Re: [PacketFence-users] Creating PF 7 cluster radiusd errors
an undefined interface... (pf::cluster::members_ips)
> May 3 14:10:06 packetfence packetfence: FATAL radsniff-wrapper(5635): Use of uninitialized value $_ in concatenation (.) or string at /usr/local/pf/lib/pf/services/manager/radsniff.pm line 45. (pf::services::manager::radsniff::make_filter)
> May 3 14:10:07 packetfence packetfence: INFO pfcmd.pl(5590): generating /usr/local/pf/var/conf/ssl-certificates.conf (pf::services::manager::httpd::generateCommonConfig)
> May 3 14:10:07 packetfence packetfence: INFO pfcmd.pl(5590): generating /usr/local/pf/var/conf/captive-portal-common (pf::services::manager::httpd::generateCommonConfig)
> May 3 14:10:07 packetfence packetfence: WARN radsniff-wrapper(5641): requesting member ips for an undefined interface... (pf::cluster::members_ips)
> May 3 14:10:07 packetfence packetfence: FATAL radsniff-wrapper(5641): Use of uninitialized value $_ in concatenation (.) or string at /usr/local/pf/lib/pf/services/manager/radsniff.pm line 45. (pf::services::manager::radsniff::make_filter)
> May 3 14:10:10 packetfence packetfence: WARN pfcmd.pl(5633): requesting member ips for an undefined interface... (pf::cluster::m
> ...
>
> Any help greatly appreciated.
> Thanks
> Darryl

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] generated chroot config for samba / krb5
Hi MJ,

1- In PacketFence Admin, under domains configuration, clone your current domain configuration.
2- Change the IP address of the ActiveDirectory Server by its DNS name. Rejoin the domain from each PacketFence server.
3- Make sure that the DNS server in the configuration can resolve that domain name. (If you need multiple DNS servers, this got introduced recently: https://github.com/inverse-inc/packetfence/pull/2223/files)

The resulting configuration change:

/etc/krb5.conf:
[...]
[libdefaults]
default_realm = domainname.local
[...]

/chroots/domainname/etc/samba/domainname.conf
[...]
password server = domainname.local

Uppercase/Lowercase realm is not problematic.

Regards,

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)

On 05/10/2017 02:55 AM, lists wrote:
> Hi,
>
> No reactions. Could anyone then please tell me how to make such adjustments in our own installation, in a permanent way?
>
> As in: we can edit .conf files in the chroot, but how can we make sure they STAY the way we like them?
>
> MJ
>
> On 8-5-2017 13:20, lists wrote:
>> Hi,
>>
>> I would like to ask for some feedback on the generated samba configs in the chroot in packetfence.
>>
>> The generated smb.conf includes a "password server = dc.ad.company.com". On the samba mailinglist, it's always recommended to use the auto discovery (using DNS) to locate the DCs. This will make use of ALL DC's, plus there's no need to edit the config file, when you make changes to your DCs.
>>
>> The packetfence generated krb5.conf does also not seem to use autodiscover, but the same specific DC again. Samba folks recommend krb5.conf to contain just:
>>
>>> [libdefaults]
>>> default_realm = SAMDOM.EXAMPLE.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>> (note also the UPPERCASE realm)
>>
>> (see https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member)
>>
>> But perhaps packetfence has valid reasons to not use those recommended settings..?
>>
>> Our concern is: we have three DCs, and packetfence only uses one. We would like to have failover for samba and krb, and use all DCs. How can we enable that behaviour in a packetfence-friendly way?
>>
>> MJ
Re: [PacketFence-users] Guest Network
So it is VLAN enforcement though webauth?

https://packetfence.org/doc/PacketFence_Administration_Guide.html#_vlan_assignment_techniques

Regards,
Thierry

On 03/23/2017 04:11 PM, John Sayce wrote:
> Ah thanks. Yes, vlan enforcement with web auth. IP helper to packetfence seems nice and easy.
>
> ________
> From: Thierry Laurion <tlaur...@inverse.ca>
> Sent: 23 March 2017 20:06
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Guest Network
>
> Hi John,
>
> It seems like there is no IP helper configured for PacketFence to be able to know and link MAC to the IP address it knows.
>
> https://packetfence.org/doc/PacketFence_Administration_Guide.html#_production_dhcp_access
>
> Is it VLAN enforcement/webauth?
>
> What type of equipment is configured?
>
> Regards,
>
> --
> Thierry Laurion
> tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)
>
> On 03/23/2017 12:37 PM, John Sayce wrote:
>
> I'm looking for some advice on the best configuration for my packetfence guest network. When I navigate to the portal I get "error: not found in the database" and the status page still doesn't recognise the device as the mac address is '0'. I feel like I'm missing something obvious. Is there meant to be a link somehow to the guest network or its DHCP server?
>
> Regards
> John Sayce

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)
Re: [PacketFence-users] Guest Network
Hi John,

It seems like there is no IP helper configured for PacketFence to be able to know and link MAC to the IP address it knows.

https://packetfence.org/doc/PacketFence_Administration_Guide.html#_production_dhcp_access

Is it VLAN enforcement/webauth?

What type of equipment is configured?

Regards,

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)

On 03/23/2017 12:37 PM, John Sayce wrote:
> I'm looking for some advice on the best configuration for my packetfence guest network. When I navigate to the portal I get "error: not found in the database" and the status page still doesn't recognise the device as the mac address is '0'. I feel like I'm missing something obvious. Is there meant to be a link somehow to the guest network or its DHCP server?
>
> Regards
> John Sayce
Re: [PacketFence-users] Installing OpenVAS on PacketFence ZEN 6.5
Hi Andrew,

Quite interestingly, OpenVAS 9 just got released today after more than two years of development!
http://www.openvas.org/news.html#openvas9

There is a Perl implementation of omp, that even if old, might work and permit the replacement of our calls to the omp binary:
http://search.cpan.org/~wneessen/OpenVAS-OMP_0.04/lib/OpenVAS/OMP.pm

Regards,
Thierry

On 03/08/2017 01:07 PM, Thierry Laurion wrote:
> Hi Andrew,
>
> Unfortunately, there is a conflict between OpenVAS and PacketFence dependency against required wmi support. OpenVAS obsoletes wmi package dependency and replaces it with openvas-smb, while PacketFence still requires wmi through perl-Net-WMIClient module usage.
>
> There is no trivial solution to this problem or direct workaround.
>
> * One solution would be to replace perl-Net-WMIClient code with python code and impacket library to do wmi calls.
>
> * Another solution would be to validate if OpenVAS API is available without OpenVAS-client (omp) usage, and replace accordingly how we communicate with the remote OpenVAS manager to request scans, callbacks and reports.
>
> May I ask you how you planned to use OpenVAS in your specific deployment?
>
> * If it was for pre-registration or registration scanning: OpenVAS/Nessus scans can take anywhere between seconds to minutes before finishing a scan of a host. Meanwhile, that endpoint would be stuck in registration until the scan finishes and the results are validated for violations. For preregistration/registration scans, it is recommended to define wmi scans instead, which would validate for example that the endpoint that connects is compliant with the domain prevention policies. Those quick tests could be the validation that the remote computer has a proper activated firewall, an up to date antivirus and so on. Else, a violation could be raised and linked actions, applied.
> * If it was for post-registration, then your scenario would fit for a vulnerability scan since not impacting the user desiring to have network access, but the endpoint would already be in your production environment at the moment of scanning for vulnerabilities. PacketFence scanning requires some violation triggers to be defined, which are specific OIDs (alerts) that would not be tolerated.
>
> Regards,
> Thierry
> On 02/27/2017 11:28 AM, Torry, Andrew wrote:
>> Hi Folks,
>>
>> I was really hoping this would be working by now but I still cannot get the OpenVAS scanner functionality to work.
>> I have installed OpenVAS-CLI and the support libraries from the ATOMIC repository but
>> my scan jobs fail because the OpenVAS application itself is not installed:-
>> [root@PacketFence-6_5_0 ~]# omp
>> omp: error while loading shared libraries: libopenvas_omp.so.8: cannot open shared object file: No such file or directory
>> [root@PacketFence-6_5_0 ~]#
>>
>> When I install OpenVAS I get this:-
>>
>> [root@PacketFence-6_5_0 ~]# yum install openvas --enablerepo=atomic
>> Loaded plugins: fastestmirror
>> Setting up Install Process
>> Loading mirror speeds from cached hostfile
>> * atomic: www4.atomicorp.com
>> * base: mirror.as29550.net
>> * extras: mirror.as29550.net
>> * updates: mirror.as29550.net
>> Resolving Dependencies
>> --> Running transaction check
>> ---> Package openvas.noarch 0:1.0-17.el6.art will be installed
>> --> Processing Dependency: wapiti for package: openvas-1.0-17.el6.art.noarch
>> --> Processing Dependency: openvas-scanner for package: openvas-1.0-17.el6.art.noarch
>> --> Processing Dependency: openvas-manager for package: openvas-1.0-17.el6.art.noarch
>> --> Processing Dependency: nmap for package: openvas-1.0-17.el6.art.noarch
>> --> Processing Dependency: nikto for package: openvas-1.0-17.el6.art.noarch
>> --> Processing Dependency: ncrack for package: openvas-1.0-17.el6.art.noarch
>> --> Processing Dependency: haveged for package: openvas-1.0-17.el6.art.noarch
>> --> Processing Dependency: greenbone-security-assistant for package: openvas-1.0-17.el6.art.noarch
>> --> Processing Dependency: dirb for package: openvas-1.0-17.el6.art.noarch
>> --> Running transaction check
>> ---> Package dirb.x86_64 0:221-2.el6.art will be installed
>> ---> Package greenbone-security-assistant.x86_64 0:6.0.11-27.el6.art will be installed
>> --> Processing Dependency: libmicrohttpd for package: greenbone-security-assistant-6.0.11-27.el6.art.x86_64
>> --> Processing Dependenc
Re: [PacketFence-users] Installing OpenVAS on PacketFence ZEN 6.5
_64
> --> Finished Dependency Resolution
> Error: Package: perl-Net-WMIClient-0.62-0.x86_64 (@packetfence)
>            Requires: libasync_wmi_lib.so.0()(64bit)
>            Removing: wmi-1.3.14-4.centos6.x86_64 (@packetfence)
>                libasync_wmi_lib.so.0()(64bit)
>            Obsoleted By: openvas-smb-1.0.1-1.el6.art.x86_64 (atomic)
>                Not found
>            Updated By: wmi-1.3.14-4.el6.art.x86_64 (atomic)
>                libasync_wmi_lib.so.0()(64bit)
>            Available: wmi-1.3.14-3.el6.art.x86_64 (atomic)
>                libasync_wmi_lib.so.0()(64bit)
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest
> [root@PacketFence-6_5_0 ~]#
>
> What do I need to do to get OpenVAS scanning to work
>
> Andrew
>
> Falmouth Exeter Plus

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)

On 02/27/2017 11:28 AM, Torry, Andrew wrote:
> Hi Folks,
>
> I was really hoping this would be working by now but I still cannot get the OpenVAS scanner functionality to work.
>
> I have installed OpenVAS-CLI and the support libraries from the ATOMIC repository but
> my scan jobs fail because the OpenVAS application itself is not installed:-
>
> [root@PacketFence-6_5_0 ~]# omp
> omp: error while loading shared libraries: libopenvas_omp.so.8: cannot open shared object file: No such file or directory
> [root@PacketFence-6_5_0 ~]#
>
> When I install OpenVAS I get this:-
>
> [root@PacketFence-6_5_0 ~]# yum install openvas --enablerepo=atomic
> Loaded plugins: fastestmirror
> Setting up Install Process
> Loading mirror speeds from cached hostfile
> * atomic: www4.atomicorp.com
> * base: mirror.as29550.net
> * extras: mirror.as29550.net
> * updates: mirror.as29550.net
> Resolving Dependencies
> --> Running transaction check
> ---> Package openvas.noarch 0:1.0-17.el6.art will be installed
> --> Processing Dependency: wapiti for package: openvas-1.0-17.el6.art.noarch
> --> Processing Dependency: openvas-scanner for package: openvas-1.0-17.el6.art.noarch
> --> Processing Dependency: openvas-manager for package: openvas-1.0-17.el6.art.noarch
> --> Processing Dependency: nmap for package: openvas-1.0-17.el6.art.noarch
> --> Processing Dependency: nikto for package: openvas-1.0-17.el6.art.noarch
> --> Processing Dependency: ncrack for package: openvas-1.0-17.el6.art.noarch
> --> Processing Dependency: haveged for package: openvas-1.0-17.el6.art.noarch
> --> Processing Dependency: greenbone-security-assistant for package: openvas-1.0-17.el6.art.noarch
> --> Processing Dependency: dirb for package: openvas-1.0-17.el6.art.noarch
> --> Running transaction check
> ---> Package dirb.x86_64 0:221-2.el6.art will be installed
> ---> Package greenbone-security-assistant.x86_64 0:6.0.11-27.el6.art will be installed
> --> Processing Dependency: libmicrohttpd for package: greenbone-security-assistant-6.0.11-27.el6.art.x86_64
> --> Processing Dependency: libopenvas_omp.so.8()(64bit) for package: greenbone-security-assistant-6.0.11-27.el6.art.x86_64
> --> Processing Dependency: libopenvas_misc.so.8()(64bit) for package: greenbone-security-assistant-6.0.11-27.el6.art.x86_64
> --> Processing Dependency: libopenvas_base.so.8()(64bit) for package: greenbone-security-assistant-6.0.11-27.el6.art.x86_64
> --> Processing Dependency: libmicrohttpd.so.10()(64bit) for package: greenbone-security-assistant-6.0.11-27.el6.art.x86_64
> ---> Package haveged.x86_64 0:1.3-2.el6.art will be installed
> ---> Package ncrack.x86_64 0:0.3-0.2.ALPHA.el6.art will be installed
> ---> Package nikto.noarch 1:2.1.6-12.el6.art will be installed
> --> Processing Dependency: perl-JSON-PP for package: 1:nikto-2.1.6-12.el6.art.noarch
> ---> Package nmap.x86_64 2:6.47-8.el6.art will be installed
> --> Processing Dependency: nmap-ncat = 2:6.47-8.el6.art for package: 2:nmap-6.47-8.el6.art.x86_64
> ---> Package openvas-manager.x86_64 0:6.0.9-36.el6.art will be installed
> --> Processing Dependency: doxygen for package: openvas-manager-6.0.9-36.el6.art.x8
Re: [PacketFence-users] hostapd/Openwrt with Multiple SSIDs on same vlan Bug
Hi Chris,

On 02/07/2017 11:51 AM, Chris Abel wrote:
> There has been a bug with the hostapd.sh script that packetfence provides. I've posted about it before, but I'm curious if there is any work on resolving it? When 2 SSID's are configured and a node connects to both SSIDs and is put into the same vlan, networking breaks and they are given a self assigned IP.

"It’s known that you can’t put 2 SSIDs with the same dae server at the same time. The deauthentication will not work on the second SSID."

SRC: https://packetfence.org/doc/PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.html

It's a limitation from Hostapd. Does that answer your question?

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)
Re: [PacketFence-users] Cluster help
Hi Michael,

Please share your cluster.conf.

On 01/26/2017 01:33 PM, Campanaro, Michael wrote:
>
> So I just ran the command 'service packetfence-config restart' and then restarted the packetfence services on both servers. They started and I'm able to access the admin gui from the cluster's virtual management IP. But the radiusd service, p0f service and now dhcpd service won't start and PF won't function as intended. I'm getting a lot of errors like this in packetfence.log:
>
> Jan 26 13:26:03 pfcmd.pl(29925) ERROR: Couldn't connect to MySQL database to access L2. This is a major problem ! Check the MySQL section in /usr/local/pf/conf/pfconfig.conf and make sure your database schema is up to date ! (pfconfig::backend::mysql::_db_error)
> Jan 26 13:26:04 pfcmd.pl(29925) ERROR: Caught error DBI connect('database=pf;host=127.0.0.1;port=3306','pf',...) failed: Can't connect to MySQL server on '127.0.0.1' (111) at /usr/local/pf/lib/pfconfig/backend/mysql.pm line 45.
> Jan 26 13:26:04 pfcmd.pl(29925) ERROR: Couldn't connect to MySQL database to access L2. This is a major problem ! Check the MySQL section in /usr/local/pf/conf/pfconfig.conf and make sure your database schema is up to date ! (pfconfig::backend::mysql::_db_error)
> Jan 26 13:26:04 pfcmd.pl(29925) ERROR: Caught error DBI connect('database=pf;host=127.0.0.1;port=3306','pf',...) failed: Can't connect to MySQL server on '127.0.0.1' (111) at /usr/local/pf/lib/pfconfig/backend/mysql.pm line 45.
> Jan 26 13:26:04 pfcmd.pl(29925) ERROR: Couldn't connect to MySQL database to access L2. This is a major problem ! Check the MySQL section in /usr/local/pf/conf/pfconfig.conf and make sure your database schema is up to date ! (pfconfig::backend::mysql::_db_error)
> [root@packetfence usr]#
>

Here we see that haproxy is still not functioning properly by not providing mysql access.

>
> I'm also getting this error in my radius log:
>
> Thu Jan 26 13:27:22 2017 : Error: Errors reading raddb//mods-config/attr_filter/access_reject
> Thu Jan 26 13:27:22 2017 : Error: raddb//mods-enabled/attr_filter[28]: Instantiation failed for module "attr_filter.access_reject"
>
> Thank you,
>
> -Mike
>
> *From:* Campanaro, Michael <campan...@morrisville.edu>
> *Sent:* Thursday, January 26, 2017 1:15 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Cluster help
>
> Hey Thierry,
>
> This is what happens when I run that command:
>
> [root@packetfence usr]# /usr/local/pf/bin/pfcmd service haproxy restart
> service|command
> haproxy|already stopped
> Can't use an undefined value as a HASH reference at /usr/local/pf/lib/pf/services/manager/httpd_admin.pm line 48.
>

Has haproxy started? ("netstat -laputen|grep 3306" shows haproxy running and accepting requests?)

Then you should restart packetfence-redis-cache, packetfence-config and then packetfence.

The admin tries to access management IP of the cluster (line 48) but it can't; Normal if there is no config cache and no DB access.

>
> I tried restarting both packetfence servers earlier and now PF on both servers refuses to start. These are some of the errors I'm seeing in packetfence.log:
>
> [root@packetfence usr]# tail /usr/local/pf/logs/packetfence.log
> Jan 26 13:08:59 pfcmd.pl(26100) ERROR: Could not write namespace resource::switches_list to L2 cache ! (pfconfig::manager::cache_resource)
> Jan 26 13:08:59 pfcmd.pl(26100) ERROR: Caught error DBI connect('database=pf;host=127.0.0.1;port=3306','pf',...) failed: Can't connect to MySQL server on '127.0.0.1' (111) at /usr/local/pf/lib/pfconfig/backend/mysql.pm line 45.
> while connecting to database. (pfconfig::backend::mysql::_get_db)
> Jan 26 13:08:59 pfcmd.pl(26100) ERROR: Couldn't connect to MySQL database to access L2. This is a major problem ! Check the MySQL section in /usr/local/pf/conf/pfconfig.conf and make sure your database schema is up to date ! (pfconfig::backend::mysql::_db_error)
> Jan 26 13:09:00 pfcmd.pl(26100) INFO: Memory configuration is not valid anymore for key interfaces::management_network(packetfence) in local cached_hash (pfconfig::cached::is_valid)
> Jan 26 13:09:00 pfcmd.pl(26100) INFO: Memory configuration is not valid anymore for key resource::cluster_hosts in local cached_hash (pfconfig::cached::is_valid)
> Jan 26 13:09:00 pfcmd.pl(26100) FATAL: Can't use an undefined value as a HASH reference at /usr/local/pf/lib/pf/services/manager/httpd_admin.pm line 48. (pf::services::manager::httpd_admin::vhosts)
> Jan 26 13:11:37 pfcmd.pl(26571
Re: [PacketFence-users] Cluster help
Hi Michael,

On 01/26/2017 10:51 AM, Campanaro, Michael wrote:
>
> Fabrice,
>
> I have made some progress and at this point the drives are formatted as ext3, the PCS corosync cluster settings are all set and I've tested a failover and it works. I'm no longer locked out of my PF admin gui but I'm still getting mysql errors. I've noticed on the services tab in the admin interface that my radiusd and p0f services are no longer starting.
>
> The following is output from my master server:
>
> Netstat output:
>
> [root@packetfence lib]# netstat -nlp|grep 3306
> tcp 0 0 10.100.10.54:3306 0.0.0.0:* LISTEN 26674/mysqld

haproxy should be running and listening here on 127.0.0.1. Restart it.

cd /usr/local/pf
bin/pfcmd service haproxy restart

>
> /etc/my/cnf:
>
> [root@packetfence lib]# cat /etc/my.cnf
> [mysqld]
> bind_address=10.100.10.54
> datadir=/var/lib/mysql
> socket=/var/lib/mysql/mysql.sock
>
> symbolic-links=0
>
> [mysqld_safe]
> log-error=/var/log/mariadb/mariadb.log
> pid-file=/var/run/mariadb/mariadb.pid
>
> !includedir /etc/my.cnf.d
>
> pf.conf:
>
> [root@packetfence lib]# cat /usr/local/pf/conf/pf.conf
> [general]
> domain=mydomain.local
> dnsservers=10.100.10.30,10.100.10.31,127.0.0.1
> dhcpservers=10.100.10.30,127.0.0.1
> timezone=America/New_York
>
> [guests_admin_registration]
> access_duration_choices=1h,3h,12h,1D,2D,3D,5D,10D,30D,1Y
>
> [alerting]
> emailaddr=techservi...@mydomain.com
>
> [database]
> host=127.0.0.1
> pass=mypassword
>
> [monitoring]
> db_host=127.0.0.1
>
> [services]
> pfsetvlan=enabled
> snmptrapd=enabled
>
> [captive_portal]
> network_detection_ip=10.100.10.54
> secure_redirect=disabled
>
> [omapi]
> key_base64=JQtM8Oy/gDgXIdiuqyxuSw==
>
> [interface ens32]
> ip=10.100.10.54
> type=management,high-availibility
> mask=255.255.0.0
>
> [interface ens33.2]
> enforcement=vlan
> ip=10.2.10.10
> type=internal
> mask=255.255.255.0
> gateway=10.2.10.10
>
> pfconfig.conf:
> [root@packetfence lib]# cat /usr/local/pf/conf/pfconfig.conf
> [general]
> backend=mysql
>
> [mysql]
> host=127.0.0.1
> user=pf
> pass=mypassword
> db=pf
> port=3306
>
> -Mike
>
> *From:* Fabrice Durand <fdur...@inverse.ca>
> *Sent:* Thursday, January 26, 2017 8:56 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Cluster help
>
> Hello Michael,
>
> it depends how you format the partition, so if it's ext3 then mount it as an ext3.
>
> Also when you start the database can you check where it listens? (netstat -nlp| grep 3306)
>
> Also can you paste my.cnf and pf.conf, pfconfig.conf ?
>
> Regards
>
> Fabrice

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)
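A check for the mismatch diagnosed in the message above, where mysqld listens only on 10.100.10.54:3306 while pfconfig.conf points PacketFence at 127.0.0.1:3306, written as an added example (it is not part of the original posts or of PacketFence). The first netstat line and the [mysql] section are taken from the thread; the haproxy line and all function names are constructed for illustration.

```python
import configparser

# Listener line as posted in the thread (netstat -nlp | grep 3306).
NETSTAT_FROM_THREAD = (
    "tcp        0      0 10.100.10.54:3306       0.0.0.0:*"
    "               LISTEN      26674/mysqld\n"
)
# Constructed: the state the reply asks for, with haproxy on the loopback address.
NETSTAT_WITH_PROXY = NETSTAT_FROM_THREAD + (
    "tcp        0      0 127.0.0.1:3306          0.0.0.0:*"
    "               LISTEN      1234/haproxy\n"
)
# [mysql] section of pfconfig.conf as posted in the thread.
PFCONFIG_FROM_THREAD = """\
[general]
backend=mysql

[mysql]
host=127.0.0.1
user=pf
pass=mypassword
db=pf
port=3306
"""


def parse_listeners(netstat_text):
    """Return [(ip, port, program)] for TCP sockets in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        ip, _, port = f[3].rpartition(":")
        if not port.isdigit():
            continue
        program = f[6].split("/", 1)[1] if len(f) > 6 and "/" in f[6] else "-"
        listeners.append((ip, int(port), program))
    return listeners


def db_endpoint(pfconfig_text):
    """Read the host and port the configuration backend will connect to."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pfconfig_text)
    return cp.get("mysql", "host"), cp.getint("mysql", "port")


def diagnose(netstat_text, pfconfig_text):
    """Compare the configured DB endpoint with the sockets actually listening."""
    host, port = db_endpoint(pfconfig_text)
    on_port = [l for l in parse_listeners(netstat_text) if l[1] == port]
    # A socket bound to 0.0.0.0 also accepts connections made to 127.0.0.1.
    usable = [l for l in on_port if l[0] in (host, "0.0.0.0")]
    if usable:
        status = "ok"
    elif on_port:
        # Something owns the port, but on another address: connecting to
        # host:port is refused, which is the "(111)" in the DBI error.
        status = "bound_elsewhere"
    else:
        status = "no_listener"
    shown = usable or on_port
    return {
        "endpoint": f"{host}:{port}",
        "status": status,
        "listeners": [f"{ip}:{p} ({prog})" for ip, p, prog in shown],
    }


if __name__ == "__main__":
    print(diagnose(NETSTAT_FROM_THREAD, PFCONFIG_FROM_THREAD))
    print(diagnose(NETSTAT_WITH_PROXY, PFCONFIG_FROM_THREAD))
```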
Re: [PacketFence-users] Cluster help
Hi,

On what distribution are you? Centos7?

On 01/25/2017 02:05 PM, Campanaro, Michael wrote:
>
> I've been trying to cluster together two Packetfence 6.4 servers together and have been getting nothing but trouble in my attempts. I'm following the Clustering guide word for word but can't seem to get it to work. Everything goes fine up until the point of finalizing the DRBD portion. When I create the ext4 filesystem for /dev/drbd0 and then try to mount it at /var/lib/mysql as per the guide, it mounts in read only mode. I cannot move my SQL files back into the folder nor can I write anything to it. I've tried remounting the drive as read-write but I get an error saying the drive is write protected.
>

I suspect that both your servers are secondary, which could explain why you have read only partitions.

Please do a cat /proc/drbd on both servers and post results.

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)
Re: [PacketFence-users] trouble with passthrough configuration
Hi,

Have you restarted packetfence after activating the passthroughs?

Have you applied maintenance through:

cd /usr/local/pf/
perl addons/pf-maint.pl

Regards,

--
Thierry Laurion
tlaur...@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)

On 01/10/2017 03:26 PM, Antônio Vinícius wrote:
> I've got the same problem with passthrough, but no answer:
>
> https://sourceforge.net/p/packetfence/mailman/message/35511813/
>
> Antonio
>
> 2017-01-10 13:20 GMT-02:00 Virginie Girou <virginie.gi...@ut-capitole.fr>:
>> Hello,
>>
>> I have a packetfence 6.4 in inline mode with routed_postrouting and a captive portal.
>> I'm trying to allow unregistered to access a few domains :
>> In "trapping" section I've enabled "Passthrough" and I've added domains first in "Passthroughs" field, secondly under "Proxy Passthroughs".
>>
>> When I test I never access the domain, only the registration page of captiveportal.
>>
>> Only in the second case I can see in packetfence.log :
>> "[mac:[undef]] URI '/' (URL: http://x/) match proxy passthrough configuration. (pf::web::dispatcher::_handler)
>> [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
>> [mac:x] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)"
>>
>> but it doesn't work.
>>
>> Is there another parameter I missed ?
>>
>> Best regards,
>>
>> --
>> Virginie Girou
>> Equipe systeme
>> DSI - UT1 Capitole
Re: [PacketFence-users] Security Onion alerts not triggering
Hi,

The "detect" trigger matches numerical SIDs found in Snort and Suricata generated "alert" logs, which have a different format than the "digested" logs of SecurityOnion.

As an example, here is the kind of logs that Suricata and Snort generate when in "alert" mode:

'07/28/2015-09:09:59.431113 [**] [1:2221002:1] SURICATA HTTP request field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000'

You should use "suricata_event" triggers in your SecurityOnion related violations, which match text and are more generic.

Modify the violation 153 for it to match "ET P2P Vuze BT UDP Connection". That would be a broader match and would also generate a violation for the following SIDs:

sid-msg.map:2010140 || ET P2P Vuze BT UDP Connection || url,doc.emergingthreats.net/2010140 || url,vuze.com
sid-msg.map:2010141 || ET P2P Vuze BT UDP Connection (2) || url,doc.emergingthreats.net/2010141 || url,vuze.com
sid-msg.map:2010142 || ET P2P Vuze BT UDP Connection (3) || url,doc.emergingthreats.net/2010142
sid-msg.map:2010143 || ET P2P Vuze BT UDP Connection (4) || url,doc.emergingthreats.net/2010143
sid-msg.map:2010144 || ET P2P Vuze BT UDP Connection (5) || url,doc.emergingthreats.net/2010144 || url,vuze.com

Regards,
Thierry Laurion

> An update, I’m now getting the alerts hitting pfdetect, but they’re
> still not triggering the violation with the same ID.
>
> pfdetect.log shows:
>
> Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct 7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921) Alert Received: 0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92
>
> ' (main::_run_detector)
>
> The relevant section of violation.conf is:
>
> [153]
> trigger=detect::2010140
> actions=email_admin,reevaluate_access,log
> max_enable=10
> desc=P2P Vuze2
> enabled=Y
> template=p2p
> grace=2h
>
> *From:*Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
> *Sent:* 07 October 2016 14:56
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* [PacketFence-users] Security Onion alerts not triggering
>
> Hi all,
>
> I have configured my security onion server to send alerts to my
> packetfence server (version 6.2.1), and I can see that they’re getting
> there through TCPdump.
>
> IDS server:
>
> 13:37:02.260031 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 240
> 13:37:02.260216 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
> 13:37:12.271539 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
> 13:37:57.325078 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
> 13:37:57.326236 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
> 13:38:07.342397 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
> 13:38:37.377503 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
> 13:38:55.401715 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
> 13:38:55.401858 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
> 13:38:55.401895 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
> 13:38:55.401921 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
> 13:39:03.412383 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
> 13:39:07.418010 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
> 13:39:07.418098 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
> 13:39:07.418113 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
> 13:39:07.418132 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
> 13:39:07.418153 IP idsserver.internal.domain.35871 > pac
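
Added example, not part of the original messages and not PacketFence's own parser: it puts the two log formats from this thread side by side, showing that a `[gid:sid:rev]` extractor finds no SID in the Security Onion digested line, while a match on the rule text covers all five Vuze SIDs. The regular expressions, the function names and the substring-match semantics are assumptions modelled only on the sample lines quoted above.

```python
import re

# Both sample lines are copied from the messages in this thread.
FAST_ALERT = (
    "07/28/2015-09:09:59.431113 [**] [1:2221002:1] SURICATA HTTP request field "
    "missing colon [**] [Classification: Generic Protocol Command Decode] "
    "[Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000")
SO_DIGEST = (
    "Oct 7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921) Alert Received: "
    "0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 "
    "{ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344 "
    "1 2010140 6 92 92")
# Rule messages from the sid-msg.map excerpt quoted in the thread.
SID_MSG = {
    2010140: "ET P2P Vuze BT UDP Connection",
    2010141: "ET P2P Vuze BT UDP Connection (2)",
    2010142: "ET P2P Vuze BT UDP Connection (3)",
    2010143: "ET P2P Vuze BT UDP Connection (4)",
    2010144: "ET P2P Vuze BT UDP Connection (5)",
}
# Assumed patterns, modelled only on the two sample lines above.
FAST_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
SO_RE = re.compile(
    r"securityonion_ids:.*?\{[^}]*\}\s+\d+\s+\d+\s+\{([^}]*)\}\s+(\S+)\s+(\S+)")

def sid_from_fast_alert(line):
    """Return the numeric SID from a [gid:sid:rev] alert line, else None."""
    m = FAST_RE.search(line)
    return int(m.group(2)) if m else None

def parse_securityonion(line):
    """Return rule text and endpoints from a digested line, else None."""
    m = SO_RE.search(line)
    return {"msg": m.group(1), "src": m.group(2), "dst": m.group(3)} if m else None

def sids_covered(trigger_text):
    """SIDs whose rule message contains trigger_text (substring match assumed)."""
    return sorted(s for s, msg in SID_MSG.items() if trigger_text in msg)

if __name__ == "__main__":
    print("fast alert SID:", sid_from_fast_alert(FAST_ALERT))
    print("digest via SID parser:", sid_from_fast_alert(SO_DIGEST))
    print("digest via text parser:", parse_securityonion(SO_DIGEST))
    print("SIDs covered:", sids_covered("ET P2P Vuze BT UDP Connection"))
```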