Ok there is a bug, i need to fix it.
Le 2018-05-24 à 11:33, jabang konate via PacketFence-users a écrit :
hi fabrice. 10.18.23.60 is ip National Roaming Operator eduroam in my Country. attach my eduroam config file.On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net>> wrote:What is 10.18.23.60 ? can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam ? Le 2018-05-24 à 00:46, jabang konate via PacketFence-users a écrit :Hi fabrice, today i try again with my packetfence. in packetfence-tunnel configuration i change configuration like this, if (update) { update control { &MS-CHAP-Use-NTLM-Auth := No } } } because from the output i don't see "ok", and then now i can login with my ldap account but with port 1812 in my access point, but not using port 11812. if i'm using 11812 my request always forward to Realm eduroam my home server, and not forward the request to packetfence virtual server (sites-enabled/packetfence then site-enabled/packetfence-tunnel) as you said in scenario 1. (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@" (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id <http://xyz.ac.id>" for User-Name = "testu...@xyz.ac.id <mailto:testu...@xyz.ac.id>" (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id <http://xyz.ac.id>" (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name = "testuser" (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id <http://xyz.ac.id>" (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL (1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has destination realm set. Ignoring (1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) { (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) -> TRUE (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) { (1) Thu May 24 11:06:15 2018: Debug: update control { (1) Thu May 24 11:06:15 2018: Debug: } # update control = noop (1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~ /@/) = noop (1) Thu May 24 11:06:15 2018: Debug: ... skipping else: Preceding "if" was taken (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP. (1) Thu May 24 11:06:15 2018: Debug: [eap] = noop attach my radiusd-eduroam.sock log and picture of my configurutiaon exclusive source eduroam . Regards. On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net>> wrote: Le 2018-05-23 à 13:36, jabang konate via PacketFence-users a écrit :Hi fabrice. Thanks for speedy response. > so i am not sure what you try to do with the ldap module. ldap module for configuration user with openldap right? i read in EAP Authentication against OpenLDAP.yes, the only difference is that you have to disable NTLM-Auth if ldap return ok to avoid "ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'".> You have 3 scenarios: yes i want like that, I will try again and will share the results on this topic. thank you for your advice fabrice. On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net>> wrote: Hello Jabang, so i am not sure what you try to do with the ldap module. You have 3 scenarios: 1: a user from your university connect on the ssid eduroam from your university. (the ap/controller use the port 11812) You need to configure the local realm (let's say myuniversity.org <http://myuniversity.org>) in the eduroam authentication source and configure ldap in packetfence-tunnel. So when this user will try to connect on the eduroam ssid with u...@myuniversity.org <mailto:u...@myuniversity.org> then the eduroam virtual server will detect the realm myuniversity.org <http://myuniversity.org> and forward the request to packetfence virtual server (sites-enabled/packetfence then site-enabled/packetfence-tunnel). And in packetfence-tunnel you have something like that: ``` authorize { suffix ntdomain eap { ok = return } files ldap if (ok) { update control { &MS-CHAP-Use-NTLM-Auth := No } } } ``` 2: u...@myuniversity.org <mailto:u...@myuniversity.org> is in travel and connect on the ssid eduroam in montreal university The local montreal radius server will forward to eduroam and eduroam will forward to your packetfence server on the port 1812 (you need to configure that on the eduroam side). 3: u...@univmontreal.org <mailto:u...@univmontreal.org> is connecting on your ssid eduroam, the realm in unknow then the request will be forwarded to eduroam then eduroam forward to the montreal radius server. Is it what you want to do ? Regards Fabrice Le 2018-05-23 à 12:57, jabang konate via PacketFence-users a écrit :Thanks Fabrice, let me clear my goals first. i'm still confuse which file i must to configure packetfence-tunnel or eduroam file in sites-available. my packetfence will be act as manage eduroam user so i will use port 11812 in my access point. here's my step how i configure my eduroam in packetfence. 1. setting my local REALM. 2. configure exclusive source eduroam, add my local realm at step 1. then create authentication rules "catch all" role default access duration 12 hours. 3. add switch configuration 4. configure ldap module in freeradius 5. configure file packetfence-tunnel ? or eduroam ? 6. restart freeradius and iptables in step 5 im still confuse if i'm using 11812 so i must configure eduroam file or still packetfence-tunnel ? On Wed, May 23, 2018 at 10:55 PM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net>> wrote: If it's a server for eduroam (like the eduroam servers use this server for your domain) then 1812, if it's to manage eduroam user how connect on a eduroam ssid then 11812. Also what you can do in packetfence-tunnel # The ldap module reads passwords from the LDAP database. ldap if (ok) { update control { &MS-CHAP-Use-NTLM-Auth := No } } Regards Fabrice Le 2018-05-23 à 11:38, jabang konate via PacketFence-users a écrit :thanks for your reply fabrice. here i attach my packetfence-tunnel file. and which port should i use for my access point 1812 or 11812 in radius configuration for eduroam? thank you On Wed, May 23, 2018 at 7:33 PM, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net>> wrote: Hello Jabang, can you paste your packetfence-tunnel file ? Regards Fabrice Le 2018-05-23 à 04:08, jabang konate via PacketFence-users a écrit :my packetfence server version is 8.0.1 and i want to configure packetfence as an eduroam server with openldap as user database, then i look into documentation eduroam section from packetfence and EAP Authentication against OpenLDAP. when im try to login with my laptop, i always get access reject. from log i see i can connect with my ldap server, then i see error like this (7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)' (7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed (7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001) is it the root cause why i alwayas get access reject? then i check winbindd service is not running, but i cant start winbindd service (Service 'winbindd' is not managed by PacketFence. Therefore, no action will be performed) attach my radius log. please give me some advice. thank you ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org!http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users>------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users> ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org!http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users>-- Fabrice Durandfdur...@inverse.ca <mailto:fdur...@inverse.ca> :: +1.514.447.4918 (x135) ::www.inverse.ca <http://www.inverse.ca> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users> ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org!http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users>-- Fabrice Durandfdur...@inverse.ca <mailto:fdur...@inverse.ca> :: +1.514.447.4918 (x135) ::www.inverse.ca <http://www.inverse.ca> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users> ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org!http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users>-- Fabrice Durandfdur...@inverse.ca <mailto:fdur...@inverse.ca> :: +1.514.447.4918 (x135) ::www.inverse.ca <http://www.inverse.ca> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users> ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org!http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users>-- Fabrice Durandfdur...@inverse.ca <mailto:fdur...@inverse.ca> :: +1.514.447.4918 (x135) ::www.inverse.ca <http://www.inverse.ca> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net <mailto:PacketFence-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/packetfence-users <https://lists.sourceforge.net/lists/listinfo/packetfence-users> ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
-- Fabrice Durand fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
