OK, there is a bug; I need to fix it.

On 2018-05-24 at 11:33, jabang konate via PacketFence-users wrote:
Hi Fabrice.
10.18.23.60 is the IP of the eduroam National Roaming Operator in my country.
I attach my eduroam config file.

On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
What is 10.18.23.60?
Can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam?

On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:
Hi Fabrice,
today I tried again with my PacketFence.
In the packetfence-tunnel configuration I changed the configuration like this:
```
if (update) {
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
}
}
```
because from the output I don't see "ok", and now I can log in with my LDAP account, but with port 1812 in my access point, not using port 11812.
If I'm using 11812 my request is always forwarded to Realm eduroam, my home server, and the request is not forwarded to the packetfence virtual server (sites-enabled/packetfence then sites-enabled/packetfence-tunnel) as you said in scenario 1.
```
(1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id" for User-Name = "testu...@xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name = "testuser"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
(1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has destination realm set. Ignoring
(1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) -> TRUE
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
(1) Thu May 24 11:06:15 2018: Debug: update control {
(1) Thu May 24 11:06:15 2018: Debug: } # update control = noop
(1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~ /@/) = noop
(1) Thu May 24 11:06:15 2018: Debug: ... skipping else: Preceding "if" was taken
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
(1) Thu May 24 11:06:15 2018: Debug: [eap] = noop
```
I attach my radiusd-eduroam.sock log and a picture of my exclusive source eduroam configuration.
Regards.

On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
On 2018-05-23 at 13:36, jabang konate via PacketFence-users wrote:
Hi Fabrice.
Thanks for the speedy response.
> So I am not sure what you are trying to do with the ldap module.
The ldap module is for configuring users with OpenLDAP, right? I read that in EAP Authentication against OpenLDAP.
Yes, the only difference is that you have to disable NTLM-Auth if ldap returns ok, to avoid "ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'".
> You have 3 scenarios:
Yes, I want it like that.
I will try again and will share the results on this topic.
Thank you for your advice, Fabrice.

On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hello Jabang,
So I am not sure what you are trying to do with the ldap module.
You have 3 scenarios:
1: A user from your university connects to the SSID eduroam at your university (the AP/controller uses port 11812).
You need to configure the local realm (let's say myuniversity.org) in the eduroam authentication source and configure ldap in packetfence-tunnel.
So when this user tries to connect to the eduroam SSID with u...@myuniversity.org, the eduroam virtual server will detect the realm myuniversity.org and forward the request to the packetfence virtual server (sites-enabled/packetfence then sites-enabled/packetfence-tunnel).
And in packetfence-tunnel you have something like this:
```
authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    ldap
    # If ldap returned ok, disable NTLM-Auth for MS-CHAP
    if (ok) {
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
    }
}
```
2: u...@myuniversity.org is travelling and connects to the SSID eduroam at Montreal university.
The local Montreal RADIUS server will forward to eduroam and eduroam will forward to your PacketFence server on port 1812 (you need to configure that on the eduroam side).
3: u...@univmontreal.org is connecting to your SSID eduroam; the realm is unknown, so the request will be forwarded to eduroam, then eduroam forwards to the Montreal RADIUS server.
Is that what you want to do?
Regards
Fabrice

On 2018-05-23 at 12:57, jabang konate via PacketFence-users wrote:
Thanks Fabrice, let me make my goals clear first. I'm still confused about which file I must configure: packetfence-tunnel or the eduroam file in sites-available.
My PacketFence will act to manage eduroam users, so I will use port 11812 in my access point.
Here are the steps I used to configure eduroam in PacketFence:
1. Set my local REALM.
2. Configure the exclusive source eduroam, adding my local realm from step 1, then create authentication rules "catch all": role default, access duration 12 hours.
3. Add the switch configuration.
4. Configure the ldap module in FreeRADIUS.
5. Configure the file packetfence-tunnel? Or eduroam?
6. Restart FreeRADIUS and iptables.
In step 5 I'm still confused: if I'm using 11812, must I configure the eduroam file or still packetfence-tunnel?

On Wed, May 23, 2018 at 10:55 PM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
If it's a server for eduroam (like the eduroam servers use this server for your domain) then 1812; if it's to manage eduroam users who connect to an eduroam SSID then 11812.
Also, here is what you can do in packetfence-tunnel:
```
# The ldap module reads passwords from the LDAP database.
ldap
if (ok) {
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
}
```
Regards
Fabrice

On 2018-05-23 at 11:38, jabang konate via PacketFence-users wrote:
Thanks for your reply, Fabrice.
Here I attach my packetfence-tunnel file.
And which port should I use for my access point, 1812 or 11812, in the RADIUS configuration for eduroam?
Thank you

On Wed, May 23, 2018 at 7:33 PM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hello Jabang,
Can you paste your packetfence-tunnel file?
Regards
Fabrice

On 2018-05-23 at 04:08, jabang konate via PacketFence-users wrote:
My PacketFence server version is 8.0.1 and I want to configure PacketFence as an eduroam server with OpenLDAP as the user database.
I then looked into the eduroam section of the PacketFence documentation and EAP Authentication against OpenLDAP.
When I try to log in with my laptop, I always get access reject.
From the log I see I can connect to my LDAP server, then I see an error like this:
```
(7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed
(7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
```
Is this the root cause of why I always get access reject?
Then I checked and the winbindd service is not running, but I can't start the winbindd service
(Service 'winbindd' is not managed by PacketFence. Therefore, no action will be performed)
I attach my radius log.
Please give me some advice.
Thank you
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's
most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>
--
Fabrice Durand
fdur...@inverse.ca <mailto:fdur...@inverse.ca> :: +1.514.447.4918
(x135) ::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
PacketFence (http://packetfence.org)
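
An added example, not part of the thread and not PacketFence code: a small triage script for FreeRADIUS debug output of the kind quoted above. It reports, per request, the two symptoms discussed here: a realm found as LOCAL whose request is still proxied so EAP is skipped, and the mschap external program failing on winbind. The sample lines are constructed from the quoted logs, and the names `triage`, `SAMPLE` and the finding texts are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug lines quoted in this thread.
SAMPLE = """\
(1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id" for User-Name = "testuser@xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
(1) Thu May 24 11:06:15 2018: Debug: [eap] = noop
(7) Wed May 23 14:32:55 2018: Debug: [ldap] = ok
(7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
"""

LINE = re.compile(r'^\((\d+)\) \w{3} \w{3} +\d+ [\d:]{8} \d{4}: (\w+): (.*)$')
PROXY = re.compile(r'eap: Request is supposed to be proxied to Realm (\S+)\. Not doing EAP')
MODULE = re.compile(r'^\s*\[(\w+)\] = (\w+)$')

def triage(text):
    """Return {request_id: [finding, ...]} for the two symptoms in the thread."""
    state = defaultdict(lambda: {"local": False, "proxy": None, "winbind": False, "mods": {}})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or unrelated line
        req, msg = int(m.group(1)), m.group(3)
        s = state[req]
        if "Authentication realm is LOCAL" in msg:
            s["local"] = True
        elif (p := PROXY.search(msg)):
            s["proxy"] = p.group(1)
        elif "mschap:" in msg and "Reading winbind reply failed" in msg:
            s["winbind"] = True
        elif (mod := MODULE.match(msg)):
            s["mods"][mod.group(1)] = mod.group(2)  # module return code, e.g. ldap -> ok
    findings = {}
    for req, s in sorted(state.items()):
        out = []
        if s["local"] and s["proxy"]:
            out.append(f"realm is LOCAL but request is proxied to Realm {s['proxy']}; EAP skipped")
        if s["winbind"]:
            hint = "ldap returned ok but NTLM auth still ran" if s["mods"].get("ldap") == "ok" else "ldap result not seen"
            out.append(f"mschap external program failed on winbind ({hint})")
        if out:
            findings[req] = out
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
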