Re: [PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-14 Thread Durand fabrice via PacketFence-users

Hello Jason,

I did a try and I am not able to reproduce the error.

So it can be an issue with the keyUsage value or an issue with pyopenssl.

What did you define for keyUsage, and can you give me the version of
pyopenssl you use?


rpm -qa|grep -i openssl

Regards

Fabrice



On 2017-11-14 at 16:14, Jason Sloan via PacketFence-users wrote:

Error:
Environment:

Centos 7 - Clean Install

Steps to reproduce:
Install Packetfence-PKI
Browse to PKI Admin site & login.
Complete all 4 steps of initial setup wizard & Submit

Error condition occurs.

Looks like a bad variable type, probably also related to the newer 
django version?






Error details:

Request Method: POST
Request URL: https://localhost:9393/pki/init_wizard/

Django Version: 1.8.1
Python Version: 2.7.5
Installed Applications:
('django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'rest_framework',
 'rest_framework.authtoken',
 'bootstrap3',
 'pki')
Installed Middleware:
('django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'inverse.middleware.SecurityMiddleware')


Traceback:
File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py" 
in get_response
  132.                     response = wrapped_callback(request, 
*callback_args, **callback_kwargs)
File 
"/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py" 
in _wrapped_view

  22.                 return view_func(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" 
in view

  71.             return self.dispatch(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in 
dispatch
  237.         response = super(WizardView, self).dispatch(request, 
*args, **kwargs)
File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" 
in dispatch

  89.         return handler(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in post
  300.                 return self.render_done(form, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in 
render_done

  357.                                   **kwargs)
File "/usr/local/packetfence-pki/pki/views.py" in done
  539.             certif.sign()
File "/usr/local/packetfence-pki/pki/models.py" in sign
  61.  cert.add_extensions([crypto.X509Extension("keyUsage", 
True,self.key_usage)])

File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in __init__
  723.         extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, 
type_name, value)


Exception Type: TypeError at /pki/init_wizard/
Exception Value: initializer for ctype 'char *' must be a str or list 
or tuple, not unicode




--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
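
Added example, not part of the original messages and not PacketFence-PKI's own code: the traceback above ends with a unicode object reaching a cffi `char *` parameter inside `crypto.X509Extension`, so one of the arguments (most likely the keyUsage value read from the model) was unicode rather than a byte string. One way to validate that value and hand pyOpenSSL bytes; the comma-separated input format and the helper name `normalize_key_usage` are assumptions.

```python
# -*- coding: utf-8 -*-
# Added example: normalise a keyUsage value before it reaches pyOpenSSL.
# Runs on Python 2.7 and Python 3; uses only the standard library.

# keyUsage flag names accepted by OpenSSL's X509v3 config syntax
# (the nine bits defined in RFC 5280).
ALLOWED_KEY_USAGE = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)
_CANONICAL = dict((name.lower(), name) for name in ALLOWED_KEY_USAGE)

TEXT = type(u"")  # unicode on Python 2, str on Python 3


def normalize_key_usage(value):
    """Return a validated keyUsage list as ASCII bytes.

    Accepts text or bytes (a form field or model attribute may be either),
    tolerates whitespace, empty items and duplicates, and restores the
    canonical spelling of each flag. Raises ValueError for anything that is
    not a known keyUsage flag, so a bad value is rejected at the form
    instead of failing deep inside certificate signing.
    """
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("keyUsage is not ASCII")
    elif not isinstance(value, TEXT):
        raise ValueError("keyUsage must be a string, got %s"
                         % type(value).__name__)

    flags, seen = [], set()
    for raw in value.split(","):
        key = raw.strip().lower()
        if not key:
            continue  # tolerate "a,,b" and trailing commas
        if key not in _CANONICAL:
            # e.g. serverAuth belongs to extendedKeyUsage, not keyUsage
            raise ValueError("unknown keyUsage flag: %r" % raw.strip())
        if key not in seen:
            seen.add(key)
            flags.append(_CANONICAL[key])
    if not flags:
        raise ValueError("keyUsage is empty")
    return ",".join(flags).encode("ascii")


# Call site from the traceback (pki/models.py), with both string arguments
# passed as bytes. Shown as a comment so this file runs without pyOpenSSL:
#
#   cert.add_extensions([crypto.X509Extension(
#       b"keyUsage", True, normalize_key_usage(self.key_usage))])

if __name__ == "__main__":
    # Constructed sample values.
    for sample in (u"digitalSignature, keyEncipherment", u"serverAuth"):
        try:
            print(repr(normalize_key_usage(sample)))
        except ValueError as exc:
            print("rejected: %s" % exc)
```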




Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
This is happening to a few ports, but not all ports; I counted 12 so far.
I got some of the debug output, and am looking through it.
I set the ip radius source-interface on the 2 switches that seem to be 
crossing each other.

Thanks
Darryl

From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Tuesday, November 14, 2017 2:11 PM
To: Sokolowski, Darryl 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] auth request from wrong switch

Depends on how the authentication request is sent. Is this happening for one 
client/port on the switch or the entire switch?

Try setting the source interface:
conf t
ip radius source-interface X (in your case you like

Since your switches are not under heavy load you can flip on some debugs and 
take a look at the authentication and make sure it is sourced as expected.

debug dot1x all
debug authentication all
debug radius authentication



On Tue, Nov 14, 2017 at 12:32 PM, Sokolowski, Darryl wrote:
Oh, ok. Since we have a ring, all interfaces comprising the ring are forwarding 
except one.
All switches are trunked to each other over the ring. I am certain there are no 
extra errant extra uplinks, since we are just beginning to use the switches and 
 not much plugged into them yet.
How could the blocking cause a machine to appear on a different port?

I did forget to include one switch is a 4507 chassis. Don’t think this should 
matter.

Thanks
Darryl


From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Tuesday, November 14, 2017 11:05 AM
To: Sokolowski, Darryl
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] auth request from wrong switch

show spanning-tree vlan X (in your case vlan 1)

Check and see if all ports are in a forwarding state, or at least the ones you 
expect to be in a forwarding state are forwarding. If left to its own devices, 
sometimes spanning tree can make the wrong decision during an election. You can 
manually set spanning tree priorities on your up-links if this is the case. If 
the switches have vlan 1 trunked to each other this may be something to look 
at, otherwise probably not an issue.

On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl wrote:
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?



From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Monday, November 13, 2017 4:23 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users wrote:
Hi all,
I have a strange problem I can’t see the reason for,
I have machines that get “stuck” unable to access the network seems like 
because the 802.1x authentication request is coming from a switch that the 
device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 

[PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-14 Thread Jason Sloan via PacketFence-users
Error:
Environment:

Centos 7 - Clean Install

Steps to reproduce:
Install Packetfence-PKI
Browse to PKI Admin site & login.
Complete all 4 steps of initial setup wizard & Submit

Error condition occurs.

Looks like a bad variable type, probably also related to the newer django
version?





Error details:

Request Method: POST
Request URL: https://localhost:9393/pki/init_wizard/

Django Version: 1.8.1
Python Version: 2.7.5
Installed Applications:
('django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'rest_framework',
 'rest_framework.authtoken',
 'bootstrap3',
 'pki')
Installed Middleware:
('django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'inverse.middleware.SecurityMiddleware')


Traceback:
File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py" in
get_response
  132. response = wrapped_callback(request,
*callback_args, **callback_kwargs)
File "/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py"
in _wrapped_view
  22. return view_func(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" in view
  71. return self.dispatch(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
dispatch
  237. response = super(WizardView, self).dispatch(request, *args,
**kwargs)
File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" in
dispatch
  89. return handler(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in post
  300. return self.render_done(form, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
render_done
  357.   **kwargs)
File "/usr/local/packetfence-pki/pki/views.py" in done
  539. certif.sign()
File "/usr/local/packetfence-pki/pki/models.py" in sign
  61. cert.add_extensions([crypto.X509Extension("keyUsage",
True,self.key_usage)])
File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in __init__
  723. extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name,
value)

Exception Type: TypeError at /pki/init_wizard/
Exception Value: initializer for ctype 'char *' must be a str or list or
tuple, not unicode


Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-14 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

When PacketFence receives an accounting request, there are MySQL
procedures that will update/insert in the radacct table.

When pf receives a start, we log in radacct_log and insert a new entry in
radacct; when it's an interim update, we update the entry in the radacct
table; and when it's a stop, we also update the radacct table and close
the entry.

So if you can do that:

select acctuniqueid from radacct where callingstationid="00:11:22:33:44:55";

and give me the result of that:

select * from radacct_log where acctuniqueid="xyz";

Regards

Fabrice


On 2017-11-13 at 07:59, Cristian Mammoli via PacketFence-users wrote:
> Hi Fabrice, could you please give me a hint to start looking at what's
> going wrong here? How is bandwidth calculated and where?
>
> Thanks in advance
>
> On 19/10/2017 18:22, Cristian Mammoli via PacketFence-users wrote:
>> If you mean PacketFence is 7.3.0
>> If you mean IOS: Cisco IOS Software, C2960X Software
>> (C2960X-UNIVERSALK9-M), Version 15.2(2)E6, RELEASE SOFTWARE (fc1)
>>
>>
>> On 19/10/2017 16:41, Fabrice Durand via PacketFence-users wrote:
>>> Hello Cristian,
>>>
>>> Which version are you running?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>
>>
>
> -- 
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Jason Sloan via PacketFence-users
Depends on how the authentication request is sent. Is this happening for
one client/port on the switch or the entire switch?

Try setting the source interface:
conf t
ip radius source-interface X (in your case you like

Since your switches are not under heavy load you can flip on some debugs
and take a look at the authentication and make sure it is sourced as
expected.

debug dot1x all
debug authentication all
debug radius authentication



On Tue, Nov 14, 2017 at 12:32 PM, Sokolowski, Darryl wrote:

> Oh, ok. Since we have a ring, all interfaces comprising the ring are
> forwarding except one.
>
> All switches are trunked to each other over the ring. I am certain there
> are no extra errant extra uplinks, since we are just beginning to use the
> switches and  not much plugged into them yet.
>
> How could the blocking cause a machine to appear on a different port?
>
>
>
> I did forget to include one switch is a 4507 chassis. Don’t think this
> should matter.
>
>
>
> Thanks
>
> Darryl
>
>
>
>
>
> *From:* Jason Sloan [mailto:jason.a.sl...@gmail.com]
> *Sent:* Tuesday, November 14, 2017 11:05 AM
> *To:* Sokolowski, Darryl 
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] auth request from wrong switch
>
>
>
> show spanning-tree vlan X (in your case vlan 1)
>
>
>
> Check and see if all ports are in a forwarding state, or at least the ones
> you expect to be in a forwarding state are forwarding. If left to its own
> devices, sometimes spanning tree can make the wrong decision during an
> election. You can manually set spanning tree priorities on your up-links if
> this is the case. If the switches have vlan 1 trunked to each other this
> may be something to look at, otherwise probably not an issue.
>
>
>
> On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl 
> wrote:
>
> Hi thanks for the response.
>
> Sorry, I should have offered more detail on environment.
>
> All switches are Cisco 3560E.
>
> 172.16.0.196 is a switch, all vlans exist on all switches, all switches
> use vlan1 for management, they are trunked via 10GB ring.
>
> I did not set radius source interface.
>
> No NATs.
>
>
>
> Sorry, what do you mean by reviewing spanning tree blocks?
>
>
>
>
>
>
>
> *From:* Jason Sloan [mailto:jason.a.sl...@gmail.com]
> *Sent:* Monday, November 13, 2017 4:23 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Sokolowski, Darryl 
> *Subject:* Re: [PacketFence-users] auth request from wrong switch
>
>
>
> A few questions.
>
> 172.16.0.196 - is that a switch at all? If so, is that switch on the same
> vlan? Have you reviewed your spanning-tree blocks? Are you able to set a
> radius source interface? If so, is it set to the appropriate SVI / L3 link?
> Any NATs in the topology?
>
>
>
> On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi all,
>
> I have a strange problem I can’t see the reason for,
>
> I have machines that get “stuck” unable to access the network seems like
> because the 802.1x authentication request is coming from a switch that the
> device isn’t plugged into.
>
> In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch
> with IP 172.16.0.200.
>
> In the log it shows that the request is coming from 172.16.0.196, and
> authorizes the machine and assigns the correct vlan, but it is assigned to
> the wrong switch, so the client never can access the network.
>
> Further, there is already the correct machine (64:00:6a:7c:34:ce)
> authorized on that port because that machine really does plug in there.
>
>
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip =>
> (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username =>
> "1866da1e060a" (pf::radius::authorize)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role
> from node_info (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning
> role 'Employee' (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN:
> (undefined), Role: Employee (pf::role::fetchRoleForNode)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Nov 13 

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Oh, ok. Since we have a ring, all interfaces comprising the ring are forwarding 
except one.
All switches are trunked to each other over the ring. I am certain there are no 
extra errant extra uplinks, since we are just beginning to use the switches and 
 not much plugged into them yet.
How could the blocking cause a machine to appear on a different port?

I did forget to include one switch is a 4507 chassis. Don’t think this should 
matter.

Thanks
Darryl


From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Tuesday, November 14, 2017 11:05 AM
To: Sokolowski, Darryl 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] auth request from wrong switch

show spanning-tree vlan X (in your case vlan 1)

Check and see if all ports are in a forwarding state, or at least the ones you 
expect to be in a forwarding state are forwarding. If left to its own devices, 
sometimes spanning tree can make the wrong decision during an election. You can 
manually set spanning tree priorities on your up-links if this is the case. If 
the switches have vlan 1 trunked to each other this may be something to look 
at, otherwise probably not an issue.

On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl wrote:
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?



From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Monday, November 13, 2017 4:23 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users wrote:
Hi all,
I have a strange problem I can’t see the reason for,
I have machines that get “stuck” unable to access the network seems like 
because the 802.1x authentication request is coming from a switch that the 
device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning role 
'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN: 
(undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => 
"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] is doing machine auth with account 
'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Jason Sloan via PacketFence-users
show spanning-tree vlan X (in your case vlan 1)

Check and see if all ports are in a forwarding state, or at least the ones
you expect to be in a forwarding state are forwarding. If left to its own
devices, sometimes spanning tree can make the wrong decision during an
election. You can manually set spanning tree priorities on your up-links if
this is the case. If the switches have vlan 1 trunked to each other this
may be something to look at, otherwise probably not an issue.

On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl wrote:

> Hi thanks for the response.
>
> Sorry, I should have offered more detail on environment.
>
> All switches are Cisco 3560E.
>
> 172.16.0.196 is a switch, all vlans exist on all switches, all switches
> use vlan1 for management, they are trunked via 10GB ring.
>
> I did not set radius source interface.
>
> No NATs.
>
>
>
> Sorry, what do you mean by reviewing spanning tree blocks?
>
>
>
>
>
>
>
> *From:* Jason Sloan [mailto:jason.a.sl...@gmail.com]
> *Sent:* Monday, November 13, 2017 4:23 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Sokolowski, Darryl 
> *Subject:* Re: [PacketFence-users] auth request from wrong switch
>
>
>
> A few questions.
>
> 172.16.0.196 - is that a switch at all? If so, is that switch on the same
> vlan? Have you reviewed your spanning-tree blocks? Are you able to set a
> radius source interface? If so, is it set to the appropriate SVI / L3 link?
> Any NATs in the topology?
>
>
>
> On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi all,
>
> I have a strange problem I can’t see the reason for,
>
> I have machines that get “stuck” unable to access the network seems like
> because the 802.1x authentication request is coming from a switch that the
> device isn’t plugged into.
>
> In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch
> with IP 172.16.0.200.
>
> In the log it shows that the request is coming from 172.16.0.196, and
> authorizes the machine and assigns the correct vlan, but it is assigned to
> the wrong switch, so the client never can access the network.
>
> Further, there is already the correct machine (64:00:6a:7c:34:ce)
> authorized on that port because that machine really does plug in there.
>
>
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip =>
> (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username =>
> "1866da1e060a" (pf::radius::authorize)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role
> from node_info (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning
> role 'Employee' (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN:
> (undefined), Role: Employee (pf::role::fetchRoleForNode)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip =>
> (172.16.0.196), connection_type => Ethernet-EAP,switch_mac =>
> (00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username =>
> "host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] is doing machine auth with account
> 'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Instantiate profile Earthcolor_Owned
> (pf::Connection::ProfileFactory::_from_profile)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for
> realm 'null' (pf::config::util::filter_authentication_sources)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) WARN:
> [mac:64:00:6a:7c:34:ce] Calling match with empty/invalid rule class.
> Defaulting to 'authentication' (pf::authentication::match2)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching
> (pf::authentication::match2)
>
> Nov 13 03:12:52 pf1 pfqueue: pfqueue(9628) INFO: [mac:unknown] 
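
Added example, not from the thread and not PacketFence code: a small parser for the `handling radius autz request` lines quoted above that flags a MAC authorised from a switch other than the one it is cabled to, and a switch port carrying more than one MAC. The expected-switch inventory and all function names are assumptions; the first three sample lines are the thread's own log lines re-joined onto one line each, and the last one is constructed.

```python
import re
from collections import defaultdict

# Fields of the pf::radius::authorize log line as they appear in the thread.
AUTZ_RE = re.compile(
    r'handling radius autz request: from switch_ip => \((?P<switch_ip>[^)]+)\), '
    r'connection_type => (?P<connection_type>[^,]+),\s*'
    r'switch_mac => \((?P<switch_mac>[^)]*)\), '
    r'mac => \[(?P<mac>[0-9a-fA-F:]{17})\], port => (?P<port>\d+), '
    r'username => "(?P<username>[^"]*)"'
)

PREFIX = 'packetfence_httpd.aaa: httpd.aaa(24173) INFO: '
SAMPLE_LOG = [
    ('Nov 13 03:12:37 pf1 ' + PREFIX +
     '[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => '
     '(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => '
     '(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, '
     'username => "1866da1e060a" (pf::radius::authorize)'),
    ('Nov 13 03:12:37 pf1 ' + PREFIX +
     '[mac:18:66:da:1e:06:0a] Instantiate profile default '
     '(pf::Connection::ProfileFactory::_from_profile)'),
    ('Nov 13 03:12:52 pf1 ' + PREFIX +
     '[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => '
     '(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => '
     '(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, '
     'username => "host/LoboA7.CORE.LOCAL" (pf::radius::authorize)'),
    # Constructed line: a host that authenticates from its expected switch.
    ('Nov 13 03:13:05 pf1 ' + PREFIX +
     '[mac:00:00:5e:00:53:01] handling radius autz request: from switch_ip => '
     '(172.16.0.200), connection_type => Ethernet-EAP,switch_mac => '
     '(00:00:5e:00:53:ff), mac => [00:00:5e:00:53:01], port => 10105, '
     'username => "host/example" (pf::radius::authorize)'),
]

# Hypothetical inventory: MAC -> management IP of the switch it is cabled to.
# The first two entries follow the original poster's description.
EXPECTED_SWITCH = {
    "18:66:da:1e:06:0a": "172.16.0.200",
    "64:00:6a:7c:34:ce": "172.16.0.196",
    "00:00:5e:00:53:01": "172.16.0.200",  # constructed
}


def parse_autz(lines):
    """Extract one dict per authorization request; other lines are skipped."""
    events = []
    for line in lines:
        match = AUTZ_RE.search(line)
        if match:
            event = match.groupdict()
            event["mac"] = event["mac"].lower()
            event["port"] = int(event["port"])
            events.append(event)
    return events


def find_anomalies(events, expected_switch):
    """Report MACs seen on an unexpected switch and ports shared by several MACs.

    A shared port is not always a fault (a phone with a PC behind it is
    normal), so it is reported separately for a human to judge.
    """
    wrong_switch = []
    macs_by_port = defaultdict(set)
    for event in events:
        macs_by_port[(event["switch_ip"], event["port"])].add(event["mac"])
        want = expected_switch.get(event["mac"])
        if want is not None and want != event["switch_ip"]:
            wrong_switch.append((event["mac"], event["switch_ip"], want))
    shared_port = sorted(
        (key, sorted(macs)) for key, macs in macs_by_port.items()
        if len(macs) > 1
    )
    return {"wrong_switch": wrong_switch, "shared_port": shared_port}


if __name__ == "__main__":
    report = find_anomalies(parse_autz(SAMPLE_LOG), EXPECTED_SWITCH)
    for mac, seen, want in report["wrong_switch"]:
        print("%s authorised via %s, expected %s" % (mac, seen, want))
    for (switch_ip, port), macs in report["shared_port"]:
        print("%s port %d carries %s" % (switch_ip, port, ", ".join(macs)))
```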

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Hi Fabrice,
Thanks for the response.
Weird, I’m not seeing the machine in raddebug.
Today, I have a similar situation with multiple machines, but all these are on 
the same switch, just reporting incorrect ports.
Port 5/2 is the correct port, which after multiple attempts to restart the 
switchport seems to finally have returned the correct assignment.
Strange thing is that other ports with the same issue began working properly 
all at the same time.
The screenshot shows it suddenly began using mab instead of dot1x, then when 
dot1x took over, it was right again.
I do have both configured on the ports, with “authentication order dot1x mab”

[Attached screenshot: image001.png]

The only reference I see in packetfence.log for the MAC address is:

Nov 14 14:58:41 pf1 pfqueue: pfqueue(4152) INFO: [mac:00:26:2d:17:e4:bf] 
deauthenticating (pf::Switch::Cisco::Catalyst_2960::radiusDisconnect)
Nov 14 14:58:41 pf1 pfqueue: pfqueue(4152) WARN: [mac:00:26:2d:17:e4:bf] 
Unknown vendor attribute 9/252 for unpack()
(Net::Radius::Packet::unpack)
Nov 14 14:58:41 pf1 pfqueue: Unknown vendor attribute 9/252 for unpack()

I don’t see the mac in radius.log
I’m checking AD with “chroot /chroots/ wbinfo -u” and it returns the users.

Thanks


From: Durand fabrice via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Monday, November 13, 2017 6:33 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] auth request from wrong switch


Hi Darryl,

Can you also run radius in debug mode to see all the details?

Regards

Fabrice



On 2017-11-13 at 16:22, Jason Sloan via PacketFence-users wrote:
A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users wrote:
Hi all,
I have a strange problem I can’t see the reason for,
I have machines that get “stuck” unable to access the network seems like 
because the 802.1x authentication request is coming from a switch that the 
device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning role 
'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN: 
(undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => 
"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] is doing machine auth with account 
'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Instantiate profile Earthcolor_Owned 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for realm 
'null' (pf::config::util::filter_authentication_sources)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: 

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?



From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Monday, November 13, 2017 4:23 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl 
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users wrote:
Hi all,
I have a strange problem I can’t see the reason for.
I have machines that get “stuck”, unable to access the network, seemingly 
because the 802.1x authentication request is coming from a switch that the 
device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning role 
'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN: 
(undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => 
"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] is doing machine auth with account 
'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Instantiate profile Earthcolor_Owned 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for realm 
'null' (pf::config::util::filter_authentication_sources)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) WARN: 
[mac:64:00:6a:7c:34:ce] Calling match with empty/invalid rule class. Defaulting 
to 'authentication' (pf::authentication::match2)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching 
(pf::authentication::match2)
Nov 13 03:12:52 pf1 pfqueue: pfqueue(9628) INFO: [mac:unknown] undefined source 
id provided (pf::lookup::person::lookup_person)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for realm 
'null' (pf::config::util::filter_authentication_sources)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching 
(pf::authentication::match2)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] Username was NOT defined or unable to match a role - 
returning node based role 'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
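
The wrong-switch symptom in this thread can be checked mechanically. The following is an added example, not code from the thread or from PacketFence: it re-joins mail-wrapped log entries, parses the `pf::radius::authorize` lines quoted in the post, and reports ports that authorized more than one MAC and MACs seen from a switch other than the expected one. The function names and the `EXPECTED_SWITCH` inventory are assumptions; its two entries come from the poster's description.

```python
import re
from collections import defaultdict

# Excerpt copied from the post above, wrapped as the mail client wrapped it.
SAMPLE_LOG = """\
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip =>
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac =>
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username =>
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
[mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip =>
(172.16.0.196), connection_type => Ethernet-EAP,switch_mac =>
(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username =>
"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
"""

# Assumed inventory (MAC -> switch the device is cabled to), filled in from
# the poster's description of where each machine is plugged in.
EXPECTED_SWITCH = {
    "18:66:da:1e:06:0a": "172.16.0.200",
    "64:00:6a:7c:34:ce": "172.16.0.196",
}

# A syslog entry starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
AUTZ = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d [\d:]{8}) .*?handling radius autz request: from "
    r"switch_ip =>\s*\((?P<switch_ip>[^)]+)\),\s*connection_type =>\s*(?P<conn>[^,]+),\s*"
    r"switch_mac =>\s*\((?P<switch_mac>[^)]+)\),\s*mac =>\s*\[(?P<mac>[^\]]+)\],\s*"
    r"port =>\s*(?P<port>\d+)"
)


def unwrap(text):
    """Join continuation lines back onto the log entry they belong to."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_autz(text):
    """Return one dict per RADIUS authorization request found in the log."""
    requests = []
    for entry in unwrap(text):
        m = AUTZ.match(entry)
        if m:
            req = m.groupdict()
            req["mac"] = req["mac"].lower()
            requests.append(req)
    return requests


def shared_ports(requests):
    """Map (switch_ip, port) -> sorted MACs for ports that authorized several MACs.

    Several MACs on one port can be legitimate (phone plus PC, multi-auth),
    so treat the result as a list to review, not as proof of a fault.
    """
    seen = defaultdict(set)
    for r in requests:
        seen[(r["switch_ip"], r["port"])].add(r["mac"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def misplaced(requests, expected):
    """List (mac, expected_switch, seen_switch, port) where the NAS is unexpected."""
    hits = []
    for r in requests:
        want = expected.get(r["mac"])
        hit = (r["mac"], want, r["switch_ip"], r["port"])
        if want and want != r["switch_ip"] and hit not in hits:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    reqs = parse_autz(SAMPLE_LOG)
    print(shared_ports(reqs))
    print(misplaced(reqs, EXPECTED_SWITCH))
```
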

Re: [PacketFence-users] Question about device-registration page

2017-11-14 Thread Marcus Lauer via PacketFence-users
Maybe I should explain what I am envisioning in more detail. The
short version is this: If the admin assigns two or more Roles to a
Device Registration then the user should be given a choice of Role.
Obviously more admins will assign one Role per Device Registration and
this will not be an issue.

As you said, roles should be assigned on the basis of proving
that one has access. However this does not imply that every user should
only have access to one Role. For example a user who has the right to be
in a Role which grants them access to various protected servers might
choose to register as a Guest when they only need basic internet access
on that particular occasion. This makes more sense in some
configurations (short registration periods) than others but it is at
least a plausible scenario. Likewise we might have two untrusted VLANs
with minimal differences, e.g. one for Computers and one for Devices,
the latter with longer registration periods but more access restrictions
on outgoing network traffic, and let the user decide which one is
appropriate for their Raspberry Pi (or whatever).

The UI for unpatched PacketFence 7.3.0 already allows the admin
to add multiple Roles to a Device Registration. So far this has been
treated as a bug. A patch has been released to turn the multi-selection
field which permits the selection of multiple Roles into a drop-down
list which allows only one Role to be selected. I would prefer to allow
multiple Roles to be selected.

Specifically I suggest that when a Device Registration has more
than one Role the user should be allowed to choose from those Roles,
probably with a drop-down box on the registration page. Most admins
won't want to set up access in this manner. When just one Role is
selected then that one Role should automatically be applied and there
should be no drop-down box. However I would like it to be possible to
give users a choice because there are scenarios in which it might be
appropriate.

We're basically just doing the same sort of auth for wired
connections as we might do for wireless: if you can prove you belong
here then you get access. Client systems are being put in a safe zone,
we just happen to want to have two safe zones with slightly different
rules. In our case giving users a choice would make sense. It is not
necessary to give them a choice. We might just end up putting everything
in one VLAN because it's easier. But it would be nice to have the
option, and I think we can implement it in PacketFence in a nice way which
doesn't screw things up for anyone else.

Anyone else have any thoughts on this?



On 11/13/17 12:35, Sallee, Jake via PacketFence-users wrote:
> All:
> 
> Forgive me for jumping in here but I wanted to put in my $.02.
> 
> Generally the user's role is how you assign the user's level of network 
> access.  If you give the user a way to self assign a role you will need to 
> find a way to verify that user has the necessary rights to that role.
> 
> Guests may have different levels of access than patrons/students, while 
> patrons/students will have different access than employees or admin users.
> 
> If you allow the user to self assign the role you will need to somehow prove 
> the user has the appropriate  permissions for that role.
> 
> If you are able to prove the permissions necessary for a given role, then you 
> should be able to automatically assign the role without the user's need to 
> pick one. Right?
> 
> I can see the ability to choose a role being helpful if you have multiple 
> roles with identical access, the ability to choose then could be helpful in 
> reporting.  But, that relies on your users being honest and I just don't 
> trust users ... but that could just be my battle hardened cynicism coming 
> into play : )
> 
> Obviously, there is no disrespect intended here, just joining the discussion.
> 
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
> 
> 900 College St.
> Belton, Texas
> 76513
> 
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> 
> From: Fabrice Durand via PacketFence-users 
> 
> Sent: Monday, November 13, 2017 10:10 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Fabrice Durand
> Subject: Re: [PacketFence-users] Question about device-registration page
> 
> Hello Marcus,
> 
> in the device registration page there is no way to allow the end user to
> choose the role.
> 
> You define it or PacketFence uses the same one as the user.
> 
> Also Julien did this sort of thing you want to use on the device
> registration page but for the captive portal.
> (https://github.com/inverse-inc/packetfence/pull/2471)
> 
> Right now nobody asked to add a way to be able to select a role on the
> device registration page, so if you want to do that we will be happy to
> include this patch in PacketFence.
> 
> Regards
> 
> 

Re: [PacketFence-users] Recommended Distribution / Version

2017-11-14 Thread Fabrice Durand via PacketFence-users
Ok let me fix that.

Btw you can remove the file initial_data.json and do a python manage.py
syncdb.



On 2017-11-14 at 04:12, Jason Sloan wrote:
> Looks like there's 2 more dependencies
> python-ipaddress
> python-idna
>
> Then it looks like I'm bombing out on an initial data load of some
> sort. Based on the output it looks like the syncdb command is being
> issued, but the table doesn't exist in the database.
>
> Full output:
>
> Running transaction
>   Installing : packetfence-pki-1.0.8-1.el7.centos.noarch             1/1
> certificate exist do nothing
> /usr/lib/python2.7/site-packages/django/core/management/commands/syncdb.py:24:
> RemovedInDjango19Warning: The syncdb command will be removed in Django 1.9
>   warnings.warn("The syncdb command will be removed in Django 1.9",
> RemovedInDjango19Warning)
>
> /usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py:229:
> RemovedInDjango19Warning: initial_data fixtures are deprecated. Use
> data migrations instead.
>   RemovedInDjango19Warning
>
> Operations to perform:
>   Synchronize unmigrated apps: staticfiles, rest_framework, pki,
> messages, bootstrap3
>   Apply all migrations: admin, authtoken, contenttypes, auth, sessions
> Synchronizing apps without migrations:
>   Creating tables...
>     Creating table pki_ca
>     Creating table pki_attrib
>     Creating table pki_schema
>     Creating table pki_ldap
>     Creating table pki_certprofile
>     Creating table cert
>     Creating table pki_certrevoked
>     Creating table pki_rest
>     Running deferred SQL...
>   Installing custom SQL...
> Traceback (most recent call last):
>   File "manage.py", line 10, in <module>
>     execute_from_command_line(sys.argv)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 338, in execute_from_command_line
>     utility.execute()
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 330, in execute
>     self.fetch_command(subcommand).run_from_argv(self.argv)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 390, in run_from_argv
>     self.execute(*args, **cmd_options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/syncdb.py",
> line 25, in handle
>     call_command("migrate", **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 120, in call_command
>     return command.execute(*args, **defaults)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/migrate.py",
> line 179, in handle
>     created_models = self.sync_apps(connection,
> executor.loader.unmigrated_apps)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/migrate.py",
> line 364, in sync_apps
>     hide_empty=True,
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 120, in call_command
>     return command.execute(*args, **defaults)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 60, in handle
>     self.loaddata(fixture_labels)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 90, in loaddata
>     self.load_label(fixture_label)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 147, in load_label
>     obj.save(using=self.using)
>   File
> "/usr/lib/python2.7/site-packages/django/core/serializers/base.py",
> line 173, in save
>     models.Model.save_base(self.object, using=using, raw=True)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 738, in save_base
>     updated = self._save_table(raw, cls, force_insert, force_update,
> using, update_fields)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 803, in _save_table
>     forced_update)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 853, in _do_update
>     return filtered._update(values) > 0
>   File "/usr/lib/python2.7/site-packages/django/db/models/query.py",
> line 580, in _update
>     return query.get_compiler(self.db).execute_sql(CURSOR)
>   File
> "/usr/lib/python2.7/site-packages/django/db/models/sql/compiler.py",
> line 1059, in execute_sql
>     cursor = super(SQLUpdateCompiler, self).execute_sql(result_type)
>   File
> 

Re: [PacketFence-users] Recommended Distribution / Version

2017-11-14 Thread Jason Sloan via PacketFence-users
Fabrice,

Thanks for the quick response. I just did a clean install on CentOS 7 and
received errors when installing packetfence-pki.

Base install.
yum update
install packetfence repo.
yum install --enablerepo=packetfence,packetfence-extra python-cryptography
(this is because if packetfence is installed using base python-crypto, I
can't install from binaries later.)
yum install --enablerepo=packetfence packetfence
do basic configuration of pf and start services.
yum install --nogpgcheck --enablerepo=packetfence,packetfence-extra packetfence-pki

During install the following errors are generated:

Running transaction
  Installing : python-ldap-2.4.15-2.el7.x86_64                     1/16
  Updating   : pyOpenSSL-17.2.0-9.1.noarch                         2/16
  Updating   : python-django-bash-completion-1.8.1-3.1.noarch      3/16
  Updating   : python-django-1.8.1-3.1.noarch                      4/16
  Installing : python-django-rest-framework-3.1.1-16.1.noarch      5/16
  Updating   : python-django-tagging-0.3.6-5.1.noarch              6/16
  Installing : python2-django-formtools-1.0-4.1.noarch             7/16
  Installing : django-countries-5.0-4.1.noarch                     8/16
  Installing : python2-asn1crypto-0.22.0-2.el7.centos.noarch       9/16
  Installing : python-django-bootstrap3-5.1.0-4.1.noarch          10/16
  Installing : python2-pyasn1-modules-0.1.9-7.el7.noarch          11/16
  Installing : packetfence-pki-1.0.8-1.el7.centos.noarch          12/16
Generating a 2048 bit RSA private key
..+++
..+++
writing new private key to '/usr/local/packetfence-pki/conf/server.key'
-
Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 338, in execute_from_command_line
    utility.execute()
  File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 312, in execute
    django.setup()
  File "/usr/lib/python2.7/site-packages/django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/lib/python2.7/site-packages/django/apps/registry.py", line 108, in populate
    app_config.import_models(all_models)
  File "/usr/lib/python2.7/site-packages/django/apps/config.py", line 198, in import_models
    self.models_module = import_module(models_module_name)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/local/packetfence-pki/pki/models.py", line 16, in <module>
    from OpenSSL import crypto
  File "/usr/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
  File "/usr/lib64/python2.7/site-packages/cryptography/x509/__init__.py", line 9, in <module>
    from cryptography.x509.base import (
  File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 16, in <module>
    from cryptography.x509.extensions import Extension, ExtensionType
  File "/usr/lib64/python2.7/site-packages/cryptography/x509/extensions.py", line 10, in <module>
    import ipaddress
ImportError: No module named ipaddress
  Cleanup: python-django-tagging-0.3.1-11.1.noarch                13/16
  Cleanup: python-django-1.6.11-15.1.noarch



On Mon, Nov 13, 2017 at 6:27 PM, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jason,
>
> use Centos 7, this is the version we use to develop.
>
> Also I did some fixes on the pki to make it work under Centos 7, just tell
> me what the issue is and I will fix it.
>
> On 2017-11-13 at 15:30, Jason Sloan via PacketFence-users wrote:
>
> Wondering if there's a recommended distribution for Packetfence. I
> initially tried with Centos 7, but I'm having trouble installing
> packetfence-pki. I poked around with Ubuntu LTS 16.04, but similar issues.
>
> I'd like to essentially do the following:
>
>
> - Use packetfence for RADIUS auth for Network Administration (Switch
>   CLI)
>
> Supported, it depends on the switch model.
>
>
> - Authenticate VPN users via RADIUS MSPKI+Password (Add two-factor in
>   the future)
>
> You will probably need to play with Freeradius for that.
>
>
> - Authenticate Corporate WiFi (EAP-TLS from MSPKI AutoEnrollment
>   Certificates)
>
> Supported, https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html
>
>
> - Provision BYOD Devices (PacketFence as a SubCA issued by MSPKI) (I
>   believe this is where packetfence-pki comes in)
>
> PacketFence-pki or MSPKI.
>
>
> It seems like many of the instructions / precompiled binaries are for
> older versions of Debian or RHEL. I'd like to avoid compiling from source or
> wandering the internet looking to satisfy dependencies.
>
> I think I'm going to give Centos 6 a shot.
>
> You can't install PacketFence 

Re: [PacketFence-users] Recommended Distribution / Version

2017-11-14 Thread Jason Sloan via PacketFence-users
Looks like there's 2 more dependencies
python-ipaddress
python-idna

Then it looks like I'm bombing out on an initial data load of some sort.
Based on the output it looks like the syncdb command is being issued, but
the table doesn't exist in the database.

Full output:

Running transaction
  Installing : packetfence-pki-1.0.8-1.el7.centos.noarch             1/1
certificate exist do nothing
/usr/lib/python2.7/site-packages/django/core/management/commands/syncdb.py:24:
RemovedInDjango19Warning: The syncdb command will be removed in Django 1.9
  warnings.warn("The syncdb command will be removed in Django 1.9",
RemovedInDjango19Warning)

/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py:229:
RemovedInDjango19Warning: initial_data fixtures are deprecated. Use data
migrations instead.
  RemovedInDjango19Warning

Operations to perform:
  Synchronize unmigrated apps: staticfiles, rest_framework, pki, messages,
bootstrap3
  Apply all migrations: admin, authtoken, contenttypes, auth, sessions
Synchronizing apps without migrations:
  Creating tables...
    Creating table pki_ca
    Creating table pki_attrib
    Creating table pki_schema
    Creating table pki_ldap
    Creating table pki_certprofile
    Creating table cert
    Creating table pki_certrevoked
    Creating table pki_rest
    Running deferred SQL...
  Installing custom SQL...
Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 338, in execute_from_command_line
    utility.execute()
  File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 330, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/lib/python2.7/site-packages/django/core/management/base.py", line 390, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/lib/python2.7/site-packages/django/core/management/base.py", line 441, in execute
    output = self.handle(*args, **options)
  File "/usr/lib/python2.7/site-packages/django/core/management/commands/syncdb.py", line 25, in handle
    call_command("migrate", **options)
  File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 120, in call_command
    return command.execute(*args, **defaults)
  File "/usr/lib/python2.7/site-packages/django/core/management/base.py", line 441, in execute
    output = self.handle(*args, **options)
  File "/usr/lib/python2.7/site-packages/django/core/management/commands/migrate.py", line 179, in handle
    created_models = self.sync_apps(connection, executor.loader.unmigrated_apps)
  File "/usr/lib/python2.7/site-packages/django/core/management/commands/migrate.py", line 364, in sync_apps
    hide_empty=True,
  File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 120, in call_command
    return command.execute(*args, **defaults)
  File "/usr/lib/python2.7/site-packages/django/core/management/base.py", line 441, in execute
    output = self.handle(*args, **options)
  File "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 60, in handle
    self.loaddata(fixture_labels)
  File "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 90, in loaddata
    self.load_label(fixture_label)
  File "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 147, in load_label
    obj.save(using=self.using)
  File "/usr/lib/python2.7/site-packages/django/core/serializers/base.py", line 173, in save
    models.Model.save_base(self.object, using=using, raw=True)
  File "/usr/lib/python2.7/site-packages/django/db/models/base.py", line 738, in save_base
    updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)
  File "/usr/lib/python2.7/site-packages/django/db/models/base.py", line 803, in _save_table
    forced_update)
  File "/usr/lib/python2.7/site-packages/django/db/models/base.py", line 853, in _do_update
    return filtered._update(values) > 0
  File "/usr/lib/python2.7/site-packages/django/db/models/query.py", line 580, in _update
    return query.get_compiler(self.db).execute_sql(CURSOR)
  File "/usr/lib/python2.7/site-packages/django/db/models/sql/compiler.py", line 1059, in execute_sql
    cursor = super(SQLUpdateCompiler, self).execute_sql(result_type)
  File "/usr/lib/python2.7/site-packages/django/db/models/sql/compiler.py", line 837, in execute_sql
    cursor.execute(sql, params)
  File "/usr/lib/python2.7/site-packages/django/db/backends/utils.py", line 79, in execute
    return super(CursorDebugWrapper, self).execute(sql, params)
  File "/usr/lib/python2.7/site-packages/django/db/backends/utils.py", line 64, in execute
    return self.cursor.execute(sql, params)
  File "/usr/lib/python2.7/site-packages/django/db/utils.py", line 97, in __exit__
    six.reraise(dj_exc_type, dj_exc_value, traceback)
  File