Re: [PacketFence-users] Re: 802.1x auth failed
Kimiko,

Yes for the first question. Aruba requires you to use a Profile in the Aruba configuration; you will need to create roles. They do not have to have the same names as in PF: you make the link between roles in PF and roles in Aruba in your switch's configuration in PacketFence. If you use the automatic registration, after being authenticated in dot1x devices should go to their production VLAN.

Check out the network configuration guide:
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba
You should find the information about how to configure the Aruba there.

Thanks

On 09/08/2017 10:26 AM, Kimiko_Yan wrote:
> Hi Antoine,
>
> Do you mean the "Automatically register devices" check in my "radius_auth" connection profile? I read the explanation beside it and maybe you are right; I'll try it in my PoC environment later.
>
> But there is another question: even if PF set my device to the registration role, why did the Aruba AC assign me a normal VLAN's IP? I thought the registration role should have the registration VLAN's IP (an IP in 192.168.2.0/24). I'm not sure if my Aruba AC was wrongly configured. I checked a little but did not find any role named "registration" or "employees" in the Aruba AC. The Aruba configuration is too complicated... I have to check that with our network engineer.

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] 802.1x auth failed
Hello Kimiko,

I am thinking that you do not have a rule to apply a role at the moment, so you validate the dot1x on PF, but that's just the authentication part; authentication =/= registration. You could enable the autoreg on the secure connection profile, so anyone who succeeds in authenticating in dot1x will be automatically registered on PF. Else you will need to authenticate twice, once for the connection and once on the portal of PF.

Thanks

On 09/08/2017 05:24 AM, Kimiko_Yan via PacketFence-users wrote:
> Hi
>
> Now I have successfully accomplished 802.1x local auth with the newly created user "test124", but now the question is, why does it always show "is of status unreg" and just put the device into the registration role? The user has finished 802.1x auth and the device should be put into the default (employees) role as I defined... Why not now?
>
> My switch config, profiles config and packetfence.log are as below:
>
> # more profiles.conf
> [mac-auth]
> locale=
> filter=ssid:pf-public
> sources=email
> redirecturl=https://172.30.1.5/
> always_use_redirecturl=enabled
>
> [802.1x]
> locale=
> filter=ssid:pf-secure
> sources=radius
> always_use_redirecturl=enabled
> redirecturl=http://172.30.1.5
>
> # more switches.conf
> [172.30.1.250]
> deauthMethod=RADIUS
> description=Aruba AC
> type=Aruba
> RoleMap=Y
> mode=production
> ExternalPortalEnforcement=Y
> defaultRole=employees
> guestRole=internet-only
> wsPwd=admin1
> cliUser=admin
> wsTransport=HTTPS
> wsUser=admin
> defaultVlan=801
> radiusSecret=hahahaha
> SNMPCommunityRead=pftest
> SNMPCommunityWrite=pftest
> SNMPVersion=2c
> cliPwd=admin1
> cliEnablePwd=admin1
> VlanMap=N
>
> # tail -f packetfence.log
> Sep 8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:64:b0:a6:d3:24:bd] handling radius autz request: from switch_ip => (172.30.1.250), connection_type => Wireless-802.11-EAP,switch_mac => (00:0b:86:b7:78:6f), mac => [64:b0:a6:d3:24:bd], port => 0, username => "test123", ssid => pf-secure (pf::radius::authorize)
> Sep 8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:64:b0:a6:d3:24:bd] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Sep 8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:64:b0:a6:d3:24:bd] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> Sep 8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:64:b0:a6:d3:24:bd] (172.30.1.250) Added role registrationto the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Re: [PacketFence-users] Bandwidth limit
Re: [PacketFence-users] Howto: Migrate Packetfence 6 and Packetfence-pki from server
Hello Rokkhan,

You will need to migrate the content of your sqlite3 DB, which is holding the CA, user certs and everything you configured on the PKI. So you need to either transfer the DB file or transfer the content. The sqlite3 DB is in /usr/local/packetfence-pki/db/

Let us know if that helps.

Thanks

On 09/06/2017 12:02 PM, Rokkhan via PacketFence-users wrote:
> Hi,
>
> Due to some performance issues with CentOS 6 and PacketFence-PKI, I have installed a new server on CentOS 7. I am doing some tests and it is working OK, but how should I migrate users, nodes, the CA certificate and the user certificates generated with pf6 and packetfence-pki from the CentOS 6 server to the CentOS 7 server?
>
> Greetings.
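The reply's "transfer the DB file" is the whole migration, so the thing worth getting right is copying a SQLite file that may still be open by the PKI service and then proving the copy is complete. As an added example (not PacketFence-PKI code; the table names in the stand-in schema are hypothetical, and the real file lives under the /usr/local/packetfence-pki/db/ path named above), this uses SQLite's online backup API instead of a plain file copy, runs an integrity check on the result and compares per-table row counts before declaring the migration done.

```python
import os
import sqlite3
import tempfile


def migrate_sqlite(src_path, dst_path):
    """Copy a (possibly live) SQLite database with the online backup API, then verify the
    copy: PRAGMA integrity_check must say 'ok' and every table must have the same row
    count on both sides. Returns {table: rows} for the copy."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    try:
        src.backup(dst)  # consistent snapshot even if the service is writing to src
        if dst.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise RuntimeError("copy failed integrity_check")
        tables = [r[0] for r in dst.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        counts = {}
        for table in tables:
            n_src = src.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]
            n_dst = dst.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]
            if n_src != n_dst:
                raise RuntimeError("row count mismatch in %s: %d vs %d" % (table, n_src, n_dst))
            counts[table] = n_dst
        return counts
    finally:
        src.close()
        dst.close()


def demo():
    """Constructed stand-in for the PKI database: hypothetical ca/user_cert tables with
    placeholder PEM text, migrated from old.db to new.db in a temporary directory."""
    workdir = tempfile.mkdtemp()
    src_path = os.path.join(workdir, "old.db")
    dst_path = os.path.join(workdir, "new.db")
    con = sqlite3.connect(src_path)
    con.executescript("""
        CREATE TABLE ca (id INTEGER PRIMARY KEY, cn TEXT, cert TEXT);
        CREATE TABLE user_cert (id INTEGER PRIMARY KEY, ca_id INTEGER, cn TEXT, cert TEXT);
        INSERT INTO ca VALUES (1, 'Example PKI CA', '-----BEGIN CERTIFICATE----- placeholder');
        INSERT INTO user_cert VALUES (1, 1, 'alice', 'placeholder'), (2, 1, 'bob', 'placeholder');
    """)
    con.commit()
    con.close()
    return migrate_sqlite(src_path, dst_path)


if __name__ == "__main__":
    print(demo())
```

On the real servers the same `migrate_sqlite` call would point at the old DB file and a fresh path on the CentOS 7 host; the copy then needs the ownership and mode the PKI service expects before it is started.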
Re: [PacketFence-users] Problem with radius certificate. Time to renew.
Hello Dominic,

Try to apply the maintenance: perl addons/pf-maint.pl

This should fix the actual issue. To renew the certificate you can do it via openssl commands. Create a conf_file.cnf in which you need the following:

# [req] tells openssl req which DN prompts and which extension section to use;
# without it the command cannot find a distinguished_name and stops.
[req]
distinguished_name = req_distinguished_name
x509_extensions = cert

[req_distinguished_name]
countryName = Country Name (2 letter code)
organizationName = Organization Name
commonName = Common Name (server FQDN)

[cert]
extendedKeyUsage = serverAuth

then run this command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -config conf_file.cnf

then fill in the requested information and move your certificate/key to replace the old one.

Thanks

On 08/14/2017 10:56 AM, dominic--- via PacketFence-users wrote:
> Hi All,
>
> I am running version 6.2.1 on CentOS with great success. Until today! After a restart of the system PacketFence services fail to start.
>
> service packetfence start
> Redirecting to /bin/systemctl start packetfence.service
> Job for packetfence.service failed because the control process exited with error code. See "systemctl status packetfence.service" and "journalctl -xe" for details.
> [root@pf pf]# systemctl status packetfence.service
> ● packetfence.service - PacketFence Service
>    Loaded: loaded (/usr/lib/systemd/system/packetfence.service; enabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Mon 2017-08-14 16:52:00 CEST; 46s ago
>   Process: 2940 ExecStart=/usr/local/pf/bin/pfcmd service pf start (code=exited, status=255)
>
> Aug 14 16:51:39 pf.kalmar.se pfcmd[2940]: [Mon Aug 14 16:51:39 2017] pfappserver.pm: Cannot determine desired terminal width, using default of 80 columns
> Aug 14 16:51:40 pf.kalmar.se pfcmd[2940]: AH00548: NameVirtualHost has no effect and will be removed in the next release /usr/local/pf/var/conf/httpd.conf.d/httpd.admin:194
> Aug 14 16:51:52 pf.kalmar.se pfcmd[2940]: httpd.admin|start
> Aug 14 16:51:52 pf.kalmar.se pfcmd[2940]: Checking configuration sanity...
> Aug 14 16:51:59 pf.kalmar.se pfcmd[2940]: FATAL - The certificate used by FreeRADIUS (/usr/local/pf/raddb/certs/server.crt) has expired.
> Aug 14 16:51:59 pf.kalmar.se pfcmd[2940]: Regenerate a new self-signed certificate or update your current certificate.
> Aug 14 16:51:59 pf.kalmar.se systemd[1]: packetfence.service: control process exited, code=exited status=255
> Aug 14 16:52:00 pf.kalmar.se systemd[1]: Failed to start PacketFence Service.
> Aug 14 16:52:00 pf.kalmar.se systemd[1]: Unit packetfence.service entered failed state.
> Aug 14 16:52:00 pf.kalmar.se systemd[1]: packetfence.service failed.
> [root@pf pf]#
>
> So it seems I have a problem with the RADIUS cert? Does anyone know how to renew this certificate?
>
> best regards
> Dominic Kilbride
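The sanity check that stopped pfcmd only fires at start-up, which is the worst moment to learn that the FreeRADIUS certificate is past notAfter. As an added example (not PacketFence code), the script below reads the validity period straight out of the certificate with a minimal DER walk over the standard library, reports the days remaining and exits non-zero inside a 30-day window, so it can run from cron before a restart does the check for you. The path is the one named in the FATAL line; the sample certificates at the bottom are constructed, unsigned placeholders that carry only enough structure to be parsed, and the `read_tlv`/`cert_validity` helpers are mine.

```python
import ssl
import sys
from datetime import datetime, timedelta, timezone

FREERADIUS_CERT = "/usr/local/pf/raddb/certs/server.crt"  # path from the FATAL line above


def read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def children(buf, start, end):
    """Iterate over the TLVs nested inside a constructed element."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_validity(cert):
    """Return (notBefore, notAfter) of a PEM string or DER bytes X.509 certificate."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)
    _, cert_start, _ = read_tlv(cert, 0)                # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = read_tlv(cert, cert_start)  # tbsCertificate ::= SEQUENCE
    fields = list(children(cert, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields.pop(0)
    # fields are now: serialNumber, signature, issuer, validity, subject, spki, ...
    _, vstart, vend = fields[3]
    not_before, not_after = [parse_time(t, cert[s:e]) for t, s, e in children(cert, vstart, vend)]
    return not_before, not_after


def days_until_expiry(cert, now=None):
    """Days left on the certificate; negative once expired (the state pfcmd refused to start in)."""
    now = now or datetime.now(timezone.utc)
    return (cert_validity(cert)[1] - now).days


# ---- constructed sample certificates: unsigned placeholders, just enough DER to parse ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert_der(not_before, not_after):
    def utc(d):
        return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                 # [0] version v3
        der(0x02, b"\x01"),                            # serialNumber
        der(0x30, b""),                                # signature algorithm (placeholder)
        der(0x30, b""),                                # issuer (placeholder)
        der(0x30, utc(not_before) + utc(not_after)),   # validity
        der(0x30, b""),                                # subject (placeholder)
        der(0x30, b""),                                # subjectPublicKeyInfo (placeholder)
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


NOW = datetime(2017, 8, 14, 14, 52, tzinfo=timezone.utc)  # 16:52 CEST from the systemd status
SAMPLE_VALID = sample_cert_der(NOW, NOW + timedelta(days=365))
SAMPLE_EXPIRED = sample_cert_der(NOW - timedelta(days=730), NOW - timedelta(days=365))

if __name__ == "__main__":
    # Usage: python check_radius_cert.py [/path/to/server.crt]; warn at 30 days, fail if expired.
    path = sys.argv[1] if len(sys.argv) > 1 else FREERADIUS_CERT
    with open(path) as f:
        left = days_until_expiry(f.read())
    print("%s: %d day(s) until expiry" % (path, left))
    sys.exit(2 if left < 0 else 1 if left < 30 else 0)
```

The DER walk deliberately reads only the validity field, so it works on any certificate regardless of the issuer, extensions or signature algorithm; a renewed certificate produced with the openssl command above parses the same way.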
Re: [PacketFence-users] Captive portal redirection not working
Hello Cristian,

When you say "the PC gets the correct IP address", is it given by PacketFence? Make sure the DNS and gateway are the registration interface of PacketFence. Make sure you do not have any ACL on the switch or network that could conflict with it. Try to reach the portal and see if the IP of the test device is hitting the portal; look into logs/httpd.portal.access

Thanks

On 07/28/2017 08:00 AM, Cristian Mammoli via PacketFence-users wrote:
> Hi, I installed the latest PF on CentOS 7 following the official documentation. I configured management, registration, isolation and portal interfaces. I joined the server to an AD domain, configured an authentication source and a connection profile, and configured a switch (Cisco 2960X) with 802.1x+MAB.
>
> Then I tried plugging a Win7 notebook not yet joined to the domain into the switch port, and PacketFence correctly puts it in the registration VLAN:
>
> Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] handling radius autz request: from switch_ip => (192.168.16.44), connection_type => WIRED_MAC_AUTH,switch_mac => (2c:86:d2:5d:47:81), mac => [20:cf:30:36:7c:bb], port => 10101, username => "20cf30367cbb" (pf::radius::authorize)
> Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] Instantiate profile gruppoapra (pf::Connection::ProfileFactory::_from_profile)
> Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] (192.168.16.44) Added VLAN 112 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> The PC gets the correct IP address but from there there is no redirection to the captive portal; I can ping the PacketFence IP address on the registration VLAN but nothing else. If I try to open a browser I get connection refused to every URL.
>
> I'm new to PacketFence so I'm probably missing something obvious, but any help would be greatly appreciated
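The 802.1x thread above (Aruba, EAP client ending up in the registration role) and this one (Cisco, MAB client ending up in VLAN 112) show the same four httpd.aaa lines per RADIUS request, and Antoine's diagnosis turns on reading them together: an EAP connection whose node is still "status unreg" means authentication succeeded but the node was never registered, whereas MAB plus unreg is the normal captive-portal path. As an added example, not PacketFence code and not from either poster, here is a parser that folds those lines into one record per client MAC and emits that triage. The regexes and the finding labels are mine; the sample lines are the ones quoted in the two threads.

```python
import re
from collections import OrderedDict

# Sample input: the httpd.aaa lines quoted in the two threads (one 802.1X client, one MAB client).
SAMPLE_LOG = """\
Sep 8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:64:b0:a6:d3:24:bd] handling radius autz request: from switch_ip => (172.30.1.250), connection_type => Wireless-802.11-EAP,switch_mac => (00:0b:86:b7:78:6f), mac => [64:b0:a6:d3:24:bd], port => 0, username => "test123", ssid => pf-secure (pf::radius::authorize)
Sep 8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:64:b0:a6:d3:24:bd] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Sep 8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:64:b0:a6:d3:24:bd] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Sep 8 16:55:12 bogon packetfence_httpd.aaa: httpd.aaa(10971) INFO: [mac:64:b0:a6:d3:24:bd] (172.30.1.250) Added role registrationto the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] handling radius autz request: from switch_ip => (192.168.16.44), connection_type => WIRED_MAC_AUTH,switch_mac => (2c:86:d2:5d:47:81), mac => [20:cf:30:36:7c:bb], port => 10101, username => "20cf30367cbb" (pf::radius::authorize)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] Instantiate profile gruppoapra (pf::Connection::ProfileFactory::_from_profile)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] (192.168.16.44) Added VLAN 112 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
AUTZ_RE = re.compile(r'switch_ip => \(([^)]+)\), connection_type => ([^,]+),.*?username => "([^"]*)"(?:, ssid => (\S+))?')
PROFILE_RE = re.compile(r"Instantiate profile (\S+) \(")
STATUS_RE = re.compile(r"is of status (\w+); belongs into (\w+) VLAN")
# PF prints "role registrationto the returned" with no space, so the space is optional here.
RETURN_RE = re.compile(r"Added (role|VLAN) (.+?) ?to the returned RADIUS Access-Accept")


def parse_aaa_log(text):
    """Fold the httpd.aaa lines of one RADIUS authorization into a record per client MAC."""
    nodes = OrderedDict()
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        rec = nodes.setdefault(m.group(1), {"mac": m.group(1)})
        autz = AUTZ_RE.search(line)
        profile = PROFILE_RE.search(line)
        status = STATUS_RE.search(line)
        returned = RETURN_RE.search(line)
        if autz:
            rec.update(switch_ip=autz.group(1), connection_type=autz.group(2),
                       username=autz.group(3), ssid=autz.group(4))
        elif profile:
            rec["profile"] = profile.group(1)
        elif status:
            rec.update(status=status.group(1), target=status.group(2))
        elif returned:
            rec["returned"] = (returned.group(1), returned.group(2))
    return list(nodes.values())


def triage(records):
    """Apply the distinction made in the reply: authentication is not registration."""
    findings = []
    for rec in records:
        if rec.get("status") != "unreg":
            continue
        ctype = rec.get("connection_type", "")
        if "EAP" in ctype:
            findings.append((rec["mac"], "dot1x-auth-but-unreg",
                             "802.1X authentication succeeded for %r but the node is still "
                             "unregistered; enable auto-registration on the connection profile "
                             "or register the node" % rec.get("username")))
        elif "MAC_AUTH" in ctype:
            findings.append((rec["mac"], "mab-unreg-expected",
                             "MAB on an unregistered node: the registration VLAN/role is expected, "
                             "so verify the client reaches the portal (logs/httpd.portal.access)"))
    return findings


if __name__ == "__main__":
    for mac, label, why in triage(parse_aaa_log(SAMPLE_LOG)):
        print(mac, label, "-", why)
```

Pointing `parse_aaa_log` at the real packetfence.log (or a `grep` of one MAC out of it) gives the same per-node view the posters assembled by hand, with the returned role or VLAN beside the connection type that produced it.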
Re: [PacketFence-users] Bad Request 400 on Packetfence PKI
Hi,

Can you make sure the PKI is properly started:

ps -edf | grep packetfence-pki
netstat -nlp | grep 9393

and that iptables is allowing it:

iptables -S | grep 9393

Thanks

On 07/28/2017 06:53 AM, Akala Kehinde via PacketFence-users wrote:
> Hello Guys,
>
> I get a Bad Request 400 when I try accessing https://172.16.100.2:9393/ i.e. the PKI server interface on PF 7.2. Any idea what might be wrong?
>
> Regards,
> Kehinde
Re: [PacketFence-users] Provisioner Setup necessary for hidden and non-hidden SSIDs??
Hello Kehinde,

It depends what you need the provisioner for, but to be honest, the best use case of the provisioner is to provide the client with certificates to then authenticate on an EAP-TLS connection. If you are using a hidden SSID, I think it is nice for the client to not have to configure the SSID manually. For, let's say, a WPA2-Enterprise PEAP SSID that is not hidden, no, I don't think it is necessary. The use is also that it avoids user mistakes while configuring it.

Let us know if that helps.

Thanks

On 07/17/2017 08:57 AM, Akala Kehinde via PacketFence-users wrote:
> Hello guys,
>
> First I would like to thank the PacketFence team for the great work done so far and the continuous effort put in to make the solution even better. I have a quick question regarding the Provisioner configuration and how to set it up with mobile phones.
>
> Assuming the SSID is not hidden, after the provisioner is configured on PF and tied to a Connection Profile, is the provisioner setup needed here, since I can easily log in from the captive portal? And assuming the SSID is hidden, will the mobile user need to set this up manually the first time, and when browsing the first time, will a link to the Play Store be displayed where the PacketFence agent can be installed, or how is the setup going to look on the mobile phone?
>
> In summary, is there any real use for the provisioner since I can set it up manually at first run and save my settings for subsequent use.
>
> Regards,
> Kehinde
Re: [PacketFence-users] Packetfence in webauth enforcement
Hello Aaron,

WebAuth will look almost like the VLAN enforcement; what changes is mainly what we return to the switch request and the fact that PF is NOT the DHCP/DNS while registering. The part you are looking for is mainly how to configure your controller to work in WebAuth, i.e. if using a Cisco WLC look at this documentation:
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_wireless_lan_controller_wlc_web_auth

Make sure that your management interface has 'portal' as an additional daemon, or that you have a portal interface.

Thanks

On 07/15/2017 04:40 PM, Aaron Ridgewell via PacketFence-users wrote:
> Hi all. I apologise if this has been posted before. I am trying to use PacketFence in WebAuth enforcement mode. I can see admin guides for inline and OOB but not for WebAuth. I am looking to use this for email guest registration. Can someone point me in the right direction for a guide to setting up WebAuth with email registration?
>
> Thanks
> Aaron
>
> Sent from my iPhone
Re: [PacketFence-users] Authentication Source question
Hello Will,

The EAP-TLS source is there just to validate that the client and server certificates have the same issuer, that is it, nothing else. Now it will allow you to establish rules based on certificate attributes, CN for instance.

Thanks

On 07/14/2017 09:29 AM, Will Halsall via PacketFence-users wrote:
> Hi Folks,
>
> I have configured mspki on our system but was wondering about the Authentication Source setup. Initially I used AD with the attribute ServicePrincipalName but then noticed there was an EAPTLS Source so configured that as well. Both work, so I was wondering which approach is the best to use and how the Authentication Source EAPTLS works, as there is very little to set up, just a name and rules.
>
> Thanks
> WillH
>
> This message is intended only for the use of the person(s) to whom it is addressed, and may contain privileged and confidential information. If it has come to you in error, please contact the sender as soon as possible, and note that you must take no action based on the content, nor must you copy, distribute, or show the content to any other person. In accordance with its legal obligations, Farnborough College of Technology reserves the right to monitor the content of e-mails sent and received, but will not do so routinely.
Re: [PacketFence-users] Recommended Linux Distro for PF
Hello Steve,

CentOS is the "main" distribution we use, so we would recommend this one.

Thanks

On 07/12/2017 03:56 PM, Steve Allen via PacketFence-users wrote:
> Hello All
>
> I've followed PacketFence for a while now but never had enough time to put it into a production network. I'm hoping to do this in the very near future and my first question is related to the OS to choose. Based on your own experiences which Linux distro would you recommend: CentOS or Debian? Is one more stable/reliable than the other? Is one easier to maintain/update PF on? Any insight would be helpful.
>
> Thanks
>
> --
> Steve Allen
> SJA Networks
> Email: steve.al...@sjanetworks.co.uk
> Mobile: 07500 008196
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and then delete your copy of the email. The views expressed in this email are the views of the individual and may not reflect the views of SJA Networks.
Re: [PacketFence-users] Unable to view the web configuration page after installation
Hello,

The httpd and haproxy processes are not running. Try this:

/usr/local/pf/bin/pfcmd service httpd.admin start

Thanks

On 07/10/2017 01:13 AM, Muralidhar Bg via PacketFence-users wrote:
> Hi,
>
> I installed PacketFence following the instructions on https://packetfence.org/doc/PacketFence_Administration_Guide.html
>
> After installation I tried opening the https://@ip_of_packetfence:1443/configurator page on my server; I get an "unable to connect" error in the browser. Also find the status of PacketFence as given below:
>
> $ /usr/local/pf/bin/pfcmd service pf status
> carbon-cache|1|0
> carbon-relay|1|0
> collectd|1|0
> dhcpd|0|0
> haproxy|1|0
> httpd.aaa|1|0
> httpd.admin|1|0
> httpd.collector|0|0
> httpd.dispatcher|1|0
> httpd.graphite|1|0
> httpd.parking|1|0
> httpd.portal|1|0
> httpd.proxy|0|0
> httpd.webservices|1|0
> iptables|1|0
> keepalived|0|0
> p0f|1|0
> pfbandwidthd|0|0
> pfdetect||0
> pfdhcplistener|1|0
> pfdns|0|0
> pffilter|1|0
> pfmon|1|0
> pfqueue|1|0
> pfsetvlan|0|0
> pfsso|1|0
> radiusd-acct|1|0
> radiusd-auth|1|0
> radsniff|1|0
> redis_ntlm_cache|0|0
> redis_queue|1|0
> routes|0|-1
> snmptrapd|0|0
> statsd|1|0
> winbindd|0|0
>
> On further investigation I found out that MySQL is not working as well (error as given below):
>
> $ ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")
>
> MySQL and the rest of the dependencies were installed by running the PacketFence installation command. I am running CentOS 7 on my server.
>
> Please help!
Re: [PacketFence-users] Machine authentication
Lucas,

Map the domain on which they should authenticate with the realm LOCAL, in Configuration -> Policies and Access Control -> Realms.

Thanks

On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
> Hi all,
>
> I'm trying to do machine authentication against Windows AD but it doesn't work. I've created the domain and the realm, but in the RADIUS debug log I can see that it is not catching the correct realm:
>
> (20) Fri Jul 7 16:29:45 2017: Debug: Received Access-Request Id 103 from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
> (20) Fri Jul 7 16:29:45 2017: Debug: User-Name = "host/LAB3-NB.dm.loc"
> (20) Fri Jul 7 16:29:45 2017: Debug: Service-Type = Framed-User
> (20) Fri Jul 7 16:29:45 2017: Debug: Framed-MTU = 1500
> (20) Fri Jul 7 16:29:45 2017: Debug: Called-Station-Id = "00-22-91-6F-B8-81"
> (20) Fri Jul 7 16:29:45 2017: Debug: Calling-Station-Id = "00-9C-02-92-EA-B0"
> (20) Fri Jul 7 16:29:45 2017: Debug: EAP-Message = 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
> (20) Fri Jul 7 16:29:45 2017: Debug: Message-Authenticator = 0xcf9553149f5c843907b87d3758e0b7d8
> (20) Fri Jul 7 16:29:45 2017: Debug: Cisco-AVPair = "audit-session-id=0A0A0A0400DEBBDF4BBE"
> (20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port-Type = Ethernet
> (20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port = 50101
> (20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port-Id = "GigabitEthernet1/0/1"
> (20) Fri Jul 7 16:29:45 2017: Debug: NAS-IP-Address = 10.10.10.4
> (20) Fri Jul 7 16:29:46 2017: Debug: suffix: Checking for suffix after "@"
> (20) Fri Jul 7 16:29:46 2017: Debug: suffix: No '@' in User-Name = "host/LAB3-NB.dm.loc", skipping NULL due to config.
> (20) Fri Jul 7 16:29:46 2017: Debug: [suffix] = noop
> (20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Checking for prefix before "\"
> (20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name = "host/LAB3-NB.dm.loc", looking up realm NULL
> (20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Found realm "null"
> (20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Adding Stripped-User-Name = "host/LAB3-NB.dm.loc"
> (20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
> (20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Authentication realm is LOCAL
> (20) Fri Jul 7 16:29:46 2017: Debug: [ntdomain] = ok
>
> How can I solve this? Obviously the machine is correctly joined to the domain; below the servicePrincipalName associated:
>
> TERMSRV/LAB3-NB.dm.loc
> TERMSRV/LAB3-NB
> RestrictedKrbHost/LAB3-NB
> HOST/LAB3-NB
> RestrictedKrbHost/LAB3-NB.dm.loc
> HOST/LAB3-NB.dm.loc
>
> Anyone that can suggest me what to check? Thank you in advance.
>
> Luca
>
> Sent from Outlook
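The debug log above shows exactly why a machine account misses the realm Luca configured: the `suffix` module only splits on "@", `ntdomain` only on "\", and "host/LAB3-NB.dm.loc" contains neither, so the request is tagged with the NULL realm ("null" in the log) and is handled locally. As an added example, not FreeRADIUS or PacketFence code, the block below reproduces that realm resolution, looks the result up in a constructed realm-to-domain map (the keys are hypothetical, not realms.conf syntax), and checks a radiusd debug excerpt against what the resolver predicts, which is the quickest way to see whether the realm that needs a domain mapping is the one you configured or the null one.

```python
import re

# Constructed realm -> domain mapping in the spirit of the reply above (hypothetical names).
REALM_MAP = {
    "dm.loc": "dm",  # user@dm.loc            (suffix realm)
    "DM": "dm",      # DM\user                (ntdomain realm)
    "null": "dm",    # no delimiter at all: host/... machine accounts end up here
}


def resolve_realm(user_name):
    """Mimic the two rlm_realm instances in the log: 'suffix' (delimiter '@', realm after
    the last '@'), then 'ntdomain' (delimiter '\\', realm before the first '\\').
    With neither delimiter the realm is NULL, which the log prints as realm "null".
    Returns (module, Stripped-User-Name, Realm)."""
    if "@" in user_name:
        stripped, realm = user_name.rsplit("@", 1)
        return "suffix", stripped, realm
    if "\\" in user_name:
        realm, stripped = user_name.split("\\", 1)
        return "ntdomain", stripped, realm
    return "none", user_name, "null"


def domain_for(user_name, realm_map=REALM_MAP):
    """Domain the request would be routed to, or None when its realm has no mapping
    (the failure mode in the thread: a realm is configured, but not the one the
    machine account actually resolves to)."""
    return realm_map.get(resolve_realm(user_name)[2])


USER_RE = re.compile(r'User-Name = "([^"]*)"')
REALM_RE = re.compile(r'Adding Realm = "([^"]*)"')


def check_log(text):
    """Pull User-Name and the Realm rlm_realm added from a radiusd -X excerpt and compare
    with resolve_realm(); returns (user_name, realm_in_log, realm_predicted)."""
    user = USER_RE.search(text)
    if not user:
        return None
    realm = REALM_RE.search(text)
    predicted = resolve_realm(user.group(1))[2]
    return user.group(1), realm.group(1) if realm else None, predicted


# Sample input: four of the debug lines quoted in the thread.
SAMPLE_DEBUG = '''
(20) Fri Jul 7 16:29:45 2017: Debug: User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul 7 16:29:46 2017: Debug: suffix: No '@' in User-Name = "host/LAB3-NB.dm.loc", skipping NULL due to config.
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: No '\\' in User-Name = "host/LAB3-NB.dm.loc", looking up realm NULL
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
'''

if __name__ == "__main__":
    print(check_log(SAMPLE_DEBUG))
    for name in ("host/LAB3-NB.dm.loc", "user@dm.loc", "DM\\user"):
        print(name, "->", resolve_realm(name), "domain:", domain_for(name))
```

Dropping the "null" entry from `REALM_MAP` makes `domain_for("host/LAB3-NB.dm.loc")` return None while the two user forms still resolve, which is the situation the thread describes.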
Re: [PacketFence-users] Unable to save authentication setting
Hello Will,

It could be a permission issue (if it is, try: bin/pfcmd fixpermissions), or something to do with pfconfig, or even something else; it is a bit hard to tell with only this message. You could always try to manually write it in the file conf/authentication.conf, but typos are not kind in this file, so make sure to use an existing example. When done, try: bin/pfcmd configreload hard, and the source should appear on the admin interface.

Thanks

On 07/06/2017 04:13 AM, Will Halsall via PacketFence-users wrote:
> Hi All,
>
> Just a bit more information. Saving an authentication source in PF 7.0.0 worked fine, but when I come to add another source since upgrading to PF 7.1.0 it gives the below error in httpd.admin.log:
>
> httpd.admin.log:Jul 5 19:16:21 packetfence httpd_admin: httpd.admin(2612) ERROR: [mac:unknown] Error writing authentication configuration (pf::ConfigStore::Authentication::writeAuthenticationConfigFile)
>
> The GUI gives the following:
>
> Is there any other way of adding an authentication source?
>
> From: Will Halsall via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
> Sent: Wednesday, July 5, 2017 7:22 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Will Halsall
> Subject: [PacketFence-users] Unable to save authentication setting
>
> When I try to save an Authentication Source I get the following error:
>
> PF 7.1.0
> httpd.admin.log:Jul 5 19:16:21 packetfence httpd_admin: httpd.admin(2612) ERROR: [mac:unknown] Error writing authentication configuration (pf::ConfigStore::Authentication::writeAuthenticationConfigFile)
Re: [PacketFence-users] mspki computer authentication
Hello Will,

The certificate exchange looks fine. Do you have an AD computer auth source (using ServicePrincipalName as the attribute)? Also, is the CA in radiusd/eap.conf, and is it installed on the client? You could also run RADIUS in debug mode to get more information:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t3600

Thanks

On 07/05/2017 11:13 AM, Will Halsall via PacketFence-users wrote:

Hi All,

I have tried to set up mspki to use AD computer authentication and have followed the Quick Installation Guide, but cannot get the clients to work.

The client is a Windows 10 domain laptop. The server is PF 7.1.0. The CA is installed on Windows 2012R2.

When I try to connect I get the following in the radius log. Could anyone advise on how to go about resolving this issue, or if it's even possible?

Willh

RADIUS Request
User-Name = "host/Stuart-PC.college.farnborough"
NAS-IP-Address = 172.16.36.30
NAS-Port = 0
Service-Type = Login-User
Framed-MTU = 1100
State = 0x7e1adcc07913d16fa3fa9452e2e3aa94
Called-Station-Id = "04:bd:88:c4:e2:60"
Calling-Station-Id = "00:24:2b:60:ff:79"
NAS-Identifier = "IAP Cluster FCOT"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Jul 5 2017 16:00:37 BST"
EAP-Message = 0x020900060d00
Message-Authenticator = 0x5cf158a0b8216591e4a2125a9c68ee90
Aruba-Essid-Name = "test"
Aruba-Location-Id = "N2 - outside"
Aruba-AP-Group = "IAP Cluster"
EAP-Type = TLS
Stripped-User-Name = "host/Stuart-PC.college.farnborough"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.16.36.30
Called-Station-SSID = "test"
Tmp-String-1 = "00242b60ff79"
TLS-Cert-Serial = "72c5b6d2120648b44e26747040ed5949"
TLS-Cert-Expiration = "220701135414Z"
TLS-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Cert-Subject = "/DC=farnborough/DC=college/CN=azure"
TLS-Cert-Common-Name = "azure"
TLS-Client-Cert-Serial = "7d0060dfebbdb604c4cc8200020060"
TLS-Client-Cert-Expiration = "190705141544Z"
TLS-Client-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Client-Cert-Subject = "/CN=Stuart-PC.college.farnborough"
TLS-Client-Cert-Common-Name = "Stuart-PC.college.farnborough"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication TLS Web Client Authentication"
TLS-Client-Cert-X509v3-Subject-Key-Identifier = "6D:D8:A4:E6:C5:9F:BC:58:D1:A9:89:AE:A6:D4:C1:60:F4:C2:DF:F2"
TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:81:0F:70:98:FB:13:46:81:60:6E:0C:46:EC:DA:B8:64:47:E9:6A:8C\n"
TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\"}"
User-Password = "**"
SQL-User-Name = "host/Stuart-PC.college.farnborough"

RADIUS Reply
MS-MPPE-Recv-Key = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d
MS-MPPE-Send-Key = 0x5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a
EAP-MSK = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a
EAP-EMSK = 0xc5bfd638609e0698282b0bf2de29ddf6b9fdf7139a9f904b7b3ad26fc2d15ea55533869cdd945115bb9ec75e0662627807100d8aae044f3232bd63f3c1f22282
EAP-Session-Id = 0x0d595cff1448a9ab1b5f34620219363a29ba87e4f2ff3058941f15a081ef0de171595cff15d2572d184a352a5e88a3b0af21328a83b299dec4f4ca938c86f0941f
EAP-Message = 0x03090004
Message-Authenticator = 0x
Stripped-User-Name = "host/Stuart-PC.college.farnborough"

-- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- Antoine Amacher aamac...@inverse.ca :: www.invers
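As an added example (not code from the thread, PacketFence or FreeRADIUS), the Python below parses a FreeRADIUS-style attribute dump like the one Will posted and runs the checks a computer-authentication policy relies on before trusting such a request: EAP-TLS is in use, the client certificate carries the clientAuth extended key usage, it was issued by the expected CA, it has not expired, and the "host/" identity in User-Name matches the certificate CN or DNS SAN. The sample dump, the issuer string and the capture time are constructed from values quoted in the thread; the function names are assumptions.

```python
"""Sanity checks over a FreeRADIUS attribute dump for an EAP-TLS machine-auth request.

This is an added example; it is not PacketFence or FreeRADIUS code. It parses
the "Attribute = value" lines that FreeRADIUS prints (for instance via raddebug)
and reports what would make the request untrustworthy for computer authentication.
"""
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the request quoted in the thread (subset of attributes).
SAMPLE_REQUEST = """\
User-Name = "host/Stuart-PC.college.farnborough"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Jul 5 2017 16:00:37 BST"
EAP-Type = TLS
TLS-Cert-Subject = "/DC=farnborough/DC=college/CN=azure"
TLS-Client-Cert-Expiration = "190705141544Z"
TLS-Client-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Client-Cert-Subject = "/CN=Stuart-PC.college.farnborough"
TLS-Client-Cert-Common-Name = "Stuart-PC.college.farnborough"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication TLS Web Client Authentication"
TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"
"""

# Assumed trusted issuer DN and the sample's capture time (Event-Timestamp above, in UTC).
SAMPLE_ISSUER = "/DC=farnborough/DC=college/CN=azure"
SAMPLE_NOW = datetime(2017, 7, 5, 15, 0, 37, tzinfo=timezone.utc)

_LINE = re.compile(r'^\s*([\w\-]+)\s*=\s*(.*?)\s*$')


def parse_attrs(dump: str) -> dict:
    """Return {attribute: value} from an attribute dump; surrounding double quotes
    are stripped and lines without '=' (e.g. 'RADIUS Request') are ignored.
    A repeated attribute keeps its last value."""
    attrs = {}
    for line in dump.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def check_machine_cert(attrs: dict, trusted_issuer: str, now=None) -> list:
    """Return a list of problems; an empty list means the request passes all checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if attrs.get("EAP-Type") != "TLS":
        problems.append("not an EAP-TLS request")
    eku = attrs.get("TLS-Client-Cert-X509v3-Extended-Key-Usage", "")
    if "TLS Web Client Authentication" not in eku:
        problems.append("client certificate lacks clientAuth EKU")
    if attrs.get("TLS-Client-Cert-Issuer") != trusted_issuer:
        problems.append("client certificate issued by an unexpected CA")
    # FreeRADIUS prints the notAfter date as YYMMDDHHMMSSZ (UTC).
    exp = attrs.get("TLS-Client-Cert-Expiration")
    try:
        expires = datetime.strptime(exp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append("client certificate expired on %s" % expires.date())
    except (TypeError, ValueError):
        problems.append("unparseable TLS-Client-Cert-Expiration")
    # Machine identities arrive as host/<fqdn>; the fqdn must be the certificate's.
    identity = attrs.get("User-Name", "")
    if not identity.startswith("host/"):
        problems.append("User-Name is not a machine identity (no host/ prefix)")
    else:
        host = identity[len("host/"):].lower()
        names = {attrs.get("TLS-Client-Cert-Common-Name", "").lower(),
                 attrs.get("TLS-Client-Cert-Subject-Alt-Name-Dns", "").lower()}
        if host not in names:
            problems.append("User-Name host does not match certificate CN/SAN")
    return problems


if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE_REQUEST)
    for problem in check_machine_cert(attrs, SAMPLE_ISSUER, now=SAMPLE_NOW) or ["request looks sane"]:
        print(problem)
```

Run against a live raddebug capture, the same function flags the two failure modes the thread circles around: a certificate chained to a CA that is not the one configured in eap.conf, and an identity that does not belong to the certificate presented.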
Re: [PacketFence-users] Question about collaboration PacketFence and Nessus
Hello Jacek, I am not sure where you should find the Nessus ID for the trigger, but what you have seems to be right. Your whole configuration looks fine. For the error you get it seems to be a bug in the code, try to apply the following patch, restart pfqueue and try again. diff --git a/lib/pf/scan/nessus6.pm b/lib/pf/scan/nessus6.pm index ec15b57..17043d9 100644 --- a/lib/pf/scan/nessus6.pm +++ b/lib/pf/scan/nessus6.pm 
@@ -103,7 +103,7 @@ sub startScan { return 1; } -my $scanner_id = $nessus->get_scanner_id(name => $scanner_name); +my $scanner_id = $nessus->get_scan_id(name => $scanner_name); if ($scanner_id eq ""){ $logger->warn("Nessus scanner name doesn't exist ".$scanner_id); return 1; You could create a file nessus_patch.diff and use the patch command to apply it: patch -p1 < nessus_patch.diff Let us know if that help, Thanks On 06/28/2017 11:39 AM, Jacek Kurek via PacketFence-users wrote: Hi All, I have a problem with configuration. Of course I read documentation and tutorials but it isn't resolve my problem. Could you help me with that? My purpose is builiding that configuration (PF+Nessus) which in when I plug to the switch some vulnerable host (e.g. witch wannacry vulnerability) then Nessus is detecting it and moving that host to separate VLAN. I have installed and configured PacketFence. I'm using test switch which is Cisco Catalyst 2960G. PF was configure in vlan enforcement and VLAN enforcement works fine. Next, I installed Nessus 6. I'm added new account for collaborating with PacketFence and I created new scanner and new policy in Nessus (both are called "wannacry_audit"). Next in PacketFence I created new scaner. I chose Nessus6 and I filled all required gaps, also name of the scaner and policy. Next I go to Violation configuration. _My first question is: can I use existing violation called "Nessus Scan" or I should create a new violation with different (new) ID?_ Because I'm wasn't sure, I modified existing "Nessus scan". _Next question: how and where I could find ID of the scaner which should be added to triggers?_ I'm found in Nessus subdirectory file which should be related witch the type of scanner which I chose (WannaCry Ransomware (MS17-010 / CVE-2017-0144). The file is //opt/nessus/lib/nessus/plugins/smb_nt_ms17-010.nasl/. The file includes a line "script_id(97737);". I suppose that 97737 is the ID which I having to write as trigger in the violation. 
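Review bot: the hunk replaces get_scanner_id with get_scan_id but still passes name => $scanner_name, still stores the result in $scanner_id, and the unchanged warning that follows ("Nessus scanner name doesn't exist ".$scanner_id) concatenates a value that is the empty string in the very branch that logs it. If get_scan_id looks up a scan rather than a scanner, the variable name, the argument and the warning text should say so; either way, logging $scanner_name instead of $scanner_id would show which name failed the lookup. A short comment at the call site explaining why the scanner lookup was swapped would also help, since the error Jacek hit is that the old method does not exist in the installed Net::Nessus::REST.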
So I did it. The next configuration step I made was editing the default connection profile and adding the defined scanner (wannacry_audit) to the profile. Finally I connected a laptop with an out-of-date Windows XP system to the switch port. Unfortunately, every time I saw error lines such as the ones below in packetfence.log (the ERROR line is the one I bolded):

Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] grace expired on violation 124 for node 00:24:e8:xx:xx:xx (pf::violation::violation_add)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] violation 124 added for 00:24:e8:xx:xx:xx (pf::violation::violation_add)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] executing action 'log' on class 124 (pf::action::action_execute)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] /usr/local/pf/logs/violation.log 2017-06-22 22:54:19: Post Reg System Scan (124) detected on node 00:24:e8:xx:xx:xx (192.168.0.11) (pf::action::action_log)
Jun 22 22:54:20 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Jun 22 22:54:20 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] New ID generated: 149816486064eeff (pf::util::generate_id)
Jun 22 22:54:21 pf pfqueue: pfqueue(2083) ERROR: [mac:00:24:e8:xx:xx:xx] Can't locate object method "get_scanner_id" via package "Net::Nessus::REST" at /usr/local/pf/lib/pf/scan/nessus6.pm line 106. (pf::api::can_fork::notify)

Could you tell me what the problem is? I tried modifying the configuration in different ways (both on PacketFence and on Nessus), but every time the error happened and the vulnerability scanner doesn't work.

Best regards,
Jacek Kurek

-- Antoine Amacher aamac...@inverse.ca ::
Re: [PacketFence-users] mab+802.1x authentication
Hello Lucas,

You have to use another source, yes. If it is for a 'Guest' access, then why not use the email, SMS or sponsor source, for instance. Add the sources you want to be able to authenticate with in the connection profile. If you do not add any sources, ALL configured sources will be available. Also make sure you are testing with a client which is not in the domain.

Thanks

On 06/07/2017 08:47 AM, luca comes via PacketFence-users wrote:

Hi Antoine,

I'm doing more tests, but point 2 is not so clear. To match the new connection profile, do I need to specify a source in addition to the connection type filter? In that case, which type of source should I add? I want clients that are not 802.1x capable or are outside of my domain to take a specific profile and be put on the registration VLAN. At the moment I've created a new connection profile as you suggested and configured the switch to use MAB after the 802.1x timeout, but the clients are always registered and assigned to a role specified in another connection profile.

Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Wednesday 31 May 2017 22:19
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,

1. I am pretty sure Windows favours UserAuthentication if a user is logged in and "User or Machine" is selected in the supplicant. You could also set up the connection as UserAuth only, but then you lose your Machine Authentication. Have a look at VLAN filters: there is a case example where we want the endpoint to have a machine account before allowing UserAuthentication, which means every device matching this filter will have to do Machine Auth first, then User Auth. You could also reduce the timeout for 802.1x re-auth in the switch configuration, which would force a re-authentication from the device.

2. To force a profile to be used when the connection is MAB, simply add a filter in the connection profile: 'Connection Type: WIRED_MAC_AUTH'.

Thanks

On 05/31/2017 03:24 AM, luca comes wrote:

Hi Antoine,

I then tried, and machine auth is working fine. The main problem is that when a user logs in, it is not moved to the right VLAN. Debugging 802.1x requests on the switch I can see that dot1x times out and it falls back to MAB authentication. So I have two questions:

1. Is there a way to force the client to send the user? I've configured it with the option "user or machine authentication". Could it be a client bug? I'm testing on a Windows 10 machine at the moment; I will try the same on a Windows 8 client.

2. When it switches to MAB authentication it gets the default owner and takes a profile (named Test at the moment), but I don't understand how to associate the profile with the MAB auth.

Thanks
Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Tuesday 30 May 2017 15:39
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Luca,

For this case make sure the authentication type selected on the supplicant is "User authentication or Machine authentication", and make sure both user and machine AD sources are enabled on the connection profile. This will allow the machine to do MachineAuth when nobody is logged in on the machine, and when a user logs in it will do User authentication. So during MachineAuth the device will be assigned to VLAN X -> Only AD; when the user logs in, the device will be assigned to VLAN Y -> User VLAN.

Thanks

On 05/30/2017 04:17 AM, luca comes wrote:

Hi Antoine,

thank you for your help. I tried with the new profile and I can do machine authentication now. But I have a problem: at the first step I do machine auth to put the hosts on a dedicated VLAN that can see only Active Directory and nothing more. At this step the user can authenticate on the machine or change the AD password and so on. But when the user is logged on I want to put them on another VLAN based on the role associated with the AD group. At the moment the user is authenticated, so I can see the node status registered to the user with the correct role, but no VLAN change is made. Is that possible?

Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Monday 29 May 2017 17:55
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,

To use MachineAuthentication, create an AD source like the one used for your UserAuthentication, and replace the Username attribute: "sA
Re: [PacketFence-users] New PF 7.0 Cluster Configuration Question
sk 2017-05-31 15:53:27 140202702010112 [Note] WSREP: forgetting c23cc2a6 (tcp://10.18.0.38:4567)
2017-05-31 15:53:27 140202693617408 [Note] WSREP: New COMPONENT: primary = yes, bootstrap = no, my_idx = 1, memb_num = 2
2017-05-31 15:53:27 140202693617408 [Note] WSREP: STATE EXCHANGE: Waiting for state UUID.
2017-05-31 15:53:28 140202702010112 [Note] WSREP: (d53696c2, 'tcp://0.0.0.0:4567') connection established to c23cc2a6 tcp://10.18.0.38:4567
2017-05-31 15:53:28 140202702010112 [Warning] WSREP: discarding established (time wait) c23cc2a6 (tcp://10.18.0.38:4567)
2017-05-31 15:53:30 140202702010112 [Note] WSREP: cleaning up c23cc2a6 (tcp://10.18.0.38:4567)

-- Peter Reilly
Wycliffe Bible Translators
peter_rei...@wycliffe.org

-- Antoine Amacher aamac...@inverse.ca :: www.inverse.ca
Re: [PacketFence-users] mab+802.1x authentication
Hello Lucas,

1. I am pretty sure Windows favours UserAuthentication if a user is logged in and "User or Machine" is selected in the supplicant. You could also set up the connection as UserAuth only, but then you lose your Machine Authentication. Have a look at VLAN filters: there is a case example where we want the endpoint to have a machine account before allowing UserAuthentication, which means every device matching this filter will have to do Machine Auth first, then User Auth. You could also reduce the timeout for 802.1x re-auth in the switch configuration, which would force a re-authentication from the device.

2. To force a profile to be used when the connection is MAB, simply add a filter in the connection profile: 'Connection Type: WIRED_MAC_AUTH'.

Thanks

On 05/31/2017 03:24 AM, luca comes wrote:

Hi Antoine,

I then tried, and machine auth is working fine. The main problem is that when a user logs in, it is not moved to the right VLAN. Debugging 802.1x requests on the switch I can see that dot1x times out and it falls back to MAB authentication. So I have two questions:

1. Is there a way to force the client to send the user? I've configured it with the option "user or machine authentication". Could it be a client bug? I'm testing on a Windows 10 machine at the moment; I will try the same on a Windows 8 client.

2. When it switches to MAB authentication it gets the default owner and takes a profile (named Test at the moment), but I don't understand how to associate the profile with the MAB auth.

Thanks
Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Tuesday 30 May 2017 15:39
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Luca,

For this case make sure the authentication type selected on the supplicant is "User authentication or Machine authentication", and make sure both user and machine AD sources are enabled on the connection profile. This will allow the machine to do MachineAuth when nobody is logged in on the machine, and when a user logs in it will do User authentication. So during MachineAuth the device will be assigned to VLAN X -> Only AD; when the user logs in, the device will be assigned to VLAN Y -> User VLAN.

Thanks

On 05/30/2017 04:17 AM, luca comes wrote:

Hi Antoine,

thank you for your help. I tried with the new profile and I can do machine authentication now. But I have a problem: at the first step I do machine auth to put the hosts on a dedicated VLAN that can see only Active Directory and nothing more. At this step the user can authenticate on the machine or change the AD password and so on. But when the user is logged on I want to put them on another VLAN based on the role associated with the AD group. At the moment the user is authenticated, so I can see the node status registered to the user with the correct role, but no VLAN change is made. Is that possible?

Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Monday 29 May 2017 17:55
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,

To use MachineAuthentication, create an AD source like the one used for your UserAuthentication, and replace the Username attribute "sAMAccountName" with "ServicePrincipalName". That will allow you to do MachineAuthentication. Make sure to add this source to your connection profile. If the machine is in the domain with a valid machine account, then it will be able to authenticate. To properly test MachineAuthentication, make sure that it is allowed or enforced in the 802.1x supplicant configuration.

Thanks

On 05/29/2017 11:34 AM, luca comes wrote:

Hi Pedro,

yes, I think so, but I don't understand how to do this. Do I need to create a new connection profile for it? At the moment I have only one connection profile other than the default, which takes care of users. I'm really confused.

Thanks
Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Pedro Simões <pedro.sim...@layer8.pt>
*Sent:* Monday 29 May 2017 17:06
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

I think for that scenario you need to use machine authentication.

*From:* luca comes [mailto:lucaco...@hotmail.it]
*Sent:* Monday, May 29, 2017 3:12 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] mab+802.1x authentication

Hi all,

I successfully configured the latest release of PF with a Cisco Catalyst 3750G to perform 802.1x a
Re: [PacketFence-users] mab+802.1x authentication
Hello Luca,

For this case make sure the authentication type selected on the supplicant is "User authentication or Machine authentication", and make sure both user and machine AD sources are enabled on the connection profile. This will allow the machine to do MachineAuth when nobody is logged in on the machine, and when a user logs in it will do User authentication. So during MachineAuth the device will be assigned to VLAN X -> Only AD; when the user logs in, the device will be assigned to VLAN Y -> User VLAN.

Thanks

On 05/30/2017 04:17 AM, luca comes wrote:

Hi Antoine,

thank you for your help. I tried with the new profile and I can do machine authentication now. But I have a problem: at the first step I do machine auth to put the hosts on a dedicated VLAN that can see only Active Directory and nothing more. At this step the user can authenticate on the machine or change the AD password and so on. But when the user is logged on I want to put them on another VLAN based on the role associated with the AD group. At the moment the user is authenticated, so I can see the node status registered to the user with the correct role, but no VLAN change is made. Is that possible?

Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Antoine Amacher <aamac...@inverse.ca>
*Sent:* Monday 29 May 2017 17:55
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,

To use MachineAuthentication, create an AD source like the one used for your UserAuthentication, and replace the Username attribute "sAMAccountName" with "ServicePrincipalName". That will allow you to do MachineAuthentication. Make sure to add this source to your connection profile. If the machine is in the domain with a valid machine account, then it will be able to authenticate. To properly test MachineAuthentication, make sure that it is allowed or enforced in the 802.1x supplicant configuration.

Thanks

On 05/29/2017 11:34 AM, luca comes wrote:

Hi Pedro,

yes, I think so, but I don't understand how to do this. Do I need to create a new connection profile for it? At the moment I have only one connection profile other than the default, which takes care of users. I'm really confused.

Thanks
Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Pedro Simões <pedro.sim...@layer8.pt>
*Sent:* Monday 29 May 2017 17:06
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

I think for that scenario you need to use machine authentication.

*From:* luca comes [mailto:lucaco...@hotmail.it]
*Sent:* Monday, May 29, 2017 3:12 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] mab+802.1x authentication

Hi all,

I successfully configured the latest release of PF with a Cisco Catalyst 3750G to perform 802.1x authentication over my AD domain. I'm studying the solution because the intention is to deploy it on all my sites (more or less 15 sites and 1000 users). Currently the server is located in our datacenter in an out-of-band deployment, and locally on my test site I've configured registration and isolation VLANs even if they are not used in an 802.1x environment. The problem now is that I need to permit AD authentication on PCs where credentials are not in the client's cache, but at the beginning neither IP traffic nor DHCP is permitted, so users can't access the network. I thought that a solution could be to perform two-factor authentication, so at the start of the process I could use MAB authentication and put them on the registration VLAN, opened to access AD. But then I need to do 802.1x user authentication without passing through the registration portal. Is that possible? Is there a better way to deploy a solution like that?

Thank you in advance
Luca

-- Antoine Amacher aamac...@inverse.ca :: www.inverse.ca
Re: [PacketFence-users] mab+802.1x authentication
Hello Lucas,

To use MachineAuthentication, create an AD source like the one used for your UserAuthentication, and replace the Username attribute "sAMAccountName" with "ServicePrincipalName". That will allow you to do MachineAuthentication. Make sure to add this source to your connection profile. If the machine is in the domain with a valid machine account, then it will be able to authenticate. To properly test MachineAuthentication, make sure that it is allowed or enforced in the 802.1x supplicant configuration.

Thanks

On 05/29/2017 11:34 AM, luca comes wrote:

Hi Pedro,

yes, I think so, but I don't understand how to do this. Do I need to create a new connection profile for it? At the moment I have only one connection profile other than the default, which takes care of users. I'm really confused.

Thanks
Luca

Sent from Outlook <http://aka.ms/weboutlook>

*From:* Pedro Simões <pedro.sim...@layer8.pt>
*Sent:* Monday 29 May 2017 17:06
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] mab+802.1x authentication

I think for that scenario you need to use machine authentication.

*From:* luca comes [mailto:lucaco...@hotmail.it]
*Sent:* Monday, May 29, 2017 3:12 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] mab+802.1x authentication

Hi all,

I successfully configured the latest release of PF with a Cisco Catalyst 3750G to perform 802.1x authentication over my AD domain. I'm studying the solution because the intention is to deploy it on all my sites (more or less 15 sites and 1000 users). Currently the server is located in our datacenter in an out-of-band deployment, and locally on my test site I've configured registration and isolation VLANs even if they are not used in an 802.1x environment. The problem now is that I need to permit AD authentication on PCs where credentials are not in the client's cache, but at the beginning neither IP traffic nor DHCP is permitted, so users can't access the network. I thought that a solution could be to perform two-factor authentication, so at the start of the process I could use MAB authentication and put them on the registration VLAN, opened to access AD. But then I need to do 802.1x user authentication without passing through the registration portal. Is that possible? Is there a better way to deploy a solution like that?

Thank you in advance
Luca

-- Antoine Amacher aamac...@inverse.ca :: www.inverse.ca
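The thread above describes two mechanisms without showing them: how a RADIUS identity of the form host/<fqdn> selects a computer-account lookup on ServicePrincipalName instead of a user lookup on sAMAccountName, and the VLAN-filter idea of accepting a user authentication on an endpoint only after that endpoint has done machine authentication. The Python below is an added example, not PacketFence code, illustrating both. The LDAP filter builder escapes the identity per RFC 4515 so a crafted User-Name cannot change the filter's meaning; the gate keys its state on the endpoint MAC and sends a user authentication that was not preceded by machine authentication to the registration VLAN, which is what Luca is after. The identities, MACs and VLAN labels are constructed.

```python
"""Machine-vs-user identity handling for 802.1X against Active Directory.

Added example; not PacketFence code. Part 1 maps a RADIUS User-Name to the AD
lookup that applies (computer object by servicePrincipalName, or user object by
sAMAccountName), with RFC 4515 filter escaping. Part 2 is the "machine auth
before user auth" rule, tracked per endpoint MAC. VLAN labels are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()':
            out.append('\\%02x' % ord(ch))
        elif ch == '\0':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def classify_identity(user_name: str) -> Tuple[str, str]:
    """Return ('machine', fqdn) for a host/<fqdn> identity, else ('user', account).
    DOMAIN\\user and user@realm forms are reduced to the bare account name."""
    if user_name.lower().startswith('host/'):
        return 'machine', user_name[len('host/'):]
    account = user_name.split('\\', 1)[-1].split('@', 1)[0]
    return 'user', account


def lookup_filter(user_name: str) -> str:
    """Build the AD search filter for the identity; attribute values are escaped."""
    kind, name = classify_identity(user_name)
    if kind == 'machine':
        # AD computer objects carry HOST/<fqdn> among their servicePrincipalName
        # values; AD matches the attribute case-insensitively.
        return '(&(objectClass=computer)(servicePrincipalName=host/%s))' % ldap_escape(name)
    return '(&(objectClass=user)(sAMAccountName=%s))' % ldap_escape(name)


@dataclass
class AuthGate:
    """Accept a user authentication on an endpoint only after a machine
    authentication succeeded from the same MAC (the VLAN-filter case in the thread)."""
    machine_ok: Dict[str, str] = field(default_factory=dict)  # mac -> machine fqdn

    def decide(self, mac: str, user_name: str, auth_succeeded: bool) -> str:
        mac = mac.lower()
        kind, name = classify_identity(user_name)
        if not auth_succeeded:
            return 'reject'
        if kind == 'machine':
            self.machine_ok[mac] = name.lower()
            return 'vlan:machine'          # placeholder for "VLAN X -> Only AD"
        if mac not in self.machine_ok:
            return 'vlan:registration'     # user auth with no prior machine auth
        return 'vlan:user'                 # placeholder for "VLAN Y -> User VLAN"


if __name__ == "__main__":
    gate = AuthGate()
    for mac, ident, ok in [("aa:bb:cc:00:11:22", "EXAMPLE\\alice", True),
                           ("aa:bb:cc:00:11:22", "host/pc1.example.test", True),
                           ("aa:bb:cc:00:11:22", "EXAMPLE\\alice", True)]:
        print(ident, "->", lookup_filter(ident), "->", gate.decide(mac, ident, ok))
```

The gate keeps no expiry for the machine-auth record; in production the state would be tied to the node's registration status in PacketFence rather than an in-memory dictionary.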
Re: [PacketFence-users] Custom iptables rule?
Hello Jes,

You can write your line in conf/iptables.conf; this file will be used to generate the iptables configuration when PacketFence starts.

Thanks

On 05/18/2017 08:29 AM, Jes Kasper Klittum wrote:

Hey guys,

I can see that PacketFence uses iptables to handle traffic, and that poses a problem for me, as I need port 6556 to be open from my OMD monitoring host. How do I accomplish this without breaking PacketFence? Can I just add to /usr/local/pf/conf/iptables.conf, or will this file be overwritten when restarting PacketFence?

Best regards,

BISCA A/S
Jes Kasper Klittum
Head of IT
Ahornvej 1, DK-4780 Stege
+45 3162 3495
+45 7211 0495
j...@bisca.com
www.bisca.com

Please consider the environment before printing this e-mail.

-- Antoine Amacher aamac...@inverse.ca :: www.inverse.ca
Re: [PacketFence-users] PF do not start after upgrade
0 libwind0-heimdal libwmiclient1 libwww-curl-perl
libwww-mechanize-perl libwww-twilio-api-perl libxmlrpc-lite-perl libxmlsec1 libxmlsec1-openssl
libyaml-libyaml-perl libyaml-perl libyaml-syck-perl libyaml-tiny-perl libzip2 lvm2 mariadb-common
mariadb-server-core-10.1 mysql-common nodejs openssl-blacklist-extra owfs-common p0f packetfence-config
packetfence-doc packetfence-golang-daemon packetfence-ntlm-wrapper packetfence-pfcmd-suid
packetfence-redis-cache perltidy python-characteristic python-django python-django-common
python-django-tagging python-mysqldb python-pam python-pyasn1-modules python-pyparsing python-serial
python-service-identity python-simplejson python-sqlparse python-twisted-bin python-twisted-core
python-whisper redis-server redis-tools rrdtool rsync samba samba-dsdb-modules samba-vfs-modules snmp snmpd
snmptrapfmt socat sqlite3 sscep sudo tdb-tools vlan winbind wmi-client
Veuillez utiliser « apt-get autoremove » pour les supprimer.
Les paquets supplémentaires suivants seront installés :
freeradius freeradius-ldap freeradius-mysql freeradius-redis freeradius-rest freeradius-utils golang-1.7-go
golang-1.7-src libcrypt-cbc-perl libcrypt-rijndael-perl libfreeradius3 liblua5.3-0 libmariadbclient18
libmysqlclient18 mariadb-server-core-10.1 packetfence-doc packetfence-golang-daemon
Paquets suggérés :
freeradius-postgresql freeradius-krb5 bzr git mercurial subversion
Paquets recommandés :
g++ gcc libc6-dev pkg-config
Les paquets suivants seront ENLEVÉS :
mysql-client-5.5 mysql-server mysql-server-5.5 mysql-server-core-5.5 packetfence
Les NOUVEAUX paquets suivants seront installés :
golang-1.7-go golang-1.7-src libcrypt-cbc-perl libcrypt-rijndael-perl liblua5.3-0 libmariadbclient18
mariadb-server-core-10.1 packetfence-doc packetfence-golang-daemon
Les paquets suivants seront mis à jour :
freeradius freeradius-ldap freeradius-mysql freeradius-redis freeradius-rest freeradius-utils libfreeradius3
libmysqlclient18
8 mis à jour, 9 nouvellement installés, 5 à enlever et 2 non mis à jour.
2 partiellement installés ou enlevés.
Il est nécessaire de prendre 51,2 Mo dans les archives.
Après cette opération, 17,5 Mo d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n] n
Annulation.

Do you have any clues about this issue? I tried several actions found randomly on Google, with no luck :-(

Thanks again for your help :-)

Regards
Greg

Thanks a lot everyone.

-- Antoine Amacher aamac...@inverse.ca :: www.inverse.ca
Re: [PacketFence-users] Admin not listening on 1443 on ZEN 7.0
Hello Akala,

You tried to execute conf/ssl/server.pem instead of writing in the file. Try this:

cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem

Thanks

On 05/09/2017 03:16 PM, Akala Kehinde wrote:

Hi Everyone,

Newly installed Zen 7.0, but portal isn't working. Haproxy is running but can't find any host listening on 1443. Seems to be a certificate issue; tried replacing the .pem file with the .crt and .key files but was denied access.

[root@packetfence ssl]# netstat -ant | grep 1443
[root@packetfence ssl]#
[root@packetfence ssl]# cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key | /usr/local/pf/conf/ssl/server.pem
-bash: /usr/local/pf/conf/ssl/server.pem: Permission denied
[root@packetfence ssl]# ps -efd | grep haproxy
haproxy   1248     1  0 11:33 ?        00:00:00 haproxy -f /usr/local/pf/var/conf/haproxy.conf
haproxy   1249     1  0 11:33 ?        00:00:00 haproxy -f /usr/local/pf/var/conf/haproxy.conf
root      1833     1  0 11:40 ?        00:00:00 /usr/sbin/haproxy-systemd-wrapper -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid
haproxy   1836  1833  0 11:40 ?        00:00:00 /usr/sbin/haproxy -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -Ds
haproxy   1837  1836  0 11:40 ?        00:00:00 /usr/sbin/haproxy -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -Ds
haproxy   1838  1836  0 11:40 ?        00:00:00 /usr/sbin/haproxy -f /usr/local/pf/var/conf/haproxy.conf -p /usr/local/pf/var/run/haproxy.pid -Ds
root      7037   661  0 12:46 pts/0    00:00:00 grep --color=auto haproxy
[root@packetfence ssl]#

Zen 6.5 worked like a charm but can't get around the portal issues on 7.0. Any help is appreciated here.

Regards,
Kehinde

--
Antoine Amacher
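The one-liner above writes server.crt and server.key into a single server.pem; the failing attempt used `|` instead of `>`, so bash tried to run server.pem as a program, hence "Permission denied". Because the combined file carries the private key, it is worth doing the concatenation with two checks: that each input really is the PEM block it is supposed to be, and that the result is created owner-readable only. The following is an added Python example of that (not PacketFence code and not from the reply): the file names follow the thread, while the PEM contents are constructed stand-ins, not real key material, written to a temporary directory.

```python
"""Assemble haproxy's combined PEM (certificate + private key) safely.

Added example, not PacketFence code. Equivalent to
  cat server.crt server.key > server.pem
plus two checks: the inputs are the PEM blocks they claim to be, and the
output, which now contains the private key, is created with mode 0600.
"""
import os
import re
import stat
import tempfile

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----.*?"
    r"-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----", re.S)


def assemble_pem(crt_path, key_path, pem_path):
    """Write crt + key to pem_path; return (certificate_count, key_count).

    Raises ValueError if the certificate file holds no certificate (or holds
    a key), or if the key file does not hold exactly one private key."""
    with open(crt_path) as f:
        crt = f.read()
    with open(key_path) as f:
        key = f.read()
    certs = CERT_RE.findall(crt)          # a chain (several certs) is fine
    keys = KEY_RE.findall(key)
    if not certs:
        raise ValueError(f"{crt_path}: no CERTIFICATE block found")
    if KEY_RE.search(crt):
        raise ValueError(f"{crt_path}: certificate file unexpectedly contains a private key")
    if len(keys) != 1:
        raise ValueError(f"{key_path}: expected exactly one PRIVATE KEY block, found {len(keys)}")
    # Create the file with owner-only permissions from the start: it holds the key.
    fd = os.open(pem_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write(crt.rstrip("\n") + "\n")
        out.write(key.rstrip("\n") + "\n")
    os.chmod(pem_path, 0o600)  # tighten an existing file that had a wider mode
    return len(certs), len(keys)


def pem_mode(pem_path):
    """Permission bits of the written file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(pem_path).st_mode)


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


# Constructed stand-ins: the bodies are not real certificate or key material.
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\nMIIBconstructedNotARealCertificate\n"
             "-----END CERTIFICATE-----\n")
FAKE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n"
            "-----END RSA PRIVATE KEY-----\n")


def _paths():
    d = tempfile.mkdtemp()
    return tuple(os.path.join(d, n) for n in ("server.crt", "server.key", "server.pem"))


def demo():
    """Happy path: returns ((certs, keys), mode) for the assembled file."""
    crt, key, pem = _paths()
    _write(crt, FAKE_CERT)
    _write(key, FAKE_KEY)
    counts = assemble_pem(crt, key, pem)
    return counts, pem_mode(pem)


def rejects_swapped_inputs():
    """Failure path: the key file handed in as the certificate is refused."""
    crt, key, pem = _paths()
    _write(crt, FAKE_KEY)   # wrong file in the certificate slot
    _write(key, FAKE_CERT)
    try:
        assemble_pem(crt, key, pem)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejects_swapped_inputs())
```

After writing the real file, `netstat -ant | grep 1443` (as in the thread) or `ss -ltn` should show haproxy bound once the service is restarted.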
Re: [PacketFence-users] PF 7.0.0 - Connection Profile Preview not working as designed
Hello Andrew,

Did you re-apply the maintenance? Is this happening when you click "Preview" via the connection profile list, or when you are in the configuration of a connection profile, or in both cases?

Thanks

On 05/04/2017 10:10 AM, Torry, Andrew wrote:

I am pretty sure this is a bug as I have rebuilt a new server and still have the same issue. The ‘Preview’ option in the admin GUI displays the ‘Default’ profile for all profiles.

Regards
Andrew

From: Torry, Andrew [mailto:andrew.to...@fxplus.ac.uk]
Sent: 27 April 2017 14:01
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] packetfence-zen 7.0.0

Hi Fabrice,

Running pf-maint.pl has fixed the 501 error so that the PREVIEW button now works for all profiles, but they are now all displaying a preview of the ‘default’ profile no matter which profile I am actually previewing. If I change the portal module chain for the default profile I see the same chain with all the others regardless of their actual settings. The customised ‘layout.html’ file in alternative profiles is being ignored too in the previews (change to colour scheme, for instance). The logo setting in the profile is also being ignored when previewing.

Andrew

From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: 27 April 2017 13:37
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] packetfence-zen 7.0.0

Hello Andrew,

it has been fixed in the maintenance branch, let's run pf-maint.pl.

Regards
Fabrice

On 2017-04-27 at 04:51, Torry, Andrew wrote:

Hi again folks,

I just realised that the ‘Preview’ button that does work after opening the connection profile in the GUI is not previewing the selected profile at all but is actually just previewing the ‘default’ profile regardless of which profile is opened in the GUI. Any ideas what might be wrong?

Andrew

Andrew Torry
Senior Infrastructure Engineer
Tel: 01326 370760
Email: andrew.to...@fxplus.ac.uk
Falmouth Exeter Plus
Falmouth Exeter Plus is an exempt charity established by Falmouth University and the University of Exeter to deliver their shared Higher Education services in Cornwall.

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
Antoine Amacher
Re: [PacketFence-users] oauth2
MJ,

For the source, I'll advise you to take the twitter one as an example, which is simple. If you need help to develop it, you can contact us at supp...@inverse.ca. We could develop it if OpenID is something used a lot, and if there is a common interest in it.

Thanks

On 05/01/2017 03:15 PM, lists wrote:
> Hi Antoine,
>
> Thanks for your reply, also on this OpenID Connect subject.
>
> There is a small wordpress addon that does exactly that:
> https://github.com/daggerhart/openid-connect-generic
>
> The only things you need to configure it are your own OpenID Connect
> server specifics, such as issuer, authorization_endpoint,
> token_endpoint, etc, etc.
>
> And those are usually in the docs of whatever product you like.
>
> Using that plugin, it was actually very easy to configure wordpress
> against the keycloak openid connect. (in fact: MUCH easier than SAML!)
>
> But I will try if I can concoct a keycloak-specific new source myself,
> as we have sponsored quite some projects lately, and our funding is not
> endless... ;-)
>
> MJ
>
> On 1-5-2017 20:26, Antoine Amacher wrote:
>> Hello MJ,
>>
>> We do not have a 'generic' OAuth2 source, as each OAuth2 has its own API;
>> the parameters to authorize and get the token are different, sometimes it
>> requires a scope, sometimes a token parameter, sometimes none.
>>
>> Creating a new OAuth source is not too complicated if we have a test
>> account and adequate documentation, but will require a bit of code. I do
>> like the idea of generic, but I am not sure it will be that generic
>> because of the arguments stated earlier.
>>
>> The best option here seems to be to develop a new source for Keycloak OpenID,
>> unless we rework the way OAuth2 sources are coded.
>>

--
Antoine Amacher
Re: [PacketFence-users] captive portal customization
Hello MJ,

You are able to change those via the Portal Modules (Advanced Access Configuration -> Portal Modules, if you are running 7.0.0). Look for the modules "default_login_policy" and "default_guest_policy"; you can change how they are called via the description field.

Thanks

On 05/01/2017 01:21 PM, lists wrote:
> Hi,
>
> I like the way to customize the captive portal, nowadays. Nice
> improvements since the version 5.6.1 we're still on.
>
> One question:
>
> Can we customize the way authentication methods are called? (under
> "Select an authentication method")
>
> (we use only two: "Username/password" and "Guest signup", but we would
> like to adjust their names a little bit)
>
> MJ

--
Antoine Amacher
Re: [PacketFence-users] oauth2
Hello MJ,

We do not have a 'generic' OAuth2 source, as each OAuth2 has its own API; the parameters to authorize and get the token are different, sometimes it requires a scope, sometimes a token parameter, sometimes none.

Creating a new OAuth source is not too complicated if we have a test account and adequate documentation, but will require a bit of code. I do like the idea of generic, but I am not sure it will be that generic because of the arguments stated earlier.

The best option here seems to be to develop a new source for Keycloak OpenID, unless we rework the way OAuth2 sources are coded.

Thanks

On 05/01/2017 02:14 PM, lists wrote:
> Hi,
>
> Last question for today! :-)
>
> We are running RedHat's Keycloak, a saml / openid connect / oauth2 IDP,
> and would like to use OpenID Connect to authenticate our users. We have
> noticed that packetfence has SAML auth support, true, but SAML is so
> much harder to setup than OpenID Connect.
>
> And since packetfence supports all kinds of OAuth2 clients... is there a
> way to configure a packetfence usersource against a generic OAuth2
> server, such as the RedHat Keycloak IDP?
>
> Best regards,
> MJ

--
Antoine Amacher
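The two oauth2 threads above turn on one point: plain OAuth2 providers differ in their APIs, whereas an OpenID Connect provider publishes the issuer, authorization_endpoint and token_endpoint MJ lists in a standard metadata document (OIDC Discovery, served at <issuer>/.well-known/openid-configuration). The following added Python example, which is not PacketFence code and not a proposed source implementation, shows the checks worth running on that document before a source trusts it: the issuer string must equal the configured one exactly, and every endpoint must be https. The metadata is a constructed stand-in whose paths imitate Keycloak's realm layout; the host and realm name are invented.

```python
"""Validate OpenID Connect discovery metadata before using it in an auth source.

Added example, not PacketFence code. Checks the fields an OIDC-based source
needs (issuer, authorization_endpoint, token_endpoint, jwks_uri) and flags
the two misconfigurations that matter most: an issuer that does not match
what the administrator configured (tokens would be accepted from the wrong
IdP) and an endpoint that is not https (credentials and codes in the clear).
"""
import json
from urllib.parse import urlparse

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "userinfo_endpoint", "end_session_endpoint")


def discovery_url(issuer):
    """OIDC Discovery location for a given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_oidc_metadata(doc_text, configured_issuer):
    """Return (endpoints, errors, warnings) for a discovery document.

    errors   -> the document must not be used
    warnings -> unusual but possibly legitimate (endpoint on another host)
    """
    doc = json.loads(doc_text)
    errors, warnings = [], []
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        return {}, [f"missing required key(s): {', '.join(missing)}"], warnings
    # OIDC requires an exact string match, trailing slash included.
    if doc["issuer"] != configured_issuer:
        errors.append(f"issuer mismatch: metadata says {doc['issuer']!r}, "
                      f"source configured {configured_issuer!r}")
    issuer_host = urlparse(configured_issuer).hostname
    endpoints = {k: doc[k] for k in ENDPOINT_KEYS if k in doc}
    for name, url in endpoints.items():
        parts = urlparse(url)
        if parts.scheme != "https":
            errors.append(f"{name} is not https: {url}")
        if parts.hostname != issuer_host:
            warnings.append(f"{name} is served from {parts.hostname}, "
                            f"not the issuer host {issuer_host}")
    return endpoints, errors, warnings


# Constructed sample: host and realm are invented; the path layout imitates
# a Keycloak realm's openid-connect endpoints.
_BASE = "https://sso.example.test/auth/realms/corp"
SAMPLE_METADATA = json.dumps({
    "issuer": _BASE,
    "authorization_endpoint": _BASE + "/protocol/openid-connect/auth",
    "token_endpoint": _BASE + "/protocol/openid-connect/token",
    "userinfo_endpoint": _BASE + "/protocol/openid-connect/userinfo",
    "jwks_uri": _BASE + "/protocol/openid-connect/certs",
})

# Same document with the token endpoint downgraded to http, to show the failure path.
_tampered = json.loads(SAMPLE_METADATA)
_tampered["token_endpoint"] = _tampered["token_endpoint"].replace("https://", "http://", 1)
TAMPERED_METADATA = json.dumps(_tampered)


if __name__ == "__main__":
    print(discovery_url(_BASE))
    print(validate_oidc_metadata(SAMPLE_METADATA, _BASE))
    print(validate_oidc_metadata(TAMPERED_METADATA, _BASE)[1])
```

In a real deployment the document would be fetched over TLS from `discovery_url(issuer)`; the validation is the same whether it came from the network or from a file the administrator pasted in.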
Re: [PacketFence-users] packetfence-zen 7.0.0
David,

Management is a RADIUS interface by default; it's like adding a portal daemon to a registration interface, it does it already. But yeah, we might add a check in the GUI, to not add radius on management and portal on reg, for instance.

Thanks

On 04/25/2017 10:33 PM, David Murrell wrote:

Hi,

I'm trying out the new version, and I've found if I set the management interface to have an extra radius daemon, like this:

Inline image 1

radiusd won't start, because it's already listening on that address:

server packetfence-cli { # from file /usr/local/pf/raddb/sites-enabled/packetfence-cli
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server packetfence-cli
auth: Opening IP addresses and Ports
listen {
	type = "auth"
	virtual_server = "packetfence"
	ipaddr = 127.0.0.1
	port = 18120
}
listen {
	type = "auth"
	virtual_server = "packetfence"
	ipaddr = 1.2.3.4
	port = 0
}
listen {
	type = "auth"
	virtual_server = "packetfence"
	ipaddr = 1.2.3.4
	port = 0
Failed binding to auth address 1.2.3.4 port 1812 bound to server packetfence: Address already in use
/usr/local/pf/raddb/auth.conf[23]: Error binding to port for 1.2.3.4 port 1812

It's possibly worth fixing that in the gui so as to stop autofoot shooting?

Cheers,
David

--
Antoine Amacher
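The GUI check Antoine mentions would have to notice, before radiusd is started, that two listen blocks resolve to the same address and port. The following is an added Python example of that pre-flight check (not PacketFence or FreeRADIUS code): it parses listen { ... } blocks of the shape shown in David's output, treats port = 0 as FreeRADIUS's default for the listener type (1812 for auth, 1813 for acct, 3799 for coa), which is why the error names port 1812 although the blocks say 0, and reports duplicate (ipaddr, port) pairs. The sample configuration is constructed after the three blocks in the message; real configs can carry nested sub-blocks inside listen, which this simple regex does not handle.

```python
"""Detect duplicate RADIUS listeners in generated FreeRADIUS listen blocks.

Added example, not PacketFence code. Mirrors the situation in the thread:
the management interface already provides an auth listener on its address,
so adding a second RADIUS daemon there yields two listen blocks that both
bind 1.2.3.4:1812 and the second one fails with "Address already in use".
"""
import re

# FreeRADIUS uses these when a listen block says "port = 0".
DEFAULT_PORTS = {"auth": 1812, "acct": 1813, "coa": 3799}

BLOCK_RE = re.compile(r"listen\s*\{(.*?)\}", re.S)          # no nested sub-blocks handled
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$', re.M)


def parse_listeners(config_text):
    """Return one dict per listen block with the effective bind port filled in."""
    listeners = []
    for body in BLOCK_RE.findall(config_text):
        kv = dict(KV_RE.findall(body))
        ltype = kv.get("type", "auth")
        port = int(kv.get("port", "0"))
        if port == 0:
            port = DEFAULT_PORTS.get(ltype, 0)
        listeners.append({
            "type": ltype,
            "ipaddr": kv.get("ipaddr"),
            "port": port,
            "virtual_server": kv.get("virtual_server"),
        })
    return listeners


def find_bind_conflicts(listeners):
    """Return the (ipaddr, port) pairs that appear more than once, in order of first repeat."""
    seen = set()
    conflicts = []
    for l in listeners:
        key = (l["ipaddr"], l["port"])
        if key in seen and key not in conflicts:
            conflicts.append(key)
        seen.add(key)
    return conflicts


def describe_conflicts(config_text):
    """Human-readable report, the kind of message a GUI check could show before saving."""
    return [f"two listeners would bind {ip}:{port}; radiusd will fail with 'Address already in use'"
            for ip, port in find_bind_conflicts(parse_listeners(config_text))]


# Constructed after the three listen blocks quoted in the thread.
SAMPLE_LISTEN_CONFIG = """\
listen {
	type = "auth"
	virtual_server = "packetfence"
	ipaddr = 127.0.0.1
	port = 18120
}
listen {
	type = "auth"
	virtual_server = "packetfence"
	ipaddr = 1.2.3.4
	port = 0
}
listen {
	type = "auth"
	virtual_server = "packetfence"
	ipaddr = 1.2.3.4
	port = 0
}
"""

if __name__ == "__main__":
    for line in describe_conflicts(SAMPLE_LISTEN_CONFIG):
        print(line)
```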
Re: [PacketFence-users] Redirecting Issues with Captive Portal
Hi Kehinde,

This usually means that the radiusDisconnect or CoA did not receive a proper answer from the switch, or no new RADIUS request has been sent, so PacketFence doesn't know if the device has been moved to another VLAN. If the message disappears after trying to connect/reconnect the device to the switch or SSID, then it should be your issue.

Thanks

On 04/16/2017 02:15 PM, Akala Kehinde wrote:

Hi All.

On transfer to the registration VLAN I get this error: "Unable to detect network connectivity. Try restarting your web browser or opening a new tab to see if your access has been succesfully enabled"... even though there is internet connection, redirection doesn't work. I guess this is a known issue; anyone with a fix to this?

Regards,
Kehinde

--
Antoine Amacher
Re: [PacketFence-users] Possible to override the default profile?
Hello Kehinde,

That is not something we do, since conditions have always worked. If your device matches the default portal profile, then I expect your condition to not be exact for the match. Try something simple like an SSID or a Switch match for your custom portal profile. Then implement multiple conditions if needed.

Thanks

On 04/16/2017 02:06 PM, Akala Kehinde wrote:

Hi All,

Having problems with Packetfence identifying a custom profile I defined. It always matches the default profile first, and there is no way to reorder the default profile. Any way to have something like a "default deny" instead of a "default accept"?

Regards,
Kehinde

--
Antoine Amacher
Re: [PacketFence-users] Authentication against Active Directory [NOT PROTECTIVELY MARKED]
Hello Stephen,

The account to join the domain needs to be Domain Admin; the password will not be saved (used once). The account to do the authentication via the LDAP source from PacketFence needs to be a read-only account (used at every connection attempt).

Thanks

On 03/24/2017 08:07 AM, Stephen Ware wrote:

This email has been classified as: NOT PROTECTIVELY MARKED

Hi there,

I'm fairly new to PF and have just set up v6.5.0 on CentOS 7. I have the basics working on a standalone setup and the next step is to integrate PF into a Windows domain with the ultimate aim of doing certificate-based authentication using 802.1X on all wired connections.

My question involves the domain admin level account used for querying AD when using the built-in FreeRADIUS and authenticating against Active Directory. The PF Administration Guide states the account must be a domain account: "Username is the username that will be used for binding to the server. This account must be a domain administrator."

There are obvious security risks when using domain administrator accounts so I was hoping to use a non-administrator account. I have other situations where applications are doing AD lookups and authentication that work ok with read-only accounts. Why does PF require domain administrator level?

Steve

South Tyneside Council, Town Hall & Civic Offices, Westoe Road, South Shields, Tyne & Wear, NE33 2RL, Tel: 0191 427 1717, Website: www.southtyneside.gov.uk

--
Antoine Amacher
Re: [PacketFence-users] Android Provisioner profile error
Hello Dean,

Just to let you know I tested it on my side and it works fine (using MSPKI). Are you prompted for the user certificate password when the app is installing the profile? The app does not 'tell' you the user certificate has been installed, even if it's still doing it. What happens when you try to connect to the provisioned SSID after the profile was installed? Does it fail? Ask you for the user certificate? Others?

Thanks

On 02/25/2017 10:22 PM, Dean Holland wrote:

What's the next step now, send a copy of the XML profile to someone to test with?

On Sun, 19 Feb 2017, 7:31 PM Dean Holland <speeds...@haveacry.com> wrote:

Hi Antoine,

Yes - iOS works; I unregistered a device, cleared its user and role, deleted the existing wireless profile and was able to register it again and install the wireless profile.

I've tried with three different Android tablets and OS versions - 5.1, 6.0 and 7.0. In all cases the agent only installs the CA certificate.

Dean

On Sat, 18 Feb 2017, 2:25 AM Antoine Amacher <aamac...@inverse.ca> wrote:

Hello Dean,

Does the provisioning work on other platforms, for instance Windows or iOS? Did you try with different Android versions/devices?

Thanks

On 02/16/2017 08:42 PM, Dean Holland wrote:

I have tried again with 6.5 and the Android agent still only installs a CA cert. I have verified the CA certificate in the profile is the one in the chain for FreeRADIUS and the client certificate. I'm not sure what else I can do to help diagnose this; if I send an XML profile to someone off-list would that help?

Dean

On Sun, 29 Jan 2017, 11:36 AM Dean Holland <speeds...@haveacry.com> wrote:

Thanks Fabrice. One step closer now! It looks like the user certificate is in the XML profile, but after entering the generated password the agent only asks to install one CA certificate - it doesn't seem to find the user certificate in the profile.

On Sun, 29 Jan 2017, 9:57 AM Durand fabrice <fdur...@inverse.ca> wrote:

Hello Dean,

it has been fixed in devel, it was because of an apache filter.

cd /usr/local/pf
wget https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

And don't forget to rename apache_filters.conf.example to apache_filters.conf and do a pfcmd configreload hard.

Regards
Fabrice

On 2017-01-28 at 20:45, Dean Holland wrote:

So I changed the httpd.portal.tt file to use RSA ciphers for TLS, which allowed me to decrypt a packet capture of the registration interface with Wireshark; the agent is getting a 501 error from the portal. HTTP trace follows.

GET /profile.xml HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
Host: www.packetfence.org
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 501 Not Implemented
Date: Sun, 29 Jan 2017 01:34:52 GMT
Server: Apache
X-DNS-Prefetch-Control: off
Allow:
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

501 Not Implemented
Not Implemented
GET to /profile.xml not supported.

Dean

On Fri, Jan 6, 2017 at 9:27 AM Dean Holland <speeds...@haveacry.com> wrote:

Hi Fabrice,

Correct - nothing in that log file either.

On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice <fdur...@inverse.ca> wrote:

it's normal that it's an iphone profile since the android app uses the same format.

Nothing in httpd.portal.catalyst too?

Le 2017-01-05 à 01:46, De
Re: [PacketFence-users] Android Provisioner profile error
(pf::Authentication::Source::LDAPSource::search_attributes_in_subclass)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Found provisioner android-haveacry for 30:85:a9:4b:5b:e7 (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)

--
Antoine A
Re: [PacketFence-users] PF 6.5 Radiusd service not starting
Hello Michael,

Can you verify if you have a raddb/mode-availables/mschap.rpmnew? If yes, do the following:

mv raddb/mode-availables/mschap.rpmnew raddb/mode-availables/mschap

Thanks

On 02/16/2017 10:50 AM, Campanaro, Michael wrote:

Hello,

I just upgraded my PF servers from version 6.4.0 to 6.5.0 this morning and followed the upgrade document while doing so. Everything went fine but now my radiusd service isn't starting on either of my servers. These are the messages I'm getting in the radius log:

Thu Feb 16 10:39:16 2017 : Info: rlm_sql (pfguest): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Info: rlm_sql (pfsponsor): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Info: rlm_sql (pfsms): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Info: rlm_sql (pflocal): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Warning: rlm_sql (sql_reject): groupmemb_query is empty. Please delete it from the configuration
Thu Feb 16 10:39:16 2017 : Warning: rlm_sql (sql_reject): authorize_check_query is empty. Please delete it from the configuration
Thu Feb 16 10:39:16 2017 : Info: rlm_sql (sql_reject): Attempting to connect to database "pf"
Thu Feb 16 10:39:16 2017 : Info: Loaded virtual server
Thu Feb 16 10:39:16 2017 : Info: Loaded virtual server dynamic_clients
Thu Feb 16 10:39:16 2017 : Info: Loaded virtual server packetfence
Thu Feb 16 10:39:16 2017 : Error: raddb//sites-enabled/packetfence-tunnel[182]: Failed to find "mschap_local" as a module or policy.
Thu Feb 16 10:39:16 2017 : Error: raddb//sites-enabled/packetfence-tunnel[182]: Please verify that the configuration exists in raddb//mods-enabled/mschap_local.
Thu Feb 16 10:39:16 2017 : Error: raddb//sites-enabled/packetfence-tunnel[182]: Failed to parse "mschap_local" subsection.
Thu Feb 16 10:39:16 2017 : Error: raddb//sites-enabled/packetfence-tunnel[181]: Failed to parse "if" subsection.
Thu Feb 16 10:39:16 2017 : Error: Failed to load virtual server packetfence-tunnel

Any help would be greatly appreciated.

Thanks,
-Mike

--
Antoine Amacher
Re: [PacketFence-users] PacketFence-users Digest, Vol 106, Issue 41
Hello Eric,

you should try to look for the logs on the WLC side, you might have more information on why the CoA is not accepted, or at least see if the CoA is received by the WLC. Can you also link the 10.0.12.2 and the default section of conf/switches.conf?

Thanks

On 02/14/2017 01:06 PM, Eric Koons wrote:

Thanks for the recommendation to look in pfqueue.log. Seems like it is failing. I've changed ports to 3799 and 1700 and neither works. I've also tried changing the shared secret.

Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] [28:cf:e9:14:7a:29] DesAssociating mac on switch (10.0.12.2) (pf::api::desAssociate)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] deauthenticating (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] controllerIp is set, we will use controller 10.0.12.2 to perform deauth (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Memory configuration is not valid anymore for key interfaces::management_network in local cached_hash (pfconfig::cached::is_valid)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Returning ACCEPT with Role: Authorize_any (pf::Switch::Cisco::WLC::try {...} )
Feb 14 13:05:01 pfqueue(10131) WARN: [mac:28:cf:e9:14:7a:29] Unable to perform RADIUS CoA-Request on (10.0.12.2): Timeout waiting for a reply from 10.0.12.2 on port 1700 at /usr/local/pf/lib/pf/util/radius.pm line 162. (pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:01 pfqueue(10131) ERROR: [mac:28:cf:e9:14:7a:29] Wrong RADIUS secret or unreachable network device (10.0.12.2)... On some Cisco Wireless Controllers you might have to set disconnectPort=1700 as some versions ignore the CoA requests on port 3799 (pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:06 pfqueue(9465) ERROR: [mac:18:66:da:81:67:01] Can't bind : IO::Socket::INET: connect: Connection refused

Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com
eko...@sectv.com
Office: 610-841-8355 Mobile: 610-533-6834 Fax: 610-797-2445

On Feb 14, 2017, at 11:24 AM, packetfence-users-requ...@lists.sourceforge.net wrote:

Message: 1
Date: Tue, 14 Feb 2017 11:24:21 -0500
From: Antoine Amacher <aamac...@inverse.ca>
Subject: Re: [PacketFence-users] Issue with Guest network on Packetfence 6.5 and Cisco WLC controller
To: packetfence-users@lists.sourceforge.net
Message-ID: <71e6dc2b-6cf3-4e22-3b4c-2d2da2bee...@inverse.ca>
Content-Type: text/plain; charset="windows-1252"

Hello Eric,

While upgrading from 6.1.2 to 6.5 there are multiple changes to WebAuth; did you follow the UPGRADE.asciidoc? For instance your WLC (in Switches) needs to have "External Portal Enforcement" checked.

If everything has been applied, make sure you are still sending the CoA on the right port. On the WLC it should be 3799 or 1700 (depending on the version of the WLC).

Also have a look in logs/pfqueue.log; it should tell you if the CoA has been received and taken into account by the WLC.

Thanks

On 02/14/2017 10:40 AM, Eric Koons wrote:

So, the scenario I'm about to explain worked fine on PacketFence 6.1.2. The only thing that changed was I upgraded Packetfence to 6.5. I have an open SSID guest wifi network. It's authenticated with an SMS pin via packetfence. The issue is that it appears after successful authentication Packetfence is not sending the COA or Radius notification to the cisco WLC to change the ACL for the client. The only way to get it to work is to disassociate from the wireless network on the client and then re-associate, then I get full network access. I've attached the packetfence log file. Any help is appreciated.

Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Instantiate profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] [28:cf:e9:14:7a:29] Activation code sent to email
Re: [PacketFence-users] Issue with Guest network on Packetfence 6.5 and Cisco WLC controller
t required (current Role = registration but should be in Role guest) (pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] switch port is (10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] External captive portal detected ! (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] Detected external portal client. Using the IP 192.168.200.26 address in it's session. (captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] Instantiate profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] handling radius autz request: from switch_ip => (10.0.12.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:3f:38:f6:82:80), mac => [28:cf:e9:14:7a:29], port => 1, username => "28cfe9147a29", ssid => SEGuest (pf::radius::authorize)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Instantiate profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Username was defined "28cfe9147a29" - returning role 'guest' (pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] PID: "6105336834", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] (10.0.12.2) Added VLAN 154 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] (10.0.12.2) Added role Authorize_any to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)

Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com
eko...@sectv.com
Office: 610-841-8355 Mobile: 610-533-6834 Fax: 610-797-2445

--
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
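Added example (not from the thread and not PacketFence's own code): a minimal model of the RFC 5176 Disconnect-Request exchange that Eric's pfqueue.log shows timing out. It reuses the client MAC and controller IP from his log, uses a constructed shared secret, and simulates the controller side in-process. The point it demonstrates is why the log can only say "Wrong RADIUS secret or unreachable network device": a NAS silently discards a request whose Request Authenticator does not verify under its own copy of the secret, so a wrong secret, a wrong port and an unreachable device all look like the same timeout to the sender.

```python
"""Minimal RFC 5176 Disconnect-Request builder and checker (constructed example).

A NAS must silently drop a Disconnect/CoA request whose Request Authenticator
does not verify, so from the sender's side a wrong shared secret is
indistinguishable from an unreachable controller or a closed port.
"""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret: bytes, ident: int, nas_ip: str, mac: str) -> bytes:
    """Build a Disconnect-Request for one client MAC.

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    """
    attrs = _avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + \
        _avp(ATTR_CALLING_STATION_ID, mac.encode("ascii"))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """NAS-side check of the Request Authenticator with the NAS's copy of the secret."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def simulated_nas(packet: bytes, nas_secret: bytes):
    """Model of the controller: ACK an authentic request, silently drop anything else.

    Returns the Disconnect-ACK bytes, or None when the request is discarded
    (no reply is ever sent, which the client experiences as a timeout).
    """
    if not request_is_authentic(packet, nas_secret):
        return None
    header = struct.pack("!BBH", DISCONNECT_ACK, packet[1], HEADER_LEN)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + packet[4:20] + nas_secret).digest()
    return header + authenticator


def response_is_authentic(request: bytes, response, secret: bytes) -> bool:
    """Client-side check that the reply matches our request and was made with the secret."""
    if response is None or response[1] != request[1]:
        return False
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def coa_exchange(client_secret: bytes, nas_secret: bytes) -> str:
    """Run one exchange and classify it the way an operator reads the log."""
    req = build_disconnect_request(client_secret, ident=7, nas_ip="10.0.12.2",
                                   mac="28:cf:e9:14:7a:29")
    resp = simulated_nas(req, nas_secret)
    if resp is None:
        return "timeout"  # same symptom as an unreachable device or wrong port
    if response_is_authentic(req, resp, client_secret):
        return "ack"
    return "bad-response-authenticator"


if __name__ == "__main__":
    print(coa_exchange(b"constructed-secret", b"constructed-secret"))  # ack
    print(coa_exchange(b"constructed-secret", b"different-secret"))    # timeout
```

On a real controller, the only place the mismatch is visible is the NAS's own log (or a packet capture showing the request arriving with no reply), which is why looking at the WLC side is the next step after pfqueue.log.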
Re: [PacketFence-users] Wired Domain-Joined Machine Authentication
Philip,

Successful authentication =/= registration. Try to define a specific portal profile for users who connect via MachineAuth and check the box "Automatically register devices" on this portal profile. You could also add an AutoRegister filter via the VLAN filter; examples are provided in vlan_filter.example.

Thanks

On 02/08/2017 11:54 AM, Philip Damian-Grint wrote:

Hi Antoine,

I reinstalled with PF 6.5.0-1, joined the server to AD, and machine authentication now works for a domain-joined PC. The only problem is that after a successful authentication, PF always places the port into the registration VLAN. It seems to ignore all sources, realms etc., and only look at the registration role on the switch itself. Is there something different I need to do for this release?

On 6 February 2017 at 18:30, Antoine Amacher <aamac...@inverse.ca> wrote:

Philip,

If you joined the domain via realm or samba from the CLI, there is a configuration issue to handle machine authentication. It is fixed in 6.5; running the migrate.pl should fix your issue.

Thanks

On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:

Hi Antoine,

Thank you for responding. So I have a source for machine authentication which uses servicePrincipalName. I find the instructions unclear for configuring the realm - I have a default realm which references my machine authentication source, but with nothing in the Domain field. I am following option 1b in the admin guide so I haven't run the migrate.pl task, but rather joined to the domain using Samba. Is this not correct?

On 6 February 2017 at 16:40, Antoine Amacher <aamac...@inverse.ca> wrote:

Hello Philip,

You are trying to do Machine Authentication; make sure the "Username Attribute" you are looking for in your AD source is servicePrincipalName (machine auth) and not sAMAccountName (user auth). Also make sure your realms are configured. Let us know if that helps.

Thanks

On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:

Hello mailing list,

Running Packetfence 6.4.0-1 on Centos 7.3.1611. Test switch is Cisco 2960 running 15.0(1)SE3.

I have joined the server to our AD domain; net ads testjoin returns "Join is OK". I have enabled winbind, and ntlm_auth successfully authenticates domain users. I have issued a certificate from our AD PKI to the PF server, and also copied the CA cert into a separate eap-tls folder as suggested, then updated eap.conf - radiusd seems to be happy with it.

I am trying to get dot1x *wired* machine authentication working for domain-joined machines. When I connect a domain-joined computer to a dot1x port the radiusd log shows:

mschap: Program returned code (1) and output 'Logon failure (0xc06d)'

I have seen elsewhere in the mailing lists a few responses by Louis Munro around troubleshooting this with ntlm_auth, and certainly running ntlm_auth with the challenge and response shown in the log is giving me the same error. Not sure where to go with this - I think I probably don't understand my options on machine authentication in terms of certificate vs machine account/password, and therefore have an incomplete config. Would anyone be able to nudge me a little further along? I think I would like authentication by certificate for domain-joined machines to work, unless you can recommend otherwise.

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Wired Domain-Joined Machine Authentication
Philip,

If you joined the domain via realm or samba from the CLI, there is a configuration issue to handle machine authentication. It is fixed in 6.5; running the migrate.pl should fix your issue.

Thanks

On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:

Hi Antoine,

Thank you for responding. So I have a source for machine authentication which uses servicePrincipalName. I find the instructions unclear for configuring the realm - I have a default realm which references my machine authentication source, but with nothing in the Domain field. I am following option 1b in the admin guide so I haven't run the migrate.pl task, but rather joined to the domain using Samba. Is this not correct?

On 6 February 2017 at 16:40, Antoine Amacher <aamac...@inverse.ca> wrote:

Hello Philip,

You are trying to do Machine Authentication; make sure the "Username Attribute" you are looking for in your AD source is servicePrincipalName (machine auth) and not sAMAccountName (user auth). Also make sure your realms are configured. Let us know if that helps.

Thanks

On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:

Hello mailing list,

Running Packetfence 6.4.0-1 on Centos 7.3.1611. Test switch is Cisco 2960 running 15.0(1)SE3.

I have joined the server to our AD domain; net ads testjoin returns "Join is OK". I have enabled winbind, and ntlm_auth successfully authenticates domain users. I have issued a certificate from our AD PKI to the PF server, and also copied the CA cert into a separate eap-tls folder as suggested, then updated eap.conf - radiusd seems to be happy with it.

I am trying to get dot1x *wired* machine authentication working for domain-joined machines. When I connect a domain-joined computer to a dot1x port the radiusd log shows:

mschap: Program returned code (1) and output 'Logon failure (0xc06d)'

I have seen elsewhere in the mailing lists a few responses by Louis Munro around troubleshooting this with ntlm_auth, and certainly running ntlm_auth with the challenge and response shown in the log is giving me the same error. Not sure where to go with this - I think I probably don't understand my options on machine authentication in terms of certificate vs machine account/password, and therefore have an incomplete config. Would anyone be able to nudge me a little further along? I think I would like authentication by certificate for domain-joined machines to work, unless you can recommend otherwise.

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Wired Domain-Joined Machine Authentication
Hello Philip,

You are trying to do Machine Authentication; make sure the "Username Attribute" you are looking for in your AD source is servicePrincipalName (machine auth) and not sAMAccountName (user auth). Also make sure your realms are configured. Let us know if that helps.

Thanks

On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:

Hello mailing list,

Running Packetfence 6.4.0-1 on Centos 7.3.1611. Test switch is Cisco 2960 running 15.0(1)SE3.

I have joined the server to our AD domain; net ads testjoin returns "Join is OK". I have enabled winbind, and ntlm_auth successfully authenticates domain users. I have issued a certificate from our AD PKI to the PF server, and also copied the CA cert into a separate eap-tls folder as suggested, then updated eap.conf - radiusd seems to be happy with it.

I am trying to get dot1x *wired* machine authentication working for domain-joined machines. When I connect a domain-joined computer to a dot1x port the radiusd log shows:

mschap: Program returned code (1) and output 'Logon failure (0xc06d)'

I have seen elsewhere in the mailing lists a few responses by Louis Munro around troubleshooting this with ntlm_auth, and certainly running ntlm_auth with the challenge and response shown in the log is giving me the same error. Not sure where to go with this - I think I probably don't understand my options on machine authentication in terms of certificate vs machine account/password, and therefore have an incomplete config. Would anyone be able to nudge me a little further along? I think I would like authentication by certificate for domain-joined machines to work, unless you can recommend otherwise.

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Packetfence DHCP/roles
Hello Stuart,

If you want to use VLAN 55 as your registration VLAN, make sure DHCP is enabled on the interface 55 of PacketFence, and this interface is set as a registration interface. If GeneralStaff is your 'production' role, then try to return VLAN 1 for this role instead.

Thanks

On 02/01/2017 09:59 AM, Stuart McWatt wrote:

Hi Antoine,

Thank you for your response. VLAN 55 is for registration and VLAN 56 is for isolation. VLAN 1 is our production VLAN. We have got GeneralStaff in VLAN 55 for registration. Should GeneralStaff be in VLAN 1 (our production VLAN)?

Thanks
Stuart

From: Antoine Amacher <aamac...@inverse.ca>
Sent: 01 February 2017 14:13
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Packetfence DHCP/roles

Hello Stuart,

PacketFence is not a DHCP server for VLANs other than registration / isolation. If I followed properly, VLAN 55 is your production VLAN for 'GeneralStaff'; this means you must have your own DHCP server in VLAN 55.

Thanks

On 02/01/2017 04:42 AM, Stuart McWatt wrote:

Hi,

We are trying to set up a new Packetfence server and are having problems somewhere between the 'roles' and the client Windows machine picking up a relevant IP address from the pf server. AD is successfully added as a user source and there are basic rules added; the rule conditions are for AD group membership, so if an AD user account is in a group which matches the rule then it is assigned a role. The Windows client becomes 'registered' and is put into a relevant role 'GeneralStaff' for this situation. In PacketFence within the Network-Switches area, our Cisco switch has the 'Role by VLAN ID' = 'General Staff' and is configured for VLAN 55 (Registration). So when I connect my laptop, it is registered and is put into the 'GeneralStaff' role but I do not get an IP address associated with VLAN 55 (in fact I get a 169 IP address).

I can ping all the VLAN interfaces etc. so network connectivity is fine, and in Network - Interfaces the VLANs have been configured, e.g. vlan55 10.55.55.10 255.255.255.0 Registration. We are slightly confused why the packetfence does not give my laptop a VLAN 55 address. Do we need to create separate DHCP scopes for each VLAN? Thanks for any help you can provide in advance; it would be very much appreciated.

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] R: R: R: R: Issue authenticathing WPA2 WLAN
Hi Luca,

Upon receiving a RADIUS request we are trying to strip the username if there is a REALM in it (i.e. ASSL10); if when sending your request there is no realm, it will try to log in using the REALM NULL/DEFAULT. This is why you need to link the domain to those REALMs. You do not have to delete your REALM ASSL10 btw, leave it be. Without adding the domain to those, you should have been able to log in using ASSL10\ in front of your username.

Thanks

On 01/30/2017 12:28 PM, Luca Messori wrote:

Hi Antoine,

thank you very much for your help. I have the client authenticated doing the same thing that you suggested for the domain DEFAULT. What I don't understand is why!

Have a nice day

Luca Messori
Mead Informatica Srl
Head office - Via G. Ferraris, 2 - 42122 Reggio Emilia
Tel. +39 0522 265800 Admin tel. 0522265940 - Fax +39 0522 393306
Tel. +39 049 8702540 Fax +39 049 8706249
http://www.meadinformatica.it

This message may contain information which is confidential or privileged. If you are not the intended recipient, please immediately notify us and destroy this message and any attachments without retaining a copy. Any unauthorized use of this message can expose the responsible party to civil and/or criminal penalties.

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: Monday, 30 January 2017 14:52
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] R: R: R: Issue authenticathing WPA2 WLAN

Hello Luca,

When you see winbind isn't started, it is actually running. When doing a domain join via the admin interface, winbind is started in a chroot, which allows you to have one winbind daemon per domain. So you should not need to start it manually. Go to the section Configuration -> Realm and add ASSL10 as the domain for the realm NULL.

Thanks

On 01/29/2017 01:10 PM, Luca Messori wrote:

Hi Fabrice,

I tried to start winbindd manually; this is the output:

[root@mitelwifi samba]# /usr/sbin/winbindd -s /etc/samba/ASSL10.conf -S -F
winbindd version 3.6.23-36.el6_8 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list

Kind regards

Luca Messori
Mead Informatica Srl

From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Friday, 27 January 2017 19:42
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] R: R: Issue authenticathing WPA2 WLAN

Hi Luca,

it is still missing the assl10 realm; can you share your realm.conf file? Is winbind running? Did you restart radiusd after adding the realm?

Regards
Fabrice

On 2017-01-27 at 12:22, Luca Messori wrote:

Hi Fabrice,

we have reconfigured the Realm and we have done some new tests but we have the following error:

(7) Fri Jan 27 12:00:12 2017: ERROR: mschap: External script says: Reading winbind reply failed! (0xc001)
(7) Fri Jan 27 12:00:12 2017: ER
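Added example (not from the thread and not PacketFence's own code) covering two points raised above: the realm that gets stripped from a RADIUS User-Name and why a bare username ends up in the NULL realm (this thread), and why machine authentication must match servicePrincipalName rather than sAMAccountName (the Wired Domain-Joined Machine Authentication thread). The rules below are a simplified model written for this example; the exact stripping and fallback behaviour of PacketFence and FreeRADIUS may differ. The realm name ASSL10 and the realm tables are taken from the thread or constructed.

```python
"""Simplified model of RADIUS User-Name realm handling (constructed example).

Four User-Name shapes are recognised: DOMAIN\\user (prefix realm), user@domain
(suffix realm), host/fqdn (machine account) and a bare username (no realm).
A name without a realm is handled by the NULL realm; a realm nobody configured
falls back to DEFAULT. If the realm that ends up selected has no domain linked,
there is nothing to run the NTLM check against.
"""
import re
from typing import Dict, NamedTuple, Optional

HOST_RE = re.compile(r"^host/(?P<host>[^.]+)\.(?P<domain>.+)$", re.IGNORECASE)


class Identity(NamedTuple):
    realm: Optional[str]   # realm found in the User-Name, None when absent
    lookup: str            # value to look for in the directory
    ad_attribute: str      # AD attribute that holds that value


def parse_user_name(user_name: str) -> Identity:
    """Split a RADIUS User-Name into realm, lookup value and AD attribute."""
    m = HOST_RE.match(user_name)
    if m:
        # Machine authentication: the supplicant sends host/<fqdn>, which is what
        # the computer object's servicePrincipalName contains. sAMAccountName
        # would never match, which is the mistake the thread warns about.
        return Identity(m.group("domain").lower(), user_name, "servicePrincipalName")
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return Identity(realm.upper(), user, "sAMAccountName")
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return Identity(realm.lower(), user, "sAMAccountName")
    return Identity(None, user_name, "sAMAccountName")


def resolve_domain(identity: Identity, realms: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the joined domain that will handle this identity, or None if unlinked.

    `realms` maps realm name -> linked domain (None when no domain is linked).
    """
    table = {k.upper(): v for k, v in realms.items()}
    if identity.realm is None:
        key = "NULL"                       # bare username: no realm to strip
    elif identity.realm.upper() in table:
        key = identity.realm.upper()
    else:
        key = "DEFAULT"                    # realm present but not configured
    return table.get(key)


def explain(user_name: str, realms: Dict[str, Optional[str]]) -> str:
    ident = parse_user_name(user_name)
    domain = resolve_domain(ident, realms)
    if domain is None:
        return (f"{user_name}: realm {ident.realm or 'NULL'} has no domain linked, "
                f"NTLM check cannot run")
    return f"{user_name}: match {ident.ad_attribute}={ident.lookup} via domain {domain}"


# Constructed realm tables: only ASSL10 linked, then NULL and DEFAULT linked as advised.
REALMS_UNLINKED = {"ASSL10": "ASSL10", "NULL": None, "DEFAULT": None}
REALMS_LINKED = {"ASSL10": "ASSL10", "NULL": "ASSL10", "DEFAULT": "ASSL10"}

if __name__ == "__main__":
    for name in ("ASSL10\\luca", "luca", "luca@assl10.local", "host/pc01.assl10.local"):
        print("before:", explain(name, REALMS_UNLINKED))
        print("after: ", explain(name, REALMS_LINKED))
```

The "before" run reproduces the thread: only a name prefixed with ASSL10\ works, while a bare username lands in NULL and a suffix or host/ realm that is not configured lands in DEFAULT, both with no domain to answer. Linking the domain to NULL and DEFAULT fixes all four cases without removing the ASSL10 realm.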
Re: [PacketFence-users] Radiusd does not start after upgrade to 6.4
Chris,

Verify on your switch that your client is in VLAN 210. Watching your logs, 210 seems to be a production VLAN; PacketFence does not deliver DHCP on your production VLAN, this has to be your own DHCP server.

Thanks

On 01/30/2017 10:39 AM, Chris Abel wrote:

Ok so I ended up fixing my radius issue by copying over radius.conf.example into my radius.conf file. Radius now starts and clients seem to be authenticating. My problem now is that my clients get a self-assigned IP. What is the best way to troubleshoot this? When I connect to my AP, the packetfence log shows this:

Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] Match rule 1:staffwireless (pf::access_filter::test)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] autoregister a node that is already registered, do nothing. (pf::node::node_register)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] Username was defined "68a86d4051de" - returning role 'Staff' (pf::role::getRegisteredRole)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] PID: "default", Status: reg Returned VLAN: (undefined), Role: Staff (pf::role::fetchRoleForNode)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] (10.128.4.16) Added VLAN 210 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:00:26:08:fa:35:f7] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)

I am concerned with this: "Returned VLAN: (undefined)," Is that the right behavior? I see that it sends the correct vlan on the next line though.

On Mon, Jan 30, 2017 at 9:18 AM, Chris Abel <ca...@wildwoodprograms.org> wrote:

I've copied the raddb folder from the source of packetfence. This is what I get now:

root@packetfence:/usr/local/pf# freeradius -X -d raddb/ -n auth
FreeRADIUS Version 3.0.13
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file raddb//dictionary
including configuration file raddb//auth.conf
including configuration file raddb//radiusd.conf
including configuration file raddb//proxy.conf
including configuration file raddb//proxy.conf.inc
including configuration file raddb//clients.conf
including configuration file raddb//clients.conf.inc
including files in directory raddb//modules/
raddb//radiusd.conf[90]: Failed reading directory raddb//modules/: No such file or directory
Errors reading or parsing raddb//auth.conf

There is no modules directory in raddb on my server or in the source of packetfence.

On Mon, Jan 30, 2017 at 8:59 AM, Chris Abel <ca...@wildwoodprograms.org> wrote:

Hi Antoine,

The command is also not found in /usr/local/pf. I'm using Debian so I'm not sure if that makes a difference. I can use the freeradius command though. This is what I get:

root@packetfence:/usr/local/pf# freeradius -X -d raddb/ -n auth
FreeRADIUS Version 3.0.13
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file raddb//dictionary
including configuration file raddb//auth.conf
including configuration file raddb//radiusd.conf
including configuration file raddb//proxy.conf
Unable to open file "raddb//proxy.conf": No such file or directory
Errors reading or parsing raddb//auth.conf

On Mon, Jan 30, 2017 at 8:53 AM, Antoine Amacher <aamac...@inverse.ca> wrote:

Hello Chris,

Try the following from /usr/local/pf:

radiusd -X -d raddb/ -n auth

Thanks

On 01/29/2017 08:44 PM, Chris Abel wrote:

Also, nothing appears in radius.log

On Sun, Jan 29, 2017 at 8:42 PM, Chris Abel <ca...@wildwoodprograms.org> wrote:

I'm having a really hard time after my packetfence upgrade. I can't seem to get radius to start. When I
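Added example (not from the thread and not PacketFence's own code) for the two DHCP/VLAN questions above: Stuart's GeneralStaff role returned on the registration VLAN 55, and Chris's clients self-assigning an address on VLAN 210. It parses the two httpd.aaa lines quoted by Chris to recover the role and the VLAN actually placed in the Access-Accept, then checks a role-to-VLAN map against the interface types. The interface list and the set of VLANs with an external DHCP server are constructed for the example; the lint's rule is simply the one Antoine states, that PacketFence hands out DHCP only on registration and isolation interfaces.

```python
"""Role/VLAN consistency check for a VLAN-enforcement setup (constructed example).

PacketFence serves DHCP only on its registration and isolation interfaces, so a
VLAN returned for a production role must be served by the site's own DHCP server.
The lint reproduces the two situations in the threads: a production role mapped to
the registration VLAN (GeneralStaff -> 55) and a production VLAN with no DHCP
server recorded (Staff -> 210, clients end up on 169.254.x.x).
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

ROLE_RE = re.compile(r"Returned VLAN: \((?P<vlan>[^)]*)\), Role: (?P<role>\S+)")
ACCEPT_RE = re.compile(r"Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept")


class Interface(NamedTuple):
    name: str
    vlan: int
    kind: str  # "registration", "isolation" or "management"


def returned_role_and_vlan(log_lines: Iterable[str]) -> Tuple[Optional[str], Optional[int]]:
    """Extract the role chosen by pf::role and the VLAN put in the Access-Accept."""
    role: Optional[str] = None
    vlan: Optional[int] = None
    for line in log_lines:
        m = ROLE_RE.search(line)
        if m:
            role = m.group("role")
        m = ACCEPT_RE.search(line)
        if m:
            vlan = int(m.group("vlan"))
    return role, vlan


def lint_role_vlans(interfaces: List[Interface], role_vlans: Dict[str, int],
                    external_dhcp_vlans: Set[int]) -> List[str]:
    """Flag production roles whose VLAN cannot hand the client a usable address."""
    pf_dhcp = {i.vlan for i in interfaces if i.kind in ("registration", "isolation")}
    findings: List[str] = []
    for role, vlan in sorted(role_vlans.items()):
        if vlan in pf_dhcp:
            findings.append(f"role {role!r} returns VLAN {vlan}, a PacketFence "
                            f"registration/isolation VLAN: registered clients would "
                            f"stay behind the captive portal")
        elif vlan not in external_dhcp_vlans:
            findings.append(f"role {role!r} returns VLAN {vlan} but no DHCP server is "
                            f"known there: clients will self-assign a 169.254.x.x address")
    return findings


def lint_from_log(log_lines: Iterable[str], interfaces: List[Interface],
                  external_dhcp_vlans: Set[int]) -> List[str]:
    """Run the lint on the role/VLAN pair observed in one authorization sequence."""
    role, vlan = returned_role_and_vlan(log_lines)
    if role is None or vlan is None:
        return ["no complete authorization sequence found in the log"]
    return lint_role_vlans(interfaces, {role: vlan}, external_dhcp_vlans)


# Constructed from the interface line quoted by Stuart (vlan55 10.55.55.10 Registration).
INTERFACES = [
    Interface("eth0", 1, "management"),
    Interface("eth0.55", 55, "registration"),
    Interface("eth0.56", 56, "isolation"),
]

# Two lines from the httpd.aaa log quoted by Chris, kept as posted.
SAMPLE_LOG = [
    'Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] PID: "default", '
    'Status: reg Returned VLAN: (undefined), Role: Staff (pf::role::fetchRoleForNode)',
    'Jan 30 10:33:49 httpd.aaa(3246) INFO: [mac:68:a8:6d:40:51:de] (10.128.4.16) Added '
    'VLAN 210 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)',
]

if __name__ == "__main__":
    # Misconfigured: production role mapped to the registration VLAN.
    for f in lint_role_vlans(INTERFACES, {"GeneralStaff": 55}, {1}):
        print("before:", f)
    # Corrected: production role mapped to VLAN 1, where the site's DHCP server lives.
    print("after:", lint_role_vlans(INTERFACES, {"GeneralStaff": 1}, {1}))
    # Chris's case: VLAN 210 is returned, but nobody serves DHCP there yet.
    for f in lint_from_log(SAMPLE_LOG, INTERFACES, set()):
        print("log:", f)
```

The "Returned VLAN: (undefined)" in the fetchRoleForNode line is not flagged by the lint because the VLAN that matters is the one in the Access-Accept on the following line; the check works from that value.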
Re: [PacketFence-users] Cisco 3650 switch configuration problem - integrated Wireless Lan Controller WLC
Hello Łukasz,

If you have access to a web interface for the built-in WLC you can find all the information on how to configure it here: https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_cisco_2 Section 5.9.4 or 5.10. If you only have a CLI you will need to find the matching CLI commands; you have some examples on how to do it on an AP (not on a WLC) in section 5.9.1.

Thanks

On 01/30/2017 06:01 AM, Łukasz KRAJNIK wrote:
> Hello
>
> I am new with PacketFence - but basically what I want to achieve is to
> configure Cisco 3650 with built-in Wireless Lan Controller to work with
> PacketFence.
>
> I read all PacketFence support documentation and already I believe that
> I correctly configured wired MAB AUTHENTICATION;
>
> precisely now I can connect a new laptop to Cisco 3650 and when
> authentication order is set to mab dot1x this laptop authenticates and
> VLAN is set to register; after I open a browser and authenticate with a
> local prepared test user
>
> I am redirected to the default VLAN. But now I need to configure wireless
> connection. How can I do it when my WLC is on the same box with the 3650 switch?
>
> Could anyone advise me what I should do in such a configuration?

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Radiusd does not start after upgrade to 6.4
Hello Chris,

Try the following from /usr/local/pf:

radiusd -X -d raddb/ -n auth

Thanks

On 01/29/2017 08:44 PM, Chris Abel wrote:

Also, nothing appears in radius.log

On Sun, Jan 29, 2017 at 8:42 PM, Chris Abel <ca...@wildwoodprograms.org> wrote:

I'm having a really hard time after my packetfence upgrade. I can't seem to get radius to start. When I try "service packetfence start" I get this:

radiusd-acct|not started
radiusd|not started

packetfence.log reports this:

Jan 29 20:38:06 pfcmd.pl(5346) INFO: Daemon radiusd-acct took 0.039 seconds to start. (pf::services::manager::launchService)
Jan 29 20:38:06 pfcmd.pl(5346) INFO: Daemon radiusd took 0.039 seconds to start. (pf::services::manager::launchService)

I tried running "radius -X" but I get command not found. I'm not sure where to go from here, but I need to try to get this working ASAP. Thanks for any help you can provide.

--
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY 12303
518-836-2341

IMPORTANT NOTICE: This message and any attachments are solely for the intended recipient and may contain confidential information, which is, or may be, legally privileged or otherwise protected by law from further disclosure. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this email and any attachments is prohibited. If you have received this communication in error, please notify the sender by reply email and immediately and permanently delete this email and any attachments.

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Packet Fence configuration to work With Cisco WLC WebAuth
Hello,

> Question 1 - for captive configuration do I need to enable enforcement and VLAN, and if so which option do I choose

The captive portal will be available no matter which enforcement you chose: VLAN, Inline or WebAuth.

> Q1 how many interfaces are supposed to be created and should they be on the same network

Please clarify.

> Q Can the captive portal be on the same network as the management IP, and if so how do I configure that.

Using WebAuth for instance, you need to enable the portal on the management interface: Configuration -> Network -> Interfaces and Network -> click on your interface, Additional listening daemon(s) -> Portal

> Q4 What configuration should I have on the WLC

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_cisco_2

If using WebAuth: https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_wireless_lan_controller_wlc_web_auth

> Q 4 What configuration should I have to get guests authenticated through sponsor email or local user

https://packetfence.org/doc/PacketFence_Administration_Guide.html#_guests_management

Thanks

On 01/24/2017 10:36 AM, Sadiq Hussein wrote:
> Dear Colleague
>
> I am new in PacketFence 6.4. I want to use it with a Cisco WLC 5500 to manage guest users through the captive portal. I have gone through the Admin and Network documentation to try and configure PacketFence but nothing seems to work.
>
> Question 1 - for captive configuration do I need to enable enforcement and VLAN, and if so which option do I choose
> Q1 how many interfaces are supposed to be created and should they be on the same network
> Q Can the captive portal be on the same network as the management IP, and if so how do I configure that.
> Q4 What configuration should I have on the WLC
> Q 4 What configuration should I have to get guests authenticated through sponsor email or local user
>
> Please assist
>
> Regards
> Sadiq Hussein

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] problem with source definition
Denis,

I forgot to ask: is this a Debian or CentOS install?

Thanks

On 01/17/2017 09:13 AM, Antoine Amacher wrote:
> Hello Denis,
>
> Have a look in the httpd.admin.catalyst and httpd.admin.error logs also, to see if you find anything. Look for 'ERROR'.
>
> You can increase the log level via conf/log.conf.d/httpd.admin.conf: change INFO to DEBUG (l2) and WARN to DEBUG (l5), then restart your httpd.admin process. That will increase the output in the log by a LOT.
>
> Is this a standalone or cluster installation?
>
> I tried to recreate your process on a 6.4 (cluster setup); I did not encounter this issue.
>
> Thanks
>
> On 01/17/2017 06:33 AM, Denis Bonnenfant wrote:
>> On 16/01/2017 at 18:51, Antoine Amacher wrote:
>>> Hello Denis,
>>>
>>> Make sure your ad-blocker (if you have one) is disabled for the admin of PF; it may sometimes create weird interactions and not allow you to access a source to edit, for instance.
>>>
>> There are no ad-blockers, proxies or other things that may interfere with the interface. I tested with different computers, OS and browsers, refreshed the cache, removed cookies, etc...
>>
>>> What does logs/httpd.admin.log tell you when the error appears?
>>>
>> Nothing. No messages, but maybe the log level can be increased?
>> To be more precise, the exact process:
>>
>> - create a new LDAP or any other type of source: OK
>> - add a rule inside: OK
>> - go back to the main page
>> - go to the source page, open the source,
>> - click save: the error is displayed
>> - delete the source: OK
>> - create a new one: OK
>> - modify it: error

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] Packetfence ping not working.
Hello,

This message has nothing to do with PacketFence and is a standard Linux error. Google your error message and the answer will come by itself.

Thanks

On 01/17/2017 05:50 AM, Networker 2b wrote:
> Hi,
>
> Trying to do a tcpdump but it's giving this message:
>
>     tcpdump: eth0: You don't have permission to capture on that device (socket: Operation not permitted)
>
> On Sun, Jan 15, 2017 at 10:11 AM, Networker 2b <networke...@gmail.com> wrote:
>> Hi,
>>
>> My packetfence setup is in its initial stages. I configured it with the following IP addresses and interfaces, but the ping from and to the server is working only on the Management interface. The other interfaces cannot be pinged from the network.
>>
>>     Management interface  eth0    10.45.1.60/24
>>     Isolation             eth0.2  172.16.2.251/24
>>     Registration          eth0.3  172.16.3.251/24
>>     Normal                eth0.4  172.16.4.251/24
>>
>> The core switch attached to the packetfence server has the IP addresses below:
>>
>>     int vlan 100  10.45.1.250/24
>>     int vlan 2    172.16.2.250/24
>>     int vlan 3    172.16.3.250/24
>>     int vlan 4    172.16.4.250/24
>>
>> Any help is highly appreciated.
>>
>> Regards,
>> Muhammad Farooq
>> Network Engineer

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] problem with source definition
Hello Denis,

Have a look in the httpd.admin.catalyst and httpd.admin.error logs also, to see if you find anything. Look for 'ERROR'.

You can increase the log level via conf/log.conf.d/httpd.admin.conf: change INFO to DEBUG (l2) and WARN to DEBUG (l5), then restart your httpd.admin process. That will increase the output in the log by a LOT.

Is this a standalone or cluster installation?

I tried to recreate your process on a 6.4 (cluster setup); I did not encounter this issue.

Thanks

On 01/17/2017 06:33 AM, Denis Bonnenfant wrote:
> On 16/01/2017 at 18:51, Antoine Amacher wrote:
>> Hello Denis,
>>
>> Make sure your ad-blocker (if you have one) is disabled for the admin of PF; it may sometimes create weird interactions and not allow you to access a source to edit, for instance.
>>
> There are no ad-blockers, proxies or other things that may interfere with the interface. I tested with different computers, OS and browsers, refreshed the cache, removed cookies, etc...
>
>> What does logs/httpd.admin.log tell you when the error appears?
>>
> Nothing. No messages, but maybe the log level can be increased?
> To be more precise, the exact process:
>
> - create a new LDAP or any other type of source: OK
> - add a rule inside: OK
> - go back to the main page
> - go to the source page, open the source,
> - click save: the error is displayed
> - delete the source: OK
> - create a new one: OK
> - modify it: error

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] problem with source definition
Hello Denis,

Make sure your ad-blocker (if you have one) is disabled for the admin of PF; it may sometimes create weird interactions and not allow you to access a source to edit, for instance.

What does logs/httpd.admin.log tell you when the error appears?

Thanks

On 01/16/2017 11:38 AM, denis wrote:
> Hello,
>
> With PF 6.4, I have a problem with sources configuration:
>
> - The first time a source is configured, a rule can be added and everything is OK.
> - When a second rule is added to this source and the "save" button is clicked, an error is displayed: "*Error!* The authentication source was not found"
>
> Removing the rule or the source doesn't solve the problem; in fact the whole interface seems to be dead, and the only way to recover is to restart the services.
>
> Here is an example of my conf file:
>
>     [se3]
>     description=test
>     port=389
>     stripped_user_name=yes
>     type=LDAP
>     connection_timeout=5
>     basedn=ou=People,dc=xxx,dc=org
>     email_attribute=mail
>     scope=sub
>     dynamic_routing_module=AuthModule
>     binddn=cn=,dc=xxx,dc=org
>     password=
>     host=172.x.x.x
>     usernameattribute=uid
>     encryption=none
>
>     [se3 rule eleve]
>     description=dd
>     class=authentication
>     match=any
>     action0=set_role=mobiles_eleves
>     action1=set_access_duration=12h
>     condition0=uid,is member of,cn=eleves,ou=groups,dc=xxx,dc=org
>
>     [se3 rule profs]
>     description=p
>     class=authentication
>     match=any
>     action0=set_role=mobiles_profs
>     action1=set_access_duration=12h
>     condition0=uid,is member of,cn=profs,ou=Groups,dc=xxx,dc=org
>
> The same rules were working perfectly with PF 4.6.
>
> Denis

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] Freeradius Telnet 1812 and 1813 fails
Hello Grant,

If your switch has the proper RADIUS secret and is able to talk to the management interface, then you should be all set. You could try the following:

1. Ensure that communication is working (ping between the mgmt interface and the switch IP).
2. Ensure that RADIUS receives requests from the switch (tcpdump -i mgmt.interface port 1812).
3. Check /usr/local/pf/logs/radius.log for errors.
4. Launch a raddebug and look for errors (raddebug -f /usr/local/pf/var/run/radiusd.socks -t 3600).

Let us know if that helps.

Thanks

On 12/16/2016 09:29 AM, Grant Hathaway wrote:
> Hello,
>
> The Packetfence server is up and running with AD bind and we can see devices checking in via DHCP, but not via the test switch. The test switch is a Cisco 3750 and I can see it in packetfence in Configuration/Switches. We have 3 VLANs configured on the switch and packetfence; however we are not sure whether the switch and server are communicating with each other, and are unsure where the logs are in packetfence in order to troubleshoot the connection issue.
>
> The plan is to test packetfence by plugging a device into a network port on the switch and seeing how the roles work in each VLAN.
>
> We can telnet and SSH to the server successfully on normal ports (22 and 23) from the switch, but when we telnet to ports 1812/1813 it rejects the connection:
>
>     No response from (10.25.3.122:1812,1813) for id 1645/16
>
> Ports 1812 and 1813 UDP are definitely listening on the packetfence server but telnet fails. Is there something we need to configure in freeradius to accept incoming connections?
>
> Thanks
> G
>
> Grant Hathaway
> Network and Infrastructure Analyst
> Certas Energy UK Limited
> The Switch 1-7 The Grove - Slough - SL1 1QP
> Phone : 01753756965 - Mobile : 07920075818
> grant.hatha...@certasenergy.co.uk

--
Antoine Amacher
Inverse inc.
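The telnet test in this thread cannot succeed even on a healthy server, because RADIUS is carried over UDP and a TCP connect to 1812 has nothing to answer it. The following is an added example, not PacketFence's or FreeRADIUS' own code: a small UDP probe that builds an RFC 5997 Status-Server request (RFC 2865 framing) and verifies the reply's Response Authenticator against the shared secret. It assumes FreeRADIUS has status_server enabled and lists the probing host as a client; the host, port and secret are placeholders.

```python
"""UDP liveness probe for a RADIUS server (RFC 2865 framing, RFC 5997 Status-Server).

Added example, not PacketFence's or FreeRADIUS' own code. telnet cannot test
UDP/1812, so this sends a Status-Server request and verifies that the reply was
signed with the shared secret. Assumes FreeRADIUS has status_server enabled and
lists the probing host in its clients; host, port and secret are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

CODE_STATUS_SERVER = 12
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_status_server(secret, identifier, authenticator=None):
    """Return (packet, request_authenticator) for a Status-Server request.

    Message-Authenticator is HMAC-MD5 keyed with the shared secret over the
    whole packet with the attribute's own 16 value bytes set to zero.
    """
    authenticator = authenticator or os.urandom(16)
    zeroed = attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = HEADER.pack(CODE_STATUS_SERVER, identifier,
                         HEADER.size + len(zeroed), authenticator)
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac), authenticator


def response_authenticator(secret, code, identifier, attrs, request_auth):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attrs + secret).digest()


def verify_response(secret, reply, identifier, request_auth):
    """Return the reply Code if it answers our request and carries a valid
    Response Authenticator for this secret; None otherwise."""
    if len(reply) < HEADER.size:
        return None
    code, ident, length, resp_auth = HEADER.unpack_from(reply)
    if ident != identifier or length != len(reply):
        return None
    attrs = reply[HEADER.size:length]
    expected = response_authenticator(secret, code, ident, attrs, request_auth)
    return code if hmac.compare_digest(expected, resp_auth) else None


def probe(host, secret, port=1812, timeout=3.0):
    """Send one Status-Server; return 'alive', 'reply-not-verified' or 'no-response'.

    FreeRADIUS silently drops requests from unknown clients or with a wrong
    secret, so 'no-response' covers those cases too; a tcpdump on the server,
    as suggested in the thread, shows whether the datagram arrived at all.
    """
    identifier = os.urandom(1)[0]
    packet, request_auth = build_status_server(secret, identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    if verify_response(secret, reply, identifier, request_auth) is None:
        return "reply-not-verified"
    return "alive"


if __name__ == "__main__":
    import sys
    # Placeholders: python3 probe.py <radius-host> <shared-secret>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    shared = sys.argv[2].encode() if len(sys.argv) > 2 else b"changeme"
    print(probe(target, shared))
```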
Re: [PacketFence-users] Fresh install of pf on debian 8
Hello Daniel,

The admin interface should be reachable in HTTPS only; try this: https://your.ip:1443/configurator

Try to find errors in the following logs: /usr/local/pf/logs/packetfence.log, /usr/local/pf/logs/httpd.admin.log

Let us know if that helps.

Thanks

On 12/15/2016 08:57 AM, Daniel Picon wrote:
> Hello all,
>
> First of all, sorry for my bad English, I hope you can understand my question.
>
> I just discovered packetfence yesterday, reading about it in some Google searches. To test it, I got a server and put a fresh install of Debian on it, just the basic choices + ssh server, nothing else. Then, following the instructions on https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html I installed packetfence with no errors.
>
> But when I try to access the configurator, I can't. I tried with http and https, and the browser keeps trying to load, but nothing happens. I did a scan with nmap and port 1443 is open and listening.
>
> Some commands that I executed and their output:
>
>     # /usr/local/pf/bin/pfcmd service httpd.admin status
>     Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
>     service|shouldBeStarted|pid
>     httpd.admin|1|41888
>
>     # service packetfence-config status
>     ● packetfence-config.service - PacketFence Config Service
>        Loaded: loaded (/lib/systemd/system/packetfence-config.service; enabled)
>        Active: active (running) since Qui 2016-12-15 11:21:39 BRST; 31min ago
>      Main PID: 41876 (pfconfig)
>        CGroup: /system.slice/packetfence-config.service
>                └─41876 pfconfig
>
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::fqdn
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::guest_se...n
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::local_secret
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::reverse_fqdn
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::stats_levels
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...p
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...t
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...s
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::trapping...e
>     Dez 15 11:21:39 firewall-novo pfconfig[41871]: --
>     Hint: Some lines were ellipsized, use -l to show in full.
>
>     # iptables -L
>     Chain INPUT (policy ACCEPT)
>     target     prot opt source               destination
>
>     Chain FORWARD (policy ACCEPT)
>     target     prot opt source               destination
>
>     Chain OUTPUT (policy ACCEPT)
>     target     prot opt source               destination
>
> I don't know what to do now. Can anyone help me?
>
> Thanks a lot
>
> Best regards
> Daniel

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] Please verify the provided MAC address
Hello Morgan,

The way this works is that you provide the MAC vendor prefixes in the OUI file. For instance, if you want to allow Xbox consoles to register, add the following list inside conf/allowed_device_oui.txt:

    00:12:5A # Microsoft-Xbox
    00:0D:3A # Microsoft-Xbox
    00:50:F2 # Microsoft-Xbox
    00:17:FA # Microsoft-Xbox
    00:1D:D8 # Microsoft-Xbox
    00:22:48 # Microsoft-Xbox

Examples are available in conf/allowed_device_oui.txt.example

As long as the first 6 digits of the MAC you are trying to register are in the file, the device will be able to register via the device-registration page.

Let us know if that helps.

Thanks

On 12/08/2016 12:08 PM, Morgan, Joel P. wrote:
> It looks like blanking the file /usr/local/pf/conf/allowed_device_oui.txt doesn't allow any MAC to register. Renaming the file allows any MAC to register.
>
> -----Original Message-----
> From: Morgan, Joel P.
> Sent: Thursday, December 8, 2016 10:01 AM
> To: 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.sourceforge.net>
> Subject: Please verify the provided MAC address
>
> I'm using PF version 6.2.1 on CentOS 6.8.
>
> When manually registering a device using the device-registration URL I get an error when I submit the MAC address:
>
> "Please verify the provided MAC address."
>
> A tail of packetfence.log gives the following output.
>
>     Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
>     Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
>     Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
>     Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:0] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
>     Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
>     Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:0] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
>     Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
>
> The file /usr/local/pf/conf/allowed_device_oui.txt is empty.
>
> Does anyone have any suggestions for fixing this?

--
Antoine Amacher
Inverse inc.
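The allow-list semantics explained above (match on the first six hex digits of the MAC) and the three file states Joel observed (empty file allows nothing, missing file allows everything) as an added, stand-alone model. This is example code written for this page, not PacketFence's own implementation; the file contents are constructed from the Xbox list in the reply, and the "missing file means no restriction" rule is taken from the behaviour Joel reported, not from PacketFence source.

```python
"""Model of the conf/allowed_device_oui.txt check described in this thread.

Added example, not PacketFence's own code. A device may self-register only if
the OUI (first six hex digits) of its MAC appears in the file; as reported in
the thread, an empty file allows nothing while an absent file allows everything.
"""
import os
import re
import tempfile

# Constructed file contents: the Xbox list from the reply, plus a comment line
# and a blank line to show that both are ignored by the parser.
SAMPLE_OUI_FILE = """\
# Microsoft Xbox consoles (constructed example file)
00:12:5A # Microsoft-Xbox
00:0D:3A # Microsoft-Xbox

00:50:F2 # Microsoft-Xbox
00:17:FA # Microsoft-Xbox
00:1D:D8 # Microsoft-Xbox
00:22:48 # Microsoft-Xbox
"""

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac):
    """Return the 12 hex digits of a MAC in lower case, or None if malformed.

    Accepts 00:12:5a:..., 00-12-5A-..., 0012.5a12.3456 and bare 12-digit forms.
    """
    digits = _NON_HEX.sub("", mac.strip().lower())
    return digits if len(digits) == 12 else None


def oui_of(mac):
    """Vendor prefix (first six hex digits) of a well-formed MAC, else None."""
    norm = normalize_mac(mac)
    return norm[:6] if norm else None


def parse_oui_file(text):
    """Parse allowed_device_oui.txt content into a set of lower-case OUIs.

    Text after '#' is a comment; blank lines are skipped; an entry that does
    not reduce to exactly six hex digits is ignored rather than matched.
    """
    ouis = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        digits = _NON_HEX.sub("", entry.lower())
        if len(digits) == 6:
            ouis.add(digits)
    return ouis


def load_allowlist(path):
    """Return the set of allowed OUIs, or None when the file does not exist.

    None means 'no restriction' (the renamed-file case from the thread); an
    existing but empty file yields an empty set, which rejects every MAC.
    """
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return parse_oui_file(fh.read())


def may_register(mac, allowlist):
    """Decide whether the portal should accept this MAC for self-registration."""
    prefix = oui_of(mac)
    if prefix is None:
        return False            # malformed input: "Please verify the provided MAC address."
    if allowlist is None:
        return True             # file absent: any well-formed MAC is accepted
    return prefix in allowlist  # empty set therefore rejects everything


def demo():
    """Exercise the missing, empty and populated file states; return decisions."""
    xbox = "00:12:5A:11:22:33"      # constructed: OUI is on the list
    other = "b8-27-eb-aa-bb-cc"     # constructed: OUI is not on the list
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "allowed_device_oui.txt")
        missing = load_allowlist(path)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("")
        empty = load_allowlist(path)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_OUI_FILE)
        populated = load_allowlist(path)
    return {
        "missing": (may_register(xbox, missing), may_register(other, missing)),
        "empty": (may_register(xbox, empty), may_register(other, empty)),
        "populated": (may_register(xbox, populated), may_register(other, populated)),
    }


if __name__ == "__main__":
    for state, (xbox_ok, other_ok) in demo().items():
        print(f"{state:>9}: xbox={xbox_ok} other={other_ok}")
```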
Re: [PacketFence-users] Adding roles from CLI
Hello Bob,

The roles are not stored in config files; they are stored in the DB, in the table "node_category". So you would need to add some SQL queries to add a new role.

Thanks

On 12/13/2016 11:29 AM, B McLellan wrote:
> Hi,
>
> I've been looking at creating a script to deploy multiple PacketFence instances. I have pretty much everything in place now; there's just one thing that is still puzzling me. Is there a way to create 'roles' from the CLI using pfcmd? In which config files are the roles stored? I can only see references to the roles which have associated rules in the authentication.conf file.
>
> Any hints gratefully received. ;)

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] How to create own billing source?
Hello Rolando,

Documentation about the billing source is available here: https://packetfence.org/doc/PacketFence_Administration_Guide.html#_billing_engine

There are examples on how to configure a PayPal, Stripe and Authorize.net source.

Thanks

On 12/14/2016 01:50 AM, Rolando Palencia wrote:
> Hi,
>
> How do I create my own billing source?
>
> Regards,
>
> Rolando

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] Configuration Files
Hello Walt,

We have a configuration example of those files (https://packetfence.org/doc/PacketFence_Administration_Guide.html#_freeradius_configuration, section 9.7.1b) if you want to join a domain manually. When joining the domain via the administration interface, they are built from the templates available in /usr/local/pf/addons/AD/{smb.krb5}.tt

Thanks

On 12/01/2016 06:46 PM, nspacketfe...@lydian.org wrote:
> How do files such as /etc/krb5.conf and /etc/samba/* get generated?
> Where does the raw data reside?
>
> Thanks

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] PacketFence PKI
> --> Finished Dependency Resolution
> Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
>            Requires: django-countries
> Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
>            Requires: python-django-rest-framework
> Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
>            Requires: python-pyasn1-modules >= 0.1.7
> Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
>            Requires: python-django-bootstrap3
>  You could try using --skip-broken to work around the problem
>  You could try running: rpm -Va --nofiles --nodigest
> [root@localhost ~]#
>
> Is there a problem with using the PacketFence-PKI? Is it not supported anymore? I really need to get this going in the next 2 weeks as I'm looking to get this connected to our Meru Wi-Fi and sorting out guest access before Christmas.
>
> Thanks for any advice.
>
> Regards
> Darren Morgan
> Systems Manager
> Oundle School

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] ldap/ad source with SSL
Hello Andi,

What you are looking for is https://packetfence.org/doc/PacketFence_Administration_Guide.html#_authentication section 9.2.1

There is no certificate to configure for the LDAP source in itself. SSL/StartTLS depends on how your LDAP server is configured to receive the connection for binding.

The certificate used to authenticate (RADIUS) has to be configured in /usr/local/pf/conf/radiusd/eap.conf under the section TLS.

Thanks

On 11/25/2016 04:36 AM, Morris, Andi wrote:
> Hi all,
>
> Hopefully just a quick one. I can't find a mention anywhere of how to set up LDAPS as a source. I can see that you can select SSL as part of the AD source, however I'm not sure where to configure the certificate for this.
>
> Any pointers?
>
> Cheers,
> Andi
>
> Andi Morris
> IT Security Officer
> Cardiff Metropolitan University
> T: 02920 205720
> E: amor...@cardiffmet.ac.uk
> Skype for Business: amor...@cardiffmet.ac.uk

--
Antoine Amacher
Inverse inc.
Re: [PacketFence-users] PKI Install guide
To let you know what caused your issue: it seems you had python-django installed independently, and the dependencies we needed (for packetfence-pki) were not available for the version you had installed, so that's why it failed to install the package.

Thanks

On 10/21/2016 10:31 AM, Morgan, Darren wrote:

Many thanks, that worked.

Darren

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: 21 October 2016 15:07
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI Install guide

Morgan, try the following:

    rpm -e python-django --nodeps
    yum install packetfence-pki --enablerepo=packetfence-extra

Let us know if that helps.

Thanks

On 10/21/2016 09:59 AM, Morgan, Darren wrote:

Hi Antoine,

I've tried installing the PKI, but come up with some errors (listed below). Any ideas? I've checked and the latest version of python-django is installed (yum info python-django output at end of email).

    [root@OS-PF ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
    Loaded plugins: fastestmirror, security
    Setting up Install Process
    Loading mirror speeds from cached hostfile
     * base: mirrors.ukfast.co.uk
     * extras: mirrors.coreix.net
     * updates: mirrors.ukfast.co.uk
    Resolving Dependencies
    --> Running transaction check
    ---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed
    --> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-django-bootstrap3 for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-django-rest-framework for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-ldap for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: django-countries for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Running transaction check
    ---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed
    --> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-django-bootstrap3 for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-django-rest-framework for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: django-countries for package: packetfence-pki-1.0.4-1.el6.noarch
    ---> Package python-ldap.x86_64 0:2.3.10-1.el6 will be installed
    --> Finished Dependency Resolution
    Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
               Requires: django-countries
    Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
               Requires: python-django-rest-framework
    Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
               Requires: python-pyasn1-modules >= 0.1.7
    Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
               Requires: python-django-bootstrap3
     You could try using --skip-broken to work around the problem
     You could try running: rpm -Va --nofiles --nodigest

    [root@OS-PF ~]# yum info python-django
    Loaded plugins: fastestmirror, security
    Loading mirror speeds from cached hostfile
     * base: mirrors.ukfast.co.uk
     * extras: mirrors.coreix.net
     * updates: mirrors.ukfast.co.uk
    Installed Packages
    Name        : python-django
    Arch        : noarch
    Version     : 1.6.11
    Release     : 10.3
    Size        : 15 M
    Repo        : installed
    From repo   : packetfence
    Summary     : A high-level Python Web framework
    URL         : http://www.djangoproject.com/
    License     : BSD
    Description : Django is a high-level Python Web framework that encourages rapid
                : development and a clean, pragmatic design. It focuses on automating as
                : much as possible and adhering to the DRY (Don't Repeat Yourself)
                : principle.

Regards

Darren

From: Morgan, Darren [mailto:dmor...@oundleschool.org.uk]
Sent: 21 October 2016 14:36
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI Install guide

Thanks Antoine,

Regards

Darren

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: 21 October 2016 14:17
To: pac
Re: [PacketFence-users] PKI Install guide
Morgan, try the following:

    rpm -e python-django --nodeps
    yum install packetfence-pki --enablerepo=packetfence-extra

Let us know if that helps.

Thanks

On 10/21/2016 09:59 AM, Morgan, Darren wrote:

Hi Antoine,

I've tried installing the PKI, but come up with some errors (listed below). Any ideas? I've checked and the latest version of python-django is installed (yum info python-django output at end of email).

    [root@OS-PF ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
    Loaded plugins: fastestmirror, security
    Setting up Install Process
    Loading mirror speeds from cached hostfile
     * base: mirrors.ukfast.co.uk
     * extras: mirrors.coreix.net
     * updates: mirrors.ukfast.co.uk
    Resolving Dependencies
    --> Running transaction check
    ---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed
    --> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-django-bootstrap3 for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-django-rest-framework for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-ldap for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: django-countries for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Running transaction check
    ---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed
    --> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-django-bootstrap3 for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: python-django-rest-framework for package: packetfence-pki-1.0.4-1.el6.noarch
    --> Processing Dependency: django-countries for package: packetfence-pki-1.0.4-1.el6.noarch
    ---> Package python-ldap.x86_64 0:2.3.10-1.el6 will be installed
    --> Finished Dependency Resolution
    Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
               Requires: django-countries
    Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
               Requires: python-django-rest-framework
    Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
               Requires: python-pyasn1-modules >= 0.1.7
    Error: Package: packetfence-pki-1.0.4-1.el6.noarch (packetfence-extra)
               Requires: python-django-bootstrap3
     You could try using --skip-broken to work around the problem
     You could try running: rpm -Va --nofiles --nodigest

    [root@OS-PF ~]# yum info python-django
    Loaded plugins: fastestmirror, security
    Loading mirror speeds from cached hostfile
     * base: mirrors.ukfast.co.uk
     * extras: mirrors.coreix.net
     * updates: mirrors.ukfast.co.uk
    Installed Packages
    Name        : python-django
    Arch        : noarch
    Version     : 1.6.11
    Release     : 10.3
    Size        : 15 M
    Repo        : installed
    From repo   : packetfence
    Summary     : A high-level Python Web framework
    URL         : http://www.djangoproject.com/
    License     : BSD
    Description : Django is a high-level Python Web framework that encourages rapid
                : development and a clean, pragmatic design. It focuses on automating as
                : much as possible and adhering to the DRY (Don't Repeat Yourself)
                : principle.

Regards

Darren

From: Morgan, Darren [mailto:dmor...@oundleschool.org.uk]
Sent: 21 October 2016 14:36
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI Install guide

Thanks Antoine,

Regards

Darren

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: 21 October 2016 14:17
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI Install guide

Hello Morgan,

The guide is available here: https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html

Thank you

On 10/21/2016 04:31 AM, Morgan, Darren wrote:

Hi,

Apologies if this has been answered before, but I'm trying to find the latest PKI install guide for PF 6.3.0. I want to install it on the same server as we have PF ZEN 6.3.0 running at the minute.

Regards

Darren Morgan
Systems Manager
Oundle School

Please consider the environment before printing this e-mail

This email is sent from either Oundle School or Laxton Junior School for The Corporation of Oundle School and is intended only for the addressee named above. The Corporation of Oundle School is a Charity incorporated under Royal Charter RC000396 and
Re: [PacketFence-users] MySQL login fails
Hello Rob,

Are you able to manually log in to the DB as pf and root? Is this happening every time before reaching step 4 on the configurator? Please make sure the pf password is right in conf/pf.conf and conf/pfconfig.conf.

If you need to retest it and your PacketFence *IS NOT* in production, you could log in as root in the database and run the following:

    drop database pf;
    drop database pf_graphite;

After that, rerun the configurator and it will ask you to set up a password for the user pf. To make sure everything is working fine, try a simple password which is not affected by the keyboard map, for instance a series of numbers. I'll let you know how to change it afterwards if needed.

Thanks

On 10/21/2016 06:56 AM, B McLellan wrote:

Thanks Holger,

MySQL is definitely up and listening on 3306. I can log in fine from the console. There are no special chars in the password which may cause issues (I did have this issue initially with the default root password due to the @ and " being switched on my UK keyboard ;-) ).

The fact that this is happening on both a ZEN deploy and an install from deb indicates to me that there's either a bug in the latest version or something about my environment that PF doesn't like.

Rob

On 21 October 2016 at 10:47, <holger.patz...@t-systems.com> wrote:

Hi,

are you sure the database is up at all? And you are using the same character sets when typing blind into the web interface as when setting it up in the console? This sort of error is seldom for Americans, but for people from the rest of the world one has to take care of this...

Bye,
Holger

From: B McLellan [mailto:bob.mclel...@gmail.com]
Sent: Thursday, 20 October 2016 13:24
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] MySQL login fails

Hi,

I'm trying to run the initial config on a new PacketFence install and I get as far as step 4 'Packetfence', but clicking the continue button does not progress to the next step. In /usr/local/pf/logs/packetfence.log I see:

    FATAL: unable to connect to database: Access denied for user 'pf'@'localhost' (using password: YES) at /usr/local/pf/lib/pf/version.pm line 42.

This doesn't make sense, as I'm sure the password I supplied is correct. I've even tried restarting mysql with --skip-grant-tables to be sure that auth isn't causing an issue.

This has happened on a Debian Jessie install using the deb package and on a ZEN deployment. Has anyone else seen this behaviour? Am I doing something stupid in the setup?

Bob

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

--
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] PKI Install guide
Hello Morgan,

The guide is available here: https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html

Thank you

On 10/21/2016 04:31 AM, Morgan, Darren wrote:

Hi,

Apologies if this has been answered before, but I'm trying to find the latest PKI install guide for PF 6.3.0. I want to install it on the same server as we have PF ZEN 6.3.0 running at the minute.

Regards

Darren Morgan
Systems Manager
Oundle School

Please consider the environment before printing this e-mail

This email is sent from either Oundle School or Laxton Junior School for The Corporation of Oundle School and is intended only for the addressee named above. The Corporation of Oundle School is a Charity incorporated under Royal Charter RC000396 and charity number 309921. www.oundleschool.org.uk

Scanned by iCritical.
Re: [PacketFence-users] Windows7 802.1x
Hello Holger,

Are they switched to the right VLAN after authentication? (You could try to authenticate a client which has issues and add a static IP in the expected range.) Do you see a pattern for clients that are not getting an IP: same network card, same model, etc.? Try to trace one client who has issues in packetfence.log to make sure the flow is fine. Also look at your DHCP leases; this could be due to not enough addresses in the pool.

Thanks

On 10/17/2016 10:18 AM, holger.patz...@t-systems.com wrote:

Hi Folks,

does anyone of you use 802.1x auth with Windows 7? Our clients sometimes don't get an IP address after auth. (They are already authenticated successfully.)

Bye,
Holger
Re: [PacketFence-users] Can't join packetfence to domain for RADIUS
Hello Alex,

You can have a look under /chroots/DOMAIN-NAME/var/log/sambaDOMAIN-NAME/log.winbind

Thanks

On 10/13/2016 11:28 PM, Alex Fishel wrote:

Hello all,

I upgraded the server as suggested but it hasn't seemed to make a difference yet. Is there a log file that could be examined to diagnose the problem?

Thanks!

--
Alex Fishel
Re: [PacketFence-users] monit setup guide for PF
Jake,

We do not have a guide for it, but we did write some scripts to preconfigure monit. Have a look in /usr/local/pf/addons/monit/; you should find what you are looking for.

Thanks

On 10/13/2016 11:01 PM, Sallee, Jake wrote:
> Does anyone have a setup guide for using monit with Packetfence?
>
> I know it can be done, but I can't seem to find any docs on it.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
Re: [PacketFence-users] web configurator - I dun goofed
Hello Jake,

It is expected to have only httpd.admin and packetfence-config started after a fresh install. With the admin started, the server should listen on 1443 though. To be certain, could you do:

    netstat -nlp | grep 1443

and also make sure iptables is disabled. If this is a CentOS 7, systemctl stop firewalld.

If you encounter issues and you don't have any configuration set, you could do a yum reinstall, which will reinstall the package and start the expected services to access the configurator.

Thanks

On 10/13/2016 12:55 PM, Sallee, Jake wrote:
> I need to get to the web configurator ... but I kinda messed up.
>
> I went through the normal install procedure (Install OS -> install updates -> install PF)
>
> Here is where I goofed: I rebooted the server because it installed a new kernel. Now I can't get to the web configurator.
>
> I tried making sure the packetfence-config and packetfence services are started (they are) but the server is not listening on port 1443.
>
> The only service that is running is the httpd.admin service (all the other services fail to start) and when I try to start the pf services I get an error starting mysql ... since ... you know ... I haven't set it up yet.
>
> How do I proceed?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
Re: [PacketFence-users] Can't join packetfence to domain for RADIUS
Hello Alex,

Can you be a bit more precise on your issue: do you have the error while trying to add the domain, or just while trying to connect to the PacketFence administration interface? Also, since your setup is not in production, I would advise you to update to 6.3 (fixes for the domain join have been added).

Thanks,

On 10/13/2016 01:09 AM, Alex Fishel wrote:

Hello all,

I am running PacketFence 6.2.1 in a virtual machine on ESXi, using VLAN isolation. I want to be able to use RADIUS so that I may use a wireless access point with my PacketFence setup. One of the first steps in this process seems to be to set up a domain for RADIUS. I have followed the steps in the administration guide to the letter and have so far not been able to connect. I get an error message "There was a problem connecting to the server, please try again later." I have tried the troubleshooting steps in the administration guide and they do not seem to be helping either.

Are there any "gotchas" to be aware of when setting this up? My guess is that I either need to set something else up first or I am just not entering the data correctly. Any help is greatly appreciated.

Thank you!

--
Alex Fishel
Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence
Stefan,

If you don't see the rule in packetfence.log, it means that it is not being triggered: either something is not matching, or there is a typo in the rule. In the latter case you should see a message like "error while building rule XXX" in packetfence.log. Just to be sure: after deploying a rule in vlan_filters.conf, you need to do "bin/pfcmd configreload hard", which will force your configuration to be reloaded. It seems to me that the filter is not applied.

Thanks

On Friday, October 07, 2016 02:55 EDT, "Marold, Stefan" wrote:

Hello Antoine,

after using 'bin/pfcmd checkup', I see the following line in packetfence.log:

    Oct 07 02:34:19 pfcmd.pl(2179) INFO: Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)

When the user authenticates, I don't see any messages related to "1:EthernetEAP" in packetfence.log:

    Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] handling radius autz request: from switch_ip => (172.20.10.118), connection_type => Ethernet-EAP,switch_mac => (54:4a:00:88:a8:01), mac => [74:2b:62:6d:47:d4], port => 10101, username => "D1527.dorsten.local" (pf::radius::authorize)
    Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
    Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
    Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] (172.20.10.118) Added VLAN 11 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
    Oct 07 02:40:00 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
    Oct 07 02:40:02 httpd.portal(2202) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
    Oct 07 02:40:02 httpd.portal(2037) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
    Oct 07 02:40:02 httpd.portal(2038) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)

I also tried to add the following rule, but it seems to have no effect:

    [2:EthernetEAP]
    scope = NodeInfoForAutoReg
    role = default
    action = modify_node
    action_param = mac = $mac, status = reg, access_duration = 12H, role = default

BTW, does the absence of "EAP-Type => EAP-TLS" in packetfence.log mean the EAP-Type is not "EAP-TLS"?

Regards
Stefan
Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence
Hello Stefan,

What do you see in logs/packetfence.log upon using 'bin/pfcmd checkup', and do you see the filter being triggered when the user authenticates? Look for "1:EthernetEAP" in packetfence.log.

Thanks.

On Thursday, October 06, 2016 10:36 EDT, "Marold, Stefan" wrote:

Hi Antoine,

Thank you very much for your answer. Yes, the status of the client is unreg. I've configured an AD source with a catch-all rule and thought this would register the nodes automatically. But after reading the documentation again, I think it is only for the captive portal.

I tried to configure AutoRegister as you suggested, but I think there is an error in my configuration. With the following configuration, I expect the client will be autoregistered with role 'default', VLAN 477. Instead, it is still unreg, VLAN 11.

    [root@PacketFence-6_2_1 ~]# cat /usr/local/pf/conf/vlan_filters.conf|egrep -v "^#"
    [EthernetEAP]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [EAPTLS]
    filter = radius_request
    attribute = EAP-Type
    operator = is
    value = EAP-TLS

    [1:EthernetEAP]
    scope = AutoRegister
    role = default

    [root@PacketFence-6_2_1 ~]# /usr/local/pf/bin/pfcmd checkup
    Checking configuration sanity...

    tail -f /usr/local/pf/logs/radius.log
    Thu Oct 6 09:56:37 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 216 due to unfinished request in component post-auth module packetfence
    Thu Oct 6 09:56:39 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 216 due to unfinished request in component post-auth module packetfence
    Thu Oct 6 09:56:41 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 216 due to unfinished request in component post-auth module packetfence
    Thu Oct 6 09:56:43 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 216 due to unfinished request in component post-auth module packetfence
    Thu Oct 6 09:56:44 2016 : Auth: rlm_perl: Returning vlan 11 to request from 74:2b:62:6d:47:d4 port 50101
    Thu Oct 6 09:56:44 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 905 seconds
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 905 seconds
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 905 seconds
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 905 seconds
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 905 seconds
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 905 seconds
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Opening additional connection (6), 1 of 64 pending slots used
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Need 2 more connections to reach 10 spares
    Thu Oct 6 09:56:44 2016 : Info: rlm_sql (sql): Opening additional connection (7), 1 of 63 pending slots used
    Thu Oct 6 09:56:35 2016 : [mac:74:2b:62:6d:47:d4] Accepted user: and returned VLAN 11
    Thu Oct 6 09:56:44 2016 : Auth: (10) Login OK: [host/D1527.dorsten.local] (from client 172.20.10.118 port 50101 cli 74:2b:62:6d:47:d4)

Best regards
Stefan
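A simplified model of how condition sections and a "[id:expression]" rule like the ones quoted in this thread are evaluated against a RADIUS request, written here as an added example and not PacketFence's own filter engine: the sample file, the "&" / "|" syntax for combining conditions in a rule name, and the request-context dicts are assumptions for illustration.

```python
"""Simplified evaluator for PacketFence-style vlan_filters.conf rules.

Added illustration, not PacketFence's own filter engine: it models how a rule
section such as [1:EthernetEAP] fires only when every condition named in the
rule matches the values of the current RADIUS request.
"""
import configparser
import re

# Constructed sample modelled on the sections quoted in the thread. Combining
# conditions with "&" / "|" in the rule name is assumed for illustration.
SAMPLE_VLAN_FILTERS = """\
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP

[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-TLS

[1:EthernetEAP&EAPTLS]
scope = AutoRegister
role = default
"""


def load_filters(text):
    """Split ini-style text into named conditions and '<id>:<expression>' rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        section = dict(cp[name])
        if ":" in name:                      # rule section, e.g. [1:EthernetEAP]
            rule_id, expr = name.split(":", 1)
            rules.append({"id": rule_id, "expr": expr, **section})
        else:                                # plain condition section
            conditions[name] = section
    return conditions, rules


def eval_condition(cond, ctx):
    """Apply one condition section to the request context dict."""
    actual = ctx.get(cond["filter"])
    if "attribute" in cond and isinstance(actual, dict):
        actual = actual.get(cond["attribute"])       # e.g. radius_request / EAP-Type
    op, expected = cond["operator"], cond.get("value", "")
    if actual is None:
        # An attribute absent from the request can never satisfy "is" or "match".
        return op in ("is_not", "match_not")
    actual = str(actual)
    if op == "is":
        return actual == expected
    if op == "is_not":
        return actual != expected
    if op == "match":
        return re.search(expected, actual) is not None
    if op == "match_not":
        return re.search(expected, actual) is None
    raise ValueError(f"unsupported operator {op!r}")


def eval_expr(expr, conditions, ctx):
    """Evaluate 'A&B|C': '&' binds tighter than '|'; names refer to conditions."""
    for term in expr.split("|"):
        names = [n.strip() for n in term.split("&")]
        unknown = [n for n in names if n not in conditions]
        if unknown:   # a typo in the rule name surfaces here instead of silently failing
            raise ValueError(f"unknown condition(s) {unknown} in rule {expr!r}")
        if all(eval_condition(conditions[n], ctx) for n in names):
            return True
    return False


def apply_scope(scope, conditions, rules, ctx):
    """Return the parameters of the first rule in `scope` whose expression matches."""
    for rule in rules:
        if rule.get("scope") == scope and eval_expr(rule["expr"], conditions, ctx):
            return {k: v for k, v in rule.items() if k not in ("expr", "scope")}
    return None


if __name__ == "__main__":
    conds, rules = load_filters(SAMPLE_VLAN_FILTERS)
    # Constructed request contexts: a wired EAP-TLS supplicant, and the same
    # port when the request carries no EAP-Type (so EAPTLS cannot match).
    tls = {"connection_type": "Ethernet-EAP", "radius_request": {"EAP-Type": "EAP-TLS"}}
    no_type = {"connection_type": "Ethernet-EAP", "radius_request": {}}
    print(apply_scope("AutoRegister", conds, rules, tls))      # {'id': '1', 'role': 'default'}
    print(apply_scope("AutoRegister", conds, rules, no_type))  # None: node stays unreg
```

The second call shows why an EAP-Type that never appears in the request leaves a rule depending on it unmatched, and the unknown-name check is the analogue of the "error while building rule" message Antoine mentions.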
Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence
Hello Stefan,

What is the status of the node in PacketFence after it connects via EAP-TLS? If the status is unreg, you could simply add a vlan filter that AutoRegisters nodes when they connect via EAP-TLS. Examples are available in /usr/local/pf/conf/vlan_filters.conf; we could provide some if necessary.

Thank you

On 10/05/2016 11:11 AM, Marold, Stefan wrote:

Hello all,

I'm using PacketFence ZEN 6.2.1 and want to authenticate clients with our MSPKI. I followed the instructions in https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html up to '3.2.2 RADIUS EAP-TLS and MSPKI' except enabling OCSP. However, the clients are always put into the registration VLAN instead of the default VLAN:

    [root@PacketFence-6_2_1 logs]# tail -f /usr/local/pf/logs/radius.log
    Wed Oct 5 10:48:55 2016 : Warning: rlm_sql (sql_reject): authorize_check_query is empty. Please delete it from the configuration
    Wed Oct 5 10:48:55 2016 : Info: rlm_sql (sql_reject): Attempting to connect to database "pf"
    Wed Oct 5 10:48:55 2016 : Warning: [raddb//mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
    Wed Oct 5 10:48:55 2016 : Warning: [raddb//mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
    Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server
    Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server packetfence-tunnel
    Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server packetfence-cli
    Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server dynamic_clients
    Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server packetfence
    Wed Oct 5 10:48:55 2016 : Info: Ready to process requests
    Wed Oct 5 10:49:39 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 133 due to unfinished request in component post-auth module packetfence
    Wed Oct 5 10:49:41 2016 : Error: (10) Ignoring duplicate packet from client 172.20.10.118 port 1645 - ID: 133 due to unfinished request in component post-auth module packetfence
    Wed Oct 5 10:49:41 2016 : Auth: rlm_perl: Returning vlan 11 to request from 74:2b:62:6d:47:d4 port 50101
    Wed Oct 5 10:49:41 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
    Wed Oct 5 10:49:42 2016 : Info: rlm_sql (sql): Need 4 more connections to reach 10 spares
    Wed Oct 5 10:49:42 2016 : Info: rlm_sql (sql): Opening additional connection (6), 1 of 58 pending slots used
    Wed Oct 5 10:49:37 2016 : [mac:74:2b:62:6d:47:d4] Accepted user: and returned VLAN 11
    Wed Oct 5 10:49:42 2016 : Auth: (10) Login OK: [host/D1527.dorsten.local] (from client 172.20.10.118 port 50101 cli 74:2b:62:6d:47:d4)

I don't know how to debug the error 'due to unfinished request in component post-auth module packetfence'. However, openssl is able to verify the certificate:

    [root@PacketFence-6_2_1 logs]# openssl verify -CAfile /usr/local/pf/conf/ssl/tls_certs/ca.pem ~/d1527.cer
    /root/d1527.cer: OK
    [root@PacketFence-6_2_1 logs]# openssl verify -CApath /usr/local/pf/conf/ssl/tls_certs ~/d1527.cer
    /root/d1527.cer: OK

I've managed to get it working with PacketFence 5.1.0 but not with the current version. Can anyone help?

Kind regards
Stefan
Re: [PacketFence-users] Reregister if SSID is changing
Hello Tobias,

There is a reevaluation happening every time a user connects to an SSID, as long as there is a new RADIUS request coming in. Now for what you want to do, you could create a set of rules in your source of authentication, AD I presume, and use the condition SSID. Send back the role guest if the SSID is guest, or apply your normal rules if the SSID is internal.

Let us know if that helps.

Thanks,

On 09/21/2016 05:46 AM, Tobias Friede wrote:

Hi,

is it possible to reevaluate access every time a client/user makes a reconnect on our wifi?

Greetings
Tobias

2016-09-02 11:36 GMT+02:00 Tobias Friede <t.fri...@gmail.com>:

Hi,

No one with an idea how to fix my problem? Or is it better to use two packetfence servers, one for internal authentication and one for hotspot services?

Greetings
Tobias

2016-09-01 9:20 GMT+02:00 Tobias Friede <t.fri...@gmail.com>:
> Hi,
>
> I have the following problem. I have 2 SSIDs:
> Guest and Internal.
>
> The Guest WiFi is OPEN and just secured with a captive page. The
> internal is secured with 802.1x EAP-TLS.
> If a user connects to the guest wifi and logs in with a guest account,
> our Aerohive APs and Cisco WLC will move them to the correct VLAN.
> Everything seems to be fine. Unregistration via PF interface works
> fine too, so CoA is working.
>
> But if a user moves to the internal WiFi, the VLAN doesn't change back
> to the internal VLAN.
> The client still remains in guest VLAN, I think, because the client is
> registered for the guest user account.
> Is there any solution to solve this?
>
> Greetings
> Tobias

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
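The rule set Antoine suggests, written out as an added example in conf/authentication.conf syntax; it is not part of the thread or of PacketFence's own shipped configuration. The source name `AD`, the rule names, the group DN, the 1D access duration and the spelling of the `ssid` condition attribute are assumptions; compare them against a rule saved from the admin GUI before relying on them.

```ini
# Added example, not from the thread: an AD source with two rules in
# conf/authentication.conf. PacketFence evaluates a source's rules in
# order and applies the first one that matches, so the SSID-specific
# rule has to sit above the general one. Source name, rule names, group
# DN and the "ssid" attribute spelling are assumptions to verify.
[AD]
description=Corporate Active Directory
type=AD
host=ad.example.com
port=389
basedn=DC=example,DC=com
binddn=CN=pfbind,CN=Users,DC=example,DC=com
password=PLACEHOLDER
encryption=starttls
scope=sub
usernameattribute=sAMAccountName

# Rule 1: whatever the account, a login arriving over the Guest SSID is
# given the guest role. As Antoine notes, every new RADIUS request
# re-runs the rules, so a device moving between SSIDs is re-evaluated.
[AD rule guest_ssid]
description=Guest SSID always maps to the guest role
match=all
condition0=ssid,equals,Guest
action0=set_role=guest
action1=set_access_duration=1D

# Rule 2: the normal rule, reached only from the Internal (EAP-TLS)
# SSID. The memberOf check is illustrative; adjust it to your groups.
[AD rule internal_staff]
description=Staff on the internal SSID
match=all
condition0=ssid,equals,Internal
condition1=memberOf,equals,CN=Staff,CN=Users,DC=example,DC=com
action0=set_role=default
action1=set_access_duration=1D
```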
Re: [PacketFence-users] How to configure packetfence for 802.1x wireless with Ruckus WLC
Hello Sulabh,

All our guides, including what you are looking for, are available here:

https://packetfence.org/support/index.html#/documentation
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_ruckus
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_juniper

Thank you for your interest in PacketFence.

On 09/25/2016 12:15 PM, sulabh khanal wrote:

Hello,

I want to use packetfence with 802.1x wireless support for Ruckus WLC and Juniper 2200 switch. I would like to know what configurations I need to do on packetfence as well as Ruckus WLC and Juniper 2200. I am using Ruckus ZD 1200 with Ruckus ZoneFlex R500 Access Point. I am a beginner at using PacketFence and would like step by step instructions for configuration.

Regards,
Sulabh

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Fingerbank API key not working
For the local combination it is normal that it is empty, unless you created some.

On 09/15/2016 06:03 PM, Jason 'XenoPhage' Frisvold wrote:

On 9/15/16 16:33, Antoine Amacher wrote:

Jason,

You can check your fingerbank local db:
sqlite3 /usr/local/fingerbank/db/fingerbank_Local.db .schema

If the result is not promising you can re-instantiate your local db by doing:
make init-db-local (from the folder /usr/local/fingerbank/)

Let us know if that helps.

Schema looks just fine to me.. There's nothing in the combination table, but it's there. I'm trying to dig through the code a bit to understand what's going on .. Trying to unravel things. It's been a while since I did OO Perl though.. :P

Thanks

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Fingerbank API key not working
Jason,

You can check your fingerbank local db:
sqlite3 /usr/local/fingerbank/db/fingerbank_Local.db .schema

If the result is not promising you can re-instantiate your local db by doing:
make init-db-local (from the folder /usr/local/fingerbank/)

Let us know if that helps.

Thanks

On 09/15/2016 02:58 PM, Jason 'XenoPhage' Frisvold wrote:

On 9/15/16 12:56, Antoine Amacher wrote:

The permissions on the Fingerbank config file are the ones expected. You could always run: "/usr/local/pf/bin/pfcmd fixpermissions" to ensure permissions are right everywhere.

Additionally, when I try to hit other links, I'm getting an error that the server isn't running.. Is that something I need to explicitly start?

Which links? In the Fingerbank section of the admin? You might want to have a look into /usr/local/pf/logs/httpd.admin.{log,catalyst,error}, you could get the information about the error. Which version of PacketFence are you running? You could try to run the maintenance; "perl /usr/local/pf/addons/pf-maint.pl".

Let us know if that helps.

Ok, tried both and restarted packetfence when I was done.. Still getting the error:

"Error! An error occured while contacting the server. Please try again later."

And here's what I'm seeing in the http.admin.* logs:

==> logs/httpd.admin.error <==
[Thu Sep 15 14:53:28 2016] -e: Argument "" isn't numeric in numeric le (<=) at /usr/local/pf/html/pfappserver/root/macros.inc line 25.
[Thu Sep 15 14:53:28 2016] -e: Argument "" isn't numeric in subtraction (-) at /usr/local/pf/html/pfappserver/root/macros.inc line 25.
[Thu Sep 15 14:53:28 2016] -e: Argument "" isn't numeric in numeric le (<=) at /usr/local/pf/html/pfappserver/root/macros.inc line 25.
[Thu Sep 15 14:53:28 2016] -e: Argument "" isn't numeric in subtraction (-) at /usr/local/pf/html/pfappserver/root/macros.inc line 25.

==> logs/httpd.admin.log <==
Sep 15 14:53:28 httpd.admin(710) ERROR: Cannot read from 'Combination' table in schema 'Local'. Cannot search (pfappserver::Base::Model::Fingerbank::readAll)
Sep 15 14:53:28 httpd.admin(710) ERROR: Cannot read from 'Combination' table in schema 'Local'. Cannot search (pfappserver::PacketFence::Controller::Root::end)

So it looks like there's no database table for this? I did try to run all of the updates as well.

And if I try to save from the settings page, I see this:

==> logs/httpd.admin.error <==
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in substitution (s///) at /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Fingerbank/Settings.pm line 35.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value $type in string eq at /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Fingerbank/Settings.pm line 48.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in string eq at /usr/local/fingerbank/lib/fingerbank/Config.pm line 191.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in concatenation (.) or string at /usr/local/fingerbank/lib/fingerbank/Config.pm line 194.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in string eq at /usr/local/fingerbank/lib/fingerbank/Config.pm line 191.
[Thu Sep 15 14:54:37 2016] -e: Use of uninitialized value in concatenation (.) or string at /usr/local/fingerbank/lib/fingerbank/Config.pm line 194.

Thanks

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Fingerbank API key not working
The permissions on the Fingerbank config file are the ones expected. You could always run: "/usr/local/pf/bin/pfcmd fixpermissions" to ensure permissions are right everywhere.

Additionally, when I try to hit other links, I'm getting an error that the server isn't running.. Is that something I need to explicitly start?

Which links? In the Fingerbank section of the admin? You might want to have a look into /usr/local/pf/logs/httpd.admin.{log,catalyst,error}, you could get the information about the error. Which version of PacketFence are you running? You could try to run the maintenance; "perl /usr/local/pf/addons/pf-maint.pl".

Let us know if that helps.

Thanks

On 09/15/2016 12:09 PM, Jason 'XenoPhage' Frisvold wrote:

On 9/15/16 11:53, Antoine Amacher wrote:

Hello Jason,

This is a bug: https://github.com/inverse-inc/packetfence/issues/1519
You would need to update your fingerbank package to a version superior to 2.2.0. You can verify with:
rpm -qa | grep fingerbank

Hrm...

[root@packetfence0 logs]# rpm -qa | grep fingerbank
fingerbank-2.3.1-1.1.noarch

In case you want a manual fix with no update package you can edit the file /usr/local/fingerbank/conf/fingerbank.conf and add the following inside:

[upstream]
api_key=YOUR API KEY

That worked, but when I try to save the settings afterwards, I get an error that it can't write to the fingerbank.conf file.. That file seems to be owned by fingerbank:

-rw-rw-r--. 1 fingerbank fingerbank 60 Sep 15 12:05 /usr/local/fingerbank/conf/fingerbank.conf

I don't see anything running as fingerbank, and it doesn't look like there are any other users in the fingerbank group.. perhaps that's the issue?

Additionally, when I try to hit other links, I'm getting an error that the server isn't running.. Is that something I need to explicitly start?

Thanks,

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Fingerbank API key not working
Hello Jason,

This is a bug: https://github.com/inverse-inc/packetfence/issues/1519
You would need to update your fingerbank package to a version superior to 2.2.0. You can verify with:
rpm -qa | grep fingerbank

In case you want a manual fix with no update package you can edit the file /usr/local/fingerbank/conf/fingerbank.conf and add the following inside:

[upstream]
api_key=YOUR API KEY

Thanks

On 09/15/2016 11:35 AM, Jason 'XenoPhage' Frisvold wrote:

Hi!

I'm trying to set up the Fingerbank config on our packetfence instance, but I'm running into a problem. I've registered on the website as requested and obtained my key. However, when I add the key to packetfence and click onboard, it submits as expected and reloads the page with no key listed. And the rest of the fingerbank functionality informs me that fingerbank isn't configured.

Is there some trick I'm missing here, or have I run into a bug?

Thanks,

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Problem with network connectivity test after successful VLAN change.
Hello Dominic,

You are right about the test for internet connectivity: all we do is request a small gif from inverse.ca. It could be an issue with MacOS which does not manage to renew its IP in time; it could also be a browser cache issue. You could try to raise the redirection_timer for instance (progression bar while getting redirected on the portal), under the section trapping in configuration.

To be sure of the issue you should do a packet capture on one of the Macs which have the issue, and from there you should be able to see if the issue comes from the address which is taking time to get renewed or from a browser cache issue for instance.

Thanks

On 08/24/2016 08:26 AM, Dominic Kilbride wrote:

Hi Antoine,

Thank you for answering. YES the CoA is properly applied and the client ends up in the production VLAN. I'm using VLAN enforcement.

It seems to be only the test that fails, despite the client being moved to the correct VLAN with CoA. The client then displays the error text even though it is connected to the internet as configured.

I'm wondering how the connectivity test is run? I understand that if you are using the default IP address then the client's web browser will try to fetch a small img file from the inverse web server … But how is this done? Is this compatible with all browser and client versions? Windows 10 is working great for me but I'm having problems with MacOS.

Could it be a timeout problem? Like the client tries too early to get the image? And the change to production VLAN occurs later?

Any suggestions?

Best regards
Dominic

-

Hello Dominic

Is your CoA properly applied? Do you obtain an IP in your new VLAN (production)? Are you using VLAN or WebAuth enforcement type?

If VLAN enforcement, you could try to lower the DHCP lease in the registration VLAN, to force an earlier re-auth. Also make sure of the configuration 'Allow AAA override' in the SSID configuration on the WLC.

Thanks

On 08/23/2016 07:42 AM, Dominic Kilbride wrote:
> Hi all,
> I'm running 6.2 on CentOS and am having the following problems.
>
> After successful registration and CoA on my Cisco WLC the client ends up at
> the …
> ‘Unable to detect network connectivity. Try to restarting your web browser or
> opening a new tab to see if your access has been successfully enabled.’
>
> I'm using the default method using the address of the inverse web server
> for the control. The test seems to be failing despite a working connection!
>
> Is there some time-out that can be adjusted? Can the detection method be
> bypassed as a workaround?
>
> Thanks in advance
>
> Dominic Kilbride

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] device-registration page
Hello Paul,

There have been changes in PacketFence 6.1 for the device-registration page. You could try to update to 6.1 or later and see if this was a bug related issue.

I tested this on the devel version and this is not happening to me: I used an AD account to log in on the device-registration page and then registered a device. I will probably test it with your version (6.0.3) just to confirm.

Also note that you need to empty the file conf/allowed_device_oui.txt to be able to register any device type from the device-registration page. Make sure to do the following if you make any change to conf/allowed_device_oui.txt;

bin/pfcmd configreload hard
bin/pfcmd service httpd.portal restart

Thanks

On 08/24/2016 08:53 AM, Paul Coates wrote:
> Yes that is the page we have enabled. The source is set to our active
> directory. We can see the authentication on that page working from the
> packetfence logs. The problem is when a user logs in on that page and
> registers their MAC, they get the message that it registered OK, but
> unless they already have an entry in the person table in the pf database
> (i.e. the Users list), the MAC registration is actually stored as unreg
> and assigned to user default, not the person who logged into the site.
> Logging into the site does not add an entry to the Users list which I
> believe is a bug. This is a new CentOS 6 build for this project.
>
> We are thinking about populating the person table each day from a script
> as a work around if we can't find why this happens.
>
> Paul
>
> On 24/08/16 12:04, Torry, Andrew wrote:
>> There is a specific web page that enables 'Device Registration'.
>> You need to 'Enable' it in the Configuration->Registration
>>
>> Your users then go to https://YOURPACKETFENCE/Device-Registration
>> where they enter a username and password.
>>
>> The credentials they can use must be matched by one of your defined
>> authentication
>> SOURCES (or the local user database or both).
>>
>> The portal asks you for credentials then for the MAC address of the device
>> before
>> registering it.
>>
>> Andrew
>>
>> -
>> Falmouth University
>> -
>>
>> -Original Message-
>> From: Paul Coates [mailto:paul.coa...@ncl.ac.uk]
>> Sent: 23 August 2016 13:44
>> To: packetfence-users@lists.sourceforge.net
>> Subject: [PacketFence-users] device-registration page
>>
>> We are attempting to configure PacketFence 6.0.3 to provide student
>> halls access using a captive portal/802.1x/MAC Auth. We have an issue
>> with the /device-registration interface. I have been using the form to
>> add additional devices OK, then I asked a colleague (Jon) to try it and
>> all his registrations appear in the Nodes page as unregistered and the
>> owner is default.
>>
>> I have used the captive portal to test it and I appear in the list of
>> Users. Jon has not and is not in the user list. I had assumed when he
>> logs in on the /device-registration page he would be added to the Users
>> list automatically, but he is not. Is this a bug? If not, how can I
>> change the behavior to automatically create the user?
>>
>> I'm thinking of the scenario of a student turning up with a game console
>> but no PC/laptop, so does not have a device he can register via the
>> captive portal. A work around seems to be manually creating a user for
>> this student with a fake password (since you need to enter one), then
>> under the portal profile set the Sources to just use the Active
>> Directory to authenticate users.
>>
>> Thanks,
>>
>> Paul
>>
>> --
>> Paul Coates, Newcastle University, Network Team

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Problem with network connectivity test after successful VLAN change.
Hello Dominic

Is your CoA properly applied? Do you obtain an IP in your new VLAN (production)? Are you using VLAN or WebAuth enforcement type?

If VLAN enforcement, you could try to lower the DHCP lease in the registration VLAN, to force an earlier re-auth. Also make sure of the configuration 'Allow AAA override' in the SSID configuration on the WLC.

Thanks

On 08/23/2016 07:42 AM, Dominic Kilbride wrote:
> Hi all,
> I'm running 6.2 on CentOS and am having the following problems.
>
> After successful registration and CoA on my Cisco WLC the client ends up at
> the …
> ‘Unable to detect network connectivity. Try to restarting your web browser or
> opening a new tab to see if your access has been successfully enabled.’
>
> I'm using the default method using the address of the inverse web server
> for the control. The test seems to be failing despite a working connection!
>
> Is there some time-out that can be adjusted? Can the detection method be
> bypassed as a workaround?
>
> Thanks in advance
>
> Dominic Kilbride

-- 
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Aerohive
Hello Jason,

Which version of PacketFence are you running? Also, when using RoleBased, was your 'RoleMap' selected? Are you using the AeroHIVE AP switch module?

In the meantime I will test it over here and let you know my findings.

Thanks

On 08/15/2016 06:31 PM, Guntharp, Jason W. wrote:

I did try it returning the profile name. Aerohive HM radius test returns a different value per mode:

VlanId will return Vlan:0=0
RoleBased will return "None"

Yet clients steer fine. No profile assignment though, which is needed to correctly throttle applications, etc.

Any ideas?

Jason

Sent from my iPhone

On Aug 15, 2016, at 1:32 PM, Antoine Amacher <aamac...@inverse.ca> wrote:

Hello Jason,

User profile based "should" work, although when testing on our side it was not working properly, so we took the decision to write the guide with returning VLAN. Did you try to put the User-Profile name instead of the VLAN to return? (in the VLAN section)

Thanks

On Monday, August 15, 2016 13:36 EDT, "Guntharp, Jason W." <jwgunth...@iccms.edu> wrote:

Could anyone weigh in on Aerohive integration? I have completed the Aerohive/PacketFence setup using https://packetfence.org/doc/PacketFence_Aerohive_Quick_Install_Guide.html. The behavior is as expected with VLAN enforcement and PacketFence steers devices to the correct VLAN, but Aerohive is not mapping the user/device to the correct user profile based on what it receives from PacketFence.

Our Aerohive engineer mentioned that HiveManager is needing:
Tunnel-Type = GRE, Tunnel-Medium-Type = IPv4, Tunnel-Private-Group-ID =

The guide does mention PacketFence supporting the user profile mappings. Could anyone offer any guidance?

Thanks,

Jason Guntharp
Network Administrator
Itawamba Community College
Re: [PacketFence-users] Provisioner error when using EAP-TLS
Hello Solomon,

Which version of PacketFence is currently installed on your setup? Does the device have the configuration passed to it in PEAP, and does your SSID exist as configured on your testing device with the expected settings?

Thanks

On 08/11/2016 09:07 AM, Solomon Seal wrote:

When I set the provisioners to use EAP-TLS (only tested with a mspki) I get the following error:

-
Caught exception in captiveportal::Controller::Root->dynamic_application "Can't locate object method "current_module" via package "captiveportal::DynamicRouting::Module::Provisioning" at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module.pm line 236."
-

When I set the provisioner to PEAP, I do not get an error, but devices never connect after loading the configuration. I have tested this on iOS and Android. I see no other errors in the logs. Following the MSPKI guide I successfully tested everything in the debugging section.

Here is my (privacy filtered/sanitized) pki_provider.conf:

[App-CA]
country=US
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/pf_domain_edu.cer
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/ca.cer
locality=City
state=State
organizational_unit=Information Technology Services
url=http://10.1.1.136/CertSrv/mscep/
type=scep
cn_attribute=pid
organization=ORG

Here is a sanitized provisioners.conf (android):

[android]
eap_type=13
can_sign_profile=0
security_type=WPA
description=Android
broadcast=1
server_certificate_path=/usr/local/pf/conf/ssl/tls_certs/pf_domain_edu.cer
oses=
type=android
category=
pki_provider=App-CA
ssid=ITS Testing

I have set up portal modules following the guide section titled "Mixing login and Secure SSID on-boarding on the portal".

Ideas?
Re: [PacketFence-users] authentication on portal captive trough LDAP
Oumy,

To be able to use the tab Auditing (assuming this is what you are talking about) you need to have a working RADIUS accounting configuration.

Thanks

On 08/03/2016 08:56 AM, Oumy Coulibaly wrote:

hello Fabrice, yes, that was it; I fixed it now. But I can't get the access log, I mean the auditing interface of the web admin is empty. Any idea of where the problem can come from?
Re: [PacketFence-users] change the background colors on the portal fro PF 6.2
Hello Joel,

Look toward html/common/scss/_settings.colors.scss

You should also have a look at the following, if you need to do some customization with the css:
https://packetfence.org/doc/PacketFence_Developers_Guide.html#_captive_portal

Thank you

On Thursday, July 21, 2016 13:56 EDT, "Morgan, Joel P." wrote:

I upgraded from 5.7 to 6.2. How do you change the background colors on the new portal? I would like to use our organization's colors.
Re: [PacketFence-users] issus on debian using packetfence
Hello Oumy,

PacketFence has a rule in iptables that allows ssh through on your management interface, so no, PacketFence does not block it. You might want to try to disable your iptables to see if the issue comes from there.

Thanks

On 07/19/2016 11:08 AM, Oumy Coulibaly wrote:

Hi there,

I've installed packetfence on a debian7. It works fine, but when I try to connect to my debian using SSH it is not possible. When I ping the server from my cmd there is no problem, and I can also access packetfence through my web browser. Before installing packetfence I was able to connect with SSH to my debian from my computer, but after installing packetfence it isn't possible, so does packetfence block it?

-- 
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] DNS Resolution of Captive Portal after granting Access
Hello Till,

I am not sure how your authentication by social media is working, but why not use OAuth2 sources? You could also add any domains you want to authorize to the passthrough list; in this way people will stay in the registration VLAN with access to the authorized sites. If you need to know which sites to enable for your social media access, you can check in the OAuth sources; each has a predefined list.

Thanks

On 07/14/2016 12:03 AM, g4-l...@tonarchiv.ch wrote:
> Hi there,
>
> We wrote our own captive portal, which allows the user to get verified
> by social networks. For this reason we give him temporary access first
> so he can reach the social network login pages.
>
> But now we have the problem that he can not be directed back to the
> captive portal as long as he has the temporary Internet access. The
> reason is that DNS resolution of the captive portal (i.e. PF server) does
> not work anymore.
>
> Because we are using a public DNS server, we can not add the captive
> portal IP (which is a local one in the LAN) to this DNS.
>
> Is there a way to tell Packetfence to continue trapping and resolving
> DNS requests of the captive portal's name, as long as we grant temporary
> Internet access to the user?
> This would solve our problem.
>
> Or is there another way to resolve the PF name without using a local DNS?
>
> Best regards,
> Till

-- 
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Cisco Catalyst 3550 - Registration VLAN
Hello Vianney,

First check out your switch configuration (Roles tab): at the moment you have "switch by role" and "switch by VLAN" selected; you should remove "role mapping by switch role". PacketFence seems to answer the switch's RADIUS request properly. Is VLAN 260 your production VLAN? If yes, is it spanned to this port? Remember that PacketFence IS NOT a DHCP server on your production VLAN; we assume that you have your own server for that.

Thank you

On 06/17/2016 09:38 AM, Vianney Amador wrote:
Hi guys,

I am pretty much new to this world of PacketFence. I am testing this using a Cisco Catalyst 3550 with the latest IOS available. I created my registration, isolation and normal VLANs on both the PF server interface and the switch. I added this switch on PF using the parameters specified in the official documentation, and also set up the switch using the 3550 (802.1x with MAB) configuration. I created a source for Active Directory authentication.

I set up one of the ports on the switch with the parameters for the registration VLAN; the PC (Windows 10) automatically acquired an IP address from this subnet, so when I opened the browser it forced me to authenticate, so I put in my AD credentials and got authenticated.

When I connect the same PC on a port set up as specified in the official documentation, the PC WILL NOT get an IP address:

switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout quiet-period 2
dot1x timeout reauth-period 7200
dot1x timeout tx-period 3
dot1x reauthentication

Here is the log from packetfence.log:

Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Any thoughts? Please advise,

Vianney

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
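An added example (not PacketFence's own code): a small Python triage of the packetfence.log lines quoted in this thread. It groups the four INFO lines each RADIUS authorization writes into one record and flags the two things the reply points at: an Access-Accept carrying both a VLAN and a role, and a device that keeps coming back as unreg. The set of production VLAN ids passed to triage() is an assumption the operator supplies.

```python
"""Triage of httpd.aaa RADIUS authorization lines from packetfence.log.

Added example, not PacketFence code. It groups the lines that
pf::radius::authorize and pf::Switch::returnRadiusAccessAccept write per
request and flags the patterns discussed in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three authorization cycles quoted in the thread.
SAMPLE_LOG = """\
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

# Common prefix: syslog timestamp (no year), process, and the [mac:...] tag.
TS = (r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) httpd\.aaa\(\d+\) INFO: "
      r"\[mac:(?P<mac>[0-9a-f:]{17})\] ")
RE_REQ = re.compile(
    TS + r"handling radius autz request: from switch_ip => \((?P<switch>[^)]+)\), "
    r"connection_type => (?P<ctype>[^,]+),switch_mac => \([^)]+\), mac => \[[^\]]+\], "
    r'port => (?P<port>\d+), username => "(?P<user>[^"]*)"')
RE_STATUS = re.compile(TS + r"is of status (?P<status>\w+); belongs into (?P<target>\w+) VLAN")
RE_VLAN = re.compile(TS + r"\([^)]+\) Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept")
RE_ROLE = re.compile(TS + r"\([^)]+\) Added role (?P<role>\S+) to the returned RADIUS Access-Accept")


def parse_requests(text, year=2016):
    """Return one dict per RADIUS authorization request, in log order.

    The syslog timestamp carries no year, so the caller supplies it.
    Status/VLAN/role lines are attached to the latest request for the same MAC."""
    requests = []
    for line in text.splitlines():
        m = RE_REQ.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            requests.append({"ts": ts, "mac": m["mac"], "switch": m["switch"],
                             "ctype": m["ctype"], "port": int(m["port"]),
                             "user": m["user"], "status": None, "vlan": None,
                             "role": None})
            continue
        for rx, key in ((RE_STATUS, "status"), (RE_VLAN, "vlan"), (RE_ROLE, "role")):
            m = rx.match(line)
            if m and requests and requests[-1]["mac"] == m["mac"]:
                requests[-1][key] = int(m[key]) if key == "vlan" else m[key]
                break
    return requests


def triage(requests, production_vlans=frozenset()):
    """Return (mac, finding) pairs for the symptoms discussed in the thread.

    production_vlans: VLAN ids the operator knows are production VLANs (assumed
    input); PacketFence only serves DHCP on its own registration/isolation VLANs."""
    findings = []
    by_mac = defaultdict(list)
    for r in requests:
        by_mac[r["mac"]].append(r)
    for mac, reqs in by_mac.items():
        unreg = [r for r in reqs if r["status"] == "unreg"]
        if len(unreg) >= 3:
            # Same MAC re-authorized as unreg again and again: it never got an
            # address in the returned VLAN, so it never saw the portal.
            span = (unreg[-1]["ts"] - unreg[0]["ts"]).total_seconds()
            findings.append((mac, f"still unreg after {len(unreg)} requests in {span:.0f}s: "
                                  f"the device never reached the portal; check DHCP and "
                                  f"VLAN {unreg[-1]['vlan']} on port {unreg[-1]['port']}"))
        if any(r["vlan"] is not None and r["role"] is not None for r in reqs):
            findings.append((mac, "Access-Accept carries both a VLAN and a role: the switch "
                                  "entry has VLAN mapping and role mapping enabled; keep one"))
        if any(r["status"] == "unreg" and r["vlan"] in production_vlans for r in reqs):
            findings.append((mac, "unregistered device mapped to a production VLAN: the "
                                  "registration role points at the wrong VLAN and PacketFence "
                                  "serves no DHCP there"))
    return findings


if __name__ == "__main__":
    for mac, finding in triage(parse_requests(SAMPLE_LOG), production_vlans={260}):
        print(f"{mac}: {finding}")
```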
Re: [PacketFence-users] Change "Acceptable use policy" value
Hello Pierrick,

To change the text you can go to html/captive-portal/templates/aup_text.html. If you want to change the term "Acceptable Use Policy", you should go into the translation file conf/locale/en/LC_MESSAGES/packetfence.po, line 47, and change the msgstr for the term you want.

Thank you

On 06/13/2016 08:56 AM, prost pierrick wrote:
Hello,

Does someone know where I can change the "Acceptable Use Policy" value? Nothing in the documentation about it... strange.

Regards.

Pierrick Prost
CNRS - DR07

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Can not configure Fingerbank
Hello Leonel,

This is a known issue not fixed at the moment. You can go into /usr/local/fingerbank/config/fingerbank.conf and add the following:

[upstream]
api_key=YOUR API KEY

Then try to reload the Fingerbank Settings page.

Thank you

On Friday, June 03, 2016 14:51 EDT, Leonel Bonito wrote:
Hi Team,

I'm entering the API key and when I press the "Get Aboard!" button, nothing happens and the textbox becomes empty.

Some logs:

- httpd.admin.audit.log
{"status":200,"context":"/config/fingerbank/settings/onboard","action":"onboard","user":"admin","happened_at":"Fri Jun 3 15:41:17 2016"}

- httpd.admin.log
Jun 03 15:40:59 httpd.admin(1973) WARN: Fingerbank API key is not configured. Running with limited features (pfappserver::PacketFence::Controller::Config::Fingerbank::Settings::check_for_api_key)
Jun 03 15:41:17 httpd.admin(1976) WARN: Fingerbank API key is not configured. Running with limited features (pfappserver::PacketFence::Controller::Config::Fingerbank::Settings::check_for_api_key)

I'm running PF ZEN 6.0.1. Is there something I can do?

Thanks!

Regards,
Leonel
Re: [PacketFence-users] PT-BR Translation
Hello Filipe,

If you are looking for the file where the translation is done, look over /usr/local/pf/conf/locale/pt_BR/LC_MESSAGES/packetfence.po. You will need to execute the following in your CLI after making changes to the file:

for TRANSLATION in de en es fr he_IL it nl pl_PL pt_BR; do /usr/bin/msgfmt conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.po --output-file conf/locale/$TRANSLATION/LC_MESSAGES/packetfence.mo; done

If you want to contribute to the translation, I'd advise you to make a request to be able to translate here: https://www.transifex.com/inverse/packetfence/

Thank you

On 05/30/2016 12:47 PM, felipe santos dos santos wrote:
> Hello everyone, good afternoon,
> I would like to know where I can find the Portuguese translation of the portal and
> management interface?
>

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Windows Computer Certificates instead of hostnames
Hello Holger,

1. You cannot do EAP-TLS + PEAP on a supplicant; it will be either one or the other. The combination of certificate and user/pw is not possible then. That being said, you can do an EAP-TLS Computer + User Auth, which would first authenticate the computer with its hostname and its matching computer certificate, and then authenticate the user with the user certificate as soon as they log in. You will need to look into the EAP-TLS configuration for the server also, the main point being that your RADIUS and client certificates need to be issued from the same CA. There is an example of how to configure EAP-TLS with a working certificate over here: http://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_2_configuring_packetfence This example is with MSPKI but can be applied to any PKI. For the filter, there is an example matching what I explained (ComputerAuth + UserAuth if ComputerAuth is valid) in the vlan_filters.conf.example file under the folder /usr/local/pf/conf.

2. The other option would be to do EAP-TLS as ComputerAuth only and use the portal for a Username/PW authentication. In this case you would not need to set any filter (via the filtering engine): once your EAP-TLS has authenticated, you should be redirected to the portal, since the EAP-TLS will only grant you access to be able to talk with PacketFence, unless you have a rule that registers devices which authenticate via EAP-TLS. You could then create a portal profile using the filter connection-type Ethernet-EAP and/or Wireless-802.11-EAP, and add there your required source of authentication for the Username/PW. This way you will have the combination wanted: the user will have to enter his credentials after his computer was validated on the network via a certificate.

Thank you

On 05/30/2016 11:22 AM, holger.patz...@t-systems.com wrote:
Hi folks,

Anyone who can help me with the following task: I want to authenticate clients with Windows computer certificates (not "hostname") and username/pw.

- How do I configure the first?
- And how does the filter have to look for combining it with the user auth?

Thanks,
Holger

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
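An added model (not PacketFence code and not vlan_filters.conf syntax) of option 1 in the reply above: the two-stage EAP-TLS decision in which a user certificate is only accepted once the same MAC has passed computer authentication, and every client certificate must come from the CA that also issued the RADIUS certificate. The request fields, the role names and the TRUSTED_CA value are assumptions.

```python
"""Two-stage EAP-TLS decision: computer auth first, user auth only afterwards.

Added example, not PacketFence code. It models the ordering the thread
describes (ComputerAuth + UserAuth if ComputerAuth is valid); the field
names, role names and TRUSTED_CA below are assumptions.
"""
from dataclasses import dataclass, field

# Assumed: the issuing CA that also signed the RADIUS server certificate.
TRUSTED_CA = "CN=Example Corp Issuing CA"


@dataclass
class EapTlsRequest:
    mac: str
    identity: str          # "host/<fqdn>" for machine auth, "user@domain" or "DOMAIN\\user" for user auth
    cert_subject_cn: str   # CN of the presented client certificate
    cert_issuer: str       # issuer DN of the presented client certificate


@dataclass
class Decision:
    role: str              # assumed role names: reject, registration, machine, employees
    reason: str


@dataclass
class AuthState:
    # mac -> hostname that already passed computer authentication
    machine_ok: dict = field(default_factory=dict)


def decide(req: EapTlsRequest, state: AuthState) -> Decision:
    """Apply the thread's rules to one EAP-TLS request and update the state."""
    # EAP-TLS precondition from the reply: client and RADIUS certs from the same CA.
    if req.cert_issuer != TRUSTED_CA:
        return Decision("reject", f"certificate not issued by {TRUSTED_CA}")

    if req.identity.startswith("host/"):
        # Computer authentication: the certificate must belong to the hostname claimed.
        hostname = req.identity[len("host/"):].lower()
        if req.cert_subject_cn.lower() != hostname:
            return Decision("registration", "computer certificate CN does not match host/ identity")
        state.machine_ok[req.mac] = hostname
        return Decision("machine", f"computer {hostname} authenticated; waiting for user logon")

    # User authentication: only valid after the same MAC passed computer authentication.
    user = req.identity.split("@")[0].split("\\")[-1]
    if req.mac not in state.machine_ok:
        return Decision("registration", "user certificate without prior computer authentication")
    if req.cert_subject_cn.lower() != user.lower():
        return Decision("registration", "user certificate CN does not match identity")
    return Decision("employees", f"user {user} on {state.machine_ok[req.mac]}")
```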
Re: [PacketFence-users] Captive Portal.
Hello Sohaib,

You need to reach your registration interface, not the management one as your X.X.X.X address, unless your management interface has 'portal' (as an additional listening daemon). For the redirection, make sure you land in the registration VLAN when you plug in/connect your device; are you able to ping the registration interface from there?

"DHCP is working fine since I get a valid ip address after."

Is this IP you are getting provided by PacketFence?

Thank you

On 05/30/2016 08:04 AM, Sohaib Afourid wrote:
Hello,

I am using PacketFence for a school project, with 802.1X authentication using MySQL and AD. Everything seems to be working fine so far. The only issue I am facing right now is the captive portal: once I successfully authenticate, I get redirected to the registration VLAN; DHCP is working fine since I get a valid IP address after. To my understanding, PacketFence should redirect me to a captive portal to register my device (automatically); that does not happen, and even if I try to access the captive portal manually (using https://X.X.X.X/captive-portal with X.X.X.X being my management IP address) it fails.

Can you please guide me through a solution? Where should I start looking?

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] PKfence help for validate architecture (VLAN trunk, no Vlan assignement, No NAT)
[ASCII network diagram truncated in the archive; the visible labels are "VLAN Eduroam", "VLAN employee" and "VLAN guest".]

Regards

Pierrick Prost
CNRS Rhones Alpes France

--
Mobile security can be enabling, not merely restricting. Employees who bring their own devices (BYOD) to work are irked by the imposition of MDM restrictions. Mobile Device Manager Plus allows you to control only the apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Best wifi device for openWrt / Packetfence give me your feedbacks boys !
Hello Pierrick,

We did test it with an Ubiquiti Nanostation N2. The switch module in PacketFence is Hostapd, so if you manage to have another device where you can install it, you could always give it a try. For MikroTik it should work on CAPsMAN-enabled APs, tested on v6.18.

Thank you

On 05/25/2016 06:32 AM, PROST pierrick wrote:
I looked at MikroTik; the "wAP AC" are very interesting! Have you tested PacketFence with these models? Which version of RouterOS is compatible?

Pierrick

From: PROST pierrick
Sent: Wednesday, 25 May 2016 11:13
To: packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Best wifi device for openWrt / Packetfence give me your feedbacks boys !

Hi Antoine, thanks for this feedback, which Ubiquiti device have you tried?

Pierrick

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: Tuesday, 24 May 2016 15:21
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Best wifi device for openWrt / Packetfence give me your feedbacks boys !

Hello Pierrick,

This was tested only with Ubiquiti on our side; you can try to do it on other devices but we can't confirm that it will work.

Thanks

On 05/24/2016 08:38 AM, PROST pierrick wrote:
Hi everyone,

We want to buy and deploy PacketFence with an out-of-band configuration. We are looking for a new wifi device with OpenWRT 14.07 compatibility to match this documentation: http://packetfence.org/doc/PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.html

Have you some feedback? Ubiquiti? Linksys? MikroTik?

Have a good day!

Pierrick Prost
CNRS

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Captive Portal Disclaimer Text
Hello Manfred,

You can change it in /usr/local/pf/html/captive-portal/templates/aup_text.html

Thank you.

On 05/20/2016 03:45 AM, Schannen, Manfred wrote:
Hello,

I'm testing ZEN 6.0.1 on VMware, and I am looking for the file where the "disclaimer text" can be changed.

Thanks

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] Default sponsor email in PF 6.0.1.
Hello,

If you want to modify the email sent for the sponsor access, look toward /usr/local/pf/conf/templates/email-guest_sponsor_action_you_want_to_modify.html (activation/confirmation).

Thank you

On 05/16/2016 04:22 AM, Воробьёв Андрей wrote:
How can I configure the default sponsor email in 6.0.1? I could easily do it in 5.7 by editing guest.html.

--
Antoine Amacher
aamac...@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)