Re: [PacketFence-users] R: R: network-access-detection

2017-08-08 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

You probably misconfigured the DNS.

Can you give me your networks.conf?

Regards

Fabrice



On 2017-08-07 at 11:51, Alessandro Canella via PacketFence-users wrote:
>
> I’ve retried and checked traffic.
>
> As written, I’m in inline, users authenticate but GIF cannot be
> retrieved.
>
> But not only: from a successfully registered client, I cannot query
> DNS. And any other packet works fine….
>
> How can I check where the “deny” that stops me is?
>
> *From:* Alessandro Canella via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Friday, 4 August 2017 08:18
> *To:* Ludovic Zammit;
> packetfence-users@lists.sourceforge.net
> *Cc:* Alessandro Canella
> *Subject:* [PacketFence-users] R: network-access-detection
>
> Hello Ludovic,
>
> I’ve tried with Win10, tested with both IPs (I know, if I test the
> first reachable is not correct…). I’ve left Vlan Enforce due to
> incompatibility of switches, so I’m in inline mode.
>
> I will try to raise the timeout to 90 secs and to open it by hand in a new tab.
>
> Later I will recap tests.
>
> Thanks in advance.
>
> *From:* Ludovic Zammit [mailto:lzam...@inverse.ca]
> *Sent:* Thursday, 3 August 2017 19:40
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Alessandro Canella
> *Subject:* Re: [PacketFence-users] network-access-detection
>
> Hello Alessandro,
>
> Are you using Mac OS X? Which PacketFence version are you using?
>
> By default on the ZEN it will try to reach our public IP.
>
> Once you get authorized after the registration process you will need to
> check if you have been placed into the correct VLAN (in VLAN enforcement
> mode) and got the proper IP address.
>
> Check also if you have internet, it's known for Mac OS X devices that
> they are slow to release their IP and pick up the new one (~90secs).
>
> Try to have a tab open on the network-access-detection.gif and see if
> it loads after the registration process.
>
> Thanks,
>
> Ludovic Zammit
> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> PacketFence (http://packetfence.org)
>
> On Aug 3, 2017, at 11:41 AM, Alessandro Canella via
> PacketFence-users wrote:
>
> Hello all,
>
> I still have a problem
> detecting /common/network-access-detection.gif after access is
> granted. I’m using the ZEN version.
>
> I’ve tried a lot of different configs. All seems fine, the GIF is
> reachable from both sides of inline mode but “unable to detect” is
> the last portal page that I have seen.
>
> Any ideas about which log to explore?

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] wmi query without result, how do I trigger an action

2017-08-08 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

Can you put the log of pfqueue in TRACE and retry? You will have more
debug to understand what happens.

Edit conf/log/conf.d/pfqueue.conf

### pfqueue logger ###
log4perl.rootLogger = TRACE, QUEUE_SYSLOG

Regards
Fabrice

On 2017-08-07 at 09:23, Cristian Mammoli via PacketFence-users wrote:
> Hi, this is pretty trivial I think but I didn't find a way to make it
> work.
> I want to trigger a violation when a client has no antivirus
> installed, I configured a wmi rule like this:
>
> [custom_Antivirus]
> request=select * from AntiVirusProduct
> namespace=ROOT\SecurityCenter2
> action= <<EOT
> [AntivirusPresent]
> attribute = displayName
> operator = match
> value = *
>
> [1:!AntivirusPresent]
> action=trigger_violation
> action_param = mac = $mac, tid = 12, type = INTERNAL
> EOT
> on_tab=1
>
> But it does not work, I think the problem is that the query does not
> return any result and I get in the logs:
>
> pfqueue(7319) ERROR: [mac:20:cf:30:36:7c:bb] No WMI header given in
> string '' (pf::scan::wmi::rules::parseResult)

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] wmi query without result, how do I trigger an action

2017-08-08 Thread Cristian Mammoli via PacketFence-users
Hi Fabrice, as I wrote in the previous reply I found the issue with my 
configuration (a missing dot in the value statement). I still get the 
warning when the query does not return results but the violation gets 
correctly triggered.


I can send you the debug lines anyway if you want

Ty

On 08/08/2017 14:43, Fabrice Durand via PacketFence-users wrote:

> Hello Cristian,
>
> Can you put the log of pfqueue in TRACE and retry? You will have more
> debug to understand what happens.
>
> Edit conf/log/conf.d/pfqueue.conf
>
> ### pfqueue logger ###
> log4perl.rootLogger = TRACE, QUEUE_SYSLOG
>
> Regards
> Fabrice





[PacketFence-users] passthrough only opens ports 80 and 443 even if proto and port are defined

2017-08-08 Thread Cristian Mammoli via PacketFence-users
Hi, I don't know if I'm hitting a bug or I'm missing something. I'm 
using 7.2 (ZEN), enabled passthrough and configured it like this:


[root@srvpf ~]# grep ^passt /usr/local/pf/conf/pf.conf
passthrough=enabled
passthroughs=*.facebook.com,*.fbcdn.net,*.akamaihd.net,portquiz.net:tcp:8080

Notice that the last one has a port defined. Unfortunately the only 
ports opened are 80 and 443:


[root@srvpf ~]# ipset list pfsession_passthrough
Name: pfsession_passthrough
Type: hash:ip,port
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16592
References: 2
Members:
178.33.250.62,tcp:80
178.33.250.62,tcp:443

Where 178.33.250.62 is the IP address of portquiz.net.

This is a log snippet of pfdns in TRACE mode

Aug  8 17:04:15 srvpf pfdns: pfdns(3121) DEBUG: [mac:[undef]] pfdns: 
caught SIGTERM - terminating (main::normal_sighandler)
Aug  8 17:04:15 srvpf pfdns: pfdns(3121) INFO: [mac:[undef]] stopping 
pfdns (main::END)
Aug  8 17:04:23 srvpf pfdns: pfdns(4628) DEBUG: [mac:[undef]] invalid 
IP:  from __ANON__ (pf::util::valid_ip)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) DEBUG: [mac:[undef]] cache get 
for namespace='configfiles', key='/usr/local/pf/conf/pf.conf', 
cache='Redis:l1_cache', time='0ms': MISS (not in cache) 
(CHI::Driver::_log_get_result)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) DEBUG: [mac:[undef]] cache get 
for namespace='Default', key='HASH(0x3e4b210)', cache='RawMemory', 
time='0ms': MISS (not in cache) 
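
A check for the mismatch reported in the post above, as an added example that is not part of the original post and is not PacketFence code: it parses the `passthroughs=` line and the `ipset list` output and reports configured `proto:port` entries that are missing from the set. The function names are hypothetical, the hostname-to-IP map stands in for a DNS lookup so the script runs offline, and the tcp:80/tcp:443 default for entries without a port is an assumption.

```python
# Added example: compare configured passthroughs with the live ipset.
# Function names are hypothetical; sample data is constructed from the post.
DEFAULT_PORTS = ("tcp:80", "tcp:443")  # assumption: used when no port is given

PF_CONF_LINE = ("passthroughs=*.facebook.com,*.fbcdn.net,*.akamaihd.net,"
                "portquiz.net:tcp:8080")

IPSET_OUTPUT = """\
Name: pfsession_passthrough
Type: hash:ip,port
Members:
178.33.250.62,tcp:80
178.33.250.62,tcp:443
"""

RESOLVED = {"portquiz.net": ["178.33.250.62"]}  # stands in for a DNS lookup


def parse_passthroughs(line):
    """Return {hostname: [proto:port, ...]} from a passthroughs= line."""
    _, _, value = line.partition("=")
    wanted = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        host, _, port = entry.partition(":")
        ports = [port.lower()] if port else list(DEFAULT_PORTS)
        wanted.setdefault(host.lower(), []).extend(ports)
    return wanted


def parse_ipset_members(output):
    """Return the set of (ip, proto:port) pairs listed after 'Members:'."""
    _, _, members = output.partition("Members:")
    return {tuple(row.split(",", 1)) for row in members.split()}


def missing_entries(conf_line, ipset_output, resolved):
    """List (host, ip, proto:port) configured but absent from the ipset."""
    present = parse_ipset_members(ipset_output)
    return [(host, ip, port)
            for host, ports in parse_passthroughs(conf_line).items()
            for ip in resolved.get(host, [])  # wildcard entries are skipped
            for port in ports
            if (ip, port) not in present]


if __name__ == "__main__":
    for host, ip, port in missing_entries(PF_CONF_LINE, IPSET_OUTPUT, RESOLVED):
        print(f"{host} ({ip}): {port} configured but not in ipset")
```
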

Re: [PacketFence-users] passthrough only opens ports 80 and 443 even if proto and port are defined

2017-08-08 Thread Cristian Mammoli via PacketFence-users
Poking in the code I found that pfdns calls matches_passthrough in 
lib/pf/util/dns.pm which returns the following (with data dumper):


1,
$VAR1 = [
  'tcp:8080'
];

But it does not work


Re: [PacketFence-users] passthrough only opens ports 80 and 443 even if proto and port are defined

2017-08-08 Thread Cristian Mammoli via PacketFence-users

I fixed it like this but I'm not sure whether I'm breaking something else:

[root@srvpf pf]# diff -Naur sbin/pfdns.orig sbin/pfdns
--- sbin/pfdns.orig 2017-08-08 18:40:40.006571993 +0200
+++ sbin/pfdns  2017-08-08 18:42:53.040963724 +0200
@@ -448,7 +448,7 @@
 my $query_non_filtered = resolve_with_cache("A", $qname);
 my @ip_port_pairs;
 if ($query_non_filtered) {
-push @ip_port_pairs, 
format_query_to_ip_port($query_non_filtered, $HTTP_PORT, $HTTPS_PORT);
+push @ip_port_pairs, 
format_query_to_ip_port($query_non_filtered, $HTTP_PORT, $HTTPS_PORT, 
@$ports);

 push @ans, $query_non_filtered->answer;
 if (@ans) {
 $results{rcode} = "NOERROR";
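
Review bot: on the changed `push @ip_port_pairs` line, `@$ports` is appended after `$HTTP_PORT` and `$HTTPS_PORT` rather than replacing them, so a passthrough configured with an explicit port still gets 80 and 443 opened for the resolved address in addition to the configured one. If the intent of a `host:proto:port` entry is to open only that port, pass the two defaults only when no port was configured for the matched name. `$ports` is also not declared anywhere in the visible context, so confirm it is in scope at this point and always holds an array reference, and that `format_query_to_ip_port` accepts its values in the same form as the two existing arguments.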


On 08/08/2017 17:44, Cristian Mammoli via PacketFence-users wrote:
> Poking in the code I found that pfdns calls matches_passthrough in
> lib/pf/util/dns.pm which returns the following (with data dumper):





[PacketFence-users] Android wireless provisioning error

2017-08-08 Thread Akala Kehinde via PacketFence-users
Hello guys,

I get this error while trying to do Android wireless provisioning, when I
click on the configure button on the PF android app:

Aug  8 19:42:38 egelsbach packetfence_httpd.portal: httpd.portal(9458)
INFO: [mac:f0:d7:aa:87:a6:ad] User default has authenticated on the portal.
(Class::MOP::Class:::after)
Aug  8 19:42:38 egelsbach packetfence_httpd.portal: httpd.portal(9458)
ERROR: [mac:f0:d7:aa:87:a6:ad] Caught exception in
captiveportal::Controller::WirelessProfile->index "Can't call method
"profile_template" on an undefined value at
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/WirelessProfile.pm
line 41." (captiveportal::PacketFence::Controller::Root::end)

Any ideas?

Regards,
Kehinde


[PacketFence-users] Packetfence with Meraki MR APs

2017-08-08 Thread Callahan, Tom via PacketFence-users
I've dug as deep as possible into the mailing lists and documentation, and 
tried numerous different ways I've found to set up an SSID from a Meraki MR AP 
to utilize Packetfence, but I've had no luck.

My Network:
Packetfence has one interface which is a trunk

  *   Main IP: 10.4.1.125
  *   Registration: 10.10.81.5 (VLAN 801)
  *   Isolation: 10.10.82.5 (VLAN 802)

Meraki Device is 10.10.42.129

In Packetfence, I have the Meraki MR AP internal IP (10.10.42.129) added as a 
Switch, as type Meraki::MR_v2. Role by Switch Role has default as "Authorized 
devices" and Guest as "Guest". Role by Web Auth URL has registration set to 
http://10.10.81.5/Meraki::MR_v2

In the Meraki portal, I have followed all the steps in 
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_meraki

When I try to connect to the SSID (PacketFenceTest), it prompts me for a 
password.

What am I doing wrong, or can someone point me in the right direction? My end 
goal is to have a single SSID that will provide Guest access if the device is 
not registered, or employee access if the device is registered.

Thanks,
---
Tom Callahan
Assistant Vice President, Infrastructure
The Baltimore Life Insurance Company
443.681.7695 (direct)
410.382.1093 (cell)
