Re: [PacketFence-users] packetfence and cisco switches

2016-12-15 Thread Tobias Friede
Hi,

2016-12-15 17:06 GMT+01:00 Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov>:
>
>
>
> I think I want the entry to remain dynamic, I want to prevent the entry
> from getting written into the config file when I “wr mem”, if I still
> have sticky mac addresses and write mem, don’t the entries get written into
> the boot file, so aging will not occur?
>

The entry is still written to the running config, there is no way to
prevent this (if you do a wr, the running config is just written to the
boot file).
If you enable aging, the dynamically learned MAC address is removed from your
config after the configured time.

>
>
> If I read this right (questionable) then rather than sticky secure I want
> dynamic secure, but those keywords don’t actually exist in the switch
> config. So I'm looking to find out if the approach is valid from a PF view
> and how exactly to implement it on the individual switches/interfaces.
>

If you remove the sticky option, the dynamically learned MAC address is never
written to the running-config and of course it's never written to the
memory.

Like Tim said, it's much better to use RADIUS ;)



2016-12-15 0:39 GMT+01:00 Tim DeNike :

> Use RADIUS. Way better!
>
> That would be the best way ;)



>
> *From:* Tobias Friede [mailto:t.fri...@gmail.com]
> *Sent:* Wednesday, December 14, 2016 4:02 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] packetfence and cisco switches
>
>
>
>
> Hi,
>
>
>
> I think that's not possible because Port Security creates a static entry
> in the MAC table of the switch.
>
> That's how port security is working ;)
>
>
>
> You could enable aging. That means if the client is inactive, the MAC
> address is removed from the switch port (after a specific time)
>
>
>
> => http://packetlife.net/blog/2010/may/3/port-security/
>
>
>
>
>
> Greetings
>
> Tobias
>
>
>
>
>
> 2016-12-14 19:57 GMT+01:00 Cuttler, Brian R (HEALTH) <
> brian.cutt...@health.ny.gov>:
>
> Packetfence users,
>
> We are using PF 5.0.2 and have a variety of Cisco switches in place.
>
> We have the access ports (vs trunk ports) configured with “sticky mac”
> addresses, and find (as per documentation) that when we make any changes to
> the switch config and save those changes with “write memory”, the dynamic
> addresses of the end point devices get written into the switch boot config
> file.
>
> Typical changes we’d want to save are things like adding vlans to the
> trunk, adding a port description for a special end point device, adding a
> new vlan to the switch, etc.
>
> The problem we are seeing is that if a device (typical PC or printer) is
> moved to another port on the switch, then the MAC address of the device
> which is “dynamic” on the port, conflicts with the now static address on
> the old port.
>
> I am going to see about configuring a test switch with “dynamic secure”
> rather than “sticky secure”; I think it's just a matter of unsetting “sticky”
> for the interface.
>
> Does anyone have any experience with this?
>
> How do you prevent the learned MAC addresses from getting written into the
> config file?
>
> Thank you,
>
> Brian
>
>
>
>
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
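As an added example (not code from this thread or from PacketFence), a small Python audit of a Cisco running-config in the spirit of Brian's question and Tobias's answer: it flags access ports whose sticky learning would be frozen into startup-config by "write memory" and emits the interface commands that move them to dynamic secure addresses with inactivity aging. The config text is constructed; the interface names and the 5-minute aging value are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample running-config (not captured from a real switch).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description printer, sticky learning on, no aging
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet1/0/2
 description PC, dynamic secure with inactivity aging
 switchport mode access
 switchport port-security
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""

# A learned sticky address as IOS writes it back into the running-config.
STICKY_MAC_RE = re.compile(r"^switchport port-security mac-address sticky ([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})$")


@dataclass
class PortSecurity:
    name: str
    enabled: bool = False              # "switchport port-security" present
    sticky: bool = False               # sticky learning turned on
    saved_sticky_macs: List[str] = field(default_factory=list)
    aging_time: Optional[int] = None   # minutes; None means aging is off
    aging_type: str = "absolute"       # IOS default once an aging time is set


def parse_running_config(text: str) -> Dict[str, PortSecurity]:
    """Return one PortSecurity record per 'interface' stanza."""
    ports: Dict[str, PortSecurity] = {}
    current: Optional[PortSecurity] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = PortSecurity(line.split(None, 1)[1])
            ports[current.name] = current
            continue
        if not line.startswith(" "):   # "!" or a global command ends the stanza
            current = None
            continue
        if current is None:
            continue
        cmd = line.strip()
        mac = STICKY_MAC_RE.match(cmd)
        if cmd == "switchport port-security":
            current.enabled = True
        elif cmd == "switchport port-security mac-address sticky":
            current.sticky = True
        elif mac:
            current.saved_sticky_macs.append(mac.group(1))
        elif cmd.startswith("switchport port-security aging time "):
            current.aging_time = int(cmd.rsplit(None, 1)[1])
        elif cmd.startswith("switchport port-security aging type "):
            current.aging_type = cmd.rsplit(None, 1)[1]
    return ports


def audit(ports: Dict[str, PortSecurity]) -> Dict[str, List[str]]:
    """For each port-security interface, list what 'write memory' would freeze."""
    findings: Dict[str, List[str]] = {}
    for name, p in ports.items():
        if not p.enabled:
            continue
        issues = []
        if p.sticky:
            issues.append("sticky learning: learned MACs are put in running-config "
                          "and saved to startup-config by 'write memory'")
        if p.saved_sticky_macs:
            issues.append("already persisted sticky address(es): "
                          + ", ".join(p.saved_sticky_macs))
        if p.aging_time is None:
            issues.append("no aging: secure addresses never expire on their own")
        findings[name] = issues
    return findings


def remediation(p: PortSecurity, aging_minutes: int = 5) -> List[str]:
    """IOS commands that move the port to dynamic secure + inactivity aging."""
    cmds = [f"interface {p.name}"]
    if p.sticky:
        # Turning sticky learning off converts the saved sticky entries into
        # dynamic secure addresses, which are never written to the config.
        cmds.append(" no switchport port-security mac-address sticky")
    if p.aging_time is None:
        cmds.append(f" switchport port-security aging time {aging_minutes}")
        cmds.append(" switchport port-security aging type inactivity")
    return cmds
```

Run audit(parse_running_config(text)) over a "show running-config" capture to see which ports still carry persisted sticky entries before the next "wr mem".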


Re: [PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Daniel Picon
Antoine, it says that the admin is already started

# /usr/local/pf/bin/pfcmd service httpd.admin start
Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
service|command
httpd.admin|already started

but I still can't connect.
I get no timeout, but the page stays loading forever.



2016-12-15 14:19 GMT-02:00 Antoine Amacher :

> Daniel,
>
> The DB will be created while going through the configurator, try to start
> only the admin with /usr/local/pf/bin/pfcmd service httpd.admin start
>
> You should be able to start the admin without a DB.
>
> Let us know,
>
> thanks
>
> On 12/15/2016 11:14 AM, Daniel Picon wrote:
>
> Hi guys, thanks for the quick reply
>
> Fabrice, I tried to do what you told me, but when I try to start the pf
> service, I get this error:
>
> # systemctl status packetfence.service
> ● packetfence.service - PacketFence Service
>Loaded: loaded (/lib/systemd/system/packetfence.service; enabled)
>Active: failed (Result: exit-code) since Qui 2016-12-15 14:02:17 BRST;
> 1min 35s ago
>   Process: 56485 ExecStart=/usr/local/pf/bin/pfcmd service pf start
> (code=exited, status=255)
>
> Dez 15 14:02:08 firewall-novo pfcmd[56485]: Could not write namespace
> config...!
> Dez 15 14:02:09 firewall-novo pfcmd[56485]: httpd.admin|already started
> Dez 15 14:02:09 firewall-novo pfcmd[56485]: Checking configuration
> sanity...
> Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
> config...!
> Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
> config...!
> Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
> config...!
> Dez 15 14:02:16 firewall-novo pfcmd[56485]: unable to connect to database:
> A
> Dez 15 14:02:17 firewall-novo systemd[1]: packetfence.service: control
> proce...5
> Dez 15 14:02:17 firewall-novo systemd[1]: Failed to start PacketFence
> Service.
> Dez 15 14:02:17 firewall-novo systemd[1]: Unit packetfence.service entered
> f
> Hint: Some lines were ellipsized, use -l to show in full.
>
> Antoine, I saw the files that you recommended and they indicated that the
> pf base wasn't created. On pf's install, it asked me for a root password
> for mysql, and I thought it would create the base, but, when I saw this
> error, I connected on mysql and the database isn't there.
>
> But, looking on google, I didn't understand if the db would be created on
> installation or after configuration, so I don't know if the fact that there is
> no db is a problem or not... =/
>
> Thanks for the help guys. If you have other ideas, it would be appreciated.
>
> regards
>
> 2016-12-15 12:25 GMT-02:00 Fabrice Durand :
>
>> Hello Daniel,
>>
>> can you do something for me ?
>>
>> apt-get update
>>
>> apt-get install libposix-atfork-perl
>>
>> then service packetfence restart
>>
>> And let me know if it fixed your issue.
>>
>> Thanks
>>
>> Fabrice
>>
>>
>>
>> On 2016-12-15 at 08:57, Daniel Picon wrote:
>>
>> Hello all,
>>
>> First of all, sorry for my bad english, I hope you can understand my
>> question.
>>
>> I just discovered packetfence yesterday, reading about it in some
>> google searches.
>>
>> To test it, I got a server and put a fresh install of debian on it, just
>> the basic choices + ssh server, nothing else.
>> Then, following the instructions on
>> 
>> https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html
>> I installed packetfence with no errors.
>>
>> But, when I try to access the configurator, I can't. I tried
>> with http and https, and the browser keeps trying to load, but nothing
>> happens.
>>
>> I did a scan with nmap and port 1443 is open and listening.
>>
>> Some commands that I executed and their output:
>>
>> # /usr/local/pf/bin/pfcmd service httpd.admin status
>> Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
>> service|shouldBeStarted|pid
>> httpd.admin|1|41888
>>
>> # service packetfence-config status
>> ● packetfence-config.service - PacketFence Config Service
>>Loaded: loaded (/lib/systemd/system/packetfence-config.service;
>> enabled)
>>Active: active (running) since Qui 2016-12-15 11:21:39 BRST; 31min ago
>>  Main PID: 41876 (pfconfig)
>>CGroup: /system.slice/packetfence-config.service
>>└─41876 pfconfig
>>
>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::fqdn
>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
>> resource::guest_se...n
>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
>> resource::local_secret
>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
>> resource::reverse_fqdn
>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
>> resource::stats_levels
>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
>> resource::switches...p
>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
>> 

Re: [PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Daniel Picon
Antoine, I tried to restart the admin after installing the package that
Fabrice indicated and now I can access the configurator. :)

Thank you so much guys, I will now try to configure it and, if I have any other
problem, I will write again.

regards

2016-12-15 14:25 GMT-02:00 Daniel Picon :

> Antoine, it says that the admin is already started
>
> # /usr/local/pf/bin/pfcmd service httpd.admin start
> Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
> service|command
> httpd.admin|already started
>
> but I still can't connect.
> I get no timeout, but the page stays loading forever.
>
>
>
> 2016-12-15 14:19 GMT-02:00 Antoine Amacher :
>
>> Daniel,
>>
>> The DB will be created while going through the configurator, try to start
>> only the admin with /usr/local/pf/bin/pfcmd service httpd.admin start
>>
>> You should be able to start the admin without a DB.
>>
>> Let us know,
>>
>> thanks
>>
>> On 12/15/2016 11:14 AM, Daniel Picon wrote:
>>
>> Hi guys, thanks for the quick reply
>>
>> Fabrice, I tried to do what you told me, but when I try to start the pf
>> service, I get this error:
>>
>> # systemctl status packetfence.service
>> ● packetfence.service - PacketFence Service
>>Loaded: loaded (/lib/systemd/system/packetfence.service; enabled)
>>Active: failed (Result: exit-code) since Qui 2016-12-15 14:02:17 BRST;
>> 1min 35s ago
>>   Process: 56485 ExecStart=/usr/local/pf/bin/pfcmd service pf start
>> (code=exited, status=255)
>>
>> Dez 15 14:02:08 firewall-novo pfcmd[56485]: Could not write namespace
>> config...!
>> Dez 15 14:02:09 firewall-novo pfcmd[56485]: httpd.admin|already started
>> Dez 15 14:02:09 firewall-novo pfcmd[56485]: Checking configuration
>> sanity...
>> Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
>> config...!
>> Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
>> config...!
>> Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
>> config...!
>> Dez 15 14:02:16 firewall-novo pfcmd[56485]: unable to connect to
>> database: A
>> Dez 15 14:02:17 firewall-novo systemd[1]: packetfence.service: control
>> proce...5
>> Dez 15 14:02:17 firewall-novo systemd[1]: Failed to start PacketFence
>> Service.
>> Dez 15 14:02:17 firewall-novo systemd[1]: Unit packetfence.service
>> entered f
>> Hint: Some lines were ellipsized, use -l to show in full.
>>
>> Antoine, I saw the files that you recommended and they indicated that the
>> pf base wasn't created. On pf's install, it asked me for a root password
>> for mysql, and I thought it would create the base, but, when I saw this
>> error, I connected on mysql and the database isn't there.
>>
>> But, looking on google, I didn't understand if the db would be created on
>> installation or after configuration, so I don't know if the fact that there is
>> no db is a problem or not... =/
>>
>> Thanks for the help guys. If you have other ideas, it would be appreciated.
>>
>> regards
>>
>> 2016-12-15 12:25 GMT-02:00 Fabrice Durand :
>>
>>> Hello Daniel,
>>>
>>> can you do something for me ?
>>>
>>> apt-get update
>>>
>>> apt-get install libposix-atfork-perl
>>>
>>> then service packetfence restart
>>>
>>> And let me know if it fixed your issue.
>>>
>>> Thanks
>>>
>>> Fabrice
>>>
>>>
>>>
>>> On 2016-12-15 at 08:57, Daniel Picon wrote:
>>>
>>> Hello all,
>>>
>>> First of all, sorry for my bad english, I hope you can understand my
>>> question.
>>>
>>> I just discovered packetfence yesterday, reading about it in some
>>> google searches.
>>>
>>> To test it, I got a server and put a fresh install of debian on it, just
>>> the basic choices + ssh server, nothing else.
>>> Then, following the instructions on
>>> 
>>> https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html
>>> I installed packetfence with no errors.
>>>
>>> But, when I try to access the configurator, I can't. I tried
>>> with http and https, and the browser keeps trying to load, but nothing
>>> happens.
>>>
>>> I did a scan with nmap and port 1443 is open and listening.
>>>
>>> Some commands that I executed and their output:
>>>
>>> # /usr/local/pf/bin/pfcmd service httpd.admin status
>>> Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
>>> service|shouldBeStarted|pid
>>> httpd.admin|1|41888
>>>
>>> # service packetfence-config status
>>> ● packetfence-config.service - PacketFence Config Service
>>>Loaded: loaded (/lib/systemd/system/packetfence-config.service;
>>> enabled)
>>>Active: active (running) since Qui 2016-12-15 11:21:39 BRST; 31min ago
>>>  Main PID: 41876 (pfconfig)
>>>CGroup: /system.slice/packetfence-config.service
>>>└─41876 pfconfig
>>>
>>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::fqdn
>>> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading

Re: [PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Daniel Picon
Hi guys, thanks for the quick reply

Fabrice, I tried to do what you told me, but when I try to start the pf
service, I get this error:

# systemctl status packetfence.service
● packetfence.service - PacketFence Service
   Loaded: loaded (/lib/systemd/system/packetfence.service; enabled)
   Active: failed (Result: exit-code) since Qui 2016-12-15 14:02:17 BRST;
1min 35s ago
  Process: 56485 ExecStart=/usr/local/pf/bin/pfcmd service pf start
(code=exited, status=255)

Dez 15 14:02:08 firewall-novo pfcmd[56485]: Could not write namespace
config...!
Dez 15 14:02:09 firewall-novo pfcmd[56485]: httpd.admin|already started
Dez 15 14:02:09 firewall-novo pfcmd[56485]: Checking configuration sanity...
Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
config...!
Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
config...!
Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace
config...!
Dez 15 14:02:16 firewall-novo pfcmd[56485]: unable to connect to database:
A
Dez 15 14:02:17 firewall-novo systemd[1]: packetfence.service: control
proce...5
Dez 15 14:02:17 firewall-novo systemd[1]: Failed to start PacketFence
Service.
Dez 15 14:02:17 firewall-novo systemd[1]: Unit packetfence.service entered
f
Hint: Some lines were ellipsized, use -l to show in full.

Antoine, I saw the files that you recommended and they indicated that the
pf base wasn't created. On pf's install, it asked me for a root password
for mysql, and I thought it would create the base, but, when I saw this
error, I connected on mysql and the database isn't there.

But, looking on google, I didn't understand if the db would be created on
installation or after configuration, so I don't know if the fact that there is
no db is a problem or not... =/

Thanks for the help guys. If you have other ideas, it would be appreciated.

regards

2016-12-15 12:25 GMT-02:00 Fabrice Durand :

> Hello Daniel,
>
> can you do something for me ?
>
> apt-get update
>
> apt-get install libposix-atfork-perl
>
> then service packetfence restart
>
> And let me know if it fixed your issue.
>
> Thanks
>
> Fabrice
>
>
>
> On 2016-12-15 at 08:57, Daniel Picon wrote:
>
> Hello all,
>
> First of all, sorry for my bad english, I hope you can understand my
> question.
>
> I just discovered packetfence yesterday, reading about it in some
> google searches.
>
> To test it, I got a server and put a fresh install of debian on it, just
> the basic choices + ssh server, nothing else.
> Then, following the instructions on
> 
> https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html
> I installed packetfence with no errors.
>
> But, when I try to access the configurator, I can't. I tried
> with http and https, and the browser keeps trying to load, but nothing
> happens.
>
> I did a scan with nmap and port 1443 is open and listening.
>
> Some commands that I executed and their output:
>
> # /usr/local/pf/bin/pfcmd service httpd.admin status
> Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
> service|shouldBeStarted|pid
> httpd.admin|1|41888
>
> # service packetfence-config status
> ● packetfence-config.service - PacketFence Config Service
>Loaded: loaded (/lib/systemd/system/packetfence-config.service;
> enabled)
>Active: active (running) since Qui 2016-12-15 11:21:39 BRST; 31min ago
>  Main PID: 41876 (pfconfig)
>CGroup: /system.slice/packetfence-config.service
>└─41876 pfconfig
>
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::fqdn
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
> resource::guest_se...n
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
> resource::local_secret
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
> resource::reverse_fqdn
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
> resource::stats_levels
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
> resource::switches...p
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
> resource::switches...t
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
> resource::switches...s
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
> resource::trapping...e
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: --
> Hint: Some lines were ellipsized, use -l to show in full.
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination
>
> I don't know what to do now. Can anyone help me??
>
> Tks a lot
> Best regards
>
> Daniel
>
>

Re: [PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Antoine Amacher

Daniel,

The DB will be created while going through the configurator, try to 
start only the admin with /usr/local/pf/bin/pfcmd service httpd.admin start


You should be able to start the admin without a DB.

Let us know,

thanks


On 12/15/2016 11:14 AM, Daniel Picon wrote:

Hi guys, thanks for the quick reply

Fabrice, I tried to do what you told me, but when I try to start the 
pf service, I get this error:


# systemctl status packetfence.service
● packetfence.service - PacketFence Service
   Loaded: loaded (/lib/systemd/system/packetfence.service; enabled)
   Active: failed (Result: exit-code) since Qui 2016-12-15 14:02:17 
BRST; 1min 35s ago
  Process: 56485 ExecStart=/usr/local/pf/bin/pfcmd service pf start 
(code=exited, status=255)


Dez 15 14:02:08 firewall-novo pfcmd[56485]: Could not write namespace 
config...!

Dez 15 14:02:09 firewall-novo pfcmd[56485]: httpd.admin|already started
Dez 15 14:02:09 firewall-novo pfcmd[56485]: Checking configuration 
sanity...
Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace 
config...!
Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace 
config...!
Dez 15 14:02:15 firewall-novo pfcmd[56485]: Could not write namespace 
config...!
Dez 15 14:02:16 firewall-novo pfcmd[56485]: unable to connect to 
database: A
Dez 15 14:02:17 firewall-novo systemd[1]: packetfence.service: control 
proce...5
Dez 15 14:02:17 firewall-novo systemd[1]: Failed to start PacketFence 
Service.
Dez 15 14:02:17 firewall-novo systemd[1]: Unit packetfence.service 
entered f

Hint: Some lines were ellipsized, use -l to show in full.

Antoine, I saw the files that you recommended and they indicated that 
the pf base wasn't created. On pf's install, it asked me for a root 
password for mysql, and I thought it would create the base, but, when 
I saw this error, I connected on mysql and the database isn't there.


But, looking on google, I didn't understand if the db would be created on 
installation or after configuration, so I don't know if the fact that 
there is no db is a problem or not... =/


Thanks for the help guys. If you have other ideas, it would be appreciated.

regards

2016-12-15 12:25 GMT-02:00 Fabrice Durand:


Hello Daniel,

can you do something for me ?

apt-get update

apt-get install libposix-atfork-perl

then service packetfence restart

And let me know if it fixed your issue.

Thanks

Fabrice



On 2016-12-15 at 08:57, Daniel Picon wrote:

Hello all,

First of all, sorry for my bad english, I hope you can understand
my question.

I just discovered packetfence yesterday, reading about it in
some google searches.

To test it, I got a server and put a fresh install of debian on
it, just the basic choices + ssh server, nothing else.
Then, following the instructions on

https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html


I installed packetfence with no errors.

But, when I try to access the configurator, I can't. I
tried with http and https, and the browser keeps trying to load,
but nothing happens.

I did a scan with nmap and port 1443 is open and listening.

Some commands that I executed and their output:

# /usr/local/pf/bin/pfcmd service httpd.admin status
Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
service|shouldBeStarted|pid
httpd.admin|1|41888

# service packetfence-config status
● packetfence-config.service - PacketFence Config Service
   Loaded: loaded
(/lib/systemd/system/packetfence-config.service; enabled)
   Active: active (running) since Qui 2016-12-15 11:21:39 BRST;
31min ago
 Main PID: 41876 (pfconfig)
   CGroup: /system.slice/packetfence-config.service
   └─41876 pfconfig

Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::fqdn
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::guest_se...n
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::local_secret
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::reverse_fqdn
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::stats_levels
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::switches...p
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::switches...t
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::switches...s
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading
resource::trapping...e
Dez 15 11:21:39 firewall-novo pfconfig[41871]: --
Hint: Some lines were ellipsized, use -l to show in full.

# iptables -L
Chain INPUT (policy ACCEPT)

Re: [PacketFence-users] packetfence and cisco switches

2016-12-15 Thread Cuttler, Brian R (HEALTH)
Tobias,

I think I want the entry to remain dynamic, I want to prevent the entry from 
getting written into the config file when I “wr mem”, if I still have sticky 
mac addresses and write mem, don’t the entries get written into the boot file, 
so aging will not occur?

If I read this right (questionable) then rather than sticky secure I want 
dynamic secure, but those keywords don’t actually exist in the switch config. 
So I'm looking to find out if the approach is valid from a PF view and how 
exactly to implement it on the individual switches/interfaces.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/20ewa/configuration/guide/conf/port_sec.html

thank you,
Brian

From: Tobias Friede [mailto:t.fri...@gmail.com]
Sent: Wednesday, December 14, 2016 4:02 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] packetfence and cisco switches



Hi,

I think that's not possible because Port Security creates a static entry in the 
MAC table of the switch.
That's how port security is working ;)

You could enable aging. That means if the client is inactive, the MAC address is 
removed from the switch port (after a specific time)

=> http://packetlife.net/blog/2010/may/3/port-security/


Greetings
Tobias


2016-12-14 19:57 GMT+01:00 Cuttler, Brian R (HEALTH):

Packetfence users,

We are using PF 5.0.2 and have a variety of Cisco switches in place.

We have the access ports (vs trunk ports) configured with “sticky mac” 
addresses, and find (as per documentation) that when we make any changes to the 
switch config and save those changes with “write memory”, the dynamic addresses 
of the end point devices get written into the switch boot config file.

Typical changes we’d want to save are things like adding vlans to the trunk, 
adding a port description for a special end point device, adding a new vlan to 
the switch, etc.

The problem we are seeing is that if a device (typical PC or printer) is moved 
to another port on the switch, then the MAC address of the device which is 
“dynamic” on the port, conflicts with the now static address on the old port.

I am going to see about configuring a test switch with “dynamic secure” rather 
than “sticky secure”; I think it's just a matter of unsetting “sticky” for the 
interface.

Does anyone have any experience with this?

How do you prevent the learned MAC addresses from getting written into the 
config file?

Thank you,

Brian






Re: [PacketFence-users] PALO ALTO SSO and multiple VSYS

2016-12-15 Thread Tim DeNike
Copy /usr/local/pf/lib/pf/firewallsso/PaloAlto.pm to PaloAlto_Vsys1.pm

Edit the file and add =vsys1 into the $webpage definition after
$action=set

Also change the package name and description.

Restart PF and the new option should be available.

On Thu, Dec 15, 2016 at 6:51 AM, Tomasz Karczewski <
tkarczew...@man.olsztyn.pl> wrote:

> Hi,
>
>
>
> My PA SSO works fine. I’ve got one question: is there any way to set a user
> on another vsys than vsys1?
>
> I’ve got a multi vsys environment and I tried to put a user in another vsys
> but maybe I’m doing something wrong?
>
> The user is always put in vsys1.
>
>
>
> Tnx for reply.
>
>
>
> Tomasz Karczewski
>
> 
>
>


[PacketFence-users] Node Cleanup

2016-12-15 Thread Guntharp, Jason W.
Concerning the node cleanup window under maintenance, what is the behavior? 
What criteria are evaluated for node deletion?

Jason Guntharp
Network Administrator
Information Services Department
602 West Hill Street
Fulton, MS  38843



Re: [PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Antoine Amacher

Hello Daniel,

The admin interface should be reachable in https only, try this 
https://your.ip:1443/configurator


Try to find errors in the following logs: 
/usr/local/pf/logs/packetfence.log, /usr/local/pf/logs/httpd.admin.log


Let us know if that helps.

Thanks


On 12/15/2016 08:57 AM, Daniel Picon wrote:

Hello all,

First of all, sorry for my bad english, I hope you can understand my 
question.


I just discovered packetfence yesterday, reading about it in some 
google searches.


To test it, I got a server and put a fresh install of debian on it, 
just the basic choices + ssh server, nothing else.
Then, following the instructions on 
https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html 
I installed packetfence with no errors.


But, when I try to access the configurator, I can't. I 
tried with http and https, and the browser keeps trying to load, but 
nothing happens.


I did a scan with nmap and port 1443 is open and listening.

Some commands that I executed and their output:

# /usr/local/pf/bin/pfcmd service httpd.admin status
Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.

service|shouldBeStarted|pid
httpd.admin|1|41888

# service packetfence-config status
● packetfence-config.service - PacketFence Config Service
   Loaded: loaded (/lib/systemd/system/packetfence-config.service; 
enabled)

   Active: active (running) since Qui 2016-12-15 11:21:39 BRST; 31min ago
 Main PID: 41876 (pfconfig)
   CGroup: /system.slice/packetfence-config.service
   └─41876 pfconfig

Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::fqdn
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading 
resource::guest_se...n
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading 
resource::local_secret
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading 
resource::reverse_fqdn
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading 
resource::stats_levels
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading 
resource::switches...p
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading 
resource::switches...t
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading 
resource::switches...s
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading 
resource::trapping...e

Dez 15 11:21:39 firewall-novo pfconfig[41871]: --
Hint: Some lines were ellipsized, use -l to show in full.

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I don't know what to do now. Can anyone help me??

Tks a lot
Best regards

Daniel




--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Fabrice Durand
Hello Daniel,

Can you do something for me?

apt-get update

apt-get install libposix-atfork-perl

then service packetfence restart

And let me know if it fixed your issue.

Thanks

Fabrice



On 2016-12-15 at 08:57, Daniel Picon wrote:
> Hello all,
>
> First of all, sorry for my bad English, I hope you can understand my
> question.
>
> I just discovered PacketFence yesterday, reading about it in some
> Google searches.
>
> To test it, I got a server and put a fresh install of Debian on it,
> just the basic choices + SSH server, nothing else.
> Then, following the instructions on
> https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html
> I installed PacketFence with no errors.
>
> But when I try to access the configurator, I can't. I
> tried with http and https, and the browser keeps trying to load, but
> nothing happens.
>
> I did a scan with nmap and port 1443 is open and listening.
>
> Some commands that I executed and their output:
>
> # /usr/local/pf/bin/pfcmd service httpd.admin status
> Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
> service|shouldBeStarted|pid
> httpd.admin|1|41888
>
> # service packetfence-config status
> ● packetfence-config.service - PacketFence Config Service
>    Loaded: loaded (/lib/systemd/system/packetfence-config.service; enabled)
>    Active: active (running) since Qui 2016-12-15 11:21:39 BRST; 31min ago
>  Main PID: 41876 (pfconfig)
>    CGroup: /system.slice/packetfence-config.service
>            └─41876 pfconfig
>
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::fqdn
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::guest_se...n
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::local_secret
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::reverse_fqdn
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::stats_levels
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...p
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...t
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...s
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::trapping...e
> Dez 15 11:21:39 firewall-novo pfconfig[41871]: --
> Hint: Some lines were ellipsized, use -l to show in full.
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination 
>
> I don't know what to do now. Can anyone help me?
>
> Thanks a lot
> Best regards
>
> Daniel
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



[PacketFence-users] PALO ALTO SSO and multiple VSYS

2016-12-15 Thread Tomasz Karczewski
Hi,

My PA SSO works fine. I've got one question: is there any way to set a user on
another vsys than vsys1?

I've got a multi-vsys environment and I tried to put the user in another vsys, but
maybe I'm doing something wrong?

The user is always put in vsys1.

Thanks for any reply.

Tomasz Karczewski



[PacketFence-users] Fresh install of pf on debian 8

2016-12-15 Thread Daniel Picon
Hello all,

First of all, sorry for my bad English, I hope you can understand my
question.

I just discovered PacketFence yesterday, reading about it in some
Google searches.

To test it, I got a server and put a fresh install of Debian on it, just
the basic choices + SSH server, nothing else.
Then, following the instructions on
https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html
I installed PacketFence with no errors.

But when I try to access the configurator, I can't. I tried
with http and https, and the browser keeps trying to load, but nothing
happens.

I did a scan with nmap and port 1443 is open and listening.

Some commands that I executed and their output:

# /usr/local/pf/bin/pfcmd service httpd.admin status
Smartmatch is experimental at /usr/local/pf/lib/pf/cluster.pm line 588.
service|shouldBeStarted|pid
httpd.admin|1|41888

# service packetfence-config status
● packetfence-config.service - PacketFence Config Service
   Loaded: loaded (/lib/systemd/system/packetfence-config.service; enabled)
   Active: active (running) since Qui 2016-12-15 11:21:39 BRST; 31min ago
 Main PID: 41876 (pfconfig)
   CGroup: /system.slice/packetfence-config.service
           └─41876 pfconfig

Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::fqdn
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::guest_se...n
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::local_secret
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::reverse_fqdn
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::stats_levels
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...p
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...t
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::switches...s
Dez 15 11:21:39 firewall-novo pfconfig[41871]: Preloading resource::trapping...e
Dez 15 11:21:39 firewall-novo pfconfig[41871]: --
Hint: Some lines were ellipsized, use -l to show in full.

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

I don't know what to do now. Can anyone help me?

Thanks a lot
Best regards

Daniel
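
As an added example (this is not code from PacketFence or from anyone in this thread): a small probe that separates "the port accepts connections" from "the application answers". nmap reporting 1443 open only proves the listener completed the TCP handshake; a browser that keeps loading means the process behind the socket never finished TLS or never returned an HTTP response, and the probe reports which. The hostname and port are assumptions (the admin/configurator UI on the local box); the listener helpers are test doubles constructed so the probe can be exercised offline.

```python
"""Classify a 'port is open but the web UI never loads' symptom.

Outcomes of probe_http():
  refused           nothing accepted the TCP connection (listener gone, or a firewall drop)
  tls_no_response   TCP accepted, but no TLS ServerHello within the timeout
  http_no_response  TCP (and TLS, if used) fine, but no HTTP status line came back
  responded         the application answered with an HTTP status line
"""
import socket
import ssl
import threading
from typing import Optional, Tuple


def probe_http(host: str, port: int, use_tls: bool = True, timeout: float = 3.0) -> str:
    """Connect, optionally handshake TLS, send a minimal GET and report what came back."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"  # ECONNREFUSED or SYN timeout
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # a fresh install ships a self-signed cert
            try:
                # the socket is already connected, so wrap_socket runs the handshake now
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except OSError:  # includes ssl.SSLError and the socket timeout
                return "tls_no_response"
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            head = sock.recv(1024)
        except OSError:
            return "http_no_response"
        return "responded" if head.startswith(b"HTTP/") else "http_no_response"
    finally:
        sock.close()


def start_listener(reply: Optional[bytes]) -> Tuple[int, socket.socket]:
    """Constructed test double on 127.0.0.1:<ephemeral>.

    reply=None  -> accept and stay silent (what a wedged application looks like)
    reply=bytes -> read the request, send the bytes, close (a healthy plain-HTTP app)
    Returns (port, server_socket); close the server socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    held = []  # silent connections are kept referenced so they stay open

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed
            if reply is None:
                held.append(conn)
                continue
            try:
                conn.recv(4096)
                conn.sendall(reply)
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def unused_port() -> int:
    """Constructed helper: a loopback port with nothing listening, for the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Assumed target: the PacketFence admin/configurator UI on this host.
    print("1443/tcp:", probe_http("127.0.0.1", 1443, use_tls=True))
```

Run it on the PacketFence host. A `tls_no_response` or `http_no_response` result while `pfcmd service httpd.admin status` reports the service running points at the web process itself rather than the network (Fabrice's suggestion in this thread was to install `libposix-atfork-perl` and restart PacketFence); `refused` means nothing is listening any more, so check the service and the iptables INPUT chain again.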


Re: [PacketFence-users] DOT1x with LDAP Authenticaion

2016-12-15 Thread Etienne Vella
Hi Fabrice,

Thanks for your help so far; we managed to make a lot of progress with regards
to PacketFence and DOT1X. I have a small issue with machine authentication.
What I did so far from my end is that I've created a new AD source with a
different base DN for computers and user attribute servicePrincipalName.
Then I created a new Portal Profile with connection_Type = Ethernet-EAP. I
created a realm "host", but from the debug the 'Checking for prefix before "\"'
is not matching the realm, as the username is being sent as "host\" and not
"host/". Any suggestions?

Regards,
Etienne


On Fri, Nov 25, 2016 at 6:59 PM, Fabrice Durand  wrote:

> Hi Etienne,
>
> Ok so here what you have to do:
>
> Join packetfence to your domain.
>
> Create an authentication source with a rule that will assign a role based on
> group membership.
>
> Create a firewall SSO config to send accounting from PacketFence to your
> Fortigate.
>
> That's all, there is no need to tell the switch to send accounting packets;
> PacketFence will do it for you.
>
> If you want more details, I am available on the freenode IRC #packetfence
> channel.
>
> Regards
>
> Fabrice
>
>
>
> On 2016-11-25 at 12:30, Etienne Vella wrote:
>
> Hi Fabrice,
>
>
> The idea is to have a user log in via dot1x (wired/wireless); then
> PacketFence should check with Active Directory regarding credentials, then, before
> authenticating, PacketFence should check for a particular group to apply
> the VLAN allocation rules. Once authenticated, the switch would send
> accounting packets to Fortigate firewalls with a modified class according
> to the group which was met in the authentication part.
>
>
> If someone else has a better approach, I'm very open to suggestions. In
> the end we would like to have SSO from network layer 2 up to the
> firewall.
>
> Regards,
> Et
>
>
> On Fri, Nov 25, 2016 at 5:30 PM, Fabrice Durand wrote:
>
>> Hi Etienne,
>>
>> Do you have an example of what you want to send and what is the firewall
>> type ?
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2016-11-25 at 11:02, Etienne Vella wrote:
>>
>> Hi,
>>
>> Thanks for your reply but I'm not able to modify any classes there.
>>
>> Any ideas on how to do class mappings?
>>
>> Regards
>> Et
>>
>> On Fri, 25 Nov 2016, 15:59 Fabrice Durand,  wrote:
>>
>>> Hello Etienne,
>>>
>>> This feature is called Firewall SSO in PacketFence; have a look in
>>> Configuration -> Firewall SSO.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>>
>>> On 2016-11-25 at 07:07, Etienne Vella wrote:
>>>
>>> Hi,
>>>
>>> I'm currently trying to deploy PacketFence to be used with DOT1x and
>>> SSO. I managed to configure rules under User Sources -> Active Directory.
>>> But I would like to add some logic to assign a class in the RADIUS accounting
>>> packets so that the firewall could assign that user to that particular
>>> group. Basically, in short, I would need to modify the class of the
>>> accounting packets which are being sent to SSO with specific classes
>>> according to specific groups. Basically we are in the process of eliminating
>>> Microsoft NAP for DOT1x.
>>>
>>>
>>> Regards,
>>> Etienne
>>>
>>>
>>>
>
> --
> Cheers Etienne
>
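
As an added example for the realm question in this message (it is not PacketFence's or FreeRADIUS's own code): a stand-alone re-implementation of the three usual ways a RADIUS User-Name is split into user and realm, so you can see which rule a given identity form hits. The 'Checking for prefix before "\"' line in the debug output is the backslash-prefix rule; a suffix rule splits on "@"; and a `host/fqdn` machine identity matches neither, so this example derives its realm from the DNS suffix instead and keeps the whole identity for the servicePrincipalName lookup. The sample identities, realm names and source names are constructed for the example.

```python
"""Which realm rule does a RADIUS User-Name hit, and which realm entry is selected?

Re-implementation of the usual splitting rules, written for this thread; it is
not PacketFence or FreeRADIUS code. Realm names, source names and the sample
identities are constructed.
"""
from typing import Dict, Optional, Tuple


def split_realm(username: str) -> Tuple[str, Optional[str], str]:
    """Return (user_for_lookup, realm, rule).

    rule is the pattern that matched:
      'suffix'   alice@corp.example.com      -> ('alice', 'corp.example.com')
      'ntdomain' CORP\\alice                 -> ('alice', 'corp')   prefix before "\\"
      'hostspn'  host/pc01.corp.example.com  -> (unchanged, 'corp.example.com')
      'none'     alice                       -> ('alice', None)
    A machine identity is returned whole because an AD lookup keyed on
    servicePrincipalName needs the full host/fqdn value.
    """
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm.lower(), "suffix"
    if "\\" in username:
        realm, user = username.split("\\", 1)  # the 'prefix before "\"' check
        return user, realm.lower(), "ntdomain"
    if username.lower().startswith("host/"):
        fqdn = username[len("host/"):]
        realm = fqdn.split(".", 1)[1].lower() if "." in fqdn else None
        return username, realm, "hostspn"
    return username, None, "none"


def pick_realm(username: str, realms: Dict[str, str]) -> Tuple[str, str, str]:
    """Map a User-Name onto (realm entry name, its authentication source, rule that fired).

    Falls back to the 'default' entry when no configured realm name matches,
    which is where an identity with an unexpected shape ends up.
    """
    _, realm, rule = split_realm(username)
    if realm is not None and realm in realms:
        return realm, realms[realm], rule
    return "default", realms["default"], rule


# Constructed realm table: realm entry name -> authentication source.
# 'ad_computers' stands for a source with the computers base DN and the
# servicePrincipalName user attribute; 'ad_users' for the ordinary user source.
REALMS = {
    "corp.example.com": "ad_computers",
    "corp": "ad_users",
    "host": "ad_computers",
    "default": "ad_users",
}


def explain(username: str, realms: Dict[str, str]) -> str:
    """One line per identity: which rule fired and which realm entry it selects."""
    entry, source, rule = pick_realm(username, realms)
    return f"{username!r:34} rule={rule:9} realm entry={entry!r:20} source={source}"


if __name__ == "__main__":
    # Note the two machine-identity shapes: a backslash selects the 'host' entry
    # via the prefix rule, a slash selects the entry named after the DNS suffix.
    for name in ("alice@corp.example.com", "CORP\\alice", "host\\pc01",
                 "host/pc01.corp.example.com", "host/pc01", "alice"):
        print(explain(name, REALMS))
```

The point to take away is that a realm entry is only ever selected by the realm string a rule extracts: the same machine account routes to different entries depending on whether the supplicant's identity carries a backslash or a slash, and an identity with no matching rule falls through to the default realm and its source.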