Re: [PacketFence-users] Radius Filter

2018-02-19 Thread Durand fabrice via PacketFence-users

Hello John,

It can't work with portal preview since the filter uses the RADIUS request.

It must be a real test.

Regards

Fabrice



On 2018-02-16 at 05:37, John Sayce via PacketFence-users wrote:

So I'm working remotely at the moment.  The floating address I have configured 
is 00:11:22:33:44:55 and I'm using the portal preview feature, so if that's not 
going to work I understand, although I did also test it on site.  I can't see 
anything mentioning the vlan filter in the log.  It's as follows:

Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
Authenticating user using sources : ASD 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] [ASD] 
Authentication successful for jsayce 
(pf::Authentication::Source::LDAPSource::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
Authentication successful for 'jsayce' in source ASD (AD) 
(pf::authentication::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Successfully 
authenticated jsayce 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Calling match 
with empty/invalid rule class. Defaulting to 'authentication' 
(pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: 

Re: [PacketFence-users] Meru 3200 & packetfence 7.4 ssh & telnet not working

2018-02-19 Thread Durand fabrice via PacketFence-users

Hello Derek,

It looks like we got an issue on the mailing list, does it work now?

Regards

Fabrice



On 2018-02-16 at 09:22, Derek Brabrook via PacketFence-users wrote:

My bad I found the "no station" in the new Meru.pm you pointed me to

Derek


*From: *"packetfence-users" 
*To: *"packetfence-users" 
*Cc: *"Durand fabrice" 
*Sent: *Friday, 16 February, 2018 03:02:55
*Subject: *Re: [PacketFence-users] Meru 3200 & packetfence 7.4 ssh & 
telnet not working


Hello Derek,

It looks like the Perl library has been updated and is no longer 
compatible with the PacketFence code.


You can try to use the Transport and personality parameters where it uses 
Net::Appliance::Session, there: 
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Meru.pm#L158



http://search.cpan.org/~oliver/Net-Appliance-Session-4.31/lib/Net/Appliance/Session.pm


Regards
Fabrice

On 2018-02-13 at 14:34, Derek Brabrook via PacketFence-users wrote:


We run a Meru 3200 controller (software Version 5.1-75), I have
Packetfence (7.4) running from
an ESXi VM on a trunked connection on a Debian Jessie flavour of
linux and everything seems to be working.

except for de-association via telnet or ssh on the Meru, every
time it attempts to de-associate via telnet or ssh
it throws this in

/usr/local/pf/logs/packetfence.log

Feb 10 17:15:58 packet pfqueue: pfqueue(14065) INFO:
[mac:d0:df:9a:66:af:d4] [d0:df:9a:66:af:d4] DesAssociating mac on
switch (10.11.60.2) (pf::api::desAssociate)
Feb 10 17:15:58 packet pfqueue: pfqueue(14065) ERROR:
[mac:d0:df:9a:66:af:d4] Unable to connect to 10.11.60.2 using SSH.
Failed with Missing required arguments: personality, transport at
(eval 1979) line 75.
(pf::Switch::Meru::deauthenticateMacDefault)

or


Feb 8 16:11:12 packet pfqueue: pfqueue(7868) ERROR:
[mac:d0:df:9a:66:af:d4] Unable to connect to 10.11.60.2 using Telnet.
Failed with Missing required arguments: personality, transport at
(eval 2035) line 75.




I've tried all combinations in the Switches settings from SNMP to
Telnet and SSH I've even logged into the packetfence server
su'd to the packetfence user and initiated an SSH connection to
the Meru to accept the keys, but always the same error in
packetfence.log

functionally it works if you connect to the wifi then register on
the portal, then turn off your wifi, turn back on and connect to
the same SSID
it puts you in the right VLAN and everything works as it should,
it just won't de-associate on the Meru with ssh or telnet.

I'm aware of the PMK caching issues, our version allows you to
turn off PMK caching, and I'm aware that Meru doesn't pass the
SSID with the radius
request on an open wifi and only supports CLI de-association via
telnet or SSH, but I've run out of steam on this one I cannot see
how I can get it to de-associate
if it won't connect to the Meru CLI.

the user I've created on the Meru has level 15 access so it
doesn't need elevated privs on the meru but it never gets that far


switches.conf

[10.11.60.2]
registrationVlan=10
defaultVlan=40
isolationVlan=20
description=Meru
radiusSecret=redacted
deauthMethod=Telnet
cliUser=pf
cliPwd=redacted
cliEnablePwd=redacted
guestVlan=248
VoIPLLDPDetect=N
controllerIp=10.11.60.2
cliAccess=Y
VoIPCDPDetect=N
ExternalPortalEnforcement=Y
VoIPDHCPDetect=N
macDetectionVlan=232
type=Meru::MC

Am I missing something glaringly obvious here ? Any help appreciated


Regards

Derek




--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users




--
Derek Brabrook
Technegydd TG | IT Technician
01267 245326
Ysgol Uwchradd Y Frenhines Elisabeth | Queen Elizabeth High School
Heol Llansteffan, Tre Ioan, Caerfyrddin, SA31 3NL | Llanstephan Road, 
Johnstown,

Carmarthen, SA31 3NL






Re: [PacketFence-users] dhcp-listener "interface in every vlan"

2018-02-19 Thread Durand fabrice via PacketFence-users

Hello David,

Did you enable RADIUS accounting on the WLC? Because you can have 
the IP address of the device inside the accounting packet.


Regards

Fabrice



On 2018-02-17 at 02:35, David Brustad via PacketFence-users wrote:

Hello everyone,

-Cisco WLC 4400
-Production DHCP server served by Cisco Router
-Packetfence ZEN 7.4.0 VM eth0 management, eth1 vlans 119 (role_119) 
120 (registration) 121 (isolation)

-iphone with MAC 68:db:ca:05:5c:39

Ok so I have everything working for the most part:

iphone connects to test_ssid, and is served vlan 120 IP address via 
packetfence dhcp.

iphone is directed to portal when any web page is loaded
accept AUP -> login -> select role (vlan 119, or vlan 115) works fine, 
the vlan requested is assigned, and is reflected in the nodes page of 
packetfence, but the new destination IP address is not shown, simply 
the registration IP that the device was assigned from. The phone does 
receive its new ip address from Cisco router and can then browse the 
web like normal.


When I run tail -f /usr/local/pf/logs/pfdhcplistener.log I can see the 
phone get its address from packetfence in registration vlan 120, but 
when the new role is assigned to vlan 119, there is no activity from 
that vlan in the dhcplistener log.


Any ideas to troubleshoot dhcp listener would be amazing- thank you 
guys for such an awesome software package!


Thanks,
David


I can ping:

-from packetfence 10.10.119.15 to the router management interface / 
and back
-from packetfence 10.10.119.15 to router dhcp interface 10.10.119.1 / 
and back



/etc/sysconfig/network-scripts/ifcfg-eth1.119

DEVICE=eth1.119
VLAN=yes
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
IPADDR=10.10.119.15
NETMASK=255.255.255.0


/usr/local/pf/conf/pf.conf

# Comma-delimited list of DHCP servers.  Passthroughs are created to allow DHCP transactions from even "trapped" nodes.


dhcpservers=127.0.0.1,10.10.119.1

[interface eth1.119]
ip=10.10.119.15
type=dhcp-listener
mask=255.255.255.0
gateway=10.10.119.3


/usr/local/pf/logs/pfdhcplistener.log

Feb 17 05:59:30 PacketFence-ZEN pfdhcplistener: pfdhcplistener(3169) 
INFO: [mac:[undef]] DHCP detector on eth1.121 enabled (main::setup_global)


Feb 17 05:59:30 PacketFence-ZEN pfdhcplistener: pfdhcplistener(3169) 
INFO: [mac:[undef]] Reload configuration on eth1.121 
(main::reload_config)


Feb 17 05:59:30 PacketFence-ZEN pfdhcplistener: pfdhcplistener(3171) 
INFO: [mac:[undef]] DHCP detector on eth0 enabled (main::setup_global)


Feb 17 05:59:30 PacketFence-ZEN pfdhcplistener: pfdhcplistener(3171) 
INFO: [mac:[undef]] Reload configuration on eth0 (main::reload_config)


Feb 17 05:59:30 PacketFence-ZEN pfdhcplistener: pfdhcplistener(3170) 
INFO: [mac:[undef]] DHCP detector on eth1.120 enabled (main::setup_global)


Feb 17 05:59:30 PacketFence-ZEN pfdhcplistener: pfdhcplistener(3170) 
INFO: [mac:[undef]] Reload configuration on eth1.120 (main::reload_config)


Feb 17 05:59:30 PacketFence-ZEN pfdhcplistener: pfdhcplistener(3172) 
INFO: [mac:[undef]] DHCP detector on eth1.119 enabled (main::setup_global)


Feb 17 05:59:30 PacketFence-ZEN pfdhcplistener: pfdhcplistener(3172) 
INFO: [mac:[undef]] Reload configuration on eth1.119 (main::reload_config)



Feb 17 06:00:44 PacketFence-ZEN pfdhcplistener: pfqueue(3097) INFO: 
[mac:unknown] DHCPREQUEST from bc:b3:08:fb:a5:9d (10.10.120.20) 
(pf::dhcp::processor_v4::parse_dhcp_request)


Feb 17 06:00:44 PacketFence-ZEN pfdhcplistener: pfqueue(3100) INFO: 
[mac:unknown] DHCPACK from 10.10.120.9 (00:50:56:9e:bd:64) to host 
bc:b3:08:fb:a5:9d (10.10.120.20) for 30 seconds 
(pf::dhcp::processor_v4::parse_dhcp_ack)


Feb 17 06:00:44 PacketFence-ZEN pfdhcplistener: pfqueue(3100) INFO: 
[mac:unknown] The listener process is on the same server as the DHCP 
server. (pf::dhcp::processor_v4::pf_is_dhcp)


Feb 17 06:00:44 PacketFence-ZEN pfdhcplistener: pfqueue(3097) INFO: 
[mac:unknown] The listener process is on the same server as the DHCP 
server. (pf::dhcp::processor_v4::pf_is_dhcp)


Feb 17 06:01:22 PacketFence-ZEN pfdhcplistener: pfqueue(3101) INFO: 
[mac:unknown] DHCPREQUEST from 68:db:ca:05:5c:39 (10.10.119.120) with 
lease of 7776000 seconds (pf::dhcp::processor_v4::parse_dhcp_request)


Feb 17 06:01:22 PacketFence-ZEN pfdhcplistener: pfqueue(3101) INFO: 
[mac:unknown] The listener process is NOT on the same server as the 
DHCP server. (pf::dhcp::processor_v4::pf_is_dhcp)



Feb 17 06:01:26 PacketFence-ZEN pfdhcplistener: pfqueue(3101) INFO: 
[mac:unknown] DHCPREQUEST from 68:db:ca:05:5c:39 (10.10.120.15) 
(pf::dhcp::processor_v4::parse_dhcp_request)


Feb 17 06:01:26 PacketFence-ZEN pfdhcplistener: pfqueue(3101) INFO: 
[mac:unknown] The listener process is on the same server as the DHCP 
server. (pf::dhcp::processor_v4::pf_is_dhcp)


Feb 17 06:01:26 PacketFence-ZEN pfdhcplistener: pfqueue(3098) INFO: 
[mac:unknown] DHCPACK from 10.10.120.9 (00:50:56:9e:bd:64) to host 
68:db:ca:05:5c:39 (10.10.120.15) for 30 seconds 
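
An added example, not part of the original thread or of PacketFence: a small parser that re-joins mail-wrapped pfdhcplistener.log lines like the ones quoted above and reports, per client MAC, in which subnets a DHCPREQUEST and a DHCPACK were logged. The sample lines are constructed from the excerpt's format, and the /24 prefix is an assumption taken from the netmask in the posted interface configuration.

```python
import ipaddress
import re

# Constructed sample: lines modelled on the pfdhcplistener.log excerpt in the
# thread above, hard-wrapped the way a mail client wraps them.
SAMPLE_LOG = """\
Feb 17 06:00:44 PacketFence-ZEN pfdhcplistener: pfqueue(3097) INFO:
[mac:unknown] DHCPREQUEST from bc:b3:08:fb:a5:9d (10.10.120.20)
(pf::dhcp::processor_v4::parse_dhcp_request)

Feb 17 06:00:44 PacketFence-ZEN pfdhcplistener: pfqueue(3100) INFO:
[mac:unknown] DHCPACK from 10.10.120.9 (00:50:56:9e:bd:64) to host
bc:b3:08:fb:a5:9d (10.10.120.20) for 30 seconds
(pf::dhcp::processor_v4::parse_dhcp_ack)

Feb 17 06:01:22 PacketFence-ZEN pfdhcplistener: pfqueue(3101) INFO:
[mac:unknown] DHCPREQUEST from 68:db:ca:05:5c:39 (10.10.119.120) with
lease of 7776000 seconds (pf::dhcp::processor_v4::parse_dhcp_request)

Feb 17 06:01:26 PacketFence-ZEN pfdhcplistener: pfqueue(3101) INFO:
[mac:unknown] DHCPREQUEST from 68:db:ca:05:5c:39 (10.10.120.15)
(pf::dhcp::processor_v4::parse_dhcp_request)

Feb 17 06:01:26 PacketFence-ZEN pfdhcplistener: pfqueue(3098) INFO:
[mac:unknown] DHCPACK from 10.10.120.9 (00:50:56:9e:bd:64) to host
68:db:ca:05:5c:39 (10.10.120.15) for 30 seconds
(pf::dhcp::processor_v4::parse_dhcp_ack)
"""

# A record starts with a syslog timestamp such as "Feb 17 06:00:44 ".
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
REQUEST = re.compile(rf"DHCPREQUEST from (?P<mac>{MAC}) \((?P<ip>{IPV4})\)", re.I)
ACK = re.compile(
    rf"DHCPACK from (?P<server>{IPV4}) \({MAC}\) "
    rf"to host (?P<mac>{MAC}) \((?P<ip>{IPV4})\)",
    re.I,
)


def unwrap(text):
    """Re-join hard-wrapped lines into one string per syslog record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def dhcp_events(text):
    """Return (timestamp, message type, client MAC, client IP, server IP) tuples."""
    events = []
    for record in unwrap(text):
        stamp = record[:15]
        m = ACK.search(record)
        if m:
            events.append((stamp, "DHCPACK", m["mac"].lower(), m["ip"], m["server"]))
            continue
        m = REQUEST.search(record)
        if m:
            events.append((stamp, "DHCPREQUEST", m["mac"].lower(), m["ip"], None))
    return events


def subnets_seen(events, mac, prefixlen=24):
    """Map each subnet a client MAC appeared in to the DHCP message types seen there."""
    seen = {}
    for _stamp, kind, client, ip, _server in events:
        if client != mac.lower():
            continue
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        kinds = seen.setdefault(net, [])
        if kind not in kinds:
            kinds.append(kind)
    return seen


def missing_ack(events, mac, prefixlen=24):
    """Subnets where a REQUEST from mac was logged but no ACK to it was."""
    return sorted(
        net
        for net, kinds in subnets_seen(events, mac, prefixlen).items()
        if "DHCPACK" not in kinds
    )


if __name__ == "__main__":
    evts = dhcp_events(SAMPLE_LOG)
    for client in sorted({e[2] for e in evts}):
        print(client, subnets_seen(evts, client), "no ACK in:", missing_ack(evts, client))
```

Run against the real file with `dhcp_events(open("/usr/local/pf/logs/pfdhcplistener.log").read())`; a subnet listed by `missing_ack` means the listener logged the client's request there but no server reply.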

Re: [PacketFence-users] VRRP on portal interface?

2018-02-19 Thread Durand fabrice via PacketFence-users

Hello Jason,

the VIP in the admin interface is when you have an active/passive cluster.

So remove it and just use the cluster.conf file, it should be ok.

Regards

Fabrice



On 2018-02-16 at 12:27, Trinklein, Jason R via PacketFence-users wrote:


I have specified a virtual IP address for the portal interface for all 
three cluster members in the web interface, but I’m unable to ping the 
VIP. I have set high-availability in cluster.conf for the portal 
interface as well. What am I missing?


Thank you,

--

*Jason Trinklein*

/Wireless Engineering Manager/

College of Charleston

81 St. Philip Street | Office 311D | Charleston, SC 29403

trinkle...@cofc.edu  | (843) 300–8009





Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-19 Thread Eugene Pefti via PacketFence-users
Yes, Fabrice. I will send it shortly once I get home

Sent from iPhone

From:  "packetfence-users@lists.sourceforge.net"

Reply-To:  "packetfence-users@lists.sourceforge.net"

Date:  Sunday, February 18, 2018 at 10:51 AM
To:  "packetfence-users@lists.sourceforge.net"

Cc:  Fabrice Durand 
Subject:  Re: [PacketFence-users] Access to PF captive portal is blocked


 

Hello Eugene,
 do you have the capture ?
 
 Regards
 Fabrice
 
 
On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:
 
 
> 
>  
> 
> Hi Fabrice,
>  
> I dare sending it again believing my previous email fell into cracks.
>  
> Can you please advise what could be wrong (see below)
>  
>  
>  
> Eugene
>  
>  
>  
>  
>  
>  
>  
> 
> From: E.P. [mailto:ype...@gmail.com]
>  Sent: Wednesday, February 14, 2018 1:08 AM
>  To: packetfence-users@lists.sourceforge.net
>  Subject: Access to PF captive portal is blocked
>  
>  
>  
>  
>  
> Hello folks,
>  
> I really hope someone who ran into a similar problem will shed some light.
>  
> Feeling bad we don't hear anything from Fabrice or someone from inverse.
>  
> I have an out-of-band deployment of PF and my WiFi client gets connected and
> redirected to PF
>  
> I see redirects by capturing the traffic on PF by tcpdump.
>  
> But… I see that PF sends TCP resets even for TCP SYN packet coming from the
> client.
>  
> It seems to me it is just iptables firewall that blocks it.
>  
> Why ? Where am I supposed to enter those IP addresses that are allowed to go
> through captive portal registration?
>  
> I do allow PF IP address in the pre-authorization access list and my ping to
> FQDN of PF succeeds normally.
>  
> It is only HTTP(s) doesn't go through.
>  
> Even manually entered URL in the client browser doesn't open up any page, i.e.
> https://pf.blabla.com/captive-portal or https://172.16.0.222/captive-portal
>  
>  
>  
> Eugene
>  
>  
>   
>  


Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-19 Thread E.P. via PacketFence-users
Here it is, Fabrice

10.0.254.3 is the WiFi client and 172.16.0.222 is PF.

Tcpdump.pcap is attached and it is made right on PF

The second capture is made on the laptop connected to guest WiFi.

It contains pings to PF but all TCP SYN requests are answered with RST.

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Sunday, February 18, 2018 10:51 AM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

Hello Eugene,

do you have the capture ?

Regards
Fabrice

On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:

Hi Fabrice,

I dare sending it again believing my previous email fell into cracks.

Can you please advise what could be wrong (see below)

 

Eugene

 

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Wednesday, February 14, 2018 1:08 AM
To: packetfence-users@lists.sourceforge.net
 
Subject: Access to PF captive portal is blocked

 

Hello folks,

I really hope someone who ran into a similar problem will shed some light.

Feeling bad we don’t hear anything from Fabrice or someone from inverse.

I have an out-of-band deployment of PF and my WiFi client gets connected and
redirected to PF

I see redirects by capturing the traffic on PF by tcpdump.

But… I see that PF sends TCP resets even for TCP SYN packet coming from the
client.

It seems to me it is just iptables firewall that blocks it. 

Why ? Where am I supposed to enter those IP addresses that are allowed to go
through captive portal registration?

I do allow PF IP address in the pre-authorization access list and my ping to
FQDN of PF succeeds normally.

It is only HTTP(s) doesn’t go through. 

Even manually entered URL in the client browser doesn’t open up any page,
i.e. https://pf.blabla.com/captive-portal or
https://172.16.0.222/captive-portal

 

Eugene








 



tcpdump.pcap
Description: Binary data


laptop capture.pcap
Description: Binary data


Re: [PacketFence-users] Unable to De-register node 7.4

2018-02-19 Thread Durand fabrice via PacketFence-users

Hello Michael,

can you try to run pf-maint.pl, it should be ok after that.

Regards

Fabrice



On 2018-02-16 at 12:27, Michael Holt via PacketFence-users wrote:


Hi,

I'm running into an issue when trying to De-Register a node.  I see 
this in the logs:


==> httpd.admin.log <==

Feb 16 17:21:27 nac-01 httpd_admin: httpd.admin(4755) ERROR: 
[mac:unknown] Caught exception in 
pfappserver::Controller::Node->bulk_deregister "missing required param 
'driver' or 'driver_class' at /usr/local/pf/lib/pf/ip4log.pm line 
673." (pfappserver::PacketFence::Controller::Root::end)


==> httpd.admin.access <==

Feb 16 17:21:27 nac-01 httpd_admin_access: 10.2.40.32 - - 
[16/Feb/2018:17:21:27 +]  "10.2.20.71:1443" "POST 
/node/bulk_deregister HTTP/1.1" 500 82 
"https://10.2.20.71:1443/admin/nodes; "Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" 58541


Feb 16 17:23:35 nac-01 httpd_admin_access: 10.2.40.32 - - 
[16/Feb/2018:17:23:34 +]  "10.2.20.71:1443" "GET 
/node/00:15:65:c4:27:d4/read?_=1518763555390 HTTP/1.1" 200 13663 
"https://10.2.20.71:1443/admin/nodes; "Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" 288438


==> httpd.admin.audit.log <==

{"status":200,"context":"/node/update","action":"update","user":"admin","mac":"00:15:65:c4:27:d4","happened_at":"Fri 
Feb 16 17:23:38 2018"}


==> httpd.admin.log <==

Feb 16 17:23:38 nac-01 httpd_admin: httpd.admin(12540) ERROR: 
[mac:unknown] Trying to save a NULL value in a non nullable field 
node.unregdate (pf::dal::validate_field)


Feb 16 17:23:38 nac-01 httpd_admin: httpd.admin(12540) ERROR: 
[mac:unknown] Skipping invalid value (NULL) in when inserting field 
node.unregdate (pf::dal::_insert_data)


Feb 16 17:23:38 nac-01 httpd_admin: httpd.admin(12540) ERROR: 
[mac:unknown] Trying to save a NULL value in a non nullable field 
node.unregdate (pf::dal::validate_field)


Feb 16 17:23:38 nac-01 httpd_admin: httpd.admin(12540) ERROR: 
[mac:unknown] Skipping invalid value (NULL) in when updating field 
node.unregdate (pf::dal::_update_data)


Feb 16 17:23:38 nac-01 httpd_admin: httpd.admin(12540) INFO: 
[mac:unknown] re-evaluating access (admin_modify called) 
(pf::enforcement::reevaluate_access)


Feb 16 17:23:38 nac-01 httpd_admin: httpd.admin(12540) INFO: 
[mac:unknown] VLAN reassignment is forced. 
(pf::enforcement::_should_we_reassign_vlan)


Feb 16 17:23:38 nac-01 httpd_admin: httpd.admin(12540) INFO: 
[mac:unknown] switch port is (10.2.21.224) ifIndex 13 connection type: 
Wired MAC Auth (pf::enforcement::_vlan_reevaluation)


==> httpd.admin.access <==

Feb 16 17:23:38 nac-01 httpd_admin_access: 10.2.40.32 - - 
[16/Feb/2018:17:23:38 +]  "10.2.20.71:1443" "POST 
/node/00:15:65:c4:27:d4/update HTTP/1.1" 200 2 
"https://10.2.20.71:1443/admin/nodes; "Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" 167437


Feb 16 17:23:40 nac-01 httpd_admin_access: 10.2.40.32 - - 
[16/Feb/2018:17:23:39 +]  "10.2.20.71:1443" "POST 
/node/search?direction=asc_num=1=mac HTTP/1.1" 200 78786 
"https://10.2.20.71:1443/admin/nodes; "Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" 422240


Feb 16 17:23:44 nac-01 httpd_admin_access: 10.2.40.32 - - 
[16/Feb/2018:17:23:44 +]  "10.2.20.71:1443" "POST 
/node/bulk_deregister HTTP/1.1" 500 82 
"https://10.2.20.71:1443/admin/nodes; "Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" 56429


==> httpd.admin.log <==

Feb 16 17:23:44 nac-01 httpd_admin: httpd.admin(12540) ERROR: 
[mac:unknown] Caught exception in 
pfappserver::Controller::Node->bulk_deregister "missing required param 
'driver' or 'driver_class' at /usr/local/pf/lib/pf/ip4log.pm line 
673." (pfappserver::PacketFence::Controller::Root::end)


==> httpd.admin.access <==

Feb 16 17:23:47 nac-01 httpd_admin_access: 10.2.40.32 - - 
[16/Feb/2018:17:23:47 +]  "10.2.20.71:1443" "GET 
/node/00:15:65:c4:27:d4/read?_=1518763555391 HTTP/1.1" 200 13663 
"https://10.2.20.71:1443/admin/nodes; "Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" 902804


==> httpd.admin.log <==

Feb 16 17:23:52 nac-01 httpd_admin: httpd.admin(4755) ERROR: 
[mac:unknown] Caught exception in 
pfappserver::Controller::Node->update "missing required param 'driver' 
or 'driver_class' at /usr/local/pf/lib/pf/ip4log.pm line 673." 
(pfappserver::PacketFence::Controller::Root::end)


==> httpd.admin.access <==

Feb 16 17:23:52 nac-01 httpd_admin_access: 10.2.40.32 - - 
[16/Feb/2018:17:23:52 +]  "10.2.20.71:1443" "POST 
/node/00:15:65:c4:27:d4/update HTTP/1.1" 500 82 
"https://10.2.20.71:1443/admin/nodes; "Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" 201418


*Michael Holt - IT*

2107 W. Alameda Ave. |  Burbank, CA 91506

P: 818.525.1860  | C: 818.967.8409  | michael.h...@ladb.com 



www.ladb.com   | www.ladb.tv 

Re: [PacketFence-users] Unifi APs and CoA

2018-02-19 Thread Eugene Pefti via PacketFence-users
Good job, Chris and thanks for sharing your progress.
I dare asking my stupid question again ;)
Why can't users who associated to guest WiFi (Open with a redirect to PF captive
portal) reach PF via HTTP?
They receive an IP address from the local DHCP server and then can ping PF but
there's no way to go through self-registration

Eugene

From:  "packetfence-users@lists.sourceforge.net"

Reply-To:  "packetfence-users@lists.sourceforge.net"

Date:  Thursday, February 15, 2018 at 8:00 AM
To:  "packetfence-users@lists.sourceforge.net"

Cc:  Chris Abel 
Subject:  Re: [PacketFence-users] Unifi APs and CoA

Hey All,

I was able to get deauth working with my Unifi APs and it seems everything
is working smoothly. Here is the configuration I used for the switch in
packetfence:

[Unifi AP IP Address or subnet]

description=Unifi Access Points

group=Unifi

radiusSecret=RaidusPassword

controllerIp=Unifi Controller IP Address

useCoA=N

wsTransport=HTTPS

deauthMethod=HTTPS

wsUser=Unifi Controller Username

wsPwd=Unifi Controller Password



Hope this helps someone. I hope Packetfence releases some documentation on
Unifi APs because with the necessary applied patch and the unifi controller
changes to config.properties, everything seems to be working well. Actually
in my opinion, it seems to be working better than the hostapd setup in
packetfence and is way easier to set up.


On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel 
wrote:
> Hello all,
> 
> I am also trying to get my Unifi APs working with packetfence. It seems that I
> am very close. I am able to get the portal to show up on the client when in
> the registration vlan, but after registering, the client never deauth's and
> disconnects from the access point. I can disable my wireless and enable it
> again and the client is assigned the correct role and put into the right vlan,
> so that part seems to be working. I have applied the patch in the following
> way:
> 
> in /usr/local/pf I ran "curl
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff | patch -p1"
> 
> Is this the correct patch and the correct way to apply it? If so, why is this
> patch not disconnecting the client from the AP?
> 
> I have also applied the following to my AP's in Unifi:
> 
> /var/lib/unifi/sites//config.properties
> config.system_cfg.1=aaa.1.auth_cache=disabled
> config.system_cfg.2=aaa.2.auth_cache=disabled
> config.system_cfg.3=aaa.1.dynamic_vlan=1
> config.system_cfg.4=aaa.2.dynamic_vlan=1
> config.system_cfg.5=aaa.1.radius.acct.1.ip=
> config.system_cfg.6=aaa.1.radius.acct.1.port=
> config.system_cfg.7=aaa.1.radius.acct.1.secret= password>
> config.system_cfg.8=aaa.2.radius.acct.1.ip=
> config.system_cfg.9=aaa.2.radius.acct.1.port=
> config.system_cfg.10=aaa.2.radius.acct.1.secret= password>
> 
> 
> What should the configuration be in packetfence when setting up the switch?
> Should I use hostapd or Unifi Controller? Should I enable COA or not?
> 
> 
> Does anyone have a working setup of Unifi APs with an out of band setup of
> packetfence at this point? If so, could you shed some light and post your
> configurations?
> 
> Thanks!
> 
> On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users
>  wrote:
>> Yes, David, this is my plan to test the captive portal on wired connections
>> to rule out the unruly Unifi APs
>> Ideally I would love to make it also work with HP switches 1820/1920 model
>> because this is the majority of switches installed in our organization.
>> But will try it on Cisco switch as a beginning
>> Thanks again, for your sharing.
>> There’s apparently something wrong with mailing list for packetfence as
>> there’s nothing coming in and I don’t believe it’s only me who persists in
>> making things work and asking for advices 
>>  
>> Eugene
>>  
>> From: David Harvey [mailto:da...@thoughtmachine.net]
>> Sent: Friday, February 09, 2018 4:37 AM
>> To: E.P. ; fdur...@inverse.ca
>> Subject: Re: [PacketFence-users] Unifi APs and CoA
>>  
>> 
>> Hi Eugene,
>> 
>>  
>> 
>> I'm including Fabrice in case anything I have covered is misleading or plain
>> untrue! I don't want to give you bad advice..
>> 
>>  
>> 
>> I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my
>> functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS
>> and so haven't had the same open SSID guest portal aspect (which might make
>> my advice less relevant).
>> 
>> I've been fumbling through, so I'm sure Fabrice can offer better advice but I
>> would start by saying..
>> 
>>  
>> 
>> My understanding of the additional functionality this patch affords, is
>> dealing with kicking the client off an AP so it will then re-auth and
>> hopefully get put onto the correct VLAN.  So before 

Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-19 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

yes you can, just add portal to the management interface.

Regards

Fabrice



On 2018-02-19 at 02:13, E.P. wrote:
>
> I think it is slowly coming to me, Fabrice.
>
> My PF is pure for RADIUS enforcement and PF has only one IP address of
> management type.
>
> Now if I want WebAuth enforcement I would need to create one more
> interface of portal type
>
> The question is can I create this portal type interface in the same
> subnet as the management interface ?
>
> I would want to have them both in the same VLAN
>
>  
>
> Eugene
>
>  
>
> *From:*E.P. [mailto:ype...@gmail.com]
> *Sent:* Sunday, February 18, 2018 7:20 PM
> *To:* 'packetfence-users@lists.sourceforge.net'
> 
> *Cc:* 'Durand fabrice' 
> *Subject:* RE: [PacketFence-users] Access to PF captive portal is blocked
>
>  
>
> Here it is, Fabrice
>
> 10.0.254.3 is the WiFi client and 172.16.0.222 is PF.
>
> Tcpdump.pcap is attached and it is made right on PF
>
> The second capture is made on the laptop connected to guest WiFi.
>
> It contains pings to PF but all TCP SYN requests are answered with
> RST.
>
>  
>
> Eugene
>
>  
>
> *From:*Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Sunday, February 18, 2018 10:51 AM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Cc:* Durand fabrice >
> *Subject:* Re: [PacketFence-users] Access to PF captive portal is blocked
>
>  
>
> Hello Eugene,
>
> do you have the capture ?
>
> Regards
> Fabrice
>
> On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:
>
> Hi Fabrice,
>
> I dare sending it again believing my previous email fell into cracks.
>
> Can you please advise what could be wrong (see below)
>
>  
>
> Eugene
>
>  
>
>  
>
> *From:* E.P. [mailto:ype...@gmail.com]
> *Sent:* Wednesday, February 14, 2018 1:08 AM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Subject:* Access to PF captive portal is blocked
>
>  
>
> Hello folks,
>
> I really hope someone who ran into a similar problem will shed
> some light.
>
> Feeling bad we don’t hear anything from Fabrice or someone from
> inverse.
>
> I have an out-of-band deployment of PF and my WiFi client gets
> connected and redirected to PF
>
> I see redirects by capturing the traffic on PF by tcpdump.
>
> But… I see that PF sends TCP resets even for TCP SYN packet coming
> from the client.
>
> It seems to me it is just iptables firewall that blocks it.
>
> Why ? Where am I supposed to enter those IP addresses that are
> allowed to go through captive portal registration?
>
> I do allow PF IP address in the pre-authorization access list and
> my ping to FQDN of PF succeeds normally.
>
> It is only HTTP(s) doesn’t go through.
>
> Even manually entered URL in the client browser doesn’t open up
> any page, i.e. https://pf.blabla.com/captive-portal or
> https://172.16.0.222/captive-portal
>
>  
>
> Eugene
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-19 Thread E.P. via PacketFence-users
Interesting, haproxy service is acting up. Can’t start

 

[root@PacketFence-ZEN ~]# systemctl status packetfence-haproxy
* packetfence-haproxy.service - PacketFence HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/packetfence-haproxy.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Mon 2018-02-19 08:56:31 PST; 15s ago
  Process: 4189 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid (code=exited, status=1/FAILURE)
  Process: 4186 ExecStartPre=/usr/local/pf/bin/pfcmd service haproxy generateconfig (code=exited, status=0/SUCCESS)
 Main PID: 4189 (code=exited, status=1/FAILURE)

Feb 19 08:56:30 PacketFence-ZEN haproxy-systemd-wrapper[4189]: haproxy-systemd-wrapper: exit, haproxy RC=1
Feb 19 08:56:30 PacketFence-ZEN systemd[1]: Unit packetfence-haproxy.service entered failed state.
Feb 19 08:56:30 PacketFence-ZEN systemd[1]: packetfence-haproxy.service failed.
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: packetfence-haproxy.service holdoff time over, scheduling restart.
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: start request repeated too quickly for packetfence-haproxy.service
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: Failed to start PacketFence HAProxy Load Balancer.
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: Unit packetfence-haproxy.service entered failed state.
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: packetfence-haproxy.service failed.

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Monday, February 19, 2018 7:20 AM
To: E.P. ; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

In fact you need to restart the portal, haproxy and iptables to make it 
available.

 

 

On 2018-02-19 at 03:29, E.P. wrote:

And my further attempts to put two and two together and look back in time into 
this mailing list showed that Fabrice already answered this question before 

Yes, I’d create an alias, e.g. eth0.1

So, under Configuration-Networks-Interfaces I click  “ADD VLAN”  and then add 
VLAN 1, add a new IP address to belong to the same subnet and then select type 
“portal” 

New interface eth0.1 gets created with IP address 172.16.0.223, I can reach it 
via IP and my interfaces and networks look like this:

 



 

What else am I doing to enable captive portal? I thought that it is enabled by 
default and I see httpd.portal is UP and running but I don’t see any ports 
open on 172.16.0.223

And iptables allow all HTTP and HTTPS for input-portal-if chain

 

Eugene

 

 

[PacketFence-users] iptables.conf customisation

2018-02-19 Thread lists via PacketFence-users

Hi,

We are trying to specifically allow only certain traffic from our 
forward-internal-inline-if interface, and have edited our iptables.conf 
accordingly:



root@packetfence:/usr/local/pf# iptables -L forward-internal-inline-if -n --line-numbers
Chain forward-internal-inline-if (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.19.0.0/16         0.0.0.0/0            tcp dpt:8331
.
11   ACCEPT     tcp  --  10.19.0.0/16         0.0.0.0/0            tcp dpt:443
12   ACCEPT     udp  --  10.19.0.0/16         0.0.0.0/0            udp dpt:53
13   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1
14   DROP       all  --  0.0.0.0/0            0.0.0.0/0
root@packetfence:/usr/local/pf#


However, after loading these rules (pfcmd service iptables restart) we 
could still access everything. This is probably because of rule #13, 
which presumably was added by packetfence itself. (at least: we think we 
did not add it...)


So we simply deleted rule #13, and our own final DROP line kicked in. 
Firewalling works now, but we are not sure if it was smart to kick out 
rule #13 with the ACCEPT for mark match 0x1


Can anyone tell us the negative side effects (if any) from simply 
deleting rule #13?


MJ
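
Added example (not part of MJ's post and not PacketFence code): a small first-match simulator for the chain listed above, showing that a packet carrying mark 0x1 is accepted by rule 13 before it can reach the final DROP, and that the same packet falls through to DROP once rule 13 is removed. The listing is a constructed re-typing of only the rules visible in the post, and the test packet (10.19.4.7 to 192.0.2.10, TCP port 22) is made up for illustration.

```python
import ipaddress
import re

# Constructed listing in `iptables -L <chain> -n --line-numbers` layout.
# It holds only the rules visible in the post; rules 2-10 are elided there.
LISTING = """\
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.19.0.0/16         0.0.0.0/0            tcp dpt:8331
11   ACCEPT     tcp  --  10.19.0.0/16         0.0.0.0/0            tcp dpt:443
12   ACCEPT     udp  --  10.19.0.0/16         0.0.0.0/0            udp dpt:53
13   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1
14   DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

def parse_rules(listing):
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if not f or not f[0].isdigit():
            continue  # skip the column header and blank lines
        dpt = re.search(r"dpt:(\d+)", line)
        mark = re.search(r"mark match (0x[0-9a-fA-F]+)", line)
        rules.append({
            "num": int(f[0]), "target": f[1], "proto": f[2],
            "src": ipaddress.ip_network(f[4]), "dst": ipaddress.ip_network(f[5]),
            "dport": int(dpt.group(1)) if dpt else None,
            "mark": int(mark.group(1), 16) if mark else None,
        })
    return rules

def first_match(rules, src, dst, proto, dport, mark=0):
    """Return (rule number, target) of the first rule the packet matches."""
    for r in rules:
        if (r["proto"] in ("all", proto)
                and ipaddress.ip_address(src) in r["src"]
                and ipaddress.ip_address(dst) in r["dst"]
                and r["dport"] in (None, dport)
                and r["mark"] in (None, mark)):
            return r["num"], r["target"]
    return None, "RETURN"  # no rule matched: control returns to the calling chain

if __name__ == "__main__":
    rules = parse_rules(LISTING)
    without_13 = [r for r in rules if r["num"] != 13]
    # Constructed packet: inline client 10.19.4.7 to TCP port 22 on 192.0.2.10.
    for label, chain in (("with rule 13", rules), ("rule 13 deleted", without_13)):
        for mark in (0x0, 0x1):
            verdict = first_match(chain, "10.19.4.7", "192.0.2.10", "tcp", 22, mark)
            print(f"{label:16} mark={mark:#x} -> {verdict}")
```

On a live system, the per-rule packet counters from `iptables -L forward-internal-inline-if -n -v --line-numbers` show which rule the traffic is actually hitting.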



Re: [PacketFence-users] Image Broken

2018-02-19 Thread luca comes via PacketFence-users
Hi Fabrice,

thanks I solved with your suggestion. My technical partner updated the machine 
so django was updated too.


Luca


Sent from Outlook



From: Durand fabrice via PacketFence-users 

Sent: Sunday, 18 February 2018 19:49
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Image Broken


Hello Luca,

I think you probably updated django and it tries to use the sqlite file instead 
of the mysql database.


Check the file /usr/lib/python2.7/site-packages/graphite/local_settings.py to 
see if it uses sqlite or mysql; if it uses sqlite then do that:

ln -sf /usr/local/pf/var/conf/local_settings.py /usr/lib/python2.7/site-packages/graphite/local_settings.py


Regards

Fabrice


On 2018-02-16 at 04:27, luca comes via PacketFence-users wrote:

Hi Fabrice,

I changed the permissions but now I can see the real error. As shown in the log 
file attached it seems that it cannot connect to the DB but I can't understand 
why, mariadb is running and PF is working fine. What query is made and which 
user is used?


Thanks


Luca



From: Durand fabrice via PacketFence-users 

Sent: Friday, 16 February 2018 04:04
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Image Broken


Hello Luca,

it's supposed to be the pf user who owns this file.

Regards

Fabrice

On 2018-02-15 at 08:48, luca comes via PacketFence-users wrote:
Hi all,
I have a problem with my dashboard's graphs. In my cluster when the master node 
is started I see the images broken but when I shut it and second node takes 
ownership graphs are ok. Graphite is started but if I try to connect to it I 
receive a generic Internal Server Error. In the httpd.graphite.error log I can 
see this:

Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609768 2018] [:error] [pid 29198] [client 192.168.167.50:39658] mod_wsgi (pid=29198): Target WSGI script '/usr/local/pf/conf/httpd.conf.d/graphite-web.wsgi' cannot be loaded as Python module.
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609792 2018] [:error] [pid 29198] [client 192.168.167.50:39658] mod_wsgi (pid=29198): Exception occurred processing WSGI script '/usr/local/pf/conf/httpd.conf.d/graphite-web.wsgi'.
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609817 2018] [:error] [pid 29198] [client 192.168.167.50:39658] Traceback (most recent call last):
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609835 2018] [:error] [pid 29198] [client 192.168.167.50:39658]   File "/usr/local/pf/conf/httpd.conf.d/graphite-web.wsgi", line 18, in
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609865 2018] [:error] [pid 29198] [client 192.168.167.50:39658] from graphite.logger import log
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609877 2018] [:error] [pid 29198] [client 192.168.167.50:39658]   File "/usr/lib/python2.7/site-packages/graphite/logger.py", line 84, in
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609907 2018] [:error] [pid 29198] [client 192.168.167.50:39658] log = GraphiteLogger() # import-shared logger instance
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609916 2018] [:error] [pid 29198] [client 192.168.167.50:39658]   File "/usr/lib/python2.7/site-packages/graphite/logger.py", line 40, in __init__
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609929 2018] [:error] [pid 29198] [client 192.168.167.50:39658] self.infoHandler = FileHandler(self.infoLogFile)
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609936 2018] [:error] [pid 29198] [client 192.168.167.50:39658]   File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609949 2018] [:error] [pid 29198] [client 192.168.167.50:39658] StreamHandler.__init__(self, self._open())
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609956 2018] [:error] [pid 29198] [client 192.168.167.50:39658]   File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609967 2018] [:error] [pid 29198] [client 192.168.167.50:39658] stream = open(self.baseFilename, self.mode)
Feb 15 14:43:57 pfnac01 httpd_graphite_err: [Thu Feb 15 13:43:57.609985 2018] [:error] [pid 29198] [client 192.168.167.50:39658] IOError: [Errno 13] Permission denied: '/var/log/graphite-web/info.log'

It seems a problem on the permission to the log file but the 
/var/log/graphite-web is empty just as on the other two nodes. Anyway I tried 
to create the