Re: [PacketFence-users] Android wireless provisioning error

2017-08-11 Thread Fabrice Durand via PacketFence-users
Hello Akala,

can you send me your profiles.conf and portal_modules.conf and
provisioning.conf ?

Regards

Fabrice



On 2017-08-11 at 07:15, Akala Kehinde via PacketFence-users wrote:
> Hi guys,
>
> Any thoughts on this?
>
> Regards,
> Kehinde
>
> On Tue, Aug 8, 2017 at 7:44 PM, Akala Kehinde wrote:
>
> Hello guys,
>
> I get this error while trying to do Android wireless provisioning,
> when I click on the configure button on the PF android app:
>
> Aug  8 19:42:38 egelsbach packetfence_httpd.portal: httpd.portal(9458) INFO: [mac:f0:d7:aa:87:a6:ad] User default has authenticated on the portal. (Class::MOP::Class:::after)
> Aug  8 19:42:38 egelsbach packetfence_httpd.portal: httpd.portal(9458) ERROR: [mac:f0:d7:aa:87:a6:ad] Caught exception in captiveportal::Controller::WirelessProfile->index "Can't call method "profile_template" on an undefined value at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/WirelessProfile.pm line 41." (captiveportal::PacketFence::Controller::Root::end)
>
> Any ideas?
>
> Regards,
> Kehinde

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Packetfence

2017-08-11 Thread Fabrice Durand via PacketFence-users
Hello Rachid,

your issue is with the reevaluate access, check in the log why the
deauth is not working.

Regards

Fabrice



On 2017-08-11 at 08:06, Rachid Boutarene via PacketFence-users wrote:
>
> Hello , I contact you to ask if you can help me?
>
> I had installed successful Packet fence and configurated it well but I
> have every once problem with captive portal when I’m trying to connect
>
> (your network should be enabled within a minute or two. If it is not
> reboot your computer) it doesn’t want to redirect into internet
>
>  
>
> Thanks to you

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Compatibility double check for our environment

2017-08-11 Thread Fabrice Durand via PacketFence-users
Hello Yan,


On 2017-08-10 at 23:27, Yan Kimiko via PacketFence-users wrote:
>
> Thank you Durand. 
>
>
> Currently we are in classifying and preparing period. We’ll consider
> buying inverse consulting once we really need help. As we are in
> China, we have also to make sure inverse selling service to China first.
>
We deploy all over the world.
>
> For now, I have deployed a PF environment via PF ZEN in ESXi and we
> are waiting for some resources (e.g. this project’s development
> engineer, related network devices such as AC and switches for test
> usage) to get ready.
>
> After reading the Network Device Configuration Guide, I drew below
> map of network connections for our testing environment. Could you help
> confirm if it is right or not ? I’m not sure if PF should be connected
> to Core Switch or Access Switch ,or any switch that can reach other
> switches is enough. Also if we have remote offices and the inner
> network is reachable to each other, can we control them with one PF ?
>
Your schema is correct.

But you have to understand that you have 2 sorts of traffic, the first
one is the traffic between pf and the switch/ap, this traffic is used
for radius/snmp/coa to control the switch.
The second traffic is between the end device and packetfence, this
traffic (dns/http) is to redirect the device on the captive portal.

So just imagine that you have on the management side the traffic to deal
with the switch/AP and on the other side (registration) the traffic to
deal with the end device (also remote offices).

 Regards
Fabrice


-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence-ZEN-7.2.0 bandwidth violation not working

2017-08-17 Thread Fabrice Durand via PacketFence-users
raddebug ...


On 2017-08-17 at 06:12, Emmanuel Togo wrote:
>
> Hello Fabrice,
>
> raddebuf command is not available.
>
>
> Regards
>
> Emmanuel
>
>
>
> 
> *From:* Durand fabrice via PacketFence-users
> 
> *Sent:* 26 July 2017 11:59 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] Packetfence-ZEN-7.2.0 bandwidth
> violation not working
>  
> Hello Emmanuel,
>
> it looks that there is just start in your accounting (a way to send
> interim update and stop from the AP/Switch ?).
>
> Can you check with:
>
> raddebuf -f /usr/local/pf/run/radius-acct.sock -t 300
>
> and paste few requests ?
>
> Regards
>
> Fabrice
>
>
>
> On 2017-07-26 at 03:38, Emmanuel Togo via PacketFence-users wrote:
> > Hello Fabrice,
> > Thank you once again.
> > The username in radacct_log is different from mac address. See below the output
> >
> > MariaDB [pf]> select * from radacct_log where username="sophos5";
> > +------+---------------+----------+--------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
> > | id   | acctsessionid | username | nasipaddress | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
> > +------+---------------+----------+--------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
> > |  772 | 002C-0019     | sophos5  | 10.1.5.145   | Start          | 2017-07-20 02:54:44 |               0 |                0 |               0 | c594c1423a7cde15a0d2ed85743f1d4a |
> > |  793 | 002C-0026     | sophos5  | 10.1.5.145   | Start          | 2017-07-20 09:56:48 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > |  795 | 002C-0027     | sophos5  | 10.1.5.145   | Start          | 2017-07-20 09:58:30 |               0 |                0 |               0 | 4ac58d4ddec42d583960a1982f32d62b |
> > |  797 | 002C-0028     | sophos5  | 10.1.5.145   | Start          | 2017-07-20 10:00:58 |               0 |                0 |               0 | 4ac58d4ddec42d583960a1982f32d62b |
> > |  909 | 00010B4E-0035 | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:03:04 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > |  915 | 00010B4E-0038 | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:25:21 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > |  921 | 00010B4E-003C | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:40:29 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > |  925 | 00010B4E-003F | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:46:58 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > |  929 | 00010B4E-0040 | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:51:01 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > | 1008 | 00010B4E-0064 | sophos5  | 10.1.5.145   | Start          | 2017-07-21 10:23:59 |               0 |                0 |               0 | c594c1423a7cde15a0d2ed85743f1d4a |
> > | 1038 | 00010B4E-0073 | sophos5  | 10.1.5.145   | Start          | 2017-07-21 12:50:49 |               0 |                0 |               0 | c594c1423a7cde15a0d2ed85743f1d4a |
> > | 1232 | 7844-000E     | sophos5  | 10.1.5.145   | Start          | 2017-07-24 16:54:10 |               0 |                0 |               0 | ce7983729464e2b0b3cf6174c4f9e837 |
> > | 1286 | 7844-0028     | sophos5  | 10.1.5.145   | Start          | 2017-07-25 11:20:12 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > +------+---------------+----------+--------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
> > 13 rows in set (0.00 sec)
> >
> >
> > Regards
> > Emmanuel
> >
> > On 7/26/17, 1:22 AM, "Durand fabrice via PacketFence-users" wrote:
> >
> >  Can you do that:
> >
> >  select * from radacct_log where username="08:ee:8b:8c:2e:35";
> >
> >  does it return something ?
> >
> >
> >  On 2017-07-25 at 19:30, Emmanuel Togo via PacketFence-users wrote:
> >  > Hello Fabrice,
> >  >
> >  > Thank you. See the output below
> >  >
> >  > +---+---++---+
> >  > | callingstationid  | acctinput | acctoutput | accttotal |
> >  > 
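
Added example (not part of the thread and not PacketFence code): the radacct_log output quoted above holds only Start records, which is the point Fabrice raises about missing interim updates and stops. This Python sketch shows why a bandwidth check cannot fire in that state; the rows, the 500 MiB limit and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows, not taken from the thread. The fields follow the
# radacct_log columns quoted above:
# (acctsessionid, username, acctstatustype, acctinputoctets, acctoutputoctets)
SAMPLE_ROWS = [
    ("sess-0001", "user-a", "Start", 0, 0),
    ("sess-0002", "user-b", "Start", 0, 0),
    ("sess-0002", "user-b", "Interim-Update", 52_428_800, 734_003_200),
    ("sess-0002", "user-b", "Stop", 62_914_560, 943_718_400),
    ("sess-0003", "user-a", "Start", 0, 0),
]

# Only these Acct-Status-Type values carry byte counters for a session.
USAGE_TYPES = {"Interim-Update", "Stop"}


def summarize_sessions(rows):
    """Group accounting rows by session and keep the highest counters seen."""
    sessions = {}
    for session_id, username, status, in_octets, out_octets in rows:
        s = sessions.setdefault(
            session_id, {"username": username, "types": set(), "octets": 0}
        )
        s["types"].add(status)
        # Counters are cumulative within a session, so keep the maximum
        # rather than summing every Interim-Update.
        s["octets"] = max(s["octets"], in_octets + out_octets)
    return sessions


def start_only_sessions(rows):
    """Sessions for which the NAS never sent an Interim-Update or Stop."""
    return sorted(
        sid for sid, s in summarize_sessions(rows).items()
        if not s["types"] & USAGE_TYPES
    )


def bandwidth_report(rows, limit_bytes):
    """Classify each user as over_limit, within_limit or unmeasured.

    A user whose sessions are all Start-only is "unmeasured": the counters
    are zero because no usage was ever reported, not because none occurred.
    """
    per_user = defaultdict(lambda: {"octets": 0, "measured": False})
    for s in summarize_sessions(rows).values():
        u = per_user[s["username"]]
        u["octets"] += s["octets"]
        u["measured"] = u["measured"] or bool(s["types"] & USAGE_TYPES)
    report = {}
    for user, u in per_user.items():
        if not u["measured"]:
            report[user] = "unmeasured"
        elif u["octets"] > limit_bytes:
            report[user] = "over_limit"
        else:
            report[user] = "within_limit"
    return report


if __name__ == "__main__":
    print("Start-only sessions:", start_only_sessions(SAMPLE_ROWS))
    limit = 500 * 1024**2  # constructed 500 MiB limit
    for user, state in sorted(bandwidth_report(SAMPLE_ROWS, limit).items()):
        print(f"{user}: {state}")
```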

Re: [PacketFence-users] R: R: R: R: R: network-access-detection

2017-08-17 Thread Fabrice Durand via PacketFence-users
Ok so first fix the PacketFence server in order to be able to reach
internet .

you need to have the default gateway configured and a valid dns server.

ip route

cat /etc/resolv.conf

Then when it's done your issue will probably be fixed.

Regards

Fabrice




On 2017-08-17 at 07:30, Alessandro Canella wrote:
>
> Hello Fabrice:
>
>  
>
> IP_forward (tested from MGMT ip) result is 1: so, enabled I think.
>
>  
>
> ZEN seems not know DIG, HOST, NSlookup… so I use Ping “name” and
> cannot resolve nothing.
>
>  
>
>  
>
>  
>
>  
>
> *From:* Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 11 August 2017 01:50
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] R: R: R: R: network-access-detection
>
>  
>
> Hello Alessandro,
>
> what is the result of ? :
>
> cat /proc/sys/net/ipv4/ip_forward
>
> From the pf server are you able to do a query ?
> nslookup
> > server 153.47.30.113
> > inverse.ca
>
> Regards
> Fabrice
>
> On 2017-08-10 at 13:42, Alessandro Canella via PacketFence-users wrote:
>
> Here some test:
>
>  
>
> BEFORE  LOGIN
>
>  
>
>   Suffisso DNS specifico per connessione: inlinel2.feo-cer.net
>
>Indirizzo IPv4. . . . . . . . . . . . :
> 192.168.30.14(Preferenziale)
>
>Gateway predefinito . . . . . . . . . : 192.168.30.1
>
>Server DHCP . . . . . . . . . . . . . : 192.168.30.1
>
>Server DNS . . . . . . . . . . . . .  : 153.47.30.113
>
> C:\Users\aless>nslookup
>
> Server predefinito:  UnKnown
>
> Address:  153.47.30.113
>
>  
>
> lancelot.feo-cer.net
>
> Server:  UnKnown
>
> Address:  153.47.30.113
>
> Nome:percival.feo-cer.net
>
> Address:  192.168.30.1
>
> Aliases:  lancelot.feo-cer.net.inlinel2.feo-cer.net
>
>  
>
>  
>
> AFTER LOGIN
>
>  
>
> C:\Users\aless>nslookup
>
> DNS request timed out.
>
> timeout was 2 seconds.
>
> Server predefinito:  UnKnown
>
> Address:  153.47.30.113
>
>  
>
> > server 192.168.30.1
>
> DNS request timed out.
>
> timeout was 2 seconds.
>
> Server predefinito:  [192.168.30.1]
>
> Address:  192.168.30.1
>
>  
>
> As you see from image attached, portscan …works….query not….
>
>  
>
> *From:* Alessandro Canella via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, 10 August 2017 09:42
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Alessandro Canella <alessandro.cane...@itcare.it>
> <mailto:alessandro.cane...@itcare.it>
> *Subject:* [PacketFence-users] R: R: R: network-access-detection
>
>  
>
> Fabrice,
>
>  
>
> I made a test with nslookup. My first hop (PF inline IF) is closed
> and cannot reach a remote DNS too. Note that other proto seems ok.
>
>  
>
>  
>
>  
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 8 August 2017 14:37
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand <fdur...@inverse.ca <mailto:fdur...@inverse.ca>>
> *Subject:* Re: [PacketFence-users] R: R: network-access-detection
>
>  
>
> Hello Alessandro,
>
> you probably misconfigured the dns.
>
> Can you give me your networks.conf ?
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-08-07 at 11:51, Alessandro Canella via PacketFence-users wrote:
>
> I’ve retried and checked traffic.
>
>  
>
> As written, I’m in inline, users authenticate but GIF cannot
> be retrieved.
>
>  
>
> But not only : from a successful registered client, I cannot
> query DNS. And any other packet works fine….
>
>  
>
>  
>
> How I can check where is “deny” that stops me?
>
>  
>
>  
>
>  
>
> *From:* Alessandro Canella via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 4 August 2017 08:18
> *To:* Ludovic Zammit <lzam...@inverse.ca>

Re: [PacketFence-users] R: R: R: network-access-detection

2017-08-17 Thread Fabrice Durand via PacketFence-users
Enable nat.


On 2017-08-17 at 07:34, Alessandro Canella wrote:
>
> [192.168.30.0]
>
> dns=153.47.30.113
>
> dhcp_start=192.168.30.10
>
> gateway=192.168.30.1
>
> domain-name=inlinel2.feo-cer.net
>
> nat_enabled=disabled
>
> named=enabled
>
> dhcp_max_lease_time=86400
>
> fake_mac_enabled=disabled
>
> dhcpd=enabled
>
> dhcp_end=192.168.30.246
>
> type=inlinel2
>
> netmask=255.255.255.0
>
> dhcp_default_lease_time=86400
>
>  
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 8 August 2017 14:37
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] R: R: network-access-detection
>
>  
>
> Hello Alessandro,
>
> you probably misconfigured the dns.
>
> Can you give me your networks.conf ?
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-08-07 at 11:51, Alessandro Canella via PacketFence-users wrote:
>
> I’ve retried and checked traffic.
>
>  
>
> As written, I’m in inline, users authenticate but GIF cannot be
> retrieved.
>
>  
>
> But not only : from a successful registered client, I cannot query
> DNS. And any other packet works fine….
>
>  
>
>  
>
> How I can check where is “deny” that stops me?
>
>  
>
>  
>
>  
>
> *From:* Alessandro Canella via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 4 August 2017 08:18
> *To:* Ludovic Zammit <lzam...@inverse.ca>
> <mailto:lzam...@inverse.ca>;
> packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Alessandro Canella <alessandro.cane...@itcare.it>
> <mailto:alessandro.cane...@itcare.it>
> *Subject:* [PacketFence-users] R: network-access-detection
>
>  
>
> Hello Ludovic,
>
>  
>
> I’ve tried with Win10, tested with both IP (I know, if I test the
> first reachable is not correct…) I’ve left Vlan Enforce due to
> incompatibility of switches, so I’m in inline mode.
>
>  
>
> I will try to raise timeout to 90 secs and to open it by hand in
> new tab.
>
>  
>
> Later I will recap tests.
>
>  
>
> Thanks in advance.
>
>  
>
>  
>
>  
>
>  
>
>  
>
> *From:* Ludovic Zammit [mailto:lzam...@inverse.ca]
> *Sent:* Thursday, 3 August 2017 19:40
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Alessandro Canella <alessandro.cane...@itcare.it
> <mailto:alessandro.cane...@itcare.it>>
> *Subject:* Re: [PacketFence-users] network-access-detection
>
>  
>
> Hello Alessandra,
>
>  
>
> Are you using Mac OS X ? Which PacketFence version are you using ?
>
>
> By default on the ZEN it will try to reach our public IP.
>
>  
>
> Once you get authorize after the registration process you will
> need to check if you have placed into the correct vlan (In VLAN
> enforcement mode) and got the proper IP address.
>
>  
>
> Check also if you have internet, it's known for Mac OS X devices
> that they are slow to release their IP and pickup the new one
> (~90secs).
>
>  
>
> Try to have a tab open on the network-access-detection.gif and see
> if it loads after the registration process.
>
>  
>
> Thanks,
>
> Ludovic Zammit
>
> lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::  +1.514.447.4918 (x145) 
> ::  www.inverse.ca <http://www.inverse.ca>
>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 
>
>  
>
>  
>
>  
>
> On Aug 3, 2017, at 11:41 AM, Alessandro Canella via
> PacketFence-users <packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>
>  
>
> Hello all,
>
>  
>
> I still have problem
> detecting  /common/network-access-detection.gif after access
> is granted. I’m using ZEN version.
>
>  
>
> I’ve tried lot of different config. All seems fine, gif is
> reachable from both side of inline mode but “unable to detect”
> is the last po

Re: [PacketFence-users] R: radius rejected.

2017-07-17 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

You need to use eapol_test for eap test:


%eapol_test -c -a -p -s

Example config file:

network={
   ssid="test"
   key_mgmt=IEEE8021X
   eap=
   pairwise=CCMP TKIP
   group=CCMP TKIP WEP104 WEP40
   phase2="auth=MSCHAPV2"
   identity=""
   password=""
}

Regards
Fabrice

On 2017-07-17 at 05:45, Alessandro Canella wrote:
>
> Hello Fabrice,
>
>  
>
> test are made with local radtest (I’ve switch configured
> and…unaccessible… and a Windows Radius test tool too) as I seen from log.
>
>  
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   EXPAND %{Packet-Src-IP-Address}
>
> (2) Thu Jul 13 15:27:49 2017: Debug:  --> 127.0.0.1
>
>  
>
>  
>
> *From:* Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 14 July 2017 02:29
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] radius rejected.
>
>  
>
> Hello Alessandro,
>
> does the request is coming from a switch ?
>
> It miss the Calling-Station-Id attribute.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-07-13 at 13:01, Alessandro Canella via PacketFence-users wrote:
>
> Hello,
>
>  
>
> I’m using ZEN, latest download from site. I do not plan to join
> AD/LDAP but only to use local users.
>
>   
>  
>
>
> I’ve created local users in RADDB but according to precedent posts
> in mailing lists I’ve deleted it and planned to use only “person”
> in web interface.
>
>  
>
> Plaintext password are enabled in advanced config and I’ve added
> “packetfence-local-auth” both in
> /usr/local/pf/conf/radiusd/packetfence-tunnel and in in authorize
> section just after
>
> packetfence-eap-mac-policy in conf/radiusd/packetfence
>
>  
>
> but debug still shows logs attached below…
>
>  
>
> thanks in advance…
>
>  
>
>  
>
> (2) Thu Jul 13 15:27:49 2017: Debug: Received Access-Request Id 72 from 127.0.0.1:43886 to 127.0.0.1:18120 length 73
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   User-Name = "ale"
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   User-Password = "pale"
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   NAS-IP-Address = 153.47.30.99
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   NAS-Port = 12
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   Message-Authenticator = 0x952a6bbbaa25fb2f8c80772d743956be
>
> (2) Thu Jul 13 15:27:49 2017: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   authorize {
>
> (2) Thu Jul 13 15:27:49 2017: Debug: update {
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   EXPAND
> %{Packet-Src-IP-Address}
>
> (2) Thu Jul 13 15:27:49 2017: Debug:  --> 127.0.0.1
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   EXPAND %l
>
> (2) Thu Jul 13 15:27:49 2017: Debug:  --> 1499959669
>
> (2) Thu Jul 13 15:27:49 2017: Debug: } # update = noop
>
> (2) Thu Jul 13 15:27:49 2017: Debug: policy
> rewrite_calling_station_id {
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   if (
> &&
> (  
> Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9
>   
> a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> {
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   if (
> &&
> (  
> Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9
>   
> a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
> -> FALSE
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   else {
>
> (2) Thu Jul 13 15:27:49 2017: Debug: [noop] = noop
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   } # else = noop
>
> (2) Thu Jul 13 15:27:49 2017: Debug: } # policy
> rewrite_calling_station_id
> =noop
>
> (2) Thu Jul 13 15:27:49 2017: Debug: policy
> rewrite_called_station_id {
>
> (2) Thu Jul 13 15:27:49 2017: Debug:   if
> (() && (
>   Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9
>   
> 
> a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>  
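
Added example (not from the thread and not PacketFence code): a pre-check for the point Fabrice raises above, that a radtest-style request carries no Calling-Station-Id. It parses debug lines in the format quoted in this thread and applies the MAC pattern printed by the rewrite_calling_station_id policy; the sample requests, addresses and function names are constructed.

```python
import re

# MAC pattern as printed by the rewrite_calling_station_id policy in the
# debug output quoted in the thread.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
    r"[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)
# One request attribute per debug line: "... Debug:   Name = value"
ATTR_RE = re.compile(r"Debug:\s+([A-Za-z][A-Za-z0-9-]*) = (.*)$")

# Constructed debug excerpts (documentation addresses, made-up user and MAC).
RADTEST_STYLE = """\
(1) Mon Jan  1 10:00:00 2018: Debug: Received Access-Request Id 72 from 127.0.0.1:43886 to 127.0.0.1:18120 length 73
(1) Mon Jan  1 10:00:00 2018: Debug:   User-Name = "testuser"
(1) Mon Jan  1 10:00:00 2018: Debug:   NAS-IP-Address = 192.0.2.10
(1) Mon Jan  1 10:00:00 2018: Debug:   NAS-Port = 12
"""
SWITCH_STYLE = """\
(2) Mon Jan  1 10:05:00 2018: Debug: Received Access-Request Id 103 from 192.0.2.4:1645 to 192.0.2.5:1812 length 226
(2) Mon Jan  1 10:05:00 2018: Debug:   User-Name = "testuser"
(2) Mon Jan  1 10:05:00 2018: Debug:   Calling-Station-Id = "00-11-22-AA-BB-CC"
(2) Mon Jan  1 10:05:00 2018: Debug:   NAS-IP-Address = 192.0.2.4
"""


def parse_request(debug_text):
    """Collect the attributes of one request from its debug lines."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for any separator style, or None."""
    m = MAC_RE.match(value.strip())
    return ":".join(g.lower() for g in m.groups()) if m else None


def check_request(debug_text):
    """Report whether the request identifies the endpoint by MAC address."""
    raw = parse_request(debug_text).get("Calling-Station-Id")
    if raw is None:
        return {"ok": False, "reason": "Calling-Station-Id missing", "mac": None}
    mac = normalize_mac(raw)
    if mac is None:
        return {"ok": False, "reason": "Calling-Station-Id is not a MAC", "mac": None}
    return {"ok": True, "reason": "", "mac": mac}


if __name__ == "__main__":
    for name, text in (("radtest", RADTEST_STYLE), ("switch", SWITCH_STYLE)):
        print(name, check_request(text))
```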

Re: [PacketFence-users] No suricata.yaml file present in PF 7.x

2017-07-18 Thread Fabrice Durand via PacketFence-users
Hello Kehinde,

in my opinion the better setup to do is to use security onion and send
the syslog to PacketFence.

Regards

Fabrice



On 2017-07-18 at 06:44, Akala Kehinde via PacketFence-users wrote:
> Hallo guys,
>
> The suricata.yaml file is missing in PF7.x. I'm trying to do a
> Suricata setup with PF. I have installed Suricata on PF on a different
> location on PF. 
>
> Now what IP addresses be specified in the $HOME-NET and $EXTERNAL
> variables. And also what interface will PF listen on for alerts, the
> PF management interface?
>
> The Suricata and Snort integration seem a bit different than earlier
> versions as trapping as been removed.
>
> Pls could you point me in the right direction.
>  
> Regards,
> Kehinde

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Fabrice Durand via PacketFence-users
Hello Luca,

add a realm dm.loc and assign it to your domain and restart radius.

Regards

Fabrice



On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:
>
> I've found this error in radius.log
>
>
> ERROR: mschap_machine: Program returned code (1) and output 'Reading
> winbind reply failed! (0xc00
> 1)'
>
>
> But the domain is working fine, how can I solve this?
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
> *From:* luca comes via PacketFence-users
> *Sent:* Monday, 10 July 2017 11:42
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* Re: [PacketFence-users] Machine authentication
>  
>
> Hi all,
>
> any suggestion? I don't know what check, domain is correctly
> configured the test are fine (wbinfo -u etc.). I added my domain to
> the LOCAL realm as per Antoine mail but is still doesn't work.
>
>
> Thanks for your help
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
> *From:* luca comes via PacketFence-users
> *Sent:* Friday, 7 July 2017 17:40
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* Re: [PacketFence-users] Machine authentication
>  
>
> Hi Antoine,
>
> thank you for your answer, unfortunately it doesn't work. Same
> behavior as before, any other suggestion?
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
> *From:* Antoine Amacher via PacketFence-users
> *Sent:* Friday, 7 July 2017 17:20
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Antoine Amacher
> *Subject:* Re: [PacketFence-users] Machine authentication
>  
>
> Lucas,
>
>
> Map the domain on which they should authenticate with the REALM LOCAL.
>
>
> In configuration -> policies and access control -> realms
>
>
> Thanks
>
>
> On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
>>
>> Hi all,
>>
>> I'm trying to do machine authentication vs Windows AD but it doesn't
>> work. I've created the domain and the realm but in the radius debug
>> log I can see that it is not catching the correct realm:
>>
>>
>>
>> (20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103
>> from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
>> (20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id =
>> "00-22-91-6F-B8-81"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id =
>> "00-9C-02-92-EA-B0"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message =
>> 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator =
>> 0xcf9553149f5c843907b87d3758e0b7d8
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Cisco-AVPair =
>> "audit-session-id=0A0A0A0400DEBBDF4BBE"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Type = Ethernet
>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port = 50101
>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Id =
>> "GigabitEthernet1/0/1"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4
>> 
>>
>> 
>>
>> (20) Fri Jul  7 16:29:46 2017: Debug: suffix: Checking for suffix
>> after "@"
>> (20) Fri Jul  7 16:29:46 2017: Debug: suffix: No '@' in User-Name =
>> "host/LAB3-NB.dm.loc", skipping NULL due to config.
>> (20) Fri Jul  7 16:29:46 2017: Debug: [suffix] = noop
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Checking for prefix
>> before "\"
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name =
>> "host/LAB3-NB.dm.loc", looking up realm NULL
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Found realm "null"
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding
>> Stripped-User-Name = "host/LAB3-NB.dm.loc"
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Authentication realm
>> is LOCAL
>> (20) Fri Jul  7 16:29:46 2017: Debug: [ntdomain] = ok
>>
>>
>> How can I solve this? Obviously the machine is correctly joined to
>> the domain below the servicePrincipalName associated:
>>
>>
>> TERMSRV/LAB3-NB.dm.loc
>> TERMSRV/LAB3-NB
>> RestrictedKrbHost/LAB3-NB
>> HOST/LAB3-NB
>> RestrictedKrbHost/LAB3-NB.dm.loc
>> HOST/LAB3-NB.dm.loc
>>
>>
>> Anyone that can suggest me what to check?
>>
>>
>> Thank you in advance.
>>
>>
>> Luca
>>
>>
>> Sent from Outlook
>>
>>
>>

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Fabrice Durand via PacketFence-users
The machine authentication is ok this time.

Do you have the packetfence.log for this device ?



On 2017-07-10 at 08:58, luca comes wrote:
>
> Hello Fabrice,
>
> attached you can find radius debug file of the transaction.
>
>
> Thanks
>
>
> Luca
>
>
> Sent from Outlook <http://aka.ms/weboutlook>
>
>
>
> *From:* Fabrice Durand <fdur...@inverse.ca>
> *Sent:* Monday, 10 July 2017 14:48
> *To:* luca comes; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Machine authentication
>  
>
> Hello Luca,
>
> you need to have the realm to use the correct domain join.
>
>
> Also what i need is the complete radius debug when you try machine
> authentication.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-07-10 at 08:45, luca comes wrote:
>>
>> Hi Fabrice,
>>
>> in this manner the error is not shown in radius.log but machine
>> authentication is still not working. Also as the preceding email the
>> domain (DM) is correctly joined and tested with wbinfo. But if I try
>> a radtest vs my domain I obtain an Access-Reject. Any suggestion on
>> how to troubleshoot this problem? I would like to go in production
>> but with those results I have to leave.
>>
>>
>> Thanks
>>
>>
>> Luca
>>
>>
>> Sent from Outlook <http://aka.ms/weboutlook>
>>
>>
>>
>> *From:* Fabrice Durand via PacketFence-users
>> <packetfence-users@lists.sourceforge.net>
>> *Sent:* Monday, 10 July 2017 14:23
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Fabrice Durand
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>  
>>
>> Hello Luca,
>>
>> add a realm dm.loc and assign it to your domain and restart radius.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:
>>>
>>> I've found this error in radius.log
>>>
>>>
>>> ERROR: mschap_machine: Program returned code (1) and output 'Reading
>>> winbind reply failed! (0xc00
>>> 1)'
>>>
>>>
>>> But the domain is working fine, how can I solve this?
>>>
>>>
>>> Luca
>>>
>>>
>>> Sent from Outlook <http://aka.ms/weboutlook>
>>>
>>>
>>>
>>> *From:* luca comes via PacketFence-users
>>> <packetfence-users@lists.sourceforge.net>
>>> *Sent:* Monday, 10 July 2017 11:42
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* luca comes
>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>  
>>>
>>> Hi all,
>>>
>>> any suggestion? I don't know what check, domain is correctly
>>> configured the test are fine (wbinfo -u etc.). I added my domain to
>>> the LOCAL realm as per Antoine mail but is still doesn't work.
>>>
>>>
>>> Thanks for your help
>>>
>>>
>>> Luca
>>>
>>>
>>> Sent from Outlook <http://aka.ms/weboutlook>
>>>
>>>
>>>
>>> *From:* luca comes via PacketFence-users
>>> <packetfence-users@lists.sourceforge.net>
>>> *Sent:* Friday, 7 July 2017 17:40
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* luca comes
>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>  
>>>
>>> Hi Antoine,
>>>
>>> thank you for your answer, unfortunately it doesn't work. Same
>>> behavior as before, any other suggestion?
>>>
>>>
>>> Luca
>>>
>>>
>>> Sent from Outlook <http://aka.ms/weboutlook>
>>>
>>>
>>>
>>> *From:* Antoine Amacher via PacketFence-users
>>> <packetfence-users@lists.sourceforge.net>
>>> *Sent:* Friday, 7 July 2017 17:20
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* Antoine Amacher
>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>  
>>>
>>> Lucas,
>>>
>>>
>>&g

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Fabrice Durand via PacketFence-users
Hello Luca,

you need to have the realm to use the correct domain join.


Also, what I need is the complete radius debug when you try machine
authentication.

Regards

Fabrice



On 2017-07-10 at 08:45, luca comes wrote:
>
> Hi Fabrice,
>
> in this manner the error is not shown in radius.log but machine
> authentication is still not working. Also as the preceding email the
> domain (DM) is correctly joined and tested with wbinfo. But if I try a
> radtest vs my domain I obtain an Access-Reject. Any suggestion on how
> to troubleshoot this problem? I would like to go in production but
> with those results I have to leave.
>
>
> Thanks
>
>
> Luca
>
>
> Sent from Outlook <http://aka.ms/weboutlook>
>
>
>
> --------------------
> *From:* Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net>
> *Sent:* Monday, 10 July 2017 14:23
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Machine authentication
>  
>
> Hello Luca,
>
> add a realm dm.loc and assign it to your domain and restart radius.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:
>>
>> I've found this error in radius.log
>>
>>
>> ERROR: mschap_machine: Program returned code (1) and output 'Reading
>> winbind reply failed! (0xc00
>> 1)'
>>
>>
>> But the domain is working fine, how can I solve this?
>>
>>
>> Luca
>>
>>
>> Sent from Outlook <http://aka.ms/weboutlook>
>>
>>
>>
>>
>> *From:* luca comes via PacketFence-users
>> <packetfence-users@lists.sourceforge.net>
>> *Sent:* Monday, 10 July 2017 11:42
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* luca comes
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>  
>>
>> Hi all,
>>
>> any suggestion? I don't know what to check, the domain is correctly
>> configured, the tests are fine (wbinfo -u etc.). I added my domain to
>> the LOCAL realm as per Antoine's mail but it still doesn't work.
>>
>>
>> Thanks for your help
>>
>>
>> Luca
>>
>>
>> Sent from Outlook <http://aka.ms/weboutlook>
>>
>>
>>
>>
>> *From:* luca comes via PacketFence-users
>> <packetfence-users@lists.sourceforge.net>
>> *Sent:* Friday, 7 July 2017 17:40
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* luca comes
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>  
>>
>> Hi Antoine,
>>
>> thank you for your answer, unfortunately it doesn't work. Same
>> behavior as before, any other suggestion?
>>
>>
>> Luca
>>
>>
>> Sent from Outlook <http://aka.ms/weboutlook>
>>
>>
>>
>>
>> *From:* Antoine Amacher via PacketFence-users
>> <packetfence-users@lists.sourceforge.net>
>> *Sent:* Friday, 7 July 2017 17:20
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Antoine Amacher
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>  
>>
>> Lucas,
>>
>>
>> Map the domain on which they should authenticate with the REALM LOCAL.
>>
>>
>> In configuration -> policies and access control -> realms
>>
>>
>> Thanks
>>
>>
>> On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
>>>
>>> Hi all,
>>>
>>> I'm trying to do machine authentication vs Windows AD but it doesn't
>>> work. I've created the domain and the realm but in the radius debug
>>> log I can see that it is not catching the correct realm:
>>>
>>>
>>>
>>> (20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103
>>> from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   User-Name =
>>> "host/LAB3-NB.dm.loc"
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id =
>>> "00-22-91-6F-B8-81"
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id =
>>> &qu
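
The request quoted above carries User-Name = "host/LAB3-NB.dm.loc", and the advice in this thread is to add a realm dm.loc assigned to the domain. The sketch below is added here and is not taken from PacketFence or FreeRADIUS source: it models how a realm is derived from the usual User-Name shapes and looked up in a realm table. The regular expression, function names, table contents and the user name "luca" are assumptions; NULL and DEFAULT are used in the FreeRADIUS sense (no realm in the name, realm not configured).

```python
import re

# Assumed pattern for machine accounts ("host/<name>.<dns domain>"), the form
# seen in the quoted Access-Request. This is not PacketFence's own regex.
MACHINE_RE = re.compile(r"^host/([^.]+)\.(.+)$", re.IGNORECASE)


def split_user_name(user_name):
    """Return (style, identity, realm); realm is None when the name has none."""
    m = MACHINE_RE.match(user_name)
    if m:
        return ("machine", m.group(1), m.group(2).lower())
    if "\\" in user_name:                      # DOMAIN\user
        domain, user = user_name.split("\\", 1)
        return ("ntdomain", user, domain.lower())
    if "@" in user_name:                       # user@realm
        user, realm = user_name.rsplit("@", 1)
        return ("suffix", user, realm.lower())
    return ("bare", user_name, None)


def resolve_domain(user_name, realm_table):
    """Pick the realm entry for a User-Name and return (realm_key, domain)."""
    table = {name.lower(): domain for name, domain in realm_table.items()}
    realm = split_user_name(user_name)[2]
    if realm is None:
        key = "null"          # name carries no realm at all
    elif realm in table:
        key = realm           # explicit realm entry exists
    else:
        key = "default"       # realm present but not configured
    return key, table.get(key)


# Constructed realm tables: realm name -> domain join used for the NTLM check
# (None means no domain is attached to that realm).
BEFORE = {"DEFAULT": None, "NULL": None, "LOCAL": "DM"}
AFTER = dict(BEFORE, **{"dm.loc": "DM"})

if __name__ == "__main__":
    samples = ("host/LAB3-NB.dm.loc", "DM\\luca", "luca@dm.loc", "luca", "host/LAB3-NB")
    for name in samples:
        print(name, split_user_name(name),
              resolve_domain(name, BEFORE), resolve_domain(name, AFTER))
```

In this model the machine name falls through to DEFAULT, with no domain attached, until a dm.loc entry exists; a NetBIOS-style name such as DM\luca would need its own entry as well.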

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Fabrice Durand via PacketFence-users
Your issue is with the DM_Machine_Auth_PDC source.

Verify that you are able to bind with this source.

Also you can use pftest.



On 2017-07-10 at 09:24, luca comes wrote:
>
> Hi Fabrice,
>
> yes I was checking the debug and I saw it. In the attached
> packetfence.log I can see ERROR: [mac:00:9c:02:92:ea:b0] Error binding
> 'Connection reset by peer' (pf::LDAP::bind) but the domain join is
> still working with wbinfo -u for example.
>
>
> Luca
>
>
> Sent from Outlook <http://aka.ms/weboutlook>
>
>
>
>
> *From:* Fabrice Durand <fdur...@inverse.ca>
> *Sent:* Monday, 10 July 2017 15:06
> *To:* luca comes; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Machine authentication
>  
>
> The machine authentication is ok this time.
>
> Do you have the packetfence.log for this device ?
>
>
>
> On 2017-07-10 at 08:58, luca comes wrote:
>>
>> Hello Fabrice,
>>
>> attached you can find radius debug file of the transaction.
>>
>>
>> Thanks
>>
>>
>> Luca
>>
>>
>> Sent from Outlook <http://aka.ms/weboutlook>
>>
>>
>>
>>
>> *From:* Fabrice Durand <fdur...@inverse.ca>
>> *Sent:* Monday, 10 July 2017 14:48
>> *To:* luca comes; packetfence-users@lists.sourceforge.net
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>  
>>
>> Hello Luca,
>>
>> you need to have the realm to use the correct domain join.
>>
>>
>> Also, what I need is the complete radius debug when you try machine
>> authentication.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-07-10 at 08:45, luca comes wrote:
>>>
>>> Hi Fabrice,
>>>
>>> in this manner the error is not shown in radius.log but machine
>>> authentication is still not working. Also as the preceding email the
>>> domain (DM) is correctly joined and tested with wbinfo. But if I try
>>> a radtest vs my domain I obtain an Access-Reject. Any suggestion on
>>> how to troubleshoot this problem? I would like to go in production
>>> but with those results I have to leave.
>>>
>>>
>>> Thanks
>>>
>>>
>>> Luca
>>>
>>>
>>> Sent from Outlook <http://aka.ms/weboutlook>
>>>
>>>
>>>
>>>
>>> *From:* Fabrice Durand via PacketFence-users
>>> <packetfence-users@lists.sourceforge.net>
>>> *Sent:* Monday, 10 July 2017 14:23
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* Fabrice Durand
>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>  
>>>
>>> Hello Luca,
>>>
>>> add a realm dm.loc and assign it to your domain and restart radius.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:
>>>>
>>>> I've found this error in radius.log
>>>>
>>>>
>>>> ERROR: mschap_machine: Program returned code (1) and output
>>>> 'Reading winbind reply failed! (0xc00
>>>> 1)'
>>>>
>>>>
>>>> But the domain is working fine, how can I solve this?
>>>>
>>>>
>>>> Luca
>>>>
>>>>
>>>> Sent from Outlook <http://aka.ms/weboutlook>
>>>>
>>>>
>>>>
>>>>
>>>> *From:* luca comes via PacketFence-users
>>>> <packetfence-users@lists.sourceforge.net>
>>>> *Sent:* Monday, 10 July 2017 11:42
>>>> *To:* packetfence-users@lists.sourceforge.net
>>>> *Cc:* luca comes
>>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>>  
>>>>
>>>> Hi all,
>>>>
>>>> any suggestion? I don't know what to check, the domain is correctly
>>>> configured, the tests are fine (wbinfo -u etc.). I added my domain to
>>>> the LOCAL realm as per Antoine's mail but it still doesn't work.
>>>>
>>>>
>>>> Thanks for your help
>>>>
>>>>
>>>> Luca
>>>>
>>>

Re: [PacketFence-users] Portal Personalization

2017-07-25 Thread Fabrice Durand via PacketFence-users
Hello Yohann,

can you check if those 2 packages are installed:

cairo-1.14.2-1.el7.x86_64
pycairo-1.8.10-8.el7.x86_64

Regards

Fabrice



On 2017-07-25 at 05:10, LE GALL Yohann wrote:
>
> Hi Fabrice,
>
>  
>
> Yes, I’m living in Brittany.
>
>  
>
> I’ve found exactly the same file with a grep command and I think there
> is no other way to make it work. So I’ve translated it into French in
> this file.
>
>
>
> I’ve got a last problem with my PacketFence system, which is not
> generating diagrams. When I go to the link generated by graphite,
> it gives me this error:
>
> *Graphite encountered an unexpected error while handling your request.*
>
> *Please contact your site administrator if the problem persists.*
>
>  
>
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 99, in get_response
>     resolver_match = resolver.resolve(request.path_info)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
>     sub_match = pattern.resolve(new_path)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 339, in resolve
>     sub_match = pattern.resolve(new_path)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 223, in resolve
>     return ResolverMatch(self.callback, args, kwargs, self.name)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 230, in callback
>     self._callback = get_callable(self._callback_str)
>   File "/usr/lib/python2.7/site-packages/django/utils/functional.py", line 32, in wrapper
>     result = func(*args)
>   File "/usr/lib/python2.7/site-packages/django/core/urlresolvers.py", line 97, in get_callable
>     mod = import_module(mod_name)
>   File "/usr/lib/python2.7/site-packages/django/utils/importlib.py", line 40, in import_module
>     __import__(name)
>   File "/usr/lib/python2.7/site-packages/graphite/render/views.py", line 34, in <module>
>     from graphite.render.evaluator import evaluateTarget, extractPathExpressions
>   File "/usr/lib/python2.7/site-packages/graphite/render/evaluator.py", line 72, in <module>
>     from graphite.render.functions import SeriesFunctions,NormalizeEmptyResultError
>   File "/usr/lib/python2.7/site-packages/graphite/render/functions.py", line 34, in <module>
>     from graphite.render.glyph import format_units
>   File "/usr/lib/python2.7/site-packages/graphite/render/glyph.py", line 20, in <module>
>     import cairocffi as cairo
> ImportError: No module named cairocffi
>
>  
>
>  
>
>  
>
> I don’t know how it should work in standard mode because I have never seen
> it work.
>
>  
>
> Sincerely,
>
> Yohann
>
>  
>
> 
>
> *Yohann*  *LE GALL*
> Junior Systems and Network Administrator
> y.leg...@biocoop.fr
>
>
>  
>
> *From:* Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 25 July 2017 05:31
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] Portal Personalization
>
>  
>
> Hello Yohann,
>
> Yohann from Brittany ?
>
> Ok so since it's a string combined then it's probably not localized.
>
> What you can do (hack) is to edit
> html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
> and change the string to french.
>
> Also I will have a look to fix it.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-07-20 at 05:56, LE GALL Yohann via PacketFence-users wrote:
>
> Hi community,
>
>  
>
> I’m currently configuring my PacketFence infrastructure for
> Guest access. I’m French and all my guests will be French, so I’m
> modifying the html template for that. I found all css and text
> files except one text which is:
>
>  
>
> « Role guest has been assigned to your device with unregistration
> date : »
>
>  
>
> Do you know where this text is written?
>
>  
>
> Thanks for your job
>
>  
>
> Sincerely,
>
> Yohann
>
>  
>
> 
>
> *Yohann*  *LE GALL*
> Junior Systems and Network Administrator
> y.leg...@biocoop.fr

Re: [PacketFence-users] Join Active Directory fails,Debian

2017-06-29 Thread Fabrice Durand via PacketFence-users
Hello Lucas,

first edit domain.conf and remove anything and do a "pfcmd configreload
hard" in order to retrieve the config in admin.

Next be sure that domain names are in upper case and retry, and that ip
forward is enabled.

Regards
Fabrice
 
On 2017-06-29 at 08:30, Lucas Beier via PacketFence-users wrote:
> Hi,
>
> I'm trying to add my AD to PacketFence with the GUI.
>
> But PacketFence isn't joining, it says it can't find the DC.
>
> But I can reach the DC with nslookup.
>
>
> I can't visit the configuration at the GUI now.
>
> I don't have any idea what to do now, here is my chroot log.
>
>
> [2017/06/29 11:06:53,  0] ../source3/winbindd/winbindd.c:1549(main)
>   winbindd version 4.2.14-Debian started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2014
> [2017/06/29 11:06:53.762576,  0]
> ../source3/winbindd/winbindd_cache.c:3235(initialize_winbindd_cache)
>   initialize_winbindd_cache: clearing cache and re-creating with
> version number 2
> [2017/06/29 11:06:53.767279,  0]
> ../source3/winbindd/winbindd_util.c:736(init_domain_list)
>   Could not fetch our SID - did we join?
> [2017/06/29 11:06:53.767317,  0]
> ../source3/winbindd/winbindd.c:1294(winbindd_register_handlers)
>   unable to initialize domain list
>
>
> Regards
>
> luke
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] Error communicating with Nessus

2017-07-28 Thread Fabrice Durand via PacketFence-users
Hello Akala,

if Nessus runs on the same server then try 127.0.0.1 for the server ip.

Also, what does this return: netstat -nlp | grep 8834

Regards

Fabrice



On 2017-07-28 at 12:09, Akala Kehinde via PacketFence-users wrote:
> Just FYI, the Nessus server runs on the PF server.
>
> Regards,
> Kehinde
>
> On Fri, Jul 28, 2017 at 5:53 PM, Akala Kehinde wrote:
>
> Hallo Guys,
>
> Quick one..
> I get this error when PF tries triggering a violation:
>
> Checked line 96 and seems it's an error with the creds, but creds
> is right. Or is the creds not supposed to be that on the Nessus
> server?
>
> Jul  8 13:57:58 pfence pfqueue: pfqueue(10450) INFO:
> [mac:00:50:ff:25:ce:00] New ID generated: 149951507810ce00
> (pf::util::generate_id)
> Jul  8 13:57:58 pfence pfqueue: pfqueue(10450) ERROR:
> [mac:00:50:ff:25:ce:00] communication error: Can't connect
> to 172.16.100.10:8834  at
> /usr/local/pf/lib/pf/scan/nessus6.pm  line 96.
>  (pf::api::can_fork::notify)
>
>
> Regards,
> Kehinde
>
> Regards,
> Kehinde
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Possible having same registration VLAN on GUEST and STAFF SSIDs??

2017-07-28 Thread Fabrice Durand via PacketFence-users
Yes it's possible but you have to play with the vlan filters.

Regards

Fabrice



On 2017-07-28 at 12:22, Akala Kehinde via PacketFence-users wrote:
> Or is it possible to have 2 different registration VLANs??
>
> Regards,
> Kehinde
>
> On Fri, Jul 28, 2017 at 6:21 PM, Akala Kehinde wrote:
>
> Hello guys,
>
> Below is my AP (Cisco 1242 AG) configuration in an OOB setup:
>
> When I tried configuring SSID GUEST to be in same initial VLAN 98
> as STAFF, I get an error. I am not sure if it's possible to have
> same registration VLAN i.e. 98 tied to different VLAN overrides
> i.e. STAFF and GUEST. 
>
> :
> :
> dot11 ssid GUEST
>    vlan 99 backup GUEST
>    authentication open mac-address MAC_METHODS
>    mbssid guest-mode
> !
> dot11 ssid STAFF
>    vlan 98 backup STAFF
>    authentication open eap EAP_METHODS
>    authentication key-management wpa
>    mbssid guest-mode
> :
> :
>
> I want a situation where the GUEST VLAN is also in same
> registration VLAN as STAFF before overridden to GUEST production
> VLAN. Is this possible??
>
>
> Regards,
> Kehinde
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] DHCP doesnt reply

2017-07-28 Thread Fabrice Durand via PacketFence-users
Hello Luís,

can you paste your networks.conf and pf.conf please ?

Regards

Fabrice



On 2017-07-28 at 10:37, Luís Torres via PacketFence-users wrote:
>
> Hello,
>
>  
>
> I'm new to PacketFence and I'm trying to get the captive portal
> working; I'm integrating with a Cisco WLC5500.
>
> If I use a DHCP server other than PF, it works fine, but with the PF
> dhcpd I can see the requests to the server but it won't reply with any IP.
>
>  
>
> Can you guys give me a help?
>
>  
>
> cheers
>
>  
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Bad Request 400 on Packetfence PKI

2017-07-28 Thread Fabrice Durand via PacketFence-users
Hello Akala,

can you check what you have in the packetfence pki logs ?

/usr/local/packetfence-pki/logs

Regards

Fabrice



On 2017-07-28 at 11:51, Akala Kehinde via PacketFence-users wrote:
> Hello Antoine,
>
> I still get the error even though the output below looks good:
>
> [root@egelsbach conf]# iptables -S | grep 9393
> -A input-management-if -p tcp -m tcp --dport 9393 -j ACCEPT
> [root@egelsbach conf]# ps -edf | grep packetfence-pki
> root  6108 1  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6111  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6113  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6114  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6116  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6117  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6118  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6120  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6121  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf6122  6108  0 12:36 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> pf7132  6108  0 12:43 ?00:00:00 /usr/sbin/httpd -f
> /usr/local/packetfence-pki/conf/httpd.conf
> root 19256 13884  0 17:49 pts/900:00:00 grep --color=auto
> packetfence-pki
> [root@egelsbach conf]# iptables -S | grep 9393
> -A input-management-if -p tcp -m tcp --dport 9393 -j ACCEPT
> [root@egelsbach conf]# 
> [root@egelsbach conf]# netstat -nlp | grep 9393
> tcp6   0  0 :::9393 :::*  
>  LISTEN  6108/httpd  
> [root@egelsbach conf]# 
>
>
> Regards,
> Kehinde
>
> On Fri, Jul 28, 2017 at 5:50 PM, Akala Kehinde wrote:
>
> Hello Antoine,
>
> I still get the error even though the output below looks good:
>
>
>
>
> Regards,
> Kehinde
>
> On Fri, Jul 28, 2017 at 3:59 PM, Antoine Amacher via
> PacketFence-users wrote:
>
> Hi,
>
> Can you make sure the pki is properly started,
>
> ps -edf | grep packetfence-pki
>
> netstat -nlp | grep 9393
>
> and that iptables is allowing it:
>
> iptables -S | grep 9393
>
> Thanks
>
>
> On 07/28/2017 06:53 AM, Akala Kehinde via PacketFence-users wrote:
>> Hello Guys,
>>
>> I get a Bad Request 400 when I try
>> accessing https://172.16.100.2:9393/
>>  i.e. the PKI server interface on
>> PF 7.2.
>>
>> Any idea what might be wrong?
>>
>> Regards,
>> Kehinde
>>
>>
>
> --
> Antoine Amacher
> aamac...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x130  :: +1 (866) 353-6153 x130
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>
>

Re: [PacketFence-users] Possible having same registration VLAN on GUEST and STAFF SSIDs??

2017-07-28 Thread Fabrice Durand via PacketFence-users
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_cisco_2


On 2017-07-28 at 12:21, Akala Kehinde via PacketFence-users wrote:
> Hello guys,
>
> Below is my AP (Cisco 1242 AG) configuration in an OOB setup:
>
> When I tried configuring SSID GUEST to be in same initial VLAN 98 as
> STAFF, I get an error. I am not sure if it's possible to have same
> registration VLAN i.e. 98 tied to different VLAN overrides i.e. STAFF
> and GUEST. 
>
> :
> :
> dot11 ssid GUEST
>    vlan 99 backup GUEST
>    authentication open mac-address MAC_METHODS
>    mbssid guest-mode
> !
> dot11 ssid STAFF
>    vlan 98 backup STAFF
>    authentication open eap EAP_METHODS
>    authentication key-management wpa
>    mbssid guest-mode
> :
> :
>
> I want a situation where the GUEST VLAN is also in same registration
> VLAN as STAFF before overridden to GUEST production VLAN. Is this
> possible??
>
>
> Regards,
> Kehinde
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] wmi query without result, how do I trigger an action

2017-08-08 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

can you put the log of pfqueue in TRACE and retry? You will have more
debug to understand what happens.

Edit conf/log/conf.d/pfqueue.conf

### pfqueue logger ###
log4perl.rootLogger = TRACE, QUEUE_SYSLOG

Regards
Fabrice

On 2017-08-07 at 09:23, Cristian Mammoli via PacketFence-users wrote:
> Hi, this is pretty trivial I think but I didn't find a way to make it
> work.
> I want to trigger a violation when a client has no antivirus
> installed, i configured a wmi rule like this:
>
> [custom_Antivirus]
> request=select * from AntiVirusProduct
> namespace=ROOT\SecurityCenter2
> action= <<EOT
> [AntivirusPresent]
> attribute = displayName
> operator = match
> value = *
>
> [1:!AntivirusPresent]
> action=trigger_violation
> action_param = mac = $mac, tid = 12, type = INTERNAL
> EOT
> on_tab=1
>
> But it does not work, I think the problem is that the query does not
> return any result and I get in the logs:
>
> pfqueue(7319) ERROR: [mac:20:cf:30:36:7c:bb] No WMI header given in
> string '' (pf::scan::wmi::rules::parseResult)
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] R: R: network-access-detection

2017-08-08 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

you probably misconfigured the dns.

Can you give me your networks.conf ?

Regards

Fabrice



On 2017-08-07 at 11:51, Alessandro Canella via PacketFence-users wrote:
>
> I’ve retried and checked traffic.
>
>  
>
> As written, I’m in inline, users authenticate but GIF cannot be
> retrieved.
>
>  
>
> But not only : from a successful registered client, I cannot query
> DNS. And any other packet works fine….
>
>  
>
>  
>
> How I can check where is “deny” that stops me?
>
>  
>
>  
>
>  
>
> *From:* Alessandro Canella via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 4 August 2017 08.18
> *To:* Ludovic Zammit;
> packetfence-users@lists.sourceforge.net
> *Cc:* Alessandro Canella
> *Subject:* [PacketFence-users] R: network-access-detection
>
>  
>
> Hello Ludovic,
>
>  
>
> I’ve tried with Win10, tested with both IP (I know, if I test the
> first reachable is not correct…) I’ve left Vlan Enforce due to
> incompatibility of switches, so I’m in inline mode.
>
>  
>
> I will try to raise timeout to 90 secs and to open it by hand in new tab.
>
>  
>
> Later I will recap tests.
>
>  
>
> Thanks in advance.
>
>  
>
>  
>
>  
>
>  
>
>  
>
> *From:* Ludovic Zammit [mailto:lzam...@inverse.ca]
> *Sent:* Thursday, 3 August 2017 19.40
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Alessandro Canella
> *Subject:* Re: [PacketFence-users] network-access-detection
>
>  
>
> Hello Alessandra,
>
>  
>
> Are you using Mac OS X ? Which PacketFence version are you using ?
>
>
> By default on the ZEN it will try to reach our public IP.
>
>  
>
> Once you get authorized after the registration process you will need to
> check if you have been placed into the correct vlan (In VLAN enforcement
> mode) and got the proper IP address.
>
>  
>
> Check also if you have internet, it's known for Mac OS X devices that
> they are slow to release their IP and pickup the new one (~90secs).
>
>  
>
> Try to have a tab open on the network-access-detection.gif and see if
> it loads after the registration process.
>
>  
>
> Thanks,
>
> Ludovic Zammit
> lzam...@inverse.ca  ::  +1.514.447.4918
> (x145) ::  www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> PacketFence (http://packetfence.org)
>
>  
>
>  
>
>  
>
> On Aug 3, 2017, at 11:41 AM, Alessandro Canella via
> PacketFence-users wrote:
>
>  
>
> Hello all,
>
>  
>
> I still have problem
> detecting  /common/network-access-detection.gif after access is
> granted. I’m using ZEN version.
>
>  
>
> I’ve tried lot of different config. All seems fine, gif is
> reachable from both side of inline mode but “unable to detect” is
> the last portal page that I seen.
>
>  
>
> Any ideas about which log explore?
>
>  
>
>  
>
>  
>
> 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Assign role based on device class

2017-08-04 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

you can do that:

[smartphones_by_devclass]
filter = node_info.device_class
operator = is
value = Smartphones/PDAs/Tablets

[employees_ssid]
filter = ssid
operator = is
value = aprapfdot1x

[set_smartphone_role:smartphones_by_devclass&employees_ssid]
scope = RegisteredRole
role = smartphones
action = modify_node
action_param = mac = $mac, category = smartphones


Regards
Fabrice

On 2017-08-04 at 07:52, Cristian Mammoli via PacketFence-users wrote:
> I saw one can set a role using a "violation" but this is not a real
> violation. The role is set but the device is put into the isolation
> vlan if I set "Re-evaluate". The violation should set the role,
> "self-close" and reevaluate.
> Anyway I cannot restrict the violation to only one SSID like I would like
>
> Another way is via vlan_filters like this:
>
> [smartphones_by_devclass]
> filter = node_info.device_class
> operator = is
> value = Smartphones/PDAs/Tablets
>
> [employees_ssid]
> filter = ssid
> operator = is
> value = aprapfdot1x
>
> [set_smartphone_role:smartphones_by_devclass&employees_ssid]
> scope = RegisteredRole
> role = smartphones
>
> It works but the role is not reflected in the gui, furthermore there is
> no way to "override" this behaviour for some device.
>
> What I would like to achieve is:
> Corporate smartphones are assigned the smartphone role and put in the
> appropriate vlan BY DEFAULT, but I should be able to override this if
> needed
>
> Ty
> On 03/08/2017 14:20, Cristian Mammoli via PacketFence-users wrote:
>> Hi, is it possible to assign a role based on the device class as
>> shown in the nodes page?
>>
>> I would like to put all corporate smartphones in a dedicated vlan but
>> I didn't find a way to do it.
>> Smartphones are authenticated with 802.1x, I tried to assign a role
>> in the authentication source based on the computer name "start with
>> android-" but it is ignored.
>>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 





Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Fabrice Durand via PacketFence-users
Hello Akala,

is ip_forward enabled?

is the time on the PacketFence server the same as on the AD server?

Regards

Fabrice



Le 2017-08-23 à 02:38, Akala Kehinde a écrit :
> Hello Fabrice,
>
> Kindly see below:
>
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
> Error looking up domain groups
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the trust secret for domain (null) via RPC calls failed
> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not check secret
> [root@pfence pf]#
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the NETLOGON for domain[] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
> Ping to winbindd failed
> could not ping winbindd!
> [root@pfence pf]#
>
>
> Tested with TESTMAWOH.DE  but still cannot join.. 
> It's driving me nuts:)
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users
>  > wrote:
>
> Hello Akala,
>
> what happens if you do this:
>
> chroot /chroots/MYDOMAIN
>
> wbinfo -u
>
> wbinfo -g
>
> if there are no usernames or groups displayed then try:
>
> dns_name=TESTMAWOH.DE 
>
> and rejoin
>
> Regards
> Fabrice
>
>
> Le 2017-08-22 à 22:21, Akala Kehinde via PacketFence-users a écrit :
>>
>> Hello guys,
>>
>> I get this error when trying to join PF to an Active Directory
>> Server:
>>
>> [root@pfence pf]# tail -f
>> /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>> [2017/08/23 02:20:34.196193,  0]
>> ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>   Could not fetch our SID - did we join?
>> [2017/08/23 02:20:34.196275,  0]
>> ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>   unable to initialize domain list
>> [2017/08/23 02:20:34.324267,  0]
>> ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>   initialize_winbindd_cache: clearing cache and re-creating with
>> version number 2
>> [2017/08/23 02:20:34.333731,  0]
>> ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>   Could not fetch our SID - did we join?
>>
>> [root@pfence pf]#
>>
>> Below is my domain.conf file:
>>
>> [MYDOMAIN]
>> 
>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
>> ntlm_cache=disabled
>> registration=0
>> ntlm_cache_expiry=3600
>> dns_name=egelsbach.testmawoh.de 
>> dns_servers=172.16.7.10
>> ou=Computers
>> ntlm_cache_on_connection=disabled
>> workgroup=TESTMAWOH
>> ntlm_cache_batch_one_at_a_time=disabled
>> sticky_dc=*
>> ad_server=winserver.egelsbach.testmawoh.de
>> 
>> ntlm_cache_batch=disabled
>> server_name=pfence
>> bind_pass=
>> bind_dn=
>>
>> [root@pfence pf]# ps -efd | grep winbindd
>> root 20052 1  7 04:15 ?00:00:14 winbindd-wrapper
>> root 21912 20052  1 04:18 ?00:00:00 sudo chroot
>> /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf
>> -l /var/log/sambaMYDOMAIN --foreground
>> root 21913 21912  0 04:18 ?00:00:00
>> /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l
>> /var/log/sambaMYDOMAIN --foreground
>> root 21915  4173  0 04:18 ttyS000:00:00 grep --color=auto
>> winbindd
>>
>> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd status
>> service|shouldBeStarted|pid
>> winbindd|1|20052
>> [root@pfence pf]#
>>
>> There is reachability between PF, the AD and DNS servers and all
>> can resolve DNS queries. 
>>
>> I have tried everything but it just refuses to bind. What else could
>> be wrong pls?
>>
>>
>> Regards,
>> Kehinde
>>
>>
>> 

Re: [PacketFence-users] Multiple Nessus scan policies possible on PF?

2017-08-23 Thread Fabrice Durand via PacketFence-users
If Nessus supports it then why not, but it needs to be coded in the Nessus6
module.

Regards

Fabrice


Le 2017-08-23 à 03:01, Akala Kehinde a écrit :
> Hello Fabrice,
>
> Basically what I was trying to ask is if it's possible to attach more
> than 1 scan policy to a Nessus scan engine. Don't think it's possible.
> Except you create another engine with another policy, and attach both
> scan engines in the connection profile. 
>
> scan.conf
>
> [ENGINE1]
> ip=172.16.100.10
> scannername=Local Scanner
> duration=30s
> categories=staff
> port=8834
> registration=1
> username=nessusadmin
> post_registration=1
> password=pass
> pre_registration=0
> oses=202,1
> nessus_clientpolicy=basic
> type=nessus6
>
> [ENGINE2]
> ip=172.16.100.10
> scannername=Local Scanner
> duration=30s
> categories=staff
> port=8834
> registration=1
> username=nessusadmin
> post_registration=1
> password=pass
> pre_registration=0
> oses=202,1
> nessus_clientpolicy=wannacry
> type=nessus6
>
> Profile.conf
>
> [SNS]
> filter=port:7,port:8
> description=SNS PROFILE
> sources=LDAP
> redirecturl=http://www.mawoh.de
> logo=/common/mawoh.png
> root_module=SNS_PORTAL
> access_registration_when_registered=enabled
> scans=ENGINE1,ENGINE2
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 4:47 AM, Durand fabrice via PacketFence-users
>  > wrote:
>
> Hello Akala,
>
> yes, based on the os.
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-08-18 à 15:44, Akala Kehinde via PacketFence-users a écrit :
>> Hello guys.
>>
>> Will like to know if it's possible to have more than 1 nessus
>> scan policy configured on PF.
>>
>> Regards,
>> Kehinde
>>
>>
>> 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Disable Self Registration on PacketFence 7.2

2017-08-23 Thread Fabrice Durand via PacketFence-users
Hello Chandra,

Create a new Root portal module and add an authentication login, then
create a new connection profile, add a filter based on, for example, the
SSID and assign a Root portal module that only does login.

To detect network connectivity, PacketFence tries to fetch a gif on the
internet, so if you are using PacketFence out of band then be sure
that the device is able to reach the internet once on the prod VLAN.
If you are using inline mode then be sure that ip_forward has been
enabled on the PacketFence server and be sure that the PacketFence server is
able to reach the internet.

Regards
Fabrice

Le 2017-08-23 à 06:09, Chandra Ardi Sancaka via PacketFence-users a écrit :
>
> Hi Guys,
>
>  
>
> I’m new to this application, so I got a question, it’s a simple one,
> but I couldn’t find the right answer to my problem.
>
>  
>
> The question is same as the subject : How to disable self registration
> on PF7.2
>
>  
>
> And can anyone point me in the right direction to solve this one too:
> unable to detect network connectivity. I’ve done a little on the web,
> someone solved it but doesn’t explain how to.
>
>  
>
> Please just please help me
>
>  
>
> Regards,
>
>  
>
> Chandra.
>
>  
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Captive portal SSL not using defined cert after PF7 upgrade

2017-08-23 Thread Fabrice Durand via PacketFence-users
HAProxy terminates the SSL tunnel now, not Apache anymore (for the portal).

So just this file is enough /usr/local/pf/conf/ssl/server.pem

Regards

Fabrice



Le 2017-08-23 à 03:24, Will Halsall via PacketFence-users a écrit :
>
> I just added the intermediate certificate to the cat process:
>
>  
>
> cat /usr/local/pf/conf/ssl/server.crt
> /usr/local/pf/conf/ssl/server.key
> /usr/local/pf/conf/ssl/intermediates.crt
> >/usr/local/pf/conf/ssl/server.pem
>
>  
>
>  
>
>  
>
> and  uncommented the intermediate certificate in ssl-certificates.conf
>
> Packetfence/conf/httpd.conf.d/ssl-certificates.conf:SSLCertificateChainFile
> %%install_dir%%/conf/ssl/intermediates.crt
>
>  
>
>  
>
> See if that helps
>
>  
>
>  
>
>
> *From:*Thomas, Gregory A via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, August 22, 2017 8:21 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Thomas, Gregory A
> *Subject:* Re: [PacketFence-users] Captive portal SSL not using
> defined cert after PF7 upgrade
>
>  
>
> I know this is an older post but I am having some problems with the
> cert getting to the user’s computer.
>
>  
>
> I have concatenated the crt and key file to a pem. The thing is, I am
> using a wild card cert with a chain so on some machines the user is
> seeing an error of an invalid cert. When looking at the cert they are
> seeing it is from *.uwp.edu (which is the valid name) I am guessing it
> is invalid because it is missing the chain crt.
>
>  
>
> Is there any way to include the chain in the pem file?
>
>  
>
> --
>
> Gregory A. Thomas
>
> Student Life Support Specialist
>
> University of Wisconsin-Parkside
>
> thom...@uwp.edu
> 
>
> 262.595.2432
>
>  
>
> *From:*Virginie Girou [mailto:virginie.gi...@ut-capitole.fr]
> *Sent:* Tuesday, May 2, 2017 3:27 AM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Subject:* Re: [PacketFence-users] Captive portal SSL not using
> defined cert after PF7 upgrade
>
>  
>
> Hello,
>
> thank you it works now !
>
> Virginie Girou
> Equipe systeme
> DSI - UT1 Capitole 
> Tel : +33 (0)5.61.63.39.19
>
> Le 28/04/2017 23:53, Sokolowski, Darryl a écrit :
>
> Fantastic!
>
> We’re up and running!
>
> Thanks again to all for your help!
>
>  
>
> Darryl
>
>  
>
> *From:*Louis Munro [mailto:lmu...@inverse.ca]
> *Sent:* Friday, April 28, 2017 5:46 PM
> *To:* packetfence-users@lists.sourceforge.net
> 
> *Subject:* Re: [PacketFence-users] Captive portal SSL not using
> defined cert after PF7 upgrade
>
>  
>
>  
>
> On Apr 28, 2017, at 5:25 PM, Sokolowski, Darryl
> > wrote:
>
>  
>
> Oh, ok, now I understand what Fabrice meant about haproxy
> terminating the ssl tunnel. Thanks for that explanation.
>
> Sorry, I didn’t pick that up right away.
>
>  
>
> I changed var/conf/haproxy.conf to point at my certificates,
> and every time I restart the service, it rewrites haproxy.conf
> file back to using server.pem.
>
>  
>
>  
>
> That's the expected behaviour.
>
> That file is actually generated based on your configuration, every
> time your start the service.
>
>  
>
>
>
> So reading your response again, it sounds like my concatenated
> certificate might need to be named ‘server.pem’.
>
> If I rename my certificate to ‘server.pem’, it works as desired.
>
> Is that the way to do it? Or am I still off-base?
>
>  
>
>  
>
> That's the way to go.
>
>  
>
>
>
> ‘server.pem’ won’t get overwritten by an upgrade?
>
>  
>
>  
>
> This is what the packetfence.spec file does:
>
> #Make ssl certificate
> if [ ! -f /usr/local/pf/conf/ssl/server.crt ]; then
>     openssl req -x509 -new -nodes -days 365 -batch\
>         -out /usr/local/pf/conf/ssl/server.crt\
>         -keyout /usr/local/pf/conf/ssl/server.key\
>         -nodes -config /usr/local/pf/conf/openssl.cnf
>     cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem
> fi
>
> So as long as you have a file named
> "/usr/local/pf/conf/ssl/server.crt" it won't overwrite the
> server.pem.
>
>
>
>  
>
>  
>
>  
>
> I agree that this should be configurable.
>
> I'm adding it to the wishlist for 7.1 or 7.2.
>
>  
>
>  
>
>  
>
> Regards,
> --
>
> Louis Munro
> lmu...@inverse.ca   ::  www.inverse.ca
>  
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu
> ) and PacketFence 
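
The thread above comes down to one file: HAProxy serves whatever is in server.pem, so the leaf certificate, its private key and the intermediate(s) all have to be in it. The following is an added example, not code from PacketFence or from the posters; the function names are hypothetical, and it assumes the concatenation order used in the thread (certificate, key, intermediates) and an `openssl` binary on the PATH for the last two checks.

```shell
#!/bin/sh
# Added example (not PacketFence code): sanity checks for the PEM bundle that
# HAProxy serves on the captive portal. All function names are hypothetical.

# Count PEM blocks in file $1 whose BEGIN label matches the ERE in $2.
pem_count() {
    grep -Ec -- "^-----BEGIN ($2)-----" "$1" || true
}

# Layout check: leaf certificate first, exactly one private key, and at
# least $2 certificates (default 2 = leaf + one intermediate).
bundle_layout_ok() {
    bundle=$1
    min_certs=${2:-2}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    first=$(sed -n '/^-----BEGIN /{p;q;}' "$bundle")
    certs=$(pem_count "$bundle" 'CERTIFICATE')
    keys=$(pem_count "$bundle" '([A-Z]+ )?PRIVATE KEY')
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] ||
        { echo "first block is not a certificate" >&2; return 1; }
    [ "$keys" -eq 1 ] ||
        { echo "expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge "$min_certs" ] ||
        { echo "only $certs certificate(s): chain is missing" >&2; return 1; }
}

# The private key in the bundle must belong to the leaf (first) certificate:
# compare the public key derived from each.
key_matches_leaf() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The leaf's issuer must appear as the subject of a later certificate in the
# bundle; otherwise clients that lack the intermediate reject the chain.
issuer_in_bundle() {
    tmp=$(mktemp -d) || return 2
    # Split every certificate block into its own file: cert1.pem, cert2.pem...
    awk -v dir="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; on = 1 }
        on { print > out }
        /^-----END CERTIFICATE-----/   { on = 0; close(out) }
    ' "$1"
    want=$(openssl x509 -in "$tmp/cert1.pem" -noout -issuer_hash 2>/dev/null)
    rc=1
    for c in "$tmp"/cert*.pem; do
        [ "$c" = "$tmp/cert1.pem" ] && continue
        have=$(openssl x509 -in "$c" -noout -subject_hash 2>/dev/null)
        [ -n "$want" ] && [ "$want" = "$have" ] && rc=0
    done
    rm -rf "$tmp"
    return $rc
}

# All three checks; run it against the bundle before restarting the portal.
check_portal_bundle() {
    bundle_layout_ok "$1" 2 && key_matches_leaf "$1" && issuer_in_bundle "$1"
}
```

A bundle built from only server.crt and server.key fails the layout check with "chain is missing", which is the situation the wildcard-certificate post describes.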

Re: [PacketFence-users] Packetfence-ZEN-7.2.0 bandwidth violation not working

2017-08-17 Thread Fabrice Durand via PacketFence-users
If radius accounting is not running then you will not be able to receive
radius accounting ...

So the bandwidth violation will not work.


Le 2017-08-17 à 09:37, Emmanuel Togo a écrit :
>
> Hello  Fabrice,
>
> Please see the error message after running  raddebug -f
> /usr/local/pf/run/radius-acct.sock -t 300
>
> radmin: Failed connecting to /usr/local/pf/run/radius-acct.sock: No
> such file or directory
>
>  
>
> Regards
>
> Emmanuel
>
>  
>
> *From: *Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net>
> *Reply-To: *"packetfence-users@lists.sourceforge.net"
> <packetfence-users@lists.sourceforge.net>
> *Date: *Thursday, August 17, 2017 at 12:18 PM
> *To: *"packetfence-users@lists.sourceforge.net"
> <packetfence-users@lists.sourceforge.net>
> *Cc: *Fabrice Durand <fdur...@inverse.ca>
> *Subject: *Re: [PacketFence-users] Packetfence-ZEN-7.2.0 bandwidth
> violation not working
>
>  
>
> raddebug ...
>
>  
>
> Le 2017-08-17 à 06:12, Emmanuel Togo a écrit :
>
> Hello Fabrice,
>
> raddebuf command is not available.
>
>  
>
> Regards
>
> Emmanuel
>
>  
>
> 
>
> *From:*Durand fabrice via PacketFence-users
> <packetfence-users@lists.sourceforge.net>
> <mailto:packetfence-users@lists.sourceforge.net>
> *Sent:* 26 July 2017 11:59 PM
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] Packetfence-ZEN-7.2.0 bandwidth
> violation not working
>
>  
>
> Hello Emmanuel,
>
> it looks that there is just start in your accounting (a way to send
> interim update and stop from the AP/Switch ?).
>
> Can you check with:
>
> raddebuf -f /usr/local/pf/run/radius-acct.sock -t 300
>
> and paste few requests ?
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-07-26 à 03:38, Emmanuel Togo via PacketFence-users a écrit :
> > Hello Fabrice,
> > Thank you once again.
> > The username in radacct_log is different from mac address. See
> below the output
> >
> > MariaDB [pf]> select * from radacct_log where username="sophos5";
> >
> 
> > +-----+---------------+----------+--------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
> > | id  | acctsessionid | username | nasipaddress | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
> > +-----+---------------+----------+--------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
> > | 772 | 002C-0019     | sophos5  | 10.1.5.145   | Start          | 2017-07-20 02:54:44 |               0 |                0 |               0 | c594c1423a7cde15a0d2ed85743f1d4a |
> > | 793 | 002C-0026     | sophos5  | 10.1.5.145   | Start          | 2017-07-20 09:56:48 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > | 795 | 002C-0027     | sophos5  | 10.1.5.145   | Start          | 2017-07-20 09:58:30 |               0 |                0 |               0 | 4ac58d4ddec42d583960a1982f32d62b |
> > | 797 | 002C-0028     | sophos5  | 10.1.5.145   | Start          | 2017-07-20 10:00:58 |               0 |                0 |               0 | 4ac58d4ddec42d583960a1982f32d62b |
> > | 909 | 00010B4E-0035 | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:03:04 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > | 915 | 00010B4E-0038 | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:25:21 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > | 921 | 00010B4E-003C | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:40:29 |               0 |                0 |               0 | 22775775af347dee8d387e13406c5f5f |
> > | 925 | 00010B4E-003F | sophos5  | 10.1.5.145   | Start          | 2017-07-20 15:46:58 |               0 |                0 |

Re: [PacketFence-users] VLAN Filter for MAB devices

2017-06-09 Thread Fabrice Durand via PacketFence-users
Hello Kehinde,

MAB is exactly what you need. Also, for that, create a violation that
will autoreg printers; it will be easier than VLAN filters.

Regards

Fabrice



Le 2017-06-08 à 07:51, Akala Kehinde via PacketFence-users a écrit :
> Hallo,
>
> Hallo guys,
>
> Want to know if it's possible to do MAB authentication for non-manageable
> devices like printers.
> Don't want to do Hybrid setup, prefer OOB setup instead.
>
> Or is it possible to define a VLAN filter that auto-registers these
> devices
> and assigns them a registered role?
>
> Something like this:
>
> [hp_printers]
> filter = node_info.mac
> operator = regex
> value = ^(00:04:0d|84:83:71|00:07:3b|00:09:6e).*
> [autoreg:hp_printers]
> scope = AutoReg
> role = devices
>
> The regex values, any tool out there to match full MAC address?
>
> Regards,
> Kehinde
> Regards,
> Kehinde
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
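
On the question in this thread about matching a full MAC address: the quoted pattern ends in `.*`, so it accepts anything that merely starts with one of the prefixes. The following is an added example, not PacketFence code and not from either poster; the function names are hypothetical, and it assumes the filter sees MACs in lowercase colon-separated form, as in the `mac:` log lines elsewhere on this page.

```shell
#!/bin/sh
# Added example (not PacketFence code): build an anchored regex that matches a
# complete MAC address under a list of OUIs, and compare it with the open-ended
# pattern quoted in the thread. Function names are hypothetical.

# Normalise each OUI (00:04:0D, 00-04-0d, 00040d, 0004.0d) to aa:bb:cc and
# join them into one alternation followed by exactly three more octets.
build_oui_regex() {
    alts=
    for oui in "$@"; do
        norm=$(printf '%s' "$oui" | tr 'A-F' 'a-f' | tr -d ':.-')
        case $norm in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
            *) echo "bad OUI: $oui" >&2; return 1 ;;
        esac
        pretty=$(printf '%s' "$norm" | sed 's/\(..\)\(..\)\(..\)/\1:\2:\3/')
        alts=${alts:+$alts|}$pretty
    done
    printf '^(%s)(:[0-9a-f]{2}){3}$\n' "$alts"
}

# True when MAC $2 (lower-cased first) matches the extended regex $1.
mac_matches() {
    printf '%s\n' "$2" | tr 'A-F' 'a-f' | grep -Eq -- "$1"
}

# Print a filter stanza in the layout used in the thread, with the anchored
# regex as its value. $1 = stanza name, remaining arguments = OUIs.
emit_filter() {
    name=$1
    shift
    re=$(build_oui_regex "$@") || return 1
    printf '[%s]\nfilter = node_info.mac\noperator = regex\nvalue = %s\n' "$name" "$re"
}

# Show, for each MAC given, what the open-ended and anchored patterns decide.
# $1 = open-ended regex, $2 = anchored regex, remaining arguments = MACs.
compare_patterns() {
    loose=$1
    strict=$2
    shift 2
    for mac in "$@"; do
        l=no
        s=no
        mac_matches "$loose" "$mac" && l=yes
        mac_matches "$strict" "$mac" && s=yes
        printf '%s loose=%s strict=%s\n' "$mac" "$l" "$s"
    done
}

# Constructed sample input: the OUIs are the ones quoted in the thread, the
# MAC addresses are made up for illustration.
demo() {
    page_re='^(00:04:0d|84:83:71|00:07:3b|00:09:6e).*'
    strict_re=$(build_oui_regex 00:04:0d 84:83:71 00:07:3b 00:09:6e)
    compare_patterns "$page_re" "$strict_re" \
        00:04:0d:12:34:56 00:04:0d:12:34 00:04:0d:12:34:56:78 00:05:0d:12:34:56
}
```

Calling `demo` shows the truncated and over-long addresses passing the open-ended pattern and failing the anchored one.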



Re: [PacketFence-users] Fw: Bandwidth Violation

2017-06-09 Thread Fabrice Durand via PacketFence-users
Hello Mancharagopan Ponnampalam,


first, are you using PacketFence in inline mode?


If it's inline mode you need to be sure that pfbandwidthd is enabled.

Also if you are using radius then you need to have the accounting from
the AP/Switch.

Regards

Fabrice



Le 2017-06-09 à 12:28, Mancharagopan Ponnampalam via PacketFence-users a
écrit :
>
>
> Hi,
>
>
> I recently downloaded packetfence ZEN 7.0 and I am trying to create
> bandwidth violation. But it's not working. Users can browse even after
> the bandwidth exceeded. What should i do?
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] node database errors after upgrade?

2017-06-14 Thread Fabrice Durand via PacketFence-users
Hello Denis,

you will have to compare the current schema and the schema from this
file :
https://github.com/inverse-inc/packetfence/blob/devel/db/pf-schema-6.4.0.sql

Connect to the pf database, run: explain node; and compare ...

regards

Fabrice



Le 2017-06-14 à 11:16, denis via PacketFence-users a écrit :
> Hello,
>
> I'm running a 6.4 PF server, upgraded from 4.x  6 months ago.
>
> Primary functionalities ( 802.1x, vlan enforcement,
> autoregistration...) are working as expected, but nodes databases
> seems to be corrupted :
>
>
> - node status is always unknown, switches and ports are not displayed
> on node info,
>
> - reevaluate access gives an error and does nothing.
>
> - packetfence.log has a lot of errors like
>
> Jun 14 17:00:36 httpd.aaa(9080) INFO: [mac:28:84:fa:f7:f8:c8] database
> query failed with: Unknown column 'role' in 'field list' (errno: 1054)
> (pf::db::db_query_execute)
>
> Apart from that it works.
>
>
> When upgrading db from 4.x i was very cautious in applying schema
> updates, but it looks like something goes wrong. I'm not expert in db,
> so if someone can help me to correct this problem, i will be happy to
> do this before upgrading to 7.1.
>
> Thanks
>
> Denis
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] VLAN Enforcement

2017-06-14 Thread Fabrice Durand via PacketFence-users
Hello Rafael,

vlan 10 is for registration so it's normal that you don't have internet
access.

Regards

Fabrice



Le 2017-06-12 à 16:14, Diogo Rafael via PacketFence-users a écrit :
>
> Hi,
>
> I'm trying to implement VLAN Enforcement on my environment but I'm
> having some troubles
>
> I have two interfaces, eth0 that connects to the internet and eth1.
>
> On the interface eth1 i have 3 VLANs, VLAN 10 for registration, VLAN
> 20 for Isolation, and VLAN 30 is none.
>
> When a user tries to register on VLAN10 he can't go through to the
> internet. Please help me.
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] PF 7.1 remove inline mode

2017-06-14 Thread Fabrice Durand via PacketFence-users
Hello Darryl,

in fact you just have to modify networks.conf and cluster.conf to remove
inline related config. (bin/pfcmd configreload hard)

Regards

Fabrice



Le 2017-06-13 à 18:12, Sokolowski, Darryl via PacketFence-users a écrit :
>
> Hi all,
>
> let me say I’m loving this product! Good work to all involved!
>
> Thank you for all your efforts!
>
>  
>
> My question is, I built my environment first, then clustered, and
> found out that inline mode isn’t supported in the clustered environment.
>
> So I’d like to remove it from my clustered environment, but can I do
> that safely?
>
> Can I just access the configurator again and clear the inline checkbox?
>
>  
>
> Or can I remove the references for the inline interface from the
> config files?
>
> I wanted to ask before I hose my installation.
>
>  
>
> Thanks
>
> Darryl
>
>  
>
>
>
> 
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence missing snort config

2017-10-04 Thread Fabrice Durand via PacketFence-users
Hello Kam,

PacketFence doesn't support local snort/suricata but just remote.

What you can do is to install security onion on another server and
configure it to send the alert to the packetfence server. (see doc).

I also agree that there are still references in the documentation to
the local snort/suricata config; I will remove them.

Regards

Fabrice



Le 2017-10-04 à 01:57, kam thang via PacketFence-users a écrit :
>
> Hi Guys,
>
> I'm planning to enable snort on packetfence but when i look for the
> snort conf in packetfence on the location /usr/local/pf/var/conf ... i
> couldn't find the snort.conf anywhere can you please help...
>
> OS: CentOS7 64bit
> Packetfence : yum installed packetfence-release-1.2-5.1.noarch.rpm
>
> Snort installed 2.9.9.0
>
>
> Thanks,
> Kam
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] PF 7.3 fresh install on Debian Jessie

2017-10-04 Thread Fabrice Durand via PacketFence-users
Hello Draffin,

it happens when your server is not able to download the database.

What you can do is answer no when it asks you for your fingerbank key
and it will not download the database.

Regards

Fabrice



Le 2017-10-03 à 22:21, Draffin, Walt via PacketFence-users a écrit :
> I'm trying to install PF 7.3 on a new installation of Debian 8.8
>
> When I run the apt-get install packetfence it downloads everything
> fine but when it starts installing I get the following error on
> fingerbank update.
>
> Setting up fingerbank (3.1.1-1) ...
> DBIx::Class::Schema::Versioned::upgrade(): Upgrade not necessary at
> db/upgrade.pl  line 59
>
> Most of the time it makes it through the 480 MB download but has yet
> to complete the 1.9 Gb download.  Everytime it gets to around 5 mins
> of downloading, I receive the following:
>
> curl: (18) transfer closed with  bytes remaining to read
>
> dpkg: error processing package fingerbank (--configure):
>  subprocess installed post-installation script returned error exit
> status 18
> Errors were encountered while processing:
>  fingerbank
>
> Is anyone else experiencing this or have any suggestions?
>
> Thanks,
> WaltDjr
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Cheap AP

2017-10-10 Thread Fabrice Durand via PacketFence-users
Hello Spencer,

you can try with an AP that supports OpenWrt; there is also a Ubiquiti
controller that can manage Ubiquiti APs and we are close to supporting
MAC-AUTH and 802.1x with this setup.

Regards

Fabrice



Le 2017-10-10 à 05:12, Spencer Hazell via PacketFence-users a écrit :
>
> Hi
>
>  
>
> Can you point me in the direction of a cheap AP (preferably fat – as I
> guess it cheaper) that will work?
>
>  
>
> We don’t have many guests and already have a solution in place, so I’d
> like a cheap dedicated AP that can be used for guests only?
>
>  
>
> Thanks
>
>  
>
> Spencer Hazell
>
>   
>
>  
>
>   
>
>
> *IT Manager*
>
>  
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Captive Portal allow only selected usernames

2017-10-10 Thread Fabrice Durand via PacketFence-users
Hello Tomasz,

you can try to validate your rules with pftest.

Also, can you try to escape the @, like: condition0=username,starts,testuser\@


Regards
Fabrice

On 2017-10-09 at 05:33, Tomasz Karczewski via PacketFence-users wrote:
>
> Hi Fabrice,
>
>  
>
> I’ve made source as you said. I have radius source with rules below
>
> [RADIUS rule ALLOW]
> description=Allow
> class=authentication
> match=any
> action0=set_role=guest
> action1=set_access_duration=1D
> condition0=username,starts,testuser@
>
> [RADIUS rule REJECT]
> description=Reject all
> class=authentication
> match=all
> action0=set_role=REJECT
> action1=set_access_duration=1h
>
> It should allow only username starts with „testuser” but REJECT rule
> seems not to work.
>
> Still registering other users. Maybe I missed something?
>
>  
>
> Tomasz Karczewski
>
> Administrator Sieci
>
>  
>
> olman
>
>  
>
> tkarczew...@man.olsztyn.pl
>
> http://www.man.olsztyn.pl   http://www.uwm.edu.pl
>
> tel. (89) 523 45 55  fax. (89) 523 43 47
>
>  
>
> Ośrodek Eksploatacji i Zarządzania
>
> Miejską Siecią Komputerową OLMAN w Olsztynie
>
> Uniwersytet Warmińsko-Mazurski w Olsztynie
>
>  
>
> *From:*Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, October 6, 2017 11:52 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Captive Portal allow only selected
> usernames
>
>  
>
> It's in the source where you have to define the rules.
>
> Also you can use a regexp in the rule to match what you need.
>
> Last thing: keep in mind that there is an order in the rules, so the
> first match wins and the last one can match by default.
>
>  
>
> On 2017-10-06 at 05:19, Tomasz Karczewski via PacketFence-users wrote:
>
> Thank you for response.
>
> Where exactly do i have to make these rules?
>
> Sources? Portal Profiles? Vlan filters?
>
> One more question. Is there a way to add to advanced rule to
> match i.e. company field defined in users field?
>
> If this field not match don’t allow?
>
>  
>
> Tomasz Karczewski
>
> Administrator Sieci
>
>  
>
> olman
>
>  
>
> tkarczew...@man.olsztyn.pl <mailto:tkarczew...@man.olsztyn.pl>
>
> http://www.man.olsztyn.pl   http://www.uwm.edu.pl
>
> tel. (89) 523 45 55  fax. (89) 523 43 47
>
>  
>
> Ośrodek Eksploatacji i Zarządzania
>
> Miejską Siecią Komputerową OLMAN w Olsztynie
>
> Uniwersytet Warmińsko-Mazurski w Olsztynie
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, October 5, 2017 8:12 PM
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand <fdur...@inverse.ca> <mailto:fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Captive Portal allow only
> selected usernames
>
>  
>
> Hello Tomasz,
>
> create a rule for each user and at the end add a catch_all with
> the reject role.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-10-05 at 07:42, Tomasz Karczewski via PacketFence-users wrote:
>
> Hi,
>
>  
>
> I'm trying to allow only selected users to wifi with specific ssid and
> connection-type.
>
> For example i have ssid "specificusers" connection type wireless-noeap.
>
> I want to allow only selected usernames to allow and register device with
> specific role i.e. "specificusers"
>
> us...@domain.com us...@domain.com us...@domain.com and not allow any other
> usernames.
>
> Did anyone do this?
>
>  
>
> Tnx for answers
>
> Tomasz Karczewski
>
>
>
>
>
> 

Re: [PacketFence-users] Captive Portal allow only selected usernames

2017-10-10 Thread Fabrice Durand via PacketFence-users
Just a little example here:

https://packetfence.org/doc/PacketFence_Administration_Guide.html#_connection_profiles


On 2017-10-09 at 02:40, Tomasz Karczewski via PacketFence-users wrote:
>
> Thank you Fabrice.
>
> One more question. Where can i find values or examples of captive
> portal advanced filters?
>
>  
>
> Tomasz Karczewski
>
> Administrator Sieci
>
>  
>
> olman
>
>  
>
> tkarczew...@man.olsztyn.pl
>
> http://www.man.olsztyn.pl   http://www.uwm.edu.pl
>
> tel. (89) 523 45 55  fax. (89) 523 43 47
>
>  
>
> Ośrodek Eksploatacji i Zarządzania
>
> Miejską Siecią Komputerową OLMAN w Olsztynie
>
> Uniwersytet Warmińsko-Mazurski w Olsztynie
>
>  
>
> *From:*Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, October 6, 2017 11:52 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Captive Portal allow only selected
> usernames
>
>  
>
> It's in the source where you have to define the rules.
>
> Also you can use a regexp in the rule to match what you need.
>
> Last thing: keep in mind that there is an order in the rules, so the
> first match wins and the last one can match by default.
>
>  
>
> On 2017-10-06 at 05:19, Tomasz Karczewski via PacketFence-users wrote:
>
> Thank you for response.
>
> Where exactly do i have to make these rules?
>
> Sources? Portal Profiles? Vlan filters?
>
> One more question. Is there a way to add to advanced rule to
> match i.e. company field defined in users field?
>
> If this field not match don’t allow?
>
>  
>
> Tomasz Karczewski
>
> Administrator Sieci
>
>  
>
> olman
>
>  
>
> tkarczew...@man.olsztyn.pl <mailto:tkarczew...@man.olsztyn.pl>
>
> http://www.man.olsztyn.pl   http://www.uwm.edu.pl
>
>     tel. (89) 523 45 55  fax. (89) 523 43 47
>
>  
>
> Ośrodek Eksploatacji i Zarządzania
>
> Miejską Siecią Komputerową OLMAN w Olsztynie
>
> Uniwersytet Warmińsko-Mazurski w Olsztynie
>
>  
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, October 5, 2017 8:12 PM
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand <fdur...@inverse.ca> <mailto:fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Captive Portal allow only
> selected usernames
>
>  
>
> Hello Tomasz,
>
> create a rule for each user and at the end add a catch_all with
> the reject role.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-10-05 at 07:42, Tomasz Karczewski via PacketFence-users wrote:
>
> Hi,
>
>  
>
> I'm trying to allow only selected users to wifi with specific ssid and
> connection-type.
>
> For example i have ssid "specificusers" connection type wireless-noeap.
>
> I want to allow only selected usernames to allow and register device with
> specific role i.e. "specificusers"
>
> us...@domain.com us...@domain.com us...@domain.com and not allow any other
> usernames.
>
> Did anyone do this?
>
>  
>
> Tnx for answers
>
> Tomasz Karczewski
>
>
>
>
>
> 

Re: [PacketFence-users] Captive Portal allow only selected usernames

2017-10-05 Thread Fabrice Durand via PacketFence-users
Hello Tomasz,

create a rule for each user and at the end add a catch_all with the
reject role.

Regards

Fabrice



On 2017-10-05 at 07:42, Tomasz Karczewski via PacketFence-users wrote:
> Hi,
>
> I'm trying to allow only selected users to wifi with specific ssid and 
> connection-type.
> For example i have ssid "specificusers" connection type wireless-noeap.
> I want to allow only selected usernames to allow and register device with 
> specific role i.e. "specificusers"
> us...@domain.com us...@domain.com us...@domain.com and not allow any other 
> usernames.
> Did anyone do this?
>
> Tnx for answers
> Tomasz Karczewski
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
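
An added example, not PacketFence code and not part of the original posts: a simplified Python model of the ordered, first-match-wins evaluation described in this thread, run over the two rules quoted earlier, plus a check that the rule list ends in a condition-less catch-all with the reject role. The function names, the `ends` and `equals` operators, and the reading of `match=any`/`match=all` are assumptions of the model.

```python
import configparser

# Constructed sample: the two rules quoted in this thread, in the same order.
SOURCE_RULES = """\
[RADIUS rule ALLOW]
description=Allow
class=authentication
match=any
action0=set_role=guest
action1=set_access_duration=1D
condition0=username,starts,testuser@

[RADIUS rule REJECT]
description=Reject all
class=authentication
match=all
action0=set_role=REJECT
action1=set_access_duration=1h
"""

# Condition operators of this model. Only "starts" appears in the thread;
# "ends" and "equals" are assumptions added for illustration.
OPERATORS = {
    "starts": lambda value, arg: value.startswith(arg),
    "ends": lambda value, arg: value.endswith(arg),
    "equals": lambda value, arg: value == arg,
}


def parse_rules(text):
    """Parse rule sections into a list that preserves file order."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    rules = []
    for name in parser.sections():
        conditions, actions = [], {}
        for key, value in parser[name].items():
            if key.startswith("condition"):
                parts = value.split(",", 2)  # attribute, operator, argument
                if len(parts) != 3 or parts[1] not in OPERATORS:
                    raise ValueError(f"{name}: unsupported condition {value!r}")
                conditions.append(tuple(parts))
            elif key.startswith("action"):
                action, _, argument = value.partition("=")
                actions[action] = argument
        rules.append({
            "name": name,
            "match": parser[name].get("match", "all"),
            "conditions": conditions,
            "actions": actions,
        })
    return rules


def rule_matches(rule, attrs):
    """A rule without conditions is a catch-all, whatever its match mode.

    Without this special case any() over an empty list would be False and
    all() would be True, so the outcome would depend on the match mode.
    """
    if not rule["conditions"]:
        return True
    results = [OPERATORS[op](attrs.get(attr, ""), arg)
               for attr, op, arg in rule["conditions"]]
    return any(results) if rule["match"] == "any" else all(results)


def evaluate(rules, attrs):
    """Return (rule name, actions) of the first rule that matches."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule["name"], rule["actions"]
    return None, {}


def lint_default_deny(rules, reject_role="REJECT"):
    """Report orderings that leave an allowlist open or make rules unreachable."""
    findings = []
    for rule in rules[:-1]:
        if not rule["conditions"]:
            findings.append(f"{rule['name']}: catch-all is not last, "
                            "later rules can never match")
    last = rules[-1] if rules else None
    if (last is None or last["conditions"]
            or last["actions"].get("set_role") != reject_role):
        findings.append("no trailing catch-all with the reject role")
    return findings


if __name__ == "__main__":
    rules = parse_rules(SOURCE_RULES)
    # Constructed usernames for the demonstration.
    for user in ("testuser@example.org", "other@example.org"):
        name, actions = evaluate(rules, {"username": user})
        print(f"{user}: {name} -> {actions.get('set_role')}")
    print("lint:", lint_default_deny(rules) or "ok")
```

In this model the quoted rule order gives `guest` to usernames starting with `testuser@` and `REJECT` to everyone else; reversing the order makes the catch-all shadow the allow rule, which the lint reports.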



Re: [PacketFence-users] VERY Slow Database

2017-10-17 Thread Fabrice Durand via PacketFence-users
Hello Joshua,

it's probably the radacct/radacct_log/locationlog table.

Do a: select count(*) from radacct; (on each table) you probably have a
huge table.

So just do a truncate radacct/radacct_log/locationlog and it should be ok.

Btw in the new packetfence version we limit that.

Regards

Fabrice



On 2017-10-17 at 04:12, Nathan, Josh via PacketFence-users wrote:
> So, we have a PacketFence 6.0.1 installation, and it's been plugging
> along for almost two years now.  However, its database has gotten
> REALLY slow.  The PacketFence admin page actually times out when
> trying to load the Node list (only 25 entries per page selected).  The
> server isn't being stressed at all that I can tell.  I'm not really a
> DB admin.  What can I do to kick some new life back into our PF database?
>
> Thanks,
>
>   
> Joshua Nathan
> *IT Technician*
> Black Forest Academy
>
> p:+49 (0) 7626 9161 630 m: +49 (0) 152 3452 0056
> a:
> w:Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de 
>
>   
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Can't download and update fingerbank DB

2017-10-17 Thread Fabrice Durand via PacketFence-users
Hello Yan,

it looks like you didn't import fingerbank into mysql.

Go in Configuration -> Compliance -> Fingerbank Profiling -> General
settings then in Action "Initialize MySQL database".


Regards

Fabrice



On 2017-10-17 at 03:19, Yan via PacketFence-users wrote:
> Hi dear users,
>
> We are using PF V7.2 in our office. We want to use PF to recognize
> mobile devices from computers when connecting wireless ssid. It seems
> PF define device's type via DHCP fingerprint. Our packetfence.log
> keeps logging "pfqueue: pfqueue(1341) WARN: [mac:ff:ee:dd:cc:bb:aa]
> Unable to perform a Fingerbank lookup for device with MAC address
> 'ff:ee:dd:cc:bb:aa' (pf::fingerbank::__ANON__)".
>
> And after I ran the "Update Fingerbank DB" button and restart pf
> services, the packetfence.log is now filling with "pfqueue(6013)
> ERROR: [mac:04:xx:xx:cb:0f:74]
> DBIx::Class::Storage::DBI::_dbh_execute(): Table
> 'pf_fingerbank.dhcp_vendor' doesn't exist at
> /usr/local/pf/lib/fingerbank/Base/CRUD.pm line
> 416 (pf::api::can_fork::notify)"
>
> How to reinstall and update fingerbank? Anyone could help? Thank you
> very much.
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence working with WLC 8.3.122

2017-10-17 Thread Fabrice Durand via PacketFence-users
Hello Brian,


the dns must be a production one.

The wlc is supposed to intercept the http/https traffic and forward you
to the captive portal.


So it can be an issue with the ACL (i am not sure since you are able to
hit it), or maybe you didn't enable Radius NAC in the ssid config.

Regards

Fabrice



On 2017-10-17 at 09:50, bott wrote:
>
> Actually I'm wrong, although I changed the DNS server to point to the
> portal page I do now get redirected, however after registration
> nothing works as DNS is still pointing to the portal IP and it answers
> every query with the portal page.
>
>
>
>
> On 2017-10-12 08:41 AM, Fabrice Durand wrote:
>>
>> Hello Brian,
>>
>> are you able to resolve a fqdn from your laptop?
>>
>> What is your acl? Can you show me how it looks?
>>
>> Regards
>> Fabrice
>>
>>
>>> On 2017-10-11 at 09:23, Brian Ott wrote:
>>>
>>> Thanks for the reply Fabrice!
>>>
>>>
>>> Changing to HTTP doesn't alter the results, it still doesn't forward. 
>>>
>>>
>>> Brian Ott
>>>
>>> Ontario Institute for Cancer Research
>>> MaRS Centre, South Tower
>>> 101 College Street, Suite 800
>>> Toronto, Ontario, Canada M5G 0A3
>>> 
>>> Telephone:    647-260-7977
>>> Email:  brian@oicr.on.ca
>>> www.oicr.on.ca
>>>
>>>  
>>>
>>> This message and any attachments may contain confidential and/or
>>> privileged information for the sole use of the intended recipient.
>>> Any review or distribution by anyone other than the person for whom
>>> it was originally intended is strictly prohibited. If you have
>>> received this message in error, please contact the sender and delete
>>> all copies. Opinions, conclusions or other information contained in
>>> this message may not be that of the organization.
>>> 
>>> *From:* Durand fabrice via PacketFence-users
>>> 
>>> *Sent:* Friday, October 6, 2017 5:54:37 PM
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* Durand fabrice
>>> *Subject:* Re: [PacketFence-users] Packetfence working with WLC 8.3.122
>>>  
>>>
>>> Hello,
>>>
>>> can you try to set the redirect url in http instead of https ?
>>>
>>> Regards
>>> Fabrice
>>>
>>> On 2017-10-06 at 16:02, bott via PacketFence-users wrote:
>>>> Hello,
>>>>
>>>> We have had packetfence working on older versions and are looking
>>>> upgrade our WLC and Packetfence install.
>>>>
>>>>
>>>> From a fresh install only using "web-auth" and following the
>>>> provided guide on the website for the WLC controller it looks as if
>>>> everything is fine. I see the client connect, the ACL is sent and
>>>> in the client information as well as the redirect URL.
>>>>
>>>> However a few things happen:
>>>> 1. The user does not get redirected when attempting to browse. (IE:
>>>> input google.com in browser and nothing happens but a timeout - no
>>>> redirect)
>>>> 2. I can access the URL directly that is listed in the "Redirect
>>>> URL" on the WLC.
>>>>
>>>> The interface is different from version 6 so I'm not sure if I'm
>>>> missing something. I've provided screenshots here to show that it
>>>> looks fine:
>>>> https://imgur.com/a/KGjRx
>>>>
>>>> I'm not sure why its not forcing a redirect when trying to browse,
>>>> any help would be appreciated.
>>>
>>
>> -- 
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org) 
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Customize captive portal profile

2017-10-17 Thread Fabrice Durand via PacketFence-users
Hello Hubert,

you have a tab "Files" in Connection Profiles and Pages.

Feel free to edit the html pages.

Also there are locales in conf/locale/en/LC_MESSAGES that you probably have
to edit too.

Do that after you have edited the locales:

for TRANSLATION in de en es fr he_IL it nl pl_PL pt_BR; do
    /usr/bin/msgfmt conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.po \
  --output-file conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.mo
done

Regards

Fabrice



On 2017-10-16 at 00:54, Hubert Kupper via PacketFence-users wrote:
> Hello,
>
> I want to customize the default captive portal profile and change
> "username/password" to "mailaccount/password". Which file do I have to
> edit or is the Template Toolkit required?
>
> Regards,
> Hubert
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] Packetfence working with WLC 8.3.122

2017-10-12 Thread Fabrice Durand via PacketFence-users
Hello Brian,

are you able to resolve a fqdn from your laptop?

What is your acl? Can you show me how it looks?

Regards
Fabrice


On 2017-10-11 at 09:23, Brian Ott wrote:
>
> Thanks for the reply Fabrice!
>
>
> Changing to HTTP doesn't alter the results, it still doesn't forward. 
>
>
> Brian Ott
>
> Ontario Institute for Cancer Research
> MaRS Centre, South Tower
> 101 College Street, Suite 800
> Toronto, Ontario, Canada M5G 0A3
> 
> Telephone:    647-260-7977
> Email:  brian@oicr.on.ca
> www.oicr.on.ca
>
>  
>
> This message and any attachments may contain confidential and/or
> privileged information for the sole use of the intended recipient. Any
> review or distribution by anyone other than the person for whom it was
> originally intended is strictly prohibited. If you have received this
> message in error, please contact the sender and delete all copies.
> Opinions, conclusions or other information contained in this message
> may not be that of the organization.
> 
> *From:* Durand fabrice via PacketFence-users
> 
> *Sent:* Friday, October 6, 2017 5:54:37 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] Packetfence working with WLC 8.3.122
>  
>
> Hello,
>
> can you try to set the redirect url in http instead of https ?
>
> Regards
> Fabrice
>
> On 2017-10-06 at 16:02, bott via PacketFence-users wrote:
>> Hello, 
>>
>> We have had packetfence working on older versions and are looking
>> upgrade our WLC and Packetfence install. 
>>
>>
>> From a fresh install only using "web-auth" and following the provided
>> guide on the website for the WLC controller it looks as if everything
>> is fine. I see the client connect, the ACL is sent and in the client
>> information as well as the redirect URL. 
>>
>> However a few things happen: 
>> 1. The user does not get redirected when attempting to browse. (IE:
>> input google.com in browser and nothing happens but a timeout - no
>> redirect)
>> 2. I can access the URL directly that is listed in the "Redirect URL"
>> on the WLC. 
>>
>> The interface is different from version 6 so I'm not sure if I'm
>> missing something. I've provided screenshots here to show that it
>> looks fine: 
>> https://imgur.com/a/KGjRx
>>
>> I'm not sure why its not forcing a redirect when trying to browse,
>> any help would be appreciated. 
>>
>>
>>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Captive Portal fiels translation

2017-09-26 Thread Fabrice Durand via PacketFence-users
Hello Luís,

there https://www.transifex.com/inverse/packetfence/

Regards

Fabrice



On 2017-09-25 at 05:57, Luís Torres via PacketFence-users wrote:
>
> Hello mates,
>
>  
>
> how can I translate the captive portal to other language? any guides?
>
>  
>
> thanks
>
>  
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Service Disappeared

2017-09-26 Thread Fabrice Durand via PacketFence-users
Hello Nathan,

there is no systemd script to restart the whole packetfence's services.

What you can do is the following:

/usr/local/pf/bin/pfcmd service pf start


Regards

Fabrice



On 2017-09-26 at 04:43, Nathan, Josh via PacketFence-users wrote:
> Sorry, to be a little more specific... it seems that at least a number
> of the files are still in /etc/systemd/system... but when I issue
> "systemctl start packetfence", I get:
>
> Failed to start packetfence.service: Unit not found.
>
>
>
>   
> Joshua Nathan
> *IT Technician*
> Black Forest Academy
>
> p:+49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
> a:
> w:Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de 
>
>   
>
>
>
> On Tue, Sep 26, 2017 at 10:37 AM, Nathan, Josh
> > wrote:
>
> Strange issue... I just did a clean install of PacketFence 7.2.0
> on a CentOS 7 server.  However, at some point over night, my
> PacketFence service disappeared.  The directory and configurations
> seem to all still be in place, but the service is gone.  Is there
> a way to readily recreate that?
>
> Thanks,
>
>   
> Joshua Nathan
> *IT Technician*
> Black Forest Academy
>
> p:+49 (0) 7626 9161 630   m: +49 (0)
> 152 3452 0056 
> a:
> w:Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de 
>
>   
>
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] upgrade to 7.3.0

2017-10-02 Thread Fabrice Durand via PacketFence-users
Hello Kylián,

anything in packetfence.log ?

Can you see something in journalctl ?

Regards

Fabrice



On 2017-09-29 at 09:21, Kylián Martin via PacketFence-users wrote:
> Hi all,
>
> having strange behavior after upgrade to 7.3.0:
>
>
> /var/log/messages
>
> Sep 29 15:02:04 NAC1 perl: [1506690124.92286] Failed to connect to config 
> service for namespace resource::switches_list, retrying
> Sep 29 15:02:04 NAC1 pfcmd: [1506690124.96461] Failed to connect to config 
> service for namespace resource::URI_Filters, retrying
> Sep 29 15:02:05 NAC1 perl: [1506690125.02363] Failed to connect to config 
> service for namespace resource::switches_list, retrying
> Sep 29 15:02:05 NAC1 pfcmd: [1506690125.06546] Failed to connect to config 
> service for namespace resource::URI_Filters, retrying
> Sep 29 15:02:05 NAC1 perl: [1506690125.12438] Failed to connect to config 
> service for namespace resource::switches_list, retrying
> Sep 29 15:02:05 NAC1 pfcmd: [1506690125.16625] Failed to connect to config 
> service for namespace resource::URI_Filters, retrying
> Sep 29 15:02:05 NAC1 perl: [1506690125.22515] Failed to connect to config 
> service for namespace resource::switches_list, retrying
> Sep 29 15:02:05 NAC1 pfcmd: [1506690125.26706] Failed to connect to config 
> service for namespace resource::URI_Filters, retrying
> Sep 29 15:02:05 NAC1 perl: [1506690125.32599] Failed to connect to config 
> service for namespace resource::switches_list, retrying
>
> And I am unable to make changes through web mgmt: Error! Unable to commit 
> changes to file please run pfcmd fixpermissions and try again
>
> I've googled same issue in version 4.7, thread is without solution.
> Already tried pfcmd fixpermissions and restart packetfence-config , no luck
>
> Can anybody help please?
>
>
> Ing. Martin Kylián
> specialista pro správu sítě a bezpečnost
>
> E kyli...@plzen.eu
> T +420 378 035 108
> M +420 777 247 298
> W www.sitmp.cz
>
> Správa informačních technologií města Plzně
> Dominikánská 4, 301 00  Plzeň
>
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] IP Revolution

2017-10-02 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

what you probably have to do is to change the default route to use OUT
and define in PacketFence configuration Interface SNAT to OUT.

With that the OUT interface will be natted for the inline network and
the default route will permit to pass through this interface.

Regards

Fabrice



On 2017-10-02 at 05:46, Alessandro Canella via PacketFence-users wrote:
> Hello All,
>
> I've built a PF ZEN environment for test purposes, based on 7.10
>
> REG  IF is 192.168.30.x/24, VLAN 30
> MGM   IF is 153.47.30.0/25, VLAN 1
>
> Now I need to go to production, but some ICT Security changes are happened.
>
> REG  IF remain  192.168.30.x/24, VLAN 30
> MGM   IF will be 10.206.1.128/25, VLAN 50
> OUT(OUTGOING TRAFFIC )  IF will flow via 192.168.0.0/24, VLAN 90
>
> I've added virtual interfaces, on correct VLANs. To make it Simple I think to 
> change IP to old MGM (Eth0)  interface assigning OUT IP
>
> So, first of all I need to gain access to MGMT portal in 10.206.1.128/25 IF, 
> I think shortest way is using some persistent route adding it in 
> /etc/sysconfig/network-scripts/route-eth0.50 maybe?
>
> After this I can change "old" master eth0 IP, and should be work?
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] Captive Portal certificate

2017-10-03 Thread Fabrice Durand via PacketFence-users
You probably made a mistake with the concatenated certificate.

Are there any empty lines in the file?


On 2017-10-03 at 09:48, Luís Torres via PacketFence-users wrote:
>
> Hi Fabrice,
>
>  
>
> Just did that, restarted the haproxy but the result was :
>
>  
>
> ERROR pfcmd.pl(50729):
> pf::services::manager::haproxy=HASH(0xade6b0)->name died or has failed
> to start (pf::services::manager::postStartCleanup)
>
>  
>
> the service HAproxy won't start
>
>  
>
> regards
>
> LT
>
>  
>
> On 2017-10-03 at 14:13, Fabrice Durand via PacketFence-users wrote:
>
>> In fact haproxy terminates the ssl tunnel so you don't have to change
>> the ssl-certificates.conf file.
>>
>> This file is just used for the admin interface now and not the portal
>> anymore.
>>
>> So just do that: (MyCERT.crt and MyPRIVKEY.key are your certificate
>> files)
>>
>> cat conf/ssl/MyCERT.crt conf/ssl/MyPRIVKEY.key > conf/ssl/server.pem
>>
>> Regards
>>
>> Fabrice
>>
>>  
>>
>>
>> On 2017-10-03 at 05:25, Luís Torres via PacketFence-users wrote:
>>>
>>> thank you Fabrice,
>>>
>>>  
>>>
>>> The ssl-certificates.conf should be like this as well? :
>>>
>>>  
>>>
>>> */SSLCertificateChainFile %%install_dir%%/conf/ssl/server.pem/*
>>>
>>>  
>>>
>>>  
>>>
>>> cheers
>>>
>>>  
>>>
>>> On 2017-10-02 at 23:49, Durand fabrice via PacketFence-users wrote:
>>>
>>> Hello Luís,
>>>
>>> you need to concatenate the certificates like that:
>>>
>>> cat conf/ssl/server.crt conf/ssl/server.key > conf/ssl/server.pem
>>>
>>> and restart haproxy
>>>
>>>  
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>  
>>>
>>>
>>> On 2017-10-02 at 10:57, Luís Torres via PacketFence-users wrote:
>>>
>>> Hi,
>>>
>>>  
>>>
>>> to stop the cert error on the captive portal, is it only needed
>>> to change it in ssl-certificates.conf to point to the
>>> correct ones?
>>>
>>>  
>>>
>>> thanks
>>>
>>>  
>>>
>>>
>>
>> -- 
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org) 
>>

Re: [PacketFence-users] Captive Portal certificate

2017-10-03 Thread Fabrice Durand via PacketFence-users
In fact haproxy terminates the ssl tunnel so you don't have to change the
ssl-certificates.conf file.

This file is just used for the admin interface now and not the portal
anymore.

So just do that: (MyCERT.crt and MyPRIVKEY.key are your certificate files)

cat conf/ssl/MyCERT.crt conf/ssl/MyPRIVKEY.key > conf/ssl/server.pem

Regards

Fabrice



On 2017-10-03 at 05:25, Luís Torres via PacketFence-users wrote:
>
> thank you Fabrice,
>
>  
>
> The ssl-certificates.conf should be like this as well? :
>
>  
>
> */SSLCertificateChainFile %%install_dir%%/conf/ssl/server.pem/*
>
>  
>
>  
>
> cheers
>
>  
>
> On 2017-10-02 at 23:49, Durand fabrice via PacketFence-users wrote:
>
>> Hello Luís,
>>
>> you need to concatenate the certificates like that:
>>
>> cat conf/ssl/server.crt conf/ssl/server.key > conf/ssl/server.pem
>>
>> and restart haproxy
>>
>>  
>>
>> Regards
>>
>> Fabrice
>>
>>  
>>
>>
>> On 2017-10-02 at 10:57, Luís Torres via PacketFence-users wrote:
>>>
>>> Hi,
>>>
>>>  
>>>
>>> to stop the cert error on the captive portal, is it only needed to
>>> change it in ssl-certificates.conf to point to the correct ones?
>>>
>>>  
>>>
>>> thanks
>>>
>>>  
>>>
>>>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
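
A structural check for the concatenated server.pem discussed in this thread, as an added example that is not part of the original messages or PacketFence's own code: it reports empty lines (the question raised earlier in the thread) and the fused boundary line that plain `cat` produces when the certificate file has no trailing newline. All function names and the sample PEM blocks are constructed for illustration; the bodies are filler bytes, so whether the key matches the certificate is not checked.

```python
"""Structural lint for a bundle built with `cat cert key > server.pem`.

Constructed example: the PEM bodies used below are filler bytes, not real
certificates or keys, so only the file structure is checked.
"""
import base64
import re

BOUNDARY_RE = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")
HEADER_RE = re.compile(r"^[A-Za-z-]+: \S")  # e.g. "Proc-Type: 4,ENCRYPTED"


def lint_pem_bundle(text):
    """Return (labels, findings) for the text of a concatenated PEM file."""
    labels, findings = [], []
    label, body, in_headers = None, [], False  # state of the open block

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        markers = BOUNDARY_RE.findall(line)
        if markers:
            if len(markers) > 1:
                findings.append("line %d: two PEM boundaries on one line "
                                "(an input file had no trailing newline)" % lineno)
            elif BOUNDARY_RE.sub("", line):
                findings.append("line %d: stray text on a boundary line" % lineno)
            for kind, name in markers:
                if kind == "BEGIN":
                    if label is not None:
                        findings.append("line %d: BEGIN %s inside unterminated %s"
                                        % (lineno, name, label))
                    label, body, in_headers = name, [], False
                elif label != name:
                    findings.append("line %d: END %s does not close %s"
                                    % (lineno, name, label or "any open block"))
                    label = None
                else:
                    try:
                        base64.b64decode("".join(body), validate=True)
                    except ValueError:  # binascii.Error is a ValueError
                        findings.append("line %d: body of %s is not valid base64"
                                        % (lineno, name))
                    labels.append(name)
                    label = None
        elif not line:
            if label is not None and in_headers and not body:
                in_headers = False  # the one blank line allowed after key headers
            else:
                where = "inside %s" % label if label else "between PEM blocks"
                findings.append("line %d: empty line %s" % (lineno, where))
        elif label is None:
            findings.append("line %d: text outside any PEM block" % lineno)
        elif not body and HEADER_RE.match(line):
            if not in_headers:
                findings.append("line %d: %s carries encryption headers "
                                "(passphrase-protected key)" % (lineno, label))
            in_headers = True
        else:
            body.append(line)

    if label is not None:
        findings.append("end of file: %s block is never closed" % label)
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block found")
    keys = [name for name in labels if name.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        findings.append("expected one private key block, found %d" % len(keys))
    return labels, findings


def safe_concat(*parts):
    """Join PEM texts so each part ends in exactly one newline."""
    return "".join(part.strip() + "\n" for part in parts)


def make_block(label, payload):
    """Build a PEM-shaped block around filler bytes (constructed sample data)."""
    b64 = base64.b64encode(payload).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(rows), label)


CERT = make_block("CERTIFICATE", b"constructed sample, not a real certificate " * 3)
KEY = make_block("PRIVATE KEY", b"constructed sample, not a real private key " * 3)

if __name__ == "__main__":
    cases = {
        "clean": CERT + KEY,
        "cert without trailing newline": CERT.rstrip("\n") + KEY,
        "empty line between blocks": CERT + "\n" + KEY,
        "rebuilt with safe_concat": safe_concat(CERT.rstrip("\n"), "\n" + KEY),
    }
    for name, text in cases.items():
        print(name, *lint_pem_bundle(text))
```

To check a real bundle, pass the file's text to `lint_pem_bundle()` before restarting haproxy; an empty findings list means the structure is clean, not that the certificate and key belong together.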



Re: [PacketFence-users] radius | node remains unreg

2017-10-03 Thread Fabrice Durand via PacketFence-users
Hello Mj,

you can create a connection profile based on the connection type
Ethernet-EAP and activate autoregistration on it.

Regards

Fabrice



On 2017-10-03 at 05:37, lists via PacketFence-users wrote:
> Hi,
>
> We have a pf-inline wifi-segment with a captive portal, and also a
> pf-out-of-band wired network, where we have enabled 802.1x / radius
> authentication for our windows workstations.
>
> We authenticate using the workstation account first, and then change
> to the logged-in user account. This works nicely, but with one
> problem: the windows workstations remain in state "unreg" after a
> successful authentication, so from the workstation's point of view,
> nothing seems to work.
>
> When we manually change the node MAC status to "reg" in packetfence,
> everything starts working perfectly.
>
> How can we automate the nodes becoming "reg"-ged when a windows
> workstation authenticates using 802.1x PEAP? Surely this must be a
> very simple solution / switch somewhere? :-)
>
> I tried creating a catch-all rule in our machines-authentication
> source, setting an access duration for 30 days, but I'm not sure if
> that is the correct approach. Also: this doesn't seem to have the
> desired effect or perhaps I need to restart something manually
> after changing that?
>
> MJ
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Fabrice Durand via PacketFence-users

Let's try that:

ip netns exec MYDOMAIN ping 172.16.7.10

ip netns exec MYDOMAIN nslookup www.google.de

What is the result ?


On 2017-08-23 at 10:55, Akala Kehinde wrote:
> Hello Fabrice,
>
> Was thinking, could it be a problem with the winbindd itself?
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde <kehindeak...@gmail.com
> <mailto:kehindeak...@gmail.com>> wrote:
>
> Hallo Fabrice,
>
> [root@pfence sysctl.d]# cat 99-ip_forward.conf
> # ip forwarding enabled by packetfence
> net.ipv4.ip_forward = 1
>
> Checked timing already on both servers, it's the same.
>
>     Regards,
>     Kehinde
>
> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via
> PacketFence-users <packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>
> Hello Akala,
>
> is ip_forward enabled?
>
> is the time of the packetfence server the same as the AD
> server?
>
> Regards
>
> Fabrice
>
>
>
> On 2017-08-23 at 02:38, Akala Kehinde wrote:
>> Hello Fabrice,
>>
>> Kindly see below:
>>
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> Error looking up domain users
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Error looking up domain groups
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the trust secret for domain (null) via RPC calls failed
>> failed to call wbcCheckTrustCredentials:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> Could not check secret
>> [root@pfence pf]#
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the NETLOGON for domain[] dc connection to "" failed
>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>> Ping to winbindd failed
>> could not ping winbindd!
>> [root@pfence pf]#
>>
>>
>> Tested with TESTMAWOH.DE <http://TESTMAWOH.DE> but still
>> cannot join.. 
>> It's driving me nuts:)
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via
>> PacketFence-users <packetfence-users@lists.sourceforge.net
>> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>>
>> Hello Akala,
>>
>> what happens if you do that:
>>
>> chroot /chroots/MYDOMAIN
>>
>> wbinfo -u
>>
>> wbinfo -g
>>
>> if there is no usernames or groups displayed then try :
>>
>> dns_name=TESTMAWOH.DE <http://TESTMAWOH.DE>
>>
>> and rejoin
>>
>> Regards
>> Fabrice
>>
>>
>> On 2017-08-22 at 22:21, Akala Kehinde via
>> PacketFence-users wrote:
>>>
>>> Hello guys,
>>>
>>> I get this error when trying to join PF to an Active
>>> Directory Server:
>>>
>>> [root@pfence pf]# tail -f
>>> /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>>> [2017/08/23 02:20:34.196193,  0]
>>> ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>   Could not fetch our SID - did we join?
>>> [2017/08/23 02:20:34.196275,  0]
>>> ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>>   unable to initialize domain list
>>> [2017/08/23 02:20:34.324267,  0]
>>> 
>>

Re: [PacketFence-users] Code fetched from PF gitub leads to HTTP 503 error, httpd.dispatcher service refusing to start.. Urgent please!!

2017-08-28 Thread Fabrice Durand via PacketFence-users
Hello Akala,

it looks like it's an issue with the proxypassthrough configuration.

Check if this command returns the correct config for
fencing.proxy_passthroughs

Regards

Fabrice



On 2017-08-28 at 16:36, Akala Kehinde via PacketFence-users wrote:
>
>
> On 28 Aug 2017 8:10 PM, "Akala Kehinde"  > wrote:
>
>
> HI guys,
>
> Quick one.
>
> I just suddenly get this error when trying to connect on Reg VLAN.
> User gets a 503 error message when trying to redirect via captive
> portal:
> Seems some code was fetched from PF GitHub and in the process led
> to the error.
>
>
> See some logs below:
>
> *httpd.dispatcher|not started*
>
> */var/log/messages*
>
> Aug 28 18:10:07 egelsbach.testmawoh.de haproxy[3314]: 172.16.98.10:55086 [28/Aug/2017:18:10:04.282] portal-http-172.16.98.1 proxy/ 10/0/-1/-1/3015 503 213 - - SC-- 0/0/0/0/3 0/0 "POST / HTTP/1.1"
>
>
> */packetfence.log*
>
> Aug 28 19:10:02 egelsbach packetfence: INFO pfcmd.pl (9434): Daemon httpd.dispatcher took 0.026 seconds to start. (pf::services::manager::launchService)
> Aug 28 19:10:02 egelsbach pfhttpd: panic: json: cannot unmarshal number into Go value of type string
> Aug 28 19:10:02 egelsbach pfhttpd: goroutine 1 [running]:
> Aug 28 19:10:02 egelsbach pfhttpd: panic(0xa7cb80, 0xc4201ad2c0)
> Aug 28 19:10:02 egelsbach pfhttpd: /usr/local/go/src/runtime/panic.go:500 +0x1a1
> Aug 28 19:10:02 egelsbach pfhttpd: github.com/inverse-inc/packetfence/go/pfconfigdriver.decodeJsonInterface(0xe9aae0, 0xc42000e3d8, 0xc420143900, 0x4d2, 0x500, 0xa35820, 0xc420141e50)
> Aug 28 19:10:02 egelsbach pfhttpd: /tmp/tmp.RFVjTHbjr1/src/github.com/inverse-inc/packetfence/go/pfconfigdriver/fetch.go:173 +0x182
> Aug 28 19:10:02 egelsbach pfhttpd: github.com/inverse-inc/packetfence/go/pfconfigdriver.decodeInterface(0xe9aae0, 0xc42000e3d8, 0xb45bba, 0x4, 0xc420143900, 0x4d2, 0x500, 0xa35820, 0xc420141e50)
> Aug 28 19:10:02 egelsbach pfhttpd: /tmp/tmp.RFVjTHbjr1/src/github.com/inverse-inc/packetfence/go/pfconfigdriver/fetch.go:159 +0xc3
> Aug 28 19:10:02 egelsbach pfhttpd: github.com/inverse-inc/packetfence/go/pfconfigdriver.FetchDecodeSocket(0xe9aae0, 0xc42000e3d8, 0x7fbee85fb200, 0xeef700, 0x0, 0xe9aae0)
> Aug 28 19:10:02 egelsbach pfhttpd: /tmp/tmp.RFVjTHbjr1/src/github.com/inverse-inc/packetfence/go/pfconfigdriver/fetch.go:252 +0x2b7
> Aug 28 19:10:02 egelsbach pfhttpd: github.com/inverse-inc/packetfence/go/pfconfigdriver.FetchDecodeSocketCache(0xe9aae0, 0xc42000e3d8, 0x7fbee85fb200, 0xeef700, 0xeef701, 0x16, 0xc4200d9700)
> Aug 28 19:10:02 egelsbach pfhttpd: /tmp/tmp.RFVjTHbjr1/src/github.com/inverse-inc/packetfence/go/pfconfigdriver/fetch.go:228 +0x21c
> Aug 28 19:10:02 egelsbach pfhttpd: github.com/inverse-inc/packetfence/go/pfconfigdriver.(*Pool).refreshStruct(0xeee360, 0xe9aae0, 0xc42000e3d8, 0xa90c40, 0xeef700)
> Aug 28 19:10:02 egelsbach pfhttpd: /tmp/tmp.RFVjTHbjr1/src/github.com/inverse-inc/packetfence/go/pfconfigdriver/pool.go:95 +0x319
> Aug 28 19:10:02 egelsbach pfhttpd: github.com/inverse-inc/packetfence/go/pfconfigdriver.(*Pool).AddStruct(0xeee360, 0xe9aae0, 0xc42000e3d8, 0xa90c40, 0xeef700)
> Aug 28 19:10:02 egelsbach pfhttpd: /tmp/tmp.RFVjTHbjr1/src/github.com/inverse-inc/packetfence/go/pfconfigdriver/pool.go:74 +0xdc
> Aug 28 19:10:02 egelsbach pfhttpd: github.com/inverse-inc/packetfence/go/caddy/httpdispatcher.setup(0xc42007ca20

Re: [PacketFence-users] radiusd service not starting on PF 7.2

2017-08-28 Thread Fabrice Durand via PacketFence-users
Hello Rokkhan,

try this:

cp /usr/local/pf/conf/radiusd/auth.conf.example
/usr/local/pf/conf/radiusd/auth.conf

then restart radiusd.


Regards

Fabrice



On 2017-08-28 at 16:52, Rokkhan via PacketFence-users wrote:
> I cannot start radiusd service on PF 7.2 but packetfence logs show
> like it has started without any problems:
>
> Aug 25 16:27:12 SLX00012040 packetfence: INFO pfcmd.pl
> (10671): Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Aug 25 16:27:20 SLX00012040 packetfence: INFO pfcmd.pl
> (10671): Connecting to MySQL database
> (pfconfig::backend::mysql::_get_db)
> Aug 25 16:27:27 SLX00012040 packetfence: INFO pfcmd.pl
> (10671): Daemon radiusd-acct took 4.481 seconds to
> start. (pf::services::manager::launchService)
> Aug 25 16:27:32 SLX00012040 packetfence: INFO pfcmd.pl
> (10671): Daemon radiusd-auth took 4.608 seconds to
> start. (pf::services::manager::launchService)
>
> I get this error if I try to start manually:
>
> /usr/local/pf/bin/pfcmd service radiusd start
> service|command
> Checking configuration sanity...
> WARNING - unknown configuration parameter general.dnsservers if you
> added the parameter yourself make sure it is present in
> conf/documentation.conf
> Job for packetfence-radiusd-acct.service failed because the control
> process exited with error code. See "systemctl status
> packetfence-radiusd-acct.service" and "journalctl -xe" for details.
> radiusd-acct|not started
> Job for packetfence-radiusd-auth.service failed because the control
> process exited with error code. See "systemctl status
> packetfence-radiusd-auth.service" and "journalctl -xe" for details.
> radiusd-auth|not started
>
> systemctl status packetfence-radiusd-acct.service
> ● packetfence-radiusd-acct.service - PacketFence FreeRADIUS
> multi-protocol accounting server
> Loaded: loaded
> (/usr/lib/systemd/system/packetfence-radiusd-acct.service; enabled;
> vendor preset: disabled)
> Active: failed (Result: start-limit) since Fri 2017-08-25 16:30:49
> UTC; 37s ago
> Docs: man:radiusd(8)
> man:radiusd.conf(5)
> http://wiki.freeradius.org/
> http://networkradius.com/doc/
> Process: 10957 ExecStartPre=/usr/sbin/radiusd -d /usr/local/pf/raddb
> -n acct -Cxm -lstdout (code=exited, status=1/FAILURE)
> Process: 10952 ExecStartPre=/usr/local/pf/bin/pfcmd service radiusd
> generateconfig (code=exited, status=0/SUCCESS)
>
> Aug 25 16:30:49 SLX00012040 radiusd[10957]: -x Turn on additional
> debugging (-xx gives more debugging).
> Aug 25 16:30:49 SLX00012040 systemd[1]:
> packetfence-radiusd-acct.service: control process exited, code=exited
> status=1
> Aug 25 16:30:49 SLX00012040 systemd[1]: Failed to start PacketFence
> FreeRADIUS multi-protocol accounting server.
> Aug 25 16:30:49 SLX00012040 systemd[1]: Unit
> packetfence-radiusd-acct.service entered failed state.
> Aug 25 16:30:49 SLX00012040 systemd[1]:
> packetfence-radiusd-acct.service failed.
> Aug 25 16:30:49 SLX00012040 systemd[1]:
> packetfence-radiusd-acct.service holdoff time over, scheduling restart.
> Aug 25 16:30:49 SLX00012040 systemd[1]: start request repeated too
> quickly for packetfence-radiusd-acct.service
> Aug 25 16:30:49 SLX00012040 systemd[1]: Failed to start PacketFence
> FreeRADIUS multi-protocol accounting server.
> Aug 25 16:30:49 SLX00012040 systemd[1]: Unit
> packetfence-radiusd-acct.service entered failed state.
> Aug 25 16:30:49 SLX00012040 systemd[1]:
> packetfence-radiusd-acct.service failed.
>
>
>
> Running in debug mode:
>
>
> radiusd -d /usr/local/pf/raddb -n auth -XXX
> Mon Aug 28 16:30:01 2017 : Debug : Server was built with:
> Mon Aug 28 16:30:01 2017 : Debug :   accounting   : yes
> Mon Aug 28 16:30:01 2017 : Debug :   authentication   : yes
> Mon Aug 28 16:30:01 2017 : Debug :   ascend-binary-attributes : yes
> Mon Aug 28 16:30:01 2017 : Debug :   coa  : yes
> Mon Aug 28 16:30:01 2017 : Debug :   control-socket   : yes
> Mon Aug 28 16:30:01 2017 : Debug :   detail   : yes
> Mon Aug 28 16:30:01 2017 : Debug :   dhcp : yes
> Mon Aug 28 16:30:01 2017 : Debug :   dynamic-clients  : yes
> Mon Aug 28 16:30:01 2017 : Debug :   osfc2: no
> Mon Aug 28 16:30:01 2017 : Debug :   proxy: yes
> Mon Aug 28 16:30:01 2017 : Debug :   regex-pcre   : yes
> Mon Aug 28 16:30:01 2017 : Debug :   regex-posix  : no
> Mon Aug 28 16:30:01 2017 : Debug :   regex-posix-extended : no
> Mon Aug 28 16:30:01 2017 : Debug :   session-management   : yes
> Mon Aug 28 16:30:01 2017 : Debug :   stats: yes
> Mon Aug 28 16:30:01 2017 : Debug :   tcp  : yes
> Mon Aug 28 16:30:01 2017 : Debug :   threads  : no
> Mon Aug 28 16:30:01 2017 : Debug :   tls  : yes
> Mon Aug 28 16:30:01 2017 : Debug :   unlang 

Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Fabrice Durand via PacketFence-users
Ok so your issue is related to the route of the system.

do:

ip route

and:

ip route get 172.16.7.10

restart iptables



On 2017-08-23 at 15:44, Akala Kehinde wrote:
> Hi Fabrice,
>
> See below:
>
> [root@pfence sysctl.d]# ip netns exec MYDOMAIN ping 172.16.7.10
> PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.
>
> --- 172.16.7.10 ping statistics ---
> 22 packets transmitted, 0 received, 100% packet loss, time 21107ms
>
> [root@pfence sysctl.d]# ip netns exec MYDOMAIN nslookup www.google.de
> <http://www.google.de>
> ;; connection timed out; trying next origin
> ;; connection timed out; no servers could be reached
>
> [root@pfence sysctl.d]#
>
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 6:45 PM, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>
>
> Let's try that:
>
> ip netns exec MYDOMAIN ping 172.16.7.10
>
> ip netns exec MYDOMAIN nslookup www.google.de <http://www.google.de>
>
> What is the result ?
>
>
> On 2017-08-23 at 10:55, Akala Kehinde wrote:
>> Hello Fabrice,
>>
>> Was thinking, could it be a problem with the winbindd itself?
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde
>> <kehindeak...@gmail.com <mailto:kehindeak...@gmail.com>> wrote:
>>
>> Hallo Fabrice,
>>
>> [root@pfence sysctl.d]# cat 99-ip_forward.conf
>> # ip forwarding enabled by packetfence
>>     net.ipv4.ip_forward = 1
>>
>> Checked timing already on both servers, it's the same.
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via
>> PacketFence-users <packetfence-users@lists.sourceforge.net
>> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>>
>> Hello Akala,
>>
>> is ip_forward enabled?
>>
>> is the time of the packetfence server the same as
>> the AD server?
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-08-23 at 02:38, Akala Kehinde wrote:
>>> Hello Fabrice,
>>>
>>> Kindly see below:
>>>
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>>> could not obtain winbind interface details:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> Error looking up domain users
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>>> could not obtain winbind interface details:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> Error looking up domain groups
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>>> could not obtain winbind interface details:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> checking the trust secret for domain (null) via RPC
>>> calls failed
>>> failed to call wbcCheckTrustCredentials:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> Could not check secret
>>> [root@pfence pf]#
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>>> could not obtain winbind interface details:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> checking the NETLOGON for domain[] dc connection to ""
>>> failed
>>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>>> Ping to winbindd failed
>>> could not ping winbindd!
>>> [root@pfence pf]#
>>>
>>>
>>> Tested with TESTMAWOH.DE <http://TESTMAWOH.DE> but still
>>> cannot join.. 
>>> It's driving me nuts:)
>>>
>>> Regards,
>>> Kehinde
>>>
>>> On Wed, Aug 23, 2017 a

Re: [PacketFence-users] Proper VLAN config

2017-08-25 Thread Fabrice Durand via PacketFence-users
Hello Moritz,

just keep in mind that the registration and isolation vlans are managed by
packetfence (dhcp/dns/gateway), after that the production vlan can be
what you want.

Regards

Fabrice



On 2017-08-25 at 10:39, Moritz Schmid via PacketFence-users wrote:
> Hey guys,
>
> I’m new to pf and a little bit confused about a proper vlan setup for the 
> vlan enforcement. So far I’d like to have my setup checked please. My 
> Question: Is it possible that the management vlan and the “normal” aka 
> production vlan are the same? I know it is possible to have several prod 
> vlans but in my case I just want to have one.
>
> In the Network Device Conf Guide its: Normal VLAN: 1, Registration VLAN: 2 & 
> Isolation VLAN: 3
> In the OoB Zen Guide its: Mgmt VLAN 1, Reg VLAN 2, Isolation VLAN 3 & Normal 
> VLAN 10
>
> My plans and my understanding is the following:
>
> Pf server (following the guide):
> Eth0         as  mgmt/normal   with ip 10.0.0.x
> Eth0 vlan 2  as  registration  with dhcp from pf (192.168.2.x)
> Eth0 vlan 3  as  isolation     with dhcp from pf (192.168.3.x)
>
> Switch
> Default vlan (1) with ip 10.0.0.x
> …
> …
>
> On uplink (Port 1) which is in the default vlan 1 and Port 2 as the trunk 
> port in all three vlans.
>
> Regards,
> Moritz

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] Restricting users to specific interfaces In-Line setup

2017-08-31 Thread Fabrice Durand via PacketFence-users
Hello Michael,

you will have to play with the iptables rules.

check in conf/iptables.conf and the current rules in
var/conf/iptables.conf, you will see what to do.

Also have a look at ipset -L; there are some ipset sessions for each
different network / role.

Regards

Fabrice



On 2017-08-31 at 04:55, HD | Michael Westergaard via PacketFence-users
wrote:
>
> Hi All
>
> We have a specific scenario where Wireless network Equipment does not
> support of band mode with Packetfence.
>
> We want to do the following with the packetfence server using multiple
> in-line interfaces on different VLAN if it is possible.
>
> Guest (VLAN20) on eth1 in-line mode packetfence connected with
> Wireless AP with SSID in VLAN 20
>
> These users must only register to this interface and are able to access
> internet only.
>
> Production (VLAN30) on eth2 in-line mode packetfence connected with
> Wireless AP with SSID in VLAN 30
>
> Internal users are able to access internal resources, but we want to
> restrict them to not allow any mobile device.
>
> It seems to me that user groups are not able to accomplish this
> design. Is it even possible or do you have other suggestions? The
> Packetfence server will be in routed mode to make ACL’s easier.
>
> Best
>
> Mike
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] domain trouble shooting commands fail

2017-08-30 Thread Fabrice Durand via PacketFence-users
Hello Jon,

is winbind running?

Regards

Fabrice



On 2017-08-28 at 23:19, Jon Falconer via PacketFence-users wrote:
> Greetings all,
>
> I have done a fresh install of Packet Fence 7.2.0, and in configuring it, 
> have setup an Active Directory domain join. Packet Fence seems to think that 
> the domain join succeeded since it says "Test join succeed!" for the domain 
> (the only domain) configured on the Configuration > Policies and Access 
> Control > Active Directory Domains page. However, when I run the trouble 
> shooting commands listed on page 34 of the Administration Guide for version 
> 7.2.0, I get the following results:
>
> root@pf2:/etc/samba# chroot /chroots/PUCAD/ wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> root@pf2:/etc/samba#
>
> root@pf2:/etc/samba# chroot /chroots/PUCAD/ ntlm_auth --username=joetest
> Password:
> could not obtain winbind separator!
> Reading winbind reply failed! (0x01)
> :  (0x0)
> root@pf2:/etc/samba#
>
> This is all running on Debian 8 with all updates as of mid August 2017.
>
> ---domain.conf---
> root@pf2:/usr/local/pf/conf# cat domain.conf
> [PUCAD]
> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
> registration=0
> sticky_dc=10.xxx.yyy.zzz
> ou=Computers
> ntlm_cache_batch_one_at_a_time=disabled
> ad_server=10. xxx.yyy.zzz
> dns_name=puc.edu
> ntlm_cache_expiry=3600
> bind_dn=
> workgroup=PUC
> ntlm_cache_batch=disabled
> bind_pass=
> ntlm_cache=disabled
> server_name=%h
> ntlm_cache_on_connection=disabled
> dns_servers=10. xxx.yyy.zzz
> root@pf2:/usr/local/pf/conf#
>
>
> -realm.conf---
> root@pf2:/usr/local/pf/conf# cat realm.conf
> [DEFAULT]
> source=PUC_AD1
> domain=PUCAD
> options=strip
> root@pf2:/usr/local/pf/conf#
>
>
> Any other info needed to diagnose this problem?
>
> Thanks,
>
> Jon
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] Unifi IP Accounting

2017-08-30 Thread Fabrice Durand via PacketFence-users
Hello Ian,

it's an option to enable in PacketFence where you update the iplog
information based on the radius accounting.

Regards

Fabrice


On 2017-08-28 at 23:10, Ian Halliday via PacketFence-users wrote:
> Hello Listmates,
>
> We just completed a PF install in a routed environment using Ubiquity
> Unifi APs for wireless access. We started with portal authentication,
> but eventually went with 802.1X for the vlan separation. 
>
> One question: should we be seeing the node IP addresses populated
> through Radius accounting data for any non-DHCP host? The IP populates
> correctly in the database radacct table, but it's not making it over to
> the ip4log/ipv6 table. I modified the acct_update stored procedure in
> our setup to populate/update that row right away when a valid
> IPv4/IPv6 radius update comes in, but if there is a better way to do
> it, I'm all for it! 
>
> Thanks in advance for any input!
>
> -- Ian
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence works with core switch but not with attached AP

2017-09-05 Thread Fabrice Durand via PacketFence-users
Hello Spencer,

it looks like your AP can do 802.1x, but for mac auth I am not sure.

Also the switch must support multi auth in order to authenticate all the
mac addresses.

The last thing you can do is to enable floating device in packetfence and
return an inline vlan in order to authenticate each device on a portal.

Regards

Fabrice



On 2017-09-05 at 06:49, Spencer Hazell via PacketFence-users wrote:
>
> Hi,
>
>  
>
> I spent a long time but have finally configured my HP 1920 (using
> H3C::S5120) and it is working well for port connected devices. 
> However I have VigorAP902 access point, which appears to not be
> supported.  I should mention I’m using out of band vlan enforcement
> with my HP switch.
>
>  
>
> Is it possible that the Access Point that connects to my working
> switch can be configured in a way that uses the configuration from my
> switch and the AP can act as a dumb/transparent device?  I.E vlan
> assignment/deauthentication is done by the HP switch and not the AP.
>
>  
>
> If not, what are my options?
>
>  
>
> Thanks
>
> Spencer

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Service Disappeared

2017-09-26 Thread Fabrice Durand via PacketFence-users
ok so do:

systemctl restart packetfence-config

/usr/local/pf/bin/pfcmd service pf restart


On 2017-09-26 at 09:16, Nathan, Josh via PacketFence-users wrote:
> OK.  That gives me:
>
> Failed to connect to config service for namespace
> resource::URI_Filters, retrying
>
>
> And that message just keeps getting repeated until I kill it.
>
>
>   
> Joshua Nathan
> *IT Technician*
> Black Forest Academy
>
> p:+49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
> a:
> w:Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de <http://bfacademy.de/>
>
>   
>
>
>
> On Tue, Sep 26, 2017 at 2:15 PM, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>
> Hello Nathan,
>
> there is no systemd script to restart the whole packetfence's
> services.
>
> What you can do is the following:
>
> /usr/local/pf/bin/pfcmd service pf start
>
>
> Regards
>
> Fabrice
>
>
>
> On 2017-09-26 at 04:43, Nathan, Josh via PacketFence-users wrote:
>> Sorry, to be a little more specific... it seems that at least a
>> number of the files are still in /etc/systemd/system... but when
>> I issue "systemctl start packetfence", I get:
>>
>> Failed to start packetfence.service: Unit not found.
>>
>>
>>
>>  
>> Joshua Nathan
>> *IT Technician*
>> Black Forest Academy
>>
>> p:   +49 (0) 7626 9161 630  m: +49 (0) 152 3452 0056
>> a:
>> w:   Hammersteiner Straße 50, 79400 Kandern
>> bfacademy.de <http://bfacademy.de/>
>>
>>  
>>
>>
>>
>> On Tue, Sep 26, 2017 at 10:37 AM, Nathan, Josh
>> <josh.nat...@bfacademy.de <mailto:josh.nat...@bfacademy.de>> wrote:
>>
>> Strange issue... I just did a clean install of PacketFence
>> 7.2.0 on a CentOS 7 server.  However, at some point over
>> night, my PacketFence service disappeared.  The directory and
>> configurations seem to all still be in place, but the service
>> is gone.  Is there a way to readily recreate that?
>>
>> Thanks,
>>
>>  
>> Joshua Nathan
>> *IT Technician*
>> Black Forest Academy
>>
>> p:   +49 (0) 7626 9161 630 <tel:+49%207626%209161630>  m: +49
>> (0) 152 3452 0056 <tel:+49%201523%204520056>
>> a:
>> w:   Hammersteiner Straße 50, 79400 Kandern
>> bfacademy.de <http://bfacademy.de/>
>>
>>  
>
> -- 
> Fabrice Durand
> fdur...@inverse.ca <mailto:fdur...@inverse.ca> ::  +1.514.447.4918 
> <tel:%28514%29%20447-4918> (x135) ::  www.inverse.ca <http://www.inverse.ca>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] AD authentication issue

2017-10-17 Thread Fabrice Durand via PacketFence-users
Hello Luca,

pftest will use ldap bind to authenticate but freeradius will use ntlm_auth.

Can you do this on your server:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

And try to authenticate, you will be able to see why it failed to
authenticate. (you can paste the result).

Regards

Fabrice



On 2017-10-17 at 11:41, Luca Messori via PacketFence-users wrote:
>
> Hi all,
>
> I’m trying to configure authentication against Active Directory on my
> company network.
>
> I have already joined the PF virtual machine to my domain.
>
> I think that I have correctly configured authentication because the
> pftest command returns a successful authentication:
>
> /usr/local/pf/bin/pftest authentication l.messori 
>
> Testing authentication for "l.messori"
>
>  
>
> Authenticating against Mead-AD
>
>   Authentication SUCCEEDED against Mead-AD (Authentication successful.)
>
>   Matched against Mead-AD for 'authentication' rules
>
>     set_role : default
>
>     set_access_duration : 12h
>
>   Did not match against Mead-AD for 'administration' rules
>
>  
>
> Despite that, sniffing traffic from PF, I cannot see traffic to port 389.
>
> In the following output:
>
> 10.33.33.251 is my test switch
>
> 10.33.33.50 is the PF virtual machine
>
> [root@PacketFence-ZEN conf]#  tcpdump -i eth0 -nn "host 10.33.33.251
> or port 389"
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> 15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x82 length: 138
>
> 15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Accept (2), id: 0x82 length: 37
>
> 15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x83 length: 183
>
> 15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x83 length: 64
>
> 15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x84 length: 297
>
> 15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x84 length: 1090
>
> 15:26:20.186698 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x85 length: 177
>
> 15:26:20.191446 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x85 length: 1086
>
> 15:26:20.214413 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x86 length: 177
>
> 15:26:20.217368 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x86 length: 711
>
> 15:26:20.244856 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x87 length: 315
>
> 15:26:20.247276 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x87 length: 123
>
> 15:26:20.260349 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x88 length: 177
>
> 15:26:20.269760 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x88 length: 101
>
> 15:26:20.293628 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x89 length: 230
>
> 15:26:20.348960 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x89 length: 133
>
> 15:26:20.373341 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x8a length: 294
>
> 15:26:21.409974 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x8a length: 149
>
> 15:26:21.421321 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x8b length: 214
>
> 15:26:21.571988 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x8b length: 101
>
> 15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x8c length: 214
>
> 15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Accept (2), id: 0x8c length: 177
>
>  
>
> And my switch log shows authentication failure:
>
> 10/17/2017 17:12:16.90  Authentication
> failed for Network Login 802.1x user MEADINFORMATICA\l.messori Mac
> 50:3F:56:01:1C:09 port 3
>
> 10/17/2017 17:12:15.12  Authentication
> failed for Network Login MAC user 503F56011C09 Mac 50:3F:56:01:1C:09
> port 3
>
> 10/17/2017 17:12:14.86  Port 3 link UP
> at speed 100 Mbps and full-duplex
>
>  
>
> Can you help me?
>
> I think that PF never asks AD for user authentication
>
>  
>
> Kind regards
>
>  
>
> */Luca Messori/*
>
>    *Mead Informatica Srl*
>     *SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
>     Tel. +39 0522 265800 Tel. amm.ne 0522265940 -  Fax +39 0522 393306
>     Tel. +39 049 8702540   Fax +39 049 8706249
>
>  
>
>    http://www.meadinformatica.it 
>
> ---
>
>  
>
> 
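
An added example, not part of the original thread: a small parser for the one-line tcpdump RADIUS output quoted in the message above, which groups packets into authentication attempts and reports each attempt's final RADIUS code. It assumes one supplicant at a time per switch, because this output format carries no Calling-Station-Id; the function names are hypothetical.

```python
import re

# Abridged from the tcpdump capture quoted in the message above, with the
# e-mail line wrapping undone. 10.33.33.251 is the switch, 10.33.33.50 is PF.
CAPTURE = """\
15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x82 length: 138
15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x82 length: 37
15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x83 length: 183
15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x83 length: 64
15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x84 length: 297
15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1090
15:26:21.421321 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8b length: 214
15:26:21.571988 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8b length: 101
15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8c length: 214
15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x8c length: 177
"""

# Matches both "Access Request (1)" (as quoted) and "Access-Request (1)".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): RADIUS, "
    r"(?P<name>[A-Za-z -]+?) \((?P<code>\d+)\), "
    r"id: (?P<id>0x[0-9a-f]+) length: (?P<len>\d+)$"
)

ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11
OUTCOMES = {2: "Access-Accept", 3: "Access-Reject"}


def parse(capture):
    """Return one dict per RADIUS line; lines that do not match are skipped."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append({
                "ts": d["ts"], "src": d["src"], "dst": d["dst"],
                "sport": int(d["sport"]), "dport": int(d["dport"]),
                "code": int(d["code"]), "id": d["id"],
            })
    return packets


def conversations(packets, port=1812):
    """Group packets into authentication attempts, one list entry per attempt.

    An attempt opens with an Access-Request from a NAS that has no attempt in
    progress, continues through Access-Challenge round trips (EAP), and closes
    on Access-Accept or Access-Reject. An attempt that never closes keeps the
    outcome "no reply".
    """
    in_progress = {}   # NAS IP -> attempt still waiting for a final answer
    attempts = []
    for p in packets:
        if p["code"] == ACCESS_REQUEST and p["dport"] == port:
            conv = in_progress.get(p["src"])
            if conv is None:
                conv = {"nas": p["src"], "ids": [], "challenges": 0,
                        "retransmits": 0, "outcome": "no reply",
                        "awaiting": None}
                in_progress[p["src"]] = conv
                attempts.append(conv)
            if conv["awaiting"] == p["id"]:
                conv["retransmits"] += 1      # same id sent again: no answer yet
            else:
                conv["ids"].append(p["id"])
                conv["awaiting"] = p["id"]
        elif p["sport"] == port:
            conv = in_progress.get(p["dst"])
            if conv is None or conv["awaiting"] != p["id"]:
                continue                      # reply without a matching request
            conv["awaiting"] = None
            if p["code"] == ACCESS_CHALLENGE:
                conv["challenges"] += 1
            elif p["code"] in OUTCOMES:
                conv["outcome"] = OUTCOMES[p["code"]]
                del in_progress[p["dst"]]
    return attempts


if __name__ == "__main__":
    for c in conversations(parse(CAPTURE)):
        print(f'{c["nas"]} ids {c["ids"][0]}..{c["ids"][-1]}: '
              f'{c["challenges"]} challenges, {c["retransmits"]} retransmits, '
              f'{c["outcome"]}')
```

On the quoted capture both attempts end in Access-Accept, which is the case where the attributes returned with the accept (for example the VLAN) are the next thing to check.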

Re: [PacketFence-users] Captive Portal customization

2017-10-17 Thread Fabrice Durand via PacketFence-users
Did you assign the portal module on the connection profile?

Regards

Fabrice



On 2017-10-17 at 10:40, Nicolay Rytchev via PacketFence-users wrote:
> Yes, I tried it. Please look at the screenshots below.
> But I still see all possible authentication methods on my Portal's page:
>
>
> Embedded image 3 Embedded image 2 Embedded image 1
>
> 2017-10-17 15:56 GMT+02:00 Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>>:
>
> Hello Nicolay,
>
> have a look at the portal module, you will be able to create the
> workflow you want to have on the portal.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-10-17 at 09:02, Nicolay Rytchev via PacketFence-users wrote:
>> Hello List,
>>
>>
>> I want to customize my own Captive portal but without success.
>> I would like to remove any source in my Portal Profile except the
>> sms authentication.
>> How can I do that?
>>
>> Thank you in advance.
>
> -- 
> Fabrice Durand
> fdur...@inverse.ca <mailto:fdur...@inverse.ca> ::  +1.514.447.4918 
> <tel:%28514%29%20447-4918> (x135) ::  www.inverse.ca <http://www.inverse.ca>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] R: AD authentication issue

2017-10-17 Thread Fabrice Durand via PacketFence-users
it worked !!


On 2017-10-17 at 12:44, Luca Messori wrote:
>
> I have attached the log file using this command:
>
>
>
> /usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fm -X
>
>  
>
> Is this good for you?
>
>  
>
> Kind regards
>
>  
>
> */Luca Messori/*
>
>    *Mead Informatica Srl*
>     *SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
>     Tel. +39 0522 265800 Tel. amm.ne 0522265940 -  Fax +39 0522 393306
>     Tel. +39 049 8702540   Fax +39 049 8706249
>
>  
>
>    http://www.meadinformatica.it <http://www.meadinformatica.it/>
>
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 17 October 2017 18:20
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] AD authentication issue
>
>  
>
> Hello Luca,
>
> pftest will use ldap bind to authenticate but freeradius will use
> ntlm_auth.
>
> Can you do this on your server:
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
> And try to authenticate, you will be able to see why it failed to
> authenticate. (you can paste the result).
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-10-17 at 11:41, Luca Messori via PacketFence-users wrote:
>
> Hi all,
>
> I’m trying to configure authentication against Active Directory on
> my company network.
>
> I have already joined the PF virtual machine to my domain.
>
> I think that I have correctly configured authentication because
> the pftest command returns a successful authentication:
>
> /usr/local/pf/bin/pftest authentication l.messori 
>
> Testing authentication for "l.messori"
>
>  
>
> Authenticating against Mead-AD
>
>   Authentication SUCCEEDED against Mead-AD (Authentication
> successful.)
>
>   Matched against Mead-AD for 'authentication' rules
>
>     set_role : default
>
>     set_access_duration : 12h
>
>   Did not match against Mead-AD for 'administration' rules
>
>  
>
> Despite that, sniffing traffic from PF, I cannot see traffic to
> port 389.
>
> In the following output:
>
> 10.33.33.251 is my test switch
>
> 10.33.33.50 is the PF virtual machine
>
> [root@PacketFence-ZEN conf]#  tcpdump -i eth0 -nn "host
> 10.33.33.251 or port 389"
>
> tcpdump: verbose output suppressed, use -v or -vv for full
> protocol decode
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535
> bytes
>
> 15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x82 length: 138
>
> 15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Accept (2), id: 0x82 length: 37
>
> 15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x83 length: 183
>
> 15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x83 length: 64
>
> 15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x84 length: 297
>
> 15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x84 length: 1090
>
> 15:26:20.186698 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x85 length: 177
>
> 15:26:20.191446 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Chal

Re: [PacketFence-users] Packetfence working with WLC 8.3.122

2017-10-17 Thread Fabrice Durand via PacketFence-users
Hello Brian,

did you try to use the same acl that we have in the documentation ?
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_wireless_lan_controller_wlc_web_auth


This acl is more a trigger than a real acl.

Also can you paste a radius answer when you try to connect on the ssid
(Radius audit log).

Regards

Fabrice



On 2017-10-17 at 10:30, bott wrote:
>
> Hi Fabrice,
>
>
> Here is a screenshot of the ACL: https://imgur.com/a/Br66F
>
>
> As mentioned I can go to the portal page if I input the URL manually.
> However going to google.com doesn't forward the traffic. This is when
> I use a production DNS server.
>
>
> I've also confirmed that NAC State is "Radius NAC".
>
>
> On 2017-10-17 10:26 AM, Fabrice Durand wrote:
>>
>> Hello Brian,
>>
>>
>> the dns must be a production one.
>>
>> The wlc is supposed to intercept the http/https traffic and forward
>> you to the captive portal.
>>
>>
>> So it can be an issue with the ACL (i am not sure since you are able
>> to hit it), or maybe you didn't enable Radius NAC in the ssid config.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-10-17 at 09:50, bott wrote:
>>>
>>> Actually I'm wrong, although I changed the DNS server to point to
>>> the portal page I do now get redirected, however after registration
>>> nothing works as DNS is still pointing to the portal IP and it
>>> answers every query with the portal page.
>>>
>>>
>>>
>>>
>>> On 2017-10-12 08:41 AM, Fabrice Durand wrote:

>>>> Hello Brian,
>>>>
>>>> are you able to resolve a fqdn from your laptop?
>>>>
>>>> What is your acl, can you show me how it looks?
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>>
>>>> On 2017-10-11 at 09:23, Brian Ott wrote:
>
> Thanks for the reply Fabrice!
>
>
> Changing to HTTP doesn't alter the results, it still doesn't forward. 
>
>
> Brian Ott
>
> Ontario Institute for Cancer Research
> MaRS Centre, South Tower
> 101 College Street, Suite 800
> Toronto, Ontario, Canada M5G 0A3
> 
> Telephone:    647-260-7977
> Email:  brian@oicr.on.ca
> www.oicr.on.ca
>
>  
>
> 
> *From:* Durand fabrice via PacketFence-users
> 
> *Sent:* Friday, October 6, 2017 5:54:37 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] Packetfence working with WLC
> 8.3.122
>  
>
> Hello,
>
> can you try to set the redirect url in http instead of https ?
>
> Regards
> Fabrice
>
> On 2017-10-06 at 16:02, bott via PacketFence-users wrote:
>> Hello,
>>
>> We have had packetfence working on older versions and are looking to
>> upgrade our WLC and Packetfence install.
>>
>>
>> From a fresh install only using "web-auth" and following the
>> provided guide on the website for the WLC controller it looks as
>> if everything is fine. I see the client connect, the ACL is sent
>> and in the client information as well as the redirect URL. 
>>
>> However a few things happen: 
>> 1. The user does not get redirected when attempting to browse.
>> (IE: input google.com in browser and nothing happens but a
>> timeout - no redirect)
>> 2. I can access the URL directly that is listed in the "Redirect
>> URL" on the WLC. 
>>
>> The interface is different from version 6 so I'm not sure if I'm
>> missing something. I've provided screenshots here to show that it
>> looks fine: 
>> https://imgur.com/a/KGjRx
>>
>> I'm not sure why it's not forcing a redirect when trying to
>> browse, any help would be appreciated. 
>

 -- 
 Fabrice Durand
 fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
 Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
 

Re: [PacketFence-users] R: AD authentication issue

2017-10-17 Thread Fabrice Durand via PacketFence-users
It looks like you already run freeradius in debug mode. ( -X )

do: pfcmd service radiusd restart

Then raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

Regards
Fabrice

On 2017-10-17 at 12:31, Luca Messori wrote:
>
> Hi Fabrice,
>
> I have this error using raddebug:
>
>  
>
> [root@PacketFence-ZEN ~]# raddebug -f
> /usr/local/pf/var/run/radiusd.sock -t 3000
>
> ERROR: Cannot redirect debug logs to a file when already in debugging
> mode.
>
> ERROR: Cannot redirect debug logs to a file when already in debugging
> mode.
>
> cp: missing destination file operand after ‘/dev/null’
>
> Try 'cp --help' for more information.
>
> chgrp: missing operand after ‘pf’
>
> Try 'chgrp --help' for more information.
>
> chmod: missing operand after ‘g+w’
>
> Try 'chmod --help' for more information.
>
> ^CERROR: Cannot redirect debug logs to a file when already in
> debugging mode.
>
>  
>
> Kind regards
>
>  
>
> */Luca Messori/*
>
>    *Mead Informatica Srl*
>     *SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
>     Tel. +39 0522 265800 Tel. amm.ne 0522265940 -  Fax +39 0522 393306
>     Tel. +39 049 8702540   Fax +39 049 8706249
>
>  
>
>    http://www.meadinformatica.it <http://www.meadinformatica.it/>
>
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 17 October 2017 18:20
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] AD authentication issue
>
>  
>
> Hello Luca,
>
> pftest will use ldap bind to authenticate but freeradius will use
> ntlm_auth.
>
> Can you do this on your server:
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
> And try to authenticate, you will be able to see why it failed to
> authenticate. (you can paste the result).
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-10-17 at 11:41, Luca Messori via PacketFence-users wrote:
>
> Hi all,
>
> I’m trying to configure authentication against Active Directory on
> my company network.
>
> I have already joined the PF virtual machine to my domain.
>
> I think that I have correctly configured authentication because
> the pftest command returns a successful authentication:
>
> /usr/local/pf/bin/pftest authentication l.messori 
>
> Testing authentication for "l.messori"
>
>  
>
> Authenticating against Mead-AD
>
>   Authentication SUCCEEDED against Mead-AD (Authentication
> successful.)
>
>   Matched against Mead-AD for 'authentication' rules
>
>     set_role : default
>
>     set_access_duration : 12h
>
>   Did not match against Mead-AD for 'administration' rules
>
>  
>
> Despite that, sniffing traffic from PF, I cannot see traffic to
> port 389.
>
> In the following output:
>
> 10.33.33.251 is my test switch
>
> 10.33.33.50 is the PF virtual machine
>
> [root@PacketFence-ZEN conf]#  tcpdump -i eth0 -nn "host
> 10.33.33.251 or port 389"
>
> tcpdump: verbose output suppressed, use -v or -vv for full
> protocol decode
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535
> bytes
>
> 15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x82 length: 138
>
> 15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Accept (2), id: 0x82 length: 37
>
> 15:26:20.130792 IP 10.33.33.251.32769 &

Re: [PacketFence-users] Can't download and update fingerbank DB

2017-10-18 Thread Fabrice Durand via PacketFence-users
Hello Yan,

do you have a proxy between PacketFence and internet?

When I see your wget command, I can see that: "Issued certificate has
expired" and the fingerbank.inverse.ca certificate is not yet expired so
there is probably something that blocks/filters the request.

Regards

Fabrice



On 2017-10-17 at 22:16, Yan via PacketFence-users wrote:
>
> Hi Durand,
>
> After "Initialize MYSQL database" the error missing, but now
> packetfence.log keeps filling with "pfqueue: pfqueue(10132) WARN:
> [mac:xx:bd:27:xx:xx:xx] Unable to perform a Fingerbank lookup for
> device with MAC address 'xx:bd:27:xx:xx:xx'
> (pf::fingerbank::__ANON__)". And fingerbank.log is filling with
> "fingerbank: pfqueue(10133) WARN: [mac:xx:xx:0e:cb:xx:xx] An error
> occured while interrogating upstream Fingerbank project: 500 Can't
> connect to fingerbank.inverse.ca:443 (fingerbank::Source::API::__ANON__)
> Oct 18 09:59:59 PacketFence-ZEN fingerbank: pfqueue(10133) INFO:
> [mac:xx:xx:0e:cb:xx:xx] Fingerbank API has returned an invalid result,
> will not cache it. (fingerbank::Source::API::match)".
>
> And I found I can't update fingerbank DB. When I initialize "Update
> Fingerbank DB" in Configuration--Compliance--Fingerbank
> Profiling--General Settings--ACTION, I found the error message
> "pfqueue: pfqueue(10324) ERROR: [mac:unknown] Couldn't update Upstream
> database, code : 500, msg : An error occurred while updating file
> '/usr/local/fingerbank/db/fingerbank_Upstream.db'
> (pf::fingerbank::_update_fingerbank_component)" in packetfence.log. I
> can manually execute wget cmd to download. Does this mean I have to buy
> any fingerbank license? As I noticed fingerbank official website said
> free license has a 300 times' limit every hour. We can buy it if
> necessary.
>
> [root@PacketFence-ZEN logs]# wget --no-check-certificate
> https://fingerbank.inverse.ca/api/v1/download?key=
> --2017-10-18 10:09:18--
>  https://fingerbank.inverse.ca/api/v1/download?key=
> Resolving fingerbank.inverse.ca (fingerbank.inverse.ca)... 167.114.150.85
> Connecting to fingerbank.inverse.ca
> (fingerbank.inverse.ca)|167.114.150.85|:443... connected.
> WARNING: cannot verify fingerbank.inverse.ca's certificate, issued by
> ‘/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Domain Validation Secure Server CA’:
>   Issued certificate has expired.
> HTTP request sent, awaiting response... 200 OK
> Length: 2020635648 (1.9G) [application/x-sqlite3]
> Saving to: ‘download?key=8c7619e51115bd21f186822f19320edfa528681b’
>
>  0% [                    ] 12,525,568  1.77MB/s  eta 21m 37s
>
> -- Original --
> *From:* packetfence-users 
> *Date:* Oct 17, 2017 20:29
> *To:* packetfence-users 
> *Cc:* Fabrice Durand 
> *Subject:* Re: [PacketFence-users] Can't download and update fingerbank DB
>
> Hello Yan,
>
> it looks that you didn't imported fingerbank into mysql.
>
> Go in Configuration -> Compliance -> Fingerbank Profiling -> General
> settings then in Action "Initialize MySQL database".
>
>
> Regards
>
> Fabrice
>
>
>
> On 2017-10-17 at 03:19, Yan via PacketFence-users wrote:
>> Hi dear users,
>>
>> We are using PF V7.2 in our office. We want to use PF to recognize
>> mobile devices from computers when connecting wireless ssid. It seems
>> PF define device's type via DHCP fingerprint. Our packetfence.log
>> keeps logging "pfqueue: pfqueue(1341) WARN: [mac:ff:ee:dd:cc:bb:aa]
>> Unable to perform a Fingerbank lookup for device with MAC address
>> 'ff:ee:dd:cc:bb:aa' (pf::fingerbank::__ANON__)".
>>
>> And after I ran the "Update Fingerbank DB" button and restart pf
>> services, the packetfence.log is now filling with "pfqueue(6013)
>> ERROR: [mac:04:xx:xx:cb:0f:74]
>> DBIx::Class::Storage::DBI::_dbh_execute(): Table
>> 'pf_fingerbank.dhcp_vendor' doesn't exist at
>> /usr/local/pf/lib/fingerbank/Base/CRUD.pm line
>> 416 (pf::api::can_fork::notify)"
>>
>> How to reinstall and update fingerbank? Anyone could help? Thank
>> you very much.
>
>
> 

Re: [PacketFence-users] R: R: AD authentication issue

2017-10-18 Thread Fabrice Durand via PacketFence-users
Hello Lucas,

my assumption is that you want to autoregister device if the 802.1x
authentication was successful.

What you can do is to create a Connection Profile (WireSecure), add a
filter (Connection Type: Ethernet-EAP), enable "Automatically register
devices" and in Sources add your AD source.

Regards

Fabrice



On 2017-10-18 at 04:07, Luca Messori wrote:
>
> Hi Fabrice,
>
> You are right.
>
> This morning I done some new test using good credential and wrong
> credential (same username but wrong password) and I have the correct
> reply from Radius server.
>
>  
>
> So, I haven’t an authentication problem but an authorization problem
> to investigate.
>
> Radius server is sending to the switch a vlanid set to 442 but for me
> this is the registration vlan.
>
> I would like that it will send vlanid=20 (my working vlan for
> enterprise users)
>
>  
>
> Can you help me?
>
> How can I sent you to resolve this issue?
>
>  
>
> Have a nice day
>
>  
>
>  
>
> */Luca Messori/*
>
>    *Mead Informatica Srl*
>     *SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
>     Tel. +39 0522 265800 Tel. amm.ne 0522265940 -  Fax +39 0522 393306
>     Tel. +39 049 8702540   Fax +39 049 8706249
>
>  
>
>    http://www.meadinformatica.it <http://www.meadinformatica.it/>
>
> ---
>
>  
>
> This message may contain information which is confidential or
> privileged. if you are not the intended recipient, please immediately
> notify us
> and destroy this message and any attachments without retaining a copy.
> Any unauthorized use of this message can expose the responsabile party
> to civil and/or criminal penalties.
>
>  
>
> *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, 17 October 2017 18:48
> *To:* Luca Messori <l.mess...@meadinformatica.it>;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: R: [PacketFence-users] AD authentication issue
>
>  
>
> it worked !!
>
>  
>
> On 2017-10-17 at 12:44, Luca Messori wrote:
>
> I have attached the log file using this command:
>
>  
>
> /usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fm -X
>
>  
>
> Is this good for you?
>
>  
>
> Kind regards
>
>  
>
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 17 October 2017 18:20
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-

Re: [PacketFence-users] Can't download and update fingerbank DB

2017-10-18 Thread Fabrice Durand via PacketFence-users
Hi Yan,

once you have the file, go in the admin GUI, Configuration ->
Compliance -> General settings, verify that the MySQL credentials and
database name are correct, then "Action -> Initialize MySQL database".

If the access to the db is ok then you should be able to see a
"python" process running that imports the db from the sqlite file.

It can take a long time.

Regards

Fabrice



On 2017-10-18 at 12:19, Yan via PacketFence-users wrote:
> Hi Durand,
> After running "yum reinstall fingerbank --enablerepo=packetfence", I
> can find fingerbank_Upstream.db located in /usr/local/fingerbank/db
> now. But I'm not so familiar with DB operation. How to integrate it
> into mysql ? Is it something like "mysql -u username -p fingerbank <
> fingerbank_Upstream.db" ?
>
>
> -- Original --
> *From:* packetfence-users 
> *Date:* Oct 18, 2017 23:16
> *To:* packetfence-users 
> *Cc:* Fabrice Durand 
> *Subject:* Re: [PacketFence-users] Can't download and update fingerbank DB
>
> Hi Yan,
>
> there is a database that comes with the fingerbank package, so you
> can probably find it in /usr/local/fingerbank/db. (yum reinstall
> fingerbank if needed)
>
> If you have it (fingerbank_Upstream.db) then you can integrate it into
> mysql, then the future update will be just some interim update and not
> the whole database.
>
> Regards
>
> Fabrice
>
>
> On 2017-10-18 at 10:38, Yan via PacketFence-users wrote:
>>
>> Hi Durand,
>>
>> I don't have any proxy configured in my server. The cert expire error
>> not shows up every time. I just tried to execute wget 3 times, no
>> certificate expire error any more, but 1 connection refused and 2
>> connection closed during downloading. Is Fingerbank has a timeout
>> setting for http connecting ? Is there any other way to download and
>> update fingerbank DB ? Or how to initialize this component ?
>>
>> The first try:
>> [root@PacketFence-ZEN ~]# wget
>> https://fingerbank.inverse.ca/api/v1/download?key=
>> --2017-10-18 22:08:35--  https://fingerbank.inverse.ca/api/v1/download?key=
>> Resolving fingerbank.inverse.ca (fingerbank.inverse.ca)... 167.114.150.85
>> Connecting to fingerbank.inverse.ca
>> (fingerbank.inverse.ca)|167.114.150.85|:443... failed: Connection
>> refused.
>>
>> The second try:
>> [root@PacketFence-ZEN ~]# wget
>> https://fingerbank.inverse.ca/api/v1/download?key=
>> --2017-10-18 22:12:56--  https://fingerbank.inverse.ca/api/v1/download?key=
>> Resolving fingerbank.inverse.ca (fingerbank.inverse.ca)... 167.114.150.85
>> Connecting to fingerbank.inverse.ca
>> (fingerbank.inverse.ca)|167.114.150.85|:443... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 2020635648 (1.9G) [application/x-sqlite3]
>> Saving to: ‘download?key=’
>>
>>  3% [=>                                      ] 70,840,939  52.1KB/s   in 6m 55s
>>
>> 2017-10-18 22:19:53 (167 KB/s) - Connection closed at byte 70840939.
>> Retrying.
>>
>> --2017-10-18 22:19:54--  (try: 2)  https://fingerbank.inverse.ca/api/v1/download?key=
>> Connecting to fingerbank.inverse.ca
>> (fingerbank.inverse.ca)|167.114.150.85|:443... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 2020635648 (1.9G) [application/x-sqlite3]
>> Saving to: ‘download?key=’
>>
>>  0% [                                        ] 0           --.-K/s   in 0.003s
>>
>>
>> Cannot write to ‘download?key=’ (Success).
>>
>> The third time is similar to the second time.
>>
>>
>>
>> -- Original --
>> *From:* packetfence-users 
>> *Date:* Oct 18, 2017 21:18
>> *To:* packetfence-users 
>> *Cc:* Fabrice Durand 
>> *Subject:* Re: [PacketFence-users] Can't download and update
>> fingerbank DB
>>
>> Hello Yan,
>>
>> do you have a proxy between PacketFence and internet ?
>>
>> When I see your wget command, I can see that: "Issued certificate
>> has expired" and the fingerbank.inverse.ca certificate is not yet
>> expired so there is probably something that blocks/filters the request.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-10-17 at 22:16, Yan via PacketFence-users wrote:
>>>
>>> Hi Durand,
>>>
>>> After "Initialize MYSQL database" the error missing, but now
>>> packetfence.log keeps filling with "pfqueue: pfqueue(10132) WARN:
>>> [mac:xx:bd:27:xx:xx:xx] Unable to perform a Fingerbank lookup for
>>> device with MAC address 

Re: [PacketFence-users] Can't download and update fingerbank DB

2017-10-18 Thread Fabrice Durand via PacketFence-users
Hi Yan,

there is a database that comes with the fingerbank package, so you
can probably find it in /usr/local/fingerbank/db. (yum reinstall
fingerbank if needed)

If you have it (fingerbank_Upstream.db) then you can integrate it into
mysql, then the future update will be just some interim update and not the
whole database.

Regards

Fabrice


On 2017-10-18 at 10:38, Yan via PacketFence-users wrote:
>
> Hi Durand,
>
> I don't have any proxy configured in my server. The cert expire error
> not shows up every time. I just tried to execute wget 3 times, no
> certificate expire error any more, but 1 connection refused and 2
> connection closed during downloading. Is Fingerbank has a timeout
> setting for http connecting ? Is there any other way to download and
> update fingerbank DB ? Or how to initialize this component ?
>
> The first try:
> [root@PacketFence-ZEN ~]# wget
> https://fingerbank.inverse.ca/api/v1/download?key=
> --2017-10-18 22:08:35--  https://fingerbank.inverse.ca/api/v1/download?key=
> Resolving fingerbank.inverse.ca (fingerbank.inverse.ca)... 167.114.150.85
> Connecting to fingerbank.inverse.ca
> (fingerbank.inverse.ca)|167.114.150.85|:443... failed: Connection refused.
>
> The second try:
> [root@PacketFence-ZEN ~]# wget
> https://fingerbank.inverse.ca/api/v1/download?key=
> --2017-10-18 22:12:56--  https://fingerbank.inverse.ca/api/v1/download?key=
> Resolving fingerbank.inverse.ca (fingerbank.inverse.ca)... 167.114.150.85
> Connecting to fingerbank.inverse.ca
> (fingerbank.inverse.ca)|167.114.150.85|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 2020635648 (1.9G) [application/x-sqlite3]
> Saving to: ‘download?key=’
>
>  3% [=>                                      ] 70,840,939  52.1KB/s   in 6m 55s
>
> 2017-10-18 22:19:53 (167 KB/s) - Connection closed at byte 70840939.
> Retrying.
>
> --2017-10-18 22:19:54--  (try: 2)  https://fingerbank.inverse.ca/api/v1/download?key=
> Connecting to fingerbank.inverse.ca
> (fingerbank.inverse.ca)|167.114.150.85|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 2020635648 (1.9G) [application/x-sqlite3]
> Saving to: ‘download?key=’
>
>  0% [                                        ] 0           --.-K/s   in 0.003s
>
>
> Cannot write to ‘download?key=’ (Success).
>
> The third time is similar to the second time.
>
>
>
> -- Original --
> *From:* packetfence-users 
> *Date:* Oct 18, 2017 21:18
> *To:* packetfence-users 
> *Cc:* Fabrice Durand 
> *Subject:* Re: [PacketFence-users] Can't download and update fingerbank DB
>
> Hello Yan,
>
> do you have a proxy between PacketFence and internet ?
>
> When I see your wget command, I can see that: "Issued certificate
> has expired" and the fingerbank.inverse.ca certificate is not yet
> expired so there is probably something that blocks/filters the request.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-10-17 at 22:16, Yan via PacketFence-users wrote:
>>
>> Hi Durand,
>>
>> After "Initialize MYSQL database" the error missing, but now
>> packetfence.log keeps filling with "pfqueue: pfqueue(10132) WARN:
>> [mac:xx:bd:27:xx:xx:xx] Unable to perform a Fingerbank lookup for
>> device with MAC address 'xx:bd:27:xx:xx:xx'
>> (pf::fingerbank::__ANON__)". And fingerbank.log is filling with
>> "fingerbank: pfqueue(10133) WARN: [mac:xx:xx:0e:cb:xx:xx] An error
>> occured while interrogating upstream Fingerbank project: 500 Can't
>> connect to fingerbank.inverse.ca:443 (fingerbank::Source::API::__ANON__)
>> Oct 18 09:59:59 PacketFence-ZEN fingerbank: pfqueue(10133) INFO:
>> [mac:xx:xx:0e:cb:xx:xx] Fingerbank API has returned an invalid
>> result, will not cache it. (fingerbank::Source::API::match)".
>>
>> And I found I can't update fingerbank DB. When I initialize "Update
>> Fingerbank DB" in Configuration--Compliance--Fingerbank
>> Profiling--General Settings--ACTION, I found the error message
>> "pfqueue: pfqueue(10324) ERROR: [mac:unknown] Couldn't update
>> Upstream database, code : 500, msg : An error occurred while updating
>> file '/usr/local/fingerbank/db/fingerbank_Upstream.db'
>> (pf::fingerbank::_update_fingerbank_component)" in packetfence.log. I
>> can manually execute wget cmd to download. Is this meant I have to
>> buy any fingerbank license ? As I noticed fingerbank official website
>> said free license has a 300 times' limit every hour. We can buy it if
>> necessary.
>>
>> [root@PacketFence-ZEN logs]# wget 

Re: [PacketFence-users] Username format for portal and automatically registered devices

2017-10-18 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

It is, but that is because the supplicant sends DOMAIN\Username and the
portal uses the sAMAccountName.

The solution could be to use another attribute that contains the
DOMAIN\Username but I am not sure it exists in the Active Directory and I
am not sure that users will be happy to fill in DOMAIN\Username on the portal.

We talked about that internally and we will probably play with the realm
/ username to detect that the user is the same and not try to add
the same user twice.

Regards

Fabrice



On 2017-10-18 at 10:53, Cristian Mammoli via PacketFence-users wrote:
> Hi, sorry to dig this up... Could someone please explain if this
> behaviour is expected or not?
>
> Thank you
>
> On 02/08/2017 at 17:59, Cristian Mammoli via PacketFence-users wrote:
>> Of course I checked "Use stripped username" and added "strip to the
>> realm option.
>>
>> On 02/08/2017 at 15:26, Cristian Mammoli via PacketFence-users wrote:
>>> Hi, in my POC I'm trying the following setup:
>>> If a computer does not support 802.1x should be presented with the
>>> captive portal where the user can register the device, access the
>>> production network and join the domain
>>> Once joined 802.1x is configured and enabled via GPO.
>>> With 802.1x enabled the user should not be presented with the portal
>>> and the device should be autoregistered
>>>
>>> The problem is that if I register the device with the portal the
>>> username format is just "username". If I autoregister a 802.1x
>>> capable device the user format is DOMAIN\username. As a consequence
>>> I have "duplicate" usernames
>>>
>>> Furthermore the powershell scripts specified in the "Active
>>> Directory Integration" section of the admin guide try to deregister
>>> devices owned by "user", not "DOMAIN\user"
>>>
>>> [gruppoapra-macauth]
>>> filter_match_style=all
>>> locale=
>>> filter=connection_type:WIRED_MAC_AUTH,switch_group:switch-jesi-accesso
>>> description=Gruppo Apra MAC Authentication
>>> sources=gruppoapra-auth,email,sponsor,sms
>>> redirecturl=http://www.apra.it/
>>> logo=/common/logo_apra.jpg
>>> root_module=apra_root_portal_policy
>>>
>>> [gruppoapra-dot1x]
>>> filter_match_style=all
>>> locale=
>>> filter=switch_group:switch-jesi-accesso,connection_type:Ethernet-EAP
>>> description=Gruppo Apra 802.1x
>>> sources=gruppoapra-auth
>>> reuse_dot1x_credentials=enabled
>>> autoregister=enabled
>>> redirecturl=http://www.apra.it/
>>> logo=/common/logo_apra.jpg
>>> root_module=apra_root_portal_policy
>>>
>>>
>>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] R: R: R: AD authentication issue

2017-10-18 Thread Fabrice Durand via PacketFence-users
ess...@meadinformatica.it>
> <mailto:l.mess...@meadinformatica.it>;
> packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Re: R: [PacketFence-users] AD authentication issue
>
>  
>
> it worked !!
>
>  
>
> On 2017-10-17 at 12:44, Luca Messori wrote:
>
> I have attached the log file using this command:
>
>  
>
> /usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fm -X
>
>  
>
> Is this good for you?
>
>  
>
> Kind regards
>
>  
>
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 17 October 2017 18:20
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> <mailto:fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] AD authentication issue
>
>  
>
> Hello Luca,
>
> pftest will use ldap bind to authenticate but freeradius will
> use ntlm_auth.
>
> Can you do this on your server:
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
> And try to authenticate, you will be able to see why it failed
> to authenticate. (you can paste the result).
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-10-17 at 11:41, Luca Messori via PacketFence-users wrote:
>
> Hi all,
>
> I’m trying to configure authentication against Active
> Directory on my company network.
>
> I have already joined the PF virtual machine to my domain.
>
> I think that I have correctly configured authentication
> because the pftest command return a successful authentication:
>
> /usr/local/pf/bin/pftest authentication l.messori <password>
>
> Testing authentication for "l.messori"
>
>  
>
> Authenticating against Mead-AD
>
>   Authentication SUCCEEDED against Mead-AD (Authentication
> successful.)
>
>   Matched against Mead-AD for 'authentication' rules
>
>     set_role : default
>
>     set_access_duration : 12h
>
>   Did not match against Mead-AD for 'administration' rules
>
>  
>
> Despite that, sniffing traffic from PF, I cannot see
> traffic to port 389.
>
> In the following output:
>
> 10.33.33.251 is my test switch
>
> 10.33.33.50 is the PF virtual machine
>
> [root@PacketFence-ZEN conf]#  tcpdump -i eth0 -nn "host
> 10.33.33.251 or port 389"
>
> tcpdump: verbose output suppressed, use -v or -vv for full
>   

Re: [PacketFence-users] Logo change problem

2017-10-23 Thread Fabrice Durand via PacketFence-users
Hello Nicolay,

something like that should work:

/common/IPGL.png

Regards
Fabrice

On 2017-10-20 at 03:37, Nicolay Rytchev via PacketFence-users wrote:
> Hello All,
>
> I try to change logo on portal web page but without success.
> May be special path for the file should be specified ?
>
>
>
> Inline image 1
>
> Thank you in advance.
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] SMS gateway configuration

2017-10-23 Thread Fabrice Durand via PacketFence-users
Hello Nicolay,

if it's a new SMS gateway then you will need to import it in the database.

So connect to the database and:

INSERT INTO sms_carrier
    (id, name, email_pattern, created)
VALUES
    (100122, 'MyGateway', '%s@mygateway.gateway', now());

Regards

Fabrice


On 2017-10-20 at 09:50, Nicolay Rytchev via PacketFence-users wrote:
> Hello All,
>
> I want to implement SMS authentication by PF Captive Portal, as I
> understand it works via email.
> PF takes phone number and PIN information from the body of the letter
> and can send this information to the SMS gateway by SMTP.
> Where can I do that ?
> How can I specify my own SMS Gateway  in the menu?
>
>
> Thank you in advance.
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] R: Radiusd don't start after upgarde

2017-10-23 Thread Fabrice Durand via PacketFence-users
 set to '1' (or 2, 3, etc.).  e.g.
>
>     #
>
>     #   ...
>
>     #   update control {
>
>     #  Tmp-String-0 = "%{debug:1}"
>
>     #   }
>
>     #   ...
>
>     #
>
>     #  The attribute that the value is assigned to is unimportant,
>
>     #  and should be a "throw-away" attribute with no side effects.
>
>     #
>
>     #requests =
> ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
>
>  
>
>     #
>
>     #  Which syslog facility to use, if ${destination} == "syslog"
>
>     #
>
>     #  The exact values permitted here are OS-dependent.  You probably
>
>     #  don't want to change this.
>
>     #
>
>     syslog_facility = local1
>
>  
>
>     #  Log the full User-Name attribute, as it was found in the
> request.
>
>     #
>
>     # allowed values: {no, yes}
>
>     #
>
>     stripped_names = no
>
>  
>
>     #  Log authentication requests to the log file.
>
>     #
>
>     #  allowed values: {no, yes}
>
>     #
>
>     auth = yes
>
>  
>
>     #  Log passwords with the authentication requests.
>
>     #  auth_badpass  - logs password if it's rejected
>
>     #  auth_goodpass - logs password if it's correct
>
>     #
>
>     #  allowed values: {no, yes}
>
>     #
>
>     auth_badpass = no
>
>     auth_goodpass = no
>
>  
>
>     #  Log additional text at the end of the "Login OK" messages.
>
>     #  for these to work, the "auth" and "auth_goodpass" or
> "auth_badpass"
>
>     #  configurations above have to be set to "yes".
>
>     #
>
>     #  The strings below are dynamically expanded, which means that
>
>     #  you can put anything you want in them.  However, note that
>
>     #  this expansion can be slow, and can negatively impact server
>
>     #  performance.
>
>     #
>
> #   msg_goodpass = ""
>
> #   msg_badpass = ""
>
>  
>
>     #  The message when the user exceeds the Simultaneous-Use limit.
>
>     #
>
>     msg_denied = "You are already logged in - access denied"
>
> }
>
>  
>
>  
>
>  
>
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, 19 October 2017 16:41
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Radiusd don't start after upgarde
>
>  
>
> Hello Luca,
>
> Can you paste /usr/local/pf/raddb/auth.conf ?
>
> Regards
> Fabrice
>
> On 2017-10-19 at 10:28, Luca Messori via PacketFence-users wrote:
>
>  
>
> Hi,
>
> after upgrading to PF 7.3, the Radius daemon doesn't start
>
>  
>
> Running it in debug mode, I have this error:
>
> Thu Oct 19 14:25:27 2017 : Error :
> /usr/local/pf/raddb/auth.conf[6]: Listeners of type 'auth' MUST be
> defined in a server.
>
>  
>
> My auth.conf

Re: [PacketFence-users] SMS gateway configuration

2017-10-23 Thread Fabrice Durand via PacketFence-users
Hello Nicolay,

just do:

mysql -upf -p pf

INSERT INTO sms_carrier
    (id, name, email_pattern, created)
VALUES
    (100122, 'MyGateway', '%s@mygateway.gateway', now());

exit


That's it.

Regards

Fabrice



On 2017-10-23 at 09:55, Nicolay Rytchev via PacketFence-users wrote:
> Hello Fabrice,
>
> Thank you for your advice. I am not really familiar with database
> configuration.
> I am network engineer.
> Could you be more specific about how and where to do that?
>
>
> Regards,
> Nicolay
>
>
> 2017-10-23 15:30 GMT+02:00 Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>>:
>
> Hello Nicolay,
>
> if it's a new SMS gateway then you will need to import it in the
> database.
>
> So connect to the database and:
>
> INSERT INTO sms_carrier
>     (id, name, email_pattern, created)
> VALUES
>     (100122, 'MyGateway', '%s@mygateway.gateway', now());
>
> Regards
>
> Fabrice
>
>
> On 2017-10-20 at 09:50, Nicolay Rytchev via PacketFence-users wrote:
>> Hello All,
>>
>> I want to implement SMS authentication by PF Captive Portal, as I
>> understand it works via email.
>> PF takes phone number and PIN information from the body of the
>> letter and can send this information to the SMS gateway by SMTP.
>> Where can I do that ?
>> How can I specify my own SMS Gateway  in the menu?
>>
>>
>> Thank you in advance.
>>
>>
>>
>>
>> 
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-15 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

so I am able to replicate it and it looks to be a bug with the IOS version.

Let's say I have nothing connected on the port Gi1/0/8, if I do that:

Switch#sh interfaces gigabitEthernet 1/0/8
GigabitEthernet1/0/8 is administratively down, line protocol is down (disabled)
  Hardware is Gigabit Ethernet, address is dca5.f434.5508 (bia dca5.f434.5508)
  MTU 1500 bytes, BW 1 Kbit/sec, DLY 1000 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:07:35, output 00:07:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 484517 packets input, 59890752 bytes, 0 no buffer
 Received 266453 broadcasts (221983 multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 221983 multicast, 0 pause input
 0 input packets with dribble condition detected
 618866 packets output, 72946865 bytes, 0 underruns
 0 output errors, 0 collisions, 35 interface resets
 0 unknown protocol drops
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier, 0 pause output
 0 output buffer failures, 0 output buffers swapped out

I have 59890752 bytes in and 72946865 bytes out.


I plug a laptop into it, PF receives an accounting packet with in 0 and out
0 (normal).

If I shut down the port then PF receives an accounting packet with 59890752
(a little bit more) bytes in and 72946865 (a little bit more) bytes out.

+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
| id | acctsessionid | username                   | nasipaddress  | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
|  3 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:21 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
|  6 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:19:28 |        59665537 |         72749820 |               7 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
|  9 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:31 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 12 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:05 |        59846611 |         72909854 |             994 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 15 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:36:26 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 18 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:57 |        59869432 |         72929035 |              30 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 21 | 0061          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:38:25 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 24 | 0061          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:38:56 |        59890752 |         72946865 |              31 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+

So it looks like the in/out bytes are never reset and the switch sends
the in/out bytes since the switch started.

What I can recommend: if there is a new IOS version then upgrade; if it
doesn't fix the issue then open a TAC with Cisco.

Regards

Fabrice



On 2017-11-15 at 06:09, Cristian Mammoli via PacketFence-users wrote:
> Ok this my Notebook wifi adapter (E4:B3:18:2C:E0:C0) and 192.168.7.221
> is a Cisco WLC. No problem here, the accounting data looks ok:
>
> MariaDB [pf]> select * from radacct_log where
> acctuniqueid="c16c078f963c875d37013c5cba979106";
> 
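
The symptom described in the message above (Stop records carrying the interface's lifetime counters instead of per-session bytes) can be checked for in accounting data. The following is an added example, not PacketFence code: it diffs each Stop against the previous Stop from the same NAS and user, using the Stop rows quoted in the message plus a constructed healthy set. Grouping by NAS IP and username is an assumption, since the quoted table shows no port column.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Stop records copied from the radacct_log output quoted in the message above:
# (acctsessionid, nasipaddress, username, timestamp, input octets, output octets)
STOP_ROWS = [
    ("005C", "172.20.135.77", "host/inverse-8.inverse.inc", "2017-11-15 16:19:28", 59665537, 72749820),
    ("005D", "172.20.135.77", "host/inverse-8.inverse.inc", "2017-11-15 16:36:05", 59846611, 72909854),
    ("0060", "172.20.135.77", "host/inverse-8.inverse.inc", "2017-11-15 16:36:57", 59869432, 72929035),
    ("0061", "172.20.135.77", "host/inverse-8.inverse.inc", "2017-11-15 16:38:56", 59890752, 72946865),
]

# Constructed sample: a NAS that resets its counters at every session start.
HEALTHY_ROWS = [
    ("A1", "192.0.2.10", "alice", "2017-11-15 09:00:00", 120000, 900000),
    ("A2", "192.0.2.10", "alice", "2017-11-15 10:00:00", 450000, 3100000),
    ("A3", "192.0.2.10", "alice", "2017-11-15 11:00:00", 80000, 610000),
]


@dataclass
class SessionUsage:
    session_id: str
    reported_in: int           # value the NAS put in the Stop record
    reported_out: int
    delta_in: Optional[int]    # growth since the previous Stop, None if no baseline
    delta_out: Optional[int]


def per_session_deltas(stop_rows):
    """Group Stop records by (NAS, user), order by time, diff against the previous Stop."""
    grouped = defaultdict(list)
    for sid, nas, user, ts, o_in, o_out in stop_rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        grouped[(nas, user)].append((when, sid, o_in, o_out))

    result = {}
    for key, rows in grouped.items():
        rows.sort()
        usages, prev = [], None
        for _when, sid, o_in, o_out in rows:
            if prev is None or o_in < prev[0] or o_out < prev[1]:
                # First record, or a counter went backwards (counters were
                # reset or cleared): there is no usable baseline.
                d_in = d_out = None
            else:
                # Upper bound for the session: it also includes any traffic
                # counted on the interface between the two sessions.
                d_in, d_out = o_in - prev[0], o_out - prev[1]
            usages.append(SessionUsage(sid, o_in, o_out, d_in, d_out))
            prev = (o_in, o_out)
        result[key] = usages
    return result


def looks_cumulative(usages, max_ratio=0.05, min_sessions=3):
    """True when every Stop only grows slightly over the previous one.

    That pattern means the NAS reports a running total, so the reported
    octets must not be used as per-session bandwidth.
    """
    if len(usages) < min_sessions:
        return False
    for u in usages[1:]:
        if u.delta_in is None or u.delta_out is None:
            return False
        if u.reported_in + u.reported_out == 0:
            return False
        if u.delta_in > max_ratio * u.reported_in:
            return False
        if u.delta_out > max_ratio * u.reported_out:
            return False
    return True


if __name__ == "__main__":
    for key, usages in per_session_deltas(STOP_ROWS).items():
        print(key, "cumulative counters:", looks_cumulative(usages))
        for u in usages:
            print(" ", u.session_id, "reported", u.reported_in, u.reported_out,
                  "delta", u.delta_in, u.delta_out)
```
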

Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-14 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

When PacketFence receives an accounting request, there are MySQL
procedures that will update/insert in the radacct table.

When PF receives a start we log in radacct_log and insert a new entry in
radacct, when it's an interim update we update the entry in the radacct
table and when it's a stop we also update the radacct table and close
the entry.

So if you can do that:

select acctuniqueid from radacct where callingstationid="00:11:22:33:44:55";

and give me the result of that:

select * from radacct_log where acctuniqueid="xyz";

Regards

Fabrice


On 2017-11-13 at 07:59, Cristian Mammoli via PacketFence-users wrote:
> Hi Fabrice, could you please give me a hint to start looking at what's
> going wrong here? How is bandwidth calculated and where?
>
> Thanks in advance
>
> On 19/10/2017 18:22, Cristian Mammoli via PacketFence-users wrote:
>> If you mean PacketFence is 7.3.0
>> If you mean IOS: Cisco IOS Software, C2960X Software
>> (C2960X-UNIVERSALK9-M), Version 15.2(2)E6, RELEASE SOFTWARE (fc1)
>>
>>
>> On 19/10/2017 16:41, Fabrice Durand via PacketFence-users wrote:
>>> Hello Cristian,
>>>
>>> which version are you running ?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>
>>
>
> -- 
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Violation 1300003 force-closed after successful Captive Portal Authentication

2017-11-28 Thread Fabrice Durand via PacketFence-users
Hello Ricardo,

I am not seeing what is wrong, but it's not supposed to have that in the
log: Can't re-evaluate access because no open locationlog entry was found

Can you put the portal in debug mode?

conf/log.conf.d/httpd.portal.conf:

### httpd.portal logger ###
log4perl.rootLogger = INFO, HTTPD_PORTAL

Regards

Fabrice



On 2017-11-27 at 12:02, Ricardo Underwood via PacketFence-users wrote:
> Hello,
>
> Is there anyone that can give me a hand, a hint or a lead on this
> matter, I really need to figure out what the problem is.
>
> Thanks in advance,
>
> Ricardo Underwood
>
> On Wed, Nov 22, 2017 at 2:22 PM, Ricardo Underwood wrote:
>
> Hello,
>
> I've been configuring PacketFence to work with our wired and
> wireless network. At the moment I'm trying to get the wireless
> working using Captive Portal. I'm using oauth2 with Google as
> we want to take advantage of our Google Apps as our authentication
> method company wide. We use Ruckus Zone Director
> version 10.0.1.0 build 35 with 5 Ruckus R710 APs. I've followed the
> directions from the Admin Guide and the Network configuration
> guide for Ruckus. I have created a Hotspot Service in Ruckus
> ZoneDirector pointing to the IP of our PacketFence. When the
> user tries to access the SSID it will direct them to the Captive
> Portal, they can authenticate with Google and the device is
> registered, I can see it in the registered nodes. However, after all
> that it shows to the user "Your network should be enabled within a
> minute or two, if it is not reboot your computer". I have
> tried from different devices (iOS devices are giving a different error but
> that is not a major issue right now) and all are having the same
> problem, from Mac and Windows computers, desktops and laptops.
> From the packetfence.log I got this:
>
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1729) INFO: [mac:60:f8:1d:c3:e7:58] Instantiate
> profile Ruckus (pf::Connection::ProfileFactory::_from_profile)
> Nov 22 00:05:40 pfsetvlan(0) WARN: ignoring non trap line
> 2017-11-22 00:05:39 NET-SNMP version 5.7.2.1 Stopped. (main::)
> Nov 22 00:05:40 pfsetvlan(0) WARN: ignoring non trap line Stopping
> snmptrapd (main::)
> Nov 22 00:05:40 pfsetvlan(0) WARN: ignoring non trap line  (main::)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1726) INFO: [mac:60:f8:1d:c3:e7:58] URI '/Ruckus' is
> detected as an external captive portal URI
> (pf::web::externalportal::handle)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:unknown] External captive portal
> detected !
> 
> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:unknown] Detected external portal
> client. Using the IP 192.168.2.126 address in it's session.
> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:60:f8:1d:c3:e7:58] External captive
> portal detected !
> 
> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:60:f8:1d:c3:e7:58] Detected external
> portal client. Using the IP 192.168.2.126 address in it's session.
> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
> Nov 22 00:05:40 packetfence packetfence_httpd.portal:
> httpd.portal(1725) INFO: [mac:60:f8:1d:c3:e7:58] Instantiate
> profile Ruckus (pf::Connection::ProfileFactory::_from_profile)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1727) INFO: [mac:60:f8:1d:c3:e7:58] URI '/Ruckus' is
> detected as an external captive portal URI
> (pf::web::externalportal::handle)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1726) INFO: [mac:unknown] External captive portal
> detected !
> 
> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1726) INFO: [mac:unknown] Detected external portal
> client. Using the IP 192.168.2.126 address in it's session.
> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1729) INFO: [mac:60:f8:1d:c3:e7:58] Instantiate
> profile Ruckus (pf::Connection::ProfileFactory::_from_profile)
> Nov 22 00:05:41 packetfence packetfence_httpd.portal:
> httpd.portal(1726) INFO: [mac:60:f8:1d:c3:e7:58] External captive
> portal detected !
> 
> 

Re: [PacketFence-users] Violation 1300003 force-closed after successful Captive Portal Authentication

2017-11-28 Thread Fabrice Durand via PacketFence-users
6 127.0.0.1 - -
> [28/Nov/2017:16:47:26 -0500] "packetfence.domain.com
> <http://packetfence.domain.com>" "GET /access HTTP/1.1" 200 4868 "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8
> (KHTML, like Gecko)" 139113
> Nov 28 16:47:26 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:26 -0500] "192.168.2.223" "GET
> /Ruckus?sip=192.168.2.100=58b63311d5e0_mac=60f81dc3e758=192.168.2.126==ZoneDirector218.domain.com
> <http://ZoneDirector218.domain.com>=http%3a%2f%2fcaptive.apple.com
> <http://2fcaptive.apple.com>%2fhotspot%2ddetect.html=domain%5fPF=Engineering+Outside+Pompador=10
> HTTP/1.0" 302 1567 "-" "CaptiveNetworkSupport-346.50.1 wispr" 32425
> Nov 28 16:47:26 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:26 -0500] "192.168.2.223" "GET
> /captive-portal?destination_url=http://captive.apple.com/hotspot-detect.html=192.168.2.100=58b63311d5e0_mac=60f81dc3e758=192.168.2.126==ZoneDirector218.domain.com=http%3a%2f%2fcaptive.apple.com%2fhotspot%2ddetect.html=domain%5fPF=Engineering+Outside+Pompador=10
> HTTP/1.0" 200 2511 "-" "CaptiveNetworkSupport-346.50.1 wispr" 165176
>
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "GET
> /Ruckus?sip=192.168.2.100=58b63311d5e0_mac=60f81dc3e758=192.168.2.126==ZoneDirector218.domain.com
> <http://ZoneDirector218.domain.com>=https%3a%2f%2fwww.domain.com
> <http://2fwww.domain.com>%2f=domain%5fPF=Engineering+Outside+Pompador=10
> HTTP/1.1" 302 1503 "http://packetfence.domain.com/access; "Mozilla/5.0
> (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like
> Gecko)" 39711
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "GET
> /captive-portal?destination_url=https://www.domain.com/=192.168.2.100=58b63311d5e0_mac=60f81dc3e758=192.168.2.126==ZoneDirector218.domain.com=https%3a%2f%2fwww.domain.com%2f=domain%5fPF=Engineering+Outside+Pompador=10
> HTTP/1.1" 200 2511 "http://packetfence.domain.com/access; "Mozilla/5.0
> (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like
> Gecko)" 179506
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "GET
> /Ruckus?sip=192.168.2.100=58b63311d5e0_mac=60f81dc3e758=192.168.2.126==ZoneDirector218.domain.com
> <http://ZoneDirector218.domain.com>=http%3a%2f%2fcaptive.apple.com
> <http://2fcaptive.apple.com>%2fhotspot%2ddetect.html=domain%5fPF=Engineering+Outside+Pompador=10
> HTTP/1.0" 302 1567 "-" "CaptiveNetworkSupport-346.50.1 wispr" 41387
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "POST
> /record_destination_url HTTP/1.1" 200 -
> "http://192.168.2.223/captive-portal?destination_url=https://www.domain.com/=192.168.2.100=58b63311d5e0_mac=60f81dc3e758=192.168.2.126==ZoneDirector218.domain.com=https%3a%2f%2fwww.domain.com%2f=domain%5fPF=Engineering+Outside+Pompador=10;
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8
> (KHTML, like Gecko)" 102354
> Nov 28 16:47:37 packetfence httpd_portal: 192.168.2.126 127.0.0.1 - -
> [28/Nov/2017:16:47:37 -0500] "192.168.2.223" "GET
> /captive-portal?destination_url=http://captive.apple.com/hotspot-detect.html=192.168.2.100=58b63311d5e0_mac=60f81dc3e758=192.168.2.126==ZoneDirector218.domain.com=http%3a%2f%2fcaptive.apple.com%2fhotspot%2ddetect.html=domain%5fPF=Engineering+Outside+Pompador=10
> HTTP/1.0" 200 2511 "-" "CaptiveNetworkSupport-346.50.1 wispr" 172019
>
> I have masked the domain name and SSID with the word domain as per
> they contain the name of the company.
>
> Can you spot anything wrong?
>
> Regards,
>
> Ricardo
>
> On Tue, Nov 28, 2017 at 8:53 AM, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>
> Hello Ricardo,
>
> I am not seeing what is wrong, but it's not supposed to have that in
> the log: Can't re-evaluate access because no open locationlog
> entry was found
>
> Can you put the portal in debug mode?
>
> conf/log.conf.d/httpd.portal.conf:
>
> ### httpd.portal logger ###
> log4perl.rootLogger = INFO, HTTPD_PORTAL
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-11-27 à 12:02, 

Re: [PacketFence-users] Supported standalone AP

2017-11-24 Thread Fabrice Durand via PacketFence-users
Hello Spencer,

You can use something like this:

https://www.ubnt.com/unifi/unifi-ap-ac-lite/

There is only a limitation with 802.1x (I hope Ubiquiti will fix it) but
MAC auth should be ok.

Regards

Fabrice



On 2017-11-24 at 06:11, Spencer Hazell via PacketFence-users wrote:
>
> Hi
>
>  
>
> I have successfully configured my HP switches to work with packetfence
> and it works amazing!
>
>  
>
> However I’m after a single AP that will work with switch to provide
> the same functionality.  What choices do I have for acquiring a cheap
> AP (on its own) that will work with packetfence.
>
>  
>
> We are only a small company hence the reason for nothing too expensive
> – just an AP -> Switch (already have) -> Packetfence PC.
>
>  
>
> Thanks
>
>  
>
>  
>
> Spencer Hazell
>
> *IT Manager*
> 01249 650441
> manderduffill.com
> The Old Post Office, 41 - 43 Market Place, Chippenham SN15 3HR

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Supported standalone AP

2017-11-24 Thread Fabrice Durand via PacketFence-users
https://github.com/inverse-inc/packetfence/pull/2735


On 2017-11-24 at 08:48, Gonzague Dambricourt wrote:
> Yeah, for now... UniFi doesn’t support CoA :(
>
>> On 24 Nov 2017 at 14:46, Fabrice Durand via PacketFence-users
>> <packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello Spencer,
>>
>> you can use something like that:
>>
>> https://www.ubnt.com/unifi/unifi-ap-ac-lite/
>>
>> There is only a limitation with 802.1x (i hope Ubiquiti will fix it)
>> but mac auth should be ok.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-11-24 at 06:11, Spencer Hazell via PacketFence-users wrote:
>>> Hi
>>>  
>>> I have successfully configured my HP switches to work with
>>> packetfence and it works amazing!
>>>  
>>> However I’m after a single AP that will work with switch to provide
>>> the same functionality.  What choices do I have for acquiring a
>>> cheap AP (on its own) that will work with packetfence.
>>>  
>>> We are only a small company hence the reason for nothing too
>>> expensive – just an AP -> Switch (already have) -> Packetfence PC.
>>>  
>>> Thanks
>>>  
>>>  
>>> Spencer Hazell
>>> *IT Manager*
>>> 01249 650441
>>> manderduffill.com <http://www.manderduffill.com/>
>>> The Old Post Office, 41 - 43 Market Place, Chippenham SN15 3HR
>>
>> -- 
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org) 
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-22 Thread Fabrice Durand via PacketFence-users
Hello Jason,


On 2017-11-21 at 23:40, Jason Sloan wrote:
> Fabrice,
>
> Totally understand being busy. Thanks for the reply. I was actually
> able to get this working a few hours ago, and hadn't had time to post
> a reply. I'm not sure what did it, perhaps adding "strip" to the realm
> options because the radius stripped name for hosts is host/ -
> this likely accomplishes the same thing that you suggested but in a
> different manner. To be completely clear I couldn't find a normalize
> option but I did see: "RADIUS machine auth with username - Use the
> RADIUS username instead of the TLS certificate common name when doing
> machine authentication." Just to verify, this is the option you are
> suggesting, correct?
>
Yes, this is the option. It will use the attribute User-Name
(host/DESKTOP-6U152VD.mydomain.local) instead of the attribute
TLS-Client-Cert-Common-Name (DESKTOP-6U152VD.mydomain.local), so
User-Name will match the AD attribute servicePrincipalName.

Also, / is not considered a separator of a REALM in FreeRADIUS, so I am
not sure that strip fixed the issue.
 
> One other thing I noticed in the authentication  request is the REALM
> is coming up as "NULL." Is this normal for RADIUS authenticated EAP-TLS?
For machine authentication, yes, this is normal, but I think it should be
possible to do a hack like we did in PacketFence Multidomain.
When the username is host/DESKTOP-6U152VD.mydomain.local then set the
realm as mydomain.local and try to authenticate on the sources where
mydomain.local is defined.
>
> Much of the info I was reading from the listserv also had included
> adding source or sources to the realm, this is not available in the
> GUI, is this a .conf feature only or a feature of PF 6.x that was
> deprecated?
Now in PacketFence you define the associated realm in the source;
before, it was in the realm configuration that you defined the only
source associated.
>
> Thanks,
> -Jason
Regards
Fabrice


-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
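
The realm mapping sketched in the reply above (a machine User-Name of the form host/NAME.domain falls into the NULL realm unless the domain part is taken as the realm) looks like this as an added example; it is not PacketFence or FreeRADIUS code. The `REALM_SOURCES` table and its source names are hypothetical, and the `@` and `\` branches reflect the usual suffix and NT-domain realm conventions.

```python
import re
from typing import List, Optional

# Hypothetical realm -> authentication source mapping (names are illustrative).
REALM_SOURCES = {
    "mydomain.local": ["AD-mydomain"],
    "example.org": ["AD-example"],
}

# Accept only DNS-like labels so a crafted User-Name cannot select a realm
# through control characters, whitespace or empty labels.
_REALM_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


def realm_for(user_name: str) -> Optional[str]:
    """Return the lower-cased realm for a RADIUS User-Name, or None (NULL realm)."""
    name = user_name.strip()
    candidate = ""
    if name.lower().startswith("host/"):
        # Machine authentication: host/DESKTOP-6U152VD.mydomain.local
        # "/" is not a realm separator, so split the FQDN ourselves.
        host, dot, domain = name[5:].partition(".")
        if host and dot:
            candidate = domain
    elif "@" in name:
        candidate = name.rsplit("@", 1)[1]      # user@realm
    elif "\\" in name:
        candidate = name.split("\\", 1)[0]      # DOMAIN\user
    candidate = candidate.lower()
    return candidate if _REALM_RE.fullmatch(candidate) else None


def sources_for(user_name: str) -> List[str]:
    """Authentication sources to try for this User-Name (empty for the NULL realm)."""
    realm = realm_for(user_name)
    return list(REALM_SOURCES.get(realm, [])) if realm else []


if __name__ == "__main__":
    for sample in ("host/DESKTOP-6U152VD.mydomain.local", "host/DESKTOP-6U152VD",
                   "bob@Example.ORG", "MYDOMAIN\\bob", "bob"):
        print(repr(sample), "->", realm_for(sample), sources_for(sample))
```
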





Re: [PacketFence-users] [WISPr redirection]Can't direct user todownload specific files in registration VLAN

2017-11-23 Thread Fabrice Durand via PacketFence-users
Hello Yan,

use proxy_passthroughs=123.23.1.2 instead of passthroughs=123.23.1.2 and
retry.

Regards

Fabrice



On 2017-11-22 at 10:26, Yan via PacketFence-users wrote:
> In short, I want to know if it is possible to use PF's Captive Portal
> detection mechanism to pop out the captive portal, and no need to
> input any username and password, but with a url link inside the
> captive portal, and the user can then access the url with passthrough
> mechanism ?
>
> My pf.conf is as below:
> [fencing]
> passthrough=enabled
> #allow below host's 80 port to reach the download link
> passthroughs=123.23.1.2
>
> [captive_portal]
> network_detection_ip=172.20.3.120
> secure_redirect=disabled
>
>
> -- Original --
> *From:* packetfence-users 
> *Date:* Nov 22, 2017 21:53
> *To:* packetfence-users 
> *Cc:* Yan <1136723...@qq.com>
> *Subject:* Re: [PacketFence-users] [WISPr redirection]Can't direct
> user todownload specific files in registration VLAN
>
> Hi dear users,
>
> We use PF V7.3 in our office. Currently we set the authentication
> process as below:
> 1. Connect to secure ssid PF-wireless with 802.1x username and password.
> 2.After connection, the user default be set to registration VLAN.
> 3.We create a root portal module with only message.html, within which
> we add a download link(http://123.23.1.2/agent-install.html) pointing
> to host 123.23.1.2.
> 4.After user passed 802.1x authentication, there is a pop up window
> redirecting user to our portal. And the user can see the link.
> 5.User click the link to download our agent file and then the host
> 123.23.1.2 will know and send a message log to PF, PF will register
> this user's device.
> 6.The user belongs to normal VLAN now and get the right network access.
>
> Now some mac OSX users can't open the link in the auto pop up window.
> Windows users don't have this problem. I checked this problem with my
> own computer and find if I don't close the auto pop up window, I can't
> even connect to PF registration IP. If I close the pop up window and
> open a new browser my network will be redirected to the portal page.
> And I can download the package from this new browser.
>
> I know that the auto pop up page is accomplished by PF's WISPr
> redirection capabilities, can you tell how it works ? Why can't I
> download file by the link in portal on mac osx ?
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Failed to connect to config service for namespace resource::URI_Filters, retrying

2017-11-23 Thread Fabrice Durand via PacketFence-users
Hello,

try first to restart packetfence-config

systemctl restart packetfence-config

and do a pfcmd configreload hard

Regards

Fabrice



Le 2017-11-23 à 07:07, Samuel Chege via PacketFence-users a écrit :
> You can also try to remove the package called kf5-kio-widgets FIRST
> before re-installing; it seems to be the one connected to URI_Filters.
>
> On 23 November 2017 at 14:35, Samuel Chege wrote:
>
> Hi Luis,
>
> I had the same exact problem in my first attempt at trying to
> install PF 7.3.0 on CentOS 7. I resolved it by doing a minimal
> install. You most likely chose another type of installation and
> some software is conflicting with packetfence. Try and do a
> minimal CentOS install and setup packetfence again.
>
> On 22 November 2017 at 19:54, Luís Torres via PacketFence-users wrote:
>
> Hi,
>
>  
>
> Don't know what happened, but after reboot I can't start PF and am always
> getting this message:
>
>  
>
> 369617.14165] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.24306] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.34436] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.44564] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.54673] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.64793] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.74908] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.8502] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369617.95153] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.05267] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.15372] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.25478] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.35583] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.45685] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.55786] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.65905] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.76025] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.86145] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369618.96267] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369619.06376] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369619.16484] Failed to connect to config service for
> namespace resource::URI_Filters, retrying
> [1511369619.26587] Failed to connect to config...
>
>  
>
>  
>
> What should I do?
>
>  
>
> Regards
>
> LT
>
>  
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo 

Re: [PacketFence-users] VLAN filter rule to temporarily allow specific switch

2017-11-29 Thread Fabrice Durand via PacketFence-users
Hello Yan,

you also need to register the device.

so something like that:

[pf_ssid]
filter = ssid
operator = is
value = PF-Wireless

[SG1_switch]
filter = switch._ip
operator = is
value = 172.11.5.121

[reg_by_switch:pf_ssid_switch]
scope = RegistrationRole
action = modify_node
action_param = mac = $mac, status = reg, category=employees
role = employees

Regards
Fabrice

On 2017-11-29 at 09:24, Yan via PacketFence-users wrote:
> Hi users,
>
> I want to add a VLAN filter rule to temporarily pass one specific
> switch (IP 172.11.5.121) and keep the others as normal. Is below rule
> okay to do this ?
>
>
> [pf_ssid]
> filter = ssid
> operator = is
> value = PF-Wireless
>
> [SG1_switch]
> filter = switch._ip
> operator = is
> value = 172.11.5.121
>
> [reg_by_switch:pf_ssid_switch]
> scope = RegistrationRole
> action = modify_node
> action_param = mac = $mac
> role = employees
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
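A lint pass over the filter file discussed in this message, as an added example that is not part of the original thread or PacketFence's own code. It assumes the part of a rule header after the colon is an expression over condition section names joined with `&`, `|`, `!` and parentheses; the check names and the sample text are constructed here.

```python
import configparser
import re

# Constructed copy of the three sections posted in the reply above.
THREAD_RULES = """
[pf_ssid]
filter = ssid
operator = is
value = PF-Wireless

[SG1_switch]
filter = switch._ip
operator = is
value = 172.11.5.121

[reg_by_switch:pf_ssid_switch]
scope = RegistrationRole
action = modify_node
action_param = mac = $mac, status = reg, category=employees
role = employees
"""


def parse_filters(text):
    """Split the INI sections into conditions and rules ('name:expression')."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    conditions, rules = {}, {}
    for name in cp.sections():
        body = dict(cp[name])
        if ":" in name:
            rule, expr = name.split(":", 1)
            rules[rule] = {"expr": expr, **body}
        else:
            conditions[name] = body
    return conditions, rules


def referenced_names(expr):
    """Condition names used in a rule expression (assumed syntax, see lead-in)."""
    return re.findall(r"[A-Za-z0-9_.\-]+", expr)


def parse_action_param(value):
    """'mac = $mac, status = reg' -> {'mac': '$mac', 'status': 'reg'}."""
    params = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        if key.strip():
            params[key.strip()] = val.strip()
    return params


def lint(text):
    """Return (section, finding, detail) tuples for the checks below."""
    conditions, rules = parse_filters(text)
    findings, used = [], set()
    for rule, body in rules.items():
        for name in referenced_names(body["expr"]):
            used.add(name)
            if name not in conditions:
                findings.append((rule, "undefined-condition", name))
        # The reply's point: modify_node must also set the node status,
        # otherwise the device is never registered.
        if body.get("action") == "modify_node":
            params = parse_action_param(body.get("action_param", ""))
            if "status" not in params:
                findings.append((rule, "modify_node-without-status", ""))
    for name in conditions:
        if name not in used:
            findings.append((name, "unused-condition", ""))
    return findings


# Variant with the rule header combining both conditions (constructed).
COMBINED_RULES = THREAD_RULES.replace("pf_ssid_switch]", "pf_ssid&SG1_switch]")
# Variant with the action_param from the original question (constructed).
QUESTION_RULES = COMBINED_RULES.replace(", status = reg, category=employees", "")

if __name__ == "__main__":
    for label, text in (("thread", THREAD_RULES),
                        ("combined", COMBINED_RULES),
                        ("question", QUESTION_RULES)):
        print(label, lint(text))
```

A rule that sets `status = reg` registers every device matching its conditions without any portal interaction, so the condition expression is the only control on who gets the `employees` role and is worth reviewing as such.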



Re: [PacketFence-users] Cluster - Portal opening

2017-12-15 Thread Fabrice Durand via PacketFence-users
Hello Luís,

the only solution i can see is to raise the server resources

Regards
Fabrice

On 2017-12-14 at 10:05, Luís Torres via PacketFence-users wrote:
>
> Hi mates,
>
>  
>
> is there a way to speed up the opening of the portal webpage? in the
> cluster it takes a few seconds to open it...
>
>  
>
> cheers
>
>  
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence doesn't change VLAN after registration

2017-12-15 Thread Fabrice Durand via PacketFence-users
Hello Luca,


What is the deauth method you chose in your switch config? (Supposed
to be Radius).

What is the deauth port and coa port you defined (1700 / 3799) ?


Can you do a capture of the CoA ? (tshark -i eth0 -f "port 1700 or 3799"
-w /tmp/coa.pcap) and send it to me ?

Regards
Fabrice

On 2017-12-15 at 09:00, luca comes wrote:
>
> Hi Fabrice,
>
> sorry I didn't want to offend anybody I only meant I can't understand
> what is going on and hope someone can help. I really appreciate your
> effort and sure after I put my PF in production I think my company will
> buy also support. PF is going to become the access server for all of
> our sites' networks and more or less 1000 users. Going back to the
> problem you centered the issue I can't see any Deauthentication inside
> the log and this is strange. If I force it manually changing the role
> of the node it works fine and then it is moved on the guest VLAN but I
> cannot understand how to debug the problem. I extended the log
> facility to DEBUG but no useful information are sent, is there any
> other thing I can check?
>
>
> Thanks
>
>
> Luca
>
>
>
> ----------------
> *From:* Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net>
> *Sent:* Friday, 15 December 2017 14:46
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Packetfence doesn't change VLAN
> after registration
>  
>
> Hello Luca,
>
> if you want faster answer you can buy a support contract with Inverse.
>
> I answer on the mailing list when i have time to do it and most of the
> time i am busy.
>
>
> So the packetfence.log is not complete enough, because what is
> interesting is just after, and we are supposed to see
> "Deauthenticating ...".
>
>
> Regards
>
> Fabrice
>
>
>
> On 2017-12-15 at 06:17, luca comes via PacketFence-users wrote:
>>
>> Hi all,
>>
>> I ask a new question hoping this time someone would answer to me. I'm
>> configuring a guest wireless LAN on Cisco WLC and Packetfence (last
>> version 7.3) on CentOS 7. The authentication on the guest is made
>> with sponsor authorization so the client access the guest but is
>> correctly moved on the registration VLAN by PF and the portal is
>> shown to the user. After all the informations have been provided
>> correctly the email is sent to the sponsor who can access the link
>> and unlock the user. The problem is that after unlock the user is
>> never moved on the guest VLAN even if is correctly registered. The
>> role mapping per VLAN ID is correctly configured in the switch
>> configuration, I attach the log cleaned from unuseful noise. Someone
>> can help to investigate on this issue?
>>
>>
>> Thank you in advance 
>>
>>
>> Luca
>>
>>
>> Sent from Outlook <http://aka.ms/weboutlook>
>>
>>
>>
>
> -- 
> Fabrice Durand
> fdur...@inverse.ca <mailto:fdur...@inverse.ca> ::  +1.514.447.4918 (x135) ::  
> www.inverse.ca <http://www.inverse.ca>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
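What to look for in the CoA capture requested above, as an added example that is not part of the original thread or PacketFence's own code: a decoder for the RFC 5176 Disconnect/CoA messages that pairs each request with the NAS reply and reports the Error-Cause. The payloads are constructed sample data with a zeroed authenticator; the function takes the UDP payload bytes of each packet on port 1700 or 3799.

```python
import struct

# RFC 5176 packet codes for dynamic authorization.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
CALLING_STATION_ID = 31   # usually carries the client MAC
ERROR_CAUSE = 101         # 4-byte integer, present in NAK replies
CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
          403: "NAS Identification Mismatch", 404: "Invalid Request",
          501: "Administratively Prohibited",
          503: "Session Context Not Found", 506: "Resources Unavailable"}


def parse_radius(payload):
    """Decode a RADIUS header and its attributes, rejecting truncated data."""
    if len(payload) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length, _auth = struct.unpack("!BBH16s", payload[:20])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match payload")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, payload[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, "code-%d" % code),
            "id": ident, "attrs": attrs}


def summarize(payloads):
    """Pair requests with replies by identifier (simplified: a real capture
    should also match on the address and port pair) and list the outcome."""
    pending, report = {}, []
    for raw in payloads:
        pkt = parse_radius(raw)
        if pkt["code"] in (40, 43):
            mac = next((v.decode("ascii", "replace") for t, v in pkt["attrs"]
                        if t == CALLING_STATION_ID), "?")
            pending[pkt["id"]] = (pkt["name"], mac)
        elif pkt["code"] in (41, 42, 44, 45):
            request, mac = pending.pop(pkt["id"], ("unmatched", "?"))
            cause = next((struct.unpack("!I", v)[0] for t, v in pkt["attrs"]
                          if t == ERROR_CAUSE and len(v) == 4), None)
            text = None
            if cause is not None:
                text = CAUSES.get(cause, "Error-Cause %d" % cause)
            report.append((request, mac, pkt["name"], text))
    # Requests the NAS never answered: wrong port, ACL, or shared secret.
    for request, mac in pending.values():
        report.append((request, mac, "no reply", None))
    return report


def build(code, ident, attrs):
    """Build a constructed sample packet (authenticator left as zeros)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body


# Constructed sample: one refused disconnect, one CoA with no answer.
MAC = b"aa-bb-cc-dd-ee-ff"
SAMPLE_PAYLOADS = [
    build(40, 7, [(CALLING_STATION_ID, MAC)]),
    build(42, 7, [(ERROR_CAUSE, struct.pack("!I", 503))]),
    build(43, 8, [(CALLING_STATION_ID, MAC)]),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_PAYLOADS):
        print(row)
```

An empty capture means the request never left the server, which matches the missing "Deauthenticating ..." log line; a NAK or an unanswered request points at the controller side instead.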



Re: [PacketFence-users] Cisco Catalyst 9300 and 9400 support

2017-12-15 Thread Fabrice Durand via PacketFence-users
Hello,

yes if the ios is not something completely exotic it should be ok.

Regards

Fabrice


On 2017-12-15 at 06:25, Tomasz Karczewski via PacketFence-users wrote:
>
> Does it have different cisco ios?
>
>  
>
> Tomasz Karczewski
>
> Network Administrator
>
>  
>
> olman
>
>  
>
> tkarczew...@man.olsztyn.pl
>
> http://www.man.olsztyn.pl   http://www.uwm.edu.pl
>
> tel. (89) 523 45 55  fax. (89) 523 43 47
>
>  
>
> Ośrodek Eksploatacji i Zarządzania
>
> Miejską Siecią Komputerową OLMAN w Olsztynie
>
> Uniwersytet Warmińsko-Mazurski w Olsztynie
>
>  
>
> *From:* Jeremy Plumley via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, December 14, 2017 10:35 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Jeremy Plumley 
> *Subject:* [PacketFence-users] Cisco Catalyst 9300 and 9400 support
>
>  
>
> Just reaching out to see if anyone has implemented Packetfence on a
> Cisco Catalyst 9300 or 9400 model switch? This seems to be Cisco’s new
> line that will probably phase out 4500 and 6500 model switches.
>
>  
>
> Jeremy Plumley
>
> ITS Network Administrator
>
> Ext 50024
>
> E-Mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and shall be disclosed to third
> parties when required by the statutes (G.S. 132-1.)
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Packetfence doesn't change VLAN after registration

2017-12-15 Thread Fabrice Durand via PacketFence-users
Hello Luca,

if you want faster answer you can buy a support contract with Inverse.

I answer on the mailing list when i have time to do it and most of the
time i am busy.


So the packetfence.log is not complete enough, because what is
interesting is just after, and we are supposed to see
"Deauthenticating ...".


Regards

Fabrice



On 2017-12-15 at 06:17, luca comes via PacketFence-users wrote:
>
> Hi all,
>
> I ask a new question hoping this time someone would answer to me. I'm
> configuring a guest wireless LAN on Cisco WLC and Packetfence (last
> version 7.3) on CentOS 7. The authentication on the guest is made with
> sponsor authorization so the client access the guest but is correctly
> moved on the registration VLAN by PF and the portal is shown to the
> user. After all the informations have been provided correctly the
> email is sent to the sponsor who can access the link and unlock the
> user. The problem is that after unlock the user is never moved on the
> guest VLAN even if is correctly registered. The role mapping per VLAN
> ID is correctly configured in the switch configuration, I attach the
> log cleaned from unuseful noise. Someone can help to investigate on
> this issue?
>
>
> Thank you in advance 
>
>
> Luca
>
>
> Sent from Outlook
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Ubiquiti UniFi AP Captive Portal

2017-12-13 Thread Fabrice Durand via PacketFence-users
 their device on the captive
> portal page
>  2. One 802.1X protected SSID with Radius assigned VLAN's and
> mac-address authentication. When the user has registered his or
> her device they now can connect to this protected SSID.
>
> Best regards,
> Geert
>
> 2017-12-12 23:53 GMT+01:00 Timothy Mullican via PacketFence-users
> <packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>>:
>
> Fabrice,
> I am running UniFi controller version 5.6.22 and UniFi AP-AC-Pro
> firmware 3.9.3.7537, both of which should be the latest. It
> appears that the Radius assigned VLAN option only shows up as an
> option in the UniFi controller when you choose WPA Enterprise. You
> can see screenshots of my setup below:
>
> https://i.imgsafe.org/05/05bb81f5b4.png
> https://i.imgsafe.org/05/05bbd86ab4.png
> https://i.imgsafe.org/05/05bbb5eafe.png
> https://i.imgsafe.org/05/05bbc22129.png
>
> The running config from the UniFi AP is also available at:
>
> https://pastebin.com/Zz0cRLSM
>
> Thanks!
> On Tuesday, December 12, 2017 10:13:36 AM CST,
> Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
>
> You probably have to update the controller version.
>
>
>
> On 2017-12-12 at 10:30, Timothy Mullican via PacketFence-users wrote:
> Fabrice,
> On the UniFi controller the “Use dynamic VLAN assignment” option
> only shows up on SSIDs using 802.1x. Is there any way to also use
> dynamic vlan assignment on open SSIDs? For open networks it only
> lets me specify a static VLAN to use. 
>
> Thanks!
>
> Sent from mobile phone
>
> On Dec 12, 2017, at 07:41, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Timothy,
>
> you must enable that:
>
> https://raw.githubusercontent.com/inverse-inc/packetfence/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png
>
> Regards
>
> Fabrice
>
>
> On 2017-12-12 at 01:37, Timothy Mullican via PacketFence-users wrote:
> Hello all,
> I am trying to setup a proof of concept using an Ubiquiti UniFi
> UAP-PRO with the following setup:
>
> Cisco 3560-E L3 Switch
> UniFi UAP-PRO
> UniFi Controller running on CentOS 7.3 (docker) on ESXi
> PacketFence running on CentOS 7.3 on ESXi
>
> The Cisco switch has the following VLANs:
> VLAN 2 - registration
> VLAN 3 - isolation 
> VLAN 4 - guest
> VLAN 10 - enterprise
> VLAN 20 - wireless
> VLAN 100 - out of band management
>
> I have created two SSIDs on the UniFi AP, a secure 802.1x SSID and
> an open SSID. I was able to apply the patch available
> at https://github.com/inverse-inc/packetfence/pull/2735 to enable
> 802.1x for the secure network and this is working correctly.
> However, for the open guest SSID, I am trying to do a captive
> portal with dynamic vlan assignment. The user would initially be
> placed in the registration vlan (2) and then moved to another vlan
> based on their user role (vlan 4 or 10). Both the UniFi controller
> VM and the UniFi AP are in VLAN 20. On the UniFi controller,
> dynamic VLAN assignment appears to only be an option under 802.1x
> networks, otherwise you must choose a static VLAN. I saw the
> external captive portal setup for the UniFi under the PacketFence
> Network Devices documentation, but I don’t believe this supports
> dynamic VLAN assignment. Does anyone know of any way to do dynamic
> VLAN assignment on an open wireless network with the UniFi AP, or
> have any suggestions?
>
> Thanks!
>
>

Re: [PacketFence-users] Cluster - no dhcp

2017-12-12 Thread Fabrice Durand via PacketFence-users
Just on one of them, right ?

If it's the case then it's normal.


On 2017-12-12 at 14:22, Luís Torres via PacketFence-users wrote:
>
> Hi mates,
>
>  
>
> manage to recover the cluster but now the dhcp wont start. Gives me
> the error:
>
>  
>
> /usr/local/pf/bin/pfcmd service dhcpd restart
> service|command
> dhcpd|already stopped
> Service 'dhcpd' is not managed by PacketFence. Therefore, no action
> will be performed
>
>  
>
> What could be?
>
>  
>
> Regards
>
> LT
>
>  
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Mysql query error -"Database query failed with non retryable error"

2017-11-16 Thread Fabrice Durand via PacketFence-users
Hello Yan,

it looks that the pid ( the person ) doesn't exist on your setup.

So check in the person tab if you can find it (the person id appear just
before the error in the log).

Regards

Fabrice



On 2017-11-16 at 05:21, Yan via PacketFence-users wrote:
> Hi dear users,
>
> We use PF V7.3 in our offices and currently there 200+ employees using
> PF as AAA server for 802.1x wireless connection. I guess we are not
> the largest client of PF. But when I check packetfence.log I found
> below errors keeps occurring. And most of the errors happened around
> 10:00 to 11:00 am. Our employees usually come to office during this time.
> I keep all system settings as default. So is this performance issue ?
> Are these errors caused by any inappropriate settings ? How could I
> optimize my settings to resolve this issue ?
>
> error log below:
> packetfence_httpd.aaa: httpd.aaa(32263) ERROR: [mac:xx:xx:xx:26:13:xx]
> Database query failed with non retryable error: Cannot add or update a
> child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT
> `0_57` FOREIGN KEY (`pid`) REFERENCES `person` (`pid`) ON DELETE
> CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` (
> `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`,
> `category_id`, `computername`, `detect_date`, `device_class`,
> `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`,
> `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`,
> `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`,
> `notes`, `pid`, `regdate`, `sessionid`, `status`, `time_balance`,
> `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, NOW(),
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(),
> `notes` = ?, `pid` = ?, `status` = ?] (pf::dal::db_execute)
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-16 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

i just tested with the latest ios and it looks to be the same (Version
15.2(6)E)

Regards

Fabrice



On 2017-11-16 at 07:45, Cristian Mammoli via PacketFence-users wrote:
> Thank you very much Fabrice, greatly appreciated. I'll schedule an
> upgrade on a test switch.
>
> Maybe the bug is related to this:
> https://quickview.cloudapps.cisco.com/quickview/bug/CSCve85309 ?
>
> On 15/11/2017 22:50, Fabrice Durand via PacketFence-users wrote:
>> Hello Cristian,
>>
>> so i am able to replicate it and it looks to be a bug with the ios version.
>>
>> Let's say i have a nothing connected on the port Gi1/0/8, if i do that:
>>
>> Switch#sh interfaces gigabitEthernet 1/0/8
>> GigabitEthernet1/0/8 is administratively down, line protocol is down
>> (disabled)
>>   Hardware is Gigabit Ethernet, address is dca5.f434.5508 (bia
>> dca5.f434.5508)
>>   MTU 1500 bytes, BW 1 Kbit/sec, DLY 1000 usec,
>>  reliability 255/255, txload 1/255, rxload 1/255
>>   Encapsulation ARPA, loopback not set
>>   Keepalive set (10 sec)
>>   Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
>>   input flow-control is off, output flow-control is unsupported
>>   ARP type: ARPA, ARP Timeout 04:00:00
>>   Last input 00:07:35, output 00:07:05, output hang never
>>   Last clearing of "show interface" counters never
>>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>>   Queueing strategy: fifo
>>   Output queue: 0/40 (size/max)
>>   5 minute input rate 0 bits/sec, 0 packets/sec
>>   5 minute output rate 0 bits/sec, 0 packets/sec
>>  484517 packets input, 59890752 bytes, 0 no buffer
>>  Received 266453 broadcasts (221983 multicasts)
>>  0 runts, 0 giants, 0 throttles
>>  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>>  0 watchdog, 221983 multicast, 0 pause input
>>  0 input packets with dribble condition detected
>>  618866 packets output, 72946865 bytes, 0 underruns
>>  0 output errors, 0 collisions, 35 interface resets
>>  0 unknown protocol drops
>>  0 babbles, 0 late collision, 0 deferred
>>  0 lost carrier, 0 no carrier, 0 pause output
>>  0 output buffer failures, 0 output buffers swapped out
>>
>> I have 59890752 bytes in and 72946865 bytes out.
>>
>>
>> I plug a laptop on it, pf receive a accounting packet with in 0 and out
>> 0 (normal).
>>
>> If i shutdown the port then pf receive a accounting packet with 59890752
>> (a little bit more) bytes in and 72946865 (a little bit more) bytes out.
>>
>> | id | acctsessionid | username                   | nasipaddress  | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
>> |----|---------------|----------------------------|---------------|----------------|---------------------|-----------------|------------------|-----------------|----------------------------------|
>> |  3 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:21 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> |  6 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:19:28 |        59665537 |         72749820 |               7 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> |  9 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:31 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> | 12 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:05 |        59846611 |         72909854 |             994 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> | 15 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:36:26 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> | 18 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:57 |        59869432 |         72929035 |              30 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
>> | 21 | 0061          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:38:25 |               0 |                0 |

Re: [PacketFence-users] auth request from wrong switch

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hum ok, really weird.

It looks that first when the device connect on the port 2/43 802.1x
failed so it start mac auth but just after that the port goes down and a
new request is coming from the port 5/3.

When this happen, can you check in the mac-address-table where is the
mac address (before and after) ?

Is it a stack of switches ?

Does the issue occur all the time on the same physical switch ?


On 2017-11-16 at 22:52, Sokolowski, Darryl wrote:
> Hi Fabrice,
> Yes, those ports are switchports plugged directly to pcs. Not uplink.
> Show cdp neighbors returns expected ports, but none of those in
> question here.
>
> Thanks
> Darryl
>
>
>
>  Original message 
> From: Durand fabrice via PacketFence-users
> 
> Date: 11/16/17 7:48 PM (GMT-05:00)
> To: packetfence-users@lists.sourceforge.net
> Cc: Durand fabrice 
> Subject: Re: [PacketFence-users] auth request from wrong switch
>
> Just to be sure, the port 5/3 and 2/43 are switch port , no uplink ?
>
> Does "show cdp neighbors" return one of these ports ?
>
>
>
> On 2017-11-16 at 17:46, Sokolowski, Darryl via PacketFence-users wrote:
>>
>> Another thing I noticed is that if I go into PF and restart the
>> switchport from the node details, it will authenticate as dot1x.
>>
>> When it fails, it seems it is trying wired mac auth. When it does
>> wired mac auth, it says it’s successful, but on a port that is
>> something other than where it is really plugged in, so no network access.
>>
>> If I unplug the nic, and plug it back in, it does not work, only when
>> I restart the port from PF does it work properly and authenticate as
>> dot1x.
>>
>>  
>>
>>  
>>
>>  
>>
>> *From:*Sokolowski, Darryl via PacketFence-users
>> [mailto:packetfence-users@lists.sourceforge.net]
>> *Sent:* Thursday, November 16, 2017 10:34 AM
>> *To:* packetfence-users@lists.sourceforge.net; Jason Sloan
>> 
>> *Cc:* Sokolowski, Darryl 
>> *Subject:* Re: [PacketFence-users] auth request from wrong switch
>>
>>  
>>
>> Hi again,
>>
>> This is weird, I don’t know what it means.
>>
>> A machine starts up, shows up on port 2/43, then it appears for some
>> reason it gets authorized on a different port right after that. The
>> first port it appears on, 2/43 is the real port it’s plugged into.
>> Then right after that, it appears on 5/3, and that’s when I think it
>> gets kicked off the network, since now the switch thinks it’s on 5/3.
>> There are no minihubs in the way, these machines plug directly into
>> their respective ports.
>>
>>  
>>
>> I attached a good bit of the debug log, but didn’t want to send the
>> whole thing, it’s very long. Let me know if I need to send more.
>> There is more in the attachment than I pasted below.
>>
>> I can’t figure out why these machines are getting seen on multiple ports.
>>
>>  
>>
>> Thanks for any insight.
>>
>> Darryl
>>
>>  
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350287: 350087: Nov 16
>> 12:53:00.279: dot1x-packet:[0026.2d15.049b, Gi2/43] EAPOL canned
>> status packet sent to client 0xAC94"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350288: 350088: Nov 16
>> 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Deleting client
>> 0xAC94 (0026.2d15.049b)"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350289: 350089: Nov 16
>> 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Delete auth client
>> (0xAC94) message"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350290: 350090: Nov 16
>> 12:53:00.279: dot1x-ev:Auth client ctx destroyed
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350291: 350091: Nov 16
>> 12:53:00.279: RADIUS/ENCODE():Orig. component type = Invalid
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350292: 350092: Nov 16
>> 12:53:00.279: RADIUS(): Config NAS IP: 172.16.0.200
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350293: 350093: Nov 16
>> 12:53:00.279: RADIUS(): Config NAS IPv6: ::
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350294: 350094: Nov 16
>> 12:53:00.279: RADIUS(): sending
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350295: 350095: Nov 16
>> 12:53:00.279: RADIUS(): Send Access-Request to
>> 172.16.1.73:1812 onvrf(0) id 1645/251, len 259"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350296: 350096: Nov 16
>> 12:53:00.279: RADIUS:  authenticator 7A 07 65 33 17 CD 20 47 - 3C 6A
>> 23 4C 46 19 31 B0
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350297: 350097: Nov 16
>> 12:53:00.279: RADIUS:  User-Name   [1]   14  "00262d15049b"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350298: 350098: Nov 16
>> 12:53:00.279: RADIUS:  User-Password   [2]   18  *
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350299: 350099: Nov 16
>> 12:53:00.279: RADIUS:  Service-Type    [6]   6   Call
>> Check    [10]
>>
>> 2017-11-16 

Re: [PacketFence-users] R: R: R: R: Switch Compatibility

2017-11-17 Thread Fabrice Durand via PacketFence-users
cumentation.
>
>  
>
>  
>
> *From:* Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Saturday, 11 November 2017 13.51
> *To:* Alessandro Canella <alessandro.cane...@itcare.it>;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: R: [PacketFence-users] Switch Compatibility
>
>  
>
> Hello Alessandro,
>
>  
>
> you will need to edit the switch module and add this:
>
> =item returnAuthorizeWrite
> Return radius attributes to allow write access
> =cut
>
> sub returnAuthorizeWrite {
>     my ($self, $args) = @_;
>     my $logger = $self->logger;
>     my $radius_reply_ref;
>     my $status;
>     $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=15';
>     $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
>     $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
>     my $filter = pf::access_filter::radius->new;
>     my $rule = $filter->test('returnAuthorizeWrite', $args);
>     ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>     return [$status, %$radius_reply_ref];
> }
>
> =item returnAuthorizeRead
> Return radius attributes to allow read access
> =cut
>
> sub returnAuthorizeRead {
>     my ($self, $args) = @_;
>     my $logger = $self->logger;
>     my $radius_reply_ref;
>     my $status;
>     $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=3';
>     $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
>     $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
>     my $filter = pf::access_filter::radius->new;
>     my $rule = $filter->test('returnAuthorizeRead', $args);
>     ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>     return [$status, %$radius_reply_ref];
> }
>
> Then restart PacketFence.
>
> Let me know if it works.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-11-11 at 02:41, Alessandro Canella wrote:
>
> Zyxel GS 2210.
>
>  
>
> I need only AAA for switch login (if you remember I use
> captive portal for wifi in inline mode)
>
>  
>
> Zyxel provide
> 
> https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451=EN
> 
> <https://kb.zyxel.com/KB/searchArticle%21gwsViewDetail.action?articleOid=009451=EN>
>
>  
>
> I’ve done all as written in this doc (dictionary and so on)
>
>  
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 10 November 2017 21.35
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Switch Compatibility
>
>  
>
> Hello Alessandro,
>
> what is the type of the switch ?
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-11-10 at 09:44, Alessandro Canella via
> PacketFence-users wrote:
>
> Hello all,
>
>  
>
> I solved everything (thanks to all..) and now I'm
> investigating about this:
>
>  
>
>  
>
>  
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Authentication
> successful for newuser in source file1 (Htpasswd)
> (pf::authentication::authenticate)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Using sources file1
> for matching (pf::authentication::match2)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Matched rule (admins)
> in source file1, returning action

Re: [PacketFence-users] Captive portal not redirecting after registration

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hello Pedro,

it looks that it's a reevaluation issue, can you provide the
packetfence.log ?

What controler/AP are you using in your POC ?

Regards

Fabrice



On 2017-11-17 at 13:03, Pedro Trindade via PacketFence-users wrote:
> Hello all, I've been trying to make a Packetfence 7.3.0 POC on a
> Centos7.0 server.
>
> However after the registration process the user is not redirected both
> in ios and android devices.
>
> Any help would be appreciated :)
>
> Thanks,
>
> Pedro C. Trindade
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] DHCP service not listed

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hello,

this is normal, the DHCP can run only on 2 of them.

Regards

Fabrice



On 2017-11-17 at 14:35, Tobias Friede via PacketFence-users wrote:
> Hi,
>
> I have the same problem, maybe that behavior is normal?
>
> My Cluster is a PF 7.2 Cluster. 
>
> Greetings
> Tobias
>
> 2017-11-17 16:34 GMT+01:00 Stephen Appleby via PacketFence-users:
>
> I've created a 3 node PF cluster. On one of the nodes DHCP is not
> listed as a service on the Status-Services page, and on the
> cluster status page that node's DHCP service status shows unknown.
> If I run 'pfcmd service pf restart' on that node it
> doesn't list the DHCP service either.
>
>
> Any idea as to what the problem might be?
>
>
>
> Stephen 
>
>
> 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Switch Compatibility

2017-11-10 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

What is the type of the switch?

Regards

Fabrice



On 2017-11-10 at 09:44, Alessandro Canella via PacketFence-users wrote:
>
> Hello all,
>
> I solved everything (thanks to all..) and now I'm investigating about
> this:
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711)
> INFO: [mac:[undef]] Authentication successful for newuser in source
> file1 (Htpasswd) (pf::authentication::authenticate)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711)
> INFO: [mac:[undef]] Using sources file1 for matching
> (pf::authentication::match2)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711)
> INFO: [mac:[undef]] Matched rule (admins) in source file1, returning
> actions. (pf::Authentication::Source::match)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711)
> INFO: [mac:[undef]] PacketFence does not support this switch for
> read/write access login (pf::Switch::returnAuthorizeWrite)
>
>  
>
>  
>
> I’ve configured switch according to brand guidelines (based on
> freeradius) and I’m trying to enable PF Radius for CLI / HTTPS login.
>
> Switch is configured in PF Switch webpage, I’ve configured SNMP and
> SSH too
>
> *Alessandro Canella*
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
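
As an added example (not part of the thread and not PacketFence code): a small Python log check that pairs each successful httpd.aaa authentication with a later "does not support this switch for read/write access login" line from the same worker, listing switch logins that authenticated but received no authorization. The function name and the sample log are constructed here; the message formats are the ones quoted above.

```python
import re

# Line layout as in the httpd.aaa entries quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+:\s"
    r"httpd\.aaa\((?P<pid>\d+)\)\s\w+:\s\[mac:.*?\]\s"
    r"(?P<msg>.*)\s\((?P<sub>[\w:]+)\)$"
)
AUTH_RE = re.compile(r"^Authentication successful for (\S+) in source (\S+)")
RULE_RE = re.compile(r"^Matched rule \((.+?)\) in source")
UNSUPPORTED_SUB = "pf::Switch::returnAuthorizeWrite"
PREFIX = "Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa"

# Constructed sample: worker 2711 repeats the thread's four messages (unwrapped);
# the worker 2712 lines and the final cut-off line are made up for the example.
SAMPLE_LOG = "\n".join([
    PREFIX + "(2711) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)",
    PREFIX + "(2712) INFO: [mac:[undef]] Authentication successful for operator in source file1 (Htpasswd) (pf::authentication::authenticate)",
    PREFIX + "(2711) INFO: [mac:[undef]] Using sources file1 for matching (pf::authentication::match2)",
    PREFIX + "(2711) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning actions. (pf::Authentication::Source::match)",
    PREFIX + "(2712) INFO: [mac:[undef]] Matched rule (readers) in source file1, returning actions. (pf::Authentication::Source::match)",
    PREFIX + "(2711) INFO: [mac:[undef]] PacketFence does not support this switch for read/write access login (pf::Switch::returnAuthorizeWrite)",
    PREFIX + "(2711) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning action",
])


def find_unauthorized_cli_logins(log_text):
    """Return one finding per login that authenticated but got no switch authorization."""
    pending = {}   # worker pid -> login currently being processed by that worker
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped, cut-off or foreign line
        pid, msg = m["pid"], m["msg"]
        auth = AUTH_RE.match(msg)
        if auth:
            pending[pid] = {"user": auth[1], "source": auth[2], "rule": None}
            continue
        rule = RULE_RE.match(msg)
        if rule and pid in pending:
            pending[pid]["rule"] = rule[1]
        elif m["sub"] == UNSUPPORTED_SUB and "does not support this switch" in msg:
            # Authentication passed, but the switch module returned no privileges.
            login = pending.pop(pid, {"user": None, "source": None, "rule": None})
            findings.append({"time": m["ts"], **login})
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_cli_logins(SAMPLE_LOG):
        print(finding)
```
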



Re: [PacketFence-users] Recommended Distribution / Version

2017-11-14 Thread Fabrice Durand via PacketFence-users
Ok let me fix that.

Btw you can remove the file initial_data.json and do a python manage.py
syncdb.



On 2017-11-14 at 04:12, Jason Sloan wrote:
> Looks like there's 2 more dependencies
> python-ipaddress
> python-idna
>
> Then it looks like I'm bombing out on an initial data load of some
> sort. Based on the output it looks like the syncdb command is being
> issued, but the table doesn't exist in the database.
>
> Full output:
>
> Running transaction
>   Installing : packetfence-pki-1.0.8-1.el7.centos.noarch    1/1
> certificate exist do nothing
> /usr/lib/python2.7/site-packages/django/core/management/commands/syncdb.py:24:
> RemovedInDjango19Warning: The syncdb command will be removed in Django 1.9
>   warnings.warn("The syncdb command will be removed in Django 1.9",
> RemovedInDjango19Warning)
>
> /usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py:229:
> RemovedInDjango19Warning: initial_data fixtures are deprecated. Use
> data migrations instead.
>   RemovedInDjango19Warning
>
> Operations to perform:
>   Synchronize unmigrated apps: staticfiles, rest_framework, pki,
> messages, bootstrap3
>   Apply all migrations: admin, authtoken, contenttypes, auth, sessions
> Synchronizing apps without migrations:
>   Creating tables...
>     Creating table pki_ca
>     Creating table pki_attrib
>     Creating table pki_schema
>     Creating table pki_ldap
>     Creating table pki_certprofile
>     Creating table cert
>     Creating table pki_certrevoked
>     Creating table pki_rest
>     Running deferred SQL...
>   Installing custom SQL...
> Traceback (most recent call last):
>   File "manage.py", line 10, in 
>     execute_from_command_line(sys.argv)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 338, in execute_from_command_line
>     utility.execute()
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 330, in execute
>     self.fetch_command(subcommand).run_from_argv(self.argv)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 390, in run_from_argv
>     self.execute(*args, **cmd_options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/syncdb.py",
> line 25, in handle
>     call_command("migrate", **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 120, in call_command
>     return command.execute(*args, **defaults)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/migrate.py",
> line 179, in handle
>     created_models = self.sync_apps(connection,
> executor.loader.unmigrated_apps)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/migrate.py",
> line 364, in sync_apps
>     hide_empty=True,
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/__init__.py",
> line 120, in call_command
>     return command.execute(*args, **defaults)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/base.py",
> line 441, in execute
>     output = self.handle(*args, **options)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 60, in handle
>     self.loaddata(fixture_labels)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 90, in loaddata
>     self.load_label(fixture_label)
>   File
> "/usr/lib/python2.7/site-packages/django/core/management/commands/loaddata.py",
> line 147, in load_label
>     obj.save(using=self.using)
>   File
> "/usr/lib/python2.7/site-packages/django/core/serializers/base.py",
> line 173, in save
>     models.Model.save_base(self.object, using=using, raw=True)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 738, in save_base
>     updated = self._save_table(raw, cls, force_insert, force_update,
> using, update_fields)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 803, in _save_table
>     forced_update)
>   File "/usr/lib/python2.7/site-packages/django/db/models/base.py",
> line 853, in _do_update
>     return filtered._update(values) > 0
>   File "/usr/lib/python2.7/site-packages/django/db/models/query.py",
> line 580, in _update
>     return query.get_compiler(self.db).execute_sql(CURSOR)
>   File
> "/usr/lib/python2.7/site-packages/django/db/models/sql/compiler.py",
> line 1059, in execute_sql
>     cursor = super(SQLUpdateCompiler, self).execute_sql(result_type)
>   File
> 

Re: [PacketFence-users] R: R: R: Switch Compatibility

2017-11-13 Thread Fabrice Durand via PacketFence-users
ilter::radius->new;
>     my $rule = $filter->test('returnAuthorizeRead', $args);
>     ($radius_reply_ref, $status) =
> $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>     return [$status, %$radius_reply_ref];
> }
>
> Then restart PacketFence.
>
> Let me know if it works.
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-11-11 at 02:41, Alessandro Canella wrote:
>
> Zyxel GS 2210.
>
>  
>
> I need only AAA for switch login (if you remember I use captive
> portal for wifi in inline mode)
>
>  
>
> Zyxel provide
> https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451=EN
>
> I’ve done all as written in this doc (dictionary and so on)
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 10 November 2017 21:35
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Switch Compatibility
>
>  
>
> Hello Alessandro,
>
> what is the type of the switch ?
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-11-10 at 09:44, Alessandro Canella via PacketFence-users
> wrote:
>
> Hello all,
>
> I solved everything (thanks to all..) and now I'm
> investigating about this:
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Authentication successful
> for newuser in source file1 (Htpasswd)
> (pf::authentication::authenticate)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Using sources file1 for
> matching (pf::authentication::match2)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] Matched rule (admins) in
> source file1, returning actions.
> (pf::Authentication::Source::match)
>
> Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa:
> httpd.aaa(2711) INFO: [mac:[undef]] PacketFence does not
> support this switch for read/write access login
> (pf::Switch::returnAuthorizeWrite)
>
>  
>
>  
>
> I’ve configured switch according to brand guidelines (based on
> freeradius) and I’m trying to enable PF Radius for CLI / HTTPS
> login.
>
>  
>
>  
>
> Switch is configured in PF Switch webpage, I’ve configured
> SNMP and SSH too
>
>  
>
> *Alessandro Canella*
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
