[PacketFence-users] Web-Auth

2018-05-24 Thread Pedro Trindade via PacketFence-users
I have a question regarding Web Auth on iOS devices,

So, after the authentication, the device is disconnected from the network
to be connected again.

However, on iOS devices I've been observing that the devices don't
automatically reconnect.

Did anyone experience a similar problem?

Best Regards,

Pedro
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Domain Member check/violation

2018-05-24 Thread Tougas , Joël via PacketFence-users
Hi,

We are looking into Packetfence to detect and isolate all computers that aren't 
part of our Active Directory domain. I've looked through the documentation and 
haven't seen any such violation we could implement. Is this something feasible 
i.e. registering computers based on their domain membership? In a nutshell, I 
would like to auto-register all members of the domain (Windows and Macs as 
well) and assign the non-members to a separate VLAN.

Thanks for your help!

Joël Tougas
IT Security Analyst
IT Services - Security and Governance Office
tougas.j...@uqam.ca
514 987-3000, poste 8249
servicesinformatiques.uqam.ca


[PacketFence-users] webauth enforcement with aerohive

2018-05-24 Thread Annibal Abreu via PacketFence-users
Hi

I have just installed PacketFence as Radius.

How do I change it to webauth enforcement?

How to set aerohive

Annibal Hoeschl Abreu
+55 (48) 3879.1652
+55 (48) 988.284.491


Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-24 Thread Fabrice Durand via PacketFence-users

Ok there is a bug, i need to fix it.



On 2018-05-24 at 11:33, jabang konate via PacketFence-users wrote:

hi fabrice.

10.18.23.60 is ip National Roaming Operator  eduroam in my Country.

attach my eduroam config file.


On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users 
> wrote:


What is 10.18.23.60 ?

can you share with me your file
/usr/local/pf/raddb/sites-enabled/eduroam ?


On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:

Hi fabrice,
today i try again with my packetfence.

in packetfence-tunnel configuration i change configuration like
this,
if (update) {
        update control {
         := No
        }
        }
 }
because from the output i don't see "ok", and then now i can
login with my ldap account but with port 1812 in my access point,
but not using port 11812.
if i'm using 11812 my request always forward to Realm eduroam my
home server, and not forward the request to packetfence virtual
server (sites-enabled/packetfence then
site-enabled/packetfence-tunnel) as you said in scenario 1.

(1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix
after "@"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm
"xyz.ac.id " for User-Name =
"testu...@xyz.ac.id "
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm
"xyz.ac.id "
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding
Stripped-User-Name = "testuser"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm =
"xyz.ac.id "
(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm
is LOCAL
(1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
(1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already
has destination realm set. Ignoring
(1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) 
-> TRUE
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  {
(1) Thu May 24 11:06:15 2018: Debug: update control {
(1) Thu May 24 11:06:15 2018: Debug:   } # update control = noop
(1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~
/@/)  = noop
(1) Thu May 24 11:06:15 2018: Debug: ... skipping else:
Preceding "if" was taken
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to
be proxied to Realm eduroam. Not doing EAP.
(1) Thu May 24 11:06:15 2018: Debug: [eap] = noop

attach my radiusd-eduroam.sock log and picture of my
configuration exclusive source eduroam .

Regards.


On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via
PacketFence-users > wrote:



On 2018-05-23 at 13:36, jabang konate via PacketFence-users
wrote:

Hi fabrice.

Thanks for speedy response.

> so i am not sure what you try to do with the ldap module.
ldap module for configuration user with openldap right? i
read in EAP Authentication against OpenLDAP.

yes, the only difference is that you have to disable
NTLM-Auth if ldap return ok to avoid "ERROR: mschap: Program
returned code (1) and output 'Reading winbind reply failed!
(0xc001)'".




> You have 3 scenarios:
yes i want like that,

I will try again and will share the results on this topic.

thank you for your advice fabrice.


On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via
PacketFence-users > wrote:

Hello Jabang,

so i am not sure what you try to do with the ldap module.

You have 3 scenarios:

1: a user from your university connect on the ssid
eduroam from your university.  (the ap/controller use
the port 11812)

You need to configure the local realm (let's say
myuniversity.org ) in the
eduroam authentication source and configure ldap in
packetfence-tunnel.
So when this user will try to connect on the eduroam
ssid with u...@myuniversity.org
 then the eduroam virtual
server will detect the realm myuniversity.org
 and forward the request to
packetfence virtual server (sites-enabled/packetfence
then site-enabled/packetfence-tunnel).
And in packetfence-tunnel 

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-24 Thread jabang konate via PacketFence-users
hi fabrice.

10.18.23.60 is ip National Roaming Operator  eduroam in my Country.

attach my eduroam config file.


On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> What is 10.18.23.60 ?
>
> can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam
> ?
>
> On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:
>
> Hi fabrice,
> today i try again with my packetfence.
>
> in packetfence-tunnel configuration i change configuration like this,
>if (update) {
> update control {
>  := No
> }
> }
>  }
> because from the output i don't see "ok", and then now i can login with my
> ldap account but with port 1812 in my access point, but not using port
> 11812.
> if i'm using 11812 my request always forward to Realm eduroam my home
> server, and not forward the request to packetfence virtual server
> (sites-enabled/packetfence then site-enabled/packetfence-tunnel) as you
> said in scenario 1.
>
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id"
> for User-Name = "testu...@xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name =
> "testuser"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
> (1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
> (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has
> destination realm set.  Ignoring
> (1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  -> TRUE
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  {
> (1) Thu May 24 11:06:15 2018: Debug:   update control {
> (1) Thu May 24 11:06:15 2018: Debug:   } # update control = noop
> (1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~ /@/)  = noop
> (1) Thu May 24 11:06:15 2018: Debug: ... skipping else: Preceding "if"
> was taken
> (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be
> proxied to Realm eduroam. Not doing EAP.
> (1) Thu May 24 11:06:15 2018: Debug: [eap] = noop
>
> attach my radiusd-eduroam.sock log and picture of my configuration
> exclusive source eduroam .
>
> Regards.
>
>
> On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>>
>>
>> On 2018-05-23 at 13:36, jabang konate via PacketFence-users wrote:
>>
>> Hi fabrice.
>>
>> Thanks for speedy response.
>>
>> > so i am not sure what you try to do with the ldap module.
>> ldap module for configuration user with openldap right? i read in EAP
>> Authentication against OpenLDAP.
>>
>> yes, the only difference is that you have to disable NTLM-Auth if ldap
>> return ok to avoid "ERROR: mschap: Program returned code (1) and output
>> 'Reading winbind reply failed! (0xc001)'".
>>
>>
>>
>> > You have 3 scenarios:
>> yes i want like that,
>>
>> I will try again and will share the results on this topic.
>>
>> thank you for your advice fabrice.
>>
>>
>> On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Jabang,
>>>
>>> so i am not sure what you try to do with the ldap module.
>>>
>>> You have 3 scenarios:
>>>
>>> 1: a user from your university connect on the ssid eduroam from your
>>> university.  (the ap/controller use the port 11812)
>>> You need to configure the local realm (let's say myuniversity.org) in
>>> the eduroam authentication source and configure ldap in packetfence-tunnel.
>>> So when this user will try to connect on the eduroam ssid with
>>> u...@myuniversity.org then the eduroam virtual server will detect the
>>> realm myuniversity.org and forward the request to packetfence virtual
>>> server (sites-enabled/packetfence then site-enabled/packetfence-tunnel).
>>> And in packetfence-tunnel you have something like that:
>>>
>>> ```
>>> authorize {
>>> suffix
>>> ntdomain
>>> eap {
>>> ok = return
>>> }
>>> files
>>> ldap
>>> if (ok) {
>>> update control {
>>>  := No
>>> }
>>> }
>>> }
>>> ```
>>>
>>> 2: u...@myuniversity.org is in travel and connect on the ssid eduroam
>>> in montreal university
>>> The local montreal radius server will forward to eduroam and eduroam
>>> will forward to your packetfence server on the port 1812 (you need to
>>> configure that on the eduroam side).
>>>
>>> 3: u...@univmontreal.org is connecting on your ssid eduroam, the realm
>>> is unknown then the request will be forwarded to eduroam 

Re: [PacketFence-users] LDAP

2018-05-24 Thread David Harvey via PacketFence-users
Not sure how much the standalone 389 directory lets you do from its admin
interface, but a simple FreeIPA install (which includes 389) is also pretty
quick and easy to setup, and has a very comprehensive interface.  It may
contain way more features than you want though!
Alternatively, I know QNAP NAS' have some builtin LDAP server bits, as I
imagine other NAS' would do, so if you have one on premise may be worth
checking out..

On Wed, May 23, 2018 at 11:38 PM, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I think about this one http://directory.fedoraproject.org/ who is coming
> with an admin interface.
>
> https://www.ehowstuff.com/setup-389-directory-server-on-centos-7/
>
> On 2018-05-23 at 15:56, Jason 'XenoPhage' Frisvold via PacketFence-users
> wrote:
>
> Hi all,
>
>   I’m looking for a quick and simple LDAP install I can use with 
> packetfence as a temporary authentication source.  Before I stand up an 
> openldap server, or perhaps openldap in a container, is anyone using 
> something that’s quicker to stand up and get running?  I’d love something 
> with an interface I can use to add users, change passwords, etc.
>
> Thanks,
>
> ---
> Jason 'XenoPhage' Frisvold    xenoph...@godshell.com
> ---
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law


Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-24 Thread Fabrice Durand via PacketFence-users

What is 10.18.23.60 ?

can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam ?


On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:

Hi fabrice,
today i try again with my packetfence.

in packetfence-tunnel configuration i change configuration like this,
if (update) {
        update control {
         := No
        }
        }
 }
because from the output i don't see "ok", and then now i can login 
with my ldap account but with port 1812 in my access point, but not 
using port 11812.
if i'm using 11812 my request always forward to Realm eduroam my home 
server, and not forward the request to packetfence virtual server 
(sites-enabled/packetfence then site-enabled/packetfence-tunnel) as 
you said in scenario 1.


(1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm 
"xyz.ac.id " for User-Name = "testu...@xyz.ac.id 
"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id 
"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name 
= "testuser"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id 
"

(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
(1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has 
destination realm set.  Ignoring

(1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  -> TRUE
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  {
(1) Thu May 24 11:06:15 2018: Debug:   update control {
(1) Thu May 24 11:06:15 2018: Debug:   } # update control = noop
(1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~ /@/)  = noop
(1) Thu May 24 11:06:15 2018: Debug: ... skipping else: Preceding 
"if" was taken
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be 
proxied to Realm eduroam. Not doing EAP.

(1) Thu May 24 11:06:15 2018: Debug: [eap] = noop

attach my radiusd-eduroam.sock log and picture of my configuration 
exclusive source eduroam .


Regards.


On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users 
> wrote:




On 2018-05-23 at 13:36, jabang konate via PacketFence-users wrote:

Hi fabrice.

Thanks for speedy response.

> so i am not sure what you try to do with the ldap module.
ldap module for configuration user with openldap right? i read in
EAP Authentication against OpenLDAP.

yes, the only difference is that you have to disable NTLM-Auth if
ldap return ok to avoid "ERROR: mschap: Program returned code (1)
and output 'Reading winbind reply failed! (0xc001)'".




> You have 3 scenarios:
yes i want like that,

I will try again and will share the results on this topic.

thank you for your advice fabrice.


On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via
PacketFence-users > wrote:

Hello Jabang,

so i am not sure what you try to do with the ldap module.

You have 3 scenarios:

1: a user from your university connect on the ssid eduroam
from your university.  (the ap/controller use the port 11812)

You need to configure the local realm (let's say
myuniversity.org ) in the eduroam
authentication source and configure ldap in packetfence-tunnel.
So when this user will try to connect on the eduroam ssid
with u...@myuniversity.org 
then the eduroam virtual server will detect the realm
myuniversity.org  and forward the
request to packetfence virtual server
(sites-enabled/packetfence then site-enabled/packetfence-tunnel).
And in packetfence-tunnel you have something like that:

```
authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    ldap
    if (ok) {
        update control {
            := No
        }
    }
}
```

2: u...@myuniversity.org  is in
travel and connect on the ssid eduroam in montreal university
The local montreal radius server will forward to eduroam and
eduroam will forward to your packetfence server on the port
1812 (you need to configure that on the eduroam side).

3: u...@univmontreal.org
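
An added example, not code from this thread or from PacketFence: a Python helper that reads FreeRADIUS debug output like the excerpt quoted above and lists requests whose realm was reported as LOCAL but which were still marked to be proxied, the symptom discussed in this thread. Request (2) in the sample and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. Request (1) reuses debug lines quoted in the thread,
# including one mail-wrapped line; request (2) is invented for contrast.
SAMPLE = '''\
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
(1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be
proxied to Realm eduroam. Not doing EAP.
(1) Thu May 24 11:06:15 2018: Debug: [eap] = noop
(2) Thu May 24 11:07:02 2018: Debug: suffix: No such realm "example.org"
(2) Thu May 24 11:07:02 2018: Debug: [suffix] = noop
(2) Thu May 24 11:07:02 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
'''

LINE = re.compile(r'^\((\d+)\) .*?: Debug:\s*(.*)$')
REALM = re.compile(r'^suffix: (Found|No such) realm "([^"]+)"')
RCODE = re.compile(r'^\[(\w+)\] = (\w+)$')
PROXY = re.compile(r'proxied to Realm (\S+)\. Not doing EAP')

def unwrap(text):
    """Drop '>' quote prefixes and re-join lines the mail client wrapped."""
    out = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if line.startswith("(") or not out:
            out.append(line)
        elif line:
            out[-1] += " " + line
    return out

def trace(text):
    """Per request id: realm seen, LOCAL flag, proxy target, module rcodes."""
    reqs = defaultdict(lambda: dict(realm=None, local=False, proxy_to=None, rcodes={}))
    for m in filter(None, map(LINE.match, unwrap(text))):
        req, msg = reqs[int(m.group(1))], m.group(2)
        if (r := REALM.match(msg)):
            req["realm"] = r.group(2)
        elif msg == "suffix: Authentication realm is LOCAL":
            req["local"] = True
        elif (r := RCODE.match(msg)):
            req["rcodes"][r.group(1)] = r.group(2)
        elif (r := PROXY.search(msg)):
            req["proxy_to"] = r.group(1)
    return dict(reqs)

def local_but_proxied(reqs):
    """Request ids whose realm was LOCAL yet were still marked for proxying."""
    return [i for i, r in sorted(reqs.items()) if r["local"] and r["proxy_to"]]
```

`local_but_proxied(trace(SAMPLE))` returns only request 1; request 2, whose realm is unknown to the server, is proxied as scenario 3 describes and is not reported.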