[PacketFence-users] PF UniFi OOB, not using UniFi-controller?

2018-11-29 Thread Joachim Tingvold via PacketFence-users

Hi,

So, I've stumbled upon PF, and especially the work done around OOB for 
the UniFi system back in late 2017/early 2018. Much of this was based on 
the assumption of WPA2-PSK or WPA2-Ent (trying to work around the 
caching, etc.).


The solution also relies on the UniFi controller to be reachable (since 
it utilizes the API to send the 'kick-sta' command). Not very optimal if 
you have redundant RADIUS and/or PF, but no redundant UniFi controller 
(which, AFAIK, is not possible yet, unless you have it as a VM). If you 
have a central/cloud UniFi-controller, you're also entirely dependent on 
Internet connectivity for this to work.


My question is: has anyone looked into doing the 'kick-sta' directly on 
the AP? (i.e. try the UniFi controller, and if that fails, try the 'kick-sta' 
directly on the AP?)


Since the AP is the RADIUS client, PF should already know the IP for the 
AP, and could do the required 'iwpriv'-commands via SSH. Some rare 
race-conditions could occur, for example that the client roams before 
you send the command (sending it to the old AP), but it would still be 
better than nothing in the case of controller and/or Internet failure?


Added benefit would also be that you could do without the 
UniFi-controller running 24/7 (f.ex. in home environments), as you'd 
only rely on the controller for initial setup, and then only rely on the 
APs and PF after that.



Any thoughts? Would this be too… MacGyvery? (-:

--
Joachim


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
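The "controller first, AP second" fallback proposed above, as an added example in Python; this is not PacketFence code nor anything from the UniFi project. It assumes the controller's unofficial `/api/s/<site>/cmd/stamgr` endpoint (the one the UniFi web UI itself calls) for the `kick-sta` command, an SSH login on the AP, and that `iwpriv <iface> kickmac <mac>` is the driver-level kick on the AP model in use; that last command is an assumption to confirm on the AP before relying on it. The decision logic is separated from the transports so it can be exercised offline with stand-in callables.

```python
"""Force a wireless station off the network: UniFi controller first, direct AP
SSH as fallback. Stdlib only. Added example, not PacketFence or UniFi code."""
import json
import re
import shlex
import subprocess
import urllib.request
from typing import Callable, Optional, Tuple

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; rejects anything that is not a MAC.
    This matters because the value ends up inside a remote shell command."""
    m = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def controller_kick(base_url: str, site: str, cookie: str, mac: str,
                    timeout: float = 5.0) -> None:
    """Issue 'kick-sta' through the controller's stamgr endpoint
    (/api/s/<site>/cmd/stamgr, the unofficial API used by the UniFi web UI).
    Any transport or HTTP error propagates so the caller can fall back."""
    body = json.dumps({"cmd": "kick-sta", "mac": normalize_mac(mac)}).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/s/{site}/cmd/stamgr", data=body,
        headers={"Content-Type": "application/json", "Cookie": cookie},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # raises on non-2xx
        reply = json.load(resp)
    if reply.get("meta", {}).get("rc") != "ok":
        raise RuntimeError(f"controller rejected kick-sta: {reply.get('meta')}")


def ap_kick(ap_ip: str, mac: str, iface: str = "ath0", user: str = "admin",
            timeout: int = 10) -> None:
    """Fallback path: SSH to the AP and deauthenticate the station with the
    driver's private ioctl. ASSUMPTION: 'iwpriv <iface> kickmac <mac>' is the
    right command for the AP model in use; confirm it on the AP first."""
    cmd = f"iwpriv {shlex.quote(iface)} kickmac {normalize_mac(mac)}"
    subprocess.run(
        ["ssh", "-o", "BatchMode=yes", "-o", f"ConnectTimeout={timeout}",
         f"{user}@{ap_ip}", cmd],
        check=True, capture_output=True, timeout=timeout + 5)


def always_fail(reason: str) -> Callable[..., None]:
    """Stand-in transport that always raises; used for offline demonstration."""
    def _fail(*_args: object) -> None:
        raise ConnectionError(reason)
    return _fail


def kick_station(mac: str, ap_ip: str,
                 via_controller: Callable[[str], None],
                 via_ap: Callable[[str, str], None]) -> Tuple[Optional[str], str]:
    """Controller first, AP second. Returns (path_used or None, detail).
    ap_ip is whatever the RADIUS request carried as the NAS address, so if the
    station has roamed since, the fallback kicks the old AP and does nothing."""
    mac = normalize_mac(mac)
    try:
        via_controller(mac)
        return "controller", "kicked via controller"
    except Exception as exc:  # any failure means "try the AP"
        ctrl_err = f"{type(exc).__name__}: {exc}"
    try:
        via_ap(ap_ip, mac)
        return "ap", f"controller failed ({ctrl_err}); kicked directly on AP {ap_ip}"
    except Exception as exc:
        return None, (f"controller failed ({ctrl_err}); "
                      f"AP {ap_ip} failed ({type(exc).__name__}: {exc})")


if __name__ == "__main__":
    # Constructed stand-in transports. Real use binds controller_kick/ap_kick
    # with functools.partial and the deployment's URL, site, cookie and SSH user.
    print(kick_station("24:BE:05:EC:0C:B6", "192.0.2.10",
                       always_fail("controller unreachable"), lambda ip, m: None))
```

The MAC validation is the part not to skip: the address comes from the supplicant via the RADIUS request, and without it an attacker-chosen Calling-Station-Id would be interpolated into a command run as root on the AP.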


Re: [PacketFence-users] PF8.2 Cluster dashboard problem

2018-11-29 Thread Ludovic Zammit via PacketFence-users
Hello,

It's normal, you will need to have some data first to display it.

Try connecting some devices and check again afterwards.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Nov 29, 2018, at 9:11 AM, 流 沙 via PacketFence-users 
>  wrote:
> 
> Hello
> After I finished the cluster, there is no data in the Dashboard. The 
> PacketFence version is 8.2.0.


[PacketFence-users] Packetfence & H3C / HP Comware Switches / Interface Index not working right

2018-11-29 Thread Schenkelberg, Martin via PacketFence-users
Hi out there,

We are using H3C / HP switches of type H3C S5800-56C-PWR,
Comware Software, Version 5.20, Release 1211P06.

PacketFence ZEN is version 8.0.1.

In the switch config we selected TYPE: H3C::S5120, which works fine if we manage a 
single switch.

In Comware the ports are numbered like this: Port 1: 1/0/1, Port 2: 1/0/2, 
etc. PacketFence shows the port numbers as Port1, Port2, etc.


The problem we have is using two H3C switches configured as an IRF stack.

The port numbering is now like this:

Switch 1 - Port 1  = 1/0/1
Switch 1  - Port 2  = 1/0/2
..
Switch 2 - Port 1  = 2/0/1
Switch 2 - Port 2  = 2/0/2
... and so on.


Clients on the first switch are detected with the right port number and VLAN 
assignment works.

Clients on the second switch are detected with a wrong port number:

Example: Interface 2/0/2 is detected by PacketFence as port 33562643

In Packetfence Log the following is shown:

Nov 29 13:43:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2462) WARN: 
[mac:24:be:05:ec:0c:b6] Unknown NAS-Port format. ifIndex translation could have 
failed. VLAN re-assignment and switch/port accounting will be affected. 
(pf::Switch::H3C::NasPortToIfIndex)
Nov 29 13:43:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2462) INFO: 
[mac:24:be:05:ec:0c:b6] handling radius autz request: from switch_ip => 
(172.20.226.55), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown), mac 
=> [24:be:05:ec:0c:b6], port => 33562634, username => "24-be-05-ec-0c-b6" 
(pf::radius::authorize)
Nov 29 13:43:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2462) INFO: 
[mac:24:be:05:ec:0c:b6] Instantiate profile hug_lan 
(pf::Connection::ProfileFactory::_from_profile)
Nov 29 13:43:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2462) INFO: 
[mac:24:be:05:ec:0c:b6] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 29 13:43:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2462) INFO: 
[mac:24:be:05:ec:0c:b6] Username was defined "24-be-05-ec-0c-b6" - returning 
role 'Printer' (pf::role::getRegisteredRole)
Nov 29 13:43:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2462) INFO: 
[mac:24:be:05:ec:0c:b6] PID: "default", Status: reg Returned VLAN: (undefined), 
Role: Printer (pf::role::fetchRoleForNode)
Nov 29 13:43:22 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2462) INFO: 
[mac:24:be:05:ec:0c:b6] (172.20.226.55) Added VLAN 120 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)

The first VLAN assignment after the port comes up works, but a reassignment does 
not work. If I unregister the client in the PF GUI nothing happens to the switch 
port.


Is there a way to fix this? Via Google I found this old list entry:  
https://sourceforge.net/p/packetfence/mailman/message/29935686/


Best regards, Martin





Kind regards,

Martin Schenkelberg
System Administrator

H&G Hansen & Gieraths
EDV Vertriebsgesellschaft mbH
Bornheimer Straße 42-52
D-53111 Bonn

Phone   +49 228 9080-672
Fax     +49 228 9080-607

martin.schenkelb...@hug.de
www.hug.de

H&G Hansen & Gieraths EDV Vertriebsgesellschaft mbH,
P.O. Box 1605, 53006 Bonn, VAT ID DE122121252
Managing Director: Dr. H. Hellmuth Hansen
Registered office: Bonn, Bonn District Court HRB 4027


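What the "Unknown NAS-Port format" warning is about, as an added example in Python (not PacketFence's own pf::Switch::H3C code): the switch sends a packed 32-bit NAS-Port, and the number PacketFence displays is that value undecoded. The bit layout assumed here, slot (8 bits) | subslot (4) | port (8) | VLAN (12), is what makes both numbers in the post decode to interface 2/0/2; treat it as an assumption to verify against the Comware documentation for your release. The log parser matches the `port => N` field of the packetfence_httpd.aaa line quoted above.

```python
"""Decode the packed NAS-Port an H3C/Comware switch sends into slot/subslot/port
and VLAN. Added example, not PacketFence code.
ASSUMPTION: 32-bit layout slot(8) | subslot(4) | port(8) | VLAN(12)."""
import re
from dataclasses import dataclass
from typing import Optional

_LOG_PORT_RE = re.compile(r"\bport => (\d+)")


@dataclass(frozen=True)
class H3cNasPort:
    slot: int
    subslot: int
    port: int
    vlan: int

    def ifname(self, prefix: str = "GigabitEthernet") -> str:
        """Comware-style interface name, e.g. GigabitEthernet2/0/2."""
        return f"{prefix}{self.slot}/{self.subslot}/{self.port}"


def decode_nas_port(value: int) -> H3cNasPort:
    """Split the packed 32-bit NAS-Port into its fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"NAS-Port out of 32-bit range: {value}")
    return H3cNasPort(
        slot=(value >> 24) & 0xFF,
        subslot=(value >> 20) & 0xF,
        port=(value >> 12) & 0xFF,
        vlan=value & 0xFFF,
    )


def encode_nas_port(slot: int, subslot: int, port: int, vlan: int) -> int:
    """Inverse of decode_nas_port; useful for building test vectors."""
    for name, val, bits in (("slot", slot, 8), ("subslot", subslot, 4),
                            ("port", port, 8), ("vlan", vlan, 12)):
        if not 0 <= val < (1 << bits):
            raise ValueError(f"{name}={val} does not fit in {bits} bits")
    return (slot << 24) | (subslot << 20) | (port << 12) | vlan


def nas_port_from_log(line: str) -> Optional[int]:
    """Pull the 'port => N' value out of a packetfence_httpd.aaa authorize line."""
    m = _LOG_PORT_RE.search(line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    # Fragment of the log line from the post above (constructed trimming).
    log = ("handling radius autz request: from switch_ip => (172.20.226.55), "
           "connection_type => WIRED_MAC_AUTH, port => 33562634")
    raw = nas_port_from_log(log)
    decoded = decode_nas_port(raw)
    print(raw, "->", decoded.ifname(), "vlan", decoded.vlan)
```

Under this layout 33562634 is 0x0200200A, i.e. slot 2, subslot 0, port 2, VLAN 10, and 33562643 (0x02002013) is the same port on VLAN 19; a first-member port such as 1/0/1 on VLAN 10 would arrive as 16781322. A NAS-Port-to-ifIndex translation that only recognises the single-switch form will therefore keep failing on every IRF member other than the first.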


[PacketFence-users] EAP-TLS Computer and User Auth

2018-11-29 Thread Wifi Guy via PacketFence-users
Good Morning all,

I have managed to get very far to date with my installation.

However I am struggling with the last piece of the puzzle: how to handle
BYOD devices that authenticate via EAP-TLS (onboarding process) and
distinguishing them from corp users.

So I thought the best way to handle this is that corp users that
authenticate with EAP-TLS will use machine auth and be assigned into a
machine role, and other users will be assigned into a BYOD policy. Is this
the best approach?

So, on to the setup: I managed to get a reg VLAN set up. This allows users who
are not part of the domain to authenticate via a CWP. There are
provisioners set up to assign the device the TLS cert. This works great! :)

For my corp machines, the GPO etc. are currently set up. User and computer
certs are sent on domain join, so no issues with auto-enrollment. Also the
machine has the SSID specified with TLS set and the option computer
authentication selected. In an ideal world I would be able to chain the
authentication (something like TEAP), where computer auth happens at login
and then user auth happens at login. But I can't see a way to do this
without breaking the BYOD issue?

My question is: what should the GUI setup look like? Currently I have two
internal AD sources, one for computer auth (servicePrincipalName) and one
for user auth. From the documentation it's not clear how the connection
profiles should look, what order things should be in, and whether I am looking at
this the wrong way.

Any advice, help etc. would be much appreciated.

WiFiGuy


[PacketFence-users] SYSTEM RAM usage going down and up, high CPU Usage.

2018-11-29 Thread Murilo Calegari via PacketFence-users
Hi everyone,

Recently we had a power outage and the UPS system couldn't take it. This
caused the PacketFence server to unexpectedly hard shut down. I noticed on the
System Graphs that CPU usage was quite high (this server is not quite in
production yet, I think there are maybe 6 people using it) and that System
RAM is going up and down. This behaviour was not common before the power
outage; I'm worried that there might be some service that is
continuously restarting.

Could someone help me debug this or is this normal behavior? PacketFence
8.2 is running on CentOS 7 with minimal installation.

[Two System Graphs screenshots were attached to the original message]

Best regards,


Murilo Calegari de Souza
IT Intern
Information Technology Coordination Office
Instituto Federal do Espírito Santo – Campus Nova Venécia
27 3752 4311 ext. 43112


[PacketFence-users] Applying correct VLAN to users

2018-11-29 Thread Bram Wittendorp via PacketFence-users
Hi,

For a month now we have been using PacketFence as the NAC solution for our wireless 
network. However, there is one problem that seems really persistent. When a user 
connects and has proceeded through initial registration, he or she needs to turn 
wireless off and turn it back on. We use Aruba IAP 305 access points.

Is there anything that can be done to eliminate the step of turning wireless 
off and on again?

Kind regards,

Bram Wittendorp
Network/System Administrator | RTV Drenthe

t: 0592 – 304 693
e: b.wittend...@rtvdrenthe.nl
Beilerstraat 30, Assen
Postbus 999, 9400 AZ Assen

t : 0592-338080
www.rtvdrenthe.nl




[PacketFence-users] Duplicate usernames with and without domain part

2018-11-29 Thread Cristian Mammoli via PacketFence-users
Hi, I already brought this up in the past and Fabrice said it was on the 
roadmap; sorry to ask it again:

Is it possible to register usernames of people authenticated via 
ntlm_auth *without* the domain part?

Currently I have the same user registered twice in PF:

As "DOMAIN\user" when auto-registered with 802.1X (for example with 
Windows PCs)
As "user" when registered via the portal (for example for smartphones, 
Apple devices etc.)

Is there an issue on GitHub to follow?

Thanks

C.


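One way to collapse the two spellings into a single PID, as an added example in Python that is not PacketFence code and does not describe how PacketFence stores PIDs. It splits NTLM `DOMAIN\user` and UPN-style `user@realm` forms, and only drops the realm when it is one you have declared as trusted; the set of trusted realms is an assumption you supply, and the point of keeping it is that stripping realms unconditionally would let a `user` from an unrelated domain inherit the local `user`'s registrations.

```python
"""Merge 'DOMAIN\\user', 'user@realm' and bare 'user' spellings into one PID,
refusing to merge realms that are not declared trusted. Added example, not
PacketFence code."""
from typing import Dict, FrozenSet, List, Optional, Tuple


def split_username(raw: str) -> Tuple[str, Optional[str]]:
    """Return (user, realm) in lower case; realm is None when absent.
    Handles NTLM 'DOMAIN\\user' and UPN/RADIUS 'user@realm' forms."""
    s = raw.strip()
    if "\\" in s:
        realm, user = s.split("\\", 1)
    elif "@" in s:
        user, realm = s.rsplit("@", 1)
    else:
        user, realm = s, None
    user = user.lower()
    if realm is not None:
        realm = realm.lower() or None   # 'DOMAIN\\' with nothing before it: no realm
    if not user:
        raise ValueError(f"empty user part in {raw!r}")
    return user, realm


def canonical_pid(raw: str, trusted_realms: FrozenSet[str]) -> str:
    """PID to store: the bare user when the realm is absent or trusted,
    otherwise keep the realm so a foreign 'user' never collides with ours."""
    user, realm = split_username(raw)
    if realm is None or realm in trusted_realms:
        return user
    return f"{realm}\\{user}"


def merge_registrations(pids: List[str],
                        trusted_realms: FrozenSet[str]) -> Dict[str, List[str]]:
    """Group existing PIDs by canonical form, preserving input order, so the
    duplicates to be merged are visible before anything is rewritten."""
    groups: Dict[str, List[str]] = {}
    for pid in pids:
        groups.setdefault(canonical_pid(pid, trusted_realms), []).append(pid)
    return groups


if __name__ == "__main__":
    # Constructed sample: the two spellings from the post plus a UPN form and
    # a same-named user from a domain we do not trust.
    sample = ["DOMAIN\\user", "user", "user@domain.example", "Other\\user"]
    for pid, originals in merge_registrations(sample, frozenset({"domain", "domain.example"})).items():
        print(pid, "<-", originals)
```

Note that the NetBIOS name (`DOMAIN`) and the DNS realm (`domain.example`) are different strings for the same directory, so both have to be listed as trusted for the three local spellings to merge.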


Re: [PacketFence-users] Phantom NIC

2018-11-29 Thread mj via PacketFence-users

Hi,

I guess the IP belongs to a net namespace; try:

 ip netns list

to see your namespaces, and then type:

 ip netns exec <namespace> ifconfig

to check its details.

On our packetfence, the AD namespace has ip 169.254.0.1.

MJ

On 11/28/18 11:06 AM, Hancock, Jamie via PacketFence-users wrote:

Hi,

My PF development cluster has been offline for a while; since bringing it all 
back online the main DB server has a phantom NIC, which has an automatically 
assigned IP address 169.254.0.3.

When I run the  systemctl status packetfence-mariadb command I get the 
following error:

[Warning] Hostname 'devclusterserver1 does not resolve to '10.10.10.10'.
[Note] Hostname 'pfappedull01.internal.uwic.ac.uk' has the following IP 
addresses:
[Note]  - 169.254.0.1

Please can you help?




