Re: [PacketFence-users] autoregister device - pf thinks it is coming from a secure connection and unregisters it.

2016-04-09 Thread Tim DeNike
WPA2-PSK isn't "secure".  WPA2 802.1X is.  What it means is if a
device was previously auto registered (like via dot1x), then
unregister it when connecting to a MAC-based SSID.

Probably better to do it with a null authentication source/portal
profile.  Might be other ways to do it, though.



> On Apr 9, 2016, at 5:04 PM, forums wrote:
>
>
> I have set up a clean install of pf 5.7.0.  The only thing I have added
> is my wlc to the switches and an auto-register config I have placed in
> vlan_filters.conf.  It is below the logfile.
>
> It appears that it is working, however pf believes that the device is
> coming from a secured connection and then unregisters it.
> I am not sure what is triggering that.  I do have a wpa-psk wlan on the
> controller, however I have not updated the wlan config to use pf.  I
> only have a guest ssid that is doing mac auth to the packetfence box.
> The device I tested with was not on the secure ssid as I have not added
> the wireless key to it.
>
> pf.conf is pretty bare outside of the interfaces, database password,
> e-mail address and hostname.
>
> Am I just missing the "unreg it if..." option somewhere?
>
> Thank you
> Sean
>
>
> INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from
> switch_ip => (172.18.252.50), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac =>
> [ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid =>
> Guest (pf::radius::authorize)
> INFO: [mac:ac:5f:3e:a8:62:67] does not yet exist in database. Adding it
> now (pf::radius::authorize)
> INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi
> (pf::access_filter::test)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
> (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
> (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] autoregister a node that is already
> registered, do nothing. (pf::node::node_register)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default
> (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] Connection type is WIRELESS_MAC_AUTH.
> Getting role from node_info (pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection
> and has been auto registered, we unreg it and forward it to the
> portal(pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] Username was defined "ac5f3ea86267" -
> returning role 'registration' (pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] PID: "default", Status: reg Returned VLAN:
> (undefined), Role: registration (pf::role::fetchRoleForNode)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added VLAN 100 to the
> returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added role registration to
> the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN
> 100 and role registration (pf::Switch::returnRadiusAccessAccept)
>
>
> vlan_filters.conf
>
> [guestwifi]
> filter = ssid
> operator = is
> value = Guest
>
> # Must autoreg every time
> [1:guestwifi]
> scope = AutoRegister
> role = guest
> action = register_node
> action_param = mac = $mac, category = guest, pid = admin, status = registered, unregdate = 2016-11-01 23:59:59
>
> [2:guestwifi]
> scope = NormalVlan
> role = guest
>
>
>
>

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
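
The sequence discussed in this thread (a filter rule matches, then pf::role::getRegisteredRole unregisters the node on a MAC-auth connection) can be picked out of packetfence.log by grouping lines per RADIUS request. The Python below is an added example, not part of the thread or of PacketFence; the first device's lines are the posted log messages with mail line wraps removed, and the second device, its VLAN 20 and all function names are constructed for contrast.

```python
import re

# Sample input: the first device's lines are the thread's log messages with mail
# line wraps removed (abridged); the second device and its VLAN are constructed.
SAMPLE_LOG = """\
INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from switch_ip => (172.18.252.50), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac => [ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid => Guest (pf::radius::authorize)
INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi (pf::access_filter::test)
INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection and has been auto registered, we unreg it and forward it to the portal(pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN 100 and role registration (pf::Switch::returnRadiusAccessAccept)
INFO: [mac:02:00:00:00:00:01] handling radius autz request: from switch_ip => (172.18.252.50), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac => [02:00:00:00:00:01], port => 29, username => "020000000001", ssid => Guest (pf::radius::authorize)
INFO: [mac:02:00:00:00:00:01] (172.18.252.50) Returning ACCEPT with VLAN 20 and role guest (pf::Switch::returnRadiusAccessAccept)
"""

LINE = re.compile(r"\[mac:([0-9a-f:]{17})\]\s+(.*)")
REQUEST = re.compile(r"connection_type => ([\w.-]+),.*ssid => (\S+)")
RULE = re.compile(r"Match rule (\S+)")
ACCEPT = re.compile(r"Returning ACCEPT with VLAN (\d+) and role (\w+)")

def parse_requests(log):
    """Group log lines into one record per RADIUS authorization request."""
    open_req, done = {}, []
    for mac, msg in LINE.findall(log):
        start = REQUEST.search(msg) if "handling radius autz request" in msg else None
        if start:
            open_req[mac] = {"mac": mac, "connection_type": start.group(1),
                             "ssid": start.group(2), "rules": [], "unregistered": False}
            continue
        req = open_req.get(mac)
        if req is None:
            continue  # line belongs to a request whose start we never saw
        rule, accept = RULE.search(msg), ACCEPT.search(msg)
        if rule:
            req["rules"].append(rule.group(1))
        elif "has been auto registered, we unreg it" in msg:
            req["unregistered"] = True
        elif accept:
            # The Access-Accept line closes the request record.
            req["vlan"], req["role"] = accept.groups()
            done.append(open_req.pop(mac))
    return done

def autoreg_then_unreg(log):
    """Requests where a filter rule matched and the node was then unregistered."""
    return [r for r in parse_requests(log) if r["rules"] and r["unregistered"]]

if __name__ == "__main__":
    print(autoreg_then_unreg(SAMPLE_LOG))
```
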


[PacketFence-users] autoregister device - pf thinks it is coming from a secure connection and unregisters it.

2016-04-09 Thread forums

I have set up a clean install of pf 5.7.0.  The only thing I have added
is my wlc to the switches and an auto-register config I have placed in
vlan_filters.conf.  It is below the logfile.

It appears that it is working, however pf believes that the device is 
coming from a secured connection and then unregisters it.
I am not sure what is triggering that.  I do have a wpa-psk wlan on the 
controller, however I have not updated the wlan config to use pf.  I 
only have a guest ssid that is doing mac auth to the packetfence box.  
The device I tested with was not on the secure ssid as I have not added 
the wireless key to it.

pf.conf is pretty bare outside of the interfaces, database password, 
e-mail address and hostname.

Am I just missing the "unreg it if..." option somewhere?

Thank you
Sean


INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from 
switch_ip => (172.18.252.50), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac => 
[ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid => 
Guest (pf::radius::authorize)
INFO: [mac:ac:5f:3e:a8:62:67] does not yet exist in database. Adding it 
now (pf::radius::authorize)
INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi 
(pf::access_filter::test)
INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default 
(pf::Portal::ProfileFactory::_from_profile)
INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default 
(pf::Portal::ProfileFactory::_from_profile)
INFO: [mac:ac:5f:3e:a8:62:67] autoregister a node that is already 
registered, do nothing. (pf::node::node_register)
INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default 
(pf::Portal::ProfileFactory::_from_profile)
INFO: [mac:ac:5f:3e:a8:62:67] Connection type is WIRELESS_MAC_AUTH. 
Getting role from node_info (pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection 
and has been auto registered, we unreg it and forward it to the 
portal(pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] Username was defined "ac5f3ea86267" - 
returning role 'registration' (pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] PID: "default", Status: reg Returned VLAN: 
(undefined), Role: registration (pf::role::fetchRoleForNode)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added VLAN 100 to the 
returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added role registration to 
the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN 
100 and role registration (pf::Switch::returnRadiusAccessAccept)


vlan_filters.conf

[guestwifi]
filter = ssid
operator = is
value = Guest

# Must autoreg every time
[1:guestwifi]
scope = AutoRegister
role = guest
action = register_node
action_param = mac = $mac, category = guest, pid = admin, status = registered, unregdate = 2016-11-01 23:59:59

[2:guestwifi]
scope = NormalVlan
role = guest






Re: [PacketFence-users] Unable to authenticate the Active Directory User

2016-04-09 Thread Durand fabrice

Hi,

Can you try to use the same credential on the laptop?
Since Administrateur works on the CLI, check if it works with RADIUS.

Fabrice

On 2016-04-09 10:58, TOURE Amidou Florian wrote:
Hi all, I have the same problem when trying to authenticate an AD user
on Packetfence.

I proceed like this:
Typing this command: raddebug -f /usr/local/pf/var/run/radiusd.sock
and enabled radius and aaa debug on my switch.

ntlm_auth test gives me this:
[root@localhost toure]# ntlm_auth --request-nt-key --domain=HEH.BE 
--username=Administrateur --password Amidou=_1992

NT_STATUS_OK: Success (0x0)
[root@localhost toure]#

But on radiusd.log I have the same error:
Sat Apr  9 07:49:57 2016 : Auth: Login incorrect (mschap: External 
script says Logon failure (0xc06d)): [Prof-PC\\$
Sat Apr  9 07:49:57 2016 : Auth: Login incorrect: [Prof-PC\\Prof] 
(from client 192.168.1.5/255.255.255.0 port 50002 cl$
Sat Apr  9 07:51:23 2016 : Info:  ... adding new socket command file 
/usr/local/pf/var/run/radiusd.sock
Sat Apr  9 07:51:23 2016 : Info:  ... adding new socket command file 
/usr/local/pf/var/run/radiusd.sock
Sat Apr  9 07:51:23 2016 : Info:  ... adding new socket command file 
/usr/local/pf/var/run/radiusd.sock
Sat Apr  9 07:51:23 2016 : Info:  ... adding new socket command file 
/usr/local/pf/var/run/radiusd.sock

I have also started radius in debug mode.
Now I really don't know how I can resolve this.

Need help
Thanks






[PacketFence-users] Unable to authenticate the Active Directory User

2016-04-09 Thread TOURE Amidou Florian
Hi all, I have the same problem when trying to authenticate an AD user on
Packetfence.

I proceed like this:
Typing this command: raddebug -f /usr/local/pf/var/run/radiusd.sock
and enabled radius and aaa debug on my switch.

ntlm_auth test gives me this:
[root@localhost toure]# ntlm_auth --request-nt-key --domain=HEH.BE --username=Administrateur --password Amidou=_1992

NT_STATUS_OK: Success (0x0)
[root@localhost toure]#

But on radiusd.log I have the same error:
Sat Apr  9 07:49:57 2016 : Auth: Login incorrect (mschap: External script says Logon failure (0xc06d)): [Prof-PC\\$
Sat Apr  9 07:49:57 2016 : Auth: Login incorrect: [Prof-PC\\Prof] (from client 192.168.1.5/255.255.255.0 port 50002 cl$
Sat Apr  9 07:51:23 2016 : Info:  ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
Sat Apr  9 07:51:23 2016 : Info:  ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
Sat Apr  9 07:51:23 2016 : Info:  ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
Sat Apr  9 07:51:23 2016 : Info:  ... adding new socket command file /usr/local/pf/var/run/radiusd.sock

I have also started radius in debug mode.
Now I really don't know how I can resolve this.

Need help
Thanks
