Re: [PacketFence-users] Proper VLAN config

2017-08-28 Thread Moritz Schmid via PacketFence-users
Hi Fabrice,

I think I managed to figure out most of the things I asked you but I hit 
another error:

As I told you I’d like to use vlan enforcement with hostapd. I changed my 
radius to local eap. I’m still able to register a device (when auto 
registration with radius credentials is activated) but after successful 
authentication nothing happens.

My log files:

Log of /usr/local/pf/logs/packetfence.log:
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] handling radius autz request: from switch_ip => (10.0.0.105), connection_type => Wireless-802.11-EAP,switch_mac => (64:70:02:b5:d4:eb), mac => [90:8d:6c:7c:09:9b], port => 1, username => "john", ssid => LabTest (pf::radius::authorize)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Instantiate profile MAWIFI (pf::Connection::ProfileFactory::_from_profile)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) WARN: [mac:90:8d:6c:7c:09:9b] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Using sources local for matching (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Using sources local for matching (pf::authentication::match2)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Username was defined "john" - returning role 'Mitarbeiter' (pf::role::getRegisteredRole)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] PID: "john", Status: reg Returned VLAN: (undefined), Role: Mitarbeiter (pf::role::fetchRoleForNode)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] (10.0.0.105) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] violation 133 force-closed for 90:8d:6c:7c:09:9b (pf::violation::violation_force_close)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] Instantiate profile MAWIFI (pf::Connection::ProfileFactory::_from_profile)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:00:13:ce:ec:9e:27] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)

And the log of hostapd:
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: stopped accounting session 59A408DF-0015
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: authenticated
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: associated (aid 1)
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: VLAN ID 100
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b WPA: pairwise key handshake completed (RSN)
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: starting accounting session 59A408DF-0016
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Mon Aug 28 16:16:39 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: disassociated
Mon Aug 28 16:16:39 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: stopped accounting session 59A408DF-0016
Mon Aug 28 16:16:40 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

Regards,

Moritz


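The two logs in the mail above can be lined up by client MAC to see where the handshake goes wrong: PacketFence's side shows the VLAN it put into the Access-Accept, hostapd's side shows the VLAN it received and how long the station stayed. The script below is an added example written for this thread, not PacketFence or hostapd code. It assumes only the line formats visible in the quoted logs; the sample lines are those same lines, unwrapped to one line each. The `SHORT_SESSION_SECONDS` threshold and the verdict names are my own choices.

```python
"""Correlate PacketFence's RADIUS decision for one MAC with what hostapd did with it."""
import re
from datetime import datetime

# Constructed sample input: PacketFence lines from the mail above, unwrapped.
PF_LOG = """\
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] PID: "john", Status: reg Returned VLAN: (undefined), Role: Mitarbeiter (pf::role::fetchRoleForNode)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:90:8d:6c:7c:09:9b] (10.0.0.105) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Aug 28 16:16:27 ba-pf-oob packetfence_httpd.aaa: httpd.aaa(1177) INFO: [mac:00:13:ce:ec:9e:27] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
"""

# Constructed sample input: hostapd lines from the mail above, unwrapped.
HOSTAPD_LOG = """\
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: authenticated
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: associated (aid 1)
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: VLAN ID 100
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b WPA: pairwise key handshake completed (RSN)
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b RADIUS: starting accounting session 59A408DF-0016
Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Mon Aug 28 16:16:39 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: disassociated
Mon Aug 28 16:16:40 2017 daemon.info hostapd: wlan0: STA 90:8d:6c:7c:09:9b IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
"""

# "Aug 28 16:16:27 host process: worker(pid) LEVEL: [mac:xx] message"
PF_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ \S+ (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)$"
)
# "Mon Aug 28 16:16:28 2017 daemon.info hostapd: wlan0: STA xx message"
HOSTAPD_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ hostapd: "
    r"(?P<iface>\S+): STA (?P<mac>[0-9a-f:]{17}) (?P<msg>.*)$"
)

# Assumed threshold: a client that authenticated and left sooner than this is worth a look.
SHORT_SESSION_SECONDS = 60


def parse_pf(text):
    """Return [{'ts','level','mac','msg'}] for every PacketFence line carrying a MAC."""
    events = []
    for line in text.splitlines():
        m = PF_RE.match(line)
        if m:
            events.append({**m.groupdict(), "mac": m["mac"].lower()})
    return events


def parse_hostapd(text):
    """Return [{'ts','iface','mac','msg'}] for every hostapd STA line, ts as datetime."""
    events = []
    for line in text.splitlines():
        m = HOSTAPD_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S %Y")
            d["mac"] = d["mac"].lower()
            events.append(d)
    return events


def returned_vlan(pf_events):
    """VLAN PacketFence put into the Access-Accept, or None if it never did."""
    for e in pf_events:
        m = re.search(r"Added VLAN (\d+) to the returned RADIUS Access-Accept", e["msg"])
        if m:
            return int(m.group(1))
    return None


def applied_vlan(ap_events):
    """VLAN hostapd reports having taken from the RADIUS reply, or None."""
    for e in ap_events:
        m = re.match(r"RADIUS: VLAN ID (\d+)", e["msg"])
        if m:
            return int(m.group(1))
    return None


def session_seconds(ap_events):
    """Seconds from 802.1X success to the first later disassociation, or None."""
    auth_ts = None
    for e in ap_events:
        if auth_ts is None and e["msg"].startswith("IEEE 802.1X: authenticated"):
            auth_ts = e["ts"]
        elif auth_ts is not None and e["msg"].startswith("IEEE 802.11: disassociated"):
            return int((e["ts"] - auth_ts).total_seconds())
    return None


def diagnose(pf_text, hostapd_text, mac):
    """Combine both logs for one MAC into a short verdict."""
    mac = mac.lower()
    pf = [e for e in parse_pf(pf_text) if e["mac"] == mac]
    ap = [e for e in parse_hostapd(hostapd_text) if e["mac"] == mac]
    pf_vlan, ap_vlan = returned_vlan(pf), applied_vlan(ap)
    eap_ok = any(e["msg"].startswith("IEEE 802.1X: authenticated") for e in ap)
    seconds = session_seconds(ap)
    if pf_vlan is None:
        verdict = "no_vlan_returned"   # nothing for the AP to apply; look at the switch/role config
    elif ap_vlan != pf_vlan:
        verdict = "vlan_mismatch"      # AP logged a different VLAN, or none at all
    elif eap_ok and seconds is not None and seconds < SHORT_SESSION_SECONDS:
        verdict = "short_session"      # RADIUS side agreed, client still dropped right away
    else:
        verdict = "ok"
    return {"pf_vlan": pf_vlan, "ap_vlan": ap_vlan, "eap_ok": eap_ok,
            "session_seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    for client in ("90:8d:6c:7c:09:9b", "00:13:ce:ec:9e:27"):
        print(client, diagnose(PF_LOG, HOSTAPD_LOG, client))
```

On the lines from the mail this reports pf_vlan 100, ap_vlan 100, a successful PEAP exchange and an 11-second session, i.e. verdict `short_session`: PacketFence and hostapd agree on the VLAN, and the station is lost only after the AP has accepted VLAN 100. That moves the next check from the RADIUS exchange to what the OpenWrt side does with a dynamically assigned VLAN (whether hostapd has dynamic VLAN handling enabled and an interface or bridge for that VLAN ID exists), which the logs alone cannot show.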

Re: [PacketFence-users] Proper VLAN config

2017-08-28 Thread Moritz Schmid via PacketFence-users
Hello Fabrice,

Thanks for your reply, but I’m still wrestling with the config and I’m 
having some further questions. First let me tell you my plans. I’d like to use pf 
in the vlan-enf mode with an openwrt router with hostapd and the radius with 
local auth (for testing).

I configured the network as I wrote in my last mail. So pf and the openwrt ap 
are in the 10.0.0.x network without any vlan. I created a vlan each for 
registration and isolation as described in this guide: 
https://packetfence.org/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN.html#_configuring_your_packetfence_environment
and the linking of the ap after that guide 
https://packetfence.org/doc/PacketFence_OpenWrt-Hostapd-15-05_Quick_Install_Guide.html
which contains two errors I’d like to report. The linking of the ap works fine 
so far. Initially I plan to use the default role, which I allowed to register up to 
10 devices. Here my troubles are starting: Which Authentication Sources shall I 
use?

At the moment I’m using the default connection profile with the local source. 
If I connect a device via wifi to the network I can see the following lines in 
the log of hostapd:

Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 IEEE 802.11: authenticated
Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 IEEE 802.11: associated (aid 1)
Sat Aug 26 18:09:37 2017 daemon.info hostapd: wlan0: STA 00:13:ce:ec:9e:27 RADIUS: starting accounting session 59A1541A-001E

If I check auto registration of new devices in the connection profile the 
device even gets registered, but the wifi won’t connect. I stored the radius 
credentials as demanded in the /usr/local/pf/raddb/users file. Which point am I 
missing? Do I need further configurations? Honestly, sometimes I’m feeling lost 
in the guides of pf.

Two last questions for my own understanding. The users section in the pf web menu: 
is it the “local” auth source? And if I use the auth source htpasswd, do I need 
to create a user in the users section?

Best regards and sorry for the large amount of questions/problems

Moritz



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net

Re: [PacketFence-users] Proper VLAN config

2017-08-25 Thread Fabrice Durand via PacketFence-users
Hello Moritz,

just keep in mind that the registration and isolation vlans are managed by
packetfence (dhcp/dns/gateway); after that the production vlan can be
what you want.

Regards

Fabrice



On 2017-08-25 at 10:39, Moritz Schmid via PacketFence-users wrote:
> Hey guys,
>
> I’m new to pf and a little bit confused about a proper vlan setup for 
> vlan enforcement. So far I’d like to have my setup checked please. My 
> question: Is it possible that the management vlan and the “normal” aka 
> production vlan are the same? I know it is possible to have several prod 
> vlans but in my case I just want to have one.
>
> In the Network Device Conf Guide it's: Normal VLAN: 1, Registration VLAN: 2 & 
> Isolation VLAN: 3
> In the OoB Zen Guide it's: Mgmt VLAN 1, Reg VLAN 2, Isolation VLAN 3 & Normal 
> VLAN 10
>
> My plans and my understanding are the following:
>
> Pf server (following the guide):
> Eth0         as mgmt/normal   with ip 10.0.0.x
> Eth0 vlan 2  as registration  with dhcp from pf (192.168.2.x)
> Eth0 vlan 3  as isolation     with dhcp from pf (192.168.3.x)
>
> Switch
> Default vlan (1) with ip 10.0.0.x
> …
> …
>
> The uplink (Port 1) is in the default vlan 1, and Port 2 is the trunk 
> port in all three vlans.
>
> Regards,
> Moritz

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

