What is 10.18.23.60?

Can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam?


On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:
Hi Fabrice,
today I tried again with my PacketFence.

In the packetfence-tunnel configuration I changed the configuration like this:
```
if (update) {
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
}
}
```
because in the output I don't see "ok", and now I can log in with my LDAP account with port 1812 on my access point, but not using port 11812. If I use 11812 my request is always forwarded to the realm eduroam, my home server, and not forwarded to the packetfence virtual server (sites-enabled/packetfence then sites-enabled/packetfence-tunnel) as you said in scenario 1.

(1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id" for User-Name = "testu...@xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name = "testuser"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug:     [suffix] = ok
(1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has destination realm set.  Ignoring
(1) Thu May 24 11:06:15 2018: Debug:     [ntdomain] = noop
(1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/) {
(1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/)  -> TRUE
(1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/)  {
(1) Thu May 24 11:06:15 2018: Debug:       update control {
(1) Thu May 24 11:06:15 2018: Debug:       } # update control = noop
(1) Thu May 24 11:06:15 2018: Debug:     } # if (User-Name =~ /@/)  = noop
(1) Thu May 24 11:06:15 2018: Debug:     ... skipping else: Preceding "if" was taken
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
(1) Thu May 24 11:06:15 2018: Debug:     [eap] = noop

Attached are my radiusd-eduroam.sock log and a picture of my exclusive source eduroam configuration.

Regards.
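The debug output above is the kind of trace one reads by hand to see where a request was routed. The following triage script is an added example, not part of this thread or of PacketFence: it groups `radiusd -X` debug lines by their `(N)` request number and pulls out what the `suffix` and `eap` modules logged (realm found, LOCAL or proxied, per-module return codes, ERROR lines), then reports the two conditions discussed in this thread. The sample input is constructed from lines quoted in the thread; the user name `user1` is a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, adapted from the radiusd debug output quoted in
# this thread. The user name "user1" is a placeholder (the thread's is
# truncated); the request (7) lines come from the first message of the thread.
SAMPLE_LOG = """\
(1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id" for User-Name = "user1@xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name = "user1"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug:     [suffix] = ok
(1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has destination realm set.  Ignoring
(1) Thu May 24 11:06:15 2018: Debug:     [ntdomain] = noop
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
(1) Thu May 24 11:06:15 2018: Debug:     [eap] = noop
(7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed
(7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
"""


@dataclass
class RequestTrace:
    """Everything we keep about one radiusd request, keyed by its "(N)" prefix."""
    request_id: int
    realm: Optional[str] = None            # suffix: Found realm "..."
    stripped_user: Optional[str] = None    # suffix: Adding Stripped-User-Name = "..."
    local: bool = False                    # suffix: Authentication realm is LOCAL
    proxied_to: Optional[str] = None       # Request is supposed to be proxied to Realm X
    module_results: Dict[str, str] = field(default_factory=dict)  # {"suffix": "ok", ...}
    errors: List[str] = field(default_factory=list)               # ERROR-level messages


# "(1) Thu May 24 11:06:15 2018: Debug: <message>" -> request id, level, message
LINE_RE = re.compile(
    r'^\((\d+)\) [A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}: (\w+): (.*)$')
REALM_RE = re.compile(r'suffix: Found realm "([^"]+)"')
STRIPPED_RE = re.compile(r'suffix: Adding Stripped-User-Name = "([^"]+)"')
PROXY_RE = re.compile(r'Request is supposed to be proxied to Realm (\S+?)\.')
RESULT_RE = re.compile(r'^\s*\[(\w+)\] = (\w+)\s*$')


def parse_log(text: str) -> Dict[int, RequestTrace]:
    """Group debug lines per request and extract the routing decisions."""
    traces: Dict[int, RequestTrace] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner lines, blank lines, multi-line continuations
        rid, level, msg = int(m.group(1)), m.group(2), m.group(3)
        tr = traces.setdefault(rid, RequestTrace(rid))
        if level == "ERROR":
            tr.errors.append(msg)
        if (r := REALM_RE.search(msg)):
            tr.realm = r.group(1)
        elif (s := STRIPPED_RE.search(msg)):
            tr.stripped_user = s.group(1)
        elif "Authentication realm is LOCAL" in msg:
            tr.local = True
        elif (p := PROXY_RE.search(msg)):
            tr.proxied_to = p.group(1)
        elif (res := RESULT_RE.match(msg)):
            tr.module_results[res.group(1)] = res.group(2)
    return traces


def diagnose(traces: Dict[int, RequestTrace]) -> List[str]:
    """Report the two situations discussed in this thread, one finding per request."""
    findings: List[str] = []
    for rid, tr in sorted(traces.items()):
        # suffix treated the realm as LOCAL, yet the request is still marked for
        # proxying, so eap did nothing and no local authentication happened.
        if tr.local and tr.proxied_to:
            findings.append(
                f"({rid}) realm {tr.realm!r} is LOCAL for suffix but the request is marked "
                f"for proxy to realm {tr.proxied_to!r}; eap returned "
                f"{tr.module_results.get('eap', '?')}, so no local EAP was attempted")
        # mschap went through ntlm_auth/winbind, which is not running for LDAP users;
        # the thread's advice is MS-CHAP-Use-NTLM-Auth := No once ldap returns ok.
        if any("winbind" in e for e in tr.errors):
            findings.append(
                f"({rid}) mschap failed reading the winbind reply; for an LDAP-backed user "
                f"set MS-CHAP-Use-NTLM-Auth := No after ldap returns ok")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_log(SAMPLE_LOG)):
        print(line)
```

Feed it a real `radiusd -X` capture by replacing `SAMPLE_LOG` with the file contents; anything not matching the `(N) <timestamp>: <level>:` prefix is skipped, so banner lines and wrapped output do not break the parse.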


On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:



    On 2018-05-23 at 13:36, jabang konate via PacketFence-users wrote:
    Hi Fabrice.

    Thanks for the speedy response.

    > so i am not sure what you try to do with the ldap module.
    The ldap module for configuring users with OpenLDAP, right? I read
    it in "EAP Authentication against OpenLDAP".
    Yes, the only difference is that you have to disable NTLM-Auth if
    ldap returns ok, to avoid "ERROR: mschap: Program returned code (1)
    and output 'Reading winbind reply failed! (0xc0000001)'".



    > You have 3 scenarios:
    Yes, I want it like that.

    I will try again and will share the results on this topic.

    Thank you for your advice, Fabrice.


    On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via
    PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

        Hello Jabang,

        So I am not sure what you are trying to do with the ldap module.

        You have 3 scenarios:

        1: A user from your university connects on the SSID eduroam
        of your university (the AP/controller uses port 11812).

        You need to configure the local realm (let's say
        myuniversity.org) in the eduroam authentication source and
        configure ldap in packetfence-tunnel. So when this user tries
        to connect on the eduroam SSID with u...@myuniversity.org,
        the eduroam virtual server will detect the realm
        myuniversity.org and forward the request to the packetfence
        virtual server (sites-enabled/packetfence then
        sites-enabled/packetfence-tunnel).
        And in packetfence-tunnel you have something like that:

        ```
        authorize {
                suffix
                ntdomain
                eap {
                        ok = return
                }
                files
                ldap
                if (ok) {
                        update control {
                                &MS-CHAP-Use-NTLM-Auth := No
                        }
                }
        }
        ```

        2: u...@myuniversity.org is travelling and connects on the
        SSID eduroam at Montreal university. The local Montreal RADIUS
        server will forward to eduroam, and eduroam will forward to
        your PacketFence server on port 1812 (you need to configure
        that on the eduroam side).

        3: u...@univmontreal.org is connecting on your SSID eduroam;
        the realm is unknown, so the request will be forwarded to
        eduroam, and eduroam forwards it to the Montreal RADIUS server.

        Is it what you want to do?

        Regards
        Fabrice



        On 2018-05-23 at 12:57, jabang konate via PacketFence-users
        wrote:
        Thanks Fabrice, let me clear up my goals first. I'm still
        confused about which file I must configure, packetfence-tunnel
        or the eduroam file in sites-available.
        My PacketFence will act as the manager of eduroam users, so I
        will use port 11812 on my access point.

        Here are the steps of how I configured eduroam in PacketFence.
        1. Set my local REALM.
        2. Configure the exclusive source eduroam, add my local realm
        from step 1, then create the authentication rule "catch all",
        role default, access duration 12 hours.
        3. Add the switch configuration.
        4. Configure the ldap module in FreeRADIUS.
        5. Configure the file packetfence-tunnel? Or eduroam?
        6. Restart FreeRADIUS and iptables.

        In step 5 I'm still confused: if I'm using 11812, must I
        configure the eduroam file or still packetfence-tunnel?



        On Wed, May 23, 2018 at 10:55 PM, Fabrice Durand via
        PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

            If it's a server for eduroam (like the eduroam servers
            use this server for your domain) then 1812; if it's to
            manage eduroam users who connect on an eduroam SSID then
            11812.


            Also what you can do in packetfence-tunnel:

            ```
                #  The ldap module reads passwords from the LDAP database.
                ldap
                if (ok) {
                    update control {
                        &MS-CHAP-Use-NTLM-Auth := No
                    }
                }
            ```

            Regards

            Fabrice




            On 2018-05-23 at 11:38, jabang konate via
            PacketFence-users wrote:
            Thanks for your reply Fabrice.
            Here I attach my packetfence-tunnel file.

            And which port should I use for my access point, 1812 or
            11812, in the RADIUS configuration for eduroam?
            Thank you

            On Wed, May 23, 2018 at 7:33 PM, Fabrice Durand via
            PacketFence-users
            <packetfence-users@lists.sourceforge.net> wrote:

                Hello Jabang,

                can you paste your packetfence-tunnel file ?

                Regards

                Fabrice



                On 2018-05-23 at 04:08, jabang konate via
                PacketFence-users wrote:
                My PacketFence server version is 8.0.1 and I want
                to configure PacketFence as an eduroam server with
                OpenLDAP as the user database,
                so I looked into the eduroam section of the
                PacketFence documentation and "EAP Authentication
                against OpenLDAP".

                When I try to log in with my laptop, I always get
                an Access-Reject.

                From the log I see I can connect to my LDAP server,
                then I see an error like this:
                (7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
                (7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed
                (7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)

                Is it the root cause why I always get Access-Reject?
                Then I checked the winbindd service: it is not running, but
                I can't start the winbindd service
                (Service 'winbindd' is not managed by PacketFence.
                Therefore, no action will be performed).

                Attached is my radius log.
                Please give me some advice.
                Thank you


                




        




    




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
