[PacketFence-users] PacketFence 9.0 and below incompatible with CentOS 7.7

2019-09-20 Thread Julien Semaan via PacketFence-users

To all PacketFence users,

Due to the release of CentOS 7.7 the Inverse team had to perform some 
packaging adjustments in order to make PacketFence compatible with the 
latest release of CentOS 7.7. For this reason it is not suggested to 
upgrade your operating system to CentOS 7.7 without upgrading 
PacketFence to version 9.1 at the same time.


If you decide to perform the upgrade to CentOS 7.7 without upgrading 
PacketFence to 9.1, you will need to perform the following preliminary 
steps before you perform your OS update through yum.


First, you need to disable systemd-logind which is currently causing 
issues with the `systemctl isolate` command:
# /bin/bash -c "/usr/bin/systemctl status user-0.slice | /usr/bin/egrep -o '─[0-9]+' | /usr/bin/sed 's/─//g' | /usr/bin/xargs -I{} /bin/bash -c '/usr/bin/kill -0 {} > /dev/null 2>/dev/null && /usr/bin/echo {} > /sys/fs/cgroup/systemd/tasks'"

# /usr/bin/systemctl stop systemd-logind
# /usr/bin/systemctl --now mask systemd-logind
# /usr/bin/systemctl daemon-reload

Then, you need to obtain the latest version of ipset in the repository
# yum update ipset --enablerepo=packetfence

More details can be obtained in the following Github issue:
https://github.com/inverse-inc/packetfence/issues/4822

Cheers!

--
Julien Semaan
jsem...@inverse.ca  ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] None of the web services start

2019-06-25 Thread Julien Semaan via PacketFence-users

Hi Eric,

I've adjusted the code, it was just a case of casting the hashref to a hash.

You can see the adjustment here:
https://github.com/inverse-inc/packetfence/commit/312941eee61707ba34c1a05f2ac3104cb73dc643

It's been pushed in the maintenance/9.0 branch, meaning it can be applied 
via the usual maintenance patching process as long as you restore the 
code to what you had before you changed it.


Best Regards,

- Julien

On 6/24/19 10:59 AM, Eric Rolleman via PacketFence-users wrote:

My guess as to what is going on here is that 
$self->filterEngine->filter('Fingerbank', $fingerbank_args); could potentially 
return multiple values, but not key-value pairs. Under this assumption I changed the 
code to this.

my @dhcp_filter_rule = ();
push(@dhcp_filter_rule,$self->filterEngine->filter('Fingerbank', $fingerbank_args));
unless ( $#dhcp_filter_rule > 0 ) {

I'm hoping someone can verify this is an okay change to make.




[PacketFence-users] Deprecation of Fingerbank API v1

2019-01-15 Thread Julien Semaan via PacketFence-users

To all PacketFence users,

The first version of the Fingerbank API hosted on fingerbank.inverse.ca 
will be shut down completely on July 1st 2019 after it was officially 
deprecated more than 1 year ago.


You will want to ensure you upgrade to a PacketFence version higher than 
8.0 which supports Fingerbank v2 and points to api.fingerbank.org for 
all API requests. If that is already the case, then no action is 
required. Modifying the API host in the Fingerbank configuration of your 
PacketFence installation will not work, you will absolutely need to 
upgrade your installation for device profiling to keep working. Failure 
to do so will cause unexpected behavior related to device profiling in 
your PacketFence installation. If you need help to upgrade from version 
7.4 or below to a recent version of PacketFence, Inverse can help you so 
please don't hesitate to contact us at supp...@inverse.ca.


On May 1st 2019, all web access to https://fingerbank.inverse.ca will be 
removed, the API will stay online until July 1st 2019, after which all 
API requests will return an HTTP status of "410 Gone".


Best Regards,

The Inverse team




Re: [PacketFence-users] Fingerbank accuracy

2018-08-24 Thread Julien Semaan via PacketFence-users

Hi Max,

The sad thing is, Fingerbank is limited in the sense that when devices 
don't exhibit behaviors that separate them from other devices, then it's 
hard to accurately profile a device.


On top of this, the manufacturer (MAC vendor) who created the device is 
keeping its privacy, that makes it harder for Fingerbank.


If it was an RCA MAC vendor, then it would be easier to profile it, but 
given this device runs a generic Linux kernel and is manufactured by a 
vendor who is keeping its privacy, it's pretty hard to get accurate 
device profiling.


So, although we can accurately profile a lot of devices, we can't 
profile all of them, especially when it doesn't distinguish itself from 
the mass (where the mass in the IoT world is Linux running a generic 
DHCP client (udhcp in this case)).


You could create a local combination on your PF server that associates 
the "Private" MAC vendor with your preferred Fingerbank device in order 
to work around the limitation of this device and to not have to allow all 
hardware manufacturers on your device registration page.


Best Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2018-08-23 10:12 PM, Max McGrath via PacketFence-users wrote:

Hi all -

I have a student trying to register a device via the 
/device-registration page, but is unable to.


The device is showing up as 'Hardware Manufacturer' for its class and 
'Private' for its type:


image.png

This is clearly not very accurate.  For the time being I have allowed 
'Hardware Manufacturer' to be registered on the /device-registration 
page by adding it to the *Device Registration* config section.


What can I do to help the accuracy of Fingerbank in the future?  I'm 
being told that this is a Bluray player -- and am currently waiting to 
be told the make/model of it.


Mid-email the student got back to me...she is telling me it is a RCA 
BRC11072E - Blu-ray disc player.  I am taking her word on it as I have 
not physically seen the device!


Thanks!

Max
--
Max McGrath <http://www.linkedin.com/in/max-mcgrath-a299124b>
Infrastructure and Security Manager
Carthage College
262-551-
mmcgr...@carthage.edu <mailto:mmcgr...@carthage.edu>




Re: [PacketFence-users] Updating fingerbank db?

2018-06-26 Thread Julien Semaan via PacketFence-users

Yes, an attachment is fine if it's under 10MB

On 2018-06-26 04:35 PM, Steve Pfister wrote:
Just the fingerbank.log? It looks like it's a couple mb compressed. 
Can I email it to you as an attachment?



Re: [PacketFence-users] Updating fingerbank db?

2018-06-26 Thread Julien Semaan via PacketFence-users

Can you post the logs that you're seeing for this MAC

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2018-06-26 04:02 PM, Steve Pfister wrote:

Still seems strange another example:

MAC: e8:39:35:40:48:1c

log file occurrences:

fingerbank.log - 2881

pfdhcplistener.log - 10

packetfence.org - 7


Re: [PacketFence-users] Updating fingerbank db?

2018-06-26 Thread Julien Semaan via PacketFence-users
I'd check in the pfdhcplistener.log and packetfence.log if you see 
multiple occurrences of this MAC address and what type of traffic is 
driving this high usage of Fingerbank. Very likely to be this device 
performing DHCP extremely often.


Cheers!

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2018-06-26 03:22 PM, Steve Pfister wrote:
If we end up putting this in production use, and it looks like that 
may be likely, we'll most likely be getting a support contract.


On the device profiling, the only thing I'm not clear on is this. Here 
is an example line:


Jun 26 19:10:45 PacketFence-ZEN fingerbank-collector: [GIN] 2018/06/26 - 19:10:45 | 200 | 118.321µs | 127.0.0.1 | GET /endpoint_data/b4:b5:2f:d4:be:8d


The end of the GET statement appears to be a MAC address. If you 
search this one log file, I find 35129 occurrences in this one log 
file alone. Should there be that many?


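Following the advice above to find which MAC address is driving the Fingerbank lookups, this added example (not from the thread and not PacketFence code) tallies `GET /endpoint_data/<mac>` entries per MAC and per hour. It assumes one log entry per line in the format quoted above; the function names, the threshold and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# One fingerbank-collector access-log entry per line, in the format quoted in
# the thread. Column padding around the '|' separators is allowed to vary.
GIN_LINE = re.compile(
    r"fingerbank-collector: \[GIN\]\s+"
    r"(?P<date>\d{4}/\d{2}/\d{2}) - (?P<hour>\d{2}):\d{2}:\d{2}\s*\|"
    r"\s*(?P<status>\d{3})\s*\|[^|]*\|\s*(?P<client>[^|\s]+)\s*\|"
    r"\s*(?P<method>[A-Z]+)\s+/endpoint_data/"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?=\s|$)"
)


def parse_line(line):
    """Return the fields of an endpoint_data lookup, or None for other lines."""
    m = GIN_LINE.search(line)
    if m is None:
        return None
    return {
        "mac": m.group("mac").lower(),
        "bucket": f"{m.group('date')} {m.group('hour')}",  # one bucket per hour
        "status": int(m.group("status")),
        "client": m.group("client"),
    }


def totals(lines):
    """Total lookups per MAC over the whole input."""
    return Counter(rec["mac"] for rec in map(parse_line, lines) if rec)


def hourly_counts(lines):
    """Map each MAC to a Counter of lookups per hour bucket."""
    buckets = defaultdict(Counter)
    for rec in map(parse_line, lines):
        if rec:
            buckets[rec["mac"]][rec["bucket"]] += 1
    return buckets


def noisy_macs(lines, per_hour_threshold):
    """MACs whose busiest hour reaches the threshold, busiest first.

    per_hour_threshold is a hypothetical tuning value chosen by the operator;
    the thread does not state the actual API hourly limit.
    """
    flagged = []
    for mac, hours in hourly_counts(lines).items():
        bucket, count = hours.most_common(1)[0]
        if count >= per_hour_threshold:
            flagged.append((mac, bucket, count))
    return sorted(flagged, key=lambda row: (-row[2], row[0]))


# The line quoted in the thread, verbatim.
PAGE_LINE = (
    "Jun 26 19:10:45 PacketFence-ZEN fingerbank-collector: [GIN] "
    "2018/06/26 - 19:10:45 | 200 | 118.321µs | 127.0.0.1 | "
    "GET /endpoint_data/b4:b5:2f:d4:be:8d"
)


def _constructed(hms, mac):
    """Build a constructed sample line (not real log data)."""
    return (
        f"Jun 26 {hms} PacketFence-ZEN fingerbank-collector: [GIN] "
        f"2018/06/26 - {hms} | 200 | 101.000µs | 127.0.0.1 | "
        f"GET /endpoint_data/{mac}"
    )


# Constructed sample: one chatty device, one quiet device, two unrelated lines.
SAMPLE_LOG = [
    PAGE_LINE,
    *[_constructed(f"19:10:{s:02d}", "02:00:00:00:00:01") for s in range(46, 52)],
    *[_constructed(f"20:00:{s:02d}", "02:00:00:00:00:01") for s in range(0, 2)],
    _constructed("19:30:00", "02:00:00:00:00:02"),
    # Same daemon, different route: must not be counted as a lookup.
    "Jun 26 19:10:45 PacketFence-ZEN fingerbank-collector: [GIN] "
    "2018/06/26 - 19:10:45 | 404 | 50.000µs | 127.0.0.1 | GET /unknown",
    # Different daemon entirely (constructed).
    "Jun 26 19:10:46 PacketFence-ZEN pfdhcplistener: constructed unrelated line",
]

if __name__ == "__main__":
    for mac, bucket, count in noisy_macs(SAMPLE_LOG, per_hour_threshold=5):
        print(f"{mac} peaked at {count} lookups in hour {bucket}")
```

On a real server the same functions can be fed the open log file object directly, since they only iterate over lines.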

Re: [PacketFence-users] Updating fingerbank db?

2018-06-26 Thread Julien Semaan via PacketFence-users
Likely, PacketFence is seeing DHCP traffic from your production networks 
which trigger device profiling.


You could obtain unlimited access to the API by having a valid support 
contract with Inverse


The available options are documented here: http://inverse.ca/#support-plans

It is recommended to have one if you're using PacketFence on a 
production network, and it does also encourage the project to have one.


Best Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2018-06-26 02:07 PM, Steve Pfister wrote:
I see... thank you. Do you know why we're getting frequent emails 
about exceeding the API hourly limit? The server isn't in production 
use yet, just a test user or two. The fingerbank.log file for today 
has 235K lines in it already, after around 14 hours.




Re: [PacketFence-users] Updating fingerbank db?

2018-06-26 Thread Julien Semaan via PacketFence-users
Ownership is fine this way, pf is part of the fingerbank group so when 
the PacketFence processes start writing/updating the files after they're 
installed, it takes ownership of them.


As for the Local DB, it contains the overrides you create, so unless 
you're creating Fingerbank combinations on your PF server to override 
what Fingerbank would return, then this will not see much action.


Best Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2018-06-26 01:53 PM, Steve Pfister wrote:
Thank you for your response. All the *.db files in that directory are 
updating now, except for fingerbank_Local.db. That file is the only 
*.db file with owner and group set to fingerbank. Should that be the 
way it's set, or should it be root or pf, like the others?




Re: [PacketFence-users] Updating fingerbank db?

2018-06-26 Thread Julien Semaan via PacketFence-users

Hi Steve,

We managed to track this down to a recent issue with the update of 
api.fingerbank.org


We have corrected the issue upstream, it should start updating again 
automatically.


Also, I confirmed I'm able to get a confirmation email. In the event it's 
not working for you, I would say your PF server isn't configured 
correctly to send emails. Note that these are sent to the alerting email 
address in PacketFence.


Best Regards,

- Julien

On 2018-06-26 10:13 AM, Steve Pfister via PacketFence-users wrote:
The Fingerbank settings have an option 'Update Fingerbank DB'. This 
doesn't appear to be doing anything. It says something about an email 
which is never received and our /usr/local/fingerbank/db directory 
looks like:


drwxrwxr-x. 3 fingerbank fingerbank      264 Jun 26 14:11 .
drwxrwxr-x. 9 fingerbank fingerbank      150 Jun 26 13:55 ..
-rw-r--r--  1 root       root        4541212 Jun 26 14:11 collector_endpoints.db
-rw-r--r--  1 root       root         123381 Jun 26 14:11 collector_ip_maps.db
-rw-rw-r--. 1 fingerbank fingerbank    33792 May  9 18:14 fingerbank_Local.db
-rw-rw-r--  1 fingerbank fingerbank 21027840 Apr 25 21:54 fingerbank_Upstream.db
-rw-r--r--  1 pf         pf         23364608 Jun  8 13:29 fingerbank_Upstream.db_20180608_132952
-rw-r--r--  1 pf         pf         23364608 Jun  8 13:38 fingerbank_Upstream.db_20180608_133816
-rw-rw-r--  1 fingerbank fingerbank       98 Apr 25 21:54 .gitignore
drwxrwsr-x. 2 fingerbank fingerbank     4096 Jun 26 13:55 upgrade
-rwxrwxr-x  1 fingerbank fingerbank     2253 Apr 25 21:54 upgrade.pl

Does this look normal?




Re: [PacketFence-users] Re: The lack of "DRS_EXT_NONDOMAIN_NCS" parameter caused AD server reboot

2018-03-22 Thread Julien Semaan via PacketFence-users

Hi Yan,

Thanks for the very detailed explanations, not sure we could have got 
there ourselves without the support seeing how advanced the 
troubleshooting was.


I've opened an issue to get this bug more "official" and tracked in our 
official BTS.


That will be included in PacketFence 8.0, and I'll be backporting this 
in the maintenance patches of all 7.x versions


Cheers!

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2018-03-22 02:50 AM, Yan wrote:

Hi Julien,

First of all thank you very much for your fix. Our developer also fixed 
the dump script in the same way as you provided but your reply makes 
us feel more relieved.
About the root cause of this issue, it's detected by Microsoft 
support. And I asked him to offer the method and related documents as 
below.

Just FYI. Thank you.

About the method to trace the issue, refer to below steps:

1. Configure WER in the Lsass.exe process to dump the crash info when the 
crash happens.

Reg Add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /f
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /V DumpFolder /t REG_SZ /D "C:\CrashDumps" /f
MD C:\CrashDumps
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /V DumpType /t REG_DWORD /D 2 /f
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /V DumpCount /t REG_DWORD /D 10 /f

2. After you have the dump file, check the dump stack. You can use 
"Windbg" or Microsoft public tool "Public Symbol".

Windbg: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

Symbol: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/microsoft-public-symbols

3. If you find your issue stack is similar to the one attached below, then it 
might be the same issue.


0:060> kc
# Call Site
00 ntdll!ZwWaitForMultipleObjects
01 KERNELBASE!WaitForMultipleObjectsEx
02 KERNELBASE!WaitForMultipleObjects
03 kernel32!WerpReportFaultInternal
04 kernel32!WerpReportFault
05 KERNELBASE!UnhandledExceptionFilter
06 ntdll!TppExceptionFilter
07 ntdll!TppWorkerpInnerExceptionFilter
08 ntdll!TppWorkerThread$filt$5
09 ntdll!__C_specific_handler
0a ntdll!__GSHandlerCheck_SEH
0b ntdll!RtlpExecuteHandlerForException
0c ntdll!RtlDispatchException
0d ntdll!KiUserExceptionDispatch
0e ntdsai!draXlateNativeReplyToOutboundReply
0f ntdsai!IDL_DRSGetNCChanges
10 rpcrt4!Invoke
11 rpcrt4!NdrStubCall2
12 rpcrt4!NdrServerCall2
13 rpcrt4!DispatchToStubInCNoAvrf
14 rpcrt4!RPC_INTERFACE::DispatchToStubWorker
15 rpcrt4!RPC_INTERFACE::DispatchToStub
16 rpcrt4!OSF_SCALL::DispatchHelper
17 rpcrt4!OSF_SCALL::DispatchRPCCall
18 rpcrt4!OSF_SCALL::ProcessReceivedPDU
19 rpcrt4!OSF_SCALL::BeginRpcCall
1a rpcrt4!OSF_SCONNECTION::ProcessReceiveComplete
1b rpcrt4!ProcessConnectionServerReceivedEvent
1c rpcrt4!DispatchIOHelper
1d rpcrt4!CO_ConnectionThreadPoolCallback
1e KERNELBASE!BasepTpIoCallback
1f ntdll!TppIopExecuteCallback
20 ntdll!TppWorkerThread
21 kernel32!BaseThreadInitThunk
22 ntdll!RtlUserThreadStart


As for a more specific reason, you might have to analyze the source 
code to trace it. This issue only happens in some specific conditions. 
Normally if the replication request is from pure Windows (and after 
Win2000), it won't cause this crash issue.


Finally we don't have any public documents talking about this issue, 
but I find some documents related to DRSGetNCChanges.


4.1.10 IDL_DRSGetNCChanges (Opnum 3)

https://msdn.microsoft.com/en-us/library/dd207691.aspx

5.39 DRS_EXTENSIONS_INT

https://msdn.microsoft.com/en-us/library/cc228475.aspx





Re: [PacketFence-users] Re: The lack of "DRS_EXT_NONDOMAIN_NCS" parameter caused AD server reboot

2018-03-21 Thread Julien Semaan via PacketFence-users

Hi Yan,

Actually this was easier to fix than I expected.

Here is the link to the patch:
https://github.com/inverse-inc/packetfence/commit/123dc79e7b8e72952a5963caebbbfd151947855e.diff

I tested it and I'm still able to perform the sync with the updated 
script, we'll have to see if the MSFT segfault problematic returns.


Best Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2018-03-21 08:22 AM, Julien Semaan wrote:

Hi Yan,

First of all, thanks a lot for this very advanced troubleshooting. We 
tried without success to get this problem reported to Microsoft by our 
users.


For my personal curiosity, did you get this issue looked at through 
Microsoft support directly? Or through a developers list they have?
If it's the latter, I'd like to know if you could share the location of 
that post.


Now, for getting that fixed...

With what you've provided, it seems we only need to add 
drsuapi.DRS_EXT_NONDOMAIN_NCS in the dwFlags inside secretsdump.py


I will perform a test to make sure the script still works with that 
and then I'll post a link to the Github PR here so that you can patch 
the environment.


I'm expecting the fix to be quite simple, what will likely be long is 
the test which I should be able to complete before tomorrow (in N-A)


Best Regards,

- Julien Semaan

On 2018-03-19 11:52 PM, Yan via PacketFence-users wrote:
Sorry for my typo, the issue script is not 
/usr/lib/python2.7/site-packages/impacket/dcerpc/v5/drsuapi.py, it's 
/usr/local/pf/addons/AD/secretsdump.py. This script lacked the 
"DRS_EXT_NONDOMAIN_NCS" flag when sending replication to the AD server 
and caused the AD server to reboot. Hope for your reply.





Re: [PacketFence-users] Re: The lack of "DRS_EXT_NONDOMAIN_NCS" parameter caused AD server reboot

2018-03-21 Thread Julien Semaan via PacketFence-users

Hi Yan,

First of all, thanks a lot for this very advanced troubleshooting. We 
tried without success to get this problem reported to Microsoft by our 
users.


For my personal curiosity, did you get this issue looked at through 
Microsoft support directly? Or through a developers list they have?
If it's the latter, I'd like to know if you could share the location of 
that post.


Now, for getting that fixed...

With what you've provided, it seems we only need to add 
drsuapi.DRS_EXT_NONDOMAIN_NCS in the dwFlags inside secretsdump.py


I will perform a test to make sure the script still works with that and 
then I'll post a link to the Github PR here so that you can patch the 
environment.


I'm expecting the fix to be quite simple, what will likely be long is 
the test which I should be able to complete before tomorrow (in N-A)


Best Regards,

- Julien Semaan

On 2018-03-19 11:52 PM, Yan via PacketFence-users wrote:
Sorry for my typo, the issue script is not 
/usr/lib/python2.7/site-packages/impacket/dcerpc/v5/drsuapi.py, it's 
/usr/local/pf/addons/AD/secretsdump.py. This script lacked the 
"DRS_EXT_NONDOMAIN_NCS" flag when sending replication to the AD server 
and caused the AD server to reboot. Hope for your reply.





Re: [PacketFence-users] Why pfsso restarts itself recently ?

2017-12-22 Thread Julien Semaan via PacketFence-users

Ah,

I think I might guess what is happening, the new file is lacking the 
executable bit.


Do this before restarting the process:
# chmod +x /usr/local/pf/bin/pfhttpd

On 2017-12-22 07:33 AM, Julien Semaan via PacketFence-users wrote:

Hi Yan,

Could you do it again, but then, providing the output of this command 
after doing it so I have more context

# journalctl -u packetfence-pfsso --since="5 minutes ago"

Thanks,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


On 2017-12-21 09:20 PM, Yan wrote:


Hi Semaan,

I tried below steps on my backup pf server as you said but with no 
luck...When I issue "systemctl restart packetfence-pfsso" it failed. 
Below is related logs. Appreciate your reply.



[root@pf-wensi ~]# mv /usr/local/pf/bin/pfhttpd /usr/local/pf/bin/pfhttpd.bak20171222
[root@pf-wensi ~]# curl https://support.inverse.ca/~jsemaan/pfhttpd-2841> /usr/local/pf/bin/pfhttpd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18.5M  100 18.5M    0     0  1068k      0  0:00:17  0:00:17 --:--:-- 1396k

[root@pf-wensi ~]# systemctl restart packetfence-pfsso
Job for packetfence-pfsso.service failed because the control process exited with error code. See "systemctl status packetfence-pfsso.service" and "journalctl -xe" for details.

[root@pf-wensi ~]# systemctl status packetfence-pfsso.service
● packetfence-pfsso.service - PacketFence PFSSO Service
   Loaded: loaded (/usr/lib/systemd/system/packetfence-pfsso.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since 五 2017-12-22 09:58:24 CST; 1min 7s ago
  Process: 8423 ExecStart=/usr/local/pf/bin/pfhttpd -conf /usr/local/pf/conf/caddy-services/pfsso.conf -log-name pfsso (code=exited, status=203/EXEC)
 Main PID: 8423 (code=exited, status=203/EXEC)

12月 22 09:58:23 pf-wensi systemd[1]: Failed to start PacketFence PFSSO Service.
12月 22 09:58:23 pf-wensi systemd[1]: Unit packetfence-pfsso.service entered failed state.
12月 22 09:58:23 pf-wensi systemd[1]: packetfence-pfsso.service failed.
12月 22 09:58:24 pf-wensi systemd[1]: packetfence-pfsso.service holdoff time over, scheduling restart.
12月 22 09:58:24 pf-wensi systemd[1]: start request repeated too quickly for packetfence-pfsso.service
12月 22 09:58:24 pf-wensi systemd[1]: Failed to start PacketFence PFSSO Service.
12月 22 09:58:24 pf-wensi systemd[1]: Unit packetfence-pfsso.service entered failed state.
12月 22 09:58:24 pf-wensi systemd[1]: packetfence-pfsso.service failed.
Hint: Some lines were ellipsized, use -l to show in full.


packetfence.log
Dec 22 10:00:51 pf-wensi pfhttpd: http://localhost:8777
Dec 22 10:00:51 pf-wensi pfsso[9309]: t=2017-12-22T10:00:51+0800 lvl=dbug msg="Resource is not valid anymore. Was loaded at 0001-01-01 00:00:00 + UTC" pid=9309 PfconfigObject=element|interfaces::management_network
Dec 22 10:00:51 pf-wensi pfsso[9309]: t=2017-12-22T10:00:51+0800 lvl=dbug msg="Resource is not valid anymore. Was loaded at 0001-01-01 00:00:00 + UTC" pid=9309 PfconfigObject=keys|config::Firewall_SSO
Dec 22 10:00:51 pf-wensi pfsso[9309]: t=2017-12-22T10:00:51+0800 lvl=dbug msg="Resource is not valid anymore. Was loaded at 0001-01-01 00:00:00 + UTC" pid=9309

Dec 22 10:00:51 pf-wensi pfhttpd: Using configured prefix: pfsso
Dec 22 10:00:51 pf-wensi pfhttpd: Using configured statsd protocol: udp
Dec 22 10:00:51 pf-wensi pfhttpd: Using configuration set log level: INFO
Dec 22 10:00:51 pf-wensi pfhttpd: Activating privacy features... done.


-- Original --
*From:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Date:* ,12月 21,2017 23:48
*To:* Julien Semaan <jsem...@inverse.ca>, packetfence-users 
<packetfence-users@lists.sourceforge.net>

*Cc:* Yan <1136723...@qq.com>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?


Hi Semaan,
My pf version is 7.3. My config file is as below. I just use syslog 
feature to send ip user mapping info to palo alto firewall. I don't 
need to do sso via PF.


/usr/local/pf/conf/firewall_sso.con
[172.23.4.14]
transport=syslog
categories=default,employees
vsys=1
networks=172.0.0.0/8,10.97.0.0/16
port=443
cache_updates=0
username_format=$username
type=PaloAlto
cache_timeout=0

[172.22.3.13]
transport=syslog
categories=default,employees
vsys=1
networks=172.24.0.0/16
cache_timeout=0
port=443
cache_updates=0
username_format=$username
type=PaloAlto
#[192.168.1.254]
#type=FortiGate
#password=s3cr3t
#port=1813
#[192.168.1.253]
#type=Pa
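
The failure discussed in this thread (a binary written through `curl ... >` ends up without the execute bit, and systemd reports status=203/EXEC) can be avoided by staging the replacement with the old file's mode before swapping it in. The following is an added example, not part of the original messages and not PacketFence code; `naive_replace`, `replace_binary` and `REPLACE_BACKUP` are hypothetical names, and the optional SHA-256 is assumed to be a digest the operator obtained from the publisher out of band.

```shell
#!/bin/sh
# Added example, not PacketFence code. naive_replace, replace_binary and
# REPLACE_BACKUP are hypothetical names; all paths are supplied by the caller.

# The sequence used in the thread: move the old binary away, then write the
# download through a shell redirect. The redirect creates a new file with
# mode 0666 & ~umask, so it has no execute bit and systemd's ExecStart fails
# with status=203/EXEC.
naive_replace() {
    new=$1; target=$2
    mv "$target" "$target.bak" || return 1
    cat "$new" > "$target"
}

# replace_binary NEW TARGET [SHA256]
# Swap TARGET for NEW while keeping TARGET's mode (and owner, when run as
# root). Returns 0 on success, 2 on missing input, 3 on checksum mismatch,
# 4 on copy failure, 5 if the staged file is not executable.
replace_binary() {
    new=$1; target=$2; want_sha=${3:-}
    [ -f "$new" ] && [ -f "$target" ] || { echo "missing input file" >&2; return 2; }

    # Optional integrity check against a digest obtained out of band.
    if [ -n "$want_sha" ]; then
        got=$(sha256sum "$new" 2>/dev/null | cut -d' ' -f1)
        [ "$got" = "$want_sha" ] || { echo "sha256 mismatch for $new" >&2; return 3; }
    fi

    staged="$target.new.$$"
    REPLACE_BACKUP="$target.bak$(date +%Y%m%d%H%M%S)"

    # cp -p clones the old binary's mode and owner; the redirect then
    # overwrites only the content, so the staged file keeps the execute bit.
    cp -p "$target" "$staged" && cat "$new" > "$staged" || { rm -f "$staged"; return 4; }

    # Refuse to go live with something the service manager cannot exec.
    [ -x "$staged" ] || { echo "$staged is not executable" >&2; rm -f "$staged"; return 5; }

    # Keep a timestamped copy of the old binary for rollback.
    cp -p "$target" "$REPLACE_BACKUP" || { rm -f "$staged"; return 4; }

    # rename(2) within one directory is atomic: the service never sees a
    # half-written or missing binary.
    mv -f "$staged" "$target"
}
```

Restart the service only if `replace_binary` returns 0; on any other return code the original binary is still in place.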

Re: [PacketFence-users] Why pfsso restarts itself recently ?

2017-12-22 Thread Julien Semaan via PacketFence-users

Hi Yan,

Could you do it again, but then, providing the output of this command 
after doing it so I have more context

# journalctl -u packetfence-pfsso --since="5 minutes ago"

Thanks,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2017-12-21 09:20 PM, Yan wrote:


Hi Semaan,

I tried below steps on my backup pf server as you said but with no 
luck...When I issue "systemctl restart packetfence-pfsso" it failed. 
Below is related logs. Appreciate your reply.



[root@pf-wensi ~]# mv /usr/local/pf/bin/pfhttpd /usr/local/pf/bin/pfhttpd.bak20171222
[root@pf-wensi ~]# curl https://support.inverse.ca/~jsemaan/pfhttpd-2841> /usr/local/pf/bin/pfhttpd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18.5M  100 18.5M    0     0  1068k      0  0:00:17  0:00:17 --:--:-- 1396k

[root@pf-wensi ~]# systemctl restart packetfence-pfsso
Job for packetfence-pfsso.service failed because the control process exited with error code. See "systemctl status packetfence-pfsso.service" and "journalctl -xe" for details.

[root@pf-wensi ~]# systemctl status packetfence-pfsso.service
● packetfence-pfsso.service - PacketFence PFSSO Service
   Loaded: loaded (/usr/lib/systemd/system/packetfence-pfsso.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since 五 2017-12-22 09:58:24 CST; 1min 7s ago
  Process: 8423 ExecStart=/usr/local/pf/bin/pfhttpd -conf /usr/local/pf/conf/caddy-services/pfsso.conf -log-name pfsso (code=exited, status=203/EXEC)
 Main PID: 8423 (code=exited, status=203/EXEC)

12月 22 09:58:23 pf-wensi systemd[1]: Failed to start PacketFence PFSSO Service.
12月 22 09:58:23 pf-wensi systemd[1]: Unit packetfence-pfsso.service entered failed state.
12月 22 09:58:23 pf-wensi systemd[1]: packetfence-pfsso.service failed.
12月 22 09:58:24 pf-wensi systemd[1]: packetfence-pfsso.service holdoff time over, scheduling restart.
12月 22 09:58:24 pf-wensi systemd[1]: start request repeated too quickly for packetfence-pfsso.service
12月 22 09:58:24 pf-wensi systemd[1]: Failed to start PacketFence PFSSO Service.
12月 22 09:58:24 pf-wensi systemd[1]: Unit packetfence-pfsso.service entered failed state.
12月 22 09:58:24 pf-wensi systemd[1]: packetfence-pfsso.service failed.
Hint: Some lines were ellipsized, use -l to show in full.


packetfence.log
Dec 22 10:00:51 pf-wensi pfhttpd: http://localhost:8777
Dec 22 10:00:51 pf-wensi pfsso[9309]: t=2017-12-22T10:00:51+0800 lvl=dbug msg="Resource is not valid anymore. Was loaded at 0001-01-01 00:00:00 + UTC" pid=9309 PfconfigObject=element|interfaces::management_network
Dec 22 10:00:51 pf-wensi pfsso[9309]: t=2017-12-22T10:00:51+0800 lvl=dbug msg="Resource is not valid anymore. Was loaded at 0001-01-01 00:00:00 + UTC" pid=9309 PfconfigObject=keys|config::Firewall_SSO
Dec 22 10:00:51 pf-wensi pfsso[9309]: t=2017-12-22T10:00:51+0800 lvl=dbug msg="Resource is not valid anymore. Was loaded at 0001-01-01 00:00:00 + UTC" pid=9309

Dec 22 10:00:51 pf-wensi pfhttpd: Using configured prefix: pfsso
Dec 22 10:00:51 pf-wensi pfhttpd: Using configured statsd protocol: udp
Dec 22 10:00:51 pf-wensi pfhttpd: Using configuration set log level: INFO
Dec 22 10:00:51 pf-wensi pfhttpd: Activating privacy features... done.


-- Original --
*From:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Date:* ,12月 21,2017 23:48
*To:* Julien Semaan <jsem...@inverse.ca>, packetfence-users 
<packetfence-users@lists.sourceforge.net>

*Cc:* Yan <1136723...@qq.com>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?


Hi Semaan,
My pf version is 7.3. My config file is as below. I just use syslog 
feature to send ip user mapping info to palo alto firewall. I don't 
need to do sso via PF.


/usr/local/pf/conf/firewall_sso.con
[172.23.4.14]
transport=syslog
categories=default,employees
vsys=1
networks=172.0.0.0/8,10.97.0.0/16
port=443
cache_updates=0
username_format=$username
type=PaloAlto
cache_timeout=0

[172.22.3.13]
transport=syslog
categories=default,employees
vsys=1
networks=172.24.0.0/16
cache_timeout=0
port=443
cache_updates=0
username_format=$username
type=PaloAlto
#[192.168.1.254]
#type=FortiGate
#password=s3cr3t
#port=1813
#[192.168.1.253]
#type=PaloAlto
#key=
# Specific to the PaloAlto firewall , you must use a username and 
password to fetch the key to use (see PaloAlto documentation).


-- Original --
*From:* Julien Semaan <jsem...@inverse.ca&g

Re: [PacketFence-users] Why pfsso restarts itself recently ?

2017-12-21 Thread Julien Semaan via PacketFence-users

Hi Yan,

Turns out the issue was easier to replicate than expected and even 
better, the fix was easier than expected.


I've uploaded a new binary with the fix here:
https://support.inverse.ca/~jsemaan/pfhttpd

Here is how to apply the fix:
# mv /usr/local/pf/bin/pfhttpd /usr/local/pf/bin/pfhttpd.bak
# curl https://support.inverse.ca/~jsemaan/pfhttpd-2841 > /usr/local/pf/bin/pfhttpd

# systemctl restart packetfence-pfsso

If it fails to start, revert to the previous pfhttpd and let me know the 
errors in journalctl


This will be part of 7.4 so no need to worry about it for your future 
upgrade


Best Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2017-12-21 10:53 AM, Yan wrote:

Glad to hear that. Thank you so much. Waiting for your good news.


-- Original --
*From:* Julien Semaan <jsem...@inverse.ca>
*Date:* ,12月 21,2017 23:51
*To:* Yan <1136723...@qq.com>, packetfence-users 
<packetfence-users@lists.sourceforge.net>

*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

Hi Yan,

That config confirms my theory, having user/IP mapping sent to your 
firewall is what we call SSO in PacketFence so you're technically 
doing it.


I've opened the following Github issue to track this problem:
https://github.com/inverse-inc/packetfence/issues/2847

I should be able to provide resolution before the end of the week and 
will update the mailing list + the Github issue


Best Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


On 2017-12-21 10:48 AM, Yan wrote:


Hi Semaan,
My pf version is 7.3. My config file is as below. I just use syslog 
feature to send ip user mapping info to palo alto firewall. I don't 
need to do sso via PF.


/usr/local/pf/conf/firewall_sso.con
[172.23.4.14]
transport=syslog
categories=default,employees
vsys=1
networks=172.0.0.0/8,10.97.0.0/16
port=443
cache_updates=0
username_format=$username
type=PaloAlto
cache_timeout=0

[172.22.3.13]
transport=syslog
categories=default,employees
vsys=1
networks=172.24.0.0/16
cache_timeout=0
port=443
cache_updates=0
username_format=$username
type=PaloAlto
#[192.168.1.254]
#type=FortiGate
#password=s3cr3t
#port=1813
#[192.168.1.253]
#type=PaloAlto
#key=
# Specific to the PaloAlto firewall , you must use a username and 
password to fetch the key to use (see PaloAlto documentation).


-- Original ------
*From:* Julien Semaan <jsem...@inverse.ca>
*Date:* ,12月 21,2017 23:36
*To:* Yan <1136723...@qq.com>, packetfence-users 
<packetfence-users@lists.sourceforge.net>

*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

I have a theory of what could be happening.

Seems like the formatting of the usernames might be causing issues 
with multiple firewalls which you do seems to have.


Could you send me your /usr/local/pf/conf/firewall_sso.conf (with 
obfuscated secrets obviously)


Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


On 2017-12-21 10:24 AM, Yan wrote:

It's the latest version, V7.3.


-- Original --
*From:* Julien Semaan <jsem...@inverse.ca>
*Date:* ,12月 21,2017 23:23
*To:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Cc:* Yan <1136723...@qq.com>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

Hi Yan,

Could you provide your PacketFence version?

Thanks

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


On 2017-12-21 09:56 AM, Yan via PacketFence-users wrote:

Hi Fabrice,

Just after I sent out the mail, pfsso restarted again. I checked for a 
long time to detect the exact stop time but did not find any obvious 
log saying pfsso stopped. But I found the suspicious logs below that might 
be related to the pfsso restart, and the time is closely related to the alert time.



-- Original --
*From:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Date:* ,12月 21,2017 21:36
*To:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Cc:* Fabrice Durand <fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

Hello Yan,

can you have a look in journalctl when pfsso restart ? (and give me 
the log please)


Regards

Fabrice



On 2017-12-21 at 08:26, Yan via PacketFence-users wrote:

Hi users,

Recently the pfsso service on our PF system always shutting down 
suddenly and then about one or two minutes it start 

Re: [PacketFence-users] Why pfsso restarts itself recently ?

2017-12-21 Thread Julien Semaan via PacketFence-users

Hi Yan,

That config confirms my theory, having user/IP mapping sent to your 
firewall is what we call SSO in PacketFence so you're technically doing it.


I've opened the following Github issue to track this problem:
https://github.com/inverse-inc/packetfence/issues/2847

I should be able to provide resolution before the end of the week and 
will update the mailing list + the Github issue


Best Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2017-12-21 10:48 AM, Yan wrote:


Hi Semaan,
My pf version is 7.3. My config file is as below. I just use syslog 
feature to send ip user mapping info to palo alto firewall. I don't 
need to do sso via PF.


/usr/local/pf/conf/firewall_sso.con
[172.23.4.14]
transport=syslog
categories=default,employees
vsys=1
networks=172.0.0.0/8,10.97.0.0/16
port=443
cache_updates=0
username_format=$username
type=PaloAlto
cache_timeout=0

[172.22.3.13]
transport=syslog
categories=default,employees
vsys=1
networks=172.24.0.0/16
cache_timeout=0
port=443
cache_updates=0
username_format=$username
type=PaloAlto
#[192.168.1.254]
#type=FortiGate
#password=s3cr3t
#port=1813
#[192.168.1.253]
#type=PaloAlto
#key=
# Specific to the PaloAlto firewall , you must use a username and 
password to fetch the key to use (see PaloAlto documentation).


-- Original --
*From:* Julien Semaan <jsem...@inverse.ca>
*Date:* ,12月 21,2017 23:36
*To:* Yan <1136723...@qq.com>, packetfence-users 
<packetfence-users@lists.sourceforge.net>

*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

I have a theory of what could be happening.

Seems like the formatting of the usernames might be causing issues 
with multiple firewalls which you do seems to have.


Could you send me your /usr/local/pf/conf/firewall_sso.conf (with 
obfuscated secrets obviously)


Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


On 2017-12-21 10:24 AM, Yan wrote:

It's the latest version, V7.3.


-- Original ------
*From:* Julien Semaan <jsem...@inverse.ca>
*Date:* ,12月 21,2017 23:23
*To:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Cc:* Yan <1136723...@qq.com>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

Hi Yan,

Could you provide your PacketFence version?

Thanks

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


On 2017-12-21 09:56 AM, Yan via PacketFence-users wrote:

Hi Fabrice,

Just after I sent out the mail, pfsso restarted again. I checked for a 
long time to detect the exact stop time but did not find any obvious 
log saying pfsso stopped. But I found the suspicious logs below that might 
be related to the pfsso restart, and the time is closely related to the alert time.



-- Original --
*From:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Date:* ,12月 21,2017 21:36
*To:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Cc:* Fabrice Durand <fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

Hello Yan,

can you have a look in journalctl when pfsso restart ? (and give me 
the log please)


Regards

Fabrice



On 2017-12-21 at 08:26, Yan via PacketFence-users wrote:

Hi users,

Recently the pfsso service on our PF system is always shutting down 
suddenly and then after about one or two minutes it starts again without 
any help. Below is our monitor log from zabbix. Why would pf 
restart pfsso automatically? There's no issue with other features 
so I don't know if I should do anything?






--
Fabrice Durand
fdur...@inverse.ca  ::  +1.514.447.4918 (x135) ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and 
PacketFence (http://packetfence.org)




Re: [PacketFence-users] Why pfsso restarts itself recently ?

2017-12-21 Thread Julien Semaan via PacketFence-users

I have a theory of what could be happening.

Seems like the formatting of the usernames might be causing issues with 
multiple firewalls which you do seems to have.


Could you send me your /usr/local/pf/conf/firewall_sso.conf (with 
obfuscated secrets obviously)


Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2017-12-21 10:24 AM, Yan wrote:

It's the latest version, V7.3.


-- Original --
*From:* Julien Semaan <jsem...@inverse.ca>
*Date:* ,12月 21,2017 23:23
*To:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Cc:* Yan <1136723...@qq.com>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

Hi Yan,

Could you provide your PacketFence version?

Thanks

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


On 2017-12-21 09:56 AM, Yan via PacketFence-users wrote:

Hi Fabrice,

Just after I sent out the mail, pfsso restarted again. I checked for a 
long time to detect the exact stop time but did not find any obvious log 
saying pfsso stopped. But I found the suspicious logs below that might be related 
to the pfsso restart, and the time is closely related to the alert time.



-- Original --
*From:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Date:* ,12月 21,2017 21:36
*To:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Cc:* Fabrice Durand <fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

Hello Yan,

can you have a look in journalctl when pfsso restart ? (and give me 
the log please)


Regards

Fabrice



On 2017-12-21 at 08:26, Yan via PacketFence-users wrote:

Hi users,

Recently the pfsso service on our PF system is always shutting down 
suddenly and then after about one or two minutes it starts again without 
any help. Below is our monitor log from zabbix. Why would pf restart 
pfsso automatically? There's no issue with other features so I 
don't know if I should do anything?






--
Fabrice Durand
fdur...@inverse.ca  ::  +1.514.447.4918 (x135) ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and 
PacketFence (http://packetfence.org)




Re: [PacketFence-users] Why pfsso restarts itself recently ?

2017-12-21 Thread Julien Semaan via PacketFence-users

Hi Yan,

Could you provide your PacketFence version?

Thanks

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 2017-12-21 09:56 AM, Yan via PacketFence-users wrote:

Hi Fabrice,

Just after I sent out the mail, pfsso restarted again. I checked for a 
long time to detect the exact stop time but did not find any obvious log 
saying pfsso stopped. But I found the suspicious logs below that might be related 
to the pfsso restart, and the time is closely related to the alert time.



-- Original --
*From:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Date:* ,12月 21,2017 21:36
*To:* packetfence-users <packetfence-users@lists.sourceforge.net>
*Cc:* Fabrice Durand <fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] Why pfsso restarts itself recently ?

Hello Yan,

can you have a look in journalctl when pfsso restart ? (and give me 
the log please)


Regards

Fabrice



Le 2017-12-21 ?? 08:26, Yan via PacketFence-users a ??crit :

Hi users,

Recently the pfsso service on our PF system keeps shutting down 
suddenly and then after about one or two minutes it starts again without any 
help. Below is our monitor log from zabbix. Why would pf restart 
pfsso automatically? There's no issue with other features so I don't 
know if I should do anything?






--
Fabrice Durand
fdur...@inverse.ca  ::  +1.514.447.4918 (x135)  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




Re: [PacketFence-users] Error in saving new billing source

2016-12-16 Thread Julien Semaan

Hi Rolando,

What is a Pms source ?

That looks like you started creating your own billing module.

If so, then I can't know what you are doing wrong.

Just as a warning, if you start coding your own stuff in PacketFence, I 
suggest you have strong programming skills and a good understanding of Perl.


Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 12/15/2016 10:53 PM, Rolando Palencia wrote:

Hi,

I got this from log httpd.admin.error when saving.

ERROR: Caught exception in
pfappserver::Controller::Config::Authentication::Source->update
"Attribute (local_account_logins) does not pass the type constraint
because: Validation failed for 'Str' with value undef at accessor
pf::Authentication::Source::PmsSource::local_account_logins (defined at
/usr/local/pf/lib/pf/Authentication/CreateLocalAccountRole.pm line 17)
line 4.
pf::Authentication::Source::PmsSource::local_account_logins('pf::Authentication::Source::PmsSource=HASH(0x7f49cb33c458)',
undef) called at
/usr/local/pf/html/pfappserver/lib/pfappserver/Model/Authentication/Source.pm
line 57

I hope you can help me.

Regards,

Roland



Re: [PacketFence-users] Issues with SAML Authentication Source

2016-10-28 Thread Julien Semaan

Seems your IDP entity ID is wrong in the PacketFence config.
From the metadata you sent me it should be:
https://idp.pennkey.upenn.edu/idp/shibboleth

- Julien

On 10/28/2016 10:31 AM, Charles Rumford wrote:

On 10/28/16 10:24 AM, Julien Semaan wrote:

Could you post also:
/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.xml

Attached.







Re: [PacketFence-users] Issues with SAML Authentication Source

2016-10-28 Thread Julien Semaan

Could you post also:
/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.xml

Likely the answer to your issue is in that file

Thanks !

- Julien

On 10/25/2016 02:10 PM, Charles Rumford wrote:

On 10/25/16 2:02 PM, Julien Semaan wrote:

Hi Charles,

This looks like either the metadata is not valid on the server or the entity ID
is not right in the source configuration.

If you post your metadata file as well as
/usr/local/pf/conf/authentication.conf, I could look at it.

[Weblofin]
description=weblogin
idp_ca_cert_path=/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.crt
idp_entity_id=https://idp.pennkey.upenn.edu
idp_metadata_path=/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.xml
username_attribute=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
dynamic_routing_module=AuthModule
idp_cert_path=/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.crt
sp_entity_id=siepata.net.isc.upenn.edu
type=SAML
authorization_source_id=local
sp_cert_path=/usr/local/pf/conf/saml/server.crt
sp_key_path=/usr/local/pf/conf/saml/server.key

Metadata is attached.



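The mismatch diagnosed in this thread, checked mechanically: an added Python example (not PacketFence code) that compares each SAML source's `idp_entity_id` with the `entityID` published in its `idp_metadata_path` file. The metadata sample is constructed around the entity ID quoted in the thread, and reading authentication.conf with Python's configparser is an assumption that holds for plain key=value sections like the one posted.

```python
import configparser
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: the [Weblofin] source from the thread, trimmed to the
# keys this check reads.
SAMPLE_AUTH_CONF = """\
[Weblofin]
description=weblogin
idp_entity_id=https://idp.pennkey.upenn.edu
idp_metadata_path=/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.xml
sp_entity_id=siepata.net.isc.upenn.edu
type=SAML
authorization_source_id=local
"""

# Constructed sample: minimal IdP metadata. Only the entityID value comes from
# the thread; the real attachment is not reproduced on the page.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.pennkey.upenn.edu/idp/shibboleth">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""


def idp_entity_ids(metadata_xml):
    """Return the entityID of every entity that publishes an IdP role.

    Handles a single EntityDescriptor as well as an EntitiesDescriptor
    aggregate (Element.iter() also yields the root element itself).
    """
    root = ET.fromstring(metadata_xml)
    return [
        entity.get("entityID")
        for entity in root.iter(MD_NS + "EntityDescriptor")
        if entity.find(MD_NS + "IDPSSODescriptor") is not None
    ]


def check_saml_sources(auth_conf_text, load_metadata):
    """Return (source, problem, detail) tuples for SAML sources whose
    idp_entity_id is not an IdP entityID in their idp_metadata_path file.

    load_metadata(path) must return the file content (str or bytes).
    """
    conf = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False,
        allow_no_value=True)
    conf.optionxform = str  # keep key case as written
    conf.read_string(auth_conf_text)

    findings = []
    for name in conf.sections():
        source = conf[name]
        if source.get("type") != "SAML":
            continue
        configured = (source.get("idp_entity_id") or "").strip()
        path = source.get("idp_metadata_path") or ""
        try:
            published = idp_entity_ids(load_metadata(path))
        except (OSError, ET.ParseError) as exc:
            # Covers the other cause named in the thread: invalid metadata.
            findings.append((name, "metadata unreadable", str(exc)))
            continue
        # Entity IDs are compared as exact strings, no URL normalisation.
        if configured not in published:
            findings.append((name, "entity ID mismatch", published))
    return findings


def read_file(path):
    """Loader for real use: returns the raw bytes of a metadata file."""
    with open(path, "rb") as handle:
        return handle.read()


if __name__ == "__main__":
    # Offline demo on the constructed samples. On a server, pass the content
    # of /usr/local/pf/conf/authentication.conf and read_file instead.
    for finding in check_saml_sources(SAMPLE_AUTH_CONF,
                                      lambda _path: SAMPLE_METADATA):
        print(finding)
```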


Re: [PacketFence-users] Issues with SAML Authentication Source

2016-10-25 Thread Julien Semaan

Hi Charles,

This looks like either the metadata is not valid on the server or the 
entity ID is not right in the source configuration.


If you post your metadata file as well as 
/usr/local/pf/conf/authentication.conf, I could look at it.


Regards,

--
Julien Semaan
jsem...@inverse.ca   ::  +1 (866) 353-6153 *155  ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



On 10/25/2016 11:36 AM, Charles Rumford wrote:

I'm currently trying to set up a SAML auth source. I have followed the
instructions in the admin guide, set up the trust with my identity provider, but
when I try and use the SAML auth source I get the following error on the portal:

Caught exception in captiveportal::Controller::Root->dynamic_application "Can't
create Single-Sign-On URL : The identifier of a provider is unknown to
#LassoServer. To register a provider in a #LassoServer object, you must use the
methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer()."

I'm using this auth source as the authentication method for doing device
registration. Poking around the internet I can't seem to find anything about the
issue.

Has anyone seen this before?





Re: [PacketFence-users] Fwd: Possible bug: Clustering with PF6.3.0

2016-10-21 Thread Julien Semaan

Hi Jake,

This shouldn't have happened as pf.conf values override the ones in 
pf.conf.defaults.


Can you post your broken pf.conf? It's likely just that the db host 
config is misplaced.


Otherwise you'll have to change pf.conf.defaults every time you upgrade 
because it will get overwritten.


Cheers !

- Julien


-------- Forwarded Message --------
Subject: [PacketFence-users] Possible bug: Clustering with PF6.3.0
Date: Fri, 21 Oct 2016 03:19:12 +
From: Sallee, Jake
Reply-To: packetfence-users@lists.sourceforge.net
To: packetfence



I am not 100% sure of this but there may be a bug concerning clustering in 
PF6.3.0.

The clustering guide says to change the database section in the pf.conf file to include 
"host=127.0.0.1".

However for some reason when I am trying to start the PF services I get an 
error about the user pf is not able to connect using user pf@localhost.

I searched everywhere I could and stumbled across the host entry in the pf.conf.defaults 
file.  It was set to localhost, when I changed it to "127.0.0.1" the error went 
away.

Can anyone reproduce this?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] Security Onion alerts not triggering

2016-10-07 Thread Julien Semaan
Make sure you apply the maintenance branch 
(/usr/local/pf/addons/pf-maint.pl) as it contains fixes to a similar issue.


Regards,

- Julien

On 10/07/2016 10:26 AM, Morris, Andi wrote:


An update, I’m now getting the alerts hitting pfdetect, but they’re 
still not triggering the violation with the same ID.


pfdetect.log shows:

Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct  7 14:23:40 
idsman01 securityonion_ids: 14:23:40 pid(24921)  Alert Received: 0 1 
policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET 
P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344 
1 2010140 6 92 92


' (main::_run_detector)

The relevant section of violation.conf is:

[153]
trigger=detect::2010140
actions=email_admin,reevaluate_access,log
max_enable=10
desc=P2P Vuze
enabled=Y
template=p2p
grace=2h

*From:*Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
*Sent:* 07 October 2016 14:56
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] Security Onion alerts not triggering

Hi all,

I have configured my security onion server to send alerts to my 
packetfence server (version 6.2.1), and I can see that they’re getting 
there through TCPdump.


IDS server:

13:37:02.260031 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 240


13:37:02.260216 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243


13:37:12.271539 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241


13:37:57.325078 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242


13:37:57.326236 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243


13:38:07.342397 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243


13:38:37.377503 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241


13:38:55.401715 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282


13:38:55.401858 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282


13:38:55.401895 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282


13:38:55.401921 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282


13:39:03.412383 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241


13:39:07.418010 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284


13:39:07.418098 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284


13:39:07.418113 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284


13:39:07.418132 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284


13:39:07.418153 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242


13:39:07.418172 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242


13:39:22.434608 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242


PF server:

14:37:12.272395 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241


14:37:57.325970 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242


14:37:57.326980 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243


14:38:07.343228 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243


14:38:37.378338 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241


14:38:55.402550 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282


14:38:55.402583 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282


14:38:55.402610 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282


14:38:55.402632 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282


14:39:03.413187 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241


14:39:07.418795 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284


14:39:07.418819 IP 

Re: [PacketFence-users] Changing name of Null authentication

2016-09-22 Thread Julien Semaan

Hi Michel,

We've addressed the issue in our development branch by using the 
description of the source in the title instead of concatenating the 
source type and the 'authentication' word.


You can apply the patch using :
# cd /usr/local/pf
# curl https://github.com/inverse-inc/packetfence/commit/a7bd713f56976e7511b05d9e01486bd420e2da50.patch | patch -p1
# /usr/local/pf/bin/pfcmd service httpd.portal restart

It will then show up as the source description as one would expect.

Best Regards,

- Julien

On 09/22/2016 06:56 AM, Pedersen Michel wrote:


Hi,

I’m experiencing the same issue as Dustin was with PacketFence 6.2.1 
and the naming of the Null source when using it for authentication.


Even though I’ve created a new source, given it the correct name and 
description and referred to this in Portal Module the name on the 
portal itself when registering a user shows up as “Null authentication”


Any way to change this? It’s not very “user friendly” to have the 
title of authentication page show up as “Null authentication”



Best regards
Michel Pedersen

*Norwegian Public Roads Administration*
*Postal address:* Statens vegvesen Vegdirektoratet, Postboks 8142 
Dep, 0033 OSLO

*Office address:* Brynsengfaret 6A, OSLO
*Mobile:* +47 99117502 *e-mail/Lync:* michel.peder...@vegvesen.no 

www.vegvesen.no *e-mail:* 
firmap...@vegvesen.no 



*From:* Dustin Berube [mailto:dustin.ber...@gmail.com]
*Sent:* 22 June 2016 21:52
*To:* packetfence-users@lists.sourceforge.net
*Subject:* [PacketFence-users] Changing name of Null authentication

Good afternoon,

Is it possible to change the name of the null authentication on the 
captive portal pages (aup, submit, etc.)? I would like to change the 
name to "Guest Access" or something similar. Creating a new null 
source and changing the source for the portal profile didn't work.


I'm running Packetfence 6.0.1.1. Let me know if you need anything further.

Thanks,

Dustin





Re: [PacketFence-users] Node Cleanup

2016-07-14 Thread Julien Semaan

Hi Jason,

This will purge only unregistered devices.

Regards,

- Julien

On 07/08/2016 10:50 AM, Guntharp, Jason W. wrote:


I’m trying to determine the best maintenance periods for DB cleanup. 
If I set the node cleanup window at 31 days will this purge every node 
or only nodes that are unregistered?


Example:

Locationlog Cleanup Window       30 days
Traplog Cleanup Window           30 days
RADIUS Audit Log Cleanup Window  30 days
Node Cleanup Window              31 days

Thanks,

Jason Guntharp

Network Administrator

Itawamba Community College

Office: (662) 862-8106

Email: jwgunth...@iccms.edu 






--
Julien


Re: [PacketFence-users] regarding meta data

2016-04-18 Thread Julien Semaan

Hi,

Depending on the identity provider you use, the way to get its cert will 
be different.


You need to either refer to the documentation of your IDP as to where 
you can download it or you could try to extract it from the IDP metadata.


In the case of SimpleSAMLPHP, the base64 certificate is inside the 
 tag. This should be similar for another 
IDP.


Then you need to put it in a file, making sure it conforms to the x509 
standard (adding the BEGIN certificate and END certificate and any 
necessary new lines).


I would suggest looking around in your IDP to download it directly in 
the x509 format to put it on the server as it's obviously easier.


Regards,

- Julien

On 04/18/2016 01:14 AM, shivendra reddy wrote:

Dear Louis,

We are trying to authenticate SAML authentication, so that we are able 
to download the Service provider metadata as per the packetfence 
administrative guide.


we have encountered that the IDP certificate is missing from the 
( /usr/local/pf/conf/ssl/ca-idp.crt).


how to get an IDP certificate and proceed to download the metadata?

please help me with this issue.

thanks and regards,
shivendra reddy M.

On Sun, Apr 17, 2016 at 3:30 AM, Louis Munro wrote:






> On Apr 15, 2016, at 4:22 , shivendra reddy
> wrote:
>
> hello,
>
> i am using packetfence on centos with a network of 10 systems. I
> want to know the call record data (CDR) or metadata of the nodes
> registration, data usage etc.,
>
> where can i find them in the server

In the mysql database.

> and how to extract the details?

Using sql.

Make sure you send radius accounting to PacketFence if you want to
have that data in the first place.

Regards,
--
Louis Munro
lmu...@inverse.ca  :: www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)




--
Julien
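The manual steps described in this message (take the base64 certificate out of the IdP metadata, add the BEGIN/END CERTIFICATE lines and the line breaks), as an added Python example that is not PacketFence code. It assumes the certificate sits in the standard `ds:X509Certificate` element of SAML metadata and skips keys marked `use="encryption"`; the sample bytes are constructed placeholders, not a real certificate.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder bytes shaped like DER (SEQUENCE tag + length).
# They stand in for certificates and are not real ones.
SAMPLE_SIGNING_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_ENCRYPTION_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))


def _as_metadata_text(der):
    """Base64 split over indented lines, as metadata files often carry it."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n          ".join(b64[i:i + 76] for i in range(0, len(b64), 76))


# Constructed sample metadata; the entityID is a made-up example value.
SAMPLE_METADATA = f"""\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {_as_metadata_text(SAMPLE_SIGNING_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {_as_metadata_text(SAMPLE_ENCRYPTION_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_text):
    """Turn the text of an X509Certificate element into a PEM block."""
    compact = "".join(b64_text.split())  # drop indentation and line breaks
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError("X509Certificate is not valid base64: %s" % exc)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    canonical = base64.b64encode(der).decode("ascii")
    lines = [canonical[i:i + 64] for i in range(0, len(canonical), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    ) + "\n"


def idp_signing_certs_pem(metadata_xml):
    """Return one PEM string per distinct IdP certificate usable for signing.

    A KeyDescriptor without a 'use' attribute serves both purposes, so only
    use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    pems = []
    for idp in root.iter("{%s}IDPSSODescriptor" % NS["md"]):
        for key in idp.findall("md:KeyDescriptor", NS):
            if key.get("use") == "encryption":
                continue
            for cert in key.iterfind(".//ds:X509Certificate", NS):
                pem = to_pem(cert.text or "")
                if pem not in pems:  # metadata may repeat the same key
                    pems.append(pem)
    return pems


if __name__ == "__main__":
    # Offline demo on the constructed sample; with real metadata, write the
    # output to the file named by idp_cert_path in the source configuration.
    for pem in idp_signing_certs_pem(SAMPLE_METADATA):
        print(pem, end="")
```

Compare the fingerprint of the resulting file with the one your IdP operator publishes before trusting it.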


Re: [PacketFence-users] Floating Network Devices

2016-02-17 Thread Julien Semaan

Hi Max,

Floating devices are great and not great at the same time.

The principle behind it is to remove the security on a switchport to 
allow like you said, an AP or another special device to have access to 
an access VLAN or a trunk port without going through RADIUS.

The security is deactivated via SNMP.
And reactivated when an SNMP up trap is sent to PacketFence (using the 
glorious pfsetvlan service)


This means you need to activate pfsetvlan on your installation (which 
consumes quite a bit of RAM due to its threaded architecture).


Now enough with how it works and let's talk pros/cons.

Pros :
- You can plug your APs anywhere and they will simply work as long as 
  the VLANs are spanning correctly. That makes your job easier.
- That's about it...

Cons :
- Not supported on a lot of switches.
    - Right now we support it on a few switches in port-security 
      enforcement and on HP, Juniper and Cisco in Mac Authentication (RADIUS)
- This can/will break because this mode is complex
    - Should a trap not reach PacketFence or one of the services 
      fail for a few seconds, your switchport will be left in open mode. 
      Meaning anybody can connect and access the AP network on that port.
    - When a switch reboots, the SNMP traps can be delayed by the 
      switch and the actions may not be taken in the exact order they should 
      and that can mis-configure some ports.
    - As stated above, it is complex. There is a lot of SNMP exchange 
      and should any command not be executed properly by the switch, it will 
      break the chain.
    - As SNMP MIBs have a tendency to change for specialized features 
      (like VLAN assignment or trunking), you may be forced to stay on an old 
      firmware to keep support for this feature or may have Monday morning 
      surprises after a firmware upgrade.


Now my 2 cents :
- Some specific use cases are good for this
    - You have access points that you may lend to trusted employees so 
      they can spin up an SSID for a specific use.
    - You have a few 8 port switches you lend to people for some 
      specific events
- Don't use this for your APs that always (or almost) stay at the same 
  place because a misconfiguration in SNMP will have an immediate impact 
  on dozens of users.


Cheers !

- Julien

On 02/17/2016 12:59 PM, Max McGrath wrote:

Hi all -

I'm interested in the floating network devices portion of 
PacketFence.  We currently do not use it but I'm curious about its 
use with access points.


Does anybody put their entire fleet of APs under the floating devices 
config so all APs can be moved around without worrying about port 
config?  Or is it more meant for a small number of APs and other devices?


Max
--
Max McGrath 
Network Administrator
Carthage College
262-552-5512 
mmcgr...@carthage.edu 





--
Julien


Re: [PacketFence-users] Upgrade from 5.4.0 to 5.5.2 Node Duplicates

2015-12-17 Thread Julien Semaan

Hi Dan,

For your issues of duplicate nodes, you are seeing them because multiple 
locationlog entries are opened for the same device


You can confirm it easily by executing the following query in your 
database :

mysql > select count(*) from node where voip='';

If the count is higher than 0 then you are affected by the issue 
described above


To fix it please do the following :
In your MySQL database
mysql > UPDATE node set voip='no' where voip='';

Then download the following script in /usr/local/pf/addons/fix_duplicate_locationlog.pl

https://gist.github.com/julsemaan/6c7676561d2458e8288c

Then execute it :
perl /usr/local/pf/addons/fix_duplicate_locationlog.pl

This should close and reopen all your locationlog entries and your 
duplicate nodes won't appear anymore.


Obviously, the script comes without any warranty :)

Cheers !

- Julien

On 12/16/2015 01:53 PM, Dan Nelson wrote:


I upgraded from 5.4.0 to 5.5.2 .  There are a few things I had to 
correct after the upgrade.  Here is the list


Errors when trying to boot after upgrade

FATAL - unknown configuration parameter alerting.wins_server if you 
added the parameter yourself make sure it is present in 
conf/documentation.conf


FATAL - unknown configuration parameter alerting.admin_netbiosname if 
you added the parameter yourself make sure it is present in 
conf/documentation.conf


WARNING - invalid parameter billing_engine for profile default

In the Documentation.conf I had to add

[alerting.wins_server]

type=text

description=

Re: [PacketFence-users] Fingerbank user agent error

2015-12-16 Thread Julien Semaan

Can you verify in the httpd.admin.log and httpd.admin.catalyst log files ?

There should be an error there.

Please provide it.

- Julien

On 12/15/2015 10:58 PM, Hack, Daniel (DPIPWE) wrote:


Hi All,

We have Samsung Galaxy tablets that are not returning a result from 
Fingerbank, and hence aren’t able to be detected for the android 
provisioner. (Have updated to the latest fingerbank, but suspect 
‘en-au’ flavour isn’t widespread in Canada ).


Error is:

Cannot find any ID for 'User_Agent' with value 'Mozilla/5.0 (Linux; 
Android 4.4.2; en-au; SAMSUNG SM-T805Y Build/KOT49H) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 
Safari/537.36' (fingerbank::Query::_getQueryKeyIDs)


Have tried to ‘Add User Agent’ via webgui, and get the error:

‘Error! An error condition has occurred. See server logs for details.’

Have looked for an error in packetfence.log and fingerbank.log but 
can’t find anything.


Is this a permissions problem?

How can we add this user agent locally, or to the upstream Fingerbank 
database?


The mac vendor for Samsung ‘9cd35b’ exists in the MAC vendor list.

Any suggestions welcome.

Thanks in advance,

Daniel

Network Administrator

Corporate Information Technology

DPIPWE

p: (03) 6165 4484

f: (03) 6224 1388

e: daniel.h...@dpipwe.tas.gov.au






--
Julien


Re: [PacketFence-users] PFQueue pfdhcplistener count very high

2015-12-15 Thread Julien Semaan

Hi Mathieu,

Looked at the pcap and it seems that it is a 20PPS which isn't extremely 
high and should be handled correctly.


I've made a patch to the Fingerbank library yesterday to improve 
caching. It should improve things, even fix them for good.


Update it using :
# yum update fingerbank

Make sure you have 2.1.1
# rpm -qa fingerbank

A patch in the PacketFence maintenance branch extends the caching 
lifetime of Fingerbank. Apply using :

# /usr/local/pf/addons/pf-maint.pl

Make sure fingerbank.pm has been updated :
# grep 86400 lib/pf/fingerbank.pm
use constant FINGERBANK_CACHE_EXPIRE => 86400;# Expires cache entry after 86400s (1 day)


Restart pfqueue + httpd.webservices

Flush the queues :
# redis-cli -p 6380 FLUSHALL

Check the counters and the load and see if it helps.

- Julien

On 12/15/2015 04:59 AM, Mathieu Dirkx wrote:

Hi all,

here is an update after changing the pfqueue workers.
The change in conf/pfqueue.conf doesn't keep the count under control.
I have kept a log the last few hours.
First column is a local timestamp, the second column is the PFQueue count.

08:00      0
08:15      0
08:30    5K8
08:45    5K3
09:00    7K1
09:15   20K5
09:30   36K7
09:45   32K9
10:00   31K0
10:15   45K9
10:30   77K4
10:45   94K4

Here is the header from 'top'.
top - 10:53:31 up 18 days, 27 min,  2 users,  load average: 16.72, 16.92, 16.82
Tasks: 247 total,  17 running, 230 sleeping,   0 stopped,   0 zombie
Cpu0  : 84.4%us, 15.3%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Cpu1  : 83.7%us, 15.9%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Cpu2  : 84.1%us, 15.3%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.7%si,  0.0%st
Cpu3  : 84.4%us, 14.9%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.7%si,  0.0%st
Mem:   8061208k total,  7781764k used,   279444k free,    33604k buffers
Swap:  3096572k total,  2939104k used,   157468k free,   413396k cached


Re: [PacketFence-users] PFQueue pfdhcplistener count very high

2015-12-14 Thread Julien Semaan

On 12/14/2015 03:37 AM, Mathieu Dirkx wrote:

> I have stopped the pfqueue service, which returned the CPUload and log growth 
> to more normal values.
> Not sure about the consequences, but for now everything runs fine.

Not really good from what I see in your flow :)
Your Firewall SSO will not work anymore + the iplog update.

I took a quick look at what you sent and everything seems in order (we 
will investigate deeper shortly)

Let's try this :
In conf/pfqueue.conf, change :
[queue pfdhcplistener]
workers=8

To :
[queue pfdhcplistener]
workers=16

Next, start pfqueue :
bin/pfcmd service pfqueue start

We'll empty the current queue :
redis-cli -p 6380 FLUSHALL

And now, look and see if the counters of pfqueue go up in the 
Administration interface and if your load stays under control.

Now, my (wild) guess on your issue :
In 5.5.0, DHCP processing has been made asynchronous (and multi 
processed) as the single threaded approach was too slow and making 
things happen too late (ex : SSO was triggered minutes after a user 
connected)
Even with an extremely high number of packets, DHCP processing couldn't 
take more than 1 CPU before (because of the single thread approach)
Now the async processing makes it possible to process more PPS. This 
means you may have *a lot* of DHCP packets to process and that the 
server is keeping up and likely processing more than it was before but 
takes resources doing that.

Could you provide a 1 hour pcap of your DHCP traffic (Send it to me if 
you don't want to post it on the list) :
timeout 3600 tcpdump -nlp -i any port 67 or 68 -w dhcp-piusx.pcap

- Julien

On 12/14/2015 03:37 AM, Mathieu Dirkx wrote:
> Hi all,
>
>> So try these things:
>> 1. Look at the logs/pfqueue.log and see what errors there may be.
>> Please post them here for our enlightenment.
> There are three different ERROR: messages in the log
> 1. Use of uninitialized value
> 2. Can't bind : IO::Socket::INET: connect: Interrupted system call
> 3. Can't bind : IO::Socket::INET: connect: Connection refused
>
> Here is a short section of the pfqueue.log
>
> Dec 09 17:00:00 pfqueue(13611) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:00:00 pfqueue(13609) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:00:01 pfqueue(13611) ERROR: [mac:00:1c:c5:74:db:c0] Can't bind : 
> IO::Socket::INET: connect: Interrupted system call
> Dec 09 17:00:22 pfqueue(13604) INFO: [mac:5c:8d:4e:27:73:a1] Node 
> 5c:8d:4e:27:73:a1 registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:00:22 pfqueue(13607) INFO: [mac:5c:8d:4e:27:73:a1] Node 
> 5c:8d:4e:27:73:a1 registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:01:09 pfqueue(13607) INFO: [mac:38:0f:4a:28:a7:a3] Node 
> 38:0f:4a:28:a7:a3 registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:01:09 pfqueue(13608) INFO: [mac:38:0f:4a:28:a7:a3] Node 
> 38:0f:4a:28:a7:a3 registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:01:22 pfqueue(13604) INFO: [mac:cc:3a:61:dd:6f:f5] Node 
> cc:3a:61:dd:6f:f5 registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:01:22 pfqueue(13606) INFO: [mac:cc:3a:61:dd:6f:f5] Node 
> cc:3a:61:dd:6f:f5 registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:02 pfqueue(13606) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:02 pfqueue(13604) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:03 pfqueue(13611) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:03 pfqueue(13609) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:27 pfqueue(13609) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:27 pfqueue(13611) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:29 pfqueue(13609) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:29 pfqueue(13604) INFO: [mac:d0:a6:37:eb:45:ed] Node 
> d0:a6:37:eb:45:ed registered and allowed to pass the Firewall 
> (pf::firewallsso::FortiGate::action)
> 
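
An added example, not part of the thread and not PacketFence code: a small parser for log lines laid out like the pfqueue.log excerpt quoted above. It undoes the mail quoting and hard wrapping, counts ERROR messages by text, and lists events that more than one pfqueue worker logged for the same MAC in the same second. The sample lines, PIDs and MAC addresses are constructed, and the function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the quoted excerpt, including the
# mail client's ">" markers and hard line wraps. Not real log data.
SAMPLE = """\
> Dec 09 17:00:00 pfqueue(2001) INFO: [mac:02:00:00:00:00:01] Node
> 02:00:00:00:00:01 registered and allowed to pass the Firewall
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:00:00 pfqueue(2002) INFO: [mac:02:00:00:00:00:01] Node
> 02:00:00:00:00:01 registered and allowed to pass the Firewall
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:00:01 pfqueue(2001) ERROR: [mac:02:00:00:00:00:02] Can't bind :
> IO::Socket::INET: connect: Interrupted system call
> Dec 09 17:00:05 pfqueue(2003) ERROR: [mac:02:00:00:00:00:03] Can't bind :
> IO::Socket::INET: connect: Connection refused
> Dec 09 17:00:22 pfqueue(2003) INFO: [mac:02:00:00:00:00:04] Node
> 02:00:00:00:00:04 registered and allowed to pass the Firewall
> (pf::firewallsso::FortiGate::action)
> Dec 09 17:02:02 pfqueue(2002) INFO: [mac:02:00:00:00:00:01] Node
> 02:00:00:00:00:01 registered and allowed to pass the Firewall
> (pf::firewallsso::FortiGate::action)
"""

TS = r"[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}"
RECORD = re.compile(
    rf"^(?P<ts>{TS}) (?P<proc>[\w.]+)\((?P<pid>\d+)\) (?P<level>[A-Z]+): "
    r"(?:\[mac:(?P<mac>[0-9a-fA-F:]{17})\] )?"
    r"(?P<msg>.*?)(?: \((?P<func>[\w:]+)\))?$"
)


def unwrap(text):
    """Drop '>' quote markers and rejoin hard-wrapped lines into records."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if re.match(TS, line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # continuation of a wrapped record
    return records


def parse(text):
    """Return one dict per record that matches the log layout.

    A leading fragment (an excerpt that starts mid-record) does not match
    and is skipped rather than guessed at.
    """
    entries = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(text):
    entries = parse(text)
    # ERROR messages grouped by their exact text.
    errors = Counter(e["msg"] for e in entries if e["level"] == "ERROR")
    # Same second + same MAC + same handler, logged by different worker PIDs.
    workers = defaultdict(set)
    for e in entries:
        if e["func"]:
            workers[(e["ts"], e["mac"], e["func"])].add(e["pid"])
    duplicates = {k: sorted(v) for k, v in workers.items() if len(v) > 1}
    # How often each MAC triggered a firewall SSO action in the excerpt.
    actions_per_mac = Counter(
        e["mac"] for e in entries
        if e["func"] and e["func"].startswith("pf::firewallsso::")
    )
    return {"errors": errors, "duplicates": duplicates,
            "actions_per_mac": actions_per_mac}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for msg, n in report["errors"].most_common():
        print(f"{n:4d}  ERROR  {msg}")
    for (ts, mac, func), pids in report["duplicates"].items():
        print(f"{ts}  {mac}  {func}  workers={','.join(pids)}")
```
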

Re: [PacketFence-users] pfdhcplistener 5.5.0

2015-11-26 Thread Julien Semaan

Hi Christian,

We have a patch that would be a candidate for 5.5.1 and that would fix 
it for good.


Please see it attached to this mail.

Let us know if it works and it will be added to the next release.

Thanks !

- Julien

On 11/26/2015 09:49 AM, Louis Munro wrote:

Hi Christian,
This is indeed a corner case that is not well handled.

The original reason for that was that we assumed that you either use 
the PacketFence dhcpd for all or none of your networks.

If it’s all, then we should be receiving the ACKs.

If it’s none, then we needed to listen for DHCPREQUEST packets.

We try to process the minimum number of packets required to do the 
job, because in a large network that job quickly becomes expensive.


So in your case I can suggest a few ideas to fix it.

1. You could use the PacketFence dhcpd server on all your networks (if 
that is possible for you).
2. You could try using the UDP reflector 
(https://code.google.com/p/udp-reflector/) to send a copy of the ACKs 
to PacketFence.
3. You could patch PacketFence to handle the DHCPREQUESTS in those 
networks.
4. Look into using OMAPI to have PacketFence query your dhcp server 
for the leases.


I believe option 3 would be fastest to implement.

You could try this patch:

diff --git a/lib/pf/dhcp/processor.pm b/lib/pf/dhcp/processor.pm
index 5b6f6a8..36ee6fe 100644
--- a/lib/pf/dhcp/processor.pm
+++ b/lib/pf/dhcp/processor.pm
@@ -274,7 +274,7 @@ sub parse_dhcp_request {

 # We check if we are running without dhcpd
 # This means we don't see ACK so we need to act on requests
-if((!$self->{running_w_dhcpd} && 
!isenabled($Config{network}{force_listener_update_on_ack})) && 
(defined($client_ip) && defined($client_mac))){
+  if((!isenabled($Config{network}{force_listener_update_on_ack})) && 
(defined($client_ip) && defined($client_mac))){

 $self->handle_new_ip($client_mac, $client_ip, $lease_length);
 }
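
Review bot: the changed condition drops the !$self->{running_w_dhcpd} guard for every listener, so requests are now acted on even on interfaces where the PacketFence dhcpd is answering and, per the comment just above, ACKs are seen. A DHCPREQUEST is only the client's claim to an address, not a granted lease, so handle_new_ip would then record addresses the server may never confirm, and it adds per-packet work the original check avoided. Consider keeping the guard and making the decision per network (whether dhcpd is enabled for the network the request came from, which is the inlinel2/inlinel3 split reported in this thread) rather than removing it globally; the + line should also match the indentation of the surrounding block.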



Let us know if it helps.
We’ll have to think of the best way of handling that particular case 
in the future.


Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) 
and PacketFence (www.packetfence.org)


On Nov 25, 2015, at 18:10, Christian Hanster wrote:


Hi Louis,

It’s me again and I found the problem finally. It has to do with the 
rewritten dhcplistener in the new release.


The new listener configuration is checking, if there is a dhcp server 
running on the interface. If this is the case then it will not work 
with dhcp-request packages. In my special case the problem was that I 
had running the dhcp server on the interface (inlinel2) but not for 
the inlinel3 network. So the listener was not processing the Request 
packages. It might be a bug but I do not know how to fix it because 
the pfdhcplistener is running on interface level. For me it worked 
when I switched off the dhcp-server on the interface. Probably I will 
let the dhcp be done by an other server in this network...


The problem is in line 332ff. in file processor.pm (Tag 5.5.0): 
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/dhcp/processor.pm


Thank you for your help!

Kind regards
Christian
On 25 Nov 2015, at 22:41, Christian Hanster wrote:


Hi Louis,

No there are no lines with DHCPACK or OFFER. This is, because there 
are no such packets coming (seen in Tcpdump). Our setup is the 
following: remote client — LAN— router (with dnsmasq and a relay to 
PF) =VPN-Tunnel= VPN-Server —LAN—  PF-Server


So PF is not offering any leases to the remote clients but gets 
information from the dnsmasq which is configured as a relay. PF is 
configured as inlinel3 for the remote clients.


the networks.conf is therefore:
[192.168.2.0]
dns=192.168.2.254
dhcp_start=192.168.2.10
gateway=192.168.2.250
domain-name=inlinel2.endoo.eu 
nat_enabled=enabled
named=enabled
dhcp_max_lease_time=3600
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=inlinel2
netmask=255.255.255.0
dhcp_default_lease_time=3600

[10.1.13.0]
next_hop=192.168.2.2
domain-name=inlinel3.endoo.eu 
name=inlinel3.endoo.eu 
nat_enabled=1
named=enabled
dhcpd=disabled
fake_mac_enabled=0
type=inlinel3
netmask=255.255.255.0

The dhcp.conf:
# dhcpd configuration
# This file is manipulated on PacketFence's startup before being 
given to dhcpd

authoritative;
ddns-update-style none;
ignore client-updates;
log-facility local6;

# OMAPI for IP <-> MAC lookup
omapi-port 7911;
key pf_omapi_key {
  algorithm HMAC-MD5;
  secret "ghkxVADMEeYe8ikHCjkyu7hQ2abIA/SbcH8Ep6a4FGs=";
};
omapi-key pf_omapi_key;


failover peer "192.168.2.0/24" {
secondary;
address 192.168.2.250;
port 647;

Re: [PacketFence-users] Messed up status page

2015-08-12 Thread Julien Semaan
To reset the dashboard data (meaning you lose all previous data), you 
can remove all the content of the following directory
/usr/local/pf/var/graphite/whisper

Julien

On 08/11/2015 03:50 PM, Krzysztof Adamski wrote:
 I managed to mess up my status dashboard page. I was cloning one
 instance of a packetfence server and I didn't change the IP in the
 carbon.conf file before starting it.
 So now when I look at the pf1 dashboard I see pf2 data. Is there a way
 to recover this, or at least to reset the data so pf1 shows stats for
 itself?

 Thanks,
 K






Re: [PacketFence-users] new gui domains config

2015-06-05 Thread Julien Semaan

Hi Mourik,

You can't use 'net ads testjoin' directly as you used before.

You need to call these in the isolated domain chroots
/usr/bin/sudo /sbin/ip netns exec OUR-WKGR /usr/bin/net ads testjoin -s /etc/samba/OUR-WKGR.conf


Then to test the authentication :
/usr/bin/sudo /usr/sbin/chroot /chroots/OUR-WKGR /usr/bin/ntlm_auth --username=YOUR_USERNAME


And you can check the winbindd log in :
/chroots/OUR-WKGR/var/log/sambamydomain/log.winbindd

On 06/05/2015 03:27 AM, mourik jan heupink wrote:


Hi,

No reaction on the files I showed below, so I'm guessing that means
those look rather ok..?

In short, this is the situation:

gui shows: test join success
cli shows: net ads testjoin Join to domain is NOT valid

-

root@pf:/# /usr/local/pf/bin/pfcmd service winbindd start
service|command
memcached|already started
httpd.admin|already started
Checking configuration sanity...
Unable to setup corepath for winbindd: No such file or directory

-

Jun 04 16:46:04 pfcmd.pl(10108) WARN: winbindd-OUR-WKGR.conf timed out
trying to start (pf::services::manager::postStartCleanu

-

* Where can I check what 'corepath' pfcmd is talking about?
* Where can I get more details on winbindd-OUR-WKGR.conf?

Regards,
MJ

On 06/04/2015 04:51 PM, heupink wrote:

Hi Louis, list,

In packetfence logs we see:
Jun 04 16:46:04 pfcmd.pl(10108) WARN: winbindd-OUR-WKGR.conf timed out
trying to start (pf::services::manager::postStartCleanu

Unable to setup corepath for winbindd: No such file or directory

As requested, the files:

root@pf:~# cat /etc/resolv.conf
domain company.com
nameserver x.y.z.14
nameserver x.y.z.15
nameserver x.y.z.16
nameserver x.y.z.1
(nb: first three are DC's)

root@pf:~# cat /etc/samba/smb.conf
   [global]
workgroup = OUR-WKGR
server string = Samba Server Version %v
security = ads
realm = SAMBA.COMPANY.COM
domain master = no
local master = no
preferred master = no
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50

root@pf:~# cat  /etc/krb5.conf
[libdefaults]
  default_realm = SAMBA.COMPANY.COM

# The following krb5.conf variables are only for MIT Kerberos.
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
  v4_instance_resolve = false
  v4_name_convert = {
  host = {
  rcmd = host
  ftp = ftp
  }
  plain = {
  something = something-else
  }
  }
  fcc-mit-ticketflags = true

[realms]

SAMBA.COMPANY.COM = {
kdc = dc2.samba.company.com
admin_server = dc2.samba.company.com
default_domain = SAMBA.COMPANY.COM
}




[domain_realm]

SAMBA.COMPANY.COM = SAMBA.COMPANY.COM
.SAMBA.COMPANY.COM = SAMBA.COMPANY.COM




[login]
  krb4_convert = true
  krb4_get_tickets = false










--
Julien Semaan
jsem...@inverse.ca  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] pfmon does not perform tasks if no cluster is configured (pf 5.0.0)

2015-04-20 Thread Julien Semaan

Hi Diego,

You are right.

This has been fixed in our maintenance branch that you can apply using 
addons/pf-maint.pl


It will also be part of PF 5.0.1

Regards,

On 04/20/2015 07:32 AM, Diego Bonfigli wrote:

Hi,
  in a configuration with a single server, no cluster (e.g. 
cluster.conf has not been touched), pfmon does not run tasks because at 
start, /usr/local/pf/pfmon the start sub as you can see does not call 
registertasks() if management_ip is empty in cluster.conf.


sub start {
    my $vip_running = pf::cluster::is_management();
    if($vip_running){
        registertasks();
    }
    runtasks();
    waitforit();
}


Diego




--
Julien Semaan
jsem...@inverse.ca  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] http.aaa error in packetfence.log The 'month' parameter (undef) during radius authorize?

2015-03-25 Thread Julien Semaan

That is still vulnerable to this.

Make sure the date and role is set for the users and you'll be fine. 4.7 
fixes this for good.


On 03/25/2015 11:39 AM, Pete Hoffswell wrote:
AH!  Yes.  We are suffering from that problem now! Users are getting 
online with a default role, and an Owner name of 
host/machinename.ad.davenport.edu


We are running 4.6.0

-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu


On Wed, Mar 25, 2015 at 11:32 AM, Julien Semaan jsem...@inverse.ca wrote:


Hi Pete,

This has been fixed in a more recent version of PacketFence.

It's that the machine (host/username.ad.davenport.edu) is not matching any
unregistration date or access duration.

What version of PacketFence are you running ?


On 03/25/2015 10:57 AM, Pete Hoffswell wrote:

Good morning.

We are seeing this regularly in our packetfence log, and wonder
how to resolve.  I am unsure if it is actually causing issues
with our users.

Mar 25 10:42:13 httpd.aaa(28070) INFO: [6c:88:14:xx:xx:xx]
handling radius autz request: from switch_ip = (10.1.49.6),
connection_type = Wireless-802.11-EAP,switch_mac = (), mac =
[6c:88:14:xx:xx:xx], port = 13, username =
host/username.ad.davenport.edu (pf::radius::authorize)
Mar 25 10:42:13 httpd.aaa(28070) INFO: person
host/username.ad.davenport.edu
modified to host/username.ad.davenport.edu
(pf::person::person_modify)
Mar 25 10:42:13 httpd.aaa(28070) INFO: autoregister a node that
is already registered, do nothing. (pf::node::node_register)
Mar 25 10:42:13 httpd.aaa(28070) INFO: Can't find provisioner for
6c:88:14:xx:xx:xx (pf::vlan::getNormalVlan)
Mar 25 10:42:13 httpd.aaa(28070) WARN: The year was past, null or
undefined. We used current year (pf::config::dynamic_unreg_date)
Mar 25 10:42:20 httpd.aaa(28070) ERROR: radius authorize failed
with error: The 'month' parameter (undef) to DateTime::new was an
'undef', which is not one of the allowed types: scalar
 at /usr/lib64/perl5/vendor_perl/DateTime.pm line 201
DateTime::new(undef, 'year', 2015, 'month', undef, 'day',
undef, 'time_zone',
'DateTime::TimeZone::America::Detroit=HASH(0)', ...) called
at /usr/local/pf/lib/pf/config.pm line 914
pf::config::dynamic_unreg_date(undef) called at
/usr/local/pf/lib/pf/vlan.pm line 416
pf::vlan::getNormalVlan('pf::vlan::custom=HASH(0)',
'pf::Switch::Cisco::WLC=HASH(0)', 13, '6c:88:14:xx:xx:xx',
'HASH(0)', 385, 'host/username.ad.davenport.edu', 'DU', 'HASH(0)', ...)
called at /usr/local/pf/lib/pf/vlan.pm line 122
pf::vlan::fetchVlanForNode('pf::vlan::custom=HASH(0)',
'6c:88:14:xx:xx:xx', 'pf::Switch::Cisco::WLC=HASH(0)', 13,
385, 'host/username.ad.davenport.edu', 'DU', 'HASH(0)', undef,
...) called at /usr/local/pf/lib/pf/radius.pm line 182
pf::radius::authorize('pf::radius::custom=HASH(0)',
'HASH(0)') called at /usr/local/pf/lib/pf/api.pm line 61
eval {...} called at /usr/local/pf/lib/pf/api.pm line 60
pf::api::radius_authorize('pf::api', 'NAS-Port-Type',
'Wireless-802.11', 'Service-Type', 'Framed-User', 'Tunnel-Type',
'VLAN', 'Called-Station-Id', 'e8:ba:70:xx:xx:xx:DU', ...) called
at /usr/local/pf/lib/pf/WebAPI/MsgPack.pm line 61
eval {...} called at
/usr/local/pf/lib/pf/WebAPI/MsgPack.pm line 60
pf::WebAPI::MsgPack::handler('pf::WebAPI::MsgPack=HASH(0)',
'Apache2::RequestRec=SCALAR(0)') called at
/usr/local/pf/lib/pf/WebAPI.pm line 62
pf::WebAPI::handler('Apache2::RequestRec=SCALAR(0)') called
at -e line 0
eval {...} called at -e line 0
 (pf::api::radius_authorize)


This is a wireless user connecting to an 802.1x network, with a
backend source of Active Directory.

I wonder if there's a PF, radius, or AD setting that needs to be
tweaked.


-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu





Re: [PacketFence-users] Alerting Question

2014-10-02 Thread Julien Semaan

Hi Scott,

I guess it would be simpler to use sponsor based registration. The user 
will have to enter its information in the portal and then it will send 
an e-mail to a sponsor that can activate its network.


For your scenario, there is nothing in PacketFence that can allow you to 
do this currently out of the box.


Regards,

Julien

On 10/01/2014 01:21 PM, Scott Slagle wrote:


Here’s my scenario:

Packetfence is receiving traps from a switch.

User plugs in laptop, packetfence receives the trap and MAC address, 
sets to registration vlan, however there is no dhcp on that vlan.


I need an alert from packetfence stating that a new node has attached 
to the network.


How can this be accomplished?

Thanks,

Scott







Re: [PacketFence-users] loganalyzer

2014-09-30 Thread Julien Semaan

Hi Carlos,

I'd probably suggest you to move this out of the PacketFence config.

Add it in the normal apache directory and bind on a port like 8080 so 
you don't conflict with the PacketFence services.


This way you'll be isolated of the PacketFence config and you'll be able 
to configure it as you normally would.


Regards,

Julien

On 09/29/2014 04:15 PM, Carlos Eduardo de Siqueira wrote:

Hi Julien, now the error message has changed to

... Attempt to serve directory: /var/www/html/loganalyser/

and if I pointed to https://my-pfence-ip:1443/loganalyser/index.php 
https://my-pfence-ip:1443/loganalyzer/index.php, there are no error 
messages but PHP code appears on browser.


Sorry, I thought it was more simple to do this!

Regards,
CS

Atenciosamente,

Carlos Eduardo Vilas Boas de Siqueira
Analista de Suporte
Gerência de Rede
Centro de Informática e Automação do Estado de Santa Catarina.
48 3664-1359

2014-09-26 8:53 GMT-03:00 Julien Semaan jsem...@inverse.ca:


Hi Carlos,

Add at line 158 of httpd.admin configuration file:
/loganalyser => {
 SetHandler => 'default-handler',
 },

Regards,

Julien


On 14-09-25 12:36 PM, Carlos Eduardo de Siqueira wrote:

Hi Julien,

Don't work!

I had to include mod_authz_host.so in httpd.admin because
Invalid command 'Order'.

After this Packetfence starts normally but browser says Page not
found!





Atenciosamente,

Carlos Eduardo Vilas Boas de Siqueira
Analista de Suporte
Gerência de Rede
Centro de Informática e Automação do Estado de Santa Catarina.
48 3664-1359

2014-09-25 8:59 GMT-03:00 Julien Semaan jsem...@inverse.ca:

Hi Carlos,

Try adding this at line 149 (you'll see another alias)

Alias => '/loganalyser /var/www/html/loganalyzer/',

Also configure the directory outside of the Perl tags in
the config file.

Regards,

Julien


On 14-09-24 02:00 PM, Carlos Eduardo de Siqueira wrote:

Hi Julien,

Again

I put the line
Alias /loganalyzer/ /var/www/html/loganalyzer/
in httpd.admin

and again Page not found!!


Thanks for reply!

Atenciosamente,

Carlos Eduardo Vilas Boas de Siqueira
Analista de Suporte
Gerência de Rede
Centro de Informática e Automação do Estado de Santa Catarina.
48 3664-1359

2014-09-24 8:49 GMT-03:00 Julien Semaan jsem...@inverse.ca:

Hi Carlos,

The configuration file you are editing is for the
captive portal.

You should be adding those to the httpd.admin
configuration file.

Regards,

Julien


On 14-09-22 05:38 PM, Carlos Eduardo de Siqueira wrote:

Hi,

I'm trying to use Loganalyzer to see packetfence logs.

I put this lines

Alias /loganalyzer/ /var/www/html/loganalyzer/
<Directory /var/www/html/loganalyzer/>
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

in
/usr/local/pf/conf/httpd.conf.d/captive-portal-common.conf

Point to
https://my-pfence-ip:1443/loganalyzer

and

GET /loganalyzer HTTP/1.1 404

how can I set this up?

Regards
Carlos





Re: [PacketFence-users] loganalyzer

2014-09-26 Thread Julien Semaan

Hi Carlos,

Add at line 158 of httpd.admin configuration file:
/loganalyser => {
 SetHandler => 'default-handler',
 },

Regards,

Julien

On 14-09-25 12:36 PM, Carlos Eduardo de Siqueira wrote:

Hi Julien,

Don't work!

I had to include mod_authz_host.so in httpd.admin because Invalid 
command 'Order'.


After this Packetfence starts normally but browser says Page not found!





Atenciosamente,

Carlos Eduardo Vilas Boas de Siqueira
Analista de Suporte
Gerência de Rede
Centro de Informática e Automação do Estado de Santa Catarina.
48 3664-1359

2014-09-25 8:59 GMT-03:00 Julien Semaan jsem...@inverse.ca:


Hi Carlos,

Try adding this at line 149 (you'll see another alias)

Alias => '/loganalyser /var/www/html/loganalyzer/',

Also configure the directory outside of the Perl tags in the
config file.

Regards,

Julien


On 14-09-24 02:00 PM, Carlos Eduardo de Siqueira wrote:

Hi Julien,

Again

I put the line
Alias /loganalyzer/ /var/www/html/loganalyzer/
in httpd.admin

and again Page not found!!


Thanks for reply!

Atenciosamente,

Carlos Eduardo Vilas Boas de Siqueira
Analista de Suporte
Gerência de Rede
Centro de Informática e Automação do Estado de Santa Catarina.
48 3664-1359

2014-09-24 8:49 GMT-03:00 Julien Semaan jsem...@inverse.ca:

Hi Carlos,

The configuration file you are editing is for the captive portal.

You should be adding those to the httpd.admin configuration file.

Regards,

Julien


On 14-09-22 05:38 PM, Carlos Eduardo de Siqueira wrote:

Hi,

I'm trying to use Loganalyzer to see packetfence logs.

I put this lines

Alias /loganalyzer/ /var/www/html/loganalyzer/
<Directory /var/www/html/loganalyzer/>
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

in /usr/local/pf/conf/httpd.conf.d/captive-portal-common.conf

Point to
https://my-pfence-ip:1443/loganalyzer

and

GET /loganalyzer HTTP/1.1 404

how can I set this up?

Regards
Carlos





Re: [PacketFence-users] loganalyzer

2014-09-25 Thread Julien Semaan

Hi Carlos,

Try adding this at line 149 (you'll see another alias)

Alias => '/loganalyser /var/www/html/loganalyzer/',

Also configure the directory outside of the Perl tags in the config file.

Regards,

Julien

On 14-09-24 02:00 PM, Carlos Eduardo de Siqueira wrote:

Hi Julien,

Again

I put the line
Alias /loganalyzer/ /var/www/html/loganalyzer/
in httpd.admin

and again Page not found!!


Thanks for the reply!

Regards,

Carlos Eduardo Vilas Boas de Siqueira
Support Analyst
Network Management
Centro de Informática e Automação do Estado de Santa Catarina.
48 3664-1359

2014-09-24 8:49 GMT-03:00 Julien Semaan <jsem...@inverse.ca>:


Hi Carlos,

The configuration file you are editing is for the captive portal.

You should be adding those to the httpd.admin configuration file.

Regards,

Julien


On 14-09-22 05:38 PM, Carlos Eduardo de Siqueira wrote:

Hi,

I'm trying to use Loganalyzer to see packetfence logs.

I put these lines

Alias /loganalyzer/ /var/www/html/loganalyzer/
<Directory /var/www/html/loganalyzer/>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

in /usr/local/pf/conf/httpd.conf.d/captive-portal-common.conf

Point to
https://my-pfence-ip:1443/loganalyzer

and

GET /loganalyzer HTTP/1.1 404

how can I set this up?

Regards
Carlos






Re: [PacketFence-users] loganalyzer

2014-09-24 Thread Julien Semaan

Hi Carlos,

The configuration file you are editing is for the captive portal.

You should be adding those to the httpd.admin configuration file.

Regards,

Julien

On 14-09-22 05:38 PM, Carlos Eduardo de Siqueira wrote:

Hi,

I'm trying to use Loganalyzer to see packetfence logs.

I put these lines

Alias /loganalyzer/ /var/www/html/loganalyzer/
<Directory /var/www/html/loganalyzer/>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

in /usr/local/pf/conf/httpd.conf.d/captive-portal-common.conf

Point to
https://my-pfence-ip:1443/loganalyzer

and

GET /loganalyzer HTTP/1.1 404

how can I set this up?

Regards
Carlos





Re: [PacketFence-users] Web admin dashboard error

2014-09-24 Thread Julien Semaan

Hi Andi,

Can you give me the output of logs/httpd.admin.log when you're doing 
that action?


Thanks,

Julien

On 14-09-23 09:03 AM, Morris, Andi wrote:


Hi,

I'm having an issue with our PacketFence setup, version 4.2.1. 
Everything seems to be working ok in the background, people are 
getting authenticated, and devices are getting auto-registered using 
dot1x credentials. Over the last few days students have started to 
come back, and usage of the system has increased dramatically. Around 
1000 devices registered in two days, however now the Dashboard screen 
of the web interface shows the error, "Error! An error occurred while 
contacting the server. Please try again later."


I'm wondering if something is being overloaded somewhere, but memory 
and CPU usage on the box is looking ok. Clicking other areas in the 
admin UI works ok, so as a guess I would say that it's something to do 
with collecting the total number of nodes from the database perhaps.


I just want to be sure that there is nothing about to top out 
completely on the server. Looking in /var/log/messages I see a lot of 
the following:


Sep 23 13:45:18 pfence01 rsyslogd-2177: imuxsock lost 12 messages from pid 12846 due to rate-limiting
Sep 23 13:59:12 pfence01 rsyslogd-2177: imuxsock begins to drop messages from pid 12846 due to rate-limiting
Sep 23 13:59:13 pfence01 rsyslogd-2177: imuxsock lost 14 messages from pid 12846 due to rate-limiting
Sep 23 13:59:57 pfence01 rsyslogd-2177: imuxsock begins to drop messages from pid 12846 due to rate-limiting
Sep 23 14:00:01 pfence01 rsyslogd-2177: imuxsock lost 32 messages from pid 12846 due to rate-limiting
Sep 23 14:02:11 pfence01 rsyslogd-2177: imuxsock begins to drop messages from pid 12846 due to rate-limiting
Sep 23 14:02:13 pfence01 rsyslogd-2177: imuxsock lost 127 messages from pid 12846 due to rate-limiting


Pid 12846 is dhcpd.

-

Andi Morris

IT Security Officer
Cardiff Metropolitan University

T: 02920 205720
E: amor...@cardiffmet.ac.uk
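
Added example (not part of the original thread): the rate-limiting messages quoted above mean rsyslog discarded log lines from dhcpd, which leaves gaps in the record kept on the NAC server. This Python script pairs each "begins to drop" line with the following "lost N messages" line and totals the loss and the blind time per PID; the year argument is an assumption, because classic syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the /var/log/messages excerpt in the message above,
# re-joined where the e-mail client wrapped them.
SAMPLE = """\
Sep 23 13:45:18 pfence01 rsyslogd-2177: imuxsock lost 12 messages from pid 12846 due to rate-limiting
Sep 23 13:59:12 pfence01 rsyslogd-2177: imuxsock begins to drop messages from pid 12846 due to rate-limiting
Sep 23 13:59:13 pfence01 rsyslogd-2177: imuxsock lost 14 messages from pid 12846 due to rate-limiting
Sep 23 13:59:57 pfence01 rsyslogd-2177: imuxsock begins to drop messages from pid 12846 due to rate-limiting
Sep 23 14:00:01 pfence01 rsyslogd-2177: imuxsock lost 32 messages from pid 12846 due to rate-limiting
Sep 23 14:02:11 pfence01 rsyslogd-2177: imuxsock begins to drop messages from pid 12846 due to rate-limiting
Sep 23 14:02:13 pfence01 rsyslogd-2177: imuxsock lost 127 messages from pid 12846 due to rate-limiting
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) rsyslogd\S*: "
    r"imuxsock (?:(?P<begin>begins to drop messages)|lost (?P<lost>\d+) messages) "
    r"from pid (?P<pid>\d+) due to rate-limiting"
)


def parse_ts(text, year):
    # The year is supplied by the caller (assumption: all lines share it).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def drop_windows(lines, year=2014):
    """Return {pid: [{'start', 'end', 'lost'}, ...]} for every 'lost' report.

    'start' is None when the matching 'begins to drop' line is not in the
    input, as happens with the first line of the excerpt.
    """
    open_since = {}
    windows = defaultdict(list)
    for line in lines:
        m = EVENT.match(line.strip())
        if not m:
            continue
        pid = int(m["pid"])
        ts = parse_ts(m["ts"], year)
        if m["begin"]:
            # Keep the earliest unmatched start for this PID.
            open_since.setdefault(pid, ts)
        else:
            windows[pid].append(
                {"start": open_since.pop(pid, None), "end": ts, "lost": int(m["lost"])}
            )
    return dict(windows)


def summarize(windows):
    """Collapse the windows into per-PID totals."""
    report = {}
    for pid, items in windows.items():
        paired = [w for w in items if w["start"] is not None]
        report[pid] = {
            "windows": len(items),
            "lost": sum(w["lost"] for w in items),
            "blind_seconds": sum((w["end"] - w["start"]).total_seconds() for w in paired),
            "unpaired": len(items) - len(paired),
        }
    return report


if __name__ == "__main__":
    for pid, totals in summarize(drop_windows(SAMPLE.splitlines())).items():
        print(pid, totals)
```

The limits that trigger these messages are set by imuxsock's $SystemLogRateLimitInterval and $SystemLogRateLimitBurst directives in rsyslog's legacy configuration syntax.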



Re: [PacketFence-users] iptables exception

2014-09-15 Thread Julien Semaan

Hi Chris,

You can manually register the device MAC address in the administration 
interface.


Regards,

On 14-09-12 12:42 PM, Chris Heighway wrote:


Group,

I have an AP that needs cloud access but is also on the filtered 
side of our inline pf configuration for captive portal access (4.3.0 
on CentOS 6.5).  Since the AP cannot sign-in I need to allow it 
unfettered access to the internet though it is in the Trapping 
range.  I have tried adding the MAC of the Ethernet port to the 
whitelist with no luck.  My next step is to modify the iptables file 
however I do not completely understand the relationship between the 
/usr/local/pf/conf/iptables.conf and /etc/sysconfig/iptables.


Where do I add the permit for the AP?

Thank you,

Chris Heighway





--
Julien Semaan
jsem...@inverse.ca  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Regarding User Registraion

2014-09-02 Thread Julien Semaan

Hi Arun,

This is normal since temporary internet access is given to the user in 
order for him to retrieve the e-mail and click the link on the device he 
is currently using. Without it, the user wouldn't have access to the 
e-mail that was sent.


Regards,

On 14-09-01 08:15 AM, Arun Kumar wrote:

Hello,

I'm able to fix the mail issue.

But the other problem is still present. Before clicking on the 
activation link sent in the mail, I'm able to access internet 
(authentication was not done. Only user registration request was sent)


Can you suggest what might be wrong?

Regards,
Arun Kumar S


On Thu, Aug 28, 2014 at 12:43 PM, Arun Kumar <arun.sun...@gmail.com> wrote:


Hello,

I'm trying to configure PacketFence 4.3 version.

I've installed postfix mail server as well for the same.

When trying to sign up from the client, I get a notification
saying an email will be sent. But I did not receive it.

But the user is registered and able to connect to the internet.

Can anyone suggest what might be wrong?

-- 
Regards,

S. Arun Kumar




--
Regards,
S. Arun Kumar




--
Julien Semaan
jsem...@inverse.ca  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Regarding User Registraion

2014-09-02 Thread Julien Semaan

Hi Arun,

Make sure you set an access duration and a role to the user.

Also make sure the registration window of the user includes today when 
you create the user.


Regards,

On 14-09-02 02:48 AM, Arun Kumar wrote:

Hi,

Thanks for the response. My setup is working with user registration 
from client device.


When I try to add users from *Admin* side, and try to login as client, 
I get the error /*You have reached the maximum number of devices you 
are able to register with this username*/


I also tried by setting Access duration and still the issue is seen.

Any other param needs to be set?

Regards,
Arun Kumar S


On Mon, Sep 1, 2014 at 5:45 PM, Arun Kumar <arun.sun...@gmail.com> wrote:


Hello,

I'm able to fix the mail issue.

But the other problem is still present. Before clicking on the
activation link sent in the mail, I'm able to access internet
(authentication was not done. Only user registration request was sent)

Can you suggest what might be wrong?

Regards,
Arun Kumar S


On Thu, Aug 28, 2014 at 12:43 PM, Arun Kumar <arun.sun...@gmail.com> wrote:

Hello,

I'm trying to configure PacketFence 4.3 version.

I've installed postfix mail server as well for the same.

When trying to sign up from the client, I get a notification
saying an email will be sent. But I did not receive it.

But the user is registered and able to connect to the internet.

Can anyone suggest what might be wrong?

-- 
Regards,

S. Arun Kumar




-- 
Regards,

S. Arun Kumar




--
Regards,
S. Arun Kumar




--
Julien Semaan
jsem...@inverse.ca  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] MAB on Cisco 2960

2014-08-13 Thread Julien Semaan

Hi Juan,

Even though PacketFence will disconnect the device using RADIUS, it is 
still using SNMP to determine the type of the interface. That's why 
'doWeActOnThisTrap' returns false.


You will still need to configure SNMP at least for read-only when using 
RADIUS authentication/disconnection.


Regards,

On 14-08-12 06:17 PM, Juan Camilo Valencia wrote:

Hi Guys,

I recently moved my configuration from port-security to MAB on a Cisco 
2960. In the port-security area, SNMP and SNMP traps were involved in 
all the process to change the VLAN; now what I understand is that for 
MAB only RADIUS and RADIUS CoA are involved in the change of the VLAN.


However, what I'm seeing from packetfence.log is that for an unknown 
reason PacketFence is trying to create an SNMP read connection, even 
if I specifically said that the deauthentication method for the switch 
is RADIUS.


Here are the logs,


Aug 12 16:48:47 httpd.portal(820) INFO: re-evaluating access for node 00:23:ae:10:d3:e8 (manage_register called) (pf::enforcement::reevaluate_access)
Aug 12 16:48:47 httpd.portal(820) INFO: switch port for 00:23:ae:10:d3:e8 is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 12 16:48:51 pfsetvlan(41) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:48:52 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 12 16:48:59 pfsetvlan(1) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host 10.11.62.15 (pf::Switch::connectRead)
Aug 12 16:48:59 pfsetvlan(1) INFO: reAssignVlan trap received on 10.11.62.15 ifindex 10003 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 12 16:48:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 12 16:48:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Aug 12 16:49:03 httpd.portal(3307) INFO: mac : 00:23:ae:10:d3:e8 (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Aug 12 16:49:03 httpd.portal(3307) INFO: MAC 00:23:ae:10:d3:e8 shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
Aug 12 16:49:03 httpd.portal(3307) INFO: re-evaluating access for node 00:23:ae:10:d3:e8 (redir.cgi called) (pf::enforcement::reevaluate_access)
Aug 12 16:49:03 httpd.portal(3307) INFO: switch port for 00:23:ae:10:d3:e8 is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 12 16:49:07 pfsetvlan(42) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:49:08 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 12 16:49:16 pfsetvlan(3) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host 10.11.62.15 (pf::Switch::connectRead)
Aug 12 16:49:16 pfsetvlan(3) INFO: reAssignVlan trap received on 10.11.62.15 ifindex 10003 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 12 16:49:16 pfsetvlan(3) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 12 16:49:16 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)

I thought that maybe during the changes made to the configuration from 
SNMP to RADIUS there was something in the cache of the system, so I 
tried several pfcmd commands to clear the cache of the system to be 
sure that it is not something like that. The version that I'm running is 
4.3.0 with the latest patches. So here are my questions:


1. Is PacketFence always going to create an SNMP connection even if the 
entire procedure relies on RADIUS only?


2. If not, where can I look if I have something wrong?

3. Is there any possibility that something is in the cache?

4. I saw the code for the 2960 and there are a few lines that put the 
default method of deauthentication to SNMP; could this be the problem? 
(I changed it and it didn't work anyway.)



I hope somebody can help me figure out what is going on.

Best Regards from Colombia
Best Regards
--

*Choose a job you love, and you will never have to work a day in your 
life*




--
Julien Semaan
jsem...@inverse.ca  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
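
Added example (not part of the original thread, and not PacketFence code): Julien's explanation above, that the failed SNMP read is why doWeActOnThisTrap returns false, can be checked against packetfence.log. This Python script follows each pfsetvlan thread and reports every aborted reAssignVlan together with the MAC left waiting on that port; the message patterns are taken from the excerpt in this thread and are assumed to hold for that PacketFence version only.

```python
import re

# Lines taken from the packetfence.log excerpt above (e-mail wrapping undone,
# entries that play no part in the correlation left out).
SAMPLE = """\
Aug 12 16:48:47 httpd.portal(820) INFO: switch port for 00:23:ae:10:d3:e8 is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 12 16:48:51 pfsetvlan(41) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:48:59 pfsetvlan(1) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host 10.11.62.15 (pf::Switch::connectRead)
Aug 12 16:48:59 pfsetvlan(1) INFO: reAssignVlan trap received on 10.11.62.15 ifindex 10003 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 12 16:48:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 12 16:48:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Aug 12 16:49:03 httpd.portal(3307) INFO: switch port for 00:23:ae:10:d3:e8 is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 12 16:49:07 pfsetvlan(42) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:49:16 pfsetvlan(3) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host 10.11.62.15 (pf::Switch::connectRead)
Aug 12 16:49:16 pfsetvlan(3) INFO: reAssignVlan trap received on 10.11.62.15 ifindex 10003 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 12 16:49:16 pfsetvlan(3) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 12 16:49:16 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} [\d:]{8}) (?P<proc>[\w.]+)\((?P<tid>\d+)\) "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
PORT = re.compile(r"switch port for (?P<mac>[0-9a-f:]{17}) is (?P<sw>[\d.]+) ifIndex (?P<idx>\d+)")
SNMP_FAIL = re.compile(r"error creating SNMP \S+ read connection to (?P<sw>[\d.]+)")
TRAP = re.compile(r"reAssignVlan trap received on (?P<sw>[\d.]+) ifindex (?P<idx>\d+)")


def aborted_reevaluations(lines):
    """List every reAssignVlan that pfsetvlan gave up on, with its likely cause."""
    port_owner = {}  # (switch, ifIndex) -> MAC last re-evaluated on that port
    threads = {}     # pfsetvlan thread id -> state of the trap it is handling
    incidents = []
    for line in lines:
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        msg = entry["msg"]
        if (m := PORT.search(msg)):
            port_owner[(m["sw"], m["idx"])] = m["mac"]
            continue
        if entry["proc"] != "pfsetvlan":
            continue
        state = threads.setdefault(entry["tid"], {"snmp_failed": False, "port": None})
        if SNMP_FAIL.search(msg):
            state["snmp_failed"] = True
        elif (m := TRAP.search(msg)):
            state["port"] = (m["sw"], m["idx"])
        elif "doWeActOnThisTrap returns false" in msg and state["port"]:
            switch, idx = state["port"]
            incidents.append({
                "time": entry["ts"],
                "switch": switch,
                "ifindex": int(idx),
                "mac": port_owner.get((switch, idx)),
                # Without a preceding SNMP error the port type itself was the reason.
                "cause": "snmp-read-failed" if state["snmp_failed"] else "interface-type",
            })
        elif "cleanupAfterThread" in msg:
            threads.pop(entry["tid"], None)  # the thread id can be reused later
    return incidents


if __name__ == "__main__":
    for incident in aborted_reevaluations(SAMPLE.splitlines()):
        print(incident)
```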


Re: [PacketFence-users] Netgear compatibility support

2014-08-05 Thread Julien Semaan

Hi Piotr,

The Netgear module should work with all the M series switches.
They need to support the firmware 10.0.1.27.

It has been tested on the M4100 so this model is known to be working.

Julien

On 14-08-03 07:20 PM, Piotr Smalira wrote:


Hello!

Could you provide information on which of the Netgear M Series switches 
are supported by PacketFence 4.3+?


Thanks in advance.

Piotr





Re: [PacketFence-users] Remote Snort and PFAPI

2014-07-24 Thread Julien Semaan

This is fixed in the maintenance branch of PacketFence.

Run /usr/local/pf/addons/pf-maint.pl and restart packetfence.

Or you can apply the code changes from
https://github.com/inverse-inc/packetfence/commit/720e9f04193fbf0163497cfdacf8a9400a238e16


On 14-07-23 01:41 AM, Lupe Silva wrote:


I have set up a remote snort sensor on Ubuntu 12.04 using the 
packetfence-remote-snort package.  It did not work and after some 
diagnostics in looking at the code, I discovered that the snort alerts 
output was not what PacketFence was expecting.  I modified snort.conf 
by adding the line outputalert_fast: fix that issue.


Now I have another issue when it is connecting back to the packetfence 
box, I get the following error on the remote sensor.


violation could not be added: soap:Client - Failed to access class 
(PFAPI): Can't locate PFAPI.pm in @INC (@INC contains:) at (eval 995) 
line 2.#012 -


I am running packetfence 4.3

I am slightly familiar with SOAP, and it may be that the uri, 
http://www.packetfence.org/PFAPI,  called when the SOAP client is 
initiated, may no longer be valid.  This is a guess.


Lupe Silva





--
Julien Semaan
jsem...@inverse.ca  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] PF 4.3 and Facebook Oauth2

2014-07-02 Thread Julien Semaan
Hi Andreas,

You need to set a role for the nodes in your facebook source.

In the sources page at the bottom you can add a catch all rule that will 
set the access duration and the role of the node.

On 14-07-02 04:58 PM, Andreas Schacht wrote:
 Hi,

 After checking the log files I have found this part:
 == /usr/local/pf/logs/packetfence.log ==
 Jul 02 22:53:50 httpd.portal(4094) ERROR: Error while setting locale to en_US.utf8. Is the locale generated on your system? (captiveportal::PacketFence::Controller::Root::setupLanguage)
 Jul 02 22:53:53 httpd.portal(4094) INFO: OAuth2 successfull, register and release for username andreas.*@facebook.com (captiveportal::PacketFence::Controller::Oauth2::oauth2Result)
 Jul 02 22:53:54 httpd.portal(4094) WARN: No role specified or found for pid andreas.***@facebook.com (MAC 40:b3:95:ff:ff:ff); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)

 On 02.07.2014 at 21:07, Andreas Schacht <ascha...@gmx.de> wrote:

 Can somebody explain which roles I have to set up?

 Kind regards

 Andreas


 Hi,

 I have set up a Debian with PF 4.3 and hostapd from scratch in inline mode.
 Everything works fine until the point when I connect with a mobile device (iOS 
 7.1). I can authorize with Facebook, but
 then I get the message that I have reached the limit of nodes per user.
 Does somebody have an idea what is wrong?

 Kind regards

 Andreas


-- 
Julien Semaan
jsem...@inverse.ca  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

