Re: [PacketFence-users] Captive Portal authorization failed "you do not have permission to register a device with this username"....

2018-12-11 Thread Enrico Becchetti via PacketFence-users

On 12/12/2018 08:17, Nicolas Quiniou-Briand wrote:

> Hello,
>
> On 2018-12-12 7:46 a.m., Enrico Becchetti wrote:
>
>> Hello !
>>
>> "Configuration->Policies and Access Control-> Roles" I've added "PF-WEB",
>> "Max Nodes per user" equal to 0 and default Traffic Shaping.
>
> You just create the role. To assign it, you need to create an
> authentication rule in your authentication source. For SAML source,
> you need to define first a source and then assign this source to your
> SAML source :
>
> https://packetfence.org/doc/PacketFence_Installation_Guide.html#_saml_authentication


Dear Nicolas,
my goal is to permit all authenticated users to use the network.
So my authorization rule can be very simple: all or catchall etc.

You wrote "For SAML source, you need to define first a source and then
assign this source to your SAML source".

Is that right, or are there too many "Source"?

It almost seems that to assign an authorization to SAML I have to create
a new source. Is that it?

In PacketFence_Installation_Guide there is INVERSE as authorization field
instead of my "local". So if I understand, I need to create a new rule
and then assign it to this SAML Source, but inside
"Configuration->Policies and Access Control->" there isn't.

thanks for your quick reply
Enrico

--
___

Enrico Becchetti    Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchettipg.infn.it
__



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Captive Portal authorization failed "you do not have permission to register a device with this username"....

2018-12-11 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello,

On 2018-12-12 7:46 a.m., Enrico Becchetti wrote:

Hello !

"Configuration->Policies and Access Control-> Roles" I've added "PF-WEB",
"Max Nodes per user" equal to 0 and default Traffic Shaping.


You just create the role. To assign it, you need to create an 
authentication rule in your authentication source. For SAML source, you 
need to define first a source and then assign this source to your SAML 
source :


https://packetfence.org/doc/PacketFence_Installation_Guide.html#_saml_authentication
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





Re: [PacketFence-users] Applying correct VLAN to users

2018-12-11 Thread G PL via PacketFence-users
Hello,
I have found the solution for me in this post:

https://github.com/inverse-inc/packetfence/issues/2291
In my first post, I'm using IAP 105.
For IAP 305, I have modified the Aruba.pm (it works on the 2 IAP models)
and restarted packetfence.
*I don't use COA in the switch configuration*
The change (start line 484):

    # transforming MAC to the expected format 00-11-22-33-CA-FE
    # (original two lines, commented out)
    # $mac = uc($mac);
    # $mac =~ s/:/-/g;
    # replacement: lowercase MAC with the colons removed
    $mac = lc($mac);
    $mac =~ s/://g;

    # Standard Attributes
    my $attributes_ref = {
        'Calling-Station-Id' => $mac,
        'User-Name' => $mac,
        'NAS-IP-Address' => $send_disconnect_to,
        'Acct-Session-Id' => $acctsessionid,
    };


Regards

On Thu, Dec 6, 2018 at 08:13, Nicolas Quiniou-Briand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Bram,
>
> On 2018-12-05 1:45 p.m., Bram Wittendorp wrote:
> > I was trying this out on my iPad and I was also using CoA. But it didn't
> > work for me.
>
> What does the packetfence.log say when you use CoA ?
> --
> Nicolas Quiniou-Briand
> n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
> (https://packetfence.org) and Fingerbank (http://fingerbank.org)


Re: [PacketFence-users] Captive Portal authorization failed "you do not have permission to register a device with this username"....

2018-12-11 Thread Enrico Becchetti via PacketFence-users
On 11/12/2018 15:31, Nicolas Quiniou-Briand via PacketFence-users wrote:

> Hello Enrico,
>
> Where did you assign the PF-WEB role ?


Hello !

"Configuration->Policies and Access Control-> Roles" I've added "PF-WEB",
"Max Nodes per user" equal to 0 and default Traffic Shaping.

Thanks
Enrico

--
___

Enrico Becchetti    Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchettipg.infn.it
__





Re: [PacketFence-users] Post 8.2 upgrade IP address concerns

2018-12-11 Thread Thomas, Gregory A via PacketFence-users
From the log file after a ticket was logged and the day after.

Dec 10 02:26:51 pf2018 pfdhcplistener: pfqueue(14407) INFO: [mac:unknown] DHCPREQUEST from 28:e3:47:58:07:68 (131.210.168.141) (pf::dhcp::processor_v4::parse_dhcp_request)
Dec 10 02:26:51 pf2018 pfdhcplistener: pfqueue(13300) INFO: [mac:unknown] DHCPACK from 131.210.160.1 (00:0c:29:cc:22:d2) to host 28:e3:47:58:07:68 (131.210.168.141) for 86400 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Dec 10 02:54:55 pf2018 pfdhcplistener: pfqueue(15557) INFO: [mac:unknown] DHCPREQUEST from 28:e3:47:58:07:68 (131.210.168.141) (pf::dhcp::processor_v4::parse_dhcp_request)
Dec 10 02:54:55 pf2018 pfdhcplistener: pfqueue(15890) INFO: [mac:unknown] DHCPACK from 131.210.160.1 (00:0c:29:cc:22:d2) to host 28:e3:47:58:07:68 (131.210.168.141) for 86400 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Dec 10 03:13:29 pf2018 pfdhcplistener: pfqueue(16163) INFO: [mac:unknown] DHCPREQUEST from 28:e3:47:58:07:68 (131.210.168.141) (pf::dhcp::processor_v4::parse_dhcp_request)
Dec 10 03:13:29 pf2018 pfdhcplistener: pfqueue(16829) INFO: [mac:unknown] DHCPACK from 131.210.160.1 (00:0c:29:cc:22:d2) to host 28:e3:47:58:07:68 (131.210.168.141) for 86400 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)

Dec 10 07:42:29 pf2018 pfdhcplistener: pfqueue(32748) INFO: [mac:unknown] DHCPREQUEST from 28:e3:47:58:07:68 (131.210.168.141) (pf::dhcp::processor_v4::parse_dhcp_request)
Dec 10 07:42:29 pf2018 pfdhcplistener: pfqueue(1939) INFO: [mac:unknown] DHCPACK from 131.210.160.1 (00:0c:29:cc:22:d2) to host 28:e3:47:58:07:68 (131.210.168.141) for 86400 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)

There is nothing from this MAC address before the time, and nothing the day 
before. The queue is at 0 and there is no blip to say there was anything 
waiting.

Is there anything else I need to look at?

Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432

From: Durand fabrice via PacketFence-users 

Sent: Monday, December 10, 2018 9:22 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Post 8.2 upgrade IP address concerns


Hello Thomas,

it looks to be an issue with the pfdhcplistener or maybe the numbers of items 
in the pfqueue.

Can you check the pfdhcplistener.log file and the number of items in the queue ?

Regards

Fabrice
On 18-12-10 at 15:44, Thomas, Gregory A via PacketFence-users wrote:
After the upgrade from 8.0 to 8.2, I am getting an issue with Windows machines 
(more than the usual Windows problems :)) It is a completely inline system.

I am getting the:
An Error occurred
Your computer was not found in the PacketFence database. Please reboot to solve 
this issue.

IP xxx.xxx.xxx.xxx (This is a valid IP address for the network)

MAC 0
When I got the error, it did not matter how many times I rebooted, the same 
error occurred. The only way for me to clear it was to do an IP release and the 
IP renew. After this, it works as expected.

For now, I send them instructions on how to release and renew their IP address 
and within a minute, they are up and running. My concern is two fold:

1.   Why, and why only Windows machines.

2.   Will I have this problem next semester when they have all been gone 
for a month and their registrations renew and I will need to send out 100's of 
instructions.

Any thoughts? I am starting finals week, so I am expecting to be busy the first 
couple of days this week, but could force a reboot or two later in the week to 
resolve this problem.

Thanks!

Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432







Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-11 Thread Tobias Friede via PacketFence-users
Hi,

>
> *Just go into the Audit Log or Node Tab, select the device, set the State
> to registered  and choose the desired role :) *
> *Reevaluate access or restart Switchport => You should got the specified
> rule. *
>
> I had tried this before and it was not working. Maybe because it was a
> VoIP device PacketFence did not assign the VLAN. When I tried it on another
> device that is not VoIP, it worked.
>

Correct, if a device is detected as voice device, packetfence only sends
the VSA and the switch puts the device in the configured voice vlan.

> Thanks for the help!

You are welcome :)


Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-11 Thread Anton Castelli via PacketFence-users
Tobias,


> Just go into the Audit Log or Node Tab, select the device, set the State to
> registered and choose the desired role :)
> Reevaluate access or restart Switchport => You should get the specified rule.

I had tried this before and it was not working. Maybe because it was a VoIP 
device PacketFence did not assign the VLAN. When I tried it on another device 
that is not VoIP, it worked.


Thanks for the help!


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu
P: 618/453-6424
OIT.SIU.EDU

From: Tobias Friede 
Sent: Tuesday, December 11, 2018 12:39:20 AM
To: Anton Castelli
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients





> Thanks for the information on the switch config. We are considering a support
> subscription, however we are still in the demo/testing/evaluation phase.

You are welcome :)

> Fabrice,
>
> Thanks for the patch.
>
> I think the critical part was the "getVoipVsa" function returning the
> "device-traffic-class=voice" RADIUS attribute. I had also been in contact with
> Dell support about the VoIP phone being assigned to the default (data) VLAN.
> They suggested sending this attribute. Apparently it is supported since the 6.5
> version of DNOS. I was actually working on a pull request with this added to
> the Dell::N1500 object. Should I continue with that pull request or will the
> update be included in the next version of PacketFence? Also, see issue
> 3479 on Github. I did not submit it, but it seems relevant.

I thought that this is already included in GitHub.
It's my post.

> Although this solves the issue with VoIP devices, we still would like to be
> able to assign VLANs to other non-802.1x devices. There are many types of
> devices that do not support 802.1x, but we still want to be able to assign a
> VLAN to them, even if we have to set the role manually. For example,
> printers/scanners/copiers, network TVs, game consoles, etc.
>
> So, the question still remains: How do we assign a VLAN to a MAB device?

Just go into the Audit Log or Node Tab, select the device, set the State to
registered and choose the desired role :)
Reevaluate access or restart Switchport => You should get the specified rule.


Tobias




Re: [PacketFence-users] Captive Portal authorization failed "you do not have permission to register a device with this username"....

2018-12-11 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello Enrico,

Where did you assign the PF-WEB role ?

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





[PacketFence-users] Captive Portal authorization failed "you do not have permission to register a device with this username"....

2018-12-11 Thread Enrico Becchetti via PacketFence-users

Dear Fabrice and all !
I need new help to solve this easy question.

My Linux CentOS 7.1810 with PF 8.2.1 has the right SAML link
to IDP but when a device tries to connect this message is shown

"you do not have permission to register a device with this username"

so the authentication phase works fine but the user can't use my network.

If it can be useful, here are the config files:

[root@pfsrv conf]# more profiles.conf
[PF-WEB]
locale=en_US,it_IT
filter=vlan:27
description=PF-WEB
sources=INFN-AAI
logo=/common/infnpg-captive.png
device_registration=default
root_module=pf_web_root_portal_module

[root@pfsrv conf]# more device_registration.conf
[default]
description=default
allowed_devices=
category=

[root@pfsrv conf]# more authentication.conf
[local]
description=Local Users
type=SQL

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null

[null]
description=Null Source
type=Null
email_required=no

[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[INFN-AAI]
authorization_source_id=local
idp_ca_cert_path=/usr/local/pf/conf/ssl/idp.crt
sp_cert_path=/usr/local/pf/conf/ssl/server.crt
idp_metadata_path=/usr/local/pf/conf/idp-metadata.xml
set_access_level_action=
username_attribute=urn:oid:0.9.2342.19200300.100.1.1
idp_cert_path=/usr/local/pf/conf/ssl/idp.crt
description=INFN AAI
idp_entity_id=https://idp.infn.it/saml2/idp/metadata.php
sp_key_path=/usr/local/pf/conf/ssl/server.key
sp_entity_id=https://pfsrv.pg.infn.it
type=SAML

[root@pfsrv conf]# more  roles.conf
[PF-WEB]
max_nodes_per_pid=0
notes=Rete PF-WEB


Thanks a lot again.
Best Regards
Enrico


--

___

Enrico Becchetti    Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchettipg.infn.it
__
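
A check for the situation in the configuration above, as an added example that is not part of the original post and is not PacketFence code: it reads an authentication.conf and reports every SAML source whose authorization source has no authentication-class rule with a set_role action. It assumes rule sections are named "<source> rule <name>", as in the posted [null rule catchall]; the function names, the trimmed sample and the WITH_RULE variant are constructed for illustration.

```python
import configparser

# Constructed sample: a trimmed copy of the authentication.conf posted above.
SAMPLE_CONF = """
[local]
description=Local Users
type=SQL

[null]
description=Null Source
type=Null
email_required=no

[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[INFN-AAI]
authorization_source_id=local
description=INFN AAI
type=SAML
"""

# Constructed variant (assumption): the same file with a catch-all rule added
# to the source that the SAML source uses for authorization. The role name
# PF-WEB is the one from the posted roles.conf.
WITH_RULE = SAMPLE_CONF + """
[local rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=PF-WEB
action1=set_access_duration=1D
"""


def load_sources(text):
    """Split the sections of an authentication.conf into sources and rules.

    Assumption: a section named "<source> rule <name>" is a rule that
    belongs to <source>; every other section is a source definition.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    sources, rules = {}, {}
    for section in cp.sections():
        src, sep, rule_name = section.partition(" rule ")
        if sep:
            rules.setdefault(src, {})[rule_name] = dict(cp[section])
        else:
            sources[section] = dict(cp[section])
    return sources, rules


def role_rules(rules_for_source):
    """Names of authentication-class rules that carry a set_role action."""
    found = []
    for rule_name, opts in rules_for_source.items():
        if opts.get("class") != "authentication":
            continue
        actions = [v for k, v in opts.items() if k.startswith("action")]
        if any(a.startswith("set_role=") for a in actions):
            found.append(rule_name)
    return found


def check_saml_authorization(text):
    """Return (source, problem) pairs for SAML sources that cannot assign a role."""
    sources, rules = load_sources(text)
    findings = []
    for name, opts in sources.items():
        if opts.get("type") != "SAML":
            continue
        authz = opts.get("authorization_source_id", "")
        if not authz:
            findings.append((name, "no authorization_source_id set"))
        elif authz not in sources:
            findings.append((name, f"authorization source '{authz}' is not defined"))
        elif not role_rules(rules.get(authz, {})):
            findings.append(
                (name, f"authorization source '{authz}' has no authentication rule with set_role")
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("with rule", WITH_RULE)):
        problems = check_saml_authorization(conf)
        print(label, "->", problems if problems else "ok")
```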





Re: [PacketFence-users] API Token

2018-12-11 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello,

On 2018-12-02 1:47 p.m., Murilo Calegari via PacketFence-users wrote:

> Hi everyone, is the token for the API designed to expire? If so, after
> how much time?

https://packetfence.org/doc/api/#/default/post_login

"This will perform a login against the PacketFence system user, the 
webservices credentials and any configured internal sources in 
PacketFence in this order. The order of priority for the PacketFence 
sources is the same as they are defined in authentication.conf (top to 
bottom). Token obtain via this API call are valid for 10 minutes. Upon 
expiration, a new token must be obtained by calling this API endpoint 
again."

> Can I configure this amount of time?


I don't think so.
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





Re: [PacketFence-users] user access to nodes in the admin -> nodes web page

2018-12-11 Thread Ian Alder via PacketFence-users
Hi Nicolas

Thanks for the reply.

I did see the tenant ID is set to 1 automatically for users, and I cannot 
remove or change the tenant id. 

I have upgraded to version 8.2 and applied the patches. 

The issue is still there.



Regards

Ian Alder



>-Original Message-
>From: Nicolas Quiniou-Briand via PacketFence-users [mailto:packetfence-
>us...@lists.sourceforge.net]
>Sent: 07 December 2018 10:53 AM
>To: Ian Alder ; packetfence-
>us...@lists.sourceforge.net
>Cc: Nicolas Quiniou-Briand 
>Subject: Re: [PacketFence-users] user access to nodes in the admin -> nodes
>web page
>
>Hello Ian,
>
>I try to reproduce your issue but I found this bug:
>https://github.com/inverse-inc/packetfence/issues/3681
>
>If I follow the steps you mentioned, I got:
>- partner1 user with tenant_id 1
>- partner2 user with tenant_id 1
>- nodes owned by partner1 user with tenant_id 1
>- nodes owned by partner2 user with tenant_id 1
>
>I ask my colleagues for help.
>--
>Nicolas Quiniou-Briand
>n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
>Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
>(https://packetfence.org) and Fingerbank (http://fingerbank.org)
>
>


Re: [PacketFence-users] user access to nodes in the admin -> nodes web page

2018-12-11 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello Ian,

On 2018-12-11 12:16 p.m., Ian Alder wrote:

> The issue is still there.


Yes, keep an eye on this GitHub issue [0].
You can also post a comment to make things progress.

[0] https://github.com/inverse-inc/packetfence/issues/3681

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





Re: [PacketFence-users] help

2018-12-11 Thread Caique Araujo via PacketFence-users
Hello Fabrice,
>
> The configuration of my switch is marked as that option EXTERNAL PORTAL
> ENFORCEMENT, and when I try to make the connection with the packetfence I
> get the error in the attachment name: Error1 in attachment.
> When the EXTERNAL PORTAL ENFORCEMENT Option is unchecked, it displays the
> connection error, but no internet access, as per Attachment Error2.
>
> Can there be any relation not to make the captive portal available?
>


-- 
Regards,
Caique Araujo


Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-11 Thread Anton Castelli via PacketFence-users
Tobias,


Thanks for the information on the switch config. We are considering a support 
subscription, however we are still in the demo/testing/evaluation phase.



Fabrice,


Thanks for the patch.


I think the critical part was the "getVoipVsa" function returning the 
"device-traffic-class=voice" RADIUS attribute. I had also been in contact with 
Dell support about the VoIP phone being assigned to the default (data) VLAN. 
They suggested sending this attribute. Apparently it is supported since the 6.5 
version of DNOS. I was actually working on a pull request with this added to 
the Dell::N1500 object. Should I continue with that pull request or will the 
update be included in the next version of PacketFence? Also, see issue 
3479 on Github. I did 
not submit it, but it seems relevant.


Although this solves the issue with VoIP devices, we still would like to be 
able to assign VLANs to other non-802.1x devices. There are many types of 
devices that do not support 802.1x, but we still want to be able to assign a 
VLAN to them, even if we have to set the role manually. For example, 
printers/scanners/copiers, network TVs, game consoles, etc.


So, the question still remains: How do we assign a VLAN to a MAB device?


Thanks,


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu
P: 618/453-6424
OIT.SIU.EDU

From: Tobias Friede via PacketFence-users 

Sent: Saturday, December 8, 2018 3:47:48 AM
To: packetfence-users@lists.sourceforge.net
Cc: Tobias Friede
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

I can say that the N2000 Series from DELL should work pretty well with 
PacketFence.
We had tested exactly that switch model with packetfence and solved some issues 
together with inverse a few months ago (Support Subscription is pretty useful 
;) )

The config written in the PacketFence documentation doesn't fit the actual 
Dell OS... especially the MAB Config.

Here is my well tested DELL Config:
aaa accounting dot1x default start-stop radius
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable

aaa server radius dynamic-author
client  server-key 7 "XXX"
exit

radius server auth 
name "PacketFence"
usage 802.1x
key 7 "XXX"
exit

radius server acct 
name "Default-RADIUS-Server"
key 7 "XXX"
exit

radius server vsa send authentication
ip ssh server

AND ON ALL NAC INTERFACES

switchport mode general
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout guest-vlan-period 10
dot1x unauth-vlan 931
mab
default mab pap
authentication order dot1x mab
authentication priority dot1x
lldp tlv-select system-description system-capabilities
lldp notification
lldp med confignotification
switchport voice vlan 205




On Fri, Dec 7, 2018 at 16:50, Anton Castelli via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Fabrice,


I've attached the relevant part of the packetfence.log. Some of the information 
has been masked. The MAC "35:aa" is a laptop with the 802.1x supplicant 
configured with a username and password from our Active Directory. The MAC 
"39:46" is a VoIP phone with no 802.1x capability that is falling back to MAB 
authentication.


Ludovic,

In this case it is a Dell N2024P and I'm using the "Dell::N1500" type when I 
added it to Packetfence. I also have a Cisco 2960 that I can test with.

Thanks,


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu
P: 618/453-6424
OIT.SIU.EDU

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, December 7, 2018 6:46:07 AM
To: Anton Castelli
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

Hello Anton,

Which kind of switch / network equipment are you using for the authentication ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca
Inverse inc. :: Leaders behind SOGo 

Re: [PacketFence-users] help

2018-12-11 Thread Caique Araujo via PacketFence-users
Hello Francis,

The configuration of my switch is marked as that option EXTERNAL PORTAL
ENFORCEMENT, and when I try to make the connection with the packetfence I
get the error in the attachment name: Error1 in attachment.
When the EXTERNAL PORTAL ENFORCEMENT Option is unchecked, it displays the
connection error, but no internet access, as per Attachment Error2.

Can there be any relation not to make the captive portal available?

On Thu, Dec 6, 2018 at 22:31, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Cousin,
>
> the error message is not related to your issue.
>
> do you have more log from packetfence.log file and from
> httpd.portal.access when you connect your device to the ssid ?
>
> Thanks
>
> Fabrice
>
>
> On 18-12-06 at 11:20, Caique Araujo via PacketFence-users wrote:
>
> Brother,
>
> I am deploying the Packetfence networking team with version 8.2. The type
> of configuration is web-auth ...
>
> What happens is that we have a physical topology, with the following ICs:
> Packetfence Server, WiSM System (AP Controller) and FortiGate Firewall.
>
> Firewall is the DHCP server for the Visitors network, which sends IP
> information, mask, gateway, and external DNS servers to the network.
>
> WiSM controls the SSID of the Visitors Network and acts as a bridge to
> Firewall and Packetfence and controls the ACLs for authentication access or
> redirect.
>
> My problem is this, when I try to authenticate by mobile access, the
> firewall delivers all the information, however, packetfence should give me
> a captive portal and a NOT IMPLEMENTED error!
>
> In the logs it displays the following message:
>
> pfhttpd: 06/Dec/2018:14:14:37 -0200 [ERROR 502 /api/v1/dhcp/stats] dial
> tcp 127.0.0.1:2: getsockopt: connection refused
>
>
>
> --
> Regards,
> Caique Araujo


-- 
Regards,
Caique Araujo