Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence

2016-10-06 Thread Antoine Amacher

Hello Stefan,

What do you see in the logs/packetfence.log upon using 'bin/pfcmd checkup', and 
do you see the filter being triggered when the user authenticates?
Look for "1:EthernetEAP" in the packetfence.log.

Thanks.

On Thursday, October 06, 2016 10:36 EDT, "Marold, Stefan" wrote:

Hi Antoine,

Thank you very much for your answer. Yes, the status of the client is unreg. 
I've configured an AD source with a catch-all rule and thought, this will 
register the nodes automatically. But after reading the documentation again, I 
think it is only for captive portal.

I tried to configure AutoRegister as you suggested, but I think there is an 
error in my configuration. With the following configuration, I expect the 
client will be autoregistered with role 'default', vlan 477. Instead, it is 
still unreg, vlan 11.

[root@PacketFence-6_2_1 ~]# cat /usr/local/pf/conf/vlan_filters.conf|egrep -v "^#"
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-TLS
[1:EthernetEAP]
scope = AutoRegister
role = default

[root@PacketFence-6_2_1 ~]# /usr/local/pf/bin/pfcmd checkup
Checking configuration sanity...

tail -f /usr/local/pf/logs/radius.log
Thu Oct 6 09:56:37 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct 6 09:56:39 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct 6 09:56:41 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct 6 09:56:43 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct 6 09:56:44 2016 : Auth: rlm_perl: Returning vlan 11 to request from 
74:2b:62:6d:47:d4 port 50101
Thu Oct 6 09:56:44 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 
means OK)
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (1): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (2): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (3): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (4): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (0): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (5): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Opening additional connection 
(6), 1 of 64 pending slots used
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Need 2 more connections to reach 
10 spares
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Opening additional connection 
(7), 1 of 63 pending slots used
Thu Oct 6 09:56:35 2016 : [mac:74:2b:62:6d:47:d4] Accepted user: and returned 
VLAN 11
Thu Oct 6 09:56:44 2016 : Auth: (10) Login OK: [host/D1527.dorsten.local] (from 
client 172.20.10.118 port 50101 cli 74:2b:62:6d:47:d4)

Best regards
Stefan


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


 


Re: [PacketFence-users] Sponsor configuration in inline deployment

2016-10-06 Thread Fabrice Durand

Not sure I understand how you fixed it.



On 2016-10-06 at 11:33, Riccardo Pelliccioli wrote:


Solved,

I had to reduce the expiration period

BR

Rick



Re: [PacketFence-users] Sponsor configuration in inline deployment

2016-10-06 Thread Riccardo Pelliccioli

Solved,

I had to reduce the expiration period

BR

Rick


On 10/6/2016 5:19 PM, Riccardo Pelliccioli wrote:


Thank you Fabrice,

I made a step forward; with this profile I'm able to make the 
registration; the sponsor receives the email with the link for the 
activation but I receive a strange wrong password message; in the 
logs I can find:


Oct 06 11:13:07 httpd.portal(2914) INFO: [mac:00:50:56:aa:37:67] 
[00:50:56:aa:37:67] Activation code sent to email x...@xxx.it from 
x...@gmail.com successfully verified.  for activation type: sponsor 
(pf::activation::validate_code)
Oct 06 11:13:07 httpd.portal(2914) INFO: [mac:00:50:56:aa:37:67] 
Password validation failed for Pippo: password has expired 
(pf::password::validate_password)
Oct 06 11:13:07 httpd.portal(2914) ERROR: [mac:00:50:56:aa:37:67] 
unable to read password file '/usr/local/pf/conf/admin.conf' 
(pf::Authentication::Source::HtpasswdSource::authenticate)


The last line I think isn't useful

BR,

Rick



Re: [PacketFence-users] Sponsor configuration in inline deployment

2016-10-06 Thread Riccardo Pelliccioli

Thank you Fabrice,

I made a step forward; with this profile I'm able to make the 
registration; the sponsor receives the email with the link for the 
activation but I receive a strange wrong password message; in the logs 
I can find:


Oct 06 11:13:07 httpd.portal(2914) INFO: [mac:00:50:56:aa:37:67] 
[00:50:56:aa:37:67] Activation code sent to email x...@xxx.it from 
x...@gmail.com successfully verified.  for activation type: sponsor 
(pf::activation::validate_code)
Oct 06 11:13:07 httpd.portal(2914) INFO: [mac:00:50:56:aa:37:67] 
Password validation failed for Pippo: password has expired 
(pf::password::validate_password)
Oct 06 11:13:07 httpd.portal(2914) ERROR: [mac:00:50:56:aa:37:67] unable 
to read password file '/usr/local/pf/conf/admin.conf' 
(pf::Authentication::Source::HtpasswdSource::authenticate)


The last line I think isn't useful

BR,

Rick


On 10/6/2016 2:34 PM, Fabrice Durand wrote:


Hello Rick,

What you can do is to create a new portal profile with a network filter.

So let's say that your inline network is 192.168.0.0/24, then create a 
portal profile with this filter and assign the authentication sources 
you want to use.


Regards

Fabrice




Re: [PacketFence-users] ANN: PacketFence v6.3.0

2016-10-06 Thread Krzysztof Adamski

Where can I find documentation on:

Integration with Cisco MSE adds maps, location based portals and 
notifications


Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence

2016-10-06 Thread Marold, Stefan
Hi Antoine,

Thank you very much for your answer. Yes, the status of the client is unreg. 
I've configured an AD source with a catch-all rule and thought, this will 
register the nodes automatically. But after reading the documentation again, I 
think it is only for captive portal.

I tried to configure AutoRegister as you suggested, but I think there is an 
error in my configuration. With the following configuration, I expect the 
client will be autoregistered with role 'default', vlan 477. Instead, it is 
still unreg, vlan 11.

[root@PacketFence-6_2_1 ~]# cat /usr/local/pf/conf/vlan_filters.conf|egrep -v "^#"
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-TLS
[1:EthernetEAP]
scope = AutoRegister
role = default

[root@PacketFence-6_2_1 ~]# /usr/local/pf/bin/pfcmd checkup
Checking configuration sanity...

tail -f /usr/local/pf/logs/radius.log
Thu Oct  6 09:56:37 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct  6 09:56:39 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct  6 09:56:41 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct  6 09:56:43 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct  6 09:56:44 2016 : Auth: rlm_perl: Returning vlan 11 to request from 
74:2b:62:6d:47:d4 port 50101
Thu Oct  6 09:56:44 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 
means OK)
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (1): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (2): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (3): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (4): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (0): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (5): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Opening additional connection 
(6), 1 of 64 pending slots used
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Need 2 more connections to 
reach 10 spares
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Opening additional connection 
(7), 1 of 63 pending slots used
Thu Oct  6 09:56:35 2016 : [mac:74:2b:62:6d:47:d4] Accepted user:  and returned 
VLAN 11
Thu Oct  6 09:56:44 2016 : Auth: (10) Login OK: [host/D1527.dorsten.local] 
(from client 172.20.10.118 port 50101 cli 74:2b:62:6d:47:d4)

Best regards
Stefan
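
Added example (not part of the original post, and not PacketFence or FreeRADIUS code): a small Python parser that groups the "Ignoring duplicate packet ... due to unfinished request" lines from the radius.log excerpt above by request number and reports how long the named module kept the NAS retransmitting. The class and function names are hypothetical; the sample lines are the ones from the post, unwrapped to one record per line.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Lines taken from the radius.log excerpt in the post above, unwrapped to one
# record per line (the e-mail had folded them at 80 columns).
SAMPLE_LOG = """\
Thu Oct  6 09:56:37 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 216 due to unfinished request in component post-auth module packetfence
Thu Oct  6 09:56:39 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 216 due to unfinished request in component post-auth module packetfence
Thu Oct  6 09:56:41 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 216 due to unfinished request in component post-auth module packetfence
Thu Oct  6 09:56:43 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 216 due to unfinished request in component post-auth module packetfence
Thu Oct  6 09:56:44 2016 : Auth: rlm_perl: Returning vlan 11 to request from 74:2b:62:6d:47:d4 port 50101
Thu Oct  6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 905 seconds
Thu Oct  6 09:56:44 2016 : Auth: (10) Login OK: [host/D1527.dorsten.local] (from client 172.20.10.118 port 50101 cli 74:2b:62:6d:47:d4)
"""

# "<weekday> <month> <day> <time> <year> : <message>"; the weekday is skipped.
LINE_RE = re.compile(r"^\w{3} (\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (.*)$")
DUP_RE = re.compile(
    r"^Error: \((\d+)\) Ignoring duplicate packet from client (\S+) port \d+ "
    r"- ID: (\d+) due to unfinished request in component (\S+) module (\S+)$"
)
DONE_RE = re.compile(r"^Auth: \((\d+)\) Login (OK|incorrect)\b")


@dataclass
class StalledRequest:
    request: int          # FreeRADIUS request number, the "(10)" in the log
    client: str           # NAS address that kept retransmitting
    radius_id: int        # RADIUS packet ID that was retransmitted
    component: str        # e.g. "post-auth"
    module: str           # e.g. "packetfence"
    seen: List[datetime] = field(default_factory=list)
    outcome: Optional[str] = None
    finished: Optional[datetime] = None

    @property
    def duplicates(self) -> int:
        return len(self.seen)

    @property
    def retransmit_gaps(self) -> List[int]:
        """Seconds between consecutive retransmits (the NAS retry timer)."""
        return [int((b - a).total_seconds())
                for a, b in zip(self.seen, self.seen[1:])]

    @property
    def stalled_seconds(self) -> int:
        """Lower bound on the stall: first retransmit to completion, or to the
        last retransmit if no Login line was logged for this request."""
        end = self.finished or self.seen[-1]
        return int((end - self.seen[0]).total_seconds())


def find_stalled_requests(log_text: str, min_duplicates: int = 2) -> List[StalledRequest]:
    """Return requests the server was still processing while the NAS retried.

    Keyed on the request number only, so feed it one server run at a time
    (request numbers restart when radiusd restarts).
    """
    stalled: Dict[int, StalledRequest] = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        # Collapse the padded day ("Oct  6") before parsing the timestamp.
        when = datetime.strptime(" ".join(line.group(1).split()),
                                 "%b %d %H:%M:%S %Y")
        message = line.group(2)
        dup = DUP_RE.match(message)
        if dup:
            req = int(dup.group(1))
            entry = stalled.setdefault(req, StalledRequest(
                req, dup.group(2), int(dup.group(3)), dup.group(4), dup.group(5)))
            entry.seen.append(when)
            continue
        done = DONE_RE.match(message)
        if done and int(done.group(1)) in stalled:
            entry = stalled[int(done.group(1))]
            if entry.finished is None:
                entry.outcome, entry.finished = done.group(2), when
    return [e for e in stalled.values() if e.duplicates >= min_duplicates]


if __name__ == "__main__":
    for r in find_stalled_requests(SAMPLE_LOG):
        print(f"request {r.request} from {r.client} (ID {r.radius_id}): "
              f"{r.duplicates} retransmits every {r.retransmit_gaps} s, "
              f"{r.component}/{r.module} busy >= {r.stalled_seconds} s, "
              f"outcome: {r.outcome}")
```
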





Re: [PacketFence-users] Sponsor configuration in inline deployment

2016-10-06 Thread Fabrice Durand

Hello Rick,

What you can do is to create a new portal profile with a network filter.

So let's say that your inline network is 192.168.0.0/24, then create a 
portal profile with this filter and assign the authentication sources 
you want to use.


Regards

Fabrice



On 2016-10-06 at 05:02, Riccardo Pelliccioli wrote:


Hi Fabrice,

many thanks for your answer.

This is clear to me and I have a local user defined as a "sponsor"; 
anyway, the problem looks like I'm not able to use the external source 
(just in the external source I'm able to define the "Sponsor-based 
registration"); instead, from the logs I can see I'm still using the 
"local source" (then the wrong htpasswd file defined in internal 
sources)


How may I force it to use the external?

Many thanks for your support

BR,

Rick


On 10/6/2016 2:15 AM, Durand fabrice wrote:


Hi Riccardo,

when you create a local user in PacketFence you are able to set the 
"Mark as sponsor" on this user (define an email address too).


You can't use File1 as a sponsor source since you need to match with 
an email address (and in a htpasswd file it's not possible).


Keep in mind that only authentication sources that can contain an 
email address are allowed to be used for sponsor (LDAP, AD, local).


Regards

Fabrice



On 2016-10-05 at 11:46, Riccardo Pelliccioli wrote:


Hi there,

in the scenario with inline deployment using ZEN appliance 6.2.1 I 
would like to deploy a Self registration Captive Portal with 2 options:


 1. Sponsored authentication
 2. SMS authentication

For the sponsored authentication I'm not able to grant sponsoring 
privileges to a local user and in the log file packetfence.log I 
have the following messages:


Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory 
configuration is not valid anymore for key FilterEngine::Profile in 
local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory 
configuration is not valid anymore for key config::Profiles in local 
cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory 
configuration is not valid anymore for key 
resource::authentication_sources in local cached_hash 
(pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] 
Memory configuration is not valid anymore for key config::Profiles 
in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] 
Memory configuration is not valid anymore for key 
resource::authentication_lookup in local cached_hash 
(pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] 
registering  guest through a sponsor 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Sponsor::do_sponsor_registration)
*Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] 
Using sources local, file1 for matching (pf::authentication::match)*


file1 looks like a pointer to a htmlaccess file but I think this is 
deprecated due to a specific mysql table for users (password table) and 
I'm also able to see the "sponsor" field in this table.


What I did is just to add a "Mark as Sponsor" rule on the Sources > 
Internal Sources > File1; anyway, when I try to register from a 
client I reach the error message: the mail  is not allowed to 
sponsor guest access


What am I missing or what is wrong?

For the SMS, I think I have to change the sub send_sms in 
activation.pm because our provider accepts http GET or POST with 
basic authentication instead of mail to sms.


BR,

Riccardo


--
Riccardo Pelliccioli
Business Developer
  
nextONE srl

Via Nino Bixio 1 – 20900 Monza (MB), Italy

Mobile: +39.335.201206
Email:riccardo.pellicci...@next1.it



Re: [PacketFence-users] packetfence Sorry You do not have the permission to register a device with this username

2016-10-06 Thread Fabrice Durand

Hello محمد العشاري,

we need more details on how you configure packetfence.

So give us something to eat.

Regards

Fabrice



On 2016-10-06 at 02:25, محمد العشاري wrote:


Hello;

Dears, after installing and configuring packetfence, I can’t log in via username 
and password; the error message is: Sorry You do not have the permission to 
register a device with this username
Regards

Sent from Mail for Windows 10






--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



[PacketFence-users] packetfence Sorry You do not have the permission to register a device with this username

2016-10-06 Thread ‫محمد العشاري‬‎
Hello;

Dears, after installing and configuring packetfence, I can’t log in via username 
and password; the error message is: Sorry You do not have the permission to 
register a device with this username

Regards


Sent from Mail for Windows 10


[PacketFence-users] HAProxy seems to mess up mgmt... 443 not 1443?

2016-10-06 Thread Greg Harewood

Hi

tcp        0      0 1.1.1.1:443                 0.0.0.0:*                   LISTEN      1860/httpd
tcp        0      0 1.1.1.1:80                  0.0.0.0:*                   LISTEN      1860/httpd
tcp        0      0 1.1.1.3:443                 0.0.0.0:*                   LISTEN      1697/haproxy
tcp        0      0 1.1.1.3:80                  0.0.0.0:*                   LISTEN      1697/haproxy
tcp        0      0 1.1.2.1:443                 0.0.0.0:*                   LISTEN      1860/httpd
tcp        0      0 1.1.2.1:80                  0.0.0.0:*                   LISTEN      1860/httpd
tcp        0      0 1.1.2.3:443                 0.0.0.0:*                   LISTEN      1697/haproxy
tcp        0      0 1.1.2.3:80                  0.0.0.0:*                   LISTEN      1697/haproxy
tcp        0      0 192.168.149.218:1443        0.0.0.0:*                   LISTEN      1690/httpd
tcp        0      0 192.168.149.220:1443        0.0.0.0:*                   LISTEN      1690/httpd
tcp        0      0 192.168.149.220:443         0.0.0.0:*                   LISTEN      1697/haproxy
tcp        0      0 192.168.149.220:80          0.0.0.0:*                   LISTEN      1697/haproxy

My management address is 192.168.149.218 on this node, with a vip of .220.  I 
can manage the node(s) locally on their physical addresses with...

https://192.168.149.218:1443/
https://192.168.149.219:1443/ 

...but management on https://192.168.149.220:1443/ does not work.  And it's not 
a surprise... the haproxy turns out to listen on 443.  Checking the config 
file...

[root@mcjs-pfence3a lgjh]# tail -20 /usr/local/pf/var/conf/haproxy.conf

frontend portal-http-mgmt
        bind 192.168.149.220:80
        reqadd X-Forwarded-Proto:\ http
        default_backend portal-mgmt-backend

frontend portal-https-mgmt
        bind 192.168.149.220:443 ssl no-sslv3 crt /usr/local/pf/conf/ssl/server.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend portal-mgmt-backend

backend portal-mgmt-backend
        balance source
        option httpclose
        option forwardfor
        server 192.168.149.218 192.168.149.218:80 check
        server 192.168.149.219 192.168.149.219:80 check

Lo... the mgmt proxy sends to 192.168.149.218 ... but nothing is listening on 
that.  What's up with that?

Thanks for any help!

Greg
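The mismatch described in the message above (a backend `server` target on which nothing is listening) can be checked mechanically. The following is an added example, not part of the original post and not PacketFence code: it cross-checks HAProxy backend targets against `netstat` listeners. The function names and the `local_ips` parameter are assumptions made for illustration.

```python
# Constructed sample input: the management-side listeners from the post's
# netstat output (wrapped lines rejoined) and its portal-mgmt-backend section.
NETSTAT = """\
tcp 0 0 192.168.149.218:1443 0.0.0.0:* LISTEN 1690/httpd
tcp 0 0 192.168.149.220:1443 0.0.0.0:* LISTEN 1690/httpd
tcp 0 0 192.168.149.220:443 0.0.0.0:* LISTEN 1697/haproxy
tcp 0 0 192.168.149.220:80 0.0.0.0:* LISTEN 1697/haproxy
"""
HAPROXY = """\
backend portal-mgmt-backend
        balance source
        server 192.168.149.218 192.168.149.218:80 check
        server 192.168.149.219 192.168.149.219:80 check
"""

def parse_listeners(netstat_text):
    """Return {(ip, port): 'pid/program'} for each TCP socket in LISTEN state."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ip, _, port = f[3].rpartition(":")
            listeners[(ip, int(port))] = f[6]
    return listeners

def parse_backend_servers(haproxy_text):
    """Return [(backend, ip, port)] for each 'server' line inside a backend."""
    servers, backend = [], None
    for line in haproxy_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] in ("global", "defaults", "frontend", "backend", "listen"):
            backend = f[1] if f[0] == "backend" and len(f) > 1 else None
        elif f[0] == "server" and backend and len(f) >= 3:
            ip, _, port = f[2].rpartition(":")
            if port.isdigit():  # skip targets written without an explicit port
                servers.append((backend, ip, int(port)))
    return servers

def dead_targets(netstat_text, haproxy_text, local_ips):
    """Backend targets on this node with no local listener on that ip:port."""
    listeners = parse_listeners(netstat_text)
    dead = []
    for backend, ip, port in parse_backend_servers(haproxy_text):
        if ip not in local_ips:
            continue  # other cluster node: this netstat output cannot tell
        if (ip, port) not in listeners and ("0.0.0.0", port) not in listeners:
            dead.append((backend, ip, port))
    return dead
```

Run on each cluster node with that node's own addresses in `local_ips`; targets belonging to the peer node are skipped because a local `netstat` says nothing about them.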


Re: [PacketFence-users] Sponsor configuration in inline deployment

2016-10-06 Thread Riccardo Pelliccioli

Hi Fabrice,

many thanks for your answer.

This is clear to me, and I have a local user defined as a "sponsor"; 
anyway, the problem looks like I'm not able to use the external source 
(only in the external source am I able to define the "Sponsor-based 
registration"); instead, from the logs I can see I'm still using the 
"local source" (and then the wrong htpasswd file defined in the internal sources).


How may I force it to use the external?

Many thanks for your support

BR,

Rick


On 10/6/2016 2:15 AM, Durand fabrice wrote:


Hi Riccardo,

when you create a local user in PacketFence you are able to set the 
"Mark as sponsor" on this user (define an email address too).


You can't use File1 as a sponsor source since you need to match with 
an email address (and in a htpasswd file it's not possible).


Keep in mind that only authentication sources that can contain an 
email address are allowed to be used for sponsor (LDAP, AD, local).


Regards

Fabrice



On 2016-10-05 at 11:46, Riccardo Pelliccioli wrote:


Hi there,

in the scenario with inline deployment using ZEN appliance 6.2.1 I 
would like to deploy a Self registration Captive Portal with 2 options:


 1. Sponsored authentication
 2. SMS authentication

For the sponsored authentication I'm not able to grant sponsoring 
privileges to a local user and in the log file packetfence.log I have 
the following messages:


Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory configuration is not valid anymore for key FilterEngine::Profile in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory configuration is not valid anymore for key config::Profiles in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory configuration is not valid anymore for key resource::authentication_sources in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Memory configuration is not valid anymore for key config::Profiles in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Memory configuration is not valid anymore for key resource::authentication_lookup in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] registering  guest through a sponsor (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Sponsor::do_sponsor_registration)
*Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Using sources local, file1 for matching (pf::authentication::match)*


file1 looks like a pointer to a htmlaccess file, but I think this is 
deprecated due to a specific mysql table for users (password table), and 
I'm also able to see the "sponsor" field in this table.


What I did was just add a "Mark as Sponsor" rule on the Sources > 
Internal Sources > File1; anyway, when I try to register from a 
client I get the error message: the mail  is not allowed to 
sponsor guest access


What am I missing, or what is wrong?

For the SMS, I think I have to change the sub send_sms in 
activation.pm because our provider accepts HTTP GET or POST with 
basic authentication instead of mail to SMS.


BR,

Riccardo


--
Riccardo Pelliccioli
Business Developer
  
nextONE srl

Via Nino Bixio 1 – 20900 Monza (MB), Italy

Mobile: +39.335.201206
Email:riccardo.pellicci...@next1.it








--
Riccardo Pelliccioli
Business Developer
 
nextONE srl

Via Nino Bixio 1 – 20900 Monza (MB), Italy

Mobile: +39.335.201206
Email: riccardo.pellicci...@next1.it
