Re: [PacketFence-users] Webauth with Aruba

2018-01-30 Thread Tim DeNike via PacketFence-users
I use it.  The PF documentation was more or less spot-on for it.

On Tue, Jan 30, 2018 at 10:52 AM, Trinklein, Jason R via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Has anyone run Packetfence webauth with Aruba for guest wireless access?
> Any guides or manuals for integration that I can use?
>
>
>
> --
>
> *Jason Trinklein*
>
> *Wireless Engineering Manager*
>
> College of Charleston
>
> 81 St. Philip Street | Office 311D | Charleston, SC 29403
>
> trinkle...@cofc.edu | (843) 300–8009
>
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


Re: [PacketFence-users] 7.2 and IPv6 functionality issues with patches.

2017-09-26 Thread Tim DeNike via PacketFence-users
And Firewall SSO doesn't send updates for V6 addresses. :(

On Mon, Sep 25, 2017 at 3:29 PM, Tim DeNike <tim.den...@mcc.edu> wrote:

> PS:  This doesn't solve the potential issue of the # of active IPv6
> addresses a device could potentially have on 1 interface.
>
> 1.  Link Local
> 2.  SLAAC temporary address
> 3.  SLAAC address
> 4.  DHCPv6 address
> 5.  DHCPv6 PD Prefix
>
> The only issue that would affect my network is on the wireless side with
> multiple SLAAC addresses.  We can't use DHCPv6 there because of Android
> problems.
>
>
>
> On Mon, Sep 25, 2017 at 2:57 PM, Tim DeNike <tim.den...@mcc.edu> wrote:
>
>> Finally getting around to 7.2 upgrade and testing IPv6 functionality.
>> Couple issues.
>>
>> #1.  Our switches send multiple Framed-IPv6-Address values in a single
>> accounting packet.  Needed to keep the value of Framed-IPv6-Address from
>> API into an array and break it down in handle_accounting_metadata.
>> #2.  IPlog from accounting packets wasn't working at all because it was
>> set to == when it should have been != in api.pm
>> #3.  IPlog from accounting packets wasn't set to function on IP6
>> addresses.
>> #4.  pf/util/dictionary is missing:
>> ATTRIBUTE Framed-IPv6-Address 168 ipv6addr
>> ATTRIBUTE Framed-IPv6-Prefix  97 ipv6prefix  # Could be used in future
>>
>> The following diffs against 7.2 appear to function properly in my lab.
>>
>> lib/pf/radius/rest.pm
>> 70,71c70
>> < $_ =~ /Framed-IPv6-Address/ ? ($_ => $request->{$_}->{value}) :
>> ($_ => $request->{$_}->{value}->[0]);
>> < #$_ => $request->{$_}->{value}->[0];
>> ---
>> > $_ => $request->{$_}->{value}->[0];
>>
>>
>> lib/pf/api.pm
>> 1349c1349
>> < if ($RAD_REQUEST{'Acct-Status-Type'} != $ACCOUNTING::STOP){
>> ---
>> > if ($RAD_REQUEST{'Acct-Status-Type'} == $ACCOUNTING::STOP){
>> 1352,1361c1352,1353
>> < if ($RAD_REQUEST{'Framed-IP-Address'} ) {
>> < $logger->info("Updating ip4log from accounting request
>> wit $RAD_REQUEST{'Framed-IP-Address'}");
>> < $client->notify("update_ip4log", mac => $mac, ip =>
>> $RAD_REQUEST{'Framed-IP-Address'});
>> < }
>> < if ( $RAD_REQUEST{'Framed-IPv6-Address'} ) {
>> < foreach my $ip6addr ( 
>> @{$RAD_REQUEST{'Framed-IPv6-Address'}}
>> ) {
>> <$logger->info("Updating ip6log froun accounting
>> $ip6addr");
>> <$client->notify("update_ip6log", mac => $mac, ip =>
>> $ip6addr) if ($ip6addr !~ m/^fe80.*/ );
>> < }
>> < }
>> ---
>> > $logger->info("Updating iplog from accounting request");
>> > $client->notify("update_ip4log", mac => $mac, ip =>
>> $RAD_REQUEST{'Framed-IP-Address'}) if ($RAD_REQUEST{'Framed-IP-Address'}
>> );
>>
>>
>>
>>
>>
>> Tim - MCC
>>
>
>


Re: [PacketFence-users] 7.2 and IPv6 functionality issues with patches.

2017-09-25 Thread Tim DeNike via PacketFence-users
PS:  This doesn't solve the potential issue of the # of active IPv6
addresses a device could potentially have on 1 interface.

1.  Link Local
2.  SLAAC temporary address
3.  SLAAC address
4.  DHCPv6 address
5.  DHCPv6 PD Prefix

The only issue that would affect my network is on the wireless side with
multiple SLAAC addresses.  We can't use DHCPv6 there because of Android
problems.



On Mon, Sep 25, 2017 at 2:57 PM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Finally getting around to 7.2 upgrade and testing IPv6 functionality.
> Couple issues.
>
> #1.  Our switches send multiple Framed-IPv6-Address values in a single
> accounting packet.  Needed to keep the value of Framed-IPv6-Address from
> API into an array and break it down in handle_accounting_metadata.
> #2.  IPlog from accounting packets wasn't working at all because it was
> set to == when it should have been != in api.pm
> #3.  IPlog from accounting packets wasn't set to function on IP6 addresses.
> #4.  pf/util/dictionary is missing:
> ATTRIBUTE Framed-IPv6-Address 168 ipv6addr
> ATTRIBUTE Framed-IPv6-Prefix  97 ipv6prefix  # Could be used in future
>
> The following diffs against 7.2 appear to function properly in my lab.
>
> lib/pf/radius/rest.pm
> 70,71c70
> < $_ =~ /Framed-IPv6-Address/ ? ($_ => $request->{$_}->{value}) :
> ($_ => $request->{$_}->{value}->[0]);
> < #$_ => $request->{$_}->{value}->[0];
> ---
> > $_ => $request->{$_}->{value}->[0];
>
>
> lib/pf/api.pm
> 1349c1349
> < if ($RAD_REQUEST{'Acct-Status-Type'} != $ACCOUNTING::STOP){
> ---
> > if ($RAD_REQUEST{'Acct-Status-Type'} == $ACCOUNTING::STOP){
> 1352,1361c1352,1353
> < if ($RAD_REQUEST{'Framed-IP-Address'} ) {
> < $logger->info("Updating ip4log from accounting request
> wit $RAD_REQUEST{'Framed-IP-Address'}");
> < $client->notify("update_ip4log", mac => $mac, ip =>
> $RAD_REQUEST{'Framed-IP-Address'});
> < }
> < if ( $RAD_REQUEST{'Framed-IPv6-Address'} ) {
> < foreach my $ip6addr ( @{$RAD_REQUEST{'Framed-IPv6-Address'}}
> ) {
> <$logger->info("Updating ip6log froun accounting
> $ip6addr");
> <$client->notify("update_ip6log", mac => $mac, ip =>
> $ip6addr) if ($ip6addr !~ m/^fe80.*/ );
> < }
> < }
> ---
> > $logger->info("Updating iplog from accounting request");
> > $client->notify("update_ip4log", mac => $mac, ip =>
> $RAD_REQUEST{'Framed-IP-Address'}) if ($RAD_REQUEST{'Framed-IP-Address'}
> );
>
>
>
>
>
> Tim - MCC
>


[PacketFence-users] 7.2 and IPv6 functionality issues with patches.

2017-09-25 Thread Tim DeNike via PacketFence-users
Finally getting around to 7.2 upgrade and testing IPv6 functionality.
Couple issues.

#1.  Our switches send multiple Framed-IPv6-Address values in a single
accounting packet.  Needed to keep the value of Framed-IPv6-Address from
API into an array and break it down in handle_accounting_metadata.
#2.  IPlog from accounting packets wasn't working at all because it was set
to == when it should have been != in api.pm
#3.  IPlog from accounting packets wasn't set to function on IP6 addresses.
#4.  pf/util/dictionary is missing:
ATTRIBUTE Framed-IPv6-Address 168 ipv6addr
ATTRIBUTE Framed-IPv6-Prefix  97 ipv6prefix  # Could be used in future

The following diffs against 7.2 appear to function properly in my lab.

lib/pf/radius/rest.pm
70,71c70
< $_ =~ /Framed-IPv6-Address/ ? ($_ => $request->{$_}->{value}) :
($_ => $request->{$_}->{value}->[0]);
< #$_ => $request->{$_}->{value}->[0];
---
> $_ => $request->{$_}->{value}->[0];
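
Review bot: The ternary on the first `<` line selects on `$_ =~ /Framed-IPv6-Address/`, an unanchored match, so any attribute whose name merely contains that string would also be passed on as a whole array; `$_ eq 'Framed-IPv6-Address'` states the intent exactly. The commented-out `#$_ => $request->{$_}->{value}->[0];` line left beside it should be dropped from the final patch, and because every other attribute still takes `->[0]`, a short comment saying that Framed-IPv6-Address is now the one key whose consumers receive an array reference would help the next reader.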


lib/pf/api.pm
1349c1349
< if ($RAD_REQUEST{'Acct-Status-Type'} != $ACCOUNTING::STOP){
---
> if ($RAD_REQUEST{'Acct-Status-Type'} == $ACCOUNTING::STOP){
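
Review bot: The direction of this diff is inverted: the `<` line carries `!=`, which the message describes as the corrected form, and the `>` line carries the `==` it replaces, so all the hunks read modified-to-original and would have to be applied in reverse. Regenerating with the original file first, ideally as a unified diff, avoids that. On the condition itself, `!= $ACCOUNTING::STOP` admits every status type other than Stop, not only the ones expected to carry a Framed address; naming the accepted types explicitly would make the intent clearer.
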
1352,1361c1352,1353
< if ($RAD_REQUEST{'Framed-IP-Address'} ) {
< $logger->info("Updating ip4log from accounting request
wit $RAD_REQUEST{'Framed-IP-Address'}");
< $client->notify("update_ip4log", mac => $mac, ip =>
$RAD_REQUEST{'Framed-IP-Address'});
< }
< if ( $RAD_REQUEST{'Framed-IPv6-Address'} ) {
< foreach my $ip6addr (
@{$RAD_REQUEST{'Framed-IPv6-Address'}} ) {
<$logger->info("Updating ip6log froun accounting
$ip6addr");
<$client->notify("update_ip6log", mac => $mac, ip =>
$ip6addr) if ($ip6addr !~ m/^fe80.*/ );
< }
< }
---
> $logger->info("Updating iplog from accounting request");
> $client->notify("update_ip4log", mac => $mac, ip =>
$RAD_REQUEST{'Framed-IP-Address'}) if ($RAD_REQUEST{'Framed-IP-Address'} );
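
Review bot: In the `foreach` over `Framed-IPv6-Address`, the link-local test `$ip6addr !~ m/^fe80.*/` is a case-sensitive text match, so an address the NAS writes as `FE80::1` would still be sent to `update_ip6log`, and the trailing `.*` adds nothing. The `$logger->info` call also sits before that test, so the log reports an ip6log update for addresses that are then skipped. Suggest `next if $ip6addr =~ /^fe[89ab][0-9a-f]:/i;` as the first statement of the loop, which covers the whole fe80::/10 range, and fixing the `wit` and `froun` typos in the two log strings while there. The `@{...}` dereference also assumes the value is always an array reference, which only holds together with the rest.pm change.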





Tim - MCC
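
An added example, not part of the original message and not PacketFence code: one way to turn a single accounting request carrying several Framed-IPv6-Address values into per-address iplog updates, dropping link-local addresses by prefix (fe80::/10) instead of by string match. The function names, the sample request and the assumption that Acct-Status-Type arrives as its numeric RFC 2866 code are assumptions of this example; only the attribute names and the update_ip4log/update_ip6log event names come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_pton inet_ntop AF_INET AF_INET6);

# Acct-Status-Type codes from RFC 2866. Assumption: the request carries the
# numeric code, not the dictionary name.
use constant { ACCT_START => 1, ACCT_INTERIM => 3 };

# A RADIUS attribute can occur once (scalar) or several times (array ref).
# Hypothetical helper: always hand back a plain list.
sub attr_values {
    my ($value) = @_;
    return () unless defined $value;
    return ref($value) eq 'ARRAY' ? @{$value} : ($value);
}

# Canonical text form of a usable IPv6 host address, or undef when the string
# does not parse or falls inside fe80::/10 (link-local).
sub routable_ip6 {
    my ($text) = @_;
    my $packed = inet_pton(AF_INET6, $text);
    return undef unless defined $packed;
    my ($b0, $b1) = unpack 'C2', $packed;
    return undef if $b0 == 0xfe && ($b1 & 0xc0) == 0x80;    # fe80::/10
    return inet_ntop(AF_INET6, $packed);
}

# Build the list of [event, mac, ip] updates for one accounting request.
sub iplog_updates {
    my ($mac, $request) = @_;
    my $type = $request->{'Acct-Status-Type'} // 0;

    # Only Start and Interim-Update describe a live session.
    return () unless $type == ACCT_START || $type == ACCT_INTERIM;

    my @updates;
    for my $ip4 (attr_values($request->{'Framed-IP-Address'})) {
        next unless defined(inet_pton(AF_INET, $ip4));
        push @updates, ['update_ip4log', $mac, $ip4];
    }

    my %seen;    # the same address may be sent in more than one spelling
    for my $raw (attr_values($request->{'Framed-IPv6-Address'})) {
        my $ip6 = routable_ip6($raw);
        next if !defined $ip6 || $seen{$ip6}++;
        push @updates, ['update_ip6log', $mac, $ip6];
    }
    return @updates;
}

# Constructed sample request; addresses use the documentation ranges
# 192.0.2.0/24 and 2001:db8::/32.
my %request = (
    'Acct-Status-Type'    => ACCT_INTERIM,
    'Framed-IP-Address'   => '192.0.2.25',
    'Framed-IPv6-Address' => [
        'FE80::1c2d:3eff:fe4f:5a6b',             # link-local, upper case
        '2001:db8:10:20:1c2d:3eff:fe4f:5a6b',    # SLAAC address
        '2001:DB8:10:20:0:0:0:99',               # second address, long form
        '2001:db8:10:20::99',                    # same address, short form
        'not-an-address',                        # malformed value
    ],
);

printf "%s mac=%s ip=%s\n", @{$_}
    for iplog_updates('00:11:22:33:44:55', \%request);
```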


Re: [PacketFence-users] Mobile phone MAC randomisation breaks PF

2017-09-19 Thread Tim DeNike via PacketFence-users
MAC randomization (at least the way I've seen it work) only randomizes the
MAC when the device is passively probing for networks.  It uses the fixed
MAC when it actually connects.

OR.. It uses a random MAC for a specific SSID and doesn't change it while
connected to that SSID.

If it's randomizing the MAC every single time, tell her tough beans, get a
phone that works correctly.  :D

On Tue, Sep 19, 2017 at 10:15 AM, Torry, Andrew via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi folks,
>
>
>
> We have a new student who cannot seem to get onto our PF controlled wifi
> since her mobile phone keeps randomising its MAC address. It appears this
> feature is hard coded into the phone's OS and cannot be disabled. The only
> way we can see to fix this is to register every one of the 65535 MAC
> addresses the device could be using to the user’s ID but this seems
> dangerously kludgy to me.
>
> Has anyone else come up with a potential fix for this as it completely
> breaks PF and other MAC based registration systems.
>
>
>
> Andrew
>
>
>
> Andrew Torry
>
> Senior Infrastructure Engineer
>
>
>
> Tel: 01326 370760
>
> Email: andrew.to...@fxplus.ac.uk
>
>
>
> Falmouth Exeter Plus is an exempt charity established by Falmouth
> University and the University of Exeter to deliver their shared Higher
> Education services in Cornwall.
>
>


Re: [PacketFence-users] Multiple endpoints behind a single switchport

2017-06-20 Thread Tim DeNike via PacketFence-users
Brocade.  And previously Extreme.  Big benefit of Brocade is how they
handle ACLs.  We have a substantial IPv4 and IPv6 ACL on every device on a
switch and haven't run out of CAM space.

Pretty much any Broadcom based switch can do MAC based VLANs though.

Sent from my iPhone

On Jun 20, 2017, at 4:17 PM, Derek Wuelfrath <dwuelfr...@inverse.ca> wrote:

Which network equipment are you using just out of curiosity ! :)

Cheers!
-dw

--
Derek Wuelfrath
dwuelfr...@inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
www.packetfence.org) and Fingerbank (www.fingerbank.org)

On Jun 20, 2017, at 16:16, Tim DeNike <tim.den...@mcc.edu> wrote:

Correct...  We use it and it works beautifully.. Nice to be able to have a VM
running in a different VLAN than your laptop.  :D

On Tue, Jun 20, 2017 at 4:10 PM, Derek Wuelfrath <dwuelfr...@inverse.ca>
wrote:

> You would need network equipment that supports multiple untagged VLAN on
> the same switch port.
>
> Cheers!
> -dw
>
> --
> Derek Wuelfrath
> dwuelfr...@inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
> www.packetfence.org) and Fingerbank (www.fingerbank.org)
>
> On Jun 20, 2017, at 15:27, Tim DeNike <tim.den...@mcc.edu> wrote:
>
> Or using radius COA and multiple untagged devices on the switch port.
>
> On Tue, Jun 20, 2017 at 10:50 AM, Derek Wuelfrath via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Max,
>>
>> Even if this feature lets you “manage multiple devices” on an unmanaged
>> switch, there is no magic :)
>> This feature needs to work using the webauth enforcement. This is the
>> only way the “upstream” managed switch can enforce different “policies” on
>> multiple devices plugged into an unmanaged switch.
>>
>> Cheers!
>> -dw
>>
>> --
>> Derek Wuelfrath
>> dwuelfr...@inverse.ca
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
>> www.packetfence.org) and Fingerbank (www.fingerbank.org)
>>
>> On Jun 20, 2017, at 10:46, Max McGrath <mmcgr...@carthage.edu> wrote:
>>
>> Thanks Derek.
>>
>> That's what I had assumed, but in my testing that was not my experience.
>>
>> I'll revisit in my test environment when I have a moment.
>>
>> Max
>>
>> --
>> Max McGrath  <https://www.linkedin.com/pub/max-mcgrath/1b/3a6/a21>
>> Network Administrator
>> Carthage College
>> 262-551-
>> mmcgr...@carthage.edu
>>
>> On Tue, Jun 20, 2017 at 9:34 AM, Derek Wuelfrath <dwuelfr...@inverse.ca>
>> wrote:
>>
>>> Hey Max,
>>>
>>> That means, if for example you have a managed switch port with
>>> PacketFence enforcement configured on it, and that you have a small
>>> unmanaged desktop switch plugged into that managed switch port, then you
>>> can register / unregister / apply a violation / close a violation / change
>>> the role of all the devices plugged into that unmanaged desktop switch.
>>>
>>> Managing a device from PacketFence that is plugged into that unmanaged
>>> desktop switch will inform you that there are other devices with a
>>> locationlog opened on the same managed switch port and that you can apply
>>> the action to all of the devices or only on the one you are currently
>>> editing.
>>>
>>> Does that help?
>>>
>>> Cheers!
>>> -dw
>>>
>>> --
>>> Derek Wuelfrath
>>> dwuelfr...@inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
>>> www.packetfence.org) and Fingerbank (www.fingerbank.org)
>>>
>>> On Jun 16, 2017, at 16:14, Max McGrath via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>> Hello -
>>>
>>> I saw in the release notes for version 7.0 a feature which states
>>> "Ability to manage multiple "active" endpoints behind a single switchport
>>> (PR#2034)".
>>>
>>> What exactly does this mean?  Does it mean that PacketFence will now
>>> work with multiple endpoints plugged into a single hub/switch?
>>>
>>> I've just tried that and it doesn't seem to function as expected.
>>> Perhaps PR#2034 does something different than I'm reading into it.
>>>
>>> Thanks!
>>>
>>> Max
>>> --
>>> Max McGrath  <https://www.linkedin.com/pub/max-mcgrath/1b/3a6/a21>
>>> Network Administrator
>

Re: [PacketFence-users] Multiple endpoints behind a single switchport

2017-06-20 Thread Tim DeNike via PacketFence-users
Correct...  We use it and it works beautifully.. Nice to be able to have a VM
running in a different VLAN than your laptop.  :D

On Tue, Jun 20, 2017 at 4:10 PM, Derek Wuelfrath <dwuelfr...@inverse.ca>
wrote:

> You would need network equipment that supports multiple untagged VLAN on
> the same switch port.
>
> Cheers!
> -dw
>
> --
> Derek Wuelfrath
> dwuelfr...@inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
> www.packetfence.org) and Fingerbank (www.fingerbank.org)
>
> On Jun 20, 2017, at 15:27, Tim DeNike <tim.den...@mcc.edu> wrote:
>
> Or using radius COA and multiple untagged devices on the switch port.
>
> On Tue, Jun 20, 2017 at 10:50 AM, Derek Wuelfrath via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Max,
>>
>> Even if this feature lets you “manage multiple devices” on an unmanaged
>> switch, there is no magic :)
>> This feature needs to work using the webauth enforcement. This is the
>> only way the “upstream” managed switch can enforce different “policies” on
>> multiple devices plugged into an unmanaged switch.
>>
>> Cheers!
>> -dw
>>
>> --
>> Derek Wuelfrath
>> dwuelfr...@inverse.ca
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
>> www.packetfence.org) and Fingerbank (www.fingerbank.org)
>>
>> On Jun 20, 2017, at 10:46, Max McGrath <mmcgr...@carthage.edu> wrote:
>>
>> Thanks Derek.
>>
>> That's what I had assumed, but in my testing that was not my experience.
>>
>> I'll revisit in my test environment when I have a moment.
>>
>> Max
>>
>> --
>> Max McGrath  <https://www.linkedin.com/pub/max-mcgrath/1b/3a6/a21>
>> Network Administrator
>> Carthage College
>> 262-551-
>> mmcgr...@carthage.edu
>>
>> On Tue, Jun 20, 2017 at 9:34 AM, Derek Wuelfrath <dwuelfr...@inverse.ca>
>> wrote:
>>
>>> Hey Max,
>>>
>>> That means, if for example you have a managed switch port with
>>> PacketFence enforcement configured on it, and that you have a small
>>> unmanaged desktop switch plugged into that managed switch port, then you
>>> can register / unregister / apply a violation / close a violation / change
>>> the role of all the devices plugged into that unmanaged desktop switch.
>>>
>>> Managing a device from PacketFence that is plugged into that unmanaged
>>> desktop switch will inform you that there are other devices with a
>>> locationlog opened on the same managed switch port and that you can apply
>>> the action to all of the devices or only on the one you are currently
>>> editing.
>>>
>>> Does that help?
>>>
>>> Cheers!
>>> -dw
>>>
>>> --
>>> Derek Wuelfrath
>>> dwuelfr...@inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
>>> www.packetfence.org) and Fingerbank (www.fingerbank.org)
>>>
>>> On Jun 16, 2017, at 16:14, Max McGrath via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>> Hello -
>>>
>>> I saw in the release notes for version 7.0 a feature which states
>>> "Ability to manage multiple "active" endpoints behind a single switchport
>>> (PR#2034)".
>>>
>>> What exactly does this mean?  Does it mean that PacketFence will now
>>> work with multiple endpoints plugged into a single hub/switch?
>>>
>>> I've just tried that and it doesn't seem to function as expected.
>>> Perhaps PR#2034 does something different than I'm reading into it.
>>>
>>> Thanks!
>>>
>>> Max
>>> --
>>> Max McGrath  <https://www.linkedin.com/pub/max-mcgrath/1b/3a6/a21>
>>> Network Administrator
>>> Carthage College
>>> 262-551-
>>> mmcgr...@carthage.edu


Re: [PacketFence-users] Multiple endpoints behind a single switchport

2017-06-20 Thread Tim DeNike via PacketFence-users
Or using radius COA and multiple untagged devices on the switch port.

On Tue, Jun 20, 2017 at 10:50 AM, Derek Wuelfrath via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Max,
>
> Even if this feature lets you “manage multiple devices” on an unmanaged
> switch, there is no magic :)
> This feature needs to work using the webauth enforcement. This is the only
> way the “upstream” managed switch can enforce different “policies” on
> multiple devices plugged into an unmanaged switch.
>
> Cheers!
> -dw
>
> --
> Derek Wuelfrath
> dwuelfr...@inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
> www.packetfence.org) and Fingerbank (www.fingerbank.org)
>
> On Jun 20, 2017, at 10:46, Max McGrath  wrote:
>
> Thanks Derek.
>
> That's what I had assumed, but in my testing that was not my experience.
>
> I'll revisit in my test environment when I have a moment.
>
> Max
>
> --
> Max McGrath  
> Network Administrator
> Carthage College
> 262-551-
> mmcgr...@carthage.edu
>
> On Tue, Jun 20, 2017 at 9:34 AM, Derek Wuelfrath 
> wrote:
>
>> Hey Max,
>>
>> That means, if for example you have a managed switch port with
>> PacketFence enforcement configured on it, and that you have a small
>> unmanaged desktop switch plugged into that managed switch port, then you
>> can register / unregister / apply a violation / close a violation / change
>> the role of all the devices plugged into that unmanaged desktop switch.
>>
>> Managing a device from PacketFence that is plugged into that unmanaged
>> desktop switch will inform you that there are other devices with a
>> locationlog opened on the same managed switch port and that you can apply
>> the action to all of the devices or only on the one you are currently
>> editing.
>>
>> Does that help?
>>
>> Cheers!
>> -dw
>>
>> --
>> Derek Wuelfrath
>> dwuelfr...@inverse.ca
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu), PacketFence (
>> www.packetfence.org) and Fingerbank (www.fingerbank.org)
>>
>> On Jun 16, 2017, at 16:14, Max McGrath via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello -
>>
>> I saw in the release notes for version 7.0 a feature which states
>> "Ability to manage multiple "active" endpoints behind a single switchport
>> (PR#2034)".
>>
>> What exactly does this mean?  Does it mean that PacketFence will now work
>> with multiple endpoints plugged into a single hub/switch?
>>
>> I've just tried that and it doesn't seem to function as expected.
>> Perhaps PR#2034 does something different than I'm reading into it.
>>
>> Thanks!
>>
>> Max
>> --
>> Max McGrath  
>> Network Administrator
>> Carthage College
>> 262-551-
>> mmcgr...@carthage.edu


Re: [PacketFence-users] Utilize Google SMTP servers for guest access emails

2017-06-18 Thread Tim DeNike via PacketFence-users
Set up a Postfix server with DMARC signing.

Sent from my iPhone

On Jun 18, 2017, at 2:50 PM, Hans Johnson via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

The other thing is to check whether whatever PF is using for its SMTP relay
is listed as a permitted mail host through SPF. We had that issue when
dealing with emails being sent to the US Government from Google. (We're on
US Forest Service land, so there's a lot of back and forth). Anyhow, I had
to go and update our DNS records to permit Google to send email on our
domain's behalf.

Hans

On Thu, Jun 15, 2017 at 8:53 PM, Max McGrath via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello -
>
> We have a lot of guests at our site right now and it appears that a lot of
> times when someone registers as a guest with the email-registration option
> -- the email ends up being sent, but it goes to their spam and the user
> never sees it.
>
> Being a Google Apps organization, it would be nice to have PF be able to
> utilize Google's SMTP servers (and authenticate with one of our
> username/passwords).  This way, it would appear more legitimate (with
> proper SPF and DKIM) than from our local SMTP server.
>
> Is this currently possible in PF?  I don't believe it is, but perhaps I'm
> missing something.
>
> Thanks!
>
> Max
> --
> Max McGrath  
> Network Administrator
> Carthage College
> 262-551-
> mmcgr...@carthage.edu
>


-- 
-
Hans Johnson (hans.john...@gmail.com)
B.ASc, Computer Engineering
Simon Fraser University

... Si hoc legere scis numium eruditionis habes. -- Anonymous



Re: [PacketFence-users] New PF 7.0 Cluster Configuration Question

2017-06-07 Thread Tim DeNike via PacketFence-users
Just ran into that myself the other day. Like some sysctl variable wasn't
set.

Sent from my iPhone

On Jun 7, 2017, at 10:02 AM, Peter Reilly via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

Was resolved by a reboot of all hosts in case anyone else has the same
issue.

Peter


On 05/31/2017 05:17 PM, Peter Reilly wrote:

Thank you,

By resync you mean: /usr/local/pf/bin/cluster/sync ?

Although that completed correctly the 1st time, now I get errors:

ERROR : [1496265119.53917] Failed to connect to config service for
namespace resource::switches_list, retrying
[1496265119.53917] Failed to connect to config service for namespace
resource::switches_list, retrying
ERROR : [1496265119.63971] Failed to connect to config service for
namespace resource::switches_list, retrying
[1496265119.63971] Failed to connect to config service for namespace
resource::switches_list, retrying
ERROR : [1496265119.7403] Failed to connect to config service for namespace
resource::switches_list, retrying
[1496265119.7403] Failed to connect to config service for namespace
resource::switches_list, retrying
ERROR : [1496265119.84084] Failed to connect to config service for
namespace resource::switches_list, retrying
[1496265119.84084] Failed to connect to config service for namespace
resource::switches_list, retrying

Can I reset the config on that host back to defaults?

I have a snapshot I can revert to if needed.

Peter


On 05/31/2017 04:38 PM, Antoine Amacher wrote:

Hello Peter,

One of your nodes is not properly synced or cannot communicate with others:

"wsrep_incoming_addresses 10.18.0.36:3306,10.18.0.37:3306"

Only 2 nodes are connected on your instance.

Isolate the one which is failing and try to resync it with the rest of the
cluster.

Thanks

On 05/31/2017 03:56 PM, Peter Reilly wrote:

I have a new configuration of packetfence, and I'm stuck at the final
section of the guide:  Checking the MariaDB sync.

I'm new to MariaDB clustering.  Any help would be appreciated.  Thanks!

Issuing mysql> show status like 'wsrep%'; shows:

wsrep_apply_oooe 0.00
wsrep_apply_oool 0.00
wsrep_apply_window 1.00
wsrep_causal_reads 0
wsrep_cert_deps_distance 1.50
wsrep_cert_index_size 6
wsrep_cert_interval 0.00
wsrep_cluster_conf_id 91
wsrep_cluster_size 2
wsrep_cluster_state_uuid d53707fc-462e-11e7-9e94-2307d1d8c35a
wsrep_cluster_status Primary
wsrep_commit_oooe 0.00
wsrep_commit_oool 0.00
wsrep_commit_window 1.00
wsrep_connected ON
wsrep_desync_count 1
wsrep_evs_evict_list |
wsrep_evs_repl_latency 0.000296411/0.000296411/0.000296411/0/1
wsrep_evs_state GATHER
wsrep_flow_control_paused 0.00
wsrep_flow_control_paused_ns 0
wsrep_flow_control_recv 0
wsrep_flow_control_sent 0
wsrep_gcomm_uuid d53696c2-462e-11e7-96e9-73b1bf863e3e
wsrep_incoming_addresses 10.18.0.36:3306,10.18.0.37:3306
wsrep_last_committed 6

Re: [PacketFence-users] User accounts

2017-06-06 Thread Tim DeNike via PacketFence-users
Samba AD server.

Sent from my iPhone

> On Jun 6, 2017, at 4:56 PM, Jason 'XenoPhage' Frisvold via PacketFence-users 
>  wrote:
>
> Greetings,
>
> In a previous life, we used Packetfence for a campus network with
> thousands of users.  The user database was a well established LDAP
> directory that had been in existence for a while.
>
> In my current life, however, we have no such database.  I'm looking for
> a solution.  I was hoping to just have Packetfence serve as that
> database, at least for now, but I don't see a way for users to manage
> their accounts..  ie, how do they change passwords?  Is it better to
> just pop up a local ldap instance and populate that?
>
> Any thoughts appreciated!
>
> Thanks,
>
> --
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>


Re: [PacketFence-users] PF 7 routed mode

2017-05-12 Thread Tim DeNike
If you add networks in the GUI it will create static routes with the
gateway specified. Or use OSPF/BGP like I do and create one aggregate route
on the PF server.  We have an isolation/registration network per building
through MPLS.  Nothing touches the PF servers at L2.

Sent from my iPhone

On May 12, 2017, at 9:48 AM, luca comes  wrote:

Hi all,

I'm delivering my new PF to test wired 802.1x on my network. I need to work
with a routed network because PF is in our datacenter and I need to control
subnets on remote sites. So I've created a local registration/isolation
vlan directly attached to the server and I configured new vlans on the
sites. I then configured PF to know that it is working in routed mode,
adding what is necessary in conf/networks.conf as said in the admin guide. What
I don't understand is if I need to add remote networks on the routing table
of the server because at the moment the registration/isolation interfaces
are not reachable and if I take a look at the routing table:


[root@pfnac01 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         172.27.17.231   0.0.0.0         UG    0      0   0   ens160
10.255.10.0     0.0.0.0         255.255.255.0   U     0      0   0   ens192.2441
10.255.20.0     0.0.0.0         255.255.255.0   U     0      0   0   ens192.2445
10.255.30.0     0.0.0.0         255.255.255.0   U     0      0   0   ens192.2446
169.254.0.0     0.0.0.0         255.255.255.252 U     0      0   0   DM-b
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0   0   ens160
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0   0   ens192
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0   0   ens192.2441
169.254.0.0     0.0.0.0         255.255.0.0     U     1005   0   0   ens192.2445
169.254.0.0     0.0.0.0         255.255.0.0     U     1006   0   0   ens192.2446
172.27.17.0     0.0.0.0         255.255.255.0   U     0      0   0   ens160


Where 10.255.10.0 is my regular network, 10.255.20.0 is my local
registration, 10.255.30.0 is my local isolation and 172.27.17.0 is the
management. I can't see my remote networks 10.149.105.0 (remote
registration) and 10.148.105.0 (remote isolation).


Any help is appreciated


Thanks


Luca



Sent from Outlook

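The routing question in this thread can be checked mechanically. The following is an added example, not part of the original messages and not PacketFence code: it parses the `route -n` output from the post and reports which networks are reachable only through the default route. The /24 mask on the two remote networks is an assumption, since the post gives only their network addresses.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net gateway flags metric iface")

# Routing table from the post, with the wrapped columns rejoined.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         172.27.17.231   0.0.0.0         UG    0      0   0   ens160
10.255.10.0     0.0.0.0         255.255.255.0   U     0      0   0   ens192.2441
10.255.20.0     0.0.0.0         255.255.255.0   U     0      0   0   ens192.2445
10.255.30.0     0.0.0.0         255.255.255.0   U     0      0   0   ens192.2446
169.254.0.0     0.0.0.0         255.255.255.252 U     0      0   0   DM-b
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0   0   ens160
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0   0   ens192
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0   0   ens192.2441
169.254.0.0     0.0.0.0         255.255.0.0     U     1005   0   0   ens192.2445
169.254.0.0     0.0.0.0         255.255.0.0     U     1006   0   0   ens192.2446
172.27.17.0     0.0.0.0         255.255.255.0   U     0      0   0   ens160
"""

# Remote registration and isolation networks named in the post.
# The /24 prefix length is assumed; the post does not state the mask.
REMOTE = ["10.149.105.0/24", "10.148.105.0/24"]


def parse_routes(text):
    """Turn `route -n` output into Route tuples, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = fields
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        routes.append(Route(net, gw, flags, int(metric), iface))
    return routes


def best_route(routes, target):
    """Route the kernel would pick: longest prefix first, then lowest metric."""
    net = ipaddress.IPv4Network(target)
    candidates = [r for r in routes if net.subnet_of(r.net)]
    return max(candidates, key=lambda r: (r.net.prefixlen, -r.metric), default=None)


def only_default(routes, networks):
    """Map each network with no specific route to the interface its replies leave on."""
    result = {}
    for network in networks:
        route = best_route(routes, network)
        if route is None or route.net.prefixlen == 0:
            result[network] = route.iface if route else None
    return result


if __name__ == "__main__":
    table = parse_routes(ROUTE_N)
    for network, iface in only_default(table, REMOTE).items():
        print(f"{network}: no specific route, replies leave via default route on {iface}")
```

With the table from the post, both remote networks match only the default route, so replies to remote registration and isolation clients leave through `ens160`, the management interface, rather than through a registration or isolation interface.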


Re: [PacketFence-users] Sending custom radius attribute based on role?

2017-04-30 Thread Tim DeNike
Look at the radius filters.  Match category and add an arbitrary radius
attribute pair.

Sent from my iPhone

On Apr 30, 2017, at 5:58 PM, Hans Johnson  wrote:

Hello,

I’m just setting up PF ZEN for a non-profit I work with, and I’m wondering
if there is a way to send a custom RADIUS attribute based on the role. This
would be to override the QoS setting for some users.

We operate a camp in a remote location, where our only access to the
Internet is via a private satellite link. For wireless, I have a cisco WLC
(a pair of WLC 4404s) going, with coverage in our staff housing.

In order to protect our meagre resources (we only have 3.3Mbps access to
the outside world), what I would like to do is have the system be able to
set the QoS level for our short term volunteers to “Bronze” as Cisco
defines it. Within that, I’ll probably rate limit them to something like
250kbps, which should be fine for email, facebook, iMessage, etc…

Anyhow, in reading the available documentation here:

http://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/96103-wlc-attributes.html

I should be able to push the radius attributes and override the QoS level
for the network.

If I have to muck around in the config files, that’s fine, I just need to
be pointed in the right direction. :)

Thanks,

Hans



Re: [PacketFence-users] Windows 10 AntiVirus and DNS

2017-03-01 Thread Tim DeNike
It uses https 443.  It's the worst idea they have ever come up with.
Disable the tunneling of dns.  It breaks captive portals and also
geolocation to get to the cdn closest to you.

Sent from my iPhone

> On Mar 1, 2017, at 10:01 PM, Buhagiar, Jon  wrote:
>
> Group,
>
>
>  We have had PacketFence in place for about a year now. We are using 
> PacketFence as a captive portal for our Cisco WLC. Once a user has 
> authenticated it sends the COA to the WLC and it switches the user to the 
> appropriate VLAN. Runs rock solid! Over the past month I've had a few users 
> that cannot get to the captive portal. PacketFence gives them an IP, but they 
> cannot get the captive portal. They can ping it, no problem and admittedly I 
> have not had them try it by the IP. All of the users are running Windows 10 
> and have some sort of AV installed, the last one had Kaspersky installed. I 
> ran across this article 
> https://sourceforge.net/p/packetfence/mailman/message/35354458/ and it seems 
> logical. I have not had a person down since I ran across the article. Since 
> we are a school and do not maintain the user's laptop(s), we hesitate to 
> suggest removing the AV.
>
>
>  One thought has come to mind... What if we transparent proxy the DNS 
> traffic back to Packetfence for 53/UDP? That is assuming that the AV software 
> is using 53/UDP for its DNS client. Has anyone run into this? If we 
> transparent proxy the DNS back to PacketFence, is it a fix? Since this 
> problem looks like it's not going away.
>
>
> Thank you,
>
>
> Jon Buhagiar
>
>
>
>
>


Re: [PacketFence-users] PALO ALTO SSO and multiple VSYS

2016-12-16 Thread Tim DeNike
I'll get it to you. I have some other modifications to it that I'll have to
eliminate first.

Sent from my iPhone

On Dec 16, 2016, at 8:25 AM, Tomasz Karczewski <tkarczew...@man.olsztyn.pl>
wrote:

Tnx for your reply.



I’ve made what you wrote but when I wanted to add firewall in webgui I’ve
got logs like this:



Dec 16 09:48:40 httpd.admin(23967) INFO:
Config::Firewall_SSO::PaloAltoVsys3
(pfappserver::Base::Controller::Crud::view)

Dec 16 09:48:40 httpd.admin(23967) ERROR: Caught exception in
pfappserver::Controller::Config::Firewall_SSO->view "Can't call method
"process" on an undefined value at
/usr/local/pf/html/pfappserver/lib/pfappserver/Base/Controller/Crud.pm line
206." (pfappserver::PacketFence::Controller::Root::end)



And in webgui I see:



*Error!* An error occured while contacting the server. Please try again
later.



Could you tell me what exactly do I have to change at .pm file (package
name and description)?



*From:* Tim DeNike [mailto:tim.den...@mcc.edu <tim.den...@mcc.edu>]
*Sent:* Thursday, December 15, 2016 4:32 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] PALO ALTO SSO and multiple VSYS



copy /usr/local/pf/lib/pf/firewallsso/PaloAlto.pm to PaloAlto_Vsys1.pm



edit the file and add =vsys1 into the $webpage definition after
$action=set



Also change the package name and description.



restart PF and the new option should be available.



On Thu, Dec 15, 2016 at 6:51 AM, Tomasz Karczewski <
tkarczew...@man.olsztyn.pl> wrote:

Hi,



My PA SSO works fine. I’ve got one question: is there any way to set a user
on another vsys than vsys1?

I’ve got a multi-vsys environment and I tried to put the user in another vsys but
maybe I’m doing something wrong?

The user is always put in vsys1.



Tnx for reply.



Tomasz Karczewski




Re: [PacketFence-users] PALO ALTO SSO and multiple VSYS

2016-12-15 Thread Tim DeNike
copy /usr/local/pf/lib/pf/firewallsso/PaloAlto.pm to PaloAlto_Vsys1.pm

edit the file and add =vsys1 into the $webpage definition after
$action=set

Also change the package name and description.

restart PF and the new option should be available.

On Thu, Dec 15, 2016 at 6:51 AM, Tomasz Karczewski <
tkarczew...@man.olsztyn.pl> wrote:

> Hi,
>
>
>
> My PA SSO works fine. I’ve got one question: is there any way to set a user
> on another vsys than vsys1?
>
> I’ve got a multi-vsys environment and I tried to put the user in another vsys
> but maybe I’m doing something wrong?
>
> The user is always put in vsys1.
>
>
>
> Tnx for reply.
>
>
>
> Tomasz Karczewski
>
> 


Re: [PacketFence-users] packetfence and cisco switches

2016-12-14 Thread Tim DeNike
Use RADIUS. Way better!

Sent from my iPhone

On Dec 14, 2016, at 4:03 PM, Tobias Friede  wrote:

Hi,

I think that's not possible because Port Security creates a static entry in
the Mac Table of the switch.
That's how port security is working ;)

You could enable aging. That means if the client is inactive, the MAC
address is removed from the switch port (after a specific time)

=> http://packetlife.net/blog/2010/may/3/port-security/


Greetings
Tobias


2016-12-14 19:57 GMT+01:00 Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov>:

> Packetfence users,
>
> We are using PF 5.0.2 and have a variety of Cisco switches in place.
>
> We have the access ports (vs trunk ports) configured with “sticky mac”
> addresses, and find (we per documentation) that when we make any changes to
> the switch config and save those changes “write memory” that the dynamic
> addresses of the end point devices get written into the switch boot config
> file.
>
> Typical changes we’d want to save are things like adding vlans to the
> trunk, adding a port description for a special end point device, adding a
> new vlan to the switch, etc.
>
> The problem we are seeing is that if a device (typical PC or printer) is
> moved to another port on the switch, then the MAC address of the device
> which is “dynamic” on the port, conflicts with the now static address on
> the old port.
>
> I am going to see if configuring a test switch with “dynamic secure”
> rather than “sticky secure”, I think just a matter of unsetting “sticky”
> for the interface.
>
> Does anyone have any experience with this?
>
> How do you prevent the learned MAC addresses from getting written into the
> config file?
>
> Thank you,
>
> Brian
>
>
>
> 


Re: [PacketFence-users] PacketFence v7 - Will clustering be easier?

2016-12-13 Thread Tim DeNike
Ahh.. I don't use DRBD for it.. I use Mysql circular replication on 2 DB
servers.  BUT.. DRBD is awesome.. Use it for our 80TB NAS to replicate to 2
other servers.  :D  I do agree.. If you don't understand DRBD, it can
really mess you up.

On Tue, Dec 13, 2016 at 10:37 AM, Morris, Andi <amor...@cardiffmet.ac.uk>
wrote:

> Hi,
>
> I’ve used PF in a clustered environment previously (version 5) and had
> more downtime because of it than I did without. This wasn’t directly an
> issue with PacketFence, but with the way that DRBD ties in with the Linux
> kernel, and how to maintain an up to date kernel whilst running this
> technology.
>
>
>
> Personally I’m hoping that the upcoming version 7 clustering will resolve
> my worries around this, as currently we’re relying on VMWare to help to
> mitigate the single point of failure that is currently our database server.
> It certainly sounds very promising.
>
>
>
> Cheers,
>
> Andi
>
>
>
> *From:* Tobias Friede [mailto:t.fri...@gmail.com]
> *Sent:* 13 December 2016 14:41
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] PacketFence v7 - Will clustering be
> easier?
>
>
>
> 2016-12-12 22:43 GMT+01:00 Tim DeNike <tim.den...@mcc.edu>:
>
> Umm As far as clusters go, packetfence is pretty damn easy IMHO..
>
>
>
> Mhh, I tried many installations and followed the Cluster Guide.
>
> I always got stuck at the point where the filesystem is created on the
> DRBD-Cluster.
>
> I just get I/O errors after mounting the partition  Maybe the
> Documentation is not up to date?
>
>
>
>
>
>
>
> Greetings
>
> Tobias
>
>
>
>
>
>
>
>
>
>
>
> On Mon, Dec 12, 2016 at 3:47 PM, Tobias Friede <t.fri...@gmail.com> wrote:
>
> Hi,
>
>
>
> nice announcement, thanks for your great work !
>
>
>
> From: Ludovic Marcotte <lmarco...@inverse.ca>
> >Database Clustering - PacketFence v7 will make use of MariaDB Galera
> Cluster. Each PacketFence server will hold a copy of the database and any
> >cluster member detaching itself from the clustered environment will still
> work and handle endpoint connections gracefully. It will automatically
> >resynchronize itself to the cluster when network connectivity is restored;
>
>
>
>
> The big question is: will clustering be easier than in packetfence 6.x?
>
>
>
> The complicated cluster integration is one of the biggest disadvantages of
> packetfence, that's why we cluster Packetfence with VMware technologies and
> not with built-in features.
>
> But VMware helps only in case of hardware and network issues and not in
> case of software issues, so I would prefer an integrated cluster mechanism.
>
>
>
>
>
> Greetings from Germany
>
> Tobias
>
>
>
>
>
>
>
>
>
>
>
>
>
> 


Re: [PacketFence-users] PacketFence v7 - Will clustering be easier?

2016-12-12 Thread Tim DeNike
Umm As far as clusters go, packetfence is pretty damn easy IMHO..

On Mon, Dec 12, 2016 at 3:47 PM, Tobias Friede  wrote:

> Hi,
>
> nice announcement, thanks for your great work !
>
> From: Ludovic Marcotte 
> >Database Clustering - PacketFence v7 will make use of MariaDB Galera
> Cluster. Each PacketFence server will hold a copy of the database and any
> >cluster member detaching itself from the clustered environment will still
> work and handle endpoint connections gracefully. It will automatically
> >resynchronize itself to the cluster when network connectivity is restored;
>
>
> The big question is: will clustering be easier than in packetfence 6.x?
>
> The complicated cluster integration is one of the biggest disadvantages of
> packetfence, that's why we cluster Packetfence with VMware technologies and
> not with built-in features.
> But VMware helps only in case of hardware and network issues and not in
> case of software issues, so I would prefer an integrated cluster mechanism.
>
>
> Greetings from Germany
> Tobias
>
>
>
>
>
>
>
> 


Re: [PacketFence-users] Admin Roles - Allowed Node Roles

2016-12-07 Thread Tim DeNike
Anyone?

On Mon, Dec 5, 2016 at 11:15 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> PF 6.3.  I set an Admin role for helpdesk users and give them access to a
> limited # of the roles in our system.  Just the roles they would need to do
> their job.  This works in Node view by doing a bulk register, but if they
> click on the node and want to change the role/register a device, it shows
> as readonly unless the device is currently registered and has a role that
> they have access to, not if the device is unregistered and has no role.
> The goal is to allow them to assign devices to the commonly used roles
> around campus, but deny them access to roles that are used dynamically (IE:
>  802.1x), or that they just plain don't need.
>
> I *think* we just need to allow them access to a "NULL" role to be able to
> do this.. I just can't find the best place to hack it together.
>
> Thoughts?
>


[PacketFence-users] Admin Roles - Allowed Node Roles

2016-12-05 Thread Tim DeNike
PF 6.3.  I set an Admin role for helpdesk users and give them access to a
limited # of the roles in our system.  Just the roles they would need to do
their job.  This works in Node view by doing a bulk register, but if they
click on the node and want to change the role/register a device, it shows
as readonly unless the device is currently registered and has a role that
they have access to, not if the device is unregistered and has no role.
The goal is to allow them to assign devices to the commonly used roles
around campus, but deny them access to roles that are used dynamically (IE:
 802.1x), or that they just plain don't need.

I *think* we just need to allow them access to a "NULL" role to be able to
do this.. I just can't find the best place to hack it together.

Thoughts?


Re: [PacketFence-users] ANN: PacketFence v6.4.0

2016-11-16 Thread Tim DeNike
   - Support authentication through Eduroam (PR#1642)

Elaborate on that one. Lol.

Sent from my iPhone

On Nov 16, 2016, at 1:09 PM, Ludovic Marcotte  wrote:

The Inverse team is pleased to announce the immediate availability of
PacketFence v6.4.0. This is a major release with new features, enhancements
and important bug fixes. This release is considered ready for production
use and upgrading from previous versions is strongly advised.

What is PacketFence?

PacketFence is a fully supported, trusted, Free and Open Source Network
Access Control (NAC) solution. Boasting an impressive feature set,
PacketFence can be used to effectively secure small to very large
heterogeneous networks.

Among the features provided by PacketFence, there are:

   - powerful BYOD (Bring Your Own Device) capabilities
   - state-of-the art devices fingerprinting with Fingerbank
   - multiple enforcement methods including Role-Based Access Control
   (RBAC) and hotspot-style
   - compliance checks for endpoints present on your network
   - integration with various vulnerability scanners, intrusion detection
   solutions, security agents and firewalls
   - bandwidth accounting for all devices

A complete overview of the solution is available from the official website:
https://packetfence.org/about.html

Changes Since Previous Release

*New Features*

   - Added Mojo Networks WiFi equipment support (PR#1765)
   - Made Web admin reports more interactive (PR#1731)
   - Support authentication through Eduroam (PR#1642)
   - Allow to create different portal templates based on the browser locale
   (PR#1638)

*Enhancements*

   - Improved IP log performance (PR#1832 / PR#1828 / PR#1790)
   - Added fault tolerance on RADIUS monitoring scripts (PR#1831)
   - Improved the database and maintenance backup script (PR#1830)
   - Added password caching support for Novell eDirectory (PR#1829)
   - Improved caching of LDAP users data (PR#1826)
   - Improved clustering documentation (PR#1825)
   - Added RADIUS command line interface support on port 1812 (PR#1817)
   - Removed useless htaccess file search for each HTTP request (PR#1806)
   - Turned off HTTP KeepAlive to avoid connections holding onto Apache
   processes (PR#1801)
   - Added Cisco MSE documentation (PR#1799)
   - Ability to query 'iplog_archive' table for detailed IP/MAC history
   (PR#1793)
   - Now also display the status for sub services from the Web interface
   (#1040 /PR#1792)
   - Requests made with username 'dummy' will not be recorded in the RADIUS
   audit log anymore (PR#1789)
   - More lightweight p0f processing (PR#1788)
   - Removed useless logging in pfdns.log (PR#1782)
   - Added an activation timeout on sponsor source (PR#1777)
   - Improved captive portal logging (PR#1769)
   - Allow the OAuth landing page template to be customizable (PR#1767)
   - Use RESTful call for RADIUS accounting instead of Perl (#1760)
   - Optimized getting node information from the database (PR#1753)
   - New action generateconfig for pfcmd service command (PR#1744)
   - Added memory limitation for httpd.portal processes (PR#1738)
   - Added predefined search in RADIUS audit log and DHCP Option 82 log
   (PR#1716)
   - Improved display of fingerprinting information in the nodes search
   (PR#1709)
   - Allow captiveportal::Form::Authentication to be customized (PR#1666)
   - Default config overlay for switches.conf, profiles.conf, pfqueue.conf
   and violations.conf (PR#1647)
   - Optimized queries for finding open violations (PR#1718)

*Bug Fixes*

   - Fixed floating devices in active/active clusters (PR#1800)
   - Fixed and improved syntax of pfcmd ipmachistory (#1794)
   - Fixed wrong bandwidth calculation on RADIUS accounting (#1733)
   - Fixed empty Calling-Station-Id in RADIUS accounting (PR#1756)
   - Make sure connection caches are cleared after forking (#1748 / #1749 /
   PR#1751)
   - Added a workaround for DHCP clients that do not respect short lease
   times (#1673)
   - Added namespace parameter in WMI rule (PR#1633)
   - Fixed non-working switch ranges with external portal (#1574 / PR#1613)
   - Joining a domain will sometimes return a 500 even though it succeeded
   (#1821/#1818)
   - Cisco WLC ignores our CoA requests but accepts our Disconnect Requests
   (#1819)
   - pfdetect: pipe is closing when no content (#1814)
   - Condition is a Phone in RADIUS audit log is not working properly (#1813)
   - Condition AutoRegistration in RADIUS audit log is not working properly
   (#1812)
   - Configurator: Status on the services doesn't work (#1811)
   - Invalid SQL for iplog_cleanup_sql (#1802)
   - Added request cache support (#1775)
   - Added stack trace logging (#1774)
   - Removed redundant SQL indexes (#1773)
   - Removed unused code in pf::locationlog (#1772)
   - Fixed missing fields in RADIUS audit log (#1395)
   - Fixed RADIUS audit log hours selection (#1364)

See 

Re: [PacketFence-users] IPv6 progress?

2016-11-14 Thread Tim DeNike
Nada?

On Thu, Nov 10, 2016 at 8:23 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Is there any progress being made towards functional IPv6 IP tracking in
> PF?  I noticed after I upgraded from 5.7 to 6.3, pfdhcplistener no longer
> takes the udp_reflector data I was sending from my DHCPv6 servers.  It's
> like it just ignores it.  ( I know it only ever looked for the
> fingerprint/vendor/enterprise info and didn't update).
>
> #1.  Forwarding DHCPv6 using udp_reflector
> #2.  Tracking IA-NA address per host
> #3.  Making use of Framed-IPv6-Address RADIUS attribute
> #4.  Performing firewall SSO updates
>
> Less Important (At least to me):
> #5.  Tracking IA-PD subnet per host (as a separate field).
> #6.  Figure out a way to forward ND packets to PF for sites that use SLAAC
> (Maybe snmp queries to routers or sflow data?)
>
> In the end, I think we would probably need to expand the pf.iplog table to
> be more like (Or have a separate table for ipv6 addresses?  I don't know
> what is going to be most scalable/efficient):
>
> mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd,
> start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2,
> start_time6na2, end_time6na2
>
>
> Reasoning for so many fields:
>
> In a network with both SLAAC and DHCP6 enabled, a device could have 4 ipv6
> addresses.
>
> 1 - SLAAC address
> 2 - SLAAC temporary (Privacy extensions address)
> 3 - DHCP6 address
> 4 - DHCP6 PD Prefix
>
> Now this is an improperly configured network, but there could be a legit
> use-case for it.. You should really only use SLAAC or DHCP6, not both.
>
> A Windows client will prefer/use the DHCP6 address, but the SLAAC and
> SLAACtemp address are both valid and usable.
>
> A Mac client will prefer/use the SLAAC temp address, but the SLAAC and
> DHCP6 address are still valid and usable.
>
> Android devices don't support DHCP6 (Because google is really stupid)
>
> IOS Devices behave like OSX devices.
>
> Most home routers will use DHCP6 address for their own communication,
>  some will get a SLAAC address, some won't.  Most don't even need the NA
> address and only require a PD address.


[PacketFence-users] IPv6 progress?

2016-11-10 Thread Tim DeNike
Is there any progress being made towards functional IPv6 IP tracking in
PF?  I noticed after I upgraded from 5.7 to 6.3, pfdhcplistener no longer
takes the udp_reflector data I was sending from my DHCPv6 servers.  It's
like it just ignores it.  ( I know it only ever looked for the
fingerprint/vendor/enterprise info and didn't update).

#1.  Forwarding DHCPv6 using udp_reflector
#2.  Tracking IA-NA address per host
#3.  Making use of Framed-IPv6-Address RADIUS attribute
#4.  Performing firewall SSO updates

Less Important (At least to me):
#5.  Tracking IA-PD subnet per host (as a separate field).
#6.  Figure out a way to forward ND packets to PF for sites that use SLAAC
(Maybe snmp queries to routers or sflow data?)

In the end, I think we would probably need to expand the pf.iplog table to
be more like (Or have a separate table for ipv6 addresses?  I don't know
what is going to be most scalable/efficient):

mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd,
start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2,
start_time6na2, end_time6na2


Reasoning for so many fields:

In a network with both SLAAC and DHCP6 enabled, a device could have 4 ipv6
addresses.

1 - SLAAC address
2 - SLAAC temporary (Privacy extensions address)
3 - DHCP6 address
4 - DHCP6 PD Prefix

Now this is an improperly configured network, but there could be a legit
use-case for it.. You should really only use SLAAC or DHCP6, not both.

A Windows client will prefer/use the DHCP6 address, but the SLAAC and
SLAACtemp address are both valid and usable.

A Mac client will prefer/use the SLAAC temp address, but the SLAAC and
DHCP6 address are still valid and usable.

Android devices don't support DHCP6 (Because google is really stupid)

IOS Devices behave like OSX devices.

Most home routers will use DHCP6 address for their own communication,  some
will get a SLAAC address, some won't.  Most don't even need the NA address
and only require a PD address.
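The separate-table option raised in the post, as an added example (not PacketFence code and not part of the original message): one row per MAC/address binding instead of a fixed set of columns, plus the lookup that IP tracking and firewall SSO depend on, namely which MAC held an address at a given time. The table and column names, the `source` labels and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import sqlite3

# Hypothetical schema (not PacketFence's): one row per address binding, so a
# MAC can hold any number of IPv6 addresses without adding columns.
SCHEMA = """
CREATE TABLE ip6log (
    mac        TEXT NOT NULL,
    ip6        TEXT NOT NULL,   -- host address, or CIDR prefix for an IA_PD lease
    kind       TEXT NOT NULL,
    start_time INTEGER NOT NULL,
    end_time   INTEGER          -- NULL while the binding is active
);
"""
ACTIVE = "start_time <= ? AND (end_time IS NULL OR end_time > ?)"

def eui64_iid(mac):
    """Modified EUI-64 interface ID for a MAC: flip the U/L bit, insert ff:fe."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def classify(mac, ip6, source):
    """source says how the binding was learned: 'ia-na', 'ia-pd' (DHCPv6) or 'nd'."""
    if source in ("ia-na", "ia-pd"):
        return "dhcpv6-" + source[3:]
    addr = ipaddress.IPv6Address(ip6)
    if addr.is_link_local:
        return "link-local"
    if int(addr) & ((1 << 64) - 1) == eui64_iid(mac):
        return "slaac-eui64"
    # Temporary (privacy) and other randomised SLAAC addresses cannot be told
    # apart from the address alone, so they share one kind.
    return "slaac-temp-or-opaque"

def normalise(ip6):
    if "/" in ip6:
        return str(ipaddress.IPv6Network(ip6))
    return str(ipaddress.IPv6Address(ip6))

def close_binding(db, ip6, now):
    db.execute(
        "UPDATE ip6log SET end_time = ? WHERE ip6 = ? AND end_time IS NULL",
        (now, normalise(ip6)),
    )

def open_binding(db, mac, ip6, source, now):
    kind, key, mac = classify(mac, ip6, source), normalise(ip6), mac.lower()
    row = db.execute(
        "SELECT mac FROM ip6log WHERE ip6 = ? AND end_time IS NULL", (key,)
    ).fetchone()
    if row and row[0] == mac:
        return kind                  # already tracked, nothing to do
    if row:
        close_binding(db, key, now)  # address moved to a different MAC
    db.execute("INSERT INTO ip6log VALUES (?, ?, ?, ?, NULL)", (mac, key, kind, now))
    return kind

def active_kinds(db, mac, at):
    rows = db.execute(
        "SELECT kind FROM ip6log WHERE mac = ? AND " + ACTIVE, (mac.lower(), at, at)
    )
    return sorted(r[0] for r in rows)

def who_had(db, ip6, at):
    """(mac, kind) behind ip6 at time `at`; also matches hosts inside a delegated prefix."""
    addr = ipaddress.IPv6Address(ip6)
    row = db.execute(
        "SELECT mac, kind FROM ip6log WHERE ip6 = ? AND " + ACTIVE, (str(addr), at, at)
    ).fetchone()
    if row:
        return row
    leases = db.execute(
        "SELECT mac, ip6 FROM ip6log WHERE kind = 'dhcpv6-pd' AND " + ACTIVE, (at, at)
    ).fetchall()
    for mac, prefix in leases:
        if addr in ipaddress.IPv6Network(prefix):
            return (mac, "dhcpv6-pd")
    return None

def demo():
    """Constructed events for one client on a network running SLAAC and DHCPv6."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    mac = "00:11:22:33:44:55"
    for t, source, ip6 in [
        (100, "nd", "fe80::211:22ff:fe33:4455"),
        (100, "nd", "2001:db8:10:0:211:22ff:fe33:4455"),
        (100, "nd", "2001:db8:10:0:a1b2:c3d4:e5f6:1234"),
        (110, "ia-na", "2001:db8:10::1000"),
        (110, "ia-pd", "2001:db8:100::/56"),
    ]:
        open_binding(db, mac, ip6, source, t)
    # The temporary address rotates at t=500.
    close_binding(db, "2001:db8:10:0:a1b2:c3d4:e5f6:1234", 500)
    open_binding(db, mac, "2001:db8:10:0:9f8e:7d6c:5b4a:3210", "nd", 500)
    return db, mac
```

Closed rows are kept rather than overwritten, so a lookup for a rotated temporary address still resolves to the MAC for the period it was in use.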


Re: [PacketFence-users] PF 6.2.1 how to use PDC AND BDC for 802.1x ??

2016-10-26 Thread Tim DeNike
if your domain is t-systems.local, just put that in the field instead of
the PDC hostname.  Then DNS will just fail between all of your DCs.

On Wed, Oct 26, 2016 at 11:25 AM,  wrote:

> Hi,
>
>
>
> we do 802.1x wired auth with PacketFence, which works as expected, until we
> have to boot our Primary Domain Controller (PDC), which is configured in the
> Packet Domain Config.
>
> There is only one field for THE Server. How do I configure the BDC, too?
>
>
>
> Please Help
>
> Thanks,
>
> Holger
>


Re: [PacketFence-users] PF 6.3 node info autoreg not being set?

2016-10-25 Thread Tim DeNike
OK.  I figured it out.

If you have dot1x recompute role from portal checked then autoreg is
explicitly set to no in role.pm.

Previously,

[reg:WirelessEAP]
scope = AutoRegister
role = node_info.category

Would work to auto-reg a device coming from EAP.  It got a little error
about node_info.category not existing, but it did end up resolving the
proper role so I didn't care.

In 6.3, that error is fatal and the device would get no role.

So Auto-reg on the portal profile works as long as recompute role from
portal is unchecked.


On Tue, Oct 25, 2016 at 7:59 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Sorry about the delay.
>
> Whether I set a node to be auto-registered in the portal profile or in the
> vlan_filter.conf.. Auto-registration DOES work, but node.autoreg never gets
> set in the database.  That's the problem.  It never matches the rule in
> vlan_filters.conf.default because node.autoreg is always "no".
>
>
> Ideas?
>
> On Mon, Oct 24, 2016 at 9:42 AM, Tim DeNike <tim.den...@mcc.edu> wrote:
>
>> Will in a few mins.  But what about nodeinfo autoreg not being set in
>> do?  Wouldn't that be the problem?
>>
>> Sent from my iPhone
>>
>> On Oct 24, 2016, at 9:39 AM, Durand fabrice <fdur...@inverse.ca> wrote:
>>
>> Can you paste me the vlan filter ?
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2016-10-24 à 09:36, Tim DeNike a écrit :
>>
>> I used to use vlan filters to achieve that.  That's how I did auto-reg
>> before.
>>
>> In an attempt to try to fix it, I changed auto-reg to the portal profile,
>> but devices still don't get flagged as autoreg in pf.node
>>
>> On Mon, Oct 24, 2016 at 9:13 AM, Durand fabrice <fdur...@inverse.ca>
>> wrote:
>>
>>> Hello Tim,
>>>
>>> did you achieve that with Vlan filters ?
>>>
>>> Btw we added default vlan filters (vlan_filters.conf.defaults) to unreg
>>> device coming from a secure ssid but i don't think that it's the issue.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> Le 2016-10-24 à 09:06, Tim DeNike a écrit :
>>>
>>> When a user connects to a 802.1x SSID, autoreg isn't being set on the
>>> user.
>>>
>>> Subsequently, when they try to connect to a MAC-auth SSID, they aren't
>>> being rejected and are retaining their same role.
>>>
>>> Is there a change in how this functions between 5.7 and 6.3?
>>>
>>>


Re: [PacketFence-users] PF 6.3 node info autoreg not being set?

2016-10-25 Thread Tim DeNike
Sorry about the delay.

Whether I set a node to be auto-registered in the portal profile or in the
vlan_filter.conf.. Auto-registration DOES work, but node.autoreg never gets
set in the database.  That's the problem.  It never matches the rule in
vlan_filters.conf.default because node.autoreg is always "no".


Ideas?

On Mon, Oct 24, 2016 at 9:42 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Will in a few mins.  But what about nodeinfo autoreg not being set in do?
> Wouldn't that be the problem?
>
> Sent from my iPhone
>
> On Oct 24, 2016, at 9:39 AM, Durand fabrice <fdur...@inverse.ca> wrote:
>
> Can you paste me the vlan filter ?
>
> Regards
>
> Fabrice
>
>
>
> Le 2016-10-24 à 09:36, Tim DeNike a écrit :
>
> I used to use vlan filters to achieve that.  That's how I did auto-reg
> before.
>
> In an attempt to try to fix it, I changed auto-reg to the portal profile,
> but devices still don't get flagged as autoreg in pf.node
>
> On Mon, Oct 24, 2016 at 9:13 AM, Durand fabrice <fdur...@inverse.ca>
> wrote:
>
>> Hello Tim,
>>
>> did you achieve that with Vlan filters ?
>>
>> Btw we added default vlan filters (vlan_filters.conf.defaults) to unreg
>> device coming from a secure ssid but i don't think that it's the issue.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2016-10-24 à 09:06, Tim DeNike a écrit :
>>
>> When a user connects to a 802.1x SSID, autoreg isn't being set on the
>> user.
>>
>> Subsequently, when they try to connect to a MAC-auth SSID, they aren't
>> being rejected and are retaining their same role.
>>
>> Is there a change in how this functions between 5.7 and 6.3?
>>
>>


Re: [PacketFence-users] PF 6.3 node info autoreg not being set?

2016-10-24 Thread Tim DeNike
Will in a few mins.  But what about nodeinfo autoreg not being set in do?
Wouldn't that be the problem?

Sent from my iPhone

On Oct 24, 2016, at 9:39 AM, Durand fabrice <fdur...@inverse.ca> wrote:

Can you paste me the vlan filter ?

Regards

Fabrice



Le 2016-10-24 à 09:36, Tim DeNike a écrit :

I used to use vlan filters to achieve that.  That's how I did auto-reg
before.

In an attempt to try to fix it, I changed auto-reg to the portal profile,
but devices still don't get flagged as autoreg in pf.node

On Mon, Oct 24, 2016 at 9:13 AM, Durand fabrice <fdur...@inverse.ca> wrote:

> Hello Tim,
>
> did you achieve that with Vlan filters ?
>
> Btw we added default vlan filters (vlan_filters.conf.defaults) to unreg
> device coming from a secure ssid but i don't think that it's the issue.
>
> Regards
>
> Fabrice
>
>
>
> Le 2016-10-24 à 09:06, Tim DeNike a écrit :
>
> When a user connects to a 802.1x SSID, autoreg isn't being set on the
> user.
>
> Subsequently, when they try to connect to a MAC-auth SSID, they aren't
> being rejected and are retaining their same role.
>
> Is there a change in how this functions between 5.7 and 6.3?
>
>


Re: [PacketFence-users] PF 6.3 node info autoreg not being set?

2016-10-24 Thread Tim DeNike
I used to use vlan filters to achieve that.  That's how I did auto-reg
before.

In an attempt to try to fix it, I changed auto-reg to the portal profile,
but devices still don't get flagged as autoreg in pf.node

On Mon, Oct 24, 2016 at 9:13 AM, Durand fabrice <fdur...@inverse.ca> wrote:

> Hello Tim,
>
> did you achieve that with Vlan filters ?
>
> Btw we added default vlan filters (vlan_filters.conf.defaults) to unreg
> device coming from a secure ssid but i don't think that it's the issue.
>
> Regards
>
> Fabrice
>
>
>
> Le 2016-10-24 à 09:06, Tim DeNike a écrit :
>
> When a user connects to a 802.1x SSID, autoreg isn't being set on the
> user.
>
> Subsequently, when they try to connect to a MAC-auth SSID, they aren't
> being rejected and are retaining their same role.
>
> Is there a change in how this functions between 5.7 and 6.3?
>
>


[PacketFence-users] PF 6.3 node info autoreg not being set?

2016-10-24 Thread Tim DeNike
When a user connects to a 802.1x SSID, autoreg isn't being set on the user.

Subsequently, when they try to connect to a MAC-auth SSID, they aren't
being rejected and are retaining their same role.

Is there a change in how this functions between 5.7 and 6.3?


Re: [PacketFence-users] Upgraded to PF 6.3.. Load-balancing the Mgmt portal?

2016-10-24 Thread Tim DeNike
Must have been something I was doing wrong. It's working fine now.

On Sun, Oct 23, 2016 at 4:47 PM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Seems like every other click through the management portal directs me to a
> different server and I have to login again.
>
> Any way to make it primary only?
>


[PacketFence-users] 6.3 EAP-Type in filters. Change from 5.7?

2016-10-24 Thread Tim DeNike
This used to work:


[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-TLS

[MSCHAPV2]
filter = radius_request
attribute = EAP-Type
operator = is
value = MSCHAPv2

Now you need to do this:

[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = 13

[MSCHAPV2]
filter = radius_request
attribute = EAP-Type
operator = is
value = 26


Also in the location info on the management portal, it used to show the
human readable EAP-Type, now it just shows the #.
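An added example (not from the original post and not PacketFence code): a check that finds `EAP-Type` conditions still written with a method name and rewrites them to the numeric form shown in the post, reporting any name it cannot resolve. The numbers are the IANA EAP method types; the sample file, the section names other than `EAPTLS` and `MSCHAPV2`, and the extra name spellings in the table are constructed assumptions.

```python
import configparser
import io

# IANA EAP method type numbers. EAP-TLS and MSCHAPv2 are the names used in the
# post; the other spellings are assumptions about what an old filter may hold.
EAP_TYPES = {
    "EAP-TLS": 13, "TLS": 13,
    "EAP-TTLS": 21, "TTLS": 21,
    "PEAP": 25,
    "MSCHAPV2": 26, "EAP-MSCHAPV2": 26,
}

# Constructed sample, not a real deployment's file.
SAMPLE = """\
[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-TLS

[MSCHAPV2]
filter = radius_request
attribute = EAP-Type
operator = is
value = MSCHAPv2

[PEAP_ALREADY_NUMERIC]
filter = radius_request
attribute = EAP-Type
operator = is
value = 25

[UNKNOWN_METHOD]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-EXAMPLE

[NOT_EAP]
filter = radius_request
attribute = Calling-Station-Id
operator = is
value = 00:11:22:33:44:55
"""


def migrate_eap_filters(text):
    """Return (new_text, changed, unresolved) for an INI-style filter file.

    changed maps section name -> (old name, new number); unresolved lists
    (section, value) pairs that are neither numeric nor a known method name
    and therefore need a manual decision.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case as written
    cp.read_string(text)
    changed, unresolved = {}, []
    for name in cp.sections():
        section = cp[name]
        if section.get("attribute", "").lower() != "eap-type":
            continue                          # other conditions are left alone
        value = section.get("value", "").strip()
        if value.isdigit():
            continue                          # already in numeric form
        number = EAP_TYPES.get(value.upper())
        if number is None:
            unresolved.append((name, value))
        else:
            section["value"] = str(number)
            changed[name] = (value, number)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changed, unresolved


if __name__ == "__main__":
    new_text, changed, unresolved = migrate_eap_filters(SAMPLE)
    print(new_text)
    print("rewritten:", changed)
    print("needs review:", unresolved)
```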


[PacketFence-users] Upgraded to PF 6.3.. Load-balancing the Mgmt portal?

2016-10-23 Thread Tim DeNike
Seems like every other click through the management portal directs me to a
different server and I have to login again.

Any way to make it primary only?


Re: [PacketFence-users] Server Load metric

2016-09-13 Thread Tim DeNike
There is no optimal.  It's better used as a baseline.  If it's normally
around 1.5 and today it's running at 10, something is possibly wrong.  All
that really matters is if the system is responsive enough to suit the task.
It could be at 99 and doesn't really matter if radius responses are coming
back fast.

Sent from my iPhone

On Sep 13, 2016, at 4:58 AM, Torry, Andrew 
wrote:

This is all very useful and a fine exercise in Linux semantics, but it does
not really help me much when
I have a manager asking me what this stuff all means and whether the server
up to the job or not.

What is a good (aka safe) figure for a system say with 16G RAM and 8 cores.

It strikes me the vertical scale for this graph might as well be 'Chickens'
or 'Bananas' as it
does not seem to indicate what is or is not a 'good' figure it just shows
ups and downs.

Perhaps the 'Developers' could add an optimal horizontal line into the
graph (ie. go above that
and your server is struggling). After all the number of Portal connections
and other httpd performance
settings are pre-calculated based on resources so it should not be
difficult to do.

Andrew



-
Falmouth University
-

-Original Message-
From: Sallee, Jake [mailto:jake.sal...@umhb.edu ]
Sent: 12 September 2016 14:29
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Server Load metric

> Load average is more complex than number of (logical or otherwise)
> CPUs vs the load average number. The reason being load takes into
> account the processor state of "waiting for disk I/O".

Ah, yes. Forgot about that.

You can use a command like iostat to get more detailed info about I/O.

The iowait field will give you the % time your CPU was idle due to waiting
on system I/O (IE: reading from hard disk).

> As far as my experience goes, when load is driven up, it is almost
> always due to IO saturation, not CPU saturation. However, I don't have
> much experience with PF systems, so they might have CPU saturation
> issues.


Interesting.  My experience has been almost the opposite. But most of my
workloads tend to be RAM centric and not disc centric which could account
for that.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Matt Zagrabelny 
Sent: Friday, September 9, 2016 3:07 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Server Load metric

On Fri, Sep 9, 2016 at 2:37 PM, Sallee, Jake  wrote:

I always assumed that came from the same source that 'top' pulls from.



If I am correct then the number represents the workload of your system. In
simplified terms you want this number to always be less than the number of
processor cores in your system.



If you have a quad core system and you have a system load of 3.00 then you
are effectively running 3 of your cores at 100%.



If in a quad core system you have a value of 8.00 this means that you have
overloaded your system and there are 4 processes waiting while 4 other
processes are fully utilizing all the cores on your system.



Here is a bit more explanation if you're interested.



http://www.howtogeek.com/194642/understanding-the-load-average-on-linux-and-other-unix-like-systems/



TL;DR: the load score should always be less than the number of logical
cores in your system, if it's not then your system is overworked and you
need to do something about it.


Load average is more complex than number of (logical or otherwise)
CPUs vs the load average number. The reason being load takes into
account the processor state of "waiting for disk I/O".

From man proc:

  /proc/loadavg
         The first three fields in this file are load average figures
         giving the number of jobs in the run queue (state R) or waiting
         for disk I/O (state D) averaged over 1, 5, and 15 minutes.  They
         are the same as the load average numbers given by uptime(1) and
         other programs.  The fourth field consists of two numbers
         separated by a slash (/).  The first of these is the number of
         currently runnable kernel scheduling entities (processes,
         threads).  The value after the slash is the number of kernel
         scheduling entities that currently exist on the system.  The
         fifth field is the PID of the process that was most recently
         created on the system.

Thus, you could have a high load average and throw a bunch of CPUs at
the issue and it doesn't change the problem one bit. It could be IO
bound.

As far as my experience goes, when load is driven up, it is almost
always due to IO saturation, not CPU saturation. However, I don't have
much experience with PF systems, so they might have CPU saturation
issues.


Re: [PacketFence-users] Server Load metric

2016-09-09 Thread Tim DeNike
2.0 concurrently active processes.  Represents Unix load average. If you
are multicore, 2.0 is really nothing to worry about.

Sent from my iPhone

On Sep 9, 2016, at 11:53 AM, Torry, Andrew 
wrote:

Can anyone enlighten me as to what the vertical scale on the 'Server Load'
graph represents.
I am really not sure if I should worry about a server load above 2.0 or
not. Is it about to break or what?

Andrew



-
   Falmouth Exeter Plus
-



Re: [PacketFence-users] Windows 10 & Kaspersky (off-topic)

2016-09-09 Thread Tim DeNike
Price-reliability-performance-features. Pick 3.

How much internet bandwidth do you use?   They are priced reasonably by
actual expected throughput.  Our 5050 ha pair was damn expensive, but we
use them to firewall between all our VRFs including between the campus and
servers.  So having 5-10gig throughput is a requirement.

However. The lower end models that do 1g of throughput aren't really that
expensive.  Multi gig/10gig ports is where the price really goes up.
100mbit models are only a couple grand.

Sent from my iPhone

On Sep 9, 2016, at 1:16 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

Palo Alto. Will do it all.


PA is nice, but good golly Ms. Molly are they proud of them.

I couldn't afford one if I sold all my major organs ... sad day.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Tim DeNike <tim.den...@mcc.edu>
Sent: Thursday, September 8, 2016 2:33 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows 10 & Kaspersky

Palo Alto. Will do it all. Including block connections to ssl sites
based on content of the flow.  Ie:  matching  certificates in the
handshake.

Sent from my iPhone

On Sep 8, 2016, at 12:44 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

Solving the issue is simple. Block the traffic.


When the traffic is being tunneled out via dest port 443 over SSL to a
seemingly random list of servers blocking it is difficult.


We do block all access to DNS servers that are not on-campus, so those
people who come in with static 8.8.8.8 and 8.8.4.4 and such notice pretty
quick that nothing works; but that is operating under the assumption that
the standard DNS ports are being used.


I am looking for a DNS proxy that I can put in place to intercept and reply
to DNS requests, so if anyone knows of one please feel free to drop me a
line.


I know the technology exists I just haven't gotten around to it yet. My
working theory is to use a route map on my edge router to relay all the
requests to a DNS server I control running BIND. But alas, this requires
time which I do not have at the moment and running tests that can
potentially take down our production network is frowned upon.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________
From: Tim DeNike <tim.den...@mcc.edu>
Sent: Wednesday, September 7, 2016 7:32 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows 10 & Kaspersky

Solving the issue is simple. Block the traffic. The rest will work
itself out.  People need to learn to not do things that break the
Internet.  Using 3rd party DNS servers like that causes decreased
performance of the interwebzz.

Sent from my iPhone


On Sep 7, 2016, at 6:54 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:


I didn't see anyone else reply to this so here is what we are seeing.



Scenario 1: (less likely)



Some AV vendors (Kaspersky being one) are installing a DNS proxy with the
AV software and are tunneling all DNS traffic to their own servers.  I did
some research a while ago into this and found the traffic was being
tunneled out via port 443 but I do not remember who the AV vendor was at
the time.



We run split horizon DNS so the effects of this DNS proxy are rather
serious; not only does it break our onboarding process, but it also denies
access to most of our campus resources while the user is actually on campus.



Sometimes it is a setting (in some versions of Norton) but other times it
is just there and cannot be disabled as far as I can tell (as is the case
with Kaspersky).



Interestingly enough, stopping the Kaspersky services does not seem to fix
the issue and we have to either uninstall the AV or manually register the
user.



Scenario 2: (more likely)



There is an option to disable the built-in Windows DNS Client service when
you install Kaspersky.   If the user checked that it can cause DNS issues
as well.  You can check the Windows services manager and see if the DNS
Client service is stopped and disabled, if it is that could be your issue.



By default it should be set to automatic start and restart on all failures
and should be running as "Network Service"



Conclusion:



It is a pain and we have no way of solving this issue, I am open to ideas
though if anyone has them.



Also, if anyone has a direct line to the folks at Kaspersky and/or the
other vendors who are doing this ... tell them from me they deserve a swift
kick in the naughty bits for all the trouble they are causing.



Jake Sallee

Godfather of Bandwidth

System Engineer

University of Mary Hardin-Baylor

WWW.UMHB.EDU


900 College St.

Belton, 

Re: [PacketFence-users] Windows 10 & Kaspersky

2016-09-08 Thread Tim DeNike
Palo Alto. Will do it all. Including block connections to ssl sites
based on content of the flow.  Ie:  matching  certificates in the
handshake.

Sent from my iPhone

On Sep 8, 2016, at 12:44 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

>> Solving the issue is simple. Block the traffic.
>
> When the traffic is being tunneled out via dest port 443 over SSL to a 
> seemingly random list of servers blocking it is difficult.
>
> We do block all access to DNS servers that are not on-campus, so those people
> who come in with static 8.8.8.8 and 8.8.4.4 and such notice pretty quick that
> nothing works; but that is operating under the assumption that the standard
> DNS ports are being used.
>
> I am looking for a DNS proxy that I can put in place to intercept and reply 
> to DNS requests, so if anyone knows of one please feel free to drop me a line.
>
> I know the technology exists I just haven't gotten around to it yet. My
> working theory is to use a route map on my edge router to relay all the
> requests to a DNS server I control running BIND. But alas, this requires
> time which I do not have at the moment and running tests that can potentially
> take down our production network is frowned upon.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> 
> From: Tim DeNike <tim.den...@mcc.edu>
> Sent: Wednesday, September 7, 2016 7:32 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Windows 10 & Kaspersky
>
> Solving the issue is simple. Block the traffic. The rest will work
> itself out.  People need to learn to not do things that break the
> Internet.  Using 3rd party DNS servers like that causes decreased
> performance of the interwebzz.
>
> Sent from my iPhone
>
>> On Sep 7, 2016, at 6:54 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:
>>
>> I didn't see anyone else reply to this so here is what we are seeing.
>>
>>
>> Scenario 1: (less likely)
>>
>>
>> Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV 
>> software and are tunneling all DNS traffic to their own servers.  I did some 
>> research a while ago into this and found the traffic was being tunneled out 
>> via port 443 but I do not remember who the AV vendor was at the time.
>>
>>
>> We run split horizon DNS so the effects of this DNS proxy are rather 
>> serious; not only does it break our onboarding process, but it also denies 
>> access to most of our campus resources while the user is actually on campus.
>>
>>
>> Sometimes it is a setting (in some versions of Norton) but other times it is 
>> just there and cannot be disabled as far as I can tell (as is the case with 
>> Kaspersky).
>>
>>
>> Interestingly enough, stopping the Kaspersky services does not seem to fix 
>> the issue and we have to either uninstall the AV or manually register the 
>> user.
>>
>>
>> Scenario 2: (more likely)
>>
>>
>> There is an option to disable the built-in Windows DNS Client service when 
>> you install Kaspersky.   If the user checked that it can cause DNS issues as 
>> well.  You can check the Windows services manager and see if the DNS Client 
>> service is stopped and disabled, if it is that could be your issue.
>>
>>
>> By default it should be set to automatic start and restart on all failures 
>> and should be running as "Network Service"
>>
>>
>> Conclusion:
>>
>>
>> It is a pain and we have no way of solving this issue, I am open to ideas 
>> though if anyone has them.
>>
>>
>> Also, if anyone has a direct line to the folks at Kaspersky and/or the other 
>> vendors who are doing this ... tell them from me they deserve a swift kick 
>> in the naughty bits for all the trouble they are causing.
>>
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>> 
>> From: Thomas, Gregory A <thom...@uwp.edu>
>> Sent: Wednesday, September 7, 2016 1:14 PM
>> To: packetfence-users@lists.sourceforge.net
>> Subject: [PacketFence-users] Windows 10 & Kaspersky
>>
>> All,
>>
>> Is any one else having problems with Win

Re: [PacketFence-users] Windows 10 & Kaspersky

2016-09-07 Thread Tim DeNike
Solving the issue is simple. Block the traffic. The rest will work
itself out.  People need to learn to not do things that break the
Internet.  Using 3rd party DNS servers like that causes decreased
performance of the interwebzz.

Sent from my iPhone

> On Sep 7, 2016, at 6:54 PM, Sallee, Jake  wrote:
>
> I didn't see anyone else reply to this so here is what we are seeing.
>
>
> Scenario 1: (less likely)
>
>
> Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV 
> software and are tunneling all DNS traffic to their own servers.  I did some 
> research a while ago into this and found the traffic was being tunneled out 
> via port 443 but I do not remember who the AV vendor was at the time.
>
>
> We run split horizon DNS so the effects of this DNS proxy are rather serious; 
> not only does it break our onboarding process, but it also denies access to 
> most of our campus resources while the user is actually on campus.
>
>
> Sometimes it is a setting (in some versions of Norton) but other times it is 
> just there and cannot be disabled as far as I can tell (as is the case with 
> Kaspersky).
>
>
> Interestingly enough, stopping the Kaspersky services does not seem to fix 
> the issue and we have to either uninstall the AV or manually register the 
> user.
>
>
> Scenario 2: (more likely)
>
>
> There is an option to disable the built-in Windows DNS Client service when 
> you install Kaspersky.   If the user checked that it can cause DNS issues as 
> well.  You can check the Windows services manager and see if the DNS Client 
> service is stopped and disabled, if it is that could be your issue.
>
>
> By default it should be set to automatic start and restart on all failures 
> and should be running as "Network Service"
>
>
> Conclusion:
>
>
> It is a pain and we have no way of solving this issue, I am open to ideas 
> though if anyone has them.
>
>
> Also, if anyone has a direct line to the folks at Kaspersky and/or the other 
> vendors who are doing this ... tell them from me they deserve a swift kick in 
> the naughty bits for all the trouble they are causing.
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> From: Thomas, Gregory A 
> Sent: Wednesday, September 7, 2016 1:14 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: [PacketFence-users] Windows 10 & Kaspersky
>
> All,
>
> Is any one else having problems with Windows 10 and Kaspersky AV?
>
> I am having multiple folks that can connect to the network, but the browser 
> reports: No Connection.
>
> Any clues on what I may need to change on my side or advice to give them to 
> connect.
>
> --
> Gregory A. Thomas
> Student Life Support Specialist
> University of Wisconsin-Parkside
> thom...@uwp.edu
> 262.595.2432
>
>


Re: [PacketFence-users] Vlan filter matching radius realm?

2016-09-06 Thread Tim DeNike
Changing Null to an internal auth source and mapping the DEFAULT realm to
the null source "eduroam" accomplished what I wanted.

On Tue, Sep 6, 2016 at 12:46 PM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Yeah.. No go.  I'm not doing this in tunnel.  This is for requests going
> out to eduroam.
>
> The end goal is to end up getting the user a valid role in PF for external
> eduroam users.  I had this working before in vlan/custom.pm before other
> changes were implemented that caused it to not work the way we wanted it to
> anymore.
>
> Right now, the best I can do is manually assign a vlan attribute from
> RADIUS.
>
> On Tue, Sep 6, 2016 at 10:42 AM, Fabrice Durand <fdur...@inverse.ca>
> wrote:
>
>> Looks like it works for me.
>>
>> btw it should be: "update request { Realm := DEFAULT }" in
>> packetfence-tunnel in post-auth before rest.
>>
>> Fabrice
>>
>>
>>
>> On 2016-09-06 at 09:13, Fabrice Durand wrote:
>>
>> Ok i will try it on my side.
>>
>> On 2016-09-06 at 08:47, Tim DeNike wrote:
>>
>> [realmdefault]
>> filter = radius_request
>> attribute = User-Name
>> operator = is
>> value = mcc_t...@eduroam.us
>>
>> Works
>>
>> [realmdefault]
>> filter = radius_request
>> attribute = Realm
>> operator = is
>> value = DEFAULT
>>
>> Does not.
>>
>> I did try filter = radius_reply as well... Are you saying I need to use
>> the freeradius internal mappings like radius_reply.Realm?
>>
>> On Tue, Sep 6, 2016 at 8:41 AM, Fabrice Durand <fdur...@inverse.ca>
>> wrote:
>>
>>> The filter is something like that ? :
>>>
>>> [DEFAULT]
>>> filter = radius_request.Realm
>>> operator = is
>>> value = DEFAULT
>>>
>>>
>>>
>>>
>>> On 2016-09-06 at 08:32, Tim DeNike wrote:
>>>
>>> Even if I manually defined it by update reply { Realm := DEFAULT } in
>>> the post-auth section before calling packetfence module, it still wouldn't
>>> match.  It showed in the radius audit log, but just wouldn't match.
>>>
>>> On Tue, Sep 6, 2016 at 8:28 AM, Fabrice Durand <fdur...@inverse.ca>
>>> wrote:
>>>
>>>> Hello Tim,
>>>>
>>>> you can use raddebug (raddebug -f /usr/local/pf/var/run/radiusd.sock)
>>>> to
>>>> check if the realm attribute is there.
>>>>
>>>> But if it's DEFAULT, it's probably undefined.
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>>
>>>>
>>>> On 2016-09-05 at 19:13, Tim DeNike wrote:
>>>> > Fwiw. This is for eduroam and is being proxied to 2 local externally
>>>> > facing radius servers that in turn send it to eduroam.
>>>> >
>>>> > Sent from my iPhone
>>>> >
>>>> >> On Sep 5, 2016, at 6:47 PM, Tim DeNike <tim.den...@mcc.edu> wrote:
>>>> >>
>>>> >> I'm trying to get a vlan filter to work by matching an ssid and
>>>> radius
>>>> >> attribute Realm is DEFAULT in order auto register and assign a
>>>> >> role/duration. For some reason I just can't get it to match the Realm
>>>> >> in the radius reply.  Is there some trick to it?
>>>> >>
>>>> >> Sent from my iPhone
>>>> > 
>>>>
>>>> --
>>>> Fabrice Durand
>>>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>> PacketFence (http://packetfence.org)
>>>>
>>>>
>>>> 
>>>>
>>>
>>>
>>>
>>> 

Re: [PacketFence-users] Vlan filter matching radius realm?

2016-09-06 Thread Tim DeNike
Yeah.. No go.  I'm not doing this in tunnel.  This is for requests going out
to eduroam.

The end goal is to end up getting the user a valid role in PF for external
eduroam users.  I had this working before in vlan/custom.pm before other
changes were implemented that caused it to not work the way we wanted it to
anymore.

Right now, the best I can do is manually assign a vlan attribute from
RADIUS.

On Tue, Sep 6, 2016 at 10:42 AM, Fabrice Durand <fdur...@inverse.ca> wrote:

> Looks like it works for me.
>
> btw it should be: "update request { Realm := DEFAULT }" in
> packetfence-tunnel in post-auth before rest.
>
> Fabrice
>
>
>
> On 2016-09-06 at 09:13, Fabrice Durand wrote:
>
> Ok i will try it on my side.
>
> On 2016-09-06 at 08:47, Tim DeNike wrote:
>
> [realmdefault]
> filter = radius_request
> attribute = User-Name
> operator = is
> value = mcc_t...@eduroam.us
>
> Works
>
> [realmdefault]
> filter = radius_request
> attribute = Realm
> operator = is
> value = DEFAULT
>
> Does not.
>
> I did try filter = radius_reply as well... Are you saying I need to use
> the freeradius internal mappings like radius_reply.Realm?
>
> On Tue, Sep 6, 2016 at 8:41 AM, Fabrice Durand <fdur...@inverse.ca> wrote:
>
>> The filter is something like that ? :
>>
>> [DEFAULT]
>> filter = radius_request.Realm
>> operator = is
>> value = DEFAULT
>>
>>
>>
>>
>> On 2016-09-06 at 08:32, Tim DeNike wrote:
>>
>> Even if I manually defined it by update reply { Realm := DEFAULT } in the
>> post-auth section before calling packetfence module, it still wouldn't
>> match.  It showed in the radius audit log, but just wouldn't match.
>>
>> On Tue, Sep 6, 2016 at 8:28 AM, Fabrice Durand <fdur...@inverse.ca>
>> wrote:
>>
>>> Hello Tim,
>>>
>>> you can use raddebug (raddebug -f /usr/local/pf/var/run/radiusd.sock) to
>>> check if the realm attribute is there.
>>>
>>> But if it's DEFAULT, it's probably undefined.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> On 2016-09-05 at 19:13, Tim DeNike wrote:
>>> > Fwiw. This is for eduroam and is being proxied to 2 local externally
>>> > facing radius servers that in turn send it to eduroam.
>>> >
>>> > Sent from my iPhone
>>> >
>>> >> On Sep 5, 2016, at 6:47 PM, Tim DeNike <tim.den...@mcc.edu> wrote:
>>> >>
>>> >> I'm trying to get a vlan filter to work by matching an ssid and radius
>>> >> attribute Realm is DEFAULT in order auto register and assign a
>>> >> role/duration. For some reason I just can't get it to match the Realm
>>> >> in the radius reply.  Is there some trick to it?
>>> >>
>>> >> Sent from my iPhone
>>> > 
>>>
>>> --
>>> Fabrice Durand
>>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>> PacketFence (http://packetfence.org)
>>>
>>>
>>> 
>>>
>>
>>
>>
>>
>> --
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>

Re: [PacketFence-users] Vlan filter matching radius realm?

2016-09-06 Thread Tim DeNike
[realmdefault]
filter = radius_request
attribute = User-Name
operator = is
value = mcc_t...@eduroam.us

Works

[realmdefault]
filter = radius_request
attribute = Realm
operator = is
value = DEFAULT

Does not.

I did try filter = radius_reply as well... Are you saying I need to use the
freeradius internal mappings like radius_reply.Realm?

On Tue, Sep 6, 2016 at 8:41 AM, Fabrice Durand <fdur...@inverse.ca> wrote:

> The filter is something like that ? :
>
> [DEFAULT]
> filter = radius_request.Realm
> operator = is
> value = DEFAULT
>
>
>
>
> On 2016-09-06 at 08:32, Tim DeNike wrote:
>
> Even if I manually defined it by update reply { Realm := DEFAULT } in the
> post-auth section before calling packetfence module, it still wouldn't
> match.  It showed in the radius audit log, but just wouldn't match.
>
> On Tue, Sep 6, 2016 at 8:28 AM, Fabrice Durand <fdur...@inverse.ca> wrote:
>
>> Hello Tim,
>>
>> you can use raddebug (raddebug -f /usr/local/pf/var/run/radiusd.sock) to
>> check if the realm attribute is there.
>>
>> But if it's DEFAULT, it's probably undefined.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2016-09-05 at 19:13, Tim DeNike wrote:
>> > Fwiw. This is for eduroam and is being proxied to 2 local externally
>> > facing radius servers that in turn send it to eduroam.
>> >
>> > Sent from my iPhone
>> >
>> >> On Sep 5, 2016, at 6:47 PM, Tim DeNike <tim.den...@mcc.edu> wrote:
>> >>
>> >> I'm trying to get a vlan filter to work by matching an ssid and radius
>> >> attribute Realm is DEFAULT in order auto register and assign a
>> >> role/duration. For some reason I just can't get it to match the Realm
>> >> in the radius reply.  Is there some trick to it?
>> >>
>> >> Sent from my iPhone
>> > 
>>
>> --
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>>
>> 
>>
>
>
>
>
>
> --
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
> 


Re: [PacketFence-users] Vlan filter matching radius realm?

2016-09-06 Thread Tim DeNike
Even if I manually defined it by update reply { Realm := DEFAULT } in the
post-auth section before calling packetfence module, it still wouldn't
match.  It showed in the radius audit log, but just wouldn't match.

On Tue, Sep 6, 2016 at 8:28 AM, Fabrice Durand <fdur...@inverse.ca> wrote:

> Hello Tim,
>
> you can use raddebug (raddebug -f /usr/local/pf/var/run/radiusd.sock) to
> check if the realm attribute is there.
>
> But if it's DEFAULT, it's probably undefined.
>
> Regards
>
> Fabrice
>
>
>
> On 2016-09-05 at 19:13, Tim DeNike wrote:
> > Fwiw. This is for eduroam and is being proxied to 2 local externally
> > facing radius servers that in turn send it to eduroam.
> >
> > Sent from my iPhone
> >
> >> On Sep 5, 2016, at 6:47 PM, Tim DeNike <tim.den...@mcc.edu> wrote:
> >>
> >> I'm trying to get a vlan filter to work by matching an ssid and radius
> >> attribute Realm is DEFAULT in order auto register and assign a
> >> role/duration. For some reason I just can't get it to match the Realm
> >> in the radius reply.  Is there some trick to it?
> >>
> >> Sent from my iPhone
> > 
>
> --
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
> 


[PacketFence-users] Vlan filter matching radius realm?

2016-09-05 Thread Tim DeNike
I'm trying to get a vlan filter to work by matching an ssid and radius
attribute Realm is DEFAULT in order auto register and assign a
role/duration. For some reason I just can't get it to match the Realm
in the radius reply.  Is there some trick to it?

Sent from my iPhone



Re: [PacketFence-users] Vlan filter matching radius realm?

2016-09-05 Thread Tim DeNike
Fwiw. This is for eduroam and is being proxied to 2 local externally
facing radius servers that in turn send it to eduroam.

Sent from my iPhone

> On Sep 5, 2016, at 6:47 PM, Tim DeNike <tim.den...@mcc.edu> wrote:
>
> I'm trying to get a vlan filter to work by matching an ssid and radius
> attribute Realm is DEFAULT in order auto register and assign a
> role/duration. For some reason I just can't get it to match the Realm
> in the radius reply.  Is there some trick to it?
>
> Sent from my iPhone



Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-28 Thread Tim DeNike
Crap. Totally forgot. Sorry. I'm in the middle of replacing all the edge
switches in our network. :)

I'll try to remember tomorrow morning.

Sent from my iPhone

On Jun 28, 2016, at 6:55 PM, Adam Smith <adam_sm...@sundance.org> wrote:

Tim,

Just wondering if you were able to get that module diff?

*Adam Smith*
Network Administrator

Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org
<http://www.sundance.org>

On Sun, Jun 26, 2016 at 9:06 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> I'll try to grab you a diff of my module tomorrow. It was a really minor
> change.
>
> Sent from my iPhone
>
> On Jun 26, 2016, at 8:35 AM, Adam Smith <adam_sm...@sundance.org> wrote:
>
> Thanks for the input.  Do you have any suggestions of what to look for or
> where to make the changes.  I tried to do the radius debug, but I don't
> think coa or DM messages seem to show up when using raddebug.
>
>


Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-26 Thread Tim DeNike
I'll try to grab you a diff of my module tomorrow. It was a really minor
change.

Sent from my iPhone

On Jun 26, 2016, at 8:35 AM, Adam Smith  wrote:

Thanks for the input.  Do you have any suggestions of what to look for or
where to make the changes.  I tried to do the radius debug, but I don't
think coa or DM messages seem to show up when using raddebug.



Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-25 Thread Tim DeNike
I use it with Aruba controller but I had to make some slight adjustments to
the pf module.  I don't recall the exact reason but it works good now for
changing the role in an external captive portal situation and also for
doing disconnects for 802.1x devices.  Iirc it was something to do with
Aruba not matching the session properly so I'm doing the coa/disconnect
based on the MAC address and not the accounting session.

Sent from my iPhone

On Jun 25, 2016, at 9:12 AM, Adam Smith  wrote:

I'm having an issue with aruba IAP and CoA

It seems like the Packetfence server is not using the correct secret when
passing the CoA,  it sends the disconnect fine, but that does not fully
disconnect the clients on the ap and so they do not get a full radius auth
request again

I have tried recreating the packet with radclient and successfully send the
CoA and the only thing that I think has changed is the radius secret, does
anyone else know anything about this issue?

*Adam Smith*
Network Administrator

Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org




Re: [PacketFence-users] portIndex

2016-06-17 Thread Tim DeNike
Assuming you use ICX 7250s (Probably 7450s as well) on 8.0.40+ firmware.

# Tells the switch to turn on LLDP MED for voice vlan
sub getVoipVsa {
    my ($self) = @_;
    my $logger = $self->logger;
    return (
        'Foundry-MAC-Authent-needs-802.1x' => $FALSE,
        'Foundry-Voice-Phone-Config'       => " ",
        'Tunnel-Type'                      => $RADIUS::VLAN,
        'Tunnel-Medium-Type'               => $RADIUS::ETHERNET,
        'Tunnel-Private-Group-ID'          => "T:".$self->getVlanByName('voice'),
    );
}

# Converts Brocade ifIndex to port X/Y/Z format (Will break anything in PF
# that relies on SNMP.
# You must use radius COA and can't use LLDP voip detection, this could be
# resolved, but I don't do VOIP detection, so I don't really care.  :D )
sub NasPortToIfIndex {
    my ($self, $nas_port) = @_;

    my $logger = $self->logger;
    # Offset so that NAS-Port 1 lands on slot 1, shelf 1, port 1
    my $ifnum = $nas_port+256+64;
    my $slot = int($ifnum/256);
    my $shelf = int(($ifnum - ($slot * 256))/64 );
    my $port = int($ifnum - ($slot * 256) - ($shelf * 64));
    $nas_port = "$slot/$shelf/$port";

    $logger->trace("Fallback implementation. Returning NAS-Port as ifIndex: $nas_port");
    return $nas_port;
}

# Allows you to assign ip filters to mac addresses on a port.  I prefer to
# use the router image with enable acl-per-port-per-vlan vs the switch image.

sub supportsRoleBasedEnforcement { return $TRUE; }

sub returnRoleAttribute {
    my ($this) = @_;

    return 'Filter-ID';
}

Part of our purchase deal was the addition of dynamic IPv6 ACL
functionality.  They'll have it by the end of the year.



Excerpt switch config:

ver 08.0.40aT213

lag Uplink dynamic id 1
 ports ethernet 1/2/8 ethernet 2/2/8
 primary-port 1/2/8
 deploy

vlan XYZ name YOURVLAN by port
 tagged ethe 1/2/8 ethe 2/2/8
 loop-detection

vlan 4093 name flexauth by port
 loop-detection
!
!
!
!
authentication
 auth-default-vlan 4093
 max-sw-age 3600
 auth-vlan-mode multiple-untagged
 pass-through lldp
 mac-authentication enable
 mac-authentication enable ethe 1/1/1 to 1/1/48 ethe 2/1/1 to 2/1/48 ethe 3/1/1 to 3/1/48 ethe 4/1/1 to 4/1/48 ethe 5/1/1 to 5/1/48 ethe 6/1/1 to 6/1/48
 mac-authentication dot1x-override
!
!
aaa authentication dot1x default radius
aaa authentication login default local
aaa authorization coa enable
aaa accounting dot1x default start-stop radius
enable acl-per-port-per-vlan
ip dhcp snooping vlan XYZ
ipv6 dhcp6 snooping vlan XYZ

radius-client coa host PFHOST key YOURKEY
radius-server host PFHOST auth-port 1812 acct-port 1813 default key YOURKEY dot1x
radius-server timeout 5

interface ethernet 1/1/1
 authentication max-sessions 10
 authentication dos-protection enable
 authentication dos-protection mac-limit 2
 load-interval 30
 no spanning-tree
 inline power
 broadcast limit 100
 multicast limit 200
 unknown-unicast limit 50
 trust dscp

interface ethernet 1/2/8
 loop-detection shutdown-disable
 load-interval 30
 arp inspection trust
 dhcp snooping client-learning disable
 dhcp snooping trust
 dhcp6 snooping client-learning disable
 dhcp6 snooping trust
 ipv6-neighbor inspection trust
 no spanning-tree
 raguard trust


# If you set the acl role in PF to ip.100.in (An allow all acl), show
# mac-auth sessions all will report the IP of the client.
access-list 100 permit ip any any
!
# We use this one for printers to block access to everyone except our
# servers (To prevent direct printing because the printer guys never set any
# ACLs)
access-list 110 permit ip any 10.32.0.0 0.3.255.255
access-list 110 permit ip any 10.128.0.0 0.0.255.255
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit icmp any any
access-list 110 deny ip any any
!
# We use this one for some devices to only allow traffic to our servers and
# VDI workstations, effectively isolating them on the network.
access-list 111 permit ip any 10.32.0.0 0.3.255.255
access-list 111 permit udp any 10.60.0.0 0.3.255.255 eq 4172
access-list 111 permit tcp any 10.60.0.0 0.3.255.255 eq 4172
access-list 111 permit icmp any any
access-list 111 deny ip any 10.0.0.0 0.255.255.255
access-list 111 permit ip any any
!
!
!
!
lldp run
!


On Fri, Jun 17, 2016 at 12:08 PM, Guntharp, Jason W. <jwgunth...@iccms.edu>
wrote:

> Thanks Tim. That makes perfect sense. I’m assuming you directly modified
> /usr/local/pf/lib/Switch/Brocade.pm to accomplish this?
>
> Jason
>
>
>
>
>
> *From:* Tim DeNike [mailto:tim.den...@mcc.edu]
> *Sent:* Thursday, June 16, 2016 9:41 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] portIndex
>
>
>
> Brocade uses 64 ifindexes per shelf, so port 1/1/1 is 1.  1/2/1 is 65.
>  2/1/1 is 129. And so on.
>
>
>
> I don't use Lldp or SNMP at all with my brocades so I modified the module
> to convert it to X/y/z format.
>
> Sent from my iPhone
>
>
> On Jun 16, 2016, at 9:40 AM, Guntharp, Jason W. <jwgunt
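
The ACLs from the switch config in the message above, run through a small first-match evaluator to check what each role actually lets through. This is an added example, not part of the original post or of PacketFence; the parser handles only the syntax that appears in those twelve lines, and the client address and flows in the demo are constructed.

```python
import ipaddress

# The twelve access-list lines from the switch config in the post above.
ACL_TEXT = """\
access-list 100 permit ip any any
access-list 110 permit ip any 10.32.0.0 0.3.255.255
access-list 110 permit ip any 10.128.0.0 0.0.255.255
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit icmp any any
access-list 110 deny ip any any
access-list 111 permit ip any 10.32.0.0 0.3.255.255
access-list 111 permit udp any 10.60.0.0 0.3.255.255 eq 4172
access-list 111 permit tcp any 10.60.0.0 0.3.255.255 eq 4172
access-list 111 permit icmp any any
access-list 111 deny ip any 10.0.0.0 0.255.255.255
access-list 111 permit ip any any
"""

# Port keywords used in those lines (DHCP client and server).
PORT_NAMES = {"bootpc": 68, "bootps": 67}


def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _take_endpoint(tokens):
    """Consume '<any | ADDRESS WILDCARD> [eq PORT]' from the front of tokens."""
    word = tokens.pop(0)
    if word == "any":
        base, wildcard = 0, 0xFFFFFFFF
    else:
        base, wildcard = _ip(word), _ip(tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return base, wildcard, port


def parse_acls(text):
    """Return {acl_number: [(action, proto, src, dst, original_line), ...]}."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _take_endpoint(rest)
        dst = _take_endpoint(rest)
        acls.setdefault(number, []).append((action, proto, src, dst, line.strip()))
    return acls


def _endpoint_matches(endpoint, addr, port):
    base, wildcard, want_port = endpoint
    care = ~wildcard & 0xFFFFFFFF      # wildcard bits set to 1 are "don't care"
    if (_ip(addr) ^ base) & care:
        return False
    return want_port is None or want_port == port


def evaluate(acls, number, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, rule_proto, rule_src, rule_dst, line in acls[number]:
        if rule_proto not in ("ip", proto):
            continue
        if _endpoint_matches(rule_src, src, sport) and _endpoint_matches(rule_dst, dst, dport):
            return action, line
    return "deny", "(implicit deny)"


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    client = "10.50.1.20"  # constructed address of a device behind the port
    flows = [  # constructed flows: (acl, proto, dst, sport, dport, note)
        ("110", "tcp", "10.33.4.5", 49152, 9100, "printer -> server range"),
        ("110", "tcp", "10.50.1.30", 49152, 9100, "printer -> peer workstation"),
        ("110", "tcp", "10.36.0.1", 49152, 9100, "just past 10.32.0.0 0.3.255.255"),
        ("110", "udp", "255.255.255.255", 68, 67, "DHCP request"),
        ("111", "tcp", "10.61.2.3", 49152, 4172, "isolated device -> VDI on 4172"),
        ("111", "tcp", "10.61.2.3", 49152, 443, "isolated device -> VDI on 443"),
        ("111", "tcp", "192.0.2.10", 49152, 443, "isolated device -> outside 10/8"),
    ]
    for number, proto, dst, sport, dport, note in flows:
        action, line = evaluate(acls, number, proto, client, dst, sport, dport)
        print(f"{note:36} {action:6} by {line}")
```

The wildcard mask 0.3.255.255 on 10.32.0.0 covers 10.32.0.0 through 10.35.255.255, which is why the 10.36.0.1 flow falls through to the explicit deny in ACL 110.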

Re: [PacketFence-users] User-agent from Radius Accounting

2016-06-13 Thread Tim DeNike
If they are auto reg then the Cisco device wouldn't know the user agent.

Sent from my iPhone

On Jun 13, 2016, at 5:03 PM, Ricardo Duarte  wrote:

Hi there,

Most of my clients never hit the registration portal, as they are being
autoreg. But I still would like to get info about the user-agent.
One way to do it, for Cisco devices, is to read it from Radius Accounting
packets. It is sent inside a av-pair, http-tlv.
So, I wonder if there us any integration point where I can have access to
the Radius accounting packets and write the info to the node table?

Thanks,
Ricardo



Re: [PacketFence-users] Using eduroam Radius on a packetFence Portal

2016-06-03 Thread Tim DeNike
You shouldn't use eduroam without dot1x.  That's the whole point.

Sent from my iPhone

On Jun 3, 2016, at 9:07 AM, PROST pierrick  wrote:

Hi,



Does no one have a use case for EDUROAM integration with PF in inline mode /
authentication portal?



Have a good day.



Pierrick



*From:* PROST pierrick
*Sent:* Thursday, June 2, 2016 15:45
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] Using eduroam Radius on a packetFence Portal



Hi everybody,



Has anyone already used EDUROAM on PacketFence?  We are trying to have an
open SSID “eduroam” with PacketFence in inline mode, with portal
authentication on a dedicated Eduroam VLAN.

We configured the Raddb service with the eduroam proxy as written in the
documentation, but is it possible to dedicate a portal profile to this?

Actually, when we try an eduroam account, we have something like this in the
pf logs:

Jun 02 15:44:17 httpd.portal(2052) INFO: [mac:38:59:f9:14:62:37] Realm source undef is configured in the realm cnrs.fr but is not in the portal profile. Ignoring it and using the portal profile sources. (pf::config::util::get_user_sources)

Or is there another way to use eduroam without out-of-band configuration?





Have a good day.



Pierrick Prost



CNRS





Re: [PacketFence-users] Node Status Unknown

2016-05-27 Thread Tim DeNike
Brocade doesn't send radius accounting packets for Mac based VLANs.  TAC
says this feature is slated for the 8.0.50 release which should be out by
end of year.   I'm not sure why you are seeing "unknown" though.  Normally
what we see is that they always show "online" after a successful auth then
never show offline.  We've got about 90 of 250 ICX 7250s installed and they
work perfectly with packetfence otherwise.  I made a couple light
modifications to the pf module to add support for radius acls and Lldp
controlled voice vlan.

Sent from my iPhone

On May 27, 2016, at 9:52 PM, Guntharp, Jason W. 
wrote:

Hello,

I’m proposing PacketFence 6 for use at a local community college. In our
pilot, we are using Brocade switch gear and I have configured the NAC and
switch according to the admin document. We are using MAC authentication and
the VLAN steering is working well with SNMP as the DEAUTH method. We are
having an issue with the node status online/offline always displaying
“unknown” regardless of actual state. It will not update. I have configured
the Brocade gear to use PacketFence as both auth and acct radius.

Will this field update just using MAC authentication? If so, has anyone
else run into this or have any tips on getting the status to work right?
Interestingly, if I select “online nodes” it will display only the truly
online nodes. If I select “offline nodes” it will display all nodes,
including the ones it displayed online. Despite this, all records indicate
“unknown”.

Thanks,

Jason Guntharp
Network Administrator
Itawamba Community College
Office: (662) 862-8106
Email: jwgunth...@iccms.edu



Re: [PacketFence-users] Nagios + PF Monitoring

2016-04-30 Thread Tim DeNike
RADIUS response time.  Expect an Access-Accept from MAC address
99:99:99:99:99:99.  Haven't tried monitoring EAP yet.

Sent from my iPhone

> On Apr 30, 2016, at 9:51 AM, Leja, Maciej  wrote:
>
> Hey everyone,
>
> Curious if anyone is doing any specific type of monitoring besides basic 
> up/down + disk/cpu/memory + web type monitoring with their deployment?
>
> We don’t have it inline – just a captive portal – wondering if anyone is 
> doing anything interesting we might be able to steal that could help :)
>
> Thanks,
> ~Maciej
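
One way to implement the check described in this reply, written as a Nagios-style plugin. This is an added example, not code from the thread or from PacketFence; the shared secret, the bare-hex User-Name/User-Password convention for MAC authentication, the thresholds and all function names are assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 2, 31, 80


def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream XOR)."""
    padded = password.ljust(-(-max(len(password), 1) // 16) * 16, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def build_mac_auth_request(mac, secret, identifier, request_auth):
    """Access-Request that presents `mac` the way a MAC-auth NAS would."""
    bare = mac.replace(":", "").lower().encode()  # assumed username format
    attrs = (attr(USER_NAME, bare)
             + attr(USER_PASSWORD, hide_password(bare, secret, request_auth))
             + attr(CALLING_STATION_ID, mac.encode())
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
              + request_auth + attrs)
    # RFC 3579: HMAC-MD5 over the whole packet with the attribute value zeroed.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def reply_is_authentic(reply, secret, identifier, request_auth):
    """Check identifier, length and the RFC 2865 Response Authenticator."""
    if len(reply) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != identifier or not 20 <= length <= len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def classify(reply, elapsed, secret, identifier, request_auth, warn=0.5, crit=2.0):
    """Map one probe result to a Nagios (exit_code, message) pair."""
    if reply is None:
        return 2, "CRITICAL - no RADIUS reply"
    if not reply_is_authentic(reply, secret, identifier, request_auth):
        return 2, "CRITICAL - reply failed the authenticator check"
    if reply[0] != ACCESS_ACCEPT:
        return 2, f"CRITICAL - expected Access-Accept, got code {reply[0]}"
    perf = f"|time={elapsed:.3f}s;{warn};{crit}"
    if elapsed >= crit:
        return 2, f"CRITICAL - Access-Accept in {elapsed:.3f}s{perf}"
    if elapsed >= warn:
        return 1, f"WARNING - Access-Accept in {elapsed:.3f}s{perf}"
    return 0, f"OK - Access-Accept in {elapsed:.3f}s{perf}"


def probe(host, secret, mac="99:99:99:99:99:99", port=1812, timeout=3.0):
    """Send one MAC-auth request and time the reply."""
    identifier, request_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_mac_auth_request(mac, secret, identifier, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(packet, (host, port))
            reply, _peer = sock.recvfrom(4096)
        except OSError:  # timeout, unreachable host, refused port
            reply = None
        elapsed = time.monotonic() - start
    return classify(reply, elapsed, secret, identifier, request_auth)


if __name__ == "__main__":
    import sys
    status, message = probe(sys.argv[1], os.environ["RADIUS_SECRET"].encode())
    print(message)
    sys.exit(status)
```

The monitoring host has to be defined as a RADIUS client on the server, and the probe MAC has to be a registered node for the expected Access-Accept to come back.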


Re: [PacketFence-users] SSL server certificate for use with Android

2016-04-19 Thread Tim DeNike
Use a private CA. That's the direction we're going. Only way to make sure
there are no conflicts or incomplete cert chains.  Android has the worst
consistency between versions and even different vendor implementations.
Pain in the butt.

Sent from my iPhone

On Apr 19, 2016, at 2:44 AM, Hack, Daniel (DPIPWE) <
daniel.h...@dpipwe.tas.gov.au> wrote:

Hi All,

In a last ditch effort to try to get Android devices working with
PacketFence, we are looking at purchasing a server certificate from a
trusted CA, that is included in Android’s trusted root store.

Has anybody been down this path?
Any recommendations for certificate providers?

Thanks,
Dan

Network Administrator
Corporate Information Technology
DPIPWE
p: (03) 6165 4484
f: (03) 6224 1388
e: daniel.h...@dpipwe.tas.gov.au



Re: [PacketFence-users] autoregister device - pf thinks it is coming from a secure connection and unregisters it.

2016-04-10 Thread Tim DeNike
The check is done on whether the auto-registered flag is set in pf.node.

Sent from my iPhone

> On Apr 10, 2016, at 12:30 PM, forums <for...@stepanek.net> wrote:
>
> I have done some more testing and am still not understanding why packetfence 
> thinks a device is from a secure network.
> All of the devices I am testing with have never been registered to a 802.1x 
> network.
>
> I shutdown all others wlans and left only the guest network running.  If I 
> take a brand new device that pf hasn't seen and attach it to the guest 
> wireless, I still get the "Device is comming from a secure connection and has 
> been auto registered, we unreg it and forward it to the portal" message.
>
>
> Thank you
> Sean
>
>> On 2016-04-09 16:34, Tim DeNike wrote:
>> WPA2-PSK isn't "secure".  WPA2 802.1x is.  What it means is if a
>> device was previously auto registered (like via dot1x), then
>> unregister it when connecting to a MAC-based SSID.
>> Probably better to do it with a null authentication source/portal
>> profile.  Might be other ways to do it, though.
>> Sent from my iPhone
>>> On Apr 9, 2016, at 5:04 PM, forums <for...@stepanek.net> wrote:
>>> I have setup a clean install of pf 5.7.0.  The only thing I have added
>>> is my wlc to the switches and a auto-register config I have placed in
>>> vlan_filters.conf.  It is below the logfile.
>>> It appears that it is working, however pf believes that the device is
>>> coming from a secured connection and then unregisters it.
>>> I am not sure what is triggering that.  I do have a wpa-psk wlan on the
>>> controller, however I have not updated the wlan config to use pf.  I
>>> only have a guest ssid that is doing mac auth to the packetfence box.
>>> The device I tested with was not on the secure ssid as I have not added
>>> the wireless key to it.
>>> pf.conf is pretty bare outside of the interfaces, database password,
>>> e-mail address and hostname.
>>> Am I just missing the "unreg it if..." option somewhere?
>>> Thank you
>>> Sean
>>> INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from
>>> switch_ip => (172.18.252.50), connection_type =>
>>> Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac =>
>>> [ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid =>
>>> Guest (pf::radius::authorize)
>>> INFO: [mac:ac:5f:3e:a8:62:67] does not yet exist in database. Adding it
>>> now (pf::radius::authorize)
>>> INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi
>>> (pf::access_filter::test)
>>> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
>>> (pf::Portal::ProfileFactory::_from_profile)
>>> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
>>> (pf::Portal::ProfileFactory::_from_profile)
>>> INFO: [mac:ac:5f:3e:a8:62:67] autoregister a node that is already
>>> registered, do nothing. (pf::node::node_register)
>>> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
>>> (pf::Portal::ProfileFactory::_from_profile)
>>> INFO: [mac:ac:5f:3e:a8:62:67] Connection type is WIRELESS_MAC_AUTH.
>>> Getting role from node_info (pf::role::getRegisteredRole)
>>> INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection
>>> and has been auto registered, we unreg it and forward it to the
>>> portal(pf::role::getRegisteredRole)
>>> INFO: [mac:ac:5f:3e:a8:62:67] Username was defined "ac5f3ea86267" -
>>> returning role 'registration' (pf::role::getRegisteredRole)
>>> INFO: [mac:ac:5f:3e:a8:62:67] PID: "default", Status: reg Returned VLAN:
>>> (undefined), Role: registration (pf::role::fetchRoleForNode)
>>> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added VLAN 100 to the
>>> returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
>>> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added role registration to
>>> the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>>> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN
>>> 100 and role registration (pf::Switch::returnRadiusAccessAccept)
>>> vlan_filters.conf
>>> [guestwifi]
>>> filter = ssid
>>> operator = is
>>> value = Guest
>>> # Must autoreg every time
>>> [1:guestwifi]
>>> scope = AutoRegister
>>> role = guest
>>> action = register_node
>>> action_param = mac = $mac, category = guest, pid = admin, status =
>>> register

Re: [PacketFence-users] autoregister device - pf thinks it is coming from a secure connection and unregisters it.

2016-04-09 Thread Tim DeNike
WPA2-PSK isn't "secure".  WPA2 802.1x is.  What it means is if a
device was previously auto registered (like via dot1x), then
unregister it when connecting to a MAC-based SSID.

Probably better to do it with a null authentication source/portal
profile.  Might be other ways to do it, though.


Sent from my iPhone

> On Apr 9, 2016, at 5:04 PM, forums  wrote:
>
>
> I have setup a clean install of pf 5.7.0.  The only thing I have added
> is my wlc to the switches and a auto-register config I have placed in
> vlan_filters.conf.  It is below the logfile.
>
> It appears that it is working, however pf believes that the device is
> coming from a secured connection and then unregisters it.
> I am not sure what is triggering that.  I do have a wpa-psk wlan on the
> controller, however I have not updated the wlan config to use pf.  I
> only have a guest ssid that is doing mac auth to the packetfence box.
> The device I tested with was not on the secure ssid as I have not added
> the wireless key to it.
>
> pf.conf is pretty bare outside of the interfaces, database password,
> e-mail address and hostname.
>
> Am I just missing the "unreg it if..." option somewhere?
>
> Thank you
> Sean
>
>
> INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from
> switch_ip => (172.18.252.50), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac =>
> [ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid =>
> Guest (pf::radius::authorize)
> INFO: [mac:ac:5f:3e:a8:62:67] does not yet exist in database. Adding it
> now (pf::radius::authorize)
> INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi
> (pf::access_filter::test)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
> (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
> (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] autoregister a node that is already
> registered, do nothing. (pf::node::node_register)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
> (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] Connection type is WIRELESS_MAC_AUTH.
> Getting role from node_info (pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection
> and has been auto registered, we unreg it and forward it to the
> portal(pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] Username was defined "ac5f3ea86267" -
> returning role 'registration' (pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] PID: "default", Status: reg Returned VLAN:
> (undefined), Role: registration (pf::role::fetchRoleForNode)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added VLAN 100 to the
> returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added role registration to
> the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN
> 100 and role registration (pf::Switch::returnRadiusAccessAccept)
>
>
> vlan_filters.conf
>
> [guestwifi]
> filter = ssid
> operator = is
> value = Guest
>
> # Must autoreg every time
> [1:guestwifi]
> scope = AutoRegister
> role = guest
> action = register_node
> action_param = mac = $mac, category = guest, pid = admin, status =
> registered, unregdate = 2016-11-0123:59:59
>
> [2:guestwifi]
> scope = NormalVlan
> role = guest
>
>
>
>
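
A triage script for the log posted in this thread, as an added example (not part of the original posts and not PacketFence code): it groups log lines by MAC and flags requests where a filter rule matched but the node was unregistered and returned in the registration role. The first six sample lines are selected from the thread's log and re-joined onto single lines; the last two, for MAC 02:00:00:00:00:01, are constructed for contrast. Function and field names are assumptions.

```python
import re
from collections import OrderedDict

SAMPLE_LOG = """\
INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from switch_ip => (172.18.252.50), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac => [ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid => Guest (pf::radius::authorize)
INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi (pf::access_filter::test)
INFO: [mac:ac:5f:3e:a8:62:67] autoregister a node that is already registered, do nothing. (pf::node::node_register)
INFO: [mac:ac:5f:3e:a8:62:67] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection and has been auto registered, we unreg it and forward it to the portal(pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN 100 and role registration (pf::Switch::returnRadiusAccessAccept)
INFO: [mac:02:00:00:00:00:01] Match rule 1:guestwifi (pf::access_filter::test)
INFO: [mac:02:00:00:00:00:01] (172.18.252.50) Returning ACCEPT with VLAN 20 and role guest (pf::Switch::returnRadiusAccessAccept)
"""

# "[mac:<mac>] <message> (<pf::module::sub>)"; any syslog prefix is ignored.
LINE_RE = re.compile(
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]\s+(?P<msg>.*?)\s*"
    r"\((?P<sub>pf::[\w:]+)\)\s*$",
    re.IGNORECASE,
)


def trace_requests(lines):
    """Return {mac: summary} built from PacketFence log lines."""
    nodes = OrderedDict()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        node = nodes.setdefault(m["mac"].lower(), {
            "connection_type": None, "ssid": None, "rule": None,
            "unregistered": False, "vlan": None, "role": None,
        })
        msg, sub = m["msg"], m["sub"]
        if sub == "pf::radius::authorize" and "handling radius autz request" in msg:
            ctype = re.search(r"connection_type => ([^,\s]+)", msg)
            ssid = re.search(r"ssid => (\S+)", msg)  # SSIDs with spaces are cut short
            node["connection_type"] = ctype.group(1) if ctype else None
            node["ssid"] = ssid.group(1) if ssid else None
        elif sub == "pf::access_filter::test":
            rule = re.search(r"Match rule (\S+)", msg)
            if rule:
                node["rule"] = rule.group(1)
        elif sub == "pf::role::getRegisteredRole" and "we unreg it" in msg:
            node["unregistered"] = True
        elif sub == "pf::Switch::returnRadiusAccessAccept":
            final = re.search(r"Returning ACCEPT with VLAN (\d+) and role (\S+)", msg)
            if final:
                node["vlan"], node["role"] = int(final.group(1)), final.group(2)
    return nodes


def autoreg_undone(nodes):
    """MACs where a filter rule matched, yet the node was unregistered and
    ended up in the registration role."""
    return [mac for mac, n in nodes.items()
            if n["rule"] and n["unregistered"] and n["role"] == "registration"]


if __name__ == "__main__":
    summary = trace_requests(SAMPLE_LOG.splitlines())
    for mac in autoreg_undone(summary):
        n = summary[mac]
        print(f"{mac}: rule {n['rule']} matched on {n['connection_type']}, "
              f"then unregistered; returned VLAN {n['vlan']} role {n['role']}")
```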


Re: [PacketFence-users] database backup/maint script closes all location log?

2016-04-07 Thread Tim DeNike
I'm thinking this:

/usr/local/pf/addons/database-cleaner.pl --table=locationlog
--date-field=end_time --older-than="1 WEEK"
--additionnal-condition="(end_time IS NOT NULL OR end_time <> 0)"

should be this:

/usr/local/pf/addons/database-cleaner.pl --table=locationlog
--date-field=end_time --older-than="1 WEEK"
--additionnal-condition="(end_time <> 0)"

When doing an SQL query, IS NOT NULL matches the 00-00- date, so it's
matching those as records to delete.

On Thu, Apr 7, 2016 at 8:42 PM, Tim DeNike <tim.den...@mcc.edu> wrote:

> PF 5.7.  Running the DB maint script seems to close out all location log
> entries instead of purging out old entries.
>
> Unless I'm doing something wrong?
>
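
The two conditions from this message, compared on a small table, as an added example (not from the thread and not the project's script). It uses SQLite instead of MySQL, models an open entry's zero date as the integer 0, and assumes the cleaner combines the date filter and the extra condition with AND; the table contents and function names are constructed.

```python
import sqlite3

DAY = 86400
NOW = 1_460_000_000  # constructed "current time" in epoch seconds

ORIGINAL = "(end_time IS NOT NULL OR end_time <> 0)"
PROPOSED = "(end_time <> 0)"


def make_db():
    """In-memory stand-in for locationlog with one row per case."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE locationlog (label TEXT, end_time INTEGER)")
    db.executemany("INSERT INTO locationlog VALUES (?, ?)", [
        ("open session", 0),                    # zero date modelled as 0
        ("closed 30 days ago", NOW - 30 * DAY),
        ("closed yesterday", NOW - DAY),
        ("end_time NULL", None),
    ])
    return db


def rows_matched(db, extra_condition, older_than_days=7):
    """Rows a cleanup run would pick: older than the cutoff AND the condition.

    extra_condition is one of the two constants above, never user input.
    """
    cutoff = NOW - older_than_days * DAY
    sql = ("SELECT label FROM locationlog "
           f"WHERE end_time < ? AND {extra_condition} ORDER BY label")
    return [row[0] for row in db.execute(sql, (cutoff,))]


def compare(db):
    """Side-by-side result of both conditions."""
    return {"original": rows_matched(db, ORIGINAL),
            "proposed": rows_matched(db, PROPOSED)}


if __name__ == "__main__":
    for name, rows in compare(make_db()).items():
        print(f"{name}: {rows}")
```

In this model the zero value is both non-NULL and older than any cutoff, so only the second condition keeps the open session out of the result.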


Re: [PacketFence-users] database backup/maint script closes all location log?

2016-04-07 Thread Tim DeNike
Same goes for the radacct line.

On Thu, Apr 7, 2016 at 9:01 PM, Tim DeNike <tim.den...@mcc.edu> wrote:

> I'm thinking this:
>
> /usr/local/pf/addons/database-cleaner.pl --table=locationlog
> --date-field=end_time --older-than="1 WEEK"
> --additionnal-condition="(end_time IS NOT NULL OR end_time <> 0)"
>
> should be this:
>
> /usr/local/pf/addons/database-cleaner.pl --table=locationlog
> --date-field=end_time --older-than="1 WEEK"
> --additionnal-condition="(end_time <> 0)"
>
> When doing an SQL query, IS NOT NULL matches the 00-00- date, so it's
> matching those as records to delete.
>
> On Thu, Apr 7, 2016 at 8:42 PM, Tim DeNike <tim.den...@mcc.edu> wrote:
>
>> PF 5.7.  Running the DB maint script seems to close out all location log
>> entries instead of purging out old entries.
>>
>> Unless I'm doing something wrong?
>>
>
>


[PacketFence-users] database backup/maint script closes all location log?

2016-04-07 Thread Tim DeNike
PF 5.7.  Running the DB maint script seems to close out all location log
entries instead of purging out old entries.

Unless I'm doing something wrong?


Re: [PacketFence-users] Radius SSL Certs

2016-04-05 Thread Tim DeNike
And I'll be completely honest with you.  We're getting ready to dump using
a public CA for 802.1x.  Comodo in particular has been a pain.  Androids
don't always have a complete certificate chain for Comodo, and Windows PCs
seem to randomly get an intermediate cert set in third party store as a
trusted root (I'm pretty sure it's a few installers/apps doing it).  So
between the 2 problems, you can make all of one or all of the other work
with no problems but you'll always have to screw with the other.  Private
CA is the way to go imho.

Sent from my iPhone

On Apr 5, 2016, at 6:05 AM, Nathan, Josh  wrote:

Hello,

So I'm trying to get Radius to supply a valid cert.  Even though I've got
my PacketFence server, itself, using my Comodo Wildcard certificate, I can
see when logging into my wireless AP via 802.1X that I'm still getting the
self-signed Radius cert.  I renamed the certs directory according to the
README file located in it, and then I created a symbolic link to my PF ssl
directory.  I then did a packetfence-config restart and a packetfence
restart, but my iPad still shows that I'm getting the self-signed test
Radius cert.

What documentation did I miss?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630



Re: [PacketFence-users] Radius SSL Certs

2016-04-05 Thread Tim DeNike
Fwiw. You can't use wildcard certs with 802.1x

That's probably not the problem you are having, though.

Sent from my iPhone

On Apr 5, 2016, at 6:05 AM, Nathan, Josh  wrote:

Hello,

So I'm trying to get Radius to supply a valid cert.  Even though I've got
my PacketFence server, itself, using my Comodo Wildcard certificate, I can
see when logging into my wireless AP via 802.1X that I'm still getting the
self-signed Radius cert.  I renamed the certs directory according to the
README file located in it, and then I created a symbolic link to my PF ssl
directory.  I then did a packetfence-config restart and a packetfence
restart, but my iPad still shows that I'm getting the self-signed test
Radius cert.

What documentation did I miss?

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630



[PacketFence-users] DHCPv6 udp_reflector

2016-03-28 Thread Tim DeNike
Finally getting around to testing DHCPv6 sniffing.  Have a Windows 2012 DHCPv6
server running udp_reflector mirroring port 547 to the PF address (V4).
Data is getting sent, but PF doesn't seem to be picking up the DHCPv6
messages.

PF 5.7

Thoughts?


Re: [PacketFence-users] Disable automatic VOIP detection, PF 5.7 QUICKLY!!! THANKS!

2016-03-04 Thread Tim DeNike
FYI.  I figured it out.. role.pm.  Had to comment this out so it wouldn't
try to auto-register phones.. When it did that, it basically went through
the reg routine with every device that was a phone whenever it got a DHCP
lease (I think it was when it got a DHCP lease at least).

sub shouldAutoRegister {
#if ($args->{'isPhone'}) {
#$logger->trace("returned yes because it's an ip phone");
#return $args->{'isPhone'};
#}

On Fri, Mar 4, 2016 at 9:41 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> That partly works.  The problem I'm having now is that every time a VOIP
> device renews its DHCP address, the voip=yes flag on the node is getting
> changed to no, the user is changed from the assigned user to default, and
> autoreg is set to yes.
>
> To be clear.. I don't want to autoreg or manipulate ANY devices based on
> the dhcp derived device type.
>
> That make sense?
>
> On Thu, Mar 3, 2016 at 8:21 AM, Fabrice DURAND <fdur...@inverse.ca> wrote:
>
>> Apply this pull request on your setup and you will be able to select in
>> the switch config how you want to detect voip.
>>
>> https://github.com/inverse-inc/packetfence/pull/1205
>>
>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/1205.diff
>>
>> On 2016-03-03 08:17, Tim DeNike wrote:
>> >    if (defined($node_info->{dhcp_fingerprint}) &&
>> >        $node_info->{dhcp_fingerprint} =~ /VoIP Phone/) {
>> >        $logger->debug("DHCP fingerprint for $mac indicates VoIP phone");
>> >        return 1;
>> >    }
>> >
>> > changing to return 0 fixes it.
>> >
>> > This was the offending code in pf/Switch.pm
>> >
>> > I'd like to put a formal request in to disable automatic VOIP detection
>> > with a simple checkbox instead of having to hack the code every time.
>> > Fingerprints just aren't accurate enough and we have scripts that
>> > automatically register/flag all of our phones as voip.
>> >
>> > We don't have the tagged vlan set on our switch ports in an idle
>> > state.  We return VSAs with a tagged port and to enable LLDP directing
>> > the phone to the tagged vlan, so if something is mis-identified (like
>> > almost all of our VDIs in this case), it causes a huge issue.
>> >
>> > I've always just gotten by by disabling the same code in every upgrade,
>> > but as you guys change stuff, I have to track it down again and again.
>> >
>> > A simple checkbox "Disable automatic VOIP dhcp fingerprint detection"
>> > would be great.  :D
>> >
>> >
>> >
>> > On Thu, Mar 3, 2016 at 7:48 AM, Tim DeNike <tim.den...@mcc.edu
>> > <mailto:tim.den...@mcc.edu>> wrote:
>> >
>> > I had this working fine in 5.3 and prior by disabling the
>> >
>> > #if ($args->{'isPhone'}) {
>> > #$node_info{'voip'} = $VOIP;
>> > #}
>> >
>> >
>> > section in vlan.pm, but it doesn't seem to work
>> > now.. I'm guessing it's Fingerbank that is at fault.
>> >
>> > I disabled the same section in role/custom.pm,
>> > but it's still doing it.
>> >
>> > I need to completely disable the automatic detection of VOIP
>> > devices.  It's screwing up my network right now.. Fingerbank
>> > thinks VDIs are phones and PF is sending a tagged port back to the
>> > switch for the devices.
>> >
>> >
>> > Quick!
>> >
>> > Thanks!
>> >
>> >
>> >
>> >
>> >
>>
>>
>> --
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http:

Re: [PacketFence-users] Disable automatic VOIP detection, PF 5.7 QUICKLY!!! THANKS!

2016-03-04 Thread Tim DeNike
That partly works.  The problem I'm having now is that every time a VOIP
device renews its DHCP address, the voip=yes flag on the node is getting
changed to no, the user is changed from the assigned user to default, and
autoreg is set to yes.

To be clear.. I don't want to autoreg or manipulate ANY devices based on
the dhcp derived device type.

That make sense?

On Thu, Mar 3, 2016 at 8:21 AM, Fabrice DURAND <fdur...@inverse.ca> wrote:

> Apply this pull request on your setup and you will be able to select in
> the switch config how you want to detect voip.
>
> https://github.com/inverse-inc/packetfence/pull/1205
>
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/1205.diff
>
> On 2016-03-03 08:17, Tim DeNike wrote:
> >    if (defined($node_info->{dhcp_fingerprint}) &&
> >        $node_info->{dhcp_fingerprint} =~ /VoIP Phone/) {
> >        $logger->debug("DHCP fingerprint for $mac indicates VoIP phone");
> >        return 1;
> >    }
> >
> > changing to return 0 fixes it.
> >
> > This was the offending code in pf/Switch.pm
> >
> > I'd like to put a formal request in to disable automatic VOIP detection
> > with a simple checkbox instead of having to hack the code every time.
> > Fingerprints just aren't accurate enough and we have scripts that
> > automatically register/flag all of our phones as voip.
> >
> > We don't have the tagged vlan set on our switch ports in an idle
> > state.  We return VSAs with a tagged port and to enable LLDP directing
> > the phone to the tagged vlan, so if something is mis-identified (like
> > almost all of our VDIs in this case), it causes a huge issue.
> >
> > I've always just gotten by by disabling the same code in every upgrade,
> > but as you guys change stuff, I have to track it down again and again.
> >
> > A simple checkbox "Disable automatic VOIP dhcp fingerprint detection"
> > would be great.  :D
> >
> >
> >
> > On Thu, Mar 3, 2016 at 7:48 AM, Tim DeNike <tim.den...@mcc.edu
> > <mailto:tim.den...@mcc.edu>> wrote:
> >
> > I had this working fine in 5.3 and prior by disabling the
> >
> > #if ($args->{'isPhone'}) {
> > #$node_info{'voip'} = $VOIP;
> > #}
> >
> >
> > section in vlan.pm, but it doesn't seem to work
> > now.. I'm guessing it's Fingerbank that is at fault.
> >
> > I disabled the same section in role/custom.pm,
> > but it's still doing it.
> >
> > I need to completely disable the automatic detection of VOIP
> > devices.  It's screwing up my network right now.. Fingerbank
> > thinks VDIs are phones and PF is sending a tagged port back to the
> > switch for the devices.
> >
> >
> > Quick!
> >
> > Thanks!
> >
> >
> >
> >
> >
>
>
> --
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
>


Re: [PacketFence-users] Change MAC Display To Cisco Format

2016-03-03 Thread Tim DeNike
I'd like to see it be selectable. For instance, we're switching away from
Extreme, which uses the : notation, to Brocade, which uses the Cisco dotted
notation.
Also, searches used to be flexible where you could search with or without
colons or dashes and now they require : only (after upgrade to 5.7).

Sent from my iPhone

On Mar 3, 2016, at 11:19 AM, Michael R. Haag <
michael.h...@madisoncounty.ny.gov> wrote:

It would save me a bit of time if I could set Packetfence’s admin GUI to
display MAC addresses in cisco format rather than standard (for copy/paste
purposes). For example:

“001a.a01c.0890” instead of “00:1a:a0:1c:08:09”

Is this something I could implement with an easy change in the code
somewhere?

It would be best if I could toggle the view from standard to cisco and
back, or keep it saved as a user preference.

Thank you,

Michael R. Haag
Computer Services Technician
Department of Information Technology
Madison County, NY
(315) 366-2204



Re: [PacketFence-users] Disable automatic VOIP detection, PF 5.7 QUICKLY!!! THANKS!

2016-03-03 Thread Tim DeNike
    if (defined($node_info->{dhcp_fingerprint}) &&
        $node_info->{dhcp_fingerprint} =~ /VoIP Phone/) {
        $logger->debug("DHCP fingerprint for $mac indicates VoIP phone");
        return 1;
    }

Changing to return 0 fixes it.

This was the offending code in pf/Switch.pm

I'd like to put a formal request in to disable automatic VOIP detection with
a simple checkbox instead of having to hack the code every time.
Fingerprints just aren't accurate enough and we have scripts that
automatically register/flag all of our phones as voip.

We don't have the tagged vlan set on our switch ports in an idle state.  We
return VSAs with a tagged port and to enable LLDP directing the phone to
the tagged vlan, so if something is mis-identified (like almost all of our
VDIs in this case), it causes a huge issue.

I've always just gotten by by disabling the same code in every upgrade, but
as you guys change stuff, I have to track it down again and again.

A simple checkbox "Disable automatic VOIP dhcp fingerprint detection" would
be great.  :D



On Thu, Mar 3, 2016 at 7:48 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> I had this working fine in 5.3 and prior by disabling th
>
> #if ($args->{'isPhone'}) {
> #$node_info{'voip'} = $VOIP;
> #}
>
>
> section in vlan.pm, but it doesn't seem to work now.. I'm guessing it's
> finger bank that is to fault.
>
> I disabled the same section in role/custom.pm, but it's still doing it.
>
> I need to completely disable the automatic detection of VOIP devices.  It's
> screwing up my network right now.. finger bank thinks VDIs are phones and
> PF is sending a tagged port back to the switch for the devices.
>
>
> Quick!
>
> Thanks!
>


Re: [PacketFence-users] Aruba External Portal, COA..

2016-01-29 Thread Tim DeNike
Ahh, nice.  That worked perfectly.  Can I set the option "force" in a
particular context?  I.e., only for the Aruba wireless, and not wired
switches?

On Fri, Jan 29, 2016 at 7:38 AM, Durand fabrice <fdur...@inverse.ca> wrote:

> Hi Tim,
>
> a quick fix should be to modify enforcement.pm:
>
> sub _should_we_reassign_vlan {
>     my ( $mac, $locationlog_entry, %opts ) = @_;
>     my $logger = get_logger();
>     return $TRUE;
>     if ( $opts{'force'} ) {
>         $logger->info("VLAN reassignment is forced.");
>         return $TRUE;
>     }
> ...
>
> Regards
> Fabrice
>
>
>
> On 2016-01-28 15:51, Tim DeNike wrote:
>
> OK, the problem I'm running into is... For an unregistered device, I'm
> returning a role to aruba that forwards to the captive portal on packet
> fence.  This works.  After the user authenticates, PF isn't doing a COA to
> change the role.  It seems to only care about re-evaluating the VLAN (VLAN
> isn't changing), and not the role.
>
> Basically, I want to have an unregistered device join, be assigned to vlan
> 502 with role "pf_portal", after authentication, send COA, keeping them on
> vlan 502, but changing the role to "authenticated".  This way it doesn't
> bounce the user and change vlans, just a graceful switch from no access to
> access.
>
> On Fri, Nov 20, 2015 at 8:56 AM, Fabrice DURAND <fdur...@inverse.ca>
> wrote:
>
>> Hello Tim,
>>
>> here an example:
>> http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-integrate-Aruba-Controller-with-CPPM-to-perform-Captive/ta-p/192291
>>
>> Regards
>> Fabrice
>>
>>
>> On 2015-11-20 08:29, Tim DeNike wrote:
>>
>> I had this working 6 months ago when we demo'd the Aruba equipment.. Now
>> that we physically have it, I can't remember for the life of me how I got
>> it to work.
>>
>> I know I setup roles in the Aruba controller but I can't seem to get PF
>> to do a COA to change the role after the registration.  PF is returning the
>> role I defined for portal redirection.  The user is redirected.  Logs in
>> and PF registers the device, but no COA is sent.  I think PF isn't doing
>> anything because the VLAN isn't changing, only the role.  Would that make
>> sense?
>>
>> I think I was on 5.0 or 5.1 when I tested the Aruba, now I'm on 5.3.
>>
>> --
>> Fabrice durand  fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)


Re: [PacketFence-users] Aruba External Portal, COA..

2016-01-28 Thread Tim DeNike
OK, the problem I'm running into is... For an unregistered device, I'm
returning a role to aruba that forwards to the captive portal on packet
fence.  This works.  After the user authenticates, PF isn't doing a COA to
change the role.  It seems to only care about re-evaluating the VLAN (VLAN
isn't changing), and not the role.

Basically, I want to have an unregistered device join, be assigned to vlan
502 with role "pf_portal", after authentication, send COA, keeping them on
vlan 502, but changing the role to "authenticated".  This way it doesn't
bounce the user and change vlans, just a graceful switch from no access to
access.

On Fri, Nov 20, 2015 at 8:56 AM, Fabrice DURAND <fdur...@inverse.ca> wrote:

> Hello Tim,
>
> here an example:
> http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-integrate-Aruba-Controller-with-CPPM-to-perform-Captive/ta-p/192291
>
> Regards
> Fabrice
>
>
> On 2015-11-20 08:29, Tim DeNike wrote:
>
> I had this working 6 months ago when we demo'd the Aruba equipment.. Now
> that we physically have it, I can't remember for the life of me how I got
> it to work.
>
> I know I setup roles in the Aruba controller but I can't seem to get PF to
> do a COA to change the role after the registration.  PF is returning the
> role I defined for portal redirection.  The user is redirected.  Logs in
> and PF registers the device, but no COA is sent.  I think PF isn't doing
> anything because the VLAN isn't changing, only the role.  Would that make
> sense?
>
> I think I was on 5.0 or 5.1 when I tested the Aruba, now I'm on 5.3.
>
> --
> Fabrice durand  fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)


Re: [PacketFence-users] Dashboard Graphs

2016-01-13 Thread Tim DeNike
Can't nat it. The page hard codes the IP address of the management
interface so you won't reach it.

Sent from my iPhone

On Jan 13, 2016, at 9:16 PM, Brian Lucas  wrote:

Remote access to the web admin console is still not showing graphs and I
have port 9000 open on my router and forwarded to the management interface.
Any ideas what the issue might be?

On Thu, Dec 31, 2015, 10:45 Brian Lucas  wrote:

> httpd.graphite is no longer empty and I've tracked down some more
> details.  I typically access the admin interface remotely.  Today I
> accessed it from within the management network and everything worked fine.
> It is still not working remotely but that just tells me its a port
> forwarding or firewall issue somewhere.  I think I can probably figure it
> out from here.  Thanks!
>
> Brian
>
> On Thu, Dec 31, 2015 at 9:32 AM Durand fabrice  wrote:
>
>> Hi Brian,
>>
>> do you have something in httpd.graphite logs ?
>> Is httpd.graphite is running ?
>>
>> Regards
>> Fabrice
>>
>>
>>
>> On 2015-12-31 07:28, Brian Lucas wrote:
>>
>> ALL
>>
>> Dashboard graphs are not working on my system.  Port 9000 is open in
>> IPTABLES for the management interface so I don't believe that to be the
>> problem.  The graphite log files are empty however the httpd.admin.log file
>> contains the following error:
>>
>> Dec 31 06:04:22 httpd.admin(15984) ERROR: Use of uninitialized value
>> $start in pattern match (m//) at
>> /usr/local/pf/html/pfappserver/lib/pfappserver/PacketFence/Controller/Graph.pm
>> line 306.
>>  (pfappserver::__ANON__)
>>
>> Can anyone help me with this?  This is on pf 5.5.2 but hasn't worked for
>> a while now.
>>
>> Thanks!
>>
>> Brian


Re: [PacketFence-users] Dashboard Graphs

2015-12-31 Thread Tim DeNike
The problem is that pf incorrectly uses graphites with the ip instead of
host name.

Is pf behind nat?

Sent from my iPhone

On Dec 31, 2015, at 12:10 PM, Brian Lucas  wrote:

httpd.graphite is no longer empty and I've tracked down some more details.
I typically access the admin interface remotely.  Today I accessed it from
within the management network and everything worked fine.  It is still not
working remotely but that just tells me its a port forwarding or firewall
issue somewhere.  I think I can probably figure it out from here.  Thanks!

Brian

On Thu, Dec 31, 2015 at 9:32 AM Durand fabrice  wrote:

> Hi Brian,
>
> do you have something in httpd.graphite logs ?
> Is httpd.graphite is running ?
>
> Regards
> Fabrice
>
>
>
> On 2015-12-31 07:28, Brian Lucas wrote:
>
> ALL
>
> Dashboard graphs are not working on my system.  Port 9000 is open in
> IPTABLES for the management interface so I don't believe that to be the
> problem.  The graphite log files are empty however the httpd.admin.log file
> contains the following error:
>
> Dec 31 06:04:22 httpd.admin(15984) ERROR: Use of uninitialized value
> $start in pattern match (m//) at
> /usr/local/pf/html/pfappserver/lib/pfappserver/PacketFence/Controller/Graph.pm
> line 306.
>  (pfappserver::__ANON__)
>
> Can anyone help me with this?  This is on pf 5.5.2 but hasn't worked for a
> while now.
>
> Thanks!
>
> Brian


[PacketFence-users] CentOS 7.0 support

2015-12-23 Thread Tim DeNike
Can PF be installed on CentOS 7.0 yet, or is that still unsupported?

Migrating my PF boxes from RHEL6 to CentOS and would prefer to put them on
7 if it's doable.


[PacketFence-users] Aruba External Portal, COA..

2015-11-20 Thread Tim DeNike
I had this working 6 months ago when we demo'd the Aruba equipment.. Now
that we physically have it, I can't remember for the life of me how I got
it to work.

I know I setup roles in the Aruba controller but I can't seem to get PF to
do a COA to change the role after the registration.  PF is returning the
role I defined for portal redirection.  The user is redirected.  Logs in
and PF registers the device, but no COA is sent.  I think PF isn't doing
anything because the VLAN isn't changing, only the role.  Would that make
sense?

I think I was on 5.0 or 5.1 when I tested the Aruba, now I'm on 5.3.


[PacketFence-users] Email activation portal error. PF 5.3.1

2015-11-12 Thread Tim DeNike
It activates the device, but doesn't set the access duration.

Caught exception in
captiveportal::Controller::Authenticate->createLocalAccount "Attribute
(value) does not pass the type constraint because: Validation failed for
'Str' with value undef at constructor pf::Authentication::Action::new
(defined at /usr/local/pf/lib/pf/Authentication/Action.pm line 43) line 41
pf::Authentication::Action::new('pf::Authentication::Action',
'HASH(0x7f310f84fea8)') called at
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Authenticate.pm
line 400
captiveportal::PacketFence::Controller::Authenticate::createLocalAccount('captiveportal::Controller::Authenticate=HASH(0x7f310d34b380)',
'captiveportal=HASH(0x7f310f864f80)', 'HASH(0x7f310f876df0)') called at
/usr/share/perl5/vendor_perl/Catalyst/Action.pm line 65
Catalyst::Action::execute('Catalyst::Action=HASH(0x7f310d3dbb48)',
'captiveportal::Controller::Authenticate=HASH(0x7f310d34b380)',
'captiveportal=HASH(0x7f310f864f80)', 'HASH(0x7f310f876df0)') called at
/usr/share/perl5/vendor_perl/Catalyst.pm line 1691 eval {...} called at
/usr/share/perl5/vendor_perl/Catalyst.pm line 1691
Catalyst::execute('captiveportal=HASH(0x7f310f864f80)',
'captiveportal::Controller::Authenticate',
'Catalyst::Action=HASH(0x7f310d3dbb48)') called at
/usr/share/perl5/vendor_perl/Catalyst/Plugin/StackTrace.pm line 22
Catalyst::Plugin::StackTrace::execute('captiveportal=HASH(0x7f310f864f80)',
'captiveportal::Controller::Authenticate',
'Catalyst::Action=HASH(0x7f310d3dbb48)') called at
/usr/share/perl5/vendor_perl/Catalyst/Action.pm line 60
Catalyst::Action::dispatch('Catalyst::Action=HASH(0x7f310d3dbb48)',
'captiveportal=HASH(0x7f310f864f80)') called at
/usr/share/perl5/vendor_perl/Catalyst/Dispatcher.pm line 257
Catalyst::Dispatcher::_do_forward('Catalyst::Dispatcher=HASH(0x7f310c3afb80)',
'forward', 'captiveportal=HASH(0x7f310f864f80)', 'Authenticate',
'createLocalAccount', 'ARRAY(0x7f310f876ee0)') called at
/usr/share/perl5/vendor_perl/Catalyst/Dispatcher.pm line 237
Catalyst::Dispatcher::forward('Catalyst::Dispatcher=HASH(0x7f310c3afb80)',
'captiveportal=HASH(0x7f310f864f80)', 'Authenticate', 'createLocalAccount',
'ARRAY(0x7f310f876ee0)') called at /usr/share/perl5/vendor_perl/Catalyst.pm
line 358 Catalyst::forward('captiveportal=HASH(0x7f310f864f80)',
'Authenticate', 'createLocalAccount', 'ARRAY(0x7f310f876ee0)') called at
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Activate/Email.pm
line 151
captiveportal::PacketFence::Controller::Activate::Email::doEmailRegistration('captiveportal::Controller::Activate::Email=HASH(0x7f310d350208)',
'captiveportal=HASH(0x7f310f864f80)', 'c1d5719d1bd605a5669f92200175a32c')
called at /usr/share/perl5/vendor_perl/Catalyst/Action.pm line 65
Catalyst::Action::execute('Catalyst::Action=HASH(0x7f310d401d88)',
'captiveportal::Controller::Activate::Email=HASH(0x7f310d350208)',
'captiveportal=HASH(0x7f310f864f80)', 'c1d5719d1bd605a5669f92200175a32c')
called at /usr/share/perl5/vendor_perl/Catalyst.pm line 1691 eval {...}
called at /usr/share/perl5/vendor_perl/Catalyst.pm line 1691
Catalyst::execute('captiveportal=HASH(0x7f310f864f80)',
'captiveportal::Controller::Activate::Email',
'Catalyst::Action=HASH(0x7f310d401d88)') called at
/usr/share/perl5/vendor_perl/Catalyst/Plugin/StackTrace.pm line 22
Catalyst::Plugin::StackTrace::execute('captiveportal=HASH(0x7f310f864f80)',
'captiveportal::Controller::Activate::Email',
'Catalyst::Action=HASH(0x7f310d401d88)') called at
/usr/share/perl5/vendor_perl/Catalyst/Action.pm line 60
Catalyst::Action::dispatch('Catalyst::Action=HASH(0x7f310d401d88)',
'captiveportal=HASH(0x7f310f864f80)') called at
/usr/share/perl5/vendor_perl/Catalyst/Dispatcher.pm line 257
Catalyst::Dispatcher::_do_forward('Catalyst::Dispatcher=HASH(0x7f310c3afb80)',
'forward', 'captiveportal=HASH(0x7f310f864f80)', 'doEmailRegistration',
'ARRAY(0x7f310f86f918)') called at
/usr/share/perl5/vendor_perl/Catalyst/Dispatcher.pm line 237
Catalyst::Dispatcher::forward('Catalyst::Dispatcher=HASH(0x7f310c3afb80)',
'captiveportal=HASH(0x7f310f864f80)', 'doEmailRegistration',
'ARRAY(0x7f310f86f918)') called at /usr/share/perl5/vendor_perl/Catalyst.pm
line 358 Catalyst::forward('captiveportal=HASH(0x7f310f864f80)',
'doEmailRegistration', 'ARRAY(0x7f310f86f918)') called at
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Activate/Email.pm
line 82
captiveportal::PacketFence::Controller::Activate::Email::code('captiveportal::Controller::Activate::Email=HASH(0x7f310d350208)',
'captiveportal=HASH(0x7f310f864f80)', 'c1d5719d1bd605a5669f92200175a32c')
called at /usr/share/perl5/vendor_perl/Catalyst/Action.pm line 65
Catalyst::Action::execute('Catalyst::Action=HASH(0x7f310d401c50)',
'captiveportal::Controller::Activate::Email=HASH(0x7f310d350208)',
'captiveportal=HASH(0x7f310f864f80)', 'c1d5719d1bd605a5669f92200175a32c')
called at /usr/share/perl5/vendor_perl/Catalyst.pm line 1691 eval {...}
called 

Re: [PacketFence-users] Certificate

2015-10-28 Thread Tim DeNike
If you are doing 802.1x, wildcard certificates are no good. Just an FYI.

Sent from my iPhone

> On Oct 28, 2015, at 9:01 PM, Guntharp, Jason W.  wrote:
>
> Our institution is taking a look at packetfence as a NAC. I'm wanting to use 
> our trusted GoDaddy certificate to help get it off the ground. Is there a 
> link or resource anyone would recommend to get the other cert configured on 
> packetfence?
>
> Thanks
>
> Sent from my iPhone


Re: [PacketFence-users] Device not found in Database

2015-10-22 Thread Tim DeNike
I agree.   The iplog_history table needs to be reworked.  IMHO, we don't
need a single record for the same ip again and again and again for every
renewal, the renewal should extend the end time and keep it as one record.
Iplog_history is the single biggest performance problem in my pf setup.

Sent from my iPhone

On Oct 22, 2015, at 8:35 PM, Thomas, Gregory A  wrote:

I have found a temporary fix for this issue. The user’s device was not in
the node table of the database and thus a correct error. However the device
was given an address from the dhcp server but the database slow to update
the node table with the information.



In my case the iplog_history table was what was causing the problems. I
have an instance of phpMyAdmin installed and when I tried to browse the
table it was extremely slow to respond. I assumed this was causing problems
with writing to the node table as it has to work on pulling info from the
iplog and placing it into iplog_history. The history table was well over
3,000,000 records at 7 weeks of use and close to 300 MB all unindexed.



I backed up iplog_history, truncated the table and rebooted the server.
This time the load never got over 2 and has settled to .7 at peak time.



I will be working on some process to do this type of truncation for me on a
weekly basis to help keep the system running.



--

Gregory A. Thomas

Computer Professional

University of Wisconsin-Parkside

thom...@uwp.edu


262.595.2432



*From:* Thomas, Gregory A [mailto:thom...@uwp.edu ]
*Sent:* Thursday, October 22, 2015 6:31 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] Device not found in Database



So,



I am run 5.4 in complete Inline mode.

CentOS 6.7 64bit

6 GB RAM with 6 Processors

Running on an EXi server



This afternoon, the server began a death spiral where the free RAM was
getting to 500 MB free (yeah I know there is still a ton there) and the
load was starting to creep from .8 to 7 and eventually at reboot time stuck
at 20 + for 5 minutes straight. That is not the problem (right now).



I rebooted the server with the managed NIC disabled, know that once enable
the load would jump to handle all of the “new” requests for access. After
about 5 minutes, the load fell to the evening average of 2-3. So I decide
to see how the network is running.



I fire up my phone, which is registered and I get the error: Your device in
not in the Database, please reboot to solve this problem. Of course I don’t
as I know better and renew the lease and everything else under the sun and
eventually reboot all to no avail. After about 10 minutes and trying to
calm residents down who are also getting this error, I get a connection and
can register my phone.



What causes this error and is there a way to somewhat eliminate it?



--

Gregory A. Thomas

Computer Professional

University of Wisconsin-Parkside

thom...@uwp.edu


262.595.2432





Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-22 Thread Tim DeNike
Set the role vlan to -1. That should return reject.

Sent from my iPhone

On Oct 22, 2015, at 11:17 AM, Morris, Andi  wrote:

I’ve been working on this today, and have successfully created a manually
triggered violation that sends the device to the macdetection vlan (id 4),
which doesn’t exist on our network. However, I can see the violation
triggering, and access briefly drops on my test device, but it always
connects back up to the network without issue and continues as normal.



Would creating a real vlan, which has no route to the internet be a better
way to go about this? Or am I doing something wrong by sending them to the
mac detection vlan?



Cheers,

Andi



*From:* Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
*Sent:* 22 October 2015 09:45
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Recommended setup for HA and efficiency



Thanks Arthur,

That’s a really interesting idea. I’ll see if I can find a way to spot
devices that are hanging around for a while and set something like this up.



*From:* Arthur Emerson [mailto:arthur.emer...@msmc.edu]
*Sent:* 21 October 2015 18:38
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Recommended setup for HA and efficiency



On 10/21/15, 12:35 PM, "Morris, Andi"  wrote:



Has anyone else run into this sort of issue with devices sitting in the
captive portal, and if so how do you combat it?



I made a local portal user ID for unregistered devices that are hanging
around for too long without registering.  Once the device is manually
registered to that user, I set a violation on the device, which sends it
to an unused VLAN (mac-detect?).  You can do the same thing with RADIUS
VLAN settings for the special user, as long as the device gets sent to
the naughty room (isolated on a dead VLAN).



I never automated this process, but it shouldn't be too difficult...



-Arthur



-

Arthur Emerson III          Email:      emer...@msmc.edu
Network Administrator       InterNIC:   AE81
Mount Saint Mary College    MaBell:     (845) 561-0800 Ext. 3109
330 Powell Ave.             Fax:        (845) 562-6762
Newburgh, NY  12550         SneakerNet: Aquinas Hall Room 8A




Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-21 Thread Tim DeNike
Move MySQL to a different server on fast storage.  I run 2 MySQL vms in ha
on ssd storage and that helps.

Sent from my iPhone

On Oct 21, 2015, at 12:37 PM, Morris, Andi  wrote:

Hi all,

I’ve recently come into some issues with the load on my PacketFence setup
during peak times and so we’re now looking at seeing if we can split the
service into separate components across servers, and also across our two
sites for high availability.



Loads are currently around 2000 devices concurrently at peak times, all
using 802.1x through the freeradius mschap component to our backend active
directory server. At peak times there are sometimes 500 devices sitting in
the captive portal.



Our current setup is a VMWare server with 4vCPUs & 32GB of memory. Inverse
have had a look and have suggested that our server is being battered by
devices in our captive portal. However I’m not sure there’s much we can do
to alleviate this, as it’s a BYOD environment, and we have little to no
control over the devices that come into the network. I’ve added some apache
filters to 501 certain apps that are hitting the portal, but it doesn’t
seem to be making a huge difference, and some apps are still hitting the
portal even after the 501 error is given.



So, some quick questions regarding this:

-  Will moving the MySQL component of the setup onto a dedicated
server make a marked difference to the performance?

-  If I gave each university site a PF httpd/radius service, would
they both need to access one single central MySQL server or would this
cause deadlocks?

-  Is splitting PF into 3 separate components: apache, freeradius
and MySQL also an option to bring server load down?



Has anyone else run into this sort of issue with devices sitting in the
captive portal, and if so how do you combat it? Larger environments, what
is your setup regarding PF hardware and services?



Cheers,

Andi


Re: [PacketFence-users] Issue with dhcp sending wrong DNS in clustered mode

2015-10-21 Thread Tim DeNike
When a device is in registration vlan, the DHCP assigned dns server is the
PF server.  This is so they can redirect to the captive portal.

I'm not sure how it operates in inline mode.

What is your setup?

On Wed, Oct 21, 2015 at 7:23 AM, Simon Gottschlag  wrote:

> Hi all!
>
>
>
> I’m using the latest version of PacketFence (ZEN) and have setup a cluster.
>
> Registration works, and after that I’m able to ping the internet (example
> 8.8.8.8).
>
>
>
> My problem is that I’m not able to resolve anything else. The DHCP server
> (packetfence server) are sending the cluster nodes IPs as the DNS servers,
> even though I’ve specified another one in networks.conf.
>
>
>
> Are the nodes in the cluster meant to handle all DNS queries? If not, what
> do you think could be the problem?
>
>
>
> Best regards,
> Simon Gottschlag


Re: [PacketFence-users] Mysql database maintenance

2015-10-20 Thread Tim DeNike
The maintenance script, also shortening expiration times in configuration,
expiration.  Check to see how often your APs/switches are sending
accounting information.  If you can change them to space the accounting
info out further, it can be a big savings.

On Tue, Oct 20, 2015 at 2:58 PM, Pete Hoffswell <
pete.hoffsw...@davenport.edu> wrote:

> Just looking at my database... it's pretty big -
>
> pf# mysql -u pf -p
> Enter password:
> Welcome to the MySQL monitor.  Commands end with ; or \g.
> 
> mysql> use pf
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
>
> Database changed
> mysql> SELECT table_schema "DB Name",
>     ->        Round(Sum(data_length + index_length) / 1024 / 1024, 1) "DB Size in MB"
>     -> FROM   information_schema.tables
>     -> GROUP  BY table_schema;
> +--------------------+---------------+
> | DB Name            | DB Size in MB |
> +--------------------+---------------+
> | information_schema |           0.0 |
> | pf                 |        8465.4 |
> +--------------------+---------------+
> 2 rows in set (1.07 sec)
>
> mysql>
>
>
>
> What's the best way to clean up the database of old data?
>
> addons/database-backup-and-maintenance.sh
>
> ?
>
>
>
> -
> Pete Hoffswell - Network Manager
> pete.hoffsw...@davenport.edu
> http://www.davenport.edu


Re: [PacketFence-users] Mysql database maintenance

2015-10-20 Thread Tim DeNike
0 means keep forever.

Your radacct_log/radacct is getting up there.  Check the database
maintenance script and modify the interval to keep it for X months.

For us, 2 months = about 3gig for each of those.



On Tue, Oct 20, 2015 at 4:12 PM, Pete Hoffswell <
pete.hoffsw...@davenport.edu> wrote:

> Thanks,
>
> Gotcha.  Configuration > Expiration -
>
> My expirations are set for
>
> Node - 7 days
> IP/Mac Logs - 0 days
> Trap Logs - 0 days
> Location Logs - 0 days
>
> Auto-expire settings are all active as well.
>
> What's zero mean?  Keep none, or keep all?
>
>
> Looks like it's radius -
>
> +------------------+------------+
> | Tables           | Size in MB |
> +------------------+------------+
> | radacct_log      |    5171.00 |
> | radacct          |    2851.16 |
> | locationlog      |     404.67 |
> | iplog            |      32.28 |
> | node             |       7.86 |
> | person           |       1.47 |
> | activation       |       0.11 |
> | dhcp_fingerprint |       0.09 |
>
>
> -
> Pete Hoffswell - Network Manager
> pete.hoffsw...@davenport.edu
> http://www.davenport.edu
>
>
> On Tue, Oct 20, 2015 at 4:07 PM, Louis Munro <lmu...@inverse.ca> wrote:
>
>> I would also suggest finding out exactly which table is using the most
>> space.
>> That will tell you where to bother pruning data and where it’s not worth
>> the trouble.
>>
>> I use this query to see the size of the tables:
>>
>>
>> SELECT table_name AS 'Tables',
>> round(((data_length + index_length) / 1024 / 1024), 2) 'Size in MB'
>> FROM information_schema.TABLES
>> WHERE table_schema = 'pf'
>> ORDER BY (data_length + index_length) DESC;
>>
>>
>> --
>> Louis Munro
>> lmu...@inverse.ca  ::  www.inverse.ca
>> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On Oct 20, 2015, at 15:29 , Tim DeNike <tim.den...@mcc.edu> wrote:
>>
>> The maintenance script, also shortening expiration times in
>> configuration, expiration.  Check to see how often your APs/switches are
>> sending accounting information.  If you can change them to space the
>> accounting info out further, it can be a big savings.
>>
>> On Tue, Oct 20, 2015 at 2:58 PM, Pete Hoffswell <
>> pete.hoffsw...@davenport.edu> wrote:
>>
>>> Just looking at my database... it's pretty big -
>>>
>>> pf# mysql -u pf -p
>>> Enter password:
>>> Welcome to the MySQL monitor.  Commands end with ; or \g.
>>> 
>>> mysql> use pf
>>> Reading table information for completion of table and column names
>>> You can turn off this feature to get a quicker startup with -A
>>>
>>> Database changed
>>> mysql> SELECT table_schema "DB Name",
>>>     -> Round(Sum(data_length + index_length) / 1024 / 1024, 1) "DB Size in MB"
>>>     -> FROM   information_schema.tables
>>>     -> GROUP  BY table_schema;
>>> +--------------------+---------------+
>>> | DB Name            | DB Size in MB |
>>> +--------------------+---------------+
>>> | information_schema |           0.0 |
>>> | pf                 |        8465.4 |
>>> +--------------------+---------------+
>>> 2 rows in set (1.07 sec)
>>>
>>> mysql>
>>>
>>>
>>>
>>> What's the best way to clean up the database of old data?
>>>
>>> addons/database-backup-and-maintenance.sh
>>>
>>> ?
>>>
>>>
>>>
>>> -
>>> Pete Hoffswell - Network Manager
>>> pete.hoffsw...@davenport.edu
>>> http://www.davenport.edu
>>>
>>>
>>>


[PacketFence-users] Violation release_date 8 hours before start_date.

2015-10-12 Thread Tim DeNike
Seeing auto-registration violations where the release_date is 8 hours PRIOR
to the start_date.  Somehow in the logic, it's not letting a violation
re-occur until 8 hours AFTER the start date.

The auto-reg violation is set without a delay, window, or grace.  Have
tried setting 1 second grace, window and delay with no change.

PF 5.3


[PacketFence-users] Violation trigger change in 5.3?

2015-10-08 Thread Tim DeNike
I swear mac-vendor violations used to trigger on the radius provided mac
address.  Now, it seems they only trigger when it hits pfdhcplistener.

Does this have something to do with the migration from using a decimal
encoded mac prefix in the violation to using the mac vendor ID?

Violations that match a specific mac address still work off the RADIUS
provided mac.

Am I crazy here?


Re: [PacketFence-users] Cisco Wireless LAN Controller WLC Session Timeout Setting

2015-09-14 Thread Tim DeNike
Not Cisco specific, but I have seen some vendors' supplicants actually pause
or de-auth the client on a timeout re-authentication.  So the user
essentially sees a disconnect just for the duration of the re-auth.

On Mon, Sep 14, 2015 at 11:03 AM, Tedder, Eric 
wrote:

> Do you use the AVC features on the WLC? I attempted to use AVC on the WLC
> and it caused me too much headache with issues like you are describing.
>
>
>
>
>
> *From:* Pete Hoffswell [mailto:pete.hoffsw...@davenport.edu]
> *Sent:* Monday, September 14, 2015 10:57 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Cisco Wireless LAN Controller WLC
> Session Timeout Setting
>
>
>
> Thanks for the info, Eric -
>
>
>
> It is quite possible I'm barking up the wrong tree on this issue.  Not a
> PF issue, in my thinking.
>
>
> -
> Pete Hoffswell - Network Manager
> pete.hoffsw...@davenport.edu
> http://www.davenport.edu
>
>
>
> On Mon, Sep 14, 2015 at 10:53 AM, Tedder, Eric 
> wrote:
>
> Pete,
>
>
>
> I run multiple SSIDs with Packet Fence and 1800 is not a problem at my
> site. I also have an SSID with 420 set as my timeout without a problem.
>
> I would suspect a bigger problem like maybe a web proxy or firewall/ACL
> restrictions. We use a 5508 running WLC 8.0.120.0 with a 4GB LAG and PF 4.7
>
> All of this is with VLAN management.
>
>
>
> Eric
>
>
>
> *From:* Pete Hoffswell [mailto:pete.hoffsw...@davenport.edu]
> *Sent:* Monday, September 14, 2015 9:57 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* [PacketFence-users] Cisco Wireless LAN Controller WLC Session
> Timeout Setting
>
>
>
> Hi everyone -
>
>
>
> We currently run a WLAN session timeout setting of 1800 seconds (30
> minutes). This is what is called for in the PacketFence Documentation.
>
>
>
> We are having users complain of some disruption to real-time streams.
>  (Video conference, etc).  I think that if I turn off the session timeout,
> things might clear up a bit for them?
>
>
>
> Would it be ok to turn off session timeout on my WLC's SSID?
>
>
>
>
> -
> Pete Hoffswell - Network Manager
> pete.hoffsw...@davenport.edu
> http://www.davenport.edu
>
>
>


[PacketFence-users] graphite charts in a cluster

2015-09-11 Thread Tim DeNike
Just upgraded my cluster to 5.3.1 this morning.. How do I make it so it
shows the stats for both servers in the graphs?

It looks like it's supposed to?


Re: [PacketFence-users] graphite charts in a cluster

2015-09-11 Thread Tim DeNike
Active/Active..  Sorry.  :D

On Fri, Sep 11, 2015 at 10:54 AM, Louis Munro <lmu...@inverse.ca> wrote:

> Hi Tim,
> Is your cluster active/active or active/passive?
>
>
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Sep 11, 2015, at 8:51 , Tim DeNike <tim.den...@mcc.edu> wrote:
>
> Just upgraded my cluster to 5.3.1 this morning.. How do I make it so it
> shows the stats for both servers in the graphs?
>
> It looks like it's supposed to?
>


Re: [PacketFence-users] graphite charts in a cluster

2015-09-11 Thread Tim DeNike
I see what the problem is.. I have a separate interface set up for
clustering and I have the hosts file pointing to that IP instead of the
management IP, so the carbon.con sends the data to the wrong place


On Fri, Sep 11, 2015 at 10:56 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Active/Active..  Sorry.  :D
>
> On Fri, Sep 11, 2015 at 10:54 AM, Louis Munro <lmu...@inverse.ca> wrote:
>
>> Hi Tim,
>> Is your cluster active/active or active/passive?
>>
>>
>> --
>> Louis Munro
>> lmu...@inverse.ca  ::  www.inverse.ca
>> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On Sep 11, 2015, at 8:51 , Tim DeNike <tim.den...@mcc.edu> wrote:
>>
>> Just upgraded my cluster to 5.3.1 this morning.. How do I make it so it
>> shows the stats for both servers in the graphs?
>>
>> It looks like it's supposed to?
>>


[PacketFence-users] Passthrough for google play store.

2015-09-04 Thread Tim DeNike
We need to be able to allow an app download for .1x setup from the google
play store.

Hostname is:

r3---sn-hxgpu-a5oe.gvt1.com

But it won't match *.gvt1.com in passthroughs.

I'm assuming it's a dynamically generated host that will change.  I'm pretty
sure the problem is in the "---" causing variable problems.

Any ideas?


Re: [PacketFence-users] Passthrough for google play store.

2015-09-04 Thread Tim DeNike
Oh. *. Seemed to work in the past.

Sent from my iPhone

On Sep 4, 2015, at 10:35 AM, Louis Munro <lmu...@inverse.ca> wrote:

Hi Tim,

Try just .gvt1.com in your passthroughs.

IIRC it is matched as a regular expression, not a globbing pattern.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
www.packetfence.org)

On Sep 4, 2015, at 9:42 , Tim DeNike <tim.den...@mcc.edu> wrote:


But it won't batch *.gvt1.com in  passthroughs.
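
The difference between the two readings of a passthrough entry discussed above, as an added example that is not PacketFence code and not from any poster in this thread. It assumes, as recalled in the reply, that an entry is applied verbatim as an unanchored regular expression; the function names are hypothetical and every host except the one named in the post is constructed.

```python
import re

# One DNS label; consecutive hyphens are allowed, as in the host from the post.
LABEL = r"[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?"
DOMAIN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})+")

# Constructed test hosts, except the first, which is the host named in the post.
HOSTS = [
    "r3---sn-hxgpu-a5oe.gvt1.com",
    "gvt1.com",
    "notgvt1.com",
    "cdn.gvt1.com.example.net",
    "r3.gvt1xcom.example.net",
]


def loose_regex(entry):
    """Compile the entry verbatim as an unanchored regex (assumed behaviour)."""
    try:
        return re.compile(entry, re.IGNORECASE)
    except re.error:
        return None  # '*.gvt1.com': the leading '*' has nothing to repeat


def strict_regex(entry):
    """Build an escaped pattern, meant for fullmatch(), from a passthrough entry.

    '*.example.com' and '.example.com' both mean "any subdomain of
    example.com"; a bare 'host.example.com' means that one name only.
    """
    name = entry.strip().lower().rstrip(".")
    wildcard = name.startswith(("*.", "."))
    if wildcard:
        name = name.split(".", 1)[1]
    if not DOMAIN_RE.fullmatch(name):
        raise ValueError(f"not a usable passthrough domain: {entry!r}")
    prefix = rf"(?:{LABEL}\.)+" if wildcard else ""
    return re.compile(prefix + re.escape(name))


def allowed(entry, host):
    """True if host is covered by the entry under the strict reading."""
    return strict_regex(entry).fullmatch(host.lower().rstrip(".")) is not None


def overmatched(entry, hosts):
    """Hosts the verbatim regex lets through that the strict reading rejects."""
    loose = loose_regex(entry)
    if loose is None:
        return []
    return [h for h in hosts if loose.search(h) and not allowed(entry, h)]


if __name__ == "__main__":
    for entry in ("*.gvt1.com", ".gvt1.com"):
        status = "invalid as a regex" if loose_regex(entry) is None else "compiles"
        print(f"{entry!r}: {status}; over-matched hosts: {overmatched(entry, HOSTS)}")
```

Read as a regex, `.gvt1.com` lets unrelated names through because the dots match any character and nothing anchors the pattern, which matters for a rule that opens access to unregistered devices.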




Re: [PacketFence-users] Passthrough for google play store.

2015-09-04 Thread Tim DeNike
Weird.. I wrote a script to process everything as pfdns would.. found that
it wasn't taking the updates from the pf.conf into the keyed table in the
DB.  had to delete the config::Pf(packetfence2.mcc.edu) and config::Pf(
packetfence1.mcc.edu) keys then reload packetfence-config

On Fri, Sep 4, 2015 at 10:36 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Oh. *. Seemed to work in the past.
>
> Sent from my iPhone
>
> On Sep 4, 2015, at 10:35 AM, Louis Munro <lmu...@inverse.ca> wrote:
>
> Hi Tim,
>
> Try just .gvt1.com in your passthroughs.
>
> IIRC it is matched as a regular expression, not a globbing pattern.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Sep 4, 2015, at 9:42 , Tim DeNike <tim.den...@mcc.edu> wrote:
>
>
> But it won't batch *.gvt1.com in  passthroughs.
>
>
>


Re: [PacketFence-users] Periodically losing domain trust

2015-08-21 Thread Tim DeNike
Do you have a domain policy set that expires machine accounts faster than
the default 30 days?  Just curious.

On Fri, Aug 21, 2015 at 10:47 AM, Louis Munro lmu...@inverse.ca wrote:



 On Aug 20, 2015, at 17:46 , Morgan, Joel P. joel.mor...@mga.edu wrote:

 I was going to try Samba4, but when I tried to install via yum it said it
 conflicted with samba 3. When I tried to remove samba 3, it said
 packetfence.noarch depended on it. I decided to try something else to avoid
 breaking dependencies.



 PacketFence depends on “some version” of samba to be able to authenticate
 PEAP requests.

 Of course yum will complain if you try to uninstall samba.
 It cannot know that you intend to install another version.

 The way to do this is to uninstall the samba packages with
 # rpm -e --nodeps

 and then reinstall the samba4 packages.

 That will work.



 Last week, using yum I upgraded to Centos 6.7. Today, just like clockwork
 AD authentication started failing 7 days after the join.

 Here are the samba packages I have installed:

 yum list installed | grep samba

 samba.x86_64  3.6.23-20.el6 @base

 samba-client.x86_64   3.6.23-20.el6 @base

 samba-common.x86_64   3.6.23-20.el6 @base

 samba-winbind.x86_64  3.6.23-20.el6 @base

 samba-winbind-clients.x86_64  3.6.23-20.el6 @base

 samba4-libs.x86_64   4.0.0-66.el6_6.rc4 @updates

 There is a package samba-winbind-krb5-locator.x86_64 that is available,
 but not installed. Redhat describes this package as It contains a plug-in
 for the system Kerberos library to allow the local Kerberos library to use
 the same KDC as Samba and Winbind use. Is this package required?



 I have never used it.
 It has never been necessary in the past.


 One thing I did notice was that in my /chroots/MGA/etc/samba/MGA.conf and
 /chroots/MGADomain/etc/krb5.conf the realm was listed in lowercase.
 Everything I've read states it should always be the domain in UPPERCASE.
 Today, I deleted the existing domain in the Packetfence GUI and created a
 new one where I input the domain in UPPERCASE. I'll see if it lasts more
 than a week.


 I doubt it.
 It would have failed before that and not at ticket renewal time.

 Just to be clear, all the PacketFence integration does is generate an
 smb.conf and krb.conf configuration based on the configuration you provide.
 It allows multiple domains by running each into a chroot so that they
 don’t step on each other.

 Can you post your smb.conf and krb5.conf files?

 --
 Louis Munro
 lmu...@inverse.ca  ::  www.inverse.ca
 +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
 Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
 www.packetfence.org)





Re: [PacketFence-users] PF DNS record changed

2015-08-20 Thread Tim DeNike
Just set a cname

Sent from my iPhone

 On Aug 20, 2015, at 3:35 PM, Derek Wuelfrath dwuelfr...@inverse.ca wrote:

 Jake,

 You are talking about the dynamic DNS thing that happens when you are joining 
 the domain right ?
 I may have a little something that could be tested but it is not guaranteed
 that it will work… We are unfortunately unable to reproduce here since we 
 don’t do dynamic DNS on domain join (it actually never worked !! ;))

 So here’s the thing… When Samba is binding, it will either use an ‘interface’ 
 parameter configurable within /etc/samba/smb.conf or will ask the kernel for 
 a list of network interfaces to use for binding (except 127.0.0.1… yes it’s 
 good to be home but not in this case)

 What I may want to try is the following:
 - Edit the smb.conf template (/usr/local/pf/addons/AD/smb.tt) used for domain 
 join within the chroot to add the interface parameter pointing to your 
 management ip address (interfaces = 42.13.37.42)

 - Edit that same file to add the following line: bind interfaces only = false
 (Those two lines are already at the end of the file, simply uncomment them 
 and change the values)

 - Remove the actual record in your AD so we make sure a new one is created

 - In the PacketFence webadmin GUI, rejoin the domain.

 Let me know!

 Cheers!
 dw.

 —
 Derek Wuelfrath
 dwuelfr...@inverse.ca :: www.inverse.ca
 +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
 Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
 (www.packetfence.org)

 On Aug 20, 2015, at 14:30, Sallee, Jake jake.sal...@umhb.edu wrote:

 Hello all ... again.

 The new domain joining system adds a virtual interface to the server that it 
 uses to communicate with the domain.  however this new interface is not the 
 same one as the management interface.

 The new interface is automatically registering itself with my DNS servers 
 overwriting the current (and correct) entry.

 How do I make this stop?

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU

 900 College St.
 Belton, Texas
 76513

 Fone: 254-295-4658
 Phax: 254-295-4221



Re: [PacketFence-users] Users entries are double - AD and local database - strip realm problem

2015-08-19 Thread Tim DeNike
Personally. I think this is where pf needs to normalize usernames
based on authentication source.  I fixed it internally to make it work
for our needs (local ad users are always recorded as their
samaccountname whether they auth with realm\user, user@realm, or
user@addomain.realm.  Guest or eduroam users are recorded with full
user@realm. )

A good enhancement would be to specify mappings to how you want it
stored in the DB. My .02 :)

Sent from my iPhone

 On Aug 19, 2015, at 9:59 AM, Dennis Schulmeyer d...@mensch-und-mouse.de 
 wrote:

 Hi everybody,

 In my „Users“ list I see a double entry for a user after registering via the 
 web portal.
 We have our AD users source and no local created users.
 After 802.1x the PF fetches the users information from our AD and I can see 
 the user - DOMAIN\\firstname.lastname and the PCs hostname - 
 host/hostname.domain.com
 PF finds the correct rules and put the users in the correct VLAN.. So 
 everything is fine ..

 But when a user logs on via web portal, PF will fetch the username from AD 
 and stores it with - firstname.lastname only!

 So one problem is that we have lots of double users entries… and the AD unreg 
 script will unreg the firstname.lastname user only..

 Maybe there is still a problem with our realm stripping?!

 Any hints?

 Thank you in advance!

 Kind regards,
 Dennis
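
A sketch of the per-source username normalization described in the reply above, as an added example; it is not PacketFence code and not the poster's internal fix. The realm names, sample identities and function names are constructed, and it assumes that bare names belong to the local AD domain and that local account names compare case-insensitively.

```python
from collections import defaultdict

# Constructed realm names: every spelling under which the local AD domain is seen.
LOCAL_REALMS = frozenset({"example", "example.edu", "ad.example.edu"})

# Constructed identities, in the forms the thread mentions.
STORED = [
    r"EXAMPLE\\jane.doe",         # 802.1X, backslash shown escaped as in the post
    "jane.doe",                   # what the portal stored
    "jane.doe@example.edu",
    "Jane.Doe@ad.example.edu",
    "visitor@guest.example.org",  # guest/eduroam style identity
    "host/pc01.example.edu",      # machine authentication
]


def normalize_username(raw, local_realms=LOCAL_REALMS):
    """Map one authenticated identity to the form stored in the database."""
    name = raw.strip()
    if name.lower().startswith("host/"):
        return name.lower()           # machine account: keep as its own identity
    if "\\" in name:                  # REALM\user, also the escaped REALM\\user
        realm, _, user = name.rpartition("\\")
        realm = realm.rstrip("\\")
    elif "@" in name:                 # user@realm
        user, _, realm = name.rpartition("@")
    else:
        return name.lower()           # bare name: assumed to be a local AD user
    if not user or not realm:
        raise ValueError(f"malformed identity: {raw!r}")
    if realm.lower() in local_realms:
        return user.lower()           # local AD user: account name only
    return f"{user}@{realm.lower()}"  # foreign realm: keep the full user@realm


def group_duplicates(stored_names, local_realms=LOCAL_REALMS):
    """Return {normalized name: [stored spellings]} for names stored more than once."""
    groups = defaultdict(list)
    for raw in stored_names:
        groups[normalize_username(raw, local_realms)].append(raw)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for key, names in group_duplicates(STORED).items():
        print(f"{key}: stored as {names}")
```

Running the grouping over the existing user list shows which entries would collapse into one, which is also the set an unregistration script keyed on a single spelling would miss.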




Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Tim DeNike
Or setup a portal profile.  Do you want people to register devices on this
ssid?

Sent from my iPhone

On Aug 6, 2015, at 9:12 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
wrote:

Good morning -

I have a SSID resnet, and would like all users to be forced to vlan 10,
no matter their role.

I do have a role resnet that is defined in my device configurations to
vlan 10.

Would this be the correct rule for a vlan_filters.conf?


[resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = NormalVlan
role = resnet


-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu



Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Tim DeNike
That's why I use different roles for 1x and portal login.  I don't assign
the role to the device for portal login, just register and dynamically
assign. Then I have a rule to deny association for registered devices with
no role to the insecure ssids.  Once someone connects with 1x, that device
isn't allowed on Mac auth until the next day (expire the registration). My
goal is to always keep people on 1x and only use portal for devices that
can't use 1x for some reason.

But we don't have dorms so the situation is a little different.

Sent from my iPhone

On Aug 6, 2015, at 11:11 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
wrote:

Our regular SSID is 802.1x.  There is no portal profile, if I'm not
mistaken.

I have a portal profile for resnet, and that works fine for unregistered
devices.

  I just want registered device (such as ones that connected to the 802.1x
regular ssid first) to connect to a different vlan (resnet) when they
connect to the resnet ssid.

I don't actually want to modify the node.  Just switch it to a different
vlan.





-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu


On Thu, Aug 6, 2015 at 10:55 AM, Chris Abel ca...@wildwoodprograms.org
wrote:

 Yes, this is for auto registration.

 If you still want unregistered users to hit the registration page, why
 don't you add the resnet SSID to the portal profile you have for your
 regular SSID?

 On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Thanks, Chris!

 Does the AutoRegister automatically register the user, then?  I don't
 necessarily want that.  I still want them to get stuck on a registration
 page if they are not registered...

 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Pete, I think you'll want something like this:

 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = AutoRegister
 role = resnet

 [2:resnet-ssid]
 scope = NormalVlan
 role = resnet
 action = modify_node
 action_param = mac = $mac, category = resnet

 On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may
 have been registered on a separate SSID, and then try to connect to this
 network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.  Normally
 identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or setup a portal profile.  Do you want people to register devices on
 this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan
 10, no matter their role.

 I do have a role resnet that is defined in my device configurations
 to vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu






 --
 Chris Abel
 Systems and Network Administrator
 Wildwood Programs
 2995 Curry Road Extension
 Schenectady, NY  12303
 518-836-2341

Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Tim DeNike
That's on the user. If they don't use the installer we provide that sets up
all the certificates and trusts.  Otherwise it really doesn't matter.  If I
went and setup a hotspot  near your campus with a ssid of resnet and made
the portal look the same as yours I could probably have dozens or hundreds
of passwords by the end of the day.

Perfect world would be doing certificate auth but it took me long enough
just to get them to think about dropping psk networks. ;)

Sent from my iPhone

On Aug 6, 2015, at 11:27 AM, Chris Abel ca...@wildwoodprograms.org wrote:

We just use portal profiles because of all the security holes with 802.1x.
One such example that still works especially well for mobile devices:
https://www.defcon.org/images/defcon-21/dc-21-presentations/djwishbone-PuNk1nPo0p/DEFCON-21-djwishbone-PuNk1nPo0p-BYO-Disaster-Updated.pdf

Hopefully your 802.1x credentials aren't the same credentials for other
online services.

Not sure how to accomplish what you're trying to do. Sorry.

On Thu, Aug 6, 2015 at 11:16 AM, Tim DeNike tim.den...@mcc.edu wrote:

 That's why I use different roles for 1x and portal login.  I don't assign
 the role to the device for portal login, just register and dynamically
 assign. Then I have a rule to deny association for registered devices with
 no role to the insecure ssids.  Once someone connects with 1x, that device
 isn't allowed on Mac auth until the next day (expire the registration). My
 goal is to always keep people on 1x and only use portal for devices that
 can't use 1x for some reason.

 But we don't have dorms so the situation is a little different.

 Sent from my iPhone

 On Aug 6, 2015, at 11:11 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
 wrote:

 Our regular SSID is 802.1x.  There is no portal profile, if I'm not
 mistaken.

 I have a portal profile for resnet, and that works fine for unregistered
 devices.

   I just want registered device (such as ones that connected to the 802.1x
 regular ssid first) to connect to a different vlan (resnet) when they
 connect to the resnet ssid.

 I don't actually want to modify the node.  Just switch it to a different
 vlan.





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:55 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Yes, this is for auto registration.

 If you still want unregistered users to hit the registration page, why
 don't you add the resnet SSID to the portal profile you have for your
 regular SSID?

 On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Thanks, Chris!

 Does the AutoRegister automatically register the user, then?  I don't
 necessarily want that.  I still want them to get stuck on a registration
 page if they are not registered...

 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Pete, I think you'll want something like this:

 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = AutoRegister
 role = resnet

 [2:resnet-ssid]
 scope = NormalVlan
 role = resnet
 action = modify_node
 action_param = mac = $mac, category = resnet

 On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may
 have been registered on a separate SSID, and then try to connect to this
 network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.  Normally
 identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or setup a portal profile.  Do you want people to register devices on
 this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan
 10, no matter their role.

 I do have a role resnet that is defined in my device configurations
 to vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu



[PacketFence-users] PF 5.2, metrics/NAT

2015-07-14 Thread Tim DeNike
Looks like the metrics images are referencing the IP address of the PF Mgmt
IP.  This makes it non-functional for NAT access to the Management
interface.  Should probably be changed to use the defined hostname in the
URLs.

html/pfappserver/lib/pfappserver/PacketFence/Controller/Graph.pm is the
offending file.  The URL probably needs to be constructed using the
pf::config hostname/domain name.
--
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/


Re: [PacketFence-users] Infringement IP address

2015-07-09 Thread Tim DeNike
You change the iptables rules at all?

Sent from my iPhone

On Jul 9, 2015, at 10:16 AM, Thomas, Gregory A thom...@uwp.edu wrote:

  List,



My campus does not get many infringement notifications from the RIAA and
the like but recently, they are not what I would be expecting.



In the past the notification would come with the IP address of the
offending machine, which I would look up and put into a violation status.
My last two notifications have listed the IP address of the management
portal and not the offending device.



I do not remember making any changes. If I did, could someone let me know
where I made it and how to fix it.



Thanks



--

Gregory A. Thomas

IT Manager, Student Life

University of Wisconsin-Parkside

thom...@uwp.edu
262.595.2432





Re: [PacketFence-users] Palo Alto SSO integration

2015-07-05 Thread Tim DeNike
That's what it does.  We use it primarily for open ssid and non local dot1x
logins.  I haven't upgraded to 7.0 yet so can't say for sure but it should
work.  Most of our ip-user mapping is for record purposes and not acl.  So
it helps.

Sent from my iPhone

On Jul 5, 2015, at 6:01 PM, Max McGrath mmcgr...@carthage.edu wrote:

Hi all -

A quick question regarding the firewall SSO integration -- specifically
with Palo Alto.

First, I see the guide assumes you have PanOS 6.0.  Is this supported on
the 7.x series?

Second, we don't currently force our users to authenticate to the PA before
using the Internet.  Once you are on our network -- you have access to the
Internet.

We do use Novell eDirectory on the back-end and the Palo Alto pulls from
that to generate the IP-User Mapping -- and it does a HORRIBLE job!

At the very minimum, would using SSO integration between PF and my PA
populate the IP-User Mapping in my PA?
--
Max McGrath
Network Administrator
Carthage College
262-552-5512
mmcgr...@carthage.edu



Re: [PacketFence-users] SSL Cert error when host is behind captive-portal

2015-07-01 Thread Tim DeNike
Allow passthru for OCSP/CRL checks for the cert in question.  Most are
already allowed.

On Wed, Jul 1, 2015 at 3:10 PM, Leja, Maciej mle...@depaul.edu wrote:

   Thanks for the response, that was my problem originally but I fixed
 that.  Now going to the admin portal shows the chain (host cert -> inCommon
 -> UserTrust RSA -> AddTrust External CA root) so everything looks good on
 admin site.  But when getting to the portal when I have no internet
 connectivity, I get an error saying “Windows does not have enough
 information to verify this certificate” and on the path it shows “the
 issuer of this certificate could not be found…” yet in the details it shows
 the issuer is InCommon.  Not sure….


   Thanks,
 ~Maciej


   From: Dennis Bühring
 Reply-To: packetfence-users@lists.sourceforge.net
 Date: Wednesday, July 1, 2015 at 1:54 PM
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] SSL Cert error when host is behind
 captive-portal

   Did you include the certificate chain? I had to include the issuing
 (intermediate) CA to get rid of the warnings. The root-CA was already
 trusted on the clients (RapidSSL) but the intermediate had to be included
 for the clients to trust my certificate.

  Not sure if this applies to your situation.

  regards
 Dennis

 2015-07-01 20:35 GMT+02:00 Leja, Maciej mle...@depaul.edu:

   Hey folks,

  I set up a new legit ssl cert for the PF box – working for the admin
 interface but users behind the captive portal are not allowed to validate
 it (because they’re not online)….

  Any ideas how to get around this so users don’t get the error in their
 browser when hitting the captive portal?  I’m sure there’s a way around
 whether that’s opening up the fw to allow users to get out (in that case
 what do you let them get out to) …

  Any help greatly appreciated – thanks!

  ~Maciej






  --
 ---
 bar above, bar below!
 ---






Re: [PacketFence-users] JSON RPC Querys...

2015-06-11 Thread Tim DeNike
Sweet.. That worked.

What would I do if I wanted to add more API functionality.. For instance,
looking up device location by IP.  Looks like I'd have to add a sub in api.pm
calling pf::node::node_search.

Long story short: To handle routing of E911 calls for phones we want to
write hooks into our Asterisk PBX system to dynamically query physical
location of phones based on the IP of the SIP registration and route the
E911 calls and adjust CID information with location information.


On Thu, Jun 11, 2015 at 9:30 AM, James Rouzier jrouz...@inverse.ca wrote:

  Tim DeNike,

 To see the response back you must set the id in the jsonrpc request.

 Here are some examples.

 node_information

 curl -v -H "Content-Type: application/json-rpc" -H "Request: register_node" \
   -X POST -d '{"params":["mac","00:11:22:33:44:55"],"jsonrpc":"2.0","method":"node_information","id":0}' \
   http://localhost:9090/

 view_person

 curl -v -H "Content-Type: application/json-rpc" -H "Request: view_person" \
   -X POST -d '{"params":["timdenike"],"jsonrpc":"2.0","method":"view_person","id":0}' \
   http://localhost:9090/

 James Rouzier
 jrouz...@inverse.ca :: +1.514.755.3630 :: http://www.inverse.ca
 Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://www.packetfence.org)

 On 2015-06-10 5:23 PM, Tim DeNike wrote:

 OK.. I can't seem to figure out how to PULL data from packet fence with
 the web services API.

  I can trigger events with it like so:

  curl -v -H "Content-Type: application/json-rpc" -H "Request: register_node" \
    -X POST -d '{"params":["mac","00:11:22:33:44:55","pid","timdenike","category","business"],"jsonrpc":"2.0","method":"register_node"}' \
    http://localhost:9090/

  This does what you'd think.. Registers the node.

  But how do I retrieve and use the node_information or view_person
 api commands.

  I'm trying to integrate packet fence into an ISP billing/accounting
 system and need to have the 2 fully talking.. I've got it part way done..
 Just trying to fill in the gaps.






[PacketFence-users] JSON RPC Querys...

2015-06-10 Thread Tim DeNike
OK.. I can't seem to figure out how to PULL data from packet fence with the
web services API.

I can trigger events with it like so:

curl -v -H "Content-Type: application/json-rpc" -H "Request: register_node" \
  -X POST -d '{"params":["mac","00:11:22:33:44:55","pid","timdenike","category","business"],"jsonrpc":"2.0","method":"register_node"}' \
  http://localhost:9090/

This does what you'd think.. Registers the node.

But how do I retrieve and use the node_information or view_person api
commands.

I'm trying to integrate packet fence into an ISP billing/accounting system
and need to have the 2 fully talking.. I've got it part way done.. Just
trying to fill in the gaps.
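
The reply in this thread says a response only comes back when the JSON-RPC request sets an id; JSON-RPC 2.0 defines a request without one as a notification, which is executed but never answered. The Python below is an added example, not code from the thread or from PacketFence: `handle`, `NODES` and the `node_information` body are a constructed stand-in server that reuses the thread's flat [key, value, ...] params so the round trip runs offline.

```python
import json

# Constructed sample data standing in for a node database.
NODES = {"00:11:22:33:44:55": {"pid": "timdenike", "category": "business"}}

def node_information(params):
    """Hypothetical handler; params is the flat [key, value, ...] list from the thread."""
    args = dict(zip(params[::2], params[1::2]))
    return NODES.get(args.get("mac"))

METHODS = {"node_information": node_information}

def build_request(method, params, request_id=None):
    """Serialize a JSON-RPC 2.0 call; leaving out request_id makes it a notification."""
    msg = {"jsonrpc": "2.0", "method": method, "params": params}
    if request_id is not None:
        msg["id"] = request_id
    return json.dumps(msg)

def handle(raw):
    """Stand-in server: returns the response text, or None when no reply is due."""
    req = json.loads(raw)
    handler = METHODS.get(req.get("method"))
    if handler is None:
        reply = {"error": {"code": -32601, "message": "Method not found"}}
    else:
        reply = {"result": handler(req.get("params", []))}
    if "id" not in req:
        return None  # notification: processed, but the caller gets nothing back
    return json.dumps({"jsonrpc": "2.0", "id": req["id"], **reply})

def parse_response(raw, request_id):
    """Return the result, raising on a missing reply, an error object or a wrong id."""
    if raw is None:
        raise LookupError("no response: the request carried no id")
    reply = json.loads(raw)
    if reply.get("id") != request_id:
        raise ValueError("response id does not match the request")
    if "error" in reply:
        raise RuntimeError(reply["error"]["message"])
    return reply["result"]

def lookup(mac, request_id=1):
    """Round trip for one node lookup through the stand-in server."""
    raw = handle(build_request("node_information", ["mac", mac], request_id))
    return parse_response(raw, request_id)
```

Checking the response id against the request id matters once a client has more than one call in flight, since it is the only field tying a reply to its request.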

