Re: [PacketFence-users] PF 8.0.1 upgrade problem

2018-06-06 Thread Sokolowski, Darryl via PacketFence-users
/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfipset|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfmon|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfperl-api|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfqueue|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfsetvlan|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfsso|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfstats|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
radiusd-acct|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
radiusd-auth|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
radsniff|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
redis_ntlm_cache|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
redis_queue|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
routes|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
snmptrapd|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
statsd|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
winbindd|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
Restarting journald to enable persistent logging
Setting packetfence.target as the default systemd target.

From: Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Friday, June 1, 2018 9:50 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] PF 8.0.1 upgrade problem


Hello Darryl,

Your issue is because pfconfig is not running.

Can you do:

systemctl restart packetfence-config

Regards

Fabrice

On 2018-06-01 at 12:31, Sokolowski, Darryl via PacketFence-users wrote:
Hi all,
I am attempting an upgrade from PF 7.4 to 8.0.1 and getting the attached errors during "yum upgrade".
Afterwards, PF is not working.
I did a checkup on the 7.4 installation before attempting the upgrade and it passed.
Any help? I don't know where to go from here.
My installation is from a PF-ZEN image.

Thanks
Darryl


  Installing : netdata-1.10.0-12.1.x86_64   16/23
Warning: mariadb.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Removed symlink /etc/systemd/system/packetfence-base.target.wants/packetfence-redis-cache.service.
Removed symlink /etc/systemd/system/packetfence-base.target.wants/packetfence-config.service.
Failed to execute operation: No such file or directory
.
.
.
  Updating   : packetfence-8.0.1-1.el7.noarch   17/23
warning: /usr/local/pf/conf/profiles.conf created as /usr/local/pf/conf/profiles.conf.rpmnew
warning: /usr/local/pf/conf/switches.conf created as /usr/local/pf/conf/switches.conf.rpmnew
Couldn't require pf::services::manager::dhcpd : Bareword 
"pf::config::is_oma

Re: [PacketFence-users] PF 8.0.1 upgrade problem

2018-06-04 Thread Sokolowski, Darryl via PacketFence-users
ce disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfdetect|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfdhcp|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfdhcplistener|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfdns|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pffilter|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfipset|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfmon|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfperl-api|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfqueue|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfsetvlan|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfsso|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
pfstats|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
radiusd-acct|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
radiusd-auth|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
radsniff|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
redis_ntlm_cache|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
redis_queue|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
routes|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
snmptrapd|Service disabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
statsd|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
winbindd|Service enabled
Callback for pthread_atfork() died (ignored): Trying to store a value in resource::unified_api_system_user at /usr/local/pf/lib/pf/api/unifiedapiclient.pm line 53.
Restarting journald to enable persistent logging
Setting packetfence.target as the default systemd target.

From: Durand fabrice via PacketFence-users
Sent: Friday, June 1, 2018 9:50 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] PF 8.0.1 upgrade problem


Hello Darryl,

Your issue is because pfconfig is not running.

Can you do:

systemctl restart packetfence-config

Regards

Fabrice

On 2018-06-01 at 12:31, Sokolowski, Darryl via PacketFence-users wrote:
Hi all,
I am attempting an upgrade from PF 7.4 to 8.0.1 and getting the attached errors during "yum upgrade".
Afterwards, PF is not working.
I did a checkup on the 7.4 installation before attempting the upgrade and it passed.
Any help? I don't know where to go from

[PacketFence-users] PF 8.0.1 upgrade problem

2018-06-01 Thread Sokolowski, Darryl via PacketFence-users
Hi all,
I am attempting an upgrade from PF 7.4 to 8.0.1 and getting the attached errors during "yum upgrade".
Afterwards, PF is not working.
I did a checkup on the 7.4 installation before attempting the upgrade and it passed.
Any help? I don't know where to go from here.
My installation is from a PF-ZEN image.

Thanks
Darryl


  Installing : netdata-1.10.0-12.1.x86_64   16/23
Warning: mariadb.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Removed symlink /etc/systemd/system/packetfence-base.target.wants/packetfence-redis-cache.service.
Removed symlink /etc/systemd/system/packetfence-base.target.wants/packetfence-config.service.
Failed to execute operation: No such file or directory
.
.
.
  Updating   : packetfence-8.0.1-1.el7.noarch   17/23
warning: /usr/local/pf/conf/profiles.conf created as /usr/local/pf/conf/profiles.conf.rpmnew
warning: /usr/local/pf/conf/switches.conf created as /usr/local/pf/conf/switches.conf.rpmnew
Couldn't require pf::services::manager::dhcpd : Bareword "pf::config::is_omapi_configured" not allowed while "strict subs" in use at /usr/local/pf/lib/pf/services/manager/dhcpd.pm line 233.
Compilation failed in require at (eval 1052) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
[1527868084.72763] Failed to connect to config service for namespace resource::URI_Filters, retrying
.
.
.
[1527868146.16076] Failed to connect to config service for namespace resource::URI_Filters, retrying
Couldn't require pf::services::manager::httpd_aaa : Cannot connect to service pfconfig! at /usr/local/pf/lib/pfconfig/cached.pm line 203.
Compilation failed in require at /usr/local/pf/lib/pf/services/manager/httpd.pm line 35.
BEGIN failed--compilation aborted at /usr/local/pf/lib/pf/services/manager/httpd.pm line 35.
Compilation failed in require at /usr/share/perl5/vendor_perl/Module/Runtime.pm line 317.
Compilation failed in require at /usr/share/perl5/vendor_perl/Module/Runtime.pm line 317.
Compilation failed in require at (eval 1057) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
Couldn't require pf::services::manager::httpd_admin : Attempt to reload pf/services/manager/httpd.pm aborted.
Compilation failed in require at /usr/share/perl5/vendor_perl/Module/Runtime.pm line 317.
Compilation failed in require at (eval 1064) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
Couldn't require pf::services::manager::httpd_collector : Attempt to reload pf/services/manager/httpd.pm aborted.
Compilation failed in require at /usr/share/perl5/vendor_perl/Module/Runtime.pm line 317.
Compilation failed in require at (eval 1067) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
Couldn't require pf::services::manager::httpd_graphite : Attempt to reload pf/services/manager/httpd.pm aborted.
Compilation failed in require at /usr/share/perl5/vendor_perl/Module/Runtime.pm line 317.
Compilation failed in require at (eval 1073) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
Couldn't require pf::services::manager::httpd_parking : Attempt to reload pf/services/manager/httpd.pm aborted.
Compilation failed in require at /usr/share/perl5/vendor_perl/Module/Runtime.pm line 317.
Compilation failed in require at (eval 1076) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
Couldn't require pf::services::manager::httpd_portal : Attempt to reload pf/web/constants.pm aborted.
Compilation failed in require at /usr/local/pf/lib/pf/services/manager/httpd_portal.pm line 30.
BEGIN failed--compilation aborted at /usr/local/pf/lib/pf/services/manager/httpd_portal.pm line 30.
Compilation failed in require at (eval 1079) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
Couldn't require pf::services::manager::httpd_proxy : Attempt to reload pf/services/manager/httpd.pm aborted.
Compilation failed in require at /usr/share/perl5/vendor_perl/Module/Runtime.pm line 317.
Compilation failed in require at (eval 1082) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
Couldn't require pf::services::manager::httpd_webservices : Attempt to reload pf/services/manager/httpd_webservices.pm aborted.
Compilation failed in require at (eval 1085) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
[1527868147.35447] Failed to connect to config service for namespace config::Pf, retrying
.
.
.
[1527868208.23051] Failed to connect to config service for namespace config::Pf, retrying
Couldn't require pf::api::unifiedapiclient : Cannot connect to service pfconfig! at /usr/local/pf/lib/pfconfig/cached.pm line 203.
Compilation failed in require at (eval 1530) line 2.
at /usr/share/perl5/vendor_perl/Module/Pluggable.pm line 32.
Couldn't require pf::provisioner::mobileiron : Attempt 

Re: [PacketFence-users] auth request from wrong switch

2017-11-16 Thread Sokolowski, Darryl via PacketFence-users

Hi Fabrice,
Yes, those ports are switchports plugged directly to pcs. Not uplink.
Show cdp neighbors returns expected ports, but none of those in question here.


Thanks
Darryl

 Original message 
From: Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
Date: 11/16/17 7:48 PM (GMT-05:00) 
To: packetfence-users@lists.sourceforge.net 
Cc: Durand fabrice <fdur...@inverse.ca> 
Subject: Re: [PacketFence-users] auth request from wrong switch 

Just to be sure, ports 5/3 and 2/43 are switch ports, not uplinks?
Does "show cdp neighbors" return one of these ports?

On 2017-11-16 at 17:46, Sokolowski, Darryl via PacketFence-users wrote:

Another thing I noticed is that if I go into PF and restart the switchport from the node details, it will authenticate as dot1x.

When it fails, it seems it is trying wired mac auth. When it does wired mac auth, it says it’s successful, but on a port that is something other than where it is really plugged in, so no network access.
If I unplug the nic, and plug it back in, it does not work, only when I restart the port from PF does it work properly and authenticate as dot1x.


From: Sokolowski, Darryl via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, November 16, 2017 10:34 AM
To: packetfence-users@lists.sourceforge.net; Jason Sloan <jason.a.sl...@gmail.com>
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: Re: [PacketFence-users] auth request from wrong switch

Hi again,
This is weird, I don’t know what it means.
A machine starts up, shows up on port 2/43, then it appears for some reason it gets authorized on a different port right after that. The first port it appears on, 2/43, is the real port it’s plugged into. Then right after that, it appears on 5/3, and that’s when I think it gets kicked off the network, since now the switch thinks it’s on 5/3. There are no minihubs in the way, these machines plug directly into their respective ports.

I attached a good bit of the debug log, but didn’t want to send the whole thing, it’s very long. Let me know if I need to send more. There is more in the attachment than I pasted below.
I can’t figure out why these machines are getting seen on multiple ports.

Thanks for any insight.
Darryl

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350287: 350087: Nov 16 12:53:00.279: dot1x-packet:[0026.2d15.049b, Gi2/43] EAPOL canned status packet sent to client 0xAC94"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350288: 350088: Nov 16 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Deleting client 0xAC94 (0026.2d15.049b)"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350289: 350089: Nov 16 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Delete auth client (0xAC94) message"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350290: 350090: Nov 16 12:53:00.279: dot1x-ev:Auth client ctx destroyed
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350291: 350091: Nov 16 12:53:00.279: RADIUS/ENCODE():Orig. component type = Invalid
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350292: 350092: Nov 16 12:53:00.279: RADIUS(): Config NAS IP: 172.16.0.200
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350293: 350093: Nov 16 12:53:00.279: RADIUS(): Config NAS IPv6: ::
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350294: 350094: Nov 16 12:53:00.279: RADIUS(): sending
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350295: 350095: Nov 16 12:53:00.279: RADIUS(): Send Access-Request to 172.16.1.73:1812 onvrf(0) id 1645/251, len 259"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350296: 350096: Nov 16 12:53:00.279: RADIUS:  authenticator 7A 07 65 33 17 CD 20 47 - 3C 6A 23 4C 46 19 31 B0
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350297: 350097: Nov 16 12:53:00.279: RADIUS:  User-Name   [1]   14  "00262d15049b"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350298: 350098: Nov 16 12:53:00.279: RADIUS:  User-Password   [2]   18  *
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350299: 350099: Nov 16 12:53:00.279: RADIUS:  Service-Type    [6]   6   Call Check    [10]
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350300: 350100: Nov 16 12:53:00.279: RADIUS:  Vendor, Cisco   [26]  31  "
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350301: 350101: Nov 16 12:53:00.279: RADIUS:   Cisco AVpair   [1]   25  "service-type=Call Check"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350302: 350102: Nov 16 12:53:00.279: RADIUS:  Framed-MTU  [12]  6   1500
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350303: 350103: Nov 16 12:53:00.279: RADIUS:  Called-Station-Id   [30]  19  "2C-54-2D-A5-A4-D2"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350304: 350104: Nov 16 12:53:00.279: RADIUS:  Calling-Station-Id  [31]  19  "00-26-2D-15-04-

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
This is happening to a few ports, but not all ports, I counted 12 so far.
I got some of the debug output, and looking thru it.
I set the ip radius source-interface on the 2 switches that seem to be crossing each other.

Thanks
Darryl

From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Tuesday, November 14, 2017 2:11 PM
To: Sokolowski, Darryl <ds...@earthcolor.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] auth request from wrong switch

Depends on how the authentication request is sent. Is this happening for one 
client/port on the switch or the entire switch?

Try setting the source interface:
conf t
ip radius source-interface X (in your case you like

Since your switches are not under heavy load you can flip on some debugs and 
take a look at the authentication and make sure it is sourced as expected.

debug dot1x all
debug authentication all
debug radius authentication



On Tue, Nov 14, 2017 at 12:32 PM, Sokolowski, Darryl <ds...@earthcolor.com> wrote:
Oh, ok. Since we have a ring, all interfaces comprising the ring are forwarding 
except one.
All switches are trunked to each other over the ring. I am certain there are no errant extra uplinks, since we are just beginning to use the switches and not much is plugged into them yet.
How could the blocking cause a machine to appear on a different port?

I did forget to include one switch is a 4507 chassis. Don’t think this should 
matter.

Thanks
Darryl


From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Tuesday, November 14, 2017 11:05 AM
To: Sokolowski, Darryl <ds...@earthcolor.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] auth request from wrong switch

show spanning-tree vlan X (in your case vlan 1)

Check and see if all ports are in a forwarding state, or at least the ones you 
expect to be in a forwarding state are forwarding. If left to its own devices, 
sometimes spanning tree can make the wrong decision during an election. You can 
manually set spanning tree priorities on your up-links if this is the case. If 
the switches have vlan 1 trunked to each other this may be something to look 
at, otherwise probably not an issue.

On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl <ds...@earthcolor.com> wrote:
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?

From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Monday, November 13, 2017 4:23 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hi all,
I have a strange problem I can’t see the reason for.
I have machines that get “stuck”, unable to access the network, seemingly because the 802.1x authentication request is coming from a switch that the device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into the switch with IP 172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and it authorizes the machine and assigns the correct vlan, but it is assigned to the wrong switch, so the client can never access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => "1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Oh, ok. Since we have a ring, all interfaces comprising the ring are forwarding 
except one.
All switches are trunked to each other over the ring. I am certain there are no errant extra uplinks, since we are just beginning to use the switches and not much is plugged into them yet.
How could the blocking cause a machine to appear on a different port?

I did forget to include one switch is a 4507 chassis. Don’t think this should 
matter.

Thanks
Darryl


From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Tuesday, November 14, 2017 11:05 AM
To: Sokolowski, Darryl <ds...@earthcolor.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] auth request from wrong switch

show spanning-tree vlan X (in your case vlan 1)

Check and see if all ports are in a forwarding state, or at least the ones you 
expect to be in a forwarding state are forwarding. If left to its own devices, 
sometimes spanning tree can make the wrong decision during an election. You can 
manually set spanning tree priorities on your up-links if this is the case. If 
the switches have vlan 1 trunked to each other this may be something to look 
at, otherwise probably not an issue.

On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl <ds...@earthcolor.com> wrote:
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?

From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Monday, November 13, 2017 4:23 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hi all,
I have a strange problem I can’t see the reason for.
I have machines that get “stuck”, unable to access the network, seemingly because the 802.1x authentication request is coming from a switch that the device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into the switch with IP 172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and it authorizes the machine and assigns the correct vlan, but it is assigned to the wrong switch, so the client can never access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => "1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning role 'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN: (undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => Ethernet-EAP,switch_mac => (00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => "host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:64:00:6a:7c:34:ce] is doing machine auth with account 'host/Lob
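Detection logic for the two symptoms discussed in this thread (one MAC authorized from two different switch/port locations within minutes, and two different MACs authorized on the same port seconds apart), as an added example that is not part of the original thread or of PacketFence itself. It is a Python script that parses the `handling radius autz request` lines of packetfence.log in the format quoted above; the first three sample lines are taken from the excerpt (re-joined onto single lines, since the mail client wrapped them), and the fourth, with switch 172.16.0.200, switch_mac 00:23:ac:d0:cb:11, port 10243 and a placeholder username, is constructed to show the "roaming MAC" case.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample packetfence.log lines. The first three follow the excerpt quoted in the
# thread (re-joined onto one line each); the fourth is CONSTRUCTED to show the same
# MAC later authorized from the switch it is really plugged into (172.16.0.200).
# switch_mac 00:23:ac:d0:cb:11, port 10243 and the username are placeholders.
SAMPLE_LOG = """\
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => "1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => Ethernet-EAP,switch_mac => (00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => "host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:14:05 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => (172.16.0.200), connection_type => Ethernet-EAP,switch_mac => (00:23:ac:d0:cb:11), mac => [18:66:da:1e:06:0a], port => 10243, username => "host/PLACEHOLDER.CORE.LOCAL" (pf::radius::authorize)
"""

# One regex for the pf::radius::authorize "handling radius autz request" line;
# other httpd.aaa lines (profile, role, VLAN) carry no switch/port and are skipped.
AUTZ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ packetfence_httpd\.aaa: .*?"
    r"handling radius autz request: from switch_ip => \((?P<switch_ip>[^)]+)\), "
    r"connection_type => (?P<ctype>[^,]+),switch_mac => \((?P<switch_mac>[^)]+)\), "
    r"mac => \[(?P<mac>[0-9a-f:]+)\], port => (?P<port>\d+), "
    r'username => "(?P<user>[^"]*)"'
)


def parse_autz(lines):
    """Return one event dict per authorization request line, in log order."""
    events = []
    for line in lines:
        m = AUTZ_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # Syslog timestamps carry no year, so the parsed datetime is only used
        # for differences between lines of the same log file.
        ev["time"] = datetime.strptime(ev.pop("ts"), "%b %d %H:%M:%S")
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def _pairs_within(events, key, window_seconds):
    """Yield (a, b) pairs sharing key(ev), with b at most window_seconds after a."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e["time"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (b["time"] - a["time"]).total_seconds() > window_seconds:
                    break
                yield a, b


def find_port_conflicts(events, window_seconds=60):
    """Two different MACs authorized on the same switch port within the window.

    Returns sorted (switch_ip, port, earlier_mac, earlier_type, later_mac, later_type).
    In the thread this is 18:66:da:... (MAB) followed 15 s later by 64:00:6a:...
    (802.1X) on 172.16.0.196 port 10110, where only the latter is really plugged in.
    """
    conflicts = set()
    for a, b in _pairs_within(events, lambda e: (e["switch_ip"], e["port"]), window_seconds):
        if a["mac"] != b["mac"]:
            conflicts.add((a["switch_ip"], a["port"], a["mac"], a["ctype"], b["mac"], b["ctype"]))
    return sorted(conflicts)


def find_roaming_macs(events, window_seconds=300):
    """MACs authorized from more than one (switch_ip, port) within the window.

    A wired host that 'moves' between switches within minutes without anyone
    re-cabling it is the symptom the thread is chasing.
    """
    roaming = defaultdict(set)
    for a, b in _pairs_within(events, lambda e: e["mac"], window_seconds):
        loc_a = (a["switch_ip"], a["port"])
        loc_b = (b["switch_ip"], b["port"])
        if loc_a != loc_b:
            roaming[a["mac"]].update((loc_a, loc_b))
    return {mac: sorted(locs) for mac, locs in roaming.items()}


if __name__ == "__main__":
    evs = parse_autz(SAMPLE_LOG.splitlines())
    for c in find_port_conflicts(evs):
        print("port conflict:", c)
    for mac, locs in find_roaming_macs(evs).items():
        print("roaming mac:", mac, "seen at", locs)
```

On a real log, feed the script `grep 'handling radius autz request' /usr/local/pf/logs/packetfence.log` (path assumed) and tune the two windows to your switches' re-authentication timers.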

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Hi Fabrice,
Thanks for the response.
Weird, I’m not seeing the machine in raddebug.
Today, I have a similar situation with multiple machines, but all these are on 
the same switch, just reporting incorrect ports.
Port 5/2 is the correct port, which after multiple attempts to restart the 
switchport seems to finally have returned the correct assignment.
Strange thing is that other ports with the same issue began working properly 
all at the same time.
The screenshot shows it suddenly began using mab instead of dot1x, then when 
dot1x took over, it was right again.
I do have both configured on the ports, with “authentication order dot1x mab”

[screenshot attached: image001.png]

The only reference I see is in packetfence.log for the mac address is:

Nov 14 14:58:41 pf1 pfqueue: pfqueue(4152) INFO: [mac:00:26:2d:17:e4:bf] deauthenticating (pf::Switch::Cisco::Catalyst_2960::radiusDisconnect)
Nov 14 14:58:41 pf1 pfqueue: pfqueue(4152) WARN: [mac:00:26:2d:17:e4:bf] Unknown vendor attribute 9/252 for unpack() (Net::Radius::Packet::unpack)
Nov 14 14:58:41 pf1 pfqueue: Unknown vendor attribute 9/252 for unpack()

I don’t see the mac in radius.log
I’m checking AD with “chroot /chroots/ wbinfo -u” and it returns the users.

Thanks


From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Monday, November 13, 2017 6:33 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] auth request from wrong switch


Hi Darryl,

Can you also run radius in debug mode to see all the details?

Regards

Fabrice

On 2017-11-13 at 16:22, Jason Sloan via PacketFence-users wrote:
A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hi all,
I have a strange problem I can’t see the reason for.
I have machines that get “stuck”, unable to access the network, seemingly 
because the 802.1x authentication request is coming from a switch that the 
device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning role 
'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN: 
(undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => 
"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] is doing machine auth with account 
'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Instantiate profile Earthcolor_Owned 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for realm 
'nul

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?



From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Monday, November 13, 2017 4:23 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Hi all,
I have a strange problem I can’t see the reason for.
I have machines that get “stuck”, unable to access the network, seemingly 
because the 802.1x authentication request is coming from a switch that the 
device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning role 
'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN: 
(undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => 
"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] is doing machine auth with account 
'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Instantiate profile Earthcolor_Owned 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for realm 
'null' (pf::config::util::filter_authentication_sources)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) WARN: 
[mac:64:00:6a:7c:34:ce] Calling match with empty/invalid rule class. Defaulting 
to 'authentication' (pf::authentication::match2)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching 
(pf::authentication::match2)
Nov 13 03:12:52 pf1 pfqueue: pfqueue(9628) INFO: [mac:unknown] undefined source 
id provided (pf::lookup::person::lookup_person)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for realm 
'null' (pf::config::util::filter_authentication_sources)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching 
(pf::authentication::match2)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Username was NOT defined or unable to match a role - 
returning node based role 'Employee' (pf::role::ge

[PacketFence-users] auth request from wrong switch

2017-11-13 Thread Sokolowski, Darryl via PacketFence-users
Hi all,
I have a strange problem I can't see the reason for.
I have machines that get "stuck", unable to access the network, seemingly 
because the 802.1x authentication request is coming from a switch that the 
device isn't plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning role 
'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN: 
(undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => 
"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] is doing machine auth with account 
'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Instantiate profile Earthcolor_Owned 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for realm 
'null' (pf::config::util::filter_authentication_sources)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) WARN: 
[mac:64:00:6a:7c:34:ce] Calling match with empty/invalid rule class. Defaulting 
to 'authentication' (pf::authentication::match2)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching 
(pf::authentication::match2)
Nov 13 03:12:52 pf1 pfqueue: pfqueue(9628) INFO: [mac:unknown] undefined source 
id provided (pf::lookup::person::lookup_person)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for realm 
'null' (pf::config::util::filter_authentication_sources)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching 
(pf::authentication::match2)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Username was NOT defined or unable to match a role - 
returning node based role 'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] PID: "host/LoboA7.CORE.LOCAL", Status: reg Returned 
VLAN: (undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] (172.16.0.196) Added VLAN 18 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)

I can't figure out what's going on here.
Anyone seen this and can you point me how to make it right?

Thanks
Darryl

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
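
Added example, not code from the thread or from PacketFence: a small Python check over packetfence.log that flags the two symptoms described above, a MAC authorized through a switch other than the one inventory says it is cabled to, and a port that authorizes more than one MAC within a short window. The two "handling radius autz request" lines are the ones quoted above re-joined onto single lines; the third log line, the inventory map and the 60-second window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: the two authorization lines quoted in this thread
# (re-joined onto single lines), one pfqueue line that the parser must skip, and
# one made-up line (MAC 02:00:00:00:00:01, switch_mac 00:23:ac:d0:cb:11, port
# 10105) for a device that authenticates through the switch it is cabled to.
SAMPLE_LOG = [
    'Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: '
    '[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => '
    '(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => '
    '(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => '
    '"1866da1e060a" (pf::radius::authorize)',
    'Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: '
    '[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => '
    '(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => '
    '(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => '
    '"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)',
    'Nov 13 03:12:52 pf1 pfqueue: pfqueue(9628) INFO: [mac:unknown] undefined source '
    'id provided (pf::lookup::person::lookup_person)',
    'Nov 13 03:14:05 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: '
    '[mac:02:00:00:00:00:01] handling radius autz request: from switch_ip => '
    '(172.16.0.200), connection_type => Ethernet-EAP,switch_mac => '
    '(00:23:ac:d0:cb:11), mac => [02:00:00:00:00:01], port => 10105, username => '
    '"host/CONSTRUCTED.CORE.LOCAL" (pf::radius::authorize)',
]

# Constructed cabling inventory, taken from what the thread states: 18:66:... is
# plugged into 172.16.0.200, 64:00:... really is on 172.16.0.196.
EXPECTED_SWITCH = {
    "18:66:da:1e:06:0a": "172.16.0.200",
    "64:00:6a:7c:34:ce": "172.16.0.196",
    "02:00:00:00:00:01": "172.16.0.200",
}

# Shape of the "handling radius autz request" line as quoted in this thread.
AUTZ_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ \S+ INFO: '
    r'\[mac:(?P<mac>[0-9a-f:]{17})\] handling radius autz request: '
    r'from switch_ip => \((?P<switch_ip>[^)]+)\), '
    r'connection_type => (?P<ctype>[^,]+),switch_mac => \([^)]+\), '
    r'mac => \[[0-9a-f:]{17}\], port => (?P<port>\d+), '
    r'username => "(?P<user>[^"]*)"'
)


def parse_autz_line(line, year=2017):
    """Return a dict for an authorization line, or None for any other line.

    syslog timestamps carry no year, so the caller supplies it.
    """
    m = AUTZ_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "mac": m["mac"], "switch_ip": m["switch_ip"], "port": int(m["port"]),
        "ctype": m["ctype"], "user": m["user"],
    }


def find_misplaced(events, expected_switch):
    """Events whose MAC was authorized by a switch other than the one it is cabled to."""
    return [e for e in events
            if e["mac"] in expected_switch and e["switch_ip"] != expected_switch[e["mac"]]]


def find_shared_ports(events, window_seconds=60):
    """Ports on which more than one MAC was authorized within `window_seconds`.

    On a port configured for a single host this is worth a look; behind an IP
    phone two MACs are normal, so tune the check per port type.
    Returns {(switch_ip, port): sorted list of MACs}.
    """
    by_port = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_port[(e["switch_ip"], e["port"])].append(e)
    shared = {}
    for key, evs in by_port.items():
        macs = set()
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if a["mac"] != b["mac"] and (b["ts"] - a["ts"]).total_seconds() <= window_seconds:
                    macs.update((a["mac"], b["mac"]))
        if macs:
            shared[key] = sorted(macs)
    return shared


if __name__ == "__main__":
    events = [e for e in map(parse_autz_line, SAMPLE_LOG) if e]
    for e in find_misplaced(events, EXPECTED_SWITCH):
        print(f"{e['mac']} authorized by {e['switch_ip']} port {e['port']}, "
              f"expected switch {EXPECTED_SWITCH[e['mac']]}")
    for (ip, port), macs in find_shared_ports(events).items():
        print(f"{ip} port {port} authorized {len(macs)} MACs within 60s: {', '.join(macs)}")
```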


Re: [PacketFence-users] Machine authentication not getting role

2017-08-16 Thread Sokolowski, Darryl via PacketFence-users
Hi Holger,
My setup is very much like the example Ludovic gave below.
I used the GUI to configure it, but of course I’m showing the config files 
below. I don’t trust myself to configure .conf files manually ☺

In authentication.conf:

[AD-MachineAuth]
cache_match=0
basedn=ou=computers,dc=domain,dc=local
password=***
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=5
stripped_user_name=no
binddn=someuser
encryption=ssl
port=636
description=Active Directory AD Machine Authentication
host=192.168.1.1
type=AD

[AD-MachineAuth rule MachineAuthOU]
action0=set_role=Office_18
condition0=distinguishedName,matches regexp,
match=all
class=authentication
action1=set_access_duration=5D
description=MachineAuthRule AD OU

I’m searching the distinguished name of the machine account, as it contains the 
OU the account resides in.
Add additional rules and change the role and  for each OU you need 
to match.

In domain.conf:

[MyAD]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
ntlm_cache=disabled
registration=0
ntlm_cache_expiry=3600
dns_name=DOMAIN.LOCAL
dns_servers=192.168.1.1, 192.168.1.12
ou=Computers
bind_pass=
ntlm_cache_on_connection=disabled
bind_dn=
workgroup=DOMAIN
ntlm_cache_batch_one_at_a_time=disabled
sticky_dc=*
ad_server=192.168.1.1
ntlm_cache_batch=disabled
server_name=%h

In realm.conf:

[DEFAULT]
source=AD-MachineAuth
domain=MyAD

[DOMAIN]
source=AD-MachineAuth
domain=MyAD

[DOMAIN.LOCAL]
source=AD-MachineAuth
domain=MyAD

In my profile I filter on connection type = EAP, use my AD authentication 
source, and tick the box to autoregister.

[Company_Owned]
locale=
root_module=Company_Machines
filter=connection_type:Ethernet-EAP
description=machines in AD
logo=/common/mylogo.png
sources=AD-MachineAuth
reuse_dot1x_credentials=enabled
autoregister=enabled

I hope I didn’t forget anything.

Regards,
Darryl

From: Holger Patzelt via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, August 16, 2017 4:02 AM
To: packetfence-users@lists.sourceforge.net
Cc: holger.patz...@t-systems.com
Subject: Re: [PacketFence-users] Machine authentication not getting role

Hello Darryl,

would you be so kind as to share your final configs with us?
We do plan to use something similar in the future and it would be very helpful 
to see how you did it.

Thanks,
Holger Patzelt



From: Sokolowski, Darryl via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Monday, August 14, 2017 23:10
To: Ludovic Zammit
Cc: Sokolowski, Darryl; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role

Aah, perfect! I don’t know what I was doing wrong.  I had been failing 
previously, and I removed my rule and started over again and this time it 
worked!
Now I can assign the role according to what OU the machine account resides in 
and assign a different role according to that ou.

This may be a basic question, but what’s the difference between “contains” and 
“regexp” when writing the conditions?
“contains” does not match on my ou name, but “regexp” does.

Thanks a million!
Darryl

From: Ludovic Zammit [mailto:lzam...@inverse.ca]
Sent: Monday, August 14, 2017 2:57 PM
To: Sokolowski, Darryl <ds...@earthcolor.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role

Hello Darryl,

Sorry I was not that clear, I admit it.

If you want to auto-register domain joined computers without seeing the captive 
portal, configure the following:

- an AD source with Username Attribute = servicePrincipalName, with a rule that 
will match and give a role and an unreg date

[AD]
description=Microsoft Active Directory
password=*
scope=sub
binddn=cn=administrator,cn=users,dc=domain,dc=local
basedn=cn=users,dc=inverse,dc=local
email_attribute=mail
usernameattribute=serviceprincipalname
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=10.0.0.1

[AD rule catchall]
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=default

- Configure your domain:

[mylovelyAD]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
ntlm_cache=disabled
dns_server=10.0.0.1
registration=0
ntlm_cache_expiry=3600
dns_name=domain.local
ou=Computers
bind_pass=
ntlm_cache_on_connection=disabled
bind_dn=
workgroup=inverse
ad_server=10.0.0.1
ntlm_cache_batch_one_at_a_time=disabled
ntlm_cache_batch=disabled
server_name=unicorn13
dns_servers=10.0.0.1
sticky_dc=*

- Configure the REALMs:

[DEFAULT]
domain=mylovelyAD

[NULL]
domain=mylovelyAD

- Configure a connection profile that match
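
Added example, not part of the thread and not PacketFence's own code: a simplified Python model of the rule matching that the authentication.conf sections in this thread describe (rules of a source tried in file order, the first one whose conditions hold wins, match=all versus match=any, and the "contains" and "matches regexp" operators evaluated against the attributes fetched for the machine account). The configuration excerpt, the OU regexp, the Warehouse and Lab rules, and every machine account except the principal host/LoboA7.CORE.LOCAL are constructed.

```python
import configparser
import re

# Constructed excerpt in the style of /usr/local/pf/conf/authentication.conf.
# The "[<source> rule <name>]" section naming and the keys follow the sections
# quoted in this thread; the OU regexp and the extra rules are made up.
AUTH_CONF = """
[AD-MachineAuth]
type=AD
usernameattribute=servicePrincipalName
basedn=ou=computers,dc=domain,dc=local

[AD-MachineAuth rule OfficeOU]
class=authentication
match=all
condition0=distinguishedName,matches regexp,OU=Office 18,
condition1=userAccountControl,equals,4096
action0=set_role=Office_18
action1=set_access_duration=5D

[AD-MachineAuth rule WarehouseOU]
class=authentication
match=any
condition0=distinguishedName,contains,OU=Warehouse
condition1=description,starts,warehouse-
action0=set_role=Warehouse
action1=set_access_duration=5D

[AD-MachineAuth rule catchall]
class=authentication
match=all
action0=set_role=default
action1=set_access_duration=1h
"""

# Condition operators, evaluated locally on the attribute values fetched for the
# account.  "matches regexp" and "contains" are the two the thread compares.
OPERATORS = {
    "equals": lambda have, want: have == want,
    "contains": lambda have, want: want in have,
    "starts": lambda have, want: have.startswith(want),
    "ends": lambda have, want: have.endswith(want),
    "matches regexp": lambda have, want: re.search(want, have) is not None,
}


def load_rules(conf_text, source):
    """Return the rule sections belonging to `source`, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    prefix = f"{source} rule "
    rules = []
    for section in cp.sections():
        if not section.startswith(prefix):
            continue
        items = cp[section]
        # condition<N>=attribute,operator,value  (the value may contain commas)
        conditions = [tuple(items[k].split(",", 2))
                      for k in sorted(items) if k.startswith("condition")]
        # action<N>=name=value
        actions = dict(items[k].split("=", 1)
                       for k in sorted(items) if k.startswith("action"))
        rules.append({"name": section[len(prefix):],
                      "match": items.get("match", "all"),
                      "conditions": conditions, "actions": actions})
    return rules


def condition_holds(cond, attrs):
    """True if any value of the attribute satisfies the condition; a missing attribute never matches."""
    attr, op, want = cond
    values = attrs.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(OPERATORS[op](v, want) for v in values)


def evaluate(rules, attrs):
    """Try the rules in order; the first whose conditions hold wins.

    match=all with no conditions is a catch-all (all([]) is True);
    match=any with no conditions never matches (any([]) is False).
    Returns (rule name, actions) or None when nothing matches.
    """
    for rule in rules:
        combine = all if rule["match"] == "all" else any
        if combine(condition_holds(c, attrs) for c in rule["conditions"]):
            return rule["name"], rule["actions"]
    return None


# Constructed machine accounts, shaped like the attributes an LDAP lookup returns.
# host/LoboA7.CORE.LOCAL is the principal seen in this thread; the rest are made up.
MACHINES = {
    "host/LoboA7.CORE.LOCAL": {
        "distinguishedName": "CN=LOBOA7,OU=Office 18,OU=Computers,DC=domain,DC=local",
        "userAccountControl": "4096"},
    "host/WH-Scanner3.CORE.LOCAL": {
        "distinguishedName": "CN=WH-SCANNER3,OU=Warehouse,OU=Computers,DC=domain,DC=local",
        "userAccountControl": "4096"},
    "host/Lab01.CORE.LOCAL": {
        "distinguishedName": "CN=LAB01,OU=Lab,OU=Computers,DC=domain,DC=local",
        "userAccountControl": "4096"},
}

if __name__ == "__main__":
    rules = load_rules(AUTH_CONF, "AD-MachineAuth")
    for principal, attrs in MACHINES.items():
        print(principal, "->", evaluate(rules, attrs))
```

One caveat when a "contains" on distinguishedName fails while a regexp works, as reported above: Active Directory does not support substring (wildcard) filters on DN-syntax attributes, so a condition that the source sends to the server as an LDAP wildcard filter cannot match there, whereas a regexp applied to the fetched value can.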

Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Sokolowski, Darryl via PacketFence-users



On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl <ds...@earthcolor.com> wrote:

Hi Ludovic. Thanks. I'm using machine authentication against active directory. 
Right now I'm trying to get a catch all rule to assign a role just to make sure 
I have that part working, so that I can ultimately assign different roles 
according to the OU that the machine account resides in. Right now I'm not 
testing for the ou, just assigning a role to test that my rule works.

In the packetfence log I see the authentication success, but no role assignment.

Machine auth works, as I can autoregister and I get on the management network, 
but any role I put in the authentication rule doesn't get assigned to the 
machine.

Thanks
Darryl




 Original message 
From: Ludovic Zammit via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Date: 8/14/17 7:47 AM (GMT-05:00)
To: packetfence-users@lists.sourceforge.net
Cc: Ludovic Zammit <lzam...@inverse.ca>
Subject: Re: [PacketFence-users] Machine authentication not getting role

PS: /usr/local/pf/bin/pftest authentication username password

You can put "" if you don't want to display the password in the CLI.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hello,

Are you doing user authentication? If yes, please check the tool 
/usr/local/pf/bin/pftest username password; you will see if your username brings 
any access settings.

If you check in the /usr/local/pf/logs/packetfence.log you should be able to 
see all the action taken after the radius request.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi everyone,
Can anyone help me with this please?
I have the machine authentication source looking at active directory,  and a 
rule to assign role and access duration.
I am able to automatically register the device via machine authentication, but 
I can’t get the role assigned when it registers.
On the switch I see
%AUTHMGR-5-START: Starting 'dot1x' for client
%DOT1X-5-SUCCESS: Authentication successful for client
%AUTHMGR-5-SUCCESS: Authorization succeeded for client

But the role is not sent.

Raddebug shows the correct realm is identified and used, and the machine 
authentication source is defined in the realm.

In the nodes in packetfence, I see the node is registered with the owner as the 
machine name but no role is assigned.

I don’t know what I’m missing.

Thanks
Darryl


Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Sokolowski, Darryl via PacketFence-users
Hi, thanks.
Forgive me for my questions, the concept of NAC is new to me.
I guess I am still confused about assigning (or not assigning) the role. “you 
cannot switch a node role because it will be recomputed on every radius 
request” has me confused. What is the role being computed from? I was under the 
impression from reading, that the role could be “automatically” computed and 
assigned by using various LDAP or AD attributes. And so having it recomputed is 
a good thing, because if it finds a change in the AD, then it would compute it 
to the new role based on the AD attributes.
From what you said here, it sounds like I would have to edit each node record 
to assign the role manually?
Am I thinking about this the wrong way?

Thanks
Darryl


From: Ludovic Zammit [mailto:lzam...@inverse.ca]
Sent: Monday, August 14, 2017 10:43 AM
To: Sokolowski, Darryl <ds...@earthcolor.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role

Hello,

If you are doing machine authentication with auto registration, you cannot 
switch a node role because it will be recomputed on every radius request.

You could use the bypass role if you want to drop the device into a specific 
role. You will find it under Nodes > MAC > Bypass Role.

For your AD source, if you are doing machine authentication on a microsoft AD, 
make sure that you are checking the correct LDAP attribute.

Username Attribute = servicePrincipalName

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl <ds...@earthcolor.com> wrote:

Hi Ludovic. Thanks. I'm using machine authentication against active directory. 
Right now I'm trying to get a catch all rule to assign a role just to make sure 
I have that part working, so that I can ultimately assign different roles 
according to the OU that the machine account resides in. Right now I'm not 
testing for the ou, just assigning a role to test that my rule works.

In the packetfence log I see the authentication success, but no role assignment.

Machine auth works, as I can autoregister and I get on the management network, 
but any role I put in the authentication rule doesn't get assigned to the 
machine.

Thanks
Darryl




 Original message 
From: Ludovic Zammit via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Date: 8/14/17 7:47 AM (GMT-05:00)
To: packetfence-users@lists.sourceforge.net
Cc: Ludovic Zammit <lzam...@inverse.ca>
Subject: Re: [PacketFence-users] Machine authentication not getting role

PS: /usr/local/pf/bin/pftest authentication username password

You can put "" if you don't want to display the password in the CLI.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hello,

Are you doing user authentication? If yes, please check the tool 
/usr/local/pf/bin/pftest username password; you will see if your username brings 
any access settings.

If you check in the /usr/local/pf/logs/packetfence.log you should be able to 
see all the action taken after the radius request.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi everyone,
Can anyone help me with this please?
I have the machine authentication source looking at active directory,  and a 
rule to assign role and access duration.
I am able to automatically register the device via machine authentication, but 
I can’t get the role assigned when it registers.
On the switch I see
%AUTHMGR-5-START: Starting 'dot1x' for client
%DOT1X-5-SUCCESS: Authentication successful for client
%AUTHMGR-5-SUCCESS: Authorization succeeded for client

But the role is not sent.

Raddebug shows the correct realm is identified and used, and t

Re: [PacketFence-users] Machine authentication not getting role

2017-08-14 Thread Sokolowski, Darryl via PacketFence-users



Hi Ludovic. Thanks. I'm using machine authentication against active directory. 
Right now I'm trying to get a catch all rule to assign a role just to make sure 
I have that part working, so that I can ultimately assign different roles 
according to the OU that the machine account resides in. Right now I'm not 
testing for the ou, just assigning a role to test that my rule works.

In the packetfence log I see the authentication success, but no role assignment.

Machine auth works, as I can autoregister and I get on the management network, 
but any role I put in the authentication rule doesn't get assigned to the 
machine.

Thanks
Darryl

 Original message 
From: Ludovic Zammit via PacketFence-users <packetfence-users@lists.sourceforge.net>

Date: 8/14/17 7:47 AM (GMT-05:00) 
To: packetfence-users@lists.sourceforge.net 
Cc: Ludovic Zammit <lzam...@inverse.ca> 
Subject: Re: [PacketFence-users] Machine authentication not getting role

PS: /usr/local/pf/bin/pftest authentication username password


You can put "" if you don't want to display the password in the CLI.

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hello,


Are you doing user authentication? If yes, please check the tool /usr/local/pf/bin/pftest username password; you will see if your username brings any access settings.


If you check in the /usr/local/pf/logs/packetfence.log you should be able to see all the action taken after the radius request.



Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi everyone,
Can anyone help me with this please?
I have the machine authentication source looking at active directory, and a rule to assign role and access duration.
I am able to automatically register the device via machine authentication, but I can’t get the role assigned when it registers.
On the switch I see
%AUTHMGR-5-START: Starting 'dot1x' for client
%DOT1X-5-SUCCESS: Authentication successful for client
%AUTHMGR-5-SUCCESS: Authorization succeeded for client

But the role is not sent.

Raddebug shows the correct realm is identified and used, and the machine authentication source is defined in the realm.

In the nodes in packetfence, I see the node is registered with the owner as the machine name but no role is assigned.

I don’t know what I’m missing.

Thanks
Darryl



[PacketFence-users] Machine authentication not getting role

2017-08-11 Thread Sokolowski, Darryl via PacketFence-users
Hi everyone,
Can anyone help me with this please?
I have the machine authentication source looking at active directory,  and a 
rule to assign role and access duration.
I am able to automatically register the device via machine authentication, but 
I can't get the role assigned when it registers.
On the switch I see
%AUTHMGR-5-START: Starting 'dot1x' for client
%DOT1X-5-SUCCESS: Authentication successful for client
%AUTHMGR-5-SUCCESS: Authorization succeeded for client

But the role is not sent.

Raddebug shows the correct realm is identified and used, and the machine 
authentication source is defined in the realm.

In the nodes in packetfence, I see the node is registered with the owner as the 
machine name but no role is assigned.

I don't know what I'm missing.

Thanks
Darryl



[PacketFence-users] machine auth and vlan assign

2017-08-01 Thread Sokolowski, Darryl via PacketFence-users
Hi all,
I've seen other posts with similar titles, but I can't seem to make sense of 
what I need to do.
Following some of the troubleshooting from other posts I found the following.

I have machine authentication seemingly working, along with auto-registration.
When 802.1x authenticates the machine to my AD, it registers the machine in 
packetfence, but it does not assign the role, so the switch puts the port in 
the management vlan.
I have a catch-all rule in my machine authentication source saying

1.   assign role "PomOffice_18"

2.   set access duration 1 year.

When the port comes up I see :
Aug  1 20:32:10: %AUTHMGR-5-START: Starting 'dot1x' for client (e0db.55e9.4328) 
on Interface Gi0/16 AuditSessionID AC1000C3014543120991
Aug  1 20:32:10: %DOT1X-5-SUCCESS: Authentication successful for client 
(e0db.55e9.4328) on Interface Gi0/16 AuditSessionID AC1000C3014543120991
Aug  1 20:32:10: %AUTHMGR-7-RESULT: Authentication result 'success' from 
'dot1x' for client (e0db.55e9.4328) on Interface Gi0/16 AuditSessionID 
AC1000C3014543120991
Aug  1 20:32:11: %AUTHMGR-5-SUCCESS: Authorization succeeded for client 
(e0db.55e9.4328) on Interface Gi0/16 AuditSessionID AC1000C3014543120991
Aug  1 20:32:11: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state 
to up
Aug  1 20:32:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
GigabitEthernet0/16, changed state to up
But it is not setting the VLAN to 18.

In the nodes, I see the machine registered, but the role and unregistration are 
blank.

If I manually set the role in the node, it gets applied during 802.1x 
authentication, but it is not being delivered by the rule in the authentication 
source.

Raddebug shows the correct profile is being used, and my machine auth source is 
set in the profile, but the vlan is not being set once 802.1x succeeds.

I'm not sure if somehow it's not using the correct realm? Raddebug only ever 
references realm "LOCAL".

I don't know why it's not setting the vlan.
Thanks in advance for your help.
Darryl

Here are my conf files:

Realm.conf
[root@pf1 conf]# cat realm.conf
[LOCAL]
source=AD-MachineAuth
domain=CoreAD

[CORE]
source=AD-MachineAuth
domain=CoreAD

[CORE.LOCAL]
source=AD-MachineAuth
domain=CoreAD

Domain.conf
[root@pf1 conf]# cat domain.conf
[CoreAD]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
ntlm_cache=disabled
registration=0
ntlm_cache_expiry=3600
dns_name=CORE.LOCAL
dns_servers=172.16.1.12,172.16.1.92
ou=Computers
bind_pass=
ntlm_cache_on_connection=disabled
bind_dn=
workgroup=CORE
ntlm_cache_batch_one_at_a_time=disabled
sticky_dc=*
ad_server=172.16.1.12
ntlm_cache_batch=disabled
server_name=%h

Profiles.conf
[root@pf1 conf]# cat profiles.conf
[CompanyOwned]
locale=
root_module=CompanyMachines
filter=connection_type:Ethernet-EAP
description=Company owned machines in AD
logo=/common/eclogo.png
sources=AD-MachineAuth
autoregister=enabled

[CompanyUsers]
locale=
filter=
description=user login
sources=AD-Auth

[CompanyProfile]
locale=
root_module=Companypolicy
filter=vlan:2,network:192.168.6.0/24
description=Profile for guest access
logo=/common/eclogo.png

Authentication.conf
...
[AD-MachineAuth]
cache_match=0
basedn=ou=computers-earthcolor,dc=core,dc=local
password=***
set_access_level_action=
scope=base
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=5
stripped_user_name=no
binddn=core\adbinduser
encryption=ssl
port=636
description=Active Directory AD Machine Authentication
host=172.16.1.12
type=AD

[AD-MachineAuth rule PomeroyMachine]
action0=set_role=PomOffice_18
match=any
class=authentication
action1=set_access_duration=1YF+0D
description=Machine dn Pomeroy
...




>>> CONFIDENTIALITY NOTICE <<<

This electronic mail (e-mail) message, including any and/or all attachments, is 
for the sole use of the intended recipient(s), and may contain confidential 
and/or privileged information, pertaining to business conducted under the 
direction and supervision of EarthColor, Inc. All e-mail messages, which may 
have been established as expressed views and/or opinions (stated either within 
the e-mail message or any of its attachments), are left to the sole 
responsibility of that of the sender, and are not necessarily attributed to 
EarthColor, Inc. Unauthorized interception, review, use, disclosure or 
distribution of any such information contained within this e-mail message 
and/or its attachment(s), is(are) strictly prohibited. If you are not the 
intended recipient, please contact the sender by replying to this e-mail 
message, along with the destruction of all copies of the original e-mail 
message (along with any attachments).
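The two posts above (2017-08-01 "machine auth and vlan assign" and 2017-08-11 "Machine authentication not getting role") quote the poster's realm.conf, domain.conf, profiles.conf and authentication.conf. What follows is an added example written for this page, not code from the poster or from the PacketFence project: a small Python cross-check of those four files. The INI excerpts are constructed copies of the quoted config with unused keys dropped and the already-redacted password left out; the function names (parse_ini, rules_for, check_config) are mine; the rule-section naming "<source> rule <name>" is taken from the quoted file, and the comma-separated `sources` handling is an assumption. The scope finding encodes a general LDAP property (a baseObject search returns only the base entry itself, RFC 4511) and is raised for review, not as a diagnosis of the thread.

```python
import configparser
from typing import Dict, List

# Constructed excerpts mirroring the files quoted in the post (keys the checks
# do not use are omitted; the password was already redacted by the poster).
REALM_CONF = """\
[LOCAL]
source=AD-MachineAuth
domain=CoreAD

[CORE]
source=AD-MachineAuth
domain=CoreAD

[CORE.LOCAL]
source=AD-MachineAuth
domain=CoreAD
"""

DOMAIN_CONF = """\
[CoreAD]
dns_name=CORE.LOCAL
workgroup=CORE
ad_server=172.16.1.12
"""

PROFILES_CONF = """\
[CompanyOwned]
root_module=CompanyMachines
filter=connection_type:Ethernet-EAP
sources=AD-MachineAuth
autoregister=enabled
"""

AUTH_CONF = """\
[AD-MachineAuth]
basedn=ou=computers-earthcolor,dc=core,dc=local
scope=base
usernameattribute=servicePrincipalName
host=172.16.1.12
type=AD

[AD-MachineAuth rule PomeroyMachine]
action0=set_role=PomOffice_18
match=any
class=authentication
action1=set_access_duration=1YF+0D
"""


def parse_ini(text: str) -> configparser.ConfigParser:
    """PacketFence .conf files are INI-style; '=' is the only delimiter so that
    LDAP DNs (ou=...,dc=...) and action values (set_role=...) survive intact."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def rules_for(auth: configparser.ConfigParser, source: str) -> Dict[str, Dict[str, str]]:
    """Rule sections are named '<source> rule <rulename>' in authentication.conf."""
    prefix = f"{source} rule "
    return {s[len(prefix):]: dict(auth[s]) for s in auth.sections() if s.startswith(prefix)}


def check_config(realm_txt: str, domain_txt: str, profiles_txt: str, auth_txt: str) -> List[str]:
    realm, domain = parse_ini(realm_txt), parse_ini(domain_txt)
    profiles, auth = parse_ini(profiles_txt), parse_ini(auth_txt)
    findings: List[str] = []
    # 1. every realm must point at a defined source and a defined domain
    for r in realm.sections():
        src, dom = realm[r].get("source", ""), realm[r].get("domain", "")
        if src not in auth:
            findings.append(f"realm {r}: source '{src}' not defined in authentication.conf")
        if dom not in domain:
            findings.append(f"realm {r}: domain '{dom}' not defined in domain.conf")
    # 2. every profile source must exist; record which profiles autoregister (assumed comma-separated)
    for p in profiles.sections():
        for src in filter(None, profiles[p].get("sources", "").split(",")):
            if src not in auth:
                findings.append(f"profile {p}: source '{src}' not defined in authentication.conf")
        if profiles[p].get("autoregister") == "enabled":
            findings.append(f"profile {p}: autoregister is enabled")
    # 3. each source a realm uses needs an authentication-class rule that sets a role
    for src in {realm[r].get("source") for r in realm.sections()}:
        if src not in auth:
            continue
        role_rules = [n for n, rule in rules_for(auth, src).items()
                      if rule.get("class") == "authentication"
                      and any(k.startswith("action") and v.startswith("set_role=")
                              for k, v in rule.items())]
        if role_rules:
            findings.append(f"source {src}: role set by rule(s) {', '.join(role_rules)}")
        else:
            findings.append(f"source {src}: no authentication rule sets a role")
        # 4. LDAP scope: 'base' returns only the basedn entry itself (RFC 4511 baseObject),
        #    so with an OU as basedn nothing below that OU is searched. Raised for review.
        if auth[src].get("scope") == "base" and auth[src].get("basedn", "").lower().startswith("ou="):
            findings.append(f"source {src}: scope=base with basedn '{auth[src]['basedn']}' "
                            "searches only that OU entry itself, not the objects under it; review")
    return findings


if __name__ == "__main__":
    for line in check_config(REALM_CONF, DOMAIN_CONF, PROFILES_CONF, AUTH_CONF):
        print(line)
```

Run against the constructed excerpts it reports that CompanyOwned autoregisters, that rule PomeroyMachine is the one setting a role for AD-MachineAuth, and the scope=base point to review; a realm that names a non-existent source is reported as a cross-reference error.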

Re: [PacketFence-users] dhcpd not starting

2017-08-01 Thread Sokolowski, Darryl via PacketFence-users
Thanks Louis,
I assumed it was not starting because I misconfigured something.

Thanks for pointing that out.

Darryl


From: Louis Munro via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Tuesday, August 1, 2017 1:01 PM
To: packetfence-users@lists.sourceforge.net
Cc: Louis Munro 
Subject: Re: [PacketFence-users] dhcpd not starting



I have a 3 member PF 7.2 cluster built from ZEN machines.
On member #3, the dhcpd service does not start. When I try to start it, I get 
the message “Service 'dhcpd' is not managed by PacketFence. Therefore, no 
action will be performed”

Shouldn’t dhcpd be running on all members?

I also am seeing in packetfence.log the messages “Can't bind : 
IO::Socket::INET: connect: Connection refused 
(pf::ip4log::_get_lease_from_omapi)”
I assume this is because dhcpd is not running.


Hi Darryl,
ISC dhcpd does not support an active/active 3 node configuration.
It's normal that it won't start on the third node.

Indeed the message above is because it's not running locally.
PacketFence will get the lease information from the database in that case.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  
www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)








Re: [PacketFence-users] dhcpd not starting

2017-08-01 Thread Sokolowski, Darryl via PacketFence-users
Anyone to offer some guidance?
This is my first and only installation of packetfence, so I have nothing to 
compare it to and still trying to learn it as I go.


Thanks again,
Darryl

From: Sokolowski, Darryl via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Friday, July 28, 2017 10:07 AM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: Re: [PacketFence-users] dhcpd not starting

I think my networks.conf looks ok.
It has the network info and dhcpd=enabled

cat networks.conf
[192.168.2.0]
dns=192.168.2.7
dhcp_start=192.168.2.10
gateway=192.168.2.7
domain-name=vlan-registration.domain.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

[192.168.3.0]
dns=192.168.3.7
dhcp_start=192.168.3.10
gateway=192.168.3.7
domain-name=vlan-isolation.domain.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

pf.conf has interfaces defined


[interface eth0]
ip=172.16.1.74
type=management
mask=255.255.248.0

[interface eth0.2]
enforcement=vlan
ip=192.168.2.7
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.7
type=internal
mask=255.255.255.0

Where else do I need to look?


From: Sokolowski, Darryl via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, July 27, 2017 3:03 PM
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Cc: Sokolowski, Darryl <ds...@earthcolor.com<mailto:ds...@earthcolor.com>>
Subject: [PacketFence-users] dhcpd not starting

Hi,
I have a 3 member PF 7.2 cluster built from ZEN machines.
On member #3, the dhcpd service does not start. When I try to start it, I get 
the message "Service 'dhcpd' is not managed by PacketFence. Therefore, no 
action will be performed"

Shouldn't dhcpd be running on all members?

I also am seeing in packetfence.log the messages "Can't bind : 
IO::Socket::INET: connect: Connection refused 
(pf::ip4log::_get_lease_from_omapi)"
I assume this is because dhcpd is not running.

The config files are synced, but I don't know why it doesn't start.

Can someone help point me right to get it figured out?

Thanks
Darryl






Re: [PacketFence-users] dhcpd not starting

2017-07-28 Thread Sokolowski, Darryl via PacketFence-users
I think my networks.conf looks ok.
It has the network info and dhcpd=enabled

cat networks.conf
[192.168.2.0]
dns=192.168.2.7
dhcp_start=192.168.2.10
gateway=192.168.2.7
domain-name=vlan-registration.domain.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

[192.168.3.0]
dns=192.168.3.7
dhcp_start=192.168.3.10
gateway=192.168.3.7
domain-name=vlan-isolation.domain.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

pf.conf has interfaces defined


[interface eth0]
ip=172.16.1.74
type=management
mask=255.255.248.0

[interface eth0.2]
enforcement=vlan
ip=192.168.2.7
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.7
type=internal
mask=255.255.255.0

Where else do I need to look?


From: Sokolowski, Darryl via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, July 27, 2017 3:03 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: [PacketFence-users] dhcpd not starting

Hi,
I have a 3 member PF 7.2 cluster built from ZEN machines.
On member #3, the dhcpd service does not start. When I try to start it, I get 
the message "Service 'dhcpd' is not managed by PacketFence. Therefore, no 
action will be performed"

Shouldn't dhcpd be running on all members?

I also am seeing in packetfence.log the messages "Can't bind : 
IO::Socket::INET: connect: Connection refused 
(pf::ip4log::_get_lease_from_omapi)"
I assume this is because dhcpd is not running.

The config files are synced, but I don't know why it doesn't start.

Can someone help point me right to get it figured out?

Thanks
Darryl




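Louis's reply in this thread settles why dhcpd is absent on the third node. The networks.conf and pf.conf excerpts the poster pasted can still be checked mechanically for the kind of mismatch the poster was looking for, and the following Python is an added example written for this page, not PacketFence code. It assumes that each networks.conf section name is the network address, that `gateway` on a registration or isolation VLAN should be the address of the PacketFence internal interface on that VLAN (as it is in the quoted files), and that the DHCP pool must lie inside the subnet without covering the gateway. The constructed excerpts and the function names (parse_ini, internal_interfaces, check_networks) are mine.

```python
import configparser
import ipaddress
from typing import Dict, List

# Constructed copies of the networks.conf and pf.conf interface sections quoted
# in the thread (keys the checks do not use are left out).
NETWORKS_CONF = """\
[192.168.2.0]
dns=192.168.2.7
dhcp_start=192.168.2.10
gateway=192.168.2.7
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0

[192.168.3.0]
dns=192.168.3.7
dhcp_start=192.168.3.10
gateway=192.168.3.7
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
"""

PF_CONF = """\
[interface eth0]
ip=172.16.1.74
type=management
mask=255.255.248.0

[interface eth0.2]
enforcement=vlan
ip=192.168.2.7
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.7
type=internal
mask=255.255.255.0
"""


def parse_ini(text: str) -> configparser.ConfigParser:
    """PacketFence .conf files are INI-style with '=' as the delimiter."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def internal_interfaces(pf: configparser.ConfigParser) -> Dict[str, ipaddress.IPv4Interface]:
    """Map 'eth0.2' -> 192.168.2.7/24 for every [interface X] section with type=internal."""
    out: Dict[str, ipaddress.IPv4Interface] = {}
    for s in pf.sections():
        if s.startswith("interface ") and pf[s].get("type") == "internal":
            out[s[len("interface "):]] = ipaddress.ip_interface(f"{pf[s]['ip']}/{pf[s]['mask']}")
    return out


def check_networks(networks_txt: str, pf_txt: str) -> List[str]:
    nets, ifaces = parse_ini(networks_txt), internal_interfaces(parse_ini(pf_txt))
    findings: List[str] = []
    for name in nets.sections():
        sec = nets[name]
        subnet = ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=False)
        # an internal PacketFence interface must sit on every registration/isolation subnet
        owners = [i for i, ifc in ifaces.items() if ifc.network == subnet]
        if not owners:
            findings.append(f"{name}: no internal interface in pf.conf is on this subnet")
        # the gateway handed to clients is expected to be PacketFence's own address (assumption)
        gw = ipaddress.ip_address(sec["gateway"])
        if not any(ifaces[i].ip == gw for i in owners):
            findings.append(f"{name}: gateway {gw} is not the address of a PacketFence internal interface")
        if sec.get("dhcpd") != "enabled":
            continue
        start, end = ipaddress.ip_address(sec["dhcp_start"]), ipaddress.ip_address(sec["dhcp_end"])
        if start not in subnet or end not in subnet or start > end:
            findings.append(f"{name}: DHCP pool {start}-{end} is not a valid range inside {subnet}")
        elif start <= gw <= end:
            findings.append(f"{name}: gateway {gw} lies inside the DHCP pool {start}-{end}")
    return findings


if __name__ == "__main__":
    issues = check_networks(NETWORKS_CONF, PF_CONF)
    print("\n".join(issues) if issues else "networks.conf and pf.conf are consistent")
```

For the quoted files the check comes back clean, which matches the poster's own reading that networks.conf "looks ok"; the value is in catching a gateway that is not a PacketFence interface or a pool that swallows the gateway, which are the mistakes that do stop dhcpd from serving a VLAN.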


[PacketFence-users] dhcpd not starting

2017-07-27 Thread Sokolowski, Darryl via PacketFence-users
Hi,
I have a 3 member PF 7.2 cluster built from ZEN machines.
On member #3, the dhcpd service does not start. When I try to start it, I get 
the message "Service 'dhcpd' is not managed by PacketFence. Therefore, no 
action will be performed"

Shouldn't dhcpd be running on all members?

I also am seeing in packetfence.log the messages "Can't bind : 
IO::Socket::INET: connect: Connection refused 
(pf::ip4log::_get_lease_from_omapi)"
I assume this is because dhcpd is not running.

The config files are synced, but I don't know why it doesn't start.

Can someone help point me right to get it figured out?

Thanks
Darryl







[PacketFence-users] radius secret lost if master role moves

2017-07-10 Thread Sokolowski, Darryl via PacketFence-users
Hi,
I have a 3-server packetfence 7.1 cluster.
It seems when the master role moves to another member, the radius 
authentication for mab begins failing and I get the 'server dead' message in 
the switch logs.
I found that if I retype the secret in the switch group gui, it begins working 
again.

I checked the switches.conf on each server and all have the correct radius 
secret.
I reloaded the config (pfcmd configreload hard) and restarted the services, and 
it works until the master moves again.

Any suggestions?

Thanks







Re: [PacketFence-users] Fingerbank API daily limit

2017-06-21 Thread Sokolowski, Darryl via PacketFence-users
Anybody have any insight on this?
I don't know whether this is normal or not.

From: Sokolowski, Darryl via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, June 15, 2017 5:01 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: [PacketFence-users] Fingerbank API daily limit

Hi all,
I've started getting an email that I've reached my hourly limit of access to 
the Fingerbank API.
The email says to consider using the local SQLite database.
I thought that packetfence does use the local copy to cut down on upstream 
calls?

Maybe I have a misconfiguration?
When I go to the administration, Configuration, Compliance, Fingerbank and 
click any of the headings, the "Local" tab under each is blank, but the 
"Upstream" tab has listings.

The fingerbank log is empty.

In packetfence.log, there are a lot of warnings like "pfqueue: pfqueue(3856) 
WARN: [mac:70:5a:0f:10:0c:8a] Unable to perform a Fingerbank lookup for device 
with MAC address '70:5a:0f:10:0c:8a' (pf::fingerbank::__ANON__)"

Can anyone point me in the right direction to resolve those messages?
I'm running a 3 node packetfence 7.1 cluster.

Thanks
Darryl





[PacketFence-users] Fingerbank API daily limit

2017-06-15 Thread Sokolowski, Darryl via PacketFence-users
Hi all,
I've started getting an email that I've reached my hourly limit of access to 
the Fingerbank API.
The email says to consider using the local SQLite database.
I thought that packetfence does use the local copy to cut down on upstream 
calls?

Maybe I have a misconfiguration?
When I go to the administration, Configuration, Compliance, Fingerbank and 
click any of the headings, the "Local" tab under each is blank. The "Upstream" 
tab has listings.

The fingerbank log is empty.

In packetfence.log, there are a lot of warnings like "pfqueue: pfqueue(3856) 
WARN: [mac:70:5a:0f:10:0c:8a] Unable to perform a Fingerbank lookup for device 
with MAC address '70:5a:0f:10:0c:8a' (pf::fingerbank::__ANON__)"

Can anyone point me in the right direction to resolve those messages?
I'm running a 3 node packetfence 7.1 cluster.

Thanks
Darryl






Re: [PacketFence-users] PF 7.1 remove inline mode

2017-06-14 Thread Sokolowski, Darryl via PacketFence-users
Thanks Fabrice!
That worked perfectly!

Darryl

From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, June 14, 2017 8:12 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] PF 7.1 remove inline mode


Hello Darryl,

In fact you just have to modify networks.conf and cluster.conf to remove the 
inline-related config (bin/pfcmd configreload hard).

Regards

Fabrice



On 2017-06-13 at 18:12, Sokolowski, Darryl via PacketFence-users wrote:
Hi all,
Let me say I'm loving this product! Good work to all involved!
Thank you for all your efforts!

My question is, I built my environment first, then clustered, and found out 
that inline mode isn't supported in the clustered environment.
So I'd like to remove it from my clustered environment, but can I do that 
safely?
Can I just access the configurator again and clear the inline checkbox?

Or can I remove the references for the inline interface from the config files?
I wanted to ask before I hose my installation.

Thanks
Darryl





--

Fabrice Durand

fdur...@inverse.ca<mailto:fdur...@inverse.ca> ::  +1.514.447.4918 (x135) ::  
www.inverse.ca<http://www.inverse.ca>

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)


[PacketFence-users] PF 7.1 remove inline mode

2017-06-13 Thread Sokolowski, Darryl via PacketFence-users
Hi all,
Let me say I'm loving this product! Good work to all involved!
Thank you for all your efforts!

My question is, I built my environment first, then clustered, and found out 
that inline mode isn't supported in the clustered environment.
So I'd like to remove it from my clustered environment, but can I do that 
safely?
Can I just access the configurator again and clear the inline checkbox?

Or can I remove the references for the inline interface from the config files?
I wanted to ask before I hose my installation.

Thanks
Darryl







[PacketFence-users] Cluster but need Inline also

2017-06-06 Thread Sokolowski, Darryl via PacketFence-users
Hi All,
What might be a way to set up both a cluster for redundancy and also enable 
Inline mode?
I have a need for both, but am unsure that I should try to add it to the 
clustered machines.
Should I have a separate PF installation for the inline?

To clarify my intentions a bit:
What we wanted to try to do is to put any unregistered machine into our guest 
network after accepting the terms in the aup-text via the captive portal, to 
protect our wired connections within the office.
Easy enough, and already achieved using a PF 7 cluster.  But I see that Inline 
mode is not supported on the clustered machines.

We had originally planned on using Inline mode for wireless connections.  Right 
now, our policy is not to allow any wireless connections to our internal 
network, so our wireless is really just guest access, but we want to make 
wireless users accept the same aup-text terms before granting access. So we 
were supposing we could use packetfence as a hotspot to present the terms and 
conditions and to control the wireless access. And have an easy route to our 
internal network should the emergency need arise, or policies change.

Should I use a WLAN controller instead? (But then the controller is a single 
point of failure.)

Has anyone set up anything similar? Looking for ideas on how this could be 
achieved.

Thanks







[PacketFence-users] PF 7 Cluster member dhcpd not starting

2017-06-02 Thread Sokolowski, Darryl via PacketFence-users
Hi,
Is it by design that dhcpd does not start on one member of a 3 member PF 7 
cluster?
On the first and second member, it is set to start with pf services, but on 
this third member, it is set not to start.

# bin/pfcmd service dhcpd status
service|shouldBeStarted|pid
dhcpd|0|0

I saw that pfmon only runs on one member at a time, and was unsure of the 
expected behavior for dhcpd?

Thanks
Darryl







[PacketFence-users] Renaming PF cluster member

2017-06-02 Thread Sokolowski, Darryl via PacketFence-users
Hi all,
I would like to rename one of my servers that is in a PF7 cluster.
Is that more trouble than it is worth?
Is there more to it than updating the cluster.conf, hostname, and dns?
Am I going to whack my MariaDB cluster by doing that?

Any insight is appreciated.

Thanks
Darryl
