[PacketFence-users] Local account

2015-08-06 Thread Andy A
Hello.
Using PF 5.2 on CentOS 6.6 in inline mode. I had a few questions regarding local
account creation.
- How long is the local account valid for after it's been created?
- Can the local account details (username and password that's sent in the email)
  be used to enable access again, after the access time period has expired?
Thanks


  --
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Tim DeNike
Or setup a portal profile.  Do you want people to register devices on this
ssid?

Sent from my iPhone

On Aug 6, 2015, at 9:12 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
wrote:

Good morning -

I have a SSID resnet, and would like all users to be forced to vlan 10,
no matter their role.

I do have a role resnet that is defined in my device configurations to
vlan 10.

Would this be the correct rule for a vlan_filters.conf?


[resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = NormalVlan
role = resnet


-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu



Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Pete Hoffswell
Well, I'm sticking to the original subject, here trying to get a vlan
filter to work -

resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = NormalVlan
role = resnet


I do not see any sort of info in the packetfence.log... I wonder if there's
a pf.conf command that directs PF to look for and run the vlan_filters.conf
stuff...



-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu


On Thu, Aug 6, 2015 at 12:13 PM, Tim DeNike tim.den...@mcc.edu wrote:

 That's on the user. If they don't use the installer we provide that sets
 up all the certificates and trusts.  Otherwise it really doesn't matter.
 If I went and setup a hotspot  near your campus with a ssid of resnet and
 made the portal look the same as yours I could probably have dozens or
 hundreds of passwords by the end of the day.

 Perfect world would be doing certificate auth but it took me long enough
 just to get them to think about dropping psk networks. ;)

 Sent from my iPhone

 On Aug 6, 2015, at 11:27 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 We just use portal profiles because of all the security holes with 802.1x.
 One such example that still works especially well for mobile devices:
 https://www.defcon.org/images/defcon-21/dc-21-presentations/djwishbone-PuNk1nPo0p/DEFCON-21-djwishbone-PuNk1nPo0p-BYO-Disaster-Updated.pdf

 Hopefully your 802.1x credentials aren't the same credentials for other
 online services.

 Not sure how to accomplish what you're trying to do. Sorry.

 On Thu, Aug 6, 2015 at 11:16 AM, Tim DeNike tim.den...@mcc.edu wrote:

 That's why I use different roles for 1x and portal login.  I don't assign
 the role to the device for portal login, just register and dynamically
 assign. Then I have a rule to deny association for registered devices with
 no role to the insecure ssids.  Once someone connects with 1x, that device
 isn't allowed on Mac auth until the next day (expire the registration). My
 goal is to always keep people on 1x and only use portal for devices that
 can't use 1x for some reason.

 But we don't have dorms so the situation is a little different.

 Sent from my iPhone

 On Aug 6, 2015, at 11:11 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
 wrote:

 Our regular SSID is 802.1x.  There is no portal profile, if I'm not
 mistaken.

 I have a portal profile for resnet, and that works fine for unregistered
 devices.

   I just want registered device (such as ones that connected to the
 802.1x regular ssid first) to connect to a different vlan (resnet) when
 they connect to the resnet ssid.

 I don't actually want to modify the node.  Just switch it to a different
 vlan.





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:55 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Yes, this is for auto registration.

 If you still want unregistered users to hit the registration page, why
 don't you add the resnet SSID to the portal profile you have for your
 regular SSID?

 On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Thanks, Chris!

 Does the AutoRegister automatically register the user, then?  I don't
 necessarily want that.  I still want them to get stuck on a registration
 page if they are not registered...

 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org
  wrote:

 Pete, I think you'll want something like this:

 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = AutoRegister
 role = resnet

 [2:resnet-ssid]
 scope = NormalVlan
 role = resnet
 action = modify_node
 action_param = mac = $mac, category = resnet

 On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may
 have been registered on a separate SSID, and then try to connect to this
 network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.
 Normally identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu
 wrote:

 Or setup a portal profile.  Do you want people to register devices
 on this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to
 vlan 10, no matter their role.

 I do have a role resnet that is defined in my device
 configurations to vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 

Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Louis Munro
A few possibilities:

- is the SSID called “resnet” (case matters)?
- is the AP/controller actually sending the SSID name in the radius request?
- is PacketFence able to parse that SSID as sent?

I suggest raising the log level to “DEBUG”.
That should show if the SSID is correctly detected.

VLAN filters are automatically run on every authentication.
You may want to restart to make sure the new ones are applied if you changed 
them. 


On Aug 6, 2015, at 1:45 PM, Pete Hoffswell pete.hoffsw...@davenport.edu wrote:

 Well, I'm sticking to the original subject, here trying to get a vlan 
 filter to work - 
 
 resnet-ssid]
 filter = ssid
 operator = is
 value = resnet
 
 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet
 
 
 I do not see any sort of info in the packetfence.log... I wonder if there's a 
 pf.conf command that directs PF to look for and run the vlan_filters.conf 
 stuff...








Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Pete Hoffswell
Hi, thanks, Louis!

I had restarted PF during my config process before.  I just did it again to
change the log level, and BAM, it started to work!

You can see it in the logs/packetfence.log file now:

Aug 06 14:13:06 httpd.aaa(46816) INFO: [mac] Match Vlan rule: 1:resnet (pf::vlan::filter::test)
Aug 06 14:13:06 httpd.aaa(46816) INFO: [mac] PID: , Status: reg. Returned VLAN: xx (pf::vlan::fetchVlanForNode)
Aug 06 14:13:06 httpd.aaa(46816) INFO: [mac] (ip.ip.ip.ip) Returning ACCEPT with VLAN xx and role  (pf::Switch::returnRadiusAccessAccept)

NICE!

I'm unsure why it was not happening before.  Maybe I had some syntax wrong
or something.

For the record, here's my config:


# If the user connects to ssid resnet then set their vlan to role resnet
#
[resnet]
filter = ssid
operator = is
value = resnet

[1:resnet]
scope = NormalVlan
role = resnet
#


Note that if an unregistered user connects to this SSID, they will use my
defined resnet portal.  They get a login, and will get a role assigned as
per the norm.  But, will still get pushed into the resnet vlan when
connecting.

Just what I was looking for.  Thanks everyone for your help



-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu


On Thu, Aug 6, 2015 at 2:03 PM, Louis Munro lmu...@inverse.ca wrote:

 A few possibilities:


- is the SSID called “resnet” (case matters)?
- is the AP/controller actually sending the SSID name in the radius
request?
- is PacketFence able to parse that SSID as sent?


 I suggest raising the log level to “DEBUG”.
 That should show if the SSID is correctly detected.

 VLAN filters are automatically run on every authentication.
 You may want to restart to make sure the new ones are applied if you
 changed them.


 On Aug 6, 2015, at 1:45 PM, Pete Hoffswell pete.hoffsw...@davenport.edu
 wrote:

 Well, I'm sticking to the original subject, here trying to get a vlan
 filter to work -

 resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 I do not see any sort of info in the packetfence.log... I wonder if
 there's a pf.conf command that directs PF to look for and run the
 vlan_filters.conf stuff...
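
A pre-restart check for the filter file discussed in this thread, as an added example (not PacketFence code and not written by any poster). It models only the syntax visible here, `[name]` conditions, `[N:name]` rules and the `is` operator, and assumes the lowest-numbered matching rule wins; the two embedded samples are the configurations posted in the thread.

```python
import re

# Section headers as they appear in this thread: "[name]" defines a condition,
# "[N:name]" defines rule number N that fires when condition "name" holds.
SECTION_RE = re.compile(r"^\[(?:(\d+):)?([A-Za-z0-9_-]+)\]$")
KEYVAL_RE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.*)$")

# Constructed sample inputs, copied from the two variants posted in the thread.
WORKING = """\
# If the user connects to ssid resnet then set their vlan to role resnet
[resnet]
filter = ssid
operator = is
value = resnet

[1:resnet]
scope = NormalVlan
role = resnet
"""

BROKEN = """\
resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = NormalVlan
role = resnet
"""


def parse_filters(text):
    """Parse the file into (conditions, rules, problems).

    problems is a list of (line_number, message) tuples.
    """
    conditions, rules, problems = {}, [], []
    current = None  # section that "key = value" lines are attached to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION_RE.match(line)
        if header:
            order, name = header.groups()
            current = {"name": name, "line": lineno, "fields": {}}
            if order is None:
                conditions[name] = current
            else:
                current["order"] = int(order)
                rules.append(current)
            continue
        keyval = KEYVAL_RE.match(line)
        if keyval and current is not None:
            current["fields"][keyval.group(1)] = keyval.group(2).strip()
        elif keyval:
            problems.append((lineno, "key outside any section: " + line))
        else:
            problems.append((lineno, "not a section header or key = value: " + line))
            current = None  # following keys no longer belong to a section
    for rule in rules:
        if rule["name"] not in conditions:
            problems.append((rule["line"], "rule %d uses undefined condition %s"
                             % (rule["order"], rule["name"])))
    return conditions, rules, problems


def role_for(text, scope, request):
    """Role set by the lowest-numbered matching rule in this scope, or None."""
    conditions, rules, _ = parse_filters(text)
    for rule in sorted(rules, key=lambda r: r["order"]):
        cond = conditions.get(rule["name"])
        if cond is None or rule["fields"].get("scope") != scope:
            continue
        fields = cond["fields"]
        attr, value = fields.get("filter"), fields.get("value")
        # "is" is an exact, case-sensitive comparison; a request that carries
        # no value for the filtered attribute can never match.
        if fields.get("operator") == "is" and value is not None \
                and request.get(attr) == value:
            return rule["fields"].get("role")
    return None


if __name__ == "__main__":
    for label, text in (("WORKING", WORKING), ("BROKEN", BROKEN)):
        for lineno, message in parse_filters(text)[2]:
            print("%s line %d: %s" % (label, lineno, message))
    # Same SSID, different case: only the exact spelling selects the role.
    print(role_for(WORKING, "NormalVlan", {"ssid": "resnet"}))
    print(role_for(WORKING, "NormalVlan", {"ssid": "ResNet"}))
```

The `request` dictionary stands in for what the AP or controller sends in the RADIUS request; an empty dictionary models a controller that does not send the SSID name at all.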










Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Pete Hoffswell
Hi Tim.

 Yes, users could register on this SSID as well.  But, a device may have
been registered on a separate SSID, and then try to connect to this network.

Student connects to our regular SSID, and registers.  Gets a role of
student
Student goes to residence hall
Student connects to SSID resnet.

This is where I want them to vlan switch to the resnet vlan.  Normally
identified by role resnet





-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu


On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or setup a portal profile.  Do you want people to register devices on this
 ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
 wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan 10,
 no matter their role.

 I do have a role resnet that is defined in my device configurations to
 vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu




Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Chris Abel
Pete, I think you'll want something like this:

[resnet-ssid]
filter = ssid
operator = is
value = resnet

[1:resnet-ssid]
scope = AutoRegister
role = resnet

[2:resnet-ssid]
scope = NormalVlan
role = resnet
action = modify_node
action_param = mac = $mac, category = resnet

On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
 wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may have
 been registered on a separate SSID, and then try to connect to this network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.  Normally
 identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or setup a portal profile.  Do you want people to register devices on
 this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
 wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan 10,
 no matter their role.

 I do have a role resnet that is defined in my device configurations to
 vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu






-- 
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY  12303
518-836-2341

-- 

IMPORTANT NOTICE: This message and any attachments are solely for the 
intended recipient and may contain confidential information, which is, or 
may be, legally privileged or otherwise protected by law from further 
disclosure. If you are not the intended recipient, any disclosure, copying, 
use, or distribution of the information included in this email and any 
attachments is prohibited. If you have received this communication in 
error, please notify the sender by reply email and immediately and 
permanently delete this email and any attachments.


Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Chris Abel
Yes, this is for auto registration.

If you still want unregistered users to hit the registration page, why
don't you add the resnet SSID to the portal profile you have for your
regular SSID?

On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell 
pete.hoffsw...@davenport.edu wrote:

 Thanks, Chris!

 Does the AutoRegister automatically register the user, then?  I don't
 necessarily want that.  I still want them to get stuck on a registration
 page if they are not registered...

 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Pete, I think you'll want something like this:

 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = AutoRegister
 role = resnet

 [2:resnet-ssid]
 scope = NormalVlan
 role = resnet
 action = modify_node
 action_param = mac = $mac, category = resnet

 On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may have
 been registered on a separate SSID, and then try to connect to this network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.  Normally
 identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or setup a portal profile.  Do you want people to register devices on
 this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan
 10, no matter their role.

 I do have a role resnet that is defined in my device configurations
 to vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu






 --
 Chris Abel
 Systems and Network Administrator
 Wildwood Programs
 2995 Curry Road Extension
 Schenectady, NY  12303
 518-836-2341





-- 
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY  12303
518-836-2341


Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Pete Hoffswell
Our regular SSID is 802.1x.  There is no portal profile, if I'm not
mistaken.

I have a portal profile for resnet, and that works fine for unregistered
devices.

  I just want registered devices (such as ones that connected to the 802.1x
regular ssid first) to connect to a different vlan (resnet) when they
connect to the resnet ssid.

I don't actually want to modify the node.  Just switch it to a different
vlan.





-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu


On Thu, Aug 6, 2015 at 10:55 AM, Chris Abel ca...@wildwoodprograms.org
wrote:

 Yes, this is for auto registration.

 If you still want unregistered users to hit the registration page, why
 don't you add the resnet SSID to the portal profile you have for your
 regular SSID?

 On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Thanks, Chris!

 Does the AutoRegister automatically register the user, then?  I don't
 necessarily want that.  I still want them to get stuck on a registration
 page if they are not registered...

 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Pete, I think you'll want something like this:

 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = AutoRegister
 role = resnet

 [2:resnet-ssid]
 scope = NormalVlan
 role = resnet
 action = modify_node
 action_param = mac = $mac, category = resnet

 On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may
 have been registered on a separate SSID, and then try to connect to this
 network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.  Normally
 identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or setup a portal profile.  Do you want people to register devices on
 this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan
 10, no matter their role.

 I do have a role resnet that is defined in my device configurations
 to vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu






 --
 Chris Abel
 Systems and Network Administrator
 Wildwood Programs
 2995 Curry Road Extension
 Schenectady, NY  12303
 518-836-2341





 --
 Chris Abel
 Systems and Network Administrator
 Wildwood Programs
 2995 Curry Road 

Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Tim DeNike
That's why I use different roles for 1x and portal login.  I don't assign
the role to the device for portal login, just register and dynamically
assign. Then I have a rule to deny association for registered devices with
no role to the insecure ssids.  Once someone connects with 1x, that device
isn't allowed on Mac auth until the next day (expire the registration). My
goal is to always keep people on 1x and only use portal for devices that
can't use 1x for some reason.

But we don't have dorms so the situation is a little different.

Sent from my iPhone

On Aug 6, 2015, at 11:11 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
wrote:

Our regular SSID is 802.1x.  There is no portal profile, if I'm not
mistaken.

I have a portal profile for resnet, and that works fine for unregistered
devices.

  I just want registered device (such as ones that connected to the 802.1x
regular ssid first) to connect to a different vlan (resnet) when they
connect to the resnet ssid.

I don't actually want to modify the node.  Just switch it to a different
vlan.





-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu


On Thu, Aug 6, 2015 at 10:55 AM, Chris Abel ca...@wildwoodprograms.org
wrote:

 Yes, this is for auto registration.

 If you still want unregistered users to hit the registration page, why
 don't you add the resnet SSID to the portal profile you have for your
 regular SSID?

 On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Thanks, Chris!

 Does the AutoRegister automatically register the user, then?  I don't
 necessarily want that.  I still want them to get stuck on a registration
 page if they are not registered...

 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Pete, I think you'll want something like this:

 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = AutoRegister
 role = resnet

 [2:resnet-ssid]
 scope = NormalVlan
 role = resnet
 action = modify_node
 action_param = mac = $mac, category = resnet

 On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may
 have been registered on a separate SSID, and then try to connect to this
 network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.  Normally
 identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or setup a portal profile.  Do you want people to register devices on
 this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan
 10, no matter their role.

 I do have a role resnet that is defined in my device configurations
 to vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu






 --
 Chris Abel
 Systems and Network Administrator
 Wildwood Programs
 2995 Curry Road Extension
 Schenectady, NY  12303
 518-836-2341


Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Pete Hoffswell
Thanks, Chris!

Does the AutoRegister automatically register the user, then?  I don't
necessarily want that.  I still want them to get stuck on a registration
page if they are not registered...

-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu


On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org
wrote:

 Pete, I think you'll want something like this:

 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = AutoRegister
 role = resnet

 [2:resnet-ssid]
 scope = NormalVlan
 role = resnet
 action = modify_node
 action_param = mac = $mac, category = resnet

 On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may have
 been registered on a separate SSID, and then try to connect to this network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.  Normally
 identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or setup a portal profile.  Do you want people to register devices on
 this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
 wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan
 10, no matter their role.

 I do have a role resnet that is defined in my device configurations to
 vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu






 --
 Chris Abel
 Systems and Network Administrator
 Wildwood Programs
 2995 Curry Road Extension
 Schenectady, NY  12303
 518-836-2341



Re: [PacketFence-users] Force vlan for a particular SSID using vlan_filters.conf

2015-08-06 Thread Tim DeNike
That's on the user. If they don't use the installer we provide that sets up
all the certificates and trusts.  Otherwise it really doesn't matter.  If I
went and set up a hotspot near your campus with an SSID of resnet and made
the portal look the same as yours I could probably have dozens or hundreds
of passwords by the end of the day.

Perfect world would be doing certificate auth but it took me long enough
just to get them to think about dropping psk networks. ;)

Sent from my iPhone

On Aug 6, 2015, at 11:27 AM, Chris Abel ca...@wildwoodprograms.org wrote:

We just use portal profiles because of all the security holes with 802.1x.
One such example that still works especially well for mobile devices:
https://www.defcon.org/images/defcon-21/dc-21-presentations/djwishbone-PuNk1nPo0p/DEFCON-21-djwishbone-PuNk1nPo0p-BYO-Disaster-Updated.pdf

Hopefully your 802.1x credentials aren't the same credentials for other
online services.

Not sure how to accomplish what you're trying to do. Sorry.

On Thu, Aug 6, 2015 at 11:16 AM, Tim DeNike tim.den...@mcc.edu wrote:

 That's why I use different roles for 1x and portal login.  I don't assign
 the role to the device for portal login, just register and dynamically
 assign. Then I have a rule to deny association for registered devices with
 no role to the insecure ssids.  Once someone connects with 1x, that device
 isn't allowed on Mac auth until the next day (expire the registration). My
 goal is to always keep people on 1x and only use portal for devices that
 can't use 1x for some reason.

 But we don't have dorms so the situation is a little different.

 Sent from my iPhone

 On Aug 6, 2015, at 11:11 AM, Pete Hoffswell pete.hoffsw...@davenport.edu
 wrote:

 Our regular SSID is 802.1x.  There is no portal profile, if I'm not
 mistaken.

 I have a portal profile for resnet, and that works fine for unregistered
 devices.

 I just want registered devices (such as ones that connected to the 802.1x
 regular ssid first) to connect to a different vlan (resnet) when they
 connect to the resnet ssid.

 I don't actually want to modify the node.  Just switch it to a different
 vlan.





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:55 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Yes, this is for auto registration.

 If you still want unregistered users to hit the registration page, why
 don't you add the resnet SSID to the portal profile you have for your
 regular SSID?

 On Thu, Aug 6, 2015 at 10:35 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Thanks, Chris!

 Does the AutoRegister automatically register the user, then?  I don't
 necessarily want that.  I still want them to get stuck on a registration
 page if they are not registered...

 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 10:30 AM, Chris Abel ca...@wildwoodprograms.org
 wrote:

 Pete, I think you'll want something like this:

 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = AutoRegister
 role = resnet

 [2:resnet-ssid]
 scope = NormalVlan
 role = resnet
 action = modify_node
 action_param = mac = $mac, category = resnet

 On Thu, Aug 6, 2015 at 9:27 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Hi Tim.

  Yes, users could register on this SSID as well.  But, a device may
 have been registered on a separate SSID, and then try to connect to this
 network.

 Student connects to our regular SSID, and registers.  Gets a role of
 student
 Student goes to residence hall
 Student connects to SSID resnet.

 This is where I want them to vlan switch to the resnet vlan.  Normally
 identified by role resnet





 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 On Thu, Aug 6, 2015 at 9:14 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Or set up a portal profile.  Do you want people to register devices on
 this ssid?

 Sent from my iPhone

 On Aug 6, 2015, at 9:12 AM, Pete Hoffswell 
 pete.hoffsw...@davenport.edu wrote:

 Good morning -

 I have a SSID resnet, and would like all users to be forced to vlan
 10, no matter their role.

 I do have a role resnet that is defined in my device configurations
 to vlan 10.

 Would this be the correct rule for a vlan_filters.conf?


 [resnet-ssid]
 filter = ssid
 operator = is
 value = resnet

 [1:resnet-ssid]
 scope = NormalVlan
 role = resnet


 -
 Pete Hoffswell - Network Manager
 pete.hoffsw...@davenport.edu
 http://www.davenport.edu


 --
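Added example (not part of any post in this thread, and not PacketFence's own code): a simplified Python model of how the vlan_filters.conf rules quoted above can be sanity-checked before deployment, and of which role a given scope and SSID would resolve to. It assumes single-filter conditions with the `is` operator and first match in numeric rule order; `load`, `lint` and `role_for` are hypothetical names.

```python
import configparser
import re

RULE = re.compile(r"^(\d+):(.+)$")  # numbered rule header, e.g. 1:resnet-ssid

# Constructed sample: the rules posted in the thread, without the modify_node action.
SAMPLE = """
[resnet-ssid]
filter = ssid
operator = is
value = resnet
[1:resnet-ssid]
scope = AutoRegister
role = resnet
[2:resnet-ssid]
scope = NormalVlan
role = resnet
"""

def load(text):
    """Split sections into filter definitions and numbered rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)  # raises configparser.Error if the first header is malformed
    filters, rules = {}, []
    for name in cp.sections():
        m = RULE.match(name)
        if m:
            rules.append((int(m.group(1)), m.group(2), dict(cp[name])))
        else:
            filters[name] = dict(cp[name])
    return filters, sorted(rules, key=lambda r: r[0])

def lint(filters, rules):
    """Report rules that reference no defined filter or lack scope/role."""
    problems = []
    for num, cond, body in rules:
        if cond not in filters:
            problems.append(f"rule {num}: undefined filter '{cond}'")
        problems += [f"rule {num}: missing '{k}'"
                     for k in ("scope", "role") if k not in body]
    return problems

def role_for(filters, rules, scope, attrs):
    """Role of the lowest-numbered rule whose scope and 'is' filter match."""
    for _num, cond, body in rules:
        f = filters.get(cond)
        if (f and body.get("scope") == scope and f.get("operator") == "is"
                and attrs.get(f.get("filter"), object()) == f.get("value")):
            return body.get("role")
    return None
```

A `None` result from `role_for` means no filter rule applied in this model, so the device would keep whatever role it already has.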

 

Re: [PacketFence-users] Getting the following perl dependency errors upgrading PF 4.2.2 to 5.3.1

2015-08-06 Thread Durand fabrice

Hello Will,

Because not all of Redhat's packages are in a single repo, you
probably have to subscribe to more repos/channels.

https://access.redhat.com/solutions/11312
Or use Centos 6 repo just for the dependencies.

Regards
Fabrice



On 2015-08-05 17:02, Rossing, Will wrote:
Getting the following perl dependency errors upgrading PF 4.2.2 to 
5.3.1, on Redhat 6.  Any ideas would be much appreciated  -Will


Error: Package: perl-SQL-Abstract-1.78-1.of.el6.noarch (PacketFence)
   Requires: perl(Test::Deep)
Error: Package: perl-DBIx-Class-0.08270-1.of.el6.noarch (PacketFence)
   Requires: perl(Module::Find) = 0.07
Error: Package: perl-String-ToIdentifier-EN-0.11-1.of.el6.noarch (PacketFence)
   Requires: perl(Text::Unidecode) = 0.04
Error: Package: perl-Catalyst-Model-DBIC-Schema-0.59-1.of.el6.noarch (PacketFence)
   Requires: perl(Tie::IxHash)
You could try using --skip-broken to work around the problem


--


Will Rossing
Manager, Network Services | 218.723.6729 | wross...@css.edu



