Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-27 Thread Fabrice Durand via PacketFence-users
In fact you need to restart the portal, haproxy and iptables to make it
available.



On 2018-02-19 at 03:29, E.P. wrote:
>
> And my further attempts to put two and two together and look back in
> time into this mailing list showed that Fabrice already answered this
> question before:
>
> Yes, I'd create an alias, e.g. eth0.1
>
> So, under Configuration-Networks-Interfaces I click "ADD VLAN" and
> then add VLAN 1, add a new IP address belonging to the same subnet and
> then select type "portal".
>
> New interface eth0.1 gets created with IP address 172.16.0.223, I can
> reach it via IP and my interfaces and networks look like this:
>
> What else am I doing to enable captive portal? I thought that it is
> enabled by default and I see httpd.portal is UP and running but I
> don't see any ports open on 172.16.0.223.
>
> And iptables allows all HTTP and HTTPS for the input-portal-if chain.
>
> Eugene
>
>
> From: E.P. [mailto:ype...@gmail.com]
> Sent: Sunday, February 18, 2018 11:14 PM
> To: 'packetfence-users@lists.sourceforge.net'
> Cc: 'Durand fabrice'
> Subject: RE: [PacketFence-users] Access to PF captive portal is blocked
>
>
> I think it is slowly coming to me, Fabrice.
>
> My PF is purely for RADIUS enforcement and PF has only one IP address, of
> management type.
>
> Now if I want WebAuth enforcement I would need to create one more
> interface of portal type.
>
> The question is: can I create this portal-type interface in the same
> subnet as the management interface?
>
> I would want to have them both in the same VLAN.
>
> Eugene
>
>
> From: E.P. [mailto:ype...@gmail.com]
> Sent: Sunday, February 18, 2018 7:20 PM
> To: 'packetfence-users@lists.sourceforge.net'
> Cc: 'Durand fabrice'
> Subject: RE: [PacketFence-users] Access to PF captive portal is blocked
>
>
> Here it is, Fabrice.
>
> 10.0.254.3 is the WiFi client and 172.16.0.222 is PF.
>
> Tcpdump.pcap is attached and it was made right on PF.
>
> The second capture was made on the laptop connected to guest WiFi.
>
> It contains pings to PF, but all TCP SYN requests are answered with
> RST.
>
> Eugene
>
>
> From: Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> Sent: Sunday, February 18, 2018 10:51 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Durand fabrice
> Subject: Re: [PacketFence-users] Access to PF captive portal is blocked
>
>
> Hello Eugene,
>
> Do you have the capture?
>
> Regards
> Fabrice
>
> On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:
>
> Hi Fabrice,
>
> I dare send it again, believing my previous email fell through the cracks.
>
> Can you please advise what could be wrong (see below)?
>
> Eugene
>
> From: E.P. [mailto:ype...@gmail.com]
> Sent: Wednesday, February 14, 2018 1:08 AM
> To: packetfence-users@lists.sourceforge.net
> Subject: Access to PF captive portal is blocked
>
>
> Hello folks,
>
> I really hope someone who ran into a similar problem will shed
> some light.
>
> Feeling bad we don't hear anything from Fabrice or someone from
> Inverse.
>
> I have an out-of-band deployment of PF and my WiFi client gets
> connected and redirected to PF.
>
> I see redirects by capturing the traffic on PF with tcpdump.
>
> But... I see that PF sends TCP resets even for TCP SYN packets coming
> from the client.
>
> It seems to me it is just the iptables firewall that blocks it.
>
> Why? Where am I supposed to enter those IP addresses that are
> allowed to go through captive portal registration?
>
> I do allow the PF IP address in the pre-authorization access list and
> my ping to the FQDN of PF succeeds normally.
>
> It is only HTTP(S) that doesn't go through.
>
> Even a manually entered URL in the client browser doesn't open up
> any page, i.e. https://pf.blabla.com/captive-portal or
> https://172.16.0.222/captive-portal
>
> Eugene
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  
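Fabrice's two replies in this thread come down to one check: is anything actually listening on 443 on the new portal IP, and does the input-portal-if chain let it through? The script below is an added example (not PacketFence code) that parses `ss -ltn` and `iptables -S` output to answer both questions; the embedded output is constructed to reproduce Eugene's symptom, and 172.16.0.222/223 are the addresses from the thread.

```python
"""Explain why a PacketFence portal IP answers TCP SYN with RST.

Added example, not code from PacketFence or from the thread. It parses
constructed `ss -ltn` and `iptables -S <chain>` output; on a real host
feed it the live command output instead.
"""
import shlex

# Constructed sample: haproxy listens on the management IP only, which is
# what a SYN->RST on the new portal IP (172.16.0.223) looks like.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    172.16.0.222:443   0.0.0.0:*
LISTEN 0      128    172.16.0.222:80    0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
"""

# Constructed sample: the chain Eugene describes, HTTP and HTTPS accepted.
IPTABLES_OUTPUT = """\
-N input-portal-if
-A input-portal-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-portal-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-portal-if -j DROP
"""


def listeners(ss_text):
    """Return the set of (ip, port) pairs in LISTEN state from `ss -ltn`."""
    result = set()
    for line in ss_text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        ip, _, port = parts[3].rpartition(":")
        result.add((ip.strip("[]"), int(port)))
    return result


def listens_on(ss_text, ip, port):
    """True if ip:port, or a wildcard socket (*, 0.0.0.0, ::), is listening."""
    found = listeners(ss_text)
    return any((cand, port) in found for cand in (ip, "*", "0.0.0.0", "::"))


def chain_accepts_tcp(iptables_text, chain, port):
    """True if an ACCEPT for tcp --dport <port> precedes any DROP/REJECT
    that would match it, walking the chain in rule order."""
    for line in iptables_text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-A" or argv[1] != chain:
            continue
        target = argv[argv.index("-j") + 1] if "-j" in argv else None
        dport = argv[argv.index("--dport") + 1] if "--dport" in argv else None
        if target == "ACCEPT" and "tcp" in argv and dport == str(port):
            return True
        if target in ("DROP", "REJECT") and dport in (None, str(port)):
            return False
    return False


def diagnose(ss_text, iptables_text, portal_ip, port=443, chain="input-portal-if"):
    """Separate 'firewall blocks it' from 'nothing is bound to the portal IP'.

    A kernel with no socket on ip:port answers SYN with RST by itself, so an
    RST with an ACCEPT rule in place points at the daemons, not iptables.
    """
    if not chain_accepts_tcp(iptables_text, chain, port):
        return "blocked: no ACCEPT for tcp/%d in chain %s" % (port, chain)
    if not listens_on(ss_text, portal_ip, port):
        return "no listener on %s:%d (restart portal, haproxy and iptables)" % (portal_ip, port)
    return "ok: firewall accepts and a socket listens on %s:%d" % (portal_ip, port)


if __name__ == "__main__":
    print(diagnose(SS_OUTPUT, IPTABLES_OUTPUT, "172.16.0.223"))
```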

Re: [PacketFence-users] Access to PF captive portal is blocked

2018-02-27 Thread Fabrice Durand via PacketFence-users
It looks like the port (443) is not open on the interface.


On 2018-02-18 at 22:19, E.P. wrote:
>
> Here it is, Fabrice.
>
> 10.0.254.3 is the WiFi client and 172.16.0.222 is PF.
>
> Tcpdump.pcap is attached and it was made right on PF.
>
> The second capture was made on the laptop connected to guest WiFi.
>
> It contains pings to PF, but all TCP SYN requests are answered with
> RST.
>
> Eugene
>
>
> From: Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> Sent: Sunday, February 18, 2018 10:51 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Durand fabrice
> Subject: Re: [PacketFence-users] Access to PF captive portal is blocked
>
>
> Hello Eugene,
>
> Do you have the capture?
>
> Regards
> Fabrice
>
> On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:
>
> Hi Fabrice,
>
> I dare send it again, believing my previous email fell through the cracks.
>
> Can you please advise what could be wrong (see below)?
>
> Eugene
>
> From: E.P. [mailto:ype...@gmail.com]
> Sent: Wednesday, February 14, 2018 1:08 AM
> To: packetfence-users@lists.sourceforge.net
> Subject: Access to PF captive portal is blocked
>
>
> Hello folks,
>
> I really hope someone who ran into a similar problem will shed
> some light.
>
> Feeling bad we don't hear anything from Fabrice or someone from
> Inverse.
>
> I have an out-of-band deployment of PF and my WiFi client gets
> connected and redirected to PF.
>
> I see redirects by capturing the traffic on PF with tcpdump.
>
> But... I see that PF sends TCP resets even for TCP SYN packets coming
> from the client.
>
> It seems to me it is just the iptables firewall that blocks it.
>
> Why? Where am I supposed to enter those IP addresses that are
> allowed to go through captive portal registration?
>
> I do allow the PF IP address in the pre-authorization access list and
> my ping to the FQDN of PF succeeds normally.
>
> It is only HTTP(S) that doesn't go through.
>
> Even a manually entered URL in the client browser doesn't open up
> any page, i.e. https://pf.blabla.com/captive-portal or
> https://172.16.0.222/captive-portal
>
> Eugene
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] local user not unregistering

2018-06-28 Thread Fabrice Durand via PacketFence-users

Hello Franklin,

are there any devices associated with this username?

Regards

Fabrice



On 2018-06-28 at 06:00, Franklin, Adam via PacketFence-users wrote:


Hello

Can anyone tell me why when I use the PacketFence GUI to manually 
create a user and set an “unregistration date” – the unregistration 
date has no effect? How do I get my temporary accounts to unregister 
on the date selected?


Thanks



--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] CoA reply packet not detected by packetfence

2018-10-23 Thread Fabrice Durand via PacketFence-users

Hello Ali,

in fact, /usr/local/pf/html/pfappserver/lib/pfappserver/Model/Node.pm 
bouncePort is made to shut/no shut the port and it uses SNMP.


What you will need to do is implement the function 
wiredeauthTechniques (for wired) or deauthTechniques (for wireless) in 
order to launch the correct function to reevaluate the access.


Regards

Fabrice


On 18-10-21 at 23:36, Amjad Ali wrote:

Hi Fabrice,

Yes, you're spot on, the issue was wrong port numbers; we'll fix that 
very soon.


A slightly different issue but I need your advice on it: I have 
changed the bouncePort subroutine in Node.pm to send the MAC address 
instead of the switch port index for CoA to work properly. This has been 
done at /usr/local/pf/html/pfappserver/lib/pfappserver/Model/Node.pm


unless ($switch->bouncePort($locationlog->{port})) { # changed port to mac
    $status = $STATUS::INTERNAL_SERVER_ERROR;
    $status_msg = "Couldn't restart port.";
}


I need to know what would be the best way to change this preferred 
behavior from SNMP to CoA, because later on, if we submit this module 
to be part of PF, I guess there would be some issues about it.


Many thanks again.
Ali

On Sat, Oct 20, 2018 at 11:18 AM Durand fabrice via PacketFence-users wrote:


Hello Ali,

you did the right thing, but in the capture it looks like the switch
replies on the wrong port.

CoA request: src port 52492 dst 3799

CoA-ACK : src port 1812 dst 3799 (it's supposed to be src 3799 dst
52492)

So it looks to me like a switch bug.

Regards

Fabrice

On 18-10-15 at 05:47, Amjad Ali via PacketFence-users wrote:

Hi All,

We have implemented the CoA method to bounce port (reusing Cisco.pm
_radiusBounceMac) in our new hardware module but with some issues.

1) The bounce port CoA request packet is received at the switch, the
switch replies with CoA-ACK and obliges with port down then port
up. (It does what it's supposed to do, no problems)
2) The CoA-ACK reply packet also arrives at the switch (I
confirmed it with tcpdump) but packetfence somehow can't get the
reply packet. Instead I get the following log entries

Oct 15 16:43:59 packetfence httpd_admin: httpd.admin(826) INFO:
[mac:unknown] boucing MAC e0:db:55:cd:84:62 using RADIUS
CoA-Request method (pf::Switch::Pica::bouncePort)
Oct 15 16:43:59 packetfence httpd_admin: httpd.admin(826) WARN:
[mac:unknown] Unable to perform RADIUS CoA-Request: Timeout
waiting for a reply from 10.10.51.217 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm  line 162.
(pf::Switch::Pica::catch {...} )
Oct 15 16:43:59 packetfence httpd_admin: httpd.admin(826) ERROR:
[mac:unknown] Cannot restart switch port for e0:db:55:cd:84:62
(pfappserver::PacketFence::Controller::Node::restart_switchport)

I checked the Radius.pm code (perform_dynauth), it sends the CoA
request packet and listens for a reply, the reply arrives at the
machine running packetfence but evades the socket listening for
reply.

I double checked the timeout and port number but couldn't get to
the root cause. Any ideas would be highly appreciated. I'm
attaching the capture request/reply pcap for your reference.
Please advise.

Thanks,
Ali
-- 
Amjad Ali






--
Amjad Ali


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

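Fabrice's diagnosis in this thread (CoA-ACK coming back from port 1812 to 3799 instead of from 3799 to 52492) can be checked mechanically against a capture. The following is an added example, not PacketFence code: it pairs each CoA-Request with replies by RADIUS Identifier and NAS address, then applies the ordinary UDP rule that a reply must come from the port the request was sent to, back to the port it was sent from. The packet records are constructed from the port numbers quoted in the thread; 10.10.51.1 as the PacketFence address is an assumption.

```python
"""Correlate RADIUS CoA requests with their replies from a capture.

Added example, not PacketFence code. The packets below are constructed
from the port numbers quoted in the thread; real ones would come from a
pcap parsed with your tool of choice.
"""
from collections import namedtuple

# RADIUS packet codes for dynamic authorization (RFC 5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CODE_NAMES = {COA_REQUEST: "CoA-Request", COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}

Packet = namedtuple("Packet", "src_ip sport dst_ip dport code ident")

# Constructed capture matching the thread: PF (10.10.51.1 is an assumed
# address) sends from ephemeral port 52492 to switch 10.10.51.217:3799;
# the switch ACKs from 1812 to 3799, so PF's socket on 52492 never sees it.
CAPTURE = [
    Packet("10.10.51.1", 52492, "10.10.51.217", 3799, COA_REQUEST, 7),
    Packet("10.10.51.217", 1812, "10.10.51.1", 3799, COA_ACK, 7),
]

# The exchange a correctly behaving switch produces for the same request.
CAPTURE_OK = [
    Packet("10.10.51.1", 52492, "10.10.51.217", 3799, COA_REQUEST, 7),
    Packet("10.10.51.217", 3799, "10.10.51.1", 52492, COA_ACK, 7),
]


def correlate(packets):
    """Pair each CoA-Request with its replies and classify the outcome.

    Returns one dict per request with 'status' set to 'answered',
    'wrong_ports' or 'unanswered', plus the reply packet if one was seen.
    """
    results = []
    requests = [p for p in packets if p.code == COA_REQUEST]
    replies = [p for p in packets if p.code in (COA_ACK, COA_NAK)]
    for req in requests:
        # A reply to this request carries the same RADIUS Identifier and
        # comes from the NAS the request was addressed to.
        candidates = [r for r in replies
                      if r.ident == req.ident and r.src_ip == req.dst_ip]
        entry = {"request": req, "reply": None, "status": "unanswered"}
        for rep in candidates:
            entry["reply"] = rep
            # The sending socket is bound to req.sport and the kernel only
            # delivers datagrams addressed to that port; the NAS must also
            # answer from the port it was contacted on.
            if rep.sport == req.dport and rep.dport == req.sport:
                entry["status"] = "answered"
                break
            entry["status"] = "wrong_ports"
        results.append(entry)
    return results


def explain(entry):
    """One-line human-readable verdict for a correlated request."""
    req, rep = entry["request"], entry["reply"]
    name = CODE_NAMES[req.code]
    if entry["status"] == "answered":
        return "%s id=%d answered by %s" % (name, req.ident, CODE_NAMES[rep.code])
    if entry["status"] == "wrong_ports":
        return ("%s id=%d: %s sent from %d to %d, expected from %d to %d "
                "(NAS bug; PF times out waiting on its socket)" % (
                    name, req.ident, CODE_NAMES[rep.code],
                    rep.sport, rep.dport, req.dport, req.sport))
    return "%s id=%d: no reply seen" % (name, req.ident)


if __name__ == "__main__":
    for entry in correlate(CAPTURE) + correlate(CAPTURE_OK):
        print(explain(entry))
```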


Re: [PacketFence-users] pfdhcp providing duplicates IP.

2018-11-14 Thread Fabrice Durand via PacketFence-users

Hello Diego,

I am working on it and have found the issue.

I am testing the code and it will soon be available in the maintenance branch 
(pf-maint.pl).


Regards

Fabrice

On 18-11-07 at 11:20, Diego Lopes da Cruz via PacketFence-users wrote:

Hi!
Some clients are complaining about browsing problems, and while 
troubleshooting we found in /usr/local/pf/logs/pfdhcplistener.log 
that the system is distributing the same IP (always the first of the 
range) to 3 or 4 devices (MAC nodes). The same problem occurs in 
different subnets, always the first IP of the range, in our case 
10.220.2.30 of (10.220.2.0/23).
I already researched, but I did not find the solution. Has anyone ever 
had this same problem?


The log:
Nov  7 13:12:49 siscav2 pfdhcplistener: pfqueue(30805) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host a8:16:d0:68:b6:b3 (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:15:26 siscav2 pfdhcplistener: pfqueue(30805) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host 98:ca:33:aa:16:2e (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:15:40 siscav2 pfdhcplistener: pfqueue(30791) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host 98:ca:33:aa:16:2e (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:18:53 siscav2 pfdhcplistener: pfqueue(30793) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host a8:16:d0:09:2b:8d (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:20:47 siscav2 pfdhcplistener: pfqueue(30802) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host cc:61:e5:2f:17:ef (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:50:47 siscav2 pfdhcplistener: pfqueue(1127) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host cc:61:e5:2f:17:ef (10.220.2.30) for 300 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:53:18 siscav2 pfdhcplistener: pfqueue(1127) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host cc:61:e5:2f:17:ef (10.220.2.30) for 300 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)

Version of PF:
# rpm -qa | grep packet
packetfence-8.1.0-2.el7.noarch
packetfence-ntlm-wrapper-8.1.0-2.el7.x86_64
packetfence-pfcmd-suid-8.1.0-2.el7.x86_64
packetfence-release-1.2-7.el7.noarch
packetfence-config-8.1.0-2.el7.noarch

thanks





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

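Diego's pfdhcplistener.log excerpt shows one address ACKed to several MACs within a single lease time, which is the signal worth alerting on while the fix propagates. The script below is an added example, not PacketFence code: it parses lines in that log format and flags any DHCPACK that hands an IP to a MAC while another MAC's lease on it is still unexpired. The sample log is constructed from the thread's entries plus one later renewal, and the year 2018 is assumed because syslog timestamps omit it.

```python
"""Flag DHCP leases handed to several MACs while still active.

Added example, not PacketFence code. It reads pfdhcplistener.log lines of
the shape shown in the thread and reports an IP being ACKed to a second
MAC before the first lease has expired. Syslog lines carry no year, so
2018 is assumed for the constructed sample below.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pfdhcplistener: .*?DHCPACK from "
    r"(?P<server>\S+) \((?P<server_mac>[0-9a-f:]{17})\) to host "
    r"(?P<mac>[0-9a-f:]{17}) \((?P<ip>[0-9.]+)\) for (?P<lease>\d+) seconds"
)

# Constructed sample: the first four lines follow the thread's excerpt, the
# last is a renewal after every earlier lease on 10.220.2.30 has expired.
SAMPLE_LOG = """\
Nov  7 13:12:49 siscav2 pfdhcplistener: pfqueue(30805) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host a8:16:d0:68:b6:b3 (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:15:26 siscav2 pfdhcplistener: pfqueue(30805) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host 98:ca:33:aa:16:2e (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:18:53 siscav2 pfdhcplistener: pfqueue(30793) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host a8:16:d0:09:2b:8d (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 13:20:47 siscav2 pfdhcplistener: pfqueue(30802) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host cc:61:e5:2f:17:ef (10.220.2.30) for 3600 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Nov  7 14:30:47 siscav2 pfdhcplistener: pfqueue(1127) INFO: [mac:unknown] DHCPACK from 200.19.223.2 (00:50:56:9a:66:b2) to host cc:61:e5:2f:17:ef (10.220.2.30) for 300 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
"""


def parse_acks(log_text, year=2018):
    """Yield one dict per DHCPACK line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = "%d %s" % (year, " ".join(m["ts"].split()))  # "Nov  7" -> "Nov 7"
        yield {
            "ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            "server": m["server"],
            "mac": m["mac"],
            "ip": m["ip"],
            "lease": int(m["lease"]),
        }


def find_conflicts(log_text, year=2018):
    """Return a record for every ACK that assigns an IP to a MAC while a
    different MAC still holds an unexpired lease on that same IP.

    Renewals by the same MAC are not conflicts; leases expire when the ACK
    time plus the lease length has passed.
    """
    active = {}  # ip -> {mac: lease_end}
    conflicts = []
    for ack in parse_acks(log_text, year):
        holders = active.setdefault(ack["ip"], {})
        for mac, end in list(holders.items()):  # drop expired leases first
            if end <= ack["ts"]:
                del holders[mac]
        others = sorted(m for m in holders if m != ack["mac"])
        if others:
            conflicts.append({"ts": ack["ts"], "ip": ack["ip"],
                              "mac": ack["mac"], "active": others})
        holders[ack["mac"]] = ack["ts"] + timedelta(seconds=ack["lease"])
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LOG):
        print("%s %s leased to %s while held by %s"
              % (c["ts"].strftime("%b %d %H:%M:%S"), c["ip"], c["mac"], ", ".join(c["active"])))
```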


Re: [PacketFence-users] Internal Radius config basics

2018-11-14 Thread Fabrice Durand via PacketFence-users


On 18-11-14 at 02:42, Amjad Ali wrote:
Thank you Fabrice, that clears up a lot of things, I just confirmed as 
you explained and it works great.
Just to further understand the above config, the PacketFence still 
uses the internal radius to communicate all the stuff with the switch. 
That is, local authentication is achieved with the help of the built-in 
radius of PacketFence.

Yes exactly


Thanks
Ali

On Wed, Nov 14, 2018 at 11:54 AM Durand fabrice wrote:


Hello Ali,

ok so no need to create a Radius Authentication source.

What you just need to do is the following:

be sure that the password encryption is nthash or cleartext.

uncomment packetfence-local-auth

create a connection profile with a filter like SSID = my_SSID

and select the source local.


Then create your switch on the PacketFence side with the same
shared secret (pf and switch side).

Create users in the user tab and assign them the correct role and
access duration.

And you will be good.

Regards

Fabrice


On 18-11-13 at 22:35, Amjad Ali wrote:

Hi Durand,

Much appreciate the quick response, actually our use case is such
that we want to authenticate clients directly against PF/Radius,
without going to the portal. For that I have uncommented
packetfence-local-auth in
/usr/local/pf/conf/radiusd/packetfence-tunnel

You think that makes sense?

Thanks,
Ali

On Wed, Nov 14, 2018 at 11:12 AM Durand fabrice via PacketFence-users wrote:

Hello Ali,

In Radius source timeout will be the time you allow the
radius source to answer and shared secret is the shared
secret between the pf and the radius server.

Btw the Radius source is a way to do the authentication on
the portal.

Shared secret in the switch config is the shared secret
between the switch (you defined it in the switch
configuration) and Packetfence.

Regards

Fabrice


On 18-11-13 at 21:59, Amjad Ali via PacketFence-users wrote:

Hi All,

When setting up internal radius in PF, what's the purpose of
Timeout and Secret?
Secondly, when we add a switch there is a Radius tab where we
put a Secret key; what's the relation between these two keys?
Why is the secret added in two different places?

Thanks
Ali

-- 
Amjad Ali






-- 
Amjad Ali




--
Amjad Ali


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] Eduroam local login

2018-11-14 Thread Fabrice Durand via PacketFence-users

Hello Will,

I think it's because the username is not stripped on the ntlm_auth call.

Can you strip it in the farn-ct-ac-uk realm config?


It's like that right now:

realm farn-ct.ac.uk {
 nostrip
}

Regards

Fabrice


On 18-11-14 at 11:34, Will Halsall via PacketFence-users wrote:


Hi Folks

I have configured an Eduroam Exclusive Source and the access point but 
am able to log in a local user. I have included the radius eduroam 
debug logs. Would it be possible for someone to have a look to see if 
they can spot what I am doing wrong?


Thanks

Will Halsall





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] dhcp domain-search option

2018-09-28 Thread Fabrice Durand via PacketFence-users

In PacketFence 8 there is a way to do it with the API.

cf: https://github.com/inverse-inc/packetfence/tree/devel/go/dhcp


On 2018-09-28 at 12:58, mj via PacketFence-users wrote:

For the archives:

we're still on 7.1, and the only way of doing that there is by editing
* /usr/local/pf/lib/pf/services/manager/dhcpd.pm
near line 177, and adding the line there:

  option domain-search "domain.com";

Restart dhcpd, and voila.

It seems that from version 8 onwards, packetfence no longer uses ISC 
dhcpd, so the procedure will be different. (if possible at all...?)


Best,
MJ

On 09/27/2018 11:40 AM, lists via PacketFence-users wrote:

Hi,

We would like to provide a dhcp domain-search option for our 
packetfence (7.1) inline clients.


The gui only allows for a dhcp ip range to be set.

Is it possible to provide a search option somewhere?

MJ







--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





Re: [PacketFence-users] Packetfence 8.3.0 + Eduroma cannot set the Role or the Access Duration

2019-01-16 Thread Fabrice Durand via PacketFence-users

Hello Will,

I have pushed something in the maintenance branch.

Can you run /usr/local/pf/addons/pf-maint.pl, then restart packetfence 
and try again.


Btw let me know if it fixes the issue.

Thanks

Fabrice


On 19-01-16 at 06:38, Will Halsall via PacketFence-users wrote:


Hi Fabrice

I added the ad source to the default connection profile but no joy

The user with a userPrincipalName of w.hals...@farn-ct.ac.uk 
and a sAMAccountName of xwill does not 
set a Role or Access Duration.


A user with a userPrincipalName of 0...@farn-ct.ac.uk 
and a sAMAccountName of 0010 will 
set a Role and Access Duration.


Thanks

Will Halsall

From: Durand fabrice via PacketFence-users
Sent: 16 January 2019 02:21
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Packetfence 8.3.0 + Eduroma cannot 
set the Role or the Access Duration


Hello Will,

can you provide the content of packetfence.log.

It looks like the user xwill authenticates correctly but nothing is 
returned by packetfence (it uses the default connection profile).


Do you have an authentication source defined in the default connection 
profile (like the AD source)?


Regards

Fabrice

On 19-01-15 at 10:50, Will Halsall via PacketFence-users wrote:

Hi Folks,

Have upgraded to packetfence 8.3 to use the userPrincipalName for 802.1x 
authentication and it authenticates fine but I cannot make it set the Role or 
the Access Duration.

I have defined the role in the Internal Sources and the Exclusive Sources 
as a catchall rule.



--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] active directory authentication to web interface

2019-01-16 Thread Fabrice Durand via PacketFence-users

Hello Matteo,

check in the file httpd.admin.log, the answer is probably here.

Regards

Fabrice


On 19-01-16 at 07:16, Matteo De Lazzari via PacketFence-users wrote:
Uhm... Fabrice, I'm sorry again; I can't make it work. I joined the 
domain, I created a realm and finally I created an authentication 
source with an Administration Rule as you suggested. The binding in 
the auth source works fine, but I can't log in via the web interface. I 
have a doubt about the Base DN; can I use only an organizational unit 
or also a security group?


Thank you

Matteo

On 16/01/2019 03:22, Durand fabrice via PacketFence-users wrote:

Hello Matteo,

yes of course, you need to define your AD source and add a management 
rule with access_level set to all.


That's it.

Regards

Fabrice


On 19-01-15 at 10:39, Matteo De Lazzari via PacketFence-users wrote:
Hi to all. Is there a manner to use active directory to authenticate 
the access to web interface?


Thanks, Matteo





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





Re: [PacketFence-users] fields in nodes view

2019-01-16 Thread Fabrice Durand via PacketFence-users
You can add columns, or if you want to change the default then you need to 
edit the code for that:


https://github.com/inverse-inc/packetfence/blob/devel/html/pfappserver/lib/pfappserver/PacketFence/Controller/Node.pm#L52

Regards

Fabrice


On 19-01-16 at 05:14, Matteo De Lazzari via PacketFence-users wrote:
I mean... When I search for nodes, the view shows me a default set of 
fields (i.e. status, online/offline, MAC Address, etc). I need to 
change the default set of fields shown.


Thanks

On 16/01/2019 03:23, Durand fabrice via PacketFence-users wrote:

Can you explain more, like what fields you want to see.

Regards

Fabrice


On 19-01-15 at 10:03, Matteo De Lazzari via PacketFence-users wrote:
Hi to all. Is there a manner to change the default fields shown in 
the nodes view (not only for the current session)?



Thanks, Matteo





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-16 Thread Fabrice Durand via PacketFence-users

Hello Benjamin,

so I think I know what happens: you are using the LDAP source just for 
authorization, and if there are no rules that match then PacketFence will 
use the role of the device.


Can you try to remove the role of the device and make another try ?

Thanks

Fabrice


On 19-01-15 at 21:07, Durand fabrice via PacketFence-users wrote:

Hello Benjamin,

it looks ok so i will do some test tomorrow and let you know.

Regards

Fabrice


On 19-01-15 at 14:29, Brenek, Benjamin wrote:

Hello Fabrice,

Sorry for the delay.

We are using an external captive portal (Aerohive) that authenticates 
using PacketFence. PacketFence is configured with a radius proxy in 
/usr/local/pf/raddb/proxy.conf that forwards to our radius servers 
for authorization. Then we use the LDAP authentication source to 
auto-register the device.


I have attached:
authentication.conf
profiles.conf
proxy.conf

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Durand fabrice 
Sent: Friday, January 11, 2019 6:49 PM
To: Brenek, Benjamin ; 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN 
and Scope are not followed.


CAUTION: This email originated from outside of BAYADA. Beware of 
links and attachments.



Hello Benjamin,

Just one thing, to be sure I understand correctly: do you 
authenticate on the portal, or is it autoreg via RADIUS?


Can you send me the authentication.conf and profiles.conf files?

Thanks

Regards

Fabrice


On 19-01-11 at 09:44, Brenek, Benjamin wrote:

Hi Fabrice,

I did as requested and ran a capture for ldap traffic between 
PacketFence and the ldap source. The BaseDN is correct (ou=Company 
Users,dc=subdomain,dc=domain,dc=com) and the scope was correct 
(subtree => wholeSubtree). It also appears that all searchRequests 
return 0 results, which makes it seem like PacketFence is doing 
something even though it shouldn't.


Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Durand fabrice via PacketFence-users

Sent: Thursday, January 10, 2019 6:30 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN 
and Scope are not followed.





Hello Benjamin,

What you can do is capture the LDAP traffic between PacketFence 
and the LDAP source and see with Wireshark whether the scope/base DN is 
what you set in the authentication source.


In the code it does a search for the DN of the user and tries to bind 
with this DN.


So if the user is not in or under the base DN then the search should 
not return anything and the authentication should fail.


So take the capture and see what happens exactly.

Regards

Fabrice



On 19-01-10 at 10:38, Brenek, Benjamin via PacketFence-users wrote:

Hi Nicolas,

Our authentication rules under the LDAP sources do not check LDAP 
attributes, as expected/assumed functionality of the LDAP Source 
would be to restrict authorization to the specified Base DN. Is 
this expectation/assumption incorrect?


Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Nicolas Quiniou-Briand 
Sent: Thursday, January 10, 2019 10:20 AM
To: Brenek, Benjamin ;
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN 
and Scope are not followed.





Hello Benjamin,

On 2019-01-10 3:54 p.m., Brenek, Benjamin wrote:

Hi Nicolas,

I did as requested. It looks like the authentication comes back 
with no matches, yet still authenticates the user. Attached is the 
part of the log that relates to authentication of the user.

I saw this:
```
Matched condition SSID equals Company_Employee
(pf::Authentication::Source::match_rule)
[..]
Matched condition SSID equals Company_Employee
(pf::Authentication::Source::match_rule)
```
for both LDAP sources.

Did you have rules on your LDAP sources that check the SSID value 
in place of an LDAP attribute?

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::
https://link.zixcentral.com/u/1c747c88/kiOYMOsU6RG3087ChnsoMg?u=https%3A%2F%2Finverse.ca
Inverse inc. :: Leaders behind SOGo
(https://link.zixcentral.com/u/b29309fb/OHiYMOsU6RG3087ChnsoMg?u=https%3A%2F%2Fsogo.nu), PacketFence
(https://link.zixcentral.com/u/a0bbc547/SNGYMOsU6RG3087ChnsoMg?u=https%3A%2F%2Fpacketfence.org) and Fingerbank

Re: [PacketFence-users] Packet Fence email activation not working.

2019-01-17 Thread Fabrice Durand via PacketFence-users

Hello Justin,

do you have the source code of the email ?

Regards

Fabrice


On 19-01-17 at 12:29, Justin Hartman via PacketFence-users wrote:

Hello everyone,

This is my first time posting here and I am hoping someone can shed 
some light on an issue I am having. After spending what I think was 
far too much time trying to understand the finer points of network 
security I managed to get PacketFence working with all my network 
devices, except for one thing. Whenever anyone attempts to use email 
activation the email that the user receives doesn't have a functional 
link to the activation page. The email seems to be correct except the 
button is just an image with no link attached or any way to click on 
it. I have tried reinstalling PacketFence and experienced the same 
result. I am currently running PacketFence 8.3 on Debian Jessie using 
gmail as an SMTP relay. I have spent a couple days trying to figure 
this out and have now come to the conclusion I need some help.


Does anyone have any ideas?

Justin Hartman




Re: [PacketFence-users] Inline Routed Network - Traffic Dropped by IPtables

2019-01-15 Thread Fabrice Durand via PacketFence-users

Hello Lindsay,

Can you send the file /usr/local/pf/var/conf/iptables.conf and the 
result of the command "ip route"?


Thanks

Regards

Fabrice


On 19-01-14 at 10:03, Lindsay, Ross M via PacketFence-users wrote:


Greetings, All!

We’re working on a pilot of PacketFence to replace a home-grown 
captive portal for two of the networks on our campus. Until we can 
migrate to VLAN enforcement, these two specific networks will be 
routed with PacketFence inline. There’s no NAT here – we’re using 
public address space. I believe we have everything configured 
properly, but traffic will not pass from a registered host on the 
inline network out to the internet. I’ve verified that the routing 
configuration (at the OS level, outside of PF) is correct – the 
devices behind PF can pass traffic just fine if I flush the iptables 
rules added by PF. I’ve also verified that the inline interface is not 
set to NAT in the web GUI. Is there anything else specific that I 
should check or that needs to be changed for this to work? We’re 
running 8.3.0 on CentOS 7 if that helps.


Thank you!

--Ross

*Ross Lindsay* | /Systems/IT Architect Senior/

Office of Information Technology - Network Engineering

*Georgia*Institute of *Tech*nology
Phone: (404) 385-7520  | Skype: rlinds...@gatech.edu 


Email: ross.lind...@oit.gatech.edu 





Re: [PacketFence-users] Packetfence 8.3.0 + Eduroma cannot set the Role or the Access Duration

2019-01-21 Thread Fabrice Durand via PacketFence-users

Hello Will,

so here is your issue:

Jan 21 08:07:57 packetfence packetfence_httpd.aaa: httpd.aaa(6105) 
DEBUG: [mac:68:b3:5e:1b:0b:e4] [AD_For_802_1x catchall] Searching for 
(|(UserPrincipalName=w.halsall)), from DC=College,DC=Farnborough, with 
scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 21 08:07:57 packetfence packetfence_httpd.aaa: httpd.aaa(6105) 
DEBUG: [mac:68:b3:5e:1b:0b:e4] [AD_For_802_1x catchall] Found 0 results 
(pf::Authentication::Source::LDAPSource::_match_in_subclass)
Jan 21 08:07:57 packetfence packetfence_httpd.aaa: httpd.aaa(6105) 
DEBUG: [mac:68:b3:5e:1b:0b:e4] [AD_For_802_1x catchall] No match found 
for this LDAP filter


You need to uncheck "Strip in RADIUS authorization" in the realm 
farn-ct.ac.uk.


Regards

Fabrice


On 19-01-21 at 03:22, Will Halsall via PacketFence-users wrote:


Hi Fabrice,

It looks like the DEBUG is on now

Thanks

Will

*From:*Fabrice Durand via PacketFence-users 


*Sent:* 17 January 2019 15:45
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Fabrice Durand 
*Subject:* Re: [PacketFence-users] Packetfence 8.3.0 + Eduroma cannot 
set the Role or the Access Duration


No, the logs are not in debug.

You can restart httpd.aaa to force it.

On 19-01-17 at 10:11, Will Halsall via PacketFence-users wrote:

I hope this is correct

Thanks

WillH

*From:* Fabrice Durand via PacketFence-users
*Sent:* 17 January 2019 13:50
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Fabrice Durand
*Subject:* Re: [PacketFence-users] Packetfence 8.3.0 + Eduroma
cannot set the Role or the Access Duration

Hello Will,

For me it looks like the search in the LDAP server doesn't return
anything.

What you can do is change the log level to debug for httpd.aaa,
make a try and paste the packetfence.log again.


https://github.com/inverse-inc/packetfence/blob/devel/conf/log.conf.d/httpd.aaa.conf.example#L2

log4perl.rootLogger = DEBUG, HTTPD_AAA

Regards

Fabrice

On 19-01-17 at 07:42, Will Halsall via PacketFence-users wrote:

Hi Fabrice,

The fix has helped as a Role is being returned, not the Role I
wanted but a Role nonetheless. No Access Duration is being
set at all.

Have included the radius debug logs and packetfence.log

Thanks

    WillH

*From:* Fabrice Durand via PacketFence-users
*Sent:* 16 January 2019 14:40
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Fabrice Durand
*Subject:* Re: [PacketFence-users] Packetfence 8.3.0 + Eduroma
cannot set the Role or the Access Duration

Hello Will,

I have pushed something to the maintenance branch.

Can you run /usr/local/pf/addons/pf-maint.pl, then restart
packetfence and make another try?

Btw let me know if it fixes the issue.

Thanks

Fabrice

On 19-01-16 at 06:38, Will Halsall via PacketFence-users
wrote:

Hi Fabrice

I added the ad source to the default connection profile
but no joy

The user with a userPrincipalName of
w.hals...@farn-ct.ac.uk
and sAMAccountName of xwill does not set a Role or Access
Duration

A user with a userPrincipalName of 0...@farn-ct.ac.uk
and a sAMAccountName of
0010 will set a Role and Access Duration

Thanks

Will Halsall

*From:* Durand fabrice via PacketFence-users
*Sent:* 16 January 2019 02:21
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice
*Subject:* Re: [PacketFence-users] Packetfence 8.3.0 +
Eduroma cannot set the Role or the Access Duration

Hello Will,

Can you provide the content of packetfence.log?

It looks like the user xwill authenticates correctly but
nothing is returned by PacketFence (it uses the
default connection profile).

Do you have an authentication source defined in the
default connection profile (like the AD source)?

Regards

Fabrice

On 19-01-15 at 10:50, Will Halsall via PacketFence-users
wrote:

 

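Fabrice's description of the LDAP source earlier in this page (search for the user's DN under the base DN, then bind; the device's existing role reused when no rule matches) and the realm-stripping failure in the Eduroam thread above, modelled together as an added example that is not PacketFence's own code. The directory, the source keys (basedn, scope, usernameattributes, strip_username), the rule format and the _pw field are constructed for the example, and the matcher compares attribute values directly instead of parsing an LDAP filter.

```python
import hmac

# Constructed directory in the shape of the thread's base DN. The "_pw" field
# stands in for the directory's own password check during the bind.
BASE_DN = "ou=Company Users,dc=subdomain,dc=domain,dc=com"
DIRECTORY = [
    {"dn": "cn=alice,ou=Staff," + BASE_DN, "userPrincipalName": "alice@example.org",
     "sAMAccountName": "alice", "memberOf": "cn=staff,dc=subdomain,dc=domain,dc=com",
     "_pw": "alice-pw"},
    {"dn": "cn=bob," + BASE_DN, "userPrincipalName": "bob@example.org",
     "sAMAccountName": "bob", "_pw": "bob-pw"},
    # UPN prefix differs from the sAMAccountName, like w.halsall / xwill in the thread
    {"dn": "cn=carol," + BASE_DN, "userPrincipalName": "carol@example.org",
     "sAMAccountName": "xcarol", "_pw": "carol-pw"},
    # Outside the base DN: must never authenticate against this source
    {"dn": "cn=svc-backup,ou=Service Accounts,dc=subdomain,dc=domain,dc=com",
     "userPrincipalName": "svc-backup@example.org", "sAMAccountName": "svc-backup",
     "_pw": "svc-pw"},
]

# Source settings in the spirit of authentication.conf (constructed keys).
SOURCE = {"basedn": BASE_DN, "scope": "sub",
          "usernameattributes": ["userPrincipalName", "sAMAccountName"],
          "strip_username": False}


def _norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """Is entry_dn inside base_dn for LDAP scope base/one/sub?"""
    e, b = _norm(entry_dn), _norm(base_dn)
    if e == b:
        return scope in ("base", "sub")
    if not e.endswith("," + b):
        return False
    if scope == "sub":
        return True
    # "one": exactly one RDN below the base (no comma left once the base is cut)
    return scope == "one" and "," not in e[:-len(b) - 1]


def search(directory, source, value):
    """Entries under the source's base DN/scope whose username attribute == value.
    Simplification: direct attribute comparison instead of parsing an LDAP filter."""
    hits = []
    for entry in directory:
        if not in_scope(entry["dn"], source["basedn"], source["scope"]):
            continue
        if any(entry.get(attr, "").lower() == value.lower()
               for attr in source["usernameattributes"]):
            hits.append(entry)
    return hits


def effective_username(source, username):
    """'Strip in RADIUS authorization' drops the realm before the search."""
    return username.split("@", 1)[0] if source["strip_username"] else username


def authenticate(directory, source, username, password):
    """Search then bind. Fails closed: anything but exactly one hit is a reject."""
    name = effective_username(source, username)
    hits = search(directory, source, name)
    if len(hits) != 1:
        return False, "found %d results for %r under %s" % (len(hits), name, source["basedn"])
    entry = hits[0]
    if not hmac.compare_digest(entry["_pw"].encode(), password.encode()):
        return False, "bind as %s failed" % entry["dn"]
    return True, entry["dn"]


def authorize(directory, source, username, rules, device_role, unset_if_no_role):
    """Role from the source's rules; a catchall rule still needs a found entry.
    With unset_if_no_role=False the device's existing role is reused when the
    search finds nothing, which is the behaviour Benjamin ran into."""
    hits = search(directory, source, effective_username(source, username))
    if len(hits) == 1:
        for rule in rules:
            if rule["attr"] == "catchall" or hits[0].get(rule["attr"]) == rule["equals"]:
                return rule["role"]
    return None if unset_if_no_role else device_role


if __name__ == "__main__":
    stripped = dict(SOURCE, strip_username=True)
    # Stripping the realm turns carol@example.org into "carol", which matches nothing.
    print(authenticate(DIRECTORY, stripped, "carol@example.org", "carol-pw"))
    print(authenticate(DIRECTORY, SOURCE, "carol@example.org", "carol-pw"))
```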
Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-22 Thread Fabrice Durand via PacketFence-users

Hello Benjamin,

What I can do is add a connection profile option that will unset the 
role of the device if no sources return a role.


It will be something like "unset the role if no sources compute one".

I will let you know when it is done.

Regards

Fabrice


On 19-01-21 at 15:46, Brenek, Benjamin wrote:

Hello Fabrice,

Sorry for the delayed reply. I did as you requested and removed the role from a 
device and tried logging in with an account that should not work. It does 
appear that now the account is getting rejected properly.

Is there a catchall rule that can be applied so that this does not happen in 
production, or is there another solution that can be used? It is not desirable 
for us to have users potentially be able to login with out-of-scope accounts.

Thank you,

Ben


Re: [PacketFence-users] Packetfence 8.3.0 + Eduroma cannot set the Role or the Access Duration

2019-01-17 Thread Fabrice Durand via PacketFence-users

Hello Will,

For me it looks like the search in the LDAP server doesn't return anything.

What you can do is change the log level to debug for httpd.aaa, make 
a try and paste the packetfence.log again.


https://github.com/inverse-inc/packetfence/blob/devel/conf/log.conf.d/httpd.aaa.conf.example#L2

log4perl.rootLogger = DEBUG, HTTPD_AAA


Regards

Fabrice


On 19-01-15 at 10:50, Will Halsall via PacketFence-users wrote:

Hi Folks,

I have upgraded to PacketFence 8.3 to use the userPrincipalName for 
802.1X authentication. It authenticates fine, but I cannot make it set the 
Role or the Access Duration.

I have defined the role in the Internal Sources and the Exclusive 
Sources as a catchall rule.



Re: [PacketFence-users] PF 8.3 configurator loop in first page

2019-01-17 Thread Fabrice Durand via PacketFence-users

Hello Medhi,

If it's on CentOS then you need to run pf-maint.pl to fix it (restart 
httpd.admin of course) or set your browser to English.


Regards

Fabrice


On 19-01-17 at 10:42, Mehdi-Gabriel Mjahad via PacketFence-users wrote:

Hello,

I installed PacketFence 8.3 on a fresh CentOS install. Everything went 
fine, but when I select the enforcement type in the web configurator 
and click Next, I stay on the same page. I can access other pages, for 
instance the Networks page, but it's bugged (e.g. VLAN types aren't 
displayed when adding a new VLAN). I can never get past the configurator 
since it doesn't react to any inputs.


Any clue why this is happening? Is this a bug in the new version?

Regards

Mehdi Mjahad
mehdi.mja...@probayes.com





Re: [PacketFence-users] Packetfence 8.3.0 + Eduroma cannot set the Role or the Access Duration

2019-01-17 Thread Fabrice Durand via PacketFence-users

No, the logs are not in debug.

You can restart httpd.aaa to force it.



Re: [PacketFence-users] 802.1X TTLS PAP ... does it works ?

2018-12-20 Thread Fabrice Durand via PacketFence-users

Hello Enrico,

You need to manually add the LDAP server in the FreeRADIUS 
configuration. 
(https://packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_authentication_against_openldap)


Regards

Fabrice




On 18-12-20 at 10:15, Enrico Becchetti via PacketFence-users wrote:

Hi all,
I am asking again in this mailing list to finish the setup of my PacketFence
server. I'm running CentOS 7.6 x86 with 
packetfence-8.2.1-3.el7.noarch and, as you can read from
the subject of this email, I need to activate 802.1X authentication 
using TTLS and PAP.


I've one production VLAN and PF in inline mode for this network. I've 
also defined
"connection profile", "authentication sources", "network device" and so 
on.

You can see all of my settings here:

https://www.dropbox.com/s/rjc0j8mapt4ymzg/8021x.pdf?dl=0

PF must use my LDAP server as backend. In fact all authentication 
requests coming from
AP and switch must be forwarded to the LDAP server. All supplicants 
are configured with

the TTLS and PAP security profile and I haven't any Active Directory domain controller.

In the following lines radius debug from packetfence:

(9) Thu Dec 20 15:09:35 2018: WARNING:   You set Proxy-To-Realm = 
local, but it is a LOCAL realm!  Cancelling proxy request.
(9) Thu Dec 20 15:09:35 2018: ERROR:   No Auth-Type found: rejecting 
the user via Post-Auth-Type = Reject


log file is here:

https://www.dropbox.com/s/579hffpa4w6ff9z/radiusdebug.log?dl=0

Authentication Methods are set to: MD5, MSCHAPv2, PEAP, TLS, TTLS.

Does anyone have any ideas to fix it?

Thank you in advance for your help.
Best Regards
Enrico




Re: [PacketFence-users] CoA with Cisco WLC 2500 not working

2018-12-21 Thread Fabrice Durand via PacketFence-users

Hello Kalcho,

First, redefine your switch config: it's not [10.20.0.10/24]; it should 
be [10.20.0.0/24] or [10.20.0.10].


Then retry.

Regards

Fabrice


On 18-12-21 at 03:24, Kalcho via PacketFence-users wrote:

Hello all,

I have a problem using CoA with Cisco WLC 2500. When I try to deregister a node 
from the packetfence nodes interface, I receive the following message:

Dec 21 08:51:24 packetfence pfqueue: pfqueue(19828) INFO: 
[mac:cc:fd:17:ef:b3:e5] [cc:fd:17:ef:b3:e5] DesAssociating mac on switch 
(10.20.0.10) (pf::api::desAssociate)
Dec 21 08:51:24 packetfence pfqueue: pfqueue(19828) WARN: 
[mac:cc:fd:17:ef:b3:e5] Unimplemented! First, make sure your configuration is 
ok. If it is then we don't support your hardware. Open a bug report with your 
hardware type. (pf::Switch::deauthenticateMacDefault)


Cisco WLC management IP is 10.20.0.10.
Here is the configuration in /usr/local/pf/conf/switches.conf:
[10.20.0.10/24]
description=Cisco-WLC
controllerIp=10.20.0.10
VlanMap=N
type=Cisco::WLC_2500
coaPort=1700
radiusSecret=StrongPassExample
VoIPCDPDetect=N
VoIPDHCPDetect=N
VoIPLLDPDetect=N

On the WLC side I have added the new RADIUS server and marked "support for CoA", and on the WLAN profile under 
Advanced marked "Allow AAA Override".




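An added pre-flight check for the switches.conf mistake Fabrice points out above, not part of PacketFence: the sample file and the check_switch_sections function are constructed for this example, and the check only covers the section header and controllerIp.

```python
import configparser
import ipaddress

# Constructed switches.conf fragment: the header from the thread, the two forms
# Fabrice suggests, and one block whose controllerIp does not belong to it.
SWITCHES_CONF = """\
[10.20.0.10/24]
description=Cisco-WLC
controllerIp=10.20.0.10
type=Cisco::WLC_2500
coaPort=1700
radiusSecret=StrongPassExample

[10.20.0.0/24]
description=Cisco-WLC-range
controllerIp=10.20.0.10
type=Cisco::WLC_2500

[10.20.0.10]
description=Cisco-WLC-host
type=Cisco::WLC_2500

[10.30.0.0/24]
description=AP-range
controllerIp=10.20.0.10
type=Cisco::WLC_2500
"""


def check_switch_sections(text):
    """Map each section header to a list of problems (empty list = fine).
    A header must be a bare IP or a proper CIDR block; an address with host
    bits set (10.20.0.10/24) is reported with both corrected forms, and a
    controllerIp that lies outside the block is reported as well."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (controllerIp, radiusSecret)
    parser.read_string(text)
    report = {}
    for name in parser.sections():
        if name == "default":  # shared settings, not a device section
            continue
        problems = []
        try:
            net = ipaddress.ip_network(name, strict=True)  # bare IP -> /32
        except ValueError:
            try:
                iface = ipaddress.ip_interface(name)
            except ValueError:
                report[name] = ["header %s is neither an IP nor a CIDR block" % name]
                continue
            problems.append("header %s has host bits set; use [%s] or [%s]"
                            % (name, iface.network, iface.ip))
            net = iface.network
        ctrl = parser[name].get("controllerIp")
        if ctrl and ipaddress.ip_address(ctrl) not in net:
            problems.append("controllerIp %s is outside %s" % (ctrl, net))
        report[name] = problems
    return report


if __name__ == "__main__":
    for section, problems in check_switch_sections(SWITCHES_CONF).items():
        print("[%s]" % section, "; ".join(problems) or "ok")
```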

Re: [PacketFence-users] 802.1X TTLS PAP ... does it works ?

2018-12-21 Thread Fabrice Durand via PacketFence-users
If I understand correctly, I need to change Wireless-NOEAP to Wireless-EAP and
create, or change, /usr/local/pf/raddb/modules/ldap following
this guide: 16.3 EAP Authentication.
But tell me more about it, because this file 
/usr/local/pf/raddb/sites-available/packetfence-tunnel

shows nothing about PAP.
Is it normal that in this file there are only the ldap and eap 
authorize modules?

Thanks a lot again !!!
Best Regards
Enrico



Il 20/12/18 19:39, Fabrice Durand via PacketFence-users ha scritto:

Hello Enrico,

you need to add manually the ldap server in the freeradius 
configuration. 
(https://packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_authentication_against_openldap)


Regards

Fabrice




Le 18-12-20 à 10 h 15, Enrico Becchetti via PacketFence-users a 
écrit :

Hi all,
I again ask in this mailing list to finish the setup of my PacketFence
server. I'm running CentOS 7.6 x86 with packetfence-8.2.1-3.el7.noarch
and, as you can read from the subject of this email, I need to activate
802.1X authentication using TTLS and PAP.


I have one production VLAN and PF in inline mode for this network; I've
also defined "connection profile", "authentication sources", "network
device" and so on.

You can see all of my settings here:

https://www.dropbox.com/s/rjc0j8mapt4ymzg/8021x.pdf?dl=0

PF must use my LDAP server as backend. In fact all authentication
requests coming from the AP and the switch must be forwarded to the
LDAP server. All supplicants are configured with a TTLS and PAP
security profile and I don't have any Active Directory domain
controller.


In the following lines is the RADIUS debug output from PacketFence:

(9) Thu Dec 20 15:09:35 2018: WARNING:   You set Proxy-To-Realm = 
local, but it is a LOCAL realm! Cancelling proxy request.
(9) Thu Dec 20 15:09:35 2018: ERROR:   No Auth-Type found: 
rejecting the user via Post-Auth-Type = Reject


The log file is here:

https://www.dropbox.com/s/579hffpa4w6ff9z/radiusdebug.log?dl=0

Authentication Methods are set to: MD5, MSCHAPv2, PEAP, TLS, TTLS.

Does anyone have any ideas to fix it?

Thank you in advance for your help.
Best Regards
Enrico




--
Enrico Becchetti, Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli, c/o Dipartimento di Fisica, 06123 Perugia (ITALY)
Phone: +39 075 5852777  Mail: Enrico.Becchettipg.infn.it


















Re: [PacketFence-users] Wireless Mac Authentication Connection Profile Settings

2018-12-21 Thread Fabrice Durand via PacketFence-users

Hello Kalcho,

first take a look at the RADIUS audit log and see what RADIUS 
request is sent by the WLC.


Also, MAC filtering is mandatory to do MAC auth on an open SSID.

So enable it and go back to the RADIUS audit log to see the RADIUS 
request and what PacketFence answered.


Regards

Fabrice


On 18-12-21 at 12:19, Kalcho via PacketFence-users wrote:

Hello all,

I am using a Cisco WLC 2500 as the authenticator with PacketFence 8.1 for the 
WiFi. The WiFi profile is configured to be Open, with RADIUS and AAA Override 
settings. I intend to use it for MAC Authentication to bring up a Captive Portal 
for registration. All that I have configured, but I have a problem with hitting 
the right profile. If I configure this (call it boyd_profile) with Connection 
Type Wireless-802.1-NoEAP, this profile won't be matched; instead the default 
profile is matched. If I change the Connection Type to Wireless-802.1-EAP, the other 
profile that also has the same connection type is matched because it has higher 
priority. But if I set this profile with higher priority it will be matched. My 
question is why it is matched, even though I am using MAC Authentication (Captive 
Portal) and not EAP? Why is it not matched when using Wireless-802.1-NoEAP?

Also all PacketFence guides for this open network setup instruct to mark "MAC 
Filtering", but when using this I am not even able to connect to that SSID. I guess 
this is because the host MAC needs to be entered beforehand in the MAC Filtering table. Is this 
intended to work like this, or am I missing some point here? Is it meant to work by first 
adding the MAC of the host wishing to connect, and then after it is added to the MAC 
filtering table it will connect and hit the Captive Portal, where the user can authenticate 
using RADIUS, e.g. EAP-PEAP, and after that the provisioning agent can provide it a configuration 
profile?












Re: [PacketFence-users] SSL Certificate for portal

2018-12-21 Thread Fabrice Durand via PacketFence-users
/usr/local/pf/conf/ssl/server.pem is for haproxy, 
/usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf is for the admin 
GUI, and /usr/local/pf/conf/radiusd/eap is for RADIUS.


They are 3 different things, not related to each other, so to fix the portal, fix 
server.pem.


Regards

Fabrice


On 18-12-21 at 13:54, Eric Rolleman wrote:


Okay, I need to create a “/usr/local/pf/conf/ssl/server.pem” file and 
update “/usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf” to 
point to “/usr/local/pf/conf/ssl/server.pem” instead of 
“/usr/local/pf/conf/ssl/server.crt” ?


*From:*Durand fabrice via PacketFence-users 


*Sent:* Wednesday, December 12, 2018 6:29 PM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice 
*Subject:* Re: [PacketFence-users] SSL Certificate for portal

Hello Eric,

for the portal you need to generate a server.pem file (haproxy uses it).

It contains the certificate + the intermediate and the private key.

Regards

Fabrice

On 18-12-12 at 16:44, Eric Rolleman via PacketFence-users wrote:

Where do I change the SSL certificate for the portal?

I replaced the /usr/local/pf/conf/ssl/server.crt and
/usr/local/pf/conf/ssl/server.key files and restarted, but that
only changed the certificate used by the admin site, not the
captive portal.









Re: [PacketFence-users] Using eduroam as an authentication source for switch access?

2018-12-05 Thread Fabrice Durand via PacketFence-users

Hello,

in fact it works, but you need to define another RADIUS port for that, and 
in the switch config it's not possible.


So yes, Murilo is right: you need to wait for the 8.3 release, where you 
will be able to configure PacketFence as a proxy to the eduroam RADIUS 
server.


Regards

Fabrice


On 18-11-30 at 14:01, Murilo Calegari via PacketFence-users wrote:

Hi, Peter,

I think eduroam as a RADIUS source isn't working yet, just as a login 
source (via portal). There's an open pull request on GitHub which adds 
support for RADIUS proxy and, I hope, eduroam login via RADIUS.


Regards,

Murilo

On Fri, 30 Nov 2018 13:53, Peter Eriksson via PacketFence-users 
wrote:


I’ve been using eduroam (among a couple of other sources) as a
system to authenticate users when connecting to our switches with
PacketFence for a couple of years now using an older version of PF.

Now I’m in the process of upgrading to the latest and greatest
version (8.2) and thought I’d do things the “official” way (as
much as is possible). One confusing thing is how to set up eduroam
with the PF servers…

If one does a google search for “packetfence eduroam” the first
result is a FAQ entry:

https://packetfence.org/support/faq/packetfence-and-eduroam.html

However I’m not sure how much the information in that text still
is valid…?

Anyway, I tried to add an “Exclusive” Authentication Source for
Eduroam via the web GUI but it doesn’t seem to get used when a
computer configured for 802.1x authentication connects to a Switch
configured for the same.
(I can see the RADIUS request reaching the Packetfence server, but
no outgoing RADIUS request to the eduroam servers seems to happen)
so I’m guessing this is not the right way to do it.

‘authentication.conf’ parts:


[liu-eduroam]
description=LiU Eduroam RADIUS Servers
type=Eduroam
server1_address=IPADDRESS2
server1_port=1812
server2_address=IPADDRESS1
server2_port=1812
radius_secret=SUPERDUPERSECRET
auth_listening_port=11812
monitor=1
reject_realm=
local_realm=
set_access_level_action=


[liu-eduroam rule liu_staff]
description=LiU Staff
class=authentication
condition0=username,ends,@liu.se 
action0=set_role=liu-employee-user
action1=set_access_duration=1D

[liu-eduroam rule liu_students]
description=LiU Students
class=authentication
condition0=username,matches regexp,^[a-z]+[0-9][0-9][0-9]@liu\.se$
condition1=username,matches regexp,^[a-z]+[0-9][0-9][0-9]@student\.liu\.se$
action0=set_role=liu-student-user
action1=set_access_duration=12h



The raddb/proxy.conf.inc file generated looks like it contains the
eduroam server parts, but (compared to the text in the FAQ) the
“realm DEFAULT” part is empty. Perhaps an “auth_pool =
eduroam_auth_pool” needs to be added somehow? (And perhaps more)?

Any suggestions?

- Peter






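
As an added example (mine, not code from the thread or from PacketFence), a small Python evaluator for the authentication.conf rule sections Peter quotes: it parses the sections, applies the `ends` and `matches regexp` conditions used there, and shows why rule order and the match mode matter. It assumes that a rule's conditions must all hold unless `match=any` is set; the `match=any` line and the sample usernames are constructed.

```python
import configparser
import re

# Constructed excerpt modelled on the authentication.conf sections quoted in
# the thread. The `match=any` line is an assumption added here; without it the
# student rule can never match, since its two conditions cannot hold at once.
SAMPLE_CONF = r"""
[liu-eduroam]
description=LiU Eduroam RADIUS Servers
type=Eduroam
auth_listening_port=11812

[liu-eduroam rule liu_staff]
description=LiU Staff
class=authentication
condition0=username,ends,@liu.se
action0=set_role=liu-employee-user
action1=set_access_duration=1D

[liu-eduroam rule liu_students]
description=LiU Students
class=authentication
match=any
condition0=username,matches regexp,^[a-z]+[0-9][0-9][0-9]@liu\.se$
condition1=username,matches regexp,^[a-z]+[0-9][0-9][0-9]@student\.liu\.se$
action0=set_role=liu-student-user
action1=set_access_duration=12h
"""


def load_rules(text, source_name):
    """Return the rule sections of one source, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    prefix = f"{source_name} rule "
    rules = []
    for section in cp.sections():
        if not section.startswith(prefix):
            continue
        sec = cp[section]
        conditions = []
        for key in sorted((k for k in sec if k.startswith("condition")),
                          key=lambda k: int(k[len("condition"):])):
            # conditionN=attribute,operator,value (value may contain commas)
            attr, op, value = (p.strip() for p in sec[key].split(",", 2))
            conditions.append((attr, op, value))
        actions = {}
        for key in sorted((k for k in sec if k.startswith("action")),
                          key=lambda k: int(k[len("action"):])):
            # actionN=name=value
            name, _, value = sec[key].partition("=")
            actions[name.strip()] = value.strip()
        rules.append({
            "name": section[len(prefix):],
            "class": sec.get("class", "authentication"),
            # Assumption: all conditions must hold unless match=any is set.
            "match": sec.get("match", "all"),
            "conditions": conditions,
            "actions": actions,
        })
    return rules


def condition_holds(op, value, actual):
    """The operators used in the quoted rules plus the two simplest ones."""
    if op == "equals":
        return actual == value
    if op == "starts":
        return actual.startswith(value)
    if op == "ends":
        return actual.endswith(value)
    if op == "matches regexp":
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported operator: {op!r}")


def evaluate(rules, attributes, rule_class="authentication"):
    """First matching rule wins: returns (rule name, actions) or (None, {})."""
    for rule in rules:
        if rule["class"] != rule_class:
            continue
        results = [condition_holds(op, value, attributes.get(attr, ""))
                   for attr, op, value in rule["conditions"]]
        matched = all(results) if rule["match"] == "all" else any(results)
        if matched:
            return rule["name"], rule["actions"]
    return None, {}


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONF, "liu-eduroam")
    for user in ("alice@liu.se", "abc123@student.liu.se", "abc123@liu.se",
                 "mallory@liu.se.attacker.example"):
        print(user, evaluate(rules, {"username": user}))
```

Note that abc123@liu.se is assigned the staff role, because the staff rule comes first and its `ends` condition also matches student-style names; the student rule only gets a chance for the @student.liu.se form.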


Re: [PacketFence-users] Different SNAT interfaces for different inline layer 2 interfaces

2018-12-05 Thread Fabrice Durand via PacketFence-users

Hello Murilo,

it depends on the routing table in the PacketFence server.

Also you can use iproute2 to create dynamic routing based on the source 
interface.


Regards

Fabrice


On 18-11-30 at 07:29, Murilo Calegari via PacketFence-users wrote:

Hi,

We've got two Inline Layers in our network currently (one for Guest 
and the other for students, on different VLANs and different virtual 
interfaces). Currently they're both being redirected to a pfsense 
firewall at eth0 (configured in Inline -> SNAT Interface). Is it 
possible to specify one different SNAT interface for each one of those 
Inline Layers?


Hope someone can help us!

Regards,


Murilo Calegari de Souza
IT Intern
Information Technology Coordination
Instituto Federal do Espírito Santo – Campus Nova Venécia
27 3752 4311 ext. 43112








Re: [PacketFence-users] Inline enforcement and unauthenticated user's access

2018-12-05 Thread Fabrice Durand via PacketFence-users


On 18-12-04 at 11:30, Eric Rolleman via PacketFence-users wrote:


Does packetfence block all outside access to devices behind an inline 
configuration until the user has authenticated?



Yes, except if you defined a passthrough in the configuration.


I know it won’t resolve DNS for anything, but if a user attempts to 
connect somewhere by IP and has not authenticated yet, will 
packetfence let the user through?



No.









Re: [PacketFence-users] EAP-TLS Computer and User Auth

2018-12-05 Thread Fabrice Durand via PacketFence-users

Hello Wifi,

On 18-12-03 at 09:18, Wifi Guy via PacketFence-users wrote:

Hi All,

I seem to now have this working to a degree.

I have two authentication sources set up. One for servicePrincipalName 
and one for sAMAccountName. So if a Windows machine is booted up, before 
any login/sign in, machine auth is completed and a role is assigned. 
When the device logs in, another role is set for user auth.


The issue I have with this is that both corp users and BYOD users can 
have the TLS certs and gain the same access to the network. I 
can't figure out a way to separate this. If corp owned devices had a TLS 
cert vs a BYOD device doing MSCHAPv2, could we filter this way? It's 
not ideal, I would prefer all to be TLS. Could also set up another CA for 
BYOD, but this is a management overhead! :)


You can create a connection profile, define the sub connection type 
as a filter and choose the sources you want to use.


So the TLS connection profile is for corporate and the MSCHAPv2 one is for BYOD, and 
the rules in the authentication sources are not the same.





What would work is, for example, if you were able to chain the 
computer/user auth, so if a device was seen to do both then a role 
(Corp-Trusted) is set; however, if the device went straight to user 
auth then a role (BYOD-Trusted) is set. It's not truly chained as it's 
two separate authentications, but you get the idea. Currently I can't 
see any options in authentication rules that would enable this. The 
filters are only for matches "all" or "any"; there isn't an "and"/"or" 
option.
If the device already did a machine auth then the machine_account will 
be filled 
(https://github.com/inverse-inc/packetfence/blob/devel/conf/vlan_filters.conf.example#L258) 
so you can play with that to detect a corporate machine versus BYOD.


I'm sure I'm not the first to ask this :)


Regards

Fabrice


On Thu, 29 Nov 2018 at 11:03, Wifi Guy wrote:


Good Morning all,

I have managed to get very far to date with my installation.

However I am struggling with the last piece of the puzzle: how to
handle BYOD devices that authenticate via EAP-TLS (onboarding
process) and distinguish them from corp users.

So I thought the best way to handle this is that for Corp users
that authenticate with EAP-TLS will use Machine Auth and be
assigned into a machine role and other users will be assigned into
a BYOD policy. Is this the best approach?

So to the setup I managed to get a reg vlan setup. This allows
users who are not part of the domain to authenticate via a CWP.
There are provisioners setup to assign the device the TLS cert.
This works great! :)

For my corp machines, currently the GPO etc are setup. User and
computer certs are sent on domain join, so no issues with auto
enrollment. Also the machine has the SSID specified with TLS set
and the option computer authentication selected. In an ideal world
I would be able to chain the authentication (something like
TEAP) where computer auth happens at login and then user auth
happens at login. But I can't see a way to do this without breaking
the BYOD issue?

My question is what should the GUI setup look like? Currently I
have two internal AD sources, one for computer auth
(servicePrincipalName) and one for user auth. For the
documentation its not clear how the connection profiles should
look? What order things should be in and if I am looking at this
the wrong way.

Any advice, help etc. would be very helpful.

WiFiGuy








Re: [PacketFence-users] PF UniFi OOB, not using UniFi-controller?

2018-12-05 Thread Fabrice Durand via PacketFence-users
I also did some tests and it's possible to configure CoA on the AP itself 
by editing the hostapd config:


radius_das_port=3799
radius_das_client=192.168.1.123 bob

but when the configuration is updated from the controller the 
config is removed.


Regards

Fabrice


On 18-11-30 at 06:32, Nathan, Josh via PacketFence-users wrote:
We actually did do something like this, but I'm going to be honest, we 
haven't really tested it in a long time (firmware updates might have 
broken it), and the problem is that the only way we found to make it 
work was to attempt the command on every antenna.  We just programmed 
the script to ignore any errors, and just keep trying through the 
different antennas.  Not elegant at all.  But we're also running an 
old version of PacketFence.  We're hoping to finally do the upgrade, 
and hoping to actually switch to the new method which doesn't involve 
trying to brute force a given device off... The script we have was 
developed when Ubiquiti had their RADIUS-assigned VLAN functionality 
still in Beta.  So... yes, old.


But, if you want to give it a try, here's the old, slapped together, 
"Switch" file that we have.


package pf::Switch::UBNTUAP;


=head1 NAME

pf::Switch::ubntuap

=head1 SYNOPSIS

The pf::Switch::ubntuap module manages access to hostapd

=head1 STATUS

Should work on the ubnt uap version started 4.9.2

=cut

use strict;
use warnings;

use POSIX;
use Try::Tiny;
use Net::SSH::Perl;

use base ('pf::Switch');

use pf::constants;
use pf::config qw(
    $MAC
    $SSID
);
sub description { 'Ubiquiti AP' }

# importing switch constants
use pf::Switch::constants;
use pf::util;
use pf::util::radius qw(perform_disconnect);

=head1 SUBROUTINES

=over

=cut

# CAPABILITIES
# access technology supported
sub supportsWirelessDot1x { return $TRUE; }
sub supportsWirelessMacAuth { return $TRUE; }
# inline capabilities
sub inlineCapabilities { return ($MAC,$SSID); }


=item parseTrap

This is called when we receive an SNMP-Trap for this device

=cut

sub parseTrap {
    my ( $this, $trapString ) = @_;
    my $trapHashRef;
    my $logger = $this->logger;

    $logger->debug("trap currently not handled");
    $trapHashRef->{'trapType'} = 'unknown';

    return $trapHashRef;
}

=item getVersion - obtain image version information from switch

=cut

sub getVersion {
    my ($this) = @_;
    my $logger = $this->logger;
    $logger->info("we don't know how to determine the version through SNMP !");
    return '2.0.13';
}

=item deauthTechniques

Return the reference to the deauth technique or the default deauth
technique.

=cut

sub deauthTechniques {
    my ($this, $method) = @_;
    my $logger = $this->logger;
    my $default = $SNMP::RADIUS;
    my %tech = (
        $SNMP::RADIUS => 'deauthenticateMacRadius',
    );

    if (!defined($method) || !defined($tech{$method})) {
        $method = $default;
    }
    return $method,$tech{$method};
}

=item deauthenticateMacDefault

De-authenticate a MAC address from wireless network (including
802.1x).

New implementation using RADIUS Disconnect-Request.

=cut

sub deauthenticateMacRadius {
    my ( $self, $mac, $is_dot1x ) = @_;
    my $logger = $self->logger;

    if ( !$self->isProductionMode() ) {
        $logger->info("not in production mode... we won't perform deauthentication");
        return 1;
    }

    $logger->debug("deauthenticate $mac using RADIUS Disconnect-Request deauth method");
    return $self->radiusDisconnect($mac);
}

=item radiusDisconnect

Sends a RADIUS Disconnect-Request to the NAS with the MAC as the
Calling-Station-Id to disconnect.

Optionally you can provide other attributes as an hashref.

Uses L for the low-level RADIUS stuff.

=cut

# TODO consider whether we should handle retries or not?
sub radiusDisconnect {
    my ($self, $mac, $add_attributes_ref) = @_;
    my $logger = $self->logger;

    # initialize
    $add_attributes_ref = {} if (!defined($add_attributes_ref));

    if (!defined($self->{'_cliUser'}) || !defined($self->{'_cliPwd'})) {
        $logger->warn(
            "Unable to perform CLI Disconnect-Request on $self->{'_ip'}: CLI credentials not configured"
        );
        return;
    }

    $logger->info("deauthenticating $mac");

    my $send_disconnect_to = $self->{'_ip'};
    # allowing client code to override where we connect with NAS-IP-Address
    $send_disconnect_to = $add_attributes_ref->{'NAS-IP-Address'}
        if (defined($add_attributes_ref->{'NAS-IP-Address'}));

    my $response;

    my $host = $self->{'_ip'};
    

Re: [PacketFence-users] PF8.2 Cluster dashboard problem

2018-12-05 Thread Fabrice Durand via PacketFence-users

Hello,

in fact it's an issue with the netdata package; you need to do yum 
update netdata


Regards

Fabrice


On 18-11-29 at 10:08, Ludovic Zammit via PacketFence-users wrote:

Hello,

It’s normal, you will need to have some data first to display them.

Try connecting some device and check after.

Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




On Nov 29, 2018, at 9:11 AM, 流 沙 via PacketFence-users 
wrote:


Hello,
After I finished the cluster, there is no data in the 
Dashboard. The PacketFence version is 8.2.0.












Re: [PacketFence-users] Portal Captive

2018-11-23 Thread Fabrice Durand via PacketFence-users

Yes or you will finish like Claude Francois.

On 18-11-23 at 09:06, Ludovic Marcotte via PacketFence-users wrote:


On 2018-11-23 8:30 AM, G PL via PacketFence-users wrote:


I dry a little bit.

Better not use PacketFence when you're all wet.
--
Ludovic Marcotte
lmarco...@inverse.ca :: +1.514.755.3630 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (https://fingerbank.org)







Re: [PacketFence-users] Eduroam local login

2018-11-21 Thread Fabrice Durand via PacketFence-users

Hello Will,

it's not enough; I need to see the raddebug for this user.

Regards

Fabrice


On 18-11-21 at 07:05, Will Halsall via PacketFence-users wrote:


Hi Fabrice,

The patch worked fine and users can now authenticate with their 
userPrincipalName. The only thing to note is that there is one error 
in the RADIUS auth log entry, as follows:


Module-Failure-Message = "Failed retrieving values required to 
evaluate condition"


SQL-User-Name = 20217...@farn-ct.ac.uk

Also the node status in the audit log is N/A, as follows:

40:33:1a:47:ab:1e  N/A  0  20217...@farn-ct.ac.uk  2018-11-21 11:42:14  172.16.36.30  Wireles


Thanks for your help

WillH

*From:*Durand fabrice via PacketFence-users 


*Sent:* 20 November 2018 04:35
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice 
*Subject:* Re: [PacketFence-users] Eduroam local login

Hello Will,

yes, but it's not yet available in PacketFence 8.2.

If you want to test, you can use the following PR 
https://github.com/inverse-inc/packetfence/pull/3429 :


cd /usr/local/pf

curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3429.diff | patch -p1 --dry-run


If no error:

curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3429.diff | patch -p1


cp conf/radiusd/ldap_packetfence.conf.example conf/radiusd/ldap_packetfence.conf

cp conf/radiusd/packetfence-tunnel.example conf/radiusd/packetfence-tunnel

bin/pfcmd pfconfig clear_backend

bin/pfcmd configreload hard

bin/pfcmd service pf restart

After that, check in the admin GUI in the realm configuration and 
select the LDAP source to use to resolve the sAMAccountName attribute, 
then edit the LDAP authentication source to select the username 
attribute to resolve the sAMAccountName (userPrincipalName).


So the logic will be the following: you will use the userPrincipalName 
attribute to authenticate (w.hals...@farn-ct.ac.uk), then FreeRADIUS will do an LDAP 
search to find the sAMAccountName based on 
userprincipalname=w.hals...@farn-ct.ac.uk and do an ntlm_auth 
with the result of the search.


The last thing will be to use an LDAP source (clone the previous one 
if needed) and use userPrincipalName as the user attribute to create 
some rules (role/access duration).


Regards

Fabrice

On 18-11-19 at 09:03, Will Halsall via PacketFence-users wrote:

Hi Fabrice,

Thankyou yes that now works if I use the
@farn-ct.ac.uk <mailto:samaccountn...@farn-ct.ac.uk>

Can I modify this to use the userPrincipalName (mail address)
w.hals...@farn-ct.ac.uk by either
using LDAP or using LDAP with a filter to retrieve the sAMAccountName?

Thanks

Will H

*From:* Fabrice Durand via PacketFence-users
*Sent:* 14 November 2018 20:08
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Fabrice Durand
*Subject:* Re: [PacketFence-users] Eduroam local login

Hello Will,

I think it's because the username is not stripped on the ntlm_auth
call.

Can you strip it in the farn-ct-ac-uk realm config?

It's like that right now:

realm farn-ct.ac.uk {
 nostrip
}

Regards

Fabrice

On 18-11-14 at 11:34, Will Halsall via PacketFence-users wrote:

Hi Folks

I have configured an Eduroam Exclusive Source and the access
point but am able to log in a local user. I have included the
RADIUS eduroam debug logs. Would it be possible for someone to
have a look to see if they can spot what I am doing wrong?

Thanks

Will Halsall


This message is intended only for the use of the person(s) to
whom it is addressed, and may contain privileged and
confidential information.
If it has come to you in error, please contact the sender as
soon as possible,
and note that you must take no action based on the content,
nor must you copy,
distribute, or show the content to any other person.


In accordance with its legal obligations, Farnborough College of
Technology reserves the right to monitor the content of
e-mails sent and
received, but will not do so routinely.






Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

2019-01-24 Thread Fabrice Durand via PacketFence-users

Hello Benjamin,

can you try that:

https://github.com/inverse-inc/packetfence/compare/fix/unset_role_on_autoreg.diff

Regards

Fabrice


On 19-01-22 at 09:05, Fabrice Durand via PacketFence-users wrote:

Hello Benjamin,

what I can do is add a connection profile option that will unset 
the role of the device if no source returns a role.


It will be something like "unset the role if no sources compute one".

I will let you know when it will be done.

Regards

Fabrice


On 19-01-21 at 15:46, Brenek, Benjamin wrote:

Hello Fabrice,

Sorry for the delayed reply. I did as you requested and removed the 
role from a device and tried logging in with an account that should 
not work. It does appear that now the account is getting rejected 
properly.


Is there a catchall rule that can be applied so that this does not 
happen in production, or is there another solution that can be used? 
It is not desirable for us to have users potentially be able to login 
with out-of-scope accounts.


Thank you,

Ben

-Original Message-
From: Fabrice Durand via PacketFence-users 


Sent: Wednesday, January 16, 2019 9:42 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN 
and Scope are not followed.


CAUTION: This email originated from outside of BAYADA. Beware of 
links and attachments.



Hello Benjamin,

so I think I know what happens: you are using the LDAP source just for 
authorization, and if there are no rules that match then PacketFence 
will use the role of the device.


Can you try to remove the role of the device and make another try ?

Thanks

Fabrice


On 19-01-15 at 21:07, Durand fabrice via PacketFence-users wrote:

Hello Benjamin,

it looks OK, so I will do some tests tomorrow and let you know.

Regards

Fabrice


On 19-01-15 at 14:29, Brenek, Benjamin wrote:

Hello Fabrice,

Sorry for the delay.

We are using an external captive portal (Aerohive) that authenticates
using PacketFence. PacketFence is configured with a radius proxy in
/usr/local/pf/raddb/proxy.conf that forwards to our radius servers
for authorization. Then we use the LDAP authentication source to
auto-register the device.

I have attached:
authentication.conf
profiles.conf
proxy.conf

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsuaken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Durand fabrice 
Sent: Friday, January 11, 2019 6:49 PM
To: Brenek, Benjamin ;
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN
and Scope are not followed.



Hello Benjamin,

just one thing to be sure I understand correctly: do you
authenticate on the portal or is it autoreg via RADIUS?

Can you send me the authentication.conf and profiles.conf file ?

Thanks

Regards

Fabrice


On 19-01-11 at 09:44, Brenek, Benjamin wrote:

Hi Fabrice,

I did as requested and ran a capture for ldap traffic between
PacketFence and the ldap source. The BaseDN is correct (ou=Company
Users,dc=subdomain,dc=domain,dc=com) and the scope was correct
(subtree => wholeSubtree). It also appears that all searchRequests
return 0 results, which makes it seem like PacketFence is doing
something even though it shouldn't.

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Durand fabrice via PacketFence-users

Sent: Thursday, January 10, 2019 6:30 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN
and Scope are not followed.



Hello Benjamin,

what you can do is capture the LDAP traffic between PacketFence
and the LDAP source and see with Wireshark if the scope/base DN is
what you set in the authentication source.

In the code it does a search for the DN of the user and tries to bind
with this DN.

So if the user is not in or under the base DN then the search should
not return anything and the authentication should fail.

So take the capture and see what happens exactly.

Regards

Fabrice



On 19-01-10 at 10:38, Brenek, Benjamin via PacketFence-users wrote:

Hi Nicolas,

Our authentication rules under the LDAP sources do not check LDAP
attributes, as expected/assumed functionality of the LDAP Source
would be to restrict authorization to the specified Base DN. Is
this expectation/assumption incorrect?

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-Original Message-
From: Nicolas Quiniou
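
The search-then-bind behaviour Fabrice describes above, modelled as an added example (not PacketFence's own code): the base DN and scope decide which entries the user search can return, so a user outside them never reaches the bind step and cannot authenticate. The in-memory directory, the LdapSource class and the samaccountname attribute name are assumptions made for the model.

```python
# Added example, not PacketFence code: a model of the search-then-bind flow,
# showing why a user outside the base DN (or outside the configured scope)
# must fail. The directory entries below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, most specific first.
    Escaped commas inside values are not handled (enough for this model)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn would be returned by a search rooted at base_dn with scope
    'base' (the base entry only), 'one' (direct children) or 'sub' (whole subtree)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                    # not at or under the base at all
    depth = len(entry) - len(base)      # 0 means entry_dn is the base itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope in ("sub", "subtree"):
        return True
    raise ValueError(f"unknown scope {scope!r}")


@dataclass
class LdapSource:
    """The three settings that matter here, mirroring an authentication source (assumed)."""
    base_dn: str
    scope: str
    username_attribute: str = "samaccountname"


# Constructed directory: DN -> attributes. Passwords are here only so the
# simulated bind below has something to check against.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=Company Users,dc=subdomain,dc=domain,dc=com":
        {"samaccountname": "alice", "userpassword": "alice-pw"},
    "cn=bob,ou=Staff,ou=Company Users,dc=subdomain,dc=domain,dc=com":
        {"samaccountname": "bob", "userpassword": "bob-pw"},
    "cn=mallory,ou=Contractors,dc=subdomain,dc=domain,dc=com":
        {"samaccountname": "mallory", "userpassword": "mallory-pw"},
}


def search_user_dn(source: LdapSource, username: str,
                   directory: Dict[str, Dict[str, str]] = DIRECTORY) -> Optional[str]:
    """Step 1: the search. Only entries under base_dn within scope are candidates,
    so a user elsewhere in the tree simply does not exist for this source."""
    matches = [dn for dn, attrs in directory.items()
               if attrs.get(source.username_attribute, "").lower() == username.lower()
               and dn_in_scope(dn, source.base_dn, source.scope)]
    return matches[0] if len(matches) == 1 else None   # absent or ambiguous -> None


def authenticate(source: LdapSource, username: str, password: str,
                 directory: Dict[str, Dict[str, str]] = DIRECTORY) -> bool:
    """Step 2: bind as the DN found in step 1. No DN means no bind and a failure,
    whatever password was supplied."""
    dn = search_user_dn(source, username, directory)
    if dn is None:
        return False
    return directory[dn]["userpassword"] == password     # simulated simple bind


if __name__ == "__main__":
    src = LdapSource("ou=Company Users,dc=subdomain,dc=domain,dc=com", "sub")
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("mallory", "mallory-pw")]:
        print(f"{user}: {'accepted' if authenticate(src, user, pw) else 'rejected'}")
```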

Re: [PacketFence-users] Issue with 802.1x and MAC authentication

2019-04-04 Thread Fabrice Durand via PacketFence-users
In fact it is supposed to be the switch that does that: waiting for 802.1x and 
after a time doing mac-auth.


Are you sure that the switch is correctly configured for 802.1x?

On 19-04-04 at 14:29, Stuart Gendron wrote:
So I poked around some more and I think my issue may be with the way 
the switch is configured.


I'm monitoring the following log: /usr/local/pf/logs/packetfence.log

When I unplug and plug back in my device, it sends the MAC address 
right away:


Apr  4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] handling radius autz 
request: from switch_ip => (10.100.64.67), connection_type => 
Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => 
[a8:60:b6:09:77:45], port => 49, username => "a860b6097745" 
(pf::radius::authorize)


This then puts that switchport into the Registration VLAN

Apr  4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] is of status unreg; 
belongs into registration VLAN (pf::role::getRegistrationRole)


This causes the device to just sit there in that VLAN without the 
802.1x prompt coming up - which is the prompt I want.


I believe the Cisco SG300 switch that I'm using, with a dumbed down 
version of Cisco IOS, doesn't fully support MAC authentication as the 
fallback (at least all my Googling around isn't bringing anything up).


Ideally I would plug the device into the switchport, and if it's 
deemed not able to do 802.1x authentication, it then falls back to MAC 
address authentication. This may not be possible with my current setup...


Is there something on the PacketFence side that will wait a bit before 
sending the request to put the switchport in the registration VLAN?


On Thu, Apr 4, 2019 at 2:18 PM Fabrice Durand via PacketFence-users wrote:


Hello Stuart,


On 19-04-04 at 13:38, Stuart Gendron via PacketFence-users wrote:

Just getting started with PacketFence and am struggling with
something.

So I'm using a Cisco SG300 as my test switch, and it does both
802.1x and MAC address authentication (MAB).

I'm finding that once I get authenticated using 802.1x
credentials I can then pop around to other switch ports and get
through without needing to provide credentials again (I assume
because the MAC address is authenticated?).


You need to check whether, when you unplug/plug, PacketFence receives a
new RADIUS request.

If it's not the case then it's not normal.

Also you need to see what kind of authentication is made each
time: is it 802.1x or mac auth?



This is fine, however when I set the device to unauthorized, I
don't receive a prompt for username/password again. I believe
what happens is the MAC gets sent first, PacketFence then sets
the request as Accept, but unregistered so sends it to the
appropriate VLAN, and on the switch the state is Authenticated
(as PacketFence technically authenticated it?).


It depends on how you configured PacketFence: if you enable
autoregistration for 802.1x then probably your device keeps the
credentials and retries with them to authenticate.

In fact you need to provide more information about your pf config,
like: do you register on a portal / do you autoregister, do you
have a connection profile per connection type?

If you can summarize your config, it will help to understand what
happens exactly.

Thanks

Regards

Fabrice



Not sure if this makes sense.

Ideally a device would do 802.1x by default, then fall back to
MAB if needed.

-- 


*Stuart Gendron*
IT Support Specialist



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


-- 
Fabrice Durand

fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




--

*Stuart Gendron*
IT Support Specialist

*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8

t (613) 228-9107 x258 | c (613) 697-6853



Re: [PacketFence-users] Issue with 802.1x and MAC authentication

2019-04-04 Thread Fabrice Durand via PacketFence-users

Hello Stuart,


On 19-04-04 at 13:38, Stuart Gendron via PacketFence-users wrote:

Just getting started with PacketFence and am struggling with something.

So I'm using a Cisco SG300 as my test switch, and it does both 802.1x 
and MAC address authentication (MAB).


I'm finding that once I get authenticated using 802.1x credentials I 
can then pop around to other switch ports and get through without 
needing to provide credentials again (I assume because the MAC address 
is authenticated?).


You need to check whether, when you unplug/plug, PacketFence receives a new 
RADIUS request.


If it's not the case then it's not normal.

Also you need to see what kind of authentication is made each time, is 
it 802.1x or mac auth?



This is fine, however when I set the device to unauthorized, I don't 
receive a prompt for username/password again. I believe what happens 
is the MAC gets sent first, PacketFence then sets the request as 
Accept, but unregistered so sends it to the appropriate VLAN, and on 
the switch the state is Authenticated (as PacketFence technically 
authenticated it?).


It depends on how you configured PacketFence: if you enable autoregistration 
for 802.1x then probably your device keeps the credentials and retries with 
them to authenticate.


In fact you need to provide more information about your pf config, like: 
do you register on a portal / do you autoregister, do you have a 
connection profile per connection type?


If you can summarize your config, it will help to understand what happens 
exactly.


Thanks

Regards

Fabrice



Not sure if this makes sense.

Ideally a device would do 802.1x by default, then fall back to MAB if 
needed.


--

*Stuart Gendron*
IT Support Specialist





Re: [PacketFence-users] EAP Authentication + LDAP

2019-03-25 Thread Fabrice Durand via PacketFence-users

Hello Felipe,


On 19-03-25 at 09:38, Felipe Rodrigues via PacketFence-users wrote:


Hi guys!

Can anyone help me to configure EAP Authentication (802.1x) with an 
OpenLDAP server? I looked at the PacketFence manual, chapter 16, about 
Advanced Radius Configuration and found the information about “EAP 
Authentication against OpenLDAP”.



The installation guide said to configure the OpenLDAP connection in 
/usr/local/pf/raddb/modules/ldap and change the file 
packetfence-tunnel, but I can’t find the file in these locations.




It's in /usr/local/pf/conf/radiusd/packetfence-tunnel.


*My scenario:* Today, I’m working with an OpenLDAP server to do the 
authentication on network. I have been using a web portal to connect 
to LDAP base and validated the user credentials. I want to increase 
security with 802.1x but I don’t have option to change my LDAP server 
to another database like Microsoft AD today.


I understand that it’s possible to connect PacketFence with my OpenLDAP 
(using the FreeRADIUS module) and then configure 802.1x 
authentication. Am I right about that?




Yes


If anyone have a tutorial or any valid information about that 
configuration, let me know.


First you need to configure your LDAP connection in mods-available/ldap 
and restart radiusd.


If it fails to restart then fix your configuration (the LDAP one, of course).

When it's done, edit packetfence-tunnel and add your LDAP server.


Regards

Fabrice




Thanks!






Re: [PacketFence-users] Make PF function as NAT/Firewall with Radius and VLAN enforcement

2019-02-28 Thread Fabrice Durand via PacketFence-users

Hi Tony,

can you open an issue on GitHub about that?
(https://github.com/inverse-inc/packetfence/issues)


It's more of a bug.

Regards

Fabrice


On 19-02-27 at 18:39, Tony W via PacketFence-users wrote:

Hi Fabrice,

Just getting back to you on the issue of naming interfaces "the old
way" in CentOS7.6

I have discovered that there is an issue using the "old" naming
convention method with PacketFence and CentOS 7.6, as shown in the
link below.

https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7

PF strips the MAC address from the ifcfg-ethX when saving changes.
Centos relies on the MAC address being in the ifcfg-ethX file.
Example of PF generated ifcfg-eth0:

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
HWADDR=
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
IPADDR=192.168.1.200
NETMASK=255.255.255.0

This is what it should look like

DEVICE=eth0
NAME=eth0
HWADDR=ab:cd:ef:12:34:56
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
IPADDR=192.168.1.200
NETMASK=255.255.255.0

The second listing has the MAC address and the NAME. According to the
documentation I have found, CentOS7/RHEL7 requires the HWADDR and NAME
to be populated.

CentOS 7 uses "/etc/udev/rules.d/70-persistent-net.rules" to set up the
interfaces with the correct name.

Example for the above scenario:

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
ATTR{address}=="ab:cd:ef:12:34:56", ATTR{type}=="1", KERNEL=="eth*",
NAME="eth0"

When you pass "net.ifnames=0" to the kernel during boot, and have
"/etc/udev/rules.d/70-persistent-net.rules" correctly populated, the
system will correctly assign the interfaces so that you get consistent
assignment of IP addresses to the correct physical ports.

If you boot Centos7 after PF has saved the configuration, the system
comes back with the "normal" em1, em2 etc. names and creates files
like ifcfg-em1
This effectively disables PF.

Is there an easy way of getting PF to not strip the MAC address and
NAME from the ifcfg-eth0 file? I have not been able to find anywhere
in the GUI to add a MAC address.

Is there somewhere I can make a mod to fix this? Not sure if many
people use the "old" way but there are a few benefits in doing so in
certain circumstances.
Maybe this could be added in an update or a patch...

Tony

On Tue, 19 Feb 2019 at 01:20, Fabrice Durand via PacketFence-users wrote:

Hello Tony,

On 19-02-17 at 23:22, Tony W via PacketFence-users wrote:

Hi Fabrice,

Thank you for that.

So for PF, set 1 external interface (WAN) with Internet access (Inline)

...
...

Just a quick question specific to CentOS 7.6 and PF.

CentOS 7.x issues interface names like em1, em2, p2p1, p2p2 etc.,
instead of the old style eth0, eth1...

Will PF still work OK, if I change this to the old style (See link below)?

https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7

Yes it will work.

I feel more comfortable using the old interface naming convention and
the above procedure works well:-)


Regards

Fabrice

...




...

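
An added check for the ifcfg problem Tony describes in this thread (example code, not PacketFence's or CentOS's): it parses an ifcfg-ethX file and the udev rule, and reports a blank HWADDR, a missing NAME, or a MAC that does not match the rule for that interface name. The function names are mine; the file contents are the two listings and the udev rule from the message.

```python
# Added example, not PacketFence code: detect an ifcfg-ethX file whose HWADDR
# was blanked (what PacketFence writes, per the thread) and whose NAME is
# missing, and cross-check HWADDR against 70-persistent-net.rules.
import re
from typing import Dict, List

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
UDEV_ADDR_RE = re.compile(r'ATTR\{address\}=="([^"]+)"')
UDEV_NAME_RE = re.compile(r'NAME="([^"]+)"')


def parse_ifcfg(text: str) -> Dict[str, str]:
    """KEY=VALUE lines of an ifcfg file; comments and blanks ignored, quotes stripped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def parse_udev_rules(text: str) -> Dict[str, str]:
    """Map interface NAME -> MAC address from the net-subsystem rules."""
    names: Dict[str, str] = {}
    for line in text.splitlines():
        if 'SUBSYSTEM=="net"' not in line:
            continue
        addr, name = UDEV_ADDR_RE.search(line), UDEV_NAME_RE.search(line)
        if addr and name:
            names[name.group(1)] = addr.group(1).lower()
    return names


def check_ifcfg(cfg: Dict[str, str], udev: Dict[str, str]) -> List[str]:
    """Return the problems that would make CentOS 7 lose the eth0-style binding."""
    problems: List[str] = []
    device = cfg.get("DEVICE", "")
    hwaddr = cfg.get("HWADDR", "")
    if not hwaddr:
        problems.append("HWADDR is empty")
    elif not MAC_RE.match(hwaddr):
        problems.append(f"HWADDR {hwaddr!r} is not a MAC address")
    if "NAME" not in cfg:
        problems.append("NAME is missing")
    elif cfg["NAME"] != device:
        problems.append(f"NAME {cfg['NAME']!r} differs from DEVICE {device!r}")
    if hwaddr and device in udev and udev[device] != hwaddr.lower():
        problems.append(f"HWADDR {hwaddr} does not match udev rule for {device} ({udev[device]})")
    if device and device not in udev:
        problems.append(f"no udev rule names {device}")
    return problems


# The PacketFence-written file from the message (HWADDR blank, no NAME)
PF_GENERATED = """DEVICE=eth0
HWADDR=
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
IPADDR=192.168.1.200
NETMASK=255.255.255.0
"""

# What the message says it should look like
EXPECTED = """DEVICE=eth0
NAME=eth0
HWADDR=ab:cd:ef:12:34:56
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
IPADDR=192.168.1.200
NETMASK=255.255.255.0
"""

# The udev rule from the message, on one line as it is in the file
UDEV_RULES = ('SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", '
              'ATTR{address}=="ab:cd:ef:12:34:56", ATTR{type}=="1", '
              'KERNEL=="eth*", NAME="eth0"\n')

if __name__ == "__main__":
    rules = parse_udev_rules(UDEV_RULES)
    for label, text in [("PacketFence-written", PF_GENERATED), ("expected", EXPECTED)]:
        print(label, "->", check_ifcfg(parse_ifcfg(text), rules) or ["ok"])
```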


Re: [PacketFence-users] [External] Re: VOIP Troubles with Dell Switches

2019-02-28 Thread Fabrice Durand via PacketFence-users
OK, just the 
docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc file, which 
is documentation.


So go ahead.

On 19-02-28 at 13:23, Truax, Peter via PacketFence-users wrote:


I tried the dry-run and this was the result.  Looks like it failed, 
but I am not sure how to fix.


[root@stmartin pf]# curl 
https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff 
| patch -p1 --dry-run


  % Total    % Received % Xferd  Average Speed   Time    Time Time 
Current


Dload  Upload   Total   Spent    Left  Speed

100  3198    0 3198    0 0   6072  0 --:--:-- --:--:-- 
--:--:--  6068


checking file 
docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc


Hunk #1 FAILED at 2397.

1 out of 1 hunk FAILED

checking file lib/pf/Switch/Dell/N1500.pm

*Peter Truax*

*Network Administrator*

(360) 688-2240

Saint Martin’s University

5000 Abbey Way E

Lacey, WA 98503

*From:*Durand fabrice via PacketFence-users 


*Sent:* Wednesday, February 27, 2019 5:29 PM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice 
*Subject:* [External] Re: [PacketFence-users] VOIP Troubles with Dell 
Switches


*CAUTION:**This email is from an outside sender. Do not click on links 
or open attachments unless you recognize the sender and know the 
content is safe.*


Hello Peter,

you can try that: 
https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff


It adds better VoIP support for the Dell switches.

cd /usr/local/pf

curl 
https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff 
| patch -p1 --dry-run


if there are no errors applying the patch then:

curl 
https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff 
| patch -p1


and restart packetfence.

Regards

Fabrice

On 19-02-27 at 18:19, Truax, Peter via PacketFence-users wrote:

Hello everyone,

We are having troubles getting Polycom VVX voip phones to work
with Dell N-Series switches.

Below is an excerpt from the radius.log file.

Feb 27 14:29:41 stmartin auth[2673]: [mac:64:16:7f:88:58:ef]
Accepted user:  and returned VLAN

Feb 27 14:29:41 stmartin auth[2673]: (41024) Login OK:
[64167F8858EF] (from client 10.10.0.17 port 1 cli 64:16:7f:88:58:ef)

Basically, what we are seeing is that when a phone is connected,
it receives a default VLAN IP address. The log above shows that no
voice VLAN was sent by PF to the switch.

We have the Role by VLAN ID set to vlan 80 for voice. (which is
our voice vlan).

The switch is configured with the proper voice vlan, and works
when configured manually. When we try to get pf to control the
port, then it fails.

We have gotten Cisco 2960X switches to work successfully with
these phones and PacketFence.

Just to give more info, below is an excerpt from Packetfence.log:

Feb 27 14:29:41 stmartin packetfence_httpd.aaa: httpd.aaa(1775)
INFO: [mac:64:16:7f:88:58:ef] handling radius autz request: from
switch_ip => (10.10.0.17), connection_type =>
WIRED_MAC_AUTH,switch_mac => (f4:8e:38:0a:54:63), mac =>
[64:16:7f:88:58:ef], port => 1, username => "64167F8858EF"
(pf::radius::authorize)

Feb 27 14:29:41 stmartin packetfence_httpd.aaa: httpd.aaa(1775)
INFO: [mac:64:16:7f:88:58:ef] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)

Feb 27 14:29:41 stmartin packetfence_httpd.aaa: httpd.aaa(1775)
INFO: [mac:64:16:7f:88:58:ef] violation 133 force-closed for
64:16:7f:88:58:ef (pf::violation::violation_force_close)

Feb 27 14:29:41 stmartin packetfence_httpd.aaa: httpd.aaa(1775)
INFO: [mac:64:16:7f:88:58:ef] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)

Any ideas on what I can do to get this working?

Regards,

*Peter Truax*

*Network Administrator*

Saint Martin’s University

5000 Abbey Way E

Lacey, WA 98503







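
The two log excerpts above, Stuart's packetfence.log lines from the 802.1x/MAB thread and Peter's packetfence.log and radius.log lines from this thread, carry the two facts Fabrice asks for: which authentication type each request used, and what VLAN came back. This added example (not PacketFence's code) parses both line formats and flags MAC-auth-only devices and Access-Accepts with no VLAN; the placement of the VLAN value in the "Accepted user ... returned VLAN" line and the classification of connection types other than the two shown are assumptions, and the 802.1X lines are constructed.

```python
# Added example, not PacketFence code: correlate "handling radius autz
# request" lines (packetfence.log) with "Accepted user ... returned VLAN"
# lines (radius.log) per MAC. Sample lines are from the threads or constructed.
import re
from collections import defaultdict
from typing import Dict, List, Optional

AUTZ_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] handling radius autz request: "
    r"from switch_ip => \((?P<switch_ip>[^)]+)\), "
    r"connection_type => (?P<conn_type>[^,]+),\s*"
    r"switch_mac => \((?P<switch_mac>[^)]+)\), "
    r"mac => \[[^\]]+\], port => (?P<port>\d+), "
    r'username => "(?P<username>[^"]*)"')

# Assumed layout: the VLAN value, if any, follows "returned VLAN".
ACCEPT_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] Accepted user: (?P<user>\S*) "
    r"and returned VLAN\s*(?P<vlan>\S*)\s*$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict with kind 'autz' or 'accept', or None for other lines."""
    m = AUTZ_RE.search(line)
    if m:
        return {"kind": "autz", **m.groupdict()}
    m = ACCEPT_RE.search(line)
    if m:
        return {"kind": "accept", **m.groupdict()}
    return None


def auth_method(conn_type: str) -> str:
    """Classify connection_type. 'Ethernet-NoEAP' and 'WIRED_MAC_AUTH' appear in
    the threads; treating any other EAP/802.1X name as 802.1x is an assumption."""
    ct = conn_type.upper()
    if "802.1X" in ct or ("EAP" in ct and "NOEAP" not in ct):
        return "802.1x"
    return "mac-auth"


def audit(lines: List[str]) -> List[str]:
    """Per MAC: flag devices only ever seen with MAC auth (no 802.1X attempt)
    and accepts that returned no VLAN, the two conditions the threads chase."""
    by_mac: Dict[str, Dict] = defaultdict(lambda: {"methods": set(), "vlans": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = by_mac[rec["mac"]]
        if rec["kind"] == "autz":
            entry["methods"].add(auth_method(rec["conn_type"]))
        else:
            entry["vlans"].append(rec["vlan"])
    findings: List[str] = []
    for mac, e in sorted(by_mac.items()):
        if "mac-auth" in e["methods"] and "802.1x" not in e["methods"]:
            findings.append(f"{mac}: only MAC authentication seen, no 802.1X attempt")
        if "" in e["vlans"]:
            findings.append(f"{mac}: Access-Accept returned without a VLAN")
    return findings


SAMPLE_LINES = [
    # from the 802.1x/MAB thread (packetfence.log)
    'Apr  4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: '
    '[mac:a8:60:b6:09:77:45] handling radius autz request: from switch_ip => '
    '(10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => '
    '(88:f0:77:d9:b2:48), mac => [a8:60:b6:09:77:45], port => 49, '
    'username => "a860b6097745" (pf::radius::authorize)',
    # from the Dell VoIP thread (packetfence.log and radius.log)
    'Feb 27 14:29:41 stmartin packetfence_httpd.aaa: httpd.aaa(1775) INFO: '
    '[mac:64:16:7f:88:58:ef] handling radius autz request: from switch_ip => '
    '(10.10.0.17), connection_type => WIRED_MAC_AUTH,switch_mac => '
    '(f4:8e:38:0a:54:63), mac => [64:16:7f:88:58:ef], port => 1, '
    'username => "64167F8858EF" (pf::radius::authorize)',
    'Feb 27 14:29:41 stmartin auth[2673]: [mac:64:16:7f:88:58:ef] '
    'Accepted user:  and returned VLAN',
    # constructed: an 802.1X supplicant that did get a VLAN back
    'Feb 27 14:30:02 stmartin packetfence_httpd.aaa: httpd.aaa(1775) INFO: '
    '[mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => '
    '(10.10.0.17), connection_type => WIRED_802.1X,switch_mac => '
    '(f4:8e:38:0a:54:63), mac => [00:11:22:33:44:55], port => 2, '
    'username => "jdoe" (pf::radius::authorize)',
    'Feb 27 14:30:02 stmartin auth[2673]: [mac:00:11:22:33:44:55] '
    'Accepted user: jdoe and returned VLAN 80',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES):
        print(finding)
```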


Re: [PacketFence-users] Confirm that PF can be used to do 802.1x with VLAN and in-line

2019-03-06 Thread Fabrice Durand via PacketFence-users

Hello Tony,

you can do that with inline network but there is a limitation.

When a device is in the inline network then it means that the locationlog 
changed to inline, and after that there is no way to disconnect the 
device from the equipment because PacketFence thinks that it's inline.


What you will need to have is a sort of inline l2 network but not really 
managed by packetfence (like iptables rules) but still have the dhcp 
enabled on this network.


It's doable but you need to play with the iptables rules and have DHCP 
enabled on the pf server for these VLANs.


Regards

Fabrice


On 19-03-05 at 22:09, Tony W via PacketFence-users wrote:

Hi there,

After having played around with PF and read heaps of implementation
samples, I have put together this list and have some questions.

I do not plan to use the portal or registration pages with PF as all
authentication is via 802.1x - so here we go...

1.  Use a wireless controller with a registration SSID (Registration VLAN).
2.  Have clients (Visitors) connect to the SSID and use 802.1x
authentication. DHCP provided by PF
3.  On success, put client in a different VLAN, predetermined by the
credentials provided.
4.  Each VLAN has a dedicated server that the client shall be able to
connect to. DHCP provided by PF
5.  Each server needs Internet access as does the client that has been
put in the VLAN.
6.  All Internet bound traffic shall go out via the Management interface.
7.  Management interface is connected to a firewall with Masquerade (NAT).
8.  It shall be possible to terminate the session from outside or by
client choice. (Go back to registration VLAN)
9.  The servers that the clients connect to, interact with external
equipment and that interaction can trigger a "disconnect" from the
VLAN.
10. Disconnection may be triggered by client disassociation from
access point or by externally controlled disconnect.
11. Only one client will ever be in any VLAN at any one time.


Fabrice has kindly given some pointers previously. Based on his
suggestions and documentation I have the following suggestion:

I have created 10 VLAN's with 1 being for registration, using 802.1x
via a wireless controller and a public SSID.
The other 9 VLAN's are set to in-line layer 2, each with their own
distinct IP range (192.168.xx.0/24)
The interface, on which the 10 VLAN's are configured, is used to
listen for radius traffic and access my switches from the CLI of PF
(No VLAN, set to "other")
Each VLAN has DHCP enabled (It works, devices get DHCP assigned IP addresses)
Management interface is set to 172.16.xx.yy with a gateway IP of
172.16.xx.254 and is plugged into a firewall to the Internet (Internet
access OK).
Wireless Lan Controller is a Ruckus ZD1200 (Will later be a Cisco 5508)

What is missing is:

How to make the 9 servers (One in each VLAN) connect to the Internet
permanently but still be assigned IP addresses from the PF DHCP
server?
Preferably, I should be able to set up a static IP address for each
server in each VLAN - Documentation says this can be done by manually
configuring DHCP.
Is there a way to set these up and "manually" register them
permanently? Using an ACL or something similar.

How to allow clients access to the Internet, once assigned to any of
the 9 VLAN's? The client shall still be assigned the appropriate IP
address by DHCP.
As there will only ever be 1 client in a VLAN at any one time, its MAC
address could be used to open up access, however, it needs to have PF
assign IP addresses.

Finally, on receiving a "disconnect" signal from the external
equipment, the client shall be disconnected from the VLAN and
preferably disassociated from the WLC.
Is it even possible to tell the WLC to disassociate a client via PF,
maybe through the API.

I know this is a very specific implementation but PF seems to have all
that would be needed to do this.

Tony




Re: [PacketFence-users] option 82 not working

2019-03-18 Thread Fabrice Durand via PacketFence-users

Hello saskatooner,

you need to send the dhcp traffic to PacketFence.

https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#dhcp-remote-sensor

Regards

Fabrice


On 19-03-17 at 01:58, saskatooner Canada via PacketFence-users wrote:

Hi everyone

My configuration is:

  * 2960 Cisco sw

  * pfsense as firewall between vlans and also DHCP server

  * packetfence with mab and 802.1x authentication with Active Directory

  * packetfence having only one IP, in management vlan =20

  * users having vlans from 21-26 ( packetfence doesn't have an IP in
these ranges)


As pf is not the DHCP server, it cannot bring the users' IP addresses and 
computer names after their authentication. I have tried enabling 
option 82 to fix this but with no luck.


here is my sw option 82 configs:

#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
11
DHCP snooping is operational on following VLANs:
11
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0021.5660.4480 (MAC)
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface  Trusted    Allow option    Rate limit (pps)
---    ---     
GigabitEthernet0/1 yes    yes unlimited
  Custom circuit-ids:
GigabitEthernet0/2 yes    yes unlimited
  Custom circuit-ids:


On pf, option 82 and DHCP detect are checked. But nothing is showing 
as IP for my nodes.


Could anyone help?
How should I debug? Any related logs for example?



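
The option 82 layout the switch output above reports (circuit-id in the default vlan-mod-port format, remote-id as the switch MAC) is what a DHCP listener such as PacketFence has to decode to tie a client to a switch port, which is why the DHCP traffic has to reach it. This added example (not PacketFence's code) builds and parses such an option; the packet bytes are constructed, the remote-id reuses the MAC from the output, and the function names are mine.

```python
# Added example, not PacketFence code: build and parse DHCP option 82 (relay
# agent information) as a Cisco switch inserts it with the default
# "vlan-mod-port" circuit-id format and a MAC remote-id. Bytes are constructed.
import struct
from typing import Dict, Optional

OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def parse_tlvs(data: bytes, stop_at_end: bool) -> Dict[int, bytes]:
    """Walk code/length/value triples. For the top-level options area, pad (0)
    is skipped and end (255) stops parsing; sub-options use neither."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == 0:
            i += 1
            continue
        if stop_at_end and code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out[code] = out.get(code, b"") + value    # RFC 3396: repeated codes concatenate
        i += 2 + length
    return out


def build_cisco_option82(vlan: int, module: int, port: int, switch_mac: str) -> bytes:
    """Cisco default encoding: circuit-id = 00 04 <vlan:2> <mod:1> <port:1>,
    remote-id = 00 06 <mac:6>. Returns the whole option, header included."""
    circuit = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote = bytes([0, 6]) + bytes.fromhex(switch_mac.replace(":", "").replace(".", ""))
    body = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def decode_cisco_option82(opt82: bytes) -> Dict[str, object]:
    """Decode the two sub-options; unknown layouts are returned raw (hex)."""
    subs = parse_tlvs(opt82, stop_at_end=False)
    result: Dict[str, object] = {}
    cid = subs.get(SUB_CIRCUIT_ID)
    if cid is not None:
        if len(cid) == 6 and cid[:2] == bytes([0, 4]):
            vlan, module, port = struct.unpack("!HBB", cid[2:])
            result["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
        else:
            result["circuit_id_raw"] = cid.hex()
    rid = subs.get(SUB_REMOTE_ID)
    if rid is not None:
        if len(rid) == 8 and rid[:2] == bytes([0, 6]):
            result["remote_id"] = ":".join(f"{b:02x}" for b in rid[2:])
        else:
            result["remote_id_raw"] = rid.hex()
    return result


def relay_info_from_options(options: bytes) -> Optional[Dict[str, object]]:
    """Given the DHCP options area (after the magic cookie), return the decoded
    option 82, or None if no relay/switch inserted one."""
    opts = parse_tlvs(options, stop_at_end=True)
    raw = opts.get(OPT_RELAY_AGENT)
    return None if raw is None else decode_cisco_option82(raw)


# Constructed DHCPDISCOVER options: message type (53) = 1, then option 82 from
# a switch whose remote-id is the MAC shown in the thread, then end (255).
SAMPLE_OPTIONS = (bytes([53, 1, 1])
                  + build_cisco_option82(vlan=21, module=0, port=3, switch_mac="0021.5660.4480")
                  + bytes([255]))

if __name__ == "__main__":
    print(relay_info_from_options(SAMPLE_OPTIONS))
```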


Re: [PacketFence-users] How to determine the IP addresses without dhcp

2019-03-18 Thread Fabrice Durand via PacketFence-users

Hello Piotr,

you can try with the accounting, maybe the ip is in the attribute 
Framed-IP-Address


Regards

Fabrice


On 19-03-17 at 08:36, Piotr Maczek via PacketFence-users wrote:

Hi all,
I have a running instance of PacketFence with the 802.1x protocol (out-of-band). I also 
configured "IP Helpers" appropriately so that PF can see queries from DHCP.
I see IP addresses assigned by the DHCP server. But some of the devices have fixed 
IPs (don't use DHCP).
How to determine the IP addresses of these nodes in PF?

Thanks
Piotr




Re: [PacketFence-users] Password Of The Day

2019-03-12 Thread Fabrice Durand via PacketFence-users

Hello John,

yes it's possible, you just have to select mandatory fields in the 
portal module.


Regards

Fabrice


On 19-03-12 at 07:59, John Sayce via PacketFence-users wrote:

Is it possible to use password of the day, but also capture names, emails, 
phone numbers, etc?

Thanks
John



Re: [PacketFence-users] DHCP Issues

2019-03-22 Thread Fabrice Durand via PacketFence-users

Hello Sean,

can you try that:

curl http://127.0.0.1:2/api/v1/dhcp/stats/eth0.3 | python -m json.tool

and paste the result.

Regards

Fabrice


On 19-03-21 at 11:32, Seán Mac Lochlainn via PacketFence-users wrote:


Hi Nicolas,

I created an external DHCP server in Windows Server and also added the 
DHCP server to the ‘Production DHCP servers’ list in the Admin 
Interface. The user will now go to VLAN 10 (Production) when 
authenticated. Using WireShark, I noticed that the external DHCP 
server I created now sends a DHCPOFFER to the client but there is no 
DHCPREQUEST from the client which I’m unsure why.


Is there any further configuration needed to integrate the external 
DHCP server into PacketFence or is it a configuration issue? I tried 
using ip helper-address on the switch but still receive the same issue


Any further help would be greatly appreciated

Regards,

Sean


*From:* Nicolas Quiniou-Briand via PacketFence-users 


*Sent:* Thursday, March 21, 2019 8:28:01 AM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Nicolas Quiniou-Briand
*Subject:* Re: [PacketFence-users] DHCP Issues
Hello,

On 2019-03-20 5:09 p.m., Seán Mac Lochlainn via PacketFence-users wrote:
> Hi Everyone,
>
> I’m a student and doing a project, creating a small lab with 802.1x
> authentication.
>
> I’m facing issues with the DHCP from PacketFence assigning the client an
> IP address. (Client doesn’t get an IP address on registration or
> isolation VLAN).
>
> I can successfully authenticate clients using PEAP but the client
> doesn’t receive a correct IP address of the VLAN it has been assigned
> to. Normally it will receive a 169.254.x.x IP address instead.

If your clients are correctly authenticated, they should not go into the
registration or isolation networks. You should return another VLAN where
you have your own production or test DHCP server.
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)




Re: [PacketFence-users] Make PF function as NAT/Firewall with Radius and VLAN enforcement

2019-02-18 Thread Fabrice Durand via PacketFence-users

Hello Tony,

On 19-02-17 at 23:22, Tony W via PacketFence-users wrote:

Hi Fabrice,

Thank you for that.

So for PF, set 1 external interface (WAN) with Internet access (Inline)

No, a management one with internet access.

Then set at least 1 internal interface (LAN) with VLAN's, say 10 for SSID,
11, 12, 13, 14 for the users to be allocated to once authenticated.

11,12,13,14 as inline


I do not need (Or want) Internet access on VLAN 10, only DHCP for the
client devices.

So 10 is a registration interface.

When the client device successfully authenticates, the client traffic
will go to the
selected/allocated VLAN (11, 12, 13 or ) and be given new IP
addresses by DHCP.

It's what an inline interface does.

It is no big deal regarding people being on the initial VLAN 10 as not
many will be there at any one time.
The registration interface on the vlan 10 will have short lease time, by 
default we set it to 30s.


Just a quick question specific to CentOS 7.6 and PF.

CentOS 7.x issues interface names like em1, em2, p2p1, p2p2 etc.,
instead of the old style eth0, eth1...

Will PF still work OK, if I change this to the old style (See link below)?

https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7

Yes it will work.


I feel more comfortable using the old interface naming convention and
the above procedure works well :-)


Regards

Fabrice








On Mon, 18 Feb 2019 at 12:09, Durand fabrice via PacketFence-users wrote:

Hello Tony,

You can set the VLAN as inline in PacketFence.

What I would do in this case is the following:

- Create on PF all the VLANs as inline interfaces, for example eth1.10,
eth1.11, eth1.12 (the VLANs you return when authenticated)

- Set these VLAN IDs in the switch config (PacketFence side).

That's it.

The only issue you will have is when you unreg a device: it will
stay on the inline VLAN but hit the portal on the inline interface.

If the device reconnects, it will go to the reg VLAN.

Regards

Fabrice



On 19-02-17 at 19:35, Tony W via PacketFence-users wrote:

Hi there,

Trying to work out how to get PF to work as NAT/Firewall to the
internet whilst doing RADIUS and VLAN enforcement.

Is this possible? Reading the documentation, it appears that the
current version will work in hybrid mode
(a combination of both) but seems to be for "flat" networks on
switches that cannot be managed.

I run a wireless network controller, where visitors connect to an SSID
(assigned to a specific VLAN). This VLAN has no
Internet access.
Authentication is 802.1X. Once authenticated, the visitor is directed to
one of a number of predetermined VLANs by PF.
Each of the VLANs shall have Internet access through the same PF box.
PF tells Ruckus to put the visitor in the
assigned VLAN. DHCP is used on the initial connection and each of the
VLANs shall have their own DHCP scope.

I have done this before using FreeRADIUS with daloRADIUS and a Ruckus
controller, configured manually on CentOS 7.3
with Firewall/NAT. That solution is lacking some of the nice extra
stuff integrated in PF.

Whilst not expecting someone to give me the whole solution, I am
looking for some pointers and confirmation that
PF is suitable for what I want to do.

Thanks in advance

Tony




Re: [PacketFence-users] Node status triggering disauthentication

2019-04-11 Thread Fabrice Durand via PacketFence-users
Hello Bram,
You probably have "unregister on accounting stop" enabled on your setup.
It's in the RADIUS configuration in the PacketFence admin GUI. (Sorry, I don't have the 
admin GUI in front of me right now.)
Regards
Fabrice

On Thursday, April 11, 2019 06:29 EDT, Bram Wittendorp via PacketFence-users 
wrote: 
 
> Hi,
> 
> In order to better manage our PacketFence installation I have changed my 
> RADIUS configuration for our access points so they forward 
> accounting information towards PacketFence in order to fill the Online / 
> Offline columns.
> 
> After enabling this option, lots of devices did deregister. Is there some kind 
> of explanation for this kind of behavior?
> 
> Kind regards,
> 
> Bram Wittendorp
> Network/Systems Administrator | RTV Drenthe
> 
> t: 0592 – 304 693
> e: b.wittend...@rtvdrenthe.nl
> Beilerstraat 30, Assen
> Postbus 999, 9400 AZ Assen
> 
> t : 0592-338080
> www.rtvdrenthe.nl
>





Re: [PacketFence-users] Captive portal issue with multiple SSIDs and multiple connection profiles

2019-04-11 Thread Fabrice Durand via PacketFence-users
Hello Craig,
For the connection profiles, the first match wins.
So you need to verify the filter you set for each connection profile.
Also be sure that PacketFence is able to extract the SSID; you can also test 
with the pftest binary.

Regards
Fabrice
On Thursday, April 11, 2019 03:02 EDT, Craig Strydom via PacketFence-users 
wrote: 
 
> Hello All,
> 
> I have PF 8.3 installed, configured and mostly working, but need to have 
> three different captive portals.
> 
> I have set up different connection profiles which work correctly when I hit 
> the preview button.
> 
> Connection profiles:
> 1. Default
> 2. Guests
> 3. Private company 1
> 4. Private company 2
> 
> But when I connect to the various SSIDs only the Guest portal pops up.
> 
> I can change the order of the connection profiles and put "Private company 
> 1/2" in the No. 2 spot, but then only that profile is displayed for all three 
> SSIDs.
> 
> How should these profiles be set up to allow any SSID to provide its own 
> captive portal?
> Or am I missing a filter/config file somewhere?
> 
> I have restarted the entire PF and done a hard config reload.
> 
> Thank you.
> 
> Regards,
> Craig.





Re: [PacketFence-users] Captive Portal-Computer not found in database

2019-05-15 Thread Fabrice Durand via PacketFence-users
What you can try, even if it's an Aruba controller, is to use the Aruba 
Instant Access module instead (we did it because the CoA changed on this 
equipment):


curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/4211.diff | patch -p1

Also, is it an Aruba Controller in a cluster?

Regards
Fabrice

On 19-05-15 at 11:11, Louis Scaringella via PacketFence-users wrote:

Hi Fabrice,

I ran the /usr/local/pf/addons/pf-maint.pl script and it performed some updates 
and I rebooted the Packetfence server.

I can tell you that when I either manually disconnect on the laptop and 
reconnect or disconnect my session from the controller and the client connects 
again, the role is correct on the controller and I am able to get access. This 
would be after the MAC address/device is “registered” already.

So it does appear that something with the CoA process after the AUP is accepted 
is the problem. What appears to be happening is that the session on the Aruba 
controller that PacketFence is trying to disconnect doesn’t exist. This shows 
both in Packetfence and in Aruba debugs. Not sure what’s happening there, but 
the MAC address does match and this controller literally only has this one 
session on it because it is our lab and testing environment.

CoA should be working fine, the RADIUS key is correct and RFC 3576 is set up on 
the controller to use the PacketFence server as the CoA server. I’ll verify 
this again, but I don’t think the communication is the problem because of the 
“invalid session” type error I’m seeing in the logs and on the Controller. The 
CoA is getting to the controller and processed, so something with the session 
isn’t right.

Any ideas?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903







On May 14, 2019, at 8:32 PM, Louis Scaringella via PacketFence-users wrote:

It’s an actual Controller and not Instant. I will check tomorrow and post the 
information. COA should be good to go, but I’ll include what I have set up. 
Thanks so much for helping!

Thank you,

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks
785-342-7903


On May 14, 2019, at 8:17 PM, Durand fabrice via PacketFence-users wrote:

Hello Louis,

Sorry for the late reply.

As I remember, the documentation about the NAT source was to do web 
authentication and not VLAN enforcement.

Just before going too far, can you run /usr/local/pf/addons/pf-maint.pl to get 
the latest bug fixes?

So right now it looks like the CoA is not working correctly; did you enable RFC 
3574 on the Aruba side with the same shared secret as you set in RADIUS 
authentication?

Last thing: if it's an Aruba Instant Access then you will need to apply this 
patch:

cd /usr/local/pf

curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/4211.diff | patch -p1

and restart PacketFence and choose "Aruba Instant Access" as the switch model.

Regards

Fabrice



On 19-05-14 at 12:20, Louis Scaringella via PacketFence-users wrote:
I’m very confused because I'm also seeing this in the PacketFence logs. Looks like it 
is authenticating then dissociating right away.

May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] No provisioner found for 00:24:d6:5b:30:bc. 
Continuing. 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] violation 133 force-closed for 
00:24:d6:5b:30:bc (pf::violation::violation_force_close)
May 14 16:17:12 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3367) 
INFO: [mac:00:24:d6:5b:30:bc] 

Re: [PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-05-17 Thread Fabrice Durand via PacketFence-users

Hello Cristian,

First you need to fix your authentication source apra-user-auth-dc01 and 
add an authentication rule that returns a role and an access duration. 
(use:  /usr/local/pf/bin/pftest authentication c.mammoli bob  
apra-user-auth-dc01)


After that you should be able to see a role associated with your device 
and probably something better in the RADIUS audit log, and we will see 
about the next steps.


Regards

Fabrice


On 19-05-17 at 12:37, Cristian Mammoli via PacketFence-users wrote:

Cisco ASA VPN Configuration in 9.0

Hi, I'm trying to configure our ASA for VPN authentication but the 
docs are a little bit vague considering this is a new concept


Steps I did:

* Added the asa in the switch group, configured PSK etc
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=address>

* I used an existing authentication source with LDAP role assignment
* Configured the Packetfence Radius server in the ASA and the vpn as 
in the example provided


Now what?

I can connect via vpn and surf the Internet
In the audit log I see my authentication:

Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "**"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"

RADIUS Reply

But the reply is empty

In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC 
from Called-Station-Id: 89.97.236.20 
(pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection 
(pf::LDAP::expire_if)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] [apra-machine-auth-dc01] 
No entries found (0) with filter (servicePrincipalName=c.mammoli) from 
dc=apra,dc=it on 192.168.0.76:389 
(pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection 
(pf::LDAP::expire_if)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] [apra-user-auth-dc01] 
Authentication successful for c.mammoli 
(pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Authentication 
successful for c.mammoli in source apra-user-auth-dc01 (AD) 
(pf::authentication::authenticate)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized 
value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 
783.


httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized 
value $roleName in concatenation (.) or string at 
/usr/local/pf/lib/pf/Switch.pm line 786.

 (pf::Switch::getRoleByName)

It looks like the connection profile isn't even matched, and all 
authentication sources are tried even if I only specified one


BTW, what is the redirect ACL in the docs used for? It is not applied 
anywhere and I can't see it in the ASA.pm code


The docs say: "You can force VPN users to authenticate first on the 
captive portal and based on the role of the device allow it and/or set 
dynamic ACL."
Is the portal authentication a requirement? I would like to 
authenticate users and assign a dynamic ACL without external portal 
authentication


Thanks

C.







Re: [PacketFence-users] Reject node with MAC Authentication

2019-06-11 Thread Fabrice Durand via PacketFence-users

Hello Adrian,

just set the vlan id for the unreg role to -1.

Regards

Fabrice


On 19-06-11 at 08:00, Adrian Dessaigne via PacketFence-users wrote:

Hello everyone,

PacketFence's native configuration always accepts MAC Authentication. If 
the device is unreg, it's put in the Registration VLAN, or else, it's put 
in its associated VLAN.
Is there any way to configure PacketFence so it rejects (sending a RADIUS 
Access-Reject to the switch) an unreg device with MAC Authentication?


Best regards,

Adrian.

--

*Adrian Dessaigne*
 Systems and Network Technician


02 57 65 00 60 - 49 rue Robespierre 29200 BREST
/Registered office: 5 rue de Kermadiou 29600 MORLAIX/
NOVASYS uses the LibreOffice office suite, freely available for download 
at https://fr.libreoffice.org/




Re: [PacketFence-users] Reject node with MAC Authentication

2019-06-11 Thread Fabrice Durand via PacketFence-users

On 19-06-11 at 10:03, Adrian Dessaigne via PacketFence-users wrote:
Is it in the "Role" tab in the switch configuration? I only see the 
REJECT Role.
And in my role list, I don't see the "unreg" one. Do I have to create 
it, or is it somewhere else?


Regards,

Adrian


*From: *"packetfence-users" 
*To: *"packetfence-users" 
*Cc: *"Fabrice Durand" 
*Sent: *Tuesday, June 11, 2019 15:19:28
*Subject: *Re: [PacketFence-users] Reject node with MAC Authentication

Hello Adrian,

just set the vlan id for the unreg role to -1.

Regards

Fabrice







Re: [PacketFence-users] Reject node with MAC Authentication

2019-06-11 Thread Fabrice Durand via PacketFence-users

Hello Adrian,

MAB is MAC auth, so as you say, if you don't want MAC auth then disable 
MAB on the switch port.



Regards

Fabrice


On 19-06-11 at 12:01, Adrian Dessaigne via PacketFence-users wrote:

I want to keep the MAC Auth.

I have some cases where unregistered devices get access to the network 
(without having the permission). It's quite complicated to explain how 
they get through.


I've already got the answer, thanks anyway :).

Regards,

Adrian.


*From: *"packetfence-users" 
*To: *"packetfence-users" 
*Cc: *"Tobias Friede" 
*Sent: *Tuesday, June 11, 2019 17:01:33
*Subject: *Re: [PacketFence-users] Reject node with MAC Authentication

Hi,

I think you misunderstood the question.
I think he wants to disable MAC auth also for registered devices 
because MAB could be a security issue, and if you have only 802.1X 
capable devices there is no need to accept MAB.


If you set the registration VLAN to -1, only unregistered devices will 
be rejected.


I am not sure which is the best way to prevent clients from getting 
access if the switch sends a MAC auth, but I would try to filter all 
MAC Auth requests in my source or on the portal and then send a reject.

Or just disable MAB on the switch ;)

Tobias

Fabrice Durand via PacketFence-users <mailto:packetfence-users@lists.sourceforge.net> 
wrote on Tue., June 11, 2019, 16:25:


On 19-06-11 at 10:03, Adrian Dessaigne via PacketFence-users wrote:

Is it in the "Role" tab in the switch configuration? I only
see the REJECT Role.
And in my role list, I don't see the "unreg" one. Do I have to
create it, or is it somewhere else?

Regards,

Adrian


*From: *"packetfence-users"

<mailto:packetfence-users@lists.sourceforge.net>
*To: *"packetfence-users"

<mailto:packetfence-users@lists.sourceforge.net>
*Cc: *"Fabrice Durand" 
<mailto:fdur...@inverse.ca>
*Sent: *Tuesday, June 11, 2019 15:19:28
*Subject: *Re: [PacketFence-users] Reject node with MAC
Authentication

Hello Adrian,

just set the vlan id for the unreg role to -1.

Regards

Fabrice







Re: [PacketFence-users] Issues with PacketFence Captive Portal configuration

2019-06-11 Thread Fabrice Durand via PacketFence-users

Hello Felipe,


On 19-06-11 at 13:08, Felipe Rodrigues via PacketFence-users wrote:

Hi guys,

Just help me to clarify one thing:

- The registration interface is isolated in PacketFence, right? Does 
this interface need internet access, or need to access the IP address 
configured on the network detection page?


Yes, the registration interface is isolated from the other interfaces by 
iptables (except if you enable passthrough), and devices on the 
registration network don't need to reach the internet or the network 
detection IP address.


I ask this because apparently the CoA process is working properly. I 
can see the disconnect packets being forwarded via Wireshark and via 
packetfence log (Both ways), but the device is taking a while to do 
the VLAN exchange. With this delay, I believe the device tries to do 
the "network detection", but it's still in the vlan of registration, 
so I'm seeing this error.


After the CoA, do you see a new RADIUS authentication coming from the WLC?

Regards

Fabrice





Detail: I'm just doing tests on Mac devices (iPhone and MacBook Pro). 
I will try to test with an Android device to validate this question.


Thanks!


*From:* Ivan Saliu via PacketFence-users 


*Sent:* Tuesday, June 11, 2019 10:58
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Ivan Saliu
*Subject:* Re: [PacketFence-users] Issues with PacketFence Captive 
Portal configuration


Hi Fabrice,

Thanks for the tip, changed the parameter and now also this is working 
fine


Ivan

*From:*Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]

*Sent:* Tuesday, June 11, 2019 03:24
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice 
*Subject:* Re: [PacketFence-users] Issues with PacketFence Captive 
Portal configuration


Hello Ivan,

On 19-06-10 at 15:01, Ivan Saliu via PacketFence-users wrote:

Hi Nicholas and Felipe (hopefully you stuck with us),

So now I’ve understood what I was doing wrong and it was just so
stupid that I can’t even…

Basically I did two things:

- I put the custom port for CoA (1700 on Cisco WLCs…why use
standards…) in the field Disconnect Port (Policies and Access
Control -> Network Devices -> Switches -> My WLC).
I found from the packetfence.log file that only the authentication
was working, but the VLAN switch was of course not working
since it does a CoA de-authentication to move the VLAN.


- Also, the second step was to put, in Advanced Access
Configuration -> Captive Portal, the Registration interface IP in the
IP field, otherwise it wouldn’t recognize internet
access in any case.

Right now the captive portal is working fine. I do have some more
things that worry me that I noticed from the packetfence.log
file, like the following error: Unable to extract SSID of
Called-Station-ID, which, if it persists, actually makes it more difficult
for me to distinguish between SSIDs and present a different captive
portal for other users, but these are a lot less painful issues
than the one that I’ve just solved.

You just need to fix the format of the Called-Station-Id attribute in 
the WLC config.


Regards

Fabrice

Thanks again Nicholas for your support, as you said it was indeed
a configuration issue,

Hope you all had a nice day,

Ivan

*From:*Ivan Saliu
*Sent:* Monday, June 10, 2019 15:47
*To:* packetfence-users@lists.sourceforge.net

*Cc:* 'Nicholas Pier' <09np...@gmail.com> 
*Subject:* RE: [PacketFence-users] Issues with PacketFence Captive
Portal configuration

Hi Nicholas,

The issue is the second one you pointed out:

  * If they disconnect and reconnect to the wireless, are they
assigned the correct VLAN / IP ? This might mean that
packetfence is properly associating the new role with the
user, but the controller isn't getting dynamically updated.

They get the proper IP address….so the issue is when PacketFence
needs to update the VLAN via Radius?

Still don’t get why the behavior is this one, I’ve checked and the
Deauthentication Method is set as RADIUS, Use CoA is enabled, and
I even put into the CoA port 1700 since Cisco’s WLC uses that.

The only thing that is missing is the Controller IP address field
but I don’t think this should cause the issue.

Ivan

*From:*Nicholas Pier [mailto:09np...@gmail.com]
*Sent:* Monday, June 10, 2019 13:58
*To:* Ivan Saliu mailto:ivan.sa...@kikocosmetics.com>>
*Cc:* packetfence-users@lists.sourceforge.net

*Subject:* Re: [PacketFence-users] Issues with PacketFence Captive
Portal configuration

Hi Ivan,

Let's start with what's supposed to happen immediately after 

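An added example, not code from these threads or from PacketFence itself, covering the two checks the threads above turn on: pulling the AP MAC and SSID out of Called-Station-Id (the ASA log line "Unable to extract MAC from Called-Station-Id: 89.97.236.20" in Cristian's thread, and Ivan's "Unable to extract SSID of Called-Station-ID"), and first-match connection-profile selection as Fabrice describes it to Craig. The accepted Called-Station-Id formats, the profile names, filters and connection-type labels are assumptions modelled on the threads, not PacketFence's actual implementation.

```python
"""Added example (not PacketFence code): Called-Station-Id parsing and
first-match connection-profile selection, as discussed in the threads above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed Called-Station-Id formats, modelled on what WLCs commonly send:
# "aa-bb-cc-dd-ee-ff:SSID", "aa:bb:cc:dd:ee:ff:SSID", "aabbccddeeff:SSID",
# or a bare MAC with no SSID. Group 1 = MAC, group 2 = separator, group 3 = SSID.
_CSID_RE = re.compile(
    r"^([0-9a-f]{2}([-:]?)(?:[0-9a-f]{2}\2){4}[0-9a-f]{2})(?::(.+))?$",
    re.IGNORECASE,
)

# Connection-type labels (assumed, modelled on PacketFence's naming).
WIRELESS = "Wireless-802.11-NoEAP"  # a MAC-auth Wi-Fi request
VPN = "Virtual"                     # NAS-Port-Type seen in the ASA audit log above


def extract_ap_mac_and_ssid(called_station_id: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (ap_mac, ssid), or (None, None) when no MAC can be found.

    An IP address such as the ASA's "89.97.236.20" matches nothing, which is
    the situation behind "Unable to extract MAC from Called-Station-Id"; a
    bare MAC yields an SSID of None, the situation behind Ivan's
    "Unable to extract SSID of Called-Station-ID".
    """
    m = _CSID_RE.match(called_station_id.strip())
    if not m:
        return None, None
    hexmac = re.sub(r"[-:]", "", m.group(1)).lower()
    mac = ":".join(hexmac[i:i + 2] for i in range(0, 12, 2))  # normalise to aa:bb:...
    return mac, m.group(3)


def build_request(called_station_id: str, connection_type: str) -> Dict[str, Optional[str]]:
    """The few request attributes a profile filter looks at in this example."""
    ap_mac, ssid = extract_ap_mac_and_ssid(called_station_id)
    return {"ap_mac": ap_mac, "ssid": ssid, "connection_type": connection_type}


@dataclass
class ConnectionProfile:
    name: str
    # attribute -> required value; every entry must match. An empty dict
    # matches any request, which is how the catch-all default behaves.
    filters: Dict[str, str] = field(default_factory=dict)

    def matches(self, request: Dict[str, Optional[str]]) -> bool:
        return all(request.get(attr) == value for attr, value in self.filters.items())


def select_profile(profiles: List[ConnectionProfile],
                   request: Dict[str, Optional[str]]) -> Optional[str]:
    """First match wins, in list order; nothing after the first match is consulted."""
    for profile in profiles:
        if profile.matches(request):
            return profile.name
    return None


def profile_for(profiles: List[ConnectionProfile], called_station_id: str,
                connection_type: str) -> Optional[str]:
    return select_profile(profiles, build_request(called_station_id, connection_type))


# Constructed profile lists loosely modelled on Craig's four profiles.
# In the first list "Guests" is filtered only on connection type, so it
# matches every wireless SSID and shadows the two company profiles after it.
SHADOWING_PROFILES = [
    ConnectionProfile("Guests", {"connection_type": WIRELESS}),
    ConnectionProfile("Private company 1", {"ssid": "Company1"}),
    ConnectionProfile("Private company 2", {"ssid": "Company2"}),
    ConnectionProfile("default"),
]
# Same order, but the Guests filter is narrowed to its own SSID.
FIXED_PROFILES = [
    ConnectionProfile("Guests", {"connection_type": WIRELESS, "ssid": "Guest-WiFi"}),
    ConnectionProfile("Private company 1", {"ssid": "Company1"}),
    ConnectionProfile("Private company 2", {"ssid": "Company2"}),
    ConnectionProfile("default"),
]

# Constructed samples; the last value is the ASA Called-Station-Id quoted in
# Cristian's log, which carries no MAC at all.
SAMPLES = [
    ("AA-BB-CC-DD-EE-FF:Company1", WIRELESS),
    ("aabbccddeeff:Guest-WiFi", WIRELESS),
    ("aa:bb:cc:dd:ee:ff", WIRELESS),
    ("89.97.236.20", VPN),
]


def main() -> None:
    for csid, ctype in SAMPLES:
        mac, ssid = extract_ap_mac_and_ssid(csid)
        print(f"{csid:28} mac={mac} ssid={ssid} "
              f"shadowing={profile_for(SHADOWING_PROFILES, csid, ctype)} "
              f"fixed={profile_for(FIXED_PROFILES, csid, ctype)}")


if __name__ == "__main__":
    main()
```

With the narrowed Guests filter, a bare-MAC Called-Station-Id (no SSID) falls through to the default profile rather than the Guests one, which is why fixing the attribute format on the WLC matters before reordering profiles.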
Re: [PacketFence-users] How to configure vlan VMware esxi - web auth Captive porta

2019-06-13 Thread Fabrice Durand via PacketFence-users

Hello Roberto,


On 19-06-12 at 23:53, Casagrande Roberto, SEDE CENTRALE - GUBBIO, 
Colacem S.p.A. via PacketFence-users wrote:

Sorry, but I can't find how to create a trunk port to VMware, or I don't know if 
I configured the PF server well to work with VLANs.
Please, can I have support?


There are so many examples on the internet about that. BTW, create the number 
of interfaces you need on the server and assign the VLAN directly in the ESX.




Another question: I would like to use PF to authenticate guest users with a wired 
connection (web auth captive portal).
The PF management is VLAN 20, and after authentication I would like to lead the 
guest users to another VLAN, for example 212.
Is it necessary to have the PF with a VLAN sub-interface?


No you don't need to have an interface in the vlan 212.

Regards

Fabrice



Thanks a lot for support
Roberto

Sent from iPhone

=
This e-mail message and any files transmitted with it contain confidential 
information intended only for the person(s) to whom it is addressed. If you are 
not the intended recipient, you are hereby notified that any use or 
distribution of this e-mail is strictly prohibited: please notify the sender 
and delete the original message.
Thank you.
==



Re: [PacketFence-users] [packetfence 8.3] Active/Passive cluster

2019-06-13 Thread Fabrice Durand via PacketFence-users

Hello Pro,

Are you using the packetfence-mariadb service in pcs or just mariadb?

Regards

Fabrice


On 19-06-13 at 05:23, pro fence via PacketFence-users wrote:

Hello,

Does somebody know why, when mariadb is started with the pcs cluster, it 
becomes impossible to connect to mysql directly on the server? Here is 
the error message:


After checking, the socket is indeed present in /var/lib/mysql

ERROR 2002 (HY000): Can't connect to local MySQL server through socket 
'/var/lib/mysql/mysql.sock' (2 "No such file or directory")


But when mariadb is started without pcs, the connection works just fine.

Any help would be appreciated.
Regards




Re: [PacketFence-users] Is RADIUS account from packet fence deployed inline possible?

2019-06-12 Thread Fabrice Durand via PacketFence-users

Hello Steve,

It's already supposed to send the IP address of the device in the RADIUS 
accounting packet:


https://github.com/inverse-inc/packetfence/blob/devel/go/firewallsso/checkpoint.go#L45

Regards

Fabrice


On 19-06-12 at 05:06, AOL wrote:

Thanks Fabrice.

That started the RADIUS accounting working. I can see the accounting packets in 
Wireshark (although they are a little sporadic). Our solution needs to see the 
client IP within the payload to accept the packet. In Wireshark I can see the 
domain/realm, username and what looks like a MAC address within the packet but 
not the IP. Is there a $ variable I can include in the RADIUS accounting 
options to include the IP?

Thanks,

Steve


On 11 Jun 2019, at 02:16, Durand fabrice via PacketFence-users wrote:

Hello Steve,

It looks like it's the firewall SSO you are looking for.

Try to configure the Checkpoint firewall SSO in PacketFence; it sends RADIUS 
accounting packets.

Regards

Fabrice


On 19-06-10 at 16:44, AOL via PacketFence-users wrote:

Hi,

I’ve been trying to get a PacketFence server to send RADIUS accounting 
information to another server. The PF is deployed inline. The aim is to pass 
the user source IP address within the RADIUS accounting info, so it can be used 
for user tracking on a web proxy. Does anyone know if this is possible?

The configuration pages seem to suggest it’s possible to send accounting to 
another server, but I found an email buried in a PF email archive saying that 
PF only receives RADIUS accounting.

Thanks,

Steve



Re: [PacketFence-users] Device not terminated after email registration failed.

2019-06-13 Thread Fabrice Durand via PacketFence-users
[mac:[undef]] Updating locationlog from accounting request 
(pf::api::handle_accounting_metadata)
Jun 12 11:40:28 pfz9 pfqueue: pfqueue(3978) INFO: 
[mac:b8:c1:11:37:68:40] Contacted Ruckus to perform deauthentication 
(pf::Switch::Ruckus::SmartZone::deauthenticateMacWebservices)
Jun 12 11:41:25 pfz9 packetfence_httpd.aaa: httpd.aaa(1754) INFO: 
[mac:b8:c1:11:37:68:40] Instantiate profile WiFi_onBoard 
(pf::Connection::ProfileFactory::_from_profile)
Jun 12 11:45:08 pfz9 pfipset[2432]: t=2019-06-12T11:45:08-0700 
lvl=info msg="No Inline Network bypass ipsets reload" pid=2432
Jun 12 11:46:00 pfz9 pfqueue: pfqueue(4227) INFO: 
[mac:b8:c1:11:37:68:40] [b8:c1:11:37:68:40] DesAssociating mac on 
switch (10.20.21.51) (pf::api::desAssociate)
Jun 12 11:46:00 pfz9 pfqueue: pfqueue(4227) INFO: 
[mac:b8:c1:11:37:68:40] deauthenticating 
(pf::Switch::Ruckus::SmartZone::radiusDisconnect)
Jun 12 11:46:00 pfz9 pfqueue: pfqueue(4227) WARN: 
[mac:b8:c1:11:37:68:40] Unable to perform RADIUS Disconnect-Request: 
No answer from 10.20.21.51 on port 3799 at 
/usr/local/pf/lib/pf/util/radius.pm line 147. 
(pf::Switch::Ruckus::SmartZone::catch {...} )


On Wed, Jun 12, 2019 at 11:20 AM Fabrice Durand via PacketFence-users wrote:


Hello Scott,

I will need to see the content of packetfence.log to see what happens.

Regards

Fabrice


On 19-06-12 at 12:59, Lu, Scott via PacketFence-users wrote:

Hi,

I have configured the PF9 captive portal for guest registration and to
send an email for "Network access activation":

1. Guest clicks "Activate Access", then network access is good.
2. Guest does not click "Activate Access", then network access is good too.
3. If the guest sends an email to "a...@xyz.com,
a@b.c, any fake/made-up email account", the guest still
has network access too.
There is no termination at all after failing to register. Could you help me
on this issue?

We are using Ruckus SmartZone version 3.6.2.0.78 &
PacketFence 9.0.1

Much appreciated!

Scott Lu








--
Scott Lu





Re: [PacketFence-users] Node Manager Lockdown

2019-06-12 Thread Fabrice Durand via PacketFence-users

Hello Stuart,

We are still working on it: https://github.com/inverse-inc/packetfence/pull/4558

Regards

Fabrice


On 19-06-12 at 12:10, Stuart Gendron via PacketFence-users wrote:
Playing around with the Node Manager Admin Role to try and lock things 
down so the user can only change nodes to specific roles.


Here's an excerpt from the adminroles.conf file:

[VPN Node Manager]
actions=NODES_READ,NODES_UPDATE,SECURITY_EVENTS_READ,SWITCHES_READ,DHCP_OPTION_82_READ
allowed_roles=Youi_US01,Youi_SA01,Youi_SA02
allowed_node_roles=Youi_US01,Youi_SA01,Youi_SA02
description=Allows you to manage only VPN nodes
allowed_access_levels=
allowed_actions=*

So, attempting this, I get an error when trying to change roles saying that I 
don't have NODES_CREATE and NODES_DELETE.


Adding those 2 actions in, I can then change roles, but I can change 
them to ones not listed in allowed_node_roles (like Default and 
Guest).


Any help would be greatly appreciated!

--

*Stuart Gendron*
IT Support Specialist

*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8 


t (613) 228-9107 x258 | c (613) 697-6853








Re: [PacketFence-users] Device not terminated after email registration failed.

2019-06-12 Thread Fabrice Durand via PacketFence-users

Hello Scott,

I will need to see the content of packetfence.log to see what happens.

Regards

Fabrice


On 19-06-12 at 12:59, Lu, Scott via PacketFence-users wrote:

Hi,

I have configured the PF9 captive portal for guest registration and to send 
an email for "Network access activation":


1. Guest clicks "Activate Access", then network access is good.
2. Guest does not click "Activate Access", then network access is good too.
3. If the guest sends an email to "a...@xyz.com, a@b.c, 
any fake/made-up email account", the guest still has network access too.
There is no termination at all after failing to register. Could you help me on 
this issue?


We are using Ruckus SmartZone version 3.6.2.0.78 & PacketFence 9.0.1

Much appreciated!

Scott Lu







Re: [PacketFence-users] DHCP Errors on Packetfence and Debian 9

2019-05-23 Thread Fabrice Durand via PacketFence-users

Hello Thomas,

I see what the issue is.

I will patch it and the new binary will be available tomorrow from the 
maintenance (pf-maint.pl).


Regards

Fabrice


On 19-05-23 at 09:51, Thomas OLIVIER via PacketFence-users wrote:


Hi All,

I've got an issue on my fresh PacketFence install on Debian 9. All 
works fine, but when my computer tries a DHCPDISCOVER, PF crashes with these 
errors.


I don't remember that error with the "first" dev packages 
released a few days ago.



Thanks

Thomas.


May 23 15:07:55 portailtest auth[1]: (4775) Login OK: [00-90-4b-6a-5c-39] 
(from client 192.168.24.8 port 13 cli 00:90:4b:6a:5c:39)
==> logs/packetfence.log <==
May 23 15:07:55 portailtest pfdhcp[14886]: recovered from  runtime error: 
invalid memory address or nil pointer dereference
May 23 15:07:55 portailtest pfdhcp[14886]: runtime.errorString runtime error: 
invalid memory address or nil pointer dereference
May 23 15:07:55 portailtest pfdhcp[14886]: 
/usr/local/go/src/runtime/panic.go:82 (0x441d61)
May 23 15:07:55 portailtest pfdhcp[14886]: 
/usr/local/go/src/runtime/panic.go:81 (0x441b90)
May 23 15:07:55 portailtest pfdhcp[14886]: 
/tmp/buildd/packetfence-9.0.0/debian/tmp.TSwJUhhjgT/src/github.com/inverse-inc/packetfence/go/dhcp/main.go:311
 (0x7d2835)
May 23 15:07:55 portailtest pfdhcp[14886]: 
/tmp/buildd/packetfence-9.0.0/debian/tmp.TSwJUhhjgT/src/github.com/inverse-inc/packetfence/go/dhcp/workers_pool.go:22
 (0x7e09ab)
May 23 15:07:55 portailtest pfdhcp[14886]: 
/tmp/buildd/packetfence-9.0.0/debian/tmp.TSwJUhhjgT/src/github.com/inverse-inc/packetfence/go/dhcp/main.go:128
 (0x7e1a08)
May 23 15:07:55 portailtest pfdhcp[14886]: 
/usr/local/go/src/runtime/asm_amd64.s:1337 (0x459551)
May 23 15:07:55 portailtest pfdhcp[14886]: (dhcp4.Options) (len=8) {
May 23 15:07:55 portailtest pfdhcp[14886]:  (dhcp4.OptionCode) 
OptionDHCPMessageType: ([]uint8) (len=1 cap=78) {
May 23 15:07:55 portailtest pfdhcp[14886]:     01   
 |.|
May 23 15:07:55 portailtest pfdhcp[14886]:  },
May 23 15:07:55 portailtest pfdhcp[14886]:  (dhcp4.OptionCode) 
OptionClientIdentifier: ([]uint8) (len=7 cap=72) {
May 23 15:07:55 portailtest pfdhcp[14886]:     01 00 90 4b 6a 5c 39 
 |...Kj\9|
May 23 15:07:55 portailtest pfdhcp[14886]:  },
May 23 15:07:55 portailtest pfdhcp[14886]:  (dhcp4.OptionCode) 
OptionRequestedIPAddress: ([]uint8) (len=4 cap=63) {
May 23 15:07:55 portailtest pfdhcp[14886]:     a9 fe 96 2d  
 |...-|
May 23 15:07:55 portailtest pfdhcp[14886]:  },
May 23 15:07:55 portailtest pfdhcp[14886]:  (dhcp4.OptionCode) 
OptionVendorClassIdentifier: ([]uint8) (len=8 cap=45) {
May 23 15:07:55 portailtest pfdhcp[14886]:     4d 53 46 54 20 35 2e 30  
 |MSFT 5.0|
May 23 15:07:55 portailtest pfdhcp[14886]:  },
May 23 15:07:55 portailtest pfdhcp[14886]:  (dhcp4.OptionCode) 
OptionParameterRequestList: ([]uint8) (len=11 cap=35) {
May 23 15:07:55 portailtest pfdhcp[14886]:     01 0f 03 06 2c 2e 2f 1f  
21 f9 2b |,./.!.+|
May 23 15:07:55 portailtest pfdhcp[14886]:  },
May 23 15:07:55 portailtest pfdhcp[14886]:  (dhcp4.OptionCode) OptionCode(116): 
([]uint8) (len=1 cap=75) {
May 23 15:07:56 portailtest pfdhcp[14886]:     01   
 |.|
May 23 15:07:56 portailtest pfdhcp[14886]:  },
May 23 15:07:56 portailtest pfdhcp[14886]:  (dhcp4.OptionCode) OptionHostName: 
([]uint8) (len=10 cap=57) {
May 23 15:07:56 portailtest pfdhcp[14886]:     74 68 6f 6d 61 73 70 6f  
72 74    |thomasport|
May 23 15:07:56 portailtest pfdhcp[14886]:  },
May 23 15:07:56 portailtest pfdhcp[14886]:  (dhcp4.OptionCode) 
OptionVendorSpecificInformation: ([]uint8) (len=2 cap=22) {
May 23 15:07:56 portailtest pfdhcp[14886]:     dc 00
 |..|
May 23 15:07:56 portailtest pfdhcp[14886]:  }
May 23 15:07:56 portailtest pfdhcp[14886]: }
May 23 15:07:55 portailtest pfdhcp: recovered from  runtime error: invalid 
memory address or nil pointer dereference
May 23 15:07:55 portailtest pfdhcp: runtime.errorString runtime error: invalid 
memory address or nil pointer dereference
May 23 15:07:55 portailtest pfdhcp: /usr/local/go/src/runtime/panic.go:82 
(0x441d61)
May 23 15:07:55 portailtest pfdhcp: /usr/local/go/src/runtime/panic.go:81 
(0x441b90)
May 23 15:07:55 portailtest pfdhcp: 
/tmp/buildd/packetfence-9.0.0/debian/tmp.TSwJUhhjgT/src/github.com/inverse-inc/packetfence/go/dhcp/main.go:311
 (0x7d2835)
May 23 15:07:55 portailtest pfdhcp: 
/tmp/buildd/packetfence-9.0.0/debian/tmp.TSwJUhhjgT/src/github.com/inverse-inc/packetfence/go/dhcp/workers_pool.go:22
 (0x7e09ab)
May 23 15:07:55 portailtest pfdhcp: 
/tmp/buildd/packetfence-9.0.0/debian/tmp.TSwJUhhjgT/src/github.com/inverse-inc/packetfence/go/dhcp/main.go:128
 (0x7e1a08)
May 23 15:07:55 portailtest pfdhcp: 

Re: [PacketFence-users] SG300 port showing up wrong

2019-05-21 Thread Fabrice Durand via PacketFence-users

Hello Stuart,

Yes, it's possible, but when you plug into port 2, is it port 50 that 
appears in the log?


Regards

Fabrice


On 19-05-21 at 11:42, Stuart Gendron wrote:

Logs below:

May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_sql (sql): 
Closing connection (106): Hit idle_timeout, was idle for 431977 seconds
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_sql (sql): 
Closing connection (108): Hit idle_timeout, was idle for 431977 seconds
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_sql (sql): 
Closing connection (107): Hit idle_timeout, was idle for 431977 seconds
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_sql (sql): 
Closing connection (105): Hit idle_timeout, was idle for 431977 seconds
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_sql (sql): 
Opening additional connection (109), 1 of 64 pending slots used
May 21 11:39:50 youi-packetfence-p1 auth[25948]: Need 2 more 
connections to reach min connections (3)
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_sql (sql): 
Opening additional connection (110), 1 of 63 pending slots used
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_rest (rest): 
Closing connection (98): Hit idle_timeout, was idle for 431989 seconds
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_rest (rest): 
Closing connection (97): Hit idle_timeout, was idle for 431977 seconds
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_rest (rest): 
Closing connection (99): Hit idle_timeout, was idle for 431977 seconds
May 21 11:39:50 youi-packetfence-p1 auth[25948]: rlm_rest (rest): 
Opening additional connection (100), 1 of 64 pending slots used
May 21 11:39:51 youi-packetfence-p1 auth[25948]: Need 2 more 
connections to reach min connections (3)
May 21 11:39:51 youi-packetfence-p1 auth[25948]: rlm_rest (rest): 
Opening additional connection (101), 1 of 63 pending slots used
May 21 11:39:51 youi-packetfence-p1 auth[25948]: Need 1 more 
connections to reach min connections (3)
May 21 11:39:51 youi-packetfence-p1 auth[25948]: rlm_sql (sql): 
Opening additional connection (111), 1 of 62 pending slots used
May 21 11:39:51 youi-packetfence-p1 auth[25948]: 
[mac:0c:4d:e9:b9:23:ac] Rejected user: 0c4de9b923ac
May 21 11:39:51 youi-packetfence-p1 auth[25948]: (41096) Rejected in 
post-auth: [0c4de9b923ac] (from client 10.100.64.67 port 49 cli 
0c:4d:e9:b9:23:ac)
May 21 11:39:51 youi-packetfence-p1 auth[25948]: (41096) Login 
incorrect: [0c4de9b923ac] (from client 10.100.64.67 port 49 cli 
0c:4d:e9:b9:23:ac)
May 21 11:40:02 youi-packetfence-p1 auth[25948]: Need 7 more 
connections to reach 10 spares
May 21 11:40:02 youi-packetfence-p1 auth[25948]: rlm_sql (sql): 
Opening additional connection (112), 1 of 61 pending slots used
May 21 11:40:02 youi-packetfence-p1 auth[25948]: Need 1 more 
connections to reach min connections (3)
May 21 11:40:02 youi-packetfence-p1 auth[25948]: rlm_rest (rest): 
Opening additional connection (102), 1 of 62 pending slots used
May 21 11:40:02 youi-packetfence-p1 auth[25948]: (41106) Login OK: 
[testradius] (from client 10.100.64.67 port 49 cli 0c:4d:e9:b9:23:ac 
via TLS tunnel)
May 21 11:40:02 youi-packetfence-p1 auth[25948]: 
[mac:0c:4d:e9:b9:23:ac] Accepted user: testradius and returned VLAN 88
May 21 11:40:02 youi-packetfence-p1 auth[25948]: (41107) Login OK: 
[testradius] (from client 10.100.64.67 port 49 cli 0c:4d:e9:b9:23:ac)


Looks like it's also sending port 49.

Is there somewhere to make a modification where I can say $Port = 
$Port - 48 or something?


On Thu, May 16, 2019 at 9:27 PM Durand fabrice wrote:


Hello Stuart,

It looks like the port is set to 49 in the RADIUS request:

May 16 11:40:01 youi-packetfence-p1 packetfence_httpd.aaa:
httpd.aaa(6346) INFO: [mac:78:7b:8a:d3:ae:74] handling radius autz
request: from switch_ip => (10.100.64.67), connection_type =>
Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac =>
[78:7b:8a:d3:ae:74], port => 49, username => "787b8ad3ae74"
(pf::radius::authorize)

Are you able to check in the RADIUS auditing what the RADIUS request is
(with all the attributes) and paste it to me?

Regards

Fabrice


On 19-05-16 at 11:41, Stuart Gendron wrote:

Logs below:

[root@youi-packetfence-p1 ~]# tail -f
/usr/local/pf/logs/packetfence.log| grep 78:7b:8a:d3:ae:74
May 16 11:40:01 youi-packetfence-p1 packetfence_httpd.aaa:
httpd.aaa(6346) INFO: [mac:78:7b:8a:d3:ae:74] handling radius
autz request: from switch_ip => (10.100.64.67), connection_type
=> Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac =>
[78:7b:8a:d3:ae:74], port => 49, username => "787b8ad3ae74"
(pf::radius::authorize)
May 16 11:40:01 youi-packetfence-p1 packetfence_httpd.aaa:
httpd.aaa(6346) INFO: [mac:78:7b:8a:d3:ae:74] Instantiate profile
default (pf::Connection::ProfileFactory::_from_profile)
May 16 11:40:01 youi-packetfence-p1 packetfence_httpd.aaa:

Re: [PacketFence-users] OS Update breaks Captive Portal

2019-05-15 Thread Fabrice Durand via PacketFence-users

Hello Kalcho,

It looks to be the static content that is not working.

Can you check if httpd.dispatcher is running correctly?

Regards

Fabrice


On 19-05-15 at 03:16, Kalcho via PacketFence-users wrote:

Hello,

I have PacketFence 8.1 running on CentOS 7; after the last CentOS update, the captive portal does 
not work. It just shows the message "an error occurred". I see that the captive portal 
resource files cannot be obtained; an HTTP error 503 is received.

When trying to access packetfence/captive-portal, haproxy_portal.log shows 
the following messages:

May 15 06:46:57 packetfence haproxy[6857]: 172.25.0.245:36436 [15/May/2019:06:46:54.699] 
portal-https-172.18.0.22~ proxy/ 0/0/-1/-1/3005 503 212 - - SC-- 3/2/0/0/3 0/0 
"GET / HTTP/1.1"
May 15 06:47:00 packetfence haproxy[6857]: 172.25.0.245:36438 [15/May/2019:06:46:57.893] 
portal-https-172.18.0.22~ static/ 0/0/-1/-1/3005 503 212 - - SC-- 2/1/0/0/3 0/0 
"GET /favicon.ico HTTP/1.1"
May 15 06:47:06 packetfence haproxy[6857]: 172.25.0.245:36440 [15/May/2019:06:47:05.954] 
portal-https-172.18.0.22~ 172.18.0.22-backend/127.0.0.1 0/0/0/257/257 200 4382 - -  
3/2/0/0/0 0/0 "GET /captive-portal HTTP/1.1"
May 15 06:47:09 packetfence haproxy[6857]: 172.25.0.245:36442 [15/May/2019:06:47:06.286] 
portal-https-172.18.0.22~ static/ 0/0/-1/-1/3005 503 212 - - SC-- 6/5/4/0/3 0/0 
"GET /common/styles.css HTTP/1.1"

I have also applied the PacketFence maintenance patch, but the error stays. I have 
investigated what this HAProxy error means, and apparently the SC flag means:

"This is a problem with your back-end server, or a network issue between 
HAProxy and the back-end... not on the front side, and not related to the IP address 
of the connecting client.
 From "Session state at disconnect" in the docs:
SC The [back-end] server or an equipment between it and haproxy explicitly refused 
the TCP connection (the proxy received a TCP RST or an ICMP message in return). 
Under some circumstances, it can also be the network stack telling the proxy that 
the server is unreachable (eg: no route, or no ARP response on local network). When 
this happens in HTTP mode, the status code is likely a 502 or 503 here."

Regarding this explanation, I see that the problem lies between the haproxy and 
captive-portal httpd server communication. Both are running on the same server. 
Httpd is listening on 127.0.0.1:80 when checked using netstat. I do not 
know what to troubleshoot next.








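The SC termination state Kalcho quotes is the field to key on when reading haproxy_portal.log. As an added example (not from the thread and not PacketFence code), here is a Go parser for haproxy's default HTTP log format that pulls out backend, server, connect timer and termination state, and counts the requests each backend refused; the lines it runs over are constructed to match the excerpt above, with haproxy's `<NOSRV>` marker written out in full.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// HTTPLogEntry holds the fields of one haproxy HTTP-format log line that
// matter when diagnosing the 503s on the captive portal.
type HTTPLogEntry struct {
	Frontend  string
	Backend   string
	Server    string // "" when haproxy never chose a server (<NOSRV>)
	ConnectMs int    // Tc timer; -1 means the TCP connect never succeeded
	Status    int
	TermState string // session state at disconnect, e.g. "SC--"
	Request   string
}

// SampleLines are constructed for this example, modelled on the
// haproxy_portal.log excerpt in the thread (not copied from it).
var SampleLines = []string{
	`May 15 06:46:57 packetfence haproxy[6857]: 172.25.0.245:36436 [15/May/2019:06:46:54.699] portal-https-172.18.0.22~ proxy/<NOSRV> 0/0/-1/-1/3005 503 212 - - SC-- 3/2/0/0/3 0/0 "GET / HTTP/1.1"`,
	`May 15 06:47:00 packetfence haproxy[6857]: 172.25.0.245:36438 [15/May/2019:06:46:57.893] portal-https-172.18.0.22~ static/<NOSRV> 0/0/-1/-1/3005 503 212 - - SC-- 2/1/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"`,
	`May 15 06:47:06 packetfence haproxy[6857]: 172.25.0.245:36440 [15/May/2019:06:47:05.954] portal-https-172.18.0.22~ 172.18.0.22-backend/127.0.0.1 0/0/0/257/257 200 4382 - - ---- 3/2/0/0/0 0/0 "GET /captive-portal HTTP/1.1"`,
	`May 15 06:47:09 packetfence haproxy[6857]: 172.25.0.245:36442 [15/May/2019:06:47:06.286] portal-https-172.18.0.22~ static/<NOSRV> 0/0/-1/-1/3005 503 212 - - SC-- 6/5/4/0/3 0/0 "GET /common/styles.css HTTP/1.1"`,
}

// haproxyHTTP matches haproxy's default "httplog" format after the syslog
// prefix: client [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status
// bytes req_cookie resp_cookie term_state conn_counts queues "request".
var haproxyHTTP = regexp.MustCompile(
	`haproxy\[\d+\]: (\S+) \[[^\]]+\] (\S+) (\S*)/(\S*) (\S+) (\d{3}) (\d+) \S+ \S+ (\S{4}) \S+ \S+ "([^"]*)"`)

// ParseHTTPLogLine returns false for lines that are not haproxy HTTP log
// lines (syslog noise from other daemons, TCP-mode lines, and so on).
func ParseHTTPLogLine(line string) (HTTPLogEntry, bool) {
	m := haproxyHTTP.FindStringSubmatch(line)
	if m == nil {
		return HTTPLogEntry{}, false
	}
	status, _ := strconv.Atoi(m[6])
	connectMs := 0
	if timers := strings.Split(m[5], "/"); len(timers) == 5 {
		connectMs, _ = strconv.Atoi(timers[2]) // Tc is the third timer
	}
	server := m[4]
	if server == "<NOSRV>" {
		server = ""
	}
	return HTTPLogEntry{
		Frontend:  m[2],
		Backend:   m[3],
		Server:    server,
		ConnectMs: connectMs,
		Status:    status,
		TermState: m[8],
		Request:   m[9],
	}, true
}

// BackendRefused is the check the HAProxy docs describe for "SC": the first
// flag says the session ended on the server side, the second that it died in
// the connect phase. Such a request never reached the captive portal httpd,
// so the client and the front side are not the place to look.
func BackendRefused(e HTTPLogEntry) bool {
	return len(e.TermState) == 4 && e.TermState[0] == 'S' && e.TermState[1] == 'C'
}

// RefusalsByBackend counts SC-terminated requests per backend, so the
// backend haproxy cannot connect to stands out from the ones that work.
func RefusalsByBackend(lines []string) map[string]int {
	counts := map[string]int{}
	for _, line := range lines {
		if e, ok := ParseHTTPLogLine(line); ok && BackendRefused(e) {
			counts[e.Backend]++
		}
	}
	return counts
}

func main() {
	for backend, n := range RefusalsByBackend(SampleLines) {
		fmt.Printf("backend %-22s refused %d connection(s)\n", backend, n)
	}
}
```

Run against a real haproxy_portal.log, a backend that only ever shows SC with Tc of -1 points at the listener haproxy cannot reach, which is the next thing to check with netstat.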


Re: [PacketFence-users] JSON error Go Struct - Inline mode

2019-04-29 Thread Fabrice Durand via PacketFence-users

Hello Thomas,

I just pushed the patch to devel.

Btw, thanks for testing on Debian 9 ;-)

Regards

Fabrice


On 19-04-29 at 08:58, Thomas OLIVIER via PacketFence-users wrote:

Hello,

You rock Fabrice! it works! Thanks for your help :-))

There was the same error for the first function called 
"iptables_mark_node"



--- lib/pf/ipset.pm    2019-04-29 12:29:05.170883782 +0200
+++ lib/pf/ipset.pm.orig    2019-04-29 11:12:09.543421923 +0200
@@ -316,14 +316,14 @@
 call_ipsetd("/ipset/mark_layer3?local=0",{
 "network" => $network,
 "type"    => $mark_type_to_str{$mark},
-    "role_id" => "".$role_id,
+    "role_id" => $role_id,
 "ip"  => $iplog
 });
 } else {
 call_ipsetd("/ipset/mark_layer2?local=0",{
 "network" => $network,
 "type"    => $mark_type_to_str{$mark},
-    "role_id" => "".$role_id,
+    "role_id" => $role_id,
 "ip"  => $iplog,
 "mac" => $mac
 });
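Review bot: the `---`/`+++` headers are swapped relative to the usual convention (`--- lib/pf/ipset.pm` is the edited file, `+++ lib/pf/ipset.pm.orig` the untouched copy), so in this hunk the `-` line `"role_id" => "".$role_id,` is the fix that works and the `+` line is the code it replaced; feeding this file to `patch` as-is would undo the fix. Regenerate it as `diff -u lib/pf/ipset.pm.orig lib/pf/ipset.pm` before it is picked up. The change itself is consistent with the update_node fix further down: concatenating `""` makes the JSON encoder emit role_id as a string, which is what a Go string struct field will accept.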
@@ -410,13 +410,13 @@
  if ($ConfigNetworks{$network}{'type'} =~ 
/^$NET_TYPE_INLINE_L3$/i) {

 call_ipsetd("/ipset/mark_ip_layer3?local=0",{
 "network" => $network,
-    "role_id" => "".$id,
+    "role_id" => $id,
 "ip"  => $src_ip
 });
 } else {
 call_ipsetd("/ipset/mark_ip_layer2?local=0",{
                 "network" => $network,
-    "role_id" => "".$id,
+    "role_id" => $id,
 "ip"  => $src_ip
 });
 }
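Review bot: the context lines of this hunk spell the address variable `$src_ip`, while the patch Fabrice posted for the same `@@ -410,13 +410,13 @@` region of update_node shows `$srcip`; only one of those can match the file, so the other patch will fail with a context mismatch on that tree. Worth confirming which spelling the current lib/pf/ipset.pm uses before either diff is applied. The direction problem noted on the first hunk applies here too: the `-` lines carry the intended `"".$id`.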


Have a nice day!

Thomas.


On 26/04/2019 16:30, Fabrice Durand via PacketFence-users wrote:

Hello Thomas,

can you try that:

diff --git a/lib/pf/ipset.pm b/lib/pf/ipset.pm
index 63273f6c45..fcdb41872a 100644
--- a/lib/pf/ipset.pm
+++ b/lib/pf/ipset.pm
@@ -410,13 +410,13 @@ sub update_node {
  if ($ConfigNetworks{$network}{'type'} =~ 
/^$NET_TYPE_INLINE_L3$/i) {

call_ipsetd("/ipset/mark_ip_layer3?local=0",{
 "network" => $network,
-    "role_id" => $id,
+    "role_id" => "".$id,
 "ip"  => $srcip
 });
 } else {
call_ipsetd("/ipset/mark_ip_layer2?local=0",{
 "network" => $network,
-    "role_id" => $id,
+    "role_id" => "".$id,
 "ip"  => $srcip
 });
 }
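Review bot: the same stringification is missing from the earlier `call_ipsetd("/ipset/mark_layer3?local=0", ...)` and `mark_layer2` calls, which still pass `"role_id" => $role_id` as a bare number, so the first registration through the portal keeps failing on that path (the reply in this thread hits exactly that). Rather than patching each call site, consider coercing `role_id` to a string once inside `call_ipsetd`, or accepting both a number and a string on the pfipset side, so a new caller cannot reintroduce the JSON type error.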


Regards

Fabrice


On 19-04-25 at 13:16, Thomas OLIVIER via PacketFence-users wrote:

Hi All,

There is an issue on my fresh install of PF with Debian 9.

With inline mode all is fine until I want to log in; after validating 
the login form I get a lot of errors in the log and ipset is not 
updated.



Is it a bug ?



Thomas.



Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] Instantiate 
profile TEMPLATE (pf::Connection::ProfileFactory::_from_profile)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] No provisioner 
found for 00:90:4b:6a:5c:39. Continuing. 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-102
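The role_id stringification in the patches above works around how Go's encoding/json treats field types: a JSON number will not decode into a string struct field. This added Go example (my own, not pfipset's code; the struct mirrors the request body from the diff, but its real field names and types are an assumption) reproduces the decode error on an unstringified `role_id` and shows a decoder-side type that accepts either form.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StrictMarkRequest is a hypothetical mirror of the body that lib/pf/ipset.pm
// posts to /ipset/mark_ip_layer3: a Go daemon whose role_id field is declared
// as string. The real pfipset struct is not on the page; this is an assumption.
type StrictMarkRequest struct {
	Network string `json:"network"`
	Type    string `json:"type"`
	RoleID  string `json:"role_id"`
	IP      string `json:"ip"`
}

// DecodeStrict decodes as a string-typed daemon would. With "role_id":1 it
// fails with "cannot unmarshal number into Go struct field"; with
// "role_id":"1" (what "".$id produces) it decodes cleanly.
func DecodeStrict(body string) (StrictMarkRequest, error) {
	var req StrictMarkRequest
	err := json.Unmarshal([]byte(body), &req)
	return req, err
}

// RoleID is a decoder-side alternative: it accepts a JSON string or a JSON
// number and normalises both to the string form, so a caller that forgets
// the stringification cannot break the request.
type RoleID string

func (r *RoleID) UnmarshalJSON(b []byte) error {
	raw := strings.TrimSpace(string(b))
	if strings.HasPrefix(raw, `"`) {
		var s string
		if err := json.Unmarshal(b, &s); err != nil {
			return err
		}
		*r = RoleID(s)
		return nil
	}
	// Anything else must be a bare JSON number; json.Number keeps the
	// literal text, so "1" and "1.0" are not silently conflated.
	var n json.Number
	if err := json.Unmarshal(b, &n); err != nil {
		return fmt.Errorf("role_id: expected a string or a number, got %s", raw)
	}
	*r = RoleID(n.String())
	return nil
}

// TolerantMarkRequest is StrictMarkRequest with the lenient role_id type.
type TolerantMarkRequest struct {
	Network string `json:"network"`
	Type    string `json:"type"`
	RoleID  RoleID `json:"role_id"`
	IP      string `json:"ip"`
}

func DecodeTolerant(body string) (TolerantMarkRequest, error) {
	var req TolerantMarkRequest
	err := json.Unmarshal([]byte(body), &req)
	return req, err
}

// Constructed request bodies (values made up for this example):
// BodyNumeric is what the Perl side emits when $id is a plain number,
// BodyString is what it emits after the "".$id change in the patch.
const (
	BodyNumeric = `{"network":"192.168.2.0","type":"Reg","role_id":1,"ip":"192.168.2.10"}`
	BodyString  = `{"network":"192.168.2.0","type":"Reg","role_id":"1","ip":"192.168.2.10"}`
)

func main() {
	for _, body := range []string{BodyNumeric, BodyString} {
		_, strictErr := DecodeStrict(body)
		tol, tolErr := DecodeTolerant(body)
		fmt.Printf("%s\n  strict: %v\n  tolerant: role_id=%q err=%v\n",
			body, strictErr, tol.RoleID, tolErr)
	}
}
```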

Re: [PacketFence-users] Blank captive portal with cisco wlc 5508

2019-04-29 Thread Fabrice Durand via PacketFence-users

Hello pro,

You just need to add an additional listening daemon on the management 
interface:

https://@mgmt_ip:1443/admin/configuration#configuration/networks/interfaces

Then restart packetfence.

Regards

Fabrice

On 19-04-29 at 08:49, pro fence via PacketFence-users wrote:

Hi,

Thanks for the reply, but I still don't see how to activate ports 80 and 
443 on the management IP.


Any help is appreciated
Regards,

On Mon, 29 Apr 2019 at 14:06, Nicolas Quiniou-Briand via 
PacketFence-users wrote:




On 2019-04-29 10:27 a.m., pro fence via PacketFence-users wrote:
> my packetfence server is not listening on port 80 on the management
> interface (and my portal is on that interface as per the
installation
> guide), but it is listening on registration and isolation.
> changing the /usr/local/pf/var/conf/haproxy-portal.conf is useless
> because it is lost on restart.

You should be able to change this setting in pf.conf (see ports
section).
-- 
Nicolas Quiniou-Briand

n...@inverse.ca   :: +1.514.447.4918 *140 
:: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)










Re: [PacketFence-users] Blank captive portal with cisco wlc 5508

2019-04-29 Thread Fabrice Durand via PacketFence-users

Hello Pro,

haproxy is the process that is supposed to listen on ports 80 and 443.

It looks like the configuration is not correctly generated.

Can you paste your pf.conf

and do that:

pfcmd pfconfig clear_backend

pfcmd configreload hard

pfcmd service haproxy-portal restart

pfcmd service iptables restart


Regards

Fabrice


On 19-04-29 at 09:39, pro fence via PacketFence-users wrote:

HI,

Thanks for the reply, I have already done that.
Here is what I have


tcp    0  0 127.0.0.1:80 0.0.0.0:*   LISTEN  9239/httpd
tcp    0  0 127.0.0.1:80 127.0.0.1:33796 SYN_RECV    -
tcp    0  0 registration_vlan_ip:80 0.0.0.0:*   LISTEN  8662/haproxy
tcp    0  0 isolation_vlan_ip:80 0.0.0.0:*   LISTEN  8662/haproxy
tcp    0  0 127.0.0.1:8080 0.0.0.0:*   LISTEN  7877/perl
tcp    0  0 127.0.0.1:8080 127.0.0.1:34264 TIME_WAIT   -


tcp    0  0 10.registration_vlan_ip:443 
0.0.0.0:*   LISTEN  8662/haproxy
tcp    0  0 10.isolation_vlan_ip:443 0.0.0.0:*   
LISTEN  8662/haproxy


The problem is that the portal URL (on the switch role config) is as 
follows: http://magement_ip/Cisco::WLC


So when I use my SSID to connect it can't show the portal, as a telnet 
management_ip 80 doesn't work.
I am new to PacketFence so I don't know how a working config should 
behave. I am using a personalised SSL certificate and I have the file 
server.pem set along with server.crt and server.key, and my 
packetfence-haproxy-portal service is up; as a matter of fact, here are my 
running services:


packetfence-api-frontend.service loaded active running 
PacketFence API frontend Service
packetfence-config.service loaded active running 
PacketFence Config Service
packetfence-haproxy-portal.service loaded active running 
PacketFence HAProxy Load Balancer for the captive portal
packetfence-httpd.aaa.service loaded active running 
PacketFence AAA Apache HTTP Server
packetfence-httpd.dispatcher.service loaded active running 
PacketFence HTTP Dispatcher
packetfence-httpd.parking.service loaded active running 
PacketFence Parking Apache HTTP Server
packetfence-httpd.portal.service loaded active running 
PacketFence Captive Portal Apache HTTP Server
packetfence-httpd.webservices.service loaded active 
running PacketFence Webservices Apache HTTP Server
packetfence-iptables.service loaded active running 
PacketFence Iptables configuration
packetfence-mariadb.service loaded active running 
PacketFence MariaDB instance
packetfence-netdata.service loaded active running Real 
time performance monitoring
packetfence-pfdhcp.service loaded active running 
PacketFence GO DHCPv4 Server Daemon
packetfence-pfdhcplistener.service loaded active running 
PacketFence DHCP Listener Service
packetfence-pfdns.service loaded active running 
PacketFence GO DNS Server Daemon
packetfence-pffilter.service loaded active running 
PacketFence pffilter Service
packetfence-pfipset.service loaded active running 
PacketFence Ipset Daemon
packetfence-pfmon.service loaded active running 
PacketFence pfmon Service
packetfence-pfperl-api.service loaded active running 
PacketFence Unified API
packetfence-pfqueue.service loaded active running 
PacketFence pfqueue Service
packetfence-pfsso.service loaded active running 
PacketFence PFSSO Service
packetfence-pfstats.service loaded active running 
PacketFence Stats daemon
packetfence-radiusd-acct.service loaded active running 
PacketFence FreeRADIUS multi-protocol accounting server
packetfence-radiusd-auth.service loaded active running 
PacketFence FreeRADIUS authentication multi-protocol authentication server
packetfence-radsniff.service loaded active running 
PacketFence radsniff Service
packetfence-redis-cache.service loaded active running 
PacketFence Redis Cache Service

  packetfence-redis_queue.service

thanks in advance,
regards

On Mon, 29 Apr 2019 at 15:15, Fabrice Durand via PacketFence-users wrote:


Hello pro,

You just need to add an additional listening daemon on the
management interface:
https://@mgmt_ip:1443/admin/configuration#configuration/networks/interfaces

Then restart packetfence.

Regards

Fabrice

On 19-04-29 at 08:49, pro fence via PacketFence-users wrote:

Hi,

Thanks for the reply, but I still don't see how to activate ports
80 and 443 on the management IP.

Any help is

Re: [PacketFence-users] JSON error Go Struct - Inline mode

2019-04-29 Thread Fabrice Durand via PacketFence-users

It will be in 9.

On 19-04-29 at 11:04, Thomas OLIVIER via PacketFence-users wrote:
Will PF support Debian 9 in the next minor release or in the next 
major 9.0 ?



Thomas.

On 29/04/2019 15:10, Fabrice Durand via PacketFence-users wrote:

Hello Thomas,

I just pushed the patch to devel.

Btw, thanks for testing on Debian 9 ;-)

Regards

Fabrice


On 19-04-29 at 08:58, Thomas OLIVIER via PacketFence-users wrote:

Hello,

You rock Fabrice! it works! Thanks for your help :-))

There was the same error for the first function called 
"iptables_mark_node"



--- lib/pf/ipset.pm    2019-04-29 12:29:05.170883782 +0200
+++ lib/pf/ipset.pm.orig    2019-04-29 11:12:09.543421923 +0200
@@ -316,14 +316,14 @@
call_ipsetd("/ipset/mark_layer3?local=0",{
 "network" => $network,
 "type"    => $mark_type_to_str{$mark},
-    "role_id" => "".$role_id,
+    "role_id" => $role_id,
 "ip"  => $iplog
 });
 } else {
call_ipsetd("/ipset/mark_layer2?local=0",{
 "network" => $network,
 "type"    => $mark_type_to_str{$mark},
-    "role_id" => "".$role_id,
+    "role_id" => $role_id,
 "ip"  => $iplog,
 "mac" => $mac
 });
@@ -410,13 +410,13 @@
  if ($ConfigNetworks{$network}{'type'} =~ 
/^$NET_TYPE_INLINE_L3$/i) {

call_ipsetd("/ipset/mark_ip_layer3?local=0",{
 "network" => $network,
-    "role_id" => "".$id,
+    "role_id" => $id,
 "ip"  => $src_ip
 });
 } else {
call_ipsetd("/ipset/mark_ip_layer2?local=0",{
                 "network" => $network,
-    "role_id" => "".$id,
+    "role_id" => $id,
 "ip"  => $src_ip
 });
 }


Have a nice day!

Thomas.


On 26/04/2019 16:30, Fabrice Durand via PacketFence-users wrote:

Hello Thomas,

can you try that:

diff --git a/lib/pf/ipset.pm b/lib/pf/ipset.pm
index 63273f6c45..fcdb41872a 100644
--- a/lib/pf/ipset.pm
+++ b/lib/pf/ipset.pm
@@ -410,13 +410,13 @@ sub update_node {
  if ($ConfigNetworks{$network}{'type'} =~ 
/^$NET_TYPE_INLINE_L3$/i) {

call_ipsetd("/ipset/mark_ip_layer3?local=0",{
 "network" => $network,
-    "role_id" => $id,
+    "role_id" => "".$id,
 "ip"  => $srcip
 });
 } else {
call_ipsetd("/ipset/mark_ip_layer2?local=0",{
 "network" => $network,
-    "role_id" => $id,
+    "role_id" => "".$id,
 "ip"  => $srcip
 });
 }


Regards

Fabrice


On 19-04-25 at 13:16, Thomas OLIVIER via PacketFence-users wrote:

Hi All,

There is an issue on my fresh install of PF with Debian 9.

With inline mode all is fine until I want to log in; after validating 
the login form I get a lot of errors in the log and ipset is not 
updated.



Is it a bug ?



Thomas.



Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] Instantiate 
profile TEMPLATE (pf::Connection::ProfileFactory::_from_profile)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] No provisioner 
found for 00:90:4b:6a:5c:39. Continuing. 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authentic

Re: [PacketFence-users] Radius Integrations with Packetfence

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Alina,


If the user types his username and password on the portal then you need 
to create a RADIUS source.



Regards

Fabrice


On 19-07-11 at 05:10, Alina Haider via PacketFence-users wrote:

Hi all,

Actually I wanted to integrate an external RADIUS server with 
PacketFence. Basically, when a user types their credentials in PacketFence, 
those credentials should be matched with the user credentials present in the 
external RADIUS server, and if the credentials match, PacketFence 
should allow the user to access the network.


Thanks & Regards,
Alina Haider

*Alina Haider*
Development Intern






IOTA Solutions. Pvt. Ltd. (A Cloud9 Networks’ Company)
Mezzanine Floor, Khumrial Centre, Plot 3 & 4, I & T Centre, G-8/4 
Islamabad


www.iotasolutions.io www.cloud9net.com 









*From:* Alina Haider via PacketFence-users 


*Sent:* Friday, July 5, 2019 11:51 AM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Alina Haider
*Subject:* Re: [PacketFence-users] Radius Integrations with Packetfence
Hi Durand,

Actually I wanted to integrate an external RADIUS server with 
PacketFence. Basically, when a user types their credentials in PacketFence, 
those credentials should be matched with the user credentials present in the 
external RADIUS server, and if the credentials match, PacketFence 
should allow the user to access the network.


Thanks & Regards,
Alina Haider

*From:* Durand fabrice via PacketFence-users 


*Sent:* Friday, July 5, 2019 6:51 AM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice
*Subject:* Re: [PacketFence-users] Radius Integrations with Packetfence

Hello Alina,


What are you trying to achieve exactly?

We can do a lot of stuff with PacketFence but I need more information 
to reply correctly.



Regards

Fabrice


On 19-07-04 at 01:50, Alina Haider via PacketFence-users wrote:

Hi,
Thanks for your reply. Can you please tell me how we can 
connect a switch with a third-party RADIUS server?
Secondly, what is RADIUS proxy? Is RADIUS proxy a method to 
integrate a third-party RADIUS server with PacketFence?


Regards,
Alina Haider

*From:* Durand fabrice via PacketFence-users 
 


*Sent:* Thursday, July 4, 2019 5:56 AM
*To:* packetfence-users@lists.sourceforge.net 


*Cc:* Durand fabrice
*Subject:* Re: [PacketFence-users] Radius Integrations with Packetfence

Hello Alina,

There is no need to change anything in this section to make RADIUS 
work.


The only thing you need to have is the switch configuration and the 
RADIUS shared secret defined.



With that you will be able to send RADIUS access requests to 
PacketFence from the AP/controller/switch.



Regards

Fabrice


On 19-06-26 at 07:39, Alina Haider via PacketFence-users wrote:

Hey,
I am new to PacketFence and so far I have configured PacketFence on 
my machine. Now I want to integrate a FreeRADIUS server with the 
PacketFence server; I installed PacketFence with RADIUS 
enforcement. I am attaching an image of the RADIUS configuration page. 
Can you please tell me where I will get the data to fill the 
fields shown in the image? Thanks in advance.


Regards,
Alina Haider


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net  

https://lists.sourceforge.net/lists/listinfo/packetfence-users








--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)


Re: [PacketFence-users] Using Captive Portal to Detect AV

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Chadwick,

You will need to use WMI if it's a Windows laptop, or an MDM for the other 
devices.


Regards

Fabrice


On 19-07-09 at 23:55, Chadwick Boseman via PacketFence-users wrote:

Please help me, I am stuck on this part

On Mon, Jul 8, 2019 at 3:57 PM Chadwick Boseman wrote:


Hi,
So I have deployed PF ZEN and I have everything working, but the
captive portal is still the minimum: the user only has to accept
some agreement, then they are registered.
What I want to do is have the user's device checked for
whether it has AV installed or not, and whether it is updated or not.

How do I achieve this?

I'll appreciate any help.. Thanks in advance







Re: [PacketFence-users] Server logs error

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello BR,

It looks to be a slow disk.

Regards

Fabrice


On 19-07-11 at 12:11, Domingos Varela via PacketFence-users wrote:

Hi,

Please, Can anyone help me understand these events?
Thanks

BR

Regards,

*Domingos Varela*
Tel. +244 923 229 330 | Luanda - Angola


Domingos Varela wrote on Tuesday, 9/07/2019 at 10:46:


Hi,

I have my server with the default hardware settings, but several alerts
are logged constantly; can someone explain to me what the cause is
and whether I can do anything to improve it?

72% disk_util.dm-0.10min_disk_utilization

7930ms disk_backlog.dm-0.10min_disk_backlog

85.9% system.cpu.10min_cpu_usage

82.9% disk_util.dm-0.10min_disk_utilization

9391 ms disk_backlog.dm-0.10min_disk_backlog

82.4% system.cpu.10min_cpu_usage

82.7% disk_util.dm-0.10min_disk_utilization

9548 ms disk_backlog.dm-0.10min_disk_backlog

Thanks
BR

Regards,

*Domingos Varela*
Tel. +244 923 229 330 | Luanda - Angola







Re: [PacketFence-users] Captive Portal Load Balancing with F5

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Domingos,

You just need to configure on the F5 the 2 portals (like http://10.0.0.1 
and http://10.0.0.2) and terminate the SSL tunnel on the F5.


Be sure to add the X-Forwarded-For header in the F5.

Regards

Fabrice


On 19-07-11 at 12:10, Domingos Varela via PacketFence-users wrote:

Hello,

Has anyone managed to configure the captive portal on F5 with pf 
version 9.0.1 to balance two servers?

I tried following the instructions at the link below but it was not a success.

https://packetfence.org/support/faq/captive-portal-load-balancing-with-f5.html 



Thanks
BR

Regards,

*Domingos Varela*
Tel. +244 923 229 330 | Luanda - Angola






Re: [PacketFence-users] HP switches and Avaya Phones

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Mike,

You need to enable LLDP on the switch and probably enable LLDP-MED on 
the phone too.


Last thing, enable VoIP in the switch configuration (PF side).

Regards

Fabrice


On 19-07-09 at 03:57, Mike McGeer via PacketFence-users wrote:

Hi all.

We have PacketFence 9.0.1 implemented with VLAN MAC address enforcement 
only, no RADIUS.
The VLAN is switchable when a device is connected directly to the 
switch; the problem is that when a VoIP phone is connected between the 
device and the switch, it is not able to detect the device.

Can anyone give some guidance as to how to overcome this?
PS: my switch knowledge is almost zero.

Thanks


Michael JA McGeer
Operation and Systems Manager
Afrisam (South Africa)(Pty) Ltd
Phone 011 670 5734
Fax 011 670 5234
Cell 0837019991









Re: [PacketFence-users] Manage AD password expiration

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Enrico,

Under Mac OS X you can have a 'system' wireless profile, which is a kind 
of machine authentication.


https://gist.github.com/bruienne/fa2360146d8cb046ffde

Regards

Fabrice


On 19-07-09 at 13:08, Enrico Pasqualotto via PacketFence-users wrote:


Hello, I'm searching for a solution to manage the password expiration of 
Mac OS X users that connect with an Active Directory account on WPA2 
Enterprise Wi-Fi.


For Windows users I've created a new ROLE/VLAN that matches machine-auth, 
so on the login screen the device is in a VLAN that talks only with the domain 
server.


How can I simulate that for Apple users?

I'm thinking about:

  * recognize the expired password using RADIUS and assign a special
ROLE/VLAN for it. Possible?
  * make a rule that checks if the device is/was in the registered state (so I
know that the device was previously connected) and, if the credentials fail,
put it in the custom VLAN where it can contact the domain server

NOTE: I'm trying with the advanced filter on the profile but cannot find any 
docs with the syntax or supported fields.


Anyone have managed this situation?

Thanks

Enrico

--
Enrico Pasqualotto









Re: [PacketFence-users] 802.1x Max nodes per user...

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello,

It's probably because in your authentication source no rules match and 
it doesn't return any role and access duration.


Use bin/pftest to be sure that your username matches a rule.

Regards

Fabrice


On 19-07-08 at 23:58, esouzabh--- via PacketFence-users wrote:

I'm facing the same problem. How can I ensure that some user can log in just one 
time daily?

Regards,
Emannuel Souza


On 8 Jul 2019, at 06:42, John Sayce via PacketFence-users wrote:


Hi,

Does the max nodes per user limitation apply for devices that authenticate with 
802.1x.  I use mac authentication in our guest network and users are limited to 
the number of nodes specified, however staff using the 802.1x authentication 
appear to be able to register as many devices as they wish?  Is this by design 
or is some additional configuration required?  I'm currently using version 
6.5.1.

Thanks
John Sayce






Re: [PacketFence-users] Fingerbank Node Info Refresh

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Shirley,

What you can try is to configure a security event with a trigger based 
on Fingerbank; it's supposed to do the lookup for each device.


Regards

Fabrice


On 19-07-09 at 06:24, Shirley, Benjamin via PacketFence-users wrote:


Hi,

It's not clear to us when PacketFence should trigger a Fingerbank 
lookup for a device. It does generally work, but only if we trigger a 
manual "Refresh Fingerbank" in the web GUI. In order to detect MAC 
address spoofing it's required to happen automatically, and ideally 
every time a device connects.


I appreciate any help and input 

Benjamin







Re: [PacketFence-users] port-security and snmptrap not working

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello,

If the snmptrapd and the pfqueue snmp processes are running then it can 
be the community that is wrong.


Also I have already seen this kind of issue because of /etc/hosts.deny.

Last thing, you can use strace to see why the SNMP trap is not received.

Regards

Fabrice


On 19-07-11 at 09:15, Martijn Langendoen via PacketFence-users wrote:


Hello again,

I have made a connection profile:

[Portsecurity-snmp]

locale=

always_use_redirecturl=disabled

filter=connection_type:SNMP-Traps

autoregister=enabled

sources=local

With tcpdump I see the traps but nothing comes in snmptrap.log.

What am I missing?

*From:*Eran Benno 
*Sent:* Tuesday 25 June 2019 16:36
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Martijn Langendoen 
*Subject:* port-security and snmptrap not working

Hi Martijn,

You should create a "Connection Profile" that uses SNMP in "Policies 
and Access Control".


Go down that form to the "Filters" section and add a Filter 
"Connection Type" -> SNMP-Traps.


It means you need to define what the PF does with SNMP then after.

If you can give some more information about the "Authentication 
Sources", I might be able to advise some more.


Other than that your switch configuration looks correct.

Brgds,

Eran.

*From:*Martijn Langendoen via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]

*Sent:* Tuesday, June 25, 2019 11:19 AM
*To:* 
packetfence-users@lists.sourceforge.net
*Cc:* Martijn Langendoen

*Subject:* [PacketFence-users] port-security and snmptrap not working

Hi all,

I have a problem with PacketFence 8.3.0 ZEN.

I want to use port security on a Cisco switch but it will not work.

PF receives the SNMP traps from the switch (I see them with tcpdump):

tcpdump -i eth0 port 162:

09:30:07.741905 IP 10.10.0.150.57025 > 145.116.199.36.snmptrap: 
C="private" V2Trap(142) system.sysUpTime.0=311055713 
S:1.1.4.1.0=E:cisco.9.315.0.0.1 
interfaces.ifTable.ifEntry.ifIndex.10109=10109 
31.1.1.1.1.10109="GigabitEthernet0/9" 
E:cisco.9.315.1.2.1.1.10.10109=00_1f_d8_03_d5_59


09:30:10.379234 IP 10.10.0.150.57025 > 145.116.199.36.snmptrap: 
C="private" V2Trap(142) system.sysUpTime.0=311055976 
S:1.1.4.1.0=E:cisco.9.315.0.0.1 
interfaces.ifTable.ifEntry.ifIndex.10109=10109 
31.1.1.1.1.10109="GigabitEthernet0/9" 
E:cisco.9.315.1.2.1.1.10.10109=00_1f_d8_03_d5_59


09:30:12.146661 IP 10.10.0.150.57025 > 145.116.199.36.snmptrap: 
C="private" V2Trap(142) system.sysUpTime.0=311056152 
S:1.1.4.1.0=E:cisco.9.315.0.0.1 
interfaces.ifTable.ifEntry.ifIndex.10109=10109 
31.1.1.1.1.10109="GigabitEthernet0/9" 
E:cisco.9.315.1.2.1.1.10.10109=00_1f_d8_03_d5_59


The snmptrapd on the PF does nothing; I mean the log file 
/usr/local/pf/logs/snmptrapd.log stays empty.


My switches.conf:

[10.10.0.150]

description=Cisco 2960G

group=Cisco2960

SNMPCommunityRead=private

deauthMethod=SNMP

[group Cisco2960]

guestVlan=40

cliUser=admin

defaultVlan=815

VoIPCDPDetect=N

VoIPDHCPDetect=N

deauthMethod=RADIUS

description=Cisco 2960

type=Cisco::Catalyst_2960G

VoIPLLDPDetect=N

macDetectionVlan=815

cliPwd=*

cliAccess=Y

isolationVlan=815

cliTransport=SSH

radiusSecret=*

ICTVlan=110

cliEnablePwd=*

registrationVlan=816

ZeroClientVlan=22

Tech-instVlan=45

ZBM-PersoneelVlan=101

ZVL-InternetVlan=222

NarrowcastVlan=11

ErfgoedZeelandVlan=170

OSR-InternetVlan=202

SWMVlan=2

ZMfVlan=43

ZVL-PersoneelVlan=221

RFIDVlan=14

OSR-PersoneelVlan=201

Diversen-vlan21Vlan=21

VDI-PubliekVlan=51

VDI-InternetVlan=50

SNMPCommunityRead=private

SNMPVersionTrap=2c

SNMPCommunityTrap=private

SNMPVersion=2c

My Cisco 2960G switch config:

!

interface GigabitEthernet0/9

switchport access vlan 815

switchport mode access

switchport port-security maximum 1 vlan access

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address 0200.0001.0109

switchport port-security

no logging event link-status

!

!

snmp-server community public

snmp-server community private

snmp-server location Test

snmp-server contact 

snmp-server enable traps port-security

snmp-server enable traps port-security trap-rate 1

snmp-server host 145.116.199.36 version 2c private port-security

snmp ifmib ifindex persist

!

NOTE: this is the same IP as in the mail.

On the PF, snmptrapd is running:

/usr/sbin/snmptrapd -f -n -c /usr/local/pf/var/conf/snmptrapd.conf -C 
-A -Lf /usr/local/pf/logs/snmptrapd.log -p 
/usr/local/pf/var/run/snmptrapd.pid -On


Snmptrapd.conf:

# This file is generated from a template at 
/usr/local/pf/conf/snmptrapd.conf


# Any changes made to this file will be lost on restart

snmpTrapdAddr 145.116.199.36:162

authCommunity execute,log private

authCommunity execute,log public

perl do "/usr/local/pf/lib/pf/snmptrapd.pm";

format1 %V|%#04.4y-%#02.2m-%02.2l|%#02.2h:%#02.2j:%#02.2k|%b|%a|BEGIN 
TYPE %w END TYPE BEGIN SUBTYPE %q END 
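For the situation in this thread (traps visible in tcpdump, nothing in snmptrapd.log, and Fabrice's hint that the community may be wrong), here is an added Python check that cross-references captured traps against snmptrapd.conf and switches.conf. It is example code, not part of PacketFence; the tcpdump lines, snmptrapd.conf and switches.conf embedded in it are constructed to mirror the ones posted above (one line per trap rather than wrapped as in the mail).

```python
"""Cross-check captured SNMP traps against snmptrapd.conf and switches.conf.

Added example, not PacketFence code. For each trap tcpdump saw on port 162 it
reports why snmptrapd or PacketFence would ignore it: wrong destination, a
community with no authCommunity line, an unknown sender, or a community that
differs from the SNMPCommunityTrap configured for that switch.
"""
import configparser
import re

SNMPTRAP_PORT = 162

# One trap per line as `tcpdump -i eth0 port 162` prints it, e.g.
#   09:30:07.741905 IP 10.10.0.150.57025 > 145.116.199.36.snmptrap: C="private" V2Trap(142) ...
TRAP_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\w+): "
    r'C="(?P<community>[^"]*)"'
)


def parse_tcpdump(text):
    """Return (src_ip, dst_ip, dst_port, community) for each trap line."""
    traps = []
    for line in text.splitlines():
        m = TRAP_RE.search(line)
        if m:
            port = SNMPTRAP_PORT if m["dport"] == "snmptrap" else int(m["dport"])
            traps.append((m["src"], m["dst"], port, m["community"]))
    return traps


def parse_snmptrapd_conf(text):
    """Return (listen_host, listen_port, accepted_communities) from snmptrapd.conf."""
    host, port, communities = None, SNMPTRAP_PORT, set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if not parts:
            continue
        if parts[0] == "snmpTrapdAddr" and len(parts) > 1:
            host, _, p = parts[1].partition(":")
            port = int(p) if p else SNMPTRAP_PORT
        elif parts[0] == "authCommunity" and len(parts) > 2:
            communities.add(parts[2])  # authCommunity TYPES COMMUNITY [SOURCE ...]
    return host, port, communities


def expected_trap_community(switches_conf, switch_ip):
    """SNMPCommunityTrap for a switch: its own section, else its group, else None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep PacketFence's CamelCase option names
    cp.read_string(switches_conf)
    if not cp.has_section(switch_ip):
        return None
    section = cp[switch_ip]
    if "SNMPCommunityTrap" in section:
        return section["SNMPCommunityTrap"]
    group = "group " + section.get("group", "")
    return cp[group].get("SNMPCommunityTrap") if cp.has_section(group) else None


def check_traps(tcpdump_text, snmptrapd_conf, switches_conf):
    """One dict per captured trap; an empty 'problems' list means it should be processed."""
    listen_host, listen_port, accepted = parse_snmptrapd_conf(snmptrapd_conf)
    report = []
    for src, dst, port, community in parse_tcpdump(tcpdump_text):
        problems = []
        if (dst, port) != (listen_host, listen_port):
            problems.append(f"sent to {dst}:{port} but snmptrapd listens on {listen_host}:{listen_port}")
        if community not in accepted:
            problems.append(f"community {community!r} has no authCommunity line")
        expected = expected_trap_community(switches_conf, src)
        if expected is None:
            problems.append(f"no switches.conf entry with SNMPCommunityTrap for {src}")
        elif expected != community:
            problems.append(f"community {community!r} differs from SNMPCommunityTrap {expected!r}")
        report.append({"src": src, "community": community, "problems": problems})
    return report


# Constructed sample input modelled on the thread: trap 1 is the good case, trap 2
# uses a community snmptrapd accepts but PF does not expect for that switch, and
# trap 3 comes from an unknown switch and is addressed to the wrong host.
TCPDUMP_LINES = """\
09:30:07.741905 IP 10.10.0.150.57025 > 145.116.199.36.snmptrap: C="private" V2Trap(142) system.sysUpTime.0=311055713
09:30:10.379234 IP 10.10.0.150.57025 > 145.116.199.36.snmptrap: C="public" V2Trap(142) system.sysUpTime.0=311055976
09:30:12.146661 IP 10.10.0.151.40001 > 10.10.0.1.snmptrap: C="secret" V2Trap(142) system.sysUpTime.0=311056152
"""
SNMPTRAPD_CONF = """\
# This file is generated from a template at /usr/local/pf/conf/snmptrapd.conf
snmpTrapdAddr 145.116.199.36:162
authCommunity execute,log private
authCommunity execute,log public
perl do "/usr/local/pf/lib/pf/snmptrapd.pm";
"""
SWITCHES_CONF = """\
[10.10.0.150]
description=Cisco 2960G
group=Cisco2960
SNMPCommunityRead=private

[group Cisco2960]
SNMPVersionTrap=2c
SNMPCommunityTrap=private
SNMPVersion=2c
"""

if __name__ == "__main__":
    for entry in check_traps(TCPDUMP_LINES, SNMPTRAPD_CONF, SWITCHES_CONF):
        status = "OK" if not entry["problems"] else "; ".join(entry["problems"])
        print(f'{entry["src"]} C="{entry["community"]}": {status}')
```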

Re: [PacketFence-users] WMI problem, pf9.0.1 not trigger any security events

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Cheung,

Can you share your wmi.conf file? (remove sensitive information)

Regards

Fabrice


On 19-07-10 at 22:06, Cheung Paul via PacketFence-users wrote:


Problem 1: PacketFence does not show the WMI tab in the node WMI rules; it is a 
Windows OS device



Violations do not trigger? Why?


[306]

priority=1

trigger=internal::789123

actions=email_admin,reevaluate_access,log

window=

desc=teamviewer installed

enabled=Y

access_duration=12h

max_enable=30

[307]

priority=1

trigger=internal::789124

actions=email_admin,reevaluate_access,log

window=0s

desc=IPG not running

access_duration=12h

delay_by=

grace=

enabled=Y

[308]

priority=1

trigger=internal::789125

actions=email_admin,reevaluate_access,log

window=

desc=AntiVirus Not install

enabled=Y

access_duration=12h

delay_by=

grace=120s


Problem 2: PacketFence 9.0.1 can show the WMI tab in the WMI rule (old admin; 
the new UI does not show it), but does not trigger any security events?



How do I trigger security events automatically?


[306]

priority=9

actions=email_admin,reevaluate_access,log

window=

max_enable=0

desc=Team viewer

enabled=Y

access_duration=12h

grace=1s

button_text=Enable Network again

trigger=internal::789123

[307]

priority=9

trigger=internal::789124

actions=email_admin,reevaluate_access,log

window=

max_enable=0

desc=IPG

enabled=Y

access_duration=12h

grace=1s

button_text=Enable Network again

[308]

priority=9

trigger=internal::789125

actions=email_admin,reevaluate_access,log

window=

max_enable=0

desc=Antivirus Not Run

enabled=Y

access_duration=12h

grace=1s

button_text=Enable Network again







Re: [PacketFence-users] Orthographic Error - Web Portal

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Rodrigues,

Can you check in the DB to see if the encoding is correct? (table 
pf.person)


Regards

Fabrice


On 19-07-11 at 08:03, Felipe Rodrigues via PacketFence-users wrote:

Any idea?

Sent from my iPhone

On 8 Jul 2019, at 14:52, Felipe Rodrigues wrote:



Hey guys, how are you doing?

I have a character recognition problem in the portal when the user 
authenticates using sponsor:




In this case, the correct name was João Conceição, but PacketFence 
did not identify some characters. I changed the 
portal language to Portuguese.


Is there any way I can sort this manually?







Re: [PacketFence-users] Errors with radius from packetfence-multi-domain.pm on 9.0.1

2019-07-12 Thread Fabrice Durand via PacketFence-users

Hello Davis,

Can you post your realm.conf, and can you try pfcmd configreload hard?

Regards

Fabrice


On 19-07-08 at 04:39, David Ford via PacketFence-users wrote:


Hello,

We’ve recently upgraded our packetfence setup from 8.0 on Debian 
Jessie to 9.0.1 on Debian Stretch, and have applied the changes in the 
UPGRADE guide I believe.


Many parts of the upgraded setup are working well – the captive portal 
and SNMPtrap based detection on the wired side is working perfectly, 
however we are hitting problems with authenticating radius requests 
(to our AD infrastructure), raddebug is showing the following error, 
which I assume to be the cause, but I can’t immediately see what I’ve 
missed in the upgrade process that would be causing this.


(744) Sat Jul  6 23:04:25 2019: Debug: packetfence-multi-domain: 
perl_embed:: module = 
/usr/local/pf/raddb/mods-config/perl/packetfence-multi-domain.pm , 
func = authorize exit status= hash- or arrayref expected (not a simple 
scalar, use allow_nonref to allow this) at 
/usr/local/pf/lib/pfconfig/cached.pm line 182.


Does anyone have any ideas or suggestions, I’ve checked and winbindd 
seems to be both running and joined to the domain correctly.


Thanks

David

--

David Ford

Head of IT and Computational Science Support Team Leader,

School of Geography and the Environment

Telephone: 01865 285089

For IT Support, please email itsupp...@ouce.ox.ac.uk 
or phone the IT helpdesk: 01865 285088








Re: [PacketFence-users] [PF 9.0.1] Clustering Active/Active Issue

2019-07-03 Thread Fabrice Durand via PacketFence-users

Hello,

Try that:

systemctl set-default packetfence-cluster

and check your cluster.conf file for errors.

Regards

Fabrice


On 19-07-03 at 06:07, pro fence via PacketFence-users wrote:

Hi,

I am configuring an active/active cluster of 3 MariaDB servers.
The problem is that I can't start the 
"packetfence-radiusd-load_balancer" service; it fails with the following error:


" Unable to open file "/usr/local/pf/raddb/load_balancer.conf": No 
such file or directory

Errors reading or parsing /usr/local/pf/raddb/load_balancer.conf"

Why is this file not present? Instead I have a 
"radiusd_loadbalancer.conf" file. Is this normal behaviour?


Another thing: whenever I enable the "packetfence-keepalived" service, 
it is automatically disabled by PacketFence on restart.


Any help is welcome,
Thanks







Re: [PacketFence-users] Network detection issue

2019-04-25 Thread Fabrice Durand via PacketFence-users

Hello Leandro,

Can you report the bug on GitHub and we will take care of it?

https://github.com/inverse-inc/packetfence/issues/new

Thanks

Fabrice


On 19-04-24 at 15:05, Leandro Ude via PacketFence-users wrote:


I think I fixed it, and it's a bug

/usr/local/pf/html/captive-portal/content/timerbar.js

Line 6:

var time = window.waitTime || 25;

window.waitTime is undefined, so it always sets time to 25

I tried changing 25 to 40 (Ludovic's recommended value)

and now it works: the red message doesn't show and it redirects perfectly 
to packetfence.org









On Wed., 24 Apr. 2019 at 14:27, Leandro Ude (leandro...@gmail.com) wrote:


I made a video capture showing the problem if it helps,

https://streamable.com/s/wobv7/gheadf


On Tue., 23 Apr. 2019 at 16:12, Leandro Ude (leandro...@gmail.com) wrote:


>Which PacketFence version are you running?
Hi, it's version 8.3.0

>Did you change the pf.js?
I haven't changed anything in pf.js

>Did you apply the maintenance on restart all services ?
You mean "restart all services"? Yes, I even tried rebooting.
This is an isolated demo install, but the problem happens in
production too.

I had the same problem with the previous version.

>Can you fetch the
>http://192.95.20.194/common/network-access-detection.gif once
>registered ?
Yes, once registered I can access it without problem:
https://i.imgur.com/zaAjnlf.png

>Do you have any error in your javascript console on your web
>browser?
No javascript errors, just the ones shown here:
https://i.imgur.com/6Wn4Pay.png


I think it's a timing issue; I think the progress bar is
still 20 seconds (I timed it at around 20-25 seconds), even
though I changed it to 50; it seems to have no effect.







On Tue., 23 Apr. 2019 at 15:54, Ludovic Zammit (lzam...@inverse.ca) wrote:

Which Packetfence version are you running ?

Did you change the pf.js?

Did you apply the maintenance on restart all services ?

Can you fetch the
http://192.95.20.194/common/network-access-detection.gif once
registered ?

Do you have any error in your javascript console on your
web browser?

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)






On Apr 23, 2019, at 2:36 PM, Leandro Ude (leandro...@gmail.com) wrote:

Hi, thanks for the answer. I can see the call: many
failed attempts and finally one successful. The failed ones
are because of the change of VLANs and the time it takes for the
DHCP to assign an IP; the IP address is correctly assigned
almost at the end of the progress bar, and I can see the
200 OK request, but the message still shows "Unable to
detect network connectivity" in red, and
immediately after that it shows the welcome web page

https://i.imgur.com/6Wn4Pay.png


Just a reminder  when I change redirection delay value ,
the progress bar takes always the same time.


Thank you




On Tue., 23 Apr. 2019 at 15:08, Ludovic Zammit (lzam...@inverse.ca) wrote:

Hello Leandro,

Put your Chrome web browser into developer mode with
the console open at the beginning of your
registration process.

You should be able to see the call:




If you don’t see it, maybe you have an issue with
your html/common/pf.js

Thanks,







On Apr 23, 2019, at 12:20 PM, Leandro Ude (leandro...@gmail.com) wrote:

Does anyone have an idea , on what could be the
problem ?

Thanks

On Tue., 16 Apr. 2019 at 10:42, Leandro Ude (leandro...@gmail.com) wrote:

Hi 

Re: [PacketFence-users] Dashboard charts

2019-04-25 Thread Fabrice Durand via PacketFence-users

Hello Barry,

You have the choice to disable the epel repo.

Regards

Fabrice


On 19-04-24 at 19:31, Barry Quiel via PacketFence-users wrote:
Unfortunately I don't have much of a choice.  Because of our patch 
policy I disable the PF repo.  The manual steps generally required in 
a PF update don't allow for automated patching.  With the PF repo 
disabled this exposes the netdata rpm that lives in the epel repo.  
The automated patch process forces an update of the netdata rpm.


On 4/17/2019 12:12 AM, Nicolas Quiniou-Briand via PacketFence-users 
wrote:

Hello Barry,

PacketFence is shipped with its own netdata package:
```
# yum info netdata
[..]
Installed Packages
Name    : netdata
Arch    : x86_64
Version : 1.10.0
From repo   : packetfence
```

If you use the latest netdata packages, you will certainly have issues.



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




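Barry's problem is that an automated patch run upgrades netdata from EPEL and replaces the copy shipped in the packetfence repo, and disabling the PF repo (for patch-policy reasons) does not help. The usual fix when you cannot keep EPEL disabled is a repo-level `exclude=` in the EPEL stanza. As an added example that is not PacketFence's or Inverse's code, the Python below adds such an exclude to a yum repo file idempotently, without rewriting the rest of the file. The sample repo file is constructed here; the stanza name `[epel]` and the path `/etc/yum.repos.d/epel.repo` are assumptions.

```python
"""Added example (not PacketFence code): add a repo-level exclude so EPEL's
netdata cannot replace the package shipped in the packetfence repo.

Assumptions (mine, not from the thread): yum repo files in INI style under
/etc/yum.repos.d, with the EPEL stanza named [epel]. SAMPLE_REPO below is a
constructed file used for the demo; nothing here touches the real system
unless you call write_exclude() on a real path.
"""
import re
import sys

# Constructed sample; real EPEL files carry more keys, which are left alone.
SAMPLE_REPO = """[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
enabled=1
gpgcheck=1

[epel-debuginfo]
name=EPEL debuginfo
enabled=0
"""

_STANZA = re.compile(r"^\[([^\]]+)\]\s*$")
_EXCLUDE = "exclude="


def repo_excludes(text, stanza):
    """Package globs on the exclude= line of `stanza`, or [] if it has none."""
    current = None
    for line in text.splitlines():
        m = _STANZA.match(line)
        if m:
            current = m.group(1)
        elif current == stanza and line.startswith(_EXCLUDE):
            return line[len(_EXCLUDE):].split()
    return []


def _has_exclude_line(text, stanza):
    current = None
    for line in text.splitlines():
        m = _STANZA.match(line)
        if m:
            current = m.group(1)
        elif current == stanza and line.startswith(_EXCLUDE):
            return True
    return False


def add_repo_exclude(text, stanza, pkg):
    """Return `text` with `pkg` added to the exclude= line of `stanza`.

    Idempotent: a glob already listed is not duplicated. If the stanza has
    no exclude= line, one is inserted right after its header so comments,
    key order and the other stanzas stay byte-for-byte intact. Raises
    ValueError if the stanza does not exist, because silently doing nothing
    would leave the host unprotected.
    """
    has_exclude = _has_exclude_line(text, stanza)
    out, current, seen = [], None, False
    for line in text.splitlines():
        m = _STANZA.match(line)
        if m:
            current = m.group(1)
            out.append(line)
            if current == stanza:
                seen = True
                if not has_exclude:
                    out.append(_EXCLUDE + pkg)
            continue
        if current == stanza and line.startswith(_EXCLUDE):
            globs = line[len(_EXCLUDE):].split()
            if pkg not in globs:
                globs.append(pkg)
            line = _EXCLUDE + " ".join(globs)
        out.append(line)
    if not seen:
        raise ValueError("stanza [%s] not found" % stanza)
    return "\n".join(out) + "\n"


def write_exclude(path, stanza, pkg):
    """Apply add_repo_exclude() to a file on disk, e.g. /etc/yum.repos.d/epel.repo."""
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(add_repo_exclude(text, stanza, pkg))


if __name__ == "__main__":
    # Demo on the constructed sample; pass a real path to write_exclude() instead.
    sys.stdout.write(add_repo_exclude(SAMPLE_REPO, "epel", "netdata*"))
```

After applying it to the real file, `yum check-update netdata` should no longer offer the EPEL build, and `yum info netdata` should keep reporting the packetfence repo as the source. `yum versionlock` is the alternative when you would rather pin the installed version than hide the EPEL one.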

Re: [PacketFence-users] New user here - A few questions

2019-04-24 Thread Fabrice Durand via PacketFence-users

Hello Jason,

On 2019-04-15 at 23:28, Jason Salmans via PacketFence-users wrote:


Hi all,

I’ve got a Packetfence server set up to evaluate and I’ve got a few 
questions.  First, a bit about my environment… I’m working with Cisco 
WLC with mostly 2700 series APs with a few 702w or 1810w hospitality 
APs.  For switches, we’ve got mostly Cisco 2960-X stacks with some 
older Dell 6200 series switches mixed in.  Currently we’re doing 
mostly MAB enforcement with a captive portal for user-ID capture on 
our existing NAC.  Our NAC is currently deployed primarily in 
on-campus housing and our wireless.  We’ve also got Infoblox DHCP/DNS 
servers for these areas as well as a Palo Alto firewall with Panorama.


What I’d like to accomplish with Packetfence:

  * 802.1x with MAB fallback for devices that don’t support it

We support.

  * Device onboarding to assist with 802.1x config, especially for OS
that don’t really support it by default (I’m looking at you Windows)

We support.

  * User-ID captured for every device.. obviously the supplicant will
do this with 802.1x but I’d also like to do a captive portal for
MAB devices

We support.

  * A “My Devices” portal so users can log in and see a list of their
devices and the registration status.  It would also be great if
users could pre-register devices this way with a MAC before
connecting them to the network (would be required for anything
that doesn’t have a supplicant or web browser)

We support.

  * IPv6 (possibly)

IPv4 for the reg/isolation network and IPv6 for the production network.

  * Not require a permanent install on BYOD devices if at all possible

You can have a portal with AD authentication for that.

So for my questions:

 1. Is the above all possible on Packetfence?

Yes.

 2. What would be the recommended network setup for this?  For my
initial trial, I only set up two NICs.. one for management and one
for Registration.  Also, is it recommended to bring the
registration network, or any network, back to the server? I’m a
little leery of doing Layer 2 all of the way, especially
considering the number of networks I have to work with.

2 NICs is ok, and you can have layer 3 registration networks if you want.

 3. What is the recommended wireless setup?  I know I’ve seen some
people recommend an onboarding network that then pushes configs to
connect to the real networks (which can be hidden).

You can have an open SSID for the guest and for onboarding and a secure
SSID for corporate/BYOD devices.

 4. I’ve read about Infoblox integration but I can’t seem to find much
documentation on how to accomplish it other than that it may
involve the DHCP Syslog Parser… is there documentation or a
tutorial on how to set it up and what does it improve? (I’ve
noticed my Windows SurfaceBook gets identified as an Xbox device
with Fingerbank Integration …. I’d like to improve on this and get
a more accurate ID).

As I remember, the Infoblox syslog is like the ISC DHCP format, so you
just need to send the syslog to PacketFence, configure rsyslog to send
the content into a FIFO and create a syslog parser in PacketFence (DHCP),
and you should be good.

Regards

Fabrice

Thanks in advance… really excited to try this out,

Jason Salmans




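Fabrice's recipe above (forward the Infoblox syslog to PacketFence, have rsyslog write it into a FIFO, and point a DHCP syslog parser at it) relies on the lines being in ISC dhcpd format. As an added example, and not PacketFence's own parser, the Python below is a strict parser for that format: it extracts MAC, IP and hostname, normalises the MAC, rejects malformed values, and only treats a DHCPACK as a binding, since an OFFER is not a lease and the address in a REQUEST is asserted by the client. Every sample line is constructed, and the syslog host name `ib-dhcp` and the exact message shapes are assumptions based on ISC dhcpd's log format. Two practitioner caveats apply regardless of parser: UDP syslog is unauthenticated, so rsyslog should accept these lines only from the DHCP server's address, and the hostname is DHCP option 12 supplied by the client, so it must never reach a shell or a query unescaped.

```python
"""Added example (not PacketFence's DHCP syslog parser): a strict parser for
ISC-dhcpd-style syslog lines, the format the thread says Infoblox forwards,
extracting the MAC/IP/hostname a NAC would record per node.

Assumptions (mine): message shapes follow ISC dhcpd (DHCPDISCOVER/OFFER/
REQUEST/ACK); the syslog host 'ib-dhcp' and every line in SAMPLE_LINES are
constructed for the demo.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample feed: one normal lease, one invalid MAC (as in the
# 11:3j:... line quoted later in this archive), one invalid IP, one
# hyphenated upper-case MAC relayed via a router, and one non-dhcpd line.
SAMPLE_LINES = [
    "Apr 15 23:28:01 ib-dhcp dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth1",
    "Apr 15 23:28:01 ib-dhcp dhcpd[1234]: DHCPOFFER on 10.1.2.50 to 00:11:22:33:44:55 (surfacebook) via eth1",
    "Apr 15 23:28:02 ib-dhcp dhcpd[1234]: DHCPREQUEST for 10.1.2.50 (10.1.2.1) from 00:11:22:33:44:55 (surfacebook) via eth1",
    "Apr 15 23:28:02 ib-dhcp dhcpd[1234]: DHCPACK on 10.1.2.50 to 00:11:22:33:44:55 (surfacebook) via eth1",
    "Apr 15 23:28:05 ib-dhcp dhcpd[1234]: DHCPACK on 10.1.2.77 to 11:3j:81:cc:cd:27 (bogus) via eth1",
    "Apr 15 23:28:06 ib-dhcp dhcpd[1234]: DHCPACK on 10.1.2.300 to AA-BB-CC-DD-EE-FF via eth1",
    "Apr 15 23:28:07 ib-dhcp dhcpd[1234]: DHCPACK on 10.1.2.60 to AA-BB-CC-DD-EE-FF (printer) via 10.1.2.1",
    "Apr 15 23:28:08 ib-dhcp sshd[99]: Accepted publickey for admin from 10.0.0.9",
]

_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<syslog_host>\S+) dhcpd\[\d+\]: "
_NAME = r"(?: \((?P<name>[^)]*)\))?"          # optional client-supplied hostname
_VIA = r" via (?P<via>\S+)$"
_PATTERNS = [
    re.compile(_PREFIX + r"(?P<type>DHCPACK|DHCPOFFER) on (?P<ip>\S+) to (?P<mac>\S+)" + _NAME + _VIA),
    re.compile(_PREFIX + r"(?P<type>DHCPREQUEST) for (?P<ip>\S+)(?: \([^)]*\))? from (?P<mac>\S+)" + _NAME + _VIA),
    re.compile(_PREFIX + r"(?P<type>DHCPDISCOVER) from (?P<mac>\S+)" + _NAME + _VIA),
]
_MAC = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
                  r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$")


def normalize_mac(raw: str) -> Optional[str]:
    """Lower-case colon form, or None if the value is not a 48-bit MAC."""
    m = _MAC.match(raw.lower())
    return ":".join(m.groups()) if m else None


def parse_dhcp_syslog(line: str) -> Optional[dict]:
    """Parse one syslog line; None for non-dhcpd lines or malformed fields."""
    for pat in _PATTERNS:
        m = pat.match(line.rstrip("\r\n"))
        if m:
            break
    else:
        return None
    g = m.groupdict()
    mac = normalize_mac(g["mac"])
    if mac is None:
        return None
    ip = None
    if g.get("ip") is not None:
        try:
            ip = str(ipaddress.IPv4Address(g["ip"]))
        except ipaddress.AddressValueError:
            return None
    name = g.get("name")
    if name is not None:
        # Option 12 is attacker-controlled: keep it printable and bounded.
        name = "".join(ch for ch in name if ch.isprintable())[:63]
    return {"type": g["type"], "mac": mac, "ip": ip, "hostname": name,
            "via": g["via"], "timestamp": g["ts"]}


def ack_bindings(lines: List[str]) -> Dict[str, str]:
    """MAC -> IP from DHCPACK lines only; OFFER/REQUEST never update state."""
    bindings: Dict[str, str] = {}
    for line in lines:
        rec = parse_dhcp_syslog(line)
        if rec and rec["type"] == "DHCPACK":
            bindings[rec["mac"]] = rec["ip"]
    return bindings


if __name__ == "__main__":
    for mac, ip in sorted(ack_bindings(SAMPLE_LINES).items()):
        print(mac, ip)
```

Reading from the FIFO rsyslog writes to is a matter of opening it like a file and feeding each line to `parse_dhcp_syslog()`; the point of the strictness is that a single forged or mangled line cannot poison the node table with an impossible MAC or address.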

Re: [PacketFence-users] JSON error Go Struct - Inline mode

2019-04-26 Thread Fabrice Durand via PacketFence-users

Hello Thomas,

can you try that:

diff --git a/lib/pf/ipset.pm b/lib/pf/ipset.pm
index 63273f6c45..fcdb41872a 100644
--- a/lib/pf/ipset.pm
+++ b/lib/pf/ipset.pm
@@ -410,13 +410,13 @@ sub update_node {
  if ($ConfigNetworks{$network}{'type'} =~ 
/^$NET_TYPE_INLINE_L3$/i) {

 call_ipsetd("/ipset/mark_ip_layer3?local=0",{
 "network" => $network,
-    "role_id" => $id,
+    "role_id" => "".$id,
 "ip"  => $srcip
 });
 } else {
 call_ipsetd("/ipset/mark_ip_layer2?local=0",{
 "network" => $network,
-    "role_id" => $id,
+    "role_id" => "".$id,
 "ip"  => $srcip
 });
 }
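Review bot: stringifying with `"".$id` at both call sites treats the symptom rather than the cause. The reason it works is that Perl's JSON encoder emits a scalar last used as a number as a bare JSON number, which the Go struct behind ipsetd evidently rejects for `role_id`; the same mismatch will reappear at the next caller that passes a numeric id. Coerce once inside `call_ipsetd` (or wherever the request body is encoded) instead of at each `mark_ip_layer2` / `mark_ip_layer3` call, and add a one-line comment saying why the concatenation is there, otherwise it reads as a no-op and will be cleaned away. Also note that an undefined `$id` now becomes an empty string under a "Use of uninitialized value" warning rather than a visible failure; a guard before the call would make that case explicit.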


Regards

Fabrice


On 2019-04-25 at 13:16, Thomas OLIVIER via PacketFence-users wrote:

Hi All,

There is an issue on my fresh install of PF with Debian 9.

With inline mode all is fine until I want to log in; after validating the
login form I get a lot of errors in the log and ipset is not updated.



Is it a bug ?



Thomas.



Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] Instantiate profile 
TEMPLATE (pf::Connection::ProfileFactory::_from_profile)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] No provisioner found 
for 00:90:4b:6a:5c:39. Continuing. 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] User cj-1023 has 
authenticated on the portal. (Class::MOP::Class:::after)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] security_event 
133 force-closed for 00:90:4b:6a:5c:39 
(pf::security_event::security_event_force_close)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) INFO: [mac:00:90:4b:6a:5c:39] Instantiate profile 
TEMPLATE (pf::Connection::ProfileFactory::_from_profile)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71675) WARN: [mac:00:90:4b:6a:5c:39] Use of uninitialized 
value in concatenation (.) or string at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm 
line 89.

 (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Apr 25 18:56:13 portailcaptif-wifi packetfence: DEBUG 
pfperl-api(70906): GET "/api/v1/queues/stats" (Mojolicious::dispatch)
Apr 25 18:56:13 portailcaptif-wifi packetfence: DEBUG 
pfperl-api(70906): Routing to controller 
"pf::UnifiedApi::Controller::Queues" and action "stats" 
(Mojolicious::Routes::_controller)
Apr 25 18:56:13 portailcaptif-wifi packetfence: DEBUG 
pfperl-api(70906): cache get for namespace='Default', 
key='HASH(0x55acc3e56d20)', cache='RawMemory', time='0ms': HIT 
(CHI::Driver::_log_get_result)
Apr 25 18:56:13 portailcaptif-wifi packetfence: DEBUG 
pfperl-api(70906): 200 OK (0.001991s, 502.260/s) 
(Mojolicious::Controller::rendered)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71673) WARN: [mac:unknown] locale from the URL  is not 
supported (pf::Portal::Session::getLanguages)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71673) WARN: [mac:00:90:4b:6a:5c:39] locale from the URL  
is not supported (pf::Portal::Session::getLanguages)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71673) INFO: [mac:00:90:4b:6a:5c:39] Instantiate profile 
TEMPLATE (pf::Connection::ProfileFactory::_from_profile)
Apr 25 18:56:13 portailcaptif-wifi packetfence_httpd.portal: 
httpd.portal(71673) WARN: [mac:00:90:4b:6a:5c:39] locale from the URL  
is not supported 
(captiveportal::PacketFence::Controller::Root::getLanguages)
Apr 25 18:56:13 portailcaptif-wifi 

Re: [PacketFence-users] Managment VLAN

2019-07-16 Thread Fabrice Durand via PacketFence-users

Hello Süleyman


From the PacketFence server, check whether you have traffic on the mgmt
interface and whether you are able to ping the default gateway.


Regards

Fabrice


On 2019-07-16 at 08:30, Süleyman Gelener via PacketFence-users wrote:

Dear Subscribers,

I tried to put the management interface into a VLAN and succeeded; I did it
because I had to, I don't want to get into details. However, now I am not
able to connect to the web interface anymore. The following error is given to
me, however there is no connection error. I am able to reach the internet
through the switch, which means most probably I don't have a network problem
but a problem with PF. I have checked several conf files and related
services; they seem okay. Can someone help me please? It's
very urgent for me since it's my internship project, please can someone
help me. Many thanks from now to everyone.


Best Regards,





Re: [PacketFence-users] WMI Scan with One Host Only

2019-07-16 Thread Fabrice Durand via PacketFence-users

Hello Chadwick,

On 2019-07-16 at 04:59, Chadwick Boseman via PacketFence-users wrote:

Hi All,
So I have a PF ZEN up and running.

I have some questions regarding my understanding of VLAN membership in PF:
1. When a new device (never connected / never registered before) is
connected to the switch, it will be put into the registration VLAN.
And after they register their device from the captive portal it will
be moved to the guest VLAN automatically. Is this correct? If not, please
explain to me.



In fact, the VLAN you want.
2.  After the device's MAC is registered in the PF server, does the
user have to manually enable the 802.1x auth from their ethernet
adapter? Or can PF actually automatically change the VLAN to the
default/normal VLAN and activate the 802.1x auth?


The supplicant needs to be configured if you want to do 802.1x; you can
do it by GPO if you have a domain.


Also you can do provisioning with PacketFence, but only for wireless
right now.




I followed the PF installation guide; the captive portal is
configured to the bare minimum where the user just needs to agree to
some policy, and the device is then registered. My VLANs are as follows:

Guest    :  VLAN 640
Registration : VLAN 640
Normal/default : VLAN 625
Isolation    : VLAN 641

The guest and registration VLANs are the same because the installation
guide said
"in Role by VLAN ID, set the registration and guest VLAN ID to 20 -
this will ensure unregistered clients are initially put in VLAN 20 and
avoid a VLAN change once they properly authenticate from the captive
portal"

It's for web authentication, not for VLAN enforcement, so the
registration VLAN needs to be different than the guest VLAN.


I want something more to do on the captive portal, so I configured a 
WMI scan so when a client register their device on the captive portal, 
WMI checks whether they have an Antivirus installed or not..
I want that if the device doesn't have an AV installed, it is moved to 
the isolation VLAN (That's the correct behavior right?) so how do I 
achieve this?


You need to create a wmi scan engine and add it in the connection profile.

Regards

Fabrice




Thanks a lot guys..I'll really appreciate any explanation/answer




Re: [PacketFence-users] Eduroam as authentication source

2019-07-16 Thread Fabrice Durand via PacketFence-users

Hello Philippe,

Eduroam will only work for 802.1x, not for doing CHAP/PAP.

So in order to make it work you need to have a secure SSID called
eduroam and use port 11812 for the RADIUS server.


In the eduroam authentication source you also need to define your local
realm (create your realm and associate it with your Domain) in order to
keep the authentication local.


Regards

Fabrice


On 2019-07-16 at 05:32, DOMINEAUX Philippe via PacketFence-users wrote:


Hello,

I’ve just configured a fresh new installation of packetfence (9.0.1) 
and I’m trying to make it work with Eduroam.


Following the documentation I’ve created an exclusive source to 
declare Eduroam radius servers for my country


  * rad1.eduroam.fr ( 1812 )
  * rad2.eduroam.fr ( 1812 )
  * leave the Authentication listening port to default 11812

I’ve also followed the documentation (Getting Started chapter) to 
configure an Active Directory server.


The documentation made me configure the DEFAULT and the NULL Realm 
using the Active Directory as Domain.


And it works like a charm if I use mydomain credentials on the captive 
portal or/and using the dot1x authentication.


But nothing works for Eduroam.

I’ve tried to configure a Connection Profile to catch the foreign 
eduroam authentication requests, but If I specify Eduroam as an 
authentication source, the radius logs give me :


“No authentication source found for this username”.

Do you have any clue to make it work ?

Thanks.

__

DOMINEAUX Philippe





Re: [PacketFence-users] Registration dhco

2019-08-12 Thread Fabrice Durand via PacketFence-users

Hello Domingos,

really sorry for the delay.

So yes, the registration and isolation VLANs need to be available in all
your switches like a normal VLAN (layer 2).


The only difference is that this VLAN is managed by PacketFence, so PF
is the DHCP/DNS/default gateway.


So let's say the reg VLAN is 123; then you don't have to set a gateway on
this VLAN.



Now let's say you want to route the registration VLAN and isolation VLAN.

You have 2 ways to do it. The first one is to have a gateway in VLAN
123 and tell PacketFence to use this gateway to reach the remote
registration VLAN, and on the client gateway (on the other side) you need
to set an ip-helper address to the registration interface IP of PacketFence.


Or you can use the management interface as a DHCP server; to do that just add
an additional daemon to the management interface (dhcp) and create a
remote registration config that uses the gateway facing the management
interface.


Regards

Fabrice


On 2019-08-09 at 12:03, Domingos Varela wrote:

Hi Fabrice,

I agree with you that it is a network problem, because the production 
network does not have access to the registration network.​


Should registration and isolation networks be routed or not in the 
infrastructure?


If not, how do clients get to the dhcp server if they don't have 
access to the gateway of these networks?


Is it possible to change the dhcp listen port to the management address?
Thanks

Regards


On Wednesday, 7/08/2019, 16:44, Domingos Varela (sousa.var...@gmail.com) wrote:


Hi,

Pf logs in attach

Thanks

pf-logs.7z

<https://drive.google.com/file/d/0B4kerdl39UHXZmlsckVnclFfaVIxNGhPdFV6MlZENWFyYkdR/view?usp=drivesdk>





On Wednesday, 7/08/2019, 15:41, Fabrice Durand (fdur...@inverse.ca) wrote:

Hello Domingas,

the packetfence.log should be enough.

Regards

Fabrice


On 2019-08-06 at 17:01, Domingos Varela wrote:

Hi Patrice,

Which equipment do you want the logs from?
For more details I send the implementation diagram.
Thanks
Regards

Regards,

Domingos Varela
Tel. +244 923 229 330 | Luanda - Angola


Fabrice Durand via PacketFence-users
(packetfence-users@lists.sourceforge.net) wrote on
Tuesday, 6/08/2019 at 20:27:

Hello Domingos,

if the device receives an IP address from the production
VLAN then it means that there is a network misconfiguration.

Can you provide some logs ?

Regards

Fabrice


On 2019-08-05 at 10:17, Domingos Varela via
PacketFence-users wrote:

Hi,

I am using PF to authenticate wifi users on the network,
but when a user connects to the network he gets the IP
from the data network and not from the registration
network.

Shouldn't users receive the IP from the registration
network and after logging in receive the IP from the
data network?

Thanks
Regards




Re: [PacketFence-users] 802.1x Accept/Reject Role Control

2019-08-12 Thread Fabrice Durand via PacketFence-users

Hello Jon,

it's really simple, you just need to set -1 in the registration role.

Then if an unregistered device tries to connect it will be rejected.

Regards

Fabrice


On 2019-08-09 at 11:37, Jon Barret via PacketFence-users wrote:

Hello,

We are currently looking into using Packetfence but are running into
some issues. The way the network is set up, we connect computers behind
an IP phone. If we were to use VLAN isolation then once the phone
authenticated, a computer would be able to join that VLAN, the
way I understand it. We noticed however that we could possibly control
access just by using roles. For example, if an IP phone is in an accept
role and a computer is in a reject role, the phone will get access to
the network; then after plugging the computer into the phone that has
network access, Packetfence will deny access because of the role
associated with the MAC address. We are wondering if there is a way
to configure roles so that whenever a new MAC address or device is
recognized, instead of auto-registering this device, we can set the role
to REJECT by default. So then we could go into Packetfence and add
the MAC address to an accept role, giving it access if we knew this was
a safe device. Please advise, and I appreciate your help. Also, if this
isn't the best way to receive support please let me know; I'm going
off of the Packetfence website's advice.


Thanks!




Re: [PacketFence-users] How to get the scan engine working?

2019-08-12 Thread Fabrice Durand via PacketFence-users

PacketFence is not able to recognize the OS of the device.

Is Fingerbank enabled on your system?


On 2019-08-07 at 06:17, Zairy Fajar via PacketFence-users wrote:

The packetfence.log shows:

pfence pfqueue: pfqueue(7518) WARN: [mac:11:3j:81:cc:cd:27]
Can't find scan engine for 11:3j:81:cc:cd:27 since we don't have it's OS
Please help.. I'm running out of time and ideas

On Wed, Jul 31, 2019, 3:23 PM Zairy Fajar wrote:


Hi,
I'm sorry if this is a basic question, but I've been struggling on
getting my scan engine to work on the captive portal..
I followed this installation guide
https://packetfence.org/doc/PacketFence_Installation_Guide.html

and everything was fine until the part6. Enabling the Captive Portal


but I want to add something else, I want to do a scan before the
user is registered on the captive portal..
I've tried to use both nessus and WMI, but nothing works, nothing
shows on the captive portal, there was no scan initiated, and
also, nothing on the packetfence.log.. nothing said anything about
scan..

What could be the problem?
please help
thanks in advance





Re: [PacketFence-users] How to get the scan engine working?

2019-08-12 Thread Fabrice Durand via PacketFence-users

Yes, it is Fingerbank that will recognize the OS of the device.


On 2019-08-12 at 08:50, Fajar Zairy via PacketFence-users wrote:

No, it is not enabled. Should I enable it?

On Mon, Aug 12, 2019, 7:49 PM Fabrice Durand via PacketFence-users
(packetfence-users@lists.sourceforge.net) wrote:


PacketFence is not able to recognize the OS of the device.

Is Fingerbank enabled on your system?


On 2019-08-07 at 06:17, Zairy Fajar via PacketFence-users wrote:

The packetfence.log shows:

pfence pfqueue: pfqueue(7518) WARN: [mac:11:3j:81:cc:cd:27]
Can't find scan engine for 11:3j:81:cc:cd:27 since we don't have it's OS
Please help.. I'm running out of time and ideas

On Wed, Jul 31, 2019, 3:23 PM Zairy Fajar (zairyfaj...@gmail.com) wrote:

Hi,
I'm sorry if this is a basic question, but I've been
struggling on getting my scan engine to work on the captive
portal..
I followed this installation guide
https://packetfence.org/doc/PacketFence_Installation_Guide.html

and everything was fine until the part6. Enabling the Captive
Portal

<https://packetfence.org/doc/PacketFence_Installation_Guide.html#_enabling_the_captive_portal>
but I want to add something else, I want to do a scan before
the user is registered on the captive portal..
I've tried to use both nessus and WMI, but nothing works,
nothing shows on the captive portal, there was no scan
initiated, and also, nothing on the packetfence.log.. nothing
said anything about scan..

What could be the problem?
please help
thanks in advance





Re: [PacketFence-users] Multiple Devices on one Switchport

2019-08-29 Thread Fabrice Durand via PacketFence-users

Hello Benjamin,


I will take a look, but we probably need to add a configuration parameter
in the switch config (like enable multihost), and if it's enabled then
don't close the previous locationlog entry.


Only close the locationlog when the device moves or when PacketFence
receives an accounting stop.



It's not something really complicated to code; I will send you a patch soon.

Regards

Fabrice


On 2019-08-29 at 02:35, Shirley, Benjamin wrote:


Hi Fabrice,


thanks for your help. I forgot to mention that I have already tried
turning on multihost, which did not change the behaviour. I turned it
back off though because I did not notice any change and didn't know
what this setting changes in the background.



As I mentioned, the funny thing is that the issue I experience only
arises when I have multiple devices on a port that have different
roles assigned.





Benjamin




*From:* Durand fabrice via PacketFence-users


*Sent:* Thursday, 29 August 2019 01:26:07
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice
*Subject:* Re: [PacketFence-users] Multiple Devices on one Switchport

Hello Benjamin,

it looks like this is what you need:
https://github.com/inverse-inc/packetfence/pull/2034



it's in PacketFence since version 7.0; can you try to enable
advanced.multihost and retry?


Regards

Fabrice


On 2019-08-28 at 08:25, Shirley, Benjamin via PacketFence-users wrote:


Hello everyone,

from reading up I am aware my setup is not officially supported, BUT
it works on our equipment with one caveat I would love to get some
information on.


We have a lot of offices equipped with workgroup switches connected
to (Aruba) HP 2920-48G access switches. The access switch is able to
provide multiple VLANs per port and separation of clients does work.


For example I can have 1 client on the workgroup switch being able to
access the registration VLAN and another client accessing the production
network, all controlled by MAC authentication and the RADIUS reply by
Packetfence.


The problem is that in the situations where I have multiple VLANs on
that one access switch port, Packetfence closes locationlog entries
for some of the nodes and no more switch port information is
available, thus re-evaluating access or restarting of switch ports
does not work when changing role or deleting a node. If all clients
on the workgroup share the same role / VLAN I can see the switchport
details and the before said access re-evaluation works / the
switchport restarts when changing node role. (Of course all clients
lose connectivity for the moment, but this is acceptable.)


I would like to understand which procedure triggers this behavior and
if there is any chance that I can get this working?


Thanks in advance

Benjamin





Re: [PacketFence-users] EAP authentication against OpenLDAP

2019-09-05 Thread Fabrice Durand via PacketFence-users
Yes exactly, so in your LDAP config you need to set password_attribute
= ntPassword and remove password_header = "{ssha}".


Regards

Fabrice


On 2019-09-05 at 08:48, Patrick Bituin via PacketFence-users wrote:

Hello Fabrice,

Thanks for the response.

I think they are in nt-format, I have the “ntPassword” on my sandbox 
ldap server. Is that what you’re referring to?


Regards,

On Thu, 5 Sep 2019 at 8:38 PM Fabrice Durand via PacketFence-users
(packetfence-users@lists.sourceforge.net) wrote:


Hello Patrick,

you need to store the password in clear text or nthash format.

Regards

Fabrice


On 2019-09-05 at 03:33, Patrick Bituin via PacketFence-users wrote:

Hello Team,

I've followed what the guide says on this link:

https://packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_authentication_against_openldap


But apparently, it didn't work for me. I've also followed some of
the previous conversation/tips on
www.mail-archive.com/packetfence-users@lists.sourceforge.net
<http://www.mail-archive.com/packetfence-users@lists.sourceforge.net>
regarding on the issues and still no luck.

My equipment is:
Unifi AP AC Pro
Unifi Controller v5.10.26
Latest Packetfence ZEN
Cisco Switch 2960x

Ldap server is phpLDAPadmin


I also did some testing with Active Directory, and it all went
well. Easy peasy. Is there a way I can make it work with our
openldap server? Would really appreciate your help on this.


Here are some of my configs:
/mods-available/ldap

```
ldap {
    server = "ldap.cloudstaff.com"
    identity = "uid=csldap,dc=cloudstaff,dc=com"
    password = 'HDZ+r8BC!4m6Qrk'
    password_header = "{ssha}"
    password_attribute = userPassword
    basedn = "dc=cloudstaff,dc=com"
    #filter = "(uid=%{mschap:User-Name})"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no

    keepalive {
      # LDAP_OPT_X_KEEPALIVE_IDLE
      idle = 60

      # LDAP_OPT_X_KEEPALIVE_PROBES
      probes = 3

      # LDAP_OPT_X_KEEPALIVE_INTERVAL
      interval = 3
    }
}
```


/conf/radiusd/packetfence-tunnel

```
# -*- text -*-
##
#
#       This is a virtual server that handles *only* inner tunnel
#       requests for EAP-TTLS and PEAP types.
#
#       $Id: c250afa30a78fe9ff7a97b6c9b8a7c3a419a6946 $
#
##

server packetfence-tunnel {


#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
        # TTLS does not send an EAP-Message to be parsed so the eap module
        # cannot assign the EAP-Type
        if ( outer.EAP-Type == TTLS) {
                update request {
                        &EAP-Type := TTLS
                }
        }
        packetfence-set-realm-if-machine
        packetfence-set-tenant-id
        #
        #  Take a User-Name, and perform some checks on it, for spaces and other
        #  invalid characters.  If the User-Name appears invalid, reject the
        #  request.
        #
        #  See policy.d/filter for the definition of the filter_username policy.
        #
        filter_username


        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.

        # Uncomment if you need to reject user who already failed
        # ntlm_auth (see packetfence-cache-ntlm-hit too)
        # packetfence-control-ntlm-failure

        mschap

        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
        #  Note that proxying the inner tunnel authenticati
```

Re: [PacketFence-users] EAP authentication against OpenLDAP

2019-09-05 Thread Fabrice Durand via PacketFence-users

Hello Patrick,

you need to store the password in clear text or nthash format.

Regards

Fabrice


Le 19-09-05 à 03 h 33, Patrick Bituin via PacketFence-users a écrit :

Hello Team,

I've followed what the guide says on this link:
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_authentication_against_openldap


But apparently it didn't work for me. I've also followed some of the
previous conversations/tips on
www.mail-archive.com/packetfence-users@lists.sourceforge.net
regarding these issues and still no luck.


My equipment is:
Unifi AP AC Pro
Unifi Controller v5.10.26
Latest PacketFence ZEN
Cisco Switch 2960x

LDAP server is phpLDAPadmin


I also did some testing with Active Directory, and it all went well.
Easy peasy. Is there a way I can make it work with our OpenLDAP
server? Would really appreciate your help on this.



Here are some of my configs:
/mods-available/ldap


ldap {
    server = "ldap.cloudstaff.com"
    identity = "uid=csldap,dc=cloudstaff,dc=com"
    password = 'HDZ+r8BC!4m6Qrk'
    password_header = "{ssha}"
    password_attribute = userPassword
    basedn = "dc=cloudstaff,dc=com"
    #filter = "(uid=%{mschap:User-Name})"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no

    keepalive {
      # LDAP_OPT_X_KEEPALIVE_IDLE
      idle = 60

      # LDAP_OPT_X_KEEPALIVE_PROBES
      probes = 3

      # LDAP_OPT_X_KEEPALIVE_INTERVAL
      interval = 3
    }
  }


/conf/radiusd/packetfence-tunnel


# -*- text -*-
##
#
#       This is a virtual server that handles *only* inner tunnel
#       requests for EAP-TTLS and PEAP types.
#
#       $Id: c250afa30a78fe9ff7a97b6c9b8a7c3a419a6946 $
#
##

server packetfence-tunnel {


#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
        # TTLS does not send an EAP-Message to be parsed so the eap module
        # cannot assign the EAP-Type
        if ( outer.EAP-Type == TTLS) {
                update request {
                        &EAP-Type := TTLS
                }
        }
        packetfence-set-realm-if-machine
        packetfence-set-tenant-id
        #
        #  Take a User-Name, and perform some checks on it, for spaces and other
        #  invalid characters.  If the User-Name appears invalid, reject the
        #  request.
        #
        #  See policy.d/filter for the definition of the filter_username policy.
        #
        filter_username


        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.

        # Uncomment if you need to reject user who already failed
        # ntlm_auth (see packetfence-cache-ntlm-hit too)
        # packetfence-control-ntlm-failure

        mschap

        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
        #  Note that proxying the inner tunnel authentication means
        #  that the user MAY use one identity in the outer session
        #  (e.g. "anonymous", and a different one here
        #  (e.g. "u...@example.com").  The inner session will then be
        #  proxied elsewhere for authentication.  If you are not
        #  careful, this means that the user can cause you to forward
        #  the authentication to another RADIUS server, and have the
        #  accounting logs *not* sent to the other server. This makes
        #  it difficult to bill people for their network activity.
        #
        suffix
        ntdomain

        %%userPrincipalName%%

        %%multi_domain%%

        %%redis_ntlm_cache_fetch%%

        %%authorize_filter%%
        #
        #  The "suffix" module takes care of stripping the domain
        #  (e.g. "@example.com") from the User-Name attribute, and the
        #  next few lines ensure that the request is not proxied.
        #
        #  If you want the inner tunnel request to be proxied, delete
        

Re: [PacketFence-users] Multiple Devices on one Switchport

2019-09-04 Thread Fabrice Durand via PacketFence-users

Hello Benjamin,


I did some tests and even if I have multiple devices on the same switch
port the locationlog is still open (for all of them).


Can you provide me more information about your setup?

Like the switch module you are using, and the packetfence.log when
you connect multiple devices on the switch port (enable trace in the httpd.aaa
process: edit the first line of conf/log.conf.d/httpd.aaa.conf and
replace INFO with TRACE).



Regards

Fabrice



Le 19-08-29 à 10 h 06, Shirley, Benjamin a écrit :


Hi Fabrice,


Curious to find out if you are able to reproduce and fix this...
anyway, thanks in advance for your support.



Benjamin


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Question on downloadable and dynamic ACLs

2019-09-04 Thread Fabrice Durand via PacketFence-users

Hello Ali,

In fact when you authenticate with 802.1X you authenticate the user and
not the device.


So if you associate the user to a role and then the role to an ACL, it means
user = ACL.


Also I checked the code of the module and it looks like it doesn't
support dynamic ACLs. By the way, it looks like it uses the same kind of
attributes as a Cisco switch.


So support for dynamic ACLs should be trivial.

Regards

Fabrice



Le 19-09-04 à 06 h 57, Amjad Ali via PacketFence-users a écrit :

Hello there,

We are working on a use case where downloadable and dynamic ACLs are
used as separate features, independent of web authentication.


The use case is simple: let's say we have an 802.1X user and I want to
associate a dynamic or downloadable ACL with it when the
authentication passes.


Our switch (Pica8) supports both dynamic and downloadable ACLs; I
just need to know how we can deliver those ACLs with Access-Accept for
both 802.1X and MAB.


I checked the device admin guide, the Role Mapping by Access List, but
it's a per-device assignment; we want a per-user assignment.


Any suggestions would be very well appreciated.

Thanks
Ali








Re: [PacketFence-users] Registration dhco

2019-08-07 Thread Fabrice Durand via PacketFence-users

Hello Domingas,

the packetfence.log should be enough.

Regards

Fabrice


Le 19-08-06 à 17 h 01, Domingos Varela a écrit :

Hi Patrice,

Which equipment do you want the logs from?
For more details I send the implementation diagram.
Thanks
Regards

Best regards,

Domingos Varela
Tel. +244 923 229 330 | Luanda - Angola


Fabrice Durand via PacketFence-users wrote on Tuesday, 6/08/2019 at 20:27:


Hello Domingos,

if the device receives an IP address from the production VLAN then
it means that there is a network misconfiguration.

Can you provide some logs ?

Regards

Fabrice


Le 19-08-05 à 10 h 17, Domingos Varela via PacketFence-users a écrit :

Hi,

I am using PF to authenticate Wi-Fi users on the network, but when
a user connects to the network he gets the IP from the data
network and not from the registration network.

Shouldn't users receive the IP from the registration network and,
after logging in, receive the IP from the data network?

Thanks
Regards






Re: [PacketFence-users] Scan Engine Doesn't Work

2019-08-06 Thread Fabrice Durand via PacketFence-users

Hello Fajar,

11:22:33:44:55:66 is the fake MAC address used when you use the portal preview.

You need to do your test with a real device.

Regards

Fabrice


Le 19-08-05 à 06 h 52, Fajar Zairy via PacketFence-users a écrit :

Hi everyone,
I have PF ZEN running on VMware with VLAN enforcement.
I've been struggling with my captive portal scan.
I can scan my devices with Nessus just fine when I launch the policy
directly from the Nessus admin page. But I cannot make my PF captive
portal scan a registering device using this Nessus engine; the
packetfence.log always says:


pfence pfqueue: pfqueue(7518) WARN: [mac:
11:22:33:44:55:66]
Can't find scan engine for 11:22:33:44:55:66 since we don't have it's OS

Why is this happening, and how do I fix this problem?
Please help me, I've been struggling with this for two weeks now.




Re: [PacketFence-users] Support for Statement of Health

2019-08-06 Thread Fabrice Durand via PacketFence-users

Hello Jonathan,

As you say, you can use Nessus or OpenVAS or some MDM to check
compliance.


Regards

Fabrice


Le 19-08-02 à 13 h 14, Jonathan Geyer via PacketFence-users a écrit :


Packet Fence UG/Support,

I've been looking into how to perform health checks or statement of
health checks against clients connecting over 802.1X. The
documentation has very little information on this and I'm wondering if
possibly we are looking in the wrong place. I know there is scanning
integration where we can hook in Nessus or OpenVAS, and that would not be
the best option for a health check process, as there is a delay from
moving a host from Registration to either Isolation or what we have
defined as an Approval VLAN that only consists of hosts with the same
checks validated.


Thanks,

Jonathan Geyer | CCNP, CCDA, BCNP, CSSP, ITIL, ACSE
Senior Network Engineer
Advanticom, Inc.
Tech One Park
191 Wyngate Drive
Monroeville, PA 15146

mail: jge...@advanticom.com
www: http://www.advanticom.com
tel: 412-385-5069
fax: 412-385-5001
service: 412-385-5002




Re: [PacketFence-users] PacketFence and Wireless Integration

2019-08-06 Thread Fabrice Durand via PacketFence-users

Hello Julien,

If the AP is managed by the controller then you don't really have a choice:
you have to use the controller to configure your AP.


I believe you can define locally which RADIUS server to use and put the
AP in FlexConnect mode.


Regards

Fabrice


Le 19-08-01 à 11 h 04, MACONE Julien via PacketFence-users a écrit :


Hello Fabrice,

Thank you for your reply.

To clarify:

We have Cisco Wi-Fi access points; we do not manage the Wi-Fi
controller at all, it is under the control of the parent company, but
the APs connect to it to retrieve their initial configuration. To reach
the controller they therefore go through the corporate network. Also,
the PacketFence Registration VLAN is not in the corporate network
(otherwise there would be no point in building a NAC).


So let's start from this configuration:

Corporate VLAN = VLAN 1

Registration VLAN = VLAN 10 -> Captive Portal

  * If my AP is on a port configured in VLAN 1, then users will not go
through PacketFence.
  * If my AP is on a port configured in VLAN 10, then it will not be
able to find the controller and so users will have no way to
authenticate.

So I wanted to know, being new to PacketFence, is it possible to set up
an exception for the Wi-Fi AP? Leave it in VLAN 1, but have all the
connections made through it land in VLAN 10? Or another solution,
another technique, I don't know.. :/


Regards, Julien.

*From:* Fabrice Durand via PacketFence-users


*Sent:* Thursday, 1 August 2019 15:43
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Fabrice Durand
*Subject:* Re: [PacketFence-users] PacketFence and Wireless Integration

Hello Julien,

Not sure I understand your issue; you say that it's a standalone AP
but connected to a controller.


If there is a controller then you probably need to configure the AP on
the controller.


You can continue in French if you want.

Regards

Fabrice

Le 19-08-01 à 08 h 41, MACONE Julien via PacketFence-users a écrit :

Hello there,

I’m a new PacketFence’s user and I’ve to ask you some questions
about Wireless configuration.

Forgive my english please..

So I've 4 Aruba 2540 switches; I've a PacketFence server connected to
them and the RADIUS authentication is working well on wired
connections.

It means all ports are configured to be in the registered VLAN.

So actually, when someone is plugged in, the captive portal wakes up
and the credentials are asked for. No probs!

But... I've 2 Cisco AiroNet 2802 series (wireless hotspots) without a
controller... The hotspot has to initiate a connection with the
controller (location: Paris; I don't have any hands on it) before
starting.

It means that I can't put them in the registered VLAN because this
VLAN doesn't have access to anything (except the PF server /
captive portal) and so the hotspot can't start.

With this.. how is it possible to give access (the registered VLAN
should be good) to my wireless users thanks to the hotspot?

How do my ports have to be configured to enable the registered VLAN
to pass through the hotspot and make my wireless users able to
authenticate to the captive portal?

Huge thanks to future answers.

Nice Day,

Ju.






Re: [PacketFence-users] PF 9.0.1 - Captive portal Redirection delay ERROR pfperl-api(1886)

2019-08-06 Thread Fabrice Durand via PacketFence-users

Hello Roger,

try that:

/usr/local/pf/bin/pfcmd configreload hard

and retry

Regards

Fabrice


Le 19-08-01 à 08 h 41, Roger Faria via PacketFence-users a écrit :

Hi Everyone,

It seems like every time I change the redirection delay to anything other
than its default "20s", the captive portal page crashes and it doesn't
display the settings. I can see them on the and the logs display the
following error listed below. Has anyone experienced a similar problem?


ERROR pfperl-api(1886): Can't use string ("20s") as a HASH ref while 
"strict refs" in use at 
/usr/local/pf/lib/pf/UnifiedApi/Controller/Config.pm line 787. 
(Mojolicious::Plugin::DefaultHelpers::_development)


Rogerio Faria
Network Administrator
ITS Information Technology Services
Bergen Community College
400 Paramus Rd, Paramus NJ 07652

rfa...@bergen.edu
O: (201) 612-5367




Re: [PacketFence-users] WMI Scan with One Host Only

2019-08-06 Thread Fabrice Durand via PacketFence-users

You don't have enough memory on your server.


Le 19-08-01 à 09 h 17, Zairy Fajar via PacketFence-users a écrit :
Yes I have it; if I use the account to do a remote WMI on a Windows PC,
it works, but PacketFence cannot trigger any scan on the captive portal.
Also when I do wmic manually from the PacketFence server, it shows
"Memory allocation error".


On Thu, Aug 1, 2019, 8:09 PM Fabrice Durand via PacketFence-users wrote:


Hello Zairy,

you need to have an account that is able to connect to WMI on the
remote laptop, so it's probably a local account.

Regards

Fabrice


Le 19-07-31 à 23 h 24, Zairy Fajar via PacketFence-users a écrit :

OK I understand, but how do I configure the WMI scan engine to scan
only one host which is not in the AD domain? (It's only in the
default WORKGROUP.)
I can't get the scan to work; the packetfence.log doesn't show
anything about the scan.

On Thu, Jul 18, 2019, 7:58 PM Fabrice Durand via PacketFence-users wrote:

It depends how you configure your violation.


Le 19-07-18 à 05 h 33, Chadwick Boseman via PacketFence-users
a écrit :

Hi Fabrice,
Thanks a lot for your answer, really helpful!

One more thing I want to ask is, if I do as you said

"You need to create a wmi scan engine and add it in the
connection profile."

when the client device triggers a violation, will it be
automatically moved to the isolation VLAN?



On Tue, Jul 16, 2019 at 8:16 PM Fabrice Durand via PacketFence-users wrote:

Hello Chadwick,

Le 19-07-16 à 04 h 59, Chadwick Boseman via
PacketFence-users a écrit :

Hi All,
So I have a PF ZEN up and running.

I have some questions regarding my understanding of
VLAN membership in PF:
1. When a new device (never connected / never registered
before) is connected to the switch, it will be put into
the registration VLAN. And after they register their
device from the captive portal it will be moved to the
guest VLAN automatically. Is this correct? If not,
please explain to me.


In fact, the VLAN you want.

2. After the device's MAC is registered in the PF
server, does the user have to manually enable the
802.1X auth from their Ethernet adapter? Or can PF
actually automatically change the VLAN to the
default/normal VLAN and activate the 802.1X auth?


The supplicant needs to be configured if you want to do
802.1X; you can do it by GPO if you have a domain.

Also you can do provisioning with PacketFence but only
for wireless right now.



I followed the PF installation guide; the captive
portal is configured to the bare minimum where the user
just needs to agree to some policy, and the device is then
registered. My VLANs are as follows:
Guest    :  VLAN 640
Registration :  VLAN 640
Normal/default : VLAN 625
Isolation    : VLAN 641

The guest and registration VLANs are the same because
the installation guide said
"in Role by VLAN ID, set the registration and guest
VLAN ID to 20 - this will ensure unregistered clients
are initially put in VLAN 20 and avoid a VLAN change
once they properly authenticate from the captive portal"

It's for web authentication, not for VLAN enforcement,
so the registration VLAN needs to be different from the
guest VLAN.


I want something more to do on the captive portal, so I
configured a WMI scan so that when a client registers their
device on the captive portal, WMI checks whether they
have an antivirus installed or not.
I want that if the device doesn't have an AV installed,
it is moved to the isolation VLAN (that's the correct
behavior, right?), so how do I achieve this?


You need to create a WMI scan engine and add it in the
connection profile.

Regards

Fabrice




Thanks a lot guys. I'll really appreciate any
explanation/answer.

