[PacketFence-users] EAP-TLS Azure AD Device Groups

2023-08-25 Thread Michael Brown via PacketFence-users
Hi Everyone,

Using EAP-TLS/certs, is it possible to authenticate a device based on what 
Azure AD group they are in?

I am successfully authenticating users based on Azure AD group memberships with 
user certificates but cannot seem to get this to work using a device 
certificate.  The device certificate I am using has the subject set to 
CN={{AAD_Device_ID}}.  I do not have any SANs set on the certificate.  When 
trying to connect on a client device I am getting the following:

Aug 21 14:06:28 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] handling radius autz request: from switch_ip => (10.20.10.28), connection_type => Wireless-802.11-EAP,switch_mac => (e0:cb:bc:91:85:df), mac => [98:59:7a:4c:39:b1], port => 1, username => "d1315df8-5850-48ec-8055-2801981948bb", ssid => Auth-Enterprise2 (pf::radius::authorize)
Aug 21 14:06:28 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Instantiate profile Auth-Enterprise2 (pf::Connection::ProfileFactory::_from_profile)
Aug 21 14:06:28 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Found authentication source(s) : 'Auth-Enterprise2_AzureAD,Catchall-Deny' for realm 'null' (pf::config::util::filter_authentication_sources)
Aug 21 14:06:28 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Using sources Auth-Enterprise2_AzureAD, Catchall-Deny for matching (pf::authentication::match2)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) ERROR: [mac:98:59:7a:4c:39:b1] Failed to obtain groups for d1315df8-5850-48ec-8055-2801981948bb: 404 Not Found (pf::Authentication::Source::AzureADSource::get_memberOf)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) ERROR: [mac:98:59:7a:4c:39:b1] Failed to obtain groups for d1315df8-5850-48ec-8055-2801981948bb: 404 Not Found (pf::Authentication::Source::AzureADSource::get_memberOf)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Matched rule (catchall) in source Catchall-Deny, returning actions. (pf::Authentication::Source::match_rule)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Matched rule (catchall) in source Catchall-Deny, returning actions. (pf::Authentication::Source::match)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Found authentication source(s) : 'Auth-Enterprise2_AzureAD,Catchall-Deny' for realm 'null' (pf::config::util::filter_authentication_sources)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Username was defined "d1315df8-5850-48ec-8055-2801981948bb" - returning role 'REJECT' (pf::role::getRegisteredRole)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] PID: "d1315df8-5850-48ec-8055-2801981948bb", Status: reg Returned VLAN: (undefined), Role: REJECT (pf::role::fetchRoleForNode)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] According to rules in fetchRoleForNode this node must be kicked out. Returning USERLOCK (pf::Switch::handleRadiusDeny)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] security_event 133 force-closed for 98:59:7a:4c:39:b1 (pf::security_event::security_event_force_close)



The application in Azure is set with the following permissions on Microsoft 
Graph:
Device.Read.All
Directory.Read.All
GroupMember.Read.All
User.Read


Thanks for your help
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
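
The log in the message above shows a device rejected because the Azure AD group lookup returned 404 and matching then fell through to Catchall-Deny, not because a group rule failed to match. The following is an added example (not part of the original message and not PacketFence code) that separates those two kinds of REJECT per MAC address; the function names and the second and third sample devices are constructed for illustration.

```python
import re

# Constructed sample: the first device's lines are abridged from the log quoted
# above; the other two devices are made up so that each outcome appears once.
SAMPLE_LOG = '''\
Aug 21 14:06:28 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Using sources Auth-Enterprise2_AzureAD, Catchall-Deny for matching (pf::authentication::match2)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) ERROR: [mac:98:59:7a:4c:39:b1] Failed to obtain groups for d1315df8-5850-48ec-8055-2801981948bb: 404 Not Found (pf::Authentication::Source::AzureADSource::get_memberOf)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) ERROR: [mac:98:59:7a:4c:39:b1] Failed to obtain groups for d1315df8-5850-48ec-8055-2801981948bb: 404 Not Found (pf::Authentication::Source::AzureADSource::get_memberOf)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] Matched rule (catchall) in source Catchall-Deny, returning actions. (pf::Authentication::Source::match_rule)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:98:59:7a:4c:39:b1] PID: "d1315df8-5850-48ec-8055-2801981948bb", Status: reg Returned VLAN: (undefined), Role: REJECT (pf::role::fetchRoleForNode)
Aug 21 14:07:02 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:00:11:22:33:44:55] Matched rule (staff) in source Auth-Enterprise2_AzureAD, returning actions. (pf::Authentication::Source::match_rule)
Aug 21 14:07:02 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:00:11:22:33:44:55] PID: "user@example.com", Status: reg Returned VLAN: (undefined), Role: staff (pf::role::fetchRoleForNode)
Aug 21 14:08:10 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:66:77:88:99:aa:bb] Matched rule (catchall) in source Catchall-Deny, returning actions. (pf::Authentication::Source::match_rule)
Aug 21 14:08:10 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: [mac:66:77:88:99:aa:bb] PID: "guest@example.com", Status: reg Returned VLAN: (undefined), Role: REJECT (pf::role::fetchRoleForNode)
'''

# syslog prefix, level, MAC tag, message, optional trailing "(pf::...)" function.
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ \S+ \S+ (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*?)(?: \((?P<func>pf::[\w:]+)\))?$"
)
GROUP_FAIL = re.compile(r"Failed to obtain groups for (?P<id>\S+): (?P<status>\d{3} .+)$")
MATCHED = re.compile(r"Matched rule \((?P<rule>[^)]+)\) in source (?P<source>[^,]+),")
ROLE = re.compile(r'PID: "(?P<pid>[^"]*)".*Role: (?P<role>\S+)')


def classify(session):
    """Label one device's outcome from the events collected for it."""
    if session["role"] == "REJECT" and session["lookup_errors"]:
        # Group data was never retrieved, so the deny says nothing about membership.
        return "lookup-failure-deny"
    if session["role"] == "REJECT":
        return "policy-deny"
    if session["role"]:
        return "allowed"
    return "incomplete"


def triage(log_text):
    """Group httpd.aaa lines by MAC and classify each device's result."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an httpd.aaa line with a MAC tag
        s = sessions.setdefault(
            m["mac"],
            {"mac": m["mac"], "lookup_errors": [], "matched": [], "role": None},
        )
        msg = m["msg"]
        fail, rule, role = GROUP_FAIL.search(msg), MATCHED.search(msg), ROLE.search(msg)
        if fail and m["level"] == "ERROR":
            err = (fail["id"], fail["status"])
            if err not in s["lookup_errors"]:  # the error is logged twice
                s["lookup_errors"].append(err)
        elif rule:
            pair = (rule["source"], rule["rule"])
            if pair not in s["matched"]:  # match_rule and match both log it
                s["matched"].append(pair)
        elif role:
            s["role"] = role["role"]
    for s in sessions.values():
        s["verdict"] = classify(s)
    return list(sessions.values())


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(s["mac"], s["verdict"], s["lookup_errors"], s["matched"])
```
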


[PacketFence-users] No Network Access After Restart

2023-04-09 Thread Michael Brown via PacketFence-users
Hi Everyone,
I am trying to deploy the 12.2 ZEN ova. The VM starts up fine. I am able to 
access the VM via the admin portal and assign the management interface and get 
through the initial setup. When I add the additional network interfaces to the 
VM for isolation and registration and then restart the VM I lose all network 
access from the VM and am no longer able to access the admin portal. Any ideas 
why this happens?  Not sure if this matters but I add the management, isolation 
and registration network interfaces to the VM as separate network interfaces so 
the VM winds up with three nics.
Thanks for your help. 


Re: [PacketFence-users] Domain Joining PacketFence Fails

2022-08-23 Thread Michael Brown via PacketFence-users
Try creating the computer object in AD prior to joining and then join via the 
packetfence gui. 



On Tuesday, August 23, 2022, 12:11 PM, Aaron Zuercher via PacketFence-users 
 wrote:

Nate, this part of my install was pretty straightforward.  What version of 
windows in your DC?   What about firewall blocking something?
Aaron

On Tue, Aug 23, 2022 at 7:34 AM Nate Breeden via PacketFence-users 
 wrote:


When trying to domain join PacketFence, on the web GUI we receive “Failed to 
join domain: failed to find DC for domain Computers - The object was not found.”

After searching through a bunch of articles, it looks like where it says “for 
domain Computers” should say “for domain MYDOMAIN”?

Did a full reinstall of PacketFence thinking something was wrong with the 
install, but am still facing the same issue.

In the actual Debian VM if I ping a hostname without the domain name it replies 
with the correct IP address, same thing when pinging with the FQDN.

cat /etc/resolv.conf > this returns the proper DNS IP addresses for my domain

net ads status > this returns “ads_connect: No logon servers are currently 
available to service the logon request.” (X2)

Also have tried tweaking each setting on the Configuration > Policies and 
Access Control > Domains > Active Directory Domains > [my identifier], 
including either using IP addresses/hostnames (for Active Directory server, 
Sticky DC), changing the admin credentials around (myadmin@domain.local, 
myadmin@domain, myadmin, mydomain\myadmin), have tweaked the “This server’s 
name” field, to either specify a name or utilize %h.

Here is the log from /usr/local/pf/logs/packetfence.log (censored my server 
name and domain name)

Aug 22 20:23:40 [myservername] pfqueue[12690]: pfqueue(12690) INFO: [mac:unknown] domain join : Failed to join domain: failed to find DC for domain Computers - The object was not found. (pf::domain::join_domain)
Aug 22 20:23:44 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:23:50 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:23:56 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:02 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:08 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:14 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:20 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:26 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:29 [myservername] packetfence[13694]: pfperl-api(1249) INFO: getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
Aug 22 20:24:29 [myservername] packetfence[13693]: pfperl-api(1242) INFO: processed 0 security_events during security_event maintenance (1661199869.09285 1661199869.0996)  (pf::security_event::security_event_mainte>
Aug 22 20:24:29 [myservername] packetfence[13693]: pfperl-api(1242) INFO: processed 0 security_events during security_event maintenance (1661199869.10111 1661199869.10295)  (pf::security_event::security_event_maint>
Aug 22 20:24:29 [myservername] packetfence[13696]: pfperl-api(1248) INFO: Using 300 resolution threshold (pf::pfcron::task::cluster_check::run)
Aug 22 20:24:29 [myservername] packetfence[13696]: pfperl-api(1248) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
Aug 22 20:24:32 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:38 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:44 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:50 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain] (main::child_sighandler)
Aug 22 20:24:56 [myservername] packetfence_winbindd-wrapper[13632]: winbindd-wrapper(13632) 


Re: [PacketFence-users] Accessing Portal Module from 802.1x Network

2022-07-08 Thread Michael Brown via PacketFence-users
We are really hoping to get some feedback on this. 
Thanks!
Mike

From: packetfence-users@lists.sourceforge.net
Sent: 7/5/2022 1:15:17 PM +00:00
To: ben...@uniwan.be
Subject: Re: [PacketFence-users] Accessing Portal Module from 802.1x Network
Checking in on this.  Is there a way to add an option to the status portal 
(//packfence.org/status) to access/create the user's psk or something like 
that? 
I have the dpsk feature working using a custom portal module with a chained 
option but in order to access/create/populate the PSK the user has to join a 
registration network.  I am trying to eliminate that step so that the user can 
just access their PSK from their business device that is connected to the 
dot1.x network and then use that PSK to join their BYOD device.    

On Thursday, June 30, 2022, 12:24:35 PM EDT, Michael Brown via 
PacketFence-users  wrote: 

Hi Ludovic,
Will this allow them to access their PSK from the portal?  I am really just 
trying to figure out a way that employees can access their PSK from their 
assigned device that is connected to a PEAP/802.1x network so that they can 
connect their BYOD devices.  
Thanks for your help.
Mike
On Wednesday, June 29, 2022, 09:17:06 AM EDT, Zammit, Ludovic 
 wrote: 

Hello Michael,
The DPSK feature checks if the local user created in the PF database table 
person under the field psk.
If you wanted you could populate that field with the PF API or a script and 
they could use the DPSK feature.
Thanks,


Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142



On Jun 27, 2022, at 10:22 PM, Michael Brown via PacketFence-users 
 wrote:

Hi Everyone,
My main wifi network is an 802.1x network that uses AD computer and user groups 
for authentication.  I am opening up a DPSK network to our employees for BYOD.  
I would like to provide the ability for all employees, from their assigned 
device that is registered and connected to our 802.1x wifi network, to access a 
portal module that can be used to authenticate to and then create/access their 
DPSK. 
Is this possible?  I have no problem accessing the status page and registering 
a DPSK device by MAC from a registered device that is connected to the 802.1x 
network but I have issues accessing the portal module to access the DPSK.  When 
accessing the portal from the registered device on the 802.1x network I get 
“Your network should be enabled within a minute or two. If it is not reboot 
your computer.”.  I am assuming this is because the device is already 
registered.  
Thanks for your help.


Re: [PacketFence-users] Accessing Portal Module from 802.1x Network

2022-07-05 Thread Michael Brown via PacketFence-users
 Checking in on this.  Is there a way to add an option to the status portal 
(packfence.org/status) to access/create the user's psk or something like that? 
I have the dpsk feature working using a custom portal module with a chained 
option but in order to access/create/populate the PSK the user has to join a 
registration network.  I am trying to eliminate that step so that the user can 
just access their PSK from their business device that is connected to the 
dot1.x network and then use that PSK to join their BYOD device.    

On Thursday, June 30, 2022, 12:24:35 PM EDT, Michael Brown via 
PacketFence-users  wrote:  
 
  Hi Ludovic,
Will this allow them to access their PSK from the portal?  I am really just 
trying to figure out a way that employees can access their PSK from their 
assigned device that is connected to a PEAP/802.1x network so that they can 
connect their BYOD devices.  
Thanks for your help.
Mike
On Wednesday, June 29, 2022, 09:17:06 AM EDT, Zammit, Ludovic 
 wrote:  
 
 Hello Michael,
The DPSK feature checks if the local user created in the PF database table 
person under the field psk.
If you wanted you could populate that field with the PF API or a script and 
they could use the DPSK feature.
Thanks,


Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142



On Jun 27, 2022, at 10:22 PM, Michael Brown via PacketFence-users 
 wrote:

Hi Everyone,
My main wifi network is an 802.1x network that uses AD computer and user groups 
for authentication.  I am opening up a DPSK network to our employees for BYOD.  
I would like to provide the ability for all employees, from their assigned 
device that is registered and connected to our 802.1x wifi network, to access a 
portal module that can be used to authenticate to and then create/access their 
DPSK. 
Is this possible?  I have no problem accessing the status page and registering 
a DPSK device by MAC from a registered device that is connected to the 802.1x 
network but I have issues accessing the portal module to access the DPSK.  When 
accessing the portal from the registered device on the 802.1x network I get 
“Your network should be enabled within a minute or two. If it is not reboot 
your computer.”.  I am assuming this is because the device is already 
registered.  
Thanks for your help.


Re: [PacketFence-users] Accessing Portal Module from 802.1x Network

2022-06-30 Thread Michael Brown via PacketFence-users
 Hi Ludovic,
Will this allow them to access their PSK from the portal?  I am really just 
trying to figure out a way that employees can access their PSK from their 
assigned device that is connected to a PEAP/802.1x network so that they can 
connect their BYOD devices.  
Thanks for your help.
Mike
On Wednesday, June 29, 2022, 09:17:06 AM EDT, Zammit, Ludovic 
 wrote:  
 
 Hello Michael,
The DPSK feature checks if the local user created in the PF database table 
person under the field psk.
If you wanted you could populate that field with the PF API or a script and 
they could use the DPSK feature.
Thanks,


Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142



On Jun 27, 2022, at 10:22 PM, Michael Brown via PacketFence-users 
 wrote:

Hi Everyone,
My main wifi network is an 802.1x network that uses AD computer and user groups 
for authentication.  I am opening up a DPSK network to our employees for BYOD.  
I would like to provide the ability for all employees, from their assigned 
device that is registered and connected to our 802.1x wifi network, to access a 
portal module that can be used to authenticate to and then create/access their 
DPSK. 
Is this possible?  I have no problem accessing the status page and registering 
a DPSK device by MAC from a registered device that is connected to the 802.1x 
network but I have issues accessing the portal module to access the DPSK.  When 
accessing the portal from the registered device on the 802.1x network I get 
“Your network should be enabled within a minute or two. If it is not reboot 
your computer.”.  I am assuming this is because the device is already 
registered.  
Thanks for your help.


[PacketFence-users] Accessing Portal Module from 802.1x Network

2022-06-29 Thread Michael Brown via PacketFence-users
Hi Everyone,
My main wifi network is an 802.1x network that uses AD computer and user groups 
for authentication.  I am opening up a DPSK network to our employees for BYOD.  
I would like to provide the ability for all employees, from their assigned 
device that is registered and connected to our 802.1x wifi network, to access a 
portal module that can be used to authenticate to and then create/access their 
DPSK. 
Is this possible?  I have no problem accessing the status page and registering 
a DPSK device by MAC from a registered device that is connected to the 802.1x 
network but I have issues accessing the portal module to access the DPSK.  When 
accessing the portal from the registered device on the 802.1x network I get 
“Your network should be enabled within a minute or two. If it is not reboot 
your computer.”.  I am assuming this is because the device is already 
registered.  
Thanks for your help.


[PacketFence-users] Upgrade DB Permissions Error

2021-08-26 Thread Michael Brown via PacketFence-users
Hi Guys,
I am trying to upgrade from 10.1.0 to 10.3.0

I stopped all my services and am trying to upgrade MariaDB. When I run the 
command:

mysql_upgrade -u pf -p

I get the following error:

Version check failed. Got the following error when calling the 'mysql' command line client
ERROR 1227 (42000) at line 1: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
FATAL ERROR: Upgrade failed

pf is the account listed on the web admin portal under Configuration > System 
Configuration  > Database > General > User

This is an out of band setup that I installed from the 10.1.0 ZEN ovf.

Any idea how to fix this error?
Thanks,
Mike


Re: [PacketFence-users] Portal Access From Registered Devices

2021-02-23 Thread Michael Brown via PacketFence-users
Just checking in to see if anyone has any ideas on this. I was thinking it 
might be something I am missing in my portal module but am not totally 
sure.
Thanks. 




On Friday, February 19, 2021, 11:12 AM, Michael Brown 
 wrote:

Hi Guys,

I have a root portal module setup that allows a user to sign in to wifi with 
username and password, sign up for wifi access via sponsor email and login to 
obtain a DPSK. 

Is it possible to somehow make this portal available to an already registered 
device?  When I try to access the portal from a device that is already 
registered I get to the portal but it displays the following message “Your 
network should be enabled within a minute or two. If it is not reboot your 
computer.” and there is no way for me to get back to the initial portal choices 
to retrieve my DPSK.  

We will be using DPSK only for IOT devices and because they are IOT devices 
there is no way to access the portal/DPSK directly on these devices.  I want 
our users to be able to sign in to the portal from anywhere to obtain the DPSK 
from the provisioner or retrieve the DPSK already assigned to their account as 
well as register their IOT device via the status/device-registration portion of 
the portal so they can then connect their IOT devices.

I do have "Allow access to registration portal when registered" enabled on the 
Connection Profile > Captive Portal but that seems to just allow the status 
part of the portal not the initial choices.   

Is it possible to make the portal accessible to registered devices?

Thanks,

Mike



[PacketFence-users] Portal Access From Registered Devices

2021-02-19 Thread Michael Brown via PacketFence-users
Hi Guys,

I have a root portal module setup that allows a user to sign in to wifi with 
username and password, sign up for wifi access via sponsor email and login to 
obtain a DPSK. 

Is it possible to somehow make this portal available to an already registered 
device?  When I try to access the portal from a device that is already 
registered I get to the portal but it displays the following message “Your 
network should be enabled within a minute or two. If it is not reboot your 
computer.” and there is no way for me to get back to the initial portal choices 
to retrieve my DPSK.  

We will be using DPSK only for IOT devices and because they are IOT devices 
there is no way to access the portal/DPSK directly on these devices.  I want 
our users to be able to sign in to the portal from anywhere to obtain the DPSK 
from the provisioner or retrieve the DPSK already assigned to their account as 
well as register their IOT device via the status/device-registration portion of 
the portal so they can then connect their IOT devices.

I do have "Allow access to registration portal when registered" enabled on the 
Connection Profile > Captive Portal but that seems to just allow the status 
part of the portal not the initial choices.   

Is it possible to make the portal accessible to registered devices?

Thanks,

Mike



Re: [PacketFence-users] DPSK Authentication - Meraki Access Points

2020-11-21 Thread Michael Brown via PacketFence-users
 That's it Fabrice.  Hostapd worked like a charm.  Got any advice on how to 
adapt the Meraki Cloud Controller V2 module? 
On Friday, November 20, 2020, 09:48:01 PM EST, Durand fabrice 
 wrote:  
 
  
Hello Michael,

you can try with the hostapd switch module, this one uses tunnel-password 
(https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Hostapd.pm#L189)

If it works then it will be easy to adapt the meraki switch module.

Regards

Fabrice

On 20-11-17 at 11:53, Michael Brown via PacketFence-users wrote:

Hey Guys,
Just checking in one more time on this one.  Any ideas?
Thanks,
Mike
  On Thursday, November 12, 2020, 11:38:23 AM EST, Michael Brown 
 wrote:  
  
Based off the auditing log below it looks like PacketFence sends the PSK 
back to the Meraki access point as Cisco-AVPair.  Is there any way to change 
PacketFence to send the PSK as tunnel-password instead of Cisco-AVPair? 

RADIUS Request
User-Name = "00e04c19"
User-Password = "**"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19"

RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttr"
Cisco-AVPair = "psk-mode=ascii"
   
  
   On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown 
 wrote:  
  
  Checking in on this.  
  I put a message up on Meraki and it looks like the problem is the RADIUS 
Access-Accept message is not returning the Tunnel-Password with the user's 
dpsk.  It is only returning the VLAN ID.   Is there something missing in my 
config to make that happen? 
  Thanks. 
  
     On Tuesday, October 20, 2020, 12:07:27 PM EDT, Michael Brown 
 wrote:  
  

Hi Guys,

Has anyone been able to get DPSK working with Meraki access points?

The provisioner portion is working where the user joins a network, signs in to 
the portal and then once they are signed in they are presented with the name of 
the network that uses DPSK and their DPSK password.  The problem is when I try 
to join the DPSK network with the provided DPSK I receive can't connect to this 
network (Windows 10 device).

We have one PacketFence server set up out of band.

Here are my profiles:

PROVIDES DPSK

[Auth-Wireless]
locale=
sources=BYOD-Wireless-User-Authentication
advanced_filter=
provisioners=DPSK
filter=ssid:Auth

DPSK NETWORK PROFILE

[BYOD-Wireless]
locale=
advanced_filter=
filter=ssid:WIFI-BYOD
dpsk=enabled
autoregister=enabled
default_psk_key=testing12345678!
unreg_on_acct_stop=disabled
filter_match_style=all

HERE IS THE AUTH SOURCE FOR Auth-Wireless PROFILE:

[BYOD-Wireless-User-Authentication]
cache_match=0
read_timeout=10
realms=null,domain.com
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\,PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=BYOD Wireless User Authentication
port=389
host=dc.domain.com
write_timeout=5
type=AD

[BYOD-Wireless-User-Authentication rule Network-Administrators]
action0=set_role=WIFI-IT-STAFF-DISTRICT
condition0=memberOf,equals,CN=Network Administrators,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Network Administrators Group

[BYOD-Wireless-User-Authentication rule Faculty-All]
action0=set_role=WIFI-STAFF-GUESTS
condition0=memberOf,equals,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=Active Directory - Faculty All

HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:

Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
Radius server set to PacketFence management
Radius testing: disabled
Radius CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
Radius override: Radius response can overr
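
The thread above turns on which reply attribute carries the PSK: Cisco-AVPair "psk=..." from the Meraki module, or Tunnel-Password from the Hostapd module. As an added example that goes a step beyond the thread (it is not from the posters or from PacketFence's code), the following encodes both attributes to show the difference on the wire: the Cisco-AVPair string is carried as plain text, while Tunnel-Password is salt-encrypted with the RADIUS shared secret as specified in RFC 2868 section 3.5. The PSK is the one in the audit log quoted above; the shared secret, Request Authenticator and salt are constructed values.

```python
import hashlib
import os
import struct

# Constructed demo inputs (assumptions, not values from the thread).
SHARED_SECRET = b"constructed-radius-secret"
REQUEST_AUTH = bytes(range(16))      # 16-octet Request Authenticator
DEMO_SALT = b"\x80\x01"              # fixed only so the demo is repeatable
PSK = b"otahreeddttr"                # PSK shown in the quoted audit log


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_tunnel_password(psk, secret, request_auth, salt=None):
    """Return Salt + ciphertext, the value of a Tunnel-Password attribute."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not psk or len(psk) > 239:
        raise ValueError("password must be 1..239 octets to fit one attribute")
    if salt is None:
        raw = os.urandom(2)
        salt = bytes([raw[0] | 0x80, raw[1]])   # high bit of the salt must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    # Plaintext = length octet + password, zero-padded to a multiple of 16.
    plain = bytes([len(psk)]) + psk
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth + salt        # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                            # b(i) = MD5(S + c(i-1))
    return salt + out


def decrypt_tunnel_password(value, secret, request_auth):
    """Inverse of encrypt_tunnel_password, as the NAS would perform it."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("bad length octet: wrong secret or authenticator")
    return plain[1:1 + length]


def tunnel_password_attribute(value, tag=0):
    """Type 69, length, tag, then Salt + ciphertext."""
    return bytes([69, 3 + len(value), tag]) + value


def cisco_avpair_attribute(text):
    """Type 26 (Vendor-Specific), vendor 9 (Cisco), vendor type 1 (Cisco-AVPair)."""
    data = text.encode()
    sub = bytes([1, 2 + len(data)]) + data
    return bytes([26, 6 + len(sub)]) + struct.pack("!I", 9) + sub


if __name__ == "__main__":
    avp = cisco_avpair_attribute("psk=" + PSK.decode())
    tp = tunnel_password_attribute(
        encrypt_tunnel_password(PSK, SHARED_SECRET, REQUEST_AUTH, DEMO_SALT))
    print("Cisco-AVPair   :", avp.hex(), "| PSK visible:", PSK in avp)
    print("Tunnel-Password:", tp.hex(), "| PSK visible:", PSK in tp)
```
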

Re: [PacketFence-users] DPSK Authentication - Meraki Access Points

2020-11-17 Thread Michael Brown via PacketFence-users
 Hey Guys,
Just checking in one more time on this one.  Any ideas? 
Thanks,
Mike
On Thursday, November 12, 2020, 11:38:23 AM EST, Michael Brown 
 wrote:  
 
Based off the auditing log below it looks like PacketFence sends the PSK back 
to the Meraki access point as Cisco-AVPair.  Is there any way to change 
PacketFence to send the PSK as tunnel-password instead of Cisco-AVPair?

RADIUS Request
User-Name = "00e04c19"
User-Password = "**"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19"

RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttr"
Cisco-AVPair = "psk-mode=ascii"


On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown 
 wrote:  
 
  Checking in on this. 
I put a message up on Meraki and it looks like the problem is the RADIUS 
Access-Accept message is not returning the Tunnel-Password with the user's 
dpsk.  It is only returning the VLAN ID.   Is there something missing in my 
config to make that happen?
Thanks.


Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread Michael Brown via PacketFence-users
 I have a wildcard from Digicert and used this to get the cert: Apache: CSR &
SSL Installation (OpenSSL)





Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  



On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users  wrote:  
 
 More digging, more tries, more frustrations 
Further to my previous email. I replaced three files from SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene

-Original Message-
From: ype...@gmail.com  
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."


This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from www.sslforfree.com? And what's the correct procedure to install an 
SSL certificate to PF? Never saw it in the documentation.
I need it for a captive portal.

Eugene

-Original Message-
From: mj via PacketFence-users 
Sent: Wednesday, November 11, 2020 1:38 AM
To: packetfence-users@lists.sourceforge.net
Cc: mj 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look at Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailing list on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again
> 
> 
> How would I install a wildcard SSL certificate on PF, see more details 
> below
> 
> Eugene
> 
> *From:* E.P. 
> *Sent:* Saturday, October 31, 2020 2:43 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Wildcard SSL certificate installation on PF
> 
> Guys,
> 
> I’m trying to overcome the issue with a self-signed SSL certificate 
> that PF offers to WiFi authentication via captive portal.
> 
> This a certificate that is in use by HTTPS sessions
> 
> Certificate/Key match
> 
> Chain is invalid
> 
> common_name
> 
> 127.0.0.1, emailAddress=supp...@inverse.ca 
> 
> 
> issuer
> 
> C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, 
> emailAddress=supp...@inverse.ca 
> 
> 
> not_after
> 
> Oct 7 15:29:09 2021 GMT
> 
> not_before
> 
> Oct 7 15:29:09 2020 GMT
> 
> serial
> 
> A500DC03671C0E35
> 
> subject
> 
> C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, 
> emailAddress=supp...@inverse.ca 
> 
> 
> Is there any way to import and install a company wild card SSL 
> certificate into PF
> 
> 
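How a TLS client decides whether a wildcard certificate such as the *.example.com one asked about in this thread covers the name the portal is reached by, following the RFC 6125 matching rules. This is an added example, not PacketFence code; pf.example.com and the function names are made up for illustration.

```python
"""Hostname matching for wildcard certificates (added example, not PacketFence code)."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern, hostname):
    """True if one certificate name (pattern) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h or len(p) != len(h):
        return False          # a wildcard stands for exactly one label
    if any("*" in label for label in p[1:]):
        return False          # "*" is only honoured in the leftmost label
    if p[0] == "*":
        # Require at least "*.domain.tld", then compare the remaining labels.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False          # partial wildcards ("pf*.x.y") are rejected here
    return p == h


def names_used(common_name, san_dns_names):
    """Names a client checks: SAN dNSName entries win over the CN.

    RFC 6125 allows the CN only as a fallback when no SAN dNSName exists;
    some current browsers ignore the CN altogether.
    """
    if san_dns_names:
        return list(san_dns_names)
    return [common_name] if common_name else []


def cert_covers(hostname, common_name, san_dns_names=()):
    return any(dns_name_matches(name, hostname)
               for name in names_used(common_name, san_dns_names))


def check_portal_names(hostnames, common_name, san_dns_names=()):
    """Map each name the portal is reached by to covered / not covered."""
    return {h: cert_covers(h, common_name, san_dns_names) for h in hostnames}


if __name__ == "__main__":
    # Constructed inputs modelled on the thread; pf.example.com is hypothetical.
    hosts = ["pf.example.com", "example.com", "portal.pf.example.com"]
    print(check_portal_names(hosts, "*.example.com"))
    print(check_portal_names(hosts, "*.example.com",
                             ["*.example.com", "example.com"]))
    print(check_portal_names(hosts, "127.0.0.1"))  # CN of the self-signed cert
```

A wildcard covers exactly one label, so the portal hostname has to sit directly under the wildcard's domain or be listed as an extra SAN, as was done with the duplicate certificate mentioned at the top of this message.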

Re: [PacketFence-users] DPSK Authentication - Meraki Access Points

2020-11-12 Thread Michael Brown via PacketFence-users
 Based off the auditing log below it looks like PacketFence sends the PSK back 
to the Meraki access point as Cisco-AVPair.  Is there any way to change 
PacketFence to send the PSK as tunnel-password instead of Cisco-AVPair?

RADIUS Request
User-Name = "00e04c19"
User-Password = "**"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19"

RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttr"
Cisco-AVPair = "psk-mode=ascii"


On Wednesday, November 11, 2020, 01:26:30 PM EST, Michael Brown 
 wrote:  
 
  Checking in on this. 
I put a message up on Meraki and it looks like the problem is the RADIUS 
Access-Accept message is not returning the Tunnel-Password with the user's 
dpsk.  It is only returning the VLAN ID.   Is there something missing in my 
config to make that happen?
Thanks.

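The difference this message turns on, shown at the byte level: an RFC 2868 Tunnel-Password attribute is encrypted hop by hop with the RADIUS shared secret and the Request Authenticator, while a Cisco-AVPair string is carried as plain text. This is an added example, not PacketFence or Meraki code; the shared secret, authenticator and salt are constructed, and the PSK is the sample value from the audit log in this message.

```python
"""RFC 2868 Tunnel-Password vs. Cisco-AVPair encoding (added example)."""
import hashlib
import os

TUNNEL_PASSWORD = 69      # RFC 2868 attribute type
VENDOR_SPECIFIC = 26      # RFC 2865 attribute type
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor type of Cisco-AVPair


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_tunnel_password(psk, secret, request_auth, tag=0, salt=None):
    """Build a Tunnel-Password attribute as the RADIUS server would.

    request_auth is the 16-byte Request Authenticator of the Access-Request
    that this Access-Accept answers.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0x00..0x1F")
    if len(psk) > 239:
        raise ValueError("password does not fit in one attribute")
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt is 2 bytes with the top bit set")
    # Plaintext = length byte + password, zero-padded to a multiple of 16.
    plain = bytes([len(psk)]) + psk
    plain += b"\x00" * (-len(plain) % 16)
    cipher, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        # b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)); MD5 is what the RFC specifies.
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        cipher += block
        prev = block
    value = bytes([tag]) + salt + cipher
    return bytes([TUNNEL_PASSWORD, len(value) + 2]) + value


def decode_tunnel_password(attr, secret, request_auth):
    """Recover (tag, password) as the access point (NAS) would."""
    if len(attr) < 21 or attr[0] != TUNNEL_PASSWORD or attr[1] != len(attr):
        raise ValueError("not a well-formed Tunnel-Password attribute")
    tag, salt, cipher = attr[2], attr[3:5], attr[5:]
    if len(cipher) % 16:
        raise ValueError("ciphertext is not a multiple of 16 bytes")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("bad length: wrong secret or authenticator")
    return tag, plain[1:1 + length]


def encode_cisco_avpair(text):
    """Build a Vendor-Specific attribute holding one Cisco-AVPair string."""
    data = text.encode()
    vsa = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    value = CISCO_VENDOR_ID.to_bytes(4, "big") + vsa
    return bytes([VENDOR_SPECIFIC, len(value) + 2]) + value


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed, not from the page
    request_auth = bytes(range(16))            # constructed authenticator
    psk = b"otahreeddttr"                      # sample PSK from the audit log
    hidden = encode_tunnel_password(psk, secret, request_auth)
    clear = encode_cisco_avpair("psk=" + psk.decode())
    print("Tunnel-Password:", hidden.hex())
    print("Cisco-AVPair:   ", clear.hex(), "contains PSK:", psk in clear)
    print("decoded by NAS: ", decode_tunnel_password(hidden, secret, request_auth))
```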

Re: [PacketFence-users] DPSK Authentication - Meraki Access Points

2020-11-11 Thread Michael Brown via PacketFence-users
 Checking in on this. 
I put a message up on Meraki and it looks like the problem is the RADIUS 
Access-Accept message is not returning the Tunnel-Password with the user's 
dpsk.  It is only returning the VLAN ID.   Is there something missing in my 
config to make that happen?
Thanks.

 On Tuesday, October 20, 2020, 12:07:27 PM EDT, Michael Brown 
 wrote:  
 
 

[PacketFence-users] DPSK Authentication - Meraki Access Points

2020-10-22 Thread Michael Brown via PacketFence-users

Hi Guys,

Has anyone been able to get DPSK working with Meraki access points?

The provisioner portion is working where the user joins a network, signs in to 
the portal and then once they are signed in they are presented with the name of 
the network that uses DPSK and their DPSK password. The problem is when I try to 
join the DPSK network with the provided DPSK I receive can't connect to this 
network (Windows 10 device).

We have one PacketFence server set up out of band.

Here are my profiles:

PROVIDES DPSK

[Auth-Wireless]
locale=
sources=BYOD-Wireless-User-Authentication
advanced_filter=
provisioners=DPSK
filter=ssid:Auth

DPSK NETWORK PROFILE

[BYOD-Wireless]
locale=
advanced_filter=
filter=ssid:WIFI-BYOD
dpsk=enabled
autoregister=enabled
default_psk_key=testing12345678!
unreg_on_acct_stop=disabled
filter_match_style=all

HERE IS THE AUTHSOURCE FOR Auth-Wireless PROFILE:

[BYOD-Wireless-User-Authentication]
cache_match=0
read_timeout=10
realms=null,domain.com
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\,PacketFence,OU=IT,Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=BYODWireless User Authentication
port=389
host=dc.domain.com
write_timeout=5
type=AD

[BYOD-Wireless-User-Authentication rule Network-Administrators]
action0=set_role=WIFI-IT-STAFF-DISTRICT
condition0=memberOf,equals,CN=NetworkAdministrators,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=ActiveDirectory - Network Administrators Group

[BYOD-Wireless-User-Authentication rule Faculty-All]
action0=set_role=WIFI-STAFF-GUESTS
condition0=memberOf,equals,CN=Faculty- All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
description=ActiveDirectory - Faculty All

HERE IS THE MERAKI SSID CONFIG FOR THE DPSK NETWORK:

Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
Radius server set to PacketFence management
Radius testing: disabled
Radius CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
Radius override: Radius response can override VLAN tag

HERE IS WHAT THE PFLOG SAYS WHEN I TRY TO JOIN:

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:a8:1e:84:a6:ca:7d] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.19), connection_type => Wireless-802.11-NoEAP,switch_mac => (e2:cb:ac:91:85:df), mac => [00:e0:4c:19:dd:56], port => 0, username => "00e04c19dd56", ssid => WIFI-BYOD (pf::radius::authorize)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile BYOD-Wireless (pf::Connection::ProfileFactory::_from_profile)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'local,file1,Faculty-All,Wifi-Sponsors,District-Wireless-User-Authentication,Guest-Wireless-User-Authentication,BYOD-Wireless-User-Authentication' for realm 'null' (pf::config::util::filter_authentication_sources)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:56] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Oct 17 

Re: [PacketFence-users] Captive Portal Auto Reauthentication

2020-08-09 Thread Michael Brown via PacketFence-users
 Ok thanks a lot for the reply Ludovic.

On Wednesday, August 5, 2020, 10:11:13 AM EDT, Ludovic Zammit 
 wrote:  
 
 Hello Michael,
No, they would have to submit their credential once PF unreg their node past 
the unreg_date. Only 802.1x has that kind of feature.
Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




On Jul 31, 2020, at 12:19 PM, Michael Brown via PacketFence-users 
 wrote:
Hi Guys,
Is there a way to have clients who have authenticated via the captive portal 
(Wireless-No-EAP) using their Active Directory credentials to reauthenticate 
automatically after their Access Duration time limit has expired?  

Thanks,
Mike
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users




Re: [PacketFence-users] Captive Portal Auto Reauthentication

2020-08-05 Thread Michael Brown via PacketFence-users
Checking in on this. Thanks. 


Sent from Yahoo Mail for iPhone


On Friday, July 31, 2020, 12:19 PM, Michael Brown  
wrote:

Hi Guys,
Is there a way to have clients who have authenticated via the captive portal 
(Wireless-No-EAP) using their Active Directory credentials to reauthenticate 
automatically after their Access Duration time limit has expired?  

Thanks,
Mike




[PacketFence-users] Captive Portal Auto Reauthentication

2020-07-31 Thread Michael Brown via PacketFence-users
Hi Guys,
Is there a way to have clients who have authenticated via the captive portal 
(Wireless-No-EAP) using their Active Directory credentials to reauthenticate 
automatically after their Access Duration time limit has expired?  

Thanks,
Mike


Re: [PacketFence-users] PacketFence and Domain Join Issues

2020-07-23 Thread Michael Brown via PacketFence-users
 That did it.  Thanks a lot. 
On Wednesday, July 22, 2020, 09:02:17 PM EDT, Christian McDonald via 
PacketFence-users  wrote:  
 
 Bug with winbindd not being enabled after joining the domain...so winbindd 
isn’t running when you reboot.
Run /usr/local/pf/addons/pf-maint.pl to pull latest patches and try again.
On Wed, Jul 22, 2020 at 1:02 PM Louis Scaringella via PacketFence-users 
 wrote:

Hello,

We are running PacketFence 10.1.0 and running into an issue when joining the 
domain. It seems we are able to join the domain just fine, but after a 
rebooting, we see the message “Cannot open network namespace RQSDomain”. When 
we re-join it seems to join fine and is green, but always after a reboot this 
fails to show it is joined still.

Any ideas to please help with this issue?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


-- 
R. Christian McDonald M: (616) 856-9291 E: rcmcdonald91@gmail.com


[PacketFence-users] PacketFence and Domain Join Issues

2020-07-22 Thread Michael Brown via PacketFence-users
We are seeing this too.  Did you find a solution?  
We are running PacketFence 10.1.0 ZEN.  Thanks.


Re: [PacketFence-users] Sponsor Email - Activate Access 404 error

2020-07-16 Thread Michael Brown via PacketFence-users
 Almost there with this.
I added the portal daemon on the management interface
I added a dns record in our AD for the management interface IP - pf.domain.com
On the sponsor authentication source I put pf.domain.com in the Host in 
activation link field
Now everything works except that when the sponsor clicks the link in the email 
and logs in to the portal to authorize the request I get "does not have 
permission to sponsor a user".  What seems to be happening is when the sponsor 
logs in to the portal after clicking the link in the auth email each auth 
source is checked for a match to the sponsor login from top down.  The first 
auth source that matches the sponsor user's credentials is used to validate the 
sponsor's auth and if that matched source does not have an admin rule defined 
setting the user as a sponsor the sponsor's allow access to the requester will 
fail.  Is there any way around this?  Is there a way to tell the portal to use a 
specific auth source when the sponsor logs in to the portal to allow the user 
requesting the access? 
Here is what the pf log says 
Jul 15 00:16:40 srv-pf-02 packetfence_httpd.portal: httpd.portal(888) INFO: 
[mac:0] [00:e0:4c:19:dd:56] Activation code sent to email mcbr...@domain.com 
from michaelbrow...@yahoo.com successfully verified. for activation type: 
sponsor (pf::activation::validate_code)
Jul 15 00:16:40 srv-pf-02 packetfence_httpd.portal: httpd.portal(888) INFO: 
[mac:0] Realm source is part of the connection profile sources. Using it as the 
only auth source. 
(captiveportal::PacketFence::Controller::Authenticate::getSources)
Jul 15 00:16:40 srv-pf-02 packetfence_httpd.portal: httpd.portal(888) ERROR: 
[mac:0] unable to read password file '/usr/local/pf/conf/admin.conf' 
(pf::Authentication::Source::HtpasswdSource::authenticate)
Jul 15 00:16:40 srv-pf-02 packetfence_httpd.portal: httpd.portal(888) INFO: 
[mac:0] [Faculty-All] Authentication successful for mcbrown 
(pf::Authentication::Source::LDAPSource::authenticate)
Jul 15 00:16:40 srv-pf-02 packetfence_httpd.portal: httpd.portal(888) INFO: 
[mac:0] Authentication successful for mcbrown in source Faculty-All (AD) 
(pf::authentication::authenticate)
Jul 15 00:16:40 srv-pf-02 packetfence_httpd.portal: httpd.portal(888) INFO: 
[mac:0] Successfully authenticated mcbrown/192.168.13.11/0 
(captiveportal::PacketFence::Controller::Authenticate::authenticationLogin)
Jul 15 00:16:40 srv-pf-02 packetfence_httpd.portal: httpd.portal(888) INFO: 
[mac:0] Using sources Faculty-All for matching (pf::authentication::match2)
Jul 15 00:16:40 srv-pf-02 packetfence_httpd.portal: httpd.portal(888) ERROR: 
[mac:0] mcbrown does not have permission to sponsor a user 
(captiveportal::PacketFence::Controller::Activate::Email::doSponsorRegistration)

Here are the settings in authentication.conf of the two auth sources used for 
sponsor

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no
validate_sponsor=yes
password_length=8
set_access_durations_action=
lang=en_US
local_account_logins=0
activation_domain=pf.domain.com
email_activation_timeout=30m
sources=Wifi-Sponsors
hash_passwords=bcrypt

[sponsor rule catchall]
action0=set_role=guest
status=enabled
match=all
class=authentication
action1=set_access_duration=1D

[Wifi-Sponsors]
cache_match=0
read_timeout=10
realms=null
basedn=DC=domain,DC=local
monitor=1
password=password
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Wifi Sponsors
port=389
host=dc.domain.com
write_timeout=5
type=AD

[Wifi-Sponsors rule Wifi-Sponsors_Admin]
action0=set_access_level=ALL
condition0=groupMembership,is member of,CN=Wifi Sponsors,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=administration
action1=mark_as_sponsor=1




Thanks again.
Mike









On Sunday, July 12, 2020, 09:38:46 PM EDT, Michael Brown 
 wrote:  
 
 DNS assignment? on PacketFence or client or is it AD DNS? What IP should the 
approval be going to? management IP? 


Sent from Yahoo Mail for iPhone


On Sunday, July 12, 2020, 7:32 PM, G PL via PacketFence-users 
 wrote:

Hello, bad DNS
On Sun, Jul 12, 2020 at 20:15, Michael Brown via PacketFence-users 
 wrote:

Hey Guys,
I am in the middle of setting up sponsor email authentication.
Got everything working up until the sponsor approval.  When I click on the 
Activate Access button/link in the sponsor email I get a 404 error.  I am 
assuming this is because the link brings the sponsor to the portal and because 
the sponsor is on a production vlan the portal cannot be accessed.  
Here is the link the sponsor is redirected 
to: https://packetfence.packetfence.org/activate/email/sponsor/xx
Is this an access issue with the sponsor portion of the portal and if so how 
can I make the email sponsor portion of the portal

Re: [PacketFence-users] Sponsor Email - Activate Access 404 error

2020-07-13 Thread Michael Brown via PacketFence-users
 I don't see the sponsor daemon as an option under interfaces?
On Monday, July 13, 2020, 03:06:20 AM EDT, i...@gcnet.it  
wrote:  
 
 
You must enable the sponsor daemon on the interface the sponsor comes from.
 Check with netstat whether port 443 is listening on that interface, probably 
not.  After you enable the sponsor you must restart haproxy portal, iptables 
and maybe other services, or reboot the pf 
 Bye bye
  
--
 GC Net
Sunday, 12 July 2020, 08:15PM +02:00 from Michael Brown via PacketFence-users 
packetfence-users@lists.sourceforge.net:


  
Hey Guys,
I am in the middle of setting up sponsor email authentication.
Got everything working up until the sponsor approval.  When I click on the 
Activate Access button/link in the sponsor email I get a 404 error.  I am 
assuming this is because the link brings the sponsor to the portal and because 
the sponsor is on a production vlan the portal cannot be accessed.  
Here is the link the sponsor is redirected 
to: https://packetfence.packetfence.org/activate/email/sponsor/xx
Is this an access issue with the sponsor portion of the portal and if so how 
can I make the email sponsor portion of the portal available to all of our 
production vlans?
Thanks again for your help. 
Mike 
 ___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Sponsor Email - Activate Access 404 error

2020-07-12 Thread Michael Brown via PacketFence-users
DNS assignment? on PacketFence or client or is it AD DNS? What IP should the 
approval be going to? management IP? 


On Sunday, July 12, 2020, 7:32 PM, G PL via PacketFence-users 
 wrote:

Hello, bad DNS
On Sun, 12 Jul 2020 at 20:15, Michael Brown via PacketFence-users wrote:

Hey Guys,
I am in the middle of setting up sponsor email authentication.
Got everything working up until the sponsor approval.  When I click on the 
Activate Access button/link in the sponsor email I get a 404 error.  I am 
assuming this is because the link brings the sponsor to the portal and because 
the sponsor is on a production vlan the portal cannot be accessed.  
Here is the link the sponsor is redirected 
to: https://packetfence.packetfence.org/activate/email/sponsor/xx
Is this an access issue with the sponsor portion of the portal and if so how 
can I make the email sponsor portion of the portal available to all of our 
production vlans?
Thanks again for your help. 
Mike


[PacketFence-users] Sponsor Email - Activate Access 404 error

2020-07-12 Thread Michael Brown via PacketFence-users
Hey Guys,
I am in the middle of setting up sponsor email authentication.
Got everything working up until the sponsor approval.  When I click on the 
Activate Access button/link in the sponsor email I get a 404 error.  I am 
assuming this is because the link brings the sponsor to the portal and because 
the sponsor is on a production vlan the portal cannot be accessed.  
Here is the link the sponsor is redirected 
to: https://packetfence.packetfence.org/activate/email/sponsor/xx
Is this an access issue with the sponsor portion of the portal and if so how 
can I make the email sponsor portion of the portal available to all of our 
production vlans?
Thanks again for your help. 
Mike


Re: [PacketFence-users] Machine Authentication

2020-07-08 Thread Michael Brown via PacketFence-users
ce_httpd.aaa: httpd.aaa(1907) WARN: 
[mac:00:e0:4c:19:dd:56] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: 
[mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST. 
domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes 
is reached (pf::node::is_max_reg_nodes_reached)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 
00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed 
(pf::registration::setup_node_for_registration)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by 
any sources (pf::radius::authorize)
 Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot 
add or update a child row: a foreign key constraint fails (`pf`.`node`, 
CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` 
(`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT 
INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, 
`category_id`, `computername`, `detect_date`, `device_class`, 
`device_manufacturer`, `device_score`, `device_type`, `device_version`, 
`dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, 
`last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, 
`notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, 
`unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE 
KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = 
?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, 
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -00-00 00:00:00, 
-00-00 00:00:00, -00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. 
domain.local, NULL, host/IT-VM-TEST. domain.local, -00-00 00:00:00, NULL, 
unreg, 1, NULL, -00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. 
domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute) 
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) 
(pf::radius::authorize)
  
  Thanks. Mike 
   
 
Regards
  
Fabrice
 

 
 
  
  On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via 
PacketFence-users  wrote:  
  
 
Hello Michael,
 

 
On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
  
 
  Hi Guys, 
  I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.   
  The access points are all Meraki.  
  
  On packetfence I have the following:
  Connection Profile
  Automatically register devices is turned on
  Connection Type = Wireless-802.11 EAP
  Authentication Profile
  Realm: Host

Realm can't be Host, it's supposed to be the fqdn of the domain, like 
host/x1234.acme.com the realm is acme.com

So create the realm acme.com, associate the domain to it and in the 
authentication source (AD) edit the authentication rule and remove Realm = host

Next connect to the ssid and paste the packetfence.log and the radius.log file 
if it still doesn't work.

Regards

Fabrice

  Group Membership > is a member of > CN=DomainComputers,CN=Users,DC=x,DC=local
  Role > Default
  Access Duration > 1hr
  Username Attribute = servicePrincipalName
  
  On a domain device that is a member of Domain Computers, when I choose to 
join the wireless network it is prompting me for a username and password.   
  Any ideas on how I can get the Domain Computer devices to auto join? 
  Thanks a lot.   Mike 
  
  
  
 
 
  
   ___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
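
The wrapped log excerpt in the message above can be re-assembled into one record per entry and grouped per MAC, so the failure sequence reads in order. This is an added example, not code from the thread or from PacketFence: the entry layout is an assumption inferred from the quoted lines, the function names are hypothetical, and the sample is constructed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the packetfence.log entries quoted in the
# thread: wrapped as the archive wraps them, first entry cut off at the start,
# one entry fused onto the tail of another, long SQL shortened to "...".
SAMPLE = """\
ce_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST.
domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes
is reached (pf::node::is_max_reg_nodes_reached) Jul  6 00:34:40 srv-pf-02
packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role
computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST.
domain.local failed (pf::registration::setup_node_for_registration)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR:
[mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by
any sources (pf::radius::authorize)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR:
[mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot
add or update a child row: a foreign key constraint fails (`pf`.`node`, ...)
(errno: 1452) [INSERT INTO `node` ...] (pf::dal::db_execute)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR:
[mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500)
(pf::radius::authorize)
"""

# Syslog-style timestamp as it appears in the thread, e.g. "Jul  6 00:34:40".
TS = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"

# Assumed layout, inferred only from the quoted lines:
# <ts> <host> <service>: <proc>(<pid>) <LEVEL>: [mac:<mac>] <msg> (<perl::sub>)
ENTRY_RE = re.compile(
    rf"^(?P<ts>{TS})\s+(?P<host>\S+)\s+(?P<service>\S+):\s+"
    r"(?P<proc>[\w.]+)\((?P<ospid>\d+)\)\s+(?P<level>[A-Z]+):\s+"
    r"\[mac:(?P<mac>[0-9A-Fa-f:]+)\]\s+(?P<msg>.*?)\s+"
    r"\((?P<sub>\w+(?:::\w+)+)\)$"
)


def split_entries(text):
    """Undo the wrapping: return one string per log entry.

    A new entry starts wherever a timestamp is followed by a host and a
    'service:' token, even in the middle of a wrapped line.
    """
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    parts = re.split(rf"(?=(?<!\S){TS}\s+\S+\s+\S+:\s)", flat)
    return [p.strip() for p in parts if p.strip()]


def parse(text):
    """Return (entries, skipped): parsed dicts and fragments lacking a header."""
    entries, skipped = [], []
    for raw in split_entries(text):
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(m.groupdict())
        else:
            skipped.append(raw)
    return entries, skipped


def failure_chains(entries):
    """Group WARN/ERROR entries by MAC address, preserving log order."""
    chains = defaultdict(list)
    for e in entries:
        if e["level"] in ("WARN", "ERROR"):
            chains[e["mac"]].append((e["level"], e["sub"], e["msg"]))
    return dict(chains)


if __name__ == "__main__":
    entries, skipped = parse(SAMPLE)
    for mac, chain in failure_chains(entries).items():
        print(mac)
        for level, sub, msg in chain:
            print(f"  {level:5} {sub}: {msg[:60]}")
    print(f"{len(skipped)} fragment(s) without a full header skipped")
```

Read top to bottom, the output lists the role warnings and errors before the database and "Cannot save" errors for the same MAC, which is the order they appear in the quoted log.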


Re: [PacketFence-users] Machine Authentication

2020-07-06 Thread Michael Brown via PacketFence-users
?, ?, ?, 
?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE 
KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = 
?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, 
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -00-00 00:00:00, 
-00-00 00:00:00, -00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. 
domain.local, NULL, host/IT-VM-TEST. domain.local, -00-00 00:00:00, NULL, 
unreg, 1, NULL, -00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. 
domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute) 
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) 
(pf::radius::authorize)
  
  Thanks. Mike 
   
 
Regards
 
Fabrice
 

 
 
  
  On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via 
PacketFence-users  wrote:  
  
 
Hello Michael,
 

 
On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
  
 
  Hi Guys, 
  I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.   
  The access points are all Meraki.  
  
  On packetfence I have the following:
  Connection Profile
  Automatically register devices is turned on
  Connection Type = Wireless-802.11 EAP
  Authentication Profile
  Realm: Host

Realm can't be Host, it's supposed to be the fqdn of the domain, like 
host/x1234.acme.com the realm is acme.com

So create the realm acme.com, associate the domain to it and in the 
authentication source (AD) edit the authentication rule and remove Realm = host

Next connect to the ssid and paste the packetfence.log and the radius.log file 
if it still doesn't work.

Regards

Fabrice

  Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=x,DC=local
  Role > Default
  Access Duration > 1hr
  Username Attribute = servicePrincipalName
  
  On a domain device that is a member of Domain Computers, when I choose to 
join the wireless network it is prompting me for a username and password.   
  Any ideas on how I can get the Domain Computer devices to auto join? 
  Thanks a lot.   Mike 
  
  
  
 
 
  


Re: [PacketFence-users] Machine Authentication

2020-07-06 Thread Michael Brown via PacketFence-users
 ERROR: 
[mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by 
any sources (pf::radius::authorize)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot 
add or update a child row: a foreign key constraint fails (`pf`.`node`, 
CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` 
(`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT 
INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, 
`category_id`, `computername`, `detect_date`, `device_class`, 
`device_manufacturer`, `device_score`, `device_type`, `device_version`, 
`dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, 
`last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, 
`notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, 
`unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE 
KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = 
?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, 
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -00-00 00:00:00, 
-00-00 00:00:00, -00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. 
domain.local, NULL, host/IT-VM-TEST. domain.local, -00-00 00:00:00, NULL, 
unreg, 1, NULL, -00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. 
domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: 
[mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) 
(pf::radius::authorize)

Thanks. Mike

On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via 
PacketFence-users  wrote:  
 
  
Hello Michael,
 

 
On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
  
 
   Hi Guys, 
  I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.   
  The access points are all Meraki.  
  
  On packetfence I have the following:
  Connection Profile
  Automatically register devices is turned on
  Connection Type = Wireless-802.11 EAP
  Authentication Profile
  Realm: Host

Realm can't be Host, it's supposed to be the fqdn of the domain, like 
host/x1234.acme.com the realm is acme.com

So create the realm acme.com, associate the domain to it and in the 
authentication source (AD) edit the authentication rule and remove Realm = host

Next connect to the ssid and paste the packetfence.log and the radius.log file 
if it still doesn't work.

Regards

Fabrice

  Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=x,DC=local
  Role > Default
  Access Duration > 1hr
  Username Attribute = servicePrincipalName
  
  On a domain device that is a member of Domain Computers, when I choose to 
join the wireless network it is prompting me for a username and password.   
  Any ideas on how I can get the Domain Computer devices to auto join? 
  Thanks a lot.   Mike 
  
  
  
 
 
  


Re: [PacketFence-users] Machine Authentication

2020-07-05 Thread Michael Brown via PacketFence-users
 I am just trying to manually connect to the network for now.  Was holding off 
on the GP because I am still testing. 
I have no problem connecting to the wifi network via 802.1x packetfence when 
using a domain username/password.  I have a separate Authentication Source 
defined for users who are  members of the Domain Users group.  When this 
Authentication Source is used when attempting to join the wifi network and I 
use a Domain User member username and password to log in, everything works 
fine.  The problem is when I am trying to connect using just machine 
authentication and the Domain Computers Authentication Source. 





On Saturday, July 4, 2020, 10:44:40 PM EDT, Bill Handler 
 wrote:  
 
 Group Policy for 802.1x - under Computer in GPO Editor, security settings, 
wireless.  You can set it up so the GPO has the end system connect to the SSID 
and authenticate via 802.1x.
Set up your AD server as the authentication source in PF.  It’s explained in 
the install doc. 
Lots of Google articles show how to set up the GPO for your end systems. 

Thanks,
 
 
 
Bill

Sent from my iPad
On Jul 4, 2020, at 10:38 PM, Michael Brown via PacketFence-users 
 wrote:


A Windows Domain group policy? That does what? Push out wifi network?
I have Windows NPS setup and computers can join wifi successfully based on 
their Domain Computers membership.  No special settings are needed, you just 
click connect from the regular Windows wifi settings and it authenticated 
without ever prompting the user for any input.  Trying to achieve this via 
packetfence so I can get rid of NPS.  
Thanks.

On Saturday, July 4, 2020, 08:25:25 PM EDT, G PL via PacketFence-users 
 wrote:

Hello,
Probably a Group policy is missing for the computer configuration. 
Regards
On Tue, 30 Jun 2020 at 22:20, Michael Brown via PacketFence-users wrote:

Hi Guys,
I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.  
The access points are all Meraki. 

On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP
Authentication Profile
Realm: Host
Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=x,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName

On a domain device that is a member of Domain Computers, when I choose to join 
the wireless network it is prompting me for a username and password.  
Any ideas on how I can get the Domain Computer devices to auto join?
Thanks a lot.  Mike






Re: [PacketFence-users] Machine Authentication

2020-07-04 Thread Michael Brown via PacketFence-users
 A Windows Domain group policy? That does what? Push out wifi network?
I have Windows NPS setup and computers can join wifi successfully based on 
their Domain Computers membership.  No special settings are needed, you just 
click connect from the regular Windows wifi settings and it authenticated 
without ever prompting the user for any input.  Trying to achieve this via 
packetfence so I can get rid of NPS.  
Thanks.

On Saturday, July 4, 2020, 08:25:25 PM EDT, G PL via PacketFence-users 
 wrote:  
 
 Hello,
Probably a Group policy is missing for the computer configuration. 
Regards
On Tue, 30 Jun 2020 at 22:20, Michael Brown via PacketFence-users wrote:

Hi Guys,
I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.  
The access points are all Meraki. 

On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP
Authentication Profile
Realm: Host
Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=x,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName

On a domain device that is a member of Domain Computers, when I choose to join 
the wireless network it is prompting me for a username and password.  
Any ideas on how I can get the Domain Computer devices to auto join?
Thanks a lot.  Mike






Re: [PacketFence-users] Machine Authentication

2020-07-04 Thread Michael Brown via PacketFence-users
 Just checking to see if any ideas on this one.  Thanks.
On Tuesday, June 30, 2020, 04:19:42 PM EDT, Michael Brown via 
PacketFence-users  wrote:  
 
 Hi Guys,
I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.  
The access points are all Meraki. 

On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP
Authentication Profile
Realm: Host
Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=x,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName

On a domain device that is a member of Domain Computers, when I choose to join 
the wireless network it is prompting me for a username and password.  
Any ideas on how I can get the Domain Computer devices to auto join?
Thanks a lot.  Mike






[PacketFence-users] Machine Authentication

2020-06-30 Thread Michael Brown via PacketFence-users
Hi Guys,
I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.  
The access points are all Meraki. 

On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP
Authentication Profile
Realm: Host
Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=x,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName

On a domain device that is a member of Domain Computers, when I choose to join 
the wireless network it is prompting me for a username and password.  
Any ideas on how I can get the Domain Computer devices to auto join?
Thanks a lot.  Mike






[PacketFence-users] Captive Portal Redirect

2020-06-14 Thread Michael Brown via PacketFence-users
Hey Guys,

I am trying to get 802.1x with captive portal working for a byod wireless 
network using MR42 and MR52 Meraki access points.
PacketFence Version: ZEN 10.0.1
PF Management IP - 172.20.254.250
PF Registration IP - 172.20.252.250
PF Isolation IP - 172.20.251.250
Added the Meraki MR52 I am testing with as a switch on Policies and Access 
Control
These are the settings I am using for the AP on PF
Definition:
Use CoA turned on
External Portal Enforcement turned on
Roles:
Role mapping by VLAN ID
Registration: 252
Isolation: 251
Role mapping by Web Auth URL
Registration: http://172.20.252.250/Meraki::MR_v2

On the client I join the wireless network.
I get an IP from PacketFence dhcp
Client Details:
IP: 172.20.252.12
DNS: 172.20.252.250
Gateway: 172.20.252.250
Web browser opens once I receive the IP from DHCP and tries to load 
http://172.20.252.250/Meraki::MR_v2 but it looks like it gets caught in a 
redirect loop. Web page says ERR_TOO_MANY_REDIRECTS and I wind up with the 
following in the address bar of the page that tried to load: 
http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://www.msftconnecttest.com/redirect

Any ideas what I am missing? 
Thanks,
Mike



[PacketFence-users] Captive Portal Redirect Not Working

2020-06-04 Thread Michael Brown via PacketFence-users
 Hey Guys,

I am trying to get 802.1x with captive portal working for a byod wireless 
network using MR42 and MR52 Meraki access points.
PacketFence Version: ZEN 10.0.1
PF Management IP - 172.20.254.250
PF Registration IP - 172.20.252.250
PF Isolation IP - 172.20.251.250
Added the Meraki MR52 I am testing with as a switch on Policies and Access 
Control
These are the settings I am using for the AP on PF
Definition:
Use CoA turned on
External Portal Enforcement turned on
Roles:
Role mapping by VLAN ID
Registration: 252
Isolation: 251
Role mapping by Web Auth URL
Registration: http://172.20.252.250/Meraki::MR_v2

On the client I join the wireless network.
I get an IP from PacketFence dhcp
Client Details:
IP: 172.20.252.12
DNS: 172.20.252.250
Gateway: 172.20.252.250
Web browser opens once I receive the IP from DHCP and tries to load 
http://172.20.252.250/Meraki::MR_v2 but it looks like it gets caught in a 
redirect loop. Web page says ERR_TOO_MANY_REDIRECTS and I wind up with the 
following in the address bar of the page that tried to load: 
http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://www.msftconnecttest.com/redirect

Any ideas what I am missing? 
Thanks,
Mike