Re: [PacketFence-users] Re: 802.1x auth failed

2017-09-08 Thread Antoine Amacher via PacketFence-users

Kimiko,

Yes for the first question.

Aruba requires you to use Profile in the Aruba configuration. You will 
need to create roles; they do not have to have the same names as in PF. 
You make the link between roles in PF and roles in Aruba in your 
switches configuration in PacketFence.


If you use automatic registration, devices should go to their production 
VLAN after being authenticated in dot1x.


Check out the network configuration guide 
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba


You should find the information about how to configure the Aruba.

Thanks


On 09/08/2017 10:26 AM, Kimiko_Yan wrote:

Hi Antoine,

Do you mean the "Automatically register devices" check in my 
"radius_auth" connection profile?


I read the explanation beside it and maybe you are right, I'll try it in 
my PoC environment later.


But there is another question: even if PF set my device to the 
registration role, why did the Aruba AC assign me a normal VLAN's IP? I 
thought the registration role should have a registration VLAN's IP (IP in 
192.168.2.0/24)


I'm not sure if my Aruba AC was wrongly configured. I checked a little 
but did not find any role named "registration" or "employees" in the Aruba 
AC. The Aruba configuration is too complicated... I have to check with 
our network engineer about that.




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] 802.1x auth failed

2017-09-08 Thread Antoine Amacher via PacketFence-users

Hello Kimiko,

I am thinking that you do not have a rule to apply a role at the moment, 
so you validate the dot1x on PF, but that's just the authentication 
part, authentication =/= registration.


You could enable the autoreg on the connection profile secure, so 
anyone who succeeds in authenticating in dot1x will be automatically 
registered on PF. Else you will need to authenticate twice, once for the 
connection and once on the portal of PF.


Thanks


On 09/08/2017 05:24 AM, Kimiko_Yan via PacketFence-users wrote:

Hi

Now I have successfully accomplished 802.1x local auth with the newly 
created user "test124", but now the question is why it always showed 
"is of status unreg" and just put the device into the registration role. 
The user has finished 802.1x auth and the device should be put into the 
default (employees) role as I defined... Why not now?


My switch config, profiles config and packetfence.log are as below:

# more profiles.conf
[mac-auth]
locale=
filter=ssid:pf-public
sources=email
redirecturl=https://172.30.1.5/
always_use_redirecturl=enabled

[802.1x]
locale=
filter=ssid:pf-secure
sources=radius
always_use_redirecturl=enabled
redirecturl=http://172.30.1.5

#more switches.conf
[172.30.1.250]
deauthMethod=RADIUS
description=Aruba AC
type=Aruba
RoleMap=Y
mode=production
ExternalPortalEnforcement=Y
defaultRole=employees
guestRole=internet-only
wsPwd=admin1
cliUser=admin
wsTransport=HTTPS
wsUser=admin
defaultVlan=801
radiusSecret=hahahaha
SNMPCommunityRead=pftest
SNMPCommunityWrite=pftest
SNMPVersion=2c
cliPwd=admin1
cliEnablePwd=admin1
VlanMap=N


#tail -f packetfence.log
Sep  8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: 
[mac:64:b0:a6:d3:24:bd] handling radius autz request: from switch_ip 
=> (172.30.1.250), connection_type => Wireless-802.11-EAP,switch_mac 
=> (00:0b:86:b7:78:6f), mac => [64:b0:a6:d3:24:bd], port => 0, 
username => "test123", ssid => pf-secure (pf::radius::authorize)
Sep  8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: 
[mac:64:b0:a6:d3:24:bd] Instantiate profile 802.1x 
(pf::Connection::ProfileFactory::_from_profile)
Sep  8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: 
[mac:64:b0:a6:d3:24:bd] is of status unreg; belongs into registration 
VLAN (pf::role::getRegistrationRole)
Sep  8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: 
[mac:64:b0:a6:d3:24:bd] (172.30.1.250) Added role registrationto the 
returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)



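The situation in this thread (a device passes 802.1X, but PacketFence still answers with the registration role because the node is unreg) can be picked out of packetfence.log by correlating the three log lines quoted above per MAC address. This is an added example, not part of the original messages and not PacketFence code; it also accepts the "Added VLAN" form of the answer. The sample log is constructed, and treating a connection_type ending in "-EAP" as 802.1X is an assumption based on the value shown in the thread.

```python
import re

# Constructed sample in the packetfence.log format quoted in the thread.
# Host name, MACs, IPs and usernames are made up for this example.
SAMPLE_LOG = """\
Sep  8 16:55:12 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:01] handling radius autz request: from switch_ip => (192.0.2.10), connection_type => Wireless-802.11-EAP,switch_mac => (02:00:00:aa:00:01), mac => [02:00:00:00:00:01], port => 0, username => "alice", ssid => pf-secure (pf::radius::authorize)
Sep  8 16:55:12 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:02] handling radius autz request: from switch_ip => (192.0.2.20), connection_type => WIRED_MAC_AUTH,switch_mac => (02:00:00:aa:00:02), mac => [02:00:00:00:00:02], port => 10101, username => "020000000002" (pf::radius::authorize)
Sep  8 16:55:12 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:01] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Sep  8 16:55:12 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:01] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Sep  8 16:55:12 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:01] (192.0.2.10) Added role registrationto the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Sep  8 16:55:12 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:02] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Sep  8 16:55:12 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:02] (192.0.2.20) Added VLAN 112 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Sep  8 16:55:13 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:03] handling radius autz request: from switch_ip => (192.0.2.10), connection_type => Wireless-802.11-EAP,switch_mac => (02:00:00:aa:00:01), mac => [02:00:00:00:00:03], port => 0, username => "bob", ssid => pf-secure (pf::radius::authorize)
Sep  8 16:55:13 pf packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:02:00:00:00:00:03] (192.0.2.10) Added role employees to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

# Every line of interest carries the "[mac:xx:..]" tag right after the level.
LINE = re.compile(r"\[mac:(?P<mac>[0-9A-Fa-f:]{17})\]\s+(?P<msg>.*)")
AUTZ = re.compile(
    r'handling radius autz request:.*?connection_type => (?P<ctype>[^,\s]+)'
    r'.*?username => "(?P<user>[^"]*)"'
)
UNREG = re.compile(r"is of status unreg\b")
# The thread's log prints "registrationto" without a space, so the space
# before "to" is optional and the role/VLAN value is matched lazily.
ANSWER = re.compile(
    r"Added (?P<kind>role|VLAN) (?P<value>\S+?)\s*to the returned RADIUS Access-Accept"
)


def parse_decisions(log_text):
    """Return one dict per completed RADIUS authorization, in log order."""
    pending = {}   # mac -> decision still being assembled
    done = []
    for line in log_text.splitlines():
        tagged = LINE.search(line)
        if not tagged:
            continue
        mac, msg = tagged.group("mac").lower(), tagged.group("msg")
        autz = AUTZ.search(msg)
        if autz:
            # A new request for this MAC replaces any unfinished one.
            pending[mac] = {"mac": mac, "user": autz.group("user"),
                            "connection_type": autz.group("ctype"),
                            "unreg": False, "kind": None, "value": None}
            continue
        decision = pending.get(mac)
        if decision is None:
            continue   # request start was not seen (log rotated, tail -f)
        if UNREG.search(msg):
            decision["unreg"] = True
            continue
        answer = ANSWER.search(msg)
        if answer:
            decision["kind"] = answer.group("kind")
            decision["value"] = answer.group("value")
            done.append(pending.pop(mac))
    return done


def verdict(decision):
    """Classify a decision; authentication and registration are separate."""
    # Assumption: connection types ending in "-EAP" are 802.1X sessions.
    is_dot1x = decision["connection_type"].endswith("-EAP")
    if decision["unreg"] and is_dot1x:
        # Passed 802.1X but the node is unreg: autoreg is off on the
        # connection profile, or the device still has to use the portal.
        return "dot1x-ok-but-unregistered"
    if decision["unreg"]:
        return "unregistered"
    return "registered"


def report(log_text):
    """Return (mac, username, verdict, enforcement) tuples in log order."""
    return [(d["mac"], d["user"], verdict(d), f'{d["kind"]}={d["value"]}')
            for d in parse_decisions(log_text)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row, sep="  ")
```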


Re: [PacketFence-users] Bandwidth limit

2017-09-08 Thread Antoine Amacher via PacketFence-users


Re: [PacketFence-users] Howto: Migrate Packetfence 6 and Packetfence-pki from server

2017-09-06 Thread Antoine Amacher via PacketFence-users

Hello Rokkhan,

You will need to migrate the content of your sqlite3 DB, which is holding 
the CA, user certs and everything you configured on the PKI.


So you need to either transfer the DB file, or transfer the content.

The sqlite3 db is in /usr/local/packetfence-pki/db/

Let us know if that helps.

Thanks


On 09/06/2017 12:02 PM, Rokkhan via PacketFence-users wrote:

Hi,

Due to some performance issues with Centos6 and Packetfence-PKI, I 
have installed a new server on Centos 7.


I am doing some tests and it is working OK, but how should I migrate 
users, nodes, CA certificate and user certificates generated with pf6 
and packetfence-pki from the CentOS 6 to the CentOS 7 server?


Greetings.




Re: [PacketFence-users] Problem with radius certificate. Time to renew.

2017-08-14 Thread Antoine Amacher via PacketFence-users

Hello Dominic,

Try to apply the maintenance: perl addons/pf-maint.pl

This should fix the actual issue.

To renew the certificate you can do it via openssl commands.

Create a conf_file.cnf in which you need the following:

[req]
distinguished_name = req_distinguished_name
x509_extensions = cert

[req_distinguished_name]
commonName = Common Name (e.g. server FQDN)

[cert]
extendedKeyUsage = serverAuth

Then run this command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -config conf_file.cnf


Then fill in the requested information and move your certificate/key to 
replace the old one.


Thanks

On 08/14/2017 10:56 AM, dominic--- via PacketFence-users wrote:


Hi All,

I am running version 6.2.1 on CentOS with great success. Until today!

After a restart of the system Packetfence services fail to start.

 service packetfence start
Redirecting to /bin/systemctl start  packetfence.service
Job for packetfence.service failed because the control process exited 
with error code. See "systemctl status packetfence.service" and 
"journalctl -xe" for details.

[root@pf pf]#

[root@pf pf]#
[root@pf pf]# systemctl status packetfence.service
● packetfence.service - PacketFence Service
   Loaded: loaded (/usr/lib/systemd/system/packetfence.service; 
enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2017-08-14 16:52:00 
CEST; 46s ago
  Process: 2940 ExecStart=/usr/local/pf/bin/pfcmd service pf start 
(code=exited, status=255)


Aug 14 16:51:39 pf.kalmar.se pfcmd[2940]: [Mon Aug 14 16:51:39 2017] 
pfappserver.pm: Cannot determine desired terminal width, using default 
of 80 columns
Aug 14 16:51:40 pf.kalmar.se pfcmd[2940]: AH00548: NameVirtualHost has 
no effect and will be removed in the next release 
/usr/local/pf/var/conf/httpd.conf.d/httpd.admin:194

Aug 14 16:51:52 pf.kalmar.se pfcmd[2940]: httpd.admin|start
Aug 14 16:51:52 pf.kalmar.se pfcmd[2940]: Checking configuration sanity...
Aug 14 16:51:59 pf.kalmar.se pfcmd[2940]: FATAL - The certificate used 
by FreeRADIUS (/usr/local/pf/raddb/certs/server.crt) has expired.
Aug 14 16:51:59 pf.kalmar.se pfcmd[2940]: Regenerate a new self-signed 
certificate or update your current certificate.
Aug 14 16:51:59 pf.kalmar.se systemd[1]: packetfence.service: control 
process exited, code=exited status=255
Aug 14 16:52:00 pf.kalmar.se systemd[1]: Failed to start PacketFence 
Service.
Aug 14 16:52:00 pf.kalmar.se systemd[1]: Unit packetfence.service 
entered failed state.

Aug 14 16:52:00 pf.kalmar.se systemd[1]: packetfence.service failed.
[root@pf pf]#

So it seems I have a problem with the radius cert?

Does anyone know how to renew this certificate?

best regards

Dominic Kilbride





Re: [PacketFence-users] Captive portal redirection not working

2017-07-28 Thread Antoine Amacher via PacketFence-users

Hello Cristian,

When you say "the pc gets the correct ip address", is it given by 
PacketFence? Make sure the DNS and gateway are the registration 
interface of PacketFence.


Make sure you do not have any ACL on the switch or network that could 
conflict with it.


Try to reach the portal and see if the IP of the test device is hitting 
the portal; look into logs/httpd.portal.access


Thanks


On 07/28/2017 08:00 AM, Cristian Mammoli via PacketFence-users wrote:
Hi, installed the latest pf on CentOS 7 following the official 
documentation, I configured management, registration, isolation and 
portal interfaces. I joined the server to an AD domain, configured an 
authentication source and a connection profile and configured a switch 
(Cisco 2960x) with 802.1x+MAB.



Then I tried plugging a win7 notebook not yet joined to the domain in 
the switch port and packetfence correctly puts it in the registration 
vlan:


Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: 
[mac:20:cf:30:36:7c:bb] handling radius autz request: from switch_ip 
=> (192.168.16.44), connection_type => WIRED_MAC_AUTH,switch_mac => 
(2c:86:d2:5d:47:81), mac => [20:cf:30:36:7c:bb], port => 10101, 
username => "20cf30367cbb" (pf::radius::authorize)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: 
[mac:20:cf:30:36:7c:bb] Instantiate profile gruppoapra 
(pf::Connection::ProfileFactory::_from_profile)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: 
[mac:20:cf:30:36:7c:bb] is of status unreg; belongs into registration 
VLAN (pf::role::getRegistrationRole)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: 
[mac:20:cf:30:36:7c:bb] (192.168.16.44) Added VLAN 112 to the returned 
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)



The pc gets the correct ip address but from there there is no 
redirection to the captive portal, I can ping the packetfence ip 
address on the registration vlan but nothing else. If I try to open a 
browser I get connection refused to every url



I'm new to packetfence so I'm probably missing something obvious but 
any help would be greatly appreciated




Re: [PacketFence-users] Bad Request 400 on Packetfence PKI

2017-07-28 Thread Antoine Amacher via PacketFence-users

Hi,

Can you make sure the pki is properly started,

ps -edf | grep packetfence-pki

netstat -nlp | grep 9393

and that iptables is allowing it:

iptables -S | grep 9393

Thanks


On 07/28/2017 06:53 AM, Akala Kehinde via PacketFence-users wrote:

Hello Guys,

I get a Bad Request 400 when I try accessing 
https://172.16.100.2:9393/ i.e. the PKI server interface on PF 7.2.


Any idea what might be wrong?

Regards,
Kehinde




Re: [PacketFence-users] Provisioner Setup necessary for hidden and non-hidden SSIDs??

2017-07-17 Thread Antoine Amacher via PacketFence-users

Hello Kehinde,

It depends what you need the provisioner for, but to be honest, the best 
use case of the provisioner is to provide clients with certificates to 
then authenticate on an EAP-TLS connection.


If you are using a hidden SSID, I think it is nice for the client to not 
have to configure the SSID manually. For, let's say, a WPA2-Enterprise 
PEAP that is not hidden, no, I don't think it is necessary.


Its use is also that it avoids user mistakes while configuring it.

Let us know if that helps.

Thanks


On 07/17/2017 08:57 AM, Akala Kehinde via PacketFence-users wrote:

Hello guys,

First would like to thank the Packetfence team for the great work done 
so far and the continuous effort put in to make the solution even better.


I have a quick question regarding the Provisioner configuration and 
how to set it up with mobile phones.


Assuming SSID is not hidden, after the provisioner is configured on PF 
and the provisioner is tied to a Connection Profile, is the 
provisioner setup here needed since I can easily log in from the 
captive portal?


And assuming SSID is hidden, will the mobile user need to set this up 
manually the first time, and when browsing for the first time, a link to 
the Play Store will be displayed where the Packetfence agent can be 
installed, or how is the setup going to be like on the mobile phone?


In summary, is there any real use for the provisioner since I can set 
it up manually at first run and save my settings for subsequent use?



Regards,
Kehinde




Re: [PacketFence-users] Packetfence in webauth enforcement

2017-07-17 Thread Antoine Amacher via PacketFence-users

Hello Aaron,

WebAuth will look almost like VLAN enforcement; what changes 
is mainly what we return to the switch request and the fact that PF is 
NOT the DHCP/DNS while registering.


The part you are looking for is mainly how to configure your controller 
to work in WebAuth, i.e. if using Cisco WLC look at this documentation 
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_wireless_lan_controller_wlc_web_auth


Make sure that your management interface has 'portal' as an additional 
daemon, or that you have a portal interface.


Thanks


On 07/15/2017 04:40 PM, Aaron Ridgewell via PacketFence-users wrote:

Hi all.

I apologise if this has been posted before. I am trying to use packetfence in 
webauth enforcement mode. I can see admin guides for inline and oob but not for 
webauth.
I am looking to use this for email guest registration.
Can someone point me in the right direction for a guide to setting up webauth 
with email registration?

Thanks

Aaron



Re: [PacketFence-users] Authentication Source question

2017-07-17 Thread Antoine Amacher via PacketFence-users

Hello Will,

The source EAP-TLS is here just to validate that the client and server 
certificates have the same issuer, that is it, nothing else. Now it will 
allow you to establish rules based on certificate attributes, CN for 
instance.


Thanks


On 07/14/2017 09:29 AM, Will Halsall via PacketFence-users wrote:


Hi Folks,

I have configured mspki on our system but was wondering about the 
Authentication Source setup. Initially I used AD with the attribute 
ServicePrincipalName but then noticed there was an EAPTLS Source so 
configured that as well. Both work so I was wondering which approach 
is the best to use and how the Authentication Source EAPTLS works, as 
there is very little to set up, just a name and rules.


Thanks

WillH



Re: [PacketFence-users] Recommended Linux Distro for PF

2017-07-12 Thread Antoine Amacher via PacketFence-users

Hello Steve,

CentOS is our "main" distribution we use, so we would recommend this one.

Thanks


On 07/12/2017 03:56 PM, Steve Allen via PacketFence-users wrote:

Hello All

I've followed PacketFence for awhile now but never had enough time to 
put it into a production network.


I'm hoping to do this in the very near future and my first question is 
related to the OS to choose.


Based on your own experiences which Linux distro would you recommend; 
CentOS or Debian?


Is one more stable/reliable than the other?

Is one easier to maintain/update PF?

Any insight would be helpful.

Thanks



Re: [PacketFence-users] Unable to view the web configuration page after installation

2017-07-10 Thread Antoine Amacher via PacketFence-users

Hello,

The httpd and haproxy processes are not running.

Try this:

/usr/local/pf/bin/pfcmd service httpd.admin start

Thanks


On 07/10/2017 01:13 AM, Muralidhar Bg via PacketFence-users wrote:

Hi,

I installed packetfence following the instructions on 
https://packetfence.org/doc/PacketFence_Administration_Guide.html


After installation I tried opening the 
https://@ip_of_packetfence:1443/configurator page on my server


I get "unable to connect" error on the browser.

Also find the status of packetfence as given below
$ /usr/local/pf/bin/pfcmd service pf status
carbon-cache|1|0
carbon-relay|1|0
collectd|1|0
dhcpd|0|0
haproxy|1|0
httpd.aaa|1|0
httpd.admin|1|0
httpd.collector|0|0
httpd.dispatcher|1|0
httpd.graphite|1|0
httpd.parking|1|0
httpd.portal|1|0
httpd.proxy|0|0
httpd.webservices|1|0
iptables|1|0
keepalived|0|0
p0f|1|0
pfbandwidthd|0|0
pfdetect||0
pfdhcplistener|1|0
pfdns|0|0
pffilter|1|0
pfmon|1|0
pfqueue|1|0
pfsetvlan|0|0
pfsso|1|0
radiusd-acct|1|0
radiusd-auth|1|0
radsniff|1|0
redis_ntlm_cache|0|0
redis_queue|1|0
routes|0|-1
snmptrapd|0|0
statsd|1|0
winbindd|0|0

On further investigation I found out that mysql is not working as well 
(error as given below):


$ ERROR 2002 (HY000): Can't connect to local MySQL server through 
socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")


mysql and the rest of the dependencies were installed by running the 
packetfence installation command. I am running centOS 7 on my server. 
Please help!






Re: [PacketFence-users] Machine authentication

2017-07-07 Thread Antoine Amacher via PacketFence-users

Lucas,


Map the domain on which they should authenticate with the REALM LOCAL.


In configuration -> policies and access control -> realms


Thanks


On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:


Hi all,

I'm trying to do machine authentication vs Windows AD but it doesn't 
work. I've created the domain and the realm but in the radius debug 
log I can see that it is not catching the correct realm:




(20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103 
from 10.10.10.4:1645 to 172.27.17.5:1812 length 226

(20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
(20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
(20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id = 
"00-22-91-6F-B8-81"
(20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id = 
"00-9C-02-92-EA-B0"
(20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message = 
0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
(20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator = 
0xcf9553149f5c843907b87d3758e0b7d8
(20) Fri Jul  7 16:29:45 2017: Debug:   Cisco-AVPair = 
"audit-session-id=0A0A0A0400DEBBDF4BBE"

(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Type = Ethernet
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port = 50101
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Id = 
"GigabitEthernet1/0/1"

(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4




(20) Fri Jul  7 16:29:46 2017: Debug: suffix: Checking for suffix 
after "@"
(20) Fri Jul  7 16:29:46 2017: Debug: suffix: No '@' in User-Name = 
"host/LAB3-NB.dm.loc", skipping NULL due to config.

(20) Fri Jul  7 16:29:46 2017: Debug: [suffix] = noop
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Checking for prefix 
before "\"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name = 
"host/LAB3-NB.dm.loc", looking up realm NULL

(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Found realm "null"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding 
Stripped-User-Name = "host/LAB3-NB.dm.loc"

(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Authentication realm 
is LOCAL

(20) Fri Jul  7 16:29:46 2017: Debug: [ntdomain] = ok


How can I solve this? Obviously the machine is correctly joined to the 
domain; below is the associated servicePrincipalName:



TERMSRV/LAB3-NB.dm.loc
TERMSRV/LAB3-NB
RestrictedKrbHost/LAB3-NB
HOST/LAB3-NB
RestrictedKrbHost/LAB3-NB.dm.loc
HOST/LAB3-NB.dm.loc


Can anyone suggest what I should check?


Thank you in advance.


Luca




Re: [PacketFence-users] Unable to save authentication setting

2017-07-06 Thread Antoine Amacher via PacketFence-users

Hello Will,

It could be a permission issue (if it is, try: bin/pfcmd fixpermissions), 
or something to do with pfconfig or even something else; it is a bit 
hard to tell with only this message.


You could always try to manually write it in the file 
conf/authentication.conf, but typos are not kind in this file so make 
sure to use an existing example.


When done, try:

bin/pfcmd configreload hard, and the source should appear on the admin 
interface.


Thanks


On 07/06/2017 04:13 AM, Will Halsall via PacketFence-users wrote:


Hi All,

Just a bit more information.

Saving an authentication source in PF 7.0.0 worked fine, but when I 
come to add another source since upgrading to PF 7.1.0 it gives the below 
error in the httpd.admin.log


httpd.admin.log:Jul 5 19:16:21 packetfence httpd_admin: 
httpd.admin(2612) ERROR: [mac:unknown] Error writing authentication 
configuration 
(pf::ConfigStore::Authentication::writeAuthenticationConfigFile)


the GUI gives the following:

Is there any other way of adding an authentication source?

*From:*Will Halsall via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]

*Sent:* Wednesday, July 5, 2017 7:22 PM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Will Halsall
*Subject:* [PacketFence-users] Unable to save authentication setting

When I try to save an Authentication Source I get the following error:

PF 7.1.0

httpd.admin.log:Jul  5 19:16:21 packetfence httpd_admin: 
httpd.admin(2612) ERROR: [mac:unknown] Error writing authentication 
configuration 
(pf::ConfigStore::Authentication::writeAuthenticationConfigFile)


<https://www.farn-ct.ac.uk/about/Events>

This message is intended only for the use of the person(s) to
whom it is addressed, and may contain privileged and confidential 
information.
If it has come to you in error, please contact the sender as soon as 
possible,
and note that you must take no action based on the content, nor must 
you copy,

distribute, or show the content to any other person.


In accordance with its legal obligations, Farnborough College of
Technology reserves the right to monitor the content of e-mails sent and
received, but will not do so routinely.





Re: [PacketFence-users] mspki computer authentication

2017-07-05 Thread Antoine Amacher via PacketFence-users

Hello Will,

The certificate exchange looks fine, do you have an AD computer auth 
source? (using ServicePrincipalName as an attribute)


Also is the CA in the radiusd/eap.conf, and is it installed on the client?

You could also try to run RADIUS in debug to have more info:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t3600

Thanks


On 07/05/2017 11:13 AM, Will Halsall via PacketFence-users wrote:


Hi All,

I have tried to set up mspki to use AD computer authentication and have 
followed the Quick installation guide but cannot get the clients to work.


The client is a windows 10 domain laptop

The server is PF 7.1.0

The CA is installed on windows2012R2

When I try to connect I get the following in the radius log. Could 
anyone advise on how to go about resolving this issue or if it's even 
possible?


Willh

RADIUS Request



User-Name = "host/Stuart-PC.college.farnborough"

NAS-IP-Address = 172.16.36.30

NAS-Port = 0

Service-Type = Login-User

Framed-MTU = 1100

State = 0x7e1adcc07913d16fa3fa9452e2e3aa94

Called-Station-Id = "04:bd:88:c4:e2:60"

Calling-Station-Id = "00:24:2b:60:ff:79"

NAS-Identifier = "IAP Cluster FCOT"

NAS-Port-Type = Wireless-802.11

Event-Timestamp = "Jul  5 2017 16:00:37 BST"

EAP-Message = 0x020900060d00

Message-Authenticator = 0x5cf158a0b8216591e4a2125a9c68ee90

Aruba-Essid-Name = "test"

Aruba-Location-Id = "N2 - outside"

Aruba-AP-Group = "IAP Cluster"

EAP-Type = TLS

Stripped-User-Name = "host/Stuart-PC.college.farnborough"

Realm = "null"

FreeRADIUS-Client-IP-Address = 172.16.36.30

Called-Station-SSID = "test"

Tmp-String-1 = "00242b60ff79"

TLS-Cert-Serial = "72c5b6d2120648b44e26747040ed5949"

TLS-Cert-Expiration = "220701135414Z"

TLS-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"

TLS-Cert-Subject = "/DC=farnborough/DC=college/CN=azure"

TLS-Cert-Common-Name = "azure"

TLS-Client-Cert-Serial = "7d0060dfebbdb604c4cc8200020060"

TLS-Client-Cert-Expiration = "190705141544Z"

TLS-Client-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"

TLS-Client-Cert-Subject = "/CN=Stuart-PC.college.farnborough"

TLS-Client-Cert-Common-Name = "Stuart-PC.college.farnborough"

TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication

TLS Web Client Authentication"

TLS-Client-Cert-X509v3-Subject-Key-Identifier = 
"6D:D8:A4:E6:C5:9F:BC:58:D1:A9:89:AE:A6:D4:C1:60:F4:C2:DF:F2"


TLS-Client-Cert-X509v3-Authority-Key-Identifier = 
"keyid:81:0F:70:98:FB:13:46:81:60:6E:0C:46:EC:DA:B8:64:47:E9:6A:8C\n"


TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"

Module-Failure-Message = "rest: Server returned:"

Module-Failure-Message = "rest: 
{\"control:PacketFence-Authorization-Status\":\"allow\"}"


User-Password = "**"

SQL-User-Name = "host/Stuart-PC.college.farnborough"

RADIUS Reply




EAP-Message = 0x03090004

Message-Authenticator = 0x

Stripped-User-Name = "host/Stuart-PC.college.farnborough"


--
Antoine Amacher
aamac...@inverse.ca  ::  www.invers
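
The consistency checks a defender can run over a RADIUS request dump like the one quoted in this message, as an added example (not part of the original posts and not PacketFence code): it parses the attribute list, then verifies that the `host/` identity matches the client certificate, that the certificate carries the client-authentication EKU, is unexpired, and was issued by the CA seen in the chain. The sample dump and the function names are constructed, and reading `TLS-Cert-Subject` as the issuing CA is an assumption taken from the layout of the dump above.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the RADIUS request dump quoted above.
# Host, domain and CA names are made up; the blank lines and wrapped values
# are kept on purpose, because list archives wrap dumps the same way.
SAMPLE = r'''
User-Name = "host/LAPTOP01.corp.example"

EAP-Type = TLS
TLS-Cert-Subject = "/DC=example/DC=corp/CN=lab-ca"
TLS-Client-Cert-Expiration = "190705141544Z"
TLS-Client-Cert-Issuer = "/DC=example/DC=corp/CN=lab-ca"
TLS-Client-Cert-Common-Name = "LAPTOP01.corp.example"

TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication

TLS Web Client Authentication"

TLS-Client-Cert-Subject-Alt-Name-Dns =
"LAPTOP01.corp.example"

Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\"}"
'''

ATTR_RE = re.compile(r'^([A-Za-z0-9][A-Za-z0-9-]*) =\s*(.*)$')


def _quote_open(value):
    """True while a quoted value is unterminated (odd count of unescaped quotes)."""
    return len(re.findall(r'(?<!\\)"', value)) % 2 == 1


def _unquote(value):
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_radius_attrs(text):
    """Parse 'Name = value' lines into {name: [values]}, rejoining wrapped values."""
    attrs, name, value = {}, None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        match = ATTR_RE.match(line)
        if match and not (name and _quote_open(value)):
            if name is not None:
                attrs.setdefault(name, []).append(_unquote(value))
            name, value = match.group(1), match.group(2)
        elif name is not None and (not value or _quote_open(value)):
            # Continuation: a value wrapped onto the next line, or a quoted
            # value spanning several lines (the EKU list does).
            value = f"{value}\n{line}" if value else line
    if name is not None:
        attrs.setdefault(name, []).append(_unquote(value))
    return attrs


def check_machine_eap_tls(attrs, now):
    """Return a list of findings; an empty list means the identity is consistent."""
    first = lambda key: (attrs.get(key) or [""])[0]
    findings = []
    user = first("User-Name")
    is_machine = user.lower().startswith("host/")
    if not is_machine:
        findings.append("User-Name has no host/ prefix (not a machine identity)")
    host = user[5:].lower() if is_machine else user.lower()
    cn = first("TLS-Client-Cert-Common-Name").lower()
    sans = [s.lower() for s in attrs.get("TLS-Client-Cert-Subject-Alt-Name-Dns", [])]
    if host != cn and host not in sans:
        findings.append("User-Name does not match client certificate CN or SAN")
    if "TLS Web Client Authentication" not in first("TLS-Client-Cert-X509v3-Extended-Key-Usage"):
        findings.append("client certificate lacks the client-authentication EKU")
    try:
        # ASN.1 UTCTime as printed in the dump: YYMMDDHHMMSSZ
        not_after = datetime.strptime(first("TLS-Client-Cert-Expiration"), "%y%m%d%H%M%SZ")
        if not_after.replace(tzinfo=timezone.utc) <= now:
            findings.append("client certificate expired")
    except ValueError:
        findings.append("cannot parse TLS-Client-Cert-Expiration")
    # Assumption: TLS-Cert-Subject describes the issuing CA in the chain.
    if first("TLS-Client-Cert-Issuer") != first("TLS-Cert-Subject"):
        findings.append("client certificate issuer differs from the CA in the chain")
    return findings


if __name__ == "__main__":
    parsed = parse_radius_attrs(SAMPLE)
    when = datetime(2017, 7, 5, 15, 0, tzinfo=timezone.utc)
    print(check_machine_eap_tls(parsed, when) or "identity and certificate are consistent")
```
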

Re: [PacketFence-users] Question about collaboration PacketFence and Nessus

2017-07-05 Thread Antoine Amacher via PacketFence-users

Hello Jacek,

I am not sure where you should find the Nessus ID for the trigger, but 
what you have seems to be right.


Your whole configuration looks fine.

For the error you get it seems to be a bug in the code, try to apply the 
following patch, restart pfqueue and try again.


diff --git a/lib/pf/scan/nessus6.pm b/lib/pf/scan/nessus6.pm
index ec15b57..17043d9 100644
--- a/lib/pf/scan/nessus6.pm
+++ b/lib/pf/scan/nessus6.pm
@@ -103,7 +103,7 @@ sub startScan {
 return 1;
 }

-my $scanner_id = $nessus->get_scanner_id(name => $scanner_name);
+my $scanner_id = $nessus->get_scan_id(name => $scanner_name);
 if ($scanner_id eq ""){
 $logger->warn("Nessus scanner name doesn't exist ".$scanner_id);
 return 1;
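
Review bot: on the changed line the call becomes get_scan_id, but it is still passed $scanner_name, its result is still stored in $scanner_id, and a miss is still reported as "Nessus scanner name doesn't exist", so the lookup and the naming no longer agree. Please confirm that get_scan_id really resolves a scanner name; if it returns the id of a scan instead, rename the variable and reword the warning so the log does not point at the wrong object. Also, inside the warn branch $scanner_id is always the empty string, so the message never says which name failed; log $scanner_name there, and check for an undefined return value before the eq "" comparison.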

You could create a file nessus_patch.diff and use the patch command to 
apply it:


patch -p1 < nessus_patch.diff

Let us know if that helps,

Thanks

On 06/28/2017 11:39 AM, Jacek Kurek via PacketFence-users wrote:

Hi All,

I have a problem with configuration. Of course I read the documentation 
and tutorials but it didn't resolve my problem. Could you help me with 
that?


My purpose is building a configuration (PF+Nessus) in which, when I 
plug some vulnerable host into the switch (e.g. with the WannaCry 
vulnerability), Nessus detects it and moves that host to a 
separate VLAN.


I have installed and configured PacketFence. I'm using a test switch, 
which is a Cisco Catalyst 2960G. PF was configured in VLAN enforcement 
and VLAN enforcement works fine.


Next, I installed Nessus 6. I added a new account for collaborating 
with PacketFence and I created a new scanner and a new policy in Nessus 
(both are called "wannacry_audit"). Next, in PacketFence I created a new 
scanner. I chose Nessus6 and I filled in all required gaps, also the name of 
the scanner and policy. Next I went to the Violation configuration. _My first 
question is: can I use the existing violation called "Nessus Scan" or 
should I create a new violation with a different (new) ID?_ Because I 
wasn't sure, I modified the existing "Nessus scan". _Next question: how 
and where can I find the ID of the scanner which should be added to 
triggers?_


I found in the Nessus subdirectory a file which should be related to 
the type of scanner which I chose (WannaCry Ransomware (MS17-010 / 
CVE-2017-0144)). The file is 
/opt/nessus/lib/nessus/plugins/smb_nt_ms17-010.nasl. The file 
includes a line "script_id(97737);". I suppose that 97737 is the ID 
which I have to write as trigger in the violation. So I did it.


The next configuration step which I made was editing the default 
configuration profile and adding the defined scanner (wannacry_audit) to 
the profile. Finally I connected a laptop with an out-of-date Windows XP 
system to the switch port. Unfortunately, in the log file 
packetfence.log I saw error lines such as below every time (I bolded it):


Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: 
[mac:00:24:e8:xx:xx:xx] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: 
[mac:00:24:e8:xx:xx:xx] grace expired on violation 124 for node 
00:24:e8:xx:xx:xx (pf::violation::violation_add)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: 
[mac:00:24:e8:xx:xx:xx] violation 124 added for 00:24:e8:xx:xx:xx 
(pf::violation::violation_add)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: 
[mac:00:24:e8:xx:xx:xx] executing action 'log' on class 124 
(pf::action::action_execute)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: 
[mac:00:24:e8:xx:xx:xx] /usr/local/pf/logs/violation.log 2017-06-22 
22:54:19: Post Reg System Scan (124) detected on node 
00:24:e8:xx:xx:xx (192.168.0.11) (pf::action::action_log)
Jun 22 22:54:20 pf pfqueue: pfqueue(2083) INFO: 
[mac:00:24:e8:xx:xx:xx] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jun 22 22:54:20 pf pfqueue: pfqueue(2083) INFO: 
[mac:00:24:e8:xx:xx:xx] New ID generated: 149816486064eeff 
(pf::util::generate_id)
*_Jun 22 22:54:21 pf pfqueue: pfqueue(2083) ERROR: 
[mac:00:24:e8:xx:xx:xx] Can't locate object method "get_scanner_id" 
via package "Net::Nessus::REST" at 
/usr/local/pf/lib/pf/scan/nessus6.pm line 106.

(pf::api::can_fork::notify)_*

Could you tell me what's the problem? I tried modifying the 
configuration in different ways (both on PacketFence and on Nessus), 
but every time the error happened and the vulnerability scanner doesn't work.


Best regards,
Jacek Kurek




Re: [PacketFence-users] mab+802.1x authentication

2017-06-07 Thread Antoine Amacher via PacketFence-users

Hello Lucas,


You have to use another source yes, if it is for a 'Guest' access then 
why not use the email, SMS or sponsor source for instance. Add the 
sources you want to be able to authenticate with in the connection profile.


If you do not add any sources, ALL configured sources will be available.

Also make sure you are testing with a client which is not in the domain.


Thanks


On 06/07/2017 08:47 AM, luca comes via PacketFence-users wrote:


Hi Antoine,

I'm doing more tests but it's not so clear point 2. To match the new 
connection profile I need to specify also a source other than the 
connection type filter? In that case which type of source should I 
add? I want that clients not 802.1x able or outside of my domain take 
a specific profile and put them on the registration VLAN. At the 
moment I've created a new connection profile as you suggested and 
configured the switch to use mab after 802.1x timeout but the clients 
are always registered and assigned to a role specified in another 
connection profile.



Luca


*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Wednesday, May 31, 2017 22:19
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,


1. I am pretty sure Windows does favor UserAuthentication if a User is 
logged in and "User or Machine" is selected in the supplicant.


You could also set up the connection as UserAuth only, but then you 
lose your Machine Authentication. Have a look in VLANfilters, there is 
a case example where we want the endpoint to have a machine account 
before being allowed UserAuthentication. Which means every device matching 
this filter will have to do Machine Auth first, then User Auth.


You could also reduce the timeout for 802.1x re-auth on the switch 
configuration, which would force a re-authentication from the device.



2. To force a profile to be used when the connection is MAB, simply 
add a filter in the connection profile: 'Connection Type: WIRED_MAC_AUTH'.



Thanks


On 05/31/2017 03:24 AM, luca comes wrote:


Hi Antoine,

I then tried and machine auth is working fine. The main problem is 
that when a user logs in it's not moved to the right VLAN. Debugging 
802.1x requests on the switch I can see that dot1x times out and it 
scales to mab authentication. So I have two questions:



 1. Is there a way to force the client to send the user? I've
    configured it with the option user or machine authentication.
    Could it be a client's bug? I'm testing on a Windows 10 machine
    at the moment, I will try the same on a Windows 8 client;
 2. When it switches to mab authentication it gets owner default and
    takes a profile (named Test at the moment) but I don't understand
    how to associate the profile associated to the mab auth;


Thanks


Luca


------------
*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Tuesday, May 30, 2017 15:39
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Luca,


For this case make sure the authentication type selected on the 
supplicant is "User authentication or Machine authentication", make 
sure both user and machine AD sources are enabled on the connection 
profile.


This will allow for the machine to do MachineAuth when nobody is 
logged in on the machine, and when a User logs in it will do User 
authentication.



So during MachineAuth, the device will be assigned to VLAN X -> Only 
AD, when user logs in, the device will be assigned to VLAN Y -> User 
VLAN.



Thanks


On 05/30/2017 04:17 AM, luca comes wrote:


hi Antoine,

thank you for your help. I tried with the new profile and I can do 
machine authentication now. But I have a problem, at the first step 
I do machine auth to put the hosts on a dedicated VLAN that can see 
only active directory and nothing more. At this step the user can 
authenticate on the machine or change AD password and so on. But 
when the user is logged on I want to put them on another VLAN based on 
the role associated to the AD group? At the moment the user is 
authenticated so I can see the node status registered to the user 
with the correct role but no VLAN change is made. Is that possible?



Luca


------------
*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Monday, May 29, 2017 17:55
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,


To use MachineAuthentication, create an AD source like the one used 
for your UserAuthentication, replace the Username attribute: 
"sA

Re: [PacketFence-users] New PF 7.0 Cluster Configuration Question

2017-05-31 Thread Antoine Amacher
sk
2017-05-31 15:53:27 140202702010112 [Note] WSREP: forgetting c23cc2a6 
(tcp://10.18.0.38:4567)
2017-05-31 15:53:27 140202693617408 [Note] WSREP: New COMPONENT: 
primary = yes, bootstrap = no, my_idx = 1, memb_num = 2
2017-05-31 15:53:27 140202693617408 [Note] WSREP: STATE EXCHANGE: 
Waiting for state UUID.
2017-05-31 15:53:28 140202702010112 [Note] WSREP: (d53696c2, 
'tcp://0.0.0.0:4567') connection established to c23cc2a6 
tcp://10.18.0.38:4567
2017-05-31 15:53:28 140202702010112 [Warning] WSREP: discarding 
established (time wait) c23cc2a6 (tcp://10.18.0.38:4567)
2017-05-31 15:53:30 140202702010112 [Note] WSREP:  cleaning up 
c23cc2a6 (tcp://10.18.0.38:4567)





--

Peter Reilly
Wycliffe Bible Translators
peter_rei...@wycliffe.org




Re: [PacketFence-users] mab+802.1x authentication

2017-05-31 Thread Antoine Amacher

Hello Lucas,


1. I am pretty sure Windows does favor UserAuthentication if a User is logged 
in and "User or Machine" is selected in the supplicant.


You could also set up the connection as UserAuth only, but then you lose 
your Machine Authentication. Have a look in VLANfilters, there is a case 
example where we want the endpoint to have a machine account before 
being allowed UserAuthentication. Which means every device matching this 
filter will have to do Machine Auth first, then User Auth.


You could also reduce the timeout for 802.1x re-auth on the switch 
configuration, which would force a re-authentication from the device.



2. To force a profile to be used when the connection is MAB, simply add 
a filter in the connection profile: 'Connection Type: WIRED_MAC_AUTH'.



Thanks


On 05/31/2017 03:24 AM, luca comes wrote:


Hi Antoine,

I then tried and machine auth is working fine. The main problem is 
that when a user logs in it's not moved to the right VLAN. Debugging 
802.1x requests on the switch I can see that dot1x times out and it 
scales to mab authentication. So I have two questions:



 1. Is there a way to force the client to send the user? I've
    configured it with the option user or machine authentication.
    Could it be a client's bug? I'm testing on a Windows 10 machine at
    the moment, I will try the same on a Windows 8 client;
 2. When it switches to mab authentication it gets owner default and
    takes a profile (named Test at the moment) but I don't understand
    how to associate the profile associated to the mab auth;


Thanks


Luca


--------
*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Tuesday, May 30, 2017 15:39
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Luca,


For this case make sure the authentication type selected on the 
supplicant is "User authentication or Machine authentication", make 
sure both user and machine AD sources are enabled on the connection 
profile.


This will allow for the machine to do MachineAuth when nobody is 
logged in on the machine, and when a User logs in it will do User 
authentication.



So during MachineAuth, the device will be assigned to VLAN X -> Only AD, 
when user logs in, the device will be assigned to VLAN Y -> User VLAN.



Thanks


On 05/30/2017 04:17 AM, luca comes wrote:


hi Antoine,

thank you for your help. I tried with the new profile and I can do 
machine authentication now. But I have a problem, at the first step I 
do machine auth to put the hosts on a dedicated VLAN that can see 
only active directory and nothing more. At this step the user can 
authenticate on the machine or change AD password and so on. But when 
the user is logged on I want to put them on another VLAN based on the 
role associated to the AD group? At the moment the user is 
authenticated so I can see the node status registered to the user 
with the correct role but no VLAN change is made. Is that possible?



Luca


------------
*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Monday, May 29, 2017 17:55
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,


To use MachineAuthentication, create an AD source like the one used 
for your UserAuthentication, replace the Username attribute: 
"sAMAccountName" by "ServicePrincipalName". That will allow you to do 
MachineAuthentication. Make sure to add this source on your 
connection profile.



If the machine is in the domain with a valid machine account then it 
will be able to authenticate.



To properly test MachineAuthentication, make sure that it is allowed 
or enforced in the 802.1x supplicant configuration.



Thanks


On 05/29/2017 11:34 AM, luca comes wrote:


Hi Pedro,

yes I think so but I don't understand how to do this. I need to do a 
new connection profile for it? At the moment I have only one 
connection profile other than the default that take care of users. 
I'm really confused.



Thanks


Luca


*From:* Pedro Simões <pedro.sim...@layer8.pt>
*Sent:* Monday, May 29, 2017 17:06
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

I think for that scenario you need to use machine authentication.

*From:*luca comes [mailto:lucaco...@hotmail.it]
*Sent:* Monday, May 29, 2017 3:12 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] mab+802.1x authentication

Hi all,

I successfully configured last release of PF with Cisco Catalyst 
3750G to perform 802.1x a

Re: [PacketFence-users] mab+802.1x authentication

2017-05-30 Thread Antoine Amacher

Hello Luca,


For this case make sure the authentication type selected on the 
supplicant is "User authentication or Machine authentication", make sure 
both user and machine AD sources are enabled on the connection profile.


This will allow for the machine to do MachineAuth when nobody is logged 
in on the machine, and when a User logs in it will do User 
authentication.



So during MachineAuth, the device will be assigned to VLAN X -> Only AD, 
when user logs in, the device will be assigned to VLAN Y -> User VLAN.



Thanks


On 05/30/2017 04:17 AM, luca comes wrote:


hi Antoine,

thank you for your help. I tried with the new profile and I can do 
machine authentication now. But I have a problem, at the first step I 
do machine auth to put the hosts on a dedicated VLAN that can see only 
active directory and nothing more. At this step the user can 
authenticate on the machine or change AD password and so on. But when 
the user is logged on I want to put them on another VLAN based on the 
role associated to the AD group? At the moment the user is 
authenticated so I can see the node status registered to the user with 
the correct role but no VLAN change is made. Is that possible?



Luca


--------
*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Monday, May 29, 2017 17:55
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,


To use MachineAuthentication, create an AD source like the one used 
for your UserAuthentication, replace the Username attribute: 
"sAMAccountName" by "ServicePrincipalName". That will allow you to do 
MachineAuthentication. Make sure to add this source on your connection 
profile.



If the machine is in the domain with a valid machine account then it 
will be able to authenticate.



To properly test MachineAuthentication, make sure that it is allowed 
or enforced in the 802.1x supplicant configuration.



Thanks


On 05/29/2017 11:34 AM, luca comes wrote:


Hi Pedro,

yes I think so but I don't understand how to do this. I need to do a 
new connection profile for it? At the moment I have only one 
connection profile other than the default that take care of users. 
I'm really confused.



Thanks


Luca


*From:* Pedro Simões <pedro.sim...@layer8.pt>
*Sent:* Monday, May 29, 2017 17:06
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

I think for that scenario you need to use machine authentication.

*From:*luca comes [mailto:lucaco...@hotmail.it]
*Sent:* Monday, May 29, 2017 3:12 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] mab+802.1x authentication

Hi all,

I successfully configured last release of PF with Cisco Catalyst 3750G 
to perform 802.1x authentication over my AD Domain.


I'm studying the solution because the intention is to deploy it on 
all my sites (more or less 15 sites and 1000 users). Actually the 
server is located on our datacenter in out-of-band deployment and 
locally on my test site I've configured registration and isolation 
VLAN even if they are not used in 802.1x environment. The problem now 
is that I need to permit AD authentication on PC's where credentials 
are not in client's cache but at the beginning neither IP traffic 
nor DHCP is permitted so users can't access the network. I thought 
that a solution could be perform to factor authentication so at the 
start of the process I could use MAB authentication and put them on 
the registration VLAN opened to access the AD. But then I need to do 
802.1x user authentication without pass through the registration 
portal, is that possible? Is there a better way to deploy a solution 
like that?


Thank you in advance

Luca




Re: [PacketFence-users] mab+802.1x authentication

2017-05-29 Thread Antoine Amacher

Hello Lucas,


To use MachineAuthentication, create an AD source like the one used for 
your UserAuthentication, replace the Username attribute: "sAMAccountName" 
by "ServicePrincipalName". That will allow you to do 
MachineAuthentication. Make sure to add this source on your connection 
profile.



If the machine is in the domain with a valid machine account then it 
will be able to authenticate.



To properly test MachineAuthentication, make sure that it is allowed or 
enforced in the 802.1x supplicant configuration.



Thanks


On 05/29/2017 11:34 AM, luca comes wrote:


Hi Pedro,

yes I think so but I don't understand how to do this. I need to do a 
new connection profile for it? At the moment I have only one 
connection profile other than the default that take care of users. I'm 
really confused.



Thanks


Luca


*From:* Pedro Simões <pedro.sim...@layer8.pt>
*Sent:* Monday, May 29, 2017 17:06
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

I think for that scenario you need to use machine authentication.

*From:*luca comes [mailto:lucaco...@hotmail.it]
*Sent:* Monday, May 29, 2017 3:12 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] mab+802.1x authentication

Hi all,

I successfully configured last release of PF with Cisco Catalyst 3750G 
to perform 802.1x authentication over my AD Domain.


I'm studying the solution because the intention is to deploy it on all 
my sites (more or less 15 sites and 1000 users). Actually the server 
is located on our datacenter in out-of-band deployment and locally on 
my test site I've configured registration and isolation VLAN even if 
they are not used in 802.1x environment. The problem now is that I 
need to permit AD authentication on PC's where credentials are not in 
client's cache but at the beginning neither IP traffic nor DHCP is 
permitted so users can't access the network. I thought that a solution 
could be perform to factor authentication so at the start of the 
process I could use MAB authentication and put them on the 
registration VLAN opened to access the AD. But then I need to do 
802.1x user authentication without pass through the registration 
portal, is that possible? Is there a better way to deploy a solution 
like that?


Thank you in advance

Luca





Re: [PacketFence-users] Custom iptables rule?

2017-05-18 Thread Antoine Amacher

Hello Jes,

You can write your line in conf/iptables.conf, this file will be used to 
generate the iptables configuration when PacketFence starts.


Thanks


On 05/18/2017 08:29 AM, Jes Kasper Klittum wrote:


Hey guys,

I can see that Packetfence use iptables to handle traffic, and that 
poses a problem for me, as I need port 6556 to be open from my OMD 
monitoring host. How do I accomplish this without breaking Packetfence?


Can I just add to /usr/local/pf/conf/iptables.conf, or will this file 
be overwritten when restarting Packetfence?


Best regards,

Jes Kasper Klittum
Head of IT
BISCA A/S






Re: [PacketFence-users] PF do not start after upgrade

2017-05-17 Thread Antoine Amacher
0 
libwind0-heimdal libwmiclient1 libwww-curl-perl
  libwww-mechanize-perl libwww-twilio-api-perl libxmlrpc-lite-perl libxmlsec1 libxmlsec1-openssl
  libyaml-libyaml-perl libyaml-perl libyaml-syck-perl libyaml-tiny-perl libzip2 lvm2 mariadb-common
  mariadb-server-core-10.1 mysql-common nodejs openssl-blacklist-extra owfs-common p0f packetfence-config
  packetfence-doc packetfence-golang-daemon packetfence-ntlm-wrapper packetfence-pfcmd-suid
  packetfence-redis-cache perltidy python-characteristic python-django python-django-common
  python-django-tagging python-mysqldb python-pam python-pyasn1-modules python-pyparsing python-serial
  python-service-identity python-simplejson python-sqlparse python-twisted-bin python-twisted-core
  python-whisper redis-server redis-tools rrdtool rsync samba samba-dsdb-modules samba-vfs-modules snmp snmpd
  snmptrapfmt socat sqlite3 sscep sudo tdb-tools vlan winbind wmi-client
Veuillez utiliser « apt-get autoremove » pour les supprimer.
Les paquets supplémentaires suivants seront installés :
  freeradius freeradius-ldap freeradius-mysql freeradius-redis freeradius-rest freeradius-utils golang-1.7-go
  golang-1.7-src libcrypt-cbc-perl libcrypt-rijndael-perl libfreeradius3 liblua5.3-0 libmariadbclient18
  libmysqlclient18 mariadb-server-core-10.1 packetfence-doc packetfence-golang-daemon
Paquets suggérés :
  freeradius-postgresql freeradius-krb5 bzr git mercurial subversion
Paquets recommandés :
  g++ gcc libc6-dev pkg-config
Les paquets suivants seront ENLEVÉS :
  mysql-client-5.5 mysql-server mysql-server-5.5 mysql-server-core-5.5 packetfence
Les NOUVEAUX paquets suivants seront installés :
  golang-1.7-go golang-1.7-src libcrypt-cbc-perl libcrypt-rijndael-perl liblua5.3-0 libmariadbclient18
  mariadb-server-core-10.1 packetfence-doc packetfence-golang-daemon
Les paquets suivants seront mis à jour :
  freeradius freeradius-ldap freeradius-mysql freeradius-redis freeradius-rest freeradius-utils libfreeradius3
  libmysqlclient18
8 mis à jour, 9 nouvellement installés, 5 à enlever et 2 non mis à jour.
2 partiellement installés ou enlevés.
Il est nécessaire de prendre 51,2 Mo dans les archives.
Après cette opération, 17,5 Mo d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n] n
Annulation.

Do you have any clues about this issue? I tried several actions 
found randomly on Google, with no luck :-(


Thx again for your help :-)

Regards

Greg

Thanks a lot everyone.





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Admin not listening on 1443 on ZEN 7.0

2017-05-09 Thread Antoine Amacher

Hello Akala,

You tried to execute conf/ssl/server.pem instead of writing to the file.

Try this:

cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem


Thanks


On 05/09/2017 03:16 PM, Akala Kehinde wrote:

Hi Everyone,

Newly installed Zen 7.0, but portal isn't working.
Haproxy is running but can't find any host listening on 1443
Seems to be a certificate issue, tried replacing the .pem file with the 
.crt and .key files but was denied access.


[root@packetfence ssl]#  netstat -ant | grep 1443
[root@packetfence ssl]#

[root@packetfence ssl]# cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key | /usr/local/pf/conf/ssl/server.pem

-bash: /usr/local/pf/conf/ssl/server.pem: Permission denied

[root@packetfence ssl]# ps -efd | grep haproxy
haproxy   1248 1  0 11:33 ? 00:00:00 haproxy -f /usr/local/pf/var/conf/haproxy.conf
haproxy   1249 1  0 11:33 ? 00:00:00 haproxy -f /usr/local/pf/var/conf/haproxy.conf
root  1833 1  0 11:40 ? 00:00:00 /usr/sbin/haproxy-systemd-wrapper -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid
haproxy   1836  1833  0 11:40 ? 00:00:00 /usr/sbin/haproxy -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -Ds
haproxy   1837  1836  0 11:40 ? 00:00:00 /usr/sbin/haproxy -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -Ds
haproxy   1838  1836  0 11:40 ? 00:00:00 /usr/sbin/haproxy -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -Ds
root  7037   661  0 12:46 pts/0 00:00:00 grep --color=auto haproxy
[root@packetfence ssl]#

Zen 6.5 worked like a charm but can't get around d portal issues on 7.0.
Any help is appreciated here..

Regards,
Kehinde




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
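
An added example, not part of the original thread and not PacketFence's own tooling: a shell function that builds the combined certificate-plus-key PEM from the exchange above with a redirect, rejects swapped or wrong inputs, and leaves the bundle readable by its owner only because it contains the private key. The function name `build_server_pem` is hypothetical.

```shell
# build_server_pem CERT KEY OUT
# Concatenate CERT and KEY into OUT (certificate first, then key).
# Usage with the paths from the thread:
#   build_server_pem /usr/local/pf/conf/ssl/server.crt \
#                    /usr/local/pf/conf/ssl/server.key \
#                    /usr/local/pf/conf/ssl/server.pem
build_server_pem() {
    crt=$1
    key=$2
    out=$3

    # Both inputs must be readable before anything is written.
    [ -r "$crt" ] || { echo "cannot read certificate: $crt" >&2; return 1; }
    [ -r "$key" ] || { echo "cannot read private key: $key" >&2; return 1; }

    # Catch swapped or wrong files by checking the PEM armor of each input.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" \
        || { echo "$crt does not contain a certificate" >&2; return 2; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" \
        || { echo "$key does not contain a private key" >&2; return 2; }

    # Write to a temporary file next to the destination, restrict it to the
    # owner, then rename it into place so readers never see a partial bundle.
    tmp=$(mktemp "${out}.XXXXXX") || return 3
    if chmod 600 "$tmp" && cat "$crt" "$key" > "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
}
```

The shell pipe (`|`) in the failing command tries to run `server.pem` as a program, which is why bash reports "Permission denied"; the redirect (`>`) writes to it instead.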



Re: [PacketFence-users] PF 7.0.0 - Connection Profile Preview not working as designed

2017-05-04 Thread Antoine Amacher

Hello Andrew,

Did you re-apply the maintenance?

Is this happening when you click 'Preview' via the connection profile 
list or when you are in the configuration of a connection profile or 
in both cases?


Thanks


On 05/04/2017 10:10 AM, Torry, Andrew wrote:


I am pretty sure this is a bug as I have rebuilt a new server and 
still have the same issue.


The ‘Preview’ option in the admin GUI displays the ‘Default’ profile 
for all profiles.


Regards

Andrew

*From:*Torry, Andrew [mailto:andrew.to...@fxplus.ac.uk]
*Sent:* 27 April 2017 14:01
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] packetfence-zen 7.0.0

Hi Fabrice,

Running pf-maint.pl has fixed the 501 error so that the PREVIEW button 
now works for all profiles but they are now all displaying a preview of 
the ‘default’ profile no matter which profile I am actually previewing.


If I change the portal module chain for the default profile I see the 
same chain with all the others regardless of their actual settings.


The customised ‘layout.html’ file in alternative profiles is being 
ignored too in the previews (Change to colour scheme for instance).


The logo setting in the profile is also being ignored as well when 
previewing.


Andrew

*From:*Fabrice Durand [mailto:fdur...@inverse.ca]
*Sent:* 27 April 2017 13:37
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] packetfence-zen 7.0.0

Hello Andrew,

it has been fixed in the maintenance branch, let's run pf-maint.pl.

Regards

Fabrice

On 2017-04-27 at 04:51, Torry, Andrew wrote:

Hi again folks,

I just realised that the ‘Preview’ button that does work after
opening the connection profile in the GUI is not previewing the
selected profile at all but is actually just previewing the ‘default’
profile regardless of which profile is opened in the GUI.

Any ideas what might be wrong?

Andrew

*Andrew Torry*

Senior Infrastructure Engineer

Tel: 01326 370760

Email: andrew.to...@fxplus.ac.uk <mailto:andrew.to...@fxplus.ac.uk>




--
Fabrice Durand
fdur...@inverse.ca <mailto:fdur...@inverse.ca>  ::  +1.514.447.4918 (x135) 
::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] oauth2

2017-05-01 Thread Antoine Amacher
MJ,

For the source, I'll advise you to take the twitter one as an example 
which is simple. If you need help to develop it, you can contact us at 
supp...@inverse.ca.

We could develop it if OpenID is something used a lot, and if there is a 
common interest in it.

Thanks


On 05/01/2017 03:15 PM, lists wrote:
> Hi Antoine,
>
> Thanks for your reply, also on this OpenID Connect subject.
>
> There is a small wordpress addon that does exactly that:
> https://github.com/daggerhart/openid-connect-generic
>
> The only things you needed to configure it, are your own OpenID Connect
> server specifics, such as issuer, authorization_endpoint,
> token_endpoint, etc, etc.
>
> And those are usually in the docs of whatever product you like.
>
> Using that plugin, it was actually very easy to configure wordpress
> against the keycloak openid connect. (in fact: MUCH easier than SAML!)
>
> But I will try if I can concoct a keycloak-specific new source myself,
> as we have sponsored quite some projects lately, and our funding is not
> endless... ;-)
>
> MJ
>
> On 1-5-2017 20:26, Antoine Amacher wrote:
>> Hello MJ,
>>
>> We do not have a 'generic' OAuth2 source, as each OAuth2 has its own API,
>> parameters to authorize, get the token are different, sometimes it
>> requires a scope, sometimes a token parameter, sometimes none.
>>
>> Create a new OAuth source is not too complicated if we have a test
>> account and adequate documentation, but will require a bit of code. I do
>> like the idea of generic, but I am not sure it will be that generic
>> because of arguments stated earlier.
>>
>> The best option here seems to develop a new source for Keycloak OpenID,
>> unless we rework the way how OAuth2 sources are coded.
>>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] captive portal customization

2017-05-01 Thread Antoine Amacher
Hello MJ,

You are able to change those via the Portal Modules (Advanced Access 
Configuration -> Portal Modules, if you are running 7.0.0).

Look for the modules "default_login_policy" and "default_guest_policy", 
you can change how they are called via the description field.

Thanks


On 05/01/2017 01:21 PM, lists wrote:
> Hi,
>
> I like the way to customize the captive portal, nowadays. Nice
> improvements since the version 5.6.1 we're still on.
>
> One question:
>
> Can we customize the way authentication methods are called? (under
> "Select an authentication method")
>
> (we use only two: "Username/password" and "Guest signup", but we would
> like to adjust their names a little bit)
>
> MJ
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] oauth2

2017-05-01 Thread Antoine Amacher
Hello MJ,

We do not have a 'generic' OAuth2 source, as each OAuth2 has its own API, 
parameters to authorize, get the token are different, sometimes it 
requires a scope, sometimes a token parameter, sometimes none.

Create a new OAuth source is not too complicated if we have a test 
account and adequate documentation, but will require a bit of code. I do 
like the idea of generic, but I am not sure it will be that generic 
because of arguments stated earlier.

The best option here seems to develop a new source for Keycloak OpenID, 
unless we rework the way how OAuth2 sources are coded.

Thanks

On 05/01/2017 02:14 PM, lists wrote:
> Hi,
>
> Last question for today! :-)
>
> We are running RedHat's Keycloak, a saml / openid connect / oauth2 IDP,
> and would like to use OpenID Connect to authenticate our users. We have
> noticed that packetfence has SAML auth support, true, but SAML is so
> much harder to setup than OpenID Connect.
>
> And since packetfence supports all kinds of OAuth2 clients... is there a
> way to configure a packetfence usersource against a generic OAuth2
> server, such as the RedHat Keycloak IDP?
>
> Best regards,
> MJ
>
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] packetfence-zen 7.0.0

2017-04-26 Thread Antoine Amacher

David,

Management is a RADIUS interface by default, it's like adding a portal 
daemon to a registration interface, it does it already.


But yeah we might add a check in the GUI, to not add radius on 
management and portal on reg for instance.


Thanks


On 04/25/2017 10:33 PM, David Murrell wrote:

Hi,

I'm trying out the new version, and I've found if I set the management 
interface to have an extra radius daemon, like this:


Inline image 1


radiusd won't start, because its already listening on that address:

server packetfence-cli { # from file 
/usr/local/pf/raddb/sites-enabled/packetfence-cli

 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server packetfence-cli
auth:  Opening IP addresses and Ports 
listen {
type = "auth"
virtual_server = "packetfence"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
virtual_server = "packetfence"
ipaddr = 1.2.3.4
port = 0
}
listen {
type = "auth"
virtual_server = "packetfence"
ipaddr = 1.2.3.4
port = 0
Failed binding to auth address 1.2.3.4 port 1812 bound to server 
packetfence: Address already in use
/usr/local/pf/raddb/auth.conf[23]: Error binding to port for 1.2.3.4 
port 1812



It's possibly worth fixing that in the gui so as to stop autofoot 
shooting?


Cheers,
David








--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
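
An added example, not part of the original thread and not PacketFence or FreeRADIUS code: a pre-restart check that parses `listen { ... }` sections and reports any type/address/port combination declared more than once, which is the condition behind the "Address already in use" failure quoted above. The function names are hypothetical, the sample configuration is constructed from the debug output in the message, and mapping `port = 0` to 1812 (auth) or 1813 (acct) is an assumption about the default ports.

```shell
# Constructed sample: the listen sections from the debug output above,
# written back out as configuration text (the nested limit block is added
# to exercise the parser).
sample_listen_config() {
    cat <<'EOF'
listen {
    type = "auth"
    virtual_server = "packetfence"
    ipaddr = 127.0.0.1
    port = 18120
}
listen {
    type = "auth"
    virtual_server = "packetfence"
    ipaddr = 1.2.3.4
    port = 0
}
listen {
    type = "auth"
    virtual_server = "packetfence"
    ipaddr = 1.2.3.4
    port = 0
    limit {
        max_connections = 16
    }
}
EOF
}

# find_duplicate_listeners [FILE...]
# Prints "type ipaddr port" once for every listener declared more than once
# and returns 1 if any were found. Reads stdin when no file is given, e.g.
#   find_duplicate_listeners /usr/local/pf/raddb/auth.conf
find_duplicate_listeners() {
    awk '
        function finish(   key) {
            # Assumption: port 0 (or no port) means the default for the type.
            if (port == "" || port == "0") {
                if (ltype == "auth") port = "1812"
                else if (ltype == "acct") port = "1813"
                else port = "0"
            }
            key = ltype " " ip " " port
            if (++seen[key] == 2) { print key; dup = 1 }
        }
        # Start of a top-level listen section: reset the collected fields.
        depth == 0 && /^[ \t]*listen[ \t]*\{/ {
            depth = 1; ltype = ""; ip = "*"; port = ""; next
        }
        depth > 0 {
            line = $0
            sub(/#.*$/, "", line)                      # drop comments
            if (line ~ /\{[ \t]*$/) { depth++; next }  # nested block opens
            if (line ~ /^[ \t]*\}/) {                  # a block closes
                if (--depth == 0) finish()
                next
            }
            if (depth != 1) next                       # ignore nested settings
            gsub(/[ \t"]/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            name = substr(line, 1, eq - 1)
            value = substr(line, eq + 1)
            if (name == "type") ltype = value
            else if (name == "ipaddr" || name == "ipv4addr" || name == "ipv6addr") ip = value
            else if (name == "port") port = value
        }
        END { exit (dup ? 1 : 0) }
    ' "$@"
}
```

Run against the sample, the function prints `auth 1.2.3.4 1812`, the same address and port that radiusd fails to bind in the quoted log.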



Re: [PacketFence-users] Redirecting Issues with Captive Portal

2017-04-18 Thread Antoine Amacher

Hi Kehinde,

This usually means that the radiusDisconnect or CoA did not receive a 
proper answer from the switch or no new RADIUS request has been sent, 
so PacketFence doesn't know if the device has been moved to another 
VLAN. If the message disappears after trying to connect/reconnect the 
device to the switch or SSID, then it should be your issue.


Thanks


On 04/16/2017 02:15 PM, Akala Kehinde wrote:

Hi All.

On transfer to the registration VLAN I get this error.. "Unable to 
detect network connectivity. Try restarting your web browser or 
opening a new tab to see if your access has been succesfully 
enabled"... even though there is internet connection but redirection 
doesn't work..


I guess this is a known issue, anyone with a fix to this?

Regards,
Kehinde




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Possible to override the default profile?

2017-04-18 Thread Antoine Amacher

Hello Kehinde,

That is not something we do since conditions have always worked.

If your device matches the default portal profile, then I expect your 
condition to not be exact for the match. Try something simple like an 
SSID or a Switch match for your custom portal profile. Then implement 
multiple conditions if needed.


Thanks

On 04/16/2017 02:06 PM, Akala Kehinde wrote:

Hi All,

Have problems with Packetfence identifying a custom profile defined. 
Always matches the default profile first, and there is no way to 
reorder the default profile.

Any ways to have like a "default deny" instead of a "default accept" ..

Regards,
Kehinde




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Authentication against Active Directory [NOT PROTECTIVELY MARKED]

2017-03-24 Thread Antoine Amacher

Hello Stephen,

The account to join the domain needs to be Domain Admin, the password will 
not be saved. (used once)


The account to do the authentication via the source LDAP from 
PacketFence needs to be a read-only account. (used at every connection attempt)


Thanks


On 03/24/2017 08:07 AM, Stephen Ware wrote:


*This email has been classified as:**NOT PROTECTIVELY MARKED*

Hi there,

I’m fairly new to PF and have just set up v6.5.0 on CentOS 7. I have 
the basics working on a standalone setup and the next step is to 
integrate PF into a Windows domain with the ultimate aim of doing 
certificate-based authentication using 802.1X on all wired connections.


My question involves the domain admin level account used for querying 
AD when using the built-in FreeRADIUS and authenticating against 
Active Directory.


The PF Administration Guide states the account must be a domain 
account, “*Username* is the username that will be used for binding to 
the server. This account must be a domain administrator.”


There are obvious security risks when using domain administrator 
accounts so I was hoping to use a non-administrator account. I have 
other situations where applications are doing AD lookups and 
authentication that work ok with read-only accounts. Why does PF 
require domain administrator level?


Steve




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Android Provisioner profile error

2017-02-27 Thread Antoine Amacher

Hello Dean,

Just to let you know I tested it on my side and it works fine (using 
MSPKI), are you prompted for the user certificate password when the app 
is installing the profile?


The app does not 'tell' you the user certificate has been installed, 
even if it's still doing it.


What happens when you try to connect to the provisioned SSID after the 
profile was installed? Does it fail? Ask you for the user certificate? 
Others?


Thanks

On 02/25/2017 10:22 PM, Dean Holland wrote:


What's the next step now, send a copy of the XML profile to someone to 
test with?



On Sun, 19 Feb 2017, 7:31 PM Dean Holland <speeds...@haveacry.com 
<mailto:speeds...@haveacry.com>> wrote:


Hi Antoine,

Yes - iOS works, I unregistered a device, cleared its user and
role, deleted the existing wireless profile and was able to
register it again and install the wireless profile.

I've tried with three different Android tablets and OS versions -
5.1, 6.0 and 7.0. In all cases the agent only installs the CA
certificate.

Dean


On Sat, 18 Feb 2017, 2:25 AM Antoine Amacher <aamac...@inverse.ca
<mailto:aamac...@inverse.ca>> wrote:

Hello Dean,

Does the provisioning work on other platforms, for instance
Windows or iOS?

Did you try with different Android versions/devices?

Thanks


On 02/16/2017 08:42 PM, Dean Holland wrote:


I have tried again with 6.5 and the Android agent still only
installs a CA cert. I have verified the CA certificate in the
profile is that in the chain for FreeRADIUS and the client
certificate.

I'm not sure what else I can do to help diagnose this, if I
send an XML profile to someone off-list would that help?

Dean


On Sun, 29 Jan 2017, 11:36 AM Dean Holland
<speeds...@haveacry.com <mailto:speeds...@haveacry.com>> wrote:

Thanks Fabrice.

One step closer now! It looks like the user certificate
is in the XML profile, but after entering the generated
password the agent only asks to install one CA
certificate - it doesn't seem to find the user
certificate in the profile.


On Sun, 29 Jan 2017, 9:57 AM Durand fabrice
<fdur...@inverse.ca <mailto:fdur...@inverse.ca>> wrote:

Hello Dean,

It has been fixed in devel, it was because of an
apache filter.

cd /usr/local/pf

wget https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

And don't forget to rename
apache_filters.conf.example to apache_filters.conf
and do a pfcmd configreload hard


Regards

Fabrice


On 2017-01-28 at 20:45, Dean Holland wrote:

So I changed the httpd.portal.tt file to use RSA ciphers for
TLS, which allowed me to decrypt a packet capture of
the registration interface with Wireshark, the agent
is getting a 501 error from the portal. HTTP trace
follows.

GET /profile.xml HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
Host: www.packetfence.org
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 501 Not Implemented
Date: Sun, 29 Jan 2017 01:34:52 GMT
Server: Apache
X-DNS-Prefetch-Control: off
Allow:
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

501 Not Implemented
Not Implemented
GET to /profile.xml not supported.


Dean

On Fri, Jan 6, 2017 at 9:27 AM Dean Holland
<speeds...@haveacry.com
<mailto:speeds...@haveacry.com>> wrote:

Hi Fabrice,

Correct - nothing in that log file either.

On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice
<fdur...@inverse.ca <mailto:fdur...@inverse.ca>>
wrote:

it's normal that it's an iphone profile
since the android app use the same format.

Nothing in httpd.portal.catalyst too ?



Le 2017-01-05 à 01:46, De

Re: [PacketFence-users] Android Provisioner profile error

2017-02-17 Thread Antoine Amacher
  
(pf::Authentication::Source::LDAPSource::search_attributes_in_subclass)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Found provisioner android-haveacry for 30:85:a9:4b:5b:e7 (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)





--
Antoine A

Re: [PacketFence-users] PF 6.5 Radiusd service not starting

2017-02-17 Thread Antoine Amacher

Hello Michael,


Can you verify if you have a raddb/mode-availables/mschap.rpmnew?


If yes do the following:


mv raddb/mode-availables/mschap.rpmnew raddb/mode-availables/mschap


Thanks


On 02/16/2017 10:50 AM, Campanaro, Michael wrote:


Hello,


I just upgraded my PF servers from version 6.4.0 to 6.5.0 this morning 
and followed the upgrade document while doing so. Everything went fine 
but now my radiusd service isn't starting on either of my servers. 
These are the messages I'm getting in the radius log:



Thu Feb 16 10:39:16 2017 : Info: rlm_sql (pfguest): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Info: rlm_sql (pfsponsor): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Info: rlm_sql (pfsms): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Info: rlm_sql (pflocal): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Warning: rlm_sql (sql_reject): groupmemb_query is empty.  Please delete it from the configuration
Thu Feb 16 10:39:16 2017 : Warning: rlm_sql (sql_reject): authorize_check_query is empty.  Please delete it from the configuration
Thu Feb 16 10:39:16 2017 : Info: rlm_sql (sql_reject): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Info: Loaded virtual server 
Thu Feb 16 10:39:16 2017 : Info: Loaded virtual server dynamic_clients
Thu Feb 16 10:39:16 2017 : Info: Loaded virtual server packetfence
Thu Feb 16 10:39:16 2017 : Error: raddb//sites-enabled/packetfence-tunnel[182]: Failed to find "mschap_local" as a module or policy.
Thu Feb 16 10:39:16 2017 : Error: raddb//sites-enabled/packetfence-tunnel[182]: Please verify that the configuration exists in raddb//mods-enabled/mschap_local.
Thu Feb 16 10:39:16 2017 : Error: raddb//sites-enabled/packetfence-tunnel[182]: Failed to parse "mschap_local" subsection.
Thu Feb 16 10:39:16 2017 : Error: raddb//sites-enabled/packetfence-tunnel[181]: Failed to parse "if" subsection.
Thu Feb 16 10:39:16 2017 : Error: Failed to load virtual server packetfence-tunnel



Any help would be greatly appreciated.


Thanks,


-Mike






--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] PacketFence-users Digest, Vol 106, Issue 41

2017-02-15 Thread Antoine Amacher

Hello Erik,

you should try to look for the logs on the WLC side, you might have more 
information of why the CoA is not accepted, at least see if the CoA is 
received by the WLC.


Can you also link the 10.0.12.2 and the default section of 
conf/switches.conf ?


Thanks


On 02/14/2017 01:06 PM, Eric Koons wrote:
Thanks for the recommendation to look in pfqueue.log.  Seems like it 
is failing.  I’ve changed ports to 3799 and 1700 and neither works. 
 I’ve also tried changing the shared secret.



Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] 
[28:cf:e9:14:7a:29] DesAssociating mac on switch (10.0.12.2) 
(pf::api::desAssociate)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] 
deauthenticating (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] 
controllerIp is set, we will use controller 10.0.12.2 to perform 
deauth (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Memory 
configuration is not valid anymore for key 
interfaces::management_network in local cached_hash 
(pfconfig::cached::is_valid)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Returning 
ACCEPT with Role: Authorize_any (pf::Switch::Cisco::WLC::try {...} )
Feb 14 13:05:01 pfqueue(10131) WARN: [mac:28:cf:e9:14:7a:29] Unable to 
perform RADIUS CoA-Request on (10.0.12.2): Timeout waiting for a reply 
from 10.0.12.2 on port 1700 at /usr/local/pf/lib/pf/util/radius.pm 
line 162. (pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:01 pfqueue(10131) ERROR: [mac:28:cf:e9:14:7a:29] Wrong 
RADIUS secret or unreachable network device (10.0.12.2)... On some 
Cisco Wireless Controllers you might have to set disconnectPort=1700 
as some versions ignore the CoA requests on port 3799 
(pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:06 pfqueue(9465) ERROR: [mac:18:66:da:81:67:01] Can't 
bind : IO::Socket::INET: connect: Connection refused


Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com

eko...@sectv.com
Office: 610-841-8355
Mobile: 610-533-6834
Fax: 610-797-2445






On Feb 14, 2017, at 11:24 AM, packetfence-users-requ...@lists.sourceforge.net wrote:



Message: 1
Date: Tue, 14 Feb 2017 11:24:21 -0500
From: Antoine Amacher <aamac...@inverse.ca>
Subject: Re: [PacketFence-users] Issue with Guest network on
Packetfence 6.5 and Cisco WLC controller
To: packetfence-users@lists.sourceforge.net
Message-ID: <71e6dc2b-6cf3-4e22-3b4c-2d2da2bee...@inverse.ca>
Content-Type: text/plain; charset="windows-1252"

Hello Eric,

While upgrading from 6.1.2 to 6.5 there are multiple changes to
WebAuth, did you follow the UPGRADE.asciidoc? For instance your WLC (in
Switches) needs to have "External Portal Enforcement" checked.

If everything has been applied, make sure you are still sending the CoA
on the right port. On the WLC it should be 3799 or 1700(depending on the
version of the WLC).

Also have a look in logs/pfqueue.log it should tell you if the CoA has
been received and taken into account by the WLC.

Thanks


On 02/14/2017 10:40 AM, Eric Koons wrote:

So, the scenario I'm about to explain worked fine on PacketFence
6.1.2.  The only thing that changed was I upgraded Packetfence to 6.5.
I have an open SSID guest wifi network.  It's authenticated with an
SMS pin via packetfence.  The issue is that it appears after
successful authentication Packetfence is not sending the COA or Radius
notification to the cisco WLC to change the ACL for the client.  The
only way to get it to work is to disassociate from the wireless network
on the client and then re-associate, then I get full network access.

I've attached the packetfence log file.  Any help is appreciated.

Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
[28:cf:e9:14:7a:29] Activation code sent to email
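
An added example, not part of the original thread and not PacketFence code: a small parser that re-joins the mail-wrapped pfqueue.log records quoted above and pairs each CoA timeout with the deauthentication attempt that preceded it. The function names are hypothetical, and the two 13:12 records for port 3799 are constructed to represent the second port Eric says he tried.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpt modelled on the pfqueue.log lines quoted above, still wrapped the way
# the mail client wrapped them. The two 13:12 records (port 3799) are constructed.
SAMPLE = """\
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29]
deauthenticating (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:05:01 pfqueue(10131) WARN: [mac:28:cf:e9:14:7a:29] Unable to
perform RADIUS CoA-Request on (10.0.12.2): Timeout waiting for a reply
from 10.0.12.2 on port 1700 at /usr/local/pf/lib/pf/util/radius.pm
line 162. (pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:06 pfqueue(9465) ERROR: [mac:18:66:da:81:67:01] Can't
bind : IO::Socket::INET: connect: Connection refused
Feb 14 13:12:30 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29]
deauthenticating (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:12:40 pfqueue(10131) WARN: [mac:28:cf:e9:14:7a:29] Unable to
perform RADIUS CoA-Request on (10.0.12.2): Timeout waiting for a reply
from 10.0.12.2 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm
line 162. (pf::Switch::Cisco::WLC::catch {...} )
""".splitlines()

RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<proc>[\w.]+)\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)$"
)
COA_TIMEOUT = re.compile(
    r"Unable to perform RADIUS CoA-Request on \((?P<nas>[\d.]+)\): "
    r"Timeout waiting for a reply from [\d.]+ on port (?P<port>\d+)"
)


def unwrap(lines):
    """Join continuation lines: a record starts with a syslog-style timestamp."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(lines, year=2017):
    """Turn raw (possibly wrapped) lines into event dicts. The log has no year."""
    events = []
    for rec in unwrap(lines):
        m = RECORD.match(rec)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"when": when, "pid": int(m["pid"]), "level": m["level"],
                       "mac": m["mac"], "msg": m["msg"]})
    return events


def coa_failures(events):
    """Pair each CoA timeout with the last deauth attempt for the same MAC."""
    last_deauth = {}
    failures = []
    for ev in events:
        if "deauthenticating" in ev["msg"]:
            last_deauth[ev["mac"]] = ev["when"]
        m = COA_TIMEOUT.search(ev["msg"])
        if m:
            started = last_deauth.get(ev["mac"])
            waited = (ev["when"] - started).total_seconds() if started else None
            failures.append({"mac": ev["mac"], "nas": m["nas"],
                             "port": int(m["port"]), "waited_s": waited})
    return failures


def ports_without_reply(failures):
    """Per network device, the UDP ports on which no CoA reply ever came back.

    A NAS silently drops a CoA-Request whose authenticator does not verify, so a
    wrong shared secret and an unreachable device look identical from this side:
    both are timeouts. Timeouts on every port tried point away from the port
    number and towards the secret, the CoA client configuration on the
    controller, or filtering of UDP between the two hosts.
    """
    ports = defaultdict(set)
    for f in failures:
        ports[f["nas"]].add(f["port"])
    return {nas: sorted(p) for nas, p in ports.items()}


if __name__ == "__main__":
    found = coa_failures(parse(SAMPLE))
    for f in found:
        print(f)
    print(ports_without_reply(found))
```
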

Re: [PacketFence-users] Issue with Guest network on Packetfence 6.5 and Cisco WLC controller

2017-02-14 Thread Antoine Amacher
t required (current Role = registration but should be in 
Role guest) (pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] 
switch port is (10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth 
(pf::enforcement::_vlan_reevaluation)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] 
External captive portal detected ! 
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] 
Detected external portal client. Using the IP 192.168.200.26 address 
in it's session. 
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] 
Instantiate profile SEGuestPortal 
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] handling 
radius autz request: from switch_ip => (10.0.12.2), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (2c:3f:38:f6:82:80), mac => 
[28:cf:e9:14:7a:29], port => 1, username => "28cfe9147a29", ssid => 
SEGuest (pf::radius::authorize)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] 
Instantiate profile SEGuestPortal 
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] 
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info 
(pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Username 
was defined "28cfe9147a29" - returning role 'guest' 
(pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] PID: 
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest 
(pf::role::fetchRoleForNode)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] 
(10.0.12.2) Added VLAN 154 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] 
(10.0.12.2) Added role Authorize_any to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating 
locationlog from accounting request (pf::api::handle_accounting_metadata)



Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com

eko...@sectv.com
Office: 610-841-8355
Mobile: 610-533-6834
Fax: 610-797-2445










--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Wired Domain-Joined Machine Authentication

2017-02-08 Thread Antoine Amacher

Philip,

Successful authentication =/= registration. Try to define a specific 
portal profile for users who connect via MachineAuth and check the box 
"Automatically register devices" on this portal profile. You could also 
add an AutoRegister filter via the VLAN filter; examples are provided in 
the vlan_filter.example


Thanks


On 02/08/2017 11:54 AM, Philip Damian-Grint wrote:

Hi Antoine,

I reinstalled with PF 6.5.0-1, joined the server to AD, and machine 
authentication now works for a domain-joined PC. The only problem is 
that after a successful authentication, PF always places the port into 
the registration VLAN. It seems to ignore all sources, realms etc, and 
only look at the registration role on the switch itself. Is there 
something different I need to do for this release?




On 6 February 2017 at 18:30, Antoine Amacher <aamac...@inverse.ca> wrote:


Philip,

If you joined the domain via realm or samba from the CLI, there is
a configuration issue to handle machine authentication. It is
fixed in 6.5, running the migrate.pl should
fix your issue.

Thanks


On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:

Hi Antoine,

Thank you for responding.

So I have a source for machine authentication which uses
servicePrincipalName.
I find the instructions unclear for configuring the realm - I
have a default realm which references my machine authentication
source, but with nothing in the Domain field. I am following
option 1b in the admin guide so I haven't run the migrate.pl
task, but rather joined to the domain using
Samba. Is this not correct?




On 6 February 2017 at 16:40, Antoine Amacher <aamac...@inverse.ca> wrote:

Hello Philip

You are trying to do Machine Authentication, make sure the
"Username Attribute" you are looking for in your AD source is
servicePrincipalName(machine auth) and not
sAMAccountName(user auth).

Also make sure your realms are configured.

Let us know if that helps.

Thanks

On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:

Hello mailing list,

Running Packetfence 6.4.0-1 on Centos 7.3.1611
Test switch is Cisco 2960 running 15.0(1)SE3

I have joined the server to our AD domain
net ads testjoin returns "Join is OK"
I have enabled winbind, and ntlm_auth successfully
authenticates domain users.
I have issued a certificate from our AD PKI to the PF
server, and also copied the CA cert into a separate eap-tls
folder as suggested, then updated eap.conf - radiusd seems
to be happy with it.

I am trying to get dot1x *wired* machine authentication
working for domain-joined machines.

When I connect a domain-joined computer to a dot1x port the
radiusd log shows:
mschap: Program returned code (1) and output 'Logon failure
(0xc06d)'

I have seen elsewhere in the mailing lists a few responses
by Louis Munro around troubleshooting this with ntlm_auth,
and certainly running ntlm_auth with the challenge and
response shown in the log is giving me the same error.

Not sure to go with this - I think I probably don't
understand my options on machine authentication
in terms of certificate vs machine account/password, and
therefore have an incomplete config.

Would anyone be able to nudge me a little further along? I
think I would like authentication by certificate for
domain-joined machines to work, unless you can recommend
otherwise.






Re: [PacketFence-users] Wired Domain-Joined Machine Authentication

2017-02-06 Thread Antoine Amacher

Philip,

If you joined the domain via realm or samba from the CLI, there is a 
configuration issue to handle machine authentication. It is fixed in 
6.5, running the migrate.pl should fix your issue.


Thanks


On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:

Hi Antoine,

Thank you for responding.

So I have a source for machine authentication which uses 
servicePrincipalName.
I find the instructions unclear for configuring the realm - I have a 
default realm which references my machine authentication source, but 
with nothing in the Domain field. I am following option 1b in the 
admin guide so I haven't run the migrate.pl task, 
but rather joined to the domain using Samba. Is this not correct?





On 6 February 2017 at 16:40, Antoine Amacher <aamac...@inverse.ca> wrote:


Hello Philip

You are trying to do Machine Authentication, make sure the
"Username Attribute" you are looking for in your AD source is
servicePrincipalName(machine auth) and not sAMAccountName(user auth).

Also make sure your realms are configured.

Let us know if that helps.

Thanks

On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:

Hello mailing list,

Running Packetfence 6.4.0-1 on Centos 7.3.1611
Test switch is Cisco 2960 running 15.0(1)SE3

I have joined the server to our AD domain
net ads testjoin returns "Join is OK"
I have enabled winbind, and ntlm_auth successfully authenticates
domain users.
I have issued a certificate from our AD PKI to the PF server, and
also copied the CA cert into a separate eap-tls folder as
suggested, then updated eap.conf - radiusd seems to be happy with it.

I am trying to get dot1x *wired* machine authentication working
for domain-joined machines.

When I connect a domain-joined computer to a dot1x port the
radiusd log shows:
mschap: Program returned code (1) and output 'Logon failure
(0xc06d)'

I have seen elsewhere in the mailing lists a few responses by
Louis Munro around troubleshooting this with ntlm_auth, and
certainly running ntlm_auth with the challenge and response shown
in the log is giving me the same error.

Not sure to go with this - I think I probably don't understand my
options on machine authentication
in terms of certificate vs machine account/password, and
therefore have an incomplete config.

Would anyone be able to nudge me a little further along? I think
I would like authentication by certificate for domain-joined
machines to work, unless you can recommend otherwise.






--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

Re: [PacketFence-users] Wired Domain-Joined Machine Authentication

2017-02-06 Thread Antoine Amacher

Hello Philip

You are trying to do Machine Authentication, make sure the "Username 
Attribute" you are looking for in your AD source is 
servicePrincipalName(machine auth) and not sAMAccountName(user auth).


Also make sure your realms are configured.

Let us know if that helps.

Thanks

On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:

Hello mailing list,

Running Packetfence 6.4.0-1 on Centos 7.3.1611
Test switch is Cisco 2960 running 15.0(1)SE3

I have joined the server to our AD domain
net ads testjoin returns "Join is OK"
I have enabled winbind, and ntlm_auth successfully authenticates 
domain users.
I have issued a certificate from our AD PKI to the PF server, and also 
copied the CA cert into a separate eap-tls folder as suggested, then 
updated eap.conf - radiusd seems to be happy with it.


I am trying to get dot1x *wired* machine authentication working for 
domain-joined machines.


When I connect a domain-joined computer to a dot1x port the radiusd 
log shows:

mschap: Program returned code (1) and output 'Logon failure (0xc06d)'

I have seen elsewhere in the mailing lists a few responses by Louis 
Munro around troubleshooting this with ntlm_auth, and certainly 
running ntlm_auth with the challenge and response shown in the log is 
giving me the same error.


Not sure to go with this - I think I probably don't understand my 
options on machine authentication
in terms of certificate vs machine account/password, and therefore 
have an incomplete config.


Would anyone be able to nudge me a little further along? I think I 
would like authentication by certificate for domain-joined machines to 
work, unless you can recommend otherwise.







--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Packetfence DHCP/roles

2017-02-01 Thread Antoine Amacher

Hello Stuart,


If you want to use VLAN 55 as your registration VLAN, make sure the DHCP 
is enabled on the interface 55 of PacketFence, and this interface is set 
as a registration interface. If GeneralStaff is your 'production' role, 
then try to return VLAN 1 for this role instead.



Thanks


On 02/01/2017 09:59 AM, Stuart McWatt wrote:


Hi Antoine,


Thank you for your response.


VLAN 55 is for registration and VLAN 56 is for isolation. VLAN1 is our 
production VLAN.



We have got GeneralStaff in VLAN55 for registration. Should 
Generalstaff be in VLAN 1 (our production VLAN)?



Thanks

Stuart






*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* 01 February 2017 14:13
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Packetfence DHCP/roles

Hello Stuart,

PacketFence is not a DHCP server for VLANs other than registration / 
isolation, if I followed properly VLAN 55 is your production VLAN for 
'GeneralStaff', this means you must have your own DHCP server in the 
VLAN 55.


Thanks


On 02/01/2017 04:42 AM, Stuart McWatt wrote:


Hi,

We are trying to set up a new Packetfence server and are having 
problems somewhere between the ‘roles’ and client Windows machine 
picking up a relevant IP address from the pf server.


AD is successfully added as a user source and there are basic rules 
added, the rule conditions are for AD group membership so if an AD 
user account is in a group which matches the rule then its assigned a 
role.


The Windows client becomes ‘registered’ and is put into a relevant 
role ‘GeneralStaff’ for this situation.  In PacketFence within 
Network-Switches area, our Cisco switch has the ‘Role by VLAN ID’ = 
‘General Staff’ and is configured for VLAN 55 (Registration).


So when I connect my laptop, it is registered and is put into the 
‘GeneralStaff’ role but I do not get an IP address associated with 
VLAN 55 (in fact I get a 169 IP address).


I can ping all the VLAN interfaces etc so network connectivity is 
fine and in Network – Interfaces the VLANs have been 
configured eg vlan55 10.55.55.10 255.255.255.0 Registration. We are 
slightly confused why the packetfence does not give my laptop a VLAN 
55 address?


Do we need to create separate DHCP scopes for each VLAN?

Thanks for any help you can provide in advance it would be very much 
appreciated.




  ­­




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] R: R: R: R: Issue authenticathing WPA2 WLAN

2017-01-30 Thread Antoine Amacher

Hi Luca,

Upon receiving a RADIUS request we are trying to strip the username if 
there is a REALM in it (i.e: ASSL10), if when sending your request there is 
no realm, it will try to log in using the REALM NULL/DEFAULT, this is 
why you need to link the domain to those REALMs.


You do not have to delete your REALM ASSL10 btw, leave it be.

Without adding the domain to those, you should have been able to login 
using ASSL10\ in front of your username.


Thanks

On 01/30/2017 12:28 PM, Luca Messori wrote:


Hi Antoine,

thank you very much for your help.

I have the client authenticated doing the same thing that you 
suggested for the domain DEFAULT.


What I don’t understand is why!

Have a nice day

*/Luca Messori/*


*Mead Informatica Srl*
*SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
Tel. +39 0522 265800 Tel. amm.ne 0522265940 -  Fax +39 0522 393306
Tel. +39 049 8702540   Fax +39 049 8706249

http://www.meadinformatica.it


*From:* Antoine Amacher [mailto:aamac...@inverse.ca]
*Sent:* Monday, 30 January 2017 14:52
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] R: R: R: Issue authenticathing WPA2 WLAN


Hello Luca,

When you see winbind isn't started, it is actually running. When doing 
a domain join via the admin interface, winbind is started in a chroot, 
that allows you to have 1 winbind daemon per domain. So you should not 
need to start it manually.


Go in the section configuration -> realm and add ASSL10 as the domain 
for the realm NULL.


Thanks

On 01/29/2017 01:10 PM, Luca Messori wrote:

Hi Fabrice,

I tried to start winbindd manually; this is the output:

[root@mitelwifi samba]# /usr/sbin/winbindd -s /etc/samba/ASSL10.conf -S -F

winbindd version 3.6.23-36.el6_8 started.

Copyright Andrew Tridgell and the Samba Team 1992-2011

initialize_winbindd_cache: clearing cache and re-creating with
version number 2

Could not fetch our SID - did we join?

unable to initialize domain list

Kindly regards

*/Luca Messori/*


*From:* Fabrice Durand [mailto:fdur...@inverse.ca]
*Sent:* Friday, 27 January 2017 19:42
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] R: R: Issue authenticathing WPA2 WLAN

Hi Luca,

it still misses the assl10 realm, can you share your realm.conf file?

Is winbind running?

Did you restart radiusd after adding the realm?

Regards

Fabrice

On 2017-01-27 at 12:22, Luca Messori wrote:

Hi Fabrice,

we have reconfigured the Realm and we have done some new test
but we have the following error:

(7) Fri Jan 27 12:00:12 2017: ERROR: mschap: External script
says: Reading winbind reply failed! (0xc001)

(7) Fri Jan 27 12:00:12 2017: ER
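
An added example, not part of the original thread and not PacketFence or FreeRADIUS code: a simplified model of the realm handling Antoine describes in his reply at the top of this message, showing why a bare username failed until the NULL and DEFAULT realms were linked to the domain while `ASSL10\user` would already have worked. The function names, the username `jdoe`, the realm `other.example` and the two realm tables are constructed, and case-insensitive realm matching is an assumption of this model.

```python
from typing import Dict, NamedTuple, Optional, Tuple


class Resolution(NamedTuple):
    realm: str             # realm entry that ends up handling the request
    stripped_user: str     # User-Name with the realm part removed
    domain: Optional[str]  # AD domain linked to that realm entry, if any


def split_realm(user_name: str) -> Tuple[Optional[str], str]:
    """Split DOMAIN\\user and user@realm forms; a bare name has no realm."""
    name = user_name.strip()
    if "\\" in name:
        realm, user = name.split("\\", 1)
        return (realm or None), user
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return (realm or None), user
    return None, name


def resolve(user_name: str, realms: Dict[str, Optional[str]]) -> Resolution:
    """Pick the realm entry for a User-Name.

    Convention modelled here: NULL handles names that carry no realm,
    DEFAULT handles names whose realm is not in the table.
    """
    realm, user = split_realm(user_name)
    if realm is None:
        key = "NULL"
    else:
        # Assumption of this model: realm names match case-insensitively.
        by_upper = {name.upper(): name for name in realms}
        key = by_upper.get(realm.upper(), "DEFAULT")
    return Resolution(key, user, realms.get(key))


# Constructed realm tables: realm name -> linked domain (None = not linked).
BEFORE = {"ASSL10": "ASSL10", "NULL": None, "DEFAULT": None}
AFTER = {"ASSL10": "ASSL10", "NULL": "ASSL10", "DEFAULT": "ASSL10"}


def unauthenticable(names, realms):
    """User-Names that resolve to a realm with no domain behind it."""
    return [n for n in names if resolve(n, realms).domain is None]


if __name__ == "__main__":
    names = ["jdoe", "ASSL10\\jdoe", "jdoe@other.example"]
    for table_name, table in (("before", BEFORE), ("after", AFTER)):
        for n in names:
            print(table_name, repr(n), resolve(n, table))
        print(table_name, "no domain for:", unauthenticable(names, table))
```
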

Re: [PacketFence-users] Radiusd does not start after upgrade to 6.4

2017-01-30 Thread Antoine Amacher

Chris,

Verify on your switch that your client is in the VLAN 210.

Watching your logs, 210 seems a production VLAN, PacketFence does not 
deliver DHCP on your production VLAN, this has to be your own DHCP server.


Thanks


On 01/30/2017 10:39 AM, Chris Abel wrote:
Ok so I ended up fixing my radius issue by copying over 
radius.conf.example into my radius.conf file. Radius now starts and 
clients seem to be authenticating. My problem now is that my clients 
get a self assign IP. What is the best way to troubleshoot this? When 
I connect to my AP, the packetfence log shows this:


Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] Match 
rule 1:staffwireless (pf::access_filter::test)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] 
autoregister a node that is already registered, do nothing. 
(pf::node::node_register)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] 
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info 
(pf::role::getRegisteredRole)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] Username 
was defined "68a86d4051de" - returning role 'Staff' 
(pf::role::getRegisteredRole)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] PID: 
"default", Status: reg Returned VLAN: (undefined), Role: Staff 
(pf::role::fetchRoleForNode)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] 
(10.128.4.16) Added VLAN 210 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:00:26:08:fa:35:f7] Updating 
locationlog from accounting request (pf::api::handle_accounting_metadata)



I am concerned with this:  "Returned VLAN: (undefined)," Is that the 
right behavior? I see that it sends the correct vlan on the next line 
though.


On Mon, Jan 30, 2017 at 9:18 AM, Chris Abel <ca...@wildwoodprograms.org> wrote:


I've copied the raddb folder from the source of packetfence. This
is what I get now:

root@packetfence:/usr/local/pf# freeradius -X -d raddb/ -n auth
FreeRADIUS Version 3.0.13
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file raddb//dictionary
including configuration file raddb//auth.conf
including configuration file raddb//radiusd.conf
including configuration file raddb//proxy.conf
including configuration file raddb//proxy.conf.inc
including configuration file raddb//clients.conf
including configuration file raddb//clients.conf.inc
including files in directory raddb//modules/
raddb//radiusd.conf[90]: Failed reading directory raddb//modules/: No such file or directory
Errors reading or parsing raddb//auth.conf

There is no modules directory in raddb on my server or in the
source of packetfence.

On Mon, Jan 30, 2017 at 8:59 AM, Chris Abel
<ca...@wildwoodprograms.org> wrote:

Hi Antoine,

The command is also not found in /usr/local/pf. I'm using
debian so I'm not sure if that makes a difference.

I can use the freeradius command though. This is what I get:

root@packetfence:/usr/local/pf# freeradius -X -d raddb/ -n auth
FreeRADIUS Version 3.0.13
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file raddb//dictionary
including configuration file raddb//auth.conf
including configuration file raddb//radiusd.conf
including configuration file raddb//proxy.conf
Unable to open file "raddb//proxy.conf": No such file or directory
Errors reading or parsing raddb//auth.conf


On Mon, Jan 30, 2017 at 8:53 AM, Antoine Amacher
<aamac...@inverse.ca> wrote:

Hello Chris,

Try the following from /usr/local/pf

radiusd -X -d raddb/ -n auth

thanks


On 01/29/2017 08:44 PM, Chris Abel wrote:

Also, nothing appears in radius.log

On Sun, Jan 29, 2017 at 8:42 PM, Chris Abel
<ca...@wildwoodprograms.org> wrote:

I'm having a really hard time after my packetfence
upgrade. I can't seem to get radius to start. When I
 

Re: [PacketFence-users] Cisco 3650 switch configuration problem - integrated Wireless Lan Controller WLC

2017-01-30 Thread Antoine Amacher
Hello Lukasz,

If you have access to a web interface for the built-in WLC, you can find 
all the information on how to configure it here:

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_cisco_2

Section 5.9.4 or 5.10.

If you only have a CLI, you will need to find the matching CLI commands; 
there are some examples of how to do it on an AP (not on a WLC) in section 5.9.1.

Thanks


On 01/30/2017 06:01 AM, Łukasz KRAJNIK wrote:
> Hello
>
> I am new to PacketFence - but basically what I want to achieve is to
> configure a Cisco 3650 with built-in Wireless LAN Controller to work with
> PacketFence.
>
> I read all the PacketFence support documentation and I believe that I have
> already correctly configured wired MAB authentication.
>
> More precisely, I can now connect a new laptop to the Cisco 3650, and when the
> authentication order is set to mab dot1x this laptop authenticates and the
> VLAN is set to register. After I open a browser and authenticate with a
> local prepared test user,
>
> I am redirected to the default VLAN. But now I need to configure the wireless
> connection. How can I do it when my WLC is on the same box as the 3650 switch?
>
> Could anyone advise me what I should do in such a configuration???
>
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Radiusd does not start after upgrade to 6.4

2017-01-30 Thread Antoine Amacher

Hello Chris,

Try the following from /usr/local/pf

radiusd -X -d raddb/ -n auth

thanks


On 01/29/2017 08:44 PM, Chris Abel wrote:

Also, nothing appears in radius.log

On Sun, Jan 29, 2017 at 8:42 PM, Chris Abel 
<ca...@wildwoodprograms.org> wrote:


I'm having a really hard time after my packetfence upgrade. I
can't seem to get radius to start. When I try "service packetfence
start" I get this:

radiusd-acct|not started

radiusd|not started


packetfence.log reports this:

Jan 29 20:38:06 pfcmd.pl(5346) INFO: Daemon radiusd-acct took 0.039 seconds to start. (pf::services::manager::launchService)

Jan 29 20:38:06 pfcmd.pl(5346) INFO: Daemon radiusd took 0.039 seconds to start. (pf::services::manager::launchService)


I tried running "radius -X" but I get command not found.


I'm not sure where to go from here, but I need to try to get this
working ASAP.

Thanks for any help you can provide.






--
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY  12303
518-836-2341




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] R: R: R: Issue authenticathing WPA2 WLAN

2017-01-30 Thread Antoine Amacher


--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Packet Fence configuration to work With Cisco WLC WebAuth

2017-01-24 Thread Antoine Amacher

Hello,

/Question 1 - for captive configuration do I need to enable enforcement 
and VLAN, and if so which option do I choose/


The captive portal will be available no matter which enforcement you 
choose: VLAN, Inline or WebAuth.


/Q1 how many interfaces are supposed to be created and should they be on the same network/

Please clarify.

/Q Can the captive portal be on the same network as the management IP and if so 
how do I configure that./


Using WebAuth for instance, you need to enable the portal on the management 
interface: Configuration -> Network -> Interfaces and Network -> click 
on your interface, Additional listening daemon(s) -> Portal


/Q4 What configuration should I have on the WLC/

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_cisco_2

if using WebAuth:

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_wireless_lan_controller_wlc_web_auth

/Q 4 What configuration should I have for guests to be authenticated through 
sponsor email or local user/


https://packetfence.org/doc/PacketFence_Administration_Guide.html#_guests_management

Thanks


On 01/24/2017 10:36 AM, Sadiq Hussein wrote:

Dear Colleague

I am new to PacketFence 6.4 and I want to use it with a Cisco WLC 5500 to manage 
guest users through the captive portal.


I have gone through the Admin and Network documentation to try to 
configure PacketFence but nothing seems to work.


Question 1 - for captive configuration do I need to enable enforcement 
and VLAN, and if so which option do I choose


Q1 how many interfaces are supposed to be created and should they be on the same network

Q Can the captive portal be on the same network as the management IP and if so 
how do I configure that.


Q4 What configuration should I have on the WLC

Q 4 What configuration should I have for guests to be authenticated through 
sponsor email or local user


Please assist

Regards
Sadiq Hussein




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] problem with source definition

2017-01-17 Thread Antoine Amacher
Denis

I forgot to ask: is this a Debian or CentOS install?

Thanks


On 01/17/2017 09:13 AM, Antoine Amacher wrote:
> Hello Denis,
>
> Have a look in the httpd.admin.catalyst and httpd.admin.error logs as well, to see if
> you find anything. Look for 'ERROR'.
>
> You can increase the log level via conf/log.conf.d/httpd.admin.conf:
> change INFO to DEBUG (l2) and WARN to DEBUG (l5), then restart your
> httpd.admin process. That will increase the output in the log by a LOT.
>
> Is this a standalone or cluster installation?
>
> I tried to recreate your process on a 6.4, I did not encounter this
> issue (cluster setup).
>
> Thanks
>
>
> On 01/17/2017 06:33 AM, Denis Bonnenfant wrote:
>> On 16/01/2017 at 18:51, Antoine Amacher wrote:
>>> Hello Denis,
>>>
>>> Make sure your ad-blocker (if you have one) is disabled for the admin of
>>> PF; it may sometimes create weird interactions and not allow you to
>>> access a source to edit, for instance.
>>>
>> There are no ad blockers, proxies or other things that may interfere with
>> the interface. I tested with different computers, OSes and browsers, refreshed
>> the cache, removed cookies, etc...
>>
>>> What does logs/httpd.admin.log tell you when the error appears?
>>>
>> Nothing. No messages, but maybe the log level can be increased?
>> To be more precise, the exact process :
>>
>> - create a new ldap or any other type of source : OK
>> - add a rule inside : OK
>> - go back to main page
>> - go to source page, open the source,
>> - click save : the error is displayed
>> - delete source : OK
>> - create a new one OK
>> - modify it : error
>>
>>
>>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Packetfence ping not working.

2017-01-17 Thread Antoine Amacher

Hello,

This message is not related to PacketFence; it is a standard Linux 
error. Google your error message and your answer will come by itself.


Thanks


On 01/17/2017 05:50 AM, Networker 2b wrote:

Hi,

Trying to do a tcpdump but it's giving this message.
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)



On Sun, Jan 15, 2017 at 10:11 AM, Networker 2b <networke...@gmail.com> wrote:


Hi ,

My PacketFence setup is in its initial stages. I configured it with the
following IP addresses and interfaces, but ping from and to the
server is working only on the management interface. The other
interfaces cannot be pinged from the network.

Management interface eth0 ip 10.45.1.60/24
Isolation eth0.2 172.16.2.251/24
Registration eth0.3 172.16.3.251/24
Normal eth0.4 172.16.4.251/24

The core switch attached to the PacketFence server has the below
IP addresses.

int vlan 100 10.45.1.250/24
int vlan 2 172.16.2.250/24
int vlan 3 172.16.3.250/24
int vlan 4 172.16.4.250/24

Any help is highly appreciated.

Regards,
Muhammad Farooq
Network Engineer






--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] eap.conf

2017-01-17 Thread Antoine Amacher


--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] problem with source definition

2017-01-17 Thread Antoine Amacher
Hello Denis,

Have a look in the httpd.admin.catalyst and httpd.admin.error logs as well, to see if 
you find anything. Look for 'ERROR'.

You can increase the log level via conf/log.conf.d/httpd.admin.conf: 
change INFO to DEBUG (l2) and WARN to DEBUG (l5), then restart your 
httpd.admin process. That will increase the output in the log by a LOT.

Is this a standalone or cluster installation?

I tried to recreate your process on a 6.4, I did not encounter this 
issue (cluster setup).

Thanks


On 01/17/2017 06:33 AM, Denis Bonnenfant wrote:
>
> On 16/01/2017 at 18:51, Antoine Amacher wrote:
>> Hello Denis,
>>
>> Make sure your ad-blocker (if you have one) is disabled for the admin of
>> PF; it may sometimes create weird interactions and not allow you to
>> access a source to edit, for instance.
>>
> There are no ad blockers, proxies or other things that may interfere with
> the interface. I tested with different computers, OSes and browsers, refreshed
> the cache, removed cookies, etc...
>
>> What does logs/httpd.admin.log tell you when the error appears?
>>
> Nothing. No messages, but maybe the log level can be increased?
>>
> To be more precise, the exact process :
>
> - create a new ldap or any other type of source : OK
> - add a rule inside : OK
> - go back to main page
> - go to source page, open the source,
> - click save : the error is displayed
> - delete source : OK
> - create a new one OK
> - modify it : error
>
>
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] problem with source definition

2017-01-16 Thread Antoine Amacher

Hello Denis,

Make sure your ad-blocker (if you have one) is disabled for the admin of 
PF; it may sometimes create weird interactions and not allow you to 
access a source to edit, for instance.


What does logs/httpd.admin.log tell you when the error appears?

Thanks


On 01/16/2017 11:38 AM, denis wrote:


Hello,

With PF 6.4, I have a problem with sources configuration:

- The first time a source is configured, a rule can be added and 
everything is OK.


- When a second rule is added to this source and the "save" button is 
clicked, an error is displayed: "*Error!* The authentication source 
was not found"


Removing the rule or the source doesn't solve the problem; in fact the whole 
interface seems to be dead, and the only way to recover is to restart the 
services.


Here is an example of my conf file:

[se3]
description=test
port=389
stripped_user_name=yes
type=LDAP
connection_timeout=5
basedn=ou=People,dc=xxx,dc=org
email_attribute=mail
scope=sub
dynamic_routing_module=AuthModule
binddn=cn=,dc=xxx,dc=org
password=
host=172.x.x.x
usernameattribute=uid
encryption=none

[se3 rule eleve]
description=dd
class=authentication
match=any
action0=set_role=mobiles_eleves
action1=set_access_duration=12h
condition0=uid,is member of,cn=eleves,ou=groups,dc=xxx,dc=org

[se3 rule profs]
description=p
class=authentication
match=any
action0=set_role=mobiles_profs
action1=set_access_duration=12h
condition0=uid,is member of,cn=profs,ou=Groups,dc=xxx,dc=org

The same rules were working perfectly with PF 4.6

Denis






--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Freeradius Telnet 1812 and 1813 fails

2016-12-16 Thread Antoine Amacher

Hello Grant,

If your switch has the proper RADIUS secret and it is able to talk to 
the management interface, then you should be all set.


You could try the following:

1. Ensure that communication is working (ping between mgmt interface and 
switch IP),

2. Ensure that RADIUS receives requests from the switch (tcpdump -i 
mgmt.interface port 1812),

3. Verify /usr/local/pf/logs/radius.log for errors,

4. Launch a raddebug and try to look for errors (raddebug -f 
/usr/local/pf/var/run/radiusd.socks -t 3600).


Let us know if that helps.

Thanks

On 12/16/2016 09:29 AM, Grant Hathaway wrote:


Hello,

The Packetfence server is up and running with AD bind and we can see 
devices checking in via DHCP but not via the test switch, the test 
switch is a Cisco 3750 and I can see it in packetfence in 
Configuration/switches. We have 3 VLANS configured on the switch and 
packetfence however we are not sure whether the switch and server are 
communicating with each other and are unsure where the logs are in 
packetfence in order to troubleshoot the connection issue?


The plan is to test packetfence by plugging a device into a network 
port on the switch, and see how the roles work in each VLAN.


We can telnet and SSH to the server successfully on normal ports (22 
and 23) from the switch but when we telnet to ports 1812/1813 it 
rejects the connection


*No response from (10.25.3.122:1812,1813) for id 1645/16*

Ports 1812 and 1813 udp are definitely listening on the packetfence 
server but telnet fails. Is there something we need to configure in 
freeradius to accept incoming connections?


Thanks

G


Grant Hathaway
Network and Infrastructure Analyst

Certas Energy UK Limited
The Switch
1-7 The Grove - Slough - SL1 1QP
Phone : 01753756965 - Mobile : 07920075818
grant.hatha...@certasenergy.co.uk


--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
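
Telnet opens a TCP connection, whereas RADIUS on ports 1812 and 1813 is carried over UDP, so a telnet test to those ports says nothing about whether the server is answering. The following is an added example, not code from this thread or from PacketFence: it sends one RADIUS Access-Request over UDP and validates the reply's Response Authenticator against the shared secret. The function names, the probe user name and the throw-away password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import socket
import struct

CODES = {2: "access-accept", 3: "access-reject", 11: "access-challenge"}


def _attr(attr_type, value):
    """Encode one attribute as type, length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2 (16-byte MD5 blocks)."""
    size = max(16, -(-len(password) // 16) * 16)   # round up to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(secret, username, password, nas_ip, ident,
                         authenticator=None):
    """Return the bytes of an Access-Request carrying a Message-Authenticator."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(1, username.encode())                       # User-Name
             + _attr(2, _hide_password(password.encode(), secret, authenticator))
             + _attr(4, socket.inet_aton(nas_ip))              # NAS-IP-Address
             + _attr(80, bytes(16)))     # Message-Authenticator, zeroed, kept last
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    packet = header + attrs
    # RFC 3579 section 3.2: HMAC-MD5 over the packet with the field zeroed.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def classify_reply(reply, ident, request_authenticator, secret):
    """Check the Response Authenticator (RFC 2865 section 3) and name the reply."""
    if len(reply) < 20:
        return "malformed"
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or not 20 <= length <= len(reply):
        return "malformed"
    expected = hashlib.md5(reply[:4] + request_authenticator
                           + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator"       # reply was not built with our secret
    return CODES.get(code, "code-%d" % code)


def probe(host, secret, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and report what came back.

    "access-reject" is the healthy result for a made-up user: the server
    accepted this client, shares the secret and answered. "no-reply" covers
    a filtered path, a server with no client entry for the source address,
    and a request dropped because the secret did not match.
    """
    ident = os.urandom(1)[0]
    authenticator = os.urandom(16)
    request = build_access_request(secret, "reachability-probe",
                                   "not-a-real-password", nas_ip, ident,
                                   authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:                  # timeout or ICMP port unreachable
            return "no-reply"
    return classify_reply(reply, ident, authenticator, secret)


if __name__ == "__main__":
    import sys
    # Usage: python radius_probe.py SERVER_IP SHARED_SECRET NAS_IP
    server, shared_secret, nas = sys.argv[1:4]
    print(probe(server, shared_secret.encode(), nas))
```

Run it from a host whose address the RADIUS server already knows as a client, and watch the tcpdump and radius.log from the steps above at the same time to see which side drops the packet.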



Re: [PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Antoine Amacher
ain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I don't know what to do now. Can anyone help me??

Tks a lot
Best regards

Daniel





-- 
Fabrice Durand

fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


Re: [PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Antoine Amacher

Hello Daniel,

The admin interface should be reachable over HTTPS only, try this 
https://your.ip:1443/configurator


Try to find errors in the following logs: 
/usr/local/pf/logs/packetfence.log, /usr/local/pf/logs/httpd.admin.log


Let us know if that helps.

Thanks


On 12/15/2016 08:57 AM, Daniel Picon wrote:

Hello all,

First of all, sorry for my bad English, I hope you can understand my 
question.


I just discovered PacketFence yesterday, reading about it in some 
Google searches.


To test it, I got a server and put a fresh install of Debian on it, 
just the basic choices + SSH server, nothing else.
Then, following the instructions on 
https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html 
I installed PacketFence with no errors.


But when I tried to access the configurator, I couldn't access it. I 
tried with http and https, and the browser keeps trying to load, but 
nothing happens.


I did a scan with nmap and port 1443 is open and listening.

Some commands that I executed and their output:

# /usr/local/pf/bin/pfcmd service httpd.admin status
Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.

service|shouldBeStarted|pid
httpd.admin|1|41888

# service packetfence-config status
● packetfence-config.service - PacketFence Config Service
   Loaded: loaded (/lib/systemd/system/packetfence-config.service; enabled)
   Active: active (running) since Qui 2016-12-15 11:21:39 BRST; 31min ago
 Main PID: 41876 (pfconfig)
   CGroup: /system.slice/packetfence-config.service
           └─41876 pfconfig

Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::fqdn
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::guest_se...n
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::local_secret
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::reverse_fqdn
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::stats_levels
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...p
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...t
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...s
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::trapping...e
Dez 15 11:21:39 firewall-novo pfconfig[41871]: --
Hint: Some lines were ellipsized, use -l to show in full.

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I don't know what to do now. Can anyone help me??

Tks a lot
Best regards

Daniel




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Please verify the provided MAC address

2016-12-14 Thread Antoine Amacher
Hello Morgan,

The way this works is that you usually provide the MAC vendor in the OUI 
file. For instance, if you want to allow Xbox to register, add the following 
list inside conf/allowed_device_oui.txt:

00:12:5A  # Microsoft-Xbox
00:0D:3A  # Microsoft-Xbox
00:50:F2  # Microsoft-Xbox
00:17:FA  # Microsoft-Xbox
00:1D:D8  # Microsoft-Xbox
00:22:48  # Microsoft-Xbox

Examples are available in conf/allowed_device_oui.txt.example

As long as the first 6 digits of the MAC you are trying to register are 
in the file, then the device will be able to register via the 
device-registration page.

Let us know if that helps.

Thanks

On 12/08/2016 12:08 PM, Morgan, Joel P. wrote:
> It looks like blanking the file /usr/local/pf/conf/allowed_device_oui.txt 
> doesn't allow any MAC to register. Renaming the file allows any MAC to 
> register.
>
> -Original Message-
> From: Morgan, Joel P.
> Sent: Thursday, December 8, 2016 10:01 AM
> To: 'packetfence-users@lists.sourceforge.net' 
> <packetfence-users@lists.sourceforge.net>
> Subject: Please verify the provided MAC address
>
> I'm using PF version 6.2.1 on CentOS 6.8.
>
> When manually registering a device using the device-registration URL I get an 
> error when I submit the MAC address.
>
> "Please verify the provided MAC address."
>
> A tail of packetfence.log gives the following output.
>
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:0] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:0] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
>
> The file /usr/local/pf/conf/allowed_device_oui.txt is empty.
>
> Does anyone have any suggestions for fixing this?
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Adding roles from CLI

2016-12-14 Thread Antoine Amacher

Hello Bob,

The roles are not stored in a config file; they are stored in the DB in 
the table "node_category".


So you would need to add some SQL queries to add a new role.

Thanks


On 12/13/2016 11:29 AM, B McLellan wrote:

Hi,

I've been looking at creating a script to deploy multiple PacketFence 
instances. I have pretty much everything in place now there's just one 
thing that is still puzzling me.
Is there a way to create 'roles' from the CLI using pfcmd? In which 
config files are the roles stored?


I can only see references to the roles which have associated rules in 
the authentication.conf file.


Any hints gratefully received.

;)




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] How to create own billing source?

2016-12-14 Thread Antoine Amacher
Hello Rolando,

Documentation about the billing source is available here, 
https://packetfence.org/doc/PacketFence_Administration_Guide.html#_billing_engine

There are examples on how to configure a PayPal, Stripe and 
Authorize.net source.

Thanks


On 12/14/2016 01:50 AM, Rolando Palencia wrote:
> Hi,
>
> How to create own billing source?
>
> Regards,
> 
> Rolando
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Configuration Files

2016-12-02 Thread Antoine Amacher
Hello Walt,

We have a configuration example of those files 
(https://packetfence.org/doc/PacketFence_Administration_Guide.html#_freeradius_configuration 
section 9.7.1b) if you want to manually join a domain.

While joining the domain via the administration interface, they are built 
off templates available in /usr/local/pf/addons/AD/{smb.krb5}.tt

Thanks


On 12/01/2016 06:46 PM, nspacketfe...@lydian.org wrote:
> How do files such as /etc/krb5.conf and /etc/samba/* get generated?
> Where does the raw data reside?
>
> Thanks
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] PacketFence PKI

2016-11-25 Thread Antoine Amacher
esolution

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

   Requires: django-countries

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

   Requires: python-django-rest-framework

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

   Requires: python-pyasn1-modules >= 0.1.7

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

   Requires: python-django-bootstrap3

You could try using --skip-broken to work around the problem

You could try running: rpm -Va --nofiles --nodigest

[root@localhost ~]#

Is there a problem with using the PacketFence-PKI?  Is it not 
supported anymore?  I really need to get this going in the next 2 
weeks as I’m looking to get this connected to our Meru Wi-Fi and 
sorting out guest access before Christmas.


Thanks for any advice.

Regards

Darren Morgan

Systems Manager

Oundle School

Please consider the environment before printing this e-mail


This email is sent from either Oundle School or Laxton Junior School 
for The Corporation of Oundle School and is intended only for the 
addressee named above.  The Corporation of Oundle School is a Charity 
incorporated under Royal Charter RC000396 and charity number 309921. 
www.oundleschool.org.uk <http://www.oundleschool.org.uk>





Scanned by iCritical.





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] ldap/ad source with SSL

2016-11-25 Thread Antoine Amacher

Hello Andi,

What you are looking for is 
https://packetfence.org/doc/PacketFence_Administration_Guide.html#_authentication 
section 9.2.1


There is no certificate to configure for the source LDAP in itself.

SSL/Start TLS depends on how your LDAP is configured to receive the 
connection for binding.


The configuration of the certificate to authenticate (RADIUS) has to be 
configured in /usr/local/pf/conf/radiusd/eap.conf under the section TLS.


Thanks


On 11/25/2016 04:36 AM, Morris, Andi wrote:


Hi all,

Hopefully just a quick one. I can’t find a mention anywhere of how to 
setup LDAPS as a source. I can see that you can select SSL as part of 
the AD source, however I’m not sure where to configure the certificate 
for this. Any pointers?


Cheers,

Andi

-

Andi Morris

IT Security Officer
Cardiff Metropolitan University

T: 02920 205720
E: amor...@cardiffmet.ac.uk <mailto:amor...@cardiffmet.ac.uk>

Skype for Business: amor...@cardiffmet.ac.uk



--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] PKI Install guide

2016-10-21 Thread Antoine Amacher

To let you know what caused your issue,

it seems you had python-django installed independently and the 
dependencies we needed (for packetfence-pki) were not available for the 
version you had installed, so that's why it failed to install the package.


Thanks


On 10/21/2016 10:31 AM, Morgan, Darren wrote:


Many thanks,

That worked.

Darren

*From:*Antoine Amacher [mailto:aamac...@inverse.ca]
*Sent:* 21 October 2016 15:07
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] PKI Install guide

Morgan,

try the following:

rpm -e python-django --nodeps

yum install packetfence-pki --enablerepo=packetfence-extra

Let us know if that helps

Thanks

On 10/21/2016 09:59 AM, Morgan, Darren wrote:

Hi Antoine,

I’ve tried installing the PKI, but come up with some errors
(Listed below)  Any ideas?  I’ve checked and the latest version of
Python-Django is installed (yum info python-django run output at
end of email)


~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~

[root@OS-PF ~]# yum install packetfence-pki
--enablerepo=packetfence-extra, packetfence

Loaded plugins: fastestmirror, security

Setting up Install Process

Loading mirror speeds from cached hostfile

* base: mirrors.ukfast.co.uk

* extras: mirrors.coreix.net

* updates: mirrors.ukfast.co.uk

Resolving Dependencies

--> Running transaction check

---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed

--> Processing Dependency: python-pyasn1-modules >= 0.1.7 for
package: packetfence-pki-1.0.4-1.el6.noarch

--> Processing Dependency: python-django-bootstrap3 for package:
packetfence-pki-1.0.4-1.el6.noarch

--> Processing Dependency: python-django-rest-framework for
package: packetfence-pki-1.0.4-1.el6.noarch

--> Processing Dependency: python-ldap for package:
packetfence-pki-1.0.4-1.el6.noarch

--> Processing Dependency: django-countries for package:
packetfence-pki-1.0.4-1.el6.noarch

--> Running transaction check

---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed

--> Processing Dependency: python-pyasn1-modules >= 0.1.7 for
package: packetfence-pki-1.0.4-1.el6.noarch

--> Processing Dependency: python-django-bootstrap3 for package:
packetfence-pki-1.0.4-1.el6.noarch

--> Processing Dependency: python-django-rest-framework for
package: packetfence-pki-1.0.4-1.el6.noarch

--> Processing Dependency: django-countries for package:
packetfence-pki-1.0.4-1.el6.noarch

---> Package python-ldap.x86_64 0:2.3.10-1.el6 will be installed

--> Finished Dependency Resolution

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

Requires: django-countries

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

Requires: python-django-rest-framework

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

Requires: python-pyasn1-modules >= 0.1.7

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

Requires: python-django-bootstrap3

You could try using --skip-broken to work around the problem

You could try running: rpm -Va --nofiles --nodigest


~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~

[root@OS-PF ~]# yum info python-django

Loaded plugins: fastestmirror, security

Loading mirror speeds from cached hostfile

* base: mirrors.ukfast.co.uk

* extras: mirrors.coreix.net

* updates: mirrors.ukfast.co.uk

Installed Packages

Name: python-django

Arch: noarch

Version : 1.6.11

Release : 10.3

Size: 15 M

Repo: installed

From repo   : packetfence

Summary : A high-level Python Web framework

URL : http://www.djangoproject.com/
<http://www.djangoproject.com/>

License : BSD

Description : Django is a high-level Python Web framework that
encourages rapid

: development and a clean, pragmatic design. It
focuses on automating as

: much as possible and adhering to the DRY (Don't
Repeat Yourself)

: principle.


~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~

Regards

Darren

*From:*Morgan, Darren [mailto:dmor...@oundleschool.org.uk]
*Sent:* 21 October 2016 14:36
*To:* packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
*Subject:* Re: [PacketFence-users] PKI Install guide

Thanks Antoine,

Regards

Darren

*From:*Antoine Amacher [mailto:aamac...@inverse.ca]
*Sent:* 21 October 2016 14:17
*To:* pac

Re: [PacketFence-users] PKI Install guide

2016-10-21 Thread Antoine Amacher

Morgan,

try the following:

rpm -e python-django --nodeps

yum install packetfence-pki --enablerepo=packetfence-extra

Let us know if that helps

Thanks


On 10/21/2016 09:59 AM, Morgan, Darren wrote:


Hi Antoine,

I’ve tried installing the PKI, but come up with some errors (Listed 
below)  Any ideas?  I’ve checked and the latest version of 
Python-Django is installed (yum info python-django run output at end 
of email)


~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~

[root@OS-PF ~]# yum install packetfence-pki 
--enablerepo=packetfence-extra, packetfence


Loaded plugins: fastestmirror, security

Setting up Install Process

Loading mirror speeds from cached hostfile

* base: mirrors.ukfast.co.uk

* extras: mirrors.coreix.net

* updates: mirrors.ukfast.co.uk

Resolving Dependencies

--> Running transaction check

---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed

--> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: 
packetfence-pki-1.0.4-1.el6.noarch


--> Processing Dependency: python-django-bootstrap3 for package: 
packetfence-pki-1.0.4-1.el6.noarch


--> Processing Dependency: python-django-rest-framework for package: 
packetfence-pki-1.0.4-1.el6.noarch


--> Processing Dependency: python-ldap for package: 
packetfence-pki-1.0.4-1.el6.noarch


--> Processing Dependency: django-countries for package: 
packetfence-pki-1.0.4-1.el6.noarch


--> Running transaction check

---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed

--> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: 
packetfence-pki-1.0.4-1.el6.noarch


--> Processing Dependency: python-django-bootstrap3 for package: 
packetfence-pki-1.0.4-1.el6.noarch


--> Processing Dependency: python-django-rest-framework for package: 
packetfence-pki-1.0.4-1.el6.noarch


--> Processing Dependency: django-countries for package: 
packetfence-pki-1.0.4-1.el6.noarch


---> Package python-ldap.x86_64 0:2.3.10-1.el6 will be installed

--> Finished Dependency Resolution

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

Requires: django-countries

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

Requires: python-django-rest-framework

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

Requires: python-pyasn1-modules >= 0.1.7

Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)

Requires: python-django-bootstrap3

You could try using --skip-broken to work around the problem

You could try running: rpm -Va --nofiles --nodigest

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~

[root@OS-PF ~]# yum info python-django

Loaded plugins: fastestmirror, security

Loading mirror speeds from cached hostfile

* base: mirrors.ukfast.co.uk

* extras: mirrors.coreix.net

* updates: mirrors.ukfast.co.uk

Installed Packages

Name: python-django

Arch: noarch

Version : 1.6.11

Release : 10.3

Size: 15 M

Repo: installed

From repo   : packetfence

Summary : A high-level Python Web framework

URL : http://www.djangoproject.com/

License : BSD

Description : Django is a high-level Python Web framework that 
encourages rapid


: development and a clean, pragmatic design. It focuses on 
automating as


: much as possible and adhering to the DRY (Don't Repeat 
Yourself)


: principle.

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~

Regards

Darren

*From:*Morgan, Darren [mailto:dmor...@oundleschool.org.uk]
*Sent:* 21 October 2016 14:36
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] PKI Install guide

Thanks Antoine,

Regards

Darren

*From:*Antoine Amacher [mailto:aamac...@inverse.ca]
*Sent:* 21 October 2016 14:17
*To:* packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net>

*Subject:* Re: [PacketFence-users] PKI Install guide

Hello Morgan,

The guide is available here: 
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html


Thank you

On 10/21/2016 04:31 AM, Morgan, Darren wrote:

Hi,

Apologies if this has been answered before but I’m trying to find
the latest PKI install guide for PF 6.3.0.  I want to install it
on the same server as we have PF ZEN 6.3.0 running at the minute.

Regards

Darren Morgan

Systems Manager

Oundle School


Re: [PacketFence-users] MySQL login fails

2016-10-21 Thread Antoine Amacher

Hello Rob,

Are you able to manually log in the DB as pf and root?

Is this happening every time before reaching step4 on the configurator?

Please make sure the pf passwords are right in conf/pf.conf and 
conf/pfconfig.conf


If you need to retest it and your PacketFence *IS NOT* in production, 
you could log as root in the database and run the following:


drop database pf;
drop database pf_graphite;

After that rerun the configurator and it will ask you to set up a 
password for the user pf. To make sure everything is working fine try a 
simple password which is not affected by keyboard map, for instance a 
series of numbers. I'll let you know how to change it after if needed.


Thanks

On 10/21/2016 06:56 AM, B McLellan wrote:

Thanks Holger,

MySQL is definitely up and listening on 3306. I can login fine from 
the console.
There are no special chars in the password which may cause issues (I 
did have this issue initially with the default root password due to the @ 
and " being switched on my UK keyboard ;-) ).
The fact that this is happening on both a ZEN deploy and an install 
from deb indicates to me that there's either a bug in the latest 
version or something about my environment that PF doesn't like.


Rob

On 21 October 2016 at 10:47, <holger.patz...@t-systems.com 
<mailto:holger.patz...@t-systems.com>> wrote:


Hi,

are you sure, the database is up at all? And you are using the
same character sets, when typing blind into the web-interface as
when setting it up in the console?

This sort of error is seldom for Americans, but for people from
the rest of the world one has to take care of this…

Bye,

Holger

*From:* B McLellan [mailto:bob.mclel...@gmail.com
<mailto:bob.mclel...@gmail.com>]
*Sent:* Thursday, 20 October 2016 13:24
*To:* packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
*Subject:* [PacketFence-users] MySQL login fails

Hi,

I'm trying to run the initial config on a new packetfence install
and I get as far as step 4 'Packetfence' but clicking the continue
button does not progress to the next step. In
/usr/local/pf/logs/packetfence.log I see

 FATAL: unable to connect to database: Access denied for user
'pf'@'localhost' (using password: YES) at
/usr/local/pf/lib/pf/version.pm line 42.

This doesn't make sense as I'm sure the password I supplied is
correct. I've even tried restarting mysql with --skip-grant-tables
to be sure that auth isn't causing an issue.

This has happened on a Debian Jessie install using the deb
package and on a ZEN deployment. Has anyone else seen this
behaviour? Am I doing something stupid in the setup?

Bob





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] PKI Install guide

2016-10-21 Thread Antoine Amacher

Hello Morgan,

The guide is available here: 
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html


Thank you


On 10/21/2016 04:31 AM, Morgan, Darren wrote:


Hi,

Apologies if this has been answered before but I’m trying to find the 
latest PKI install guide for PF 6.3.0.  I want to install it on the 
same server as we have PF ZEN 6.3.0 running at the minute.


Regards

Darren Morgan

Systems Manager

Oundle School


--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Windows7 802.1x

2016-10-17 Thread Antoine Amacher

Hello Holger,

Are they switched to the right VLAN after authentication? (You could try to 
authenticate a client which has issues and add a static IP in the 
expected range)


Do you see a pattern for clients that are not getting an IP, same 
network card, same model, etc.?


Try to trace one client which has issues in packetfence.log to make sure 
the flow is fine.


Also look at your DHCP leases, this could be due to not enough addresses 
in the pool.


Thanks


On 10/17/2016 10:18 AM, holger.patz...@t-systems.com wrote:


Hi Folks,

does anyone of you use 802.1x auth with Windows 7?

Our Clients sometimes don’t get an IP-Address after auth.

(They are already authenticated successfully)

Bye,

Holger




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
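
Added example (not part of the original messages and not PacketFence's own code): one way to trace a client in packetfence.log, as suggested in the reply above. It assumes the entry layout quoted in this archive, first undoes mail-client quoting and line wrapping, then groups entries per MAC and counts failed ip2mac lookups per IP; every address and hostname in SAMPLE is constructed.

```python
import re
from collections import defaultdict

# Start of one packetfence.log entry, in the layout quoted in these messages:
#   "Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:...] message (pf::module::sub)"
ENTRY_START = re.compile(
    r"(?=[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} [\w.]+\(\d+\) [A-Z]+: )")
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w.]+)\((?P<pid>\d+)\) (?P<level>[A-Z]+): "
    r"(?:\[mac:(?P<mac>\[undef\]|[^\]]*)\] )?"      # tag is absent on some lines
    r"(?P<msg>.*?)(?: \((?P<sub>pf::[\w:]+)\))?$")
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
IP2MAC_RE = re.compile(r"Unable to match MAC address to IP '([^']+)'")
STATUS_RE = re.compile(r"is of status (\w+)")
VLAN_RE = re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept")
CONN_RE = re.compile(r"connection_type => ([\w-]+)")

# Constructed sample: entries wrapped and run together the way a mail client
# leaves them, with "> " quote markers. All addresses and names are made up.
SAMPLE = """\
> Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:00:11:22:33:44:55] handling radius
> autz request: from switch_ip => (192.0.2.10), connection_type =>
> Ethernet-EAP,switch_mac => (00:11:22:aa:bb:01), mac => [00:11:22:33:44:55],
> port => 10101, username => "host1.example.test" (pf::radius::authorize)
> Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:00:11:22:33:44:55] is of status
> unreg; belongs into registration VLAN (pf::role::getRegistrationRole) Oct 07
> 02:39:58 httpd.aaa(1754) INFO: [mac:00:11:22:33:44:55] (192.0.2.10) Added VLAN
> 11 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Oct 07 02:40:02 httpd.portal(2202) WARN: [mac:unknown] Unable to match MAC
> address to IP '192.0.2.50' (pf::iplog::ip2mac) Oct 07 02:40:02
> httpd.portal(2202) WARN: [mac:0] Unable to match MAC address to IP
> '192.0.2.50' (pf::iplog::ip2mac)
> Oct 07 02:40:03 httpd.portal(2202) INFO: [mac:[undef]] Instantiate a new
> iptables modification method. pf::ipset (pf::inline::get_technique)
"""


def split_entries(text):
    """Strip quote markers, undo wrapping, return one string per log entry."""
    lines = (re.sub(r"^(?:>\s?)+", "", ln).strip() for ln in text.splitlines())
    flat = re.sub(r"\s+", " ", " ".join(lines)).strip()
    return [e.strip() for e in ENTRY_START.split(flat) if e.strip()]


def trace(text):
    """Return (clients, unresolved, unparsed).

    clients:    MAC -> events, last node status, last VLAN returned, conn type
    unresolved: IP  -> number of failed ip2mac lookups (portal saw no MAC)
    unparsed:   entries that do not fit the assumed layout
    """
    clients = defaultdict(lambda: {"events": [], "status": None,
                                   "vlan": None, "conn": None})
    unresolved = defaultdict(int)
    unparsed = []
    for entry in split_entries(text):
        m = LINE_RE.match(entry)
        if not m:
            unparsed.append(entry)
            continue
        mac, msg = (m.group("mac") or "").lower(), m.group("msg")
        if not MAC_RE.match(mac):
            # [mac:unknown], [mac:0], [mac:[undef]] or no tag: no MAC is known
            hit = IP2MAC_RE.search(msg)
            if hit:
                unresolved[hit.group(1)] += 1
            continue
        client = clients[mac]
        client["events"].append((m.group("ts"), m.group("proc"), m.group("sub")))
        for key, rx, conv in (("status", STATUS_RE, str),
                              ("vlan", VLAN_RE, int),
                              ("conn", CONN_RE, str)):
            hit = rx.search(msg)
            if hit:
                client[key] = conv(hit.group(1))
    return dict(clients), dict(unresolved), unparsed


def eap_unregistered(clients):
    """MACs seen on an EAP connection type whose node status is still 'unreg'."""
    return sorted(mac for mac, c in clients.items()
                  if c["conn"] and c["conn"].endswith("EAP")
                  and c["status"] == "unreg")


if __name__ == "__main__":
    found, no_mac, bad = trace(SAMPLE)
    for mac, info in found.items():
        print(mac, info["conn"], info["status"], "VLAN", info["vlan"])
    print("IPs without a MAC:", no_mac)
    print("802.1X clients still unregistered:", eap_unregistered(found))
    print("unparsed entries:", len(bad))
```

A client listed by eap_unregistered() passed through RADIUS authorization but was still placed by node status, which is the situation the "Automatically register devices" discussion at the top of this page is about.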



Re: [PacketFence-users] Can't join packetfence to domain for RADIUS

2016-10-14 Thread Antoine Amacher

Hello Alex,

You can have a look under 
/chroots/DOMAIN-NAME/var/log/sambaDOMAIN-NAME/log.winbind


Thanks


On 10/13/2016 11:28 PM, Alex Fishel wrote:

Hello all,

I upgraded the server as suggested but it hasn't seemed to make a 
difference yet.  Is there a log file that could be examined to 
diagnose the problem?


Thanks!

--
Alex Fishel







--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] monit setup guide for PF

2016-10-14 Thread Antoine Amacher
Jake,

We do not have a guide for it, but we did write some scripts to 
preconfigure monit,

Have a look in: /usr/local/pf/addons/monit/ you should find what you are 
looking for.

Thanks


On 10/13/2016 11:01 PM, Sallee, Jake wrote:
> Does anyone have a setup guide for using monit with Packetfence?
>
> I know it can be done, but I can't seem to find any docs on it.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] web configurator - I dun goofed

2016-10-13 Thread Antoine Amacher
Hello Jake,

It is expected to have only httpd.admin and packetfence-config started 
after a fresh install.

With the admin started the server should listen on 1443 though.

To be certain could you do: netstat -nlp | grep 1443 and also make sure 
iptables is disabled. If this is a CentOS 7, systemctl stop firewalld.

If you encounter issues and you don't have any configuration set, you 
could do a yum reinstall, which will reinstall the package and start the 
expected services to access the configurator.

Thanks


On 10/13/2016 12:55 PM, Sallee, Jake wrote:
> I need to get to the web configurator ... but I kinda messed up.
>
> I went through the normal install procedure (Install OS -> install updates -> 
> install PF)
>
> Here is where I goofed: I rebooted the server because it installed a new 
> kernel.  Now I can't get to the web configurator.
>
> I tried making sure the packetfence-config and packetfence services are 
> started (they are) but the server is not listening on port 1443.
>
> The only service that is running is the httpd.admin service (all the other 
> services fail to start) and when I try to start the pf services I get an 
> error starting mysql ... since ... you know ... I haven't set it up yet.
>
> How do I proceed?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Can't join packetfence to domain for RADIUS

2016-10-13 Thread Antoine Amacher

Hello Alex,

Can you be a bit more precise on your issue, do you have the error while 
trying to add the domain? Or just while trying to connect to PacketFence 
administration interface?


Also since your setup is not in production, I would advise you to update 
to 6.3. (fixes for the domain join have been added)


Thanks,


On 10/13/2016 01:09 AM, Alex Fishel wrote:

Hello all,

I am running PacketFence 6.2.1 in a virtual machine on ESXi, using 
VLAN isolation.  I want to be able to use RADIUS so that I may use a 
wireless access point with my PacketFence setup.  One of the first 
steps in this process seems to be to set up a domain for RADIUS.  I 
have followed the steps in the administration guide to the letter and 
have so far not been able to connect.  I get an error message "There 
was a problem connecting to the server, please try again later."


I have tried the troubleshooting steps in the administration guide and 
they do not seem to be helping either.   Are there any "gotchas" to be 
aware of when setting this up?  My guess is that I either need to set 
something else up first or I am just not entering the data correctly.


Any help is greatly appreciated.

Thank you!

--
Alex Fishel







--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence

2016-10-07 Thread Antoine Amacher

Stefan,

If you don't see the rule in packetfence.log it means that it is not being 
triggered, either something is not matching, or there is a typo in the rule.
In the last case you should see a message like: "error while building rule XXX" 
in the packetfence.log. Just to be sure after deploying a rule in 
vlan_filter.conf, you need to do "bin/pfcmd configreload hard" which will force 
your configuration to be reloaded.

It seems to me that the filter is not applied.

Thanks

On Friday, October 07, 2016 02:55 EDT, "Marold, Stefan" 
 wrote:
 Hello Antoine,

after using 'bin/pfcmd checkup', I see the following line in packetfence.log:
Oct 07 02:34:19 pfcmd.pl(2179) INFO: Instantiate profile default 
(pf::Portal::ProfileFactory::_from_profile)

When the user authenticates, I don't see any messages related to 
"1:EthernetEAP" in packetfence.log:
Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] handling radius 
autz request: from switch_ip => (172.20.10.118), connection_type => 
Ethernet-EAP,switch_mac => (54:4a:00:88:a8:01), mac => [74:2b:62:6d:47:d4], 
port => 10101, username => "D1527.dorsten.local" (pf::radius::authorize)
Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] is of status 
unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] (172.20.10.118) 
Added VLAN 11 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)
Oct 07 02:40:00 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Updating 
locationlog from accounting request (pf::api::handle_accounting_metadata)
Oct 07 02:40:02 httpd.portal(2202) INFO: [mac:[undef]] Instantiate a new 
iptables modification method. pf::ipset (pf::inline::get_technique)
Oct 07 02:40:02 httpd.portal(2037) INFO: [mac:[undef]] Instantiate a new 
iptables modification method. pf::ipset (pf::inline::get_technique)
Oct 07 02:40:02 httpd.portal(2038) INFO: [mac:[undef]] Instantiate a new 
iptables modification method. pf::ipset (pf::inline::get_technique)

I also tried to add the following rule, but it seems to have no effect:
[2:EthernetEAP]
scope = NodeInfoForAutoReg
role = default
action = modify_node
action_param = mac = $mac, status = reg, access_duration = 12H, role = default

BTW does the absence of "EAP-Type => EAP-TLS" in packetfence.log mean the 
EAP-Type is not "EAP-TLS"?

Regards
Stefan




 


Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence

2016-10-06 Thread Antoine Amacher

Hello Stefan,

What do you see in the logs/packetfence.log upon using 'bin/pfcmd checkup', and 
do you see the filter being triggered when the user authenticates?
Look for "1:EthernetEAP" in the packetfence.log.

Thanks.

On Thursday, October 06, 2016 10:36 EDT, "Marold, Stefan" 
 wrote:
 Hi Antoine,

Thank you very much for your answer. Yes, the status of the client is unreg. 
I've configured an AD source with a catch-all rule and thought, this will 
register the nodes automatically. But after reading the documentation again, I 
think it is only for captive portal.

I tried to configure AutoRegister as you suggested, but I think there is an 
error in my configuration. With the following configuration, I expect the 
client will be autoregistered with role 'default', vlan 477. Instead, it is 
still unreg, vlan 11.

[root@PacketFence-6_2_1 ~]# cat /usr/local/pf/conf/vlan_filters.conf|egrep -v "^#"
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-TLS
[1:EthernetEAP]
scope = AutoRegister
role = default

[root@PacketFence-6_2_1 ~]# /usr/local/pf/bin/pfcmd checkup
Checking configuration sanity...

tail -f /usr/local/pf/logs/radius.log
Thu Oct 6 09:56:37 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct 6 09:56:39 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct 6 09:56:41 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct 6 09:56:43 2016 : Error: (10) Ignoring duplicate packet from client 
172.20.10.118 port 1645 - ID: 216 due to unfinished request in component 
post-auth module packetfence
Thu Oct 6 09:56:44 2016 : Auth: rlm_perl: Returning vlan 11 to request from 
74:2b:62:6d:47:d4 port 50101
Thu Oct 6 09:56:44 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 
means OK)
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (1): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (2): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (3): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (4): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (0): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (5): Hit 
idle_timeout, was idle for 905 seconds
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Opening additional connection 
(6), 1 of 64 pending slots used
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Need 2 more connections to reach 
10 spares
Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Opening additional connection 
(7), 1 of 63 pending slots used
Thu Oct 6 09:56:35 2016 : [mac:74:2b:62:6d:47:d4] Accepted user: and returned 
VLAN 11
Thu Oct 6 09:56:44 2016 : Auth: (10) Login OK: [host/D1527.dorsten.local] (from 
client 172.20.10.118 port 50101 cli 74:2b:62:6d:47:d4)

Best regards
Stefan




 


Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence

2016-10-05 Thread Antoine Amacher

Hello Stefan,

What is the status of the node in PacketFence after he connects via EAP-TLS?

If the status is unreg, you could simply add a vlan filter that 
AutoRegisters nodes when they connect via EAP-TLS.


Examples are available in /usr/local/pf/conf/vlan_filters.conf, we could 
provide some if necessary.


Thank you


On 10/05/2016 11:11 AM, Marold, Stefan wrote:


Hello all,

I’m using PacketFence ZEN 6.2.1 and want to authenticate clients with 
our MSPKI. I followed the instructions in 
https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html 
up to ‘3.2.2 RADIUS EAP-TLS and MSPKI’ except enabling OCSP.


However, the clients are always put into the registration vlan instead 
of the default vlan:


[root@PacketFence-6_2_1 logs]# tail -f /usr/local/pf/logs/radius.log

Wed Oct  5 10:48:55 2016 : Warning: rlm_sql (sql_reject): 
authorize_check_query is empty.  Please delete it from the configuration


Wed Oct  5 10:48:55 2016 : Info: rlm_sql (sql_reject): Attempting to 
connect to database "pf"


Wed Oct  5 10:48:55 2016 : Warning: 
[raddb//mods-config/attr_filter/access_reject]:11 Check item 
"FreeRADIUS-Response-Delay"found in filter list for realm "DEFAULT".


Wed Oct  5 10:48:55 2016 : Warning: 
[raddb//mods-config/attr_filter/access_reject]:11 Check item 
"FreeRADIUS-Response-Delay-USec"   found in filter list for realm 
"DEFAULT".


Wed Oct  5 10:48:55 2016 : Info: Loaded virtual server 

Wed Oct  5 10:48:55 2016 : Info: Loaded virtual server packetfence-tunnel

Wed Oct  5 10:48:55 2016 : Info: Loaded virtual server packetfence-cli

Wed Oct  5 10:48:55 2016 : Info: Loaded virtual server dynamic_clients

Wed Oct  5 10:48:55 2016 : Info: Loaded virtual server packetfence

Wed Oct  5 10:48:55 2016 : Info: Ready to process requests

Wed Oct  5 10:49:39 2016 : Error: (10) Ignoring duplicate packet from 
client 172.20.10.118 port 1645 - ID: 133 due to unfinished request in 
component post-auth module packetfence


Wed Oct  5 10:49:41 2016 : Error: (10) Ignoring duplicate packet from 
client 172.20.10.118 port 1645 - ID: 133 due to unfinished request in 
component post-auth module packetfence


Wed Oct  5 10:49:41 2016 : Auth: rlm_perl: Returning vlan 11 to 
request from 74:2b:62:6d:47:d4 port 50101


Wed Oct  5 10:49:41 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE: 
2 (2 means OK)


Wed Oct  5 10:49:42 2016 : Info: rlm_sql (sql): Need 4 more 
connections to reach 10 spares


Wed Oct  5 10:49:42 2016 : Info: rlm_sql (sql): Opening additional 
connection (6), 1 of 58 pending slots used


Wed Oct  5 10:49:37 2016 : [mac:74:2b:62:6d:47:d4] Accepted user:  and 
returned VLAN 11


Wed Oct  5 10:49:42 2016 : Auth: (10) Login OK: 
[host/D1527.dorsten.local] (from client 172.20.10.118 port 50101 cli 
74:2b:62:6d:47:d4)


I don’t know how to debug the error ‘due to unfinished request in 
component post-auth module packetfence‘.


However, openssl is able to verify the certificate:

[root@PacketFence-6_2_1 logs]# openssl verify -CAfile 
/usr/local/pf/conf/ssl/tls_certs/ca.pem ~/d1527.cer


/root/d1527.cer: OK

[root@PacketFence-6_2_1 logs]# openssl verify -CApath 
/usr/local/pf/conf/ssl/tls_certs ~/d1527.cer


/root/d1527.cer: OK

I’ve managed to get it working with PacketFence 5.1.0 but not with the 
current version. Can anyone help?


Kind regards

Stefan





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
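
The radius.log excerpts posted in this thread, triaged as an added example (it is not part of the original posts and not PacketFence or FreeRADIUS code). It groups the "Ignoring duplicate packet ... unfinished request" errors per request, reports which module was still busy while the switch retransmitted, and joins in the user, MAC and VLAN that were finally returned. The function names and the report layout are assumptions of this example; the log lines come from the 2016-10-05 excerpt above.

```python
import re
from datetime import datetime

# Lines copied from the 2016-10-05 radius.log excerpt in this thread. The second
# record is left wrapped the way the mail archive shows it, on purpose.
SAMPLE_LOG = """\
Wed Oct  5 10:49:39 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 133 due to unfinished request in component post-auth module packetfence
Wed Oct  5 10:49:41 2016 : Error: (10) Ignoring duplicate packet from
client 172.20.10.118 port 1645 - ID: 133 due to unfinished request in
component post-auth module packetfence
Wed Oct  5 10:49:41 2016 : Auth: rlm_perl: Returning vlan 11 to request from 74:2b:62:6d:47:d4 port 50101
Wed Oct  5 10:49:41 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
Wed Oct  5 10:49:42 2016 : Auth: (10) Login OK: [host/D1527.dorsten.local] (from client 172.20.10.118 port 50101 cli 74:2b:62:6d:47:d4)
"""

RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<msg>.*)$")
DUP_RE = re.compile(
    r"Error: \((?P<req>\d+)\) Ignoring duplicate packet from client (?P<client>\S+) "
    r"port \d+ - ID: (?P<id>\d+) due to unfinished request in "
    r"component (?P<component>\S+) module (?P<module>\S+)")
VLAN_RE = re.compile(
    r"rlm_perl: Returning vlan (?P<vlan>\d+) to request from (?P<mac>[0-9A-Fa-f:]{17})")
LOGIN_RE = re.compile(
    r"Auth: \((?P<req>\d+)\) Login OK: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:]{17})\)")


def join_wrapped(text):
    """Rebuild one record per entry: a physical line that does not start with a
    timestamp is a wrapped continuation of the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Return one dict per stalled request, sorted by FreeRADIUS request number."""
    stalls, vlan_by_mac, logins = {}, {}, {}
    for record in join_wrapped(text):
        head = RECORD_RE.match(record)
        if not head:
            continue
        when = datetime.strptime(" ".join(head.group("ts").split()),
                                 "%a %b %d %H:%M:%S %Y")
        msg = head.group("msg")
        dup = DUP_RE.search(msg)
        if dup:
            # Request numbers restart with radiusd, so feed one run at a time.
            key = (int(dup.group("req")), dup.group("client"))
            stall = stalls.setdefault(key, {
                "radius_id": int(dup.group("id")),
                "stalled_in": dup.group("component") + "/" + dup.group("module"),
                "first": when, "last": when, "duplicates": 0})
            stall["duplicates"] += 1
            stall["first"] = min(stall["first"], when)
            stall["last"] = max(stall["last"], when)
            continue
        vlan = VLAN_RE.search(msg)
        if vlan:
            vlan_by_mac[vlan.group("mac").lower()] = int(vlan.group("vlan"))
            continue
        login = LOGIN_RE.search(msg)
        if login:
            logins[(int(login.group("req")), login.group("client"))] = (
                login.group("user"), login.group("mac").lower())

    report = []
    for (req, client), stall in sorted(stalls.items()):
        user, mac = logins.get((req, client), (None, None))
        report.append({
            "request": req, "client": client, "radius_id": stall["radius_id"],
            "stalled_in": stall["stalled_in"], "duplicates": stall["duplicates"],
            # Lower bound: time between the first and last retransmission seen.
            "stall_span_s": int((stall["last"] - stall["first"]).total_seconds()),
            "user": user, "mac": mac, "vlan": vlan_by_mac.get(mac)})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Each duplicate is a retransmission by the switch while the named module had not yet answered, so a growing count or span points at the call made in that module rather than at the certificate check.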



Re: [PacketFence-users] Reregister if SSID is changing

2016-09-26 Thread Antoine Amacher

Hello Tobias,

There is a reevaluation happening every time a user connects to a SSID as 
long as there is a new RADIUS request coming in.


Now for what you want to do, you could create a set of rules in your 
source of authentication, AD I presume, and use the condition SSID. Send 
back the role guest if the SSID is guest, or apply your normal rules if 
the SSID is internal.


Let us know if that helps.

Thanks,


On 09/21/2016 05:46 AM, Tobias Friede wrote:

Hi,

is it possible to reevaluate access every time a client/user makes a 
reconnect on our wifi?



Greetings
Tobias

2016-09-02 11:36 GMT+02:00 Tobias Friede <t.fri...@gmail.com>:


Hi,

No one with an Idea how to fix my problem?
Or is it better to use two packetfence servers, one for internal
authentication and one for hotspot services?

Greetings
Tobias

2016-09-01 9:20 GMT+02:00 Tobias Friede <t.fri...@gmail.com>:
> Hi,
>
> I have the following problem. I have 2 SSIDs:
> Guest and Internal.
>
> The Guest WiFi is OPEN and just secured with a captive page. The
> internal is secured with 802.1x EAP-TLS
> If a user connects to the guest wifi and logs in with a guest account,
> our Aerohive APS and Cisco WLC will move them to the correct vLAN.
> Everything seems to be fine. Unregistration via PF interface works
> fine too, so CoA is working.
>
> But If a user moves to the internal WiFi, the VLAN doesn't change back
> to the internal vLAN.
> The client still remains in guest VLAN, I think, because the client is
> registered for the guest user account.
> Is there any solution to solve this?
>
>
>
> Greetings
> Tobias






--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] How to configure packetfence for 802.1x wireless with Ruckus WLC

2016-09-26 Thread Antoine Amacher

Hello Sulabh,

All our guides including what you are looking for are available here:

https://packetfence.org/support/index.html#/documentation

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_ruckus

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_juniper

Thank you for your interest in PacketFence.


On 09/25/2016 12:15 PM, sulabh khanal wrote:

Hello,

I want to use packetfence with 802.1x wireless support for Ruckus WLC 
and Juniper 2200 switch. I would like to know what configurations I 
need to do on packetfence as well as Ruckus WLC and Juniper 2200. I am 
using Ruckus ZD 1200 with Ruckus ZoneFlex R500 Access Point. I am a 
beginner at using PacketFence and would like a step by step 
instructions for configuration.


Regards,
Sulabh




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Fingerbank API key not working

2016-09-16 Thread Antoine Amacher
For the local combination it is normal that it is empty, unless you 
created some.



On 09/15/2016 06:03 PM, Jason 'XenoPhage' Frisvold wrote:

On 9/15/16 16:33, Antoine Amacher wrote:

Jason,

You can check your fingerbank local db:

sqlite3 /usr/local/fingerbank/db/fingerbank_Local.db
.schema

If the result is not promising you can re-instantiate your local db by
doing:
make init-db-local
(from the folder /usr/local/fingerbank/)

Let us know if that helps.

Schema looks just fine to me..  There's nothing in the combination
table, but it's there.

I'm trying to dig through the code a bit to understand what's going on
..  Trying to unravel things.  It's been a while since I did OO Perl
though..  :P


Thanks





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Fingerbank API key not working

2016-09-15 Thread Antoine Amacher

Jason,

You can check your fingerbank local db:

sqlite3 /usr/local/fingerbank/db/fingerbank_Local.db
.schema

If the result is not promising you can re-instantiate your local db by 
doing:

make init-db-local
(from the folder /usr/local/fingerbank/)

Let us know if that helps.

Thanks

On 09/15/2016 02:58 PM, Jason 'XenoPhage' Frisvold wrote:

On 9/15/16 12:56, Antoine Amacher wrote:

The permissions on Fingerbank config file are the one expected.

You could always run: "/usr/local/pf/bin/pfcmd fixpermissions" to ensure
permissions are right everywhere.

Additionally, when I try to hit other links, I'm getting an error that
the server isn't running..  Is that something I need to explicitly start?

Which links? In the Fingerbank section of the admin? You might want to
have a look into /usr/local/pf/logs/httpd.admin.{log,catalyst,error},
you could get the information about the error.

Which version of PacketFence are you running? You could try to run the
maintenance; "perl /usr/local/pf/addons/pf-maint.pl".

Let us know if that helps.

Ok, tried both and restarted packetfence when I was done..  Still
getting the error :

" Error! An error occured while contacting the server. Please try again
later. "

And here's what I'm seeing in the http.admin.* logs :

==> logs/httpd.admin.error <==
[Thu Sep 15 14:53:28 2016] -e: Argument "" isn't numeric in numeric le
(<=) at /usr/local/pf/html/pfappserver/root/macros.inc line 25.
[Thu Sep 15 14:53:28 2016] -e: Argument "" isn't numeric in subtraction
(-) at /usr/local/pf/html/pfappserver/root/macros.inc line 25.
[Thu Sep 15 14:53:28 2016] -e: Argument "" isn't numeric in numeric le
(<=) at /usr/local/pf/html/pfappserver/root/macros.inc line 25.
[Thu Sep 15 14:53:28 2016] -e: Argument "" isn't numeric in subtraction
(-) at /usr/local/pf/html/pfappserver/root/macros.inc line 25.

==> logs/httpd.admin.log <==
Sep 15 14:53:28 httpd.admin(710) ERROR: Cannot read from 'Combination'
table in schema 'Local'. Cannot search
(pfappserver::Base::Model::Fingerbank::readAll)
Sep 15 14:53:28 httpd.admin(710) ERROR: Cannot read from 'Combination'
table in schema 'Local'. Cannot search
(pfappserver::PacketFence::Controller::Root::end)

So it looks like there's no database table for this?  I did try to run
all of the updates as well.

And if I try to save from the settings page, I see this :

==> logs/httpd.admin.error <==
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in
substitution (s///) at
/usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Fingerbank/Settings.pm
line 35.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value $type in
string eq at
/usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Fingerbank/Settings.pm
line 48.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in string eq
at /usr/local/fingerbank/lib/fingerbank/Config.pm line 191.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in
concatenation (.) or string at
/usr/local/fingerbank/lib/fingerbank/Config.pm line 194.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in string eq
at /usr/local/fingerbank/lib/fingerbank/Config.pm line 191.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in
concatenation (.) or string at
/usr/local/fingerbank/lib/fingerbank/Config.pm line 194.


Thanks





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Fingerbank API key not working

2016-09-15 Thread Antoine Amacher

The permissions on Fingerbank config file are the one expected.

You could always run: "/usr/local/pf/bin/pfcmd fixpermissions" to ensure 
permissions are right everywhere.


Additionally, when I try to hit other links, I'm getting an error that
the server isn't running..  Is that something I need to explicitly start?

Which links? In the Fingerbank section of the admin? You might want to 
have a look into /usr/local/pf/logs/httpd.admin.{log,catalyst,error}, 
you could get the information about the error.


Which version of PacketFence are you running? You could try to run the 
maintenance; "perl /usr/local/pf/addons/pf-maint.pl".


Let us know if that helps.

Thanks

On 09/15/2016 12:09 PM, Jason 'XenoPhage' Frisvold wrote:

On 9/15/16 11:53, Antoine Amacher wrote:

Hello Jason,

This is a bug: https://github.com/inverse-inc/packetfence/issues/1519
You would need to update your fingerbank package to a version superior
of 2.2.0.
You can verify with: rpm -qa | grep fingerbank

Hrm...

[root@packetfence0 logs]# rpm -qa | grep fingerbank
fingerbank-2.3.1-1.1.noarch


In case you want a manual fix with no update package you can edit the
file /usr/local/fingerbank/conf/fingerbank.conf and add the following
inside:

[upstream]
api_key=YOUR API KEY

That worked, but when I try to save the settings afterwards, I get an
error that it can't write to the fingerbank.conf file..  That file seems
to be owned by fingerbank :

-rw-rw-r--. 1 fingerbank fingerbank 60 Sep 15 12:05
/usr/local/fingerbank/conf/fingerbank.conf

I don't see anything running as fingerbank, and it doesn't look like
there are any other users in the fingerbank group..  perhaps that's the
issue?

Additionally, when I try to hit other links, I'm getting an error that
the server isn't running..  Is that something I need to explicitly start?

Thanks,





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Fingerbank API key not working

2016-09-15 Thread Antoine Amacher

Hello Jason,

This is a bug: https://github.com/inverse-inc/packetfence/issues/1519
You would need to update your fingerbank package to a version superior 
of 2.2.0.

You can verify with: rpm -qa | grep fingerbank

In case you want a manual fix with no update package you can edit the 
file /usr/local/fingerbank/conf/fingerbank.conf and add the following 
inside:


[upstream]
api_key=YOUR API KEY

Thanks

On 09/15/2016 11:35 AM, Jason 'XenoPhage' Frisvold wrote:

Hi!

I'm trying to set up the Fingerbank config on our packetfence instance,
but I'm running into a problem.  I've registered on the website as
requested and obtained my key.  However, when I add the key to
packetfence and click onboard, it submits as expected and reloads the
page with no key listed.  And the rest of the fingerbank functionality
informs me that fingerbank isn't configured.

Is there some trick I'm missing here, or have I run into a bug?

Thanks,





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Problem with network connectivity test after successful VLAN change.

2016-08-24 Thread Antoine Amacher

Hello Dominic,

You are right for the test for internet connectivity, all we do is 
request a small gif from inverse.ca, it could be an issue with MacOS 
which does not manage to renew its IP in time, could also be a browser 
cache issue.


You could try to raise up the redirection_timer for instance 
(progression bar while getting redirected on the portal), under the 
section trapping in configuration.


To be sure of the issue you should do a packet capture on one of the Macs 
which have the issue, and from there you should be able to see if the issue 
comes from the address which is taking time to get renewed or a browser 
cache issue for instance.


Thanks

On 08/24/2016 08:26 AM, Dominic Kilbride wrote:

Hi Antoine,
Thank you for answering.
YES the CoA is properly applied and the client ends up in the production VLAN. 
I'm using VLAN enforcement.
It seems to be only the test that fails, despite the client being moved to the 
correct Vlan with CoA. The client then displays the error text even though it is 
connected to the internet as configured.
I'm wondering how the connectivity test is run? I understand that if you are 
using the default ip address then the client's web browser will try to fetch a 
small img file from the inverse web server … But how is this done? Is this 
compatible with all browser and client versions? Windows 10 is working great 
for me but I’m having problems with MacOS.
Could it be a timeout problem? Like the client tries too early to get the image? 
And the change to production Vlan occurs later?
Any suggestions?
Best regards
Dominic
-
Hello Dominic

Is your CoA properly applied? Do you obtain an IP in your new VLAN
(production)?
Are you using VLAN or WebAuth enforcement type?

If VLAN enforcement, you could try to lower the DHCP lease in the
registration VLAN, to force an earlier re-auth.

Also make sure the configuration 'Allow AAA override' in the SSID
configuration on the WLC.

Thanks

On 08/23/2016 07:42 AM, Dominic Kilbride wrote:
> Hi all,
> I'm running 6.2 on CentOS and am having the following problems.
>
> After successful registration and CoA on my Cisco WLC the client ends up at
> the …
> ‘Unable to detect network connectivity. Try to restarting your web browser or
> opening a new tab to see if your access has been successfully enabled.’
>
> I am using the default method using the address of the inverse web server
> for the control. The test seems to be failing despite a working connection!
>
> Is there some time-out that can be adjusted? Can the detection method be
> bypassed as a workaround?
>
> Thanks in advance
>
> Dominic Kilbride

--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)





--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] device-registration page

2016-08-24 Thread Antoine Amacher
Hello Paul,

There have been changes in PacketFence 6.1 for the device-registration page.
You could try to update to 6.1 or later and see if this was a bug 
related issue.

I tested this on devel version and this is not happening to me, I used 
an AD account to login in the device-registration page and then register 
a device. I will probably test it with your version (6.0.3) just to confirm.

Also note that you need to empty the file conf/allowed_device_oui.txt to 
be able to register any device type from the device-registration page.

Make sure to do the following if you make any change to 
conf/allowed_device_oui.txt;
bin/pfcmd configreload hard
bin/pfcmd service httpd.portal restart

Thanks

On 08/24/2016 08:53 AM, Paul Coates wrote:
> Yes that is the page we have enabled. The source is set to our active
> directory. We can see the authentication on that page working from the
> packetfence logs. The problem is when a user logs in on that page and
> registers their MAC, they get the message that it registered OK, but
> unless they already have an entry in the person table in the pf database
> (i.e. the Users list), the MAC registration is actually stored as unreg
> and assigned to user default, not the person who logged into the site.
> Logging into the site does not add an entry to the Users list which I
> believe is a bug. This is a new CentOS 6 build for this project.
>
> We are thinking about populating the person table each day from a script
> as a work around if we can't find why this happens.
>
> Paul
>
> On 24/08/16 12:04, Torry, Andrew wrote:
>> There is a specific web page that enabled 'Device Registration'.
>> You need to 'Enable' it in the Configuration->Registration
>>
>> Your users then go to https://YOURPACKETFENCE/Device-Registration
>> where they enter a username and password.
>>
>> The credentials they can use must be matched by one of your defined 
>> authentication
>> SOURCES (or the local user database or both).
>>
>> The portal asks you for credentials then for the MAC address of the device 
>> before
>> registering it.
>>
>> Andrew
>>
>>
>>
>>
>> -
>>Falmouth University
>> -
>>
>> -Original Message-
>> From: Paul Coates [mailto:paul.coa...@ncl.ac.uk]
>> Sent: 23 August 2016 13:44
>> To: packetfence-users@lists.sourceforge.net
>> Subject: [PacketFence-users] device-registration page
>>
>> We are attempting to configure PacketFence 6.0.3 to provide student
>> halls access using a captive portal/802.1x/MAC Auth. We have an issue
>> with the /device-registration interface. I have been using the form to
>> add additional devices OK, then I asked a colleague (Jon) to try it and
>> all his registrations appear in the Nodes page as unregistered and the
>> owner is default.
>>
>> I have used the captive portal to test it and I appear in the list of
>> Users. Jon has not and is not in the user list. I had assumed when he
>> logs in on the /device-registration page he would be added to the Users
>> list automatically, but he is not. Is this a bug? If not how can I
>> change the behavior to automatically create the user?
>>
>> I'm thinking of the scenario of a student turning up with a game console
>> but no PC/laptop, so does not have a device he can register via the
>> captive portal. A work around seems to be manually creating a user for
>> this student with a fake password (since you need to enter one), then
>> under the portal profile set the Sources to just use the Active
>> Directory to authenticate users.
>>
>> Thanks,
>>
>> Paul
>>
>> --
>> Paul Coates, Newcastle University, Network Team
>>
>>
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Problem with network connectivity test after successful VLAN change.

2016-08-23 Thread Antoine Amacher
Hello Dominic

Is your CoA properly applied? Do you obtain an IP in your new VLAN 
(production)?

Are you using VLAN or WebAuth enforcement type?

If VLAN enforcement, you could try to lower the DHCP lease in the 
registration VLAN, to force an earlier re-auth.

Also make sure 'Allow AAA override' is enabled in the SSID 
configuration on the WLC.

Thanks

On 08/23/2016 07:42 AM, Dominic Kilbride wrote:
> Hi all,
> I'm running 6.2 on CentOS and am having the following problems.
>
> After successful registration and CoA on my Cisco WLC the client ends up at 
> the …
> ‘Unable to detect network connectivity. Try to restarting your web browser or 
> opening a new tab to see if your access has been successfully enabled.’
>
> I am using the default method using the address of the Inverse web server 
> for the control. The test seems to be failing despite a working connection!
>
> Is there some time-out that can be adjusted? Can the detection method be 
> bypassed as a workaround?
>
> Thanks in advance
>
> Dominic Kilbride

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Aerohive

2016-08-16 Thread Antoine Amacher

Hello Jason,

Which version of PacketFence are you running?
Also when using RoleBased, was your 'RoleMap' selected?
Are you using the AeroHIVE AP switch module?

In the meantime I will test it over here and let you know my finding.

Thanks

On 08/15/2016 06:31 PM, Guntharp, Jason W. wrote:

I did try it returning the profile name.
Aerohive HM radius test returns a different value per mode:

VlanId will return Vlan:0=0
RoleBased will return "None"

Yet clients steer fine. No profile assignment though, which is needed 
to correctly throttle applications, etc.


Any ideas?
Jason

Sent from my iPhone

On Aug 15, 2016, at 1:32 PM, Antoine Amacher <aamac...@inverse.ca> wrote:



Hello Jason,

User profile based "should" work, although when testing on our side 
it was not working properly so we took the decision to write the 
guide with returning VLAN.


Did you try to put the User-Profile name instead of the VLAN to 
return? (in the VLAN section)


Thanks

On Monday, August 15, 2016 13:36 EDT, "Guntharp, Jason W." 
<jwgunth...@iccms.edu> wrote:


Could anyone weigh in on Aerohive integration?

I have completed the Aerohive/PacketFence setup using 
https://packetfence.org/doc/PacketFence_Aerohive_Quick_Install_Guide.html. 
The behavior is as expected with VLAN enforcement and PacketFence 
steers devices to the correct VLAN, but Aerohive is not mapping the 
user/device to the correct user profile based on what it receives 
from PacketFence. Our Aerohive engineer mentioned that HiveManager is 
needing:


Tunnel-Type = GRE,

Tunnel-Medium-Type = IPv4,

Tunnel-Private-Group-ID =

The guide does mention PacketFence supporting the user profile 
mappings. Could anyone offer any guidance?


Thanks,

Jason Guntharp

Network Administrator

Itawamba Community College






Re: [PacketFence-users] Provisioner error when using EAP-TLS

2016-08-11 Thread Antoine Amacher

Hello Solomon,

Which version of PacketFence is currently installed on your setup?

Does the device have the configuration passed to it in PEAP? Does your SSID 
exist as configured on your testing device with the expected settings?


Thanks

On 08/11/2016 09:07 AM, Solomon Seal wrote:
When I set the provisioners to use EAP-TLS (only tested with a mspki) 
I get the following error:

-
Caught exception in 
captiveportal::Controller::Root->dynamic_application "Can't locate 
object method "current_module" via package 
"captiveportal::DynamicRouting::Module::Provisioning" at 
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module.pm 
line 236."

-

When I set the provisioner to PEAP, I do not get an error, but devices 
never connect after loading the configuration. I have tested this on 
iOS and Android. I see no other errors in the logs. Following the MSPKI 
guide I successfully tested everything in the debugging section.


Here is my (privacy filtered/sanitized) pki_provider.conf:

[App-CA]
country=US
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/pf_domain_edu.cer
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/ca.cer
locality=City
state=State
organizational_unit=Information Technology Services
url=http://10.1.1.136/CertSrv/mscep/
type=scep
cn_attribute=pid
organization=ORG


Here is a sanitized provisioners.conf (android):

[android]
eap_type=13
can_sign_profile=0
security_type=WPA
description=Android
broadcast=1
server_certificate_path=/usr/local/pf/conf/ssl/tls_certs/pf_domain_edu.cer
oses=
type=android
category=
pki_provider=App-CA
ssid=ITS Testing


I have setup portal modules following the guide section titled "Mixing 
login and Secure SSID on-boarding on the portal".


Ideas?





Re: [PacketFence-users] authentication on portal captive trough LDAP

2016-08-03 Thread Antoine Amacher

Oumy,


To be able to use the Auditing tab (assuming this is what you are talking 
about) you need to have a working RADIUS accounting configuration.



Thanks


On 08/03/2016 08:56 AM, Oumy Coulibaly wrote:

Hello Fabrice,
yes, that was that, I fixed it now. But I can't get the access log, I mean 
the auditing interface of the web admin is empty. Any idea of where the 
problem can come from?





Re: [PacketFence-users] change the background colors on the portal fro PF 6.2

2016-07-21 Thread Antoine Amacher

Hello Joel,

Look toward html/common/scss/_settings.colors.scss

You should also have a look at the following, if you need to do some 
customization with the css: 
https://packetfence.org/doc/PacketFence_Developers_Guide.html#_captive_portal

Thank you

On Thursday, July 21, 2016 13:56 EDT, "Morgan, Joel P."  
wrote:
 I upgraded from 5.7 to 6.2. How do you change the background colors on the new 
portal? I would like to use our organization's colors.



Re: [PacketFence-users] issus on debian using packetfence

2016-07-20 Thread Antoine Amacher

Hello Oumy,

PacketFence has a rule in iptables that allows SSH through on your 
management interface so no, PacketFence does not block it. You might 
want to try disabling your iptables to see if the issue comes from there.


Thanks

On 07/19/2016 11:08 AM, Oumy Coulibaly wrote:

Hi there,
I've installed PacketFence on a Debian 7. It works fine, but when I try 
to connect to my Debian using SSH it is not possible. When I ping the 
server from my cmd there is no problem, and I can also access 
PacketFence through my web browser.
Before installing PacketFence I was able to connect with SSH to 
my Debian from my computer, but after installing PacketFence it isn't 
possible, so does PacketFence block it?





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] DNS Resolution of Captive Portal after granting Access

2016-07-14 Thread Antoine Amacher
Hello Till,

I am not sure how your authentication by social media is working but why 
not use OAuth2 sources?

You could also add any domains you want to authorize to the pass through 
list, in this way people will be in the registration VLAN with access to 
authorized sites. If you need sites to enable for your social media 
access, you can check in the OAuth sources, each has a predefined list.

Thanks

On 07/14/2016 12:03 AM, g4-l...@tonarchiv.ch wrote:
> Hi there,
>
> We wrote our own captive portal, which allows the user to get verified
> by social networks. For this reason we give him temporary access first
> so he can reach the social network login pages.
>
> But now we have the problem that he can not be directed back to the
> captive portal as long as he has the temporary Internet access. The
> reason is that DNS resolution of captive portal (i.e. PF server) does
> not work anymore.
>
> Because we are using a public DNS server, we can not add the captive
> portal IP (which is a local one in the LAN) to this DNS.
>
> Is there a way to tell Packetfence to continue trapping and resolving
> DNS requests of the captive portal's name, as long as we grant temporary
> Internet access to the user?
> This would solve our problem.
>
> Or is there another way to resolve the PF name without using a local DNS?
>
> Best regards,
> Till
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Cisco Catalyst 3550 - Registration VLAN

2016-06-17 Thread Antoine Amacher
ze)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is
of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
(192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
(192.168.1.14) Added role registration to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)




Any thoughts?


Please advise,
Vianney










--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Cisco Catalyst 3550 - Registration VLAN

2016-06-17 Thread Antoine Amacher

Hello Vianney,

First check out your switch configuration (tab roles). At the moment you 
have switch by role and switch by VLAN selected; you should remove "role 
mapping by switch role".


PacketFence seems to answer to the switch RADIUS request properly.

Is VLAN 260 your production VLAN? If yes, is it spanned to this port?

Remember that PacketFence IS NOT a DHCP server on your production VLAN, 
we assume that you have your own server for that.


Thank you

On 06/17/2016 09:38 AM, Vianney Amador wrote:

Hi guys,

I am pretty much new to this world of PacketFence, I am testing this 
using a Cisco Catalyst 3550 with the latest IOS available.


I created my registration, isolation and normal VLANs on both the PF 
server interface and Switch.


I added this switch on PF using the parameters specified on the 
official documentation, also set up the switch using the 3550 (802.1x 
with MAB) configuration.


Created a source for Active Directory authentication.

I set up one of the ports on the switch with the parameters for the 
registration VLAN, the PC (Windows 10) automatically acquired an IP 
address from this subnet, so when I opened the browser it forced me to 
authenticate, so I put in my AD credentials and got authenticated.


When I connect the same PC on a port setup as specified on the 
official documentation, the PC WILL NOT get an IP address:


switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout quiet-period 2
dot1x timeout reauth-period 7200
dot1x timeout tx-period 3
dot1x reauthentication


Here is the log from the packetfence.log:

Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling 
radius autz request: from switch_ip => (192.168.1.14), connection_type 
=> WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => 
[28:d2:44:08:2c:68], port => 6, username => "28d244082c68" 
(pf::radius::authorize)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of 
status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] 
(192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] 
(192.168.1.14) Added role registration to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling 
radius autz request: from switch_ip => (192.168.1.14), connection_type 
=> WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => 
[28:d2:44:08:2c:68], port => 6, username => "28d244082c68" 
(pf::radius::authorize)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of 
status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] 
(192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] 
(192.168.1.14) Added role registration to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling 
radius autz request: from switch_ip => (192.168.1.14), connection_type 
=> WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => 
[28:d2:44:08:2c:68], port => 6, username => "28d244082c68" 
(pf::radius::authorize)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of 
status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] 
(192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] 
(192.168.1.14) Added role registration to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)





Any thoughts?


Please advise,
Vianney








--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
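
The log excerpt in the thread above shows one MAC being re-authorized by MAB every few seconds and answered with VLAN 260 and role registration each time. The following is an added example, not part of the original thread or of PacketFence: it groups such packetfence.log lines per MAC and flags that repeat pattern. The sample lines are constructed from the quoted format; the function names, the thresholds, the assumed year and the second device are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# "<syslog time> <process> <level>: [mac:<mac>] <message>", one event per line
# (the mail above wraps these lines; the log file itself does not).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \w+: "
    r"\[mac:(?P<mac>[0-9a-fA-F:]{17})\] (?P<msg>.*)$"
)
AUTHZ_RE = re.compile(
    r"handling radius autz request: from switch_ip => \((?P<switch>[^)]+)\), "
    r"connection_type => (?P<ctype>\w+),.*?port => (?P<port>\d+)"
)
STATUS_RE = re.compile(r"is of status (?P<status>\w+);")
VLAN_RE = re.compile(r"Added VLAN (?P<vlan>\S+) to the returned RADIUS Access-Accept")
ROLE_RE = re.compile(r"Added role (?P<role>\S+) to the returned RADIUS Access-Accept")


def _event(ts, mac, port, vlan, role, unreg):
    """Constructed lines for one MAB authorization, in the format quoted in the thread."""
    head = f"{ts} httpd.aaa(2249) INFO: [mac:{mac}]"
    user = mac.replace(":", "")
    lines = [
        f"{head} handling radius autz request: from switch_ip => (192.168.1.14), "
        f"connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), "
        f'mac => [{mac}], port => {port}, username => "{user}" (pf::radius::authorize)'
    ]
    if unreg:
        lines.append(f"{head} is of status unreg; belongs into registration VLAN "
                     f"(pf::role::getRegistrationRole)")
    lines.append(f"{head} (192.168.1.14) Added VLAN {vlan} to the returned RADIUS "
                 f"Access-Accept (pf::Switch::returnRadiusAccessAccept)")
    lines.append(f"{head} (192.168.1.14) Added role {role} to the returned RADIUS "
                 f"Access-Accept (pf::Switch::returnRadiusAccessAccept)")
    return lines


# Constructed sample: the three authorizations from the thread, plus a made-up
# second device (documentation MAC, hypothetical port/VLAN/role) seen only once.
SAMPLE_LOG = "\n".join(
    _event("Jun 17 09:50:05", "28:d2:44:08:2c:68", 6, 260, "registration", True)
    + _event("Jun 17 09:50:20", "28:d2:44:08:2c:68", 6, 260, "registration", True)
    + _event("Jun 17 09:50:29", "28:d2:44:08:2c:68", 6, 260, "registration", True)
    + _event("Jun 17 09:51:02", "00:00:5e:00:53:01", 7, 10, "default", False)
)


def summarize(log_text, year=2016):
    """Group authorization events by MAC. The log carries no year, so one is assumed."""
    nodes = defaultdict(lambda: {"requests": [], "ports": set(), "status": None,
                                 "vlans": set(), "roles": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-MAC line, or a mail-wrapped fragment
        node, msg = nodes[m["mac"].lower()], m["msg"]
        if (a := AUTHZ_RE.search(msg)):
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            node["requests"].append(when)
            node["ports"].add((a["switch"], int(a["port"]), a["ctype"]))
        elif (s := STATUS_RE.search(msg)):
            node["status"] = s["status"]
        elif (v := VLAN_RE.search(msg)):
            node["vlans"].add(v["vlan"])
        elif (r := ROLE_RE.search(msg)):
            node["roles"].add(r["role"])
    return dict(nodes)


def find_reauth_loops(nodes, min_requests=3, max_gap_seconds=60):
    """MACs re-authorized at short intervals that receive the same VLAN/role every time."""
    findings = []
    for mac, node in sorted(nodes.items()):
        times = sorted(node["requests"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        steady = len(node["vlans"]) == 1 and len(node["roles"]) <= 1
        if len(times) >= min_requests and gaps and max(gaps) <= max_gap_seconds and steady:
            findings.append({
                "mac": mac,
                "requests": len(times),
                "gaps_seconds": gaps,
                "status": node["status"],
                "vlan": next(iter(node["vlans"])),
                "role": next(iter(node["roles"]), None),
                "ports": sorted(node["ports"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reauth_loops(summarize(SAMPLE_LOG)):
        print(finding)
```

A finding means PacketFence gave the same Access-Accept on every attempt, so the next checks are the ones the reply names: whether the returned VLAN is present on that switch port and whether a DHCP server answers in it.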


Re: [PacketFence-users] Change "Acceptable use policy" value

2016-06-13 Thread Antoine Amacher

Hello Pierrick,

To change the text you can go to 
html/captive-portal/templates/aup_text.html. If you want to change the 
term "Acceptable Use Policy" you should go in the translation file 
conf/locale/en/LC_MESSAGES/packetfence.po, line 47, and change the msgstr 
for the term you want.


Thank you

On 06/13/2016 08:56 AM, prost pierrick wrote:


Hello,

Does someone know where I can change the «Acceptable Use Policy» 
value? Nothing in the documentation about it... strange.


Regards.

Pierrick Prost

CNRS- DR07





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Can not configure Fingerbank

2016-06-03 Thread Antoine Amacher

Hello Leonel,

This is a known issue not fixed at the moment,

you can go in /usr/local/fingerbank/config/fingerbank.conf and add the 
following:
[upstream]
api_key=YOUR API KEY

Then try to reload the Fingerbank Settings page.

thank you
On Friday, June 03, 2016 14:51 EDT, Leonel Bonito 
 wrote:
  
Hi Team,


 
I'm entering the API key and when I press on the "Get Aboard!" button, nothing 
happens and the Textbox becomes empty.


 
Some logs:

- httpd.admin.audit.log

{"status":200,"context":"/config/fingerbank/settings/onboard","action":"onboard","user":"admin","happened_at":"Fri Jun  3 15:41:17 2016"}


 
- httpd.admin.log

Jun 03 15:40:59 httpd.admin(1973) WARN: Fingerbank API key is not configured. 
Running with limited features 
(pfappserver::PacketFence::Controller::Config::Fingerbank::Settings::check_for_api_key)

Jun 03 15:41:17 httpd.admin(1976) WARN: Fingerbank API key is not configured. 
Running with limited features 
(pfappserver::PacketFence::Controller::Config::Fingerbank::Settings::check_for_api_key)


 
I’m running PF ZEN 6.0.1


 
Is there something I can do?


 
Thanks!


 
Regards,

Leonel



 


Re: [PacketFence-users] PT-BR translation

2016-05-30 Thread Antoine Amacher
Hello Filipe,

If you are looking for the file where the translation is done, look over 
/usr/local/pf/conf/locale/pt_BR/LC_MESSAGES/packetfence.po.

You will need to execute the following in your CLI after making changes 
to the file:
# Run from /usr/local/pf (the paths below are relative to it).
for TRANSLATION in de en es fr he_IL it nl pl_PL pt_BR; do
    /usr/bin/msgfmt "conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.po" \
        --output-file "conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.mo"
done

If you want to contribute to the translation I'll advise you to make a 
request to be able to translate here:
https://www.transifex.com/inverse/packetfence/

Thank you

On 05/30/2016 12:47 PM, felipe santos dos santos wrote:
> Hello everyone, good afternoon,
> I would like to know where I can find the translation of the portal and 
> management interface into Portuguese?
>

-- 
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] Windows Computer Certificates instead of hostnames

2016-05-30 Thread Antoine Amacher

Hello Holger,

1. You cannot do EAP-TLS + PEAP on a supplicant, it will be either one 
or the other. The combination of certificate and user/pw is not possible 
then.


That being said, you can do an EAP-TLS Computer + User Auth, which would 
first authenticate the computer with its hostname and its matching computer 
certificate and then authenticate the user with the user certificate as 
soon as the user logs in.


You will need to look into the EAP-TLS configuration for the server also, 
the main point being that your RADIUS and client certificates need to be 
issued from the same CA. There is an example of how to configure EAP-TLS 
with working certificates over here: 
http://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_2_configuring_packetfence 


This example is with MSPKI but can be applied to any PKI.

For the filter there is an example matching what I explain, 
(ComputerAuth + UserAuth if ComputerAuth is valid) in the 
vlan_filters.conf.example file under the folder /usr/local/pf/conf


2. The other option would be to do EAP-TLS as ComputerAuth only and use 
the portal for a Username/PW authentication.


In this case you would not need to set any filter (via the filtering 
engine). Once your EAP-TLS has authenticated, you should be redirected 
to the portal, since the EAP-TLS will only grant you access to be able 
to talk with PacketFence, unless you have a rule that registers devices 
which authenticate via EAP-TLS.
You could then create a portal profile using the filter connection-type 
Ethernet-EAP and/or Wireless-802.11-EAP, and add here your required 
source of authentication for the Username/PW.


This way you will have the combination wanted, the user will have to 
enter his credentials after his computer was validated on the network 
via a certificate.


Thank you

On 05/30/2016 11:22 AM, holger.patz...@t-systems.com wrote:


Hi folks,

anyone who can help me with the following task:

I want to authenticate Clients with Windows Computer Certificates (not 
“hostname”) and Username/pw.


-How do I configure the first ?

-And how does the filter have to look for combining it with the user auth?

Thanks,

Holger





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Captive Portal.

2016-05-30 Thread Antoine Amacher

Hello Sohaib,

You need to reach your registration interface, not the management one as 
your X.X.X.X address, unless your management interface has 'portal' (as 
an additional listening daemon).


For the redirection, make sure you land in the registration VLAN when 
you plug/connect your device, are you able to ping the registration 
interface from there?


"DHCP is working fine since I get a valid ip address after. "
Is this IP you are getting provided by PacketFence?

Thank you


On 05/30/2016 08:04 AM, Sohaib Afourid wrote:

Hello,
I am using Packetfence for  a school project, with 802.1X 
authentication using MYSQL and AD. Everything seems to be working fine 
so far. The only issue I am facing right now is the Captive Portal, 
once I successfully authenticate, I get redirected to the registration 
VLAN, DHCP is working fine since I get a valid ip address after. To my 
understanding, packetfence should redirect me to a captive portal to 
register my device (automatically), that does not happen, and even if 
I try to access the captive portal manually (using 
https://X.X.X.X/captive-portal with 
X.X.X.X being my management IP address) it fails.

Can you please guide me through a solution.
Where should i start looking ?





--
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] PKfence help for validate architecture (VLAN trunk, no Vlan assignement, No NAT)

2016-05-26 Thread Antoine Amacher

[ASCII network diagram not recoverable; surviving labels: VLAN Eduroam, VLAN employee, VLAN guest]

Regards

Pierrick Prost

CNRS Rhones Alpes

France








--
Fabrice Durand
fdur...@inverse.ca  ::  +1.514.447.4918 (x135)  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Best wifi device for openWrt / Packetfence give me your feedbacks boys !

2016-05-25 Thread Antoine Amacher

Hello Pierrick,

We did test it with an Ubiquiti Nanostation N2. The switch module in 
PacketFence is Hostapd, so if you manage to have another device where 
you can install it, you could always give it a try.


For Mikrotik it should work on CAPsMAN enabled APs, tested on v6.18.

Thank you


On 05/25/2016 06:32 AM, PROST pierrick wrote:


I looked at Mikrotik, the “wAP AC” are very interesting! Have you tested 
PacketFence with these models? Version of RouterOS is compatible?


Pierrick

*From:* PROST pierrick
*Sent:* Wednesday, May 25, 2016 11:13
*To:* packetfence-users@lists.sourceforge.net
*Subject:* RE: [PacketFence-users] Best wifi device for openWrt / 
Packetfence give me your feedbacks boys !


Hi Antoine, thanks for this feedback, which Ubiquiti device have you tried?

Pierrick

*From:* Antoine Amacher [mailto:aamac...@inverse.ca]
*Sent:* Tuesday, May 24, 2016 15:21
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Best wifi device for openWrt / 
Packetfence give me your feedbacks boys !


Hello Pierrick,

This was tested only with Ubiquiti on our side, you can try to do it 
on other devices but we can't confirm that it will work.


Thanks

On 05/24/2016 08:38 AM, PROST pierrick wrote:

Hi everyone,

We want to buy and deploy PacketFence with an out-of-band
configuration. We are looking for a new wifi device with OpenWRT
14.07 compatibility to match this documentation


http://packetfence.org/doc/PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.html

Do you have some feedback? Ubiquiti? Linksys? Mikrotik?

Have a good day!

Pierrick Prost

CNRS





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Best wifi device for openWrt / Packetfence give me your feedbacks boys !

2016-05-24 Thread Antoine Amacher

Hello Pierrick,

This was tested only with Ubiquiti on our side, you can try to do it on 
other devices but we can't confirm that it will work.


Thanks

On 05/24/2016 08:38 AM, PROST pierrick wrote:


Hi everyone,

We want to buy and deploy PacketFence with an out-of-band configuration. 
We are looking for a new wifi device with OpenWRT 14.07 compatibility to 
match this documentation


http://packetfence.org/doc/PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.html

Do you have some feedback? Ubiquiti? Linksys? Mikrotik?

Have a good day!

Pierrick Prost

CNRS





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Captive Portal Disclaimer Text

2016-05-20 Thread Antoine Amacher

Hello Manfred,

You can change it in 
/usr/local/pf/html/captive-portal/templates/aup_text.html


Thank you.

On 05/20/2016 03:45 AM, Schannen, Manfred wrote:


Hello,

I'm testing ZEN 6.0.1, VMWare, and I am looking for the file where the
„disclaimer text“ can be changed?

Thanks





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Default sponsor email in PF 6.0.1.

2016-05-16 Thread Antoine Amacher

Hello,

If you want to modify the email sent for the sponsor access, look toward 
/usr/local/pf/conf/templates/email-guest_sponsor_action_you_want_to_modify.html 
(activation/confirmation)


Thank you

On 05/16/2016 04:22 AM, Воробьёв Андрей wrote:


How can I configure the default sponsor email in 6.0.1?

I could easily do it in 5.7 editing guest.html.





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
