Re: [PacketFence-users] 802.1x computer + user

2022-05-17 Thread mj via PacketFence-users
Yes, it is what we do. First the computer authenticates, and as soon as a user logs on, it switches to user authentication. MJ On 16/05/2022 14:19, José Ramos via PacketFence-users wrote: Hello everyone. Is it possible to combine 802.1x computer + user authentication ? I only do user

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-17 Thread mj via PacketFence-users
tificates should I understand that I need to do it from www.sslforfree.com <http://www.sslforfree.com/> And what's the correct procedure to install an SSL certificate to PF. Never saw it in the documentation. I need it for a captive portal. Eugene -Orig

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-11 Thread mj via PacketFence-users
Hi Eugene, The list has always been alive, from where we are. :-) Anyway: I would encourage you to take a look at Let's Encrypt certificates with packetfence. I think they are a bit more secure than a wildcard certificate, plus they are free and work very well. (there are some threads on

Re: [PacketFence-users] pf & wired 802.1x authentication | windows updates

2020-11-11 Thread mj via PacketFence-users
Hi, Please, if I may, one question more: On 11/9/20 8:47 PM, Ludovic Zammit wrote: If it’s the case, one solution to fix it. Issue a certificate on PacketFence (RADIUS service) that would be trusted by your clients. Issue a certificate from a MS PKI for example (AD CS). We are running

Re: [PacketFence-users] pf & wired 802.1x authentication | windows updates

2020-11-10 Thread mj via PacketFence-users
etFence side you can enable the domain passthrough (to allow the device to reach the AD from the reg vlan) then the device will update its GPO and reconfigure the supplicant. Regards Fabrice On 20-11-09 at 10:45, mj via PacketFence-users wrote: Hi, We are using packetfence with 802.1x authent

[PacketFence-users] pf & wired 802.1x authentication | windows updates

2020-11-09 Thread mj via PacketFence-users
Hi, We are using packetfence with 802.1x authentication on our wired network. This works nicely. However, what we have now repeatedly seen, is that after (bigger) Windows updates, the Windows 10 clients' 802.1x authentication configurations are reset back to the default -> no network for the

Re: [PacketFence-users] Packetfence and Samba

2020-10-28 Thread mj via PacketFence-users
Hi, On 10/28/20 12:44 PM, Ludovic Zammit via PacketFence-users wrote: PacketFence supports samba AD integration but you can’t use the multi domain AD configuration to join it. It needs to be done at the system level. Not sure what that means? I thought that pf is using chroot and netns to

Re: [PacketFence-users] Packetfence and Samba

2020-10-28 Thread mj via PacketFence-users
Hi, We are running pf against samba. Depending on what you want from pf, you might need to make sure that samba will do ntlm auth. (for radius) For the rest there are no issues that we know of. MJ On 10/27/20 6:24 AM, Boris Ebwanga via PacketFence-users wrote: Hi everyone! I would like to

Re: [PacketFence-users] [External] Re: R: Fingerbank and softnet_stat issues with version 9.2

2020-02-02 Thread mj via PacketFence-users
On 2/2/20 12:08 AM, Serhiy Morhun via PacketFence-users wrote: I'm running it on VMWARE. We're on KVM, so that's not the same, but both virtualised. MJ

Re: [PacketFence-users] [External] Re: R: Fingerbank and softnet_stat issues with version 9.2

2020-02-01 Thread mj via PacketFence-users
Hi On 1/29/20 11:11 PM, Serhiy Morhun via PacketFence-users wrote: I tried changing the net.core.netdev_budget to 4800 as mentioned before, but it did not seem to make a difference. Yes same here. Are you running on bare metal, or virtualised..? (and if virtual: on what system?) MJ

[PacketFence-users] device profiling discrepancy | security event

2020-01-31 Thread mj via PacketFence-users
Hi, We are trying to ban win7-and-pre devices, and have created a security event like this: [143] trigger=device::7535,device::7534,device::33,device::36 actions=reevaluate_access,email_admin,log,email_user desc=Win7 and older to isolation (triggers automatically) access_duration=14D

Re: [PacketFence-users] [External] Re: R: Fingerbank and softnet_stat issues with version 9.2

2020-01-29 Thread mj via PacketFence-users
Hi, And how about your softnet_stat issues? I posted about those as well, but received no replies at all. I was hoping this thread would eventually also touch that issue... MJ On 1/28/20 4:55 PM, Truax, Peter via PacketFence-users wrote: Hi Everyone, I fixed our fingerbank email problem.

[PacketFence-users] cloned security event, untriggerable

2020-01-24 Thread mj via PacketFence-users
Hi, What is needed for a custom created security event to show up as a triggerable security event in a node details? We cloned the default malware security event, with new number 142, no triggers as we only want to trigger it manually. But alas it does not show up in a node's list of

[PacketFence-users] softnet_stat netdev budget run out warnings

2020-01-22 Thread mj via PacketFence-users
Hi, On monday we migrated from pf-7.1 to pf-9.3, and ever since we are getting warnings in the GUI about "softnet_stat netdev budgets ran outs" Searched the archives here, and found another post where this is also mentioned, but without a real solution. I tried the suggestion to increase

Re: [PacketFence-users] PF 9.1 clean install problem

2019-10-23 Thread mj via PacketFence-users
Hi, I guess you examined the outputs of "systemctl status packetfence-httpd.admin.service" and/or "journalctl -xe" for details...? Does it say anything interesting..? I also don't understand. I can only say: No such issues here. MJ On 10/22/19 2:19 PM, Szél Gábor via PacketFence-users

Re: [PacketFence-users] packetfence and unifi

2019-10-18 Thread mj via PacketFence-users
MJ On 10/14/19 10:37 PM, mj via PacketFence-users wrote: Hi, We would like to ask for some info. :-) We have been running packetfence with captive portal for our wifi in inline mode for years. We would now like to upgrade to out-of-band VLAN enforcement, using our unifi APs and our onsite-control

[PacketFence-users] packetfence and unifi

2019-10-14 Thread mj via PacketFence-users
Hi, We would like to ask for some info. :-) We have been running packetfence with captive portal for our wifi in inline mode for years. We would now like to upgrade to out-of-band VLAN enforcement, using our unifi APs and our onsite-controller, while keeping the packetfence captive portal.

Re: [PacketFence-users] [9.1] certificate

2019-10-11 Thread mj via PacketFence-users
On 10/10/19 5:24 PM, pro fence via PacketFence-users wrote: hi, does anybody know if it is possible to use a wildcard certificate (*.mydomain.com ) ? because as per the documentation, the CN must be the same for the certificate and in pf.conf. But you can't add a

Re: [PacketFence-users] Phantom NIC

2018-11-29 Thread mj via PacketFence-users
Hi, I guess the ip belongs to a net namespace, try: ip netns list to see your namespaces, and then type: ip netns exec ifconfig to check its details. On our packetfence, the AD namespace has ip 169.254.0.1. MJ On 11/28/18 11:06 AM, Hancock, Jamie via PacketFence-users wrote: Hi, My

Re: [PacketFence-users] dhcp domain-search option

2018-09-28 Thread mj via PacketFence-users
For the archives: we're still on 7.1, and the only way of doing that there, is by editing * /usr/local/pf/lib/pf/services/manager/dhcpd.pm near the line 177, and add the line there: option domain-search "domain.com"; Restart dhcpd, and voila. It seems that from version 8 onwards, packetfence

Re: [PacketFence-users] Network access monitoring

2018-06-14 Thread mj via PacketFence-users
Hi, We have (kind of) solved this by logging dns requests done by the inline clients, plus their mac address. We are using this: https://github.com/gamelinux/passivedns We run a cron script to purge the collected data after x number of days. MJ On 06/13/2018 03:52 PM, Murilo Calegari via

[PacketFence-users] on the use of freeradius, 802.1x , samba, etc, etc

2018-03-28 Thread mj via PacketFence-users
Hi, There has been a very interesting thread on the samba mailinglist that perhaps would be of interest for many here. It's on the use of freeradius, 802.1x, samba AD, NTLMv1, etc, and how to make this combination as secure as possible. I guess people here can benefit from this info.

Re: [PacketFence-users] firewalling for inline on the packetfence server

2018-01-18 Thread mj via PacketFence-users
Hi Fabrice, list, On 16-1-2018 14:54, Fabrice Durand via PacketFence-users wrote: Hello, you can play with iptables.conf in the conf directory in order to add your custom rules. So, in the case of limiting outgoing traffic for inline nat clients to http/https/dns, do you mean adding lines

Re: [PacketFence-users] Unable to add any Authentication Sources on PacketFence 7.1.0

2017-10-24 Thread mj via PacketFence-users
Hi, Just a small remark: On 10/24/2017 04:22 PM, yayo (j) via PacketFence-users wrote: p.s. I have recently updated system via yum update and also patched PF with /chroots/MYADDOMAIN/usr/local/pf/addons/pf-maint.pl I am surprised that this is possible. You should not

Re: [PacketFence-users] person_cleanup / node_cleanup not doing anything

2017-09-23 Thread mj via PacketFence-users
Hi, for the archive: This turned out to be caused by a nightly (scheduled) reboot of our packetfence server. We do that to be able to create a clean backup of the disk image. Problem: packetfence never ran long enough to reach the 1D configured interval for the tasks. Solution: either set

[PacketFence-users] person_cleanup / node_cleanup not doing anything

2017-09-15 Thread mj via PacketFence-users
Hi, We have enabled the tasks person_cleanup and node_cleanup to comply with privacy regulations within the EU. Both tasks don't seem to do very much. :-( Let's focus on person_cleanup: From pfmon.conf: [person_cleanup] status=enabled interval=1D # [node_cleanup] status=enabled interval=1D

Re: [PacketFence-users] email registration always remains status "incomplete"

2017-07-20 Thread mj via PacketFence-users
On 07/17/2017 04:53 PM, lists via PacketFence-users wrote: Hi Fabrice, list, On 13-7-2017 2:23, Durand fabrice via PacketFence-users wrote: when it happens, can you check in the database just after the duration has been extended ? select * from node where mac="9c:2a:70:31:9b:9f"; ok, here

Re: [PacketFence-users] email registration always remains status "incomplete"

2017-07-13 Thread mj via PacketFence-users
Hi Fabrice, On 07/13/2017 02:23 AM, Durand fabrice via PacketFence-users wrote: Hello MJ, when it happens, can you check in the database just after the duration has been extended ? select * from node where mac="9c:2a:70:31:9b:9f"; As I need to be there to check this, I will do this next

Re: [PacketFence-users] email registration always remains status "incomplete"

2017-07-12 Thread mj via PacketFence-users
e second reg attempt is (still!) logged as "incomplete". So something seems to be malfunctioning This is pf 7.1, completely up-to-date with pf-maint.pl Ideas? MJ On 07/10/2017 07:04 PM, mj via PacketFence-users wrote: Hi, We're using pf-7.1 with the captive portal with email r

[PacketFence-users] email registration always remains status "incomplete"

2017-07-10 Thread mj via PacketFence-users
Hi, We're using pf-7.1 with the captive portal with email registration. While everything appears to work (confirmation mails are sent, the links are working, users get "mail activation code has been verified. Access granted for a month" in their browsers. Yet: under Reports / All

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread mj via PacketFence-users
Hi, I noticed two ERROR lines in your packetfence.log: Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) ERROR: [mac:00:9c:02:92:ea:b0] error creating SNMP v1 read connection to 10.10.10.4: No response from remote host "10.10.10.4" (pf::Switch::connectRead) and Jul 10

[PacketFence-users] why is my radius working? :-)

2017-07-10 Thread mj via PacketFence-users
ghehe :-) Happy that after some fiddling with REALMS config, our 802.1x radius auth is working now, but I am seeing behaviour that I don't understand. I have _only_ configured the "DEFAULT" realm and left LOCAL and NULL empty. (also created no new ones) DEFAULT is configured with strip,

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread mj via PacketFence-users
Just to say that I am following this thread with interest, as I currently have the same issue on my (debian8) install. GUI says: domain join OK Also, in CLI, I can do: root@pf:/chroots/DOMAIN/etc/samba# chroot /chroots/DOMAIN ntlm_auth --username=testuser Password: NT_STATUS_OK: Success

Re: [PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread mj via PacketFence-users
On 06/22/2017 05:06 PM, David Harvey via PacketFence-users wrote: Hi packetfence users, I've been attempting to experiment with packetfence-pki, but have fallen at the first hurdle. Namely there doesn't seem to be a Debian Jessie package available as advertised at Ah sorry:

Re: [PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread mj via PacketFence-users
Hi, Are you following this: https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html Or are you somehow trying to install things manually..? (the apt way with the inverse repo worked very well for me on jessie, tried last week) Hope that helps, MJ On

Re: [PacketFence-users] Utilize Google SMTP servers for guest access emails

2017-06-16 Thread mj via PacketFence-users
Hi, I guess this would not be done in packetfence, but you'd configure packetfence to use a local postfix, and configure postfix to use a smarthost with authentication for its outgoing mail. MJ On 06/16/2017 05:53 AM, Max McGrath via PacketFence-users wrote: Hello - We have a lot of

Re: [PacketFence-users] generated chroot config for samba / krb5

2017-06-15 Thread mj via PacketFence-users
Hi Thierry, list, I would like to revive this discussion from last month. I started a new discussion on the samba mailinglist on the "password server =" subject. Please see here: https://lists.samba.org/archive/samba/2017-June/208999.html The outcome of that discussion is that the samba

Re: [PacketFence-users] [SPAM] Re: haproxy | mysql

2017-06-14 Thread mj via PacketFence-users
Hi Bebbet and Louis, Thanks for your answers! MJ On 06/13/2017 03:05 PM, Bebbet van Dinges via PacketFence-users wrote: if you run netstat -tapn, can you see where the mysql instance is listening? if it's on 127.0.0.1:3306, then the haproxy can listen on the management:3306, no problem. When a