[PacketFence-users] parking violation bug?

2016-09-07 Thread Morris, Andi
Hi all,
I've set up parking to trap devices that have been in the setup portal for over 
3600 seconds, however I noticed a huge amount of users were triggering the 
violation. After doing some testing with my own phone I found that this was 
triggering after just 9 minutes.

I can't see how I've set this up wrong, there's not very much to actually set up!

Has anyone else seen this?

Cheers,
Andi
--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Windows 10 & Kaspersky

2016-09-07 Thread Thomas, Gregory A
All,

Is anyone else having problems with Windows 10 and Kaspersky AV?

I am having multiple folks that can connect to the network, but the browser 
reports: No Connection.

Any clues on what I may need to change on my side or advice to give them to 
connect.

--
Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432



[PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Jason 'XenoPhage' Frisvold
Hi all,

I'm trying to set up a new packetfence instance to authenticate via
802.1x.  I'm working on wired only right now but will be adding wireless
shortly.  I'm running into a problem, though, as shown in the error
pasted below.

I'm only looking to use users defined in the packetfence admin
interface, no external database as of right now.  What am I doing wrong?

==> logs/radius.log <==
Wed Sep  7 15:18:20 2016 : ERROR: (36) mschap: ERROR: Program returned
code (1) and output 'Reading winbind reply failed! (0xc001)'
Wed Sep  7 15:18:20 2016 : Auth: (36)   Login incorrect (mschap: Program
returned code (1) and output 'Reading winbind reply failed!
(0xc001)'): [testuser] (from client 192.168.10.10 port 50101 cli
xx:xx:xx:xx:xx:xx via TLS tunnel)
Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Closing connection (61):
Hit idle_timeout, was idle for 97 seconds
Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Closing connection (62):
Hit idle_timeout, was idle for 97 seconds
Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Opening additional
connection (63), 1 of 64 pending slots used
Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Need 2 more connections
to reach 10 spares
Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Opening additional
connection (64), 1 of 63 pending slots used
Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   The users session was
previously rejected: returning reject (again.)
Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   This means you need to
read the PREVIOUS messages in the debug output
Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   to find out the reason
why the user was rejected
Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   Look for "reject" or
"fail".  Those earlier messages will tell you
Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   what went wrong, and
how to fix the problem
Wed Sep  7 15:18:20 2016 : Auth: (37) Login incorrect (eap: Failed
continuing EAP PEAP (25) session.  EAP sub-module failed): [testuser]
(from client 192.168.10.10 port 50101 cli xx:xx:xx:xx:xx:xx)
Wed Sep  7 15:18:20 2016 : [mac:xx:xx:xx:xx:xx:xx] Rejected user: testuser

Thanks,

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools."
- The Hitchhikers Guide to the Galaxy





Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Louis Munro
Hi Jason,

It's trying to use winbind for authentication.
Assuming you want to use locally defined users, it should not do that.

Can you send the output of 

# radiusd -d /usr/local/pf/raddb -n auth -X 

Please?

It should tell us why it's doing that.


> On Sep 7, 2016, at 3:23 PM, Jason 'XenoPhage' Frisvold wrote:
> 
> Hi all,
> 
>   I'm trying to set up a new packetfence instance to authenticate via
> 802.1x.  I'm working on wired only right now but will be adding wireless
> shortly.  I'm running into a problem, though, as shown in the error
> pasted below.
> 
>   I'm only looking to use users defined in the packetfence admin
> interface, no external database as of right now.  What am I doing wrong?
> 
> ==> logs/radius.log <==
> Wed Sep  7 15:18:20 2016 : ERROR: (36) mschap: ERROR: Program returned
> code (1) and output 'Reading winbind reply failed! (0xc001)'
> Wed Sep  7 15:18:20 2016 : Auth: (36)   Login incorrect (mschap: Program
> returned code (1) and output 'Reading winbind reply failed!
> (0xc001)'): [testuser] (from client 192.168.10.10 port 50101 cli
> xx:xx:xx:xx:xx:xx via TLS tunnel)
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Closing connection (61):
> Hit idle_timeout, was idle for 97 seconds
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Closing connection (62):
> Hit idle_timeout, was idle for 97 seconds
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Opening additional
> connection (63), 1 of 64 pending slots used
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Need 2 more connections
> to reach 10 spares
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Opening additional
> connection (64), 1 of 63 pending slots used
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   The users session was
> previously rejected: returning reject (again.)
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   This means you need to
> read the PREVIOUS messages in the debug output
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   to find out the reason
> why the user was rejected
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   Look for "reject" or
> "fail".  Those earlier messages will tell you
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   what went wrong, and
> how to fix the problem
> Wed Sep  7 15:18:20 2016 : Auth: (37) Login incorrect (eap: Failed
> continuing EAP PEAP (25) session.  EAP sub-module failed): [testuser]
> (from client 192.168.10.10 port 50101 cli xx:xx:xx:xx:xx:xx)
> Wed Sep  7 15:18:20 2016 : [mac:xx:xx:xx:xx:xx:xx] Rejected user: testuser
> 
> Thanks,




Regards,

--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )



Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Jason 'XenoPhage' Frisvold
Interestingly, MAB works just fine.  After 802.1x fails I can open a web
page and log in via the packetfence portal ...

On 9/7/16 15:23, Jason 'XenoPhage' Frisvold wrote:
> Hi all,
> 
>   I'm trying to set up a new packetfence instance to authenticate via
> 802.1x.  I'm working on wired only right now but will be adding wireless
> shortly.  I'm running into a problem, though, as shown in the error
> pasted below.
> 
>   I'm only looking to use users defined in the packetfence admin
> interface, no external database as of right now.  What am I doing wrong?
> 
> ==> logs/radius.log <==
> Wed Sep  7 15:18:20 2016 : ERROR: (36) mschap: ERROR: Program returned
> code (1) and output 'Reading winbind reply failed! (0xc001)'
> Wed Sep  7 15:18:20 2016 : Auth: (36)   Login incorrect (mschap: Program
> returned code (1) and output 'Reading winbind reply failed!
> (0xc001)'): [testuser] (from client 192.168.10.10 port 50101 cli
> xx:xx:xx:xx:xx:xx via TLS tunnel)
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Closing connection (61):
> Hit idle_timeout, was idle for 97 seconds
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Closing connection (62):
> Hit idle_timeout, was idle for 97 seconds
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Opening additional
> connection (63), 1 of 64 pending slots used
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Need 2 more connections
> to reach 10 spares
> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Opening additional
> connection (64), 1 of 63 pending slots used
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   The users session was
> previously rejected: returning reject (again.)
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   This means you need to
> read the PREVIOUS messages in the debug output
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   to find out the reason
> why the user was rejected
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   Look for "reject" or
> "fail".  Those earlier messages will tell you
> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   what went wrong, and
> how to fix the problem
> Wed Sep  7 15:18:20 2016 : Auth: (37) Login incorrect (eap: Failed
> continuing EAP PEAP (25) session.  EAP sub-module failed): [testuser]
> (from client 192.168.10.10 port 50101 cli xx:xx:xx:xx:xx:xx)
> Wed Sep  7 15:18:20 2016 : [mac:xx:xx:xx:xx:xx:xx] Rejected user: testuser
> 
> Thanks,

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools."
- The Hitchhikers Guide to the Galaxy





Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Louis Munro
Also, check that you have enabled local auth by uncommenting line 98 in 
conf/radiusd/packetfence-tunnel.



> On Sep 7, 2016, at 3:31 PM, Louis Munro  wrote:
> 
> Hi Jason,
> 
> It's trying to use winbind for authentication.
> Assuming you want to use locally defined users, it should not do that.
> 
> Can you send the output to 
> 
> # radiusd -d /usr/local/pf/raddb -n auth -X 
> 
> Please?
> 
> It should tell us why it's doing that.
> 
> 
>> On Sep 7, 2016, at 3:23 PM, Jason 'XenoPhage' Frisvold <xenoph...@godshell.com> wrote:
>> 
>> Hi all,
>> 
>>  I'm trying to set up a new packetfence instance to authenticate via
>> 802.1x.  I'm working on wired only right now but will be adding wireless
>> shortly.  I'm running into a problem, though, as shown in the error
>> pasted below.
>> 
>>  I'm only looking to use users defined in the packetfence admin
>> interface, no external database as of right now.  What am I doing wrong?
>> 
>> ==> logs/radius.log <==
>> Wed Sep  7 15:18:20 2016 : ERROR: (36) mschap: ERROR: Program returned
>> code (1) and output 'Reading winbind reply failed! (0xc001)'
>> Wed Sep  7 15:18:20 2016 : Auth: (36)   Login incorrect (mschap: Program
>> returned code (1) and output 'Reading winbind reply failed!
>> (0xc001)'): [testuser] (from client 192.168.10.10 port 50101 cli
>> xx:xx:xx:xx:xx:xx via TLS tunnel)
>> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Closing connection (61):
>> Hit idle_timeout, was idle for 97 seconds
>> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Closing connection (62):
>> Hit idle_timeout, was idle for 97 seconds
>> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Opening additional
>> connection (63), 1 of 64 pending slots used
>> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Need 2 more connections
>> to reach 10 spares
>> Wed Sep  7 15:18:20 2016 : Info: rlm_sql (sql): Opening additional
>> connection (64), 1 of 63 pending slots used
>> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   The users session was
>> previously rejected: returning reject (again.)
>> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   This means you need to
>> read the PREVIOUS messages in the debug output
>> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   to find out the reason
>> why the user was rejected
>> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   Look for "reject" or
>> "fail".  Those earlier messages will tell you
>> Wed Sep  7 15:18:20 2016 : Info: (37) eap_peap:   what went wrong, and
>> how to fix the problem
>> Wed Sep  7 15:18:20 2016 : Auth: (37) Login incorrect (eap: Failed
>> continuing EAP PEAP (25) session.  EAP sub-module failed): [testuser]
>> (from client 192.168.10.10 port 50101 cli xx:xx:xx:xx:xx:xx)
>> Wed Sep  7 15:18:20 2016 : [mac:xx:xx:xx:xx:xx:xx] Rejected user: testuser
>> 
>> Thanks,
> 
> 
> 
> 
> Regards,
> 
> --
> Louis Munro
> lmu...@inverse.ca   ::  www.inverse.ca 
>  
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
> PacketFence (www.packetfence.org )
> 


--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )



Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Jason 'XenoPhage' Frisvold
On 9/7/16 15:36, Louis Munro wrote:
> Also, check that you have enabled local auth by uncommenting line 98 in
> conf/radiusd/packetfence-tunnel.

Ah, well..  That wasn't set properly..  Is that in the documentation
somewhere and I overlooked it?

I already owe you beer from that last time we did this dance.  We're
definitely going to have to meet up at some point so I can settle my
debt..  :P

>> It's trying to use winbind for authentication.
>> Assuming you want to use locally defined users, it should not do that.
>>
>> Can you send the output to 
>>
>> # radiusd -d /usr/local/pf/raddb -n auth -X 
>>
>> Please?
>>
>> It should tell us why it's doing that.

Ok, so the winbind error seems to have gone away.  I'm still rejected,
but now with a slightly different error :

Wed Sep  7 16:14:39 2016 : Auth: (8)   Login incorrect (mschap:
MS-CHAP2-Response is incorrect): [testuser] (from client 192.168.10.10
port 50101 cli xx:xx:xx:xx:xx:xx via TLS tunnel)
Wed Sep  7 16:14:39 2016 : Info: (9) eap_peap:   The users session was
previously rejected: returning reject (again.)
Wed Sep  7 16:14:39 2016 : Info: (9) eap_peap:   This means you need to
read the PREVIOUS messages in the debug output
Wed Sep  7 16:14:39 2016 : Info: (9) eap_peap:   to find out the reason
why the user was rejected
Wed Sep  7 16:14:39 2016 : Info: (9) eap_peap:   Look for "reject" or
"fail".  Those earlier messages will tell you
Wed Sep  7 16:14:39 2016 : Info: (9) eap_peap:   what went wrong, and
how to fix the problem
Wed Sep  7 16:14:39 2016 : Auth: (9) Login incorrect (eap: Failed
continuing EAP PEAP (25) session.  EAP sub-module failed): [testuser]
(from client 192.168.10.10 port 50101 cli xx:xx:xx:xx:xx:xx)

Before we go too much farther, I haven't changed the sources
configuration at all.  Is there anything in there I need to add/change?

The radiusd output is rather long.. The above error is in the radiusd
output as well, so that's likely what you're looking for..

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Jason 'XenoPhage' Frisvold
On 9/7/16 16:23, Jason 'XenoPhage' Frisvold wrote:
> Wed Sep  7 16:14:39 2016 : Auth: (8)   Login incorrect (mschap:
> MS-CHAP2-Response is incorrect): [testuser] (from client 192.168.10.10
> port 50101 cli xx:xx:xx:xx:xx:xx via TLS tunnel)

So, the googles tell me that this means that the password is incorrect.
But, since I set the password to password, and I've tried this test a
number of times, I'm pretty sure I'm not mistyping it.  Additionally, I
can log in via the web portal using a password of password.

So, I wonder if I've missed another configuration option somewhere that
would resolve this.  Any thoughts?

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Louis Munro
Try to find the radius debug section where it actually looks up the user in the 
database.

It may not be finding it, or finding another.
If the password is right, the username must be wrong...


> On Sep 7, 2016, at 4:49 PM, Jason 'XenoPhage' Frisvold wrote:
> 
> On 9/7/16 16:23, Jason 'XenoPhage' Frisvold wrote:
>> Wed Sep  7 16:14:39 2016 : Auth: (8)   Login incorrect (mschap:
>> MS-CHAP2-Response is incorrect): [testuser] (from client 192.168.10.10
>> port 50101 cli xx:xx:xx:xx:xx:xx via TLS tunnel)
> 
> So, the googles tell me that this means that the password is incorrect.
> But, since I set the password to password, and I've tried this test a
> number of times, I'm pretty sure I'm not mistyping it.  Additionally, I
> can log in via the web portal using a password of password.
> 
> So, I wonder if I've missed another configuration option somewhere that
> would resolve this.  Any thoughts?
> 
> -- 
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> 
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
> 


--
Louis Munro
lmu...@inverse.ca   ::  www.inverse.ca 
 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu ) and 
PacketFence (www.packetfence.org )



Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Jason 'XenoPhage' Frisvold
On 9/7/16 16:52, Louis Munro wrote:
> Try to find the radius debug section where it actually looks up the user
> in the database.
> 
> It may not be finding it, or finding another.
> If the password is right, the username must be wrong...

Ok, so looks like I found it here :

 (11) pflocal: Executing select query: SELECT 1, pid,
"Cleartext-Password", REPLACE(password,'{ntlm}',''), ":="   FROM
password   WHERE pid = 'jason'  AND NOT EXISTS
(SELECT pid FROM activation WHERE pid = 'testuser')

And the return is this :

 (11) pflocal:   Cleartext-Password :=
"{bcrypt}$2a$08$Z.0fN/wWUZZsya6Y7AXVf.F3kFHrFy4SnvKrPpSdpFtGcfEXMGhRK"

Which is what I see in the database as well.  That's obviously not a
cleartext password, though..  Is there an option I need to enable to
turn on cleartext passwords?

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools."
- The Hitchhikers Guide to the Galaxy





Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Jason 'XenoPhage' Frisvold
On 9/7/16 17:04, Jason 'XenoPhage' Frisvold wrote:
> Which is what I see in the database as well.  That's obviously not a
> cleartext password, though..  Is there an option I need to enable to
> turn on cleartext passwords?

Aha..  found it.  Ok, so I have cleartext passwords now.  Just trying to
get 802.1x to behave now..

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools."
- The Hitchhikers Guide to the Galaxy





Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-07 Thread Jason 'XenoPhage' Frisvold
On 9/7/16 17:22, Jason 'XenoPhage' Frisvold wrote:
> Aha..  found it.  Ok, so I have cleartext passwords now.  Just trying to
> get 802.1x to behave now..

Ok, so very close to having this working now.  I can log in via 802.1x,
the user/pass is checked, radius returns an accept.  However, the wrong
VLAN is being sent back.  It keeps sending the registration VLAN back
despite what I have set for the user.  The only thing that seems to make
a difference is if I "hard-code" the role for the device...  But I
thought that 802.1x would override that.

Am I missing a source entry?  Right now it's set to the default sources
and I'm not sure how to set up the rules to make this work..  Should I
be using EAPTLS or some other source for local 802.1x?  Or do I need to
manually configure each user in both the source rules and the user entries?

Thanks,

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [PacketFence-users] Windows 10 & Kaspersky

2016-09-07 Thread Sallee, Jake
I didn't see anyone else reply to this so here is what we are seeing.


Scenario 1: (less likely)


Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV 
software and are tunneling all DNS traffic to their own servers.  I did some 
research a while ago into this and found the traffic was being tunneled out via 
port 443 but I do not remember who the AV vendor was at the time.


We run split horizon DNS so the effects of this DNS proxy are rather serious; 
not only does it break our onboarding process, but it also denies access to 
most of our campus resources while the user is actually on campus.


Sometimes it is a setting (in some versions of Norton) but other times it is 
just there and cannot be disabled as far as I can tell (as is the case with 
Kaspersky).


Interestingly enough, stopping the Kaspersky services does not seem to fix the 
issue and we have to either uninstall the AV or manually register the user.


Scenario 2: (more likely)


There is an option to disable the built-in Windows DNS Client service when you 
install Kaspersky.   If the user checked that it can cause DNS issues as well.  
You can check the Windows services manager and see if the DNS Client service is 
stopped and disabled, if it is that could be your issue.


By default it should be set to automatic start and restart on all failures and 
should be running as "Network Service"


Conclusion:


It is a pain and we have no way of solving this issue, I am open to ideas 
though if anyone has them.


Also, if anyone has a direct line to the folks at Kaspersky and/or the other 
vendors who are doing this ... tell them from me they deserve a swift kick in 
the naughty bits for all the trouble they are causing.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Thomas, Gregory A 
Sent: Wednesday, September 7, 2016 1:14 PM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Windows 10 & Kaspersky

All,

Is any one else having problems with Windows 10 and Kaspersky AV?

I am having multiple folks that can connect to the network, but the browser 
reports: No Connection.

Any clues on what I may need to change on my side or advice to give them to 
connect.

--
Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432




Re: [PacketFence-users] Windows 10 & Kaspersky

2016-09-07 Thread Tim DeNike
Solving the issue is simple. Block the traffic. The rest will work
itself out.  People need to learn to not do things that break the
Internet.  Using 3rd party DNS servers like that causes decreased
performance of the interwebzz.

Sent from my iPhone

> On Sep 7, 2016, at 6:54 PM, Sallee, Jake  wrote:
>
> I didn't see anyone else reply to this so here is what we are seeing.
>
>
> Scenario 1: (less likely)
>
>
> Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV 
> software and are tunneling all DNS traffic to their own servers.  I did some 
> research a while ago into this and found the traffic was being tunneled out 
> via port 443 but I do not remember who the AV vendor was at the time.
>
>
> We run split horizon DNS so the effects of this DNS proxy are rather serious; 
> not only does it break our onboarding process, but it also denies access to 
> most of our campus resources while the user is actually on campus.
>
>
> Sometimes it is a setting (in some versions of Norton) but other times it is 
> just there and cannot be disabled as far as I can tell (as is the case with 
> Kaspersky).
>
>
> Interestingly enough, stopping the Kaspersky services does not seem to fix 
> the issue and we have to either uninstall the AV or manually register the 
> user.
>
>
> Scenario 2: (more likely)
>
>
> There is an option to disable the built-in Windows DNS Client service when 
> you install Kaspersky.   If the user checked that it can cause DNS issues as 
> well.  You can check the Windows services manager and see if the DNS Client 
> service is stopped and disabled, if it is that could be your issue.
>
>
> By default it should be set to automatic start and restart on all failures 
> and should be running as "Network Service"
>
>
> Conclusion:
>
>
> It is a pain and we have no way of solving this issue, I am open to ideas 
> though if anyone has them.
>
>
> Also, if anyone has a direct line to the folks at Kaspersky and/or the other 
> vendors who are doing this ... tell them from me they deserve a swift kick in 
> the naughty bits for all the trouble they are causing.
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> From: Thomas, Gregory A 
> Sent: Wednesday, September 7, 2016 1:14 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: [PacketFence-users] Windows 10 & Kaspersky
>
> All,
>
> Is any one else having problems with Windows 10 and Kaspersky AV?
>
> I am having multiple folks that can connect to the network, but the browser 
> reports: No Connection.
>
> Any clues on what I may need to change on my side or advice to give them to 
> connect.
>
> --
> Gregory A. Thomas
> Student Life Support Specialist
> University of Wisconsin-Parkside
> thom...@uwp.edu
> 262.595.2432
>
>
