Re: [PacketFence-users] PF 7 routed mode

2017-05-15 Thread luca comes
Hi Torry,

Yes, I'm sending UDP reflector traffic to the mgmt IP of the server and it works fine. I
configured the helper address only for the registration/isolation VLAN but it
doesn't work. I also tried to configure routed networks from the web GUI as
suggested by Tim in another post, and in fact routes are added to the routing
table, but the process is still not working. I also noticed that the PF routes
daemon doesn't start at all. Is it a bug?


Luca


Sent from Outlook



From: Torry, Andrew
Sent: Friday, 12 May 2017 18:12
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PF 7 routed mode


Hi Luca,



Using UDP reflector makes the ip-helper option obsolete.



Does your UDP reflector send its data to the management IP? It must, as this
is the interface the pfdhcplistener process listens on, usually eth0.



Andrew



From: luca comes [mailto:lucaco...@hotmail.it]
Sent: 12 May 2017 16:19
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PF 7 routed mode



Hi Andrew,

I apologize, but it's not so clear to me. For the MAC address identification
I've installed UDP reflector on my production DHCP and that's working fine. The
problem is that no DHCP requests are arriving at the server; what helper address
should I configure on my remote switches? At the moment I've configured the IP
of the PF server on the registration VLAN, but with this configuration should the
server receive the request on the registration interface and respond on
the management one? Below is my switch configuration:



interface Vlan148
 description Isolation
 ip address 10.148.105.1 255.255.255.0
 ip helper-address 10.255.30.5

interface Vlan149
 description Registration
 ip address 10.149.105.1 255.255.255.0
 ip helper-address 10.255.20.5



And on the server side:



Interfaces:



[interface ens160]
ip=172.27.17.5
type=management
mask=255.255.255.0

[interface ens192.2446]
enforcement=vlan
ip=10.255.30.5
type=internal
mask=255.255.255.0

[interface ens192.2445]
enforcement=vlan
ip=10.255.20.5
type=internal
mask=255.255.255.0





Networks:



#
## Local PF Isolation VLAN ##
#
[10.255.30.0]
dns=10.255.30.5
dhcp_start=10.255.30.10
gateway=10.255.30.5
domain-name=vlan-isolation.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=10.255.30.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30


## Local PF Registration VLAN ##

[10.255.20.0]
dns=10.255.20.5
dhcp_start=10.255.20.10
gateway=10.255.20.5
domain-name=vlan-registration.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=10.255.20.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

#
## Remote Isolation VLAN ##
#
[10.148.105.0]
dns=10.255.30.5
dhcp_start=10.148.105.10
gateway=10.148.105.1
domain-name=vlan-isolation-ge.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.148.105.200
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30



#
### Remote Registration VLAN ##
#
[10.149.105.0]
dns=10.255.20.5
dhcp_start=10.149.105.10
gateway=10.149.105.1
domain-name=vlan-registration-ge.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.149.105.200
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30
next_hop=10.255.20.231



Thank you in advance



Luca









From: Torry, Andrew
Sent: Friday, 12 May 2017 16:12
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PF 7 routed mode



Hi Luca,



In routed mode the PF is effectively 'out-of-band', so you would not need to add
local routes on the PF server for your remote subnets, since your PF will be
using its default gateway to reach devices on them.



The IPTABLES should be automatically configured to allow the remote subnets to
hit the captive portal (on your Registration interface) on HTTP/HTTPS and also
to access the MGMT IP address for DNS (which is how the captive portal works).



Remember that PF uses MAC addresses only for identifying NODES, and in a routed
environment your PF server will never see the MAC address of the user's
device(s) unless you have set up either:



Your PF server is the DHCP server for your remote subnets (can produce a big
load on the PF server on big networks running over slow WAN links).



or



Your PF server (MGMT interface) is configured as an IP-HELPER for your remo

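As an added example that is not part of this thread or of PacketFence's own code: the following Python decodes a DHCP packet the way a listener bound to the management interface would see it once a switch forwards it with ip helper-address. The client MAC comes from chaddr and the originating VLAN from giaddr, which the relaying switch sets to its own SVI address (it also increments hops), so a box that is not on the client's VLAN still learns both. The subnet-to-type map reuses the two remote networks from Luca's networks.conf; the DISCOVER packet, the MAC and the hostname are constructed for illustration.

```python
"""Decode a relayed DHCP packet: client MAC from chaddr, source VLAN from giaddr.

Added example, not PacketFence code. The network map and the packet built by
build_discover() are assumptions for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

# Assumed map of relay (giaddr) subnets to PacketFence network types, taken
# from the two remote networks in the networks.conf quoted above.
NETWORKS = {
    "10.149.105.0/24": "vlan-registration",
    "10.148.105.0/24": "vlan-isolation",
}


@dataclass
class DhcpInfo:
    xid: int
    hops: int
    client_mac: str
    ciaddr: str
    giaddr: str
    msg_type: Optional[str]
    hostname: Optional[str]
    options: Dict[int, bytes]

    @property
    def relayed(self) -> bool:
        # giaddr stays 0.0.0.0 unless a relay agent forwarded the packet.
        return self.giaddr != "0.0.0.0"


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp(payload: bytes) -> DhcpInfo:
    """Parse the fixed BOOTP header and the TLV options after the magic cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    if hlen > 16:
        raise ValueError("bad hlen")
    ciaddr, giaddr = payload[12:16], payload[24:28]
    chaddr = payload[28:28 + hlen]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    mt = options.get(53)
    hostname = options.get(12)
    return DhcpInfo(
        xid=xid,
        hops=hops,
        client_mac=":".join("%02x" % b for b in chaddr),
        ciaddr=_ip(ciaddr),
        giaddr=_ip(giaddr),
        msg_type=MSG_TYPES.get(mt[0]) if mt else None,
        hostname=hostname.decode("ascii", "replace") if hostname else None,
        options=options,
    )


def classify(info: DhcpInfo, networks: Dict[str, str] = NETWORKS) -> Optional[str]:
    """Map a relayed request to the configured network its giaddr falls in."""
    if not info.relayed:
        return None  # local broadcast: the receiving interface decides, not giaddr
    relay = ipaddress.ip_address(info.giaddr)
    for cidr, kind in networks.items():
        if relay in ipaddress.ip_network(cidr):
            return kind
    return None


def build_discover(mac: bytes, giaddr: str, hostname: str, xid: int = 0x1234) -> bytes:
    """Constructed DHCPDISCOVER as a relay would forward it (hops=1, giaddr set)."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1, xid, secs=0, flags=broadcast
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, 0x8000)
    hdr += bytes(4) * 3 + ipaddress.ip_address(giaddr).packed  # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + bytes(64) + bytes(128)     # chaddr, sname, file
    opts = (MAGIC_COOKIE + bytes([53, 1, 1])                   # message type DISCOVER
            + bytes([12, len(hostname)]) + hostname.encode("ascii")
            + bytes([255]))
    return hdr + opts


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122334455"), "10.149.105.1", "lab-pc")
    info = parse_dhcp(pkt)
    print(info.msg_type, info.client_mac, "via", info.giaddr, "->", classify(info))
```

The point of the example is the two fields a listener needs: a helper address pointing at the PF registration/isolation IP still delivers a packet whose giaddr is the remote SVI, so the subnet can be matched against networks.conf, but only if the listener is actually bound to the interface the packet arrives on.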
[PacketFence-users] "pfdhcplistener"/"locationlog" issues....

2017-05-15 Thread Damiano Verzulli
We're trying to set up a new PF box (6.5.1) to replace our current 5.3.1.

One of the main reasons for such an upgrade is that currently (5.3.1) we
experience several "pfdhcplistener" issues: it often "hangs", preventing the
captive portal from retrieving the MAC address of the "client" and, due to
this, preventing the client from being properly managed (BTW: we are in "inline L2"
mode, where the PF box acts as gateway for 25 different VLANs).

So we decided to try OMAPI, so that the captive portal will ask the DHCP server
directly about the lease, without the need for "pfdhcplistener"
support.

While testing this new environment (inline L2 + captive portal + OMAPI and
_NO_ pfdhcplistener), we are fighting with a new problem: we have an
_EMPTY_ "locationlog" MySQL table and, due to this, the captive
portal, even if it correctly shows the remote MAC address in the footer of
the web page, raises an error (in the LOGS) right after the authentication,
like this:

--
May 15 13:06:14 httpd.portal(3357) WARN: [mac:30:c7:ae:5f:21:59] Can't
re-evaluate access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)
--

Actually it's correct, as the locationlog table is _EMPTY_ and there is
_NO_ sign, within the whole set of MySQL queries, of an "insert" or "update".

After searching throughout the ML archive we saw previous issues related to
"missing locationlog entries" originating from a missing/malfunctioning pfdhcplistener.

So we tried to _TURN BACK ON_ the previously shut-down PFDHCPLISTENER
process and everything went fine. Now the locationlog is properly
populated, and we guess that this is due to the activity of pfdhcplistener.

So, in the end, the question is:

- does the pfdhcplistener service need to be running even if PF is relying on
OMAPI?

Thanks,
DV


-- 
Damiano Verzulli
e-mail: dami...@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
  http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Radius Server Authentication

2017-05-15 Thread Daniel Germann
Hello Packetfence Users,

I've got a problem with PacketFence. I'm using the PacketFence Zero
Effort NAC v7 on a server with an HP2500 switch in hybrid enforcement. I
want to use bandwidth limitation and therefore I need RADIUS
accounting. I set up a new RADIUS authentication source with the
localhost address and set the secret on both PacketFence and the switch. I
created a local user in the RADIUS users file and want to sign in,
but the RADIUS server rejected it. The RADIUS log says:

May 15 08:14:02 PacketFence-ZEN auth[4384]: Need 1 more connections to reach min connections (3)
May 15 08:14:02 PacketFence-ZEN auth[4384]: rlm_rest (rest): Opening additional connection (11), 1 of 62 pending slots used
May 15 08:14:02 PacketFence-ZEN auth[4384]: Need 1 more connections to reach min connections (3)
May 15 08:14:02 PacketFence-ZEN auth[4384]: rlm_sql (sql): Opening additional connection (13), 1 of 62 pending slots used
May 15 08:14:02 PacketFence-ZEN auth[4384]: (12) Rejected in post-auth: [steve] (from client localhost port 12)
May 15 08:14:16 PacketFence-ZEN auth[4384]: (13) rest: ERROR: Server returned:
May 15 08:14:16 PacketFence-ZEN auth[4384]: (13) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"CLI Access is not allowed by PacketFence on this switch"}


Regards,

Daniel






[PacketFence-users] Installation

2017-05-15 Thread Dahir Abass
Hello,


I'm trying to deploy PacketFence on my network. We have Brocade FastIron
switches. I have installed the PacketFence application and am trying to configure
the switch. I created the registration VLAN, the isolation VLAN and the guest VLAN. In
addition I have 2 VLANs for normal traffic and a phone VLAN. Could you point me
in the right direction on switch port configuration? I'm giving up, yet I'm close.


Please help.


Jamal