Re: [PacketFence-users] How to prevent IPTables from starting

2024-06-04 Thread Zammit, Ludovic via PacketFence-users
Hello Daniel,

Iptables is needed in PacketFence for firewall and also routing.

If you turn off iptables, you will lose the filtering part but also any 
registration and isolation routing.

If you don’t have a registration and isolation network then you are fine.

You can do:

systemctl disable packetfence-iptables --now

systemctl mask packetfence-iptables

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On May 30, 2024, at 3:18 PM, Daniel Zook via PacketFence-users wrote:
> 
> I set up a 3-node cluster environment and everything is working as expected, 
> *EXCEPT* that when the IPTables service is running the cluster fails to 
> respond to DNS requests.  I've posted here and on the sub-reddit, but no one 
> has provided a solution, so preventing IPTables from running seems to be the 
> only way to work around this.  Unfortunately, I have yet to figure out how to 
> keep IPTables from starting automatically (either at boot, or after a period 
> of time after stopping it.)
> 
> Does anyone know how to keep IPTables from running?
> 
> Thanks.



smime.p7s
Description: S/MIME cryptographic signature
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Node reevaluation fails with radius message.

2024-06-03 Thread Zammit, Ludovic via PacketFence-users
Hello Jori,

Because the switch does not like the attributes that are sent.

It could just be because of the Mac address format or the accounting id.

Are you sending Radius accounting toward pf from the switch?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On May 28, 2024, at 3:10 AM, Jori Luoto via PacketFence-users wrote:
> 
> Hello,
> 
> What could be wrong here when I see message below in Auditing->Radius Audit 
> Logs -> Disconnect NAK??
> 
> RADIUS Request
> Acct-Session-Id = " 
> User-Name = xx-yy-zz-xx-yy-zz "
> NAS-IP-Address =  "
> Calling-Station-Id = xx-yy-zz-xx-yy-zz",
> 
> RADIUS Reply
> Error-Cause = Invalid-Attribute-Value "
> Code = Disconnect-NAK
> 
> Switch is Aruba 6300 running on AOS-CX 10.13.1015 and basic Mac authorization 
> works fine. When I try to use re-evaluation in node system is not working as 
> expected.
> 
> 
> 
> 
> Regards
> 
> -jori luoto-
> 
> 
> 
> 


Re: [PacketFence-users] Configuration of dot1x VOIp on Aruba 6200 switch

2024-05-28 Thread Zammit, Ludovic via PacketFence-users
Hello Hugo,

Show us the Aruba config.

Remove your personal info.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On May 22, 2024, at 5:48 AM, BEAUDOUIN Hugo (Stagiaire Infra) via PacketFence-users wrote:
> 
> Hello there,
>  
> I am taking the liberty to write in the mailing list because I have 
> encountered a problem with Aruba 6200 switch (ArubaOS-CX10). Indeed, I have 
> connected an Aastra telephone to a switchport and this one started. However, 
> the switch detected a connection but in the switch table, there is not the 
> mac address of telephone. Therefore, packetfence can’t authenticate the phone 
> (via the MAB) because the switch doesn’t know the mac address. For me, this is 
> a configuration problem on the Aruba switch because with a Cisco switch and 
> the same phone, I didn’t encounter this problem. I read many documentations 
> on the web but none mentions it or it is too old. If anyone has a tip or 
> clue, I am interested. Thanks.
>  
> Best Regards
> HB


Re: [PacketFence-users] DNS fails in cluster

2024-05-02 Thread Zammit, Ludovic via PacketFence-users
Hello,

Can you show the output of:

/usr/local/pf/bin/pfcmd checkup

/usr/local/pf/bin/cluster/node

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On May 2, 2024, at 3:07 PM, Daniel Zook wrote:
> 
> Thanks for the reply Ludovic.
> 
> I followed your suggestion, however, on the sync step, I discovered that the 
> networks.conf file reverted the change back to the node's registration 
> network IP address.
> 
> Here is a screenshot showing it corrected to use the VIP of 10.9.0.5 for the 
> gateway and dns:
> 
> 
> And here is a screenshot showing the same file after running sync 
> --as-master, where it reverted back to 10.9.0.2:
> 
> 
> I did not go any further after that.
> 
> Your thoughts?
> 
> Daniel J. Zook a.k.a. "Zookie" (he/him/his)
> Eastern Mennonite University
> 
> 
> On Thu, May 2, 2024 at 8:58 AM Zammit, Ludovic wrote:
>> Hello Daniel,
>> 
>> Make sure the configuration is consistent on all members on the cluster.
>> 
>> Do on the first node:
>> 
>> vim /usr/local/pf/conf/networks.conf (Make sure the VIP IP address is used 
>> for the gateway and DNS)
>> 
>> /usr/local/pf/bin/pfcmd configreload hard
>> 
>> /usr/local/pf/bin/cluster/node/sync --as-master
>> 
>> Then on node 2 and node 3:
>> 
>> /usr/local/pf/bin/pfcmd configreload hard
>> 
>> /usr/local/pf/bin/pfcmd service pf restart
>> 
>> Thanks,
>> 
>> 
>> Ludovic Zammit
>> Product Support Engineer Principal Lead
>> 
>> Cell: +1.613.670.8432
>> Akamai Technologies - Inverse
>> 145 Broadway
>> Cambridge, MA 02142
>> 
>>> On Apr 30, 2024, at 11:19 AM, Daniel Zook via PacketFence-users wrote:
>>> 
>>> I have a working packetfence cluster and everything seems to be setup and 
>>> working fine except that when a guest connects on the Registration VLAN, 
>>> DNS fails.  It acts as if there is a firewall blocking it, or there is no 
>>> service listening.
>>> 
>>> If I stop IPTables on one or more cluster members, DNS starts working 
>>> again.  Unfortunately, PacketFence somehow restarts IPTables after a period 
>>> of time even if I set it to "disabled" (and DNS fails to work again.)
>>> 
>>> What do I need to do to prevent IPTables from running so that DNS keeps 
>>> working on the Registration network?
>>> 
>>> Thanks in advance for your help.


Re: [PacketFence-users] DNS fails in cluster

2024-05-02 Thread Zammit, Ludovic via PacketFence-users
Hello Daniel,

Make sure the configuration is consistent on all members on the cluster.

Do on the first node:

vim /usr/local/pf/conf/networks.conf (Make sure the VIP IP address is used for 
the gateway and DNS)

/usr/local/pf/bin/pfcmd configreload hard

/usr/local/pf/bin/cluster/node/sync --as-master

Then on node 2 and node 3:

/usr/local/pf/bin/pfcmd configreload hard

/usr/local/pf/bin/pfcmd service pf restart

Thanks,


Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Apr 30, 2024, at 11:19 AM, Daniel Zook via PacketFence-users wrote:
> 
> I have a working packetfence cluster and everything seems to be setup and 
> working fine except that when a guest connects on the Registration VLAN, DNS 
> fails.  It acts as if there is a firewall blocking it, or there is no service 
> listening.
> 
> If I stop IPTables on one or more cluster members, DNS starts working again.  
> Unfortunately, PacketFence somehow restarts IPTables after a period of time 
> even if I set it to "disabled" (and DNS fails to work again.)
> 
> What do I need to do to prevent IPTables from running so that DNS keeps 
> working on the Registration network?
> 
> Thanks in advance for your help.



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
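
A read-only check for the consistency step in the message above, as an added example that is not part of the thread and not PacketFence tooling: it parses a copy of networks.conf from each cluster member and reports gateway or dns values that are not the VIP. The sample files are constructed, and the layout (one section per network with `netmask`, `gateway` and `dns` keys) is an assumption about the file; 10.9.0.5 and 10.9.0.2 are the addresses quoted elsewhere in this thread.

```python
import configparser

VIP = "10.9.0.5"  # cluster VIP quoted elsewhere in this thread

# Constructed samples, not the poster's files. The layout (one section per
# network with netmask/gateway/dns keys) is an assumption about networks.conf.
NODE1_CONF = """\
[10.9.0.0]
netmask=255.255.255.0
gateway=10.9.0.5
dns=10.9.0.5
"""

NODE2_CONF = """\
[10.9.0.0]
netmask=255.255.255.0
gateway=10.9.0.2
dns=10.9.0.2
"""


def parse_networks(conf_text):
    """Parse INI text into {section: {key: value}} without touching any file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def vip_findings(conf_text, vip):
    """Return (section, key, value) for each gateway/dns entry that is not the VIP."""
    findings = []
    for section, options in parse_networks(conf_text).items():
        for key in ("gateway", "dns"):
            raw = options.get(key)
            if raw is None:
                findings.append((section, key, "<missing>"))
                continue
            # Tolerate a comma-separated list; only a lone VIP passes.
            values = [v.strip() for v in raw.split(",") if v.strip()]
            if values != [vip]:
                findings.append((section, key, raw.strip()))
    return findings


def cluster_report(configs, vip):
    """configs maps node name -> networks.conf text; the first node is the reference."""
    if not configs:
        return {}
    names = list(configs)
    reference = parse_networks(configs[names[0]])
    return {
        name: {
            "not_vip": vip_findings(configs[name], vip),
            "differs_from_first": parse_networks(configs[name]) != reference,
        }
        for name in names
    }


if __name__ == "__main__":
    report = cluster_report({"node1": NODE1_CONF, "node2": NODE2_CONF}, VIP)
    for node, result in report.items():
        print(node, result)
```

Running it on copies taken before and after the sync step shows whether a node's file still carries its own address instead of the VIP.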


Re: [PacketFence-users] Unable to install no matter what

2024-04-20 Thread Zammit, Ludovic via PacketFence-users
Hello there,

We have a known issue with the ISO Packetfence version 13.1, try the ISO for 
version 13.0.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Apr 18, 2024, at 6:59 AM, Laboratorio Tronic via PacketFence-users wrote:
> 
> Hello hive mind,
> I'm not sure about how this kind of communication works but I'll give it 
> a try.
> I'm coming from a painful experience with pfSense, being a newbie in the 
> firewall/Nac field, took me ages to setup the software like I wanted it to 
> work (considering the whole project is a non-profit one for a natural park I 
> volunteer for, where a messed up network is already in place and I don't have 
> much manoeuvring space to change it).
> Only AFTER I had it set up, I discovered the self-registration plugin for the 
> captive portal is no longer unmaintained/working, so I thought I'd replace it 
> all with PacketFence, which seems to have all I need.
> 
> MY HARDWARE (for testing):
> - Intel Core i3 (2cores/4threads) 2,7GHz.
> - 8GB DDR4 RAM
> - 128GB SSD
> - 1 integrated Realtek Gigabit NIC
> - 2 PCIeX Intel Gigabit NICs (one of which linked to the router)
> 
> WHAT I TRIED:
> - burning the ver.13 ISO on a disk and installing from scratch. -> in the 
> middle of installation it doesn't find the repositories, no matter which 
> country/preset I input..even inputting them manually will not work. Ignoring 
> this step will lead to the impossibility to retrieve the public key and 
> continue installation. "Select and install software" step won't complete and 
> stop the whole process.
> 
> - installing Debian first and then following the guide on the site to install 
> packetfence on it. -> Debian deployment goes well but the last step of the 
> guide will not work: when I apt get install packetfence it says many packets 
> are damaged/blocked, repositories won't contain them, they're no longer 
> maintained, are deprecated or so on. Tried finding and installing all the 
> packets manually but no luck so far.
> 
> - Downloading the ZEN VM and launching it on VmWare player. -> boots up and 
> then says to connect to an IP address which isn't even on the same subnet and 
> anyway won't show any page when fetched by the browser.
> 
> I'm really frustrated because every review/comment about PacketFence seems at 
> least satisfied, if not enthusiastic..and I can't even get started.
> Anyone can help?
> 
> Thanks in advance
> 
> Marco
> 
> 
> 


Re: [PacketFence-users] Revoking multiple PK-PKI certificates at a time

2024-04-20 Thread Zammit, Ludovic via PacketFence-users
Hello Will,

If you are NOT using OCSP, you can just remove the certificate using MySQL 
command within PF database.

If you are using OCSP you will need to provide the certificate ID in any way.

How many certs are we talking about?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Apr 18, 2024, at 11:49 AM, Will Nygard via PacketFence-users wrote:
> 
> Hi all,
> 
> Does anyone know a way to revoke multiple PK-PKI certificates at once? I 
> looked around on the web and was unable to find a way to do this. So far, 
> revoking one at a time through the web console is working for me, as I'm just 
> starting to implement EAP-TLS, but once I scale up it would be very time 
> consuming to revoke all at once. 
> 
> The reason I need to revoke certificates en masse is to deal with an issue 
> with Jamf Pro SCEP integration, which I saw another user dealing with in this 
> email. 
> https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg22151.html
>  
> 
> Any ideas?
> 
> Thanks,
> Will N
> Systems and Network Administrator
> 
> 


Re: [PacketFence-users] Urgent Cannot Login to Packetfence Web Console / Wasn't able to authenticate those credentials

2024-04-17 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Urgent and mailing support is not very compatible. If you require urgent help, 
you can contact us to have a Support contract.

It could be a credential issue or DB issue.

You can try to create a local account and see if it works.

Create a local account on the CLI:

htpasswd -c /usr/local/pf/conf/admin.conf USERNAME

Put the password twice, try to log in again.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Apr 17, 2024, at 7:55 AM, Ahmad Yusran Siregar wrote:
> 
> Hi All,
>  
> Urgent please help, today I cannot login to packetfence web admin console 
> with any of the users, yesterday we still can access and login to the web 
> console, but today it shows this error with all the users provided:
> 
>  
> Already change the password manually on the mariadb, expiration and restart 
> packetfence server, but still can’t access.
>  
> We are using Packetfence Zen 13, please help this issue because we are using 
> it on production ☹
>  
> Thanks
>  
> Regards,
> Ahmad Yusran Siregar
> Information Security SHG
> Sioam Hospitals Group
> +6221 2566 8000 | Mobile +62 812-2110-1946
> 





Re: [PacketFence-users] Packetfence Captive Portal - not applying role after authentication

2024-03-22 Thread Zammit, Ludovic via PacketFence-users
Hello Giovanni,

It looks like the device is not getting kicked out with a Radius disconnect or 
access changed with the CoA (Change of Authorization) and that’s what caused 
the non role assignation.

Make sure that the CoA is enabled on the PF Radius authentication server in 
your WLC config.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Mar 19, 2024, at 8:16 PM, Giovanni Trapasso via PacketFence-users wrote:
> 
> Hello,
> 
> I am running Packetfence 13.1 ZEN.  I have configured the server as a captive 
> portal using social media as external sources, Windows, Facebook and Google.  
> I am using a Cisco WLC as a test box, running 8.5.x code.
> 
> I have the server and the WLC configured as the documentation recommended but 
> I am having a slight issue after authentication.  I have the 2 ACL for 
> Pre-Registration and authorized-all and in the logs I can see the 
> pre-registration ACL being applied as well as the registration vlan.  But 
> after a successful authentication to the social media external source I am 
> not getting the guest role I configured in my catchall action applies, as 
> well I am not getting the vlan or authorized-all ACL which I have configured  
> on my WLC under switches under switch role.
> 
> I attached the packetfence.log section during an authentication attempt and I 
> am guessing the issue is with this error in the log:
> 
> Mar 19 18:00:51 guestauthpf httpd.portal-docker-wrapper[5391]: 
> httpd.portal(15) INFO: [mac:10:02:b5:3a:bd:21] person 
> usern...@telusplanet.net  added 
> (pf::person::person_add)
> 
> Mar 19 18:00:51 guestauthpf httpd.portal-docker-wrapper[5391]: 
> httpd.portal(15) INFO: [mac:10:02:b5:3a:bd:21] OAuth2 successfull for 
> username usern...@telusplanet.net  
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::OAuth::handle_callback)
> 
> Mar 19 18:00:51 guestauthpf httpd.portal-docker-wrapper[5391]: 
> httpd.portal(15) WARN: [mac:10:02:b5:3a:bd:21] Calling match with 
> empty/invalid rule class. Defaulting to 'authentication' 
> (pf::authentication::match)
> 
> Mar 19 18:00:51 guestauthpf httpd.portal-docker-wrapper[5391]: 
> httpd.portal(15) INFO: [mac:10:02:b5:3a:bd:21] Using sources Windows_Live for 
> matching (pf::authentication::match)
> 
> 
> I did find if I quickly bump wireless, disconnect and reconnect, it will 
> assign the guest roles and assign the guest vlan.
> 
> I have attached a few log files, one is during the authentication attempt and 
> the other is when I bumped my wireless connection.
> 
> I hope someone can help.
> -- 
> ___
> Giovanni Trapasso
> University of Alberta


Re: [PacketFence-users] DA authentication problems

2024-03-18 Thread Zammit, Ludovic via PacketFence-users
Hello there,

It’s an issue with the domain join procedure. Check if you are still joined.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Mar 16, 2024, at 12:04 PM, Nolberto Delgado via PacketFence-users wrote:
> 
> Hi thanks for replying, I deleted the DA machine but now I'm getting this 
> error from the web interface:
> 
> 
> NTLM auth api returned with HTTP code: 500, error while establishing secure 
> channel connection: {Operation Failed} Teh resque
> 
> 
> 
> 
> I would be very grateful if you can give me an overview of what I should 
> check, I am stuck on this issue for 2 weeks already thanks
> 
> 
> 
> Cordially
> 
> Nolberto Delgado Espinosa
> Implementation and Support Engineer
> www.sotelcom.co
> i...@sotelcom.co
> Email: nolberto.delg...@sotelcom.co
> Avenida 5an # 23dn - 68. Oficina 319-321
> PBX: (2) 524 6043 Ext: 109
> Centro Comercial Pasarela. Cali, Colombia
> Mobile: +57 3165246043 - 3003663525
> 
> From: Fabrice Durand via PacketFence-users
> Sent: Friday, March 15, 2024 22.18
> To: packetfence-users@lists.sourceforge.net
> Cc: Fabrice Durand <oeufd...@gmail.com>
> Subject: Re: [PacketFence-users] DA authentication problems
> 
> I think you will need to delete the machine account on the AD side and rejoin 
> the packetfence server.
> 
> On Fri, Mar 15, 2024 at 15:36, Nolberto Delgado via PacketFence-users wrote:
> DA authentication problems
> 
> 
> Good morning, I am trying to authenticate access to the network using 
> packetfence.
> 
> I am using the installation guide to the letter with the same scenario 
> presented in the guide.
> 
> I have installed it in a hyper-v environment it did not work for me, I 
> proceeded to install it in a vmware environment with the packetfence ZEN as 
> the guide indicates but I have the same errors.
> 
> Logs radius:
> 
> Mar 15 09:02:13 tests auth[4569]: (9531) Login incorrect (chrooted_mschap: Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix): [TEST] (from client 192.168.89.26/32 port 50020 cli 00:e0:4c:36:00:00:cf via TLS tunnel)
> Mar 15 09:02:13 pruebas auth[4569]: (9532) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [PRUEBASAS\test] (from client 192.168.89.26/32 port 50020 cli 00:e0:4c:36:00:cf)
> 
> 
> Error via web:
> 
> ntlm auth api returned with HTTP code:401, test machine account failed.Access 
> denied.
> 
> 
> In the windows server I have the radius client pointing to the packetfence 
> ip, I don't know if this is a windows error or a packetfence error, I am 
> waiting for your kind help.
> 
> Cordially
> 
> Nolberto Delgado Espinosa
> Implementation and Support Engineer
> www.sotelcom.co
> i...@sotelcom.co
> Email: nolberto.delg...@sotelcom.co
> Avenida 5an # 23dn - 68. Oficina 319-321
> PBX: (2) 524 6043 Ext: 109
> Centro Comercial Pasarela. Cali, Colombia
> Mobile: +57 3165246043 - 3003663525
> 

Re: [PacketFence-users] Display of registered nodes

2024-03-14 Thread Zammit, Ludovic via PacketFence-users
Hello Jochen,

This is how I would do it:

- Do EAP TLS computer authentication on the devices
- Make sure to install the Root CA that signed the computer cert into 
PacketFence root CA authority under Config / SSL certificate / Root CA
- Create a connection profile with a sub connection filter on TLS
- On that source, put an AD source that is configured properly with:

The search attributes on DNsHostName then having a rule that does a search on 
serviceprincipalName starts with host/

Thanks,


Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Mar 14, 2024, at 11:27 AM, Jochen Ackermann wrote:
> 
> On 13.03.2024 at 21:44, Zammit, Ludovic wrote:
>> Can you tell me one use case that you want to achieve with EAP TLS 
>> authentication ?
> 
> Hello Ludovic,
> 
> The use case (i.e. requirement) is to register/accept hosts based on their 
> account/group-membership in the AD irrespective of the current user.
> 
> All our hosts have machine certificates issued by our local CA tied to 
> their hostname which are to be used to authenticate/authorise the access to 
> the corresponding subnet. The subnet is derived from the AD group-membership 
> of the host, so the VLAN information (together with reauthentication 
> interval) is then sent to the switch in the radius reply. Wireless 
> connections should work in the same way, with additional CoA. Of course, if 
> the host is yet unknown to packetfence, as long as it has a valid AD account, 
> it should perform auto-registration. The whole process relies on the AD 
> account of the host and we would very much prefer, not to use the captive 
> portal.
> 
> The subsequent user login is entirely handled by AD and not part of the Dot1X 
> authentication. The exception being the use of VPN, where the user 
> authentication is done within packetfence, which works as expected (Group 
> membership is also checked for the authorization).
> 
> 
> kind regards,
> 
>Jochen





Re: [PacketFence-users] Display of registered nodes

2024-03-13 Thread Zammit, Ludovic via PacketFence-users
Hello,

Can you tell me one use case that you want to achieve with EAP TLS 
authentication ?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Mar 12, 2024, at 10:33 AM, Jochen Ackermann wrote:
> 
> On 06.03.2024 17:22, Zammit, Ludovic wrote:
>> Correct, I’m referring to the computer authentication mode on the windows 
>> supplicant setup.
>> All authentication interaction would be logged into the 
>> /usr/local/pf/logs/packetfence.log you do the following:
>> grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log
> 
> 
> Hello Ludovic,
> 
> thank you for pointing out the logfile, but unfortunately I don't know what 
> to look for (although I could be missing the obvious here). AFAIK the 
> hostname has to follow the form host/hostname or hostname$ to signify a 
> machine name to AD, but I don't know why packetfence would treat it as a 
> username or how to identify the mismatch in the logfile. To me the line 
> "modify of non-existent person host\myhost..." and "Already did a person 
> lookup for host/myhost..." in the packetfence.log look suspicious, but I 
> can't see a reason for switching to person/user.
> 
> I also include excerpts from the raddebug log and would be glad if you (or 
> someone) could tell me where to look for clues (or if maybe the relevant part 
> is missing).
> 
> I also tried to employ EXAMPLE_eap-tls-preProcess to set the name to myhost$, 
> but while the rule is matched (according to packetfence.log), I can see no 
> changes and moreover I'm not sure which parameter exactly to set. 
> TLS-Stripped-Username, as well as some others, didn't seem to have any 
> effect, the log output at least stays the same.
> 
> 
> Radius filter:
> [eap-tls-preProcess-MachineAuth]
> status=disabled
> top_op=and
> description=Preprocess attribute for EAP-TLS
> merge_answer=no
> condition=connection_type =~ "Ethernet-EAP" && (contains(radius_request.User-Name, "host/") || contains(radius_request.username, "host/") || contains(username, "host/"))
> scopes=preProcess
> answer.0=TLS-Stripped-UserName = ${BuildFromMatch($radius_request.TLS-Client-Cert-Subject-Alt-Name,"^[^.]+","$0"."$")}
> 
> 
> from packetfence.log:
> is doing machine auth with account 'host/myhost.my.domain'. 
> (pf::radius::_machine_auth_detection)
> Instantiate profile cProfile-8021x-machine-auth 
> (pf::Connection::ProfileFactory::_from_profile)
> Found authentication source(s) : 'AuthSource-machine' for realm 'my.domain' 
> (pf::config::util::filter_authentication_sources)
> Using sources AuthSource-machine for matching (pf::authentication::match2)
> Matched rule (rule-vlan5) in source AuthSource-machine, returning actions. 
> (pf::Authentication::Source::match)
> modify of non-existent person host/myhost.my.domain attempted - person added 
> (pf::person::person_modify)
> Found authentication source(s) : 'AuthSource-machine' for realm 'my.domain' 
> (pf::config::util::filter_authentication_sources)
> Role has already been computed and we don't want to recompute it. Getting 
> role from node_info (pf::role::getRegisteredRole)
> Username was defined "host/myhost.my.domain" - returning role 'role-vlan5' 
> (pf::role::getRegisteredRole)
> PID: "host/myhost.my.domain", Status: reg Returned VLAN: (undefined), Role: 
> role-vlan5 (pf::role::fetchRoleForNode)
> Already did a person lookup for host/myhost.my.domain 
> (pf::lookup::person::lookup_person)
> (10.1.1.1) Added VLAN 5 to the returned RADIUS Access-Accept 
> (pf::Switch::Template::returnRadiusAccessAccept)
> 
> 
> from raddebug -f
> (222) Debug: Received Access-Request Id 198 from 10.1.1.1:1645 to 
> 10.1.1.10:1812 length 264
> (222) Debug:   User-Name = "host/myhost.my.domain"
> (222) Debug:   authorize {
> (222) Debug: policy packetfence-set-realm-if-machine {
> (222) Debug:   if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
> (222) Debug:   if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i)  -> TRUE
> (222) Debug:   if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i)  {
> (222) Debug: update {
> (222) Debug:   EXPAND %{2}
> (222) Debug:  --> my.domain
> (222) Debug: } # update = noop
> (222) Debug:   } # if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) = noop
> (222) Debug: } # policy packetfence-set-realm-if-machine = noop
> ...
> (222) Debug: policy filter_username {
> (222) Debug:   if () {
> (222) Debug:   if ()  -> TRUE
> (222) Debug:   if ()  {
> (222) Debug: if ( =~ / /) {
> (222) Debug: if ( =~ / /)  -> FALSE
> (222) Debug: if ( =~ /@[^@]*@/ ) {
> (222) Debug: if ( =~ 
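
The machine-name forms discussed in the message above, as an added example that is not part of the thread and not PacketFence or FreeRADIUS code: it applies the `host/` pattern shown in the raddebug excerpt to a RADIUS User-Name, and scans packetfence.log lines for machine accounts that were also added as a person. The log lines are constructed from the excerpt's wording, and `sam_from_san` reads the filter's `BuildFromMatch` arguments as "first DNS label plus `$`", which is an assumption about that function.

```python
import re

# Pattern as it appears in the raddebug excerpt (policy
# packetfence-set-realm-if-machine). The /i flag and unanchored =~ match
# are mirrored here with re.IGNORECASE and re.search.
MACHINE_REALM_RE = re.compile(r"host\/([a-z0-9_-]*)[\.](.*)", re.IGNORECASE)

# Message formats taken from the packetfence.log excerpt in the thread.
MACHINE_AUTH_RE = re.compile(r"is doing machine auth with account '([^']+)'")
PERSON_ADDED_RE = re.compile(
    r"modify of non-existent person (\S+) attempted - person added"
)

# Constructed sample lines; the last one is an ordinary user for contrast.
SAMPLE_LOG = [
    "is doing machine auth with account 'host/myhost.my.domain'. "
    "(pf::radius::_machine_auth_detection)",
    "modify of non-existent person host/myhost.my.domain attempted - "
    "person added (pf::person::person_modify)",
    "modify of non-existent person alice attempted - person added "
    "(pf::person::person_modify)",
]


def classify_user_name(user_name):
    """Classify a RADIUS User-Name as a machine or user identity."""
    match = MACHINE_REALM_RE.search(user_name)
    if match:
        return {"kind": "machine", "host": match.group(1), "realm": match.group(2)}
    if user_name.lower().startswith("host/"):
        # host/ prefix without a dot: the quoted pattern does not match,
        # so no realm would be derived from this name.
        return {"kind": "machine", "host": user_name[5:], "realm": None}
    if user_name.endswith("$"):
        # hostname$ form, the other machine-name form mentioned in the thread.
        return {"kind": "machine", "host": user_name[:-1], "realm": None}
    return {"kind": "user", "host": None, "realm": None}


def sam_from_san(subject_alt_name):
    """First DNS label of the certificate SAN with '$' appended (assumed reading)."""
    match = re.match(r"^[^.]+", subject_alt_name)
    return match.group(0) + "$" if match else None


def machines_added_as_person(log_lines):
    """Accounts seen in a machine-auth line that also triggered 'person added'."""
    machine_accounts, added_persons = set(), set()
    for line in log_lines:
        auth = MACHINE_AUTH_RE.search(line)
        if auth:
            machine_accounts.add(auth.group(1))
        added = PERSON_ADDED_RE.search(line)
        if added:
            added_persons.add(added.group(1))
    return sorted(machine_accounts & added_persons)


if __name__ == "__main__":
    for name in ("host/myhost.my.domain", "host/myhost", "MYHOST$", "alice"):
        print(name, classify_user_name(name))
    print(sam_from_san("myhost.my.domain"))
    print(machines_added_as_person(SAMPLE_LOG))
```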

Re: [PacketFence-users] Display of registered nodes

2024-03-13 Thread Zammit, Ludovic via PacketFence-users
Hello,

Correct, I’m referring to the computer authentication mode on the windows 
supplicant setup.

All authentication interaction would be logged into the 
/usr/local/pf/logs/packetfence.log you do the following:

grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log  

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Mar 6, 2024, at 6:09 AM, Jochen Ackermann via PacketFence-users wrote:
> 
> Hello Ludovic,
> 
> the authentication mode on the computer (windows, wired autoconfig) is set to 
> "computer authentication" or do you refer to a setting within packetfence? 
> The PF authentication Source uses servicePrincipalName as Username Attribute, 
> is there any other setting to come into play? Wouldn't packetfence know from 
> the prefix /host (or hostname$) to interpret the name as machine-name? Would 
> there be any helpful information in the debug logs.
> 
> Thank you,
> 
>   Jochen
> 
> 
> On 05.03.2024 17:25, Zammit, Ludovic wrote:
>> I think the answer is that you have to do computer authentication only, 
>> because I think you do computer + user authentication and the user 
>> authentication overrides the computer authentication.
>>> 
>>> We would like to use packetfence for Dot1X EAP-TLS authentication based on 
>>> machine certificates with the hostname as the TLS-Client-Cert-Common-Name 
>>> (the user of the machine afterwards authenticates against AD directly).
>>> The role-mapping and authentication itself in PF works well, but as a sort 
>>> of irksome result the authenticated (and auto-registered) machine lists on 
>>> the Nodes tab with the corresponding MAC address and an empty computername. 
>>> Instead the hostname is shown as owner and the machine name is registered 
>>> under the Users tab with the FQDN, together with other regular (i.e. 
>>> "real") user's accounts.
>>> Auditing->Node Information shows Computer Name N/A and username 
>>> host/hostname.domain.tld
>>> The Authentication Source uses servicePricipalName as Username Attribute, 
>>> that is the only hint I found to distinguish between user and machine 
>>> authentication.
>>> Is there some way to treat the hostname to show up as node instead of user 
>>> as normally indicated by the form host/... or hostname$
> 
> 
> 
> 
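
The `grep MAC-ADDRESS` step suggested above, worked through as an added example (not PacketFence code). It goes one step further than a plain grep: it parses each record, accepts the MAC in any common notation, and reports how many matching records carry a different `[mac:...]` tag. The first six sample lines are re-joined from the packetfence.log excerpt quoted later in this archive; the last one is constructed.

```python
import re
from collections import Counter

# One packetfence.log record, as seen in the excerpt quoted in this archive:
#   <time> <host> <process>[pid]: <service>(pid) LEVEL: [mac:<tag>] <text> (<perl caller>)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+[^\[\s]+\[\d+\]:\s+"
    r"(?P<service>\S+)\(\d+\)\s+(?P<level>[A-Z]+):\s+"
    r"\[mac:(?P<tag>\[undef\]|[^\]]*)\]\s+"
    r"(?P<text>.*?)(?:\s+\((?P<caller>[\w:]+)\))?$"
)
MAC_IN_TEXT = re.compile(
    r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])"
)


def normalize_mac(value):
    """Return the MAC as lower-case colon-separated hex, or None if it is not a MAC."""
    digits = re.sub(r"[:.\-]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def triage(lines, mac):
    """Return parsed records that mention `mac` in the [mac:...] tag or in the message text."""
    wanted = normalize_mac(mac)
    if wanted is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or foreign line: skip rather than guess
        tagged = normalize_mac(m.group("tag")) == wanted
        in_text = wanted in {x.lower() for x in MAC_IN_TEXT.findall(m.group("text"))}
        if tagged or in_text:
            hits.append({
                "ts": m.group("ts"), "service": m.group("service"),
                "level": m.group("level"), "tagged": tagged,
                "text": m.group("text"), "caller": m.group("caller"),
            })
    return hits


def summarize(hits):
    """Count levels, count records whose tag is not the MAC, and list ERROR/WARN records."""
    return {
        "levels": dict(Counter(h["level"] for h in hits)),
        "untagged": sum(1 for h in hits if not h["tagged"]),
        "problems": [(h["ts"], h["caller"], h["text"])
                     for h in hits if h["level"] in ("ERROR", "WARN")],
    }


# Sample input: six records re-joined from the excerpt in this archive, one constructed.
SAMPLE_LOG = [
    "Feb 15 15:54:06 packetfence pfperl-api-docker-wrapper[193686]: pfperl-api(10) INFO: [mac:[undef]] Request to /api/v1/dhcp/mac/02:7a:87:11:54:dd is unauthorized, will perform a login (pf::api::unifiedapiclient::call)",
    "Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 write connection to 192.168.100.2: An empty authProtocol was specified (pf::Switch::connectWriteTo)",
    "Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) WARN: [mac:unknown] Warning: 1062: Duplicate entry '02:7a:87:11:54:dd' for key 'PRIMARY' (pf::dal::db_execute)",
    "Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) INFO: [mac:unknown] DHCPACK from 192.168.100.254 (00:0c:29:35:5f:47) to host 02:7a:87:11:54:dd (192.168.22.102) for 691200 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)",
    "Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 read connection to 192.168.100.2: An empty privProtocol was specified (pf::Switch::connectRead)",
    "Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile (pf::Connection::ProfileFactory::_from_profile)",
    # constructed record for a different device; it must not show up in the result
    "Feb 15 15:54:34 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:00:00:00:00:01] Instantiate profile dot1x_wired_profile (pf::Connection::ProfileFactory::_from_profile)",
]

if __name__ == "__main__":
    report = summarize(triage(SAMPLE_LOG, "02-7A-87-11-54-DD"))
    print(report["levels"], "records without the MAC in the tag:", report["untagged"])
    for ts, caller, text in report["problems"]:
        print(ts, caller, text)
```
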


Re: [PacketFence-users] Redirect Captive Portal Loop

2024-03-05 Thread Zammit, Ludovic via PacketFence-users
Hello,

It’s probably an old bug, which PF version are you running ?

Try to patch your system on the newer maintenance package.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 5, 2024, at 4:44 AM, Yiheang Ly via PacketFence-users 
>  wrote:
> 
> Dear Team,
>  
> We have Cisco WLC configured captive portal via Packetfence. We noticed that 
> During Redirection, Endpoint Loop with same URL.
> Example: 
> https://packetfenceIP/Cisco:WLC/SessionID=https://packetfenceIP/Cisco:WLC/SessionID
>  
> 
> I have tried to find some solution on google but seem not work.
>  
> Note: Configuration follow Packetfence guideline.
>  
> Thank You


Re: [PacketFence-users] Differences between Packetfence (Debian ISO) and Packetfence ZEN

2024-03-05 Thread Zammit, Ludovic via PacketFence-users
Hello Herbert,

Software wise, there is no difference, the Packetfence ZEN OVA is just a 
preinstalled PF on a VM.

The ISO will let you customize the PacketFence server a bit better but is mostly 
used when you deploy on a non-VMware hypervisor.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 23, 2024, at 4:51 PM, Herber, Reese via PacketFence-users 
>  wrote:
> 
> Good Afternoon,
> 
> We have packetfence currently working as a radius server and PKI for our 
> Aruba wireless network. As we are rolling this out in production I am looking 
> into making a test packetfence environment so we do not affect the wireless 
> network.
> 
> What exactly are the differences between the ISO that I deployed for our 
> current server and the Packetfence Zen ISO that I see on the website. I 
> couldn't find a comparison page anywhere.
> 
> 
> Thanks,
> 
> Reese Herber
> Systems Integration Analyst
> Technical Services Department
> 
> Phone: 253-530-3715
> 
> "The fusion of technology and education is the canvas on which we paint the 
> masterpiece of our collective future, one pixel at a time."


Re: [PacketFence-users] haproxy-admin fails to load with exit 1 after certificate renewal (Debian)

2024-03-05 Thread Zammit, Ludovic via PacketFence-users
Hello Errick,

Probably a wrong certificate format.

You can check the haproxy log to see the exact issue.

journalctl -u packetfence-haproxy-portal

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 1, 2024, at 7:14 PM, Errick via PacketFence-users 
>  wrote:
> 
> Hi All,
> 
> Have a single server running Packetfence and using Lets Encrypt certificates 
> via manual renewal. After applying the new certs (server.crt, server.key, 
> server.pem) from the LetsEncrypt .pem and .key files, we are seeing 
> haproxy-admin fail to start with exit code 1. 
> 
> It is unable to start manually or via pfcmd service pf start. 
> 
> Rolling back to the old certs immediately resolves the issues and 
> haproxy-admin can start successfully. 
> 
> I do not see any error information in systemctl status nor in journalctl -xe 
> for this service when it fails. 
> 
> Any ideas on ways to troubleshoot or fix this?
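
A structural pre-check for the "wrong certificate format" case raised in the reply above, added here as an example and not PacketFence or HAProxy code. It assumes the file the service loads is a single PEM bundle holding the server certificate, any intermediates and one unencrypted private key; the sample blocks are constructed placeholder bytes, and the check covers framing only, not whether the key matches the certificate.

```python
import base64
import re

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
BEGIN_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
END_RE = re.compile(r"-----END ([A-Z0-9 ]+)-----")


def parse_pem(text):
    """Split text into (label, base64_lines) blocks and collect framing problems."""
    blocks, problems, label, body = [], [], None, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        begin, end = BEGIN_RE.fullmatch(line), END_RE.fullmatch(line)
        if begin:
            if label is not None:
                problems.append(f"line {number}: BEGIN {begin[1]} inside unterminated {label}")
            label, body = begin[1], []
        elif end:
            if label == end[1]:
                blocks.append((label, body))
            else:
                problems.append(f"line {number}: END {end[1]} does not close BEGIN {label}")
            label = None
        elif "-----BEGIN" in line or "-----END" in line:
            # typical result of concatenating files when the first has no trailing newline
            problems.append(f"line {number}: marker not on its own line (files joined without a newline?)")
        elif label is not None:
            body.append(line)
    if label is not None:
        problems.append(f"BEGIN {label} is never closed (truncated file?)")
    return blocks, problems


def check_bundle(text):
    """Return a list of structural problems in a combined PEM file (empty list = none found)."""
    blocks, problems = parse_pem(text)
    certs = keys = 0
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or any(l.startswith("Proc-Type:") for l in body):
            problems.append(f"{label}: key is passphrase-protected")
            keys += 1
            continue
        try:
            der = base64.b64decode("".join(body), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"{label}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append(f"{label}: decoded data is not an ASN.1 SEQUENCE")
        elif label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
        else:
            problems.append(f"block type {label} is neither a certificate nor a private key")
    if certs == 0:
        problems.append("no CERTIFICATE block")
    if keys != 1:
        problems.append(f"expected exactly one private key, found {keys}")
    return problems


def _pem(label, payload):
    """Build a PEM block around constructed placeholder bytes (not a real certificate or key)."""
    encoded = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{encoded}\n-----END {label}-----\n"


# Constructed payload: starts with the ASN.1 SEQUENCE tag, otherwise filler bytes.
_FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(44))

SAMPLES = {
    "cert + key": _pem("CERTIFICATE", _FAKE_DER) + _pem("PRIVATE KEY", _FAKE_DER),
    "windows line endings": (_pem("CERTIFICATE", _FAKE_DER)
                             + _pem("PRIVATE KEY", _FAKE_DER)).replace("\n", "\r\n"),
    "cert only": _pem("CERTIFICATE", _FAKE_DER),
    "joined without newline": _pem("CERTIFICATE", _FAKE_DER).rstrip("\n")
                              + _pem("PRIVATE KEY", _FAKE_DER),
    "encrypted key": _pem("CERTIFICATE", _FAKE_DER) + _pem("ENCRYPTED PRIVATE KEY", _FAKE_DER),
    "binary DER": _FAKE_DER.decode("latin-1"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {check_bundle(text) or 'no structural problems'}")
```
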


Re: [PacketFence-users] Redirect Captive Portal Loop

2024-03-05 Thread Zammit, Ludovic via PacketFence-users
That’s odd, I don’t remember seeing that issue on 13.X

What’s the controller iOS version? 

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 5, 2024, at 11:32 AM, Yiheang Ly  
> wrote:
> 
> Dear Zammit,
> 
> I’m actually running on latest version. PF13.
> Do you know any workaround for this?
> 
> Thank You
>  
> From: Zammit, Ludovic 
> Sent: Tuesday, March 5, 2024 11:26 PM
> To: PacketFence-users 
> Cc: Yiheang Ly 
> Subject: Re: [PacketFence-users] Redirect Captive Portal Loop
>  
> Hello,
> 
> It’s probably an old bug, which PF version are you running ?
> 
> Try to patch your system on the newer maintenance package.
> 
> Thanks,
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
>> On Mar 5, 2024, at 4:44 AM, Yiheang Ly via PacketFence-users 
>>  wrote:
>> 
>> Dear Team,
>>  
>> We have Cisco WLC configured captive portal via Packetfence. We noticed that 
>> During Redirection, Endpoint Loop with same URL.
>> Example: 
>> https://packetfenceIP/Cisco:WLC/SessionID=https://packetfenceIP/Cisco:WLC/SessionID
>>  
>> 
>> I have tried to find some solution on google but seem not work.
>>  
>> Note: Configuration follow Packetfence guideline.
>>  
>> Thank You


Re: [PacketFence-users] Display of registered nodes

2024-03-05 Thread Zammit, Ludovic via PacketFence-users
Hello there,

I think the answer is that you have to do computer authentication only, because 
I think you do computer + user authentication and the user authentication 
overrides the computer authentication.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 5, 2024, at 3:47 AM, Jochen Ackermann via PacketFence-users 
>  wrote:
> 
> Hi All,
> 
> We would like to use packetfence for Dot1X EAP-TLS authentication based on 
> machine certificates with the hostname as the TLS-Client-Cert-Common-Name 
> (the user of the machine afterwards authenticates against AD directly).
> The role-mapping and authentication itself in PF works well, but as a sort of 
> irksome result the authenticated (and auto-registered) machine lists on the 
> Nodes tab with the corresponding MAC address and an empty computername. 
> Instead the hostname is shown as owner and the machine name is registered 
> under the Users tab with the FQDN, together with other regular (i.e. "real") 
> user's accounts.
> Auditing->Node Information shows Computer Name N/A and username 
> host/hostname.domain.tld
> The Authentication Source uses servicePricipalName as Username Attribute, 
> that is the only hint I found to distinguish between user and machine 
> authentication.
> Is there some way to treat the hostname to show up as node instead of user as 
> normally indicated by the form host/... or hostname$
> 
> 
> Kind regards,
> 
> 
>   Jochen
> 
> 
> 
> 


Re: [PacketFence-users] SCEP and Jamf

2024-03-05 Thread Zammit, Ludovic via PacketFence-users
Hello Brad,

We have seen issues on Mac OS X “recent” version getting a certificate.

To answer your last question, why the cert is in PF: because PF did its job by 
providing the certificate and then the process fails in the next steps 
following that cert issuing. 

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 27, 2024, at 6:23 PM, Brad White via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> As we’ve scaled out the deployment of our EAP-TLS network that uses 
> PacketFence, I noticed an issue affecting a small percentage of Apple devices 
> (macOS / iPadOS / iOS) relating to SCEP.
> 
> - We have Jamf Pro acting as a SCEP Proxy for configuration profiles
> - We’re using PacketFence for PKI and as a SCEP Server
> - We’re using Microsoft Entra as an Application Proxy to expose PF’s SCEP URL 
> to the internet. This app proxy URL is listed as the base URL for the SCEP 
> server in Jamf
> - The Jamf Pro configuration profiles we’re using for macOS and iPadOS/iOS 
> are very similar and contain:
>   - PacketFence Root Certificate
>   - SCEP Payload specifying the CN subject to use for SCEP-issued machine 
> certificates, retry delay, etc.
>   - WiFi payload specifying SSID, auto-join, what username to use, etc.
> 
> The issue we are seeing with a fairly small number of devices (it’s currently 
> affecting less than 2% of macOS and a little over 4% of iPadOS/iOS) are two 
> Jamf Pro errors correlating with the configuration profile failing to push:
> 
> - Unable to obtain certificate from SCEP server at “our_Jamf_URL”. 
> 
> - The SCEP server returned an invalid response.
> 
> What is strange is that for these devices where the Jamf config profile is 
> failing, I can find active SCEP certificates in PacketFence (Configuration > 
> Integration > Certificates). They all show up in there and SCEP shows a green 
> circle.
> 
> I can manually revoke the SCEP machine certificate for a device that failed 
> in PacketFence, then re-push the Jamf config profile, and then it will 
> install fine.
> 
> So why are Jamf configuration profiles failing only on a small minority of 
> devices (with SCEP errors)? Probably related - why is PacketFence 
> provisioning a SCEP certificate for them that Jamf is failing to install?
> 
> I’m wondering if there is a setting we need to adjust somewhere since that 
> vast majority of devices are working fine.
> 
> Thanks,
> Brad White
> Client Systems Analyst
> Peninsula School District
> whi...@psd401.net
> 253.530.3710
> 


Re: [PacketFence-users] Issues upgrading from 12.2.0 to 13.1.0

2024-03-05 Thread Zammit, Ludovic via PacketFence-users
Hello Adrian,

We came across that issue as well, we will investigate it.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 5, 2024, at 5:26 AM, Adrian Dessaigne via PacketFence-users 
>  wrote:
> 
> Hello inverse team !
> 
> I'm having a few issues upgrading my 3 servers cluster from version 12.2.0 to 
> 13.1.0.
> I'll explain the process I followed and what issues I've encountered.
> 
> I first read the "Clustering Quick Installation Guide", part 12.4 "Performing 
> an upgrade on a cluster" as mentioned in the Upgrade Guide, part 5.2.
> I do my backup via snapshots and start the process.
> 
> Disabling the auto correction and galera autofix goes well.
> I can detach the Node C and make A and B run smoothly. The company network 
> and service aren't interrupted.
> 
> I then proceed to upgrade node C with the following command :
> /usr/local/pf/addons/upgrade/do-upgrade.sh
> During the process, the script showed me an error :
> Moving conf/switches.conf.dpkg-dist -> conf/switches.conf
> Attempting a dry-run on the patch on conf/switches.conf
> checking file conf/switches.conf
> Hunk #1 FAILED at 1.
> 1 out of 1 hunk FAILED
> Patching conf/switches.conf failed.
> 
> I re run the script and it goes "smoothly". I run the checkup and no errors 
> and proceed to switch production between Node A, B and C.
> With node C taking the HA IP, we still couldn't authenticate on the network. 
> I check the config and all the switches were gone !
> 
> I revert from my snapshot and proceed the same until the switch error.
> I open the file and check the content. It's empty. It seems like it got 
> replaced by the default config file so I tried to copy back the backup with 
> all my previous switches configuration and then run the checkup :
> systemctl start packetfence-proxysql
> /usr/local/pf/bin/pfcmd checkup
> I get a Warning saying the switch type "Cisco::Catalyst_2960" doesn't exist. So 
> I replaced all instances in the file with the type "Cisco::IOS_15.0"
> I run the checkup again and it output no warning or errors.
> 
> To avoid service interruption, I've kept the node A and B up with the C too. 
> A and B were together and C still in standalone.
> I could authenticate with a switch on node A, B and the HA IP but I couldn't 
> authenticate on node C. I've tried many PF configuration to make it work but 
> it just won't.
> Packetfence.log output nothing.
> Radius.log output nothing.
> 
> It has the same behaviour as if the switch wasn't declared in PF (but it was).
> 
> To this point I don't know how can I go further into the update without going 
> with a new cluster from scratch.
> 
> Thanks a lot for your help.
> 
> Greats,
> Adrian DESSAIGNE
>  


Re: [PacketFence-users] PACKETFENCE 12 - block routing between the Inline Layer 2 interface and Managemen

2024-02-28 Thread Zammit, Ludovic via PacketFence-users
Hello,

On debian 11 it would be:

apt-get update 

apt-get install packetfence -y

RHEL8:

yum update packetfence

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 22, 2024, at 3:33 PM, Gerllys Speroto Calvi  wrote:
> 
> Which command in PacketFence 12 to perform maintenance and download bug fix 
> packages? /usr/local/pf/addons/pf-maint.pl command has been disabled





Re: [PacketFence-users] PACKETFENCE 12 - block routing between the Inline Layer 2 interface and Managemen

2024-02-22 Thread Zammit, Ludovic via PacketFence-users
Hello there,

You will need to create an iptables rule that blocks the communication.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 22, 2024, at 12:28 PM, Gerllys Speroto Calvi via PacketFence-users 
>  wrote:
> 
> Good afternoon,
> I configured PacketFence version 12.2.0.
> Authentication via AD and registration via email is ok.
> I have the following problem: Users connected to the captive portal (INLINE 
> Layer 2 Interface) are accessing management network servers.
> 
> INLINE Layer 2 interface: IP 192.168.20.1
> Management interface: IP 172.16.144.44
> 
> How to block routing between the Inline Layer 2 interface and Management?
> 
> -- 
> Regards
>   
> Gerllys Speroto Calvi
> Information Technology Technician
> (27)99656-0587


Re: [PacketFence-users] Missing node information in testing mode

2024-02-20 Thread Zammit, Ludovic via PacketFence-users
Hello Sebastian,

It’s probably normal because we rarely use that mode.

It could be something we have not tested; it would make sense because that 
information is populated during a real authentication.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 20, 2024, at 8:52 AM, sh1ndy--- via PacketFence-users 
>  wrote:
> 
>  
> Hello,
>  
> I am currently running an HP Aruba switch in testing mode to gather mac 
> addresses.
> I noticed many of the node information is missing. The Location tab is 
> completely empty.
> Also there is no Last Switch information at the Info tab. Is this by design?
>  
> Regards
> Sebastian


Re: [PacketFence-users] Support of Cisco Catalyst 9200 series

2024-02-16 Thread Zammit, Ludovic via PacketFence-users
Hello Michael,

It should work, you can use the iOS 16 module in PF.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 15, 2024, at 11:27 AM, Michael Holz via PacketFence-users 
>  wrote:
> 
> Hello PF users,
> 
> I am currently evaluating PF for a campus network while simultaneously 
> looking for access switches. Since they are not explicitly mentioned as 
> supported material, how well do Cisco Catalyst 9200 series switches (meaning 
> IOS v17 currently) work with PF?
> 
> Thanks in advance and kind regards,
> Michael
> 
> 


Re: [PacketFence-users] packetfence-windows-agent Can`t download profile.xml

2024-02-16 Thread Zammit, Ludovic via PacketFence-users
Hello there,

You have to be in the registration network when you run that agent because it 
queries PacketFence to get the correct profile.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 14, 2024, at 9:47 AM, itmailabs via PacketFence-users 
>  wrote:
> 
> Hello
> I want to configure the Windows agent, when I make a build according to the 
> manifest that I took from here 
> https://github.com/inverse-inc/packetfence-windows-agent,
> when I launch the Windows agent I get an error on the command line
> Failed loading profile: Get 
> "http://wireless-profiles.packetfence.org/profile.xml": dial tcp: lookup 
> wireless-profiles.packetfence.org: no such host
> And here’s the error when I press the “Configure” button: Unable to retrieve 
> your profile file, please contact your local support.
> 
> Can you tell me how to configure the agent correctly? I can not understand.


Re: [PacketFence-users] EAPTLS: no role assigned to autoregistered devices

2024-02-16 Thread Zammit, Ludovic via PacketFence-users
Hello Andrey,

Alright.

Have a nice weekend.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 15, 2024, at 10:26 AM, Andrey Chernyakov  
> wrote:
> 
> Hello again,
> 
> I’ve found the solution, after log analysis it was so obvious: enable Dot1x 
> recompute role from portal parameter in connection profile.
> 
> Thank you, Ludovic, I’m beginner in PacketFence world, I wasn’t aware of 
> packetfence.log file content. No questions anymore, highly appreciate your 
> help!
> 
> --
> Andrey Chernyakov
> Senior Network and Security Engineer
> 
> email: chernya...@npsconsult.com 
> 
> NPS Consult S.A.
> L-5687, Dalheim
> Luxembourg
> On 15 Feb 2024 at 16:05 +0100, Andrey Chernyakov , 
> wrote:
>> Sure, here it is (at the bottom of email, I modified a search request just 
>> to ignore outdated logs).
>> 
>> According to the logs, EAPTLS authentication source was matched, but host 
>> wasn’t assigned to the role because it was already computed (but I have no 
>> idea when, before authentication I deleted MAC address from nodes list, and 
>> it’s auto registered host according to the relevant parameter of connection 
>> profile).
>> 
>> My goal is to assign all hosts (with known and registered MAC addresses and 
>> with unknown and first time see MAC addresses) once they've been 
>> authenticated via EAPTLS into specific roles.
>> 
>> root@packetfence:~# tail -f /usr/local/pf/logs/packetfence.log | grep 
>> 02:7a:87:11:54:dd
>> 
>> Feb 15 15:54:06 packetfence pfperl-api-docker-wrapper[193686]: 
>> pfperl-api(10) INFO: [mac:[undef]] Request to 
>> /api/v1/dhcp/mac/02:7a:87:11:54:dd is unauthorized, will perform a login 
>> (pf::api::unifiedapiclient::call)
>> Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) INFO: 
>> [mac:02:7a:87:11:54:dd] Trying generic MIB to force 802.1x port 
>> re-authentication. Your mileage may vary. If it doesn't work open a bug 
>> report with your hardware type. (pf::Switch::_dot1xPortReauthenticate)
>> Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) ERROR: 
>> [mac:02:7a:87:11:54:dd] error creating SNMP v3 write connection to 
>> 192.168.100.2: An empty authProtocol was specified 
>> (pf::Switch::connectWriteTo)
>> Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) WARN: 
>> [mac:unknown] Warning: 1062: Duplicate entry '02:7a:87:11:54:dd' for key 
>> 'PRIMARY' (pf::dal::db_execute)
>> Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) INFO: 
>> [mac:unknown] DHCPACK from 192.168.100.254 (00:0c:29:35:5f:47) to host 
>> 02:7a:87:11:54:dd (192.168.22.102) for 691200 seconds 
>> (pf::dhcp::processor_v4::parse_dhcp_ack)
>> Feb 15 15:54:33 packetfence pfqueue[219894]: pfqueue(219894) INFO: 
>> [mac:unknown] DHCPREQUEST from 02:7a:87:11:54:dd (192.168.22.102) 
>> (pf::dhcp::processor_v4::parse_dhcp_request)
>> Feb 15 15:54:33 packetfence pfqueue[219894]: pfqueue(219894) INFO: 
>> [mac:02:7a:87:11:54:dd] Sending a firewall SSO 'Update' request for MAC 
>> '02:7a:87:11:54:dd' and IP '192.168.22.102' (pf::firewallsso::do_sso)
>> Feb 15 15:54:33 packetfence pfqueue[221313]: pfqueue(221313) INFO: 
>> [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile 
>> (pf::Connection::ProfileFactory::_from_profile)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
>> ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 read connection to 
>> 192.168.100.2: An empty privProtocol was specified (pf::Switch::connectRead)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
>> INFO: [mac:02:7a:87:11:54:dd] handling radius autz request: from switch_ip 
>> => (192.168.100.2), connection_type => Ethernet-EAP,switch_mac => 
>> (00:04:96:9b:0a:db), mac => [02:7a:87:11:54:dd], port => 1017, username => 
>> "PC2-LAB$@ad.nps.local" (pf::radius::authorize)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
>> INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile 
>> (pf::Connection::ProfileFactory::_from_profile)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
>> INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 
>> 'Machine_auth' for realm 'ad.nps.local' 
>> (pf::config::util::filter_authentication_sources)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
>> INFO: [mac:02:7a:87:11:54:dd] Role has 

Re: [PacketFence-users] service not start

2024-02-16 Thread Zammit, Ludovic via PacketFence-users
Hello,

Try to re-install PacketFence.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 13, 2024, at 10:53 AM, Sudheera Warnasooriya via PacketFence-users 
>  wrote:
> 
> Hello
> I have installed PacketFence 13 on a Debian server (used with "Debian ISO image" 
> ). But I cannot start the packetfence service, 
> 
> "
>  Can't connect to pfconfig on containers-gateway.internal:4 : Connection 
> refused
> Feb 13 14:43:31 packetfence packetfence[1194]: pfcmd.pl(1194) ERROR: 
> [1707835411.75172] Failed to connect to config service for namespace 
> config::Pf(), retr>
> Feb 13 14:43:31 packetfence pfcmd[1194]: [1707835411.75172] Failed to connect 
> to config service for namespace config::Pf(), retrying
> Feb 13 14:43:31 packetfence pfcmd[1194]: Can't connect to pfconfig on 
> containers-gateway.internal:4 : Connection refused
> Feb 13 14:43:31 packetfence packetfence[1194]: pfcmd.pl(1194) ERROR: 
> [1707835411.85293] Failed to connect to config service for namespace 
> config::Pf(), retr>
> Feb 13 14:43:31 packetfence pfcmd[1194]: [1707835411.85293] Failed to connect 
> to config service for namespace config::Pf(), retrying
> Feb 13 14:43:31 packetfence systemd[1]: packetfence.service: start operation 
> timed out. Terminating.
> Feb 13 14:43:31 packetfence systemd[1]: packetfence.service: Failed with 
> result 'timeout'.
> Feb 13 14:43:31 packetfence systemd[1]: Failed to start PacketFence Service.
> Feb 13 14:43:31 packetfence systemd[1]: packetfence.service: Consumed 3.474s 
> CPU time.
> "
> 
> When I check the log file, it said 
> "
>  packetfence packetfence[1194]: pfcmd.pl(1194) ERROR: [1707835411.85293] 
> Failed to connect to config service for namespace config::Pf(), retrying "
> "
> 
> pls help
> 
> Thanks
> sudheera
> 
> 


Re: [PacketFence-users] Issues when attempting to enable OCSP for a single Certificate Template

2024-02-16 Thread Zammit, Ludovic via PacketFence-users
Hello Reese,

If I understand correctly, you are using PacketFence PKI and you want to use 
the builtin OCSP in PacketFence to reject any revoked certificates, correct?

Which Packetfence version are you running ?

What’s the OCSP url that you have configured ?

Is the EAP TLS working on regular non-revoked cert?

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 15, 2024, at 7:30 PM, Herber, Reese via PacketFence-users 
>  wrote:
> 
> Good Afternoon,
> 
> I'm hoping someone can chime in on setting up OCSP. We have successfully 
> implemented EAP-TLS machine authentication, working with our Active 
> Directory-managed Windows machines and our JAMF-managed MacOS devices. Our 
> current goal is to extend this setup to include a few (<50) BYOD devices by 
> generating machine auth certificates for them. However, we are facing 
> challenges with the OCSP.
> 
> Despite revoking a test certificate issued from the Packetfence PKI for a 
> BYOD device, the certificate remains valid for login, indicating that OCSP is 
> not functioning as expected. Moreover, when OCSP is enabled, it appears to 
> disrupt the connection for our Windows devices authenticated through valid 
> certificates, specifically when attempting to connect to RADIUS.
> 
> Here is the error we encounter in the radius logs for the windows devices 
> when this issue occurs:
> 
> Module-Failure-Message = "eap_tls: ocsp: Couldn't get OCSP response",
> Module-Failure-Message = "eap_tls: (TLS) ocsp: Unable to check certificate
> failing",
> Module-Failure-Message = "eap_tls: (TLS) Alert write:fatal:internal error",
> Module-Failure-Message = "eap_tls: (TLS) Server : Error in error",
> Module-Failure-Message = "eap_tls: (TLS) Failed reading from OpenSSL",
> Module-Failure-Message = "eap_tls: (TLS) error:27076072:OCSP 
> routines:parse_http_line1:server response error",
> Module-Failure-Message = "eap_tls: (TLS) error:1417C086:SSL 
> routines:tls_process_client_certificate:certificate verify failed",
> Module-Failure-Message = "eap_tls: (TLS) System call (I\/O) error (-1)",
> Module-Failure-Message = "eap_tls: (TLS) EAP Receive handshake failed during 
> operation",
> Module-Failure-Message = "eap_tls: [eaptls process] = fail",
> Module-Failure-Message = "eap: Failed continuing EAP TLS (13) session.  EAP 
> sub-module failed"
> 
> Here are the things I am hoping to get some insight on:
> 
> - How to correctly configure OCSP for the specific template used for BYOD 
>   devices, ensuring that revoked certificates are recognized as invalid and 
>   deny the connection.
> - Why my windows devices are throwing errors about being unable to get an 
>   OCSP response when the MacOS devices don't have that issue.
> 
> 
> I'm hoping there is just a setting I am missing here, but please let me know 
> if I can answer any additional questions.
> Thanks,
> 
> Reese Herber
> Systems Integration Analyst
> Department of Learning and Innovation
> 
> Phone: 253-530-3715
> 
> "The fusion of technology and education is the canvas on which we paint the 
> masterpiece of our collective future, one pixel at a time."


Re: [PacketFence-users] Issues when attempting to use Radius Auth with Aruba Mobility Conductor

2024-02-16 Thread Zammit, Ludovic via PacketFence-users
Hello Reese,

You have to have the controller IP in PF.

The error here says rejected in post-auth, meaning that the cert-based 
authentication worked; it’s PacketFence now that does not match any rule to 
assign a role and access duration.

Create an EAP TLS source and add it to the profile that connection matches.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 13, 2024, at 7:20 PM, Herber, Reese via PacketFence-users 
>  wrote:
> 
> I recently switched our test environment from a windows based NPS to 
> Packetfence (with Packetfence PKI) however I am currently running into an 
> issue when attempting to include the two Aruba Mobility Controllers (we run 
> HA with dual controllers). We have one Aruba AP setup for radius and yet I 
> somehow get different results between my Mac and Windows clients when 
> attempting to connect, the Mac devices work fine but the radius.log shows 
> them connecting from one of the controllers, whereas the windows devices fail 
> to connect by saying that the switch is not managed:
> 
> Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: Adding client 10.81.0.9/32 
> 
> Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: (255) rest: ERROR: Server returned:
> Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: (255) rest: ERROR: 
> {"Reply-Message":"Switch is not managed by 
> PacketFence","control:PacketFence-Authorization-Status":"allow","control:PacketFence-Request-Time":1707869148}
> Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: (255) Rejected in post-auth: 
> [host/WindowsTestCert] (from client 10.81.0.9/32 port 0 cli c8:34:8e:3d:f2:fd)
> Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: (255) Login incorrect (rest: Server 
> returned:): [host/WindowsTestCert] (from client 10.81.0.9/32 port 0 cli 
> c8:34:8e:3d:f2:fd)
> 
> When troubleshooting this I deleted the 2 controller addresses from my 
> packetfence setup and now I get an error that my identifier is already in use 
> when trying to re-add it (this behavior continues after I reboot packetfence 
> via the CLI)
> 
> Hopefully someone with experience with Aruba devices can chime in here as the 
> documentation is a few Aruba OS's behind.
> Thanks,
> 
> Reese Herber
> Systems Integration Analyst
> Department of Learning and Innovation
> 
> Phone: 253-530-3715
> 
> "The fusion of technology and education is the canvas on which we paint the 
> masterpiece of our collective future, one pixel at a time."
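Added example (not part of the thread and not PacketFence code): a sketch that reads radius.log entries like the ones quoted in the message above, unwrapped to one entry per line, and lists which RADIUS client IPs were rejected with "Switch is not managed by PacketFence", i.e. the address that has to exist in PF per the reply. The regular expressions, function name and the constructed second entry are assumptions based only on the lines shown in that post.

```python
import json
import re
from collections import defaultdict

# "(255) ..." is the FreeRADIUS request number that ties entries together.
LINE = re.compile(r"auth\[\d+\]: \((?P<req>\d+)\) (?P<msg>.*)$")
# JSON body returned by the REST call, as logged by the rest module.
REST_JSON = re.compile(r"rest: ERROR: (?P<json>\{.*\})\s*$")
REJECT = re.compile(
    r"Rejected in post-auth: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>[0-9.]+)(?:/\d+)?\s+port \d+ cli (?P<mac>[0-9A-Fa-f:.-]+)\)"
)
UNMANAGED = "Switch is not managed by PacketFence"


def unmanaged_nas_report(lines):
    """Return {nas_ip: [(user, mac), ...]} for post-auth rejects whose REST
    reply for the same request number said the switch is not managed."""
    reasons = {}                      # request number -> Reply-Message
    report = defaultdict(set)
    for line in lines:
        entry = LINE.search(line)
        if not entry:
            continue                  # e.g. "Adding client ..." has no request number
        req, msg = entry["req"], entry["msg"]
        rest = REST_JSON.search(msg)
        if rest:
            try:
                reasons[req] = json.loads(rest["json"]).get("Reply-Message")
            except json.JSONDecodeError:
                pass                  # truncated or wrapped entry: ignore it
            continue
        reject = REJECT.search(msg)
        # pop() so a reused request number cannot inherit an old reason
        if reject and reasons.pop(req, None) == UNMANAGED:
            report[reject["nas"]].add((reject["user"], reject["mac"].lower()))
    return {nas: sorted(hits) for nas, hits in report.items()}


SAMPLE_LOG = [
    # Entries from the post, unwrapped to one per line.
    'Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: Adding client 10.81.0.9/32',
    'Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: (255) rest: ERROR: Server returned:',
    'Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: (255) rest: ERROR: '
    '{"Reply-Message":"Switch is not managed by PacketFence",'
    '"control:PacketFence-Authorization-Status":"allow",'
    '"control:PacketFence-Request-Time":1707869148}',
    'Feb 13 16:05:48 VMNOCNMPAKFEN auth[5612]: (255) Rejected in post-auth: '
    '[host/WindowsTestCert] (from client 10.81.0.9/32 port 0 cli c8:34:8e:3d:f2:fd)',
    # Constructed entry: a reject with no "not managed" reply must not be reported.
    'Feb 13 16:06:02 VMNOCNMPAKFEN auth[5612]: (256) Rejected in post-auth: '
    '[host/ConstructedHost] (from client 192.0.2.10/32 port 0 cli 00:11:22:33:44:55)',
]

if __name__ == "__main__":
    for nas, hits in unmanaged_nas_report(SAMPLE_LOG).items():
        print(f"{nas}: not managed by PacketFence, seen for {hits}")
```

Each reported address is the source IP the RADIUS request arrived from, which can differ from the AP or controller address an administrator expects.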


Re: [PacketFence-users] EAPTLS: no role assigned to autoregistered devices

2024-02-15 Thread Zammit, Ludovic via PacketFence-users
Hello Andrey,

For EAP TLS you don’t need to join the PF servers to your domain.

You will need to add the Root CA that signed the user/computer certs under 
Configuration > System Configuration > SSL Certificates > RADIUS > RADIUS 
Certification Authority Certificate(s).

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 14, 2024, at 8:22 AM, Andrey Chernyakov via PacketFence-users 
>  wrote:
> 
> Hi, PacketFence community,
> 
> Currently I’m evaluating EAPTLS authentication with machine certificates in 
> my lab for wired network, but Authentication Source with EAPTLS doesn’t seem 
> to be working.
> 
> From my perspective, the configuration is good, EAP profile prefers TLS 
> authentication, RADIUS has valid certificate signed by the same CA as machine 
> certificates which I use for EAPTLS authentication. Connection profile allows 
> auto-registration of devices. Authentication source should catch-all 
> authentication attempts and assign devices to role (gaming, for example).
> 
> The problem with such configuration is - devices are authenticated and 
> auto-registered, but they aren’t matched with authentication source rules 
> (last screenshot with log can prove it), and they are respectively registered 
> with no role. But I need role in order to be able to assign devices with 
> relevant profile. Below you can find screenshots from my lab, any ideas how 
> to fix it?
> 
> Appreciate your help in advance!
> 
> 
> 
> 
> 
> 
> --
> Andrey Chernyakov
> Senior Network and Security Engineer
> 
> email: chernya...@npsconsult.com 
> 
> NPS Consult S.A.
> L-5687, Dalheim
> Luxembourg


Re: [PacketFence-users] EAPTLS: no role assigned to autoregistered devices

2024-02-15 Thread Zammit, Ludovic via PacketFence-users
Please do that:

grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log

Show the output please.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 15, 2024, at 9:49 AM, Andrey Chernyakov  
> wrote:
> 
> Hello Ludovic,
> 
> Thanks for your reply.
> 
> It’s clear, there are no connections to domain controllers, RADIUS is signed 
> with valid certificate from Microsoft PKI and EAPTLS authentication works 
> well.
> But Authentication source defined to use EAPTLS is just ignored by 
> authentication process, machines aren’t getting the role defined in 
> authentication rule (even with no conditions, catch-all rule), they always 
> get registration role.
> 
> --
> Andrey Chernyakov
> Senior Network and Security Engineer
> 
> email: chernya...@npsconsult.com 
> 
> NPS Consult S.A.
> L-5687, Dalheim
> Luxembourg
> On 15 Feb 2024 at 15:11 +0100, Zammit, Ludovic , wrote:
>> Hello Andrey,
>> 
>> For EAP TLS you don’t need to join the PF servers to your domain.
>> 
>> You will need to add the Root CA that signed the user/computer certs under 
>> Configuration > System Configuration > SSL Certificates > RADIUS > RADIUS 
>> Certification Authority Certificate(s).
>> 
>> Thanks,
>> 
>> 
>> 
>> Ludovic Zammit
>> Product Support Engineer Principal Lead
>> 
>> Cell: +1.613.670.8432
>> Akamai Technologies - Inverse
>> 145 Broadway
>> Cambridge, MA 02142
>> 
>>> On Feb 14, 2024, at 8:22 AM, Andrey Chernyakov via PacketFence-users 
>>>  wrote:
>>> 
>>> Hi, PacketFence community,
>>> 
>>> Currently I’m evaluating EAPTLS authentication with machine certificates in 
>>> my lab for wired network, but Authentication Source with EAPTLS doesn’t 
>>> seem to be working.
>>> 
>>> From my perspective, the configuration is good, EAP profile prefers TLS 
>>> authentication, RADIUS has valid certificate signed by the same CA as 
>>> machine certificates which I use for EAPTLS authentication. Connection 
>>> profile allows auto-registration of devices. Authentication source should 
>>> catch-all authentication attempts and assign devices to role (gaming, for 
>>> example).
>>> 
>>> The problem with such configuration is - devices are authenticated and 
>>> auto-registered, but they aren’t matched with authentication source rules 
>>> (last screenshot with log can prove it), and they are respectively 
>>> registered with no role. But I need role in order to be able to assign 
>>> devices with relevant profile. Below you can find screenshots from my lab, 
>>> any ideas how to fix it?
>>> 
>>> Appreciate your help in advance!
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> --
>>> Andrey Chernyakov
>>> Senior Network and Security Engineer
>>> 
>>> email: chernya...@npsconsult.com 
>>> 
>>> NPS Consult S.A.
>>> L-5687, Dalheim
>>> Luxembourg


Re: [PacketFence-users] Packetfence 13 zen node online/offline

2024-02-11 Thread Zammit, Ludovic via PacketFence-users
You can do a packet capture with:

tcpdump -i any port 1813

Check if you receive it.

Sometimes it’s a bad shared secret on the accounting.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 9, 2024, at 1:59 AM, Giulio Lo Presti  wrote:
> 
> Hello Ludovic,
> 
> Thanks for reply, I know already what you say and I receive accounting start 
> and stop from switch correctly. The problem is that the status on web 
> interface is always unknown, in case of node up or down. But if I click on 
> the node I will see info when has been authenticated and when it has been 
> disconnected. I see that web interface relies on the node_connection_status 
> dal table that is always empty.
> 
> From your experience what can be the problem?
> 
> Thanks Giulio 
> On Thu, Feb 8, 2024, 14:52 Zammit, Ludovic wrote:
>> Hello Giulio,
>> 
>> The online / offline feature relies on RADIUS Accounting packets; you will 
>> need to send your accounting to PF the same as the RADIUS authentication.
>> 
>> Online = RADIUS Acct Start
>> Offline = RADIUS Acct Stop
>> 
>> Thanks,
>> 
>> Ludovic Zammit
>> Product Support Engineer Principal Lead
>> 
>> Cell: +1.613.670.8432
>> Akamai Technologies - Inverse
>> 145 Broadway
>> Cambridge, MA 02142
>> 
>>> On Feb 7, 2024, at 2:24 PM, Giulio Lo Presti via PacketFence-users 
>>>  wrote:
>>> 
>>> Hello,
>>> 
>>> I'm struggling to get the authenticated PC or user appear to online/ 
>>> offline it show unknown. I see in database that the node_status table that 
>>> has 4 field In it is not been updated.
>>> Everything else is working fine. Can  you please someone point me in the 
>>> right direction?
>>> 
>>> Thanks a lot for your help
>>> Giulio


Re: [PacketFence-users] Questions regarding the setup of LetsEncrypt

2024-02-08 Thread Zammit, Ludovic via PacketFence-users
Hello Reese,

You have to have the port 80 forwarded to PacketFence.

packetfence.domain.com --> Public IP --> NAT to PF local management IP

Open and forward 80 & 443.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 6, 2024, at 7:00 PM, Herber, Reese via PacketFence-users 
>  wrote:
> 
> Good Afternoon,
> 
> I'm struggling to find documentation on how to setup letsencrypt, I have had 
> success using certbot on a few linux servers and a windows environment but 
> there doesn't seem to be any documentation on what exact record I need to 
> register at my DNS Registrar for letsencrypt to be functional.
> 
> Please let me know if I can answer any additional questions.
> Thanks,
> 
> Reese Herber
> Systems Integration Analyst
> Department of Learning and Innovation
> 
> "The fusion of technology and education is the canvas on which we paint the 
> masterpiece of our collective future, one pixel at a time."


Re: [PacketFence-users] Packetfence 13 zen node online/offline

2024-02-08 Thread Zammit, Ludovic via PacketFence-users
Hello Giulio,

The online / offline feature relies on RADIUS Accounting packets; you will need 
to send your accounting to PF the same as the RADIUS authentication.

Online = RADIUS Acct Start
Offline = RADIUS Acct Stop

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 7, 2024, at 2:24 PM, Giulio Lo Presti via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> I'm struggling to get the authenticated PC or user appear to online/ offline 
> it show unknown. I see in database that the node_status table that has 4 
> field In it is not been updated.
> Everything else is working fine. Can  you please someone point me in the 
> right direction?
> 
> Thanks a lot for your help
> Giulio
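Added example for this accounting thread (not from the list and not PacketFence code): it encodes and checks RADIUS Accounting-Request packets per RFC 2866, showing how Acct-Status-Type Start/Stop maps to the online/offline state described above and why a packet that shows up in tcpdump is still unusable when the shared secret differs, the cause suggested in the 2024-02-11 reply. The secret, MAC address and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS code (RFC 2866)
ACCT_STATUS_TYPE = 40                       # attribute type (RFC 2866)
CALLING_STATION_ID = 31                     # usually carries the client MAC
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
NODE_STATE = {"Start": "online", "Stop": "offline"}   # mapping stated in the thread


def request_authenticator(header, attributes, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()


def build_accounting_request(identifier, attrs, secret):
    """Encode an Accounting-Request as a NAS configured with `secret` would."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator(header, body, secret) + body


def parse_attributes(body):
    """Split the attribute area into {type: value}, rejecting bad lengths."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(attr_type, body[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def check_accounting_packet(packet, secret):
    """Validate one Accounting-Request against the server-side secret."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    header, received, body = packet[:4], packet[4:20], packet[20:length]
    secret_ok = hmac.compare_digest(
        received, request_authenticator(header, body, secret))
    attrs = parse_attributes(body)
    raw_status = attrs.get(ACCT_STATUS_TYPE, b"")
    status = None
    if len(raw_status) == 4:
        status = STATUS_NAMES.get(struct.unpack("!I", raw_status)[0])
    return {
        "identifier": identifier,
        "secret_ok": secret_ok,
        "status": status,
        "mac": attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace"),
        # A packet that fails the authenticator check cannot update any state.
        "node_state": NODE_STATE.get(status) if secret_ok else None,
    }


# Constructed sample values, not taken from the thread.
NAS_SECRET = b"constructed-nas-secret"
SAMPLE_MAC = b"00-11-22-33-44-55"
START = build_accounting_request(
    7, [(ACCT_STATUS_TYPE, struct.pack("!I", 1)), (CALLING_STATION_ID, SAMPLE_MAC)],
    NAS_SECRET)
STOP = build_accounting_request(
    8, [(ACCT_STATUS_TYPE, struct.pack("!I", 2)), (CALLING_STATION_ID, SAMPLE_MAC)],
    NAS_SECRET)

if __name__ == "__main__":
    for label, packet, secret in (
        ("Start, matching secret", START, NAS_SECRET),
        ("Stop, matching secret", STOP, NAS_SECRET),
        ("Start, server has a different secret", START, b"some-other-secret"),
    ):
        print(label, check_accounting_packet(packet, secret))
```

In the mismatch case the status is still readable on the wire, which is why a capture alone does not prove the server accepted the packet.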


Re: [PacketFence-users] MAB and Authentication Sources

2024-02-07 Thread Zammit, Ludovic via PacketFence-users
Hello Vishaal,

Test for the status of a MAC address; it is supposed to be Registered and not 
unregistered. Also, it needs to have a Role.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 1, 2024, at 2:21 PM, Vishaal Golam via PacketFence-users 
>  wrote:
> 
> Hello,
> 
>   Just a question to know if I've misunderstood the MAB concept.
> I've a DDI system with all recorded MAC addresses of our devices.
> How can I test if a device was authorized to receive a VLAN allocation
> in PacketFence. The DDI has a REST API, is this the way I have to do it to
> configure MAC Address Based authentication?
> 
> I have a question to clarify my understanding of the MAB concept.
> I have a DDI system that contains all the recorded MAC addresses of our 
> devices.
> How can I test whether a device is authorized to receive a VLAN allocation in 
> PacketFence?
> The DDI system has a REST API, and I would like to confirm if
> configuring MAB authentication is done through this API.
> 
> Thanks
> 
> 
> -- 
> 
> 
> Vishaal Golam - Direction Générale Déléguée à l'Informatique et au Numérique
> Université Gustave Eiffel - Université Paris-Est - Marne-la-Vallée
> Cité Descartes - 5,bld Descartes-Champs-sur-Marne-77454 Marne-la-Vallée Cedex2
> Tél : +33 (0)1 60 95 74 55  Mob: 06 11 19 70 30  Mail : 
> vishaal.golam(at)univ-eiffel.fr
> 
> 
> 


Re: [PacketFence-users] encryption in PacketFence

2024-02-07 Thread Zammit, Ludovic via PacketFence-users
Hello,

Notes Paragraph 2 of Article 19 of this Law provides that the application of 
the provisions of Article 19 for infringement of copyright or related rights is 
subject to a specific law, which must respect freedom of speech and other 
guarantees provided for in Article 5 of the Federal Constitution.
Article 31 provides that until the entry into force of a specific law, as 
mentioned in the Paragraph 2 of Article 19, the liability of the internet 
application providers (IAPs) for damages arising from content generated by 
third parties, in case of copyright or related rights infringement, shall 
continue to be regulated by the copyright legislation in force and applicable 
on the date this Law came into force.

Article 32 states that this Law shall enter into force after the expiry of 
sixty (60) days of its official publication. This Law was published in the 
Official Gazette on April 24, 2014, and came into force on June 24, 2014.

We do not encrypt the data in mariadb but we can force a cleanup after X period 
of time. PacketFence can clean nodes and users information.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jan 29, 2024, at 7:08 PM, robson saldanha martins via PacketFence-users 
>  wrote:
> 
> My question may seem simple, but I would like to emphasize that I am an 
> inexperienced user. I would be very grateful if you could point me in the 
> right direction. I would like to know if there is any native option in 
> PacketFence to encrypt the captured data that will be sent to MariaDB. I need 
> to store this data for a year, as I am considering using PacketFence to 
> comply with Law 12,965, the Civil Rights Framework for the Internet. 
> Could someone help me resolve my doubt? 
>   My question may seem simple, but I would like to point out that I am an 
> inexperienced user. I would be very grateful if you could show me the way. 
> I would like to know whether there is any native option in PacketFence to 
> encrypt the captured data that will be sent to MariaDB. I need to store this 
> data for one year, as I am considering using PacketFence to be in 
> compliance with Law 12.965, the Marco Civil da Internet.
> Could someone help me resolve my question?  
> 
> Att.: Robsonm


Re: [PacketFence-users] Help with IP Tables and Processor usage question

2024-02-04 Thread Zammit, Ludovic via PacketFence-users
Hello David,

Can you show the output of the top command and show it here?

Thanks

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jan 29, 2024, at 5:49 PM, David Moore  wrote:
> 
> 13.0, before that I'm not sure, but it was 12.x
> 
> 
> 
> From: Zammit, Ludovic 
> Sent: Monday, January 29, 2024 4:27:55 PM
> To: PacketFence-users 
> Cc: David Moore 
> Subject: Re: [PacketFence-users] Help with IP Tables and Processor usage 
> question
> 
> Hello David,
> 
> What was the previous PF version before the upgrade?
> 
> Thanks,
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
>> On Jan 25, 2024, at 10:02 AM, David Moore via PacketFence-users 
>>  wrote:
>> 
>> I recently upgraded to PF 13.1 and have had a few issues, most of which I 
>> have been able to resolve. The only lingering issue I'm aware of is with IP 
>> Tables, but I'm not positive it's something to be concerned about because PF 
>> is working. 
>> 
>> My PF server is ZEN running in VMWare ESXi the assigned hardware is 32 GB of 
>> RAM, 4 Processors and 300 GB of disk space, my network consists of about 30 
>> nodes authenticating with 802.1x (Active Directory and MAC Auth for non-AD 
>> devices) memory and disk space are fine but the CPU is constantly at 5Ghz of 
>> consumption (is that normal for the processor?)
>> 
>> Please see the details from packetfence.log and from systemctl status 
>> packetfence-iptables below:
>> 
>> packetfence.log:
>> Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(14) 
>> INFO: [mac:[undef]] getting security_events triggers for accounting cleanup 
>> (pf::accounting::acct_maintenance)
>> Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(17) 
>> INFO: [mac:[undef]] processed 0 security_events during security_event 
>> maintenance (1706193787.30847 1706193787.36479) 
>> (pf::security_event::security_event_maintenance)
>> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: saving existing 
>> iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
>> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) WARN: We are using 
>> IPSET (pf::ipset::iptables_generate)
>> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: flushing 
>> iptables (pf::ipset::iptables_flush_mangle)
>> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding Forward 
>> rules to allow connections to the OAuth2 Providers and passthrough. 
>> (pf::iptables::generate_passthrough_rules)
>> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding IP based 
>> passthrough for connectivitycheck.gstatic.com 
>> 
>>  (pf::iptables::generate_passthrough_rules)
>> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding NAT 
>> Masquerade statement. (pf::iptables::generate_passthrough_rules)
>> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: restoring 
>> iptables from /usr/local/pf/var/conf/iptables.conf 
>> (pf::iptables::iptables_restore)
>> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) WARN: Problem trying 
>> to run command: LANG=C /sbin/iptables-restore < 
>> /usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child 
>> exited with non-zero value 2 (pf::util::pf_run)
>> Jan 25 09:44:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(19) 
>> INFO: [mac:[undef]] processed 0 security_events 

Re: [PacketFence-users] Help with IP Tables and Processor usage question

2024-02-04 Thread Zammit, Ludovic via PacketFence-users
Perfect, could you do the same but, when you are in top, hit the key “c”? That 
will develop the processes behind the perl process.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Feb 1, 2024, at 1:28 PM, David Moore  wrote:
> 
> 
> 
> The perl process comes and goes, it will show up at the top between 60-90+ 
> percent and then disappear
> 
> 
> From: Zammit, Ludovic
> Sent: Thursday, February 1, 2024 1:15 PM
> To: David Moore
> Cc: PacketFence-users
> Subject: Re: [PacketFence-users] Help with IP Tables and Processor usage 
> question
> 
> Hello David,
> 
> Can you show the output of the top command and show it here?
> 
> Thanks
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
> On Jan 29, 2024, at 5:49 PM, David Moore  wrote:
> 
> 13.0, before that I'm not sure, but it was 12.x
> 
> 
> 
> From: Zammit, Ludovic 
> Sent: Monday, January 29, 2024 4:27:55 PM
> To: PacketFence-users 
> Cc: David Moore 
> Subject: Re: [PacketFence-users] Help with IP Tables and Processor usage 
> question
> 
> Hello David,
> 
> What was the previous PF version before the upgrade?
> 
> Thanks,
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
> On Jan 25, 2024, at 10:02 AM, David Moore via PacketFence-users 
>  wrote:
> 
> I recently upgraded to PF 13.1 and have had a few issues, most of which I 
> have been able to resolve. The only lingering issue I'm aware of is with IP 
> Tables, but I'm not positive it's something to be concerned about because PF 
> is working. 
> 
> My PF server is ZEN running in VMWare ESXi the assigned hardware is 32 GB of 
> RAM, 4 Processors and 300 GB of disk space, my network consists of about 30 
> nodes authenticating with 802.1x (Active Directory and MAC Auth for non-AD 
> devices) memory and disk space are fine but the CPU is constantly at 5Ghz of 
> consumption (is that normal for the processor?)
> 
> Please see the details from packetfence.log and from systemctl status 
> packetfence-iptables below:
> 
> packetfence.log:
> Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(14) INFO: 
> [mac:[undef]] getting security_events triggers for accounting cleanup 
> (pf::accounting::acct_maintenance)
> Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(17) INFO: 
> [mac:[undef]] processed 0 security_events during security_event maintenance 
> (1706193787.30847 1706193787.36479) 
> (pf::security_event::security_event_maintenance)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: saving existing 
> iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
> Jan 25 

Re: [PacketFence-users] Help with IP Tables and Processor usage question

2024-01-29 Thread Zammit, Ludovic via PacketFence-users
Hello David,

What was the previous PF version before the upgrade?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jan 25, 2024, at 10:02 AM, David Moore via PacketFence-users 
>  wrote:
> 
> I recently upgraded to PF 13.1 and have had a few issues, most of which I 
> have been able to resolve. The only lingering issue I'm aware of is with IP 
> Tables, but I'm not positive it's something to be concerned about because PF 
> is working. 
> 
> My PF server is ZEN running in VMWare ESXi the assigned hardware is 32 GB of 
> RAM, 4 Processors and 300 GB of disk space, my network consists of about 30 
> nodes authenticating with 802.1x (Active Directory and MAC Auth for non-AD 
> devices) memory and disk space are fine but the CPU is constantly at 5Ghz of 
> consumption (is that normal for the processor?)
> 
> Please see the details from packetfence.log and from systemctl status 
> packetfence-iptables below:
> 
> packetfence.log:
> Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(14) INFO: 
> [mac:[undef]] getting security_events triggers for accounting cleanup 
> (pf::accounting::acct_maintenance)
> Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(17) INFO: 
> [mac:[undef]] processed 0 security_events during security_event maintenance 
> (1706193787.30847 1706193787.36479) 
> (pf::security_event::security_event_maintenance)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: saving existing 
> iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) WARN: We are using 
> IPSET (pf::ipset::iptables_generate)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: flushing iptables 
> (pf::ipset::iptables_flush_mangle)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding Forward 
> rules to allow connections to the OAuth2 Providers and passthrough. 
> (pf::iptables::generate_passthrough_rules)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding IP based 
> passthrough for connectivitycheck.gstatic.com 
>  
> (pf::iptables::generate_passthrough_rules)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding NAT 
> Masquerade statement. (pf::iptables::generate_passthrough_rules)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: restoring 
> iptables from /usr/local/pf/var/conf/iptables.conf 
> (pf::iptables::iptables_restore)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) WARN: Problem trying to 
> run command: LANG=C /sbin/iptables-restore < 
> /usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child 
> exited with non-zero value 2 (pf::util::pf_run)
> Jan 25 09:44:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(19) INFO: 
> [mac:[undef]] processed 0 security_events during security_event maintenance 
> (1706193846.10912 1706193846.12021) 
> (pf::security_event::security_event_maintenance)
> Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: 
> [mac:[undef]] Using 300 resolution threshold 
> (pf::pfcron::task::cluster_check::run)
> Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(14) INFO: 
> [mac:[undef]] getting security_events triggers for accounting cleanup 
> (pf::accounting::acct_maintenance)
> Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: 
> [mac:[undef]] All cluster members are running the same configuration version 
> (pf::pfcron::task::cluster_check::run)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: saving existing 
> iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) WARN: We are using 
> IPSET (pf::ipset::iptables_generate)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: flushing iptables 
> (pf::ipset::iptables_flush_mangle)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding Forward 
> rules to allow connections to the OAuth2 Providers and passthrough. 
> (pf::iptables::generate_passthrough_rules)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding IP based 
> passthrough for connectivitycheck.gstatic.com 
>  
> (pf::iptables::generate_passthrough_rules)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding NAT 
> Masquerade statement. (pf::iptables::generate_passthrough_rules)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: restoring 
> iptables from 

Re: [PacketFence-users] Nodes Details

2023-12-18 Thread Zammit, Ludovic via PacketFence-users
Hello Raheel,

Because that information is gathered based on DHCP activity seen by PF.

If you use a captive portal where PF is the DHCP server, it will profile the 
device, but if you don’t use a captive portal and you have a Windows DHCP 
server, you can install the DHCP sensor:

https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_dhcp_remote_sensor
Thanks,


Ludovic Zammit


> On Dec 18, 2023, at 8:49 AM, Raheel Khilji via PacketFence-users 
>  wrote:
> 
> Hi all,
> 
> I have successfully deployed and authenticated a user, but the problem is that my nodes 
> page is not showing details like computer name / IP address / OS version.
> 
> 
> Please help me resolve this issue.


Re: [PacketFence-users] VLAN could not be found

2023-12-05 Thread Zammit, Ludovic via PacketFence-users
Hello Stephan,

Nov 29 14:04:22 PVS-PF01 httpd.aaa-docker-wrapper[3191]: httpd.aaa(9) WARN: 
[mac:00:1a:e8:58:be:20] No parameter PS-VOICEVlan found in conf/switches.conf 
for the switch 192.168.1.8 

Nowhere in your switches.conf do you have a config for 192.168.1.8.

Thanks,

Ludovic Zammit


> On Nov 29, 2023, at 8:12 AM, Kaufhold, Stephan via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> I don't understand this behavior.
> 
> Vlans are defined in Switches.conf
> 
> Can You help?
> 
> Regards Stephan
> 
> Nov 29 14:04:22 PVS-PF01 httpd.aaa-docker-wrapper[3191]: httpd.aaa(9) WARN: 
> [mac:00:1a:e8:58:be:20] No parameter PS-VOICEVlan found in conf/switches.conf 
> for the switch 192.168.1.8 (pf::Switch::getVlanByName)
> Nov 29 14:04:22 PVS-PF01 httpd.aaa-docker-wrapper[3191]: httpd.aaa(9) WARN: 
> [mac:00:1a:e8:58:be:20] No parameter PS-VOICERole found in conf/switches.conf 
> for the switch 192.168.1.8 (pf::Switch::getRoleByName)
> 
> 
> conf/switches.conf
>  snip ..
> 
> [172.30.20.7]
> group=ARUBA-STD
> 
> [172.30.20.8]
> group=ARUBA-STD
> PS-VOICEVlan=201
> RoleMap=Y
> PS-VOICERole=200
> 
> ...
> [group ARUBA-STD]
> deauthMethod=SNMP
> description=ARUBA-STD
> type=ArubaSwitch
> deauthOnPrevious=Y
> SNMPUserNameRead=manager
> radiusSecret=ijbuzvWAOFIHREHJT89GRQEW09A
> MGMT-VLANVlan=20
> DRUCKER-VLANVlan=40
> PS-VOICEVlan=200
> 
> 
> 
> 
> 



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
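
The mismatch pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not PacketFence's own code: it reads the switch IP and parameter from each WARN line and looks them up in a constructed copy of the quoted switches.conf excerpt, assuming a switch section inherits keys from the [group ...] section it names. The function names effective_settings and diagnose are hypothetical.

```python
import configparser
import re

# Constructed sample modelled on the conf/switches.conf excerpt quoted in the
# thread; the RADIUS secret and unrelated keys are left out.
SWITCHES_CONF = """
[172.30.20.7]
group=ARUBA-STD

[172.30.20.8]
group=ARUBA-STD
PS-VOICEVlan=201
RoleMap=Y
PS-VOICERole=200

[group ARUBA-STD]
type=ArubaSwitch
MGMT-VLANVlan=20
DRUCKER-VLANVlan=40
PS-VOICEVlan=200
"""

# The two WARN lines from the thread, each rejoined onto a single line.
LOG_LINES = [
    "Nov 29 14:04:22 PVS-PF01 httpd.aaa-docker-wrapper[3191]: httpd.aaa(9) WARN: "
    "[mac:00:1a:e8:58:be:20] No parameter PS-VOICEVlan found in conf/switches.conf "
    "for the switch 192.168.1.8 (pf::Switch::getVlanByName)",
    "Nov 29 14:04:22 PVS-PF01 httpd.aaa-docker-wrapper[3191]: httpd.aaa(9) WARN: "
    "[mac:00:1a:e8:58:be:20] No parameter PS-VOICERole found in conf/switches.conf "
    "for the switch 192.168.1.8 (pf::Switch::getRoleByName)",
]

WARN_RE = re.compile(
    r"No parameter (?P<param>\S+) found in conf/switches\.conf "
    r"for the switch (?P<switch>\S+)"
)


def load_switches(text):
    """Parse switches.conf text, keeping key case (PS-VOICEVlan is case-sensitive)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # configparser lowercases keys by default
    parser.read_string(text)
    return parser


def effective_settings(parser, switch_id):
    """Settings for one switch: its group's keys, overridden by its own keys.

    Returns None when the file has no section for switch_id at all.
    Assumption: a [group NAME] section supplies defaults to every switch
    section that carries group=NAME, as the excerpt's layout suggests.
    """
    if not parser.has_section(switch_id):
        return None
    own = dict(parser.items(switch_id))
    merged = {}
    group_section = "group " + own.get("group", "")
    if parser.has_section(group_section):
        merged.update(parser.items(group_section))
    merged.update(own)
    return merged


def diagnose(parser, log_line):
    """Explain one 'No parameter ... found' warning against the parsed config."""
    match = WARN_RE.search(log_line)
    if match is None:
        return None
    param, switch = match.group("param"), match.group("switch")
    settings = effective_settings(parser, switch)
    if settings is None:
        cause = "no-section"          # the request came from an unlisted switch IP
    elif param not in settings:
        cause = "parameter-missing"   # section exists, key absent there and in its group
    else:
        cause = "defined"
    # Switch sections where the parameter does resolve: a hint at the intended entry.
    defined_on = sorted(
        section for section in parser.sections()
        if not section.startswith("group ")
        and param in effective_settings(parser, section)
    )
    return {"switch": switch, "param": param, "cause": cause, "defined_on": defined_on}


if __name__ == "__main__":
    conf = load_switches(SWITCHES_CONF)
    for line in LOG_LINES:
        print(diagnose(conf, line))
```

For both warnings the cause is "no-section": the RADIUS request arrived from 192.168.1.8, while the parameters are only defined for switches in 172.30.20.x.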


Re: [PacketFence-users] wifi access guest - block users after access duration end

2023-11-27 Thread Zammit, Ludovic via PacketFence-users
Hello,

Check if you have the right RADIUS CoA configuration on the WLC.

Thanks,

Ludovic Zammit


> On Nov 24, 2023, at 11:23 AM, Casagrande Roberto, SEDE CENTRALE - GUBBIO, 
> Colacem S.p.A.  wrote:
> 
> Hi 
> I have 4402 (ver.7.0.235.3) and 5520 (8.5.151.0)
> thanks for support
> R
> 
> From: Zammit, Ludovic <luza...@akamai.com>
> Sent: Friday, November 24, 2023 14:30
> To: PacketFence-users
> Cc: Casagrande Roberto, SEDE CENTRALE - GUBBIO, Colacem S.p.A. <r.casagra...@financo.it>
> Subject: Re: [PacketFence-users] wifi access guest - block users after access 
> duration end
>  





Re: [PacketFence-users] wifi access guest - block users after access duration end

2023-11-24 Thread Zammit, Ludovic via PacketFence-users
Hello There,

There is a good chance that the CoA is not working thus disconnecting the 
client after a day.

Which WLC version are you using ?

Thanks,

Ludovic Zammit


> On Nov 23, 2023, at 3:44 AM, Casagrande Roberto, SEDE CENTRALE - GUBBIO, 
> Colacem S.p.A. via PacketFence-users 
>  wrote:
> 
> hi,
> we have PF configured with WLC for authentication of Guest users.
> 
> 
> 
> We created the users with two actions like the guide suggests (see the picture 
> above). I thought that when the user accesses the wifi Guest with credentials that have 
> the actions described before, after one day has elapsed,
> 
> I hoped that with the credentials of this user, access to the 
> Wifi would not be allowed. Only if we change the registration window is the user not permitted to access 
> WIFIGUEST.
> 
> 
> 
> Can I have your suggestion on how to disable the user after one day has elapsed from 
> the first join to the WIFIGuest?
> 
> thanks a lot 
> R
>  
>  


Re: [PacketFence-users] Cisco Switch Mac Authentication SNMP error

2023-11-22 Thread Zammit, Ludovic via PacketFence-users
Hello Miguel,

Put -1 as the registration VLAN setting under each switch where you want to kick 
devices out.

-1 returns a reject.

Thanks,

Ludovic Zammit


> On Nov 17, 2023, at 12:54 PM, Miguel Correia via PacketFence-users 
>  wrote:
> 
> Hi,
> I'm trying to configure Packetfence to deny access to all devices, unless they 
> are registered. I pretend to use packetfence and through snmp communicate 
> with a cisco switch and control port-security, so if mac is allowed the right 
> vlan is given and mac associated to the port...
> PacketFence Info:
> Version: 13.0.0
> Cisco Switch:
> Model: ME-C3750-24TE-M
> Version: IOS 12.2
> PacketFence Configuration:
> Roles:
> Role "Custom Created"
> Nodes:
> Manually Created, mac address added and Role "Custom" attributed.
> MAC: 30:85:A9:05:80:B4
> Switches:
> Added the test switch x.x.x.220
> Dynamic Uplinks enabled
> Roles
> VLAN ID (enabled)
> registration: 1000
> isolation: 1001
> macDetection: 1006
> Custom: 99
> Default: 99
> SNMP
> Version: v2c
> Community Read: X
> Community Write: Y
> Engine ID: 80090321A1B34383
> Version Trap: v2c
> Community Trap: Y
> Switch Configuration:
> """
> vlan 99
> name test
> vlan 1000
> name PacketFence
> !
> vlan 1001
> name Isolation
> !
> vlan 1006
> name mac-detection
> !
> interface FastEthernet1/0/1
> description #TESTES_PORTATIL#
> switchport access vlan 1000
> switchport mode access
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address 0200..0101 vlan access
> spanning-tree portfast
> spanning-tree bpduguard enable
> !
> snmp-server community Y RW
> snmp-server community X RO
> snmp-server enable traps port-security
> snmp-server enable traps port-security trap-rate 1
> snmp-server host X.X.X.2 version 2c Y port-security
> """
> On PacketFence I receive the following log on 
> "/usr/local/pf/logs/snmptrapd.log":
> """
> NET-SNMP version 5.9
> 2023-11-16|17:28:14|UDP: [X.X.X.220]:56719->[172.16.255.2]:162|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (63220365) 7 days, 
> 7:36:43.65|.1.3.6.1.6.3.1.1.4.1.0 = OID: 
> .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10001 = Wrong Type (should be 
> INTEGER): Gauge32: 10001|.1.3.6.1.2.1.31.1.1.1.1.10001 = STRING: 
> FastEthernet1/0/1|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10001 = Hex-STRING: 30 85 
> A9 05 80 B4 END VARIABLEBINDINGS
> """
> Could someone help me understanding if there is any error with snmp or wrong 
> config for packetfence out of band vlan enforcing using only SNMP?
> 
> Best regards,
>  
>  
> Miguel Correia
> Cybersecurity Engineer
> 
>  

Re: [PacketFence-users] Error after upgrading to 13.0

2023-11-22 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Did you run the schema upgrade from 12.1 to 13.0 ?

root@PF:/usr/local/pf# ls -ltr db/upgrade-12*
-rw-r--r-- 1 pf pf 1569 Nov 13 00:24 db/upgrade-12.2-13.0.sql
-rw-r--r-- 1 pf pf 2485 Nov 13 00:24 db/upgrade-12.1-12.2.sql
-rw-r--r-- 1 pf pf 1710 Nov 13 00:24 db/upgrade-12.0-12.1.sql

Use pfacct.

/usr/local/pf/bin/pfcmd fixpermissions
/usr/local/pf/bin/pfcmd pfconfig clear_backend
systemctl restart packetfence-config
/usr/local/pf/bin/pfcmd configreload hard
/usr/local/pf/bin/pfcmd service pf restart

Thanks,

Ludovic Zammit


> On Nov 14, 2023, at 3:00 AM, rein--- via PacketFence-users 
>  wrote:
> 
> 
> Hi,
> 
> I've tried to upgrade from 12.1 to 13 for some time now, but never succeed.
> First i got an error regarding some tenant-id. Figured out some part of the 
> upgrade scripts did not run /usr/local/pf/addons/upgrade/to-xxx, so now at 
> least the database starts.
> Second: i could no longer log in into my switches for some reason, after 
> changing from cisco_2960 to ios_15.0 that got restored, whoohoow
> 
> but unfortunately, MAC auth (MAB) was still failing on the switches. 
> 
> This one i cant seem to figure out.
> 
> when checking the logs:
> 
> for some reason radiusd-acct wont start, as the port 1813 is already in use 
> by a process called pfacct.
> 
> which one should be the one to run?
> 
> I tried with both, and had some form of success with pfacct.
> 
> last but not least: node lookup fails in the DB due to a missing field, I'm 
> not really sure what's wrong here either:
> 
> 
> Nov 14 01:44:09 packetfence httpd.aaa-docker-wrapper[1969]: httpd.aaa(10) 
> INFO: [mac:00:04:c4:05:31:97] handling radius autz request: from switch_ip => 
> (192.168.101.30), conn ection_type => Ethernet-NoEAP,switch_mac => 
> (54:4a:00:6e:63:a8), mac => [00:04:c4:05:31:97], port => 10140, username => 
> "0004c4053197" (pf::radius::authorize)
> Nov 14 01:44:09 packetfence httpd.aaa-docker-wrapper[1969]: httpd.aaa(10) 
> ERROR: [mac:00:04:c4:05:31:97] Database query failed with non retryable 
> error: Unknown column 'node. bypass_acls' in 'field list' (errno: 1054) 
> [SELECT `node`.`mac` AS `mac`, `node`.`pid` AS `pid`, `node`.`category_id` AS 
> `category_id`, `node`.`detect_date` AS `detect_date`, `node`.`regdate` AS 
> `regdate`, `node`.`unregdate` AS `unregdate`, `node`.`lastskip` AS 
> `lastskip`, `node`.`time_balance` AS `time_balance`, 
> `node`.`bandwidth_balance` AS `ba ndwidth_balance`, `node`.`status` AS 
> `status`, `node`.`user_agent` AS `user_agent`, `node`.`computername` AS 
> `computername`, `node`.`notes` AS `notes`, `node`.`last_arp` AS ` last_arp`, 
> `node`.`last_dhcp` AS `last_dhcp`, `node`.`dhcp_fingerprint` AS 
> `dhcp_fingerprint`, `node`.`dhcp6_fingerprint` AS `dhcp6_fingerprint`, 
> `node`.`dhcp_vendor` AS `dhc p_vendor`, `node`.`dhcp6_enterprise` AS 
> `dhcp6_enterprise`, `node`.`device_type` AS `device_type`, 
> `node`.`device_class` AS `device_class`, `node`.`device_version` AS `device 
> _version`, `node`.`device_score` AS `device_score`, 
> `node`.`device_manufacturer` AS `device_manufacturer`, `node`.`bypass_vlan` 
> AS `bypass_vlan`, `node`.`voip` AS `voip`, `no de`.`autoreg` AS `autoreg`, 
> `node`.`sessionid` AS `sessionid`, `node`.`machine_account` AS 
> `machine_account`, `node`.`bypass_role_id` AS `bypass_role_id`, 
> `node`.`last_seen` AS `last_seen`, `node`.`bypass_acls` AS `bypass_acls`, 
> `nc`.`name` AS `category`, `nr`.`name` AS `bypass_role` FROM node LEFT OUTER 
> JOIN `node_category` AS `nc` ON ( `node`.` category_id` = `nc`.`category_id` 
> ) LEFT OUTER JOIN `node_category` AS `nr` ON ( `node`.`bypass_role_id` = 
> `nr`.`category_id` ) WHERE ( `node`.`mac` = ? )]{00:04:c4:05:31:97} 
> (pf::dal::db_execute)
> Nov 14 01:44:09 packetfence httpd.aaa-docker-wrapper[1969]: httpd.aaa(10) 
> ERROR: [mac:00:04:c4:05:31:97] Database query failed with non retryable 
> error: Unknown column 'bypas s_acls' in 'field list' (errno: 1054) [INSERT 
> INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_acls`, 
> `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `de 
> tect_date`, `device_class`, `device_manufacturer`, `device_score`, 
> `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, 
> `dhcp_fingerprint`, `dhcp_vendor` , `last_arp`, `last_dhcp`, `last_seen`, 
> `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, 
> `status`, `time_balance`, `unregdate`, `user_agent`, `vo ip`) VALUES ( ?, ?, 
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
> ?, ?, ?, ? ) ON 

Re: [PacketFence-users] Ruckus APs and COA

2023-11-22 Thread Zammit, Ludovic via PacketFence-users
Hello Giuliano,

Two solutions: the first one is to do 802.1x with auto registration; the device 
will be evaluated on the fly on each connection, so it gets the role and VLAN 
that it belongs to.

The second solution, keeping the captive portal, is to set a smaller registration 
window or access duration, such as 1 day, 5 days, etc.

Thanks,



Ludovic Zammit


> On Nov 20, 2023, at 5:06 AM, Giuliano Da Dalt via PacketFence-users 
>  wrote:
> 
> Good morning, we are looking for the solution to this case.
> Currently, to block students' internet browsing from personal devices, we use 
> a Captive Portal.
> This technology is no longer applicable as complete segregation of the device 
> from any client, even the internal network, is a problem.
> We know that white-listing can be done but it is no longer sufficient, 
> especially in the case of external services.
> Our idea is to use VLANs: one that allows complete internet access, the other 
> with internet access but with very limited bandwidth (this way push 
> notifications, RMM and updates continue to work).
> To switch from one VLAN to another we want to use the COA feature.
> 
> We did several tests with our Ruckus APs and PacketFence.
> We are very close to our goal, but 1% missing.
> If we disconnect and reconnect client COA works like a charm.
> We were therefore not able to obtain the same result when the client is 
> already connected because we don't find a way to make PacketFence check 
> regularly if a user status changes (AD group change).
> 
> Giuliano Da Dalt
> Ufficio informatico - Bearzi
> Tel. 0432-493983
> Int. 983
> 


Re: [PacketFence-users] RADIUS Audit Logs stays empty after Upgrade to 13.0

2023-11-08 Thread Zammit, Ludovic via PacketFence-users
Hello Stephan,

It’s an ongoing issue that we are fixing.

We will issue a fix when it’s fixed.

Thanks,



Ludovic Zammit


> On Nov 3, 2023, at 7:41 AM, Kaufhold, Stephan via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> after upgrading from 12.2 to 13.0 I have actually one remaining problem.
> The RADIUS Audit Logs in web ui stays empty.
> 
> What can I do to fix it, or to find the cause?
> 
> Kind Regards 
> 
> Stephan
> 
> 
> 


Re: [PacketFence-users] Configuring PF on dell OS10 power switch

2023-11-08 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Did you check our documentation ?

https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_dell

Thanks,

Ludovic Zammit


> On Nov 2, 2023, at 10:00 AM, Swan Zou via PacketFence-users 
>  wrote:
> 
> Greetings,
>  
> I’m currently trying to configure my Dell OS10 switch so it can do MAC 
> authentication through 802.1x.
>  
> If any of you know how to do it, thanks for the reply. 
>  
> Cordialements, Regards,
>  


Re: [PacketFence-users] Online Status Unknown

2023-10-24 Thread Zammit, Ludovic via PacketFence-users
Hello Fagner,

It looks normal because the status is now only changed based on the RADIUS 
accounting.

Accounting Start = Online

Accounting Stop = Offline

Thanks,

Ludovic Zammit


> On Oct 18, 2023, at 11:28 AM, Fagner Lima via PacketFence-users 
>  wrote:
> 
> Dear all, good afternoon.
>  
> I'm using Packetfence 13.0.0, only in inline mode, authenticating to Active 
> Directory, Facebook and via SMS perfectly.
>  
> I believe this is a bug, could anyone confirm this suspicion?
>  
> 
>  
>  
> 
>  
> Kind regards.
> --
> 
>  
> Fagner Lima
> OSCP | CEH | CySA+ | SECURITY+ | LPIC-II
>  
> M: +55 69 - 9 9241 - 4243
> E: fagner.l...@rondosecurity.com.br  
>  
> www.rondosecurity.com.br 
> 
>   
>  
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
>  
>  
>  
> From: jhyanagi <jhyan...@gmail.com>
> Sent: Monday, October 2, 2023 13:09
> To: packetfence-users@lists.sourceforge.net
> Cc: Fagner Lima <fagner_a...@hotmail.com>
> Subject: Re: [PacketFence-users] Online Status Unknown
>  
> This environment is not INLINE mode, anyway online/offline status change is 
> based on *RADIUS accounting* in my captive portal setup.
>  
> 
> 
>  
> On Mon, Sep 11, 2023 at 6:50 AM Fagner Lima via PacketFence-users wrote:
> Hey guys. 
>  
> I am using Packetfence in INLINE mode only perfectly.
>  
> As can be seen in the image below, the user's status is Ok, but in the Online 
> column it appears as Unknown. Would that be a bug?
>  
> 
>  
>  
> Has anyone experienced this and resolved it?
>  
> Thanks


Re: [PacketFence-users] radiusd-auth not starting after upgrade from 12.0 to 13.0

2023-10-24 Thread Zammit, Ludovic via PacketFence-users
Hello Hubert,

How did you upgrade? If you did not use 
/usr/local/pf/addons/upgrade/do-upgrade.sh, you will need to run these scripts:

root@packetfence:/usr/local/pf# ls -ltr /usr/local/pf/addons/upgrade/to-12*
-rwxr-xr-x 1 pf   pf   1576 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-12.2-firewallsso.pl
-rwxr-xr-x 1 pf   pf   1836 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-12.1-move-rolebyname-to-vpnbyname-fortigate.pl
lrwxrwxrwx 1 root root   34 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-12.1-move-logos-to-profile-templates.pl -> move-logos-to-profile-templates.pl
-rwxr-xr-x 1 pf   pf   3418 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-12.1-eduroam-migration.pl
-rwxr-xr-x 1 pf   pf   1888 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-12.0-use-proxysql.pl
-rwxr-xr-x 1 pf   pf   2438 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-12.0-rename-log-files.pl
-rwxr-xr-x 1 pf   pf   2780 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-12.0-remove-tenant.pl
-rwxr-xr-x 1 pf   pf   2655 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-12.0-authentication.pl


root@pf21-3:/usr/local/pf# ls -ltr /usr/local/pf/addons/upgrade/to-13*
-rwxr-xr-x 1 pf pf 3214 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-13.0-remove-provisioner.pl
-rwxr-xr-x 1 pf pf 1845 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-13.0-convert-switch-types.pl
-rwxr-xr-x 1 pf pf 3089 Oct 20 13:54 /usr/local/pf/addons/upgrade/to-13.0-authentication-conf.pl

My guess is that the problem comes from the tenant config.

Run all those scripts and restart packetfence:

/usr/local/pf/bin/pfcmd service pf restart

Thanks,


Ludovic Zammit


> On Oct 16, 2023, at 6:07 AM, Hubert Kupper via PacketFence-users 
>  wrote:
> 
> Hi,
> 
> 
> after upgrade packetfence 12.0 to 13.0 the radiusd-auth is not starting. 
> Syslog shows the following message:
> 
> root@packetfence:/var/log# tail syslog
> Oct 16 12:02:52 packetfence freeradius[16268]: 
> /usr/local/pf/raddb/sites-enabled/packetfence[31]: Please verify that the 
> configuration exists in 
> /usr/local/pf/raddb/mods-enabled/packetfence-set-tenant-id.
> Oct 16 12:02:52 packetfence freeradius[16268]: 
> /usr/local/pf/raddb/sites-enabled/packetfence[14]: Errors parsing authorize 
> section.
> Oct 16 12:02:52 packetfence systemd[1]: packetfence-radiusd-auth.service: 
> Control process exited, code=exited, status=1/FAILURE
> Oct 16 12:02:52 packetfence systemd[1]: packetfence-radiusd-auth.service: 
> Failed with result 'exit-code'.
> Oct 16 12:02:52 packetfence systemd[1]: Failed to start PacketFence 
> FreeRADIUS authentication multi-protocol authentication server.
> Oct 16 12:02:52 packetfence systemd[1]: packetfence-radiusd-auth.service: 
> Consumed 3.891s CPU time.
> Oct 16 12:02:52 packetfence systemd[1]: packetfence-radiusd-auth.service: 
> Scheduled restart job, restart counter is at 98.
> Oct 16 12:02:52 packetfence systemd[1]: Stopped PacketFence FreeRADIUS 
> authentication multi-protocol authentication server.
> Oct 16 12:02:52 packetfence systemd[1]: packetfence-radiusd-auth.service: 
> Consumed 3.891s CPU time.
> Oct 16 12:02:52 packetfence systemd[1]: Starting PacketFence FreeRADIUS 
> authentication multi-protocol authentication server...
> root@packetfence:/var/log#
> 
> In 12.0 all works fine.
> 
> Regards, Hubert
> 
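Added example (not part of the original thread and not PacketFence code): a small Python triage of the syslog excerpt quoted above. It pulls out the FreeRADIUS configuration errors and the systemd restart counter for the failing unit. The sample records are constructed from that excerpt with the mail wrapping undone; the function name triage and the loop threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: records from the post above, with the mail client's
# line wrapping undone so that each syslog record sits on one line again.
SAMPLE = """\
root@packetfence:/var/log# tail syslog
Oct 16 12:02:52 packetfence freeradius[16268]: /usr/local/pf/raddb/sites-enabled/packetfence[31]: Please verify that the configuration exists in /usr/local/pf/raddb/mods-enabled/packetfence-set-tenant-id.
Oct 16 12:02:52 packetfence freeradius[16268]: /usr/local/pf/raddb/sites-enabled/packetfence[14]: Errors parsing authorize section.
Oct 16 12:02:52 packetfence systemd[1]: packetfence-radiusd-auth.service: Control process exited, code=exited, status=1/FAILURE
Oct 16 12:02:52 packetfence systemd[1]: packetfence-radiusd-auth.service: Failed with result 'exit-code'.
Oct 16 12:02:52 packetfence systemd[1]: packetfence-radiusd-auth.service: Scheduled restart job, restart counter is at 98.
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# FreeRADIUS reports parse errors as "<config file>[<line>]: <text>".
CONF_ERR = re.compile(r"^(?P<file>/\S+?)\[(?P<line>\d+)\]: (?P<text>.+)$")
# systemd records for a unit stuck in a start / fail / restart cycle.
RESTART = re.compile(
    r"^(?P<unit>\S+\.service): Scheduled restart job, "
    r"restart counter is at (?P<n>\d+)\.$"
)
EXITED = re.compile(
    r"^(?P<unit>\S+\.service): Control process exited, "
    r"code=(?P<code>\w+), status=(?P<status>\S+)$"
)


def triage(text, loop_threshold=5):
    """Summarise why a service keeps restarting.

    Returns a dict with:
      config_errors  ordered, de-duplicated (file, line, text) tuples
      units          {unit: {"restarts": highest counter, "last_status": str|None}}
      crash_looping  sorted units whose restart counter >= loop_threshold
      unparsed       count of non-empty lines that are not syslog records
    """
    config_errors = []
    units = defaultdict(lambda: {"restarts": 0, "last_status": None})
    unparsed = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = SYSLOG.match(raw)
        if rec is None:
            # Shell prompt, or a continuation line left by mail wrapping.
            unparsed += 1
            continue
        msg = rec["msg"].strip()
        if rec["prog"] in ("freeradius", "radiusd"):
            err = CONF_ERR.match(msg)
            if err:
                item = (err["file"], int(err["line"]), err["text"])
                if item not in config_errors:
                    config_errors.append(item)
        elif rec["prog"] == "systemd":
            hit = RESTART.match(msg)
            if hit:
                unit = units[hit["unit"]]
                unit["restarts"] = max(unit["restarts"], int(hit["n"]))
                continue
            hit = EXITED.match(msg)
            if hit:
                units[hit["unit"]]["last_status"] = hit["status"]
    looping = sorted(u for u, s in units.items() if s["restarts"] >= loop_threshold)
    return {
        "config_errors": config_errors,
        "units": dict(units),
        "crash_looping": looping,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for path, line, text in report["config_errors"]:
        print(f"{path}:{line}: {text}")
    for unit in report["crash_looping"]:
        state = report["units"][unit]
        print(f"{unit}: restart counter {state['restarts']}, "
              f"last exit status {state['last_status']}")
```

Fed the original wrapped text instead of the rejoined sample, the continuation lines are counted under unparsed rather than matched, so unwrap the log (or read it straight from the syslog file) first.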


Re: [PacketFence-users] Bullseye Packetfence 13 installation does not survive a reboot

2023-10-24 Thread Zammit, Ludovic via PacketFence-users
Hello,

What is the PF version?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Oct 10, 2023, at 3:15 AM, packetfence-users--- via PacketFence-users 
>  wrote:
> 
> Hi,
> 
> a fresh installation of Packetfence never comes back up after reboot,
> no matter if I 
> 
> - install it and reboot
> - install it, go through GUI setup and reboot
> - install it and copy config files and reboot
> 
> Logs are getting spammed at a very high rate:
> 
>> Oct 10 07:13:27 packetfence pffilter[1886607]: Can't connect to
> pfconfig on containers-gateway.internal:4 : Invalid argument
>> Oct 10 07:13:27 packetfence perl[1887156]: Can't connect to pfconfig
> on containers-gateway.internal:4 : Invalid argument
>> Oct 10 07:13:27 packetfence pffilter[1886607]: pffilter(1886607)
> ERROR: [mac:[undef]] [1696922007.15707] Failed to connect to config
> service for namespace config::Pf(), retrying
> (pfconfig::cached::_get_from_socket)
>> Oct 10 07:13:27 packetfence pffilter[1886607]: [1696922007.15707]
> Failed to connect to config service for namespace config::Pf(),
> retrying
>> Oct 10 07:13:27 packetfence packetfence[1887156]: -e(1887156) ERROR:
> [1696922007.1576] Failed to connect to config service for namespace
> resource::URI_Filters(), retrying (pfconfig::cached::_get_from_socket)
>> Oct 10 07:13:27 packetfence perl[1887156]: [1696922007.1576] Failed
> to connect to config service for namespace resource::URI_Filters(),
> retrying
>> Oct 10 07:13:27 packetfence perl[1887161]: Can't connect to pfconfig
> on containers-gateway.internal:4 : Invalid argument
>> Oct 10 07:13:27 packetfence packetfence[1887161]: -e(1887161) ERROR:
> [1696922007.16226] Failed to connect to config service for namespace
> config::Pf(), retrying (pfconfig::cached::_get_from_socket)
>> Oct 10 07:13:27 packetfence perl[1887161]: [1696922007.16226] Failed
> to connect to config service for namespace config::Pf(), retrying
>> Oct 10 07:13:27 packetfence perl[1887018]: Can't connect to pfconfig
> on containers-gateway.internal:4 : Invalid argument
>> Oct 10 07:13:27 packetfence packetfence[1887018]: -e(1887018) ERROR:
> [1696922007.17713] Failed to connect to config service for namespace
> config::Pf(), retrying (pfconfig::cached::_get_from_socket)
>> Oct 10 07:13:27 packetfence perl[1887018]: [1696922007.17713] Failed
> to connect to config service for namespace config::Pf(), retrying
>> Oct 10 07:13:27 packetfence perl[1727]: Can't connect to pfconfig on
> containers-gateway.internal:4 : Invalid argument
>> Oct 10 07:13:27 packetfence packetfence[1727]: -e(1727) ERROR:
> [1696922007.17855] Failed to connect to config service for namespace
> resource::Database(), retrying (pfconfig::cached::_get_from_socket)
>> Oct 10 07:13:27 packetfence perl[1727]: [1696922007.17855] Failed to
> connect to config service for namespace resource::Database(), retrying
>> Oct 10 07:13:27 packetfence perl[1888406]: Can't connect to pfconfig
> on containers-gateway.internal:4 : Invalid argument
>> Oct 10 07:13:27 packetfence packetfence[1888406]: -e(1888406) ERROR:
> [1696922007.19066] Failed to connect to config service for namespace
> resource::authentication_sources_monitored(), retrying
> (pfconfig::cached::_get_from_socket)
>> Oct 10 07:13:27 packetfence perl[1888406]: [1696922007.19066] Failed
> to connect to config service for namespace
> resource::authentication_sources_monitored(), retrying
>> Oct 10 07:13:27 packetfence perl[1886465]: Can't connect to pfconfig
> on containers-gateway.internal:4 : Invalid argument
>> Oct 10 07:13:27 packetfence packetfence[1886465]: -e(1886465) ERROR:
> [1696922007.19208] Failed to connect to config service for namespace
> config::Pf(), retrying (pfconfig::cached::_get_from_socket)
> 
> What do?
> 
> Regards
> 
> 


Re: [PacketFence-users] PF-Newbie: Radius MAC -Auth and RADIUS debug config

2023-10-23 Thread Zammit, Ludovic via PacketFence-users
Hello Jori,

Here are two commands to check freeradius:

freeradius -d /usr/local/pf/raddb -f /usr/local/pf/var/run/radiusd.sock -t 3600 | tee raddebug.log

freeradius -d /usr/local/pf/raddb -n auth -CX

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Oct 22, 2023, at 5:16 AM, Jori Luoto via PacketFence-users 
>  wrote:
> 
> 
> Hello everybody,
> 
> I have installed Packetfence three weeks ago to Centos 8 Stream via yum 
> without any visible problems, initial configuration steps went ok and UI 
> works fine with no visible errors around.
>  
> FreeRadius talks with switch ok (for example switch cli login works fine to 
> Aruba AOS-CX's) but mac auth seems to be problematic and I suppose either 
> some of attributes is in wrong format or some attributes will not go to output.
> 
> How can I start internal Radius with -X to debug what’s going on there? 
> 
> 
> Regs
> -Jori Luoto-


Re: [PacketFence-users] Translations using traditional method

2023-09-28 Thread Zammit, Ludovic via PacketFence-users
Hello Arun,

Try:

Msgid "Custom_field_1"
Msgid "UUID"

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Sep 27, 2023, at 8:23 AM, Arun Kangle via PacketFence-users 
>  wrote:
> 
> Hello All,
> I wanted to rename the "customer_field_1" to "UUID" so I edited the following 
> file  /conf/locale/en_BR/LC_MESSAGES/packetfence.po:
> 
> Msgid "custom_field_1"
> Msgid "UUID"
> 
> Then I tried to execute in this directory /usr/local/pf the command below
> 
> for TRANSLATION in de en es fr he_IL it nl pl_PL pt_BR; do
>   /usr/bin/msgfmt conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.po \
>     --output-file conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.mo;
> done
> 
>  but I notice that "msgfmt" doesn't exist under /user/bin
> 
> Could you please let me know if the above method has changed?
> 
> Thanks in advance,
> - Arun
> 
> 


Re: [PacketFence-users] ip-helper address for the Registration and Isolation vlans of the packetfence

2023-09-26 Thread Zammit, Ludovic via PacketFence-users
Hello there,

It’s not required to have an ip helper toward PacketFence Registration and 
Isolation interface because that’s layer, you don’t need it. You need only when 
it’s layer. You will need it probably on your Guest VLAN interface only.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Sep 26, 2023, at 7:25 AM, P.Thirunavukkarasu via PacketFence-users 
>  wrote:
> 
> Hi Team
> Greetings of the day
> 
> I am trying to configure the PF with Aruba Instant for guest access 
> (email-based registration)
> 
> I created only 2 VLAN interfaces in packetfence. 
> VLAN 2 for registration 
> VLAN 3 for isolation and enabled the DHCP (in the PF) in both interfaces
> 
> For production, I am using the guest VLAN 30 (only for the guest). We have 
> other production VLANs in our network for the Faculty and Students. 
> 
> In the Aruba 6300M Switch, I created the VLANs for the Registration and 
> Isolation and assigned the IP for the VLAN interfaces
> 
> In the switch, I added the ip-helper address of the production DHCP server 
> address in the production vlan interfaces. 
> Similarly in the switch I configured the Registration and Isolation vlan 
> interfaces with the Management IP address of the packetfence as the ip-helper 
> address
> Is it correct? 
> 
> Thanks and Regards,
> Thirunavukkarasu
> 


Re: [PacketFence-users] PacketFence 12.2.0 - radius accounting service does not start

2023-08-09 Thread Zammit, Ludovic via PacketFence-users
Hello Daniel,

You should not run the radiusd-acct, only the pfacct.

Stop it and disable it into the services in PF web ui if you have it enabled.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Aug 4, 2023, at 2:27 AM, Krüger, Daniel via PacketFence-users 
>  wrote:
> 
> Ok guys,
> 
> I "found something out".
> 
> There are 2 accounting services on a ZEN system, the pfacct service and 
> radiusd-acct service, if you try to just start radiusd-acct then the result 
> is the message flood shown in my first message.
> 
> By default pfacct is running, it shows me the node in green or red if it's 
> online or not.
> However, no accounting information is shown, port 1813 is listening.
> 
> udp0  0 192.168.2.28:1813   0.0.0.0:* 
>   10817/docker-proxy
> 
> Shutting down the pfacct and firing up radiusd-acct brings up this accounting 
> service.
> 
> udp0  0 0.0.0.0:18130.0.0.0:* 
>   11568/freeradius
> 
> However, no signalling of the current online state is working anymore, also, 
> now accounting information.
> 
> Ok, switching back to pfacct - oops no signalling anymore. Just after a 
> reboot it works again.
> 
> Can someone here tell a bit about these two services, why are they existing 
> in this form, which one should be used...
> 
> I could not find anything in the documentation about this.
> 
> 
> Thx,
> 
> Daniel
> 
> From: Krüger, Daniel via PacketFence-users
> Sent: Thursday, 3 August 2023 09:09
> To: packetfence-users@lists.sourceforge.net
> Cc: Krüger, Daniel
> Subject: [PacketFence-users] PacketFence 12.2.0 - radius accounting service 
> does not start
> 
> Hello,
> 
> I just set up a fresh ZEN PF instance (third time) in order to configure MAC 
> auth with Aruba, basic setup works but no accounting.
> 
> It is impossible to start the radius accounting service, why is this so?
> 
> Aug  3 09:03:12 packetfence radiusd-acct-docker-wrapper[23680]: Failed to 
> create stream fd: No such file or directory
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Warning: tls: Setting DH parameters from 
> /usr/local/pf/raddb/certs/dh - this is no longer necessary.
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Warning: tls: You should comment out the 'dh_file' 
> configuration item.
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Warning: tls: Setting DH parameters from 
> /usr/local/pf/raddb/certs/dh - this is no longer necessary.
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Warning: tls: You should comment out the 'dh_file' 
> configuration item.
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Info: rlm_sql_mysql: libmysql version: 10.5.18
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Info: rlm_sql (sql): Attempting to connect to database "pf"
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Info: rlm_sql (pfguest): Attempting to connect to database 
> "pf"
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Info: rlm_sql (pfsponsor): Attempting to connect to database 
> "pf"
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Info: rlm_sql (pfsms): Attempting to connect to database "pf"
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Info: rlm_sql (pflocal): Attempting to connect to database 
> "pf"
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Warning: rlm_sql (sql_reject): groupmemb_query is empty.  
> Please delete it from the configuration
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Warning: rlm_sql (sql_reject): authorize_check_query is 
> empty.  Please delete it from the configuration
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Info: rlm_sql (sql_reject): Attempting to connect to database 
> "pf"
> Aug  3 09:03:13 packetfence radiusd-acct-docker-wrapper[23680]: Thu Aug  3 
> 09:03:13 2023 : Warning: rlm_sql (sql_degraded): groupmemb_query is empty. 

Re: [PacketFence-users] LDAP Authentication - Unable to Contact Server

2023-08-09 Thread Zammit, Ludovic via PacketFence-users
Hello Cory,

Normally no, it works like you described. It’s not normal that you see nothing 
going out of your PF server during an LDAPS query or test bind.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Aug 3, 2023, at 1:26 PM, Cory Robbins via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> I have a fresh ISO install of PacketFence, and I am attempting to configure 
> Google Workspace LDAP as an Authentication Source.  I have configured it 
> following the documentation, and I have the certificates in place.  When I 
> test the bind password, I'm getting "Can't connect to server or bind with 
> 'GoogleCredentials' on 216.239.32.58:636."
> I also don't see any traffic leaving the server through wireshark or my 
> PFSense firewall logs.  I install ldap-utils to perform an ldapsearch, and I 
> get this error: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)
> 
> Am I supposed to manually install something for LDAP to work?  Again, there 
> is no traffic hitting my firewall or trying to exit the server.
> 
> Thanks for any help!
> 
>   
> Cory Robbins
> Network Administrator, West Fork Schools
> (479) 839-2231 Ext: 4044  | 
> crobb...@wftigers.org 
> https://westforkschools.org 
> 
> 359 School Ave. West Fork, AR 72774


Re: [PacketFence-users] Authentication rules does not work

2023-07-28 Thread Zammit, Ludovic via PacketFence-users
Hello there,

If you want to do a match on specific OU, it is better to change the BaseDN of the 
look up and create one source per OU you want to match on.

Then you create a catch all rule with no conditions.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jul 27, 2023, at 3:03 AM, Uğur Aygün via PacketFence-users 
>  wrote:
> 
> Hello all i have a basic problem in packetfence and can not be able to solve 
> it.
> 
> I have an active directory connection and I also have an authentication 
> source. like dc=domain,dc=com
> 
> I want to simply write a rule that if a person is in specific ou like 
> ou=users,dc=domain,dc=com
> And i want else to not be able to connect that specific ssid. 
> 
> I write it in the condition like "distinguished name is 
> ou=users,dc=domain,dc=com
> and assign a role and duration.
> 
> In the end a user from another ou for example ou=users2 can also be able to 
> login my ssid with his/her credentials.
> 
> How can I solve this problem? Also when I try to use a more specific rule 
> like sAMAaccount name is testuser i can not be able to connect that ssid. In 
> audit tab it says there is no role to attend.
> 
> I think this is because of active directory implementation how can i solve 
> this?


Re: [PacketFence-users] Issue while syncing the MariaDB databases at cluster creation

2023-07-20 Thread Zammit, Ludovic via PacketFence-users
Hello Gabriel,

Did you install mariadb-backup on all nodes?

apt-get -y install mariadb-backup

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jul 17, 2023, at 9:06 AM, Gabriel Morin via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> I've been following the cluster setup guide to setup a 3-nodes PacketFence 
> cluster, and everything has been running smoothly until the database syncing 
> step.
> 
> Starting the packetfence-mariadb service on the main node with the 
> --force-new-cluster is working perfectly, but starting it on the other nodes 
> doesn't work.
> This is how I proceed : only one of the other two nodes is powered on. I sync 
> the files, and then I try to sync the database. Sadly, I see that the second 
> node joins the first one, and then they immediately desynchronize each other 
> and it keeps looping.
> 
> Furthermore, the logs are full of messages indicating that some files are not 
> present nor accessible while trying to start the service on both the second 
> and third nodes.
> 
> I tried clustering using both the zen OVA file and the PacketFence iso 
> available on the website, and it keeps getting the same errors.
> 
> Here are the mysql logs for the main and secondary nodes : 
> 
> Many thanks in advance for your answers,
> 
> Best regards,
> 
> Gabriel MORIN
> 
> 1st node :
> Jul 17 12:04:06 node_1 mysqld[80239]: 2023-07-17 12:04:06 2 [Note] WSREP: 
> 
> Jul 17 12:04:06 node_1 mysqld[80239]: View:
> Jul 17 12:04:06 node_1 mysqld[80239]:  id: 
> e7b51203-2186-11ee-9758-a70beafa5e98:54094
> Jul 17 12:04:06 node_1 mysqld[80239]:  status: primary
> Jul 17 12:04:06 node_1 mysqld[80239]:  protocol_version: 4
> Jul 17 12:04:06 node_1 mysqld[80239]:  capabilities: MULTI-MASTER, 
> CERTIFICATION, PARALLEL_APPLYING, REPLAY, ISOLATION, PAUSE, CAUSAL_READ, 
> INCREMENTAL_WS, UNORDERED, PREORDERED, STREAMING, NBO
> Jul 17 12:04:06 node_1 mysqld[80239]:  final: no
> Jul 17 12:04:06 node_1 mysqld[80239]:  own_index: 0
> Jul 17 12:04:06 node_1 mysqld[80239]:  members(2):
> Jul 17 12:04:06 node_1 mysqld[80239]: 0: 
> 33705641-2473-11ee-bbe6-f7033c9996f6, node_1
> Jul 17 12:04:06 node_1 mysqld[80239]: 1: 
> 434a4440-2489-11ee-906a-7e678365dfea, node_2
> Jul 17 12:04:06 node_1 mysqld[80239]: 
> =
> Jul 17 12:04:06 node_1 mysqld[80239]: 2023-07-17 12:04:06 2 [Note] WSREP: 
> wsrep_notify_cmd is not defined, skipping notification.
> Jul 17 12:04:06 node_1 mysqld[80239]: 2023-07-17 12:04:06 2 [Note] WSREP: 
> Lowest cert index boundary for CC from group: 54086
> Jul 17 12:04:06 node_1 mysqld[80239]: 2023-07-17 12:04:06 2 [Note] WSREP: Min 
> available from gcache for CC from group: 27378
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> Deferred close timer started for socket with remote endpoint: 
> tcp://192.168.100.48:34664
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> forgetting 434a4440-906a (tcp://192.168.100.48:4567)
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> Node 33705641-bbe6 state prim
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> view(view_id(PRIM,33705641-bbe6,173) memb {
> Jul 17 12:04:07 node_1 mysqld[80239]: 33705641-bbe6,0
> Jul 17 12:04:07 node_1 mysqld[80239]: } joined {
> Jul 17 12:04:07 node_1 mysqld[80239]: } left {
> Jul 17 12:04:07 node_1 mysqld[80239]: } partitioned {
> Jul 17 12:04:07 node_1 mysqld[80239]: 434a4440-906a,0
> Jul 17 12:04:07 node_1 mysqld[80239]: })
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> save pc into disk
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> forgetting 434a4440-906a (tcp://192.168.100.48:4567)
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> Deferred close timer handle_wait Operation aborted. for 0x55a7b6bb0c00
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> Deferred close timer destruct
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: New 
> COMPONENT: primary = yes, bootstrap = no, my_idx = 0, memb_num = 1
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> STATE_EXCHANGE: sent state UUID: 448a2f9b-2489-11ee-9585-3ffcdf8d99ab
> Jul 17 12:04:07 node_1 mysqld[80239]: 2023-07-17 12:04:07 0 [Note] WSREP: 
> STATE EXCHANGE: sent state msg: 448a2f9b-2489-11ee-9585-3ffcdf8d99ab
> Jul 17 12:04:07 node_1 mysqld[80239]: 

Re: [PacketFence-users] Authentication Source MAC Address

2023-07-04 Thread Zammit, Ludovic via PacketFence-users
Hello Chad

If you want to do that, create the Mac address in PacketFence, register it and 
assign a role.

For your side question, 802.1x is preferred because it’s the most secure but not 
all devices support it and you need to push a config to them so they use the 
proper 802.1x authentication (EAP PEAP vs EAP TLS) 

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jun 28, 2023, at 3:55 PM, Chad Boese via PacketFence-users 
>  wrote:
> 
> I am trying to setup a Authentication Source with the Condition Mac Address 
> equals the mac address ( 6c:00:00:00:00:00). This will not work. If I put 
> username =  6c00 it works just fine. How can I get it to use the mac 
> address?
> 
> On my switch I have mac based authentication enabled on the ports. 
> Side question would there be a reason not to enable both  802.1x Based 
> Authentication and AC Based Authentication on my switches?
> 
> 
> Thanks,
> Chad
> 


Re: [PacketFence-users] Basic MAC authentication and vlan assignment

2023-06-27 Thread Zammit, Ludovic via PacketFence-users
Hello Ryan,

You will need to register your allowed Mac addresses and attach them to their 
proper Roles.

The roles will dictate which VLAN they should be in.

You can massively import Mac address using CSV import as well.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jun 26, 2023, at 11:12 AM, Bergen, Ryan via PacketFence-users 
>  wrote:
> 
> Can someone point me to the right area of the administration manual to setup 
> basic MAC authentication.
>  
> Our setup is simple, devices are all not allowed on the network unless its 
> MAC address has been manually added to an approved Network, these networks 
> have a vlan ID which places the device on the right vlan after they’ve been 
> authorized.
>  
> Thanks!
>  


Re: [PacketFence-users] Nodes show offline

2023-06-27 Thread Zammit, Ludovic via PacketFence-users
Hello Chad,

The offline appears when the equipment sends an accounting stop so the 
authentication has stopped.

If you don’t want that to happen, make sure that the interface will never 
go into sleep mode.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jun 26, 2023, at 8:47 AM, Chad Boese via PacketFence-users 
>  wrote:
> 
> When a PC sits overnight the node shows offline even though it is 
> authenticated and working fine. How do I get the real status of a node when 
> they all show offline? How can I get them to show online all the time when 
> authenticated? 
> 
> Thanks
> 
> 


Re: [PacketFence-users] Radius - AD

2023-06-27 Thread Zammit, Ludovic via PacketFence-users
Hello Jose,

PF will only reject a device if that device has the reject role.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jun 23, 2023, at 9:05 AM, Jose Rivero via PacketFence-users 
>  wrote:
> 
> Hello Mehmet
> 
> 
> Thanks for your support. The problem that I mentioned is with version 12. 
> Look at the radtest.
> 
> root@vm-lab:~# radtest admin admin localhost 12 testing123
> Sent Access-Request Id 169 from 0.0.0.0:33708 to 127.0.0.1:1812 length 75
> User-Name = "admin"
> User-Password = "admin"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 12
> Message-Authenticator = 0x00
> Cleartext-Password = "admin"
> Received Access-Accept Id 169 from 127.0.0.1:1812 to 127.0.0.1:33708 length 20
> 
> 
> I decided to install version 11 and checked that if it rejects my connection 
> attempts. But no Active Directory user recognizes me.
> 
> root@vm-lab:~# radtest Operador Aruba_Test 192.168.220.25:1812 12 Omega.,21
> Sent Access-Request Id 152 from 0.0.0.0:49055 to 192.168.220.25:1812 length 78
> User-Name = "Operador"
> User-Password = "Aruba_Test"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 12
> Message-Authenticator = 0x00
> Cleartext-Password = "Aruba_Test"
> Received Access-Reject Id 152 from 192.168.220.25:1812 to 
> 192.168.220.22:49055 length 20
> 
> 
> Log displayed on the platform
> 
> RADIUS Request
> User-Name = "Operador"
> User-Password = "**"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 12
> Event-Timestamp = "Jun 23 2023 00:38:25 UTC"
> Message-Authenticator = 0x371e8c6e6bedfbe578d214cf0a821625
> Stripped-User-Name = "Operador"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = 192.168.220.22
> PacketFence-KeyBalanced = "68bacf36bd3f3ec1dcb876b6dd9a8a39"
> PacketFence-Radius-Ip = "192.168.220.25"
> Module-Failure-Message = "rest: Server returned:"
> Module-Failure-Message = "rest: 
> {\"control:PacketFence-Authorization-Status\":\"allow\"}"
> SQL-User-Name = "Operador"
> 
> RADIUS Reply
> REST-HTTP-Status-Code = 401
> 
> 
> Grateful for your support.
> 
> 
> From: Mehmet Ucpinar <mehmet3pi...@gmail.com>
> Sent: Thursday, June 22, 2023 16:57
> To: packetfence-users@lists.sourceforge.net
> Cc: Jose Rivero <jose.riv...@net-trust.cl>
> Subject: Re: [PacketFence-users] Radius - AD
>  
> Hello Jose,
> 
> We need more details but I believe your issue is because of registration 
> config.
> Set (-1) from switch registration or disable auto registration from profile 
> (except dot1x profile)
> 
> Kindly,
> 
> 
>> On 22 Jun 2023, at 20:51, Jose Rivero via PacketFence-users wrote:
>> 
>> 
>> Hello friends, it is my first time to set up this system. Follow the 
>> documentation to link to my domain controller. But I don't understand why 
>> the Radius server accepts any user pass when it performs a verification 
>> test. Have you ever had this problem?
>> 
>> 
>> Grateful for your support.
>> 
>> Jose Rivero


Re: [PacketFence-users] Google LDAPs - 802.1x User Authentication - Regarding

2023-06-22 Thread Zammit, Ludovic via PacketFence-users
Hello,

The answer is probably in the logs.

/usr/local/pf/logs/packetfence.log

/usr/local/pf/logs/radius.log

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead



> On Jun 16, 2023, at 7:32 AM, P.Thirunavukkarasu via PacketFence-users 
>  wrote:
> 
> Hi Team,
> We configured the packetfence for 802.1x wifi authentication with Google LDAPs
> 
> Users authentication happened with Android mobile, at the same time the same 
> user could not authenticate their credentials in Windows devices and failed 
> to connect with Wi-Fi
> What is the issue? Is it due to the server certificate issue?
> Thanks & Regards,
> Thirunavukkarasu
> 


Re: [PacketFence-users] How to Block Audit

2023-06-15 Thread Zammit, Ludovic via PacketFence-users
Hello Chad,

You will block it based on the method of authentication. Let's say you want to do 
that on the wired, assuming you are doing wired 802.1x EAP PEAP (Computer + 
User authentication) and if the device does not have 802.1x supplicant it would 
do MAC authentication.

The simple way to handle that is that you return -1 for the registration role. 
It would automatically reject unregistered devices doing MAC auth.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On Jun 12, 2023, at 9:17 AM, Chad Boese via PacketFence-users 
>  wrote:
> 
> How do I block and audit all machines in PF? I have an Authorization Source 
> setup for AD, this seems to be working fine. This is the only  Authorization 
> Source setup. If I hook up a test PC that is not part of the domain (I want 
> to block) - I do not see that PC in nodes. I would like to see that. How can 
> I get that PC to show up and have it blocked? 
> 
> Thanks,
> Chad


Re: [PacketFence-users] Service node error

2023-06-01 Thread Zammit, Ludovic via PacketFence-users
Hello,

Is the PFDNS started properly on your 2nd server?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead



> On May 31, 2023, at 10:33 AM, Renato Pereira 
>  wrote:
> 
> Hi Zammit,
> 
> I found out the possible cause, the token API responds quickly, but the 
> status API (example: api/v1/service/pfdns/status) takes 1 minute
> 
> 
> 
> 
> 
> My deploy is:
> 
> Cluster 1:
>  node 1 - Good
>  node 2 - Problem
>  node 3 - Good
> Cluster 2:
>  node 1 - Good
>  node 2 - Good
> 
> Do you have any idea how I fix this problem? (I restarted the VM, the service 
> but without success)?
> 
> From: Renato Pereira
> Sent: Wednesday, May 24, 2023 14:18
> To: Zammit, Ludovic; packetfence-users@lists.sourceforge.net
> Subject: RE: [PacketFence-users] Service node error
>  
> Hi Ludovic,
> 
> Yes, my cluster is layer 3. I did not find any problem with port TCP  
> connection between servers.
> 
> I tried the connection via postman and get answers from other APIs, but the 
> /services/cluster_status does not work (on any server), other APIs work. Do you 
> know if this API is correct?
> 
> https://www.packetfence.org/doc/api/#/
> 
> Regards,
> 
> 
> From: Zammit, Ludovic
> Sent: Wednesday, May 24, 2023 10:16
> To: packetfence-users@lists.sourceforge.net
> Cc: Renato Pereira
> Subject: Re: [PacketFence-users] Service node error
> 
> Hello Renato,
> 
> PF relies on the API service to pull the services status on the other server.
> 
> Make sure all services are up and running with:
> 
> /usr/local/pf/bin/pfcmd service pf status
> 
> If you have a layer 3 cluster, make sure the API is not filtered, I think it 
> uses the port  TCP.
> 
> Thanks,
> 
> 
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> 
>> On May 23, 2023, at 9:33 PM, Renato Pereira via PacketFence-users 
>>  wrote:
>> 
>> Hi list,
>> 
>> There is one node in my cluster (5 nodes) that doesn't load service status:
>> 
>> 
>> 
>> No service shows a status, and if I configure anything that needs a service 
>> restart I need to run it via CLI.
>> 
>> Does anyone have any ideas on how to solve or analyze this problem?


Re: [PacketFence-users] Setting up for new Meraki APs

2023-05-25 Thread Zammit, Ludovic via PacketFence-users
Hello Steven,

That’s correct, make sure to use the same role config and you will be good.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On May 25, 2023, at 9:15 AM, Steven Pfister via PacketFence-users 
>  wrote:
> 
> We are in the middle of transitioning our wireless networking from a 
> controller-based Cisco AP network to a cloud-based Meraki AP network. What 
> steps are needed on our Packetfence server? Can I just add a new Switch Group 
> and import all the AP management subnets? Nothing should be changing on the 
> client machines as far as how they authenticate to the network.
> 
> 
> 


Re: [PacketFence-users] about no role computed by any sources error

2023-05-25 Thread Zammit, Ludovic via PacketFence-users
Perfect, glad it works.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On May 25, 2023, at 6:37 AM, Serdar  wrote:
> 
> Thank you  it worked
> 
> I had really paid no attention to the easiest part :)
> 
> On Tue, May 23, 2023 at 3:53 PM Zammit, Ludovic wrote:
>> Hello there,
>> 
>> Make sure that you have a catchall rule in your available sources.
>> 
>> Thanks,
>> 
>> 
>> 
>> Ludovic Zammit
>> Product Support Engineer Principal Lead
>> 
>> 
>>> On May 22, 2023, at 8:14 AM, Serdar via PacketFence-users wrote:
>>> 
>>> Hello
>>> 
>>> I just wanted to use PF (12.2) as a radius service w/o NAC features because 
>>> it has some good user interface.
>>> 
>>> But when i try to login my wireless test setup i get the following error
>>> 
>>> User-Name = "  "
>>> REST-HTTP-Status-Code = 200
>>> Reply-Message = "no role computed by any sources"
>>> 
>>> my test environment : 
>>> 
>>> Access Point : Set to Generic , because it is not listed in device list
>>> Realm : Configured with Matching Domain realm
>>> Auth Source : LDAP , Google LDAP associated with the matching realm
>>> Role mapping by VLAN ID : tried both on (default ) and off
>>> 
>>>  
>>> 
>>> 
>>> 


Re: [PacketFence-users] Service node error

2023-05-24 Thread Zammit, Ludovic via PacketFence-users
Hello Renato,

PF relies on the API service to pull the services status on the other server.

Make sure all services are up and running with:

/usr/local/pf/bin/pfcmd service pf status

If you have a layer 3 cluster, make sure the API is not filtered, I think it 
uses the port  TCP.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On May 23, 2023, at 9:33 PM, Renato Pereira via PacketFence-users 
>  wrote:
> 
> Hi list,
> 
> There is one node in my cluster (5 nodes) that doesn't load service status:
> 
> 
> 
> No service shows a status, and if I configure anything that needs a service 
> restart I need to run it via CLI.
> 
> Does anyone have any ideas on how to solve or analyze this problem?


Re: [PacketFence-users] machine auth / hostname

2023-05-24 Thread Zammit, Ludovic via PacketFence-users
Hello Jochen,

If I read that right, you are trying to do EAP TLS certificate based 
authentication.

RADIUS authentication as a whole happens in two steps. The first step (RADIUS 
Authentication) will be to verify your certificate issuer and then step 2 
(RADIUS Authorization) where PF checks the available sources for that 
authentication where it will try to match a source rule to get a role applied 
to the connection.

Depending which PKI you are using, it depends how the certificate is created. 
PF won’t trust the username passed by the device (because it can be changed), 
so PF has a list of trusted certificate attributes that it will trust as 
username from inside the certificate.

PacketFence-UserNameAttribute
TLS-Client-Cert-Subject-Alt-Name-Upn
TLS-Client-Cert-Common-Name

Most of the time using the servicePrincipalName won’t work because it’s not an 
EAP PEAP authentication.

You can decode the certificate attributes passed down by using the raddebug 
command:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600 | tee raddebug.log

On PacketFence, you can create a EAP-TLS source that matches a TLS-Cert-Issuer 
= MyRootCA-NAME and assign a role and an access duration.

Thanks, 


Ludovic Zammit
Product Support Engineer Principal Lead



> On May 23, 2023, at 5:05 AM, Jochen Ackermann via PacketFence-users 
>  wrote:
> 
> Dear list,
> 
> We are currently evaluating packetfence for machine- as well as user- 
> authentication (but not on the same device). According to the installation 
> guide we set the Authentication Sources to use servicePrincipalName (together 
> with Search Attribute dNSHostName) for machine auth and sAMAccountName for 
> the users. The host is authenticated based on a machine cert issued to its 
> hostname matching its AD-record.
> 
> The authentication works in both cases, but with machine auth hosts do not 
> register as nodes (as I would expect them to), instead they appear under the 
> users tab. The radius audit log shows the Node Information/User Name as 
> host/name.domain and the Users Tab shows name.domain and the correct 
> AuthSource for machine auth (The nodes tab shows the MAC address and 
> name.domain as owner).
> Am I maybe missing something?
> 
> Kind regards,
> 
> 
> Jo
> 
> 
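The authorization step described in the reply above, sketched as an added example (not code from the thread or from PacketFence): the identity is taken from certificate attributes and the client-supplied User-Name is never consulted. The attribute names come from the reply; the lookup order, the issuer string and the debug-style sample requests are assumptions constructed for illustration.

```python
import re

# Attribute names as listed in the reply; trying them in this order is an
# assumption made for the example, not documented PacketFence behaviour.
TRUSTED_USERNAME_ATTRS = (
    "PacketFence-UserNameAttribute",
    "TLS-Client-Cert-Subject-Alt-Name-Upn",
    "TLS-Client-Cert-Common-Name",
)

# Matches debug-style lines such as: (7)   Name := "value"
ATTR_RE = re.compile(
    r'^\(\d+\)\s+(?P<name>[A-Za-z][A-Za-z0-9-]*)\s*:?=\s*"(?P<value>.*)"\s*$'
)

# Constructed samples (placeholder names, not captured output).
SPOOFED_OUTER = """\
(7)   User-Name = "administrator"
(7)   TLS-Cert-Issuer := "/CN=MyRootCA-NAME"
(7)   TLS-Client-Cert-Common-Name := "kiosk07.example.test"
"""
USER_CERT = """\
(8)   User-Name = "anonymous"
(8)   TLS-Cert-Issuer := "/CN=MyRootCA-NAME"
(8)   TLS-Client-Cert-Subject-Alt-Name-Upn := "alice@example.test"
(8)   TLS-Client-Cert-Common-Name := "Alice Example"
"""
OTHER_CA = """\
(9)   User-Name = "pc01.example.test"
(9)   TLS-Cert-Issuer := "/CN=SomeOtherCA"
(9)   TLS-Client-Cert-Common-Name := "pc01.example.test"
"""


def parse_attrs(debug_text):
    """Collect attribute/value pairs from debug-style request lines."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs.setdefault(m["name"], m["value"])  # first value wins
    return attrs


def authorize(attrs, trusted_issuer):
    """Return (decision, identity, reason) for one EAP-TLS request.

    Models only the second (authorization) step: a source rule on
    TLS-Cert-Issuer, then an identity taken from the certificate.
    """
    if attrs.get("TLS-Cert-Issuer") != trusted_issuer:
        return ("reject", None, "issuer not matched by any source rule")
    for name in TRUSTED_USERNAME_ATTRS:
        value = attrs.get(name)
        if value:
            # User-Name is deliberately ignored: the device controls it.
            return ("accept", value, "identity from " + name)
    return ("reject", None, "no trusted identity attribute in certificate")


if __name__ == "__main__":
    for sample in (SPOOFED_OUTER, USER_CERT, OTHER_CA):
        print(authorize(parse_attrs(sample), "/CN=MyRootCA-NAME"))
```

Comparing the identity this returns with the User-Name in the RADIUS audit log shows which certificate field a given PKI actually populates.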


Re: [PacketFence-users] Intermittent Winbind Issues

2023-05-24 Thread Zammit, Ludovic via PacketFence-users
Hello Steven,

On the PacketFence side, it’s winbindd process that is responsible for that AD 
bind. You need to check if everything is ok with that service with:

systemctl status packetfence-winbindd

Then without restarting the process, when it does not work you can try that 
command:

chroot /chroots/DOMAIN_NAME/ ntlm_auth --username=bob --password=bob

It should give something like this 

NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc064)

If you don’t have that, it means that your AD connection between PF and the AD 
is broken and thus no 802.1x would work.

We have seen that most of the time, it’s a change on the AD side where the 
PacketFence server object in the AD is moved or altered.

You can restart winbindd as well and it can fix the issue, you probably don’t 
need to re-join it to fix it.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead



> On May 23, 2023, at 2:47 PM, Steven Spangle via PacketFence-users 
>  wrote:
> 
> Hello, looking for some assistance as I’m running into an issue that I’m not 
> sure how to proceed researching the cause of.  Sorry for the wall of text, 
> but want to provide as much information as I can! 
>  
> We’ve been using Packetfence for a few years now (around June 2020, since 
> Cisco ACS went EOL) and sometime last year we started having issues where the 
> connection to AD would stop working.  We would notice it first because 802.1x 
> authentication would start failing and we’d get calls from users unable to 
> connect.  When this was happening, I would go into the GUI and check Policies 
> and Access Control-Active Directory Domains-Our Domain and could see it 
> attempting to update the Domain Join field for a couple of minutes before 
> failing.  I could not get it to reconnect even with proper credentials until 
> I restarted the Packetfence server, after which I could go in and provide 
> credentials and it would reconnect fine.  I believe initially this was 
> because we setup password expiration for the root account, because before it 
> was giving us an unable to update token error.  So we made a note to go in 
> and reset the password monthly before it expired and that seemed to take care 
> of the issue.
>  
> This past weekend however, we had a similar issue after our patch management 
> system updated the Packetfence server.  This time I wasn’t given any specific 
> errors from the GUI, but when I would go into the radius log I could see 
> these messages as clients tried to authenticate:
>  
> May 21 16:09:13 packetfence auth[11877]: Adding client 10.1.247.26/32
> May 21 16:09:13 packetfence auth[11877]: (330510) chrooted_mschap_machine: 
> ERROR: Program returned code (1) and output 'Reading winbind reply failed! 
> (0xc001)'
> May 21 16:09:13 packetfence auth[11877]: (330510)   Login incorrect 
> (chrooted_mschap_machine: Program returned code (1) and output 'Reading 
> winbind reply failed! (0xc001)'): [host/8CG7111XXX.redacted.domain] (from 
> client 10.1.247.26/32 port 1 cli 00:28:f8:44:c7:8f via TLS tunnel)
> May 21 16:09:13 packetfence auth[11877]: (330511) Login incorrect (eap_peap: 
> The users session was previously rejected: returning reject (again.)): 
> [host/8CG7111XXX.redacted.domain] (from client 10.1.247.26/32 port 1 cli 
> 00:28:f8:44:c7:8f)
>  
> Again, I could not connect to the domain until I restarted the server, then I 
> could provide credentials and join the domain and everything started working 
> again.  I’m really just looking for information as to what I can check to see 
> what may be happening.  I’ve looked through all the logs (current and 
> compressed) in /usr/local/pf/logs but I really only see the messages I’ve 
> attached in the radius log.
>  
> Thanks
> Steven
>  
> 
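A log triage for the failure discussed in this thread, as an added example (not from the thread or from PacketFence): it separates rejects caused by the winbind backend from ordinary credential rejects in radius.log, so a broken AD bind is noticed before users call in. The sample lines are constructed on the pattern of the ones quoted above, with placeholder hosts, addresses and MACs; the two-identity threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted radius.log lines; hosts, IPs and
# MAC addresses are placeholders, and the last line is an ordinary bad password.
SAMPLE_LOG = """\
May 21 16:09:13 packetfence auth[11877]: Adding client 192.0.2.10/32
May 21 16:09:13 packetfence auth[11877]: (330510) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'
May 21 16:09:13 packetfence auth[11877]: (330510)   Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'): [host/PC-A.example.test] (from client 192.0.2.10/32 port 1 cli 00:00:5e:00:53:01 via TLS tunnel)
May 21 16:09:13 packetfence auth[11877]: (330511) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/PC-A.example.test] (from client 192.0.2.10/32 port 1 cli 00:00:5e:00:53:01)
May 21 16:09:14 packetfence auth[11877]: (330512)   Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'): [host/PC-B.example.test] (from client 192.0.2.10/32 port 2 cli 00:00:5e:00:53:02 via TLS tunnel)
May 21 16:09:15 packetfence auth[11877]: (330513)   Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [alice] (from client 192.0.2.10/32 port 3 cli 00:00:5e:00:53:03 via TLS tunnel)
"""

# The reason itself contains parentheses, so it is matched greedily up to the
# last "): [" on the line, which is where the identity starts.
LOGIN_RE = re.compile(
    r"\((?P<req>\d+)\)\s+Login incorrect \((?P<reason>.*)\): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port \d+ "
    r"cli (?P<mac>[0-9A-Fa-f:]{17})"
)

# Checks suggested in the reply, to run when the verdict below is True.
NEXT_CHECKS = (
    "systemctl status packetfence-winbindd",
    "chroot /chroots/DOMAIN_NAME/ ntlm_auth --username=bob --password=bob",
)


def classify(reason):
    """Map a 'Login incorrect' reason to backend / repeat / credential."""
    if "winbind reply failed" in reason:
        return "backend"      # ntlm_auth could not talk to winbindd
    if "previously rejected" in reason:
        return "repeat"       # EAP session replaying an earlier reject
    return "credential"       # the directory answered and said no


def triage(log_text, min_identities=2):
    """Summarise rejects; flag a suspected AD bind failure.

    The bind is suspected when at least `min_identities` distinct identities
    were rejected because of the backend (threshold is an assumption).
    """
    counts = Counter()
    backend_ids = set()
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        kind = classify(m["reason"])
        counts[kind] += 1
        if kind == "backend":
            backend_ids.add(m["user"])
    return {
        "counts": dict(counts),
        "backend_identities": sorted(backend_ids),
        "ad_bind_suspect": len(backend_ids) >= min_identities,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    if result["ad_bind_suspect"]:
        print("Next checks:", *NEXT_CHECKS, sep="\n  ")
```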

Re: [PacketFence-users] about no role computed by any sources error

2023-05-23 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Make sure that you have a catchall rule in your available sources.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On May 22, 2023, at 8:14 AM, Serdar via PacketFence-users 
>  wrote:
> 
> Hello
> 
> I just wanted to use PF (12.2) as a radius service w/o NAC features because 
> it has some good user interface.
> 
> But when i try to login my wireless test setup i get the following error
> 
> User-Name = "  "
> REST-HTTP-Status-Code = 200
> Reply-Message = "no role computed by any sources"
> 
> my test environment : 
> 
> Access Point : Set to Generic , because it is not listed in device list
> Realm : Configured with Matching Domain realm
> Auth Source : LDAP , Google LDAP associated with the matching realm
> Role mapping by VLAN ID : tried both on (default ) and off
> 
>  
> 
> 
> 


Re: [PacketFence-users] Customize Emails

2023-05-15 Thread Zammit, Ludovic via PacketFence-users
Hello There,

It’s under this directory:

/usr/local/pf/html/captive-portal/templates/emails/

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On May 12, 2023, at 1:53 AM, Schüller Dennis via PacketFence-users 
>  wrote:
> 
> Hey All,
> I try to Customize the Email-Layout for Example for the “Messages for Created 
> Users”
> Could someone tell me where I can find the Templates on the Server?
>  
> Or is there any Settings in the GUI which allow to Configure it.
>  
> Thanks a lot!
>  
> Regards from the Green Hell
> i. A. Dennis Schüller


Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-28 Thread Zammit, Ludovic via PacketFence-users
Hello,

You could use the command:

/usr/local/pf/bin/pftest authentication USERNAME  ""   

You will see if you match properly your rule, it should bring Administration 
right.

Could you show me your conf/authentication.conf?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead



> On Apr 27, 2023, at 7:41 PM, IT Mercenary  wrote:
> 
> Hi All,
> 
> I'm hoping for some guidance on how to change the Radius Reply for CLI 
> authentication when users are not a member of the specified group. The group 
> is being matched as the RADIUS reply indicates the right administration rule 
> is being matched (catch all).
> 
> The behavior I was getting:
> 
> 
> 
> 
> 
> Compared to what I'm getting now:
> 
> 
> 
> Thanks!
> 
> On Mon, Apr 24, 2023 at 6:45 AM IT Mercenary wrote:
>> Hi Ludovic,
>> 
>> I've changed the group to use DN and equal, but I'm getting the same 
>> results. Is there a way to customize the behavior when an administrative 
>> user is authenticated but not authorized?
>> 
>> Thanks!
>> 
>> On Mon, Apr 24, 2023 at 5:32 AM Zammit, Ludovic wrote:
>>> Hello there,
>>> 
>>> It looks like the match regex operator does not work properly, in order to 
>>> have a good match use the DistinguishedName of the group object in the AD in 
>>> combination with the operator equals
>>> 
>>> Memberof equals CN=MyGroup,OU=domain,OU=com
>>> 
>>> Thanks,
>>> 
>>> 
>>> 
>>> Ludovic Zammit
>>> Product Support Engineer Principal Lead
>>> 
>>> 
>>>> On Apr 21, 2023, at 1:45 PM, IT Mercenary via PacketFence-users wrote:
>>>> 
>>>> Hello,
>>>> 
>>>> I have an administration rule for switch CLI access that is producing 
>>>> different results for users that are not a member of an AD group. Both 
>>>> switches are in a switch group with type based on the standard Cisco 
>>>> template. The desired result is being produced on appliance version 12.1.0 
>>>> and the undesired result on v12.2.0.
>>>> 
>>>> Administration Rules
>>>> 
>>>> 
>>>> v12.1.0 Results
>>>> 
>>>> RADIUS Tab:
>>>> 
>>>> 
>>>> v12.2.0 Results
>>>> 
>>>> 
>>>> RADIUS Tab:
>>>> 
>>>> 
>>>> 
>>>> Thanks!


Re: [PacketFence-users] group membership

2023-04-28 Thread Zammit, Ludovic via PacketFence-users
Hello,

All your users are under the OU Users or not ?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead



> On Apr 25, 2023, at 6:31 AM, P.Thirunavukkarasu via PacketFence-users 
>  wrote:
> 
> https://medium.com/beyond-the-helpdesk/configuring-packetfence-for-use-with-dpsk-6519aaf6fe4d
>  
> 
> 
> 
> 
> 
> Regards,
> Thirunavukkarasu
> 
> On Fri, Apr 14, 2023 at 6:53 PM Артур Беляков via PacketFence-users wrote:
>> hello everyone, I'm trying to make a distinction between users by group 
>> members, but it doesn't feel like packetfence doesn't see the group from AD. 
>> made a binding to the domain, selected the authentication source
>> 
>> 
>> 
>> 
>> maybe I'm not there to perform a check on the group?
>> I'm trying to do this through conditions in AD authentication sources
>> 
>> 
>> 


Re: [PacketFence-users] Job for packetfence-radiusd-eduroam.service failed because the control process exited with error code

2023-04-24 Thread Zammit, Ludovic via PacketFence-users
Hello there,

To restart pf use the command:

/usr/local/pf/bin/pfcmd service pf restart

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On Apr 24, 2023, at 1:15 AM, P.Thirunavukkarasu  
> wrote:
> 
> Hi Fabrice and Team,
> Greetings of the day
> The following is the O/P of the command for your reference
> 
> cd /usr/local/pf
> curl https://github.com/inverse-inc/packetfence/commit/abee5646b31420ee37844ab57bf02dfa8d84d174.diff | patch -p1
> 
> root@packetfence:~# cd /usr/local/pf
> root@packetfence:/usr/local/pf# curl https://github.com/inverse-inc/packetfence/commit/abee5646b31420ee37844ab57bf02dfa8d84d174.diff | patch -p1
>   % Total% Received % Xferd  Average Speed   TimeTime Time  
> Current
>  Dload  Upload   Total   SpentLeft  Speed
> 100  1360  100  13600 0   3097  0 --:--:-- --:--:-- --:--:--  3097
> patching file lib/pf/services/manager/radiusd_child.pm 
> 
> -
> 
> root@packetfence:~# service packetfence restart
> Job for packetfence.service canceled.
> 
> root@packetfence:~# service packetfence status
> ● packetfence.service - PacketFence Service
>  Loaded: loaded (/lib/systemd/system/packetfence.service; disabled; 
> vendor preset: enabled)
>  Active: inactive (dead)
> 
> root@packetfence:~# netstat -nlp| grep 11812
> udp0  0 0.0.0.0:11812 0.0.0.0:*   3433/freeradius
> 
> root@packetfence:~# systemctl status packetfence-radiusd-eduroam.service
> ● packetfence-radiusd-eduroam.service - PacketFence FreeRADIUS multi-protocol 
> EDUROAM authentication server
>  Loaded: loaded (/lib/systemd/system/packetfence-radiusd-eduroam.service; 
> enabled; vendor preset: enabled)
>  Active: active (running) since Mon 2023-04-24 10:32:49 IST; 6min ago
>Docs: man:radiusd(8)
>  man:radiusd.conf(5)
>  http://wiki.freeradius.org/ 
> 
>  http://networkradius.com/doc/ 
> 
>Main PID: 3433 (freeradius)
>  Status: "Processing requests"
>   Tasks: 5 (limit: 14325)
>  Memory: 200.9M
> CPU: 9.639s
>  CGroup: /packetfence.slice/packetfence-radiusd-eduroam.service
>  ├─3433 /usr/sbin/freeradius -d /usr/local/pf/raddb -n eduroam -fm
>  └─3544 /bin/cat
> 
> Apr 24 10:32:49 packetfence eduroam[3433]: Loaded virtual server pf.degraded
> Apr 24 10:32:49 packetfence eduroam[3433]: Loaded virtual server 
> packetfence-degraded-tunnel
> Apr 24 10:32:49 packetfence eduroam[3433]: Loaded virtual server 
> dynamic_clients
> Apr 24 10:32:49 packetfence eduroam[3433]: Loaded virtual server eduroam
> Apr 24 10:32:49 packetfence eduroam[3433]: Loaded virtual server 
> packetfence-tunnel
> Apr 24 10:32:49 packetfence eduroam[3433]: Loaded virtual server 
> packetfence-tunnel-fast
> Apr 24 10:32:49 packetfence eduroam[3433]: Loaded virtual server status
> Apr 24 10:32:49 packetfence eduroam[3433]: Loaded virtual server 
> packetfence-cli
> Apr 24 10:32:49 packetfence systemd[1]: Started PacketFence FreeRADIUS 
> multi-protocol EDUROAM authentication server.
> Apr 24 10:32:49 packetfence eduroam[3433]: Ready to process requests
> 
> root@packetfence:~# /usr/local/pf/bin/pfcmd service radiusd restart
> Service StatusPID
> Checking configuration sanity...
> WARNING - internal network(s) not defined!
> packetfence-radiusd-auth.service

Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-24 Thread Zammit, Ludovic via PacketFence-users
Hello there,

It looks like the match regex operator does not work properly, in order to have 
a good match use the DistinguishedName of the group object in the AD in 
combination with the operator equals

Memberof equals CN=MyGroup,OU=domain,OU=com

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On Apr 21, 2023, at 1:45 PM, IT Mercenary via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> I have an administration rule for switch CLI access that is producing 
> different results for users that are not a member of an AD group. Both 
> switches are in a switch group with type based on the standard Cisco 
> template. The desired result is being produced on appliance version 12.1.0 
> and the undesired result on v12.2.0.
> 
> Administration Rules
> 
> 
> v12.1.0 Results
> 
> RADIUS Tab:
> 
> 
> v12.2.0 Results
> 
> 
> RADIUS Tab:
> 
> 
> 
> Thanks!


Re: [PacketFence-users] Packetfence Admin SSO Login

2023-04-21 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Did you add the daemon portal on the management interface and restarted all PF 
services?

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead



> On Apr 20, 2023, at 2:53 PM, STALKER, HAYDEN W. via PacketFence-users 
>  wrote:
> 
> Hello,
>  
> I am trying to configure SSO for the Admin login of Packetfence. I followed 
> the instructions under 13.9 of the installation guide. I have a Single 
> Sign-On button at the admin page but when I click it goes to a page that says 
> Not Implemented, GET not supported for current URL. Here is the url it 
> redirects to 
> https://example.com/admin-sso?callback=https%3A%2F%2Fexample.com%3A1443%2Fadmin%23%2Flogin
>  
> 
> It is the full domain name of the server, but I replaced it with example.com.
> I am not sure what I am missing but it seems like the 
> /admin-sso page is just missing, is there something I need to do to 
> initialize the creation of that page? Thank you for your time, let me know if 
> you have any questions.


Re: [PacketFence-users] (no subject)

2023-04-20 Thread Zammit, Ludovic via PacketFence-users
Hello There,

You can download the PacketFence ZEN (Zero Effort Nac), it’s a pre-packaged OVA 
for VMware.

That’s the only offline solution that we offer.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead


> On Apr 18, 2023, at 10:36 AM, linus.vanheek--- via PacketFence-users 
>  wrote:
> 
> Hello everybody,
> 
> I have an offline Debian 11 VM. Is it possible to get the repository offline? 
> Can I download it anywhere, because I can't get to the website with my server.
> 
> BG
> Linus
> 
> 


Re: [PacketFence-users] table auth_log empty

2023-04-20 Thread Zammit, Ludovic via PacketFence-users
Hello there,

We only store authentication coming from authentication from the captive 
portal, if you are doing auto-registration with dot1x, it won’t be recorded 
there.

What are you trying to do?

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead


> On Apr 14, 2023, at 8:31 AM, sgiops sgiops via PacketFence-users 
>  wrote:
> 
> Hello, 
> 
> I've found that the table "auth_log" in PF database is empty so I can't 
> produce reports for dot1x authentications. 
> Is there something that should be enabled in order to have authentication 
> events logged in this table?
> 
> Thanks
> 
> Mirko
> 
> 


Re: [PacketFence-users] table auth_log empty

2023-04-20 Thread Zammit, Ludovic via PacketFence-users
Hello Mirko,

We don’t offer one to one help like this, you will need to copy the mailing 
list.

You have to be careful if you increase the retention delay on the audit log.

One option is the one you mentioned with a MySQL request or you can send syslog 
information about log to a SIEM server and analyze it.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead


> On Apr 20, 2023, at 2:52 AM, sgiops sgiops  wrote:
> 
> Hello Ludovic, 
> 
> thanks for your help, I would have liked a report about users and machine 
> authentication (without captive portal). Maybe this can be created using the 
> audit logs and increasing the time of retention for the audit logs. 
> Is this a valid approach or is there a better way?
> 
> Regards
> 
> Mirko
> 
> On Wed, Apr 19, 2023 at 10:26 PM, Zammit, Ludovic wrote:
> Hello there,
> 
> We only store authentication coming from authentication from the captive 
> portal, if you are doing auto-registration with dot1x, it won’t be recorded 
> there.
> 
> What are you trying to do?
> 
> Thanks,
> 
> 
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> 
>> On Apr 14, 2023, at 8:31 AM, sgiops sgiops via PacketFence-users wrote:
>> 
>> Hello, 
>> 
>> I've found that the table "auth_log" in PF database is empty so I can't 
>> produce reports for dot1x authentications. 
>> Is there something that should be enabled in order to have authentication 
>> events logged in this table?
>> 
>> Thanks
>> 
>> Mirko
>> 
>> 


Re: [PacketFence-users] Job for packetfence-radiusd-eduroam.service failed because the control process exited with error code

2023-04-18 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Can you give me the output of that command:

freeradius -d /usr/local/pf/raddb/ -f /usr/local/pf/var/run/radiusd-eduroam.sock -CX

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead


> On Apr 15, 2023, at 3:01 AM, P.Thirunavukkarasu via PacketFence-users 
>  wrote:
> 
> Hi Team,
> Can anyone please guide me with the following issue?
> 
> root@packetfence:~# netstat -nlp| grep 11812
> 
> 
> 
> root@packetfence:~# /usr/local/pf/bin/pfcmd service radiusd restart
> 
> 
>  root@packetfence:~# systemctl status packetfence-radiusd-eduroam.service
>  
>  
> 
> root@packetfence:~# journalctl -xe
> ░░
> ░░ The unit packetfence-radiusd-eduroam.service has entered the 'failed' 
> state with result 'exit-code'.
> Apr 15 12:28:32 packetfence systemd[1]: Failed to start PacketFence 
> FreeRADIUS multi-protocol EDUROAM authentication server.
> ░░ Subject: A start job for unit packetfence-radiusd-eduroam.service has 
> failed
> ░░ Defined-By: systemd
> ░░ Support: https://www.debian.org/support 
> 
> ░░
> ░░ A start job for unit packetfence-radiusd-eduroam.service has finished with 
> a failure.
> ░░
> ░░ The job identifier is 35829 and the job result is failed.
> Apr 15 12:28:32 packetfence systemd[1]: packetfence-radiusd-eduroam.service: 
> Consumed 10.527s CPU time.
> ░░ Subject: Resources consumed by unit runtime
> ░░ Defined-By: systemd
> ░░ Support: https://www.debian.org/support 
> 
> ░░
> ░░ The unit packetfence-radiusd-eduroam.service completed and consumed the 
> indicated resources.
> Apr 15 12:28:32 packetfence systemd[1]: Started PacketFence Docker Iptables 
> configuration.
> ░░ Subject: A start job for unit packetfence-docker-iptables.service has 
> finished successfully
> ░░ Defined-By: systemd
> ░░ Support: https://www.debian.org/support 
> 
> ░░
> ░░ A start job for unit packetfence-docker-iptables.service has finished 
> successfully.
> ░░
> ░░ The job identifier is 35909.
> Apr 15 12:28:32 packetfence systemd[1]: packetfence-docker-iptables.service: 
> Succeeded.
> ░░ Subject: Unit succeeded
> ░░ Defined-By: systemd
> ░░ Support: https://www.debian.org/support 
> 
> ░░
> ░░ The unit packetfence-docker-iptables.service has successfully entered the 
> 'dead' state.
> Apr 15 12:28:33 packetfence systemd[1]: packetfence-radiusd-eduroam.service: 
> Scheduled restart job, restart counter is at 19.
> ░░ Subject: Automatic restarting of a unit has been scheduled
> ░░ Defined-By: systemd
> ░░ Support: https://www.debian.org/support 
> 
> ░░
> ░░ Automatic restarting of the unit packetfence-radiusd-eduroam.service has 
> been scheduled, as the result for
> ░░ the configured Restart= setting for the unit.
> Apr 15 12:28:33 packetfence systemd[1]: Stopped PacketFence FreeRADIUS 
> multi-protocol EDUROAM authentication server.
> ░░ Subject: A stop job for unit packetfence-radiusd-eduroam.service has 
> finished
> ░░ Defined-By: systemd
> ░░ Support: https://www.debian.org/support 
> 
> ░░
> ░░ A stop job for unit packetfence-radiusd-eduroam.service has finished.
> ░░
> ░░ The job identifier is 36065 and the job result is done.
> Apr 15 12:28:33 packetfence systemd[1]: packetfence-radiusd-eduroam.service: 
> Consumed 10.527s CPU time.
> ░░ Subject: Resources consumed by unit runtime
> ░░ Defined-By: systemd
> ░░ Support: https://www.debian.org/support 
> 
> ░░
> ░░ The unit 

Re: [PacketFence-users] No Network Access After Restart

2023-04-14 Thread Zammit, Ludovic via PacketFence-users
Hello Michael,

Glad it worked.

Thanks



Ludovic Zammit
Product Support Engineer Principal Lead


> On Apr 13, 2023, at 9:45 PM, Michael Brown  wrote:
> 
> Thanks a lot Ludovic.  That fixed it.  
> 
> On Tuesday, April 11, 2023 at 10:58:57 AM EDT, Zammit, Ludovic 
>  wrote:
> 
> 
> Hello Michael,
> 
> It’s a known issue with the Debian network driver where VMware switches the 
> network assigned.
> 
> You can verify which network is assigned to which interface using the 
> command: 
> 
> ip a
> 
> Check the MAC address on VMware NIC as well. Re-map it.
> 
> Thanks,
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> 
>> On Apr 8, 2023, at 10:33 AM, Michael Brown via PacketFence-users wrote:
>> 
> 
> Hi Everyone,
> 
> I am trying to deploy the 12.2 ZEN ova. The VM starts up fine. I am able to 
> access the VM via the admin portal and assign the management interface and 
> get through the initial setup. When I add the additional network interfaces 
> to the VM for isolation and registration and then restart the VM I lose all 
> network access from the VM and am no longer able to access the admin portal. 
> Any ideas why this happens?  Not sure if this matters but I add the 
> management, isolation and registration network interfaces to the VM as 
> separate network interfaces so the VM winds up with three NICs.
> 
> Thanks for your help. 
> 


Re: [PacketFence-users] No Network Access After Restart

2023-04-12 Thread Zammit, Ludovic via PacketFence-users
Hello Michael,

It’s a known issue with the Debian network driver where VMware switches the 
network assigned.

You can verify which network is assigned to which interface using the command: 

ip a

Check the MAC address on VMware NIC as well. Re-map it.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead


> On Apr 8, 2023, at 10:33 AM, Michael Brown via PacketFence-users 
>  wrote:
> 
> Hi Everyone,
> 
> I am trying to deploy the 12.2 ZEN ova. The VM starts up fine. I am able to 
> access the VM via the admin portal and assign the management interface and 
> get through the initial setup. When I add the additional network interfaces 
> to the VM for isolation and registration and then restart the VM I lose all 
> network access from the VM and am no longer able to access the admin portal. 
> Any ideas why this happens?  Not sure if this matters but I add the 
> management, isolation and registration network interfaces to the VM as 
> separate network interfaces so the VM winds up with three NICs.
> 
> Thanks for your help. 
> 
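The check described in the reply above (compare the MAC each guest interface has with the MAC VMware lists for the NIC meant for that network) can be scripted. This is an added example, not part of the original thread; the function name `check_nic_map`, the interface names, the role labels and every MAC address are constructed for illustration, and it reads `ip -o link show`, the one-line form that carries the same MACs as `ip a`.

```shell
#!/bin/sh
# Added example: check that each guest interface still carries the MAC of the
# VMware NIC intended for its role. All names and MACs are constructed samples.

# Constructed `ip -o link show` output, as it might look after the reboot that
# followed adding the registration and isolation NICs.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:aa:00:02 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:aa:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:aa:00:03 brd ff:ff:ff:ff:ff:ff'

# Constructed expectation: role, interface the role is configured on, and the
# MAC shown in the VM settings for the NIC attached to that network.
EXPECTED_MAP='management   eth0 00:50:56:AA:00:01
registration eth1 00:50:56:AA:00:02
isolation    eth2 00:50:56:AA:00:03'

# check_nic_map IP_LINK_TEXT EXPECTED_MAP
# Prints one OK/MISMATCH line per role; returns 1 if any role is on the wrong NIC.
check_nic_map() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } | awk '
        $0 == "--" { section = 2; next }
        # First section: the expected "role iface mac" rows.
        section != 2 && NF == 3 {
            n++; role[n] = $1; iface[n] = $2; want[n] = tolower($3); next
        }
        # Second section: one line per interface from `ip -o link show`.
        section == 2 {
            name = $2; sub(/:$/, "", name); sub(/@.*$/, "", name)
            for (i = 3; i < NF; i++)
                if ($i == "link/ether") {
                    mac = tolower($(i + 1)); actual[name] = mac; owner[mac] = name
                }
        }
        END {
            for (r = 1; r <= n; r++) {
                have  = (iface[r] in actual) ? actual[iface[r]] : "absent"
                where = (want[r] in owner) ? owner[want[r]] : "none"
                if (have == want[r]) {
                    printf "OK %s %s %s\n", role[r], iface[r], have
                    continue
                }
                bad++
                printf "MISMATCH %s %s expected=%s actual=%s expected_mac_is_on=%s\n",
                       role[r], iface[r], want[r], have, where
            }
            exit (bad > 0 ? 1 : 0)
        }'
}

# On a live host, replace the sample with: "$(ip -o link show)"
check_nic_map "$SAMPLE_IP_LINK" "$EXPECTED_MAP" ||
    echo "Interface order changed: re-map the VMware NICs or the interface roles."
```

A `MISMATCH` line names the interface that currently holds the expected MAC, which is the NIC to re-map.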


Re: [PacketFence-users] Azure AD & group membership

2023-03-31 Thread Zammit, Ludovic via PacketFence-users
Hello there,

It does work, I verified yesterday.

It’s memberof equals NAMEofTHEGroup

We might add the memberofOUID so we can match on Object UID.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 31, 2023, at 12:59 AM, UMS ums  wrote:
> 
> Hello
> 
> That works for a local AD but not for Azure AD.
> I saw a field OAuth2-group in the Radius request details but I can't use it 
> in an authentication source.
> 
> Any suggestions?
> 
> Thanks in advance 
> 
> 
> 
> On Wednesday, March 29, 2023, Zammit, Ludovic wrote:
> Hello there,
> 
> If I remember correctly, you can use memberof and the name of the group.
> 
> Thanks,
> 
> 
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> 
>> On Mar 28, 2023, at 2:19 PM, UMS ums via PacketFence-users wrote:
>> 
>> Hi, 
>> 
>> Is it possible with the Azure AD integration authentication source to use an 
>> authentication rule with memberOf?
>> 
>> I want to assign a role based on the group membership in Azure AD.
>> If not, is checking for group membership possible by using SAML to connect 
>> to Azure AD?
>> 
>> I don't have an on prem AD.
>> 
>> Thanks in advance
> 
> 
> 
> -- 
>  
> David Vermonden
> User Management Schools
> 0471137374
> http://umschools.dyndns.org 
> 




Re: [PacketFence-users] Azure AD & group membership

2023-03-29 Thread Zammit, Ludovic via PacketFence-users
Hello there,

If I remember correctly, you can use memberof and the name of the group.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:   
    
  
  


> On Mar 28, 2023, at 2:19 PM, UMS ums via PacketFence-users 
>  wrote:
> 
> Hi, 
> 
> Is it possible with the Azure AD integration authentication source to use an 
> authentication rule with memberOf?
> 
> I want to assign a role based on the group membership in Azure AD.
> If not, is checking for group membership possible by using SAML to connect to 
> Azure AD?
> 
> I don't have an on prem AD.
> 
> Thanks in advance


Re: [PacketFence-users] Clustering over different subnets

2023-03-29 Thread Zammit, Ludovic via PacketFence-users
Hello Johannes,

You need 3 nodes because of the database quorum.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 29, 2023, at 7:44 AM, Mudrich, J. via PacketFence-users 
>  wrote:
> 
> Hello everyone,
>  
> I’m trying to figure out how to set up a cluster over two different subnets. 
> I just need a DB replication for my two servers. So I read through the 
> clustering guide. But I’m a bit lost.
> There are several sections where it’s mentioned you need at least 3 servers. 
> But there is no explanation why you need 3 of them.
> Even the sections 7.1 and 7.3, which seem to fit my scenario, state I need 3 
> servers on my primary site / subnet. Why?
>  
> Thanks
> Johannes
>  
>  
>  
> 
> 
> 
> 

Re: [PacketFence-users] Blank Captive Portal

2023-03-24 Thread Zammit, Ludovic via PacketFence-users
Hello Andrew,

Could you share a screenshot?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 23, 2023, at 12:05 PM, Lierman, Andrew via PacketFence-users 
>  wrote:
> 
> I switched to the latest version of PacketFence (12.2.0) from 10.3.0 and when 
> I connect a device, the captive portal is blank. Not sure why that is, but 
> also when saving my Switch config (Cisco 9800 WLC), it says:  ACLs not 
> supported for switch
> 
> Why would this pop up? It works without issue on 10.3.0


Re: [PacketFence-users] can I deploy packetfence on docker?

2023-03-23 Thread Zammit, Ludovic via PacketFence-users
Hello all,

James summarized quite well.

You can’t run PF in docker now.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 22, 2023, at 10:30 PM, James Andrewartha via PacketFence-users 
>  wrote:
> 
> On 23/3/23 09:23, Mochamad Ridwan via PacketFence-users wrote:
>> Hi, can I deploy packetfence on docker?
> Packetfence 12 heavily uses Docker, there's 16 containers running on my 
> server, but I don't know if it's possible to run it on Docker alone without a 
> host server (and my guess is not at the moment).
> 
> -- 
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> 
> 
> 


Re: [PacketFence-users] 802.1x machine authentication under Linux

2023-03-21 Thread Zammit, Ludovic via PacketFence-users
Hello Francis,

I don’t think it would be doable because the workflow to allow a computer 
authentication relies on an LDAP attribute, servicePrincipalName, which I don’t 
think the Linux computer object has and passes through the wpa_supplicant.

I think the best way to handle that situation is to do EAP TLS certificate 
based authentication. You can filter that EAP TLS based on the connection type 
TLS.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 21, 2023, at 11:20 AM, Francis via PacketFence-users 
>  wrote:
> 
> Hello,
> 
> I was able to configure Packetfence to do machine authentication for Windows 
> desktops. I'm using AD as an authentication source configured with the 
> computers OU, so user authentication is not possible. This works fine for 
> both wired 802.1x and WPA2-Enterprise wifi.
> 
> Now I wonder how to do the same thing I did on Windows on my Linux (Ubuntu) 
> desktops. Like Windows desktops, we joined them to our AD domain (with sssd). 
> So I guess there is a way to authenticate the computers with the AD computer 
> object, but I fail to see how to do it after I did multiple searches.
> 
> Network-Manager seems to only allow user-inputted credentials for 
> PEAP/MSCHAPv2 authentication.
> 
> The goal is to authorize only corporate devices in the employees vlan. All 
> other unknown devices are restricted to the guest vlan. This is why I'm 
> trying to do computer auth and not user auth.
> 
> Thank you.
> 
> -- 
> Francis


Re: [PacketFence-users] Unable to load a new Radius Certificate generated by an external certification authority

2023-03-21 Thread Zammit, Ludovic via PacketFence-users
Hello Mirko,

Just uncheck “Find RADIUS Server intermediate CA(s) automatically” and put the 
intermediate as the Root CA cert that signed the CSR.

PacketFence tries to fetch automatically the intermediate from the URL inside the 
certificate but can’t do it.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 21, 2023, at 11:15 AM, sgiops sgiops via PacketFence-users 
>  wrote:
> 
> Hello!
> 
> In order to put in a production environment the PF server, we generated a new 
> certificate for the radius service. This certificate has been generated using 
> the MS certification authority coming with the domain controllers to have the 
> CA already trusted on all the domain computers.  
> I generated the CSR using the PF gui, submitted the certificate to our 
> internal certification authority and retrieved the signed certificate and the 
> CA certificate (all base64).
> 
> When I tried to load the generated certificates (System Configuration -> SSL 
> Certificates -> RADIUS -> Edit Radius Certificate) I obtained that the 
> certification chain is invalid, because the intermediate CA certificates 
> cannot be loaded.
> 
> I do not understand, there are no intermediate CAs, the certification path is 
> only CA -> Server certificate. 
> 
> Did anyone manage to load certificates from Domain Controller CA? If I use 
> the internal PKI I do not have any problem but a GPO should be prepared in 
> order to diffuse and trust the PKI certificate.
> 
> Thanks
> 
> Mirko


Re: [PacketFence-users] secure AP Uplink Ports

2023-03-21 Thread Zammit, Ludovic via PacketFence-users
Hello Johannes,

We usually don’t do RADIUS authentication on the Access Point since the switch 
does not support the trunk mode well in RADIUS.

What you could do is pin the MAC address on the port and only that MAC 
address would be allowed to communicate. It’s a port security violation.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 21, 2023, at 8:11 AM, Mudrich, J. via PacketFence-users 
>  wrote:
> 
> Hello everyone,
>  
> I have another question regarding port security: Is there any way I can 
> secure a port on an edge switch where an access point is connected?
> I’m thinking of a scenario where someone takes a ladder, pulls the cable from 
> an access point and connects his own device.
> Maybe some mechanism like: If port comes up without the AP's MAC, close the port.
>  
> Thanks
> Johannes
> 
> 
> 
> 

Re: [PacketFence-users] RADIUS Reply Missing Cisco-AVPair device-traffic-class=voice

2023-03-20 Thread Zammit, Ludovic via PacketFence-users
Hello There,

In order to engage the Voice workflow, the MAC address needs to be enabled with 
VoIP and the switch enabled with VoIP as well.

Do it manually on the MAC address in PF itself or you can enable the VoIP LLDP 
detection with SNMP.

You don’t need to create an Authentication source for that, check the VoIP flag 
and connect.

Thanks.

Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 20, 2023, at 2:18 PM, IT Mercenary via PacketFence-users 
>  wrote:
> 
> Hello!
> 
> I'm working on a proof of concept deployment of PacketFence with Dell 
> switches. I'd like to assign the voice VLAN but the RADIUS reply seems to be 
> missing "Cisco-AVPair" 'device-traffic-class=voice'. The switch is sending 
> the MAC (MAB), and the role is being assigned by the authentication rule in 
> the authentication source. How does PacketFence determine this is a VoIP port?
> 
> Switch: Dell N2048
> Firmware: 6.7.1.20
> PacketFence Switch Type: N1500 Series
> 
> Screenshot of authentication source.
> 
> 
> I confirmed the N1500.pm file has the line to return the desired AV Pair.
> 
> 
> Thanks in advance for your help!
> 


Re: [PacketFence-users] Unable to upgrade from 11.2 to 12.2

2023-03-20 Thread Zammit, Ludovic via PacketFence-users
Hello Andrea,

Here are the steps:

- Detach pf3 node from your 11.2 cluster 
- /usr/local/pf/addons/upgrade/do-upgrade.sh and answer the questions
- Test your 12.2 instance by stopping services on pf1 and pf2
- When everything works as expected, upgrade pf on pf1 and pf2

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead


> On Mar 14, 2023, at 8:00 AM, de Lutti Andrea via PacketFence-users 
>  wrote:
> 
> Good morning everyone,
> I have tried a lot of times to upgrade my three nodes cluster.
> I have followed the upgrade guide 
> https://www.packetfence.org/doc/PacketFence_Clustering_Guide.html#_performing_an_upgrade_on_a_cluster
>  
> 
> I receive the configuration sanity warning
> Use of uninitialized value in concatenation (.) or string at 
> /usr/local/pf/lib/pfconfig/backend/mysql.pm line 59
> Could not write namespace config::PfDefault() to L2 cache !
> Could not write namespace config::Documentation() to L2 cache !
> Could not write namespace config::Cluster(DEFAULT) to L2 cache !
>  
> When detaching node C from the cluster
> (https://www.packetfence.org/doc/PacketFence_Clustering_Guide.html#_detach_node_c_from_the_cluster),
> restarting proxysql gives me the error
>  
> /usr/local/pf/bin/pfcmd service proxysql restart
> Usage:
> pfcmd service 
> [start|stop|restart|status|generateconfig|updatesystemd]
> [--ignore-checkup]
>  
>   stop/stop/restart specified service
>   status returns PID of specified PF daemon or 0 if not running.
>  
>   --ignore-checkup will start the requested services even if the checkup 
> fails
>  
> Services managed by PacketFence:
>  
>   api-frontend           | Golang daemon providing API
>   fingerbank-collector   | Fingerprinting data collection daemon
>   galera-autofix         | Automated recovery of Galera clusters
>   haproxy-admin          | haproxy admin daemon
>   haproxy-db             | haproxy database daemon
>   haproxy-portal         | haproxy portal daemon
>   httpd.aaa              | Apache AAA webservice
>   httpd.admin_dispatcher | Admin GUI dispatcher
>   httpd.collector        | Apache Collector daemon
>   httpd.dispatcher       | Captive portal dispatcher
>   httpd.portal           | Apache Captive Portal
>   httpd.proxy            | Apache Proxy Interception
>   httpd.webservices      | Apache Webservices
>   iptables               | PacketFence firewall rules
>   keepalived             | Virtual IP management
>   mysql-probe            | MySQL probe service
>   netdata                | Monitoring service
>   pfacct                 | Netflow and Radius Accounting service
>   pf                     | all services that should be running based on your config
>   pfcertmanager          | Certificate Manager Service
>   pfcron                 | PF Cron daemon
>   pfdetect               | PF snort alert parser
>   pfdhcp                 | dhcpd daemon
>   pfdhcplistener         | PF DHCP monitoring daemon
>   pfdns                  | DNS daemon
>   pffilter               | PF conditions filtering daemon
>   pfipset                | IPSET daemon
>   pfperl-api             | Perl daemon providing API
>   pfpki                  | PKI daemon
>   pfqueue                | PF queueing service
>   pfsso                  | Firewall SSO daemon
>   pfstats                | PF statistics daemon
>   radiusd                | FreeRADIUS daemon
>   radsniff               | radsniff daemon
>   redis_ntlm_cache       | Redis for the NTLM cache
>   redis_queue            | Redis for pfqueue
>   snmptrapd              | SNMP trap receiver daemon
>   tc                     | Traffic shaping service
>   tracking-config        | Tracking configuration change
>   winbindd               | Winbind daemon
>  
> Next, when upgrading node C
> (https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_full_upgrade_for_packetfence_versions_11_1_0_and_later),
> I have:
>  
> /usr/local/pf/addons/upgrade/do-upgrade.sh
> =
> Installing or upgrading the upgrade tools for PacketFence
> 

Re: [PacketFence-users] Another Problem with DACL and Authentication

2023-03-20 Thread Zammit, Ludovic via PacketFence-users
Hello There,

Is it a Wireless Authentication?

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 20, 2023, at 8:57 AM, sgiops sgiops via PacketFence-users 
>  wrote:
> 
> Hello everyone, 
> 
> I'm trying to configure DACL with PacketFence and a Cisco Switch.
> The user performs the authentication on the switch and acquires the correct 
> role from PF, but immediately after the successful authentication in the 
> Radius Audit Logs I see the rows reported in the attached image. 
> The switch reports "authentication fail" and the port remains "unauthorized".
> 
> If I disable the role mapping by access list, the process succeeds and the 
> user is moved to the correct VLAN. 
> 
> 
> Do you have any hint?


Re: [PacketFence-users] Switch IP range vs. IP

2023-03-20 Thread Zammit, Ludovic via PacketFence-users
Hello Johannes,

Here’s the order of a switch evaluation for an authentication:

Mac address > IP address > Subnet range (CIDR)

If you overlap two subnets, that’s not good.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 20, 2023, at 8:36 AM, Mudrich, J. via PacketFence-users 
>  wrote:
> 
> Hello everyone,
>  
> I’m just curious how PF works here: If I add a switch with an IP address of 
> 10.1.1.140 and another “switch” with an IP range of 10.1.1.128/25 and yet 
> another one with 10.1.1.0/24. Which configuration will PF use if a request 
> comes from 10.1.1.140?
> Would be nice if PF always uses the more specific address/configuration.
>  
> Thanks
> Johannes
> 
> 
> Johannes Mudrich
> Employee
> IT
> 
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
> 
> Tel.:  03907 791229
> Fax.:  03907 791248
> Mail:  j.mudr...@altmark-klinikum.de 
> 
> Salus Altmark Holding gGmbH
> Tel.: +49 39325700 
> Registered office:
> Seepark 5 | 39116 Magdeburg
> www.salusaltmarkholding.de 
> 
> Court of registration: AG Stendal: HRB 112594
> Managing Director: Jürgen Richter
> Chair of the Supervisory Board: Wolfgang Beck
> In accordance with Art. 13 GDPR, we inform you that your data is stored 
> electronically. Further information: 
> www.salusaltmarkholding.de/datenschutz 
> 
> As of January 2022, we no longer accept e-mails with doc, xls and ppt attachments.
> Please use the current Office formats docx, xlsx, pptx or pdf.
> 
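
The evaluation order given in the reply above (MAC address, then IP address, then CIDR range), applied to the three entries from the question; this is an added example, not PacketFence code and not part of either post. The inventory, the MAC-keyed entry and the function names are assumptions, and overlapping ranges are reported rather than resolved because the thread does not say which one would be used.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed inventory: the three entries from the question plus a MAC-keyed one.
SWITCHES = ["10.1.1.140", "10.1.1.128/25", "10.1.1.0/24", "aa:bb:cc:dd:ee:ff"]


def classify(entry):
    """Return (kind, parsed) where kind is 'mac', 'ip' or 'cidr'."""
    entry = entry.strip().lower()
    if MAC_RE.match(entry):
        return "mac", entry
    if "/" in entry:
        return "cidr", ipaddress.ip_network(entry, strict=True)
    return "ip", ipaddress.ip_address(entry)


def resolve(switches, src_ip, src_mac=None):
    """Apply the order MAC > IP > CIDR; return (kind, matching entries)."""
    ip = ipaddress.ip_address(src_ip)
    wanted = {"mac": (src_mac or "").lower(), "ip": ip}
    parsed = [(e, *classify(e)) for e in switches]
    for kind in ("mac", "ip"):
        hits = [e for e, k, v in parsed if k == kind and v == wanted[kind]]
        if hits:
            return kind, hits
    hits = [e for e, k, v in parsed if k == "cidr" and ip in v]
    # More than one hit is the overlap case: report it, do not guess a winner.
    return ("cidr", hits) if hits else (None, [])


def overlapping_ranges(switches):
    """List every pair of CIDR entries that share addresses."""
    nets = [(e, v) for e in switches for k, v in [classify(e)] if k == "cidr"]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    print(resolve(SWITCHES, "10.1.1.140"))
    print(resolve(SWITCHES, "10.1.1.200"))
    print(overlapping_ranges(SWITCHES))
```

Running `overlapping_ranges` over a switch inventory before adding a new range shows which existing entries it would collide with.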

Re: [PacketFence-users] captive portal page not accessible

2023-03-17 Thread Zammit, Ludovic via PacketFence-users
Hello there,

It’s because it’s not a page that you can display or reach, you need to be 
brought there by an external portal mechanism.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 17, 2023, at 1:33 PM, jhyanagi via PacketFence-users 
>  wrote:
> 
> Hello PacketFence users,
> 
> I have a better understanding now, so let me answer some of my questions for 
> reference.
> 
> The actual captive portal page is like below.
> 
> http://address-of-eth0/captive-portal 
> 
> 
> It was not HTTPS but HTTP; it generates an error since it is not the correct 
> way to access the portal,
> anyway I can see the captive portal page.
> 
> However, I still cannot access the page with
> 
> http://address-of-eth0/Cisco::WLC 
> 
> 
> It looks like an address like /Cisco::WLC or /CoovaChilli is to be used as 
> the external portal.
> Can anybody explain why I still cannot access this?
> 
> What I get is
> 
> 501 Not Implemented
> GET not supported for current URL
> 
> Any help would be appreciated.
> 
> Thanks. Regards
> 


Re: [PacketFence-users] change HTTPs cert; chain invalid

2023-03-13 Thread Zammit, Ludovic via PacketFence-users
Hello Johannes,

Turn off the automatic intermediates fetch and add your own CA manually.

PF can’t reach the intermediates so it fails.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 10, 2023, at 2:32 AM, Mudrich, J.  
> wrote:
> 
> Hello Ludovic,
>  
> yes, I am using an internal PKI. I even verified the chain with openssl:
>  
> root@akgapf:/usr/local/pf/conf/ssl# openssl verify -CAfile 
> /etc/ssl/certs/akgaca.ak.local.pem server.crt
> server.crt: OK
> root@akgapf:/usr/local/pf/conf/ssl# openssl verify -CAfile 
> /etc/ssl/certs/akgaca.ak.local.pem server.pem
> server.pem: OK
>  
> PF gives me the following error message:
>  
> Failed verifying chain: error stdin: verification failed . Unable to fetch 
> all the intermediates through the information contained in the certificate. 
> You will have to upload the intermediate chain manually in x509 (Apache) 
> format.
> config/certificate/http
>  
> There are no intermediates!
>  
> You’ll find the chain attached.
>  
> Kind regards
> Johannes
>  
>  
>  
> 
> 
> Johannes Mudrich
> Employee
> IT
> 
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
> 
> Tel.:  03907 791229
> Fax.:  03907 791248
> Mail:  j.mudr...@altmark-klinikum.de 
> 
> From: Zammit, Ludovic [mailto:luza...@akamai.com] 
> Sent: Thursday, March 9, 2023 21:07
> To: PacketFence-users 
> Cc: Mudrich, J. 
> Subject: Re: [PacketFence-users] change HTTPs cert; chain invalid
>  
> Hello Johannes,
>  
> I’m assuming you are issuing a certificate from your internal PKI, right?
>  
> Can you show me the chain and the error that you have currently?
>  
> Thanks,
> 
> 
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
> On Mar 9, 2023, at 3:01 AM, Mudrich, J. via PacketFence-users 
>  > wrote:
>  
> Hi,
>  
> I would like to change the existing HTTPs cert. So I created one in my own 
> CA. Added the cert and key into Configuration -> System Configuration -> SSL 
> Certificates.
> Then I added my CA root cert to /usr/local/share/ca-certificates and ran 
> update-ca-certificates. It’s now present in /etc/ssl/certs.
>  
> But PF still says “Chain is invalid”. Do I need to add the root cert 
> somewhere else?
>  
> Thanks
> Johannes
> 
> 
> 
> Johannes Mudrich
> Employee
> IT
> 
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
> Tel.: 03907 791229
> Fax.: 03907 791248
> Mail: j.mudr...@altmark-klinikum.de 
> 
> Salus Altmark Holding gGmbH
> Tel.: +49 39325700 
> Registered office:
> Seepark 5 | 39116 Magdeburg
> www.salusaltmarkholding.de 

Re: [PacketFence-users] Nodes not displaying after upgrade to 12.2

2023-03-10 Thread Zammit, Ludovic via PacketFence-users
Hello David,

Have you tried another web browser or clearing your cache?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 9, 2023, at 1:56 PM, David Moore via PacketFence-users 
>  wrote:
> 
> I just upgraded from ZEN 12.1 to 12.2 today
> 
> Now when I login to the web interface and click on the nodes tab I get the 
> following error:
> 
>  
> 
> Everything else appears to be working as expected, any help would be greatly 
> appreciated.
> 
> Thanks
> Dave


Re: [PacketFence-users] Regenerate a new self-signed certificate or update your current certificate.

2023-03-09 Thread Zammit, Ludovic via PacketFence-users
Hello there,

You can try that:

cd /usr/local/pf
make conf/ssl/server.crt

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 9, 2023, at 4:15 AM, P.Thirunavukkarasu via PacketFence-users 
>  wrote:
> 
> Hi Team,
> While restarting the radius, I received the following message:
> 
> root@packetfence:~# /usr/local/pf/bin/pfcmd service radiusd restart
> Service StatusPID
> Checking configuration sanity...
> WARNING - internal network(s) not defined!
> WARNING - The certificate used by haproxy (/usr/local/pf/conf/ssl/server.pem) 
> has expired.
> Regenerate a new self-signed certificate or update your current certificate.
> WARNING - The certificate used by Apache (/usr/local/pf/conf/ssl/server.crt) 
> has expired.
> Regenerate a new self-signed certificate or update your current certificate.
> 
> How to regenerate the certificates in the PF?
> Thanks and regards
> Thirunavukkarasu


Re: [PacketFence-users] change HTTPs cert; chain invalid

2023-03-09 Thread Zammit, Ludovic via PacketFence-users
Hello Johannes,

I’m assuming you are issuing a certificate from your internal PKI, right?

Can you show me the chain and the error that you have currently?

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Mar 9, 2023, at 3:01 AM, Mudrich, J. via PacketFence-users 
>  wrote:
> 
> Hi,
>  
> I would like to change the existing HTTPs cert. So I created one in my own 
> CA. Added the cert and key into Configuration -> System Configuration -> SSL 
> Certificates.
> Then I added my CA root cert to /usr/local/share/ca-certificates and ran 
> update-ca-certificates. It’s now present in /etc/ssl/certs.
>  
> But PF still says “Chain is invalid”. Do I need to add the root cert 
> somewhere else?
>  
> Thanks
> Johannes
> 
> 
> Johannes Mudrich
> Employee
> IT
> 
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
> 
> Tel.:  03907 791229
> Fax.:  03907 791248
> Mail:  j.mudr...@altmark-klinikum.de 
> 
> Salus Altmark Holding gGmbH
> Tel.: +49 39325700 
> Registered office:
> Seepark 5 | 39116 Magdeburg
> www.salusaltmarkholding.de 
> 
> Court of registration: AG Stendal: HRB 112594
> Managing Director: Jürgen Richter
> Chair of the Supervisory Board: Wolfgang Beck
> In accordance with Art. 13 GDPR, we inform you that your data is stored 
> electronically. Further information: 
> www.salusaltmarkholding.de/datenschutz 
> 
> As of January 2022, we no longer accept e-mails with doc, xls and ppt attachments.
> Please use the current Office formats docx, xlsx, pptx or pdf.