Dear Fabrice,
I'll wait for release 8.3 because I need OpenVAS integration and the proxy. Do you think the proxy can be set up through
the web interface?

By the way, regarding your LDAP consideration: I basically agree with you about the kind of protocol, but it can't be applied for some logical industry reason. For network authentication I must use RADIUS.

Thanks a lot !
Best Regards
Enrico



On 21/12/18 20:46, Fabrice Durand via PacketFence-users wrote:

Hello Enrico,

I thought your goal was to use an LDAP server for authentication, anyway.

What you can do is wait for the 8.3 release (in 2 weeks), which includes the RADIUS proxy feature you will need to proxy the request to another server.

Also, your issue looks to be that you defined the realm DEFAULT twice (proxy.conf.inc).

Regards

Fabrice
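The "realm DEFAULT defined twice" diagnosis above is the kind of collision that is easy to miss when a hand-written block in proxy.conf and an $INCLUDEd proxy.conf.inc both declare the same realm. The following is an added example, not PacketFence or FreeRADIUS code: a small parser for the brace-delimited FreeRADIUS config syntax that follows $INCLUDE directives and reports every realm name declared more than once at top level. The two sample files are constructed to mirror the thread (the IP 192.0.2.10 and the file contents are made up); to run it against a real install, load the files from /usr/local/pf/raddb into the same mapping.

```python
import re

# Constructed sample files, not PacketFence's shipped configuration. They mirror
# the situation in the thread: a "realm DEFAULT" added by hand to proxy.conf
# while the $INCLUDEd proxy.conf.inc already defines one.
SAMPLE_FILES = {
    "proxy.conf": """\
# proxy.conf (constructed example)
home_server server1 {
    type   = auth+acct
    ipaddr = 192.0.2.10
    port   = 1812
    secret = XXXXXX
}
realm DEFAULT {
    type     = radius
    authhost = server1:1812
    accthost = server1:1813
    secret   = XXXXXX
    nostrip
}
$INCLUDE proxy.conf.inc
""",
    "proxy.conf.inc": """\
realm DEFAULT {
    # generated elsewhere (constructed example)
}
realm packetfence {
}
""",
}

# "<section> <name> {" at the start of a line, e.g. "realm DEFAULT {".
SECTION_RE = re.compile(r"^(\w+)\s+(\S+)\s*\{$")
INCLUDE_RE = re.compile(r"^\$INCLUDE\s+(\S+)$")


def strip_comment(line: str) -> str:
    """Drop a '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def top_level_sections(files: dict, filename: str, seen=None) -> list:
    """Return (section, name, file, lineno) for every top-level named section,
    following $INCLUDE directives against the in-memory `files` mapping."""
    seen = set() if seen is None else seen
    if filename in seen:          # guard against include loops
        return []
    seen.add(filename)
    found, depth = [], 0
    for lineno, raw in enumerate(files[filename].splitlines(), start=1):
        line = strip_comment(raw)
        if not line:
            continue
        inc = INCLUDE_RE.match(line)
        if inc and depth == 0 and inc.group(1) in files:
            found.extend(top_level_sections(files, inc.group(1), seen))
            continue
        sec = SECTION_RE.match(line)
        if sec and depth == 0:
            found.append((sec.group(1), sec.group(2), filename, lineno))
        # Track nesting so sections inside other blocks are not counted.
        depth += line.count("{") - line.count("}")
    return found


def find_duplicate_realms(files: dict, entry: str = "proxy.conf") -> dict:
    """Map each realm name defined more than once to the places it is defined."""
    where = {}
    for section, name, fname, lineno in top_level_sections(files, entry):
        if section == "realm":
            where.setdefault(name, []).append((fname, lineno))
    return {name: locs for name, locs in where.items() if len(locs) > 1}


if __name__ == "__main__":
    for name, locs in find_duplicate_realms(SAMPLE_FILES).items():
        print(f"realm {name} defined {len(locs)} times:")
        for fname, lineno in locs:
            print(f"  {fname}:{lineno}")
```

The parser deliberately only records sections at brace depth 0, so a nested block with the same name (for example inside a `home_server_pool`) does not produce a false positive, and the `seen` set stops an include loop from recursing forever.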


On 18-12-21 at 09:41, Enrico Becchetti via PacketFence-users wrote:
Hello Fabrice,
if you've got more time for me, I can tell you that I can't proceed with LDAP as backend. This is my choice, for reasons that do not depend on PacketFence, so I still need to use PF to authenticate all users, Wi-Fi and cable, through WPA Enterprise 802.1X TTLS and PAP, but I'd like to use the PF RADIUS proxy feature. In detail, I have to use my old RADIUS server, which I already have running, and I would like to forward to that system all the authentication
requests that come from supplicants to PF.

In this new scenario I read some guides and tried to change /usr/local/pf/raddb/proxy.conf, adding these lines:

realm DEFAULT {
        type = radius
        authhost = server1:1812
        accthost = server1:1813
        secret   = XXXXXX
        nostrip
}

After restarting radius with pfcmd I always see the same error:

Service Status    PID
Checking configuration sanity...
Job for packetfence-radiusd-acct.service failed because the control process exited with error code. See "systemctl status packetfence-radiusd-acct.service" and "journalctl -xe" for details.
packetfence-radiusd-acct.service stopped   0
Job for packetfence-radiusd-auth.service failed because the control process exited with error code. See "systemctl status packetfence-radiusd-auth.service" and "journalctl -xe" for details.
packetfence-radiusd-auth.service stopped   0

Do you have an example to post?

Thanks a lot !
Very Best Regards
Enrico



On 21/12/2018 02:29, Durand fabrice via PacketFence-users wrote:

Hello Enrico,

What I would do is the following:


edit /usr/local/pf/raddb/mods-available/ldap and add this:

ldap ldap_user {
    server = "MyLDAP"
    identity = "CN=readuser,CN=Users,DC=acme,DC=com"
    password = password
    basedn = "DC=acme,DC=com"
    filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        # Set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        #
        # The StartTLS operation is supposed to be
        # used with normal ldap connections instead of
        # using ldaps (port 636) connections
        start_tls = no

        # cacertfile    = /path/to/cacert.pem
        # cacertdir        = /path/to/ca/dir/
        # certfile        = /path/to/radius.crt
        # keyfile        = /path/to/radius.key
        # randfile        = /path/to/rnd

        #  Certificate Verification requirements.  Can be:
        #    "never" (don't even bother trying)
        #    "allow" (try, but don't fail if the cerificate
        #        can't be verified)
        #    "demand" (fail if the certificate doesn't verify.)
        #
        #    The default is "allow"
        # require_cert    = "demand"
    }

    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60

        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3

        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

Then in /usr/local/pf/conf/radiusd/packetfence-tunnel here (https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/packetfence-tunnel.example#L117) add:

ldap_user

and restart radiusd (pfcmd service radiusd restart)

So it will produce the following: FreeRADIUS will do a search for the attribute "userPassword" based on cn=becchett. If the userPassword matches one of the formats listed at https://freeradius.org/radiusd/man/rlm_pap.html, then it will use it as a "known good password" and will compare the password you gave (password) with the one found in the LDAP.

Let me know if it's OK; if not, then paste the raddebug one more time.

Regards

Fabrice
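To make the "known good password" step above concrete, here is an added example (not PacketFence's or FreeRADIUS's code) that reproduces what rlm_pap does once the userPassword attribute has been fetched from LDAP: it recognises a subset of the header formats from the rlm_pap manual page ({clear}/{cleartext}, {SHA}, {SSHA}, {MD5}, {SMD5}, {SHA256}, {SSHA256}, {SHA512}, {SSHA512} with base64 payloads), recomputes the hash over the password the supplicant sent in the TTLS/PAP tunnel, and compares in constant time. The test vectors are constructed: the {SHA} and {MD5} values are the hashes of the string "password", and the salt is arbitrary. Real rlm_pap also accepts hex-encoded digests and {crypt}, which are left out here.

```python
import base64
import hashlib
import hmac

# rlm_pap header -> (hash algorithm, salted?). Subset of the formats in
# https://freeradius.org/radiusd/man/rlm_pap.html; base64 payloads only.
SCHEMES = {
    "SHA": ("sha1", False),      "SSHA": ("sha1", True),
    "MD5": ("md5", False),       "SMD5": ("md5", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}


def split_header(stored: str):
    """'{SSHA}abc' -> ('SSHA', 'abc'); a bare string -> (None, string)."""
    if stored.startswith("{") and "}" in stored:
        header, _, payload = stored[1:].partition("}")
        return header.upper(), payload
    return None, stored


def verify_password(stored: str, supplied: str) -> bool:
    """Does `supplied` match the LDAP userPassword value `stored`?

    Mirrors the rlm_pap decision once a known-good password is available:
    cleartext values are compared directly; hashed values are recomputed
    over supplied (+ stored salt) and compared. Comparisons are constant-time.
    """
    header, payload = split_header(stored)
    if header is None or header in ("CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode(), supplied.encode())
    if header not in SCHEMES:
        return False                 # unknown scheme: reject, never fall back
    algo, salted = SCHEMES[header]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:               # bad base64 / padding
        return False
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and not salted):
        return False
    computed = hashlib.new(algo, supplied.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_salted(password: str, salt: bytes, header: str = "SSHA") -> str:
    """Build a '{SSHA}'-style value the way an LDAP server stores it:
    base64(digest(password + salt) + salt)."""
    algo, salted = SCHEMES[header]
    if not salted:
        raise ValueError("make_salted needs a salted scheme")
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (header, base64.b64encode(digest + salt).decode())


if __name__ == "__main__":
    # Constructed values: SHA1("password") as base64, and an arbitrary salt.
    print(verify_password("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "password"))
    stored = make_salted("Tr0ub4dor", b"\x01\x02\x03\x04")
    print(stored, verify_password(stored, "Tr0ub4dor"))
```

The point for this thread is the branch order: if the LDAP entry carries a header rlm_pap does not know, or the payload does not decode, the only safe outcome is a reject, which is exactly the "No Auth-Type found" path in the debug log rather than a silent fall-through to another method.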



On 18-12-20 at 15:30, Enrico via PacketFence-users wrote:
Dear Fabrice,
looking at /usr/local/pf/raddb/sites-available/packetfence-tunnel
and /usr/local/pf/raddb/modules/ldap,
I realized that this guide is probably related to an old FreeRADIUS, maybe version 2.
This is because in my PF 8.2.1 setup both are missing.
I've got:

/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
and
/usr/local/pf/raddb/mods-available/ldap

Can I follow your guide anyway, even if it is probably related to a different FreeRADIUS?
Thanks!
Enrico

On 20/12/18 21:06, Enrico wrote:
Dear All,
so if I understand, I need to change Wireless-NOEAP to Wireless-EAP and
create, or change, /usr/local/pf/raddb/modules/ldap following
this guide: 16.3 EAP Authentication.....
but tell me more about it, because this file /usr/local/pf/raddb/sites-available/packetfence-tunnel
shows nothing about PAP.
Is it normal that in this file there are only the ldap and eap authorize modules?
Thanks a lot again!!!
Best Regards
Enrico



On 20/12/18 19:39, Fabrice Durand via PacketFence-users wrote:
Hello Enrico,

you need to manually add the LDAP server in the FreeRADIUS configuration. (https://packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_authentication_against_openldap)

Regards

Fabrice




On 18-12-20 at 10:15, Enrico Becchetti via PacketFence-users wrote:
Hi all,
I am asking again on this mailing list to finish the setup of my PacketFence server. I'm running CentOS 7.6 x86 with packetfence-8.2.1-3.el7.noarch and, as you can read from the subject of this email, I need to activate 802.1X authentication using TTLS and PAP.

I have one production VLAN and PF in Inline mode for this network; I've also defined "connection profile", "authentication sources", "network device" and so on.
You can see all of my settings here:

https://www.dropbox.com/s/rjc0j8mapt4ymzg/8021x.pdf?dl=0

PF must use my LDAP server as backend. In fact, all authentication requests coming from the AP and switch must be forwarded to the LDAP server. All supplicants are configured with a TTLS and PAP security profile, and I haven't any Active Directory domain controller.

In the following lines, the radius debug from PacketFence:

(9) Thu Dec 20 15:09:35 2018: WARNING:   You set Proxy-To-Realm = local, but it is a LOCAL realm! Cancelling proxy request.
(9) Thu Dec 20 15:09:35 2018: ERROR:   No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

The log file is here:

https://www.dropbox.com/s/579hffpa4w6ff9z/radiusdebug.log?dl=0

Authentication Methods are set to: MD5, MSCHAPv2, PEAP, TLS, TTLS.

Does anyone have any ideas to fix it?

Thank you in advance for your help.
Best Regards
Enrico



--
_______________________________________________________________________

Enrico Becchetti                    Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777             Mail: Enrico.Becchetti<at>pg.infn.it
_______________________________________________________________________



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca  ::  +1.514.447.4918 (x135) ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

