Re: [PacketFence-users] AD user group in the authentication source

2021-11-10 Thread E.P. via PacketFence-users
Thank you, Andrew,

This is exactly what I tried when Ludovic replied to me and showed his rule, but initially I couldn't add a rule with an empty condition.

I then deleted the source and recreated it with a rule looking like this, i.e. 
no condition and simple REJECT at the top.

Will test it tomorrow from the office

From: Andrew Jones via PacketFence-users
Sent: Monday, November 08, 2021 7:27 PM
To: packetfence-users@lists.sourceforge.net
Cc: Andrew Jones
Subject: Re: [PacketFence-users] AD user group in the authentication source

On 2021-11-09 09:46, E.P. via PacketFence-users wrote: 

Hello,

Trying to reach out again in the attempt to get some ideas or
insights.

My problems are still the same with conditions in the authentication
source.

Problem number one.

I want to have an authentication rule that looks like this
(Non-Staff-WiFi)

PF doesn’t like “not_equals” operand 

Problem number two:

If I have only one authentication rule, i.e. Staff-WiFi as shown
above, any user who successfully authenticates but is not a member of the
said AD group still gets access and is assigned the Staff-WiFi role

Eugene

Hi Eugene,
not_equals doesn't seem to make sense in the context of checking whether a user 
is a member of a group, because it's not a 1:1 relationship.
Can't you simply leave the condition empty (keep the rule, but remove the group 
check) for the second rule, and make it a catch-all that way? My understanding 
is that the first match wins and processing stops.
Andrew

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
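A small model of the first-match-wins rule evaluation this thread converges on (a "memberOf equals <group DN>" rule followed by an empty-condition catch-all REJECT), added here as an illustration; it is not PacketFence's own rule engine. The user records, group DNs, the `{"action": "REJECT"}` encoding, the case-insensitive DN comparison and the first-match-wins order are assumptions modelled on Andrew's reading and on the pftest output quoted in the thread.

```python
# Added illustration for this thread, NOT PacketFence's rule engine: a model
# of first-match-wins authentication rules with a "memberOf equals <group DN>"
# condition and an empty-condition catch-all REJECT. Users, DNs, the
# {"action": "REJECT"} encoding and the first-match-wins order are assumptions
# modelled on Andrew's reading and on the pftest output quoted in the thread.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed group DN standing in for the real "full DN of Group".
STAFF_DN = "CN=Staff-WiFi,OU=Groups,DC=example,DC=local"

# Constructed AD attributes as an LDAP lookup would return them. memberOf is
# multi-valued, so a group check is "some value equals", not a 1:1 comparison.
USERS: Dict[str, Dict[str, List[str]]] = {
    "jane.staff":  {"memberOf": [STAFF_DN, "CN=VPN,OU=Groups,DC=example,DC=local"]},
    "bob.staff":   {"memberOf": [STAFF_DN.upper()]},   # same group, different DN case
    "fake.user":   {"memberOf": ["CN=Contractors,OU=Groups,DC=example,DC=local"]},
    "svc.printer": {"memberOf": []},
}


@dataclass
class Rule:
    name: str
    conditions: List[Tuple[str, str, str]]  # (attribute, operator, value); [] = catch-all
    actions: Dict[str, str]                 # e.g. {"set_role": "Staff-WiFi"}
    match: str = "all"                      # "all" or "any" ("Matches ALL" in the thread)


def condition_holds(attrs: Dict[str, List[str]], attr: str, op: str, value: str) -> bool:
    """One condition against one user record. LDAP DNs compare case-insensitively,
    which this model approximates by lower-casing both sides (an assumption)."""
    values = attrs.get(attr, [])
    if op == "equals":
        return any(v.lower() == value.lower() for v in values)
    # The model deliberately has no not_equals: on a multi-valued attribute it is
    # ambiguous ("no value equals" vs. "some value differs"), which is Andrew's point.
    raise ValueError(f"unsupported operator: {op}")


def rule_matches(rule: Rule, attrs: Dict[str, List[str]]) -> bool:
    if not rule.conditions:
        return True  # empty condition list: catch-all
    results = [condition_holds(attrs, a, o, v) for a, o, v in rule.conditions]
    return all(results) if rule.match == "all" else any(results)


def evaluate(username: str, rules: List[Rule]) -> Tuple[str, Optional[str], Dict[str, str]]:
    """Return (outcome, rule_name, actions); outcome is 'accept', 'reject' or
    'no_match'. The first matching rule wins and processing stops."""
    attrs = USERS[username]
    for rule in rules:
        if rule_matches(rule, attrs):
            if rule.actions.get("action") == "REJECT":
                return ("reject", rule.name, {})
            return ("accept", rule.name, rule.actions)
    # Credentials were valid but no rule applied: this is the "Did not match ...
    # for 'authentication' rules" case in which the thread still saw access granted.
    return ("no_match", None, {})


STAFF_RULE = Rule("Staff-WiFi", [("memberOf", "equals", STAFF_DN)],
                  {"set_role": "Staff-WiFi", "set_unreg_date": "2022-12-31"})
CATCH_ALL_REJECT = Rule("Reject-others", [], {"action": "REJECT"})


def single_rule() -> List[Rule]:
    return [STAFF_RULE]                         # the original setup: non-members fall through


def with_catch_all() -> List[Rule]:
    return [STAFF_RULE, CATCH_ALL_REJECT]       # the fix the thread converges on


def catch_all_first() -> List[Rule]:
    return [CATCH_ALL_REJECT, STAFF_RULE]       # wrong order: rejects everyone


if __name__ == "__main__":
    for label, rules in (("single rule", single_rule()),
                         ("catch-all last", with_catch_all()),
                         ("catch-all first", catch_all_first())):
        for user in USERS:
            print(f"{label:16} {user:12} -> {evaluate(user, rules)}")
```

Running it shows the three outcomes side by side: with the single rule a non-member ends in `no_match` rather than an explicit reject, the trailing catch-all turns that into `reject`, and placing the catch-all first rejects staff as well.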


Re: [PacketFence-users] AD user group in the authentication source

2021-11-08 Thread E.P. via PacketFence-users
Hello,

Trying to reach out again in the attempt to get some ideas or insights.

My problems are still the same with conditions in the authentication source.

Problem number one.

I want to have an authentication rule that looks like this (Non-Staff-WiFi)

PF doesn't like "not_equals" operand

Problem number two:

If I have only one authentication rule, i.e. Staff-WiFi as shown above, any user who successfully authenticates but is not a member of the said AD group still gets access and is assigned the Staff-WiFi role

Eugene

From: E.P.
Sent: Tuesday, November 02, 2021 11:50 PM
To: 'Aaron Zuercher'
Cc: packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] AD user group in the authentication source

Aaron, it seems we are getting closer to the solution of the riddle.

I changed my authentication rules to match yours, i.e. Matches ALL and link "memberOf" to "equals"

It made the test from the CLI fail authentication for a user not belonging to the target AD group

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XX OPTIONS-AD-SOURCE
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
  Did not match against OPTIONS-AD-SOURCE for 'authentication' rules
  Did not match against OPTIONS-AD-SOURCE for 'administration' rules

But my real connection to the RADIUS protected SSID with this fake.user ID was 
successful

Not sure where to look next. Any other ideas or suggestions from Fabrice or Ludovic?

Eugene

From: Aaron Zuercher
Sent: Tuesday, November 02, 2021 12:26 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] AD user group in the authentication source

try memberOF equals

also my rules are set to MATCHES:  ALL

not sure if that would matter

On Tue, Nov 2, 2021 at 1:01 PM E.P. wrote:

Thank you, Aaron and Ludovic,

This is weird. Here's how the authentication rule looks in my AD source

Now, I'm testing the user that is NOT a member of Staff-WiFi AD group

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XX OPTIONS-AD-SOURCE
Testing authentication for "fake.user"
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
  Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi
set_role : Staff-WiFi
set_unreg_date : 2022-12-31
  Did not match against OPTIONS-AD-SOURCE for 'administration' rules

Eugene

From: Aaron Zuercher
Sent: Tuesday, November 02, 2021 10:52 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P.
Subject: Re: [PacketFence-users] AD user group in the authentication source

Mine is set up for memberOf equals "full DN of Group"

Aaron

On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users wrote:

I dare ask a stupid question.

What is the correct way to create a condition in the authentication source based on AD to verify the user's specific group membership?

I created a condition based on the "memberOf" attribute which is equal to the DN of the group. It seems it doesn't apply, or rather is not verified.

Any user from the AD domain who authenticates can connect via RADIUS.

Eugene


Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

2021-11-03 Thread E.P. via PacketFence-users
Thank you, Federico.

I read it all from the PF document 

All my APs are added as switches by IP addresses and belong to the same switch 
group.

Unifi controller is also member of this group.

Type is Ubiquiti::Unifi

And I’m having little challenges with the SSL certificate that I want to use 
for RADIUS.

It appears that the wildcard certificate that is in full use by the 
organization network devices can’t be used by PF. 

I uploaded it but after that all Windows OS supplicants stopped being able to 
login to RADIUS protected SSID using PEAP.

Thinking of a workaround but nothing comes to my mind

Eugene

From: Federico Alberto Sayd
Sent: Tuesday, November 02, 2021 7:18 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

Hello Eugene

That is the format that Unifi Controller uses to redirect to an external captive portal. You shouldn't worry about the URL format because PF redirects this request to the PF portal.

You have two ways to add APs to PacketFence. You can add every AP as a switch. You need to specify the AP MAC address and the parameters to connect to Unifi Controller (IP, user and password).

The second method is adding the controller as a switch. You need to add the controller's IP address in "IP Address/MAC Address/Range (CIDR)", select "Ubiquiti::Unifi" as type and also specify the controller's address again in "Controller IP Address".

Then you need to restart pfcron, run the task pfcron ubiquiti_ap_mac_to_ip and check the cached APs with the command "/usr/local/pf/bin/pfcmd cache switch_distributed list"

You can configure the certificates used for the portal in https:// :1443/admin#/configuration/certificate/http

On Tue, 2 Nov 2021 at 2:26, E.P. wrote:

I'm jumping into this thread as it got my interest as well because we are with Unifi and planning to deploy guest WiFi with WebAuth via the portal.

In the URL that Fabrice advised to configure I believe "s" is for the site name?

http:// /guest/s/default/

which is normally a random alphanumeric string?

Also, the output of "/usr/local/pf/bin/pfcmd cache switch_distributed list" doesn't show me any lists of APs. Is it supposed to be empty? I have a few APs already serving users and acting as RADIUS clients. I have them added by IP address.

I ran this one as well before:

/usr/local/pf/bin/pfcmd pfcron ubiquiti_ap_mac_to_ip

For the certificates I understand it has to be placed into this folder, am I correct?

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)

Eugene

From: Federico Alberto Sayd via PacketFence-users
Sent: Monday, November 01, 2021 9:59 AM
To: Fabrice Durand
Cc: Federico Alberto Sayd; egr...@jcc.com.ar; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

Hi Fabrice:

I am running Unifi Controller 6.4.54

I reworked my setup from scratch following Enrique's directions and it worked ok, then I rebooted the server and it didn't work anymore.

Now the packetfence.log shows this error when I want to authenticate clients using APs managed by Unifi Controller:

Nov  1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]: httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Can not load perl module for switch f0:9f:c2:f0:07:42, type: Ubiquiti::Unifi . The type is unknown or the perl module has compilation errors.  (pf::SwitchFactory::instantiate)
Nov  1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]: httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Unable to instantiate switch object using switch_id 'f0:9f:c2:f0:07:42' (pf::web::externalportal::handle)

Can you help me with this error?

Thank you

Federico

On Fri, 29 Oct 2021 at 9:31, Fabrice Durand wrote:

Hello Federico,

what version of the Ubiquiti controller are you running?

Also did you define the switch in the packetfence configuration (like by ip or mac?)

Last thing, can you try that http:// /guest/s/default/ (notice the / at the end).

Regards

Fabrice

On Wed. 27 Oct. 2021 at 02:27, Federico Alberto Sayd via PacketFence-users wrote:

Hi Enrique:

I followed the docs and added Unifi Controller as a switch and configured the 
web service credentials. PF automatically retrieves the APs managed by Unifi 

Re: [PacketFence-users] Rejected users logging via Windows

2021-11-03 Thread E.P. via PacketFence-users
Ludovic,

You caught me off guard with the question about PKI.

After I upgraded to PF ver 11.0 I was using PF native PKI.

Hence its sample certificate, i.e. C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, emailAddress=ad...@example.org

Of course we can't use it. Hence I tried to upload the wildcard certificate with the private key that was installed on many servers and network devices in our company without any issues. For some reason, as I demonstrated earlier, the Windows OS supplicant can't use or rather doesn't trust the RADIUS server presenting this certificate for the PEAP session.

I downloaded this wildcard certificate using the PF web interface by going into Edit under the RADIUS section.

I don't mind generating and using the certificate from within PF. As long as it uses the acceptable subject name and an issuer under our control we can live with it. But I don't see PF PKI anymore in the new version. I remember playing with PF CA earlier and was successful with configuring EAP-TLS

Eugene

From: Zammit, Ludovic
Sent: Tuesday, November 02, 2021 1:49 PM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Rejected users logging via Windows

Hello,

You can use the Web admin to install the RADIUS SSL cert.

Make sure to restart radiusd on all servers to apply the cert.

You can use the PF PKI and the PF PKI provisioner to install it on Windows for a Wireless interface. You could also download the cert from the PF web interface and install it manually on the device.

What's the PKI that you are using?

Thanks,


Ludovic Zammit
Product Support Engineer Principal
Akamai Technologies - Inverse

On Nov 2, 2021, at 2:18 PM, E.P. wrote:

Yes, Ludovic,

Apparently the certificate has some issues. RADIUS debug revealed this:

(18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
(18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: [eaptls process] = fail
(18) Tue Nov  2 11:06:07 2021: ERROR: eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(18) Tue Nov  2 11:06:07 2021: Debug: eap: Sending EAP Failure (code 4) ID 215 length 4
(18) Tue Nov  2 11:06:07 2021: Debug: eap: Failed in EAP select
(18) Tue Nov  2 11:06:07 2021: Debug: [eap] = invalid
(18) Tue Nov  2 11:06:07 2021: Debug:   } # authenticate = invalid

So, all I did was copy three files into the /usr/local/pf/raddb/certs folder

1.  Server.crt (the certificate issued by Godaddy CA)
2.  Server.key (private key)
3.  ca.pem (root CA)

I just wanted to replace this example certificate that PF uses for the EAP/TLS session

Is there any instruction how to generate a different certificate on PF that will be accepted by the Windows OS supplicant?

Eugene

From: Zammit, Ludovic
Sent: Tuesday, November 02, 2021 5:51 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P.
Subject: Re: [PacketFence-users] Rejected users logging via Windows

Hello EP,

It looks like the certificate passed to PF was not correct.

Use the command:

raddebug -f /usr/local/pf/var/run/radiusd.sock

Thanks,


Ludovic Zammit
Product Support Engineer Principal
Akamai Technologies - Inverse

Re: [PacketFence-users] AD user group in the authentication source

2021-11-03 Thread E.P. via PacketFence-users
Aaron, it seems we are getting closer to the solution of the riddle.

I changed my authentication rules to match yours, i.e. Matches ALL and link "memberOf" to "equals"

It made the test from the CLI fail authentication for a user not belonging to the target AD group

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XX OPTIONS-AD-SOURCE
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
  Did not match against OPTIONS-AD-SOURCE for 'authentication' rules
  Did not match against OPTIONS-AD-SOURCE for 'administration' rules

But my real connection to the RADIUS protected SSID with this fake.user ID was successful

Not sure where to look next. Any other ideas or suggestions from Fabrice or Ludovic?

Eugene

From: Aaron Zuercher
Sent: Tuesday, November 02, 2021 12:26 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] AD user group in the authentication source

try memberOF equals

also my rules are set to MATCHES:  ALL

not sure if that would matter

On Tue, Nov 2, 2021 at 1:01 PM E.P. wrote:

Thank you, Aaron and Ludovic,

This is weird. Here's how the authentication rule looks in my AD source

Now, I'm testing the user that is NOT a member of Staff-WiFi AD group

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XX OPTIONS-AD-SOURCE
Testing authentication for "fake.user"
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
  Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi
set_role : Staff-WiFi
set_unreg_date : 2022-12-31
  Did not match against OPTIONS-AD-SOURCE for 'administration' rules

Eugene

From: Aaron Zuercher
Sent: Tuesday, November 02, 2021 10:52 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P.
Subject: Re: [PacketFence-users] AD user group in the authentication source

Mine is set up for memberOf equals "full DN of Group"

Aaron

On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users wrote:

I dare ask a stupid question.

What is the correct way to create a condition in the authentication source based on AD to verify the user's specific group membership?

I created a condition based on the "memberOf" attribute which is equal to the DN of the group. It seems it doesn't apply, or rather is not verified.

Any user from the AD domain who authenticates can connect via RADIUS.

Eugene


Re: [PacketFence-users] AD user group in the authentication source

2021-11-02 Thread E.P. via PacketFence-users
Thank you, Aaron and Ludovic,

This is weird. Here's how the authentication rule looks in my AD source

Now, I'm testing the user that is NOT a member of Staff-WiFi AD group

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XX OPTIONS-AD-SOURCE
Testing authentication for "fake.user"
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
  Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi
set_role : Staff-WiFi
set_unreg_date : 2022-12-31
  Did not match against OPTIONS-AD-SOURCE for 'administration' rules

Eugene

From: Aaron Zuercher
Sent: Tuesday, November 02, 2021 10:52 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P.
Subject: Re: [PacketFence-users] AD user group in the authentication source

Mine is set up for memberOf equals "full DN of Group"

Aaron

On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users wrote:

I dare ask a stupid question.

What is the correct way to create a condition in the authentication source based on AD to verify the user's specific group membership?

I created a condition based on the "memberOf" attribute which is equal to the DN of the group. It seems it doesn't apply, or rather is not verified.

Any user from the AD domain who authenticates can connect via RADIUS.

Eugene


Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

2021-11-02 Thread E.P. via PacketFence-users
I'm jumping into this thread as it got my interest as well because we are with Unifi and planning to deploy guest WiFi with WebAuth via the portal.

In the URL that Fabrice advised to configure I believe "s" is for the site name?

http:// /guest/s/default/

which is normally a random alphanumeric string?

Also, the output of "/usr/local/pf/bin/pfcmd cache switch_distributed list" doesn't show me any lists of APs. Is it supposed to be empty? I have a few APs already serving users and acting as RADIUS clients. I have them added by IP address.

I ran this one as well before:

/usr/local/pf/bin/pfcmd pfcron ubiquiti_ap_mac_to_ip

For the certificates I understand it has to be placed into this folder, am I correct?

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)

Eugene

From: Federico Alberto Sayd via PacketFence-users
Sent: Monday, November 01, 2021 9:59 AM
To: Fabrice Durand
Cc: Federico Alberto Sayd; egr...@jcc.com.ar; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Trouble trying to enable captive portal with Unifi Controller (WebAuth)

Hi Fabrice:

I am running Unifi Controller 6.4.54

I reworked my setup from scratch following Enrique's directions and it worked ok, then I rebooted the server and it didn't work anymore.

Now the packetfence.log shows this error when I want to authenticate clients using APs managed by Unifi Controller:

Nov  1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]: httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Can not load perl module for switch f0:9f:c2:f0:07:42, type: Ubiquiti::Unifi . The type is unknown or the perl module has compilation errors.  (pf::SwitchFactory::instantiate)
Nov  1 13:39:33 srv-packetfence packetfence_httpd.portal[1512]: httpd.portal(1512) ERROR: [mac:XX:XX:XX:XX:XX:XX] Unable to instantiate switch object using switch_id 'f0:9f:c2:f0:07:42' (pf::web::externalportal::handle)

Can you help me with this error?

Thank you

Federico

On Fri, 29 Oct 2021 at 9:31, Fabrice Durand wrote:

Hello Federico,

what version of the Ubiquiti controller are you running?

Also did you define the switch in the packetfence configuration (like by ip or mac?)

Last thing, can you try that http:// /guest/s/default/ (notice the / at the end).

Regards

Fabrice

On Wed. 27 Oct. 2021 at 02:27, Federico Alberto Sayd via PacketFence-users wrote:

Hi Enrique:

I followed the docs and added Unifi Controller as a switch and configured the web service credentials. PF automatically retrieves the APs managed by Unifi Controller (I checked with the command "/usr/local/pf/bin/pfcmd cache switch_distributed list").

I don't know if there is some difference in adding every AP as a switch.

What do you mean by "valid certificate"? An HTTPS certificate for the captive portal?

I don't know how to configure the roles tab for the Unifi Controller in PF. I don't know how to construct the URL that goes in "Registration" in "Role Mapping by WebAuth URL".

Did you configure the roles tab in your setup?

Thanks for your help

On Tue, 26 Oct 2021 at 10:10, Enrique Gross wrote:

Hi Federico

We don't use webauth with Unifi, but I remember there was a post about this issue

After adding the Unifi Controller to PF, have you tried to add the unifi APs as a switch (by mac address)? Also, have you got a valid certificate on PF?

On the unifi side I use the "use secure portal" option and the dns redirect option

I have done a quick test on this, I'm redirected to the pf portal.

Enrique

On Mon, 25 Oct 2021 at 2:33, Federico Alberto Sayd via PacketFence-users wrote:

Hello:

I am trying to configure Packetfence as a captive portal for a guest wifi network managed with Unifi Controller (WebAuth Enforcement)

I want to redirect my guest wifi users to the captive portal in PacketFence and authenticate them with Google Workspace LDAP.

I followed the Network Device Configuration Guide and I added Unifi Controller as a switch in Packetfence config. The connection between Unifi Controller and PF is working fine, I can retrieve the list of APs managed by Unifi Controller with the command "/usr/local/pf/bin/pfcmd cache switch_distributed list"

I added a second interface in PF and enabled the portal service on it. I configured the portal IP as an external guest portal on Unifi Controller.

Also, I configured Google Workspace LDAP as auth source. I didn't specify any rules because I want the same auth source for all users.

In "Standard Connections Profile" I changed the default profile to point to Google-LDAP as auth

[PacketFence-users] Rejected users logging via Windows

2021-11-02 Thread E.P. via PacketFence-users
Hello,

A while ago someone asked this question here and there was no reply.

I hit it again and I have no clue; out of the blue, all authentication attempts from Windows OS fail:

Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)

No problem with mobile phones.

Trying to run RADIUS in debug mode using the old radiusd -X command, but on ver 11 it can't be found anymore.

Any ideas?

Eugene



[PacketFence-users] AD user group in the authentication source

2021-11-02 Thread E.P. via PacketFence-users
I dare ask a stupid question.

What is the correct way to create a condition in the authentication source based on AD to verify the user's specific group membership?

I created a condition based on the "memberOf" attribute which is equal to the DN of the group. It seems it doesn't apply, or rather is not verified.

Any user from the AD domain who authenticates can connect via RADIUS.

Eugene



Re: [PacketFence-users] Issues with Captive Portal and Unifi Wireless

2020-12-10 Thread E.P. via PacketFence-users
Thank you, Fabrice, as usual!

Yes, it looks like the maintenance patch was not applied (pf-maint.pl) as it started pulling lots of packages when I started it.

But to my frustration it all ended up with nothing:

[root@pf conf]# /usr/local/pf/bin/pfcmd pfcron ubiquiti_ap_mac_to_ip
Died at /usr/local/pf/lib/pf/Switch/Ubiquiti/Unifi.pm line 204.

Once again, I'm a bit confused. If I decide to define all APs by IP addresses (and I'd better do because there are many and they are all in one 172.19.0.0/16 subnet) then I can have one entry in the switches.conf file

[172.19.0.0]
description=Ubiquiti APs
ExternalPortalEnforcement=Y
type=Ubiquiti::Unifi
controllerIp=172.16.0.XXX
wsTransport=HTTPS
wsUser=admin
wsPwd=X

But if I decide to have every individual AP added then I need to have as many MAC-based entries as I have APs, all of them sharing the section for the Unifi controller IP?

Eugene

From: Durand fabrice via PacketFence-users
Sent: Wednesday, December 09, 2020 5:45 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Issues with Captive Portal and Unifi Wireless

Hello Eugene,

the probable issue is because the switch is not defined on the packetfence side. (18:e8:29:93:52:a8)

But you can add a switch range on pf (like 192.168.0.0/24 as switch id, set the controller ip and set the http credential to connect to the api) and there is a pfcron task that will try to find all the BSSIDs of all the APs and will map between the MAC and the IP of the AP.

First use the latest version + the maintenance patch (pf-maint.pl) and to force the task do:

./sbin/pfcron ubiquiti_ap_mac_to_ip

to see what you have in the cache:

./bin/pfcmd cache switch_distributed list

You should be able to see Ubiquiti-18:e8:29:93:52:a8 in the cache.

Then retry to hit the portal

Regards

Fabrice

On 2020-12-08 at 23:23, ypefti--- via PacketFence-users wrote:

Guys,

I'm resurrecting the old topic that I've never brought to a conclusion and implementation.

Asking for a second opinion of those who could do it and for Fabrice's and Ludovic's expertise.

Please help me! I do believe the Inverse team tested their product with Unifi WiFi.

I redirect a guest portal from Unifi to PF by using their option called "use external portal server"

The endpoint normally associates to a guest SSID and a web page comes up showing this error.

pf.options.bc.ca resolves normally to the IP address of PF that has the captive portal listening on that IP address.

What drives me mad and is unknown to me is how this URL is formed and why this URL contains the directory of Unifi controller, i.e. q4b0wgkk.

Of course it doesn't exist on PF and to me it is the reason I see "Not implemented".

What am I missing? I can also attach captures done during this connection attempt.

Eugene


[PacketFence-users] SMTP configuration to send PIN out via SMS

2020-12-10 Thread E.P. via PacketFence-users
Maybe this question has already been asked and I'm too lazy to google it, but maybe someone has fresh knowledge about it.

I'm trying to configure the SMTP server on PF to send emails out and specifically the PIN via SMS gateways.

I created an email account for this purpose on the internal mail server but the mail server rejects all attempts to send mail out because of the mismatch between the authentication username and the MAIL FROM header

Here's an extract from the log file in the mail server:

Wed 2020-12-09 23:32:06.635: Authenticating packetfe...@options.bc.ca...
Wed 2020-12-09 23:32:06.636: Authenticated as packetfe...@options.bc.ca
Wed 2020-12-09 23:32:06.636: --> 235 2.7.0 Authentication successful
Wed 2020-12-09 23:32:06.637: <-- MAIL FROM:
Wed 2020-12-09 23:32:06.638: --> 550 5.7.0 Authentication rejected
Wed 2020-12-09 23:32:06.638: Authentication does not match address given in MAIL command

Where would I change r...@pf.options.bc.ca for packetfe...@pf.options.bc.ca?

Eugene



Re: [PacketFence-users] Issues with Captive Portal and Unifi Wireless

2020-12-09 Thread E.P. via PacketFence-users
And one important addition to this riddle.

If I hit the captive portal page manually while being associated to the
guest SSID 

I see that PF rightfully complains that my computer was not found in the
database.

It has to be noted that this is Layer 3 deployment and there's no way to put
this endpoint to the registration VLAN.

The endpoint receives the IP address from the local firewall at the remote
site and can easily reach PF that is at the central location

 

Eugene

 

From: ype...@gmail.com  
Sent: Tuesday, December 08, 2020 8:24 PM
To: packetfence-users@lists.sourceforge.net
Subject: Issues with Captive Portal and Unifi Wireless

 

Guys,

I'm resurrecting the old topic that I've never brought to a conclusion and
implementation.

Asking for a second opinion of those who could do it and for Fabrice and
Ludovic expertise.

Please help me! I do believe Inverse team tested their product with Unifi
WiFi.

I redirect a guest portal from Unifi to PF by using their option called "use
external portal server"

The endpoint normally associates to a guest SSID and web page comes up
showing this error.

pf.options.bc.ca resolves normally to the IP address of PF, and the captive
portal listens on that IP address.

 



What drives me mad and is unknown to me is how this URL is formed and why
this URL contains the directory of Unifi controller, i.e. q4b0wgkk.

Of course it doesn't exist on PF and to me it is a reason I see "Not
implemented".

What am I missing ? I can also attach captures done during this connection
attempt. 

 

Eugene



Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-16 Thread E.P. via PacketFence-users
 and explore the SAN attribute in the certificate

 

Eugene

 

From: Michael Brown <michaelbrow...@yahoo.com>
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

Apache: CSR & SSL Installation (OpenSSL)
<https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>


Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  

 

 

 

 

On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote: 

 

 

More digging, more tries, more frustrations 
Further to my previous email. I replaced three files from the SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene


-Original Message-
From: ype...@gmail.com <ype...@gmail.com>
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' <li...@merit.unu.edu>
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."


This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from www.sslforfree.com And what's the 
correct procedure to install an SSL certificate to PF. Never saw it in the 
documentation.
I need it for a captive portal.

Eugene

-Original Message-
From: mj via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Wednesday, November 11, 2020 1:38 AM
To: packetfence-users@lists.sourceforge.net
Cc: mj <li...@merit.unu.edu>
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look a Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailinglist on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I d

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread E.P. via PacketFence-users
May I kindly ask to tell me what you did with certificate files, Colton?

Sent from iPhone

> On Nov 12, 2020, at 19:55, Colton Conor via PacketFence-users 
>  wrote:
> 
> 
> We use a wildcard on PF without a problem. 
> 
>> On Thu, Nov 12, 2020 at 3:51 PM Michael Brown via PacketFence-users 
>>  wrote:
>> I have a wildcard from Digicert and used this to get the cert:
>> Apache: CSR & SSL Installation (OpenSSL)
>> 
>> 
>> Also, when requesting the duplicate from Digicert it allows you to enter 
>> additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of 
>> the SANs when requesting the duplicate.  I also used WinSCP to connect to my 
>> packetfence server to get the csr and key files.  I know that's not needed 
>> but just thought I would mention it.  
>> 
>> 
>> 
>> 
>> On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
>> PacketFence-users  wrote:
>> 
>> 
>> More digging, more tries, more frustrations 
>> Further to my previous email. I replaced three files from the SSL folder with 
>> files that correspond to the new certificate, i.e.
>> /usr/local/pf/conf/ssl/server.key
>> /usr/local/pf/conf/ssl/server.crt
>> /usr/local/pf/conf/ssl/server.pem
>> 
>> PF web interface said bye-bye to me. Why do I see this error in 
>> /usr/local/pf/logs/httpd.webservices.error
>> 
>> Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
>> determine the server's fully qualified domain name, using 
>> fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to 
>> suppress this message
>> 
>> What happened to Apache and PF ?
>> 
>> And what drives me mad is the fact that if I put old certificate files back 
>> I still can't login via PF GUI.
>> Having this error:
>> 
>> A networking error occurred. Is the API service running?
>> 
>> Eugene
>> 
>> -Original Message-
>> From: ype...@gmail.com  
>> Sent: Thursday, November 12, 2020 11:26 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: 'mj' 
>> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF
>> 
>> Thank you, MJ,
>> It looks like questions asked here are replied selectively.
>> At least out of 4 questions that I asked only this one was finally "noticed" 
>> after the resend 
>> I wouldn't bother the list with my questions if the procedure is well 
>> documented and works.
>> The existing documentation mentions only this:
>> 
>> 
>> "Upon PacketFence installation, self-signed certificates will be created in 
>> /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can 
>> be replaced anytime by your 3rd-party or existing wild card certificate 
>> without problems. Please note that the CN (Common Name) needs to be the same 
>> as the one defined in the PacketFence configuration file (pf.conf)."
>> 
>> 
>> This is very confusing. We all know that CN in the wildcard certificate 
>> looks like this:
>> *.example.com
>> How would I make use of it with PF ?
>> 
>> If you refer me to Let's Encrypt certificates should I understand that I 
>> need to do it from www.sslforfree.com And what's the correct procedure to 
>> install an SSL certificate to PF. Never saw it in the documentation.
>> I need it for a captive portal.
>> 
>> Eugene
>> 
>> -Original Message-
>> From: mj via PacketFence-users 
>> Sent: Wednesday, November 11, 2020 1:38 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: mj 
>> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF
>> 
>> Hi Eugene,
>> 
>> The list has always been alive, from where we are. :-)
>> 
>> Anyway: I would encourage you to take a look a Let's Encrypt certificates 
>> with packetfence. I think they are a bit more secure than a wildcard 
>> certificate, plus they are free and work very well.
>> 
>> (there are some threads on this mailinglist on that subject)
>> 
>> Good luck,
>> MJ
>> 
>> On 11/10/20 5:31 PM, E.P. via Packet

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread E.P. via PacketFence-users
Thank you, Michael.

I did it almost the same way. 

What I don’t understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf is useless and 
not in use by PF

I will play and explore the SAN attribute in the certificate

 

Eugene

 

From: Michael Brown  
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

Apache: CSR & SSL Installation (OpenSSL)
<https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>


Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  

 

 

 

 

On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users  wrote: 

 

 

More digging, more tries, more frustrations 
Further to my previous email. I replaced three files from the SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene


-Original Message-
From: ype...@gmail.com <ype...@gmail.com>
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' <li...@merit.unu.edu>
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."


This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from www.sslforfree.com And what's the correct procedure to install an 
SSL certificate to PF. Never saw it in the documentation.
I need it for a captive portal.

Eugene

-Original Message-
From: mj via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Wednesday, November 11, 2020 1:38 AM
To: packetfence-users@lists.sourceforge.net
Cc: mj <li...@merit.unu.edu>
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look a Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailinglist on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again
> 
> 
> How would I install a wildcard SSL certificate on PF, see more details 
> below
> 
> Eugene
> 
> *From:* E.P. <ype...@gmail.com>
> *Sent:*

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-10 Thread E.P. via PacketFence-users
Since this group suddenly became alive I dare asking my previous again 

How would I install a wildcard SSL certificate on PF, see more details below

 

Eugene

 

From: E.P.  
Sent: Saturday, October 31, 2020 2:43 PM
To: packetfence-users@lists.sourceforge.net
Subject: Wildcard SSL certificate installation on PF

 

Guys,

I’m trying to overcome the issue with a self-signed SSL certificate that PF 
offers to WiFi authentication via captive portal.

This is a certificate that is in use by HTTPS sessions

 

Certificate/Key match
Chain is invalid

common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
issuer: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
not_after: Oct 7 15:29:09 2021 GMT
not_before: Oct 7 15:29:09 2020 GMT
serial: A500DC03671C0E35
subject: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca

 

Is there any way to import and install a company wild card SSL certificate into 
PF

 

Eugene



Re: [PacketFence-users] PacketFence certificate issues

2020-11-01 Thread E.P. via PacketFence-users
Anyone from PF support team to chime on it, please ?

Desperately trying to understand what's wrong.

One more thing from my investigation. The webpage that pops up when I
connect to a hotspot contains the following URL 

 

https://172.16.0.120/guest/s/q4b0wgkk/?ap=18:e8:29:93:52:a8=c4:9d:ed:8c:11:03=1604086233=http://www.msftconnecttest.com%2fredirect=Testing

 

172.16.0.120 is the IP address of PF management interface listening for
captive portal.

But q4b0wgkk is the folder name from Unifi controller. It doesn't exist on
PF. Why is it formed that way ?

c4:9d:ed:8c:11:03 is the MAC address of the endpoint 

And 18:e8:29:93:52:a8 is the AP indeed.

 

Eugene

 

From: ype...@gmail.com  
Sent: Friday, October 30, 2020 12:42 PM
To: packetfence-users@lists.sourceforge.net
Subject: PacketFence certificate issues

 

Guys,

Sorry for flooding you with questions regarding public WiFi via captive
portal.

I'm making baby steps going ahead and now ran into one more problem.

The endpoint (Windows 10) associates to a guest SSID and the web browser
opens up a page with a URL pointing to PacketFence (172.16.0.120)

It is reachable but the message on the page says: 

"Connect to Wi-Fi" with a "Connect" button.

All my attempts to click it doesn't do any result. But my capture of the
conversation between the endpoint and Packetfence is attached.

The endpoint (10.0.254.4) complains about the certificate (Fatal error) and
sends RST and closes the connection

Am I missing something ?

 

Eugene

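Added example, not from the thread, to make the redirect quoted above easier to read. The UniFi controller builds the "external portal server" URL itself, so the /guest/s/<site>/ path carries the controller's site id (q4b0wgkk here) rather than anything PacketFence knows about, and the client details travel in the query string; a portal that does not accept that path shape answers with an error before it ever sees the client. The Python below parses a constructed URL carrying the values from the post. Only the ap parameter survived in the archived message; the id, t, url and ssid parameter names are the UniFi external-portal names as I understand them and are an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the redirect quoted in the thread. Site id and
# MAC addresses are the ones from the post; the parameter names id, t, url and
# ssid are assumed (UniFi external-portal convention), since only ap= survived
# in the archived message.
SAMPLE_REDIRECT = (
    "https://172.16.0.120/guest/s/q4b0wgkk/"
    "?ap=18:e8:29:93:52:a8&id=c4:9d:ed:8c:11:03&t=1604086233"
    "&url=http://www.msftconnecttest.com%2fredirect&ssid=Testing"
)

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
SITE_PATH_RE = re.compile(r"^/guest/s/([^/]+)/?$")


def parse_unifi_redirect(url):
    """Split a UniFi external-portal redirect into its parts.

    Returns a dict with the controller site id (taken from the path; it is the
    controller's, not PacketFence's) and the validated client parameters.
    Raises ValueError when the URL does not have that shape.
    """
    parts = urlsplit(url)
    m = SITE_PATH_RE.match(parts.path)
    if not m:
        raise ValueError(f"not a /guest/s/<site>/ path: {parts.path!r}")
    qs = parse_qs(parts.query, keep_blank_values=True)

    def single(name):
        values = qs.get(name, [])
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} missing or repeated")
        return values[0]

    ap_mac = single("ap").lower()
    client_mac = single("id").lower()
    for label, mac in (("ap", ap_mac), ("id", client_mac)):
        if not MAC_RE.match(mac):
            raise ValueError(f"{label} is not a MAC address: {mac!r}")
    stamp = single("t")
    if not stamp.isdigit():
        raise ValueError(f"t is not an epoch timestamp: {stamp!r}")
    return {
        "site": m.group(1),
        "ap_mac": ap_mac,
        "client_mac": client_mac,
        "timestamp": int(stamp),
        # parse_qs already percent-decodes, so %2f comes back as '/'
        "original_url": single("url"),
        "ssid": qs.get("ssid", [""])[0],
    }


def is_unifi_redirect(url):
    """True when the URL parses cleanly as a UniFi external-portal redirect."""
    try:
        parse_unifi_redirect(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for key, value in parse_unifi_redirect(SAMPLE_REDIRECT).items():
        print(f"{key:13} {value}")
```

The validation matters on a portal that will register a node from these values: the client MAC comes straight from the query string, so anything that consumes it should insist on a well-formed address before it touches the node database.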


[PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-01 Thread E.P. via PacketFence-users
Guys,

I'm trying to overcome the issue with a self-signed SSL certificate that PF
offers to WiFi authentication via captive portal.

This is a certificate that is in use by HTTPS sessions

 

Certificate/Key match
Chain is invalid

common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
issuer: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
not_after: Oct 7 15:29:09 2021 GMT
not_before: Oct 7 15:29:09 2020 GMT
serial: A500DC03671C0E35
subject: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca

 

Is there any way to import and install a company wild card SSL certificate
into PF

 

Eugene

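Added example, not from any of the wildcard-certificate threads above: the recurring question is whether a certificate whose CN is *.example.com is usable for a host such as pf.example.com, and Michael Brown's advice was to put the portal hostname in the SAN. The Python below implements the hostname-matching rule browsers and 802.1X supplicants apply (RFC 6125 section 6.4.3: a wildcard is the whole leftmost label and stands for exactly one label, and the SAN dNSName entries take precedence over the CN whenever any SAN is present). The certificate descriptions are constructed; 127.0.0.1 is the CN of the self-signed certificate quoted in the thread, the example.com names are placeholders.

```python
# Constructed certificate descriptions (subject CN plus SAN dNSName list).
# 127.0.0.1 is the CN of the self-signed certificate quoted in the thread;
# the example.com names stand in for a site's real wildcard certificate.
SELF_SIGNED_DEFAULT = {"cn": "127.0.0.1", "san_dns": []}
WILDCARD_CN_ONLY = {"cn": "*.example.com", "san_dns": []}
WILDCARD_WITH_SAN = {"cn": "*.example.com",
                     "san_dns": ["*.example.com", "pf.example.com"]}


def wildcard_matches(pattern, hostname):
    """RFC 6125 6.4.3 matching of one presented DNS identifier against a hostname.

    Comparison is case-insensitive. A wildcard is accepted only as the whole
    leftmost label, it stands for exactly one label (so *.example.com covers
    pf.example.com but neither example.com nor portal.guest.example.com), and
    a wildcard on a two-label name such as *.com is refused. IP literals are
    not DNS names: a CN of 127.0.0.1 should be a SAN iPAddress entry instead,
    and this function does not treat it specially.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert, hostname):
    """Decide whether a client would accept `cert` for `hostname`.

    When the certificate carries any SAN dNSName, only those names count and
    the CN is ignored; the CN is consulted only as a fallback for legacy
    certificates without a SAN extension.
    """
    names = cert["san_dns"] if cert["san_dns"] else [cert["cn"]]
    return any(wildcard_matches(name, hostname) for name in names)


if __name__ == "__main__":
    for label, cert in (("self-signed default", SELF_SIGNED_DEFAULT),
                        ("wildcard CN only", WILDCARD_CN_ONLY),
                        ("wildcard with SAN", WILDCARD_WITH_SAN)):
        for host in ("pf.example.com", "example.com", "portal.guest.example.com"):
            print(f"{label:20} {host:26} {certificate_covers(cert, host)}")
```

The practical consequence for the captive portal is that the hostname clients are redirected to (the one configured in pf.conf) has to be covered by a SAN entry, either by the wildcard's single level or by an explicit pf.domain name; a CN alone is ignored by current clients once the certificate has a SAN at all.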


Re: [PacketFence-users] Wifi Hotspot with SMS OTP Authentication Needed

2020-10-30 Thread E.P. via PacketFence-users
Hello,
I looked through archive of the emails on the topic in the subject and found
that this question has never been answered. Is there any reference or at
least high level instruction how to do it ?

Eugene

-Original Message-
From: Sina Owolabi via PacketFence-users
 
Sent: Saturday, August 24, 2019 1:43 AM
To: packetfence-users@lists.sourceforge.net
Cc: Sina Owolabi 
Subject: [PacketFence-users] Wifi Hotspot with SMS OTP Authentication Needed

Hi!

Im looking for advice on wifi hotspot design where the captive portal
collects user registration data (which could change over time).

The hotspot captive portal needs to generate an OTP SMS and accept it for
authentication to allow internet access.
I was reading the docs and I saw packetfence uses Clickatell as an 'SMS
Authentication Source', but I didnt fully understand the configuration
description.

Can Packetfence work in this situation, perhaps as in a CentOS 7 KVM guest?
Can I get advice on if this would work?
I'm not averse to consulting on this if necessary and I dont mind a bit of
work getting it all to function.

Thanks!

-- 

cordially yours,

Sina Owolabi

+2348176469061




Re: [PacketFence-users] Can't login to PF admin page after upgrade to ver 9.1

2019-11-11 Thread E.P. via PacketFence-users
Yes, exactly. 

Sent from iPhone

> On Nov 11, 2019, at 04:41, Serhiy Morhun via PacketFence-users 
>  wrote:
> 
> I had the same error after an upgrade to 9.1. Rebooting the server resolved 
> it and I was able to log in again.
> 
> 
> 
> 
>> On Mon, Nov 11, 2019 at 3:31 AM E.P. via PacketFence-users 
>>  wrote:
>> Folks,
>> 
>> Ran an upgrade to ver 9.1
>> 
>> It went smoothly as I saw it, no issues noticed.
>> 
>> Tried to login to admin page and was challenged by this error message:
>> 
>>  
>> 
>> Couldn't find any information for the current token. Either it is invalid or 
>> it has expired.
>> 
>>  
>> 
>> Eugene
>> 
> 


[PacketFence-users] Can't login to PF admin page after upgrade to ver 9.1

2019-11-11 Thread E.P. via PacketFence-users
Folks, 

Ran an upgrade to ver 9.1

It went smoothly as I saw it, no issues noticed.

Tried to login to admin page and was challenged by this error message:

 

Couldn't find any information for the current token. Either it is invalid or
it has expired.

 

Eugene



Re: [PacketFence-users] Manual device registration to allow it to the network

2019-07-04 Thread E.P. via PacketFence-users
Hi Fabrice,

I’ll definitely try this method. For now I want to understand the logic of an 
endpoint authentication and authorization via RADIUS/801.x as there’s something 
that works different from how I expected (or rather doesn’t work)

Here’s a story. A user successfully authenticates against AD and I see this 
event in radius.log

 

Jul  4 06:34:25 PacketFence-ZEN auth[11338]: [mac:c4:9d:ed:8c:11:03] Accepted user: OPTIONS\it.tech and returned VLAN 2

Jul  4 06:34:25 PacketFence-ZEN auth[11338]: (177) Login OK: [OPTIONS\it.tech] (from client 172.19.254.2 port 0 cli c4:9d:ed:8c:11:03)

 

This VLAN 2 is set in registration under Roles in the switch. Ok, may be this 
is how it supposed to work before the endpoint is registered as opposed to the 
VLAN 10 which should be assigned upon device registration.

But can anyone explain me why the endpoint receives an IP address from the 
local DHCP server. This DHCP server listens on the sub-interface for this VLAN 
10. 

So what I see is that an endpoint receives an IP address but it can’t reach an 
IP address of its default gateway.

Ok once again, I don’t have any problem to manually register this endpoint and 
assign a specific role.

Having it done the endpoint gets online only after I reconnect it on the 
endpoint itself or via the wireless controller.

 

This behavior is observed on Windows 10 and it took quite a long time (about a 
minute) to authenticate and get an IP address without getting online.

But it doesn’t work at all for Mac OS and mobile devices (Apple iPads and 
Android tabs), namely, same registration VLAN 2 is assigned as per radius.log 
but an endpoint can’t receive an IP address via DHCP.

 

If it is OS specific behavior and I can’t do anything about it then it’s OK 
again but I want to make it work smooth and fast.

The target role for all endpoints that should be allowed to connect via this 
specific SSID is Staff and I’m assigning this role in the authentication rule 
for a specific authentication source.

The result of the test authentication for a user confirm it:

 

./pftest authentication it.tech 

 

Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'

  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication 
successful.)

  Matched against OPTIONS-AD-SOURCE for 'authentication' rules

set_unreg_date : 2019-12-31 11:53:24

set_role : Staff

 

What’s the point of assigning this role by a rule if in reality an endpoint 
doesn’t get assigned the required VLAN ID upon successful authentication 
against a specific SSID ?

Should I forget about VLAN 10 that is assigned to Staff role and only assign 
VLAN 10 to registration ?

 

Eugene

 

From: Durand fabrice via PacketFence-users 
 
Sent: Wednesday, July 03, 2019 5:52 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Manual device registration to allow it to the 
network

 

Hello Eugene,

it's something really easy to do.

First in the switch config assign -1 to the registration role (it will reject 
the device that is not reg) and assign the correct vlan id for the other roles.

Next create a connection profile with a filter that match the ssid and don't 
assign any sources.

And at the end register the device you want and assign a role manually.

That's it.

Regards

Fabrice

 

Le 19-07-03 à 14 h 44, E.P. via PacketFence-users a écrit :

Now I’m getting confused after trying to understand RADIUS enforcement.

Reading the document that says:

 

Using RADIUS enforcement, everytime a device connects to the network, a 
matching production VLAN will be assigned, depending on the rules in 
Configuration→Policies and Access Control→Authentication Sources

 

The only place (or rather configuration component) to assign VLAN is in Roles 
under the switch (or switch group) where I add VLAN ID in “Role mapping by VLAN 
ID”. Am I correct ?

 

So, for example, I have Staff role with VLAN 10 added to it in the switch 
group. 

Then upon a user successful authentication and a condition matching in the 
authentication rule the action is assigned, namely unregistration date and role 
assignment. 

 

It all works and the endpoint gets connected but its status shows as 
unregistered and role unassigned under Nodes section in PacketFence Web UI. But 
as it seems to me an endpoint gets connected because VLAN ID assignment is 
pushed from the Wireless system controller for a specific SSID. If I remove it 
and assign this duty to RADIUS then it doesn’t work.

An endpoint can’t connect because it doesn’t receive an IP address because the 
AP doesn’t put it to the required VLAN

 

Eugene

 

From: E.P. <ype...@gmail.com>
Sent: Wednesday, July 03, 2019 10:11 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'Nicolas Quiniou-Briand' <n...@inverse.ca>
Subject: RE: [PacketFence-users] Manual device registration to allow 

Re: [PacketFence-users] Failure to authenticate the user - user rejected

2019-07-03 Thread E.P. via PacketFence-users
That seemed to make the trick, Fabrice.

I realized that it had to do with the domain part that should be used in the 
whole string for the user ID.

I tried it both FQDN and NETBIOS domain name and it worked only for the former 
even though I have two realms accordingly. Anyways, thanks !

 

From: Durand fabrice via PacketFence-users 
 
Sent: Wednesday, July 03, 2019 5:54 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Failure to authenticate the user - user 
rejected

 

Hello Eugene,

in the realm config assign the correct domain to the null realm and restart 
radius.

Regards

Fabrice

Le 19-06-30 à 15 h 16, E.P. via PacketFence-users a écrit :

Guys,

Please point my eyes in the right direction in the attempt to understand what’s 
wrong.

Perhaps it has been discussed before here in this list but I failed to find an 
advice that would lead to a fix.

I followed the standard procedure to configure PF for out-of-band 
authentication with RADIUS, i.e.

REALM, Authentication source and rules are created, PF has joined the AD.

Pftest shows matching on authentication and rules usage.

Trying to authenticate a user via prepared wireless infrastructure and failing.

The error message in radius.log file:

 

Jun 30 19:06:15 PacketFence-ZEN auth[14695]: (12) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'

Jun 30 19:06:15 PacketFence-ZEN auth[14695]: (12)   Login incorrect (mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'): [it.tech] (from client 172.19.254.2 port 0 cli 18:81:0e:7c:3c:ed via TLS tunnel)

 

More details about this failure confirm it (from Auditing section of RADIUS tab 
)

 

RADIUS Request

NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "7CF82607D10A8E1F"
Service-Type = Framed-User
Called-Station-Id = "1a:e8:29:95:52:a8:Staff"
State = 0xca4368e4ca1a724922f2ea060748e538
FreeRADIUS-Proxied-To = 127.0.0.1
WLAN-Group-Cipher = 1027076
WLAN-Pairwise-Cipher = 1027076
Called-Station-SSID = "Staff"
Connect-Info = "CONNECT 0Mbps 802.11b"
Realm = "null"
EAP-Type = MSCHAPv2
NAS-IP-Address = 172.19.254.2
Calling-Station-Id = "18:81:0e:7c:3c:ed"
MS-CHAP-User-Name = "it.tech"
MS-CHAP-Challenge = 0xb89fd532c49532ed8705862bf6d1a71d
User-Name = "it.tech"
NAS-Identifier = "18E8299352A8E540DB07"
Event-Timestamp = "Jun 30 2019 19:06:45 UTC"
EAP-Message = 0x025900421a0259003d3117654048664c8c6cca60cf392f53009ba3e45e992bc0d9f32f0f1c21da7d122062526a5801d58f200069742e74656368
MS-CHAP2-Response = 0x597417654048664c8c6cca60cf392f53009ba3e45e992bc0d9f32f0f1c21da7d122062526a5801d58f20
Stripped-User-Name = "it.tech"
Framed-MTU = 1400
WLAN-AKM-Suite = 1027073
Module-Failure-Message = "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'"
Module-Failure-Message = "mschap: Reading winbind reply failed! (0xc001)"
User-Password = "**"
Module-Failure-Message = "Failed retrieving values required to evaluate condition"
SQL-User-Name = "it.tech"

 

Eugene

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Manual device registration to allow it to the network

2019-07-03 Thread E.P. via PacketFence-users
Hi Nicolas,

Yes, I of course mean dot1x 

My RADIUS authorization part is limited at this point, RADIUS doesn't assign 
the VLAN to the endpoint session.

Should I interpret your advice as meaning that I have to implement authorization via RADIUS, 
and only then will an unregistered/unassigned endpoint have no access until the 
manual assignment?

 

Eugene

 

-Original Message-
From: Nicolas Quiniou-Briand via PacketFence-users 
 
Sent: Wednesday, July 3, 2019 12:13 AM
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand 
Subject: Re: [PacketFence-users] Manual device registration to allow it to the 
network

 

Hello Eugene,

 

On 2019-07-03 8:10 a.m., E.P. via PacketFence-users wrote:

> Does it seem doable ?

 

Yes. When you say (via WPA2-Enterprise/RADIUS), you mean with 802.1X ?

 

> I compared two endpoints, one of them is registered with a role and 

> the other one is unregistered without a role and both have normal 

> access once they successfully authenticated

 

When you add a node to PF by hand, the device will be automatically registered with 
the role you assigned. Consequently, the RADIUS authorization step will not occur 
when the device is plugged into the network, only authentication.

--

Nicolas Quiniou-Briand

n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (http://fingerbank.org)

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Manual device registration to allow it to the network

2019-07-03 Thread E.P. via PacketFence-users
Now I’m getting confused after trying to understand RADIUS enforcement.

Reading the document that says:

 

Using RADIUS enforcement, everytime a device connects to the network, a 
matching production VLAN will be assigned, depending on the rules in 
Configuration→Policies and Access Control→Authentication Sources

 

The only place (or rather configuration component) to assign VLAN is in Roles 
under the switch (or switch group) where I add VLAN ID in “Role mapping by VLAN 
ID”. Am I correct ?

 

So, for example, I have a Staff role with VLAN 10 added to it in the switch 
group. 

Then, upon a user's successful authentication and a condition matching in the 
authentication rule, the actions are applied, namely the unregistration date and 
role assignment. 

It all works and the endpoint gets connected, but its status shows as 
unregistered and its role as unassigned under the Nodes section in the PacketFence 
Web UI. But as it seems to me, the endpoint gets connected because the VLAN ID 
assignment is pushed from the wireless system controller for a specific SSID. If 
I remove it and assign this duty to RADIUS then it doesn't work.

The endpoint can't connect because it doesn't receive an IP address, because the 
AP doesn't put it in the required VLAN.

 

Eugene
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Manual device registration to allow it to the network

2019-07-03 Thread E.P. via PacketFence-users
Folks,

My boss wants to manually allow devices that connect to a specific SSID (via
WPA2-Enterprise/RADIUS), and the way to do it is to manually register them
under the Nodes section and also assign them a role, including REJECT.

Does it seem doable ?

I compared two endpoints: one of them is registered with a role and the
other one is unregistered without a role, and both have normal access once
they successfully authenticate.

 

Eugene

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
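
The thread above turns on three things: which authentication rule matches (first match wins, a rule with no condition matches everyone), which VLAN the switch or switch group maps the resulting role to ("Role mapping by VLAN ID"), and what the wireless controller does with that VLAN. The model below is an added example, not PacketFence code, that walks a user through those steps and shows why a client can end up on the network with no role (static SSID VLAN, no matching rule) or with no address (dynamic VLAN enabled, reply carries no VLAN). The AD group DN, the non-staff group list, the static SSID VLAN 20 and the catch-all REJECT rule are constructed; VLAN 10 for the Staff role comes from the thread. The access-point behaviour is a simplification of what was observed: with dynamic VLAN assignment off the SSID's static VLAN is used regardless of the reply, with it on the RFC 3580 tunnel attributes are honoured and a reply without them leaves the client with no VLAN.

```python
"""Rule -> role -> VLAN id -> RFC 3580 tunnel attributes -> what the AP does.

Added example, not PacketFence code. Assumes: rules are tried in order and the
first match wins; a matched rule's action sets the role; ROLE_TO_VLAN stands in
for the switch group's "Role mapping by VLAN ID". Sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    member_of: Optional[str]   # AD group DN the user must be in; None = no condition
    role: Optional[str]        # role the action assigns; None = REJECT


# Constructed sample data; VLAN 10 for the Staff role is the value from the thread.
STAFF_GROUP = 'CN=Staff-WiFi,OU=Groups,DC=example,DC=local'
ROLE_TO_VLAN: Dict[str, int] = {'Staff': 10}
RULES_WITH_CATCHALL = [Rule('Staff-WiFi', STAFF_GROUP, 'Staff'),
                       Rule('Everyone-else', None, None)]   # catch-all REJECT, last
RULES_STAFF_ONLY = [Rule('Staff-WiFi', STAFF_GROUP, 'Staff')]


def match_rule(rules: List[Rule], user_groups: List[str]) -> Optional[Rule]:
    """First rule whose condition holds wins. A rule without a condition always
    matches, which is what makes it a catch-all when it is placed last."""
    for rule in rules:
        if rule.member_of is None or rule.member_of in user_groups:
            return rule
    return None


def build_reply(rules: List[Rule], user_groups: List[str],
                role_to_vlan: Dict[str, int]) -> dict:
    """RADIUS reply for a user whose credentials AD has already accepted."""
    rule = match_rule(rules, user_groups)
    if rule is None:
        # Valid credentials but no rule matched: accepted, yet no role and no VLAN
        # (the node stays unregistered with no role, as described in the thread).
        return {'code': 'Access-Accept', 'role': None}
    if rule.role is None:
        return {'code': 'Access-Reject', 'role': None}
    reply = {'code': 'Access-Accept', 'role': rule.role}
    vlan = role_to_vlan.get(rule.role)
    if vlan is not None:
        # RFC 3580 VLAN assignment: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6)
        reply.update({'Tunnel-Type': 13, 'Tunnel-Medium-Type': 6,
                      'Tunnel-Private-Group-Id': str(vlan)})
    return reply


def effective_vlan(reply: dict, ssid_static_vlan: int, dynamic_vlan: bool) -> Optional[int]:
    """VLAN the client actually lands in, or None when it gets no network at all."""
    if reply['code'] != 'Access-Accept':
        return None
    if not dynamic_vlan:
        return ssid_static_vlan          # controller ignores the tunnel attributes
    vlan = reply.get('Tunnel-Private-Group-Id')
    return int(vlan) if vlan is not None else None


if __name__ == '__main__':
    staff = [STAFF_GROUP, 'CN=Domain Users,CN=Users,DC=example,DC=local']
    others = ['CN=Domain Users,CN=Users,DC=example,DC=local']
    for label, rules in (('with catch-all', RULES_WITH_CATCHALL),
                         ('staff rule only', RULES_STAFF_ONLY)):
        for who, groups in (('staff', staff), ('non-staff', others)):
            reply = build_reply(rules, groups, ROLE_TO_VLAN)
            print(f"{label:16} {who:10} {reply['code']:14} role={reply['role']} "
                  f"static-SSID-VLAN={effective_vlan(reply, 20, False)} "
                  f"dynamic-VLAN={effective_vlan(reply, 20, True)}")
```

The last row of the output is the situation from the thread: a staff-only rule set, a user outside the group, a static SSID VLAN. The reply is an Access-Accept with no role, the AP puts the client in VLAN 20 anyway, and PF shows the node as unregistered with no role. Turning on dynamic VLAN without a matching rule gives the same Access-Accept but no VLAN, so the client never gets an address; a trailing catch-all REJECT rule is what turns "no match" into an explicit reject.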


Re: [PacketFence-users] Active Directory Authentication Source

2019-07-03 Thread E.P. via PacketFence-users
Hi Chad,

It would be very useful to know a bit about the AD architecture.

Overall, you can of course use any user from your AD, but whatever was written 
in the documentation was done for a reason.

This is how it all works. 

The procedure is pretty simple. I used this document to configure only the 
RADIUS part of PacketFence:

 

https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#eap-authentication-against-openldap

 

And start reading from this section - Microsoft Active Directory (AD)

 

Eugene

 

From: Chadwick Boseman via PacketFence-users 
 
Sent: Tuesday, July 02, 2019 9:27 PM
To: packetfence-users@lists.sourceforge.net
Cc: Chadwick Boseman 
Subject: [PacketFence-users] Active Directory Authentication Source

 

Hi, I am new to Packetfence or even NAC, and now I am trying to deploy 
Packetfence for a PoC need..

So I have followed steps from the documentation here : 
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_going_through_the_configurator

And I have reached the part 


5.2. Connecting PacketFence to Microsoft Active Directory 

 


and I am concerned about the authentication source using the AD part. Since the 
documentation doesn't show any detailed or example configuration, I did some 
research on someone else's deployment on YouTube, and it is said that to add 
the AD as an authentication source, we need the AD path of a user with domain 
admin rights for the "Bind DN" field, and also, to join the domain and test the 
authentication source, the username and password of the AD admin.

My question is, can I use another user's username and password to join the domain, 
and can I use the path of a normal user (not an AD admin) for the Bind DN?

Because I am afraid that if I use the AD admin account and I make some mistake 
on my PF, it would affect the AD configuration :(  (I know next to nothing 
about AD too.. sorry)

 

I'd really appreciate it if someone could give me an answer/explanation about it

Thanks in advance..

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Failure to authenticate the user - user rejected

2019-06-30 Thread E.P. via PacketFence-users
Guys,

Please point my eyes in the right direction in the attempt to understand
what's wrong.

Perhaps it has been discussed before here in this list but I failed to find
an advice that would lead to a fix.

I followed the standard procedure to configure PF for out-of-band
authentication with RADIUS, i.e.

REALM, Authentication source and rules are created, PF has joined the AD.

Pftest shows matching on authentication and rules usage.

Trying to authenticate a user via prepared wireless infrastructure and
failing.

The error message in radius.log file:

 

Jun 30 19:06:15 PacketFence-ZEN auth[14695]: (12) mschap: ERROR: Program
returned code (1) and output 'Reading winbind reply failed! (0xc001)'

Jun 30 19:06:15 PacketFence-ZEN auth[14695]: (12)   Login incorrect (mschap:
Program returned code (1) and output 'Reading winbind reply failed!
(0xc001)'):

[it.tech] (from client 172.19.254.2 port 0 cli 18:81:0e:7c:3c:ed via TLS
tunnel)

 

More details about this failure confirm it (from the Auditing section of the RADIUS
tab):

 

RADIUS Request

 

NAS-Port-Type = Wireless-802.11

Acct-Session-Id = "7CF82607D10A8E1F"

Service-Type = Framed-User

Called-Station-Id = "1a:e8:29:95:52:a8:Staff"

State = 0xca4368e4ca1a724922f2ea060748e538

FreeRADIUS-Proxied-To = 127.0.0.1

WLAN-Group-Cipher = 1027076

WLAN-Pairwise-Cipher = 1027076

Called-Station-SSID = "Staff"

Connect-Info = "CONNECT 0Mbps 802.11b"

Realm = "null"

EAP-Type = MSCHAPv2

NAS-IP-Address = 172.19.254.2

Calling-Station-Id = "18:81:0e:7c:3c:ed"

MS-CHAP-User-Name = "it.tech"

MS-CHAP-Challenge = 0xb89fd532c49532ed8705862bf6d1a71d

User-Name = "it.tech"

NAS-Identifier = "18E8299352A8E540DB07"

Event-Timestamp = "Jun 30 2019 19:06:45 UTC"

EAP-Message =
0x025900421a0259003d3117654048664c8c6cca60cf392f53009ba3e45e
992bc0d9f32f0f1c21da7d122062526a5801d58f200069742e74656368

MS-CHAP2-Response =
0x597417654048664c8c6cca60cf392f53009ba3e45e992bc0d9f32f0f1c
21da7d122062526a5801d58f20

Stripped-User-Name = "it.tech"

Framed-MTU = 1400

WLAN-AKM-Suite = 1027073

Module-Failure-Message = "mschap: Program returned code (1) and output
'Reading winbind reply failed! (0xc001)'"

Module-Failure-Message = "mschap: Reading winbind reply failed!
(0xc001)"

User-Password = "**"

Module-Failure-Message = "Failed retrieving values required to evaluate
condition"

SQL-User-Name = "it.tech"

 

Eugene

 

 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] PF 9.0.1 initial setup is stuck on database page

2019-06-20 Thread E.P. via PacketFence-users
Hello guys,

I wish someone could explain something to me that I don't understand. I just 
recently found time to get back to this installation.

It looks like it was installed and the initial installation script completed.

During the setup I changed the IP address that PF acquired via DHCP 
(172.16.2.134), set it manually to 172.16.0.222 and gave this IP the management 
role.

I can now access its Web GUI via this IP. But why does the appliance keep the 
initial IP address it received, and show that it is still bound to its eth0 
interface?

And I can access PF using this IP too.

 

[root@PacketFence-ZEN ~]# ifconfig

OPTIONSAD-b: flags=4163  mtu 1500

inet 169.254.0.2  netmask 255.255.255.252  broadcast 169.254.0.3

inet6 fe80::8890:aeff:fe57:1cfc  prefixlen 64  scopeid 0x20

ether 8a:90:ae:57:1c:fc  txqueuelen 1000  (Ethernet)

RX packets 69  bytes 12680 (12.3 KiB)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 67  bytes 13778 (13.4 KiB)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

eth0: flags=4163  mtu 1500

inet 172.16.2.134  netmask 255.255.252.0  broadcast 172.16.3.255

inet6 fe80::20c:29ff:febc:4c26  prefixlen 64  scopeid 0x20

ether 00:0c:29:bc:4c:26  txqueuelen 1000  (Ethernet)

RX packets 9625242  bytes 831835734 (793.3 MiB)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 68530  bytes 60794099 (57.9 MiB)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

lo: flags=73  mtu 65536

inet 127.0.0.1  netmask 255.0.0.0

inet6 ::1  prefixlen 128  scopeid 0x10

loop  txqueuelen 1  (Local Loopback)

RX packets 309453434  bytes 59723935332 (55.6 GiB)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 309453434  bytes 59723935332 (55.6 GiB)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

Also, what is the significance of the new interface, i.e. OPTIONSAD-b? I 
created an Active Directory domain by this name. Why create an interface for it?

And finally, I am still trying to understand: if I'm going to use PF only for 
out-of-band RADIUS/dot1x authentication, do I need any other roles?

I'm not going to use VLAN enforcement, at least for now.

 

Eugene

 

 

From: Sajawal Ghani via PacketFence-users 
 
Sent: Tuesday, June 11, 2019 6:32 AM
To: packetfence-users@lists.sourceforge.net
Cc: Sajawal Ghani 
Subject: Re: [PacketFence-users] PF 9.0.1 initial setup is stuck on database 
page

 

Hello, 

Indeed it is making it to the users-list. Otherwise, I wouldn't receive this 
email. 

 

What’s the point of setting it to management type?

 

The IP address with which you access the web portal of PacketFence would appear 
by default on the second screen (after you select the enforcement). There you 
must set it as management, because PacketFence has to know which address you 
would use to access the PF web portal. 

Secondly, I used VLAN enforcement for my PF environment and later I also used the 
built-in RADIUS services for authentication of end devices. For me it was also 
difficult in the beginning, but now everything seems to work. If there is no 
particular reason for choosing RADIUS enforcement, perhaps try VLAN 
enforcement. This guide might be useful to you: 

 

http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN-5.4.0.pdf

Re: [PacketFence-users] PF 9.0.1 initial setup is stuck on database page

2019-06-11 Thread E.P. via PacketFence-users
Hi Nicholas and Sajawal,

Thank you for attempting to help.

Apparently I missed the type of the interface, which should have been assigned 
to management.

This is a bit misleading and confusing. The IP address assigned to the 
appliance without any roles is for management purposes indeed. What's the point 
of setting it to the management type? 

Also, I selected the RADIUS role on the first page because without any roles the 
installation script doesn't allow me to go ahead. Would it mean that the RADIUS 
daemon will use the same IP address as was assigned to the appliance management?

 

Eugene

 

From: Nicholas Pier <09np...@gmail.com> 
Sent: Sunday, June 9, 2019 8:34 AM
To: E.P. 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PF 9.0.1 initial setup is stuck on database 
page

 

Eugene,

 

I don't know exactly where the setup logs to. Perhaps packetfence.log? It 
might be worthwhile to watch the file sizes in the /usr/local/pf/logs directory 
to see which files are growing during installation, or just "tail" them. 
Perhaps one can lead you towards a cause? That said, have you tried 
re-deploying with a fresh appliance? I don't think this is typical behaviour. 

tcp/1443 should be the SSL-protected web page where you're doing setup currently 
and ultimately administration of the solution. PacketFence doesn't start most 
of its processes until the final step of setup, so I wouldn't expect to see 
RADIUS, HTTPS on 443 and other ports yet.

 

Nicholas P. Pier
Network & Virtualization Engineer
CCNP RS, PCSNSE7, VCIX6-DCV, VCIX6-NV

From: Nicholas Pier <09np...@gmail.com>
Sent: Saturday, June 08, 2019 5:53 PM
To: packetfence-users@lists.sourceforge.net
Cc: E.P. <ype...@gmail.com>
Subject: Re: [PacketFence-users] PF 9.0.1 initial setup is stuck on database page

 

Hey Eugene,

 

Yes, your email is making the users mailing list.

 

I haven't been able to reproduce your problem in any recent installations of 
the Zen appliance. Can you confirm that you set the root password, created the 
pf database tables, and set the pf user credentials before proceeding? In the 
past, I've been stuck by not re-entering the root user's password after setting 
it to something other than the default "blank" password. This prevented me from 
completing the following steps. 

 

Could you provide some insight as to what OS, and browser you're using? Context 
would be helpful. 

 

Nicholas P. Pier
Network & Virtualization Engineer
CCNP RS, PCSNSE7, VCIX6-DCV, VCIX6-NV

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] PF 9.0.1 initial setup is stuck on database page

2019-06-09 Thread E.P. via PacketFence-users
Hi Nicholas, 

I very much appreciate your replying to my email on Saturday night. 

Pleased and grateful indeed. 

Yes, there were three screens of the initial setup: the first where I checked 
"RADIUS enforcement", then I changed the DHCP IP address to a static one, and then on 
the third screen I set up the root password, tested it OK, then added the pf user and 
everything was successful. Clicking "Continue" stopped the process.

I tried the deployment two times; once again, it is ZEN (Zero Effort NAC), which I 
believe is based on Red Hat. And I used both Firefox and Chrome.

 

Eugene

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] PF 9.0.1 initial setup is stuck on database page

2019-06-09 Thread E.P. via PacketFence-users
Moreover, after a few minutes the page stopped responding entirely. I would 
assume that if something goes wrong with the database parameters setup, it is not a 
condition of the initial setup script to make PF stop responding. I see port 
1443 is open in the system while running "netstat" and it is used by the httpd 
process.

Any logs that would be indicative and useful to understand what makes it not 
complete the setup?

 

Eugene

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] PF 9.0.1 initial setup is stuck on database page

2019-06-08 Thread E.P. via PacketFence-users
Hey guys,

Maybe I'm special or there is bad witchcraft on me.

After a long time I got back to PacketFence, as we still need to secure
Ubiquiti UniFi WiFi with dot1x via RADIUS.

Well, I'm trying to install the zero-effort appliance and I'm stuck at the initial pages
after creating the database user. 

Clicking on the "Continue" button doesn't move it ahead. Opening the same page,

namely https://172.16.0.223:1443/configurator/database, in another browser
window doesn't even fetch the page.

The VM seems to be online and I can access it via SSH.

What is wrong?

 

Eugene

 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] PF 9.0.1 initial setup is stuck on database page

2019-06-08 Thread E.P. via PacketFence-users
I would appreciate it if anyone could reply and confirm that this email is making it
to the packetfence users list.

 

Eugene
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] PF 7.4 with 'Reading winbind reply failed!'

2018-03-15 Thread E.P. via PacketFence-users
Hi Fabrice
Thank you for looking into it.
Well, I may be damned, but after running "pfcmd configreload hard" I finally see 
the desired result, i.e.
my realm OPTIONS, after being created, allows me to authenticate using this realm 
and its linked AD domain.
Hurray, the winbind error is gone.
But my matching rules in the authentication source still don't work.
I'll continue in a separate email with a different subject to handle the problems 
easily.

Eugene




session-state:Module-Failure-Message := "mschap: Program returned code (1) and 
output 'Reading winbind reply failed! (0xc001)

-Original Message-
From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Wednesday, March 14, 2018 5:22 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] PF 7.4 with 'Reading winbind reply failed!'

Hello Eugene,

when you create a realm in packetfence and you restart the radius server (pfcmd 
service radius restart) then you should have the realm defined in the 
proxy.conf.inc file.

So from the admin gui, create the realm, do pfcmd configreload hard and pfcmd 
service radius restart.

If the proxy.conf.inc file is still empty then open an issue on github.

Regards

Fabrice



Le 2018-03-13 à 22:00, E.P. via PacketFence-users a écrit :
> Hi Chris,
> Welcome on board, we are in the same boat with someone else here with the 
> same error message.
> I already provided Fabrice with all sort of answers here kindly requested 
> trying to help me but we are still at nowhere.
> Hoping this issue will be a spotlight 
>
> Eugene
>
> -Original Message-
> From: Christian Sudec via PacketFence-users 
> [mailto:packetfence-users@lists.sourceforge.net]
> Sent: Tuesday, March 13, 2018 8:33 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Christian Sudec <c.su...@htlwrn.ac.at>
> Subject: [PacketFence-users] PF 7.4 with 'Reading winbind reply failed!'
>
> Hi!
>
> Currently installed PacketFence 7.4 on Debian 8.0 (latest patchlevel) 
> as described in the 'Administrators Guide', chapters 1 to 6 and 9 to
> 10.2 - as you see I just want RADIUS enforcement (for 802.1x) to work.
>
> PF is bound to our active directory domain and I also created two new realms 
> as told in chapter 10.7, but sadly everytime I connect a supplicant and type 
> in my ad-user and password, it get's rejected with the following log entry in 
> Auditing:
> chrooted_mschap: Program returned code (1) and output 'Reading winbind reply 
> failed! (0xc001)'
>
> I searched the lists but apart from a "permissions problem" I couldn't find 
> anything useful, which is why I'm kindly asking for help!
>
> regards
> Chris
>
> --
>  Check out the vibrant tech community on one of the world's 
> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot 
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>


Re: [PacketFence-users] No roles assignment and no rules matching in the authentication source

2018-03-15 Thread E.P. via PacketFence-users
Ok, let’s try to tackle this issue again.

As Fabrice suggested to me initially, I was supposed to install two patches.

I did my best but, as Ian rightfully noticed, I don’t have them applied properly.

Is there anything else I can do to forcefully install them?

Moreover, do they really have anything to do with an error in matching conditions?

Once again, this is what I see in packetfence.log file about it

 

+

Mar 15 07:40:23 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: 
[mac:3c:2e:ff:3b:c7:ca] Instantiate profile Staff-connection-profile 
(pf::Connection::ProfileFactory::_from_profile)

Mar 15 07:40:23 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: 
[mac:3c:2e:ff:3b:c7:ca] Found authentication source(s) : 'OPTIONS-AD-SOURCE' 
for realm 'options' (pf::config::util::filter_authentication_sources)

Mar 15 07:40:23 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN: 
[mac:3c:2e:ff:3b:c7:ca] Calling match with empty/invalid rule class. Defaulting 
to 'authentication' (pf::authentication::match2)

Mar 15 07:40:23 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: 
[mac:3c:2e:ff:3b:c7:ca] Using sources OPTIONS-AD-SOURCE for matching 
(pf::authentication::match2)

++

 

And here’s an extract from authentication.conf file defining my source

 

+++

 

[OPTIONS-AD-SOURCE]

cache_match=0

read_timeout=10

realms=options

password=

scope=base

binddn=CN=ADintegrator,CN=Users,DC=options,DC=bc,DC=ca

port=389

description=Options-AD-Source

write_timeout=5

type=AD

basedn=CN=Users,DC=options,DC=bc,DC=ca

set_access_level_action=

usernameattribute=sAMAccountName

connection_timeout=5

stripped_user_name=no

encryption=none

host=172.16.0.104

email_attribute=mail

 

[OPTIONS-AD-SOURCE rule Staff-WiFi]

action0=set_role=Staff

condition0=memberOf,equals,CN=Staff-WiFi,CN=Users,DC=options,DC=bc,DC=ca

match=any

class=authentication

action1=set_unreg_date=2019-12-31

description=Evaluates Staff-WiFi AD group membership

++

 

Eugene

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Tuesday, March 13, 2018 6:46 PM
To: packetfence-users@lists.sourceforge.net
Cc: 'Ian MacDonald' <i...@netstatz.com>
Subject: RE: [PacketFence-users] No roles assignment and no rules matching in 
the authentication source

 

Hi Ian,

I’d love to make sure that the patch is applied properly and that’s why I sent 
the output to this list, hoping to hear from Fabrice (or someone) as to why it 
failed. I honestly have no idea what is going on. The patch didn’t want to 
apply via the curl command, so I pulled it with wget.

Then I tried to apply it as shown below, and the results are also shown.

I’m sort of desperate already and holding on to the hope that PF is a solution 
free of surprises/unknowns and excessive administrative overhead.

 

Eugene

 

 

From: Ian MacDonald via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Monday, March 12, 2018 10:17 AM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: Ian MacDonald <i...@netstatz.com <mailto:i...@netstatz.com> >
Subject: Re: [PacketFence-users] No roles assignment and no rules matching in 
the authentication source

 

Eugene, 

 

On the note of patch application: are you sure you applied the entire patch? 
The output of your patching below indicates 3 hunks that still need to be 
manually applied.

 

cheers,

Ian 

 

 [root@PacketFence-ZEN pf]# patch -p1 < 
./34405d44b203ce2fd4a4dac435ff62d69c4ed00f.diff

 patching file lib/pf/config.pm <http://config.pm>  

 Hunk #1 succeeded at 326 (offset 5 lines).

 Hunk #2 FAILED at 947.

 1 out of 2 hunks FAILED -- saving rejects to file lib/pf/config.pm.rej

 

 

 [root@PacketFence-ZEN pf]# patch -p1 < 
1eef967ad1ee589136a097166c440cb30107ddfb.diff

 patching file lib/pf/enforcement.pm <http://enforcement.pm>  

 Reversed (or previously applied) patch detected!  Assume -R? [n] n

 Apply anyway? [n] y

 Hunk #1 FAILED at 43.

 Hunk #2 FAILED at 169.

 2 out of 2 hunks FAILED -- saving rejects to file lib/pf/enforcement.pm.rej

 

On Sun, Mar 11, 2018 at 6:44 PM, E.P. via PacketFence-users 
<packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> > wrote:

And also this issue still bothers me, Fabrice.

I applied the patch, but it is all about deauthentication.

What does it have to do with role assignment and conditions not matching in the 
authentication source?

Are there any other logs or outputs to analyze to find the root cause?

 

Eugene

 

From: Fabrice Durand [mailto:fdur...@inverse.ca <mailto:fdur...@inverse.ca> ] 
Sent: Thursday, March 08, 2018 11:30 AM


To: E.P. <y
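The rule evaluation this thread keeps circling back to (a single `Staff-WiFi` rule with a `memberOf,equals,...` condition, and nothing to catch the users it does not match) can be modelled offline. This is an added example, not PacketFence code: it parses a constructed extract of `authentication.conf` modelled on the one posted above and evaluates the rules against constructed LDAP attribute sets. Assumptions not confirmed by the thread: rules are tried in order and the first match wins, `match=any` needs one condition and `match=all` needs all, a rule with no `conditionN` keys matches everyone, and `REJECT` in the hypothetical catch-all is a valid role name.

```python
"""Model of how an authentication source's rules are applied to a user.

Added example, not PacketFence code; see the assumptions in the lead-in.
"""
import configparser

# Constructed extract modelled on the authentication.conf posted in the thread.
AUTH_CONF = """
[OPTIONS-AD-SOURCE]
type=AD
realms=options
basedn=CN=Users,DC=options,DC=bc,DC=ca
usernameattribute=sAMAccountName

[OPTIONS-AD-SOURCE rule Staff-WiFi]
class=authentication
match=any
condition0=memberOf,equals,CN=Staff-WiFi,CN=Users,DC=options,DC=bc,DC=ca
action0=set_role=Staff
action1=set_unreg_date=2019-12-31
description=Evaluates Staff-WiFi AD group membership
"""

# Hypothetical second rule: no condition, so it catches everyone the
# Staff-WiFi rule did not match (REJECT assumed to be a valid role).
CATCH_ALL_RULE = """
[OPTIONS-AD-SOURCE rule Non-Staff-WiFi]
class=authentication
match=all
action0=set_role=REJECT
description=Hypothetical catch-all for users outside Staff-WiFi
"""

# Constructed attribute sets standing in for what the AD search returns.
STAFF_USER = {
    "sAMAccountName": "it.tech",
    "memberOf": ["CN=Staff-WiFi,CN=Users,DC=options,DC=bc,DC=ca",
                 "CN=Domain Users,CN=Users,DC=options,DC=bc,DC=ca"],
}
OTHER_USER = {
    "sAMAccountName": "test",
    "memberOf": ["CN=Domain Users,CN=Users,DC=options,DC=bc,DC=ca"],
}


def load_rules(conf_text, source):
    """Parse the '[SOURCE rule NAME]' sections into ordered rule dicts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    prefix = f"{source} rule "
    rules = []
    for section in cp.sections():
        if not section.startswith(prefix):
            continue
        sec = cp[section]
        # configparser lowercases keys; sorting keeps condition0, condition1, ...
        conditions = [tuple(v.split(",", 2))
                      for k, v in sorted(sec.items()) if k.startswith("condition")]
        actions = [tuple(v.split("=", 1))
                   for k, v in sorted(sec.items()) if k.startswith("action")]
        rules.append({"name": section[len(prefix):],
                      "match": sec.get("match", "all"),
                      "conditions": conditions, "actions": actions})
    return rules


def condition_holds(condition, attrs):
    """Evaluate one 'attribute,operator,value' triple against the attributes."""
    attribute, operator, value = condition
    actual = attrs.get(attribute, [])
    if not isinstance(actual, list):
        actual = [actual]
    if operator == "equals":
        # memberOf is multi-valued: true when any DN equals the one in the rule.
        return any(a.lower() == value.lower() for a in actual)
    raise ValueError(f"operator {operator!r} is not modelled here")


def first_matching_rule(rules, attrs):
    for rule in rules:
        if not rule["conditions"]:
            return rule            # assumed: a rule without conditions is a catch-all
        results = [condition_holds(c, attrs) for c in rule["conditions"]]
        if (any(results) if rule["match"] == "any" else all(results)):
            return rule
    return None


def authenticate(conf_text, attrs, source="OPTIONS-AD-SOURCE"):
    """Actions of the first matching rule, or {} when no rule matched (the
    'unable to match a role' situation in the posted packetfence.log)."""
    rule = first_matching_rule(load_rules(conf_text, source), attrs)
    return dict(rule["actions"]) if rule else {}


if __name__ == "__main__":
    print(authenticate(AUTH_CONF, STAFF_USER))
    print(authenticate(AUTH_CONF, OTHER_USER))                  # {} : no role at all
    print(authenticate(AUTH_CONF + CATCH_ALL_RULE, OTHER_USER))
```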

Re: [PacketFence-users] PF 7.4 with 'Reading winbind reply failed!'

2018-03-14 Thread E.P. via PacketFence-users
Hi Chris,
Welcome on board, we are in the same boat with someone else here with the same 
error message.
I already provided Fabrice with all sorts of answers he kindly requested, 
trying to help me, but we are still getting nowhere.
Hoping this issue will be a spotlight 

Eugene

-Original Message-
From: Christian Sudec via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Tuesday, March 13, 2018 8:33 AM
To: packetfence-users@lists.sourceforge.net
Cc: Christian Sudec 
Subject: [PacketFence-users] PF 7.4 with 'Reading winbind reply failed!'

Hi!

Currently installed PacketFence 7.4 on Debian 8.0 (latest patchlevel) as 
described in the 'Administrators Guide', chapters 1 to 6 and 9 to
10.2 - as you see I just want RADIUS enforcement (for 802.1x) to work.

PF is bound to our active directory domain and I also created two new realms as 
told in chapter 10.7, but sadly every time I connect a supplicant and type in my 
ad-user and password, it gets rejected with the following log entry in 
Auditing:
chrooted_mschap: Program returned code (1) and output 'Reading winbind reply 
failed! (0xc001)'

I searched the lists but apart from a "permissions problem" I couldn't find 
anything useful, which is why I'm kindly asking for help!

regards
Chris



Re: [PacketFence-users] No roles assignment and no rules matching in the authentication source

2018-03-12 Thread E.P. via PacketFence-users
orge.net
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: Fabrice Durand  <mailto:fdur...@inverse.ca> <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] No roles assignment and no rules matching
in the authentication source

 

Hello Eugene,

I suppose you applied PR 2735 from github.

I have pushed 2 new commits, so can you try to apply them and make another try?

curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff | patch -p1

curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/34405d44b203ce2
fd4a4dac435ff62d69c4ed00f.diff | patch -p1

Regards
Fabrice

Le 2018-03-06 à 22:53, E.P. via PacketFence-users a écrit :

There’s another challenge in the endless string of them…

My PEAP connection from Windows based supplicant lands on the connection
profile and wheels start rotating, i.e. the profile uses the authentication
source

The connection and authentication completes but there’s no role assignment
and I see that my conditions are not matched.

Here’s an extract from packetfence.log

 


++

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] handling radius autz request: from switch_ip =>
(172.19.254.2), connection_type => Wireless-802.11-EAP,switch_mac => (24:a4:3c:5e:c1:00),
mac => [70:1a:04:2c:52:ff], port => 0, username => "OPTIONS\test", ssid => SecStaff
(pf::radius::authorize)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653)
ERROR: [mac:70:1a:04:2c:52:ff] Can't bind : IO::Socket::INET: connect:
Connection refused

(pf::ip4log::_get_lease_from_omapi)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Instantiate profile Staff-connection-profile
(pf::Connection::ProfileFactory::_from_profile)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Found authentication source(s) : 'OPTIONS-AD-SOURCE'
for realm 'default' (pf::config::util::filter_authentication_sources)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Calling match with empty/invalid rule class.
Defaulting to 'authentication' (pf::authentication::match2)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Using sources OPTIONS-AD-SOURCE for matching
(pf::authentication::match2)

Mar  5 07:43:32 PacketFence-ZEN pfqueue: pfqueue(16161) INFO: [mac:unknown]
undefined source id provided (pf::lookup::person::lookup_person)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Can't find provisioner for 70:1a:04:2c:52:ff since
we don't have it's OS (pf::Connection::Profile::findProvisioner)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Use of uninitialized value in string eq at
/usr/local/pf/lib/pf/role.pm line 728.

(pf::role::_check_bypass)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Connection type is WIRELESS_MAC_AUTH. Getting role
from node_info (pf::role::getRegisteredRole)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Use of uninitialized value $role in concatenation
(.) or string at /usr/local/pf/lib/pf/role.pm line 476.

(pf::role::getRegisteredRole)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Username was NOT defined or unable to match a role -
returning node based role '' (pf::role::getRegisteredRole)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] PID: "OPTIONS\test", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] violation 133 force-closed for 70:1a:04:2c:52:ff
(pf::violation::violation_force_close)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653)
ERROR: [mac:70:1a:04:2c:52:ff] Can't bind : IO::Socket::INET: connect:
Connection refused

(pf::ip4log::_get_lease_from_omapi)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Instantiate profile Staff-connection-profile
(pf::Connection::ProfileFactory::_from_profile)

Mar  5 07:43:33 PacketFence-ZEN pfqueue: pfqueue(16150) ERROR:
[mac:34:17:eb:de:f0:b4] Can't bind : IO::Socket::INET: connect: Connection
refused


+

 

Why do I see all those errors? Why do I see the connection is refused, e.g.
Can't bind : IO::Socket::INET: connect: Connection refused

Why there’s 

Re: [PacketFence-users] [Packetfence] AD authentication with FreeRadius: "reading winbind reply failed!"

2018-03-12 Thread E.P. via PacketFence-users
Hi Fabrice,

So, what is the expected order of realms processing ?

Any ideas or enlightenments about what is wrong?

I restarted radius service many times and even rebooted the appliance

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Friday, March 09, 2018 5:32 AM
To: E.P. ; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Hmm, really strange that even if you restart the radius service the file is 
still missing the other realms.

 

 

Le 2018-03-08 à 23:55, E.P. a écrit :

Easy 

 

cat /usr/local/pf/raddb/proxy.conf.inc

 

realm default {

strip

}

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Thursday, March 08, 2018 6:42 PM
To: E.P.   ; 
packetfence-users@lists.sourceforge.net 
 
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Can you paste the file proxy.conf.inc from raddb directory ?

 

Le 2018-03-08 à 16:54, E.P. a écrit :

I tried it as well, Fabrice.

It doesn’t matter what I use as a username, whether it is t...@options.bc.ca 
or OPTIONS\test.

I had both realms added before I ended up using the default one. They both 
point to the same AD domain.

Attached is yet another RADIUS debug session with my attempt to authenticate 
with OPTIONS realm 

Also, may I know why I see the username showing initially as OPTIONS\\test 
(two backslashes)?

 

[OPTIONS]

domain=optionsad

options=strip

 

[OPTIONS-AD-REALM]

domain=optionsad

options=strip

 

Eugene

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Thursday, March 08, 2018 11:28 AM
To: E.P.   ; 
packetfence-users@lists.sourceforge.net 
 
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Hello Eugene,

it looks like you need to add a realm OPTIONS because the username is like 
OPTIONS\test.

Regards

Fabrice

 

 

Le 2018-03-08 à 14:23, E.P. a écrit :

Hi Fabrice,

Since Jimmy and I seem to have the same problem with winbind I’m attaching 
requested RADIUS requests.

There are two files, radius-request shows the session when I have only one 
default realm and the authentication source also points to the default realm

 

[DEFAULT]

domain=optionsad

options=strip

 

And the second file, radius-request2 shows the session when I added a named 
realm, i.e. 

 

[OPTIONS-AD-REALM]

domain=optionsad

options=strip

 

Eugene

 

From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, March 08, 2018 5:29 AM
To: packetfence-users@lists.sourceforge.net 
 
Cc: Fabrice Durand   
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

cd /usr/local/pf

raddebug -f var/run/radiusd.sock -t 3000

 

Le 2018-03-08 à 02:57, Jimmy Claes via PacketFence-users a écrit :

Hello Fabrice

 

When I run the command it says that file does not exist, neither does the 
directory ‘/etc/raddb/’:

 

 

Regards

Jimmy

 

Van: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Verzonden: woensdag 7 maart 2018 23:09
Aan: packetfence-users@lists.sourceforge.net 
 
CC: Fabrice Durand   
Onderwerp: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Ok can you send me a complete radius request ? (raddebug -f 
var/run/radiusd.sock -t 3000)

Regards

Fabrice

 

 

Le 2018-03-07 à 02:04, Jimmy Claes via PacketFence-users a écrit :

Hello Fabrice

 

Realms are already created and associated with the AD.



 

 

Regards

Jimmy

 

Van: Durand fabrice via PacketFence-users [ 
 
mailto:packetfence-users@lists.sourceforge.net] 
Verzonden: woensdag 7 maart 2018 3:26
Aan:   
packetfence-users@lists.sourceforge.net
CC: Durand fabrice   
Onderwerp: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Hello Jimmy,

create the realms associated with your domain. For example, if you have a user 
like ACME\bob and b...@acme.com, then create the 2 realms and associate them 
with your AD.

Regards

Fabrice

 

 

Le 2018-03-06 à 07:14, Jimmy Claes via PacketFence-users a écrit :

I’ve been trying to figure out this problem for days, whenever I try to 
authenticate a user on Windows, I 
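Fabrice's point above is that a realm is only used when its name occurs in the user name (`ACME` for `ACME\bob`, `acme.com` for `bob@acme.com`), which is why a realm called `OPTIONS-AD-REALM` never matched `OPTIONS\test` and the log earlier in the thread showed the source found "for realm 'default'". This is an added example, not PacketFence code: it resolves the three user-name forms seen in the thread against constructed realm sections modelled on the ones quoted above. Assumptions: the realm is the part before `\` or after `@`, compared case-insensitively with the section name; a user name without such a part, or whose part matches no section, falls back to `DEFAULT`; `options=strip` removes the realm part before the name goes to the domain; the `[options.bc.ca]` section is constructed for the UPN form.

```python
"""Which realm section a RADIUS User-Name lands in.

Added example, not PacketFence code; see the assumptions in the lead-in.
"""
import configparser

# Constructed realm definitions: the two sections quoted in the thread ...
REALM_CONF_AS_POSTED = """
[DEFAULT]
domain=optionsad
options=strip

[OPTIONS-AD-REALM]
domain=optionsad
options=strip
"""

# ... plus realms whose names actually occur in the user names.
REALM_CONF_FIXED = REALM_CONF_AS_POSTED + """
[OPTIONS]
domain=optionsad
options=strip

[options.bc.ca]
domain=optionsad
options=strip
"""


def load_realms(conf_text):
    """Map lower-cased realm name -> settings. configparser would otherwise
    swallow [DEFAULT] as its own defaults section, so give that role another name."""
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(conf_text)
    return {name.lower(): dict(cp[name]) for name in cp.sections()}


def split_user_name(user_name):
    """Return (realm or None, bare user, form) for the forms seen in the thread."""
    if "\\" in user_name:                      # NetBIOS form: OPTIONS\test
        realm, _, user = user_name.partition("\\")
        return realm.lower(), user, "netbios"
    if "@" in user_name:                       # UPN form: test@options.bc.ca
        user, _, realm = user_name.rpartition("@")
        return realm.lower(), user, "upn"
    return None, user_name, "bare"


def resolve_realm(realms, user_name):
    """Pick the realm section for user_name and the name handed to the domain."""
    realm, user, form = split_user_name(user_name)
    chosen = realm if realm in realms else "default"
    settings = realms.get(chosen)
    if settings is None:
        raise LookupError(f"no realm section for {user_name!r} and no DEFAULT realm")
    stripped = settings.get("options") == "strip"
    return {
        "form": form,
        "realm": chosen,
        "named_realm_matched": chosen == realm,
        "domain": settings["domain"],
        "user": user if stripped else user_name,
    }


if __name__ == "__main__":
    for conf in (REALM_CONF_AS_POSTED, REALM_CONF_FIXED):
        realms = load_realms(conf)
        for name in ("OPTIONS\\test", "test@options.bc.ca", "test"):
            print(sorted(realms), name, resolve_realm(realms, name))
```

With only the sections as posted, every user name falls back to `default`; `options-ad-realm` is loaded but can never be selected.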

Re: [PacketFence-users] [Packetfence] AD authentication with FreeRadius: "reading winbind reply failed!"

2018-03-09 Thread E.P. via PacketFence-users
Easy 

 

cat /usr/local/pf/raddb/proxy.conf.inc

 

realm default {

strip

}

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Thursday, March 08, 2018 6:42 PM
To: E.P. ; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Can you paste the file proxy.conf.inc from raddb directory ?

 

Le 2018-03-08 à 16:54, E.P. a écrit :

I tried it as well, Fabrice.

It doesn’t matter what I use as a username, whether it is t...@options.bc.ca 
or OPTIONS\test.

I had both realms added before I ended up using the default one. They both 
point to the same AD domain.

Attached is yet another RADIUS debug session with my attempt to authenticate 
with OPTIONS realm 

Also, may I know why I see the username showing initially as OPTIONS\\test 
(two backslashes)?

 

[OPTIONS]

domain=optionsad

options=strip

 

[OPTIONS-AD-REALM]

domain=optionsad

options=strip

 

Eugene

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Thursday, March 08, 2018 11:28 AM
To: E.P.   ; 
packetfence-users@lists.sourceforge.net 
 
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Hello Eugene,

it looks like you need to add a realm OPTIONS because the username is like 
OPTIONS\test.

Regards

Fabrice

 

 

Le 2018-03-08 à 14:23, E.P. a écrit :

Hi Fabrice,

Since Jimmy and I seem to have the same problem with winbind I’m attaching 
requested RADIUS requests.

There are two files, radius-request shows the session when I have only one 
default realm and the authentication source also points to the default realm

 

[DEFAULT]

domain=optionsad

options=strip

 

And the second file, radius-request2 shows the session when I added a named 
realm, i.e. 

 

[OPTIONS-AD-REALM]

domain=optionsad

options=strip

 

Eugene

 

From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, March 08, 2018 5:29 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand   
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

cd /usr/local/pf

raddebug -f var/run/radiusd.sock -t 3000

 

Le 2018-03-08 à 02:57, Jimmy Claes via PacketFence-users a écrit :

Hello Fabrice

 

When I run the command it says that file does not exist, neither does the 
directory ‘/etc/raddb/’:

 

 

Regards

Jimmy

 

Van: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Verzonden: woensdag 7 maart 2018 23:09
Aan: packetfence-users@lists.sourceforge.net 
 
CC: Fabrice Durand   
Onderwerp: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Ok can you send me a complete radius request ? (raddebug -f 
var/run/radiusd.sock -t 3000)

Regards

Fabrice

 

 

Le 2018-03-07 à 02:04, Jimmy Claes via PacketFence-users a écrit :

Hello Fabrice

 

Realms are already created and associated with the AD.



 

 

Regards

Jimmy

 

Van: Durand fabrice via PacketFence-users [ 
 
mailto:packetfence-users@lists.sourceforge.net] 
Verzonden: woensdag 7 maart 2018 3:26
Aan:   
packetfence-users@lists.sourceforge.net
CC: Durand fabrice   
Onderwerp: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Hello Jimmy,

create the realms associated with your domain. For example, if you have a user 
like ACME\bob and b...@acme.com, then create the 2 realms and associate them 
with your AD.

Regards

Fabrice

 

 

Le 2018-03-06 à 07:14, Jimmy Claes via PacketFence-users a écrit :

I’ve been trying to figure out this problem for days, whenever I try to 
authenticate a user on Windows, I get the following error while the login is 
correct:

 

 

‘wbinfo -p’ fails as well:

 

 

Winbind service is running:

 

 

Freeradius service is running:

 

 

The permissions on winbindd_privileged are properly set:

 

 

Result of running ‘freeradius -X’ attached.

 









PacketFence (http://packetfence.org) 






-- 
Fabrice Durand
fdur...@inverse.ca   ::  +1.514.447.4918 (x135) ::  
www.inverse.ca  
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

 


Re: [PacketFence-users] No roles assignment and no rules matching in the authentication source

2018-03-08 Thread E.P. via PacketFence-users
And what file are we patching ?

 

patch -p1 < 1eef967ad1ee589136a097166c440cb30107ddfb.diff

can't find file to patch at input line 5

Perhaps you used the wrong -p or --strip option?

The text leading up to this was:

--

|diff --git a/lib/pf/enforcement.pm b/lib/pf/enforcement.pm

|index 8ff56b4252b..05589bba682 100644

|--- a/lib/pf/enforcement.pm

|+++ b/lib/pf/enforcement.pm

--

File to patch:

 

 

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Thursday, March 08, 2018 5:28 AM
To: E.P. <ype...@gmail.com>; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] No roles assignment and no rules matching
in the authentication source

 

https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff is supposed to return that:

 

diff --git a/lib/pf/enforcement.pm b/lib/pf/enforcement.pm
index 8ff56b4252b..05589bba682 100644
--- a/lib/pf/enforcement.pm
+++ b/lib/pf/enforcement.pm
@@ -43,6 +43,7 @@ use pf::config qw(
 %connection_type_explained
 $WIRED
 $WIRELESS
+$WEBAUTH
 );
 use pf::inline::custom $INLINE_API_LEVEL;
 use pf::iptables;
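Review bot: the `$WEBAUTH` symbol added to the `use pf::config qw( ... )` import list is what the second hunk relies on, so confirm that pf::config in the target tree actually exports `$WEBAUTH`; an unexported symbol would fail at compile time in lib/pf/enforcement.pm, and the failed-hunk output quoted earlier in this thread shows the file does not apply cleanly to the 7.4 tree, so this import is the first line to check in lib/pf/enforcement.pm.rej.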
@@ -169,7 +170,7 @@ sub _vlan_reevaluation {
 $client->notify( 'ReAssignVlan', %data );
 }
 }
-elsif ( ( $conn_type & $WIRELESS ) == $WIRELESS ) {
+elsif ( ( ( $conn_type & $WIRELESS ) == $WIRELESS ) || ( (
$conn_type & $WEBAUTH ) == $WEBAUTH ) ) {
 $logger->debug("Calling API with desAssociate request on switch
(".$switch_id.")");
 if ($cluster_deauth) {
 $client->notify( 'desAssociate_in_queue', %data );
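Review bot: the widened `elsif` now sends the same desAssociate for `$WEBAUTH` connections, but the `$logger->debug("Calling API with desAssociate request on switch ...")` message that follows does not say which connection type triggered it; include `$conn_type` in the message so WEBAUTH deauths can be told apart from wireless ones in the logs. Note also that the `+elsif ( ( ( $conn_type & $WIRELESS ) ...` line is wrapped onto two lines in this mail copy (the continuation begins `$conn_type & $WEBAUTH`), so the hunk must be applied from the downloaded .diff, never from the pasted text.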
 

And it works on my side, so do wget instead and then patch -p1 <
1eef967ad1ee589136a097166c440cb30107ddfb.diff

Same for the other patch.

Regards

Fabrice

 

 

 

Le 2018-03-08 à 00:48, E.P. a écrit :

Am I applying this patch in the wrong way ?

 

[root@PacketFence-ZEN conf]# curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff | patch -p1


  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   161    0   161    0     0    241      0 --:--:-- --:--:-- --:--:--   242

patch unexpectedly ends in middle of line

patch:  Only garbage was found in the patch input.

 

[root@PacketFence-ZEN conf]# curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/34405d44b203ce2
fd4a4dac435ff62d69c4ed00f.diff | patch -p1

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   161    0   161    0     0    218      0 --:--:-- --:--:-- --:--:--   218

patch unexpectedly ends in middle of line

patch:  Only garbage was found in the patch input

 

wget seems to fetch this file

 

[root@PacketFence-ZEN conf]# wget
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff 

--2018-03-08 05:45:34--
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff

Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112

Connecting to github.com (github.com)|192.30.253.113|:443... connected.

HTTP request sent, awaiting response... 302 Found

Location:
https://github.com/inverse-inc/packetfence/commit/1eef967ad1ee589136a097166c
440cb30107ddfb.diff [following]

--2018-03-08 05:45:35--
https://github.com/inverse-inc/packetfence/commit/1eef967ad1ee589136a097166c
440cb30107ddfb.diff

Reusing existing connection to github.com:443.

HTTP request sent, awaiting response... 200 OK

Length: unspecified [text/plain]

Saving to: '1eef967ad1ee589136a097166c440cb30107ddfb.diff'

[ <=>                                  ] 831         --.-K/s   in 0s

2018-03-08 05:45:35 (59.3 MB/s) -
'1eef967ad1ee589136a097166c440cb30107ddfb.diff' saved [831]

 

Eugene

 

From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Wednesday, March 07, 2018 2:08 PM
To: packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: Fabrice Durand  <mailto:fdur...@inverse.ca> <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] No roles assignment and no rules matching
in the authentication source

 

Hello Eugene,

I suppose you applied PR 2735 from github.

I have pushed 2 new commits, so can you try to apply them and make another try?

curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff | patch -p1

curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/34405d44b203ce2
fd4a4dac435ff62d69c4ed00f.diff | patch -p1

Regards
Fabrice

Le 2018-03-06 à 22:53, E.P. via PacketFence-users a écrit :

There’s anot
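The `curl ... | patch -p1` attempts above failed because curl was not asked to follow the 302 that wget later reports, so `patch` received a 161-byte redirect page ("Only garbage was found in the patch input"); the pasted copy of the diff is also unusable because the mail client wrapped one `+` line. This added example, not part of the thread or of PacketFence, is a pre-flight check that refuses a downloaded file before it reaches `patch`: it verifies the unified-diff headers and that every hunk body agrees with its `@@` line counts. The samples are constructed: `GOOD_DIFF` is modelled on the first hunk quoted above, `MAIL_WRAPPED_DIFF` on the second hunk with the wrapped line, and `REDIRECT_BODY` is a stand-in for the page curl saves without `-L`.

```python
"""Sanity-check a downloaded .diff before handing it to patch -p1.

Added example, not part of the thread or of PacketFence.
"""
import re

HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def check_unified_diff(text):
    """Return {'files': [...], 'hunks': n}, or raise ValueError with the reason."""
    lines = text.splitlines()
    if not any(l.startswith(("diff --git ", "--- ")) for l in lines):
        raise ValueError("no diff header found (an HTML or redirect page?)")
    files, hunks, i = [], 0, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("+++ "):
            files.append(line[4:].split("\t")[0])
        m = HUNK_HEADER.match(line)
        if not m:
            i += 1
            continue
        old_n = int(m.group(2)) if m.group(2) is not None else 1
        new_n = int(m.group(4)) if m.group(4) is not None else 1
        header_at, old_seen, new_seen = i + 1, 0, 0
        i += 1
        while i < len(lines) and (old_seen < old_n or new_seen < new_n):
            body = lines[i]
            if body.startswith("\\ No newline"):
                pass                                   # marker, not content
            elif body.startswith("-"):
                old_seen += 1
            elif body.startswith("+"):
                new_seen += 1
            elif body == "" or body.startswith(" "):
                old_seen += 1                          # context line (a mailer
                new_seen += 1                          # may strip the space)
            else:
                raise ValueError(
                    f"line {i + 1}: {body!r} is not a hunk line; was the "
                    f"patch wrapped or truncated in transit?")
            i += 1
        if (old_seen, new_seen) != (old_n, new_n):
            raise ValueError(f"hunk at line {header_at} announces -{old_n}/+{new_n} "
                             f"lines but contains -{old_seen}/+{new_seen}")
        hunks += 1
    if not files or not hunks:
        raise ValueError("diff header present but no complete hunk")
    return {"files": files, "hunks": hunks}


def diff_problem(text):
    """None when the diff looks applicable, otherwise the reason as a string."""
    try:
        check_unified_diff(text)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed samples (see lead-in).
GOOD_DIFF = """diff --git a/lib/pf/enforcement.pm b/lib/pf/enforcement.pm
index 8ff56b4252b..05589bba682 100644
--- a/lib/pf/enforcement.pm
+++ b/lib/pf/enforcement.pm
@@ -43,6 +43,7 @@ use pf::config qw(
     %connection_type_explained
     $WIRED
     $WIRELESS
+    $WEBAUTH
 );
 use pf::inline::custom $INLINE_API_LEVEL;
 use pf::iptables;
"""

MAIL_WRAPPED_DIFF = """--- a/lib/pf/enforcement.pm
+++ b/lib/pf/enforcement.pm
@@ -169,7 +170,7 @@ sub _vlan_reevaluation {
             $client->notify( 'ReAssignVlan', %data );
         }
     }
-    elsif ( ( $conn_type & $WIRELESS ) == $WIRELESS ) {
+    elsif ( ( ( $conn_type & $WIRELESS ) == $WIRELESS ) || ( (
$conn_type & $WEBAUTH ) == $WEBAUTH ) ) {
         $logger->debug("Calling API with desAssociate request on switch (".$switch_id.")");
         if ($cluster_deauth) {
             $client->notify( 'desAssociate_in_queue', %data );
"""

REDIRECT_BODY = ('<html><body>You are being <a href="https://example.invalid/x.diff">'
                 'redirected</a>.</body></html>\n')

if __name__ == "__main__":
    for name, sample in (("good", GOOD_DIFF), ("wrapped", MAIL_WRAPPED_DIFF),
                         ("redirect", REDIRECT_BODY)):
        print(name, diff_problem(sample) or check_unified_diff(sample))
```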

Re: [PacketFence-users] No roles assignment and no rules matching in the authentication source

2018-03-08 Thread E.P. via PacketFence-users
Am I applying this patch in the wrong way ?

 

[root@PacketFence-ZEN conf]# curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff | patch -p1


  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   161    0   161    0     0    241      0 --:--:-- --:--:-- --:--:--   242

patch unexpectedly ends in middle of line

patch:  Only garbage was found in the patch input.

 

[root@PacketFence-ZEN conf]# curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/34405d44b203ce2
fd4a4dac435ff62d69c4ed00f.diff | patch -p1

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   161    0   161    0     0    218      0 --:--:-- --:--:-- --:--:--   218

patch unexpectedly ends in middle of line

patch:  Only garbage was found in the patch input

 

wget seems to fetch this file

 

[root@PacketFence-ZEN conf]# wget
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff 

--2018-03-08 05:45:34--
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff

Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112

Connecting to github.com (github.com)|192.30.253.113|:443... connected.

HTTP request sent, awaiting response... 302 Found

Location:
https://github.com/inverse-inc/packetfence/commit/1eef967ad1ee589136a097166c
440cb30107ddfb.diff [following]

--2018-03-08 05:45:35--
https://github.com/inverse-inc/packetfence/commit/1eef967ad1ee589136a097166c
440cb30107ddfb.diff

Reusing existing connection to github.com:443.

HTTP request sent, awaiting response... 200 OK

Length: unspecified [text/plain]

Saving to: '1eef967ad1ee589136a097166c440cb30107ddfb.diff'

[ <=>                                  ] 831         --.-K/s   in 0s

2018-03-08 05:45:35 (59.3 MB/s) -
'1eef967ad1ee589136a097166c440cb30107ddfb.diff' saved [831]

 

Eugene

 

From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Wednesday, March 07, 2018 2:08 PM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] No roles assignment and no rules matching
in the authentication source

 

Hello Eugene,

I suppose you applied PR 2735 from github.

I have pushed 2 new commits, so can you try to apply them and make another try?

curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/1eef967ad1ee589
136a097166c440cb30107ddfb.diff | patch -p1

curl
https://github.com/inverse-inc/packetfence/pull/2735/commits/34405d44b203ce2
fd4a4dac435ff62d69c4ed00f.diff | patch -p1

Regards
Fabrice

Le 2018-03-06 à 22:53, E.P. via PacketFence-users a écrit :

There’s another challenge in the endless string of them…

My PEAP connection from Windows based supplicant lands on the connection
profile and wheels start rotating, i.e. the profile uses the authentication
source

The connection and authentication completes but there’s no role assignment
and I see that my conditions are not matched.

Here’s an extract from packetfence.log

 


++

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] handling radius autz request: from switch_ip =>
(172.19.254.2), connection_type => Wireless-802.11-EAP,switch_mac => (24:a4:3c:5e:c1:00),
mac => [70:1a:04:2c:52:ff], port => 0, username => "OPTIONS\test", ssid => SecStaff
(pf::radius::authorize)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653)
ERROR: [mac:70:1a:04:2c:52:ff] Can't bind : IO::Socket::INET: connect:
Connection refused

(pf::ip4log::_get_lease_from_omapi)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Instantiate profile Staff-connection-profile
(pf::Connection::ProfileFactory::_from_profile)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Found authentication source(s) : 'OPTIONS-AD-SOURCE'
for realm 'default' (pf::config::util::filter_authentication_sources)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Calling match with empty/invalid rule class.
Defaulting to 'authentication' (pf::authentication::match2)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Using sources OPTIONS-AD-SOURCE for matching
(pf::authentication::match2)

Mar  5 07:43:32 PacketFence-ZEN pfqueue: pfqueue(16161) INFO: [mac:unknown]
undefined source id provided (pf::lookup::person::lookup_person)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(165

Re: [PacketFence-users] [Packetfence] AD authentication with FreeRadius: "reading winbind reply failed!"

2018-03-08 Thread E.P. via PacketFence-users
Good morning, Fabrice,

I ran chroot /chroots/optionsad wbinfo -u and received the output of all users 
and groups from AD where optionsad is my AD domain.

 

And here’s what I see in RADIUS debugs when I use a named realm, not the 
default one, Windows supplicant uses PEAP method

 

session-state:Module-Failure-Message := "mschap: Program returned code (1) and 
output 'Reading winbind reply failed! (0xc001)'"

 

So, I wish I understood the logic, or the lack of it.

And I am asking the same question: what’s the point of a named realm if it 
doesn’t work?

 

Eugene

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Wednesday, March 07, 2018 2:01 PM
To: E.P. ; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

 

Hello Eugene,

 

On 2018-03-06 at 22:33, E.P. wrote:

Hi Jimmy and Fabrice,

I would like to report the same experience. I have a realm (OPTIONS-AD-REALM) 
and it is associated with the AD domain (optionsad), i.e. 

 

[OPTIONS-AD-REALM]

domain=optionsad

options=strip

 

I had similar problems with winbind, same errors in the output of RADIUS debug. 
Moreover, my attempt to test authentication from the command line was 
successful:

 

This is just an ldap bind / search, not the same thing as ntlm_auth



[root@PacketFence-ZEN bin]# ./pftest authentication it.tech X

 

Authenticating against OPTIONS-AD-SOURCE

  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication 
successful.) 

  Matched against OPTIONS-AD-SOURCE for 'authentication' rules

set_role : Staff

set_unreg_date : 2019-12-31

 

Go figure what’s wrong, permissions, bugs or a lack of understanding from my 
side as what I see as the result of ntlm_auth query drives me mad:

 

There is a chroot for each domain; if you do: chroot /chroot/ITTECH then 
wbinfo -u, does it answer something?
Also a radius request in debug mode should help to find the solution.

Regards
Fabrice




[root@PacketFence-ZEN bin]# ntlm_auth --request-nt-key --domain=optionsad 
--username=it.tech

Password: 

could not obtain winbind separator!

Reading winbind reply failed! (0x01)

:  (0x0)

 

So, here I would like Fabrice comment on this, specifically bearing in mind 
that it all works if I use only the default realm and link it to the AD domain.

What’s the point of having named realms ?

Moreover, if I test my authentication source with the authentication realm 
pointing to default the test fails. If I remove it then the test goes through ?

What’s the point of having the realm here, Fabrice ?

Moreover, if I use FQDN for the host that acts as the windows domain controller 
my test also fails but if I use the IP address it is all good. 

I know and I swear that PF can resolve the name normally.

There are more questions that I’d like to ask strongly believing there’s faulty 
code or missing documentation or a combination of both.

 

Eugene

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] [Packetfence] AD authentication with FreeRadius: "reading winbind reply failed!"

2018-03-07 Thread E.P. via PacketFence-users
Hi Jimmy,

Yes, this is what I meant, my connection via the profile that uses AD source
and authentication against AD works only on the condition that I use the
default realm and this default realm is linked to the AD domain.

Here are extract from configs

 

Domain.conf

===

[optionsad]

ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2

ntlm_cache=enabled

registration=0

ntlm_cache_expiry=3600

dns_name=options.bc.ca

dns_servers=172.XXX.XXX.XXX,172.XXX.XXX.XXX

ou=Computers

bind_pass=ZZZ

ntlm_cache_on_connection=disabled

bind_dn=ADintegrator

workgroup=OPTIONS

ntlm_cache_batch_one_at_a_time=disabled

sticky_dc=*

ad_server=adserver.options.bc.ca

ntlm_cache_batch=disabled

server_name=%h

ntlm_cache_source=OPTIONS-AD-SOURCE

 

realm.conf

==

[DEFAULT]

domain=optionsad

options=strip

 

authentication.conf

===

 

[OPTIONS-AD-SOURCE]

cache_match=0

read_timeout=10

realms=default

password=Z

scope=base

binddn=CN=ADintegrator,CN=Users,DC=options,DC=bc,DC=ca

port=389

description=Options-AD-Source

write_timeout=5

type=AD

basedn=CN=Users,DC=options,DC=bc,DC=ca

set_access_level_action=

usernameattribute=sAMAccountName

connection_timeout=5

stripped_user_name=no

encryption=none

host=adserver.options.bc.ca

email_attribute=mail

 

Eugene

 

From: Jimmy Claes via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Tuesday, March 06, 2018 11:28 PM
To: 'packetfence-users@lists.sourceforge.net'
<packetfence-users@lists.sourceforge.net>
Cc: Jimmy Claes <j.cl...@clbgroup.be>
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with
FreeRadius: "reading winbind reply failed!"

 

Hello Eugene

 

By the following “it all works if I use only the default realm and link it
to the AD domain.” you mean that if you set your sources to the default realm,
assign AD to the default realm and have no other realms configured,
authenticating with AD works?
Would you mind sharing the configuration you have that works with the default realm?

Short term, it might just suffice for us.

 

Regards

Jimmy

 

From: E.P. via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Wednesday, 7 March 2018 4:33
To: packetfence-users@lists.sourceforge.net
Cc: E.P. <ype...@gmail.com>
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with
FreeRadius: "reading winbind reply failed!"

 

Hi Jimmy and Fabrice,

I would like to report the same experience. I have a realm
(OPTIONS-AD-REALM) and it is associated with the AD domain (optionsad), i.e.


 

[OPTIONS-AD-REALM]

domain=optionsad

options=strip

 

I had similar problems with winbind, same errors in the output of RADIUS
debug. Moreover, my attempt to test authentication from the command line was
successful:

 

[root@PacketFence-ZEN bin]# ./pftest authentication it.tech X

 

Authenticating against OPTIONS-AD-SOURCE

  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication
successful.) 

  Matched against OPTIONS-AD-SOURCE for 'authentication' rules

set_role : Staff

set_unreg_date : 2019-12-31

 

Go figure what’s wrong, permissions, bugs or a lack of understanding from my
side as what I see as the result of ntlm_auth query drives me mad:

 

[root@PacketFence-ZEN bin]# ntlm_auth --request-nt-key --domain=optionsad
--username=it.tech

Password: 

could not obtain winbind separator!

Reading winbind reply failed! (0x01)

:  (0x0)

 

So, here I would like Fabrice comment on this, specifically bearing in mind
that it all works if I use only the default realm and link it to the AD
domain.

What’s the point of having named realms ?

Moreover, if I test my authentication source with the authentication realm
pointing to default the test fails. If I remove it then the test goes
through ?

What’s the point of having the realm here, Fabrice ?

Moreover, if I use FQDN for the host that acts as the windows domain
controller my test also fails but if I use the IP address it is all good. 

I know and I swear that PF can resolve the name normally.

There are more questions that I’d like to ask strongly believing there’s
faulty code or missing documentation or a combination of both.

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Tuesday, March 06, 2018 6:26 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with
FreeRadius: "reading winbind reply failed!"

 

Hello Jimmy,

create the realms associated to your domain, like you have a user like
ACME\bob and b...@acme.com <

[PacketFence-users] No roles assignment and no rules matching in the authentication source

2018-03-07 Thread E.P. via PacketFence-users
There's another challenge in the endless string of them.

My PEAP connection from Windows based supplicant lands on the connection
profile and wheels start rotating, i.e. the profile uses the authentication
source

The connection and authentication completes but there's no role assignment
and I see that my conditions are not matched.

Here's an extract from packetfence.log

 


++

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] handling radius autz request: from switch_ip =>
(172.19.254.2), connection_type => Wireless-802.11-EAP,switch_mac => (

24:a4:3c:5e:c1:00), mac => [70:1a:04:2c:52:ff], port => 0, username =>
"OPTIONS\test", ssid => SecStaff (pf::radius::authorize)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653)
ERROR: [mac:70:1a:04:2c:52:ff] Can't bind : IO::Socket::INET: connect:
Connection refused

(pf::ip4log::_get_lease_from_omapi)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Instantiate profile Staff-connection-profile
(pf::Connection::ProfileFactory::_from_profile)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Found authentication source(s) : 'OPTIONS-AD-SOURCE'
for realm 'default' (pf::config::util::filter_authentication_sources)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Calling match with empty/invalid rule class.
Defaulting to 'authentication' (pf::authentication::match2)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Using sources OPTIONS-AD-SOURCE for matching
(pf::authentication::match2)

Mar  5 07:43:32 PacketFence-ZEN pfqueue: pfqueue(16161) INFO: [mac:unknown]
undefined source id provided (pf::lookup::person::lookup_person)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Can't find provisioner for 70:1a:04:2c:52:ff since
we don't have it's OS (pf::Connection::Profile::findProvisioner)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Use of uninitialized value in string eq at
/usr/local/pf/lib/pf/role.pm line 728.

(pf::role::_check_bypass)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Connection type is WIRELESS_MAC_AUTH. Getting role
from node_info (pf::role::getRegisteredRole)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN:
[mac:70:1a:04:2c:52:ff] Use of uninitialized value $role in concatenation
(.) or string at /usr/local/pf/lib/pf/role.pm line 476.

(pf::role::getRegisteredRole)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Username was NOT defined or unable to match a role -
returning node based role '' (pf::role::getRegisteredRole)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] PID: "OPTIONS\test", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] violation 133 force-closed for 70:1a:04:2c:52:ff
(pf::violation::violation_force_close)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653)
ERROR: [mac:70:1a:04:2c:52:ff] Can't bind : IO::Socket::INET: connect:
Connection refused

(pf::ip4log::_get_lease_from_omapi)

Mar  5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO:
[mac:70:1a:04:2c:52:ff] Instantiate profile Staff-connection-profile
(pf::Connection::ProfileFactory::_from_profile)

Mar  5 07:43:33 PacketFence-ZEN pfqueue: pfqueue(16150) ERROR:
[mac:34:17:eb:de:f0:b4] Can't bind : IO::Socket::INET: connect: Connection
refused


+

 

Why do I see all those errors? Why do I see the connection is refused, e.g.
Can't bind : IO::Socket::INET: connect: Connection refused

Why there's no matching, e.g. Calling match with empty/invalid rule class

 

Here's an extract from authentication.conf file

 

[OPTIONS-AD-SOURCE]

cache_match=0

read_timeout=10

realms=default

password=IloveU#007

scope=base

binddn=CN=ADintegrator,CN=Users,DC=options,DC=bc,DC=ca

port=389

description=Options-AD-Source

write_timeout=5

type=AD

basedn=CN=Users,DC=options,DC=bc,DC=ca

set_access_level_action=

usernameattribute=sAMAccountName

connection_timeout=5

stripped_user_name=no

encryption=none

host=adserver.options.bc.ca

email_attribute=mail

 

[OPTIONS-AD-SOURCE rule Staff-WiFi]

action0=set_role=Staff

condition0=memberOf,equals,CN=Staff-WiFi,CN=Users,DC=options,DC=bc,DC=ca

match=any

class=authentication
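A small model of the rule evaluation this thread is about, added here as an example and not PacketFence's own code: it parses rule sections written in the authentication.conf format shown above and applies first-match-wins semantics, including a condition-less catch-all rule. The INI text is constructed, and the `not_equals` behaviour is an assumption for illustration only.

```python
"""Model of PacketFence-style authentication-source rule matching.

Added example, not PacketFence's own code: it models the rule semantics the
thread relies on (rules evaluated in file order, first match wins, match=any
vs match=all, a rule with no condition acts as a catch-all) using an INI
fragment constructed to resemble the authentication.conf extract above.
"""
import configparser

# Constructed sample: the post's Staff-WiFi rule plus a condition-less
# catch-all reject rule of the kind the thread suggests as the second rule.
SAMPLE_CONF = """
[OPTIONS-AD-SOURCE]
type=AD
realms=default

[OPTIONS-AD-SOURCE rule Staff-WiFi]
action0=set_role=Staff
action1=set_unreg_date=2019-12-31
condition0=memberOf,equals,CN=Staff-WiFi,CN=Users,DC=options,DC=bc,DC=ca
match=any
class=authentication

[OPTIONS-AD-SOURCE rule Catch-all]
action0=reject=
match=all
class=authentication
"""

# Operators applied to a multi-valued LDAP attribute (memberOf is one).
# not_equals is modelled as "no value equals the target"; that is an
# assumption for illustration, PacketFence's own semantics may differ,
# which is why the thread recommends an empty condition instead.
OPERATORS = {
    "equals": lambda values, target: target in values,
    "not_equals": lambda values, target: target not in values,
}


def load_rules(text, source):
    """Return the rule sections belonging to `source`, in file order."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    prefix = f"{source} rule "
    rules = []
    for section in cp.sections():
        if not section.startswith(prefix):
            continue
        sec = cp[section]
        # conditionN=attribute,operator,value and actionN=action=argument
        conditions = [sec[k].split(",", 2) for k in sorted(sec)
                      if k.startswith("condition")]
        actions = [sec[k].split("=", 1) for k in sorted(sec)
                   if k.startswith("action")]
        rules.append({
            "name": section[len(prefix):],
            "class": sec.get("class", "authentication"),
            "match": sec.get("match", "all"),
            "conditions": conditions,
            "actions": actions,
        })
    return rules


def rule_matches(rule, attrs):
    """attrs maps LDAP attribute -> list of values for the authenticated user."""
    if not rule["conditions"]:
        return True  # no condition: the rule is a catch-all
    results = [OPERATORS[op](attrs.get(attr, []), target)
               for attr, op, target in rule["conditions"]]
    return any(results) if rule["match"] == "any" else all(results)


def evaluate(rules, attrs, rule_class="authentication"):
    """First matching rule of the class wins; returns its name and actions, or None."""
    for rule in rules:
        if rule["class"] == rule_class and rule_matches(rule, attrs):
            return {"rule": rule["name"], "actions": dict(rule["actions"])}
    return None


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONF, "OPTIONS-AD-SOURCE")
    staff = {"memberOf": ["CN=Staff-WiFi,CN=Users,DC=options,DC=bc,DC=ca"]}
    other = {"memberOf": ["CN=Guests,CN=Users,DC=options,DC=bc,DC=ca"]}
    print(evaluate(rules, staff))      # Staff-WiFi rule, set_role=Staff
    print(evaluate(rules, other))      # Catch-all rule, reject
    # With only the post's single rule, a non-member matches nothing and gets
    # no role, which is what "unable to match a role" in the log extract reports.
    print(evaluate(rules[:1], other))  # None
```

Running it with just the first rule reproduces the "no role assigned" situation from the log extract; the catch-all rule is what turns that into an explicit reject.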


Re: [PacketFence-users] [Packetfence] AD authentication with FreeRadius: "reading winbind reply failed!"

2018-03-06 Thread E.P. via PacketFence-users
Hi Jimmy and Fabrice,

I would like to report the same experience. I have a realm
(OPTIONS-AD-REALM) and it is associated with the AD domain (optionsad), i.e.


 

[OPTIONS-AD-REALM]

domain=optionsad

options=strip

 

I had similar problems with winbind, same errors in the output of RADIUS
debug. Moreover, my attempt to test authentication from the command line was
successful:

 

[root@PacketFence-ZEN bin]# ./pftest authentication it.tech X

 

Authenticating against OPTIONS-AD-SOURCE

  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication
successful.) 

  Matched against OPTIONS-AD-SOURCE for 'authentication' rules

set_role : Staff

set_unreg_date : 2019-12-31

 

Go figure what’s wrong, permissions, bugs or a lack of understanding from my
side as what I see as the result of ntlm_auth query drives me mad:

 

[root@PacketFence-ZEN bin]# ntlm_auth --request-nt-key --domain=optionsad
--username=it.tech

Password: 

could not obtain winbind separator!

Reading winbind reply failed! (0x01)

:  (0x0)

 

So, here I would like Fabrice comment on this, specifically bearing in mind
that it all works if I use only the default realm and link it to the AD
domain.

What’s the point of having named realms ?

Moreover, if I test my authentication source with the authentication realm
pointing to default the test fails. If I remove it then the test goes
through ?

What’s the point of having the realm here, Fabrice ?

Moreover, if I use FQDN for the host that acts as the windows domain
controller my test also fails but if I use the IP address it is all good. 

I know and I swear that PF can resolve the name normally.

There are more questions that I’d like to ask strongly believing there’s
faulty code or missing documentation or a combination of both.

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 


Sent: Tuesday, March 06, 2018 6:26 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with
FreeRadius: "reading winbind reply failed!"

 

Hello Jimmy,

Create the realms associated with your domain: if you have users like
ACME\bob and b...@acme.com, then create the 2 realms
and associate them with your AD.

Regards

Fabrice

 

 

On 2018-03-06 at 07:14, Jimmy Claes via PacketFence-users wrote:

I’ve been trying to figure out this problem for days, whenever I try to
authenticate a user on Windows, I get the following error while the login is
correct:



 

‘wbinfo –p’ fails as well:



 

Winbind service is running:



 

Freeradius service is running:



 

The permissions on winbindd_privileged are properly set:



 

Result of running ‘freeradius –X’ attached.

 









[PacketFence-users] Reading winbind reply failed when doing PEAP with mschap AD based authentication

2018-03-05 Thread E.P. via PacketFence-users
Guys,

I'm sending it in vain not believing that there's anyone at PF watching this
list.

Is Packetfence going through hard time? I even send a request about the
commercial support, no reply from anyone.

Still hoping someone will pick it up, please help !

 

I migrated  to a fresh install of PF ver 7.4 and rebuilt everything from
scratch keeping same realm, same AD domain, same authentication source, same
switches.conf file.

All my attempt to authenticate from Windows supplicants configured to use
PEAP are rejected and I see this error in RADIUS debugs

session-state:Module-Failure-Message := "mschap: Program returned code (1)
and output 'Reading winbind reply failed! (0xc001)'"

 

What bothers me and makes me crazy is that if I test it with pftest I don't
have any problem at all

 

[root@PacketFence-ZEN bin]# ./pftest authentication it.tech X

 

Authenticating against OPTIONS-AD-SOURCE

  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication
successful.) 

  Matched against OPTIONS-AD-SOURCE for 'authentication' rules

set_role : Staff

set_unreg_date : 2019-12-31

 

I suspect there's something with permissions as what I see as the result of
ntlm_auth query prompts me about it

 

[root@PacketFence-ZEN bin]# ntlm_auth --request-nt-key --domain=optionsad
--username=it.tech

Password: 

could not obtain winbind separator!

Reading winbind reply failed! (0x01)

:  (0x0)

 

But what makes me even more frustrated is that wbinfo query returns all AD
groups and users:

 

[root@PacketFence-ZEN bin]# chroot /chroots/optionsad wbinfo -u

 

Eugene

 



Re: [PacketFence-users] Unifi APs and CoA

2018-02-27 Thread E.P. via PacketFence-users
acketfence-users@lists.sourceforge.net>
Date: Thursday, February 15, 2018 at 8:00 AM
To: "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Cc: Chris Abel <ca...@wildwoodprograms.org>
Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hey All,

 

I was able to get deauth working with my Unifi APs and it seems everything is 
working smoothly. Here is the configuration I used for the switch in 
packetfence:

 

[Unifi AP IP Address or subnet]

description=Unifi Access Points

group=Unifi

radiusSecret=RaidusPassword

controllerIp=Unifi Controller IP Address

useCoA=N

wsTransport=HTTPS

deauthMethod=HTTPS

wsUser=Unifi Controller Username

wsPwd=Unifi Controller Password







Hope this helps someone. I hope Packetfence releases some documentation on 
Unifi APs because with the necessary applied patch and the unifi controller 
changes to config.properties, everything seems to be working well. Actually in 
my opinion, it seems to be working better than the hostapd setup in packetfence 
and is way easier to set up.

 

 

On Wed, Feb 14, 2018 at 3:52 PM, Chris Abel <ca...@wildwoodprograms.org> wrote:

Hello all,

 

I am also trying to get my Unifi APs working with packetfence. It seems that I 
am very close. I am able to get the portal to show up on the client when in the 
registration vlan, but after registering, the client never deauth's and 
disconnects from the access point. I can disable my wireless and enable it 
again and the client is assigned the correct role and put into the right vlan, 
so that part seems to be working. I have applied the patch in the following way:

 

in /usr/local/pf I ran "curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.diff | patch -p1"

 

Is this the correct patch and the correct way to apply it? If so, why is this 
patch not disconnecting the client from the AP?

 

I have also applied the following to my AP's in Unifi:

 

/var/lib/unifi/sites//config.properties
config.system_cfg.1=aaa.1.auth_cache=disabled
config.system_cfg.2=aaa.2.auth_cache=disabled
config.system_cfg.3=aaa.1.dynamic_vlan=1
config.system_cfg.4=aaa.2.dynamic_vlan=1
config.system_cfg.5=aaa.1.radius.acct.1.ip=
config.system_cfg.6=aaa.1.radius.acct.1.port=
config.system_cfg.7=aaa.1.radius.acct.1.secret=
config.system_cfg.8=aaa.2.radius.acct.1.ip=
config.system_cfg.9=aaa.2.radius.acct.1.port=
config.system_cfg.10=aaa.2.radius.acct.1.secret=

 

 

What should the configuration be in packetfence when setting up the switch? 
Should I use hostapd or Unifi Controller? Should I enable COA or not? 

 

 

Does anyone have a working setup of Unifi APs with an out of band setup of 
packetfence at this point? If so, could you shed some light and post your 
configurations?

 

Thanks!

 

On Sat, Feb 10, 2018 at 1:33 AM, E.P. via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Yes, David, this is my plan to test the captive portal on wired connections to 
rule out the unruly Unifi APs

Ideally I would love to make it also work with HP switches 1820/1920 model 
because this is the majority of switches installed in our organization.

But will try it on Cisco switch as a beginning

Thanks again, for your sharing. 

There’s apparently something wrong with the mailing list for packetfence as there’s 
nothing coming in, and I don’t believe it’s only me who persists in making 
things work and asking for advice.

 

Eugene

 

From: David Harvey [mailto:da...@thoughtmachine.net] 
Sent: Friday, February 09, 2018 4:37 AM
To: E.P. <ype...@gmail.com>; fdur...@inverse.ca
Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hi Eugene,

 

I'm including Fabrice in case anything I have covered is misleading or plain 
untrue! I don't want to give you bad advice..

 

I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my 
functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS and 
so haven't had the same open SSID guest portal aspect (which might make my 
advice less relevant).

I've been fumbling through, so I'm sure Fabrice can offer better advice but I 
would start by saying..

 

My understanding of the additional functionality this patch affords, is dealing 
with kicking the client off an AP so it will then re-auth and hopefully get put 
onto the correct VLAN.  So before worrying about if the patch is working, I'd 
see if you can get to a state where you can reach the portal as a new 
device/user, and after registering it 

[PacketFence-users] Captive portal redirect issues

2018-02-27 Thread E.P. via PacketFence-users
Folks,

I feel awkward to bombard this list with questions but I do hope I'm heard
and someone can help me.

On the way to make the captive portal to surface but stumbling upon the
redirect or rather packetfence not completing it.

I'm connecting to the guest SSID and open the web browser on the laptop to
go to any public website.

I see that it is redirected to PF with the following URL:

https://pf.options.bc.ca/guest/s/hfsrdv0y/?id=70:1a:04:2c:52:ff
 =24:a4:3c:50:76:08:=15197205638

but nothing happens and sometime the browser (if it is Firefox) complains
saying that GET to /guest/s/hfsrdv0y is not implemented.

What am I missing ? First MAC address in the URL is the wireless client and
the second one is WAP

Once again, here's what I configured:

1.  Network interface is added to be of portal type. 
2.  WAP is added to switches.conf
3.  "Captive portal" page under Configuration-Advanced access
configuration has an IP address of the portal interface. Do I really need it
by the way ?

What about "Connection profiles" ? Should it all work with the default one ?

 

Eugene



Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-27 Thread E.P. via PacketFence-users
Scratching my head trying to interpret these events having started haproxy in 
the debug mode.

What’s wrong in the haproxy.conf or rather how it should look with the second 
IP address added for portal?

I even removed the portal interface temporarily, i.e. there’s no 172.16.0.223 
configured now

 

[root@PacketFence-ZEN ~]# /usr/sbin/haproxy -f 
/usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -d

[WARNING] 049/101442 (5326) : Proxy 'stats': in multi-process mode, stats will 
be limited to process assigned to the current request.

Available polling systems :

  epoll : pref=300,  test result OK

   poll : pref=200,  test result OK

 select : pref=150,  test result FAILED

Total: 3 (2 usable), will use epoll.

Using epoll() as the polling mechanism.

[ALERT] 049/101442 (5326) : Starting frontend portal-http-172.16.0.223: cannot 
bind socket [172.16.0.223:80]

[ALERT] 049/101442 (5326) : Starting frontend portal-https-172.16.0.223: cannot 
bind socket [172.16.0.223:443]

 

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Monday, February 19, 2018 7:20 AM
To: E.P. <ype...@gmail.com>; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

In fact you need to restart the portal, haproxy and iptables to make it 
available.

 

 

On 2018-02-19 at 03:29, E.P. wrote:

And my further attempts to put two and two together and look back in time into 
this mailing list showed that Fabrice already answered this question before 

Yes, I’d create an alias, e.g. eth0.1

So, under Configuration-Networks-Interfaces I click  “ADD VLAN”  and then add 
VLAN 1, add a new IP address to belong to the same subnet and then select type 
“portal” 

New interface eth0.1 gets created with IP address 172.16.0.223, I can reach it 
via IP and my interfaces and networks look like this:

 



 

What else am I doing to enable captive portal? I thought that it is enabled by 
default and I see httpd.portal is UP and running but I don’t see anything ports 
open on 172.16.0.223

And iptables allow all HTTP and HTTPS for input-portal-if chain

 

Eugene

 

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Sunday, February 18, 2018 11:14 PM
To: 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.sourceforge.net>
Cc: 'Durand fabrice' <fdur...@inverse.ca>
Subject: RE: [PacketFence-users] Access to PF captive portal is blocked

 

I think it is slowly coming to me, Fabrice.

My PF is pure for RADIUS enforcement and PF has only one IP address of 
management type.

Now if I want WebAuth enforcement I would need to create one more interface of 
portal type

The question is can I create this portal type interface in the same subnet as 
the management interface ?

I would want to have them both in the same VLAN

 

Eugene

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Sunday, February 18, 2018 7:20 PM
To: 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.sourceforge.net>
Cc: 'Durand fabrice' <fdur...@inverse.ca>
Subject: RE: [PacketFence-users] Access to PF captive portal is blocked

 

Here it is, Fabrice

10.0.254.3 is the WiFi client and 172.16.0.222 is PF.

Tcpdump.pcap is attached and it is made right on PF

The second capture is made on the laptop connected to guest WiFi.

It contains pings to PF, but all TCP SYN requests are answered with RST.

 

Eugene

 

From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Sunday, February 18, 2018 10:51 AM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

Hello Eugene,

do you have the capture ?

Regards
Fabrice

On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:

Hi Fabrice,

I dare sending it again believing my previous email fell into cracks.

Can you please advise what could be wrong (see below)

 

Eugene

 

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Wednesday, February 14, 2018 1:08 AM
To: packetfence-users@lists.sourceforge.net
Subject: Access to PF captive portal is blocked

 

Hello folks,

I really hope someone who ran into a similar problem will shed some light.

Feeling bad we don’t hear anything from Fabrice or someone from inverse.

I have an out-of-band deployment of PF and my WiFi client gets connected and 
redirected to PF

I see redirects by capturing the traffic on PF by tcpdump.

But… I see that PF se

Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-21 Thread E.P. via PacketFence-users
I think it is slowly coming to me, Fabrice.

My PF is pure for RADIUS enforcement and PF has only one IP address of
management type.

Now if I want WebAuth enforcement I would need to create one more interface
of portal type

The question is can I create this portal type interface in the same subnet
as the management interface ?

I would want to have them both in the same VLAN

 

Eugene

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Sunday, February 18, 2018 7:20 PM
To: 'packetfence-users@lists.sourceforge.net'
<packetfence-users@lists.sourceforge.net>
Cc: 'Durand fabrice' <fdur...@inverse.ca>
Subject: RE: [PacketFence-users] Access to PF captive portal is blocked

 

Here it is, Fabrice

10.0.254.3 is the WiFi client and 172.16.0.222 is PF.

Tcpdump.pcap is attached and it is made right on PF

The second capture is made on the laptop connected to guest WiFi.

It contains pings to PF, but all TCP SYN requests are answered with RST.

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Sunday, February 18, 2018 10:51 AM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

Hello Eugene,

do you have the capture ?

Regards
Fabrice

On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:

Hi Fabrice,

I dare sending it again believing my previous email fell into cracks.

Can you please advise what could be wrong (see below)

 

Eugene

 

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Wednesday, February 14, 2018 1:08 AM
To: packetfence-users@lists.sourceforge.net
Subject: Access to PF captive portal is blocked

 

Hello folks,

I really hope someone who ran into a similar problem will shed some light.

Feeling bad we don’t hear anything from Fabrice or someone from inverse.

I have an out-of-band deployment of PF and my WiFi client gets connected and
redirected to PF

I see redirects by capturing the traffic on PF by tcpdump.

But… I see that PF sends TCP resets even for TCP SYN packet coming from the
client.

It seems to me it is just iptables firewall that blocks it. 

Why? Where am I supposed to enter those IP addresses that are allowed to go
through captive portal registration?

I do allow PF IP address in the pre-authorization access list and my ping to
FQDN of PF succeeds normally.

It is only HTTP(s) doesn’t go through. 

Even manually entered URL in the client browser doesn’t open up any page,
i.e. https://pf.blabla.com/captive-portal or
https://172.16.0.222/captive-portal

 

Eugene






--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net> 
https://lists.sourceforge.net/lists/listinfo/packetfence-users

 



Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-19 Thread E.P. via PacketFence-users
Here it is, Fabrice

10.0.254.3 is the WiFi client and 172.16.0.222 is PF.

Tcpdump.pcap is attached and it is made right on PF

The second capture is made on the laptop connected to guest WiFi.

It contains pings to PF but all TCP SYN requests all are answered with RST.

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Sunday, February 18, 2018 10:51 AM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

Hello Eugene,

do you have the capture ?

Regards
Fabrice


tcpdump.pcap
Description: Binary data


laptop capture.pcap
Description: Binary data
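Eugene's two captures (pings answered, every TCP SYN answered with a RST) already contain the diagnosis if read systematically. The Python below is an added example, not code from this thread or from PacketFence: it parses the text form of a capture (`tcpdump -nn -r capture.pcap`) for one client/server pair and classifies every port the client tried. The sample lines are constructed in tcpdump's line format to reproduce the symptom described here; they are not the attached pcaps. A RST means the packet reached the host and nothing was listening on that port (or an iptables REJECT with tcp-reset fired), which points at the service rather than at routing or the pre-authorization ACL; no answer at all points at a DROP rule or an upstream filter.

```python
import re

# Parses the text form of a capture (`tcpdump -nn -r capture.pcap`) and, for a
# given client/server pair, reports what happened to each TCP SYN the client
# sent and whether ICMP echo was answered. Regexes follow tcpdump's own output.
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply)"
)

# Constructed sample (not the thread's real pcaps): ping answered, 443/80 reset,
# 8443 unanswered, 22 accepted.
SAMPLE = """\
12:00:00.000001 IP 10.0.254.3 > 172.16.0.222: ICMP echo request, id 1, seq 1, length 64
12:00:00.000050 IP 172.16.0.222 > 10.0.254.3: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000001 IP 10.0.254.3.51234 > 172.16.0.222.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000080 IP 172.16.0.222.443 > 10.0.254.3.51234: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:02.000001 IP 10.0.254.3.51235 > 172.16.0.222.80: Flags [S], seq 200, win 64240, length 0
12:00:02.000080 IP 172.16.0.222.80 > 10.0.254.3.51235: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:03.000001 IP 10.0.254.3.51236 > 172.16.0.222.8443: Flags [S], seq 300, win 64240, length 0
12:00:04.000001 IP 10.0.254.3.51237 > 172.16.0.222.22: Flags [S], seq 400, win 64240, length 0
12:00:04.000090 IP 172.16.0.222.22 > 10.0.254.3.51237: Flags [S.], seq 500, ack 401, win 65160, length 0
""".splitlines()


def triage(lines, client, server):
    """Return {'icmp_ok': bool, 'ports': {dport: 'open'|'reset'|'filtered'}}."""
    syns, synacks, resets = set(), set(), set()
    echo = {"request": 0, "reply": 0}
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            flags = m["flags"]
            if m["src"] == client and m["dst"] == server and flags == "S":
                syns.add(int(m["dport"]))           # client -> server SYN
            elif m["src"] == server and m["dst"] == client:
                port = int(m["sport"])
                if "S" in flags and "." in flags:   # [S.] = SYN-ACK, a listener accepted
                    synacks.add(port)
                elif "R" in flags:                  # [R] or [R.] = reset
                    resets.add(port)
            continue
        m = ICMP_RE.match(line)
        if m and m["src"] in (client, server) and m["dst"] in (client, server):
            echo[m["kind"]] += 1
    ports = {}
    for port in sorted(syns):
        if port in synacks:
            ports[port] = "open"
        elif port in resets:
            ports[port] = "reset"
        else:
            ports[port] = "filtered"
    return {"icmp_ok": echo["request"] > 0 and echo["reply"] > 0, "ports": ports}


def explain(port, verdict):
    """One-line reading of a verdict; 'reset' is the symptom in this thread."""
    return {
        "open": f"tcp/{port}: SYN-ACK seen, a listener accepted the connection",
        "reset": (f"tcp/{port}: RST seen, so the packet reached the host but no "
                  "socket was listening (or an iptables REJECT --reject-with "
                  "tcp-reset fired); check the service, not the routing"),
        "filtered": (f"tcp/{port}: no answer at all, consistent with an iptables "
                     "DROP or a filter upstream"),
    }[verdict]


if __name__ == "__main__":
    result = triage(SAMPLE, "10.0.254.3", "172.16.0.222")
    print("ICMP echo answered:", result["icmp_ok"])
    for port, verdict in result["ports"].items():
        print(explain(port, verdict))
```

To run it on a real capture, feed the lines of `tcpdump -nn -r tcpdump.pcap` to `triage()` instead of `SAMPLE`. On the constructed sample the verdict for 443 and 80 is "reset", which is exactly the pattern the thread later traces to the portal's haproxy not running rather than to the firewall.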


Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-19 Thread E.P. via PacketFence-users
Interesting, haproxy service is acting up. Can’t start

 

[root@PacketFence-ZEN ~]# systemctl status packetfence-haproxy
* packetfence-haproxy.service - PacketFence HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/packetfence-haproxy.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Mon 2018-02-19 08:56:31 PST; 15s ago
  Process: 4189 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid (code=exited, status=1/FAILURE)
  Process: 4186 ExecStartPre=/usr/local/pf/bin/pfcmd service haproxy generateconfig (code=exited, status=0/SUCCESS)
 Main PID: 4189 (code=exited, status=1/FAILURE)

Feb 19 08:56:30 PacketFence-ZEN haproxy-systemd-wrapper[4189]: haproxy-systemd-wrapper: exit, haproxy RC=1
Feb 19 08:56:30 PacketFence-ZEN systemd[1]: Unit packetfence-haproxy.service entered failed state.
Feb 19 08:56:30 PacketFence-ZEN systemd[1]: packetfence-haproxy.service failed.
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: packetfence-haproxy.service holdoff time over, scheduling restart.
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: start request repeated too quickly for packetfence-haproxy.service
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: Failed to start PacketFence HAProxy Load Balancer.
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: Unit packetfence-haproxy.service entered failed state.
Feb 19 08:56:31 PacketFence-ZEN systemd[1]: packetfence-haproxy.service failed.

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Monday, February 19, 2018 7:20 AM
To: E.P. <ype...@gmail.com>; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

In fact you need to restart the portal, haproxy and iptables to make it 
available.

 

 

Le 2018-02-19 à 03:29, E.P. a écrit :

And my further attempts to put two and two together and look back in time into 
this mailing list showed that Fabrice already answered this question before 

Yes, I’d create an alias, e.g. eth0.1

So, under Configuration-Networks-Interfaces I click  “ADD VLAN”  and then add 
VLAN 1, add a new IP address to belong to the same subnet and then select type 
“portal” 

New interface eth0.1 gets created with IP address 172.16.0.223, I can reach it 
via IP and my interfaces and networks look like this:

 



 

What else am I doing to enable captive portal? I thought that it is enabled by 
default and I see httpd.portal is UP and running but I don’t see anything ports 
open on 172.16.0.223

And iptables allow all HTTP and HTTPS for input-portal-if chain

 

Eugene

 

 

From: E.P. [mailto:ype...@gmail.com]
Sent: Sunday, February 18, 2018 11:14 PM
To: 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.sourceforge.net>
Cc: 'Durand fabrice' <fdur...@inverse.ca>
Subject: RE: [PacketFence-users] Access to PF captive portal is blocked

 

I think it is slowly coming to me, Fabrice.

My PF is pure for RADIUS enforcement and PF has only one IP address of 
management type.

Now if I want WebAuth enforcement I would need to create one more interface of 
portal type

The question is can I create this portal type interface in the same subnet as 
the management interface ?

I would want to have them both in the same VLAN

 

Eugene

 


[PacketFence-users] Access to PF captive portal is blocked

2018-02-18 Thread E.P. via PacketFence-users
Hello folks,

I really hope someone who ran into a similar problem will shed some light.

Feeling bad we don't hear anything from Fabrice or someone from inverse.

I have an out-of-band deployment of PF and my WiFi client gets connected and
redirected to PF

I see redirects by capturing the traffic on PF by tcpdump.

But… I see that PF sends TCP resets even for TCP SYN packet coming from the
client.

It seems to me it is just iptables firewall that blocks it. 

Why ? Where am I supposed to enter those IP addresses that are allowed to go
through captive portal registration?

I do allow PF IP address in the pre-authorization access list and my ping to
FQDN of PF succeeds normally.

It is only HTTP(S) that doesn't go through.

Even manually entered URL in the client browser doesn't open up any page,
i.e. https://pf.blabla.com/captive-portal or
https://172.16.0.222/captive-portal

 

Eugene



Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-18 Thread E.P. via PacketFence-users
Hi Fabrice,

I dare sending it again believing my previous email fell into cracks.

Can you please advise what could be wrong (see below)

 

Eugene

 

 



Re: [PacketFence-users] Unifi APs and CoA

2018-02-11 Thread E.P. via PacketFence-users
Thank you very much, Nathan. I almost reached the same conclusion by vigorously 
testing this stupid Unifi AP on different firmware levels with the captive 
portal.

Very inconsistent behavior

 

Eugene

 

From: Nathan, Josh via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Saturday, February 10, 2018 10:49 PM
To: packetfence-users@lists.sourceforge.net
Cc: Nathan, Josh <josh.nat...@bfacademy.de>
Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hey Just FYI... Running both the Guest and RADIUS-Assigned VLANs on the same AP 
(separate SSIDs, of course), does NOT work on Unifi's 3.8.15 firmware.  It 
works with firmware version 3.8.3, broke at 3.8.6, and it's working again at 
least as of 3.9.19.

 

So if you need that firmware version, it won't work on the same AP.  If you 
disable the Guest portal, the RADIUS-Assigned can function properly, but if you 
enable the Guest portal on the one SSID, it somehow breaks the RADIUS-Assigned 
functionality on the other SSID.




 


Joshua Nathan
IT Technician
Black Forest Academy
p: +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
a: Hammersteiner Straße 50, 79400 Kandern
w: bfacademy.de



 

 


Re: [PacketFence-users] Unifi APs and CoA

2018-02-10 Thread E.P. via PacketFence-users
Yes, David, this is my plan to test the captive portal on wired connections to 
rule out the unruly Unifi APs

Ideally I would love to make it also work with HP switches 1820/1920 model 
because this is the majority of switches installed in our organization.

But will try it on Cisco switch as a beginning

Thanks again, for your sharing. 

There’s apparently something wrong with mailing list for packetfence as there’s 
nothing coming in and I don’t believe it’s only me who persists in making 
things work and asking for advices 

 

Eugene

 

From: David Harvey [mailto:da...@thoughtmachine.net] 
Sent: Friday, February 09, 2018 4:37 AM
To: E.P. ; fdur...@inverse.ca
Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hi Eugene,

 

I'm including Fabrice in case anything I have covered is misleading or plain 
untrue! I don't want to give you bad advice..

 

I'm running Unifi AP-AC Pros on 3.9.19.8123. I'm pretty sure most of my 
functionality worked fine from 3.8.x, but bear in mind I'm running EAP-TLS and 
so haven't had the same open SSID guest portal aspect (which might make my 
advice less relevant).

I've been fumbling through, so I'm sure Fabrice can offer better advice but I 
would start by saying..

 

My understanding of the additional functionality this patch affords, is dealing 
with kicking the client off an AP so it will then re-auth and hopefully get put 
onto the correct VLAN.  So before worrying about if the patch is working, I'd 
see if you can get to a state where you can reach the portal as a new 
device/user, and after registering it puts you on the correct VLAN if you 
toggle WiFi off and back on (thus skipping the kick from AP part of the 
process).

 

As far as I understand, to achieve this you need:

 

Ideally to have shown it works with your wired network, something like: 

Clients are placed on a registration network which hits the portal, and that is 
able to register them properly as a node in packetfence associated with a role 
which belongs to an authenticated VLAN.

This is a really useful way to show that the core functionality works.

 

My setup from there added EAP-TLS to the Radius config, but I understand you're 
not looking to do that.. The setup should be similar though, as UniFi 
controller or AP will still have a RADIUS profile - in your case it will just 
be doing the MAC auth bit to decide on VLAN rather than having that layered on 
top of the certificate part. From there I am guessing a bit, as I understand 
there were some changes made to make the pure MAC auth bits work which I'd have 
to collate from the other posts on this topic.. Specifically, my clients change 
VLAN on the same SSID, they don't join a different SSID after registration..

 

I hope this is of some help,

 

David

 

 

On Fri, Feb 9, 2018 at 8:23 AM, E.P. wrote:

Hi David,

Sorry to bother you again, I’m a bit desperate here.

Thought that it will be a breeze to implement guest WiFi with captive portal 
but I’m still at nowhere.

Can you please tell me what Unifi AP you are using? Is it a show stopper for me 
if I use older APs with firmware 3.8.15 ?

I installed that required patch on PF as per Fabrice. Anything else I’m missing 
?

 

Eugene

 

From: David Harvey [mailto:da...@thoughtmachine.net]
Sent: Friday, February 02, 2018 7:10 AM
To: Eugene Pefti


Subject: Re: [PacketFence-users] Unifi APs and CoA

 

Hi Eugene,

 

No problem at all, although I'm not sure how much detail I can add.  Tim and 
Fabrice seem to have the best grasp of this with the most comprehensive 
guidance in The thread "[PacketFence-users] Ubiquiti UniFi AP Captive Portal".

The draft docs were also quite handy: 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#ubiquiti-1

 

Now my setup

I've been running EAP-TLS for some time now for wired and wifi, so not using 
the MAC based authentication.  I already had a functional packetfence setup 
which does MAC based and EAP based auth for wired (partially inherited setup), 
but ignore the MAB/MAC part as I don't use it in the wifi setup.

 

From here it wasn't too bad to add the Access points to packetfence as 
switches - initially as hostapd devices (before the Unify module existed) and 
using the common RADIUS config the ciscos are using.  I also had to create the 
profile on the unifi controller side with the RADIUS login details for auth 
and accounting.

Doing it this was has been less complicated as I don't need an open SSID - 
clients have certs so get onto my registration VLAN where they can hit the 
portal and login to find their eventual VLANs.

I can try and pull more detail together when I have time, but I think the Tim 
guide covers it well, although my setup is subtly different without the 

Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-10 Thread E.P. via PacketFence-users
As a quick update to it, I captured traffic coming from UniFi controller to PF 
during the connection of the client to guest SSID and see that there’s a 
request coming to port 9000 (172.16.0.222 is my PF)

 

http://172.16.0.222:9000/render/?width=586=308&_salt=1518074196.418=PacketFence-ZEN.cpu-0.cpu-idle=PacketFence-ZEN.cpu-0.cpu-interrupt=PacketFence-ZEN.cpu-0.cpu-nice=PacketFence-ZEN.cpu-0.cpu-softirq=PacketFence-ZEN.cpu-0.cpu-steal=PacketFence-ZEN.cpu-0.cpu-system=PacketFence-ZEN.cpu-0.cpu-user=PacketFence-ZEN.cpu-0.cpu-wait=PacketFence-ZEN.cpu-1.cpu-idle=PacketFence-ZEN.cpu-1.cpu-interrupt=PacketFence-ZEN.cpu-1.cpu-user=PacketFence-ZEN.cpu-2.cpu-idle=PacketFence-ZEN.apache-aaa.apache_connections=stats.counters.PacketFence-ZEN.freeradius__main__authenticate.count.count=stats.counters.PacketFence-ZEN.freeradius__main__authenticate.count.rate=PacketFence-ZEN.memory.memory-buffered=PacketFence-ZEN.memory.memory-cached=PacketFence-ZEN.memory.memory-free=PacketFence-ZEN.memory.memory-used

 

But I don’t see anything in http.portal logs

 

 


[PacketFence-users] Captive portal configuration basics

2018-02-10 Thread E.P. via PacketFence-users
Folks,

I'm struggling to put all pieces together to make it work like it is
described in this guide:

https://www.puc.edu/__data/assets/pdf_file/0005/162455/PacketFence-Login-For-Guests.pdf

Would appreciate if someone will give me an advice where to start in PF.

Or alternatively if my questions can be answered:

1.  What IP address do I enter in the field under Captive Portal,
Configuration-Advanced Access Configuration-Captive Portal

Anything else here important ?

2.  Do I need to enter any URL in "Role by Web Auth URL" in Roles under
Switch configuration ?
3.  Do I need any Authentication sources for this ?
4.  I created Guests connection profile. What are the settings in this
profile ? I have them all by default. Any sources or filters ? 

What is configured under "Captive portal" of this connection profile? I also
left default settings.

 

Eugene

 



Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-10 Thread E.P. via PacketFence-users
Hi Tim and gang,

Any idea where I should start looking into PF to troubleshoot WebAuth for WiFi ?

I finally had time to prepare UniFi according to screenshots published at github

https://github.com/inverse-inc/packetfence/tree/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images

 

Namely this is what I did in Unifi:

1)  New SSID (wireless network) is created and set as “Open” and checked 
for Guest policy “Appy guest policies” and set VLAN ID to be assigned.

2)  Created Guest policy and set authentication to point it to “External 
portal server” and put the IP address of PF into Custom portal field, checked 
“Use Secure Portal”, added the IP address of PF into “Pre-Authorization access” 
field.

 

Now, on PF just for the sake of testing guets self-registration which should be 
enabled by default I’m not supposed to do anything other than creating a 
connection profile, correct ?

So, I created “guests” connection profile, anything specific to set within this 
profile ? I checked “Active preregistration” in the profile settings but my 
pf.conf file (/usr/local/pf/conf/pf.conf) doesn’t have this (as it says in PF 
admin guide)

 

[guests_self_registration]

preregistration=enabled

 

Ideally we would like to enable PF send SMS/text messages to users with their 
passwords

 

So, with all above set my connection attempts to the said SSID result in no 
redirection to the captive portal. What am I missing and what am I setting in 
“Captive portal” in the connection profile and how would PF start processing 
the connection being forwarded by UniFi controller ?

 

Eugene

 

From: Timothy Mullican [mailto:tjmullic...@yahoo.com] 
Sent: Friday, February 02, 2018 8:06 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net; frederic.herm...@neptune.fr; 
holger.patz...@t-systems.com
Subject: Re: AW: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

 

Eugene:

You should use the IP address of your AP instead of the MAC address. The 
pictures are available at:

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png

My thread probably has more in depth images though.

—

Holger:

You are correct that MAC auth is vulnerable to attack. I believe PacketFence 
can detect a host name change as one mitigation and trigger a violation. 
Another mitigation is to put your network behind 802.1x or WPA2. I have to auth 
people against G Suite, so I can’t currently use 802.1x (Oauth). For the guest 
network, spoofing isn’t as much of an issue since it’s separated from my 
corporate lan. I would start a separate thread for this though.

 

Sent from mobile phone


On Feb 2, 2018, at 03:15, Holger wrote:

Hello Tim,

hi all,

 

we do use Juniper EX3200 Switches here and I would like to discuss a security 
issue in your example conf for Juniper in the documentation referenced by your 
posting below:

 

your doc suggests the option "mac radius" to be activated. I would rather NOT 
suggest that, because:

MAC Authentication is subject to spoofing attacks, which one exactly wants to 
get rid of by using 802.1x. 

It is exactly the wrong way to activate the mac radius option, as in this case 
a juniper switch would use simple mac radius as a fallback, if 802.1x would 
fail, which is exactly what you would NOT want to have, if you want to be sure 
NOT to be vulnerable to mac spoofing attacks.

 

So is there a reason you suggest that option that I didn't get?

 

Bye,

Holger

 

PS:

An additional personal hint: using interface ranges in the "protocols / dot1x / 
interface" config did not work with our switches, we had to explicitly name the 
interfaces there.

 

 

From: Timothy Mullican via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, February 1, 2018 18:11
To: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican ; Frederic Hermann 
Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

 

By the way,

Fabrice Durand already added code to do this in pull request #2735 on github. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch

You can apply that patch to get it working. Also see 

[PacketFence-users] HP 1820/1920 switches support

2018-02-07 Thread E.P. via PacketFence-users
Folks,

Trying to figure out if the wired network I inherited is ready for port
based access control.

We run mostly HP 1820/1920 switches on the access layer. Their technical
specs do state that they support dot1x and RADIUS.

But I didn't find any references about these models in the device here

 

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#hp

 

Has anyone had any experience with them?

 

Eugene

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Where is the packetfence PKI Certificate Authority private key file?

2018-02-03 Thread E.P. via PacketFence-users
Hi Yijie,

I’ve spent some time with PKI as well trying to figure out how to make it work 
and deploy certificates.

I currently have it inaccessible for a reason unknown to me yet, but as far as 
I remember the CA certificate is in *.PEM format and all you have to do is 
manually install it on the endpoint by allowing it to be installed in the 
default location, i.e. trusted certificate authority. You don’t need the 
private key for the CA. Just start MMC, add the Certificates snap-in and import 
this PEM file.

On the contrary, you’d need a *.PFX or *.P12 file for the RADIUS server itself 
that contains both the certificate and private key. And you do need the 
password to import it into an endpoint.

 

Eugene

 

From: Yijie Li via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Friday, February 02, 2018 1:50 PM
To: packetfence-users@lists.sourceforge.net
Cc: Yijie Li
Subject: [PacketFence-users] Where is the packetfence PKI Certificate Authority 
private key file?

 

Hi,

 

Regarding this question, I searched the mailing list archive multiple times and 
have googled too. But did not find any solution there.

 

I am in the process of configuring pf and pf PKI. I followed this instruction: 
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html. To add 
an Apple devices provisioner profile, it seems I need to paste the PacketFence 
PKI CA certificate and private key into the configuration under the Signing tab 
of the Provisioning Entry. Under the folder /usr/local/packetfence-pki/ca/, I 
see the CA certificate file in pem format. But the private key file is not 
there. I tried some intensive searching, but did not come up with anything.

 

Where is the pf PKI CA private key, and what is the private key password, if 
any? During CA initialization, there is no user input about where to save it, 
nor about the private key password.

 

 

 



Re: [PacketFence-users] PKI installation

2018-02-03 Thread E.P. via PacketFence-users
Hi Fabrice,

I feel awkward resurrecting this topic but I believe something happened to PKI 
after I upgraded PF to 7.4.

I really want it not to be connected with that, but I can’t log in to the PKI 
admin interface.

The login page shows normally with a prompt for username/password; I enter the 
previously used admin/password credentials but nothing happens.

I need to grab the RADIUS server certificate to manually install it on Windows 
10 machines so that they validate the server properly.

Logs under /usr/local/packetfence-pki/logs don’t show anything that would give 
me a clue except for these events:

 

[root@PacketFence-ZEN logs]# cat ./packetfence_pki.access.log
172.16.0.100 - - [03/Feb/2018:03:16:06 +] "POST / HTTP/1.1" 200 2483 
"https://172.16.0.222:9393/; "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) 
Gecko/20100101 Firefox/58.0"

[root@PacketFence-ZEN logs]# cat ./error.log

[Sat Feb 03 05:09:16.445232 2018] [:error] [pid 1050] 
/usr/lib/python2.7/site-packages/bootstrap3/bootstrap.py:5: 
RemovedInDjango19Warning: django.utils.importlib will be removed in Django 1.9.

[root@PacketFence-ZEN logs]# cat ./packetfence_pki.error.log
[Sat Feb 03 03:14:11.433371 2018] [ssl:warn] [pid 27722] AH01909: RSA 
certificate configured for pki:443 does NOT include an ID which matches the 
server name

Eugene

 

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Wednesday, January 03, 2018 12:26 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Just for information, I uploaded a new version of the packetfence-pki for 
CentOS 7 which fixes all the install issues.

Regards

Fabrice

 

 

On 2017-12-12 at 23:58, E.P. wrote:

Well, I’m taking my hat off in front of you, no kidding and pun intended ;)

Do you need the traceback from the error page?

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 7:02 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Ah ah, don't worry, I like to have challenges like that, to be able to fix the 
issue for a better user experience.

I coded the PKI so I want to make it work.

 

 

On 2017-12-12 at 21:48, E.P. wrote:

Sure, take your time, Fabrice. I have a special knack of running into troubles 
in cases when others didn’t have any :) 


Eugene

Sent from iPhone


On Dec 12, 2017, at 18:18, Durand fabrice wrote:

OK, let me try to install the PKI on the ZEN and I will get back to you.

I have installed the PKI on 10 servers not long ago without any issue.

 

 

On 2017-12-12 at 20:52, E.P. wrote:

Yes, db.sqlite3 was owned by root

 

[root@PacketFence-ZEN packetfence-pki]# ls -al
total 56
drwxr-xr-x   7 pf   pf     128 Dec 12 08:49 .
drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
drwxrws---   2 pf   pf       6 Nov 15 14:20 ca
drwxr-xr-x   2 pf   pf     125 Dec 12 01:33 conf
-rw-r--r--   1 root root 43008 Dec 12 08:44 db.sqlite3
drwxr-xr-x   2 pf   pf     204 Dec 12 02:49 inverse
drwxrws---   2 pf   pf      90 Dec 12 01:35 logs
-rwxr--r--   1 pf   pf     250 Nov 15 14:20 manage.py
-rw-r--r--   1 root root     6 Dec 12 08:49 packetfence-pki.pid
drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki

 

Changed the file ownership to pf:pf

 

[root@PacketFence-ZEN packetfence-pki]# ls -al
total 100
drwxr-xr-x   7 pf   pf     147 Dec 13 01:45 .
drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..
drwxrws---   2 pf   pf       6 Nov 15 14:20 ca
drwxr-xr-x   2 pf   pf     125 Dec 12 01:33 conf
-rw-r--r--   1 pf   pf   43008 Dec 13 01:45 db.sqlite3
drwxr-xr-x   2 pf   pf     204 Dec 12 02:49 inverse
drwxrws---   2 pf   pf      90 Dec 12 01:35 logs
-rwxr--r--   1 pf   pf     250 Nov 15 14:20 manage.py
-rw-r--r--   1 root root     5 Dec 13 01:43 packetfence-pki.pid
drwxr-xr-x   5 pf   pf    4096 Dec 12 02:49 pki

 

But trying to log in to the PKI webpage brings me back to the same original 
error “no such table: pki_ca” which I showed earlier. I tried to follow your 
previous advice about renaming the db.sqlite3 file and running the migration, 
but the behavior is consistent. Is it OK that the PKI process ID file is also 
owned by root?

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 5:35 AM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Just change the owner of the sqlite file to pf and it should be ok.

BTW, all these steps are made in the packaging, so it probably failed or never 
finished correctly.

I will do a test on my side.

Regards

Fabrice

 

 

On 2017-12-12 at 03:47, E.P. wrote:

Well, we are getting closer ;)

Ran the Python script to migrate the database; it completed:

 

[root@PacketFence-ZEN packetfence-pki]# python manage.py migrate

Operations to perform:

  Synchronize unmigrated apps: staticfiles, rest_framework, messages, bootstrap3

  Apply all migrations: authtoken, sessions, admin, auth, 

Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread E.P. via PacketFence-users
Hi Tim,

As usual, your comments are invaluable ;)

Looking at the guide which is in asciidoc to see how to properly deal with 
Unifi. Would be nice to see pictures as they are missing.

Also, do I need to replace the IP addresses of the APs in switches.conf with 
their MAC addresses?

 

Eugene

 

From: Timothy Mullican via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, February 01, 2018 9:11 AM
To: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican; Frederic Hermann
Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

 

By the way,

Fabrice Durand already added code to do this in pull request #2735 on github. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch

You can apply that patch to get it working. Also see 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
for the updated documentation. You can read through my earlier thread to see 
the steps I took to get it working. 

 

Tim

Sent from mobile phone


On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users wrote:

This has been a fantastic resource for the thread I recently started (sorry for 
the repetition in it)

I would add:

I've added kick-sta to replace both the authorize and unauthorize guest 
commands in Unifi.pm

 

It transpired my in-house cert was upsetting things until I updated the CA 
certs on the Debian container I'm using. The symptom was the following in 
packetfence.log:

before:

Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 
(certificate verify failed) 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

after:

Switched status on the Unifi controller using command kick-sta 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

 

After this the kick events come through and I get a brief drop in packets 
whilst pinging.  I'm still fighting the final issue - which is increasing the 
duration of the kick, or ensuring a full re-auth occurs, as currently the 
device I'm testing with drops packets, but remains on the same VLAN still until 
the device is toggled. 

 

Thanks for the guidance and let me know if you face/overcame anything similar.

 

Cheers,

 

David

 

 

On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users wrote:

> From: "Michael Westergaard via PacketFence-users" 
> 
Hi Michael,


> I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is 
> using
> for authenticating users over wireless and then changing the VLAN.

> However I cannot find any documentation anywhere if this is possible in
> Packetfence Documentation?

> Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have anybody 
> been
> able to make it work?

We made some tests a few weeks ago, and we've been able to manage a Unifi 
controller using RADIUS mode (rather than the Portal mode described in the 
PacketFence documentation).

This allows you to use dynamic VLANs with WPA2-Enterprise, as it seems that 
dynamic VLANs are only available in secure mode on Unifi.

The only change we had to do (on the packetfence side) was


That means you have to configure your AP type as "Unifi Controller" in 
packetfence, and set the Deauth method to "HTTPS", instead of Radius.
Of course you will also define the unifi controller IP in the same location.
Then you will have to edit (or override) the Unifi.pm module to change the 
webservice command used to auth/deauth users : this is in the 
"_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi 
command through the webservice, instead of the 
"authorize-guest/unauthorise-guest".

Hope this helps,

Regards


Re: [PacketFence-users] VLAN assigment by RADIUS

2018-01-30 Thread E.P. via PacketFence-users
I think there’s one rule.

Here’s what the pftest produces when I run “./pftest authentication it.tech 
password”:

 



 

And it matches the conditions in the authentication source:

 



So far, I don’t have a problem understanding the process of querying AD during 
the user authentication. I’d love to see the response coming from AD in the 
RADIUS outputs but as long as the test says that the correct role is assigned 
I’m OK.

There’s a gap in my knowledge as to what happens when PF assigns a role. The 
only VLAN ID binding to the role is set in the “switches.conf” file for a 
specific switch or WAP, correct?

Once again, I’m doing only 802.1x, no captive portal.

 

Eugene

 

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Monday, January 29, 2018 5:55 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] VLAN assigment by RADIUS

 

So it means that there is no rule that matches the it.tech username in your AD 
source.

Try pftest authentication it.tech bob and see if the AD source returns a role 
and an unregdate.

Fabrice

 

 

On 2018-01-29 at 20:39, E.P. wrote:

Well, that’s my problem, Fabrice,

I’ve already checked that log, nothing in there ;)

 


RADIUS Request

User-Name = "it.tech" NAS-IP-Address = 172.19.254.2 NAS-Port = 0 Framed-MTU = 
1400 State = 0xe7795756e6bf4d151b0bfaeaef977462 Called-Station-Id = 
"24:a4:3c:5e:c1:11:staff-secured" Calling-Station-Id = "3c:2e:ff:3b:c7:ca" 
NAS-Identifier = "24a43c507608" NAS-Port-Type = Wireless-802.11 Event-Timestamp 
= "Jan 30 2018 01:36:24 UTC" Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message 
= 0x02c600061a03 FreeRADIUS-Proxied-To = 127.0.0.1 EAP-Type = MSCHAPv2 
Stripped-User-Name = "it.tech" Realm = "default" Called-Station-SSID = 
"staff-secured" PacketFence-Domain = "optionsad" User-Password = "**" 
SQL-User-Name = "it.tech"


RADIUS Reply

EAP-Message = 0x03c60004 Message-Authenticator = 
0x Stripped-User-Name = "it.tech"

 

 

 

From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Monday, January 29, 2018 5:18 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] VLAN assigment by RADIUS

 

Hello Eugene,

Check in the RADIUS audit log; you will see the RADIUS answer.

Regards

Fabrice

 

 

On 2018-01-29 at 19:41, E.P. via PacketFence-users wrote:

Guys, 

How can I see if a specific VLAN ID that I assigned to the switch (or rather 
WAP) in the “Role by VLAN ID” setting is used?

I have it as follows (extract from the switches.conf file):

 

StaffRole=10

StaffVlan=10 

 

Should I take into account not a very good marriage of Ubiquiti Unifi and 
FreeRADIUS when it comes to VLAN ID assignment?

I see in the RADIUS debugs that VLAN is indeed assigned to the user session 
(see below) but what is its ID ?

 

(88) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(88) attr_filter.packetfence_post_auth:--> it.tech
(88) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(88) [attr_filter.packetfence_post_auth] = updated
(88) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(88) linelog:--> messages.Access-Accept
(88) linelog: EXPAND [mac:%{Calling-Station-Id}] Accepted user: 
%{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
(88) linelog:--> [mac:3c:2e:ff:3b:c7:ca] Accepted user:  and returned VLAN 
(88) [linelog] = ok
(88)   } # post-auth = updated
(88) Login OK: [it.tech] (from client 172.19.254.2 port 0 cli 3c:2e:ff:3b:c7:ca)
(88) Sent Access-Accept Id 46 from 172.16.0.222:1812 to 172.19.254.2:32784 
length 0

 

Eugene

 







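The FreeRADIUS debug quoted in this thread shows an Access-Accept whose linelog line expands to a blank user and a blank VLAN, i.e. the reply carries no Tunnel-Private-Group-ID. The following Python is an added example, not PacketFence or FreeRADIUS code: it parses a RADIUS reply attribute dump and the linelog line, and reports which of the three RFC 3580 tunnel attributes a NAS needs for a VLAN assignment are missing. The sample replies (including the VLAN value 10) are constructed for the example.

```python
"""Check whether a RADIUS Access-Accept actually carries a dynamic VLAN.

Added example, not PacketFence or FreeRADIUS code. It parses the
"Attribute = value" text that the RADIUS audit log and the FreeRADIUS
debug output print, and reports whether the three RFC 3580 tunnel
attributes a switch or AP needs to place a session on a VLAN are present.
All sample inputs below are constructed for the example.
"""
import re
from typing import Dict, List, Optional

# "Name = value" or "Name:tag = value"; values may be double-quoted.
ATTR_RE = re.compile(r'([A-Za-z][\w-]*)(?::\d+)?\s*=\s*("(?:[^"\\]|\\.)*"|\S+)')

# The post-auth linelog line quoted above; user and VLAN may both be blank.
LINELOG_RE = re.compile(
    r"\[mac:([0-9a-fA-F:]{17})\] Accepted user: ?(\S*) and returned VLAN ?(\S*)"
)

# RFC 3580 section 3.31: Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6).
TUNNEL_TYPE_OK = {"VLAN", "13"}
TUNNEL_MEDIUM_OK = {"IEEE-802", "6"}


def parse_attrs(text: str) -> Dict[str, str]:
    """Turn a one-line or multi-line attribute dump into a name -> value dict."""
    return {name: raw.strip('"') for name, raw in ATTR_RE.findall(text)}


def check_vlan_reply(reply_text: str) -> Dict[str, object]:
    """Report what is missing for a NAS to honour a VLAN assignment.

    RADIUS attribute names are case-insensitive (FreeRADIUS prints
    Tunnel-Private-Group-Id, the linelog above uses ...-ID), so the lookup
    lowercases the names.
    """
    attrs = {name.lower(): value for name, value in parse_attrs(reply_text).items()}
    problems: List[str] = []
    vlan: Optional[str] = attrs.get("tunnel-private-group-id") or None
    if vlan is None:
        problems.append("no Tunnel-Private-Group-ID: the reply returns no VLAN")
    if attrs.get("tunnel-type") not in TUNNEL_TYPE_OK:
        problems.append("Tunnel-Type missing or not VLAN")
    if attrs.get("tunnel-medium-type") not in TUNNEL_MEDIUM_OK:
        problems.append("Tunnel-Medium-Type missing or not IEEE-802")
    return {"vlan": vlan, "problems": problems, "ok": not problems}


def parse_linelog(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract mac/user/vlan from the linelog 'Accepted user' line.

    Blank fields (as in the page's debug, where user and VLAN are both
    empty) come back as None, which a log monitor can alert on.
    """
    match = LINELOG_RE.search(line)
    if not match:
        return None
    mac, user, vlan = match.groups()
    return {"mac": mac.lower(), "user": user or None, "vlan": vlan or None}


# Constructed samples. The first mirrors the audit-log reply quoted above
# (no tunnel attributes at all); the others show a usable and a partial reply.
REPLY_NO_VLAN = (
    'EAP-Message = 0x03c60004 Message-Authenticator = 0x '
    'Stripped-User-Name = "it.tech"'
)
REPLY_WITH_VLAN = (
    'Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 '
    'Tunnel-Private-Group-ID:0 = "10" User-Name = "it.tech"'
)
REPLY_PARTIAL = 'Tunnel-Private-Group-ID:0 = "10" User-Name = "it.tech"'

LINELOG_BLANK = (
    "(88) linelog:--> [mac:3c:2e:ff:3b:c7:ca] Accepted user:  and returned VLAN "
)
LINELOG_FULL = (
    "(89) linelog:--> [mac:3c:2e:ff:3b:c7:ca] Accepted user: it.tech and returned VLAN 10"
)

if __name__ == "__main__":
    for label, reply in (("no vlan", REPLY_NO_VLAN), ("with vlan", REPLY_WITH_VLAN),
                         ("partial", REPLY_PARTIAL)):
        print(label, check_vlan_reply(reply))
    print(parse_linelog(LINELOG_BLANK))
    print(parse_linelog(LINELOG_FULL))
```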


Re: [PacketFence-users] VLAN assigment by RADIUS

2018-01-30 Thread E.P. via PacketFence-users
Here’s an unexpected change in the development.

I upgraded PF to ver 7.4

I am starting to see the VLAN ID assignment in the RADIUS audit log, which is 
already good, but the endpoint completes authentication only when this VLAN is 
assigned by the Unifi controller.

If I have it dynamically assigned by RADIUS it still shows in the debugs, but 
the endpoint keeps connecting without success.

Just FYI, I do believe we are all getting there and with Fabrice and his 
colleagues we are in good hands ;)

 

Eugene

 

 

 


Re: [PacketFence-users] Bandwidth accounting

2018-01-30 Thread E.P. via PacketFence-users
Enabled to answer the first advice but a bit unclear for the second one.

Looking into the existing violations, or rather the example violation “1100011
Bandwidth limit example (20GB/month)”.

The only key piece of information for me here is the trigger, “Total
traffic over 20GB per month”.

Where can I see all the triggers defined? I assume they are in the database?

Reading section 21.3 RADIUS Accounting in the PF admin guide, I see examples,
but they look as if they are defined in a file, not in the GUI.

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Monday, January 29, 2018 5:13 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Bandwidth accounting

 

Hello Eugene,

You need to have RADIUS accounting enabled on your NAS and create a
violation for that.

Regards

Fabrice

 

 



Re: [PacketFence-users] VLAN assigment by RADIUS

2018-01-29 Thread E.P. via PacketFence-users
I’m pulling my hair out now in despair …

I added a few more WAPs to the switches.conf file and restarted RADIUS. 

Trying to authenticate as a valid user and it is successful (as it says in the 
RADIUS audit log).

But the endpoint can’t communicate at all via IP and it can’t even request an 
IP address via DHCP. 

It’s as if the VLAN being assigned by RADIUS is not the one that should be, 
and I don’t know which one it is.

 

Eugene

 

 



Re: [PacketFence-users] VLAN assigment by RADIUS

2018-01-29 Thread E.P. via PacketFence-users
Well, that’s my problem, Fabrice,

I’ve already checked that log, nothing in there ;)

 


RADIUS Request

User-Name = "it.tech" NAS-IP-Address = 172.19.254.2 NAS-Port = 0 Framed-MTU = 
1400 State = 0xe7795756e6bf4d151b0bfaeaef977462 Called-Station-Id = 
"24:a4:3c:5e:c1:11:staff-secured" Calling-Station-Id = "3c:2e:ff:3b:c7:ca" 
NAS-Identifier = "24a43c507608" NAS-Port-Type = Wireless-802.11 Event-Timestamp 
= "Jan 30 2018 01:36:24 UTC" Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message 
= 0x02c600061a03 FreeRADIUS-Proxied-To = 127.0.0.1 EAP-Type = MSCHAPv2 
Stripped-User-Name = "it.tech" Realm = "default" Called-Station-SSID = 
"staff-secured" PacketFence-Domain = "optionsad" User-Password = "**" 
SQL-User-Name = "it.tech"


RADIUS Reply

EAP-Message = 0x03c60004 Message-Authenticator = 
0x Stripped-User-Name = "it.tech"

 

 

 



Re: [PacketFence-users] Bandwidth accounting

2018-01-29 Thread E.P. via PacketFence-users
Well,  I'd rather paraphrase my question as to how to use available
"Bandwidth limit" violation to limit a user session based on a specific
bandwidth value.

 

Eugene

 



[PacketFence-users] Bandwidth accounting

2018-01-29 Thread E.P. via PacketFence-users
Folks,

I'm trying to understand how to enable violations for bandwidth with
accounting

Looking at this YouTube video example, but I don't see how it could be done in the current version of PF.

https://www.youtube.com/watch?v=7nSrYKkX7wk

The only section on Violations is under Configuration - Compliance, but I don't see a "Filter" field and can't find the Hourly violation.

Is it possible to do anyway?

 

Eugene



Re: [PacketFence-users] Number of devices to connect to the network

2018-01-25 Thread E.P. via PacketFence-users
Three different ones ;)

IE 11, Firefox and Chrome.

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Wednesday, January 24, 2018 6:25 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

Weird, I am not able to reproduce it. Which browser are you using?

Fabrice

 


Re: [PacketFence-users] NULL realm

2018-01-25 Thread E.P. via PacketFence-users
Thanks, Fabrice.

Found it and deleted the NULL realm from this file, and it is gone from the webpage.

But essentially this is not what I wanted to achieve.

And perhaps there's something I don't understand.

I thought that without the NULL realm the processing of realms would skip it and would match my realm, options.bc.ca, which is at the end of the list of realms.

Still, if I authenticate as it.tech, I see in the RADIUS debug that it uses the NULL realm.

If I authenticate as it.t...@options.bc.ca, I see the correct realm used.

But both authentication attempts go through. What is the use of the options.bc.ca realm then?

It looks like, with only one AD in our organization, we may easily disregard it?

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Wednesday, January 24, 2018 6:34 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] NULL realm

 

Hello Eugene,

the NULL realm is located in realm.conf.defaults

Regards

Fabrice

 

 



Re: [PacketFence-users] Number of devices to connect to the network

2018-01-25 Thread E.P. via PacketFence-users
One more stupid question from me, Fabrice, regarding the same subject :)

How is the role assigned to the user session?

I don't see it in the debug output, but I see it in the results of pftest as I showed before.

Am I supposed to see it in the RADIUS reply message or somewhere in the debug output?

Still trying to implement the limit on the number of devices that a staff user is allowed to connect.

And finally, when will the node become registered? As far as I understand, it doesn't have anything to do with a user that owns it and successfully authenticates using a dot1x supplicant?

Just wondering if we can have hosts/nodes registered after VLAN assignment to the dot1x session?

 

Eugene

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Friday, January 19, 2018 6:05 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

In your AD authentication source, create a rule that matches a staff group and assigns the staff role and an access duration (memberof equal cn=staff,dc=...).

Regards

Fabrice

 



[PacketFence-users] NULL realm

2018-01-23 Thread E.P. via PacketFence-users
Guys,

I wonder if I can make PF bypass NULL realm processing?

The reason is that we want to use only the user ID in the username field.

If we use it like this, then the authentication attempt hits the NULL realm.

I tried to remove it from the PF GUI but it still stays there.

Interesting that it is not listed in the realm.conf file:

 

[root]@[PacketFence-ZEN conf]#cat realm.conf
[DEFAULT]
domain=optionsas
options=strip

[options]
domain=optionsad

[options.bc.ca]
domain=optionsad

 

Eugene



Re: [PacketFence-users] Number of devices to connect to the network

2018-01-23 Thread E.P. via PacketFence-users
I figured it out, Fabrice. Thanks for the ldapsearch tool guidance, but it was my haste as usual ;)

I set the "Matches" parameter to "All", and it turned out that the reply to the query against AD returned membership in more than one group.

And of course this condition didn't evaluate as true. I changed it to "Any" and it is all good.

I guess the Administration rule is not very important here, but I found that the value for "Access level" doesn't show, and I tried it in two different browsers:

 



 

Eugene

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Monday, January 22, 2018 6:59 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

Hello Eugene,

Use adsiedit.msc on the AD in order to have an LDAP view of your AD and check the exact attributes/values.

On my side I use ldapsearch to fix that sort of issue (http://www.vinidox.com/ldap/querying-an-ldap-server-from-the-command-line-with-ldap-utils-ldapsearch-ldapadd-ldapmodify/).

Regards

Fabrice

 

 

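The rule matching discussed in this thread (Fabrice's memberOf rule and the "Matches" setting that failed while the AD reply listed several groups), as an added illustration that is not PacketFence's own code: a small Python model that parses a constructed ldapsearch-style entry for it.tech, evaluates a memberOf condition under "All" and "Any" across the multi-valued attribute, and lets the first matching rule assign the role. The DNs, group names, the catch-all rule, the first-match-wins order and the "All means every value must satisfy the condition" semantics are assumptions that mirror the behaviour reported in the post.

```python
"""Simplified model of PacketFence-style authentication source rules evaluated
against a multi-valued AD attribute.  Added illustration, not PacketFence code:
the All/Any semantics mirror what the post reports (All fails when memberOf
carries several groups, Any succeeds); DNs, groups and rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed ldapsearch-style output for the it.tech account (hypothetical DNs).
SAMPLE_LDIF = """\
dn: CN=it.tech,CN=Users,DC=example,DC=local
sAMAccountName: it.tech
memberOf: CN=staff,CN=Users,DC=example,DC=local
memberOf: CN=Domain Users,CN=Users,DC=example,DC=local
memberOf: CN=Helpdesk,OU=Groups,DC=example,DC=local
"""

STAFF_DN = "CN=staff,CN=Users,DC=example,DC=local"   # hypothetical group DN


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Collect the attributes of one LDIF entry; a repeated attribute name
    (memberOf here) becomes a multi-valued attribute."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


@dataclass
class Condition:
    attribute: str      # e.g. "memberOf"
    operator: str       # "equals" or "contains"
    value: str


@dataclass
class Rule:
    name: str
    role: str
    match: str = "all"                                  # the Matches field: "all" or "any"
    conditions: List[Condition] = field(default_factory=list)


def _compare(op: str, actual: str, expected: str) -> bool:
    # AD distinguished names are compared case-insensitively here (assumption).
    a, e = actual.casefold(), expected.casefold()
    if op == "equals":
        return a == e
    if op == "contains":
        return e in a
    raise ValueError(f"unsupported operator: {op}")


def condition_holds(cond: Condition, values: List[str], match: str) -> bool:
    """Under "all" every value of the attribute must satisfy the condition
    (so a second group membership breaks an equals check); under "any" one
    satisfying value is enough.  An absent attribute never matches."""
    results = [_compare(cond.operator, v, cond.value) for v in values]
    if not results:
        return False
    return all(results) if match == "all" else any(results)


def rule_matches(rule: Rule, attrs: Dict[str, List[str]]) -> bool:
    """A rule without conditions is a catch-all; otherwise the per-condition
    results are combined with the rule's match mode."""
    if not rule.conditions:
        return True
    outcomes = [condition_holds(c, attrs.get(c.attribute, []), rule.match)
                for c in rule.conditions]
    return all(outcomes) if rule.match == "all" else any(outcomes)


def first_matching_rule(rules: List[Rule],
                        attrs: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """The first matching rule wins and determines the role (assumption);
    None means no rule matched and the source assigns nothing."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule.name, rule.role
    return None


def evaluate(match_mode: str) -> Optional[Tuple[str, str]]:
    """Run a staff rule in the given Matches mode, followed by a constructed
    catch-all, against the it.tech entry."""
    attrs = parse_ldif_entry(SAMPLE_LDIF)
    rules = [
        Rule("Staff-WiFi", "staff", match_mode,
             [Condition("memberOf", "equals", STAFF_DN)]),
        Rule("Catch-all", "guest"),          # no condition: always matches
    ]
    return first_matching_rule(rules, attrs)


if __name__ == "__main__":
    for mode in ("all", "any"):
        print(f"Matches={mode}: {evaluate(mode)}")
```

With "all" the staff rule is skipped because two of the three memberOf values differ from the staff DN, so the catch-all fires; with "any" the staff rule assigns the role.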

Re: [PacketFence-users] Number of devices to connect to the network

2018-01-22 Thread E.P. via PacketFence-users
I'm observing a weird behavior while doing it, Fabrice.

I did create a rule that should match on just one condition, i.e. memberOf:

The user I'm authenticating does belong to the Users CN in AD and I can authenticate normally; here's the output of the pftest authentication it.tech XXX command:

But for some reason the rules are not matched. I even tried to set the condition to distinguishedName with the value taken from AD

to be like this

What bothers me is that I don't see any LDAP-related details coming from the AD server while debugging RADIUS and authenticating as the it.tech user.

Could it be the source of the problem?

 

Eugene

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Friday, January 19, 2018 6:05 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

In your AD authentication source, create a rule that matches a staff group and assigns the staff role and an access duration (memberof equal cn=staff,dc=...).

Regards

Fabrice

 

 

 



Re: [PacketFence-users] Number of devices to connect to the network

2018-01-17 Thread E.P. via PacketFence-users
Great!

That confirms my train of thought. But it is still not clear to me how it will affect the user that authenticates against AD.

Yes, I have created a new role called "staff", and yes, I have set a limit of 2 devices for this role.

Then the end user just connects to the SSID, authenticates and gets on the network. How would I assign the user to the "staff" role?

Is this where provisioners come to help?

 

Eugene

 

From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Tuesday, January 16, 2018 6:42 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Number of devices to connect to the network

 

Hello Eugene,

This is exactly where you have to control that.

So just set a limit on the roles where you want to limit the number of devices per user.

Regards

Fabrice

 

 



Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

2018-01-17 Thread E.P. via PacketFence-users
Well, it is in the guide on PKI ;)

This is the picture from the page from section

3.4.3. PacketFence provider configuration

 

 

PacketFence PKI configuration

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Tuesday, January 16, 2018 6:21 AM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

 

I can't find in the doc where it's defined as 9191?!

 


[PacketFence-users] Number of devices to connect to the network

2018-01-16 Thread E.P. via PacketFence-users
Guys,

We are still at the early phases of PF deployment and only now looking into AD-based authentication for wireless devices.

Is there any way to limit the number of user devices that can be connected by one user?

Let's say the user uses his/her laptop and roams around remote sites where we provide WiFi with WPA2-Enterprise, and we also allow him/her to use the phone (iPhone/Android). No more devices to connect.

 

Eugene



Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

2018-01-16 Thread E.P. via PacketFence-users
Great breakdown, thank you!

What is the correct port number, Fabrice, in the "pki_provider.conf" file?

You showed yours with 9393, but in the guide it is 9191.

 

 

From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Monday, January 15, 2018 6:01 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

 

Hello Eugene,

 

Le 2018-01-13 à 02:59, E.P. via PacketFence-users a écrit :

Folks,

Our two big shots in the organization live their lives with Apple macbooks and 
we need to get them on the secure WiFi.

Can someone explain to me where and how to get the content of certificates that are trusted by Apple devices?

First you need to configure a PKI in PacketFence (what I use in pki_provider.conf):

[PacketFencePKI]
cn_format=%s
profile=clientCrt
revoke_on_unregistration=Y
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/YourCert.pem
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MYCA.pem
state=Quebec
password=p@ck3tf3nc3
organization=Inverse.inc
country=CA
proto=https
port=9393
host=127.0.0.1
username=admin
type=packetfence_pki
cn_attribute=mac

Next you need to configure the provisioner in order to provide the certificate and WiFi configuration (provisioning.conf):

[AppleTLS]
broadcast=0
oses=
category=
eap_type=13
can_sign_profile=0
security_type=WPA
description=Apple Provisioning
type=mobileconfig
ssid=baguettesecure
pki_provider=PacketFencePKI

But in your case you need to sign the profile with another certificate, so in the Signing tab use a certificate like the one you have from GoDaddy.

In this form you need to put in "certificate for signing profiles" your public key (-----BEGIN CERTIFICATE-----), next your private key (-----BEGIN PRIVATE KEY-----), and in the last field the certificate chain of GoDaddy, probably that one:
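A consistency check over the two sections Fabrice posted, as an added example that is not PacketFence's own code: it parses constructed copies of the pki_provider.conf and provisioning.conf snippets with Python's configparser and verifies that the provisioner's pki_provider points at an existing provider section carrying the fields the example needs. The checks themselves (required keys, numeric port, https) are my own, and the password is a placeholder.

```python
"""Cross-check a PacketFence provisioner against the PKI provider it names.
Added example, not PacketFence code.  The snippets are constructed from the
sections Fabrice posted; the PKI password is replaced by a placeholder."""
import configparser
from typing import List

PKI_PROVIDER_CONF = """\
[PacketFencePKI]
cn_format=%s
profile=clientCrt
revoke_on_unregistration=Y
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/YourCert.pem
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MYCA.pem
state=Quebec
password=PLACEHOLDER_PKI_ADMIN_PASSWORD
organization=Inverse.inc
country=CA
proto=https
port=9393
host=127.0.0.1
username=admin
type=packetfence_pki
cn_attribute=mac
"""

PROVISIONING_CONF = """\
[AppleTLS]
broadcast=0
eap_type=13
can_sign_profile=0
security_type=WPA
description=Apple Provisioning
type=mobileconfig
ssid=baguettesecure
pki_provider=PacketFencePKI
"""

EAP_TLS = "13"   # IANA EAP method type 13 is EAP-TLS, which needs a client certificate
REQUIRED_PKI_KEYS = ("host", "port", "proto", "username", "password",
                     "server_cert_path", "ca_cert_path", "profile")


def load_ini(text: str) -> configparser.ConfigParser:
    # cn_format=%s would trip configparser's default interpolation, so disable it.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_provisioners(prov_text: str, pki_text: str) -> List[str]:
    """Return human-readable problems; an empty list means the two files agree."""
    prov, pki = load_ini(prov_text), load_ini(pki_text)
    problems: List[str] = []
    for name in prov.sections():
        sec = prov[name]
        provider = sec.get("pki_provider", "").strip()
        if sec.get("eap_type") == EAP_TLS and not provider:
            problems.append(f"[{name}] eap_type=13 (EAP-TLS) but no pki_provider set")
        if not provider:
            continue
        if not pki.has_section(provider):
            problems.append(f"[{name}] pki_provider={provider} has no section in pki_provider.conf")
            continue
        p = pki[provider]
        if p.get("type") != "packetfence_pki":
            problems.append(f"[{provider}] type is {p.get('type')!r}, expected packetfence_pki")
        for key in REQUIRED_PKI_KEYS:
            if not p.get(key, "").strip():
                problems.append(f"[{provider}] missing {key}")
        if not p.get("port", "").isdigit():
            problems.append(f"[{provider}] port must be numeric, got {p.get('port')!r}")
        if p.get("proto") != "https":
            # The PKI admin credentials ride on this connection; require TLS.
            problems.append(f"[{provider}] proto={p.get('proto')}: PKI admin credentials would travel in clear")
    return problems


if __name__ == "__main__":
    for line in check_provisioners(PROVISIONING_CONF, PKI_PROVIDER_CONF) or ["OK"]:
        print(line)
```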

Re: [PacketFence-users] Number of devices to connect to the network

2018-01-16 Thread E.P. via PacketFence-users
It sounds close to the number of devices/nodes a user can register, which is configurable under Configuration - Policies and access control - Roles, but we don't allow this luxury to anyone yet. Just regular network admission control based on the active AD account.

 



[PacketFence-users] PKI provisioning configuration for Apple OS/iOS

2018-01-13 Thread E.P. via PacketFence-users
Folks,

Our two big shots in the organization live their lives with Apple MacBooks and we need to get them on the secure WiFi.

Can someone explain to me where and how to get the content of certificates that are trusted by Apple devices?

The guide on PKI says a Verisign certificate could be an example. As far as I understand it, I need to get the bundle from Verisign.

Or it could be any well-known trusted CA, correct? We recently bought SSL certificates from GoDaddy and downloaded the bundle from them. It contains three certificates, but none of them seems to match what is said on the PKI page, namely:

-  The certificate for signing profiles

-  The private key for signing profiles

-  The certificate chain for the signer certificate

 

Eugene



Re: [PacketFence-users] PKI installation

2018-01-12 Thread E.P. via PacketFence-users
And I dare to ask this question again about provisioners.

I'm struggling with allowing iPads onto the network with certificates issued to
their MAC addresses.

Eugene



Re: [PacketFence-users] Device authentication with client TLS certificate issued by PKI

2018-01-11 Thread E.P. via PacketFence-users
Yeah...

Now I had to slap my right hand with the left one.

My bad... I set this file to the correct path, but instead of the MYCA
certificate I put in the certificate name of the server itself.

Bow low, Fabrice! Thank you very much!

Eugene

From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Wednesday, January 10, 2018 1:10 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Device authentication with client TLS
certificate issued by PKI

Did you set ca_file = [% install_dir %]/conf/ssl/tls_certs/MYCA.pem in
conf/radiusd/eap.conf? (MYCA.pem is the CA public key of your PKI.)

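The two points settled in this exchange (FreeRADIUS's ca_file must name the PKI's CA certificate, not the server's own certificate) and the three profile-signing inputs asked about in the "PKI provisioning configuration for Apple OS/iOS" message earlier on this page, reproduced with the openssl command line. This is an added example, not code from the PacketFence project or from anyone in the thread: it builds a throwaway CA, a RADIUS server certificate, an EAP-TLS client certificate with the device MAC in the CN (as in Eugene's log) and a profile-signing certificate, then verifies the client certificate against each candidate ca_file and signs and verifies a placeholder profile. The names Example-PF-CA, radius.example.net and Profile Signer, the placeholder profile body and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example; not code from the PacketFence project or from the thread.
# It needs only the openssl command line. Every key and certificate is
# generated under a temporary directory, so nothing touches a real PKI,
# RADIUS server or device. Names below (Example-PF-CA, radius.example.net,
# Profile Signer) are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A private CA standing in for the one created by the PacketFence PKI
#    (the file the thread calls MYCA.pem).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/CN=Example-PF-CA" >/dev/null 2>&1
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext \
  -out MYCA.pem >/dev/null 2>&1

# 2. Leaf certificates issued by that CA.  issue NAME SUBJECT EKU
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA MYCA.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}
issue server "/CN=radius.example.net" serverAuth     # the RADIUS server cert
issue client "/CN=70:1a:04:2c:52:ff" clientAuth      # EAP-TLS client, MAC in CN
issue signer "/CN=Profile Signer"    emailProtection # signs Apple profiles

# 3. What FreeRADIUS does with ca_file: build the client's chain against it.
#    Prints OK, or the X.509 error text that shows up as "SSL says error N".
verify_reason() {  # verify_reason CA_FILE CERT
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *"unable to get local issuer certificate"*)
      echo "unable to get local issuer certificate" ;;
    *) printf '%s\n' "$out" | tail -n 1 ;;
  esac
}

# 4. The value FreeRADIUS exposes as TLS-Client-Cert-Common-Name.
client_cn() {  # client_cn CERT
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# 5. Profile signing: the signer certificate, its private key and the chain
#    up to the CA are the three inputs. A device verifies the CMS signature
#    against the CAs it trusts, which is what profile_verified imitates.
sign_profile() {  # sign_profile IN OUT
  openssl smime -sign -binary -nodetach -outform DER -signer signer.pem \
    -inkey signer.key -certfile MYCA.pem -in "$1" -out "$2"
}
profile_verified() {  # profile_verified SIGNED CA_FILE  -> yes / no
  if openssl smime -verify -inform DER -in "$1" -CAfile "$2" \
       -out /dev/null >/dev/null 2>&1; then echo yes; else echo no; fi
}

echo "ca_file = MYCA.pem   : $(verify_reason MYCA.pem client.pem)"
echo "ca_file = server.pem : $(verify_reason server.pem client.pem)"
echo "client CN            : $(client_cn client.pem)"
printf '<plist version="1.0"><dict/></plist>\n' > profile.mobileconfig  # placeholder body
sign_profile profile.mobileconfig profile.signed
echo "profile, CA trusted  : $(profile_verified profile.signed MYCA.pem)"
echo "profile, CA unknown  : $(profile_verified profile.signed server.pem)"
```

Run it as a script with openssl on PATH. The second verify_reason line reproduces the thread's "error 20 : unable to get local issuer certificate" for exactly the reason Eugene found: the file handed to ca_file contains no certificate whose subject matches the client certificate's issuer, so the chain cannot be built and FreeRADIUS sends the "unknown CA" alert. The same chain-building happens on the supplicant side when "validate server certificate" is enabled, which is why the CA also has to be in the Windows trusted root store. The last two lines show the profile-signing side of the Apple question: a profile signed under a private CA only verifies where that CA is trusted.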

Re: [PacketFence-users] Device authentication with client TLS certificate issued by PKI

2018-01-10 Thread E.P. via PacketFence-users
More to this issue, Fabrice.

I changed to the PEAP method on the same Windows laptop and kept the option of
validating the server certificate by pointing it directly at the name as it
shows in the CN of the PF RADIUS server. No problem at all, authentication goes
through.

I checked for similar errors reported by PF enthusiasts earlier and found that
this is not the first time, and you advised to concatenate the root certificate
into the CA file. What did you mean by it, Fabrice?

Eugene


Re: [PacketFence-users] Device authentication with client TLS certificate issued by PKI

2018-01-10 Thread E.P. via PacketFence-users
Hi Fabrice,

I already dug around it.

The CA certificate (*.pem format) was imported into Windows without any problem
and I see it under the "Trusted Root Certification Authorities" container. Just
in case, I also placed the CA cert into "Third-Party Root Certification
Authorities".

On the client PC I have this certificate showing:

Also, I tried it without validating the server certificate, same results,
reason:
eap_tls: SSL says error 20 : unable to get local issuer certificate

Eugene

From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, January 10, 2018 6:07 AM
To: E.P. via PacketFence-users
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Device authentication with client TLS
certificate issued by PKI

Hello Eugene,

You probably need to import the CA certificate or uncheck "verify server
certificate" in your supplicant config.

Regards

Fabrice


Re: [PacketFence-users] PKI installation

2018-01-10 Thread E.P. via PacketFence-users
Fabrice,

Can you please elaborate on provisioners and connection profiles within the PKI
context?

Let's say I created a provisioner for Windows endpoints as described in the
guide.

How would it allow a Windows host to automatically connect to a specific SSID?

As far as I know, you can tick a box to connect automatically to a specific
SSID in the wireless networks.

Once this network becomes available, a host automatically connects to it.

And how would a connection profile (if I have two) facilitate it?

Eugene

From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: Tuesday, January 09, 2018 2:46 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

The admin user is different between PacketFence and the PKI.

When I said "In configuration -> Users -> Edit admin -> Change User Password",
it was in the PKI admin interface.

Fabrice



[PacketFence-users] Device authentication with client TLS certificate issued by PKI

2018-01-10 Thread E.P. via PacketFence-users
And here comes the culmination of my saga with PKI ;)

Actually, I was slowly going towards it and really hoped I would jump through
this final hoop smoothly.

Alas... Anyway, to cut a long story short, I failed TLS authentication for a
Windows 10 endpoint.

Here's what I did so far. We want to issue certificates to users based on the
MAC addresses of their devices.

Hence I added a new certificate and used the MAC address in the CN field in the
format 70:1a:04:2c:52:ff

The profile I used while issuing this certificate was created exactly as
described in the admin guide for PKI, namely TLSClient. Then I downloaded this
certificate after it was signed and imported it to the Windows laptop.

The security properties of the wireless connection profile on the laptop were
configured to use TLS, i.e.

Microsoft: Smart card or other certificate

Trying to authenticate while running radius in debug mode, I see a lot of
interesting stuff.

Pasting only the relevant lines:

(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Got final TLS record fragment (46 bytes)
(5) eap_tls: [eaptls verify] = ok
(5) eap_tls: Done initial handshake
(5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
(5) eap_tls: Creating attributes from certificate OIDs
(5) eap_tls:   TLS-Client-Cert-Serial := "03"
(5) eap_tls:   TLS-Client-Cert-Expiration := "200110080019Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=70:1a:04:2c:52:ff/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options Community Services/C=CA"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
(5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
(5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
tls: TLS_accept: Error in error
(5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
(5) eap_tls: ERROR: System call (I/O) error (-1)
(5) eap_tls: ERROR: TLS receive handshake failed during operation
(5) eap_tls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 213 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user
(5) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [70:1a:04:2c:52:ff] (from client 172.19.254.2 port 0 cli 70:1a:04:2c:52:ff)
(5) Using Post-Auth-Type Reject

The same happens if I issue the certificate to the user based on their name,
not the MAC address:

(5) eap_tls:   TLS-Client-Cert-Serial := "04"
(5) eap_tls:   TLS-Client-Cert-Expiration := "200110083931Z"
(5) eap_tls:   TLS-Client-Cert-Subject := "/CN=it.tech/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options Community Services/C=CA"
(5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls:   TLS-Client-Cert-Common-Name := "it.tech"
(5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate

Eugene



Re: [PacketFence-users] PKI installation

2018-01-09 Thread E.P. via PacketFence-users
Sorry for being a pain in the lower part of the back, Fabrice ;)

I thought that the admin user in PF is different from PKI.

At least I know that I did change the password for admin in PF as you described,
and this is how I log in to the main GUI.

But I can't log in as admin with the same password to PKI.

Eugene

From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Tuesday, January 09, 2018 5:54 AM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

Hello Eugene,

On 2018-01-09 03:01, E.P. wrote:

Couple of questions on PKI, Fabrice

1.   How would I change the password for the admin user in PKI? The "User
Management" section gives me the option of editing the admin user, but I can't
see the password change option.

In configuration -> Users -> Edit admin -> Change User Password

2.   I'm adding a server certificate after I created a server certificate
profile by filling out the necessary fields and linking it to the certificate
profile. Clicking Submit, it shows in the list with an icon to sign it.

Now I simply follow the guide on PKI, which says the following:

Since the server certificate is stored in the PKI database, you will have to
sign and export it to the PacketFence server.

On the PKI web interface, under Certificates click on the "sign" icon for the
certificate for your RADIUS server. This will automatically sign the
certificate with your CA. Use the Send certificate or Download certificate to
export it. The certificate will be exported in p12 format which combines both
the certificate and its key. The password to decrypt the file will be sent by
email.

OK, I click on the Sign icon for the newly created server certificate and it
redirects me to the page where I have the option of sending or downloading it.
I select "Download certificate" and end up with an error:

SMTPSenderRefused at /pki/cert/2/download/
(550, '5.7.1 Sender unknown', u'pf-nore...@options.bc.ca')
Request URL: https://172.16.0.222:9393/pki/cert/2/download/
Exception Location: /usr/lib64/python2.7/smtplib.py in sendmail, line 735

If I select "Send certificate" I end up with the same error but a slightly
different title:

SMTPSenderRefused at /pki/cert/2/send/
(550, '5.7.1 Sender unknown', u'pf-nore...@options.bc.ca')
Request URL: https://172.16.0.222:9393/pki/cert/2/send/

Where would I need to make a change to the SMTP server?

Needless to say, when I create a local user from the PF GUI and select the
option of sending an email to the address I specify, the email gets delivered
without any errors.

In fact it looks like your SMTP server refuses to accept the email (550, '5.7.1
Sender unknown', u'pf-nore...@options.bc.ca'), so add it in your SMTP server and
it should be OK.
Regards
Fabrice


Re: [PacketFence-users] PKI installation

2018-01-09 Thread E.P. via PacketFence-users
Couple of questions on PKI, Fabrice

1.   How would I change the password for the admin user in PKI? The "User
Management" section gives me the option of editing the admin user, but I can't
see the password change option.

2.   I'm adding a server certificate after I created a server certificate
profile by filling out the necessary fields and linking it to the certificate
profile. Clicking Submit, it shows in the list with an icon to sign it.

Now I simply follow the guide on PKI, which says the following:

Since the server certificate is stored in the PKI database, you will have to
sign and export it to the PacketFence server.

On the PKI web interface, under Certificates click on the "sign" icon for the
certificate for your RADIUS server. This will automatically sign the
certificate with your CA. Use the Send certificate or Download certificate to
export it. The certificate will be exported in p12 format which combines both
the certificate and its key. The password to decrypt the file will be sent by
email.

OK, I click on the Sign icon for the newly created server certificate and it
redirects me to the page where I have the option of sending or downloading it.
I select "Download certificate" and end up with an error:

SMTPSenderRefused at /pki/cert/2/download/
(550, '5.7.1 Sender unknown', u'pf-nore...@options.bc.ca')
Request Method: GET
Request URL: https://172.16.0.222:9393/pki/cert/2/download/
Django Version: 1.8.1
Exception Type: SMTPSenderRefused
Exception Value: (550, '5.7.1 Sender unknown', u'pf-nore...@options.bc.ca')
Exception Location: /usr/lib64/python2.7/smtplib.py in sendmail, line 735
Python Executable: /usr/bin/python
Python Version: 2.7.5
Python Path:
['/usr/lib64/python27.zip',
 '/usr/lib64/python2.7',
 '/usr/lib64/python2.7/plat-linux2',
 '/usr/lib64/python2.7/lib-tk',
 '/usr/lib64/python2.7/lib-old',
 '/usr/lib64/python2.7/lib-dynload',
 '/usr/lib64/python2.7/site-packages',
 '/usr/lib/python2.7/site-packages',
 '/usr/local/packetfence-pki',
 '/usr/local/packetfence-pki/inverse']
Server time: Tue, 9 Jan 2018 07:56:21 +

If I select "Send certificate" I end up with the same error but a slightly
different title:

SMTPSenderRefused at /pki/cert/2/send/
(550, '5.7.1 Sender unknown', u'pf-nore...@options.bc.ca')
Request Method: GET
Request URL: https://172.16.0.222:9393/pki/cert/2/send/

Where would I need to make a change to the SMTP server?

Needless to say, when I create a local user from the PF GUI and select the
option of sending an email to the address I specify, the email gets delivered
without any errors.

Eugene

From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Wednesday, January 03, 2018 12:26 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

Just for information, I uploaded a new version of the packetfence-pki for
CentOS 7 which fixes all the install issues.

Regards

Fabrice

Le 2017-12-12 à 23:58, E.P. a écrit :

Well, I’m taking my hat off in front of you, no kidding and pun intended ;)

Do you need traceback from the error page ?

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 7:02 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Ah ah, don't worry, I like to have challenges like that, to be able to fix the
issue for a better user experience.

I coded the PKI so I want to make it work.

 

Le 2017-12-12 à 21:48, E.P. a écrit :

Sure, take your time, Fabrice. I have a special knack of running into troubles 
in cases when others didn’t have any :) 


Eugene

Sent from iPhone


On Dec 12, 2017, at 18:18, Durand fabrice  wrote:

OK, let me try to install the PKI on the ZEN and I will get back to you.

I installed the PKI on 10 servers not long ago without any issue.

 

Le 2017-12-12 à 20:52, E.P. a écrit :

Yes, db.sqlite3 was owned by root

 

[root@PacketFence-ZEN packetfence-pki]# ls -al

total 56

drwxr-xr-x   7 pf   pf 128 Dec 12 08:49 .

drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..

drwxrws---   2 pf   pf   6 Nov 15 14:20 ca

drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf

-rw-r--r--   1 root root 43008 Dec 12 08:44 db.sqlite3

drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse

drwxrws---   2 pf   pf  90 Dec 12 01:35 logs

-rwxr--r--   1 pf   pf 250 Nov 15 14:20 manage.py

-rw-r--r--   1 root root 6 Dec 12 08:49 packetfence-pki.pid

drwxr-xr-x   5 pf   pf4096 Dec 12 02:49 pki

 

Changed the file ownership to pf:pf

 

[root@PacketFence-ZEN packetfence-pki]# ls -al

total 100

drwxr-xr-x   7 pf   pf 147 Dec 13 01:45 .

drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..

drwxrws---   2 pf   pf   6 Nov 15 14:20 ca

drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf

-rw-r--r--   1 pf   pf   43008 Dec 13 01:45 db.sqlite3

drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse


Re: [PacketFence-users] Assistance with AD dot1x

2018-01-09 Thread E.P. via PacketFence-users
This is great, thank you, Fabrice !

I may be special or spellbound to all sorts of bumps on the deployment road, but
nothing works for me the first time.

Now my realm associated with AD works nicely.

 

Eugene

 

 

From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Monday, January 08, 2018 6:49 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Assistance with AD dot1x

 

Hello All,

Just to clarify some points.

First, realmd can't be used because we have to use ntlm_auth in FreeRADIUS to
authenticate users for EAP-PEAP/MSCHAPv2.

Next, Configuration → Policies and Access Control → Domains → Active Directory
Domains – Add Domain is only to join the machine to a Windows domain (it creates
a chroot for each domain).

Configuration → Policies and Access Control → Domains → Realms is to associate
a realm to a Windows domain. It means that if the username is b...@acme.edu and
there is a realm defined for acme.edu, then it will use the domain associated
to it to validate the credentials (in FreeRADIUS).

Don't forget that the username can be ACME\bob, so you will need to create a
realm ACME too.

Last thing, in Configuration → Policies and Access Control → Authentication
Sources (Type Internal), when you define a realm associated to a source (like
acme.edu) it means that if you use, on the portal or for 802.1X auto
registration, a username like b...@acme.edu then PacketFence will use it (you
can strip the username if needed in the source).

Regards
Fabrice

Le 2018-01-07 à 19:32, E.P. via PacketFence-users a écrit :

I’m curious, did you create a new realm or use the default one and link it to
AD?

I tried to create a new realm and it is placed at the end of the list and the
authentication never reached it.

It only worked for me if I linked the default realm to AD.

 

Eugene

 

From: j...@momentumvr.co.uk [mailto:j...@momentumvr.co.uk] 
Sent: Sunday, January 07, 2018 5:18 AM
To: 'E.P.'; packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Assistance with AD dot1x

 

Thanks for that, Eugene, I will take a look at that log tomorrow morning. The
issue is when we try to add the domain via domains > active directory domains >
add domain. Strangely, connecting via realmd works without issue every time.

 

John

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: 05 January 2018 19:32
To: packetfence-users@lists.sourceforge.net
Cc: j...@momentumvr.co.uk
Subject: RE: [PacketFence-users] Assistance with AD dot1x

 

Hi John,

I still have fresh experience with configuring AD in PF and it worked for me on
the first try.

Just to understand it clearly, you can’t complete the configuration if you add
the source, i.e.

From the Configuration → Policies and Access Control → Authentication Sources,
Add source → Internal - AD.

Or is it failing on adding the domain, i.e.

Configuration → Policies and Access Control → Domains → Active Directory
Domains – Add Domain

 

And of course, as it is stated in the admin guide, I’d go checking this file
for any clues:

 

/chroots//var/log/samba/log.winbindd. Replace  
with the identifier you set in the domain configuration.

 

Eugene

 

From: john--- via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Friday, January 05, 2018 5:00 AM
To: packetfence-users@lists.sourceforge.net
Cc: j...@momentumvr.co.uk
Subject: [PacketFence-users] Assistance with AD dot1x

 

Good afternoon everyone,

 

We are currently working with PF 7.3 on CentOS 7 and, no matter what we do, we
cannot get AD to complete the configuration; it simply returns “Null” and so
obviously fails. When we use realmd it works fine. My question initially is:
does this affect dot1x authentication via AD if we complete this only using
realmd and not the configuration panel AD connection method? As always, your
help is greatly appreciated.

 

John

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 


Re: [PacketFence-users] PKI installation

2018-01-09 Thread E.P. via PacketFence-users
Hi Fabrice,

I confirm that I was finally able to rebuild the PKI and configure it.

At least I logged in successfully to the PKI configuration and went through the
4 steps of creating certificates.

Very much appreciate your time and efforts!

Trying to figure out how to roll out certificates to various types of
endpoints, i.e. Windows 10, MacBooks, Androids and iPhones.

 

Eugene

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Wednesday, January 03, 2018 12:26 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Just for information, I uploaded a new version of the packetfence-pki for
CentOS 7 which fixes all the install issues.

Regards

Fabrice

 

 

Le 2017-12-12 à 23:58, E.P. a écrit :

Well, I’m taking my hat off in front of you, no kidding and pun intended ;)

Do you need traceback from the error page ?

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 7:02 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Ah ah, don't worry, I like to have challenges like that, to be able to fix the
issue for a better user experience.

I coded the PKI so I want to make it work.

 

 

Le 2017-12-12 à 21:48, E.P. a écrit :

Sure, take your time, Fabrice. I have a special knack of running into troubles 
in cases when others didn’t have any :) 


Eugene

Sent from iPhone


On Dec 12, 2017, at 18:18, Durand fabrice  wrote:

OK, let me try to install the PKI on the ZEN and I will get back to you.

I installed the PKI on 10 servers not long ago without any issue.

 

 

Le 2017-12-12 à 20:52, E.P. a écrit :

Yes, db.sqlite3 was owned by root

 

[root@PacketFence-ZEN packetfence-pki]# ls -al

total 56

drwxr-xr-x   7 pf   pf 128 Dec 12 08:49 .

drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..

drwxrws---   2 pf   pf   6 Nov 15 14:20 ca

drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf

-rw-r--r--   1 root root 43008 Dec 12 08:44 db.sqlite3

drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse

drwxrws---   2 pf   pf  90 Dec 12 01:35 logs

-rwxr--r--   1 pf   pf 250 Nov 15 14:20 manage.py

-rw-r--r--   1 root root 6 Dec 12 08:49 packetfence-pki.pid

drwxr-xr-x   5 pf   pf4096 Dec 12 02:49 pki

 

Changed the file ownership to pf:pf

 

[root@PacketFence-ZEN packetfence-pki]# ls -al

total 100

drwxr-xr-x   7 pf   pf 147 Dec 13 01:45 .

drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..

drwxrws---   2 pf   pf   6 Nov 15 14:20 ca

drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf

-rw-r--r--   1 pf   pf   43008 Dec 13 01:45 db.sqlite3

drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse

drwxrws---   2 pf   pf  90 Dec 12 01:35 logs

-rwxr--r--   1 pf   pf 250 Nov 15 14:20 manage.py

-rw-r--r--   1 root root 5 Dec 13 01:43 packetfence-pki.pid

drwxr-xr-x   5 pf   pf4096 Dec 12 02:49 pki

 

But trying to log in to the PKI web page brings me back to the same original
error “no such table: pki_ca” which I showed earlier. I tried to follow your
previous advice about renaming the db.sqlite3 file and running the migration but
the behavior is consistent. Is it OK that the PKI process ID file is also
owned by root?

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 5:35 AM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Just change the owner of the sqlite file to pf and it should be ok.

Btw, all these steps are made in the packaging, so it probably failed or never
finished correctly.

I will do a test on my side.

Regards

Fabrice

 

 

Le 2017-12-12 à 03:47, E.P. a écrit :

Well, we are getting closer ;)

Ran the Python script to migrate the database and it completed:

 

[root@PacketFence-ZEN packetfence-pki]# python manage.py migrate

Operations to perform:

  Synchronize unmigrated apps: staticfiles, rest_framework, messages, bootstrap3

  Apply all migrations: authtoken, sessions, admin, auth, contenttypes, pki

Synchronizing apps without migrations:

  Creating tables...

Running deferred SQL...

  Installing custom SQL...

Running migrations:

  Rendering model states... DONE

  Applying contenttypes.0001_initial... OK

  Applying auth.0001_initial... OK

  Applying admin.0001_initial... OK

  Applying contenttypes.0002_remove_content_type_name... OK

  Applying auth.0002_alter_permission_name_max_length... OK

  Applying auth.0003_alter_user_email_max_length... OK

  Applying auth.0004_alter_user_username_opts... OK

  Applying auth.0005_alter_user_last_login_null... OK

  Applying auth.0006_require_contenttypes_0002... OK

  Applying authtoken.0001_initial... OK

  Applying pki.0001_initial... OK

  Applying sessions.0001_initial... OK

 

But the attempt to login to PKI failed again, now with a different error 
message:

 

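The thread shows two distinct failures: “no such table: pki_ca” until manage.py migrate has created the schema, and then, as quoted later in the thread, “attempt to write a readonly database” because db.sqlite3 was owned by root (mode -rw-r--r--) while the service runs as pf, which is what Fabrice's fix (change the owner of the sqlite file to pf) addresses. The following added Python example, not packetfence-pki code, answers the question a root shell cannot answer with a simple os.access: can a *given* uid, with a given set of groups, write this SQLite database? It checks the directory too, since SQLite creates its journal next to the file. The temporary-file scenario in demo() is constructed.

```python
"""Can the service user write the PKI's SQLite database?

Added example, not packetfence-pki code. It evaluates the mode bits for a
given uid and group set instead of for the calling process, so it can be run
as root to answer "will user pf be able to write this?". The temporary file
scenario in demo() is constructed.
"""
import os
import stat
import tempfile
from typing import Iterable


def can_write_as(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Owner/group/other write check from the inode, in the kernel's order:
    the owner class applies if the uid matches, else the group class if any
    gid matches, else the other class. uid 0 is deliberately not special-cased,
    because the question is about the unprivileged service user."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def sqlite_writable_as(db_path: str, uid: int, gids: Iterable[int]) -> bool:
    """SQLite needs the database file *and* its directory to be writable:
    the rollback journal (or WAL) is created next to the database. A file
    owned by root with mode 0644, as in the ls output in this thread, fails
    the first test for user pf, and SQLite then reports 'attempt to write a
    readonly database'."""
    gids = set(gids)
    directory = os.path.dirname(os.path.abspath(db_path))
    return can_write_as(db_path, uid, gids) and can_write_as(directory, uid, gids)


def demo() -> dict:
    """Constructed scenario: db.sqlite3 with mode 0644 in a 0755 directory,
    both owned by the current user. The owner can write; an unrelated uid
    (the position user pf is in when the file belongs to root) cannot."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "db.sqlite3")
        with open(db, "wb"):
            pass
        os.chmod(db, 0o644)
        os.chmod(tmp, 0o755)
        owner_uid, owner_gid = os.getuid(), os.getgid()
        foreign = max(owner_uid, owner_gid) + 1000  # matches neither owner nor group
        return {
            "owner": sqlite_writable_as(db, owner_uid, {owner_gid}),
            "foreign_user": sqlite_writable_as(db, foreign, {foreign}),
        }


if __name__ == "__main__":
    print(demo())
```

On a real installation the call would be sqlite_writable_as("/usr/local/packetfence-pki/db.sqlite3", uid_of_pf, groups_of_pf) with the ids taken from pwd/grp; the path is the one shown in the Python path of the tracebacks in this thread.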
Re: [PacketFence-users] Assistance with AD dot1x

2018-01-07 Thread E.P. via PacketFence-users
I’m curious, did you create a new realm or use the default one and link it to
AD?

I tried to create a new realm and it is placed at the end of the list and the
authentication never reached it.

It only worked for me if I linked the default realm to AD.

 

Eugene

 

From: j...@momentumvr.co.uk [mailto:j...@momentumvr.co.uk] 
Sent: Sunday, January 07, 2018 5:18 AM
To: 'E.P.'; packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Assistance with AD dot1x

 

Thanks for that, Eugene, I will take a look at that log tomorrow morning. The
issue is when we try to add the domain via domains > active directory domains >
add domain. Strangely, connecting via realmd works without issue every time.

 

John

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: 05 January 2018 19:32
To: packetfence-users@lists.sourceforge.net
Cc: j...@momentumvr.co.uk
Subject: RE: [PacketFence-users] Assistance with AD dot1x

 

Hi John,

I still have fresh experience with configuring AD in PF and it worked for me on
the first try.

Just to understand it clearly, you can’t complete the configuration if you add
the source, i.e.

From the Configuration → Policies and Access Control → Authentication Sources,
Add source → Internal - AD.

Or is it failing on adding the domain, i.e.

Configuration → Policies and Access Control → Domains → Active Directory
Domains – Add Domain

 

And of course, as it is stated in the admin guide, I’d go checking this file
for any clues:

 

/chroots//var/log/samba/log.winbindd. Replace  
with the identifier you set in the domain configuration.

 

Eugene

 

From: john--- via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Friday, January 05, 2018 5:00 AM
To: packetfence-users@lists.sourceforge.net
Cc: j...@momentumvr.co.uk
Subject: [PacketFence-users] Assistance with AD dot1x

 

Good afternoon everyone,

 

We are currently working with PF 7.3 on CentOS 7 and, no matter what we do, we
cannot get AD to complete the configuration; it simply returns “Null” and so
obviously fails. When we use realmd it works fine. My question initially is:
does this affect dot1x authentication via AD if we complete this only using
realmd and not the configuration panel AD connection method? As always, your
help is greatly appreciated.

 

John



Re: [PacketFence-users] Assistance with AD dot1x

2018-01-05 Thread E.P. via PacketFence-users
Hi John,

I still have fresh experience with configuring AD in PF and it worked for me on
the first try.

Just to understand it clearly, you can’t complete the configuration if you add
the source, i.e.

From the Configuration → Policies and Access Control → Authentication Sources,
Add source → Internal - AD.

Or is it failing on adding the domain, i.e.

Configuration → Policies and Access Control → Domains → Active Directory
Domains – Add Domain

 

And of course, as it is stated in the admin guide, I’d go checking this file
for any clues:

 

/chroots//var/log/samba/log.winbindd. Replace  
with the identifier you set in the domain configuration.

 

Eugene

 

From: john--- via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Friday, January 05, 2018 5:00 AM
To: packetfence-users@lists.sourceforge.net
Cc: j...@momentumvr.co.uk
Subject: [PacketFence-users] Assistance with AD dot1x

 

Good afternoon everyone,

 

We are currently working with PF 7.3 on CentOS 7 and, no matter what we do, we
cannot get AD to complete the configuration; it simply returns “Null” and so
obviously fails. When we use realmd it works fine. My question initially is:
does this affect dot1x authentication via AD if we complete this only using
realmd and not the configuration panel AD connection method? As always, your
help is greatly appreciated.

 

John



Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-04 Thread E.P. via PacketFence-users
ient 172.19.254.2/32 with 
shared secret "123456"

 

When I try to authenticate from an endpoint to a specific SSID I see this error 
in radius-acct.log 

 

Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without response 
because of error: Received Accounting-Request packet from client 172.19.254.2 
with invalid Request Authenticator!  (Shared secret is incorrect.)

 

I added this WAP under “Policies and access control” in the Switches section
using the shared secret as shown above and following the admin guide. What am I
doing wrong?

Here’s how the switches.conf file looks after I added this WAP:

 

[root@PacketFence-ZEN conf]# cat ./switches.conf

[172.19.254.2]

VoIPCDPDetect=N

VoIPDHCPDetect=N

deauthMethod=RADIUS

description=Test-WAP

VoIPLLDPDetect=N

radiusSecret=123456

VlanMap=N

 

Eugene

 

From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, December 28, 2017 3:30 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
FreeRADIUS

 

Hello Eugene,

In fact, for 802.1X you need to use eapol_test instead of radtest
(http://deployingradius.com/scripts/eapol_test/).

Also use port 1812 instead of 18120.

Regards

Fabrice

 

 

Le 2017-12-28 à 03:07, E.P. via PacketFence-users a écrit :

Guys,

I still hope someone with more experience with PF will give me a hand with this
trivial issue (if it is an issue).

I’m on my way to test PF with baby steps and just created a user under the Users
section in the PF GUI.

Then I test it using a simple command like this and it seems to work using the
local identity store.

 

[root@PacketFence-ZEN bin]# ./pftest authentication test1 123456

Testing authentication for "test1"

 

Authenticating against local

  Authentication SUCCEEDED against local (Authentication successful.)

  Matched against local for 'authentication' rules

set_access_level : User Manager

set_unreg_date : -00-00 00:00:00

  Matched against local for 'administration' rules

set_access_level : User Manager

set_unreg_date : -00-00 00:00:00

 

Then I’m following the admin guide and want to test this user authentication
using the radtest command as in:

 

 

[root@PacketFence-ZEN bin]# radtest test1 123456 localhost:18120 12 testing123

Sent Access-Request Id 136 from 0.0.0.0:45055 to 127.0.0.1:18120 length 75

User-Name = "test1"

User-Password = "123456"

NAS-IP-Address = 172.16.0.222

NAS-Port = 12

Message-Authenticator = 0x00

Cleartext-Password = "123456"

Received Access-Reject Id 136 from 127.0.0.1:18120 to 0.0.0.0:0 length 20

(0)   -: Expected Access-Accept got Access-Reject

 

Why am I rejected here ? Am I not supposed to use this test1 user to test 
RADIUS with the proxy module ?

 

And finally, when I test this with a real network device, Unifi WAP for 
example, I don’t go anywhere.

I see that NAD is added, here’s an entry from radius.log

 

Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client 172.19.254.2/32 with 
shared secret "123456"

 

When I try to authenticate for an endpoint to a specific SSID I see this error 
in radius-acct.log 

 

Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without response 
because of error: Received Accounting-Request packet from client 172.19.254.2 
with invalid Request Authenticator!  (Shared secret is incorrect.)

 

I added this WAP under “Policies and access control” in the Switches section
using the shared secret as shown above and following the admin guide. What am I
doing wrong?

Here’s how the switches.conf file looks after I added this WAP:

 

[root@PacketFence-ZEN conf]# cat ./switches.conf

[172.19.254.2]

VoIPCDPDetect=N

VoIPDHCPDetect=N

deauthMethod=RADIUS

description=Test-WAP

VoIPLLDPDetect=N

radiusSecret=123456

VlanMap=N

 

Just to confirm, I’m not doing any inline mode, nor guest or web 
authentication, just pure WPA-Enterprise with RADIUS internal users identity 
store.

 

Eugene

 

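The accounting error quoted in this thread, “invalid Request Authenticator! (Shared secret is incorrect.)”, is FreeRADIUS recomputing the RFC 2866 Request Authenticator of an Accounting-Request with the secret it has for that client and finding that it does not match the one the access point sent; the packet is dropped without a response, exactly as the log line says. Below is an added Python example, not FreeRADIUS or PacketFence code, that builds a minimal Accounting-Request and runs that server-side check with the correct secret, a wrong secret and a truncated packet. The attributes and the packet are constructed; the secret 123456 is the radiusSecret shown in switches.conf above. The same check explains the identical log lines re-quoted in the later copies of this message on the page. Note that Access-Request packets are different: their authenticator is random and cannot be verified this way, which is why a secret mismatch there shows up as failed password decoding rather than this error.

```python
"""Verify the RFC 2866 Request Authenticator of a RADIUS Accounting-Request.

Added example, not FreeRADIUS or PacketFence code. The packet below is
constructed; the shared secret is the one shown in switches.conf on this page.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS Code for Accounting-Request
HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)

# Attribute type numbers from RFC 2865 / RFC 2866.
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type-Length-Value (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build an Accounting-Request as the NAS does. RFC 2866: the Request
    Authenticator is MD5(Code + Identifier + Length + 16 zero octets +
    Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def accounting_request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the authenticator with *our* secret for
    this client and compare it with the one received. A mismatch is what
    FreeRADIUS logs as 'invalid Request Authenticator! (Shared secret is
    incorrect.)' before dropping the packet without a response."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    received = packet[4:HEADER_LEN]
    attributes = packet[HEADER_LEN:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attributes + secret).digest()
    # Constant-time comparison so the verifier itself leaks no timing information.
    return hmac.compare_digest(received, expected)


# Constructed sample: an accounting Start record for user test1 sent by the
# NAS 172.19.254.2 (the access point address from switches.conf above).
SAMPLE_ATTRIBUTES = (
    attribute(USER_NAME, b"test1")
    + attribute(NAS_IP_ADDRESS, bytes([172, 19, 254, 2]))
    + attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
)
CONFIGURED_SECRET = b"123456"   # radiusSecret from switches.conf on this page


def demo() -> dict:
    """Outcome of the check when NAS and server agree on the secret, when
    they do not, and when the datagram is too short to carry a header."""
    packet = build_accounting_request(1, SAMPLE_ATTRIBUTES, CONFIGURED_SECRET)
    return {
        "same_secret": accounting_request_is_authentic(packet, CONFIGURED_SECRET),
        "wrong_secret": accounting_request_is_authentic(packet, b"not-the-secret"),
        "truncated": accounting_request_is_authentic(packet[:HEADER_LEN - 1], CONFIGURED_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Because both sides hash the whole packet together with the secret, the check fails whenever the secrets differ by a single character or when one side has trailing whitespace in its configuration, which is the first thing to compare when this log line appears after a new NAS is added.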
 

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread E.P. via PacketFence-users
/)

Also use the port 1812 instead of 18120.

Regards

Fabrice

 

 

Le 2017-12-28 à 03:07, E.P. via PacketFence-users a écrit :

Guys,

I still hope someone with more experience with PF will give me a hand with this
trivial issue (if it is an issue).

I’m on my way to test PF with baby steps and just created a user under the Users
section in the PF GUI.

Then I test it using a simple command like this and it seems to work using the
local identity store.

 

[root@PacketFence-ZEN bin]# ./pftest authentication test1 123456

Testing authentication for "test1"

 

Authenticating against local

  Authentication SUCCEEDED against local (Authentication successful.)

  Matched against local for 'authentication' rules

set_access_level : User Manager

set_unreg_date : -00-00 00:00:00

  Matched against local for 'administration' rules

set_access_level : User Manager

set_unreg_date : -00-00 00:00:00

 

Then I’m following the admin guide and want to test this user authentication
using the radtest command as in:

 

 

[root@PacketFence-ZEN bin]# radtest test1 123456 localhost:18120 12 testing123

Sent Access-Request Id 136 from 0.0.0.0:45055 to 127.0.0.1:18120 length 75

User-Name = "test1"

User-Password = "123456"

NAS-IP-Address = 172.16.0.222

NAS-Port = 12

Message-Authenticator = 0x00

Cleartext-Password = "123456"

Received Access-Reject Id 136 from 127.0.0.1:18120 to 0.0.0.0:0 length 20

(0)   -: Expected Access-Accept got Access-Reject

 

Why am I rejected here ? Am I not supposed to use this test1 user to test 
RADIUS with the proxy module ?

 

And finally, when I test this with a real network device, Unifi WAP for 
example, I don’t go anywhere.

I see that NAD is added, here’s an entry from radius.log

 

Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client 172.19.254.2/32 with 
shared secret "123456"

 

When I try to authenticate for an endpoint to a specific SSID I see this error 
in radius-acct.log 

 

Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without response 
because of error: Received Accounting-Request packet from client 172.19.254.2 
with invalid Request Authenticator!  (Shared secret is incorrect.)

 

I added this WAP under “Policies and access control” in the Switches section
using the shared secret as shown above and following the admin guide. What am I
doing wrong?

Here’s how the switches.conf file looks after I added this WAP:

 

[root@PacketFence-ZEN conf]# cat ./switches.conf

[172.19.254.2]

VoIPCDPDetect=N

VoIPDHCPDetect=N

deauthMethod=RADIUS

description=Test-WAP

VoIPLLDPDetect=N

radiusSecret=123456

VlanMap=N

 

Just to confirm, I’m not doing any inline mode, nor guest or web 
authentication, just pure WPA-Enterprise with RADIUS internal users identity 
store.

 

Eugene

 


Re: [PacketFence-users] PKI installation

2018-01-03 Thread E.P. via PacketFence-users
Great, will try to do it a bit later

Thanks, Fabrice

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Wednesday, January 03, 2018 12:26 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Just for information, I uploaded a new version of the packetfence-pki for
CentOS 7 which fixes all the install issues.

Regards

Fabrice

 

 

Le 2017-12-12 à 23:58, E.P. a écrit :

Well, I’m taking my hat off in front of you, no kidding and pun intended ;)

Do you need traceback from the error page ?

 

From: Durand fabrice [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 7:02 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Ah ah, don't worry, I like to have challenges like that, to be able to fix the
issue for a better user experience.

I coded the PKI so I want to make it work.

 

 

Le 2017-12-12 à 21:48, E.P. a écrit :

Sure, take your time, Fabrice. I have a special knack of running into troubles 
in cases when others didn’t have any :) 


Eugene

Sent from iPhone


On Dec 12, 2017, at 18:18, Durand fabrice  wrote:

OK, let me try to install the PKI on the ZEN and I will get back to you.

I installed the PKI on 10 servers not long ago without any issue.

 

 

Le 2017-12-12 à 20:52, E.P. a écrit :

Yes, db.sqlite3 was owned by root

 

[root@PacketFence-ZEN packetfence-pki]# ls -al

total 56

drwxr-xr-x   7 pf   pf 128 Dec 12 08:49 .

drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..

drwxrws---   2 pf   pf   6 Nov 15 14:20 ca

drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf

-rw-r--r--   1 root root 43008 Dec 12 08:44 db.sqlite3

drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse

drwxrws---   2 pf   pf  90 Dec 12 01:35 logs

-rwxr--r--   1 pf   pf 250 Nov 15 14:20 manage.py

-rw-r--r--   1 root root 6 Dec 12 08:49 packetfence-pki.pid

drwxr-xr-x   5 pf   pf4096 Dec 12 02:49 pki

 

Changed the file ownership to pf:pf

 

[root@PacketFence-ZEN packetfence-pki]# ls -al

total 100

drwxr-xr-x   7 pf   pf 147 Dec 13 01:45 .

drwxr-xr-x. 15 root root   182 Dec 12 01:33 ..

drwxrws---   2 pf   pf   6 Nov 15 14:20 ca

drwxr-xr-x   2 pf   pf 125 Dec 12 01:33 conf

-rw-r--r--   1 pf   pf   43008 Dec 13 01:45 db.sqlite3

drwxr-xr-x   2 pf   pf 204 Dec 12 02:49 inverse

drwxrws---   2 pf   pf  90 Dec 12 01:35 logs

-rwxr--r--   1 pf   pf 250 Nov 15 14:20 manage.py

-rw-r--r--   1 root root 5 Dec 13 01:43 packetfence-pki.pid

drwxr-xr-x   5 pf   pf4096 Dec 12 02:49 pki

 

But trying to log in to the PKI web page brings me back to the same original
error “no such table: pki_ca” which I showed earlier. I tried to follow your
previous advice about renaming the db.sqlite3 file and running the migration but
the behavior is consistent. Is it OK that the PKI process ID file is also
owned by root?

 

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Tuesday, December 12, 2017 5:35 AM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation

 

Just change the owner of the sqlite file to pf and it should be ok.

Btw, all these steps are made in the packaging, so it probably failed or never
finished correctly.

I will do a test on my side.

Regards

Fabrice

 

 

Le 2017-12-12 à 03:47, E.P. a écrit :

Well, we are getting closer ;)

Ran the Python script to migrate the database and it completed:

 

[root@PacketFence-ZEN packetfence-pki]# python manage.py migrate

Operations to perform:

  Synchronize unmigrated apps: staticfiles, rest_framework, messages, bootstrap3

  Apply all migrations: authtoken, sessions, admin, auth, contenttypes, pki

Synchronizing apps without migrations:

  Creating tables...

Running deferred SQL...

  Installing custom SQL...

Running migrations:

  Rendering model states... DONE

  Applying contenttypes.0001_initial... OK

  Applying auth.0001_initial... OK

  Applying admin.0001_initial... OK

  Applying contenttypes.0002_remove_content_type_name... OK

  Applying auth.0002_alter_permission_name_max_length... OK

  Applying auth.0003_alter_user_email_max_length... OK

  Applying auth.0004_alter_user_username_opts... OK

  Applying auth.0005_alter_user_last_login_null... OK

  Applying auth.0006_require_contenttypes_0002... OK

  Applying authtoken.0001_initial... OK

  Applying pki.0001_initial... OK

  Applying sessions.0001_initial... OK

 

But the attempt to login to PKI failed again, now with a different error 
message:

 




OperationalError at /

attempt to write a readonly database

Request Method:

POST


Request URL:

https://192.168.2.25:9393/


Django Version:

1.8.1


Exception Type:

OperationalError


Exception Value:

attempt to write a readonly database

Exception Location:

/usr/lib/python2.7/site-packages/django/db/backends/sqlite3/base.py in 

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-03 Thread E.P. via PacketFence-users
[mailto:fdur...@inverse.ca] 
Sent: Thursday, December 28, 2017 5:17 PM
To: E.P.; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
FreeRADIUS

 

Can you try pfcmd configreload hard and restart radius (pfcmd service radiusd
restart)?

 

Le 2017-12-28 à 19:20, E.P. a écrit :

I should have made my previous email shorter because my main question fell
through the cracks.

Why do I have an error with the shared secret? Quoting it here again:

 

When I test this with a real network device, Unifi WAP for example, I don’t go 
anywhere.

I see that NAD is added, here’s an entry from radius.log

 

Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client 172.19.254.2/32 with 
shared secret "123456"

 

When I try to authenticate from an endpoint to a specific SSID I see this error 
in radius-acct.log 

 

Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without response 
because of error: Received Accounting-Request packet from client 172.19.254.2 
with invalid Request Authenticator!  (Shared secret is incorrect.)

 

I added this WAP under “Policies and access control” in the Switches section
using the shared secret as shown above and following the admin guide. What am I
doing wrong?

Here’s how the switches.conf file looks after I added this WAP:

 

[root@PacketFence-ZEN conf]# cat ./switches.conf

[172.19.254.2]

VoIPCDPDetect=N

VoIPDHCPDetect=N

deauthMethod=RADIUS

description=Test-WAP

VoIPLLDPDetect=N

radiusSecret=123456

VlanMap=N

 

Eugene

 

From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Thursday, December 28, 2017 3:30 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with 
FreeRADIUS

 

Hello Eugene,

In fact, for 802.1X you need to use eapol_test instead of radtest
(http://deployingradius.com/scripts/eapol_test/).

Also use port 1812 instead of 18120.

Regards

Fabrice

 

 

Le 2017-12-28 à 03:07, E.P. via PacketFence-users a écrit :

Guys,

I still hope someone with more experience with PF will give me a hand with this trivial issue (if it is an issue).

I’m on my way to test PF with baby steps and just created a user under the Users section in the PF GUI.

Then I test it using a simple command like this and it seems to work using the local identity store.

[root@PacketFence-ZEN bin]# ./pftest authentication test1 123456
Testing authentication for "test1"

Authenticating against local
  Authentication SUCCEEDED against local (Authentication successful.)
  Matched against local for 'authentication' rules
set_access_level : User Manager
set_unreg_date : -00-00 00:00:00
  Matched against local for 'administration' rules
set_access_level : User Manager
set_unreg_date : -00-00 00:00:00

Then I’m following the admin guide and want to test this user authentication using the radtest command as in:

[root@PacketFence-ZEN bin]# radtest test1 123456 localhost:18120 12 testing123
Sent Access-Request Id 136 from 0.0.0.0:45055 to 127.0.0.1:18120 length 75
User-Name = "test1"
User-Password = "123456"
NAS-IP-Address = 172.16.0.222
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "123456"
Received Access-Reject Id 136 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0)   -: Expected Access-Accept got Access-Reject

Why am I rejected here? Am I not supposed to use this test1 user to test RADIUS with the proxy module?

And finally, when I test this with a real network device, Unifi WAP for example, I don’t go anywhere.

I see that the NAD is added; here’s an entry from radius.log:

Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client 172.19.254.2/32 with shared secret "123456"

When I try to authenticate for an endpoint to a specific SSID I see this error in radius-acct.log:

Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without response because of error: Received Accounting-Request packet from client 172.19.254.2 with invalid Request Authenticator!  (Shared secret is incorrect.)

I added this WAP under “Policies and access control” in the Switches section using the shared secret as shown above and following the admin guide. What am I doing wrong?

Here’s how the switches.conf file looks after I added this WAP:

[root@PacketFence-ZEN conf]# cat ./switches.conf
[172.19.254.2]
VoIPCDPDetect=N
VoIPDHCPDetect=N
deauthMethod=RADIUS
description=Test-WAP
VoIPLLDPDetect=N
radiusSecret=123456
VlanMap=N

Just to confirm, I’m not doing any inline mode, nor guest or web authentication, just pure WPA-Enterprise with the RADIUS internal users identity store.

Eugene
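The "invalid Request Authenticator! (Shared secret is incorrect.)" line quoted in the thread is the server failing the RFC 2866 check on an Accounting-Request. The Python below is an added illustration, not code from this thread or from PacketFence/FreeRADIUS: it builds a packet the way a NAS does and verifies it the way the server does, reusing the client address 172.19.254.2 and the secret "123456" from the thread, with constructed attribute values and a constructed mismatching secret.

```python
# Added example, not from the thread or from PacketFence/FreeRADIUS code.
# RFC 2866 s.3: the Request Authenticator of an Accounting-Request is
#   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
# The server recomputes it with the secret on file for the client address; a
# mismatch is what radius-acct.log reports as "invalid Request Authenticator!
# (Shared secret is incorrect.)" and the packet is dropped without a response.
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request

def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:  # one-byte length includes the 2-byte TLV header
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_accounting_request(identifier, attrs, secret):
    """NAS side: the authenticator is the MD5 of the packet with the 16-byte
    authenticator field zeroed and the shared secret appended."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_accounting_request(packet, secret):
    """Server side: recompute with the configured secret and compare in constant
    time. False means wrong secret, or a malformed/tampered packet."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, received)

# Constructed attributes for a session start from the WAP in the thread:
# Acct-Status-Type(40)=Start(1), User-Name(1), NAS-IP-Address(4)=172.19.254.2.
SAMPLE_ATTRS = [(40, struct.pack("!I", 1)), (1, b"test1"), (4, bytes([172, 19, 254, 2]))]

def demo():
    """Same packet signed with "123456": only a server holding exactly that secret
    for 172.19.254.2 accepts it; any other string produces the logged error."""
    pkt = build_accounting_request(7, SAMPLE_ATTRS, b"123456")
    return (verify_accounting_request(pkt, b"123456"), verify_accounting_request(pkt, b"12345678"))
```

Note that the check covers the whole packet, so the same log line also appears when the secret is right but the packet was altered or truncated in transit.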

Re: [PacketFence-users] Need an advice and maybe assistance with FreeRADIUS

2018-01-02 Thread E.P. via PacketFence-users
-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: L
