[PacketFence-users] Can't join packetfence to domain for RADIUS

2016-10-14 Thread Alex Fishel
Thank you everyone for your suggestions.  Unfortunately I am still having
trouble here.  I tried the suggestions provided by Darren but I have not
yet been able to join successfully. I will go back and double-check
everything I've already tried first but is there anything else that can be
done?  Happy to provide config information if needed.

Thanks again!

-- 
Alex Fishel
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Sponsor guest access issue

2016-10-14 Thread Derek Wuelfrath
Daren,

Can you send the log file ?
Looks like there may be a problem with matching the provided sponsor… (error 
message displayed on the portal seems incomplete...)

Cheers!
-dw.

—
Derek Wuelfrath
de...@inverse.ca 
> On Oct 14, 2016, at 04:22, Morgan, Darren  wrote:
> 
> I now no longer get the error, but when we try to authorise the guest with 
> any of the users from the Sponsors group we get the message that they do not 
> have permission.  As you can see from the previous .conf files I’ve marked 
> the users in the Sponsors source as ‘sponsor=1’



Re: [PacketFence-users] Can't join packetfence to domain for RADIUS

2016-10-14 Thread Antoine Amacher

Hello Alex,

You can have a look under 
/chroots/DOMAIN-NAME/var/log/sambaDOMAIN-NAME/log.winbind


Thanks


On 10/13/2016 11:28 PM, Alex Fishel wrote:

Hello all,

I upgraded the server as suggested but it hasn't seemed to make a 
difference yet.  Is there a log file that could be examined to 
diagnose the problem?


Thanks!

--
Alex Fishel







--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



[PacketFence-users] Login Attempt Limit with Bad Passwords

2016-10-14 Thread Jonathan Diaz
I have been looking for a way to limit a user's amount that they can
attempt to login and fail to authenticate before Packetfence would stop
them from trying to login again for a certain amount of time.  I was trying
to find information on the matter and couldn't seem to find any answers
pertaining to this problem.

We have been having this problem with some of our End Users that have old
passwords saved in devices and it locking them out of LDAP when the device
tries to authenticate with PacketFence over and over.  So they login to our
WPA-Enterprise Network with their LDAP credentials and then hit the device
registration captive portal.

Would 'Login Attempt Limit' under 'Portal Profiles' > 'Captive Portal' be a
good way of going about this?  Or does this only affect the account
when they are at the Captive Portal page after being verified through the
basic Wireless Network setup?  Could I also set it up to push them to a
different page when this happens to alert them to the fact their
credentials are not correct and/or unregister the device?  Also is there a
way to search the logs or set up logging so that when someone fails a login
with a device we can see the Account they were trying to use and the Device
MAC or Device information?

With our users coming on and off site at different intervals many times
they often forget to change all their devices' passwords.

Thanks for any help and insight you may have.

-- 
*Diaz, Jonathan*
Networking Department
Cowee Hall, Troy
518-244-4764
dia...@sage.edu


Re: [PacketFence-users] monit setup guide for PF

2016-10-14 Thread Antoine Amacher
Jake,

We do not have a guide for it, but we did write some scripts to 
preconfigure monit.

Have a look in /usr/local/pf/addons/monit/; you should find what you are 
looking for.

Thanks


On 10/13/2016 11:01 PM, Sallee, Jake wrote:
> Does anyone have a setup guide for using monit with Packetfence?
>
> I know it can be done, but I can't seem to find any docs on it.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Can't join packetfence to domain for RADIUS

2016-10-14 Thread Morgan, Darren
Hi Alex,

I had similar issues when I started to use PacketFence.  I found the following 
helped;

- Ensure that DNS servers are listed in /etc/resolv.conf
- The correct HOSTNAME is listed in /etc/sysconfig/network and that you use only 
  IP address in the AD server address
- Check the /etc/hosts file to include the PacketFence server and the AD servers 
  for your domain.

    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    192.168.XXX.XXX packetfenceserver.domain.local packetfenceserver
    192.168.XXX.XXX domaincontroller.domain.local domaincontroller

If you still have problems then make sure that the domain is in CAPS wherever 
you see it in the following 2 files;
/etc/samba/Oundle.conf
/etc/krb5.conf

And check that you have joined successfully by using;
chroot /chroots/Domain wbinfo -u


I had problems using the radtest (radtest dd Abcd1234 localhost:18120 12 
testing123) as it kept coming back Reject, but I think that may be a false 
positive as when I tried logging users in to the system it all seems to work OK.

Hope this helps.

Regards

Darren

From: Alex Fishel [mailto:fishal...@gmail.com]
Sent: 14 October 2016 04:28
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Can't join packetfence to domain for RADIUS

Hello all,
I upgraded the server as suggested but it hasn't seemed to make a difference 
yet.  Is there a log file that could be examined to diagnose the problem?
Thanks!

--
Alex Fishel



This email is sent from either Oundle School or Laxton Junior School for The 
Corporation of Oundle School and is intended only for the addressee named 
above.  The Corporation of Oundle School is a Charity incorporated under Royal 
Charter RC000396 and charity number 309921.  www.oundleschool.org.uk
 Scanned by iCritical.


Re: [PacketFence-users] Sponsor guest access issue

2016-10-14 Thread Morgan, Darren
Thanks Derek,

I now no longer get the error, but when we try to authorise the guest with any 
of the users from the Sponsors group we get the message that they do not have 
permission.  As you can see from the previous .conf files I’ve marked the users 
in the Sponsors source as ‘sponsor=1’

Any ideas?

[Sponsors rule OS_Sponsors]
description=Users with sponsor level
class=administration
match=all
action0=mark_as_sponsor=1



Regards

Darren
From: Derek Wuelfrath [mailto:de...@inverse.ca]
Sent: 13 October 2016 18:23
To: ML PF 
Subject: Re: [PacketFence-users] Sponsor guest access issue

Hello Daren,

Can you try to add the “sponsor” source to your portal profiles ?
You have the “Sponsors” which defines who is able to sponsor, but not the 
“sponsor” which activate the sponsor feature.

Sponsor ! (not mentioned enough ;))

Cheers!
-dw.

—
Derek Wuelfrath
de...@inverse.ca

On Oct 13, 2016, at 11:59, Morgan, Darren wrote:

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~
profiles.conf
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~

[default]
description=Default Profile
logo=/common/packetfence-white.png
redirecturl=http://www.google.co.uk
always_use_redirecturl=disabled
locale=en_US
nbregpages=0
filter_match_style=any
block_interval=10m
sms_pin_retry_limit=0
sms_request_limit=0
login_attempt_limit=0
root_module=oundle_school_root_module
billing_tiers=
dot1x_recompute_role_from_portal=enabled
preregistration=disabled
autoregister=disabled
scans=
reuse_dot1x_credentials=0
sources=Sponsors,local,OS_Staff,OS_Pupils,IT_Dept
provisioners=

[RESMachines]
locale=
filter=connection_type:Ethernet-EAP
description=RESMachines from AD
sources=RESMachines,Sponsors

[NoRESMachines]
locale=
filter=connection_type:Ethernet-EAP
description=Domained PC's without RES
sources=NoRESMachines,Sponsors





Re: [PacketFence-users] Security Onion alerts not triggering

2016-10-14 Thread Morris, Andi
Hi,
I do have a security onion parser, however I’m not running the maintenance 
branch as this is a production system. I’m guessing I’m hitting the issue that 
Julien said is fixed in the maintenance branch.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 13 October 2016 17:20
To: Morris, Andi ; 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Security Onion alerts not triggering


Hi,

I created a unit test (https://github.com/inverse-inc/packetfence/pull/1759) 
and can validate that the "security_onion" syslog parser still works correctly 
directly from the log you previously gave, and that the "detect" violation 
trigger still works fine and fires on parsed SIDs.



Clarifications from previous post:

The "detect" violation trigger serves to test upon unified 
Snort/Suricata/SecurityOnion outputs and find the SID part of the message 
extracted from the different syslog parsers configured on your system.
The "suricata_event" violation trigger serves to test upon unified 
Snort/Suricata/SecurityOnion outputs and find the "message" part of the message 
extracted from the different syslog parsers configured on your system.



Can you validate that you have a "security_onion" syslog parser configured in 
the GUI, as defined in section 13.1.3 here:

https://packetfence.org/doc/PacketFence_Administration_Guide.html#_blocking_malicious_activities_with_violations



Else I cannot understand why your usage of "detect" violation trigger was not 
working previously if you have run the maintenance. I'm glad it works, though.

Thierry


On 10/13/2016 10:04 AM, Thierry Laurion wrote:

I investigated a little more with my coworker and you seem to have found a bug! 
:)

You should be able to use the detect trigger with SIDs if the SecurityOnion 
syslog parser is activated, which seems to be the case.

I will return to you once it is fixed; it seems that SecurityOnion changed its 
format or something!

I will reply to the list when done. Thanks for reporting.

Thierry

On 10/13/2016 09:48 AM, Morris, Andi wrote:
Apologies, I thought I did. I didn’t mean to email you directly. I’ll update 
the list now.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 13 October 2016 14:47
To: Morris, Andi 
Subject: Re: [PacketFence-users] Security Onion alerts not triggering




My pleasure!

You should write that to the list, so that the whole community knows it worked.

Thanks,

On 10/13/2016 05:44 AM, Morris, Andi wrote:
Thanks Thierry, this fixed my issue.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 07 October 2016 18:09
To: 
packetfence-users@lists.sourceforge.net
Cc: Morris, Andi 
Subject: Re: [PacketFence-users] Security Onion alerts not triggering

Hi,

The "detect" trigger matches numerical SIDs found in Snort and Suricata 
generated "alert" logs, which have a different format than the "digested" logs 
of SecurityOnion.

As an example, here is the kind of logs that Suricata and Snort generate when 
in "alert" mode:
'07/28/2015-09:09:59.431113  [**] [1:2221002:1] SURICATA HTTP request field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000'


You should use "suricata_event" triggers in your SecurityOnion related 
violations, which match text and are more generic.

Modify the violation 153 for it to match "ET P2P Vuze BT UDP Connection". 
That would  be a broader match and would also generate a violation for the 
following SIDs:
sid-msg.map:2010140 || ET P2P Vuze BT UDP Connection || url,doc.emergingthreats.net/2010140 || url,vuze.com
sid-msg.map:2010141 || ET P2P Vuze BT UDP Connection (2) || url,doc.emergingthreats.net/2010141 || url,vuze.com
sid-msg.map:2010142 || ET P2P Vuze BT UDP Connection (3) || url,doc.emergingthreats.net/2010142
sid-msg.map:2010143 || ET P2P Vuze BT UDP Connection (4) || url,doc.emergingthreats.net/2010143
sid-msg.map:2010144 || ET P2P Vuze BT UDP Connection (5) || url,doc.emergingthreats.net/2010144 || url,vuze.com


Regards,
Thierry Laurion
An update, I’m now getting the alerts hitting pfdetect, but they’re still not 
triggering the violation with the same ID.
pfdetect.log shows:
Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct  7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921)  Alert Received: 0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92
' (main::_run_detector)


The relevant section of violation.conf is:
[153]
trigger=detect::2010140
actions=email_admin,reevaluate_access,log
max_enable=10
desc=P2P Vuze2
enabled=Y
template=p2p
grace=2h


From: Morris, Andi 
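
The two log formats and the two trigger types discussed in this thread, as an added Python example that is not PacketFence's parser and not part of the original messages. The regexes, the field order assumed after the {message} in the securityonion_ids line, and the prefix match used for suricata_event are assumptions inferred from the sample lines quoted above; parse_alert, trigger_fires and matching_sids are hypothetical names.

```python
import re

# Sample lines copied from this thread; SID_MSG mirrors the quoted sid-msg.map entries.
SURICATA_ALERT = ("07/28/2015-09:09:59.431113  [**] [1:2221002:1] SURICATA HTTP request "
                  "field missing colon [**] [Classification: Generic Protocol Command "
                  "Decode] [Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000")
SO_ALERT = ("Oct  7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921)  Alert "
            "Received: 0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 "
            "173773 {ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 "
            "65344 1 2010140 6 92 92")
SID_MSG = {str(2010140 + i): "ET P2P Vuze BT UDP Connection" + (f" ({i + 1})" if i else "")
           for i in range(5)}

# "alert" format: [gid:sid:rev] message [**] ... {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
# "digested" format; assumed order after {message}:
# src dst proto sport dport gid sid rev
SO_RE = re.compile(
    r"securityonion_ids: .*Alert Received: .*\{(?P<msg>[^{}]+)\} "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) \d+ \d+ \d+ \d+ (?P<sid>\d+) \d+")


def parse_alert(line):
    """Return {'sid', 'msg', 'src', 'dst'} for either format, or None."""
    for regex in (SO_RE, FAST_RE):
        match = regex.search(line)
        if match:
            return match.groupdict()
    return None


def trigger_fires(trigger, event):
    """Evaluate a 'type::value' trigger string against a parsed event."""
    kind, _, value = trigger.partition("::")
    if kind == "detect":            # exact numeric SID
        return event["sid"] == value
    if kind == "suricata_event":    # message text, modelled as a prefix match (assumption)
        return event["msg"].startswith(value)
    return False


def matching_sids(trigger):
    """SIDs from SID_MSG whose alerts would fire the given trigger."""
    return [sid for sid, msg in SID_MSG.items()
            if trigger_fires(trigger, {"sid": sid, "msg": msg})]
```

Both formats yield the same sid and msg fields once parsed, so detect::2010140 covers one rule while suricata_event::ET P2P Vuze BT UDP Connection covers all five quoted SIDs.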

[PacketFence-users] Can't join packetfence to domain for RADIUS

2016-10-14 Thread Alex Fishel
Hello all,

I upgraded the server as suggested but it hasn't seemed to make a
difference yet.  Is there a log file that could be examined to diagnose the
problem?

Thanks!

-- 
Alex Fishel