[PacketFence-users] Vlan Pooling Question

2018-01-16 Thread Truax, Peter via PacketFence-users
Hello everyone,

We are implementing PacketFence using Out-of-Band enforcement using MAC 
Authentication.

We have a situation where we would like to use 2 vlans for the same role. The 
vlans would be automatically assigned via some mechanism. For example, we have 
more Students than one vlan can use effectively by best practice. So, we use 
vlan 600 and 601 to be "Students." These are now assigned by our NAC solution 
via round-robin that we are replacing with PacketFence.

According to the Administration Guide at 
https://packetfence.org/doc/PacketFence_Administration_Guide.html section 10.1, 
vlan pooling is supported. This sounds like what we want to do.

Can someone clarify the instructions a bit?  Do we configure the vlan pool in 
the Role by VLAN ID section of the Switch? And how do you specify which of the 
2 algorithms (hash of username, or round-robin)?

We have attempted this by inputting 600,601 into the Roles by VLAN ID, but 
looking at the debug output, PacketFence sends "600,601" as the vlan assigned 
to the switch. Obviously this fails.

Regards,

Peter Truax
Network Administrator
(360) 688-2240
St. Martin's University
5000 Abbey Way E
Lacey, WA 98503


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-16 Thread tom lo via PacketFence-users
Hi Ludovic,

We are still using ZoneDirector, not the newer SmartZone controller,
and it seems PacketFence started supporting SmartZone from version 6.5.
In version 6.4, which we are using, there is only one switch type to
select, "Ruckus Wireless Controllers".
So you would suggest we try another switch module?


Regards,
Tom


On Tue, Jan 16, 2018 at 10:48 PM, Ludovic Zammit  wrote:
> Hello there,
>
> PacketFence has two different switch modules, there is a legacy one and the
> other one is meant for the SmartZone controller.
>
> Have you tried to change the switch module ?
>
> Thanks,
>
>
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
>
>
>
> On Jan 16, 2018, at 9:32 AM, tom lo via PacketFence-users
>  wrote:
>
> Hi,
>
>
> We've been using Packetfence ZEN 6.4 with Ruckus ZoneDirector for a
> while, to authenticate users against AD before putting them into
> production VLAN.
> It was working fine until recently that users report that when they
> doing authentication in captive portal, they start seeing the message
> "Unable to detect network connectivity. Try to restarting your web
> browser or opening a new tab to see if your access has been
> successfully enabled."
> They tried to turn off/on WiFi and they will see "Your network should
> be enabled within a minute or two. If it is not reboot your computer",
> if they wait for around 15 mins, sometimes they found their device
> could fall into production VLAN.
> During the issue happens to user, we could see in ZoneDirector that
> the client device were still in registration VLAN,
> and from packetfence admin portal, user mac address "Info" page, the
> role is set to a registered role.
> If we delete the client connection manually from ZoneDirector GUI, we
> found the client device will re-connect and fall into the production
> VLAN.
>
> We tried one suggestion from this mailing list, toggle $TRUE and
> $FALSE for synchronize_locationlog in /Switch/Ruckus.pm#L190, and
> restart httpd.portal, but made no difference.
>
> We captured the packetfence.log, and found some warning but not sure
> if it's related to the issue.
> httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Use of uninitialized
> value in concatenation (.) or string at
> /usr/local/pf/lib/pf/authentication.pm line 284.
> httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Calling match with
> empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> httpd.portal(2245) WARN: [mac:ab:cd:00:00:12:34] Can't re-evaluate
> access because no open locationlog entry was found
> (pf::enforcement::reevaluate_access)
>
> Please advise what we could do to troubleshoot the issue.  Thanks for your
> time.
>
>
> Regards,
> Tom
>



[PacketFence-users] No translation on "Enabling network access" page

2018-01-16 Thread Virginie Girou via PacketFence-users

Hello,

We use a packetfence as captive portal in our university (v 7.0) using 
French language but first installed in v 6.4 and then updated.


I've installed another one directly in 7.3 for test before production, 
but the entire "Enabling network access" page stays in English even if I 
choose French language in the portal configuration (or another language).

All others are correctly in French.

I don't even find the file where I could translate title and messages.

Could you help me please, I am stuck ...

Regards,

--
Virginie Girou
Equipe systeme
DSI - UT1 Capitole
Tel : +33 (0)5.61.63.39.19




Re: [PacketFence-users] Successfully passed 802.1x auth but no network access

2018-01-16 Thread Yan via PacketFence-users
Hi Fabrice,


So is there any problem within my configuration which I posted in my previous 
mail ?
I ask our network team if cisco acs needs to join domain server, they said no 
need. They said they only need to add AD server in cisco ACS for 
authentication. What's the difference between using acs and using 
pf-freeradius ?


-- Original --
From: packetfence-users 
Date: Jan 16, 2018 00:26
To: Fabrice Durand , packetfence-users 

Cc: Yan <1136723...@qq.com>
Subject: Re: [PacketFence-users] Successfully passed 802.1x auth but no network 
access





Yes. They have the same domain/users but on different servers. Both of them can 
authenticate our all users.


-- Original --
From: Fabrice Durand 
Date: Jan 15, 2018 22:13
To: Yan <1136723...@qq.com>, packetfence-users 

Subject: Re: [PacketFence-users] Successfully passed 802.1x auth but no network 
access



  
Hello Yan,

Are AD1 and AD2 the same ? (same domain/users ...)

Regards

Fabrice




On 2018-01-15 at 00:41, Yan wrote:

> Hi Durand,
>
> I installed a netdata in my pf server and not found any network issue
> yet (I'm learning to use it). But there is another case I'm not sure if
> it is related to the authentication issue.
> We have 2 PF servers, pf1 is in office A and pf2 is in office B. We also
> have 2 domain servers (for AD and DNS) and AD1 is in office A and AD2 is
> in office B.
> In configuration--Policy and access control--Domains--Active Directory
> Domains menu of both PF servers, I added and joined the same domain AD1
> (domain in office A).
> But in Configuration--Policy and access control--Authentication Sources
> menu, I add domain AD1 to pf1, and AD2 to pf2.
> And for the connection profile, I choose AD1 as authentication source on
> pf1, and choose AD2 as authentication source on pf2.
> I don't know if I clearly describe it, I draw a picture to make it more
> clear.
> Would this cause the previous strange issue ?

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] firewalling for inline on the packetfence server

2018-01-16 Thread lists via PacketFence-users

Hi Fabrice,

On 16-1-2018 14:54, Fabrice Durand via PacketFence-users wrote:

> Hello,
>
> you can play with iptables.conf in the conf directory in order to add
> your custom rules.


So, in the case of limiting outgoing traffic for inline nat clients to 
http/https/dns, do you mean adding lines something like this:



:input-internal-inline-if - [0:0]
# OUR OWN RULES HERE:
-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443  --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --jump ACCEPT

# DHCP:
-A input-internal-inline-if --protocol udp --match udp --dport 67  --jump ACCEPT
etc


and then, before the final line, to drop 'all other traffic':


-A input-internal-inline-if --jump DROP
%%input_inter_inline_rules%%


You mean something like that..?

MJ
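
A pre-flight check for a rule fragment like the one proposed above, as an added example that is not part of the original message and not PacketFence code: it flags a repeated `-A`, a chain that was never declared, and rules or a `%%...%%` placeholder that come after a chain's unconditional DROP/ACCEPT/REJECT. It assumes the placeholder expands to further rules for the chain whose rules precede it; the sample fragments and the chain name `input-guest-if` are constructed.

```python
import re
import shlex

# Constructed fragment modelled on the rules in the message above. The doubled
# "-A", the catch-all placed before the placeholder and the undeclared chain
# "input-guest-if" (a made-up name) are seeded so that each check fires once.
SAMPLE = """\
:input-internal-inline-if - [0:0]
# OUR OWN RULES HERE:
-A -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-inline-if --jump DROP
%%input_inter_inline_rules%%
-A input-guest-if --protocol tcp --match tcp --dport 22 --jump ACCEPT
"""

# Same rules with the defects removed: one "-A" per rule, catch-all last.
CORRECTED = """\
:input-internal-inline-if - [0:0]
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
%%input_inter_inline_rules%%
-A input-internal-inline-if --jump DROP
"""

APPEND = ("-A", "--append")
JUMP = ("-j", "--jump")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
PLACEHOLDER = re.compile(r"^%%\w+%%$")


def lint(fragment):
    """Return a list of (line_number, message) findings for the fragment."""
    findings = []
    declared = set()   # chains introduced by a ":chain policy [counters]" line
    catch_all = {}     # chain -> line number of its unconditional terminal rule
    last_chain = None  # chain of the most recent rule, used for placeholders
    for lineno, raw in enumerate(fragment.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            parts = line[1:].split()
            if parts:
                declared.add(parts[0])
            continue
        if PLACEHOLDER.match(line):
            # Assumption: the placeholder expands to rules for last_chain.
            if last_chain in catch_all:
                findings.append((lineno, f"{line} follows the catch-all on line "
                                 f"{catch_all[last_chain]}; rules it expands to "
                                 f"for {last_chain} would never be evaluated"))
            continue
        try:
            tokens = shlex.split(line)
        except ValueError as exc:
            findings.append((lineno, f"cannot tokenize rule: {exc}"))
            continue
        if tokens[0] not in APPEND:
            findings.append((lineno, "not a chain declaration, append rule or placeholder"))
            continue
        i = 1
        while i < len(tokens) and tokens[i] in APPEND:
            i += 1
        if i > 1:
            findings.append((lineno, "repeated -A before the chain name"))
        if i >= len(tokens):
            findings.append((lineno, "append rule without a chain name"))
            continue
        chain, rest = tokens[i], tokens[i + 1:]
        last_chain = chain
        if chain not in declared:
            findings.append((lineno, f"chain {chain} is not declared in this fragment"))
        if chain in catch_all:
            findings.append((lineno, f"unreachable: {chain} already has a catch-all "
                             f"on line {catch_all[chain]}"))
        # A rule with nothing but a terminal jump matches every packet.
        if len(rest) == 2 and rest[0] in JUMP and rest[1] in TERMINAL:
            catch_all.setdefault(chain, lineno)
    return findings


if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("CORRECTED", CORRECTED)):
        print(label)
        for lineno, message in lint(text) or [(0, "no findings")]:
            print(f"  line {lineno}: {message}")
```
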



Re: [PacketFence-users] pf with ruckus smartzone not working for me

2018-01-16 Thread Fabrice Durand via PacketFence-users
Hello Barry,

when the error happens, is it when you try to do web-auth or out of band?
(if you have the httpd.portal.access lines when you hit the portal)

Because it looks that packetfence is not able to fetch your ip address.

Also to reevaluate an access on Ruckus SmartZone packetfence use the web
api of the controller, so you need to fill the webservice tab in the
switch config (pf side).

Regards

Fabrice



On 2018-01-16 at 03:42, Support Procyon Networks via PacketFence-users wrote:
>
> Dear Reader,
>
> I got problems to use pf in combination with a ruckus smartzone
> controller, out of band, webauth. I want users who connect to the
> guest ssid to get the portal and register with their email.
>
> I configured the smartzone controller according to
> PacketFence_Network_Devices_Configuration_Guide. Rest of the settings
> is all default.
>
> When a client connects to the guest ssid he gets an application error
> “Application error : Caught exception in
> captiveportal::Controller::Root”  full error message is at the end of this
> mail.
>
> This happens when using pf 7.3
>
> When using pf 7.2 users who connect to the guest ssid do get the
> portal, they can select email-based registration, they enter their
> email, now they should get internet access for 10 min, but they don’t,
> “Unable to detect network”, rebooting or waiting doesn’t help. I can
> see on another device that I get the mail with the registration link,
> this does work, but the device doesn’t get access.
>
> Correct me if I am wrong but pf should communicate with the ruckus
> controller to signal that this device should be given access. Now when
> looking with wireshark I can see there is no communication between the
> controller and pf except snmp get request from pf to controller that
> are random/time interval, but not in sync with registration.
>
> Maybe I do something wrong in the basis, I can imagine that I have to
> bind the ruckus controller “switch” somehow to the portal(?), but I
> also can imagine that this is not needed because the ip of the
> controller is inside the portal request.
>
> If someone can help me with this, that would be great.
>
> I am using the OVF version of pf
>
> Ruckus smartzone 3.5.1.0.862    I had version 3.4.2.0.152 before this
> with the same results.
>
> Best Regards
>
> Barry
>
> Here the full error message portal with pf 7.3
>
> Application error : Caught exception in
> captiveportal::Controller::Root->getLanguages "Can't call method
> "normalizedIP" on an undefined value at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Model/Portal/Session.pm
> line 249." Caught exception in
> captiveportal::Controller::Root->setupLanguage "Can't use string ("0")
> as an ARRAY ref while "strict refs" in use at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Root.pm
> line 189." Caught exception in
> captiveportal::Controller::Root->setupDynamicRouting "Can't call
> method "normalizedIP" on an undefined value at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Model/Portal/Session.pm
> line 249." Caught exception in
> captiveportal::Controller::Root->dynamic_application "Can't call
> method "execute" on an undefined value at
> /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Root.pm
> line 156."
>
>  
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-16 Thread Ludovic Zammit via PacketFence-users
Hello there,

PacketFence has two different switch modules, there is a legacy one and the 
other one is meant for the SmartZone controller.

Have you tried to change the switch module ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




> On Jan 16, 2018, at 9:32 AM, tom lo via PacketFence-users 
>  wrote:
> 
> Hi,
> 
> 
> We've been using Packetfence ZEN 6.4 with Ruckus ZoneDirector for a
> while, to authenticate users against AD before putting them into
> production VLAN.
> It was working fine until recently that users report that when they
> doing authentication in captive portal, they start seeing the message
> "Unable to detect network connectivity. Try to restarting your web
> browser or opening a new tab to see if your access has been
> successfully enabled."
> They tried to turn off/on WiFi and they will see "Your network should
> be enabled within a minute or two. If it is not reboot your computer",
> if they wait for around 15 mins, sometimes they found their device
> could fall into production VLAN.
> During the issue happens to user, we could see in ZoneDirector that
> the client device were still in registration VLAN,
> and from packetfence admin portal, user mac address "Info" page, the
> role is set to a registered role.
> If we delete the client connection manually from ZoneDirector GUI, we
> found the client device will re-connect and fall into the production
> VLAN.
> 
> We tried one suggestion from this mailing list, toggle $TRUE and
> $FALSE for synchronize_locationlog in /Switch/Ruckus.pm#L190, and
> restart httpd.portal, but made no difference.
> 
> We captured the packetfence.log, and found some warning but not sure
> if it's related to the issue.
> httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Use of uninitialized
> value in concatenation (.) or string at
> /usr/local/pf/lib/pf/authentication.pm line 284.
> httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Calling match with
> empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> httpd.portal(2245) WARN: [mac:ab:cd:00:00:12:34] Can't re-evaluate
> access because no open locationlog entry was found
> (pf::enforcement::reevaluate_access)
> 
> Please advise what we could do to troubleshoot the issue.  Thanks for your 
> time.
> 
> 
> Regards,
> Tom
> 


[PacketFence-users] users stay in registration VLAN after authentication success

2018-01-16 Thread tom lo via PacketFence-users
Hi,


We've been using Packetfence ZEN 6.4 with Ruckus ZoneDirector for a
while, to authenticate users against AD before putting them into
production VLAN.
It was working fine until recently that users report that when they
doing authentication in captive portal, they start seeing the message
"Unable to detect network connectivity. Try to restarting your web
browser or opening a new tab to see if your access has been
successfully enabled."
They tried to turn off/on WiFi and they will see "Your network should
be enabled within a minute or two. If it is not reboot your computer",
if they wait for around 15 mins, sometimes they found their device
could fall into production VLAN.
During the issue happens to user, we could see in ZoneDirector that
the client device were still in registration VLAN,
and from packetfence admin portal, user mac address "Info" page, the
role is set to a registered role.
If we delete the client connection manually from ZoneDirector GUI, we
found the client device will re-connect and fall into the production
VLAN.

We tried one suggestion from this mailing list, toggle $TRUE and
$FALSE for synchronize_locationlog in /Switch/Ruckus.pm#L190, and
restart httpd.portal, but made no difference.

We captured the packetfence.log, and found some warning but not sure
if it's related to the issue.
httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Use of uninitialized
value in concatenation (.) or string at
/usr/local/pf/lib/pf/authentication.pm line 284.
httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
httpd.portal(2245) WARN: [mac:ab:cd:00:00:12:34] Can't re-evaluate
access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)

Please advise what we could do to troubleshoot the issue.  Thanks for your time.


Regards,
Tom
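
A small triage script for warnings like the ones quoted above, added here as an example (not part of the original post and not PacketFence code): it undoes the mail client's line wrapping and any `>` quoting, parses each record, and counts per MAC address the `pf::enforcement::reevaluate_access` warnings that report no open locationlog entry. The record layout is assumed to be exactly what the message shows.

```python
import re
from collections import Counter

# The three warnings from the message above, hard-wrapped as a mail client wraps them.
SAMPLE = """\
httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Use of uninitialized
value in concatenation (.) or string at
/usr/local/pf/lib/pf/authentication.pm line 284.
httpd.portal(2282) WARN: [mac:ab:cd:00:00:12:34] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
httpd.portal(2245) WARN: [mac:ab:cd:00:00:12:34] Can't re-evaluate
access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)
"""

# A record starts with "<process>(<pid>) <LEVEL>:"; any other line is a
# continuation produced by line wrapping.
RECORD_START = re.compile(r"[\w.\-]+\(\d+\)\s+[A-Z]+:")
RECORD = re.compile(
    r"(?P<proc>[\w.\-]+)\((?P<pid>\d+)\)\s+(?P<level>[A-Z]+):\s+"
    r"\[mac:(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\]\s+"
    r"(?P<msg>.*?)(?:\s+\((?P<sub>[\w:]+)\))?$"
)
QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")


def unwrap(text):
    """Rejoin wrapped records and drop '>' reply quoting."""
    records = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        if RECORD_START.search(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(text):
    """Return one dict per record: proc, pid, level, mac, msg, sub (or None)."""
    events = []
    for record in unwrap(text):
        match = RECORD.search(record)
        if match:
            events.append(match.groupdict())
    return events


def failed_reevaluations(events):
    """Count, per MAC, re-evaluations that found no open locationlog entry."""
    hits = Counter()
    for event in events:
        if (event["sub"] == "pf::enforcement::reevaluate_access"
                and "no open locationlog entry" in event["msg"]):
            hits[event["mac"].lower()] += 1
    return dict(hits)


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for event in parsed:
        print(event["proc"], event["pid"], event["mac"], event["sub"], "|", event["msg"])
    print("re-evaluation failures per MAC:", failed_reevaluations(parsed))
```
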



Re: [PacketFence-users] Number of devices to connect to the network

2018-01-16 Thread Fabrice Durand via PacketFence-users
Hello Eugene,

this is exactly where you have to control that.

So just set a limit on the roles where you want to limit the number of
devices per users.

Regards

Fabrice



On 2018-01-16 at 02:01, E.P. via PacketFence-users wrote:
>
> It sounds close to the number of devices/nodes a user can register
> which is configurable under Configuration-Policies and access
> control-Roles, but we don’t allow this luxury to anyone yet. Just
> regular network admission control based on the active AD account
>
>  
>
> *From:*E.P. [mailto:ype...@gmail.com]
> *Sent:* Monday, January 15, 2018 10:54 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Number of devices to connect to the network
>
>  
>
> Guys,
>
> We are still at the early phases of PF deployment and only now looking
> into AD based authentication for wireless devices
>
> Is there any way to limit the number of user devices that can be
> connected by one user?
>
> Let’s say the user uses his/her laptop and roams around remote sites
> where we provide WiFi with WPA2-Enterprise and we also allow him/her
> use the phone (iPhone/Android). No more devices to connect
>
>  
>
> Eugene
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

2018-01-16 Thread Fabrice Durand via PacketFence-users
I can't find in the doc where it's defined to 9191 ?!


On 2018-01-16 at 01:00, E.P. wrote:
>
> Great breakdown, thank you!
>
> What is the correct port number, Fabrice, in “pki_provider.conf” file ?
>
> You showed yours with 9393, but in the guide it is 9191
>
>  
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Monday, January 15, 2018 6:01 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] PKI provisioning configuration for
> Apple OS/iOS
>
>  
>
> Hello Eugene,
>
>  
>
> On 2018-01-13 at 02:59, E.P. via PacketFence-users wrote:
>
> Folks,
>
> Our two big shots in the organization live their lives with Apple
> macbooks and we need to get them on the secure WiFi.
>
> Can someone explain me where and how to get the content of
> certificates that are trusted by Apple devices.
>
> First you need to configure a pki in PacketFence (What i use in
> pki_provider.conf):
>
> [PacketFencePKI]
> cn_format=%s
> profile=clientCrt
> revoke_on_unregistration=Y
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/YourCert.pem
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MYCA.pem
> state=Quebec
> password=p@ck3tf3nc3
> organization=Inverse.inc
> country=CA
> proto=https
> port=9393
> host=127.0.0.1
> username=admin
> type=packetfence_pki
> cn_attribute=mac
>
> Next you need to configure the provisioner in order to provide
> certificate and wifi configuration (provisioning.conf):
>
> [AppleTLS]
> broadcast=0
> oses=
> category=
> eap_type=13
> can_sign_profile=0
> security_type=WPA
> description=Apple Provisioning
> type=mobileconfig
> ssid=baguettesecure
> pki_provider=PacketFencePKI
>
> But in your case you need to sign the profile with another certificate
> , so in Signing tab use a certificate like the certificate you have
> with godaddy.
>
>  
> In this form you need to put in certificate for signing profiles your
> public key (-BEGIN CERTIFICATE-), next your private key
> (-BEGIN PRIVATE KEY-) and in the last field the certificate
> chain of godaddy probably that one:

Re: [PacketFence-users] Number of registered devices notification

2018-01-16 Thread Fabrice Durand via PacketFence-users
Hello Raphael,

can you try that:

in /usr/local/pf/

patch -p1 --dry-run < status.diff

and if there is no error:

patch -p1 < status.diff

and restart packetfence.

Let me know if it works, i will push it in the main code.

Regards

Fabrice



On 2018-01-15 at 18:01, Raphael Dias via PacketFence-users wrote:
> Hi
>
> So I am. I still see this in 7.3.0. Is there any way to change this
> message? The only way I see is to modify error.html with a generic
> possible cause.
>
> Thanks
>
> On Mon, Jun 20, 2016 at 5:00 AM, Darwish O. Alhelo wrote:
>
> Dear
>
> after upgrading from 5.3 to 6.03 , i noticed that the error message
> saying "you have exceeded number of devices you can register"  do
> not appears to the users trying to add new devices more than i
> allowed ,they have different misleading message "couldn't 
> register your device, Please contact local support"
>
> is there a way  to fix this
>
> -- 
> Best Regards
> Darwish
>
> 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

diff --git a/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm b/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
index 543f135..7453953 100644
--- a/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
+++ b/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
@@ -286,7 +286,11 @@ sub apply_new_node_info {
 return $TRUE;
 }
 else {
-$self->app->error("Couldn't register your device. Please contact your local support staff.");
+if ($status) {
+$self->app->error($status_msg);
+} else {
+$self->app->error("Couldn't register your device. Please contact your local support staff.");
+}
 $self->detach();
 }
 }
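Review bot: In the added `if ($status)` branch the condition tests `$status` while the text shown to the user is `$status_msg`, and neither variable is assigned in the visible lines, so a true `$status` paired with an empty or undefined `$status_msg` would pass a blank message to `$self->app->error`. Guarding on the message itself, for example `if (defined $status_msg && length $status_msg)`, keeps the generic "Couldn't register your device" fallback for that case. Because `$status_msg` is rendered on the captive portal, it is also worth confirming earlier in `apply_new_node_info` that it only ever carries user-facing wording (such as the device-limit notice discussed in this thread) and not internal error detail.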


Re: [PacketFence-users] firewalling for inline on the packetfence server

2018-01-16 Thread Fabrice Durand via PacketFence-users
Hello,

you can play with iptables.conf in the conf directory in order to add
your custom rules.

Regards

Fabrice



On 2018-01-15 at 11:18, lists via PacketFence-users wrote:
> Hi,
>
> We're using packetfence in inline modus for our wifi (10.10.10.0/24)
> segment. The external packetfence interface is inside our dmz lan /24
> segment. (192.84.141.0/24)
>
> We currently firewall on our gateway 192.84.141.1. Even though this
> works, it has the negative side effect that everybody on the wifi
> segment has direct access to the machines in 192.84.141.0/24.
>
> Therefore we would like to firewall outgoing traffic on the
> packetfence machine, to only allow stuff like https, dns, etc, and
> drop the rest.
>
> However, since packetfence is so busy with its own firewall rules and
> adjustments, we're not sure if this is supported, or even possible.
>
> Could anyone shed some light on this..?
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




[PacketFence-users] Number of devices to connect to the network

2018-01-16 Thread E.P. via PacketFence-users
Guys,

We are still at the early phases of PF deployment and only now looking into
AD based authentication for wireless devices

Is there any way to limit the number of user devices that can be connected
by one user?

Let's say the user uses his/her laptop and roams around remote sites where
we provide WiFi with WPA2-Enterprise and we also allow him/her use the phone
(iPhone/Android). No more devices to connect

 

Eugene



Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

2018-01-16 Thread E.P. via PacketFence-users
Great breakdown, thank you!

What is the correct port number, Fabrice, in the “pki_provider.conf” file?

You showed yours with 9393, but in the guide it is 9191.

 

 

From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Monday, January 15, 2018 6:01 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

 

Hello Eugene,

 

On 2018-01-13 at 02:59, E.P. via PacketFence-users wrote:

Folks,

Our two big shots in the organization live their lives with Apple macbooks and 
we need to get them on the secure WiFi.

Can someone explain to me where and how to get the content of certificates that 
are trusted by Apple devices?

First you need to configure a PKI in PacketFence (what I use in 
pki_provider.conf):

[PacketFencePKI]
cn_format=%s
profile=clientCrt
revoke_on_unregistration=Y
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/YourCert.pem
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MYCA.pem
state=Quebec
password=p@ck3tf3nc3
organization=Inverse.inc
country=CA
proto=https
port=9393
host=127.0.0.1
username=admin
type=packetfence_pki
cn_attribute=mac

Next you need to configure the provisioner in order to provide the certificate 
and Wi-Fi configuration (provisioning.conf):

[AppleTLS]
broadcast=0
oses=
category=
eap_type=13
can_sign_profile=0
security_type=WPA
description=Apple Provisioning
type=mobileconfig
ssid=baguettesecure
pki_provider=PacketFencePKI

But in your case you need to sign the profile with another certificate, so in 
the Signing tab use a certificate like the certificate you have with GoDaddy.

 
In this form you need to put your public key (-----BEGIN CERTIFICATE-----) in 
"certificate for signing profiles", next your private key (-----BEGIN PRIVATE 
KEY-----), and in the last field the certificate chain of GoDaddy, probably 
this one:
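
Added example (not part of the thread and not PacketFence's own code): a Python check that the two files quoted above agree with each other and with the PKI service, which is the 9393-versus-9191 question raised in the reply. The sample files are constructed from the posted ones with a placeholder password; `pki_listen_port` and the reading of can_sign_profile=0 as "unsigned" are assumptions.

```python
import configparser

# Constructed copies of the two files from the thread; the password is a placeholder.
PKI_CONF = """
[PacketFencePKI]
cn_format=%s
proto=https
port=9393
host=127.0.0.1
username=admin
password=EXAMPLE-PLACEHOLDER
type=packetfence_pki
"""
PROVISIONING_CONF = """
[AppleTLS]
type=mobileconfig
eap_type=13
can_sign_profile=0
ssid=baguettesecure
pki_provider=PacketFencePKI
"""

def load(text):
    # interpolation=None: values such as cn_format=%s are literal, not format strings
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def lint(pki_text, prov_text, pki_listen_port):
    """Return findings. pki_listen_port: port the operator's PKI service listens on."""
    pki, prov, out = load(pki_text), load(prov_text), []
    for name in prov.sections():
        p = prov[name]
        ref = p.get("pki_provider", "")
        if p.get("eap_type") == "13" and not ref:  # EAP type 13 is EAP-TLS
            out.append(f"{name}: EAP-TLS provisioner has no pki_provider")
        if ref and ref not in pki:
            out.append(f"{name}: pki_provider '{ref}' is not defined")
        # Assumption: can_sign_profile=0 means the profile is sent unsigned.
        if p.get("type") == "mobileconfig" and p.get("can_sign_profile") == "0":
            out.append(f"{name}: profile will be delivered unsigned")
    for name in pki.sections():
        s = pki[name]
        if s.get("proto") != "https":
            out.append(f"{name}: PKI API is not reached over https")
        if s.getint("port", fallback=-1) != pki_listen_port:
            out.append(f"{name}: port {s.get('port')} != service port {pki_listen_port}")
        if s.get("password"):
            out.append(f"{name}: cleartext password, restrict file permissions")
    return out
```

Call `lint(PKI_CONF, PROVISIONING_CONF, <port>)` with the port the PKI service is actually bound to; a mismatch between that port and pki_provider.conf shows up as a finding.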

Re: [PacketFence-users] Number of devices to connect to the network

2018-01-16 Thread E.P. via PacketFence-users
It sounds close to the number of devices/nodes a user can register which is
configurable under Configuration-Policies and access control-Roles, but we
don't allow this luxury to anyone yet. Just regular network admission
control based on the active AD account

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Monday, January 15, 2018 10:54 PM
To: packetfence-users@lists.sourceforge.net
Subject: Number of devices to connect to the network

 

Guys,

We are still at the early phases of PF deployment and only now looking into
AD based authentication for wireless devices

Is there any way to limit the number of user devices that can be connected
by one user?

Let's say the user uses his/her laptop and roams around remote sites where
we provide WiFi with WPA2-Enterprise and we also allow him/her use the phone
(iPhone/Android). No more devices to connect

 

Eugene



[PacketFence-users] pf with ruckus smartzone not working for me

2018-01-16 Thread Support Procyon Networks via PacketFence-users
Dear Reader,

I have problems using pf in combination with a Ruckus SmartZone controller, out 
of band, webauth. I want users who connect to the guest SSID to get the portal 
and register with their email.

I configured the SmartZone controller according to the 
PacketFence_Network_Devices_Configuration_Guide. The rest of the settings are 
all default.

When a client connects to the guest SSID he gets an application error 
"Application error : Caught exception in captiveportal::Controller::Root"; the 
full error message is at the end of this mail.
This happens when using pf 7.3.

When using pf 7.2, users who connect to the guest SSID do get the portal, they 
can select email-based registration, they enter their email, now they should 
get internet access for 10 min, but they don't: "Unable to detect network"; 
rebooting or waiting doesn't help. I can see on another device that I get the 
mail with the registration link, this does work, but the device doesn't get 
access.
Correct me if I am wrong, but pf should communicate with the Ruckus controller 
to signal that this device should be given access. Now when looking with 
Wireshark I can see there is no communication between the controller and pf 
except SNMP get requests from pf to the controller that are at random/time 
intervals, but not in sync with registration.

Maybe I am doing something wrong in the basics; I can imagine that I have to 
bind the Ruckus controller "switch" somehow to the portal(?), but I can also 
imagine that this is not needed because the IP of the controller is inside the 
portal request.

If someone can help me with this, that would be great.

I am using the OVF version of pf.

Ruckus SmartZone 3.5.1.0.862. I had version 3.4.2.0.152 before this with the 
same results.

Best Regards

Barry


Here is the full error message from the portal with pf 7.3:


Application error : Caught exception in captiveportal::Controller::Root->getLanguages "Can't call method "normalizedIP" on an undefined value at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Model/Portal/Session.pm line 249."
Caught exception in captiveportal::Controller::Root->setupLanguage "Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Root.pm line 189."
Caught exception in captiveportal::Controller::Root->setupDynamicRouting "Can't call method "normalizedIP" on an undefined value at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Model/Portal/Session.pm line 249."
Caught exception in captiveportal::Controller::Root->dynamic_application "Can't call method "execute" on an undefined value at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Root.pm line 156."
