check
> Automatically register devices, then create a *REALM filter Eduroam*.
> Next, make sure to add the Eduroam source previously created.
>
> *My questions are:*
>
>    1. Should I create a REALM named *Eduroam* for Realm filter Eduroam?
>    2. Are any configurations required in the default realm?
>
> Ref:
> https://www.packetfence.org/support/faq/packetfence-and-eduroam.html
>
>     realm DEFAULT {
>         ignore_null = yes
>         type = radius
>         accthost = eduroam1.ns.utk.edu
>         authhost = eduroam1.ns.utk.edu
>         secret = SHARED-SECRET-UPSTREAM
>         nostrip
>     }
>
> Regards,
> Thirunavukkarasu


Re: [PacketFence-users] Palo Alto XML API roles

2022-03-18 Thread Fabrice Durand via PacketFence-users
Hello Toren,

I don't have a Palo Alto on my side, but if it works by just allowing the
User-ID part then we will have to adjust our documentation.

Regards
Fabrice


On Fri, 18 Mar 2022 at 09:45, Toren Smith via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Just a quick question here: in all the documentation I've seen for
> connecting PacketFence to a Palo Alto firewall for SSO, the
> instructions state to grant the API account access to *everything*,
> rather than just the User-ID part of the API. Does it really need all
> that? I like the idea of that integration, but I don't think it'll fly
> if it means creating a non-expiring admin account with full system
> access. I can try running it with just the User-ID privileges, but I
> figured I'd check here first to see if anyone knows for sure. Thanks!


Re: [PacketFence-users] ERROR: Server returned no data

2022-03-11 Thread Fabrice Durand via PacketFence-users
Hello Tomas,

try that (conf/radiusd/rest.conf):
https://github.com/inverse-inc/packetfence/commit/5ee142d9ba6ce457c10967013fa11a361caa9694

Regards
Fabrice

On Fri, 11 Mar 2022 at 10:12, tomas.rybicka via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Dear PacketFence Support Team,
>
> I have trouble with devices that are Registered in the Nodes table but in
> Auditing I see the device is Unregistered with this error: 'ERROR: Server
> returned no data'.
> PacketFence 11.1
> Access points: Cisco Meraki
> EAP-TLS
>
> ==> radius.log <==
> Mar  9 11:57:42 czstd-srv-pf11 auth[3185]: Adding client 10.55.201.112/32
> Mar  9 11:57:42 czstd-srv-pf11 auth[3185]: (2742) rest: ERROR: Server
> returned no data
> Mar  9 11:57:42 czstd-srv-pf11 auth[3185]: [mac:40:5b:d8:0e:ea:c5]
> Rejected user: host/CZSTD-NB0081.MEGroup.Global
> Mar  9 11:57:42 czstd-srv-pf11 auth[3185]: (2742) Rejected in post-auth:
> [host/CZSTD-NB0081.MEGroup.Global] (from client 10.55.201.112/32 port 1
> cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:57:42 czstd-srv-pf11 auth[3185]: (2742) Login incorrect (rest:
> Failed creating HTTP body content): [host/CZSTD-NB0081.MEGroup.Global]
> (from client 10.55.201.112/32 port 1 cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:57:47 czstd-srv-pf11 auth[3185]: (2752) rest: ERROR: Server
> returned no data
> Mar  9 11:57:47 czstd-srv-pf11 auth[3185]: [mac:40:5b:d8:0e:ea:c5]
> Rejected user: host/CZSTD-NB0081.MEGroup.Global
> Mar  9 11:57:47 czstd-srv-pf11 auth[3185]: (2752) Rejected in post-auth:
> [host/CZSTD-NB0081.MEGroup.Global] (from client 10.55.201.112/32 port 1
> cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:57:47 czstd-srv-pf11 auth[3185]: (2752) Login incorrect (rest:
> Failed creating HTTP body content): [host/CZSTD-NB0081.MEGroup.Global]
> (from client 10.55.201.112/32 port 1 cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:57:52 czstd-srv-pf11 auth[3185]: (2761) rest: ERROR: Server
> returned no data
> Mar  9 11:57:52 czstd-srv-pf11 auth[3185]: [mac:40:5b:d8:0e:ea:c5]
> Rejected user: host/CZSTD-NB0081.MEGroup.Global
> Mar  9 11:57:52 czstd-srv-pf11 auth[3185]: (2761) Rejected in post-auth:
> [host/CZSTD-NB0081.MEGroup.Global] (from client 10.55.201.112/32 port 1
> cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:57:52 czstd-srv-pf11 auth[3185]: (2761) Login incorrect (rest:
> Failed creating HTTP body content): [host/CZSTD-NB0081.MEGroup.Global]
> (from client 10.55.201.112/32 port 1 cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:57:57 czstd-srv-pf11 auth[3185]: (2770) rest: ERROR: Server
> returned no data
> Mar  9 11:57:57 czstd-srv-pf11 auth[3185]: [mac:40:5b:d8:0e:ea:c5]
> Rejected user: host/CZSTD-NB0081.MEGroup.Global
> Mar  9 11:57:57 czstd-srv-pf11 auth[3185]: (2770) Rejected in post-auth:
> [host/CZSTD-NB0081.MEGroup.Global] (from client 10.55.201.112/32 port 1
> cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:57:57 czstd-srv-pf11 auth[3185]: (2770) Login incorrect (rest:
> Failed creating HTTP body content): [host/CZSTD-NB0081.MEGroup.Global]
> (from client 10.55.201.112/32 port 1 cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:58:03 czstd-srv-pf11 auth[3185]: (2780) rest: ERROR: Server
> returned no data
> Mar  9 11:58:03 czstd-srv-pf11 auth[3185]: [mac:40:5b:d8:0e:ea:c5]
> Rejected user: host/CZSTD-NB0081.MEGroup.Global
> Mar  9 11:58:03 czstd-srv-pf11 auth[3185]: (2780) Rejected in post-auth:
> [host/CZSTD-NB0081.MEGroup.Global] (from client 10.55.201.112/32 port 1
> cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:58:03 czstd-srv-pf11 auth[3185]: (2780) Login incorrect (rest:
> Failed creating HTTP body content): [host/CZSTD-NB0081.MEGroup.Global]
> (from client 10.55.201.112/32 port 1 cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:58:08 czstd-srv-pf11 auth[3185]: (2789) rest: ERROR: Server
> returned no data
> Mar  9 11:58:08 czstd-srv-pf11 auth[3185]: [mac:40:5b:d8:0e:ea:c5]
> Rejected user: host/CZSTD-NB0081.MEGroup.Global
> Mar  9 11:58:08 czstd-srv-pf11 auth[3185]: (2789) Rejected in post-auth:
> [host/CZSTD-NB0081.MEGroup.Global] (from client 10.55.201.112/32 port 1
> cli 40:5b:d8:0e:ea:c5)
> Mar  9 11:58:08 czstd-srv-pf11 auth[3185]: (2789) Login incorrect (rest:
> Failed creating HTTP body content): [host/CZSTD-NB0081.MEGroup.Global]
> (from client 10.55.201.112/32 port 1 cli 40:5b:d8:0e:ea:c5)
>
> From Webinterface
> Auditing Node information:
>  MAC Address 40:5b:d8:0e:ea:c5
>  Auth Status Reject
>  Auth Status eap
>  Auto Registration No
>  Calling Station Identifier 40:5b:d8:0e:ea:c5
>  Computer Name N/A
>  EAP Type TLS
>  Event Type Radius-Access-Request
>  IP Address
>  Is a Phone No
>  Created at 2022-03-09 12:02:19
>  Node Status N/A
>  Domain
>  Profile N/A
>  Realm MEGroup.Global
>  Reason rest: Failed creating HTTP body content
>  Role N/A
>  Source N/A
>  Stripped User Name
>  User Name host/CZSTD-NB0081.MEGroup.Global
> Unique Identifier
>
>
>
> Auditing Radius:
>  Request Time 0
>  RADIUS Request
>  RADIUS Reply
> MS-MPPE-Recv-Key =
> 0x901d9845adf079529298df43f89d1e1d08fc03c3b51e6d56190037f4f5a5c5bb
> MS-MPPE-Send-Key =
> 

Re: [PacketFence-users] Issue after upgrading the packetfence - Regarding

2022-03-11 Thread Fabrice Durand via PacketFence-users
Hello Thirunavukkarasu,

do that instead:
/usr/sbin/freeradius -d /usr/local/pf/raddb -n auth -fxx -l stdout

and paste the output.

Regards
Fabrice


On Fri, 11 Mar 2022 at 10:12, Thirunavukkarasu Palanisamy via
PacketFence-users wrote:

> Hi Team,
> Greetings of the day.
>
> After upgrading PacketFence to version 11.2.0 I got the following message
> in freeradius -X:
>
>     Ready to process requests
>     Ignoring request to auth address * port 1812 bound to server default from unknown client 172.16.20.210 port 55029 proto udp
>     Ready to process requests
>     Ignoring request to auth address * port 1812 bound to server default from unknown client 172.16.20.210 port 55029 proto udp
>     Ready to process requests
>     Ignoring request to auth address * port 1812 bound to server default from unknown client 172.16.20.210 port 55029 proto udp
>     Ready to process requests
>     Ignoring request to auth address * port 1812 bound to server default from unknown client 172.16.20.210 port 55029 proto udp
>     Ready to process requests
>
>
> The client details are as follows:
>
>     client localhost {
>         ipaddr = 127.0.0.1
>         require_message_authenticator = no
>         secret = <<< secret >>>
>         nas_type = "other"
>         proto = "*"
>         limit {
>             max_connections = 16
>             lifetime = 0
>             idle_timeout = 30
>         }
>     }
>     client localhost_ipv6 {
>         ipv6addr = ::1
>         require_message_authenticator = no
>         secret = <<< secret >>>
>         limit {
>             max_connections = 16
>             lifetime = 0
>             idle_timeout = 30
>         }
>     }
>
> How do I resolve the issue?
> Regards,
> Thirunavukkarasu
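The "Ignoring request ... from unknown client 172.16.20.210" lines above are FreeRADIUS saying that no client stanza covers the source address of the request, so it is dropped before any authentication happens; the only clients in the quoted configuration are the two localhost stanzas. In PacketFence the network device has to be defined with its RADIUS secret for the request to be accepted at all (the "Adding client ..." lines in the other threads on this page are that mechanism at work). The following is an added example, not PacketFence code, that parses clients.conf-style text and checks whether the address from such a debug line is covered by any stanza, so the check can be run against the generated configuration before restarting anything. The configuration text is constructed: the two default stanzas from the post plus a hypothetical core_switch stanza covering 172.16.20.0/24; the debug line is the one from the post.

```python
"""Check a FreeRADIUS clients.conf against the NAS address in an
"Ignoring request ... from unknown client" line.

Added example, not PacketFence code. The clients.conf text is constructed:
the two default localhost stanzas from the post plus a hypothetical
core_switch stanza; the debug line is the one from the post.
"""
import ipaddress
import re

CLIENTS_CONF = """\
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = <<< secret >>>
    nas_type = "other"
    proto = "*"
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr = ::1
    require_message_authenticator = no
    secret = <<< secret >>>
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client core_switch {      # hypothetical NAS stanza added for the example
    ipaddr = 172.16.20.0/24
    secret = <<< secret >>>
}
"""

DEBUG_LINE = ("Ignoring request to auth address * port 1812 bound to server default "
              "from unknown client 172.16.20.210 port 55029 proto udp")

CLIENT_OPEN = re.compile(r"client\s+(\S+)\s*\{$")
ADDR_KEY = re.compile(r"(ipaddr|ipv4addr|ipv6addr)\s*=\s*(\S+)")


def to_network(key: str, value: str):
    """ipaddr/ipv6addr take a host, a CIDR block, or * for any address of that family."""
    if value == "*":
        return ipaddress.ip_network("::/0" if key == "ipv6addr" else "0.0.0.0/0")
    return ipaddress.ip_network(value, strict=False)


def parse_clients(text: str) -> list:
    """Return (name, network) for each top-level client stanza; nested blocks are skipped."""
    clients, depth, name, net = [], 0, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if not line:
            continue
        opening = CLIENT_OPEN.match(line)
        if depth == 0 and opening:
            name, net, depth = opening.group(1), None, 1
        elif line.endswith("{"):                    # e.g. limit { ... }
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0 and name is not None:
                clients.append((name, net))
                name = None
        elif depth == 1:
            kv = ADDR_KEY.match(line)
            if kv:
                net = to_network(kv.group(1), kv.group(2).strip('"'))
    return clients


def unknown_client_ip(debug_line: str):
    """Pull the source address out of a FreeRADIUS 'unknown client' debug line."""
    m = re.search(r"from unknown client (\S+) port \d+", debug_line)
    return m.group(1) if m else None


def matching_clients(conf_text: str, nas_ip: str) -> list:
    """Names of the client stanzas whose address range covers nas_ip."""
    addr = ipaddress.ip_address(nas_ip)
    return [name for name, net in parse_clients(conf_text)
            if net is not None and net.version == addr.version and addr in net]


if __name__ == "__main__":
    ip = unknown_client_ip(DEBUG_LINE)
    print(ip, "->", matching_clients(CLIENTS_CONF, ip) or "no client stanza covers this address")
```

Run against the real file with `parse_clients(open("/usr/local/pf/raddb/clients.conf").read())`; an empty result for the address in the debug line confirms the diagnosis, and the fix is on the PacketFence side (define the device and its secret), not by hand-editing the generated file.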


Re: [PacketFence-users] Problem with VLAN change on Meraki WiFi

2022-03-11 Thread Fabrice Durand via PacketFence-users
Hello Chris,

instead of 2210, set it to 0 in PacketFence (I mean, use the native VLAN).

Regards
Fabrice

On Fri, 11 Mar 2022 at 10:12, Chris Jordan via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I have an odd issue switching VLANs on Meraki Wi-Fi.
>
> I have 3 VLANs: 2225 is the PacketFence registration VLAN, 2210 is internal
> Wi-Fi, and 2298 is the guest VLAN.
>
> I have them set up as VLAN roles here in PacketFence:
>
> [image: image.png]
>
> Now on Meraki, the switch port that the AP is connected to is on native
> VLAN 2210, which is the internal network Wi-Fi. The SSID, when connected, I have
> set up with a VLAN tag to the PacketFence registration VLAN 2225, which displays the
> splash screen to either use guest or log in to internal Wi-Fi.
>
> Here is my problem: when a user logs in and tries to connect to VLAN
> 2210 with role FL-Internal, it changes the VLAN but never gets an IP and
> doesn't display anything in the logs. However, the guest VLAN works fine and
> switches correctly. I believe it has something to do with the native VLAN
> already being 2210.
>
> Has anybody encountered this?
>
>
> Thanks,
> --
> *Christopher Jordan* | Sr. Systems Administrator
> 22 McGrath Hwy | Suite 206 | Somerville | MA 02143
> www.formlabs.com
> www.christopherjordan.com


Re: [PacketFence-users] RADIUS Tracking Issues & Best Practice

2022-02-21 Thread Fabrice Durand via PacketFence-users
Hello Trevor,

in the coming new PacketFence release we added that:

https://github.com/inverse-inc/packetfence/pull/6772

which allows you to create a RADIUS probe account in order to test if the
server is available.

Btw, Access-Reject also means that the server is available.

Regards
Fabrice


On Mon, 21 Feb 2022 at 10:47, Trevor Bryant via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I'm using PacketFence with Aruba Networks switches. I have enabled RADIUS
> tracking on the switches to determine if the PacketFence servers are actively
> responding to requests. Even though this username isn't active and the
> request fails, it still sends the failed message back to the switch so the
> switch can determine if RADIUS is actually working or not.
>
> I configured tracking to test authentication using "RADIUS-Tracking-User"
> as the username. Every 5 minutes, my switches will try to authenticate using
> that username. This is filling up my audit logs with these failed auth
> messages. Also, it shows lots of failed RADIUS authentications in the
> dashboard view. They are legitimate for obvious reasons, but I would like
> to see if anyone has any suggestion on how to better manage this.
>
> Is there a way for authentication requests from this username to still
> be rejected, but not logged to the audit log?
>
> Thank You
>
>
>
> Simon - Kucher & Partners
> Strategy & Marketing Consultants LLC
> One Boston Place, Suite 3301
> Boston, MA 02108
> United States
> Tel: +1 617 319 9548 
> trevor.bry...@simon-kucher.com
> www.simon-kucher.com
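A tracking user, as Fabrice says, proves the server is up because an Access-Reject is still a reply; the cost is one failed authentication in the audit log every five minutes per switch. RADIUS has a probe that is not an authentication at all: Status-Server (RFC 5997), which FreeRADIUS answers when `status_server = yes` is set in radiusd.conf. Whether a given switch can send Status-Server instead of a test authentication is a question for that switch's documentation. The following is an added example, not PacketFence code, showing both sides of the exchange in Python: it builds a Status-Server request with the mandatory Message-Authenticator (HMAC-MD5 keyed with the shared secret), builds the reply the way the server does, and verifies a reply against the request's identifier and authenticator so that a spoofed "server is up" cannot be injected by anyone without the secret. No network I/O: the reply is constructed locally with the same secret so the whole path runs offline; secret and identifiers are made up.

```python
"""RADIUS Status-Server probe (RFC 5997), built and verified offline.

Added example, not PacketFence code. FreeRADIUS answers Status-Server when
status_server = yes is set in radiusd.conf. No network I/O here: the reply is
constructed locally with the same secret so that the verification path can be
exercised end to end. Secret and identifiers are made up.
"""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20            # Code(1) Identifier(1) Length(2) Authenticator(16)


def build_status_server(secret: bytes, ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Status-Server carrying the mandatory Message-Authenticator (HMAC-MD5 over the packet)."""
    request_auth = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)   # zeroed for the HMAC
    pkt = struct.pack("!BBH", STATUS_SERVER, ident, HEADER_LEN + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:HEADER_LEN + 2] + mac


def message_authenticator_ok(secret: bytes, pkt: bytes, request_auth: bytes) -> bool:
    """Recompute Message-Authenticator; for replies the request authenticator is used (RFC 2869)."""
    off = HEADER_LEN
    while off + 2 <= len(pkt):
        attr_type, attr_len = pkt[off], pkt[off + 1]
        if attr_len < 2 or off + attr_len > len(pkt):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = pkt[:4] + request_auth + pkt[HEADER_LEN:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += attr_len
    return False


def build_reply(secret: bytes, request: bytes, code: int = ACCESS_ACCEPT, attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(head + request[4:HEADER_LEN] + attrs + secret).digest()
    return head + response_auth + attrs


def verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Client side: accept only a reply bound to our identifier, our authenticator and the secret."""
    if len(reply) < HEADER_LEN:
        return False
    _code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:HEADER_LEN] + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"probe-secret"                       # made up
    req = build_status_server(secret)
    print("request Message-Authenticator ok:", message_authenticator_ok(secret, req, req[4:HEADER_LEN]))
    print("reply ok:", verify_reply(secret, req, build_reply(secret, req)))
```

To probe a real server, send the bytes from `build_status_server` over UDP to port 1812 and pass the datagram you get back to `verify_reply`: a correctly authenticated reply of any code means the server is up, and no reply after a few retries means it is not. Nothing is authenticated, so there is no Access-Reject to land in the audit log.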


Re: [PacketFence-users] SCEP over Intune does not work

2022-02-21 Thread Fabrice Durand via PacketFence-users
I have a Debian cluster running on my side with the raddebug command here:
/usr/sbin/raddebug

and it's coming from the freeradius package.
root@cluster3:/usr/local/pf# apt-file search raddebug
freeradius: /usr/sbin/raddebug

On Mon, 21 Feb 2022 at 10:27, Adrian Damaschek <
adrian.damasc...@technicondesign.com> wrote:

> Still no, I don't have any commands starting with radd.
> I am using PacketFence 11 on Debian, if that makes a difference as to where the
> debug commands are.
>
> Regards
> Adrian
>
>
> From: Fabrice Durand 
> Sent: Monday, 21 February 2022 16:16
> To: Adrian Damaschek 
> Cc: packetfence-users 
> Subject: Re: [PacketFence-users] SCEP over Intune does not work
>
> Sorry a typo
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000
>
> For the MTU I think that it needs to be done on the AP (to match the VPN
> value) and maybe on the VPN server too.
>
> On Mon, 21 Feb 2022 at 09:58, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:
> Hi Fabrice,
>
> So I get a command not found, but radsniff was there. And I get the
> packets, they show up:
>
> 2022-02-21 15:54:30.435928 (17) Access-Request Id 18
> enp6s18::58613 -> :1812 +0.416
> User-Name = "test2"
> NAS-IP-Address = 10.100.90.106
> Service-Type = Framed-User
> Framed-MTU = 1400
> State = 0xc7a76f0fc0c47689325319c17a81ab41
> Called-Station-Id = "1E-E8-29-62-A4-DC:TEST_NAC"
> Calling-Station-Id = "30-24-32-93-1A-8E"
> NAS-Identifier = "1ee82962a4dc"
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "60D23A6D993769B8"
> Acct-Multi-Session-Id = "C7D2CF37B0AFCE34"
> Connect-Info = "CONNECT 0Mbps 802.11b"
> EAP-Message =
> 0x026300cb190017030300c3f4a0bb92d0a0dcdab0b290eaa3123328c6c54a3f63eb436e00ad49c85c372c31ceed35386371283c0046a6566770221560f5a3a9d789d03f6b6347f257ff42447c9c8cd468e512731420b82c57d93c878316232c1f3426399ddfdb916c97e42e2a791ac45c3dad0120bd989a62f1256150f26032a03e634698324dd93e598faa55fce805b0cd288c6c84f63afc4930622db0095cc54ace06612fd2a1a22658e6cdb63e1996591580955c726879ea8f5e9c5f833d5908bc02
> Message-Authenticator = 0x19c1e44542159c5d1e854d237da9d73b
> WLAN-Pairwise-Cipher = 1027076
> WLAN-Group-Cipher = 1027076
> WLAN-AKM-Suite = 1027077
> WLAN-Group-Mgmt-Cipher = 1027078
> Authenticator-Field = 0x9faacd593cad6cdc503fce73431de630
>
> I saw some people say that doing EAP over VPNs is a problem because of
> the Framed-MTU, and suggested changing that, but I can't seem to find a way
> to lower it.
>
> Since the APs in the same site work, and it's only remote APs that access
> the RADIUS server via VPN.
>
> Regards
> Adrian
>
>
> From: Fabrice Durand 
> Sent: Monday, 21 February 2022 15:50
> To: Adrian Damaschek 
> Cc: packetfence-users 
> Subject: Re: [PacketFence-users] SCEP over Intune does not work
>
> Hello Adrian,
>
> glad to know that it works for you.
> Btw, I have no clue why the TPM module cannot be used.
>
> I know that we got an issue with certificates provided by Intune where
> FreeRADIUS complained that it wasn't able to decrypt too.
> There are also issues with Android and Intune if the certificate contains
> a postal code.
>
> You probably need to ask Microsoft why this happens.
>
> Also for your AP connection issue, can you try first to run raddebug?
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000
>
> and paste the output.
>
> For the MTU I have seen something like that in the past; I have to find it.
>
> Regards
> Fabrice
>
>
> On Mon, 21 Feb 2022 at 08:38, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:
> Hello Fabrice,
>
> So this works now, I can get the cert.
> But it seems that I have some APs now that don't want to connect. What the
> APs that don't want to use the RADIUS server have in common is that they are
> all behind site-to-site VPNs.
>
> Is this an Intune-specific issue as well, or possibly related to some MTU
> problems that I read might cause problems?
>
> Regards
> Adrian
>
>
>
> From: Fabrice Durand 
> Sent: Friday, 18 February 2022 14:21
> To: Adrian Damaschek 
> Cc: packetfence-users  packetfence-users@lists.sourceforge.net>
> Subject: Re: [PacketFence-users] SCEP over Intune does not work
>
>
> You don't often get email from mailto:mailto:mailto:mailto:
> oeufd...@gmail.com. http://aka.ms/LearnAboutSenderIdentification
>
> Hello Adrian,
> the error is "err="crypto/rsa: decryption error""
>
> We got multiple issues with Intune because of the Key Storage Provider;
> can you verify that it's configured like that?
>
> Regards
> Fabrice
>
>
> On Wed, 16 Feb 2022 at 11:24, Adrian Damaschek <mailto:adrian.damasc...@technicondesign.com> wrote:

Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Fabrice Durand via PacketFence-users
Sorry a typo

raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000

For the MTU i think that it needs to be done on the AP (to match the VPN
value) and maybe on the vpn server too.

Le lun. 21 févr. 2022 à 09:58, Adrian Damaschek <
adrian.damasc...@technicondesign.com> a écrit :

> Hi Fabrice,
>
> So I get a command not found, but radsniff was there. And I get the
> packages, they show up,
>
> 2022-02-21 15:54:30.435928 (17) Access-Request Id 18
> enp6s18::58613 -> :1812 +0.416
> User-Name = "test2"
> NAS-IP-Address = 10.100.90.106
> Service-Type = Framed-User
> Framed-MTU = 1400
> State = 0xc7a76f0fc0c47689325319c17a81ab41
> Called-Station-Id = "1E-E8-29-62-A4-DC:TEST_NAC"
> Calling-Station-Id = "30-24-32-93-1A-8E"
> NAS-Identifier = "1ee82962a4dc"
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "60D23A6D993769B8"
> Acct-Multi-Session-Id = "C7D2CF37B0AFCE34"
> Connect-Info = "CONNECT 0Mbps 802.11b"
> EAP-Message =
> 0x026300cb190017030300c3f4a0bb92d0a0dcdab0b290eaa3123328c6c54a3f63eb436e00ad49c85c372c31ceed35386371283c0046a6566770221560f5a3a9d789d03f6b6347f257ff42447c9c8cd468e512731420b82c57d93c878316232c1f3426399ddfdb916c97e42e2a791ac45c3dad0120bd989a62f1256150f26032a03e634698324dd93e598faa55fce805b0cd288c6c84f63afc4930622db0095cc54ace06612fd2a1a22658e6cdb63e1996591580955c726879ea8f5e9c5f833d5908bc02
> Message-Authenticator = 0x19c1e44542159c5d1e854d237da9d73b
> WLAN-Pairwise-Cipher = 1027076
> WLAN-Group-Cipher = 1027076
> WLAN-AKM-Suite = 1027077
> WLAN-Group-Mgmt-Cipher = 1027078
> Authenticator-Field = 0x9faacd593cad6cdc503fce73431de630
>
> I saw some people say that doing EAP over VPNs is a problem because of
> the Framed-MTU, and they suggested changing that, but I can't seem to find a way
> to lower it.
>
> Since the APs in the same site work, and it's only the remote APs that access
> the RADIUS server via VPN.
>
> Regards
> Adrian
>
>
> From: Fabrice Durand 
> Sent: Monday, 21 February 2022 15:50
> To: Adrian Damaschek 
> Cc: packetfence-users 
> Subject: Re: [PacketFence-users] SCEP over Intune dose not work
>
> Hello Adrian,
>
> Glad to know that it works for you.
> BTW, I have no clue why the TPM module cannot be used.
>
> I know that we had an issue with certificates provided by Intune where
> FreeRADIUS complained that it wasn't able to decrypt, too.
> There are also issues with Android and Intune if the certificate contains
> a postal code.
>
> You probably need to ask Microsoft why this happens.
>
> Also, for your AP connection issue, can you first try to run raddebug?
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000
>
> and paste the output.
>
> For the MTU, I have seen something like that in the past; I have to find it.
>
> Regards
> Fabrice
>
>
> On Mon 21 Feb 2022 at 08:38, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:
> Hello Fabrice,
>
> So this works now, I can get the cert.
> But it seems that I have some APs now that don't want to connect. What the
> APs that don't want to use the RADIUS server have in common is that they are all
> behind site-to-site VPNs.
>
> Is this an Intune-specific issue as well, or possibly related to some MTU
> problems that I read might cause problems?
>
> Regards
> Adrian
>
>
>
> From: Fabrice Durand 
> Sent: Friday, 18 February 2022 14:21
> To: Adrian Damaschek 
> Cc: packetfence-users 
> Subject: Re: [PacketFence-users] SCEP over Intune dose not work
>
>
> Hello Adrian,
> the error is "err="crypto/rsa: decryption error""
>
> We had multiple issues with Intune because of the Key Storage Provider;
> can you verify that it's configured like that?
>
>
>
>
> Regards
> Fabrice
>
>
> On Wed 16 Feb 2022 at 11:24, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:
> Hello Fabrice,
>
> I have it set to http for now and just use the IP address to remove any
> chance of a bad hostname or something. I just want it to work, then I'll
> work out how to make it secure and working over the internet, so for now it's
> inside my network and testing.
>
> As for the logs this is what I get
>
> Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="Got GET request from
> 
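Added example (my own, not PacketFence or FreeRADIUS code) for the Framed-MTU question above: a small calculator that parses a radsniff dump like the one quoted, reads Framed-MTU, works out how large the RADIUS datagram carrying an EAP fragment of a given size is, and says whether it still crosses a site-to-site tunnel without IP fragmentation. The tunnel overheads, the 100-byte headroom and the 1024-byte fragment_size default are assumptions and are marked as such in the code; the thread does not say whether the MTU was actually the cause of the remote APs failing.

```python
"""Estimate whether RADIUS packets carrying EAP fragments fit through a VPN tunnel.

Added example for the Framed-MTU discussion in this thread; it is not
PacketFence or FreeRADIUS code. The tunnel overheads, the 100-byte headroom
and the 1024-byte fragment_size are assumptions (see comments).
"""
import re

IP_HDR = 20             # IPv4 header without options
UDP_HDR = 8
RADIUS_HDR = 20         # code, id, length, authenticator (RFC 2865)
ATTR_HDR = 2            # type and length octets of every attribute
MAX_ATTR_PAYLOAD = 253  # one-octet attribute length: 255 minus the 2 header octets
MSG_AUTH_ATTR = 18      # Message-Authenticator: 2 + 16 octets
STATE_ATTR = 18         # 16-octet State attribute as in the capture: 2 + 16

# Assumed per-packet tunnel overhead in bytes; real values depend on cipher,
# padding and NAT-T, so measure yours rather than trusting these.
TUNNEL_OVERHEAD = {
    "none": 0,
    "ipsec-esp-tunnel": 80,  # assumption: outer IP + ESP header, IV, trailer, ICV
    "wireguard": 60,         # assumption: outer IP + UDP + WireGuard data header
}


def parse_radsniff_attrs(dump: str) -> dict:
    """Parse 'Name = value' pairs from a radsniff -x dump.

    radsniff wraps long values (EAP-Message) onto the line after the '=',
    so an empty value takes the following line. Hex values become bytes,
    quoted values str, decimal values int, anything else the raw string.
    """
    attrs, lines, i = {}, dump.splitlines(), 0
    while i < len(lines):
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9.-]*)\s*=\s*(.*?)\s*$", lines[i])
        i += 1
        if not m:
            continue
        name, raw = m.groups()
        if raw == "" and i < len(lines):
            raw = lines[i].strip()
            i += 1
        if raw.startswith("0x"):
            attrs[name] = bytes.fromhex(raw[2:])
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            attrs[name] = raw[1:-1]
        elif raw.isdigit():
            attrs[name] = int(raw)
        else:
            attrs[name] = raw
    return attrs


def eap_header(eap: bytes) -> tuple:
    """Return (code, identifier, length, type) of an EAP packet (RFC 3748)."""
    code, ident = eap[0], eap[1]
    length = int.from_bytes(eap[2:4], "big")
    eap_type = eap[4] if code in (1, 2) and len(eap) > 4 else None
    return code, ident, length, eap_type


def radius_datagram_size(eap_len: int, other_attrs: int = MSG_AUTH_ATTR + STATE_ATTR) -> int:
    """IP datagram size of a RADIUS packet carrying eap_len EAP bytes.

    The EAP payload is split into ceil(eap_len / 253) EAP-Message attributes;
    other_attrs counts the bytes of every other attribute in the packet.
    """
    n_attrs = -(-eap_len // MAX_ATTR_PAYLOAD)
    return IP_HDR + UDP_HDR + RADIUS_HDR + eap_len + n_attrs * ATTR_HDR + other_attrs


def max_eap_fragment(link_mtu: int, tunnel: str = "none",
                     other_attrs: int = MSG_AUTH_ATTR + STATE_ATTR) -> int:
    """Largest EAP payload whose RADIUS datagram crosses the tunnel unfragmented."""
    budget = link_mtu - TUNNEL_OVERHEAD[tunnel] - IP_HDR - UDP_HDR - RADIUS_HDR - other_attrs
    full, rem = divmod(budget, MAX_ATTR_PAYLOAD + ATTR_HDR)
    return full * MAX_ATTR_PAYLOAD + max(0, rem - ATTR_HDR)


def assess(attrs: dict, link_mtu: int = 1500, tunnel: str = "none",
           fragment_size: int = 1024, headroom: int = 100) -> dict:
    """Check the EAP fragments a server would send to the NAS that sent `attrs`.

    Assumption: the server fragments at min(fragment_size, Framed-MTU - headroom).
    1024 is the fragment_size default in FreeRADIUS's eap module; the 100-byte
    headroom for RADIUS framing is this example's choice, not a FreeRADIUS value.
    """
    framed_mtu = attrs.get("Framed-MTU")
    frag = fragment_size if framed_mtu is None else min(fragment_size, framed_mtu - headroom)
    size = radius_datagram_size(frag)
    limit = link_mtu - TUNNEL_OVERHEAD[tunnel]
    return {"framed_mtu": framed_mtu, "eap_fragment": frag, "datagram": size,
            "fits": size <= limit, "max_eap_fragment": max_eap_fragment(link_mtu, tunnel)}


# Constructed sample in the shape of the radsniff output quoted above; only the
# 5-byte EAP header (Response, id 0x63, length 203, type 25 = PEAP) is real,
# the rest of the EAP-Message is zero filler.
SAMPLE_DUMP = """\
2022-02-21 15:54:30.435928 (17) Access-Request Id 18
        User-Name = "test2"
        NAS-IP-Address = 10.100.90.106
        Framed-MTU = 1400
        State = 0xc7a76f0fc0c47689325319c17a81ab41
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
                0x026300cb19""" + "00" * 198 + """
        Message-Authenticator = 0x19c1e44542159c5d1e854d237da9d73b
"""

if __name__ == "__main__":
    attrs = parse_radsniff_attrs(SAMPLE_DUMP)
    print("EAP header:", eap_header(attrs["EAP-Message"]))
    for tunnel in TUNNEL_OVERHEAD:
        print(tunnel, assess(attrs, tunnel=tunnel, fragment_size=1400, headroom=0))
```

Run it directly to see the sample assessed against each tunnel type. With the default 1024-byte fragment the datagram is 1118 bytes and fits everywhere; with fragment_size raised to 1400 it is 1496 bytes, which fits a bare 1500-byte link but not the assumed 80-byte IPsec overhead. That is the situation where lowering fragment_size in the eap module, or the Framed-MTU the AP advertises, helps, and max_eap_fragment gives the ceiling to aim for.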

Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Fabrice Durand via PacketFence-users
Hello Adrian,

Glad to know that it works for you.
BTW, I have no clue why the TPM module cannot be used.

I know that we had an issue with certificates provided by Intune where
FreeRADIUS complained that it wasn't able to decrypt, too.
There are also issues with Android and Intune if the certificate contains a
postal code.

You probably need to ask Microsoft why this happens.

Also, for your AP connection issue, can you first try to run raddebug?

raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000

and paste the output.

For the MTU, I have seen something like that in the past; I have to find it.

Regards
Fabrice


On Mon 21 Feb 2022 at 08:38, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:

> Hello Fabrice,
>
> So this works now, I can get the cert.
> But it seems that I have some APs now that don't want to connect. What the
> APs that don't want to use the RADIUS server have in common is that they are all
> behind site-to-site VPNs.
>
> Is this an Intune-specific issue as well, or possibly related to some MTU
> problems that I read might cause problems?
>
> Regards
> Adrian
>
>
>
> From: Fabrice Durand 
> Sent: Friday, 18 February 2022 14:21
> To: Adrian Damaschek 
> Cc: packetfence-users 
> Subject: Re: [PacketFence-users] SCEP over Intune dose not work
>
>
> Hello Adrian,
> the error is "err="crypto/rsa: decryption error""
>
> We had multiple issues with Intune because of the Key Storage Provider;
> can you verify that it's configured like that?
>
>
>
>
> Regards
> Fabrice
>
>
> On Wed 16 Feb 2022 at 11:24, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:
> Hello Fabrice,
>
> I have it set to http for now and just use the IP address to remove any
> chance of a bad hostname or something. I just want it to work, then I'll
> work out how to make it secure and working over the internet, so for now it's
> inside my network and testing.
>
> As for the logs this is what I get
>
> Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="Got GET request from 127.0.0.1:51464" pid=870
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="SCEP GET To:
> /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps=default"
> pid=870
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="Calling Unified API on uri: https://127.0.0.1:/api/v1/dhcp/stats"
> pid=907
> Feb 16 17:18:10 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
> [16/Feb/2022:17:18:10 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-"
> "Go-http-client/1.1"
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn
> msg="Compile error '$.items[*].network, $.items[*].percentused' parse error
> from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn
> msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22
> component=scep_service method=GetCACaps err=null took=710ns
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.607000502Z caller=endpoint.go:186 op=GetCACaps
> error=null took=412.322µs
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http
> method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0
> (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)"
> path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps=default"
> Feb 16 17:18:11 testnac haproxy[983]: :50394
> [16/Feb/2022:17:18:10.930] portal-http- pki/
> 

Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-18 Thread Fabrice Durand via PacketFence-users
Hello Adrian,
the error is "err="crypto/rsa: decryption error""

We had multiple issues with Intune because of the Key Storage Provider; can
you verify that it's configured like that?


[image: image001.png]

Regards
Fabrice


On Wed 16 Feb 2022 at 11:24, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:

> Hello Fabrice,
>
> I have it set to http for now and just use the IP address to remove any
> chance of a bad hostname or something. I just want it to work, then I'll
> work out how to make it secure and working over the internet, so for now it's
> inside my network and testing.
>
> As for the logs this is what I get
>
> Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="Got GET request from 127.0.0.1:51464" pid=870
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="SCEP GET To:
> /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps=default"
> pid=870
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="Calling Unified API on uri: https://127.0.0.1:/api/v1/dhcp/stats"
> pid=907
> Feb 16 17:18:10 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
> [16/Feb/2022:17:18:10 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-"
> "Go-http-client/1.1"
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn
> msg="Compile error '$.items[*].network, $.items[*].percentused' parse error
> from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn
> msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22
> component=scep_service method=GetCACaps err=null took=710ns
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.607000502Z caller=endpoint.go:186 op=GetCACaps
> error=null took=412.322µs
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http
> method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0
> (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)"
> path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps=default"
> Feb 16 17:18:11 testnac haproxy[983]: :50394
> [16/Feb/2022:17:18:10.930] portal-http- pki/127.0.0.1
> 0/0/1/676/677 200 181 - -  2/1/0/0/0 0/0 {} "GET
> /scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps=default
> HTTP/1.1"
> Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info
> msg="Got GET request from 127.0.0.1:51470" pid=870
> Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info
> msg="SCEP GET To:
> /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert=default"
> pid=870
> Feb 16 17:18:12 testnac pfstats[907]: t=2022-02-16T17:18:12+0100 lvl=info
> msg="Calling Unified API on uri:
> https://127.0.0.1:/api/v1/queues/stats" pid=907
> Feb 16 17:18:12 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
> [16/Feb/2022:17:18:12 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978
> "-" "Go-http-client/1.1"
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:12.325002433Z caller=service_logging.go:34
> component=scep_service method=GetCACert message=default err=null took=962ns
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:12.325087335Z caller=endpoint.go:186 op=GetCACert
> error=null took=88.807µs
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:12.325122193Z caller=logutil.go:70 component=http
> method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0
> (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)"
> path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert=default"
> Feb 16 17:18:12 testnac haproxy[983]: :50394
> [16/Feb/2022:17:18:11.643] portal-http- pki/127.0.0.1
> 0/0/0/682/682 200 1147 - -  2/1/0/0/0 0/0 {} "GET
> /scep/scep_user_wificert/pkiclient.exe?operation=GetCACert=default
> HTTP/1.1"
> Feb 16 17:18:18 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:18
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 59644 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info
> msg="Got POST request from 127.0.0.1:51504" pid=870
> Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info
> msg="SCEP POST To:
> /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
> pid=870
> Feb 16 
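Added example (mine, not PacketFence code) for the SCEP exchange in the log above: a triage script that walks pfhttpd journal lines, records which SCEP operations the NDES client reached (GetCACaps, GetCACert, PKIOperation) and reports the first failure, so the 500 that Windows shows can be tied to one operation and one server-side error. The sample lines are constructed in the shape of the lines quoted above (haproxy lines are ignored); the failing PKIOperation pair is modelled on the err="crypto/rsa: decryption error" Fabrice quotes, not copied from a real log.

```python
"""Triage a PacketFence SCEP enrollment from journal lines.

Added example for the SCEP-over-Intune thread; it is not PacketFence code.
The regexes follow the pfhttpd line shapes quoted in the thread. The sample
lines are constructed: the failing PKIOperation pair is modelled on the
err="crypto/rsa: decryption error" Fabrice quotes, not copied from a log.
"""
import re

SCEP_OPS = ("GetCACaps", "GetCACert", "GetNextCACert", "PKIOperation")

# pfhttpd access line: component=http method=GET status=200 ... path="...?operation=GetCACaps..."
HTTP_RE = re.compile(
    r'component=http method=(?P<method>GET|POST) status=(?P<status>\d{3}) .*?path="(?P<path>[^"]+)"')
# pfhttpd service line: component=scep_service method=PKIOperation err="crypto/rsa: decryption error"
SVC_RE = re.compile(
    r'component=scep_service method=(?P<op>\w+)(?: message=\S+)? err=(?P<err>"[^"]*"|\S+)')
OP_RE = re.compile(r"operation=(" + "|".join(SCEP_OPS) + r")\b")


def parse_scep_events(lines):
    """Return (operation, http_status, error) tuples in log order.

    Access lines give the status per SCEP operation; service lines are only
    recorded when err is not null, so a healthy run yields no error tuples.
    """
    events = []
    for line in lines:
        m = HTTP_RE.search(line)
        if m:
            op = OP_RE.search(m.group("path"))
            if op:
                events.append((op.group(1), int(m.group("status")), None))
            continue
        m = SVC_RE.search(line)
        if m and m.group("err") != "null":
            events.append((m.group("op"), None, m.group("err").strip('"')))
    return events


def triage(lines):
    """Summarise which SCEP operations the client reached and where it failed."""
    events = parse_scep_events(lines)
    reached = list(dict.fromkeys(op for op, _, _ in events))
    failure = next((e for e in events if e[2] or (e[1] is not None and e[1] >= 400)), None)
    if failure:
        reason = failure[2] or f"HTTP {failure[1]}"
        verdict = f"{failure[0]} failed: {reason}"
    elif "PKIOperation" in reached:
        verdict = "enrollment completed"
    else:
        verdict = "client stopped before PKIOperation"
    return {"operations": reached, "failure": failure, "verdict": verdict}


# Constructed sample lines; prefixes shortened, query strings written in full.
P = 'Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11Z '
PATH = '/api/v1/scep/scep_user_wificert/pkiclient.exe?operation='
UA = 'user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" '
FAILING_RUN = [
    P + 'caller=service_logging.go:22 component=scep_service method=GetCACaps err=null took=710ns',
    P + 'caller=logutil.go:70 component=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 '
      + UA + 'path="' + PATH + 'GetCACaps&message=default"',
    P + 'caller=service_logging.go:34 component=scep_service method=GetCACert message=default err=null took=962ns',
    P + 'caller=logutil.go:70 component=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 '
      + UA + 'path="' + PATH + 'GetCACert&message=default"',
    # constructed failure, modelled on the error quoted in the thread
    P + 'caller=service_logging.go:46 component=scep_service method=PKIOperation err="crypto/rsa: decryption error" took=1.2ms',
    P + 'caller=logutil.go:70 component=http method=POST status=500 proto=HTTP/1.1 host=127.0.0.1 '
      + UA + 'path="' + PATH + 'PKIOperation"',
]
HEALTHY_RUN = FAILING_RUN[:4] + [
    P + 'caller=service_logging.go:46 component=scep_service method=PKIOperation err=null took=2.1ms',
    P + 'caller=logutil.go:70 component=http method=POST status=200 proto=HTTP/1.1 host=127.0.0.1 '
      + UA + 'path="' + PATH + 'PKIOperation"',
]

if __name__ == "__main__":
    for name, run in (("failing", FAILING_RUN), ("healthy", HEALTHY_RUN)):
        print(name, triage(run))
```

Feed it `journalctl -u packetfence-pfhttpd` output (or the whole journal; lines without the SCEP markers are skipped). GetCACaps and GetCACert succeeding while PKIOperation fails with an RSA decryption error points at the client-side key, which is where the Key Storage Provider setting Fabrice mentions comes in.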

Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-16 Thread Fabrice Durand via PacketFence-users
Hello Adrian,

Welcome to the Intune world ...
Do you see, in the PacketFence log, when the 500 happens? (journalctl
command)
Did you define the SCEP URL as http? If that's the case, you can take a
network capture to see what happens exactly.


We also made changes in the upcoming PacketFence version for the PKI and
SCEP, so you can test the devel version to see if it fixes your issue.

Regards
Fabrice


On Tue 15 Feb 2022 at 11:42, Adrian Damaschek via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Everyone,
>
> So I have been using PF for some time to run the NAC on my switches, but now
> I am trying to set up the PKI with SCEP, which would provide Intune certs so
> users can use them for RADIUS WiFi.
>
> Sadly I got stuck and I don't know what I am doing wrong.
>
> I got a CA on PFPKI, a SCEP profile, I can run a request via SSCEP, that
> one runs and pops out a cert.
> I got the Intune integration set up with an app registered; the app has the
> permissions as per the documentation.
>
> I added the CA as a Root CA via Intune; this works correctly, and now comes the
> part that I can't work out.
> I can't make a SCEP request work.
>
> The only error I get in Windows is "SCEP: Certificate enroll failed. Result:
> (Internal server error (500).)". Event ID is 32.
>
> Would appreciate any help with this
>
> Regards
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-11 Thread Fabrice Durand via PacketFence-users
What kind of authentication source do you use to authenticate?

On Fri 11 Feb 2022 at 16:05, Jorge Nolla wrote:

> Hi Fabrice,
>
> I did try $username, but it returns the DEFAULT username and not the
> actual username that was used to register the device in the portal.
>
>
> On Feb 11, 2022, at 2:02 PM, Fabrice Durand  wrote:
>
> Hello Jorge,
>
> you can try that:
>
> https://github.com/inverse-inc/packetfence/commit/e99698c955d596b6d04ef52c64a7aadc21f34e47
> Regards
> Fabrice
>
>
> On Fri 11 Feb 2022 at 12:04, Jorge Nolla wrote:
>
>> Hi Fabrice,
>>
>> This is the last step for us to get this working, any thoughts?
>>
>> Thank you!
>> Jorge
>>
>> On Feb 10, 2022, at 6:05 PM, Jorge Nolla  wrote:
>>
>> Fabrice,
>>
>> With this configuration it seems PF is not doing any accounting, probably
>> because it is expecting the username to be the Mac.
>>
>>
>> On Feb 10, 2022, at 4:57 PM, Jorge Nolla  wrote:
>>
>> Fabrice,
>>
>> Looking at the reply of the billing server to PacketFence, it did not
>> accept the username and password. If we hardcode the username and password
>> instead of the $mac, then it works:
>>
>>
>>  my $html_form = qq[
>>   > action="https://portal.fispy.mx:8443/login">
>>> type="text/javascript">
>>
>>
>> RADIUS Request
>> User-Name = "5blz"
>> User-Password = "**"
>> NAS-IP-Address = 10.7.255.2
>> NAS-Port = 900
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Framed-IP-Address = 10.9.129.39
>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>> NAS-Identifier = "AirEngine9700-M1"
>> NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "AirEngi00090012ad34060020d"
>> Event-Timestamp = "Feb 10 2022 16:49:02 MST"
>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>> Huawei-Connect-ID = 393741
>> Huawei-Startup-Stamp = 1643301831
>> Huawei-IPHost-Addr = "10.9.129.39 f0:2f:4b:14:67:d9"
>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>> Huawei-User-Mac = "\000\000\000\003"
>> Huawei-Version = "Huawei AirEngine9700-M1"
>> Huawei-Product-ID = "AC"
>> Stripped-User-Name = "5blz"
>> Realm = "null"
>> Realm = "null"
>> FreeRADIUS-Client-IP-Address = 10.7.255.2
>> Called-Station-SSID = "FISPY-WiFi"
>> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
>> PacketFence-Radius-Ip = "10.0.255.99"
>> SQL-User-Name = "5blz"
>>
>>
>> RADIUS Reply
>> Acct-Interim-Interval = 60
>> REST-HTTP-Status-Code = 200
>>
>>
>>
>>
>> On Feb 10, 2022, at 3:51 PM, Jorge Nolla  wrote:
>>
>> I’m no radius expert so I do apologize. I do see the request being
>> accepted by the billing server with the MAC as username. Not sure how what
>> gets translated, as there are no records of that Mac address configured on
>> the billing server.
>>
>>
>> 2022-02-10 15:44:22.487982 (109) Access-Request Id 170 any:
>> 10.0.255.99:47364 -> 10.0.254.100:1812 +122.837
>> User-Name = "f0:2f:4b:14:67:d9"
>> User-Password =
>> "O\031\222\341p͑\256O\376N\260*CY\035\360\337\370\373x\313\036\004\267}&>\006g\3220"
>> NAS-IP-Address = 10.7.255.2
>> NAS-Port = 900
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Framed-IP-Address = 10.9.215.255
>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>> NAS-Identifier = "AirEngine9700-M1"
>> Proxy-State = 0x3937
>> NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "AirEngi0009008e8f160600201"
>> Event-Timestamp = "Feb 10 2022 15:44:22 MST"
>> Message-Authenticator = 0x3f20f75cc25e65a3f6d4a928de8644fe
>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>> Huawei-Connect-ID = 393729
>> Huawei-Startup-Stamp = 1643301831
>> Huawei-IPHost-Addr = "10.9.215.255 f0:2f:4b:14:67:d9"
>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>> Huawei-User-Mac = "\000\000\000\003"
>> Huawei-Version = "Huawei AirEngine9700-M1"
>> Huawei-Product-ID = "AC"
>> Attr-26.29464.33 = 0x31302e302e3235352e3939
>> Attr-26.29464.32 =
>> 0x3165623139616265663234666132396334383731346130343334323334323936
>> Authenticator-Field = 0x337490bc1555238aad909eb52234a42e
>> 2022-02-10 15:44:22.504685 (110) Access-Accept Id 170 any:
>> 10.0.255.99:47364 <- 10.0.254.100:1812 +122.854 +0.016
>> Framed-IP-Address = 10.250.68.42
>> Session-Timeout = 299
>> Proxy-State = 0x3937
>> Authenticator-Field = 0xd5a830666d0bc44b13654de6c615f3a0
>>
>>
>>
>>
>> On Feb 10, 2022, at 2:45 PM, Jorge Nolla  wrote:
>>
>> Here is the start of the accounting. Still the billing server is looking
>> for the username which was used to login, not the MAC.
>>
>> 2022-02-10 14:40:59.155697 (5169) Accounting-Request Id 59 any:
>> 10.0.255.99:48071 -> 10.0.254.100:1813 +68.397
>> User-Name = "f0:2f:4b:14:67:d9"
>> NAS-IP-Address = 10.7.255.2
>> NAS-Port = 900
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Framed-IP-Address = 10.9.149.208
>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>> NAS-Identifier = "AirEngine9700-M1"
>> Proxy-State = 0x313939
>> 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-11 Thread Fabrice Durand via PacketFence-users
Hello Jorge,

you can try that:
https://github.com/inverse-inc/packetfence/commit/e99698c955d596b6d04ef52c64a7aadc21f34e47
Regards
Fabrice


On Fri 11 Feb 2022 at 12:04, Jorge Nolla wrote:

> Hi Fabrice,
>
> This is the last step for us to get this working, any thoughts?
>
> Thank you!
> Jorge
>
> On Feb 10, 2022, at 6:05 PM, Jorge Nolla  wrote:
>
> Fabrice,
>
> With this configuration it seems PF is not doing any accounting, probably
> because it is expecting the username to be the Mac.
>
>
> On Feb 10, 2022, at 4:57 PM, Jorge Nolla  wrote:
>
> Fabrice,
>
> Looking at the reply of the billing server to PacketFence, it did not
> accept the username and password. If we hardcode the username and password
> instead of the $mac, then it works:
>
>
>  my $html_form = qq[
>action="https://portal.fispy.mx:8443/login">
>
>
>
> RADIUS Request
> User-Name = "5blz"
> User-Password = "**"
> NAS-IP-Address = 10.7.255.2
> NAS-Port = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.9.129.39
> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
> Calling-Station-Id = "f0:2f:4b:14:67:d9"
> NAS-Identifier = "AirEngine9700-M1"
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "AirEngi00090012ad34060020d"
> Event-Timestamp = "Feb 10 2022 16:49:02 MST"
> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
> Huawei-Connect-ID = 393741
> Huawei-Startup-Stamp = 1643301831
> Huawei-IPHost-Addr = "10.9.129.39 f0:2f:4b:14:67:d9"
> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
> Huawei-User-Mac = "\000\000\000\003"
> Huawei-Version = "Huawei AirEngine9700-M1"
> Huawei-Product-ID = "AC"
> Stripped-User-Name = "5blz"
> Realm = "null"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = 10.7.255.2
> Called-Station-SSID = "FISPY-WiFi"
> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
> PacketFence-Radius-Ip = "10.0.255.99"
> SQL-User-Name = "5blz"
>
>
> RADIUS Reply
> Acct-Interim-Interval = 60
> REST-HTTP-Status-Code = 200
>
>
>
>
> On Feb 10, 2022, at 3:51 PM, Jorge Nolla  wrote:
>
> I’m no radius expert so I do apologize. I do see the request being
> accepted by the billing server with the MAC as username. Not sure how what
> gets translated, as there are no records of that Mac address configured on
> the billing server.
>
>
> 2022-02-10 15:44:22.487982 (109) Access-Request Id 170 any:
> 10.0.255.99:47364 -> 10.0.254.100:1812 +122.837
> User-Name = "f0:2f:4b:14:67:d9"
> User-Password =
> "O\031\222\341p͑\256O\376N\260*CY\035\360\337\370\373x\313\036\004\267}&>\006g\3220"
> NAS-IP-Address = 10.7.255.2
> NAS-Port = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.9.215.255
> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
> Calling-Station-Id = "f0:2f:4b:14:67:d9"
> NAS-Identifier = "AirEngine9700-M1"
> Proxy-State = 0x3937
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "AirEngi0009008e8f160600201"
> Event-Timestamp = "Feb 10 2022 15:44:22 MST"
> Message-Authenticator = 0x3f20f75cc25e65a3f6d4a928de8644fe
> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
> Huawei-Connect-ID = 393729
> Huawei-Startup-Stamp = 1643301831
> Huawei-IPHost-Addr = "10.9.215.255 f0:2f:4b:14:67:d9"
> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
> Huawei-User-Mac = "\000\000\000\003"
> Huawei-Version = "Huawei AirEngine9700-M1"
> Huawei-Product-ID = "AC"
> Attr-26.29464.33 = 0x31302e302e3235352e3939
> Attr-26.29464.32 =
> 0x3165623139616265663234666132396334383731346130343334323334323936
> Authenticator-Field = 0x337490bc1555238aad909eb52234a42e
> 2022-02-10 15:44:22.504685 (110) Access-Accept Id 170 any:
> 10.0.255.99:47364 <- 10.0.254.100:1812 +122.854 +0.016
> Framed-IP-Address = 10.250.68.42
> Session-Timeout = 299
> Proxy-State = 0x3937
> Authenticator-Field = 0xd5a830666d0bc44b13654de6c615f3a0
>
>
>
>
> On Feb 10, 2022, at 2:45 PM, Jorge Nolla  wrote:
>
> Here is the start of the accounting. Still the billing server is looking
> for the username which was used to login, not the MAC.
>
> 2022-02-10 14:40:59.155697 (5169) Accounting-Request Id 59 any:
> 10.0.255.99:48071 -> 10.0.254.100:1813 +68.397
> User-Name = "f0:2f:4b:14:67:d9"
> NAS-IP-Address = 10.7.255.2
> NAS-Port = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.9.149.208
> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
> Calling-Station-Id = "f0:2f:4b:14:67:d9"
> NAS-Identifier = "AirEngine9700-M1"
> Proxy-State = 0x313939
> NAS-Port-Type = Wireless-802.11
> Acct-Status-Type = Start
> Acct-Delay-Time = 0
> Acct-Session-Id = "AirEngi0009008391da06001f8"
> Acct-Authentic = RADIUS
> Event-Timestamp = "Feb 10 2022 14:40:58 MST"
> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
> Huawei-Connect-ID = 393720
> Huawei-IPHost-Addr = "10.9.149.208 f0:2f:4b:14:67:d9"
> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
> Huawei-User-Mac = "\000\000\000\003"
> Attr-26.29464.32 =
> 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-09 Thread Fabrice Durand via PacketFence-users
There is no realm so you have to configure the null realm.


On Wed 9 Feb 2022 at 20:12, Jorge Nolla wrote:

> Hi Fabrice,
>
> This is the output when It receives an accounting message from the
> controller:
>
>
> ^C[root@wifi jnolla]# radsniff -i any -f "port 1813" -x
> Logging all events
> Sniffing on (any)
> 2022-02-09 18:10:33.642001 (1) Accounting-Request Id 147 any:
> 10.7.255.2:62395 -> 10.0.255.99:1813 +0.000
> User-Name = "62:ca:49:92:a0:3d"
> NAS-IP-Address = 10.7.255.2
> NAS-Port = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.9.239.159
> Called-Station-Id = "C0-F6-C2-A5-C4-D0:FISPY-WiFi"
> Calling-Station-Id = "62ca-4992-a03d"
> NAS-Identifier = "AirEngine9700-M1"
> NAS-Port-Type = Wireless-802.11
> Acct-Status-Type = Interim-Update
> Acct-Delay-Time = 0
> Acct-Input-Octets = 131762920
> Acct-Output-Octets = 194531281
> Acct-Session-Id = "AirEngi00090083f40606001b4"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 33887
> Acct-Input-Packets = 211695
> Acct-Output-Packets = 221103
> Acct-Input-Gigawords = 0
> Acct-Output-Gigawords = 0
> Event-Timestamp = "Feb  9 2022 18:10:32 MST"
> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
> Huawei-User-Mac = "\000\000\000\003"
> Authenticator-Field = 0x86cc68cf43a59904f7d3c0e36e910008
> 2022-02-09 18:10:33.661871 (2) Accounting-Response Id 147 any:
> 10.7.255.2:62395 <- 10.0.255.99:1813 +0.019 +0.019
> Reply-Message = "Accounting ok"
> Authenticator-Field = 0xdfccea5174f4312f6e0784825583dbdf
> 2022-02-09 18:10:38.861871 (1) Cleaning up request packet ID 147
> 2022-02-09 18:10:49.323597 (3) Accounting-Request Id 148 any:
> 10.7.255.2:62395 -> 10.0.255.99:1813 +15.681
> User-Name = "62:ca:49:92:a0:3d"
> NAS-IP-Address = 10.7.255.2
> NAS-Port = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.9.239.159
> Called-Station-Id = "C0-F6-C2-A5-C4-D0:FISPY-WiFi"
> Calling-Station-Id = "62ca-4992-a03d"
> NAS-Identifier = "AirEngine9700-M1"
> NAS-Port-Type = Wireless-802.11
> Acct-Status-Type = Interim-Update
> Acct-Delay-Time = 0
> Acct-Input-Octets = 131775665
> Acct-Output-Octets = 194533397
> Acct-Session-Id = "AirEngi00090083f40606001b4"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 33902
> Acct-Input-Packets = 211773
> Acct-Output-Packets = 221123
> Acct-Input-Gigawords = 0
> Acct-Output-Gigawords = 0
> Event-Timestamp = "Feb  9 2022 18:10:48 MST"
> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
> Huawei-User-Mac = "\000\000\000\003"
> Authenticator-Field = 0x3fbec8864dcb325273ce4ba1da28e690
> 2022-02-09 18:10:49.342798 (4) Accounting-Response Id 148 any:
> 10.7.255.2:62395 <- 10.0.255.99:1813 +15.700 +0.019
> Reply-Message = "Accounting ok"
> Authenticator-Field = 0x15b54405e404decb5b3db3f58cc8d2cb
> 2022-02-09 18:10:54.542798 (3) Cleaning up request packet ID 148
>
>
>
>
> On Feb 9, 2022, at 6:04 PM, Fabrice Durand  wrote:
>
> You have to restart pfacct and radiusd-acct.
>
> And check the accounting packet, not sure you have the realm in the
> username attribute.
>
> raddebug -f /usr/local/pf/var/run/radiusd-acct.sock -t 300
> or
> radsniff -i any -f "port 1813" -x
>
> Regards
> Fabrice
>
> On Wed 9 Feb 2022 at 19:57, Jorge Nolla wrote:
>
>> I noticed pfacct running and made the change, still no luck.
>>
>> 
>>
>> On Feb 9, 2022, at 5:55 PM, Fabrice Durand  wrote:
>>
>> Hello Jorge,
>> you have to enable radius-acct service.
>>
>> It's radius-acct that is able to proxy the request to another server, not
>> pfacct (BTW you can keep it enabled).
>>
>> Regards
>> Fabrice
>>
>>
>> On Wed 9 Feb 2022 at 19:21, Jorge Nolla wrote:
>>
>>>
>>> Another configuration file with references to the billing server Splynx:
>>>
>>> [root@wifi raddb]# cat mods-config/perl/multi_domain_constants.pm
>>> package multi_domain_constants;
>>>
>>> our $VAR1 = {
>>>   '1' => {
>>>'ConfigRealm' => {
>>>   'local' => {
>>>
>>>  'radius_strip_username' => 'disabled',
>>>'eap' => 'default',
>>>
>>>  'admin_strip_username' => 'disabled',
>>>
>>>  'portal_strip_username' => 'disabled'
>>>  },
>>>   'default' => {
>>>
>>>  'radius_acct_proxy_type' => 'load-balance',
>>>
>>>  'radius_auth_compute_in_pf' => 'disabled',
>>>
>>>  'eduroam_radius_auth_proxy_type' => 
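Added example (mine, not PacketFence code) for the realm point above: given the ConfigRealm structure Jorge posted, resolve a User-Name to a realm, decide whether the username gets stripped, and find which home server accounting would be proxied to. A MAC-address User-Name has no realm, so it lands in the null realm, which in the posted config has no radius_acct and is therefore never proxied to Splynx. The selection rule (no realm -> null, unknown realm -> default) is the PacketFence realm behaviour as I understand it from the documentation and should be checked against your version; render_proxy_conf only mirrors the shape of the generated proxy.conf.inc Jorge quoted.

```python
"""Resolve a RADIUS User-Name to a PacketFence realm and its accounting proxy.

Added example for the realm discussion in this thread; it is not PacketFence
code. REALMS is transcribed from the multi_domain_constants.pm Jorge posted,
keeping only the keys used here. The selection rule (no '@' -> 'null' realm,
an unconfigured realm -> 'default') follows the PacketFence realm documentation
as I understand it; verify it against your version before relying on it.
"""

REALMS = {
    "default": {"radius_strip_username": "disabled", "radius_auth": "", "radius_acct": ""},
    "local": {"radius_strip_username": "disabled"},
    "null": {"radius_strip_username": "disabled"},
    "fispy.mx": {"radius_strip_username": "enabled",
                 "radius_auth": "Splynx", "radius_auth_proxy_type": "keyed-balance",
                 "radius_acct": "Splynx", "radius_acct_proxy_type": "load-balance"},
}


def split_realm(user_name: str):
    """Split 'user@realm' into (user, realm); a name without '@' has realm None.

    A MAC used as User-Name ('62:ca:49:92:a0:3d') therefore has no realm,
    which is the case Fabrice points at above. Realm names are lower-cased
    (assumption: realm matching is case-insensitive).
    """
    user, sep, realm = user_name.rpartition("@")
    return (user_name, None) if not sep else (user, realm.lower())


def resolve_realm(realms: dict, user_name: str):
    """Return (realm_name, user_name_after_stripping, realm_config)."""
    user, realm = split_realm(user_name)
    name = "null" if realm is None else realm if realm in realms else "default"
    cfg = realms.get(name, {})
    effective = user if cfg.get("radius_strip_username") == "enabled" else user_name
    return name, effective, cfg


def acct_home_server(realms: dict, user_name: str):
    """Home server radius-acct would proxy accounting to, or None if handled locally."""
    return resolve_realm(realms, user_name)[2].get("radius_acct") or None


def with_acct_proxy(realms: dict, realm: str, home_server: str,
                    proxy_type: str = "load-balance") -> dict:
    """Copy of realms with accounting for `realm` proxied to `home_server`."""
    updated = {k: dict(v) for k, v in realms.items()}
    updated.setdefault(realm, {}).update(
        {"radius_acct": home_server, "radius_acct_proxy_type": proxy_type})
    return updated


def render_proxy_conf(realms: dict) -> str:
    """Render realm and home_server_pool stanzas in the shape of the generated
    proxy.conf.inc quoted in the thread (home_server blocks are left out)."""
    out = []
    for name, cfg in realms.items():
        body = []
        if cfg.get("radius_auth"):
            body.append(f"\tauth_pool = auth_pool_{name}")
        if cfg.get("radius_acct"):
            body.append(f"\tacct_pool = acct_pool_{name}")
        out.append(f"realm {name} {{\n" + "".join(b + "\n" for b in body) + "}")
    for name, cfg in realms.items():
        for kind in ("auth", "acct"):
            server = cfg.get(f"radius_{kind}")
            if server:
                ptype = cfg.get(f"radius_{kind}_proxy_type", "load-balance")
                out.append(f"home_server_pool {kind}_pool_{name} {{\n"
                           f"\ttype = {ptype}\n\thome_server = {server}\n}}")
    return "\n".join(out)


if __name__ == "__main__":
    for name in ("62:ca:49:92:a0:3d", "5blz@fispy.mx", "bob@example.org"):
        print(name, "->", resolve_realm(REALMS, name)[:2], "acct:", acct_home_server(REALMS, name))
    print(render_proxy_conf(with_acct_proxy(REALMS, "null", "Splynx")))
```

Running it shows the MAC username resolving to the null realm with no accounting target, while 5blz@fispy.mx is stripped to 5blz and proxied to Splynx; with_acct_proxy applied to the null realm is the configuration change the advice above amounts to, and the rendered stanza then gains an acct_pool line for realm null.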

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-09 Thread Fabrice Durand via PacketFence-users
Hello Jorge,
you have to enable radius-acct service.

It's radius-acct that is able to proxy the request to another server, not
pfacct (BTW you can keep it enabled).

Regards
Fabrice


On Wed 9 Feb 2022 at 19:21, Jorge Nolla wrote:

>
> Another configuration file with references to the billing server Splynx:
>
> [root@wifi raddb]# cat mods-config/perl/multi_domain_constants.pm
> package multi_domain_constants;
>
> our $VAR1 = {
>   '1' => {
>     'ConfigRealm' => {
>       'local' => {
>         'radius_strip_username' => 'disabled',
>         'eap' => 'default',
>         'admin_strip_username' => 'disabled',
>         'portal_strip_username' => 'disabled'
>       },
>       'default' => {
>         'radius_acct_proxy_type' => 'load-balance',
>         'radius_auth_compute_in_pf' => 'disabled',
>         'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>         'radius_auth_proxy_type' => 'keyed-balance',
>         'portal_strip_username' => 'disabled',
>         'admin_strip_username' => 'disabled',
>         'radius_auth' => '',
>         'radius_strip_username' => 'disabled',
>         'eap' => 'default',
>         'eduroam_radius_acct' => '',
>         'eduroam_radius_acct_proxy_type' => 'load-balance',
>         'permit_custom_attributes' => 'disabled',
>         'eduroam_radius_auth_compute_in_pf' => 'enabled',
>         'eduroam_radius_auth' => '',
>         'radius_acct' => ''
>       },
>       'null' => {
>         'eap' => 'default',
>         'radius_strip_username' => 'disabled',
>         'admin_strip_username' => 'disabled',
>         'portal_strip_username' => 'disabled'
>       },
>       'fispy.mx' => {
>         'eduroam_radius_acct' => '',
>         'eap' => 'default',
>         'radius_strip_username' => 'enabled',
>         'admin_strip_username' => 'enabled',
>         'radius_auth' => 'Splynx',
>         'portal_strip_username' => 'enabled',
>         'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>         'radius_auth_proxy_type' => 'keyed-balance',
>         'radius_acct_proxy_type' => 'load-balance',
>         'radius_auth_compute_in_pf' => 'enabled',
>         'eduroam_radius_auth' => '',
>         'radius_acct' => 'Splynx',
>         'eduroam_radius_auth_compute_in_pf' => 'enabled',
>         'eduroam_radius_acct_proxy_type' => 'load-balance',
>         'permit_custom_attributes' => 'disabled'
>       }
>     },
>     'ConfigDomain' => {},
>     'ConfigOrderedRealm' => [
>       'default',
>       'local',
>       'null',
>       'fispy.mx'
>     ]
>   },
>   '0' => {
>     'ConfigDomain' => {},
>     'ConfigRealm' => {},
>     'ConfigOrderedRealm' => []
>   }
> };
> our $DATA = $VAR1;
> 1;
> [root@wifi raddb]#
>
>
>
> On Feb 9, 2022, at 5:19 PM, Jorge Nolla  wrote:
>
> Hi Team,
>
> Still can’t get accounting to proxy to the billing server. I don’t see the
> configuration on the proxy.conf so I imagine it is pulling from this file.
>
>
> [root@wifi raddb]# cat proxy.conf.inc
> # This file is generated from a template at
> /usr/local/pf/conf/radiusd/proxy.conf.inc
> # Any changes made to this file will be lost on restart
>
> # Eduroam integration is not configured
>
> realm default {
>
> }
> realm local {
>
> }
> realm null {
>
> }
> realm fispy.mx {
>
> auth_pool = auth_pool_fispy.mx
> acct_pool = acct_pool_fispy.mx
> }
> home_server_pool auth_pool_fispy.mx {
> type = keyed-balance
> home_server = Splynx
> }
>
> home_server_pool acct_pool_fispy.mx {
> type = load-balance
> home_server = Splynx
> }
>
>
> realm eduroam.default {
>
> }
>
> realm eduroam.local {
>
> }
>
> realm eduroam.null {
>
> }
>
> realm eduroam.fispy.mx {
>
> }
>
>
>
>
> home_server Splynx {
> ipaddr = 10.0.254.100
> port = 1812
> secret = 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-08 Thread Fabrice Durand via PacketFence-users
Yes, that's it.

Le mar. 8 févr. 2022 à 11:23, Jorge Nolla  a écrit :

> Fabrice,
>
> The document you had provided didn’t layout the configuration steps. I
> think this might be the correct document for the configuration you are
> referring. If you have a chance take a look and let me know.
>
> https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064
>
>
>
> On Feb 8, 2022, at 9:14 AM, Fabrice Durand  wrote:
>
> You can try that instead:
>
> my $html_form = qq[
>  action="http://$controller_ip:8443/login;>
> 
> 
> 
>  type="text/javascript">
> ];
>
> It will pass the mac address of the device in the radius request as
> username and password instead of the real username and password that were
> authenticated previously on the portal.
> Then you just need to configure the registration role in the switch
> configuration to be -1 (packetfence side), and if the device is unreg then
> the request will be rejected.
>
>
> Le mar. 8 févr. 2022 à 11:04, Jorge Nolla  a écrit :
>
>> Hi Fabrice,
>>
>> Let me check what the difference is in configuration on the AC side, I’ll
>> report within the hour. Any clues as to why the parameters are not being
>> passed?
>>
>>
>> On Feb 8, 2022, at 8:55 AM, Fabrice Durand  wrote:
>>
>> Hello Jorge,
>>
>> I really think that it's not the correct way to support web auth on
>> Huawei.
>> The only thing you can do with the portal is to authenticate with a
>> username and password; there is no way to do anything else
>> (sms/email/sponsor/...).
>>
>> Also, when you authenticate on the portal, the portal validates your
>> username and password, and with the workflow you have it will authenticate
>> twice (portal and radius), which doesn't make sense.
>>
>> So if you want to keep it this way, you will need a simple html page
>> with username and password fields that posts to
>> https://portal.fispy.mx:8443/login, then configure packetfence to
>> authenticate the username and password from radius.
>>
>> The other way, which looks much better, is to use this: (
>> https://support.huawei.com/enterprise/en/doc/EDOC118282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2
>> )
>>
>> 
>>
>> As I said, it's exactly how it works with the Cisco WLC, and it will
>> support all authentication mechanisms available on the portal.
>>
>> Regards
>> Fabrice
>>
>>
>>
>>
>> Le lun. 7 févr. 2022 à 20:25, Jorge Nolla  a écrit :
>>
>>>
>>> Radius request from the AC once it receives the correct values. This is
>>> sent back to Radius which in this case is PF
>>>
>>> User-Name = “5blz” *<<< VALUE NEEDED IN URL as username* User-Password
>>> = "**” *<<< VALUE NEEDED IN URL as password* NAS-IP-Address =
>>> 10.7.255.2 NAS-Port = 900 Service-Type = Framed-User Framed-Protocol = PPP
>>> Framed-IP-Address = 10.9.91.31 Called-Station-Id =
>>> "c0:f6:c2:a5:c4:d0:FISPY-WiFi" Calling-Station-Id = "f0:2f:4b:14:67:d9"
>>> NAS-Identifier = "AirEngine9700-M1" NAS-Port-Type = Wireless-802.11
>>> Acct-Session-Id = "AirEngi000900d5d66c0600187" Event-Timestamp =
>>> "Feb 7 2022 18:05:13 MST" NAS-Port-Id =
>>> "slot=0;subslot=0;port=0;vlanid=900" Huawei-Loopback-Address =
>>> "C0F6-C2A5-C4D0" Huawei-User-Mac = "\000\000\000\003" Stripped-User-Name =
>>> "5blz" Realm = "null" FreeRADIUS-Client-IP-Address = 10.7.255.2
>>> Called-Station-SSID = "FISPY-WiFi" PacketFence-KeyBalanced =
>>> "aa86741e358fa86079a91aaf4dc581f9" PacketFence-Radius-Ip = "10.0.255.99"
>>> SQL-User-Name = "5blz"
>>>
>>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla  wrote:
>>>
>>> Hi Fabrice,
>>>
>>> I did hardcode as follows:
>>>
>>> https://portal.fispy.mx:8443/login?username=bob=bob;
>>> style="display:none">
>>>
>>> But the redirect which the client is getting, is only this part, not
>>> sure why:
>>>
>>> https://portal.fispy.mx:8443/login?
>>>
>>>
>>> Here is the flow of the External Portal Authentication as per Huawei.
>>> Portal Server - Notify the STA of the login URL
>>> STA - Send the username and password in HTTP GET POST. When this is
>>> configured to use ISE as per the guide, the ISE server sends the redirect
>>> to the STA as per the format.
>>> https://portal.fispy.mx:8443/login?username=($username)=($password)
>>>
>>>
>>> 
>>>
>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand  wrote:
>>>
>>> Did you try to hardcode that in the code and see if it works?
>>>
>>> Also, I don't understand the goal of passing the username and password;
>>> is there any extra check after that? What happens if the user registers by
>>> sms/email?
>>>
>>> And I just found this:
>>>
>>> https://support.huawei.com/enterprise/en/doc/EDOC118282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>>> Is it something that can be configured on the Huawei? If yes, then it
>>> will mimic the way the Cisco WLC works.
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> Le lun. 7 févr. 2022 à 16:01, Jorge Nolla  a écrit :
>>>
 Hi Fabrice,

 This line needs to be HTTPS for it to work
 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-08 Thread Fabrice Durand via PacketFence-users
You can try that instead:

my $html_form = qq[
http://$controller_ip:8443/login;>




];

It will pass the mac address of the device in the radius request as
username and password instead of the real username and password that were
authenticated previously on the portal.
Then you just need to configure the registration role in the switch
configuration to be -1 (packetfence side), and if the device is unreg then
the request will be rejected.


Le mar. 8 févr. 2022 à 11:04, Jorge Nolla  a écrit :

> Hi Fabrice,
>
> Let me check what the difference is in configuration on the AC side, I’ll
> report within the hour. Any clues as to why the parameters are not being
> passed?
>
>
> On Feb 8, 2022, at 8:55 AM, Fabrice Durand  wrote:
>
> Hello Jorge,
>
> I really think that it's not the correct way to support web auth on
> Huawei.
> The only thing you can do with the portal is to authenticate with a
> username and password; there is no way to do anything else
> (sms/email/sponsor/...).
>
> Also, when you authenticate on the portal, the portal validates your
> username and password, and with the workflow you have it will authenticate
> twice (portal and radius), which doesn't make sense.
>
> So if you want to keep it this way, you will need a simple html page with
> username and password fields that posts to
> https://portal.fispy.mx:8443/login, then configure packetfence to
> authenticate the username and password from radius.
>
> The other way, which looks much better, is to use this: (
> https://support.huawei.com/enterprise/en/doc/EDOC118282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2
> )
>
> 
>
> As I said, it's exactly how it works with the Cisco WLC, and it will
> support all authentication mechanisms available on the portal.
>
> Regards
> Fabrice
>
>
>
>
> Le lun. 7 févr. 2022 à 20:25, Jorge Nolla  a écrit :
>
>>
>> Radius request from the AC once it receives the correct values. This is
>> sent back to Radius which in this case is PF
>>
>> User-Name = “5blz” *<<< VALUE NEEDED IN URL as username* User-Password =
>> "**” *<<< VALUE NEEDED IN URL as password* NAS-IP-Address =
>> 10.7.255.2 NAS-Port = 900 Service-Type = Framed-User Framed-Protocol = PPP
>> Framed-IP-Address = 10.9.91.31 Called-Station-Id =
>> "c0:f6:c2:a5:c4:d0:FISPY-WiFi" Calling-Station-Id = "f0:2f:4b:14:67:d9"
>> NAS-Identifier = "AirEngine9700-M1" NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "AirEngi000900d5d66c0600187" Event-Timestamp =
>> "Feb 7 2022 18:05:13 MST" NAS-Port-Id =
>> "slot=0;subslot=0;port=0;vlanid=900" Huawei-Loopback-Address =
>> "C0F6-C2A5-C4D0" Huawei-User-Mac = "\000\000\000\003" Stripped-User-Name =
>> "5blz" Realm = "null" FreeRADIUS-Client-IP-Address = 10.7.255.2
>> Called-Station-SSID = "FISPY-WiFi" PacketFence-KeyBalanced =
>> "aa86741e358fa86079a91aaf4dc581f9" PacketFence-Radius-Ip = "10.0.255.99"
>> SQL-User-Name = "5blz"
>>
>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla  wrote:
>>
>> Hi Fabrice,
>>
>> I did hardcode as follows:
>>
>> https://portal.fispy.mx:8443/login?username=bob=bob;
>> style="display:none">
>>
>> But the redirect which the client is getting, is only this part, not sure
>> why:
>>
>> https://portal.fispy.mx:8443/login?
>>
>>
>> Here is the flow of the External Portal Authentication as per Huawei.
>> Portal Server - Notify the STA of the login URL
>> STA - Send the username and password in HTTP GET POST. When this is
>> configured to use ISE as per the guide, the ISE server sends the redirect
>> to the STA as per the format.
>> https://portal.fispy.mx:8443/login?username=($username)=($password)
>>
>>
>> 
>>
>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand  wrote:
>>
>> Did you try to hardcode that in the code and see if it works?
>>
>> Also, I don't understand the goal of passing the username and password;
>> is there any extra check after that? What happens if the user registers by
>> sms/email?
>>
>> And I just found this:
>>
>> https://support.huawei.com/enterprise/en/doc/EDOC118282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>> Is it something that can be configured on the Huawei? If yes, then it will
>> mimic the way the Cisco WLC works.
>>
>> Regards
>> Fabrice
>>
>>
>> Le lun. 7 févr. 2022 à 16:01, Jorge Nolla  a écrit :
>>
>>> Hi Fabrice,
>>>
>>> This line needs to be HTTPS for it to work
>>> http://$controller_ip:8443/login?username=bob=bob;
>>> style="display:none”>
>>>
>>> This needs to be the username and password which is being entered by the
>>> user in the PF portal, which is the Radius username and password
>>> username=bob=bob
>>>
>>>
>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand  wrote:
>>>
>>> I just pushed a fix.
>>>
>>> cd /usr/local/pf
>>> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
>>> and restart
>>>
>>> Le lun. 7 févr. 2022 à 13:46, Jorge Nolla  a écrit :
>>>
 Here are the log outputs for 
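
To make the decision described in the message above concrete (the hidden form posts the device MAC as both username and password, and PacketFence rejects the request when the node is unregistered because the registration role is -1), here is an added Python example; it is not PacketFence's own code, the node table and role ids are constructed, and the comparison of the posted MAC against Calling-Station-Id is a consistency check added here rather than something the thread states.

```python
"""Added example (not PacketFence code): simulate the RADIUS decision for the
Huawei web-auth flow where the auto-submitted form posts the device MAC as
both username and password, and an unregistered node is rejected because the
registration role is configured as -1 on the switch."""
import re

# Role value the thread configures for "registration": -1 means reject the
# request instead of placing the device in a VLAN/role.
REJECT_ROLE = -1

# Constructed role table (hypothetical ids, not from the thread).
ROLE_MAP = {"registration": REJECT_ROLE, "default": 100, "guest": 200}


def normalize_mac(value):
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff, or None if it is not one.
    Accepts colon, dash (Huawei C0F6-C2A5-C4D0 style) and bare hex forms."""
    if value is None:
        return None
    if re.search(r"[^0-9a-fA-F:.\-]", value):
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(hexdigits) != 12:
        return None
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def decide(request, nodes, role_map=ROLE_MAP):
    """Return ('Access-Accept', role_id) or ('Access-Reject', reason).

    request: dict of RADIUS attributes (User-Name, User-Password,
             Calling-Station-Id) as the controller sends them after the form.
    nodes:   constructed node table, mac -> {'status': 'reg'|'unreg',
             'role': <role name>}, standing in for the PacketFence node DB.
    """
    user = normalize_mac(request.get("User-Name"))
    if user is None:
        return ("Access-Reject", "User-Name is not a MAC address")

    # The form posts the same MAC in both fields; anything else did not come
    # from the portal's form.
    if normalize_mac(request.get("User-Password")) != user:
        return ("Access-Reject", "User-Password does not match User-Name")

    # Added consistency check (not stated in the thread): the MAC the client
    # posted must be the MAC the controller actually saw on the air.
    calling = normalize_mac(request.get("Calling-Station-Id"))
    if calling is not None and calling != user:
        return ("Access-Reject", "User-Name does not match Calling-Station-Id")

    node = nodes.get(user)
    role_name = node["role"] if node and node["status"] == "reg" else "registration"
    role_id = role_map.get(role_name, REJECT_ROLE)
    if role_id == REJECT_ROLE:
        return ("Access-Reject", f"node {user} is unregistered (role {role_name} = -1)")
    return ("Access-Accept", role_id)


# Constructed node table: the client MAC seen in the thread plus a made-up
# locally administered address for the unregistered case.
NODES = {
    "f0:2f:4b:14:67:d9": {"status": "reg", "role": "default"},
    "02:00:00:00:00:01": {"status": "unreg", "role": "registration"},
}


def registered_request():
    return {"User-Name": "f0:2f:4b:14:67:d9", "User-Password": "f0:2f:4b:14:67:d9",
            "Calling-Station-Id": "f0:2f:4b:14:67:d9"}


def unregistered_request():
    # Same MAC written Huawei style; normalisation makes the lookup match.
    return {"User-Name": "0200-0000-0001", "User-Password": "0200-0000-0001",
            "Calling-Station-Id": "02:00:00:00:00:01"}


def mismatched_request():
    # Posted MAC differs from the station the controller reported.
    return {"User-Name": "f0:2f:4b:14:67:d9", "User-Password": "f0:2f:4b:14:67:d9",
            "Calling-Station-Id": "02:00:00:00:00:01"}


if __name__ == "__main__":
    for req in (registered_request(), unregistered_request(), mismatched_request()):
        print(req["User-Name"], "->", decide(req, NODES))
```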

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-08 Thread Fabrice Durand via PacketFence-users
Hello Jorge,

I really think that it's not the correct way to support web auth on
Huawei.
The only thing you can do with the portal is to authenticate with a
username and password; there is no way to do anything else
(sms/email/sponsor/...).

Also, when you authenticate on the portal, the portal validates your
username and password, and with the workflow you have it will authenticate
twice (portal and radius), which doesn't make sense.

So if you want to keep it this way, you will need a simple html page with
username and password fields that posts to
https://portal.fispy.mx:8443/login, then configure packetfence to
authenticate the username and password from radius.

The other way, which looks much better, is to use this: (
https://support.huawei.com/enterprise/en/doc/EDOC118282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2
)


As I said, it's exactly how it works with the Cisco WLC, and it will
support all authentication mechanisms available on the portal.

Regards
Fabrice




Le lun. 7 févr. 2022 à 20:25, Jorge Nolla  a écrit :

>
> Radius request from the AC once it receives the correct values. This is
> sent back to Radius which in this case is PF
>
> User-Name = “5blz” *<<< VALUE NEEDED IN URL as username* User-Password =
> "**” *<<< VALUE NEEDED IN URL as password* NAS-IP-Address =
> 10.7.255.2 NAS-Port = 900 Service-Type = Framed-User Framed-Protocol = PPP
> Framed-IP-Address = 10.9.91.31 Called-Station-Id =
> "c0:f6:c2:a5:c4:d0:FISPY-WiFi" Calling-Station-Id = "f0:2f:4b:14:67:d9"
> NAS-Identifier = "AirEngine9700-M1" NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "AirEngi000900d5d66c0600187" Event-Timestamp =
> "Feb 7 2022 18:05:13 MST" NAS-Port-Id =
> "slot=0;subslot=0;port=0;vlanid=900" Huawei-Loopback-Address =
> "C0F6-C2A5-C4D0" Huawei-User-Mac = "\000\000\000\003" Stripped-User-Name =
> "5blz" Realm = "null" FreeRADIUS-Client-IP-Address = 10.7.255.2
> Called-Station-SSID = "FISPY-WiFi" PacketFence-KeyBalanced =
> "aa86741e358fa86079a91aaf4dc581f9" PacketFence-Radius-Ip = "10.0.255.99"
> SQL-User-Name = "5blz"
>
> On Feb 7, 2022, at 3:58 PM, Jorge Nolla  wrote:
>
> Hi Fabrice,
>
> I did hardcode as follows:
>
> https://portal.fispy.mx:8443/login?username=bob=bob;
> style="display:none">
>
> But the redirect which the client is getting, is only this part, not sure
> why:
>
> https://portal.fispy.mx:8443/login?
>
>
> Here is the flow of the External Portal Authentication as per Huawei.
> Portal Server - Notify the STA of the login URL
> STA - Send the username and password in HTTP GET POST. When this is
> configured to use ISE as per the guide, the ISE server sends the redirect
> to the STA as per the format.
> https://portal.fispy.mx:8443/login?username=($username)=($password)
>
>
> 
>
> On Feb 7, 2022, at 2:51 PM, Fabrice Durand  wrote:
>
> Did you try to hardcode that in the code and see if it works?
>
> Also, I don't understand the goal of passing the username and password; is
> there any extra check after that? What happens if the user registers by
> sms/email?
>
> And I just found this:
>
> https://support.huawei.com/enterprise/en/doc/EDOC118282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
> Is it something that can be configured on the Huawei? If yes, then it will
> mimic the way the Cisco WLC works.
>
> Regards
> Fabrice
>
>
> Le lun. 7 févr. 2022 à 16:01, Jorge Nolla  a écrit :
>
>> Hi Fabrice,
>>
>> This line needs to be HTTPS for it to work
>> http://$controller_ip:8443/login?username=bob=bob;
>> style="display:none”>
>>
>> This needs to be the username and password which is being entered by the
>> user in the PF portal, which is the Radius username and password
>> username=bob=bob
>>
>>
>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand  wrote:
>>
>> I just pushed a fix.
>>
>> cd /usr/local/pf
>> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
>> and restart
>>
>> Le lun. 7 févr. 2022 à 13:46, Jorge Nolla  a écrit :
>>
>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>>
>>>
>>> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]:
>>> httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected as an
>>> external captive portal URI (pf::web::externalportal::handle)
>>> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]:
>>> httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module for switch
>>> type 'pf::Switch::Huawei'. Either switch type is unknown or switch type
>>> perl module have compilation errors. See the following message for details:
>>>  (pf::web::externalportal::handle)
>>> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]:
>>> httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected as an
>>> external captive portal URI (pf::web::externalportal::handle)
>>> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]:
>>> httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module for switch
>>> type 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-07 Thread Fabrice Durand via PacketFence-users
Did you try to hardcode that in the code and see if it works?

Also, I don't understand the goal of passing the username and password; is
there any extra check after that? What happens if the user registers by
sms/email?

And I just found this:
https://support.huawei.com/enterprise/en/doc/EDOC118282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
Is it something that can be configured on the Huawei? If yes, then it will
mimic the way the Cisco WLC works.

Regards
Fabrice


Le lun. 7 févr. 2022 à 16:01, Jorge Nolla  a écrit :

> Hi Fabrice,
>
> This line needs to be HTTPS for it to work
> http://$controller_ip:8443/login?username=bob=bob;
> style="display:none”>
>
> This needs to be the username and password which is being entered by the
> user in the PF portal, which is the Radius username and password
> username=bob=bob
>
>
> On Feb 7, 2022, at 12:03 PM, Fabrice Durand  wrote:
>
> I just pushed a fix.
>
> cd /usr/local/pf
> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
> and restart
>
> Le lun. 7 févr. 2022 à 13:46, Jorge Nolla  a écrit :
>
>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>
>>
>> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371)
>> INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal
>> URI (pf::web::externalportal::handle)
>> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371)
>> ERROR: [mac:[undef]] Cannot load perl module for switch type
>> 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl
>> module have compilation errors. See the following message for details:
>>  (pf::web::externalportal::handle)
>> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370)
>> INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal
>> URI (pf::web::externalportal::handle)
>> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370)
>> ERROR: [mac:[undef]] Cannot load perl module for switch type
>> 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl
>> module have compilation errors. See the following message for details:
>>  (pf::web::externalportal::handle)
>>
>>
>>
>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla  wrote:
>>
>> Here is the output for HAProxy
>>
>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814
>> [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/13/13 501 413 - -  2/1/0/0/0 0/0 {wifi.fispy.mx}
>> "GET
>> /Huawei?ac-ip=10.7.255.2=10.9.215.39=FISPY-WiFi=f02f4b1467d9
>> HTTP/1.1”
>>
>>
>>
>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla  wrote:
>>
>> Hi Fabrice,
>>
>> From the Pf portal after the patch is applied.
>>
>> type: 'Huawei' is not a valid value The chosen type (Huawei) is not
>> supported.
>>
>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla  wrote:
>>
>>
>> This is the only option on the config.
>>
>> 
>>
>>
>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla  wrote:
>>
>> Hi Fabrice,
>>
>> Getting an error page from PF
>>
>> Not Implemented
>> GET no supported for current URL.
>>
>> How is the switch supposed to be defined in PF?
>>
>>
>>
>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand  wrote:
>>
>> I am just not sure what to set for username and password; if you do sms
>> auth then there is no password.
>>
>> Also, in the url it looks like it is missing the mac address of the device;
>> can you try to add device-mac and see if the device mac is in the url?
>>
>> Here is the first draft:
>>
>>
>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>
>> cd /usr/local/pf/
>> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>>
>> then restart packetfence.
>>
>> On the controller:
>>
>> url-template name PacketFence
>>  url https://wifi.fispy.mx/ Hawei
>>  url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid
>> user-mac ap-mac
>>
>> So when the device is forwarded to the portal, it should be able to
>> recognise the mac address and the ip of the device (at the bottom).
>>
>> Register on the portal and you should be forwarded to
>> http://$controller_ip:8443/login?username=bob=bob
>>
>> Let me know how it behaves.
>>
>> Regards
>> Fabrice
>>
>>
>>
>>
>> Le dim. 6 févr. 2022 à 18:58, Jorge Nolla  a écrit :
>>
>>> Hi Fabrice
>>>
>>> This is the GET the AC is expecting:
>>>
>>> https://portal.fispy.mx:8443/login?username=($username)=($password)
>>>
>>> If successful it will return as per image below. If it fails the AC will
>>> redirect back to the Portal
>>>
>>> 
>>>
>>>
>>> Here is the configuration:
>>>
>>> url-template name PacketFence
>>>  url https://wifi.fispy.mx/captive-portal
>>>  url-parameter login-url destination_url
>>> https://portal.fispy.mx:8443/login?username=($username)=($password)
>>>
>>>
>>> HA Proxy output
>>>
>>> Feb 6 16:44:26 wifi haproxy[2427]: 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-07 Thread Fabrice Durand via PacketFence-users
I just pushed a fix.

cd /usr/local/pf
curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
and restart

Le lun. 7 févr. 2022 à 13:46, Jorge Nolla  a écrit :

> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>
>
> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371)
> INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal
> URI (pf::web::externalportal::handle)
> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371)
> ERROR: [mac:[undef]] Cannot load perl module for switch type
> 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl
> module have compilation errors. See the following message for details:
>  (pf::web::externalportal::handle)
> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370)
> INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal
> URI (pf::web::externalportal::handle)
> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370)
> ERROR: [mac:[undef]] Cannot load perl module for switch type
> 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl
> module have compilation errors. See the following message for details:
>  (pf::web::externalportal::handle)
>
>
>
> On Feb 7, 2022, at 10:50 AM, Jorge Nolla  wrote:
>
> Here is the output for HAProxy
>
> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814
> [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ 10.0.255.99-backend/
> 127.0.0.1 0/0/0/13/13 501 413 - -  2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
> /Huawei?ac-ip=10.7.255.2=10.9.215.39=FISPY-WiFi=f02f4b1467d9
> HTTP/1.1”
>
>
>
> On Feb 7, 2022, at 10:06 AM, Jorge Nolla  wrote:
>
> Hi Fabrice,
>
> From the Pf portal after the patch is applied.
>
> type: 'Huawei' is not a valid value The chosen type (Huawei) is not
> supported.
>
> On Feb 6, 2022, at 6:49 PM, Jorge Nolla  wrote:
>
>
> This is the only option on the config.
>
> 
>
>
> On Feb 6, 2022, at 6:41 PM, Jorge Nolla  wrote:
>
> Hi Fabrice,
>
> Getting an error page from PF
>
> Not Implemented
> GET no supported for current URL.
>
> How is the switch supposed to be defined in PF?
>
>
>
> On Feb 6, 2022, at 5:55 PM, Fabrice Durand  wrote:
>
> I am just not sure what to set for username and password; if you do sms
> auth then there is no password.
>
> Also, in the url it looks like it is missing the mac address of the device;
> can you try to add device-mac and see if the device mac is in the url?
>
> Here is the first draft:
>
>
> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>
> cd /usr/local/pf/
> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>
> then restart packetfence.
>
> On the controller:
>
> url-template name PacketFence
>  url https://wifi.fispy.mx/ Hawei
>  url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid
> user-mac ap-mac
>
> So when the device is forwarded to the portal, it should be able to
> recognise the mac address and the ip of the device (at the bottom).
>
> Register on the portal and you should be forwarded to
> http://$controller_ip:8443/login?username=bob=bob
>
> Let me know how it behaves.
>
> Regards
> Fabrice
>
>
>
>
> Le dim. 6 févr. 2022 à 18:58, Jorge Nolla  a écrit :
>
>> Hi Fabrice
>>
>> This is the GET the AC is expecting:
>>
>> https://portal.fispy.mx:8443/login?username=($username)=($password)
>>
>> If successful it will return as per image below. If it fails the AC will
>> redirect back to the Portal
>>
>> 
>>
>>
>> Here is the configuration:
>>
>> url-template name PacketFence
>>  url https://wifi.fispy.mx/captive-portal
>>  url-parameter login-url destination_url
>> https://portal.fispy.mx:8443/login?username=($username)=($password)
>>
>>
>> HA Proxy output
>>
>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266
>> [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/202/202 200 9003 - -  2/1/0/0/0 0/0 {wifi.fispy.mx}
>> "GET /captive-portal?destination_url=
>> https://portal.fispy.mx:8443/login?username=($username)=($password)
>> HTTP/1.1"
>>
>> Only problem is that PacketFence is not updating the dynamic values with
>> username and password for it to work
>>
>> AC = Access Controller. This manages the APs as they are operating in
>> Fit/Lightweight mode.
>> AP = Access Points. These are the actual radios.
>>
>> Best Regards,
>> Jorge
>>
>>
>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand  wrote:
>>
>> Hello Jorge,
>>
>> i have what i need at least to be able to support the web-auth.
>> The only thing i am not sure is at the end of the registration process
>> what we are supposed to do.
>>
>> I will create a branch on github in order for you to test. (it will be an
>> update of the Huawei switch module).
>>
>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac ?
>>
>> 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-06 Thread Fabrice Durand via PacketFence-users
I am just not sure what to set for username and password; if you do sms
auth then there is no password.

Also, in the url it looks like it is missing the mac address of the device;
can you try to add device-mac and see if the device mac is in the url?

Here is the first draft:

https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff

cd /usr/local/pf/
curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1

then restart packetfence.

On the controller:

url-template name PacketFence
 url https://wifi.fispy.mx/ Hawei
 url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid
user-mac ap-mac

So when the device is forwarded to the portal, it should be able to
recognise the mac address and the ip of the device (at the bottom).

Register on the portal and you should be forwarded to
http://$controller_ip:8443/login?username=bob=bob

Let me know how it behaves.

Regards
Fabrice




Le dim. 6 févr. 2022 à 18:58, Jorge Nolla  a écrit :

> Hi Fabrice
>
> This is the GET the AC is expecting:
>
> https://portal.fispy.mx:8443/login?username=($username)=($password)
>
> If successful it will return as per image below. If it fails the AC will
> redirect back to the Portal
>
>
>
> Here is the configuration:
>
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal
>  url-parameter login-url destination_url
> https://portal.fispy.mx:8443/login?username=($username)=($password)
>
>
> HA Proxy output
>
> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266
> [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/
> 127.0.0.1 0/0/0/202/202 200 9003 - -  2/1/0/0/0 0/0 {wifi.fispy.mx}
> "GET /captive-portal?destination_url=
> https://portal.fispy.mx:8443/login?username=($username)=($password)
> HTTP/1.1"
>
> Only problem is that PacketFence is not updating the dynamic values with
> username and password for it to work
>
> AC = Access Controller. This manages the APs as they are operating in
> Fit/Lightweight mode.
> AP = Access Points. These are the actual radios.
>
> Best Regards,
> Jorge
>
>
> On Feb 6, 2022, at 4:40 PM, Fabrice Durand  wrote:
>
> Hello Jorge,
>
> i have what i need at least to be able to support the web-auth.
> The only thing i am not sure is at the end of the registration process
> what we are supposed to do.
>
> I will create a branch on github in order for you to test. (it will be an
> update of the Huawei switch module).
>
> For information, what is the ac-ip ac-mac versus ap-ip ap-mac ?
>
> Regards
> Fabrice
>
>
> Le dim. 6 févr. 2022 à 18:30, Jorge Nolla  a écrit :
>
>> If I try to manually send the redirect in the browser here is what HA
>> proxy records. This is a simple copy and paste in the browser and the
>> output:
>>
>> https://wifi.fispy.mx/captive-portal?destination_url=
>> https://portal.fispy.mx:8443/login?username=539z=0uf3
>>
>> 4875 - -  2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
>> /captive-portal?destination_url=
>> https://portal.fispy.mx:8443/login?username=539z=0uf3 HTTP/1.1"
>>
>>
>> It doesn’t let it go through, as it seems that it is trying to validate
>> network connectivity
>>
>>
>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla  wrote:
>>
>> Seems weird how the format of the URL is recorded/sent
>>
>>
>> Here is a normal redirect, the url is formatted correctly,
>>
>>
>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577
>> [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/
>> 127.0.0.1 0/0/1/233/234 200 4910 - -  2/1/0/0/0 0/0 {wifi.fispy.mx}
>> "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>
>>  I’m not sure why the value sent by the AP has all the % and weird
>> symbols
>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>> 
>>
>>
>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla  wrote:
>>
>> Hi Fabrice,
>>
>> Here are the options that can be added:
>>
>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>   ap-group-name   AP group name
>>   ap-ip   AP IP address
>>   ap-location AP location
>>   ap-mac  AP MAC address
>>   ap-name AP name
>>   device-ip   Device IP address
>>   device-mac  Device MAC address
>>   login-url   Device's login URL provided to the external portal
>> server
>>   mac-address Mac address
>>   redirect-urlThe url in user original http packet
>>   set Set
>>   ssidSSID
>>   sysname Device name
>>   user-ipaddress  User IP address
>>   user-macUser MAC address
>>
>>
>> url-template name PacketFence
>>  url https://wifi.fispy.mx/captive-portal
>>  url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac
>> ap-mac
>>
>>
>> 200 9003 - -  2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
>> 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-06 Thread Fabrice Durand via PacketFence-users
Great!
It will be easier.


Le dim. 6 févr. 2022 à 18:38, Jorge Nolla  a écrit :

> Fabrice,
>
> I figured out why the AC is formatting in that way,
>
>
> 6.3.7.3.6 The URL of the Redirected Portal Page Contains %XX, Which Cannot
> Be Identified by Some Portal Servers
>
> When a third-party Portal server is connected, the browser can be
> redirected to the URL of the Portal page, but the Portal page cannot be
> opened. The URL of the Portal page contains %XX, for example,
> http://12.12.12.1:8080/portal?ac
>  %2Dip=100%2E1%2E1%2E1=200%2E1%2E1%2E172=portal %5Ftest.
>
> By default, the Portal URL encoding and decoding function is enabled on
> the device.
>
> URL encoding encodes special characters (that is, characters that are not
> simple 7-bit ASCII characters, such as Chinese characters) in hexadecimal
> format using the percent sign (%), including special characters such as the
> equal sign (=), ampersand (&), and percent sign (%). The URL encoding is
> actually a hexadecimal character ASCII code. However, there is a slight
> change, and "%" needs to be added to the beginning. For example, the ASCII
> code of a backslash (\) is 92, and the hexadecimal number of 92 is 5c.
> Therefore, the URL encoding result of a backslash (\) is %5c. The URL
> coding table can be found on the Internet. Some Portal servers do not
> support this encoding format. When the URL encoding function is enabled on
> the device, redirection fails.
>
> Disable the Portal URL encoding function on the device.
>
> *[Huawei] undo portal url-encode enable*
>
>
> This worked, now we get the correct output:
>
> Feb 6 16:34:19 wifi haproxy[2427]: 10.9.70.173:51832
> [06/Feb/2022:16:34:18.789] portal-https-10.0.255.99~ 10.0.255.99-backend/
> 127.0.0.1 0/0/1/387/388 302 1018 - -  2/1/0/0/0 0/0 {wifi.fispy.mx}
> "GET
> /captive-portal?ac-ip=10.7.255.2=10.9.70.173=FISPY-WiFi=f02f4b1467d9
> HTTP/1.1"
>
>
>
> On Feb 6, 2022, at 4:29 PM, Jorge Nolla  wrote:
>
> If I try to manually send the redirect in the browser here is what HA
> proxy records. This is a simple copy and paste in the browser and the
> output:
>
> https://wifi.fispy.mx/captive-portal?destination_url=
> https://portal.fispy.mx:8443/login?username=539z=0uf3
>
> 4875 - -  2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
> /captive-portal?destination_url=
> https://portal.fispy.mx:8443/login?username=539z=0uf3 HTTP/1.1"
>
>
> It doesn’t let it go through as it seems that is trying to validate
> network connectivity
>
>
> On Feb 6, 2022, at 4:07 PM, Jorge Nolla  wrote:
>
> Seems weird how the format of the URL is recorded/sent
>
>
> Here is a normal redirect, the url is formatted correctly,
>
>
> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577
> [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/
> 127.0.0.1 0/0/1/233/234 200 4910 - -  2/1/0/0/0 0/0 {wifi.fispy.mx}
> "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>
>  I’m not sure why the value sent by the AP has all the % and weird symbols
> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
> 
>
>
> On Feb 6, 2022, at 4:00 PM, Jorge Nolla  wrote:
>
> Hi Fabrice,
>
> Here are the options that can be added:
>
> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>   ap-group-name   AP group name
>   ap-ip   AP IP address
>   ap-location AP location
>   ap-mac  AP MAC address
>   ap-name AP name
>   device-ip   Device IP address
>   device-mac  Device MAC address
>   login-url   Device's login URL provided to the external portal server
>   mac-address Mac address
>   redirect-urlThe url in user original http packet
>   set Set
>   ssidSSID
>   sysname Device name
>   user-ipaddress  User IP address
>   user-macUser MAC address
>
>
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal
>  url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac
> ap-mac
>
>
> 200 9003 - -  2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
> /captive-portal?ac%2Dip=10%2E7%2E255%2E2=10%2E9%2E70%2E173=FISPY%2DWiFi%2Dmac=f02f4b1467d9
> HTTP/1.1"
>
>
> If we do not specify the URL on this configuration, where would
> PacketFence get the value for the AC Web Authentication call?
>
>
> https://portal.fispy.mx:8443/login?username=($username)=($password)
>
> Best Regards,
> Jorge
>
> On Feb 5, 2022, at 8:23 PM, Fabrice Durand  wrote:
>
> Hello Jorge,
>
> what we need is the user mac and the ap information.
> I found that
> https://support.huawei.com/enterprise/en/doc/EDOC118283/659354b1/display-url-template
>
> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac ?
>
> And if yes can you provide me the url generated by the controller when it
> redirect ?  (haproxy-portal log)
>
> Regards
> Fabrice
>
>
>
> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla  a écrit :
>
>> Hi Team,
>>
>> 
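The over-encoding described in the Huawei manual above (unreserved characters such as `_` and `.` sent as `%5F` and `%2E`) is easy to spot in the haproxy-portal log. The following is an added example, not PacketFence code and not from the thread; it uses the two redirect query strings quoted above to show why a parser that compares raw keys misses `destination_url`, how a key-decoding parser recovers it, and a check that flags over-encoded unreserved characters in a logged query string.

```python
import re
from urllib.parse import parse_qsl, unquote

# Unreserved characters (RFC 3986 section 2.3). They never need encoding, so a
# sender that escapes them (the AC with "portal url-encode" enabled) is over-encoding.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

# Sample query strings constructed from the haproxy-portal log lines quoted
# in the thread: before and after "undo portal url-encode enable" on the AC.
ENCODED_QUERY = "destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin"
PLAIN_QUERY = "destination_url=https://portal.fispy.mx:8443/login"


def naive_lookup(query, key):
    """Find `key` by comparing the raw, undecoded parameter name and decoding
    only the value. A parser built this way never matches 'destination%5Furl'
    against 'destination_url'. Returns None when the key is not present."""
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if k == key:
            return unquote(v)
    return None


def tolerant_lookup(query, key):
    """Decode parameter names as well as values before comparing, so an
    over-encoded key still matches. parse_qsl decodes both sides."""
    return dict(parse_qsl(query, keep_blank_values=True)).get(key)


def overencoded_unreserved(query):
    """Return every percent-escape in `query` that encodes an unreserved
    character. A non-empty list is the symptom seen in the thread and means a
    strict parser on the portal side may fail to match parameter names."""
    found = []
    for esc in re.findall(r"%[0-9A-Fa-f]{2}", query):
        if chr(int(esc[1:], 16)) in UNRESERVED:
            found.append(esc.upper())
    return found


def check_redirect(query, key="destination_url"):
    """Summarise one captive-portal query string taken from the haproxy log."""
    return {
        "naive": naive_lookup(query, key),
        "tolerant": tolerant_lookup(query, key),
        "overencoded": sorted(set(overencoded_unreserved(query))),
    }


if __name__ == "__main__":
    for q in (ENCODED_QUERY, PLAIN_QUERY):
        print(q)
        print("  ->", check_redirect(q))
```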

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-06 Thread Fabrice Durand via PacketFence-users
Hello Jorge,

i have what i need at least to be able to support the web-auth.
The only thing i am not sure is at the end of the registration process what
we are supposed to do.

I will create a branch on github in order for you to test. (it will be an
update of the Huawei switch module).

For information, what is the ac-ip ac-mac versus ap-ip ap-mac ?

Regards
Fabrice


Le dim. 6 févr. 2022 à 18:30, Jorge Nolla  a écrit :

> If I try to manually send the redirect in the browser here is what HA
> proxy records. This is a simple copy and paste in the browser and the
> output:
>
> https://wifi.fispy.mx/captive-portal?destination_url=
> https://portal.fispy.mx:8443/login?username=539z=0uf3
>
> 4875 - -  2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
> /captive-portal?destination_url=
> https://portal.fispy.mx:8443/login?username=539z=0uf3 HTTP/1.1"
>
>
> It doesn’t let it go through as it seems that is trying to validate
> network connectivity
>
>
> On Feb 6, 2022, at 4:07 PM, Jorge Nolla  wrote:
>
> Seems weird how the format of the URL is recorded/sent
>
>
> Here is a normal redirect, the url is formatted correctly,
>
>
> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577
> [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/
> 127.0.0.1 0/0/1/233/234 200 4910 - -  2/1/0/0/0 0/0 {wifi.fispy.mx}
> "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>
>  I’m not sure why the value sent by the AP has all the % and weird symbols
> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
> 
>
>
> On Feb 6, 2022, at 4:00 PM, Jorge Nolla  wrote:
>
> Hi Fabrice,
>
> Here are the options that can be added:
>
> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>   ap-group-name   AP group name
>   ap-ip   AP IP address
>   ap-location AP location
>   ap-mac  AP MAC address
>   ap-name AP name
>   device-ip   Device IP address
>   device-mac  Device MAC address
>   login-url   Device's login URL provided to the external portal server
>   mac-address Mac address
>   redirect-urlThe url in user original http packet
>   set Set
>   ssidSSID
>   sysname Device name
>   user-ipaddress  User IP address
>   user-macUser MAC address
>
>
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal
>  url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac
> ap-mac
>
>
> 200 9003 - -  2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
> /captive-portal?ac%2Dip=10%2E7%2E255%2E2=10%2E9%2E70%2E173=FISPY%2DWiFi%2Dmac=f02f4b1467d9
> HTTP/1.1"
>
>
> If we do not specify the URL on this configuration, where would
> PacketFence get the value for the AC Web Authentication call?
>
>
> https://portal.fispy.mx:8443/login?username=($username)=($password)
>
> Best Regards,
> Jorge
>
> On Feb 5, 2022, at 8:23 PM, Fabrice Durand  wrote:
>
> Hello Jorge,
>
> what we need is the user mac and the ap information.
> I found that
> https://support.huawei.com/enterprise/en/doc/EDOC118283/659354b1/display-url-template
>
> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac ?
>
> And if yes can you provide me the url generated by the controller when it
> redirect ?  (haproxy-portal log)
>
> Regards
> Fabrice
>
>
>
> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla  a écrit :
>
>> Hi Team,
>>
>> Any input on this? We really would like to get this to work.
>>
>> Thank you!
>> Jorge
>>
>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla  wrote:
>>
>> Hi Fabrice,
>>
>> This is the sequence:
>>
>> Feb  2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132
>> [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/201/201 200 7146 - -  3/1/0/0/0 0/0 {wifi.fispy.mx}
>> "GET /access?lang= HTTP/1.1"
>> Feb  2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133
>> [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1
>> 0/0/0/2/2 200 228 - -  4/2/0/0/0 0/0 {10.0.255.99} "GET
>> /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130
>> [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/122/122 302 1018 - -  4/1/0/0/0 0/0 {wifi.fispy.mx}
>> "GET
>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>> HTTP/1.1"
>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132
>> [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/129/129 200 7146 - -  4/2/0/0/0 0/0 {wifi.fispy.mx}
>> "GET /access?lang= HTTP/1.1"
>> Feb  2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133
>> [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1
>> 0/0/0/1/1 200 228 - -  4/2/0/0/0 0/0 {10.0.255.99} "GET
>> /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>> Feb  2 14:51:55 wifi haproxy[2427]: 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-05 Thread Fabrice Durand via PacketFence-users
Hello Jorge,

what we need is the user mac and the ap information.
I found that
https://support.huawei.com/enterprise/en/doc/EDOC118283/659354b1/display-url-template

Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac ?

And if yes can you provide me the url generated by the controller when it
redirect ?  (haproxy-portal log)

Regards
Fabrice



Le sam. 5 févr. 2022 à 20:42, Jorge Nolla  a écrit :

> Hi Team,
>
> Any input on this? We really would like to get this to work.
>
> Thank you!
> Jorge
>
> On Feb 2, 2022, at 7:48 PM, Jorge Nolla  wrote:
>
> Hi Fabrice,
>
> This is the sequence:
>
> Feb  2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132
> [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/
> 127.0.0.1 0/0/0/201/201 200 7146 - -  3/1/0/0/0 0/0 {wifi.fispy.mx}
> "GET /access?lang= HTTP/1.1"
> Feb  2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133
> [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1
> 0/0/0/2/2 200 228 - -  4/2/0/0/0 0/0 {10.0.255.99} "GET
> /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130
> [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/
> 127.0.0.1 0/0/0/122/122 302 1018 - -  4/1/0/0/0 0/0 {wifi.fispy.mx}
> "GET
> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
> HTTP/1.1"
> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132
> [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/
> 127.0.0.1 0/0/0/129/129 200 7146 - -  4/2/0/0/0 0/0 {wifi.fispy.mx}
> "GET /access?lang= HTTP/1.1"
> Feb  2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133
> [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1
> 0/0/0/1/1 200 228 - -  4/2/0/0/0 0/0 {10.0.255.99} "GET
> /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
> Feb  2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130
> [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/
> 127.0.0.1 0/0/0/136/136 302 1018 - -  4/1/0/0/0 0/0 {wifi.fispy.mx}
> "GET
> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
> HTTP/1.1"
>
>
>
> On Feb 2, 2022, at 7:12 PM, Fabrice Durand  wrote:
>
> Hello Jorge,
>
> i will have a look closer.
> But i have a question, when the device is forwarded to the captive portal,
> (just before
> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin)
> , what is the url ?
> You should be able to see it in the haproxy-portal.log file.
>
> Regards
> Fabrice
>
> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla  a écrit :
>
>> Hi Fabrice,
>>
>>
>> We almost have the configuration working, but are not sure how to get the
>> redirect to the client to work correctly. Attached is the documentation for
>> Cisco ISE which we used for PacketFence as well.
>>
>> Portal.fispy.mx is the Huawei AC.
>>
>> This is the format the client should get from PacketFence. This is the
>> only piece we are missing for this to work.
>>
>> https://portal.fispy.mx:8443/login?username=($username)=($password)
>>
>>
>> If we manually click on the link above, then the flow of traffic works
>> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The
>> problem is that when the user logs in to the portal the redirect is broken.
>> The parameter for the redirect that PacketFence is serving, comes from a
>> configuration parameter within the AC. This configuration works fine for
>> Cisco ISE, but the URL format is not working for PacketFence.
>>
>>
>> When we configure the redirect this is what the client is getting from
>> PacketFence
>>
>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>
>>
>> url-template name PacketFence
>>  url https://wifi.fispy.mx/captive-portal
>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>
>>
>>
>> AC CONFIG
>>
>> authentication-profile name PacketFence
>>  portal-access-profile PacketFence
>>  free-rule-template default_free_rule
>>  authentication-scheme PacketFence
>>  accounting-scheme PacketFence
>>  radius-server PacketFence
>>  force-push url https://www.fispy.mx
>>
>> radius-server template PacketFence
>>  radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@
>> ]<}NMejv3)E^\6;7:NUY%^%#
>>  radius-server authentication 10.0.255.99 1812 source ip-address
>> 10.7.255.2 weight 90
>>  radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2
>> weight 80
>>  undo radius-server user-name domain-included
>>  calling-station-id mac-format unformatted
>>  called-station-id wlan-user-format ac-mac
>>  radius-server attribute translate
>>  radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>  radius-attribute disable HW-IP-Host-Address send
>>  radius-attribute disable HW-Connect-ID send
>>  radius-attribute 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-02 Thread Fabrice Durand via PacketFence-users
Hello Jorge,

i will have a look closer.
But i have a question, when the device is forwarded to the captive portal,
(just before
https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin)
, what is the url ?
You should be able to see it in the haproxy-portal.log file.

Regards
Fabrice

Le mer. 2 févr. 2022 à 10:18, Jorge Nolla  a écrit :

> Hi Fabrice,
>
>
> We almost have the configuration working, but are not sure how to get the
> redirect to the client to work correctly. Attached is the documentation for
> Cisco ISE which we used for PacketFence as well.
>
> Portal.fispy.mx is the Huawei AC.
>
> This is the format the client should get from PacketFence. This is the
> only piece we are missing for this to work.
>
> https://portal.fispy.mx:8443/login?username=($username)=($password)
>
>
> If we manually click on the link above, then the flow of traffic works
> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The
> problem is that when the user logs in to the portal the redirect is broken.
> The parameter for the redirect that PacketFence is serving, comes from a
> configuration parameter within the AC. This configuration works fine for
> Cisco ISE, but the URL format is not working for PacketFence.
>
>
> When we configure the redirect this is what the client is getting from
> PacketFence
>
> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>
>
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal
>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>
>
>
> AC CONFIG
>
> authentication-profile name PacketFence
>  portal-access-profile PacketFence
>  free-rule-template default_free_rule
>  authentication-scheme PacketFence
>  accounting-scheme PacketFence
>  radius-server PacketFence
>  force-push url https://www.fispy.mx
>
> radius-server template PacketFence
>  radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@
> ]<}NMejv3)E^\6;7:NUY%^%#
>  radius-server authentication 10.0.255.99 1812 source ip-address
> 10.7.255.2 weight 90
>  radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2
> weight 80
>  undo radius-server user-name domain-included
>  calling-station-id mac-format unformatted
>  called-station-id wlan-user-format ac-mac
>  radius-server attribute translate
>  radius-attribute disable HW-NAS-Startup-Time-Stamp send
>  radius-attribute disable HW-IP-Host-Address send
>  radius-attribute disable HW-Connect-ID send
>  radius-attribute disable HW-Version send
>  radius-attribute disable HW-Product-ID send
>  radius-attribute disable HW-Domain-Name send
>  radius-attribute disable HW-User-Extend-Info send
>
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal
>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>
> web-auth-server PacketFence
>  server-ip 10.0.255.99
>  port 443
>  url-template PacketFence
>  protocol http
>  http get-method enable
>
> portal-access-profile name PacketFence
>  web-auth-server PacketFence direct
>
>
> authentication-scheme PacketFence
>   authentication-mode radius
>
> wlan
>  security-profile name FISPY-WiFi
>
>  vap-profile name FISPY-WiFi
>   service-vlan vlan-id 900
>   permit-vlan vlan-id 900
>   ssid-profile FISPY-WiFi
>   security-profile FISPY-WiFi
>   authentication-profile PacketFence
>   sta-network-detect disable
>   service-experience-analysis enable
>   mdns-snooping enable
>
>
>
>
> ###CISCO ISE CONFIG TO COMPARE###
>
> url-template name CISCO-ISE
>  url
> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>  parameter start-mark #
>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>
> 
>
>
>
>
>
>
> On Feb 2, 2022, at 6:17 AM, Fabrice Durand  wrote:
>
> Hello Jorge,
>
> do you have any Huawei documentation to implement that ?
>
> Regards
> Fabrice
>
>
> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via PacketFence-users <
> packetfence-users@lists.sourceforge.net> a écrit :
>
>> Hi Team,
>>
>> We were wondering if anyone has had any success in configuring Web Auth
>> for the Huawei AC? It’s somewhat critical for us to get this going.
>>
>> Thank you!
>> Jorge
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
>
>
>


Re: [PacketFence-users] Radius Accounting fails to start

2022-02-02 Thread Fabrice Durand via PacketFence-users
In fact it depend what you need exactly but the idea is to configure the
default realm to forward the accounting to another server (defined as a
radius source).

So create a radius source in packetfence and in the realm config select
this source for the accounting.
Restart radius and it should work.
Most of the time i am doing that with a specific realm, not the default one
but it should work.

Le mer. 2 févr. 2022 à 20:12, Jorge Nolla  a écrit :

> Hi Fabrice,
>
> After we enable radius-act any other configuration needed?
>
>
> On Feb 2, 2022, at 6:07 PM, Fabrice Durand  wrote:
>
> Hello Jorge,
> the only way is to use radius-acct instead of pfacct.
> pfacct doesn't implement that right now.
>
> So disable pfacct and enable radius-acct.
>
> Regards
> Fabrice
>
>
>
>
> Le mer. 2 févr. 2022 à 19:55, Jorge Nolla via PacketFence-users <
> packetfence-users@lists.sourceforge.net> a écrit :
>
>> Apologies for the SPAM :) but I figured it out.
>>
>>
>> "Starting from v10, pfacct daemon is used to track bandwidth usage of
>> nodes using RADIUS Accounting or NetFlow v5 traffic. It is enabled by
>> default and replaced packetfence-radiusd- acct service. pfacct will store
>> data into bandwidth_accounting table.”
>>
>> So the question is, is there a way to forward radius accounting to
>> external source?
>>
>> Thank you!
>>
>>
>> On Feb 2, 2022, at 5:39 PM, Jorge Nolla  wrote:
>>
>> Here is the process already listening on the port.
>>
>> udp        0      0 10.0.255.99:1813    0.0.0.0:*    2392/pfacct    off (0.00/0/0)
>>
>> Any thoughts?
>>
>> On Feb 2, 2022, at 5:21 PM, Jorge Nolla  wrote:
>>
>>
>> Seems like it is reading these parameters first, home_server localhost. But
>> not sure where they are coming from...
>>
>> Wed Feb  2 17:13:18 2022 : Debug:  home_server localhost {
>> Wed Feb  2 17:13:18 2022 : Debug:   ipaddr = 127.0.0.1
>> Wed Feb  2 17:13:18 2022 : Debug:   port = 1812
>> Wed Feb  2 17:13:18 2022 : Debug:   type = "auth"
>> Wed Feb  2 17:13:18 2022 : Debug:   secret = "testing123"
>> Wed Feb  2 17:13:18 2022 : Debug:   response_window = 20.00
>> Wed Feb  2 17:13:18 2022 : Debug:   response_timeouts = 1
>> Wed Feb  2 17:13:18 2022 : Debug:   max_outstanding = 65536
>> Wed Feb  2 17:13:18 2022 : Debug:   zombie_period = 40
>> Wed Feb  2 17:13:18 2022 : Debug:   status_check = "status-server"
>> Wed Feb  2 17:13:18 2022 : Debug:   ping_interval = 30
>> Wed Feb  2 17:13:18 2022 : Debug:   check_interval = 30
>> Wed Feb  2 17:13:18 2022 : Debug:   check_timeout = 4
>> Wed Feb  2 17:13:18 2022 : Debug:   num_answers_to_alive = 3
>> Wed Feb  2 17:13:18 2022 : Debug:   revive_interval = 120
>> Wed Feb  2 17:13:18 2022 : Debug:   limit {
>> Wed Feb  2 17:13:18 2022 : Debug:   max_connections = 16
>> Wed Feb  2 17:13:18 2022 : Debug:   max_requests = 0
>> Wed Feb  2 17:13:18 2022 : Debug:   lifetime = 0
>> Wed Feb  2 17:13:18 2022 : Debug:   idle_timeout = 0
>> Wed Feb  2 17:13:18 2022 : Debug:   }
>> Wed Feb  2 17:13:18 2022 : Debug:   coa {
>> Wed Feb  2 17:13:18 2022 : Debug:   irt = 2
>> Wed Feb  2 17:13:18 2022 : Debug:   mrt = 16
>> Wed Feb  2 17:13:18 2022 : Debug:   mrc = 5
>> Wed Feb  2 17:13:18 2022 : Debug:   mrd = 30
>> Wed Feb  2 17:13:18 2022 : Debug:   }
>> Wed Feb  2 17:13:18 2022 : Debug:  }
>> Wed Feb  2 17:13:18 2022 : Warning: Ignoring "response_window =
>> 20.00", forcing to "response_window = 10.00"
>> Wed Feb  2 17:13:18 2022 : Debug:  home_server pfacct_local {
>> Wed Feb  2 17:13:18 2022 : Debug:   ipaddr = 127.0.0.1
>> Wed Feb  2 17:13:18 2022 : Debug:   port = 1813
>> Wed Feb  2 17:13:18 2022 : Debug:   type = "acct"
>> Wed Feb  2 17:13:18 2022 : Debug:   secret =
>> "ZDQ3YzUzMjkxM2M1NjBhM2IyMTJjNWE0"
>> Wed Feb  2 17:13:18 2022 : Debug:   src_ipaddr = "10.0.255.99"
>> Wed Feb  2 17:13:18 2022 : Debug:   response_window = 30.00
>> Wed Feb  2 17:13:18 2022 : Debug:   response_timeouts = 1
>> Wed Feb  2 17:13:18 2022 : Debug:   max_outstanding = 65536
>> Wed Feb  2 17:13:18 2022 : Debug:   zombie_period = 40
>> Wed Feb  2 17:13:18 2022 : Debug:   status_check = "none"
>> Wed Feb  2 17:13:18 2022 : Debug:   ping_interval = 30
>> Wed Feb  2 17:13:18 2022 : Debug:   check_timeout = 4
>> Wed Feb  2 17:13:18 2022 : Debug:   num_answers_to_alive = 3
>> Wed Feb  2 17:13:18 2022 : Debug:   revive_interval = 300
>> Wed Feb  2 17:13:18 2022 : Debug:   limit {
>> Wed Feb  2 17:13:18 2022 : Debug:   max_connections = 16
>> Wed Feb  2 17:13:18 2022 : Debug:   max_requests = 0
>> Wed Feb  2 17:13:18 2022 : Debug:   lifetime = 0
>> Wed Feb  2 17:13:18 2022 : Debug:   idle_timeout = 0
>>
>>
>>
>> On Feb 2, 2022, at 5:15 PM, Jorge Nolla  wrote:
>>
>> Here is the output when I try to start with -XXX. Not sure how the
>> process is running.
>>
>> Wed Feb  2 17:13:19 2022 : Error: Failed binding to acct address
>> 

Re: [PacketFence-users] Radius Accounting fails to start

2022-02-02 Thread Fabrice Durand via PacketFence-users
Hello Jorge,
the only way is to use radius-acct instead of pfacct.
pfacct doesn't implement that right now.

So disable pfacct and enable radius-acct.

Regards
Fabrice




Le mer. 2 févr. 2022 à 19:55, Jorge Nolla via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Apologies for the SPAM :) but I figured it out.
>
>
> "Starting from v10, pfacct daemon is used to track bandwidth usage of
> nodes using RADIUS Accounting or NetFlow v5 traffic. It is enabled by
> default and replaced packetfence-radiusd- acct service. pfacct will store
> data into bandwidth_accounting table.”
>
> So the question is, is there a way to forward radius accounting to
> external source?
>
> Thank you!
>
>
> On Feb 2, 2022, at 5:39 PM, Jorge Nolla  wrote:
>
> Here is the process already listening on the port.
>
> udp        0      0 10.0.255.99:1813    0.0.0.0:*    2392/pfacct    off (0.00/0/0)
>
> Any thoughts?
>
> On Feb 2, 2022, at 5:21 PM, Jorge Nolla  wrote:
>
>
> Seems like it is reading these parameters first, home_server localhost. But not
> sure where they are coming from...
>
> Wed Feb  2 17:13:18 2022 : Debug:  home_server localhost {
> Wed Feb  2 17:13:18 2022 : Debug:   ipaddr = 127.0.0.1
> Wed Feb  2 17:13:18 2022 : Debug:   port = 1812
> Wed Feb  2 17:13:18 2022 : Debug:   type = "auth"
> Wed Feb  2 17:13:18 2022 : Debug:   secret = "testing123"
> Wed Feb  2 17:13:18 2022 : Debug:   response_window = 20.00
> Wed Feb  2 17:13:18 2022 : Debug:   response_timeouts = 1
> Wed Feb  2 17:13:18 2022 : Debug:   max_outstanding = 65536
> Wed Feb  2 17:13:18 2022 : Debug:   zombie_period = 40
> Wed Feb  2 17:13:18 2022 : Debug:   status_check = "status-server"
> Wed Feb  2 17:13:18 2022 : Debug:   ping_interval = 30
> Wed Feb  2 17:13:18 2022 : Debug:   check_interval = 30
> Wed Feb  2 17:13:18 2022 : Debug:   check_timeout = 4
> Wed Feb  2 17:13:18 2022 : Debug:   num_answers_to_alive = 3
> Wed Feb  2 17:13:18 2022 : Debug:   revive_interval = 120
> Wed Feb  2 17:13:18 2022 : Debug:   limit {
> Wed Feb  2 17:13:18 2022 : Debug:   max_connections = 16
> Wed Feb  2 17:13:18 2022 : Debug:   max_requests = 0
> Wed Feb  2 17:13:18 2022 : Debug:   lifetime = 0
> Wed Feb  2 17:13:18 2022 : Debug:   idle_timeout = 0
> Wed Feb  2 17:13:18 2022 : Debug:   }
> Wed Feb  2 17:13:18 2022 : Debug:   coa {
> Wed Feb  2 17:13:18 2022 : Debug:   irt = 2
> Wed Feb  2 17:13:18 2022 : Debug:   mrt = 16
> Wed Feb  2 17:13:18 2022 : Debug:   mrc = 5
> Wed Feb  2 17:13:18 2022 : Debug:   mrd = 30
> Wed Feb  2 17:13:18 2022 : Debug:   }
> Wed Feb  2 17:13:18 2022 : Debug:  }
> Wed Feb  2 17:13:18 2022 : Warning: Ignoring "response_window =
> 20.00", forcing to "response_window = 10.00"
> Wed Feb  2 17:13:18 2022 : Debug:  home_server pfacct_local {
> Wed Feb  2 17:13:18 2022 : Debug:   ipaddr = 127.0.0.1
> Wed Feb  2 17:13:18 2022 : Debug:   port = 1813
> Wed Feb  2 17:13:18 2022 : Debug:   type = "acct"
> Wed Feb  2 17:13:18 2022 : Debug:   secret =
> "ZDQ3YzUzMjkxM2M1NjBhM2IyMTJjNWE0"
> Wed Feb  2 17:13:18 2022 : Debug:   src_ipaddr = "10.0.255.99"
> Wed Feb  2 17:13:18 2022 : Debug:   response_window = 30.00
> Wed Feb  2 17:13:18 2022 : Debug:   response_timeouts = 1
> Wed Feb  2 17:13:18 2022 : Debug:   max_outstanding = 65536
> Wed Feb  2 17:13:18 2022 : Debug:   zombie_period = 40
> Wed Feb  2 17:13:18 2022 : Debug:   status_check = "none"
> Wed Feb  2 17:13:18 2022 : Debug:   ping_interval = 30
> Wed Feb  2 17:13:18 2022 : Debug:   check_timeout = 4
> Wed Feb  2 17:13:18 2022 : Debug:   num_answers_to_alive = 3
> Wed Feb  2 17:13:18 2022 : Debug:   revive_interval = 300
> Wed Feb  2 17:13:18 2022 : Debug:   limit {
> Wed Feb  2 17:13:18 2022 : Debug:   max_connections = 16
> Wed Feb  2 17:13:18 2022 : Debug:   max_requests = 0
> Wed Feb  2 17:13:18 2022 : Debug:   lifetime = 0
> Wed Feb  2 17:13:18 2022 : Debug:   idle_timeout = 0
>
>
>
> On Feb 2, 2022, at 5:15 PM, Jorge Nolla  wrote:
>
> Here is the output when I try to start with -XXX. Not sure how the process
> is running.
>
> Wed Feb  2 17:13:19 2022 : Error: Failed binding to acct address
> 10.0.255.99 port 1813 bound to server packetfence: Address already in use
> Wed Feb  2 17:13:19 2022 : Error: /usr/local/pf/raddb/acct.conf[8]: Error
> binding to port for 10.0.255.99 port 1813
>
> On Feb 2, 2022, at 5:11 PM, Jorge Nolla  wrote:
>
> Hi Team,
>
> For some reason we are not able to get the radius acct service up and
> running. Here is the output, not sure if we missed anything.
>
> [jnolla@wifi ~]$ systemctl status packetfence-radiusd-acct.service
> ● packetfence-radiusd-acct.service - PacketFence FreeRADIUS multi-protocol
> accounting server
>  Loaded: loaded (/usr/lib/systemd/system/packetfence-radiusd-acct.service;
> enabled; vendor preset: disabled)
>  Active: activating 

Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

2022-02-02 Thread Fabrice Durand via PacketFence-users
Hello Jorge,

do you have any Huawei documentation to implement that ?

Regards
Fabrice


Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi Team,
>
> We were wondering if anyone has had any success in configuring Web Auth
> for the Huawei AC? It’s somewhat critical for us to get this going.
>
> Thank you!
> Jorge
>
>


Re: [PacketFence-users] EAP-MD5 authentication (old devices)

2022-02-02 Thread Fabrice Durand via PacketFence-users
Hello Leon,

can you post the output of raddebug ?

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

and retry to authenticate the phone.

Regards
Fabrice




Le mer. 2 févr. 2022 à 08:19, Leon Pinto via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello All,
>
>
>
> I kindly request for help on EAP-MD5 with packetfence 11 with Microsoft AD
> as the authentication source…
>
>
>
> I am trying to authenticate an older telephony device and unfortunately,
> it offers only EAP-MD5… The device is rejected with the message eap_md5:
> Cleartext-Password is required for EAP-MD5 authentication
>
>
>
> The pf can see the device in the AD and seems to do its job… However the
> radius response is not good and we get the message “eap_md5:
> Cleartext-Password is required for EAP-MD5 authentication”
>
>
>
> Authenticating against 'msad_voptech_phones' in context 'admin'
>
>   Authentication SUCCEEDED against msad_voptech_phones (Authentication
> successful.)
>
>   Matched against msad_voptech_phones for 'authentication' rule
> ar_voptech_phones
>
> set_role : voptech_test
>
> set_unreg_date : 2038-01-18
>
>   Did not match against msad_voptech_phones for 'administration' rules
>
>
>
> Authenticating against 'msad_voptech_phones' in context 'portal'
>
>   Authentication SUCCEEDED against msad_voptech_phones (Authentication
> successful.)
>
>   Matched against msad_voptech_phones for 'authentication' rule
> ar_voptech_phones
>
> set_role : voptech_test
>
> set_unreg_date : 2038-01-18
>
>   Did not match against msad_voptech_phones for 'adminis
>
>
>
> *Auditing*
>
> Auth Status
>
> Reject
>
> Auth Status
>
> eap
>
> Auto Registration
>
> No
>
> Calling Station Identifier
>
> 00:a8:59:f9:82:0b
>
> Computer Name
>
> N/A
>
> EAP Type
>
> MD5
>
> Event Type
>
> Radius-Access-Request
>
> IP Address
>
> Is a Phone
>
> No
>
> Created at
>
> 2022-02-02 16:43:38
>
> Node Status
>
> N/A
>
> Domain
>
> Profile
>
> N/A
>
> Realm
>
> null
>
> Reason
>
> eap_md5: Cleartext-Password is required for EAP-MD5 authentication
>
> Role
>
> N/A
>
> Source
>
> N/A
>
> Stripped User Name
>
> voptechtest
>
> User Name
>
> voptechtest
>
>
>
> I tried to change the database hashing to plain text but no luck… Can
> someone help or guide me in the correct direction?
>
>
>
> Thanks for all your support…
>
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
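Why EAP-MD5 needs the cleartext password, as an added example that is not part of this thread and not PacketFence or FreeRADIUS code: the supplicant answers the MD5-Challenge with MD5(Identifier || password || Challenge), so the authenticator can only recompute that digest if it holds the password itself; the NT hash that Active Directory stores is not enough. The packet layout follows RFC 3748 section 5.4; the identity, identifier and password values are constructed.

```python
"""EAP-MD5 (EAP Type 4, RFC 3748 section 5.4), CHAP-style digest as in RFC 1994.

The responder computes MD5(Identifier || cleartext password || Challenge).
An authenticator can only reproduce that digest from the cleartext password,
which is why a password hash from a directory cannot satisfy EAP-MD5.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict

EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4
MD5_VALUE_SIZE = 16


def md5_challenge_value(identifier: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """Value field of an MD5-Challenge response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + cleartext_password + challenge).digest()


def build_md5_response(identifier: int, cleartext_password: bytes, challenge: bytes, name: bytes) -> bytes:
    """Encode a complete EAP-Response/MD5-Challenge packet (what the supplicant sends)."""
    value = md5_challenge_value(identifier, cleartext_password, challenge)
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    length = 4 + len(type_data)  # the EAP Length field covers the whole packet
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, length) + type_data


def parse_md5_response(packet: bytes) -> Dict[str, object]:
    """Decode an EAP-Response/MD5-Challenge, rejecting malformed packets."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_CODE_RESPONSE or length != len(packet):
        raise ValueError("not a well-formed EAP-Response (code/length mismatch)")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("EAP Type is not MD5-Challenge")
    value_size = packet[5]
    if value_size != MD5_VALUE_SIZE or 6 + value_size > len(packet):
        raise ValueError("bad Value-Size")
    return {
        "identifier": identifier,
        "value": packet[6:6 + value_size],
        "name": packet[6 + value_size:],  # peer identity, normally the User-Name
    }


def verify_md5_response(packet: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    """Authenticator side: recompute the digest from the stored cleartext password."""
    parsed = parse_md5_response(packet)
    expected = md5_challenge_value(parsed["identifier"], cleartext_password, challenge)
    return hmac.compare_digest(expected, parsed["value"])


if __name__ == "__main__":
    # Constructed demo values; identifier, identity and password are arbitrary.
    challenge = os.urandom(16)
    pkt = build_md5_response(0x6E, b"s3cret-pass", challenge, b"voptechtest")
    print("valid with cleartext password:", verify_md5_response(pkt, challenge, b"s3cret-pass"))
    print("valid with wrong password:    ", verify_md5_response(pkt, challenge, b"wrong"))
```

The verifier has nothing but the cleartext password to work with: there is no way to derive the digest from an NT hash or any other one-way hash of the password, which is exactly what the eap_md5 error in the thread is reporting.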


Re: [PacketFence-users] ability to specify a different portal URL in the RFC7710 response

2022-02-02 Thread Fabrice Durand via PacketFence-users
Hello Diego,

you can change it there:
https://github.com/inverse-inc/packetfence/blob/devel/go/httpdispatcher/proxy.go#L148

then go in /usr/local/pf/go
make go-env
source ~/.bashrc
make pfhttpd
mv pfhttpd ../sbin
systemctl restart packetfence-httpd.dispatcher.service

Regards
Fabrice


On Wed, 2 Feb 2022 at 03:37, Diego Garcia del Rio via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello everyone
>
> I am using a ruckus smartzone based setup with WISPR / hot-spot redirect
> on the AP. (so packetfence is NOT the DHCP server nor is it really using an
> isolation or registration vlan on packetfence) In fact, my packetfence
> server is not co-located on the same site as the clients.
>
> So un-authenticated clients get re-directed by the wifi access point and
> steered to "http://activelearning.school-wifi.com/RuckusSmartZone" where
> the login works just fine
>
> The thing is that I was trying to configure rfc7710 dhcp options in my
> dhcp server and that's ok (I was pointing to
> "https://activelearning.school-wifi.com/rfc7710" as the content of the
> dhcp option).
>
> And that works fine. Clients that are rfc7710 capable retrieve that dhcp
> option and immediately open the portal. The problem is that the portal url
> that the /rfc7710 ip specifies is
> "https://activelearning.school-wifi.com/portal". And of course, that
> doesn't work since my clients are not locally terminated on packetfence, so
> PF has no IP/MAC information to do any correlation and shows an "unknown
> client error"
>
> My question was if there is any way to cause the /rfc7710 json response to
> point to ANY OTHER url. In my case, for example, it could be
> "http://neverssl.com" or anything else that would cause the AP to do the
> proper WISPR redirection. (notice that neverssl is HTTP and not HTTPS)
>
>
> Is there any knob/option I could use?
>
> I was looking at the code in proxy.go for httpdispatcher and it seems the
> "UserPortalURL" field of the JSON response is derived from the
> "X-Forwarded-For" header added by the front-end proxy. I think it might be
> useful to provide some means of overriding this value so that clients can
> then use rfc7710 in this scenario as well.
>
> Thanks in advance!
>
>
>
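The override Diego asks for, as an added Python example that is not PacketFence's proxy.go: the RFC 7710 DHCP option carries only the API URL, and the JSON document that API returns (RFC 8908, media type `application/captive+json`) is what names the portal, so a validated override of its `user-portal-url` field is enough to steer clients elsewhere. The default derivation from the request's Host header, the `/rfc7710` path and the stubbed registration lookup are assumptions made for the demo, not PacketFence behaviour.

```python
"""Captive Portal API (RFC 8908) JSON with an overridable user-portal-url.

The DHCP option (RFC 7710 / RFC 8910) only tells the client where the API is;
the JSON document served by the API tells it where the portal is.  An override
lets the portal URL point somewhere other than the NAC's own portal, for
deployments where the access point performs the redirect itself.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

CAPTIVE_JSON = "application/captive+json"  # media type registered by RFC 8908


def valid_absolute_url(url: str) -> bool:
    """Accept only absolute http(s) URLs so a bad override cannot produce a dangling portal."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def portal_url(request_headers: Dict[str, str], override: Optional[str]) -> str:
    """The override wins when set and valid; otherwise derive the portal from the request."""
    if override:
        if not valid_absolute_url(override):
            raise ValueError("portal URL override must be an absolute http(s) URL: %r" % override)
        return override
    # Default modelled on the thread: the portal host comes from what the
    # front-end proxy forwarded (assumption: the Host header stands in for it here).
    host = request_headers.get("Host", "localhost")
    return "https://%s/portal" % host


def captive_api_response(request_headers: Dict[str, str], client_is_registered: bool,
                         override: Optional[str] = None) -> Tuple[Dict[str, str], Dict[str, object]]:
    """Headers and JSON body of the RFC 8908 document for one client."""
    body = {
        "captive": not client_is_registered,  # False once the client is allowed through
        "user-portal-url": portal_url(request_headers, override),
    }
    headers = {"Content-Type": CAPTIVE_JSON, "Cache-Control": "no-store"}
    return headers, body


class CaptiveApiHandler(BaseHTTPRequestHandler):
    """Minimal /rfc7710 endpoint (path is an assumption)."""
    portal_override: Optional[str] = None

    def do_GET(self):
        if self.path != "/rfc7710":
            self.send_error(404)
            return
        registered = False  # assumption: a real endpoint looks the client up by address or MAC
        headers, body = captive_api_response(dict(self.headers), registered, self.portal_override)
        payload = json.dumps(body).encode()
        self.send_response(200)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    CaptiveApiHandler.portal_override = "http://neverssl.com/"  # constructed override value
    HTTPServer(("127.0.0.1", 8080), CaptiveApiHandler).serve_forever()
```

Validating the override matters because an operator-supplied value ends up in every RFC 7710 client's browser: a relative path or a non-http scheme would silently break enrolment rather than fail loudly at configuration time.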


Re: [PacketFence-users] How to set pf to use FreeRADIUS-Client-IP-Address filter Inbound authentication instead of NAS-IP-Address ?

2022-02-02 Thread Fabrice Durand via PacketFence-users
Hello Mickael,

first Marseille and Paris are not supposed to work together but we will try
to make it work.

It looks like there is a misconfiguration on the Paris server; it's
not supposed to return any VLAN/ACL, just accept or reject.
So on the Eduroam server how did you define the Paris radius server ?
(IP/Port)

Also check in the file raddb/sites-enabled/packetfence-tunnel in the
post-auth section and check if you have that:
if !( ("%{client:shortname}" =~ /eduroam_tlrs/)  ||
(:PacketFence-ShortName && :PacketFence-ShortName =~
/eduroam_tlrs/)) {
rest
}

Because if the request is coming from eduroam (which is the case, since
the attribute PacketFence-ShortName = "eduroam_tlrs1" is in the request), then
we bypass the rest module.
And in your case the rest module is called (because this is coming from
the rest module: Reply-Message = "Switch is not managed by PacketFence").

Regards
Fabrice



On Mon, 31 Jan 2022 at 17:22, Mickael BOUBALA via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello All,
>
>
> I have seen from the guide  how to configure eduroam:
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eduroam
> .
> My server is running  Packetfence 10.3.0.
> outbound eduroam authentication works successfully.
>
>
> *Inbound eduroam authentication : *
> But I'm facing an issue with inbound eduroam authentication with the
> following message:
>
> Reply-Message = "Switch is not managed by PacketFence"
>
> *The reason :*
> My pf server is making a filter on NAS-IP-Address = 193.54.188.34  instead
> of FreeRADIUS-Client-IP-Address = 194.57.7.15.
> The server with IP 194.57.7.15 is the eduroam.fr proxy radius and it's a
> client radius of my pf server.
> The radius requests from NAS-IP-Address = 193.54.188.34 are forwarded by
> FreeRADIUS-Client-IP-Address = 194.57.7.15.
>
>
> *synoptic: *
> "Paris" RADIUS : is my radius server
> "Marseilles" RADIUS:  is the radius server of another institution.
>
> Access-Point -- [radius] -->  "Marseilles" RADIUS -- [radius] --> Country
> Proxys (rad1|2.eduroam.fr) -- [radius] -->  "Paris" RADIUS
>
>
> *Log :*
>
> Radius Request:
>
> User-Name = "us...@soleil.fr"
> NAS-IP-Address = 193.54.188.34
> NAS-Port = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> Called-Station-Id = "11:22:33:44:55:66:eduroam"
> Calling-Station-Id = "AA:BB:CC:EE:DD:FF"
> NAS-Identifier = "WLC8510-1"
> Proxy-State = 0x313639
> Proxy-State = 0x3933
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "61f7db3a/AA:BB:CC:EE:DD:FF/15621780"
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "12"
> Event-Timestamp = "Jan 31 2022 13:51:17 CET"
> EAP-Message = 0x020100140160406365612e6672
> Message-Authenticator = 0x118d65d70758e05e470d9
> Chargeable-User-Identity = 0x22
> Location-Capable = Civic-Location
> Airespace-Wlan-Id = 51
> Cisco-AVPair = "audit-session-id=22bcdbf761"
> Cisco-AVPair = "mDNS=true"
> Stripped-User-Name = "user2"
> Realm = "cea.fr"
> FreeRADIUS-Client-IP-Address = 194.57.7.15
> Called-Station-SSID = "eduroam"
> PacketFence-ShortName = "eduroam_tlrs1"
> PacketFence-KeyBalanced = "183d134047864398846ac987aa0435a2"
> PacketFence-Radius-Ip = "213.186.33.5"
> User-Password = "**"
> SQL-User-Name = "us...@soleil.fr"
>
>  RADIUS Reply:
>
> Reply-Message = "Switch is not managed by PacketFence"
>
> Proxy-State = 0x313639
>
> Proxy-State = 0x3933
>
>
>
> Help:
> How to set pf to use FreeRADIUS-Client-IP-Address to filter inbound
> authentication?
>
> Thank You.
>
> Regards
> Mickael BOUBALA


Re: [PacketFence-users] OSCP not functioning to MS PKI

2022-02-02 Thread Fabrice Durand via PacketFence-users
Hello Simon,

since the OCSP URL is HTTP, you could capture the traffic and see what
happens exactly.

Regards
Fabrice



On Tue, 1 Feb 2022 at 12:54, Simon Sutcliffe via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi Team
>
>
>
> Another day another issue with our lab that we cannot get to the bottom of
> with the logging and a bit of tracing.
>
>
>
> We have a fully functioning EAP-TLS solution working without having OCSP
> enabled.
>
>
>
> When we enable the OCSP checking the radius returns a reject.  This is
> because we have not enabled softfail in the OCSP profile and there is an
> error happening.
>
> * Radius Logging shows the following*
>
> Starting OCSP Request
>
> Debug: eap_tls: ocsp: Using responder URL
> http://pki-2020.corporateroot.net:80/ocsp
>
> ERROR: eap_tls: ocsp: Couldn't verify OCSP basic response
>
> ERROR: eap_tls: (TLS) ocsp: Certificate has been expired/revoked
>
> ERROR: eap_tls: (TLS) Alert write:fatal:internal error
>
> ERROR: eap_tls: (TLS) Server : Error in error
>
> ERROR: eap_tls: (TLS) Failed reading from OpenSSL
>
> ERROR: eap_tls: (TLS) error:27069065:OCSP
> routines:OCSP_basic_verify:certificate verify error
>
> ERROR: eap_tls: (TLS) error:1417C086:SSL
> routines:tls_process_client_certificate:certificate verify failed
>
> ERROR: eap_tls: (TLS) System call (I/O) error (-1)
>
> ERROR: eap_tls: (TLS) EAP Receive handshake failed during operation
>
> ERROR: eap_tls: [eaptls process] = fail
>
>
>
> We are using a MS PKI and are aware that we have not enabled NONCE
>
>
>
> But in the OCSP profile we have also made sure we do not have it enabled.
>
>
>
> [image: Graphical user interface, text, application Description
> automatically generated]
>
>
>
> We have also made sure the Radius Server has a valid certificate just to
> be sure (Lets Encrypt)
>
>
>
> This is what is presented in the Audit
>
>
>
> [image: Graphical user interface, text, application Description
> automatically generated]
>
> Matches the logging.
>
>
>
> Any clues where we need to be.
>
>
>
> Kind Regards
>
>
>
> Simon
>
>
>
> *Simon Sutcliffe*
> *IT Architect, Workplace Solutions*
>
> *T *+44 1733 336600 | *M *+44 7775 823368 | *E* simon.sutcli...@rhdhv.com
> | *W* www.royalhaskoningdhv.com
> HaskoningDHV UK Ltd., a company of *Royal HaskoningDHV*
>
>
>
>
> Royal HaskoningDHV - Internal Use Only
> This email and any attachments are intended solely for the use of the
> addressee(s); disclosure or copying by others than the intended person(s)
> is strictly prohibited. If you have received this email in error, please
> treat this email as confidential, notify the sender and delete all copies
> of the email immediately


Re: [PacketFence-users] Query Database for MAC address match

2022-01-27 Thread Fabrice Durand via PacketFence-users
Hello Christopher,

if you have an API in front of the postgresql db then it won't be too
complicated to code.

I did that in the past and the code is there:

https://github.com/inverse-inc/packetfence/compare/feature/rest_provisioner

Regards
Fabrice


On Thu, 27 Jan 2022 at 14:51, Chris Jordan via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I am trying to figure out how to get PacketFence to query a postgresql
> database to look for MAC addresses in a column to determine what vlan they
> belong to.
>
> For example a user connects to wifi, packetfence goes to the database to
> see if there is a mac address and if it does exist then it is approved on
> the corporate vlan. If the mac address is not found in the database it will
> set it to the guest vlan.
>
> This will help us determine what is corporate owned device and what is not
> to prevent unauthorized access to our network. Has anybody done this before?
>
> Thanks,
>
> --
> [image: formlabslogo] 
>
> *Christopher Jordan* | Sr. Systems Administrator
> 22 McGrath Hwy | Suite 206 | Somerville | MA 02143
>
> www.formlabs.com
>
>   
>   
> 
> www.christopherjordan.com
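One way to implement the lookup Christopher describes, as an added example that is not PacketFence's provisioner code from the branch Fabrice links: normalise the MAC from any common notation, query the asset table with a parameterised statement, and return a corporate or guest role. sqlite3 stands in for PostgreSQL here; the table name, role names and sample rows are constructed.

```python
"""Look a MAC address up in an asset table to decide between a corporate and a guest role.

sqlite3 stands in for the PostgreSQL database from the question (assumption);
with psycopg2 the '?' placeholders become '%s' but the logic is the same.
"""
import re
import sqlite3
from typing import Optional

CORPORATE_ROLE = "corporate"  # constructed role names; map them to VLANs in the NAC
GUEST_ROLE = "guest"
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical lower-case aa:bb:cc:dd:ee:ff from colon, dash, Cisco dotted or bare hex notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_demo_db() -> sqlite3.Connection:
    """In-memory asset table with constructed sample rows, stored in canonical form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE corporate_assets (mac TEXT PRIMARY KEY, hostname TEXT NOT NULL)")
    rows = [("00-A8-59-F9-82-0B", "lab-phone-01"), ("0050.5699.4ea1", "lab-laptop-07")]
    conn.executemany("INSERT INTO corporate_assets (mac, hostname) VALUES (?, ?)",
                     [(normalize_mac(mac), host) for mac, host in rows])
    conn.commit()
    return conn


def lookup_asset(conn: sqlite3.Connection, raw_mac: str) -> Optional[str]:
    """Parameterised query: the MAC never becomes part of the SQL text."""
    mac = normalize_mac(raw_mac)
    row = conn.execute("SELECT hostname FROM corporate_assets WHERE mac = ?", (mac,)).fetchone()
    return row[0] if row else None


def role_for_mac(conn: sqlite3.Connection, raw_mac: str) -> str:
    """Corporate role when the MAC is a known asset, guest otherwise.

    A MAC address is an inventory key, not a credential: it can be cloned, so
    this is a device-inventory decision and should be paired with 802.1X or a
    device certificate where the corporate network needs real authentication."""
    return CORPORATE_ROLE if lookup_asset(conn, raw_mac) else GUEST_ROLE


if __name__ == "__main__":
    db = build_demo_db()
    for probe in ("00:a8:59:f9:82:0b", "0050.5699.4EA1", "be:f1:bd:b6:40:a3"):
        print(probe, "->", role_for_mac(db, probe))
```

Normalising before both the insert and the query is what makes the lookup reliable: the same device shows up as `00:A8:59:F9:82:0B` in a RADIUS Calling-Station-Id and as `00a8.59f9.820b` in a Cisco inventory export.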


Re: [PacketFence-users] Challenge with sending filter-ID to Cisco switch

2022-01-21 Thread Fabrice Durand via PacketFence-users
Hello Simon,

if you change this line
https://github.com/inverse-inc/packetfence/blob/devel/conf/template_switches.conf.defaults#L94
from

acceptRole=Filter-Id = $role
to
acceptRole=Filter-Id = ${role}.in

and do a /usr/local/pf/bin/pfcmd configreload hard

does it work ?

Regards
Fabrice


On Fri, 21 Jan 2022 at 12:56, Simon Sutcliffe wrote:

> Hi Fabrice,
>
> We have been using the default cisco switch template as none of our
> production switches have templates.
>
> We have 3650 and 2960 in the lab.
>
> Kind Regards
>
> Simon
>
> Sent from my Galaxy
>
>
>  Original message 
> From: Fabrice Durand 
> Date: 21/01/2022 16:54 (GMT+00:00)
> To: Simon Sutcliffe 
> Cc: packetfence-users@lists.sourceforge.net, Raghuram Kuricheti <
> raghuram.kurich...@rhdhv.com>
> Subject: Re: Challenge with sending filter-ID to Cisco switch
>
>
> Hello Simon,
>
> what switch module are you using in PacketFence ?
>
> It´s implemented here:
>
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/Catalyst_2960.pm#L580
>
> Regards
> Fabrice
>
>
> On Fri, 21 Jan 2022 at 02:43, Simon Sutcliffe wrote:
>
>> Dear Team
>>
>>
>>
>> Over the last few weeks we have been engaged with trying to understand a
>> problem we were facing.  The problem was with sending a Filter-ID
>>
>>
>>
>> [image: Graphical user interface, text, application, chat or text message
>> Description automatically generated]
>>
>>
>>
>>
>>
>> On the switch we had created an extended access list of the same name
>>
>> ip access-list extended Pre-Auth-For-Registration
>>
>> 10 permit ip 10.207.129.0 0.0.0.255 10.202.1.0 0.0.0.255
>>
>> 20 permit ip 10.207.129.0 0.0.0.255 10.202.5.0 0.0.0.255
>>
>> 30 deny   ip 10.207.129.0 0.0.0.255 10.0.0.0 0.255.255.255
>>
>> 40 permit ip any any
>>
>>
>>
>> And during the MAB connection the radius response within the auditing
>> section clearly showed that PF was sending the attribute along with the
>> VLAN we wanted the client to be placed in.
>>
>> RADIUS Reply
>>
>> REST-HTTP-Status-Code = 200
>>
>> Filter-Id = "Pre-Auth-For-Registration"
>>
>> Tunnel-Medium-Type = IEEE-802
>>
>> Tunnel-Private-Group-Id = "7"
>>
>> Tunnel-Type = VLAN
>>
>> In the logging on the Cisco Switch you saw the Filter-ID was also
>> received. However on two Cisco Switches (3650 and 2960) we tested the VLAN
>> was correctly actioned but the Filter-ID was ignored.
>>
>> The problem was identified as
>>
>>
>> *The ACL Filter-ID is not including the direction*
>>
>>
>>
>> The solution to solve the case was to add an additional command in the
>> switch config.
>>
>>
>>
>> #radius-server attribute 11 default direction inbound
>>
>>
>>
>> This forced the inbound Filter-ID to be assigned to the inbound ACL
>> handle.
>>
>> After this the ACL could be clearly seen within the session and was
>> actioned by the switch
>>
>>
>>
>> bsns-3750-5#show authentication sessions interface g1/0/1
>>
>>
>>
>> Interface:  GigabitEthernet1/0/1
>>
>>   MAC Address:  0050.5699.4ea1
>>
>>IP Address:  192.168.2.200
>>
>> User-Name:  cisco
>>
>>Status:  Authz Success
>>
>>Domain:  DATA
>>
>>   Security Policy:  Should Secure
>>
>>   Security Status:  Unsecure
>>
>>Oper host mode:  multi-auth
>>
>>  Oper control dir:  both
>>
>> Authorized By:  Authentication Server
>>
>>   Vlan Policy:  7
>>
>> *Filter-Id:  Pre-Auth-For-Registration*
>>
>>   Session timeout:  N/A
>>
>>  Idle timeout:  N/A
>>
>> Common Session ID:  C0A80001059E47B77481
>>
>>   Acct Session ID:  0x0733
>>
>>Handle:  0x5E00059F
>>
>>
>>
>> There is also this note in the Cisco documentation
>>
>> The Filter-Id attribute can be used to specify an inbound or outbound ACL
>> that is already configured on the switch. The attribute contains the ACL
>> number followed by *.in* for ingress filtering or *.out* for egress
>> filtering. If the RADIUS server does not allow the *.in* or *.out *syntax,
>> the access list is applied to the outbound ACL by default. Because of
>> limited support of Cisco IOS access lists on the switch, the Filter-Id
>> attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699
>> (IP standard and IP extended ACLs).
>>
>> @Fabrice Durand  This could be a point for your
>> developers and documentation team to make a note to see if this can be
>> solved with some direction information from PF.  If not you have this
>> information if another customer is facing the same challenge.
>>
>> Hope this was helpful and I appreciate your support on the other issues
>> we are facing.
>>
>> Kind Regards
>>
>>
>>
>> Simon
>>
>>
>>
>>
>>
>>
>>

Re: [PacketFence-users] Challenge with sending filter-ID to Cisco switch

2022-01-21 Thread Fabrice Durand via PacketFence-users
Hello Simon,

what switch module are you using in PacketFence ?

It´s implemented here:
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/Catalyst_2960.pm#L580

Regards
Fabrice


On Fri, 21 Jan 2022 at 02:43, Simon Sutcliffe wrote:

> Dear Team
>
>
>
> Over the last few weeks we have been engaged with trying to understand a
> problem we were facing.  The problem was with sending a Filter-ID
>
>
>
> [image: Graphical user interface, text, application, chat or text message
> Description automatically generated]
>
>
>
>
>
> On the switch we had created an extended access list of the same name
>
> ip access-list extended Pre-Auth-For-Registration
>
> 10 permit ip 10.207.129.0 0.0.0.255 10.202.1.0 0.0.0.255
>
> 20 permit ip 10.207.129.0 0.0.0.255 10.202.5.0 0.0.0.255
>
> 30 deny   ip 10.207.129.0 0.0.0.255 10.0.0.0 0.255.255.255
>
> 40 permit ip any any
>
>
>
> And during the MAB connection the radius response within the auditing
> section clearly showed that PF was sending the attribute along with the
> VLAN we wanted the client to be placed in.
>
> RADIUS Reply
>
> REST-HTTP-Status-Code = 200
>
> Filter-Id = "Pre-Auth-For-Registration"
>
> Tunnel-Medium-Type = IEEE-802
>
> Tunnel-Private-Group-Id = "7"
>
> Tunnel-Type = VLAN
>
> In the logging on the Cisco Switch you saw the Filter-ID was also received.
> However on two Cisco Switches (3650 and 2960) we tested the VLAN was
> correctly actioned but the Filter-ID was ignored.
>
> The problem was identified as
>
>
> *The ACL Filter-ID is not including the direction*
>
>
>
> The solution to solve the case was to add an additional command in the
> switch config.
>
>
>
> #radius-server attribute 11 default direction inbound
>
>
>
> This forced the inbound Filter-ID to be assigned to the inbound ACL
> handle.
>
> After this the ACL could be clearly seen within the session and was
> actioned by the switch
>
>
>
> bsns-3750-5#show authentication sessions interface g1/0/1
>
>
>
> Interface:  GigabitEthernet1/0/1
>
>   MAC Address:  0050.5699.4ea1
>
>IP Address:  192.168.2.200
>
> User-Name:  cisco
>
>Status:  Authz Success
>
>Domain:  DATA
>
>   Security Policy:  Should Secure
>
>   Security Status:  Unsecure
>
>Oper host mode:  multi-auth
>
>  Oper control dir:  both
>
> Authorized By:  Authentication Server
>
>   Vlan Policy:  7
>
> *Filter-Id:  Pre-Auth-For-Registration*
>
>   Session timeout:  N/A
>
>  Idle timeout:  N/A
>
> Common Session ID:  C0A80001059E47B77481
>
>   Acct Session ID:  0x0733
>
>Handle:  0x5E00059F
>
>
>
> There is also this note in the Cisco documentation
>
> The Filter-Id attribute can be used to specify an inbound or outbound ACL
> that is already configured on the switch. The attribute contains the ACL
> number followed by *.in* for ingress filtering or *.out* for egress
> filtering. If the RADIUS server does not allow the *.in* or *.out *syntax,
> the access list is applied to the outbound ACL by default. Because of
> limited support of Cisco IOS access lists on the switch, the Filter-Id
> attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699
> (IP standard and IP extended ACLs).
>
> @Fabrice Durand  This could be a point for your
> developers and documentation team to make a note to see if this can be
> solved with some direction information from PF.  If not you have this
> information if another customer is facing the same challenge.
>
> Hope this was helpful and I appreciate your support on the other issues we
> are facing.
>
> Kind Regards
>
>
>
> Simon
>
>
>
>
>
>
>
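A check for the problem Simon documented, as an added Python example that is neither PacketFence nor Cisco code: parse the RADIUS reply attributes from an audit dump, flag a Filter-Id that carries no `.in`/`.out` direction, and build the suffixed value that Fabrice's `${role}.in` template line would produce. The sample reply is taken from the reply shown above; the function names are assumptions.

```python
"""Flag a Filter-Id without a direction suffix and build the suffixed value.

Per the Cisco note in the thread, Filter-Id is '<acl>.in' or '<acl>.out'; a
bare ACL name is applied to the outbound ACL unless the switch has
'radius-server attribute 11 default direction inbound' configured.
"""
import re
from typing import List, Optional, Tuple

ATTR_LINE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?([^"]*)"?\s*$')

# Taken from the RADIUS Reply in the thread.
SAMPLE_REPLY = """\
REST-HTTP-Status-Code = 200
Filter-Id = "Pre-Auth-For-Registration"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "7"
Tunnel-Type = VLAN
"""


def parse_reply(dump: str) -> List[Tuple[str, str]]:
    """'Name = value' lines as shown in the PacketFence audit log; quotes are stripped."""
    matches = (ATTR_LINE_RE.match(line) for line in dump.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def filter_id_direction(value: str) -> Optional[str]:
    """'in', 'out', or None when the value carries no direction suffix."""
    for suffix in ("in", "out"):
        if value.endswith("." + suffix):
            return suffix
    return None


def with_direction(acl_name: str, direction: str = "in") -> str:
    """Value for an acceptRole template line such as 'Filter-Id = ${role}.in'."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if filter_id_direction(acl_name):
        return acl_name  # already suffixed; do not double it
    return "%s.%s" % (acl_name, direction)


def lint_reply(dump: str) -> List[str]:
    """Warn about Filter-Id values that a Cisco IOS switch would not apply inbound."""
    findings = []
    for name, value in parse_reply(dump):
        if name == "Filter-Id" and filter_id_direction(value) is None:
            findings.append("Filter-Id %r has no .in/.out suffix; IOS applies it to the "
                            "outbound ACL by default" % value)
    return findings


if __name__ == "__main__":
    for finding in lint_reply(SAMPLE_REPLY):
        print("WARNING:", finding)
    print("template value:", with_direction("Pre-Auth-For-Registration"))
```

The two fixes in the thread are equivalent from the switch's point of view: either the RADIUS server sends `Pre-Auth-For-Registration.in`, or the switch is told that a bare Filter-Id means inbound. Sending the suffix is the portable choice, because it does not depend on per-switch configuration being present.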


Re: [PacketFence-users] Blank Page on Dashboard

2022-01-13 Thread Fabrice Durand via PacketFence-users
Hello Syed,

you have to use dev mode in the browser to see if you have any error (like
404) related to netdata (https://mgmt_ip:1443/netdata/)

Once found can you post the url ?

Regards
Fabrice


On Thu, 13 Jan 2022 at 09:53, Misbah Hussaini via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I have clustered my PF servers running version 11.2 and post activity, the
> charts are not visible on the Dashboard. Sometimes I get the error "The
> charts of the dashboard are currently not available". I have cleared the
> cache in /var/cache/netdata and restarted all the services but the problem
> remains. I have tried accessing the dashboard using the VIP or node IP but
> the behaviour is still the same.
>
> Any clue on how to troubleshoot this?
>
>
> Regards
> Syed Hussaini


Re: [PacketFence-users] Question about the Self Service Portal

2021-12-14 Thread Fabrice Durand via PacketFence-users
Hello Simon,

right now it's not possible to use OpenID on the self service portal.
It won't be too complex to add.

Regards

Fabrice



On Tue, 14 Dec 2021 at 01:14, Simon Sutcliffe via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi Team
>
> Any chance of a yes or no answer to this one please?
>
> Kind Regards
>
> Simon
>
>
>
> Sent from my Galaxy
>
>
>
>  Original message 
> From: Simon Sutcliffe 
> Date: 10/12/2021 13:03 (GMT+00:00)
> To: packetfence-users@lists.sourceforge.net
> Cc: lmarc...@akamai.com
> Subject: Question about the Self Service Portal
>
> Hi Team
>
>
>
> We are working on the topic of having our staff to manage their own
> personal devices using DPSK.  We have enabled the self service portal and
> we are looking into the authorisation of the user portal.
>
>
>
> [image: Graphical user interface, application Description automatically
> generated]
>
>
>
> We would like to understand if this portal can be reached with OpenID
> (Auth2) sources.  We have one configured but it does not appear here as an
> option nor is it mentioned in the self service configuration area..
>
>
>
> Kind Regards
>
>
>
> Simon
>
>
>


Re: [PacketFence-users] Apache Log4j Vulnerability

2021-12-13 Thread Fabrice Durand via PacketFence-users
It's NOT

On Mon, 13 Dec 2021 at 15:29, Erich Flynn via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Can we confirm PacketFence is not subject to CVE-2021-44228?


Re: [PacketFence-users] Redirection issue

2021-12-01 Thread Fabrice Durand via PacketFence-users
Hello Jules,

what do you mean by "We set an IP address on the registration field of the
switch which is the same as our PF " ?

Do you have more details on how you configured your setup ?

Regards
Fabrice


On Wed, 1 Dec 2021 at 10:10, HERVAULT Jules via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello everyone,
>
> We are a novice team trying to implement PF basic configuration and we
> encountered issues regarding web authentication redirection. We followed
> the Installation Guide until step 6, but once there, there is a "too many
> redirects" error when trying to reach the captive portal.
> We set an IP address on the registration field of the switch which is the
> same as our PF (assuming that the captive portal is listening on port 80 on
> the PF). Once the machine connects to the network, it gets an IP address in
> the right network, a web page pops up redirecting us to the registration
> address, but the page is blank and then times out.
> Do you have any idea of what we did wrong ?
>
> Here's our configuration:
> -Cisco : Catalyst 3560-CG
> -PacketFence: version 11.0
>
> Thank you for your time,
>
> HJ


Re: [PacketFence-users] integration with anyconnect

2021-12-01 Thread Fabrice Durand via PacketFence-users
Hello Adelmo,
yes you can integrate packetfence with anyconnect.
There is some documentation about that
https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_cisco_asa

Regards
Fabrice


On Wed, 1 Dec 2021 at 10:11, Adelmo Itsuzo Takemori via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi
>
>
>
> Can we integrate packetfence with cisco anyconnect? We have antivirus
> (Symantec) and an inventory tool (Applixure), and we need to allow
> establishing the VPN after validating these installations.
>
>
>
>
>
> *Adelmo Itsuzo Takemori*
>
> F: +55 (31) 3269 6528 | +55 (31) 99231-7264
>
>  *Agora somos Qintess!*
>
> *“This message is confidential and is addressed solely to (s) person (s)
> and / or institutions listed above and may contain confidential or
> privileged information, which can not in any way be used, disclosed,
> altered or copied. If this message is received by mistake, please provide
> their exclusion from any system and notify the sender immediately. The
> sender uses the mail in the course of their work, exempting the institution
> from any liability for misuse.”*


Re: [PacketFence-users] Question about "web log apache aaa bad requests"

2021-11-02 Thread Fabrice Durand via PacketFence-users
Hello Adrian,

most of the requests are from the radius probe from the switch.
Probably that is configured on your switch:

automate-tester username dummy ignore-acct-port idle-time 3

So it looks to be normal.

Regards
Fabrice

On Tue, 2 Nov 2021 at 04:08, Adrian Dessaigne wrote:

> Hello Fabrice,
>
> Thanks for your answer. I did some packet sniffing with the command and here
> is the result:
> https://pastebin.com/d3VLaLvT
> (Pastebin code in case the link is deleted: d3VLaLvT)
>
> I see two different packets :
> One with the "CLI or VPN access not allowed from this switch". I don't get
> that error message since I don't know when PF need to access the CLI and
> the login parameters are good.
> Another one with : "[truncated] Scoreboard: _KKK__K_WK_K"
>
> Thanks for your help.
>
> Adrian.
>
>
> --
> *From: *"Fabrice Durand" 
> *To: *"packetfence-users" 
> *Cc: *"ADE" 
> *Sent: *Friday 29 October 2021 14:39:43
> *Subject: *Re: [PacketFence-users] Question about "web log apache aaa bad
> requests"
>
> Hello Adrian,
> you can try that to see exactly what happen:
>
> tshark -i any -f "port 7070" -Y "http.request || http.response" -V
>
>
> Regards
> Fabrice
>
> On Tue, 26 Oct 2021 at 05:56, Adrian Dessaigne via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi again,
>>
>> I'm trying to know from where I get this message and I compared the logs
>> files with our secondary backup server.
>> In the file httpd.aaa.access I still get spammed with those :
>>
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 33865 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3727 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5643 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:06 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:06 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3873 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3882 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 29848 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 31987 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:08 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:08 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 786 29763 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6815 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4121 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:10 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:10 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4211 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3960 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3636 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
>> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4949 "-" "FreeRADIUS
>> 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
>> "POST 
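
Added example for the exchange above (my code, not PacketFence's and not part of the thread): it parses httpd.aaa.access lines like the ones Adrian posted, re-joined here into one log entry per line, and reports how many authorize calls per second came back 401 versus 200. Fabrice's reading is that the bulk of these rejects is the switch's RADIUS probe (automate-tester with a dummy user), whose Access-Requests end up as 401s on the REST side; the summary gives numbers to compare before and after touching that probe. The meaning of the three integers after the status (which the thread does not explain) and the flood thresholds are assumptions, and the tshark filter Fabrice gave remains the way to confirm who is actually sending the requests.

```python
"""Summarise PacketFence httpd.aaa access log lines to size up a burst of
RADIUS authorize rejects.

Added example for this thread; it is not PacketFence code. The field layout
is inferred from the lines Adrian posted: syslog prefix, client, Apache-style
timestamp, request line, status, three integers the thread does not explain
(kept as opaque values), referer, user agent and upstream host:port.
The thresholds below are assumptions, not PacketFence defaults.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<syslog>\w{3} +\d{1,2} \d\d:\d\d:\d\d) httpd_aaa: (?P<client>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<f1>\d+) (?P<f2>\d+) (?P<f3>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<upstream>[^"]*)"$'
)

# Sample input: a subset of the lines from Adrian's post, re-joined where the
# mail client wrapped them, so there is one log entry per line.
SAMPLE_LOG = """\
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 33865 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3727 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] "POST //radius/rest/authorize HTTP/1.1" 200 881 1516 70853 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
"""


def parse_line(line):
    """Return a dict for one access-log entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def summarize(lines, path="//radius/rest/authorize"):
    """Count statuses on one endpoint and compute request rate and reject share."""
    entries = [e for e in map(parse_line, lines) if e and e["path"] == path]
    by_status = Counter(e["status"] for e in entries)
    total = len(entries)
    if total == 0:
        return {"total": 0, "by_status": by_status, "span_seconds": 0.0,
                "rate_per_second": 0.0, "reject_share": 0.0}
    first = min(e["ts"] for e in entries)
    last = max(e["ts"] for e in entries)
    span = (last - first).total_seconds()
    return {
        "total": total,
        "by_status": by_status,
        "span_seconds": span,
        # everything inside a single second still counts as one second
        "rate_per_second": total / max(span, 1.0),
        "reject_share": by_status[401] / total,
    }


def looks_like_probe_flood(summary, min_rate=0.5, min_reject_share=0.8):
    """Heuristic (assumed thresholds): a steady stream that is almost all
    rejects is what a NAS liveness probe with a dummy user produces.
    Confirm with a capture on port 7070 before changing anything."""
    return (summary["total"] > 0
            and summary["rate_per_second"] >= min_rate
            and summary["reject_share"] >= min_reject_share)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['total']} authorize calls over {s['span_seconds']:.0f}s: "
          f"{dict(s['by_status'])}, reject share {s['reject_share']:.2f}")
    print("probe flood?", looks_like_probe_flood(s))
```

On the eight sample lines this reports 7 rejects and 1 accept over 10 seconds (0.8 requests per second, reject share 0.875), which the heuristic flags; on a real server, feed it the whole file and compare the numbers with the switch's probe interval before and after changing it.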

Re: [PacketFence-users] Adding a Switch

2021-11-01 Thread Fabrice Durand via PacketFence-users
Hello Perez,
try this one:
https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_2960

Regards
Fabrice

On Sat, 30 Oct 2021 at 01:54, Perez, Maximo II - ECS ISS wrote:

> Hi Durand,
> What is the switch configuration on the Cisco switch that should be made
> to make it visible on PF?
>
> Thank you,
> Max Perez
> ECS-ISS
>
>
> On Fri, Oct 29, 2021 at 8:52 PM Fabrice Durand  wrote:
>
>> Hello Maximo,
>> a switch can be added in this section:
>>
>> https://pfmgmt:1443/admin#/configuration/switches
>>
>> Regards
>> Fabrice
>>
>>
>> On Fri, 29 Oct 2021 at 08:50, Fabrice Durand wrote:
>>
>>> Hello Maximo,
>>>
>>> a switch can be added in this section :
>>>
>>>
>>> On Mon, 18 Oct 2021 at 01:23, Perez, Maximo II - ECS ISS via
>>> PacketFence-users wrote:
>>>
 Hi,

 We are using PacketFence for the first time and are currently setting it
 up in a test environment.
 Our team is trying to add switches under the Network Devices, but under
 the Network View, the switches are in unregistered status or can't be seen
 by PF.
 It is a Cisco switch.
 There is no test button to test the network connection between the
 switch and PF.
 How can we add the switch?

 Thanks,
 Max

 We value your feedback! Please help us improve our services by

 taking a moment to answer the customer satisfaction survey.


 

 Please consider the environment before printing this email.


 Disclaimer:
 The information contained in this communication is intended solely for
 the use of the individual or entity to whom it is addressed and others
 authorized to receive it. It may contain confidential or legally privileged
 information. If you are not the intended recipient you are hereby notified
 that any disclosure, copying, distribution or taking any action in reliance
 on the contents of this information is strictly prohibited and may be
 unlawful. If you have erroneously received this communication, please
 notify us immediately by responding to this email and then delete it from
 your system. Equitable Computer Services, Inc. is neither liable for the
 improper and incomplete transmission of the information contained in this
 communication nor for any delay in its receipt.
 ___
 PacketFence-users mailing list
 PacketFence-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/packetfence-users

>>>


Re: [PacketFence-users] ANN: PacketFence v11.1

2021-10-29 Thread Fabrice Durand via PacketFence-users
Redhat8 or Debian11

On Fri, 29 Oct 2021 at 18:30, ypefti--- via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Good news, thanks, Ludovic.
>
> I seized this opportunity to try to upgrade ours to the new release
> while we are not in production mode now.
>
> Followed the official document for CentOS/Redhat based systems.
>
> Set it up for an update with yum and ran into these errors while
> downloading dependencies.
>
> How can I safely disregard them to proceed with the upgrade ?
>
>
>
> Total download size: 558 M
>
> Is this ok [y/d/N]: y
>
> Downloading packages:
>
> No Presto metadata available for packetfence
>
> No Presto metadata available for base
>
> No Presto metadata available for updates
>
> (1/201):
> MariaDB-common-10.2.37-1.el7.centos.x86_64.rpm
> |  81 kB  00:00:00
>
> (2/201):
> MariaDB-compat-10.2.37-1.el7.centos.x86_64.rpm
> | 2.2 MB  00:00:00
>
> (3/201):
> ImageMagick-perl-6.9.10.68-6.el7_9.x86_64.rpm
> | 154 kB  00:00:00
>
> (4/201):
> MariaDB-client-10.2.37-1.el7.centos.x86_64.rpm
> |  11 MB  00:00:01
>
> (5/201):
> MariaDB-server-10.2.37-1.el7.centos.x86_64.rpm
>  |  24 MB  00:00:01
>
> (6/201):
> ImageMagick-6.9.10.68-6.el7_9.x86_64.rpm
> | 2.3 MB  00:00:05
>
> (7/201):
> NetworkManager-1.18.8-2.el7_9.x86_64.rpm
>| 1.9 MB  00:00:05
>
> (8/201):
> NetworkManager-team-1.18.8-2.el7_9.x86_64.rpm
> | 165 kB  00:00:00
>
> (9/201): apr-1.4.8-7.el7.x86_64.rpm
>  | 104 kB
> 00:00:00
>
> (10/201):
> OpenEXR-libs-1.7.1-8.el7.x86_64.rpm
> | 217 kB  00:00:00
>
> (11/201):
> NetworkManager-tui-1.18.8-2.el7_9.x86_64.rpm
> | 329 kB  00:00:01
>
> (12/201):
> bc-1.06.95-13.el7.x86_64.rpm
> | 115 kB  00:00:00
>
> (13/201):
> centos-release-7-9.2009.1.el7.centos.x86_64.rpm
> |  27 kB  00:00:00
>
> (14/201):
> ca-certificates-2021.2.50-72.el7_9.noarch.rpm
> | 379 kB  00:00:00
>
> coreutils-8.22-24.el7_9.2.x86_
> FAILED
> ] 2.4 MB/s |  44 MB  00:03:31 ETA
>
>
> http://muug.ca/mirror/centos/7.9.2009/updates/x86_64/Packages/coreutils-8.22-24.el7_9.2.x86_64.rpm:
> [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
>
> Trying other mirror.
>
> iproute-4.11.0-30.el7.x86_64.r
> FAILED
> -]  20 MB/s | 214 MB  00:00:17 ETA
>
>
> http://mirror.esecuredata.com/centos/7.9.2009/os/x86_64/Packages/iproute-4.11.0-30.el7.x86_64.rpm:
> [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
>
> Trying other mirror.
>
> net-snmp-perl-5.7.2-49.el7_9.1
> FAILED
>
>
> http://centos.mirror.iweb.ca/7.9.2009/updates/x86_64/Packages/net-snmp-perl-5.7.2-49.el7_9.1.x86_64.rpm:
> [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
>
> Trying other mirror.
>
> (134/201):
> openldap-2.4.44-24.el7_9.x86_64.rpm
> | 356 kB  00:00:00
>
> openssl-1.0.2k-22.el7_9.x86_64 FAILED
>    ] 7.1
> MB/s | 358 MB  00:00:28 ETA
>
>
> http://mirror.esecuredata.com/centos/7.9.2009/updates/x86_64/Packages/openssl-1.0.2k-22.el7_9.x86_64.rpm:
> [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
>
> Trying other mirror.
>
> (135/201):
> packetfence-release-2.1.0-20210414154410.286398790.0007.v10.3.0.el7.noarch.rpm
> | 6.1 kB  00:00:00
>
> (136/201):
> pcre-devel-8.32-17.el7.x86_64.rpm
>  | 480 kB  00:00:00
>
> (137/201):
> openssl-libs-1.0.2k-22.el7_9.x86_64.rpm
> | 1.2 MB  00:00:00
>
> openssl-devel-1.0.2k-22.el7_9. FAILED
>
>
>
> http://mirror.esecuredata.com/centos/7.9.2009/updates/x86_64/Packages/openssl-devel-1.0.2k-22.el7_9.x86_64.rpm:
> [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
>
> Trying other mirror.
>
> (138/201):
> packetfence-10.3.0-20210414154410.286398790.0007.v10.3.0.el7.x86_64.rpm
> |  73 MB  00:00:03
>
> (139/201):
> linux-firmware-20200421-80.git78c0348.el7_9.noarch.rpm
> |  80 MB  00:00:21
>
> perl-Crypt-PBKDF2-0.150900-1.e
> FAILED
>
>
> http://inverse.ca/downloads/PacketFence/RHEL7/x86_64/RPMS/perl-Crypt-PBKDF2-0.150900-1.el7.noarch.rpm:
> [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
>
> Trying other mirror.
>
> (140/201):
> perl-ExtUtils-CBuilder-0.28.2.6-299.el7_9.noarch.rpm
> |  68 kB  00:00:00
>
> (141/201):
> perl-Digest-SHA3-0.24-1.el7.x86_64.rpm
>  |  32 kB  00:00:00
>
> perl-5.16.3-299.el7_9.x86_64.r
> FAILED
> -] 3.8 MB/s | 505 MB  00:00:14 ETA
>
>
> http://mirror.esecuredata.com/centos/7.9.2009/updates/x86_64/Packages/perl-5.16.3-299.el7_9.x86_64.rpm:
> [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
>
> Trying other mirror.
>
> (142/201):
> perl-ExtUtils-Install-1.58-299.el7_9.noarch.rpm
> |  75 kB  00:00:00
>
> (
>
> samba-4.10.16-15.el7_9.x86_64. FAILED
>   =-   ] 3.2 MB/s | 516 MB  00:00:13 ETA
>
>
> 

Re: [PacketFence-users] iPhone / IOS

2021-10-29 Thread Fabrice Durand via PacketFence-users
Hello John,

I would say, as always with iPhone ...
The thing is, if you try to change the VLAN ID after the registration on the
portal, then the iPhone will disconnect and ... never try to reconnect,
compared to Android and Windows devices, which will reconnect.

The only solution is to use web-auth in this case (the VLAN never changes,
but the ACL does).

https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_webauth

Regards
Fabrice



On Mon, 25 Oct 2021 at 10:49, John Sayce via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
>
>
> I’ve got an issue with iPhone and out-of-band enforcement, so I’m not sure
> whether the issue is with PacketFence or my Aruba access points.  I’m fine with
> Android phones and Windows laptops.
>
>
>
> When an iPhone registers (or changes role) the CoA request is sent to the
> wireless controller and appears to complete without error; however, the
> iPhone doesn’t appear to disconnect from the network.  As such it doesn’t
> renew the DHCP lease for the new network and consequently doesn’t have
> access.
>
>
>
> I’ve tried setting the DHCP lease time to 45 seconds but this doesn’t
> appear to work either.  The iPhone stubbornly seems to cling to the DHCP
> lease.
>
>
>
> I found this post (issue 2) for other captive portal products which
> appears to describe the same issue.
> https://community.extremenetworks.com/communities/community-home/digestviewer/viewthread?MessageKey=d48bae8e-4d0e-4f4f-b1ba-fb7641c52cb7=3c7204eb-25f1-447b-9e7a-8c9a19ec264d=digestviewer#bmd48bae8e-4d0e-4f4f-b1ba-fb7641c52cb7
>
>
>
> Has anyone experienced this?
>
>
>
> Thanks
>
> John Sayce


Re: [PacketFence-users] Adding a Switch

2021-10-29 Thread Fabrice Durand via PacketFence-users
Hello Maximo,
a switch can be added in this section:

https://pfmgmt:1443/admin#/configuration/switches

Regards
Fabrice


On Fri, 29 Oct 2021 at 08:50, Fabrice Durand wrote:

> Hello Maximo,
>
> a switch can be added in this section :
>
>
> On Mon, 18 Oct 2021 at 01:23, Perez, Maximo II - ECS ISS via
> PacketFence-users wrote:
>
>> Hi,
>>
>> We are using PacketFence for the first time and are currently setting it
>> up in a test environment.
>> Our team is trying to add switches under the Network Devices, but under
>> the Network View, the switches are in unregistered status or can't be seen
>> by PF.
>> It is a Cisco switch.
>> There is no test button to test the network connection between the switch
>> and PF.
>> How can we add the switch?
>>
>> Thanks,
>> Max
>>


Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

2021-10-29 Thread Fabrice Durand via PacketFence-users
Hello Frederico,

What version of the Ubiquiti controller are you running?
Also, did you define the switch in the PacketFence configuration (by IP
or by MAC?)

Last thing: can you try http:///guest/s/default/ (notice
the / at the end)?

Regards
Fabrice


On Wed, 27 Oct 2021 at 02:27, Federico Alberto Sayd via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Enrique:
>
> I followed the docs and added Unifi Controller as a switch and configured
> the web service credentials. PF automatically retrieves the APs managed by
> Unifi Controller (I checked with the command "/usr/local/pf/bin/pfcmd
> cache switch_distributed list").
>
> I don't know if there is some difference in adding every AP as a switch.
>
> What do you mean by "valid certificate"? An HTTPS certificate for the
> captive portal?
>
> I don't know how to configure the roles tab for the Unifi Controller in
> PF. I don't know how to construct the URL that goes in "Registration" in
> "Role Mapping by WebAuth URL".
>
> Did you configure the roles tab in your setup?
>
> Thanks for your help
>
>
> On Tue, 26 Oct 2021 at 10:10, Enrique Gross ()
> wrote:
>
>> Hi Federico
>>
>> We don't use webauth with Unifi, but I remember there was a post about
>> this issue.
>>
>> After adding the Unifi Controller to PF, have you tried to add the Unifi
>> APs as switches (by MAC address)? Also, have you got a valid certificate on
>> PF?
>>
>> On the Unifi side I use the "use secure portal" option and the DNS redirect
>> option.
>>
>> I have done a quick test on this; I'm redirected to the PF portal.
>>
>>
>> Enrique
>>
>>
>>
>> On Mon, 25 Oct 2021 at 2:33, Federico Alberto Sayd via
>> PacketFence-users () wrote:
>>
>>> Hello:
>>>
>>> I am trying to configure Packetfence as a captive portal for a guest
>>> wifi network managed with Unifi Controller (WebAuth Enforcement)
>>>
>>> I want to redirect my guest wifi users to the captive portal in
>>> PacketFence and authenticate them with Google Workspace LDAP.
>>>
>>> I followed the Network Device Configuration Guide and I added Unifi
>>> Controller as a switch in the Packetfence config. The connection between Unifi
>>> Controller and PF is working fine; I can retrieve the list of APs managed
>>> by Unifi Controller with the command "/usr/local/pf/bin/pfcmd cache
>>> switch_distributed list"
>>>
>>> I added a second interface in PF and enabled the portal service on it. I
>>> configured the portal IP as an external guest portal on Unifi Controller.
>>>
>>> Also, I configured Google Workspace LDAP as auth source. I didn't
>>> specify any rules because I want the same auth source for all users.
>>> In "Standard Connections Profile" I changed the default profile to point
>>> to Google-LDAP as auth source. When I preview the portal I can confirm the
>>> Google LDAP authentication is working fine.
>>>
>>> But when I try to test the setup, the client's URL is rewritten to
>>> http:///guest/s/default and PF shows a 501 error as
>>> follows:
>>>
>>> Not Implemented
>>> GET Nos supported for current URL
>>>
>>> I don't know if I have to configure the roles tab in the switch config
>>> and specify a webauth URL. What do I have to put in registration in "Role
>>> mapping by Web Auth URL"?
>>> Do I need to configure additional roles (by VLAN? by switch role, etc.)?
>>>
>>> To be frank, I don't understand the roles config and I can't infer it from
>>> the examples given in the installation guide.
>>>
>>> Can you help me or provide me with some hint?
>>>
>>> Thanks in advance.
>>>
>>> Federico.
>>>
>>>
>>> Additional info:
>>> PacketFence: 11.0
>>> OS: Debian 11
>>> Unifi Controller: 6.0.45
>>>
>>>
>>>


Re: [PacketFence-users] Question about "web log apache aaa bad requests"

2021-10-29 Thread Fabrice Durand via PacketFence-users
Hello Adrian,

You can try this to see exactly what happens:

tshark -i any -f "port 7070" -Y "http.request || http.response" -V


Regards
Fabrice

On Tue, 26 Oct 2021 at 05:56, Adrian Dessaigne via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi again,
>
> I'm trying to find out where this message comes from, and I compared the log
> files with our secondary backup server.
> In the file httpd.aaa.access I still get spammed with these:
>
> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 33865 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3727 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5643 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:06 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:06 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3873 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3882 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 29848 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 31987 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:08 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:08 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 786 29763 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6815 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4121 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:10 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:10 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4211 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3960 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3636 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4949 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3341 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4892 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:12 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:12 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 786 5130 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5497 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
> Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200]
> "POST //radius/rest/authorize HTTP/1.1" 200 881 1516 70853 "-" "FreeRADIUS
> 3.0.21" "127.0.0.1:7070"
>
> But on the other server, I don't have anything in this file.
> From what I could find, port 7070 is related to the httpd service,
> and radiusd is mostly using it.
> So I stopped the radiusd-auth service and the logs stopped (as well as the
> error notifications on the admin interface).
> After restarting the service, the logs started to be 

Re: [PacketFence-users] Custom Security Event

2021-09-19 Thread Fabrice Durand via PacketFence-users
Hello Arun,

sorry for the late reply.

Can you add just before this line:

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/role.pm#L737

use Data::Dumper;
$logger->warn(Dumper $args);

then restart httpd.aaa and retry.
You should be able to see all the args in the logs. (if you can paste them).

Regards
Fabrice



On Sun, 19 Sept 2021 at 08:15, Arun Kangle wrote:

> Hi Fabrice,
> Update no 2:
>
> I could be wrong, but I think for some reason "condition=security_event.id
> == "308"" is not honoured (in the GUI I can see the security event is in the
> "open" state). Just to verify, I changed it to "condition=username == "hodtest"",
> and from the logs I see that condition is honoured and the node is assigned to
> the "isolation" VLAN.
>
>
> Logs:
> Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip
> => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac =>
> (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username =>
> "hodtest", ssid => aolicnet (pf::radius::authorize)
> Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap
> (pf::Connection::ProfileFactory::_from_profile)
>
> *Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] Match rule Disable_auto_reg
> (pf::access_filter::test)*Sep 19 17:30:58 aolicnac
> packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO:
> [mac:38:ba:f8:de:a7:10] highest priority security_event is 308. Target
> Role for security_event: isolation (pf::role::getIsolationRole)
> Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] (192.168.2.27) Added VLAN 19 to the returned
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065)
> WARN: [mac:38:ba:f8:de:a7:10] No parameter isolationRole found in
> conf/switches.conf for the switch 192.168.2.27 (pf::Switch::getRoleByName)
> Sep 19 17:31:06 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] Updating locationlog from accounting request
> (pf::api::handle_accounting_metadata)
> Sep 19 17:31:06 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> WARN: [mac:38:ba:f8:de:a7:10] Firewall SSO Notify
> (pf::api::firewallsso_accounting)
> Sep 19 17:31:06 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for
> MAC '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
> Sep 19 17:31:06 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] Request to /api/v1/firewall_sso/update is
> unauthorized, will perform a login (pf::api::unifiedapiclient::call)
> Sep 19 17:31:07 aolicnac pfqueue[476302]: pfqueue(476302) INFO:
> [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for MAC
> '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
> Sep 19 17:31:07 aolicnac pfqueue[476302]: pfqueue(476302) WARN:
> [mac:38:ba:f8:de:a7:10] Unable to match MAC address to IP '192.168.10.58'
> (pf::ip4log::ip2mac)
> Sep 19 17:31:07 aolicnac pfqueue[478327]: pfqueue(478327) INFO:
> [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap
> (pf::Connection::ProfileFactory::_from_profile)
> Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> WARN: [mac:38:ba:f8:de:a7:10] Firewall SSO Notify
> (pf::api::firewallsso_accounting)
> Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Stop' request for MAC
> '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
> Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] Updating locationlog from accounting request
> (pf::api::handle_accounting_metadata)
> Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> WARN: [mac:38:ba:f8:de:a7:10] Firewall SSO Notify
> (pf::api::firewallsso_accounting)
> Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for
> MAC '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
> Sep 19 17:31:15 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065)
> WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device
> 38:ba:f8:de:a7:10. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Sep 19 17:31:15 aolicnac pfqueue[476998]: pfqueue(476998) INFO:
> [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for MAC
> '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
> Sep 19 17:31:15 aolicnac packetfence_httpd.aaa[463999]: 
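
Added example (my code, not PacketFence's and not part of the thread) that reads httpd.aaa log lines like the ones Arun posted, re-joined into one entry per line, and reduces them to the decision chain for one MAC: which access filter matched, which security event and target role were chosen, which VLAN went into the Access-Accept, and which switches.conf parameter PacketFence reported missing. The line layout and the four message patterns are taken from the lines in this thread and are assumptions for other PacketFence versions; any other message is only kept when it is a WARN.

```python
"""Pull the role decision PacketFence logged for one MAC out of httpd.aaa
log lines.

Added example for this thread; it is not PacketFence code. The line layout
and the four message patterns matched below are taken from the lines Arun
posted (re-joined where the mail client wrapped them) and are assumptions
for any other PacketFence version.
"""
import re

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<proc>[\w.]+)\[(?P<pid>\d+)\]: (?P<worker>\S+) (?P<level>[A-Z]+): '
    r'(?:\[mac:(?P<mac>[0-9a-f:]{17})\] )?(?P<msg>.*?) \((?P<module>[\w:]+)\)$'
)

# Message patterns seen in the thread (the text between the [mac:...] tag
# and the trailing "(pf::module)").
RULE_RE = re.compile(r'^Match rule (?P<rule>\S+)$')
SEV_RE = re.compile(r'^highest priority security_event is (?P<id>\d+)\. '
                    r'Target Role for security_event: (?P<role>\S+)$')
VLAN_RE = re.compile(r'^\((?P<switch>[\d.]+)\) Added VLAN (?P<vlan>\d+) '
                     r'to the returned RADIUS Access-Accept$')
MISSING_RE = re.compile(r'^No parameter (?P<param>\S+) found in conf/switches\.conf '
                        r'for the switch (?P<switch>\S+)$')

# Sample input: lines from Arun's post, one log entry per line.
SAMPLE_LOG = """\
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac => (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username => "hodtest", ssid => aolicnet (pf::radius::authorize)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Match rule Disable_auto_reg (pf::access_filter::test)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] highest priority security_event is 308. Target Role for security_event: isolation (pf::role::getIsolationRole)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] (192.168.2.27) Added VLAN 19 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] No parameter isolationRole found in conf/switches.conf for the switch 192.168.2.27 (pf::Switch::getRoleByName)
Sep 19 17:31:07 aolicnac pfqueue[476302]: pfqueue(476302) WARN: [mac:38:ba:f8:de:a7:10] Unable to match MAC address to IP '192.168.10.58' (pf::ip4log::ip2mac)
"""


def parse_pf_log(text):
    """Split log text into one dict per line that matches the layout above."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def role_decision(events, mac):
    """Collect what PacketFence decided for one MAC across the parsed events."""
    decision = {
        "matched_filters": [],        # access filters whose condition matched
        "security_event": None,       # id of the highest priority open event
        "target_role": None,          # role PacketFence chose for that event
        "switch": None,               # switch that got the Access-Accept
        "vlan": None,                 # VLAN placed in the Access-Accept
        "missing_switch_params": [],  # keys not found in switches.conf
        "warnings": [],               # every WARN message for this MAC
    }
    for e in events:
        if e["mac"] != mac:
            continue
        msg = e["msg"]
        m = RULE_RE.match(msg)
        if m:
            decision["matched_filters"].append(m.group("rule"))
        m = SEV_RE.match(msg)
        if m:
            decision["security_event"] = int(m.group("id"))
            decision["target_role"] = m.group("role")
        m = VLAN_RE.match(msg)
        if m:
            decision["switch"] = m.group("switch")
            decision["vlan"] = int(m.group("vlan"))
        m = MISSING_RE.match(msg)
        if m:
            decision["missing_switch_params"].append(m.group("param"))
        if e["level"] == "WARN":
            decision["warnings"].append(msg)
    return decision


if __name__ == "__main__":
    for key, value in role_decision(parse_pf_log(SAMPLE_LOG), "38:ba:f8:de:a7:10").items():
        print(f"{key}: {value}")
```

On Arun's lines this yields filter Disable_auto_reg, security event 308 with target role isolation, VLAN 19 returned to 192.168.2.27, and isolationRole reported missing from switches.conf for that same switch; the last two facts belong to the same request and are easy to miss in the raw log.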

Re: [PacketFence-users] CaptivePortal Problem with Apple ios14

2021-09-16 Thread Fabrice Durand via PacketFence-users
Hello,

What a surprise ..., it's not like always.

On my side, to troubleshoot that, I use a Mac to connect to the phone and
check the console log.
Also I do a network capture on the PacketFence side (filtered on the IP
address of the device) and see if there is any traffic coming from the device.

It could be that the CA that signed the certificate is not in the certificate
store of the device, a certificate validity issue, a network configuration issue...

Regards
Fabrice


On Thu, 16 Sept 2021 at 08:08, Zestermann, Ronald via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> we use the captive portal for access to an open WLAN. We have an official
> certificate from Swisssign and the chain of certificates as well as the
> certificate are valid.
>
>
>
> Windows 10 clients have no problems. Apple devices with iOS 12.5.4 also
> work without problems. Unfortunately, Apple devices with iOS 14 do not
> work. These devices are not forwarded to the portal page.
>
>
>
> What can that be? How can I further isolate the error?
>
>
>
>
>
>
>
> With best regards
>
>
>
> Ronald Zestermann
>
>


Re: [PacketFence-users] Custom Security Event

2021-09-15 Thread Fabrice Durand via PacketFence-users
In fact it's a little bit more complicated, since you do autoregistration.

What you can do is trigger the security event with the action isolate.
Then create a VLAN filter that disables the autoregistration if the security
event is open for this device.

Then the first request will be rejected (security event triggered), and once
the device reconnects it will go into the isolation VLAN.

Vlan filter:

[Disable_Auto_reg]
description=Disable Auto Reg on security event
run_actions=enabled
status=enabled
condition=security_event.id == "309"
top_op=and
scopes=AutoRegister
role=REJECT

Security event:

[309]
trigger=internal::is_max_reg_nodes_reached
desc=Max node
access_duration=12h
actions=reevaluate_access
window=dynamic
enabled=Y



On Mon, 13 Sept 2021 at 13:04, Arun Kangle wrote:

> Hi Fabrice,
> I did quick testing, it's not triggering. I am using v11.0, upgraded
> from 10.3.9
> 1) while creating the security event, the GUI shows the error (attached
> screenshot) but the event is created successfully
> 2) the event is not getting triggered, so no further actions (like
> assigning the isolation role and not getting redirected to the web page)
>
> security_event.conf
>  more security_events.conf
> [307]
> desc=Private MAC Address detection
> actions=log,reevaluate_access
> enabled=Y
> whitelisted_roles=default,v-guest,r-guest,registration
>
> [308]
> access_duration=12h
> enabled=Y
> template=banned_os
> trigger=internal::is_max_reg_nodes_reached
> desc=Max nodes reached
> actions=reevaluate_access
> # Copyright (C) Inverse inc.
>
>
> Logs:
>
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip
> => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac =>
> (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username =>
> "hodtest", ssid => aolicnet (pf::radius::authorize)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap
> (pf::Connection::ProfileFactory::_from_profile)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) :
> 'set-group-based-role' for realm 'null'
> (pf::config::util::filter_authentication_sources)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for
> matching (pf::authentication::match2)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed]
> Searching for
> (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)),
> from DC=AOLIC,DC=NET, with scope sub
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching
> for
> (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)),
> from DC=AOLIC,DC=NET, with scope sub
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
> set-group-based-role, returning actions.
> (pf::Authentication::Source::match_rule)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
> set-group-based-role, returning actions. (pf::Authentication::Source::match)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1
> are already registered to pid hodtest for role HOD
> (pf::node::is_max_reg_nodes_reached)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device
> 38:ba:f8:de:a7:10. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> INFO: [mac:38:ba:f8:de:a7:10] security_event 308 (trigger
> internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10,
> not adding again (pf::security_event::security_event_trigger)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded -
> registration of 38:ba:f8:de:a7:10 to hodtest failed
> (pf::registration::setup_node_for_registration)
> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
> ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes
> per pid met or exceeded (pf::radius::authorize)
>
>
> On Mon, Sep 13, 2021 at 1:33 PM Arun Kangle  wrote:
>
>> Thanks a lot for your help Fabrice. I patched my server. Will do some
>> 
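As an added example (mine, not from the post and not PacketFence code), here is a POSIX shell check for the two fragments Fabrice posted above: it reads the filter's `condition=` line out of vlan_filters.conf, extracts the security event id it compares against, and verifies that security_events.conf has a section with that id, that the event is enabled, and which trigger it uses. The point of the check is that the quoted id in the condition and the `[section]` id must agree and the event must be enabled, otherwise the filter never matches and the device is auto-registered as before. The file names and their default location under /usr/local/pf/conf are assumptions; the `demo` function builds constructed copies of the two fragments in a temporary directory so the check runs offline.

```shell
#!/bin/sh
# Added example (not PacketFence code): cross-check a VLAN filter against security_events.conf.
# Default locations are assumed to be /usr/local/pf/conf/vlan_filters.conf and
# /usr/local/pf/conf/security_events.conf; the paths are passed explicitly.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], nothing if absent.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^\[/ { insec = ($0 == "[" sec "]"); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# filter_event_id VLAN_FILTERS_CONF FILTER_ID: print the id quoted in a condition such as
#   condition=security_event.id == "309"
filter_event_id() {
    ini_get "$1" "$2" condition |
        sed -n 's/.*security_event\.id *== *"\([^"]*\)".*/\1/p'
}

# check_filter_event VLAN_FILTERS_CONF SECURITY_EVENTS_CONF FILTER_ID
# Prints "ok <id> <trigger>" and returns 0 when the filter points at an existing, enabled
# security event; prints the reason and returns 1 otherwise.
check_filter_event() {
    filters="$1" events="$2" fid="$3"
    eid=$(filter_event_id "$filters" "$fid")
    [ -n "$eid" ] || { echo "filter [$fid]: no security_event.id in its condition"; return 1; }
    grep -q "^\[$eid\]" "$events" || { echo "security event [$eid] not found"; return 1; }
    [ "$(ini_get "$events" "$eid" enabled)" = "Y" ] || { echo "security event [$eid] is not enabled"; return 1; }
    echo "ok $eid $(ini_get "$events" "$eid" trigger)"
}

# demo: run the check on constructed copies of the two fragments from the post.
demo() {
    d=$(mktemp -d)
    cat > "$d/vlan_filters.conf" <<'EOF'
[Disable_Auto_reg]
description=Disable Auto Reg on security event
run_actions=enabled
status=enabled
condition=security_event.id == "309"
top_op=and
scopes=AutoRegister
role=REJECT
EOF
    cat > "$d/security_events.conf" <<'EOF'
[309]
trigger=internal::is_max_reg_nodes_reached
desc=Max node
access_duration=12h
actions=reevaluate_access
window=dynamic
enabled=Y
EOF
    check_filter_event "$d/vlan_filters.conf" "$d/security_events.conf" Disable_Auto_reg
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the constructed case; on a server, call `check_filter_event` with the real file paths and the filter's section name. The check only reads the INI text, so it is safe to run on a production box before restarting PacketFence.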

Re: [PacketFence-users] How to use username rewriting in v11?

2021-09-15 Thread Fabrice Durand via PacketFence-users
Yes you can do that

On Tue, 14 Sept 2021 at 06:15, David Harvey
wrote:

> Borderline thread hijack, but as it's on topic:
>
> Is it possible to use the radius username rewrite functionality in
> combination with "Dot1x recompute role from portal"?
>
> Thanks,
>
> David
>
> On Tue, Sep 7, 2021 at 9:50 AM Cristian Mammoli via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Thanks, the macro was the missing bit to get what I wanted :-)
>>
>> On 06/09/2021 19:47, Fabrice Durand wrote:
>>
>> Hello,
>>
>> you have to use the preprocess scope in the radius filter.
>> In addition you can use the macro
>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_filter_engine_macro
>>
>> Regards
>> Fabrice
>>
>>
>> On Mon, 6 Sept 2021 at 12:07, Cristian Mammoli via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Could you please provide an example on how to configure a radius filter
>>> to rewrite the username?
>>>
>>> I'm referring to this:
>>> https://github.com/inverse-inc/packetfence/pull/6293
>>>
>>> Thanks
>>>
>>>
>>>
>>
>> --
>>
>> *Cristian Mammoli*
>> Network and Computer Systems Administrator
>>
>> T. +39 0731719822
>> www.apra.it
>>
>> *Notice on the protection of confidential information.* This message was
>> sent by Apra spa or by one of the Group companies. It and any
>> attachments may contain extremely sensitive and confidential
>> information. If you are not the intended recipients, please inform us
>> immediately by the same means and delete the message and any attachments,
>> without retaining a copy.
>>
>
>
> --
> David Harvey
> Director of Internal Technology, Thought Machine
>
> Data Classification: Public
>
> *Web*: www.thoughtmachine.net
>
> Thought Machine Group a limited company registered in England & Wales.
> Registered number: 4277.
> Registered Office: 5 New Street Square, London EC4A 3TW.
>
> The content of this email is confidential and intended for the recipient
> specified in message only. It is strictly forbidden to share any part of
> this message with any third party, without a written consent of the sender.
> If you received this message by mistake, please reply to this message and
> follow with its deletion, so that we can ensure such a mistake does not
> occur in the future.
>


Re: [PacketFence-users] host prefix missing

2021-09-15 Thread Fabrice Durand via PacketFence-users
Hello Stephan,

it looks like you strip the username somewhere; do you have a realm or a
RADIUS filter that does that?

Regards
Fabrice


On Mon, 13 Sept 2021 at 16:41, Kaufhold, Stephan via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> the client host/cust-SEG.custulm.local can't authenticate.
>
> In packetfence.log I see cust-SEG.custulm.local without the "host/" prefix.
>
> /usr/local/pf/bin/pftest authentication host/cust-SEG.custulm.local "" is
> working well.
>
> /usr/local/pf/bin/pftest authentication cust-SEG.custulm.local "" is not
> working.
>
> What can be the reason to remove the host prefix?
>
> Thanks in advance
>
> radius.log...
>
> Sep 13 13:44:06 cust-NAC01 auth[1674]: Adding client 10.1.40.1/32
>
> Sep 13 13:44:06 cust-NAC01 auth[1674]: [mac:10:7b:44:18:ed:3a] Rejected
> user: host/cust-SEG.custulm.local
>
> Sep 13 13:44:06 cust-NAC01 auth[1674]: (150) Rejected in post-auth:
> [host/cust-SEG.custulm.local] (from client 10.1.40.1/32 port 260 cli
> 10:7b:44:18:ed:3a)
>
> Sep 13 13:44:06 cust-NAC01 auth[1674]: (150) Login incorrect (sql_reject:
> Insufficient space to store pair string, needed 2088 bytes have 2048
> bytes): [host/cust-SEG.custulm.local] (from client 10.1.40.1/32 port 260
> cli 10:7b:44:18:ed:3a)
>
>
>
> packetfence.log...
>
>
>
> Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) WARN:
> [mac:10:7b:44:18:ed:3a] [AS-custulm INSEL] Searching for
> (servicePrincipalName=cust-SEG.custulm.local), from DC=custulm,DC=local,
> with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>
> Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) INFO:
> [mac:10:7b:44:18:ed:3a] No rules matches or no category defined for the
> node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>
> Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) WARN:
> [mac:10:7b:44:18:ed:3a] No category computed for autoreg
> (pf::role::getNodeInfoForAutoReg)
>
> Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) WARN:
> [mac:10:7b:44:18:ed:3a] No role specified or found for pid
> cust-SEG.custulm.local (MAC 10:7b:44:18:ed:3a); assume maximum number of
> registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>
> Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) ERROR:
> [mac:10:7b:44:18:ed:3a] max nodes per pid met or exceeded - registration of
> 10:7b:44:18:ed:3a to cust-SEG.custulm.local failed
> (pf::registration::setup_node_for_registration)
>
> Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) ERROR:
> [mac:10:7b:44:18:ed:3a] auto-registration of node failed max nodes per pid
> met or exceeded (pf::radius::authorize)
>
> Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) ERROR:
> [mac:10:7b:44:18:ed:3a] Database query failed with non retryable error:
> Cannot add or update a child row: a foreign key constraint fails
> (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES
> `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno:
> 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`,
> `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`,
> `detect_date`, `device_class`, `device_manufacturer`, `device_score`,
> `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`,
> `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`,
> `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`,
> `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`,
> `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY
> UPDATE `autoreg` = ?, `last_seen` = NOW(), `pid` = ?, `tenant_id` = ?]{yes,
> NULL, NULL, NULL, NULL, NULL, 2021-09-13 11:21:11, NULL, NULL, NULL, NULL,
> NULL, NULL, NULL, NULL, NULL, -00-00 00:00:00, -00-00 00:00:00,
> -00-00 00:00:00, 10:7b:44:18:ed:3a, NULL, NULL, cust-SEG.custulm.local,
> -00-00 00:00:00, NULL, unreg, 1, NULL, -00-00 00:00:00, NULL, no,
> yes, cust-SEG.custulm.local, 1} (pf::dal::db_execute)
>
> Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) ERROR:
> [mac:10:7b:44:18:ed:3a] Cannot save 10:7b:44:18:ed:3a error (500)
> (pf::radius::authorize)
>
>
>
> Kind regards
>
>
>
>
>
>
>
> --
>
> Celos Computer GmbH | Liststraße 1 | 89079 Ulm
> www.celos.de |  facebook |  xing
>
> Stephan Kaufhold
> *Consultant *
>
> Phone:   +49 731 96884-690   | Fax: +49 73196884-790  | E-Mail:
> stephan.kaufh...@celos.de
>
> --
>
> Visit us on
>
> Registered office of the 

Re: [PacketFence-users] Custom Security Event

2021-09-12 Thread Fabrice Durand via PacketFence-users
Hello Arun,

try this:
cd /usr/local/pf
patch -p1 --dry-run < max_node.diff
if there is no error:
patch -p1 < max_node.diff

Then restart packetfence.

Regards
Fabrice

On Sat, 11 Sept 2021 at 10:40, Arun Kangle wrote:

> Hi Fabrice,
> Thanks for your reply. I will need help on this.
>
> Thanks again,
> - Arun
>
> On Sat, Sep 11, 2021 at 7:25 AM Fabrice Durand  wrote:
>
>> Hello Arun,
>>
>> there is no security event that triggers that, but it's not something
>> really complicated to add in PacketFence.
>>
>> If you look at is_max_reg_nodes_reached in node.pm, you can trigger a
>> security event from there.
>>
>> Let me know if you need help on that, it won't take me so much time to
>> code it.
>>
>> Regards
>> Fabrice
>>
>>
>> On Wed, 25 Aug 2021 at 05:54, Arun Kangle via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello All,
>>> I went through the install guide and this list but I did not find
>>> information on how to configure a custom security event.
>>> Basically I wanted to trigger a custom security event when " max nodes
>>> per pid met or exceeded" and move the node to the isolation vlan so that
>>> the user can deregister one of the nodes to proceed.
>>>
>>> Thanks on advance,
>>> - Arun
>>>
>>
diff --git a/lib/pf/constants/trigger.pm b/lib/pf/constants/trigger.pm
index 115823f6b6..67aa9caa98 100644
--- a/lib/pf/constants/trigger.pm
+++ b/lib/pf/constants/trigger.pm
@@ -86,6 +86,7 @@ our $TRIGGER_MAP = {
 "fingerbank_diff_score_too_low" => "Fingerbank Collector detected a network behavior that doesn't match the known profile",
 "fingerbank_blacklisted_ips_threshold_too_high" => "Fingerbank Collector detected traffic to blacklisted IPs",
 "fingerbank_blacklisted_ports" => "Fingerbank Collector detected traffic to blacklisted ports",
+"is_max_reg_nodes_reached" => "max nodes per pid met or exceeded",
   },
   $TRIGGER_TYPE_PROVISIONER => {
 $TRIGGER_ID_PROVISIONER => "Check status",
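Review bot: the new `is_max_reg_nodes_reached` key only adds a description string; nothing in this hunk registers the trigger wherever the admin UI validates security event triggers, which may be why the thread reports the GUI showing an error when the event is saved (while the event is still written to security_events.conf). Check whether the form's trigger list is derived from `$TRIGGER_MAP` or kept separately, and document the new `internal::is_max_reg_nodes_reached` trigger alongside the other internal triggers. Minor: the wording copies the log message ("max nodes per pid met or exceeded"); the neighbouring entries are full sentences, so something like "Maximum number of registered nodes per user reached" would match the style.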
diff --git a/lib/pf/node.pm b/lib/pf/node.pm
index d0d88bfa80..17a77ce0c1 100644
--- a/lib/pf/node.pm
+++ b/lib/pf/node.pm
@@ -1116,6 +1116,14 @@ sub is_max_reg_nodes_reached {
 $logger->warn("No role specified or found for pid $pid (MAC $mac); assume maximum number of registered nodes is reached");
 }
 
+my $apiclient = pf::client::getClient;
+my %security_event = (
+'mac'   => $mac,
+'tid'   => 'is_max_reg_nodes_reached',
+'type'  => 'internal',
+);
+$apiclient->notify('trigger_security_event', %security_event);
+
 # fallback to maximum reached
 return $TRUE;
 }
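Review bot: the `notify('trigger_security_event', ...)` call sits in the fallback at the end of the function, after the `No role specified or found for pid` warning, so it fires on every path that reaches the trailing `return $TRUE`, including the no-role case (seen in the "host prefix missing" thread, where the node is rejected because no role was computed, not because a limit was hit); consider triggering only where a per-role limit was actually reached and keeping the no-role branch a plain warning. The function is a predicate (`is_...`) that now performs an API round trip on every positive answer, once per RADIUS request; the log in the thread shows `security_event_trigger` deduplicates the open event, but the call still happens, so a cheap guard (skip when the node already has this event open) is worth adding. Also confirm `pf::client` is loaded in `lib/pf/node.pm` (not visible in the hunk), and consider passing the pid in `%security_event` if `trigger_security_event` accepts it, so the isolation page can tell the user which account hit the limit.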


Re: [PacketFence-users] Administrator RADIUS role

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello,

yes it's possible, but not with "radius_request.Reply-Message" since
it's a reply, not a request.

I think you need to add the RADIUS attribute in Configuration -> RADIUS
attributes (I don't have the admin interface in front of me), then add
Reply-Message.
Once done, you should be able to use it in your administration rule in your
RADIUS source.

Let me know if you have issues, I will dig a little bit more.

Regards
Fabrice




On Fri, 20 Aug 2021 at 14:38, Павел Семенищев via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi there
> Has anyone configured RBAC for packetfence admins via external RADIUS?
>
>
> --
> Best Regards,
> Pavel
>
>
>
> Wednesday, 18 August 2021, 19:46 +03:00 from Павел Семенищев via
> PacketFence-users :
>
> Hi there
>
> I’ve just installed ZEN-v10.3.0
> I am trying to set up web administrators authorization through an external
> RADIUS server.
> If I create Authentication Source -> Administration Rules
> without conditions, then the administrator is authorized with the required
> role
>
> [NasRadius rule AdminRoleNode]
> action0 = set_access_level = Node Manager
> status = enabled
> match = any
> class = administration
>
> But I need to assign different roles to different administrators.
> How to add a condition and in which RADIUS attribute should I transfer the
> role?
>
> I have tried adding a condition
>
> [NasRadius rule AdminRoleNode]
> action0 = set_access_level = Node Manager
> condition0 = radius_request.Reply-Message, equals, NodeManager
> status = enabled
> match = any
> class = administration
>
> External RADIUS returns role in attribute
>
> Access-Accept (2), id: 0xa5, Authenticator:
> 63540bff74a2eb318a4ba0b6b8b6c9c6
>   Reply-Message Attribute (18), length: 13, Value: NodeManager
>
> But PF does not authorize the web administrator.
>
> --
> Kind regards,
> Pavel Semenischev
>
>
>


Re: [PacketFence-users] Best Practice for devices from partner companies

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello,

I believe the solution is to use EAP-TLS, but if they don't provide the CA
certificate of their company then they will have to provide a way to talk
to their RADIUS server (something like eduroam).

The other solution can be to allow the VPN server in the passthrough; then
if they connect on the guest Wi-Fi they will be able to have a VPN
connection and surf the internet (not internally).

Regards
Fabrice


On Wed, 8 Sept 2021 at 03:03, Matthies, Heiko via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Ludovic,
>
> this issue regards just the wired access as those devices are unable to
> use our guest-wifi (which is currently not packetfence based). The customer
> who provided those devices is very restrictive about the usage outside of
> their own company network which is why the devices need a VPN connection in
> order to access any kind of websites -> captive-portal detection does not
> work correctly on those machines (but this is another topic)
>
> Yes, I think I figured out the correct switchport config for the usage of
> both internal corporate clients and partner company clients. My goal was to
> streamline the switchport configs so that most of our switchports would be
> configured equally and every port provides the same capabilities.
>
> I went with putting MAB-auth first and then following with dot1x-auth.
> This way, those partner devices get processed right away and don't get to
> present their certificate.
>
> The only downside of this is that I get two reject events before the
> accept for my own corporate clients because I disallowed the authentication
> via MAB for those. Is there a better solution for this (maybe I could
> ignore MAB requests for a specific kind of node-group?)
>
> We are currently using EAP-TTLS for our own clients, the partner devices
> use EAP-TLS. In theory, this would be possible but I doubt that I would get
> my hands on a certificate from this company, as I said they are very
> restrictive and I don't think they would provide something like this for us.
>
> I think I will stick to the "authentication order" solution for now, at
> least for those special clients, but maybe there really is a way to just
> serve dot1x auth for selected clients without sending a reject first.
>
> Thank you!
>
> Greetings
>
> Heiko
>
>
> *ASAP Engineering GmbH* Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 (8458) 3389 0 | Fax. +49 (8458) 3389 399
> heiko.matth...@asap.de | www.asap.de
>
> Managing Directors: Michael Neisen, Robert Werner, Christian Schweiger |
> Registered office: Gaimersheim | District court: Ingolstadt HRB 5408
>
> Data protection: Detailed information on how ASAP handles your personal
> data is available on our website under Data protection.
>
> *From:* Zammit, Ludovic
> *Sent:* Tuesday, 7 September 2021 14:40
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Matthies, Heiko
> *Subject:* Re: [PacketFence-users] Best Practice for devices from partner
> companies
>
> Hello Heiko,
>
> A few questions:
>
> Are you currently using EAP-TLS for you?
>
> Is it wired or wireless access? I will assume it's wired but I prefer to
> ask.
>
> If it's wired, you actually choose the method of authentication on the
> switch port configuration. Even if they have 802.1X configuration at the
> NIC level it would do MAC authentication if you tell it to.
>
> If you are not already using EAP-TLS for your network, you could create a
> new EAP-TLS profile that serves a certificate from a Root CA that they
> already trust.
>
> Example:
>
> EAP PEAP = Your RADIUS certificate
>
> EAP TLS = CompanyA RADIUS certificate
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
>
> *Cell:* +1.613.670.8432
>
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> Connect with Us:
>
> On Sep 6, 2021, at 8:38 AM, Matthies, Heiko via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello,
>
> I'm looking for a way to integrate devices from partner companies into our
> network. I planned to provide an extra VLAN at every site which allows
> nothing but basic internet access without a captive portal.
> They normally use certificate based authentication via EAP-TLS which leads
> me to my problem:
> - By default, Windows is configured to ignore certificate handshakes with
> RADIUS servers it does not trust. As the devices were provisioned by third
> party companies there is no way that their configuration would trust my
> self signed RADIUS 

Re: [PacketFence-users] Remove 'Null Source' from splash page

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello David,

you don't have to change the .pm file but the translation one (it's a .po
file).

Do something like that on your PF server to find the file:

grep "I accept the terms" * -r

Then edit it and change the strings you want.

Then in /usr/local/pf do:
make translation

Regards
Fabrice



On Thu, 26 Aug 2021 at 15:55, David Herselman via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> We would like to be able to have an empty splash page, whereby
> aup_text.html is completely empty and the 'I accept the terms' is replaced
> with 'Connect'.
>
> I've managed to rename the button:
>
> perl -i -pe 's/I accept the terms/Connect/g'
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Form/Widget/Field/AUP.pm;
>
> But I'm having problems removing 'Null Source'. When I set 'description'
> as empty or a white space in /usr/local/pf/conf/authentication.conf I get
> the following:
>
> [null]
> description=
> type=Null
> email_required=no
> dynamic_routing_module=AuthModule
>
> If I replace it with a period then it works and only displays the period;
> how do I display nothing at all?
>
> Regards
>
> David Herselman
>
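Added example, not from the post and not PacketFence code: a POSIX shell helper that does the edit Fabrice describes on the .po file itself, rewriting the msgstr of one gettext entry (here the AUP button label) and leaving the other entries untouched, so the change is what `make translation` compiles instead of a patch to AUP.pm that the next upgrade overwrites. The .po location is an assumption (find it with the grep Fabrice gives); the `demo` function works on a constructed two-entry .po file. It handles a multi-line msgstr (`msgstr ""` followed by continuation lines) but assumes the msgid itself fits on one line, which holds for a short string like this one.

```shell
#!/bin/sh
# Added example (not PacketFence code): change one msgstr in a gettext .po file, which is the
# file `make translation` compiles, instead of patching the .pm that carries the msgid.
# The .po path is whatever `grep -rl 'I accept the terms' /usr/local/pf --include='*.po'`
# returns on your server (assumed location; not checked here).

# po_get FILE MSGID: print the msgstr of the entry whose msgid line is exactly  msgid "MSGID".
# For a multi-line msgstr (msgstr "" plus continuation lines) only the first line is printed.
po_get() {
    awk -v id="$2" '
        $0 == ("msgid \"" id "\"") { hit = 1; next }
        hit && /^msgstr "/ { s = substr($0, 9); sub(/"$/, "", s); print s; exit }
    ' "$1"
}

# po_set FILE MSGID NEWSTR: replace that entry's msgstr with NEWSTR, dropping the continuation
# lines of a multi-line msgstr. Every other entry is copied through unchanged.
# NEWSTR must not contain double quotes or backslashes (awk -v would interpret them).
po_set() {
    file="$1"
    awk -v id="$2" -v new="$3" '
        skip && /^"/ { next }                         # continuation line of the old msgstr, drop it
        { skip = 0 }
        $0 == ("msgid \"" id "\"") { hit = 1; print; next }
        hit && /^msgstr / { print "msgstr \"" new "\""; hit = 0; skip = 1; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# demo: constructed two-entry .po file; rename the AUP button and leave "Null Source" alone.
demo() {
    d=$(mktemp -d)
    cat > "$d/en.po" <<'EOF'
msgid "I accept the terms"
msgstr ""
"I accept the "
"terms"

msgid "Null Source"
msgstr "Null Source"
EOF
    po_set "$d/en.po" "I accept the terms" "Connect"
    printf '%s|%s\n' "$(po_get "$d/en.po" "I accept the terms")" "$(po_get "$d/en.po" "Null Source")"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
# Afterwards, on the PacketFence server:  cd /usr/local/pf && make translation
```

Run it with `--demo` to see the constructed case (it prints `Connect|Null Source`); on a server, call `po_set` with the .po path grep returned, then run `make translation` in /usr/local/pf. If the gettext tools are installed, `msgfmt --check` on the edited file is a cheap sanity check before rebuilding.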


Re: [PacketFence-users] VPN client configuration in Packetfence

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello Arun,

in fact you need to define the layer 3 remote network in PacketFence
(network interface section) and you will need to forward the DHCP traffic
from the remote network to PacketFence (I hope the traffic is not NATed).

Regards
Fabrice


On Fri, 27 Aug 2021 at 07:57, IS AppSec (IT/Chennai) via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Dear Team,
>
> We are implementing packetfence in our environment with the out-of-band VLAN
> method. So we should create respective VLANs in our network switches (L2
> mode) & firewalls (NAT mode). While creating this configuration for wired &
> wireless users we can configure settings in packetfence. We have site-to-site &
> client-to-site VPN in our environment.
>
> 1.   How will packetfence take care of these VPN users? Any
> special configurations?
>
> 2.   Do we need to make any additional changes on our network devices for VPN
> users?
>
> *Regards*
>
> Arun
>
> Information Security Analyst
>
> Networks & Security
>
> Phone: +91 9750831454
>
> Please don't print this email unless you really need to. Save Papers, Save
> Trees, Save Earth.
>
> This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> Information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you may please note
> that any use, dissemination, distribution, or copying of this communication
> is strictly prohibited. If you have received this communication in error,
> please notify us immediately by telephone and (i) destroy this message if a
> facsimile or (ii) delete this message immediately if this is an electronic
> communication
>


Re: [PacketFence-users] Free-Radius authentication with Active Directory using Kerberos.

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello Peter,

Kerberos is not supported by the Windows supplicant, so it's not possible.
What you can do is to enable the NT hash feature in PacketFence and just
deal with that (no more NTLM).

Regards
Fabrice



On Wed, 25 Aug 2021 at 05:54, Chin, Peter via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello All
>
> We are looking at implementing PacketFence as our NAC with a few conditions.
> One is being able to perform user and machine authentication with
> objects from Active Directory. Secondly, authenticate against Active
> Directory using Kerberos instead of NTLM or NTLMv2 because of security
> requirements. NTLM and v2 are the protocols written in the documentation
> but not Kerberos. Has anyone implemented PacketFence with these
> requirements successfully?
>
> Thank you,
>
> Peter Chin | Sr. Technical Programmer | IT Operations | Community College
> of Rhode Island |400 East Ave, Warwick RI, 02886 | pc...@ccri.edu | (401)
> 825.1237
>
>


Re: [PacketFence-users] Version 11 - CentOS 7, CentOS 8 or Rocky Linux?

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello Fernando,

upgrading CentOS 7 to CentOS 8 is "possible", I did it, but it's not the
method I recommend.
IMO you should start from scratch, install Rocky/Alma Linux and install
PacketFence 11 on it.

Btw, there is an upgrade script you can use to export the config to a new
server.

Regards
Fabrice



On Fri, 10 Sept 2021 at 01:40, Fernando Pimenta via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello All,
>
> With version 11, PF dropped the support for CentOS 7 and added CentOS 8.
> But CentOS 8 will be discontinued in December.
>
> Is Inverse targeting Rocky Linux?
>
> I have a production server with CentOS 7 and PF 10.3. Which is the best
> way for this scenario: maintain the server and compose a new server in
> parallel with CentOS 8 or upgrade to v11 using my CentOS 7 based server?
>
> Thanks for all the opinions.
>
> Fernando Pimenta
>


Re: [PacketFence-users] Wake-on-Lan

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello Joffrey,

as I remember it's a switch config to do; not sure every vendor supports it
(at least Cisco supports it).

Regards
Fabrice


On Thu, 26 Aug 2021 at 15:55, Joffrey Bienvenue via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Good morning
>
> In order to patch our PCs, we often need to wake them up using Wake-On-Lan.
>
> Is it possible to send WOL requests on the registration vlan?
>
> Then once awake, we would send them into a restricted VLAN where we could
> apply patches... Unless there is a better way to do so?
>
> Cheers
> Joffrey
>
> --
> Joffrey Bienvenue |  CTO  |  Peerless Clothing Inc.  |   Boul. Pie IX
> Montréal, QC H1Z 4J5  |  514-723-7887
>
>


Re: [PacketFence-users] haproxy portal

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello All,

remove that from pf.conf:

[captive_portal]
ip_address=192.168.203.1

Just a quick explanation of why this parameter exists: it's just because of
Samsung devices.
If the device is on the same layer 2 as the registration interface then
the portal IP address needs to be on a different network (if not, the
portal never triggers).
That's how Samsung devices work, don't ask me why, I have no clue...

And if you check on the IP stack, the IP you define as captive_portal is
defined on the lo interface (ip a).

Regards
Fabrice




On Wed, 8 Sept 2021 at 03:03, Zestermann, Ronald via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> since I have a similar problem, I'll add myself to this post. Maybe it
> will also help the creator.
>
> The start of haproxy-portal fails with the following error:
>
> -- Unit packetfence-haproxy-portal.service has begun starting up.
> Sep 07 07:14:12 pir-nac03 packetfence[1016]: -e(1016) WARN: requesting
> member ips for an undefined interface... (pf::cluster::members_ips)
> Sep 07 07:14:12 pir-nac03 packetfence[1016]: -e(1016) WARN: requesting
> member ips for an undefined interface... (pf::cluster::members_ips)
> Sep 07 07:14:12 pir-nac03 pfhttpd[31992]: api-frontend-access 127.0.0.1 -
> - [07/Sep/2021:07:14:12 +0200] "GET /api/v1/queues/stats HTTP/1.1" 200 1123
> "https://192.168.9.183:1443/admin?;
> Sep 07 07:14:12 pir-nac03 haproxy[32595]: 192.168.8.15:62612
> [07/Sep/2021:07:14:12.725] admin-https-192.168.8.2~ api/127.0.0.1
> 0/0/0/6/7 200 1295 - -  1/1/0/0/0 0/0 {192.168.9.183:1
> Sep 07 07:14:12 pir-nac03 haproxy[1019]: [ALERT] 249/071412 (1019) :
> Parsing [/usr/local/pf/var/conf/haproxy-portal.conf:122]: frontend
> 'portal-http-192.168.203.1' has the same name as
> Sep 07 07:14:12 pir-nac03 haproxy[1019]: [ALERT] 249/071412 (1019) :
> parsing [/usr/local/pf/var/conf/haproxy-portal.conf:125] : stick-table name
> 'portal-http-192.168.203.1' conflicts wi
> Sep 07 07:14:12 pir-nac03 haproxy[1019]: [ALERT] 249/071412 (1019) :
> Parsing [/usr/local/pf/var/conf/haproxy-portal.conf:140]: frontend
> 'portal-https-192.168.203.1' has the same name as
> Sep 07 07:14:12 pir-nac03 haproxy[1019]: [ALERT] 249/071412 (1019) :
> parsing [/usr/local/pf/var/conf/haproxy-portal.conf:143] : stick-table name
> 'portal-https-192.168.203.1' conflicts w
> Sep 07 07:14:12 pir-nac03 haproxy[1019]: [ALERT] 249/071412 (1019) :
> Error(s) found in configuration file :
> /usr/local/pf/var/conf/haproxy-portal.conf
> Sep 07 07:14:12 pir-nac03 haproxy[1019]: [ALERT] 249/071412 (1019) : Fatal
> errors found in configuration.
> Sep 07 07:14:12 pir-nac03 systemd[1]: packetfence-haproxy-portal.service:
> Main process exited, code=exited, status=1/FAILURE
> Sep 07 07:14:12 pir-nac03 systemd[1]: Failed to start PacketFence HAProxy
> Load Balancer for the captive portal.
> -- Subject: Unit packetfence-haproxy-portal.service has failed
>
> checking the configuration results in the following:
>
> haproxy -c -V -f /usr/local/pf/var/conf/haproxy-portal.conf
> [ALERT] 250/074126 (24684) : Parsing
> [/usr/local/pf/var/conf/haproxy-portal.conf:122]: frontend
> 'portal-http-192.168.203.1' has the same name as frontend
> 'portal-http-192.168.203.1' declared at
> /usr/local/pf/var/conf/haproxy-portal.conf:70.
> [ALERT] 250/074126 (24684) : parsing
> [/usr/local/pf/var/conf/haproxy-portal.conf:125] : stick-table name
> 'portal-http-192.168.203.1' conflicts with table declared in frontend
> 'portal-http-192.168.203.1' at
> /usr/local/pf/var/conf/haproxy-portal.conf:70.
> [ALERT] 250/074126 (24684) : Parsing
> [/usr/local/pf/var/conf/haproxy-portal.conf:140]: frontend
> 'portal-https-192.168.203.1' has the same name as frontend
> 'portal-https-192.168.203.1' declared at
> /usr/local/pf/var/conf/haproxy-portal.conf:88.
> [ALERT] 250/074126 (24684) : parsing
> [/usr/local/pf/var/conf/haproxy-portal.conf:143] : stick-table name
> 'portal-https-192.168.203.1' conflicts with table declared in frontend
> 'portal-https-192.168.203.1' at
> /usr/local/pf/var/conf/haproxy-portal.conf:88.
> [ALERT] 250/074126 (24684) : Error(s) found in configuration file :
> /usr/local/pf/var/conf/haproxy-portal.conf
> [ALERT] 250/074126 (24684) : Fatal errors found in configuration.
>
> It is strange that there are duplicate entries of the frontend type in
> haproxy-portal.conf and I don't know where they come from or how I can
> delete them again. Every change to the file is deleted after a restart.
> 
> cat /usr/local/pf/var/conf/haproxy-portal.conf
> # This file is generated from a template at
> /usr/local/pf/conf/haproxy-portal.conf
> # Any changes made to this file will be lost on restart
>
> # Copyright (C) Inverse inc.
> global
>   external-check
>   user haproxy
> group haproxy
> daemon
> pidfile /usr/local/pf/var/run/haproxy-portal.pid
> log /dev/log local0
> stats socket /usr/local/pf/var/run/haproxy-portal.stats level
> admin process 1
> maxconn 

Re: [PacketFence-users] Custom Security Event

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello Arun,

there is no security event that triggers that, but it's not something really
complicated to add to PacketFence.

If you look at is_max_reg_nodes_reached in node.pm, you can trigger a
security event from there.

Let me know if you need help on that, it won't take me so much time to code
it.

Regards
Fabrice


Le mer. 25 août 2021 à 05:54, Arun Kangle via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello All,
> I went through the install guide and this list but I did not find
> information on how to configure a custom security event.
> Basically I wanted to trigger a custom security event when "max nodes per
> pid met or exceeded" and move the node to the isolation VLAN so that the
> user can deregister one of the nodes to proceed.
>
> Thanks in advance,
> - Arun
>


Re: [PacketFence-users] NAT specific internal IP to specific external

2021-09-10 Thread Fabrice Durand via PacketFence-users
Hello Ivo,

Hum, first you need to add virtual IPs on the WAN interface and play with
conf/iptables.conf to add your rules.

Also, which interface is the management one? (this one is NATed by
default).

Regards
Fabrice



Le ven. 10 sept. 2021 à 01:40, Admin SielNet via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello,
>
> I am a new PF user and currently overwhelmed with the settings of PF.
>
> Our PacketFence installation has 2 network ports currently.
>
> 1 interface is WAN. 123.123.123.160
> The other interface is LAN. 10.0.0.1
>
> We have one /24 public address block at our disposal.
>
> What I like to do with the PacketFence VM is the following:
>
> NAT private 10.10.5.X to public 123.123.123.5
> NAT private 10.10.6.X to public 123.123.123.6
> NAT private 10.10.7.X to public 123.123.123.7
> and so forth. For 120 IP addresses.
>
> What do I need to do to accomplish this?
> I need to set up virtual interfaces in PacketFence for every user.
> The IP addresses are examples.
>
> An internal user should receive 1 public IP address. (example
> 123.123.123.7)
> Each device of this user should receive an IP from 10.10.7.X and each
> device from this user should use the public IP address 123.123.123.7
>
> Lastly, users should be on separate VLANs. 10.10.7.X is VLAN 7.
>
> I am unsure how I can accomplish this with PF.
> I am a newbie in networks.
> As far as I understand, this is possible.
>
> I just need a little help to figure this out.
>
> Greetings
>
> Ivo Damjanovic
> SielNet e.V.
>
>
>
>
>
>
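As an added example (not from the thread and not PacketFence's own code) of the rule set Fabrice describes: a shell script that, for each user VLAN N, emits the secondary public address 123.123.123.N for the WAN interface and the matching source NAT rule for 10.10.N.0/24. The WAN interface name (wan0 is a placeholder) and the VLAN range are assumptions; the addresses are the ones Ivo gave.

```shell
#!/bin/sh
# Added example (not from the thread or from PacketFence): emit the per-user
# NAT mapping 10.10.N.0/24 -> 123.123.123.N as commands that can be reviewed
# and then placed in conf/iptables.conf.
# The WAN interface name and the VLAN range are assumptions.
set -eu

WAN_IF="${WAN_IF:-wan0}"        # placeholder WAN interface name (assumption)
PUBLIC_PREFIX="123.123.123"     # public /24 from the thread
PRIVATE_PREFIX="10.10"          # user VLAN N lives in 10.10.N.0/24 (from the thread)
WAN_HOST=160                    # 123.123.123.160 is the WAN address itself (from the thread)

# Commands for one user VLAN N: a secondary public address on the WAN
# interface (a /32 so the connected /24 route is not duplicated) and a
# source NAT rule that rewrites 10.10.N.0/24 to 123.123.123.N on the way out.
nat_rules_for_vlan() {
    n="$1"
    if [ "$n" -eq "$WAN_HOST" ]; then
        echo "VLAN $n would reuse the WAN host address .$WAN_HOST" >&2
        return 1
    fi
    printf 'ip addr add %s.%s/32 dev %s\n' "$PUBLIC_PREFIX" "$n" "$WAN_IF"
    printf 'iptables -t nat -A POSTROUTING -s %s.%s.0/24 -o %s -j SNAT --to-source %s.%s\n' \
        "$PRIVATE_PREFIX" "$n" "$WAN_IF" "$PUBLIC_PREFIX" "$n"
}

# Same for an inclusive range of VLAN ids. Host parts outside 1..254 are
# rejected up front so a typo cannot produce an unusable address, and a
# failure for any single VLAN aborts the whole range.
nat_rules_for_range() {
    first="$1"; last="$2"
    if [ "$first" -lt 1 ] || [ "$last" -gt 254 ] || [ "$first" -gt "$last" ]; then
        echo "invalid VLAN range $first-$last" >&2
        return 1
    fi
    n="$first"
    while [ "$n" -le "$last" ]; do
        nat_rules_for_vlan "$n" || return 1
        n=$((n + 1))
    done
}

# Example run: the three VLANs from the thread (5, 6 and 7).
nat_rules_for_range 5 7
```

If PacketFence's default NAT rule for the management interface also matches this traffic, these SNAT rules need to come before it in conf/iptables.conf, since the first matching POSTROUTING rule wins.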


Re: [PacketFence-users] How to use username rewriting in v11?

2021-09-06 Thread Fabrice Durand via PacketFence-users
Hello,

you have to use the preprocess scope in the radius filter.
In addition you can use the macro
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_filter_engine_macro

Regards
Fabrice


Le lun. 6 sept. 2021 à 12:07, Cristian Mammoli via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Could you please provide an example of how to configure a radius filter
> to rewrite the username?
>
> I'm referring to this:
> https://github.com/inverse-inc/packetfence/pull/6293
>
> Thanks
>
>
>


Re: [PacketFence-users] Packetfence portal with Coovachilli

2021-07-28 Thread Fabrice Durand via PacketFence-users
Hello Francisco,

it happens directly in the client browser.

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/CoovaChilli.pm#L84

So I recommend running Chrome in dev mode and checking in the network tab whether the
device is able to tell the AP that it is registered.

Regards
Fabrice


Le mer. 28 juil. 2021 à 07:41, Francisco jose via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello,
>
> I am configuring Packetfence to work as a captive portal backend using
> CoovaChilli in OpenWRT.
>
> In Packetfence, I have made the following configuration:
>
> - I have configured a Packetfence switch with the CoovaChilli template and
> the External Portal Enforcement option enabled. As auth source is
> configured an OpenLDAP server.
> - A Connection Profile to use the portal for Wireless-Web_auth connections
> type.
> - In Packetfence management interface, I have enabled the portal service.
> - In Advanced Options -> Captive Portal, I have disabled secure
> redirection as the official documentation says.
>
>
> In Coovachilli, I have made the following configuration:
>
> - I have configured the Radius Server with Packetfence management IP and a
> valid radius secret.
> - I have configured the CoA feature.
>
> When I connect a client to the portal SSID, it is redirected to the portal
> home page, and authenticated successfully by login or guest access.
> Packetfence successfully authenticates the user and applies the role, but
> does not send the authentication status to Coovachilli, so even though the
> client is authenticated by Packetfence, Coovachilli keeps the dnat status
> for the client and does not allow external connection.
>
> Is there a way to configure Packetfence to inform Coovachilli to change
> the status from dnat to pass?
>
> Chilli version: coova-chilli 1.5
> Packetfence version: 10.3.0+20210414154410+286398790+0009+v10.3.0+stretch1
>
> Thanks!
> --
> Francisco José Álvarez | *Integration Engineer*
> +34 955 382 328 | galgus.net
>
> The information contained in this e-mail transmission is confidential and
> may be privileged. It is intended only for the addressee(s) stated above.
> If you are not an addressee, any use, dissemination, distribution,
> publication or copying of the information contained in this e-mail is
> strictly prohibited. It is your responsibility to scan this email and any
> attachments for viruses. If you have received this e-mail in error, please
> immediately notify us at he...@galgus.net and delete the e-mail from your
> system.
>


Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

2021-07-08 Thread Fabrice Durand via PacketFence-users
Hello Jake,

as Diego said, it can be a lack of the DHCP option for RFC 7710 in your
DHCP server (I coded the DHCP server with all my love and you still don't
want to use it).
It can also be a certificate issue: if the certificate expiration date is
more than x months away, then Apple devices don't like it and will not follow the
redirection.

If you are able to take a capture from PacketFence for a device that has
the issue, it would be easier to troubleshoot.

Regards
Fabrice


Le jeu. 8 juil. 2021 à 17:16, Diego García del Río via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi jake,
>
> It's ok.. that's what I had understood
>
> I'm just surprised that registration / isolation works with an external
> DHCP server. I guess that's what the DHCP listener process is there for
> (snooping the DHCP client information). In general I always expected
> PacketFence to identify the client by the fact that it's acting as DHCP
> server for the registration/isolation networks. In fact, while external
> DHCP servers can be used for production traffic, isolation/registration is
> meant to be handled with the internal DHCP (as far as I understand). I
> mean, the system seems to be working for you otherwise so it probably works
> fine... but the whole thing is very strange.
>
> sorry for derailing the topic.
>
>
>
>
>
> *Diego Garcia del Rio* | CTO | Mediatel S.A. | Tel: +54 11 5218 0463
> (x103) | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz
> 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
> https://goo.gl/maps/NZCFPwVkFFf14cR67
>
>
> On Thu, 8 Jul 2021 at 15:31, Sallee, Jake via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> I apologize if I did not phrase that correctly.
>>
>> We ARE using PF for isolation and registration, what we are not using is
>> the DHCP functionality that PF offers.
>>
>> We are using our own DHCP servers to provide IPs to clients for
>> registration and isolation, as well as the standard production networks.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer and Security Specialist
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> 
>> From: Diego García del Río 
>> Sent: Thursday, July 8, 2021 1:06 PM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Sallee, Jake
>> Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices
>>
>> EXTERNAL Exercise Caution
>> not using packetfence for isolation/registration is quite surprising. Is
>> that supported at all?
>>
>> I'm guessing it works for you.. but still quite surprising. (unless you're
>> using the built-in captive portal of your APs)
>>
>> but if you're using an external dhcp server then the RFC7710 path seems
>> moot...
>>
>>
>>
>> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
>> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz 2360 – 4B (1636),
>> Vicente López, Buenos Aires, Argentina |
>> https://goo.gl/maps/NZCFPwVkFFf14cR67
>>
>>
>> On Thu, 8 Jul 2021 at 14:16, Sallee, Jake via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>> > you might want to check /usr/local/pg/logs for the file
>> httpd.portal.access and look for the string rfc7710 in there?
>>
>> First, thank you for the effort but I didn't see anything in the logs
>> about rfc7710.  But, I have not enabled debugging in the logs yet so there
>> is still hope.
>>
>> Quick question though, currently we do not use PF for our DHCP (even for
>> registration or isolation).  With that in mind would the info you mention
>> still show up in the logs?
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer and Security Specialist
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> 
>> From: Diego García del Río <dgar...@mediatel.com.ar>
>> Sent: Wednesday, July 7, 2021 5:47 PM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Sallee, Jake
>> Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices
>>
>> EXTERNAL Exercise Caution
>> you might want to check /usr/local/pg/logs for the file
>> httpd.portal.access and look for the string rfc7710 in there...
>>
>> (and sorry, its RFC 7710bis, not 7720bis)
>>
>> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
>> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos
>> Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
>> https://goo.gl/maps/NZCFPwVkFFf14cR67
>>
>>
>> On Wed, 7 Jul 2021 at 19:45, Diego García del Río <
>> 

Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-08 Thread Fabrice Durand via PacketFence-users
Hello Thapeli,

I can see that you have multiple issues in your config.

First, the switch config doesn't look correct.

If the PacketFence server is plugged into port Fa0/1, only VLAN 1 is
allowed.
Next, you don't have to enable 802.1X on this port.

interface FastEthernet0/1
 switchport trunk allowed vlan 1
 switchport mode trunk
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 dot1x reauthentication


The port where you plug in your testing device should be like this:


switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication



Also on the PF side it looks like you have an interface
eno1636.1 which is useless since the native VLAN looks to be 1,
so eno1636 is already in VLAN 1.



Another thing: you can't return VLAN ID 1 if the native VLAN on the
switchport is already 1; you should return nothing.


[172.16.251.2]
description=Test Switch
guestVlan=
defaultVlan=
type=Cisco::Catalyst_2950
VoIPLLDPDetect=N
uplink=23,24
radiusSecret=useStrongerSecret
MachineVlan=
UserVlan=


And verify that you are able to ping the switch IP from PacketFence:
172.16.251.2


Regards

Fabrice



Le jeu. 8 juil. 2021 à 17:16, Thapeli Matsabu via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi,
>
> Find the attached. I only have one server. It is also working as radius.
>
>
>
>
>
> Kind regards,
>
>
>
>
>
> *From:* Zammit, Ludovic 
> *Sent:* 08 July 2021 09:28 PM
> *To:* Thapeli Matsabu 
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] VLAN Enforcement with MAC address
> authentication
>
>
>
> Hello there,
>
>
>
> If your Radius audit log is empty it probably means that the radius
> authentication did not work properly or you are still cached from a
> previous authentication.
>
>
>
> Can you provide the /usr/local/pf/logs/packetfence.log and the
> /usr/local/pf/logs/radius.log of the server that does the authentication ?
>
>
>
> Thanks,
>
>
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
>
>
> *Cell:* +1.613.670.8432
>
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
>
>
>
> On Jul 8, 2021, at 3:25 PM, Thapeli Matsabu 
> wrote:
>
>
>
> Hi Ludovic,
>
> Apologies for the delayed response. Due to covid restrictions I am working
> from home and my lab was still at the office. Today I went and got the
> equipment.
>
>
>
> 1. My radius audit log is empty. What does that mean?
> 2. Radius CoA. Is this on the switch configuration?
>
>
>
>
>
>
>
> *From:* Zammit, Ludovic 
> *Sent:* 06 July 2021 02:41 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Thapeli Matsabu 
> *Subject:* Re: [PacketFence-users] VLAN Enforcement with MAC address
> authentication
>
>
>
> Hello there,
>
>
>
> Multiple things that you can verify.
>
>
>
> 1. Make sure in Auditing that the radius reply for that MAC address
> contains the Tunnel-Private-Group-Id = “1"
>
>
>
> 2. Re-check if the radius CoA is correctly configured to disconnect user
> (radius dynamic authorization)
>
>
>
> 3. Show us your configuration / logs related to that authentication.
>
>
>
> Thanks,
>
>
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
>
>
> *Cell:* +1.613.670.8432
>
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
>
>
>
>
> On Jul 6, 2021, at 3:51 AM, Thapeli Matsabu via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>
>
> Hi all,
>
> I have been through this mailing trying to find if someone had this
> problem before, but I could not find anything similar.
>
>
>

Re: [PacketFence-users] cli access always accept

2021-07-08 Thread Fabrice Durand via PacketFence-users
Hello,

it has been fixed but it introduced a new regression.

Can you try that:
https://github.com/inverse-inc/packetfence/commit/2b622a55fda11390d2d7c7cc6752f0dd3d4af2e6

Regards
Fabrice


Le jeu. 8 juil. 2021 à 14:06, mi saki via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> I use PF to auth CLI.
>
> And everything is ok, but no matter what password I enter, it accepts this
> authorization
>
>
>
> ---
>
> Request Time
> 0
> RADIUS Request
> User-Name = "testuser11"
> User-Password = "**"
> NAS-IP-Address = 10.95.17.6
> NAS-Port = 16878920
> Service-Type = Login-User
> Framed-IP-Address = 192.168.50.177
> Calling-Station-Id = "00:00:00:00:00:00"
> NAS-Identifier = "2-IT-office-SW01"
> Proxy-State = 0x3335
> NAS-Port-Type = Virtual
> Acct-Session-Id = "1210608184124010"
> Event-Timestamp = "Jul  8 2021 18:41:12 CST"
> Message-Authenticator = 0x420b2d3f948dc06ef05359262d996619
> NAS-Port-Id = "slot=1;subslot=0;port=24;vlanid=3400"
> Huawei-Connect-ID = 2359297
> Huawei-Startup-Stamp = 956750422
> Huawei-IPHost-Addr = "192.168.50.177 00:00:00:00:00:00"
> Huawei-Product-ID = "H3C S5110-28P-PWR"
> Stripped-User-Name = "testuser11"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = 172.31.137.75
> PacketFence-KeyBalanced = "018578ff66ff1ab1b889f7256c0da2ab"
> PacketFence-Radius-Ip = "172.31.137.67"
> SQL-User-Name = "testuser11"
> RADIUS Reply
> Proxy-State = 0x3335
> H3C-Exec-Privilege = Manage
>
>
> 
>


Re: [PacketFence-users] Unregistered nodes via pfmon node_cleanup are unable to be re-registered

2021-06-23 Thread Fabrice Durand via PacketFence-users
Hello Mark,
When you register the device from the admin GUI, do you change the unreg
date?

Regards
Fabrice


Le mer. 23 juin 2021 à 19:38, Mark Okuno via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello packetfence-users,
>
> We are running packetfence 9.0 on a 3-node cluster.  We seem to have run
> into an issue where a node that has become unregistered due to the
> scheduled pfmon node_cleanup *unreg window* feature is unable to be
> re-registered on the UI.  The registration status stays for about a minute
> or so, and then reverts back to unregistered.  I have been able to 'fix'
> this issue by executing the pfcmd node delete command on the CLI.
>
> Is this how PF is supposed to function regarding the unreg window
> feature?  If possible, I'd like my node managers to be able to re-register
> such nodes without escalating tickets to our ops team.  Thank you!
>
> Best,
>
>
> Mark Okuno
> IT Operations, UCSB Library
> University of California, Santa Barbara
> 805.893.2002
>
>


Re: [PacketFence-users] 802.1X against FreeIPA LDAP source

2021-06-23 Thread Fabrice Durand via PacketFence-users
Hello Mathieu,

in fact if you want to use FreeIPA, you need to have the clear-text/NT hash
version of the password in the LDAP directory.
Btw I don't know if Samba is available with FreeIPA.

Regards
Fabrice


Le mer. 23 juin 2021 à 06:30, Mathieu Valois via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi,
> I've installed PacketFence 10.3.0 and I would like to enable 802.1X on my
> network using my FreeIPA LDAP as a source of authentication using EAP if
> possible (computers are all debian 10 using network manager). Is that even
> possible, and if it is, where can I find resources to achieve such a thing?
>
> Following the install documentation led me to always get authentication
> errors because the mschap binary failed, complaining it's not in the domain.
> --
> *Mathieu Valois*
>
> Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760
> Bretteville-sur-Odon
> Bureau Vitré: Zone de la baratière - 12, route de Domalain - 35500 Vitré
> 02 72 34 13 20 | www.teicee.com
> 
>


Re: [PacketFence-users] Question regarding CLI Access for Avaya/Nortel/Extreme ERS switches

2021-06-16 Thread Fabrice Durand via PacketFence-users
Yes you can add it in Avaya.pm and you just need to restart httpd.aaa.

Regards
Fabrice


Le mer. 16 juin 2021 à 14:13, Chris Crawford via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Do I need to put this into the Avaya.pm in …/lib/pf/Switch/Avaya.pm? Or
> can I create a new switch template and put it in it?
>
>
>
> Also, I assume I need to restart PacketFence for this to take effect?
>
>
>
> Cheers,
>
> Chris
>
>
>
> *From:* Quiniou-Briand, Nicolas 
> *Sent:* June 14, 2021 9:01 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Chris Crawford 
> *Subject:* RE: Question regarding CLI Access for Avaya/Nortel/Extreme ERS
> switches
>
>
>
> ✉*External message:* Use caution.
>
> Hello Chris,
>
>
>
> > My question is about how I would add it?
>
>
>
> You normally just need to add two functions in your .pm file:
>
> - returnAuthorizeWrite (to handle read/write access)
>
> - returnAuthorizeRead (to handle read-only access)
>
>
>
> See Generic switch module [1] as an example.
>
>
>
> [1]
> https://github.com/inverse-inc/packetfence/blob/268dd8ce5812e0daf8e83e3fcddd502b1037665a/lib/pf/Switch/Generic.pm
>
>
>
> *Nicolas Quiniou-Briand*
> *Product Support Engineer*
>
> *Office:* +33156696210
>
> Akamai Technologies
> 145 Broadway
> Cambridge, MA 02142
>
>
>
>


Re: [PacketFence-users] Debian 11 support?

2021-06-16 Thread Fabrice Durand via PacketFence-users
Hello,

it's on the way, we are working on the support for debian 11 and rhel8.

Regards
Fabrice


Le mer. 16 juin 2021 à 14:13, David Magda via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello,
>
> Currently the official repos only have binaries for Debian 9 (stretch)
> which is getting kind of old (security updates will stop June 2022):
>
>
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_debian_based_systems
>
> Given that Debian 11 (bullseye) will be released in the coming month or
> two, are there any plans on supporting it? I’m about to build out some new
> infrastructure, and am able to delay things for a little while if it means
> one less upgrade down the road.
>
> (CentOS is another (less-than-ideal) option for us, but 7 is also aging,
> and there’s drama with 8.)
>
> Thanks for any info.
>
> Regards,
> David
>
>


Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

2021-05-19 Thread Fabrice Durand via PacketFence-users
Hello David,

I will be happy to review your PR once done.

Btw I am always impressed by the Mikrotik features, it's like a network
equipment switch knife.

Last thing, if the deauth method is not the same between wifi and wired,
you can add the function wiredeauthTechniques in the switch module. (
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/Catalyst_2960.pm#L450
)

Regards
Fabrice





Le mer. 19 mai 2021 à 22:04, David Herselman via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi Fabrice,
>
>
>
> Even better! 
>
>
>
> Herewith my minimal modifications, I’ll submit a patch after doing some
> more testing but everything looks good so far:
>
> --- Mikrotik.pm.orig2021-05-08
> 07:38:14.976719201 +0200
>
> +++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-19
> 23:05:18.489619568 +0200
>
> @@ -29,6 +29,7 @@
>
>  $SSID
>
>  $WIRELESS_MAC_AUTH
>
>  $WEBAUTH_WIRELESS
>
> +$WIRELESS
>
> );
>
> sub description { 'Mikrotik' }
>
>
>
> @@ -46,6 +47,8 @@
>
> # CAPABILITIES
>
> # access technology supported
>
> use pf::SwitchSupports qw(
>
> +WiredMacAuth
>
> +WiredDot1x
>
>  WirelessMacAuth
>
>  ExternalPortal
>
>  WebFormRegistration
>
> @@ -139,7 +142,8 @@
>
> sub deauthTechniques {
>
>  my ($self, $method, $connection_type) = @_;
>
>  my $logger = $self->logger;
>
> -my $default = $SNMP::SSH;
>
> +my $default = $SNMP::RADIUS;
>
>  my %tech = (
>
>  $SNMP::SSH=> 'deauthenticateMacSSH',
>
>  $SNMP::RADIUS => 'deauthenticateMacRadius',
>
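Review bot: Switching the default in deauthTechniques from $SNMP::SSH to $SNMP::RADIUS is a behaviour change for every existing wireless deployment of this module that never set a deauth method, not only for the new wired path. Fabrice's reply at the top of this thread points at the narrower fix: leave this default as it was and add a wiredeauthTechniques function for the wired case, modelled on the Catalyst_2960 link he gives, so only wired connections pick up the RADIUS default.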
> @@ -257,8 +261,8 @@
>
>
>
> Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the
> following attributes:
>
>
>
> -ATTRIBUTE   Mikrotik-Wireless-VlanID26  integer
>
> -ATTRIBUTE   Mikrotik-Wireless-VlanIDType27  integer
>
> +ATTRIBUTE   Mikrotik-Wireless-*VLANID*26  integer
>
> +ATTRIBUTE   Mikrotik-Wireless-*VLANID-Type*   27  integer
>
>
>
> =cut
>
>
>
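Review bot: The two `+` lines carry `*VLANID*` and `*VLANID-Type*` with literal asterisks, which look like bold markers added by the mail client rather than attribute names; committed as-is they would put broken dictionary lines into the POD. They should read `ATTRIBUTE Mikrotik-Wireless-VLANID 26 integer` and `ATTRIBUTE Mikrotik-Wireless-VLANID-Type 27 integer`, which matches the keys the reply hash already uses ('Mikrotik-Wireless-VLANID' and 'Mikrotik-Wireless-VLANID-Type').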
> @@ -276,10 +280,18 @@
>
>  # Inline Vs. VLAN enforcement
>
>  my $role = "";
>
>  if ( (!$args->{'wasInline'} || ($args->{'wasInline'} &&
> $args->{'vlan'} != 0) ) && isenabled($self->{_VlanMap})) {
>
> -$radius_reply_ref = {
>
> -'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
>
> -'Mikrotik-Wireless-VLANID-Type' => "0",
>
> -};
>
> +if (($args->{'connection_type'} & $WIRELESS) == $WIRELESS) {
>
> +$radius_reply_ref = {
>
> +'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
>
> +'Mikrotik-Wireless-VLANID-Type' => "0",
>
> +};
>
> +} else {
>
> +$radius_reply_ref = {
>
> +'Tunnel-Type' => "13",
>
> +'Tunnel-Medium-Type' => "6",
>
> +'Tunnel-Private-Group-ID' => $args->{'vlan'} . "",
>
> +};
>
> +}
>
>  }
>
>
>
>  $logger->info("(".$self->{'_id'}.") Returning ACCEPT with VLAN
> $args->{'vlan'} and role $role");
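Review bot: The wired branch hard-codes 'Tunnel-Type' => "13" and 'Tunnel-Medium-Type' => "6" with no comment; these are the numeric values for VLAN and IEEE-802, and either a comment saying so or the symbolic names (FreeRADIUS resolves VLAN and IEEE-802 from its dictionary) would make the intent obvious to the next reader. The test `($args->{'connection_type'} & $WIRELESS) == $WIRELESS` sends everything that is not wireless, i.e. the new WiredMacAuth and WiredDot1x cases, to the Tunnel-* reply, which matches the capabilities added in the second hunk.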
>
>
>
>
>
>
>
> PS: mac fallback is confirmed to be a problem since 6.48 and should get
> fixed in the next stable release…
>
>
>
>
>
> Regards
>
> David Herselman
>
>
>
> *From:* Fabrice Durand 
> *Sent:* Wednesday, 19 May 2021 3:00 AM
> *To:* David Herselman 
> *Subject:* Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)
>
>
>
> Hello David,
>
> what you can do instead of merging wired and wireless attributes is to
> test the connection type.
>
>
>
> use pf::config qw(
> $MAC
> $SSID
> $WIRELESS_MAC_AUTH
> $WEBAUTH_WIRELESS
> $WIRELESS
> );
>
>
>
> 
>
>
>
> if (($args->{'connection_type'} & $WIRELESS) == $WIRELESS) {
>
>
>
> } else {
>
>
>
> }
>
>
>
> Regards
>
> Fabrice
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

2021-05-18 Thread Fabrice Durand via PacketFence-users
Hello David,

you are on the right track.

First you need to append that:

use pf::SwitchSupports qw(
WiredMacAuth
WiredDot1x ... );
Then retry.
Also can you provide a raddebug output when you connect ?

raddebug -f /usr/local/pf/var/run/radiusd.sock

Regards
Fabrice


On Tue, 18 May 2021 at 01:22, David Herselman via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> I'm hoping someone could point me at some documentation which may provide
> necessary steps to extend the MikroTik module to additionally support
> 802.1x for ethernet.
>
> I tried adding 'WiredDot1x' and 'WiredMacAuth' to
> /usr/local/pf/lib/pf/Switch/Mikrotik.pm in the pf::SwitchSupports stanza
> but still received the following warnings:
>
> May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
> [mac:38:60:77:2f:73:f5] Use of uninitialized value $nas_port in
> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2468.
>  (pf::Switch::NasPortToIfIndex)
> May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
> [mac:38:60:77:2f:73:f5] Use of uninitialized value $port in concatenation
> (.) or string at /usr/local/pf/lib/pf/radius.pm line 188.
>  (pf::radius::authorize)
> May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) INFO:
> [mac:38:60:77:2f:73:f5] handling radius autz request: from switch_ip =>
> (100.127.255.10), connection_type => Ethernet-EAP,switch_mac =>
> (6c:3b:6b:18:bc:0b), mac => [38:60:77:2f:73:f5], port => , username =>
> "DOMAIN-01\davidh" (pf::radius::authorize)
> May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
> [mac:38:60:77:2f:73:f5] (100.127.255.10) Sending REJECT since switch is
> unsupported (pf::radius::_switchUnsupportedReply)
>
>
> When I review the Pica8 module I see the following, but have no reference
> as to what they do and whether or not I'm missing something which is
> possibly clearly documented.
>
> Pica8 switch module:
> use pf::config qw(
> $ROLE_API_LEVEL
> $MAC
> $PORT
> $WIRED_802_1X
> $WIRED_MAC_AUTH
>
> MikroTik switch module:
> use pf::config qw(
> $MAC
> $SSID
> $WIRELESS_MAC_AUTH
> $WEBAUTH_WIRELESS
>
>
> Regards
> David Herselman


Re: [PacketFence-users] FortiGate VPN Auth based on AD Group Membership

2021-05-11 Thread Fabrice Durand via PacketFence-users
Hello Chris,

First, we don't compute the role from the source for Fortigate; we just do an
mschap verification, then if it's authenticated we allow the access.
It's missing a little bit of code to do that, but it's nothing really
complicated.

Next the condition in the radius filter you should try:
condition=switch._ip == "172.18.1.90" && connection_type == "VPN-Access"

Btw I will have to work on the VPN code soon, so I will add the logic to
compute the role of the user and return the radius attribute
Fortinet-Group-Name.

Regards
Fabrice


On Tue, 11 May 2021 at 09:55, Chris Crawford via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Good morning,
>
>
>
> I’m looking to assign a user a role, based on their membership in AD and
> have that returned to the FortiGate to allow the user to connect to the VPN.
>
>
>
> User login comes in from the VPN. The User Authenticates.
>
> User-Name = "chris"
>
> NAS-IP-Address = 10.10.20.10
>
> Called-Station-Id = "10.10.20.10"
>
> Calling-Station-Id = "10.10.10.10"
>
> NAS-Identifier = "FortiGate"
>
> Proxy-State = 0x313631
>
> NAS-Port-Type = Virtual
>
> Acct-Session-Id = "46906026"
>
> Event-Timestamp = "May 11 2021 10:23:26 ADT"
>
> Connect-Info = "vpn-ssl"
>
> Message-Authenticator = 0xcc6237fa515961d575f802b4a0908044
>
> Fortinet-Vdom-Name = "root"
>
> MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
>
> MS-CHAP2-Response =
> 0x7e00806b361b428955e2c7df110c101a8be450fe07df152cd08c0445ee178820959c7bb361acf054930c
>
> Stripped-User-Name = "chris"
>
> Realm = "null"
>
> FreeRADIUS-Client-IP-Address = packetfenceVIP
>
> PacketFence-Domain = "DOMAIN"
>
> PacketFence-KeyBalanced = "2276c8900707b1d83ae8bfcaa3008c39"
>
> PacketFence-Radius-Ip = "packetfence1"
>
> PacketFence-NTLMv2-Only = "--allow-mschapv2"
>
> User-Password = "**"
>
> SQL-User-Name = "chris"
>
>
>
> RADIUS Reply
>
> MS-CHAP2-Success =
> 0x7e533d454642323841433243304643323339413633424430303635354336354243423341423039
>
> Proxy-State = 0x313631
>
>
>
> I have a connection profile that it’s supposed to flow through:
>
> 'SSLVPN-90e-Test' => {
>
> 'billing_tiers' => [],
>
> 'filter_match_style' => 'all',
>
> 'preregistration' => 'disabled',
>
> 'sms_pin_retry_limit' => '0',
>
> 'unbound_dpsk' => 'disabled',
>
> 'locale' => [],
>
> 'vlan_pool_technique' => 'username_hash',
>
> 'always_use_redirecturl' => 'disabled',
>
> 'login_attempt_limit' => '0',
>
> 'template_paths' => [
>
>
> '/usr/local/pf/html/captive-portal/profile-templates/SSLVPN-90e-Test',
>
>
> '/usr/local/pf/html/captive-portal/profile-templates/default',
>
>
> '/usr/local/pf/html/captive-portal/templates'
>
>
> ],
>
> 'guest_modes' => '',
>
> 'description' => 'SSLVPN',
>
> 'network_logoff_popup' => 'disabled',
>
> 'reuse_dot1x_credentials' => '0',
>
> 'sources' => [
>
>
> 'DOMAIN-SSLVPN'
>
>
> ],
>
> 'access_registration_when_registered' =>
> 'disabled',
>
> 'block_interval' => 600,
>
> 'advanced_filter' => '',
>
> 'provisioners' => [],
>
> 'dot1x_recompute_role_from_portal' =>
> 'enabled',
>
> 'dot1x_unset_on_unmatch' => 'disabled',
>
> 'status' => 'enabled',
>
> 'unreg_on_acct_stop' => 'disabled',
>
> 'root_module' => 'default_policy',
>
> 'sms_request_limit' => '0',
>
> 'network_logoff' => 'disabled',
>
> 'dpsk' => 'disabled',
>
> 'filter' => [
>
>
> 'tenant:1',
>
>
> 'switch_group:VPN-Server'
>
>
> ],
>
> 'mac_auth_recompute_role_from_portal' =>
> 'disabled',
>
> 'autoregister' => 'disabled',
>
> 'scans' => [],
>
> 'redirecturl' => '
> http://www.packetfence.org/',
>
> 'logo' => '/common/packetfence-cp.png',
>
> 'self_service' => 'default'
>
>
>
>
>
> This is the source:
>
> bless( {
>
> 'cache_match' => '0',
>
> 'realms' => [],
>
> 'read_timeout' => '10',
>
> 'basedn' => 'DC=ad,DC=domain,DC=ca',
>
> 'monitor' => '1',
>
> 'rules' => [
>
> bless( {
>
> 

Re: [PacketFence-users] EXTERNAL SENDER - Re: EXTERNAL SENDER - Re: pfdns random crashes

2021-04-28 Thread Fabrice Durand via PacketFence-users
/inverse-inc/packetfence/go/coredns/plugin/pfdns.(*pfdns).detectVIP(0xc0001f6200,
> 0x0, 0x0)
>
> Apr 27 15:07:18 vs-swk-pf pfdns[222919]:
> /root/rpmbuild/centos-7/BUILD/packetfence-10.2.0/go/coredns/plugin/pfdns/pfconfig.go:109
> +0x468
>
> Apr 27 15:07:18 vs-swk-pf pfdns[222919]:
> github.com/inverse-inc/packetfence/go/coredns/plugin/pfdns.(*pfdns).RefreshPfconfig.func1.1(0xc0001f6200,
> 0xe99c60, 0xc00038bd70)
>
> Apr 27 15:07:18 vs-swk-pf pfdns[222919]:
> /root/rpmbuild/centos-7/BUILD/packetfence-10.2.0/go/coredns/plugin/pfdns/pfdns.go:121
> +0x4f
>
> Apr 27 15:07:18 vs-swk-pf pfdns[222919]: created by
> github.com/inverse-inc/packetfence/go/coredns/plugin/pfdns.(*pfdns).RefreshPfconfig.func1
>
> Apr 27 15:07:18 vs-swk-pf pfdns[222919]:
> /root/rpmbuild/centos-7/BUILD/packetfence-10.2.0/go/coredns/plugin/pfdns/pfdns.go:118
> +0x50
>
> Apr 27 15:07:18 vs-swk-pf systemd[1]: Unit packetfence-pfdns.service
> entered failed state.
>
> Apr 27 15:07:18 vs-swk-pf systemd[1]: packetfence-pfdns.service failed.
>
> Apr 27 15:07:19 vs-swk-pf systemd[1]: packetfence-pfdns.service holdoff
> time over, scheduling restart.
>
> Apr 27 15:07:19 vs-swk-pf systemd[1]: start request repeated too quickly
> for packetfence-pfdns.service
>
> Apr 27 15:07:19 vs-swk-pf systemd[1]: Unit packetfence-pfdns.service
> entered failed state.
>
> Apr 27 15:07:19 vs-swk-pf systemd[1]: packetfence-pfdns.service failed.
>
>
>
> *From:* Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* 28 April 2021 03:38
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand 
> *Subject:* EXTERNAL SENDER - Re: [PacketFence-users] EXTERNAL SENDER -
> Re: pfdns random crashes
>
>
>
> *This email originated outside of NCG. Unless you recognise the sender,
> and know the content is safe, do not follow guidance, click any links or
> open any attachments. Please contact the serviced...@ncgrp.co.uk
>  if you have concerns about the content of this
> email. *
>
> Hello Adam,
>
>
>
> Check with:
>
>
>
> journalctl | grep pfdns
>
>
>
> Regards
>
> Fabrice
>
>
>
>
>
> On Tue, 27 Apr 2021 at 22:34, Franklin, Adam via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi Ludovic
>
> Could you tell me where to find the appropriate logs?
>
> Many Thanks
>
> Adam
>
> Get Outlook for Android <https://aka.ms/AAb9ysg>
>
>
> --
>
> *From:* Zammit, Ludovic 
> *Sent:* Monday, April 26, 2021 8:50:07 PM
> *To:* packetfence-users@lists.sourceforge.net <
> packetfence-users@lists.sourceforge.net>
> *Cc:* Franklin, Adam 
> *Subject:* EXTERNAL SENDER - Re: [PacketFence-users] pfdns random crashes
>
>
>
> This message may contain confidential information and is intended only for
> the individual(s) named. If you are not the named addressee you should not
> disseminate, distribute, print or copy this e-mail. Please notify the
> sender immediately by e-mail if you have received this e-mail by mistake
> and delete this e-mail from your system. E-mail transmission cannot be
> guaranteed to be secure or error-free as information could be intercepted,
> corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
> The sender therefore does not accept liability for any errors or omissions
> in the contents of this message, which arise as a result of e-mail
> transmission. Please note that any views or opinions presented in this
> e-mail are solely those of the author and do not necessarily represent
> those of NCG. Finally, the recipient should check this e-mail and any
> attachments for the presence of viruses. Although this e-mail and its
> attachments are believed to be free of any virus or other defects, which
> might affect any computer or IT system into which they are received, no
> responsibility is accepted by NCG or any of its associated companies for
> any loss or damage arising in any way from the receipt or use thereof.
>
>
>
> NCG Corporation is incorporated under the Further and Higher Education Act
> for the provision of education to students, its trading divisions are
> Newcastle College, Newcastle Sixth Form College, West Lancashire College,
> Kidderminster College, Carlisle College, Lewisham and Southwark and its
> registered office is at Rye Hill House, Scotswood Road, Newcast

Re: [PacketFence-users] WMI SCAN and Security Event

2021-04-28 Thread Fabrice Durand via PacketFence-users
Hello Abdoul,

packetfence is already aware of the dhcp traffic on the
isolation/registration networks, so there is nothing to do.
For the production network, you can do 2 things:

use the ip helper address command on each production vlan (on the cisco
switch):
 ip helper-address address

or use that
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_dhcp_remote_sensor
and enable "process on dhcp ack" on packetfence

Btw I prefer the 2nd solution, which is more accurate.

Regards
Fabrice


On Wed, 28 Apr 2021 at 06:57, Abdoul Raouf Diabagate via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello, please does anyone know how to send a copy of the dhcp traffic from
> the registration interface to the management interface?
>
> My goal is to activate WMI scans
>
> On Thu, 15 Apr 2021 at 10:10, Abdoul Raouf Diabagate <
> abdoulrao...@gmail.com> wrote:
>
>> Hello dear Experts and Users of packetfence.
>> I still have this problem with the wmi scan ... can someone please help
>> me?
>> when I type the following command:
>>
>> wmic -U [domain/]adminuser%password //host "select * from
>> Win32_ComputerSystem"
>>
>> Packetfence responds to me with the information from the client computer:
>> name, system version, etc. But from the graphical interface it is always
>> impossible to launch the scan before or after registration. I was suggested to
>> send a copy of the DHCP traffic from my production network to the
>> packetfence management interface. Anyone know how to do this? For
>> information, I have a cisco catalyst 2960 switch, which is connected to my
>> packetfence server: one port for management and one port for the trunk.
>>
>>
>> On Thu, 11 Mar 2021 at 13:55, Abdoul Raouf Diabagate <
>> abdoulrao...@gmail.com> wrote:
>>
>>> Hello everybody.
>>>
>>> I installed packetfence following the instructions in the guide, and
>>> everything works fine. However, scanning computers before registration does
>>> not work. I configured WMI and added an AD domain administrator account.
>>>
>>> When the user logs into the captive portal, it displays a message saying
>>> that the computer is being scanned and a security event is opened in
>>> packetfence, but nothing happens after that.
>>>
>>> Here is the message when I type a request through the command line:
>>>   wmic -U mydomain/myuser //targetIP "select * from FirewallProduct"
>>> [wmi/wmic.c:212:main()] ERROR: Retrieve result data.
>>> NTSTATUS: NT code 0x80041010 - NT code 0x80041010
>>>
>>> My goal is to be able to isolate windows computers that do not have an
>>> antivirus installed. How can I do it, please?
>>>


Re: [PacketFence-users] EXTERNAL SENDER - Re: pfdns random crashes

2021-04-27 Thread Fabrice Durand via PacketFence-users
Hello Adam,

Check with:

journalctl | grep pfdns

Regards
Fabrice


On Tue, 27 Apr 2021 at 22:34, Franklin, Adam via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Ludovic
> Could you tell me where to find the appropriate logs?
> Many Thanks
>
> Adam
>
> Get Outlook for Android 
>
> --
> *From:* Zammit, Ludovic 
> *Sent:* Monday, April 26, 2021 8:50:07 PM
> *To:* packetfence-users@lists.sourceforge.net <
> packetfence-users@lists.sourceforge.net>
> *Cc:* Franklin, Adam 
> *Subject:* EXTERNAL SENDER - Re: [PacketFence-users] pfdns random crashes
>
>


Re: [PacketFence-users] Wifi attribution

2021-04-27 Thread Fabrice Durand via PacketFence-users
Hello Robin,

in fact you just need to change the registration role in the switch config
to a prod vlan instead of the registration one.

Regards
Fabrice


On Tue, 27 Apr 2021 at 22:34, Robin Cortat via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> I have implemented PacketFence on my infrastructure. Currently,
> PacketFence assigns VLAN 1 to devices that connect to the network switches
> and are part of the domain, via 802.1X.
>
>
>
> Currently, I am using MAC Authentication Bypass to assign the registration
> role to non-Domain devices.
>
>
>
> I would like to change this operation a little, my question is to know if
> it is possible to give access to a wifi network for the stations that have
> the registration role. If yes, how?
>
>
>
> Thank you for your answer
>
>
>
>
>


Re: [PacketFence-users] Switch authentication grants access *with any password* as long as the username is correct (10.3)

2021-04-27 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

thanks for the report.
On my side I was able to replicate the issue and I pushed a fix in the
maintenance branch.
So you can run /usr/local/pf/addons/pf-main.pl and restart httpd.aaa
service.

Regards
Fabrice


On Tue, 27 Apr 2021 at 11:00, Cristian Mammoli via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi, I noticed that after the upgrade to 10.3 I can authenticate to the
> devices' CLI with any password ()
> I reverted to 10.2 and it works correctly:
>
> auth.conf:
> [apra-user-auth-dc01]
> cache_match=0
> realms=apra,apra.it,default,null
> basedn=dc=apra,dc=it
> password=
> set_access_level_action=
> scope=sub
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=5
> binddn=cn=packetfence,cn=Users,dc=apra,dc=it
> encryption=starttls
> port=389
> description=Apra User authentication
> host=192.168.0.7,192.168.0.76
> type=AD
> read_timeout=10
> write_timeout=5
> monitor=1
> dynamic_routing_module=AuthModule
> shuffle=1
> searchattributes=
> set_access_durations_action=
>
> [apra-user-auth-dc01 rule Administrator]
> action0=set_access_level=ALL
> condition0=memberOf,equals,CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it
> status=enabled
> match=any
> condition1=sAMAccountName,equals,nms
> class=administration
> action1=mark_as_sponsor=1
>
> [group switch_jesi_accesso]
> description=Switch Jesi Accesso
> VoIPEnabled=Y
> registrationVlan=112
> SNMPCommunityWrite=
> guestVlan=99
> deauthMethod=RADIUS
> type=Cisco::Catalyst_2960
> employeesVlan=24
> isolationVlan=113
> radiusSecret=
> SNMPVersion=2c
> consultantsVlan=24
> voiceVlan=14
> machineauthVlan=24
> defaultVlan=1
> staff_itVlan=24
> printersVlan=1
> ap_managementVlan=-1
> videosorveglianzaVlan=21
> always_trigger=1
> cliAccess=Y
> adiacentVlan=17
> uplink_dynamic=0
>
>
> As long as a user is member of the "CN=Apra
> Admins,OU=Admins,OU=Utenti,DC=apra,DC=it" any password is accepted, on any
> type of switch.
>
> This is a log from 10.3 (with wrong password):
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN:
> [mac:58:03:fb:51:bc:35] Trying to match IP address with an invalid MAC
> address 'undef' (pf::ip4log::mac2ip)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Found authentication source(s) :
> 'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null'
> (pf::config::util::filter_authentication_sources)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Using sources local, apra-machine-auth-dc01,
> apra-user-auth-dc01 for matching (pf::authentication::match2)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN:
> [mac:58:03:fb:51:bc:35] [apra-user-auth-dc01 Administrator] Searching for
> (&(sAMAccountName=c.mammoli.adm)(|(memberOf=CN=Apra
> Admins,OU=Admins,OU=Utenti,DC=apra,DC=it)(sAMAccountName=nms))), from
> dc=apra,dc=it, with scope sub
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] LDAP testing connection (pf::LDAP::expire_if)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source
> apra-user-auth-dc01, returning actions.
> (pf::Authentication::Source::match_rule)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source
> apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with
> write access (pf::Switch::Cisco::returnAuthorizeWrite)
>
> 10.2 (wrong password):
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
> [mac:d0:22:be:5f:2c:35] Trying to match IP address with an invalid MAC
> address 'undef' (pf::ip4log::mac2ip)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
> [mac:d0:22:be:5f:2c:35] Found authentication source(s) :
> 'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null'
> (pf::config::util::filter_authentication_sources)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
> [mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at
> /usr/local/pf/lib/pf/radius.pm line 921.
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
> [mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at
> /usr/local/pf/lib/pf/radius.pm line 921.
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
> [mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
> 
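Added here as a defender's regression check for the bug Cristian reports (this is not PacketFence code, and not how PacketFence verifies passwords): it builds a PAP Access-Request for an admin user with a deliberately wrong password, sends it to the NAC, and returns True only for an Access-Reject, validating the Response Authenticator so a spoofed reply is not mistaken for the server's. It assumes the switch CLI login is sent as PAP; the server address, shared secret and user name are placeholders, and the stdlib-only packet encoding can be exercised offline.

```python
"""Post-upgrade regression check: a wrong password for a CLI-admin user must yield
Access-Reject.  Added example, not PacketFence code; RFC 2865/2869 encoding with the
standard library only; server, secret and user are placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_MSG_AUTH = 1, 2, 4, 80


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password (the server side); used for the offline test."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         ident: int = 0, authenticator: bytes = None) -> bytes:
    """Access-Request with User-Name, User-Password, NAS-IP-Address and a
    Message-Authenticator (HMAC-MD5 over the packet with that attribute zeroed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + _attr(ATTR_MSG_AUTH, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac   # Message-Authenticator is the last attribute


def build_reply(code: int, ident: int, secret: bytes, request_authenticator: bytes,
                attrs: bytes = b"") -> bytes:
    """Server-side Response Authenticator formula; here only so parse_reply can be tested offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def parse_reply(packet: bytes, secret: bytes, request_authenticator: bytes):
    """Return (code, {attr_type: [values]}) after checking the Response Authenticator."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: reply is not from the expected server")
    parsed, i = {}, 0
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        parsed.setdefault(attr_type, []).append(attrs[i + 2:i + attr_len])
        i += attr_len
    return code, parsed


def wrong_password_is_rejected(server: str, secret: bytes, username: str,
                               nas_ip: str = "192.0.2.10", port: int = 1812) -> bool:
    """True only if the NAC answers Access-Reject to a deliberately wrong password."""
    request = build_access_request(username, "definitely-not-the-password", secret, nas_ip, ident=7)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5.0)
        sock.sendto(request, (server, port))
        data, _ = sock.recvfrom(4096)
    code, _ = parse_reply(data, secret, request[4:20])
    return code == ACCESS_REJECT


if __name__ == "__main__":
    # Placeholders: your PacketFence RADIUS address, the switch's shared secret and a
    # user that matches the admin rule in auth.conf.
    print(wrong_password_is_rejected("192.0.2.1", b"PLACEHOLDER_SECRET", "PLACEHOLDER_ADMIN_USER"))
```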

Re: [PacketFence-users] Attribute User-Password Required

2021-04-02 Thread Fabrice Durand via PacketFence-users

Try to remove that in the LOCAL realm : ldap_source=celinaisd

Then with the cli do:

/usr/local/pf/bin/pfcmd service radiusd generateconfig

/usr/local/pf/bin/pfcmd service radiusd restart

and retry.


On 2021-04-02 at 12:00, Joshua Wise wrote:

No luck adjusting those values from the web gui, same error.

realm.conf

[1 DEFAULT]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_auth_compute_in_pf=enabled
eduroam_radius_auth=
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
radius_acct_proxy_type=load-balance
radius_auth=
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct_proxy_type=load-balance
radius_acct=
domain=celinaisd

[1 LOCAL]
radius_strip_username=enabled
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_auth_compute_in_pf=enabled
eduroam_radius_auth=
domain=celinaisd
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
radius_acct_proxy_type=load-balance
radius_auth=
ldap_source=celinaisd
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct_proxy_type=load-balance
radius_acct=

*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com <https://www.celinaisd.com/>



On Fri, Apr 2, 2021 at 10:32 AM Fabrice Durand <mailto:fdur...@inverse.ca>> wrote:


Hello Joshua,

yes it can be there and it can also be because you set a "LDAP
Source for TTLS PAP" in the realm.

I am just curious to see why it doesn't work, can you share the
realm.conf file ?


Regards

Fabrice


On 2021-04-01 at 16:26, Joshua Wise wrote:

Are you referring to the section under Configuration > Default >
EAP Profiles?

I reset it to defaults, but get the same error.

I actually had this all working, the authentication portion at
least, about a month ago. After an extended break, it's doing this.

I'm tempted to start over with a fresh installation.

*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com <https://www.celinaisd.com/>



On Wed, Mar 31, 2021 at 7:22 AM Fabrice Durand via
PacketFence-users mailto:packetfence-users@lists.sourceforge.net>> wrote:

Hello Joshua,

sorry for the late reply.

So it looks like you played with the radius eap configuration.

Can you revert this section (put as default) and retry ?

Thanks

Regards

Fabrice


On 2021-03-29 at 16:15, Joshua Wise via PacketFence-users
wrote:

Pastebin of the response.

https://pastebin.com/L70fKEB7 <https://pastebin.com/L70fKEB7>
*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com <https://www.celinaisd.com/>


On Sat, Mar 27, 2021 at 8:13 AM Durand fabrice via
PacketFence-users mailto:packetfence-users@lists.sourceforge.net>> wrote:

Then run the command without the filter and reconnect
your device.

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600


On 21-03-27 at 08:29, Joshua Wise via PacketFence-users
wrote:

Command appears to run endlessly, I grabbed a snippet
that appears to be what is repeated.

(3440) Sat Mar 27 07:25:15 2021: Debug: Received
Status-Server Id 51 from 127.0.0.1:51452
<http://127.0.0.1:51452> to 127.0.0.1:18121
<http://127.0.0.1:18121> length 50
(3440) Sat Mar 27 07:25:15 2021: Debug:  
Message-Authenticator = 0x9257e8cab94913463172d8be5663c80b
(3440) Sat Mar 27 07:25:15 2021: Debug:  
FreeRADIUS-Statistics-Type = 15
(3440) Sat Mar 27 07:25:15 2021: Debug: # Executing
group from file /usr/local/pf/raddb/sites-enabled/status
(3440) Sat Mar 27 07:25:15 2021: Debug:   Autz-Type
Status-Server {
(3440) Sat Mar 27 07:25:15 2021: Debug:     [ok] = ok
(3440) Sat Mar 27 07:25:15 2021: Debug:   } # Autz-Type
Status-Server = ok
(3440) Sat Mar 27 07:25:15 2021: Debug: Sent
Access-Accept Id 51 from 127.0.0.1:18121
<http://127.0.0.1:18121> to 127.0.0.1:51452
<http://127.0.0.1:51452> length 0
(3440) Sat Mar 27 07:25:15 2021: Debug:
FreeRADIUS-Total-Access-Requests = 3441
(3440) Sat Mar 27 07:25:15 2021: Debug:
FreeRADIUS-Total-Access-Accepts = 0
(3440) Sat Mar 27 07:25:15 2021: Debug:
FreeRADIUS-Total-Access-Rejects = 2
(3440) Sat Mar 27 07:25:15 2021: Debug:
FreeRADIUS-Total-Access-Challenges = 16
(3440) Sat Mar 27 07:25:15 2021: Debug:
FreeRADIUS-Total-Auth-Responses = 18
(3440) Sat 
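An added example, not PacketFence code, that audits a realm.conf for the setting Fabrice asks to clear: it lists the realms whose ldap_source is set and writes the same file back with that key blanked, leaving every other line untouched. The embedded sample is a shortened copy of the realm.conf pasted above, and the pfcmd commands in the comment are the ones given in the thread.

```python
"""Find realms in realm.conf that set ldap_source (the 'LDAP Source for TTLS PAP'
setting) and produce a corrected copy.  Added example, not PacketFence code;
the sample below is a shortened copy of the realm.conf pasted in the thread."""
import configparser
import re

SAMPLE_REALM_CONF = """\
[1 DEFAULT]
permit_custom_attributes=disabled
radius_auth_compute_in_pf=enabled
radius_auth=
domain=celinaisd

[1 LOCAL]
radius_strip_username=enabled
permit_custom_attributes=disabled
radius_auth_compute_in_pf=enabled
domain=celinaisd
ldap_source=celinaisd
radius_acct=
"""


def realms_with_ldap_source(text: str) -> dict:
    """Map realm section name -> ldap_source value, for realms where it is non-empty."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: cp[s]["ldap_source"] for s in cp.sections()
            if cp[s].get("ldap_source", "").strip()}


_SECTION = re.compile(r"^\[(.+)\]\s*$")
_KEY = re.compile(r"^ldap_source\s*=")


def clear_ldap_source(text: str, realms) -> str:
    """Return the file with ldap_source= blanked in the named realms; other lines are kept verbatim
    so the result still diffs cleanly against the original."""
    out, current = [], None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
        elif current in realms and _KEY.match(line):
            line = "ldap_source="
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    hits = realms_with_ldap_source(SAMPLE_REALM_CONF)
    print("realms with ldap_source set:", hits)
    print(clear_ldap_source(SAMPLE_REALM_CONF, hits))
    # After editing the real file, regenerate and restart as the thread says:
    #   /usr/local/pf/bin/pfcmd service radiusd generateconfig
    #   /usr/local/pf/bin/pfcmd service radiusd restart
```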

Re: [PacketFence-users] Attribute User-Password Required

2021-04-02 Thread Fabrice Durand via PacketFence-users

Hello Joshua,

yes it can be there and it can also be because you set a "LDAP Source 
for TTLS PAP" in the realm.


I am just curious to see why it doesn't work, can you share the 
realm.conf file ?



Regards

Fabrice


On 2021-04-01 at 16:26, Joshua Wise wrote:
Are you referring to the section under Configuration > Default > EAP 
Profiles?


I reset it to defaults, but get the same error.

I actually had this all working, the authentication portion at least, 
about a month ago. After an extended break, it's doing this.


I'm tempted to start over with a fresh installation.

*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com <https://www.celinaisd.com/>



On Wed, Mar 31, 2021 at 7:22 AM Fabrice Durand via PacketFence-users 
<mailto:packetfence-users@lists.sourceforge.net>> wrote:


Hello Joshua,

sorry for the late reply.

So it looks like you played with the radius eap configuration.

Can you revert this section (put as default) and retry ?

Thanks

Regards

Fabrice


On 2021-03-29 at 16:15, Joshua Wise via PacketFence-users wrote:

Pastebin of the response.

https://pastebin.com/L70fKEB7 <https://pastebin.com/L70fKEB7>
*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com <https://www.celinaisd.com/>


On Sat, Mar 27, 2021 at 8:13 AM Durand fabrice via
PacketFence-users mailto:packetfence-users@lists.sourceforge.net>> wrote:

Then run the command without the filter and reconnect your
device.

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600


On 21-03-27 at 08:29, Joshua Wise via PacketFence-users
wrote:

Command appears to run endlessly, I grabbed a snippet that
appears to be what is repeated.

(3440) Sat Mar 27 07:25:15 2021: Debug: Received Status-Server Id 51 from 127.0.0.1:51452 to 127.0.0.1:18121 length 50
(3440) Sat Mar 27 07:25:15 2021: Debug: Message-Authenticator = 0x9257e8cab94913463172d8be5663c80b
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Statistics-Type = 15
(3440) Sat Mar 27 07:25:15 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/status
(3440) Sat Mar 27 07:25:15 2021: Debug:   Autz-Type Status-Server {
(3440) Sat Mar 27 07:25:15 2021: Debug:     [ok] = ok
(3440) Sat Mar 27 07:25:15 2021: Debug:   } # Autz-Type Status-Server = ok
(3440) Sat Mar 27 07:25:15 2021: Debug: Sent Access-Accept Id 51 from 127.0.0.1:18121 to 127.0.0.1:51452 length 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Requests = 3441
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Accepts = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Rejects = 2
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Challenges = 16
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Responses = 18
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Accounting-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Accounting-Responses = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Accepts = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Rejects = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Challenges = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Tota

Re: [PacketFence-users] Packetfence SNMP implementation

2021-04-02 Thread Fabrice Durand via PacketFence-users

Hello doppino,

Yes, you can use SNMP and Active Directory, but for that you will need to 
use the portal to authenticate.


On the PacketFence side, be sure to enable 
packetfence-snmptrapd.service (it is disabled by default).


Then add the switch in PacketFence and fill in the correct registration 
VLAN and SNMP information so PacketFence can talk to the switch.


Regards

Fabrice


On 2021-04-01 at 10:07, doppino--- via PacketFence-users wrote:

Hello,
I'm new to PacketFence and NAC. I'm implementing PF in a lab 
environment to test and learn. I'm trying to set up an out-of-band 
architecture as described here: 
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_supported_enforcement_modes 
with a Cisco 2960 switch. In this phase it is not clear to me whether I can use 
only SNMP and Active Directory user credentials, without 802.1X, to 
assign VLANs and give access to the network.


thanks
D.






___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] Attribute User-Password Required

2021-03-31 Thread Fabrice Durand via PacketFence-users

Hello Joshua,

sorry for the late reply.

So it looks that you played with the radius eap configuration.

Can you revert this section (put as default) and retry ?

Thanks

Regards

Fabrice


On 2021-03-29 at 16:15, Joshua Wise via PacketFence-users wrote:

Pastebin of the response.

https://pastebin.com/L70fKEB7
*Joshua Wise*
Systems Engineer, Celina ISD
469-742-9113
https://www.celinaisd.com 


On Sat, Mar 27, 2021 at 8:13 AM Durand fabrice via PacketFence-users wrote:


Then run the command without the filter and reconnect your device.

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600


On 2021-03-27 at 08:29, Joshua Wise via PacketFence-users wrote:

Command appears to run endlessly, I grabbed a snippet that
appears to be what is repeated.

(3440) Sat Mar 27 07:25:15 2021: Debug: Received Status-Server Id 51 from 127.0.0.1:51452 to 127.0.0.1:18121 length 50
(3440) Sat Mar 27 07:25:15 2021: Debug: Message-Authenticator = 0x9257e8cab94913463172d8be5663c80b
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Statistics-Type = 15
(3440) Sat Mar 27 07:25:15 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/status
(3440) Sat Mar 27 07:25:15 2021: Debug:   Autz-Type Status-Server {
(3440) Sat Mar 27 07:25:15 2021: Debug:     [ok] = ok
(3440) Sat Mar 27 07:25:15 2021: Debug:   } # Autz-Type Status-Server = ok
(3440) Sat Mar 27 07:25:15 2021: Debug: Sent Access-Accept Id 51 from 127.0.0.1:18121 to 127.0.0.1:51452 length 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Requests = 3441
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Accepts = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Rejects = 2
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Access-Challenges = 16
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Responses = 18
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Auth-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Accounting-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Accounting-Responses = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Acct-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Accepts = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Rejects = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Access-Challenges = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Responses = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Auth-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Accounting-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Accounting-Responses = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Malformed-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Invalid-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Dropped-Requests = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: FreeRADIUS-Total-Proxy-Acct-Unknown-Types = 0
(3440) Sat Mar 27 07:25:15 2021: Debug: Finished request
(3440) Sat Mar 

Re: [PacketFence-users] 802.1x problem Winbind

2021-03-16 Thread Fabrice Durand via PacketFence-users

Hello Martijn,


Simply associate the DEFAULT and NULL realms to your domain (Realm config 
section) and restart PacketFence.



Regards

Fabrice


On 2021-03-16 at 16:16, Martijn Langendoen via PacketFence-users wrote:


Hi all,


I have a problem with my 802.1X setup. I followed the manual about 
802.1X and Active Directory and tried many other things, but I always get 
the same error about winbind:



RADIUS Request
NAS-Port-Type = Ethernet
PacketFence-Outer-User = "ZEELAND\\mlan"
PacketFence-Radius-Ip = "10.10.0.251"
Service-Type = Framed-User
Called-Station-Id = "00:5f:86:e9:35:01"
State = 0xacbe159cacb60f4b7c0ffe19df40b6be
FreeRADIUS-Proxied-To = 127.0.0.1
Realm = "zeeland"
EAP-Type = MSCHAPv2
NAS-IP-Address = 10.10.0.234
NAS-Port-Id = "GigabitEthernet0/1"
PacketFence-NTLMv2-Only = ""
Calling-Station-Id = "a0:ce:c8:3b:32:2c"
PacketFence-KeyBalanced = "42db3b63770e87603fd759f79528ec18"
MS-CHAP-User-Name = "ZEELAND\\mlan"
MS-CHAP-Challenge = 0x5b3b206fff4f2ed9c305044240406599
Cisco-AVPair = "service-type=Framed"
Cisco-AVPair = "audit-session-id=0A0A00EA002402AE075F"
Cisco-AVPair = "method=dot1x"
User-Name = "ZEELAND\\mlan"
Event-Timestamp = "Mar 16 2021 21:13:25 CET"
EAP-Message = 0x020800471a0208004231a91abe6dbf631a20b9ce7216b3ebf1306b1000204b8be952f6f79dff2e63416404199ecee558bd0e005a45454c414e445c6d6c616e
MS-CHAP2-Response = 0x0845a91abe6dbf631a20b9ce7216b3ebf1306b1000204b8be952f6f79dff2e63416404199ecee558bd0e
Stripped-User-Name = "mlan"
NAS-Port = 50101
Framed-MTU = 1500
Module-Failure-Message = "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'"
Module-Failure-Message = "mschap: Reading winbind reply failed! (0xc001)"
User-Password = "**"
SQL-User-Name = "ZEELANDmlan"

RADIUS Reply
MS-CHAP-Error = "\010E=691 R=0 C=781675239b44c0afc817dc28976c59c4 V=3 M=Authentication failed"
EAP-Message = 0x04080004
Message-Authenticator = 0x


I use PacketFence version 10.2.0 ZEN.


What can I do?







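The MS-CHAP-Error value in the reply above is the MS-CHAP-V2 Failure string defined in RFC 2759 section 6: one identifier octet (FreeRADIUS prints it as the octal escape \010, i.e. id 8, which matches the EAP identifier 0x08 in the request), then E=<code> R=<retry flag> C=<new challenge> V=<version> M=<message>. The parser below is an added example written for this page in Python; it is not PacketFence or FreeRADIUS code. The error-code names come from the RFC; the triage categories and hint texts are my own grouping. The first sample string is the one from the reply quoted above, the second is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Failure codes from RFC 2759 section 6 (the "E=" field of a Failure packet)
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Operator-facing grouping of the codes (my own, not from the RFC)
_CATEGORY = {
    646: "account policy", 647: "account policy", 649: "account policy",
    648: "password change", 709: "password change",
    691: "credential",
}

_FIELDS = re.compile(
    r"E=(?P<e>\d+)\s+R=(?P<r>[01])"
    r"(?:\s+C=(?P<c>[0-9A-Fa-f]{32}))?"
    r"(?:\s+V=(?P<v>\d+))?"
    r"(?:\s+M=(?P<m>.*))?$",
    re.S,
)


@dataclass
class MSChapError:
    ident: int                  # identifier octet that prefixes the string
    code: int                   # E=
    retry_allowed: bool         # R=1: peer may resubmit credentials
    challenge: Optional[bytes]  # C=: 16-byte challenge to use for that retry
    version: Optional[int]      # V=: 3 for MS-CHAP-V2
    message: str                # M=: free text

    @property
    def code_name(self) -> str:
        return MSCHAP_ERROR_CODES.get(self.code, f"UNKNOWN_{self.code}")

    @property
    def category(self) -> str:
        return _CATEGORY.get(self.code, "unknown")


def parse_mschap_error(raw: str) -> MSChapError:
    """Parse an MS-CHAP-Error value as it appears in FreeRADIUS / PacketFence logs.

    FreeRADIUS escapes the leading identifier octet as \\NNN (octal); a value
    taken from a raw packet carries the byte itself. Both forms are accepted.
    """
    m = re.match(r"\\([0-7]{3})(.*)$", raw, re.S)
    if m:
        ident, body = int(m.group(1), 8), m.group(2)
    elif raw and not raw.startswith("E="):
        ident, body = ord(raw[0]), raw[1:]
    else:
        raise ValueError("missing identifier octet")
    f = _FIELDS.match(body.strip())
    if not f:
        raise ValueError(f"not an MS-CHAP-V2 failure string: {body!r}")
    return MSChapError(
        ident=ident,
        code=int(f["e"]),
        retry_allowed=f["r"] == "1",
        challenge=bytes.fromhex(f["c"]) if f["c"] else None,
        version=int(f["v"]) if f["v"] else None,
        message=f["m"] or "",
    )


def triage(raw: str) -> str:
    """One-line verdict for whoever is reading the RADIUS audit log."""
    err = parse_mschap_error(raw)
    hint = {
        "credential": "NT-Response did not verify: wrong password, wrong NT-hash source, "
                      "or the MS-CHAP backend (e.g. winbind/ntlm_auth) failed before checking it",
        "account policy": "credentials may be right; the account is restricted on the directory side",
        "password change": "credentials accepted but a password change is required",
    }.get(err.category, "unrecognised error code")
    retry = "retry allowed" if err.retry_allowed else "no retry"
    return f"id={err.ident} E={err.code} {err.code_name} ({retry}): {hint}"


# The value from the RADIUS Reply quoted above, exactly as FreeRADIUS printed it
SAMPLE = r"\010E=691 R=0 C=781675239b44c0afc817dc28976c59c4 V=3 M=Authentication failed"
# Constructed: the same field layout with the identifier as a raw byte
SAMPLE_RAW_BYTE = "\x08E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired"
```

Running triage(SAMPLE) classifies the reply above as a credential failure with no retry: that is what the mschap module emits when the backend it delegates to (here winbind, which returned "Reading winbind reply failed") never produced a verdict, so the fix is on the winbind/domain-join side rather than in the user's password.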

Re: [PacketFence-users] fingerbank api calls and PC with static IP (no DHCP)

2021-03-10 Thread Fabrice Durand via PacketFence-users

Hmm, that looks to be the accounting interim update.

Check on the equipment side and raise the interim update value to 
something higher.


On 2021-03-10 at 08:50, Daniele via PacketFence-users wrote:
I noticed that there are also these logs repeated every 30 seconds in 
the packetfence.log:

...
Mar 10 14:33:06 esepfn004vm packetfence_httpd.aaa: httpd.aaa(23895) WARN: [mac:c0:3f:d5:bb:b3:22] Unable to pull accounting history for device c0:3f:d5:bb:b3:22. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Mar 10 14:33:36 esepfn004vm packetfence_httpd.aaa: httpd.aaa(23895) WARN: [mac:c0:3f:d5:bb:b3:22] Unable to pull accounting history for device c0:3f:d5:bb:b3:22. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Mar 10 14:34:06 esepfn004vm packetfence_httpd.aaa: httpd.aaa(23895) WARN: [mac:c0:3f:d5:bb:b3:22] Unable to pull accounting history for device c0:3f:d5:bb:b3:22. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Mar 10 14:34:36 esepfn004vm packetfence_httpd.aaa: httpd.aaa(23895) WARN: [mac:c0:3f:d5:bb:b3:22] Unable to pull accounting history for device c0:3f:d5:bb:b3:22. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
...


On Wed, 10 Mar 2021 at 13:38, Daniele <danyrom...@tiscali.it> wrote:


Hi Fabrice,
The device c0:3f:d5:bb:b3:22 doesn't authenticate over and over; I
checked the logs from the switch.
PacketFence can see the DHCP requests (ip helper-address on the
router) and it categorizes the device correctly:

Device Class: Windows OS
Device Manufacturer: Elitegroup Computer Systems Co.,Ltd.
Device Type: Microsoft Windows Kernel 10.0
Fully Qualified Device Name: Operating System/Windows OS/Microsoft Windows Kernel 10.0
Version: 10.0
Score: 78%
Mobile: No
DHCP Fingerprint: 1,3,6,15,31,33,43,44,46,47,119,121,249,252
DHCP Vendor: MSFT 5.0

Despite this, the Fingerbank collector continues to make constant
requests to the web API. Same for another 4 hosts.
Should I try reinstalling the Fingerbank collector?

Regards
Daniele


On Wed, 10 Mar 2021 at 02:27, Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Daniele,

What I think happens is the device c0:3f:d5:bb:b3:22
authenticates over and over, and each time PacketFence queries
Fingerbank (because there is not enough information).

So first you need to check why you have so much auth/acct in a
short period of time and fix it.

Next, if you can, forward the production DHCP to PacketFence in
order to feed Fingerbank.

Let me know if it helps.

Regards

Fabrice



On 2021-03-09 at 02:03, Daniele via PacketFence-users wrote:

Hello Fabrice,
these are the complete logs

Mar  9 07:43:58 ese fingerbank-collector: [GIN] 2021/03/09 - 07:43:58 | 200 |     133.193µs | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22
Mar  9 07:43:58 ese fingerbank_httpd.aaa: httpd.aaa(1866) WARN: [mac:c0:3f:d5:bb:b3:22] Cannot find any combination ID in any schemas (fingerbank::Source::LocalDB::_getCombinationID)
Mar  9 07:43:58 ese fingerbank_httpd.aaa: httpd.aaa(1866) INFO: [mac:c0:3f:d5:bb:b3:22] Upstream is configured and unable to fullfil an exact match locally. Will ignore result from local database (fingerbank::Source::LocalDB::match)
Mar  9 07:43:58 ese fingerbank-collector: [GIN] 2021/03/09 - 07:43:58 | 200 |  145.607165ms | 127.0.0.1 | GET /endpoint_data/c0:3f:d5:bb:b3:22/details
Mar  9 07:43:58 ese fingerbank_httpd.aaa: httpd.aaa(1866) INFO: [mac:c0:3f:d5:bb:b3:22] Successfully interrogate upstream Fingerbank project for matching. Got device : 5778 (fingerbank::Source::Collector::match)

Thanks

Regards

Daniele


On Tue, 9 Mar 2021 at 03:00, Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Daniel,

What is the process doing all those queries? (It's at the
beginning of the lines you pasted.)

Thanks

Regards

Fabrice


On 2021-03-07 at 05:05, Daniele via PacketFence-users wrote:

Hi all,
I have encountered a problem regarding Fingerbank with
some PCs with static IPs under dot1x authentication.
The dot1x authentication of these PCs is successful,
but the Fingerbank collector makes numerous requests to
api.fingerbank.
Five PCs alone exhaust the 

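The log excerpt above shows the pattern worth alerting on before the API quota is gone: the same MAC reaching the upstream Fingerbank API ("Successfully interrogate upstream Fingerbank project") again and again because every new auth/acct event triggers a fresh lookup. The script below is an added example, not part of this thread or of PacketFence. It parses packetfence.log lines in the syslog format shown above and reports MACs that exceed a query threshold inside a sliding time window. The sample log is constructed from the format on the page (the second MAC and the 30-second cadence are assumptions), and the caller supplies the year because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Mar  9 07:43:58 host program: rest" - the syslog prefix used by packetfence.log
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<rest>.*)$"
)
MAC_RE = re.compile(r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]")
# Logged by fingerbank::Source::Collector::match each time the upstream API is consulted
UPSTREAM_MARKER = "Successfully interrogate upstream Fingerbank"


def parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps have no year; strptime tolerates the double space in "Mar  9"
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def upstream_queries(lines, year):
    """Yield (timestamp, mac) for every upstream Fingerbank query in the log."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or UPSTREAM_MARKER not in m["rest"]:
            continue
        mm = MAC_RE.search(m["rest"])
        if mm:
            yield parse_ts(m["ts"], year), mm["mac"]


def chatty_devices(lines, window_seconds=600, threshold=5, year=2021):
    """Per-MAC sliding window over upstream queries.

    Returns {mac: peak_count} for every MAC that hit the upstream API at
    least `threshold` times within any `window_seconds` span: those are the
    endpoints whose repeated auth/acct (or missing DHCP data) burn the quota.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, mac in upstream_queries(lines, year):
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            peaks[mac] = max(peaks.get(mac, 0), len(q))
    return peaks


def constructed_sample():
    """Constructed excerpt in the page's log format: one PC queried every 30 s, one queried once."""
    def stamp(t):
        return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"   # reproduces "Mar  9 07:43:58"
    base = datetime(2021, 3, 9, 7, 43, 58)
    busy, quiet = "c0:3f:d5:bb:b3:22", "a4:5e:60:aa:bb:cc"   # second MAC is made up
    lines = []
    for i in range(10):
        ts = stamp(base + timedelta(seconds=30 * i))
        lines.append(f"{ts} ese fingerbank_httpd.aaa: httpd.aaa(1866) WAR" "N: "
                     f"[mac:{busy}] Cannot find any combination ID in any schemas "
                     "(fingerbank::Source::LocalDB::_getCombinationID)")
        lines.append(f"{ts} ese fingerbank_httpd.aaa: httpd.aaa(1866) INFO: [mac:{busy}] "
                     "Successfully interrogate upstream Fingerbank project for matching. "
                     "Got device : 5778 (fingerbank::Source::Collector::match)")
    lines.append(f"{stamp(base)} ese fingerbank_httpd.aaa: httpd.aaa(1866) INFO: [mac:{quiet}] "
                 "Successfully interrogate upstream Fingerbank project for matching. "
                 "Got device : 5778 (fingerbank::Source::Collector::match)")
    return lines
```

Feed it the real file with `chatty_devices(open("/usr/local/pf/logs/packetfence.log"))` and tune the window to your accounting interim interval; the MACs it returns are the ones to chase on the switch side, as Fabrice suggests, rather than reinstalling the collector.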
Re: [PacketFence-users] Delay between authentication on captive portal and network access being enabled

2021-02-19 Thread Fabrice Durand via PacketFence-users

It looks like the disconnection doesn't work correctly:

Jan 20 07:19:37 pf pfqueue: pfqueue(30210) WARN: [mac:58:d9:c3:5e:56:e5] 
Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received 
with Error-Cause: Session-Context-Not-Found. (pf::Switch::radiusDisconnect)


Check on the Ruckus side if you see something in the logs related to the 
CoA.


Regards

Fabrice


On 2021-02-19 at 06:37, Chris Brown via PacketFence-users wrote:

Does anyone have advice about how to troubleshoot this?

On Jan 25, 2021, at 2:40 PM, Chris Brown wrote:


Hi,

After registering on the captive portal and getting the "error 
occurred" message, if I open a browser and try to go to cnn.com 
I get the “error occurred” “your network should be 
enable with a minute or two”… message in my browser.


If I leave the device connected to the wifi, it suddenly gets 
internet access about 5 minutes after registering.


On Jan 25, 2021, at 2:12 AM, Ludovic Zammit wrote:


Hello Chris,

5 mins is not normal at all. Can you try to connect, start a web 
browser on http://cnn.com and see if it pops up 
the splash page?


Thanks,
Ludovic Zammit
lzam...@inverse.ca    ::  +1.514.447.4918 (x145) 
::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




On Jan 23, 2021, at 6:57 AM, Chris Brown via PacketFence-users wrote:


I did some testing with a Unifi AP and the captive portal works 
correctly with the Unifi AP. I immediately get network access with 
the Unifi AP.


Does anyone have advice on how to troubleshoot the delay between 
registering on the captive portal and getting network access on the 
Ruckus APs?


On Jan 20, 2021, at 7:50 AM, Chris Brown <chr...@vcxtechnologies.com> wrote:


Hi,

After logging into via the captive portal, users get a message 
saying that an error occurred while trying to enable network access.


At this point, if I look in the Packetfence nodes list, the device 
will now show as registered and offline.


If the device stays connected to the network for the next 5-10 
minutes, Packetfence will eventually show the node as online, and 
the device will begin getting network access.




packetfence.log follows. There is a bunch of activity around the 
07:19:xx timestamp when the users device authenticates on the 
captive portal. Then access to the network is actually enabled 
around 5 minutes later, around the 7:24:xx time stamp (after the 
break in the log). Can anyone give me advise on how to shorten the 
time between a node registering and getting network access?


Jan 20 07:19:03 pf packetfence_httpd.aaa: httpd.aaa(1775) INFO: [mac:58:d9:c3:5e:56:e5] handling radius autz request: from switch_ip => (10.200.0.130), connection_type => Wireless-802.11-NoEAP,switch_mac => (8c:0c:90:15:14:9c), mac => [58:d9:c3:5e:56:e5], port => 0, username => "58d9c35e56e5", ssid => VCX HOTSPOT (pf::radius::authorize)
Jan 20 07:19:03 pf packetfence_httpd.aaa: httpd.aaa(1775) INFO: [mac:58:d9:c3:5e:56:e5] Instantiate profile guest (pf::Connection::ProfileFactory::_from_profile)
Jan 20 07:19:03 pf packetfence_httpd.aaa: httpd.aaa(1775) INFO: [mac:58:d9:c3:5e:56:e5] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jan 20 07:19:03 pf packetfence_httpd.aaa: httpd.aaa(1775) INFO: [mac:58:d9:c3:5e:56:e5] According to rules in fetchRoleForNode this node must be kicked out. Returning USERLOCK (pf::Switch::handleRadiusDeny)
Jan 20 07:19:04 pf packetfence_httpd.aaa: httpd.aaa(1775) INFO: [mac:58:d9:c3:5e:56:e5] handling radius autz request: from switch_ip => (10.200.0.130), connection_type => Wireless-802.11-NoEAP,switch_mac => (8c:0c:90:15:14:98), mac => [58:d9:c3:5e:56:e5], port => 0, username => "58d9c35e56e5", ssid => VCX HOTSPOT (pf::radius::authorize)
Jan 20 07:19:04 pf packetfence_httpd.aaa: httpd.aaa(1775) INFO: [mac:58:d9:c3:5e:56:e5] Instantiate profile guest (pf::Connection::ProfileFactory::_from_profile)
Jan 20 07:19:04 pf packetfence_httpd.aaa: httpd.aaa(1775) INFO: [mac:58:d9:c3:5e:56:e5] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jan 20 07:19:04 pf packetfence_httpd.aaa: httpd.aaa(1775) INFO: [mac:58:d9:c3:5e:56:e5] According to rules in fetchRoleForNode this node must be kicked out. Returning USERLOCK (pf::Switch::handleRadiusDeny)
Jan 20 07:19:14 pf packetfence_httpd.portal: httpd.portal(29816) INFO: [mac:00:11:22:33:44:55] URI '/Ruckus' is detected as an external captive portal URI (pf::web::externalportal::handle)
Jan 20 07:19:14 pf packetfence_httpd.portal: httpd.portal(27867) INFO: [mac:unknown] External captive portal detected ! (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Jan 20 07:19:14 pf packetfence_httpd.portal: 

Re: [PacketFence-users] Alert on RADIUS Failure

2021-02-09 Thread Fabrice Durand via PacketFence-users

Hello Stephen,

you can install monit for that.

yum install monit

then have a configuration file that match specific pattern:

check file radius.log with path /usr/local/pf/logs/radius.log
    group RADIUS
    every 450 cycles    # every 15 minutes (if 1 cycle is 2 seconds)
    if match "Rejected user" then alert
    if match "Sponge Bob" then alert


Regards

Fabrice


On 2021-02-08 at 16:37, Stephen Gaucher via PacketFence-users wrote:


I would like to configure PacketFence to email me if its auth status 
is set to rejected (it fails a RADIUS check).  What’s the easiest way 
to do this?  Thank you!


City of Vernon Disclaimer: This transmission (including any 
attachments) may contain confidential information, privileged material 
(including material protected by the FOI act or other applicable 
privileges), or constitute non-public information. Any use of this 
information by anyone other than the intended recipient is prohibited. 
If you have received this transmission in error, please immediately 
reply to the sender and delete this information from your system. Use, 
dissemination, distribution, or reproduction of this transmission by 
unintended recipients is not authorized and may be unlawful.








Re: [PacketFence-users] Mikrotik COA

2021-01-08 Thread Fabrice Durand via PacketFence-users

Hello Enrique,

use_tunneled_reply is a FreeRADIUS attribute, but I don't think it's 
related to the issue (it's the authentication part).


(https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/eap.conf.example)

The issue is when the CoA is sent.

Regards

Fabrice



On 2021-01-08 at 11:36, Enrique Gross wrote:

Fabrice, Adrian, PF users

Happy 2021!

I have received feedback from Mikrotik Support regarding Error-Cause = 
Unsupported-Extension:


Hello,

Thank you for contacting MikroTik Support and sorry for the late
reply.

Yes, it seems that's the case, with using wrong attributes, as
Error 406 means an unsupported extension.

As a test, you could try enabling "use_tunneled_reply" on your
RADIUS server.

If it still doesn't work, please let us know and send us a
Supout.rif made while the issue is present - like in your screenshot.

Best regards,
Guntis G.


Where can I enable "use_tunneled_reply" on PacketFence so I can test 
this?


My TK support on Mikrotik is still open, a good opportunity to send 
them any testing.


Thanks, Enrique.



On Sun, 20 Dec 2020 at 19:27, Adrian D'Atri-Guiran via 
PacketFence-users wrote:


Hi Fabrice,

It seems to me that mikrotik also requires the IP address.  When I
submit anything that doesn't have the Framed-Ip-Address as part of
the query, i see "Radius disconnect with no ip provided" in radius
logs (see attached).

https://forum.mikrotik.com/viewtopic.php?t=6672

On Tue, Dec 15, 2020 at 11:55 AM Fabrice Durand
<fdur...@inverse.ca> wrote:

Hello Adrian,

If you can, try other MAC formats to see if one works.

like:

5c:e0:c5:c1:d6:fd

5C:E0:C5:C1:D6:FD

5c-e0-c5-c1-d6-fd

5C-E0-C5-C1-D6-FD

5ce0c5c1d6fd

5CE0C5C1D6FD

Regards

Fabrice


On 2020-12-15 at 13:06, Adrian D'Atri-Guiran wrote:

Hi Fabrice,

I played around with it a bit further, and here's a working test:

echo "Framed-IP-Address=10.5.50.2" | radclient -x 10.2.2.1:3799 disconnect secret
Sent Disconnect-Request Id 44 from 0.0.0.0:37354 to 10.2.2.1:3799 length 26
        Framed-IP-Address = 10.5.50.2
Received Disconnect-ACK Id 44 from 10.2.2.1:3799 to 10.2.2.254:37354 length 30
        NAS-Identifier = "MikroTik"

Where 10.5.50.2 is the client IP. and 10.2.2.1 is the ip of
my main mikrotik router that manages the hotspot.  This
command instantly deauthenticated the client, but did not
remove the client's Cookie.  For this reason I believe that
we should have "cookie" disabled under Hotspot -> Server
Profiles -> Login -> Login By (uncheck Cookie).

My problem is I don't know how to fix Mikrotik.pm: how do I
access the client IP? I want to do something like:
'Framed-IP-Address' => "$client_ip_address",
on:

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230



Also I guess we must be careful here because in some
scenarios if the client has been assigned a new IP and
packetfence is not yet aware of it, this could break. MAC
address would probably be better for deauthenticating, but I
haven't managed to get that working yet.

Thanks!
-Adrian


On Mon, Dec 14, 2020 at 6:02 PM Adrian D'Atri-Guiran
<adrian.datri.gui...@gmail.com> wrote:

Thank you,

>btw you can try to add:
>'Calling-Station-Id' => $mac,
I have attempted this and the result was a new error (and
client remains authenticated on the mikrotik hotspot):

Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
Dec 14 20:58:18 radius packetfence_httpd.webservices:

Re: [PacketFence-users] Mikrotik COA

2020-12-15 Thread Fabrice Durand via PacketFence-users

Hello Adrian,

If you can, try other MAC formats to see if one works.

like:

5c:e0:c5:c1:d6:fd

5C:E0:C5:C1:D6:FD

5c-e0-c5-c1-d6-fd

5C-E0-C5-C1-D6-FD

5ce0c5c1d6fd

5CE0C5C1D6FD

Regards

Fabrice


On 2020-12-15 at 13:06, Adrian D'Atri-Guiran wrote:

Hi Fabrice,

I played around with it a bit further, and here's a working test:

echo "Framed-IP-Address=10.5.50.2" | radclient -x 10.2.2.1:3799 disconnect secret
Sent Disconnect-Request Id 44 from 0.0.0.0:37354 to 10.2.2.1:3799 length 26
        Framed-IP-Address = 10.5.50.2
Received Disconnect-ACK Id 44 from 10.2.2.1:3799 to 10.2.2.254:37354 length 30
        NAS-Identifier = "MikroTik"

Where 10.5.50.2 is the client IP. and 10.2.2.1 is the ip of my main 
mikrotik router that manages the hotspot.  This command instantly 
deauthenticated the client, but did not remove the client's Cookie.  
For this reason I believe that we should have "cookie" disabled under 
Hotspot -> Server Profiles -> Login -> Login By (uncheck Cookie).


My problem is I don't know how to fix Mikrotik.pm: how do I access the 
client IP? I want to do something like:

'Framed-IP-Address' => "$client_ip_address",
on:
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230



Also I guess we must be careful here because in some scenarios if the 
client has been assigned a new IP and packetfence is not yet aware of 
it, this could break. MAC address would probably be better for 
deauthenticating, but I haven't managed to get that working yet.


Thanks!
-Adrian


On Mon, Dec 14, 2020 at 6:02 PM Adrian D'Atri-Guiran 
<adrian.datri.gui...@gmail.com> wrote:


Thank you,

>btw you can try to add:
>'Calling-Station-Id' => $mac,
I have attempted this and the result was a new error (and client
remains authenticated on the mikrotik hotspot):

Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set, we will use controller 10.2.2.1 to perform deauth (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set, we will use controller 10.2.2.1 to perform deauth (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices() WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)



On Fri, Dec 11, 2020 at 5:43 PM Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

btw you can try to add:

'Calling-Station-Id' => $mac,

here:


https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230


On 2020-12-11 at 20:31, Durand fabrice via PacketFence-users
wrote:
> The code needs to be updated:
>
>
> https://forum.mikrotik.com/viewtopic.php?t=33063
>
>
> On 2020-12-11 at 14:28, Enrique Gross via PacketFence-users 

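Both this thread and the Ruckus captive-portal thread above stall at the same step: PacketFence sends a RADIUS Disconnect-Request and the NAS answers Disconnect-NAK with an Error-Cause (503 Session-Context-Not-Found from the Ruckus, 406 Unsupported-Extension from the MikroTik, which MikroTik support confirms means an attribute it does not accept). The Python below is an added example and not code from PacketFence or either vendor: it builds a Disconnect-Request with the RFC 5176 Request Authenticator, models a toy NAS that keys sessions by one attribute and NAKs attributes it does not understand, verifies the Response Authenticator, and decodes the Error-Cause the way pf::Switch::radiusDisconnect logs it. The toy NAS, the shared secret, the session tables and the choice of which attribute each NAS keys on are assumptions that mirror the two threads; a real device's behaviour is exactly what Adrian's radclient tests probe.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types used below (RFC 2865 and RFC 5176)
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER, ERROR_CAUSE = 1, 8, 31, 32, 101

ERROR_CAUSES = {  # RFC 5176 section 3.5
    201: "Residual-Session-Context-Removed", 202: "Invalid-EAP-Packet",
    401: "Unsupported-Attribute", 402: "Missing-Attribute",
    403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
    405: "Unsupported-Service", 406: "Unsupported-Extension",
    407: "Invalid-Attribute-Value", 501: "Administratively-Prohibited",
    502: "Request-Not-Routable", 503: "Session-Context-Not-Found",
    504: "Session-Context-Not-Removable", 505: "Other-Proxy-Processing-Error",
    506: "Resources-Unavailable", 507: "Request-Initiated",
    508: "Multiple-Session-Selection-Unsupported",
}


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((atype, len(value) + 2)) + value


def parse_attrs(data: bytes):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def build_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Disconnect-Request; Request Authenticator = MD5(header || 16 zero octets || attrs || secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def request_authenticator_ok(secret: bytes, pkt: bytes) -> bool:
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_response(secret: bytes, request: bytes, code: int, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(header || RequestAuthenticator || attrs || secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def response_authenticator_ok(secret: bytes, request: bytes, response: bytes) -> bool:
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


class ToyNAS:
    """Assumed model of a NAS: the attributes it understands, the one it keys
    sessions by, and the Error-Cause it returns for attributes it does not know."""

    def __init__(self, secret, session_key, supported, sessions, unknown_attr_cause=401):
        self.secret, self.session_key = secret, session_key
        self.supported, self.sessions = set(supported), set(sessions)
        self.unknown_attr_cause = unknown_attr_cause

    def _nak(self, request, cause):
        return build_response(self.secret, request, DISCONNECT_NAK,
                              attr(ERROR_CAUSE, struct.pack("!I", cause)))

    def handle(self, request: bytes):
        if request[0] != DISCONNECT_REQUEST or not request_authenticator_ok(self.secret, request):
            return None  # RFC 5176: a request with a bad authenticator is silently discarded
        attrs = parse_attrs(request[20:])
        if any(t not in self.supported for t, _ in attrs):
            return self._nak(request, self.unknown_attr_cause)
        keys = [v for t, v in attrs if t == self.session_key]
        if not keys:
            return self._nak(request, 402)
        if keys[0] not in self.sessions:
            return self._nak(request, 503)
        self.sessions.discard(keys[0])
        return build_response(self.secret, request, DISCONNECT_ACK, attr(NAS_IDENTIFIER, b"ToyNAS"))


def explain(secret: bytes, request: bytes, response) -> str:
    """Decode the reply the way PacketFence's radiusDisconnect reports it."""
    if response is None:
        return "no reply: request discarded (wrong shared secret or malformed)"
    if not response_authenticator_ok(secret, request, response):
        return "reply rejected: Response Authenticator mismatch"
    if response[0] == DISCONNECT_ACK:
        return "Disconnect-ACK"
    causes = [struct.unpack("!I", v)[0] for t, v in parse_attrs(response[20:]) if t == ERROR_CAUSE]
    names = ", ".join(f"{c} {ERROR_CAUSES.get(c, 'Unknown')}" for c in causes)
    return f"Disconnect-NAK received with Error-Cause: {names}"
```

The two NAK codes point at different places: 503 means the NAS understood the request but the identifier PacketFence sent (here Calling-Station-Id) matched no session it holds, so check which attribute and format the controller keys sessions on; 401/406 means the NAS refused an attribute before it ever looked for a session, which is why the MikroTik only ACKs once the request carries Framed-IP-Address alone. Sending the same attribute set with radclient against the real device, as in Adrian's test, is the way to confirm which case you are in.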
Re: [PacketFence-users] Packetfence cluster vip captive portal not showing

2020-11-20 Thread Fabrice Durand via PacketFence-users

Hello Sonali,

Do a tcpdump on the registration interface to see if there is some traffic.

Also, do you get an IP address when you are in the registration VLAN? 
Are you able to ping it from the PF servers?


Regards

Fabrice


On 2020-11-20 at 04:57, Sonali Gulia wrote:

Hi all,

I am setting up my cluster. All servers sync well. After assigning the 
registration VLAN, the portal pages are not showing. When doing ip a, the main 
server shows the management interface with the VIP; on the second server the 
registration and isolation interfaces show the VIP; on the third 
server no interface shows a VIP. When doing netstat 
I can see all servers listening on the VIPs and their respective management, 
registration and isolation IPs. Is there any problem with this?


Or is there a network issue, like a gateway assigned on L2 or L3?
Please suggest how I should proceed with it.





Re: [PacketFence-users] 10.2.0 Eap gtc sub module failed

2020-11-03 Thread Fabrice Durand via PacketFence-users
The simplest way to see what is not working is probably to compare the 
request that works and the one that doesn't.


Because right now in the debug there is no call to ldap or sql.

Regards

Fabrice


On 2020-11-03 at 08:58, Sonali Gulia wrote:

Hi

We are using the ldap module, but I also tried sql; nothing works. The same config 
was working fine with the previous version.


On Tue, 3 Nov 2020 at 7:23 PM, Fabrice Durand wrote:


Hello Sonali,

Your issue looks to be because there is no module before that sets
the "known good" password in the request.

Where is the password stored? (ldap/sql/...)

Regards

Fabrice


On 2020-11-02 at 22:46, Sonali Gulia wrote:



Hi all,

In the new version of PF (10.2.0) the EAP-GTC sub-module fails,
while in the previous version it was working fine. Please help.

Here is the result of raddebug -f
/usr/local/pf/var/run/radiusd.sock -t 3000

I replaced my personal details with:
my_username
my_user_device_mac
my_switch_ip
my_server_ip
my_switch_mac
my_cluster_managment_ip

I also highlighted the error in the logs.


(26979) Mon Nov  2 15:39:12 2020: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(26979) Mon Nov  2 15:39:12 2020: Debug: authenticate {
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Expiring EAP session with state 0xddba5edfdca958cb
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Finished EAP session with state 0xec639e88eb7087f4
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Previous EAP request found for state 0xec639e88eb7087f4, released from the list
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Peer sent packet with method EAP PEAP (25)
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Calling submodule eap_peap to process data
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Continuing EAP-TLS
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: [eaptls verify] = ok
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Done initial handshake
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: [eaptls process] = ok
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Session established.  Decoding tunneled attributes
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: PEAP state phase2
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: EAP method GTC (6)
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Got tunneled request
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   EAP-Message = 0x0213000f0642726561746853473240
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Setting User-Name to my_username
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Sending tunneled request to packetfence-tunnel
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   EAP-Message = 0x0213000f0642726561746853473240
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   User-Name = "myusername"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   State = 0xddba5edfdca958cb96d4c517e9bc660c
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   Service-Type = Framed-User
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   Cisco-AVPair = "service-type=Framed"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   Cisco-AVPair = "audit-session-id=0A011517000D005BC4FA"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   Cisco-AVPair = "method=dot1x"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   Framed-MTU = 1500
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   Calling-Station-Id := "my_user_device_mac"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   NAS-IP-Address = my_switch_ip
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   NAS-Port-Id = "GigabitEthernet1/0/1"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   NAS-Port-Type = Ethernet
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   NAS-Port = 50101
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   PacketFence-KeyBalanced := "99a990b22af7d7ca016a27643cd35a1e"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   PacketFence-Radius-Ip := "my_server_ip"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   Called-Station-Id := "my_switch_mac"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   Event-Timestamp = "Nov  2 2020 15:39:12 IST"
(26979) Mon Nov  2 15:39:12 2020: Debug: Virtual server packetfence-tunnel received request
(26979) Mon Nov  2 15:39:12 2020: Debug: EAP-Message = 0x0213000f0642726561746853473240
(26979) Mon Nov  2 15:39:12 2020: Debug: FreeRADIUS-Proxied-To = 127.0.0.1
(26979) Mon Nov  2 15:39:12 2020: Debug: User-Name = "myusername"
(26979) Mon Nov  2 15:39:12 2020: Debug:   State =

Re: [PacketFence-users] 10.2.0 Eap gtc sub module failed

2020-11-03 Thread Fabrice Durand via PacketFence-users

Hello Sonali,

Your issue looks to be because there is no module before that sets the 
"known good" password in the request.


Where is the password stored? (ldap/sql/...)

Regards

Fabrice


On 2020-11-02 at 22:46, Sonali Gulia wrote:



Hi all, in the new version of pf 10.2.0 the eap gtc sub module failed. In 
the previous version it was working fine, please help.


Here is the result of raddebug -f /usr/local/pf/var/run/radiusd.sock 
-t 3000:


I changed my personal details to:
my_username
my_user_device_mac
my_switch_ip
my_server_ip
my_switch_mac
my_cluster_managment_ip

Also highlight the error in the logs.


(26979) Mon Nov  2 15:39:12 2020: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(26979) Mon Nov  2 15:39:12 2020: Debug:   authenticate {
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Expiring EAP session with state 0xddba5edfdca958cb
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Finished EAP session with state 0xec639e88eb7087f4
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Previous EAP request found for state 0xec639e88eb7087f4, released from the list
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Peer sent packet with method EAP PEAP (25)
(26979) Mon Nov  2 15:39:12 2020: Debug: eap: Calling submodule eap_peap to process data
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Continuing EAP-TLS
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: [eaptls verify] = ok
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Done initial handshake
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: [eaptls process] = ok
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Session established.  Decoding tunneled attributes
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: PEAP state phase2
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: EAP method GTC (6)
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Got tunneled request
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: EAP-Message = 0x0213000f0642726561746853473240
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Setting User-Name to my_username
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Sending tunneled request to packetfence-tunnel
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: EAP-Message = 0x0213000f0642726561746853473240
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: User-Name = "myusername"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap:   State = 0xddba5edfdca958cb96d4c517e9bc660c
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Service-Type = Framed-User
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Cisco-AVPair = "service-type=Framed"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Cisco-AVPair = "audit-session-id=0A011517000D005BC4FA"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Cisco-AVPair = "method=dot1x"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Framed-MTU = 1500
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Calling-Station-Id := "my_user_device_mac"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: NAS-IP-Address = my_switch_ip
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: NAS-Port-Id = "GigabitEthernet1/0/1"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: NAS-Port-Type = Ethernet
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: NAS-Port = 50101
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: PacketFence-KeyBalanced := "99a990b22af7d7ca016a27643cd35a1e"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: PacketFence-Radius-Ip := "my_server_ip"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Called-Station-Id := "my_switch_mac"
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: Event-Timestamp = "Nov  2 2020 15:39:12 IST"
(26979) Mon Nov  2 15:39:12 2020: Debug: Virtual server packetfence-tunnel received request
(26979) Mon Nov  2 15:39:12 2020: Debug:   EAP-Message = 0x0213000f0642726561746853473240
(26979) Mon Nov  2 15:39:12 2020: Debug: FreeRADIUS-Proxied-To = 127.0.0.1
(26979) Mon Nov  2 15:39:12 2020: Debug:   User-Name = "myusername"
(26979) Mon Nov  2 15:39:12 2020: Debug:   State = 0xddba5edfdca958cb96d4c517e9bc660c
(26979) Mon Nov  2 15:39:12 2020: Debug:   Service-Type = Framed-User
(26979) Mon Nov  2 15:39:12 2020: Debug:   Cisco-AVPair = "service-type=Framed"
(26979) Mon Nov  2 15:39:12 2020: Debug:   Cisco-AVPair = "audit-session-id=0A011517000D005BC4FA"
(26979) Mon Nov  2 15:39:12 2020: Debug:   Cisco-AVPair = "method=dot1x"
(26979) Mon Nov  2 15:39:12 2020: Debug:   Framed-MTU = 1500
(26979) Mon Nov  2 15:39:12 2020: Debug: Calling-Station-Id := "my_user_device_mac"
(26979) Mon Nov  2 15:39:12 2020: Debug:   NAS-IP-Address = my_switch_ip
(26979) Mon Nov  2 15:39:12 2020: Debug:   NAS-Port-Id = "GigabitEthernet1/0/1"
(26979) Mon Nov  2 15:39:12 2020: Debug:   NAS-Port-Type = Ethernet
(26979) Mon Nov  2 15:39:12 2020: Debug:   NAS-Port = 50101
(26979) Mon Nov  2 15:39:12 2020: Debug: 

Re: [PacketFence-users] 10.2.0 Eap gtc sub module failed

2020-10-30 Thread Fabrice Durand via PacketFence-users

At least when you try to connect ...


On 2020-10-30 at 06:37, Sonali Gulia wrote:

Hi Durand Fabrice,

Here is the result of raddebug -f /usr/local/pf/var/run/radiusd.sock 
-t 3000:


(10522) Fri Oct 30 21:32:00 2020: Debug: Received Status-Server Id 97 from 127.0.0.1:51783 to 127.0.0.1:18121 length 50
(10522) Fri Oct 30 21:32:00 2020: Debug: Message-Authenticator = 0x595be7422b20bffc2fd6282691eb1b4e
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Statistics-Type = 15
(10522) Fri Oct 30 21:32:00 2020: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/status
(10522) Fri Oct 30 21:32:00 2020: Debug:   Autz-Type Status-Server {
(10522) Fri Oct 30 21:32:00 2020: Debug:     [ok] = ok
(10522) Fri Oct 30 21:32:00 2020: Debug:   } # Autz-Type Status-Server = ok
(10522) Fri Oct 30 21:32:00 2020: Debug: Sent Access-Accept Id 97 from 127.0.0.1:18121 to 127.0.0.1:51783 length 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Access-Requests = 10523
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Access-Accepts = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Access-Rejects = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Access-Challenges = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Auth-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Auth-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Auth-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Auth-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Auth-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Auth-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Accounting-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Accounting-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Acct-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Acct-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Acct-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Acct-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Acct-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Access-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Access-Accepts = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Access-Rejects = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Access-Challenges = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Auth-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Auth-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Auth-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Auth-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Auth-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Accounting-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Accounting-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Acct-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Acct-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Acct-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Total-Proxy-Acct-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: Finished request
(10522) Fri Oct 30 21:32:05 2020: Debug: Cleaning up request packet ID 97 with timestamp +157883
(10523) Fri Oct 30 21:32:15 2020: Debug: Received Status-Server Id 71 from 127.0.0.1:43289 to 127.0.0.1:18121 length 50
(10523) Fri Oct 30 21:32:15 2020: Debug: Message-Authenticator = 0x2e1611a2cb839f02f01df0ab302f9062
(10523) Fri Oct 30 21:32:15 2020: Debug: FreeRADIUS-Statistics-Type = 15
(10523) Fri Oct 30 21:32:15 2020: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/status
(10523) Fri Oct 30 21:32:15 2020: Debug:   Autz-Type Status-Server {
(10523) Fri Oct 30 21:32:15 2020: Debug:     [ok] = ok
(10523) Fri Oct 30 21:32:15 2020: Debug:   } # Autz-Type Status-Server = ok
(10523) Fri Oct 30 21:32:15 2020: Debug: Sent Access-Accept Id 71 from 127.0.0.1:18121 to 127.0.0.1:43289 length 0
(10523) Fri Oct 30 21:32:15 2020: Debug: 
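Both of Fabrice's hints in this thread can be checked mechanically from raddebug output: the capture directly above contains only Status-Server probes and no Access-Request from a connecting client, and the earlier captures show no ldap or sql module result before the tunneled EAP-GTC step. The following script is an added example, not part of the thread or of PacketFence: it groups raddebug lines by request id, records the packet type, the inner EAP method and every "[module] = rcode" result, and diffs a working request against a failing one. The log lines inside it are constructed to resemble the thread's output, and treating ldap, sql and files as the modules that supply the "known good" password is an assumption.

```python
"""Triage helper for raddebug output (added example, not PacketFence code).

Groups lines by request id and records, per request, the packet type, the EAP
method negotiated inside the PEAP tunnel and every "[module] = rcode" result
line, so a failing request can be compared with a working one.
"""
import re

LINE_RE = re.compile(r"^\((\d+)\)\s+.*?: Debug: (.*)$")
RECV_RE = re.compile(r"Received (Status-Server|Access-Request|Accounting-Request)")
EAP_METHOD_RE = re.compile(r"EAP method (\w+) \((\d+)\)")
MODULE_RE = re.compile(r"\[([\w\s]+)\] = (\w+)")
# Assumption: these are the modules that supply the "known good" password.
PASSWORD_SOURCES = {"ldap", "sql", "files"}


def parse_raddebug(text):
    """Return {request_id: summary} in order of first appearance."""
    requests = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines carry no request id
        rid, msg = m.group(1), m.group(2)
        req = requests.setdefault(rid, {"type": None, "eap_method": None,
                                        "modules": [], "password_source": False})
        recv = RECV_RE.search(msg)
        if recv:
            req["type"] = recv.group(1)
        eap = EAP_METHOD_RE.search(msg)
        if eap:
            req["eap_method"] = eap.group(1)
        for mod, rcode in MODULE_RE.findall(msg):
            name = mod.split()[0]  # "[eaptls verify] = ok" -> "eaptls"
            req["modules"].append((name, rcode))
            if name in PASSWORD_SOURCES:
                req["password_source"] = True
    return requests


def missing_modules(working, failing):
    """Modules the working request ran that the failing one never reached."""
    ran = {name for name, _ in failing["modules"]}
    return [name for name, _ in working["modules"] if name not in ran]


# Constructed sample: a Status-Server probe (no client involved), a failing
# GTC request where no password-source module ran, and a working one.
SAMPLE_LOG = """\
(10522) Fri Oct 30 21:32:00 2020: Debug: Received Status-Server Id 97 from 127.0.0.1:51783 to 127.0.0.1:18121 length 50
(10522) Fri Oct 30 21:32:00 2020: Debug:     [ok] = ok
(26979) Mon Nov  2 15:39:12 2020: Debug: Received Access-Request Id 12 from 192.0.2.5:1645 to 192.0.2.1:1812 length 210
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: [eaptls verify] = ok
(26979) Mon Nov  2 15:39:12 2020: Debug: eap_peap: EAP method GTC (6)
(26979) Mon Nov  2 15:39:12 2020: Debug:     [eap] = handled
(26980) Mon Nov  2 15:40:01 2020: Debug: Received Access-Request Id 13 from 192.0.2.5:1645 to 192.0.2.1:1812 length 210
(26980) Mon Nov  2 15:40:01 2020: Debug:     [ldap] = ok
(26980) Mon Nov  2 15:40:01 2020: Debug: eap_peap: EAP method GTC (6)
(26980) Mon Nov  2 15:40:01 2020: Debug:     [eap] = ok
"""
```

Feed it the saved raddebug output of one failing and one working connection; a request whose type is only Status-Server means no client actually reached the server, and an empty password_source on an EAP-GTC request is the condition Fabrice describes.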

Re: [PacketFence-users] captive_portal.ip_address in pf.conf.defaults

2020-10-09 Thread Fabrice Durand via PacketFence-users

DAIFUKU <http://www.daifukuna.com/>

Always an Edge Ahead

From: Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Friday, October 9, 2020 2:18 PM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] captive_portal.ip_address in pf.conf.defaults

Hello Jeff,

Your issue is because keepalived is not running.

Let's try:

/usr/local/pf/bin/pfcmd service pf updatesystemd

systemctl restart packetfence-keepalived.service

Regards

Fabrice

On 2020-10-09 at 14:11, Jeff Linden via PacketFence-users wrote:

Hello,

I’ve upgraded PacketFence from 9.2 to 10.1. Since then, I’ve had trouble getting the Captive Portal to function. Since I noticed a newer version is available, I have now upgraded to 10.2 before writing this.

In the web interface, under Status -> Services, the haproxy-portal is enabled and running. All green. Except, the pid is 0.

Also in the web interface, under Advanced Access Configuration -> Captive Portal, the haproxy-portal dropdown is showing green. But, looking further by clicking the dropdown, I notice Enabled and Managed are green, but Alive is red.

systemctl status packetfence-haproxy-portal returns the following result:

● packetfence-haproxy-portal.service - PacketFence HAProxy Load Balancer for the captive portal
   Loaded: loaded (/lib/systemd/system/packetfence-haproxy-portal.service; enabled; vendor preset: enabled)
   Active: activating (start-pre) since Fri 2020-10-09 10:57:14 EDT; 2s ago
  Process: 230643 ExecStart=/usr/sbin/haproxy -Ws -f /usr/local/pf/var/conf/haproxy-portal.conf -p /usr/local/pf/var/run/haproxy-portal.pid (code=exited, status=1/FAILU
 Main PID: 230643 (code=exited, status=1/FAILURE); Control PID: 230652 (perl)
    Tasks: 1 (limit: 36864)
   CGroup: /packetfence.slice/packetfence-haproxy-portal.service
           └─control
             └─230652 /usr/bin/perl -I/usr/local/pf/lib -Mpf::services::manager::haproxy_portal -e pf::services::manager::haproxy_portal->new()->generateConfig()

Oct 09 10:57:16 nadc1-pfence-01 haproxy[230643]: [ALERT] 282/105714 (230643) : Starting frontend portal-http-66.70.255.147: cannot bind socket [66.70.255.147:80]
Oct 09 10:57:16 nadc1-pfence-01 haproxy[230643]: [ALERT] 282/105714 (230643) : Starting frontend portal-https-66.70.255.147: cannot bind socket [66.60.255.147:443]
Oct 09 10:57:14 nadc1-pfence-01 systemd[1]: packetfence-haproxy-portal.service: Main process exited, code=exited, status=1/FAILURE
Oct 09 10:57:14 nadc1-pfence-01 systemd[1]: Failed to start PacketFence HAProxy Load Balancer for the captive portal.
Oct 09 10:57:14 nadc1-pfence-01 systemd[1]: packetfence-haproxy-portal.service: Unit entered failed state.
Oct 09 10:57:14 nadc1-pfence-01 systemd[1]: packetfence-haproxy-portal.service: Failed with result 'exit-code'.
Oct 09 10:57:14 nadc1-pfence-01 systemd[1]: packetfence-haproxy-portal.service: Service hold-off time over, scheduling restart.
Oct 09 10:57:14 nadc1-pfence-01 systemd[1]: Stopped PacketFence HAProxy Load Balancer for the captive portal.
Oct 09 10:57:14 nadc1-pfence-01 systemd[1]: Starting PacketFence HAProxy Load Balancer for the captive portal...

In /var/log/haproxy.log
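The bind failures in the systemctl output above and the fix Fabrice gives (restart keepalived) point at the same thing: haproxy-portal listens on the captive-portal VIP, and the VIP is only present on the interface while keepalived holds it, which is also what the cluster question at the top of this page (no VIP visible in ip a on one node) is about. This Python check is an added example, not PacketFence code: it reads the text of ip -o -4 addr and the haproxy alerts and reports whether each address that failed to bind exists on the host at all. The ip addr output and haproxy lines inside it are constructed samples, and the interface name and addresses in them are placeholders.

```python
"""Check whether the addresses haproxy-portal failed to bind exist on the host.

Added example, not PacketFence code.  In a cluster the captive-portal VIP is
put on the interface by keepalived; while keepalived is down, haproxy logs
"cannot bind socket [ip:port]" for every frontend bound to that VIP.
"""
import re

BIND_FAIL_RE = re.compile(r"cannot bind socket \[([\d.]+):(\d+)\]")
# One record per address in `ip -o -4 addr` output: "<idx>: <dev>    inet <addr>/<prefix> ..."
IP_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+([\d.]+)/\d+", re.M)


def host_addresses(ip_addr_output):
    """Map every IPv4 address present on the host to its interface name."""
    return {addr: dev for dev, addr in IP_ADDR_RE.findall(ip_addr_output)}


def unbound_frontends(ip_addr_output, haproxy_log):
    """Return [(ip, port, present_on_host)] for each distinct bind failure."""
    present = host_addresses(ip_addr_output)
    seen, failures = set(), []
    for ip, port in BIND_FAIL_RE.findall(haproxy_log):
        if (ip, port) in seen:
            continue  # the same alert repeats on every restart attempt
        seen.add((ip, port))
        failures.append((ip, int(port), ip in present))
    return failures


def diagnose(ip_addr_output, haproxy_log):
    """'ok' if nothing failed to bind; 'vip-missing' if every failed address is
    absent from the host (keepalived has not placed the VIP); 'address-present'
    if an address is there, so the port itself is what is unavailable."""
    failures = unbound_frontends(ip_addr_output, haproxy_log)
    if not failures:
        return "ok"
    if all(not present for _, _, present in failures):
        return "vip-missing"
    return "address-present"


# Constructed samples: the host carries only its own address; the VIP
# 192.0.2.20 that haproxy-portal binds to is not configured anywhere.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: ens192    inet 192.0.2.10/24 brd 192.0.2.255 scope global ens192
"""
SAMPLE_HAPROXY_LOG = """\
Oct 09 10:57:16 pf-host haproxy[4242]: [ALERT] 282/105714 (4242) : Starting frontend portal-http-192.0.2.20: cannot bind socket [192.0.2.20:80]
Oct 09 10:57:16 pf-host haproxy[4242]: [ALERT] 282/105714 (4242) : Starting frontend portal-https-192.0.2.20: cannot bind socket [192.0.2.20:443]
Oct 09 10:57:20 pf-host haproxy[4250]: [ALERT] 282/105720 (4250) : Starting frontend portal-http-192.0.2.20: cannot bind socket [192.0.2.20:80]
"""
```

A "vip-missing" result is the case in this thread: check keepalived with systemctl status packetfence-keepalived.service before touching haproxy, since haproxy will keep failing until the address exists.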
