[PacketFence-users] Local account
Hello.

Using PF 5.2 on CentOS 6.6 in inline mode. I had a few questions regarding local account creation.

- How long is the local account valid for after it's been created?
- Can the local account details (username and password that's sent in the email) be used to enable access again, after the access time period has expired?

Thanks

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
Or setup a portal profile. Do you want people to register devices on this ssid?

Sent from my iPhone

On Aug 6, 2015, at 9:12 AM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

> Good morning -
>
> I have a SSID resnet, and would like all users to be forced to vlan 10, no matter their role. I do have a role resnet that is defined in my device configurations to vlan 10.
>
> Would this be the correct rule for a vlan_filters.conf?
>
> [resnet-ssid]
> filter = ssid
> operator = is
> value = resnet
>
> [1:resnet-ssid]
> scope = NormalVlan
> role = resnet
>
> - Pete Hoffswell - Network Manager
> pete.hoffsw...@davenport.edu
> http://www.davenport.edu
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
Well, I'm sticking to the original subject, here trying to get a vlan filter to work -

resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = NormalVlan
role = resnet

I do not see any sort of info in the packetfence.log... I wonder if there's a pf.conf command that directs PF to look for and run the vlan_filters.conf stuff...

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Thu, Aug 6, 2015 at 12:13 PM, Tim DeNike tim.den...@mcc.edu wrote:

> That's on the user. If they don't use the installer we provide that sets up all the certificates and trusts. Otherwise it really doesn't matter. If I went and setup a hotspot near your campus with a ssid of resnet and made the portal look the same as yours I could probably have dozens or hundreds of passwords by the end of the day.
>
> Perfect world would be doing certificate auth but it took me long enough just to get them to think about dropping psk networks. ;)
>
> Sent from my iPhone
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
A few possibilities:

- is the SSID called “resnet” (case matters)?
- is the AP/controller actually sending the SSID name in the radius request?
- is PacketFence able to parse that SSID as sent?

I suggest raising the log level to “DEBUG”. That should show if the SSID is correctly detected.

VLAN filters are automatically run on every authentication. You may want to restart to make sure the new ones are applied if you changed them.

On Aug 6, 2015, at 1:45 PM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

> Well, I'm sticking to the original subject, here trying to get a vlan filter to work -
>
> resnet-ssid]
> filter = ssid
> operator = is
> value = resnet
>
> [1:resnet-ssid]
> scope = NormalVlan
> role = resnet
>
> I do not see any sort of info in the packetfence.log... I wonder if there's a pf.conf command that directs PF to look for and run the vlan_filters.conf stuff...
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
Hi, thanks, Louis!

I had restarted PF during my config process before. I just did it again to change the log level, and BAM, it started to work! You can see it in the logs/packetfence.log file now:

Aug 06 14:13:06 httpd.aaa(46816) INFO: [mac] Match Vlan rule: 1:resnet (pf::vlan::filter::test)
Aug 06 14:13:06 httpd.aaa(46816) INFO: [mac] PID: , Status: reg. Returned VLAN: xx (pf::vlan::fetchVlanForNode)
Aug 06 14:13:06 httpd.aaa(46816) INFO: [mac] (ip.ip.ip.ip) Returning ACCEPT with VLAN xx and role (pf::Switch::returnRadiusAccessAccept)

NICE!

I'm unsure why it was not happening before. Maybe I had some syntax wrong or something. For the record, here's my config:

# If the user connects to ssid resnet then set their vlan to role resnet
#
[resnet]
filter = ssid
operator = is
value = resnet

[1:resnet]
scope = NormalVlan
role = resnet
#

Note that if an unregistered user connects to this SSID, they will use my defined resnet portal. They get a login, and will get a role assigned as per the norm. But, will still get pushed into the resnet vlan when connecting. Just what I was looking for.

Thanks everyone for your help

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Thu, Aug 6, 2015 at 2:03 PM, Louis Munro lmu...@inverse.ca wrote:

> A few possibilities:
>
> - is the SSID called “resnet” (case matters)?
> - is the AP/controller actually sending the SSID name in the radius request?
> - is PacketFence able to parse that SSID as sent?
>
> I suggest raising the log level to “DEBUG”. That should show if the SSID is correctly detected.
>
> VLAN filters are automatically run on every authentication. You may want to restart to make sure the new ones are applied if you changed them.
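Added example, not part of the thread and not PacketFence code: a small Python lint for the `vlan_filters.conf` layout posted in these messages, plus a check of which rules show up in `packetfence.log` "Match Vlan rule" lines. The required keys are taken from the configs in the thread (an assumption, not PacketFence's full schema), only the `[N:condition]` rule-name form used here is handled, and all function names and the sample inputs are constructed for the example.

```python
import re

# Keys taken from the configs posted in this thread. Treating them as required
# is an assumption of this example, not PacketFence's full schema.
CONDITION_KEYS = {"filter", "operator", "value"}
RULE_KEYS = {"scope", "role"}

SECTION_RE = re.compile(r"^\[([^\[\]]+)\]$")
RULE_RE = re.compile(r"^(\d+):(.+)$")              # e.g. "1:resnet"
MATCH_LOG_RE = re.compile(r"Match Vlan rule: (\S+)")
BROKEN = object()  # marks keys that follow an unparsable header line


def parse_sections(text):
    """Return (sections, problems); sections maps header name -> {key: value}."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION_RE.match(line)
        key_part = line.split("=", 1)[0]
        if header:
            current = header.group(1).strip()
            if current in sections:
                problems.append(f"line {lineno}: duplicate section [{current}]")
            sections.setdefault(current, {})
        elif "=" not in line or "[" in key_part or "]" in key_part:
            problems.append(
                f"line {lineno}: not a [section] header or key = value: {line!r}")
            current = BROKEN
        elif current is None:
            problems.append(
                f"line {lineno}: {key_part.strip()!r} is outside any section")
        elif current is not BROKEN:
            sections[current][key_part.strip()] = line.split("=", 1)[1].strip()
    return sections, problems


def lint(text):
    """Syntax problems, missing keys, and rules naming an undefined condition."""
    sections, problems = parse_sections(text)
    conditions = {name for name in sections if not RULE_RE.match(name)}
    for name, keys in sections.items():
        rule = RULE_RE.match(name)
        missing = sorted((RULE_KEYS if rule else CONDITION_KEYS) - set(keys))
        if missing:
            problems.append(f"[{name}]: missing {', '.join(missing)}")
        if rule and rule.group(2) not in conditions:
            problems.append(
                f"[{name}]: refers to undefined condition [{rule.group(2)}]")
    return problems


def unfired_rules(conf_text, log_text):
    """Rules defined in the config that never appear in a 'Match Vlan rule' line."""
    sections, _ = parse_sections(conf_text)
    fired = set(MATCH_LOG_RE.findall(log_text))
    return sorted(n for n in sections if RULE_RE.match(n) and n not in fired)


# Constructed inputs: the working config and log lines as posted in the thread,
# and the earlier paste whose first header lacks its opening bracket.
WORKING_CONF = """\
# If the user connects to ssid resnet then set their vlan to role resnet
[resnet]
filter = ssid
operator = is
value = resnet

[1:resnet]
scope = NormalVlan
role = resnet
"""

PASTED_CONF = """\
resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = NormalVlan
role = resnet
"""

SAMPLE_LOG = """\
Aug 06 14:13:06 httpd.aaa(46816) INFO: [mac] Match Vlan rule: 1:resnet (pf::vlan::filter::test)
Aug 06 14:13:06 httpd.aaa(46816) INFO: [mac] PID: , Status: reg. Returned VLAN: xx (pf::vlan::fetchVlanForNode)
"""

if __name__ == "__main__":
    for label, conf in (("working", WORKING_CONF), ("pasted", PASTED_CONF)):
        print(label, lint(conf) or "no problems")
    print("never matched in log:", unfired_rules(WORKING_CONF, SAMPLE_LOG))
```

A rule that lints clean but is still listed by `unfired_rules` points back at the checks Louis lists: SSID case, whether the controller sends the SSID, and whether the running service has reloaded the file.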
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
Hi Tim.

Yes, users could register on this SSID as well. But, a device may have been registered on a separate SSID, and then try to connect to this network.

Student connects to our regular SSID, and registers. Gets a role of student
Student goes to residence hall
Student connects to SSID resnet. This is where I want them to vlan switch to the resnet vlan. Normally identified by role resnet

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

> Or setup a portal profile. Do you want people to register devices on this ssid?
>
> Sent from my iPhone
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
Pete,

I think you'll want something like this:

[resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = AutoRegister
role = resnet

[2:resnet-ssid]
scope = NormalVlan
role = resnet
action = modify_node
action_param = mac = $mac, category = resnet

On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

> Hi Tim.
>
> Yes, users could register on this SSID as well. But, a device may have been registered on a separate SSID, and then try to connect to this network.
>
> Student connects to our regular SSID, and registers. Gets a role of student
> Student goes to residence hall
> Student connects to SSID resnet. This is where I want them to vlan switch to the resnet vlan. Normally identified by role resnet

--
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY 12303
518-836-2341

--
IMPORTANT NOTICE: This message and any attachments are solely for the intended recipient and may contain confidential information, which is, or may be, legally privileged or otherwise protected by law from further disclosure. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this email and any attachments is prohibited. If you have received this communication in error, please notify the sender by reply email and immediately and permanently delete this email and any attachments.
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
Yes, this is for auto registration. If you still want unregistered users to hit the registration page, why don't you add the resnet SSID to the portal profile you have for your regular SSID?

On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

> Thanks, Chris!
>
> Does the AutoRegister automatically register the user, then? I don't necessarily want that. I still want them to get stuck on a registration page if they are not registered...

--
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY 12303
518-836-2341
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
Our regular SSID is 802.1x. There is no portal profile, if I'm not mistaken.

I have a portal profile for resnet, and that works fine for unregistered devices. I just want registered devices (such as ones that connected to the 802.1x regular ssid first) to connect to a different vlan (resnet) when they connect to the resnet ssid.

I don't actually want to modify the node. Just switch it to a different vlan.

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Thu, Aug 6, 2015 at 10:55 AM, Chris Abel ca...@wildwoodprograms.org wrote:

> Yes, this is for auto registration. If you still want unregistered users to hit the registration page, why don't you add the resnet SSID to the portal profile you have for your regular SSID?
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
That's why I use different roles for 1x and portal login. I don't assign the role to the device for portal login, just register and dynamically assign. Then I have a rule to deny association for registered devices with no role to the insecure ssids. Once someone connects with 1x, that device isn't allowed on Mac auth until the next day (expire the registration).

My goal is to always keep people on 1x and only use portal for devices that can't use 1x for some reason. But we don't have dorms so the situation is a little different.

Sent from my iPhone

On Aug 6, 2015, at 11:11 AM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

> Our regular SSID is 802.1x. There is no portal profile, if I'm not mistaken.
>
> I have a portal profile for resnet, and that works fine for unregistered devices. I just want registered devices (such as ones that connected to the 802.1x regular ssid first) to connect to a different vlan (resnet) when they connect to the resnet ssid.
>
> I don't actually want to modify the node. Just switch it to a different vlan.
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
Thanks, Chris!

Does the AutoRegister automatically register the user, then? I don't necessarily want that. I still want them to get stuck on a registration page if they are not registered...

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org wrote:

> Pete,
>
> I think you'll want something like this:
>
> [resnet-ssid]
> filter = ssid
> operator = is
> value = resnet
>
> [1:resnet-ssid]
> scope = AutoRegister
> role = resnet
>
> [2:resnet-ssid]
> scope = NormalVlan
> role = resnet
> action = modify_node
> action_param = mac = $mac, category = resnet
Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf
That's on the user. If they don't use the installer we provide that sets up all the certificates and trusts. Otherwise it really doesn't matter. If I went and set up a hotspot near your campus with a ssid of resnet and made the portal look the same as yours I could probably have dozens or hundreds of passwords by the end of the day. Perfect world would be doing certificate auth but it took me long enough just to get them to think about dropping psk networks. ;)

On Aug 6, 2015, at 11:27 AM, Chris Abel ca...@wildwoodprograms.org wrote:

We just use portal profiles because of all the security holes with 802.1x. One such example that still works especially well for mobile devices:
https://www.defcon.org/images/defcon-21/dc-21-presentations/djwishbone-PuNk1nPo0p/DEFCON-21-djwishbone-PuNk1nPo0p-BYO-Disaster-Updated.pdf

Hopefully your 802.1x credentials aren't the same credentials for other online services. Not sure how to accomplish what you're trying to do. Sorry.

On Thu, Aug 6, 2015 at 11:16 AM, Tim DeNike tim.den...@mcc.edu wrote:

That's why I use different roles for 1x and portal login. I don't assign the role to the device for portal login, just register and dynamically assign. Then I have a rule to deny association for registered devices with no role to the insecure ssids. Once someone connects with 1x, that device isn't allowed on MAC auth until the next day (expire the registration). My goal is to always keep people on 1x and only use portal for devices that can't use 1x for some reason. But we don't have dorms so the situation is a little different.

On Aug 6, 2015, at 11:11 AM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

Our regular SSID is 802.1x. There is no portal profile, if I'm not mistaken. I have a portal profile for resnet, and that works fine for unregistered devices.

I just want registered devices (such as ones that connected to the 802.1x regular ssid first) to connect to a different vlan (resnet) when they connect to the resnet ssid. I don't actually want to modify the node. Just switch it to a different vlan.

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Thu, Aug 6, 2015 at 10:55 AM, Chris Abel ca...@wildwoodprograms.org wrote:

Yes, this is for auto registration. If you still want unregistered users to hit the registration page, why don't you add the resnet SSID to the portal profile you have for your regular SSID?

On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

Thanks, Chris! Does the AutoRegister automatically register the user, then? I don't necessarily want that. I still want them to get stuck on a registration page if they are not registered...

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org wrote:

Pete, I think you'll want something like this:

[resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = AutoRegister
role = resnet

[2:resnet-ssid]
scope = NormalVlan
role = resnet
action = modify_node
action_param = mac = $mac, category = resnet

On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

Hi Tim. Yes, users could register on this SSID as well. But, a device may have been registered on a separate SSID, and then try to connect to this network.

Student connects to our regular SSID, and registers. Gets a role of student
Student goes to residence hall
Student connects to SSID resnet. This is where I want them to vlan switch to the resnet vlan. Normally identified by role resnet

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu

On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

Or set up a portal profile. Do you want people to register devices on this ssid?

On Aug 6, 2015, at 9:12 AM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

Good morning - I have a SSID resnet, and would like all users to be forced to vlan 10, no matter their role. I do have a role resnet that is defined in my device configurations to vlan 10. Would this be the correct rule for a vlan_filters.conf?

[resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = NormalVlan
role = resnet

- Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu
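A structural check for filter files laid out like the snippets in this thread, added here as an example; it is not PacketFence code and is not from any poster. The section grammar ("[name]" for a condition, "[N:expr]" for a rule that names conditions) is inferred from those snippets and is an assumption, as is treating every word in a rule header as a condition name; the check does not evaluate filters the way PacketFence does.

```python
import re

# Constructed sample in the thread's layout; the first header deliberately lacks its "[".
SAMPLE = """\
resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = NormalVlan
role = resnet
"""

# "[name]" defines a condition; "[N:expr]" is a rule that refers to conditions.
HEADER = re.compile(r"^\[(?:(\d+):)?([^\[\]]+)\]$")

def lint(text):
    """Return (line_number, message) tuples for structural problems."""
    problems, conditions, rules, keys = [], {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            keys = {}
            if m.group(1):
                rules.append((no, m.group(2), keys))
            else:
                conditions[m.group(2)] = (no, keys)
        elif "=" not in line:
            problems.append((no, f"not a [section] header or key = value: {line!r}"))
            keys = {}  # swallow the settings that follow the broken header
        elif keys is None:
            problems.append((no, "setting appears before any section"))
        else:
            key, _, value = line.partition("=")
            keys[key.strip()] = value.strip()
    for name, (no, k) in conditions.items():
        for missing in sorted({"filter", "operator", "value"} - set(k)):
            problems.append((no, f"condition {name!r} has no {missing!r}"))
    for no, expr, k in rules:
        for name in re.findall(r"[\w-]+", expr):
            if name not in conditions:
                problems.append((no, f"rule refers to undefined condition {name!r}"))
        if "scope" not in k:
            problems.append((no, "rule has no 'scope'"))
    return problems
```

Call `lint()` on the file contents; an empty list means every rule names a defined condition and every section has the keys the thread's snippets use.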
Re: [PacketFence-users] Getting the following perl dependency errors upgrading PF 4.2.2 to 5.3.1
Hello Will,

because not all of Red Hat's packages are in a single repo, you probably have to subscribe to more repos/channels.
https://access.redhat.com/solutions/11312

Or use the CentOS 6 repo just for the dependencies.

Regards
Fabrice

On 2015-08-05 17:02, Rossing, Will wrote:

Getting the following perl dependency errors upgrading PF 4.2.2 to 5.3.1, on Redhat 6. Any ideas would be much appreciated

-Will

Error: Package: perl-SQL-Abstract-1.78-1.of.el6.noarch (PacketFence)
       Requires: perl(Test::Deep)
Error: Package: perl-DBIx-Class-0.08270-1.of.el6.noarch (PacketFence)
       Requires: perl(Module::Find) = 0.07
Error: Package: perl-String-ToIdentifier-EN-0.11-1.of.el6.noarch (PacketFence)
       Requires: perl(Text::Unidecode) = 0.04
Error: Package: perl-Catalyst-Model-DBIC-Schema-0.59-1.of.el6.noarch (PacketFence)
       Requires: perl(Tie::IxHash)
You could try using --skip-broken to work around the problem

--
Will Rossing
Manager, Network Services | 218.723.6729 | wross...@css.edu