Re: [PacketFence-users] Fw: Can't add authentication Rules

2017-09-17 Thread Louis Munro via PacketFence-users
Please show us your conf/authentication.conf file (suitably stripped of 
passwords and secrets).

This looks like a bug that has been fixed in maintenance.
Which version is this again?
And did you run the /usr/local/pf/addons/pf-maint.pl script?

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 

+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Sep 17, 2017, at 05:22, Kimiko_Yan via PacketFence-users 
>  wrote:
> 
> Anyone ?
> 
> After I edit the authentication.conf file as 
> https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg12514.html
>  this post said, I still can't do the web auth via radius with local account 
> created in mysql. And the packetfence keep generating the same log on and on, 
> never stop generating logs even I have stopped sending request...
> 
> Is it a bug or something ? How to solve it ?
> 
> [root@localhost conf]# radtest dd Abcd1234 localhost:18120 12 testing123
> Sent Access-Request Id 20 from 0.0.0.0:45150 to 127.0.0.1:18120 length 76
>   User-Name = "dd"
>   User-Password = "Abcd1234"
>   NAS-IP-Address = 127.0.0.1
>   NAS-Port = 12
>   Message-Authenticator = 0x00
>   Cleartext-Password = "Abcd1234"
> Received Access-Reject Id 20 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
> (0) -: Expected Access-Accept got Access-Reject
> 
> [root@localhost conf]# radtest admin admin-pass localhost:18120 12 testing123
> Sent Access-Request Id 7 from 0.0.0.0:51482 to 127.0.0.1:18120 length 75
>   User-Name = "admin"
>   User-Password = "admin-pass"
>   NAS-IP-Address = 127.0.0.1
>   NAS-Port = 12
>   Message-Authenticator = 0x00
>   Cleartext-Password = "admin-pass"
> Received Access-Reject Id 7 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
> (0) -: Expected Access-Accept got Access-Reject
> 
> #packetfence.log:
> Sep 17 17:08:54 localhost packetfence_httpd.aaa: httpd.aaa(19008) ERROR: 
> [mac:[undef]] unable to read password file '/usr/local/pf/conf/admin.conf' 
> (pf::Authentication::Source::HtpasswdSource::authenticate)
> ...
> ...
> ...
> Sep 17 17:14:31 localhost packetfence_httpd.aaa: httpd.aaa(19008) ERROR: 
> [mac:[undef]] Unable to perform RADIUS authentication on any server: ETIMEOUT 
> (pf::Authentication::Source::RADIUSSource::_handle_radius_request)
> Sep 17 17:14:31 localhost packetfence_httpd.aaa: httpd.aaa(19008) INFO: 
> [mac:[undef]] User dd tried to login in 127.0.0.1 but authentication 
> failed (pf::radius::switch_access)
> Sep 17 17:14:31 localhost packetfence_httpd.aaa: httpd.aaa(19008) ERROR: 
> [mac:[undef]] unable to read password file '/usr/local/pf/conf/admin.conf' 
> (pf::Authentication::Source::HtpasswdSource::authenticate)
> 
> #radius.log
> Sep 17 17:18:36 localhost auth[19420]: [mac:] Rejected user: dd
> Sep 17 17:18:36 localhost auth[19420]: (45715) Rejected in post-auth: 
> [dd] (from client localhost port 0)
> Sep 17 17:18:36 localhost auth[19420]: (45716) rest: ERROR: Server returned:
> Sep 17 17:18:36 localhost auth[19420]: (45716) 

Re: [PacketFence-users] upgrade to pf 7.2 constant parking violations

2017-09-15 Thread Louis Munro via PacketFence-users
Hi Gary,
Was there an actual problem with registration?
The message about the violation being force closed seems to be a case of over 
aggressive logging more than anything.
You can ignore it.

Regards,
--
Louis Munro

> On Sep 15, 2017, at 10:33, Gary Stansbury via PacketFence-users 
>  wrote:
> 
> Hello all,
> 
> I've just upgraded from pf 6.5 to 7.2 and am now constantly seeing these in 
> my packetfence.log:
> 
> Sep 15 09:47:50 dvpf2 packetfence_httpd.aaa: httpd.aaa(1374) INFO: 
> [mac:7c:04:d0:18:b7:85] violation 133 force-closed for 7c:04:d0:18:b7:85 
> (pf::violation::violation_force_close)
> 
> 
> Seems to be related to parking but I can't get it to turn off!  So far I've 
> tried disabling the violation, which the gui appears to accept but which 
> doesn't actually disable the violation, I've tried removing all actions from 
> the violation, I've tried setting my pf.conf httpd_parking=disabled, and I've 
> made sure my threshold=0 (my pf is not leasing IP addresses so I don't wish 
> to use parking at this time), and I have tried subscribing to the maintenance 
> branch after finding this in the forums
> https://sourceforge.net/p/packetfence/mailman/message/35352599/ 
> but still after every authentication pf is issuing violation 133 and 
> force closing the connection.
> 
> Out of desperation I've reverted back to 6.5 for now, but of course with the 
> database updates now I have no nodes listed through the gui.
> 
> Anyone else seen this or a dev knows what I'm dealing with?  Ours is a routed 
> setup, no inline.
> 
> Thanks,
> 
> --
> Gary Stansbury
> Network Engineer
> Troup County Board of Education, LaGrange, GA
> 


Re: [PacketFence-users] EAP-TTLS showing as connection type "Wireless-802.11-NoEAP"

2017-08-22 Thread Louis Munro via PacketFence-users
Hi Matt,
Can you try this patch please?

https://github.com/louismunro/packetfence/commit/9231fb76249289cfcfbe2db25524e2d4206fd001.diff

Apply it like this:

# cd /usr/local/pf
# wget -Ofix.patch https://github.com/louismunro/packetfence/commit/9231fb76249289cfcfbe2db25524e2d4206fd001.diff
# patch -p1 < fix.patch
# cp conf/radiusd/packetfence-tunnel{.example,}
# systemctl restart packetfence-radiusd-auth


The issue seems to stem from a missing EAP-Type attribute inside the TLS tunnel 
when using TTLS.
Please let us know if that helps.

Regards,
--
Louis Munro

> On Aug 22, 2017, at 01:45, Matt Munro via PacketFence-users 
>  wrote:
> 
> Hi Fabrice,
> 
> I've attached the results of raddebug, only modified to remove the password.
> 
> Thanks
> 
> 
> Matt Munro
> Network Administrator
> Brighton Road, Somerton Park SA 5044
> t: (08) 83502711
> e: mattmu...@shc.sa.edu.au 
> www.shc.sa.edu.au 
> CRICOS Provider No. 00626K
> 
> On Tue, Aug 22, 2017 at 9:53 AM, Durand fabrice via PacketFence-users 
>  > wrote:
> Hello Matt,
> 
> can you provide the result of raddebug -f var/run/radius.sock ?
> 
> The answer will be in this debug and you will probably have to add some 
> unlang code in packetfence-tunnel.
> Regards
> 
> Fabrice
> 





Re: [PacketFence-users] PIN confirmation not received via SMS on phone

2017-08-15 Thread Louis Munro via PacketFence-users
SMS activation codes are sent using an email to SMS gateway.
Check to see if the email is actually sent and accepted by the provider.


Regards,
--
Louis Munro

> On Aug 15, 2017, at 10:34, Akala Kehinde via PacketFence-users 
>  wrote:
> 
>> Hello guys,
>> 
>> Below is my config:
>> 
>> [MAWOH_SMS]
>> create_local_account=no
>> set_access_level_action=
>> sms_carriers=100113
>> local_account_logins=0
>> description=SMS-based registration for Mawoh Guests
>> type=SMS
>> 
>> Looks right, but don't know what's wrong..
>> Any help is appreciated..
>> 
>> Thanks
> 
> 
> Regards,
> Kehinde
> 
> On Mon, Aug 14, 2017 at 8:26 PM, Akala Kehinde  > wrote:
> Hello guys,
> 
> Need your help urgently on this one. I tried testing the SMS external 
> authentication source but does not work.
> My mobile carrier's SMS gateway is in the sms_carrier database but I don't 
> receive PIN confirmation to my phone when I test.
> 
> Any ideas what the problem may be.
> 


Re: [PacketFence-users] Caught exception in captiveportal... when choosing sms method

2017-08-15 Thread Louis Munro via PacketFence-users
Please don't hijack threads.
Start your own question and let people reply.

--
Louis Munro

> On Aug 15, 2017, at 09:21, Akala Kehinde  wrote:
> 
> Hello Louis/Rossing,
> 
> I am trying to make the SMS Auth work as well, but in my case, I am not 
> receiving any PIN confirmations on my mobile phone. Could this be a problem 
> with the mobile carrier, in my case T-Mobile Germany.
> 
> The config looks right, but don't know what's wrong..
> 
> [MAWOH_SMS]
> create_local_account=no
> set_access_level_action=
> sms_carriers=100113
> local_account_logins=0
> description=SMS-based registration for Mawoh Guests
> type=SMS
> 
> Any help is appreciated..
> 
> Thanks.
> 
> Regards,
> Kehinde





Re: [PacketFence-users] Caught exception in captiveportal... when choosing sms method

2017-08-14 Thread Louis Munro via PacketFence-users
Hi Will,
Can you try this patch please?

https://github.com/inverse-inc/packetfence/commit/b9642f12ed9bd3ec62f800bd4a5dfd36702553c2.diff

Apply it by downloading it and then using patch, i.e.:

# cd /usr/local/pf
# wget https://github.com/inverse-inc/packetfence/commit/b9642f12ed9bd3ec62f800bd4a5dfd36702553c2.diff
# patch -p1 < b9642f12ed9bd3ec62f800bd4a5dfd36702553c2.diff
# bin/pfcmd service pf restart

Then you can try deleting the source from the GUI and then recreating it again.
If it works we've got ourselves a fix.

Regards,
--
Louis Munro

> On Aug 14, 2017, at 14:29, Rossing, Will  wrote:
> 
> Hey Louis, Yes I was just going to report that that works, just comma 
> separation, the GUI won't show the list but it still works. Thanks for 
> your reply!
> 
> On Mon, Aug 14, 2017 at 12:37 PM, Louis Munro  > wrote:
> Hi Will,
> This looks like a bug from the GUI that saves the list of carriers the wrong 
> way.
> 
> Can you try to change the source to this (manually edit the file):
> 
> 
> [sms]
> description=SMS-based registration
> sms_carriers=100061,100107
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
> 
> Then run this command:
> 
> # /usr/local/pf/bin/pfcmd configreload hard
> 
> 
> 
> And try again?
> 
> The bug, if that's what it is, is in the code that saves the config.
> So editing the file and reloading it should be a (temporary) workaround.
> 
> Please confirm if this works for you.
> If it does we'll open an issue on GitHub for tracking and issue a maintenance 
> patch.
> 
> 
> Regards,
> --
> Louis Munro
> 
>> On Aug 14, 2017, at 12:51, Rossing, Will via PacketFence-users 
>> > > wrote:
>> 
>> More info, it works when we only put one SMS provider in the list, if we add 
>> more than one, it gets the exception error.
>> This is how it writes multiple carriers to the config file and seems like it 
>> can't parse it properly or something:
>> 
>> [sms]
>> description=SMS-based registration
>> sms_carriers= <<EOT
>> 100061
>> 100107
>> EOT
>> type=SMS
>> create_local_account=no
>> set_access_level_action=
>> local_account_logins=0
>> 
>> 
>> 
>> One provider works:
>> [sms]
>> description=SMS-based registration
>> sms_carriers=100107
>> type=SMS
>> create_local_account=no
>> set_access_level_action=
>> local_account_logins=0
>> 
>> 
>> On Mon, Aug 14, 2017 at 10:59 AM, Rossing, Will > > wrote:
>> Just deploying 7.2 to production and am getting the following when choosing 
>> the sms authentication in the captive portal.
>> 
>> Caught exception in captiveportal::Controller::Root>dynamic_application 
>> "Can't call method "fetchall_arrayref" on an undefined value at 
>> /usr/local/pf/lib/pf/sms_carrier.pm  line 88."
>> 
>> I swear this worked last week when I put the box in production temporarily.  
>> I've tried removing and adding back in carriers, etc. Any ideas? I hate 
>> to have to roll back if I can avoid it!
>> 
>> Thanks
>> 
>> Will
>> 
>> --
>> 
>> 
>> Will Rossing
>> Manager, Network Services  | 218.723.6729  | 
>> wross...@css.edu 
>> 
>> 

Re: [PacketFence-users] Caught exception in captiveportal... when choosing sms method

2017-08-14 Thread Louis Munro via PacketFence-users
Hi Will,
This looks like a bug from the GUI that saves the list of carriers the wrong 
way.

Can you try to change the source to this (manually edit the file):


[sms]
description=SMS-based registration
sms_carriers=100061,100107
type=SMS
create_local_account=no
set_access_level_action=
local_account_logins=0

Then run this command:

# /usr/local/pf/bin/pfcmd configreload hard



And try again?

The bug, if that's what it is, is in the code that saves the config.
So editing the file and reloading it should be a (temporary) workaround.

Please confirm if this works for you.
If it does we'll open an issue on GitHub for tracking and issue a maintenance 
patch.


Regards,
--
Louis Munro

> On Aug 14, 2017, at 12:51, Rossing, Will via PacketFence-users 
>  wrote:
> 
> More info, it works when we only put one SMS provider in the list, if we add 
> more than one, it gets the exception error.
> This is how it writes multiple carriers to the config file and seems like it 
> can't parse it properly or something:
> 
> [sms]
> description=SMS-based registration
> sms_carriers= <<EOT
> 100061
> 100107
> EOT
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
> 
> 
> 
> One provider works:
> [sms]
> description=SMS-based registration
> sms_carriers=100107
> type=SMS
> create_local_account=no
> set_access_level_action=
> local_account_logins=0
> 
> 
> On Mon, Aug 14, 2017 at 10:59 AM, Rossing, Will  > wrote:
> Just deploying 7.2 to production and am getting the following when choosing 
> the sms authentication in the captive portal.
> 
> Caught exception in captiveportal::Controller::Root>dynamic_application 
> "Can't call method "fetchall_arrayref" on an undefined value at 
> /usr/local/pf/lib/pf/sms_carrier.pm  line 88."
> 
> I swear this worked last week when I put the box in production temporarily.  
> I've tried removing and adding back in carriers, etc. Any ideas? I hate 
> to have to roll back if I can avoid it!
> 
> Thanks
> 
> Will
> 
> --
> 
> 
> Will Rossing
> Manager, Network Services  | 218.723.6729  | 
> wross...@css.edu 
> 
> 
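Added example, not part of the original posts or of PacketFence: a lint for the condition discussed in the two messages above, where the GUI saves several carriers in heredoc form (<<EOT ... EOT) instead of the comma-separated list that works. The function name is hypothetical and the file to check is passed as an argument; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: flag SMS sources whose sms_carriers value is not a plain
# comma-separated list of carrier ids (the form that worked in the thread).

# Usage: check_sms_carriers FILE
# Prints "<section>: <problem>" per offending SMS source; returns 1 if any.
check_sms_carriers() {
    awk '
        function report() {
            if (is_sms && problem != "") {
                printf "%s: %s\n", section, problem
                found = 1
            }
        }
        # A new [section] header closes the previous section.
        /^\[/ {
            report()
            section = $0
            sub(/^\[/, "", section); sub(/\].*$/, "", section)
            is_sms = 0; problem = ""
            next
        }
        /^[ \t]*type[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (v == "SMS") is_sms = 1
            next
        }
        /^[ \t]*sms_carriers[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (v ~ /^<</)
                problem = "heredoc value " v ", expected id,id,..."
            else if (v !~ /^[0-9]+(,[0-9]+)*$/)
                problem = "value \"" v "\" is not a comma-separated id list"
            next
        }
        END { report(); exit found + 0 }
    ' "$1"
}

# Demo on a constructed sample: sh check_sms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    cat > "$sample" <<'CONF'
[sms]
description=SMS-based registration
sms_carriers= <<EOT
100061
100107
EOT
type=SMS
CONF
    check_sms_carriers "$sample"; status=$?
    rm -f "$sample"
    exit "$status"
fi
```

After correcting a flagged source by hand, the reload command quoted in the thread (pfcmd configreload hard) applies the change.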


Re: [PacketFence-users] Export Nodes from 6.20 for import into 7.2?

2017-08-02 Thread Louis Munro via PacketFence-users
Mysqldump allows you to specify which table(s) to dump, or conversely to dump 
all tables and exclude some (--ignore-table).

Off the top of my head I would at least dump the node, node_category and person 
tables.

It's also possible to select only some of the data to be dumped with the 
--where option.
See man mysqldump for the gory details. 

What I would do:
1. Install new PF and go through the configurator to create the database and
   pf user with the proper permissions.
2. In mysql, on the new server, "drop database pf".
3. In mysql, on the new server, "create database pf" (will create a new empty
   database).
4. Run a "mysqldump -R --no-data pf > nodata_dump.sql" on the old server (will
   create a copy of the existing database schema).
5. Dump the data you want to preserve: "mysqldump [options] pf table1 table2
   table3 > dump.sql"
6. Import that dump into the new server "mysql pf < nodata_dump.sql" (will
   recreate the tables from your old server)
7. Import the data that you exported: "mysql pf < dump.sql"
8. Run all the upgrade scripts, in order, from 6.2 to 7.2 as mentioned in
   UPGRADE.ascii:
   e.g. "mysql pf < db/upgrade-6.2.0-6.3.0.sql ;  mysql pf <
   db/upgrade-6.3.0-6.4.0.sql"
   and so on.


That should ensure your database schema is consistent.

Personally though, I feel it's much easier to just import everything (perhaps 
excluding the accounting and archives tables) and then just prune the data in 
place on the new server.
You can check what you are about to delete before doing it. 
So I usually replace step 5 above with just 

# mysqldump pf --ignore-table=pf.radacct --ignore-table=pf.radacct_log \
    --ignore-table=pf.ip4log_archive --ignore-table=pf.locationlog_archive \
    --ignore-table=pf.radius_audit_log > pf_dump.sql

Hope this helps,
--
Louis Munro

> On Aug 2, 2017, at 10:32, Rossing, Will via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hey Louis, 
> 
> Thanks for the reply,  Only because I saw the import-node-csv.pl script.
> Also, I would be able to clean the data up a little before importing on the
> new server.
> 
> I am all ears If it makes more sense to use mysqldump  - any tips for 
> import/export process for just the nodes table with that command?
> 
> Thanks again 
> 
> Will
> 
> >>>
> Louis Munro via PacketFence-users Wed, 02 Aug 2017 06:55:06 -0700
> 
> Why a CSV?
> A mysqldump would preserve the data and be much easier to reimport.
> 
> 
> 
> On Wed, Aug 2, 2017 at 6:15 AM, Rossing, Will <wross...@css.edu> wrote:
> >
> > Hello,
> >
> > Upgrading from 6.2 to 7.2 and decided to do clean install and import 
> > currently registered nodes.  Can someone tell me the most simple way to 
> > export from 6.2 into a csv that I can import into 7.2?
> >
> > Thank you!
> >
> > will
> >
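Added example, not from the original post or the PacketFence project: the procedure above as a dry-run planner that only prints the commands. It goes slightly beyond the post by resolving the upgrade-<from>-<to>.sql chain from the db/ directory and refusing to continue when a step is missing. Function names, the /usr/local/pf/db path and the three-part version strings are assumptions.

```shell
#!/bin/sh
# Added example: dry-run planner for the migration steps in the post.
# It only prints commands; nothing here connects to a database.

# Tables the post leaves out of the full dump (accounting and archives).
SKIP_TABLES="radacct radacct_log ip4log_archive locationlog_archive radius_audit_log"

# Print the "dump everything except ..." mysqldump command for database $1.
dump_command() {
    db=$1
    cmd="mysqldump $db"
    for t in $SKIP_TABLES; do
        cmd="$cmd --ignore-table=$db.$t"
    done
    printf '%s > pf_dump.sql\n' "$cmd"
}

# Print, in order, the scripts in directory $1 that lead from version $2 to
# version $3, following the upgrade-<from>-<to>.sql names used in the post.
# Returns 1 if a link is missing, so a schema step is never silently skipped.
upgrade_chain() {
    dir=$1 cur=$2 target=$3
    while [ "$cur" != "$target" ]; do
        next=""
        for f in "$dir"/upgrade-"$cur"-*.sql; do
            [ -e "$f" ] || continue
            next=${f##*/upgrade-"$cur"-}
            next=${next%.sql}
            break
        done
        if [ -z "$next" ] || [ "$next" = "$cur" ]; then
            echo "no upgrade script leading on from $cur in $dir" >&2
            return 1
        fi
        printf '%s\n' "$f"
        cur=$next
    done
}

# Print the whole plan for database $1, script directory $2, versions $3 -> $4.
print_plan() {
    db=$1 dbdir=$2 from=$3 to=$4
    # Resolve the chain first: a broken chain aborts before anything is printed.
    chain=$(upgrade_chain "$dbdir" "$from" "$to") || return 1
    echo "umask 077    # dump files hold node and user records"
    echo "# old server"
    echo "mysqldump -R --no-data $db > nodata_dump.sql"
    dump_command "$db"
    echo "# new server, after the configurator has created the database and pf user"
    echo "mysql -e 'drop database $db'"
    echo "mysql -e 'create database $db'"
    echo "mysql $db < nodata_dump.sql"
    echo "mysql $db < pf_dump.sql"
    printf '%s\n' "$chain" | while read -r script; do
        [ -n "$script" ] && echo "mysql $db < $script"
    done
    return 0
}

# Example: sh plan.sh --plan   (path and versions are assumptions)
if [ "${1:-}" = "--plan" ]; then
    print_plan pf /usr/local/pf/db 6.2.0 7.2.0
fi
```

Review the printed plan, then run it step by step on the host each comment names.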


Re: [PacketFence-users] Export Nodes from 6.20 for import into 7.2?

2017-08-02 Thread Louis Munro via PacketFence-users
Sure, that works if all you need is a list of the nodes.

The issue with importing this is that you will miss some of the data, and the 
relational integrity of the database will break.
For instance this does not import the roles, the users or the locationlog.

So we don't actually recommend that.

Regards,
--
Louis Munro

> On Aug 2, 2017, at 10:18, Ortega Gustavo Martin via PacketFence-users 
>  wrote:
> 
> Hi 
> Another way is using the pfcmd program
> For example, run at PF6.2:
> 
> /usr/local/pf/bin/pfcmd node view all | grep '|reg|' | awk -F "|" '{print 
> "/usr/local/pf/bin/pfcmd node add \""$1"\" computername=\""$2"\" pid=\""$3"\" 
> category=\""$4"\" status=\""$5"\" bypass_vlan=\""$6"\" voip=\""$8"\" 
> detect_date=\""$9"\" regdate=\""$10"\" unregdate=\""$11"\" 
> last_connection_type=\""$12"\" last_switch=\""$13"\" last_port=\""$14"\" 
> last_vlan=\""$15"\" last_ssid=\""$16"\" last_dot1x_username=\""$17"\" 
> user_agent=\""$18"\" dhcp_fingerprint=\""$19"\" last_arp=\""$20"\" 
> last_dhcp=\""$21"\" lastskip=\""$22"\" notes=\""$23"\""}'
> 
> The output is ready to run on the new PF box.
> 
> Have a nice day!
> 
> Gustavo Martín Ortega
> 
> On Aug 2, 2017, at 08:45, Rossing, Will via PacketFence-users wrote:
> 
>> Hello,
>> 
>> Upgrading from 6.2 to 7.2 and decided to do clean install and import 
>> currently registered nodes.  Can someone tell me the most simple way to 
>> export from 6.2 into a csv that I can import into 7.2?
>> 
>> Thank you!
>> 
>> will
>> 
>> -- 
>>  
>> 
>> Will Rossing
>> Manager, Network Services  | 218.723.6729  | 
>> wross...@css.edu 

Re: [PacketFence-users] Export Nodes from 6.20 for import into 7.2?

2017-08-02 Thread Louis Munro via PacketFence-users
Why a CSV?
A mysqldump would preserve the data and be much easier to reimport.


--
Louis Munro

> On Aug 2, 2017, at 07:15, Rossing, Will via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> Upgrading from 6.2 to 7.2 and decided to do clean install and import 
> currently registered nodes.  Can someone tell me the most simple way to 
> export from 6.2 into a csv that I can import into 7.2?
> 
> Thank you!
> 
> will
> 
> -- 
>   
> 
> Will Rossing
> Manager, Network Services  | 218.723.6729  | 
> wross...@css.edu 


Re: [PacketFence-users] dhcpd not starting

2017-08-01 Thread Louis Munro via PacketFence-users

> I have a 3 member PF 7.2 cluster built from ZEN machines.
> On member #3, the dhcpd service does not start. When I try to start it, I get 
> the message “Service 'dhcpd' is not managed by PacketFence. Therefore, no 
> action will be performed”
>  
> Shouldn’t dhcpd be running on all members?
>  
> I also am seeing in packetfence.log the messages “Can't bind : 
> IO::Socket::INET: connect: Connection refused 
> (pf::ip4log::_get_lease_from_omapi)”
> I assume this is because dhcpd is not running.
>  


Hi Darryl,
ISC dhcpd does not support an active/active 3 node configuration.
It's normal that it won't start on the third node.

Indeed the message above is because it's not running locally.
PacketFence will get the lease information from the database in that case.

Regards,
--
Louis Munro


Re: [PacketFence-users] How to config database address

2017-07-27 Thread Louis Munro via PacketFence-users

> On Jul 26, 2017, at 20:51, 沧海云帆  wrote:
> 
> Hello Louis,
> I have change /var/lib/mysql to /var/lib/mysql-bak,when I run systemctl 
> status mariadb and journalctl -xe, it show as below:
> [root@localhost pf]# systemctl start mariadb
> Job for mariadb.service failed because the control process exited with error 
> code. See "systemctl status mariadb.service" and "journalctl -xe" for details.
> [root@localhost pf]# systemctl status mariadb
> ● mariadb.service - MariaDB database server
>Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor 
> preset: disabled)
>   Drop-In: /etc/systemd/system/mariadb.service.d
>└─migrated-from-my.cnf-settings.conf
>Active: failed (Result: exit-code) since Thu 2017-07-27 08:52:58 CST; 3s 
> ago
>   Process: 20457 ExecStart=/usr/sbin/mysqld $MYSQLD_OPTS $_WSREP_NEW_CLUSTER 
> $_WSREP_START_POSITION (code=exited, status=1/FAILURE)
>   Process: 20445 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && 
> VAR= ||   VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ]   && systemctl 
> set-environment _WSREP_START_POSITION=$VAR || exit 1 (code=exited, 
> status=0/SUCCESS)
>   Process: 20443 ExecStartPre=/bin/sh -c systemctl unset-environment 
> _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
>  Main PID: 20457 (code=exited, status=1/FAILURE)
>Status: "MariaDB server is down"



That's because the actual service is "packetfence-mariadb".

Try 
# systemctl status packetfence-mariadb
and then perhaps 
# systemctl start packetfence-mariadb


--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] Help Please

2017-07-26 Thread Louis Munro via PacketFence-users


> On Jul 26, 2017, at 08:47, darksom--- via PacketFence-users 
>  wrote:
> 
> I would like to know two things:
> 
> 1 - How to clean logs from /usr/local/pf/logs without causing problems?
> 
logrotate should do that for you already, subject to its configuration.

See /etc/logrotate.d/packetfence.conf

It can be run manually. See man logrotate.

Ultimately these are just text files.
You can move them around, compress them, whatever.

The only caveat is that if a process is running (and has an open file 
descriptor to one of those files) you should stop it first before moving or 
deleting the file.
But I recommend letting logrotate do it for you.

If it's keeping too much to your taste all you need to do is to edit 
/etc/logrotate.d/packetfence.conf to have it keep fewer copies, or rotate it 
more frequently.


> 2 - how to see and how to change the routine to check the status of nodes 
> (Registered -> Unregistered)?
> 
> 
> 

I don't know what you mean by that.
Do you mean the pfmon job that changes the state from registered to 
unregistered when a device has reached its unregistration date?
Do you want to see the code for that?
Or just the frequency it runs at?

If the latter, there is a nodes_maintenance_interval variable that is set by 
default to 60s.
You can find it in the "maintenance" section of the GUI.



Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )



Re: [PacketFence-users] How to config database address

2017-07-26 Thread Louis Munro via PacketFence-users


> On Jul 24, 2017, at 23:00, 沧海云帆 via PacketFence-users 
>  wrote:
> 
> Hello,
> PF's database address is /var/lib/mysql. Now I need to change it to 
> /opt/sqldata, and I changed it following these steps:
> #cp -arp /var/lib/mysql /opt/sqldata
> change mysql script:
> #vim /etc/init.d/mysql
> commented out line 70: # datadir=/var/lib/mysql
> add line:datadir=/opt/sqldata
> save and exit


That script is not used by PacketFence, so it's not going to do you any good.


> #vim /usr/local/pf/addons/dev-helpers/centos-chroot/my.cnf
> commented out datadir:# datadir=/var/lib/mysql
> add datadir:datadir=/opt/sqldata
> commented socket:# socket=/var/lib/mysql/mysql.sock
> add socket: socket=/opt/sqldata/mysql.sock
> save and exit

That file is not used in a production PacketFence system.
Doing that is useless.


> 
> #vim /usr/locol/pf/conf/mariadb/maraidb.conf.tt
> change as below:
> #socket= /var/lib/mysql/mysql.sock
> socket  = /opt/sqldata/mysql.sock
> #innodb_data_home_dir = /var/lib/mysql
> innodb_data_home_dir = /opt/sqldata
> #innodb_log_group_home_dir = /var/lib/mysql
> innodb_log_group_home_dir = /opt/sqldata
> 
> #chown -R mysql:mysql /opt/sqldata 
> #reboot
> When the system rebooted, pf still could not connect to the database. The log 
> shows the following:
> Jul 25 11:03:21 localhost packetfence: FATAL -e(656): unable to connect to 
> database: Can't connect to local MySQL server through socket 
> '/var/lib/mysql/mysql.sock' (2 "No such file or directory") at -e line 1.
> What can I do to fix the problem? Thank you!


Rebooting is unnecessary if all you want is to restart a service.
What is systemctl reporting?
What is journalctl showing?


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )



Re: [PacketFence-users] radius accounting info not being mapped to users

2017-07-20 Thread Louis Munro via PacketFence-users
Actually, the query called for the report is report_nodebandwidth_all_sql (see 
lib/pf/pfcmd/report.pm at line 364).

 SELECT radacct.callingstationid as callingstationid,
 SUM(radacct_log.acctinputoctets) AS acctinputoctets,
 SUM(radacct_log.acctoutputoctets) AS acctoutputoctets,
 SUM(radacct_log.acctinputoctets+radacct_log.acctoutputoctets) AS accttotaloctets
 FROM radacct_log
 LEFT JOIN radacct ON radacct_log.acctuniqueid = radacct.acctuniqueid
 GROUP BY radacct.callingstationid
 HAVING radacct.callingstationid IS NOT NULL
 ORDER BY accttotaloctets DESC
 LIMIT 25;

What happens if you run this manually?


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jul 20, 2017, at 10:50, Diego Garcia del Rio  wrote:
> 
> Hi Louis,
> 
> One more thing I noticed is the following...
> 
> The accounting.pm  file is using these two queries:
> 
> $accounting_statements->{'acct_view_sql'} = get_db_handle()->prepare(qq[
> SELECT 
> CONCAT(SUBSTRING(callingstationid,1,2),':',SUBSTRING(callingstationid,3,2),':',SUBSTRING(callingstationid,5,2),':',
>
> SUBSTRING(callingstationid,7,2),':',SUBSTRING(callingstationid,9,2),':',SUBSTRING(callingstationid,11,2))
>  AS mac,
> 
> but in my DB the calling-station-id already has the colons in it, so the 
> substrings will start getting parts of the address with colons in it.
> 
> not sure if this is something that got messed up in the radius conf (where it 
> was expected to homogenize the formatting, or was it expecting a different 
> reporting format from the NAS or something else, but in my case, the "mac" 
> field as calculated will not match... 
> 
> thanks!
> 
> On Wed, Jul 19, 2017 at 8:04 PM, Diego Garcia del Rio wrote:
> Hi Louis,
> 
> Yes, the radacct table also has data. 
> 
> I just noticed though that on my httpd.admin.error log file the following is 
> being logged each time I try to access the graph.
> 
> Jul 19 23:00:38 PacketFence-ZEN httpd_admin_err: [Wed Jul 19 23:00:38 2017] 
> -e: Argument "" isn't numeric in numeric gt (>) at 
> /usr/local/pf/html/pfappserver/root/graph/pie.tt  line 59.
> 
> also, when using ./pfcmd ifoctetshistorymac I don't get any data either.
> 
> See here for some data from the radacct table:
> 
> MariaDB [pf]> select * from radacct
> -> ;
> +---+---+--+---+---+---+--+---+-+-+-+-+--+-+---+--+--+-+--+-+---++-++-+
> | radacctid | acctsessionid | acctuniqueid | username 
>  | groupname | realm | nasipaddress | nasportid | nasporttype | 
> acctstarttime   | acctupdatetime  | acctstoptime| 
> acctinterval | acctsessiontime | acctauthentic | connectinfo_start| 
> connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid   
>   | callingstationid  | acctterminatecause | servicetype | 
> framedprotocol | framedipaddress |
> +---+---+--+---+---+---+--+---+-+-+-+-+--+-+---+--+--+-+--+-+---++-++-+
> | 1 | 59BBE3C4-0007 | 4a0c8abc1db9b2e180f7501f313b9ded | 
> ac:37:43:a4:41:46 |   | null  | 10.0.10.10   | 3 | 
> Wireless-802.11 | 2017-07-19 20:13:35 | 2017-07-19 20:13:35 | 2017-07-19 
> 20:14:06 | NULL |  32 | RADIUS| CONNECT 
> 802.11a/n/ac | CONNECT 802.11a/n/ac |  489362 | 33813114 | 
> f8:e7:1e:af:12:2c:principal | ac:37:43:a4:41:46 | Idle-Timeout   |
>  || 10.100.0.11 |
> | 2 | 59BBE3C4-0008 | 4a0c8abc1db9b2e180f7501f313b9ded | 
> ac:37:43:a4:41:46 |   | null  | 10.0.10.10   | 3 | 
> Wireless-802.11 | 2017-07-19 20:14:19 | 2017-07-19 20:14:19 | 2017-07-19 
> 20:17:49 | NULL | 209 | RADIUS| CONNECT 
> 802.11a/n/ac | CONNECT 802.11a/n/ac |  353797 |   263304 | 
> 58:b6:33:bf:4b:cc:principal | 

Re: [PacketFence-users] local SQL vs wireless 802.1x EAP mschav2

2017-07-20 Thread Louis Munro via PacketFence-users


> On Jul 20, 2017, at 10:16, LE GALL Yohann via PacketFence-users 
>  wrote:
> 
> Unfortunately passwords aren't encrypted...


Nothing prevents you from hashing the string before inserting it.


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] local SQL vs wireless 802.1x EAP mschav2

2017-07-20 Thread Louis Munro via PacketFence-users


> On Jul 20, 2017, at 09:49, Kylián Martin via PacketFence-users 
>  wrote:
> 
> Does anyone use a custom application to create users in local SQL?
> I would like to make a portal where Single SignON for domain users will work 
> - here they set their wifi password and the portal stores the password + 
> username and other attributes in local SQL. (Not as a Captive portal)
> Is this supported?

I can't answer for what others do, but as long as you store the passwords in 
the right table and column (password.password) and in the right format (they 
need to be prefixed with {ntlm} if they are NT hashes), then configure a 
connection profile to use the local database as authentication source it should 
work.
Take a look at lib/pf/password.pm around line 495 for an example.

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] local SQL vs wireless 802.1x EAP mschav2

2017-07-20 Thread Louis Munro via PacketFence-users


> On Jul 20, 2017, at 09:10, Kylián Martin via PacketFence-users 
>  wrote:
> 
> Hi everyone,
> 
> I would like to use packetfence for 802.1x PEAP / EAP-MSchapv2 wireless 
> authentication. (And other features)
> But I do not want to use the AD binding (as it is now). For security reasons, 
> I want to use local SQL and authenticate users there.
> (Can I insert users to local sql with my own application correctly?)
> 
> The question is - what password encryption can I use in local SQL?
> If I want to use EAP-mschapv2, my password should be a plaintext or NT hash.
> (http://deployingradius.com/documents/protocols/compatibility.html)
> Of course, I'd like to see the passwords as bcrypt. I'm afraid it won't work 
> then.


Your only options are plaintext or NT hashes.
That's a limitation of the protocol, not of PacketFence (or FreeRADIUS in 
general).

There's no way around that.

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] radius accounting info not being mapped to users

2017-07-19 Thread Louis Munro via PacketFence-users
Hi Diego,
Can you see if you have data in the radacct table?

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jul 19, 2017, at 18:25, Diego Garcia del Rio via PacketFence-users 
>  wrote:
> 
> Dear users,
> 
> I have a setup where users are being authenticated using mac-based auth with 
> radius. This is a system with Ruckus' ZD1200 and a few APs. Radius auth works 
> well and I have configured radius accounting as well. In fact, I see the 
> radius accounting packets being sent to PF -both interim acct records as well 
> as upon connect/disconnect-.
> 
> I even see the records being entered into the radacct and radacct_log tables. 
> The radacct_log shows a few entries such as the following:
> 
> 
> | 13 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10 | Start          | 2017-07-19 21:24:07 |      0 |      0 |   0 | 4a0c8abc1db9b2e180f7501f313b9ded |
> | 14 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10 | Interim-Update | 2017-07-19 21:29:07 |  77539 | 106422 | 300 | 4a0c8abc1db9b2e180f7501f313b9ded |
> | 15 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10 | Start          | 2017-07-19 21:29:59 |      0 |      0 |   0 | 4a0c8abc1db9b2e180f7501f313b9ded |
> | 16 | 59BBE3C4-0011 | ac:37:43:a4:xx:xx | 10.0.10.10 | Stop           | 2017-07-19 21:29:59 | 112233 | 157549 | 352 | 4a0c8abc1db9b2e180f7501f313b9ded |
> | 17 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10 | Interim-Update | 2017-07-19 21:34:59 | 125499 | 181451 | 300 | 4a0c8abc1db9b2e180f7501f313b9ded |
> | 18 | 59BBE3C4-0012 | ac:37:43:a4:xx:xx | 10.0.10.10 | Stop           | 2017-07-19 21:38:55 |      0 |      0 | 236 | 4a0c8abc1db9b2e180f7501f313b9ded |
> 
> the MAC is matching the  device as shown in the node table:
> 
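> MariaDB [pf]> select mac, pid, computername  from node where mac="ac:37:43:a4:41:46" ;
> +-------------------+-------+--------------------------+
> | mac               | pid   | computername             |
> +-------------------+-------+--------------------------+
> | ac:37:43:a4:xx:xx | diego | android-98d54ed505c746a1 |
> +-------------------+-------+--------------------------+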
> 
> 
> anyone has any clue on why I might not be able to see the accounting info 
> being processed? In the GUI, when selecting "Top 25 Bandwidth Consumers"  I 
> see the following:
> 
> What's going on?
> There's not enough data to generate this graph. Is PacketFence in production
> 
> But I'm pretty sure I'm in production mode...
> 
> thanks!
> 
> 


Re: [PacketFence-users] Can't start packetfence-httpd.admin.service

2017-07-19 Thread Louis Munro via PacketFence-users


> On Jul 19, 2017, at 18:16, Diego Garcia del Rio  wrote:
> 
> No. In my case it's a single-node setup. I was doing a strace on the httpd 
> process and was seeing a LOT of missing files being referenced. 
> 
> for example:
> 
> stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
> stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pm", {st_mode=S_IFREG|0644, st_size=1977, ...}) = 0
> open("/usr/local/pf/lib/pf/services/manager/httpd_collector.pm", O_RDONLY) = 7
> ioctl(7, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fffb60cc7a0) = -1 ENOTTY (Inappropriate ioctl for device)
> lseek(7, 0, SEEK_CUR)   = 0
> read(7, "package pf::services::manager::h"..., 8192) = 1977
> 
> 
> 
> I'm not running on a super powerful server... but still, it's a 4-core VM with 
> 8GB of RAM and an SSD... so not too horrible
> 
> I could eventually do a full strace if needed.
> 



Those are not missing files.
That's the way perl searches for a module through @INC.
It tries each directory in the array until it either succeeds or runs out of 
directories to try.
You'll see this behaviour for other things too, such as linking libraries.

Still, good catch on the incorrect StartLimitInterval.
I will fix that for the next release.



Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )
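
The @INC search described in the reply above can be separated from a genuinely missing module by checking whether each run of ENOENT probes ends in a hit. The following is an added example, not PacketFence code: it parses strace lines like the ones quoted in this message and reports only modules that were never found. The last sample line is constructed to show the failing case, the function names are hypothetical, and grouping by file name is a simplification that would merge two different modules sharing a base name.

```python
import re

# First six lines are from the strace output quoted in the message;
# the last line is constructed to represent a module that is really absent.
STRACE = '''\
stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/fingerbank/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/html/captive-portal/lib/pf/services/manager/httpd_collector.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pmc", 0x7fffb60ccab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/pf/lib/pf/services/manager/httpd_collector.pm", {st_mode=S_IFREG|0644, st_size=1977, ...}) = 0
stat("/usr/local/pf/lib/pf/constructed/missing.pm", 0x7fffb60cc9f0) = -1 ENOENT (No such file or directory)
'''

# stat()/open() on a .pm or .pmc path, with return value and optional errno.
CALL = re.compile(
    r'^(?:stat|open)\("([^"]+\.pmc?)",.*\)\s+=\s+(-?\d+)(?:\s+(E[A-Z]+))?'
)


def module_lookups(strace_text):
    """Map module file name -> {'misses': [paths], 'hit': path or None}."""
    found = {}
    for line in strace_text.splitlines():
        match = CALL.match(line.strip())
        if not match:
            continue
        path, ret, errno = match.group(1), int(match.group(2)), match.group(3)
        name = path.rsplit("/", 1)[-1]
        if name.endswith(".pmc"):
            # perl probes the compiled .pmc name before each .pm candidate
            name = name[:-1]
        entry = found.setdefault(name, {"misses": [], "hit": None})
        if ret == -1 and errno == "ENOENT":
            entry["misses"].append(path)
        elif ret >= 0 and entry["hit"] is None:
            entry["hit"] = path
    return found


def really_missing(strace_text):
    """Modules that were probed but never found in any directory."""
    lookups = module_lookups(strace_text)
    return sorted(name for name, e in lookups.items() if e["hit"] is None)


if __name__ == "__main__":
    for name, entry in module_lookups(STRACE).items():
        status = entry["hit"] or "NOT FOUND"
        print(f"{name}: {len(entry['misses'])} misses, resolved to {status}")
    print("really missing:", really_missing(STRACE))
```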


Re: [PacketFence-users] Can't start packetfence-httpd.admin.service

2017-07-19 Thread Louis Munro via PacketFence-users
By Jove!
You are right, of course.

The value to change is indeed TimeoutStartSec.

Are you running a cluster by any chance?
We are trying to find out why the admin is taking too long to start under some 
configurations and anecdotal evidence points to VIPs playing a role.

Best regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jul 19, 2017, at 18:07, Diego Garcia del Rio via PacketFence-users 
>  wrote:
> 
> Hi Louis,
> 
> (sorry to break the thread as I just joined the mailing list and can't reply 
> to the past message).
> 
> In my case, using the ZEN appliance, I noticed that the httpd.admin was also 
> timing out. If I started httpd manually with the config file, it would take 
> almost 3 minutes to start. I was playing with the StartLimitInterval=120 
> parameter and it wasn't working.
> 
> Turns out the StartLimitInterval is used to determine the max number of 
> restarts if the process keeps restarting in a loop. I needed to adjust 
> 
> TimeoutStartSec=180
> 
> (I had to add it to the 
> /usr/lib/systemd/system/packetfence-httpd.admin.service file as it was 
> inheriting the default value from systemd)
> 
> Anyhow, in my case it worked after this, but the fact that it's taking almost 
> 3 minutes to start regardless is quite something.
> 
> (StartLimitInterval is used together with StartLimitBurst to determine if the 
> service is starting too often, if there are more than StartLimitBursts within 
> StartLimitInterval, it will set the service to fail)
> 
> Best regards,
> Diego
> 
> 
> 
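
The difference between TimeoutStartSec and the StartLimitInterval/StartLimitBurst pair explained in this message can be seen in a small simulation. The following is an added example, not PacketFence or systemd code: a simplified model of one service that needs a fixed time to become ready, with [Service] values copied from the unit file quoted elsewhere in this thread, the stock systemd defaults (90 s start timeout, 5 starts per 10 s) used where a key is absent, and a constructed startup time of 170 s standing in for "almost 3 minutes". Function names are hypothetical and only plain-second values are parsed.

```python
# [Service] values as in the unit quoted in this thread (trimmed).
UNIT = """\
[Service]
StartLimitBurst=3
StartLimitInterval=60
Type=notify
TimeoutStopSec=60
Restart=on-failure
"""

DEFAULT_TIMEOUT_START = 90   # systemd default DefaultTimeoutStartSec
DEFAULT_LIMIT_BURST = 5      # systemd default DefaultStartLimitBurst
DEFAULT_LIMIT_INTERVAL = 10  # systemd default DefaultStartLimitIntervalSec


def service_settings(unit_text):
    """Return the key/value pairs of the [Service] section (last one wins)."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def seconds(settings, key, default):
    """Integer value of a setting; only plain numbers such as 60 or 60s."""
    value = settings.get(key)
    return default if value is None else int(value.rstrip("s"))


def simulate(unit_text, startup_s, stop_s=0, max_attempts=10):
    """Outcome for a service that needs startup_s seconds to signal readiness.

    Returns 'started', 'failed', 'start-limit-hit' or 'restart-loop'.
    """
    s = service_settings(unit_text)
    timeout = seconds(s, "TimeoutStartSec", DEFAULT_TIMEOUT_START)
    burst = seconds(s, "StartLimitBurst", DEFAULT_LIMIT_BURST)
    window = seconds(s, "StartLimitInterval", DEFAULT_LIMIT_INTERVAL)
    if startup_s <= timeout:
        return "started"          # ready before the start timeout fires
    if s.get("Restart", "no") == "no":
        return "failed"           # timed out once, nothing restarts it
    starts, now = [], 0
    for _ in range(max_attempts):
        recent = [t for t in starts if now - t < window]
        if len(recent) >= burst:
            return "start-limit-hit"   # too many starts inside the window
        starts.append(now)
        now += timeout + stop_s        # attempt is killed at the timeout
    return "restart-loop"              # limit never trips, restarts forever


if __name__ == "__main__":
    print(simulate(UNIT, 170))                                # restart-loop
    print(simulate(UNIT + "StartLimitInterval=120\n", 170))   # restart-loop
    print(simulate(UNIT + "TimeoutStartSec=180\n", 170))      # started
```

In this model each attempt is killed after 90 s, so starts are never close enough together to exceed three per 60 s or per 120 s, which matches the endless restarts in the logs; only a longer TimeoutStartSec lets the start complete.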


Re: [PacketFence-users] Can't start packetfence-httpd.admin.service

2017-07-19 Thread Louis Munro via PacketFence-users
Let's see if it's just a timeout or something else.
Raise the StartLimitInterval to 120 seconds by doing the following:

1. Edit /lib/systemd/system/packetfence-httpd.admin.service and set 
StartLimitInterval=120

2. Reload the systemd configuration: 
# systemctl daemon-reload

3. Restart the admin: 
# systemctl restart packetfence-httpd.admin 



Please report the results, with logs if it fails.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)

> On Jul 19, 2017, at 12:24, Jarek via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hello!
> 
> On 2017-07-19 (Wed) at 11:07 -0400, Louis Munro via
> PacketFence-users wrote:
>> Hi Jarek,
>> Can you report the output of this command please?
>> 
>> 
>> # systemctl cat packetfence-httpd.admin
> 
> 
> # /lib/systemd/system/packetfence-httpd.admin.service
> [Unit]
> Description=PacketFence Administration  Apache HTTP Server 
> Documentation=man:httpd(8)
> Documentation=man:apachectl(8)
> Wants=packetfence-base.target packetfence-config.service
> After=packetfence-base.target packetfence-config.service packetfence-haproxy.service
> 
> [Service]
> StartLimitBurst=3
> StartLimitInterval=60
> Type=notify
> PIDFile=/usr/local/pf/var/run/httpd.admin.pid
> Environment=X_PORTAL=default
> ExecStartPre=/usr/local/pf/bin/pfcmd service httpd.admin generateconfig
> ExecStart=/usr/sbin/apache2 -f /usr/local/pf/var/conf/httpd.conf.d/httpd.admin -DFOREGROUND -Ddebian
> ExecReload=/bin/kill -USR1 ${MAINPID}
> ExecStop=/bin/kill -WINCH ${MAINPID}
> # We want systemd to give httpd some time to finish gracefully, but still want
> # it to kill httpd after TimeoutStopSec if something went wrong during the
> # graceful stop. Normally, Systemd sends SIGTERM signal right after the
> # ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
> # httpd time to finish.
> TimeoutStopSec=60
> KillMode=mixed
> KillSignal=SIGCONT
> PrivateTmp=true
> Restart=on-failure
> Slice=packetfence.slice
> 
> [Install]
> WantedBy=packetfence.target
> 
> 
> Best regards
> Jarek
> 
> 
>> Regards,
>> --
>> Louis Munro
>> lmu...@inverse.ca  ::  www.inverse.ca 
>> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and
>> PacketFence (www.packetfence.org)



Re: [PacketFence-users] Can't start packetfence-httpd.admin.service

2017-07-19 Thread Louis Munro via PacketFence-users
Hi Jarek,
Can you report the output of this command please?

# systemctl cat packetfence-httpd.admin


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jul 19, 2017, at 10:00, jarek via PacketFence-users 
>  wrote:
> 
> Hello!
> 
> I'm trying to set up packetfence on a new Debian 8. I've tried a few times from 
> scratch but failed. 
> At the moment packetfence-httpd.admin.service is continuously restarting. I'm 
> able to open the configurator page, but after a few 
> seconds it becomes unavailable. What am I doing wrong?
> 
> syslog:
> 
> Jul 19 15:53:19 rj01 systemd[1]: packetfence-httpd.admin.service start 
> operation timed out. Terminating.
> Jul 19 15:54:19 rj01 systemd[1]: packetfence-httpd.admin.service 
> stop-final-sigterm timed out. Killing.
> Jul 19 15:54:20 rj01 systemd[1]: packetfence-httpd.admin.service: main 
> process exited, code=killed, status=9/KILL
> Jul 19 15:54:20 rj01 systemd[1]: Failed to start PacketFence Administration  
> Apache HTTP Server.
> Jul 19 15:54:20 rj01 systemd[1]: Unit packetfence-httpd.admin.service entered 
> failed state.
> Jul 19 15:54:20 rj01 systemd[1]: packetfence-httpd.admin.service holdoff time 
> over, scheduling restart.
> Jul 19 15:54:20 rj01 systemd[1]: Stopping PacketFence Administration  Apache 
> HTTP Server...
> Jul 19 15:54:20 rj01 systemd[1]: Starting PacketFence Administration  Apache 
> HTTP Server...
> Jul 19 15:54:31 rj01 pfcmd[28577]: service|command
> Jul 19 15:54:32 rj01 pfcmd[28577]: httpd.admin|config generated
> Jul 19 15:55:28 rj01 apache2[28583]: [Wed Jul 19 15:55:28 2017] 
> pfappserver.pm: Cannot determine desired terminal width, using default of 80 
> columns
> Jul 19 15:55:31 rj01 apache2[28583]: AH00558: apache2: Could not reliably 
> determine the server's fully qualified domain name, using 127.0.1.1. Set the 
> 'ServerName' directive globally to suppress this message
> Jul 19 15:56:03 rj01 systemd[1]: packetfence-httpd.admin.service start 
> operation timed out. Terminating.
> 
> journalctl -xe
> 
> lip 19 15:54:31 rj01 pfcmd[28577]: service|command
> lip 19 15:54:32 rj01 packetfence[28577]: INFO pfcmd.pl(28577): generating 
> /usr/local/pf/var/conf/ssl-certificates.conf 
> (pf::services::manager::httpd::generateCommonConfig)
> lip 19 15:54:32 rj01 packetfence[28577]: INFO pfcmd.pl(28577): generating 
> /usr/local/pf/var/conf/captive-portal-common 
> (pf::services::manager::httpd::generateCommonConfig)
> lip 19 15:54:32 rj01 pfcmd[28577]: httpd.admin|config generated
> lip 19 15:55:28 rj01 apache2[28583]: [Wed Jul 19 15:55:28 2017] 
> pfappserver.pm: Cannot determine desired terminal width, using default of 80 
> columns
> lip 19 15:55:31 rj01 admin_catalyst[28583]: httpd.admin(28583) WARN: 
> [mac:[undef]] Unicode::Encoding plugin is auto-applied, please remove this 
> from your appclass and make sure to define "encoding" config (Catalyst::setup_
> lip 19 15:55:31 rj01 admin_catalyst[28583]: httpd.admin(28583) WARN: 
> [mac:[undef]] Deprecated 'static' config key used, please use the key 
> 'Plugin::Static::Simple' instead (Class::MOP::Class:::before)
> lip 19 15:55:31 rj01 apache2[28583]: AH00558: apache2: Could not reliably 
> determine the server's fully qualified domain name, using 127.0.1.1. Set the 
> 'ServerName' directive globally to suppress this message
> lip 19 15:55:31 rj01 httpd_admin_err[28585]: [Wed Jul 19 15:55:31.326772 
> 2017] [ssl:warn] [pid 28583] AH01909: packetfence.packetfence.org:443:0 
> server certificate does NOT include an ID which matches the server name
> lip 19 15:56:03 rj01 systemd[1]: packetfence-httpd.admin.service start 
> operation timed out. Terminating.
> lip 19 15:56:28 rj01 httpd_admin_err[28585]: [Wed Jul 19 15:56:28 2017] 
> pfappserver.pm: Cannot determine desired terminal width, using default of 80 
> columns
> lip 19 15:56:31 rj01 admin_catalyst[28583]: httpd.admin(28583) WARN: 
> [mac:[undef]] Unicode::Encoding plugin is auto-applied, please remove this 
> from your appclass and make sure to define "encoding" config (Catalyst::setup_
> lip 19 15:56:31 rj01 admin_catalyst[28583]: httpd.admin(28583) WARN: 
> [mac:[undef]] Deprecated 'static' config key used, please use the key 
> 'Plugin::Static::Simple' instead (Class::MOP::Class:::before)
> lip 19 15:56:31 rj01 httpd_admin_err[28585]: AH00558: apache2: Could not 
> reliably determine the server's fully qualified domain name, using 127.0.1.1. 
> Set the 'ServerName' directive globally to suppress this message
> lip 19 15:56:31 rj01 httpd_admin_err[28588]: [Wed Jul 19 15:56:31.755543 
> 2017] [ssl:warn] [pid 28583] AH01909: packetfence.packetfence.org:443:0 
> server certificate does NOT include an ID which matches the server name
> lip 19 15:56:31 

Re: [PacketFence-users] DLINK DGS3100

2017-07-18 Thread Louis Munro via PacketFence-users


> On Jul 18, 2017, at 10:41, Alessandro Canella via PacketFence-users 
>  wrote:
> 
> Hi where’s location of pfqueue.log ?


Hi Alessandro,
pfqueue now logs in the main log file, packetfence.log. 

So you can always grep for it in that file:

# grep pfqueue /usr/local/pf/logs/packetfence.log


Or look for it by unit in the journal: 

# journalctl -u packetfence-pfqueue



Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] Multi-site PF and clustering?

2017-07-17 Thread Louis Munro via PacketFence-users
Hi Jason,
That's a tricky one.

The closest I can think of that would match your requirements is setting up 
separate instances with two mariadb databases, and then setting up circular 
replication on the person and password tables between the two databases.
You might also want to replicate the node and node_category tables (off the top 
of my head).
I would test that configuration thoroughly before using it in production.

It's hard to find a configuration that will fit all your requirements.
An active/active cluster (with Galera) might help, but then there are issues 
with layer 2 connectivity (the cluster expects the nodes to be in the same 
broadcast domain).

Separate instances are more reliable in case of network partition, but you have 
to find some way to synchronize the person and password tables if you want the 
users to be able to authenticate using the same passwords.

Of course if all the users are held in a separate database/directory then you 
may not have a problem as far as users/passwords are concerned.
There would still be the node information to be replicated though 
(MAC/role/unreg_date).

It's a case of "get creative" I suppose.
Tell us more, we may be able to help.

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jul 13, 2017, at 16:40, Jason 'XenoPhage' Frisvold via PacketFence-users 
>  wrote:
> 
> Hi all,
> 
>   I have two sites I need to manage via Packetfence.  Right now, my
> options are to either put a PF server at each location (which is the
> current plan) or to remotely manage one site via a single PF server.
> We'd like to be able to replicate the users across both sites since we
> have some users that travel.
> 
>   So, the question is, can the PF servers at both sites be set up in a
> cluster fashion, or replicated in some manner?  I'm thinking something
> along the lines of an active/active config, but where they act
> independently if the connection between the two sites is severed.
> 
> Thoughts?
> 
> -- 
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> 
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
> 


Re: [PacketFence-users] Inconsistent roles in switches definition

2017-07-13 Thread Louis Munro via PacketFence-users
Check the database.
They may still exist in the node_category table.

--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jul 13, 2017, at 15:00, Jason 'XenoPhage' Frisvold via PacketFence-users 
>  wrote:
> 
> On 7/13/17 04:31, luca comes via PacketFence-users wrote:
>> Dear all,
>> 
>> any suggestion on this problem? Is there a way to clean remove roles
>> from pf? Any roles created and then removed from roles.conf is shown
>> even after reload.
> 
> As far as I understand it, the definition of those roles is only in the
> roles.conf file.  Make sure you check both roles.conf and
> roles.conf.defaults in the /usr/local/pf/conf directory.
> 
>> Thanks
>> 
>> Luca
> 
> -- 
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> 
> “Space,” it says, “is big. Really big. You just won’t believe how
> vastly, hugely, mindbogglingly big it is. I mean, you may think it’s
> a long way down the road to the chemist’s, but that’s just peanuts to
> space.”
> - The Hitchhikers Guide to the Galaxy
> 
> 



Re: [PacketFence-users] Unable to view the web configuration page after installation

2017-07-13 Thread Louis Munro via PacketFence-users


> On Jul 13, 2017, at 10:04, Muralidhar Bg  wrote:
> 
> 
> I got a website could not be reached screen (same as my initial email)

Is the httpd process running on that port?
Is DNS resolution working properly?
Is there a firewall in the way?
What about routing?

Are your TCP packets even making it to the VM?
Do you see any request for your IP in logs/httpd.admin.access?

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] Unable to view the web configuration page after installation

2017-07-12 Thread Louis Munro via PacketFence-users

Hi,

> On Jul 12, 2017, at 02:57, Muralidhar BG  
> wrote:
> 
> 
> Where in the documentation does it say that?
> 
> 
> Link: 
> https://packetfence.org/doc/PacketFence_Administration_Guide.html#_system_requirements
>  
> 
> 
> Under section 3.1: 
> "In this guide, we assume that all those components are running on the same 
> server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed 
> on.


Mmm...
That is somewhat ambiguous, I admit.
This is meant to indicate that while in some configurations the services may be 
decoupled and run on separate servers/VMs, for the purposes of the guide they 
are assumed to all run on the same host.
You are not meant to install them. Installing the packetfence package will take 
care of that as you have found.



>> 
>> What I have observed is that if I do not install these dependencies before 
>> have the packetfence package installs them. But then again I get an error 
>> message with mysql after installation (as mentioned in my initial email)
> 
> That is the point of using a package manager such as yum.
> 
> 
> I understand how a package manager works. But the problem I am facing is 
> starting the mysql instance once packetfence is installed. I used the command:
> 
> $ sudo systemctl start mysqld
> 
> I got the following error: Failed to start mysqld.service: Unit is masked.
> 
> What is the first thing I need to do right after installing packetfence to 
> view the web configuration page?


You don't have to start mysql.
Just start configuring by logging on to the configurator web app at 
https://$HOST:1443/ 

See section 9 here: 
https://packetfence.org/doc/PacketFence_Administration_Guide.html#_configuration
 



Don't overthink this.
You are meant to just install the packetfence package.
Systemd will start the required services on its own.


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] "default" user not pushing device to login portal

2017-07-11 Thread Louis Munro via PacketFence-users


> On Jul 11, 2017, at 15:40, Jason 'XenoPhage' Frisvold 
>  wrote:
> 
> 
> Ok, giving this a try now.  I did create a portal and put a filter of
> Connection Type WIRED_MAC_AUTH which seems to at least get me into the
> registration network when I disable 802.1x.  But, once in there, I'm not
> getting redirected to the portal, which is odd.  Auto-registration is
> disabled, but everything else is the same as the default profile.  I
> don't see a "use captive portal" button anywhere to force this action.

You don't need to enable the captive portal.
It's on by default if you have an interface defined as type=registration.
As long as you are sent to the registration VLAN, and you get your IP and DNS 
configuration from the PacketFence managed dhcpd you should be redirected to 
the captive portal.

Check to see if those assumptions are correct.
I.e. are you sent to the right VLAN?
Do you get your dhcp lease and configuration from the PacketFence dhcpd?

If you do, your DNS queries should be sent to pfdns, which should return the IP 
of the captive portal to any (non-passthrough) dns request.
See if your dns requests are sent to PacketFence, and if the reply points to 
the IP of the captive-portal.

Let me know what you find...


> Makes sense, I'll go ahead and start building granular profiles.  How do
> I specify non-802.1x wireless traffic?  Wireless-802.11-NoEAP?
> 

Exactly.

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] "default" user not pushing device to login portal

2017-07-11 Thread Louis Munro via PacketFence-users

> On Jul 11, 2017, at 14:24, Jason 'XenoPhage' Frisvold via PacketFence-users 
>  wrote:
> 
> So, if I disable the autoregistration for the profile (config ->
> connection profiles -> default), I get a captive portal.  But, that then
> "breaks" 802.1x in that even with 802.1x enabled, I still get the portal.
> 
> So I'm still missing something.  We're looking for the following order
> or preference :
> 
> 802.1x
> MAB (manually added nodes)
> Captive Portal
> 
> How do I accomplish this?

Create a different portal per connection type.

E.g. One dot1x profile for which autoregistration is enabled, one MAC 
authentication for which it isn't.

That should do it.

I try to use the default portal as little as possible, and create more granular 
profiles that allow a different set of authorization sources etc.
It's also easier to maintain over time, as when adding something new (a new 
SSID for instance) you can define a separate profile for it and not have to 
modify the default which is already handling production traffic for your 
existing network. 


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )



Re: [PacketFence-users] "default" user not pushing device to login portal

2017-07-11 Thread Louis Munro via PacketFence-users
Hi Jason, 
Sorry for the delay. We've been busy with the latest release here...

I think the issue below is that you have enabled autoregistration on the 
default profile.
So your WIRED_MAC_AUTH devices are autoregistered, but since they don't provide 
a username (as they would if it were 802.1x) then PF has no way to assign them 
a role.

The solution is to create a profile that matches MAC authentication and disable 
autoregistration on it.
The devices will then be forced to register, i.e. they'll be placed behind the 
captive portal.

Hope this helps,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jul 7, 2017, at 12:32, Jason 'XenoPhage' Frisvold  
> wrote:
> 
> On 7/6/17 17:01, Louis Munro wrote:
>> Hi Jason,
>> At first glance, the logs below seem to indicate something is wrong when
>> it comes to assigning a role to the device.
>> 
>> Can we see your authentication.conf, profiles.conf and switches.conf at
>> the very least?
>> It's hard to say what goes wrong without knowing what role should be
>> assigned.
> 
> Sure.  See below :
> 
> authentication.conf :
> -
> 
> [local]
> description=Local Users
> dynamic_routing_module=AuthModule
> type=SQL
> 
> [file1]
> description=Legacy Source
> stripped_user_name=yes
> path=/usr/local/pf/conf/admin.conf
> dynamic_routing_module=AuthModule
> type=Htpasswd
> 
> [file1 rule admins]
> description=All admins
> class=administration
> match=all
> action0=set_access_level=ALL
> 
> [sms]
> description=SMS-based registration
> sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100122
> dynamic_routing_module=AuthModule
> type=SMS
> create_local_account=no
> 
> [sms rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
> 
> [email]
> description=Email-based registration
> dynamic_routing_module=AuthModule
> email_activation_timeout=10m
> type=Email
> create_local_account=no
> allow_localdomain=yes
> 
> [email rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
> 
> [sponsor]
> description=Sponsor-based registration
> dynamic_routing_module=AuthModule
> type=SponsorEmail
> create_local_account=no
> allow_localdomain=yes
> 
> [sponsor rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
> 
> [null]
> description=Null Source
> dynamic_routing_module=AuthModule
> type=Null
> email_required=no
> 
> [null rule catchall]
> description=catchall
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
> 
> 
> 
> profiles.conf :
> ---
> 
> [default]
> description=Default Profile
> logo=/common/packetfence-white.png
> redirecturl=http://www.packetfence.org/
> always_use_redirecturl=disabled
> locale=en_US
> nbregpages=0
> filter_match_style=any
> block_interval=10m
> sms_pin_retry_limit=0
> sms_request_limit=0
> login_attempt_limit=0
> root_module=default_policy
> billing_tiers=
> dot1x_recompute_role_from_portal=enabled
> preregistration=disabled
> autoregister=enabled
> scans=
> reuse_dot1x_credentials=0
> sources=
> provisioners=
> 
> 
> switches.conf :
> ---
> 
> #
> # Copyright (C) 2005-2015 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [default]
> RoleMap=Y
> 
> [10.10.10.50]
> description=sw50.example.com
> group=OfficeHubs
> 
> [10.10.10.51]
> description=sw51.example.com
> group=OfficeHubs
> 
> [10.10.10.52]
> description=sw52.example.com
> group=OfficeHubs
> 
> [10.10.10.53]
> description=sw53.example.com
> group=OfficeHubs
> 
> [10.10.10.54]
> description=sw55.example.com
> group=OfficeHubs
> 
> [10.10.10.55]
> description=sw55.example.com
> group=OfficeHubs
> 
> [10.10.10.56]
> description=sw56.example.com
> group=OfficeHubs
> 
> [10.10.10.57]
> description=sw57.example.com
> group=OfficeHubs
> 
> [10.10.10.58]
> description=sw58.example.com
> group=OfficeHubs
> 
> [10.10.10.59]
> description=sw59.example.com
> group=OfficeHubs
> 
> [group OfficeHubs]
> VoIPCDPDetect=Y
> VoIPDHCPDetect=Y
> AccessListMap=N
> description=Office Switches (2960-CX)
> VoIPEnabled=Y
> UrlMap=N
> useCoA=Y
> 

Re: [PacketFence-users] Unable to view the web configuration page after installation

2017-07-11 Thread Louis Munro via PacketFence-users


> On Jul 11, 2017, at 00:38, Muralidhar BG via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> I want to understand something. According to the documentation I should have 
> apache, dhcp, mysql (or mariadb) and freeradius installed and configured 
> before trying to install packetfence. If I install packetfence after 
> installing these dependencies I get an error message (during installation) 
> relating to mysql stating there is a conflict.


Where in the documentation does it say that?

> 
> What I have observed is that if I do not install these dependencies before 
> have the packetfence package installs them. But then again I get an error 
> message with mysql after installation (as mentioned in my initial email)

That is the point of using a package manager such as yum.


> 
> PS: packetfence expects Firewall, SELinux, AppArmor, resolvconf to be 
> disabled. But once I launch a CentOS instance in Amazon it does not have 
> firewall, AppArmor and resolvconf. Is that okay?

I haven't tried it on an Amazon instance.
I assume it depends on what AMI you chose.

The bottom line is that SELinux interferes with some of the fancier features of 
PF, and PF intends to manage the firewall rules by hand (e.g. using the 
iptables command and not firewalld).


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] "default" user not pushing device to login portal

2017-07-06 Thread Louis Munro via PacketFence-users
Hi Jason,
At first glance, the logs below seem to indicate something is wrong when it 
comes to assigning a role to the device.

Can we see your authentication.conf, profiles.conf and switches.conf at the 
very least?
It's hard to say what goes wrong without knowing what role should be assigned.


> On Jul 6, 2017, at 14:50, Jason 'XenoPhage' Frisvold via PacketFence-users 
>  wrote:
> 
> Greetings,
> 
>   I seem to be missing something in my config and I wonder if you can
> help.  Simply put, plugging in a random device does not push that
> devices port into the captive portal vlan, it simply leaves it in vlan 1
> (which is the default on the switches) and the device has no access.
> 
>   I have 802.1x and VoIP detection working.  This piece is, I think, the
> last piece I need before I start working on the wireless side of things.
> 
>   Is there something obvious I'm missing?  What information can I provide
> to help debug this?
> 
> Here are the packetfence and radius log entries that seem to relate :
> 
> ==> logs/packetfence.log <==
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> INFO: [mac:yy:yy:yy:yy:yy:yy] handling radius autz request: from
> switch_ip => (10.10.10.1), connection_type => WIRED_MAC_AUTH,switch_mac
> => (xx:xx:xx:xx:xx:xx), mac => [yy:yy:yy:yy:yy:yy], port => 10105,
> username => "" (pf::radius::authorize)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> INFO: [mac:yy:yy:yy:yy:yy:yy] Unable to lookup LLDP port from IfIndex.
> LLDP VoIP detection will not work. Is LLDP enabled?
> (pf::Switch::Cisco::Catalyst_2950::getPhonesLLDPAtIfIndex)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> INFO: [mac:yy:yy:yy:yy:yy:yy] Could not find any IP phones through
> discovery protocols for ifIndex 10105 (pf::Switch::getPhonesDPAtIfIndex)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> INFO: [mac:yy:yy:yy:yy:yy:yy] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> WARN: [mac:yy:yy:yy:yy:yy:yy] Use of uninitialized value in string eq at
> /usr/local/pf/lib/pf/role.pm line 726.
> (pf::role::_check_bypass)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> INFO: [mac:yy:yy:yy:yy:yy:yy] Connection type is WIRED_MAC_AUTH. Getting
> role from node_info (pf::role::getRegisteredRole)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> WARN: [mac:yy:yy:yy:yy:yy:yy] Use of uninitialized value $role in
> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 475.
> (pf::role::getRegisteredRole)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> INFO: [mac:yy:yy:yy:yy:yy:yy] Username was NOT defined or unable to
> match a role - returning node based role '' (pf::role::getRegisteredRole)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> INFO: [mac:yy:yy:yy:yy:yy:yy] PID: "default", Status: reg Returned VLAN:
> (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> WARN: [mac:yy:yy:yy:yy:yy:yy] Use of uninitialized value $vlanName in
> hash element at /usr/local/pf/lib/pf/Switch.pm line 766.
> (pf::Switch::getVlanByName)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> WARN: [mac:yy:yy:yy:yy:yy:yy] Use of uninitialized value $vlanName in
> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 769.
> (pf::Switch::getVlanByName)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> WARN: [mac:yy:yy:yy:yy:yy:yy] No parameter Vlan found in
> conf/switches.conf for the switch 10.10.10.1 (pf::Switch::getVlanByName)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> WARN: [mac:yy:yy:yy:yy:yy:yy] Use of uninitialized value $roleName in
> hash element at /usr/local/pf/lib/pf/Switch.pm line 749.
> (pf::Switch::getRoleByName)
> Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
> WARN: [mac:yy:yy:yy:yy:yy:yy] Use of uninitialized value $roleName in
> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 752.
> (pf::Switch::getRoleByName)
> 

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )
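
The packetfence.log entries quoted in the message above show a node that is registered ("Status: reg") but comes back with "Role: (undefined)". As an added example (not PacketFence code, function names are hypothetical), this script re-joins mail-wrapped log entries and lists every MAC in that state together with the connection type and username of its authorization request; the sample log is constructed from the quoted lines.

```python
import re

# Constructed sample modelled on the packetfence.log entries quoted above.
# The first two entries are hard-wrapped the way the mail client wrapped them;
# MACs are placeholders and the second pair (a role being returned) is made up
# for contrast.
SAMPLE_LOG = '''\
Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
INFO: [mac:00:00:5e:00:53:01] handling radius autz request: from
switch_ip => (10.10.10.1), connection_type => WIRED_MAC_AUTH,switch_mac
=> (00:00:5e:00:53:aa), mac => [00:00:5e:00:53:01], port => 10105,
username => "" (pf::radius::authorize)
Jul  6 18:44:55 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641)
INFO: [mac:00:00:5e:00:53:01] PID: "default", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Jul  6 18:45:10 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641) INFO: [mac:00:00:5e:00:53:02] handling radius autz request: from switch_ip => (10.10.10.1), connection_type => Ethernet-EAP,switch_mac => (00:00:5e:00:53:aa), mac => [00:00:5e:00:53:02], port => 10106, username => "alice" (pf::radius::authorize)
Jul  6 18:45:10 packetfence0 packetfence_httpd.aaa: httpd.aaa(2641) INFO: [mac:00:00:5e:00:53:02] PID: "alice", Status: reg Returned VLAN: (undefined), Role: staff (pf::role::fetchRoleForNode)
'''

# A new entry starts with a syslog timestamp such as "Jul  6 18:44:55 ".
ENTRY_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")
MAC_TAG = re.compile(r"\[mac:(?P<mac>[0-9A-Fa-f:]{17})\]")
AUTZ = re.compile(
    r"handling radius autz request: from switch_ip => \((?P<switch>[^)]*)\), "
    r"connection_type => (?P<ctype>[^,\s]+),.*?port => (?P<port>\d+), "
    r'username => "(?P<user>[^"]*)"'
)
ROLE = re.compile(
    r'PID: "(?P<pid>[^"]*)", Status: (?P<status>\w+) '
    r"Returned VLAN: (?P<vlan>[^,]+), Role: (?P<role>\S+)"
)


def unwrap(lines):
    """Join hard-wrapped continuation lines back onto their log entry."""
    entries = []
    for raw in lines:
        line = raw.lstrip("> ").rstrip()   # also drops mail quote markers
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def find_registered_without_role(lines):
    """Return one finding per 'Status: reg' decision that has no role."""
    pending = {}    # mac -> fields of its most recent authorization request
    findings = []
    for entry in unwrap(lines):
        tag = MAC_TAG.search(entry)
        if not tag:
            continue
        mac = tag.group("mac").lower()
        autz = AUTZ.search(entry)
        if autz:
            pending[mac] = autz.groupdict()
            continue
        role = ROLE.search(entry)
        if not role:
            continue
        if role.group("status") == "reg" and role.group("role") == "(undefined)":
            req = pending.get(mac, {})
            findings.append({
                "mac": mac,
                "pid": role.group("pid"),
                "switch": req.get("switch"),
                "port": req.get("port"),
                "connection_type": req.get("ctype"),
                "username": req.get("user"),
            })
    return findings


if __name__ == "__main__":
    for f in find_registered_without_role(SAMPLE_LOG.splitlines()):
        print("registered but no role: {mac} via {connection_type} "
              "on {switch} port {port} (pid={pid!r}, username={username!r})"
              .format(**f))
```
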

Re: [PacketFence-users] HP 1920 (JG1920-14G) support ?

2017-07-06 Thread Louis Munro via PacketFence-users
Correction.
The generic switch (pf::Switch::Generic) is not exactly the same as the base 
class (pf::Switch).
The difference is that the generic switch does support RADIUS.

So it's not completely useless.
Just completely useless for SNMP.

Cheers,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jul 6, 2017, at 12:56, Louis Munro  wrote:
> 
> 
> 
>> On Jul 6, 2017, at 10:12, devz...@web.de  wrote:
>> 
>> ok, thanks for the info.
>>  
>> being curious why generic is an option to be selected in the webgui at all 
>> then
>>  
>> regards
>> roland
> 
> I suspect that's a historical oversight.
> It might have been of some use for RADIUS a long time ago.
> 
> I've opened an issue about it.
> https://github.com/inverse-inc/packetfence/issues/2470 
> 
> 
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca   ::  www.inverse.ca 
>  
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
> PacketFence (www.packetfence.org )



Re: [PacketFence-users] HP 1920 (JG1920-14G) support ?

2017-07-06 Thread Louis Munro via PacketFence-users


> On Jul 6, 2017, at 06:14, devzero--- via PacketFence-users 
>  wrote:
> 
> Is pf webgui such a dumb beast ? I did not find bells and whistles of generic 
> modules being documented somewhere...

The generic switch is a base class from which the other switch modules inherit.
It's not really meant to be used directly, and certainly not with SNMP traps.
SNMP traps differ by vendor and switch model (not to mention firmware releases).
No generic switch can know about all the possible traps in existence.

As others have stated, do yourself a favour and use RADIUS.
It's well worth the investment to learn it.
SNMP is essentially obsolete and support for it (at least as an access control 
method) is dying.

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] How do you prevent a stolen MAC from accessing the network

2017-07-06 Thread Louis Munro via PacketFence-users


> On Jul 6, 2017, at 05:18, 沧海云帆 via PacketFence-users 
>  wrote:
> 
> Hello,
> I'm testing PacketFence version 7.1.0, and my issue is how to 
> prevent a stolen MAC from accessing the network.
> For example:
> environment: user auth with Microsoft Active Directory
> switches: cisco2960g and sg300
> 
> domain computer name: computer1@test.local
> registered mac: 40:16:7e:76:c9:10
> I take another laptop and change its MAC address to 40:16:7e:76:c9:10, and this 
> laptop can access the network.
> 
> I want to know how you can avoid this. Can PacketFence 
> authenticate with domain computers so that only domain computers can be 
> validated?
> Thank you!


Any form of network access control that relies on the MAC as an identifier is 
vulnerable to spoofing.
The only way to prevent it is to enforce a method that requires authentication 
based on something known (e.g. a password) or something owned (e.g. a 
certificate).

Practically speaking this means 802.1x with a password (which can be changed if 
the device is stolen) or with a certificate (i.e. EAP-TLS) which you can revoke.

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )



Re: [PacketFence-users] PF httpd.graphite service failed

2017-06-29 Thread Louis Munro via PacketFence-users
Hi Mirko,
We don't test for that kind of environment here, so it's definitely possible to 
run into things like that.
We officially support VMWare environments, but other virtualization 
technologies have been known to work too.

That's good to know, anyway.
Thank you for reporting it.

--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jun 29, 2017, at 11:20, Mirko Corosu  wrote:
> 
> Hi Louis,
> 
> I installed PF on a CentOS7 VM, running on top of oVirt 3.6 virtualization 
> system (qemu-kvm/libvirt). All physical nodes OS's are CentOS7.
> 
> As far as I can understand, in a VM the random generation is "slow", so if 
> you try to read from /dev/random you'll get stuck for minutes unless you 
> configure a paravirtualized random device (not my case).
> 
> The unblocked random generator (/dev/urandom) is an option, even though it 
> could be less secure.
> 
> Regards
> 
> Mirko
> 
> On 29/06/2017 15:46, Louis Munro wrote:
>> Hello Mirko,
>> Sorry I could not help more. I was out most of the day yesterday.
>> That's an interesting issue.
>> Can you tell us more about the environment you are running this on?
>> Best regards,
>> --
>> Louis Munro
>> lmu...@inverse.ca   :: www.inverse.ca 
>> 
>> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
>> PacketFence (www.packetfence.org )
>>> On Jun 29, 2017, at 03:15, Mirko Corosu via PacketFence-users 
>>> wrote:
>>> 
>>> OK, I finally solved my problem.
>>> The httpd.graphite service could not generate the secret in the sub 
>>> "generate_secret" of lib/pf/services/manager/httpd_graphite.pm module from 
>>> /dev/random on my VM (oVirt 3.6).
>>> 
>>> As a workaround, I made /dev/random a link to /dev/urandom, but I have to 
>>> better understand the cause.
> 
> -- 
> 
> 
> Mirko Corosu
> Network and System Administrator
> I.N.F.N. Sezione di Genova
> Via Dodecaneso 33, 16146
> Genova
> Tel. +39 010 3536361
> 
> The most complex problems have simple solutions,
> easy to understand and wrong.
> 
> 

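
For the symptom described in this thread (a service stalling while it reads its secret from /dev/random on a VM), an added diagnostic that is not PacketFence code: it tests without blocking whether a read from /dev/random would stall, reports the kernel's entropy estimate and any hardware RNG the guest sees, and draws a secret from the kernel CSPRNG through Python's secrets module. Function names are hypothetical; the /proc and /sys paths are the standard Linux ones and are parameters so the checks can be pointed elsewhere.

```python
import os
import secrets


def probe_random_device(path="/dev/random", nbytes=32):
    """Try a non-blocking read of nbytes from a random device.

    Returns "ok" (a blocking read would return at once), "short_read" or
    "would_block" (a blocking read would stall), or "unavailable".
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return "unavailable"
    try:
        data = os.read(fd, nbytes)
        return "ok" if len(data) == nbytes else "short_read"
    except BlockingIOError:          # EAGAIN: nothing to hand out right now
        return "would_block"
    except OSError:
        return "unavailable"
    finally:
        os.close(fd)


def entropy_available(path="/proc/sys/kernel/random/entropy_avail"):
    """Kernel entropy estimate in bits, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def hwrng_source(path="/sys/class/misc/hw_random/rng_current"):
    """Name of the active hardware RNG (e.g. a virtio one), or None."""
    try:
        with open(path) as fh:
            value = fh.read().strip()
    except OSError:
        return None
    return value if value and value != "none" else None


def new_secret_hex(nbytes=32):
    """Hex secret from the kernel CSPRNG (secrets uses os.urandom)."""
    return secrets.token_hex(nbytes)


def diagnose():
    """Collect the three checks for the local machine."""
    return {
        "random_read": probe_random_device(),
        "entropy_avail": entropy_available(),
        "hwrng": hwrng_source(),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print("{:>14}: {}".format(key, value))
    print("{:>14}: {}".format("sample secret", new_secret_hex(16)))
```

A result of "would_block" or "short_read" together with no hardware RNG source matches the situation described above, where the guest has no paravirtualized random device.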


Re: [PacketFence-users] PF httpd.graphite service failed

2017-06-29 Thread Louis Munro via PacketFence-users
Hello Mirko,
Sorry I could not help more. I was out most of the day yesterday.

That's an interesting issue.
Can you tell us more about the environment you are running this on?

Best regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jun 29, 2017, at 03:15, Mirko Corosu via PacketFence-users 
>  wrote:
> 
> OK, I finally solved my problem.
> The httpd.graphite service could not generate the secret in the sub 
> "generate_secret" of lib/pf/services/manager/httpd_graphite.pm module from 
> /dev/random on my VM (oVirt 3.6).
> 
> As a workaround, I made /dev/random a link to /dev/urandom, but I have to 
> better understand the cause.



Re: [PacketFence-users] PF httpd.graphite service failed

2017-06-28 Thread Louis Munro via PacketFence-users


> On Jun 28, 2017, at 09:01, Mirko Corosu via PacketFence-users 
>  wrote:
> 
> WARNING - internal network(s) not defined!
> WARNING - networks.conf is empty but services.dhcpd is enabled. Disable it to 
> remove this warning.
> Jun 28 14:29:50 infnwebgw packetfence: INFO pfcmd.pl(15995): Daemon 
> httpd.graphite took 99.573 seconds to start. 
> (pf::services::manager::launchService)

Did you go through the configurator?

Please show your conf/pf.conf (remove the passwords).

What are the specs of that machine?
99 seconds to start is a bit much.


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] Active Directory Domains problem

2017-06-27 Thread Louis Munro via PacketFence-users
It will be just as smart as Samba is.
Remember this is just an smb.conf configuration change in the end.

Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jun 27, 2017, at 15:20, Miles Lott via PacketFence-users 
>  wrote:
> 
> Hopefully it can also be smart about the AD site so that it doesn't try to 
> work with offsite DCs.  We have to hard code things like this all the time, 
> e.g. for php ldap code.
> 
> Miles Lott
> Senior Systems Administrator
> O 713 375-4489 | F 713-850-3527 | C 713 899-4329 | www.gie.com 
> 
> -Original Message-
> From: lists via PacketFence-users 
> [mailto:packetfence-users@lists.sourceforge.net] 
> Sent: Tuesday, June 27, 2017 8:55 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: lists 
> Subject: Re: [PacketFence-users] Active Directory Domains problem
> 
> Hi,
> 
> For your information: starting packetfence 7.2, samba will use auto-discovery 
> for DC location. (password server = *)
> 
> MJ



Re: [PacketFence-users] Customisation of CSS files in PF 7.1

2017-06-27 Thread Louis Munro via PacketFence-users
Hi Andrew,
It looks to me like npm inc. has decided not to support the version of npm (the 
executable) that is packaged for CentOS (and probably RedHat) anymore.

I have been able to work around this by installing the node binaries from 
https://nodejs.org/en/download/ which contain 
an updated version of npm.

I guess this is what happens when you don't run Ubuntu these days...

--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)

> On Jun 27, 2017, at 10:18, Louis Munro via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hi Andrew,
> Something like this?
> 
> # npm install -g grunt-cli
> npm ERR! Linux 3.10.0-514.21.2.el7.x86_64
> npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "install" "-g" "grunt-cli"
> npm ERR! node v6.10.3
> npm ERR! npm  v3.10.10
> 
> npm ERR! failed to fetch from registry: https://registry.npmjs.org/grunt-cli 
> <https://registry.npmjs.org/grunt-cli>
> 
> I get that error too, so don't feel too lonely.
> I am investigating.
> 
> --
> Louis Munro
> lmu...@inverse.ca   ::  www.inverse.ca 
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
> PacketFence (www.packetfence.org)
> 
>> On Jun 27, 2017, at 09:29, Torry, Andrew via PacketFence-users 
>> <packetfence-users@lists.sourceforge.net> wrote:
>> 
>> 
>> Has anyone managed to get the NPM INSTALL –G GRUNT-CLI commands to work on 
>> the PacketFence_ZEN_7.1 server image?
>>  
>> I can install NODEJS and NPM but the NPM INSTALL –G GRUNT-CLI command is 
>> failing with a repository error all the time.
>>  
>> I need this in order to change the /usr/pf/html/common/styles.css to our own 
>> corporate colour scheme.
>>  
>> Andrew
>> 
>>  
>> Andrew Torry 
>> 
>> Senior Infrastructure Engineer
>> 
>>  
>> Tel: 01326 370760 
>> 
>> Email: andrew.to...@fxplus.ac.uk
>>
>> Falmouth Exeter Plus is an exempt charity established by Falmouth University 
>> and the University of Exeter to deliver their shared Higher Education 
>> services in Cornwall.


Re: [PacketFence-users] Customisation of CSS files in PF 7.1

2017-06-27 Thread Louis Munro via PacketFence-users
Hi Andrew,
Something like this?

# npm install -g grunt-cli
npm ERR! Linux 3.10.0-514.21.2.el7.x86_64
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "install" "-g" "grunt-cli"
npm ERR! node v6.10.3
npm ERR! npm  v3.10.10

npm ERR! failed to fetch from registry: https://registry.npmjs.org/grunt-cli

I get that error too, so don't feel too lonely.
I am investigating.

--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jun 27, 2017, at 09:29, Torry, Andrew via PacketFence-users 
>  wrote:
> 
> 
> Has anyone managed to get the NPM INSTALL –G GRUNT-CLI commands to work on 
> the PacketFence_ZEN_7.1 server image?
>  
> I can install NODEJS and NPM but the NPM INSTALL –G GRUNT-CLI command is 
> failing with a repository error all the time.
>  
> I need this in order to change the /usr/pf/html/common/styles.css to our own 
> corporate colour scheme.
>  
> Andrew
> 
>  
> Andrew Torry 
> 
> Senior Infrastructure Engineer
> 
>  
> Tel: 01326 370760 
> 
> Email: andrew.to...@fxplus.ac.uk 
>
> Falmouth Exeter Plus is an exempt charity established by Falmouth University 
> and the University of Exeter to deliver their shared Higher Education 
> services in Cornwall.


Re: [PacketFence-users] Active Directory Domains problem

2017-06-27 Thread Louis Munro via PacketFence-users
Hi Luca,
I am no Active Directory expert, but I believe you don't have much to do for 
that since the DC is discovered from the SRV records that AD publishes.

See here for what I mean:  
https://technet.microsoft.com/en-us/library/cc978011.aspx 


In any case, you can edit the template files used to generate the samba 
configuration (/usr/local/pf/addons/AD/smb.tt) and configure samba exactly how 
you want it.
If it can be done by Samba, there's a way to do it in PacketFence ;-)

Best regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jun 27, 2017, at 09:39, luca comes  wrote:
> 
> Louis,
> thank you so much, your suggestions put me on the right way. So I solved my 
> problem and PF is now joined to the domain. I have only one more question. As 
> you can imagine I have a redundant AD infrastructure but we can put only one 
> DC in the configuration. Is there a way to put the second DC inside the 
> configuration so redundancy is guaranteed?
> 
> Thanks again
> 
> Luca



Re: [PacketFence-users] Active Directory Domains problem

2017-06-26 Thread Louis Munro via PacketFence-users
Hi Luca,
As you can see the domain join process creates chroot directories.
Those are required to be able to join multiple AD domains separately because 
there is no way to configure winbindd to listen to a different (unix) socket.

Be very careful trying to remove those directories.
Their contents are actually just the system directories mounted under a 
different name, so if you were to delete them you would destroy your system.
I suggest leaving them alone. They are not using much if any space and they 
will only be recreated if you rejoin the domains using the PacketFence GUI.

If you want to troubleshoot the actual join, the logs will be in the chroots, 
not in the usual /var/log.
I suggest you take a look at lib/pf/domain.pm.
It will show some of what's going on during the join.

In short, the "net ads join" is done inside the chroot, in a separate network 
namespace.
The simplest way to troubleshoot it is to replicate that by running a shell in 
the same chroot and namespace:

# /sbin/ip netns exec $domain /usr/sbin/chroot $chroot_path /bin/bash

You will then be able to run the same commands that PF would and see the output 
if any.
The logs will also be available.
From there it's just a regular domain join, just like it would if there was no 
chroot or namespace involved.

The other thing to be careful about is iptables.
Since the join is running inside a separate network namespace, NAT must be 
implemented between the inside of the chroot and the outside.
PacketFence will automatically create the rules for that if you have configured 
the domain, so make sure you configure it in the GUI (even if the join fails) 
and then check that the packetfence-iptables service has run.


I hope this helps.
Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )

> On Jun 26, 2017, at 02:45, luca comes via PacketFence-users 
>  wrote:
> 
> Hi all,
> any help on how can I troubleshoot the AD Join problem? Also I need to remove 
> all the folders inside /chroot/ created for my numerous tests, is that 
> possible?
> 
> Luca
> 
> Sent from Outlook
> 
> 
> From: luca comes via PacketFence-users
> Sent: Thursday, June 22, 2017 14:56
> To: packetfence-users@lists.sourceforge.net 
> 
> Cc: luca comes
> Subject: Re: [PacketFence-users] Active Directory Domains problem
>  
> Hi Fabrice,
> I've partially solved the admin problem removing all the configurations from 
> domain.conf file. After that the admin portal is reachable again, the big 
> problem is that I cannot join the server to my domain. I tried many times and 
> I can't see useful logs in log.winbindd. Also I've noticed that all my tests 
> with different names remain inside /chroot/ directory how can I remove those 
> folders without disrupting my machine?
> 
> Luca
> 
> Sent from Outlook
> 
> 
> From: Durand fabrice via PacketFence-users
> Sent: Wednesday, June 21, 2017 01:17
> To: packetfence-users@lists.sourceforge.net 
> 
> Cc: Durand fabrice
> Subject: Re: [PacketFence-users] Active Directory Domains problem
>  
> Hello Luca,
> check the httpd.admin.* log files, there is probably something that 
> explains the error.
> Regards
> Fabrice
> 
> 
> On 2017-06-19 at 11:11, luca comes via PacketFence-users wrote:
>> Hi all,
>> I'm going crazy to configure active directory domain as part of freeradius 
>> configuration. I'm running PF 7.1.0 on a CentOS 7 fresh minimal install. 
>> When I try to add the domain I get an error from the GUI and no useful log in 
>> log.winbindd. After that it is impossible to access the active 
>> directory domains configuration again; it displays Error!An error occured while 
>> contacting the server. Please try again later.
>> How can I solve the problem?
>> 
>> Thank you in advance
>> 
>> Luca

Re: [PacketFence-users] haproxy | mysql

2017-06-13 Thread Louis Munro via PacketFence-users


> On Jun 12, 2017, at 14:48, lists via PacketFence-users 
>  wrote:
> 
> Hi,
> 
> So, just for fun I tried a fresh install of packetfence 7.1.0 on debian 8.
> 
> As far as I know, we need to configure the OS debian to start mysql.

No, you don't.
Not anymore anyway.

Systemd will automatically start the packetfence-mariadb service if you start 
packetfence.


> 
> However, also Packetfence tries to start something on port 3306 as well 
> (haproxy) so there seems to be a conflict? Found that out, because I 
> initially had forgotten to enable the mysql systemd service.
> 

There is no conflict.
That is the expected behaviour.

> Manually starting mysql after install didn't work, because port 3306 was 
> already taken by haproxy. Is that intentional?
> 

Yes.
You are not supposed to use the mysql service.
You are expected to let systemd do the work for you.

When you run "systemctl isolate packetfence" systemd will start all the 
packetfence services, and all services required by them.

For example, the packetfence-httpd.admin.service unit file defines these 
dependencies:

Wants=packetfence-base.target packetfence-config.service

And in turn, the packetfence-base.target includes the 
packetfence-mariadb.service.

So you don't have to do anything about mysql, and in fact you are making your 
life harder by starting it.


Regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )


Re: [PacketFence-users] RESOLVED: Upgrading PF 6.5 to 7.0 haproxy not starting

2017-06-02 Thread Louis Munro via PacketFence-users
Hi Ian,


> On Jun 2, 2017, at 13:58, Ian MacDonald via PacketFence-users 
>  wrote:
> 
> This was very helpful and immediately brought us to conclude it was related 
> to a change in our certs, that we opportunistically pushed out,  as a root 
> cause of our issue.  Is there a place in the docs that describes how to get 
> these debug outputs, to better help us help ourselves in the future?

Unfortunately, each daemon has its own ideas as to what constitutes "debug 
mode" and how to trigger it.
Some are much better at it (e.g. FreeRADIUS) than others.

I had to learn by trial and error myself, at least for those services where 
Inverse did not write the code (e.g. Apache).

In general, you can have a look at systemd to see what is the actual executable 
that is run for a service.
You can get that information from the "ExecStart" line in the systemctl output.
From there it's mostly a trip to the manpage for it, trying to run it with 
--help, or reading the source if it comes to that.

Some examples: 

FreeRADIUS has excellent debugging features, which are well documented.
man radiusd (or man freeradius on debian) shows for example the -X and -C flags 
which can be used to check for syntax or run the server in debug mode.
Additionally you can use "raddebug" to debug a live server without restarting 
and even filter requests so that only the ones matching a condition will 
trigger the debug mode.
Kudos to the FreeRADIUS team.

Apache has a -X mode, as indicated in man httpd (on CentOS, which I have in 
front of me at the moment).

ISC DHCPd has -f and -d switches to force a process to stay in the foreground 
and log to STDERR.

man winbindd shows switches for --foreground, --stdout, and --debuglevel.

In addition, the log level of most PacketFence services can be configured 
through the conf/log.conf and conf/log.conf.d/* files.
Changing the loglevel from INFO to DEBUG can be helpful, but would not have 
helped in your case since the service was not even starting.


> 
> The actual issue was that even though the cert, key and intermediate were 
> concatenated together into the .pem file, in the right order, one of the 
> files had different LF/CR formatting (windows vs linux), something introduced 
> by our ca, that was not obvious, and did not affect applying the same files 
> to the configuration GUI (nor any other system using the same wildcard 
> certs). 
> 
> On a note related to upgrade in general,  our team saw the release for 7.1, 
> which we are excited about with the inclusion of Ubiquiti devices, and I had 
> some comments back on the upgrade process that might help clarify things for 
> other users upgrading and using the UPGRADE.asciidoc as a reference.  We 
> think it would be worthwhile to tell people to explicitly execute the Version 
> specific steps prior to the Distribution specific steps.  Some justification 
> follows. 
> 
> We knew from our v6.5 to 7.0 upgrade that the section for "Upgrading from a 
> version prior to 7.1.0" had to be executed before the section for "Debian 
> based systems" because it would not make sense to not upgrade the MariaDB 
> first.   For anyone who started on v7.0.1 or later and who might 
> appropriately skip the "Upgrading from a version prior to 7.0.0" section, it 
> really is not clear which group of steps you should execute first -> i.e. 
> Should the user perform the Distribution specific steps before the Version 
> specific steps or vice-versa. It does hint in the doc that 'some steps may 
> be required to be done BEFORE the packages upgrades'  but it never really 
> says clearly 'Go do all the Version specific steps further down the document 
> before you come back up and do your distribution-specific steps'.   Anyone 
> that reads it all, and just executes in order, would (we think) be doing it 
> in the incorrect order.
> 



Fair points, all of them.

We'll try to do better and be more explicit in the future.

Best regards,
--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )
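
The mixed line endings Ian describes in the message above (one concatenated .pem file, with one of its parts saved with Windows line endings) are hard to spot by eye. As an added example, not part of the original thread and not PacketFence code, this Python script reports the line-ending style of each PEM block in a bundle and rewrites the bundle with LF only; the sample bundle and all function names are constructed for illustration.

```python
import re

# One PEM block: BEGIN line through END line, plus the line break after it.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----[^\S\r\n]*(?:\r\n|\r|\n)?",
    re.DOTALL,
)

def ending_style(chunk: bytes) -> str:
    """Classify the line endings in a byte string: LF, CRLF, CR, mixed or none."""
    crlf = chunk.count(b"\r\n")
    lf = chunk.count(b"\n") - crlf   # bare LF (Unix)
    cr = chunk.count(b"\r") - crlf   # bare CR
    used = [name for name, n in (("CRLF", crlf), ("LF", lf), ("CR", cr)) if n]
    if not used:
        return "none"
    return used[0] if len(used) == 1 else "mixed"

def audit_bundle(data: bytes):
    """Return [(block label, line-ending style)] for each PEM block, in file order."""
    return [(m.group(1).decode("ascii"), ending_style(m.group(0)))
            for m in PEM_BLOCK.finditer(data)]

def is_consistent(data: bytes) -> bool:
    """True when the file has PEM blocks and all of them share one line-ending style."""
    styles = {style for _, style in audit_bundle(data)}
    return len(styles) == 1 and not styles & {"mixed", "none"}

def normalize(data: bytes) -> bytes:
    """Rewrite every line ending as LF and finish the file with a single newline."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return text.rstrip(b"\n") + b"\n"

def _block(label: bytes, eol: bytes) -> bytes:
    # Constructed sample block: the body is filler, not real key or certificate data.
    lines = [b"-----BEGIN " + label + b"-----",
             b"Q09OU1RSVUNURUQtU0FNUExFLUJPRFk=",
             b"-----END " + label + b"-----"]
    return eol.join(lines) + eol

# Constructed bundle in the order from the thread (cert, key, intermediate),
# with the intermediate saved using Windows line endings.
SAMPLE = (_block(b"CERTIFICATE", b"\n")
          + _block(b"PRIVATE KEY", b"\n")
          + _block(b"CERTIFICATE", b"\r\n"))

if __name__ == "__main__":
    for index, (label, style) in enumerate(audit_bundle(SAMPLE), 1):
        print(f"block {index}: {label:<12} {style}")
    print("consistent before:", is_consistent(SAMPLE))
    print("consistent after: ", is_consistent(normalize(SAMPLE)))
```

To check a real bundle, read it in binary mode (`open(path, "rb").read()`) so Python does not translate the line endings before they are counted.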