[PacketFence-users] updating my.cnf on a separate DB servers

2017-03-13 Thread Morris, Andi
Hi all,
In previous PF environments I've always performed MySQL tuning by updating 
my.cnf, stopping PF services and then restarting. If I have a separate DB 
server to the PF server can I get away with just restarting MySQL on the DB 
server, or do I still need to stop and start the services on the PF servers?

Cheers,
Andi


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] upgrade 6.2.1-6.4 - radius no longer starting

2017-01-05 Thread Morris, Andi
Thanks Julien,
I tried that yesterday and it did resolve the issue. Thanks for confirming.

Cheers,
Andi

From: Julien Semaan [mailto:jsem...@inverse.ca]
Sent: 04 January 2017 19:17
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] upgrade 6.2.1-6.4 - radius no longer starting

Hi Andi,

These realms are coming from conf/realm.conf.defaults and they are now built-in 
realms.

Any options you had for the realms in that file need to be ported into the 
PacketFence configuration (editing it from the admin takes care of handling 
what comes from the defaults and what is specific to your setup).

In your case, just add the following to the default realm options:
auth_pool = eduroam
nostrip

Cheers

- Julien
On 2017-01-03 11:26 AM, Morris, Andi wrote:
Hi all,
upgrading my 6.2.1 to 6.4 running CentOS 7.3.1611 release today has resulted in 
my radiusd and radiusd-acct services not starting.

Firstly I was getting the following error:
service|command
httpd.admin|already started
Checking configuration sanity...
WARNING - Cannot open the following certificate 
%%install_dir%%/raddb/certs/pfenceha.crt
radiusd-acct|not started
radiusd|not started

so I found the line in eap.conf and edited it so it showed:
certificate_file = [% install_dir %]/raddb/certs/pfenceha.crt

after reloading the config and restarting the pf services I no longer see the 
error, however the radius services will still not start.

Running radiusd -X -d /usr/local/pf/raddb I could see the debug bombing out 
because the default realm was being declared twice:

snip-
   mrc = 5
mrd = 30
  }
}
WARNING: Ignoring "response_window = 30.00", forcing to "response_window = 
10.00"
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
realm cardiffmet.ac.uk {
authhost = LOCAL
accthost = LOCAL
}
realm uwic.ac.uk {
authhost = LOCAL
accthost = LOCAL
}
home_server_pool eduroam {
type = client-balance
home_server = orps03.cardiffmet.ac.uk
home_server = orps04.cardiffmet.ac.uk
}
realm DEFAULT {
auth_pool = eduroam
nostrip
} # realm DEFAULT
snip

Further investigation showed that this is being pulled from 
raddb/proxy.conf.inc:

# This file is generated from a template at 
/usr/local/pf/conf/radiusd/proxy.conf.inc
# Any changes made to this file will be lost on restart

# Eduroam integration is not configured

realm default {

}
realm local {

}
realm null {

}

home_server orps03.cardiffmet.ac.uk {
type = auth
ipaddr = 193.62.96.44
port = 1812
secret = *
require_message_authenticator = yes
}

home_server orps04.cardiffmet.ac.uk {
type = auth
ipaddr = 193.62.96.45
port = 1812
secret = **
require_message_authenticator = yes
}



home_server_pool eduroam {
type = client-balance
home_server = orps03.cardiffmet.ac.uk
home_server = orps04.cardiffmet.ac.uk
}

realm cardiffmet.ac.uk {
authhost=LOCAL
accthost=LOCAL
}

realm uwic.ac.uk {
authhost=LOCAL
accthost=LOCAL
}

realm DEFAULT {
auth_pool = eduroam
nostrip
}

However, as this file is generated on the fly, I don't know where these initial 
realm declarations are coming from! I've tried removing the reference to those 
three domains in the admin GUI under config/radius/realms, but they still 
reappear after reloading the config and restarting the services.

It's probably worth noting that this is an eduroam config, but not using the 
packetfence built in eduroam config (yet).

Cheers,
Andi


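The duplicate `default`/`DEFAULT` realm in this thread is the kind of thing worth catching before radiusd is restarted. The following is an added example, not PacketFence or FreeRADIUS code: it parses a proxy.conf-style file into its top-level blocks, reports realms declared more than once (case-insensitively, which is why `default` and `DEFAULT` collide) and flags pools and home servers that are referenced but never defined. The sample input is constructed from the generated proxy.conf.inc quoted above, with `orps04` deliberately left undefined so the second check has something to report.

```python
"""Lint a FreeRADIUS proxy.conf-style file for the problem in this thread:
a realm declared twice, here as the built-in `default` and the template's
`DEFAULT` (FreeRADIUS compares realm names case-insensitively).

Added example; not PacketFence or FreeRADIUS code. Assumes only the block
syntax visible on the page: `keyword name {` ... `}` at top level,
`key = value` or a bare flag (nostrip) inside, and `#` comments.
"""
import re

BLOCK_OPEN = re.compile(r"^\s*(\w+)\s+([^\s{]+)\s*\{\s*$")
KEY_VALUE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$")


def parse_blocks(text):
    """Return [(keyword, name, {key: [values]})] for each top-level block."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments (a '#' inside a secret is not handled)
        if not line.strip():
            continue
        if depth == 0:
            m = BLOCK_OPEN.match(line)
            if m:
                current = (m.group(1), m.group(2), {})
                blocks.append(current)
                depth = 1
            continue                           # stray text outside blocks is ignored
        if line.strip() == "}":
            depth -= 1
            continue
        if line.endswith("{"):
            depth += 1                         # nested sub-section: contents not needed here
            continue
        if depth == 1:
            m = KEY_VALUE.match(line)
            key, value = (m.group(1), m.group(2)) if m else (line.strip(), "")
            current[2].setdefault(key, []).append(value)
    return blocks


def find_duplicate_realms(text):
    """{lowercased realm: [names as written]} for realms declared more than once."""
    seen = {}
    for keyword, name, _ in parse_blocks(text):
        if keyword == "realm":
            seen.setdefault(name.lower(), []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


def find_dangling_references(text):
    """Pools named by a realm but never defined, and pool members with no home_server."""
    blocks = parse_blocks(text)
    pools = {n for k, n, _ in blocks if k == "home_server_pool"}
    servers = {n for k, n, _ in blocks if k == "home_server"}
    problems = []
    for keyword, name, opts in blocks:
        if keyword == "realm":
            for key in ("auth_pool", "acct_pool"):
                for pool in opts.get(key, []):
                    if pool not in pools:
                        problems.append(f"realm {name}: {key} {pool} is not a home_server_pool")
        elif keyword == "home_server_pool":
            for member in opts.get("home_server", []):
                if member not in servers:
                    problems.append(f"home_server_pool {name}: home_server {member} is not defined")
    return problems


# Constructed from the generated proxy.conf.inc quoted in the thread; orps04 is
# deliberately left undefined so the dangling-reference check has a hit.
SAMPLE = """\
realm default {
}
realm local {
}
home_server orps03.cardiffmet.ac.uk {
    type = auth
    ipaddr = 193.62.96.44
    port = 1812
    secret = PLACEHOLDER_SECRET
    require_message_authenticator = yes
}
home_server_pool eduroam {
    type = client-balance
    home_server = orps03.cardiffmet.ac.uk
    home_server = orps04.cardiffmet.ac.uk
}
realm cardiffmet.ac.uk {
    authhost = LOCAL
    accthost = LOCAL
}
realm DEFAULT {
    auth_pool = eduroam
    nostrip
} # realm DEFAULT
"""

if __name__ == "__main__":
    for lowered, names in find_duplicate_realms(SAMPLE).items():
        print(f"realm '{lowered}' declared {len(names)} times: {names}")
    for problem in find_dangling_references(SAMPLE):
        print(problem)
```

Run it against the generated raddb/proxy.conf before a restart; on 6.4 and later the realm options belong in the PacketFence realm configuration, as Julien describes, rather than in a second `DEFAULT` block.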


[PacketFence-users] upgrade 6.2.1-6.4 - radius no longer starting

2017-01-03 Thread Morris, Andi
Hi all,
upgrading my 6.2.1 to 6.4 running CentOS 7.3.1611 release today has resulted in 
my radiusd and radiusd-acct services not starting.

Firstly I was getting the following error:
service|command
httpd.admin|already started
Checking configuration sanity...
WARNING - Cannot open the following certificate 
%%install_dir%%/raddb/certs/pfenceha.crt
radiusd-acct|not started
radiusd|not started

so I found the line in eap.conf and edited it so it showed:
certificate_file = [% install_dir %]/raddb/certs/pfenceha.crt

after reloading the config and restarting the pf services I no longer see the 
error, however the radius services will still not start.

Running radiusd -X -d /usr/local/pf/raddb I could see the debug bombing out 
because the default realm was being declared twice:

snip-
   mrc = 5
mrd = 30
  }
}
WARNING: Ignoring "response_window = 30.00", forcing to "response_window = 
10.00"
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
realm cardiffmet.ac.uk {
authhost = LOCAL
accthost = LOCAL
}
realm uwic.ac.uk {
authhost = LOCAL
accthost = LOCAL
}
home_server_pool eduroam {
type = client-balance
home_server = orps03.cardiffmet.ac.uk
home_server = orps04.cardiffmet.ac.uk
}
realm DEFAULT {
auth_pool = eduroam
nostrip
} # realm DEFAULT
snip

Further investigation showed that this is being pulled from 
raddb/proxy.conf.inc:

# This file is generated from a template at 
/usr/local/pf/conf/radiusd/proxy.conf.inc
# Any changes made to this file will be lost on restart

# Eduroam integration is not configured

realm default {

}
realm local {

}
realm null {

}

home_server orps03.cardiffmet.ac.uk {
type = auth
ipaddr = 193.62.96.44
port = 1812
secret = *
require_message_authenticator = yes
}

home_server orps04.cardiffmet.ac.uk {
type = auth
ipaddr = 193.62.96.45
port = 1812
secret = **
require_message_authenticator = yes
}



home_server_pool eduroam {
type = client-balance
home_server = orps03.cardiffmet.ac.uk
home_server = orps04.cardiffmet.ac.uk
}

realm cardiffmet.ac.uk {
authhost=LOCAL
accthost=LOCAL
}

realm uwic.ac.uk {
authhost=LOCAL
accthost=LOCAL
}

realm DEFAULT {
auth_pool = eduroam
nostrip
}

However, as this file is generated on the fly, I don't know where these initial 
realm declarations are coming from! I've tried removing the reference to those 
three domains in the admin GUI under config/radius/realms, but they still 
reappear after reloading the config and restarting the services.

It's probably worth noting that this is an eduroam config, but not using the 
packetfence built in eduroam config (yet).

Cheers,
Andi




Re: [PacketFence-users] PacketFence v7 - Will clustering be easier?

2016-12-13 Thread Morris, Andi
Hi,
I’ve used PF in a clustered environment previously (version 5) and had more 
downtime because of it than I did without. This wasn’t directly an issue with 
PacketFence, but with the way that DRBD ties in with the Linux kernel, and how 
to maintain an up to date kernel whilst running this technology.

Personally I’m hoping that the upcoming version 7 clustering will resolve my 
worries around this, as currently we’re relying on VMware to help to mitigate 
the single point of failure that is currently our database server. It certainly 
sounds very promising.

Cheers,
Andi

From: Tobias Friede [mailto:t.fri...@gmail.com]
Sent: 13 December 2016 14:41
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PacketFence v7 - Will clustering be easier?

2016-12-12 22:43 GMT+01:00 Tim DeNike:
Umm As far as clusters go, packetfence is pretty damn easy IMHO..

Mhh, I tried many installations and followed the Cluster Guide.
I always got stuck at the point where the filesystem is created on the 
DRBD cluster.
I just get I/O errors after mounting the partition. Maybe the documentation 
is not up to date?



Greetings
Tobias





On Mon, Dec 12, 2016 at 3:47 PM, Tobias Friede wrote:
Hi,

nice announcement, thanks for your great work !

From: Ludovic Marcotte
> Database Clustering - PacketFence v7 will make use of MariaDB Galera Cluster. 
> Each PacketFence server will hold a copy of the database and any cluster 
> member detaching itself from the clustered environment will still work and 
> handle endpoint connections gracefully. It will automatically resynchronize 
> itself to the cluster when network connectivity is restored;

The big question is: will clustering be easier than in packetfence 6.x?

The complicated cluster integration is one of the biggest disadvantages of 
PacketFence; that's why we cluster PacketFence with VMware technologies and not 
with built-in features.
But VMware helps only in case of hardware and network issues and not in case of 
software issues, so I would prefer an integrated cluster mechanism.


Greetings from Germany
Tobias








[PacketFence-users] Fortigate SSO

2016-11-22 Thread Morris, Andi
Hi all,
I'm trying to configure our Packetfence Guest setup (6.2.1) to send radius 
accounting data to our fortigates in order to see the username in the firewall 
logs, rather than just the IP. As far as I can see everything is configured 
correctly, as per the guide here:
https://packetfence.org/downloads/PacketFence/doc/PacketFence_FortiGate_Quick_Install_Guide-5.0.0.pdf

But I'm not seeing the relevant data in the firewall logs. I know the 
accounting data is reaching Packetfence from my WLC as I can see the 
online/offline status of each node, but I can't tell what information is being 
passed on.

Which log file do I need to look at to find whether the data is indeed being 
sent? I'm presuming pfqueue.log, but I don't see anything related in there.

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
Skype for Business: amor...@cardiffmet.ac.uk
--



Re: [PacketFence-users] Captive Portal and SSL - Unresolvable task?

2016-11-21 Thread Morris, Andi
Hi all,
A quick update on this, disabling the Captive Portal Bypass mechanism option 
and keeping wispr enabled seems to have resolved this.

More testing to be done, but it looks good so far.

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 15 November 2016 09:24
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive Portal and SSL - Unresolvable task?

Hi all,
Sorry to bump an oldish topic, but this is an issue we're seeing a lot of. 
Users are seeing the HSTS error when trying to connect to our Guest network and 
I'm not sure the best way around this, if there's any way at all.

In our config (6.2.1) we have both captive portal detection bypass and WISPr 
enabled. However to my understanding one is in contradiction to the other. 
Don't we want the device to recognise that it's in a captive portal in order to 
display the WISPr page?

The snippet from our pf.conf shows:
[captive_portal]
#
# captive_portal.detection_mecanism_bypass
#
# Bypass the captive-portal detection mechanism of some browsers / end-points 
by proxying the detection request.
detection_mecanism_bypass=enabled
#
# captive_portal.detection_mecanism_urls
#
# Comma-delimited list of URLs known to be used by devices to detect the 
presence
# of a captive portal and trigger their captive portal mechanism.
detection_mecanism_urls=http://connectivitycheck.gstatic.com/generate_204

Cheers,
Andi


From: g4-l...@tonarchiv.ch [mailto:g4-l...@tonarchiv.ch]
Sent: 16 August 2016 01:36
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive Portal and SSL - Unresolvable task?




On 15.08.2016 16:30, Louis Munro wrote:

On Aug 14, 2016, at 4:51 PM, g4-l...@tonarchiv.ch wrote:

Can you please explain to me in a few words what the option 
captive_portal.wispr_redirection does? What happens on a WISPr-capable device 
when we use PacketFence with captive portal, and this option is enabled?

It will return a XML WISPr payload to the device instead of an html page, 
telling it where to login.
The device should then open its WISPr client and connect to the provided URL.

If you disable that option, WISPr will not be detected or acted upon.

So what we see in the end is our captive portal nevertheless? But it is not 
possible to tell a WISPr client to open a real browser and redirect him to a 
page at the end, when Internet has been granted?

And, one last question: are this captive portal detection mechanism and WISPr 
dependent on each other? I.e. when I enable the option "Captive Portal 
detection mechanism bypass", then the WISPr ability of PacketFence cannot be 
triggered?

Thank you for your help, I appreciate this very much!
Till


Re: [PacketFence-users] Captive Portal and SSL - Unresolvable task?

2016-11-15 Thread Morris, Andi
Hi all,
Sorry to bump an oldish topic, but this is an issue we're seeing a lot of. 
Users are seeing the HSTS error when trying to connect to our Guest network and 
I'm not sure the best way around this, if there's any way at all.

In our config (6.2.1) we have both captive portal detection bypass and WISPr 
enabled. However to my understanding one is in contradiction to the other. 
Don't we want the device to recognise that it's in a captive portal in order to 
display the WISPr page?

The snippet from our pf.conf shows:
[captive_portal]
#
# captive_portal.detection_mecanism_bypass
#
# Bypass the captive-portal detection mechanism of some browsers / end-points 
by proxying the detection request.
detection_mecanism_bypass=enabled
#
# captive_portal.detection_mecanism_urls
#
# Comma-delimited list of URLs known to be used by devices to detect the 
presence
# of a captive portal and trigger their captive portal mechanism.
detection_mecanism_urls=http://connectivitycheck.gstatic.com/generate_204

Cheers,
Andi


From: g4-l...@tonarchiv.ch [mailto:g4-l...@tonarchiv.ch]
Sent: 16 August 2016 01:36
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive Portal and SSL - Unresolvable task?




On 15.08.2016 16:30, Louis Munro wrote:

On Aug 14, 2016, at 4:51 PM, g4-l...@tonarchiv.ch 
wrote:

Can you please explain to me in a few words what the option 
captive_portal.wispr_redirection does? What happens on a WISPr-capable device 
when we use PacketFence with captive portal, and this option is enabled?

It will return a XML WISPr payload to the device instead of an html page, 
telling it where to login.
The device should then open its WISPr client and connect to the provided URL.

If you disable that option, WISPr will not be detected or acted upon.

So what we see in the end is our captive portal nevertheless? But it is not 
possible to tell a WISPr client to open a real browser and redirect him to a 
page at the end, when Internet has been granted?

And, one last question: are this captive portal detection mechanism and WISPr 
dependent on each other? I.e. when I enable the option "Captive Portal 
detection mechanism bypass", then the WISPr ability of PacketFence cannot be 
triggered?

Thank you for your help, I appreciate this very much!
Till
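A small model of the probe handling this thread is arguing about, added here as an example and not taken from PacketFence: it shows what a device's `generate_204` probe gets back with `detection_mecanism_bypass` on versus off, how that decides whether the device believes it is online or captive, and where the WISPr XML payload Louis describes fits in. `PortalSettings`, `handle_probe`, `device_state`, `next_step`, `probe_outcome` and the portal URL are invented for the example.

```python
"""Model of what a device's captive-portal probe gets back under the two
pf.conf settings discussed in this thread, and what the device then does.

Added example, not PacketFence code: it reproduces the behaviour the thread
describes (bypass enabled proxies the probe, so the device receives the real
204 and believes it is online; bypass disabled lets the portal answer, and a
WISPr client gets an XML payload). All names below are invented for the example.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Detection URL from the detection_mecanism_urls line in the pf.conf snippet.
DETECTION_URLS = {"http://connectivitycheck.gstatic.com/generate_204"}
PORTAL_URL = "https://portal.example.invalid/captive-portal"   # placeholder


@dataclass
class PortalSettings:
    detection_mecanism_bypass: bool   # pf.conf key, spelt as on the page
    wispr_redirection: bool


def wispr_payload(login_url):
    """WISPr-style XML telling a WISPr-capable client where to log in."""
    root = ET.Element("WISPAccessGatewayParam")
    redirect = ET.SubElement(root, "Redirect")
    ET.SubElement(redirect, "MessageType").text = "100"
    ET.SubElement(redirect, "ResponseCode").text = "0"
    ET.SubElement(redirect, "LoginURL").text = login_url
    return ET.tostring(root, encoding="unicode")


def handle_probe(url, wispr_client, settings):
    """(status, headers, body) the portal returns to an unregistered device's probe."""
    if url in DETECTION_URLS and settings.detection_mecanism_bypass:
        # Bypass on: the probe is proxied upstream and the genuine 204 is relayed back,
        # so neither the HTML portal nor the WISPr payload is ever reached.
        return 204, {}, ""
    if wispr_client and settings.wispr_redirection:
        # WISPr client: XML payload instead of an HTML page.
        return 200, {"Content-Type": "text/xml"}, wispr_payload(PORTAL_URL)
    # Ordinary browser probe: redirect to the portal page.
    return 302, {"Location": PORTAL_URL}, ""


def device_state(url, status):
    """A 204 on a known detection URL means 'online'; anything else means 'captive'."""
    return "online" if url in DETECTION_URLS and status == 204 else "captive"


def next_step(state):
    """Consequence for the user. A device that believes it is online goes straight
    to its normal traffic; when that is an HTTPS site with HSTS, the portal's
    interception of the connection is the HSTS error the thread reports.
    A device that knows it is captive opens the portal helper (or WISPr client)."""
    return "hsts_error_on_first_https_site" if state == "online" else "portal_login_shown"


def probe_outcome(wispr_client, settings,
                  url="http://connectivitycheck.gstatic.com/generate_204"):
    """Run one probe through the model and summarise what happens."""
    status, _headers, body = handle_probe(url, wispr_client, settings)
    state = device_state(url, status)
    return {"status": status, "state": state, "next": next_step(state),
            "wispr_xml": "<LoginURL>" in body}


if __name__ == "__main__":
    for bypass in (True, False):
        for wispr in (False, True):
            s = PortalSettings(detection_mecanism_bypass=bypass, wispr_redirection=True)
            print(f"bypass={bypass!s:5} wispr_client={wispr!s:5} -> {probe_outcome(wispr, s)}")
```

The bypass=True rows are the contradiction Andi points out: with the probe proxied, a WISPr client never sees the payload, and the device's first HSTS site is where the user meets the error.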


Re: [PacketFence-users] Security Onion alerts not triggering

2016-10-14 Thread Morris, Andi
Hi,
I do have a security onion parser, however I’m not running the maintenance 
branch as this is a production system. I’m guessing I’m hitting the issue that 
Julien said is fixed in the maintenance branch.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 13 October 2016 17:20
To: Morris, Andi <amor...@cardiffmet.ac.uk>; 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Security Onion alerts not triggering


Hi,

I created a unit test (https://github.com/inverse-inc/packetfence/pull/1759) 
and can validate that the "security_onion" syslog parser still works correctly 
directly from the log you previously gave, and that the "detect" violation 
trigger still works fine and fires on parsed SIDs.



Clarifications from previous post:

The "detect" violation trigger serves to test upon unified 
Snort/Suricata/SecurityOnion outputs and find the SID part of the message 
extracted from the different syslog parsers configured on your system.
The "suricata_event" violation trigger serves to test upon unified 
Snort/Suricata/SecurityOnion outputs and find the "message" part of the message 
extracted from the different syslog parsers configured on your system.



Can you validate that you have a "security_onion" syslog parser configured in 
the GUI, as defined in section 13.1.3 here:

https://packetfence.org/doc/PacketFence_Administration_Guide.html#_blocking_malicious_activities_with_violations



Else I cannot understand why your usage of the "detect" violation trigger was not 
working previously if you have run the maintenance. I'm glad it works, though.

Thierry


On 10/13/2016 10:04 AM, Thierry Laurion wrote:

I investigated a little more with my coworker and you seem to have found a bug! 
:)

You should be able to use the detect trigger with SIDs if the SecurityOnion 
syslog parser is activated, which seems to be the case.

I will return to you once it is fixed; it seems that SecurityOnion changed its 
format or something!

I will reply to the list when done. Thanks for reporting.

Thierry

On 10/13/2016 09:48 AM, Morris, Andi wrote:
Apologies, I thought I did. I didn’t mean to email you directly. I’ll update 
the list now.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 13 October 2016 14:47
To: Morris, Andi <amor...@cardiffmet.ac.uk>
Subject: Re: [PacketFence-users] Security Onion alerts not triggering




My pleasure!

You should write that to the list, so that the whole community knows it worked.

Thanks,

On 10/13/2016 05:44 AM, Morris, Andi wrote:
Thanks Thierry, this fixed my issue.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 07 October 2016 18:09
To: packetfence-users@lists.sourceforge.net
Cc: Morris, Andi <amor...@cardiffmet.ac.uk>
Subject: Re: [PacketFence-users] Security Onion alerts not triggering

Hi,

The "detect" trigger matches numerical SIDs found in Snort and Suricata 
generated "alert" logs, which have a different format than the "digested" logs 
of SecurityOnion.

As an example, here is the kind of log that Suricata and Snort generate when 
in "alert" mode:
'07/28/2015-09:09:59.431113  [**] [1:2221002:1] SURICATA HTTP request field 
missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 
3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000'


You should use "suricata_event" triggers in your SecurityOnion related 
violations, which match text and are more generic.

Modify the violation 153 for it to match "ET P2P Vuze BT UDP Connection". 
That would be a broader match and would also generate a violation for the 
following SIDs:
sid-msg.map:2010140 || ET P2P Vuze BT UDP Connection || 
url,doc.emergingthreats.net/2010140 || url,vuze.com
sid-msg.map:2010141 || ET P2P Vuze BT UDP Connection (2) || 
url,doc.emergingthreats.net/2010141 || url,vuze.com
sid-msg.map:2010142 || ET P2P Vuze BT UDP Connection (3) || 
url,doc.emergingthreats.net/2010142
sid-msg.map:2010143 || ET P2P Vuze BT UDP Connection (4) || 
url,doc.emergingthreats.net/2010143
sid-msg.map:2010144 || ET P2P Vuze BT UDP Connection (5) || 
url,doc.emergingthreats.net/2010144 || url,vuze.com


Regards,
Thierry Laurion
An update, I’m now getting the alerts hitting pfdetect, but they’re still not 
triggering the violation with the same ID.
pfdetect.log shows:
Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct  7 14:23:40 idsman01 
securityonion_ids: 14:23:40 pid(24921)  Alert Received: 0 1 policy-violation 
idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET P2P Vuze BT UDP 
Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92
' (main::_run_detector)


The relevant section of violation.conf is:
[

Re: [PacketFence-users] Security Onion alerts not triggering

2016-10-13 Thread Morris, Andi
Thanks Thierry, this fixed my issue.

Cheers,
Andi


From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 07 October 2016 18:09
To: packetfence-users@lists.sourceforge.net
Cc: Morris, Andi <amor...@cardiffmet.ac.uk>
Subject: Re: [PacketFence-users] Security Onion alerts not triggering

Hi,

The "detect" trigger matches numerical SIDs found in Snort and Suricata 
generated "alert" logs, which have a different format than the "digested" logs 
of SecurityOnion.

As an example, here is the kind of log that Suricata and Snort generate when 
in "alert" mode:
'07/28/2015-09:09:59.431113  [**] [1:2221002:1] SURICATA HTTP request field 
missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 
3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000'


You should use "suricata_event" triggers in your SecurityOnion related 
violations, which match text and are more generic.

Modify the violation 153 for it to match "ET P2P Vuze BT UDP Connection". 
That would be a broader match and would also generate a violation for the 
following SIDs:
sid-msg.map:2010140 || ET P2P Vuze BT UDP Connection || 
url,doc.emergingthreats.net/2010140 || url,vuze.com
sid-msg.map:2010141 || ET P2P Vuze BT UDP Connection (2) || 
url,doc.emergingthreats.net/2010141 || url,vuze.com
sid-msg.map:2010142 || ET P2P Vuze BT UDP Connection (3) || 
url,doc.emergingthreats.net/2010142
sid-msg.map:2010143 || ET P2P Vuze BT UDP Connection (4) || 
url,doc.emergingthreats.net/2010143
sid-msg.map:2010144 || ET P2P Vuze BT UDP Connection (5) || 
url,doc.emergingthreats.net/2010144 || url,vuze.com


Regards,
Thierry Laurion
An update, I’m now getting the alerts hitting pfdetect, but they’re still not 
triggering the violation with the same ID.
pfdetect.log shows:
Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct  7 14:23:40 idsman01 
securityonion_ids: 14:23:40 pid(24921)  Alert Received: 0 1 policy-violation 
idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET P2P Vuze BT UDP 
Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92
' (main::_run_detector)


The relevant section of violation.conf is:
[153]
trigger=detect::2010140
actions=email_admin,reevaluate_access,log
max_enable=10
desc=P2P Vuze2
enabled=Y
template=p2p
grace=2h


From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 07 October 2016 14:56
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Security Onion alerts not triggering

Hi all,
I have configured my security onion server to send alerts to my packetfence 
server (version 6.2.1), and I can see that they’re getting there through 
TCPdump.

IDS server:
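To make Thierry's point concrete, here is an added example (not PacketFence's pfdetect or syslog-parser code) that parses both alert formats quoted in this thread into a common (sid, msg) event and evaluates a `detect::<sid>` trigger against a `suricata_event::<text>` trigger over the five sid-msg.map entries he listed. The Security Onion field order after the message is inferred from the single line on the page, and `suricata_event` is modelled as a substring match; both are assumptions.

```python
"""Parse the two alert formats quoted in this thread and evaluate
`detect::<sid>` against `suricata_event::<text>` triggers over them.

Added example, not PacketFence's pfdetect or syslog-parser code. Assumptions:
the Security Onion field order after the message ({msg} src dst proto sport
dport gid sid rev ...) is inferred from the single line on the page, and
`suricata_event` is modelled as a substring match on the message text.
"""
import re

# Snort/Suricata fast-alert line, copied from Thierry's message.
FAST_ALERT = ("07/28/2015-09:09:59.431113  [**] [1:2221002:1] SURICATA HTTP request field "
              "missing colon [**] [Classification: Generic Protocol Command Decode] "
              "[Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000")
# Security Onion digested line, copied from the pfdetect.log excerpt above.
SO_ALERT = ("Oct  7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921)  Alert Received: "
            "0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 "
            "{ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92")

# [gid:sid:rev] followed by the rule message, bracketed by the [**] markers.
FAST_RE = re.compile(r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]")
# Field positions inferred from SO_ALERT (assumption, see docstring).
SO_RE = re.compile(
    r"securityonion_ids:.*?Alert Received:\s+\d+\s+\d+\s+\S+\s+(?P<sensor>\S+)\s+"
    r"\{(?P<ts>[^}]*)\}\s+\d+\s+\d+\s+\{(?P<msg>[^}]*)\}\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<gid>\d+)\s+(?P<sid>\d+)\s+(?P<rev>\d+)")


def parse_alert(line):
    """Normalise either format to a dict with 'format', 'sid' and 'msg'; None if unknown."""
    m = SO_RE.search(line)
    if m:
        return {"format": "securityonion", "sid": int(m["sid"]), "msg": m["msg"],
                "src": m["src"], "dst": m["dst"]}
    m = FAST_RE.search(line)
    if m:
        return {"format": "fast", "sid": int(m["sid"]), "msg": m["msg"], "src": None, "dst": None}
    return None


def trigger_matches(trigger, event):
    """Evaluate a violation trigger written like the ones in violation.conf:
    `detect::<sid>` compares the numeric SID, `suricata_event::<text>` looks
    for the text in the rule message (substring match is an assumption)."""
    kind, _, arg = trigger.partition("::")
    if kind == "detect":
        return event["sid"] == int(arg)
    if kind == "suricata_event":
        return arg in event["msg"]
    raise ValueError(f"unsupported trigger type: {kind}")


# The sid-msg.map entries Thierry listed.
SID_MSG_MAP = {
    2010140: "ET P2P Vuze BT UDP Connection",
    2010141: "ET P2P Vuze BT UDP Connection (2)",
    2010142: "ET P2P Vuze BT UDP Connection (3)",
    2010143: "ET P2P Vuze BT UDP Connection (4)",
    2010144: "ET P2P Vuze BT UDP Connection (5)",
}


def so_line_for(sid, msg):
    """Constructed Security Onion line with the layout of SO_ALERT but another rule."""
    return (SO_ALERT.replace("{ET P2P Vuze BT UDP Connection}", "{" + msg + "}")
                    .replace(" 1 2010140 6 ", f" 1 {sid} 6 "))


def sids_fired(trigger, events):
    """SIDs of the events a trigger would fire on."""
    return sorted(e["sid"] for e in events if trigger_matches(trigger, e))


VUZE_EVENTS = [parse_alert(so_line_for(sid, msg)) for sid, msg in SID_MSG_MAP.items()]

if __name__ == "__main__":
    print(parse_alert(FAST_ALERT))
    print(parse_alert(SO_ALERT))
    print("detect::2010140 fires on", sids_fired("detect::2010140", VUZE_EVENTS))
    print("suricata_event::ET P2P Vuze BT UDP Connection fires on",
          sids_fired("suricata_event::ET P2P Vuze BT UDP Connection", VUZE_EVENTS))
```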

Re: [PacketFence-users] Security Onion alerts not triggering

2016-10-07 Thread Morris, Andi
An update, I'm now getting the alerts hitting pfdetect, but they're still not 
triggering the violation with the same ID.
pfdetect.log shows:
Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct  7 14:23:40 idsman01 
securityonion_ids: 14:23:40 pid(24921)  Alert Received: 0 1 policy-violation 
idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET P2P Vuze BT UDP 
Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92
' (main::_run_detector)


The relevant section of violation.conf is:
[153]
trigger=detect::2010140
actions=email_admin,reevaluate_access,log
max_enable=10
desc=P2P Vuze
enabled=Y
template=p2p
grace=2h


From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 07 October 2016 14:56
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Security Onion alerts not triggering

Hi all,
I have configured my security onion server to send alerts to my packetfence 
server (version 6.2.1), and I can see that they're getting there through 
TCPdump.

IDS server:
PF server:

[PacketFence-users] Security Onion alerts not triggering

2016-10-07 Thread Morris, Andi
Hi all,
I have configured my security onion server to send alerts to my packetfence 
server (version 6.2.1), and I can see that they're getting there through 
TCPdump.

IDS server:
13:37:02.260031 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 240
13:37:02.260216 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
13:37:12.271539 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
13:37:57.325078 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
13:37:57.326236 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
13:38:07.342397 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
13:38:37.377503 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
13:38:55.401715 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
13:38:55.401858 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
13:38:55.401895 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
13:38:55.401921 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
13:39:03.412383 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
13:39:07.418010 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
13:39:07.418098 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
13:39:07.418113 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
13:39:07.418132 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
13:39:07.418153 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
13:39:07.418172 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
13:39:22.434608 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
PF server:
14:37:12.272395 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
14:37:57.325970 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
14:37:57.326980 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
14:38:07.343228 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
14:38:37.378338 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
14:38:55.402550 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
14:38:55.402583 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
14:38:55.402610 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
14:38:55.402632 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
14:39:03.413187 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
14:39:07.418795 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
14:39:07.418819 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
14:39:07.418836 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
14:39:07.418865 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
14:39:07.418922 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
14:39:07.418927 IP idsserver.internal.domain.35871 > 
packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242

I've configured the rsyslog as per the packetfence docs, and created the syslog 
parser and the violations I'd like to trigger. However the violation isn't 
triggering when I can see from the sguild.log on the IDS server that it's being 
seen. Looking at pfdetect.log I can see the following which suggests that for 
some reason the syslogger isn't sending the alert to packetfence:
Oct 07 14:46:41 pfdetect(11814) INFO: pfdetect starting and writing 11814 to 
/usr/local/pf/var/run/pfdetect.pid (pf::services::util::createpid)
Oct 07 
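The capture above shows the datagrams reaching the PacketFence host tagged user.notice, which is PRI 13. The next thing to check is what is inside them and whether the configured syslog parser's pattern matches that text, because tcpdump seeing traffic only proves delivery. The following Python is an added example, not code from PacketFence, Security Onion or this thread: it decodes RFC 3164 syslog datagrams, maps PRI back to facility and severity, and tries a Snort-style alert pattern against the message body. The datagrams and the alert layout are constructed, and ALERT_RE is a stand-in for whatever regular expression the PacketFence syslog parser is configured with, not that parser's own.

```python
"""Decode the syslog datagrams an IDS forwards to a NAC host and check whether
each one carries an alert that a parser regex could turn into a trigger.
Added example (not PacketFence's or Security Onion's code); the alert line
shape and the datagrams below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164 facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (BSD syslog layout, RFC 3164)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)

# Assumed alert layout, modelled on a Snort-style "fast" alert sent over syslog:
# [gid:sid:rev] NAME [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
# This is NOT PacketFence's syslog-parser regex; it stands in for one.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<name>.+?)\s+"
    r"(?:\[Classification: (?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    msg: str


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity); 13 decodes to user.notice."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(datagram: bytes) -> Optional[SyslogMessage]:
    """Return the decoded message, or None if the datagram is not RFC 3164 shaped."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", errors="replace"))
    if m is None:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return SyslogMessage(facility, severity, m["ts"], m["host"], m["tag"], m["msg"])


def extract_trigger(message: SyslogMessage) -> Optional[dict]:
    """Pull the fields a NAC needs (offending IP, signature id) out of the alert text."""
    m = ALERT_RE.search(message.msg)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "sid": int(m["sid"]),
            "priority": int(m["prio"]), "name": m["name"]}


# Constructed datagrams: a well-formed alert, an unrelated notice from the same
# host, and a line that lost its <PRI> header and is therefore not syslog at all.
SAMPLES = [
    b"<13>Oct  7 14:46:41 idsserver snort[2231]: [1:1000001:1] LOCAL TEST portscan probe "
    b"[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    b"192.168.225.28:51234 -> 192.168.225.40:22",
    b"<13>Oct  7 14:46:41 idsserver sguild: alert forwarded to syslog",
    b"Oct  7 14:46:41 idsserver snort[2231]: [1:1000001:1] LOCAL TEST portscan probe",
]


def triage(datagrams: List[bytes]) -> List[Tuple[str, object]]:
    """Classify each datagram: 'trigger' (alert fields parsed), 'no-match' (valid
    syslog but nothing the alert pattern recognises), or 'unparsable'."""
    results: List[Tuple[str, object]] = []
    for d in datagrams:
        message = parse_syslog(d)
        if message is None:
            results.append(("unparsable", d))
            continue
        trigger = extract_trigger(message)
        results.append(("trigger", trigger) if trigger else ("no-match", message))
    return results


if __name__ == "__main__":
    for verdict, detail in triage(SAMPLES):
        print(verdict, detail)
```

The case to look at when tcpdump shows datagrams arriving but no violation is raised is "no-match": the message got through with the expected facility, but its body is not what the parser's pattern expects, so the fix is on the pattern or on the sensor's output format rather than on delivery.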

Re: [PacketFence-users] maintenance script with remote database

2016-09-29 Thread Morris, Andi
Hi Louis,
The error was to do with calls for log4perl.pm coming from the 
database-cleaner.pl script. I can get the exact error if you need it.

Yes, I have now commented out the DB dump from the main script and am running 
that separately. As mentioned, this means that if I want the script to clean up 
the tables, and optimise I still need the mariadb daemon to be running on the 
packetfence server. I was basically wondering whether this is a required check 
in this situation.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 28 September 2016 17:44
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] maintenance script with remote database


On Sep 28, 2016, at 11:55 AM, Morris, Andi 
<amor...@cardiffmet.ac.uk> wrote:

Apologies, I mean the database cleaner script being run remotely, not the 
optimisation.



What was the error?
Of course, if you run the database backup script on another server you will 
need to copy the database-cleaner script and all its dependencies to it.

It may be simpler to edit the backup script to only run the cleaner and not 
dump the database and then run it from the PF server.


Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] maintenance script with remote database

2016-09-28 Thread Morris, Andi
Apologies, I mean the database cleaner script being run remotely, not the 
optimisation.

From: Morris, Andi
Sent: 28 September 2016 16:52
To: 'packetfence-users@lists.sourceforge.net' 
<packetfence-users@lists.sourceforge.net>
Subject: RE: [PacketFence-users] maintenance script with remote database

Hi Louis,
I’ve edited the script with the variables and the backup works fine on the DB 
server, it’s the optimisation that isn’t. However, presuming that running the 
optimisation commands doesn’t dump the database locally first that should be ok 
to run from the pf app server I guess. Although that does still mean I need to 
have mariadb running on the packetfence server.

I’ll keep playing with the script remotely to see what I can do.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 28 September 2016 16:02
To: 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] maintenance script with remote database


On Sep 28, 2016, at 10:34 AM, Morris, Andi 
<amor...@cardiffmet.ac.uk> wrote:

Hi Louis,
That makes sense, but in practice I get errors when running this on a server 
that hasn’t had packetfence installed as there are calls to log4perl.pm files 
in the database-cleaner.pl script.


You would need to edit it to fill in some variables, like the db name, username 
and password.
Don't be afraid to play with the script.
There's nothing really fancy in there.


Out of interest, what’s the danger of running this script from a packetfence 
server against a remote db server? Is it likely to cause an issue?


The issue is that it would have to copy the database over the network and dump 
the copy on the server you are running it from.
While that is doable, it is not really recommended.
You might end up saturating the link between those two servers during the dump.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)



Re: [PacketFence-users] maintenance script with remote database

2016-09-28 Thread Morris, Andi
Hi Louis,
I’ve edited the script with the variables and the backup works fine on the DB 
server, it’s the optimisation that isn’t. However, presuming that running the 
optimisation commands doesn’t dump the database locally first that should be ok 
to run from the pf app server I guess. Although that does still mean I need to 
have mariadb running on the packetfence server.

I’ll keep playing with the script remotely to see what I can do.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 28 September 2016 16:02
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] maintenance script with remote database


On Sep 28, 2016, at 10:34 AM, Morris, Andi 
<amor...@cardiffmet.ac.uk> wrote:

Hi Louis,
That makes sense, but in practice I get errors when running this on a server 
that hasn’t had packetfence installed as there are calls to log4perl.pm files 
in the database-cleaner.pl script.


You would need to edit it to fill in some variables, like the db name, username 
and password.
Don't be afraid to play with the script.
There's nothing really fancy in there.



Out of interest, what’s the danger of running this script from a packetfence 
server against a remote db server? Is it likely to cause an issue?


The issue is that it would have to copy the database over the network and dump 
the copy on the server you are running it from.
While that is doable, it is not really recommended.
You might end up saturating the link between those two servers during the dump.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)



Re: [PacketFence-users] maintenance script with remote database

2016-09-28 Thread Morris, Andi
Hi Louis,
That makes sense, but in practice I get errors when running this on a server 
that hasn’t had packetfence installed as there are calls to log4perl.pm files 
in the database-cleaner.pl script.

Out of interest, what’s the danger of running this script from a packetfence 
server against a remote db server? Is it likely to cause an issue?

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 28 September 2016 14:26
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] maintenance script with remote database

Hi Andi,

The script will run but not backup the database if it's not running locally.
That is what the check for the `hostname`.pid does.

It will only backup the PF files that are present locally in that case.

I suggest you run that script on the database server itself.

The script does not send an email on its own.
Cron may send one, depending on how it's configured.

Makes sense?


On Sep 27, 2016, at 9:14 AM, Morris, Andi 
<amor...@cardiffmet.ac.uk> wrote:

Hi,
An update to this. It does seem to work well if the packetfence server is also 
running the mariadb service. Mine wasn’t as there’s no need for it if the 
database is on a remote server. Starting it meant that I could run the 
maintenance job and see the backups being created, as well as the optimisation 
being run.

Would you like me to log this as an issue on github?

On a related note, I can see that issue 1415 
https://github.com/inverse-inc/packetfence/issues/1415 mentions an email that 
is generated when this script is run. I’ve never had that email. Is it 
something that should be sent to the user designated for PF alerts? If not, is 
there scope for this to be added as an option?

Cheers,
Andi


Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)



Re: [PacketFence-users] maintenance script with remote database

2016-09-27 Thread Morris, Andi
Hi,
An update to this. It does seem to work well if the packetfence server is also 
running the mariadb service. Mine wasn't as there's no need for it if the 
database is on a remote server. Starting it meant that I could run the 
maintenance job and see the backups being created, as well as the optimisation 
being run.

Would you like me to log this as an issue on github?

On a related note, I can see that issue 1415 
https://github.com/inverse-inc/packetfence/issues/1415 mentions an email that 
is generated when this script is run. I've never had that email. Is it 
something that should be sent to the user designated for PF alerts? If not, is 
there scope for this to be added as an option?

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 21 September 2016 10:16
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] maintenance script with remote database

Hi all,
I've recently moved to a setup which has a remote database server, and I was 
wondering whether the regular addons/database-backup-and-maintenance.sh file 
will still run from the packetfence server to the remote DB server. I can see 
the flags inside the script calling for the database hostname, so I assume it 
does, however when I scheduled it to run last night I didn't get a DB dump 
saved, whereas I did get the files dump, so I'm also concerned that the table 
optimisation wouldn't run, and these are likely to get pretty large if not.

Cheers,
Andi


[PacketFence-users] maintenance script with remote database

2016-09-21 Thread Morris, Andi
Hi all,
I've recently moved to a setup which has a remote database server, and I was 
wondering whether the regular addons/database-backup-and-maintenance.sh file 
will still run from the packetfence server to the remote DB server. I can see 
the flags inside the script calling for the database hostname, so I assume it 
does, however when I scheduled it to run last night I didn't get a DB dump 
saved, whereas I did get the files dump, so I'm also concerned that the table 
optimisation wouldn't run, and these are likely to get pretty large if not.

Cheers,
Andi


Re: [PacketFence-users] parking violation bug?

2016-09-15 Thread Morris, Andi
Nobody else has seen this then? I can't work out why my parking violations are 
triggering after such a short period.

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 07 September 2016 12:50
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] parking violation bug?

Hi all,
I've set up parking to trap devices that have been in the setup portal for over 
3600 seconds, however I noticed a huge amount of users were triggering the 
violation. After doing some testing with my own phone I found that this was 
triggering after just 9 minutes.

I can't see how I've set this up wrong, there's not very much to actually set up!

Has anyone else seen this?

Cheers,
Andi


Re: [PacketFence-users] Block port scanning

2016-09-15 Thread Morris, Andi
You could use snort to trigger on signatures related to port scanning and send 
the culprit into the isolation VLAN.

Cheers,
Andi

From: Jonathan Brown [mailto:jbr...@fmcllc.com]
Sent: 14 September 2016 16:27
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Block port scanning

How would I block any host that tries to port scan my network into an isolated 
VLAN?

Sincerely,

Jonathan Brown



[PacketFence-users] parking violation bug?

2016-09-07 Thread Morris, Andi
Hi all,
I've set up parking to trap devices that have been in the setup portal for over 
3600 seconds, however I noticed a huge amount of users were triggering the 
violation. After doing some testing with my own phone I found that this was 
triggering after just 9 minutes.

I can't see how I've set this up wrong, there's not very much to actually set up!

Has anyone else seen this?

Cheers,
Andi


[PacketFence-users] Users connecting to registration network getting "not found in database" message

2016-08-22 Thread Morris, Andi
Hi all,
I'm getting some strange errors when smartphones connect to my registration 
network in order to register themselves as a guest. They see an error saying 
that their device was not found in the packetfence database.

Interestingly the IP address displayed on the user's screen was 192.168.225.28, 
but if I look in the nodes page of the GUI I see the same mac address has 
192.168.225.29. The MAC address displayed on the device was 0

After scanning the mailing list I found that OMAPI was suggested to be set up to 
rectify this, which has been done, but I'm still getting the error.

Some packetfence.log snippet from the time the device was connecting is below:
Aug 22 14:23:59 httpd.portal(4566) WARN: [mac:0] Unable to match MAC address to 
IP '192.168.225.28' (pf::iplog::ip2mac)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] Instantiate profile default 
(pf::Portal::ProfileFactory::_from_profile)
Aug 22 14:23:59 httpd.portal(4566) WARN: [mac:0] Unable to match MAC address to 
IP '192.168.225.28' (pf::iplog::ip2mac)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] Instantiate profile default 
(pf::Portal::ProfileFactory::_from_profile)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] Updating node user_agent with 
useragent: 'Mozilla/5.0 (Linux; Android 6.0; LG-H815 Build/MRA58K) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile 
Safari/537.36' 
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] database query failed with: 
Duplicate entry '0' for key 'PRIMARY' (errno: 1062) (pf::db::db_query_execute)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] violation not added, MAC 0 is 
invalid! trigger useragent::105 (pf::violation::violation_trigger)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] violation not added, MAC 0 is 
invalid! trigger useragent::4 (pf::violation::violation_trigger)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] violation not added, MAC 0 is 
invalid! trigger useragent::404 (pf::violation::violation_trigger)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] violation not added, MAC 0 is 
invalid! trigger useragent::300 (pf::violation::violation_trigger)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] violation not added, MAC 0 is 
invalid! trigger useragent::403 (pf::violation::violation_trigger)
Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] violation not added, MAC 0 is 
invalid! trigger useragent::100 (pf::violation::violation_trigger)
Aug 22 14:24:01 httpd.portal(4396) INFO: [mac:5c:70:a3:45:f1:a1] Dealing with a 
endpoint / browser with captive-portal detection capabilities while having 
captive-portal detection mechanism bypass enabled. Proxying 
(pf::web::dispatcher::handler)
Aug 22 14:24:49 httpd.portal(4396) INFO: [mac:5c:70:a3:45:f1:a1] Dealing with a 
endpoint / browser with captive-portal detection capabilities while having 
captive-portal detection mechanism bypass enabled. Proxying 
(pf::web::dispatcher::handler)
Aug 22 14:26:17 httpd.portal(4566) INFO: [mac:0] Dealing with a endpoint / 
browser with captive-portal detection capabilities while having captive-portal 
detection mechanism bypass enabled. Proxying (pf::web::dispatcher::handler)
Aug 22 14:26:20 httpd.portal(5040) INFO: [mac:5c:70:a3:45:f1:a1] Dealing with a 
endpoint / browser with captive-portal detection capabilities while having 
captive-portal detection mechanism bypass enabled. Proxying 
(pf::web::dispatcher::handler)
Aug 22 14:26:51 httpd.portal(5036) INFO: [mac:unknown] Memory configuration is 
not valid anymore for key resource::stats_levels in local cached_hash 
(pfconfig::cached::is_valid)
Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:unknown] Unable to match MAC 
address to IP '192.168.225.28' (pf::iplog::ip2mac)
Aug 22 14:26:51 httpd.portal(5036) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:unknown] Unable to match MAC 
address to IP '192.168.225.28' (pf::iplog::ip2mac)
Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:0] Unable to match MAC address to 
IP '192.168.225.28' (pf::iplog::ip2mac)
Aug 22 14:26:51 httpd.portal(5036) INFO: [mac:0] Instantiate profile default 
(pf::Portal::ProfileFactory::_from_profile)
Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:0] Unable to match MAC address to 
IP '192.168.225.28' (pf::iplog::ip2mac)
Aug 22 14:26:51 httpd.portal(5036) INFO: [mac:0] Instantiate profile default 
(pf::Portal::ProfileFactory::_from_profile)
Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:unknown] Unable to match MAC 
address to IP '192.168.225.28' (pf::iplog::ip2mac)
Aug 22 14:26:51 httpd.portal(5036) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:unknown] Unable to match MAC 
address to IP '192.168.225.28' (pf::iplog::ip2mac)
Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:0] Unable to match MAC address to 
IP 
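What the excerpt shows is the portal process repeatedly failing to map 192.168.225.28 to a MAC, carrying on under the literal MAC "0", and then a database write keyed on that "0" failing as a duplicate. Counting those events across a whole log makes it clear how widespread the problem is and which IPs are affected. The following Python is an added example, not PacketFence code: it parses lines in the layout shown above and tallies ip2mac failures per IP, events logged under a value that is not a real MAC address, and database errors. The sample lines are constructed from the shapes in the post, with the line wrapping removed.

```python
"""Triage packetfence.log lines for IP-to-MAC lookup failures and events that
ran under an invalid MAC. Added example, not PacketFence code; the line layout
follows the log excerpt in the post, and the sample lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Mmm dd hh:mm:ss PROCESS(PID) LEVEL: [mac:XX] MESSAGE (perl::function)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) "
    r"(?P<proc>[\w.]+)\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): "
    r"(?:\[mac:(?P<mac>[^\]]+)\] )?"
    r"(?P<msg>.*?)"
    r"(?: \((?P<func>[\w:]+)\))?$"
)
IP2MAC_RE = re.compile(r"Unable to match MAC address to IP '(?P<ip>[\d.]+)'")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class LogEvent:
    timestamp: str
    process: str
    pid: int
    level: str
    mac: Optional[str]
    msg: str
    func: Optional[str]


def is_valid_mac(mac: Optional[str]) -> bool:
    """True only for a full six-octet MAC; '0', 'unknown' and None are rejected."""
    return bool(mac) and MAC_RE.match(mac) is not None


def parse_line(line: str) -> Optional[LogEvent]:
    """Split one packetfence.log line into fields, or None if it does not fit."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    return LogEvent(m["ts"], m["proc"], int(m["pid"]), m["level"],
                    m["mac"], m["msg"], m["func"])


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count ip2mac failures per IP, events logged under an invalid MAC,
    and database errors, over an iterable of log lines."""
    ip2mac_failures: Counter = Counter()
    invalid_mac_events = 0
    db_errors: List[LogEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.mac is not None and not is_valid_mac(ev.mac):
            invalid_mac_events += 1
        hit = IP2MAC_RE.search(ev.msg)
        if hit:
            ip2mac_failures[hit["ip"]] += 1
        if "database query failed" in ev.msg:
            db_errors.append(ev)
    return {"ip2mac_failures": dict(ip2mac_failures),
            "invalid_mac_events": invalid_mac_events,
            "db_errors": db_errors}


# Constructed sample, modelled on the lines quoted in the post (unwrapped).
SAMPLE_LOG = [
    "Aug 22 14:23:59 httpd.portal(4566) WARN: [mac:0] Unable to match MAC address to IP '192.168.225.28' (pf::iplog::ip2mac)",
    "Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)",
    "Aug 22 14:23:59 httpd.portal(4566) INFO: [mac:0] database query failed with: Duplicate entry '0' for key 'PRIMARY' (errno: 1062) (pf::db::db_query_execute)",
    "Aug 22 14:24:01 httpd.portal(4396) INFO: [mac:5c:70:a3:45:f1:a1] Dealing with a endpoint / browser with captive-portal detection capabilities while having captive-portal detection mechanism bypass enabled. Proxying (pf::web::dispatcher::handler)",
    "Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.225.28' (pf::iplog::ip2mac)",
    "Aug 22 14:26:51 httpd.portal(5036) WARN: [mac:0] Unable to match MAC address to IP '192.168.225.29' (pf::iplog::ip2mac)",
]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in sorted(report["ip2mac_failures"].items()):
        print(f"{ip}: {n} ip2mac failures")
    print(f"events under an invalid MAC: {report['invalid_mac_events']}")
    for ev in report["db_errors"]:
        print(f"DB error at {ev.timestamp}: {ev.msg}")
```

Run it against the real file with `summarize(open("/usr/local/pf/logs/packetfence.log"))`, assuming the default log location. An IP that keeps failing ip2mac while the GUI shows that MAC with a neighbouring address, as in the post, points at a stale or missing iplog entry rather than at the portal itself.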

[PacketFence-users] Error running configurator in 6.2.1

2016-08-09 Thread Morris, Andi
Hi all,
I'm getting a similar issue on two separate CentOS 7 servers that I've set up 
today. I get through the configurator up until the service start section, but 
when I do httpd.graphite never starts. Restarting the services from the CLI 
gets the following result:

bin/pfcmd service pf restart
service|command
keepalived|already stopped
httpd.graphite|already stopped
radsniff|already stopped
statsd|already stopped
collectd|already stopped
carbon-relay|already stopped
carbon-cache|already stopped
pfbandwidthd|already stopped
p0f|already stopped
suricata|already stopped
snort|already stopped
pfdetect|already stopped
pfmon|already stopped
httpd.webservices|stop
dhcpd|stop
httpd.portal|stop
httpd.parking|stop
httpd.proxy|already stopped
pfdhcplistener_eno16777984|stop
pfdhcplistener_eno50336512|stop
pfdhcplistener_eno33557248|stop
pfdns|stop
pfqueue|stop
snmptrapd|already stopped
pfsetvlan|already stopped
radiusd|stop
radiusd-acct|stop
httpd.aaa|stop
redis_queue|stop
iptables|stop
haproxy|already stopped
httpd.admin|stop
AH00548: NameVirtualHost has no effect and will be removed in the next release 
/usr/local/pf/var/conf/httpd.conf.d/httpd.admin:194
httpd.admin|start
Checking configuration sanity...
iptables|start
redis_queue|start
AH00548: NameVirtualHost has no effect and will be removed in the next release 
/usr/local/pf/var/conf/httpd.conf.d/httpd.aaa:169
httpd.aaa|start
radiusd-acct|start
radiusd|start
pfqueue|start
pfdns|start
pfdhcplistener_eno33557248|start
pfdhcplistener_eno50336512|start
pfdhcplistener_eno16777984|start
httpd.parking|start
AH00548: NameVirtualHost has no effect and will be removed in the next release 
/usr/local/pf/var/conf/httpd.conf.d/httpd.portal:243
httpd.portal|start
dhcpd|start
AH00548: NameVirtualHost has no effect and will be removed in the next release 
/usr/local/pf/var/conf/httpd.conf.d/httpd.webservices:169
httpd.webservices|start
pfmon|start
p0f|start
Starting carbon-cache (instance a)
carbon-cache|start
Starting carbon-relay (instance a)
carbon-relay|start
collectd|start
statsd|start
radsniff|start
[Tue Aug  9 15:49:44 2016] pfcmd.pl: Use of uninitialized value $result in 
pattern match (m//) at /usr/local/pf/lib/pf/services/manager/httpd.pm line 79.



in packetfence.log

Aug 09 15:49:33 pfcmd.pl(12061) INFO: Daemon httpd.webservices took 3.646 
seconds to start. (pf::services::manager::launchService)
Aug 09 15:49:40 pfcmd.pl(12061) INFO: Daemon pfmon took 3.918 seconds to start. 
(pf::services::manager::launchService)
Aug 09 15:49:40 pfcmd.pl(12061) INFO: Daemon p0f took 0.124 seconds to start. 
(pf::services::manager::launchService)
Aug 09 15:49:41 pfcmd.pl(12061) INFO: Daemon carbon-cache took 0.557 seconds to 
start. (pf::services::manager::launchService)
Aug 09 15:49:42 pfcmd.pl(12061) INFO: Daemon carbon-relay took 0.582 seconds to 
start. (pf::services::manager::launchService)
Aug 09 15:49:42 pfcmd.pl(12061) INFO: Daemon collectd took 0.101 seconds to 
start. (pf::services::manager::launchService)
Aug 09 15:49:42 pfcmd.pl(12061) INFO: Daemon statsd took 0.029 seconds to 
start. (pf::services::manager::launchService)
Aug 09 15:49:42 pfcmd.pl(12061) INFO: Daemon radsniff took 0.255 seconds to 
start. (pf::services::manager::launchService)
Aug 09 15:49:43 pfcmd.pl(12061) WARN: Problem trying to run command: LANG=C 
/usr/sbin/httpd -v called from manager::httpd::apache_version. OS Error: Cannot 
allocate memory (pf::util::pf_run)
Aug 09 15:49:44 pfcmd.pl(12061) INFO: Daemon httpd.graphite took 0.000 seconds 
to start. (pf::services::manager::launchService)

Trying to manually start that service from CLI gets:
# bin/pfcmd service httpd.graphite start
service|command
httpd.admin|already started
Checking configuration sanity...
[Tue Aug  9 15:55:50 2016] pfcmd.pl: Use of uninitialized value $result in 
pattern match (m//) at /usr/local/pf/lib/pf/services/manager/httpd.pm line 79.
[Tue Aug  9 15:55:50 2016] pfcmd.pl: Use of uninitialized value $result in 
pattern match (m//) at /usr/local/pf/lib/pf/services/manager/httpd.pm line 79.
httpd.graphite|not started


Any clues what this might be? The only thing I'm doing out of the ordinary that 
I can think of is shrinking the subnets of the registration and isolation 
networks right down as this is just a dev environment. This meant that some 
manual reconfig of the dhcp start and end ranges in networks.conf was required.

Cheers,
Andi



[PacketFence-users] Load balancing and HA for Packetfence 6.x

2016-08-04 Thread Morris, Andi
Hi all,
Just curious what the community's solutions were for high availability with 
their packetfence setups. We've recently purchased some hardware load 
balancers, which gives us more options for load balancing than we had 
previously, so I was considering the following setup?

1 x database server (running on VMWare with replication of the server also in 
place for HA)
2 x app servers (running all the PF services apart from the DB)

The load balancers sending all traffic to the first server to avoid deadlocks 
with the database, but with a health check to switch services over to the 
second app server.

If I was to do this, what services would I need to load balance between the two 
app servers? Apache and radius are the obvious ones, but do I need to consider 
DHCP, DNS, etc for the portals? Are there any other extras that might be 
running under the hood that I might miss? Are violations stored in the 
database? It's no big deal if these wouldn't get transferred, but it would be 
nice if possible.

Another option, in the interim, will be to have the same server setup, but the 
switches set up with two radius servers, so that radius requests bounce to the 
second server should the first not be available for whatever reason. Our main 
concern is for the already setup and registered users to retain their 
connection to the network, I'm less worried about people being able to access 
the registration portal.

Does anyone else have any ideas or suggestions for a highly available setup? I 
did run the heartbeat and DRBD cluster scenario before, but I found that this 
caused more problems than it resolved to be honest.

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--





Re: [PacketFence-users] sponsored access

2016-07-13 Thread Morris, Andi
Any thoughts on this guys?

Cheers,
Andi


Re: [PacketFence-users] sponsored access

2016-07-08 Thread Morris, Andi
Apologies for the barrage of emails. I think this is now something to do with 
the captive portal detection on androids, as it seems that after about 20-30 
seconds of being in the captive portal the device then decides it has no 
internet access, which timing wise coincides with roughly the amount of time 
that was taking place between sending the sponsored request and the staff 
member accepting the invite (in production this will actually be a lot longer).

Looking at httpd.portal.access log I see the following:
192.168.225.28 - - [07/Jul/2016:14:35:11 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)"
192.168.225.28 - - [07/Jul/2016:14:35:19 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MOB30M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/51.0.2704.81 Mobile Safari/537.36"
192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)"
192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)"
192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)"
192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)"
192.168.225.28 - - [07/Jul/2016:14:35:21 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)"
192.168.225.28 - - [07/Jul/2016:14:35:23 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)"

Which looks to me like one of the generate_204 gets is actually getting a 302 
response back.

I do have the Captive Portal detection mechanism bypass option ticked, so I'm 
not sure why this is still receiving a redirect.

Cheers,
Andi

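To make the 302-versus-204 pattern in that excerpt something a script can check rather than something read off by eye, here is an added example (not PacketFence code and not from the thread) that parses httpd.portal.access lines and flags captive-portal probes answered with a status the client OS does not expect. The sample lines are constructed after the excerpt above, and the non-Android probe paths are an assumption added for completeness.

```python
"""Flag captive-portal detection probes that the portal answered with a
redirect instead of the status the client OS expects (added example, not
PacketFence code).  Sample lines are constructed after the thread's
httpd.portal.access excerpt."""
import re
from collections import Counter, defaultdict

# Apache combined log format, which is what httpd.portal.access uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Probe path -> status the OS expects when it has unrestricted access.
# /generate_204 is the one in the thread; the other entries are assumed
# well-known probe paths added here for completeness.
PROBES = {
    "/generate_204": 204,         # Android, Chrome
    "/gen_204": 204,              # Android (alternate)
    "/hotspot-detect.html": 200,  # Apple
    "/ncsi.txt": 200,             # Windows NCSI
}

SAMPLE_LOG = [  # constructed after the thread's excerpt
    '192.168.225.28 - - [07/Jul/2016:14:35:11 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)"',
    '192.168.225.28 - - [07/Jul/2016:14:35:19 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MOB30M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/51.0.2704.81 Mobile Safari/537.36"',
    '192.168.225.28 - - [07/Jul/2016:14:35:25 +0100] "GET /captive-portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MOB30M; wv)"',
    '192.168.225.40 - - [07/Jul/2016:14:36:02 +0100] "GET /generate_204 HTTP/1.1" 204 0 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1)"',
    'this line is not in combined format',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def probe_failures(lines):
    """Map client IP -> list of (timestamp, path, status, user_agent) for every
    probe request whose status is not the one the OS expects.  A 302 here is
    what makes an Android device decide it has no internet access, even when
    the portal's detection bypass option is enabled."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        expected = PROBES.get(rec["path"])
        if expected is None or rec["status"] == expected:
            continue
        failures[rec["ip"]].append((rec["ts"], rec["path"], rec["status"], rec["ua"]))
    return dict(failures)


def probe_status_histogram(lines):
    """Count (path, status) pairs for probe requests only, to see at a glance
    whether any probe at all is being answered the way the OS expects."""
    hist = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"] in PROBES:
            hist[(rec["path"], rec["status"])] += 1
    return hist


if __name__ == "__main__":
    for ip, hits in probe_failures(SAMPLE_LOG).items():
        for ts, path, status, ua in hits:
            print(f"{ip} {ts} {path} -> {status} ({ua.split(' ')[0]})")
    print(dict(probe_status_histogram(SAMPLE_LOG)))
```

Run it against a real httpd.portal.access with `probe_failures(open(path))`; a client that only ever appears with 302s is the case described in the thread.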

Re: [PacketFence-users] sponsored access

2016-07-08 Thread Morris, Andi
As an update, this isn't happening with a laptop, so might be something to do 
with the Android device, but something is definitely stopping it communicating 
with whatever part of the internet it requires as soon as it is pending 
approval.

Maybe a particular entry needs to be added to the captive portal detection for 
this OS version?

Cheers,
Andi


[PacketFence-users] sponsored access

2016-07-07 Thread Morris, Andi
Hi all,
I'm having trouble with my sponsored guest access where the registration isn't 
completing until the guest node leaves and then reconnects to the captive 
portal, when packetfence then sees the registered mac address and puts the node 
in the correct vlan.

This doesn't seem to be happening with my email registered guests.

Log snippet of the point until the registration process halts:
Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac)
Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac)
Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac)
Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac)
Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] [cc:fa:00:f4:4a:c3] Activation code sent to email amor...@cardiffmet.ac.uk from andi.mor...@gmail.com successfully verified.  for activation type: sponsor (pf::activation::validate_code)
Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Sponsor needs to authenticate in order to activate guest. Guest token: 3386be07684696d271b7f891b6a729d7 (captiveportal::PacketFence::Controller::Activate::Email::doSponsorRegistration)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:unknown] Memory configuration is not valid anymore for key interfaces::management_network in local cached_hash (pfconfig::cached::is_valid)
Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac)
Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] [cc:fa:00:f4:4a:c3] Activation code sent to email amor...@cardiffmet.ac.uk from andi.mor...@gmail.com successfully verified.  for activation type: sponsor (pf::activation::validate_code)
Jul 07 14:39:31 httpd.portal(22552) ERROR: [mac:0] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] [DCLL01] Authentication successful for sm18818 (pf::Authentication::Source::LDAPSource::authenticate)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Authentication successful for 'sm18818' in source DCLL01 (AD) (pf::authentication::authenticate)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Successfully authenticated sm18818/192.168.42.42/0 (captiveportal::PacketFence::Controller::Authenticate::authenticationLogin)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Using sources DCLL01 for matching (pf::authentication::match)
Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Using sources sponsor for matching (pf::authentication::match)
Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Matched rule (Staff_Sponsor) in source sponsor, returning actions. (pf::Authentication::Source::match)
Jul 07 14:39:32 httpd.portal(22552) INFO: [mac:0] a new temporary account has been requested for andi.mor...@gmail.com. Deleting previous entry (pf::password::generate)
Jul 07 14:39:32 httpd.portal(22552) INFO: [mac:0] new temporary account successfully generated (pf::password::generate)

At this point the node is still marked as unregistered in the admin GUI and the 
device is saying that registration is pending approval.

I've noticed that as soon as the sponsor email gets sent the node reports as 
losing internet access, which is why I think the transaction never finishes. I 
wonder if there is something strange going on when the node is pending 
registration.

I'm running version 6.2.0 on CentOS and the device I'm testing with is an 
Android 

Re: [PacketFence-users] Still a problem with registration process

2016-06-10 Thread Morris, Andi
Hi Louis,
I went ahead and downloaded the two files from the devel branch, and ran the 
patch. It complained that the changes were already in the file, so I chose to 
skip those parts and the patch applied successfully.

I've just tested and my email validation seems to be working ok now.

Thanks for your help. I'll try to wait until 6.1 is released before pushing 
this into production. A horrible question I know, but do you know a rough 
timescale for this release?

Cheers,
Andi

--
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Still a problem with registration process

2016-06-10 Thread Morris, Andi
Thanks Louis,

That makes sense, I've never been brave enough to run a devel version.

I've created empty upgrade-X.X.X-X.Y.Z.sql  and pf-schema-X.Y.Z.sql , but now 
I'm getting a different error when running the dry run patch command.

patch -p1 --dry-run https://github.com/inverse-inc/packetfence/tree/devel/db page or will they 
contain extra changes that I won't need?

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 09 June 2016 19:16
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Still a problem with registration process



On Jun 8, 2016, at 6:02, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

Hi Louis,
I needed to reinstall as I messed something up, so this is with the patch file 
on a completely CentOS 7.2.1511 vanilla 6.0.3 installation just after 
completing the configurator.

patch -p1 --dry-run lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)





Re: [PacketFence-users] SAML authentication

2016-06-10 Thread Morris, Andi
Ah I see. Hopefully it's something that can be looked at for the future. 
There's a big single sign-on push here, and this would be a big tick in this 
project for me.

Cheers,
Andi

From: Julien [mailto:jsem...@inverse.ca]
Sent: 09 June 2016 21:28
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] SAML authentication

Hi Andi,

SAML is not currently available as a login option when granting sponsorship.

So you're not mis-configuring it. It's just not there :)

- Julien


[PacketFence-users] SAML authentication

2016-06-08 Thread Morris, Andi
Hi,
I'm trying to setup SAML authentication for my users connecting to sponsor a 
guest, and also potentially for my admin users, however I can't seem to get 
packetfence to attempt to authenticate the users with this source. I've even 
tried pushing the SAML section right to the top of the authentication.conf file.

The SAML conf is as below:
[Shib_dev]
description=Shib_dev
idp_ca_cert_path=/usr/local/pf/conf/ssl/idp.crt
idp_entity_id=https://idp.dev.cardiffmet.ac.uk/idp/shibboleth
idp_metadata_path=/usr/local/pf/conf/ssl/cardiffmet-dev-metadata.xml
username_attribute=urn:mace:shibboleth:2.0:attribute:encoder
dynamic_routing_module=AuthModule
idp_cert_path=/usr/local/pf/conf/ssl/idp.crt
sp_entity_id=https://pfguestdev.internal.uwic.ac.uk
type=SAML
authorization_source_id=DC1
sp_cert_path=/usr/local/pf/conf/ssl/server.crt
sp_key_path=/usr/local/pf/conf/ssl/server.key

[local]
description=Local Users
dynamic_routing_module=AuthModule
type=SQL

[file1]
description=Legacy Source
stripped_user_name=yes
path=/usr/local/pf/conf/admin.conf
dynamic_routing_module=AuthModule
type=Htpasswd

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL

[DC1]
description=dc1
password=password
scope=sub
binddn=CN=ldappacketfence,CN=Users,DC=internal
basedn=OU=User Accounts,DC=internal
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=yes
encryption=none
cache_match=1
dynamic_routing_module=AuthModule
port=389
type=AD
host=192.168.1.1

[DCLL01 rule Admin]
description=
class=administration
match=any
action0=set_access_level=ALL
action1=mark_as_sponsor=1
condition0=sAMAccountName,equals,admin

[DCLL01 rule All_staff]
description=
class=administration
match=any
action0=mark_as_sponsor=1
condition0=memberOf,equals,CN=STAFF,OU=User Accounts,DC=internal

I'm not expecting the actual SAML auth to work first time, but it doesn't 
appear to be even trying to send the request to my IdP server.

Cheers,
Andi


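As an added check on a configuration like the one posted above (example code, not PacketFence's own), the following lints authentication.conf for rule sections that name a source which is not defined in the file, as the [DCLL01 rule ...] sections do when the only AD source present is [DC1], and for AD/LDAP sources that bind with encryption=none. The sample config is constructed after the post, with the bind password replaced by a placeholder.

```python
"""Lint a PacketFence authentication.conf for rule sections whose source is
not defined and for AD/LDAP sources that bind without encryption.  Added
example, not PacketFence code; SAMPLE_CONF is constructed after the
configuration posted in the thread (password replaced by a placeholder)."""
import configparser

SAMPLE_CONF = """
[Shib_dev]
description=Shib_dev
type=SAML
idp_entity_id=https://idp.dev.cardiffmet.ac.uk/idp/shibboleth
sp_entity_id=https://pfguestdev.internal.uwic.ac.uk
authorization_source_id=DC1
dynamic_routing_module=AuthModule

[local]
description=Local Users
type=SQL

[file1]
description=Legacy Source
type=Htpasswd
path=/usr/local/pf/conf/admin.conf

[file1 rule admins]
class=administration
match=all
action0=set_access_level=ALL

[DC1]
description=dc1
type=AD
host=192.168.1.1
port=389
encryption=none
binddn=CN=ldappacketfence,CN=Users,DC=internal
basedn=OU=User Accounts,DC=internal
password=REDACTED_PLACEHOLDER

[DCLL01 rule Admin]
class=administration
match=any
action0=set_access_level=ALL
action1=mark_as_sponsor=1
condition0=sAMAccountName,equals,admin

[DCLL01 rule All_staff]
class=administration
match=any
action0=mark_as_sponsor=1
condition0=memberOf,equals,CN=STAFF,OU=User Accounts,DC=internal
"""


def load_conf(text):
    """Parse the INI-style file.  Option names keep their case and no
    %-interpolation is applied: values such as condition0=memberOf,equals,CN=...
    contain '=' and LDAP filters may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_sections(cp):
    """Separate '[source]' sections from '[source rule name]' sections."""
    sources, rules = {}, []
    for name in cp.sections():
        head, sep, rule = name.partition(" rule ")
        if sep:
            rules.append((head, rule, dict(cp[name])))
        else:
            sources[name] = dict(cp[name])
    return sources, rules


def lint(text):
    """Return a list of (kind, section, message) findings."""
    sources, rules = split_sections(load_conf(text))
    findings = []
    for src, rule, _opts in rules:
        if src not in sources:
            # No source to attach the rule to, so it can never grant anything.
            findings.append(("orphan_rule", f"[{src} rule {rule}]",
                             f"source '{src}' is not defined in this file"))
    for name, opts in sources.items():
        if opts.get("type") in ("AD", "LDAP") and opts.get("encryption", "none") == "none":
            # The bind DN and its password travel to the directory in cleartext.
            findings.append(("cleartext_bind", f"[{name}]",
                             "encryption=none: LDAP bind credentials are sent unencrypted"))
        authz = opts.get("authorization_source_id")
        if authz is not None and authz not in sources:
            findings.append(("dangling_authz", f"[{name}]",
                             f"authorization_source_id '{authz}' is not defined"))
    return findings


if __name__ == "__main__":
    for kind, section, msg in lint(SAMPLE_CONF):
        print(f"{kind:15} {section:26} {msg}")
```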


Re: [PacketFence-users] Still a problem with registration process

2016-06-07 Thread Morris, Andi
When applying that patch do I need to rename the x.y.z files in the diff file 
to match my current version, and then create the relevant files? My patch dry 
run is failing because the files don’t currently exist.

Apologies, I’m a git/patch noob

Cheers,
Andi



From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 07 June 2016 10:33
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Still a problem with registration process

Thanks Louis,
I’ll take a look at that patch. Personally my system is only in development, so 
future upgrades likely won’t affect me as I’m more likely to rebuild than 
upgrade, and I’ll possibly wait until 6.1 before pushing to production.

For Andrew, I believe he has active users on his system, but has implemented 
his own fix.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 06 June 2016 20:27
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Still a problem with registration process



On Jun 6, 2016, at 11:05, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

When setting the reverse proxy to forward the original IP the packetfence 
server doesn’t seem to respond to the incoming request.

Tcpdump output of the packetfence server shows:
16:01:51.644525 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:01:54.648694 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:00.654695 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:02:12.668769 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:15.677516 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:21.683543 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:02:33.697445 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:36.706367 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:42.712373 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, options [mss 1460,nop,nop,sackOK], length 0

So the https request is reaching the server, however there is nothing at all in 
the packetfence.log




Hi Andy,
This looks like a possible case of iptables dropping the packets wouldn’t you 
say?



There’s an upcoming fix for this issue (#1522 on github) in the current devel 
branch (which will in time become 6.1):

If you are running 6.0.x it might be worth looking into.
This code will end up being part of your PF whenever you upgrade.

Be careful to take a look at “db/upgrade-X.X.X-X.Y.Z.sql”.
We had to alter the “activation” table.

If you do apply this, you’ll have to remember to comment that one change in the 
database upgrade script on the day you move to 6.1 for real.
Mysql will not let you apply the same change twice.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)



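Added example, not code from the thread or from PacketFence: a small Python script that parses the tcpdump lines quoted above and reports, per (client, server) pair, how many SYNs arrived, how many separate connection attempts they represent (distinct initial sequence numbers) and whether the server ever sent anything back. The nine lines from the posted capture are embedded as-is; the two lines for 192.0.2.10 (a documentation address) are constructed to show what an answered handshake looks like in the same format.

```python
import re
from dataclasses import dataclass, field

# The first nine lines are the capture posted in this thread; the last two are
# constructed to show, in the same tcpdump format, a SYN that is answered.
CAPTURE = """\
16:01:51.644525 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:01:54.648694 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:00.654695 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:02:12.668769 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:15.677516 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:21.683543 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:02:33.697445 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:36.706367 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:42.712373 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:03:01.000000 IP 192.0.2.10.40000 > pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 1000, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:03:01.000500 IP pfguestdev.internal.uwic.ac.uk.https > 192.0.2.10.40000: Flags [S.], seq 2000, ack 1001, win 29200, options [mss 1460,nop,nop,sackOK], length 0
"""

# One tcpdump TCP line: timestamp, "IP", src.port > dst.port: Flags [..], seq N
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^\s:]+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)


def endpoint(text):
    """Split 'host.port' at the last dot (hostnames themselves contain dots)."""
    host, port = text.rsplit(".", 1)
    return host, port


@dataclass
class Flow:
    syns: int = 0                            # client SYNs seen, retransmits included
    isns: set = field(default_factory=set)   # distinct ISNs = distinct connect() attempts
    replies: int = 0                         # packets from the server back to the client
    first: str = ""
    last: str = ""


def analyse(capture):
    """Group packets by (client, server) and count SYNs against server replies."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = endpoint(m["src"]), endpoint(m["dst"])
        if m["flags"] == "S":                # bare SYN: client opening to server
            flow = flows.setdefault((src, dst), Flow(first=m["ts"]))
            flow.syns += 1
            flow.last = m["ts"]
            if m["seq"]:
                flow.isns.add(int(m["seq"]))
        elif (dst, src) in flows:            # SYN-ACK, RST, anything: the host answered
            flows[(dst, src)].replies += 1
    return flows


def verdict(flow):
    if flow.replies:
        return "answered"
    if flow.syns >= 3:
        return ("unanswered: SYN retransmitted, packets dropped before the listener "
                "(host firewall or return routing)")
    return "unanswered: too few packets to judge"


if __name__ == "__main__":
    for (client, server), flow in analyse(CAPTURE).items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: "
              f"{flow.syns} SYNs over {len(flow.isns)} attempt(s), "
              f"{flow.replies} replies, {flow.first}-{flow.last}: {verdict(flow)}")
```

Three distinct ISNs, each retransmitted three times with the 3 s / 6 s backoff, and not one packet back is the signature of packets being dropped on or before the host, not of a listener problem: a closed port answers with a RST, and a reachable httpd completes the handshake before anything can appear in packetfence.log. Check the host firewall counters first; if the proxy is in a source-IP-preserving mode, also confirm that replies to that public address route back through the proxy rather than out of the default gateway.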


Re: [PacketFence-users] Still a problem with registration process

2016-06-06 Thread Morris, Andi
When setting the reverse proxy to forward the original IP the packetfence 
server doesn’t seem to respond to the incoming request.

Tcpdump output of the packetfence server shows:
16:01:51.644525 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 8192, 
options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:01:54.648694 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 8192, 
options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:00.654695 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 166613653, win 65535, 
options [mss 1460,nop,nop,sackOK], length 0
16:02:12.668769 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, 
options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:15.677516 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, 
options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:21.683543 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 3670114485, win 8192, 
options [mss 1460,nop,nop,sackOK], length 0
16:02:33.697445 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, 
options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:36.706367 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, 
options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:42.712373 IP host86-176-129-66.range86-176.btcentralplus.com.51863 > 
pfguestdev.internal.uwic.ac.uk.https: Flags [S], seq 317933843, win 8192, 
options [mss 1460,nop,nop,sackOK], length 0

So the https request is reaching the server, however there is nothing at all in 
the packetfence.log

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 06 June 2016 15:55
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Still a problem with registration process

On my current reverse proxy solution there’s very little config that can be 
done. I can forward the original host header and/or I can proxy the request 
with the original IP or the proxied IP.

When I choose to send the original IP the requests don’t seem to ever reach the 
server, so I’m currently playing around with that.

I presume this check is something new to 6.0.x? If we can’t work around my 
current proxy appliance, is there a way to disable this check? We should have a 
new reverse proxy solution very soon which may provide many more options, 
however that may be a few months off. Obviously I can’t answer for Andrew here 
either, I don’t know his situation.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 06 June 2016 15:31
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Still a problem with registration process



On Jun 6, 2016, at 10:19, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

Hi Andrew,
I’m also seeing the exact same issue. Users choose to register by email, then 
click the email validation link and get a message to say they must use the same 
device to validate.

My packetfence.log looks just like yours but I also noticed in mine that I see 
my reverse proxy appliance IP address in the log, which is where I think 
packetfence is failing to match the mac address:


I don’t know whether this is a similar situation with your setup or not.

I’m just playing with the transparency settings on the reverse proxy to see if 
that will help.

PacketFence tries to detect which device is connecting to the portal http 
server based on the incoming IP of the connection.
Proxying is indeed likely to break it.

Can you have the Proxy send a header with the origin IP such as X-Forwarded-for?


Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


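Added example, not code from the thread or from PacketFence: how a portal sitting behind a reverse proxy should recover the client address from X-Forwarded-For without letting a client forge it. The proxy range 192.0.2.0/24 and the other documentation addresses are assumptions standing in for the real appliance and clients.

```python
import ipaddress

# Assumption (not from the thread): the reverse proxy appliance lives in this
# range. Only a TCP peer inside it may assert a client address via
# X-Forwarded-For; 192.0.2.0/24 is a documentation prefix standing in for it.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def is_trusted_proxy(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Address the portal should use to look up the device.

    peer_addr: the TCP peer as seen by the web server.
    headers:   request headers with lower-cased names.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    it is read from the right, skipping further trusted hops, so the address
    returned is the one the proxy itself saw. A client connecting directly and
    supplying its own header is ignored, so it cannot impersonate another
    device's IP (and through that its MAC and registration state).
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr          # malformed entry: distrust the whole header
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr                  # header absent, or only proxies listed


if __name__ == "__main__":
    # Constructed requests: the proxy forwarding a public client, a LAN client
    # connecting directly with a forged header, and the proxy sending no header
    # at all, which is what leaves the proxy's own address in the portal log.
    for peer, hdrs in [("192.0.2.5", {"x-forwarded-for": "198.51.100.66"}),
                       ("10.20.30.40", {"x-forwarded-for": "198.51.100.66"}),
                       ("192.0.2.5", {})]:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```

The point raised above cuts both ways: the portal needs the real client address to find the MAC, but a header any client can set must only be believed when the TCP peer is the proxy. Reading the list from its right-hand end is what keeps a chain of trusted proxies safe; taking the left-most entry hands the decision to the user.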



Re: [PacketFence-users] Mandatory fields on guest signup page

2016-06-03 Thread Morris, Andi
Hi Derek,
It really does seem much more customisable. A great advance (again!). Well done 
all.

Cheers,
Andi

From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 03 June 2016 15:15
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] Mandatory fields on guest signup page

Andi,

The new portal config methods introduced in version 6 allow a lot more 
customization!
You may want to create two distinct modules, one for each case, and the end 
users will be offered the choice between the two. That way, you’ll be able to 
get what you want without having to introduce custom code.

Cheers!
-dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Jun 3, 2016, at 03:19, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

Hi Derek,
I’ve done this by editing the HTML code within the portal pages.

I’m going to try this using the new portal config methods in version 6.x today 
and see if that does what I need. If not, then custom code may be what’s 
required.

Cheers,
Andi

From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 02 June 2016 21:15
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] Mandatory fields on guest signup page

Hello Andi,

I’ve been battling with customising the interface for the Guest wifi signup 
page here and management want it to be as simple as possible. I’m getting there 
with the rough design, but I now have an issue due to me duplicating the email 
address input field, which the system doesn’t like as it’s a mandatory field.

How have you achieved that ? Using custom code or only by GUI configuration ?

Is there a way I can tell packetfence to accept either one of the email fields?

We could do it using custom code and have different IDs for both email fields.
Validation step would ensure that either one of the two is not empty and then 
the process step would take the appropriate value.
Again, that would be some custom code but is easily feasible.

Cheers!
-dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Jun 2, 2016, at 06:18, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

Hi all,
I’ve been battling with customising the interface for the Guest wifi signup 
page here and management want it to be as simple as possible. I’m getting there 
with the rough design, but I now have an issue due to me duplicating the email 
address input field, which the system doesn’t like as it’s a mandatory field.

For an example I’ve attached a screenshot of my interface as it stands at the 
moment.

The reason I want to duplicate the email field is so that it’s less confusing 
for users, so there’s just an email box for self signups, and the email and 
staff sponsorship box together, for the sponsored signups.

Is there a way I can tell packetfence to accept either one of the email fields?

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--




[PacketFence-users] Access to portal for guest activation

2016-06-03 Thread Morris, Andi
Hi all,
On version <6.0.3 I was able to access the management IP on port 443 in order 
for sponsors to activate guests. However, now I'm seeing the server refuse the 
connection. Looking at the output for netstat I'm not seeing the management 
interface listening on ports 80 or 443.

Do I have to enable something for this, or should I be pointing these users at 
the registration IP in order to activate the guest users?

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--







Re: [PacketFence-users] Mandatory fields on guest signup page

2016-06-02 Thread Morris, Andi
I should have mentioned that this is version 5.7.0 for the moment. Perhaps this 
is easier with the new version 6 interface? I'll happily update if this is the 
case as my system is just in dev at the moment.

Cheers,
Andi

From: Morris, Andi
Sent: 02 June 2016 11:19
To: packetfence-users@lists.sourceforge.net
Subject: Mandatory fields on guest signup page

Hi all,
I've been battling with customising the interface for the Guest wifi signup 
page here and management want it to be as simple as possible. I'm getting there 
with the rough design, but I now have an issue due to me duplicating the email 
address input field, which the system doesn't like as it's a mandatory field.

For an example I've attached a screenshot of my interface as it stands at the 
moment.

The reason I want to duplicate the email field is so that it's less confusing 
for users, so there's just an email box for self signups, and the email and 
staff sponsorship box together, for the sponsored signups.

Is there a way I can tell packetfence to accept either one of the email fields?

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--





Re: [PacketFence-users] computer / user auth when onsite and offsite

2016-05-04 Thread Morris, Andi
I can now see that the filter you gave me does somehow differentiate this.

Can you please explain what the "operator = defined" line actually does? It 
doesn't seem to matter what I put in the value section. Is this looking to see 
whether Packetfence has the computer name in its database?

Cheers,
Andi

-----Original Message-----
From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] 
Sent: 04 May 2016 15:00
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] computer / user auth when onsite and offsite

Essentially the logic would be:

If domain_PC
- add to domain_PC role
If domain_PC && domain_user
- add to domain_PC role
If domain_user && !domain_PC
- add to byod_home role
If eduroam_visitor
- add to byod_visitor role

Cheers,
Andi

-----Original Message-----
From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] 
Sent: 04 May 2016 14:37
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] computer / user auth when onsite and offsite

Hi Fabrice,
Thanks for your reply.

That looks good, although I'd need to add all of our individual computer 
accounts in that OU to the rule. Is it possible to do any kind of Distinguished 
Name match in the vlan filters? I was trying to do this with sources as this 
can do the ldap lookup, but I couldn't get it to work.

Cheers,
Andi

-----Original Message-----
From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: 04 May 2016 14:09
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] computer / user auth when onsite and offsite

Hello Andi,

if machine_account is set then it means that it did machine authentication.
So in your filter you can use the attribute node.machine_account, like that:

[machine]
filter = node_info
attribute = machine_account
operator = defined
value = robert



Regards
Fabrice

On Wednesday, May 04, 2016 08:53 EDT, "Morris, Andi" <amor...@cardiffmet.ac.uk> 
wrote: 
 
> Hi all,
> 
> I'm trying to work out a way to have domain PCs to authenticate with computer 
> auth, but the device falling back to user auth so that if it's offsite it 
> will use the user auth credentials to authenticate at other eduroam sites. 
> What's happening at the moment is that the device authenticates using machine 
> auth before the user logs in, which is great, however once the user logs in 
> the user authentication takes over, and packetfence gives the relevant user 
> role and the vlan is changed to the byod vlan.
> 
> What I'd like to do would be for packetfence to check if that user is logging 
> in using a domain PC, and if so give it one role, and if they're using a non 
> domain PC to give the byod role.
> 
> Is there a way using filters, or sources to achieve this? I currently use 
> vlan_filters to autoreg devices, and to work out if a user is an eduroam 
> visitor to our network. We use sources to evaluate if the device is a 
> computer auth from a certain OU, and another source to evaluate if the user 
> is a local user.
> 
> authentication.conf:
> 
> [AD]
> description=DC1
> password=password
> scope=sub
> binddn=CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn=OU=User Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=5
> stripped_user_name=yes
> encryption=none
> dynamic_routing_module=AuthModule
> port=389
> type=AD
> host=192.168.1.1
> 
> [AD rule Full_Web_Admin]
> description=
> class=administration
> match=any
> action0=set_access_level=ALL
> condition0=memberOf,is member of,CN=Admins,OU=Staff,DC=internal,DC=domain,DC=com
> 
> [AD rule Helpdesk_Access]
> description=
> class=administration
> match=any
> action0=set_access_level=Node Manager
> condition0=memberOf,is member of,CN=Helpdesk,OU=Staff,DC=internal,DC=domain,DC=com
> 
> [Windows_10_beta]
> description=Test for Windows 10 PCs
> password=password
> scope=sub
> binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn= OU=Computer Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
> usernameattribute=servicePrincipalName
> connection_timeout=5
> stripped_user_name=no
> encryption=none
> dynamic_routing_module=AuthModule
> port=389
> type=AD
> host=192.168.1.1
> 
> [Windows_10_beta rule Domain_PCs]
> description=
> class=authentication
> match=all
> action0=set_role=domain_PCs
> action1=set_access_duration=6M
> 
> [home_users]
> description=home_users
> password=password
> scope=sub
> binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn= OU=User Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
>

Re: [PacketFence-users] computer / user auth when onsite and offsite

2016-05-04 Thread Morris, Andi
Essentially the logic would be:

If domain_PC
- add to domain_PC role
If domain_PC && domain_user
- add to domain_PC role
If domain_user && !domain_PC
- add to byod_home role
If eduroam_visitor
- add to byod_visitor role

Cheers,
Andi


Re: [PacketFence-users] computer / user auth when onsite and offsite

2016-05-04 Thread Morris, Andi
Hi Fabrice,
Thanks for your reply.

That looks good, although I'd need to add all of our individual computer 
accounts in that OU to the rule. Is it possible to do any kind of Distinguished 
Name match in the vlan filters? I was trying to do this with sources as this 
can do the ldap lookup, but I couldn't get it to work.

Cheers,
Andi

-Original Message-
From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: 04 May 2016 14:09
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] computer / user auth when onsite and offsite

Hello Andi,

If machine_account is set, then it means that it did machine authentication.
So in your filter you can use the attribute node.machine_account, like this:

[machine]
filter = node_info
attribute = machine_account
operator = defined
value = robert

Regards
Fabrice


[PacketFence-users] computer / user auth when onsite and offsite

2016-05-04 Thread Morris, Andi
Hi all,

I'm trying to work out a way to have domain PCs to authenticate with computer 
auth, but the device falling back to user auth so that if it's offsite it will 
use the user auth credentials to authenticate at other eduroam sites. What's 
happening at the moment is that the device authenticates using machine auth 
before the user logs in, which is great, however once the user logs in the user 
authentication takes over, and packetfence gives the relevant user role and the 
vlan is changed to the byod vlan.

What I'd like to do would be for packetfence to check if that user is logging 
in using a domain PC, and if so give it one role, and if they're using a non 
domain PC to give the byod role.

Is there a way using filters, or sources to achieve this? I currently use 
vlan_filters to autoreg devices, and to work out if a user is an eduroam 
visitor to our network. We use sources to evaluate if the device is a computer 
auth from a certain OU, and another source to evaluate if the user is a local 
user.

authentication.conf:

[AD]
description=DC1
password=password
scope=sub
binddn=CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
basedn=OU=User Accounts, DC=internal,DC=domain,DC=com
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=192.168.1.1

[AD rule Full_Web_Admin]
description=
class=administration
match=any
action0=set_access_level=ALL
condition0=memberOf,is member of,CN=Admins,OU=Staff,DC=internal,DC=domain,DC=com

[AD rule Helpdesk_Access]
description=
class=administration
match=any
action0=set_access_level=Node Manager
condition0=memberOf,is member of,CN=Helpdesk,OU=Staff,DC=internal,DC=domain,DC=com

[Windows_10_beta]
description=Test for Windows 10 PCs
password=password
scope=sub
binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
basedn= OU=Computer Accounts, DC=internal,DC=domain,DC=com
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=5
stripped_user_name=no
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=192.168.1.1

[Windows_10_beta rule Domain_PCs]
description=
class=authentication
match=all
action0=set_role=domain_PCs
action1=set_access_duration=6M

[home_users]
description=home_users
password=password
scope=sub
binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
basedn= OU=User Accounts, DC=internal,DC=domain,DC=com
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=192.168.1.1

[home_users rule home_users]
description=
class=authentication
match=all
action0=set_role=eduroam_home_byod
action1=set_access_duration=3M


vlan_filters.conf

[machineauth]
filter = user_name
operator = match
value = host/

[visiting_user]
filter = user_name
operator = regex_not
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[eduroam_dev]
filter = ssid
operator = is
value = eduroam_dev

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home_byod

[autoreg:machineauth]
scope = AutoRegister
role = domain_PCs

[autoreg:visiting_user_dev&!machineauth]
scope = AutoRegister
role = eduroam_visitors

[2:visiting_user_dev&!machineauth]
scope = RegisteredRole
role = eduroam_visitors
action = modify_node
action_param = mac = $mac, category = eduroam_visitors, unregdate = 1M

Cheers,
Andi


--
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] more vlan filter questions

2016-04-29 Thread Morris, Andi
That's amazing, thanks Fabrice. It's like I'd tried every combination apart 
from the most obvious one.

Cheers again.

From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: 29 April 2016 12:41
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] more vlan filter questions

Hello Andi,

Yes it's possible, just do that:
[2:home_user]
scope = RegisteredRole
role = eduroam_home
action = modify_node
action_param = mac = $mac, category = eduroam_home, unregdate = 3M

unregdate can be a date (2022-01-01 12:00) or an access duration (1h, 1D, 
1WR+1D)

Regards
Fabrice





[PacketFence-users] more vlan filter questions

2016-04-29 Thread Morris, Andi
Hi again all,
Is there a way to set access duration in vlan filters? I can see the options 
there, but I can't get them to work.

Currently I evaluate the node role each time the user is authenticated using:

[2:home_user]
scope = RegisteredRole
role = eduroam_home
action = modify_node
action_param = mac = $mac, category = eduroam_home

and I'd like the access duration to be set each time this happens.

e.g.
if node role = home user
give access duration of 3 months

if node role = visitor
give access duration of 1 month

This should be calculated each time the node accesses the system, so that old 
nodes eventually expire and get removed from the database, whereas currently a 
user can connect once and the node remains registered forever.

Cheers,
Andi




Re: [PacketFence-users] autoreg with vlan filter not working

2016-04-29 Thread Morris, Andi
That's excellent! Thanks very much James.

Cheers,
Andi

From: James Rouzier [mailto:jrouz...@inverse.ca]
Sent: 28 April 2016 18:58
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] autoreg with vlan filter not working


Hey Andi,

In PF 5.5.0, match and match_not were changed from a regex to just a match or 
not a match.

There is a new operator regex but regex_not operator slipped through the cracks 
until now!

You can apply the following patch to add support for the regex_not operator.

cd /usr/local/pf

curl https://github.com/inverse-inc/packetfence/commit/0dd1dd63e7fe3493e50bf94d557161df577704a9.diff | patch -p1

However, if you do not want to patch your install, you can do the following.
[visiting_user_not]
filter = username
operator = regex
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)


[autoreg:!visiting_user_not]
scope = AutoRegister
role = visitor_welcome





James Rouzier

jrouz...@inverse.ca :: +1.514.447.4918 (x115) :: http://www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://www.packetfence.org)

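The rule composition these threads rely on, as a small model added here (it is not PacketFence's own code): Andi's domain-PC / home-BYOD / visitor logic from the "computer / user auth when onsite and offsite" thread above, expressed with Fabrice's node_info/machine_account filter, and James's workaround of referencing a regex filter as `!name` in the rule id when regex_not is unavailable. The operator semantics it assumes are listed in its docstring; the RADIUS request dicts and the `[autoreg:...]` rule set are constructed for the example.

```python
"""Toy model of PacketFence vlan_filters.conf evaluation (added example, not
PacketFence code): user_name/ssid/node_info filters, the operators is, match,
regex, regex_not and defined, and [scope:a&!b] rule ids. Assumed, not checked
against PacketFence: 'match' is a substring test (James: not a regex since 5.5.0),
'defined' ignores its value, and the first matching AutoRegister rule wins."""
import configparser
import re

# Constructed vlan_filters.conf: the thread's filters, with Fabrice's
# node_info/machine_account filter standing in for the host/ user_name match.
VLAN_FILTERS = r"""[machine]
filter = node_info
attribute = machine_account
operator = defined
value = robert

[home_user]
filter = user_name
operator = regex
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[visiting_user]
filter = user_name
operator = regex_not
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[eduroam_dev]
filter = ssid
operator = is
value = eduroam_dev

[autoreg:machine]
scope = AutoRegister
role = domain_PCs

[autoreg:home_user&!machine]
scope = AutoRegister
role = eduroam_home_byod

[autoreg:visiting_user&eduroam_dev&!machine]
scope = AutoRegister
role = eduroam_visitors
"""

OPERATORS = {
    "is": lambda attr, value: attr == value,
    "match": lambda attr, value: value in attr,
    "regex": lambda attr, value: re.search(value, attr) is not None,
    "regex_not": lambda attr, value: re.search(value, attr) is None,
}

def load_filters(text=VLAN_FILTERS):
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return cfg

def filter_matches(cfg, name, request):
    """Evaluate one named filter against a RADIUS request (a plain dict)."""
    sec = cfg[name]
    if sec["filter"] == "node_info":  # reads the node record, not the request
        attr = request.get("node_info", {}).get(sec["attribute"])
    else:
        attr = request.get(sec["filter"])
    if sec["operator"] == "defined":
        return attr is not None
    return attr is not None and OPERATORS[sec["operator"]](attr, sec.get("value", ""))

def rule_applies(cfg, rule_id, request):
    """[scope:a&!b] applies when every '&'-joined term holds; '!' negates a term."""
    _, _, cond = rule_id.partition(":")
    for term in cond.split("&"):
        negate = term.startswith("!")
        if filter_matches(cfg, term.lstrip("!"), request) == negate:
            return False
    return True

def autoreg_role(cfg, request):
    """Role of the first matching AutoRegister rule; None means no autoreg, so the
    device lands in the registration VLAN as in the packetfence.log Andi quotes."""
    for rule_id in cfg.sections():
        if ":" in rule_id and cfg[rule_id].get("scope") == "AutoRegister":
            if rule_applies(cfg, rule_id, request):
                return cfg[rule_id]["role"]
    return None

# Constructed requests: the four cases in Andi's logic plus one that misses.
REQUESTS = {
    "machine_auth": {"user_name": "host/pc01.internal.domain.com", "ssid": "eduroam_dev",
                     "node_info": {"machine_account": "pc01$"}},
    "domain_pc_user": {"user_name": "alice@cardiffmet.ac.uk", "ssid": "eduroam_dev",
                       "node_info": {"machine_account": "pc01$"}},
    "byod_home_user": {"user_name": "bob@UWIC.ac.uk", "ssid": "eduroam_dev", "node_info": {}},
    "visitor": {"user_name": "carol@example.org", "ssid": "eduroam_dev", "node_info": {}},
    "visitor_on_corp_ssid": {"user_name": "carol@example.org", "ssid": "corp", "node_info": {}},
}

def classify_all(cfg=None):
    cfg = load_filters() if cfg is None else cfg
    return {name: autoreg_role(cfg, req) for name, req in REQUESTS.items()}
```
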
Re: [PacketFence-users] autoreg with vlan filter not working

2016-04-28 Thread Morris, Andi
Hey all,
A bump of an old topic, but it still seems to be the case. Somewhere since 
version 5.0.1 the vlan_filters has changed as it works as below in that 
version, but I couldn't get it to work with version 5.7.0 or now with 6.0.

I can get a positive match using 'user_name' and 'regex' as you can see from 
the previous emails, however I used to use a 'match_not' with 'username' and 
this is no longer recognised. Is there a similar syntax change that I can do to 
make this rule work?

[visiting_user]
filter = username
operator = match_not
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 03 March 2016 13:54
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] autoreg with vlan filter not working

Bingo! Thanks Fabrice.

From: Fabrice DURAND [mailto:fdur...@inverse.ca]
Sent: 03 March 2016 13:34
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] autoreg with vlan filter not working

let's try with regex but user_name instead of username.

Fabrice

Le 2016-03-03 08:19, Morris, Andi a écrit :
Hi Fabrice,
No luck there, sorry. I changed that, restarted packetfence, packetfence-config 
and also performed a configreload hard but I still see the following in the 
packetfence.log:

Mar 03 13:17:18 httpd.aaa(8299) INFO: [mac:30:10:b3:13:be:37] handling radius autz request: from switch_ip => (192.168.142.13), connection_type => Wireless-802.11-EAP,switch_mac => (00:3a:98:d0:1e:c0), mac => [30:10:b3:13:be:37], port => 13, username => "testu...@cardiffmet.ac.uk", ssid => eduroam_dev (pf::radius::authorize)
Mar 03 13:17:18 httpd.aaa(8299) INFO: [mac:30:10:b3:13:be:37] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Mar 03 13:17:18 httpd.aaa(8299) INFO: [mac:30:10:b3:13:be:37] (192.168.142.13) Added VLAN 60 to the returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
Mar 03 13:17:18 httpd.aaa(8299) INFO: [mac:30:10:b3:13:be:37] (192.168.142.13) Returning ACCEPT with VLAN 60  (pf::Switch::returnRadiusAccessAccept)

Cheers,
Andi

From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: 03 March 2016 12:29
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] autoreg with vlan filter not working

Hi Andi,

replace match by regex.

Regards
Fabrice

Le 2016-03-03 06:43, Morris, Andi a écrit :
Hi,
Running version 5.7.0 on CentOS.

I'm trying to get autoreg working through vlan_filters like I have on my 5.0.1 
production install but it doesn't seem to be taking effect and new devices are 
being sent into the registration network after a radius access-accept message.

My vlan filter is as below, which is directly lifted from my 5.0.1 config. Has 
anything changed with vlan filters? I've tried switching 'match' for 'regex' as 
I've seen that mentioned in the documentation and on this list. The only major 
difference in my config on the newer version is that I'm using the built-in 
domain/realm config in the GUI, which I didn't do on my 5.0.1 install. I'm not 
sure if that has a bearing as I'm trying to filter on the realm name.

[home_user]
filter = username
operator = match
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

realm.conf is:
[cardiffmet.ac.uk]
domain=myDomainlabel
options=strip

[uwic.ac.uk]
domain= myDomainlabel
options=strip

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--




[PacketFence-users] Logging into captive portal against AD with username@realm

2016-03-29 Thread Morris, Andi
Hi,
Hopefully just a quick one.

I know it's pretty easy to setup Packetfence to be able to authenticate users 
against active directory in order to register devices using their standard 
account name, however I was wondering whether it's possible to allow the user 
to login/register in the captive portal using 
usern...@realm.ac.uk but still against our active 
directory database i.e. packetfence drops the realm and just checks against the 
stripped username as it would with a radius request.

The reason is that it's for our eduroam setup, and I'd rather users 
authenticate against the captive portal with the same usern...@realm.ac.uk that 
they would when logging into eduroam manually, just for standardisation. It will 
be confusing for users to log in to the captive portal using just username, and 
then usern...@realm.ac.uk when connecting to the main network.

Cheers,
Andi




Re: [PacketFence-users] mschap rejecting known good user

2016-03-29 Thread Morris, Andi
Apologies for the delay.

This was resolved off list using the commercial support route (highly 
recommended!).

Cheers,
Andi

From: and...@jonesy.com.au [mailto:and...@jonesy.com.au]
Sent: 23 March 2016 20:51
To: packetfence-users@lists.sourceforge.net; Tobias Friede <t.fri...@gmail.com>
Subject: Re: [PacketFence-users] mschap rejecting known good user

Are your domain controllers configured to allow NTLMv2?

It's a security policy setting, configured in the default domain controller 
policy, usually.

Andrew
On 24 March 2016 3:31:22 AM AEDT, Tobias Friede <t.fri...@gmail.com> wrote:
Hi,

looks a little bit like the problem I have with authentication against an 
Active Directory.

The Credentials are correct and I get back an NT-Key, but FreeRadius tells me: 
MS-CHAP2-Response is incorrect
Can you try this?

chroot /chroot/CMetDomain ntlm_auth --username=testuser --challenge=ddd77a598cbc5038 --nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f --request-nt-key

2016-03-23 15:28 GMT+01:00 Morris, Andi <amor...@cardiffmet.ac.uk>:
Hi all,
I’m looking to port our current working 5.0.1 packetfence system over to a 
newer version. We use it as a NAC system for our eduroam wireless 
infrastructure, and it has always worked well in previous versions.

For this version I’ve gone down the route of using the built in domain and 
realm config of packetfence, I’m not sure whether this is where I’m going 
wrong. I’m getting access-rejects for known good users from the chrooted mschap 
module when doing this, as below:

++? if (PacketFence-Domain)
? Evaluating (PacketFence-Domain) -> TRUE
++? if (PacketFence-Domain) -> TRUE
++if (PacketFence-Domain) {
[chrooted_mschap] Creating challenge hash with username: 
testu...@cardiffmet.ac.uk<mailto:testu...@cardiffmet.ac.uk>
[chrooted_mschap] Client is using MS-CHAPv2 for 
testu...@cardiffmet.ac.uk<mailto:testu...@cardiffmet.ac.uk>, we need NT-Password
[chrooted_mschap]   expand: /chroots/%{PacketFence-Domain} -> 
/chroots/CMetDomain
[chrooted_mschap]   expand: %{Stripped-User-Name} -> testuser
[chrooted_mschap]   expand: 
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> 
--username=testuser
[chrooted_mschap] Creating challenge hash with username: 
testu...@cardiffmet.ac.uk<mailto:testu...@cardiffmet.ac.uk>
[chrooted_mschap]   expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=ddd77a598cbc5038
[chrooted_mschap]   expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f
Exec output: Access denied (0xc022)
Exec plaintext: Access denied (0xc022)
[chrooted_mschap] Exec: program returned: 1
[chrooted_mschap] External script failed.
[chrooted_mschap] FAILED: MS-CHAP2-Response is incorrect
+++[chrooted_mschap] = reject
++} # if (PacketFence-Domain) = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect (chrooted_mschap: External script says Access denied 
(0xc022)): [testu...@cardiffmet.ac.uk] 
(from client 192.168.142.13 port 13 cli 30:10:b3:13:be:37 via TLS tunnel)

I’ve had to modify the chrooted mschap module so that the stripped user name is 
the one queried, but I’m still getting rejected. I think that the line below 
from the excerpt above may be the key:
[chrooted_mschap] Creating challenge hash with username: testu...@cardiffmet.ac.uk

My realm config is:
[cardiffmet.ac.uk]
domain=CMetDomain
options=strip
source=DCLL02

I’ve attached the full obfuscated radius debug log in case there’s something 
there.

As mentioned above, I’m not sure the built in realm & domain options are the 
best way to get this working for eduroam, as I will need to also add other 
servers to the proxy.conf etc.

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--
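As an added worked example (not code from this thread, FreeRADIUS or PacketFence), the RFC 2759 ChallengeHash that the "Creating challenge hash with username" line refers to, computed in Python over constructed 16-byte peer and authenticator challenges, with a length check for the --challenge and --nt-response values quoted in the debug output:

```python
"""RFC 2759 MS-CHAPv2 challenge-hash check (added example, not from the thread)."""
import hashlib
import re

# Constructed challenges; real ones are 16 random bytes each, taken from the
# MS-CHAP-Challenge and MS-CHAP2-Response attributes of the Access-Request.
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    Returns the 8-byte value that the module logs as "Creating challenge hash
    with username: ..." and later hands to ntlm_auth as --challenge=.
    RFC 2759 specifies UserName as the name presented by the peer, excluding any
    prepended domain; the supplicant and the server must hash the same string.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("peer and authenticator challenges must be 16 bytes each")
    data = peer_challenge + authenticator_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def challenges_agree(username_client: str, username_server: str) -> bool:
    """True only when both sides derive the same 8-byte challenge, i.e. when the
    username strings are byte-identical.  Any difference (stripped realm,
    changed case, prepended domain) gives a different challenge, so the client's
    NT-Response cannot verify and the module reports
    "MS-CHAP2-Response is incorrect" even though the password is right."""
    a = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, username_client)
    b = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, username_server)
    return a == b


_HEX_ARG = re.compile(r"^--(challenge|nt-response)=([0-9a-fA-F]+)$")
EXPECTED_LEN = {"challenge": 8, "nt-response": 24}


def parse_ntlm_auth_arg(arg: str) -> bytes:
    """Validate one --challenge= / --nt-response= argument as it appears in the
    rlm_mschap debug output and return its raw bytes.  Only the length is
    checked: 8 bytes for the challenge hash, 24 bytes for the NT-Response."""
    m = _HEX_ARG.match(arg)
    if not m:
        raise ValueError(f"not a --challenge= or --nt-response= argument: {arg!r}")
    name, hexval = m.group(1), m.group(2)
    raw = bytes.fromhex(hexval)
    if len(raw) != EXPECTED_LEN[name]:
        raise ValueError(f"--{name} must be {EXPECTED_LEN[name]} bytes, got {len(raw)}")
    return raw


if __name__ == "__main__":
    # The two values from the debug log quoted in the thread.
    print(len(parse_ntlm_auth_arg("--challenge=ddd77a598cbc5038")))  # 8
    print(len(parse_ntlm_auth_arg(
        "--nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f")))  # 24
    # Same string on both sides: challenges agree.  Stripped realm: they do not.
    print(challenges_agree("testuser@cardiffmet.ac.uk", "testuser@cardiffmet.ac.uk"))  # True
    print(challenges_agree("testuser@cardiffmet.ac.uk", "testuser"))  # False
```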




Re: [PacketFence-users] dot1x auth when soh is enabled

2016-03-19 Thread Morris, Andi
Hi Louis,
Co-incidentally earlier today I had a conversation with a colleague about 
getting posture checking with dot1x auth and windows clients and I suggested 
Packetfence for the solution. If you discontinue SoH, is there something on the 
roadmap that would be its equivalent?

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 17 March 2016 13:51
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] dot1x auth when soh is enabled


On Mar 17, 2016, at 8:33, Diego Bonfigli wrote:

so the question is: is it the right behavior? If that's the case, it could be a 
problem because since Windows 10 NAP is no longer supported and we cannot 
enforce NAP configuration in all of our clients.

As you say, SoH is essentially dead.
My advice to all is to forget about it unless you have a network on which you 
are sure that only supported clients will connect.

We are considering removing support for it in the next release.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  
www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)




Re: [PacketFence-users] Sponsor Registration

2016-03-19 Thread Morris, Andi
Hi Brian,
1 - The sponsor is recorded against the owner of the device. Maybe this works 
for you?

2 - You could use SAML authentication for single sign on if you have a SAML 
based IdP e.g. ADFS/Shibboleth. This would mean that your sponsors wouldn't 
have to keep logging in.

Cheers,
Andi

-Original Message-
From: Brian Ott [mailto:brian@oicr.on.ca]
Sent: 16 March 2016 13:41
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Sponsor Registration

Hello,

I'm looking to have Packetfence be our primary captive portal but we need to 
meet a few requirements first. One is that when a user registers with a sponsor 
we were wondering if it's possible for the following.

1. Keep a record of the sponsor in Node Information? I notice there is no field 
for this in the database but it would be nice to know who was the sponsor.

2. Do not require sponsors to login. We sometimes have 20+ guests for meetings 
and it would be annoying for our sponsors to keep logging in.
Just clicking the activation link would be enough. Any other solution for bulk 
additions would be great as well.

If these two things are possible would someone kindly assist?

Thanks,


--

Brian Ott
Unix System Administrator

Ontario Institute for Cancer Research
MaRS Centre, South Tower
101 College Street, Suite 800
Toronto, Ontario, Canada M5G 0A3

Telephone:647-260-7977
Email:  brian@oicr.on.ca
www.oicr.on.ca



This message and any attachments may contain confidential and/or privileged 
information for the sole use of the intended recipient. Any review or 
distribution by anyone other than the person for whom it was originally 
intended is strictly prohibited. If you have received this message in error, 
please contact the sender and delete all copies.
Opinions, conclusions or other information contained in this message may not be 
that of the organization.



Re: [PacketFence-users] dot1x auth when soh is enabled

2016-03-19 Thread Morris, Andi
Thanks Louis,
MDM is being looked at as part of a separate project, but the WMI solution is 
certainly possible. I’ll have a look around that.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 17 March 2016 15:01
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] dot1x auth when soh is enabled


On Mar 17, 2016, at 10:41 , Morris, Andi 
<amor...@cardiffmet.ac.uk> wrote:

Hi Louis,
Co-incidentally earlier today I had a conversation with a colleague about 
getting posture checking with dot1x auth and windows clients and I suggested 
Packetfence for the solution. If you discontinue SoH, is there something on the 
roadmap that would be its equivalent?



Hi Andi,
We are probably not going to remove it entirely for now, but rather make it 
something optional that you may have to download separately.
The specifics are under discussion and your input is valued.

The problem is that even Microsoft has stopped supporting it.
So it’s only going to get more problematic as time marches on.

I would recommend you look into the PacketFence WMI integration or a Mobile 
Device Management solution (MDM) if you really need those features.
WMI is more work to set up but allows for finer grained checks.

MDM solutions are more expensive if you don’t count your own time (there is no 
free lunch I am afraid…) but can get you off the ground faster.
Some of them already integrate with PF (Opswat, MobileIron and Symantec SEPM) 
and we will be working on supporting others in the future.

It’s all about what you want to tradeoff. Your time or your money.

Best regards,


Re: [PacketFence-users] bypassing AUP

2016-03-15 Thread Morris, Andi
Hi Antoine,
Thanks very much, I'll give that a shot.

Cheers
Andi

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: 15 March 2016 16:55
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] bypassing AUP

Hello Andi,

This is an example of what we usually do in login.html which you can reproduce 
in other pages.

[%# AUP %]
  
  

Comment the whole AUP section, and change the input as shown.

Thank you
On 03/15/2016 12:31 PM, Morris, Andi wrote:
Hi all,
I need to edit the registration form so that users don't see the AUP (this will 
be provided in a separate link). I've removed the section from the guest.html, 
but when I register I see an error telling me that I haven't accepted the AUP. 
Is there a way to override this check?

Cheers,
Andi

--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


[PacketFence-users] bypassing AUP

2016-03-15 Thread Morris, Andi
Hi all,
I need to edit the registration form so that users don't see the AUP (this will 
be provided in a separate link). I've removed the section from the guest.html, 
but when I register I see an error telling me that I haven't accepted the AUP. 
Is there a way to override this check?

Cheers,
Andi



Re: [PacketFence-users] autoreg with vlan filter not working

2016-03-03 Thread Morris, Andi
Hi Fabrice,
No luck there sorry. I changed that, restarted packetfence, packetfence-config 
and also performed a configreload hard but I still see the following in the 
packetfence.log:

Mar 03 13:17:18 httpd.aaa(8299) INFO: [mac:30:10:b3:13:be:37] handling radius 
autz request: from switch_ip => (192.168.142.13), connection_type => 
Wireless-802.11-EAP,switch_mac => (00:3a:98:d0:1e:c0), mac => 
[30:10:b3:13:be:37], port => 13, username => "testu...@cardiffmet.ac.uk", ssid 
=> eduroam_dev (pf::radius::authorize)
Mar 03 13:17:18 httpd.aaa(8299) INFO: [mac:30:10:b3:13:be:37] is of status 
unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Mar 03 13:17:18 httpd.aaa(8299) INFO: [mac:30:10:b3:13:be:37] (192.168.142.13) 
Added VLAN 60 to the returned RADIUS reply 
(pf::Switch::returnRadiusAccessAccept)
Mar 03 13:17:18 httpd.aaa(8299) INFO: [mac:30:10:b3:13:be:37] (192.168.142.13) 
Returning ACCEPT with VLAN 60  (pf::Switch::returnRadiusAccessAccept)

Cheers,
Andi

From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: 03 March 2016 12:29
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] autoreg with vlan filter not working

Hi Andi,

replace match by regex.

Regards
Fabrice

On 2016-03-03 06:43, Morris, Andi wrote:
Hi,
Running version 5.7.0 on CentOS.

I'm trying to get autoreg working through vlan_filters like I have on my 5.0.1 
production install but it doesn't seem to be taking effect and new devices are 
being sent into the registration network after a radius access-accept message.

My vlan filter is as below, which is directly lifted from my 5.0.1 config. Has 
anything changed with vlan filters? I've tried switching 'match' for 'regex' as 
I've seen that mentioned in the documentation and on this list. The only major 
difference in my config on the newer version is that I'm using the built-in 
domain/realm config in the GUI, which I didn't do on my 5.0.1 install. I'm not 
sure if that has a bearing as I'm trying to filter on the realm name.

[home_user]
filter = username
operator = match
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

realm.conf is:
[cardiffmet.ac.uk]
domain=myDomainlabel
options=strip

[uwic.ac.uk]
domain= myDomainlabel
options=strip

Cheers,
Andi



[PacketFence-users] autoreg with vlan filter not working

2016-03-03 Thread Morris, Andi
Hi,
Running version 5.7.0 on CentOS.

I'm trying to get autoreg working through vlan_filters like I have on my 5.0.1 
production install but it doesn't seem to be taking effect and new devices are 
being sent into the registration network after a radius access-accept message.

My vlan filter is as below, which is directly lifted from my 5.0.1 config. Has 
anything changed with vlan filters? I've tried switching 'match' for 'regex' as 
I've seen that mentioned in the documentation and on this list. The only major 
difference in my config on the newer version is that I'm using the built-in 
domain/realm config in the GUI, which I didn't do on my 5.0.1 install. I'm not 
sure if that has a bearing as I'm trying to filter on the realm name.

[home_user]
filter = username
operator = match
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

realm.conf is:
[cardiffmet.ac.uk]
domain=myDomainlabel
options=strip

[uwic.ac.uk]
domain= myDomainlabel
options=strip

Cheers,
Andi
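Added example (not PacketFence's own filter engine): a small Python model of the vlan_filters.conf fragment posted here and quoted in the reply above, with Fabrice's suggested `operator = regex` applied, evaluated against constructed usernames. The parser, the `autoreg_role` function and the handling of the `regex`/`is` operators are simplifying assumptions, not the project's semantics.

```python
"""Toy model of a PacketFence vlan_filters.conf AutoRegister rule (added example,
not the project's engine).  Assumption: only the operators 'regex' and 'is' are
modelled, and 'regex' is an unanchored search over the named attribute."""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the poster's fragment with the value on one line and the
# suggested operator (regex).  The pattern itself is the poster's own.
VLAN_FILTERS_CONF = r"""
[home_user]
filter = username
operator = regex
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home
"""

Condition = Dict[str, str]
Action = Tuple[str, str, Dict[str, str]]  # (rule name, condition name, settings)


def load_rules(text: str) -> Tuple[Dict[str, Condition], List[Action]]:
    """Split sections into conditions ([name]) and actions ([name:condition])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions: Dict[str, Condition] = {}
    actions: List[Action] = []
    for section in cp.sections():
        if ":" in section:
            rule, cond = section.split(":", 1)
            actions.append((rule, cond, dict(cp[section])))
        else:
            conditions[section] = dict(cp[section])
    return conditions, actions


def condition_matches(cond: Condition, attrs: Dict[str, str]) -> bool:
    """Evaluate one condition against the request attributes.  Whatever string
    the engine is handed as 'username' is what gets matched: a realm-stripped
    name such as 'testuser' can never satisfy a realm pattern."""
    actual = attrs.get(cond["filter"])
    if actual is None:
        return False
    op = cond["operator"]
    if op == "regex":
        return re.search(cond["value"], actual) is not None
    if op == "is":
        return actual == cond["value"]
    raise ValueError(f"operator {op!r} is not modelled in this example")


def autoreg_role(conf_text: str, attrs: Dict[str, str]) -> Optional[str]:
    """Return the role the first matching AutoRegister rule assigns, or None
    (the device then stays unregistered and lands in the registration VLAN,
    which is what the poster's packetfence.log shows)."""
    conditions, actions = load_rules(conf_text)
    for _rule, cond_name, settings in actions:
        if settings.get("scope") != "AutoRegister":
            continue
        if condition_matches(conditions[cond_name], attrs):
            return settings.get("role")
    return None


# Equivalent, shorter pattern: a case-insensitive flag instead of [Cc][Aa]... classes.
SIMPLER_PATTERN = re.compile(r"^.+@(cardiffmet|uwic)\.ac\.uk$", re.IGNORECASE)


def patterns_agree(usernames: List[str]) -> bool:
    """Check that the hand-built pattern and SIMPLER_PATTERN decide identically
    for every constructed username."""
    original = re.compile(load_rules(VLAN_FILTERS_CONF)[0]["home_user"]["value"])
    return all(bool(original.search(u)) == bool(SIMPLER_PATTERN.search(u)) for u in usernames)


if __name__ == "__main__":
    for user in ["testuser@cardiffmet.ac.uk", "Someone@UWIC.AC.UK", "testuser", "guest@other.ac.uk"]:
        print(f"{user!r} -> {autoreg_role(VLAN_FILTERS_CONF, {'username': user})}")
```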



Re: [PacketFence-users] Installing with separate database server

2016-02-29 Thread Morris, Andi
Hi,
I've no idea why, but a rebuild of the server fixed this. Cheers for your help.

Cheers,
Andi

-Original Message-
From: James Rouzier [mailto:jrouz...@inverse.ca] 
Sent: 26 February 2016 15:15
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Installing with separate database server

It seems that you have multiple p0f services running.

Kill them manually for now and try to restart.
Let me know if that helps

James Rouzier
jrouz...@inverse.ca :: +1.514.447.4918 (x115)  ::  http://www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://www.packetfence.org)

On 2016-02-26 9:58 AM, Morris, Andi wrote:
> Hi James,
> Yes, thanks, I've done that. Apologies my last email was terribly formatted 
> somehow.
>
> I still cannot start the services due to this kill error. I may just rebuild 
> the server and see if I can work out exactly when this starts to happen.
>
> Cheers,
> Andi
>
> -Original Message-
> From: James Rouzier [mailto:jrouz...@inverse.ca]
> Sent: 26 February 2016 14:57
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Installing with separate database 
> server
>
> You would also need to update the database configuration in 
> conf/pfconfig.conf
>
> James Rouzier
> jrouz...@inverse.ca :: +1.514.447.4918 (x115)  ::  
> http://www.inverse.ca Inverse inc. :: Leaders behind SOGo 
> (http://www.sogo.nu) and PacketFence (http://www.packetfence.org)
>
> On 2016-02-26 7:13 AM, Morris, Andi wrote:
>> Thanks for your help Fabrice,
>>
>> OK, so this isn't working as it supposedly should.
>>
>> I've setup the schema and granted the privileges on the db server.
>> After running through the configuration wizard on the main server I 
>> did a mysqldump and then imported that to the db server I can access 
>> the remote database by using mysql -u pf -p -h  pf When 
>> connected to the database I can run show tables and see the pf tables
>>
>> In pf.conf I've changed the hostname to reflect the remote server ip
>>
>> When trying to start the packetfence and packetfence-config services I could 
>> see that there was a L2 connection error to the database. Packetfence.log 
>> pointed me to the fact the packetfence-config was still pointing to the 
>> localhost (where the mysqld service was stopped).
>>
>> I added the host to pfconfig.conf and the packetfence-config service now 
>> starts.
>>
>> However, the packetfence services do not. When trying to start these I see:
>> Insecure dependency in kill while running with -T switch at 
>> /usr/local/pf/lib/pf/services/manager.pm line 544.
>>
>> Packetfence.log shows:
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x iptables returned -1
>> (pf::services::manager::pidFromFile)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process -1
>> (pf::services::manager::removeStalePid)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x iptables returned -1
>> (pf::services::manager::pidFromFile)
>> Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x collectd returned 1966
>> (pf::services::manager::pidFromFile)
>> Feb 26 11:59:24 pfcmd.pl(1357) WARN: Problem trying to run command:
>> iptables -S | grep input-management-if called from 
>> manager::iptables::isAlive. Child exited with non-zero value 1
>> (pf::util::pf_run) Feb 26 11:59:24 pfcmd.pl(1391) INFO: verifying 
>> process 1966 (pf::services::manager::removeStalePid)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
>> /usr/local/pf/var/run/iptables.pid
>> (pf::services::manager::removeStalePid)
>> Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x collectd returned 1966
>> (pf::services::manager::pidFromFile)
>> Feb 26 11:59:24 pfcmd.pl(1391) INFO: removing stale pid file 
>> /usr/local/pf/var/run/collectd.pid
>> (pf::services::manager::removeStalePid)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfqueue returned 1823
>> (pf::services::manager::pidFromFile)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1823
>> (pf::services::manager::removeStalePid)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfqueue returned 1823
>> (pf::services::manager::pidFromFile)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
>> /usr/local/pf/var/run/pfqueue.pid
>> (pf::services::manager::removeStalePid)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth1 
>> returned 1857 (pf::services::manager::pidFromFile)
>> Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1857
>> (pf::services::manager::removeStalePid)
>> Feb 26 11:59:24 pfcmd.pl(1

Re: [PacketFence-users] Installing with separate database server

2016-02-26 Thread Morris, Andi
Hi James,
Yes, thanks, I've done that. Apologies my last email was terribly formatted 
somehow.

I still cannot start the services due to this kill error. I may just rebuild 
the server and see if I can work out exactly when this starts to happen.

Cheers,
Andi

-Original Message-
From: James Rouzier [mailto:jrouz...@inverse.ca] 
Sent: 26 February 2016 14:57
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Installing with separate database server

You would also need to update the database configuration in conf/pfconfig.conf

James Rouzier
jrouz...@inverse.ca :: +1.514.447.4918 (x115)  ::  http://www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://www.packetfence.org)

On 2016-02-26 7:13 AM, Morris, Andi wrote:
> Thanks for your help Fabrice,
>
> OK, so this isn't working as it supposedly should.
>
> I've setup the schema and granted the privileges on the db server.
> After running through the configuration wizard on the main server I 
> did a mysqldump and then imported that to the db server I can access 
> the remote database by using mysql -u pf -p -h  pf When 
> connected to the database I can run show tables and see the pf tables
>
> In pf.conf I've changed the hostname to reflect the remote server ip
>
> When trying to start the packetfence and packetfence-config services I could 
> see that there was a L2 connection error to the database. Packetfence.log 
> pointed me to the fact the packetfence-config was still pointing to the 
> localhost (where the mysqld service was stopped).
>
> I added the host to pfconfig.conf and the packetfence-config service now 
> starts.
>
> However, the packetfence services do not. When trying to start these I see:
> Insecure dependency in kill while running with -T switch at 
> /usr/local/pf/lib/pf/services/manager.pm line 544.
>
> Packetfence.log shows:
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x iptables returned -1 
> (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process -1 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x iptables returned -1 
> (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x collectd returned 1966 
> (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1357) WARN: Problem trying to run command: 
> iptables -S | grep input-management-if called from 
> manager::iptables::isAlive. Child exited with non-zero value 1 
> (pf::util::pf_run) Feb 26 11:59:24 pfcmd.pl(1391) INFO: verifying 
> process 1966 (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
> /usr/local/pf/var/run/iptables.pid 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x collectd returned 1966 
> (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1391) INFO: removing stale pid file 
> /usr/local/pf/var/run/collectd.pid 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfqueue returned 1823 
> (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1823 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfqueue returned 1823 
> (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
> /usr/local/pf/var/run/pfqueue.pid 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth1 
> returned 1857 (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1857 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth1 
> returned 1857 (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
> /usr/local/pf/var/run/pfdhcplistener_eth1.pid 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth2 
> returned 1871 (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1871 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth2 
> returned 1871 (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
> /usr/local/pf/var/run/pfdhcplistener_eth2.pid 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x dhcpd returned 1879 
> (pf::services::manager::pidFromFile)
> Feb 26 11:59:24 pfcmd.pl(1391) INFO: verifying process 1879 
> (pf::services::manager::removeStalePid)
> Feb 26 11:59:24 pfcmd

Re: [PacketFence-users] Installing with separate database server

2016-02-26 Thread Morris, Andi
Actually, this appears to be ingrained with the install (CentOS 6.7) as putting 
the two database references back also displays this message. I'm not sure how 
the services started ok when I first installed the server and ran through the 
wizard.

-Original Message-
From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] 
Sent: 26 February 2016 12:18
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Installing with separate database server

Thanks for your help Fabrice,

OK, so this isn't working as it supposedly should.

I've setup the schema and granted the privileges on the db server.
After running through the configuration wizard on the main server I did a 
mysqldump and then imported that to the db server I can access the remote 
database by using mysql -u pf -p -h  pf When connected to the 
database I can run show tables and see the pf tables

In pf.conf I've changed the hostname to reflect the remote server ip

When trying to start the packetfence and packetfence-config services I could 
see that there was a L2 connection error to the database. Packetfence.log 
pointed me to the fact the packetfence-config was still pointing to the 
localhost (where the mysqld service was stopped).

I added the host to pfconfig.conf and the packetfence-config service now starts.

However, the packetfence services do not. When trying to start these I see:
Insecure dependency in kill while running with -T switch at 
/usr/local/pf/lib/pf/services/manager.pm line 544.

Packetfence.log shows:
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x iptables returned -1 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process -1 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x iptables returned -1 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x collectd returned 1966 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) WARN: Problem trying to run command: iptables -S 
| grep input-management-if called from manager::iptables::isAlive. Child exited 
with non-zero value 1 (pf::util::pf_run) Feb 26 11:59:24 pfcmd.pl(1391) INFO: 
verifying process 1966 (pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
/usr/local/pf/var/run/iptables.pid (pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x collectd returned 1966 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: removing stale pid file 
/usr/local/pf/var/run/collectd.pid (pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfqueue returned 1823 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1823 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfqueue returned 1823 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
/usr/local/pf/var/run/pfqueue.pid (pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth1 returned 1857 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1857 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth1 returned 1857 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
/usr/local/pf/var/run/pfdhcplistener_eth1.pid 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth2 returned 1871 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1871 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth2 returned 1871 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
/usr/local/pf/var/run/pfdhcplistener_eth2.pid 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x dhcpd returned 1879 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: verifying process 1879 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x dhcpd returned 1879 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: removing stale pid file 
/usr/local/pf/var/run/dhcpd.pid (pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth0 returned 1875 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1875 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x pfdhcplistener_eth0 returned 1875 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: removing stale pid file 
/usr/local/pf/var/run/pfdhcplistener_eth0.pid 
(pf::services::manager::removeStalePid)
Feb 26 11:59

Re: [PacketFence-users] Installing with separate database server

2016-02-26 Thread Morris, Andi
 p0f returned 1923 1921 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x p0f returned 1923 1921 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: verifying process 1923 1921 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: verifying process 1923 1921 
(pf::services::manager::removeStalePid)
Feb 26 11:59:24 pfcmd.pl(1357) INFO: pidof -x p0f returned 1923 1921 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1391) INFO: pidof -x p0f returned 1923 1921 
(pf::services::manager::pidFromFile)
Feb 26 11:59:24 pfcmd.pl(1391) FATAL: Insecure dependency in kill while running 
with -T switch at /usr/local/pf/lib/pf/services/manager.pm line 544.
 (pf::services::manager::isAlive)
Feb 26 11:59:24 pfcmd.pl(1357) FATAL: Insecure dependency in kill while running 
with -T switch at /usr/local/pf/lib/pf/services/manager.pm line 544.
 (pf::services::manager::isAlive)
Feb 26 11:59:48 pfcmd.pl(1451) INFO: pidof -x p0f returned 1923 1921 
(pf::services::manager::pidFromFile)
Feb 26 11:59:48 pfcmd.pl(1451) INFO: verifying process 1923 1921 
(pf::services::manager::removeStalePid)
Feb 26 11:59:48 pfcmd.pl(1451) INFO: pidof -x p0f returned 1923 1921 
(pf::services::manager::pidFromFile)
Feb 26 11:59:48 pfcmd.pl(1451) FATAL: Insecure dependency in kill while running 
with -T switch at /usr/local/pf/lib/pf/services/manager.pm line 544.
 (pf::services::manager::isAlive)

What am I doing wrong?

Cheers,
Andi

-Original Message-
From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: 25 February 2016 16:03
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Installing with separate database server
Importance: Low

Yes exactly, mysql is a dependency but disable it when the system starts.
 

On Thursday, February 25, 2016 10:49 EST, "Morris, Andi" <amor...@cardiffmet.ac.uk> 
wrote: 
 
> Thanks Fabrice,
> So for the actual packetfence server I just install as the complete package, 
> but just ignore/disable the local mysql installation?
> 
> Cheers,
> Andi
> 
> -Original Message-
> From: Fabrice Durand [mailto:fdur...@inverse.ca]
> Sent: 25 February 2016 15:29
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Installing with separate database 
> server
> Importance: Low
> 
> Hello Andi,
> 
> you just need to install a mysql server (mysql, mariadb, galera-cluster 
> ...), import db/pf-schema.sql.
> And:
> 
> -- user@host and the password are string literals and must be quoted
> GRANT SELECT,INSERT,UPDATE,DELETE,EXECUTE,LOCK TABLES ON pf.* TO 'pf'@'172.20.20.1' IDENTIFIED BY 'packetfence';
> GRANT DROP ON pf.radius_nas TO 'pf'@'172.20.20.1' IDENTIFIED BY 'packetfence';
> GRANT ALL PRIVILEGES ON pf_graphite.* TO 'pf'@'172.20.20.1' IDENTIFIED BY 'packetfence';
> 
> 172.20.20.1 is your pf ip address.
> And change the db information in pf.conf (ie pf.conf.default).
> 
> Regards
> Fabrice
>  
> On Thursday, February 25, 2016 08:15 EST, "Morris, Andi" 
> <amor...@cardiffmet.ac.uk> wrote: 
>  
> > Hi all.
> > Just wondering what the best practice is for installing packetfence with a 
> > separate mysql database server. Do I need to install packetfence on the 
> > main server without the mysql elements? If so, what's the best way to do 
> > that so that I don't miss out a vital dependency when installing separate 
> > packages?
> > 
> > For the database server itself, is it best to install mysql from the 
> > packetfence repository? If so, again what are the packages required for 
> > this to run?
> > 
> > I'm aware of the schema scripts in /usr/local/pf/db and I've seen the 
> > command on this mailing list to set the necessary user permissions, is this 
> > info in any of the admin guides?
> > 
> > Cheers,
> > Andi
> > 
> > 
> > [Cardiff Metropolitan University - 150 years of nurturing 
> > talent]<http://www.cardiffmet.ac.uk/cardiffmet150>
> 
> 
> --
> 
> Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + 
> Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor 
> end-to-end web transactions and take corrective actions now Troubleshoot 
> faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151=/4140
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Installing with separate database server

2016-02-25 Thread Morris, Andi
Thanks Fabrice,
So for the actual packetfence server I just install as the complete package, 
but just ignore/disable the local mysql installation?

Cheers,
Andi

-Original Message-
From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: 25 February 2016 15:29
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Installing with separate database server
Importance: Low

Hello Andi,

you just need to install a mysql server (mysql, mariadb, galera-cluster ...), 
import db/pf-schema.sql.
And:

-- user@host and the password are string literals and must be quoted
GRANT SELECT,INSERT,UPDATE,DELETE,EXECUTE,LOCK TABLES ON pf.* TO 'pf'@'172.20.20.1' IDENTIFIED BY 'packetfence';
GRANT DROP ON pf.radius_nas TO 'pf'@'172.20.20.1' IDENTIFIED BY 'packetfence';
GRANT ALL PRIVILEGES ON pf_graphite.* TO 'pf'@'172.20.20.1' IDENTIFIED BY 'packetfence';

172.20.20.1 is your pf ip address.
And change the db information in pf.conf (ie pf.conf.default).

Regards
Fabrice
 
On Thursday, February 25, 2016 08:15 EST, "Morris, Andi" <amor...@cardiffmet.ac.uk> 
wrote: 
 
> Hi all.
> Just wondering what the best practice is for installing packetfence with a 
> separate mysql database server. Do I need to install packetfence on the main 
> server without the mysql elements? If so, what's the best way to do that so 
> that I don't miss out a vital dependency when installing separate packages?
> 
> For the database server itself, is it best to install mysql from the 
> packetfence repository? If so, again what are the packages required for this 
> to run?
> 
> I'm aware of the schema scripts in /usr/local/pf/db and I've seen the command 
> on this mailing list to set the necessary user permissions, is this info in 
> any of the admin guides?
> 
> Cheers,
> Andi
> 
> 


[PacketFence-users] Installing with separate database server

2016-02-25 Thread Morris, Andi
Hi all.
Just wondering what the best practice is for installing packetfence with a 
separate mysql database server. Do I need to install packetfence on the main 
server without the mysql elements? If so, what's the best way to do that so 
that I don't miss out a vital dependency when installing separate packages?

For the database server itself, is it best to install mysql from the 
packetfence repository? If so, again what are the packages required for this to 
run?

I'm aware of the schema scripts in /usr/local/pf/db and I've seen the command 
on this mailing list to set the necessary user permissions, is this info in any 
of the admin guides?

Cheers,
Andi




Re: [PacketFence-users] Admin GUI - Node details slow.

2016-02-25 Thread Morris, Andi
This looks good, thanks!

However, wouldn't you want to remove the logs by end date, rather than start 
date? Presuming some could still be open after 7 days.

Cheers,
Andi

-Original Message-
From: Bebbet van Dinges [mailto:beb...@bebbet.nl] 
Sent: 23 February 2016 12:40
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Admin GUI - Node details slow.

I've taken a look into it, and while it does what it is supposed to do, it was 
indeed quite cumbersome to run it like this in PHP.

After a deep dive into some MySQL-fu this is what I came up with:

INSERT INTO `pf`.`iplog_archive`
SELECT * FROM `pf`.`iplog_history`
 WHERE start_time < (NOW() - INTERVAL 7 DAY);

Insert old rows into iplog_archive, based on the SELECT query. For the
deletion:

DELETE FROM `pf`.`iplog_history`
WHERE start_time <=
 (SELECT start_time FROM `pf`.`iplog_archive` ORDER BY start_time DESC LIMIT 1);

Delete from iplog_history, based on the start time of the (oldest... well,
newest) entry in iplog_archive, using an inline query.

Can you test this as well? My (still small) database does both in about
0,01 second, for 5000+ rows.



On 17-2-2016 10:27, Bebbet van Dinges wrote:
> Hello Gregory,
> 
> Thank you very much for the script, if i have questions regarding it, 
> i'll give a shout!
> 
> Bebbet
> 
> On 16-2-2016 16:05, Thomas, Gregory A wrote:
>> The script is attached.
>>
>> I know it is not the prettiest or fastest. I was not looking for that, I 
>> needed something now, so here it is.
>>
>> Let me know offline if you have any questions.
>>
>> --
>> Gregory A. Thomas
>> Student Life Support Specialist
>> University of Wisconsin-Parkside
>> thom...@uwp.edu
>> 262.595.2432
>>
>> -Original Message-
>> From: Bebbet van Dinges [mailto:beb...@bebbet.nl]
>> Sent: Tuesday, February 16, 2016 6:08 AM
>> To: packetfence-users@lists.sourceforge.net
>> Subject: Re: [PacketFence-users] Admin GUI - Node details slow.
>>
>> Hello Gregory,
>>
>> I'm quite interested in this script you wrote, can you mail it to the list, 
>> or to me?
>>
>> Yours sincerely,
>> Bebbet
>>
>> On 12-1-2016 15:59, Thomas, Gregory A wrote:
>>> I had the same problem when I was running on a box with somewhat 
>>> limited resources and it did appear that it was the iplog_history 
>>> that was slowing it down.
>>
>>> I decided that I did not need the extended history in the GUI, but 
>>> wanted to keep it somewhere. I created a script that takes any 
>>> entries from the iplog_history over 8 days old and moves them to a 
>>> new table with the same structure named iplog_archive. The task was 
>>> a bit slow, so I added an index on iplog_history.start_time. The 
>>> final line of the script is to optimize iplog_history.
>>
>>> This job runs every morning at 4AM. Since putting this in place, 
>>> the GUI interface when looking at users and their devices is so 
>>> much faster. I know I lose some ability to find instant history, but 
>>> I still have it on the system if I really need to find it. To gain 
>>> easy access to the DB, I have an older version of phpMyAdmin (4.2.2 
>>> because newer versions are not compatible with the CentOS Source 
>>> Distribution of MySQL).
>>
>>> --
>>> Gregory A. Thomas
>>> Student Life Support Specialist
>>> University of Wisconsin-Parkside
>>> thom...@uwp.edu
>>> 262.595.2432
>>
>>
>>> -Original Message-
>>> From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
>>> Sent: Tuesday, January 12, 2016 7:01 AM
>>> To: packetfence-users@lists.sourceforge.net
>>> Subject: Re: [PacketFence-users] Admin GUI - Node details slow.
>>
>>> Just to note, I also see this issue. If as a result of Jake's 
>>> question there comes some routine maintenance that should be done on 
>>> the database, please let me know.
>>
>>> I already run the built in maintenance script, but I notice that I 
>>> have several fragmented tables in the sql tuner results, I'm not 
>>> sure whether this is also having an adverse effect.
>>
>>> Cheers, Andi
>>
>>> -Original Message-
>>> From: Sallee, Jake [mailto:jake.sal...@umhb.edu]
>>> Sent: 11 January 2016 23:54
>>> To: packetfence-users@lists.sourceforge.net
>>> Subject: Re: [PacketFence-users] Admin GUI - Node details slow.
>>
>>> My iplog_history table is sitting @ 87,910,019 records : )
>>
>>> Slow query log shows this:
>>>
>>> # Time: 160111 17:40:33
>>> # User@Host: pf[pf] @
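
The archive/delete pair from Bebbet's message, reworked to key on end_time as Andi's reply suggests, as an added example that is not code from the thread or from PacketFence: both statements run in one transaction, the DELETE removes exactly the ids the INSERT copied, and a lease that is still open is never moved. It assumes the zero end_time the PacketFence iplog tables use for an open lease, reduces the tables to four columns, and uses sqlite3 in place of MySQL so it runs offline on constructed rows.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed marker for a lease that has not ended yet (the zero DATETIME the
# PacketFence iplog tables default end_time to).
OPEN = "0000-00-00 00:00:00"
TS = "%Y-%m-%d %H:%M:%S"
DEMO_NOW = datetime(2016, 2, 25, 12, 0, 0)   # constructed "now" for the demo rows

# Constructed subset of the real tables: only the columns the archival touches.
SCHEMA = """
CREATE TABLE iplog_history (
    id INTEGER PRIMARY KEY, mac TEXT NOT NULL, ip TEXT NOT NULL,
    start_time TEXT NOT NULL, end_time TEXT NOT NULL);
CREATE TABLE iplog_archive (
    id INTEGER PRIMARY KEY, mac TEXT NOT NULL, ip TEXT NOT NULL,
    start_time TEXT NOT NULL, end_time TEXT NOT NULL);
-- the archive predicate filters on end_time, so that is the column to index
CREATE INDEX iplog_history_end_time ON iplog_history (end_time);
"""


def build_demo_db(now):
    """In-memory database holding four constructed iplog_history rows."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    conn.executescript(SCHEMA)
    day = timedelta(days=1)
    rows = [  # mac, ip, start, end (None = still open)
        ("00:11:22:33:44:01", "10.0.0.11", now - 30 * day, now - 20 * day),  # closed long ago
        ("00:11:22:33:44:02", "10.0.0.12", now - 10 * day, None),            # old start, still open
        ("00:11:22:33:44:03", "10.0.0.13", now - 9 * day, now - 2 * day),    # old start, closed recently
        ("00:11:22:33:44:04", "10.0.0.14", now - 1 * day, None),             # recent, still open
    ]
    conn.executemany(
        "INSERT INTO iplog_history (mac, ip, start_time, end_time) VALUES (?, ?, ?, ?)",
        [(m, ip, s.strftime(TS), OPEN if e is None else e.strftime(TS))
         for m, ip, s, e in rows],
    )
    return conn


def rows_by_start_time_rule(conn, now, days=7):
    """MACs the original start_time predicate would archive, for comparison only."""
    cutoff = (now - timedelta(days=days)).strftime(TS)
    return [r[0] for r in conn.execute(
        "SELECT mac FROM iplog_history WHERE start_time < ? ORDER BY mac", (cutoff,))]


def archive_closed_entries(conn, now, days=7):
    """Move rows whose lease ended more than `days` ago; return how many moved.

    The ids are selected once and reused for both statements, so the DELETE
    removes exactly the rows the INSERT copied (a row added between the two
    statements is never lost), and both run inside one transaction.
    """
    cutoff = (now - timedelta(days=days)).strftime(TS)
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        # The zero end_time sorts before every real date, so without the
        # first condition every open lease would be archived as "old".
        ids = [r[0] for r in cur.execute(
            "SELECT id FROM iplog_history WHERE end_time <> ? AND end_time < ?",
            (OPEN, cutoff))]
        if ids:
            marks = ",".join("?" * len(ids))
            cur.execute("INSERT INTO iplog_archive SELECT * FROM iplog_history "
                        f"WHERE id IN ({marks})", ids)
            cur.execute(f"DELETE FROM iplog_history WHERE id IN ({marks})", ids)
        cur.execute("COMMIT")
    except Exception:
        cur.execute("ROLLBACK")
        raise
    return len(ids)


def macs_in(conn, table):
    """Sorted MACs currently in one of the two tables (table name is internal)."""
    return [r[0] for r in conn.execute(f"SELECT mac FROM {table} ORDER BY mac")]


if __name__ == "__main__":
    db = build_demo_db(DEMO_NOW)
    print("start_time rule would move:", rows_by_start_time_rule(db, DEMO_NOW))
    print("moved by end_time rule:     ", archive_closed_entries(db, DEMO_NOW))
    print("left in iplog_history:      ", macs_in(db, "iplog_history"))
    print("now in iplog_archive:       ", macs_in(db, "iplog_archive"))
```

Against MySQL the INSERT and DELETE read the same; only the cutoff changes to NOW() - INTERVAL 7 DAY.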

[PacketFence-users] Guest user default page

2016-02-04 Thread Morris, Andi
Hi all,
Is there a way to make the default captive portal page the signup page rather 
than the login page?

As a spin off to this,  could the signup page then have a link on it pointing 
to the login page? So basically, the reverse of how it is out of the box?

Cheers,
Andi




[PacketFence-users] Questions on violations and captive portal controls

2016-01-13 Thread Morris, Andi
Hi all,
I'm looking to make some adjustments to how we have our PacketFence NAC 
solution setup which is controlling our eduroam wireless network. To start 
with, please let me explain our workflow:

User connects to open SSID, where they are redirected to our wifi setup portal 
containing several provisioning tools and user guidance. To do this I've edited 
the login.html page to redirect all users to this setup site, removing all 
manual registration procedures from the registration network.

Once the user device is configured, and they connect to eduroam, PacketFence 
auto-registers the device and the user is successfully on the network.

What I'm wondering is if it would be possible to put a time limit on the 
registration network, so that if a device sits in the registration network for 
(let's say) one hour, a violation is triggered. This violation directs users 
towards a page that explains that they either need to set their device up for 
the main eduroam network, or they need to tell their device to forget the setup 
network. This is because we see a lot of devices entering our captive portal, 
despite the fact that they are also configured for the main eduroam network. If 
the violation is triggered (let's say) three times, the device is then blocked 
from the registration network using a radius vlan set to -1.

-  My first question, is it possible to trigger one violation from 
another? I.e. when the captive portal access duration violation is triggered 
for the third time, PacketFence then triggers another violation which blocks 
the device from the network.

-  Secondly, is it actually possible to set a per-device time limit on 
the registration network?

Another thing I'd like to do would be to expire registered nodes that haven't 
been seen on the network for (let's say) 90 days, after which they are 
unregistered. Then, unregistered devices with no activity are cleared from the 
database every (let's say) 7 days. I'm pretty sure that this used to be 
possible back with PF version 3.x, but I can't seem to do this with version 5. 
This would likely help with our DB table size.

Also, I'd like to get PacketFence integrated with our Security Onion IDS setup 
to automate some violations, which I see is now possible with the latest 
version. The plan is to have different PacketFence environments per campus, but 
only one IDS server. My questions here are, is it possible to get the IDS 
sending the alerts to more than one PacketFence server (I appreciate that's 
probably a question more for Security Onion), and if so, what would happen if 
the IDS sent an alert to a PacketFence server set to trigger a violation for 
that signature, but the violating node isn't in that PacketFence environment.
e.g.
IDS sends all traffic to two servers: pf1 and pf2
Both servers have a violation set for rule ID 123456
Traffic is seen that triggers rule ID 123456 and both 
PacketFence servers react to isolate the offending device, however pf2 doesn't 
have any record of the device in its database. Does it just carry on and ignore 
the trigger, or will something strange happen?

As always, thanks everybody for your time and input. I do have the invaluable 
commercial support from Inverse, but I wondered if the wider PacketFence 
community had any potential solutions here.

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--





Re: [PacketFence-users] Admin GUI - Node details slow.

2016-01-12 Thread Morris, Andi
Just to note, I also see this issue. If as a result of Jake's question there 
comes some routine maintenance that should be done on the database, please let 
me know.

I already run the built in maintenance script, but I notice that I have several 
fragmented tables in the sql tuner results, I'm not sure whether this is also 
having an adverse effect.

Cheers,
Andi

-Original Message-
From: Sallee, Jake [mailto:jake.sal...@umhb.edu]
Sent: 11 January 2016 23:54
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Admin GUI - Node details slow.

My iplog_history table is sitting @ 87,910,019 records : )

Slow query log shows this:

# Time: 160111 17:40:33
# User@Host: pf[pf] @ localhost []
# Query_time: 81.359632  Lock_time: 0.75 Rows_sent: 25  Rows_examined: 4597 
use pf; SET timestamp=1452555633; SELECT * FROM
(SELECT *, UNIX_TIMESTAMP(start_time) AS start_timestamp, 
UNIX_TIMESTAMP(end_time) AS end_timestamp
FROM iplog
WHERE mac = '70:1a:04:ba:f4:a1'
ORDER BY start_time DESC) AS a
 UNION ALL
 SELECT * FROM
(SELECT *, UNIX_TIMESTAMP(start_time) AS start_timestamp, 
UNIX_TIMESTAMP(end_time) AS end_timestamp
FROM iplog_history
WHERE mac = '70:1a:04:ba:f4:a1'
ORDER BY start_time DESC) AS b
 ORDER BY start_time DESC LIMIT 25; 
=

I think it may be time to truncate this table.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


From: Louis Munro [lmu...@inverse.ca]
Sent: Monday, January 11, 2016 12:29 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Admin GUI - Node details slow.

On Jan 11, 2016, at 9:28 , Sallee, Jake wrote:

At this moment my radacct table is sitting at 4,439,397 rows and my radacct_log 
table is 18,638,591.  Could this be causing the issue?

Quite possibly.
I am saying this without checking but it seems like a likely culprit.

Can you turn on slow query logging on your database?
That should tell us more.


See http://dev.mysql.com/doc/refman/5.7/en/slow-query-log.html for some 
details about that.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)







Re: [PacketFence-users] Admin GUI - Node details slow.

2016-01-12 Thread Morris, Andi
That sounds really interesting. I think I had something similar setup on an old 
box, but not on my current one. I don't think I need the iplog_history to go 
back more than a week either. I'm wondering whether something like this might 
actually take some load off my box too.

-Original Message-
From: Thomas, Gregory A [mailto:thom...@uwp.edu] 
Sent: 12 January 2016 15:24
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Admin GUI - Node details slow.

I had the same problem when I was running on a box with somewhat limited 
resources and it did appear that it was the iplog_history that was slowing it 
down.

I decided that I did not need the extended history in the GUI, but wanted to 
keep it somewhere. I created a script that takes any entries from the 
iplog_history over 8 days old and moves them to a new table with the same 
structure named iplog_archive. The task was a bit slow, so I added an index on 
iplog_history.start_time. The final line of the script is to optimize 
iplog_history.

This job runs every morning at 4AM. Since putting this in place, the GUI 
interface when looking at users and their devices is so much faster. I know 
I lose some ability to find instant history, but I still have it on the system 
if I really need to find it. To gain easy access to the DB, I have an older 
version of phpMyAdmin (4.2.2 because newer versions are not compatible with the 
CentOS Source Distribution of MySQL).

--
Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432


-Original Message-
From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: Tuesday, January 12, 2016 7:01 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Admin GUI - Node details slow.

Just to note, I also see this issue. If as a result of Jake's question there 
comes some routine maintenance that should be done on the database, please let 
me know.

I already run the built in maintenance script, but I notice that I have several 
fragmented tables in the sql tuner results, I'm not sure whether this is also 
having an adverse effect.

Cheers,
Andi

-Original Message-
From: Sallee, Jake [mailto:jake.sal...@umhb.edu]
Sent: 11 January 2016 23:54
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Admin GUI - Node details slow.

My iplog_history table is sitting @ 87,910,019 records : )

Slow query log shows this:

# Time: 160111 17:40:33
# User@Host: pf[pf] @ localhost []
# Query_time: 81.359632  Lock_time: 0.75 Rows_sent: 25  Rows_examined: 4597 
use pf; SET timestamp=1452555633; SELECT * FROM
(SELECT *, UNIX_TIMESTAMP(start_time) AS start_timestamp, 
UNIX_TIMESTAMP(end_time) AS end_timestamp
FROM iplog
WHERE mac = '70:1a:04:ba:f4:a1'
ORDER BY start_time DESC) AS a
 UNION ALL
 SELECT * FROM
(SELECT *, UNIX_TIMESTAMP(start_time) AS start_timestamp, 
UNIX_TIMESTAMP(end_time) AS end_timestamp
FROM iplog_history
WHERE mac = '70:1a:04:ba:f4:a1'
ORDER BY start_time DESC) AS b
 ORDER BY start_time DESC LIMIT 25; 
=

I think it may be time to truncate this table.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


From: Louis Munro [lmu...@inverse.ca]
Sent: Monday, January 11, 2016 12:29 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Admin GUI - Node details slow.

On Jan 11, 2016, at 9:28 , Sallee, Jake <jake.sal...@umhb.edu> wrote:

At this moment my radacct table is sitting at 4,439,397 rows and my radacct_log 
table is 18,638,591.  Could this be causing the issue?

Quite possibly.
I am saying this without checking but it seems like a likely culprit.

Can you turn on slow query logging on your database?
That should tell us more.


See http://dev.mysql.com/doc/refman/5.7/en/slow-query-log.html for some 
details about that.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)






Re: [PacketFence-users] 5.0.2 is out

2016-01-08 Thread Morris, Andi
Hi again,
I've found the bug and the fix on github. I'm not familiar with github at all 
though, can anyone please advise me how I can patch the files?

https://github.com/inverse-inc/packetfence/commit/d9c88a93aa11348d33d350e0871a3880e21126f1

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 07 January 2016 16:07
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 5.0.2 is out

Hi all,
Sorry to bump a very old thread, but I'm running version 5.0.1 and am in no 
position to upgrade my current production system at the moment. I've also just 
started utilising violations in anger, and have found that users clicking the 
Enable Network button do not get put back on the main network, which I presume 
is the "Fixed broken violation release process" patch mentioned below.

Am I able to get just that patch to apply to my system? I presume if I run the 
/usr/local/pf/addons/pf-maint.pl now I would end up getting lots of extra 
patches that I've not tested on my setup here.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 04 May 2015 17:06
To: packetfence-annou...@lists.sourceforge.net; packetfence-users@lists.sourceforge.net; packetfence-de...@lists.sourceforge.net
Subject: [PacketFence-devel] 5.0.2 is out

Hello list members,

We just released a minor update.
PF 5.0.2 is out.


This release is a bug fix only. No new features were introduced.

Enhancements


  *   Added available options (submit unknowns and update database) to the 
Fingerbank Settings page.
  *   PacketFence will now leave clients.conf.inc empty if cluster mode is 
disabled.

Bug Fixes


  *   PacketFence will no longer unregister a device in pending state if the 
device is hitting the portal more than once while in "pending" state.
  *   Fixed broken violation release process.
  *   Fixed multiple lines returning from pfconfig.
  *   Fixed undefined variables in portal template files.
  *   Fixed provisioners OS detection with Fingerbank.


If you are already running 5.0.1 you may get the same code and fixes by running 
the /usr/local/pf/addons/pf-maint.pl script which will apply the same patches.

This release is merely a convenience for people upgrading from earlier releases 
or installing from scratch.


See https://github.com/inverse-inc/packetfence/blob/stable/NEWS.asciidoc for 
details

Best regards from Inverse,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)





Re: [PacketFence-users] 5.0.2 is out

2016-01-08 Thread Morris, Andi
Thanks very much Fabrice.

From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: 08 January 2016 12:48
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 5.0.2 is out

Hello Andi,

cd /usr/local/pf
wget https://github.com/inverse-inc/packetfence/commit/d9c88a93aa11348d33d350e0871a3880e21126f1.diff
patch -p1 --dry-run < d9c88a93aa11348d33d350e0871a3880e21126f1.diff
(all is ok, there is no conflict?)
patch -p1 < d9c88a93aa11348d33d350e0871a3880e21126f1.diff

bin/pfcmd service httpd.portal restart



Regards
Fabrice
On 2016-01-08 07:06, Morris, Andi wrote:
Hi again,
I've found the bug and the fix on github. I'm not familiar with github at all 
though, can anyone please advise me how I can patch the files?

https://github.com/inverse-inc/packetfence/commit/d9c88a93aa11348d33d350e0871a3880e21126f1

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 07 January 2016 16:07
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 5.0.2 is out

Hi all,
Sorry to bump a very old thread, but I'm running version 5.0.1 and am in no 
position to upgrade my current production system at the moment. I've also just 
started utilising violations in anger, and have found that users clicking the 
Enable Network button do not get put back on the main network, which I presume 
is the "Fixed broken violation release process" patch mentioned below.

Am I able to get just that patch to apply to my system? I presume if I run the 
/usr/local/pf/addons/pf-maint.pl now I would end up getting lots of extra 
patches that I've not tested on my setup here.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 04 May 2015 17:06
To: packetfence-annou...@lists.sourceforge.net; packetfence-users@lists.sourceforge.net; packetfence-de...@lists.sourceforge.net
Subject: [PacketFence-devel] 5.0.2 is out

Hello list members,

We just released a minor update.
PF 5.0.2 is out.


This release is a bug fix only. No new features were introduced.

Enhancements


  *   Added available options (submit unknowns and update database) to the 
Fingerbank Settings page.
  *   PacketFence will now leave clients.conf.inc empty if cluster mode is 
disabled.

Bug Fixes


  *   PacketFence will no longer unregister a device in pending state if the 
device is hitting the portal more than once while in "pending" state.
  *   Fixed broken violation release process.
  *   Fixed multiple lines returning from pfconfig.
  *   Fixed undefined variables in portal template files.
  *   Fixed provisioners OS detection with Fingerbank.


If you are already running 5.0.1 you may get the same code and fixes by running 
the /usr/local/pf/addons/pf-maint.pl script which will apply the same patches.

This release is merely a convenience for people upgrading from earlier releases 
or installing from scratch.


See https://github.com/inverse-inc/packetfence/blob/stable/NEWS.asciidoc for 
details

Best regards from Inverse,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)





Re: [PacketFence-users] 5.0.2 is out

2016-01-07 Thread Morris, Andi
Hi all,
Sorry to bump a very old thread, but I'm running version 5.0.1 and am in no 
position to upgrade my current production system at the moment. I've also just 
started utilising violations in anger, and have found that users clicking the 
Enable Network button do not get put back on the main network, which I presume 
is the "Fixed broken violation release process" patch mentioned below.

Am I able to get just that patch to apply to my system? I presume if I run the 
/usr/local/pf/addons/pf-maint.pl now I would end up getting lots of extra 
patches that I've not tested on my setup here.

Cheers,
Andi

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 04 May 2015 17:06
To: packetfence-annou...@lists.sourceforge.net; 
packetfence-users@lists.sourceforge.net; packetfence-de...@lists.sourceforge.net
Subject: [PacketFence-devel] 5.0.2 is out

Hello list members,

We just released a minor update.
PF 5.0.2 is out.


This release is a bug fix only. No new features were introduced.

Enhancements


  *   Added available options (submit unknowns and update database) to the 
Fingerbank Settings page.
  *   PacketFence will now leave clients.conf.inc empty if cluster mode is 
disabled.

Bug Fixes


  *   PacketFence will no longer unregister a device in pending state if the 
device is hitting the portal more than once while in "pending" state.
  *   Fixed broken violation release process.
  *   Fixed multiple lines returning from pfconfig.
  *   Fixed undefined variables in portal template files.
  *   Fixed provisioners OS detection with Fingerbank.


If you are already running 5.0.1 you may get the same code and fixes by running 
the /usr/local/pf/addons/pf-maint.pl script which will apply the same patches.

This release is merely a convenience for people upgrading from earlier releases 
or installing from scratch.


See https://github.com/inverse-inc/packetfence/blob/stable/NEWS.asciidoc for 
details

Best regards from Inverse,
--
Louis Munro
lmu...@inverse.ca  ::  
www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)





Re: [PacketFence-users] radius authorization interval

2015-11-12 Thread Morris, Andi
Thanks for the advice.

I ran some tests yesterday and can see that each time the device reauths, it’s 
connected to a different AP. The device has remained completely static on my 
desk, and so isn’t a physical roaming thing. I’m not seeing deauths from 
packetfence though, so I’m happy to pass this over to the network team for them 
to investigate further.

Cheers,
Andi

From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 11 November 2015 16:20
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] radius authorization interval

Hello Andi,

Thanks for your reply, as always.

Always a pleasure :)

I’m interested on the busy AP thing, I’ll check that out as it’s highly 
possible. I don’t think we manually set a maximum allowed client limit, but 
it’s possible there’s a default one.

Not 100% sure this is the problem, but I've already seen, on some network 
equipment, cases where when the “limit” was reached the oldest connections were 
being kicked out to allow newer ones…
I guess the logs on the WLC would help if that is the case.

There’s not much that can lead a device to reconnect…
PacketFence
PacketFence is sending some COA requests when the device changes state. Those 
requests are logged in the PacketFence log, so we would see them...

WLC
- A timeout or a limit is reached, which then leads the WLC to “kick” devices 
off. Logs on the WLC would help diagnose this.
- Roaming

Device itself
- The device is disconnecting from the associated radio for a reason or another…
- Roaming

Let me know if you find anything

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Nov 11, 2015, at 3:42 AM, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

Hi Derek,
Thanks for your reply, as always.

I’ve reproduced this on another packetfence box where I can see the whole 
packetfence log without having to grep the output as there’s only one 
authenticated device registered for use on this box. I see the same thing 
there, reauth happening at certain intervals, although not as regular a pattern.

I’m interested on the busy AP thing, I’ll check that out as it’s highly 
possible. I don’t think we manually set a maximum allowed client limit, but 
it’s possible there’s a default one.

Cheers,
Andi

From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 10 November 2015 18:46
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] radius authorization interval

Andi,

Quick question, maybe not related at all but still.
Is this happening on a “busy” AP? Do you know if there are a lot of clients 
connected at the same time on the AP / radios of the AP?
Do you have any sort of Maximum Allowed Clients configuration (Advanced 
section of the WLAN)?

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Nov 9, 2015, at 12:09 PM, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

Hi all,
I’m getting reports of users being briefly disconnected from the wireless 
network every few minutes, which is something that didn’t used to happen when 
users were connected to another SSID using exactly the same hardware (Cisco 
WLC). I’m wondering if it’s something like radius authorization, as we see it 
on not just our dot1x SSID, but our SSID that is mac authenticated through PFs 
device registration setup.

According to users it’s around every 5 minutes, however looking at some logs 
for one client using the mac_auth network I can see it seems to re-auth every 
11/12 minutes. Log snippet below:

Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined 
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz 
request: from switch_ip => (192.168.1.1), connectio

Re: [PacketFence-users] radius authorization interval

2015-11-11 Thread Morris, Andi
Hi Derek,
Thanks for your reply, as always.

I’ve reproduced this on another packetfence box where I can see the whole 
packetfence log without having to grep the output as there’s only one 
authenticated device registered for use on this box. I see the same thing 
there, reauth happening at certain intervals, although not as regular a pattern.

I’m interested on the busy AP thing, I’ll check that out as it’s highly 
possible. I don’t think we manually set a maximum allowed client limit, but 
it’s possible there’s a default one.

Cheers,
Andi

From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 10 November 2015 18:46
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] radius authorization interval

Andi,

Quick question, maybe not related at all but still.
Is this happening on a “busy” AP? Do you know if there are a lot of clients 
connected at the same time on the AP / radios of the AP?
Do you have any sort of Maximum Allowed Clients configuration (Advanced 
section of the WLAN)?

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Nov 9, 2015, at 12:09 PM, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

Hi all,
I’m getting reports of users being briefly disconnected from the wireless 
network every few minutes, which is something that didn’t used to happen when 
users were connected to another SSID using exactly the same hardware (Cisco 
WLC). I’m wondering if it’s something like radius authorization, as we see it 
on not just our dot1x SSID, but our SSID that is mac authenticated through PFs 
device registration setup.

According to users it’s around every 5 minutes, however looking at some logs 
for one client using the mac_auth network I can see it seems to re-auth every 
11/12 minutes. Log snippet below:

Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined 
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz 
request: from switch_ip => (192.168.1.1), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
(pf::radius::authorize)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined 
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz 
request: from switch_ip => (192.168.1.1), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
(pf::radius::authorize)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined 
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:32:58 httpd.aaa(30934) INF

[PacketFence-users] radius authorization interval

2015-11-09 Thread Morris, Andi
Hi all,
I'm getting reports of users being briefly disconnected from the wireless 
network every few minutes, which is something that didn't used to happen when 
users were connected to another SSID using exactly the same hardware (Cisco 
WLC). I'm wondering if it's something like radius authorization, as we see it 
on not just our dot1x SSID, but our SSID that is mac authenticated through PFs 
device registration setup.

According to users it's around every 5 minutes, however looking at some logs 
for one client using the mac_auth network I can see it seems to re-auth every 
11/12 minutes. Log snippet below:

Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined 
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz 
request: from switch_ip => (192.168.1.1), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
(pf::radius::authorize)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined 
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz 
request: from switch_ip => (192.168.1.1), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
(pf::radius::authorize)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined 
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz 
request: from switch_ip => (192.168.1.1), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
(pf::radius::authorize)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Username was defined 
"3059b782141a" - returning user based role 'gaming' (pf::vlan::getNormalVlan)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] PID: "st12345678", 
Status: reg Returned VLAN: 713, Role: gaming (pf::vlan::fetchVlanForNode)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) 
Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz 
request: from switch_ip => (192.168.1.1), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => 
[30:59:b7:82:14:1a], port => 13, username => "3059b782141a" 
(pf::radius::authorize)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Can't find 
provisioner (pf::vlan::getNormalVlan)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] Connection type is 
WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 09 12:44:16 httpd.aaa(30934) INFO: 
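As an added diagnostic (not PacketFence code, and not part of the thread), this Python script pulls the per-client authorization requests out of httpd.aaa log lines like the ones above, measures the gap between consecutive requests, compares it with the SSID session timeout, and notes when the switch_mac (the AP) changes between two requests. The sample log is constructed from the lines in this thread plus a second, made-up client MAC (02:00:00:aa:bb:cc) that moves between two APs; the second AP MAC is also made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The 30:59:b7:82:14:1a lines copy the timestamps and
# AP (switch_mac) from the thread; 02:00:00:aa:bb:cc and its AP change to
# e8:65:49:e9:2c:61 are made up to exercise the roaming check.
SAMPLE_LOG = """\
Nov 09 11:55:59 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:00:00 httpd.aaa(30934) INFO: [02:00:00:aa:bb:cc] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => [02:00:00:aa:bb:cc], port => 13, username => "020000aabbcc" (pf::radius::authorize)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" (pf::radius::authorize)
Nov 09 12:07:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] (192.168.1.1) Returning ACCEPT with VLAN 713 and role  (pf::Switch::returnRadiusAccessAccept)
Nov 09 12:10:00 httpd.aaa(30934) INFO: [02:00:00:aa:bb:cc] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:61), mac => [02:00:00:aa:bb:cc], port => 13, username => "020000aabbcc" (pf::radius::authorize)
Nov 09 12:18:33 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" (pf::radius::authorize)
Nov 09 12:32:58 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" (pf::radius::authorize)
Nov 09 12:44:16 httpd.aaa(30934) INFO: [30:59:b7:82:14:1a] handling radius autz request: from switch_ip => (192.168.1.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (e8:65:49:e9:2c:60), mac => [30:59:b7:82:14:1a], port => 13, username => "3059b782141a" (pf::radius::authorize)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Only the "handling radius autz request" line marks a new authorization
# round trip; the getNormalVlan / ACCEPT lines that follow belong to it.
AUTZ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) httpd\.aaa\(\d+\) INFO: "
    r"\[(?P<mac>" + MAC + r")\] handling radius autz request: "
    r".*?switch_mac => \((?P<ap>" + MAC + r")\)"
)


def parse_autz_requests(log_text):
    """Return {client_mac: [(timestamp, ap_mac), ...]} in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTZ_RE.match(line)
        if not m:
            continue  # VLAN/role/ACCEPT lines and anything else are skipped
        # syslog-style stamps carry no year; strptime defaults it to 1900,
        # which is fine for computing deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("mac")].append((ts, m.group("ap")))
    return events


def reauth_intervals(events):
    """Seconds between consecutive authorizations and whether the AP changed."""
    out = []
    for (t0, ap0), (t1, ap1) in zip(events, events[1:]):
        delta = t1 - t0
        if delta < timedelta(0):
            # log wrapped over a year boundary (no year in the stamps)
            delta += timedelta(days=365)
        out.append((int(delta.total_seconds()), ap0 != ap1))
    return out


def find_frequent_reauths(log_text, session_timeout=1800):
    """Summarise each client's re-authorization pattern.

    session_timeout defaults to the 1800 s the thread says the SSIDs use;
    a client whose every interval is shorter than that is re-authorizing for
    some reason other than the WLC session timeout.
    """
    report = {}
    for mac, evs in parse_autz_requests(log_text).items():
        ivs = reauth_intervals(evs)
        if not ivs:
            continue  # a single request tells us nothing about the interval
        secs = [s for s, _ in ivs]
        report[mac] = {
            "requests": len(evs),
            "min_interval": min(secs),
            "below_timeout": all(s < session_timeout for s in secs),
            "ap_changes": sum(1 for _, changed in ivs if changed),
        }
    return report


if __name__ == "__main__":
    for mac, r in find_frequent_reauths(SAMPLE_LOG).items():
        print(f"{mac}: {r['requests']} autz requests, min interval "
              f"{r['min_interval']}s, always below timeout: "
              f"{r['below_timeout']}, AP changes: {r['ap_changes']}")
```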

Re: [PacketFence-users] Cisco Wireless LAN Controller WLC Session Timeout Setting

2015-11-05 Thread Morris, Andi
Sorry for an old thread bump, but we see this also on Cisco WLCs. Some client 
devices will visibly disconnect the user from the network and then 
reauthenticate. We actually see it every few minutes.

We also have users saying that xbox live disconnects every few minutes when run 
through our mac-filtered packetfence SSID.

Our session-timeout settings on the SSIDs are at 1800, but this seems to occur 
much more frequently than that.

I’m yet to rule out the Cisco WLCs, however users have only mentioned it since 
they’ve been using the packetfence controlled SSID.

Did you manage to resolve your issue?

Cheers,
Andi

From: Tim DeNike [mailto:tim.den...@mcc.edu]
Sent: 14 September 2015 16:43
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco Wireless LAN Controller WLC Session 
Timeout Setting

Not Cisco specific, but I have seen some vendors' supplicants actually pause or 
de-auth the client on a timeout re-authentication.  So the user essentially 
sees a disconnect just for the duration of the re-auth.

On Mon, Sep 14, 2015 at 11:03 AM, Tedder, Eric wrote:
Do you use the AVC features on the WLC? I attempted to use AVC on the WLC and 
it caused me too much headache with issues like you are describing.


From: Pete Hoffswell [mailto:pete.hoffsw...@davenport.edu]
Sent: Monday, September 14, 2015 10:57 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco Wireless LAN Controller WLC Session 
Timeout Setting

Thanks for the info, Eric -

It is quite possible I'm barking up the wrong tree on this issue.  Not a PF 
issue, in my thinking.

-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Mon, Sep 14, 2015 at 10:53 AM, Tedder, Eric wrote:
Pete,

I run multiple SSIDs with Packet Fence and 1800 is not a problem at my site. I 
also have an SSID with 420 set as my timeout without a problem.
I would suspect a bigger problem like maybe a web proxy or firewall/ACL 
restrictions. We use a 5508 running WLC 8.0.120.0 with a 4GB LAG and PF 4.7.
All of this is with VLAN management.

Eric

From: Pete Hoffswell [mailto:pete.hoffsw...@davenport.edu]
Sent: Monday, September 14, 2015 9:57 AM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Cisco Wireless LAN Controller WLC Session Timeout 
Setting

Hi everyone -

We currently run a WLAN session timeout setting of 1800 seconds (30 minutes). 
This is what is called for in the PacketFence Documentation.

We are having users complain of some disruption to real-time streams.  (Video 
conference, etc).  I think that if I turn off the session timeout, things might 
clear up a bit for them?

Would it be ok to turn off session timeout on my WLC's SSID?


-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu



Re: [PacketFence-users] Registered devices sitting in captive portal

2015-11-04 Thread Morris, Andi
Yep that's right, the setup_wifi SSID is the registration vlan.

The logic below seems to make sense. I'll try to put this in place and see how 
we get on.

Cheers,
Andi

-Original Message-
From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: 04 November 2015 13:29
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Registered devices sitting in captive portal
Importance: Low

Ok so on the setup_wifi SSID it always returns the reg vlan, right?

So you have to deny reg device in the NormalVlan scope.

[reg_devices]
filter = node_info
operator = is
attribute = status
value = reg
 
[reg_network]
filter = ssid
operator = is
value = setup_wifi
 
# both filters must match: the names are joined with '&' in the rule header
[block_reg_devices:reg_devices&reg_network]
scope = NormalVlan
role = blocked
 

On Wednesday, November 04, 2015 07:34 EST, "Morris, Andi" <amor...@cardiffmet.ac.uk> wrote:
 
> Thanks Fabrice.
> 
> "But i have a question, if the device is reg then it's supposed to go on a 
> production vlan, not the registration vlan ?!"
> 
> Yes this is exactly my issue. Devices are being setup and registered (through 
> autoreg the first time they connect), however my onboarding software is 
> having issues telling devices to forget the setup SSID, and so registered 
> devices are frequently connecting to the setup SSID instead of the production 
> SSID.
> 
> I know vlan_filters are also quite intensive work for the PF server, but I'm 
> hoping that it's less work than having 500 devices sitting in the captive 
> portal.
> 
> Can you see any reason why I shouldn't put this in place?
> 
> Cheers,
> Andi
> 
> From: Durand fabrice [mailto:fdur...@inverse.ca]
> Sent: 04 November 2015 12:05
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Registered devices sitting in captive portal
> 
> Hello Andy,
> 
> let's try this:
> [reg_devices]
> filter = node_info
> operator = is
> attribute = status
> value = reg
> 
> [reg_network]
> filter = ssid
> operator = is
> value = setup_wifi
> 
> # both filters must match: the names are joined with '&' in the rule header
> [block_reg_devices:reg_devices&reg_network]
> scope = RegistrationVlan
> role = blocked
> 
> But i have a question, if the device is reg then it's supposed to go on a 
> production vlan, not the registration vlan ?!
> 
> Regards
> Fabrice
> 
> On 2015-11-04 06:16, Morris, Andi wrote:
> Now I have the vlan_filters in front of me, does this look doable?
> 
> [reg_devices]
> filter = node_info
> operator = is
> attribute = status
> value = reg
> 
> [reg_network]
> filter = ssid
> operator = is
> value = setup_wifi
> 
> # both filters must match: the names are joined with '&' in the rule header
> [block_reg_devices:reg_devices&reg_network]
> role = blocked
> 
> Cheers,
> Andi
> 
> From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
> Sent: 03 November 2015 20:08
> To: packetfence-users@lists.sourceforge.net
> Subject: [PacketFence-users] Registered devices sitting in captive portal
> 
> Hi all,
> I'm still having a large problem with devices sitting in my captive portal, 
> and as such using up a lot of PF resources. With others help on here I've 
> setup a violation that I can trigger if I see a device sitting in there for 
> too long, and I've managed to get any long term devices off the network in 
> that way, but the main problem I'm getting is with devices that are setup and 
> registered for my main SSID, however the setup SSID isn't forgotten on the 
> device, which means that as users roam around the devices switch between 
> networks frequently.
> 
> There are simply too many of these devices for me to capture and notify the 
> users manually (20,000 registered devices, 3000 main SSID and 500 in setup 
> SSID during peak times).
> 
> Is there a way, and is it advisable, to block a device from the registration 
> network once it is registered? Perhaps using vlan filters? Something like 
> (rough pseudo code sorry, I don't have the filters in front of me):
> 
> If
> SSID = setup_network
> device = registered
> 
> then
> role = blocked
> 
> Then outside of vlan filters the blocked role assigns the vlan of -1 in 
> switches.conf?
> 
> I know that if a device then needs to get set up again they will need to 
> contact our helpdesk to get it unregistered (I can't get the status page 
> working here), but at the moment I think that's a better solution than having 
> the PF box run out of CPU during peak hours.
> 
> Cheers,
> Andi
> 
> 
> 
> 
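As an added illustration (my own Python, not PacketFence's engine or anything posted in this thread), the following models how the three vlan_filters.conf sections discussed above combine: the two filter names are joined with `&` in the rule header (PacketFence's syntax for "every named filter must match", with `|` separating alternatives), a rule only fires in the scope it names, and a header that points at a filter name that was never defined is reported instead of silently never matching. The request contexts and the `production_wifi` SSID are constructed; only the `is`, `is_not` and `match` operators are modelled.

```python
import configparser
import re

# Constructed copy of the rules from this thread. The rule header joins the
# two filter names with '&' so that a device must be both registered and on
# the setup_wifi SSID before the rule fires.
VLAN_FILTERS = """\
[reg_devices]
filter = node_info
operator = is
attribute = status
value = reg

[reg_network]
filter = ssid
operator = is
value = setup_wifi

[block_reg_devices:reg_devices&reg_network]
scope = NormalVlan
role = blocked
"""


def load_rules(text):
    """Split the file into plain filter sections and 'name:condition' rules."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    filters, rules = {}, []
    for section in cp.sections():
        if ":" in section:
            rule_name, expr = section.split(":", 1)
            rules.append((rule_name, expr, dict(cp[section])))
        else:
            filters[section] = dict(cp[section])
    return filters, rules


def filter_matches(flt, ctx):
    """Evaluate one filter section against a request context.

    ctx models what is known at authorization time, e.g.
    {"ssid": "setup_wifi", "node_info": {"status": "reg"}}.
    """
    value = ctx.get(flt["filter"])
    if "attribute" in flt:            # node_info filters pick one column
        value = (value or {}).get(flt["attribute"])
    op, expected = flt["operator"], flt["value"]
    if op == "is":
        return value == expected
    if op == "is_not":
        return value != expected
    if op == "match":
        return value is not None and re.search(expected, str(value)) is not None
    raise ValueError(f"unsupported operator {op!r}")


def _names(expr):
    """Every filter name referenced by a condition such as 'a&b|c'."""
    return [n.strip() for alt in expr.split("|") for n in alt.split("&")]


def undefined_filter_names(text):
    """Filter names used in rule headers that no section defines."""
    filters, rules = load_rules(text)
    return sorted({n for _, expr, _ in rules for n in _names(expr)
                   if n not in filters})


def condition_holds(expr, filters, ctx):
    """'a&b|c' -> (a and b) or c, each name resolving to a filter section."""
    return any(
        all(filter_matches(filters[n.strip()], ctx) for n in alt.split("&"))
        for alt in expr.split("|")
    )


def apply_vlan_filters(text, scope, ctx):
    """Return (rule_name, role) of the first rule firing in `scope`, else None."""
    bad = undefined_filter_names(text)
    if bad:
        raise ValueError(f"rule header references undefined filter(s): {bad}")
    filters, rules = load_rules(text)
    for rule_name, expr, body in rules:
        if body.get("scope") != scope:
            continue                  # a rule only applies in its own scope
        if condition_holds(expr, filters, ctx):
            return rule_name, body["role"]
    return None


if __name__ == "__main__":
    # Constructed request contexts; production_wifi is a placeholder SSID.
    cases = {
        "registered on setup_wifi": {"ssid": "setup_wifi", "node_info": {"status": "reg"}},
        "unregistered on setup_wifi": {"ssid": "setup_wifi", "node_info": {"status": "unreg"}},
        "registered on production_wifi": {"ssid": "production_wifi", "node_info": {"status": "reg"}},
    }
    print("undefined filter names:", undefined_filter_names(VLAN_FILTERS))
    for label, ctx in cases.items():
        print(f"{label}: {apply_vlan_filters(VLAN_FILTERS, 'NormalVlan', ctx)}")
```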

Re: [PacketFence-users] Registered devices sitting in captive portal

2015-11-04 Thread Morris, Andi
Thanks Fabrice.

"But i have a question, if the device is reg then it's supposed to go on a 
production vlan, not the registration vlan ?!"

Yes this is exactly my issue. Devices are being setup and registered (through 
autoreg the first time they connect), however my onboarding software is having 
issues telling devices to forget the setup SSID, and so registered devices are 
frequently connecting to the setup SSID instead of the production SSID.

I know vlan_filters are also quite intensive work for the PF server, but I'm 
hoping that it's less work than having 500 devices sitting in the captive 
portal.

Can you see any reason why I shouldn't put this in place?

Cheers,
Andi

From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: 04 November 2015 12:05
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Registered devices sitting in captive portal

Hello Andy,

let's try this:
[reg_devices]
filter = node_info
operator = is
attribute = status
value = reg

[reg_network]
filter = ssid
operator = is
value = setup_wifi

# both filters must match: the names are joined with '&' in the rule header
[block_reg_devices:reg_devices&reg_network]
scope = RegistrationVlan
role = blocked

But i have a question, if the device is reg then it's supposed to go on a 
production vlan, not the registration vlan ?!

Regards
Fabrice

On 2015-11-04 06:16, Morris, Andi wrote:
Now I have the vlan_filters in front of me, does this look doable?

[reg_devices]
filter = node_info
operator = is
attribute = status
value = reg

[reg_network]
filter = ssid
operator = is
value = setup_wifi

# both filters must match: the names are joined with '&' in the rule header
[block_reg_devices:reg_devices&reg_network]
role = blocked

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 03 November 2015 20:08
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Registered devices sitting in captive portal

Hi all,
I'm still having a large problem with devices sitting in my captive portal, and 
as such using up a lot of PF resources. With others help on here I've setup a 
violation that I can trigger if I see a device sitting in there for too long, 
and I've managed to get any long term devices off the network in that way, but 
the main problem I'm getting is with devices that are setup and registered for 
my main SSID, however the setup SSID isn't forgotten on the device, which means 
that as users roam around the devices switch between networks frequently.

There are simply too many of these devices for me to capture and notify the 
users manually (20,000 registered devices, 3000 main SSID and 500 in setup SSID 
during peak times).

Is there a way, and is it advisable, to block a device from the registration 
network once it is registered? Perhaps using vlan filters? Something like 
(rough pseudo code sorry, I don't have the filters in front of me):

If
SSID = setup_network
device = registered

then
role = blocked

Then outside of vlan filters the blocked role assigns the vlan of -1 in 
switches.conf?

I know that if a device then needs to get set up again they will need to contact 
our helpdesk to get it unregistered (I can't get the status page working here), 
but at the moment I think that's a better solution than having the PF box run 
out of CPU during peak hours.

Cheers,
Andi






Re: [PacketFence-users] Registered devices sitting in captive portal

2015-11-04 Thread Morris, Andi
Now I have the vlan_filters in front of me, does this look doable?

[reg_devices]
filter = node_info
operator = is
attribute = status
value = reg

[reg_network]
filter = ssid
operator = is
value = setup_wifi

# both filters must match: the names are joined with '&' in the rule header
[block_reg_devices:reg_devices&reg_network]
role = blocked

Cheers,
Andi



[PacketFence-users] Registered devices sitting in captive portal

2015-11-03 Thread Morris, Andi
Hi all,
I'm still having a large problem with devices sitting in my captive portal, and 
as such using up a lot of PF resources. With others' help on here I've set up a 
violation that I can trigger if I see a device sitting in there for too long, 
and I've managed to get any long-term devices off the network in that way, but 
the main problem I'm getting is with devices that are set up and registered for 
my main SSID, however the setup SSID isn't forgotten on the device, which means 
that as users roam around the devices switch between networks frequently.

There are simply too many of these devices for me to capture and notify the 
users manually (20,000 registered devices, 3000 main SSID and 500 in setup SSID 
during peak times).

Is there a way, and is it advisable, to block a device from the registration 
network once it is registered? Perhaps using vlan filters? Something like 
(rough pseudo code sorry, I don't have the filters in front of me):

If
SSID = setup_network
device = registered

then
role = blocked

Then outside of vlan filters the blocked role assigns the vlan of -1 in 
switches.conf?

I know that if a device then needs to get set up again they will need to contact 
our helpdesk to get them unregistered (I can't get the status page working here), 
but at the moment I think that's a better solution than having the PF box run 
out of CPU during peak hours.

Cheers,
Andi
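
The pseudo-code in this post ("if SSID = setup_network and device = registered then role = blocked") and the reg_devices / reg_network / block_reg_devices rule set from the 2015-11-04 reply further up describe the same decision. The Python below is an added example, not PacketFence's own code and not code from the thread: it parses rules written in that INI shape and evaluates them against a request, so you can see which combinations of SSID and node status would get the blocked role before touching a live vlan_filters.conf. Assumptions, not taken from the posts: the `name:filterA&filterB` header form for combining filters, the `scope` key, the `is_not` operator, and the shape of the request dict (`ssid` plus a `node_info` mapping). The `undefined_references` check catches a rule header that names a filter section that does not exist, which is the kind of typo that silently never matches.

```python
import configparser
from typing import Callable, Dict, List, Optional, Tuple

# Constructed rule text modelled on the vlan_filters.conf idea in the thread:
# two named filters (node status and SSID) and one rule that fires only when
# both match. The "name:filterA&filterB" header and the "scope" key are
# assumptions about the syntax, not copied from the posts.
SAMPLE_RULES = """
[reg_devices]
filter = node_info
operator = is
attribute = status
value = reg

[reg_network]
filter = ssid
operator = is
value = setup_wifi

[block_reg_devices:reg_devices&reg_network]
scope = NormalVlan
role = blocked
"""

Operator = Callable[[str, str], bool]
OPERATORS: Dict[str, Operator] = {
    "is": lambda actual, wanted: actual == wanted,      # the operator the post uses
    "is_not": lambda actual, wanted: actual != wanted,  # assumed negated form
}


def parse_rules(text: str) -> Tuple[Dict[str, dict], List[dict]]:
    """Split the INI text into named filter sections and the rules that combine them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    filters: Dict[str, dict] = {}
    rules: List[dict] = []
    for name in cp.sections():
        section = dict(cp[name])
        if ":" in name:
            rule_name, conditions = name.split(":", 1)
            rules.append({
                "name": rule_name,
                "conditions": [c.strip() for c in conditions.split("&")],
                "scope": section.get("scope"),
                "role": section.get("role"),
            })
        else:
            filters[name] = section
    return filters, rules


def undefined_references(filters: Dict[str, dict], rules: List[dict]) -> List[str]:
    """Filter names used in rule headers that no filter section defines."""
    return sorted({c for r in rules for c in r["conditions"] if c not in filters})


def filter_matches(spec: dict, request: dict) -> bool:
    """Evaluate one filter section against a request context of the constructed
    shape {"ssid": "...", "node_info": {"status": "reg", ...}}."""
    source = spec["filter"]
    if source == "node_info":
        actual = request.get("node_info", {}).get(spec["attribute"], "")
    else:
        actual = request.get(source, "")
    return OPERATORS[spec["operator"]](str(actual), spec["value"])


def role_for_request(filters: Dict[str, dict], rules: List[dict],
                     request: dict, scope: str = "NormalVlan") -> Optional[str]:
    """Role from the first rule in `scope` whose filters all match; None means
    no override, i.e. fall through to the normal role assignment."""
    missing = undefined_references(filters, rules)
    if missing:
        raise KeyError(f"rules reference undefined filters: {missing}")
    for rule in rules:
        if rule["scope"] != scope:
            continue
        if all(filter_matches(filters[c], request) for c in rule["conditions"]):
            return rule["role"]
    return None


if __name__ == "__main__":
    flt, rls = parse_rules(SAMPLE_RULES)
    for ssid, status in (("setup_wifi", "reg"), ("setup_wifi", "unreg"), ("staff_wifi", "reg")):
        req = {"ssid": ssid, "node_info": {"status": status}}
        print(f"ssid={ssid} status={status} -> role={role_for_request(flt, rls, req)}")
```

Only a registered node seen on the setup SSID gets the blocked role; an unregistered node on the same SSID still reaches the registration flow, and a registered node on the production SSID is untouched. That is the property worth confirming before enabling such a rule, since a rule that also matched unregistered devices would lock new devices out of enrolment.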


Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-23 Thread Morris, Andi
That works brilliantly, however it’s only stopping devices connecting to the 
main network. The registration network is still accessible by devices.

From: Tim DeNike [mailto:tim.den...@mcc.edu]
Sent: 22 October 2015 16:25
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Recommended setup for HA and efficiency

Set the role vlan to -1. That should return reject.

Sent from my iPhone



Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-23 Thread Morris, Andi
All sorted, I needed to enable mac authentication on the setup network.

Thanks all.



Re: [PacketFence-users] edited violations.conf outside of GUI - now errors

2015-10-22 Thread Morris, Andi
I did have that file, I removed it and ran a configreload hard but I still get 
the error. I tried a service restart again, still nothing.

The file no longer exists, so it hasn't been recreated, I'm not sure if it was 
supposed to be.

From: Louis Munro [lmu...@inverse.ca]
Sent: 22 October 2015 20:29
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] edited violations.conf outside of GUI - now 
errors

Then try this:

Do you have a file called /usr/local/pf/var/cache/configfiles/d/4/+2fusr+2flocal+2fpf+2fconf+2fviolations+2econf.dat on your system?

Delete it and then run the configreload hard.


--
Louis Munro
lmu...@inverse.ca<mailto:lmu...@inverse.ca>  ::  
www.inverse.ca<http://www.inverse.ca>
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu<http://www.sogo.nu>) and 
PacketFence (www.packetfence.org<http://www.packetfence.org>)

On Oct 22, 2015, at 15:19 , Morris, Andi 
<amor...@cardiffmet.ac.uk<mailto:amor...@cardiffmet.ac.uk>> wrote:

Hi Louis,
I've tried this already unfortunately.

I've tried
configreload hard
service packetfence-config restart
service packetfence restart

I've tried removing the violation from the conf file completely, but still the 
same error. I'm presuming that it's a mismatch between the violations in the 
database and the configuration file perhaps?

I really hope this is fixable, and something simple!


Re: [PacketFence-users] edited violations.conf outside of GUI - now errors

2015-10-22 Thread Morris, Andi
Still no good I'm afraid. All commands ran successfully. The dat files all look 
like they've been recreated, but there's no dat file for the violations.conf.

[root@pfence03 pf]# ls -l var/cache/configfiles/d/c/+2fusr+2flocal+2fpf+2fconf+2fswitches+2econf.dat
-rw-rw 1 root pf 63536 Oct 22 20:48 var/cache/configfiles/d/c/+2fusr+2flocal+2fpf+2fconf+2fswitches+2econf.dat

[root@pfence03 pf]# ls -l var/cache/configfiles/f/1/+2fusr+2flocal+2fpf+2fconf+2fpf-release.dat
-rw-rw 1 pf pf 31 Oct 22 20:50 var/cache/configfiles/f/1/+2fusr+2flocal+2fpf+2fconf+2fpf-release.dat

[root@pfence03 pf]# ls -l var/cache/configfiles/4/4/+2fusr+2flocal+2fpf+2fconf+2fpf+2econf.dat
-rw-rw 1 root pf 66152 Oct 22 20:49 var/cache/configfiles/4/4/+2fusr+2flocal+2fpf+2fconf+2fpf+2econf.dat

[root@pfence03 pf]# find var/cache/configfiles var/cache/configfilesdata/
var/cache/configfiles
var/cache/configfiles/4
var/cache/configfiles/4/4
var/cache/configfiles/4/4/+2fusr+2flocal+2fpf+2fconf+2fpf+2econf.dat
var/cache/configfiles/a
var/cache/configfiles/a/8
var/cache/configfiles/a/8/+2fusr+2flocal+2fpf+2fconf+2fauthentication+2econf.dat
var/cache/configfiles/5
var/cache/configfiles/5/3
var/cache/configfiles/f
var/cache/configfiles/f/1
var/cache/configfiles/f/1/+2fusr+2flocal+2fpf+2fconf+2fpf-release.dat
var/cache/configfiles/f/e
var/cache/configfiles/d
var/cache/configfiles/d/4
var/cache/configfiles/d/c
var/cache/configfiles/d/c/+2fusr+2flocal+2fpf+2fconf+2fswitches+2econf.dat
var/cache/configfiles/6
var/cache/configfiles/6/e
var/cache/configfiles/6/e/+2fusr+2flocal+2fpf+2fconf+2fpf+2econf+2edefaults.dat
var/cache/configfiles/6/6
var/cache/configfiles/8
var/cache/configfiles/8/4
var/cache/configfiles/9
var/cache/configfiles/9/e
var/cache/configfilesdata/
var/cache/configfilesdata/a
var/cache/configfilesdata/a/c
var/cache/configfilesdata/a/c/SwitchConfig.dat


From: Louis Munro [lmu...@inverse.ca]
Sent: 22 October 2015 20:46
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] edited violations.conf outside of GUI - now 
errors

Ok, let’s do some housecleaning then.

Stop all services including packetfence-config.
Make sure memcached is stopped.

Then delete the configuration files cache so it must be rebuilt:
# find  var/cache/configfiles var/cache/configfilesdata/  -type f -delete

Then restart all services.

Let me know if that helps.

Regards,
--
Louis Munro
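
Louis's two suggestions in this exchange (first delete the cached .dat for violations.conf and run configreload hard, then, when that is not enough, stop the services and wipe everything under var/cache/configfiles and var/cache/configfilesdata so the cache is rebuilt) as an added Python example. This is not PacketFence's own code and not code from the thread. The cache file naming it relies on (a config file's absolute path with '/' written as +2f and '.' as +2e, then .dat) is inferred from the file names in the listing above and is treated as an assumption; the two-level bucket directories (d/4 and so on) are searched by name rather than computed, because the thread does not show how they are derived; and the sample tree is constructed from the find output above so the helpers can be run offline. Stopping packetfence, packetfence-config and memcached first, as Louis says, is outside the script.

```python
import tempfile
from pathlib import Path
from typing import List

# Constructed from the `find` listing in the thread; used only to build a
# throwaway sample tree for offline runs.
SAMPLE_CACHE_FILES = [
    "var/cache/configfiles/4/4/+2fusr+2flocal+2fpf+2fconf+2fpf+2econf.dat",
    "var/cache/configfiles/a/8/+2fusr+2flocal+2fpf+2fconf+2fauthentication+2econf.dat",
    "var/cache/configfiles/f/1/+2fusr+2flocal+2fpf+2fconf+2fpf-release.dat",
    "var/cache/configfiles/d/4/+2fusr+2flocal+2fpf+2fconf+2fviolations+2econf.dat",
    "var/cache/configfiles/d/c/+2fusr+2flocal+2fpf+2fconf+2fswitches+2econf.dat",
    "var/cache/configfiles/6/e/+2fusr+2flocal+2fpf+2fconf+2fpf+2econf+2edefaults.dat",
    "var/cache/configfilesdata/a/c/SwitchConfig.dat",
]

CACHE_DIRS = ("var/cache/configfiles", "var/cache/configfilesdata")


def cache_name(conf_path: str) -> str:
    """Cache entry name for a config file path. Assumption drawn from the
    listing: '/' becomes '+2f', '.' becomes '+2e', everything else is kept,
    and '.dat' is appended."""
    return conf_path.replace("/", "+2f").replace(".", "+2e") + ".dat"


def find_cache_entries(pf_root: str, conf_path: str) -> List[Path]:
    """Locate the cache entry for one config file under a PF root. The bucket
    directory is not derivable from the thread, so search by file name."""
    base = Path(pf_root) / "var" / "cache" / "configfiles"
    if not base.is_dir():
        return []
    return sorted(p for p in base.rglob(cache_name(conf_path)) if p.is_file())


def remove_cache_entry(pf_root: str, conf_path: str) -> int:
    """Delete the cached copy of a single config file; returns the count removed."""
    entries = find_cache_entries(pf_root, conf_path)
    for p in entries:
        p.unlink()
    return len(entries)


def cached_files(pf_root: str) -> List[Path]:
    """All regular files under both cache directories."""
    root = Path(pf_root)
    out: List[Path] = []
    for rel in CACHE_DIRS:
        d = root / rel
        if d.is_dir():
            out.extend(p for p in d.rglob("*") if p.is_file())
    return sorted(out)


def clear_cache(pf_root: str) -> int:
    """Delete every cached file but keep the directory skeleton, the same
    effect as `find var/cache/configfiles var/cache/configfilesdata/ -type f -delete`.
    Refuses to act on a root with no config cache so a mistyped path cannot
    turn into a delete somewhere else; returns the number of files removed."""
    if not (Path(pf_root) / "var" / "cache" / "configfiles").is_dir():
        raise FileNotFoundError(f"no config cache under {pf_root}")
    files = cached_files(pf_root)
    for p in files:
        p.unlink()
    return len(files)


def make_sample_tree() -> str:
    """Create a temporary PF-like root populated with SAMPLE_CACHE_FILES (constructed)."""
    root = tempfile.mkdtemp(prefix="pf-cache-demo-")
    for rel in SAMPLE_CACHE_FILES:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    print("violations.conf entry:", find_cache_entries(root, "/usr/local/pf/conf/violations.conf"))
    print("removed one entry:", remove_cache_entry(root, "/usr/local/pf/conf/violations.conf"))
    print("cleared:", clear_cache(root), "files; left:", len(cached_files(root)))
```

Run against a real install as `find_cache_entries("/usr/local/pf", "/usr/local/pf/conf/violations.conf")` to confirm whether the cached copy exists before and after a configreload; an empty result after the reload, as in the listing above, tells you the file itself is not being parsed, which is where this thread ended up.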

Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-22 Thread Morris, Andi
Nice, thanks Tim. I’ll put that to my manager and see if we can do something 
like this.

Cheers,
Andi

From: Tim DeNike [mailto:tim.den...@mcc.edu]
Sent: 21 October 2015 17:51
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Recommended setup for HA and efficiency

Move MySQL to a different server on fast storage.  I run 2 MySQL vms in ha on 
ssd storage and that helps.

Sent from my iPhone



Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-22 Thread Morris, Andi
Thanks Arthur,
That’s a really interesting idea. I’ll see if I can find a way to spot devices 
that are hanging around for a while and set something like this up.

From: Arthur Emerson [mailto:arthur.emer...@msmc.edu]
Sent: 21 October 2015 18:38
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Recommended setup for HA and efficiency

On 10/21/15, 12:35 PM, "Morris, Andi" 
<amor...@cardiffmet.ac.uk<mailto:amor...@cardiffmet.ac.uk>> wrote:

Has anyone else run into this sort of issue with devices sitting in the captive 
portal, and if so how do you combat it?

I made a local portal user ID for unregistered devices that are hanging
around for too long without registering.  Once the device is manually
registered to that user, I set a violation on the device, which sends it
to an unused VLAN (mac-detect?).  You can do the same thing with RADIUS
VLAN settings for the special user, as long as the device gets sent to
the naughty room (isolated on a dead VLAN).

I never automated this process, but it shouldn't be too difficult...

-Arthur

-
Arthur Emerson III Email:  
emer...@msmc.edu<mailto:emer...@msmc.edu>
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 8A





Re: [PacketFence-users] edited violations.conf outside of GUI - now errors

2015-10-22 Thread Morris, Andi
That's got it!

Louis, I hope you're keeping a tally of all the beers I owe you when I visit 
Canada one day.

Thanks very much as always.

Out of interest, what is the best way of editing the violations.conf file? Is 
it ok to update the file over the cli usually? Do I just need to do a standard 
configreload after editing or do I need to restart the services? The 5.0.1 
admin guide suggests a service restart.

Cheers,
Andi

From: Louis Munro [lmu...@inverse.ca]
Sent: 22 October 2015 21:11
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] edited violations.conf outside of GUI - now 
errors

Then the file itself might be unreadable.
Check to see if you have a file called conf/violations.conf.example.

If you do, make a copy of the violations.conf and then copy the 
violations.conf.example on top on the problem file.
Then try reloading again.

--
Louis Munro

Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-22 Thread Morris, Andi
I’ve been working on this today, and have successfully created a manually 
triggered violation that sends the device to the macdetection vlan (id 4), 
which doesn’t exist on our network. However, I can see the violation 
triggering, and access briefly drops on my test device, but it always connects 
back up to the network without issue and continues as normal.

Would creating a real vlan, which has no route to the internet be a better way 
to go about this? Or am I doing something wrong by sending them to the mac 
detection vlan?

Cheers,
Andi



[PacketFence-users] edited violations.conf outside of GUI - now errors

2015-10-22 Thread Morris, Andi
Hi all,
Firstly, sorry for all the mailing list entries recently, it never rains

Anyway, I created a violation earlier which went well, however since editing it 
on the CLI through violations.conf I can no longer get to certain parts of the 
admin GUI.

Httpd.admin.log shows:
Oct 22 17:20:30 httpd.admin(31004) ERROR: Caught exception in 
pfappserver::Controller::Node->search "/usr/local/pf/conf/violations.conf 
cannot be loaded at /usr/local/pf/lib/pf/config/cached.pm line 362." 
(pfappserver::PacketFence::Controller::Root::end)

Line 362 is (no surprise) the line before my violation entry. I've tried 
putting it back to how I think it was before the edit, however I'm still 
getting this after restarting the services.

The entry is:
[151]
priority=1
trigger=
actions=trap,log
desc=Sitting in captive portal
enabled=Y
template=portal
auto_enable=N
vlan=macDetection
whitelisted_categories=

Do I need to do something to push this into the database, or is there something 
up with the config? I'm on version 5.0.1 if it matters.

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--


[PacketFence-users] Recommended setup for HA and efficiency

2015-10-21 Thread Morris, Andi
Hi all,
I've recently come into some issues with the load on my PacketFence setup 
during peak times and so we're now looking at seeing if we can split the 
service into separate components across servers, and also across our two sites 
for high availability.

Loads are currently around 2000 devices concurrently at peak times, all using 
802.1x through the freeradius mschap component to our backend active directory 
server. At peak times there are sometimes 500 devices sitting in the captive 
portal.

Our current setup is a VMWare server with 4vCPUs & 32GB of memory. Inverse have 
had a look and have suggested that our server is being battered by devices in 
our captive portal. However I'm not sure there's much we can do to alleviate 
this, as it's a BYOD environment, and we have little to no control over the 
devices that come into the network. I've added some apache filters to 501 
certain apps that are hitting the portal, but it doesn't seem to be making a 
huge difference, and some apps are still hitting the portal even after the 501 
error is given.

So, some quick questions regarding this:

-  Will moving the MySQL component of the setup onto a dedicated server 
make a marked difference to the performance?

-  If I gave each university site a PF httpd/radius service, would they 
both need to access one single central MySQL server or would this cause 
deadlocks?

-  Is splitting PF into 3 separate components: apache, freeradius and 
MySQL also an option to bring server load down?

Has anyone else run into this sort of issue with devices sitting in the captive 
portal, and if so how do you combat it? Larger environments, what is your setup 
regarding PF hardware and services?

Cheers,
Andi


[PacketFence-users] Internet Explorer web admin access

2015-10-14 Thread Morris, Andi
I'm getting trouble accessing the web admin interface when using IE11. This 
seems to be ok using PacketFence version 5.1, but not 5.3.1 or 5.4.0. Login 
access is ok, but the nodes and users tabs just sit there with the 3 dots just 
flashing as if the browser is waiting. The search box doesn't render properly 
either.

All other browsers seem to be ok.

I'm happy using Chrome, but we're trying to push a guest user registration form 
to staff, and a lot of them will have the default browser of IE11 unfortunately.

Happy to send screenshots if it helps.

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--





Re: [PacketFence-users] tweaking the create users page

2015-10-14 Thread Morris, Andi
That’s got it, thanks. I just needed the following line:


All seems to be working perfectly now. Thanks very much.


From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 13 October 2015 19:45
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] tweaking the create users page

Andi,

What is the “expiration” action type ?

Can you send me the whole file so I see what you are trying to do.

If you are trying to hide the “registration window” section, use the following:




For the “actions” section, the following:







Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


Re: [PacketFence-users] tweaking the create users page

2015-10-13 Thread Morris, Andi
Thanks Derek,
That’s been a really big help and I’m nearly there. What is the format for the 
date field? I’ve tried the following, but I get errors:




The errors I get when creating a user are:
Error! Expiration field is required
Error! ‘expiration’ is not a valid value

The values for dates I’ve tried are:
“-mm-dd”
“/mm/dd”
“-mm-dd hh:mm”
“/mm/dd hh:mm”

Cheers,
Andi


From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 08 October 2015 18:00
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] tweaking the create users page

I’ll keep looking for ways to give the users a default unreg date.

Here’s how I usually do it:




Cheers!
dw.



Re: [PacketFence-users] tweaking the create users page

2015-10-13 Thread Morris, Andi
Aha, I think I now see that this is not because of the format of the date, but 
because the ‘expiration’ field isn’t declared as an Action.


Re: [PacketFence-users] tweaking the create users page

2015-10-08 Thread Morris, Andi
Thanks Derek,
I can see how that would work for a simple field such as Name, but I can’t work 
it out for the unregistration date.

  [% l('Registration Window') %]
  [% form.field('valid_from').render_element | none %]
  [% form.field('expiration').render_element | none %]


I still need to swap access duration for the set role action too.


  [% l('Actions') %]
  [% FOREACH action IN form.field('actions').fields -%]
  <tr[% ' class="hidden"' IF loop.last %]>
  [% IF loop.last %]1[% ELSE %][% loop.index + 1 %][% END %]
  [% action.field('type').render_element | none %]
  [% action.field('value').render_element | none %]
  [% END -%]


From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 08 October 2015 15:44
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] tweaking the create users page

I managed to hide the registration window from view, but the user couldn’t be 
created as this seems to be a required field. Is there a way I can make all 
created users have a certain registration window by default? I’m finding that 
having the registration time, and access duration is confusing to users.

Can you make the fields “hidden” with a value ?
That’s how I usually do it

Cheers!
dw.



Re: [PacketFence-users] tweaking the create users page

2015-10-08 Thread Morris, Andi
Aha, I found the Actions array in /lib/pf/Authentication/constants.pm and 
changed the order. That means that the Actions now shows ‘Set access duration’ 
by default on the create screen, perfect.

I’ll keep looking for ways to give the users a default unreg date.

Cheers,
Andi



Re: [PacketFence-users] tweaking the create users page

2015-10-07 Thread Morris, Andi
Thanks Derek.

That was really helpful. I managed to hide the registration window from view, 
but the user couldn’t be created as this seems to be a required field. Is there 
a way I can make all created users have a certain registration window by 
default? I’m finding that having the registration time, and access duration is 
confusing to users.

Cheers,
Andi

From: Derek Wuelfrath [mailto:dwuelfr...@inverse.ca]
Sent: 01 October 2015 21:39
To: ML PF <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] tweaking the create users page

Andi,

It is indeed possible to do it (it’s like zombocom, everything is possible). I 
actually did it for some specific use cases.

You would need to create some custom code.

You could have a look at html/pfappserver/root/user/create.tt and add some 
“hidden” fields.

There may of course be more files to check, but basically that should do it 
:)

Cheers!
dw.




[PacketFence-users] tweaking the create users page

2015-10-01 Thread Morris, Andi
Is there a way to remove the registration window option and make two actions 
appear by default (access duration and role) in the create users window? I'm 
trying to make this page as simple as possible for the staff creating users.

Cheers,
Andi



Re: [PacketFence-users] Using vlan_filter & device registration - SOLVED

2015-08-20 Thread Morris, Andi
With Louis @ Inverse's help this has been resolved (I highly recommend the 
support contract BTW).

I now have an extra condition in my vlan_filter.conf to stop the mac_auth 
requests hitting my visiting user condition, by forcing the visiting_user rule 
to match the ssid as well. It is now as follows:

[home_user]
filter = username
operator = match
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$)

[visiting_user]
filter = username
operator = match_not
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$)

[eduroam]
filter = ssid
operator = is
value = eduroam

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

[autoreg:visiting_user&eduroam]
scope = AutoRegister
role = eduroam_visitors

[2:home_user]
scope = NormalVlan
role = eduroam_home
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-09 23:59:59

[2:visiting_user&eduroam]
scope = NormalVlan
role = eduroam_visitors
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-09 23:59:59

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 19 August 2015 13:36
To: 'packetfence-users@lists.sourceforge.net'
Subject: Re: [PacketFence-users] Using vlan_filter & device registration

Apologies, I meant to put the extract from the packetfence.log:

Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] handling radius autz 
request: from switch_ip = (192.168.142.13), connection_type = 
Wireless-802.11-NoEAP,switch_mac = (00:3a:98:d0:1e:c0), mac = 
[00:26:b6:da:18:42], port = 13, username = 00:26:b6:da:18:42 
(pf::radius::authorize)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Match Vlan rule: 
autoreg:visiting_user (pf::vlan::filter::test)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] autoregister a node 
that is already registered, do nothing. (pf::node::node_register)
Aug 19 13:21:27 httpd.aaa(8977) WARN: Can't find provisioner for 
00:26:b6:da:18:42 since we don't have it's OS 
(pf::Portal::Profile::findProvisioner)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Can't find 
provisioner (pf::vlan::getNormalVlan)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Match Vlan rule: 
2:visiting_user (pf::vlan::filter::test)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] PID: default, 
Status: reg Returned VLAN: 145, Role: eduroam_visitors 
(pf::vlan::fetchVlanForNode)
Aug 19 13:21:27 httpd.webservices(9127) WARN: invalid date 2015-09-0923:59:59 
(pf::util::valid_date)
Aug 19 13:21:27 httpd.webservices(9127) WARN: We were unable to calculate the 
access duration (pf::config::access_duration)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] (192.168.142.13) 
Returning ACCEPT with VLAN 145 and role  (pf::Switch::returnRadiusAccessAccept)


Cheers,
Andi


[PacketFence-users] Using vlan_filter & device registration

2015-08-19 Thread Morris, Andi
Hi all,
I'm having an issue on a new PF box running 5.0.1 (this is the version we have 
in dev). Currently I'm using vlan_filters to decide whether a user is a home 
user, or an eduroam visiting user, and assign the correct role based on this. 
However I've just added the device-registration option, and the vlan_filter is 
taking over this, registering the device with the owner as default.

I presume this is something to do with my regex filtering within 
vlan_filter.conf as the device matches the visiting_user filter, and is given 
this vlan instead of the one it should be given. I've tried to account for this 
by telling the filter not to trigger when the username is a mac address, which 
it appears to be when the device logs in, but I'm still seeing this match the 
visiting_user filter.

My vlan_filter.conf is:
[home_user]
filter = username
operator = match
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$)

[visiting_user]
filter = username
operator = match_not
value = 
^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$|([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$)

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

[autoreg:visiting_user]
scope = AutoRegister
role = eduroam_visitors

[2:home_user]
scope = NormalVlan
role = eduroam_home
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

[2:visiting_user]
scope = NormalVlan
role = eduroam_visitors
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

Anyone have any ideas about this?

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--



--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Using vlan_filter device registration

2015-08-19 Thread Morris, Andi
Apologies, I meant to put the extract from the packetfence.log:

Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] handling radius autz 
request: from switch_ip = (192.168.142.13), connection_type = 
Wireless-802.11-NoEAP,switch_mac = (00:3a:98:d0:1e:c0), mac = 
[00:26:b6:da:18:42], port = 13, username = 00:26:b6:da:18:42 
(pf::radius::authorize)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Match Vlan rule: 
autoreg:visiting_user (pf::vlan::filter::test)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] autoregister a node 
that is already registered, do nothing. (pf::node::node_register)
Aug 19 13:21:27 httpd.aaa(8977) WARN: Can't find provisioner for 
00:26:b6:da:18:42 since we don't have it's OS 
(pf::Portal::Profile::findProvisioner)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Can't find 
provisioner (pf::vlan::getNormalVlan)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Match Vlan rule: 
2:visiting_user (pf::vlan::filter::test)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] PID: default, 
Status: reg Returned VLAN: 145, Role: eduroam_visitors 
(pf::vlan::fetchVlanForNode)
Aug 19 13:21:27 httpd.webservices(9127) WARN: invalid date 2015-09-0923:59:59 
(pf::util::valid_date)
Aug 19 13:21:27 httpd.webservices(9127) WARN: We were unable to calculate the 
access duration (pf::config::access_duration)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] (192.168.142.13) 
Returning ACCEPT with VLAN 145 and role  (pf::Switch::returnRadiusAccessAccept)


Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 19 August 2015 13:28
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Using vlan_filter device registration

Hi all,
I'm having an issue on a new PF box running 5.0.1 (this is the version we have 
in dev). Currently I'm using vlan_filters to decide whether a user is a home 
user, or an eduroam visiting user, and assign the correct role based on this. 
However I've just added the device-registration option, and the vlan_filter is 
taking over this, registering the device with the owner as default.

I presume this is something to do with my regex filtering within 
vlan_filter.conf as the device matches the visiting_user filter, and is given 
this vlan instead of the one it should be given. I've tried to account for this 
by telling the filter not to trigger when the username is a mac address, which 
it appears to be when the device logs in, but I'm still seeing this match the 
visiting_user filter.

My vlan_filter.conf is:
[home_user]
filter = username
operator = match
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$)

[visiting_user]
filter = username
operator = match_not
value = 
^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$|([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$)

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

[autoreg:visiting_user]
scope = AutoRegister
role = eduroam_visitors

[2:home_user]
scope = NormalVlan
role = eduroam_home
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

[2:visiting_user]
scope = NormalVlan
role = eduroam_visitors
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

Anyone have any ideas about this?

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--



--

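As an added illustration (not code from the thread or from PacketFence itself), the following Python script evaluates the posted vlan_filter.conf rules the way the two messages above describe them: each username is run through the match / match_not conditions, and the first rule in file order whose scope and condition both hold wins. It assumes the pattern is applied case-sensitively, which is an assumption about PacketFence, not something the thread states; under that assumption the log's lowercase username 00:26:b6:da:18:42 is not matched by the [0-9A-F] MAC alternative, so match_not is true and autoreg:visiting_user fires, exactly as the log shows. It also checks every unregdate in action_param against an assumed YYYY-MM-DD HH:MM:SS format (the page only shows the rejected values), which flags both 2: rules because the space between date and time is missing. The config text, the usernames and the parser are all constructed here.

```python
import configparser
import re
from datetime import datetime

# Constructed copy of the vlan_filter.conf from the post (patterns verbatim).
VLAN_FILTER_CONF = r"""
[home_user]
filter = username
operator = match
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$)

[visiting_user]
filter = username
operator = match_not
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$|([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$)

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

[autoreg:visiting_user]
scope = AutoRegister
role = eduroam_visitors

[2:home_user]
scope = NormalVlan
role = eduroam_home
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

[2:visiting_user]
scope = NormalVlan
role = eduroam_visitors
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59
"""

# Assumed required form of unregdate; the thread only shows rejected values.
UNREGDATE_FORMAT = "%Y-%m-%d %H:%M:%S"


def load_rules(text):
    """Split the INI into condition sections (name -> filter, operator, value)
    and scoped rule sections named 'scope:condition', kept in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        sec = cp[name]
        if ":" in name:
            rules.append({"section": name, "scope": sec["scope"],
                          "condition": name.split(":", 1)[1],
                          "role": sec.get("role"),
                          "action_param": sec.get("action_param")})
        else:
            conditions[name] = (sec["filter"], sec["operator"], sec["value"])
    return conditions, rules


def condition_holds(conditions, name, attrs, ignore_case=False):
    """match_not is the plain negation of match. Case-sensitive by default:
    that is the assumption made here about how the pattern is applied."""
    field, operator, pattern = conditions[name]
    flags = re.IGNORECASE if ignore_case else 0
    matched = re.search(pattern, attrs.get(field, ""), flags) is not None
    return matched if operator == "match" else not matched


def pick_rule(conditions, rules, scope, attrs, ignore_case=False):
    """First rule whose scope and condition hold, as (section, role); else None."""
    for rule in rules:
        if rule["scope"] == scope and condition_holds(
                conditions, rule["condition"], attrs, ignore_case):
            return rule["section"], rule["role"]
    return None


def parse_action_param(param):
    """'mac = $mac , unregdate = ...' -> dict (constructed parser, not PacketFence's)."""
    out = {}
    for piece in param.split(","):
        key, _, value = piece.partition("=")
        out[key.strip()] = value.strip()
    return out


def unregdate_is_valid(value):
    try:
        datetime.strptime(value, UNREGDATE_FORMAT)
        return True
    except ValueError:
        return False


def rules_with_bad_unregdate(rules):
    """Sections whose action_param carries an unregdate that fails the format check."""
    bad = []
    for rule in rules:
        if not rule["action_param"]:
            continue
        params = parse_action_param(rule["action_param"])
        if "unregdate" in params and not unregdate_is_valid(params["unregdate"]):
            bad.append(rule["section"])
    return bad


CONDITIONS, RULES = load_rules(VLAN_FILTER_CONF)

if __name__ == "__main__":
    # The lowercase MAC is the username from the log line; the others are constructed.
    for user in ("00:26:b6:da:18:42", "00:26:B6:DA:18:42", "alice@cardiffmet.ac.uk", "bob@example.org"):
        attrs = {"username": user}
        print(user, "->", pick_rule(CONDITIONS, RULES, "AutoRegister", attrs),
              "| case-insensitive:", pick_rule(CONDITIONS, RULES, "AutoRegister", attrs, True))
    print("rules with invalid unregdate:", rules_with_bad_unregdate(RULES))
```

With ignore_case=True (or a [0-9a-fA-F] class in the pattern) the lowercase MAC is matched, match_not becomes false, and no AutoRegister rule fires for the device, which is the outcome the visiting_user exclusion was written to produce.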

[PacketFence-users] FW: valid date

2015-08-18 Thread Morris, Andi
Hi all,
Were there any thoughts on this? I'd love to get an unreg date working with 
vlan filters, but I can't seem to get it to happen. I constantly get the 
invalid date message when I use the format -mm-dd hh:mm or -dd-mm hh:mm.

It would be even better if I could get the system to dynamically calculate this 
date from the registration date.

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 12 May 2015 14:20
To: 'packetfence-users@lists.sourceforge.net'
Subject: Re: [PacketFence-users] valid date

Actually, to follow this up. Is there a way to set the unreg date for a set 
interval? E.G. 30 days from registration date?

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 12 May 2015 14:12
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] valid date

Hi,
I'm trying to add an unregdate to my vlan_filters.conf, but I keep getting met 
with the error below in packetfence.log:

May 12 14:00:46 httpd.webservices(23481) WARN: invalid date 2015-05-1523:59 
(pf::util::valid_date)

My vlan_filter conf is:
[home_user]
filter = username
operator = match
value = ^(.+cardiffmet\.ac\.uk$|.+uwic\.ac\.uk$)

[autoreg:home_user]
scope = AutoRegister
role = Cardiff Met Staff/Student

[2:home_user]
scope = NormalVlan
role = Cardiff Met Staff/Student
action = modify_node
action_param = mac = $mac , unregdate = 2015-05-15 23:59

I've tried it in various formats, with and without quotation marks, but still 
no joy. I tried to translate the regex within pf/lib/pf/util.pm and I'm pretty 
sure I am submitting a valid date. Can someone point me in the right direction 
please?

Cheers,
Andi

-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--



--

