Re: [PacketFence-users] NULL realm

2018-01-24 Thread Durand fabrice via PacketFence-users

Hello Eugene,

The NULL realm is located in realm.conf.defaults.

Regards

Fabrice



On 2018-01-23 at 14:14, E.P. via PacketFence-users wrote:


Guys,

I wonder if I can make PF bypass NULL realm processing?

The reason is that we want to use only the user ID in the username field.

If we use it like this, then the authentication attempt hits the NULL realm.

I tried to remove it from the PF GUI but it still stays there.

Interesting that it is not listed in the realm.conf file:

++

[root]@[PacketFence-ZEN conf]#cat realm.conf
[DEFAULT]
domain=optionsas
options=strip

[options]
domain=optionsad

[options.bc.ca]
domain=optionsad

+

Eugene



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users



Re: [PacketFence-users] pf with ruckus smartzone not working for me

2018-01-24 Thread Durand fabrice via PacketFence-users

uip is supposed to be the client IP address:
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Ruckus/SmartZone.pm#L51

Can you force this parameter to be the IP?


On 2018-01-23 at 08:45, Support Procyon Networks wrote:


Hello Fabrice,

Thanks for your reaction.

7.3.0

When the error happens I do web-auth, out of band. Lines where it hits
the httpd.portal.access:


Jan 23 11:18:05 PacketFence-ZEN httpd_portal: 192.168.220.13 127.0.0.1 
- - [23/Jan/2018:11:18:05 +] "192.168.220.25" "GET 
/RuckusSmartZone?nbiIP=192.168.220.109_mac=ENCdedffb22233f6dee169d8339ea6a2325aaefa125bbcc857a=Un-Auth-SSL-Captive=packet73b=scg.ruckuswireless.com=packet73b=94:f6:65:34:b0:a0=https%3A%2F%2Fwww.nu.nl%2F=0=1=2=scg.ruckuswireless.com=jdi2xaFK89CJw7M8T-h4jHpXZCNLWwDE1zEIRFYPVpI_1516706284464=ENCb2579826807a64300d278fcdfdc57709 
HTTP/1.1" 302 1843 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F 
Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/63.0.3239.111 Mobile Safari/537.36" 141044


Jan 23 11:18:05 PacketFence-ZEN httpd_portal: 192.168.220.13 127.0.0.1 
- - [23/Jan/2018:11:18:05 +] "192.168.220.25" "GET 
/captive-portal?destination_url=https://www.nu.nl/=192.168.220.109_mac=ENCdedffb22233f6dee169d8339ea6a2325aaefa125bbcc857a=Un-Auth-SSL-Captive=packet73b=scg.ruckuswireless.com=packet73b=94:f6:65:34:b0:a0=https%3A%2F%2Fwww.nu.nl%2F=0=1=2=scg.ruckuswireless.com=jdi2xaFK89CJw7M8T-h4jHpXZCNLWwDE1zEIRFYPVpI_1516706284464=ENCb2579826807a64300d278fcdfdc57709 
HTTP/1.1" 500 926 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F 
Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/63.0.3239.111 Mobile Safari/537.36" 141713


192.168.220.13 = client

192.168.220.10 = vSCG/vSZ 3.6

Here is the error in the browser:

Application error : Caught exception in 
captiveportal::Controller::Root->getLanguages "Can't call method 
"normalizedIP" on an undefined value at 
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Model/Portal/Session.pm 
line 249." Caught exception in 
captiveportal::Controller::Root->setupLanguage "Can't use string ("0") 
as an ARRAY ref while "strict refs" in use at 
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Root.pm 
line 189." Caught exception in 
captiveportal::Controller::Root->setupDynamicRouting "Can't call 
method "normalizedIP" on an undefined value at 
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Model/Portal/Session.pm 
line 249." Caught exception in 
captiveportal::Controller::Root->dynamic_application "Can't call 
method "execute" on an undefined value at 
/usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/Controller/Root.pm 
line 156."


7.2.0

You stated: Also to reevaluate an access on Ruckus SmartZone,
PacketFence uses the web API of the controller, so you need to fill the
webservice tab in the switch config (pf side).


I have done that, but no result. I don't see any communication between
pf and vSCG after or during portal -> guest access -> email based reg.
After this I can see he doesn't detect the network, and I can't browse. I
can see with Wireshark on the client side that he does connect with
192.95.20.194, does a GET for the gif, and gets a response. But still
not auth by the Ruckus vSCG/vSZ.


Here is my config for the vSCG/vSZ.

[192.168.220.109]
wsPwd=**
mode=production
ExternalPortalEnforcement=Y
description=scg36
type=Ruckus::SmartZone
radiusSecret=***
wsUser=ruckus
registrationVlan=-1

Hope you can see what I am doing wrong.

Regards.

Barry

*From:*Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]

*Sent:* 16 January 2018 15:53
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Fabrice Durand 
*Subject:* Re: [PacketFence-users] pf with ruckus smartzone not 
working for me


Hello Barry,

When the error happens, is it when you try to do web-auth or out of
band? (if you have the httpd.portal.access lines when you hit the portal)


Because it looks like PacketFence is not able to fetch your IP address.

Also to reevaluate an access on Ruckus SmartZone, PacketFence uses the
web API of the controller, so you need to fill the webservice tab in
the switch config (pf side).


Regards

Fabrice

On 2018-01-16 at 03:42, Support Procyon Networks via PacketFence-users
wrote:


Dear Reader,

I have problems using pf in combination with a Ruckus SmartZone
controller, out of band, webauth. I want users who connect to the
guest SSID to get the portal and register with their email.

I configured the SmartZone controller according to
PacketFence_Network_Devices_Configuration_Guide. The rest of the
settings are all default.

When a client connects to the guest SSID he gets an application
error “Application error : Caught exception in
captiveportal::Controller::Root”; the full error message is at the end of
this mail.

This happens when using pf 7.3

When 

Re: [PacketFence-users] Problem with captive portal and ruckus zonedirector

2018-01-24 Thread Durand fabrice via PacketFence-users

webauth


On 2018-01-23 at 06:18, Fabricio Lorenzon via PacketFence-users wrote:

Hello Fabrice, thanks for the answer.
So, if I choose hotspot, which enforcement mechanism should I use in 
wizard? Webauth or Radius Enforcement?


Regards

Fabricio

2018-01-23 0:56 GMT-02:00 Durand fabrice via PacketFence-users:


Hello Fabricio,

you are mixing two concepts, inline and hotspot, so you have to
choose one of them.

If you choose inline then just assign the inline vlan to the ssid
without any radius config.

If you choose hotspot then assign a production vlan to the ssid
with radius/hotspot config (cf network admin guide).

Regards

Fabrice



On 2018-01-22 at 11:13, Fabricio Lorenzon via PacketFence-users
wrote:

Hello, I need help for the problem described below:

I am using packetfence in inline mode to authenticate users of
the wifi network through the captive portal integrated with
Facebook and Google in Oauth2 mode.
The packetfence server has a network interface with internet
access and one configured in inline mode for user access.
The access point (Ruckus) has a wlan in hotspot mode as described
in the "Network Devices Configuration Guide".
The moment the user connects to the WIFI network, the user is
directed to the inline interface of packetfence, accesses the
captive portal and can successfully authenticate using a google
or facebook account. The problem is that ruckus can not authorize
this user's access and the WIFI network remains with the message
"No internet access" and the device remains "unauthorized" in the
ruckus zonedirector web interface.

Thanks

Fabrício




Re: [PacketFence-users] users stay in registration VLAN after authentication success

2018-01-24 Thread Durand fabrice via PacketFence-users



On 2018-01-23 at 04:41, tom lo wrote:

Hi Fabrice,

We tried to uncheck the box "locationlog Close On Accounting Stop",
and restarted packetfence, but found the users are still stuck in
registration VLAN.
The queue count was zero at the moment.

We got the mysql output during each step in the registration process.

1. When user connects to WiFi, there was a new locationlog, end_time
is -00-00 00:00:00.

2. After the user goes to the captive portal, before doing any authentication,
the locationlog was changed with end_time marked.  (Does it mean the
locationlog was closed here?)

Yes ... do you have the content of the httpd.portal.access when the user
hits the portal?


3. And right after authentication, no new locationlog and no change to
existing locationlog.
Warning messages "Can't re-evaluate access because no open locationlog
entry was found" shown in log

4. We let the device connected to WiFi, and after few minutes, the
device is moved to the working VLAN, a new locationlog shown, end_time
is -00-00 00:00:00.




### right after user connects to WiFi

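+-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+
| mac               | switch      | port | vlan | role         | connection_type       | connection_sub_type | dot1x_username    | ssid   | start_time          | end_time            | switch_ip   | switch_mac        | stripped_user_name | realm | session_id |
+-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+
| 7c:04:00:11:22:33 | 172.18.4.61 | 0    | 501  | registration | Wireless-802.11-NoEAP | NULL                | 7c:04:00:11:22:33 | SSID_A | 2018-01-23 11:31:32 | -00-00 00:00:00     | 172.18.4.61 | 84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL       |
+-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+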


###  after User goes to captive portal, before authentication

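+-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+
| mac               | switch      | port | vlan | role         | connection_type       | connection_sub_type | dot1x_username    | ssid   | start_time          | end_time            | switch_ip   | switch_mac        | stripped_user_name | realm | session_id |
+-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+
| 7c:04:00:11:22:33 | 172.18.4.61 | 0    | 501  | registration | Wireless-802.11-NoEAP | NULL                | 7c:04:00:11:22:33 | SSID_A | 2018-01-23 11:31:32 | 2018-01-23 11:32:10 | 172.18.4.61 | 84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL       |
+-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+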


###  right after authentication, User stuck in registration vlan, no
new locationlog entry

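+-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+
| mac               | switch      | port | vlan | role         | connection_type       | connection_sub_type | dot1x_username    | ssid   | start_time          | end_time            | switch_ip   | switch_mac        | stripped_user_name | realm | session_id |
+-------------------+-------------+------+------+--------------+-----------------------+---------------------+-------------------+--------+---------------------+---------------------+-------------+-------------------+--------------------+-------+------------+
| 7c:04:00:11:22:33 | 172.18.4.61 | 0    | 501  | registration | Wireless-802.11-NoEAP | NULL                | 7c:04:00:11:22:33 | SSID_A | 2018-01-23 11:31:32 | 2018-01-23 11:32:10 | 172.18.4.61 | 84:18:3a:aa:bb:cc | 7c:04:00:11:22:33  | null  | NULL       |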

Re: [PacketFence-users] Number of devices to connect to the network

2018-01-24 Thread Durand fabrice via PacketFence-users

Weird, I am not able to reproduce it, which browser are you using?

Fabrice


On 2018-01-23 at 03:10, E.P. wrote:


I figured it out, Fabrice. Thanks for the ldapsearch tool guidance but 
it was my haste as usual ;)


I set “Matches” parameter to “All” and it turned out that the reply 
for the query against AD returned a membership in more than one group.


And of course this condition didn’t evaluate as true. I changed it to
“Any” and it is all good.


I guess Administration rule is not very important here but I found 
that the value for the “Access level” doesn’t show and I tried it in 
two different browsers:


Eugene

*From:*Durand fabrice [mailto:fdur...@inverse.ca]
*Sent:* Monday, January 22, 2018 6:59 PM
*To:* E.P.; packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Number of devices to connect to the 
network


Hello Eugene,

Use adsiedit.msc on the AD in order to have an LDAP view of your AD and
check the exact attribute/values.


On my side I use ldapsearch to fix that sort of issue
(http://www.vinidox.com/ldap/querying-an-ldap-server-from-the-command-line-with-ldap-utils-ldapsearch-ldapadd-ldapmodify/)


Regards

Fabrice

On 2018-01-22 at 16:54, E.P. wrote:

I’m observing a weird behavior while doing it, Fabrice.

I did create a rule that should match for just one condition, i.e.
memberOf

The user I’m authenticating does belong to Users CN in AD and I
can authenticate normally, here’s the output of pftest
authentication it.tech XXX command

But for some reason rules are not matched. I even tried to set the
condition to distinguishedName with value taken from AD

To be like this

What bothers me is that I don’t see any LDAP related details
coming from AD server while debugging radius and authenticating as
it.tech user.

Could it be the source of the problem ?

Eugene

*From:*Durand fabrice [mailto:fdur...@inverse.ca]
*Sent:* Friday, January 19, 2018 6:05 PM
*To:* E.P.; packetfence-users@lists.sourceforge.net

*Subject:* Re: [PacketFence-users] Number of devices to connect to
the network

In your AD authentication source, create a rule that matches a staff
group and assigns the staff role and an access duration. (memberof
equal cn=staff,dc=...)

Regards

Fabrice

On 2018-01-17 at 01:07, E.P. wrote:

Great!

That confirms my train of thought. But it is still not clear
to me how will it affect the user that authenticates against AD.

Yes, I have created a new role, called “staff” and yes, I have
set a limit of 2 devices for this role.

Then, the end-user just connects to SSID, authenticates and
gets on the network. How would I assign the user to the
“staff” role?

Is this where provisioners come to help ?

Eugene

*From:*Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
*Sent:* Tuesday, January 16, 2018 6:42 AM
*To:* packetfence-users@lists.sourceforge.net

*Cc:* Fabrice Durand
*Subject:* Re: [PacketFence-users] Number of devices to
connect to the network

Hello Eugene,

this is exactly where you have to control that.

So just set a limit on the roles where you want to limit the
number of devices per users.

Regards

Fabrice

On 2018-01-16 at 02:01, E.P. via PacketFence-users wrote:

It sounds close to the number of devices/nodes a user can
register which is configurable under
Configuration-Policies and access control-Roles, but we
don’t allow this luxury to anyone yet. Just regular
network admission control based on the active AD account

*From:*E.P. [mailto:ype...@gmail.com]
*Sent:* Monday, January 15, 2018 10:54 PM
*To:* packetfence-users@lists.sourceforge.net

*Subject:* Number of devices to connect to the network

Guys,

We are still at the early phases of PF deployment and only
now looking into AD based authentication for wireless devices

Is there any way to limit the number of user devices that
can be connected by one user?

Let’s say the user uses his/her laptop and roams around
remote sites where we provide WiFi with WPA2-Enterprise
and we also allow him/her use the phone (iPhone/Android).
No more devices to connect

Eugene








Re: [PacketFence-users] Problem with Certificates

2018-01-24 Thread Durand fabrice via PacketFence-users

Hello Hubert,

HAProxy terminates the SSL connection, so the certificate must be used by
HAProxy.


Take a look at
https://github.com/inverse-inc/packetfence/blob/devel/Makefile#L78 to
see how to do it.


Regards

Fabrice



On 2018-01-23 at 00:26, Hubert Kupper via PacketFence-users wrote:

Hello,

we have the following problem:
We want to replace the packetfence certs with certs from our PKI 
provider because the security warnings confuse some of our users. We 
copied the certs to /conf/ssl, checked 
/conf/httpd.conf.d/ssl-certificates.conf and the hostname in pf.conf. 
All seems to be ok. After restarting packetfence the registration page
for the users doesn't pop up. Packetfence.log shows no entries. When
we use the original certs from packetfence, the registration page pops
up and all things are fine. Did we forget a step when changing the certs?


Regards,
Hubert
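
HAProxy reads its certificate and private key from one combined PEM file. The script below is an added example, not code from this thread or from the PacketFence Makefile; it builds such a bundle and refuses to write it when the key does not belong to the certificate. The function name and its three path arguments are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not PacketFence code: build the combined PEM file that
# HAProxy's "crt" setting loads (certificate chain first, then private key).
# All three paths are supplied by the caller; none is taken from the thread.

# build_haproxy_pem CERT KEY OUT
# Returns 0 on success, 2 if an input cannot be parsed, 3 if the private key
# does not belong to the certificate, 4 if the bundle cannot be written.
build_haproxy_pem() {
    cert=$1 key=$2 out=$3

    # Public key of the first certificate in CERT (the leaf must come first).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2; return 2; }

    # Public key derived from the private key. The empty -passin makes a
    # passphrase-protected key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 2; }

    # A mismatched pair is caught before anything is written.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 3; }

    # The bundle contains the private key, so create it owner-readable only.
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 4
}

# Run stand-alone as: script CERT KEY OUT
if [ "$#" -eq 3 ]; then
    build_haproxy_pem "$@"
fi
```

If the output file already exists, its old permissions are kept, so check them after the first run.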


Re: [PacketFence-users] Issue defining interface type as management

2018-01-24 Thread Durand fabrice via PacketFence-users

More details maybe?


On 2018-01-23 at 02:24, Woody's Delve via PacketFence-users wrote:

Hi

I am facing an issue defining interface type as management.
Because of that I am not able to move forward with the configuration.
I am using the ZEN package in VMware for VLAN enforcement.

Thanks
