[PacketFence-users] TTLS Issues

2021-05-12 Thread Nathan, Josh via PacketFence-users
Hello,

So, in my continuing saga of getting a new setup going for how we use
PacketFence, I am trying to get EAP-TTLS working.  Yesterday, I had it
working for a little while.  Then I started adding some more settings to
get things ready for production, did some "clean up", and discovered it no
longer worked.  I've tried to get it working again, but I'm hitting a wall
that I don't understand.  The TTLS authentication seemed to like using LDAP
as its backend rather than a straight RADIUS proxy, but I'm getting a
strange error.

In the RADIUS debug, I'm getting:

(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP: EXPAND (&(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})))
(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP:--> (&(|(sAMAccountName=josh.nathan)))
(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP: Performing search in "ou=Users,o=5ab0e00f9778114e1c04036d,dc=jumpcloud,dc=com" with filter "(&(|(sAMAccountName=josh.nathan)))", scope "sub"
(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP: Waiting for search result...
(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP: Search returned no results
(21) Wed May 12 13:58:58 2021: Debug: [JumpCloud-LDAP] = notfound


However, running "pftest authentication josh.nathan [password]
JumpCloud-LDAP" gives me:

Testing authentication for "josh.nathan"

Authenticating against 'JumpCloud-LDAP' in context 'admin'
  Authentication SUCCEEDED against JumpCloud-LDAP (Authentication
successful.)
  Matched against JumpCloud-LDAP for 'authentication' rule IsStaffDevice
set_role : staff
set_access_duration : 2W
  Did not match against JumpCloud-LDAP for 'administration' rules

Authenticating against 'JumpCloud-LDAP' in context 'portal'
  Authentication SUCCEEDED against JumpCloud-LDAP (Authentication
successful.)
  Matched against JumpCloud-LDAP for 'authentication' rule IsStaffDevice
set_role : staff
set_access_duration : 2W
  Did not match against JumpCloud-LDAP for 'administration' rules


So the username is clearly valid, and can be found via the LDAP
authentication source.  Why would the RADIUS debug log get "not found"???

Doing a grep on the packetfence.log file doesn't return anything.

Thanks for any help/pointers!

Joshua Nathan
*IT Supervisor*
Black Forest Academy

p: +49 (0) 7626 9161 631 m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
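The question above turns on one comparison: is the filter the ldap module actually sends what you think it is, and is it being searched where the user lives? The following is an added example, not PacketFence or FreeRADIUS code. It rebuilds the filter from the template shown in the raddebug EXPAND line (implementing the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback and RFC 4515 value escaping), parses the JumpCloud-LDAP debug lines from the post (re-joining the mail-client line wraps), and reports whether the "notfound" can be blamed on the expansion or on the search itself. The request attributes passed to it are constructed; the base DN and filter are those in the post.

```python
import re

# Filter template and base DN exactly as the raddebug EXPAND / search lines
# in the post show them.
FILTER_TEMPLATE = "(&(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})))"
XLAT = "%{%{Stripped-User-Name}:-%{User-Name}}"
BASE_DN = "ou=Users,o=5ab0e00f9778114e1c04036d,dc=jumpcloud,dc=com"

# Raddebug lines copied from the post, still wrapped the way the mail client left them.
DEBUG_LINES = [
    "(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP: EXPAND",
    "(&(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})))",
    "(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP:-->",
    "(&(|(sAMAccountName=josh.nathan)))",
    "(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP: Performing search in",
    '"ou=Users,o=5ab0e00f9778114e1c04036d,dc=jumpcloud,dc=com" with filter',
    '"(&(|(sAMAccountName=josh.nathan)))", scope "sub"',
    "(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP: Waiting for search",
    "result...",
    "(21) Wed May 12 13:58:58 2021: Debug: JumpCloud-LDAP: Search returned no",
    "results",
    "(21) Wed May 12 13:58:58 2021: Debug: [JumpCloud-LDAP] = notfound",
]


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: backslash, *, ( ) and NUL
    become \\XX hex escapes, so a User-Name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def xlat_username(request):
    """Semantics of %{%{Stripped-User-Name}:-%{User-Name}}: the stripped name
    when it exists and is non-empty, otherwise the raw User-Name."""
    stripped = request.get("Stripped-User-Name")
    return stripped if stripped else request.get("User-Name", "")


def build_filter(request):
    """The filter the ldap module will send for this request's attributes."""
    return FILTER_TEMPLATE.replace(XLAT, escape_filter_value(xlat_username(request)))


SEARCH_RE = re.compile(
    r'Performing search in "(?P<base>[^"]+)" with filter "(?P<filter>[^"]+)", scope "(?P<scope>\w+)"')
RCODE_RE = re.compile(r"\[(?P<module>[\w-]+)\] = (?P<rcode>\w+)")


def join_wrapped(lines):
    """Re-attach continuation lines (those not starting with '(<n>)') to the
    raddebug line before them."""
    joined = []
    for line in lines:
        if re.match(r"\(\d+\)", line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined


def parse_ldap_debug(lines):
    """Extract base DN, filter, scope, hit count and module return code."""
    info = {"base": None, "filter": None, "scope": None, "hits": None, "rcode": None}
    for line in join_wrapped(lines):
        m = SEARCH_RE.search(line)
        if m:
            info.update(m.groupdict())
        if "Search returned no results" in line:
            info["hits"] = 0
        m = RCODE_RE.search(line)
        if m:
            info["rcode"] = m.group("rcode")
    return info


def diagnose(lines, request):
    """Compare the logged filter with the one rebuilt from the request. If they
    match, the xlat is not the problem; what remains is the search itself
    (base DN, scope, attribute name, and what the bind account may read)."""
    info = parse_ldap_debug(lines)
    expected = build_filter(request)
    if info["rcode"] != "notfound":
        return "rcode=%s: no lookup failure to explain" % info["rcode"]
    if info["filter"] != expected:
        return "filter mismatch: logged %s, expected %s" % (info["filter"], expected)
    return ("filter expansion correct; repeat the same search directly, e.g. "
            "ldapsearch -s %s -b '%s' '%s', bound as the DN the source uses"
            % (info["scope"], info["base"], info["filter"]))


if __name__ == "__main__":
    print(diagnose(DEBUG_LINES, {"User-Name": "josh.nathan"}))
```

Run against the post's lines with `{"User-Name": "josh.nathan"}`, the rebuilt filter equals the logged one, so the username expansion is fine and the next thing to verify is the search as the module performs it (same base, scope, attribute and bind identity) rather than whatever pftest does with the same source.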


Re: [PacketFence-users] Post-Auth for RADIUS

2021-05-06 Thread Nathan, Josh via PacketFence-users
Is there any way to get PacketFence to do any other debug logs?  Without
anything showing in either packetfence.log or the audit logs via the
console, I feel like I'm up a creek without a paddle.  What are my options?

With my 9.0 install, everything works fine except for Pixel devices (and I
don't want to mess with my production server too much to try and modify it).

Now with 10.2, my Pixel device connects, but I don't get any real logging
or VLAN assignments (the whole reason I want to use PF).


Re: [PacketFence-users] Post-Auth for RADIUS

2021-04-30 Thread Nathan, Josh via PacketFence-users
I don't know if it helps, but I'm doing PEAP authentication with MSCHAPv2.
I tried using the Provisioner, but that doesn't work from my Pixel 3a.  So
I'm just manually putting in the connection information.  I do have a legit
certificate.  And of course, the phone is authenticating... it's just that
the post-auth (post-proxy?) isn't assigning the VLAN.

I did have this working in PF 9.0, except that now my Pixel 3a phone won't
connect to that, even when it has a legit certificate.


Re: [PacketFence-users] Post-Auth for RADIUS

2021-04-26 Thread Nathan, Josh via PacketFence-users
Hello Ludovic,

OK, I made those changes, then did a "pfcmd service pf restart".

No dice.  Exact same results.  Here's the end of the raddebug again in case
that helps.  Still nothing in packetfence.log.

(17) Mon Apr 26 15:46:04 2021: Debug: Received Access-Request Id 93 from
172.20.50.76:43555 to 172.20.104.31:1812 length 277
(17) Mon Apr 26 15:46:04 2021: Debug:   User-Name = "josh.nathan"
(17) Mon Apr 26 15:46:04 2021: Debug:   NAS-Identifier = "66d9e7f8b8a4"
(17) Mon Apr 26 15:46:04 2021: Debug:   Called-Station-Id =
"66-D9-E7-F8-B8-A4:BFA-EAP-Test"
(17) Mon Apr 26 15:46:04 2021: Debug:   NAS-Port-Type = Wireless-802.11
(17) Mon Apr 26 15:46:04 2021: Debug:   Service-Type = Framed-User
(17) Mon Apr 26 15:46:04 2021: Debug:   Calling-Station-Id =
"58-CB-52-37-5D-AB"
(17) Mon Apr 26 15:46:04 2021: Debug:   Connect-Info = "CONNECT 0Mbps
802.11b"
(17) Mon Apr 26 15:46:04 2021: Debug:   Acct-Session-Id = "52DAD7D4BB763411"
(17) Mon Apr 26 15:46:04 2021: Debug:   Acct-Multi-Session-Id =
"DBEED5366DD430AE"
(17) Mon Apr 26 15:46:04 2021: Debug:   WLAN-Pairwise-Cipher = 1027076
(17) Mon Apr 26 15:46:04 2021: Debug:   WLAN-Group-Cipher = 1027076
(17) Mon Apr 26 15:46:04 2021: Debug:   WLAN-AKM-Suite = 1027073
(17) Mon Apr 26 15:46:04 2021: Debug:   Framed-MTU = 1400
(17) Mon Apr 26 15:46:04 2021: Debug:   EAP-Message =
0x02e4002e1900170303002300057749b9bde9be1ec64f7c9567e2867e5dc1d76f261821842d90f500
(17) Mon Apr 26 15:46:04 2021: Debug:   State =
0xacaf705da54b69970120abcaacda4228
(17) Mon Apr 26 15:46:04 2021: Debug:   Message-Authenticator =
0x0bed628cf8ff12e2250c3de6e9c1cc45
(17) Mon Apr 26 15:46:04 2021: Debug: Restoring 
(17) Mon Apr 26 15:46:04 2021: Debug:
:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(17) Mon Apr 26 15:46:04 2021: Debug:   :TLS-Session-Version
= "TLS 1.2"
(17) Mon Apr 26 15:46:04 2021: Debug: # Executing section authorize from
file /usr/local/pf/raddb/sites-enabled/packetfence
(17) Mon Apr 26 15:46:04 2021: Debug:   authorize {
(17) Mon Apr 26 15:46:04 2021: Debug: policy packetfence-nas-ip-address
{
(17) Mon Apr 26 15:46:04 2021: Debug:   if (!NAS-IP-Address ||
NAS-IP-Address == "0.0.0.0"){
(17) Mon Apr 26 15:46:04 2021: Debug:   if (!NAS-IP-Address ||
NAS-IP-Address == "0.0.0.0") -> TRUE
(17) Mon Apr 26 15:46:04 2021: Debug:   if (!NAS-IP-Address ||
NAS-IP-Address == "0.0.0.0") {
(17) Mon Apr 26 15:46:04 2021: Debug: update request {
(17) Mon Apr 26 15:46:04 2021: Debug:   EXPAND
%{Packet-Src-IP-Address}
(17) Mon Apr 26 15:46:04 2021: Debug:  --> 172.20.50.76
(17) Mon Apr 26 15:46:04 2021: Debug: } # update request = noop
(17) Mon Apr 26 15:46:04 2021: Debug:   } # if (!NAS-IP-Address ||
NAS-IP-Address == "0.0.0.0") = noop
(17) Mon Apr 26 15:46:04 2021: Debug: } # policy
packetfence-nas-ip-address = noop
(17) Mon Apr 26 15:46:04 2021: Debug: update {
(17) Mon Apr 26 15:46:04 2021: Debug:   EXPAND %{Packet-Src-IP-Address}
(17) Mon Apr 26 15:46:04 2021: Debug:  --> 172.20.50.76
(17) Mon Apr 26 15:46:04 2021: Debug:   EXPAND %{Packet-Dst-IP-Address}
(17) Mon Apr 26 15:46:04 2021: Debug:  --> 172.20.104.31
(17) Mon Apr 26 15:46:04 2021: Debug:   EXPAND %l
(17) Mon Apr 26 15:46:04 2021: Debug:  --> 1619444764
(17) Mon Apr 26 15:46:04 2021: Debug: } # update = noop
(17) Mon Apr 26 15:46:04 2021: Debug: policy
packetfence-set-realm-if-machine {
(17) Mon Apr 26 15:46:04 2021: Debug:   if (User-Name =~
/host\/([a-z0-9_-]*)[\.](.*)/i) {
(17) Mon Apr 26 15:46:04 2021: Debug:   if (User-Name =~
/host\/([a-z0-9_-]*)[\.](.*)/i)  -> FALSE
(17) Mon Apr 26 15:46:04 2021: Debug: } # policy
packetfence-set-realm-if-machine = noop
(17) Mon Apr 26 15:46:04 2021: Debug: policy
packetfence-balanced-key-policy {
(17) Mon Apr 26 15:46:04 2021: Debug:   if ( &&
( =~ /^(.*)(.)$/i)) {
(17) Mon Apr 26 15:46:04 2021: Debug:   if ( &&
( =~ /^(.*)(.)$/i))  -> FALSE
(17) Mon Apr 26 15:46:04 2021: Debug:   else {
(17) Mon Apr 26 15:46:04 2021: Debug: update {
(17) Mon Apr 26 15:46:04 2021: Debug:   EXPAND
%{md5:%{Calling-Station-Id}%{User-Name}}
(17) Mon Apr 26 15:46:04 2021: Debug:  -->
50bc5046614b032967fc88f562a08c92
(17) Mon Apr 26 15:46:04 2021: Debug:   EXPAND
%{md5:%{Calling-Station-Id}%{User-Name}}
(17) Mon Apr 26 15:46:04 2021: Debug:  -->
50bc5046614b032967fc88f562a08c92
(17) Mon Apr 26 15:46:04 2021: Debug: } # update = noop
(17) Mon Apr 26 15:46:04 2021: Debug:   } # else = noop
(17) Mon Apr 26 15:46:04 2021: Debug: } # policy
packetfence-balanced-key-policy = noop
(17) Mon Apr 26 15:46:04 2021: Debug: policy packetfence-set-tenant-id {
(17) Mon Apr 26 15:46:04 2021: Debug:   if (!NAS-IP-Address ||
NAS-IP-Address == "0.0.0.0"){
(17) Mon Apr 26 15:46:04 2021: Debug:   if (!NAS-IP-Address ||
NAS-IP-Address == "0.0.0.0") -> FALSE
(17) Mon Apr 26 15:46:04 2021: Debug:   

Re: [PacketFence-users] Post-Auth for RADIUS

2021-04-22 Thread Nathan, Josh via PacketFence-users
I did.  That last email is seriously all that's there.

[root@gatekeeper ~]# grep 58:cb:52:37:5d:ab
/usr/local/pf/logs/packetfence.log
Apr 16 09:13:51 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request
(pf::api::handle_accounting_metadata)


That second entry from *Apr 15 15:40:15* to *Apr 15 15:41:04* is completely
unfiltered.  Absolutely everything logged between those times is there, and
in that time frame I got a fairly sizable radius debug log (the end of
which I included in my first email).

I'm gathering from your email, though, that somehow my installation is
broken?





On Thu, Apr 22, 2021 at 3:17 PM Zammit, Ludovic  wrote:

> Hello Nathan,
>
> Show me the output of:
>
> grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>

Re: [PacketFence-users] Post-Auth for RADIUS

2021-04-22 Thread Nathan, Josh via PacketFence-users
Any further insights regarding what I could try or where I should look?
I've not had any luck this week at figuring anything out, either. :-/


Re: [PacketFence-users] Post-Auth for RADIUS

2021-04-16 Thread Nathan, Josh via PacketFence-users
Hello Ludovic,

OK, here's from this morning:

[root@gatekeeper ~]# grep 58:cb:52:37:5d:ab
/usr/local/pf/logs/packetfence.log
Apr 16 09:13:51 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request
(pf::api::handle_accounting_metadata)


And here's from yesterday during that 15:40 timeframe if that helps:

Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2161) INFO: Using 300
resolution threshold (pf::pfcron::task::cluster_check::run)
Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2161) INFO: All cluster
members are running the same configuration version
(pf::pfcron::task::cluster_check::run)
Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2162) INFO: getting
security_events triggers for accounting cleanup
(pf::accounting::acct_maintenance)
Apr 15 15:40:42 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm.
Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO:
[mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request
(pf::api::handle_accounting_metadata)
Apr 15 15:41:04 gatekeeper pfqueue: pfqueue(17589) WARN:
[mac:00:25:90:87:e9:50] Unable to pull accounting history for device
00:25:90:87:e9:50. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)






On Thu, Apr 15, 2021 at 3:52 PM Ludovic Zammit  wrote:

> Hello Nathan,
>
> Show me the output of:
>
> grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>
> Thanks,
>
>
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
>
>

[PacketFence-users] Post-Auth for RADIUS

2021-04-15 Thread Nathan, Josh via PacketFence-users
Hello,

So, I'm trying to configure a 10.2 Zen version of PF. Our user
authentication happens via RADIUS.  So I configured our RADIUS server under
the "Internal Sources" section, and everything is now "mostly" working.  My
devices authenticate, but the Authentication Rules don't seem to be taking
effect.

When I try using the debug command for RADIUS (raddebug -f
/usr/local/pf/var/run/radiusd.sock -t 3600), here's what I get.  There must
be a setting I'm missing somewhere.  The packetfence.log file is
effectively silent on the issue.

(327) Thu Apr 15 15:40:43 2021: Debug: rest: Processing response header
(327) Thu Apr 15 15:40:43 2021: Debug: rest:   Status : 200 (OK)
(327) Thu Apr 15 15:40:43 2021: Debug: rest:   Type   : json (application/json)
(327) Thu Apr 15 15:40:43 2021: Debug: rest: Parsing attribute "control:PacketFence-Authorization-Status"
(327) Thu Apr 15 15:40:43 2021: Debug: rest: EXPAND allow
(327) Thu Apr 15 15:40:43 2021: Debug: rest:--> allow
(327) Thu Apr 15 15:40:43 2021: Debug: rest: PacketFence-Authorization-Status := "allow"
(327) Thu Apr 15 15:40:43 2021: Debug: [rest] = updated
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Peer sent EAP Response (code 2) ID 56 length 46
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Continuing tunnel setup
(327) Thu Apr 15 15:40:43 2021: Debug: [eap] = ok
(327) Thu Apr 15 15:40:43 2021: Debug:   } # authorize = ok
(327) Thu Apr 15 15:40:43 2021: Debug: Found Auth-Type = eap
(327) Thu Apr 15 15:40:43 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(327) Thu Apr 15 15:40:43 2021: Debug:   authenticate {
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Expiring EAP session with state 0xce6b3ab6c75323c5
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Finished EAP session with state 0xce6b3ab6c75323c5
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Previous EAP request found for state 0xce6b3ab6c75323c5, released from the list
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Peer sent packet with method EAP PEAP (25)
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Calling submodule eap_peap to process data
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Continuing EAP-TLS
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: [eaptls verify] = ok
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Done initial handshake
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: [eaptls process] = ok
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Session established. Decoding tunneled attributes
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: PEAP state send tlv success
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Received EAP-TLV response
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Success
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Using saved attributes from the original Access-Accept
(327) Thu Apr 15 15:40:43 2021: Debug: eap_peap:   User-Name = "josh.nathan"
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Sending EAP Success (code 3) ID 56 length 4
(327) Thu Apr 15 15:40:43 2021: Debug: eap: Freeing handler
(327) Thu Apr 15 15:40:43 2021: Debug: [eap] = ok
(327) Thu Apr 15 15:40:43 2021: Debug:   } # authenticate = ok
(327) Thu Apr 15 15:40:43 2021: Debug: # Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence
(327) Thu Apr 15 15:40:43 2021: Debug:   post-auth {
(327) Thu Apr 15 15:40:43 2021: Debug: update {
(327) Thu Apr 15 15:40:43 2021: Debug:   EXPAND %{Packet-Src-IP-Address}
(327) Thu Apr 15 15:40:43 2021: Debug:  --> 172.20.50.76
(327) Thu Apr 15 15:40:43 2021: Debug:   EXPAND %{Packet-Dst-IP-Address}
(327) Thu Apr 15 15:40:43 2021: Debug:  --> 172.20.104.31
(327) Thu Apr 15 15:40:43 2021: Debug: } # update = noop
(327) Thu Apr 15 15:40:43 2021: Debug: policy packetfence-set-tenant-id {
(327) Thu Apr 15 15:40:43 2021: Debug:   if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(327) Thu Apr 15 15:40:43 2021: Debug:   if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(327) Thu Apr 15 15:40:43 2021: Debug:   if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(327) Thu Apr 15 15:40:43 2021: Debug:   EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(327) Thu Apr 15 15:40:43 2021: Debug:  --> 1
(327) Thu Apr 15 15:40:43 2021: Debug:   if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  -> FALSE
(327) Thu Apr 15 15:40:43 2021: Debug:   if ( :PacketFence-Tenant-Id == 0 ) {
(327) Thu Apr 15 15:40:43 2021: Debug:   if ( :PacketFence-Tenant-Id == 0 )  -> FALSE
(327) Thu Apr 15 15:40:43 2021: Debug: } # policy packetfence-set-tenant-id = noop
(327) Thu Apr 15 15:40:43 2021: Debug: if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{%{control:PacketFence-Proxied-From}:-False}
(327) Thu Apr 15 15:40:43 2021: Debug:--> False
(327) Thu Apr 15 15:40:43 2021: Debug: if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True")  -> 

Re: [PacketFence-users] EAP-TLS Auth Failure

2021-03-24 Thread Nathan, Josh via PacketFence-users
Ah, ok.

Thank you!





On Wed, Mar 24, 2021 at 2:34 PM Ludovic Zammit  wrote:

> Unfortunately, if you are using an Android phone with version 11 patched
> after December 9, 2020, you will need to have a publicly trusted cert
> installed on the RADIUS on PF.
>
> Android needs to trust the Root CA that provided the cert on the RADIUS
> side.
>
> Either you provision the Root CA on the Android phone and create a
> profile that would trust the chain of certs, or you install a cert from an
> already trusted Root CA like GoDaddy and deal with your Windows laptop by
> pushing the GoDaddy CA into the trusted Root CA store.
>
> Thanks,
>
>
> On Mar 24, 2021, at 9:17 AM, Nathan, Josh wrote:
>
> Thank you!  I decided to go the route of issuing the certificate for the
> RADIUS service.  That seemed to work for the Windows laptop, but it didn't
> work for my Pixel 3a phone.  The Android app always throws an error when
> trying to set up the WiFi, so I tried doing it manually.  I downloaded the
> CA certificate I created within PacketFence (as used for generating the
> user and RADIUS certificates), and installed that.  And then I also
> installed the RADIUS certificate.  Neither works.  Any guidance on what it
> means by "internal error"?  Somehow it looks like it's accepting the
> certificates (not throwing "unknown CA" at least).
>
> (513) Wed Mar 24 13:41:25 2021: Debug: eap_tls: Continuing EAP-TLS
> (513) Wed Mar 24 13:41:25 2021: Debug: eap_tls: [eaptls verify] = ok
> (513) Wed Mar 24 13:41:25 2021: Debug: eap_tls: Done initial handshake
> (513) Wed Mar 24 13:41:25 2021: ERROR: eap_tls: TLS Alert read:fatal:internal error
> (513) Wed Mar 24 13:41:25 2021: ERROR: eap_tls: TLS_accept: Failed in error
> (513) Wed Mar 24 13:41:25 2021: ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read)
> (513) Wed Mar 24 13:41:25 2021: ERROR: eap_tls: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
> (513) Wed Mar 24 13:41:25 2021: ERROR: eap_tls: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
> (513) Wed Mar 24 13:41:25 2021: ERROR: eap_tls: System call (I/O) error (-1)
> (513) Wed Mar 24 13:41:25 2021: ERROR: eap_tls: TLS receive handshake failed during operation
> (513) Wed Mar 24 13:41:25 2021: ERROR: eap_tls: [eaptls process] = fail
> (513) Wed Mar 24 13:41:25 2021: ERROR: Test2: Failed continuing EAP TLS (13) session.  EAP sub-module failed
> (513) Wed Mar 24 13:41:25 2021: Debug: Test2: Sending EAP Failure (code 4) ID 50 length 4
> (513) Wed Mar 24 13:41:25 2021: Debug: Test2: Failed in EAP select
> (513) Wed Mar 24 13:41:25 2021: Debug: [Test2] = invalid
> (513) Wed Mar 24 13:41:25 2021: Debug:   } # Auth-Type Test2 = invalid
> (513) Wed Mar 24 13:41:25 2021: Debug: Failed to authenticate the user
> (513) Wed Mar 24 13:41:25 2021: Debug: Using Post-Auth-Type Reject
> (513) Wed Mar 24 13:41:25 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
>
>
> But hey, the Windows laptop works now!  So that was great!
> Thank you!
>
>
>
>
>
> On Tue, Mar 23, 2021 at 6:23 PM Ludovic Zammit  wrote:
>
>> Hello,
>>
>> Your error "TLS Alert write:fatal:unknown CA" means that Windows does
>> not trust the certificate that is installed on PF for RADIUS.
>>
>> Either make sure to ignore the certificate server identity on Windows
>> for that connection, or issue a certificate for RADIUS from the PKI that
>> you are using.
>>
>> 
>>
>> Uncheck the first one at the top.
>>
>> Thanks,
>>
>>
>> On Mar 23, 2021, at 10:24 AM, Nathan, Josh via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello,
>>
>> Well, I'm not sure what I missed, but after following the installation
>> guid

[PacketFence-users] EAP-TLS Auth Failure

2021-03-23 Thread Nathan, Josh via PacketFence-users
Hello,

Well, I'm not sure what I missed, but after following the installation
guide for using the built-in PKI provider, I have been unable to get TLS
working.

I'm trying to prep a new virtual server for replacing our existing one.  I
have the ZEN version with PF 10.2.0.  The error I'm running into is that
the server is rejecting the certificate during authentication.  The client
device is Windows 10.  I used the registration page and the built-in
Windows provisioner.  The server accepted my credentials on the
registration page, and I did a copy and paste of the password it provided
for the certificate it generated.  After generating the certificate, the
server pushed the configurator, which is what I used for installing the
certificate and configuring the wireless connection.  So I don't know where
I could have gone wrong in regard to this.  The only thing I can think of
would be maybe I was supposed to do something different after generating
the CA certificate.

I copied the certificate, went to "System Configuration" in the left-hand
panel.  Then at the bottom of that panel, clicked on "SSL Certificates".
Then selected the "Radius" tab, and clicked edit.  From within there, I was
presented with 3 large text fields, the middle one being "Certification
Authority certificate(s)".  I selected everything within that middle box,
and replaced it with the CA certificate I had copied from what I had
generated.  Was that not right?  Regardless, here's an excerpt from the logs
showing the RADIUS authentication error.

(69834) Tue Mar 23 14:52:42 2021: Debug: Found Auth-Type = Test2
(69834) Tue Mar 23 14:52:42 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(69834) Tue Mar 23 14:52:42 2021: Debug:   Auth-Type Test2 {
(69834) Tue Mar 23 14:52:42 2021: Debug: Test2: Expiring EAP session with state 0x6076e6ab646debf0
(69834) Tue Mar 23 14:52:42 2021: Debug: Test2: Finished EAP session with state 0x6076e6ab646debf0
(69834) Tue Mar 23 14:52:42 2021: Debug: Test2: Previous EAP request found for state 0x6076e6ab646debf0, released from the list
(69834) Tue Mar 23 14:52:42 2021: Debug: Test2: Peer sent packet with method EAP TLS (13)
(69834) Tue Mar 23 14:52:42 2021: Debug: Test2: Calling submodule eap_tls to process data
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls: Continuing EAP-TLS
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls: Got final TLS record fragment (257 bytes)
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls: [eaptls verify] = ok
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls: Done initial handshake
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls: TLS - Creating attributes from certificate OIDs
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls:   TLS-Client-Cert-Serial := "06"
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls:   TLS-Client-Cert-Expiration := "220323134604Z"
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls:   TLS-Client-Cert-Valid-Since := "210323134604Z"
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls:   TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Kandern/street=Hammersteiner Str. 50/postalCode=79400/O=Black Forest Academy/CN=josh.nathan"
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls:   TLS-Client-Cert-Issuer := "/C=DE/ST=BW/L=Kandern/street=Hammersteiner Str. 50/postalCode=79400/O=Black Forest Academy/CN=BFA_Root_CA"
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls:   TLS-Client-Cert-Common-Name := "josh.nathan"
(69834) Tue Mar 23 14:52:42 2021: Debug: eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Email := "josh.nat...@bfacademy.de"
(69834) Tue Mar 23 14:52:42 2021: ERROR: eap_tls:   SSL says error 20 : unable to get local issuer certificate
(69834) Tue Mar 23 14:52:42 2021: ERROR: eap_tls: TLS Alert write:fatal:unknown CA
(69834) Tue Mar 23 14:52:42 2021: ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
(69834) Tue Mar 23 14:52:42 2021: ERROR: eap_tls: System call (I/O) error (-1)
(69834) Tue Mar 23 14:52:42 2021: ERROR: eap_tls: TLS receive handshake failed during operation
(69834) Tue Mar 23 14:52:42 2021: ERROR: eap_tls: [eaptls process] = fail
(69834) Tue Mar 23 14:52:42 2021: ERROR: Test2: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(69834) Tue Mar 23 14:52:42 2021: Debug: Test2: Sending EAP Failure (code 4) ID 27 length 4
(69834) Tue Mar 23 14:52:42 2021: Debug: Test2: Failed in EAP select
(69834) Tue Mar 23 14:52:42 2021: Debug: [Test2] = invalid
(69834) Tue Mar 23 14:52:42 2021: Debug:   } # Auth-Type Test2 = invalid
(69834) Tue Mar 23 14:52:42 2021: Debug: Failed to authenticate the user
(69834) Tue Mar 23 14:52:42 2021: Debug: Using Post-Auth-Type Reject


Thank you for any help/guidance you can provide!

___
PacketFence-users mailing 
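The "SSL says error 20 : unable to get local issuer certificate" line in the log above is OpenSSL reporting that the CA bundle configured for RADIUS does not contain the issuer of the client certificate it was shown. As an added example that is not part of this thread, the following script builds two throwaway CAs with openssl, issues a client certificate from one of them, and verifies it against each, reproducing error 20 for the mismatched CA; the CA and client names are constructed and it assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not part of the thread): reproduce OpenSSL verify error 20
# ("unable to get local issuer certificate") from the eap_tls log with two
# throwaway CAs. CA/client names are constructed; needs openssl >= 1.1.1.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CA gets CA:TRUE regardless of the system
# openssl.cnf; the empty [dn] section is filled from -subj.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed CA key/cert in $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
    openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes \
        -sha256 -days 1 -subj "/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_client CA CN: end-entity cert $WORK/CN.pem signed by $WORK/CA.pem
issue_client() {
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -sha256 -subj "/O=Example/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -sha256 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_client CA CN: the chain check FreeRADIUS performs on the client
# certificate against the CA bundle configured for RADIUS; exit 0 = trusted
verify_client() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_error_code CA CN: numeric X509 verify error (20 = unable to get
# local issuer certificate), empty when the chain verifies
verify_error_code() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1 \
        | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup:.*/\1/p' \
        | head -n 1
}

# Demo: the client cert issued by Lab_Root_CA is accepted only when that CA,
# and not some other CA, is the one pasted into the RADIUS CA field.
make_ca Lab_Root_CA
make_ca Other_Root_CA
issue_client Lab_Root_CA josh.example
if verify_client Lab_Root_CA josh.example; then
    echo "issuing CA configured: client certificate accepted"
fi
if ! verify_client Other_Root_CA josh.example; then
    echo "unrelated CA configured: verify error $(verify_error_code Other_Root_CA josh.example)"
fi
```

Running `openssl verify -CAfile <the CA pasted into the RADIUS tab> <client cert>` against a real client certificate is the same check, and error 20 there means the pasted CA is not the one that issued the client certificates.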

Re: [PacketFence-users] Configurator Issues

2021-01-28 Thread Nathan, Josh via PacketFence-users
Well, I decided to just load the ZEN version, and that seems to be working
for me.  So I'll move forward with that.





On Tue, Jan 26, 2021 at 9:12 AM Nathan, Josh wrote:

> Hello,
>
> I'm trying to do a fresh install of PacketFence 10.2 on CentOS 7 within a
> virtual machine.  I installed and updated CentOS 7.  I did install it with
> the Gnome Desktop since I do prefer to have a graphical interface. I
> disabled the firewall, disabled SELinux, and even disabled NetworkManager.
> Got the network interfaces how I wanted them, and then started running the
> PacketFence install.  However, after running the yum command to install
> PacketFence, Gnome crashed and now doesn't work.  I tried getting that
> working unsuccessfully for a bit, but now I've realized that at least after
> the subsequent reboots, the PF Configurator doesn't seem to be running (I
> can't say for sure it ever did since I hadn't tried until after my failed
> attempts at recovering Gnome).  I tried using pfcmd to start the "pf"
> service in hopes that it would bring up the configurator since nothing's
> been configured yet, but that didn't work.
>
> Is there an easy command to start the configurator, or what log file(s)
> should I be looking at?
>
> Thanks for any guidance!
>


[PacketFence-users] Configurator Issues

2021-01-26 Thread Nathan, Josh via PacketFence-users
Hello,

I'm trying to do a fresh install of PacketFence 10.2 on CentOS 7 within a
virtual machine.  I installed and updated CentOS 7.  I did install it with
the Gnome Desktop since I do prefer to have a graphical interface. I
disabled the firewall, disabled SELinux, and even disabled NetworkManager.
Got the network interfaces how I wanted them, and then started running the
PacketFence install.  However, after running the yum command to install
PacketFence, Gnome crashed and now doesn't work.  I tried getting that
working unsuccessfully for a bit, but now I've realized that at least after
the subsequent reboots, the PF Configurator doesn't seem to be running (I
can't say for sure it ever did since I hadn't tried until after my failed
attempts at recovering Gnome).  I tried using pfcmd to start the "pf"
service in hopes that it would bring up the configurator since nothing's
been configured yet, but that didn't work.

Is there an easy command to start the configurator, or what log file(s)
should I be looking at?

Thanks for any guidance!



Re: [PacketFence-users] Log Expiration

2019-09-27 Thread Nathan, Josh via PacketFence-users
Thanks!  I didn't expect it to be in /etc.





On Fri, Sep 27, 2019 at 1:16 PM Nicolas Quiniou-Briand via PacketFence-users wrote:

> Hi,
>
> On 27/09/2019 11:40, Nathan, Josh via PacketFence-users wrote:
> > I tried to find it in log.conf and pf.conf, and I don't seem to have a
> > packetfence.logrotate file anywhere...
>
> Take a look at /etc/logrotate.d/packetfence
>
> --
> Nicolas Quiniou-Briand
> n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
> (https://packetfence.org) and Fingerbank (http://fingerbank.org)
>
>


[PacketFence-users] Log Expiration

2019-09-27 Thread Nathan, Josh via PacketFence-users
Hello,

So, I am having trouble finding where I can set the expiration time for the
various log files.  It used to be in the configuration pages of the admin
console, but it doesn't seem to be there anymore.  Just to make sure that
I'm not hanging onto any user data any longer than necessary, I'd like to
set log files to be cleaned up sooner.

I tried to find it in log.conf and pf.conf, and I don't seem to have a
packetfence.logrotate file anywhere...

I'm running PacketFence-ZEN 9.0.1

Thanks,



Re: [PacketFence-users] PF UniFi OOB, not using UniFi-controller?

2018-11-30 Thread Nathan, Josh via PacketFence-users
We actually did do something like this, but I'm going to be honest, we
haven't really tested it in a long time (firmware updates might have broken
it), and the problem is that the only way we found to make it work was to
attempt the command on every antenna.  We just programmed the script to
ignore any errors, and just keep trying through the different antennas.
Not elegant at all.  But we're also running an old version of PacketFence.
We're hoping to finally do the upgrade, and hoping to actually switch to the
new method which doesn't involve trying to brute force a given device
off... The script we have was developed when Ubiquiti had their
Radius-assigned VLAN functionality still in Beta.  So... yes, old.

But, if you want to give it a try, here's the old, slapped together,
"Switch" file that we have.

package pf::Switch::UBNTUAP;

=head1 NAME

pf::Switch::UBNTUAP

=head1 SYNOPSIS

The pf::Switch::UBNTUAP module manages access to hostapd

=head1 STATUS

Should work on the ubnt uap version started 4.9.2

=cut

use strict;
use warnings;

use POSIX;
use Try::Tiny;
use Net::SSH::Perl;

use base ('pf::Switch');

use pf::constants;
use pf::config qw(
    $MAC
    $SSID
);

sub description { 'Ubiquiti AP' }

# importing switch constants
use pf::Switch::constants;
use pf::util;
use pf::util::radius qw(perform_disconnect);

=head1 SUBROUTINES

=over

=cut

# CAPABILITIES
# access technology supported
sub supportsWirelessDot1x { return $TRUE; }
sub supportsWirelessMacAuth { return $TRUE; }
# inline capabilities
sub inlineCapabilities { return ($MAC, $SSID); }

=item parseTrap

This is called when we receive an SNMP-Trap for this device

=cut

sub parseTrap {
    my ( $this, $trapString ) = @_;
    my $trapHashRef;
    my $logger = $this->logger;

    $logger->debug("trap currently not handled");
    $trapHashRef->{'trapType'} = 'unknown';

    return $trapHashRef;
}

=item getVersion - obtain image version information from switch

=cut

sub getVersion {
    my ($this) = @_;
    my $logger = $this->logger;
    $logger->info("we don't know how to determine the version through SNMP !");
    return '2.0.13';
}

=item deauthTechniques

Return the reference to the deauth technique or the default deauth
technique.

=cut

sub deauthTechniques {
    my ($this, $method) = @_;
    my $logger = $this->logger;
    my $default = $SNMP::RADIUS;
    my %tech = (
        $SNMP::RADIUS => 'deauthenticateMacRadius',
    );

    if (!defined($method) || !defined($tech{$method})) {
        $method = $default;
    }
    return $method, $tech{$method};
}

=item deauthenticateMacRadius

De-authenticate a MAC address from wireless network (including 802.1x).

New implementation using RADIUS Disconnect-Request.

=cut

sub deauthenticateMacRadius {
    my ( $self, $mac, $is_dot1x ) = @_;
    my $logger = $self->logger;

    if ( !$self->isProductionMode() ) {
        $logger->info("not in production mode... we won't perform deauthentication");
        return 1;
    }

    $logger->debug("deauthenticate $mac using RADIUS Disconnect-Request deauth method");
    return $self->radiusDisconnect($mac);
}

=item radiusDisconnect

Sends a RADIUS Disconnect-Request to the NAS with the MAC as the
Calling-Station-Id to disconnect.

Optionally you can provide other attributes as a hashref.

Uses L for the low-level RADIUS stuff.

=cut

# NOTE: despite its name and the POD above, this implementation does not send
# a RADIUS Disconnect-Request; it logs in to the AP over SSH and kicks the MAC
# from each VAP interface with iwpriv.
# TODO consider whether we should handle retries or not?
sub radiusDisconnect {
    my ($self, $mac, $add_attributes_ref) = @_;
    my $logger = $self->logger;

    # initialize
    $add_attributes_ref = {} if (!defined($add_attributes_ref));

    if (!defined($self->{'_cliUser'}) || !defined($self->{'_cliPwd'})) {
        $logger->warn(
            "Unable to perform CLI Disconnect-Request on $self->{'_ip'}: CLI credentials not configured"
        );
        return;
    }

    # $mac is interpolated into a remote shell command line below, so only
    # accept a plain colon-separated MAC address (guard added on review).
    if (!defined($mac) || $mac !~ /^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$/i) {
        $logger->error("refusing to deauthenticate a malformed MAC address");
        return;
    }

    $logger->info("deauthenticating $mac");

    my $send_disconnect_to = $self->{'_ip'};
    # allowing client code to override where we connect with NAS-IP-Address
    $send_disconnect_to = $add_attributes_ref->{'NAS-IP-Address'}
        if (defined($add_attributes_ref->{'NAS-IP-Address'}));

    # the posted version always connected to $self->{'_ip'}, which silently
    # ignored the override computed just above
    my $host = $send_disconnect_to;
    my $user = $self->{'_cliUser'};
    my $pass = $self->{'_cliPwd'};

    try {
        my $ssh = Net::SSH::Perl->new($host);
        #-- authenticate
        $ssh->login($user, $pass);
        #-- execute the command
        # Template: iwpriv ath0 kickmac b0:65:bd:63:2c:56
        # The AP does not tell us which VAP the client is on, so the kick is
        # attempted on ath0..ath9 and per-interface errors are ignored.
        my $kick = join('; ', map { "iwpriv ath$_ kickmac $mac" } 0 .. 9);
        my ($stdout, $stderr, $exit) = $ssh->cmd($kick);
    } catch {
        chomp;
        $logger->warn("Unable to perform CLI Disconnect-Request: $_");
        $logger->error("Wrong CLI credentials or unreachable network device...") if ($_ =~ /^Timeout/);
    };

    return $TRUE;
}

=item 

[PacketFence-users] RADIUS Proxy

2018-04-19 Thread Nathan, Josh via PacketFence-users
Hello All,

OK, I am somewhat abandoning trying to use LDAP as I thought RADIUS might
be easier.

I'm trying to use JumpCloud's Radius-as-a-Service.  If I tell my AP to use
their RADIUS server directly, authentication works.  However, I'd like to
use PacketFence as a go-between to use dynamic VLANs and the quarantine
functionality.

I'm testing with PacketFence-ZEN 7.4.0

However, PacketFence's RADIUS debug logs say my username and password are
incorrect, even though it works if I bypass PacketFence.  So somehow I'm
not getting PacketFence to proxy the authentication request correctly.
Unfortunately, as I can't directly manage the inner workings of the
service, I can't confirm how the passwords are encrypted, but since a
direct access point connection works fine, I have a hard time believing that
PacketFence can't authenticate against it.  Here're my configurations, and
the debug output...

proxy.conf.inc:

%%eduroam%%

%%config%%

home_server jumpcloud {
    type = auth
    ipaddr = 104.154.91.253
    port = 1812
    secret = mysupersecretsecret
    require_message_authenticator = yes
}

home_server_pool bfacademy {
    type = fail-over
    home_server = jumpcloud
}

realm bfacademy.de {
    auth_pool = bfacademy
    strip
}


packetfence-tunnel:

authorize {
    if ( outer.EAP-Type == TTLS) {
        update request {
             := TTLS
        }
    }
    filter_username

    mschap

    suffix
    ntdomain

    %%multi_domain%%

    %%redis_ntlm_cache_fetch%%


    ### NOTE: I've tried with the "update control" section commented out, set
    ### to LOCAL, and set like this. Same result regardless.

    update control {
        #:= LOCAL
        Proxy-to-Realm := "bfacademy.de"
    }

    eap {
        ok = return
    }

    rewrite_called_station_id

    packetfence-local-auth

    pap
}

authenticate {

    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        packetfence # increment the StatsD counter

        if(PacketFence-Domain) {
            chrooted_mschap
        }
        else {
            mschap
        }

        if(:NT-Password && :NT-Password != "") {
            mschap_local {
                reject = 2
            }
            if (reject || fail) {
                packetfence-mschap-authenticate
            }
        }
        else {
            packetfence-mschap-authenticate
        }
    }

    eap
}


My RADIUS debug output:

[root@PacketFence-ZEN pf]# cat debuglog.log
(0) Thu Apr 19 13:52:36 2018: Debug: Received Access-Request Id 48 from 172.20.242.102:46157 to 172.20.242.98:1812 length 203
(0) Thu Apr 19 13:52:36 2018: Debug:   User-Name = "josh.nat...@bfacademy.de"
(0) Thu Apr 19 13:52:36 2018: Debug:   NAS-IP-Address = 172.20.242.102
(0) Thu Apr 19 13:52:36 2018: Debug:   NAS-Identifier = "788a208cc8e2"
(0) Thu Apr 19 13:52:36 2018: Debug:   NAS-Port = 0
(0) Thu Apr 19 13:52:36 2018: Debug:   Called-Station-Id = "78-8A-20-8D-C8-E2:Beta-BFA"
(0) Thu Apr 19 13:52:36 2018: Debug:   Calling-Station-Id = "A8-7C-01-A2-60-6F"
(0) Thu Apr 19 13:52:36 2018: Debug:   Framed-MTU = 1400
(0) Thu Apr 19 13:52:36 2018: Debug:   NAS-Port-Type = Wireless-802.11
(0) Thu Apr 19 13:52:36 2018: Debug:   Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Thu Apr 19 13:52:36 2018: Debug:   EAP-Message = 0x02d4001d016a6f73682e6e617468616e40626661636164656d792e6465
(0) Thu Apr 19 13:52:36 2018: Debug:   Message-Authenticator = 0xdf7fa16da736e74d7c4a2b520b9b3e48
(0) Thu Apr 19 13:52:36 2018: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(0) Thu Apr 19 13:52:36 2018: Debug:   authorize {
(0) Thu Apr 19 13:52:36 2018: Debug: update {
(0) Thu Apr 19 13:52:36 2018: Debug:   EXPAND %{Packet-Src-IP-Address}
(0) Thu Apr 19 13:52:36 2018: Debug:  --> 172.20.242.102
(0) Thu Apr 19 13:52:36 2018: Debug:   EXPAND %l
(0) Thu Apr 19 13:52:36 2018: Debug: --> 1524138756
(0) Thu Apr 19 13:52:36 2018: Debug: } # update = noop
(0) Thu Apr 19 13:52:36 2018: Debug: policy rewrite_calling_station_id {
(0) Thu Apr 19 13:52:36 2018: Debug:   if ( && ( =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0) Thu Apr 19 13:52:36 2018: Debug:   if ( && ( =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(0) Thu Apr 19 13:52:36 2018: Debug:   if ( && ( =~

Re: [PacketFence-users] LDAP Source Problem

2018-04-06 Thread Nathan, Josh via PacketFence-users
OK, I tried defining my LDAP source separately in the mod-available section
(and of course adding the sym link in mods-enabled).  Made sure the
references within the packetfence-tunnel file had ldap enabled as well.
For what it's worth, I've also moved this to a test-bed running PacketFence
7.4.0.

At this point, it seems to at least be attempting the LDAP authentication,
but the radius logs show:

Apr  6 14:29:17 PacketFence-ZEN auth[7892]: rlm_ldap (ldap): Bind with uid=adminuser,ou=Users,o=,dc=jumpcloud,dc=com to ldaps://ldap.jumpcloud.com:636 failed: Can't contact LDAP server
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: rlm_ldap (ldap): Opening connection failed (5)
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (79)   Invalid user: [josh.nathan] (from client 172.20.242.214/16 port 0 cli a8:7c:01:a2:60:6f via TLS tunnel)
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   to find out the reason why the user was rejected
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) eap_peap:   what went wrong, and how to fix the problem
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: (80) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [josh.nathan] (from client 172.20.242.214/16 port 0 cli a8:7c:01:a2:60:6f)
Apr  6 14:29:17 PacketFence-ZEN auth[7892]: [mac:a8:7c:01:a2:60:6f] Rejected user: josh.nathan


Once again, the part that throws me off is that from the admin console, the
test bind is successful using SSL.  So the message about not being able to
contact the LDAP server is a little confusing to me.

Any help with next direction to look?  I'm pretty new to trying to use LDAP
at all, and am testing JumpCloud's LDAP service to see if it would be a
good fit.





On Wed, Mar 21, 2018 at 4:36 PM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:

> Hello,
>
> So, I'm having some trouble setting up an LDAP authentication source in
> PacketFence version 6.0.1.
>
> It tests successfully, and doing an ldapsearch test comes back without
> issue.  In fact, from the registration VLAN, through the PacketFence
> Captive Portal it works!
>
> However, with the username and password, it's not connecting to our 802.1X
> (WPA2-Enterprise) wireless network.  It comes back saying that the
> username/password is invalid.  We've been using a separate RADIUS database
> for user management, but actually using LDAP is of course a much better
> option.  I've tried looking at the logs, but I'm not readily finding
> anything.
>
> Why would it work in the captive portal, but not from an 802.1X handshake?
>
> I will note that I'm using SSL over port 636, and a self-signed
> certificate in these tests if that makes a difference.
>
> Thanks for helping point me in the right direction!
>


[PacketFence-users] LDAP Source Problem

2018-03-21 Thread Nathan, Josh via PacketFence-users
Hello,

So, I'm having some trouble setting up an LDAP authentication source in
PacketFence version 6.0.1.

It tests successfully, and doing an ldapsearch test comes back without
issue.  In fact, from the registration VLAN, through the PacketFence
Captive Portal it works!

However, with the username and password, it's not connecting to our 802.1X
(WPA2-Enterprise) wireless network.  It comes back saying that the
username/password is invalid.  We've been using a separate RADIUS database
for user management, but actually using LDAP is of course a much better
option.  I've tried looking at the logs, but I'm not readily finding
anything.

Why would it work in the captive portal, but not from an 802.1X handshake?

I will note that I'm using SSL over port 636, and a self-signed certificate
in these tests if that makes a difference.

Thanks for helping point me in the right direction!

Joshua Nathan
*IT Supervisor*
Black Forest Academy

p: +49 (0) 7626 9161 630 m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de


Re: [PacketFence-users] Unifi APs and CoA

2018-02-10 Thread Nathan, Josh via PacketFence-users
Hey, just FYI... Running both the Guest and RADIUS-Assigned VLANs on the
same AP (separate SSIDs, of course) does NOT work on Unifi's 3.8.15
firmware.  It works with firmware version 3.8.3, broke at 3.8.6, and it's
working again at least as of 3.9.19.

So if you need that firmware version, it won't work on the same AP.  If you
disable the Guest portal, the RADIUS-Assigned can function properly, but if
you enable the Guest portal on the one SSID, it somehow breaks the
RADIUS-Assigned functionality on the other SSID.


Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de



On Sat, Feb 10, 2018 at 7:33 AM, E.P. via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Yes, David, this is my plan to test the captive portal on wired
> connections to rule out the unruly Unifi APs
>
> Ideally I would love to make it also work with HP switches 1820/1920 model
> because this is the majority of switches installed in our organization.
>
> But will try it on Cisco switch as a beginning
>
> Thanks again, for your sharing.
>
> There’s apparently something wrong with mailing list for packetfence as
> there’s nothing coming in and I don’t believe it’s only me who persists in
> making things work and asking for advice
>
> Eugene
>
> *From:* David Harvey [mailto:da...@thoughtmachine.net]
> *Sent:* Friday, February 09, 2018 4:37 AM
> *To:* E.P. ; fdur...@inverse.ca
> *Subject:* Re: [PacketFence-users] Unifi APs and CoA
>
> Hi Eugene,
>
> I'm including Fabrice in case anything I have covered is misleading or
> plain untrue! I don't want to give you bad advice..
>
> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
> and so haven't had the same open SSID guest portal aspect (which might make
> my advice less relevant).
>
> I've been fumbling through, so I'm sure Fabrice can offer better advice
> but I would start by saying..
>
> My understanding of the additional functionality this patch affords, is
> dealing with kicking the client off an AP so it will then re-auth and
> hopefully get put onto the correct VLAN.  So before worrying about if the
> patch is working, I'd see if you can get to a state where you can reach the
> portal as a new device/user, and after registering it puts you on the
> correct VLAN if you toggle WiFi off and back on (thus skipping the kick
> from AP part of the process).
>
> As far as I understand, to achieve this you need:
>
> Ideally to have shown it works with your wired network, something like:
>
> Clients are placed on a registration network which hits the portal, and
> that is able to register them properly as a node in packetfence associated
> with a role which belongs to an authenticated VLAN.
>
> This is a really useful way to show that the core functionality works.
>
> My setup from there added EAP-TLS to the Radius config, but I understand
> you're not looking to do that.. The setup should be similar though, as
> UniFi controller or AP will still have a RADIUS profile - in your case it
> will just be doing the MAC auth bit to decide on VLAN rather than having
> that layered on top of the certificate part. From there I am guessing a
> bit, as I understand there were some changes made to make the pure MAC auth
> bits work which I'd have to collate from the other posts on this topic..
> Specifically, my clients change VLAN on the same SSID, they don't join a
> different SSID after registration..
>
> I hope this is of some help,
>
> David
>
> On Fri, Feb 9, 2018 at 8:23 AM, E.P.  wrote:
>
> Hi David,
>
> Sorry to bother you again, I’m a bit desperate here.
>
> Thought that it will be a breeze to implement guest WiFi with captive
> portal but I’m still nowhere.
>
> Can you please tell me what Unifi AP you are using? Is it a show stopper
> for me if I use older APs with firmware 3.8.15 ?
>
> I installed that required patch on PF as per Fabrice. Anything else I’m
> missing ?
>
> Eugene
>
> *From:* David Harvey [mailto:da...@thoughtmachine.net]
> *Sent:* Friday, February 02, 2018 7:10 AM
> *To:* Eugene Pefti
> *Subject:* Re: [PacketFence-users] Unifi APs and CoA
>
> Hi Eugene,
>
> No problem at all, although I'm not sure how much detail I can add.  Tim
> and Fabrice seem to have the best grasp of this with the most comprehensive
> guidance in the thread "[PacketFence-users] Ubiquiti UniFi AP Captive
> Portal".
>
> The draft docs were also quite handy:
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1
>
> Now my setup
>
> I've been running EAP-TLS for some time now for wired and wifi, so not
> using the MAC based 

Re: [PacketFence-users] VERY Slow Database

2017-10-17 Thread Nathan, Josh via PacketFence-users
Thanks!  That's worlds better!


Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de



On Tue, Oct 17, 2017 at 5:21 AM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Joshua,
>
> it's probably the radacct/radacct_log/locationlog table.
>
> Do a: select count(*) from radacct; (on each table) you probably have a
> huge table.
>
> So just do a truncate radacct/radacct_log/locationlog and it should be ok.
>
> Btw in the new packetfence version we limit that.
>
> Regards
>
> Fabrice
>
> On 2017-10-17 at 04:12, Nathan, Josh via PacketFence-users wrote:
>
> So, we have a PacketFence 6.0.1 installation, and it's been plugging along
> for almost two years now.  However, its database has gotten REALLY slow.
> The PacketFence admin page actually times out when trying to load the Node
> list (only 25 entries per page selected).  The server isn't being stressed
> at all that I can tell.  I'm not really a DB admin.  What can I do to kick
> some new life back into our PF database?
>
> Thanks,
>
> Joshua Nathan
> *IT Technician*
> Black Forest Academy
>
> p: +49 (0) 7626 9161 630 m: +49 (0) 152 3452 0056
> a:
> w: Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de
>
> --
> Fabrice Durand fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
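A fuller version of the check-then-prune step Fabrice describes above, added here and not taken from the thread or from the PacketFence project. It assumes the default database name `pf`, the FreeRADIUS `acctstoptime` column on `radacct`, and (assumptions to verify with `SHOW CREATE TABLE`) `end_time` on `locationlog` and `timestamp` on `radacct_log`. It keeps recent accounting rows instead of truncating everything, because those rows are what ties a MAC, IP and VLAN to a time window when you later investigate an incident.

```sql
-- Added example, not from the thread or the PacketFence project.
-- Assumed: database 'pf', radacct.acctstoptime (FreeRADIUS schema),
-- locationlog.end_time and radacct_log.timestamp (check before use).

-- 1. Confirm the suspicion: estimated rows and on-disk size per table.
SELECT table_name,
       table_rows,
       ROUND((data_length + index_length) / 1024 / 1024) AS size_mb
FROM information_schema.tables
WHERE table_schema = 'pf'
  AND table_name IN ('radacct', 'radacct_log', 'locationlog')
ORDER BY (data_length + index_length) DESC;

-- table_rows is only an InnoDB estimate; exact counts cost a full scan,
-- which is the count(*) Fabrice suggests, done for all three at once.
SELECT 'radacct'     AS tbl, COUNT(*) AS n FROM radacct
UNION ALL SELECT 'radacct_log', COUNT(*) FROM radacct_log
UNION ALL SELECT 'locationlog', COUNT(*) FROM locationlog;

-- 2. Rather than TRUNCATE, archive closed sessions older than 90 days
--    (open sessions have a NULL acctstoptime and must stay).
CREATE TABLE IF NOT EXISTS radacct_archive LIKE radacct;
INSERT INTO radacct_archive
SELECT * FROM radacct
WHERE acctstoptime IS NOT NULL
  AND acctstoptime < NOW() - INTERVAL 90 DAY;

-- 3. Delete in batches so one huge transaction does not hold locks on
--    the table for the whole run; re-run until 0 rows are affected.
DELETE FROM radacct
WHERE acctstoptime IS NOT NULL
  AND acctstoptime < NOW() - INTERVAL 90 DAY
LIMIT 10000;

-- 4. Same pattern for the other two tables, keyed on their own timestamps.
--    The BETWEEN lower bound skips NULL and zero-date "still open" rows.
DELETE FROM locationlog
WHERE end_time BETWEEN '1000-01-01' AND NOW() - INTERVAL 90 DAY
LIMIT 10000;

DELETE FROM radacct_log
WHERE `timestamp` < NOW() - INTERVAL 90 DAY
LIMIT 10000;

-- 5. Reclaim the space; DELETE alone leaves it allocated in the tablespace.
OPTIMIZE TABLE radacct, radacct_log, locationlog;
```

If the tables are as large as the thread suggests, run step 1 first and expect steps 2 and 3 to take a while; the archive table can be dumped and dropped once it is backed up elsewhere.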


Re: [PacketFence-users] Packetfence 7.2.0 Cannot set authentication rules in radius source.

2017-10-17 Thread Nathan, Josh via PacketFence-users
I ran into that as well.  What fixed it for me, is that there are two
values in the source with default numbers.  The port and the timeout or
whatever, I think.  You need to FILL IN those values.  Leaving them
auto-completed didn't work for me for some reason.  I just entered in the
same numbers it had in grey, and then everything saved normally.


Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de



On Thu, Aug 31, 2017 at 4:16 AM, Tomasz Karczewski via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Packetfence 7.1.0 version has no problems with that.
>
> Maybe it’s some kind of bug?
>
> *From:* Tomasz Karczewski via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, August 30, 2017 1:06 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Tomasz Karczewski
> *Subject:* [PacketFence-users] Packetfence 7.2.0 Cannot set
> authentication rules in radius source.
>
> Hi,
>
> I’m deploying the new version of packetfence and when I add a new radius
> authentication source and set authentication rules I get the message
> “*Error!* An error condition has occured. See server side logs for details.”
>
> Logs from httpd.admin.log are as follows
>
> Aug 30 09:01:33 PacketFence-ZEN httpd_admin: httpd.admin(2349) ERROR:
> [mac:unknown] Caught exception in pfappserver::Controller::Config::Source->update
> "Attribute (timeout) does not pass the type constraint because: Validation
> failed for 'Maybe[Int]' with value  at constructor
> pf::Authentication::Source::RADIUSSource::new (defined at
> /usr/local/pf/lib/pf/Authentication/Source/RADIUSSource.pm line 233) line
> 136.
>
> pf::Authentication::Source::RADIUSSource::new('pf::Authentication::Source::RADIUSSource', 'HASH(0x7ffb9b826ae8)') called at /usr/local/pf/lib/pf/authentication.pm line 121
>
> pf::authentication::newAuthenticationSource('RADIUS', 'source', 'HASH(0x7ffb9b826530)') called at /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Source.pm line 346
>
> pfappserver::Form::Config::Source::get_source('pfappserver::Form::Config::Source::RADIUS=HASH(0x7ffb9b6ee2a0)') called at /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Field/SourceRuleCondition.pm line 72
>
> pfappserver::Form::Field::SourceRuleCondition::options_attributes('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at native delegation method HTML::FormHandler::Field::Select::get_options (execute_method) of attribute options_method (defined at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 52) line 3
>
> HTML::FormHandler::Field::Select::get_options('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 265
>
> HTML::FormHandler::Field::Select::_load_options('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)') called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Select.pm line 251
>
> HTML::FormHandler::Field::Select::_result_from_input('HTML::FormHandler::Field::Select::16=HASH(0x7ffb9b825ee8)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b825ed0)', 'username', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/InitResult.pm line 59
>
> HTML::FormHandler::InitResult::_result_from_input('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Compound.pm line 74
>
> Class::MOP::Class:::around('CODE(0x7ffb798c81c0)', 'pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 162
>
> Class::MOP::Method::Wrapped::__ANON__('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 91
>
> HTML::FormHandler::Field::Compound::_result_from_input('pfappserver::Form::Field::SourceRuleCondition::22=HASH(0x7ffb...', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b804d28)', 'HASH(0x7ffb9b73ea00)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/Field/Repeatable.pm line 159
>
> HTML::FormHandler::Field::Repeatable::_result_from_input('pfappserver::Form::Field::DynamicList::18=HASH(0x7ffb9b814880)', 'HTML::FormHandler::Field::Result=HASH(0x7ffb9b81d618)', 'ARRAY(0x7ffb9b73e940)', 1) called at /usr/share/perl5/vendor_perl/HTML/FormHandler/InitResult.pm line 59
>
> 

[PacketFence-users] VERY Slow Database

2017-10-17 Thread Nathan, Josh via PacketFence-users
So, we have a PacketFence 6.0.1 installation, and it's been plugging along
for almost two years now.  However, its database has gotten REALLY slow.
The PacketFence admin page actually times out when trying to load the Node
list (only 25 entries per page selected).  The server isn't being stressed
at all that I can tell.  I'm not really a DB admin.  What can I do to kick
some new life back into our PF database?

Thanks,

Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630 m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de


Re: [PacketFence-users] help - PF not starting after a reboot

2017-09-29 Thread Nathan, Josh via PacketFence-users
When I had a similar problem, recently, I was directed to restart the
packetfence-config service.  And then afterward I found I also needed to
restart the packetfence-mariadb service for subsequent issues.


Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de



On Fri, Sep 29, 2017 at 1:00 PM, Luís Torres via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Getting loads of these errors in packetfence.log:
>
> p 29 11:58:18 packetfence packetfence: ERROR pfcmd.pl(958):
> [1506682698.49178] Failed to connect to config service for namespace
> config::Pf, retrying (pfconfig::cached::_get_from_socket)
> Sep 29 11:58:18 packetfence packetfence: ERROR pfcmd.pl(964):
> [1506682698.56148] Failed to connect to config service for namespace
> resource::URI_Filters, retrying (pfconfig::cached::_get_from_socket)
> Sep 29 11:58:18 packetfence packetfence: ERROR pfcmd.pl(937):
> [1506682698.56148] Failed to connect to config service for namespace
> resource::switches_group, retrying (pfconfig::cached::_get_from_socket)
> Sep 29 11:58:18 packetfence packetfence: ERROR pfcmd.pl(958):
> [1506682698.59354] Failed to connect to config service for namespace
> config::Pf, retrying (pfconfig::cached::_get_from_socket)
> Sep 29 11:58:18 packetfence packetfence: ERROR pfcmd.pl(964):
> [1506682698.6632] Failed to connect to config service for namespace
> resource::URI_Filters, retrying (pfconfig::cached::_get_from_socket)
> Sep 29 11:58:18 packetfence pa


Re: [PacketFence-users] Service Disappeared

2017-09-27 Thread Nathan, Josh via PacketFence-users
Thanks for your help!  I had forgotten about the config service.  Ended up
having to restart MariaDB too.  It was running, but PF was stating that it
couldn't write to L2 cache.  After restarting config and mariadb,
everything started up without issue!


Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de



On Tue, Sep 26, 2017 at 3:18 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> ok so do:
>
> systemctl restart packetfence-config
>
> /usr/local/pf/bin/pfcmd service pf restart
>
> On 2017-09-26 at 09:16, Nathan, Josh via PacketFence-users wrote:
>
> OK.  That gives me:
>
> Failed to connect to config service for namespace resource::URI_Filters,
> retrying
>
>
> And that message just keeps getting repeated until I kill it.
>
>
> Joshua Nathan
> *IT Technician*
> Black Forest Academy
>
> p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
> a:
> w: Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de
>
> On Tue, Sep 26, 2017 at 2:15 PM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Nathan,
>>
>> there is no systemd script to restart all of packetfence's services.
>>
>> What you can do is the following:
>>
>> /usr/local/pf/bin/pfcmd service pf start
>>
>> Regards
>>
>> Fabrice
>>
>> On 2017-09-26 at 04:43, Nathan, Josh via PacketFence-users wrote:
>>
>> Sorry, to be a little more specific... it seems that at least a number of
>> the files are still in /etc/systemd/system... but when I issue "systemctl
>> start packetfence", I get:
>>
>> Failed to start packetfence.service: Unit not found.
>>
>> Joshua Nathan
>> *IT Technician*
>> Black Forest Academy
>>
>> p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
>> a:
>> w: Hammersteiner Straße 50, 79400 Kandern
>> bfacademy.de
>>
>> On Tue, Sep 26, 2017 at 10:37 AM, Nathan, Josh <josh.nat...@bfacademy.de>
>> wrote:
>>
>>> Strange issue... I just did a clean install of PacketFence 7.2.0 on a
>>> CentOS 7 server.  However, at some point over night, my PacketFence service
>>> disappeared.  The directory and configurations seem to all still be in
>>> place, but the service is gone.  Is there a way to readily recreate that?
>>>
>>> Thanks,
>>>
>>> Joshua Nathan
>>> *IT Technician*
>>> Black Forest Academy
>>>
>>> p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
>>> a:
>>> w: Hammersteiner Straße 50, 79400 Kandern
>>> bfacademy.de
>>>
>>
>> --
>> Fabrice Durand fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>
> --
> Fabrice Durand fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inv

Re: [PacketFence-users] Service Disappeared

2017-09-26 Thread Nathan, Josh via PacketFence-users
OK.  That gives me:

Failed to connect to config service for namespace resource::URI_Filters,
retrying


And that message just keeps getting repeated until I kill it.


Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de



On Tue, Sep 26, 2017 at 2:15 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Nathan,
>
> there is no systemd script to restart all of packetfence's services.
>
> What you can do is the following:
>
> /usr/local/pf/bin/pfcmd service pf start
>
> Regards
>
> Fabrice
>
> On 2017-09-26 at 04:43, Nathan, Josh via PacketFence-users wrote:
>
> Sorry, to be a little more specific... it seems that at least a number of
> the files are still in /etc/systemd/system... but when I issue "systemctl
> start packetfence", I get:
>
> Failed to start packetfence.service: Unit not found.
>
>
>
> Joshua Nathan
> *IT Technician*
> Black Forest Academy
>
> p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
> a:
> w: Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de
>
> On Tue, Sep 26, 2017 at 10:37 AM, Nathan, Josh <josh.nat...@bfacademy.de>
> wrote:
>
>> Strange issue... I just did a clean install of PacketFence 7.2.0 on a
>> CentOS 7 server.  However, at some point over night, my PacketFence service
>> disappeared.  The directory and configurations seem to all still be in
>> place, but the service is gone.  Is there a way to readily recreate that?
>>
>> Thanks,
>>
>> Joshua Nathan
>> *IT Technician*
>> Black Forest Academy
>>
>> p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
>> a:
>> w: Hammersteiner Straße 50, 79400 Kandern
>> bfacademy.de
>>
>
> --
> Fabrice Durand fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)


[PacketFence-users] Service Disappeared

2017-09-26 Thread Nathan, Josh via PacketFence-users
Strange issue... I just did a clean install of PacketFence 7.2.0 on a
CentOS 7 server.  However, at some point over night, my PacketFence service
disappeared.  The directory and configurations seem to all still be in
place, but the service is gone.  Is there a way to readily recreate that?

Thanks,

Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de


Re: [PacketFence-users] Service Disappeared

2017-09-26 Thread Nathan, Josh via PacketFence-users
Sorry, to be a little more specific... it seems that at least a number of
the files are still in /etc/systemd/system... but when I issue "systemctl
start packetfence", I get:

Failed to start packetfence.service: Unit not found.



Joshua Nathan
*IT Technician*
Black Forest Academy

p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de



On Tue, Sep 26, 2017 at 10:37 AM, Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> Strange issue... I just did a clean install of PacketFence 7.2.0 on a
> CentOS 7 server.  However, at some point over night, my PacketFence service
> disappeared.  The directory and configurations seem to all still be in
> place, but the service is gone.  Is there a way to readily recreate that?
>
> Thanks,
>
> Joshua Nathan
> *IT Technician*
> Black Forest Academy
>
> p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
> a:
> w: Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de


Re: [PacketFence-users] Error with pf-maint.pl

2016-06-14 Thread Nathan, Josh
Is there a way to generate this?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Fri, Jun 10, 2016 at 11:31 AM, Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> James,
>
> /usr/local/pf/git_commit_id does NOT exist for me.
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Thu, Jun 9, 2016 at 4:58 PM, James Rouzier <jrouz...@inverse.ca> wrote:
>
>> The script saves all previous applied patches in the directory.
>>
>> /usr/local/pf/.paches
>>
>> can you send me the contents of  /usr/local/pf/git_commit_id
>>
>> James Rouzier jrouz...@inverse.ca :: +1.514.447.4918 (x115) :: http://www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://www.packetfence.org)
>>
>> On 2016-06-09 10:51 AM, Nathan, Josh wrote:
>>
>> No, I ran it once before.  I think after the first patch was released.
>> But then I've seen at least one, if not 2 more patches get released that
>> looked helpful.
>>
>> Thanks,
>> Joshua Nathan
>> Level 3 IT Support and Development
>> Black Forest Academy
>> +49 (0) 7626-9161-630
>>
>>
>> On Thu, Jun 9, 2016 at 4:41 PM, James Rouzier <jrouz...@inverse.ca>
>> wrote:
>>
>>> Was this the first time you ran pf-maint.pl after you installed 6.0.1?
>>>
>>> James Rouzier jrouz...@inverse.ca :: +1.514.447.4918 (x115) :: http://www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>> (http://www.packetfence.org)
>>>
>>> On 2016-06-09 10:36 AM, Nathan, Josh wrote:
>>>
>>> I get this:
>>>
>>>
>>> 44843a2ebfee8d3a97908d7a262ae222f52a1ded-569bff3d1f44e60fc6cbbb4b26deb9e7d1e9f919.diff
>>>
>>> Thanks,
>>> Joshua Nathan
>>> Level 3 IT Support and Development
>>> Black Forest Academy
>>> +49 (0) 7626-9161-630
>>>
>>>
>>> On Thu, Jun 9, 2016 at 4:18 PM, James Rouzier <jrouz...@inverse.ca> wrote:
>>>
>>>> Hi Josh it seems that the maintenance branch is out of whack with your
>>>> install.
>>>>
>>>> Can you send me the output of the following command
>>>>
>>>> ls /usr/local/pf/.paches
>>>>
>>>> James Rouzier jrouz...@inverse.ca :: +1.514.447.4918 (x115) :: http://www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>> (http://www.packetfence.org)
>>>>
>>>> On 2016-06-09 10:01 AM, Nathan, Josh wrote:
>>>>
>>>> Any ideas on what to look for?  I'd like to apply some of the patches
>>>> that have been released.  The server obviously has Internet access.  Do I
>>>> need to pass a specific flag to pf-maint.pl?
>>>>
>>>> Thanks,
>>>> Joshua Nathan
>>>> Level 3 IT Support and Development
>>>> Black Forest Academy
>>>> +49 (0) 7626-9161-630
>>>>
>>>>
>>>> On Tue, Jun 7, 2016 at 10:35 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>>>
>>>>> When I try to run pf-maint, I get the following error:
>>>>>
>>>>> ** GET
>>>>> https://api.github.com/repos/inverse-inc/packetfence/compare/a962ef7cf0c0755845f9e48ee0d2d0c5bf517c7d...f9dda4c3b46973fd6fa4fac586df9ce810df745c
>>>>> ==> 404 Not Found (1s)
>>>>> 404 Not Found
>>>>>
>>>>>
>>>>> I'm running PF 6.0.1.
>>>>>
>>>>> Thanks,
>>>>> Joshua Nathan
>>>>> Level 3 IT Support and Development
>>>>> Black Forest Academy
>>>>> +49 (0) 7626-9161-630
>>>>>
>>>>

Re: [PacketFence-users] Error with pf-maint.pl

2016-06-10 Thread Nathan, Josh
James,

/usr/local/pf/git_commit_id does NOT exist for me.

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Thu, Jun 9, 2016 at 4:58 PM, James Rouzier <jrouz...@inverse.ca> wrote:

> The script saves all previous applied patches in the directory.
>
> /usr/local/pf/.paches
>
> can you send me the contents of  /usr/local/pf/git_commit_id
>
> James Rouzier jrouz...@inverse.ca :: +1.514.447.4918 (x115) :: http://www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://www.packetfence.org)
>
> On 2016-06-09 10:51 AM, Nathan, Josh wrote:
>
> No, I ran it once before.  I think after the first patch was released.
> But then I've seen at least one, if not 2 more patches get released that
> looked helpful.
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Thu, Jun 9, 2016 at 4:41 PM, James Rouzier <jrouz...@inverse.ca> wrote:
>
>> Was this the first time you ran pf-maint.pl after you installed 6.0.1?
>>
>> James Rouzier jrouz...@inverse.ca :: +1.514.447.4918 (x115) :: http://www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://www.packetfence.org)
>>
>> On 2016-06-09 10:36 AM, Nathan, Josh wrote:
>>
>> I get this:
>>
>>
>> 44843a2ebfee8d3a97908d7a262ae222f52a1ded-569bff3d1f44e60fc6cbbb4b26deb9e7d1e9f919.diff
>>
>> Thanks,
>> Joshua Nathan
>> Level 3 IT Support and Development
>> Black Forest Academy
>> +49 (0) 7626-9161-630
>>
>>
>> On Thu, Jun 9, 2016 at 4:18 PM, James Rouzier <jrouz...@inverse.ca> wrote:
>>
>>> Hi Josh it seems that the maintenance branch is out of whack with your
>>> install.
>>>
>>> Can you send me the output of the following command
>>>
>>> ls /usr/local/pf/.paches
>>>
>>> James Rouzier jrouz...@inverse.ca :: +1.514.447.4918 (x115) :: http://www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>> (http://www.packetfence.org)
>>>
>>> On 2016-06-09 10:01 AM, Nathan, Josh wrote:
>>>
>>> Any ideas on what to look for?  I'd like to apply some of the patches
>>> that have been released.  The server obviously has Internet access.  Do I
>>> need to pass a specific flag to pf-maint.pl?
>>>
>>> Thanks,
>>> Joshua Nathan
>>> Level 3 IT Support and Development
>>> Black Forest Academy
>>> +49 (0) 7626-9161-630
>>>
>>>
>>> On Tue, Jun 7, 2016 at 10:35 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>>
>>>> When I try to run pf-maint, I get the following error:
>>>>
>>>> ** GET
>>>> https://api.github.com/repos/inverse-inc/packetfence/compare/a962ef7cf0c0755845f9e48ee0d2d0c5bf517c7d...f9dda4c3b46973fd6fa4fac586df9ce810df745c
>>>> ==> 404 Not Found (1s)
>>>> 404 Not Found
>>>>
>>>>
>>>> I'm running PF 6.0.1.
>>>>
>>>> Thanks,
>>>> Joshua Nathan
>>>> Level 3 IT Support and Development
>>>> Black Forest Academy
>>>> +49 (0) 7626-9161-630
>>>>
>>>>
>>>
>>>
>
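The two things James asks for, the saved patch names and the recorded commit id, can be cross-checked offline before anyone looks at the GitHub API again. The script below is an added example written for this thread; it is not part of pf-maint.pl or PacketFence. It relies only on what the thread shows: pf-maint.pl saves each applied patch as `<base>-<head>.diff`, and it asks GitHub for `/compare/<base>...<head>`, which returns 404 when either commit is unknown to the repository. The rule that the recorded commit should equal the head of the last saved patch, and the `.patches` spelling of the directory James refers to as `.paches`, are assumptions. The sample inputs in the test are built from the names and commit ids visible in the thread.

```python
import os
import re
import sys
from typing import List, Optional, Tuple

SHA1 = r"[0-9a-f]{40}"
# pf-maint.pl saves applied patches as <base>-<head>.diff (file name seen in the thread)
PATCH_NAME = re.compile(rf"^({SHA1})-({SHA1})\.diff$")
# and asks GitHub for .../compare/<base>...<head> (the URL in the 404 message)
COMPARE_URL = re.compile(rf"/compare/({SHA1})\.\.\.({SHA1})")

Pair = Tuple[str, str]


def parse_compare_url(url: str) -> Pair:
    """Pull (base, head) out of the GitHub compare URL pf-maint.pl printed."""
    m = COMPARE_URL.search(url)
    if not m:
        raise ValueError(f"not a GitHub compare URL: {url}")
    return m.group(1), m.group(2)


def parse_patch_names(names: List[str]) -> List[Pair]:
    """Turn saved patch file names into (base, head) pairs; other files are ignored."""
    pairs = []
    for name in names:
        m = PATCH_NAME.match(name)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def order_chain(pairs: List[Pair]) -> Optional[List[Pair]]:
    """Link patches head-to-base into one chain, or return None if that is impossible."""
    if not pairs:
        return []
    by_base = {base: (base, head) for base, head in pairs}
    heads = {head for _, head in pairs}
    starts = [p for p in pairs if p[0] not in heads]
    if len(starts) != 1 or len(by_base) != len(pairs):
        return None
    chain, cur = [], starts[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = by_base.get(cur[1])
    return chain if len(chain) == len(pairs) else None


def check_chain(patch_names: List[str], recorded_commit: Optional[str], compare_url: str) -> List[str]:
    """Return human-readable findings; an empty list means the local state is consistent."""
    findings = []
    chain = order_chain(parse_patch_names(patch_names))
    base, _head = parse_compare_url(compare_url)
    if chain is None:
        findings.append("saved patches do not form a single base->head chain")
        return findings
    last_head = chain[-1][1] if chain else None
    if recorded_commit is None:
        findings.append("git_commit_id missing: no record of the installed commit")
    elif last_head and recorded_commit != last_head:
        findings.append(f"recorded commit {recorded_commit[:8]} != head of last saved patch {last_head[:8]}")
    if last_head and base != last_head:
        findings.append(f"compare base {base[:8]} != head of last saved patch {last_head[:8]}")
    if recorded_commit is not None and base != recorded_commit:
        findings.append(f"compare base {base[:8]} != recorded commit {recorded_commit[:8]}")
    return findings


def read_optional(path: str) -> Optional[str]:
    """Contents of a small state file, or None when it does not exist (as in this thread)."""
    try:
        with open(path) as fh:
            return fh.read().strip() or None
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Usage on the PacketFence host: python3 check_chain.py '<compare URL from the 404>'
    if len(sys.argv) != 2:
        sys.exit("usage: check_chain.py '<compare URL from the pf-maint.pl 404>'")
    patch_dir = "/usr/local/pf/.patches"          # assumed spelling of the directory
    names = os.listdir(patch_dir) if os.path.isdir(patch_dir) else []
    commit = read_optional("/usr/local/pf/git_commit_id")
    for finding in check_chain(names, commit, sys.argv[1]) or ["consistent"]:
        print(finding)
```

Run against the state in this thread (one saved patch ending at 569bff3d, no git_commit_id, a compare URL starting at a962ef7c) it reports both the missing commit record and that the compare base is not the head of the last applied patch, which is the "out of whack" condition without a network round trip.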

Re: [PacketFence-users] Error with pf-maint.pl

2016-06-09 Thread Nathan, Josh
Any ideas on what to look for?  I'd like to apply some of the patches that
have been released.  The server obviously has Internet access.  Do I need
to pass a specific flag to pf-maint.pl?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Tue, Jun 7, 2016 at 10:35 AM, Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> When I try to run pf-maint, I get the following error:
>
> ** GET
> https://api.github.com/repos/inverse-inc/packetfence/compare/a962ef7cf0c0755845f9e48ee0d2d0c5bf517c7d...f9dda4c3b46973fd6fa4fac586df9ce810df745c
> ==> 404 Not Found (1s)
> 404 Not Found
>
>
> I'm running PF 6.0.1.
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Error with pf-maint.pl

2016-06-07 Thread Nathan, Josh
When I try to run pf-maint, I get the following error:

** GET
https://api.github.com/repos/inverse-inc/packetfence/compare/a962ef7cf0c0755845f9e48ee0d2d0c5bf517c7d...f9dda4c3b46973fd6fa4fac586df9ce810df745c
==> 404 Not Found (1s)
404 Not Found


I'm running PF 6.0.1.

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


[PacketFence-users] Error Generating EAP-TLS Profile

2016-04-28 Thread Nathan, Josh
When using the Android Provisioner, I'm trying to set it to use EAP-TLS,
and I get this error on the captive portal after successfully providing my
credentials:

Apr 28 11:53:03 httpd.portal(18407) ERROR: [mac:a8:7c:01:a2:60:6f] Caught
exception in captiveportal::Controller::Root->dynamic_application "Can't
locate object method "current_module" via package
"captiveportal::DynamicRouting::Module::Provisioning" at
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module.pm
line 201." (captiveportal::PacketFence::Controller::Root::end)

This is with PacketFence 6.0.  I'm using the PacketFence PKI.  For what
it's worth, the PKI is on a different computer than PacketFence, itself.

What do I need to look at to find the problem?  Everything "seems" pretty
straight-forward...

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


[PacketFence-users] Android App

2016-04-25 Thread Nathan, Josh
So, I'm having difficulty with the Android App. I'm trying to use PEAP, but
the app doesn't seem to recognize that the username and password need to be
supplied.  So that leaves me with registering, downloading/installing the app,
running the app, and then going into the device's wifi settings and
manually adjusting the connection just created.  Is this a problem with my
setup somehow?

Here's my Provisioner configuration:

[android]
eap_type=25
can_sign_profile=0
security_type=WPA
description=android provisioner
broadcast=1
server_certificate_path=/usr/local/pf/conf/ssl/tls_certs/ca.pem
oses=
type=android
category=
pki_provider=HostPKI
ssid=DynBFAK

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


Re: [PacketFence-users] ANN: PacketFence 6.0.0

2016-04-22 Thread Nathan, Josh
Yep, unchecking the snort service did allow PacketFence to start without
issue.  So it does seem to be related to Snort...

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Fri, Apr 22, 2016 at 4:02 PM, Louis Munro <lmu...@inverse.ca> wrote:

> Hi Nathan,
> Can you try temporarily disabling snort and then starting PacketFence with
> systemd to see if it’s really snort that’s causing it to timeout, or if we
> are barking up the wrong tree?
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Apr 22, 2016, at 9:59 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> Didn't take especially long.  I know about the warnings, I thought like
> with previous versions of PF, all the rules would default to Snort.
>
> [root@gatekeeper bin]# ./pfcmd service snort start
> service|command
> httpd.admin|already started
> Checking configuration sanity...
> WARNING - Invalid trigger Suricata::ET MALWARE for violation 200
> WARNING - Invalid trigger Suricata::ET TROJAN for violation 2002030
> Spawning daemon child...
> My daemon child 17401 lives...
> Daemon parent exiting (0)
> snort|start
> pfdetect|already started
> [root@gatekeeper bin]#
>
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Fri, Apr 22, 2016 at 3:33 PM, Antoine Amacher <aamac...@inverse.ca>
> wrote:
>
>> Nathan,
>>
>> Can you try the following from your pf directory and let us know the
>> result:
>> bin/pfcmd service snort start
>>
>> thank you
>>
>>
>> On 04/22/2016 08:06 AM, Nathan, Josh wrote:
>>
>> Here's what the messages log says:
>> Apr 22 13:54:48 gatekeeper systemd: Starting PacketFence Service...
>> Apr 22 13:54:50 gatekeeper pfcmd: service|command
>> Apr 22 13:54:56 gatekeeper pfcmd: [Fri Apr 22 13:54:56 2016]
>> pfappserver.pm: Cannot determine desired terminal width, using default
>> of 80 columns
>> Apr 22 13:54:57 gatekeeper pfcmd: AH00548: NameVirtualHost has no effect
>> and will be removed in the next release
>> /usr/local/pf/var/conf/httpd.conf.d/httpd.admin:147
>> Apr 22 13:54:57 gatekeeper pfcmd: AH00558: httpd: Could not reliably
>> determine the server's fully qualified domain name, using
>> gatekeeper.bfacademy.de. Set the 'ServerName' directive globally to
>> suppress this message
>> Apr 22 13:55:04 gatekeeper pfcmd: httpd.admin|start
>> Apr 22 13:55:04 gatekeeper pfcmd: Checking configuration sanity...
>> Apr 22 13:55:08 gatekeeper pfcmd: iptables|already started
>> Apr 22 13:55:08 gatekeeper pfcmd: redis_queue|start
>> Apr 22 13:55:10 gatekeeper pfcmd: AH00548: NameVirtualHost has no effect
>> and will be removed in the next release
>> /usr/local/pf/var/conf/httpd.conf.d/httpd.aaa:167
>> Apr 22 13:55:10 gatekeeper pfcmd: AH00558: httpd: Could not reliably
>> determine the server's fully qualified domain name, using
>> gatekeeper.bfacademy.de. Set the 'ServerName' directive globally to
>> suppress this message
>> Apr 22 13:55:12 gatekeeper pfcmd: httpd.aaa|start
>> Apr 22 13:55:12 gatekeeper pfcmd: radiusd-acct|start
>> Apr 22 13:55:12 gatekeeper pfcmd: radiusd|start
>> Apr 22 13:55:14 gatekeeper pfcmd: pfqueue|start
>> Apr 22 13:55:15 gatekeeper pfcmd: pfdns|start
>> Apr 22 13:55:17 gatekeeper pfcmd: pfdhcplistener_enp0s8|start
>> Apr 22 13:55:17 gatekeeper kernel: device enp0s8 entered promiscuous mode
>> Apr 22 13:55:18 gatekeeper pfcmd: pfdhcplistener_enp0s9|start
>> Apr 22 13:55:18 gatekeeper kernel: device enp0s9 entered promiscuous mode
>> Apr 22 13:55:20 gatekeeper pfcmd: pfdhcplistener_enp0s3|start
>> Apr 22 13:55:20 gatekeeper kernel: device enp0s3 entered promiscuous mode
>> Apr 22 13:55:21 gatekeeper pfcmd: pfdhcplistener_enp0s10|start
>> Apr 22 13:55:21 gatekeeper kernel: device enp0s10 entered promiscuous mode
>> Apr 22 13:55:21 gatekeeper pfcmd: AH00558: httpd: Could not reliably
>> determine the server's fully qualified domain name, using
>> gatekeeper.bfacademy.de. Set the 'ServerName' directive globally to
>> suppress this message
>> Apr 22 13:55:21 gatekeeper pfcmd: httpd.parking|start
>> Apr 22 13:55:24 gatekeeper pfcmd: AH00548: NameVirtualHost has no effect
>> and will be removed in the next release
>> /usr/local/pf/var/conf/httpd.conf.d/httpd.portal:241
>> Apr 22 13:55:24 gatekeeper pfcmd: AH00558: httpd: Could not reliably
>>

[PacketFence-users] Snort Rules for P2P

2016-04-22 Thread Nathan, Josh
So... Is there a quicker/easier way to set up P2P detection with Snort?
Within the emerging-threats file, there's a LOT of different SIDs.  Do I
really need to enter them all by hand, or is there a way to somehow block or
trigger on anything in that file?

PF 6.0

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630
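On the P2P question: the SIDs do not have to be copied by hand, they can be pulled out of the rules file mechanically. The script below is an added example, not code from PacketFence, Snort or Emerging Threats. It parses Snort rule syntax (`sid:NNN;` inside the option block, with backslash-continued lines joined and commented-out rules skipped unless asked for), optionally restricts the result to one classtype or to rules whose msg contains a keyword, and prints the SIDs as a comma-separated trigger list. The `Detect::<sid>` prefix it prints is an assumption about the trigger syntax in violations.conf, and the four rules in the sample are constructed in the emerging-p2p.rules style, not real ET rules or SIDs; check the prefix against the documentation for your version before pasting.

```python
import re
import sys
from typing import Iterable, List, Optional

# Snort/Suricata rule: <action> <proto> <src> <sport> <dir> <dst> <dport> ( <options> )
RULE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+\S+\s+.*?\((?P<opts>.*)\)\s*$"
)
SID = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
CLASSTYPE = re.compile(r"(?:^|;)\s*classtype\s*:\s*([\w-]+)\s*;")
MSG = re.compile(r'(?:^|;)\s*msg\s*:\s*"([^"]*)"\s*;')


def join_continuations(lines: Iterable[str]) -> List[str]:
    """Rules files may break a rule over several lines with a trailing backslash."""
    out, buf = [], ""
    for line in lines:
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def extract_sids(lines: Iterable[str], classtype: Optional[str] = None,
                 msg_contains: Optional[str] = None, include_disabled: bool = False) -> List[int]:
    """Return the sorted, de-duplicated SIDs of the rules that pass the filters."""
    sids = set()
    for line in join_continuations(lines):
        m = RULE.match(line)
        if not m or (m.group("disabled") and not include_disabled):
            continue
        opts = m.group("opts")
        sid = SID.search(opts)
        if not sid:
            continue
        if classtype is not None:
            ct = CLASSTYPE.search(opts)
            if not ct or ct.group(1) != classtype:
                continue
        if msg_contains is not None:
            msg = MSG.search(opts)
            if not msg or msg_contains.lower() not in msg.group(1).lower():
                continue
        sids.add(int(sid.group(1)))
    return sorted(sids)


def trigger_list(sids: Iterable[int], prefix: str = "Detect") -> str:
    """Format SIDs as a comma-separated trigger string; the 'Detect' prefix is an assumption."""
    return ",".join(f"{prefix}::{sid}" for sid in sids)


# Constructed sample in the style of emerging-p2p.rules; these are not real ET rules or SIDs.
SAMPLE_RULES = """\
# constructed sample, not the real emerging-threats file
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Sample BitTorrent Handshake"; flow:established,to_server; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2000001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 6881:6999 (msg:"ET P2P Sample DHT Ping"; \\
    content:"d1|3a|ad2|3a|id20|3a|"; depth:12; classtype:policy-violation; sid:2000002; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Sample Disabled Rule"; content:"x"; classtype:policy-violation; sid:2000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Sample Not P2P"; content:"y"; classtype:trojan-activity; sid:2000004; rev:1;)
"""

if __name__ == "__main__":
    # Usage: python3 et_sids.py emerging-p2p.rules [classtype]
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RULES.splitlines()
    ct = sys.argv[2] if len(sys.argv) > 2 else None
    print(trigger_list(extract_sids(source, classtype=ct)))
```

Filtering on classtype is usually the better cut than the whole file: a P2P rules file mixes policy-violation rules with ones that should map to a different violation and severity, and a trigger list built from every SID blindly inherits that mix.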


Re: [PacketFence-users] ANN: PacketFence 6.0.0

2016-04-22 Thread Nathan, Josh
Didn't take especially long.  I know about the warnings, I thought like
with previous versions of PF, all the rules would default to Snort.

[root@gatekeeper bin]# ./pfcmd service snort start
service|command
httpd.admin|already started
Checking configuration sanity...
WARNING - Invalid trigger Suricata::ET MALWARE for violation 200
WARNING - Invalid trigger Suricata::ET TROJAN for violation 2002030
Spawning daemon child...
My daemon child 17401 lives...
Daemon parent exiting (0)
snort|start
pfdetect|already started
[root@gatekeeper bin]#


Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Fri, Apr 22, 2016 at 3:33 PM, Antoine Amacher <aamac...@inverse.ca>
wrote:

> Nathan,
>
> Can you try the following from your pf directory and let us know the
> result:
> bin/pfcmd service snort start
>
> thank you
>
>
> On 04/22/2016 08:06 AM, Nathan, Josh wrote:
>
> Here's what the messages log says:
> Apr 22 13:54:48 gatekeeper systemd: Starting PacketFence Service...
> Apr 22 13:54:50 gatekeeper pfcmd: service|command
> Apr 22 13:54:56 gatekeeper pfcmd: [Fri Apr 22 13:54:56 2016]
> pfappserver.pm: Cannot determine desired terminal width, using default of
> 80 columns
> Apr 22 13:54:57 gatekeeper pfcmd: AH00548: NameVirtualHost has no effect
> and will be removed in the next release
> /usr/local/pf/var/conf/httpd.conf.d/httpd.admin:147
> Apr 22 13:54:57 gatekeeper pfcmd: AH00558: httpd: Could not reliably
> determine the server's fully qualified domain name, using
> gatekeeper.bfacademy.de. Set the 'ServerName' directive globally to
> suppress this message
> Apr 22 13:55:04 gatekeeper pfcmd: httpd.admin|start
> Apr 22 13:55:04 gatekeeper pfcmd: Checking configuration sanity...
> Apr 22 13:55:08 gatekeeper pfcmd: iptables|already started
> Apr 22 13:55:08 gatekeeper pfcmd: redis_queue|start
> Apr 22 13:55:10 gatekeeper pfcmd: AH00548: NameVirtualHost has no effect
> and will be removed in the next release
> /usr/local/pf/var/conf/httpd.conf.d/httpd.aaa:167
> Apr 22 13:55:10 gatekeeper pfcmd: AH00558: httpd: Could not reliably
> determine the server's fully qualified domain name, using
> gatekeeper.bfacademy.de. Set the 'ServerName' directive globally to
> suppress this message
> Apr 22 13:55:12 gatekeeper pfcmd: httpd.aaa|start
> Apr 22 13:55:12 gatekeeper pfcmd: radiusd-acct|start
> Apr 22 13:55:12 gatekeeper pfcmd: radiusd|start
> Apr 22 13:55:14 gatekeeper pfcmd: pfqueue|start
> Apr 22 13:55:15 gatekeeper pfcmd: pfdns|start
> Apr 22 13:55:17 gatekeeper pfcmd: pfdhcplistener_enp0s8|start
> Apr 22 13:55:17 gatekeeper kernel: device enp0s8 entered promiscuous mode
> Apr 22 13:55:18 gatekeeper pfcmd: pfdhcplistener_enp0s9|start
> Apr 22 13:55:18 gatekeeper kernel: device enp0s9 entered promiscuous mode
> Apr 22 13:55:20 gatekeeper pfcmd: pfdhcplistener_enp0s3|start
> Apr 22 13:55:20 gatekeeper kernel: device enp0s3 entered promiscuous mode
> Apr 22 13:55:21 gatekeeper pfcmd: pfdhcplistener_enp0s10|start
> Apr 22 13:55:21 gatekeeper kernel: device enp0s10 entered promiscuous mode
> Apr 22 13:55:21 gatekeeper pfcmd: AH00558: httpd: Could not reliably
> determine the server's fully qualified domain name, using
> gatekeeper.bfacademy.de. Set the 'ServerName' directive globally to
> suppress this message
> Apr 22 13:55:21 gatekeeper pfcmd: httpd.parking|start
> Apr 22 13:55:24 gatekeeper pfcmd: AH00548: NameVirtualHost has no effect
> and will be removed in the next release
> /usr/local/pf/var/conf/httpd.conf.d/httpd.portal:241
> Apr 22 13:55:24 gatekeeper pfcmd: AH00558: httpd: Could not reliably
> determine the server's fully qualified domain name, using
> gatekeeper.bfacademy.de. Set the 'ServerName' directive globally to
> suppress this message
> Apr 22 13:55:27 gatekeeper pfcmd: httpd.portal|start
> Apr 22 13:55:27 gatekeeper dhcpd: Not searching LDAP since ldap-server,
> ldap-port and ldap-base-dn were not specified in the config file
> Apr 22 13:55:27 gatekeeper dhcpd: Internet Systems Consortium DHCP Server
> 4.2.5
> Apr 22 13:55:27 gatekeeper dhcpd: Copyright 2004-2013 Internet Systems
> Consortium.
> Apr 22 13:55:27 gatekeeper dhcpd: All rights reserved.
> Apr 22 13:55:27 gatekeeper dhcpd: For info, please visit
> https://www.isc.org/software/dhcp/
> Apr 22 13:55:27 gatekeeper dhcpd: Wrote 0 group decls to leases file.
> Apr 22 13:55:27 gatekeeper dhcpd: Wrote 4 leases to leases file.
> Apr 22 13:55:27 gatekeeper pfcmd: dhcpd|start
> Apr 22 13:55:29 gatekeeper pfcmd: AH00548: NameVirtualHost has no effect
> and will be removed in the next release
> /usr/local/pf/var/conf/httpd.conf.d/httpd.webservices:167
> Apr 22 13:55:29 gatekeeper pfcmd: AH00558: httpd: Could not reliably
> 

Re: [PacketFence-users] ANN: PacketFence 6.0.0

2016-04-22 Thread Nathan, Josh
eper snort[12065]: PortVar 'SHELLCODE_PORTS' defined :
Apr 22 13:55:32 gatekeeper snort[12065]: [ any ]
Apr 22 13:55:32 gatekeeper snort[12065]:
Apr 22 13:55:32 gatekeeper snort[12065]: Found pid path directive
(/usr/local/pf/var/run)
Apr 22 13:55:32 gatekeeper snort[12065]: Tagged Packet Limit: 256
Apr 22 13:55:32 gatekeeper snort[12065]: Log directory = /usr/local/pf/var
Apr 22 13:59:48 gatekeeper systemd: packetfence.service start operation
timed out. Terminating.
Apr 22 13:59:48 gatekeeper systemd: Failed to start PacketFence Service.
Apr 22 13:59:48 gatekeeper systemd: Unit packetfence.service entered failed
state.
Apr 22 13:59:48 gatekeeper systemd: packetfence.service failed.
Apr 22 13:59:50 gatekeeper kernel: device enp0s8 left promiscuous mode
Apr 22 13:59:51 gatekeeper kernel: device enp0s10 left promiscuous mode
Apr 22 13:59:51 gatekeeper kernel: device enp0s3 left promiscuous mode
Apr 22 13:59:51 gatekeeper kernel: device enp0s9 left promiscuous mode

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Thu, Apr 21, 2016 at 8:00 PM, Louis Munro <lmu...@inverse.ca> wrote:

> Anything interesting in /var/log/messages?
>
> You could temporarily set TimeoutStartSec=infinity
> in /etc/systemd/system/multi-user.target.wants/packetfence.service
> See how long it takes to actually start for you and then adjust the
> timeout.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Apr 21, 2016, at 10:59 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> I will confess that I'm struggling to get used to CentOS 7 as it is so
> different from CentOS 6.  Here's the "journalctl -xe":
>
> Apr 21 16:55:06 gatekeeper.bfacademy.de systemd[1]: packetfence.service
> start operation timed out. Terminating.
> Apr 21 16:55:06 gatekeeper.bfacademy.de polkitd[731]: Unregistered
> Authentication Agent for unix-process:7258:55
> Apr 21 16:55:06 gatekeeper.bfacademy.de systemd[1]: Failed to start
> PacketFence Service.
> -- Subject: Unit packetfence.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit packetfence.service has failed.
> --
> -- The result is failed.
> Apr 21 16:55:06 gatekeeper.bfacademy.de systemd[1]: Unit
> packetfence.service entered failed state.
> Apr 21 16:55:06 gatekeeper.bfacademy.de systemd[1]: packetfence.service
> failed.
>
> This is after going through the configurator.  If, while it's trying to
> start the services, I go ahead and connect to the admin console and "help
> it", then it all boots up fine.  I'll usually try to manually kick off p0f
> and pfdetect, and that does the trick.
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Thu, Apr 21, 2016 at 3:28 PM, Louis Munro <lmu...@inverse.ca> wrote:
>
>> Hi Nathan,
>> Can you show us some logs please?
>>
>> Please also clarify whether this is before or after going through the
>> configurator.
>>
>> Regards,
>> --
>> Louis Munro
>> lmu...@inverse.ca  ::  www.inverse.ca
>> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On Apr 21, 2016, at 6:24 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>
>> So... I've just done a fresh install of PacketFence 6 on a CentOS 7 box.
>> Is anyone else having the problem where PacketFence won't start because
>> it takes too long, and systemctl times out on it?  I am running it in a
>> virtual server, so maybe I'm not giving it enough resources...  But it has
>> 8GB of RAM and 4 CPU cores...
>>
>>
>>
>>
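A note on where to put the timeout Louis mentions. The path under /etc/systemd/system/multi-user.target.wants/ is usually a symlink to the unit file shipped by the package, so editing it through that path changes the packaged unit and the change is lost on the next package update. The drop-in below is an added example, not from the thread or from the PacketFence package; the 600-second value is an assumption to be replaced with whatever the journal shows the real start time to be.

```ini
# /etc/systemd/system/packetfence.service.d/override.conf
# created with: systemctl edit packetfence.service
[Service]
TimeoutStartSec=600
```

After saving, run `systemctl daemon-reload` and confirm the value systemd actually applies with `systemctl show packetfence.service -p TimeoutStartUSec`. Disabling the timeout altogether removes the safety net that reports a hung start, so, as Louis suggests, do that only while measuring and then set a finite value.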

Re: [PacketFence-users] ANN: PacketFence 6.0.0

2016-04-21 Thread Nathan, Josh
I will confess that I'm struggling to get used to CentOS 7 as it is so
different from CentOS 6.  Here's the "journalctl -xe":

Apr 21 16:55:06 gatekeeper.bfacademy.de systemd[1]: packetfence.service
start operation timed out. Terminating.
Apr 21 16:55:06 gatekeeper.bfacademy.de polkitd[731]: Unregistered
Authentication Agent for unix-process:7258:55
Apr 21 16:55:06 gatekeeper.bfacademy.de systemd[1]: Failed to start
PacketFence Service.
-- Subject: Unit packetfence.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit packetfence.service has failed.
-- 
-- The result is failed.
Apr 21 16:55:06 gatekeeper.bfacademy.de systemd[1]: Unit
packetfence.service entered failed state.
Apr 21 16:55:06 gatekeeper.bfacademy.de systemd[1]: packetfence.service
failed.

This is after going through the configurator.  If, while it's trying to
start the services, I go ahead and connect to the admin console and "help
it", then it all boots up fine.  I'll usually try to manually kick off p0f
and pfdetect, and that does the trick.

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Thu, Apr 21, 2016 at 3:28 PM, Louis Munro <lmu...@inverse.ca> wrote:

> Hi Nathan,
> Can you show us some logs please?
>
> Please also clarify whether this is before or after going through the
> configurator.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Apr 21, 2016, at 6:24 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> So... I've just done a fresh install of PacketFence 6 on a CentOS 7 box.
> Is anyone else having the problem where PacketFence won't start because
> it takes too long, and systemctl times out on it?  I am running it in a
> virtual server, so maybe I'm not giving it enough resources...  But it has
> 8GB of RAM and 4 CPU cores...
>
>
>
>
>
>


Re: [PacketFence-users] ANN: PacketFence 6.0.0

2016-04-21 Thread Nathan, Josh
So... I've just done a fresh install of PacketFence 6 on a CentOS 7 box.
Is anyone else having the problem where PacketFence won't start because
it takes too long, and systemctl times out on it?  I am running it in a
virtual server, so maybe I'm not giving it enough resources...  But it has
8GB of RAM and 4 CPU cores...

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Apr 20, 2016 at 12:25 AM, Ludovic Marcotte wrote:

> The Inverse team is pleased to announce the immediate availability of
> PacketFence 6.0.0. This is a major release with new features, enhancements
> and important bug fixes. This release is considered ready for production
> use and upgrading from previous versions is strongly advised.
> What is PacketFence?
>
> PacketFence is a fully supported, trusted, Free and Open Source Network
> Access Control (NAC) solution. Boasting an impressive feature set,
> PacketFence can be used to effectively secure small to very large
> heterogeneous networks.
>
> Among the features provided by PacketFence, there are:
>
>- powerful BYOD (Bring Your Own Device) capabilities
>- state-of-the art devices fingerprinting with Fingerbank
>- multiple enforcement methods including Role-Based Access Control
>(RBAC) and hotspot-style
>- compliance checks for endpoints present on your network
>- integration with various vulnerability scanners, intrusion detection
>solutions, security agents and firewalls
>- bandwidth accounting for all devices
>
> A complete overview of the solution is available from the official website:
>  http://packetfence.org/about.html
> Changes Since Previous Release
>
> *New Features*
>
>- Fully redesigned frontend and backend of the captive portal
>- Parking state for unregistered devices (where it will have a longer
>DHCP lease time and will only access a lightweight portal)
>- CentOS 7 and Debian 8 (Jessie) support
>- RADIUS support for Avaya switches
>- New filter engine to return custom answers in pfdns
>- Redirect URL are defined in Role by Web Auth URL switch
>configuration (Cisco)
>- Added support for Captive-Portal DHCP attribute (RFC7710)
>- Added Google Project Fi as a SMS carrier for SMS signup option
>- FreeRADIUS 3 support with Redis integration
>
> *Enhancements*
>
>- Added ability to expire users
>- Automatically update all the Fingerbank databases (Redis, p0f,
>SQLite3)
>- Do not allow the TRACE method to be used in any of the web processes
>- Can now limit the maximum unregdate an administrator can set to a
>person
>- Added option to disable the accounting recording in the SQL tables
>- Added caching of the latest accounting request for use in access
>reevaluation
>- Reduced the number of webservices calls during RADIUS accounting
>- Added configuration for Apache 2.4 with Template Toolkit
>- Added a timer for each RADIUS request (radius audit log)
>- Assign the voice role to VoIP devices when PacketFence detects them
>- Renamed VLAN to Role in admin GUI violation
>- Unregistering a node from a secure connection to an unsecured one is
>now managed by the VLAN filters
>- Location history of a node now shows the role instead of the VLAN id
>- Documentation to configure Cisco switches with Identity Networking
>Policy
>- Trigger violation on source or destination IP address only if they
>are in the trapping range networks
>- Performance improvement for VoIP detection
>- Added new RADIUS filter return option (random number in a range)
>- Reinstated iplog (iplog_history and iplog_archive) rotation/cleanup
>jobs performed by pfmon
>- An asynchronous LDAP lookup is now done on each 802.1x request to
>populate the person fields for that user
>
> *Bug Fixes*
>
>- Compute unregistration date for secure connections
>- Fixed unescape value in LDAP search
>- Fixed Apache 2.4 core dump
>- Fixed update locationlog from accounting start with the wrong
>connection type
>
> See https://github.com/inverse-inc/packetfence/commits/packetfence-6.0.0 for
> the complete change log.
>
> See the UPGRADE file for notes about upgrading:
> 
> https://github.com/inverse-inc/packetfence/tree/packetfence-6.0.0/UPGRADE.asciidoc
> Getting PacketFence
>
> PacketFence is free software and is distributed under the GNU GPL. As
> such, you are free to download and try it by either getting the new release
> or by getting the sources:  
> http://packetfence.org/download.html
>
> Documentation about the installation and configuration of PacketFence is
> also available: http://packetfence.org/support/index.html#/documentation
> How Can I Help?
>
> PacketFence is a collaborative effort in order to create the 

Re: [PacketFence-users] PEAP With Custom Cert

2016-04-15 Thread Nathan, Josh
iOS will let me connect via PEAP, but it baulks at the certificate.  It
says "Unable to join the network" if set to EAP-TLS.

With Windows, it will successfully install the EAP-TLS from PacketFence,
but...
- with "Validate server certificate" enabled, it promptly fails to connect
- With "Validate server certificate" disabled, it silently fails to connect

With Windows, it fails to install the profile for PEAP from PacketFence.
- Manually setting up the connection with "Validate server certificate"
promptly produces a failure to connect
- Manually setting up the connection without "Validate server certificate"
results in silent failure to connect

For now, I've added a local user, and am starting to test with that to
eliminate the relay.  However, I'm still getting the MPPE mismatch.  Any
ideas on what configurations to look at that would impact the MPPE keys?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Thu, Apr 14, 2016 at 7:15 PM, Louis Munro <lmu...@inverse.ca> wrote:

> Right now, I don’t know.
>
> Try testing with an actual device to see if it’s the same.
> It’s not inconceivable that this is specific to eapol_test.
>
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Apr 14, 2016, at 4:58 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> OK, here are my updated logs.  This time the RADIUS debug log file was
> taken from the end-point RADIUS server.  The eapol_test log was taken from
> the intermediary RADIUS server.  Any ideas on what might be causing the
> mismatch?  They both list the same MPPE key set...
>
>
>
>
>
>


Re: [PacketFence-users] PEAP With Custom Cert

2016-04-12 Thread Nathan, Josh
Well, I updated the certificates on the end-point RADIUS server, and I made
sure to uncomment out the section of the eapol_test config file to include
the same ca.pem file that the RADIUS server uses.

When running the eapol_test setup from the end-point RADIUS server,
everything says success.  The certificate is approved, and the MPPE keys
are declared OK.

However, when I run the test from the initial RADIUS server where the relay
will occur, the certificates are declared good, but the MPPE keys are still
mismatched.

...
RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): 02 05 ad fc 4e 86 a3 d6 1f f6 ca
af 00 b9 ee 5f f7 6f e5 60 4f 78 70 c8 88 da 22 7b 44 56 51 03
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 64 bc 06 07 41 ec bf 15 3e dc
14 9d 9b 8d 2a 28 75 a8 26 70 dd 23 4b e9 7b 0d 94 1f 34 af f1 20
Decapsulated EAP packet - hexdump(len=17): 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00
decapsulated EAP packet (code=0 id=0 len=0) from RADIUS server: unknown EAP
code
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Ignored EAP-Packet with unknown code 0
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
EAPOL test timed out
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

What would it be about the relay that is interfering?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Tue, Apr 12, 2016 at 10:19 AM, Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> OK, that makes sense.  I thought all communication was happening between
> the client and the PF server, and then the PF server (RADIUS) was then
> establishing a separate connection to defer to the other server rather than
> just tunnelling the connection.
>
> OK, well... I had originally setup a separate RADIUS server because it
> looks like the PF RADIUS instance is linked to the PF database.  The
> problem with that, is that I don't see a way to establish the NT Hash on
> the passwords.  I'd at least rather not store them plain-text.  So I was
> left with using either plaintext or setting up a separate server for
> handling credentials.
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Mon, Apr 11, 2016 at 7:18 PM, Louis Munro <lmu...@inverse.ca> wrote:
>
>> Hi Nathan,
>>
>> On Apr 11, 2016, at 10:21 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>
>>
>> As a side note, I am actually forwarding credentials to another radius
>> server to actually handle the authentication, as you'll see in the logs.  I
>> did bold within the RADIUS logs where it is showing the default SSL cert
>> even though I have replaced the references to it in the eap.conf file with
>> new certs that actually have legitimate information.
>>
>>
>> Pretty big side note actually.
>>
>> If you are proxying authentication somewhere else, the certificate you
>> are seeing is coming from that server, not the PacketFence one.
>> Think about it: the cert comes from wherever the TLS tunnel terminates,
>> not anywhere else along the way.
>>
>>
>>
>> While that certification reference bothers me, it still looks like the
>> eapol_test is actually successful.  Am I wrong?
>>
>>
>> Yes and no.
>> It looks to me like the server accepted the authentication but
>> eapol_test rejected the reply because of a mismatch in the MPPE keys.
>>
>> Note that the FreeRADIUS debugging output is not going to allow you to
>> see what is going on between the supplicant and the radius server where the
>> request is proxied.
>> That data is encrypted between the supplicant and the (proxied-to) radius
>> server.
>>
>> So your certificate issues cannot be resolved by editing eap.conf on the
>> PacketFence server.
>> Have a look at the config of the other server.
>>
>> Or, you could just authenticate from the PacketFence server ;-)
>>
>> Regards,
>> --
>> Louis Munro
>> lmu...@inverse.ca  ::  www.inverse.ca
>> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>>
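What eapol_test calls a mismatch is the difference between the keys it derives itself from the PEAP TLS session and the MS-MPPE-Send-Key / MS-MPPE-Recv-Key values it unwraps from the Access-Accept. Those two attributes are not forwarded opaquely: RFC 2548 wraps them under the shared secret of one hop and the Request Authenticator of the specific Access-Request they answer, so a relay that changes either has to unwrap and re-wrap them. The block below is an added example, not FreeRADIUS or PacketFence code, and every secret, authenticator and key in it is constructed test material. It implements the wrapping and shows what the last hop recovers when the relay re-wraps correctly, when it forwards the home server's blob untouched, and when its secret for the home server is wrong.

```python
"""RFC 2548 MS-MPPE-Send-Key / MS-MPPE-Recv-Key wrapping, and what a RADIUS relay
has to do with those attributes before the NAS can use them. Added example,
not FreeRADIUS or PacketFence code; every secret, authenticator and key below
is constructed test material."""
import hashlib
import secrets


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_wrap(key, secret, req_auth, salt=b""):
    """Build the String field of an MS-MPPE-*-Key attribute (RFC 2548 2.4.2):
    Salt || c1 || c2 ..., with b1 = MD5(S + R + A), bi = MD5(S + c(i-1)),
    ci = pi XOR bi, where S is the shared secret of *this* hop and R the
    Request Authenticator of the Access-Request this reply answers."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not salt:  # high bit of the first salt byte must be set
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)  # null padding to a 16-byte multiple
    out = bytearray(salt)
    b = _md5(secret, req_auth, salt)
    for i in range(0, len(plain), 16):
        c = _xor(plain[i:i + 16], b)
        out += c
        b = _md5(secret, c)
    return bytes(out)


def mppe_unwrap(wrapped, secret, req_auth):
    """Reverse of mppe_wrap. Returns the key, or None when the plaintext is not
    well formed (impossible length byte or non-null padding), which is what a
    wrong secret or a foreign Request Authenticator produces."""
    salt, body = wrapped[:2], wrapped[2:]
    if not body or len(body) % 16:
        return None
    b = _md5(secret, req_auth, salt)
    plain = bytearray()
    for i in range(0, len(body), 16):
        c = body[i:i + 16]
        plain += _xor(c, b)
        b = _md5(secret, c)
    n = plain[0]
    if n == 0 or n > len(plain) - 1 or any(plain[1 + n:]):
        return None
    return bytes(plain[1:1 + n])


def relay_rewrap(wrapped_from_home, home_secret, relay_req_auth, nas_secret, nas_req_auth):
    """The relay's job for an encrypted attribute (FreeRADIUS does this itself
    for attributes its dictionary marks encrypt=2): unwrap under the secret it
    shares with the home server and the Request Authenticator it put in its
    own forwarded request, then re-wrap under the NAS's secret and the NAS's
    original Request Authenticator."""
    key = mppe_unwrap(wrapped_from_home, home_secret, relay_req_auth)
    if key is None:
        raise ValueError("home-server key did not unwrap: wrong secret or authenticator")
    return mppe_wrap(key, nas_secret, nas_req_auth)


# Constructed test material (not real secrets).
NAS_SECRET = b"nas-to-relay-secret"
HOME_SECRET = b"relay-to-home-secret"
NAS_REQ_AUTH = bytes(range(16))         # authenticator in the NAS's Access-Request
RELAY_REQ_AUTH = bytes(range(16, 32))   # authenticator the relay generated when forwarding
MSK_HALF = bytes(range(0x20, 0x40))     # 32-byte key, the size eapol_test prints above


def demo():
    """Which party recovers MSK_HALF under four relaying behaviours."""
    home_wrapped = mppe_wrap(MSK_HALF, HOME_SECRET, RELAY_REQ_AUTH, salt=b"\x81\x02")
    rewrapped = relay_rewrap(home_wrapped, HOME_SECRET, RELAY_REQ_AUTH, NAS_SECRET, NAS_REQ_AUTH)
    return {
        "relay_unwraps_home_reply": mppe_unwrap(home_wrapped, HOME_SECRET, RELAY_REQ_AUTH) == MSK_HALF,
        "nas_after_correct_rewrap": mppe_unwrap(rewrapped, NAS_SECRET, NAS_REQ_AUTH) == MSK_HALF,
        "nas_if_forwarded_untouched": mppe_unwrap(home_wrapped, NAS_SECRET, NAS_REQ_AUTH) == MSK_HALF,
        "relay_with_wrong_home_secret": mppe_unwrap(home_wrapped, b"typo", RELAY_REQ_AUTH) == MSK_HALF,
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'OK' if ok else 'mismatch'}")
```

The point of keeping the two hops separate is that each side of the relay uses a different (secret, Request Authenticator) pair: the home server's reply is only readable with the secret the relay shares with it and the authenticator the relay itself generated, and the NAS (or eapol_test standing in for it) can only read a blob wrapped under the secret it shares with the relay and the authenticator from its own request. The FreeRADIUS debug output on either server shows the attribute after that server has unwrapped it, which is why both logs can print the same key bytes while the supplicant still ends up with something else.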

Re: [PacketFence-users] PEAP With Custom Cert

2016-04-12 Thread Nathan, Josh
OK, that makes sense.  I thought all communication was happening between
the client and the PF server, and then the PF server (RADIUS) was then
establishing a separate connection to defer to the other server rather than
just tunnelling the connection.

OK, well... I had originally setup a separate RADIUS server because it
looks like the PF RADIUS instance is linked to the PF database.  The
problem with that, is that I don't see a way to establish the NT Hash on
the passwords.  I'd at least rather not store them plain-text.  So I was
left with using either plaintext or setting up a separate server for
handling credentials.

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Mon, Apr 11, 2016 at 7:18 PM, Louis Munro <lmu...@inverse.ca> wrote:

> Hi Nathan,
>
> On Apr 11, 2016, at 10:21 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
>
> As a side note, I am actually forwarding credentials to another radius
> server to actually handle the authentication, as you'll see in the logs.  I
> did bold within the RADIUS logs where it is showing the default SSL cert
> even though I have replaced the references to it in the eap.conf file with
> new certs that actually have legitimate information.
>
>
> Pretty big side note actually.
>
> If you are proxying authentication somewhere else, the certificate you are
> seeing is coming from that server, not the PacketFence one.
> Think about it: the cert comes from wherever the TLS tunnel terminates,
> not anywhere else along the way.
>
>
>
> While that certification reference bothers me, it still looks like the
> eapol_test is actually successful.  Am I wrong?
>
>
> Yes and no.
> It looks to me like the server accepted the authentication but
> eapol_test rejected the reply because of a mismatch in the MPPE keys.
>
> Note that the FreeRADIUS debugging output is not going to allow you to see
> what is going on between the supplicant and the radius server where the
> request is proxied.
> That data is encrypted between the supplicant and the (proxied-to) radius
> server.
>
> So your certificate issues cannot be resolved by editing eap.conf on the
> PacketFence server.
> Have a look at the config of the other server.
>
> Or, you could just authenticate from the PacketFence server ;-)
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
>


Re: [PacketFence-users] PEAP With Custom Cert

2016-04-08 Thread Nathan, Josh
Thanks!  I didn't actually know about the eapol_test utility.  I'll get
that and see what I get.  Oddly enough, when searching the PacketFence
archives, none of my searches popped up a reference to that tool.  Oh well,
at least now I have something more definitive to search for. =)

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Thu, Apr 7, 2016 at 4:05 PM, Louis Munro <lmu...@inverse.ca> wrote:

> Didn’t quite finish that post…
>
> Regardless of which EAP method you use, I can’t recommend eapol_test
> enough.
> It will allow to test your configuration in a reproducible manner and
> eliminate the supplicant and OS from the equation.
>
> Google around for instructions regarding building eapol_test.
> The first hit will probably be good enough.
> The archives will also provide numerous times where I explained it.
> (hint: on RedHat and derivatives the two build dependencies are
> libnl-devel and openssl-devel).
>
> Once you have a successful eapol_test authentication going, then it’s time
> to start testing with an actual device to find out how to configure it.
>
> Experience has shown me that testing with hardware before the
> configuration is shown to be valid is only a recipe for more frustration.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Apr 7, 2016, at 9:56 , Louis Munro <lmu...@inverse.ca> wrote:
>
> Hi Nathan,
>
> Let’s take this one step at a time.
>
> Both PEAP and EAP-TLS are configured through
> /usr/local/pf/radiusd/eap.conf.
> Please paste that file for our perusal.
>
> Essentially, when using either the server certificate must be valid.
> Which means that the supplicant must be able to validate the chain of
> trust all the way up to a known trusted root.
> So if your server certificate was signed by an intermediate cert (itself
> signed by a trusted root CA) you will need to provide the supplicant with
> both the server cert and the intermediate so that the chain is complete.
> The usual way to do that is to concatenate both the server and
> intermediate certificate in the same file to which you then point
> FreeRADIUS (as its server cert file).
>
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Apr 7, 2016, at 6:57 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> Has anyone else come across this, or is it time for a rebuild?
>
> It makes me wonder if something similar is happening even with the TLS
> connection because Windows won't connect even if I turn off Server
> Certificate Validation.  When I tell the Windows Provisioner that it's a
> PEAP connection, the CA install fails.  All of this is on PacketFence
> 5.5.2, sitting on CentOS 6.7.
>
> I can actually just tell my Android to connect to the WPA2-Enterprise
> network, and it'll hash out the PEAP without trouble even if I don't use a
> provisioner.  I'll confess I've only tried with a provisioner on iOS, but
> it works... I just am presented somehow with the default RADIUS certificate
> with all the bogus information (country: FR, locality: Somewhere, CA:
> Example Certificate Authority, etc).
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Wed, Apr 6, 2016 at 4:21 PM, Nathan, Josh <josh.nat...@bfacademy.de>
> wrote:
>
>> OK, so I've been having no luck with getting EAP-TLS to work properly
>> with my Windows computers, but I'm interested in testing PEAP.  However, I
>> can see from my iPad that RADIUS *always* hands out its own self-made CA
>> cert for PEAP.  I've even removed the entire raddb/certs directory,
>> restarted radius, and it still somehow pulls out its own cert.  I have the
>> certs I made with the PacketFence PKI setup in the eap.conf file, but I'm
>> guessing they're not applying because they're contained within the tls
>> block.  I tried copying down the line for the CA file into the peap block,
>> but it didn't make a difference.  Is this tree even with barking down?  How
>> do I direct the cert to be used when PEAP is in use?
>>
>> Thanks,
>> Joshua Nathan
>> Level 3 IT Support and Development
>> Black Forest Academy
>> +49 (0) 7626-9161-630
>>
>>
>
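Louis's advice above in concrete form, as an added example that is neither the thread's file nor anything shipped with PacketFence: a minimal eapol_test network block for PEAP/MSCHAPv2 that validates the server certificate the way a real supplicant does. The identity, the CA path under /usr/local/pf/raddb/certs and the domain_suffix_match value are assumptions; the password is a placeholder.

```conf
# eapol_test config for PEAP/MSCHAPv2 against a PacketFence RADIUS server.
# Added example; identity, CA path and domain_suffix_match are assumptions,
# the password is a placeholder. eapol_test ignores ssid, so none is given.
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="josh.nathan"
    anonymous_identity="anonymous"
    password="CHANGEME"
    # The same CA file the server's eap.conf points at. With this set the
    # test fails the TLS handshake for any certificate that does not chain
    # to that CA, which is the counterpart of "Validate server certificate"
    # on Windows. Without it the test passes against any certificate and
    # proves nothing about the chain.
    ca_cert="/usr/local/pf/raddb/certs/ca.pem"
    # Pin the server name too, so another valid certificate from the same
    # CA is not accepted either (assumed name).
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

Run it from a host listed in the server's clients.conf, against the server whose eap.conf you are editing: `eapol_test -c peap.conf -a <radius-ip> -p 1812 -s <shared-secret> -M 00:11:22:33:44:55`. If the request is proxied, the certificate eapol_test verifies is, as Louis points out, the one from wherever the TLS tunnel terminates, so point ca_cert at the CA of that server, not at the relay's.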

Re: [PacketFence-users] PEAP With Custom Cert

2016-04-07 Thread Nathan, Josh
Has anyone else come across this, or is it time for a rebuild?

It makes me wonder if something similar is happening even with the TLS
connection because Windows won't connect even if I turn off Server
Certificate Validation.  When I tell the Windows Provisioner that it's a
PEAP connection, the CA install fails.  All of this is on PacketFence
5.5.2, sitting on CentOS 6.7.

I can actually just tell my Android to connect to the WPA2-Enterprise
network, and it'll hash out the PEAP without trouble even if I don't use a
provisioner.  I'll confess I've only tried with a provisioner on iOS, but
it works... I just am presented somehow with the default RADIUS certificate
with all the bogus information (country: FR, locality: Somewhere, CA:
Example Certificate Authority, etc).

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Apr 6, 2016 at 4:21 PM, Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> OK, so I've been having no luck with getting EAP-TLS to work properly with
> my Windows computers, but I'm interested in testing PEAP.  However, I can
> see from my iPad that RADIUS *always* hands out its own self-made CA cert
> for PEAP.  I've even removed the entire raddb/certs directory, restarted
> radius, and it still somehow pulls out its own cert.  I have the certs I
> made with the PacketFence PKI setup in the eap.conf file, but I'm guessing
> they're not applying because they're contained within the tls block.  I
> tried copying down the line for the CA file into the peap block, but it
> didn't make a difference.  Is this tree even with barking down?  How do I
> direct the cert to be used when PEAP is in use?
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>


[PacketFence-users] PEAP With Custom Cert

2016-04-06 Thread Nathan, Josh
OK, so I've been having no luck with getting EAP-TLS to work properly with
my Windows computers, but I'm interested in testing PEAP.  However, I can
see from my iPad that RADIUS *always* hands out its own self-made CA cert
for PEAP.  I've even removed the entire raddb/certs directory, restarted
radius, and it still somehow pulls out its own cert.  I have the certs I
made with the PacketFence PKI setup in the eap.conf file, but I'm guessing
they're not applying because they're contained within the tls block.  I
tried copying down the line for the CA file into the peap block, but it
didn't make a difference.  Is this tree even with barking down?  How do I
direct the cert to be used when PEAP is in use?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


Re: [PacketFence-users] Radius SSL Certs

2016-04-05 Thread Nathan, Josh
Well, I'm OK with doing private, but here's my dilemma.  We're trying to do
a BYOD model, but we'd still like to use 802.1X for our wireless.  Right
now, iOS, OSX, and Android will connect, but Windows refuses.  I think it's
because of the SSL certificates.  The other 3 OSs complain mildly, but they
allow me to trust the cert, and then don't have any problems.  Windows just
won't connect.  Since we're wanting to do BYOD, I can't readily install a
client cert on every Windows device that walks through our door.  Any
suggestions?  I'm not really getting any definitive errors, only the
generic "Can't connect" from Windows, but I've read online in various spots
that this seems to be a cert issue.

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Tue, Apr 5, 2016 at 12:15 PM, Tim DeNike <tim.den...@mcc.edu> wrote:

> And I'll be completely honest with you.  We're getting ready to dump using
> a public CA for 802.1x.  Comodo in particular has been a pain.  Androids
> don't always have a complete certificate chain for comodo, and Windows Pcs
> seem to randomly get an intermediate cert set in third party store as a
> trusted root (I'm pretty sure it's a few installers/apps doing it).  So
> between the 2 problems, you can make all of one or all of the other work
> with no problems but you'll always have to screw with the other.  Private
> CA is the way to go imho.
>
> Sent from my iPhone
>
> On Apr 5, 2016, at 6:05 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> Hello,
>
> So I'm trying to get Radius to supply a valid cert.  Even though I've got
> my PacketFence server, itself, using my Comodo Wildcard certificate, I can
> see when logging into my wireless AP via 802.1X that I'm still getting the
> self-signed Radius cert.  I renamed the certs directory according to the
> README file located in it, and then I created a symbolic link to my PF ssl
> directory.  I then did a packetfence-config restart and a packetfence
> restart, but my iPad still shows that I'm getting the self-signed test
> Radius cert.
>
> What documentation did I miss?
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>


[PacketFence-users] Radius SSL Certs

2016-04-05 Thread Nathan, Josh
Hello,

So I'm trying to get Radius to supply a valid cert.  Even though I've got
my PacketFence server, itself, using my Comodo Wildcard certificate, I can
see when logging into my wireless AP via 802.1X that I'm still getting the
self-signed Radius cert.  I renamed the certs directory according to the
README file located in it, and then I created a symbolic link to my PF ssl
directory.  I then did a packetfence-config restart and a packetfence
restart, but my iPad still shows that I'm getting the self-signed test
Radius cert.

What documentation did I miss?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


Re: [PacketFence-users] Radius Debug Not Running

2016-04-05 Thread Nathan, Josh
Thanks, that worked.

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Tue, Apr 5, 2016 at 11:24 AM, Tobias Friede <t.fri...@gmail.com> wrote:

> Hi,
>
> start Debugging while radiusd is running with this command:
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock
>
>
> Greetings
>
> Tobias
>
>
>
> 2016-04-05 9:16 GMT+02:00 Nathan, Josh <josh.nat...@bfacademy.de>:
>
>> So, I'm not sure what's wrong with my command since I've run Radius in
>> debug before, but now whenever I try, I get "the server is not configured
>> to listen on any ports".  Radius starts just fine from the GUI, so I'm a
>> little at a loss.  Here's how I'm trying to start it (PacketFence 5.5.2 on
>> CentOS 6.7):
>>
>> radiusd -d /usr/local/pf/raddb -X
>>
>>
>> I wouldn't really care, except in my test environment, OSX, iOS, and
>> Android can all do wireless 802.1X, but Windows always fails.  Albeit, I am
>> thinking that Windows *might* be rejecting the SSL cert, but I'm not seeing
>> anything in the Windows logs to say why it's failing.
>>
>> Thanks,
>> Joshua Nathan
>> Level 3 IT Support and Development
>> Black Forest Academy
>> +49 (0) 7626-9161-630
>>
>>
>>


[PacketFence-users] Best Practice Question

2016-03-08 Thread Nathan, Josh
Hello,

We're working on switching to a fully "out of band" deployment of
PacketFence if possible, and I wasn't quite understanding what the ideal
situation is for Guest accounts.  We'd like to use the self-registration by
email, but we ideally would like an automatic VLAN change upon registering
as a Guest.

So... Guest connects to our "Guest" WPA2-encrypted SSID (registration
VLAN?), registers in PacketFence, and then gets re-assigned to the Guest
VLAN.  Is that possible without using 802.1x?  Obviously, until the person
registers, they won't have a username and password to login with.

What's the best practice/recommended way for handling guest
self-registrations?  Do you need to have that VLAN as "Inline"?  Or do we
need to run two SSIDs where they register on one, and then the network
sends them over to the other after registration?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


Re: [PacketFence-users] Snort Not Detecting Bittorrent?

2016-02-25 Thread Nathan, Josh
Well... Snort is definitely not seeing anything.  We do have a Dynamic VLAN
setup in Test right now, and it detected the bittorrent activity
immediately.  So... somehow I guess Snort isn't binding to the VLAN
interfaces for our Inline connections properly?  We haven't setup a proper
SPAN interface in our Production environment yet, but maybe that's required?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Feb 24, 2016 at 4:21 PM, Louis Munro <lmu...@inverse.ca> wrote:

>
>
> On Feb 24, 2016, at 10:08 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> Thanks for the reply Louis!  I actually ended up having to use the
> /usr/local/pf/*var*/conf/snort.conf file as it didn't like the variables,
> etc, in the pre-processed version.
>
>
> That is actually my mistake.
> The patch really should be the one under var/conf/.
>
> It is *NOT* showing any bittorrent activity.
>
>
> I'm sorry to say that I'm not sure where to look to figure out why it's
> not working.  I guess I've relied too much on it working "out of the box".
> Where should I start for figuring out why Snort isn't detecting bittorrents?
>
>
> Make sure traffic is actually forwarded to the interface that snort is
> listening to.
> Does snort show actual packets being seen and counted in its statistics?
>
>
> The way I handle these issues usually is to start with a fake known
> signature.
> Something along the lines of
>
> alert icmp any any -> any any (msg:"ICMP packet detected!"; sid:1;)
>
> added to the local rules under conf/snort/
>
> Should detect any ICMP packet seen by the interface.
> You could then ping your gateway and (assuming that traffic is forwarded
> to snort) it should detect it.
> That would demonstrate that rules processing is actually working.
>
> It’s then a matter of making sure you have a rule to match bittorrent.
> Check your snort.conf to see which rules are included.
>
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
>
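Louis's two checks (does snort see packets at all, does a rule fire) leave the last link in the chain: PacketFence only acts on alerts whose SID is a trigger of an enabled violation. The block below is an added example, not pfdetect (PacketFence's own alert reader) and not the thread's files. It parses `snort -A fast` output and looks each SID up in a violations.conf-style excerpt. The alert lines and the excerpt are constructed, and the `Detect::<sid>` trigger spelling is an assumption to check against your own violations.conf.

```python
"""Turn Snort 'fast' alerts into PacketFence violation lookups. Added example,
not PacketFence's own alert reader (pfdetect) and not the thread's files. The
alert lines and the violations.conf excerpt are constructed; the Detect::<sid>
trigger spelling is an assumption to check against your own violations.conf."""
import configparser
import re

# One "snort -A fast" line:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src> -> <dst>
# (Classification is absent for rules without a classtype, like a bare local test rule.)
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def _endpoint(text):
    """'10.0.0.5:51413' -> ('10.0.0.5', 51413); a bare IP (ICMP) -> (ip, None). IPv4 only."""
    host, sep, port = text.rpartition(":")
    return (host, int(port)) if sep else (text, None)


def parse_fast_alert(line):
    """Return a dict for one fast-alert line, or None for anything else snort prints."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _endpoint(m["src"])
    dst_ip, dst_port = _endpoint(m["dst"])
    return {
        "ts": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"]),
        "proto": m["proto"], "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def load_snort_triggers(violations_conf_text):
    """{sid: violation_id} for every *enabled* violation with Detect::<sid> triggers.
    'enabled' falls back to the [defaults] section, as in violations.conf."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(violations_conf_text)
    default_enabled = cp.get("defaults", "enabled", fallback="N")
    sid_to_vid = {}
    for vid in cp.sections():
        if vid == "defaults":
            continue
        if cp.get(vid, "enabled", fallback=default_enabled).upper() != "Y":
            continue
        for trigger in cp.get(vid, "trigger", fallback="").split(","):
            kind, _, value = trigger.strip().partition("::")
            if kind == "Detect" and value.isdigit():
                sid_to_vid[int(value)] = vid
    return sid_to_vid


def match_alerts(lines, sid_to_vid):
    """Split alerts into (src_ip, violation_id, sid, msg) hits and the sorted list
    of SIDs that fired but that no enabled violation triggers on."""
    hits, unmatched = [], set()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        vid = sid_to_vid.get(alert["sid"])
        if vid is None:
            unmatched.add(alert["sid"])
        else:
            hits.append((alert["src_ip"], vid, alert["sid"], alert["msg"]))
    return hits, sorted(unmatched)


# Constructed violations.conf excerpt (section ids and triggers are made up).
VIOLATIONS_CONF = """\
[defaults]
priority=4
actions=email,log
enabled=N
vlan=isolation

[1100010]
desc=P2P (BitTorrent)
priority=8
trigger=Detect::2000334,Detect::2008581
actions=trap,email,log
enabled=Y

[1100020]
desc=Example violation left disabled on purpose
trigger=Detect::2100498
enabled=N
"""

# Constructed "snort -A fast" output, including Louis's bare test rule (sid 1)
# and one non-alert line of the kind snort prints at startup.
ALERTS = [
    "02/23-14:05:11.123456  [**] [1:2000334:7] ET P2P BitTorrent Announce [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.20.30.40:51413 -> 203.0.113.10:6969",
    "02/23-14:05:12.000001  [**] [1:2008581:3] ET P2P BitTorrent DHT ping request [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 3] {UDP} 10.20.30.41:6881 -> 198.51.100.7:6881",
    "02/23-14:05:13.500000  [**] [1:1:0] ICMP packet detected! [**] [Priority: 0] {ICMP} 10.20.30.40 -> 10.20.30.1",
    "02/23-14:05:14.250000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.20.30.40:49152",
    "Commencing packet processing (pid=1234)",
]


def demo():
    return match_alerts(ALERTS, load_snort_triggers(VIOLATIONS_CONF))


if __name__ == "__main__":
    hits, unmatched = demo()
    for src, vid, sid, msg in hits:
        print(f"{src}: violation {vid} (sid {sid}: {msg})")
    print("alerted, but no enabled violation triggers on:", unmatched)
```

Two things this makes visible: Louis's bare test rule (sid 1) fires but maps to no violation, so a rule engine that demonstrably works and a PacketFence that stays silent are not contradictory; and a SID that only appears in a disabled section (2100498 here) is reported as unmatched, which is the next thing to check once snort is shown to see the traffic.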


Re: [PacketFence-users] Snort Not Detecting Bittorrent?

2016-02-24 Thread Nathan, Josh
Thanks for the reply Louis!  I actually ended up having to use the
/usr/local/pf/*var*/conf/snort.conf file as it didn't like the variables,
etc, in the pre-processed version.

It is *NOT* showing any bittorrent activity.

I'm sorry to say that I'm not sure where to look to figure out why it's not
working.  I guess I've relied too much on it working "out of the box".
Where should I start for figuring out why Snort isn't detecting bittorrents?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Tue, Feb 23, 2016 at 4:23 PM, Louis Munro <lmu...@inverse.ca> wrote:

>
>
> On Feb 23, 2016, at 3:21 , Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
>  We do get the occasional "Rogue DHCP" alert, so we know Snort is doing
> *something*... But I don't see any log files that mention any of torrent
> activity.
>
>
>
> Hi Josh,
> That check is not done by snort but by PacketFence itself.
>
> The question for you is then whether snort is actually detecting those
> bittorrent connections.
> PacketFence can only take action on what snort detects.
>
> Check the following:
> Is snort actually running? (I know, that sounds daft but it still must be
> checked…)
> Is snort detecting the bittorrent usage?
>
> You can run snort in debug mode by calling it directly from the command
> line without the -D flag, like this:
> # snort -u pf -m 0137 -c /usr/local/pf/conf/snort.conf -i $INTERFACE -N
>
> That should allow you to easily see if it actually detects bittorrent.
>
> Only once you can show that snort is detecting bittorrent is there any
> point in looking at the PacketFence configuration.
> It then becomes an issue of whether snort is passing along the alerts to
> PacketFence, and whether PacketFence is listening correctly for them.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
>


[PacketFence-users] Snort Not Detecting Bittorrent?

2016-02-23 Thread Nathan, Josh
We're having trouble with PacketFence throwing violations on P2P activity.
It doesn't seem to be detecting it.  Back when we were running PacketFence
3.x it was working, but we've recently come to realize that on our
PacketFence 5.2 system, it is not catching it.  We've recently come to
suspect our students are successfully using bittorrent programs, so I did a
quick download of Vuze, and torrented a copy of Linux without any issue to
confirm PacketFence/Snort isn't catching it.

We are running our system as Inline right now with all of our internal
interfaces marked as "monitor" as well.  We do get the occasional "Rogue
DHCP" alert, so we know Snort is doing *something*... But I don't see any
log files that mention any torrent activity.

We've also tried explicitly adding all of the SIDs listed in the
emerging-p2p.rules file.  Here's our violation.conf file below.  Would
anything else be helpful?

# Most of the snort rules are from Emerging Threats (http://www.emergingthreats.net/)
#
# In order to use different rulesets, please point the variable snort_rules,
# defined below (in [defaults]), to your local file(s).
#
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
window=0
delay_by=0s
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# Accepted values are the vlan names: isolation, normal, registration, macDetection, inline, voice
# and all the roles names you defined in the node_category table. (see switches.conf)
vlan=isolation
# if you add a role/category here, nodes in these roles/categories will be immune to the violation
whitelisted_categories=
template=generic

[111]
desc=Nessus Scan
# On a Scan violation priority must be higher (lower number) than the special system scan violation (121)
priority=4
template=failed_scan
max_enable=4
button_text=Scan my computer again
trigger=Nessus::10861,Nessus::10943,Nessus::11177,Nessus::11231,Nessus::11302,Nessus::11304,Nessus::11528,Nessus::11595,Nessus::11664,Nessus::11787,Nessus::11790,Nessus::11803,Nessus::11808,Nessus::11835,Nessus::11878,Nessus::11886,Nessus::11887,Nessus::11921,Nessus::12051,Nessus::12052,Nessus::12054,Nessus::12092,Nessus::12208,Nessus::12209,Nessus::13641,Nessus::13852,Nessus::14724,Nessus::15460,Nessus::15894,Nessus::15970,Nessus::16324,Nessus::16326,Nessus::16327,Nessus::16328,Nessus::16329,Nessus::18020,Nessus::18021,Nessus::18023,Nessus::18025,Nessus::18027,Nessus::18028,Nessus::18215,Nessus::18482,Nessus::18483,Nessus::18490,Nessus::18502,Nessus::18681,Nessus::18682,Nessus::19401,Nessus::19402,Nessus::19406,Nessus::19408,Nessus::20005,Nessus::20172,Nessus::20299,Nessus::20368,Nessus::20382,Nessus::20389,Nessus::20390,Nessus::20904,Nessus::20905,Nessus::21213,Nessus::21332,Nessus::21685,Nessus::21687,Nessus::22030,Nessus::22034,Nessus::22183,Nessus::22184,Nessus::22185,Nessus::22186,Nessus::22187,Nessus::22192,Nessus::22194,Nessus::22332,Nessus::22449,Nessus::22530,Nessus::23644,Nessus::23646,Nessus::23647,Nessus::23833,Nessus::23835,Nessus::23837,Nessus::23838,Nessus::23999,Nessus::24000
actions=trap,email,log
enabled=Y
# for faster remediation, it is recommended to leave an offending client in the registration vlan (where it is scanned)
vlan=registration

[112]
desc=OpenVAS scan
# On a scan violation, priority must be higher (a lower number) than the special system scan violation (121)
priority=4
template=failed_scan
max_enable=4
button_text=Scan my computer again
trigger=OpenVAS::1.3.6.1.4.1.25623.1.0.90023,OpenVAS::1.3.6.1.4.1.25623.1.0.14259,OpenVAS::1.3.6.1.4.1.25623.1.0.800618,OpenVAS::1.3.6.1.4.1.25623.1.0.90011
actions=trap,email,log
enabled=Y
# for faster remediation, it is recommended to leave an offending client in the registration vlan (where it is scanned)
vlan=registration

#
# Example config to block a whole class of devices based on their MAC address vendor
# Trigger format: The number is the ID of the MAC vendor from the 'MAC Vendor' list in Fingerbank (either 'upstream' or 'local' or both)
#
# The below example blocks MAC Vendor ID 42 which is 'IMC Networks corp.'
#
[113]
desc=MAC Vendor isolation example
template=banned_devices
trigger=MAC_VENDOR::42
actions=trap,email,log
enabled=N

#
# Example config to block a device based on its type or class
# Trigger format: The number is the ID of the device (type or class or both) from the 'Device' list in Fingerbank (either 'upstream' or 'local' or both)
#
# The below example blocks Windows 95, 98, 98SE, NT4 and ME.
#
[114]
desc=Ancient OS isolation example
template=banned_os
trigger=DEVICE::28,DEVICE::29,DEVICE::30,DEVICE::31,DEVICE::32
actions=trap,email,log
enabled=N

#
# Example config to block a 
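As an added example (my code, not part of the message above and not PacketFence's), the Python below checks a violations.conf fragment against the rules the comments state: every trigger item is TYPE::VALUE with a numeric Nessus plugin ID, a dotted OpenVAS OID or a numeric Fingerbank MAC-vendor/device ID; vlan is one of the built-in names or a role name; whitelisted categories are roles; and a failed_scan violation carries a lower priority number than violation 121. The embedded fragment is constructed for the script: sections 111 and 113 follow the page, while section 121 and the deliberately broken section 900 are stand-ins. The role list, the function name and the check messages are assumptions.

```python
import configparser
import re

# The special system scan violation the comments refer to: a failed_scan
# violation must carry a numerically lower (i.e. higher) priority than it.
SYSTEM_SCAN_ID = "121"

# VLAN names the comments list as built in; role names from node_category
# are site-specific, so the caller passes them in.
BUILTIN_VLANS = {"isolation", "normal", "registration", "macDetection", "inline", "voice"}

# Value syntax per trigger type (assumed from the examples in the fragment).
TRIGGER_VALUE = {
    "Nessus": re.compile(r"^\d+$"),             # Nessus plugin ID
    "OpenVAS": re.compile(r"^\d+(?:\.\d+)+$"),  # OpenVAS NVT OID
    "MAC_VENDOR": re.compile(r"^\d+$"),         # Fingerbank MAC vendor ID
    "DEVICE": re.compile(r"^\d+$"),             # Fingerbank device ID
}

# Constructed fragment: 111 and 113 mirror the page, 121 and 900 are stand-ins.
SAMPLE = """\
[111]
desc=Nessus Scan
priority=4
template=failed_scan
max_enable=4
button_text=Scan my computer again
trigger=Nessus::10861,Nessus::11177
actions=trap,email,log
enabled=Y
vlan=registration

[113]
desc=MAC Vendor isolation example
template=banned_devices
trigger=MAC_VENDOR::42
actions=trap,email,log
enabled=N

[121]
desc=System scan (stand-in for the special system scan violation)
priority=5
enabled=Y

[900]
desc=Deliberately broken section
priority=7
template=failed_scan
trigger=Nessus::abc,Bogus::1,DEVICE::28
vlan=guest
whitelisted_categories=staff
enabled=Y
"""


def check_violations(text, roles=()):
    """Return a list of (section, problem) tuples for a violations.conf fragment."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    allowed_vlans = BUILTIN_VLANS | set(roles)
    findings = []

    system_scan_priority = None
    if cfg.has_section(SYSTEM_SCAN_ID) and cfg.has_option(SYSTEM_SCAN_ID, "priority"):
        system_scan_priority = cfg.getint(SYSTEM_SCAN_ID, "priority")

    for section in cfg.sections():
        sec = cfg[section]

        # trigger=TYPE::VALUE,TYPE::VALUE,...
        for item in filter(None, sec.get("trigger", "").split(",")):
            kind, sep, value = item.partition("::")
            if not sep or kind not in TRIGGER_VALUE:
                findings.append((section, f"unknown trigger type in '{item}'"))
            elif not TRIGGER_VALUE[kind].match(value):
                findings.append((section, f"malformed {kind} trigger value '{value}'"))

        vlan = sec.get("vlan")
        if vlan is not None and vlan not in allowed_vlans:
            findings.append((section, f"vlan '{vlan}' is neither a built-in VLAN nor a known role"))

        for cat in filter(None, sec.get("whitelisted_categories", "").split(",")):
            if cat.strip() not in roles:
                findings.append((section, f"whitelisted category '{cat}' is not a known role"))

        if sec.get("enabled", "N") not in ("Y", "N"):
            findings.append((section, "enabled must be Y or N"))

        # The priority rule can only be checked when the system scan violation is present.
        if sec.get("template") == "failed_scan" and system_scan_priority is not None:
            if sec.get("priority") is None or sec.getint("priority") >= system_scan_priority:
                findings.append((section, f"failed_scan priority must be a lower number than "
                                          f"violation {SYSTEM_SCAN_ID}'s ({system_scan_priority})"))
    return findings


if __name__ == "__main__":
    for section, problem in check_violations(SAMPLE, roles=("staff",)):
        print(f"[{section}] {problem}")
```

Run against the real file with the site's role names passed in `roles`; sections that reference a role as a vlan or whitelist entry are only accepted when that role is in the list.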

Re: [PacketFence-users] Fingerbank Hourly API Limit

2016-02-16 Thread Nathan, Josh
So, I don't know why I didn't check before... but I was wrong about a
previous assumption.  It looks like each of our PacketFence servers is
sending a query to the fingerbank database 1k-3k times a day.  Is this
normal?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Feb 10, 2016 at 11:10 AM, Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> Hello,
>
> Due to site location deficiencies, we're currently running multiple
> PacketFence servers.  Lately, we've started getting a lot of emails saying
> that we've reached our "hourly API limit" for Fingerbank.
>
> My understanding is that PacketFence stores a local copy that it
> periodically tries to update.  Is that not correct?  If that is correct,
> how can I offset the update times of my servers so that we're not hitting
> this limit so often?
>
> Thanks,
> Joshua Nathan
> Level 3 IT Support and Development
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151=/4140___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Fingerbank Hourly API Limit

2016-02-10 Thread Nathan, Josh
Hello,

Due to site location deficiencies, we're currently running multiple
PacketFence servers.  Lately, we've started getting a lot of emails saying
that we've reached our "hourly API limit" for Fingerbank.

My understanding is that PacketFence stores a local copy that it
periodically tries to update.  Is that not correct?  If that is correct,
how can I offset the update times of my servers so that we're not hitting
this limit so often?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


[PacketFence-users] 802.1X Question

2015-12-09 Thread Nathan, Josh
Hello,

So, I'm working to get 802.1X authentication working, and I'm wondering if
PacketFence can do what I want it to...

I would like to do 802.1X against either a RADIUS database or LDAP while
still relying on the PacketFence database for what VLAN to use.  Does that
make sense?

My initial attempts seem to rely on the RADIUS database/LDAP server to
specify the VLAN.  But that means I need to heavily build-in logic to
determine if the device has already been registered in PacketFence or if
the device in question has been quarantined.

Ideally, the 802.1X process would defer to the Authentication Sources setup
in the portal profile.

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630


[PacketFence-users] SNMP Error

2015-12-02 Thread Nathan, Josh
So... Strange problem.

I'm working in a test environment that's running PacketFence 5.4.0.  If I
have my client authenticate using EAP-TTLS, when logging into the captive
portal, PacketFence properly bounces the port, and assigns the correct VLAN.

However, if I set the client computer to use PEAP, when the computer logs
into the captive portal, the switch port is NOT bounced, and the
packetfence.log file shows this:

Dec 02 12:53:18 httpd.webservices(6104) ERROR: got an SNMP error trying to
force 802.1x unauthorized: Received notWritable(17) error-status at
error-index 1 (pf::Switch::Brocade::dot1xPortReauthenticate)
Dec 02 12:53:18 httpd.webservices(6104) ERROR: got an SNMP error trying to
force 802.1x control auto: Received notWritable(17) error-status at
error-index 1 (pf::Switch::Brocade::dot1xPortReauthenticate)

I don't understand why it would be dependent in any way on what 802.1X
protocol the client computer uses...

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


Re: [PacketFence-users] 802.1x Without AD

2015-11-25 Thread Nathan, Josh
OK... correction.  The PacketFence radius.log file reports: Auth: Login OK
AND the switch does assign the VLAN, but the computer thinks that
authentication failed.  I had to force it to do a DHCP renew for it to get
an IP Address and acknowledge the success.  Any ideas on how to smooth that
out?

Also... is it expected that a successful 802.1X authentication only moves
the devices to the Registration VLAN rather than just putting them in the
Production VLAN?  Why does the device have to do the
double-authentication?  Once at connection, and second at the portal?

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Nov 25, 2015 at 10:42 AM, Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> Hello,
>
> So... I'm trying to setup 802.1x in a test environment, but I'm getting
> login failures even when the credentials are good.  We don't have an Active
> Directory server or the like, but instead we're storing accounts in a MySQL
> database using MD5 encryption.
>
> With a Linux computer (Chromixium to be precise), I'm able to go through
> the process successfully if the 802.1X authentication is set to use
> "Tunneled TLS".  But with a Windows computer, I'm really only given the
> option of using PEAP (which would be good to use anyway), but that always
> fails.  If I set the Linux computer to use PEAP, it also fails.
>
> I'm running it on PacketFence 5.4, and it's a Ubiquiti EdgeSwitch, but I'm
> thinking the problem is with how I'm storing/encrypting the passwords, not
> the configurations of the server/switch.  What would I need to do to get
> this working?  What configuration files do you need (if any)?
>
> Thanks,
> Joshua Nathan
> IT Administrator
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>


[PacketFence-users] 802.1x Without AD

2015-11-25 Thread Nathan, Josh
Hello,

So... I'm trying to setup 802.1x in a test environment, but I'm getting
login failures even when the credentials are good.  We don't have an Active
Directory server or the like, but instead we're storing accounts in a MySQL
database using MD5 encryption.

With a Linux computer (Chromixium to be precise), I'm able to go through
the process successfully if the 802.1X authentication is set to use
"Tunneled TLS".  But with a Windows computer, I'm really only given the
option of using PEAP (which would be good to use anyway), but that always
fails.  If I set the Linux computer to use PEAP, it also fails.

I'm running it on PacketFence 5.4, and it's a Ubiquiti EdgeSwitch, but I'm
thinking the problem is with how I'm storing/encrypting the passwords, not
the configurations of the server/switch.  What would I need to do to get
this working?  What configuration files do you need (if any)?

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


Re: [PacketFence-users] 802.1x Without AD

2015-11-25 Thread Nathan, Josh
->{'_ip'}] Unable to perform RADIUS CoA-Request: RADIUS Shared Secret not configured"
        );
        return;
    }

    $logger->info("[$self->{'_ip'}] Deauthenticating $mac");

    # Where should we send the RADIUS CoA-Request?
    # to network device by default
    my $send_disconnect_to = $self->{'_ip'};
    # allowing client code to override where we connect with NAS-IP-Address
    $send_disconnect_to = $add_attributes_ref->{'NAS-IP-Address'}
        if (defined($add_attributes_ref->{'NAS-IP-Address'}));

    my $response;
    try {
        my $connection_info = {
            nas_ip    => $send_disconnect_to,
            secret    => $self->{'_radiusSecret'},
            LocalAddr => $self->deauth_source_ip(),
        };

        $logger->debug("[$self->{'_ip'}] Network device supports roles. Evaluating role to be returned.");
        my $roleResolver = pf::roles::custom->instance();
        my $role = $roleResolver->getRoleForNode($mac, $self);

        my $acctsessionid = node_accounting_current_sessionid($mac);
        my $node_info = node_attributes($mac);
        # transforming MAC to the expected format 00-11-22-33-CA-FE
        $mac = uc($mac);
        $mac =~ s/:/-/g;

        # Standard Attributes
        my $attributes_ref = {
            'Calling-Station-Id' => $mac,
            'NAS-IP-Address'     => $send_disconnect_to,
            'Acct-Session-Id'    => $acctsessionid,
        };

        # merging additional attributes provided by caller to the standard attributes
        $attributes_ref = { %$attributes_ref, %$add_attributes_ref };

        # Roles are configured and the user should have one
        if ( defined($role) && (defined($node_info->{'status'}) && isenabled($self->{_RoleMap}) ) ) {

            $attributes_ref = {
                %$attributes_ref,
                'Filter-Id' => $role,
            };
            $logger->info("[$self->{'_ip'}] Returning ACCEPT with Role: $role");
            $response = perform_coa($connection_info, $attributes_ref);

        }
        else {
            $response = perform_disconnect($connection_info, $attributes_ref);
        }
    } catch {
        chomp;
        $logger->warn("[$self->{'_ip'}] Unable to perform RADIUS CoA-Request: $_");
        $logger->error("[$self->{'_ip'}] Wrong RADIUS secret or unreachable network device...") if ($_ =~ /^Timeout/);
    };
    return if (!defined($response));

    return $TRUE if ($response->{'Code'} eq 'CoA-ACK');

    $logger->warn(
        "[$self->{'_ip'}] Unable to perform RADIUS Disconnect-Request."
        . ( defined($response->{'Code'}) ? " $response->{'Code'}" : 'no RADIUS code' ) . ' received'
        . ( defined($response->{'Error-Cause'}) ? " with Error-Cause: $response->{'Error-Cause'}." : '' )
    );
    return;
}




=head1 AUTHOR

Inverse inc. <i...@inverse.ca>

=head1 COPYRIGHT

Copyright (C) 2005-2015 Inverse inc.

=head1 LICENSE

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
USA.

=cut

1;

# vim: set shiftwidth=4:
# vim: set expandtab:
# vim: set backspace=indent,eol,start:


Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Nov 25, 2015 at 11:30 AM, Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> OK... correction.  The PacketFence radius.log file reports: Auth: Login OK
> AND the switch does assign the VLAN, but the computer thinks that
> authentication failed.  I had to force it to do a DHCP renew for it to get
> an IP Address and acknowledge the success.  Any ideas on how to smooth that
> out?
>
> Also... is it expected that a successful 802.1X authentication only moves
> the devices to the Registration VLAN rather than just putting them in the
> Production VLAN?  Why does the device have to do the
> double-authentication?  Once at connection, and second at the portal?
>
> Thanks,
> Joshua Nathan
> IT Administrator
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Wed, Nov 25, 2015 at 10:42 AM, Nathan, Josh <josh.nat...@bfacademy.de>
> wrote:
>
>> Hello,
>>
>> So... I'm trying to setup 802.1x in a test environment, but I'm get
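The Perl fragment in this message sends a RADIUS CoA-Request carrying Filter-Id when a role applies and a Disconnect-Request otherwise, and then treats only a 'CoA-ACK' reply as success. As an added example (my code, not PacketFence's), the Python below performs the same decision on the wire as RFC 5176 specifies it: both packet types, the Request Authenticator (MD5 over the header, sixteen zero octets, the attributes and the shared secret), the Response Authenticator (the same with the request's authenticator in place of the zeros), a simulated NAS that silently drops a request whose authenticator does not verify and answers NAK with Error-Cause 503 (Session Context Not Found) for an unknown session, and a client that checks the reply. The in-process NAS, the session store, the identifier and the shared secret are constructed; the MAC 60:eb:69:56:4e:6e and the address 192.168.11.1 are borrowed from another message on this page. Unlike the fragment, the client here counts both CoA-ACK and Disconnect-ACK as success, since a Disconnect-Request is answered with Disconnect-ACK.

```python
import hashlib
import ipaddress
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CODE_NAME = {41: "Disconnect-ACK", 42: "Disconnect-NAK", 44: "CoA-ACK", 45: "CoA-NAK"}

# Attribute types used by the deauth flow (RFC 2865 / RFC 5176).
NAS_IP_ADDRESS, FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 4, 11, 31, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    """attrs: list of (type, bytes) -> RADIUS TLV stream (length covers type and length octets)."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_request(code, ident, attrs, secret):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def request_is_authentic(packet, secret):
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == auth


def build_response(code, request, attrs, secret):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret)
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def response_is_authentic(response, request, secret):
    header, auth, body = response[:4], response[4:20], response[20:]
    return (response[1] == request[1]
            and hashlib.md5(header + request[4:20] + body + secret).digest() == auth)


def nas_handle(packet, secret, sessions):
    """Simulated NAS: drops unauthentic requests, NAKs unknown sessions, applies CoA/Disconnect."""
    if not request_is_authentic(packet, secret):
        return None                                   # a real NAS stays silent; the client times out
    code, attrs = packet[0], decode_attrs(packet[20:])
    sid = attrs.get(ACCT_SESSION_ID, b"").decode()
    if sid not in sessions:
        nak = COA_NAK if code == COA_REQUEST else DISCONNECT_NAK
        cause = struct.pack("!I", SESSION_CONTEXT_NOT_FOUND)
        return build_response(nak, packet, [(ERROR_CAUSE, cause)], secret)
    if code == COA_REQUEST:
        sessions[sid]["filter_id"] = attrs.get(FILTER_ID, b"").decode()
        return build_response(COA_ACK, packet, [], secret)
    del sessions[sid]
    return build_response(DISCONNECT_ACK, packet, [], secret)


def deauth(mac, session_id, nas_ip, secret, sessions, role=None, nas_secret=None, ident=1):
    """Same decision as the Perl fragment: CoA with Filter-Id when a role applies, else Disconnect.
    Returns (reply name, Error-Cause or None); 'no valid reply' stands in for a timeout."""
    mac_fmt = mac.upper().replace(":", "-")           # the 00-11-22-33-CA-FE form the fragment builds
    attrs = [(CALLING_STATION_ID, mac_fmt.encode()),
             (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
             (ACCT_SESSION_ID, session_id.encode())]
    code = DISCONNECT_REQUEST
    if role is not None:
        attrs.append((FILTER_ID, role.encode()))
        code = COA_REQUEST
    request = build_request(code, ident, attrs, secret)
    # A real client sends this over UDP to the NAS's port 3799; here the NAS is in-process.
    reply = nas_handle(request, nas_secret or secret, sessions)
    if reply is None or not response_is_authentic(reply, request, secret):
        return "no valid reply", None
    cause = decode_attrs(reply[20:]).get(ERROR_CAUSE)
    return CODE_NAME[reply[0]], (struct.unpack("!I", cause)[0] if cause else None)


if __name__ == "__main__":
    sessions = {"8001": {"mac": "60:eb:69:56:4e:6e"}}     # constructed accounting session
    print(deauth("60:eb:69:56:4e:6e", "8001", "192.168.11.1", b"s3cret", sessions, role="staff"))
    print(deauth("60:eb:69:56:4e:6e", "8001", "192.168.11.1", b"s3cret", sessions))
    print(deauth("60:eb:69:56:4e:6e", "8001", "192.168.11.1", b"s3cret", sessions))
```

The silent drop on a bad authenticator is why the fragment's "Wrong RADIUS secret or unreachable network device" message is attached to a timeout rather than to a NAK: a NAS has no authenticated way to tell the sender that its secret is wrong, so the failure mode is the same as a dead device.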

Re: [PacketFence-users] Using Multiple SNAT Interfaces Problem

2015-10-16 Thread Nathan, Josh
Sure.

iproute2, fortunately, comes pre-installed with everything I needed on
CentOS 6.7 (not sure about other versions). The thing to keep in mind is
that only one thing I did endures a reboot by default, and that's the
declaration of the "tables" (iproute2 is based off of being able to run
multiple routing tables simultaneously). You can add tables with this
command:

# echo [unique ordering number] [unique table name] >> /etc/iproute2/rt_tables

Tutorials I saw were listing ordering numbers around 100 or 200... not sure
what the complete viable range is, but each table needs a unique number.
For our purposes, we were using table names such as "staff" or "student"
(obviously, no quotation marks in the command). And of course, the
rt_tables file for you might be in a different location... adjust
accordingly.

After that, you need to run the following commands. First is the template,
then an example. We ended up putting it in a bash script that is run from
our /etc/rc.d/rc.local file so that it is re-instated on boot.

# ip route add [internal IP range] dev [internal eth] src [server internal IP] table [name of ruleset]
# ip route add default via [desired external gateway] dev [external eth] table [name of ruleset (same as above)]
# ip rule add to [internal IP range] table [name of ruleset (same as above)]
# ip rule add from [internal IP range] table [name of ruleset (same as above)]

ip route add 192.168.16.0/24 dev eth0.16 src 192.168.16.1 table student
ip route add default via 172.20.0.10 dev eth2 table student
ip rule add to 192.168.16.0/24 table student
ip rule add from 192.168.16.0/24 table student


And we are also happy to report that we have not seen any conflicts with
PacketFence using this at this time. It didn't mess up the registration
process or anything that we've been able to tell. We haven't put it into
Production yet, but the test environment held up.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


On Fri, Oct 16, 2015 at 12:19 AM, Durand fabrice <fdur...@inverse.ca> wrote:

> Hello Joshua,
>
> maybe you can share what you did with iproute2 ;-)
>
> Regards
> Fabrice
>
>
>
> Le 2015-10-15 07:35, Nathan, Josh a écrit :
>
> Thanks Fabrice! I was able to get it working with that!
>
> Thanks,
> Joshua Nathan
> IT Administrator
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Wed, Oct 14, 2015 at 3:36 PM, Fabrice DURAND <fdur...@inverse.ca>
> wrote:
>
>> Hello Joshua,
>>
>> you will need to configure iproute2 to do that.
>> <http://www.lartc.org/howto/>http://www.lartc.org/howto/
>>
>> regards
>> Fabrice
>>
>>
>>
>> Le 2015-10-14 05:08, Nathan, Josh a écrit :
>> > Hello all,
>> >
>> > So... I see where PacketFence has the option to specify that there are
>> > multiple SNAT interfaces, but I've not found where/all to specify
>> > which one to use... Here's what I want to do.
>> >
>> > Within an Inline environment, I want to specify that VLAN 15 (ex.
>> > eth0.15) reaches the Internet via eth1, and VLAN 16 (eth0.16) reaches
>> > the Internet via eth2. Is there a built-in way for PacketFence to do
>> > that? In the networks.conf file I see the NATing enabled or disabled
>> > option, but I haven't seen where I can flag different internal
>> > interfaces to use different SNAT interfaces.
>> >
>> > Thanks,
>> > Joshua Nathan
>> > IT Administrator
>> > Black Forest Academy
>> > +49 (0) 7626-9161-630
>> >
>> >
>> >
>> >
>> --
>> >
>> >
>> > ___
>> > PacketFence-users mailing list
>> > PacketFence-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>> --
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo ( <http://www.sogo.nu>
>> http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>>
>>
>> --
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>
>
> --
>
>
>
> ___
> PacketFenc
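The steps in the reply above as one checked procedure, added here as my own code rather than anything from the thread or from PacketFence: a Python helper that reads rt_tables, refuses a table id that is reserved (0, 253, 254 and 255 in the stock file) or already mapped to a different name, confirms that the server's internal address lies inside the internal range, and renders the four ip commands plus the rt_tables line to append (or none, when the table is already declared). The rt_tables content is the stock file's four entries and the parameters in the usage call are the ones from the example above; keeping ids within 1-252 is this script's own conservative choice, and running the rendered commands still needs root and the real interfaces.

```python
import ipaddress

# Table ids the stock rt_tables file already assigns: 0 unspec, 253 default, 254 main, 255 local.
RESERVED_TABLE_IDS = {0, 253, 254, 255}

# Constructed: the content of a stock /etc/iproute2/rt_tables.
STOCK_RT_TABLES = "#\n# reserved values\n#\n255\tlocal\n254\tmain\n253\tdefault\n0\tunspec\n"


def parse_rt_tables(text):
    """Map table id -> name, ignoring comments and blank lines."""
    tables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            num, name = line.split()
            tables[int(num)] = name
    return tables


def plan_policy_route(rt_tables_text, table_name, table_id, subnet, internal_dev,
                      internal_ip, gateway, external_dev):
    """Return (rt_tables line to append or None, list of ip commands) after sanity checks."""
    net = ipaddress.ip_network(subnet, strict=True)
    if ipaddress.ip_address(internal_ip) not in net:
        raise ValueError(f"{internal_ip} is not inside {subnet}")
    ipaddress.ip_address(gateway)        # syntax only; reachability is the kernel's problem

    if table_id in RESERVED_TABLE_IDS or not 1 <= table_id <= 252:
        raise ValueError(f"table id {table_id} is reserved or outside 1-252")
    tables = parse_rt_tables(rt_tables_text)
    by_name = {name: num for num, name in tables.items()}
    if tables.get(table_id, table_name) != table_name:
        raise ValueError(f"table id {table_id} already belongs to '{tables[table_id]}'")
    if by_name.get(table_name, table_id) != table_id:
        raise ValueError(f"table '{table_name}' already has id {by_name[table_name]}")
    new_line = None if table_id in tables else f"{table_id} {table_name}"

    commands = [
        f"ip route add {net} dev {internal_dev} src {internal_ip} table {table_name}",
        f"ip route add default via {gateway} dev {external_dev} table {table_name}",
        f"ip rule add to {net} table {table_name}",
        f"ip rule add from {net} table {table_name}",
    ]
    return new_line, commands


if __name__ == "__main__":
    line, cmds = plan_policy_route(STOCK_RT_TABLES, "student", 100, "192.168.16.0/24",
                                   "eth0.16", "192.168.16.1", "172.20.0.10", "eth2")
    if line:
        print(f"echo '{line}' >> /etc/iproute2/rt_tables")
    print("\n".join(cmds))
```

Because the ip route/rule additions do not survive a reboot, the rendered commands are what goes into the rc.local script the reply mentions, while the rt_tables line is appended once.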

Re: [PacketFence-users] Using Multiple SNAT Interfaces Problem

2015-10-15 Thread Nathan, Josh
Thanks Fabrice! I was able to get it working with that!

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Oct 14, 2015 at 3:36 PM, Fabrice DURAND <fdur...@inverse.ca> wrote:

> Hello Joshua,
>
> you will need to configure iproute2 to do that.
> http://www.lartc.org/howto/
>
> regards
> Fabrice
>
>
>
> Le 2015-10-14 05:08, Nathan, Josh a écrit :
> > Hello all,
> >
> > So... I see where PacketFence has the option to specify that there are
> > multiple SNAT interfaces, but I've not found where/all to specify
> > which one to use... Here's what I want to do.
> >
> > Within an Inline environment, I want to specify that VLAN 15 (ex.
> > eth0.15) reaches the Internet via eth1, and VLAN 16 (eth0.16) reaches
> > the Internet via eth2. Is there a built-in way for PacketFence to do
> > that? In the networks.conf file I see the NATing enabled or disabled
> > option, but I haven't seen where I can flag different internal
> > interfaces to use different SNAT interfaces.
> >
> > Thanks,
> > Joshua Nathan
> > IT Administrator
> > Black Forest Academy
> > +49 (0) 7626-9161-630
> >
> >
> >
> >
> --
> >
> >
> > ___
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
>
> --
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


[PacketFence-users] Using Multiple SNAT Interfaces Problem

2015-10-14 Thread Nathan, Josh
Hello all,

So... I see where PacketFence has the option to specify that there are
multiple SNAT interfaces, but I've not found where/all to specify which one
to use... Here's what I want to do.

Within an Inline environment, I want to specify that VLAN 15 (ex. eth0.15)
reaches the Internet via eth1, and VLAN 16 (eth0.16) reaches the Internet
via eth2. Is there a built-in way for PacketFence to do that? In the
networks.conf file I see the NATing enabled or disabled option, but I
haven't seen where I can flag different internal interfaces to use different
SNAT interfaces.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


Re: [PacketFence-users] Errors in Logs

2015-09-09 Thread Nathan, Josh
Sorry, I meant 5.2.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


On Tue, Sep 8, 2015 at 7:39 PM, Fabrice DURAND <fdur...@inverse.ca> wrote:

> Hello Nathan,
>
> PacketFence 3.2.0 ?!
>
> So you probably configured a RADIUS authentication source in packetfence
> and if you didn't define a specific auth source in the default portal
> then packetfence will use it.
> For the "non-existent person", patch with this commit :
>
> https://github.com/inverse-inc/packetfence/commit/a7dd7e159ee865fd1798a24a8c40f7aec1031ccd
> or use pf-maint.pl (perl /usr/local/pf/addons/pf-maint.pl)
> And "Unknown switch" is just because you are using inline (it's a warning).
>
> Also, can you modify the progress bar timeout to be at least 1
> minute (issue with browser DNS cache)
>
> regards
> Fabrice
>
>
> Le 2015-09-03 04:25, Nathan, Josh a écrit :
> > Hello,
> >
> > I'm trying to debug some problems we're having with our PacketFence
> > server, so I'm first trying to whittle through the various errors in
> > the logs. Can anyone give me some direction on these?
> >
> > From packetfence.log:
> > httpd.portal(25510) ERROR: Unable to perform RADIUS authentication on
> > any server: ETIMEOUT
> > (pf::Authentication::Source::RADIUSSource::authenticate)
> > httpd.portal(25510) ERROR: Database issue: We tried 3 times to serve
> > query person_add_sql called from pf::person::person_add and we failed.
> > Is the database running? (pf::db::db_query_execute)
> > httpd.portal(25510) ERROR: modify of non-existent person  attempted -
> > person add failed (pf::person::person_modify)
> > httpd.portal(25456) ERROR: WARNING ! Unknown switch(es) 192.168.16.1
> > (pf::SwitchFactory::instantiate)
> > httpd.portal(25510) ERROR: attempt to add existing person
> > phyllis.hender...@bfacademy.de <mailto:phyllis.hender...@bfacademy.de>
> > (pf::person::person_add)
> >
> > The strange part is that the authentication and registration IS
> > successful. However, the reason I'm looking into this is that the
> > Captive Portal is having trouble loading, and the progress bar page
> > struggles to load as well.
> >
> > The listed "unknown switch" is the PacketFence server, itself!
> >
> > Running PacketFence 3.2.0...
> > 100% Inline enforcement...
> > What other files would be helpful in troubleshooting this?
> >
> > Thanks,
> > Joshua Nathan
> > IT Administrator
> > Black Forest Academy
> > +49 (0) 7626-9161-630
> >
> >
> >
> >
> --
> > Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> > Get real-time metrics from all of your servers, apps and tools
> > in one place.
> > SourceForge users - Click here to start your Free Trial of Datadog now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=241902991=/4140
> >
> >
> > ___
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
>
> --
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


Re: [PacketFence-users] Graphite/Carbon error

2015-09-03 Thread Nathan, Josh
I'm getting it too. Our problem is that we are in general having problems
with our Captive Portal. But for now, I guess I'll ignore those errors and
search elsewhere...

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


On Sat, Aug 15, 2015 at 3:01 PM, mourik jan heupink 
wrote:

> Hi,
>
> For what it's worth: I am getting those errors as well on my 5.3.1
> install. Perhaps they are harmless, as the graphics etc do seem to work
> here.
>
> Just thought I'd let you know.
>
> MJ
>
> On 08/12/2015 12:33 AM, Thomas, Gregory A wrote:
> > I just spun up two new servers to do an inline replacement of the older
> > versions. (4.7 to 5.3.1) Everything is running fine but I am getting
> > entries into the exceptions log based on graphite/carbon from what I can
> > see. It is the same error on both servers and they only happen when you
> > go to the status page.
> >
> >
> >
> > Any clues on how to resolve this besides stopping services?
> >
> >
> >
> > 
> >
> > Tue Aug 11 17:27:14 2015 :: Failed CarbonLink query
> >
> 'packetfence_slife_uwp_edu.radsniff-exchanged.radius_count-access_request.received'
> >
> > Traceback (most recent call last):
> >
> >   File "/usr/lib/python2.6/site-packages/graphite/render/datalib.py",
> > line 231, in fetchData
> >
> > cachedResults = CarbonLink.query(dbFile.real_metric)
> >
> >   File "/usr/lib/python2.6/site-packages/graphite/render/datalib.py",
> > line 140, in query
> >
> > results = self.send_request(request)
> >
> >   File "/usr/lib/python2.6/site-packages/graphite/render/datalib.py",
> > line 163, in send_request
> >
> > conn = self.get_connection(host)
> >
> >   File "/usr/lib/python2.6/site-packages/graphite/render/datalib.py",
> > line 130, in get_connection
> >
> > connection.connect( (server, port) )
> >
> >   File "", line 1, in connect
> >
> > error: [Errno 111] Connection refused
> >
> > Tue Aug 11 17:27:14 2015 :: [Errno 2] No such file or directory:
> > '/var/lib/carbon/rrd'
> >
> > Traceback (most recent call last):
> >
> >   File "/usr/lib/python2.6/site-packages/graphite/storage.py", line 189,
> > in _find
> >
> > entries = os.listdir(current_dir)
> >
> > OSError: [Errno 2] No such file or directory: '/var/lib/carbon/rrd'
> >
> > Tue Aug 11 17:27:14 2015 :: Failed CarbonLink query
> >
> 'packetfence_slife_uwp_edu.radsniff-exchanged.radius_count-access_accept.received'
> >
> > Traceback (most recent call last):
> >
> >  File "/usr/lib/python2.6/site-packages/graphite/render/datalib.py",
> > line 231, in fetchData
> >
> > cachedResults = CarbonLink.query(dbFile.real_metric)
> >
> >   File "/usr/lib/python2.6/site-packages/graphite/render/datalib.py",
> > line 140, in query
> >
> > results = self.send_request(request)
> >
> >   File "/usr/lib/python2.6/site-packages/graphite/render/datalib.py",
> > line 163, in send_request
> >
> > conn = self.get_connection(host)
> >
> >   File "/usr/lib/python2.6/site-packages/graphite/render/datalib.py",
> > line 130, in get_connection
> >
> > connection.connect( (server, port) )
> >
> >   File "", line 1, in connect
> >
> > error: [Errno 111] Connection refused
> >
> > 
> >
> >
> >
> >
> >
> > --
> >
> > Gregory A. Thomas
> >
> > IT Manager, Student Life
> >
> > University of Wisconsin-Parkside
> >
> > thomasg-gbeauytk...@public.gmane.org
> >
> >
> > 262.595.2432
> >
> >
> >
> >
> >
> >
> --
> >
> >
> >
> > ___
> > PacketFence-users mailing list
> > packetfence-users-5nwgofrqmnerv+lv9mx5uipxlwaov...@public.gmane.org
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
>
>
>
> --
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>


[PacketFence-users] Errors in Logs

2015-09-03 Thread Nathan, Josh
Hello,

I'm trying to debug some problems we're having with our PacketFence server,
so I'm first trying to whittle through the various errors in the logs. Can
anyone give me some direction on these?

From packetfence.log:
httpd.portal(25510) ERROR: Unable to perform RADIUS authentication on any
server: ETIMEOUT (pf::Authentication::Source::RADIUSSource::authenticate)
httpd.portal(25510) ERROR: Database issue: We tried 3 times to serve query
person_add_sql called from pf::person::person_add and we failed. Is the
database running? (pf::db::db_query_execute)
httpd.portal(25510) ERROR: modify of non-existent person  attempted -
person add failed (pf::person::person_modify)
httpd.portal(25456) ERROR: WARNING ! Unknown switch(es) 192.168.16.1
(pf::SwitchFactory::instantiate)
httpd.portal(25510) ERROR: attempt to add existing person
phyllis.hender...@bfacademy.de (pf::person::person_add)

The strange part is that the authentication and registration IS successful.
However, the reason I'm looking into this is that the Captive Portal is
having trouble loading, and the progress bar page struggles to load as well.

The listed "unknown switch" is the PacketFence server, itself!

Running PacketFence 3.2.0...
100% Inline enforcement...
What other files would be helpful in troubleshooting this?

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


Re: [PacketFence-users] Database Issues with PF 5.1???

2015-06-17 Thread Nathan, Josh
The next lines from packetfence.log were:
Jun 17 14:51:23 httpd.portal(13792) INFO: Matched MAC '60:eb:69:56:4e:6e'
to IP address '192.168.11.244' using OMAPI (pf::iplog::mac2ip)
Jun 17 14:51:23 httpd.portal(13792) INFO: Matched MAC '60:eb:69:56:4e:6e'
to IP address '192.168.11.244' using OMAPI (pf::iplog::mac2ip)

Here's the result from the SQL query:
+-------------------+--------------+------+------+-----------------+----------------+------+---------------------+----------+--------------+------------+--------------------+-------+------------+
| mac               | switch       | port | vlan | connection_type | dot1x_username | ssid | start_time          | end_time | switch_ip    | switch_mac | stripped_user_name | realm | session_id |
+-------------------+--------------+------+------+-----------------+----------------+------+---------------------+----------+--------------+------------+--------------------+-------+------------+
| 60:eb:69:56:4e:6e | 192.168.11.1 | 0    | 11   | Inline          |                |      | 2015-06-17 14:48:38 | NULL     | 192.168.11.1 | NULL       | NULL               | NULL  | NULL       |
+-------------------+--------------+------+------+-----------------+----------------+------+---------------------+----------+--------------+------------+--------------------+-------+------------+
1 row in set (0.00 sec)


Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123


On Wed, Jun 17, 2015 at 2:56 PM, Fabrice DURAND fdur...@inverse.ca wrote:

  Does pfdhcplistener work on your install ?

 Can you query the database with:

 select * from locationlog where mac='60:eb:69:56:4e:6e';

 What after :
 Jun 17 14:51:22 httpd.portal(13792) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)


 Regards
 Fabrice


 On 2015-06-17 08:52, Nathan, Josh wrote:

  I tried doing a fresh install... still seeing the problem. Here's
 another error I'm getting:
 Jun 17 14:51:22 httpd.portal(13792) INFO: [60:eb:69:56:4e:6e] shouldn't
 reach here. Calling access re-evaluation. Make sure your network device
 configuration is correct.
 (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
 Jun 17 14:51:22 httpd.portal(13792) ERROR: WARNING ! Unknown switch(es)
 192.168.11.1 (pf::SwitchFactory::instantiate)
 Jun 17 14:51:22 httpd.portal(13792) INFO: [60:eb:69:56:4e:6e]
 re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
 Jun 17 14:51:22 httpd.portal(13792) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)

  In this case 192.168.11.1 is the PacketFence gateway, itself. Not sure
 why it's calling it an unknown switch...

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123


 On Tue, Jun 16, 2015 at 12:42 PM, Nathan, Josh josh.nat...@bfacademy.de
 wrote:

 Oh, and we're running it as InlineL2

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123


   On Tue, Jun 16, 2015 at 12:41 PM, Nathan, Josh 
 josh.nat...@bfacademy.de wrote:

  Hello,

  I'm seeing a strange problem with my PF 5.1  server. It works, except
 that every few minutes people are reaching the Sorry page.  Here's the
 error from the packetfence.log file:

 Jun 16 12:39:08 httpd.portal(27967) INFO: Matched IP '172.22.159.209' to
 MAC address 'b0:34:95:f0:d9:b6' using OMAPI (pf::iplog::ip2mac)
 Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:09 httpd.portal(27967) ERROR: Database issue: We tried 3
 times to serve query person_add_sql called from pf::person::person_add and
 we failed. Is the database running? (pf::db::db_query_execute)
 Jun 16 12:39:09 httpd.portal(27967) ERROR: modify of non-existent
 person  attempted - person add failed (pf::person::person_modify)
 Jun 16 12:39:30 httpd.portal(28041) INFO: Matched IP '172.22.159.209' to
 MAC address 'b0:34:95:f0:d9:b6' using OMAPI (pf::iplog::ip2mac)
 Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:31 httpd.portal(28041) ERROR: Database issue: We tried 3
 times to serve query person_add_sql

[PacketFence-users] Database Issues with PF 5.1???

2015-06-16 Thread Nathan, Josh
Hello,

I'm seeing a strange problem with my PF 5.1  server. It works, except that
every few minutes people are reaching the Sorry page.  Here's the error
from the packetfence.log file:

Jun 16 12:39:08 httpd.portal(27967) INFO: Matched IP '172.22.159.209' to
MAC address 'b0:34:95:f0:d9:b6' using OMAPI (pf::iplog::ip2mac)
Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
Column 'pid' cannot be null (errno: 1048), will try again
(pf::db::db_query_execute)
Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
Column 'pid' cannot be null (errno: 1048), will try again
(pf::db::db_query_execute)
Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
Column 'pid' cannot be null (errno: 1048), will try again
(pf::db::db_query_execute)
Jun 16 12:39:09 httpd.portal(27967) ERROR: Database issue: We tried 3 times
to serve query person_add_sql called from pf::person::person_add and we
failed. Is the database running? (pf::db::db_query_execute)
Jun 16 12:39:09 httpd.portal(27967) ERROR: modify of non-existent person
attempted - person add failed (pf::person::person_modify)
Jun 16 12:39:30 httpd.portal(28041) INFO: Matched IP '172.22.159.209' to
MAC address 'b0:34:95:f0:d9:b6' using OMAPI (pf::iplog::ip2mac)
Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
Column 'pid' cannot be null (errno: 1048), will try again
(pf::db::db_query_execute)
Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
Column 'pid' cannot be null (errno: 1048), will try again
(pf::db::db_query_execute)
Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
Column 'pid' cannot be null (errno: 1048), will try again
(pf::db::db_query_execute)
Jun 16 12:39:31 httpd.portal(28041) ERROR: Database issue: We tried 3 times
to serve query person_add_sql called from pf::person::person_add and we
failed. Is the database running? (pf::db::db_query_execute)
Jun 16 12:39:31 httpd.portal(28041) ERROR: modify of non-existent person
attempted - person add failed (pf::person::person_modify)

Normally the person just has to refresh the page, and it will work for a
few more minutes before hitting the Sorry page again. Any ideas???

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123


Re: [PacketFence-users] Database Issues with PF 5.1???

2015-06-16 Thread Nathan, Josh
Oh, and we're running it as InlineL2

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123


On Tue, Jun 16, 2015 at 12:41 PM, Nathan, Josh josh.nat...@bfacademy.de
wrote:

 Hello,

 I'm seeing a strange problem with my PF 5.1  server. It works, except that
 every few minutes people are reaching the Sorry page.  Here's the error
 from the packetfence.log file:

 Jun 16 12:39:08 httpd.portal(27967) INFO: Matched IP '172.22.159.209' to
 MAC address 'b0:34:95:f0:d9:b6' using OMAPI (pf::iplog::ip2mac)
 Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:09 httpd.portal(27967) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:09 httpd.portal(27967) ERROR: Database issue: We tried 3
 times to serve query person_add_sql called from pf::person::person_add and
 we failed. Is the database running? (pf::db::db_query_execute)
 Jun 16 12:39:09 httpd.portal(27967) ERROR: modify of non-existent person
 attempted - person add failed (pf::person::person_modify)
 Jun 16 12:39:30 httpd.portal(28041) INFO: Matched IP '172.22.159.209' to
 MAC address 'b0:34:95:f0:d9:b6' using OMAPI (pf::iplog::ip2mac)
 Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:31 httpd.portal(28041) WARN: database query failed with:
 Column 'pid' cannot be null (errno: 1048), will try again
 (pf::db::db_query_execute)
 Jun 16 12:39:31 httpd.portal(28041) ERROR: Database issue: We tried 3
 times to serve query person_add_sql called from pf::person::person_add and
 we failed. Is the database running? (pf::db::db_query_execute)
 Jun 16 12:39:31 httpd.portal(28041) ERROR: modify of non-existent person
 attempted - person add failed (pf::person::person_modify)

 Normally the person just has to refresh the page, and it will work for a
 few more minutes before hitting the Sorry page again. Any ideas???

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123




Re: [PacketFence-users] Expiration and Mass Deregister

2015-05-25 Thread Nathan, Josh
Oh, I did forget to mention! If we unregister too many people at a time, we
have to restart the PacketFence service. Not sure what the conflict is, but
running that command a couple hundred times corrupts one of the running
files or something, and then nothing can register until it's restarted. We
really only do a mass deregister once a week, so we do it in the middle of
the night, and then restart the services. But I don't know if that issue
persists with newer versions of PacketFence, and I've only ever run
PacketFence on Centos 6.x.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123


On Mon, May 25, 2015 at 12:02 PM, Nathan, Josh josh.nat...@bfacademy.de
wrote:

 We do something similar to this, actually. However, while we used to run a
 query against the database, something changed with the upgrade to 4.0 that
 caused that to stop working. They'd be listed as unregistered in the
 database, but still have access.  I was able to put together a pfcmd
 command that would do it, though. Here's what I have:

 /usr/local/pf/bin/pfcmd node edit [mac address]
 status=unreg,unregdate=[datetime in YearMonthDayHourMinuteSecond format]


 We use a Perl script to generate the list of Mac addresses, and then loop
 through them with this command.

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123


 On Sun, May 24, 2015 at 4:04 PM, Jason 'XenoPhage' Frisvold 
 xenoph...@godshell.com wrote:

  On May 22, 2015, at 18:17, Mr J Potter jpotter...@because.org.uk
 wrote:
 
  Hi Jason,
 
  Did you find a way of doing this? I need to deregister all users
 periodically (plan is 7 times a day), and being able to do this via cron
 would be great.

 There's no built-in way to do this easily, but you can manipulate the
 database and perform the same process.  Just build a query that finds the
 devices you're looking to deregister and then put them all in a state of
 unregistered.

 That said, it may be worth re-thinking things a little.  The automatic
 mechanisms within Packetfence are pretty good.  You can probably set the
 timers for 7 days and have the system handle this for you.

  thanks,
 
  Jim Pott

 Jason 'XenoPhage' Frisvold
 xenoph...@godshell.com

 --
 One dashboard for servers and applications across Physical-Virtual-Cloud
 Widest out-of-the-box monitoring support with 50+ applications
 Performance metrics, stats and reports that give you Actionable Insights
 Deep dive visibility with transaction tracing using APM Insight.
 http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
 ___
 PacketFence-users mailing list
 PacketFence-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/packetfence-users





Re: [PacketFence-users] Expiration and Mass Deregister

2015-05-25 Thread Nathan, Josh
We do something similar to this, actually. However, while we used to run a
query against the database, something changed with the upgrade to 4.0 that
caused that to stop working. They'd be listed as unregistered in the
database, but still have access.  I was able to put together a pfcmd
command that would do it, though. Here's what I have:

/usr/local/pf/bin/pfcmd node edit [mac address]
status=unreg,unregdate=[datetime in YearMonthDayHourMinuteSecond format]


We use a Perl script to generate the list of Mac addresses, and then loop
through them with this command.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123


On Sun, May 24, 2015 at 4:04 PM, Jason 'XenoPhage' Frisvold 
xenoph...@godshell.com wrote:

  On May 22, 2015, at 18:17, Mr J Potter jpotter...@because.org.uk
 wrote:
 
  Hi Jason,
 
  Did you find a way of doing this? I need to deregister all users
 periodically (plan is 7 times a day), and being able to do this via cron
 would be great.

 There's no built-in way to do this easily, but you can manipulate the
 database and perform the same process.  Just build a query that finds the
 devices you're looking to deregister and then put them all in a state of
 unregistered.

 That said, it may be worth re-thinking things a little.  The automatic
 mechanisms within Packetfence are pretty good.  You can probably set the
 timers for 7 days and have the system handle this for you.

  thanks,
 
  Jim Pott

 Jason 'XenoPhage' Frisvold
 xenoph...@godshell.com


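A scripted version of the loop Josh describes, added here as an illustration (it is neither his Perl script nor anything shipped with PacketFence): a POSIX shell script that reads a file of MAC addresses, normalises and validates each one, builds the pfcmd invocation quoted above with an unregdate in YYYYMMDDHHMMSS form, and pauses between batches, which is one guess at softening the problem reported in Josh's follow-up (services needing a restart after a few hundred edits in a row), not a documented fix. The pfcmd path, the batch size and the pause length are assumptions; with DRY_RUN=1 (the default) it only prints the commands it would run.

```sh
#!/bin/sh
# Added example (not the poster's Perl script and not PacketFence tooling):
# batch deregistration through pfcmd, driven by a file of MAC addresses.
# Assumptions: pfcmd is at /usr/local/pf/bin/pfcmd and accepts the
# 'node edit MAC status=unreg,unregdate=YYYYMMDDHHMMSS' form from the post;
# BATCH_SIZE and BATCH_PAUSE are guesses at a gentler pace than one tight loop.

PFCMD="${PFCMD:-/usr/local/pf/bin/pfcmd}"
BATCH_SIZE="${BATCH_SIZE:-50}"    # pause after this many edits (assumption)
BATCH_PAUSE="${BATCH_PAUSE:-5}"   # seconds to sleep between batches
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands, 0 = execute them

# Lowercase, strip spaces, turn dashes into colons:
# 60-EB-69-56-4E-6E -> 60:eb:69:56:4e:6e
normalize_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' ' | sed 's/-/:/g'
}

# Accept only aa:bb:cc:dd:ee:ff; anything else (including shell
# metacharacters that crept into the list) is rejected before reaching pfcmd.
is_valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Unregdate in the YearMonthDayHourMinuteSecond form the post uses.
unregdate_now() {
    date +%Y%m%d%H%M%S
}

# The exact pfcmd invocation from the post, for one MAC and one unregdate.
build_unreg_cmd() {
    printf '%s node edit %s status=unreg,unregdate=%s' "$PFCMD" "$1" "$2"
}

# Deregister every MAC listed one per line in file $1, with unregdate $2.
# Prints each command in dry-run mode, runs it otherwise; malformed lines
# are reported on stderr and skipped, never passed to pfcmd.
deregister_from_file() {
    count=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        [ -z "$raw" ] && continue
        mac=$(normalize_mac "$raw")
        if ! is_valid_mac "$mac"; then
            echo "skipping malformed MAC: $raw" >&2
            continue
        fi
        cmd=$(build_unreg_cmd "$mac" "$2")
        if [ "$DRY_RUN" = "1" ]; then
            echo "$cmd"
        else
            $cmd || echo "pfcmd failed for $mac" >&2
        fi
        count=$((count + 1))
        # Pause between batches instead of hammering pfcmd hundreds of times in a row.
        if [ $((count % BATCH_SIZE)) -eq 0 ]; then
            sleep "$BATCH_PAUSE"
        fi
    done < "$1"
    return 0
}
```

From a cron job the call is `deregister_from_file macs.txt "$(unregdate_now)"`; leave DRY_RUN at 1 on the first run and review the printed commands before setting DRY_RUN=0. Validating the MAC before it reaches pfcmd matters because the list is generated by another script and fed to a privileged command: a malformed line gets logged and skipped rather than interpreted.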


[PacketFence-users] Fingerbank Error

2015-05-11 Thread Nathan, Josh
Hello,

Fresh install of PacketFence 5.0.2...

I've not actually ever used Github before, and the new Fingerbank thing is
giving me trouble. I created a Github account (free), and have even tried
creating an API with full permissions for everything, but PacketFence still
can't update its fingerbank database.

Error in the GUI:
*Error!* An error occured while updating Fingerbank 'upstream' database file

Error in the Fingerbank log file:
May 11 10:12:59 httpd.admin(30061) WARN: Failed to download latest version
of 'Upstream' database with the following return code: 401
(fingerbank::DB::fetch_upstream)
May 11 10:12:59 httpd.admin(30061) WARN: An error occured while updating
Fingerbank 'upstream' database file (fingerbank::DB::update_upstream)

The admin guide seems to just say, fill in the settings, but sadly with
no Github experience, that's too vague for me.  Most of the Settings fields
seemed to already be filled out, so I left them as is.  I just put in my
API key.

How much do I have to do with the Github account? Do I need to be part of
an organization? Do I need to create my own repository? It talks about
authorizing applications, but I don't see in the Github interface where it
actually allows me to authorize an application (maybe there are
pre-reqs?)...

For the PF's Fingerbank settings, do I need to adjust any settings other
than filling in my API key?

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123


Re: [PacketFence-users] Fingerbank Error

2015-05-11 Thread Nathan, Josh
Also, just discovered that the Captive Portal is throwing this error when I
visit it as well:
Caught exception in
captiveportal::Controller::CaptivePortal-processFingerbank Can't use an
undefined value as an ARRAY reference at /usr/local/pf/lib/pf/fingerbank.pm
line 179.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123


On Mon, May 11, 2015 at 10:25 AM, Nathan, Josh josh.nat...@bfacademy.de
wrote:

 Hello,

 Fresh install of PacketFence 5.0.2...

 I've not actually ever used Github before, and the new Fingerbank thing is
 giving me trouble. I created a Github account (free), and have even tried
 creating an API with full permissions for everything, but PacketFence still
 can't update its fingerbank database.

 Error in the GUI:
 *Error!* An error occured while updating Fingerbank 'upstream' database
 file

 Error in the Fingerbank log file:
 May 11 10:12:59 httpd.admin(30061) WARN: Failed to download latest version
 of 'Upstream' database with the following return code: 401
 (fingerbank::DB::fetch_upstream)
 May 11 10:12:59 httpd.admin(30061) WARN: An error occured while updating
 Fingerbank 'upstream' database file (fingerbank::DB::update_upstream)

 The admin guide seems to just say, fill in the settings, but sadly with
 no Github experience, that's too vague for me.  Most of the Settings fields
 seemed to already be filled out, so I left them as is.  I just put in my
 API key.

 How much do I have to do with the Github account? Do I need to be part of
 an organization? Do I need to create my own repository? It talks about
 authorizing applications, but I don't see in the Github interface where it
 actually allows me to authorize an application (maybe there are
 pre-reqs?)...

 For the PF's Fingerbank settings, do I need to adjust any settings other
 than filling in my API key?

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123




Re: [PacketFence-users] Problem with RADIUS source and conditions

2015-05-08 Thread Nathan, Josh
I ran into that problem too.  Here's how I fixed it:

The problem was in /lib/pf/Authentication/Source.pm

At line #58, it starts defining common_attributes for the conditions, but
it does NOT have an entry for username.

This causes the if statement at line #133 to fail, and apparently the
elseif process does not ever bring the code to the point where it
actually checks the conditions specified.  So... if the value is
username, it will apparently ALWAYS fail to assign the proper role.

My subroutine ended up looking like this:

sub common_attributes {
  my $self = shift;
  return [
    { value => 'SSID',            type => $Conditions::SUBSTRING },
    { value => 'current_time',    type => $Conditions::TIME },
    { value => 'connection_type', type => $Conditions::CONNECTION },
    { value => 'computer_name',   type => $Conditions::SUBSTRING },
    # added entry: without it a condition on 'username' never matches
    { value => 'username',        type => $Conditions::SUBSTRING },
  ];
}


Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123


On Fri, May 8, 2015 at 11:47 AM, Nicola Canepa canep...@mmfg.it wrote:

 Hello.
 I'm trying to activate RADIUS authentication for admin users.
 I have configured the source, and the users are authenticated, as per
 httpd.admin.log:
  May 08 10:00:39 httpd.admin(7875) INFO: Authentication successful for
  canepan in source XXX (RADIUS) (pf::authentication::authenticate)
 But if I enable a Rule with a Condition, it never matches.
 I tried configuring the following:
 - if any of the following conditions are met
 - username matches regexp .*
 - username equals canepan
 - username contains canepan

 But I always end with this log (I enabled DEBUG in httpd.admin):
  May 08 09:59:23 httpd.admin(7875) DEBUG: Match called with parameters
  username = canepan (pf::authentication::match)
 If I leave the Rule without Conditions, the user can log in (with the
 configured roles).

 What am I doing wrong?

 Thank you for your answers.

 Nicola

 --

 Nicola Canepa
 Tel: +39-0522-399-3474
 canep...@mmfg.it
 ---
 The content of the above communication is strictly confidential and
 reserved solely for the referred addressees. In the event of receipt by
 persons different from the addressee, copying, alteration and distribution
 are forbidden. If received by mistake we ask you to inform us and to
 destroy and/or delete from your computer without using the data herein
 contained. The present message (eventual annexes inclusive) shall not be
 considered a contractual proposal and/or acceptance of offer from the
 addressee, nor waiver recognizance of rights, debts  and/or credits, nor
 shall it be binding when not executed as a subsequent agreement by persons
 who could lawfully represent us. No pre-contractual liability shall apply
 to us when the present communication is not followed by any binding
 agreement between the parties.




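To make the failure mode in this thread concrete, here is a small Python model of rule evaluation, added here as an illustration and not PacketFence's own code: it parses a rule in the [Source rule Name] form quoted later in the thread, evaluates its conditions against the request's attributes, and reports when a condition names an attribute the source does not know about, which is exactly the case that silently produced "Did not match" before username was added to common_attributes. The operator spellings (equals, contains, matches regexp) follow the wording in Nicola's message and are assumptions about the config syntax, as is the whole evaluator; KNOWN_ATTRIBUTES mirrors the common_attributes list above, and the rule text is constructed from the post.

```python
"""Added example (not PacketFence's own code): a small evaluator for
authentication.conf-style rule blocks with condition lines such as
'username,equals,jnathan'.

It models the failure mode the thread describes: a condition that names an
attribute missing from the source's list of known attributes can never
match, so the rule's actions (role, access duration) are never applied.
Instead of failing silently, this evaluator reports why a rule did not
match, which is what you want to see in a log.  Operator spellings and the
evaluator itself are assumptions, not PacketFence's syntax or logic.
"""
import re

# Attributes a source may use in conditions, mirroring the common_attributes
# list in the post.  Before the fix, 'username' was absent.
KNOWN_ATTRIBUTES_BEFORE_FIX = {"SSID", "current_time", "connection_type", "computer_name"}
KNOWN_ATTRIBUTES = KNOWN_ATTRIBUTES_BEFORE_FIX | {"username"}

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "matches regexp": lambda actual, expected: re.search(expected, actual) is not None,
}

# Constructed from the rule quoted in the thread.
RULE_TEXT = """\
[RadiusTest rule RadiusStaff]
description=Check if Staff Account
match=all
action0=set_role=staff
action1=set_access_duration=1W
condition0=username,equals,jnathan
"""


def parse_rule(text):
    """Parse one rule block into {'match', 'actions', 'conditions'}.

    actions    -> list of (action_name, value), e.g. ('set_role', 'staff')
    conditions -> list of (attribute, operator, expected_value)
    """
    rule = {"match": "all", "actions": [], "conditions": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        if key.startswith("condition"):
            attribute, operator, expected = value.split(",", 2)
            rule["conditions"].append((attribute, operator, expected))
        elif key.startswith("action"):
            name, _, val = value.partition("=")
            rule["actions"].append((name, val))
        elif key == "match":
            rule["match"] = value
    return rule


def evaluate_rule(rule, attributes, known=KNOWN_ATTRIBUTES):
    """Return (matched, problems).

    problems lists every reason a condition could not be evaluated, so an
    operator sees 'unknown attribute' instead of an unexplained 'Did not
    match' in pftest output.
    """
    results, problems = [], []
    for attribute, operator, expected in rule["conditions"]:
        if attribute not in known:
            problems.append(f"condition on unknown attribute '{attribute}' can never match")
            results.append(False)
            continue
        if operator not in OPERATORS:
            problems.append(f"unknown operator '{operator}'")
            results.append(False)
            continue
        actual = attributes.get(attribute)
        if actual is None:
            problems.append(f"attribute '{attribute}' was not supplied for this request")
            results.append(False)
            continue
        results.append(OPERATORS[operator](str(actual), expected))
    if not results:
        matched = True          # a rule with no conditions always matches
    elif rule["match"] == "all":
        matched = all(results)
    else:
        matched = any(results)
    return matched, problems


def actions_for(rule, attributes, known=KNOWN_ATTRIBUTES):
    """Actions to apply for this request: the rule's actions if it matched, else none."""
    matched, problems = evaluate_rule(rule, attributes, known)
    return (list(rule["actions"]) if matched else []), problems


if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    request = {"username": "jnathan"}
    for label, known in (("before fix", KNOWN_ATTRIBUTES_BEFORE_FIX), ("after fix", KNOWN_ATTRIBUTES)):
        actions, problems = actions_for(rule, request, known)
        print(f"{label}: actions={actions} problems={problems}")
```

Run stand-alone it prints the two outcomes side by side: with the pre-fix attribute list the rule yields no actions and one explicit problem, with username in the list it yields set_role=staff and set_access_duration=1W. The design point is that an authorization rule which cannot be evaluated should fail closed (no role granted) and say why, rather than fail closed and stay silent.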


Re: [PacketFence-users] Radius Condition

2015-01-28 Thread Nathan, Josh
Yep.  My subroutine ended up looking like this:

sub common_attributes {
  my $self = shift;
  return [
    { value => 'SSID',            type => $Conditions::SUBSTRING },
    { value => 'current_time',    type => $Conditions::TIME },
    { value => 'connection_type', type => $Conditions::CONNECTION },
    { value => 'computer_name',   type => $Conditions::SUBSTRING },
    # added entry: without it a condition on 'username' never matches
    { value => 'username',        type => $Conditions::SUBSTRING },
  ];
}

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Wed, Jan 28, 2015 at 12:40 PM, Rosario Ippolito 
sarrus.ippol...@gmail.com wrote:

 Thank you so much sir! So we just have to add the field username in the
 subroutine common_attributes?

 2015-01-28 9:47 GMT+01:00 Nathan, Josh josh.nat...@bfacademy.de:

 OK, I solved my problem.  I'm not sure where to report it, so I'm saying
 it here.

 The problem was in /lib/pf/Authentication/Source.pm

 At line #58, it starts defining common_attributes for the conditions,
 but it does NOT have an entry for username.

 This causes the if statement at line #133 to fail, and apparently the
 elseif process does not ever bring the code to the point where it
 actually checks the conditions specified.  So... if the value is
 username, it will apparently ALWAYS fail to assign the proper role.

 Hopefully this will be fixed in future releases.

 Thanks for your help as I debugged my issue!
 Hope this helps somebody else!
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Wed, Jan 14, 2015 at 11:02 AM, Nathan, Josh josh.nat...@bfacademy.de
 wrote:

 Well, it took a long time in testing as other issues came up causing me
 to table this problem.  However, here's the test/results...

 Rule in authentication.conf:
 [RadiusTest rule RadiusStaff]
 description=Check if Staff Account
 match=all
 action0=set_role=staff
 action1=set_access_duration=1W
 condition0=username,equals,jnathan


 Test results:
 ./pftest authentication jnathan [password] RadiusTest
 Testing authentication for jnathan

 Authenticating against RadiusTest
   Authentication SUCCEEDED against RadiusTest (Successful authentication
 using RADIUS.)
   Did not match against RadiusTest


 Any idea why this doesn't match?  Thanks for your help!

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Tue, Dec 23, 2014 at 3:19 PM, Fabrice DURAND fdur...@inverse.ca
 wrote:

 Hello Matteo,

 To be removed from the mailing list, you can scroll down with your mouse.

 Regards
 Fabrice

 On 2014-12-23 08:59, Matteo Pidalà wrote:
  Remove from mail list me please
 
 
  regards
 
  2014-12-23 14:41 GMT+01:00 Fabrice DURAND fdur...@inverse.ca:
 
  Hello Josh,
 
  the better thing to do is to test with pftest and see if the rules
  match.
 
  Regards
  Fabrice
 
  On 2014-12-22 10:35, Nathan, Josh wrote:
   Anymore thoughts about this? I tested the login with the
 condition
   Current Time is after 01:00 and that worked, but trying to do
   anything with the username seems to always fail.
  
   Thanks,
   Joshua Nathan
   IT Administrator
   Black Forest Academy
   +49 (0) 7626-916123
  
   On Thu, Dec 11, 2014 at 9:45 AM, Nathan, Josh
   josh.nat...@bfacademy.de wrote:
  
   Thanks for your reply Juan,
  
   But if you look, you should see from the excerpt of my conf
 file
   that I do, indeed, have a role.  The role is staff.
  Further, it
   does correctly assign the role if I remove any conditions I
 have
   regarding the username (I'll admit that I haven't tried
 other
   types of conditions as those aren't pertinent to my goal).
 From
   the logs, you can see that the username I tried to
 authenticate
   with was jnathan, and even in the most basic condition I
 tried
   (the condition of the username being jnathan), it then
  fails to
   assign the role... as if the condition always fails.
  
   So as it stands, the Rule itself works (sees that I have a
 legit
   username and password, and assigns the proper role).
 However,
   when I assign a Condition to the rule, it fails.  Maybe I'm
  typing
   it in wrong?  I've tried with no quotes, single quotes,
 double
   quotes... When looking at the conf file in Vim, I don't see
 any
   erroneous characters or extra whitespace...
  
   The end goal is to have a single Radius database that
 houses all
   usernames and passwords, where our username pattern
 determines
   which role someone is assigned.
  
   Thanks,
   Joshua Nathan
   IT Administrator
   Black Forest Academy
   +49 (0

Re: [PacketFence-users] Radius Condition

2015-01-28 Thread Nathan, Josh
OK, I solved my problem.  I'm not sure where to report it, so I'm saying it
here.

The problem was in /lib/pf/Authentication/Source.pm

At line #58, it starts defining common_attributes for the conditions, but
it does NOT have an entry for username.

This causes the if statement at line #133 to fail, and apparently the
elseif process does not ever bring the code to the point where it
actually checks the conditions specified.  So... if the value is
username, it will apparently ALWAYS fail to assign the proper role.

Hopefully this will be fixed in future releases.

Thanks for your help as I debugged my issue!
Hope this helps somebody else!
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Wed, Jan 14, 2015 at 11:02 AM, Nathan, Josh josh.nat...@bfacademy.de
wrote:

 Well, it took a long time in testing as other issues came up causing me to
 table this problem.  However, here's the test/results...

 Rule in authentication.conf:
 [RadiusTest rule RadiusStaff]
 description=Check if Staff Account
 match=all
 action0=set_role=staff
 action1=set_access_duration=1W
 condition0=username,equals,jnathan


 Test results:
 ./pftest authentication jnathan [password] RadiusTest
 Testing authentication for jnathan

 Authenticating against RadiusTest
   Authentication SUCCEEDED against RadiusTest (Successful authentication
 using RADIUS.)
   Did not match against RadiusTest


 Any idea why this doesn't match?  Thanks for your help!

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Tue, Dec 23, 2014 at 3:19 PM, Fabrice DURAND fdur...@inverse.ca
 wrote:

 Hello Matteo,

 To be removed from the mailing list, you can scroll down with your mouse.

 Regards
 Fabrice

 On 2014-12-23 08:59, Matteo Pidalà wrote:
  Remove from mail list me please
 
 
  regards
 
  2014-12-23 14:41 GMT+01:00 Fabrice DURAND fdur...@inverse.ca:
 
  Hello Josh,
 
  the better thing to do is to test with pftest and see if the rules
  match.
 
  Regards
  Fabrice
 
  On 2014-12-22 10:35, Nathan, Josh wrote:
   Anymore thoughts about this? I tested the login with the condition
   Current Time is after 01:00 and that worked, but trying to do
   anything with the username seems to always fail.
  
   Thanks,
   Joshua Nathan
   IT Administrator
   Black Forest Academy
   +49 (0) 7626-916123
  
   On Thu, Dec 11, 2014 at 9:45 AM, Nathan, Josh
   josh.nat...@bfacademy.de wrote:
  
   Thanks for your reply Juan,
  
   But if you look, you should see from the excerpt of my conf file
   that I do, indeed, have a role.  The role is staff.  Further, it
   does correctly assign the role if I remove any conditions I have
   regarding the username (I'll admit that I haven't tried other
   types of conditions as those aren't pertinent to my goal).  From
   the logs, you can see that the username I tried to authenticate
   with was jnathan, and even in the most basic condition I tried
   (the condition of the username being jnathan), it then fails to
   assign the role... as if the condition always fails.
  
   So as it stands, the Rule itself works (sees that I have a legit
   username and password, and assigns the proper role).  However,
   when I assign a Condition to the rule, it fails.  Maybe I'm typing
   it in wrong?  I've tried with no quotes, single quotes, double
   quotes... When looking at the conf file in Vim, I don't see any
   erroneous characters or extra whitespace...
  
   The end goal is to have a single Radius database that houses all
   usernames and passwords, where our username pattern determines
   which role someone is assigned.
  
   Thanks,
   Joshua Nathan
   IT Administrator
   Black Forest Academy
   +49 (0) 7626-916123
  
   On Wed, Dec 10, 2014 at 6:43 PM, Juan Camilo Valencia
   juan.valen...@seguratec.com.co wrote:
  
   Hi Josh,
  
   Take a look at this log line
   Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified
   or found for pid jnathan (MAC 00:1d:72:35:1b:15); assume
   maximum number of registered nodes is reached
   (pf::node::is_max_reg_nodes_reached)
  
   That means that you don't have a role assigned for the
   user that you are using, you can

Re: [PacketFence-users] Radius Condition

2015-01-14 Thread Nathan, Josh
Well, it took a long time in testing as other issues came up causing me to
table this problem.  However, here's the test/results...

Rule in authentication.conf:
[RadiusTest rule RadiusStaff]
description=Check if Staff Account
match=all
action0=set_role=staff
action1=set_access_duration=1W
condition0=username,equals,jnathan


Test results:
./pftest authentication jnathan [password] RadiusTest
Testing authentication for jnathan

Authenticating against RadiusTest
  Authentication SUCCEEDED against RadiusTest (Successful authentication
using RADIUS.)
  Did not match against RadiusTest


Any idea why this doesn't match?  Thanks for your help!

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Tue, Dec 23, 2014 at 3:19 PM, Fabrice DURAND fdur...@inverse.ca wrote:

 Hello Matteo,

 To be removed from the mailing list you can scroll down your mouse.

 Regards
 Fabrice

 On 2014-12-23 08:59, Matteo Pidalà wrote:
  Remove me from the mail list please
 
 
  regards
 
  2014-12-23 14:41 GMT+01:00 Fabrice DURAND fdur...@inverse.ca:
 
  Hello Josh,
 
  the best thing to do is to test with pftest and see if the rules
  match.
 
  Regards
  Fabrice
 
  On 2014-12-22 10:35, Nathan, Josh wrote:
   Any more thoughts about this? I tested the login with the condition
   Current Time is after 01:00 and that worked, but trying to do
   anything with the username seems to always fail.
  
   Thanks,
   Joshua Nathan
   IT Administrator
   Black Forest Academy
   +49 (0) 7626-916123
  
   On Thu, Dec 11, 2014 at 9:45 AM, Nathan, Josh
   josh.nat...@bfacademy.de wrote:
  
   Thanks for your reply Juan,
  
   But if you look, you should see from the excerpt of my conf file
   that I do, indeed, have a role.  The role is staff.  Further, it
   does correctly assign the role if I remove any conditions I have
   regarding the username (I'll admit that I haven't tried other
   types of conditions as those aren't pertinent to my goal).  From
   the logs, you can see that the username I tried to authenticate
   with was jnathan, and even in the most basic condition I tried
   (the condition of the username being jnathan), it then fails to
   assign the role... as if the condition always fails.
  
   So as it stands, the Rule itself works (sees that I have a legit
   username and password, and assigns the proper role).  However,
   when I assign a Condition to the rule, it fails.  Maybe I'm typing
   it in wrong?  I've tried with no quotes, single quotes, double
   quotes... When looking at the conf file in Vim, I don't see any
   erroneous characters or extra whitespace...
  
   The end goal is to have a single Radius database that houses all
   usernames and passwords, where our username pattern determines
   which role someone is assigned.
  
   Thanks,
   Joshua Nathan
   IT Administrator
   Black Forest Academy
   +49 (0) 7626-916123
  
   On Wed, Dec 10, 2014 at 6:43 PM, Juan Camilo Valencia
   juan.valen...@seguratec.com.co wrote:
  
   Hi Josh,
  
   Take a look at this log line
   Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified
   or found for pid jnathan (MAC 00:1d:72:35:1b:15); assume
   maximum number of registered nodes is reached
   (pf::node::is_max_reg_nodes_reached)
  
   That means that you don't have a role assigned for the user
   that you are using; you can assign it when you create the
   rule and assign that role to a vlan id in your switch. The
   problem is that without a role PF assumes that you have
   reached the maximum of devices authorized for the pid and
   doesn't assign a functional vlan. I think that your rule is
   correctly created except for the role; try to create a role
   and that should solve the problem.
  
   I hope that this helps you solve the problem.
  
   Best Regards,
  
   On Wed, Dec 10, 2014 at 5:09 AM, Nathan, Josh
   josh.nat...@bfacademy.de wrote:
  
   OK, I've also

Re: [PacketFence-users] Radius Condition

2014-12-22 Thread Nathan, Josh
Any more thoughts about this? I tested the login with the condition Current
Time is after 01:00 and that worked, but trying to do anything with the
username seems to always fail.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Thu, Dec 11, 2014 at 9:45 AM, Nathan, Josh josh.nat...@bfacademy.de
wrote:

 Thanks for your reply Juan,

 But if you look, you should see from the excerpt of my conf file that I
 do, indeed, have a role.  The role is staff.  Further, it does correctly
 assign the role if I remove any conditions I have regarding the username
 (I'll admit that I haven't tried other types of conditions as those aren't
 pertinent to my goal).  From the logs, you can see that the username I
 tried to authenticate with was jnathan, and even in the most basic
 condition I tried (the condition of the username being jnathan), it then
 fails to assign the role... as if the condition always fails.

 So as it stands, the Rule itself works (sees that I have a legit username
 and password, and assigns the proper role).  However, when I assign a
 Condition to the rule, it fails.  Maybe I'm typing it in wrong?  I've tried
 with no quotes, single quotes, double quotes... When looking at the conf
 file in Vim, I don't see any erroneous characters or extra whitespace...

 The end goal is to have a single Radius database that houses all usernames
 and passwords, where our username pattern determines which role someone is
 assigned.

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Wed, Dec 10, 2014 at 6:43 PM, Juan Camilo Valencia 
 juan.valen...@seguratec.com.co wrote:

 Hi Josh,

 Take a look at this log line
 Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found
 for pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of
 registered nodes is reached (pf::node::is_max_reg_nodes_reached)

 That means that you don't have a role assigned for the user that you are
 using; you can assign it when you create the rule and assign that role to a
 vlan id in your switch. The problem is that without a role PF assumes that
 you have reached the maximum of devices authorized for the pid and doesn't
 assign a functional vlan. I think that your rule is correctly created except
 for the role; try to create a role and that should solve the problem.

 I hope that this helps you solve the problem.

 Best Regards,

 On Wed, Dec 10, 2014 at 5:09 AM, Nathan, Josh josh.nat...@bfacademy.de
 wrote:

 OK, I've also discovered the following in the httpd.admin.log file:

 Dec 10 10:41:14 httpd.admin(6919) INFO: [00:1d:72:35:1b:15]
 re-evaluating access (node_modify called)
 (pf::enforcement::reevaluate_access)
 Dec 10 10:41:14 httpd.admin(6919) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)

 *Dec 10 10:41:15 httpd.admin(6919) ERROR: Use of uninitialized value
 $all_or_any in string eq at
 /usr/local/pf/html/pfappserver/lib/pfappserver/Model/Search/Node.pm line
 73. (pfappserver::__ANON__)*
 Dec 10 10:41:34 httpd.admin(6919) INFO: status 200
 (pfappserver::Controller::Configuration::pf_section)
 Dec 10 10:41:59 httpd.admin(6919) INFO: set_role
 (pfappserver::Base::Form::Authentication::Action::validate)
 Dec 10 10:41:59 httpd.admin(6919) INFO: set_access_duration
 (pfappserver::Base::Form::Authentication::Action::validate)

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Wed, Dec 10, 2014 at 10:46 AM, Nathan, Josh josh.nat...@bfacademy.de
  wrote:

 OK, here're the packetfence logs for my login with NO conditions set
 (works... user gains Internet access):

 Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for
 jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
 source RadiusTest, returning actions. (pf::Authentication::Source::match)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
 source RadiusTest, returning actions. (pf::Authentication::Source::match)
 Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to
 jnathan (pf::person::person_modify)
 Dec 10 10:37:31 httpd.portal(6988) INFO: [00:1d:72:35:1b:15]
 re-evaluating access (manage_register called)
 (pf::enforcement::reevaluate_access)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)
 Dec 10 10:37:31 httpd.webservices(6992) INFO: Instantiate a new
 iptables modification method. pf::ipset (pf::inline::get_technique)
 Dec 10 10:37:32 httpd.webservices(6992) INFO: [00:1d:72:35:1b:15]
 stated changed, adapting firewall rules for proper enforcement
 (pf::inline::performInlineEnforcement)

 Here're the logs when ANY condition I've tried is set (doesn't work...
 user NOT granted Internet access):

 Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for
 jnathan in source RadiusTest (RADIUS) (pf

Re: [PacketFence-users] Radius Condition

2014-12-11 Thread Nathan, Josh
Thanks for your reply Juan,

But if you look, you should see from the excerpt of my conf file that I do,
indeed, have a role.  The role is staff.  Further, it does correctly
assign the role if I remove any conditions I have regarding the username
(I'll admit that I haven't tried other types of conditions as those aren't
pertinent to my goal).  From the logs, you can see that the username I
tried to authenticate with was jnathan, and even in the most basic
condition I tried (the condition of the username being jnathan), it then
fails to assign the role... as if the condition always fails.

So as it stands, the Rule itself works (sees that I have a legit username
and password, and assigns the proper role).  However, when I assign a
Condition to the rule, it fails.  Maybe I'm typing it in wrong?  I've tried
with no quotes, single quotes, double quotes... When looking at the conf
file in Vim, I don't see any erroneous characters or extra whitespace...

The end goal is to have a single Radius database that houses all usernames
and passwords, where our username pattern determines which role someone is
assigned.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Wed, Dec 10, 2014 at 6:43 PM, Juan Camilo Valencia 
juan.valen...@seguratec.com.co wrote:

 Hi Josh,

 Take a look at this log line
 Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
 pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
 nodes is reached (pf::node::is_max_reg_nodes_reached)

 That means that you don't have a role assigned for the user that you are
 using; you can assign it when you create the rule and assign that role to a
 vlan id in your switch. The problem is that without a role PF assumes that
 you have reached the maximum of devices authorized for the pid and doesn't
 assign a functional vlan. I think that your rule is correctly created except
 for the role; try to create a role and that should solve the problem.

 I hope that this helps you solve the problem.

 Best Regards,

 On Wed, Dec 10, 2014 at 5:09 AM, Nathan, Josh josh.nat...@bfacademy.de
 wrote:

 OK, I've also discovered the following in the httpd.admin.log file:

 Dec 10 10:41:14 httpd.admin(6919) INFO: [00:1d:72:35:1b:15] re-evaluating
 access (node_modify called) (pf::enforcement::reevaluate_access)
 Dec 10 10:41:14 httpd.admin(6919) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)

 *Dec 10 10:41:15 httpd.admin(6919) ERROR: Use of uninitialized value
 $all_or_any in string eq at
 /usr/local/pf/html/pfappserver/lib/pfappserver/Model/Search/Node.pm line
 73. (pfappserver::__ANON__)*
 Dec 10 10:41:34 httpd.admin(6919) INFO: status 200
 (pfappserver::Controller::Configuration::pf_section)
 Dec 10 10:41:59 httpd.admin(6919) INFO: set_role
 (pfappserver::Base::Form::Authentication::Action::validate)
 Dec 10 10:41:59 httpd.admin(6919) INFO: set_access_duration
 (pfappserver::Base::Form::Authentication::Action::validate)

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Wed, Dec 10, 2014 at 10:46 AM, Nathan, Josh josh.nat...@bfacademy.de
 wrote:

 OK, here're the packetfence logs for my login with NO conditions set
 (works... user gains Internet access):

 Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for
 jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
 source RadiusTest, returning actions. (pf::Authentication::Source::match)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
 source RadiusTest, returning actions. (pf::Authentication::Source::match)
 Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to
 jnathan (pf::person::person_modify)
 Dec 10 10:37:31 httpd.portal(6988) INFO: [00:1d:72:35:1b:15]
 re-evaluating access (manage_register called)
 (pf::enforcement::reevaluate_access)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)
 Dec 10 10:37:31 httpd.webservices(6992) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)
 Dec 10 10:37:32 httpd.webservices(6992) INFO: [00:1d:72:35:1b:15] stated
 changed, adapting firewall rules for proper enforcement
 (pf::inline::performInlineEnforcement)

 Here're the logs when ANY condition I've tried is set (doesn't work...
 user NOT granted Internet access):

 Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for
 jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
 Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
 pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
 nodes is reached (pf::node::is_max_reg_nodes_reached)


 For the sake of testing, I set a very simple rule.  Here's the entry
 from my Authentication.conf file:

 [RadiusTest

Re: [PacketFence-users] Radius Condition

2014-12-10 Thread Nathan, Josh
OK, here're the packetfence logs for my login with NO conditions set
(works... user gains Internet access):

Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for
jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
source RadiusTest, returning actions. (pf::Authentication::Source::match)
Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
source RadiusTest, returning actions. (pf::Authentication::Source::match)
Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to jnathan
(pf::person::person_modify)
Dec 10 10:37:31 httpd.portal(6988) INFO: [00:1d:72:35:1b:15] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Dec 10 10:37:31 httpd.portal(6988) INFO: Instantiate a new iptables
modification method. pf::ipset (pf::inline::get_technique)
Dec 10 10:37:31 httpd.webservices(6992) INFO: Instantiate a new iptables
modification method. pf::ipset (pf::inline::get_technique)
Dec 10 10:37:32 httpd.webservices(6992) INFO: [00:1d:72:35:1b:15] stated
changed, adapting firewall rules for proper enforcement
(pf::inline::performInlineEnforcement)

Here're the logs when ANY condition I've tried is set (doesn't work... user
NOT granted Internet access):

Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for
jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
nodes is reached (pf::node::is_max_reg_nodes_reached)


For the sake of testing, I set a very simple rule.  Here's the entry from
my Authentication.conf file:

[RadiusTest]
description=FreeRadius Server
secret=my secret
port=1812
type=RADIUS
host=my radius server

[RadiusTest rule RadiusStaff]
description=Check if Staff Account
match=all
action0=set_role=staff
action1=set_access_duration=1W
condition0=username,equals,jnathan

Ultimately, I'd like to use a regular expression rather than an equals.
I'd like to use something akin to: [a-zA-Z]$

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Tue, Dec 9, 2014 at 9:31 PM, Nathan, Josh josh.nat...@bfacademy.de
wrote:

 I know it works without the condition.  I did test that.  And I can see in
 the PacketFence logs that the username and password do authenticate
 correctly.  I'd send you the mentioned log files, but for my time zone, I'm
 already home.  I can send those tomorrow.

 But... I tested it without any conditions, and it worked fine.  Even with
 the condition, it all says that authentication was successful, it just
 follows it up with the warning that there is no role assignment.

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Tue, Dec 9, 2014 at 4:43 PM, Louis Munro lmu...@inverse.ca wrote:

 On 2014-12-09, at 9:04 , Nathan, Josh josh.nat...@bfacademy.de wrote:

  Hello,
 
  I'm trying to authenticate users against a Radius database, but if I
 add a condition to the rule, I keep getting this message in the logs along
 with the Sorry! page:
 
  httpd.portal(6978) WARN: No role specified or found for pid jnathan
 (MAC 00:1d:72:35:1b:15); assume maximum number of registered nodes is
 reached (pf::node::is_max_reg_nodes_reached)
 
  I would like to set it as a regular expression so that if the username
 ends with a letter, they have one role, and if they end with a number they
 have a different role.
 
  However, right now even setting it so that if the username either
 contains or equals 'jnathan', I get this message, let alone trying to
 use a regular expression.
 
  Any help?  How do I get these conditions working?


 Hi Joshua,
 Before diving into conditions it helps to make sure the authentication
 actually succeeds and the source is well configured.
 Can you post the contents of your conf/authentication.conf file (stripped
 of passwords and such), especially the section that defines the RADIUS
 source?

 You also need to check to see what else is in the logs. Clearly your rule
 was not matched, but that's not enough information to go on.

 Try defining a catchall rule first.
 Don't add any conditions.
 If your rule is still not matched then the problem is not with the rule
 itself.

 Regards,
 --
 Louis Munro
 lmu...@inverse.ca  ::  www.inverse.ca
 +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
 Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
 www.packetfence.org)



 --
 Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
 from Actuate! Instantly Supercharge Your Business Reports and Dashboards
 with Interactivity, Sharing, Native Excel Exports, App Integration  more
 Get technology previously reserved for billion-dollar corporations, FREE

 http://pubads.g.doubleclick.net
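As an added example (not PacketFence's own code) of what a rule like the one posted above should return, the Python below parses [<source> rule <name>] stanzas with their conditionN/actionN keys and evaluates them the way the thread describes: match=all, the equals/contains operators, and a condition-free catch-all rule that matches everyone. The "matches" regex operator name, the other extra operators, the second rule, its student role and the 1D duration are assumptions.

```python
"""Evaluate PacketFence-style authentication rules against a username.

Added illustration, not PacketFence's own implementation: parse the
'[<source> rule <name>]' stanzas from an authentication.conf-style text
and report which rule a username would hit and which actions it returns.
"""
import re
from configparser import ConfigParser

# Constructed copy of the source and rule posted in the thread
# (secret and host are placeholders, as in the post).
THREAD_CONF = """
[RadiusTest]
description=FreeRadius Server
secret=my secret
port=1812
type=RADIUS
host=my radius server

[RadiusTest rule RadiusStaff]
description=Check if Staff Account
match=all
action0=set_role=staff
action1=set_access_duration=1W
condition0=username,equals,jnathan
"""

# Constructed variant of the split the poster is after: usernames ending
# in a letter become staff, usernames ending in a digit become students.
# "matches" is assumed as the regex operator name; the student role and
# the 1D duration are placeholders.
SPLIT_CONF = """
[RadiusTest rule RadiusStaff]
description=Username ends with a letter
match=all
action0=set_role=staff
action1=set_access_duration=1W
condition0=username,matches,[a-zA-Z]$

[RadiusTest rule RadiusStudent]
description=Username ends with a digit
match=all
action0=set_role=student
action1=set_access_duration=1D
condition0=username,matches,[0-9]$
"""

# equals and contains appear in the thread; the others are assumed names
# for the same style of string test.
OPERATORS = {
    "equals": lambda value, arg: value == arg,
    "not_equals": lambda value, arg: value != arg,
    "contains": lambda value, arg: arg in value,
    "starts": lambda value, arg: value.startswith(arg),
    "ends": lambda value, arg: value.endswith(arg),
    "matches": lambda value, arg: re.search(arg, value) is not None,
}


def _numbered(items, prefix):
    """Values of keys prefix0, prefix1, ... in numeric (not lexical) order."""
    keys = [k for k in items if re.fullmatch(prefix + r"\d+", k)]
    return [items[k] for k in sorted(keys, key=lambda k: int(k[len(prefix):]))]


def parse_rules(conf_text, source):
    """Parse the '[<source> rule <name>]' stanzas belonging to one source."""
    cp = ConfigParser(interpolation=None)  # keep '$' in regexes literal
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(conf_text)
    prefix = f"{source} rule "
    rules = []
    for section in cp.sections():
        if not section.startswith(prefix):
            continue
        items = dict(cp[section])
        rules.append({
            "name": section[len(prefix):],
            "match": items.get("match", "all"),
            # "<attribute>,<operator>,<argument>"; the argument may contain
            # commas itself, hence maxsplit=2
            "conditions": [c.split(",", 2) for c in _numbered(items, "condition")],
            # "<action>=<value>"
            "actions": [a.split("=", 1) for a in _numbered(items, "action")],
        })
    return rules


def rule_matches(rule, attributes):
    """Apply the rule's conditions to the attributes known for the login."""
    outcomes = []
    for attribute, operator, argument in rule["conditions"]:
        value = attributes.get(attribute)
        test = OPERATORS.get(operator)
        # a missing attribute or an unknown operator never satisfies the
        # condition: fail closed rather than granting a role by accident
        outcomes.append(bool(value is not None and test and test(value, argument)))
    if rule["match"] == "any":
        return any(outcomes)
    # match=all with no conditions is the catch-all rule suggested in the
    # thread: it matches every successfully authenticated user
    return all(outcomes)


def match_source(conf_text, source, username):
    """(rule name, actions) of the first matching rule, else (None, {})."""
    attributes = {"username": username}
    for rule in parse_rules(conf_text, source):
        if rule_matches(rule, attributes):
            return rule["name"], dict(rule["actions"])
    return None, {}


if __name__ == "__main__":
    for conf, label in ((THREAD_CONF, "thread rule"), (SPLIT_CONF, "regex split")):
        for user in ("jnathan", "student42", "guest_"):
            print(label, user, "->", match_source(conf, "RadiusTest", user))
```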

Re: [PacketFence-users] Radius Condition

2014-12-10 Thread Nathan, Josh
OK, I've also discovered the following in the httpd.admin.log file:

Dec 10 10:41:14 httpd.admin(6919) INFO: [00:1d:72:35:1b:15] re-evaluating
access (node_modify called) (pf::enforcement::reevaluate_access)
Dec 10 10:41:14 httpd.admin(6919) INFO: Instantiate a new iptables
modification method. pf::ipset (pf::inline::get_technique)

*Dec 10 10:41:15 httpd.admin(6919) ERROR: Use of uninitialized value
$all_or_any in string eq at
/usr/local/pf/html/pfappserver/lib/pfappserver/Model/Search/Node.pm line
73. (pfappserver::__ANON__)*
Dec 10 10:41:34 httpd.admin(6919) INFO: status 200
(pfappserver::Controller::Configuration::pf_section)
Dec 10 10:41:59 httpd.admin(6919) INFO: set_role
(pfappserver::Base::Form::Authentication::Action::validate)
Dec 10 10:41:59 httpd.admin(6919) INFO: set_access_duration
(pfappserver::Base::Form::Authentication::Action::validate)

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Wed, Dec 10, 2014 at 10:46 AM, Nathan, Josh josh.nat...@bfacademy.de
wrote:

 OK, here're the packetfence logs for my login with NO conditions set
 (works... user gains Internet access):

 Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for
 jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
 source RadiusTest, returning actions. (pf::Authentication::Source::match)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
 source RadiusTest, returning actions. (pf::Authentication::Source::match)
 Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to
 jnathan (pf::person::person_modify)
 Dec 10 10:37:31 httpd.portal(6988) INFO: [00:1d:72:35:1b:15] re-evaluating
 access (manage_register called) (pf::enforcement::reevaluate_access)
 Dec 10 10:37:31 httpd.portal(6988) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)
 Dec 10 10:37:31 httpd.webservices(6992) INFO: Instantiate a new iptables
 modification method. pf::ipset (pf::inline::get_technique)
 Dec 10 10:37:32 httpd.webservices(6992) INFO: [00:1d:72:35:1b:15] stated
 changed, adapting firewall rules for proper enforcement
 (pf::inline::performInlineEnforcement)

 Here're the logs when ANY condition I've tried is set (doesn't work...
 user NOT granted Internet access):

 Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for
 jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
 Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
 pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
 nodes is reached (pf::node::is_max_reg_nodes_reached)


 For the sake of testing, I set a very simple rule.  Here's the entry from
 my Authentication.conf file:

 [RadiusTest]
 description=FreeRadius Server
 secret=my secret
 port=1812
 type=RADIUS
 host=my radius server

 [RadiusTest rule RadiusStaff]
 description=Check if Staff Account
 match=all
 action0=set_role=staff
 action1=set_access_duration=1W
 condition0=username,equals,jnathan

 Ultimately, I'd like to use a regular expression rather than an equals.
 I'd like to use something akin to: [a-zA-Z]$

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Tue, Dec 9, 2014 at 9:31 PM, Nathan, Josh josh.nat...@bfacademy.de
 wrote:

 I know it works without the condition.  I did test that.  And I can see
 in the PacketFence logs that the username and password do authenticate
 correctly.  I'd send you the mentioned log files, but for my time zone, I'm
 already home.  I can send those tomorrow.

 But... I tested it without any conditions, and it worked fine.  Even with
 the condition, it all says that authentication was successful, it just
 follows it up with the warning that there is no role assignment.

 Thanks,
 Joshua Nathan
 IT Administrator
 Black Forest Academy
 +49 (0) 7626-916123

 On Tue, Dec 9, 2014 at 4:43 PM, Louis Munro lmu...@inverse.ca wrote:

 On 2014-12-09, at 9:04 , Nathan, Josh josh.nat...@bfacademy.de
 wrote:

  Hello,
 
  I'm trying to authenticate users against a Radius database, but if I
 add a condition to the rule, I keep getting this message in the logs along
 with the Sorry! page:
 
  httpd.portal(6978) WARN: No role specified or found for pid jnathan
 (MAC 00:1d:72:35:1b:15); assume maximum number of registered nodes is
 reached (pf::node::is_max_reg_nodes_reached)
 
  I would like to set it as a regular expression so that if the username
 ends with a letter, they have one role, and if they end with a number they
 have a different role.
 
  However, right now even setting it so that if the username either
 contains or equals 'jnathan', I get this message, let alone trying to
 use a regular expression.
 
  Any help?  How do I get these conditions working?


 Hi Joshua,
 Before diving into conditions it helps to make sure the authentication
 actually succeeds and the source is well

[PacketFence-users] Radius Condition

2014-12-09 Thread Nathan, Josh
Hello,

I'm trying to authenticate users against a Radius database, but if I add a
condition to the rule, I keep getting this message in the logs along with
the Sorry! page:

httpd.portal(6978) WARN: No role specified or found for pid jnathan (MAC
00:1d:72:35:1b:15); assume maximum number of registered nodes is reached
(pf::node::is_max_reg_nodes_reached)

I would like to set it as a regular expression so that if the username ends
with a letter, they have one role, and if they end with a number they have
a different role.

However, right now even setting it so that if the username either
contains or equals 'jnathan', I get this message, let alone trying to
use a regular expression.

Any help?  How do I get these conditions working?

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Radius Condition

2014-12-09 Thread Nathan, Josh
I know it works without the condition.  I did test that.  And I can see in
the PacketFence logs that the username and password do authenticate
correctly.  I'd send you the mentioned log files, but for my time zone, I'm
already home.  I can send those tomorrow.

But... I tested it without any conditions, and it worked fine.  Even with
the condition, it all says that authentication was successful, it just
follows it up with the warning that there is no role assignment.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Tue, Dec 9, 2014 at 4:43 PM, Louis Munro lmu...@inverse.ca wrote:

 On 2014-12-09, at 9:04 , Nathan, Josh josh.nat...@bfacademy.de wrote:

  Hello,
 
  I'm trying to authenticate users against a Radius database, but if I add
 a condition to the rule, I keep getting this message in the logs along with
 the Sorry! page:
 
  httpd.portal(6978) WARN: No role specified or found for pid jnathan (MAC
 00:1d:72:35:1b:15); assume maximum number of registered nodes is reached
 (pf::node::is_max_reg_nodes_reached)
 
  I would like to set it as a regular expression so that if the username
 ends with a letter, they have one role, and if they end with a number they
 have a different role.
 
  However, right now even setting it so that if the username either
 contains or equals 'jnathan', I get this message, let alone trying to
 use a regular expression.
 
  Any help?  How do I get these conditions working?


 Hi Joshua,
 Before diving into conditions it helps to make sure the authentication
 actually succeeds and the source is well configured.
 Can you post the contents of your conf/authentication.conf file (stripped
 of passwords and such), especially the section that defines the RADIUS
 source?

 You also need to check to see what else is in the logs. Clearly your rule
 was not matched, but that's not enough information to go on.

 Try defining a catchall rule first.
 Don't add any conditions.
 If your rule is still not matched then the problem is not with the rule
 itself.

 Regards,
 --
 Louis Munro
 lmu...@inverse.ca  ::  www.inverse.ca
 +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
 Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
 www.packetfence.org)






[PacketFence-users] Inline Quarantine Not Working

2013-04-17 Thread Nathan, Josh
Hello,

I've recently set up a PacketFence 3.6 server in Inline mode.  I created a 
custom violation via the webgui in Configuration > Violations.  However, even 
though I enabled the violation, and set trap as one of the actions, it's 
still letting computers with an open violation browse the Internet without any 
problems.  Is there another step in the process that I'm missing?  ...Create 
violation under the Configuration > Violations tab... Restart PacketFence.

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123


Re: [PacketFence-users] Inline Quarantine Not Working

2013-04-17 Thread Nathan, Josh
Fabrice,

Thanks for the reply.  Both with or without a violation the MAC address is in 
the ipset.

OK, as I'm replying I'm doing some tests.  So... it looks like if the computer 
has an instance of the same violation that is in a closed status, then any 
newer violations of the same vid don't work.

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123

From: Fabrice DURAND [fdur...@inverse.ca]
Sent: Wednesday, April 17, 2013 1:50 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Inline Quarantine Not Working

Hello Nathan,
Can you create a new violation for your node and verify that the MAC address 
appears in the ipset session?
ipset -L

Regards
Fabrice

On 2013-04-17 06:24, Nathan, Josh wrote:
Hello,

I've recently set up a PacketFence 3.6 server in Inline mode.  I created a 
custom violation via the webgui in Configuration-Violations.  However, even 
though I enabled the violation, and set trap as one of the actions, it's 
still letting computers with an open violation browse the Internet without any 
problems.  Is there another step in the process that I'm missing?  ...Create 
violation under configuration-violations tab... Restart PacketFence.

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123







--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)


[PacketFence-users] Multiple Login Criteria

2013-04-17 Thread Nathan, Josh
Hello,

I work at a school, and we're using PacketFence 3.6.  What we want to do is 
force people to log in at different intervals based off of the credentials 
they supply.  Since we have lab computers, we'd like students to have to log in 
every time they open a browser, preferably making an exception for mobile 
devices.  However, we don't want teachers, or guests, to have to log in that 
often with their devices.

Is there a way to do something like that?  Maybe make it so that certain 
computers are based off of sessions and others can stay authenticated for a 
week?  Suggestions?

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123


[PacketFence-users] Delayed Connection

2013-02-06 Thread Nathan, Josh
Hello,

We're running PacketFence 3.3.2 in Inline mode.  The problem we're having is 
that most of the time when someone logs in, it tells them that no Internet 
Access is detected.  Most of the time they can still access the Internet.  
However, sometimes it will take several minutes before they can actually get to 
the Internet after logging in.  If multiple users (20-ish) are logging in 
around the same time, the problem also gets worse.

Any ideas on why there would be such a delay, and why the Internet connection 
test isn't working?  Since it does work (given some time), I'm not sure what 
part of my configuration files to even look at...

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123


Re: [PacketFence-users] Delayed Connection

2013-02-06 Thread Nathan, Josh
Thanks! I'll look into updating our PacketFence version.

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123

From: Durand Fabrice [fdur...@inverse.ca]
Sent: Wednesday, February 06, 2013 2:07 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Delayed Connection

Hello Nathan,
It's because of a bug in a Perl module (permissions on a file).

For inline it is preferable to use PacketFence 3.6.0 or higher.
This version of PacketFence uses ipset instead of just iptables and works better 
for inline mode.

Regards
Fabrice

On 2013-02-06 05:38, Nathan, Josh wrote:
Hello,

We're running PacketFence 3.3.2 in Inline mode.  The problem we're having is 
that most of the time when someone logs in, it tells them that no Internet 
Access is detected.  Most of the time they can still access the Internet.  
However, sometimes it will take several minutes before they can actually get to 
the Internet after logging in.  If multiple users (20-ish) are logging in 
around the same time, the problem also gets worse.

Any ideas on why there would be such a delay, and why the Internet connection 
test isn't working?  Since it does work (given some time), I'm not sure what 
part of my configuration files to even look at...

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123







--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)


Re: [PacketFence-users] Rogue DHCP Violations

2012-10-09 Thread Nathan, Josh
I'm using the default that came with PF.  Here's the trigger...

[1100010]
desc=Rogue DHCP
url=/remediation.php?template=roguedhcp
trigger=internal::1100010
actions=email,log,trap
enabled=Y
auto_enable=N

Unfortunately, I'm having a terrible time finding the rule for it.  I can keep 
looking, but if you know the default location, I'd appreciate the nudge in the 
right direction.  I've tried searching all the files in /usr/local/pf/conf/snort

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123

From: Bulanda, Dave G [dgbula...@indianatech.edu]
Sent: Monday, October 08, 2012 3:30 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: Re: [PacketFence-users] Rogue DHCP Violations

Ok, on my Rogue DHCP server violation I do not quarantine, just email and log.  
So I am wondering if there is an error in your violation record which is 
causing it?

What does your trigger look like?


David Bulanda
Network Services Manager
dgbula...@indianatech.edu
Indiana Tech  http://www.indianatech.edu/



From: Nathan, Josh [mailto:josh.nat...@bfacademy.de]
Sent: Monday, October 08, 2012 9:11 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Rogue DHCP Violations

Dave,

Thanks for the response. I can definitely find the laptops that are getting 
flagged, and they are not approved for being DHCP servers. But we even have 
non-technical teachers getting flagged for it.  They'll just be surfing the 
Internet and then get quarantined as running a rogue DHCP server for no 
apparent reason.

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123

From: Bulanda, Dave G [dgbula...@indianatech.edu]
Sent: Monday, October 08, 2012 2:45 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: Re: [PacketFence-users] Rogue DHCP Violations
Josh,

Make sure that you have all the ip’s of valid dhcp servers listed in the 
pf.conf file. Second, in the violation it should show you the mac address of 
the system handing out the dhcp addresses, I would look there to see if you can 
track it down.

Something I did observe earlier in the semester was a laptop with an Intel 
wireless card in it, which could become a hotspot as well. That was causing 
some rogue DHCP reports and rogue AP reports in my wireless system.


David Bulanda
Network Services Manager
dgbula...@indianatech.edu
Indiana Tech  http://www.indianatech.edu/



From: Nathan, Josh [mailto:josh.nat...@bfacademy.de]
Sent: Monday, October 08, 2012 7:46 AM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Rogue DHCP Violations

Hello,

We're getting a lot of Rogue DHCP server violations, but I'm not seeing what 
the cause could be.  We're running PacketFence version 3.3.2.  I've looked at 
some of the laptops that are getting these, but there doesn't seem to be 
anything amiss.

Any suggestions on what to look for? Sometimes it will be a week or more between 
reports of the computer having this problem.

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123
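The thread above turns on two points: the valid DHCP servers have to be allowlisted, and the violation reports the MAC address of the box handing out leases, which is what identifies it when the offered addresses come from a range unrelated to the site's numbering. The following is an added example written for this page, not PacketFence code and not how its rogue-DHCP detector is implemented; it runs the same allowlist check over a constructed set of DHCPOFFER records (the log line format, the server and client MACs, and the allowlisted addresses are all made up for the example) and groups the offenders by server MAC so the affected clients are visible too.

```python
"""Flag DHCP offers from servers that are not on the site's allowlist.

Added example, not PacketFence code. The record format below is constructed
for this example; it is not a PacketFence or ISC dhcpd log format.
"""
import re
from collections import defaultdict

# Valid DHCP servers a site would allowlist (assumed values, not from the post).
ALLOWED_DHCP_SERVERS = {"172.25.0.1", "10.0.220.3"}

# Constructed observations, one DHCP message per line (not a real capture).
SAMPLE_LOG = """\
2012-10-08 07:40:01 DHCPOFFER server=172.25.0.1 smac=00:1b:21:6e:a3:21 client=aa:bb:cc:00:00:01 ip=172.25.10.20
2012-10-08 07:40:03 DHCPOFFER server=172.25.0.1 smac=00:1b:21:6e:a3:21 client=aa:bb:cc:00:00:02 ip=172.25.10.21
2012-10-08 07:41:10 DHCPOFFER server=192.168.137.1 smac=68:17:29:aa:bb:cc client=aa:bb:cc:00:00:03 ip=192.168.137.50
2012-10-08 07:41:12 DHCPOFFER server=192.168.137.1 smac=68:17:29:aa:bb:cc client=aa:bb:cc:00:00:01 ip=192.168.137.51
2012-10-08 07:42:00 DHCPDISCOVER client=aa:bb:cc:00:00:04
"""

OFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DHCPOFFER server=(?P<server>\S+) smac=(?P<smac>\S+) "
    r"client=(?P<client>\S+) ip=(?P<ip>\S+)$"
)


def parse_offers(text):
    """Yield one dict per DHCPOFFER line; other DHCP message types are ignored."""
    for line in text.splitlines():
        m = OFFER_RE.match(line.strip())
        if m:
            yield m.groupdict()


def rogue_servers(offers, allowed):
    """Group offers from non-allowlisted servers by the server's MAC address.

    Keyed on the MAC rather than the IP: a laptop sharing its connection
    hands out addresses from a private range that says nothing about where
    the box is, while the MAC is what you track down on the switch or AP.
    """
    found = defaultdict(lambda: {"ips": set(), "clients": set(), "offers": 0})
    for offer in offers:
        if offer["server"] in allowed:
            continue
        rec = found[offer["smac"]]
        rec["ips"].add(offer["server"])
        rec["clients"].add(offer["client"])   # devices that took a rogue lease
        rec["offers"] += 1
    return dict(found)


def report(text=SAMPLE_LOG, allowed=ALLOWED_DHCP_SERVERS):
    """Run the check over a log text and return {server_mac: summary}."""
    return rogue_servers(parse_offers(text), allowed)


if __name__ == "__main__":
    for mac, rec in report().items():
        print(f"rogue DHCP server {mac} at {sorted(rec['ips'])}: "
              f"{rec['offers']} offers to {len(rec['clients'])} clients")
```

The clients set is the part worth keeping in a real deployment: a device that accepted a lease from the rogue server is now using the rogue's gateway and resolver, so it is the second thing to check after the server itself.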


[PacketFence-users] Rogue DHCP Violations

2012-10-08 Thread Nathan, Josh
Hello,

We're getting a lot of Rogue DHCP server violations, but I'm not seeing what 
the cause could be.  We're running PacketFence version 3.3.2.  I've looked at 
some of the laptops that are getting these, but there doesn't seem to be 
anything amiss.

Any suggestions on what to look for? Sometimes it will be a week or more between 
reports of the computer having this problem.

_
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123


[PacketFence-users] Restrict DNS

2012-05-07 Thread Nathan, Josh
Hello,

I'm looking at trying to combine PacketFence with OpenDNS.  However, in order 
to do that, I need to block all DNS requests except the one(s) I specify.  Is 
there a way to do this within PacketFence (perhaps log a violation for any DNS 
requests going to non-listed DNS servers)?  Or shall I try doing this strictly 
within iptables directly?

_
Thanks and God bless!
Joshua D. Nathan
IT Support
Black Forest Academy
+49-7626-916166
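The post asks for two things: forward client DNS only to the resolvers the site specifies, and have something to raise a violation on for clients that try others. The block below is an added example written for this page, not PacketFence code. It generates the iptables FORWARD rules an inline gateway would need (accept port 53 to the listed resolvers, log and drop the rest) and evaluates constructed flows against the same policy, so the rule set can be checked before it is loaded. The resolver addresses are the public OpenDNS ones as I know them (verify against OpenDNS's own documentation); the client-facing interface name and the sample flows are assumptions.

```python
"""Restrict forwarded client DNS to an allowlist of resolvers.

Added example, not PacketFence code. Resolver addresses are the OpenDNS
public resolvers as known to the author of this example; LAN_IFACE and
the sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

ALLOWED_RESOLVERS = ("208.67.222.222", "208.67.220.220")
LAN_IFACE = "eth0"            # inline client-facing interface (assumed)
LOG_PREFIX = "PF-DNS-DENY "   # syslog marker a violation trigger could key on


def iptables_rules(resolvers=ALLOWED_RESOLVERS, lan_iface=LAN_IFACE):
    """FORWARD-chain rules in iptables-restore syntax, in evaluation order."""
    rules = []
    for ip in resolvers:
        for proto in ("udp", "tcp"):
            rules.append(f"-A FORWARD -i {lan_iface} -p {proto} --dport 53 -d {ip} -j ACCEPT")
    # Everything else on port 53 from clients is logged, then dropped.
    for proto in ("udp", "tcp"):
        rules.append(f'-A FORWARD -i {lan_iface} -p {proto} --dport 53 -j LOG --log-prefix "{LOG_PREFIX}"')
        rules.append(f"-A FORWARD -i {lan_iface} -p {proto} --dport 53 -j DROP")
    return rules


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str = LAN_IFACE


def verdict(flow, resolvers=ALLOWED_RESOLVERS, lan_iface=LAN_IFACE):
    """Outcome the rules above give a flow.

    ACCEPT / DROP for client DNS; PASS when none of the rules match (not
    port 53, not from the client side), in which case later rules decide.
    """
    if flow.in_iface != lan_iface or flow.dport != 53 or flow.proto not in ("udp", "tcp"):
        return "PASS"
    return "ACCEPT" if flow.dst in resolvers else "DROP"


# Constructed sample flows (TEST-NET addresses), not a capture.
SAMPLE_FLOWS = [
    Flow("172.25.10.20", "208.67.222.222", "udp", 53),
    Flow("172.25.10.20", "203.0.113.53", "udp", 53),
    Flow("172.25.10.21", "203.0.113.53", "tcp", 53),
    Flow("172.25.10.21", "198.51.100.10", "tcp", 443),
]


def denied_by_client(flows=SAMPLE_FLOWS, resolvers=ALLOWED_RESOLVERS):
    """{client IP: resolvers it was blocked from}: the data a violation would be raised on."""
    denied = defaultdict(set)
    for flow in flows:
        if verdict(flow, resolvers) == "DROP":
            denied[flow.src].add(flow.dst)
    return dict(denied)


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print(denied_by_client())
```

Two caveats a practitioner would want: these rules sit in FORWARD, so queries to a resolver running on the PacketFence box itself (named on the registration network) go through INPUT and are unaffected; and only plain port 53 is covered, so DNS carried over TLS or HTTPS to some other resolver is not caught by this policy.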


[Packetfence-users] Named Not Starting

2012-04-19 Thread Nathan, Josh
On a fresh install of PacketFence 3.3.1, I can't get named to start.  No errors 
are given, either.  I'm using Inline enforcement.

Because named won't run, browsers aren't getting successfully redirected.  I 
was able to confirm that the redirect message is being given by doing a telnet 
to the PacketFence server (via IP Address) over port 80.  When I did that it 
gave me the html for redirecting to the registration page, but since it gives 
the server name and domain instead of the IP address in the redirect, browsers 
can't resolve the redirect.

So it appears that everything except named is working.  When I looked in 
/usr/local/pf/var/conf there wasn't a named.conf which makes me think it's not 
even attempting to generate one (which would prevent it from starting).  I've 
tried running the configurator a couple different times.  The Administration 
page shows that it's supposed to be running.

The OS is CentOS 5.8

_
Thanks and God bless!
Joshua D. Nathan
IT Support
Black Forest Academy
+49-7626-916166


Re: [Packetfence-users] DHCP and Network Configuration

2012-02-22 Thread Nathan, Josh
Francois,

Thanks for the reply!  Good to know about the sub-interfaces vs VLAN 
interfaces.  And yes, as I started following what challenges others have been 
facing I started thinking I might need to switch to an Inline configuration 
instead.  I'll try these over the next few days and see if that clears 
everything up.

Thanks again!
Josh



[Packetfence-users] DHCP and Network Configuration

2012-02-16 Thread Nathan, Josh
Hello, I'm new to PacketFence and am trying it out in a tiny sandbox 
environment. Right now I have a proxy (gateway) server, my PF/DHCP server, and 
then a laptop connected to a little 8-port ethernet switch. Right now, both 
servers have two NICs each (one of which is connected to the sandbox 
environment, the other connected to a router which gives each Internet access). 
 The goal is to get it so that when the laptop tries to get an IP Address, it 
has to be registered, and then allowed access to the Internet.

The problem I'm having is that if I try to setup a Monitor, Registration, and 
Isolation network on my PF server, DHCP won't start complaining that Interface 
eth0 matches multiple shared networks.  I tried combining them into just eth0, 
but then the laptop either has Internet access with or without being registered 
or it never gets Internet access.

Yes, I did run the configurator.pl, but that left me with the DHCP error.  
Since, I've been reading forums, etc, and editing the various files manually to 
no avail.  Unfortunately, I've tried enough things that there might be some 
glaring problems right now, but any help would be immensely appreciated.

I'm running CentOS 5.7 (I initially installed CentOS 5.3, but apparently amidst 
all the updates it went to 5.7... at least /etc/redhat-release says I'm on 5.7 
now).

Below are my various conf files, but first here's what I get when trying to 
start PF (note, Snort always fails to start and takes pfdetect down with it... 
but I can then start pfdetect again and it will stay up as long as I leave 
Snort down.  Not sure how much of my problem is related to that).

Starting PacketFence...Checking configuration sanity...
service|command
config files|start
iptables|start
named|start
Internet Systems Consortium DHCP Server V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 0 leases to leases file.
Interface eth0 matches multiple shared networks

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-ser...@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.
dhcpd|start
radiusd|start
httpd|start
snmptrapd|start
pfdetect|start
pfsetvlan|start
pfdhcplistener|start
pfmon|start
snort|start

Here are my conf files...
/usr/local/pf/conf/pf.conf:
[general]
domain=bfa
hostname=alexander
dnsservers=194.25.0.60

[trapping]
range=172.25.0.0/16,172.25.20.0/16
detection=enabled
registration=enabled

[alerting]
emailaddr=[my email address]

[scan]
pass=[valid password]
registration=enabled

[database]
pass=packetfence
db=pf
user=pf
port=3306
host=localhost

[interface eth0]
type=monitor

[interface eth0:1]
ip=172.25.10.1
mask=255.255.255.0
gateway=172.25.10.1
type=internal
enforcement=vlan

[interface eth0:2]
ip=172.25.20.1
mask=255.255.255.0
gateway=172.25.20.1
type=internal
enforcement=vlan

[interface eth1]
ip=10.0.220.42
mask=255.0.0.0
gateway=10.0.220.3
type=management

/usr/local/pf/conf/networks.conf:
[172.25.10.0]
type=vlan-registration
netmask=255.255.255.0
gateway=172.25.0.1
named=enabled
dns=172.25.10.1
domain-name=registration.bfa
dhcpd=enabled
dhcp_start=172.25.10.10
dhcp_end=172.25.10.250
dhcp_default_lease_time=300
dhcp_max_lease_time=300

[172.25.20.0]
type=vlan-isolation
netmask=255.255.255.0
gateway=172.25.0.1
named=enabled
dns=172.25.20.1
domain-name=isolation.bfa
dhcpd=enabled
dhcp_start=172.25.20.10
dhcp_end=172.25.20.250
dhcp_default_lease_time=300
dhcp_max_lease_time=300

And here are my ifcfg files for the NIC (for whatever reason, mine had colons 
instead of dots in the script name)...
/etc/sysconfig/ifcfg-eth0:
DEVICE=eth0
BOOTPROTO=none
BROADCAST=172.25.255.255
HWADDR=00:1B:21:6E:A3:21
IPADDR=172.25.0.2
IPV6INIT=no
IPV6_AUTOCONF=yes
NETMASK=255.255.0.0
NETWORK=172.25.0.0
ONBOOT=yes
TYPE=Ethernet
PEERDNS=yes
USERCTL=no

/etc/sysconfig/ifcfg-eth0:1
GATEWAY=172.25.0.1
TYPE=Ethernet
DEVICE=eth0:1
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=172.25.10.1
USERCTL=no
IPV6INIT=no
ONPARENT=yes
PEERDNS=yes
ONBOOT=yes
VLAN=yes

/etc/sysconfig/ifcfg-eth0:2
GATEWAY=172.25.0.1
TYPE=Ethernet
DEVICE=eth0:2
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=172.25.20.1
USERCTL=no
IPV6INIT=no
ONPARENT=yes
PEERDNS=yes
ONBOOT=yes
VLAN=yes

Thanks!!!
Josh
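The configuration in this post carries the layout that produces the dhcpd error quoted above: the registration and isolation subnets ride on eth0:1 and eth0:2, which are IP aliases of one physical NIC rather than VLAN sub-interfaces, so dhcpd sees two shared networks on the same interface. Two smaller problems are also visible: both networks in networks.conf point at gateway 172.25.0.1, which is outside 172.25.10.0/24 and 172.25.20.0/24, and the second trapping range, 172.25.20.0/16, has host bits set and collapses to the same /16 as the first. The block below is an added example written for this page, not PacketFence's own configuration validator; it parses trimmed copies of the two files from the post and reports those three findings.

```python
"""Lint the pf.conf / networks.conf layout from the post above.

Added example, not PacketFence code. The embedded configs are trimmed
copies of the ones in the post; the checks are the author's.
"""
import configparser
from ipaddress import ip_address, ip_interface, ip_network

PF_CONF = """\
[trapping]
range=172.25.0.0/16,172.25.20.0/16

[interface eth0]
type=monitor

[interface eth0:1]
ip=172.25.10.1
mask=255.255.255.0
gateway=172.25.10.1
type=internal
enforcement=vlan

[interface eth0:2]
ip=172.25.20.1
mask=255.255.255.0
gateway=172.25.20.1
type=internal
enforcement=vlan

[interface eth1]
ip=10.0.220.42
mask=255.0.0.0
gateway=10.0.220.3
type=management
"""

NETWORKS_CONF = """\
[172.25.10.0]
type=vlan-registration
netmask=255.255.255.0
gateway=172.25.0.1
dns=172.25.10.1

[172.25.20.0]
type=vlan-isolation
netmask=255.255.255.0
gateway=172.25.0.1
dns=172.25.20.1
"""


def load(text):
    # '=' only: the default delimiters would also treat ':' as one.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def subnets_per_nic(pf):
    """Map physical NIC -> [(interface name, network)] for interfaces carrying an IP."""
    by_nic = {}
    for section in pf.sections():
        if not section.startswith("interface ") or not pf.has_option(section, "ip"):
            continue
        iface = section.split(" ", 1)[1]
        net = ip_interface(f"{pf[section]['ip']}/{pf[section]['mask']}").network
        by_nic.setdefault(iface.split(":", 1)[0], []).append((iface, net))  # eth0:1 -> eth0
    return by_nic


def lint(pf_text, networks_text):
    """Return a list of human-readable findings for the two files."""
    pf, networks = load(pf_text), load(networks_text)
    findings = []
    # 1. several subnets on one physical NIC through aliases: dhcpd refuses this.
    for nic, members in subnets_per_nic(pf).items():
        nets = {net for _, net in members}
        if len(nets) > 1:
            names = ", ".join(iface for iface, _ in members)
            findings.append(f"{nic}: aliases {names} put {len(nets)} subnets on one NIC; "
                            "dhcpd will report 'matches multiple shared networks' "
                            "(use 802.1Q VLAN sub-interfaces or separate NICs)")
    # 2. a network's gateway must lie inside that network.
    for section in networks.sections():
        net = ip_network(f"{section}/{networks[section]['netmask']}")
        gw = ip_address(networks[section]["gateway"])
        if gw not in net:
            findings.append(f"network {section}: gateway {gw} is not inside {net}")
    # 3. trapping ranges with host bits set silently widen to the containing prefix.
    for raw in pf["trapping"]["range"].split(","):
        raw = raw.strip()
        try:
            ip_network(raw)
        except ValueError:
            findings.append(f"trapping range {raw}: host bits set, parses as "
                            f"{ip_network(raw, strict=False)}")
    return findings


def findings_for_post():
    return lint(PF_CONF, NETWORKS_CONF)


if __name__ == "__main__":
    print("\n".join(findings_for_post()))
```

The first finding is the one that stops dhcpd; the other two would not block startup but would break routing for registered clients and make the second trapping range a duplicate of the first.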