Re: [PacketFence-users] new gui domains config

2015-06-10 Thread heupink
Nothing but silence on this subject.

Is this working for everybody?

On 6/8/2015 23:01, mourik jan heupink wrote:
> Hi,
>
> I removed all samba traces, reinstalled the backports version, created a
> domain/realm with a different name.
>
> So I'm seeing different directories under /chroots, and again: the
> testjoin succeeds, but authentication fails:
>
>> root@pf:~# /usr/bin/sudo /usr/sbin/chroot /chroots/new /usr/bin/ntlm_auth 
>> --username=my-user
>> Password:
>> could not obtain winbind separator!
>> Reading winbind reply failed! (0x01)
>> :  (0x0)
>> root@pf:~#
>
> But more fundamental I think, in /chroot/new/var/log/sambanew/log.winbindd:
>
>> [2015/06/08 22:55:04.473913,  0] 
>> ../lib/util/util.c:216(directory_create_or_exist)
>>   mkdir failed on directory /var/run/samba/winbindd: No such file or 
>> directory
>> [2015/06/08 22:55:04.474091,  0] ../lib/util/become_daemon.c:124(exit_daemon)
>>   STATUS=daemon failed to start: Winbindd failed to setup listeners, error 
>> code 32
>
> And winbindd is not running:
>> root@pf:~# ps aux | grep winb
>> root      4780  0.0  0.0   7836   880 pts/1    S+   22:56   0:00 grep winb
>> root@pf:~#
>
> Any ideas?
>
> Note: this all worked fine in 5.0.x, when we manually had to configure
> radius/AD integration. For us, 5.10 has not been a real improvement so
> far. (though we like the statistics graphs in /admin)
>
> And something else: Is there an overview (docs?) somewhere, about the
> new directories /chroots, /AD and /ad? I feel they are not always
> removed when they are not needed anymore, plus I wonder what precisely
> they are for. (many mounts exist, since 5.10)
>
> MJ
>
>
> On 06/06/2015 12:47 PM, mourik jan heupink wrote:
>> Some more info:
>>
>> ./pfcmd service winbindd status
>> service|shouldBeStarted|pid
>> winbindd-INTECH.conf|1|0
>> root@pf:/usr/local/pf/bin#
>>
>> So, pfcmd does not detect winbindd as started, however:
>>
>>> root@pf:/chroots# ps aux | grep winbind
>>> root     19514  0.0  0.0 229788  3684 ?        Ss   10:26   0:00 
>>> /usr/sbin/winbindd -D -s /etc/samba/OUR-WKGR.conf -l /var/log/sambaOUR-WKGR
>>> root     19515  0.0  0.1 239032  6236 ?        S    10:26   0:00 
>>> /usr/sbin/winbindd -D -s /etc/samba/OUR-WKGR.conf -l /var/log/sambaOUR-WKGR
>>> root     21559  0.0  0.0   7840   880 pts/1    S+   12:35   0:00 grep 
>>> winbind
>>> root@pf:/chroots# cd /etc/samba/
>>
>> So winbindd seems to be actually running, only not DETECTED by pfcmd.
>>
>> Service watch then tries to restart it every five minutes, and obviously
>> that fails as well:
>>
>>   ERROR: winbindd is already running. File
>> /usr/local/pf/var/run/winbindd.pid exists and process id 19514 is running.
>>
>> GUI: status, services also reports winbindd as 'stopped'.
>>
>> Hope this gives some clues...?
>>
>> MJ
>>
>
>
> --
>


--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Self-reg page as default in captive portal

2015-06-10 Thread Gary Ossewaarde
Is there a way to make the self-registration page the default when users access 
the portal? The captive portal I want to do this on is used only for the guest 
wireless network. 

Additionally, is there a way to make self-reg more "wizardy", e.g., 
first page: Select how you would like to register: 
[button] Text Message 
[button] Email 
[button] Sponsor 

When you would click each button, you would go to another page that would have 
you accept the AUP and enter the required info for that type of registration. 

Thanks, 

Gary


Re: [PacketFence-users] 802.1x authentication

2015-06-10 Thread Sohaib Afourid
I guess it depends on the type of the violation, because when I applied a
bandwidth violation it got redirected to the registration vlan, but when I
applied a Rogue DHCP violation it got redirected to the isolation vlan. Is
it possible to change that? I mean which vlan should the client be
redirected to for each type of violation; if yes, where can I change that?
Regards.

2015-06-10 10:12 GMT+02:00 Sohaib Afourid :

> Also, I have a new issue: when I register a device manually, I plug my
> client out and back in again, I authenticate and get redirected to the
> Normal vlan, but when I apply a violation, I get redirected to the
> registration vlan and not the isolation one.
>


[PacketFence-users] guests_self_registration.access_duration

2015-06-10 Thread Gary Ossewaarde
I'm installing a new packetfence install to replace my PacketFence 3.5.1 
install. In 3.5.1, I was able to set guests_self_registration.access_duration 
in Configuration > Guests_self_registration. 

I'm having trouble finding that in 5.1.0. Can anyone point me in the right 
direction? 

Thanks, 

Gary


Re: [PacketFence-users] 802.1x authentication

2015-06-10 Thread Sohaib Afourid
Hello Louis,
As requested here are the config files and arp output.

>>>arp -a from my centos PF server:

[root@centos ~]# arp -a
WIN-2008.packetfence.local (172.16.202.20) at 08:00:27:8d:10:10 [ether] on
eth0
? (172.16.202.10) at c8:9c:1d:f4:82:c1 [ether] on eth0

>>>arp -a from my Windows 7 host:

Interface : 172.16.202.3 --- 0xb
  Adresse Internet      Adresse physique      Type
  172.16.202.10         c8-9c-1d-f4-82-c1     dynamique
  172.16.202.255        ff-ff-ff-ff-ff-ff     statique
  224.0.0.22            01-00-5e-00-00-16     statique
  224.0.0.252           01-00-5e-00-00-fc     statique
  239.255.255.250       01-00-5e-7f-ff-fa     statique
  255.255.255.255       ff-ff-ff-ff-ff-ff     statique

>>>arp -a from my client in the registration vlan with a static ip
172.16.210.25:

Interface : 172.16.210.25 --- 0xd
  Adresse Internet      Adresse physique      Type
  172.16.210.10         c8-9c-1d-f4-82-c4     dynamique
  172.16.210.255        ff-ff-ff-ff-ff-ff     statique
  224.0.0.22            01-00-5e-00-00-16     statique
  224.0.0.252           01-00-5e-00-00-fc     statique
  239.255.255.250       01-00-5e-7f-ff-fa     statique

>>>show ip arp from my Cisco Catalyst switch:

Cisco3560#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.202.3           75   2c41.38b4.9e50  ARPA   Vlan2
Internet  172.16.202.4           49   7c05.0756.f545  ARPA   Vlan2
Internet  172.16.202.5            0   0800.27f5.3567  ARPA   Vlan2
Internet  172.16.202.10           -   c89c.1df4.82c1  ARPA   Vlan2
Internet  172.16.202.20           0   0800.278d.1010  ARPA   Vlan2
Internet  172.16.207.10           -   c89c.1df4.82c2  ARPA   Vlan7
Internet  172.16.210.10           -   c89c.1df4.82c4  ARPA   Vlan10
Internet  172.16.210.25           0   7c05.0756.f545  ARPA   Vlan10
Internet  172.16.211.10           -   c89c.1df4.82c3  ARPA   Vlan11

>>>pf.conf

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=packetfence.local
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in
# Apache rewriting rules and therefore must be resolvable by clients.
hostname=centos
#
# general.dnsservers
#
# Comma-delimited list of DNS servers.  Passthroughs are created to allow
# queries to these servers from even "trapped" nodes.
dnsservers=127.0.0.1, 172.16.202.
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers.  Passthroughs are created to allow
# DHCP transactions from even "trapped" nodes.
dhcpservers=127.0.0.1,138.21.217.45,172.16.202.10

[trapping]
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that Snort/Suricata
# will monitor/detect/trap on.  Gateway, network, and
# broadcast addresses are ignored.
range=172.16.202.0/24, 172.16.210.0/24, 172.16.211.0/24

[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations
# with an action of "email", or any other
# PacketFence-related message goes to.
emailaddr=sohaibafou...@gmail.com

[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
pass=*

[advanced]
#
# advanced.hash_passwords
#
# The algorithm to use to hash the passwords in the local database.
hash_passwords=plaintext

[interface eth0]
ip=172.16.202.5
type=management
mask=255.255.255.0

[interface eth0.10]
enforcement=vlan
ip=172.16.210.10
type=internal
mask=255.255.255.0

[interface eth0.11]
enforcement=vlan
ip=172.16.211.10
type=internal
mask=255.255.255.0


>>>networks.conf

[172.16.210.0]
dns=172.16.210.10
dhcp_start=172.16.210.1
gateway=172.16.210.10
domain-name=vlan-registration.centos.packetfence.local
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=172.16.210.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

[172.16.211.0]
dns=172.16.211.10
dhcp_start=172.16.211.1
gateway=172.16.211.10
domain-name=vlan-isolation.centos.packetfence.local
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=172.16.211.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

>>>switches.conf (I don't know if my SNMP configuration is right)

#
# Copyright (C) 2005-2015 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
description=Switches Default Values
vlans=1,2,3,4,5,10,11,6
normalVlan=1
registrationVlan=10
isolationVlan=11
macDetectionVlan=4
voiceVlan=3
inlineVlan=5
inlineTrigger=
normalRole=normal
registrationRole=registration
isolationRole=isolation
macDetectionRole=macDetection
voiceRole=voice
inlineRole=inline
VoIPEnabled=N
VlanMap=Y
RoleMap=Y
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
#
# SNMP section
#

Re: [PacketFence-users] Packetfence SMS & Email Registration

2015-06-10 Thread Gary Ossewaarde
I am using PacketFence with Aerohive, although not inline. I've found this 
guide extremely helpful - 
https://community.aerohive.com/aerohive/topics/aerohive-integration-with-packetfence

As for the SMS PIN, make sure you have a mailserver set up correctly and if the 
packetfence box is going to be your MTA, that an MTA is installed and 
configured properly. 

Gary


From: Lewis Jr, Kevin 
Sent: Tuesday, June 9, 2015 10:22 AM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users]  Packetfence SMS & Email Registration

Fabrice,

I finally have PacketFence partially running. I rebuilt the box and changed 
the setup to be inline enforcement. I have two Aerohives and I couldn't find in 
the manual how to configure them for inline enforcement. Another issue I am 
facing is with the SMS pin verification. I am not receiving any messages from 
PacketFence with a pin number, and email registration is doing the same. 
I have verified that PacketFence is able to access the internet and I've also 
verified that the inline vlan is able to access the internet.

Kevin Lewis,








Re: [PacketFence-users] 802.1x authentication

2015-06-10 Thread Sohaib Afourid
Also, I have a new issue: when I register a device manually, I plug my
client out and back in again, I authenticate and get redirected to the
Normal vlan, but when I apply a violation, I get redirected to the
registration vlan and not the isolation one.


Re: [PacketFence-users] 802.1x authentication

2015-06-10 Thread Louis Munro
One thing at a time.

Get the normal workflow to work before you try to get fancy.

--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

On Jun 10, 2015, at 4:12 , Sohaib Afourid  wrote:

> Also, I have a new issue: when I register a device manually, I plug my 
> client out and back in again, I authenticate and get redirected to the Normal 
> vlan, but when I apply a violation, I get redirected to the registration vlan 
> and not the isolation one.


Re: [PacketFence-users] 802.1x authentication

2015-06-10 Thread Louis Munro
Where to begin…

On Jun 10, 2015, at 3:57 , Sohaib Afourid  wrote:

> Hello Louis,
> As requested here are the config files and arp output.
> 
> >>>arp -a from my centos PF server:
> 
> [root@centos ~]# arp -a
> WIN-2008.packetfence.local (172.16.202.20) at 08:00:27:8d:10:10 [ether] on 
> eth0
> ? (172.16.202.10) at c8:9c:1d:f4:82:c1 [ether] on eth0
> 
> >>>arp -a from my client in the registration vlan with a static ip 
> >>>172.16.210.25:
> 
> Interface : 172.16.210.25 --- 0xd
>   Adresse Internet      Adresse physique      Type
>   172.16.210.10         c8-9c-1d-f4-82-c4     dynamique
>   172.16.210.255        ff-ff-ff-ff-ff-ff     statique
>   224.0.0.22            01-00-5e-00-00-16     statique
>   224.0.0.252           01-00-5e-00-00-fc     statique
>   239.255.255.250       01-00-5e-7f-ff-fa     statique

So the server can see the broadcasts from the client and does reply to ARP 
requests.

Does the server know of the client's MAC under the same circumstances?
I.e. if you try to ping that static IP from the server when the client is in 
the registration VLAN, does it work?
Does the MAC of the windows machine show up in the arp table? 

Work your way up the protocol stack: ARP has to work for layer 3 connectivity,
IP has to work for TCP to succeed, etc.

Forget PF for a moment and just fix this.
Get the client and server to ping each other when in the same VLAN with a 
static configuration on each side.

tcpdump and wireshark can be very instructive.


> 
> >>>show ip arp from my Cisco Catalyst switch:
> 
> Cisco3560#show ip arp
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  172.16.202.3           75   2c41.38b4.9e50  ARPA   Vlan2
> Internet  172.16.202.4           49   7c05.0756.f545  ARPA   Vlan2
> Internet  172.16.202.5            0   0800.27f5.3567  ARPA   Vlan2
> Internet  172.16.202.10           -   c89c.1df4.82c1  ARPA   Vlan2
> Internet  172.16.202.20           0   0800.278d.1010  ARPA   Vlan2
> Internet  172.16.207.10           -   c89c.1df4.82c2  ARPA   Vlan7
> Internet  172.16.210.10           -   c89c.1df4.82c4  ARPA   Vlan10
> Internet  172.16.210.25           0   7c05.0756.f545  ARPA   Vlan10
> Internet  172.16.211.10           -   c89c.1df4.82c3  ARPA   Vlan11
> 



I suggest you trim your pf.conf to the minimal working configuration.
Some suggestions follow:


> >>>pf.conf
> 
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=packetfence.local
> #
> # general.hostname
> #
> # Hostname of PacketFence system.  This is concatenated with the domain in 
> # Apache rewriting rules and therefore must be resolvable by clients.
> hostname=centos
> #
> # general.dnsservers
> #
> # Comma-delimited list of DNS servers.  Passthroughs are created to allow 
> # queries to these servers from even "trapped" nodes.
> dnsservers=127.0.0.1, 172.16.202.
> #
> # general.dhcpservers
> #
> # Comma-delimited list of DHCP servers.  Passthroughs are created to allow 
> # DHCP transactions from even "trapped" nodes.
> dhcpservers=127.0.0.1,138.21.217.45,172.16.202.10
> 

Remove everything here (general.dnsservers and general.dhcpservers). It’s not 
required for your configuration.


> [trapping]
> #
> # trapping.range
> #
> # Comma-delimited list of address ranges/CIDR blocks that Snort/Suricata will 
> # monitor/detect/trap on.  Gateway, network, and 
> # broadcast addresses are ignored.
> range=172.16.202.0/24, 172.16.210.0/24, 172.16.211.0/24



Remove the trapping section. It is not relevant.

> 
> [interface eth0]
> ip=172.16.202.5
> type=management
> mask=255.255.255.0
> 
> [interface eth0.10]
> enforcement=vlan
> ip=172.16.210.10
> type=internal
> mask=255.255.255.0
> 
> [interface eth0.11]
> enforcement=vlan
> ip=172.16.211.10
> type=internal
> mask=255.255.255.0
> 
> 
> >>>networks.conf
> 
> [172.16.210.0]
> dns=172.16.210.10
> dhcp_start=172.16.210.1
> gateway=172.16.210.10
> domain-name=vlan-registration.centos.packetfence.local
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=172.16.210.246
> type=vlan-registration
> netmask=255.255.255.0
> dhcp_default_lease_time=30

Your dhcp start overlaps with your packetfence server IP.
Fix that. 

> 
> [172.16.211.0]
> dns=172.16.211.10
> dhcp_start=172.16.211.1

Same here.

> gateway=172.16.211.10
> domain-name=vlan-isolation.centos.packetfence.local
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=172.16.211.246
> type=vlan-isolation
> netmask=255.255.255.0
> dhcp_default_lease_time=30
> 
> >>>switches.conf (I don't know if my SNMP configuration is right)

SNMP is irrelevant. 
You are authenticating using RADIUS.


> 
> #
> # Copyright (C) 2005-2015 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [default]
> description=Switches Def
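
Louis's point about the DHCP pool overlapping the server's own address can be checked mechanically. The script below is an added example, not PacketFence code: a POSIX sh lint over a networks.conf laid out as in the thread, treating the gateway= and dns= values (which here are the pf interface IPs 172.16.210.10 and 172.16.211.10) as addresses that must stay outside the dhcp_start..dhcp_end pool. The config path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example, not part of PacketFence: lint a networks.conf of the form
# shown in the thread and flag DHCP pools that contain the addresses the
# PacketFence server itself uses on that VLAN (the gateway= and dns= values,
# which in the thread are the pf interface IPs 172.16.210.10 / 172.16.211.10).
# Assumed INI layout (from the thread): one [a.b.c.0] section per network with
# dhcp_start, dhcp_end, gateway and dns keys; no spaces around '='.

# ip2int A.B.C.D -> the address as an unsigned 32-bit integer
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_pool IP START END -> succeeds if START <= IP <= END
in_pool() {
  _ip=$(ip2int "$1"); _lo=$(ip2int "$2"); _hi=$(ip2int "$3")
  [ "$_ip" -ge "$_lo" ] && [ "$_ip" -le "$_hi" ]
}

# Evaluate the section collected so far (globals set by check_networks_conf).
_flush_section() {
  [ -n "$_sec" ] && [ -n "$_start" ] && [ -n "$_end" ] || return 0
  for _kv in "gateway=$_gw" "dns=$_dns"; do
    _v=${_kv#*=}
    [ -n "$_v" ] || continue
    if in_pool "$_v" "$_start" "$_end"; then
      echo "OVERLAP: [$_sec] $_kv inside $_start-$_end"
      _found=1
    fi
  done
}

# check_networks_conf FILE
# Prints one OVERLAP line per conflict; returns 1 if any was found, else 0.
check_networks_conf() {
  _found=0
  _sec=""; _start=""; _end=""; _gw=""; _dns=""
  while IFS= read -r _line || [ -n "$_line" ]; do
    case $_line in
      "["*"]") _flush_section
               _sec=${_line#"["}; _sec=${_sec%"]"}
               _start=""; _end=""; _gw=""; _dns="" ;;
      dhcp_start=*) _start=${_line#*=} ;;
      dhcp_end=*)   _end=${_line#*=} ;;
      gateway=*)    _gw=${_line#*=} ;;
      dns=*)        _dns=${_line#*=} ;;
    esac
  done < "$1"
  _flush_section
  return $_found
}

# Usage on a PacketFence host (the conf path is an assumption, not from the thread):
#   check_networks_conf /usr/local/pf/conf/networks.conf
```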

Re: [PacketFence-users] (no subject)

2015-06-10 Thread Louis Munro
Hi Tracy,
Scaling PacketFence requires some knowledge of not only the number of requests 
but also things such as database and authentication source latency.

You may well be constrained more by ntlm_auth times (if using Active Directory 
for instance) than by the specs of the PacketFence servers themselves.

While LVS can be used as a load balancer, PF 5 includes an active/active mode 
that would at least load balance the RADIUS traffic on its own.

So while 4 servers may be enough, it's impossible to say if that is right for you. 
There are too many variables. 
How much RAM/CPU will each of them have? 
How is your load spread (does it spike at specific times of the day or is it 
constant)? 
What authentication sources and rules are you using in the backend? AD 
authentication rarely goes much faster than 30 auths/second while pure LDAP is 
much faster.

I suggest you benchmark your setup as you build it. 
Try to see at how many auths/s your RADIUS starts to eat all the CPU (which 
means it is waiting for an authentication backend and queries are piling up).

Each large PacketFence installation is different in its own way.

Regards,
Louis Munro

On Jun 9, 2015, at 10:53 , Tracy Adams  wrote:

> Hi All,
> 
> I'm planning for deployment of about 4 packetfence servers. The servers
> will be doing authentication of WiFi clients. Not inline.
> My manager wants me to use LVS as the load balancer in front of the pf
> servers. Is this a good option, or does pf have a built-in form of load
> balancing? I can put only 2 RADIUS server IPs into my wireless
> controllers.
> 
> Also I expect about 50K devices during peak times; are 4 pf servers enough,
> or should I have more?
> 
> Thanks,
> Tracy
> 


Re: [PacketFence-users] scaling PF

2015-06-10 Thread Tracy Adams
Hi Louis,

Thank you for your reply.

Since writing this email I have found out more information and now I have
more questions :-)

Now I know that our wireless controllers can have up to 17 RADIUS server
entries, so we have decided that we will be doing the load balancing by
staggering the order of the pf servers in the controllers.

All the pf servers will be VMware guests, so we can scale the CPU and
memory as required. I will start with double the minimum specs.

We are authenticating against AD, I don't have any control of the AD
infrastructure, but I was told it will be able to handle any load that pf
will place on it. The group that is responsible for it will make it so.

We are using 802.1x for authentication, based on what I have observed in
my lab the clients keep authenticating all the time. I'm assuming that the
load is going to be constant and proportional to the number of client
devices. Currently anticipating 50K. So as the load increases I would be
spinning up more guests.

Now I'm coming to my main question. Should I have a db running on each pf
instance or should I have one db server? The main advantage of having a db
on each pf is avoiding a single point of failure. If I have one db server
then the redundancy would be provided by VMware HA of this db server. This
is what my manager is leaning to. What am I giving up by having a
distributed db over a centralized db (keeping in mind that all pf is
doing is authenticating 802.1x sessions)?

Hope I'm not asking stupid questions,
Tracy

On Wed, June 10, 2015 10:25 am, Louis Munro wrote:
> Hi Tracy,
> Scaling PacketFence requires some knowledge of not only the number of
> requests but also things such as database and authentication source
> latency.
>
> You may well be constrained more by ntlm_auth times (if using
> Active Directory for instance) than by the specs of the PacketFence
> servers themselves.
>
> While LVS can be used as a load balancer, PF 5 includes an active/active
> mode that would at least load balance the RADIUS traffic on its own.
>
> So while 4 servers may be enough, it's impossible to say if that is right for
> you. There are too many variables.
> How much RAM/CPU will each of them have?
> How is your load spread (does it spike at specific times of the day or is
> it constant)?
> What authentication sources and rules are you using in the backend? AD
> authentication rarely goes much faster than 30 auths/second while pure
> LDAP is much faster.
>
> I suggest you benchmark your setup as you build it.
> Try to see at how many auths/s your RADIUS starts to eat all the CPU
> (which means it is waiting for an authentication backend and queries are
> piling up).
>
> Each large PacketFence installation is different in its own way.
>
> Regards,
> Louis Munro
>
> On Jun 9, 2015, at 10:53 , Tracy Adams  wrote:
>
>> Hi All,
>>
>> I'm planning for deployment of about 4 packetfence servers. The servers
>> will be doing authentication of WiFi clients. Not inline.
>> My manager wants me to use LVS as the load balancer in front of the pf
>> servers. Is this a good option, or does pf have a built-in form of load
>> balancing? I can put only 2 RADIUS server IPs into my wireless
>> controllers.
>>
>> Also I expect about 50K devices during peak times; are 4 pf servers
>> enough, or should I have more?
>>
>> Thanks,
>> Tracy
>>


[PacketFence-users] Kerberos Authentication

2015-06-10 Thread Nicolas Gailly
Hi,

I'm trying to set up PacketFence to authenticate users with Kerberos. I want
to be able to do it with 802.1x.
Just using Kerberos, NO LDAP, AD!!
- /etc/krb5.conf is configured, so when I manually type "kinit username",
I can get a ticket (i.e. I can get authenticated)
- Added internal source kerberos using the web interface
- Added the radius domain, also using the web interface.

When I plug in using 802.1x with good credentials, the radiusd log simply shows:
Auth: Login incorrect: 

It doesn't seem to take Kerberos authentication into account at all.
What did I miss?

Thank you

-- 
Nicolas Gailly


Re: [PacketFence-users] scaling PF

2015-06-10 Thread Louis Munro


On Jun 10, 2015, at 11:08 , Tracy Adams  wrote:

> Hi Louis,
> 
> Thank you for your reply.
> 
> Since writing this email I have found out more information and now I have
> more questions :-)
> 
> Now I know that our wireless controllers can have up to 17 RADIUS server
> entries, so we have decided that we will be doing the load balancing by
> staggering the order of the pf servers in the controllers.

That works, but…
It will not be as flexible as what you would get from configuring a FreeRADIUS 
load balancing proxy, which is what we do in PF.
You could run that proxy in LVS if you wanted to.

Relying on the controllers to do load balancing is a leap of faith.
Controllers may not actually really load balance and they may not fail back if 
you need to temporarily shut down one server.

Just some things to keep in mind.

> 
> All the pf servers will be VMware guests, so we can scale the CPU and
> memory as required. I will start with double the minimum specs.

Good. VMWare does buy you flexibility which is very useful when you have a 
large installation.


> 
> We are authenticating against AD, I don't have any control of the AD
> infrastructure, but I was told it will be able to handle any load that pf
> will place on it. The group that is responsible for it will make it so.

They always say that.
You’ll see…
I'm kidding, but there are limitations to the NTLM protocol that mean it 
does not scale as well as LDAP or Kerberos, which is what they are probably used 
to.
Unfortunately, authenticating using PEAP does not work on AD using LDAP.


> 
> We are using 802.1x for authentication, based on what I have observed in
> my lab the clients keep authenticating all the time. I'm assuming that the
> load is going to be constant and proportional to the number of client
> devices. Currently anticipating 50K. So as the load increases I would be
> spinning up more guests.
> 

The clients should only authenticate when they connect or when the “reauth 
time” is up.
Make sure to set that to some reasonable value so that they are not 
authenticating every 5 minutes or so.



> Now I'm coming to my main question. Should I have a db running on each pf
> instance or should I have one db server? The main advantage of having a db
> on each pf is avoiding a single point of failure. If I have one db server
> then the redundancy would be provided by VMware HA of this db server. This
> is what my manager is leaning to. What am I giving up by having a
> distributed db over a centralized db (keeping in mind that all pf is
> doing is authenticating 802.1x sessions)?


I would have a separate DB cluster of two servers if you don’t already have one.
If you have a DB on each server you have to figure out the clustering or they 
are to be separate installs with their own configuration (which opens a can of 
worms: if you register on one server, you won’t be registered on another).

I like simple database setups. Two servers for redundancy. 
Use either MySQL clustering if you are familiar with it or just replicate the 
storage over DRBD.
That works very well for some of our larger clients that have requirements 
comparable to yours.


> 
> Hope I'm not asking stupid questions,
> 

Not at all. 
These are interesting questions to which the answer is (as to any interesting 
question):
it depends.

Regards,
Louis Munro



Re: [PacketFence-users] 802.1x authentication

2015-06-10 Thread Sohaib Afourid
Thank you again, Louis.
I left my work place for now. I'll try all this first thing tomorrow.


Re: [PacketFence-users] Kerberos Authentication

2015-06-10 Thread Louis Munro


On Jun 10, 2015, at 11:13 , Nicolas Gailly  wrote:

> 
> It doesn't seem to take into account kerberos authentication at all.
> What did I miss ?

Two things come to mind:

The Windows supplicant tries PEAP by default, IIRC. PEAP is not compatible with 
Kerberos.
The RADIUS server is not configured to authorize 802.1x using Kerberos anyway.


The PacketFence sources are meant as authorization sources (mostly).
802.1x authentication has to succeed first (or you should use MAC 
authentication).
Getting 802.1x working in your case would require a Kerberos-compatible 
supplicant and configuring FreeRADIUS for it.


Regards,
Louis Munro


Re: [PacketFence-users] is there a recomendet installation

2015-06-10 Thread Louis Munro

On Jun 9, 2015, at 11:11 , holger.patz...@t-systems.com wrote:
> 
> Maybe it would be helpful to test the pf installation against “changing” 
> ADs (not just) INVERSE, because since 5.0 it is a pain in the a.. to get 
> pf working against an own AD which is NOT called “INVERSE” (at least for a 
> dumbhead like me, it seems). “INVERSE” seems/seemed(?) to be hardcoded in 
> numerous places, and neither the krb5.conf nor the corresponding 
> winbind/samba config files looked like they should, if one compared 
> them to what the pf documentation says they should look like – for THAT Linux 
> distribution (e.g. Debian).
> There is no need for n ADs, just two, and the second just to make sure there 
> are no “INVERSE specifics” hardcoded. The more “rudimentary” the second is, 
> the easier it is to see that the “INVERSE” settings are not “templated” for 
> everyone.
>  


Hi Holger,
As a follow up and so that others on the mailing list may follow, I am 
reposting what I just added to the github issue:

I just did a clean Debian 7 install.
I configured two domains against two different AD DCs, one on Windows, the other 
on Samba 4.
The default test domain is pftest.org (no inverse).

It works.
I can't replicate your problem.
Both ntlm_auth in the chroots and 802.1x (tested with eapol_test) succeed.

Note that the default domain indicated in files such as 
/chroot/$DOMAIN/etc/krb5.conf is not necessarily the one used to authenticate 
the user. So whether it is inverse.anything is not actually relevant.

I would need to know more about what behaviour you are experiencing to help you.
You are not stating whether ntlm_auth succeeds or not and for what domain.

Actual configuration files and radius debugging output (freeradius -d 
/usr/local/pf/raddb/ -X ) would be helpful.
Particularly conf/realms.conf, conf/domains.conf, 
/chroot/domain/etc/krb5.conf and /chroot/domain/samba/smb.conf for each domain.

I am off to test on Ubuntu.


Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [PacketFence-users] new gui domains config

2015-06-10 Thread Louis Munro
On Jun 10, 2015, at 6:09 , heupink  wrote:

> Nothing but silence on this subject.
> 
> Is this working for everybody?

Hi MJ,

Remind me again which samba packages you are using? 

This part of the logs makes me suspect a path is incorrect:


> [2015/06/08 22:55:04.473913,  0] 
> ../lib/util/util.c:216(directory_create_or_exist)
>  mkdir failed on directory /var/run/samba/winbindd: No such file or directory


Try this. 

1. Open a shell in the chroot: 

# chroot /chroots/$DOMAIN/ bash 

2. Run winbindd in the foreground:

# /usr/sbin/winbindd -F -s /etc/samba/inverse.conf -S -d5

3. Try to authenticate

This works for me on debian 7 and outputs a whole lot of debugging information.
The answer may be in there. 

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
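Louis's three steps reproduce the failing mkdir inside the chroot. As an added example (not PacketFence or Samba code), the following script checks from the host whether the directories named in a chroot's smb.conf exist under the chroot and, when they do not, whether their parent exists, which is the difference between a plain mkdir succeeding and the "No such file or directory" in the quoted log. The smb.conf text and the chroot layout are constructed; the option names are real Samba smb.conf options.

```python
# Added example (not PacketFence/Samba code). mkdir(2) is not recursive, so the
# "No such file or directory" in the log above means the parent dir is missing
# inside the chroot; this checks the smb.conf directory options against it.
import os
import re
import tempfile
DIR_PARAMS = ("pid directory", "lock directory", "state directory",  # Samba
              "cache directory", "private dir", "winbindd socket directory")

SAMPLE_SMB_CONF = """[global]
   pid directory = /var/run/samba
   winbindd socket directory = /var/run/samba/winbindd
[homes]
   path = /home
"""   # constructed; mirrors the path in the quoted log


def parse_dir_params(text):
    """{option: path} for directory options set in [global] (other sections ignored)."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comments / blank lines
            continue
        if (m := re.match(r"\[(.+)\]$", line)):
            section = m.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        key = " ".join(key.lower().split())   # "PID  Directory" -> "pid directory"
        if sep and section == "global" and key in DIR_PARAMS:
            found[key] = value.strip()
    return found

def check_smb_conf(chroot_root, text):
    """option -> (path, 'ok' | 'missing' | 'missing parent'), seen from the host."""
    report = {}
    for opt, path in parse_dir_params(text).items():
        host = os.path.join(chroot_root, path.lstrip("/"))
        if os.path.isdir(host):
            report[opt] = (path, "ok")
        elif os.path.isdir(os.path.dirname(host)):
            report[opt] = (path, "missing")          # a plain mkdir would fix it
        else:
            report[opt] = (path, "missing parent")   # mkdir fails with ENOENT
    return report

def demo():
    root = tempfile.mkdtemp(prefix="chroot-demo-")   # constructed chroot: only /var/run
    os.makedirs(os.path.join(root, "var", "run"))
    return check_smb_conf(root, SAMPLE_SMB_CONF)
```

Run it against a real chroot with `check_smb_conf("/chroots/<domain>", open("/chroots/<domain>/etc/samba/<domain>.conf").read())` (path is a placeholder; substitute the one your domain uses).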


[PacketFence-users] Broadcast Message

2015-06-10 Thread Thomas, Gregory A
Is there a way to somehow broadcast a message to all user?

I am thinking of this for a couple of uses:

1.   I am in the process of setting up a new server and it will be down for 
a couple of hours as I transition from old to new. It would be nice to be able 
to send a notice to everyone about this.

2.   Now that we are in potential severe weather timeframe, our campus is 
really concerned with pushing notifications in virtually any format for safety. 
Is there a way to push a notification that has an expiration for something like 
a tornado warning?

Thanks for any input.

--
Gregory A. Thomas
IT Manager, Student Life
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432



[PacketFence-users] JSON RPC Querys...

2015-06-10 Thread Tim DeNike
OK.. I can't seem to figure out how to PULL data from packet fence with the
web services API.

I can trigger events with it like so:

curl -v -H "Content-Type: application/json-rpc" -H "Request: register_node"
-X POST -d
'{"params":["mac","00:11:22:33:44:55","pid","timdenike","category","business"],"jsonrpc":"2.0","method":"register_node"}'
http://localhost:9090/

This does what you'd think.. Registers the node.

But how do I retrieve and use the "node_information" or "view_person" api
commands.

Im trying to integrate packet fence into an ISP billing/accounting system
and need to have the 2 fully talking.. Ive got it part way done.. Just
trying to fill in the gaps.
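As an added example (not PacketFence code), here is the same register_node call made from Python as a small JSON-RPC 2.0 client that also validates the reply, which is what any data-returning method needs: a JSON-RPC 2.0 reply carries either "result" or "error" and echoes the request "id". The parameter list passed to node_information is an assumption that mirrors the flat key/value list of the register_node call shown above.

```python
# Added example (not PacketFence code): minimal JSON-RPC 2.0 client for the web
# services port used by the curl call above. The curl body has no "id", which
# in strict JSON-RPC 2.0 makes it a notification; an id lets us match the reply.
# Params for methods other than register_node are assumptions (same flat list).
import itertools
import json
import urllib.request

ENDPOINT = "http://localhost:9090/"   # from the curl call above
_ids = itertools.count(1)

class JsonRpcError(Exception):
    """Server answered with a JSON-RPC "error" object, or the reply is malformed."""

def build_request(method, params):
    """JSON-RPC 2.0 envelope; params stay a flat list as in the register_node call."""
    return {"jsonrpc": "2.0", "method": method, "params": list(params),
            "id": next(_ids)}

def parse_response(request, body):
    """Validate the raw reply against its request and return the "result"."""
    reply = json.loads(body)
    if reply.get("jsonrpc") != "2.0":
        raise JsonRpcError(f"not a JSON-RPC 2.0 reply: {reply!r}")
    if reply.get("id") != request["id"]:
        raise JsonRpcError(f"reply id {reply.get('id')!r} != request id {request['id']!r}")
    if "error" in reply:                      # "error" and "result" are exclusive
        err = reply["error"]
        raise JsonRpcError(f"{err.get('message')} (code {err.get('code')})")
    return reply["result"]

def call(method, params, endpoint=ENDPOINT):
    """POST with the same headers as the curl call, then parse the reply."""
    request = build_request(method, params)
    req = urllib.request.Request(
        endpoint, data=json.dumps(request).encode(), method="POST",
        headers={"Content-Type": "application/json-rpc", "Request": method})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(request, resp.read())

if __name__ == "__main__":
    # The register_node call from above, then a query for the same node
    # (node_information params are an assumption).
    print(call("register_node", ["mac", "00:11:22:33:44:55", "pid", "timdenike",
                                 "category", "business"]))
    print(call("node_information", ["mac", "00:11:22:33:44:55"]))
```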


Re: [PacketFence-users] Broadcast Message

2015-06-10 Thread Tim DeNike
Could trigger a violation for everyone I suppose.

On Wed, Jun 10, 2015 at 5:05 PM, Thomas, Gregory A  wrote:

> Is there a way to somehow broadcast a message to all user?
>
> I am thinking of this for a couple of uses:
>
> 1.   I am in the process of setting up a new server and it will be
> down for a couple of hours as I transition from old to new. It would be
> nice to be able to send a notice to everyone about this.
>
> 2.   Now that we are in potential severe weather timeframe, our
> campus is really concerned with pushing notifications in virtually any
> format for safety. Is there a way to push a notification that has an
> expiration for something like a tornado warning?
>
> Thanks for any input.
>
> --
> Gregory A. Thomas
> IT Manager, Student Life
> University of Wisconsin-Parkside
> thom...@uwp.edu
> 262.595.2432


Re: [PacketFence-users] Self-reg page as default in captive portal

2015-06-10 Thread Leja, Maciej
For your second question, the way you can do this is on the first page have URI 
links.  You can set these triggers by going to “Portal Profiles” in 
Configuration – select the new pages and in the Filter section specify you will 
look for a URI of “x” to be the trigger on that first page.

My only issue is I had to start from scratch and lost the code the inverse guys 
did for the URI link on the first page… it was short but I’m far from a web 
devel so I cannot figure it out – was going to ask the mailing list soon.  If 
you figure it out let me know!

Thanks,
~Maciej


From: Gary Ossewaarde
Reply-To: 
"packetfence-users@lists.sourceforge.net"
Date: Wednesday, June 10, 2015 at 6:54 AM
To: 
"packetfence-users@lists.sourceforge.net"
Subject: [PacketFence-users] Self-reg page as default in captive portal

Is there a way to make the self-registration page the default when users access 
the portal? The captive portal I want to do this on is used only for the guest 
wireless network.

Additionally, is there a way to make self-reg more "wizardy" e.g.,
first page: Select how you would like to register:
[button] Text Message
[button] Email
[button] Sponsor

When you would click each button, you would go to another page that would have 
you accept the AUP and enter the required info for that type of registration.

Thanks,

Gary


Re: [PacketFence-users] guests_self_registration.access_duration

2015-06-10 Thread Gary Ossewaarde
I figured this out (so for the mailing list and my future self’s sake), it’s 
set sort of in two places. 

First, if you want a duration different from one of the defaults 
(1h,3h,12h,1D,2D,3D,5D), it’s set in Configuration > Users > Access Duration. 

As for setting the duration, it’s per source. In Configuration > Users > 
Sources, select the source you want to change (in my case, all), and click on 
the rules. My installation is pretty vanilla and the catchall rule works for 
me, so I select that rule and in there, under the “Perform the following 
actions” header, you can see where it sets the access duration. I had to do 
this in sms, email, and sponsor. 

Gary




On 6/10/15, 8:00 AM, "Gary Ossewaarde"  wrote:

>I'm installing a new packetfence install to replace my PacketFence 3.5.1 
>install. In 3.5.1, I was able to set guests_self_registration.access_duration 
>in Configuration > Guests_self_registration. 
>
>I'm having trouble finding that in 5.1.0. Can anyone point me in the right 
>direction? 
>
>Thanks, 
>
>Gary