Re: [PacketFence-users] default SMS carrier

2016-07-29 Thread Torry, Andrew
I would like to have an option to set the SMS carrier in the config and hide 
the option field altogether, as we use a single SMS carrier to send out SMS 
messages to guests (via the JANET SMS messaging service).




-
 Falmouth University
-

-Original Message-
From: Morgan, Joel P. [mailto:joel.mor...@mga.edu]
Sent: 28 July 2016 19:37
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] default SMS carrier

In the SMS form, is it possible to populate the default SMS carrier with a 
blank entry? I get a lot of undeliverable emails to "3 River Wireless", which is 
first on the list. I would like to make the default blank, so if they forget to 
select their carrier, it will show them an error.


--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Vlan enforcement mode deployment

2016-07-29 Thread Damiano Verzulli
On 29/07/2016 03:14, Sallee, Jake wrote:
> Eloge:
> 
> I have been running PF in production for years with a very similar
> setup to the one you have described.


Hi Jake,

I was tempted to answer myself with a "yes, it's possible. Definitely"
but then I re-read this sentence, in the original POST from Eloge:

> [...] We have an hybrid network with WIFI and Wired connection with at
> some points CASCADED SWITCHES WITH MANAGED AND UNMANAGED EQUIPMENTS. 
> [...]
(caps added by me)

As in my network environment there are "unmanaged" switches as well
(...unfortunately!), I believed that this is definitely a NO-NO for a
VLAN deployment of PF.

Am I wrong?

Thanks,
DV

-- 
Damiano Verzulli
e-mail: dami...@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
  http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html


[PacketFence-users] Questions About Packetfence Out-of-band Wireless Only

2016-07-29 Thread Eddie G .
Hello,


I currently have a SOHO setup, Peplink Balance 105 router connected to a web 
managed Netgear switch (not supported by packetfence, but allows me to 
configure VLANs). I recently bought a few Pepwave AP One access points and 
would like to secure only the wireless network using packetfence.


I am testing with ZEN and have followed the Out-of-Band Deployment Quick Guide 
all the way up to section 6.1.

The beginning of section 6.3 shows how to configure packetfence for a Cisco 
switch. Would I need to do something similar with packetfence to make it work 
with the Pepwave AP access points? If yes, can someone point me in the right 
direction please?


I have also read section 5.2 about Unsupported Equipment and the Pepwave APs 
support mac authentication along with 802.1x. The access points are also really 
easy to configure, my main issue is with the configuration of packetfence.


Is it possible to secure wireless only without using a supported switch (as in 
my case, using a simple netgear switch that has VLAN functionality)? Also, what 
does the following clause mean: "On your production VLANs a copy of the DHCP 
traffic must reach PacketFence"? If all of my wireless clients are on VLAN 21, 
does that mean I'd need to forward DHCP traffic from VLAN 21 to the management 
VLAN (where packetfence resides)?


Thank you,

Eddie


Re: [PacketFence-users] question re feature #1246

2016-07-29 Thread Fabrice Durand

Hi Will,


Sorry for the delay.

Here is the correct syntax (without spaces).

update {
    &control:Tmp-Integer-2 := "%{myad:ldap:///dc=district,dc=acme,dc=com?badPwdCount?sub?sAMAccountName=%{Stripped-User-Name}}";
}

btw you will need to add a REALM in configuration -> Realms and restart 
radius.


Regards

Fabrice



On 2016-07-26 at 09:47, Will Halsall wrote:

Hi Fabrice

This is the output of ‘radiusd -X -d /usr/local/pf/raddb -n auth’ showing the 
error I am getting:

including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel[76]: Expecting section start brace '{' after "&control: Tmp-Integer-2"
Errors reading or parsing /usr/local/pf/raddb/auth.conf

Thanks

WillH

From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Tuesday, July 26, 2016 1:30 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] question re feature #1246

Hello Will,

Can you give me the radius debug?

Regards

Fabrice

On 2016-07-26 at 07:22, Will Halsall wrote:

Hi Fabrice,

I cannot get the syntax of the following command to work for me.
Would it be possible to advise on the correct syntax to use in the
authorize section of packetfence-tunnel?

Add a test in authorize

update {
  &control: Tmp-Integer-2 :=
"%{myad:ldap:///dc=district,dc=acme,dc=com
? badPwdCount?sub?uid=%u}"
}

Thanks

Will halsall

From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Thursday, June 23, 2016 2:24 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] question re feature #1246

Hello Will,

Unfortunately not yet, but not really complicated to add.

First you need to define your ldap server in freeradius:

ldap myad {
    server = "ldap.acme.com"
    identity = "uid=admin,dc=acme,dc=com"
    password = "password"
    basedn = "dc=district,dc=acme,dc=com"
    filter = "(uid=%{mschap:User-Name})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no

    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60

        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3

        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

Then in /usr/local/pf/raddb/sites-available/packetfence-tunnel

Add a test in authorize

update {
  &control: Tmp-Integer-2 :=
"%{myad:ldap:///dc=district,dc=acme,dc=com
? badPwdCount?sub?uid=%u}"
}

if (%{Tmp-Integer-2} > "3") {
    reject
}


I did not test but the logic is there.

Regards
Fabrice


On 2016-06-23 08:08, Will Halsall wrote:

Hi Folks,

Did feature #1246 ‘Avoid accounts being locked due to password
changes in AD’ make it into PF6.1.1, as option 3 would be very
useful for us?

Thanks

WillH


-- 


Fabrice Durand

fdur...@inverse.ca   ::  +1.514.447.4918 (x135) 
::www.inverse.ca 

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

This

Re: [PacketFence-users] question re feature #1246

2016-07-29 Thread Will Halsall
Hi Fabrice,


Thank you very much for your help, it seems to work a dream.

I had created my ldap realm /usr/local/pf/raddb/mods-enabled/ as you specified 
and you can see when you start radiusd in debug mode it binds to the server, but 
I will try making a realm as you have advised.

Thank you again for your help, this will solve a lot of user problems for me 
when passwords expire.


WillH
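
The pieces of this thread assembled into one authorize fragment, as an added example that is not taken from the original messages. The update line is the corrected syntax from the 2016-07-29 reply; the condition is rewritten as a direct attribute comparison, which is an assumption about FreeRADIUS 3 unlang and was not tested in the thread.

```unlang
# Added example for the authorize section of
# /usr/local/pf/raddb/sites-available/packetfence-tunnel.
# "myad" is the rlm_ldap instance defined earlier in the thread.

# Read badPwdCount for the authenticating user from the directory.
# There is no whitespace after "&control:" or inside the LDAP URL:
# the space in "&control: Tmp-Integer-2" is what produced
# "Expecting section start brace '{'" in the radiusd -X output.
# Stripped-User-Name is filled in by realm processing, so a realm
# must match the user for the filter to contain a name.
update {
    &control:Tmp-Integer-2 := "%{myad:ldap:///dc=district,dc=acme,dc=com?badPwdCount?sub?sAMAccountName=%{Stripped-User-Name}}"
}

# Assumption (not tested in the thread): compare the control attribute
# directly instead of an unquoted %{...} expansion, because the value
# was written to the control list above.
# 3 is the threshold used in the thread. Keep it below the directory's
# lockout threshold, so that RADIUS stops passing bad passwords on
# before the account is locked.
if (&control:Tmp-Integer-2 > 3) {
    reject
}
```

Check the result with 'radiusd -X -d /usr/local/pf/raddb -n auth', the debug command used earlier in the thread.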





[PacketFence-users] packetfence weird issues

2016-07-29 Thread Oumy Coulibaly
Hello all!
Well, it's me again. I uninstalled packetfence from my Debian 7 (which
was very hard...), then I installed it again with some issues, but I fixed them
except one that is really killing me. When I do service packetfence start I get
this:
 [] Starting packetfence:unknown command service

Usage:
pfcmd  [options]

 Commands
  cache                       | manage the cache subsystem
  checkup                     | perform a sanity checkup and report any problems
  class                       | view violation classes
  configfiles                 | push or pull configfiles into/from database
  configreload                | reload the configution
  floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
  help                        | show help for pfcmd commands
  ifoctetshistorymac          | accounting history
  ifoctetshistoryswitch       | accounting history
  ifoctetshistoryuser         | accounting history
  import                      | bulk import of information into the database
  ipmachistory                | IP/MAC history
  locationhistorymac          | Switch/Port history
  locationhistoryswitch       | Switch/Port history
  networkconfig               | query/modify network configuration parameters
  node                        | manipulate node entries
  pfconfig                    | interact with pfconfig
  portalprofileconfig         | query/modify portal profile configuration parameters
  reload                      | rebuild fingerprint or violations tables without restart
  service                     | start/stop/restart and get PF daemon status
  schedule                    | Nessus scan scheduling
  switchconfig                | query/modify switches.conf configuration parameters
  version                     | output version information
  violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help " for details on each option

And I can't access the web manager. I need help!!
Thanks
Oumy


[PacketFence-users] Use both Inline & Vlan enforcement

2016-07-29 Thread Farzan Doroodgar
Hi,

I have a specific requirement that I want to use PF in both vlan
enforcement and inline modes. I want to configure cisco switch so that
clients are put in a normal vlan with local access to some subnets and when
user successfully logs in through captive portal to get internet access it
will be assigned to a vlan which is configured to be inline mode from PF
side. Can anybody confirm that this setup is possible or not? If yes, for
my normal vlan which type should I choose...? Isolation with portal daemon,
Registration? No difference?

PF -- Cisco Catalyst 2960 -- Wired nodes

Thanks


[PacketFence-users] Problem getting PF to work as expected

2016-07-29 Thread Farzan Doroodgar
Hi experts,

I'm having problems configuring PF in vlan enforcement. I am trying to
authenticate using dot1x but it fails over to mab, and although I can see in
cisco logs that vlan2 (registration) is assigned, the client does not get an ip
in vlan 2 range. I have tested with having dot1x disabled too, but when I
put the user directly on the registration vlan, after successful login in the
captive portal the user doesn't get reassigned to vlan 3 and the captive portal
shows an error "Unable to detect network connectivity. Try restarting your web
browser or opening a new tab to see if your access has been successfully
enabled." Honestly I haven't been able to run a working installation so far.
I have tried inline and vlan enforcement using Zen all with no success!

There are a few timeout errors in my cisco 2960 logs (I made them bold) but
I made sure that both PF and cisco can see each other. I have also
temporarily disabled PF iptables (iptables -F) and it didn't make any
difference.


Please help me out get PF working as expected.


Thanks

*show authentication sessions interface fastEthernet 0/1*

        Interface:  FastEthernet0/1
      MAC Address:  782b.cbd2.b26e
       IP Address:  Unknown
        User-Name:  782bcbd2b26e
           *Status:  Authz Failed*
           Domain:  DATA
   Oper host mode:  multi-domain
 Oper control dir:  both
    Authorized By:  Authentication Server
      Vlan Policy:  N/A
  Session timeout:  10800s (local), Remaining: 10226s
   Timeout action:  Reauthenticate
     Idle timeout:  N/A
Common Session ID:  C0A86402005E01C16861
  Acct Session ID:  0x01B5
           Handle:  0x1E5F


*radiusd.log*

Fri Jul 29 18:03:21 2016 : Auth: rlm_perl: Returning vlan 2 to request from 78:2b:cb:d2:b2:6e port 50001
Fri Jul 29 18:03:21 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
Fri Jul 29 18:03:21 2016 : Info: rlm_sql (sql): Closing connection (53): Hit idle_timeout, was idle for 2182 seconds
Fri Jul 29 18:03:21 2016 : Info: rlm_sql (sql): Closing connection (54): Hit idle_timeout, was idle for 2182 seconds
Fri Jul 29 18:03:21 2016 : Info: rlm_sql (sql): Opening additional connection (55), 1 of 64 pending slots used
Fri Jul 29 18:03:21 2016 : Info: rlm_sql (sql): Need 2 more connections to reach 10 spares
Fri Jul 29 18:03:21 2016 : Info: rlm_sql (sql): Opening additional connection (56), 1 of 63 pending slots used
Fri Jul 29 18:03:20 2016 : [mac:78:2b:cb:d2:b2:6e] Accepted user:  and returned VLAN 2
Fri Jul 29 18:03:21 2016 : Auth: (65) Login OK: [782bcbd2b26e] (from client 192.168.100.2 port 50001 cli 78:2b:cb:d2:b2:6e)

*packetfence.log*

Jul 29 18:03:21 httpd.aaa(3552) INFO: [mac:78:2b:cb:d2:b2:6e] handling radius autz request: from switch_ip => (192.168.100.2), connection_type => WIRED_MAC_AUTH,switch_mac => (00:26:98:dd:2e:81), mac => [78:2b:cb:d2:b2:6e], port => 10001, username => "782bcbd2b26e" (pf::radius::authorize)
Jul 29 18:03:21 httpd.aaa(3552) INFO: [mac:78:2b:cb:d2:b2:6e] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 29 18:03:21 httpd.aaa(3552) INFO: [mac:78:2b:cb:d2:b2:6e] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jul 29 18:03:21 httpd.aaa(3552) INFO: [mac:78:2b:cb:d2:b2:6e] (192.168.100.2) Added VLAN 2 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 29 18:03:21 httpd.aaa(3552) INFO: [mac:78:2b:cb:d2:b2:6e] (192.168.100.2) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)


*Cisco 2960 IOS 15.0(2)SE10 log of dot1x/mab authentication (tried with IOS
12.55 as well):*

004176: 08:10:32: dot1x-ev(Fa0/1): Interface state changed to UP
004177: 08:10:32: AAA/BIND(01BD): Bind i/f
004178: 08:10:32: dot1x_auth Fa0/1: initial state auth_initialize has enter
004179: 08:10:32: dot1x-sm(Fa0/1): 0x854E:auth_initialize_enter called
004180: 08:10:32: dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
004181: 08:10:32: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
004182: 08:10:32: dot1x-sm(Fa0/1): 0x854E:auth_disconnected_enter called
004183: 08:10:32: dot1x_auth Fa0/1: idle during state auth_disconnected
004184: 08:10:32: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
004185: 08:10:32: dot1x-sm(Fa0/1): 0x854E:auth_restart_enter called
004186: 08:10:32: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x854E (..)
004187: 08:10:32: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
004188: 08:10:32: dot1x-sm(Fa0/1): 0x854E:auth_bend_initialize_enter called
004189: 08:10:32: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
004190: 08:10:32: dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
004191: 08:10:32: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> a

[PacketFence-users] Error! The authentication source was not found.

2016-07-29 Thread g4-lisz
Hi guys,

I get this error when I try to modify any of the settings of a user
source in the admin interface.

The only way to modify a source is by deleting and adding it again with
different settings. I read that other users had the same issue, but
there was no reply on their report, and as it seems, no solution.

Is this a known bug and has it been fixed in 6.2.1? I'm using 6.2.0 at
the moment.

Kind regards,
Till

