Re: [PacketFence-users] PF 13.1 Security Onion 2.4

2024-05-16 Thread Sallee, Jake via PacketFence-users
Nate:

I am VERY curious to hear about how you are tying SO and PF together.  I also 
am running both and am thinking of integrating them.  I would like to hear your 
thoughts and experiences.

Please feel free to start a new thread or contact me off-list if you are more 
comfortable there.


Jake Sallee

MANAGER OF INFORMATION SECURITY AND NETWORKS

Godfather of Bandwidth

UMHB Box 8005 | 900 College Street | Belton, Texas 76513

Office: 254.295.4658

umhb.edu


From: Nate Tremmel via PacketFence-users 

Sent: Wednesday, May 8, 2024 12:43 PM
To: PacketFence-users@lists.sourceforge.net 

Cc: Nate Tremmel 
Subject: Re: [PacketFence-users] PF 13.1 Security Onion 2.4


SELinux was blocking syslog from reading the file.

> On May 8, 2024, at 10:32 AM, Nate Tremmel  wrote:
>
> Anyone using Security Onion 2.4 forwarding to PacketFence for suricata 
> events? I have configured as the installation guide for 2.3 version of 
> Security Onion and I have the fast.log populating, but the syslog forwarding 
> doesn’t seem to be sending the fast.log to syslog on packet fence.  I can 
> forward all security onion logs to packet fence and I still don’t see the 
> fast logs coming through.


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Basic MAC authentication and vlan assignment

2023-06-26 Thread Sallee, Jake via PacketFence-users
Check out  Meraki's documentation:

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

Match that up with PFs docs:

https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_switch_ms220_8

It may not be EXACTLY the info that you need, but that should get you most of 
the way there.


Jake Sallee

MANAGER OF INFORMATION SECURITY AND NETWORKS

Godfather of Bandwidth

UMHB Box 8005 | 900 College Street | Belton, Texas 76513

Office: 254.295.4658

umhb.edu


From: Bergen, Ryan via PacketFence-users 

Sent: Monday, June 26, 2023 11:56 AM
To: packetfence-users@lists.sourceforge.net 

Cc: Bergen, Ryan 
Subject: Re: [PacketFence-users] Basic MAC authentication and vlan assignment


We are using Meraki switches and currently have it working using freeradius, 
with a custom mysql backend. Looking to move to a more polished product and 
away from custom.



Thanks





From: DOHIN Franck via PacketFence-users 

Date: Monday, June 26, 2023 at 11:53 AM
To: packetfence-users@lists.sourceforge.net 

Cc: DOHIN Franck 
Subject: Re: [PacketFence-users] Basic MAC authentication and vlan assignment


Hello,



It depends on the switch you have. You should implement MAC authentication on 
your switch port and send requests to the PacketFence servers using RADIUS.



From: Bergen, Ryan via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Monday, June 26, 2023 17:13
To: packetfence-users@lists.sourceforge.net
Cc: Bergen, Ryan 
Subject: [PacketFence-users] Basic MAC authentication and vlan assignment




Can someone point me to the right area of the administration manual to setup 
basic MAC authentication.



Our setup is simple, devices are all not allowed on the network unless its MAC 
address has been manually added to an approved Network, these networks have a 
vlan ID which places the device on the right vlan after they’ve been authorized.



Thanks!


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Captive portal customizations gone after upgrade

2022-10-04 Thread Sallee, Jake via PacketFence-users
All:

Hoping someone can shed some light on this.

We did an upgrade to the latest maintenance patch of PF and the customizations 
we put on the captive portal were removed.

All we did is change the logo (via the web GUI) and slightly modify the CSS to 
fit our color scheme.

Now our custom logo is a broken jpeg and the CSS has reverted back to the 
default.

I checked out the developers guide for customizing the captive portal but it 
didn't help me much ... full disclosure I am not a web developer so that could 
very well be my fault.

Does anyone have any assistance they can offer to help us get this resolved?


Jake Sallee

SYSTEM ENGINEER AND SECURITY SPECIALIST

Godfather of Bandwidth

UMHB Box 8005 | 900 College Street | Belton, Texas 76513

Phone: 254.295.4658 Fax: 254-295-4221

umhb.edu
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Authentication Source HTTP

2021-08-11 Thread Sallee, Jake via PacketFence-users
Are you looking for something like this?

https://medium.com/beyond-the-helpdesk/configuring-packetfence-for-use-with-dpsk-6519aaf6fe4d

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



From: Schüller Dennis via PacketFence-users 

Sent: Tuesday, August 10, 2021 5:59 AM
To: packetfence-users@lists.sourceforge.net
Cc: Schüller Dennis
Subject: [PacketFence-users] Authentication Source HTTP

Hey everybody,

I’m looking for a Solution to implement a voucher-System to Packetfence or 
generate an Authentication-Source for this.

So my Idea is, if a User connect to the Wifi he must enter a key which is 
stored in a Database or something else after the Key is correct he can access 
to the Network for x-Time.

I can’t find any Documentation about the Authentication-Sources like http what 
in my Opinion could be the Solution.
Could someone Explain this Source and how to configure it?

Or does someone have another Solution for my Problem?

Thanks a lot!

With kind regards
i. A. Dennis Schüller
IT System Administrator
Finance & Administration

dennis.schuel...@nuerburgring.de

T +49 (2691) 302 9885
M +49 151 571 320 36
F +49 2691 302 9897
Nürburgring 1927
GmbH & Co. KG

Otto-Flimm-Straße
53520 Nürburg
nuerburgring.de

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] (no subject)

2021-08-10 Thread Sallee, Jake via PacketFence-users
Abdi:

Setting up PF for the first time can be difficult if you are not familiar with 
Linux.

My suggestion is to wipe the slate clean and start over again.  Delete your 
current PF and Linux install completely.

Start by just installing PF on a new linux install.  Follow the install guide 
CAREFULLY, read the whole guide before doing anything and then read every step 
as you complete them.

Once the OS and PF is installed run through the configuration wizard.

Once that is done you can move forward.

Like I mentioned before, the important thing to remember is the difference 
between a problem and a project.  

> I have tried the captive portal and the vlan enforcement but it would not work

That is a project.  It involves the solving of several problems.

Once the software is installed and the initial config is done you can start the 
process of testing the vlan enforcement.

I'm copying this conversation to the list so anyone else who wants to can jump 
in and add their knowledge as well.

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



From: Abdi Ahmed 
Sent: Tuesday, August 10, 2021 10:19 AM
To: Sallee, Jake
Subject:

Thank you,

The module I want to implement is to register the users of my network and from 
what I understand from the pf documentation is whenever a user enters your 
network put it on the registration vlan after its acknowledged put it on the 
normal vlan of your infrastructure.
I have tried the captive portal and the vlan enforcement but it would not work

On Tue, Aug 10, 2021, 5:34 PM Sallee, Jake <jake.sal...@umhb.edu> wrote:
It's no problem, no need to apologize for anything.

English is my ONLY language and it can still be hard for me to communicate 
exactly what I want to say.

As for deploying PacketFence (PF) that is a long conversation.

PF is a very versatile product, and it can do almost anything you want it to.  
The catch is you have to know HOW to make it do what you want it to do.  Just 
like anything else there is a learning curve and PF expects you to already have 
some fairly deep understanding of computer networking.

So the first questions you need to ask are "Are you familiar with computer 
networking?"  and "Do you know what vlans are and how they work?"

Then you need to make sure the equipment you want to use with PF is capable of 
working with PF.  Some switches do not have the technology necessary so you 
will need to verify.  As long as your switch supports  vlans and  802.1X port 
security you should be okay.

The process of installing and configuring PF is detailed in the quick start 
guide on the website.

If the process of installing a linux server and software is unfamiliar to you 
this could be an excellent time to learn.  But, if you need PF deployed quickly 
you can contact Inverse (the company that makes PF) and they can work with you 
to get it setup and installed to your requirements.  However, that service is 
NOT free.  It's not expensive, but it is not free.

Post to the list if you have any specific questions.  Good luck!

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



From: Abdi Ahmed <cabdiqanic...@gmail.com>
Sent: Monday, August 9, 2021 9:25 PM
To: Sallee, Jake
Subject: Sorry for my bad attitude

Hi,
I am not so good in English but I got the points that you were talking about.
I am new to the packetfence solution and I am implementing it for medium 
enterprise so have you give a hint how I can use the vlan enforcement?


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] (no subject)

2021-08-09 Thread Sallee, Jake via PacketFence-users
Abdi:

I am assuming you're new to the mailing list; if so, Welcome to the mailing 
list!

Here you don't have to ask for help first, just post your question and if 
someone can help you, they will.

A few things to keep in mind:

1)  Remember this is FREE support.  Most of the people here are other PF users 
and have lots of other things to do so don't get too upset if no one responds 
quickly

2)  Give details when you ask your question.  Tell us what the problem is to 
the best of your ability and tell us what you have tried to do to fix it.  
Include relevant log entries too if you can find them.  PF generates LOTS of 
very good logs.

3)  Remember the difference between solving a problem and accomplishing a 
project.  Keep your problems specific.  We can help solve a specific problem 
like: "this user is getting the wrong vlan assigned when they connect" but broad 
statements like "I can't get vlan enforcement to work" usually involve solving 
many smaller issues.

If you want specific help this list is awesome, but if you need someone to help 
you with a project that is the type of thing people get paid for.  If that is 
the case I HIGHLY recommend the professional support offered by Inverse.

Please feel free to post your issue to the list, if I know anything about it 
I'll chime in.  Good luck to you!

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



From: Abdi Ahmed via PacketFence-users 
Sent: Wednesday, August 4, 2021 1:11 AM
To: PacketFence-users@lists.sourceforge.net
Cc: Abdi Ahmed
Subject: [PacketFence-users] (no subject)

I am facing problem with vlan enforcement can I get help


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

2021-07-08 Thread Sallee, Jake via PacketFence-users
I apologize if I did not phrase that correctly.  

We ARE using PF for isolation and registration, what we are not using is the 
DHCP functionality that PF offers.  

We are using our own DHCP servers to provide IPs to clients for registration 
and isolation, as well as the standard production networks.

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Diego García del Río 
Sent: Thursday, July 8, 2021 1:06 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sallee, Jake
Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

not using packetfence for isolation/registration is quite surprising. Is that 
supported at all?

I'm guessing it works for you.. but still quite surprising. (unless you're using 
the built-in captive portal of your APs)

but if you're using an external dhcp server then the RFC7710 path seems moot...



Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Thu, 8 Jul 2021 at 14:16, Sallee, Jake via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
> you might want to check /usr/local/pg/logs for the file httpd.portal.access 
> and look for the string rfc7710 in there?

First, thank you for the effort but I didn't see anything in the logs about 
rfc7710.  But, I have not enabled debugging in the logs yet so there is still 
hope.

Quick question though, currently we do not use PF for our DHCP (even for 
registration or isolation).  With that in mind would the info you mention still 
show up in the logs?

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Diego García del Río <dgar...@mediatel.com.ar>
Sent: Wednesday, July 7, 2021 5:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sallee, Jake
Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

you might want to check /usr/local/pg/logs for the file httpd.portal.access and 
look for the string rfc7710 in there...

(and sorry, it's RFC 7710bis, not 7720bis)

Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | 
www.mediatel.com.ar | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 19:45, Diego García del Río 
<dgar...@mediatel.com.ar> wrote:
Hi.. I assume you're running your portal on https? release 10.2 had introduced 
dhcp-based portal discovery (RFC 7720bis support) and apple devices, most of 
which should be running a 2020 or newer os, should support it. if you can 
capture traffic on the portal interface on your cluster, you should see that 
the url for packetfence should be returned in a dhcp option (that finishes in 
"/rfc7710"). I believe the logs might show it (but only maybe in debug level)

the clients then query that url. Can you check if the proper, load-balanced url 
is being returned?

somehow maybe the device is failing to contact the /rfc7710 endpoint or 
something, like the client being authenticated is being returned and thus the 
apple device thinks it's logged in?

it's a wild guess.. but it would be one option why you see this on apple devices.

(newer windows releases should support it as well, but not 100% sure when /what 
release it would be). Android 11 also added support, but of course, there you 
have a much more fragmented ecosystem and i haven't seen non-google devices 
implementing it yet.




Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | 
www.mediatel.com.ar | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 18:35, Sallee, Jake via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Hello all!

This is a strange one and I hope someone out there has faced this demon before 
and can help.

We are running PF 10.3 (with latest maintenance

Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

2021-07-08 Thread Sallee, Jake via PacketFence-users
> you might want to check /usr/local/pg/logs for the file httpd.portal.access 
> and look for the string rfc7710 in there?

First, thank you for the effort but I didn't see anything in the logs about 
rfc7710.  But, I have not enabled debugging in the logs yet so there is still 
hope.  

Quick question though, currently we do not use PF for our DHCP (even for 
registration or isolation).  With that in mind would the info you mention still 
show up in the logs?

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Diego García del Río 
Sent: Wednesday, July 7, 2021 5:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sallee, Jake
Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

you might want to check /usr/local/pg/logs for the file httpd.portal.access and 
look for the string rfc7710 in there...

(and sorry, it's RFC 7710bis, not 7720bis)

Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 19:45, Diego García del Río 
<dgar...@mediatel.com.ar> wrote:
Hi.. I assume you're running your portal on https? release 10.2 had introduced 
dhcp-based portal discovery (RFC 7720bis support) and apple devices, most of 
which should be running a 2020 or newer os, should support it. if you can 
capture traffic on the portal interface on your cluster, you should see that 
the url for packetfence should be returned in a dhcp option (that finishes in 
"/rfc7710"). I believe the logs might show it (but only maybe in debug level)

the clients then query that url. Can you check if the proper, load-balanced url 
is being returned?

somehow maybe the device is failing to contact the /rfc7710 endpoint or 
something, like the client being authenticated is being returned and thus the 
apple device thinks it's logged in?

it's a wild guess.. but it would be one option why you see this on apple devices.

(newer windows releases should support it as well, but not 100% sure when /what 
release it would be). Android 11 also added support, but of course, there you 
have a much more fragmented ecosystem and i haven't seen non-google devices 
implementing it yet.




Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 18:35, Sallee, Jake via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Hello all!

This is a strange one and I hope someone out there has faced this demon before 
and can help.

We are running PF 10.3 (with latest maintenance patches) in a 3 node cluster.

TLDR:  Captive portal issues on iPhones and some mobile devices, can't find any 
reason in the logs as to why it would be happening.  Started happening out of 
the blue, updated to 10.3 and applied all patches but nothing helped.

Long version:

The issue seems to be centered around WiFi on iPhones and some mobile computers 
(laptops, tablets, etc) where some are Apple products and some are not.  Android 
phones seem not to be affected.

When an unregistered endpoint is assigned an IP in the registration network the 
device notices the captive portal and tries to open a browser window to 
facilitate the registration process.

However this is where things begin to go wrong.

Some of the time the page does not load at all, after a brief wait of perhaps 7 
seconds, the mobile browser generates an error saying the page cannot be 
loaded.  When the error is dismissed the browser automatically closes and the 
user is dumped to the home screen on their device.

Sometimes it does load but the custom logo is not displayed (loads a broken 
jpg).  Sometimes the page loads as plain text and no CSS.

If the page does load enough for the user to accept the AUP and fill out the 
registration form.  When the user submits the form, however the same browser 
error is displayed and the user is bounced out of the browser app.

If the error occurs AFTER submitting the registration form, the device still 
shows as unregistered in PF.   However, if the user rejoins the network the 
captive portal page will be presented but it will be the enabling access page 
with the progress bar (and a still broken jpg).  Interestingly, the device will 
now show as registered in PF and will have the correct role assigned.

I have been scouring the logs and can't seem to find any entries that would 
point to a cause.  Desk

[PacketFence-users] Captive Portal Issue on Mobile Devices

2021-07-07 Thread Sallee, Jake via PacketFence-users
Hello all!

This is a strange one and I hope someone out there has faced this demon before 
and can help.

We are running PF 10.3 (with latest maintenance patches) in a 3 node cluster.

TLDR:  Captive portal issues on iPhones and some mobile devices, can't find any 
reason in the logs as to why it would be happening.  Started happening out of 
the blue, updated to 10.3 and applied all patches but nothing helped.

Long version:

The issue seems to be centered around WiFi on iPhones and some mobile computers 
(laptops, tablets, etc) where some are Apple products and some are not.  Android 
phones seem not to be affected.

When an unregistered endpoint is assigned an IP in the registration network the 
device notices the captive portal and tries to open a browser window to 
facilitate the registration process.

However this is where things begin to go wrong.

Some of the time the page does not load at all, after a brief wait of perhaps 7 
seconds, the mobile browser generates an error saying the page cannot be 
loaded.  When the error is dismissed the browser automatically closes and the 
user is dumped to the home screen on their device.

Sometimes it does load but the custom logo is not displayed (loads a broken 
jpg).  Sometimes the page loads as plain text and no CSS.

If the page does load enough for the user to accept the AUP and fill out the 
registration form.  When the user submits the form, however the same browser 
error is displayed and the user is bounced out of the browser app.

If the error occurs AFTER submitting the registration form, the device still 
shows as unregistered in PF.   However, if the user rejoins the network the 
captive portal page will be presented but it will be the enabling access page 
with the progress bar (and a still broken jpg).  Interestingly, the device will 
now show as registered in PF and will have the correct role assigned.

I have been scouring the logs and can't seem to find any entries that would 
point to a cause.  Desktops and Laptops with full OS on them do not seem to 
have the issue.

Any help would be greatly appreciated.

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
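
The DHCP-based portal discovery raised in the replies to this thread (RFC 7710bis, with the portal URL returned in a DHCP option ending in "/rfc7710") can be checked from a captured DHCP reply. The Python below is an added example, not part of the original posts or of PacketFence: it parses the options of a DHCPv4 payload and reports whether a captive-portal URL is advertised, over https, on the expected host. Option code 114 is the RFC 8910 (7710bis) code and 160 the original RFC 7710 code; the host name `portal.example.edu`, the function names and the sample replies are constructed for illustration.

```python
from urllib.parse import urlparse

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCPv4 options field
# DHCPv4 option codes that carry the captive-portal URI
CAPPORT_CODES = {114: "RFC 8910 (7710bis)", 160: "RFC 7710 (original code)"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option code: value bytes} from a DHCPv4 message (the UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 message: magic cookie missing")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of message")
        # RFC 3396: a repeated option code is concatenated, not overwritten
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def captive_portal_uri(payload: bytes):
    """Return (option code, URI) if the reply advertises a portal, else None."""
    options = parse_dhcp_options(payload)
    for code in CAPPORT_CODES:
        if code in options:
            return code, options[code].decode("ascii", errors="replace")
    return None


def check_portal_advert(payload: bytes, expected_host: str) -> list:
    """List the problems with the advertised portal URL (empty list means OK)."""
    found = captive_portal_uri(payload)
    if found is None:
        # What you would see when the DHCP server in use does not send the option
        return ["no captive-portal option (114/160) in this reply"]
    code, uri = found
    parsed = urlparse(uri)
    problems = []
    if parsed.scheme != "https":
        problems.append(f"option {code}: URL is not https: {uri}")
    if (parsed.hostname or "").lower() != expected_host.lower():
        problems.append(f"option {code}: host is {parsed.hostname!r}, "
                        f"expected {expected_host!r}")
    if not parsed.path.rstrip("/").endswith("/rfc7710"):
        problems.append(f"option {code}: path does not end in /rfc7710")
    return problems


def build_sample_reply(uri: str = "", code: int = 114) -> bytes:
    """Constructed DHCPACK: zeroed BOOTP header, magic cookie, options."""
    options = bytes([53, 1, 5])                      # message type = ACK
    if uri:
        raw = uri.encode("ascii")
        options += bytes([code, len(raw)]) + raw
    return bytes(236) + MAGIC_COOKIE + options + b"\xff"


if __name__ == "__main__":
    # Constructed sample replies, not captures from a real deployment
    samples = {
        "load-balanced https URL": build_sample_reply("https://portal.example.edu/rfc7710"),
        "node IP over http": build_sample_reply("http://10.0.0.5/rfc7710", 160),
        "external DHCP, no option": build_sample_reply(),
    }
    for name, reply in samples.items():
        print(name, "->", check_portal_advert(reply, "portal.example.edu") or "OK")
```

To use it on real traffic, pass the UDP payload of a DHCP OFFER or ACK captured on the registration VLAN in place of the constructed samples.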


Re: [PacketFence-users] MAC Randomisation

2020-07-16 Thread Sallee, Jake via PacketFence-users
IIRC MAC randomization is only used for beacon frames by default which PF 
doesn't care about as far as I know.  So hopefully it is not an issue at all.

I do remember also seeing some devices give an option to randomize MAC on 
connect to a specific SSID so perhaps it would be possible to get users to turn 
that behavior off for NAC protected networks.

(Warning, incoming soap box)

MAC Randomization also led to some talk about having a NAC client on endpoints. 
 I cannot express fervently enough, one should never trust equipment one does 
not manage and own, full stop.

If your NAC solution only handles your org's assets then perhaps a client based 
NAC is acceptable, but in a BYOD or hybrid environment it is a terrible idea in 
my opinion.

 https://imgflip.com/i/48gxav

(**steps off soap box**)

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Max McGrath via PacketFence-users 

Sent: Wednesday, July 15, 2020 3:56 PM
To: ML PF
Cc: Max McGrath
Subject: [PacketFence-users] MAC Randomisation

Hi all -

I'm seeing a lot of chatter on the web and mailing lists that I'm on as it 
relates to MAC randomisation being adopted:

https://globalreachtech.com/blog-mac-randomisation-apple/

https://support.apple.com/en-qa/HT211227

Admittedly, I don't fully understand it (though it seems pretty 
straightforward).  How do we anticipate this impacting NACs?  PacketFence 
specifically?

Thanks!

Max
--
Max McGrath 
Infrastructure and Security Manager
Carthage College
262-551-
mmcgr...@carthage.edu


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] VLAN isolation and routed networks

2020-04-22 Thread Sallee, Jake via PacketFence-users
What you are describing sounds similar to what we are doing.

PF works great with routed networks and depending on the details of your VPN 
connection I think it should work in your situation.

I have never setup a PF deployment like the one you are talking about however 
if your VPN is setup in a point-to-point configuration then it will very likely 
work.

Logically speaking the packets from the satellite locations are encapsulated 
and sent to your central site. Once there the encapsulation is stripped, they 
are routed and the replies are encapsulated and sent back.  If this is the case 
the presence of the VPN tunnel is invisible to PF and the deployment should be 
the same as any other routed deployment.

If my guess about the way your VPN is setup is correct then I see no reason 
why it would not work.

I would love to hear how your deployment goes, good luck!

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Erik via PacketFence-users 
Sent: Wednesday, April 22, 2020 9:43 AM
To: packetfence-users@lists.sourceforge.net
Cc: Erik
Subject: [PacketFence-users] VLAN isolation and routed networks


Hi,

I have recently begun to investigate PacketFence to see if it can be
used under the circumstances I am faced with.
What I have found in the documentation so far is rather little and tells
me that routed networks are possible, but the example does not match my
circumstances. I am guessing it is just an example and other options are
available. I will be building a test site as soon as the necessary
equipment arrives.

Hope I can pick your brains in the mean time.


So the circumstances are these.

There are several separate locations that are connected to one central
location via VPN (OpenVPN).
Every location has their own local network and none of the address
ranges overlap. Locations can talk to each other because the central
location, where the VPN server is, routes traffic between locations.

Every location is going to be split up into a trusted and untrusted LAN.
There is a local firewall on each location that can manage this, but I
am looking for a solution that can be managed at the central location.

So I thought of PacketFence and wondered if it might fit. The general
idea is that the switches on each location access the PacketFence at the
central location for authentication and that PacketFence tells them if
the client can be authenticated, into which VLAN they must be put.

The switches can communicate with PacketFence at the central location
via the VPN. The clients cannot, because by default they are blocked by
the firewall.

I do not need or want PacketFence to provide DNS or DHCP. Once the local
switch has put the client on the correct VLAN and has allowed the port
the client is on to forward traffic, the clients will get DHCP and DNS
from the local servers.

So basically, PacketFence will not need to know about the local
networks. It will only have to authenticate credentials and let the
switch know what VLAN to use. The switches will use 802.1x for those
clients that support it and MAC authentication for those devices that don't.

I have used FreeRADIUS in the past with 802.1x and MAC authentication to
simply enable and disable switch ports. Back then the VLANs had been
fixed and defined on the switch. You either got access or you did not.
The current situation is similar with the notable exception that now the
switch does not know the VLAN id beforehand and has to be told not just
whether to enable the port, but also in which VLAN to put it.


What do you think, am I barking up the wrong tree here?

thanks for your time,
Erik van Linstee


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] POC Radius auth with Juniper switches

2020-04-15 Thread Sallee, Jake via PacketFence-users
Did you configure the Windows box for 802.1x?

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Kevin MacNeil via PacketFence-users 

Sent: Wednesday, April 15, 2020 4:41 PM
To: packetfence-users@lists.sourceforge.net
Cc: Kevin MacNeil
Subject: [PacketFence-users] POC Radius auth with Juniper switches

EXTERNAL Exercise Caution

I am working on a proof of concept for Packetfence for our production Juniper 
environment of ~200 switches. I have EX4200's in my test lab and have used the 
Juniper example 
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_juniper
  in the network device configuration guide. Otherwise I have followed the 
installation guide. I was able to join to my local AD domain, which I then 
added to the default and null realms. I configured a new internal AD 
authentication source and the connection test works as expected. I added the 
catchall rule per the instructions. I created a new 802.1x connection profile 
as well per the instructions. I created a new switch group using the 
Juniper::EX type. However after configuring my Windows 10 test box I am getting 
the following error, "Network device does not support this mode of operation."

FWIW I have tried both the 12.3 and 15.1 versions of JUNOS with the same 
result. I'm guessing this is an easy problem but I'm not sure what is wrong. 
Any and all help appreciated.


Request Time
0
RADIUS Request
User-Name = "test\\kevin"
NAS-IP-Address = 192.168.98.3
NAS-Port = 75
State = 0x4cc4fae04dcce0c184a03c0a51cb6cd7
Called-Station-Id = "00:23:9c:00:0c:c0"
Calling-Station-Id = "08:00:27:0a:b3:58"
NAS-Identifier = "labsw3"
NAS-Port-Type = Ethernet
Acct-Session-Id = "8O2.1x81ab013900042681"
Event-Timestamp = "Apr 15 2020 17:04:26 EDT"
EAP-Message = 0x020800061a03
NAS-Port-Id = "ge-0/0/9.0"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "kevin"
Realm = "default"
PacketFence-Domain = "TEST"
PacketFence-KeyBalanced = "4f50863fad315484ff895de9b971f63b"
PacketFence-Radius-Ip = "192.168.13.41"
PacketFence-NTLMv2-Only = ""
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\",\"control:PacketFence-Switch-Id\":\"192.168.98.3\",\"control:PacketFence-Switch-Ip-Address\":\"192.168.98.3\",\"control:PacketFence-UserName\":\"testkevin\",\"control:PacketFence-Request-Time\":1586984666,\"control:PacketFence-Connection-Type\":\"Ethernet-EAP\",\"control:PacketFence-IfIndex\":75,\"control:PacketFence-Mac\":\"08:00:27:0a:b3:58\",\"Reply-Message\":\"Network device does not support this mode of operation\",\"control:PacketFence-Eap-Type\":26,\"control:PacketFence-Switch-Mac\":\"00:23:9c:00:0c:c0\"}"
User-Password = "**"
SQL-User-Name = "testkevin"
RADIUS Reply
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = "test\\kevin"


interfaces {
    interface-range access-ports {
        member-range ge-0/0/2 to ge-0/0/23;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
}

protocols {
    dot1x {
        authenticator {
            authentication-profile-name packetfence;
            interface {
                access-ports {
                    supplicant multiple;
                    mac-radius;
                }
            }
        }
    }
}

access {
    radius-server {
        192.168.13.41 {
            port 1812;
            secret "secret";
        }
    }

    profile packetfence {
        authentication-order radius;
        radius {
            authentication-server 192.168.13.41;
            accounting-server 192.168.13.41;
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
        }
    }
}

ethernet-switching-options {
    secure-access-port {
        interface access-ports {
            mac-limit 2 action drop;
        }
    }
}

snmp {
    name "labsw3";
    description juniper;
    location EX;
    contact "kevin@test.local";
    client-list list0 {
        192.168.13.41/32;
    }
    community public {
        authorization read-only;
        client-list-name list0;
    }
    community private {
        authorization read-write;
        client-list-name list0;
    }
}





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net

Re: [PacketFence-users] Request Support

2020-03-12 Thread Sallee, Jake via PacketFence-users
Vincenzo:

If you want professional support your best bet is to reach out to Inverse, they 
are the makers of PacketFence and are REALLY good.  However, they do not work 
for free and there will be a cost associated if you engage their services.  

https://packetfence.org/support.html#/commercial

In my opinion the cost is reasonable and I have worked with many of their 
technicians and I have never had anything but a stellar experience.

Please remember the people on this list are mostly PF users who all have other 
jobs, they volunteer their time on the list to help others.  The best thing you 
can do is approach the list with a specific problem and what you have tried to 
do to fix it.

My suggestion is to set your log level to debug and watch the relevant logs 
while the error happens, most of the time PF will tell you exactly what the 
issue is.  Just don't forget to change the log level back to default when 
you're done.

If you want I can try to help but the time difference may make it a long 
process, I'm in GMT -6.  Good luck to you, feel free to post back to the list 
if you want more help from us.


Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Vincenzo Pinto via PacketFence-users 

Sent: Thursday, March 12, 2020 8:58 AM
To: packetfence-users@lists.sourceforge.net
Cc: Vincenzo Pinto
Subject: [PacketFence-users] Request Support

EXTERNAL Exercise Caution
Good morning,

my name is Vincenzo Pinto, and I work for a company in Italy, Milan, I'm 
writing this e-mail to ask for support regarding your software.
I installed PacketFence 9.3 as a virtual machine on Proxmox. The machine has 2 
network cards, one on management and the second with a virtual Lan (id 3). All 
clients must connect to the wifi network by going through packetfence.
Once the device registers, it passes through our program called Ntopng, with 
an ethernet card in passthrough, which performs checks and directs the clients 
on the various protocols to our captive portal, based on the access code.

We have a problem, once the user logs in as a GUEST, he gives me the "unable to 
detect network" error, and therefore cannot pass through our captive portal.

Can you support us?


Thanks



--
Vincenzo G. Pinto
direct: +39 3518680116
vincenzo.pi...@ies-italia.it

IES Italia
Via Luigi Canonica, 29
20154 Milano ITALIA
tel. +39 02 4953 6475
www.ies-italia.it


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Fwd: Upgrade 9.1 to 9.3

2020-02-14 Thread Sallee, Jake via PacketFence-users
:mysql::_get_db)...
Feb 14 10:13:48 vminednac01 pfconfig[1752]: pfconfig(1752) ERROR: [mac:[undef]] 
Couldn't connect to MySQL database to access L2. This is a major problem ! 
Check the MySQL section in /usr/local/pf/co...sql::_db_error)
Feb 14 10:13:48 vminednac01 pfconfig[1752]: pfconfig(1752) ERROR: [mac:[undef]] 
Caught error DBI connect('database=pf;host=localhost;port=3306','pf',...) 
failed: Can't connect to local MySQL server 
...sql.pm line 47.
 while connecting to database. 
(pfconfig::backend::mysql::_get_db)...
Feb 14 10:13:48 vminednac01 pfconfig[1752]: pfconfig(1752) ERROR: [mac:[undef]] 
Couldn't connect to MySQL database to access L2. This is a major problem ! 
Check the MySQL section in /usr/local/pf/co...sql::_db_error)
Feb 14 10:13:48 vminednac01 pfconfig[1752]: Could not write namespace 
config::Network(vminednac01) to L2 cache !
Feb 14 10:13:48 vminednac01 pfconfig[1752]: pfconfig(1752) ERROR: [mac:[undef]] 
Could not write namespace config::Network(vminednac01) to L2 cache ! 
(pfconfig::manager::cache_resource)
Hint: Some lines were ellipsized, use -l to show in full.
[root@vminednac01 ~]#


Regards,

Domingos Varela
Tel. +244 923 229 330 | Luanda - Angola


Domingos Varela <sousa.var...@gmail.com> wrote on Friday, 14/02/2020 at 13:34:
Hi Jake,

thanks for your response, the answer below.
Regards

Regards,

Domingos Varela
Tel. +244 923 229 330 | Luanda - Angola


Sallee, Jake via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote on Thursday, 13/02/2020 at 22:01:
Domingos:

I am happy to try and help, but we will need more info.

Let's start with your log files.  When you try to start the PF services what do 
the logs say?  You can put your log file on pastebin and link it here.
I am unable to collect the logs during system startup because the system is 
stuck "Checking configuration sanity ..." for several hours and does not leave 
until I cancel.

If you did the upgrade, did you also do the database schema upgrade?
Yes, 9.1 -> 9.2 and 9.2 -> 9.3 db schema


Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Domingos Varela via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Thursday, February 13, 2020 1:18 AM
To: packetfence-users@lists.sourceforge.net
Cc: Domingos Varela
Subject: [PacketFence-users] Fwd: Upgrade 9.1 to 9.3

EXTERNAL Exercise Caution
Hello,

Someone help me, to solve this issue!
Thanks

-- Forwarded message -
From: Domingos Varela <sousa.var...@gmail.com>
Date: Tuesday, 11/02/2020, 14:11
Subject: Upgrade 9.1 to 9.3
To: <packetfence-users@lists.sourceforge.net>


Hi,

I tried to upgrade from version 9.1 to 9.3, I followed the steps in the 
documentation, but after finishing the system it gets stuck in "checking 
configuration sanity...", and it doesn't go away ... now I have the system out 
of service.
image in attach

Can anyone help?

Thanks
Regards

Regards,

Domingos Varela
Tel. +244 923 229 330 | Luanda - Angola


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Fwd: Upgrade 9.1 to 9.3

2020-02-13 Thread Sallee, Jake via PacketFence-users
Domingos:

I am happy to try and help, but we will need more info.

Let's start with your log files.  When you try to start the PF services what do 
the logs say?  You can put your log file on pastebin and link it here.  

If you did the upgrade, did you also do the database schema upgrade?  


Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Domingos Varela via PacketFence-users 

Sent: Thursday, February 13, 2020 1:18 AM
To: packetfence-users@lists.sourceforge.net
Cc: Domingos Varela
Subject: [PacketFence-users] Fwd: Upgrade 9.1 to 9.3

EXTERNAL Exercise Caution
Hello,

Someone help me, to solve this issue!
Thanks

-- Forwarded message -
From: Domingos Varela <sousa.var...@gmail.com>
Date: Tuesday, 11/02/2020, 14:11
Subject: Upgrade 9.1 to 9.3
To: <packetfence-users@lists.sourceforge.net>


Hi,

I tried to upgrade from version 9.1 to 9.3, I followed the steps in the 
documentation, but after finishing the system it gets stuck in "checking 
configuration sanity...", and it doesn't go away ... now I have the system out 
of service.
image in attach

Can anyone help?

Thanks
Regards

Regards,

Domingos Varela
Tel. +244 923 229 330 | Luanda - Angola


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Pending changes to MS LDAP

2020-02-11 Thread Sallee, Jake via PacketFence-users
Can anyone tell me if the pending changes to LDAP Microsoft announced are going 
to affect packetfence?

Source:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

We have our PF cluster using our AD servers as an authentication source.  Will 
I need to set the LDAP connection to use SSL and install the certs, etc?

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Maintenance patches

2020-01-28 Thread Sallee, Jake via PacketFence-users
Inverse peeps!

I like getting the notifications about available maintenance patches, but is 
there a place where I can go to read the patch release notes?  

Thank you in advance. 

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Upgrade path from PacketFence 3.5.0 to current

2020-01-13 Thread Sallee, Jake via PacketFence-users
I have to ask ... why not build a new box or cluster?

Upgrading that many versions is going to be a challenge.  Plus, according to 
the upgrade doc, you can't upgrade to PF7 or beyond running CentOS 6 or Debian 
Wheezy.

So ... a rebuild may be your only option.

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Chris Crawford via PacketFence-users 

Sent: Thursday, January 9, 2020 1:09 PM
To: packetfence-users@lists.sourceforge.net
Cc: Chris Crawford
Subject: [PacketFence-users] Upgrade path from PacketFence 3.5.0 to current

EXTERNAL Exercise Caution
Good morning,

Does anyone have a method, or a guide, or webpage that would give me some 
details on how to safely, and with confidence upgrade PacketFence from 3.5.0 
(which is really old, I know. It wasn’t my decision) to a newer, more current 
version?

The problem we have is with newer switches (Extreme 5900 series) which don’t 
want to support MAC-Security using traps, and alike.

Any information would help. Thank you very much!

Cheers,

CHRIS CRAWFORD
Network Analyst • Information Technology Services
T 506 453-4695 C 506 260-8795


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Unable to perform RADIUS Disconnect-Request

2019-12-18 Thread Sallee, Jake via PacketFence-users
Hello all!

BG Info:
New cluster install
v9.2
Currently doing pre-production tests
Xirrus APs
RADIUS Deauth
Routed mode

I have run into an issue where my wireless clients are not getting disconnected 
correctly.

Here is the snip from the log:
===
Dec 18 11:46:21 NAC-PFv9-01 pfqueue: pfqueue(116887) INFO: 
[mac:fc:01:7c:91:b2:59] [fc:01:7c:91:b2:59] DesAssociating mac on switch 
(10.11.39.16) (pf::api::desAssociate)
Dec 18 11:46:21 NAC-PFv9-01 pfqueue: pfqueue(116887) INFO: 
[mac:fc:01:7c:91:b2:59] deauthenticating fc:01:7c:91:b2:59 
(pf::Switch::Xirrus::radiusDisconnect)
Dec 18 11:46:21 NAC-PFv9-01 pfqueue: pfqueue(116887) WARN: 
[mac:fc:01:7c:91:b2:59] Unknown general attribute 80 for unpack()
(Net::Radius::Packet::unpack)
Dec 18 11:46:21 NAC-PFv9-01 pfqueue: Unknown general attribute 80 for unpack()
Dec 18 11:46:21 NAC-PFv9-01 pfqueue: pfqueue(116887) WARN: 
[mac:fc:01:7c:91:b2:59] Unable to perform RADIUS Disconnect-Request. 
Disconnect-NAK received with Error-Cause: Session-Context-Not-Found. 
(pf::Switch::Xirrus::radiusDisconnect)
===

Some initial google-ing brought me to this link:
https://sourceforge.net/p/packetfence/mailman/message/36077249/

But that is for Aruba and the variable "acct-session-id" is not present in the 
Xirrus module.

I am wondering if this line is the culprit: Unknown general attribute 80 for 
unpack()

Is it possible the session ID is not getting populated correctly because of 
this error?

Any ideas?

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
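
Added example, not part of the original post and not PacketFence code: a minimal RADIUS parser run over constructed Disconnect-Request and Disconnect-NAK packets, to show how the two log lines above map onto the wire format. Attribute type 80 is Message-Authenticator (RFC 2869) and Error-Cause (type 101) value 503 is Session-Context-Not-Found (RFC 5176); the packet bytes, the zeroed authenticators and the choice of Calling-Station-Id as the only session identifier in the request are assumptions for illustration, not what the Xirrus module is known to send.

```python
import ipaddress
import struct

# Dynamic-authorization packet codes (RFC 5176).
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}

# Attribute types this example names; anything else is reported as unknown.
ATTRS = {
    1: "User-Name",
    4: "NAS-IP-Address",
    31: "Calling-Station-Id",
    44: "Acct-Session-Id",
    50: "Acct-Multi-Session-Id",
    80: "Message-Authenticator",  # RFC 2869
    101: "Error-Cause",           # RFC 5176
}

# Subset of the RFC 5176 Error-Cause values.
ERROR_CAUSES = {
    401: "Unsupported-Attribute",
    402: "Missing-Attribute",
    403: "NAS-Identification-Mismatch",
    404: "Invalid-Request",
    503: "Session-Context-Not-Found",
    504: "Session-Context-Not-Removable",
}

# Subset of the attributes a NAS can use to locate the session to disconnect.
SESSION_ID_ATTRS = (1, 31, 44, 50)


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS datagram into header fields and raw (type, value) pairs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def describe(parsed: dict) -> dict:
    """Name the packet code and decode the attributes listed in ATTRS."""
    out = {"code": CODES.get(parsed["code"], f"code-{parsed['code']}"),
           "attributes": {}, "unknown": []}
    for a_type, value in parsed["attrs"]:
        name = ATTRS.get(a_type)
        if name is None:
            out["unknown"].append(a_type)
        elif a_type == 101:
            if len(value) != 4:
                raise ValueError("Error-Cause must be a 4-byte integer")
            cause = struct.unpack("!I", value)[0]
            out["attributes"][name] = ERROR_CAUSES.get(cause, str(cause))
        elif a_type == 80:
            out["attributes"][name] = value.hex()
        elif a_type == 4:
            out["attributes"][name] = str(ipaddress.IPv4Address(value))
        else:
            out["attributes"][name] = value.decode("utf-8", "replace")
    return out


def session_keys(parsed: dict) -> list:
    """List which session-identification attributes a request carries."""
    return [ATTRS[t] for t, _ in parsed["attrs"] if t in SESSION_ID_ATTRS]


def build(code: int, ident: int, attrs: list) -> bytes:
    """Assemble a constructed packet with a zeroed (not valid) authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: the MAC and switch IP are taken from the log excerpt.
SAMPLE_REQUEST = build(40, 7, [
    (4, ipaddress.IPv4Address("10.11.39.16").packed),
    (31, b"fc:01:7c:91:b2:59"),
])
SAMPLE_NAK = build(42, 7, [
    (80, bytes(16)),                 # placeholder Message-Authenticator
    (101, struct.pack("!I", 503)),   # Session-Context-Not-Found
])

if __name__ == "__main__":
    print("request identifies session by:", session_keys(parse_radius(SAMPLE_REQUEST)))
    print("reply:", describe(parse_radius(SAMPLE_NAK)))
```

Comparing the output of `session_keys` for a captured Disconnect-Request with the identifiers the AP reported in its accounting records shows whether the NAS was given anything it could match a session on.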


Re: [PacketFence-users] packetfence clustered environment

2019-12-12 Thread Sallee, Jake via PacketFence-users
Forgive me for butting in, but do you have a specific reason for using an 
inline deployment?

IMHO a routed / vlan deployment is better.

Obviously, if you have a reason why you want to use an inline deployment you 
can ignore me : )

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Fabrice Durand via PacketFence-users 

Sent: Thursday, December 12, 2019 2:44 PM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] packetfence clustered environment

EXTERNAL Exercise Caution

yes one ip per interface and a vip per layer2.
On 19-12-12 at 15:40, Pasquale Lo Bello via PacketFence-users wrote:
Thanks. So I have to set the IP addresses in all the interfaces?

On Thu 12 Dec 2019, 15:37 Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Pasquale,

the management must be on the same layer 2 , the inline must be on the same 
layer 2 , but it doesn't mean that all interfaces must be on the same layer 2 
network.

Regards

Fabrice


On 19-12-12 at 09:17, Pasquale Lo Bello via PacketFence-users wrote:
Hello

I'm trying to set up a clustered environment with three nodes.

I'm using the "Clustering quick installation guide" as reference, and I have a 
question about one of the assumptions:

"The servers network interfaces are on the same layer 2 network"

In my case I have three virtual machines, each having 2 interfaces (one for 
management, the other one for inline).

In total I have 6 interfaces and all of them have to be on the same segment 
(virtual network in my case). Is this correct?

Thanks in advance
Pasquale.




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users





Re: [PacketFence-users] Raspberry Pi and Packetfence

2019-11-13 Thread Sallee, Jake via PacketFence-users
Running PF on a Pi sounds interesting … what use case are you going for?

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Zacharry Williams via PacketFence-users 

Sent: Tuesday, November 12, 2019 4:37 PM
To: packetfence-users@lists.sourceforge.net
Cc: Zacharry Williams 
Subject: Re: [PacketFence-users] Raspberry Pi and Packetfence

EXTERNAL Exercise Caution
I haven't tried but it should work. Probably not with ZEN though.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] NAC bypass

2019-05-23 Thread Sallee, Jake via PacketFence-users
> Out of curiosity, how are you prevent IPv6 addresses from flowing? Is this at 
> the router/L3 switch or firewall level?

That's a good question!

The answer is both firewall and L3.  

I have lots of internal vlans ... like ... a lot.  So, so many ... I may have a 
psychological problem.

All my vlan interfaces do not have IPv6 addresses and the switches and routers 
will not forward v6 packets (I'm not running an IPv6 capable routing protocol). 
 All modern OSes will tunnel your IPv6 over IPv4 (windows does this by default 
IIRC) but that is a 6to4 gateway and brings the conversation full circle.

I also run a cluster of internal segmentation firewalls which do not permit 
IPv6 to pass through them.

So IPv6 is dropped either at the router or FW if it is seen by them, and if the 
OS tunnels IPv6 through a v4 connection that is no different than regular 
traffic.

Bada-bing bada-boom! No IPv6 for you!

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Louis Scaringella 
Sent: Thursday, May 23, 2019 2:07 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sallee, Jake
Subject: Re: [PacketFence-users] NAC bypass

EXTERNAL Exercise Caution

Out of curiosity, how are you prevent IPv6 addresses from flowing? Is this at 
the router/L3 switch or firewall level?

What about non-routable link local addresses?



> On May 23, 2019, at 1:21 PM, Sallee, Jake via PacketFence-users 
>  wrote:
>
> Max:
>
> This strikes me as an uninformed opinion.
>
> While a lot of tools don't speak IPv6, very little of the world runs IPv6 ... 
> even though it's over a decade old.  Most IPv6 providers run an IPv6to4 
> gateway and technically all IPv6 traffic will run through a 6to4 gateway 
> somewhere or else they would not have access to traditional IPv4 networks ... 
> AKA the bulk of the internet.
>
> Once your traffic has gone through the gateway it is essentially classic IPv4 
> and thus is readable by all those tools you were trying to avoid.
>
> In my network IPv6 flat doesn't work.  If you have your computer configured 
> with an IPv6 address your traffic will not flow ... at all.  So ... problem 
> solved : )
>
> Also, plenty of "defensive" tools support IPv6.  My NSM distro of choice is 
> SecurityOnion and it fully supports IPv6.
>
> As a final note I would hold anyone under strict suspicion who says they can 
> move around a network undetected.  You may go unnoticed for a number of 
> reasons, but it is *literally* impossible to be undetectable on a network.  
> And, if the network team wants to find you bad enough, they will.  Trust me.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> http://WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> 
> From: Max McGrath via PacketFence-users 
> 
> Sent: Thursday, May 23, 2019 12:08 PM
> To: ML PF
> Cc: Max McGrath
> Subject: [PacketFence-users] NAC bypass
>
> EXTERNAL Exercise Caution
> Hello -
>
> I've been looking into NAC Bypass lately and came across the following:
>
> Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over 
> IPv6 yields a high chance you will go undetected and be unchallenged.
>
> Would this be true in PacketFence, or would it depend on my specific 
> configuration?
>
> Max
> --
> Max McGrath 
> Infrastructure and Security Manager
> Carthage College
> 262-551-
> mmcgr...@carthage.edu<mailto:mmcgr...@carthage.edu>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] NAC bypass

2019-05-23 Thread Sallee, Jake via PacketFence-users
Max:

This strikes me as an uninformed opinion.

While a lot of tools don't speak IPv6, very little of the world runs IPv6 ... 
even though it's over a decade old.  Most IPv6 providers run an IPv6to4 gateway 
and technically all IPv6 traffic will run through a 6to4 gateway somewhere or 
else they would not have access to traditional IPv4 networks ... AKA the bulk 
of the internet.

Once your traffic has gone through the gateway it is essentially classic IPv4 
and thus is readable by all those tools you were trying to avoid.

In my network IPv6 flat doesn't work.  If you have your computer configured 
with an IPv6 address your traffic will not flow ... at all.  So ... problem 
solved : )

Also, plenty of "defensive" tools support IPv6.  My NSM distro of choice is 
SecurityOnion and it fully supports IPv6.

As a final note I would hold anyone under strict suspicion who says they can 
move around a network undetected.  You may go unnoticed for a number of 
reasons, but it is *literally* impossible to be undetectable on a network.  
And, if the network team wants to find you bad enough, they will.  Trust me.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Max McGrath via PacketFence-users 

Sent: Thursday, May 23, 2019 12:08 PM
To: ML PF
Cc: Max McGrath
Subject: [PacketFence-users] NAC bypass

EXTERNAL Exercise Caution
Hello -

I've been looking into NAC Bypass lately and came across the following:

Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over 
IPv6 yields a high chance you will go undetected and be unchallenged.

Would this be true in PacketFence, or would it depend on my specific 
configuration?

Max
--
Max McGrath 
Infrastructure and Security Manager
Carthage College
262-551-
mmcgr...@carthage.edu


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Packetfence 8.3 - AD source causes Radius go down

2019-05-22 Thread Sallee, Jake via PacketFence-users
... can you post HOW you solved it?  That way others who may search the list 
later can fix their similar issues too.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: pro fence via PacketFence-users 
Sent: Wednesday, May 22, 2019 10:14 AM
To: packetfence-users@lists.sourceforge.net
Cc: pro fence
Subject: Re: [PacketFence-users] Packetfence 8.3 - AD source causes Radius go 
down

EXTERNAL Exercise Caution
SOLVED

On Tue, 21 May 2019 at 16:41, pro fence <pfenc...@gmail.com> wrote:
Hi,

after adding a new Active directory authentication source, the radius services 
(acct and auth) are unable to restart, despite the fact that the connection 
binding test succeeds in the authentication source (my user only has the read 
right), I get the following error message :

rlm_ldap (AciveDirectory): Bind credentials incorrect: Invalid credentials
rlm_ldap (AciveDirectory): Opening connection failed (0)
/usr/local/pf/raddb/mods-enabled/ldap_packetfence[5]: Instantiation failed for 
module "AciveDirectory"

Do you have any idea ?
Any help is welcome,
Regards,




Re: [PacketFence-users] Lab setup without AD

2019-04-08 Thread Sallee, Jake via PacketFence-users
Matt:

Others may know better than me, but unless you are authenticating users from 
other domains you do not need a realm.

In your lab setup the realm will be either local or null if you are not using a 
user database backend (like AD).

In FreeRADIUS land the realm is what you use to determine which authentication 
oracle receives the access request.  Since you are using a local user DB then 
you can leave your realm as NULL or LOCAL and not worry about it.

Unless you are testing something like authentication to a domain you can ignore 
the realm setting.  

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Matt Kopf via PacketFence-users 
Sent: Monday, April 8, 2019 11:21 AM
To: packetfence-users@lists.sourceforge.net
Cc: Matt Kopf
Subject: [PacketFence-users] Lab setup without AD

Hello, I am new to PF. I’d like to do some testing and work with it in a lab 
environment or even at home.

Can I set up PF without having an AD server?

I can’t seem to create a realm without one.

There are many new terms to me, realm being one of them. Is there a glossary of 
terms or should I just google away?

Basically what I want to set up for a lab at the start is a PF server, a DHCP 
server, and one of our HP switches. Just to start. Am I on the right track?

Sorry for all the dumb questions but this is a new area for me.




Matt Kopf





Re: [PacketFence-users] Cisco 2960 802.1X and MAB

2019-01-15 Thread Sallee, Jake via PacketFence-users
Where are you at in the process of setting up PF in your environment?

The reason I ask is because this will vastly affect exactly what information 
you need at the moment.

>What is needed to be configured in PF?

Nothing special, just add a switch as you would normally according to the PF 
documentation.

>What is needed to be configured on client side? It's a macbook

Nothing, MAB is transparent to the endpoint.

>What is needed to be configured on the cisco 2960?

Cisco has lots of documentation on configuring MAB.  The specifics will be 
different depending on the version of IOS your switch is running.  There is a 
global portion and also a per port portion.  

My global config:
=
aaa group server radius NAC
 server  auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group NAC
aaa authorization network default group NAC 
aaa accounting system default start-stop group NAC
!
radius-server host  auth-port 1812 acct-port 1813 key 
radius-server vsa send authentication

My port config:
==
interface GigabitEthernet1/0/4
 switchport mode access
 switchport voice vlan 
 authentication host-mode multi-domain
 authentication order mab
 authentication port-control auto
 mab
 mls qos trust cos
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard loop
!

Most of the port config is not MAB specific, just some good practices.  That 
should get you started.

Good luck!  Post back to the list if you run into issues.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Wifi Guy via PacketFence-users 
Sent: Monday, January 14, 2019 4:08 PM
To: packetfence-users@lists.sourceforge.net
Cc: Wifi Guy
Subject: [PacketFence-users] Cisco 2960 802.1X and MAB

Hi all,

Can someone help with what is required to get wired 802.1X and/or MAB to work 
on wired clients connecting to a cisco 2960 switch?

What is needed to be configured in PF?
What is needed to be configured on client side? It's a macbook
What is needed to be configured on the cisco 2960?

Thanks





[PacketFence-users] guest registration problems

2018-08-29 Thread Sallee, Jake via PacketFence-users
All:

BG Info: Packetfence v8.1.0 3 node cluster

Two issues:

1)  When using guest email registration:

The link in the email points back to the server that generated the email and 
NOT the cluster so the link does not work.  

The link sent in the email points to: NAC-server-1.domain.tld, if I change the 
link to cluster.domain.tld the link works fine.

How can I change the link in the email to point to the cluster and not the 
generating member server?

2) When using guest SMS registration:

Users are either reporting not getting the SMS message at all, or the ones they 
do get look like email headers and do not contain the activation code.

I have been able to reproduce the error, but I am at a loss on how to fix it.

The error seems to be 100% reproducible on AT&T's network ... I do not know 
about other providers yet.

Any assistance anyone can provide would be most welcome!

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



[PacketFence-users] Setting device role based on computer AD membership or static roles

2018-08-08 Thread Sallee, Jake via PacketFence-users
All:

I would like to be able to check if the user's computer is joined to our AD and 
assign a role based on that membership or not.

The issue I am attempting to address is this:

Devices which are owned by the university and are used by university employees 
are assigned one role while personal devices which are operated by university 
employees are assigned a different role.

If I assign role based on only the user and realm then personal devices will 
end up with the wrong role since they will be assigned the same role as 
university owned devices.

Conversely, is there a way to make a manually assigned role stick to a node?  

In 802.1x the device is de-registered when it disconnects, so when the device 
re-connects its role is re-evaluated and it gets the role which is evaluated by 
the rules on the authentication source.

This is problematic if you try to manually assign a user's role since the role 
change will not stay and will be reverted on the next re-connection.

Suggestions are welcome!

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



[PacketFence-users] 802.1x fall through authentication

2018-08-06 Thread Sallee, Jake via PacketFence-users
All:

(INFO: PF 8.1.0 three node cluster)

Is it possible to configure fall through authentication with 802.1x?

I have two AD realms and I want users to be able to login by providing their 
user name only (IE: UserName) and not require the full user name (IE: 
usern...@domain.tld).

I have added the realms and all the other plumbing necessary to make the 
authentication work, but unless a user enters the full user name authentication 
fails.

I thought the default flow was if a user does not provide domain information 
the auth sources in the profile are applied in the order they are listed in the 
profile settings.  This does not seem to be happening for me.  Any idea how to 
fix this would be very helpful.

Thank you all.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] Problem to join my AD : client not found in kerberos database.

2018-07-09 Thread Sallee, Jake via PacketFence-users
Was PF previously joined to AD?


If so you may have some residual entries in your AD which need to be removed.


Also, what is in the logfile?


Check out page 45 in the install guide.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Xav Tauran via PacketFence-users 
Sent: Monday, July 9, 2018 10:49 AM
To: packetfence-users@lists.sourceforge.net
Cc: Xav Tauran
Subject: [PacketFence-users] Problem to join my AD : client not found in 
kerberos database.

Hello all,

I have changed my AD administrator password (expired), I can't join PacketFence 
to the AD anymore. For information, my AD is directly connected to PF.
Now when I try to join PF to my AD I have this error: client not found in 
kerberos database.

Any solutions?

Thank you in advance.

Regards,

Xavier



Re: [PacketFence-users] Haproxy will always crash after a few hours

2018-07-06 Thread Sallee, Jake via PacketFence-users
Fabrice:


I have been checking, since you applied the patch it does NOT look like my 
haproxy processes have crashed.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Thomas OLIVIER via PacketFence-users 

Sent: Thursday, July 5, 2018 4:40 AM
To: Durand fabrice via PacketFence-users
Cc: Thomas OLIVIER
Subject: Re: [PacketFence-users] Haproxy will always crash after a few hours


Thanks Fabrice!

I think those instructions will work. Can anyone confirm?

using yum update is better than a source compilation...




On 05/07/2018 03:44, Durand fabrice via PacketFence-users wrote:

Ok sorry I think I wasn't clear enough:


To apply the patch:

curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3209.diff | patch -p1 --dry-run

If no error:

curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3209.diff | patch -p1

After applying the patch you will need to do:

cp /usr/local/pf/conf/systemd/packetfence-haproxy-db.service /lib/systemd/system/

cp /usr/local/pf/conf/systemd/packetfence-haproxy-portal.service /lib/systemd/system/

cp /usr/local/pf/conf/haproxy-portal.conf.example /usr/local/pf/conf/haproxy-portal.conf

cp /usr/local/pf/conf/haproxy-db.conf.example /usr/local/pf/conf/haproxy-db.conf

systemctl daemon-reload

yum update haproxy --enablerepo=packetfence-devel

systemctl restart packetfence-haproxy-db

systemctl restart packetfence-haproxy-portal


Regards

Fabrice


On 2018-07-04 at 07:36, Murilo Calegari via PacketFence-users wrote:
Hi, Thomas!

Can you send the instructions regarding on how to perform the upgrade?

On Wed, 4 Jul 2018 at 08:35, Thomas OLIVIER via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hi,

In my case, no more issue since a haproxy upgrade (to 1.8 stable). ->
crossed fingers

I compiled the stable version with lua and ssl option activated


Just my 2 cents!


Thomas.


On 04/07/2018 02:37, Sallee, Jake via PacketFence-users wrote:
> Fabrice:
>
> I'm more than happy to give you access.
>
> I'm in the office tonight, but ... don't tell anyone ... since tomorrow is my 
> country's birthday (kinda) I will be celebrating by blowing up tiny parts of 
> it : )
>
> If you want to try it tonight I'm available, but the next time I'll be in 
> will be Thursday 8am GMT -5.
>
> I'm open to whatever, I appreciate your assistance.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU<http://WWW.UMHB.EDU>
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> 
> From: Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
> Sent: Tuesday, July 3, 2018 7:24 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Durand fabrice
> Subject: Re: [PacketFence-users] Haproxy will always crash after a few hours
>
> Do you have the exact version of haproxy installed?
>
> I think that it can be related to the lua script, it's why you can try
> with the latest haproxy version.
> (https://www.haproxy.org/download/1.8/src/CHANGELOG)
>
> Jake if you want, let me give an access to your setup and I will upgrade
> the haproxy version and adapt the code to see if it fixes the issue.
>
> Regards
> Fabrice
>
>
>
> On 2018-07-03 at 14:47, Sallee, Jake via PacketFence-users wrote:
>> Yes I am, here is what I am seeing:
>>
>>
>> please forgive the formatting.
>>
>>
>> 
>>
>> cat /var/log/messages /usr/local/pf/logs/httpd.portal.error | grep -i haproxy
>>
>> Jul 2 05:55:02 NAC-PFv8-01 kernel: haproxy[116369]: segfault at 41739e1d ip 
>> 560f414cd1d2 sp 7ffc0998ca30 error 4 in haproxy[560f41432000+101000]
>>
>> Jul 2 05:55:02 NAC-PFv8-01 haproxy-systemd-wrapper: haproxy-systemd-wrapper: 
>> exit, haproxy RC=0
>>
>> Jul 3 10:37:09 NAC-PFv8-01 systemd: Stopping PacketFence HAProxy Load 
>> Balancer for connecting to clustered databases... Jul 3 10:37:09 NAC-PFv8-01 
>> haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=143
>>
>> Jul 3 10:37:09 NAC-PFv8-01 systemd: packetfence-haproxy-db.service: main 
>> process exited, code=exited, status=143/n/a
>>
>> Jul 3 10:37:09 NAC-PFv8-0

Re: [PacketFence-users] Haproxy will always crash after a few hours

2018-07-03 Thread Sallee, Jake via PacketFence-users
Fabrice:

I'm more than happy to give you access.

I'm in the office tonight, but ... don't tell anyone ... since tomorrow is my 
country's birthday (kinda) I will be celebrating by blowing up tiny parts of it 
: )

If you want to try it tonight I'm available, but the next time I'll be in will 
be Thursday 8am GMT -5.

I'm open to whatever, I appreciate your assistance.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Durand fabrice via PacketFence-users 

Sent: Tuesday, July 3, 2018 7:24 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Haproxy will always crash after a few hours

Do you have the exact version of haproxy installed?

I think that it can be related to the lua script, it's why you can try
with the latest haproxy version.
(https://www.haproxy.org/download/1.8/src/CHANGELOG)

Jake if you want, let me give an access to your setup and I will upgrade
the haproxy version and adapt the code to see if it fixes the issue.

Regards
Fabrice



On 2018-07-03 at 14:47, Sallee, Jake via PacketFence-users wrote:
> Yes I am, here is what I am seeing:
>
>
> please forgive the formatting.
>
>
> 
>
> cat /var/log/messages /usr/local/pf/logs/httpd.portal.error | grep -i haproxy
>
> Jul 2 05:55:02 NAC-PFv8-01 kernel: haproxy[116369]: segfault at 41739e1d ip 
> 560f414cd1d2 sp 7ffc0998ca30 error 4 in haproxy[560f41432000+101000]
>
> Jul 2 05:55:02 NAC-PFv8-01 haproxy-systemd-wrapper: haproxy-systemd-wrapper: 
> exit, haproxy RC=0
>
> Jul 3 10:37:09 NAC-PFv8-01 systemd: Stopping PacketFence HAProxy Load 
> Balancer for connecting to clustered databases... Jul 3 10:37:09 NAC-PFv8-01 
> haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=143
>
> Jul 3 10:37:09 NAC-PFv8-01 systemd: packetfence-haproxy-db.service: main 
> process exited, code=exited, status=143/n/a
>
> Jul 3 10:37:09 NAC-PFv8-01 systemd: Stopped PacketFence HAProxy Load Balancer 
> for connecting to clustered databases.
>
> Jul 3 10:37:09 NAC-PFv8-01 systemd: Unit packetfence-haproxy-db.service 
> entered failed state.
>
> Jul 3 10:37:09 NAC-PFv8-01 systemd: packetfence-haproxy-db.service failed.
>
> Jul 3 10:37:43 NAC-PFv8-01 systemd: Starting PacketFence HAProxy Load 
> Balancer for connecting to clustered databases... Jul 3 10:37:46 NAC-PFv8-01 
> pfcmd: haproxy-db|config generated
>
> Jul 3 10:37:46 NAC-PFv8-01 systemd: Started PacketFence HAProxy Load Balancer 
> for connecting to clustered databases.
>
> Jul 3 10:37:46 NAC-PFv8-01 systemd: Starting PacketFence HAProxy Load 
> Balancer for the captive portal...
>
> Jul 3 10:37:49 NAC-PFv8-01 pfcmd: haproxy-portal|config generated
>
> Jul 3 10:37:49 NAC-PFv8-01 systemd: Started PacketFence HAProxy Load Balancer 
> for the captive portal.
>
> Jul 3 10:39:15 NAC-PFv8-01 Keepalived_vrrp[17269]: Cannot find script killall 
> -0 haproxy in path
>
> Jul 3 10:39:15 NAC-PFv8-01 Keepalived_vrrp[17269]: Disabling track script 
> haproxy since not found/accessible
>
> Jul 3 12:22:57 NAC-PFv8-01 kernel: haproxy[16903]: segfault at fb181d ip 
> 556900d401d2 sp 7ffd7fac0950 error 4 in haproxy[556900ca5000+101000]
>
> Jul 3 12:22:57 NAC-PFv8-01 haproxy-systemd-wrapper: haproxy-systemd-wrapper: 
> exit, haproxy RC=0
>
> Jul 3 13:37:37 NAC-PFv8-01 systemd: Starting PacketFence HAProxy Load 
> Balancer for the captive portal...
>
> Jul 3 13:37:40 NAC-PFv8-01 pfcmd: haproxy-portal|config generated Jul 3 
> 13:37:40 NAC-PFv8-01 systemd: Started PacketFence HAProxy Load Balancer for 
> the captive portal.
>
> 
>
>
> Inverse peeps:
>
>
> If you want I can be available for you guys to take a peek at my system, run 
> an strace, etc.  This cluster is not yet in production so we can do whatever 
> testing you want.
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> http://WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> From: Murilo Calegari 
> Sent: Tuesday, July 3, 2018 11:57 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Sallee, Jake
> Subject: Re: [PacketFence-users] Haproxy will always crash after a few hours
>
> Can you see if the same type of errors are registered in the log files I've 
> mentioned?
&

Re: [PacketFence-users] Log spamming

2018-07-03 Thread Sallee, Jake via PacketFence-users
Nicolas:

Excellent!

I can make the manual edit, but do you think I should use the pfmaint.pl tool 
instead?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Nicolas Quiniou-Briand via PacketFence-users 

Sent: Tuesday, July 3, 2018 3:02 PM
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand
Subject: Re: [PacketFence-users] Log spamming

Hello Jake,

On 2018-07-03 11:52 AM, Sallee, Jake via PacketFence-users wrote:
> Any idea what is going wrong and how to fix it?

Fabrice fixed this issue [0].


[0]
https://github.com/inverse-inc/packetfence/commit/d56501a99483d7a85da425a80cdff98c8e2630c8
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)



Re: [PacketFence-users] Log spamming

2018-07-03 Thread Sallee, Jake via PacketFence-users
UPDATE:

I was able to get the log spamming from pfdhcp to stop after I disabled the 
service. We do not use the dhcp server on PF so that's no big deal.  

I would still like to know what I did wrong though, just to make sure it will 
not cause any other issues.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Sallee, Jake via PacketFence-users 

Sent: Tuesday, July 3, 2018 10:52 AM
To: packetfence
Cc: Sallee, Jake
Subject: [PacketFence-users] Log spamming

All:

my /var/log/messages file is getting spammed with several lines per second of 
the following:

Jul  3 10:49:07 NAC-PFv8-02 /usr/local/pf/bin/pfdhcp[30276]: 
t=2018-07-03T10:49:07-0500 lvl=info msg="Setting log level to INFO"
Jul  3 10:49:07 NAC-PFv8-02 /usr/local/pf/bin/pfdhcp[30276]: 
t=2018-07-03T10:49:07-0500 lvl=eror msg="Error while getting etcd key 
'10.61.30.0': 100: Key not found (/dhcpd) [13]" pid=30276

The IP changes and it looks like it is just cycling through the entries in my 
switches.conf.

Any idea what is going wrong and how to fix it?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
http://WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] Haproxy will always crash after a few hours

2018-07-03 Thread Sallee, Jake via PacketFence-users
Yes I am, here is what I am seeing:


please forgive the formatting.




cat /var/log/messages /usr/local/pf/logs/httpd.portal.error | grep -i haproxy

Jul 2 05:55:02 NAC-PFv8-01 kernel: haproxy[116369]: segfault at 41739e1d ip 560f414cd1d2 sp 7ffc0998ca30 error 4 in haproxy[560f41432000+101000]
Jul 2 05:55:02 NAC-PFv8-01 haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=0
Jul 3 10:37:09 NAC-PFv8-01 systemd: Stopping PacketFence HAProxy Load Balancer for connecting to clustered databases...
Jul 3 10:37:09 NAC-PFv8-01 haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=143
Jul 3 10:37:09 NAC-PFv8-01 systemd: packetfence-haproxy-db.service: main process exited, code=exited, status=143/n/a
Jul 3 10:37:09 NAC-PFv8-01 systemd: Stopped PacketFence HAProxy Load Balancer for connecting to clustered databases.
Jul 3 10:37:09 NAC-PFv8-01 systemd: Unit packetfence-haproxy-db.service entered failed state.
Jul 3 10:37:09 NAC-PFv8-01 systemd: packetfence-haproxy-db.service failed.
Jul 3 10:37:43 NAC-PFv8-01 systemd: Starting PacketFence HAProxy Load Balancer for connecting to clustered databases...
Jul 3 10:37:46 NAC-PFv8-01 pfcmd: haproxy-db|config generated
Jul 3 10:37:46 NAC-PFv8-01 systemd: Started PacketFence HAProxy Load Balancer for connecting to clustered databases.
Jul 3 10:37:46 NAC-PFv8-01 systemd: Starting PacketFence HAProxy Load Balancer for the captive portal...
Jul 3 10:37:49 NAC-PFv8-01 pfcmd: haproxy-portal|config generated
Jul 3 10:37:49 NAC-PFv8-01 systemd: Started PacketFence HAProxy Load Balancer for the captive portal.
Jul 3 10:39:15 NAC-PFv8-01 Keepalived_vrrp[17269]: Cannot find script killall -0 haproxy in path
Jul 3 10:39:15 NAC-PFv8-01 Keepalived_vrrp[17269]: Disabling track script haproxy since not found/accessible
Jul 3 12:22:57 NAC-PFv8-01 kernel: haproxy[16903]: segfault at fb181d ip 556900d401d2 sp 7ffd7fac0950 error 4 in haproxy[556900ca5000+101000]
Jul 3 12:22:57 NAC-PFv8-01 haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=0
Jul 3 13:37:37 NAC-PFv8-01 systemd: Starting PacketFence HAProxy Load Balancer for the captive portal...
Jul 3 13:37:40 NAC-PFv8-01 pfcmd: haproxy-portal|config generated
Jul 3 13:37:40 NAC-PFv8-01 systemd: Started PacketFence HAProxy Load Balancer for the captive portal.




Inverse peeps:


If you want I can be available for you guys to take a peek at my system, run an 
strace, etc.  This cluster is not yet in production so we can do whatever 
testing you want.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Murilo Calegari 
Sent: Tuesday, July 3, 2018 11:57 AM
To: packetfence-users@lists.sourceforge.net
Cc: Sallee, Jake
Subject: Re: [PacketFence-users] Haproxy will always crash after a few hours

Can you see if the same type of errors are registered in the log files I've 
mentioned?


On Tue, 3 Jul 2018 at 12:56, Sallee, Jake via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Sorry to butt in, but I wanted to say I think I am having the same issue.


haproxy seems to crash after a few hours, but only on one of the servers in my 
cluster.


Is there any test or logs I can provide to assist in the troubleshooting 
process?


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU<http://WWW.UMHB.EDU>

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Murilo Calegari via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Tuesday, July 3, 2018 10:06 AM
To: packetfence-users@lists.sourceforge.net
Cc: Murilo Calegari
Subject: Re: [PacketFence-users] Haproxy will always crash after a few hours

Hi, Fabrice

Trying to update haproxy hasn't worked since it returns the following error:

patch unexpectedly ends in middle of line
patch:  Only garbage was found in the patch input

I've been able to find the exact moment when Haproxy seems to stop (just a few 
seconds after I put it in production) — in /var/log/messages there's a log 
entry at 11:33:38 that states:

Jul  3 11:33:38 prometeu kernel: haproxy[1947]: segfault at db6cae1d ip 
55f4db45e1d2 sp 7ffeadb0bdc0 error 4 in haproxy[55f4db3c3000+101000]
Jul  3 11:33:38 prometeu haproxy-systemd-wrapper: haproxy-systemd-wrapper: 
exit, haproxy RC=0

From this moment it just crashes and it won't start automatically again.

Tracing what might have happened before this error, I've found the following, 
that appeared maybe over 50 times in /usr/local/pf/logs/httpd.portal.error:

Jul  3 11:33:36 prometeu httpd_portal_err: Use of uninitialized value $host in 
string eq at 
/usr/local/pf/li
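
The kernel segfault lines quoted in this thread (two from NAC-PFv8-01, one from prometeu) show different absolute addresses on every run, so they only become comparable once the instruction pointer is made relative to the mapping base printed in brackets. The following is an added example, not code from the thread or from PacketFence; the function names are hypothetical and the sample lines are the thread's log entries rejoined onto single lines.

```python
import re
from collections import defaultdict

# x86 page-fault error-code bits; the kernel prints the code in hex after "error".
PF_PROT = 0x01    # set: protection violation, clear: page not present
PF_WRITE = 0x02   # set: write access, clear: read access
PF_USER = 0x04    # set: fault happened in user mode
PF_INSTR = 0x10   # set: fault on an instruction fetch

SEGFAULT_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]:\s+segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r" in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# Log entries from the thread, rejoined onto one line each (the archive wraps them).
SAMPLE_LOG = """\
Jul 2 05:55:02 NAC-PFv8-01 kernel: haproxy[116369]: segfault at 41739e1d ip 560f414cd1d2 sp 7ffc0998ca30 error 4 in haproxy[560f41432000+101000]
Jul 2 05:55:02 NAC-PFv8-01 haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=0
Jul 3 12:22:57 NAC-PFv8-01 kernel: haproxy[16903]: segfault at fb181d ip 556900d401d2 sp 7ffd7fac0950 error 4 in haproxy[556900ca5000+101000]
Jul  3 11:33:38 prometeu kernel: haproxy[1947]: segfault at db6cae1d ip 55f4db45e1d2 sp 7ffeadb0bdc0 error 4 in haproxy[55f4db3c3000+101000]
"""


def describe_error(err):
    """Decode the page-fault error code into mode, access type and cause."""
    mode = "user" if err & PF_USER else "kernel"
    if err & PF_INSTR:
        kind = "instruction fetch"
    elif err & PF_WRITE:
        kind = "write"
    else:
        kind = "read"
    cause = "protection violation" if err & PF_PROT else "page not present"
    return f"{mode}-mode {kind}, {cause}"


def parse_segfault(line):
    """Return a record for a kernel segfault line, or None for any other line."""
    m = SEGFAULT_RE.match(line)
    if m is None:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    # The offset is relative to the mapping the kernel printed; it is only
    # meaningful when the faulting instruction lies inside that mapping.
    offset = ip - base if base <= ip < base + size else None
    return {
        "when": m["when"],
        "host": m["host"],
        "pid": int(m["pid"]),
        "module": m["module"],
        "offset": offset,
        "fault_addr": int(m["addr"], 16),
        "access": describe_error(int(m["err"], 16)),
    }


def group_by_fault_site(lines):
    """Group crashes by (module, offset) so ASLR no longer hides repeats."""
    sites = defaultdict(list)
    for line in lines:
        rec = parse_segfault(line)
        if rec is not None and rec["offset"] is not None:
            sites[(rec["module"], rec["offset"])].append(rec)
    return dict(sites)


def summarize(sites):
    """One human-readable line per distinct fault site."""
    out = []
    for (module, offset), recs in sorted(sites.items()):
        hosts = ", ".join(sorted({r["host"] for r in recs}))
        access = ", ".join(sorted({r["access"] for r in recs}))
        out.append(f"{module}+{offset:#x}: {len(recs)} crash(es) on {hosts} ({access})")
    return out


if __name__ == "__main__":
    for row in summarize(group_by_fault_site(SAMPLE_LOG.splitlines())):
        print(row)
```

All three crashes resolve to the same offset in the haproxy mapping on both hosts, which is what points to a single defect rather than unrelated failures.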

Re: [PacketFence-users] Haproxy will always crash after a few hours

2018-07-03 Thread Sallee, Jake via PacketFence-users
Sorry to butt in, but I wanted to say I think I am having the same issue.


haproxy seems to crash after a few hours, but only on one of the servers in my 
cluster.


Is there any test or logs I can provide to assist in the troubleshooting 
process?


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Murilo Calegari via PacketFence-users 

Sent: Tuesday, July 3, 2018 10:06 AM
To: packetfence-users@lists.sourceforge.net
Cc: Murilo Calegari
Subject: Re: [PacketFence-users] Haproxy will always crash after a few hours

Hi, Fabrice

Trying to update haproxy hasn't worked since it returns the following error:

patch unexpectedly ends in middle of line
patch:  Only garbage was found in the patch input

I've been able to find the exact moment when Haproxy seems to stop (just a few 
seconds after I put it in production) — in /var/log/messages there's a log 
entry at 11:33:38 that states:

Jul  3 11:33:38 prometeu kernel: haproxy[1947]: segfault at db6cae1d ip 
55f4db45e1d2 sp 7ffeadb0bdc0 error 4 in haproxy[55f4db3c3000+101000]
Jul  3 11:33:38 prometeu haproxy-systemd-wrapper: haproxy-systemd-wrapper: 
exit, haproxy RC=0

From this moment it just crashes and it won't start automatically again.

Tracing what might have happened before this error, I've found the following, 
that appeared maybe over 50 times in /usr/local/pf/logs/httpd.portal.error:

Jul  3 11:33:36 prometeu httpd_portal_err: Use of uninitialized value $host in 
string eq at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
298.

This sequence started at 11:33:23 and stopped at 11:33:36, 2 seconds before 
Haproxy crashes.

Is it possible that this caused the issue? I haven't seen the same error 
appearing any time while we were testing with 1 or 2 devices. I'm attaching the 
two logs mentioned.

Hope someone can help me.

Best Regards,

Murilo Calegari de Souza

On Fri, 22 Jun 2018 at 15:37, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello,

sorry a typo, this is:

curl https://github.com/inverse-inc/packetfence/pull/3209.diff | patch -p1 --dry-run


curl https://github.com/inverse-inc/packetfence/pull/3209.diff | patch -p1

Regards
Fabrice


On 2018-06-22 at 13:57, Gerllys Speroto Calvi wrote:
Hi,

The command you entered does not work on CentOS 7.
Displays the message: 3209.diff command does not exist.

I executed the following commands:
wget https://github.com/inverse-inc/packetfence/pull/3209.diff

3209.diff | patch -p1 --dry-run

3209.diff | patch -p1

What is the correct way to run the 3209.diff file?


2018-06-21 21:42 GMT-03:00 Murilo Calegari <murilo.calegari.so...@gmail.com>:


---------- Forwarded message ---------
From: Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
Date: Thu, Jun 21, 2018 at 21:35
Subject: Re: [PacketFence-users] Haproxy will always crash after a few hours
To: <packetfence-users@lists.sourceforge.net>
Cc: Durand fabrice <fdur...@inverse.ca>



Hello Murilo,

in the incoming PacketFence 8.1 version we upgraded the haproxy version.

If you want you can try to upgrade to the 1.8 version and apply this patch 
https://github.com/inverse-inc/packetfence/pull/3209.diff

To apply the patch:

https://github.com/inverse-inc/packetfence/pull/3209.diff
 | patch -p1 --dry-run

If no error:


[PacketFence-users] Log spamming

2018-07-03 Thread Sallee, Jake via PacketFence-users
All:

my /var/log/messages file is getting spammed with several lines per second of 
the following:

Jul  3 10:49:07 NAC-PFv8-02 /usr/local/pf/bin/pfdhcp[30276]: 
t=2018-07-03T10:49:07-0500 lvl=info msg="Setting log level to INFO"
Jul  3 10:49:07 NAC-PFv8-02 /usr/local/pf/bin/pfdhcp[30276]: 
t=2018-07-03T10:49:07-0500 lvl=eror msg="Error while getting etcd key 
'10.61.30.0': 100: Key not found (/dhcpd) [13]" pid=30276

The IP changes and it looks like it is just cycling through the entries in my 
switches.conf.

Any idea what is going wrong and how to fix it?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



[PacketFence-users] 802.1x auto de-register

2018-06-29 Thread Sallee, Jake via PacketFence-users
All:

How can I disable the feature that automatically de-registers an endpoint when 
they de-associate with an 802.1x SSID?

I want them to be auto-registered when they associate, but when they drop off I 
want them to stay registered.

In my environment we are setting up two SSIDs, one un-encrypted and the other 
... you guessed it ... encrypted.  Users can roam between the two SSIDs and may 
get annoyed if they have to re-register every time they return to the open SSID 
after leaving the 802.1x SSID.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] Autoregistering thousand of Chromebooks

2018-06-29 Thread Sallee, Jake via PacketFence-users
TL;DR: The PF RADIUS server always accepts connection requests unless the node 
is assigned the DENY role (or a custom equivalent).

Longer answer:

Let's assume you are using VLan enforcement (it's the most common and what I am 
familiar with : )

Here is the work flow for an unregistered node that PF has never seen before:

When the access request comes in to PF using the MAC as the username PF adds 
the MAC to its database and ACCEPTS the connection.  However PF adds a RADIUS 
AVPair to the RADIUS response instructing the AP or switch (the NAS in RADIUS 
parlance) to place the device in the registration VLan.

The device is now on the registration network and the user is forced to 
register.

PF de-authenticates the device from the NAS.

The device interprets this loss of connection as a simple interruption and 
tries to reconnect.

PF RADIUS sees the MAC, does the DB query and finds it is reg'ed, and returns 
an ACCESS ACCEPT.  This time the AVPair contains the VLan for the role the 
client was assigned by the registration process.

and voilà!

In order for the node to have access to the reg portal (and the isolation 
portal) the RADIUS server still must accept the access request.  If PF sent an 
ACCESS DENY response the node would not be able to get on the network at all.

That is why PF accepts connections by default.

Hope that helps.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Steve Pfister via PacketFence-users 

Sent: Friday, June 29, 2018 8:59 AM
To: Sallee, Jake via PacketFence-users
Cc: Steve Pfister
Subject: Re: [PacketFence-users] Autoregistering thousand of Chromebooks

Actually, I thought the WLC was still doing the MAC filtering. It
appears to be sending an auth request to PF using the MAC address as the
username, and something obscured as the password (I'm assuming it's also
the MAC). It looks like it's getting authenticated even though no
username like that exists. Why would that be?

On 6/28/2018 12:35 PM, Sallee, Jake via PacketFence-users wrote:
>> Does MAC filtering really not do anything?
> PF doesn't do MAC filtering by default.



Re: [PacketFence-users] Autoregistering thousand of Chromebooks

2018-06-28 Thread Sallee, Jake via PacketFence-users
I think I'm confused.

I thought your problem was you had lots of chromebooks you wanted to register 
without having to go through the captive portal on each one.

There are two ways you can do this:

1) setup a registration switch / AP and connect the units to it

or

2) get a list of the MAC addresses and import them via the Admin GUI

> Does MAC filtering really not do anything?

PF doesn't do MAC filtering by default.  Unless you specifically tell PF to 
deny a connection it will be accepted, but the endpoint will be placed into a 
vlan or network segment which corresponds to the role you have specified for 
that endpoint.

So it is less MAC filtering and more MAC sorting.  The idea being that you 
setup your roles to restrict the access of the nodes on the segment  to only 
what you want them to have.

I think I am missing some info that will help me help you.  Can you give me a 
quick rundown of your situation and the issue you are having?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Steve Pfister via PacketFence-users 

Sent: Thursday, June 28, 2018 9:41 AM
To: packetfence-users@lists.sourceforge.net
Cc: Steve Pfister
Subject: Re: [PacketFence-users] Autoregistering thousand of Chromebooks

I have it where it will connect and is assigned to the right vlan now.
The problem is, it's not doing any MAC filtering at all. It will let
anyone at all in. Does MAC filtering really not do anything?

On 6/25/2018 5:55 PM, Sallee, Jake via PacketFence-users wrote:
> Do you have a test area you can use?
>
> PF has a mode you can use on your switch / AP that will auto-register any 
> device you plug in / associate to that device.
>
> If you set up a switch or AP in PF and set its mode to registration it will 
> do what you want.
>
> Where you set the role for the auto-registered endpoints I'm not sure, but I 
> am pretty sure it can be done.
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> http://WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> 
> From: Steve Pfister via PacketFence-users 
> 
> Sent: Monday, June 25, 2018 4:11 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Steve Pfister
> Subject: [PacketFence-users] Autoregistering thousand of Chromebooks
>
> We have thousands of Chromebooks that currently use pre-shared keys to
> authenticate. We'd like to use Packetfence and MAC authentication
> instead. I have a test SSID setup, and I'm able to connect to it, but I
> can't seem to get registered without it trying to go through the captive
> portal. Is it not possible to just use MAC authentication?
>
>

Re: [PacketFence-users] Autoregistering thousand of Chromebooks

2018-06-25 Thread Sallee, Jake via PacketFence-users
Do you have a test area you can use?

PF has a mode you can use on your switch / AP that will auto-register any 
device you plug in / associate to that device.

If you set up a switch or AP in PF and set its mode to registration it will do 
what you want.

Where you set the role for the auto-registered endpoints I'm not sure, but I am 
pretty sure it can be done.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Steve Pfister via PacketFence-users 

Sent: Monday, June 25, 2018 4:11 PM
To: packetfence-users@lists.sourceforge.net
Cc: Steve Pfister
Subject: [PacketFence-users] Autoregistering thousand of Chromebooks

We have thousands of Chromebooks that currently use pre-shared keys to
authenticate. We'd like to use Packetfence and MAC authentication
instead. I have a test SSID setup, and I'm able to connect to it, but I
can't seem to get registered without it trying to go through the captive
portal. Is it not possible to just use MAC authentication?




[PacketFence-users] 802.1x configuration instructions

2018-06-22 Thread Sallee, Jake via PacketFence-users
All:

The instructions for configuring 802.1x in the install guide are fine for 
testing but not really for a production install.

Are there any instructions on configuring a production 802.1x deployment?  I 
understand inverse can't talk about all the hundreds of different vendors, but 
it would be helpful if we could get some more detailed instructions for 
configuring the PF side of things.

I am trying to install new certs for our 802.1x deployment, any help is 
appreciated. 

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] Replacing snake oil certs with production certs.

2018-06-20 Thread Sallee, Jake via PacketFence-users
I knew it ... I knew it!

The instant I posted this I knew I would find the problem and it would be my 
own fault.

For posterity the issue was the private key file was password protected.  Use 
openssl to remove the password and *BAM*  services start up fine.

My apologies for the false alarm, hopefully someone else can learn from my 
mistake.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Sallee, Jake via PacketFence-users 

Sent: Wednesday, June 20, 2018 4:14 PM
To: packetfence
Cc: Sallee, Jake
Subject: [PacketFence-users] Replacing snake oil certs with production certs.

All:

This is a new PFv8.0.1 3 node cluster install.

Are there any instructions for installing new production certs on the PF 
servers in a cluster?

I have a new cert that I am trying to install but when I do the httpd services 
fail to restart.

I'm thinking the certs need to be processed into a format that PF likes, I just 
don't know what that format is.

I renamed the self signed cert and key file to old-server.crt and 
old-server.key, then copied my new cert and key file, and named them server.crt 
and server.key.  Next I chown'ed and chmod'ed the new certs to be pf:pf 660 
(which is what the default certs are).

When I bounce the httpd.portal and/or httpd.admin the services stop but fail to 
start again.  Reverting the certs fixes the issue.

Any guidance would be happily accepted.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



[PacketFence-users] Replacing snake oil certs with production certs.

2018-06-20 Thread Sallee, Jake via PacketFence-users
All:

This is a new PFv8.0.1 3 node cluster install.

Are there any instructions for installing new production certs on the PF 
servers in a cluster?

I have a new cert that I am trying to install but when I do the httpd services 
fail to restart.

I'm thinking the certs need to be processed into a format that PF likes, I just 
don't know what that format is.

I renamed the self signed cert and key file to old-server.crt and 
old-server.key, then copied my new cert and key file, and named them server.crt 
and server.key.  Next I chown'ed and chmod'ed the new certs to be pf:pf 660 
(which is what the default certs are).

When I bounce the httpd.portal and/or httpd.admin the services stop but fail to 
start again.  Reverting the certs fixes the issue.

Any guidance would be happily accepted.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



[PacketFence-users] Cannot Remove Node Role

2018-06-06 Thread Sallee, Jake via PacketFence-users
Gents:

I am testing my new 8.0.1 cluster, I added a test role called  you guessed 
it, test.  I would like to remove the role now, but I cannot.

How does one go about removing or renaming a node role in PFv8?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



[PacketFence-users] Maintenance Patch Install Instructions for Clusters

2018-06-06 Thread Sallee, Jake via PacketFence-users
I can't find any official documentation on how to install the available 
maintenance patches for PF, especially in an active/active cluster.

Anyone have some pointers?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] New PF install trouble joining child domain

2018-06-03 Thread Sallee, Jake via PacketFence-users
Fabrice:

I missed your reply, my apologies.

I did end up finding the issue.

We have a domain and a child domain and apparently it's a problem if you try to 
join the server to both the parent and the child with the same name.  I was 
able to solve the issue by just changing the server name slightly when joining 
the child domain.

All the literature I was able to find on the internet about the error all 
referenced not having the correct permissions.

Other than that the install and configuration process has been pretty smooth.

My first impressions of PFv8 have been pretty positive, you guys did some good 
work.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Durand fabrice via PacketFence-users 

Sent: Friday, June 1, 2018 9:02 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] New PF install trouble joining child domain

Hello Jake,

just one word, sometimes samba/winbind is a nightmare to debug.

What I can suggest is to set the log to debug and see if you have more
information.

Change the file
https://github.com/inverse-inc/packetfence/blob/devel/addons/AD/smb.tt
and add : log level = 3

Regards

Fabrice



On 2018-05-31 at 09:20, Sallee, Jake via PacketFence-users wrote:
> All:
>
> I'm setting up a new PFv8.1 cluster and I am at the point where I am joining 
> the individual servers to the domains we have.
>
> The main / parent domain join went perfectly, but I am unable to join the 
> child domain.  Here is the error :
>
> Failed to join domain: Failed to set machine spn: Constraint violation
> Do you have sufficient permissions to create machine accounts?
>
> Google-ing the error says to make sure the join account has the correct 
> privileges, I am assuming it does as the account is a domain admin.  
> Interestingly enough the computer account DOES get created in AD complete 
> with GUID and SID.
>
> The winbindd log is spamming the following MANY times per second:
>
> May 30 16:11:50 NAC-PFv8-01 winbindd[95903]: [2018/05/30 21:11:50.730648,  0] 
> ../source3/winbindd/winbindd_cache.c:3170(initialize_winbindd_cache)
> May 30 16:11:50 NAC-PFv8-01 winbindd[95903]:  initialize_winbindd_cache: 
> clearing cache and re-creating with version number 2
> May 30 16:11:50 NAC-PFv8-01 winbindd[95903]: [2018/05/30 21:11:50.735636,  0] 
> ../source3/winbindd/winbindd_util.c:891(init_domain_list)
> May 30 16:11:50 NAC-PFv8-01 winbindd[95903]:  Could not fetch our SID - did 
> we join?
> May 30 16:11:50 NAC-PFv8-01 winbindd[95903]: [2018/05/30 21:11:50.735686,  0] 
> ../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
> May 30 16:11:50 NAC-PFv8-01 winbindd[95903]:  unable to initialize domain list
>
> Any ideas?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>




[PacketFence-users] New PF install trouble joining child domain

2018-05-31 Thread Sallee, Jake via PacketFence-users
All:

I'm setting up a new PFv8.1 cluster and I am at the point where I am joining 
the individual servers to the domains we have.

The main / parent domain join went perfectly, but I am unable to join the child 
domain.  Here is the error :

Failed to join domain: Failed to set machine spn: Constraint violation
Do you have sufficient permissions to create machine accounts?

Google-ing the error says to make sure the join account has the correct 
privileges, I am assuming it does as the account is a domain admin.  
Interestingly enough the computer account DOES get created in AD complete with 
GUID and SID.

The winbindd log is spamming the following MANY times per second:

May 30 16:11:50 NAC-PFv8-01 winbindd[95903]: [2018/05/30 21:11:50.730648,  0] 
../source3/winbindd/winbindd_cache.c:3170(initialize_winbindd_cache)
May 30 16:11:50 NAC-PFv8-01 winbindd[95903]:  initialize_winbindd_cache: 
clearing cache and re-creating with version number 2
May 30 16:11:50 NAC-PFv8-01 winbindd[95903]: [2018/05/30 21:11:50.735636,  0] 
../source3/winbindd/winbindd_util.c:891(init_domain_list)
May 30 16:11:50 NAC-PFv8-01 winbindd[95903]:  Could not fetch our SID - did we 
join?
May 30 16:11:50 NAC-PFv8-01 winbindd[95903]: [2018/05/30 21:11:50.735686,  0] 
../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
May 30 16:11:50 NAC-PFv8-01 winbindd[95903]:  unable to initialize domain list

Any ideas?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] Clustering-nodes rebooted

2017-12-11 Thread Sallee, Jake via PacketFence-users
Rebooting all nodes at once is ... less than desirable : )


What is the error you are getting in your mariadb logs?


Also, look here:


http://galeracluster.com/documentation-webpages/monitoringthecluster.html


and here


http://galeracluster.com/documentation-webpages/troubleshooting.html


Both places have some excellent info that will probably help you get back up 
and running again.


My gut says your first stop should be the mariadb log, that will point you in 
the correct direction.


If you find more specific info and get stuck post back to this list and if I 
see it I'll try to assist as I can.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Luís Torres via PacketFence-users 

Sent: Monday, December 11, 2017 3:34 PM
To: packetfence-users@lists.sourceforge.net
Cc: Luís Torres
Subject: [PacketFence-users] Clustering-nodes rebooted


Hello mates,



I rebooted all 3 nodes at the same time and now it keeps sending me this error:



pf::db::db_connect)
Dec 11 21:33:02 pf01 packetfence: FATAL -e(626): unable to connect to database: 
Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' 
(111 "Connection refused") at -e line 1.
(pf::db::db_connect)
Dec 11 21:33:03 pf01 packetfence: INFO pf-mariadb(1278): There is an alive 
quorum but no db available on any server (main::startup_clean_shutdown)
Dec 11 21:33:03 pf01 packetfence: INFO pf-mariadb(1278): This node is not safe 
to bootstrap from. Starting in normal mode to connect to a bootstrapped peer. 
(main::startup_clean_shutdown)
Dec 11 21:33:03 pf01 packetfence: FATAL -e(626): unable to connect to database: 
Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' 
(111 "Connection refused") at -e line 1.
(pf::db::db_connect)



I cannot start now the cluster :(



any ideas?



Regards to all

LT







Re: [PacketFence-users] Question about device-registration page

2017-11-13 Thread Sallee, Jake via PacketFence-users
All:

Forgive me for jumping in here but I wanted to put in my $.02.

Generally the user's role is how you assign the user's level of network access. 
 If you give the user a way to self assign a role you will need to find a way 
to verify that user has the necessary rights to that role.

Guests may have different levels of access than patrons/students, while 
patrons/students will have different access than employees or admin users.

If you allow the user to self assign the role you will need to somehow prove 
the user has the appropriate  permissions for that role.

If you are able to prove the permissions necessary for a given role, then you 
should be able to automatically assign the role without the user's need to pick 
one. Right?

I can see the ability to choose a role being helpful if you have multiple roles 
with identical access, the ability to choose then could be helpful in 
reporting.  But, that relies on your users being honest and I just don't trust 
users ... but that could just be my battle hardened cynicism coming into play : )

Obviously, there is no disrespect intended here, just joining the discussion.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Fabrice Durand via PacketFence-users 

Sent: Monday, November 13, 2017 10:10 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Question about device-registration page

Hello Marcus,

in the device registration page there is no way to allow the end user to
choose the role.

You define it or PacketFence uses the same one of the user.

Also Julien did this sort of thing you want to use on the device
registration page but for the captive portal.
(https://github.com/inverse-inc/packetfence/pull/2471)

Right now nobody asked to add a way to be able to select a role on the
device registration page, so if you want to do that we will be happy to
include this patch in PacketFence.

Regards

Fabrice



On 2017-11-13 at 10:35, Marcus Lauer via PacketFence-users wrote:
>I am running PacketFence 7.3.0 on a RHEL7 system and have
> encountered some issues with device registration. First, registration
> though the https://hostname/device-registration page did not work at all
> until I installed the patch at
> https://github.com/inverse-inc/packetfence/commit/10223d70146120a4e2a63bd169536ebcd82917c4.
> So thank you julsemaan for that patch.
>
>My question is this: Is there an easy way to let the user choose
> a Role through the device-registration page?
>
>In our captive portal the first thing users have to do is choose
> either "Computer" or "Device". This is easy to do in the captive portal.
> I just have a "Choice" portal module which lets them choose between two
> authentication modules, each of which does a "set_role" upon successful
> login. These Roles end up on different VLANs.
>
>Unfortunately in the device-registration page there is no mention
> of the device role. The Role is not among the device information shown
> in the list of registered devices. Also, when registering a device there
> is no method for selecting the Role. It appears that whichever Role was
> chosen in the Device Registration selected for that Connection Profile
> is the one which is applied.
>
>I could probably do the necessary coding to add Role selection to
> the device-registration page. Before I do that I just want to make sure
> that I'm not missing an easier way to do it.
>
>I would also like to note that in the unpatched PacketFence 7.3.0
> it is possible to select multiple roles for a Device Registration. The
> patch I mentioned above changed the multiple selection box for Role in a
> Device Registration Entry to a drop-down list. This suggests to me that
> someone might have intended to allow multiple roles to be associated
> with one device registration. Perhaps the idea was to let the user
> select a role after registering? If this is the case then I would love
> to know so that I don't duplicate someone else's efforts.
>

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  https://www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




Re: [PacketFence-users] PacketFence FreeRADIUS only configuration

2017-10-12 Thread Sallee, Jake via PacketFence-users
Matt:


To elaborate on Fabrice's statements just a bit:


The RADIUS portion of PF can be thought of as just the mechanism PF uses to 
talk to the controllers / APs / Switches.


All the logic of who and what devices get what role is defined in PF and those 
roles should correspond with some type of established network based method of 
controlling access.


In our instance we use VLans and internal firewalls.


When a user authenticates the role they are assigned in PF triggers the RADIUS 
server to respond to the AP with a VLan assignment for that host, that vlan has 
established rules concerning where hosts on the subnet can and cannot go on the 
network which are enforced via our internal firewalls.


There are other ways you can do it but this is how we do it and my gut feeling 
is it is very similar to how most people deploy PF.


PF will not return an ACCESS DENY except under special circumstances, most of 
the time you don't want access deny anyway.  Typically when you want to deny a 
user access to network resources, you want to isolate them.


Isolation provides the ability to push the user onto a network subnet where you 
can better control their access and allow for self-remediation, if you want.


There are corner cases where outright rejecting the user is what you want, and 
I am just a stranger on the Internet who knows nothing about your specific 
requirements ... so you can take my comments with a proverbial grain of salt, 
YMMV, etc.


Hope that helps, please feel free to post back to the list  with any problems 
you have.  If I can help and I have time I'll respond.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Fabrice Durand via PacketFence-users 

Sent: Thursday, October 12, 2017 10:30 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] PacketFence FreeRADIUS only configuration


Hello Matt,

With mac auth PacketFence returns Accept by default but the vlan_id/Acl/Role is 
different based on the status of the device.

Let's say if a device is unreg then you probably want to return Accept with an 
acl name that will deny the access to the network and when you set the device 
reg with a role then you probably want to Accept too but with an acl name that 
will allow the device on the network.

On the opposite when you do 802.1x then if the username and password is correct 
then PacketFence will return Accept but if you use a wrong username and 
password the return will be Deny.

Also to debug when freeradius run, go in /usr/local/pf and do raddebug -f 
var/run/radius.sock -t 3000

Regards
Fabrice

Le 2017-10-12 à 10:47, Matt Fogleman via PacketFence-users a écrit :
I'm really new to both FreeRADIUS and PacketFence, what I am trying to do is 
just get a simple Mac auth configuration up for our wireless network.  I 
installed PacketFence with the new RADIUS only option on RHEL7, I added our 
wireless controller in the Configuration > Switches section and gave it the 
RADIUS key, and also configured the same thing on our wireless controller.

It seems to be accepting connections, but it is just accepting everything.  I 
added the Mac address of a laptop in the "Nodes" section, and saw in Auditing 
that it sent back an Accept message.  But then I deleted the Mac address out of 
"Nodes" and tried again and it sent the Accept message again.  So I tried a 
different device that I hadn't added before, and it got accepted as well.

Is there somewhere I have to configure the conditions for it to send back a 
Reject message?

I'm also getting an error when trying to start debugging.
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 
0x1000105f (1.0.1e release) (in range 1.0.1 release - 1.0.1t rele)
Has anyone else encountered this?

--
Matt Fogleman
Network Technician
Unionville-Chadds Ford School District
(o)  (610) 347-0970






--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  
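
The behaviour described in this thread (MAC auth always answers Accept and only the returned VLAN changes, while 802.1X answers Reject on bad credentials) can be modelled as below. This is an added sketch, not PacketFence or FreeRADIUS code: the role names, VLAN IDs, the isolated flag, and the sample nodes and users are assumptions, and it shows why a MAC deleted from Nodes still gets an Accept.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed role-to-VLAN map; names and IDs are assumptions for this sketch.
ROLE_VLAN = {"registration": 2, "isolation": 3, "staff": 10, "guest": 20}

@dataclass
class Node:
    status: str = "unreg"        # "reg" or "unreg"
    role: Optional[str] = None   # role assigned at registration
    isolated: bool = False       # hypothetical flag: node is to be isolated

def accept(vlan_id: int) -> dict:
    """Access-Accept carrying the RFC 3580 VLAN assignment attributes."""
    return {"code": "Access-Accept", "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan_id)}

def norm(mac: str) -> str:
    return mac.lower().replace("-", ":")

def mac_auth(nodes: dict, mac: str) -> dict:
    """MAC auth: always Accept; the device state only selects the VLAN."""
    node = nodes.get(norm(mac))
    if node is None or node.status != "reg" or node.role not in ROLE_VLAN:
        return accept(ROLE_VLAN["registration"])   # unknown or unregistered
    if node.isolated:
        return accept(ROLE_VLAN["isolation"])
    return accept(ROLE_VLAN[node.role])

def dot1x_auth(users: dict, username: str, password: str) -> dict:
    """802.1X: bad credentials are the case that yields a Reject.
    Real EAP methods never compare plaintext; this stands in for that check."""
    entry = users.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(),
                                                password.encode()):
        return {"code": "Access-Reject"}
    return accept(ROLE_VLAN[entry[1]])

# Constructed sample data.
NODES = {"aa:bb:cc:00:00:01": Node("reg", "staff"),
         "aa:bb:cc:00:00:02": Node("reg", "guest", isolated=True)}
USERS = {"alice": ("correct horse", "staff")}

if __name__ == "__main__":
    for mac in ("AA-BB-CC-00-00-01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"):
        print(mac, mac_auth(NODES, mac))
    print(dot1x_auth(USERS, "alice", "wrong"))
```

Because the Accept itself grants nothing, enforcement rests entirely on what the registration and isolation VLANs (or ACLs) are allowed to reach.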

Re: [PacketFence-users] HP 1920 (JG1920-14G) support ?

2017-07-05 Thread Sallee, Jake via PacketFence-users
According to HP's documentation the switch supports MAC auth and 802.1x

https://www.hpe.com/h20195/v2/GetPDF.aspx/c04394247.pdf

Have you tried using those?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: devzero--- via PacketFence-users 
Sent: Wednesday, July 5, 2017 9:06 AM
To: packetfence-users@lists.sourceforge.net
Cc: devz...@web.de
Subject: [PacketFence-users] HP 1920 (JG1920-14G) support ?

Hello,

any chance to get packetfence to work with HP 1920 Switches?

I wanted to try as a generic device via snmp and getting this far:

Jul  5 15:57:18 packetfence packetfence: INFO pfcmd.pl(12509): generating 
/usr/local/pf/var/conf/ssl-certificates.conf 
(pf::services::manager::httpd::generateCommonConfig)
Jul  5 15:57:18 packetfence packetfence: INFO pfcmd.pl(12509): generating 
/usr/local/pf/var/conf/captive-portal-common 
(pf::services::manager::httpd::generateCommonConfig)
Jul  5 15:57:23 packetfence pfqueue: pfqueue(11017) INFO: [mac:] up trap 
received on 172.16.26.25 ifIndex 6 (pf::task::pfsnmp::handleUpTrap)
Jul  5 15:57:23 packetfence pfqueue: pfqueue(11017) INFO: [mac:] setting 
172.16.26.25 port 6 to MAC detection VLAN (pf::task::pfsnmp::handleUpTrap)
Jul  5 15:57:23 packetfence pfqueue: pfqueue(11017) INFO: [mac:] setting VLAN 
at 172.16.26.25 ifIndex 6 from 30 to 4 (pf::Switch::setVlan)
Jul  5 15:57:23 packetfence pfqueue: pfqueue(11017) ERROR: [mac:] Error occured 
while handling trap : Can't locate object method "_setVlan" via package 
"pf::Switch::Generic" at /usr/local/pf/lib/pf/Switch.pm line 688.
 (pf::task::pfsnmp::handleTrap)
Jul  5 15:57:24 packetfence packetfence: pfsetvlan(0) WARN: [mac:[undef]] 
ignoring non trap line  perl callback function 0x7fd57fb142c8 returns 1 (main::)
Jul  5 15:57:24 packetfence packetfence: pfsetvlan(0) WARN: [mac:[undef]] 
ignoring non trap line  perl callback function 0x7fd57fb142c8 returns 1 (main::)
Jul  5 15:57:24 packetfence packetfence: pfsetvlan(6) WARN: [mac:[undef]] SNMP 
trap handling not implemented for this type of switch. (pf::Switch::parseTrap)
Jul  5 15:57:24 packetfence packetfence: pfsetvlan(7) WARN: [mac:[undef]] SNMP 
trap handling not implemented for this type of switch. (pf::Switch::parseTrap)
Jul  5 15:57:28 packetfence pfqueue: pfqueue(11026) INFO: [mac:] down trap 
received on 172.16.26.25 ifIndex 6 (pf::task::pfsnmp::handleDownTrap)
Jul  5 15:57:28 packetfence pfqueue: pfqueue(11026) INFO: [mac:] setting 
172.16.26.25 port 6 to MAC detection VLAN (pf::task::pfsnmp::handleDownTrap)
Jul  5 15:57:28 packetfence pfqueue: pfqueue(11026) INFO: [mac:] setting VLAN 
at 172.16.26.25 ifIndex 6 from 30 to 4 (pf::Switch::setVlan)
Jul  5 15:57:28 packetfence pfqueue: pfqueue(11026) ERROR: [mac:] Error occured 
while handling trap : Can't locate object method "_setVlan" via package 
"pf::Switch::Generic" at /usr/local/pf/lib/pf/Switch.pm line 688.
 (pf::task::pfsnmp::handleTrap)
Jul  5 15:57:30 packetfence packetfence: pfsetvlan(0) WARN: [mac:[undef]] 
ignoring non trap line  perl callback function 0x7fd57fb142c8 returns 1 (main::)
Jul  5 15:57:30 packetfence packetfence: pfsetvlan(8) WARN: [mac:[undef]] SNMP 
trap handling not implemented for this type of switch. (pf::Switch::parseTrap)
Jul  5 15:57:31 packetfence pfqueue: pfqueue(11021) INFO: 
[mac:3c:07:54:41:ca:ee] oldip (10.0.30.10) and newip (10.0.20.10) are different 
for 3c:07:54:41:ca:ee - closing ip4log entry (pf::api::update_ip4log)
Jul  5 15:57:32 packetfence pfqueue: pfqueue(11028) INFO: [mac:] up trap 
received on 172.16.26.25 ifIndex 5 (pf::task::pfsnmp::handleUpTrap)
Jul  5 15:57:32 packetfence pfqueue: pfqueue(11028) INFO: [mac:] setting 
172.16.26.25 port 5 to MAC detection VLAN (pf::task::pfsnmp::handleUpTrap)
Jul  5 15:57:32 packetfence pfqueue: pfqueue(11028) INFO: [mac:] setting VLAN 
at 172.16.26.25 ifIndex 5 from 20 to 4 (pf::Switch::setVlan)
Jul  5 15:57:32 packetfence pfqueue: pfqueue(11028) ERROR: [mac:] Error occured 
while handling trap : Can't locate object method "_setVlan" via package 
"pf::Switch::Generic" at /usr/local/pf/lib/pf/Switch.pm line 688.
 (pf::task::pfsnmp::handleTrap)


Further question:
How can I clean already detected devices from node database?
I did not enter dhcp server ip in the first setup and nodes seem all to be 
detected via management interface, what I don't want to occur.

regards
Roland
