Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-09 Thread Louis Munro

> On Sep 9, 2016, at 4:53 PM, Jason 'XenoPhage' Frisvold wrote:
> 
> That option isn't checked. And I'm having some trouble understanding
> what exactly it does. Does this effectively disable the portal for
> 802.1x scenarios? If so, how do I handle a guest network in that situation?

Yes, it automatically registers the devices with the credentials sent in the 
802.1x authentication itself.

You should probably create two portal profiles.
One that matches your 802.1x network, and one that doesn't.
Only apply the "autoregister" option to the 802.1x profile.

Profiles can be assigned based on criteria such as SSID, connection type, 
switch (controller) etc.
It should be possible to have a portal that only matches your dot1x traffic.

Regards,
--
Louis Munro
lmu...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] 802.1x and radius error : Reading winbind reply failed

2016-09-09 Thread Jason 'XenoPhage' Frisvold
On 9/8/16 9:11 AM, Louis Munro wrote:
> Hi Jason,
> 
> Are you auto-registering your devices?
> There's an option for that in the portal profile configuration.

That option isn't checked. And I'm having some trouble understanding
what exactly it does. Does this effectively disable the portal for
802.1x scenarios? If so, how do I handle a guest network in that situation?

Thanks,

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [PacketFence-users] Server Load metric

2016-09-09 Thread Matt Zagrabelny
On Fri, Sep 9, 2016 at 2:37 PM, Sallee, Jake  wrote:
> I always assumed that came from the same source that 'top' pulls from.
>
>
> If I am correct then the number represents the workload of your system. In 
> simplified terms you want this number to always be less than the number of 
> processor cores in your system.
>
>
> If you have a quad core system and you have a system load of 3.00 then you 
> are effectively running 3 of your cores at 100%.
>
>
> If in a quad core system you have a value of 8.00 this means that you have 
> overloaded your system and there are 4 processes waiting while 4 other 
> processes are fully utilizing all the cores on your system.
>
>
> Here is a bit more explanation if you're interested.
>
>
> http://www.howtogeek.com/194642/understanding-the-load-average-on-linux-and-other-unix-like-systems/
>
>
> TL;DR: the load score should always be less than the number of logical cores 
> in your system; if it's not, then your system is overworked and you need to do 
> something about it.

Load average is more complex than comparing the number of (logical or otherwise)
CPUs against the load average number, the reason being that load takes into
account the processor state of "waiting for disk I/O".

From man proc:

   /proc/loadavg
          The first three fields in this file are load average figures giving
          the number of jobs in the run queue (state R) or waiting for disk
          I/O (state D) averaged over 1, 5, and 15 minutes.  They are the
          same as the load average numbers given by uptime(1) and other
          programs.  The fourth field consists of two numbers separated by a
          slash (/).  The first of these is the number of currently runnable
          kernel scheduling entities (processes, threads).  The value after
          the slash is the number of kernel scheduling entities that
          currently exist on the system.  The fifth field is the PID of the
          process that was most recently created on the system.

Thus, you could have a high load average and throw a bunch of CPUs at
the issue and it doesn't change the problem one bit. It could be IO
bound.

As far as my experience goes, when load is driven up, it is almost
always due to IO saturation, not CPU saturation. However, I don't have
much experience with PF systems, so they might have CPU saturation
issues.

-m

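As an added example (not from the thread and not PacketFence code), here is how the five /proc/loadavg fields quoted above can be read together with per-task states to tell an I/O-bound load from a CPU-bound one; the sample file contents are constructed and the function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed /proc/loadavg content: 1/5/15-minute averages, runnable/total
# scheduling entities, and the most recently created PID.
SAMPLE_LOADAVG = "8.12 7.90 6.45 3/412 27185\n"
# Constructed /proc/<pid>/stat lines, truncated after a few fields; only the
# pid, the parenthesised comm and the state letter after it are read.
SAMPLE_STATS = [
    "27101 (pfqueue) R 1 27101 27101 0 -1 4194560",
    "27102 (mysqld) D 1 27102 27102 0 -1 4194560",
    "27103 (httpd) D 1 27103 27103 0 -1 4194560",
    "27104 (radiusd) S 1 27104 27104 0 -1 4194560",
    "27105 (pfdhcplistener) D 1 27105 27105 0 -1 4194560",
]

@dataclass
class LoadAvg:
    load1: float
    load5: float
    load15: float
    runnable: int
    total: int
    last_pid: int

def parse_loadavg(text: str) -> LoadAvg:
    """Parse the five fields of /proc/loadavg as described in proc(5)."""
    fields = text.split()
    if len(fields) != 5 or fields[3].count("/") != 1:
        raise ValueError(f"unexpected /proc/loadavg content: {text!r}")
    runnable, total = (int(x) for x in fields[3].split("/"))
    return LoadAvg(float(fields[0]), float(fields[1]), float(fields[2]),
                   runnable, total, int(fields[4]))

def task_state(stat_line: str) -> str:
    """State letter of a /proc/<pid>/stat line. comm is parenthesised and may
    contain spaces or ')', so split on the last ')' rather than on whitespace."""
    _head, sep, rest = stat_line.rpartition(")")
    if not sep or not rest.split():
        raise ValueError(f"malformed stat line: {stat_line!r}")
    return rest.split()[0]

def count_states(stat_lines: Iterable[str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in stat_lines:
        state = task_state(line)
        counts[state] = counts.get(state, 0) + 1
    return counts

def diagnose(load: LoadAvg, states: Dict[str, int], cores: int) -> str:
    """Per the thread: a D-heavy mix above the core count is I/O-bound; more CPUs won't help."""
    if load.load1 / cores <= 1.0:
        return "ok"
    return "io_bound" if states.get("D", 0) > states.get("R", 0) else "cpu_bound"
```

On a live host the same functions take `open("/proc/loadavg").read()` and the `/proc/<pid>/stat` files, with `os.cpu_count()` as the core count.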


Re: [PacketFence-users] Server Load metric

2016-09-09 Thread Sallee, Jake
I always assumed that came from the same source that 'top' pulls from.


If I am correct then the number represents the workload of your system. In 
simplified terms you want this number to always be less than the number of 
processor cores in your system.


If you have a quad core system and you have a system load of 3.00 then you are 
effectively running 3 of your cores at 100%.


If in a quad core system you have a value of 8.00 this means that you have 
overloaded your system and there are 4 processes waiting while 4 other 
processes are fully utilizing all the cores on your system.


Here is a bit more explanation if you're interested.


http://www.howtogeek.com/194642/understanding-the-load-average-on-linux-and-other-unix-like-systems/


TL;DR: the load score should always be less than the number of logical cores in 
your system; if it's not, then your system is overworked and you need to do 
something about it.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Tim DeNike 
Sent: Friday, September 9, 2016 2:11 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Server Load metric

2.0 concurrently active processes.  Represents Unix load average. If you are 
multicore, 2.0 is really nothing to worry about.

Sent from my iPhone

On Sep 9, 2016, at 11:53 AM, Torry, Andrew wrote:

Can anyone enlighten me as to what the vertical scale on the 'Server Load' 
graph represents?
I am really not sure if I should worry about a server load above 2.0 or not. Is 
it about to break or what?

Andrew



-
   Falmouth Exeter Plus
-



Re: [PacketFence-users] Server Load metric

2016-09-09 Thread Tim DeNike
2.0 concurrently active processes.  Represents Unix load average. If you
are multicore, 2.0 is really nothing to worry about.

Sent from my iPhone

On Sep 9, 2016, at 11:53 AM, Torry, Andrew wrote:

Can anyone enlighten me as to what the vertical scale on the 'Server Load'
graph represents?
I am really not sure if I should worry about a server load above 2.0 or
not. Is it about to break or what?

Andrew



-
   Falmouth Exeter Plus
-



Re: [PacketFence-users] Windows 10 & Kaspersky (off-topic)

2016-09-09 Thread Tim DeNike
Price-reliability-performance-features. Pick 3.

How much internet bandwidth do you use?   They are priced reasonably by
actual expected throughput.  Our 5050 HA pair was damn expensive, but we
use them to firewall between all our VRFs including between the campus and
servers.  So having 5-10gig throughput is a requirement.

However. The lower end models that do 1g of throughput aren't really that
expensive.  Multi gig/10gig ports are where the price really goes up.
100mbit models are only a couple grand.

Sent from my iPhone

On Sep 9, 2016, at 1:16 PM, Sallee, Jake  wrote:

Palo Alto. Will do it all.


PA is nice, but good golly Ms. Molly are they proud of them.

I couldn't afford one if I sold all my major organs ... sad day.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Tim DeNike 
Sent: Thursday, September 8, 2016 2:33 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows 10 & Kaspersky

Palo Alto. Will do it all. Including block connections to ssl sites
based on content of the flow.  I.e.: matching certificates in the
handshake.

Sent from my iPhone

On Sep 8, 2016, at 12:44 PM, Sallee, Jake  wrote:

Solving the issue is simple. Block the traffic.


When the traffic is being tunneled out via dest port 443 over SSL to a
seemingly random list of servers blocking it is difficult.


We do block all access to DNS servers that are not on-campus, so those
people who come in with static 8.8.8.8 and 8.8.4.4 and such notice pretty
quick that nothing works; but that is operating under the assumption that
the standard DNS ports are being used.


I am looking for a DNS proxy that I can put in place to intercept and reply
to DNS requests, so if anyone knows of one please feel free to drop me a
line.


I know the technology exists I just haven't gotten around to it yet. My
working theory is to use a route map on my edge router to relay all the
requests to a DNS server I control running BIND. But alas, this requires
time which I do not have at the moment and running tests that can
potentially take down our production network is frowned upon.


Jake Sallee

Godfather of Bandwidth

System Engineer

University of Mary Hardin-Baylor

WWW.UMHB.EDU


900 College St.

Belton, Texas

76513


Fone: 254-295-4658

Phax: 254-295-4221




From: Tim DeNike 

Sent: Wednesday, September 7, 2016 7:32 PM

To: packetfence-users@lists.sourceforge.net

Subject: Re: [PacketFence-users] Windows 10 & Kaspersky


Solving the issue is simple. Block the traffic. The rest will work

itself out.  People need to learn to not do things that break the

Internet.  Using 3rd party DNS servers like that causes decreased

performance of the interwebzz.


Sent from my iPhone


On Sep 7, 2016, at 6:54 PM, Sallee, Jake  wrote:


I didn't see anyone else reply to this so here is what we are seeing.



Scenario 1: (less likely)



Some AV vendors (Kaspersky being one) are installing a DNS proxy with the
AV software and are tunneling all DNS traffic to their own servers.  I did
some research a while ago into this and found the traffic was being
tunneled out via port 443 but I do not remember who the AV vendor was at
the time.



We run split horizon DNS so the effects of this DNS proxy are rather
serious; not only does it break our onboarding process, but it also denies
access to most of our campus resources while the user is actually on campus.



Sometimes it is a setting (in some versions of Norton) but other times it
is just there and cannot be disabled as far as I can tell (as is the case
with Kaspersky).



Interestingly enough, stopping the Kaspersky services does not seem to fix
the issue and we have to either uninstall the AV or manually register the
user.



Scenario 2: (more likely)



There is an option to disable the built-in Windows DNS Client service when
you install Kaspersky.   If the user checked that, it can cause DNS issues
as well.  You can check the Windows services manager and see if the DNS
Client service is stopped and disabled; if it is, that could be your issue.



By default it should be set to automatic start and restart on all failures
and should be running as "Network Service"



Conclusion:



It is a pain and we have no way of solving this issue; I am open to ideas
though if anyone has them.



Also, if anyone has a direct line to the folks at Kaspersky and/or the
other vendors who are doing this ... tell them from me they deserve a swift
kick in the naughty bits for all the trouble they are causing.



Jake Sallee

Godfather of Bandwidth

System Engineer

University of Mary Hardin-Baylor

WWW.UMHB.EDU


900 College St.

Belton, Texas

76513


Fone: 254-295-4658

Phax: 

Re: [PacketFence-users] Windows 10 & Kaspersky (off-topic)

2016-09-09 Thread Sallee, Jake
> Palo Alto. Will do it all.

PA is nice, but good golly Ms. Molly are they proud of them.

I couldn't afford one if I sold all my major organs ... sad day.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Tim DeNike 
Sent: Thursday, September 8, 2016 2:33 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows 10 & Kaspersky

Palo Alto. Will do it all. Including block connections to ssl sites
based on content of the flow.  I.e.: matching certificates in the
handshake.

Sent from my iPhone

On Sep 8, 2016, at 12:44 PM, Sallee, Jake  wrote:

>> Solving the issue is simple. Block the traffic.
>
> When the traffic is being tunneled out via dest port 443 over SSL to a 
> seemingly random list of servers blocking it is difficult.
>
> We do block all access to DNS servers that are not on-campus, so those people 
> who come in with static 8.8.8.8 and 8.8.4.4 and such notice pretty quick that 
> nothing works; but that is operating under the assumption that the standard 
> DNS ports are being used.
>
> I am looking for a DNS proxy that I can put in place to intercept and reply 
> to DNS requests, so if anyone knows of one please feel free to drop me a line.
>
> I know the technology exists I just haven't gotten around to it yet. My 
> working theory is to use a route map on my edge router to relay all the 
> requests to a DNS server I control running BIND. But alas, this requires 
> time which I do not have at the moment and running tests that can potentially 
> take down our production network is frowned upon.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> 
> From: Tim DeNike 
> Sent: Wednesday, September 7, 2016 7:32 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Windows 10 & Kaspersky
>
> Solving the issue is simple. Block the traffic. The rest will work
> itself out.  People need to learn to not do things that break the
> Internet.  Using 3rd party DNS servers like that causes decreased
> performance of the interwebzz.
>
> Sent from my iPhone
>
>> On Sep 7, 2016, at 6:54 PM, Sallee, Jake  wrote:
>>
>> I didn't see anyone else reply to this so here is what we are seeing.
>>
>>
>> Scenario 1: (less likely)
>>
>>
>> Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV 
>> software and are tunneling all DNS traffic to their own servers.  I did some 
>> research a while ago into this and found the traffic was being tunneled out 
>> via port 443 but I do not remember who the AV vendor was at the time.
>>
>>
>> We run split horizon DNS so the effects of this DNS proxy are rather 
>> serious; not only does it break our onboarding process, but it also denies 
>> access to most of our campus resources while the user is actually on campus.
>>
>>
>> Sometimes it is a setting (in some versions of Norton) but other times it is 
>> just there and cannot be disabled as far as I can tell (as is the case with 
>> Kaspersky).
>>
>>
>> Interestingly enough, stopping the Kaspersky services does not seem to fix 
>> the issue and we have to either uninstall the AV or manually register the 
>> user.
>>
>>
>> Scenario 2: (more likely)
>>
>>
>> There is an option to disable the built-in Windows DNS Client service when 
>> you install Kaspersky.   If the user checked that, it can cause DNS issues as 
>> well.  You can check the Windows services manager and see if the DNS Client 
>> service is stopped and disabled; if it is, that could be your issue.
>>
>>
>> By default it should be set to automatic start and restart on all failures 
>> and should be running as "Network Service"
>>
>>
>> Conclusion:
>>
>>
>> It is a pain and we have no way of solving this issue; I am open to ideas 
>> though if anyone has them.
>>
>>
>> Also, if anyone has a direct line to the folks at Kaspersky and/or the other 
>> vendors who are doing this ... tell them from me they deserve a swift kick 
>> in the naughty bits for all the trouble they are causing.
>>
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>> 
>> From: Thomas, Gregory A 
>> Sent: Wednesday, September 7, 2016 1:14 PM
>> To: packetfence-users@lists.sourceforge.net
>> Subject: [PacketFence-users] Windows 10 & Kaspersky
>>
>> All,
>>
>> Is any one else having problems with Windows 10 and Kaspersky AV?
>>
>> I am having multiple folks that can connect to the 

Re: [PacketFence-users] Server Load metric

2016-09-09 Thread Louis Munro



> On Sep 9, 2016, at 11:52 AM, Torry, Andrew  wrote:
> 
> Can anyone enlighten me as to what the vertical scale on the 'Server Load' 
> graph represents?
> I am really not sure if I should worry about a server load above 2.0 or not. 
> Is it about to break or what?


It's the load average of your system.

The same thing that you would see in top or even just running "w".

Googling around brings this up:
http://superuser.com/questions/23498/what-does-load-average-mean-in-unix-linux 


Note that any discussion of the load has to consider the number of CPU cores 
available.
I.e. a load of 2 on a 4-core machine is not the same thing as on a single-core 
one.

Regards,
--
Louis Munro
lmu...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)



Re: [PacketFence-users] Server Load metric

2016-09-09 Thread Torry, Andrew
Can anyone enlighten me as to what the vertical scale on the 'Server Load' 
graph represents?
I am really not sure if I should worry about a server load above 2.0 or not. Is 
it about to break or what?

Andrew



-
Falmouth Exeter Plus
-
