Re: [PacketFence-users] SSL Cert error when host is behind captive-portal

2015-07-01 Thread Tim DeNike
Allow passthru for OCSP/CRL checks for the cert in question.  Most are
already allowed.

On Wed, Jul 1, 2015 at 3:10 PM, Leja, Maciej  wrote:

>   Thanks for the response, that was my problem originally but I fixed
> that.  Now going to the admin portal shows the chain (host cert > InCommon >
> UserTrust RSA > AddTrust External CA root) so everything looks good on
> admin site.  But when getting to the portal when I have no internet
> connectivity, I get an error saying “Windows does not have enough
> information to verify this certificate” and on the path it shows “the
> issuer of this certificate could not be found…” yet in the details it shows
> the issuer is InCommon.  Not sure….
>
>
>   Thanks,
> ~Maciej
>
>
--
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] SSL Cert error when host is behind captive-portal

2015-07-01 Thread Leja, Maciej
Thanks for the response, that was my problem originally but I fixed that.  Now
going to the admin portal shows the chain (host cert > InCommon > UserTrust RSA >
AddTrust External CA root) so everything looks good on admin site.  But when
getting to the portal when I have no internet connectivity, I get an error
saying “Windows does not have enough information to verify this certificate”
and on the path it shows “the issuer of this certificate could not be found…”
yet in the details it shows the issuer is InCommon.  Not sure….


Thanks,
~Maciej


From: Dennis Bühring
Reply-To: "packetfence-users@lists.sourceforge.net"
Date: Wednesday, July 1, 2015 at 1:54 PM
To: "packetfence-users@lists.sourceforge.net"
Subject: Re: [PacketFence-users] SSL Cert error when host is behind captive-portal

Did you include the certificate chain? I had to include the issuing
(intermediate) CA to get rid of the warnings. The root CA was already trusted
on the clients (RapidSSL) but the intermediate had to be included for the
clients to trust my certificate.

Not sure if this applies to your situation.

regards
Dennis



Re: [PacketFence-users] SSL Cert error when host is behind captive-portal

2015-07-01 Thread Dennis Bühring
Did you include the certificate chain? I had to include the issuing
(intermediate) CA to get rid of the warnings. The root CA was already
trusted on the clients (RapidSSL) but the intermediate had to be included
for the clients to trust my certificate.

Not sure if this applies to your situation.

regards
Dennis

2015-07-01 20:35 GMT+02:00 Leja, Maciej :

>   Hey folks,
>
>  I set up a new legit ssl cert for the PF box – working for the admin
> interface but users behind the captive portal are not allowed to validate
> it (because they’re not online)….
>
>  Any ideas how to get around this so users don’t get the error in their
> browser when hitting the captive portal?  I’m sure there’s a way around
> whether that’s opening up the fw to allow users to get out (in that case
> what do you let them get out to) …
>
>  Any help greatly appreciated – thanks!
>
>  ~Maciej
>
>


-- 
---
oben Balken, unten Balken !
---
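Dennis's advice (serve the issuing intermediate together with the host certificate) and Tim's (let clients behind the portal reach the OCSP/CRL endpoints the certificate names) can both be checked against the chain file itself. The Go program below is an added example, not code from the PacketFence project or from anyone in this thread. It builds a throwaway root -> issuing CA -> portal chain in memory (every hostname in it is hypothetical, constructed for the example), then verifies a served chain against a trust store that holds only the root, which is all an offline client behind the portal has, and collects the hosts named in each certificate's OCSP, CRL and AIA issuer URLs, i.e. the passthrough candidates. To use it on a real deployment, feed parsePEMCerts the PEM chain the portal serves and verifyChain the public root instead of buildTestChain's output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// sign issues tmpl under parent (nil parent = self-signed) with a fresh Ed25519 key. Fixture code for this example.
func sign(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, []byte, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fixture code; rand.Reader is assumed healthy
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if tmpl.IsCA { // CA constraint and signing key usage only on the CA certificates
		tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

// buildTestChain makes root -> issuing CA -> portal leaf in memory; every hostname below is hypothetical.
func buildTestChain() (leafPEM, interPEM, rootPEM []byte) {
	root, rootPEM, rootKey := sign(&x509.Certificate{Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true}, nil, nil)
	inter, interPEM, interKey := sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		IsCA:                  true,
		OCSPServer:            []string{"http://ocsp.root-ca.example.test"},
		CRLDistributionPoints: []string{"http://crl.root-ca.example.test/root.crl"},
	}, root, rootKey)
	_, leafPEM, _ = sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "portal.example.test"},
		OCSPServer:            []string{"http://ocsp.issuing-ca.example.test"},
		CRLDistributionPoints: []string{"http://crl.issuing-ca.example.test/issuing.crl"},
		IssuingCertificateURL: []string{"http://crt.issuing-ca.example.test/issuing.crt"},
	}, inter, interKey)
	return leafPEM, interPEM, rootPEM
}

// parsePEMCerts decodes every PEM block in data as a certificate, keeping the file order (leaf first).
func parsePEMCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode(data); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificates in input")
	}
	return certs, nil
}

// verifyChain validates a non-empty served chain (leaf first) against a store holding only the root, as an offline client would.
func verifyChain(certs []*x509.Certificate, trustedRootPEM []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(trustedRootPEM)
	for _, c := range certs[1:] {
		inters.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// passthroughHosts collects the hosts named in every chain certificate's OCSP, CRL and AIA issuer URLs.
func passthroughHosts(certs []*x509.Certificate) map[string]bool {
	hosts := map[string]bool{}
	for _, c := range certs {
		for _, raw := range append(append(append([]string{}, c.OCSPServer...), c.CRLDistributionPoints...), c.IssuingCertificateURL...) {
			if u, err := url.Parse(raw); err == nil && u.Hostname() != "" {
				hosts[u.Hostname()] = true
			}
		}
	}
	return hosts
}

func main() {
	leaf, inter, root := buildTestChain()
	leafOnly, _ := parsePEMCerts(leaf)
	full, _ := parsePEMCerts(append(append([]byte{}, leaf...), inter...))
	fmt.Println("leaf only:", verifyChain(leafOnly, root), "| full chain:", verifyChain(full, root), "| passthrough:", passthroughHosts(full))
}
```

With only the leaf in the served chain, Verify fails with "certificate signed by unknown authority", the Go counterpart of the Windows message quoted in this thread: Windows would normally fetch the missing issuer from the AIA URL, which a client with no internet access cannot do, so the intermediate has to come from the portal itself. Note that the intermediate's own OCSP and CRL hosts land in the list too, since clients check every certificate in the chain. The list is read from the chain, not probed: Go's Verify performs no OCSP or CRL fetching, so the output is the input to a passthrough configuration, not evidence that those hosts are reachable.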


[PacketFence-users] SSL Cert error when host is behind captive-portal

2015-07-01 Thread Leja, Maciej
Hey folks,

I set up a new legit ssl cert for the PF box – working for the admin interface 
but users behind the captive portal are not allowed to validate it (because 
they’re not online)….

Any ideas how to get around this so users don’t get the error in their browser 
when hitting the captive portal?  I’m sure there’s a way around whether that’s 
opening up the fw to allow users to get out (in that case what do you let them 
get out to) …

Any help greatly appreciated – thanks!

~Maciej


[PacketFence-users] Disable DHCP detector on one network

2015-07-01 Thread Leonel Bonito
Hi,

How can I disable DHCP detection in one of PF's networks?
I'm seeing nodes detected on Mgmt interface but I don't need it.

I'm running PF ZEN 5.1 updated to 5.2 with inline enforcement.

Thanks in advance.

Regards,

Leo


[PacketFence-users] 802.1x machine accounts issue

2015-07-01 Thread mourik jan heupink
Hi,

We have one last remaining issue (for the moment) in our test setup:

procurve 5400, 802.1x authentication, samba4 AD backend, packetfence 5.2.0.

I have added two user sources: ad-users (sAMAccountName) and
ad-computers (servicePrincipalName) on list number 2 and 3, below the
'default legacy source htpasswd'.

User authentication works, but machine auth does NOT work. Below is a
bit from the radius debug log. Manually running the ntlm_auth command
(as root and as pf) gives the same result: "Logon failure (0xc06d)".

Obviously the workstation in question IS joined to the domain, and on
the regular network, I can logon normally.

Could anyone tell me where to look to solve this? If more logs are
needed, just let me know.

Thanks in advance!

> # Executing section authorize from file 
> /usr/local/pf/raddb/sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "host/P002518.samba.company.com", skipping 
> NULL due to config.
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "host/P002518.samba.company.com", looking up 
> realm NULL
> [ntdomain] Found realm "default"
> [ntdomain] Adding Stripped-User-Name = "host/P002518.samba.company.com"
> [ntdomain] Adding Realm = "default"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] = ok
> ++[preprocess] = ok
> rlm_perl: Added pair HP-Capability-Advert = 0x011a000b28
> rlm_perl: Added pair HP-Capability-Advert = 0x011a000b2e
> rlm_perl: Added pair HP-Capability-Advert = 0x011a000b30
> rlm_perl: Added pair HP-Capability-Advert = 0x011a000b3d
> rlm_perl: Added pair HP-Capability-Advert = 0x0138
> rlm_perl: Added pair HP-Capability-Advert = 0x013a
> rlm_perl: Added pair HP-Capability-Advert = 0x0140
> rlm_perl: Added pair HP-Capability-Advert = 0x0141
> rlm_perl: Added pair HP-Capability-Advert = 0x0151
> rlm_perl: Added pair NAS-Port-Type = Ethernet
> rlm_perl: Added pair MS-RAS-Vendor = 11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0xcc720d84c569141dda894508eb3f81d4
> rlm_perl: Added pair Called-Station-Id = 00-17-a4-b5-6e-00
> rlm_perl: Added pair Message-Authenticator = 0x42b57ae046a2e7f4ba0c6d07ad02
> rlm_perl: Added pair Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
> rlm_perl: Added pair Realm = default
> rlm_perl: Added pair NAS-IP-Address = 192.87.143.248
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1
> rlm_perl: Added pair NAS-Port-Id = A15
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 2c-41-38-8f-f1-3a
> rlm_perl: Added pair PacketFence-Domain = intech
> rlm_perl: Added pair Framed-Protocol = PPP
> rlm_perl: Added pair User-Name = host/P002518.samba.company.com
> rlm_perl: Added pair NAS-Identifier = Procurve chassis
> rlm_perl: Added pair EAP-Message = 
> 0x021b007b1900170301007024aa739cc370cd329ca0ed130474c0b1d66515e137ced852b7456ca03fa0d4d70fadb69284d59f73fdbb5358c1c0165c50ee33cc986c3efdc2221b775c5003b5dd8ea0e142d26591dd6d97fd47e612c
> rlm_perl: Added pair Stripped-User-Name = host/P002518.samba.company.com
> rlm_perl: Added pair NAS-Port = 15
> rlm_perl: Added pair Framed-MTU = 1480
> ++[packetfence-multi-domain] = updated
> [eap] EAP packet type response id 27 length 123
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7 
> [peap] Done initial handshake
> [peap] eaptls_process returned 7 
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type mschapv2
> [peap] Got tunneled request
>   EAP-Message = 
> 0x021b005b1a021b005631bd6cee051bdb1f0eb317c91ad5ce988bf64841503030323531382e73616d62612e6d657269742e756e752e656475
> server packetfence {
> [peap] Setting User-Name to host/P002518.samba.company.com
> Sending tunneled request
>   EAP-Message = 
> 0x021b005b1a021b005631bd6cee051bdb1f0eb317c91ad5ce988bf64841ed148986f73742f503030323531382e73616d62612e6d657269742e756e752e656475
>   FreeRADIUS-Proxied-To = 127.0.0.1
>   User-Name = "host/P002518.samba.company.com"
>   State = 0xb1c5c8ddb1ded38d361204
>   HP-Capability-Advert += 0x011a000b28
>   HP-Capability-Advert += 0x011a000b2e
>   HP-Capability-Advert += 0x011a000b30
>   HP-Capability-Advert += 0x011a000b3d
>   HP-Capability-Advert += 0x0138
>   HP-Capability-Advert += 0x013a
>   HP-Capability-Advert += 0x0140
>   HP-Capability-Advert += 0x0141
>   HP-Capability-Advert += 0x0151
>   NAS-Port-Type = Ethernet
>   MS-RAS-Vendor = 11
>   Service-Type = Framed-User
>   Tunnel-Type:0 = VLAN
>   Called-Station-Id = "00-