Re: [PacketFence-users] PKI installation

2018-02-06 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

Can you try that:

sqlite3 db.sqlite3

UPDATE "auth_user" set
password='pbkdf2_sha256$2$Z2Lhr1cW8QM0$mN9PtNhxneIDzApqFa4uG8V44IXqHe+r7yootSoSzJQ='
where username='admin';

The password is p@ck3tf3nc3


Regards

Fabrice



On 2018-02-03 at 01:31, E.P. wrote:
>
> Hi Fabrice,
>
> I feel awkward resurrecting this topic but I believe something
> happened to PKI after I upgraded PF to 7.4
>
> Really want it to be not connected with it but I can’t login to PKI
> admin interface.
>
> The login page shows normally with a prompt for username/password, I
> enter previously used admin/password credentials but nothing happens.
>
> I need to grab RADIUS server certificate to manually install it to
> Windows 10 machines so that they validate the server properly
>
> Logs under /usr/local/packetfence-pki/logs don’t show anything that
> would give me a clue except for these events:
>
>  
>
> [root@PacketFence-ZEN logs]# cat ./packetfence_pki.access.log
> 172.16.0.100 - - [03/Feb/2018:03:16:06 +] "POST / HTTP/1.1" 200
> 2483 "https://172.16.0.222:9393/"; "Mozilla/5.0 (Windows NT 6.1; Win64;
> x64; rv:58.0) Gecko/20100101 Firefox/58.0"
>
> [root@PacketFence-ZEN logs]# cat ./error.log
> 
> [Sat Feb 03 05:09:16.445232 2018] [:error] [pid 1050]
> /usr/lib/python2.7/site-packages/bootstrap3/bootstrap.py:5:
> RemovedInDjango19Warning: django.utils.importlib will be removed in
> Django 1.9.
>
> [root@PacketFence-ZEN logs]# cat ./packetfence_pki.error.log
> [Sat Feb 03 03:14:11.433371 2018] [ssl:warn] [pid 27722] AH01909: RSA
> certificate configured for pki:443 does NOT include an ID which
> matches the server name
>
> Eugene
>
>  
>
>  
>
> *From:*Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Wednesday, January 03, 2018 12:26 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> Just for information, I uploaded a new version of the packetfence-pki
> for CentOS 7 which fixes all the install issues.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-12-12 at 23:58, E.P. wrote:
>
> Well, I’m taking my hat off in front of you, no kidding and pun
> intended ;)
>
> Do you need traceback from the error page ?
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, December 12, 2017 7:02 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net
> 
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> Ha ha, don't worry, I like to have a challenge like that to be able
> to fix the issue for better user experience.
>
> I coded the PKI so I want to make it work.
>
>  
>
>  
>
> On 2017-12-12 at 21:48, E.P. wrote:
>
> Sure, take your time, Fabrice. I have a special knack of
> running into troubles in cases when others didn’t have any :)
>
>
> Eugene
>
> Sent from iPhone
>
>
> On Dec 12, 2017, at 18:18, Durand fabrice wrote:
>
> OK, let me try to install the PKI on the ZEN and I will get
> back to you.
>
> I have installed the PKI on 10 servers not a long time ago
> without any issue.
>
>  
>
>  
>
> On 2017-12-12 at 20:52, E.P. wrote:
>
> Yes, db.sqlite3 was owned by root
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# ls -al
>
> total 56
>
> drwxr-xr-x   7 pf   pf 128 Dec 12 08:49 .
>
> drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
>
> drwxrws---   2 pf   pf   6 Nov 15 14:20 ca
>
> drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf
>
> */-rw-r--r--   1 root root 43008 Dec 12 08:44 db.sqlite3/*
>
> drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse
>
> drwxrws---   2 pf   pf  90 Dec 12 01:35 logs
>
> -rwxr--r--   1 pf   pf 250 Nov 15 14:20 manage.py
>
> -rw-r--r--   1 root root 6 Dec 12 08:49
> packetfence-pki.pid
>
> drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki
>
>  
>
> Changed the file ownership to pf:pf
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# ls -al
>
> total 100
>
> drwxr-xr-x   7 pf   pf 147 Dec 13 01:45 .
>
> drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
>
> drwxrws---   2 pf   pf   6 Nov 15 14:20 ca
>
> drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf
>
> */-rw-r--r--   1 pf   pf   43008 Dec 13 01:45 db.sqlite3/*
>
> /drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse/
>
> /drwxrws---   2 pf   pf  90 Dec 12 01:35 logs/
>
> /-rwxr--r--   1 
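
Added example (not part of the original thread and not PacketFence code): the value written into auth_user above is a Django-format PBKDF2 string, "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>", so a hash for a password of your own choosing can be generated and written the same way. The function names, the iteration count, the passphrase and the two-column stand-in for the auth_user table are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import secrets
import sqlite3

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumed value; Django reads the count back from the stored string
SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def encode_password(password, iterations, salt=None):
    """Build 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(12))
    if "$" in salt:
        raise ValueError("salt must not contain '$' (it is the field separator)")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    return "$".join(
        [ALGORITHM, str(iterations), salt, base64.b64encode(digest).decode("ascii")]
    )


def check_password(password, encoded):
    """Recompute the hash with the stored salt/iterations; compare in constant time."""
    try:
        algorithm, iterations, salt, _stored = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False  # not a four-field Django-style string
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = encode_password(password, iterations, salt)
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def reset_password(conn, username, new_password, iterations=ITERATIONS):
    """Write a freshly salted hash for one user; returns the number of rows changed."""
    encoded = encode_password(new_password, iterations)
    cur = conn.execute(
        'UPDATE "auth_user" SET password = ? WHERE username = ?',
        (encoded, username),
    )
    conn.commit()
    return cur.rowcount


def demo():
    # Constructed in-memory stand-in for db.sqlite3; the real table has more columns.
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "auth_user" (username TEXT PRIMARY KEY, password TEXT)')
    conn.execute('INSERT INTO "auth_user" VALUES (?, ?)', ("admin", "!"))
    changed = reset_password(conn, "admin", "constructed-Example-passphrase")
    (stored,) = conn.execute(
        'SELECT password FROM "auth_user" WHERE username = ?', ("admin",)
    ).fetchone()
    return changed, stored


if __name__ == "__main__":
    changed, stored = demo()
    print("rows changed:", changed)
    print("stored prefix:", "$".join(stored.split("$")[:2]))
    print("verifies:", check_password("constructed-Example-passphrase", stored))
```

Against the real database, open db.sqlite3 with sqlite3.connect() in place of the in-memory connection and keep the file owned by pf:pf as discussed earlier in the thread.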

Re: [PacketFence-users] Restarting swicthports errors

2018-02-06 Thread Fabrice Durand via PacketFence-users
Hello,

The issue is open on GitHub

https://github.com/inverse-inc/packetfence/issues/2923

Regards

Fabrice



On 2018-02-02 at 10:43, David Harvey via PacketFence-users wrote:
> Sorry for all the mailing list spam. I've been having a bit of a
> packetfence tinkering week!
>
> Since upgrading to packetfence 7.4 followed by applying the Unifi
> patch 2735.patch (the
> latter probably unrelated given the files it touches), I've been
> seeing failures when attempting to restart switchports from the GUI.
> On screen I get
>
> "Error! An error condition has occured. See server side logs for details."
>
> And consulting logs reveals:
>
> Feb  2 13:26:17 pf httpd_admin: httpd.admin(21612) ERROR:
> [mac:unknown] Caught exception in
> pfappserver::Controller::Node->bulk_restart_switchport "Can't use an
> undefined value as a subroutine reference at
> /usr/local/pf/lib/CHI/Driver/DBI.pm line 43." (pfappser
> ver::PacketFence::Controller::Root::end)
> Feb  2 13:26:34 pf httpd_admin: httpd.admin(21612) ERROR:
> [mac:unknown] Caught exception in
> pfappserver::Controller::Node->bulk_restart_switchport "Can't use an
> undefined value as a subroutine reference at
> /usr/local/pf/lib/CHI/Driver/DBI.pm line 43." (pfappser
> ver::PacketFence::Controller::Root::end)
> Feb  2 13:29:02 pf httpd_admin: httpd.admin(21612) ERROR:
> [mac:unknown] Caught exception in
> pfappserver::Controller::Node->bulk_restart_switchport "Can't use an
> undefined value as a subroutine reference at
> /usr/local/pf/lib/CHI/Driver/DBI.pm line 43." (pfappser
> ver::PacketFence::Controller::Root::end)
> Feb  2 13:37:46 pf httpd_admin: httpd.admin(21612) INFO: [mac:unknown]
> Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Feb  2 13:38:57 pf httpd_admin: httpd.admin(21612) INFO: [mac:unknown]
> Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
> Hard expiring resource : config::Profiles (pfconfig::manager::expire)
> Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
> Connecting to MySQL database (pfconfig::backend::mysql::_get_db)
> Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
> Expiring child resource FilterEngine::Profile. Master resource is
> config::Profiles (pfconfig::manager::expire)
> Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
> Hard expiring resource : FilterEngine::Profile (pfconfig::manager::expire)
> Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
> Expiring child resource resource::URI_Filters. Master resource is
> config::Profiles (pfconfig::manager::expire)
> Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
> Hard expiring resource : resource::URI_Filters (pfconfig::manager::expire)
> Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) ERROR:
> [mac:unknown] OK (pf::ConfigStore::commit)
>
> So with my basic understanding I assumed there is a MAC passing, or
> MAC to switchport mapping issue.  Checking the node MAC address ->
> location tab, does show up to date session information :-/
>
> Any ideas!?
>
> Many thanks in advance,
>
> David
>
>
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-02-06 Thread Fabrice Durand via PacketFence-users
Hello Tom,

Sorry, this is a really busy period.

What we can try in order to find the issue is to put the log in debug; since it
looks like it is on the portal that you have the issue, we can try it first.

So in conf/log.conf.d/httpd.portal.conf, replace INFO with TRACE (2nd
line) and restart the portal.

Once done, do another test and paste me the log (probably a huge amount
of lines).

Regards

Fabrice


On 2018-02-02 at 07:19, tom lo wrote:
> Hi Fabrice,
>
> Just to see if you have any idea or suggestions for us to troubleshoot
> the issues.
>
>
>
> Regards,
> Tom
>
> On Thu, Jan 25, 2018 at 12:21 PM, tom lo  wrote:
>> Hi Fabrice,
>>
>> Here is the content from the log file httpd.portal.access when the
>> user hit the portal.
>>
>>
>> 172.18.x.y - - [23/Jan/2018:11:31:37]  "captive.apple.com" "GET
>> /hotspot-detect.html HTTP/1.0" 302 1080 "-"
>> "CaptiveNetworkSupport-355.30.1 wispr" 4896
>> 172.18.x.y - - [23/Jan/2018:11:32:22]  "www.apple.com" "GET /
>> HTTP/1.1" 302 1101 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like
>> Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 5069
>> 172.18.x.y - - [23/Jan/2018:11:32:22]  "byod.a_domain.com" "GET
>> /captive-portal?destination_url=http://www.apple.com/&; HTTP/1.1" 200
>> 31211 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2823405
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/styles.css HTTP/1.1" 200 22524
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 8248
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /content/captiveportal.js HTTP/1.1" 200 2771
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 2990
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/pf.js HTTP/1.1" 200 4259
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 4216
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/A_Logo_Black_trans_med.png HTTP/1.1" 200 6418
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 3465
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/jquery-1.11.3.min.js HTTP/1.1" 200 95957
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 19690
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "GET
>> /common/img/sprite.svg HTTP/1.1" 200 27622
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 6047
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "byod.a_domain.com" "POST
>> /record_destination_url HTTP/1.1" 200 -
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 35716
>> 172.18.x.y - - [23/Jan/2018:11:32:25]  "www.apple.com" "GET
>> /library/test/success.html HTTP/1.0" 302 1080 "-"
>> "CaptiveNetworkSupport-355.30.1 wispr" 4852
>> 172.18.x.y - - [23/Jan/2018:11:33:26]  "www.apple.com" "GET
>> /library/test/success.html HTTP/1.0" 302 1080 "-"
>> "CaptiveNetworkSupport-355.30.1 wispr" 4972
>> 172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "POST
>> /signup HTTP/1.1" 302 294
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 210063
>> 172.18.x.y - - [23/Jan/2018:11:33:26]  "byod.a_domain.com" "GET
>> /captive-portal HTTP/1.1" 302 286
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 52410
>> 172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
>> /access HTTP/1.1" 200 6351
>> "https://byod.a_domain.com/captive-portal?destination_url=http://www.apple.com/&";
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X)
>> AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C202" 51125
>> 172.18.x.y - - [23/Jan/2018:11:33:27]  "byod.a_domain.com" "GET
>> /content/timerbar.js

Re: [PacketFence-users] PFCMD Violation ADD & TRIGGER Clarification

2018-02-06 Thread Fabrice Durand via PacketFence-users
Hello Scott,

It looks like a bug in PacketFence; can you open an issue on GitHub?
https://github.com/inverse-inc/packetfence

Regards

Fabrice



On 2018-02-01 at 15:05, Scott Bodeen via PacketFence-users wrote:
> Hello all,
>
> I've spent a good part of the day looking through the PF manuals and
> doing online searches to find out what exactly is the difference
> between adding a violation and triggering a violation using pfcmd.  I
> have not been successful.
>
> Through my own experimenting, I've found that if I add a violation to
> a device, all other devices belonging to the owner are put in to a
> REJECT role when in registration.  When I trigger a violation, only
> that one device is blocked and all other devices belonging to the
> owner are not affected.
>
> Is what I have mentioned above the intended outcome of add & trigger? 
> If so, is this documented anywhere?  If not, could it be added to the
> administrator's manual?
>
> Thanks for any help
>
> -- 
> Scott R. Bodeen
> Network Administrator
> Regional School Unit 1
> 207.443.8253
>
> /The information transmitted herein is intended only for the person or
> entity to which it is addressed and may contain confidential and/or
> privileged material.  If you received this in error, please contact
> the sender and delete the e-mail and any attachments from any computer./


Re: [PacketFence-users] R: R: R: No client IP update in cluster

2018-01-31 Thread Fabrice Durand via PacketFence-users
Hello Luca,

DHCP is UDP traffic, so it's not really easy to load balance.

Btw there is a pull request on github for that:

https://github.com/inverse-inc/packetfence/pull/2887

Regards

Fabrice




On 2018-01-31 at 03:40, luca comes via PacketFence-users wrote:
> Hi Fabrice,
> I checked and what I can see is that pfdhcplistener is populated only
> on the master machine. The other 2 nodes have empty queues. The cluster
> doesn't balance over all the nodes? Should I tune some parameters?
>
> Luca
>
>
> 
> *From:* Durand fabrice via PacketFence-users
> *Sent:* Tuesday, January 30, 2018 01:04
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] R: R: No client IP update in cluster
>  
>
> It looks like you probably have a high number of jobs waiting in the
> queue; take a look at the admin GUI to see how many.
>
>
> On 2018-01-25 at 11:24, luca comes via PacketFence-users wrote:
>> Hi Fabrice,
>> I then installed dhcp forwarder on my DHCP and I can see traffic
>> arrive with tcpdump. The client IP on the GUI has changed but after a
>> long long time. It's strange because in a standalone configuration
>> this feature was really quick. Is there something else I can check?
>>
>> Thanks
>>
>> Luca
>>
>> 
>> *From:* Durand fabrice via PacketFence-users
>> *Sent:* Tuesday, January 23, 2018 03:46
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Durand fabrice
>> *Subject:* Re: [PacketFence-users] R: No client IP update in cluster
>>  
>>
>> Hello Luca,
>>
>>
>> it's also available for Linux:
>> https://github.com/inverse-inc/packetfence-dhcp-forwarder/tree/master/dhcp-forwarder
>> so you can install it on each cluster's member.
>>
>>
>> On 2018-01-22 at 10:34, luca comes via PacketFence-users wrote:
>>> Hi Fabrice,
>>> I'm using a cluster of ISC DHCPD on CentOS 7 so I think I can't use
>>> your dhcp forwarder. I understand it is only for Windows, isn't it?
>>> Anyway I did a test: when the client changes role it sends a dhcp
>>> request to the server:
>>>
>>> [root@dhcp01 ~]# tail -f /var/log/dhcp/dhcpd.log | grep
>>> 00:9c:02:92:ea:b0
>>> Jan 22 12:23:54 dhcp01 dhcpd: DHCPACK to 172.20.251.192
>>> (00:9c:02:92:ea:b0) via ens160
>>> Jan 22 12:24:00 dhcp01 dhcpd: DHCPREQUEST for 172.20.251.192 from
>>> 00:9c:02:92:ea:b0 (LAB3-NB) via 192.168.167.1: wrong network.
>>> Jan 22 12:24:00 dhcp01 dhcpd: DHCPNAK on 172.20.251.192 to
>>> 00:9c:02:92:ea:b0 via 192.168.167.1
>>> Jan 22 12:24:00 dhcp01 dhcpd: DHCPDISCOVER from 00:9c:02:92:ea:b0
>>> via 192.168.167.1
>>> Jan 22 12:24:01 dhcp01 dhcpd: DHCPOFFER on 192.168.167.190 to
>>> 00:9c:02:92:ea:b0 (LAB3-NB) via 192.168.167.1
>>> Jan 22 12:24:01 dhcp01 dhcpd: DHCPREQUEST for 192.168.167.190
>>> (172.27.112.17) from 00:9c:02:92:ea:b0 (LAB3-NB) via 192.168.167.1
>>> Jan 22 12:24:01 dhcp01 dhcpd: DHCPACK on 192.168.167.190 to
>>> 00:9c:02:92:ea:b0 (LAB3-NB) via 192.168.167.1
>>>
>>> Instead I can't see any packet on the pfdhcplistener for that MAC
>>> address. The strange thing is that it is receiving traffic from the
>>> DHCP on port 767. At the moment I put a helper address on the
>>> switch so a copy of the traffic is sent directly to the
>>> pfdhcplistener and the client IP is updated. It's always shown as
>>> offline but I don't understand why.
>> If you didn't install the forwarder, from where do you receive the
>> copy of the dhcp traffic on the port 767?
>> Also inline/offline is based on the accounting, not from the dhcp.
>>
>> Regards
>> Fabrice
>>
>>>
>>> Luca
>>>
>>> Sent from Outlook
>>>
>>> *From:* Durand fabrice via PacketFence-users
>>> *Sent:* Saturday, January 20, 2018 03:21
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* Durand fabrice
>>> *Subject:* Re: [PacketFence-users] No client IP update in cluster
>>>  
>>>
>>> Hello Lucas,
>>>
>>>
>>> first use that instead:
>>>
>>> https://github.com/inverse-inc/packetfence-dhcp-forwarder
>>>
>>>
>>> And there is no listening process on UDP 767 but pfdhcplistener
>>> capture the traffic on 67/68 and 767.
>>>
>>> If you tail pfdhcplistener on the server where the VIP is, do you
>>> see some updates from the production dhcp server?
>>>
>>> Also do a capture on the management interface to see if you receive
>>> something on the port 767. (tshark -i eth0 -f "port 767")
>>>
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> On 2018-01-18 at 09:43, luca comes via PacketFence-users wrote:
>>>> Hi all,
>>>> I've migrated my single node infrastructure to a 3 node cluster. At
>>>> the moment I'

Re: [PacketFence-users] packetfence 7.4 + Authentication Sources

2018-01-31 Thread Fabrice Durand via PacketFence-users
Hello Will,

Yes, I saw that on my setup and we will push a fix in the maintenance.

Regards

Fabrice



On 2018-01-31 at 08:00, Will Halsall via PacketFence-users wrote:
>
> Hi Folks,
>
>  
>
> Adding an Associated Realms to any of my Authentication Sources causes
> the test connection to fail with the following error *Error!*
> Unexpected error. See server-side logs for details.
>
>  
>
> Without an Associated Realms everything works fine
>
>  
>
> This is not causing me a problem but was just wondering about it
>
>  
>
>  
>
> Thanks
>
>  
>
>  
>
> WillH
>
>  
>
>  
>
>  
>
> 
>
> This message is intended only for the use of the person(s) to
> whom it is addressed, and may contain privileged and confidential
> information.
> If it has come to you in error, please contact the sender as soon as
> possible,
> and note that you must take no action based on the content, nor must
> you copy,
> distribute, or show the content to any other person.
>
>
> In accordance with its legal obligations, Farnborough College of
> Technology reserves the right to monitor the content of e-mails sent and
> received, but will not do so routinely.


Re: [PacketFence-users] All authentication failed with error "No EAPsession matching state xxxx"

2018-01-31 Thread Fabrice Durand via PacketFence-users
Hello Yan,


On 2018-01-31 at 00:28, Yan wrote:
>
> Hi dear users,
>
> After a whole night's analysis, we found it's pf that takes too much
> time processing authentication requests if the QPS is too high and
> hangs all radius requests later, and then Aruba AC meets the radius
> timeout setting and re-sends the same radius access request to pf
> while pf just sent out the first radius accept packet and then
> received the same request; it will respond accept for a second time
> and then delete the state id, but Aruba AC might have waited for
> another 5 seconds and sent a radius request for a third time, and this
> time pf finds no state id matching this session and just responds
> reject... And then more and more reject responses will cause users to
> re-connect wireless and the QPS is much more... It's a bad circle...
>
>
> We find pf has below bottlenecks at least to lead to the hang issue:
>
> 1.Mysql query is too slow.
>
Most of the time it's because you receive too many accounting packets
(try to disable it) or because there is too much I/O.
>
> 2."curl" keeps calling httpd service and it's very slow.
>
Where do you see curl? FreeRADIUS uses the rest module to talk to the
webservice.
>
> 3."doperl" is too slow.
>
Not really, it depends on how you configured PacketFence; let's say you have
an LDAP source but it takes 600ms to do a search, then the radius answer
will be slow.
>
> 4."ntlm_auth" process is too slow.
>
Probably because the AD is too slow to answer; btw you can use the NTLM
cache for that.
>
>
>
> 5.A device will try to connect again if radiusd crashes or restarted
> or meets its max requests
>

>
> But we don't find which configuration will solve this issue yet. Is
> there any suggestion on how to change configuration to handle this
> performance issue ? Or any basic directions on how to adjust the
> parameters to handle 200 QPS,500 QPS and 2000 QPS ?
>
>
We have setups that handle millions of requests per day without any
issues; check the graphs like radius latency and also have a look at
http://mgmt_ip:9000 and try to find where it takes time.
Btw if you want us to check your setup, you can ask for support
with Inverse and it will be a pleasure to help you.
Regards
Fabrice

> Any response is appreciated. Thank you very very much.
>



Re: [PacketFence-users] Packetfence Authentication Issue.

2018-01-30 Thread Fabrice Durand via PacketFence-users
Hello Rana,

In fact you first need to choose clear text or mschap to store the local
user password (it's bcrypt by default).

Next, if it is still not working, then run radius in debug mode and send me
the debug.

Regards

Fabrice



On 2018-01-30 at 09:28, Rana, Vijaykumar via PacketFence-users wrote:
>
>  
>
> Hello,
>
> I have set up a packetfence server and configured a Switch(Dell
> S3048-ON) connected to it. Now I am trying to authenticate a local
> machine and it works for the credentials in the packetfence database.
>
> I have also setup a htpasswd file which I have added to the
> Authenticating Sources. So if I do the following test:
>
> *pftest authentication user passwd*
>
> I get authentication successful against the htpasswd file. But when I
> use the same credentials to login from my local machine it does not work.
>
>  
>
> Also in the packetfence-tunnel file I have uncommented the line,
> *packetfence-local-auth, *but still it doesn’t work.
>
>  
>
> Please help me out and let me know if there is any additional
> configuration required.
>
>  
>
> Thank you.
>
>  
>
> Best regards,
>
> Vijaykumar Rana


Re: [PacketFence-users] Packetfence 7.4

2018-01-30 Thread Fabrice Durand via PacketFence-users
Hello Will,

this is a limitation of your OS,
https://www.cyberciti.biz/faq/linux-increase-the-maximum-number-of-open-files/

Regards

Fabrice



On 2018-01-30 at 09:19, Will Halsall via PacketFence-users wrote:
>
> Hi Folks,
>
>  
>
>  
>
> I just noticed these errors reported in our logs. I am not sure when
> they started.
>
>  
>
> redis_ntlm_cache.log:Jan 30 12:53:29 packetfence
> redis-ntlm-cache[27687]: Redis can't set maximum open files to 10032
> because of OS error: Operation not permitted.
>
>  
>
> redis_queue.log:Jan 30 12:53:02 packetfence redis-queue[27235]: Redis
> can't set maximum open files to 10032 because of OS error: Operation
> not permitted.
>
>  
>
>  
>
> Thanks
>
>  
>
>  
>
>  
>
> Will


Re: [PacketFence-users] Read Only Unregistered Nodes

2018-01-25 Thread Fabrice Durand via PacketFence-users
Can I have your adminroles.conf file?

Regards

Fabrice



On 2018-01-25 at 09:49, Jeremy Plumley wrote:
>
> I’m attempting to setup a custom Admin Role in the webgui under
> Configuration | System Configuration | Admin Access. I cloned Node
> Manager into a new Admin Role called Desktop Node Mgmt. When I try to
> restrict the “Allowed node options” to specific roles my Admin users
> are unable to register a node that has “no role” selected. They show
> up as read only. My goal is to have two groups, one that can approve
> for any role and one that has restrictions to a handful of roles. Hope
> that makes more sense.
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, January 25, 2018 9:43 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand 
> *Subject:* Re: [PacketFence-users] Read Only Unregistered Nodes
>
>  
>
> Hello Jeremy,
>
> I am not sure I understand; you mix device role and administration
> access, which are completely different.
>
> Regards
> Fabrice
>
> E-Mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and shall be disclosed to third
> parties when required by the statutes (G.S. 132-1.) 



Re: [PacketFence-users] Aruba Switch Network Configuration

2018-01-25 Thread Fabrice Durand via PacketFence-users
Hello Jeremy,

It looks like the Aruba HPE 2930M supports CoA
(http://www.arubanetworks.com/assets/ds/DS_2930MSwitchSeries.pdf).

So it should be cool to add the support in PacketFence.

Regards

Fabrice



On 2018-01-25 at 09:25, Jeremy Plumley via PacketFence-users wrote:
>
> Just wanted to share my config for the Aruba HPE 2930M switch I’m
> testing. All appears to be working for my needs. I ended up defining
> my switch in Packetfence as a “HP::Procurve_2920” in order for it to
> work properly. In addition, it must use SNMP as deauth method.
>
>  
>
> #Radius/SNMP Config#
>
> radius-server host  dyn-authorization
>
> radius-server host  key 
>
> aaa server-group radius "packetfence" host 
>
> aaa accounting network start-stop radius server-group "packetfence"
>
> aaa authentication port-access eap-radius server-group "packetfence"
>
> aaa authentication mac-based chap-radius server-group "packetfence"
>
> ip source-interface radius vlan 
>
> snmpv3 user 
>
> snmpv3 group managerpriv user  sec-model ver3
>
> snmpv3 enable
>
> snmpv3 only
>
> snmpv3 restricted-access
>
>  
>
> #Port Config#
>
> aaa port-access authenticator active
>
> aaa port-access authenticator 
>
> aaa port-access authenticator  client-limit  on port>
>
> aaa port-access mac-based 
>
> aaa port-access mac-based  addr-moves
>
> aaa port-access mac-based  reauth-period 14400
>
> aaa port-access mac-based  addr-limit 
>
> aaa port-access  controlled-direction in
>
>  
>
> #show run interface#
>
>  
>
> interface 1/1
>
>    tagged vlan 
>
>    untagged vlan 
>
>    lldp enable-notification
>
>    lldp config dot1TlvEnable vlan-name
>
>    aaa port-access authenticator
>
>    aaa port-access authenticator client-limit 5
>
>    aaa port-access mac-based
>
>    aaa port-access mac-based addr-limit 5
>
>    aaa port-access mac-based addr-moves
>
>    aaa port-access mac-based reauth-period 14400
>
>    aaa port-access controlled-direction in
>
>    spanning-tree admin-edge-port
>
>    spanning-tree loop-guard bpdu-protection
>
>    exit
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
> E-Mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and shall be disclosed to third
> parties when required by the statutes (G.S. 132-1.)
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Re: Image broken in PF status dashboard

2018-01-25 Thread Fabrice Durand via PacketFence-users
yum update libdrm is supposed to fix the issue.



On 2018-01-25 at 09:00, Yan wrote:
> Hi Fabrice,
> It seems to be the same issue you said. The error is as below. I ran
> "yum --exclude=collectd* update" but the image is still broken. Is
> there any other way to fix it?
>
> Python 2.7.5 (default, Nov 20 2015, 02:00:19)
> [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import cairo
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib64/python2.7/site-packages/cairo/__init__.py", line 1, in <module>
>     from _cairo import *
> ImportError: /lib64/libgbm.so.1: undefined symbol: drmGetDevice

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Read Only Unregistered Nodes

2018-01-25 Thread Fabrice Durand via PacketFence-users
Hello Jeremy,

I am not sure I understand; you are mixing device role and administration
access, which are completely different.

Regards
Fabrice

On 2018-01-25 at 08:48, Jeremy Plumley via PacketFence-users wrote:
>
> Wanted to follow up on this and see if there is a way to add “no role”
> access so I can create role limitations for admin users.
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
>  
>
> *From:* Jeremy Plumley via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, January 10, 2018 3:44 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Jeremy Plumley 
> *Subject:* Re: [PacketFence-users] Read Only Unregistered Nodes
>
>  
>
> I found that by removing my select roles limitations and allowed all
> roles it started working again. Seems brand new nodes that show up as
> unregistered start with “no role.” This is what was causing an issue
> and appearing read only. Is there a way to allow “no role” access if
> you decide to restrict node manager roles. Thanks.
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
> E-Mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and shall be disclosed to third
> parties when required by the statutes (G.S. 132-1.)
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Problem with Certificates

2018-01-25 Thread Fabrice Durand via PacketFence-users
Hello Hubert,

it will be:

cat server.crt intermediate1.cert intermediate2.crt server.key > server.pem

Regards
Fabrice

On 2018-01-25 at 08:40, Hubert Kupper via PacketFence-users wrote:
> Hello Fabrice,
>
> thanks. I did: cat server.crt server.key > server.pem. Now packetfence
> starts and the registration page pops up. How can I add the ca chain?
>
> Best regards,
> Hubert
>
> On 25.01.2018 at 03:22, Durand fabrice via PacketFence-users wrote:
>> Hello Hubert,
>>
>> Haproxy terminates the ssl connection, so the certificate must be used
>> by haproxy.
>>
>> Take a look there
>> https://github.com/inverse-inc/packetfence/blob/devel/Makefile#L78 to
>> see how to do it.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2018-01-23 at 00:26, Hubert Kupper via PacketFence-users wrote:
>>> Hello,
>>>
>>> we have the following problem:
>>> We want to replace the packetfence certs with certs from our PKI
>>> provider because the security warnings confuse some of our users. We
>>> copied the certs to /conf/ssl, checked
>>> /conf/httpd.conf.d/ssl-certificates.conf and the hostname in
>>> pf.conf. All seems to be ok. After restarting packetfence the
>>> registration page for the users doesn't pop up. Packetfence.log
>>> shows no entries. When we use the original certs from packetfence,
>>> the registration page pops up and all things are fine. Did we forget
>>> a step when changing the certs?
>>>
>>> Regards,
>>> Hubert
>>>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
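
The bundle from the reply above, built and checked before haproxy is restarted. This is an added example, not PacketFence's own tooling: the function names are hypothetical, the file names are the ones used in the thread, and key_matches_leaf assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: build and lint the haproxy PEM bundle described in the thread.
# File names come from the thread; the function names are hypothetical.

# Concatenate the given PEM files into $1. The bundle holds the private key,
# so it is left readable by its owner only.
build_bundle() {
    out=$1
    shift
    ( umask 077 && cat "$@" > "$out" && chmod 600 "$out" )
}

# Print the PEM block types in file order, one per line: CERT or KEY.
pem_block_order() {
    awk '
        /^-----BEGIN CERTIFICATE-----/           { print "CERT" }
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { print "KEY" }
    ' "$1"
}

# Check the layout given in the thread: certificate(s) first, one private key
# last. Prints a one-line verdict; returns 0 if the layout is fine, 1 if not.
check_bundle_layout() {
    awk '
        /^-----BEGIN CERTIFICATE-----/           { certs++; if (keys) late = 1 }
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { keys++ }
        END {
            if (certs + keys == 0) { print "no PEM blocks found"; exit 1 }
            if (certs == 0) { print "no certificate in bundle"; exit 1 }
            if (keys != 1) {
                print "expected exactly one private key, found " (keys + 0)
                exit 1
            }
            if (late) { print "private key is not the last block"; exit 1 }
            print "ok: " certs " certificate(s) followed by the private key"
        }
    ' "$1"
}

# Compare the public key of the first certificate in the bundle (the server
# certificate) with the public key derived from the private key.
# Needs the openssl CLI; an encrypted key will prompt for its passphrase.
# Returns 0 on match, 1 on mismatch, 2 if openssl cannot read the file.
key_matches_leaf() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Run both checks on a bundle.
lint_bundle() {
    check_bundle_layout "$1" || return 1
    key_matches_leaf "$1" || {
        echo "server certificate and private key do not match (or openssl failed)"
        return 1
    }
}

# Usage (file names from the thread):
#   build_bundle server.pem server.crt intermediate1.cert intermediate2.crt server.key
#   lint_bundle server.pem
```

The layout check only looks at PEM block order; whether the intermediates actually chain to the server certificate still has to be confirmed from a client.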




Re: [PacketFence-users] Problem getting Radius MacAuth to work.

2018-01-25 Thread Fabrice Durand via PacketFence-users


On 2018-01-25 at 05:41, Schenkelberg, Martin via PacketFence-users wrote:
>
> Hello all, I hope you can give me a hint of what I'm doing wrong.
>
>  
>
> We are evaluating to use PacketFence 7.3.0 Zen to authenticate users
> connecting to our lan and wifi infrastructure and to assign them the
> right vlans. (Guest / Productive ….)
>
>  
>
> For Wifi we use a Cisco Wlc and everything works fine.
>
>  
>
> For LAN Access we use different HP / ARUBA Switches.
>
>  
>
> One Switch (Aruba 2530-24g) works fine with SNMP (Link Up Down);
> unknown users will be redirected to the portal and after login the
> right vlan is assigned to the switch port.
>
You should use 802.1x/mac auth.
>
>  
>
> Now I try to do the same with a HP 5130 Series Switch which is a
> rebranded H3C Switch using Comware OS.
>
>  
>
> I followed the H3C section of the Network Device Configuration Guide
> to configure my Switch but I'm not able to get it to work.
>
>  
>
> If I plug in a network device I receive the following log messages:
>
>  
>
> *Switch Console: *
>
> %Jan 25 11:23:33:305 2018 Testswitch MACA/6/MACA_LOGIN_FAILURE:
> -IfName=GigabitEthernet1/0/1-MACAddr=98e7-f48e-3c2f-VLANId=200-UserName=98e7f48e3c2f-UserNameFormat=MAC
> address; The user failed the MAC address authentication.
>
>  
>
> *Packetfence.log:*
>
> PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(3450) INFO:
> [mac:[undef]] User 98e7f48e3c2f tried to login in 172.20.14.66 but
> authentication failed (pf::radius::switch_access)
>
>  
>
>  
>
> *Radius.log:*
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Closing
> connection (320): Hit idle_timeout, was idle for 68 seconds
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR: Server
> returned:
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR:
> {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication
> failed on PacketFence"}
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections
> to reach 10 spares
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Opening
> additional connection (324), 1 of 58 pending slots used
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Closing
> connection (322): Hit idle_timeout, was idle for 68 seconds
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections
> to reach 10 spares
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Opening
> additional connection (326), 1 of 58 pending slots used
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: [mac:98-E7-F4-8E-3C-2F]
> Rejected user: 98e7f48e3c2f
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) Rejected in
> post-auth: [98e7f48e3c2f] (from client 172.20.14.66 port 16781512 cli
> 98-E7-F4-8E-3C-2F)
>
>  
>
>  
>
> *Radius Debug Log: (There is an Error 500 inside regarding REST)*
>
>
> [root@PacketFence-ZEN radius]# raddebug -f
> /usr/local/pf/var/run/radiusd.sock -t 300
>
> (76) Thu Jan 25 08:28:15 2018: Debug: Received Access-Request Id 160
> from 172.20.14.66:39936 to 172.20.1.230:1812 length 166
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   User-Name = "98e7f48e3c2f"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   User-Password = "98e7f48e3c2f"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Service-Type = Call-Check
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Identifier = "Testswitch"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port = 16781512
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Type = Ethernet
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Calling-Station-Id =
> "98-E7-F4-8E-3C-2F"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Called-Station-Id =
> "5C-8A-38-D8-B7-45"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Id =
> "slot=1;subslot=0;port=1;vlanid=200"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-IP-Address = 172.20.14.66
>
> (76) Thu Jan 25 08:28:15 2018: Debug: # Executing section authorize
> from file /usr/local/pf/raddb/sites-enabled/packetfence
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   authorize {
>
> (76) Thu Jan 25 08:28:15 2018: Debug: update {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   EXPAND
> %{Packet-Src-IP-Address}
>
> (76) Thu Jan 25 08:28:15 2018: Debug:  --> 172.20.14.66
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   EXPAND %l
>
> (76) Thu Jan 25 08:28:15 2018: Debug:  --> 1516868895
>
> (76) Thu Jan 25 08:28:15 2018: Debug: } # update = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug: policy
> rewrite_calling_station_id {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   if (&Calling-Station-Id &&
> (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   if (&Calling-Station-Id &&
> (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))

Re: [PacketFence-users] Number of devices to connect to the network

2018-01-25 Thread Fabrice Durand via PacketFence-users


On 2018-01-25 at 04:04, E.P. wrote:
>
> One more stupid question from me, Fabrice, regarding the same subject :)
>
> How is the role assigned to the user session?
>
It's with the source's rules, like you did with the staff role.
Let's say you hit the portal, then fill in b...@options.bc.ca and use the AD
source to authenticate; then if a rule matches, it will assign a role
and an access duration.
>
> I don’t see it in the debugs output but I see it in the results of the
> pftest like I showed it before
>
> Am I supposed to see it in the RADIUS reply message or somewhere in the
> debug outputs?
>
In radius you will see the vlan id of the staff role.
A source assigns a role and an access duration; a switch configuration
will convert the role to a vlan id (role tab in switch config).

> Still trying to implement the limitation of devices that the staff
> user is supposed to connect.
>
>  
>
>  
>
> And finally, when will the node become registered ? As far as I
> understand it doesn’t have anything to do with a user that owns it and
> successfully authenticates using dot1x supplicant?
>
> Just wondering if we can have hosts/nodes registered after VLAN
> assignment to dot1x session ?
>
Create a connection profile with a filter SSID = secure ssid and check
autoregister 802.1x then add your AD source in the connection profile.
It will autoreg your device and assign the role that the rule of your AD
source returned.
Regards
Fabrice

>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Friday, January 19, 2018 6:05 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Number of devices to connect to the
> network
>
>  
>
> In your AD authentication source, create a rule that matches a staff
> group and assign the staff role and an access duration. (memberof
> equal cn=staff,dc=...)
>
> Regards
>
> Fabrice
>
>  
>
> On 2018-01-17 at 01:07, E.P. wrote:
>
> Great!
>
> That confirms my train of thought. But it is still not clear to me
> how will it affect the user that authenticates against AD.
>
> Yes, I have created a new role, called “staff” and yes, I have set
> a limit of 2 devices for this role.
>
> Then, the end-user just connects to SSID, authenticates and gets
> on the network. How would I assign the user to the “staff” role?
>
> Is this where provisioners come to help ?
>
>  
>
> Eugene
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, January 16, 2018 6:42 AM
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Number of devices to connect to
> the network
>
>  
>
> Hello Eugene,
>
> this is exactly where you have to control that.
>
> So just set a limit on the roles where you want to limit the
> number of devices per users.
>
> Regards
>
> Fabrice
>
>  
>
> On 2018-01-16 at 02:01, E.P. via PacketFence-users wrote:
>
> It sounds close to the number of devices/nodes a user can
> register which is configurable under Configuration-Policies
> and access control-Roles, but we don’t allow this luxury to
> anyone yet. Just regular network admission control based on
> the active AD account
>
>  
>
> *From:*E.P. [mailto:ype...@gmail.com]
> *Sent:* Monday, January 15, 2018 10:54 PM
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Number of devices to connect to the network
>
>  
>
> Guys,
>
> We are still at the early phases of PF deployment and only now
> looking into AD based authentication for wireless devices
>
> Is there any way to limit the number of user devices that can
> be connected by one user?
>
> Let’s say the user uses his/her laptop and roams around remote
> sites where we provide WiFi with WPA2-Enterprise and we also
> allow him/her use the phone (iPhone/Android). No more devices
> to connect
>
>  
>
> Eugene
>
>  
>
>  
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] NULL realm

2018-01-25 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

In fact the REALM is used in 2 cases. If you add the option STRIP in the
realm config and restart radius, then you will see that radius will strip it.

When you assign a REALM to a domain, then if the realm matches it will
use the domain you define (options.bc.ca -> use AD OPTIONS) in
freeradius to do ntlm_auth.

Next, you can associate a realm with an authentication source, so if you
created a connection with multiple sources and you fill in the
username with b...@options.bc.ca, then the first source with options.bc.ca
enabled will be used (same if you do autoreg 802.1x).

So in your case, because there is just one AD, you can just assign the
DEFAULT realm to your AD domain.


Regards

Fabrice




On 2018-01-25 at 03:49, E.P. wrote:
>
> Thanks, Fabrice.
>
> Found it and deleted NULL realm from this file and it is gone from the
> webpage.
>
> But essentially this is not what I wanted to achieve.
>
> And perhaps there’s something I don’t understand.
>
> I thought that without the NULL realm the processing of realms will
> skip it and it will match my realm – options.bc.ca which is in the end
> of the list of realms.
>
> Still, if I authenticate as it.tech and I see in the debug of radius
> that it uses NULL realm.
>
> If I authenticate as it.t...@options.bc.ca
> I see that the correct realm is used.
>
> But both authentication attempts go through. What is the use of the
> options.bc.ca realm then?
>
> It looks like with only one AD in our organization we may easily
> disregard it ?
>
>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, January 24, 2018 6:34 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] NULL realm
>
>  
>
> Hello Eugene,
>
> the NULL realm is located in realm.conf.defaults
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2018-01-23 at 14:14, E.P. via PacketFence-users wrote:
>
> Guys,
>
> I wonder if I can make PF bypass NULL realm processing?
>
> The reason is that we want to use only the user ID in the username
> field.
>
> If we use like this then the authentication attempt hits NULL realm.
>
> I tried to remove it from PF GUI but it still stays there.
>
> Interesting that it is not listed in the realm.conf file
>
>  
>
> ++
>
> [root]@[PacketFence-ZEN conf]#cat realm.conf
>
> [DEFAULT]
>
> domain=optionsas
>
> options=strip
>
>  
>
> [options]
>
> domain=optionsad
>
>  
>
> [options.bc.ca]
>
> domain=optionsad
>
> +
>
>  
>
> Eugene
>
>
>
>
> 
>
>  
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Re: Image broken in PF status dashboard

2018-01-25 Thread Fabrice Durand via PacketFence-users
Hello Yan,

try that:

fdurand@oeufdure:~$ python
Python 2.7.12 (default, Nov 20 2017, 18:23:56)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cairo


And give me the error.

Also it can be this bug:
https://github.com/inverse-inc/packetfence/issues/2868

Regards
Fabrice

On 2018-01-25 at 03:34, Yan wrote:
> Hi Fabrice,
>
> Below attached is error detail. Any solution on this ?
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 99, in get_response
>     resolver_match = resolver.resolve(request.path_info)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
>     sub_match = pattern.resolve(new_path)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
>     sub_match = pattern.resolve(new_path)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 223, in resolve
>     return ResolverMatch(self.callback, args, kwargs, self.name)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 230, in callback
>     self._callback = get_callable(self._callback_str)
>   File "/usr/lib/python2.7/site-packages/django/utils/functional.py", line 32, in wrapper
>     result = func(*args)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 97, in get_callable
>     mod = import_module(mod_name)
>   File "/usr/lib/python2.7/site-packages/django/utils/importlib.py", line 40, in import_module
>     __import__(name)
>   File "/usr/lib/python2.7/site-packages/graphite/render/views.py", line 34, in <module>
>     from graphite.render.evaluator import evaluateTarget, extractPathExpressions
>   File "/usr/lib/python2.7/site-packages/graphite/render/evaluator.py", line 72, in <module>
>     from graphite.render.functions import SeriesFunctions,NormalizeEmptyResultError
>   File "/usr/lib/python2.7/site-packages/graphite/render/functions.py", line 34, in <module>
>     from graphite.render.glyph import format_units
>   File "/usr/lib/python2.7/site-packages/graphite/render/glyph.py", line 20, in <module>
>     import cairocffi as cairo
> ImportError: No module named cairocffi
>
> After I run "pip install cairocffi" and "pip install constants" the issue is
> still there.
>
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 99, in get_response
>     resolver_match = resolver.resolve(request.path_info)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
>     sub_match = pattern.resolve(new_path)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
>     sub_match = pattern.resolve(new_path)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 223, in resolve
>     return ResolverMatch(self.callback, args, kwargs, self.name)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 230, in callback
>     self._callback = get_callable(self._callback_str)
>   File "/usr/lib/python2.7/site-packages/django/utils/functional.py", line 32, in wrapper
>     result = func(*args)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 97, in get_callable
>     mod = import_module(mod_name)
>   File "/usr/lib/python2.7/site-packages/django/utils/importlib.py", line 40, in import_module
>     __import__(name)
>   File "/usr/lib/python2.7/site-packages/graphite/render/views.py", line 34, in <module>
>     from graphite.render.evaluator import evaluateTarget, extractPathExpressions
>   File "/usr/lib/python2.7/site-packages/graphite/render/evaluator.py", line 72, in <module>
>     from graphite.render.functions import SeriesFunctions,NormalizeEmptyResultError
>   File "/usr/lib/python2.7/site-packages/graphite/render/functions.py", line 34, in <module>
>     from graphite.render.glyph import format_units
>   File "/usr/lib/python2.7/site-packages/graphite/render/glyph.py", line 20, in <module>
>     import cairocffi as cairo
>   File "/usr/lib/python2.7/site-packages/cairocffi/__init__.py", line 16, in <module>
>     from . import constants
> ImportError: cannot import name constants

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Number of devices to connect to the network

2018-01-25 Thread Fabrice Durand via PacketFence-users
OK, in this case file an issue on GitHub:
https://github.com/inverse-inc/packetfence/issues


On 2018-01-25 at 03:02, E.P. wrote:
>
> Three different ones ;)
>
> IE 11, Firefox and Chrome.
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Wednesday, January 24, 2018 6:25 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Number of devices to connect to the
> network
>
>  
>
> Weird, I am not able to reproduce it, which browser are you using?
>
> Fabrice
>
>  
>
> On 2018-01-23 at 03:10, E.P. wrote:
>
> I figured it out, Fabrice. Thanks for the ldapsearch tool guidance
> but it was my haste as usual ;)
>
> I set “Matches” parameter to “All” and it turned out that the
> reply for the query against AD returned a membership in more than
> one group.
>
> And of course this condition didn’t evaluate as true. I changed it
> to “Any” and it is all good .
>
>  
>
> I guess Administration rule is not very important here but I found
> that the value for the “Access level” doesn’t show and I tried it
> in two different browsers:
>
>  
>
>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Monday, January 22, 2018 6:59 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Re: [PacketFence-users] Number of devices to connect to
> the network
>
>  
>
> Hello Eugene,
>
> Use adsiedit.msc on the AD in order to have a ldap view of your AD
> and check the exact attribute/values.
>
> On my side I use ldapsearch to fix that sort of issue
> 
> (http://www.vinidox.com/ldap/querying-an-ldap-server-from-the-command-line-with-ldap-utils-ldapsearch-ldapadd-ldapmodify/)
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2018-01-22 at 16:54, E.P. wrote:
>
> I’m observing a weird behavior while doing it, Fabrice.
>
> I did create a rule that should match for just one condition,
> i.e. memberOf
>
>  
>
>  
>
> The user I’m authenticating does belong to Users CN in AD and
> I can authenticate normally, here’s the output of pftest
> authentication it.tech XXX command
>
>  
>
>  
>
> But for some reason rules are not matched. I even tried to set
> the condition to distinguishedName with value taken from AD
>
>  
>
>  
>
> To be like this
>
>  
>
>  
>
>  
>
> What bothers me is that I don’t see any LDAP related details
> coming from AD server while debugging radius and
> authenticating as it.tech user.
>
> Could it be the source of the problem ?
>
>  
>
> Eugene
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Friday, January 19, 2018 6:05 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Re: [PacketFence-users] Number of devices to
> connect to the network
>
>  
>
> In your AD authentication source, create a rule that matches a
> staff group and assign the staff role and an access duration.
> (memberof equal cn=staff,dc=...)
>
> Regards
>
> Fabrice
>
>  
>
>  
>
>  
>
> On 2018-01-17 at 01:07, E.P. wrote:
>
> Great!
>
> That confirms my train of thought. But it is still not
> clear to me how will it affect the user that authenticates
> against AD.
>
>     Yes, I have created a new role, called “staff” and yes, I
> have set a limit of 2 devices for this role.
>
> Then, the end-user just connects to SSID, authenticates
> and gets on the network. How would I assign the user to
> the “staff” role?
>
> Is this where provisioners come to help ?
>
>  
>
> Eugene
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, January 16, 2018 6:42 AM
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Dur

Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-22 Thread Fabrice Durand via PacketFence-users
Hello Tom,

there : https://pf_mgmt:1443/admin/configuration#configuration/main/advanced

Regards
Fabrice

On 2018-01-20 at 19:03, tom lo wrote:
> Hi Durand,
>
> What change should I make on PF to "disable update locationlog on accounting"?
>
>
> Regards,
> Tom
>
> On Sun, Jan 21, 2018 at 4:31 AM, Durand fabrice  wrote:
>> Hello Tom,
>>
>>
>> On 2018-01-20 at 03:02, tom lo wrote:
>>> Hi Durand,
>>>
>>>
>>> Thanks for your reply and please see if my understanding is correct
>>> about the locationlog.
>>> If the locationlog is correct, from mysql, I should see one entry when
>>> a device reach captive portal, and another entry immediately after the
>>> authentication complete, with matching start / end time?
>>> If the locationlog is wrong, the new entry may be missing even the
>>> authentication is completed?
>> In fact when PacketFence receives a radius request, it will update the
>> location log, so just after the registration on the captive portal
>> PacketFence needs to know where the device is to send a disconnection.
>> And if the disconnection succeeds you will see a new entry in the
>> locationlog.
>>>
>>> I checked a log from an issue reported few hours ago. User
>>> "12:34:56:33:22:11" completed the authentication at 11:11am, but there
>>> is no entry about the updated role (staff) for this device until the
>>> user retry the connection at 13:06.  Is this a kind of wrong
>>> locationlog?
>> Yes probably if you see no locationlog entry was found in the log.
>> But it can also be an issue with a cache on the controller, if there is no new
>> radius request each time the device connects on the ssid for example.
>>>
>>> I also found another mysql output for a device which had a smooth VLAN
>>> re-direction in its 1st try. mysql output shows one entry when a
>>> device reaches the captive portal, and another entry after the
>>> authentication completes with matching start / end time.
>>>
>>> Also, for your information, we are using Ruckus ZoneDirector and the
>>> SSID setting is mac-auth.
>>>
>>> I'll check with users in real-time to see about the queue and mysql
>>> output, and let you know the result.
>>>
>>>
>>> The following is the related log / mysql output for the issue reported.
>> Before "Jan 20 11:11:59" do you see "INFO: [mac:12:34:56:33:22:11] handling
>> radius autz request"? If not, then the device is on the registration network
>> but PacketFence never receives the radius request!
>>>
>>> Jan 20 11:11:59 httpd.portal(6296) INFO: [mac:12:34:56:33:22:11]
>>> re-evaluating access (manage_register called)
>>> (pf::enforcement::reevaluate_access)
>>> Jan 20 11:11:59 httpd.portal(6296) WARN: [mac:12:34:56:33:22:11] Can't
>>> re-evaluate access because no open locationlog entry was found
>>> (pf::enforcement::reevaluate_access)
>>> Jan 20 11:15:29 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] Updating
>>> locationlog from accounting request
>>> (pf::api::handle_accounting_metadata)
>>> Jan 20 13:06:53 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] handling
>>> radius autz request...
>>>
>>> select * from locationlog where mac="12:34:56:33:22:11";
>>>
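>>> +-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+
>>> | mac               | switch      | port | vlan | role         | connection_type       | connection_sub_type | dot1x_username    | ssid   | start_time          | end_time            | switch_ip   | switch_mac        | stripped_user_name | realm | session_id |
>>> +-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+
>>> | 12:34:56:33:22:11 | 172.18.4.61 | 0    | 50   | staff        | Wireless-802.11-NoEAP | NULL                | 12:34:56:33:22:11 | SSID_A | 2018-01-20 13:06:53 | -00-00 00:00:00     | 172.18.4.61 | 11:22:33:44:55:0d | 12:34:56:33:22:11  | null  | NULL       |
>>> | 12:34:56:33:22:11 | 172.18.4.61 | 0    | 501  | registration | Wireless-802.11-NoEAP | NULL                | 12:34:56:33:22:11 | SSID_A | 2018-01-20 11:10:51 | 2018-01-20 11:11:12 | 172.18.4.61 | 11:22:33:44:55:09 | 12:34:56:33:22:11  | null  | NULL       |
>>> | 12:34:56:33:22:11 | 172.18.4.61 | 0    | 501  | registration | Wireless-802.11-NoEAP | NULL                | 12:34:56:33:22:11 | SSID_A | 2018-01-20 11:11:12 | 2018-01-20 11:11:38 | 172.18.4.61 | 11:22:33:44:55:0d | 12:34:56:33:22:11  | null  | NULL       |
>>> +-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+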
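
Added example, not part of the original thread and not PacketFence code: the check Fabrice describes above (was a "handling radius autz request" seen for the MAC before the "no open locationlog entry" warning?), run over packetfence.log lines. The function names, the second device's log lines and the year (the log timestamps carry none) are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Prefix of the log lines quoted in the thread, e.g.
#   Jan 20 11:11:59 httpd.portal(6296) WARN: [mac:12:34:56:33:22:11] message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w.]+)\(\d+\) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\] (?P<msg>.*)$"
)
AUTZ = "handling radius autz request"
NO_ENTRY = "no open locationlog entry was found"


def parse(lines, year):
    """Yield (timestamp, mac, message) for every line in the expected format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # wrapped or unrelated line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["mac"].lower(), m["msg"]


def find_failed_reevaluations(lines, year=2018):
    """Report each failed re-evaluation and how long the device then waited.

    Lines are assumed to be in chronological order. For every warning the
    result records the last RADIUS authorization seen before it (None means
    PacketFence never received one) and the next one seen after it.
    """
    last_autz = {}   # mac -> time of the most recent autz request
    pending = {}     # mac -> findings still waiting for the next autz request
    findings = []
    for ts, mac, msg in parse(lines, year):
        if AUTZ in msg:
            last_autz[mac] = ts
            for finding in pending.pop(mac, []):
                finding["next_autz"] = ts
                delta = ts - finding["warned_at"]
                finding["stuck_seconds"] = int(delta.total_seconds())
        elif NO_ENTRY in msg:
            finding = {
                "mac": mac,
                "warned_at": ts,
                "autz_before": last_autz.get(mac),
                "next_autz": None,
                "stuck_seconds": None,
            }
            findings.append(finding)
            pending.setdefault(mac, []).append(finding)
    return findings


# First device: the four lines quoted in the thread, unwrapped.
# Second device (aa:bb:cc:00:00:01): constructed lines showing the normal order.
SAMPLE_LOG = """\
Jan 20 11:11:59 httpd.portal(6296) INFO: [mac:12:34:56:33:22:11] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Jan 20 11:11:59 httpd.portal(6296) WARN: [mac:12:34:56:33:22:11] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
Jan 20 11:15:29 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Jan 20 11:20:01 httpd.aaa(2033) INFO: [mac:aa:bb:cc:00:00:01] handling radius autz request...
Jan 20 11:21:10 httpd.portal(6296) INFO: [mac:aa:bb:cc:00:00:01] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Jan 20 13:06:53 httpd.aaa(2033) INFO: [mac:12:34:56:33:22:11] handling radius autz request...
"""

if __name__ == "__main__":
    for f in find_failed_reevaluations(SAMPLE_LOG.splitlines()):
        seen = f["autz_before"] or "never"
        print(f"{f['mac']}: warned {f['warned_at']}, autz before: {seen}, "
              f"next autz: {f['next_autz']}, waited {f['stuck_seconds']} s")
```

A finding with no authorization request before the warning matches the case Fabrice describes, where the device sits on the registration network but PacketFence never received the RADIUS request.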

Re: [PacketFence-users] Successfully passed 802.1x auth but no network access

2018-01-18 Thread Fabrice Durand via PacketFence-users
Hello Yan,

In FreeRADIUS, if you want to authenticate a user with 802.1x
peap/mschapv2 then you need to use ntlm_auth and you need to join the
domain to the active directory.
(http://deployingradius.com/documents/protocols/compatibility.html)

I don't know exactly how they do it with acs, but I remember that they
create a sort of smb packet to do the authentication to the AD.

Regards

Fabrice




On 2018-01-16 at 11:02, Yan wrote:
> Hi Fabrice,
>
> So is there any problem within my configuration which I posted in my
> previous mail ?
> I asked our network team if cisco acs needs to join the domain server, they
> said no need. They said they only need to add the AD server in cisco ACS
> for authentication. What's the difference between using acs and using
> pf-freeradius ?
>
>
> -- Original --
> *From:* packetfence-users 
> *Date:* Jan 16, 2018 00:26
> *To:* Fabrice Durand , packetfence-users
> 
> *Cc:* Yan <1136723...@qq.com>
> *Subject:* Re: [PacketFence-users] Successfully passed 802.1x auth but
> nonetwork access
>
>
> Yes. They have the same domain/users but on different servers. Both of
> them can authenticate our all users.
>
>
> -- Original --
> *From:* Fabrice Durand 
> *Date:* Jan 15, 2018 22:13
> *To:* Yan <1136723...@qq.com>, packetfence-users
> 
> *Subject:* Re: [PacketFence-users] Successfully passed 802.1x auth but
> no network access
>
> Hello Yan,
>
> Are AD1 and AD2 the same? (same domain/users ...)
>
> Regards
>
> Fabrice
>
>
>
> On 2018-01-15 at 00:41, Yan wrote:
>> Hi Durand,
>>
>> I installed a netdata in my pf server and not found any network issue
>> yet(I'm learning to use it). But there is another case I'm not sure
>> if it is related to the authentication issue.
>> We have 2 PF servers, pf1 is in office A and pf2 is in office B. We
>> also have 2 domain servers(for AD and DNS) and AD1 is in office A and
>> AD2 is in office B.
>> In configuration--Policy and access control--Domains--Active
>> Directory Domains menu of both PF servers, I added and joined the
>> same domain AD1 (domain in office A).
>> But in Configuration--Policy and access control--Authentication
>> Sources menu, I add domain AD1 to pf1, and AD2 to pf2.
>> And for the connection profile, I choose AD1 as authentication source
>> on pf1, and choose AD2 as authentication source on pf2. I don't know
>> if I clearly describe it, I draw a picture to make it more clear.
>> Would this cause the previous strange issue ?
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Successfully passed 802.1x auth but no network access

2018-01-18 Thread Fabrice Durand via PacketFence-users
Hello Yan,

sorry for the delay.

So why don't you join pf2 to ad2? I think it will be simpler and
will probably fix your issue.

Regards

Fabrice



On 2018-01-15 at 11:17, Yan wrote:
>
> Yes. They have the same domain/users but on different servers. Both of
> them can authenticate our all users.
>
>
> -- Original --
> *From:* Fabrice Durand 
> *Date:* Jan 15, 2018 22:13
> *To:* Yan <1136723...@qq.com>, packetfence-users
> 
> *Subject:* Re: [PacketFence-users] Successfully passed 802.1x auth but
> no network access
>
> Hello Yan,
>
> Are AD1 and AD2 the same? (same domain/users ...)
>
> Regards
>
> Fabrice
>
>
>
> On 2018-01-15 at 00:41, Yan wrote:
>> Hi Durand,
>>
>> I installed a netdata in my pf server and not found any network issue
>> yet(I'm learning to use it). But there is another case I'm not sure
>> if it is related to the authentication issue.
>> We have 2 PF servers, pf1 is in office A and pf2 is in office B. We
>> also have 2 domain servers(for AD and DNS) and AD1 is in office A and
>> AD2 is in office B.
>> In configuration--Policy and access control--Domains--Active
>> Directory Domains menu of both PF servers, I added and joined the
>> same domain AD1 (domain in office A).
>> But in Configuration--Policy and access control--Authentication
>> Sources menu, I add domain AD1 to pf1, and AD2 to pf2.
>> And for the connection profile, I choose AD1 as authentication source
>> on pf1, and choose AD2 as authentication source on pf2. I don't know
>> if I clearly describe it, I draw a picture to make it more clear.
>> Would this cause the previous strange issue ?
>


Re: [PacketFence-users] pf with ruckus smartzone not working for me

2018-01-16 Thread Fabrice Durand via PacketFence-users
Hello Barry,

when the error happens, is it when you try to do web-auth or out of band?
(if you have the httpd.portal.access lines when you hit the portal)

Because it looks like packetfence is not able to fetch your ip address.

Also, to reevaluate an access on Ruckus SmartZone, packetfence uses the web
api of the controller, so you need to fill in the webservice tab in the
switch config (pf side).

Regards

Fabrice



On 2018-01-16 at 03:42, Support Procyon Networks via PacketFence-users
wrote:
>
> Dear Reader,
>
>  
>
> I have problems using pf in combination with a ruckus smartzone
> controller, out of band, webauth. I want users who connect to the
> guest ssid to get the portal and register with their email.
>
> I configured the smartzone controller according to
> PacketFence_Network_Devices_Configuration_Guide. The rest of the settings
> are all default.
>
> When a client connects to the guest ssid he gets an application error
> “Application error : Caught exception in
> captiveportal::Controller::Root”; the full error message is at the end of
> this mail.
>
> This happens when using pf 7.3
>
> When using pf 7.2 users who connect to the guest ssid do get the
> portal, they can select email-based registration, they enter their
> email, now they should get internet access for 10 min, but they don’t,
> “Unable to detect network”, rebooting or waiting doesn’t help. I can
> see on another device that I get the mail with the registration link,
> this does work, but the device doesn’t get access.
>
> Correct me if I am wrong but pf should communicate with the ruckus
> controller to signal that this device should be given access. Now when
> looking with wireshark I can see there is no communication between the
> controller and pf except snmp get requests from pf to controller that
> are random/time interval, but not in sync with registration.
>
> Maybe I do something wrong in the basis, I can imagine that I have to
> bind the ruckus controller “switch” somehow to the portal(?), but I
> also can imagine that this is not needed because the ip of the
> controller is inside the portal request.
>
> If someone can help me with this, that would be great.
>
> I am using the OVF version of pf
>
>  
>
> Ruckus smartzone 3.5.1.0.862    I had version 3.4.2.0.152 before this
> with the same results.
>
>  
>
> Best Regards
>
>  
>
> Barry
>
>  
>
>  
>
> Here the full error message portal with pf 7.3
>
>  
>
>  
>
> Application error : Caught exception in
> captiveportal::Controller::Root->getLanguages "Can't call method
> "normalizedIP" on an undefined value at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Model/Portal/Session.pm
> line 249." Caught exception in
> captiveportal::Controller::Root->setupLanguage "Can't use string ("0")
> as an ARRAY ref while "strict refs" in use at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Root.pm
> line 189." Caught exception in
> captiveportal::Controller::Root->setupDynamicRouting "Can't call
> method "normalizedIP" on an undefined value at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Model/Portal/Session.pm
> line 249." Caught exception in
> captiveportal::Controller::Root->dynamic_application "Can't call
> method "execute" on an undefined value at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Root.pm
> line 156."


Re: [PacketFence-users] Number of devices to connect to the network

2018-01-16 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

This is exactly where you have to control that.

So just set a limit on the roles where you want to limit the number of
devices per user.

Regards

Fabrice



On 2018-01-16 at 02:01, E.P. via PacketFence-users wrote:
>
> It sounds close to the number of devices/nodes a user can register
> which is configurable under Configuration-Policies and access
> control-Roles, but we don’t allow this luxury to anyone yet. Just
> regular network admission control based on the active AD account
>
>  
>
> *From:*E.P. [mailto:ype...@gmail.com]
> *Sent:* Monday, January 15, 2018 10:54 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Number of devices to connect to the network
>
>  
>
> Guys,
>
> We are still at the early phases of PF deployment and only now looking
> into AD based authentication for wireless devices
>
> Is there any way to limit the number of user devices that can be
> connected by one user?
>
> Let’s say the user uses his/her laptop and roams around remote sites
> where we provide WiFi with WPA2-Enterprise and we also allow him/her
> use the phone (iPhone/Android). No more devices to connect
>
>  
>
> Eugene


Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

2018-01-16 Thread Fabrice Durand via PacketFence-users
I can't find in the doc where it's defined as 9191?!


On 2018-01-16 at 01:00, E.P. wrote:
>
> Great breakdown, thank you!
>
> What is the correct port number, Fabrice, in “pki_provider.conf” file ?
>
> You showed yours with 9393, but in the guide it is 9191
>
>  
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Monday, January 15, 2018 6:01 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] PKI provisioning configuration for
> Apple OS/iOS
>
>  
>
> Hello Eugene,
>
>  
>
> On 2018-01-13 at 02:59, E.P. via PacketFence-users wrote:
>
> Folks,
>
> Our two big shots in the organization live their lives with Apple
> macbooks and we need to get them on the secure WiFi.
>
> Can someone explain me where and how to get the content of
> certificates that are trusted by Apple devices.
>
> First you need to configure a pki in PacketFence (What i use in
> pki_provider.conf):
>
> [PacketFencePKI]
> cn_format=%s
> profile=clientCrt
> revoke_on_unregistration=Y
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/YourCert.pem
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MYCA.pem
> state=Quebec
> password=p@ck3tf3nc3
> organization=Inverse.inc
> country=CA
> proto=https
> port=9393
> host=127.0.0.1
> username=admin
> type=packetfence_pki
> cn_attribute=mac
>
> Next you need to configure the provisioner in order to provide
> certificate and wifi configuration (provisioning.conf):
>
> [AppleTLS]
> broadcast=0
> oses=
> category=
> eap_type=13
> can_sign_profile=0
> security_type=WPA
> description=Apple Provisioning
> type=mobileconfig
> ssid=baguettesecure
> pki_provider=PacketFencePKI
>
> But in your case you need to sign the profile with another certificate,
> so in the Signing tab use a certificate like the certificate you have
> with godaddy.
>
> In this form you need to put in certificate for signing profiles your
> public key (-----BEGIN CERTIFICATE-----), next your private key
> (-----BEGIN PRIVATE KEY-----) and in the last field the certificate
> chain of godaddy, probably that one:

Re: [PacketFence-users] Number of registered devices notification

2018-01-16 Thread Fabrice Durand via PacketFence-users
Hello Raphael,

can you try that:

in /usr/local/pf/

patch -p1 --dry-run < status.diff

and if there is no error:

patch -p1 < status.diff

and restart packetfence.

Let me know if it works, I will push it in the main code.

Regards

Fabrice



On 2018-01-15 at 18:01, Raphael Dias via PacketFence-users wrote:
> Hi
>
> So I am. I still see this in 7.3.0. Is there any way to change this
> message? The only way I see is to modify error.html with a generic
> possible cause.
>
> Thanks
>
> On Mon, Jun 20, 2016 at 5:00 AM, Darwish O. Alhelo wrote:
>
> Dear
>
> after upgrading from 5.3 to 6.03, I noticed that the error message
> saying "you have exceeded number of devices you can register" does
> not appear to the users trying to add more new devices than I
> allowed; they get a different, misleading message: "couldn't
> register your device, Please contact local support"
>
> is there a way to fix this
>
> -- 
> Best Regards
> Darwish

diff --git a/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm b/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
index 543f135..7453953 100644
--- a/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
+++ b/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
@@ -286,7 +286,11 @@ sub apply_new_node_info {
 return $TRUE;
 }
 else {
-$self->app->error("Couldn't register your device. Please contact your local support staff.");
+if ($status) {
+$self->app->error($status_msg);
+} else {
+$self->app->error("Couldn't register your device. Please contact your local support staff.");
+}
 $self->detach();
 }
 }
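
Review bot: in the new `if ($status)` branch, `$status_msg` is handed to `$self->app->error` without a check that it is defined and non-empty, so a true `$status` with an empty message would show the user a blank error where the generic text used to appear. Testing `defined $status_msg && length $status_msg` and falling back to the existing "Couldn't register your device..." string otherwise would avoid that. Neither `$status` nor `$status_msg` is assigned in the visible context of `apply_new_node_info`, so a short comment on where they are set would help, and because the string is rendered to captive-portal users it is worth confirming that it is a user-facing message and not internal detail.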


Re: [PacketFence-users] firewalling for inline on the packetfence server

2018-01-16 Thread Fabrice Durand via PacketFence-users
Hello,

you can play with iptables.conf in the conf directory in order to add
your custom rules.

Regards

Fabrice



On 2018-01-15 at 11:18, lists via PacketFence-users wrote:
> Hi,
>
> We're using packetfence in inline modus for our wifi (10.10.10.0/24)
> segment. The external packetfence interface is inside our dmz lan /24
> segment. (192.84.141.0/24)
>
> We currently firewall on our gateway 192.84.141.1. Even though this
> works, it has the negative side effect that everybody on the wifi
> segment has direct access to the machines in 192.84.141.0/24.
>
> Therefore we would like to firewall outgoing traffic on the
> packetfence machine, to only allow stuff like https, dns, etc, and
> drop the rest.
>
> However, since packetfence is so busy with its own firewall rules and
> adjustments, we're not sure if this is supported, or even possible.
>
> Could anyone shed some light on this..?


Re: [PacketFence-users] R: R: no httpd portal in a Cluster

2018-01-15 Thread Fabrice Durand via PacketFence-users
Yes you have to do it.


On 2018-01-15 at 09:31, luca comes wrote:
> Thanks Fabrice,
> after the change on the master node the port is correctly
> listening. Node 2 and 3 are still not listening on port 443, should I do
> it on every node? 
>
> Luca
>
>
> 
> *From:* Fabrice Durand
> *Sent:* Monday, January 15, 2018 15:10
> *To:* luca comes; Fabrice Durand via PacketFence-users
> *Subject:* Re: R: [PacketFence-users] no httpd portal in a Cluster
>  
>
> Hello Luca,
>
> try that:
>
>
> [CLUSTER]
> management_ip=172.27.17.7
>
> [CLUSTER interface ens160]
> ip=172.27.17.7
> type=management
>
> [CLUSTER interface ens192.2445]
> ip=10.255.20.7
> type=internal
>
> [CLUSTER interface ens192.2446]
> ip=10.255.30.7
> type=internal
>
> [pfnac01]
> management_ip=172.27.17.5
>
> [pfnac02]
> management_ip=172.27.17.6
>
> [pfnac03]
> management_ip=172.27.17.3
>
> [pfnac01 interface ens160]
> ip=172.27.17.5
> type=management,portal
> mask=255.255.255.0
>
> [pfnac02 interface ens160]
> ip=172.27.17.6
> type=management,portal
> mask=255.255.255.0
>
> [pfnac03 interface ens160]
> ip=172.27.17.3
> type=management,portal
> mask=255.255.255.0
>
>
> [pfnac01 interface ens192.2445]
> enforcement=vlan
> ip=10.255.20.5
> type=internal
> mask=255.255.255.0
>
> [pfnac02 interface ens192.2445]
> enforcement=vlan
> ip=10.255.20.6
> type=internal
> mask=255.255.255.0
>
> [pfnac03 interface ens192.2445]
> enforcement=vlan
> ip=10.255.20.10
> type=internal
> mask=255.255.255.0
>
>
> [pfnac01 interface ens192.2446]
> enforcement=vlan
> ip=10.255.30.5
> type=internal
> mask=255.255.255.0
>
>
> [pfnac02 interface ens192.2446]
> enforcement=vlan
> ip=10.255.30.6
> type=internal
> mask=255.255.255.0
>
> [pfnac03 interface ens192.2446]
> enforcement=vlan
> ip=10.255.30.10
> type=internal
> mask=255.255.255.0
>
>
> and do a pfcmd configreload hard and restart packetfence.
>
>
> Regards
>
> Fabrice
>
>
>
> On 2018-01-15 at 08:54, luca comes wrote:
>> Hi Fabrice,
>> underneath my cluster.conf, as you can see I also tried to put the
>> high availability flag on the management without success:
>>
>> # Cluster configuration file for active/active
>> # This file will have it deactivated by default
>> # To activate the active/active mode, set a management IP in the
>> cluster section
>> # Before doing any changes to this file, read the documentation
>> [CLUSTER]
>> management_ip=172.27.17.7
>>
>> [CLUSTER interface ens160]
>> ip=172.27.17.7
>> type=management,high-availability
>>
>> [CLUSTER interface ens192.2445]
>> ip=10.255.20.7
>> type=internal
>>
>> [CLUSTER interface ens192.2446]
>> ip=10.255.30.7
>> type=internal
>>
>> [pfnac01]
>> management_ip=172.27.17.5
>>
>> [pfnac01 interface ens160]
>> ip=172.27.17.5
>> type=management,high-availability
>> mask=255.255.255.0
>>
>> [pfnac01 interface ens192.2445]
>> enforcement=vlan
>> ip=10.255.20.5
>> type=internal
>> mask=255.255.255.0
>>
>> [pfnac01 interface ens192.2446]
>> enforcement=vlan
>> ip=10.255.30.5
>> type=internal
>> mask=255.255.255.0
>>
>> [pfnac02]
>> management_ip=172.27.17.6
>>
>> [pfnac02 interface ens160]
>> ip=172.27.17.6
>> type=management,high-availability
>> mask=255.255.255.0
>>
>> [pfnac02 interface ens192.2445]
>> enforcement=vlan
>> ip=10.255.20.6
>> type=internal
>> mask=255.255.255.0
>>
>> [pfnac02 interface ens192.2446]
>> enforcement=vlan
>> ip=10.255.30.6
>> type=internal
>> mask=255.255.255.0
>>
>> [pfnac03]
>> management_ip=172.27.17.3
>>
>> [pfnac03 interface ens160]
>> ip=172.27.17.3
>> type=management,high-availability
>> mask=255.255.255.0
>>
>> [pfnac03 interface ens192.2445]
>> enforcement=vlan
>> ip=10.255.20.10
>> type=internal
>> mask=255.255.255.0
>>
>> [pfnac03 interface ens192.2446]
>> enforcement=vlan
>> ip=10.255.30.10
>> type=internal
>> mask=255.255.255.0
>>
>>
>> Luca
>> 
>> *From:* Fabrice Durand via PacketFence-users
>>
>> <mailto:packetfence-users@lists.sourceforge.net>
>> *Sent:* Monday, January 15, 2018 14:37
>> *To:* packetfence-use
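
Added example, not part of the original thread and not PacketFence code: a check for the difference between the two cluster.conf versions quoted in this message, namely whether each node's management interface carries the `portal` type. The function names are assumptions, the sample configs are abridged from the thread (management and one internal interface per node), and the partially applied variant is constructed.

```python
import configparser

# host: (management IP on ens160, internal IP on ens192.2445), from the thread
NODE_IPS = {
    "pfnac01": ("172.27.17.5", "10.255.20.5"),
    "pfnac02": ("172.27.17.6", "10.255.20.6"),
    "pfnac03": ("172.27.17.3", "10.255.20.10"),
}


def build_conf(mgmt_type_by_node):
    """Build an abridged cluster.conf with the given ens160 type per node."""
    parts = [
        "[CLUSTER]\nmanagement_ip=172.27.17.7\n",
        "[CLUSTER interface ens160]\nip=172.27.17.7\ntype=management\n",
    ]
    for host, (mgmt_ip, internal_ip) in NODE_IPS.items():
        parts.append(f"[{host}]\nmanagement_ip={mgmt_ip}\n")
        parts.append(
            f"[{host} interface ens160]\nip={mgmt_ip}\n"
            f"type={mgmt_type_by_node[host]}\nmask=255.255.255.0\n"
        )
        parts.append(
            f"[{host} interface ens192.2445]\nenforcement=vlan\n"
            f"ip={internal_ip}\ntype=internal\nmask=255.255.255.0\n"
        )
    return "\n".join(parts)


def management_interfaces(text):
    """Return {host: details} for every per-node management interface."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    result = {}
    for section in conf.sections():
        host, sep, ifname = section.partition(" interface ")
        if not sep or host == "CLUSTER":
            continue  # node header section or the shared virtual IP
        raw = conf[section].get("type", "")
        types = [t.strip() for t in raw.split(",") if t.strip()]
        if "management" not in types:
            continue
        node_ip = conf[host].get("management_ip") if conf.has_section(host) else None
        result[host] = {
            "interface": ifname,
            "ip": conf[section].get("ip"),
            "types": types,
            "portal": "portal" in types,
            "ip_matches_node": conf[section].get("ip") == node_ip,
        }
    return result


def nodes_missing_portal(text):
    """Hosts whose management interface has no 'portal' type."""
    info = management_interfaces(text)
    return sorted(host for host, d in info.items() if not d["portal"])


# Luca's original file: every management interface is management,high-availability.
BEFORE = build_conf({h: "management,high-availability" for h in NODE_IPS})
# Fabrice's suggestion: management,portal on every node.
AFTER = build_conf({h: "management,portal" for h in NODE_IPS})
# Constructed: the change made for the first node only.
PARTIAL = build_conf({
    "pfnac01": "management,portal",
    "pfnac02": "management,high-availability",
    "pfnac03": "management,high-availability",
})

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("partial", PARTIAL)):
        print(label, "-> nodes without portal on management:", nodes_missing_portal(text))
```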

Re: [PacketFence-users] Re: Successfully passed 802.1x auth but no network access

2018-01-15 Thread Fabrice Durand via PacketFence-users
Hello Yan,

Are AD1 and AD2 the same? (same domain/users ...)

Regards

Fabrice



On 2018-01-15 at 00:41, Yan wrote:
> Hi Durand,
>
> I installed a netdata in my pf server and not found any network issue
> yet(I'm learning to use it). But there is another case I'm not sure if
> it is related to the authentication issue.
> We have 2 PF servers, pf1 is in office A and pf2 is in office B. We
> also have 2 domain servers(for AD and DNS) and AD1 is in office A and
> AD2 is in office B.
> In configuration--Policy and access control--Domains--Active Directory
> Domains menu of both PF servers, I added and joined the same domain
> AD1 (domain in office A).
> But in Configuration--Policy and access control--Authentication
> Sources menu, I add domain AD1 to pf1, and AD2 to pf2.
> And for the connection profile, I choose AD1 as authentication source
> on pf1, and choose AD2 as authentication source on pf2. I don't know
> if I clearly describe it, I draw a picture to make it more clear.
> Would this cause the previous strange issue?



Re: [PacketFence-users] R: no httpd portal in a Cluster

2018-01-15 Thread Fabrice Durand via PacketFence-users
Hello Luca,

try that:


[CLUSTER]
management_ip=172.27.17.7

[CLUSTER interface ens160]
ip=172.27.17.7
type=management

[CLUSTER interface ens192.2445]
ip=10.255.20.7
type=internal

[CLUSTER interface ens192.2446]
ip=10.255.30.7
type=internal

[pfnac01]
management_ip=172.27.17.5

[pfnac02]
management_ip=172.27.17.6

[pfnac03]
management_ip=172.27.17.3

[pfnac01 interface ens160]
ip=172.27.17.5
type=management,portal
mask=255.255.255.0

[pfnac02 interface ens160]
ip=172.27.17.6
type=management,portal
mask=255.255.255.0

[pfnac03 interface ens160]
ip=172.27.17.3
type=management,portal
mask=255.255.255.0


[pfnac01 interface ens192.2445]
enforcement=vlan
ip=10.255.20.5
type=internal
mask=255.255.255.0

[pfnac02 interface ens192.2445]
enforcement=vlan
ip=10.255.20.6
type=internal
mask=255.255.255.0

[pfnac03 interface ens192.2445]
enforcement=vlan
ip=10.255.20.10
type=internal
mask=255.255.255.0


[pfnac01 interface ens192.2446]
enforcement=vlan
ip=10.255.30.5
type=internal
mask=255.255.255.0


[pfnac02 interface ens192.2446]
enforcement=vlan
ip=10.255.30.6
type=internal
mask=255.255.255.0

[pfnac03 interface ens192.2446]
enforcement=vlan
ip=10.255.30.10
type=internal
mask=255.255.255.0


and do a pfcmd configreload hard and restart packetfence.


Regards

Fabrice



On 2018-01-15 at 08:54, luca comes wrote:
> Hi Fabrice,
> underneath my cluster.conf, as you can see I also tried to put the
> high availability flag on the management without success:
>
> # Cluster configuration file for active/active
> # This file will have it deactivated by default
> # To activate the active/active mode, set a management IP in the
> cluster section
> # Before doing any changes to this file, read the documentation
> [CLUSTER]
> management_ip=172.27.17.7
>
> [CLUSTER interface ens160]
> ip=172.27.17.7
> type=management,high-availability
>
> [CLUSTER interface ens192.2445]
> ip=10.255.20.7
> type=internal
>
> [CLUSTER interface ens192.2446]
> ip=10.255.30.7
> type=internal
>
> [pfnac01]
> management_ip=172.27.17.5
>
> [pfnac01 interface ens160]
> ip=172.27.17.5
> type=management,high-availability
> mask=255.255.255.0
>
> [pfnac01 interface ens192.2445]
> enforcement=vlan
> ip=10.255.20.5
> type=internal
> mask=255.255.255.0
>
> [pfnac01 interface ens192.2446]
> enforcement=vlan
> ip=10.255.30.5
> type=internal
> mask=255.255.255.0
>
> [pfnac02]
> management_ip=172.27.17.6
>
> [pfnac02 interface ens160]
> ip=172.27.17.6
> type=management,high-availability
> mask=255.255.255.0
>
> [pfnac02 interface ens192.2445]
> enforcement=vlan
> ip=10.255.20.6
> type=internal
> mask=255.255.255.0
>
> [pfnac02 interface ens192.2446]
> enforcement=vlan
> ip=10.255.30.6
> type=internal
> mask=255.255.255.0
>
> [pfnac03]
> management_ip=172.27.17.3
>
> [pfnac03 interface ens160]
> ip=172.27.17.3
> type=management,high-availability
> mask=255.255.255.0
>
> [pfnac03 interface ens192.2445]
> enforcement=vlan
> ip=10.255.20.10
> type=internal
> mask=255.255.255.0
>
> [pfnac03 interface ens192.2446]
> enforcement=vlan
> ip=10.255.30.10
> type=internal
> mask=255.255.255.0
>
>
> Luca
> 
> *From:* Fabrice Durand via PacketFence-users
> *Sent:* Monday, 15 January 2018 14:37
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] no httpd portal in a Cluster
>  
>
> Hello Lucas,
>
> can i have the cluster.conf file ?
>
> Regards
>
> Fabrice
>
>
>
> On 2018-01-15 at 05:10, luca comes via PacketFence-users wrote:
>>
>> Hi all,
>>
>> I've successfully migrated a single node infrastructure to a full 3
>> node cluster, all things have gone well but I have only one problem.
>> After the cluster configuration the https port is not listening
>> either on the virtual IP or on the local IPs of each server on the
>> management interface. This is needed for my sponsor guest
>> authentication. I checked httpd.portal and it is correctly started on
>> each server, also on each management interface the portal listening
>> daemon is added to the configuration. What am I missing? Please help
>> me, otherwise I cannot put it in production.
>>
>>
>> Thanks
>>
>>
>> Luca
>>
>>
>>
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>
>>
>> ___
>> Packet
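
A small consistency check for the cluster.conf layout discussed in this reply, added here as an example (it is not part of the thread and not a PacketFence tool). The sample text is constructed from two of the nodes quoted above; applying the `management,portal` type to the CLUSTER section in `AFTER` is an assumption, and `check_cluster_conf` is a hypothetical helper name.

```python
import configparser

# Constructed sample based on the cluster.conf quoted in this thread (two nodes only;
# pfnac02 deliberately lacks ens192.2445 to show the per-node interface check).
BEFORE = """\
[CLUSTER]
management_ip=172.27.17.7

[CLUSTER interface ens160]
ip=172.27.17.7
type=management,high-availability

[CLUSTER interface ens192.2445]
ip=10.255.20.7
type=internal

[pfnac01]
management_ip=172.27.17.5

[pfnac01 interface ens160]
ip=172.27.17.5
type=management,high-availability
mask=255.255.255.0

[pfnac01 interface ens192.2445]
enforcement=vlan
ip=10.255.20.5
type=internal
mask=255.255.255.0

[pfnac02]
management_ip=172.27.17.6

[pfnac02 interface ens160]
ip=172.27.17.6
type=management,high-availability
mask=255.255.255.0
"""

# Assumption: the same type change is applied to the CLUSTER section as to the nodes.
AFTER = BEFORE.replace("management,high-availability", "management,portal")


def parse_cluster_conf(text):
    """Return {host: {"management_ip": str or None, "interfaces": {name: {...}}}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    hosts = {}
    for section in cp.sections():
        parts = section.split()
        host = hosts.setdefault(parts[0], {"management_ip": None, "interfaces": {}})
        if len(parts) == 1:
            host["management_ip"] = cp[section].get("management_ip")
        elif len(parts) == 3 and parts[1] == "interface":
            types = [t.strip() for t in cp[section].get("type", "").split(",") if t.strip()]
            host["interfaces"][parts[2]] = {"ip": cp[section].get("ip"), "types": types}
    return hosts


def check_cluster_conf(text):
    """Return a list of (host, interface, problem) tuples; empty means no finding."""
    hosts = parse_cluster_conf(text)
    reference = set(hosts.get("CLUSTER", {"interfaces": {}})["interfaces"])
    findings, seen_ips = [], {}
    for name, host in hosts.items():
        ifaces = host["interfaces"]
        # Every node should define the interfaces the CLUSTER section defines.
        for ifname in sorted(reference - set(ifaces)):
            findings.append((name, ifname, "interface defined for CLUSTER but not for this node"))
        mgmt = {n: i for n, i in ifaces.items() if "management" in i["types"]}
        if host["management_ip"] not in {i["ip"] for i in mgmt.values()}:
            findings.append((name, "-", "management_ip is not the ip of a management interface"))
        # The reply in this thread types the management interface "management,portal".
        for ifname, iface in mgmt.items():
            if "portal" not in iface["types"]:
                findings.append((name, ifname, "management interface without the portal type"))
        # An address may appear only once across the whole file.
        for ifname, iface in ifaces.items():
            owner = seen_ips.setdefault(iface["ip"], (name, ifname))
            if owner != (name, ifname):
                findings.append((name, ifname, f"ip {iface['ip']} already used by {owner[0]} {owner[1]}"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for finding in check_cluster_conf(text):
            print("  %s %s: %s" % finding)
```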

Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

2018-01-15 Thread Fabrice Durand via PacketFence-users
Hello Eugene,


On 2018-01-13 at 02:59, E.P. via PacketFence-users wrote:
>
> Folks,
>
> Our two big shots in the organization live their lives with Apple
> macbooks and we need to get them on the secure WiFi.
>
> Can someone explain me where and how to get the content of
> certificates that are trusted by Apple devices.
>
First you need to configure a pki in PacketFence (What i use in
pki_provider.conf):

[PacketFencePKI]
cn_format=%s
profile=clientCrt
revoke_on_unregistration=Y
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/YourCert.pem
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MYCA.pem
state=Quebec
password=p@ck3tf3nc3
organization=Inverse.inc
country=CA
proto=https
port=9393
host=127.0.0.1
username=admin
type=packetfence_pki
cn_attribute=mac

Next you need to configure the provisioner in order to provide
certificate and wifi configuration (provisioning.conf):

[AppleTLS]
broadcast=0
oses=
category=
eap_type=13
can_sign_profile=0
security_type=WPA
description=Apple Provisioning
type=mobileconfig
ssid=baguettesecure
pki_provider=PacketFencePKI

But in your case you need to sign the profile with another certificate,
so in the Signing tab use a certificate like the one you have with
GoDaddy.

In this form you need to put, in the certificate for signing profiles field, your
public key (-----BEGIN CERTIFICATE-----), then your private key
(-----BEGIN PRIVATE KEY-----), and in the last field the certificate
chain of GoDaddy, probably that one:


The last part will be to create a connection profile like that
(profiles.conf):

[Provisioning]
locale=
root_module=Provisioning
filter=ssid:baguettefence
description=Provisioning
provisioners=AppleTLS

And have a portal module like this (portal_module.conf):

[Provisioning]
modules=ProvisioningChain
type=Root
description=Root Provisioning

[AppleTLS]
skipable=disabled
actions=
type=Provisioning
description=Apple Provisioning

[Provi

Re: [PacketFence-users] no httpd portal in a Cluster

2018-01-15 Thread Fabrice Durand via PacketFence-users
Hello Lucas,

can i have the cluster.conf file ?

Regards

Fabrice



On 2018-01-15 at 05:10, luca comes via PacketFence-users wrote:
>
> Hi all,
>
> I've successfully migrated a single node infrastructure to a full 3
> node cluster, all things have gone well but I have only one problem.
> After the cluster configuration the https port is not listening
> either on the virtual IP or on the local IPs of each server on the
> management interface. This is needed for my sponsor guest
> authentication. I checked httpd.portal and it is correctly started on
> each server, also on each management interface the portal listening
> daemon is added to the configuration. What am I missing? Please help
> me, otherwise I cannot put it in production.
>
>
> Thanks
>
>
> Luca
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Assistance with nessus

2018-01-11 Thread Fabrice Durand via PacketFence-users
Hello André,

i have uploaded a new perl nessus library in the repo.

Can you try to do: yum update perl-Net-Nessus-REST --enablerepo=packetfence

and retry (restart packetfence first).

Regards
Fabrice

On 2018-01-11 at 09:08, André Scrivener wrote:
> Hello Fabrice,
>
> after change to nessus6, received these logs:
>
>
> Jan 11 11:37:34 packetfence pfqueue: pfqueue(18220) ERROR:
> [mac:84:7b:eb:e5:ea:e2] Can't locate object method "get_scanner_id"
> via package "Net::Nessus::REST" at
> /usr/local/pf/lib/pf/scan/nessus6.pm line 109.
>  (pf::api::can_fork::notify)
>
>
> Here is my scan.conf
>
> [root@packetfence ~]# cat /usr/local/pf/conf/scan.conf
> [nessus-test]
> ip=172.16.0.4
> verify_hostname=disabled
> scannername=Local Scanner
> duration=
> categories=default
> port=8834
> registration=1
> username=admin
> post_registration=1
> password=admin
> pre_registration=1
> oses=5474,2,202,1,192,193
> nessus_clientpolicy=packetfence
> type=nessus6
> [root@packetfence ~]# 
>
>
>
> My config Nessus:
>
>
> Name Scanner:
>
> https://imgur.com/kUxVsAy
>
>
> Policy Scanner:
>
> https://imgur.com/G4FWllf
>
>
> I saw this same problem on this by link https://goo.gl/syFQ8B, but I
> noticed that the error line is different, I prefer your opinion. :)
>
>
>
> Regards,
>
> André
>
>
>
> 2018-01-10 20:50 GMT-03:00 Durand fabrice <fdur...@inverse.ca>:
>
> Hello André,
>
> so you have to choose nessus6 and not nessus.
>
> Restart
>
> Fabrice
>
>
>
>     On 2018-01-10 at 17:53, André Scrivener wrote:
>> Hello Fabrice,
>>
>> Last version for centos 7!
>>
>> Version is Nessus 7.
>>
>> Regards,
>> André 
>>
>> On 10 Jan 2018, at 18:14, Fabrice Durand via
>> PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello André,
>>>
>>> what is the version of nessus ?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> On 2018-01-10 at 15:59, André Scrivener via PacketFence-users wrote:
>>>> Hey guys!
>>>>
>>>>
>>>> I'm enabling nessus to scan hosts, but I'm trying out these
>>>> logs below:
>>>>
>>>>
>>>> Jan 10 18:33:25 packetfence pfqueue: pfqueue(12693) INFO:
>>>> [mac:84:7b:eb:e5:ea:e2] Instantiate profile default
>>>> (pf::Connection::ProfileFactory::_from_profile)
>>>> Jan 10 18:33:26 packetfence pfqueue: pfqueue(12693) INFO:
>>>> [mac:84:7b:eb:e5:ea:e2] violation 125 already exists for
>>>> 84:7b:eb:e5:ea:e2, not adding again (pf::violation::violation_add)
>>>> Jan 10 18:33:26 packetfence pfqueue: pfqueue(12693) INFO:
>>>> [mac:84:7b:eb:e5:ea:e2] Instantiate profile default
>>>> (pf::Connection::ProfileFactory::_from_profile)
>>>> Jan 10 18:33:26 packetfence pfqueue: pfqueue(12693) INFO:
>>>> [mac:84:7b:eb:e5:ea:e2] New ID generated: 151561640696eae2
>>>> (pf::util::generate_id)
>>>> Jan 10 18:33:27 packetfence pfqueue: pfqueue(12693) ERROR:
>>>> [mac:84:7b:eb:e5:ea:e2] Can't use string ("") as a HASH ref
>>>> while "strict refs" in use at
>>>> /usr/share/perl5/vendor_perl/Net/Nessus/XMLRPC.pm line 666.
>>>>  (pf::api::can_fork::notify)
>>>>
>>>>
>>>> I looked in the documentation for something about XMLRPC and
>>>> Nessus, but I could not do the patching.
>>>>
>>>> Can you help me with this?
>>>>
>>>> Regards
>>>>
>>>>
>>>> -- 
>>>> Att
>>>> *André*
>>>>
>>>>
>>>> 

Re: [PacketFence-users] Assistance with nessus

2018-01-10 Thread Fabrice Durand via PacketFence-users
Hello André,

what is the version of nessus ?

Regards

Fabrice



On 2018-01-10 at 15:59, André Scrivener via PacketFence-users wrote:
> Hey guys!
>
>
> I'm enabling nessus to scan hosts, but I'm trying out these logs below:
>
>
> Jan 10 18:33:25 packetfence pfqueue: pfqueue(12693) INFO:
> [mac:84:7b:eb:e5:ea:e2] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Jan 10 18:33:26 packetfence pfqueue: pfqueue(12693) INFO:
> [mac:84:7b:eb:e5:ea:e2] violation 125 already exists for
> 84:7b:eb:e5:ea:e2, not adding again (pf::violation::violation_add)
> Jan 10 18:33:26 packetfence pfqueue: pfqueue(12693) INFO:
> [mac:84:7b:eb:e5:ea:e2] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Jan 10 18:33:26 packetfence pfqueue: pfqueue(12693) INFO:
> [mac:84:7b:eb:e5:ea:e2] New ID generated: 151561640696eae2
> (pf::util::generate_id)
> Jan 10 18:33:27 packetfence pfqueue: pfqueue(12693) ERROR:
> [mac:84:7b:eb:e5:ea:e2] Can't use string ("") as a HASH ref while
> "strict refs" in use at
> /usr/share/perl5/vendor_perl/Net/Nessus/XMLRPC.pm line 666.
>  (pf::api::can_fork::notify)
>
>
> I looked in the documentation for something about XMLRPC and Nessus,
> but I could not do the patching.
>
> Can you help me with this?
>
> Regards
>
>
> -- 
> Att
> *André*
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Device authentication with client TLS certificate issued by PKI

2018-01-10 Thread Fabrice Durand via PacketFence-users
Did you set ca_file = [% install_dir %]/conf/ssl/tls_certs/MYCA.pem in
conf/radiusd/eap.conf? (MYCA.pem is the CA public key of your PKI)


On 2018-01-10 at 15:43, E.P. wrote:
>
> More to this issue, Fabrice,
>
> I changed to PEAP method on the same Windows laptop and kept an option
> of validating server certificate by pointing it directly the name as
> it shows in CN of the PF RADIUS server. No problem at all,
> authentication goes through.
>
>  
>
> I checked for similar errors reported by PF enthusiasts earlier and
> found that this is not the first time and you advised to concatenate
> the root certificate in CA file. What did you mean by it, Fabrice ?
>
>  
>
> Eugene
>
>  
>
> *From:*E.P. [mailto:ype...@gmail.com]
> *Sent:* Wednesday, January 10, 2018 11:14 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* 'Fabrice Durand'
> *Subject:* RE: [PacketFence-users] Device authentication with client
> TLS certificate issued by PKI
>
>  
>
> Hi Fabrice,
>
> I already dug it around.
>
> The CA certificate (*.pem format) was imported into Windows without
> any problem and I see it under “Trusted Root Certification
> Authorities” container. Just in case placed the CA cert into “Third
> –party root certification authority”
>
> On the client PC I have this certificate showing:
>
>  
>
>  
>
>  
>
> Also, tried it without validating server certificate, same results,
> reason - eap_tls: SSL says error 20 : unable to get local issuer
> certificate
>
>  
>
> Eugene
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, January 10, 2018 6:07 AM
> *To:* E.P. via PacketFence-users
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Device authentication with client
> TLS certificate issued by PKI
>
>  
>
> Hello Eugene,
>
> you probably need to import the CA certificate or uncheck verify
> server certificate in your supplicant config.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2018-01-10 at 03:57, E.P. via PacketFence-users wrote:
>
> And here comes the culmination of my saga with PKI ;)
>
> Actually, I was slowly going towards it and really hoped I will
> jump through this final hoop smoothly.
>
> Alas… Anyways, to cut the long story short, I failed TLS
> authentication for Windows 10 endpoint.
>
> Here’s what I did so far. We want to issue certificates to users
> based on MAC addresses of their devices.
>
> Hence I added a new certificate and used MAC address in CN field
> in the format 70:1a:04:2c:52:ff
>
> The profile I used while issuing this certificate was created
> exactly as it was described in the admin guide for PKI, namely
> TLSClient. Then I downloaded this certificate after it was signed
> and imported to Windows laptop.
>
> The security properties of the wireless connection profile on the
> laptop was configured to use TLS, i.e.
>
> Microsoft: Smart card or other certificate
>
> Trying to authenticate while running radius in debug mode and see
> a lot of interesting stuff.
>
> Pasting only relevant lines:
>
>  
>
> (5) eap_tls: Continuing EAP-TLS
>
> (5) eap_tls: Got final TLS record fragment (46 bytes)
>
> (5) eap_tls: [eaptls verify] = ok
>
> (5) eap_tls: Done initial handshake
>
> (5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
>
> (5) eap_tls: Creating attributes from certificate OIDs
>
> (5) eap_tls:   TLS-Client-Cert-Serial := "03"
>
> (5) eap_tls:   TLS-Client-Cert-Expiration := "200110080019Z"
>
> (5) eap_tls:   TLS-Client-Cert-Subject :=
> "/CN=70:1a:04:2c:52:ff/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options
> Community Services/C=CA"
> 
>
> (5) eap_tls:   TLS-Client-Cert-Issuer :=
> "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British
> Columbia/O=Options Community Services/C=CA"
> 
>
> (5) eap_tls:   TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
>
> (5) eap_tls:   ERROR: SSL says error 20 : unable to get local
> issuer certificate
>
>  
>
> (5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
>
> tls: TLS_accept: Error in error
>
> (5) eap_
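
The debug output quoted in this message can be triaged mechanically. The following is an added example, not FreeRADIUS or PacketFence code: it groups `eap_tls` debug lines by request number, extracts the client certificate attributes, and maps the OpenSSL verify error to what to check (for error 20, the `ca_file` setting named in the reply at the top of this message). The sample lines are reconstructed from the quoted log; request numbers 6 and 7 and the `triage` helper are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the FreeRADIUS debug lines quoted in this thread with the mail
# client's line wrapping undone and the elided emailAddress component left out.
# Request (6) has no certificate error; request (7) is the "it.tech" certificate.
SAMPLE = """\
(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
(5) eap_tls: Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "03"
(5) eap_tls:   TLS-Client-Cert-Expiration := "200110080019Z"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
(5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
(5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
(5) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [70:1a:04:2c:52:ff] (from client 172.19.254.2 port 0 cli 70:1a:04:2c:52:ff)
(6) eap_tls: Continuing EAP-TLS
(7) eap_tls:   TLS-Client-Cert-Serial := "04"
(7) eap_tls:   TLS-Client-Cert-Expiration := "200110083931Z"
(7) eap_tls:   TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/ST=British Columbia/O=Options Community Services/C=CA"
(7) eap_tls:   TLS-Client-Cert-Common-Name := "it.tech"
(7) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
"""

ATTR = re.compile(r'^\((\d+)\)\s+eap_tls:\s+TLS-Client-Cert-([\w-]+) := "(.*)"$')
VERIFY_ERROR = re.compile(r'^\((\d+)\)\s+eap_tls:\s+ERROR: SSL says error (\d+) : (.+)$')

# OpenSSL verify error numbers as printed after "SSL says error"; the hint for 20
# follows the ca_file advice given in this thread.
HINTS = {
    10: "client certificate has expired; issue a new one",
    20: "issuer of the client certificate is not in the CA file the server trusts; "
        "check ca_file in conf/radiusd/eap.conf",
    23: "client certificate has been revoked",
}


def parse_not_after(value):
    """Parse the expiration printed as ASN.1 UTCTime (YYMMDDHHMMSSZ); None if it does not fit."""
    try:
        return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def triage(log_text, now):
    """Return one dict per request whose client certificate failed verification."""
    requests = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        attr, err = ATTR.match(line), VERIFY_ERROR.match(line)
        if attr:
            req = requests.setdefault(int(attr.group(1)), {"attrs": {}, "error": None})
            req["attrs"][attr.group(2)] = attr.group(3)
        elif err:
            req = requests.setdefault(int(err.group(1)), {"attrs": {}, "error": None})
            # Keep the first verify error seen for the request.
            req["error"] = req["error"] or (int(err.group(2)), err.group(3))
    report = []
    for number in sorted(requests):
        attrs, error = requests[number]["attrs"], requests[number]["error"]
        if error is None:
            continue
        not_after = parse_not_after(attrs.get("Expiration"))
        issuer_cn = re.search(r"/CN=([^/]+)", attrs.get("Issuer", ""))
        report.append({
            "request": number,
            "common_name": attrs.get("Common-Name"),
            "serial": attrs.get("Serial"),
            "issuer_cn": issuer_cn.group(1) if issuer_cn else None,
            # Rules out expiry as the cause when the verify error points at the issuer.
            "expired": not_after is not None and not_after < now,
            "code": error[0],
            "reason": error[1],
            "hint": HINTS.get(error[0], "see the OpenSSL verify documentation for this code"),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE, datetime(2018, 1, 10, tzinfo=timezone.utc)):
        print(entry)
```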

Re: [PacketFence-users] Re: Successfully passed 802.1x auth but nonetworkaccess

2018-01-10 Thread Fabrice Durand via PacketFence-users
Hello Yan,

I checked the logs and all looks to be OK, 802.1x authentication works
correctly.

What I can imagine is that you maybe lost the connection between
PacketFence and the AP/Controller, or maybe a cache on the AP/Controller.

What you can do to check that is to install netdata on the PacketFence
server and enable the fping plugin in order to test the connection between
pf and the AP.

Regards

Fabrice



On 2018-01-10 at 11:18, Yan wrote:
> Hi Fabrice,
>
> The very first thing I check is pf radius audit log when an issue
> happened. But it seems okay for those issue users (fail auth ratio is
> low and no special error during network issue). Just one need to
> noticed, when some issue users connected to wireless, the client side
> can connected correctly and get ip address, but there is no radius
> authentication log during the issue time. It seems AP or AC replied to
> the client directly and not sent to PF.
>
> The radius debug log is attached below. Hope it helps.

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Successfully passed 802.1x auth but no networkaccess

2018-01-10 Thread Fabrice Durand via PacketFence-users
Hello Yan,

you need to check on the PacketFence side what happens:


run this (raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000), try
to connect and paste the result.

Also take a look in audit in the PacketFence GUI and check for a MAC address
where you have the issue.

Regards
Fabrice

On 2018-01-10 at 08:27, Yan via PacketFence-users wrote:
>
> And now this issue happened with ruckus and aruba. Our network team
> noticed us they'll change 2 big offices' authentication to acs
> again... The issue with ruckus behaves also normal with pf logs. But I
> noticed AC sent out an accounting stop packet immediately after it
> sent accounting start packet with reason "admin reset".
> Really need a clue on this issue...Thanks in advance.
>
> -- Original --
> *From:* packetfence-users
> *Date:* Jan 10, 2018 20:41
> *To:* packetfence-users 
> *Cc:* Yan <1136723...@qq.com>
> *Subject:* Re: [PacketFence-users] Successfully passed 802.1x auth but
> no networkaccess
>
> Hi dear users,
>
> We use PF V7.3 in our office integrated with Aruba AC. Recently our
> wireless behaves very strange. Some users can connected to wireless,
> passed the 802.1x auth and can get the correct role and IP, but they
> just couldn't access any network. There is no wired in PF logs. But as
> we check Aruba AC logs, we can see many "User miss" logs.
> I don't know what caused this issue but now our network team said
> previous ACS didn't have this issue and let us check pf's problem.
> Anyone ever met this issue ?
>
> Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1
> authmgr[4111]: <522050> <4111>  
> MAC=f4:cc:89:e8:2a:d3,IP=172.26.36.202 User data downloaded to
> datapath, new Role=Didi-Guest-acl-prof/80, bw Contract=0/0, reason=New
> user IP processing, idle-timeout=300
> Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1
> authmgr[4111]: <522026> <4111>  
> MAC=f4:cc:89:e8:2a:d3 IP=172.26.36.202 User miss: ingress=0x1041e,
> VLAN=205 flags=0x4000c040
> Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1
> authmgr[4111]: <522050> <4111>  
> MAC=8e:85:00:80:79:ff,IP=172.26.18.2 User data downloaded to datapath,
> new Role=employees/78, bw Contract=0/0, reason=New user IP processing,
> idle-timeout=15300
> Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1
> authmgr[4111]: <522026> <4111>  
> MAC=8e:85:00:80:79:ff IP=172.26.18.2 User miss: ingress=0x1048c,
> VLAN=204 flags=0x4000c040
> Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1
> authmgr[4111]: <522050> <4111>  
> MAC=84:44:67:4f:57:55,IP=172.26.33.243 User data downloaded to
> datapath, new Role=employees/78, bw Contract=0/0, reason=New user IP
> processing, idle-timeout=15300
> Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1
> authmgr[4111]: <522026> <4111>  
> MAC=84:44:67:4f:57:55 IP=172.26.33.243 User miss: ingress=0x10399,
> VLAN=203
>
>
> BTW I comment out acct-session-id in
> /usr/local/pf/lib/pf/Switch/Aruba.pm since we found pf can't
> disconnect device with acctsessionid. Not sure if this action caused
> error.
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Device authentication with client TLS certificate issued by PKI

2018-01-10 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

you probably need to import the CA certificate or uncheck verify server
certificate in your supplicant config.

Regards

Fabrice



On 2018-01-10 at 03:57, E.P. via PacketFence-users wrote:
>
> And here comes the culmination of my saga with PKI ;)
>
> Actually, I was slowly going towards it and really hoped I will jump
> through this final hoop smoothly.
>
> Alas… Anyways, to cut the long story short, I failed TLS
> authentication for Windows 10 endpoint.
>
> Here’s what I did so far. We want to issue certificates to users based
> on MAC addresses of their devices.
>
> Hence I added a new certificate and used MAC address in CN field in
> the format 70:1a:04:2c:52:ff
>
> The profile I used while issuing this certificate was created exactly
> as it was described in the admin guide for PKI, namely TLSClient. Then
> I downloaded this certificate after it was signed and imported to
> Windows laptop.
>
> The security properties of the wireless connection profile on the
> laptop was configured to use TLS, i.e.
>
> Microsoft: Smart card or other certificate
>
> Trying to authenticate while running radius in debug mode and see a
> lot of interesting stuff.
>
> Pasting only relevant lines:
>
>  
>
> (5) eap_tls: Continuing EAP-TLS
>
> (5) eap_tls: Got final TLS record fragment (46 bytes)
>
> (5) eap_tls: [eaptls verify] = ok
>
> (5) eap_tls: Done initial handshake
>
> (5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
>
> (5) eap_tls: Creating attributes from certificate OIDs
>
> (5) eap_tls:   TLS-Client-Cert-Serial := "03"
>
> (5) eap_tls:   TLS-Client-Cert-Expiration := "200110080019Z"
>
> (5) eap_tls:   TLS-Client-Cert-Subject :=
> "/CN=70:1a:04:2c:52:ff/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options
> Community Services/C=CA"
>
> (5) eap_tls:   TLS-Client-Cert-Issuer :=
> "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British
> Columbia/O=Options Community Services/C=CA"
>
> (5) eap_tls:   TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
>
> (5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer
> certificate
>
>  
>
> (5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
>
> tls: TLS_accept: Error in error
>
> (5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read):
> error:14089086:SSL routines:ssl3_get_client_certificate:certificate
> verify failed
>
> (5) eap_tls: ERROR: System call (I/O) error (-1)
>
> (5) eap_tls: ERROR: TLS receive handshake failed during operation
>
> (5) eap_tls: ERROR: [eaptls process] = fail
>
> (5) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP
> sub-module failed
>
> (5) eap: Sending EAP Failure (code 4) ID 213 length 4
>
> (5) eap: Failed in EAP select
>
> (5) [eap] = invalid
>
> (5)   } # authenticate = invalid
>
> (5) Failed to authenticate the user
>
> (5) Login incorrect (eap_tls: SSL says error 20 : unable to get local
> issuer certificate): [70:1a:04:2c:52:ff] (from client 172.19.254.2
> port 0 cli 70:1a:04:2c:52:ff)
>
> (5) Using Post-Auth-Type Reject
>
>  
>
> Same happens if I issue the certificate to the user based on its name,
> not MAC address
>
>  
>
> (5) eap_tls:   TLS-Client-Cert-Serial := "04"
>
> (5) eap_tls:   TLS-Client-Cert-Expiration := "200110083931Z"
>
> (5) eap_tls:   TLS-Client-Cert-Subject :=
> "/CN=it.tech/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options
> Community Services/C=CA"
>
> (5) eap_tls:   TLS-Client-Cert-Issuer :=
> "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British
> Columbia/O=Options Community Services/C=CA"
>
> (5) eap_tls:   TLS-Client-Cert-Common-Name := "it.tech"
>
> (5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer
> certificate
>
>  
>
> Eugene
>
>  
>
>  
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, January 09, 2018 2:46 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> The admin user is different between PacketFence and the PKI.
>
> When I said "In configuration -> Users -> Edit admin -> Change User
> Password" it was in the PKI admin interface.
>
> Fabrice
>
>  
>
>  
>
> On 2018-01-09 at 13:47, E.P. wrote:
>
> Sorry for being a pain in the lower part of the back, Fabrice ;)
>
> I thought that the admin user in PF is different from PKI.
>
> At least I know that I did change the password for admin in PF as
> you described and this is how I login to the main GUI.
>
> But I can’t login as admin with the same password to PKI.
>
>  
>
> Eugene
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1

Re: [PacketFence-users] PKI installation

2018-01-09 Thread Fabrice Durand via PacketFence-users
Hello Eugene,


On 2018-01-09 at 03:01, E.P. wrote:
>
> Couple of questions on PKI, Fabrice
>
>  
>
> 1.   How would I change the password for admin user in PKI. The
> “User Management” section gives me the option of editing the admin
> user but I can’t see the password change option
>
>  
>
In configuration -> Users -> Edit admin -> Change User Password
>
> 2.   I’m adding a server certificate after I created a server
> certificate profile by filling out necessary fields and linking it to
> the certificate profile. Clicking Submit and it shows in the list with
> an icon to sign it.
>
> Now I simply follow the guide on PKI which says the following:
>
> Since the server certificate is stored in the PKI database, you will
> have to sign and export it to the PacketFence server.
>
> On the PKI web interface, under Certificates click on the "sign" icon
> for the certificate for your RADIUS server. This will automatically
> sign the certificate with your CA. Use the /Send
> certificate/ or /Download certificate/ to export it. The certificate
> will be exported in p12 format which combines both the certificate and
> its key. The password to decrypt the file will be send by email.
>
> Ok, I click on the Sign icon for the newly created server certificate
> and it redirects me to the page where I can have an option of sending
> or downloading it. I select  “Download certificate” and end up with an
> error:
>
>  
>
>
> SMTPSenderRefused at /pki/cert/2/download/
>
> (550, '5.7.1 Sender unknown', u'pf-nore...@options.bc.ca')
>
> *Request Method:* GET
> *Request URL:* https://172.16.0.222:9393/pki/cert/2/download/
> *Django Version:* 1.8.1
> *Exception Type:* SMTPSenderRefused
> *Exception Value:* (550, '5.7.1 Sender unknown', u'pf-nore...@options.bc.ca')
> *Exception Location:* /usr/lib64/python2.7/smtplib.py in sendmail, line 735
> *Python Executable:* /usr/bin/python
> *Python Version:* 2.7.5
> *Python Path:*
> ['/usr/lib64/python27.zip',
>  '/usr/lib64/python2.7',
>  '/usr/lib64/python2.7/plat-linux2',
>  '/usr/lib64/python2.7/lib-tk',
>  '/usr/lib64/python2.7/lib-old',
>  '/usr/lib64/python2.7/lib-dynload',
>  '/usr/lib64/python2.7/site-packages',
>  '/usr/lib/python2.7/site-packages',
>  '/usr/local/packetfence-pki',
>  '/usr/local/packetfence-pki/inverse']
> *Server time:* Tue, 9 Jan 2018 07:56:21 +
>
>  
>
>  
>
> If I select “Send certificate” I end up with the same error but a bit
> different title
>
>  
>
>
> SMTPSenderRefused at /pki/cert/2/send/
>
> (550, '5.7.1 Sender unknown', u'pf-nore...@options.bc.ca')
>
> *Request Method:* GET
> *Request URL:* https://172.16.0.222:9393/pki/cert/2/send/
>
>  
>
> Where would I need to make a change to SMTP server.
>
> Needless to say that when I create a local user from PF GUI and select
> an option of sending an email to the address I specify the email gets
> delivered without any errors
>
In fact it looks like your SMTP server refuses to accept the email (550,
'5.7.1 Sender unknown', u'pf-nore...@options.bc.ca'), so add it in your
SMTP server and it should be OK.
Regards
Fabrice

>  
>
> Eugene
>
>  
>
> *From:*Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Wednesday, January 03, 2018 12:26 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> Just for information, I uploaded a new version of the packetfence-pki
> for centos7 which fixes all the install issues.
>
> Regards
>
> Fabrice
>
> Le 2017-12-12 à 23:58, E.P. a écrit :
>
> Well, I’m taking my hat off in front of you, no kidding and pun
> intended ;)
>
> Do you need traceback from the error page ?
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, December 12, 2017 7:02 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net
> 
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> ah ah don't worry , i like to have challenge like that to be able
> to fix the issue for better user experience.
>
> I coded the pki so i want to make it work.
>
>  
>
> Le 2017-12-12 à 21:48, E.P. a écrit :
>
> Sure, take your time, Fabrice. I have a special knack of
> running into troubles in cases when others didn’t have any :)
>
>
> Eugene
>
> Sent from iPhone
>
>
> On Dec 12, 2017, at 18:18, Durand fabrice wrote:
>
> Ok let me try to install the pki on the zen and i will be
> back to you.
>
> i have installed the pki on 10 servers not a long time ago
> without any issue.
>
>  
>
> Le 2017-12-12 à 20:52, E.P. a écrit :
>
>   

Re: [PacketFence-users] Assistance with AD dot1x

2018-01-08 Thread Fabrice Durand via PacketFence-users
Hello All,

just to clarify some points.

First, realmd can't be used because we have to use ntlm_auth in
Freeradius to authenticate users for eap/peap mschap v2.

Next, Configuration → Policies and Access Control → Domains → Active
Directory Domains – Add Domain is only to join the machine to a windows
domain (it creates a chroot for each domain).

Configuration → Policies and Access Control → Domains → Realms is to
associate a realm to a windows domain; it means that if the username is
b...@acme.edu and there is a realm defined for acme.edu, then it will
use the domain associated to it to validate the credentials (in Freeradius).

Don't forget that the username can be ACME\bob, so you will need to
create a realm ACME too.

Last thing, in Configuration → Policies and Access Control →
Authentication Sources (Type Internal), when you define a realm
associated to a source (like acme.edu), it means that if you use on
the portal or for 802.1x auto registration a username like b...@acme.edu
then PacketFence will use it (you can strip the username if needed in
the source).

Regards
Fabrice

Le 2018-01-07 à 19:32, E.P. via PacketFence-users a écrit :
>
> I’m curious, did you create a new realm or used the default one and
> linked it to AD ?
>
> I tried to create a new realm and it is placed in the end of the list
> and the authentication never reached it.
>
> It only worked to me if I link the default realm to AD
>
>  
>
> Eugene
>
>  
>
> *From:*j...@momentumvr.co.uk [mailto:j...@momentumvr.co.uk]
> *Sent:* Sunday, January 07, 2018 5:18 AM
> *To:* 'E.P.'; packetfence-users@lists.sourceforge.net
> *Subject:* RE: [PacketFence-users] Assistance with AD dot1x
>
>  
>
> Thanks for that Eugene, I will take a look at that log tomorrow
> morning. The issue is when we try to add the domain via domains>active
> directory domains>add domain. Strangely connecting via realmd works
> without issue every time.
>
>  
>
> John
>
>  
>
> *From:*E.P. [mailto:ype...@gmail.com]
> *Sent:* 05 January 2018 19:32
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Cc:* j...@momentumvr.co.uk 
> *Subject:* RE: [PacketFence-users] Assistance with AD dot1x
>
>  
>
> Hi John,
>
> I still have a fresh experience with configuring AD in PF and it
> worked to me from the first try.
>
> Just to understand it clearly, you can’t complete the configuration if
> you add the source, i.e.
>
> From the *Configuration → Policies and Access Control → Authentication
> Sources*, *Add source → Internal - AD*.
>
> Or it is failing on adding the domain, i.e.
>
> *Configuration → Policies and Access Control → Domains → Active
> Directory Domains – Add Domain*
>
> And of course, as it is stated in the admin guide I’d go checking
> this file for any clues:
>
> /chroots//var/log/samba/log.winbindd.
> Replace || with the identifier you set in the domain
> configuration.
>
>  
>
> Eugene
>
>  
>
> *From:*john--- via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, January 05, 2018 5:00 AM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Cc:* j...@momentumvr.co.uk 
> *Subject:* [PacketFence-users] Assistance with AD dot1x
>
>  
>
> Good afternoon everyone,
>
>  
>
> We are currently working with PF7.3 on Centos 7 and no matter what we
> do we cannot get AD to complete configuration, it simply returns
> “Null” so obviously fails. When we use realmd it works fine. My
> question initially is, does this affect dot1x authentication via AD if
> we complete this only using realmd and not the configuration panel AD
> connection method? As always your help is greatly appreciated.
>
>  
>
> John
>
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
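
The realm lookup described in the message above, as an added Python sketch (not PacketFence or FreeRADIUS code): it splits a login into realm and user for both the user@realm and DOMAIN\user forms and reports which realm entry would handle it. The realm table, the domain identifier ACMEDOM, the case-insensitive match and the fallback to the "null" and "default" entries are assumptions of the example.

```python
# Added example: models the realm -> domain association described in the
# message above. Not PacketFence code; names and fallbacks are assumptions.


def split_realm(username):
    """Return (realm, user); realm is None when the login carries none."""
    if "\\" in username:                 # NetBIOS form: ACME\bob
        realm, user = username.split("\\", 1)
    elif "@" in username:                # suffix form: bob@acme.edu
        user, realm = username.rsplit("@", 1)
    else:
        return None, username
    return (realm or None), user


def resolve(username, realms):
    """Return (entry_name, domain) for the realm entry that handles username.

    realms maps a realm name to the AD domain identifier associated with
    it, or to None when the realm exists but is not linked to a domain.
    Assumed precedence: exact realm (case-insensitive), then "null" for
    logins without a realm, then "default" for realms that are not defined.
    """
    table = {name.lower(): (name, domain) for name, domain in realms.items()}
    realm, _user = split_realm(username)
    if realm is None:
        key = "null"
    elif realm.lower() in table:
        key = realm.lower()
    else:
        key = "default"
    return table.get(key, (key, None))


def unrouted(usernames, realms):
    """Logins that end up on an entry with no domain attached."""
    return [u for u in usernames if resolve(u, realms)[1] is None]


# Constructed sample: only the suffix realm has been created and linked.
REALMS = {"acme.edu": "ACMEDOM", "default": None, "null": None}
LOGINS = ["bob@acme.edu", "ACME\\bob", "bob"]

if __name__ == "__main__":
    for login in LOGINS:
        print(login, "->", resolve(login, REALMS))
    print("no domain for:", unrouted(LOGINS, REALMS))
```

With only acme.edu defined, ACME\bob lands on the default entry, which is why the second realm (or a linked default realm) is needed for that login form.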



Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?

2018-01-04 Thread Fabrice Durand via PacketFence-users
sr/local/pf/raddb/policy.d/accounting
>
> including configuration file /usr/local/pf/raddb/policy.d/canonicalization
>
> including configuration file /usr/local/pf/raddb/policy.d/control
>
> including configuration file /usr/local/pf/raddb/policy.d/cui
>
> including configuration file /usr/local/pf/raddb/policy.d/debug
>
> including configuration file /usr/local/pf/raddb/policy.d/dhcp
>
> including configuration file /usr/local/pf/raddb/policy.d/eap
>
> including configuration file /usr/local/pf/raddb/policy.d/filter
>
> including configuration file /usr/local/pf/raddb/policy.d/operator-name
>
> including configuration file /usr/local/pf/raddb/policy.d/packetfence
>
> including files in directory /usr/local/pf/raddb/sites-enabled/
>
> including configuration file
> /usr/local/pf/raddb/sites-enabled/dynamic-clients
>
> including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
>
> including configuration file
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
>
> including configuration file
> /usr/local/pf/raddb/sites-enabled/packetfence-cli
>
> main {
>
> security {
>
>     user = "pf"
>
>    group = "pf"
>
>     allow_core_dumps = no
>
> }
>
>     name = "radiusd"
>
>     prefix = "/usr"
>
>     localstatedir = "/usr/local/pf/var"
>
>     logdir = "/usr/local/pf/logs"
>
>     run_dir = "/usr/local/pf/var/run"
>
> }
>
> main {
>
>     name = "radiusd"
>
>     prefix = "/usr"
>
>     localstatedir = "/usr/local/pf/var"
>
>     sbindir = "/usr/sbin"
>
>     logdir = "/usr/local/pf/logs"
>
>     run_dir = "/usr/local/pf/var/run"
>
>     libdir = "/usr/lib64/freeradius"
>
>     radacctdir = "/usr/local/pf/logs/radacct"
>
>     hostname_lookups = no
>
>     max_request_time = 10
>
>     cleanup_delay = 5
>
>     continuation_timeout = 15
>
>     max_requests = 2
>
>     pidfile = "/usr/local/pf/var/run/radiusd.pid"
>
>     checkrad = "/usr/sbin/checkrad"
>
>     debug_level = 0
>
>     proxy_requests = yes
>
> log {
>
>     stripped_names = no
>
>     auth = yes
>
>     auth_badpass = no
>
>     auth_goodpass = no
>
>     colourise = yes
>
>     msg_denied = "You are already logged in - access denied"
>
> }
>
> resources {
>
> }
>
> security {
>
>     max_attributes = 200
>
>     reject_delay = 1.00
>
>     status_server = yes
>
>     allow_vulnerable_openssl = "yes"
>
> }
>
> }
>
> auth:  Loading Realms and Home Servers 
>
> proxy server {
>
>     retry_delay = 5
>
>     retry_count = 3
>
>     default_fallback = no
>
>     dead_time = 120
>
>     wake_all_if_all_dead = no
>
> }
>
> home_server localhost {
>
>     ipaddr = 127.0.0.1
>
>     port = 1812
>
>     type = "auth"
>
>     secret = <<< secret >>>
>
>     response_window = 20.00
>
>     response_timeouts = 1
>
>     max_outstanding = 65536
>
>     zombie_period = 40
>
>     status_check = "status-server"
>
>     ping_interval = 30
>
>     check_interval = 30
>
>     check_timeout = 4
>
>     num_answers_to_alive = 3
>
>     revive_interval = 120
>
>   limit {
>
>     max_connections = 16
>
>     max_requests = 0
>
>     lifetime = 0
>
>     idle_timeout = 0
>
>   }
>
>   coa {
>
>     irt = 2
>
>     mrt = 16
>
>     mrc = 5
>
>     mrd = 30
>
>   }
>
> }
>
> Ignoring "response_window = 20.00", forcing to "response_window =
> 10.00"
>
> home_server_pool my_auth_failover {
>
>     type = fail-over
>
>     home_server = localhost
>
> }
>
> realm example.com {
>
>     auth_pool = my_auth_failover
>
> }
>
> realm default {
>
> }
>
> realm local {
>
> }
>
> realm null {
>
> }
>
> auth:  Loading Clients 
>
> client localhost {
>
>     ipaddr = 127.0.0.1
>
>     require_message_authenticator = no
>
>     secret = <<< secret >>>
>
>     nas_type = "other"
>
>
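
An added example (not part of the original messages, and not PacketFence or FreeRADIUS code): a small Python parser for the kind of `radiusd` debug dump quoted above, which walks the nested `name { key = value }` blocks and lists settings worth a second look before the server goes into production. The sample text is a trimmed, constructed copy of the quoted output; the rule list and its wording are assumptions of the example.

```python
import re

# Constructed sample: a trimmed copy of the quoted debug output above,
# including the "> " quote prefixes and lines that are not settings.
SAMPLE = """\
> including configuration file /usr/local/pf/raddb/sites-enabled/packetfence
> main {
> security {
>     user = "pf"
>     allow_core_dumps = no
> }
> }
> main {
>     max_requests = 2
> log {
>     auth = yes
>     auth_badpass = no
>     auth_goodpass = no
> }
> security {
>     status_server = yes
>     allow_vulnerable_openssl = "yes"
> }
> }
> home_server localhost {
>     secret = <<< secret >>>
>   limit {
>     max_connections = 16
>   }
> }
> Ignoring "response_window = 20.00", forcing to "response_window = 10.00"
> client localhost {
>     ipaddr = 127.0.0.1
>     require_message_authenticator = no
>     secret = <<< secret >>>
> }
"""

QUOTE_PREFIX = re.compile(r"^(?:>[ \t]?)+")
SETTING = re.compile(r"^([A-Za-z_][\w.-]*)\s*=\s*(.*)$")

# (section pattern, key, flagged value, note). Assumed review rules.
RULES = [
    (r"(?:^|/)security$", "allow_vulnerable_openssl", "yes",
     "start-up check for known-vulnerable OpenSSL builds is switched off"),
    (r"(?:^|/)client [^/]+$", "require_message_authenticator", "no",
     "Access-Requests without Message-Authenticator are accepted"),
    (r"(?:^|/)log$", "auth_badpass", "yes",
     "rejected passwords are written to the log"),
    (r"(?:^|/)log$", "auth_goodpass", "yes",
     "accepted passwords are written to the log"),
]


def parse_dump(text):
    """Return [(section_path, key, value)] from a radiusd debug dump."""
    stack, settings = [], []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # e.g. "client localhost"
        elif line == "}":
            if stack:
                stack.pop()
        else:
            match = SETTING.match(line)
            if match:                            # skips log chatter
                value = match.group(2).strip().strip('"')
                settings.append(("/".join(stack), match.group(1), value))
    return settings


def audit(text):
    """Return [(section_path, key, value, note)] for settings that match RULES."""
    findings = []
    for section, key, value in parse_dump(text):
        for pattern, rule_key, bad_value, note in RULES:
            if key == rule_key and value == bad_value and re.search(pattern, section):
                findings.append((section, key, value, note))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: %s = %s (%s)" % finding)
```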

Re: [PacketFence-users] PKI installation

2018-01-03 Thread Fabrice Durand via PacketFence-users
Just for information, I uploaded a new version of the packetfence-pki
for centos7 which fixes all the install issues.

Regards

Fabrice



Le 2017-12-12 à 23:58, E.P. a écrit :
>
> Well, I’m taking my hat off in front of you, no kidding and pun
> intended ;)
>
> Do you need traceback from the error page ?
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, December 12, 2017 7:02 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> ah ah don't worry , i like to have challenge like that to be able to
> fix the issue for better user experience.
>
> I coded the pki so i want to make it work.
>
>  
>
>  
>
> Le 2017-12-12 à 21:48, E.P. a écrit :
>
> Sure, take your time, Fabrice. I have a special knack of running
> into troubles in cases when others didn’t have any :)
>
>
> Eugene
>
> Sent from iPhone
>
>
> On Dec 12, 2017, at 18:18, Durand fabrice wrote:
>
> Ok let me try to install the pki on the zen and i will be back
> to you.
>
> i have installed the pki on 10 servers not a long time ago
> without any issue.
>
>  
>
>  
>
> Le 2017-12-12 à 20:52, E.P. a écrit :
>
> Yes, db.sqlite3 was owned by root
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# ls -al
>
> total 56
>
> drwxr-xr-x   7 pf   pf 128 Dec 12 08:49 .
>
> drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
>
> drwxrws---   2 pf   pf   6 Nov 15 14:20 ca
>
> drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf
>
> *-rw-r--r--   1 root root 43008 Dec 12 08:44 db.sqlite3*
>
> drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse
>
> drwxrws---   2 pf   pf  90 Dec 12 01:35 logs
>
> -rwxr--r--   1 pf   pf 250 Nov 15 14:20 manage.py
>
> -rw-r--r--   1 root root 6 Dec 12 08:49 packetfence-pki.pid
>
> drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki
>
>  
>
> Changed the file ownership to pf:pf
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# ls -al
>
> total 100
>
> drwxr-xr-x   7 pf   pf 147 Dec 13 01:45 .
>
> drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
>
> drwxrws---   2 pf   pf   6 Nov 15 14:20 ca
>
> drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf
>
> *-rw-r--r--   1 pf   pf   43008 Dec 13 01:45 db.sqlite3*
>
> drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse
>
> drwxrws---   2 pf   pf  90 Dec 12 01:35 logs
>
> -rwxr--r--   1 pf   pf 250 Nov 15 14:20 manage.py
>
> -rw-r--r--   1 root root 5 Dec 13 01:43 packetfence-pki.pid
>
> drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki
>
>  
>
> But trying to login to the PKI webpage brings me back to
> the same original error “no such table: pki_ca” which I
> showed earlier. I tried to follow your previous advice
> about renaming the db.sqlite3 file and running migration
> but the behavior is consistent.  Is it OK that the PKI
> process ID file is also owned by root ?
>
>  
>
> *From:*Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, December 12, 2017 5:35 AM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> 
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> Just change the owner of the sqlite file to pf and it
> should be ok.
>
> Btw all these steps are made in the packaging, so it
> probably failed or never finished correctly.
>
> I will do a test on my side.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> Le 2017-12-12 à 03:47, E.P. a écrit :
>
> Well, we are getting closer ;)
>
> Ran the python script to migrate the database it completed
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# python
> manage.py migrate
>
> Operations to perform:
>
>   Synchronize unmigrated apps: staticfiles,
> rest_framework, messages, bootstrap3
>
>   Apply all migrations: authtoken, sessions, admin,
> auth, contenttypes, pki
>
> Synchronizing apps without migrations:
>
>   Creating tables...
>
>     Running deferred SQL...
>
>   Installing custom SQL...
>
> Running migrations:
>
>   Rendering model st

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread Fabrice Durand via PacketFence-users
 = authpwdread
>> #SNMPPrivProtocolTrap = DES
>> #SNMPPrivPasswordTrap = privpwdread
>> [192.168.1.0/24]
>> description=Test Range Switch
>> type=Cisco::Catalyst_2900XL
>> mode=production
>> uplink=23,24
>> [root@packetfence ~]# 
>>
>>
>> Follow switch configuration: 
>>
>> Following the configuration of the manual, the model of my
>> switch is DELL n1548.
>> 
>> (https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_dell)
>>
>>
>> console#show running-config 
>>
>> !Current Configuration:
>> !System Description "Dell Networking N1548, 6.2.6.6, Linux 3.6.5"
>> !System Software Version 6.2.6.6
>> !
>> configure
>> vlan 2-5,10,100
>> exit
>> vlan 2
>> name "Registration"
>> exit
>> vlan 3
>> name "Isolation"
>> exit
>>     vlan 4
>>     name "Mac detection"
>> exit
>> vlan 5
>> name "Guest"
>> exit
>> vlan 100
>> name "VoIP"
>> exit
>> stack             
>> member 1 3    ! N1548
>> exit              
>> interface vlan 1  
>> ip address 172.16.0.50 255.255.255.0
>> exit              
>> authentication enable
>> dot1x system-auth-control
>> aaa authentication dot1x default radius
>> aaa authorization network default radius
>> dot1x dynamic-vlan enable
>> voice vlan        
>> aaa server radius dynamic-author
>> client 172.16.0.2 server-key "useStrongerSecret"
>> exit              
>> radius-server host auth 172.16.0.2
>> name "PacketFence"
>> usage 802.1x      
>> key "useStrongerSecret"
>> exit              
>> !                 
>> interface Gi1/0/11
>> switchport mode trunk
>> switchport trunk allowed vlan 1-5,100
>> dot1x port-control force-authorized
>> exit              
>> !                 
>> interface Gi1/0/13
>> switchport voice detect auto
>> switchport mode general
>> switchport access vlan 10
>> dot1x port-control mac-based
>> dot1x reauthentication
>> dot1x mac-auth-bypass
>> authentication order mab
>> authentication priority mab
>> lldp transmit-tlv sys-desc sys-cap
>> lldp transmit-mgmt
>> lldp notification 
>> lldp med confignotification
>> voice vlan 100    
>> exit              
>> snmp-server engineid local 82a203141877eaf0a0
>> snmp-server community "private" rw
>> snmp-server community "public" ro
>> exit              
>>
>> console#
>>
>>
>>
>>
>> I still do not understand where the error is. Any idea
>>
>>
>> 2017-12-29 11:15 GMT-03:00 Fabrice Durand via
>> PacketFence-users <packetfence-users@lists.sourceforge.net>:
>>
>> Hello André,
>>
>> First you need to check on the switch side if the mac
>> address of the device is in the vlan 300.
>>
>> Next a registration vlan is a vlan managed by
>> PacketFence, so you need to enable dhcp on the vlan 300
>> and 600.
>>
>> Another thing I can see is that the interface enp0s8.300
>> (vlan 300) uses the network 172.17.0.0/24 and it should be
>> 172.16.0.0/24 ?! (but enp0s8 uses this network).
>>
>> So in my opinion, you probably messed up the vlan/interface
>> config.
>>
>> If enp0s8 interface is really on the vlan 300 then
>> enp0s8.300 is useless and you probably have to use the
>> vlan 301 as the registration network.
>>
>&

Re: [PacketFence-users] Aruba Switch Network Configuration

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello Jeremy,

do you have any documentation related to the support of the VoIP on the
Aruba switch ?

There is probably a vsa attribute to return when PacketFence detect that
a phone is plugged on a switch port.

If the vsa exist then it will be easy to add the VoIP support for the
Aruba switches.

Regards

Fabrice



Le 2018-01-03 à 13:29, Jeremy Plumley a écrit :
>
> I have my demo HPE Aruba 2930M switch now. So far data vlan seems ok
> but I’m having issues with my Cisco VOIP Phones. The Packetfence log
> is throwing this error over my phones.
>
>  
>
> Jan  3 13:21:48 pf1 packetfence_httpd.aaa: httpd.aaa(3637) WARN:
> [mac:64:00:f1:ab:11:35] RADIUS Authentication of IP Phones is not
> supported on switch type pf::Switch::ArubaSwitch. Please let us know
> what hardware you are using. (pf::Switch::supportsRadiusVoip)
>
>  
>
> Any ideas on how to support phones on these or should I attempt
> another switch type?
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
>  
>
> *From:*Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, December 06, 2017 9:07 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice 
> *Subject:* Re: [PacketFence-users] Aruba Switch Network Configuration
>
>  
>
> Ok so it should work.
>
> When i did the code the Aruba switches were really new and there were
> bugs in the Aruba OS.
>
> Btw i think that it's fully supported by Clear Pass so it will work
> with PacketFence.
>
> Regards
> Fabrice
>
> E-Mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and shall be disclosed to third
> parties when required by the statutes (G.S. 132-1.) 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence-pki restore/ovewrite admin password

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello,

what you can do is to connect in the sqlite db and update the password.

sqlite3 db.sqlite3

UPDATE "auth_user" set
password='pbkdf2_sha256$2$Z2Lhr1cW8QM0$mN9PtNhxneIDzApqFa4uG8V44IXqHe+r7yootSoSzJQ='
where username='admin';

the password is p@ck3tf3nc3


Regards

Fabrice



Le 2018-01-03 à 10:12, Rokkhan via PacketFence-users a écrit :
> Hi,
>
> I am unable to login to packetfence-pki web interface with the admin
> password neither with another user I created after installation.
>
> Is there any way to restore or overwrite the admin password?
>
> I am using Packetfence-pki 1.0.5 in centos 7
>
> Greetings
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
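
An added example (not part of the original message and not packetfence-pki code): a Python parser and verifier for the Django `pbkdf2_sha256$<iterations>$<salt>$<digest>` value used in the UPDATE statement above, plus a check that lists `auth_user` rows whose iteration count is below a floor. The posted value carries an iteration count of 2 and its password is public in this thread, so an account still holding it is the first thing the check reports. The floor of 100000, the in-memory two-column table and the "operator" user are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
import sqlite3
from collections import namedtuple

# The value from the UPDATE statement above, copied verbatim.
POSTED_HASH = ("pbkdf2_sha256$2$Z2Lhr1cW8QM0$"
               "mN9PtNhxneIDzApqFa4uG8V44IXqHe+r7yootSoSzJQ=")

# Assumed floor for this example only; use the figure your own policy sets.
MIN_ITERATIONS = 100000

DjangoHash = namedtuple("DjangoHash", "algorithm iterations salt digest")


def parse_django_hash(encoded):
    """Split '<algorithm>$<iterations>$<salt>$<base64 digest>'."""
    parts = encoded.split("$")
    if len(parts) != 4:
        raise ValueError("expected 4 '$'-separated fields, got %d" % len(parts))
    algorithm, iterations, salt, b64 = parts
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported algorithm: %r" % algorithm)
    if not iterations.isdigit() or int(iterations) < 1:
        raise ValueError("bad iteration count: %r" % iterations)
    digest = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    return DjangoHash(algorithm, int(iterations), salt, digest)


def make_django_hash(password, iterations=MIN_ITERATIONS, salt=None):
    """Produce a value in the same format with a fresh random salt."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(digest).decode("ascii"))


def verify(password, encoded):
    """Constant-time check of a candidate password against a stored value."""
    h = parse_django_hash(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    h.salt.encode("utf-8"), h.iterations,
                                    dklen=len(h.digest))
    return hmac.compare_digest(candidate, h.digest)


def weak_accounts(conn, min_iterations=MIN_ITERATIONS):
    """Return [(username, reason)] for auth_user rows that need a new hash."""
    flagged = []
    rows = conn.execute(
        "SELECT username, password FROM auth_user ORDER BY username")
    for username, encoded in rows:
        try:
            h = parse_django_hash(encoded)
        except ValueError as exc:
            flagged.append((username, "unparsable: %s" % exc))
            continue
        if h.iterations < min_iterations:
            flagged.append((username, "iterations=%d" % h.iterations))
    return flagged


def demo_db():
    """Constructed in-memory stand-in for db.sqlite3 (two columns only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO auth_user VALUES (?, ?)", ("admin", POSTED_HASH))
    conn.execute("INSERT INTO auth_user VALUES (?, ?)",
                 ("operator", make_django_hash("constructed-passphrase")))
    return conn


if __name__ == "__main__":
    for user, reason in weak_accounts(demo_db()):
        print("%s needs a new password hash (%s)" % (user, reason))
```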



Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello Ivan,

what you can do is the following:

/usr/local/pf/bin/pfcmd service radiusd generateconfig

/usr/sbin/radiusd -d /usr/local/pf/raddb  -n auth -fxx -l stdout

And paste the debug if the service is not able to start.

Regards

Fabrice



Le 2018-01-03 à 09:31, Auger, Ivan (ITS) via PacketFence-users a écrit :
>
> Selected radius enforcement in configuration wizard – radius does not
> start in last step – everything else starts.  Is there something
> additional that needs to be defined in /usr/local/pf/conf/pf.conf or
> in /usr/local/pf/conf/raddb template directory?
>
>  
>
> Thanks….
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

First did you uncomment packetfence-local-auth in
/usr/local/pf/conf/radiusd/packetfence-tunnel ?

Also what type of hashing password did you choose ? (Configuration ->
System configuration -> Advanced ) only ntlm and plaintext are supported
by local auth.

Regards

Fabrice



Le 2018-01-03 à 00:21, E.P. a écrit :
>
> I applied the patch, Tim, and it was successful, I mean the patch
> installation.
>
> Then I restarted RADIUS daemon and tried the local user
> authentication. As I described it in the other email to Fabrice it was
> rejected due to MSCHAPv2. For me it is a sign that I’m getting closer ;)
>
> And yes, Unifi is indeed ubiquitous ;) I inherited the organization
> WiFi setup based on distributed deployment of Unifi in L3 mode and now
> the management is pushing for more security without any significant
> investments.
>
>  
>
> Eugene
>
>  
>
> *From:*Timothy Mullican [mailto:tjmullic...@yahoo.com]
> *Sent:* Tuesday, January 02, 2018 7:04 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net; Fabrice Durand
> *Subject:* Re: [PacketFence-users] Need an advice and maybe assistance
> with FreeRADIUS
>
>  
>
> Eugene,
>
>  
>
> The patch is mandatory in order for PacketFence to recognize that the
> UniFi supports 802.1x (and MAC-based auth). As for the controller, you
> should be able to get away without it if you do not need dynamic VLAN
> assignment. However, without the controller, PacketFence will not be
> able to disassociate or deauthenticate any clients, so keep this in
> mind for any temporary sessions (if applicable). Try applying the
> patch, restarting all the PacketFence services, and see if it fixes
> your problems. Based on the lack of Ubiquiti support for various
> integration issues (802.1x and MAC auth dynamic vlan assignment), the
> patch has been delayed being merged into the core code (per Fabrice),
> so you have to apply it manually. Please let me know if you have any
> additional questions.
>
>  
>
> Thanks,
>
> Tim
>
>  
>
> Sent from mobile phone
>
>
> On Jan 2, 2018, at 16:06, E.P. <ype...@gmail.com> wrote:
>
> Appreciate those screenshots as well, Tim!
>
> I’m running latest code of the Unifi controller as well and latest
> firmware supported on all WAP.
>
> Quick question, is the IP address of the controller mandatory when
> I configure WAP in PF switches section?
>
>  
>
> Eugene
>
>  
>
> *From:*Timothy Mullican [mailto:tjmullic...@yahoo.com]
> *Sent:* Friday, December 29, 2017 9:34 AM
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* E.P.; Fabrice Durand
> *Subject:* Re: [PacketFence-users] Need an advice and maybe
> assistance with FreeRADIUS
>
>  
>
> Eugene,
>
>  
>
> Just a thought, but can you change the deauthentication method to
> HTTPS and specify the UniFi controller IP? See my setup below:
>
>  
>
> https://i.imgsafe.org/0c/0cff2c7f19.png
>
> https://i.imgsafe.org/0c/0cff2dfd99.png
>
>  
>
> My UniFi AP is 192.168.20.7
>
> My UniFi controller is 192.168.20.6
>
>  
>
> This is my UniFi AP setup:
>
> https://i.imgsafe.org/05/05bbb5eafe.png
>
> https://i.imgsafe.org/05/05bbd86ab4.png
>
>      
>
>     Also please make sure you have the latest UniFi AP and controller
> firmware as they were just updated a few days ago. 
>
>  
>
> See my earlier post on the PacketFence-Users forum if you have
> questions. 
>
>  
>
> Tim
>
>  
>
> Sent from mobile phone
>
>
> On Dec 29, 2017, at 07:59, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> For me it looks that 172.19.254.2 is defined twice.
>
> Can you do in /usr/local/pf/raddb:
>
> grep 172.19.254.2 * -r 
>
> Also can you try to run radiusd in debug mode and see if you
> can see 172.19.254.2 (radiusd -d /usr/local/pf/raddb -n auth -X)
>
>  
>
> Regards
>
> Fabrice
>
>  
>
> Le 2017-12-29 à 01:26, E.P. a écrit :
>
> Nah…
>
> No luck at all, Fabrice. I’m becoming desperate ;)
>
> I thought it has to do with Unifi controller (reading it
> here in other threads that it is far from being
> error-free) but I pointed it to FreeRADIUS running on
> DaloRADIUS host and the regular user a

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread Fabrice Durand via PacketFence-users
hpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
> [192.168.1.0/24]
> description=Test Range Switch
> type=Cisco::Catalyst_2900XL
> mode=production
> uplink=23,24
> [root@packetfence ~]# 
>
>
> Follow switch configuration: 
>
> Following the configuration of the manual, the model of my switch
> is DELL n1548.
> 
> (https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_dell)
>
>
> console#show running-config 
>
> !Current Configuration:
> !System Description "Dell Networking N1548, 6.2.6.6, Linux 3.6.5"
> !System Software Version 6.2.6.6
> !
> configure
> vlan 2-5,10,100
> exit
> vlan 2
> name "Registration"
> exit
> vlan 3
> name "Isolation"
> exit
> vlan 4
> name "Mac detection"
> exit
> vlan 5
> name "Guest"
> exit
> vlan 100
> name "VoIP"
> exit
> stack             
> member 1 3    ! N1548
> exit              
> interface vlan 1  
> ip address 172.16.0.50 255.255.255.0
> exit              
> authentication enable
> dot1x system-auth-control
> aaa authentication dot1x default radius
> aaa authorization network default radius
> dot1x dynamic-vlan enable
> voice vlan        
> aaa server radius dynamic-author
> client 172.16.0.2 server-key "useStrongerSecret"
> exit              
> radius-server host auth 172.16.0.2
> name "PacketFence"
>     usage 802.1x      
>     key "useStrongerSecret"
> exit              
> !                 
> interface Gi1/0/11
> switchport mode trunk
> switchport trunk allowed vlan 1-5,100
> dot1x port-control force-authorized
> exit              
> !                 
> interface Gi1/0/13
> switchport voice detect auto
> switchport mode general
> switchport access vlan 10
> dot1x port-control mac-based
> dot1x reauthentication
> dot1x mac-auth-bypass
> authentication order mab
> authentication priority mab
> lldp transmit-tlv sys-desc sys-cap
> lldp transmit-mgmt
> lldp notification 
> lldp med confignotification
> voice vlan 100    
> exit              
> snmp-server engineid local 82a203141877eaf0a0
> snmp-server community "private" rw
> snmp-server community "public" ro
> exit              
>
> console#
>
>
>
>
> I still do not understand where the error is. Any idea
>
>
> 2017-12-29 11:15 GMT-03:00 Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net>:
>
> Hello André,
>
> First you need to check on the switch side if the mac address
> of the device is in the vlan 300.
>
> Next a registration vlan is a vlan managed by PacketFence, so
> you need to enable dhcp on the vlan 300 and 600.
>
> Another thing I can see is that the interface enp0s8.300 (vlan
> 300) uses the network 172.17.0.0/24 and it should be
> 172.16.0.0/24 ?! (but enp0s8 uses this network).
>
> So in my opinion, you probably messed up the vlan/interface config.
>
> If enp0s8 interface is really on the vlan 300 then enp0s8.300
> is useless and you probably have to use the vlan 301 as the
> registration network.
>
> Last things, be sure that enp0s8 is plugged on a trunk port
> and be sure that you define all the vlans in your switch
> configuration.
>
> Regards
> Fabrice
>
>
>
>
> Le 2017-12-29 à 08:50, André Scrivener via PacketFence-users a
> écrit :
>> I'm configuring pf as vlan enforcement, but I'm having a
>> problem, where vlans with their respective IPs are not being
>> assigned. In the logs it returns the correct vlans, but does
>> not apply to the station.
>>
>> /
>> /
>> /Dec 29 11:36:54 packtfence packetfence_httpd.aaa:
>> httpd.aaa(5185) INFO: [mac:64:1c:67:82:7d:f2] handling radius
>> autz request: from switch_ip => (172.16.0.50),
>> connection_type => WIRED_MAC

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread Fabrice Durand via PacketFence-users
I tried to add the DAS parameter directly in the configuration file of
the AP and it works (CoA), but the limitation is that you can enable it
only on one ssid.

https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf

Regards

Fabrice



Le 2017-12-29 à 16:18, Timothy Mullican via PacketFence-users a écrit :
> It may be possible to skip the controller and run the deauthentication
> command on the AP itself, but it is product specific as opposed to the
> controller API, which is cross-product. The UniFi code on PacketFence
> would have to be modified to support this. 
>
> See 
> https://community.ubnt.com/t5/UniFi-Wireless/Issue-manual-kick-sta-command/m-p/1197157/highlight/true#M95831
>
> Sent from mobile phone
>
> On Dec 29, 2017, at 15:12, Timothy Mullican via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
>> I am running UniFi AP 3.9.15.8011 and Controller 5.6.26 (I’m using
>> linuxserver/UniFi docker image on CentOS 7.4). 
>>
>> First, make sure you applied the UniFi patch
>> (see 
>> https://community.ubnt.com/t5/UniFi-Wireless/Packetfence-7-1-Out-of-Band-Dynamic-VLAN-with-Unifi/m-p/2134984/highlight/true#M261219).
>> This enables dynamic VLAN assignment using radius and 802.1x on the
>> PacketFence side. The latest UniFi firmware also allows dynamic vlan
>> assignment using MAC authentication (i.e., guest access). If you have
>> any questions about this let me know and I can help you (also see my
>> earlier thread).
>>
>> If you are using the PacketFence captive portal authentication to
>> assign a user’s VLAN, PacketFence requires the UniFi controller to
>> deauthenticate clients from the AP. If you look at
>>  
>> https://github.com/inverse-inc/packetfence/pull/2735/files#diff-8b99f599546e7710d1df6b776d184569,
>> you can see the deauthentication method used is an HTTPS API call to
>> the controller running the “kick-sta” command on the client MAC
>> address. As you are probably aware, the user must reauthenticate in
>> order to be placed in the correct VLAN after successfully
>> authenticating. PacketFence automates this process in several ways
>> (HTTP/HTTPS, SNMP, Telnet/SSH, RADIUS CoA).
>>
>> As far as I know, the only way to deauthenticate a client on the AP
>> is using the Controller API over HTTPS (no support for CoA yet). If
>> CoA is implemented we should be able to bypass the controller and
>> send direct client RADIUS deauthentication requests to the AP. 
>>
>> If you are using 802.1x without the captive portal, you may be able
>> to get away without relying on the controller, since the VLAN is only
>> assigned once at logon to the AP, but I have not tested this yet. 
>>
>> Fabrice may be able to help if I didn’t explain something correctly
>> above. 
>>
>> Tim
>>
>>>
>>> On Dec 29, 2017, at 12:38, E.P. <ype...@gmail.com> wrote:
>>>
>>>> Hi Timothy,
>>>>
>>>> I’m really-really grateful to you and your comments.
>>>>
>>>> May I ask you what firmware level you run on your Unifi AP ?
>>>>
>>>> And by the way, just out of curiosity, why we need controller IP
>>>> address in the settings for AP/switch ?
>>>>
>>>> I thought that the real RADIUS client is the AP and the
>>>> controller’s only job is to push settings including
>>>> WPA-Enterprise/RADIUS to AP
>>>>
>>>>  
>>>>
>>>> Eugene
>>>>
>>>>  
>>>>
>>>> *From:*Timothy Mullican [mailto:tjmullic...@yahoo.com]
>>>> *Sent:* Friday, December 29, 2017 9:34 AM
>>>> *To:* packetfence-users@lists.sourceforge.net
>>>> <mailto:packetfence-users@lists.sourceforge.net>
>>>> *Cc:* E.P.; Fabrice Durand
>>>> *Subject:* Re: [PacketFence-users] Need an advice and maybe
>>>> assistance with FreeRADIUS
>>>>
>>>>  
>>>>
>>>> Eugene,
>>>>
>>>>  
>>>>
>>>> Just a thought, but can you change the deauthentication method to
>>>> HTTPS and specify the UniFi controller IP? See my setup below:
>>>>
>>>>  
>>>>
>>>> https://i.imgsafe.org/0c/0cff2c7f19.png
>>>>
>>>> https://i.imgsafe.org/0c/0cff2dfd99.png
>>>>
>>>>  
>>>>
>>>> My UniFi AP is 192.168.20.7
>>>>
>>>> My UniFi controller is 192.168.20.6
>>>>

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2017-12-29 Thread Fabrice Durand via PacketFence-users
Hello André,

First you need to check on the switch side if the mac address of the
device is in the vlan 300.

Next a registration vlan is a vlan managed by PacketFence, so you need
to enable dhcp on the vlan 300 and 600.

Another thing I can see is that the interface enp0s8.300 (vlan 300) uses
the network 172.17.0.0/24 and it should be 172.16.0.0/24 ?! (but enp0s8
uses this network).

So in my opinion, you probably messed up the vlan/interface config.

If enp0s8 interface is really on the vlan 300 then enp0s8.300 is useless
and you probably have to use the vlan 301 as the registration network.

Last thing, be sure that enp0s8 is plugged on a trunk port and be sure
that you define all the vlans in your switch configuration.

Regards
Fabrice



Le 2017-12-29 à 08:50, André Scrivener via PacketFence-users a écrit :
> I'm configuring pf as vlan enforcement, but I'm having a problem,
> where vlans with their respective IPs are not being assigned. In the
> logs it returns the correct vlans, but does not apply to the station.
>
> /
> /
> /Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
> INFO: [mac:64:1c:67:82:7d:f2] handling radius autz request: from
> switch_ip => (172.16.0.50), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (14:18:77:ea:f0:a2), mac =>
> [64:1c:67:82:7d:f2], port => 41, username => "641C67827DF2"
> (pf::radius::authorize)/
> /Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
> INFO: [mac:64:1c:67:82:7d:f2] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)/
> /Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
> INFO: [mac:64:1c:67:82:7d:f2] is of status unreg; belongs into
> registration VLAN (pf::role::getRegistrationRole)/
> /Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
> INFO: [mac:64:1c:67:82:7d:f2] (172.16.0.50) Added VLAN 300 to the
> returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)/
>
>
> /Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to
> reach min connections (3)/
> /Dec 29 11:36:54 packtfence auth[7662]: rlm_rest (rest): Opening
> additional connection (23), 1 of 62 pending slots used/
> /Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to
> reach min connections (3)/
> /Dec 29 11:36:54 packtfence auth[7662]: rlm_sql (sql): Opening
> additional connection (25), 1 of 62 pending slots used/
> /Dec 29 11:36:54 packtfence auth[7662]: [mac:64:1c:67:82:7d:f2]
> Accepted user:  and returned VLAN 300/
> /Dec 29 11:36:54 packtfence auth[7662]: (44) Login OK: [641C67827DF2]
> (from client 172.16.0.50 port 41 cli 64:1c:67:82:7d:f2)/
>
>
> In the logs it returns the correct vlan, but does not assign it to the
> computer; it is stubborn in assigning the network 172.16.0.0/24.
>
> I did not configure DHCP in packetfence, when packetfence returns a
> vlan it is for it to get dhcp from my infrastructure. (So I imagine.)
>
> Follows some of my settings, it's okay to expose information since
> it's a lab.
>
>
> [root@packtfence ~]# ifconfig 
> SCRIVENER-b: flags=4163  mtu 1500
>         inet 169.254.0.2  netmask 255.255.255.252  broadcast 169.254.0.3
>         inet6 fe80::c8b5:5bff:febe:b1cc  prefixlen 64  scopeid 0x20
>         ether ca:b5:5b:be:b1:cc  txqueuelen 1000  (Ethernet)
>         RX packets 8  bytes 648 (648.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 8  bytes 648 (648.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s3: flags=4099  mtu 1500
>         ether 08:00:27:a3:36:2a  txqueuelen 1000  (Ethernet)
>         RX packets 5668  bytes 8119227 (7.7 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 1260  bytes 80253 (78.3 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8: flags=4163  mtu 1500
>         inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
>         RX packets 20960  bytes 4119093 (3.9 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 12227  bytes 21064744 (20.0 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8.300: flags=4163  mtu 1500
>         inet 172.17.0.2  netmask 255.255.255.0  broadcast 172.17.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
>         RX packets 10  bytes 628 (628.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 14  bytes 900 (900.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8.301: flags=4163  mtu 1500
>         inet 172.19.0.2  netmask 255.255.255.0  broadcast 172.19.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ether

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2017-12-29 Thread Fabrice Durand via PacketFence-users
To me it looks like 172.19.254.2 is defined twice.

Can you do in /usr/local/pf/raddb:

grep 172.19.254.2 * -r 

Also can you try to run radiusd in debug mode and see if you can see
172.19.254.2 (radiusd -d /usr/local/pf/raddb -n auth -X)


Regards

Fabrice


Le 2017-12-29 à 01:26, E.P. a écrit :
>
> Nah…
>
> No luck at all, Fabrice. I’m becoming desperate ;)
>
> I thought it has to do with Unifi controller (reading it here in other
> threads that it is far from being error-free) but I pointed it to
> FreeRADIUS running on DaloRADIUS host and the regular user
> authentication worked nice.
>
> I just don’t like DaloRADIUS due to its limitations and support and
> hold my aspiration towards PF.
>
> Well, here we go again, I reconfigured the entry in switches file and
> it looks very simplistic, 172.19.254.2 is the IP address of Unifi AP.
>
>  
>
> [root@PacketFence-ZEN conf]# cat ./switches.conf
> [172.19.254.2]
> VoIPCDPDetect=N
> VoIPDHCPDetect=N
> deauthMethod=RADIUS
> description=Test-WAP
> VoIPLLDPDetect=N
> radiusSecret=1234567890
> VlanMap=N
>
>  
>
> Someone who uses Unifi maybe jump in to validate my settings please.
>
> In the settings for a specific wireless network I select “WPA
> Enterprise” and select RADIUS profile that I configured separately
> pointing to PF IP address. The RADIUS profile is configured as usual, i.e.
>
> IP address, ports which are 1812/1813 and shared secret, nothing fancy
> about it.
>
>  
>
> Both radius log files show the same consistent error:
>
>  
>
> /Dec 29 06:10:24 PacketFence-ZEN acct[13247]: Dropping packet without
> response because of error: Received Accounting-Request packet from
> client 172.19.254.2 with invalid Request Authenticator!  (Shared
> secret is incorrect.)/
>
> / /
>
> /Dec 29 06:20:29 PacketFence-ZEN auth[13273]: Dropping packet without
> response because of error: Received packet from 172.19.254.2 with
> invalid Message-Authenticator!  (Shared secret is incorrect.)/
>
>  
>
> I don’t think I have to start radius in debugging mode to have more
> output, do I ?
>
>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Thursday, December 28, 2017 5:17 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Need an advice and maybe assistance
> with FreeRADIUS
>
>  
>
> Can you try pfcmd configreload hard and restart radius. (pfcmd service
> radiusd restart)
>
>  
>
> Le 2017-12-28 à 19:20, E.P. a écrit :
>
> I should have made my previous email shorter because my main
> question fell into cracks.
>
> Why do I have an error with the shared secret? Quoting it here again:
>
>  
>
> When I test this with a real network device, Unifi WAP for
> example, I don’t go anywhere.
>
> I see that NAD is added, here’s an entry from radius.log
>
>  
>
> /Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client
> 172.19.254.2/32 with shared secret "123456"/
>
>  
>
> When I try to authenticate from an endpoint to a specific SSID I
> see this error in radius-acct.log
>
>  
>
> /Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet
> without response because of error: Received Accounting-Request
> packet from client 172.19.254.2 with invalid Request
> Authenticator!  (Shared secret is incorrect.)/
>
>  
>
> I added this WAP under “Policies and access control” in Switches
> section using the shared secret as shown above and following the
> admin guide. What am I doing wrong ?
>
> Here’s how the switches.conf file looks like after I added this WAP:
>
>  
>
> [root@PacketFence-ZEN conf]# cat ./switches.conf
> [172.19.254.2]
> VoIPCDPDetect=N
> VoIPDHCPDetect=N
> deauthMethod=RADIUS
> description=Test-WAP
> VoIPLLDPDetect=N
> radiusSecret=123456
> VlanMap=N
>
>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, December 28, 2017 3:30 PM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] Need an advice and maybe
> assistance with FreeRADIUS
>
>  
>
> Hello Eugene,
>
> in fact for 802.1x you need to use eapol_test instead of radtest.
> (http://deployingradius.com/scripts/eapol_test/)
>
> Also use the port 1812 instead of 18120.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> Le 2017-12-28 à 03:07, E.P. via PacketFence-users a écrit :
>
> Guys,
>
> I still hope someone with more experience with PF give me a
> hand with this trivial issue (if it is an issue)
>
> I’m on my way to test PF with baby steps and just created a
> user under Users section in PF GUI.
>
> Then I test it using a simple
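
The two errors quoted in this thread ("invalid Request Authenticator" and "invalid Message-Authenticator") both mean the server recomputed a keyed digest over the packet with the secret it holds for that client and got a different value. The Python below is an added example, not code from PacketFence or FreeRADIUS: it builds constructed packets following RFC 2866 and RFC 2869 and checks them on the server side. The two secrets are the values shown in the thread; which side holds which one, the user name and the helper names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_MESSAGE_AUTHENTICATOR = 1, 40, 80
ZERO16 = b"\x00" * 16

# Secrets as they appear in the thread; their assignment to NAS and server is assumed.
SECRET_ON_NAS = b"1234567890"
SECRET_LOADED_BY_SERVER = b"123456"


def attr(attr_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def header(code, ident, attrs):
    """Code, Identifier and total Length (20-octet fixed part plus attributes)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def build_accounting_request(ident, attrs, secret):
    """NAS side (RFC 2866): Authenticator = MD5(header + 16 zeros + attrs + secret)."""
    head = header(ACCOUNTING_REQUEST, ident, attrs)
    return head + hashlib.md5(head + ZERO16 + attrs + secret).digest() + attrs


def build_access_request(ident, attrs, secret):
    """NAS side (RFC 2869): random Request Authenticator, then Message-Authenticator =
    HMAC-MD5(secret, whole packet with the Message-Authenticator value zeroed)."""
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)
    head = header(ACCESS_REQUEST, ident, zeroed) + os.urandom(16)
    mac = hmac.new(secret, head + zeroed, hashlib.md5).digest()
    return head + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def find_attr(packet, wanted):
    """Return the offset of the first attribute of type `wanted`, or None."""
    offset = 20
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        if attr_type == wanted:
            return offset
        offset += attr_len
    return None


def verify_request(packet, secret):
    """Server side: True if the packet was protected with `secret`."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the received data")
    packet = packet[:length]  # octets past Length are padding
    if code == ACCOUNTING_REQUEST:
        expected = hashlib.md5(packet[:4] + ZERO16 + packet[20:] + secret).digest()
        return hmac.compare_digest(expected, packet[4:20])
    if code == ACCESS_REQUEST:
        offset = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
        if offset is None or packet[offset + 1] != 18:
            return False  # no usable Message-Authenticator to check against
        received = packet[offset + 2:offset + 18]
        zeroed = packet[:offset + 2] + ZERO16 + packet[offset + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(expected, received)
    raise ValueError("unsupported packet code %d" % code)


def demo():
    """Constructed packets: same secret verifies, differing secrets do not."""
    acct_attrs = attr(ATTR_USER_NAME, b"testuser") + attr(
        ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
    acct = build_accounting_request(7, acct_attrs, SECRET_ON_NAS)
    auth = build_access_request(8, attr(ATTR_USER_NAME, b"testuser"), SECRET_ON_NAS)
    return {
        "acct_same_secret": verify_request(acct, SECRET_ON_NAS),
        "acct_mismatch": verify_request(acct, SECRET_LOADED_BY_SERVER),
        "auth_same_secret": verify_request(auth, SECRET_ON_NAS),
        "auth_mismatch": verify_request(auth, SECRET_LOADED_BY_SERVER),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The check depends only on the secret the server has loaded for the source address, which is why a second client definition for the same IP or a configuration that was not reloaded produces the same error as a mistyped secret.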

Re: [PacketFence-users] OMAPI.pm errors

2017-12-20 Thread Fabrice Durand via PacketFence-users
Hum, if it's a cluster then omapi will not work on one of them (dhcpd
only runs on 2 of the 3 servers).

What you can do is just to disable omapi.

Regards

Fabrice



Le 2017-12-20 à 05:12, Luís Torres via PacketFence-users a écrit :
>
> I didn't..., and yes it's a cluster.
>
> Should I use in all the three?
>
>  
>
> dd if=/dev/urandom bs=16 count=1 2>/dev/null | openssl enc -e -base64
>
>
> LT
>
>  
>
> Em 2017-12-20 02:04, Durand fabrice via PacketFence-users escreveu:
>
>> Hello Luís,
>>
>> did you set the OMAPI key in the PacketFence GUI  and restart pfqueue
>> and dhcpd services ?
>>
>> Is it a cluster ?
>>
>> Regards
>>
>> Fabrice
>>
>>  
>>
>>
>> Le 2017-12-15 à 09:41, Luís Torres via PacketFence-users a écrit :
>>>
>>> Hello,
>>>
>>> always getting these errors on the PF. What could be the cause?
>>>
>>>  
>>>
>>> " pfqueue(2025) ERROR: [mac:00:15:5d:02:0e:87] Timeout sending on
>>> OMAPI socket at /usr/local/pf/lib/pf/OMAPI.pm line 252"
>>>
>>> " WARN: [mac:00:17:08:5a:bd:be] Use of uninitialized value in
>>> numeric eq (==) at /usr/local/pf/lib/pf/OMAPI.pm line 287."
>>>
>>> " ec 15 14:40:16 pf01 pfqueue: pfqueue(14740) ERROR:
>>> [mac:b8:86:87:63:d1:fc] Error send auth at
>>> /usr/local/pf/lib/pf/OMAPI.pm line 269.
>>> (pf::ip4log::_get_lease_from_omapi)"
>>>
>>> "pf01 pfqueue: pfqueue(14246) ERROR: [mac:00:15:5d:02:52:1f] Error
>>> send auth at /usr/local/pf/lib/pf/OMAPI.pm line 269."
>>>
>>>  
>>>
>>> Thanks
>>>
>>> LT
>>>
>>>  
>>>
>>>
>>> --
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>
>>>
>>> ___
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>
>  
>
>  
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence doesn't change VLAN after registration

2017-12-15 Thread Fabrice Durand via PacketFence-users
Hello Luca,


What is the deauth method you chose in your switch config ? (Supposed
to be Radius).

What is the deauth port and coa port you defined (1700 / 3799) ?


Can you do a capture of the CoA ? (tshark -i eth0 -f "port 1700 or 3799"
-w /tmp/coa.pcap) and send it to me ?

Regards
Fabrice

Le 2017-12-15 à 09:00, luca comes a écrit :
>
> Hi Fabrice,
>
> sorry I didn't want to offend anybody I only meant I can't understand
> what is going on and hope someone can help. I really appreciate your
> effort and sure after I put my PF in production I think my company will
> buy also support. PF is going to become the access server for all of
> our sites' networks and more or less 1000 users. Going back to the
> problem you centered the issue I can't see any Deauthentication inside
> the log and this is strange. If I force it manually changing the role
> of the node it works fine and then it is moved on the guest VLAN but I
> cannot understand how to debug the problem. I extended the log
> facility to DEBUG but no useful information is sent, is there any
> other thing I can check?
>
>
> Thanks
>
>
> Luca
>
>
>
> ----
> *Da:* Fabrice Durand via PacketFence-users
> 
> *Inviato:* venerdì 15 dicembre 2017 14:46
> *A:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Oggetto:* Re: [PacketFence-users] Packetfence doesn't change VLAN
> after registration
>  
>
> Hello Luca,
>
> if you want faster answer you can buy a support contract with Inverse.
>
> I answer on the mailing list when i have time to do it and most of the
> time i am busy.
>
>
> So the packetfence.log is not complete enough because what is
> interesting is just after and we are supposed to see
> "Deauthenticating ...".
>
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-12-15 à 06:17, luca comes via PacketFence-users a écrit :
>>
>> Hi all,
>>
>> I ask a new question hoping this time someone would answer to me. I'm
>> configuring a guest wireless LAN on Cisco WLC and Packetfence (last
>> version 7.3) on CentOS 7. The authentication on the guest is made
>> with sponsor authorization so the client accesses the guest but is
>> correctly moved on the registration VLAN by PF and the portal is
>> shown to the user. After all the information has been provided
>> correctly the email is sent to the sponsor who can access the link
>> and unlock the user. The problem is that after unlock the user is
>> never moved on the guest VLAN even if it is correctly registered. The
>> role mapping per VLAN ID is correctly configured in the switch
>> configuration, I attach the log cleaned of useless noise. Can someone
>> help to investigate this issue?
>>
>>
>> Thank you in advance 
>>
>>
>> Luca
>>
>>
>> Inviato da Outlook <http://aka.ms/weboutlook>
>>
>>
>>
>
> -- 
> Fabrice Durand
> fdur...@inverse.ca <mailto:fdur...@inverse.ca> ::  +1.514.447.4918 (x135) ::  
> www.inverse.ca <http://www.inverse.ca>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Cisco Catalyst 9300 and 9400 support

2017-12-15 Thread Fabrice Durand via PacketFence-users
Hello,

yes if the ios is not something completely exotic it should be ok.

Regards

Fabrice


Le 2017-12-15 à 06:25, Tomasz Karczewski via PacketFence-users a écrit :
>
> Does it have different cisco ios?
>
>  
>
> Tomasz Karczewski
>
> Administrator Sieci
>
>  
>
> olman
>
>  
>
> tkarczew...@man.olsztyn.pl
>
> http://www.man.olsztyn.pl   http://www.uwm.edu.pl
>
> tel. (89) 523 45 55  fax. (89) 523 43 47
>
>  
>
> Ośrodek Eksploatacji i Zarządzania
>
> Miejską Siecią Komputerową OLMAN w Olsztynie
>
> Uniwersytet Warmińsko-Mazurski w Olsztynie
>
>  
>
> *From:* Jeremy Plumley via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, December 14, 2017 10:35 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Jeremy Plumley 
> *Subject:* [PacketFence-users] Cisco Catalyst 9300 and 9400 support
>
>  
>
> Just reaching out to see if anyone has implemented Packetfence on a
> Cisco Catalyst 9300 or 9400 model switch? This seems to be Cisco’s new
> line that will probably phase out 4500 and 6500 model switches.
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
> E-Mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and shall be disclosed to third
> parties when required by the statutes (G.S. 132-1.)
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence doesn't change VLAN after registration

2017-12-15 Thread Fabrice Durand via PacketFence-users
Hello Luca,

if you want faster answer you can buy a support contract with Inverse.

I answer on the mailing list when i have time to do it and most of the
time i am busy.


So the packetfence.log is not complete enough because what is
interesting is just after and we are supposed to see
"Deauthenticating ...".


Regards

Fabrice



Le 2017-12-15 à 06:17, luca comes via PacketFence-users a écrit :
>
> Hi all,
>
> I ask a new question hoping this time someone would answer to me. I'm
> configuring a guest wireless LAN on Cisco WLC and Packetfence (last
> version 7.3) on CentOS 7. The authentication on the guest is made with
> sponsor authorization so the client accesses the guest but is correctly
> moved on the registration VLAN by PF and the portal is shown to the
> user. After all the information has been provided correctly the
> email is sent to the sponsor who can access the link and unlock the
> user. The problem is that after unlock the user is never moved on the
> guest VLAN even if it is correctly registered. The role mapping per VLAN
> ID is correctly configured in the switch configuration, I attach the
> log cleaned of useless noise. Can someone help to investigate
> this issue?
>
>
> Thank you in advance 
>
>
> Luca
>
>
> Inviato da Outlook 
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Cluster - Portal opening

2017-12-15 Thread Fabrice Durand via PacketFence-users
Hello Luís,

the only solution i can see is to raise the server resources

Regards
Fabrice

Le 2017-12-14 à 10:05, Luís Torres via PacketFence-users a écrit :
>
> Hi mates,
>
>  
>
> is there a way to speed up the opening of the portal webpage? in the
> cluster it takes a few seconds to open it...
>
>  
>
> cheers
>
>  
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Ubiquiti UniFi AP Captive Portal

2017-12-13 Thread Fabrice Durand via PacketFence-users
>  1. One open SSID where users can register their device on the captive
> portal page
>  2. One 802.1X protected SSID with Radius assigned VLAN's and
> mac-address authentication. When the user has registered his or
> her device they now can connect to this protected SSID.
>
> Best regards,
> Geert
>
> 2017-12-12 23:53 GMT+01:00 Timothy Mullican via PacketFence-users
> <packetfence-users@lists.sourceforge.net>:
>
> Fabrice,
> I am running UniFi controller version 5.6.22 and UniFi AP-AC-Pro
> firmware 3.9.3.7537, both of which should be the latest. It
> appears that the Radius assigned VLAN option only shows up as an
> option in the UniFi controller when you choose WPA Enterprise. You
> can see screenshots of my setup below:
>
> https://i.imgsafe.org/05/05bb81f5b4.png
> https://i.imgsafe.org/05/05bbd86ab4.png
> https://i.imgsafe.org/05/05bbb5eafe.png
> https://i.imgsafe.org/05/05bbc22129.png
>
> The running config from the UniFi AP is also available at:
>
> https://pastebin.com/Zz0cRLSM
>
> Thanks!
> On Tuesday, December 12, 2017 10:13:36 AM CST,
> Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
>
> You probably have to update the controller version.
>
>
>
> Le 2017-12-12 à 10:30, Timothy Mullican via PacketFence-users a
> écrit :
> Fabrice,
> On the UniFi controller the “Use dynamic VLAN assignment” option
> only shows up on SSIDs using 802.1x. Is there any way to also use
> dynamic vlan assignment on open SSIDs? For open networks it only
> lets me specify a static VLAN to use. 
>
> Thanks!
>
> Sent from mobile phone
>
> On Dec 12, 2017, at 07:41, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Timothy,
>
> you must enable that:
>
> https://raw.githubusercontent.com/inverse-inc/packetfence/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png
>
> Regards
>
> Fabrice
>
>
> Le 2017-12-12 à 01:37, Timothy Mullican via PacketFence-users a
> écrit :
> Hello all,
> I am trying to setup a proof of concept using an Ubiquiti UniFi
> UAP-PRO with the following setup:
>
> Cisco 3560-E L3 Switch
> UniFi UAP-PRO
> UniFi Controller running on CentOS 7.3 (docker) on ESXi
> PacketFence running on CentOS 7.3 on ESXi
>
> The Cisco switch has the following VLANs:
> VLAN 2 - registration
> VLAN 3 - isolation 
> VLAN 4 - guest
> VLAN 10 - enterprise
> VLAN 20 - wireless
> VLAN 100 - out of band management
>
> I have created two SSIDs on the UniFi AP, a secure 802.1x SSID and
> an open SSID. I was able to apply the patch available
> at https://github.com/inverse-inc/packetfence/pull/2735 to enable
> 802.1x for the secure network and this is working correctly.
> However, for the open guest SSID, I am trying to do a captive
> portal with dynamic vlan assignment. The user would initially be
> placed in the registration vlan (2) and then moved to another vlan
> based on their user role (vlan 4 or 10). Both the UniFi controller
> VM and the UniFi AP are in VLAN 20. On the UniFi controller,
> dynamic VLAN assignment appears to only be an option under 802.1x
> networks, otherwise you must choose a static VLAN. I saw the
> external captive portal setup for the UniFi under the PacketFence
> Network Devices documentation, but I don’t believe this supports
> dynamic VLAN assignment. Does anyone know of any way to do dynamic
> VLAN assignment on an open wireless network with the UniFi AP, or
> have any suggestions?
>
> Thanks!
>
>

Re: [PacketFence-users] Cluster - no dhcp

2017-12-12 Thread Fabrice Durand via PacketFence-users
Just on one of them, right ?

If it's the case then it's normal.


Le 2017-12-12 à 14:22, Luís Torres via PacketFence-users a écrit :
>
> Hi mates,
>
>  
>
> managed to recover the cluster but now the dhcp won't start. Gives me
> the error:
>
>  
>
> /usr/local/pf/bin/pfcmd service dhcpd restart
> service|command
> dhcpd|already stopped
> Service 'dhcpd' is not managed by PacketFence. Therefore, no action
> will be performed
>
>  
>
> What could be?
>
>  
>
> Regards
>
> LT
>
>  
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Ubiquiti UniFi AP Captive Portal

2017-12-12 Thread Fabrice Durand via PacketFence-users
You probably have to update the controller version.



Le 2017-12-12 à 10:30, Timothy Mullican via PacketFence-users a écrit :
> Fabrice,
> On the UniFi controller the “Use dynamic VLAN assignment” option only
> shows up on SSIDs using 802.1x. Is there any way to also use dynamic
> vlan assignment on open SSIDs? For open networks it only lets me
> specify a static VLAN to use. 
>
> Thanks!
>
> Sent from mobile phone
>
> On Dec 12, 2017, at 07:41, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Timothy,
>>
>> you must enable that:
>>
>> https://raw.githubusercontent.com/inverse-inc/packetfence/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png
>>
>> Regards
>>
>> Fabrice
>>
>>
>> Le 2017-12-12 à 01:37, Timothy Mullican via PacketFence-users a écrit :
>>> Hello all,
>>> I am trying to setup a proof of concept using an Ubiquiti UniFi
>>> UAP-PRO with the following setup:
>>>
>>> Cisco 3560-E L3 Switch
>>> UniFi UAP-PRO
>>> UniFi Controller running on CentOS 7.3 (docker) on ESXi
>>> PacketFence running on CentOS 7.3 on ESXi
>>>
>>> The Cisco switch has the following VLANs:
>>> VLAN 2 - registration
>>> VLAN 3 - isolation 
>>> VLAN 4 - guest
>>> VLAN 10 - enterprise
>>> VLAN 20 - wireless
>>> VLAN 100 - out of band management
>>>
>>> I have created two SSIDs on the UniFi AP, a secure 802.1x SSID and
>>> an open SSID. I was able to apply the patch available
>>> at https://github.com/inverse-inc/packetfence/pull/2735 to enable
>>> 802.1x for the secure network and this is working correctly.
>>> However, for the open guest SSID, I am trying to do a captive portal
>>> with dynamic vlan assignment. The user would initially be placed in
>>> the registration vlan (2) and then moved to another vlan based on
>>> their user role (vlan 4 or 10). Both the UniFi controller VM and the
>>> UniFi AP are in VLAN 20. On the UniFi controller, dynamic VLAN
>>> assignment appears to only be an option under 802.1x networks,
>>> otherwise you must choose a static VLAN. I saw the external captive
>>> portal setup for the UniFi under the PacketFence Network Devices
>>> documentation, but I don’t believe this supports dynamic VLAN
>>> assignment. Does anyone know of any way to do dynamic VLAN
>>> assignment on an open wireless network with the UniFi AP, or have
>>> any suggestions?
>>>
>>> Thanks!
>>>
>>
>> -- 
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org) 
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Can PF return multiple VLANs in one time ?

2017-12-12 Thread Fabrice Durand via PacketFence-users
Hello Yan,

you need to patch packetfence:

cd /usr/local/pf

curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2530.diff | patch -p1

Then restart all the services.

On the Ruckus side I don't know, I have no documentation.

Btw if you have screenshots of how to set the role on the Ruckus side, it
will be a pleasure for me to add them to the pull request in order to
merge it into the main code.

Regards

Fabrice




On 2017-12-11 at 22:41, Yan wrote:
> Hi Fabrice,
> That's great.
> So how can I use this feature?
> Should I update some module first ?
>
>
> -- Original --
> *From:* packetfence-users 
> *Date:* Dec 12, 2017 11:36
> *To:* packetfence-users 
> *Cc:* Durand fabrice 
> *Subject:* Re: [PacketFence-users] Can PF return multiple VLANs in one
> time ?
>
> Hello Yan,
>
> yes it can return a role but the code hasn't been merged yet. (it is missing
> documentation about the Ruckus configuration)
>
> https://github.com/inverse-inc/packetfence/pull/2530
>
> Regards
>
> Fabrice
>
>
>
> On 2017-12-11 at 22:30, Yan via PacketFence-users wrote:
>> Hi users,
>> One of our offices uses Ruckus AC. And there are 3 normal
>> VLANs (25,26,27) used in this office. We have not used dynamic VLAN
>> assignment yet.
>> Can PF return 3 VLANs or return a VLAN group to Ruckus and then
>> Ruckus randomly chooses one VLAN and assigns it to the user?
>>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Ubiquiti UniFi AP Captive Portal

2017-12-12 Thread Fabrice Durand via PacketFence-users
Hello Timothy,

you must enable that:

https://raw.githubusercontent.com/inverse-inc/packetfence/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png

Regards

Fabrice


On 2017-12-12 at 01:37, Timothy Mullican via PacketFence-users wrote:
> Hello all,
> I am trying to set up a proof of concept using an Ubiquiti UniFi
> UAP-PRO with the following setup:
>
> Cisco 3560-E L3 Switch
> UniFi UAP-PRO
> UniFi Controller running on CentOS 7.3 (docker) on ESXi
> PacketFence running on CentOS 7.3 on ESXi
>
> The Cisco switch has the following VLANs:
> VLAN 2 - registration
> VLAN 3 - isolation 
> VLAN 4 - guest
> VLAN 10 - enterprise
> VLAN 20 - wireless
> VLAN 100 - out of band management
>
> I have created two SSIDs on the UniFi AP, a secure 802.1x SSID and an
> open SSID. I was able to apply the patch available
> at https://github.com/inverse-inc/packetfence/pull/2735 to enable
> 802.1x for the secure network and this is working correctly. However,
> for the open guest SSID, I am trying to do a captive portal with
> dynamic vlan assignment. The user would initially be placed in the
> registration vlan (2) and then moved to another vlan based on their
> user role (vlan 4 or 10). Both the UniFi controller VM and the UniFi
> AP are in VLAN 20. On the UniFi controller, dynamic VLAN assignment
> appears to only be an option under 802.1x networks, otherwise you must
> choose a static VLAN. I saw the external captive portal setup for the
> UniFi under the PacketFence Network Devices documentation, but I don’t
> believe this supports dynamic VLAN assignment. Does anyone know of any
> way to do dynamic VLAN assignment on an open wireless network with the
> UniFi AP, or have any suggestions?
>
> Thanks!
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Wireless hotspot creation - help

2017-12-12 Thread Fabrice Durand via PacketFence-users
Ok so it should work with coovachilli on openwrt.

There is a module in PacketFence for that.

Regards

Fabrice



On 2017-12-12 at 07:36, Luca Fois via PacketFence-users wrote:
> Hi;
>
> Thanks for your quick reply
> I will use a ubiquiti picostation m2 with openwrt.
>
> I think it's better than airos for my purpose.
>
> The vps has a static IP but my modem not.
>
> So I think i will use openvpn.
>
> Thanks again 
>
> Luca
>
> On 12 Dec 2017 03:25, "Durand fabrice via PacketFence-users" wrote:
>
> Hello Luca,
>
> it depends if your AP supports web redirection.
>
> What is the type of your AP ?
>
> Regards
>
> Fabrice
>
>
>
> On 2017-12-10 at 13:15, Luca Fois via PacketFence-users wrote:
>> Hi all,
>>
>> I would like to set up a free wireless hotspot.
>>
>> The ap is on my own home network but i would like to run
>> packetfence, radius, db and captive portal on a vps.
>>
>> Anyone here could share his tips? 
>>
>> Here my network:
>>
>> AP --> modem -- VPS ( that should be used for all the services ).
>>
>> Thanks,
>>
>> Luca
>>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] PKI installation

2017-12-12 Thread Fabrice Durand via PacketFence-users
Just change the owner of the sqlite file to pf and it should be ok.

Btw all these steps are made in the packaging, so it probably failed or
never finished correctly.

I will do a test on my side.

Regards

Fabrice



On 2017-12-12 at 03:47, E.P. wrote:
>
> Well, we are getting closer ;)
>
> Ran the python script to migrate the database it completed
>
>  
>
> [root@PacketFence-ZEN packetfence-pki]# python manage.py migrate
> Operations to perform:
>   Synchronize unmigrated apps: staticfiles, rest_framework, messages, bootstrap3
>   Apply all migrations: authtoken, sessions, admin, auth, contenttypes, pki
> Synchronizing apps without migrations:
>   Creating tables...
>     Running deferred SQL...
>   Installing custom SQL...
> Running migrations:
>   Rendering model states... DONE
>   Applying contenttypes.0001_initial... OK
>   Applying auth.0001_initial... OK
>   Applying admin.0001_initial... OK
>   Applying contenttypes.0002_remove_content_type_name... OK
>   Applying auth.0002_alter_permission_name_max_length... OK
>   Applying auth.0003_alter_user_email_max_length... OK
>   Applying auth.0004_alter_user_username_opts... OK
>   Applying auth.0005_alter_user_last_login_null... OK
>   Applying auth.0006_require_contenttypes_0002... OK
>   Applying authtoken.0001_initial... OK
>   Applying pki.0001_initial... OK
>   Applying sessions.0001_initial... OK
>
>  
>
> But the attempt to login to PKI failed again, now with a different
> error message:
>
>  
>
> 
>
> OperationalError at /
>
> attempt to write a readonly database
>
> *Request Method:* POST
> *Request URL:* https://192.168.2.25:9393/
> *Django Version:* 1.8.1
> *Exception Type:* OperationalError
> *Exception Value:* attempt to write a readonly database
> *Exception Location:* /usr/lib/python2.7/site-packages/django/db/backends/sqlite3/base.py
> in execute, line 318
> *Python Executable:* /bin/python
> *Python Version:* 2.7.5
> *Python Path:*
> ['/usr/lib64/python27.zip',
>  '/usr/lib64/python2.7',
>  '/usr/lib64/python2.7/plat-linux2',
>  '/usr/lib64/python2.7/lib-tk',
>  '/usr/lib64/python2.7/lib-old',
>  '/usr/lib64/python2.7/lib-dynload',
>  '/usr/lib64/python2.7/site-packages',
>  '/usr/lib/python2.7/site-packages',
>  '/usr/local/packetfence-pki',
>  '/usr/local/packetfence-pki/inverse']
> *Server time:* Tue, 12 Dec 2017 08:45:28 +
>
> 
>
>  
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Monday, December 11, 2017 7:20 PM
> *To:* E.P.; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> Looks like the db hasn't been initialized, can you do that in
> /usr/local/packetfence-pki
>
> rm db3.sqlite
>
> python manage.py migrate
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-12-11 at 21:55, E.P. wrote:
>
> I was a bit premature with my report that it worked ;)
>
> After logging into the PKI page I ended up with this error:
>
>  
>
> OperationalError at /
>
> no such table: pki_ca
>
> *Request Method:* POST
> *Request URL:* https://192.168.2.25:9393/
> *Django Version:* 1.8.1
> *Exception Type:* OperationalError
> *Exception Value:* no such table: pki_ca
> *Exception Location:* /usr/lib/python2.7/site-packages/django/db/backends/sqlite3/base.py
> in execute, line 318
> *Python Executable:* /bin/python
> *Python Version:* 2.7.5
> *Python Path:*
> ['/usr/lib64/python27.zip',
>  '/usr/lib64/python2.7',
>  '/usr/lib64/python2.7/plat-linux2',
>  '/usr/lib64/python2.7/lib-tk',
>  '/usr/lib64/python2.7/lib-old',
>  '/usr/lib64/python2.7/lib-dynload',
>  '/usr/lib64/python2.7/site-packages',
>  '/usr/lib/python2.7/site-packages',
>  '/usr/local/packetfence-pki',
>  '/usr/local/packetfence-pki/inverse']
> *Server time:* Tue, 12 Dec 2017 02:53:21 +
>
>  
>
>  
>
> And there’s a whole lot of traceback that I can show but it will
> make this post unreadable
>
>  
>
>  
>
> *From:*E.P. [mailto:ype...@gmail.com]
> *Sent:* Monday, December 11, 2017 6:52 PM
> *To:* 'Durand fabrice'; 'packetfence-users@lists.sourceforge.net'
> *Subject:* RE: [PacketFence-users] PKI installation
>
>  
>
> Hm…
>
> I was stubbornly persisting on this service showing in the output
> of netstat.
>
> But now I can hav
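
A check for the "attempt to write a readonly database" error that Fabrice's reply addresses by making pf the owner of the SQLite file. This is an added example (Python 3), not code from the thread or from PacketFence: SQLite also creates its rollback journal beside the database, so the directory has to be writable by the same account. The account name pf comes from the thread; the function names and the path argument are assumptions.

```python
"""Explain why an account cannot write a SQLite database file.

Added diagnostic, not PacketFence code. It models the classic Unix
owner/group/other permission check; ACLs, SELinux and read-only mounts
are not considered.
"""
import os
import pwd
import stat
import sys

WRITE, SEARCH = 2, 1  # permission bits inside one rwx triplet


def _allowed(st, uid, gids, want):
    """True if uid (member of group ids gids) holds all `want` bits on st."""
    if uid == 0:
        return True  # root is not restricted by mode bits for write/search
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7   # owner triplet
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7   # group triplet
    else:
        bits = st.st_mode & 7          # other triplet
    return bits & want == want


def write_blockers(db_path, uid, gids):
    """Return the reasons (possibly none) why uid cannot write the database."""
    db_path = os.path.abspath(db_path)
    directory = os.path.dirname(db_path)
    problems = []
    st = os.stat(db_path)
    if not _allowed(st, uid, gids, WRITE):
        problems.append("file: %s is owned by uid %d with mode %04o"
                        % (db_path, st.st_uid, stat.S_IMODE(st.st_mode)))
    # SQLite creates "<db>-journal" next to the database for each write
    # transaction, so the directory needs write and search permission too.
    st = os.stat(directory)
    if not _allowed(st, uid, gids, WRITE | SEARCH):
        problems.append("directory: %s is owned by uid %d with mode %04o"
                        % (directory, st.st_uid, stat.S_IMODE(st.st_mode)))
    return problems


def write_blockers_for_user(db_path, username):
    """Same check, looking the account up in the local user database."""
    entry = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, entry.pw_gid))
    return write_blockers(db_path, entry.pw_uid, gids)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_db_owner.py /path/to/sqlite-file [user]")
    user = sys.argv[2] if len(sys.argv) > 2 else "pf"  # account named in the thread
    for line in write_blockers_for_user(sys.argv[1], user) or ["ok: %s can write" % user]:
        print(line)
```
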

Re: [PacketFence-users] PKI installation

2017-12-11 Thread Fabrice Durand via PacketFence-users
Ok so can you try that:

yum install python-django-rest-framework python-django-bootstrap3 --enablerepo=packetfence,packetfence-extra


On 2017-12-11 at 16:25, E.P. wrote:
>
> Thank you, Fabrice !
>
> I found this advice earlier, built the cache, no luck, same results:
>
>  
>
> [root@PacketFence-ZEN ~]# yum makecache --enablerepo=packetfence,packetfence-extra
>
> Metadata Cache Created
>
> [root@PacketFence-ZEN ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
>
> --> Finished Dependency Resolution
> Error: Package: packetfence-pki-1.1.1-1.el7.centos.noarch (packetfence-extra)
>    Requires: python-django-rest-framework
> Error: Package: packetfence-pki-1.1.1-1.el7.centos.noarch (packetfence-extra)
>    Requires: python-django-bootstrap3
>
>  
>
> Eugene
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Monday, December 11, 2017 1:21 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] PKI installation
>
>  
>
> Hello Eugene,
>
> can you try:
>
> yum makecache --enablerepo=packetfence,packetfence-extra
>
> yum install packetfence-pki --enablerepo=packetfence-extra,packetfence
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-12-11 at 16:03, E.P. via PacketFence-users wrote:
>
> Hi guys,
>
> I’m trying to follow the guide published here:
>
>  
>
> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
>
>  
>
> My setup is based on ZEN virtual appliance and I understand it
> runs CentOS 7 Linux.
>
> Now when I’m trying to install packetfence-pki package as in step
> 3.1.6 of the above guide I end up with dependency error, e.g.
>
>  
>
> [root@PacketFence-ZEN ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
>
> --> Finished Dependency Resolution
> Error: Package: packetfence-pki-1.1.1-1.el7.centos.noarch (packetfence-extra)
>    Requires: python-django-rest-framework
> Error: Package: packetfence-pki-1.1.1-1.el7.centos.noarch (packetfence-extra)
>    Requires: python-django-bootstrap3
>
>  
>
> I tried to look for any solution of this error in the mail archive
> but can’t see anything meaningful or helpful.
>
> Anyone please advise, will very much appreciate it!
>
>  
>
>  
>
> -- 
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] PKI installation

2017-12-11 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

can you try:

yum makecache --enablerepo=packetfence,packetfence-extra

yum install packetfence-pki --enablerepo=packetfence-extra,packetfence

Regards

Fabrice



On 2017-12-11 at 16:03, E.P. via PacketFence-users wrote:
>
> Hi guys,
>
> I’m trying to follow the guide published here:
>
>  
>
> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
>
>  
>
> My setup is based on ZEN virtual appliance and I understand it runs
> CentOS 7 Linux.
>
> Now when I’m trying to install packetfence-pki package as in step
> 3.1.6 of the above guide I end up with dependency error, e.g.
>
>  
>
> [root@PacketFence-ZEN ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
>
> --> Finished Dependency Resolution
> Error: Package: packetfence-pki-1.1.1-1.el7.centos.noarch (packetfence-extra)
>    Requires: python-django-rest-framework
> Error: Package: packetfence-pki-1.1.1-1.el7.centos.noarch (packetfence-extra)
>    Requires: python-django-bootstrap3
>
>  
>
> I tried to look for any solution of this error in the mail archive but
> can’t see anything meaningful or helpful.
>
> Anyone please advise, will very much appreciate it!
>
>  
>
>  
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] PoC: Social Login from Captive Portal and Firewall (Checkpoint) Enforcement

2017-12-08 Thread Fabrice Durand via PacketFence-users


On 2017-12-08 at 09:45, Benoît Dubé via PacketFence-users wrote:
>
> Thank you very much, Fabrice,
>
>
> When external users are redirected to the PacketFence portal, IP
> packets contain the user's IP.  I can install the DHCP remote sensor
> on the server, but question is why to do that if the IP info is
> already known by PacketFence?
>
>
Because for PacketFence a device is a MAC address, not an IP.
If you hit the portal and PacketFence is not able to map an IP to a MAC
then you will have an error message on the portal.

> Note: DNS, DHCP and AD will always be available to unregistered users
> with a policy on Checkpoint.
>
>
> About the switch module for the fw to parse the IP address. Since the
> original session goes to the fw and the redirected one goes to the
> Packetfence both containing the user's IP within the IP packet, isn't
> the PacketFence able to grab the IP address directly from the session
> with the portal.
>
It's just because we need to be able to parse the URL to fetch the IP
information; for some other vendor it can be ?DEVICEIP=1.2.3.4, for
Checkpoint it can be ?IPDEVICE=1.2.3.4
Also at the end of the registration the switch module needs to know how
to tell the fw that the device is registered, and I think it can be with
a Firewall SSO request.
>
>
> About Oauth, I understand that user must be able to access Oauth
> authorization server, which is easily possible through Checkpoint. Hope
> that the access token provided by auth provider to the client
> (PacketFence) be enough to authenticate the user and process to the
> sponsorship and eventually to inform the FW to give the rights to
> access internal resources.
>
>
> Sponsor access without Oauth ??  I understand here that user can
> access with a locally defined credential instead of social credential.
> Is it what you are referring to? 
>
> I understand that the user can choose any login name/password during
> the registration phase and be sponsored by an employee and if accesses
> permitted by the sponsor, user will be granted access with the defined
> login/passwd. Right ?
>
Sponsor access is like that:
I am a guest and connect to the open SSID, I hit the portal and
PacketFence asks me for my email address and the email address of an
employee (who is allowed to be a sponsor because he is a member of an AD
group, for example).
When I validate the form, the sponsor receives an email to ask him if
we want to allow me to access the network, so he clicks on the link
and hits a page on the PacketFence server.
He puts in his AD credentials and after that my device is allowed to reach
the internet.
So no need to have a username and password, you just need to know an employee.
Regards
Fabrice


>
>
>
> Sent from Outlook
>
>
>
> 
> *From:* Durand fabrice via PacketFence-users
> *Sent:* December 7, 2017 22:32
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] PoC: Social Login from Captive
> Portal and Firewall (Checkpoint) Enforcement
>  
>
> Ok so you will need to send a copy of the dhcp traffic to the pf
> server, if you can install the DHCP remote sensor on the dhcp server.
>
> Next step will be to have a switch module for the Checkpoint firewall
> (not a big deal) in order to parse the ip address in the url.
>
> Also try first the sponsor access instead of Oauth (Oauth need
> internet access for the device).
>
>
> Regards
>
> Fabrice
>
>
>
> On 2017-12-07 at 22:18, Benoît Dubé via PacketFence-users wrote:
>>
>> It's the Checkpoint who does the redirection for URL traffic. The
>> firewall is located at the entrance of the datacenter and every users
>> located in different sites in the province pass through it. Then,
>> it's all layer 3 (IP). There is no MAC address that Checkpoint nor
>> Packetfence can be aware of. I don't know which parameters are
>> attached to the redirected URL, at least the original URL, since I
>> have to setup the PoC.
>>
>>
>> Unfortunately, I don't find any reference with the specific setup
>> that we plan. All information are based on traditional NAC setup,
>> where a controller dynamically modified VLAN configurations on edge
>> switches. In our case, the enforcement should be done at the IP layer
>> and applied by the fw. Checkpoint provide a captive portal but it
>> isn't able to authenticate against external sources (Google,
>> Facebook, etc). My customer doesn't want to provide accounts for the
>> consultants or any other temporary personal on their own AD.
>>
>>
>> I have the same challenge with ClearPass that I must test.
>>
>>
>> Thank you, Fabrice
>>
>>
>> Benoît
>>
>>
>>
>> 
>> *From:* Durand fabrice via PacketFence-users
>> *Sent:* December 7, 2017 21:09
>> *To:* packetfence-users@lists.sourceforge.net
>> 
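
The two steps Fabrice describes in this message, reading the client IP from the firewall's redirect URL and then mapping that IP to a MAC, as an added Python 3 example that is not PacketFence code. The parameter names IPDEVICE and DEVICEIP are the illustrations from his reply, not confirmed firewall parameters; the portal host, the DHCP log lines and all function names are constructed or assumed, with ISC dhcpd DHCPACK lines standing in for the DHCP traffic the remote sensor would forward.

```python
"""Resolve a redirected captive-portal client to a MAC address."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Names used as illustrations in the thread; the real name depends on what
# the firewall appends to the redirect URL.
IP_PARAM_BY_VENDOR = {"checkpoint": "IPDEVICE", "other": "DEVICEIP"}

# ISC dhcpd syslog form: "DHCPACK on <ip> to <mac> ..."
ACK_RE = re.compile(
    r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed sample: 10.1.2.3 is leased to one device, then to another.
SAMPLE_DHCP_LOG = [
    "Dec  8 09:00:01 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to aa:bb:cc:00:00:01 via eth0",
    "Dec  8 09:00:07 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:09 via eth0",
    "Dec  8 09:05:30 dhcp1 dhcpd: DHCPACK on 10.1.2.4 to aa:bb:cc:00:00:03 via eth0",
    "Dec  8 11:42:10 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to AA:BB:CC:00:00:02 via eth0",
]


class PortalError(Exception):
    """The request cannot be tied to a device, so registration must stop."""


def client_ip(url, vendor):
    """Extract and validate the client IP the firewall put in the URL."""
    param = IP_PARAM_BY_VENDOR[vendor]
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        # Missing or repeated parameter: do not guess which one is meant.
        raise PortalError("expected one %s parameter, got %d" % (param, len(values)))
    try:
        return ipaddress.ip_address(values[0])
    except ValueError:
        raise PortalError("%s is not an IP address: %r" % (param, values[0]))


def leases_from_dhcp_log(lines):
    """Build an IP -> MAC table; a later DHCPACK replaces an earlier one."""
    leases = {}
    for line in lines:
        match = ACK_RE.search(line)
        if match:
            leases[ipaddress.ip_address(match.group(1))] = match.group(2).lower()
    return leases


def mac_for_request(url, vendor, leases):
    """Return the MAC for the redirected client or raise PortalError."""
    ip = client_ip(url, vendor)
    try:
        return leases[ip]
    except KeyError:
        raise PortalError("no DHCP lease seen for %s, cannot map IP to MAC" % ip)


if __name__ == "__main__":
    table = leases_from_dhcp_log(SAMPLE_DHCP_LOG)
    url = "https://portal.example/captive-portal?IPDEVICE=10.1.2.3"
    print(mac_for_request(url, "checkpoint", table))
```
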

Re: [PacketFence-users] Aruba Switch Network Configuration

2017-12-06 Thread Fabrice Durand via PacketFence-users
Hello Jeremy,

does the Aruba switch run Aruba OS or is it something like HP OS?

Regards

Fabrice



On 2017-12-06 at 09:07, Jeremy Plumley via PacketFence-users wrote:
>
> I’m looking into possibly replacing some of our access layer switch
> needs with Aruba Networks switches. I notice in 7.2.0 there is an
> option for Aruba Switches but I see no documentation for the commands
> to run on the Network Configuration documentation. Has anyone
> configured an Aruba Switch using Packetfence and willing to share the
> configuration they used? Thanks.
>
>  
>
> *Jeremy Plumley,*
>
> ITS Network Administrator
>
> Guilford Technical Community College
>
> Applied Technologies, Rm #249
>
> Jamestown Campus, 601 E. Main Street, Jamestown, NC 27282
>
> E-mail: _jmplum...@gtcc.edu _
>
> Direct: 336.334.4822 ext 50024
>
> Mailing Address: PO Box 309, Jamestown, NC 27282
>
> *www.gtcc.edu* 
>
> */Supporting success through innovative education, training, and
> partnerships/*
>
>  
>
> E-Mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and shall be disclosed to third
> parties when required by the statutes (G.S. 132-1.)

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] VLAN filter rule to temporarily allow specific switch

2017-11-29 Thread Fabrice Durand via PacketFence-users
Hello Yan,

you also need to register the device.

so something like that:

[pf_ssid]
filter = ssid
operator = is
value = PF-Wireless

[SG1_switch]
filter = switch._ip
operator = is
value = 172.11.5.121

[reg_by_switch:pf_ssid&SG1_switch]
scope = RegistrationRole
action = modify_node
action_param = mac = $mac, status = reg, category=employees
role = employees

Regards
Fabrice

On 2017-11-29 at 09:24, Yan via PacketFence-users wrote:
> Hi users,
>
> I want to add a VLAN filter rule to temporarily pass one specific
> switch (IP 172.11.5.121) and keep the others as normal. Is below rule
> okay to do this ?
>
>
> [pf_ssid]
> filter = ssid
> operator = is
> value = PF-Wireless
>
> [SG1_switch]
> filter = switch._ip
> operator = is
> value = 172.11.5.121
>
> [reg_by_switch:pf_ssid&SG1_switch]
> scope = RegistrationRole
> action = modify_node
> action_param = mac = $mac
> role = employees

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
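
A lint that encodes the point of this reply, as an added Python 3 example that is not PacketFence code: a RegistrationRole rule that uses modify_node should also set status = reg, and every condition named after the colon in a rule header should be defined. The rule text is copied from the two messages above; the function names are assumptions and the checks cover only the syntax shown in this thread.

```python
"""Lint the vlan filter rules discussed in this thread."""
import configparser
import re

# Condition sections shared by both versions of the rule (from the thread).
CONDITIONS = """
[pf_ssid]
filter = ssid
operator = is
value = PF-Wireless

[SG1_switch]
filter = switch._ip
operator = is
value = 172.11.5.121
"""

# The rule as first posted by Yan.
YAN_RULES = CONDITIONS + """
[reg_by_switch:pf_ssid&SG1_switch]
scope = RegistrationRole
action = modify_node
action_param = mac = $mac
role = employees
"""

# The rule as corrected in Fabrice's reply.
FABRICE_RULES = CONDITIONS + """
[reg_by_switch:pf_ssid&SG1_switch]
scope = RegistrationRole
action = modify_node
action_param = mac = $mac, status = reg, category=employees
role = employees
"""


def parse_action_param(text):
    """'mac = $mac, status = reg' -> {'mac': '$mac', 'status': 'reg'}"""
    params = {}
    for part in text.split(","):
        key, _, value = part.partition("=")
        if key.strip():
            params[key.strip()] = value.strip()
    return params


def lint(text):
    """Return (rule name, problem) pairs for the rules in `text`."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    # Sections without ':' define conditions; 'name:expr' sections are rules.
    conditions = {s for s in parser.sections() if ":" not in s}
    findings = []
    for section in parser.sections():
        if ":" not in section:
            continue
        name, _, expr = section.partition(":")
        for ref in re.findall(r"[A-Za-z_]\w*", expr):
            if ref not in conditions:
                findings.append((name, "undefined condition " + ref))
        rule = parser[section]
        if rule.get("scope") == "RegistrationRole" and rule.get("action") == "modify_node":
            params = parse_action_param(rule.get("action_param", ""))
            if params.get("status") != "reg":
                findings.append((name, "action_param does not set status = reg"))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", YAN_RULES), ("as corrected", FABRICE_RULES)):
        print(label, lint(text) or "no findings")
```
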



Re: [PacketFence-users] Violation 1300003 force-closed after successful Captive Portal Authentication

2017-11-28 Thread Fabrice Durand via PacketFence-users
xObQOhRe91zdyACmYVHMFWfBvhsabyZriPfB46EzhVZSgg";
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8
> (KHTML, like Gecko)" 602216
> Nov 28 16:47:26 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:25 -0500] "packetfence.domain.com"
> "GET /captive-portal HTTP/1.1" 302
> 321
> "https://accounts.google.com/signin/challenge/totp/2?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Fclient_id%3D850332612794-ls8srlkmlb2loojnfaqb1iua6s36d3b6.apps.googleusercontent.com%26response_type%3Dcode%26scope%3Dhttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%26redirect_uri%3Dhttps%3A%2F%2Fpacketfence.domain.com%2Foauth2%2Fcallback%26from_login%3D1%26as%3D575c66b6f481fd8d&sarp=1&scc=1&TL=AHnYQLye-ptRGy_nIl3qxac-UB_bt9HflplUyfjvTPzHaQD4LLRGP-OB_bzNIZvBoTT4akR3AL6ntBfu9-vMXOZ8ZHbWrgQXkdF1qG2lbSCOlX0BvcGlxObQOhRe91zdyACmYVHMFWfBvhsabyZriPfB46EzhVZSgg";
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8
> (KHTML, like Gecko)" 131640
> Nov 28 16:47:26 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:26 -0500] "packetfence.domain.com"
> "GET /access HTTP/1.1" 200 4868 "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8
> (KHTML, like Gecko)" 139113
> Nov 28 16:47:26 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:26 -0500] "192.168.2.223" "GET
> /Ruckus?sip=192.168.2.100&mac=58b63311d5e0&client_mac=60f81dc3e758&uip=192.168.2.126&lid=&dn=ZoneDirector218.domain.com&url=http%3a%2f%2fcaptive.apple.com%2fhotspot%2ddetect.html&ssid=domain%5fPF&loc=Engineering+Outside+Pompador&vlan=10
> HTTP/1.0" 302 1567 "-" "CaptiveNetworkSupport-346.50.1 wispr" 32425
> Nov 28 16:47:26 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:26 -0500] "192.168.2.223" "GET
> /captive-portal?destination_url=http://captive.apple.com/hotspot-detect.html&sip=192.168.2.100&mac=58b63311d5e0&client_mac=60f81dc3e758&uip=192.168.2.126&lid=&dn=ZoneDirector218.domain.com&url=http%3a%2f%2fcaptive.apple.com%2fhotspot%2ddetect.html&ssid=domain%5fPF&loc=Engineering+Outside+Pompador&vlan=10
> HTTP/1.0" 200 2511 "-" "CaptiveNetworkSupport-346.50.1 wispr" 165176
>
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "GET
> /Ruckus?sip=192.168.2.100&mac=58b63311d5e0&client_mac=60f81dc3e758&uip=192.168.2.126&lid=&dn=ZoneDirector218.domain.com&url=https%3a%2f%2fwww.domain.com%2f&ssid=domain%5fPF&loc=Engineering+Outside+Pompador&vlan=10
> HTTP/1.1" 302 1503 "http://packetfence.domain.com/access" "Mozilla/5.0
> (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like
> Gecko)" 39711
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "GET
> /captive-portal?destination_url=https://www.domain.com/&sip=192.168.2.100&mac=58b63311d5e0&client_mac=60f81dc3e758&uip=192.168.2.126&lid=&dn=ZoneDirector218.domain.com&url=https%3a%2f%2fwww.domain.com%2f&ssid=domain%5fPF&loc=Engineering+Outside+Pompador&vlan=10
> HTTP/1.1" 200 2511 "http://packetfence.domain.com/access" "Mozilla/5.0
> (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like
> Gecko)" 179506
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "GET
> /Ruckus?sip=192.168.2.100&mac=58b63311d5e0&client_mac=60f81dc3e758&uip=192.168.2.126&lid=&dn=ZoneDirector218.domain.com&url=http%3a%2f%2fcaptive.apple.com%2fhotspot%2ddetect.html&ssid=domain%5fPF&loc=Engineering+Outside+Pompador&vlan=10
> HTTP/1.0" 302 1567 "-" "CaptiveNetworkSupport-346.50.1 wispr" 41387
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "POST
> /record_destination_url HTTP/1.1" 200 -
> "http://192.168.2.223/captive-portal?destination_url=https://www.domain.com/&sip=192.168.2.100&mac=58b63311d5e0&client_mac=60f81dc3e758&

Re: [PacketFence-users] Violation 1300003 force-closed after successful Captive Portal Authentication

2017-11-28 Thread Fabrice Durand via PacketFence-users
Hello Ricardo,

i am not seeing what is wrong but it's not supposed to have that in the
log: Can't re-evaluate access because no open locationlog entry was found

Can you put the portal in debug mode ?

conf/log.conf.d/httpd.portal.conf:

### httpd.portal logger ###
log4perl.rootLogger = INFO, HTTPD_PORTAL

Regards

Fabrice



On 2017-11-27 at 12:02, Ricardo Underwood via PacketFence-users wrote:
> Hello,
>
> Is there anyone that can give me a hand, a hint or a lead on this
> matter, I really need to figure out what the problem is.
>
> Thanks in advance,
>
> Ricardo Underwood
>
> On Wed, Nov 22, 2017 at 2:22 PM, Ricardo Underwood wrote:
>
> Hello,
>
> I've been configuring PacketFence to work with our wired and
> wireless network. At the moment I'm trying to get the wireless
> working using the Captive Portal. I'm using oauth2 with Google, as
> we want to take advantage of our Google Apps as our company-wide
> authentication method. We use Ruckus Zone Director
> version 10.0.1.0 build 35 with 5 Ruckus R710 APs. I've followed the
> directions from the Admin Guide and the Network configuration
> guide for Ruckus. I have created a Hotspot Service in Ruckus
> ZoneDirector pointing to the IP of our PacketFence. When a
> user tries to access the SSID it directs them to the Captive
> Portal, they can authenticate with Google, and the device is
> registered (I can see it in the registered nodes). However, after all
> that it shows the user "Your network should be enabled within a
> minute or two, if it is not reboot your computer". I have
> tried from different devices (iOS devices are giving a different error,
> but that is not a major issue right now) and all are having the same
> problem, from Mac and Windows computers, desktops and laptops.
> From the packetfence.log I got this:
>
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1729) INFO: [mac:60:f8:1d:c3:e7:58] Instantiate
> profile Ruckus (pf::Connection::ProfileFactory::_from_profile)
> Nov 22 00:05:40 pfsetvlan(0) WARN: ignoring non trap line
> 2017-11-22 00:05:39 NET-SNMP version 5.7.2.1 Stopped. (main::)
> Nov 22 00:05:40 pfsetvlan(0) WARN: ignoring non trap line Stopping
> snmptrapd (main::)
> Nov 22 00:05:40 pfsetvlan(0) WARN: ignoring non trap line  (main::)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1726) INFO: [mac:60:f8:1d:c3:e7:58] URI '/Ruckus' is
> detected as an external captive portal URI
> (pf::web::externalportal::handle)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:unknown] External captive portal
> detected !
> 
> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:unknown] Detected external portal
> client. Using the IP 192.168.2.126 address in it's session.
> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:60:f8:1d:c3:e7:58] External captive
> portal detected !
> 
> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:60:f8:1d:c3:e7:58] Detected external
> portal client. Using the IP 192.168.2.126 address in it's session.
> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:60:f8:1d:c3:e7:58] Instantiate
> profile Ruckus (pf::Connection::ProfileFactory::_from_profile)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1727) INFO: [mac:60:f8:1d:c3:e7:58] URI '/Ruckus' is
> detected as an external captive portal URI
> (pf::web::externalportal::handle)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1726) INFO: [mac:unknown] External captive portal
> detected !
> 
> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1726) INFO: [mac:unknown] Detected external portal
> client. Using the IP 192.168.2.126 address in it's session.
> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1729) INFO: [mac:60:f8:1d:c3:e7:58] Instantiate
> profile Ruckus (pf::Connection::ProfileFactory::_from_profile)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1726) INFO: [mac:60:f8:1d:c3:e7:58] External captive
> portal detected !
> 
> (captiveportal::PacketFence::Model::Portal

Re: [PacketFence-users] Supported standalone AP

2017-11-24 Thread Fabrice Durand via PacketFence-users
https://github.com/inverse-inc/packetfence/pull/2735


On 2017-11-24 at 08:48, Gonzague Dambricourt wrote:
> Yeah for now . .UniFi doesn’t support CoA :( 
>
>> On 24 Nov 2017 at 14:46, Fabrice Durand via PacketFence-users
>> <packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello Spencer,
>>
>> you can use something like that:
>>
>> https://www.ubnt.com/unifi/unifi-ap-ac-lite/
>>
>> There is only a limitation with 802.1x (i hope Ubiquiti will fix it)
>> but mac auth should be ok.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-11-24 at 06:11, Spencer Hazell via PacketFence-users wrote:
>>> Hi
>>>  
>>> I have successfully configured my HP switches to work with
>>> packetfence and it works amazing!
>>>  
>>> However I’m after a single AP that will work with switch to provide
>>> the same functionality.  What choices do I have for acquiring a
>>> cheap AP (on its own) that will work with packetfence.
>>>  
>>> We are only a small company hence the reason for nothing too
>>> expensive – just an AP -> Switch (already have) -> Packetfence PC.
>>>  
>>> Thanks
>>>  
>>>  
>>> Spencer Hazell
>>>
>>> --
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org <http://Slashdot.org>! 
>>> http://sdm.link/slashdot
>>>
>>>
>>> ___
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Supported standalone AP

2017-11-24 Thread Fabrice Durand via PacketFence-users
Hello Spencer,

you can use something like that:

https://www.ubnt.com/unifi/unifi-ap-ac-lite/

There is only a limitation with 802.1x (i hope Ubiquiti will fix it) but
mac auth should be ok.

Regards

Fabrice



On 2017-11-24 at 06:11, Spencer Hazell via PacketFence-users wrote:
>
> Hi
>
>  
>
> I have successfully configured my HP switches to work with packetfence
> and it works amazing!
>
>  
>
> However I’m after a single AP that will work with switch to provide
> the same functionality.  What choices do I have for acquiring a cheap
> AP (on its own) that will work with packetfence.
>
>  
>
> We are only a small company hence the reason for nothing too expensive
> – just an AP -> Switch (already have) -> Packetfence PC.
>
>  
>
> Thanks
>
>  
>
>  
>
> Spencer Hazell



Re: [PacketFence-users] Failed to connect to config service for namespace resource::URI_Filters, retrying

2017-11-23 Thread Fabrice Durand via PacketFence-users
Hello,

try first to restart packetfence-config

systemctl restart packetfence-config

and do a pfcmd configreload hard

Regards

Fabrice



On 2017-11-23 at 07:07, Samuel Chege via PacketFence-users wrote:
> You can also try to remove the package called kf5-kio-widgets FIRST
> before re-installing; it seems to be the one connected to URI_Filters.
>
> On 23 November 2017 at 14:35, Samuel Chege wrote:
>
> Hi Luis,
>
> I had the same exact problem in my first attempt at trying to
> install PF 7.3.0 on CentOS 7. I resolved it by doing a minimal
> install. You most likely chose another type of installation and
> some software is conflicting with packetfence. Try and do a
> minimal CentOS install and setup packetfence again.
>
> On 22 November 2017 at 19:54, Luís Torres via PacketFence-users wrote:
>
> Hi,
>
>  
>
> donno what happen, but after reboot I cant start PF and always
> getting this message:
>
>  
>
> 369617.14165] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.24306] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.34436] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.44564] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.54673] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.64793] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.74908] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.8502] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.95153] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.05267] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.15372] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.25478] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.35583] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.45685] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.55786] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.65905] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.76025] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.86145] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.96267] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369619.06376] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369619.16484] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369619.26587] Failed to connect to config...
>
>  
>
>  
>
> What I should do?
>
>  
>
> Regards
>
> LT



Re: [PacketFence-users] [WISPr redirection]Can't direct user todownload specific files in registration VLAN

2017-11-23 Thread Fabrice Durand via PacketFence-users
Hello Yan,

use proxy_passthroughs=123.23.1.2 instead of passthroughs=123.23.1.2 and
retry.

Regards

Fabrice



On 2017-11-22 at 10:26, Yan via PacketFence-users wrote:
> In short, I want to know if it is possible to use PF's Captive Portal
> detection mechanism to pop out the captive portal, and no need to
> input any username and password, but with a url link inside the
> captive portal, and the user can then access the url with passthrough
> mechanism ?
>
> My pf.conf is as below:
> [fencing]
> passthrough=enabled
> #allow below host's 80 port to reach the download link
> passthroughs=123.23.1.2
>
> [captive_portal]
> network_detection_ip=172.20.3.120
> secure_redirect=disabled
>
>
> -- Original --
> *From:* packetfence-users 
> *Date:* Nov 22, 2017 21:53
> *To:* packetfence-users 
> *Cc:* Yan <1136723...@qq.com>
> *Subject:* Re: [PacketFence-users] [WISPr redirection]Can't direct
> user todownload specific files in registration VLAN
>
> Hi dear users,
>
> We use PF V7.3 in our office. Currently we set the authentication
> process as below:
> 1. Connect to secure ssid PF-wireless with 802.1x username and password.
> 2.After connection, the user default be set to registration VLAN.
> 3.We create a root portal module with only message.html, within which
> we add a download link(http://123.23.1.2/agent-install.html) pointing
> to host 123.23.1.2.
> 4.After user passed 802.1x authentication, there is a pop up window
> redirecting user to our portal. And the user can see the link.
> 5.User click the link to download our agent file and then the host
> 123.23.1.2 will know and send a message log to PF, PF will register
> this user's device.
> 6.The user belongs to normal VLAN now and get the right network access.
>
> Now some mac OSX users can't open the link in the auto pop up window.
> Windows users don't have this problem. I checked this problem with my
> own computer and find if I don't close the auto pop up window, I can't
> even connect to PF registration IP. If I close the pop up window and
> open a new browser my network will be redirected to the portal page.
> And I can download the package from this new browser.
>
> I know that the auto pop up page is accomplished by PF's WISPr
> redirection capabilities, can you tell how it works ? Why can't I
> download file by the link in portal on mac osx ?
>
>


Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-22 Thread Fabrice Durand via PacketFence-users
Hello Jason,


On 2017-11-21 at 23:40, Jason Sloan wrote:
> Fabrice,
>
> Totally understand being busy. Thanks for the reply. I was actually
> able to get this working a few hours ago, and hadn't had time to post
> a reply. I'm not sure what did it, perhaps adding "strip" to the realm
> options because the radius stripped name for hosts is host/ -
> this likely accomplishes the same thing that you suggested but in a
> different manner. To be completely clear I couldn't find a normalize
> option but I did see: "RADIUS machine auth with username - Use the
> RADIUS username instead of the TLS certificate common name when doing
> machine authentication." Just to verify, this is the option you are
> suggesting, correct?
>
Yes this is the option, it will use the attribute User-Name
(host/DESKTOP-6U152VD.mydomain.local) instead of the attribute
TLS-Client-Cert-Common-Name  (DESKTOP-6U152VD.mydomain.local) , so
User-Name will match with the AD attribute servicePrincipalName.

Also / is not considered as a separator of a REALM in Freeradius so i am
not sure that strip fixed the issue.
 
> One other thing I noticed in the authentication  request is the REALM
> is coming up as "NULL." Is this normal for RADIUS authenticated EAP-TLS?
For machine authentication, yes this is normal but i think it should be
possible to do a hack like we did in PacketFence Multidomain.
When the username is host/DESKTOP-6U152VD.mydomain.local then set the
realm as mydomain.local and try to authenticate on the sources where
mydomain.local is defined.
>
> Much of the info I was reading from the listserv also had included
> adding source or sources to the realm, this is not available in the
> GUI, is this a .conf feature only or a feature of PF 6.x that was
> deprecated?
Now in PacketFence you define the associated realm in the source;
before, it was in the realm configuration that you defined the single
associated source.
>
> Thanks,
> -Jason
Regards
Fabrice


-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
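
The realm handling discussed in this reply, as an added Python illustration (not PacketFence or FreeRADIUS code): standard `user@realm` / `DOMAIN\user` parsing leaves a `host/` User-Name with the NULL realm, and the proposed hack takes the realm from the machine's DNS suffix. The function names and sample values are assumptions, and the suffix walk generalizes the single-level case in the reply to hosts in subdomains.

```python
# Added illustration; not PacketFence or FreeRADIUS code.
# Models how a RADIUS User-Name maps to a realm:
#   user@realm and DOMAIN\user carry a realm; "/" is not a realm separator,
#   so host/<fqdn> ends up with no realm (NULL) unless the DNS suffix is used.
from typing import NamedTuple, Optional, Set, Tuple


class Identity(NamedTuple):
    kind: str             # "machine" or "user"
    name: str             # name without realm or host/ prefix
    realm: Optional[str]  # None stands for the NULL realm
    lookup: str           # value to search for in the directory


def split_standard(user_name: str) -> Tuple[str, Optional[str]]:
    """Split on the '@' suffix or '\\' prefix separator only."""
    if "@" in user_name:
        name, realm = user_name.rsplit("@", 1)
    elif "\\" in user_name:
        realm, name = user_name.split("\\", 1)
    else:
        return user_name, None
    return name, (realm.lower() or None)


def realm_from_fqdn(fqdn: str, known_realms: Set[str]) -> Optional[str]:
    """Longest DNS suffix of fqdn that is a configured realm, else None."""
    labels = fqdn.lower().rstrip(".").split(".")[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known_realms:
            return candidate
    return None


def resolve(user_name: str, known_realms: Set[str]) -> Identity:
    """Apply the host/<fqdn> hack, else fall back to standard parsing."""
    if user_name.lower().startswith("host/"):
        fqdn = user_name[len("host/"):]
        short = fqdn.split(".", 1)[0]
        realm = realm_from_fqdn(fqdn, known_realms)
        # The full host/<fqdn> string is what matches servicePrincipalName.
        return Identity("machine", short, realm, user_name)
    name, realm = split_standard(user_name)
    # Assumption: a realm that is not configured is handled as NULL.
    if realm not in known_realms:
        realm = None
    return Identity("user", name, realm, name)


# Constructed sample data (hostname form taken from the thread).
KNOWN_REALMS = {"mydomain.local"}
SAMPLES = [
    "host/DESKTOP-6U152VD.mydomain.local",
    "host/LAPTOP-01.lab.mydomain.local",
    "host/KIOSK-7.other.example",
    "alice@mydomain.local",
    "bob",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "| standard:", split_standard(s)[1],
              "| resolved:", resolve(s, KNOWN_REALMS))
```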





Re: [PacketFence-users] DHCP service not listed

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hello,

this is normal, the dhcp can run only on 2 of them.

Regards

Fabrice



On 2017-11-17 at 14:35, Tobias Friede via PacketFence-users wrote:
> Hi,
>
> I have the same problem, maybe that behavior is normal?
>
> My Cluster is a PF 7.2 Cluster. 
>
> Greetings
> Tobias
>
> 2017-11-17 16:34 GMT+01:00 Stephen Appleby via PacketFence-users:
>
> I've created a 3 node PF cluster. On one of the nodes DHCP is not
> listed as a service on the Status-Services page, and on the
> cluster status page that node's DHCP service status 
>
> show unknown. If I run 'pfcmd service pf restart' on that node it
> doesn't list the DHCP service either.
>
>
> Any idea as to what the problem might be?
>
>
>
> Stephen 
>


Re: [PacketFence-users] Captive portal not redirecting after registration

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hello Pedro,

it looks that it's a reevaluation issue, can you provide the
packetfence.log ?

What controller/AP are you using in your POC ?

Regards

Fabrice



On 2017-11-17 at 13:03, Pedro Trindade via PacketFence-users wrote:
> Hello all, I've been trying to make a Packetfence 7.3.0 POC on a
> Centos7.0 server.
>
> However after the registration process the user is not redirected both
> in ios and android devices.
>
> Any help would be appreciated :)
>
> Thanks,
>
> Pedro C. Trindade
>


Re: [PacketFence-users] R: R: R: R: Switch Compatibility

2017-11-17 Thread Fabrice Durand via PacketFence-users
> *From:* Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Saturday, 11 November 2017 13:51
> *To:* Alessandro Canella <alessandro.cane...@itcare.it>;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: R: [PacketFence-users] Switch Compatibility
>
>  
>
> Hello Alessandro,
>
>  
>
> you will need to edit the switch module and add this:
>
> # pf::access_filter::radius must be loaded by the module
> # (use pf::access_filter::radius;) for the calls below.
>
> =item returnAuthorizeWrite
>
> Return radius attributes to allow write access
>
> =cut
>
> sub returnAuthorizeWrite {
>     my ($self, $args) = @_;
>     my $logger = $self->logger;
>     my $radius_reply_ref;
>     my $status;
>     # Vendor attribute returned to the switch for write access
>     $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=15';
>     $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
>     $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
>     # Let a matching RADIUS filter rule adjust the reply before it is returned
>     my $filter = pf::access_filter::radius->new;
>     my $rule = $filter->test('returnAuthorizeWrite', $args);
>     ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule, $args, $radius_reply_ref);
>     return [$status, %$radius_reply_ref];
> }
>
> =item returnAuthorizeRead
>
> Return radius attributes to allow read access
>
> =cut
>
> sub returnAuthorizeRead {
>     my ($self, $args) = @_;
>     my $logger = $self->logger;
>     my $radius_reply_ref;
>     my $status;
>     # Vendor attribute returned to the switch for read access
>     $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=3';
>     $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
>     $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
>     # Let a matching RADIUS filter rule adjust the reply before it is returned
>     my $filter = pf::access_filter::radius->new;
>     my $rule = $filter->test('returnAuthorizeRead', $args);
>     ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule, $args, $radius_reply_ref);
>     return [$status, %$radius_reply_ref];
> }
>
> Then restart PacketFence.
>
> Let me know if it works.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-11-11 at 02:41, Alessandro Canella wrote:
>
> Zyxel GS 2210.
>
>  
>
> I need only AAA for switch login (if you remember I use
> captive portal for wifi in inline mode)
>
>  
>
> Zyxel provide
> 
> https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451&lang=EN
> 
> <https://kb.zyxel.com/KB/searchArticle%21gwsViewDetail.action?articleOid=009451&lang=EN>
>
>  
>
> I’ve done everything as written in this doc (dictionary and so on)
>
>  
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 10 November 2017 21:35
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Switch Compatibility
>
>  
>
> Hello Alessandro,
>
> what is the type of the switch ?
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-11-10 at 09:44, Alessandro Canella via
> PacketFence-users wrote:
>
> Hello all,
>
>  
>
> I solved everything (thanks to all..) and now I'm
> investigating about this:
>
>  
>
>  
>
>  
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Authentication
> successful for newuser in source file1 (Htpasswd)
> (pf::authentication::authenticate)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Using sources file1
> for matching (pf::authentication::match2)
>
>   

Re: [PacketFence-users] auth request from wrong switch

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hum ok, really weird.

It looks like, first, when the device connects on port 2/43, 802.1x
fails, so it starts mac auth, but just after that the port goes down and a
new request comes from port 5/3.

When this happen, can you check in the mac-address-table where is the
mac address (before and after) ?

Is it a stack of switches ?

Does the issue occur all the time on the same physical switch ?


On 2017-11-16 at 22:52, Sokolowski, Darryl wrote:
> Hi Fabrice,
> Yes, those ports are switchports plugged directly to pcs. Not uplink.
> Show cdp neighbors returns expected ports, but none of those in
> question here.
>
> Thanks
> Darryl
>
>
>
>  Original message 
> From: Durand fabrice via PacketFence-users
> 
> Date: 11/16/17 7:48 PM (GMT-05:00)
> To: packetfence-users@lists.sourceforge.net
> Cc: Durand fabrice 
> Subject: Re: [PacketFence-users] auth request from wrong switch
>
> Just to be sure, the port 5/3 and 2/43 are switch port , no uplink ?
>
> Does "show cdp neighbors" return one of these ports ?
>
>
>
> On 2017-11-16 at 17:46, Sokolowski, Darryl via PacketFence-users wrote:
>>
>> Another thing I noticed is that if I go into PF and restart the
>> switchport from the node details, it will authenticate as dot1x.
>>
>> When it fails, it seems it is trying wired mac auth. When it does
>> wired mac auth, it says it’s successful, but on a port that is
>> something other than where it is really plugged in, so no network access.
>>
>> If I unplug the nic, and plug it back in, it does not work, only when
>> I restart the port from PF does it work properly and authenticate as
>> dot1x.
>>
>>  
>>
>>  
>>
>>  
>>
>> *From:*Sokolowski, Darryl via PacketFence-users
>> [mailto:packetfence-users@lists.sourceforge.net]
>> *Sent:* Thursday, November 16, 2017 10:34 AM
>> *To:* packetfence-users@lists.sourceforge.net; Jason Sloan
>> 
>> *Cc:* Sokolowski, Darryl 
>> *Subject:* Re: [PacketFence-users] auth request from wrong switch
>>
>>  
>>
>> Hi again,
>>
>> This is weird, I don’t know what it means.
>>
>> A machine starts up, shows up on port 2/43, then it appears for some
>> reason it gets authorized on a different port right after that. The
>> first port it appears on, 2/43 is the real port it’s plugged into.
>> Then right after that, it appears on 5/3, and that’s when I think it
>> gets kicked off the network, since now the switch thinks it’s on 5/3.
>> There are no minihubs in the way, these machines plug directly into
>> their respective ports.
>>
>>  
>>
>> I attached a good bit of the debug log, but didn’t want to send the
>> whole thing, it’s very long. Let me know if I need to send more.
>> There is more in the attachment than I pasted below.
>>
>> I can’t figure out why these machines are getting seen on multiple ports.
>>
>>  
>>
>> Thanks for any insight.
>>
>> Darryl
>>
>>  
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350287: 350087: Nov 16
>> 12:53:00.279: dot1x-packet:[0026.2d15.049b, Gi2/43] EAPOL canned
>> status packet sent to client 0xAC94"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350288: 350088: Nov 16
>> 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Deleting client
>> 0xAC94 (0026.2d15.049b)"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350289: 350089: Nov 16
>> 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Delete auth client
>> (0xAC94) message"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350290: 350090: Nov 16
>> 12:53:00.279: dot1x-ev:Auth client ctx destroyed
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350291: 350091: Nov 16
>> 12:53:00.279: RADIUS/ENCODE():Orig. component type = Invalid
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350292: 350092: Nov 16
>> 12:53:00.279: RADIUS(): Config NAS IP: 172.16.0.200
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350293: 350093: Nov 16
>> 12:53:00.279: RADIUS(): Config NAS IPv6: ::
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350294: 350094: Nov 16
>> 12:53:00.279: RADIUS(): sending
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350295: 350095: Nov 16
>> 12:53:00.279: RADIUS(): Send Access-Request to
>> 172.16.1.73:1812 onvrf(0) id 1645/251, len 259"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350296: 350096: Nov 16
>> 12:53:00.279: RADIUS:  authenticator 7A 07 65 33 17 CD 20 47 - 3C 6A
>> 23 4C 46 19 31 B0
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350297: 350097: Nov 16
>> 12:53:00.279: RADIUS:  User-Name   [1]   14  "00262d15049b"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350298: 350098: Nov 16
>> 12:53:00.279: RADIUS:  User-Password   [2]   18  *
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350299: 350099: Nov 16
>> 12:53:00.279: RADIUS:  Service-Type    [6]   6   Call
>> Check    [10]
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350300: 350100: Nov 16
>> 12:53:00.279: RADIUS:  Vendor, Cisco   [26]  31  "
>>
>> 2017-11-16 07:52:

Re: [PacketFence-users] Mysql query error -"Database query failed with non retryable error"

2017-11-16 Thread Fabrice Durand via PacketFence-users
Hello Yan,

It looks like the pid (the person) doesn't exist on your setup.

So check in the person tab if you can find it (the person id appears just
before the error in the log).

Regards

Fabrice



On 2017-11-16 at 05:21, Yan via PacketFence-users wrote:
> Hi dear users,
>
> We use PF V7.3 in our offices and currently there are 200+ employees using
> PF as AAA server for 802.1x wireless connection. I guess we are not
> the largest client of PF. But when I check packetfence.log I found
> the errors below keep occurring. And most of the errors happened around
> 10:00 to 11:00 am. Our employees usually come to the office during this time.
> I keep all system settings as default. So is this a performance issue?
> Are these errors caused by any inappropriate settings? How could I
> optimize my settings to resolve this issue?
>
> error log below:
> packetfence_httpd.aaa: httpd.aaa(32263) ERROR: [mac:xx:xx:xx:26:13:xx]
> Database query failed with non retryable error: Cannot add or update a
> child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT
> `0_57` FOREIGN KEY (`pid`) REFERENCES `person` (`pid`) ON DELETE
> CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` (
> `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`,
> `category_id`, `computername`, `detect_date`, `device_class`,
> `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`,
> `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`,
> `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`,
> `notes`, `pid`, `regdate`, `sessionid`, `status`, `time_balance`,
> `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, NOW(),
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(),
> `notes` = ?, `pid` = ?, `status` = ?] (pf::dal::db_execute)
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-16 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

I just tested with the latest IOS and it looks to be the same (Version
15.2(6)E)

Regards

Fabrice



On 2017-11-16 at 07:45, Cristian Mammoli via PacketFence-users wrote:
> Thank you very much Fabrice, greatly appreciated. I'll schedule an
> upgrade on a test switch.
>
> Maybe the bug is related to this:
> https://quickview.cloudapps.cisco.com/quickview/bug/CSCve85309 ?
>
> On 15/11/2017 22:50, Fabrice Durand via PacketFence-users wrote:
>> Hello Cristian,
>>
>> So I am able to replicate it, and it looks to be a bug with the IOS version.
>>
>> Let's say I have nothing connected on port Gi1/0/8. If I do this:
>>
>> Switch#sh interfaces gigabitEthernet 1/0/8
>> GigabitEthernet1/0/8 is administratively down, line protocol is down
>> (disabled)
>>   Hardware is Gigabit Ethernet, address is dca5.f434.5508 (bia
>> dca5.f434.5508)
>>   MTU 1500 bytes, BW 1 Kbit/sec, DLY 1000 usec,
>>  reliability 255/255, txload 1/255, rxload 1/255
>>   Encapsulation ARPA, loopback not set
>>   Keepalive set (10 sec)
>>   Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
>>   input flow-control is off, output flow-control is unsupported
>>   ARP type: ARPA, ARP Timeout 04:00:00
>>   Last input 00:07:35, output 00:07:05, output hang never
>>   Last clearing of "show interface" counters never
>>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>>   Queueing strategy: fifo
>>   Output queue: 0/40 (size/max)
>>   5 minute input rate 0 bits/sec, 0 packets/sec
>>   5 minute output rate 0 bits/sec, 0 packets/sec
>>  484517 packets input, 59890752 bytes, 0 no buffer
>>  Received 266453 broadcasts (221983 multicasts)
>>  0 runts, 0 giants, 0 throttles
>>  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>>  0 watchdog, 221983 multicast, 0 pause input
>>  0 input packets with dribble condition detected
>>  618866 packets output, 72946865 bytes, 0 underruns
>>  0 output errors, 0 collisions, 35 interface resets
>>  0 unknown protocol drops
>>  0 babbles, 0 late collision, 0 deferred
>>  0 lost carrier, 0 no carrier, 0 pause output
>>  0 output buffer failures, 0 output buffers swapped out
>>
>> I have 59890752 bytes in and 72946865 bytes out.
>>
>> I plug a laptop into it, and pf receives an accounting packet with in 0 and out
>> 0 (normal).
>>
>> If I shut down the port, then pf receives an accounting packet with 59890752
>> (a little bit more) bytes in and 72946865 (a little bit more) bytes out.
>>
>> +----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
>> | id | acctsessionid | username                   | nasipaddress  | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
>> +----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
>> |  3 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:21 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> |  6 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:19:28 |        59665537 |         72749820 |               7 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> |  9 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:31 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> | 12 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:05 |        59846611 |         72909854 |             994 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> | 15 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:36:26 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> | 18 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:57 |        59869432 |         72929035 |              30 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> | 21 | 0061          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:38:25 |               0 |                0 |

Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-15 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

So I am able to replicate it, and it looks to be a bug with the IOS version.

Let's say I have nothing connected on port Gi1/0/8. If I do this:

Switch#sh interfaces gigabitEthernet 1/0/8
GigabitEthernet1/0/8 is administratively down, line protocol is down
(disabled)
  Hardware is Gigabit Ethernet, address is dca5.f434.5508 (bia
dca5.f434.5508)
  MTU 1500 bytes, BW 1 Kbit/sec, DLY 1000 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:07:35, output 00:07:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 484517 packets input, 59890752 bytes, 0 no buffer
 Received 266453 broadcasts (221983 multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 221983 multicast, 0 pause input
 0 input packets with dribble condition detected
 618866 packets output, 72946865 bytes, 0 underruns
 0 output errors, 0 collisions, 35 interface resets
 0 unknown protocol drops
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier, 0 pause output
 0 output buffer failures, 0 output buffers swapped out

I have 59890752 bytes in and 72946865 bytes out.

I plug a laptop into it, and pf receives an accounting packet with in 0 and out
0 (normal).

If I shut down the port, then pf receives an accounting packet with 59890752
(a little bit more) bytes in and 72946865 (a little bit more) bytes out.

+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
| id | acctsessionid | username                   | nasipaddress  | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
|  3 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:21 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
|  6 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:19:28 |        59665537 |         72749820 |               7 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
|  9 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:31 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 12 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:05 |        59846611 |         72909854 |             994 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 15 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:36:26 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 18 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:57 |        59869432 |         72929035 |              30 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 21 | 0061          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:38:25 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 24 | 0061          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:38:56 |        59890752 |         72946865 |              31 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+

So it looks like the in/out bytes are never reset and the switch sends
the in/out bytes since the switch started.

What I can recommend is: if there is a new IOS version, then upgrade; if it
doesn't fix the issue, then open a TAC with Cisco.

Regards

Fabrice



On 2017-11-15 at 06:09, Cristian Mammoli via PacketFence-users wrote:
> Ok, this is my notebook wifi adapter (E4:B3:18:2C:E0:C0) and 192.168.7.221
> is a Cisco WLC. No problem here, the accounting data looks ok:
>
> MariaDB [pf]> select * from radacct_log where
> acctuniqueid="c16c078f963c875d37013c5cba979106";
> ++--+-+---++-+-+---
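
Added example (not part of the original thread and not PacketFence code): a heuristic check over radacct_log rows that flags a client whose Stop counters keep growing from one session to the next, the pattern in the table above, and recovers per-session usage by subtracting the previous Stop. Grouping by NAS address and username, the `min_sessions` threshold and the control rows are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple


class AcctRow(NamedTuple):
    id: int
    acctsessionid: str
    username: str
    nasipaddress: str
    acctstatustype: str
    timestamp: datetime
    acctinputoctets: int
    acctoutputoctets: int
    acctsessiontime: int


def row(id_, session, user, nas, status, ts, octets_in, octets_out, seconds):
    """Build an AcctRow from the values of one radacct_log line."""
    return AcctRow(id_, session, user, nas, status,
                   datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                   octets_in, octets_out, seconds)


HOST = "host/inverse-8.inverse.inc"
NAS = "172.20.135.77"

# Rows as shown in the radacct_log output in the message
# (acctuniqueid column left out).
PAGE_ROWS = [
    row(3, "005C", HOST, NAS, "Start", "2017-11-15 16:19:21", 0, 0, 0),
    row(6, "005C", HOST, NAS, "Stop", "2017-11-15 16:19:28", 59665537, 72749820, 7),
    row(9, "005D", HOST, NAS, "Start", "2017-11-15 16:19:31", 0, 0, 0),
    row(12, "005D", HOST, NAS, "Stop", "2017-11-15 16:36:05", 59846611, 72909854, 994),
    row(15, "0060", HOST, NAS, "Start", "2017-11-15 16:36:26", 0, 0, 0),
    row(18, "0060", HOST, NAS, "Stop", "2017-11-15 16:36:57", 59869432, 72929035, 30),
    row(21, "0061", HOST, NAS, "Start", "2017-11-15 16:38:25", 0, 0, 0),
    row(24, "0061", HOST, NAS, "Stop", "2017-11-15 16:38:56", 59890752, 72946865, 31),
]

# Constructed control rows: a NAS whose counters restart with every session.
CTRL_HOST, CTRL_NAS = "host/control.example", "192.0.2.10"
CONTROL_ROWS = [
    row(101, "0A01", CTRL_HOST, CTRL_NAS, "Stop", "2017-11-15 09:30:00", 48210333, 3912045, 1800),
    row(102, "0A02", CTRL_HOST, CTRL_NAS, "Stop", "2017-11-15 10:05:00", 1200450, 880120, 600),
    row(103, "0A03", CTRL_HOST, CTRL_NAS, "Stop", "2017-11-15 11:45:00", 9033411, 10455002, 5400),
]


def stops_by_client(rows):
    """Group Stop records by (NAS address, username), oldest first."""
    groups = defaultdict(list)
    for r in rows:
        if r.acctstatustype == "Stop":
            groups[(r.nasipaddress, r.username)].append(r)
    for stops in groups.values():
        stops.sort(key=lambda r: r.timestamp)
    return groups


def find_unreset_counters(rows, min_sessions=3):
    """Flag clients whose Stop counters never go down across sessions.

    Returns {(nas, username): [(acctsessionid, delta_in, delta_out), ...]}.
    The deltas are the octets attributable to that session alone; the first
    session has no earlier Stop to subtract, so its deltas are None.
    """
    findings = {}
    for key, stops in stops_by_client(rows).items():
        if len({s.acctsessionid for s in stops}) < min_sessions:
            continue  # too few sessions to tell a trend from coincidence
        pairs = list(zip(stops, stops[1:]))
        never_decreases = all(
            b.acctinputoctets >= a.acctinputoctets
            and b.acctoutputoctets >= a.acctoutputoctets
            for a, b in pairs
        )
        first_total = stops[0].acctinputoctets + stops[0].acctoutputoctets
        last_total = stops[-1].acctinputoctets + stops[-1].acctoutputoctets
        if not never_decreases or last_total <= first_total:
            continue  # counters reset between sessions, or all sessions idle
        report = [(stops[0].acctsessionid, None, None)]
        report += [
            (b.acctsessionid,
             b.acctinputoctets - a.acctinputoctets,
             b.acctoutputoctets - a.acctoutputoctets)
            for a, b in pairs
        ]
        findings[key] = report
    return findings


if __name__ == "__main__":
    for client, sessions in find_unreset_counters(PAGE_ROWS + CONTROL_ROWS).items():
        print(client)
        for session in sessions:
            print("  ", session)
```

A flagged client means the reported octets are interface totals, so bandwidth limits or reports built on them overstate every session by the accumulated baseline.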

Re: [PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-15 Thread Fabrice Durand via PacketFence-users
Ok, so here is the patch
https://github.com/inverse-inc/packetfence-pki/commit/c66ef2ab34964caecda3d2cdff1c956656227ffc.diff

Regards

Fabrice



On 2017-11-15 at 08:56, Fabrice Durand via PacketFence-users wrote:
>
> Ok i am able to replicate it, let me fix it and i will give you a patch.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-11-14 at 22:41, Jason Sloan wrote:
>> Sorry, I should have included the values.
>> I wasn't sure if the values should be comma delimited or not. I tried
>> both comma and space delimited.
>>
>> KU:
>> digitalSignature, keyCertSign, cRLSign
>>
>> EKU:
>> serverAuth
>>
>> pyOpenSSL version:
>> pyOpenSSL-17.2.0-9.1.noarch
>>
>> On Tue, Nov 14, 2017 at 6:32 PM, Durand fabrice via PacketFence-users
>> <packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello Jason,
>>
>> i did a try and i am not able to reproduce the error.
>>
>> So it can be an issue with the keyUsage value or an issue with
>> pyopenssl.
>>
>> What did you define for keyUsage and can you give me the version
>> of pyopenssl you use ?
>>
>> rpm -qa|grep -i openssl
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-11-14 at 16:14, Jason Sloan via PacketFence-users wrote:
>>> Error:
>>> Environment:
>>>
>>> Centos 7 - Clean Install
>>>
>>> Steps to reproduce:
>>> Install Packetfence-PKI
>>> Browse to PKI Admin site & login.
>>> Complete all 4 steps of initial setup wizard & Submit
>>>
>>> Error condition occurs.
>>>
>>> Looks like a bad variable type, probably also related to the
>>> newer django version?
>>>
>>>
>>>
>>>
>>>
>>> Error details:
>>>
>>> Request Method: POST
>>> Request URL: https://localhost:9393/pki/init_wizard/
>>>
>>> Django Version: 1.8.1
>>> Python Version: 2.7.5
>>> Installed Applications:
>>> ('django.contrib.admin',
>>>  'django.contrib.auth',
>>>  'django.contrib.contenttypes',
>>>  'django.contrib.sessions',
>>>  'django.contrib.messages',
>>>  'django.contrib.staticfiles',
>>>  'rest_framework',
>>>  'rest_framework.authtoken',
>>>  'bootstrap3',
>>>  'pki')
>>> Installed Middleware:
>>> ('django.contrib.sessions.middleware.SessionMiddleware',
>>>  'django.middleware.common.CommonMiddleware',
>>>  'django.middleware.csrf.CsrfViewMiddleware',
>>>  'django.contrib.auth.middleware.AuthenticationMiddleware',
>>>  'django.contrib.messages.middleware.MessageMiddleware',
>>>  'django.middleware.clickjacking.XFrameOptionsMiddleware',
>>>  'inverse.middleware.SecurityMiddleware')
>>>
>>>
>>> Traceback:
>>> File
>>> "/usr/lib/python2.7/site-packages/django/core/handlers/base.py"
>>> in get_response
>>>   132.                     response = wrapped_callback(request,
>>> *callback_args, **callback_kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py"
>>> in _wrapped_view
>>>   22.                 return view_func(request, *args, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/django/views/generic/base.py"
>>> in view
>>>   71.             return self.dispatch(request, *args, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
>>> dispatch
>>>   237.         response = super(WizardView,
>>> self).dispatch(request, *args, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/django/views/generic/base.py"
>>> in dispatch
>>>   89.         return handler(request, *args, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in post
>>>   300.                 return self.render_done(form, **kwargs)
>>
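
Added example (not the patch linked in this message and not code from packetfence-pki): the setup-wizard error in this thread is pyOpenSSL refusing a unicode keyUsage value, and the form input was tried both comma and space delimited. One way to normalise such input into the comma-separated byte string the extension constructor expects, assuming a hypothetical helper named `extension_value`; the name lists are OpenSSL's keyUsage names and its common extendedKeyUsage short names.

```python
import re

# Value names OpenSSL accepts for the keyUsage extension.
KEY_USAGE = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# Common short names for extendedKeyUsage (OIDs are not handled here).
EXTENDED_KEY_USAGE = (
    "serverAuth", "clientAuth", "codeSigning", "emailProtection",
    "timeStamping", "OCSPSigning",
)


def extension_value(raw, allowed):
    """Turn form input into the byte string for an X509v3 usage extension.

    Accepts text or bytes, with names separated by commas, whitespace or
    both. Names are checked exactly (OpenSSL matches them case-sensitively),
    duplicates are dropped, and the result is comma-separated ASCII bytes,
    because OpenSSL's extension syntax separates values with commas and the
    C binding needs a byte string rather than text.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")  # non-ASCII input raises a ValueError subclass
    if not isinstance(raw, str):
        raise TypeError("usage value must be text or bytes")
    names = [name for name in re.split(r"[,\s]+", raw.strip()) if name]
    if not names:
        raise ValueError("no usage names given")
    unknown = [name for name in names if name not in allowed]
    if unknown:
        # "critical" lands here too: criticality is a separate argument of
        # the extension constructor, not part of the value.
        raise ValueError("unknown usage name(s): " + ", ".join(unknown))
    ordered = list(dict.fromkeys(names))  # de-duplicate, keep input order
    return ", ".join(ordered).encode("ascii")


if __name__ == "__main__":
    # The KU and EKU values reported in the thread, in both delimiter styles.
    print(extension_value("digitalSignature, keyCertSign, cRLSign", KEY_USAGE))
    print(extension_value("digitalSignature keyCertSign cRLSign", KEY_USAGE))
    print(extension_value("serverAuth", EXTENDED_KEY_USAGE))
```

Rejecting unknown names at the form layer also keeps a CA profile from being saved with a usage set that only fails later, at signing time.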

Re: [PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-15 Thread Fabrice Durand via PacketFence-users
Ok i am able to replicate it, let me fix it and i will give you a patch.

Regards

Fabrice



On 2017-11-14 at 22:41, Jason Sloan wrote:
> Sorry, I should have included the values.
> I wasn't sure if the values should be comma delimited or not. I tried
> both comma and space delimited.
>
> KU:
> digitalSignature, keyCertSign, cRLSign
>
> EKU:
> serverAuth
>
> pyOpenSSL version:
> pyOpenSSL-17.2.0-9.1.noarch
>
> On Tue, Nov 14, 2017 at 6:32 PM, Durand fabrice via PacketFence-users wrote:
>
> Hello Jason,
>
> i did a try and i am not able to reproduce the error.
>
> So it can be an issue with the keyUsage value or an issue with
> pyopenssl.
>
> What did you define for keyUsage and can you give me the version
> of pyopenssl you use ?
>
> rpm -qa|grep -i openssl
>
> Regards
>
> Fabrice
>
>
>
> On 2017-11-14 at 16:14, Jason Sloan via PacketFence-users wrote:
>> Error:
>> Environment:
>>
>> Centos 7 - Clean Install
>>
>> Steps to reproduce:
>> Install Packetfence-PKI
>> Browse to PKI Admin site & login.
>> Complete all 4 steps of initial setup wizard & Submit
>>
>> Error condition occurs.
>>
>> Looks like a bad variable type, probably also related to the
>> newer django version?
>>
>>
>>
>>
>>
>> Error details:
>>
>> Request Method: POST
>> Request URL: https://localhost:9393/pki/init_wizard/
>> 
>>
>> Django Version: 1.8.1
>> Python Version: 2.7.5
>> Installed Applications:
>> ('django.contrib.admin',
>>  'django.contrib.auth',
>>  'django.contrib.contenttypes',
>>  'django.contrib.sessions',
>>  'django.contrib.messages',
>>  'django.contrib.staticfiles',
>>  'rest_framework',
>>  'rest_framework.authtoken',
>>  'bootstrap3',
>>  'pki')
>> Installed Middleware:
>> ('django.contrib.sessions.middleware.SessionMiddleware',
>>  'django.middleware.common.CommonMiddleware',
>>  'django.middleware.csrf.CsrfViewMiddleware',
>>  'django.contrib.auth.middleware.AuthenticationMiddleware',
>>  'django.contrib.messages.middleware.MessageMiddleware',
>>  'django.middleware.clickjacking.XFrameOptionsMiddleware',
>>  'inverse.middleware.SecurityMiddleware')
>>
>>
>> Traceback:
>> File
>> "/usr/lib/python2.7/site-packages/django/core/handlers/base.py"
>> in get_response
>>   132.                     response = wrapped_callback(request,
>> *callback_args, **callback_kwargs)
>> File
>> "/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py"
>> in _wrapped_view
>>   22.                 return view_func(request, *args, **kwargs)
>> File
>> "/usr/lib/python2.7/site-packages/django/views/generic/base.py"
>> in view
>>   71.             return self.dispatch(request, *args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py"
>> in dispatch
>>   237.         response = super(WizardView,
>> self).dispatch(request, *args, **kwargs)
>> File
>> "/usr/lib/python2.7/site-packages/django/views/generic/base.py"
>> in dispatch
>>   89.         return handler(request, *args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py"
>> in post
>>   300.                 return self.render_done(form, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py"
>> in render_done
>>   357.                                   **kwargs)
>> File "/usr/local/packetfence-pki/pki/views.py" in done
>>   539.             certif.sign()
>> File "/usr/local/packetfence-pki/pki/models.py" in sign
>>   61.           
>>  cert.add_extensions([crypto.X509Extension("keyUsage",
>> True,self.key_usage)])
>> File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in __init__
>>   723.         extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx,
>> type_name, value)
>>
>> Exception Type: TypeError at /pki/init_wizard/
>> Exception Value: initializer for ctype 'char *' must be a str or
>> list or tuple, not unicode
>>
>>
>>

Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-14 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

When PacketFence receives an accounting request, there are MySQL
procedures that will update/insert in the radacct table.

When pf receives a start, we log in radacct_log and insert a new entry in
radacct; when it's an interim update, we update the entry in the radacct
table; and when it's a stop, we also update the radacct table and close
the entry.

So if you can do that:

select acctuniqueid from radacct where callingstationid="00:11:22:33:44:55";

and give me the result of that:

select * from radacct_log where acctuniqueid="xyz";

Regards

Fabrice


On 2017-11-13 at 07:59, Cristian Mammoli via PacketFence-users wrote:
> Hi Fabrice, could you please give me a hint to start looking at what's
> going wrong here? How is bandwidth calculated and where?
>
> Thanks in advance
>
> On 19/10/2017 18:22, Cristian Mammoli via PacketFence-users wrote:
>> If you mean PacketFence is 7.3.0
>> If you mean IOS: Cisco IOS Software, C2960X Software
>> (C2960X-UNIVERSALK9-M), Version 15.2(2)E6, RELEASE SOFTWARE (fc1)
>>
>>
>> On 19/10/2017 16:41, Fabrice Durand via PacketFence-users wrote:
>>> Hello Cristian,
>>>
>>> which version are you running ?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>
>
> -- 
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Recommended Distribution / Version

2017-11-14 Thread Fabrice Durand via PacketFence-users
Ok let me fix that.

Btw you can remove the file initial_data.json and do a python manage.py
syncdb.



On 2017-11-14 at 04:12, Jason Sloan wrote:
> Looks like there's 2 more dependencies
> python-ipaddress
> python-idna
>
> Then it looks like I'm bombing out on an initial data load of some
> sort. Based on the output it looks like the syncdb command is being
> issued, but the table doesn't exist in the database.
>
> Full output:
>
> Running transaction
>   Installing : packetfence-pki-1.0.8-1.el7.centos.noarch 1/1
> certificate exist do nothing
> /usr/lib/python2.7/site-packages/django/core/management/commands/syncdb.py:24:
> RemovedInDjango19Warning: The syncdb command will be removed in Django 1.9
>   warnings.warn("The syncdb command will be removed in Django 1.9",
> RemovedInDjango19Warning)
>
> /usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py:229:
> RemovedInDjango19Warning: initial_data fixtures are deprecated. Use
> data migrations instead.
>   RemovedInDjango19Warning
>
> Operations to perform:
>   Synchronize unmigrated apps: staticfiles, rest_framework, pki,
> messages, bootstrap3
>   Apply all migrations: admin, authtoken, contenttypes, auth, sessions
> Synchronizing apps without migrations:
>   Creating tables...
>     Creating table pki_ca
>     Creating table pki_attrib
>     Creating table pki_schema
>     Creating table pki_ldap
>     Creating table pki_certprofile
>     Creating table cert
>     Creating table pki_certrevoked
>     Creating table pki_rest
>     Running deferred SQL...
>   Installing custom SQL...
> Traceback (most recent call last):
>   File "manage.py", line 10, in <module>
>     execute_from_command_line(sys.argv)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 338, in execute_from_command_line
>     utility.execute()
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 330, in execute
>     self.fetch_command(subcommand).run_from_argv(self.argv)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 390, in run_from_argv
>     self.execute(*args, **cmd_options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/syncdb.py",
> line 25, in handle
>     call_command("migrate", **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 120, in call_command
>     return command.execute(*args, **defaults)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/migrate.py",
> line 179, in handle
>     created_models = self.sync_apps(connection,
> executor.loader.unmigrated_apps)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/migrate.py",
> line 364, in sync_apps
>     hide_empty=True,
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 120, in call_command
>     return command.execute(*args, **defaults)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 60, in handle
>     self.loaddata(fixture_labels)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 90, in loaddata
>     self.load_label(fixture_label)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 147, in load_label
>     obj.save(using=self.using)
>   File
> "/usr/lib/python2.7/site-packages/django/core/serializers/base.py",
> line 173, in save
>     models.Model.save_base(self.object, using=using, raw=True)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 738, in save_base
>     updated = self._save_table(raw, cls, force_insert, force_update,
> using, update_fields)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 803, in _save_table
>     forced_update)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 853, in _do_update
>     return filtered._update(values) > 0
>   File "/usr/lib/python2.7/site-packages/django/db/models/query.py",
> line 580, in _update
>     return query.get_compiler(self.db).execute_sql(CURSOR)
>   File
> "/usr/lib/python2.7/site-packages/django/db/models/sql/compiler.py",
> line 1059, in execute_sql
>     cursor = super(SQLUpdateCompiler, self).execute_sql(result_type)
>   File
> "/usr/

Re: [PacketFence-users] Question about device-registration page

2017-11-13 Thread Fabrice Durand via PacketFence-users
Hello Marcus,

In the device registration page there is no way to allow the end user to
choose the role.

You define it or PacketFence uses the same one as the user.

Also Julien did this sort of thing you want to use on the device
registration page but for the captive portal.
(https://github.com/inverse-inc/packetfence/pull/2471)

Right now nobody has asked to add a way to be able to select a role on the
device registration page, so if you want to do that we will be happy to
include this patch in PacketFence.

Regards

Fabrice



On 2017-11-13 at 10:35, Marcus Lauer via PacketFence-users wrote:
> I am running PacketFence 7.3.0 on a RHEL7 system and have
> encountered some issues with device registration. First, registration
> through the https://hostname/device-registration page did not work at all
> until I installed the patch at
> https://github.com/inverse-inc/packetfence/commit/10223d70146120a4e2a63bd169536ebcd82917c4.
> So thank you julsemaan for that patch.
>
> My question is this: Is there an easy way to let the user choose
> a Role through the device-registration page?
>
> In our captive portal the first thing users have to do is choose
> either "Computer" or "Device". This is easy to do in the captive portal.
> I just have a "Choice" portal module which lets them choose between two
> authentication modules, each of which does a "set_role" upon successful
> login. These Roles end up on different VLANs.
>
> Unfortunately in the device-registration page there is no mention
> of the device role. The Role is not among the device information shown
> in the list of registered devices. Also, when registering a device there
> is no method for selecting the Role. It appears that whichever Role was
> chosen in the Device Registration selected for that Connection Profile
> is the one which is applied.
>
> I could probably do the necessary coding to add Role selection to
> the device-registration page. Before I do that I just want to make sure
> that I'm not missing an easier way to do it.
>
> I would also like to note that in the unpatched PacketFence 7.3.0
> it is possible to select multiple roles for a Device Registration. The
> patch I mentioned above changed the multiple selection box for Role in a
> Device Registration Entry to a drop-down list. This suggests to me that
> someone might have intended to allow multiple roles to be associated
> with one device registration. Perhaps the idea was to let the user
> select a role after registering? If this is the case then I would love
> to know so that I don't duplicate someone else's efforts.
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 





Re: [PacketFence-users] R: R: R: Switch Compatibility

2017-11-13 Thread Fabrice Durand via PacketFence-users
 pf::access_filter::radius->new;
>     my $rule = $filter->test('returnAuthorizeRead', $args);
>     ($radius_reply_ref, $status) =
> $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>     return [$status, %$radius_reply_ref];
> }
>
> Then restart PacketFence.
>
> Let me know if it works.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-11-11 at 02:41, Alessandro Canella wrote:
>
> Zyxel GS 2210.
>
>  
>
> I need only AAA for switch login (if you remember I use captive
> portal for wifi in inline mode)
>
>  
>
> Zyxel provide
> 
> https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451&lang=EN
> 
> <https://kb.zyxel.com/KB/searchArticle%21gwsViewDetail.action?articleOid=009451&lang=EN>
>
>  
>
> I’ve done all as written in this doc (dictionary and so on)
>
>  
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 10 November 2017 21.35
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand <mailto:fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Switch Compatibility
>
>  
>
> Hello Alessandro,
>
> what is the type of the switch ?
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-11-10 at 09:44, Alessandro Canella via PacketFence-users wrote:
>
> Hello all,
>
>  
>
> I solved everything (thanks to all..) and now I’m
> investigating this:
>
>  
>
>  
>
>  
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Authentication successful
> for newuser in source file1 (Htpasswd)
> (pf::authentication::authenticate)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Using sources file1 for
> matching (pf::authentication::match2)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Matched rule (admins) in
> source file1, returning actions.
> (pf::Authentication::Source::match)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] PacketFence does not
> support this switch for read/write access login
> (pf::Switch::returnAuthorizeWrite)
>
>  
>
>  
>
> I’ve configured switch according to brand guidelines (based on
> freeradius) and I’m trying to enable PF Radius for CLI / HTTPS
> login.
>
>  
>
>  
>
> Switch is configured in PF Switch webpage, I’ve configured
> SNMP and SSH too
>
>  
>
> *Alessandro Canella*
>
> Via Gurzone 77 – 45030
> Occhiobello (RO) – Italy
> t. ++39 0532 1916333
> f. ++34 0532 1911433
> m. ++39 348 4433733
>
> email : alessandro.cane...@itcare.it
> skype : alessandro.canella

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Switch Compatibility

2017-11-10 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

what is the type of the switch ?

Regards

Fabrice



On 2017-11-10 at 09:44, Alessandro Canella via PacketFence-users wrote:
>
> Hello all,
>
>  
>
> I solved everything (thanks to all..) and now I’m investigating
> this:
>
>  
>
>  
>
>  
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711)
> INFO: [mac:[undef]] Authentication successful for newuser in source
> file1 (Htpasswd) (pf::authentication::authenticate)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711)
> INFO: [mac:[undef]] Using sources file1 for matching
> (pf::authentication::match2)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711)
> INFO: [mac:[undef]] Matched rule (admins) in source file1, returning
> actions. (pf::Authentication::Source::match)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711)
> INFO: [mac:[undef]] PacketFence does not support this switch for
> read/write access login (pf::Switch::returnAuthorizeWrite)
>
>  
>
>  
>
> I’ve configured switch according to brand guidelines (based on
> freeradius) and I’m trying to enable PF Radius for CLI / HTTPS login.
>
>  
>
>  
>
> Switch is configured in PF Switch webpage, I’ve configured SNMP and
> SSH too
>
>  
>
> *Alessandro Canella*
>
> Via Gurzone 77 – 45030
> Occhiobello (RO) – Italy
> t. ++39 0532 1916333
> f. ++34 0532 1911433
> m. ++39 348 4433733
>
> email : alessandro.cane...@itcare.it
> skype : alessandro.canella
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] progress bar missing

2017-11-09 Thread Fabrice Durand via PacketFence-users
Hello Tobias,

did you change the HTML template files?

Because the progress bar is there by default.

Regards
Fabrice

On 2017-11-09 at 04:32, Schimanski Tobias via PacketFence-users wrote:
>
> Hey guys
>
>  
>
> my packetfence didn’t show the progress bar after login. It shows an
> error that no internet connection can be established, but after my
> configured redirection delay (in Networks -> Fencing -> Redirection
> delay) the internet works fine.
>
> How can I get back my progress bar?
>
>  
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] user management on web portal

2017-11-09 Thread Fabrice Durand via PacketFence-users
Hello Nicolay,

can you try that in adminroles.conf

[Create_User]
allowed_node_roles=
actions=USERS_READ,USERS_CREATE
allowed_roles=
allowed_access_levels=
allowed_actions=
description=Create User


Regards

Fabrice



On 2017-11-09 at 01:56, Nicolay Rytchev via PacketFence-users wrote:
> Hello Fabrice,
>
> I mean the following:
>
> I want to create several users and grant them rights to create
> local database users (lobby management) for the authentication process.
> But all these users can see each other and remove any accounts from
> database.
> All these accounts have only user management rights.
>
> Regards,
> Nicolay
>
>
> 2017-11-07 22:17 GMT+01:00 Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net>:
>
> Hello Nicolay,
>
> not sure I understand, you mean in the admin GUI?
>
> Regards
>
> Fabrice
>
>
>
> On 2017-11-07 at 08:23, Nicolay Rytchev via PacketFence-users wrote:
>> Hello all,
>>
>> Is it possible to hide from the user or forbid to him see or
>> change user's account in local database that is not created by him ?
>> I have successfully removed a user account that was created from
>> another account.
>>
>>
>> Regards,
>> Nicolay
>>
>>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
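
The reply above proposes an admin role limited to `USERS_READ` and `USERS_CREATE`. As an added example (not part of the original thread or of PacketFence), this Python script parses adminroles.conf-style text and reports which roles also hold actions that change or remove accounts; the sample text, the `Lobby_Full` role, and the choice of `USERS_UPDATE` and `USERS_DELETE` as the actions to flag are assumptions of this example.

```python
import configparser

# Constructed sample in adminroles.conf format. [Create_User] is the role
# proposed in the reply above; [Lobby_Full] is a made-up over-privileged role.
SAMPLE_ADMINROLES = """\
[Create_User]
allowed_node_roles=
actions=USERS_READ,USERS_CREATE
allowed_roles=
allowed_access_levels=
allowed_actions=
description=Create User

[Lobby_Full]
actions=USERS_READ,USERS_CREATE,USERS_UPDATE,USERS_DELETE
description=Lobby with full user management
"""

# Assumed names of the actions that let an admin change or remove accounts
# created by someone else; adjust to the action list of your PacketFence version.
DESTRUCTIVE_USER_ACTIONS = {"USERS_UPDATE", "USERS_DELETE"}


def parse_admin_roles(text):
    """Return {role_name: set_of_actions} from adminroles.conf-style text."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    roles = {}
    for section in parser.sections():
        raw = parser.get(section, "actions", fallback="")
        # Empty "actions=" yields an empty set rather than {""}.
        roles[section] = {a.strip() for a in raw.split(",") if a.strip()}
    return roles


def audit_roles(text, forbidden=DESTRUCTIVE_USER_ACTIONS):
    """Return {role_name: sorted list of forbidden actions the role grants}."""
    findings = {}
    for role, actions in parse_admin_roles(text).items():
        hits = sorted(actions & set(forbidden))
        if hits:
            findings[role] = hits
    return findings


if __name__ == "__main__":
    for role, hits in audit_roles(SAMPLE_ADMINROLES).items():
        print(f"{role}: grants {', '.join(hits)}")
```
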



Re: [PacketFence-users] PF 7.3 - Problem with Device Registration - caught exception

2017-11-09 Thread Fabrice Durand via PacketFence-users
Hello Michel,

did you define a device registration profile and did you assign it to
your connection profile ?

In 7.3 you can create multiple connection profiles and assign one of
them to a connection profile.

Regards

Fabrice


On 2017-11-09 at 01:20, Pedersen Michel via PacketFence-users wrote:
>
> Hello,
>
>  
>
> We’re trying to use the self-service device registration in the portal
> (where the user logs to see his/her devices and then can manually
> register additional devices).
>
> In PF 7.2 this worked fine but after upgrading to 7.3 this stops
> working with the following error:
>
>  
>
> Caught exception in
> captiveportal::Controller::DeviceRegistration->registerNode "Can't use
> an undefined value as an ARRAY reference at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/DeviceRegistration.pm
> line 221."
>
>  
>
> I’ve tried setting up a clean install of PF 7.3 on another server, but
> I get the same error there, so I don’t think it has anything to do
> with the upgrade from 7.2 -> 7.3 but something in 7.3 itself.
>
>  
>
> Pf-maint.pl has been run to fetch any available patches but
> unfortunately this error seems to persist.
>
>  
>
> Packetfence.log throws up the following errors at the time of the
> manual device registration (146.2.193.12 is PC that is logging in to
> PF to do the manual device registration):
>
>  
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) ERROR: [mac:unknown] Can't bind :
> IO::Socket::INET: connect: Connection refused
>
> (pf::ip4log::_get_lease_from_omapi)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) WARN: [mac:unknown] Unable to match MAC address to
> IP '146.2.193.12' (pf::ip4log::ip2mac)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) ERROR: [mac:unknown] Can't bind :
> IO::Socket::INET: connect: Connection refused
>
> (pf::ip4log::_get_lease_from_omapi)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) WARN: [mac:unknown] Unable to match MAC address to
> IP '146.2.193.12' (pf::ip4log::ip2mac)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) ERROR: [mac:0] Can't bind : IO::Socket::INET:
> connect: Connection refused
>
> (pf::ip4log::_get_lease_from_omapi)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) WARN: [mac:0] Unable to match MAC address to IP
> '146.2.193.12' (pf::ip4log::ip2mac)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) ERROR: [mac:0] Can't bind : IO::Socket::INET:
> connect: Connection refused
>
> (pf::ip4log::_get_lease_from_omapi)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) WARN: [mac:0] Unable to match MAC address to IP
> '146.2.193.12' (pf::ip4log::ip2mac)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) INFO: [mac:0] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
>
> Nov  9 07:15:25 svvtportal01 packetfence_httpd.portal:
> httpd.portal(96710) ERROR: [mac:0] Caught exception in
> captiveportal::Controller::DeviceRegistration->registerNode "Can't use
> an undefined value as an ARRAY reference at /usr/local/pf
>
> /html/captive-portal/lib/captiveportal/PacketFence/Controller/DeviceRegistration.pm
> line 221." (captiveportal::PacketFence::Controller::Root::end)
>
> Nov  9 07:15:25 svvtportal01 pfqueue: pfqueue(96806) INFO:
> [mac:unknown] violation not added, MAC 0 is invalid! trigger
> internal::new_dhcp_info (pf::violation::violation_trigger)
>
>  
>
> I’m hoping that this is something that can be fixed easily as it’s
> currently stopping me from putting PF into production.
>
>
> Best regards
> Michel Pedersen
>
> *Norwegian Public Roads Administration* 
> *Postal address:* Statens vegvesen Vegdirektoratet, Postboks 8142
> Dep, 0033 OSLO
> *Office address:* Brynsengfaret 6A, OSLO
> *Mobile:* +47 99117502  *e-mail/Lync:* michel.peder...@vegvesen.no
> 
> www.vegvesen.no
>   *e-mail:* firmap...@vegvesen.no
> 
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 


Re: [PacketFence-users] Problem with Reports in PF 7.3.0

2017-11-08 Thread Fabrice Durand via PacketFence-users
Hello Hubert,

run pf-maint.pl and it will fix the issue.

Regards

Fabrice



On 2017-11-08 at 07:06, Hubert Kupper via PacketFence-users wrote:
> Hello Fabrice,
>
> I always have the problem on two freshly installed PF 7.3.0 Servers
> running on CentOS.
>
> Regards
> Hubert
>
> On 27.10.2017 at 10:12, Hubert Kupper via PacketFence-users wrote:
>> Hello Fabrice,
>>
>> it's difficult. The switches are configured and in production for
>> years. With older PF versions, the node states report works. In PF
>> 7.3.0 node states are shown only if I click "today" but "Operating
>> Systems" or "Bandwidth Consumers" show the "What's going on..."
>> message. When I click "7 days" or older, "Node States" is empty but
>> the other options show graphs. I am a little bit confused.
>>
>> Regards
>> Hubert
>>
>> On 26.10.2017 at 14:58, Fabrice Durand via PacketFence-users wrote:
>>> Hello Hubert,
>>>
>>> PacketFence needs to have the accounting data from the switch to show
>>> you reports.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> On 2017-10-26 at 03:29, Hubert Kupper via PacketFence-users wrote:
>>>> Hello,
>>>>
>>>> I have a new PF 7.3.0 server running in production. In the REPORTS tab
>>>> only node states are shown all other reports show:
>>>> "What's going on?There's not enough data to generate this graph. Is
>>>> PacketFence in production?" There are many active connections.
>>>>
>>>> Regards,
>>>> Hubert
>>>>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] Email-guest_sponsor_activation.html

2017-11-07 Thread Fabrice Durand via PacketFence-users
Hello Luís,


in
html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/Sponsor.pm
line 177 add cell_phone in the list

177 foreach my $key (qw(firstname lastname telephone company cell_phone)) {

regards

Fabrice



On 2017-11-07 at 05:10, Luís Torres via PacketFence-users wrote:
>
> Hello,
>
>  
>
> Don't know why I can't get the cell phone out on the email guest sponsor
> activation:
>
>  
>
>  
>
> Nome do requerente: Luis
> Sobrenome do requerente: Torres
> Telefone:
> Email do requerente: luistor...@netc.pt 
>
>  
>
> Changed on the email template to :
>
> [% i18n("Phone number") %]: [% cell_phone %]
>
>  
>
> also on portal_modules.conf :
>
>  
>
> [default_guest_policy]
> description=Acesso com aprovador
> custom_fields=firstname,lastname,cell_phone
> modules=
> actions=
> show_first_module_on_default=disabled
> template=content-with-choice.html
>
>  
>
> And I checked the DB and the field is filled with the cellphone:
>
> 'luistor...@netc.pt', 'Luis', 'Torres', 'luistor...@netc.pt', '', '',
> '', '', 'luis.tor...@xxxl.pt', '', '', '', 'pt_PT', '',
> '913xx', '', '', '', '', '', '', '', '', '', '', '', '', '', '',
> 'PortalReg', 'sponsor'
>
>  
>
> Regards,
>
> LT
>
>  
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] user management on web portal

2017-11-07 Thread Fabrice Durand via PacketFence-users
Hello Nicolay,

not sure I understand, you mean in the admin GUI?

Regards

Fabrice



On 2017-11-07 at 08:23, Nicolay Rytchev via PacketFence-users wrote:
> Hello all,
>
> Is it possible to hide from the user or forbid to him see or change
> user's account in local database that is not created by him ?
> I have successfully removed a user account that was created from another
> account.
>
>
> Regards,
> Nicolay
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] R: R: R: R: R: Radius Project Reloaded

2017-11-07 Thread Fabrice Durand via PacketFence-users
/pf/services/manager/radiusd.p    m line 28.
>
> BEGIN failed--compilation aborted at
> /usr/local/pf/lib/pf/services/manager/radiu    sd.pm line 28.
>
> Compilation failed in require at (eval 1720) line 2.
>
> at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
>
> module pf::cmd::pf::checkup cannot be loaded
>
> Can't locate object method "name" via package
> "pf::services::manager::radiusd" a    t
> /usr/local/pf/lib/pf/services.pm line 42.
>
> Compilation failed in require at
> /usr/local/pf/lib/pf/cmd/pf/checkup.pm line 20.
>
> BEGIN failed--compilation aborted at
> /usr/local/pf/lib/pf/cmd/pf/checkup.pm line 20.
>
> Compilation failed in require at
> /usr/share/perl5/vendor_perl/Module/Load.pm lin    e 27.
>
> Can't locate pf/cmd/pf/checkup in @INC (@INC contains:
> /usr/local/pf/lib /usr/lo    cal/lib64/perl5
> /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
> /usr/share/p    erl5/vendor_perl /usr/lib64/perl5
> /usr/share/perl5) at /usr/share/perl5/vendor_p   
> erl/Module/Load.pm line 27.
>
>  
>
>  
>
>  
>
> *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Thursday, 2 November 2017 15.45
> *To:* Alessandro Canella <mailto:alessandro.cane...@itcare.it>;
> packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Re: R: R: [PacketFence-users] Radius Project Reloaded
>
>  
>
> What are the errors ?
>
>  
>
>  
>
> On 2017-11-02 at 09:18, Alessandro Canella wrote:
>
> Something went wrong…
>
>  
>
>  
>
> [root@PacketFence-ZEN pf]# patch -p1 < pat.diff
>
> (Stripping trailing CRs from patch; use --binary to disable.)
>
> patching file lib/pf/services/manager/radiusd_child.pm
>
> patch unexpectedly ends in middle of line
>
> Hunk #1 succeeded at 567 with fuzz 1 (offset -23 lines).
>
>  
>
>  
>
> A)  Pfcmd checkup reports a lot of errors
>
> B)  Web Admin stops working.
>
>  
>
>  
>
> *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, 31 October 2017 17.32
> *To:* Alessandro Canella
> <mailto:alessandro.cane...@itcare.it>;
> packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Re: R: [PacketFence-users] Radius Project Reloaded
>
>  
>
> Once you have the file do
>
> cd /usr/local/pf
>
> patch -p1 < the_patch.diff
>
>  
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-10-31 at 11:56, Alessandro Canella wrote:
>
> Hello Fabrice,
>
>  
>
>  
>
> Done some tests. Cannot grant internet access to PF, so
> I’ve pasted diff content in a local diff file, but it doesn’t
> work (remains frozen and needs a Ctrl-C to return to prompt)
>
>  
>
> Not too simply.. any ideas? Can I execute single lines of
> diff file?
>
>  
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 31 October 2017 14.15
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand
> <mailto:fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Radius Project Reloaded
>
>  
>
> Hello Alessandro,
>
> can you try this patch:
>
> cd /usr/local/pf
>
> curl
> 
> https://github.com/inverse-inc/packetfence/commit/fa866d14be0b16ef1af0ed849c85a481a4011048.diff
> | patch -p1
>
> Then restart packetfence.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-10-31 at 07:59, Alessandro Canella via
> PacketFence-users wrote:
>
> Hello all,
>
>  
>
> after closing successfully inline config, I will try
> to config AAA in Zyxel Switches.
>
>  

Re: [PacketFence-users] Wireless WPA2-PSK Devices

2017-11-06 Thread Fabrice Durand via PacketFence-users
Hello Paul,

What i would do is to use the device registration page in this case.

When users want to register their IOT devices, they use their already
registered device to hit the device registration page and register the
IOT by its MAC address.

At the end of the registration you will just have to show a message with
the password and ask them to configure the IOT on the ssid where you
configured wpa-psk.

Regards

Fabrice



On 2017-11-06 at 01:33, Paul Coates via PacketFence-users wrote:
>
> I've already got the open SSID working, i.e. mac-auth with the
> packetfence captive portal. I need to know if I should expect devices
> that can only do WPA/WPA2-PSK to work with a secure SSID configuration
> or if that is only intended for devices capable of WPA/WPA2-EAP. I
> would prefer to use a method that encrypts traffic from the user
> devices but would like to know if this is possible or if I'm wasting
> my time.
>
> The fallback is to switch on PSK on the controller with the mac-auth
> solution, this also works, so the traffic is encrypted but how secure
> is it really if users all have to share the same PSK.
>
> Paul
>
>
> On 04/11/17 13:00, Tomasz Karczewski via PacketFence-users wrote:
>> Maybe try to use mac-auth + captive portal authentication?
>>
>> Tomasz Karczewski
>> Administrator Sieci
>>
>>
>>
>> tkarczew...@man.olsztyn.pl
>> http://www.man.olsztyn.pl   http://www.uwm.edu.pl
>> tel. (89) 523 45 55  fax. (89) 523 43 47
>>
>> Ośrodek Eksploatacji i Zarządzania
>> Miejską Siecią Komputerową OLMAN w Olsztynie
>> Uniwersytet Warmińsko-Mazurski w Olsztynie
>>
>> -Original Message-
>> From: Paul Coates via PacketFence-users
>> [mailto:packetfence-users@lists.sourceforge.net] 
>> Sent: Saturday, November 4, 2017 5:22 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Paul Coates 
>> Subject: [PacketFence-users] Wireless WPA2-PSK Devices
>>
>> We have been running a wired PacketFence service for our students for a
>> while now. This year students are turning up with more Google Home, Amazon
>> Echo, Sonos speakers, etc. devices only capable of WPA/WPA2-PSK. 
>> These devices can not connect to our campus WPA2-EAP wireless service so I'm
>> returning to packetfence as a possible solution.
>>
>> I've been able to get an open wireless network with mac-auth working with a
>> test laptop but I'm struggling to get secure wireless working without it
>> asking for a login and password. I assume the secure method is also supposed
>> to have the client send its MAC address for authentication?
>>
>> We are using Huawei ACU2 controllers, the same config as the AC6605 in the
>> Network Devices Configuration Guide, but those instructions are for
>> v2r5 software or earlier, the configuration file format completely changed
>> in v2r6 so I'm having a few issues.
>>
>> My question is, the devices I mentioned that can only do WPA/WPA2-PSK,
>> should these devices work over the secure wireless solution when I get it
>> working, or can we only use the open mac-auth solution?
>>
>> Thanks,
>>
>> Paul
>>
>> --
>> Paul Coates, Newcastle University, Network Team
>>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] R: R: R: R: Radius Project Reloaded

2017-11-06 Thread Fabrice Durand via PacketFence-users
/perl5 /usr/share/perl5) at /usr/share/perl5/vendor_p   
> erl/Module/Load.pm line 27.
>
>  
>
>  
>
>  
>
> *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Thursday, 2 November 2017 15.45
> *To:* Alessandro Canella <mailto:alessandro.cane...@itcare.it>;
> packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Re: R: R: [PacketFence-users] Radius Project Reloaded
>
>  
>
> What are the errors ?
>
>  
>
>  
>
> On 2017-11-02 at 09:18, Alessandro Canella wrote:
>
> Something went wrong…
>
>  
>
>  
>
> [root@PacketFence-ZEN pf]# patch -p1 < pat.diff
>
> (Stripping trailing CRs from patch; use --binary to disable.)
>
> patching file lib/pf/services/manager/radiusd_child.pm
>
> patch unexpectedly ends in middle of line
>
> Hunk #1 succeeded at 567 with fuzz 1 (offset -23 lines).
>
>  
>
>  
>
> A)  Pfcmd checkup reports a lot of errors
>
> B)  Web Admin stops working.
>
>  
>
>  
>
> *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, 31 October 2017 17.32
> *To:* Alessandro Canella
> <mailto:alessandro.cane...@itcare.it>;
> packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Re: R: [PacketFence-users] Radius Project Reloaded
>
>  
>
> Once you have the file do
>
> cd /usr/local/pf
>
> patch -p1 < the_patch.diff
>
>  
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-10-31 at 11:56, Alessandro Canella wrote:
>
> Hello Fabrice,
>
>  
>
>  
>
> Done some tests. Cannot grant internet access to PF, so I’ve
> pasted diff content in a local diff file, but it doesn’t work
> (remains frozen and needs a Ctrl-C to return to prompt)
>
>  
>
> Not too simply.. any ideas? Can I execute single lines of diff
> file?
>
>  
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 31 October 2017 14.15
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand
> <mailto:fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Radius Project Reloaded
>
>  
>
> Hello Alessandro,
>
> can you try this patch:
>
> cd /usr/local/pf
>
> curl
> 
> https://github.com/inverse-inc/packetfence/commit/fa866d14be0b16ef1af0ed849c85a481a4011048.diff
> | patch -p1
>
> Then restart packetfence.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> Le 2017-10-31 à 07:59, Alessandro Canella via
> PacketFence-users a écrit :
>
> Hello all,
>
>  
>
> after closing successfully inline config, I will try to
> config AAA in Zyxel Switches.
>
>  
>
> I’ve configured dictionary.zyxel and clients.conf too ,
> according this faq :
> 
> https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451&lang=EN
> 
> <https://kb.zyxel.com/KB/searchArticle%21gwsViewDetail.action?articleOid=009451&lang=EN>
>
>  
>
> But login doesn’t work. So I’ve created user in
> raddb/users. Nothing happens.
>
>  
>
> I’ve stopped to search log and I’ve found in
> usr/local/pf/logs/radius.log
>
>  
>
> Oct 31 11:10:43 PacketFence-ZEN auth[2945]: Failed binding to auth address 192.168.0.72 port 1812 bound to server packetfence: Address already in use
> Oct 31 11:10:43 PacketFence-ZEN auth[2945]: /usr/local/pf/raddb/auth.conf[23]: Error binding to port for 192.168.0.72 port 1812
>
> /usr/local/pf/raddb/auth.conf contains:
>
> listen {
>     ipaddr = 127.0.0.1
>     port = 18120
>     type = auth
>     virtual_server = packetfence
> }
>
> listen {
>     ipaddr = 192.168.0.72

Re: [PacketFence-users] R: R: R: Radius Project Reloaded

2017-11-02 Thread Fabrice Durand via PacketFence-users
ry to disable.)
>
> patching file lib/pf/services/manager/radiusd_child.pm
>
> patch unexpectedly ends in middle of line
>
> Hunk #1 succeeded at 567 with fuzz 1 (offset -23 lines).
>
>  
>
>  
>
> A)  Pfcmd checkup reports lot of error
>
> B)  Web Admin stop works.
>
>  
>
>  
>
> *Da:*Fabrice Durand [mailto:fdur...@inverse.ca]
> *Inviato:* martedì 31 ottobre 2017 17.32
> *A:* Alessandro Canella 
> <mailto:alessandro.cane...@itcare.it>;
> packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Oggetto:* Re: R: [PacketFence-users] Radius Project Reloaded
>
>  
>
> Once you have the file do
>
> cd /usr/local/pf
>
> patch -p1 < the_patch.diff
>
>  
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> Le 2017-10-31 à 11:56, Alessandro Canella a écrit :
>
> Hello Fabrice,
>
>  
>
>  
>
> Done some tests. Cannot grant internet access to PF, so I’ve
> pasted diff content in a local diff file, but doesn’t work
> (remains freezed and needs a ctrl-c to return to prompt)
>
>  
>
> Not too simply.. any ideas? Can I execute single lines of diff
> file?
>
>  
>
> *Da:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Inviato:* martedì 31 ottobre 2017 14.15
> *A:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand 
> <mailto:fdur...@inverse.ca>
> *Oggetto:* Re: [PacketFence-users] Radius Project Reloaded
>
>  
>
> Hello Alessandro,
>
> can you try this patch:
>
> cd /usr/local/pf
>
> curl
> 
> https://github.com/inverse-inc/packetfence/commit/fa866d14be0b16ef1af0ed849c85a481a4011048.diff
> | patch -p1
>
> Then restart packetfence.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> Le 2017-10-31 à 07:59, Alessandro Canella via
> PacketFence-users a écrit :
>
> Hello all,
>
>  
>
> after closing successfully inline config, I will try to
> config AAA in Zyxel Switches.
>
>  
>
> I’ve configured dictionary.zyxel and clients.conf too ,
> according this faq :
> 
> https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451&lang=EN
> 
> <https://kb.zyxel.com/KB/searchArticle%21gwsViewDetail.action?articleOid=009451&lang=EN>
>
>  
>
> But login doesn’t work. So I’ve created user in
> raddb/users. Nothing happens.
>
>  
>
> I’ve stopped to search log and I’ve found in
> usr/local/pf/logs/radius.log
>
> Oct 31 11:10:43 PacketFence-ZEN auth[2945]: Failed binding to auth address 192.168.0.72 port 1812 bound to server packetfence: Address already in use
> Oct 31 11:10:43 PacketFence-ZEN auth[2945]: /usr/local/pf/raddb/auth.conf[23]: Error binding to port for 192.168.0.72 port 1812
>
> /usr/local/pf/raddb/auth.conf contains:
>
> listen {
>     ipaddr = 127.0.0.1
>     port = 18120
>     type = auth
>     virtual_server = packetfence
> }
>
> listen {
>     ipaddr = 192.168.0.72
>     port = 0
>     type = auth
>     virtual_server = packetfence
> }
>
> listen {
>     ipaddr = 192.168.0.72
>     port = 0
>     type = auth
>     virtual_server = packetfence
> }
>
> Last “listen” is row 23, I think can be safely removed.
>
> But if row 23 goes on error, it’s because as you see
> listener is already on…so where I can find my AAA error?
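The bind failure quoted in this thread (two `listen` blocks for 192.168.0.72 with `port = 0`) can be caught before the service is restarted. The following is an added example, not part of the original messages or of PacketFence: a small Python check that flags `listen` blocks resolving to the same address and port. It assumes flat `listen { key = value }` blocks and that `port = 0` means the default port for the type (1812 for auth, 1813 for acct); the function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: "port = 0" resolves to the default RADIUS port for the listener type.
DEFAULT_PORTS = {"auth": 1812, "acct": 1813}

def _listen(ipaddr, port):
    """Constructed helper: render one listen block like those quoted in the thread."""
    return (f"listen {{\n    ipaddr = {ipaddr}\n    port = {port}\n"
            f"    type = auth\n    virtual_server = packetfence\n}}\n")

# Constructed sample: the three blocks from the thread, without blank lines.
SAMPLE_AUTH_CONF = _listen("127.0.0.1", 18120) + _listen("192.168.0.72", 0) * 2

def parse_listen_blocks(text):
    """Return one dict per flat listen block, including its starting line number."""
    blocks, current = [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if re.fullmatch(r"listen\s*\{", line):
            current = {"line": lineno}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return blocks

def effective_socket(block):
    """Resolve the (ipaddr, port) pair the block will actually try to bind."""
    port = int(block.get("port", 0))
    if port == 0:
        port = DEFAULT_PORTS.get(block.get("type"), 0)
    return (block.get("ipaddr", "*"), port)

def find_duplicate_listeners(text):
    """Map (ipaddr, port) to the start lines of all blocks binding it, when more than one."""
    seen = defaultdict(list)
    for block in parse_listen_blocks(text):
        seen[effective_socket(block)].append(block["line"])
    return {sock: lines for sock, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    for (ip, port), lines in find_duplicate_listeners(SAMPLE_AUTH_CONF).items():
        print(f"{ip}:{port} is bound by listen blocks starting at lines {lines}")
```

Run against a copy of the generated `auth.conf`, a non-empty result points at the block that will fail with "Address already in use".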

Re: [PacketFence-users] Entarasys/Extreme B5 Switch

2017-11-02 Thread Fabrice Durand via PacketFence-users
Hello Stephen,


It looks like there is an issue connecting to the OMAPI socket.

Is the DHCP server running?

Also try to disable OMAPI in the admin gui and restart pfqueue.

Regards

Fabrice



Le 2017-11-02 à 10:20, Stephen Appleby via PacketFence-users a écrit :
>
> I've set up radius and MAC auth on an Enterasys/Extreme B5K125 switch.
>
> Everything seems to be working correctly, but I'm seeing the
> following error in the packetfence log whenever someone connects a
> device.
>
>
>
> Nov  2 09:15:28 PacketFence-ZEN pfqueue: pfqueue(6190) WARN:
> [mac:34:64:a9:d1:a9:0a] Use of uninitialized value $version in pack at
> /usr/local/pf/lib/pf/OMAPI.pm line 256.
> Nov  2 09:15:28 PacketFence-ZEN pfqueue: pfqueue(8708) WARN:
> [mac:34:64:a9:d1:a9:0a] Use of uninitialized value $version in pack at
> /usr/local/pf/lib/pf/OMAPI.pm line 256.
> Nov  2 09:15:28 PacketFence-ZEN pfqueue: pfqueue(6190) WARN:
> [mac:34:64:a9:d1:a9:0a] Use of uninitialized value $headerLength in
> pack at /usr/local/pf/lib/pf/OMAPI.pm line 256.
> Nov  2 09:15:28 PacketFence-ZEN pfqueue: pfqueue(8708) WARN:
> [mac:34:64:a9:d1:a9:0a] Use of uninitialized value $headerLength in
> pack at /usr/local/pf/lib/pf/OMAPI.pm line 256.
> Nov  2 09:15:28 PacketFence-ZEN pfqueue: pfqueue(6190) WARN:
> [mac:34:64:a9:d1:a9:0a] Use of uninitialized value in numeric eq (==)
> at /usr/local/pf/lib/pf/OMAPI.pm line 287.
> Nov  2 09:15:28 PacketFence-ZEN pfqueue: pfqueue(6190) ERROR:
> [mac:34:64:a9:d1:a9:0a] Error send auth at
> /usr/local/pf/lib/pf/OMAPI.pm line 269.
> Nov  2 09:15:28 PacketFence-ZEN pfqueue: pfqueue(8708) WARN:
> [mac:34:64:a9:d1:a9:0a] Use of uninitialized value in numeric eq (==)
> at /usr/local/pf/lib/pf/OMAPI.pm line 287.
> Nov  2 09:15:28 PacketFence-ZEN pfqueue: pfqueue(8708) ERROR:
> [mac:34:64:a9:d1:a9:0a] Error send auth at
> /usr/local/pf/lib/pf/OMAPI.pm line 269.
>
>
>
>
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
