Hi Fabrice,
OK, I will wait for the patch.

Thank you

On Fri, May 25, 2018 at 1:33 AM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> OK, there is a bug, I need to fix it.
>
> On 2018-05-24 at 11:33, jabang konate via PacketFence-users wrote:
>
> Hi Fabrice,
>
> 10.18.23.60 is the IP of the eduroam National Roaming Operator in my country.
>
> I attach my eduroam config file.
>
>
> On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> What is 10.18.23.60?
>>
>> Can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam?
>>
>> On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:
>>
>> Hi Fabrice,
>> today I tried again with my PacketFence.
>>
>> In the packetfence-tunnel configuration I changed the configuration like this:
>>
>> ```
>>         if (update) {
>>             update control {
>>                 &MS-CHAP-Use-NTLM-Auth := No
>>             }
>>         }
>>     }
>> ```
>>
>> because from the output I don't see "ok". Now I can log in with
>> my LDAP account, but with port 1812 on my access point, not using port
>> 11812.
>> If I'm using 11812, my request is always forwarded to Realm eduroam my home
>> server, and the request is not forwarded to the packetfence virtual server
>> (sites-enabled/packetfence then sites-enabled/packetfence-tunnel) as you
>> said in scenario 1.
>>
>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id"
>> for User-Name = "testu...@xyz.ac.id"
>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name =
>> "testuser"
>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
>> (1) Thu May 24 11:06:15 2018: Debug:     [suffix] = ok
>> (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has
>> destination realm set.  Ignoring
>> (1) Thu May 24 11:06:15 2018: Debug:     [ntdomain] = noop
>> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/) {
>> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/)  -> TRUE
>> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/)  {
>> (1) Thu May 24 11:06:15 2018: Debug:       update control {
>> (1) Thu May 24 11:06:15 2018: Debug:       } # update control = noop
>> (1) Thu May 24 11:06:15 2018: Debug:     } # if (User-Name =~ /@/)  = noop
>> (1) Thu May 24 11:06:15 2018: Debug:     ... skipping else: Preceding
>> "if" was taken
>> (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be
>> proxied to Realm eduroam. Not doing EAP.
>> (1) Thu May 24 11:06:15 2018: Debug:     [eap] = noop
>>
>> I attach my radiusd-eduroam.sock log and a picture of my configuration of the
>> exclusive source eduroam.
>>
>> Regards.
>>
>>
>> On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>>
>>>
>>> On 2018-05-23 at 13:36, jabang konate via PacketFence-users wrote:
>>>
>>> Hi Fabrice,
>>>
>>> Thanks for the speedy response.
>>>
>>> > so i am not sure what you try to do with the ldap module.
>>> The ldap module is for user configuration with OpenLDAP, right? I read it in EAP
>>> Authentication against OpenLDAP.
>>>
>>> Yes, the only difference is that you have to disable NTLM-Auth if ldap
>>> returns ok, to avoid "ERROR: mschap: Program returned code (1) and output
>>> 'Reading winbind reply failed! (0xc0000001)'".
>>>
>>>
>>>
>>> > You have 3 scenarios:
>>> Yes, I want it like that.
>>>
>>> I will try again and will share the results on this topic.
>>>
>>> Thank you for your advice, Fabrice.
>>>
>>>
>>> On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> Hello Jabang,
>>>>
>>>> So I am not sure what you are trying to do with the ldap module.
>>>>
>>>> You have 3 scenarios:
>>>>
>>>> 1: A user from your university connects to the SSID eduroam at your
>>>> university (the AP/controller uses port 11812).
>>>> You need to configure the local realm (let's say myuniversity.org) in
>>>> the eduroam authentication source and configure ldap in packetfence-tunnel.
>>>> So when this user tries to connect to the eduroam SSID with
>>>> u...@myuniversity.org, the eduroam virtual server will detect the
>>>> realm myuniversity.org and forward the request to the packetfence virtual
>>>> server (sites-enabled/packetfence then sites-enabled/packetfence-tunnel).
>>>> And in packetfence-tunnel you have something like this:
>>>>
>>>> ```
>>>> authorize {
>>>>         suffix
>>>>         ntdomain
>>>>         eap {
>>>>                 ok = return
>>>>         }
>>>>         files
>>>>         ldap
>>>>         if (ok) {
>>>>             update control {
>>>>                 &MS-CHAP-Use-NTLM-Auth := No
>>>>             }
>>>>         }
>>>> }
>>>> ```
>>>>
>>>> 2: u...@myuniversity.org is travelling and connects to the SSID eduroam
>>>> at Montreal university.
>>>> The local Montreal RADIUS server will forward to eduroam, and eduroam
>>>> will forward to your PacketFence server on port 1812 (you need to
>>>> configure that on the eduroam side).
>>>>
>>>> 3: u...@univmontreal.org connects to your SSID eduroam; the realm
>>>> is unknown, so the request will be forwarded to eduroam, then eduroam
>>>> forwards it to the Montreal RADIUS server.
>>>>
>>>> Is that what you want to do?
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>>
>>>>
>>>> On 2018-05-23 at 12:57, jabang konate via PacketFence-users wrote:
>>>>
>>>> Thanks Fabrice, let me make my goals clear first. I'm still confused about which
>>>> file I must configure, packetfence-tunnel or the eduroam file in
>>>> sites-available.
>>>> My PacketFence will act to manage eduroam users, so I will use port
>>>> 11812 on my access point.
>>>>
>>>> Here are the steps I use to configure eduroam in PacketFence:
>>>> 1. Set my local REALM.
>>>> 2. Configure the exclusive source eduroam and add my local realm from step 1,
>>>> then create authentication rules "catch all", role default, access duration
>>>> 12 hours.
>>>> 3. Add the switch configuration.
>>>> 4. Configure the ldap module in FreeRADIUS.
>>>> 5. Configure the file packetfence-tunnel? Or eduroam?
>>>> 6. Restart FreeRADIUS and iptables.
>>>>
>>>> In step 5 I'm still confused: if I'm using 11812, must I configure the
>>>> eduroam file or still packetfence-tunnel?
>>>>
>>>>
>>>>
>>>> On Wed, May 23, 2018 at 10:55 PM, Fabrice Durand via PacketFence-users
>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>>> If it's a server for eduroam (like the eduroam servers use this server
>>>>> for your domain) then 1812; if it's to manage eduroam users who connect on
>>>>> an eduroam SSID then 11812.
>>>>>
>>>>>
>>>>> Also, here is what you can do in packetfence-tunnel:
>>>>>
>>>>>
>>>>>     #  The ldap module reads passwords from the LDAP database.
>>>>>     ldap
>>>>>     if (ok) {
>>>>>         update control {
>>>>>             &MS-CHAP-Use-NTLM-Auth := No
>>>>>         }
>>>>>     }
>>>>>
>>>>> Regards
>>>>>
>>>>> Fabrice
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 2018-05-23 at 11:38, jabang konate via PacketFence-users wrote:
>>>>>
>>>>> Thanks for your reply, Fabrice.
>>>>> Here I attach my packetfence-tunnel file.
>>>>>
>>>>> And which port should I use on my access point, 1812 or 11812, in the
>>>>> RADIUS configuration for eduroam?
>>>>> Thank you
>>>>>
>>>>> On Wed, May 23, 2018 at 7:33 PM, Fabrice Durand via PacketFence-users
>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>>
>>>>>> Hello Jabang,
>>>>>>
>>>>>> Can you paste your packetfence-tunnel file?
>>>>>> Regards
>>>>>>
>>>>>> Fabrice
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2018-05-23 at 04:08, jabang konate via PacketFence-users wrote:
>>>>>>
>>>>>> My PacketFence server version is 8.0.1 and I want to configure
>>>>>> PacketFence as an eduroam server with OpenLDAP as the user database,
>>>>>> so I looked into the eduroam section of the PacketFence documentation and
>>>>>> EAP Authentication against OpenLDAP.
>>>>>>
>>>>>> When I try to log in with my laptop, I always get access reject.
>>>>>>
>>>>>> From the log I see I can connect to my LDAP server, then I see an error
>>>>>> like this:
>>>>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code
>>>>>> (1) and output 'Reading winbind reply failed! (0xc0000001)'
>>>>>> (7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed
>>>>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says:
>>>>>> Reading winbind reply failed! (0xc0000001)
>>>>>>
>>>>>> Is this the root cause of why I always get access reject?
>>>>>> Then I checked and the winbindd service is not running, but I can't start
>>>>>> the winbindd service
>>>>>> (Service 'winbindd' is not managed by PacketFence. Therefore, no
>>>>>> action will be performed)
>>>>>>
>>>>>> I attach my radius log.
>>>>>> Please give me some advice.
>>>>>> Thank you
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>> --
>>>>> Fabrice Durand
>>>>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
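
Added example, not part of the original thread and not PacketFence code: a small Python triage of FreeRADIUS debug output as pasted in the messages above, flagging the two symptoms discussed there (a realm reported as LOCAL that is still proxied, and the mschap winbind failure). The function names are hypothetical; the sample lines are copied from the thread with their quote markers and mail wrapping.

```python
import re
from collections import defaultdict

# Lines copied from the thread above, with quote markers and mail wrapping kept.
SAMPLE = """\
>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
>> (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be
>> proxied to Realm eduroam. Not doing EAP.
>>>>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code
>>>>>> (1) and output 'Reading winbind reply failed! (0xc0000001)'
"""

# Requiring the timestamp after "(id)" keeps the wrapped "(1) and output ..."
# fragment from being mistaken for a new record of request 1.
REC = re.compile(r"^\((\d+)\) \w{3} \w{3} +\d+ [\d:]{8} \d{4}: (\w+): +(.*)$")

def records(text):
    """Return (request_id, level, message) tuples, re-joining wrapped lines."""
    out = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = REC.match(line)
        if m:
            out.append([int(m.group(1)), m.group(2), m.group(3)])
        elif line and out:
            out[-1][2] += " " + line  # continuation of the previous record
    return [tuple(r) for r in out]

def diagnose(text):
    """Map request id -> list of findings for the two symptoms in the thread."""
    state = defaultdict(dict)
    for rid, _level, msg in records(text):
        if msg.startswith("suffix: Authentication realm is LOCAL"):
            state[rid]["local"] = True
        m = re.search(r"proxied to Realm (\S+)\. Not doing EAP", msg)
        if m:
            state[rid]["proxied_to"] = m.group(1)
        if msg.startswith("mschap:") and "winbind" in msg:
            state[rid]["winbind"] = True
    findings = {}
    for rid, s in state.items():
        notes = []
        if s.get("local") and "proxied_to" in s:
            notes.append(f"realm is LOCAL but request is proxied to {s['proxied_to']}")
        if s.get("winbind"):
            notes.append("mschap ran its external NTLM helper and winbind did not answer")
        if notes:
            findings[rid] = notes
    return findings
```

Calling `diagnose()` on a pasted debug excerpt returns the findings per request id, so the 11812 proxy symptom and the port 1812 mschap error can be told apart at a glance.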
