Re: [PacketFence-users] Packetfence set role by mac not user...

2020-10-08 Thread Maile Halatuituia via PacketFence-users
Hi Fetakungen
I have the same issue and got it fixed by what Ludovic suggests here: my switch's default 
802.1X mode was mac-auth; I had to change it to EAP, then it works fine.

From: Ludovic Zammit via PacketFence-users 

Sent: Friday, 9 October 2020 1:22 AM
To: Fetakungen Virtual Adventurer 
Cc: Ludovic Zammit ; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Packetfence set role by mac not user...

Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: 
[mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => 
(10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => 
(08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => 
"vim-foradsgatan-d1s1-a1@.local" 
(pf::radius::authorize)

It’s definitely wired MAC authentication.

Maybe the EAP Type is wrong on your switch, it should be EAP PEAP MSCHAPv2 and 
not EAP PAP, CHAP or MD5.

You should see  connection_type => Ethernet-EAP. Check the EAP Type in the 
auditing section.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

On Oct 7, 2020, at 5:26 PM, Fetakungen Virtual Adventurer <fetakun...@gabenpirates.com> wrote:

This is what I don’t understand: why does it state this?...

Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 
'default' (pf::config::util::filter_authentication_sources)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) WARN: 
[mac:f8:60:f0:33:00:80] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 
'default' (pf::config::util::filter_authentication_sources)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Connection type is MAC-AUTH.Getting role from node_info 
(pf::role::getRegisteredRole)

Connection type is MAC-AUTH.

Since it’s a user calling in, it’s clearly NOT MAC-AUTH

0_0

BR,
Anton.
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: 29 September 2020 18:54
To: Fetakungen Virtual Adventurer <fetakun...@gabenpirates.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Packetfence set role by mac not user...

It looks like you are trying to match a UPN (UserPrincipalName), so maybe try 
not stripping the username in the realm.

Is vim-foradsgatan-d1s1-a1@.local the UPN for that object?

It looks like that connection matches on the default realm, so don’t strip the 
username on the default realm.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org)

On Sep 28, 2020, at 8:08 PM, Fetakungen Virtual Adventurer <fetakun...@gabenpirates.com> wrote:

Here is the complete auth.conf

# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL
dynamic_routing_module=AuthModule

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no
local_account_logins=0
message=PIN: $pin
hash_passwords=bcrypt
sms_activation_timeout=10m
dynamic_routing_module=AuthModule
password_length=8
pin_code_length=6

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no
local_account_logins=0
dynamic_routing_module=AuthModule
hash_passwords=bcrypt
password_length=8

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no
hash_passwords=bcrypt
dynamic_routing_module=AuthModule
local_account_logins=0
password_length=8
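The thread above turns on one field of the httpd.aaa log line: connection_type. PacketFence decides MAC-AUTH versus 802.1X from that field, not from whether User-Name looks like a user, so a NoEAP request that happens to carry a user identity still ends in getRegisteredRole() taking the role from node_info. The Python below is an added example (not PacketFence code) that parses "handling radius autz request" lines and flags a NoEAP request whose User-Name is not the client MAC, which is the pattern in Anton's log. The first two sample lines are copied from the thread; the third (an Ethernet-EAP request for a user alice@example.local) is constructed, and the classification labels are my own.

```python
"""Triage PacketFence httpd.aaa 'handling radius autz request' lines.

PacketFence picks the MAC-AUTH path from connection_type, not from the shape
of User-Name, so a NoEAP request that carries a user identity still gets its
role from node_info (see the thread above).  Added example, not PacketFence code."""
import re

AUTZ_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] handling radius autz request: "
    r"from switch_ip => \((?P<switch_ip>[^)]*)\), "
    r"connection_type => (?P<ctype>[^,]+),"
    r"switch_mac => \((?P<switch_mac>[^)]*)\), "
    r"mac => \[(?P<node_mac>[^\]]*)\], port => (?P<port>\d+), "
    r'username => "(?P<username>[^"]*)"'
    r"(?:, ssid => (?P<ssid>.+?))? \(pf::radius::authorize\)"
)

# MAC spellings a NAS may put in User-Name when it does MAC authentication.
MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Sample log lines: the first two are copied from the thread, the third is
# constructed to show what a real 802.1X (Ethernet-EAP) request looks like.
SAMPLE_LINES = [
    'Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: '
    '[mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => '
    '(10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => '
    '(08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => '
    '"vim-foradsgatan-d1s1-a1@.local" (pf::radius::authorize)',
    'Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: '
    '[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => '
    '(198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => '
    '(20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => '
    '"00-24-d6-5b-30-bc", ssid => Lab-Open-Guest (pf::radius::authorize)',
    # constructed line (assumed switch, user and port)
    'Oct 8 15:00:00 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: '
    '[mac:f8:60:f0:33:00:80] handling radius autz request: from switch_ip => '
    '(10.0.10.11), connection_type => Ethernet-EAP,switch_mac => '
    '(08:f1:ea:64:c4:00), mac => [f8:60:f0:33:00:80], port => 9, username => '
    '"alice@example.local" (pf::radius::authorize)',
]

VERDICTS = {
    "mab": "MAC authentication: role comes from the node record, "
           "authentication-source rules are not consulted",
    "mab-user-identity": "MAC authentication carrying a non-MAC User-Name: "
           "PacketFence still treats it as MAC-AUTH, so the NAS is not doing "
           "EAP (check its 802.1X/EAP settings, e.g. PEAP-MSCHAPv2)",
    "dot1x": "802.1X/EAP: authentication-source rules can set the role",
    "other": "neither NoEAP nor EAP in connection_type: inspect manually",
}


def normalize_mac(value):
    """Return 12 lowercase hex chars if value is a MAC in a known form, else None."""
    if not MAC_FORMS.match(value):
        return None
    return re.sub(r"[^0-9a-f]", "", value.lower())


def parse_autz(line):
    """Parse one authorization line into its fields, or None if it is not one."""
    m = AUTZ_RE.search(line)
    return m.groupdict() if m else None


def classify(rec):
    """Decide which role-assignment path PacketFence will take for this request."""
    ctype = rec["ctype"]
    if ctype.endswith("-NoEAP"):
        node = normalize_mac(rec["node_mac"])
        if node is not None and normalize_mac(rec["username"]) == node:
            return "mab"
        return "mab-user-identity"
    if ctype.endswith("-EAP"):
        return "dot1x"
    return "other"


def triage(lines):
    """Return (mac, connection_type, username, kind) for each autz line found."""
    results = []
    for line in lines:
        rec = parse_autz(line)
        if rec is not None:
            results.append((rec["mac"], rec["ctype"], rec["username"], classify(rec)))
    return results


if __name__ == "__main__":
    for mac, ctype, user, kind in triage(SAMPLE_LINES):
        print(f"{mac} {ctype:24} {user!r}: {VERDICTS[kind]}")
```

Run it over a grep of packetfence.log for "handling radius autz request". A NoEAP line whose User-Name is not the client MAC is Anton's case: the switch is doing MAC authentication with a non-MAC User-Name, so PacketFence logs "Connection type is MAC-AUTH" and takes the role from node_info rather than from the authentication source's rules, exactly as the log he posted shows.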

[PacketFence-users] Issues with browsers Chromium and Google Chrome in management GUI PF 10.2

2020-10-08 Thread Tony W via PacketFence-users
Hi Guys,

Just installed PF 10.2 on CentOS7, applied all patches and started setting
up the same way as I usually do in PF 10.1. I usually use the latest
version of Google Chrome.

I did the initial "configurator" configuration and there were no issues
using the Chrome browser.

Once I went through setting everything up, I noticed a number of issues
with the GUI. I tested with Chromium and Google Chrome, same issues. Tried
restarting, reloading...no go.

Then I tried Firefox and it appears to work just fine.

My Chromium: Version 85.0.4183.121
My Google Chrome: Version 86.0.4240.75

Both running on the latest version of Ubuntu 16.04 LTS. All updates applied.

My Firefox: 81.0
It is also running on the same Ubuntu as the other 2 browsers.

Issues found so far:

Cannot import users, as the drop-down menus cannot scroll up and down,
making selection impossible. In addition, after selecting some entries, no
further selection is possible. It looks like something is hogging all the
resources and the browser "gets stuck".

In "Configuration -> User -> Connection Profiles -> Files", it is not
possible to edit any files. The black editor window does not appear. In
fact nothing happens when selecting a file in Chromium or Chrome.

It works just fine in Firefox.

Chromium and Chrome still work just fine when accessing the admin GUI of
PF 10.1.
What has changed?

Have any other users seen this behaviour?
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
Any other filter used, such as the switch filter on the connection profile, works and 
matches fine, but not the SSID filter.

I just don’t understand why the portal profile would be different from the 
httpd.aaa profile, which matches fine.

Thank you,

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks
785-342-7903

> On Oct 8, 2020, at 3:28 PM, Louis Scaringella 
>  wrote:
>
> Ok, thanks. I followed your instructions and rebooted.
>
> Here is the new log:
>
> Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
> [mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
> 20:4c:03:58:99:8a (pf::Switch::extractSSIDFromCalledStationId)
> Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
> [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
> (198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
> (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
> "00-24-d6-5b-30-bc", ssid => Lab-Open-Guest (pf::radius::authorize)
> Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
> [mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
> (pf::Connection::ProfileFactory::_from_profile)
> Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
> [mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
> Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
> [mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
> (pf::role::getRegistrationRole)
> Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
> [mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node must 
> be kicked out. Returning USERLOCK (pf::Switch::Template::handleRadiusDeny)
>
> I switched my switch back to “Aruba Wireless Controller” template. Should I 
> be doing that or what should I have configured here?
>
> It does look like it now shows the SSID here.
>
> Louis Scaringella
> Security Systems Engineer
> Yellow Dog Networks, Inc
> 785-342-7903
>
>> On Oct 8, 2020, at 1:47 PM, Fabrice Durand  wrote:
>>
>> Revert the change in Switch.pm then do:
>>
>> cd /usr/local/pf/
>>
>> curl 
>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/5903.diff
>>  | patch -p1
>>
>>> On 2020-10-08 at 14:43, Louis Scaringella wrote:
>>> What should I do with that file you sent? Add that to switch.pm or replace 
>>> it?
>>>
>>> Louis Scaringella
>>> Security Systems Engineer
>>> Yellow Dog Networks, Inc
>>> 785-342-7903
>>>
 On Oct 8, 2020, at 1:41 PM, Fabrice Durand  wrote:

 Hello Louis,

 let's take a look at 
 https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/5903.diff

 Also it can happen when, for example, the registration network is an inline 
 network.

 Regards

 Fabrice


 On 2020-10-08 at 14:37, Louis Scaringella wrote:
> What would cause the httpd.aaa process to match the correct profile but 
> then the httpd.portal to match the default?
> Does it not use the same criteria and filters as the connection profile 
> does?
>
> The only change here between scenarios is the SSID filter added to the 
> connection profile so something just isn’t right here.
>
> Louis Scaringella
> Security Systems Engineer
> Yellow Dog Networks, Inc
> 785-342-7903
>
>> On Oct 8, 2020, at 12:11 PM, Louis Scaringella via PacketFence-users 
>>  wrote:
>>
>> From the Aruba.pm switch file I see this:
>>
>>
>> sub extractSsid {
>>   my ($self, $radius_request) = @_;
>>   my $logger = $self->logger;
>>
>>   # Aruba-Essid-Name VSA
>>   if (defined($radius_request->{'Aruba-Essid-Name'})) {
>>   return $radius_request->{'Aruba-Essid-Name'};
>>   }
>>
>>   $logger->warn(
>>   "Unable to extract SSID for module " . ref($self) . ". SSID-based 
>> VLAN assignments won't work. "
>>   . "Please let us know so we can add support for it."
>>   );
>>   return;
>> }
>>
>> It looks to be searching for the Aruba-ESSID-NAME instead of 
>> Called-Station-SSID. Do you think we’d have to change the switch.pm to 
>> reflect that instead then?
>>
>> Louis Scaringella
>> Security Systems Engineer
>> Yellow Dog Networks, Inc
>> 785-342-7903
>>
>>> On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:
>>>
>>> It looks to be a bug in the switch template.
>>>
>>> Right now there is no method to extract the SSID from attributes other 
>>> than Called-Station-Id.
>>>
>>> We will make a patch to update the default method to extract the ssid 
>>> from Called-Station-SSID.
>>>
>>> On 2020-10-07 at 14:19, Louis Scaringella wrote:
 Here is the request:

 RADIUS Request
 User-Name = "00-24-d6-5b-30-bc"
 

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
What would cause the httpd.aaa process to match the correct profile but then 
the httpd.portal to match the default?
Does it not use the same criteria and filters as the connection profile does?

The only change here between scenarios is the SSID filter added to the 
connection profile so something just isn’t right here.

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 8, 2020, at 12:11 PM, Louis Scaringella via PacketFence-users 
>  wrote:
>
> From the Aruba.pm switch file I see this:
>
>
> sub extractSsid {
>my ($self, $radius_request) = @_;
>my $logger = $self->logger;
>
># Aruba-Essid-Name VSA
>if (defined($radius_request->{'Aruba-Essid-Name'})) {
>return $radius_request->{'Aruba-Essid-Name'};
>}
>
>$logger->warn(
>"Unable to extract SSID for module " . ref($self) . ". SSID-based VLAN 
> assignments won't work. "
>. "Please let us know so we can add support for it."
>);
>    return;
> }
>
> It looks to be searching for the Aruba-ESSID-NAME instead of 
> Called-Station-SSID. Do you think we’d have to change the switch.pm to 
> reflect that instead then?
>
> Louis Scaringella
> Security Systems Engineer
> Yellow Dog Networks, Inc
> 785-342-7903
>
>> On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:
>>
>> It looks to be a bug in the switch template.
>>
>> Right now there is no method to extract the SSID from attributes other than 
>> Called-Station-Id.
>>
>> We will make a patch to update the default method to extract the ssid from 
>> Called-Station-SSID.
>>
>> On 2020-10-07 at 14:19, Louis Scaringella wrote:
>>> Here is the request:
>>>
>>> RADIUS Request
>>> User-Name = "00-24-d6-5b-30-bc"
>>> User-Password = "**"
>>> NAS-IP-Address = 198.18.255.64
>>> NAS-Port = 0
>>> Service-Type = Call-Check
>>> Called-Station-Id = "20:4c:03:58:99:8a"
>>> Calling-Station-Id = "00:24:d6:5b:30:bc"
>>> NAS-Port-Type = Wireless-802.11
>>> Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
>>> Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
>>> Aruba-Essid-Name = "Lab-Open-Guest"
>>> Aruba-Location-Id = "Lab AP-A0:E4"
>>> Aruba-AP-Group = "default"
>>> Stripped-User-Name = "00-24-d6-5b-30-bc"
>>> Realm = "null"
>>> FreeRADIUS-Client-IP-Address = 198.18.255.64
>>> Called-Station-SSID = "Lab-Open-Guest"
>>> PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
>>> PacketFence-Radius-Ip = "198.18.255.132"
>>> SQL-User-Name = "00-24-d6-5b-30-bc"
>>>
>>> It seems to show under the Called-Station-SSID as well as Aruba-ESSID-NAME.
>>>
>>> Louis Scaringella
>>> Security Systems Engineer
>>> Yellow Dog Networks, Inc
>>> 785-342-7903
>>>
 On Oct 7, 2020, at 1:17 PM, Fabrice Durand  wrote:

 Check in the RADIUS audit log for the RADIUS request and see whether one of 
 the attributes contains the SSID.
 
 If the SSID is defined in one of the attributes then we will be able to fix 
 it; if not, check on the Aruba side whether there is a way to push it (it 
 is by default).

 On 2020-10-07 at 14:12, Louis Scaringella wrote:
> Here it is. It appears it isn’t able to extract the SSID from the Aruba 
> Controller. This is ArubaOS 8.6 running on the controller.
>
> Any ideas to workaround this? It even says to let you all know so you can 
> add support for it. I appreciate all you do to keep this product awesome!
>
> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
> [mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
> 20:4c:03:58:99:8a (pf::Switch::extractSsid)
> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) WARN: 
> [mac:00:24:d6:5b:30:bc] Unable to extract SSID for module 
> pf::Switch::Template. SSID-based VLAN assignments won't work. Please let 
> us know so we can add support for it. (pf::Switch::extractSsid)
> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
> [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
> (198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
> (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
> "00-24-d6-5b-30-bc" (pf::radius::authorize)
> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
> [mac:00:24:d6:5b:30:bc] Instantiate profile default 
> (pf::Connection::ProfileFactory::_from_profile)
> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
> [mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
> [mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
> (pf::role::getRegistrationRole)
> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
> [mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node 
> must be kicked out. Returning 
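Fabrice's fix changes where the SSID is looked up: a vendor VSA such as Aruba-Essid-Name, then FreeRADIUS's Called-Station-SSID, then the SSID suffix some controllers append to Called-Station-Id. The Python below is an added example of that lookup order, not PacketFence's code. It parses the audit-log "Attribute = value" dump Louis posted (reproduced as the sample, password already masked) and reports which attribute supplied the SSID, so you can see why the same client fails on a bare BSSID and succeeds once the fallback exists. The "MAC:SSID" form of Called-Station-Id is the RFC 3580 convention and is assumed for the constructed last input; the vendor attribute list is limited to the one attribute the thread shows.

```python
"""Locate the SSID in a RADIUS Access-Request in the order the thread's fix
uses: vendor VSA, then Called-Station-SSID, then Called-Station-Id.
Added example, not PacketFence's extractSsid."""
import re

# Called-Station-Id for 802.11 is the BSSID, optionally followed by ":SSID"
# (RFC 3580 convention, assumed here; the MAC may use "-", ":" or no separator).
CALLED_STATION_ID = re.compile(
    r"^(?P<bssid>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|[0-9a-f]{12})"
    r"(?::(?P<ssid>.+))?$",
    re.IGNORECASE,
)

# Vendor attributes that carry the SSID.  Only the one seen in the thread is
# listed; extend it per NAS vendor (assumption: other vendors use other names).
SSID_VSAS = ("Aruba-Essid-Name",)

# One "Name = value" line of the RADIUS audit-log dump.
ATTR_LINE = re.compile(r"^\s*(?P<name>[A-Za-z0-9-]+)\s*=\s*(?P<value>.*?)\s*$")

# The request Louis posted (User-Password masked as in the thread).
SAMPLE_REQUEST = """\
RADIUS Request
User-Name = "00-24-d6-5b-30-bc"
User-Password = "**"
NAS-IP-Address = 198.18.255.64
NAS-Port = 0
Service-Type = Call-Check
Called-Station-Id = "20:4c:03:58:99:8a"
Calling-Station-Id = "00:24:d6:5b:30:bc"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
Aruba-Essid-Name = "Lab-Open-Guest"
Aruba-Location-Id = "Lab AP-A0:E4"
Aruba-AP-Group = "default"
Stripped-User-Name = "00-24-d6-5b-30-bc"
Realm = "null"
FreeRADIUS-Client-IP-Address = 198.18.255.64
Called-Station-SSID = "Lab-Open-Guest"
PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
PacketFence-Radius-Ip = "198.18.255.132"
SQL-User-Name = "00-24-d6-5b-30-bc"
"""


def parse_request(dump):
    """Turn an audit-log 'Attribute = value' dump into a dict, quotes stripped."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue  # header line such as "RADIUS Request"
        value = m.group("value")
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[m.group("name")] = value
    return attrs


def extract_ssid(request, vsas=SSID_VSAS):
    """Return (ssid, attribute_it_came_from), or (None, None) when no attribute has it."""
    for attr in vsas:                      # 1. vendor VSA (what Aruba.pm reads)
        if request.get(attr):
            return request[attr], attr
    if request.get("Called-Station-SSID"):  # 2. FreeRADIUS-derived attribute (the patch)
        return request["Called-Station-SSID"], "Called-Station-SSID"
    m = CALLED_STATION_ID.match(request.get("Called-Station-Id", ""))
    if m and m.group("ssid"):              # 3. "BSSID:SSID" in Called-Station-Id
        return m.group("ssid"), "Called-Station-Id"
    return None, None                      # a bare BSSID: nothing to extract


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(extract_ssid(req))
    print(extract_ssid({"Called-Station-Id": req["Called-Station-Id"]}))
```

With only the third step, a bare BSSID such as 20:4c:03:58:99:8a yields nothing, which is the "Unable to extract SSID of Called-Station-Id" line in the first log; the Aruba-specific module already reads the VSA, and the patched default method adds the Called-Station-SSID step, so either template now finds Lab-Open-Guest.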

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
Although it now seems to find the SSID, when I add the SSID filter back to my 
connection profile, it once again doesn’t instantiate the correct profile for 
the httpd.portal:

Oct 8 14:30:22 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
20:4c:03:58:99:8a (pf::Switch::extractSSIDFromCalledStationId)
Oct 8 14:30:22 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
(198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
"00-24-d6-5b-30-bc", ssid => Lab-Open-Guest (pf::radius::authorize)
Oct 8 14:30:22 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 8 14:30:22 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
Oct 8 14:30:22 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
(pf::role::getRegistrationRole)
Oct 8 14:30:22 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node must 
be kicked out. Returning USERLOCK (pf::Switch::Template::handleRadiusDeny)
Oct 8 14:30:31 localhost packetfence_httpd.portal: httpd.portal(2626) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)


Any ideas here?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 8, 2020, at 2:10 PM, Louis Scaringella wrote:
> [...]

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
Ok, thanks. I followed your instructions and rebooted.

Here is the new log:

Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
20:4c:03:58:99:8a (pf::Switch::extractSSIDFromCalledStationId)
Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
(198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
"00-24-d6-5b-30-bc", ssid => Lab-Open-Guest (pf::radius::authorize)
Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
(pf::role::getRegistrationRole)
Oct 8 14:06:19 localhost packetfence_httpd.aaa: httpd.aaa(2066) INFO: 
[mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node must 
be kicked out. Returning USERLOCK (pf::Switch::Template::handleRadiusDeny)

I switched my switch back to “Aruba Wireless Controller” template. Should I be 
doing that or what should I have configured here?

It does look like it now shows the SSID here.

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 8, 2020, at 1:47 PM, Fabrice Durand wrote:
> [...]

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
What should I do with that file you sent? Add that to switch.pm or replace it?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 8, 2020, at 1:41 PM, Fabrice Durand wrote:
> [...]

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
I don’t have any inline interfaces or config in this environment. PacketFence 
has a single IP address on one interface and is used for Radius, management, 
and the portal in this case.

Choosing the “Aruba” switch template instead of the “Aruba Wireless Controller” 
template in my switch config seems to have at least found the SSID value now, 
and I no longer see errors in the log about the SSID.


Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 8, 2020, at 1:41 PM, Fabrice Durand  wrote:
>
> Hello Louis,
>
> let's take a look at 
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/5903.diff
>
> Also it can happen when per example the registration network is an inline 
> network.
>
> Regards
>
> Fabrice
>
>
> Le 20-10-08 à 14 h 37, Louis Scaringella a écrit :
>> What would cause the httpd.aaa process to match the correct profile but then 
>> the httpd.portal to match the default?
>> Does it not use the same criteria and filters as the connection profile does?
>>
>> The only change here between scenarios is the SSID filter added to the 
>> connection profile so something just isn’t right here.
>>
>> Louis Scaringella
>> Security Systems Engineer
>> Yellow Dog Networks, Inc
>> 785-342-7903
>>
>>> On Oct 8, 2020, at 12:11 PM, Louis Scaringella via PacketFence-users 
>>>  wrote:
>>>
>>> From the Aruba.pm switch file I see this:
>>>
>>>
>>> sub extractSsid {
>>>     my ($self, $radius_request) = @_;
>>>     my $logger = $self->logger;
>>>
>>>     # Aruba-Essid-Name VSA
>>>     if (defined($radius_request->{'Aruba-Essid-Name'})) {
>>>         return $radius_request->{'Aruba-Essid-Name'};
>>>     }
>>>
>>>     $logger->warn(
>>>         "Unable to extract SSID for module " . ref($self) . ". SSID-based VLAN assignments won't work. "
>>>         . "Please let us know so we can add support for it."
>>>     );
>>>     return;
>>> }
>>>
>>> It looks to be searching for the Aruba-ESSID-NAME instead of 
>>> Called-Station-SSID. Do you think we’d have to change the switch.pm to 
>>> reflect that instead then?
>>>
>>> Louis Scaringella
>>> Security Systems Engineer
>>> Yellow Dog Networks, Inc
>>> 785-342-7903
>>>
 On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:

 It looks to be a bug in the switch template.

 Right now there is no method to extract the SSID from attributes other than 
 Called-Station-Id.

 We will make a patch to update the default method to extract the ssid from 
 Called-Station-SSID.

 Le 20-10-07 à 14 h 19, Louis Scaringella a écrit :
> Here is the request:
>
> RADIUS Request
> User-Name = "00-24-d6-5b-30-bc"
> User-Password = "**"
> NAS-IP-Address = 198.18.255.64
> NAS-Port = 0
> Service-Type = Call-Check
> Called-Station-Id = "20:4c:03:58:99:8a"
> Calling-Station-Id = "00:24:d6:5b:30:bc"
> NAS-Port-Type = Wireless-802.11
> Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
> Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
> Aruba-Essid-Name = "Lab-Open-Guest"
> Aruba-Location-Id = "Lab AP-A0:E4"
> Aruba-AP-Group = "default"
> Stripped-User-Name = "00-24-d6-5b-30-bc"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = 198.18.255.64
> Called-Station-SSID = "Lab-Open-Guest"
> PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
> PacketFence-Radius-Ip = "198.18.255.132"
> SQL-User-Name = "00-24-d6-5b-30-bc"
>
> It seems to show under the Called-Station-SSID as well as 
> Aruba-ESSID-NAME.
>
> Louis Scaringella
> Security Systems Engineer
> Yellow Dog Networks, Inc
> 785-342-7903
>
>> On Oct 7, 2020, at 1:17 PM, Fabrice Durand  wrote:
>>
>> Check in the RADIUS audit log for the RADIUS request and check if one of 
>> the attributes contains the SSID.
>>
>> If the SSID is defined in one of the attributes then we will be able to 
>> fix it; if not, check on the Aruba side if there is a way to push it 
>> (it is by default).
>>
>> Le 20-10-07 à 14 h 12, Louis Scaringella a écrit :
>>> Here it is. It appears it isn’t able to extract the SSID from the Aruba 
>>> Controller. This is ArubaOS 8.6 running on the controller.
>>>
>>> Any ideas to workaround this? It even says to let you all know so you 
>>> can add support for it. I appreciate all you do to keep this product 
>>> awesome!
>>>
>>> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
>>> [mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
>>> 20:4c:03:58:99:8a (pf::Switch::extractSsid)
>>> Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) WARN: 
>>> [mac:00:24:d6:5b:30:bc] Unable to extract SSID for module 
>>> pf::Switch::Template. SSID-based VLAN assignments won't work. Please 
>>> let us know so we can add support for it. (pf::Switch::extractSsid)
>>> Oct  7 13:08:35 

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Fabrice Durand via PacketFence-users

Revert the change in Switch.pm then do:

cd /usr/local/pf/

curl 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/5903.diff 
| patch -p1


Le 20-10-08 à 14 h 43, Louis Scaringella a écrit :

What should I do with that file you sent? Add that to switch.pm or replace it?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Oct 8, 2020, at 1:41 PM, Fabrice Durand  wrote:

Hello Louis,

let's take a look at 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/5903.diff

Also it can happen when, for example, the registration network is an inline 
network.

Regards

Fabrice


Le 20-10-08 à 14 h 37, Louis Scaringella a écrit :

What would cause the httpd.aaa process to match the correct profile but then 
the httpd.portal to match the default?
Does it not use the same criteria and filters as the connection profile does?

The only change here between scenarios is the SSID filter added to the 
connection profile so something just isn’t right here.

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Oct 8, 2020, at 12:11 PM, Louis Scaringella via PacketFence-users 
 wrote:

 From the Aruba.pm switch file I see this:


sub extractSsid {
    my ($self, $radius_request) = @_;
    my $logger = $self->logger;

    # Aruba-Essid-Name VSA
    if (defined($radius_request->{'Aruba-Essid-Name'})) {
        return $radius_request->{'Aruba-Essid-Name'};
    }

    $logger->warn(
        "Unable to extract SSID for module " . ref($self) . ". SSID-based VLAN assignments won't work. "
        . "Please let us know so we can add support for it."
    );
    return;
}

It looks to be searching for the Aruba-ESSID-NAME instead of 
Called-Station-SSID. Do you think we’d have to change the switch.pm to reflect 
that instead then?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:

It looks to be a bug in the switch template.

Right now there is no method to extract the SSID from attributes other than 
Called-Station-Id.

We will make a patch to update the default method to extract the ssid from 
Called-Station-SSID.

Le 20-10-07 à 14 h 19, Louis Scaringella a écrit :

Here is the request:

RADIUS Request
User-Name = "00-24-d6-5b-30-bc"
User-Password = "**"
NAS-IP-Address = 198.18.255.64
NAS-Port = 0
Service-Type = Call-Check
Called-Station-Id = "20:4c:03:58:99:8a"
Calling-Station-Id = "00:24:d6:5b:30:bc"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
Aruba-Essid-Name = "Lab-Open-Guest"
Aruba-Location-Id = "Lab AP-A0:E4"
Aruba-AP-Group = "default"
Stripped-User-Name = "00-24-d6-5b-30-bc"
Realm = "null"
FreeRADIUS-Client-IP-Address = 198.18.255.64
Called-Station-SSID = "Lab-Open-Guest"
PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
PacketFence-Radius-Ip = "198.18.255.132"
SQL-User-Name = "00-24-d6-5b-30-bc"

It seems to show under the Called-Station-SSID as well as Aruba-ESSID-NAME.

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Oct 7, 2020, at 1:17 PM, Fabrice Durand  wrote:

Check in the RADIUS audit log for the RADIUS request and check if one of the 
attributes contains the SSID.

If the SSID is defined in one of the attributes then we will be able to fix it; 
if not, check on the Aruba side if there is a way to push it (it is by default).

Le 20-10-07 à 14 h 12, Louis Scaringella a écrit :

Here it is. It appears it isn’t able to extract the SSID from the Aruba 
Controller. This is ArubaOS 8.6 running on the controller.

Any ideas to workaround this? It even says to let you all know so you can add 
support for it. I appreciate all you do to keep this product awesome!

Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
20:4c:03:58:99:8a (pf::Switch::extractSsid)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) WARN: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID for module pf::Switch::Template. 
SSID-based VLAN assignments won't work. Please let us know so we can add 
support for it. (pf::Switch::extractSsid)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: [mac:00:24:d6:5b:30:bc] handling 
radius autz request: from switch_ip => (198.18.255.64), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, 
username => "00-24-d6-5b-30-bc" (pf::radius::authorize)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
Oct  7 13:08:35 localhost 

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Fabrice Durand via PacketFence-users

Hello Louis,

let's take a look at 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/5903.diff


Also it can happen when, for example, the registration network is an 
inline network.


Regards

Fabrice


Le 20-10-08 à 14 h 37, Louis Scaringella a écrit :

What would cause the httpd.aaa process to match the correct profile but then 
the httpd.portal to match the default?
Does it not use the same criteria and filters as the connection profile does?

The only change here between scenarios is the SSID filter added to the 
connection profile so something just isn’t right here.

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Oct 8, 2020, at 12:11 PM, Louis Scaringella via PacketFence-users 
 wrote:

 From the Aruba.pm switch file I see this:


sub extractSsid {
    my ($self, $radius_request) = @_;
    my $logger = $self->logger;

    # Aruba-Essid-Name VSA
    if (defined($radius_request->{'Aruba-Essid-Name'})) {
        return $radius_request->{'Aruba-Essid-Name'};
    }

    $logger->warn(
        "Unable to extract SSID for module " . ref($self) . ". SSID-based VLAN assignments won't work. "
        . "Please let us know so we can add support for it."
    );
    return;
}

It looks to be searching for the Aruba-ESSID-NAME instead of 
Called-Station-SSID. Do you think we’d have to change the switch.pm to reflect 
that instead then?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:

It looks to be a bug in the switch template.

Right now there is no method to extract the SSID from attributes other than 
Called-Station-Id.

We will make a patch to update the default method to extract the ssid from 
Called-Station-SSID.

Le 20-10-07 à 14 h 19, Louis Scaringella a écrit :

Here is the request:

RADIUS Request
User-Name = "00-24-d6-5b-30-bc"
User-Password = "**"
NAS-IP-Address = 198.18.255.64
NAS-Port = 0
Service-Type = Call-Check
Called-Station-Id = "20:4c:03:58:99:8a"
Calling-Station-Id = "00:24:d6:5b:30:bc"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
Aruba-Essid-Name = "Lab-Open-Guest"
Aruba-Location-Id = "Lab AP-A0:E4"
Aruba-AP-Group = "default"
Stripped-User-Name = "00-24-d6-5b-30-bc"
Realm = "null"
FreeRADIUS-Client-IP-Address = 198.18.255.64
Called-Station-SSID = "Lab-Open-Guest"
PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
PacketFence-Radius-Ip = "198.18.255.132"
SQL-User-Name = "00-24-d6-5b-30-bc"

It seems to show under the Called-Station-SSID as well as Aruba-ESSID-NAME.

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Oct 7, 2020, at 1:17 PM, Fabrice Durand  wrote:

Check in the RADIUS audit log for the RADIUS request and check if one of the 
attributes contains the SSID.

If the SSID is defined in one of the attributes then we will be able to fix it; 
if not, check on the Aruba side if there is a way to push it (it is by default).

Le 20-10-07 à 14 h 12, Louis Scaringella a écrit :

Here it is. It appears it isn’t able to extract the SSID from the Aruba 
Controller. This is ArubaOS 8.6 running on the controller.

Any ideas to workaround this? It even says to let you all know so you can add 
support for it. I appreciate all you do to keep this product awesome!

Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
20:4c:03:58:99:8a (pf::Switch::extractSsid)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) WARN: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID for module pf::Switch::Template. 
SSID-based VLAN assignments won't work. Please let us know so we can add 
support for it. (pf::Switch::extractSsid)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: [mac:00:24:d6:5b:30:bc] handling 
radius autz request: from switch_ip => (198.18.255.64), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, 
username => "00-24-d6-5b-30-bc" (pf::radius::authorize)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
(pf::role::getRegistrationRole)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node must 
be kicked out. Returning USERLOCK (pf::Switch::Template::handleRadiusDeny)
Oct  7 13:08:44 localhost packetfence_httpd.portal: httpd.portal(2655) INFO: 

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
I updated this and didn’t work. Here is the log again:

Oct 8 11:16:15 localhost packetfence_httpd.aaa: httpd.aaa(2088) INFO: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
20:4c:03:58:99:8a (pf::Switch::extractSsid)
Oct 8 11:16:15 localhost packetfence_httpd.aaa: httpd.aaa(2088) WARN: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID for module pf::Switch::Template. 
SSID-based VLAN assignments won't work. Please let us know so we can add 
support for it. (pf::Switch::extractSsid)
Oct 8 11:16:15 localhost packetfence_httpd.aaa: httpd.aaa(2088) INFO: 
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
(198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
"00-24-d6-5b-30-bc" (pf::radius::authorize)
Oct 8 11:16:15 localhost packetfence_httpd.aaa: httpd.aaa(2088) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct 8 11:16:15 localhost packetfence_httpd.aaa: httpd.aaa(2088) INFO: 
[mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
Oct 8 11:16:15 localhost packetfence_httpd.aaa: httpd.aaa(2088) INFO: 
[mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
(pf::role::getRegistrationRole)
Oct 8 11:16:15 localhost packetfence_httpd.aaa: httpd.aaa(2088) INFO: 
[mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node must 
be kicked out. Returning USERLOCK (pf::Switch::Template::handleRadiusDeny)


Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:
>
> It looks to be a bug in the switch template.
>
> Right now there is no method to extract the SSID from attributes other than 
> Called-Station-Id.
>
> We will make a patch to update the default method to extract the ssid from 
> Called-Station-SSID.
>
> Le 20-10-07 à 14 h 19, Louis Scaringella a écrit :
>> Here is the request:
>>
>> RADIUS Request
>> User-Name = "00-24-d6-5b-30-bc"
>> User-Password = "**"
>> NAS-IP-Address = 198.18.255.64
>> NAS-Port = 0
>> Service-Type = Call-Check
>> Called-Station-Id = "20:4c:03:58:99:8a"
>> Calling-Station-Id = "00:24:d6:5b:30:bc"
>> NAS-Port-Type = Wireless-802.11
>> Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
>> Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
>> Aruba-Essid-Name = "Lab-Open-Guest"
>> Aruba-Location-Id = "Lab AP-A0:E4"
>> Aruba-AP-Group = "default"
>> Stripped-User-Name = "00-24-d6-5b-30-bc"
>> Realm = "null"
>> FreeRADIUS-Client-IP-Address = 198.18.255.64
>> Called-Station-SSID = "Lab-Open-Guest"
>> PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
>> PacketFence-Radius-Ip = "198.18.255.132"
>> SQL-User-Name = "00-24-d6-5b-30-bc"
>>
>> It seems to show under the Called-Station-SSID as well as Aruba-ESSID-NAME.
>>
>> Louis Scaringella
>> Security Systems Engineer
>> Yellow Dog Networks, Inc
>> 785-342-7903
>>
>>> On Oct 7, 2020, at 1:17 PM, Fabrice Durand  wrote:
>>>
>>> Check in the RADIUS audit log for the RADIUS request and check if one of 
>>> the attributes contains the SSID.
>>>
>>> If the SSID is defined in one of the attributes then we will be able to fix 
>>> it; if not, check on the Aruba side if there is a way to push it (it is by 
>>> default).
>>>
>>> Le 20-10-07 à 14 h 12, Louis Scaringella a écrit :
 Here it is. It appears it isn’t able to extract the SSID from the Aruba 
 Controller. This is ArubaOS 8.6 running on the controller.

 Any ideas to workaround this? It even says to let you all know so you can 
 add support for it. I appreciate all you do to keep this product awesome!

 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
 20:4c:03:58:99:8a (pf::Switch::extractSsid)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) WARN: 
 [mac:00:24:d6:5b:30:bc] Unable to extract SSID for module 
 pf::Switch::Template. SSID-based VLAN assignments won't work. Please let 
 us know so we can add support for it. (pf::Switch::extractSsid)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
 (198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
 (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
 "00-24-d6-5b-30-bc" (pf::radius::authorize)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 

Re: [PacketFence-users] Packetfence set role by mac not user...

2020-10-08 Thread Fetakungen Virtual Adventurer via PacketFence-users
Well, the HP switches as supplicants do not support EAP, they only support CHAP 
MD5…

Still, the username SHOULD match the role?

BR,
Anton.

From: Ludovic Zammit 
Sent: 8 October 2020 14:22
To: Fetakungen Virtual Adventurer 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Packetfence set role by mac not user...

Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: 
[mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => 
(10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => 
(08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => 
"vim-foradsgatan-d1s1-a1@.local" 
(pf::radius::authorize)

It’s definitely a wired mac authentication.

Maybe the EAP Type is wrong on your switch, it should be EAP PEAP MSCHAPv2 and 
not EAP PAP, CHAP or MD5.

You should see  connection_type => Ethernet-EAP. Check the EAP Type in the 
auditing section.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





On Oct 7, 2020, at 5:26 PM, Fetakungen Virtual Adventurer 
<fetakun...@gabenpirates.com> wrote:

This is what I don’t understand: why does it state this?...

Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 
'default' (pf::config::util::filter_authentication_sources)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) WARN: 
[mac:f8:60:f0:33:00:80] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 
'default' (pf::config::util::filter_authentication_sources)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Connection type is MAC-AUTH.Getting role from node_info 
(pf::role::getRegisteredRole)

Connection type is MAC-AUTH.

Since it’s a user calling in, it’s clearly NOT MAC-AUTH

0_0

BR,
Anton.
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: 29 September 2020 18:54
To: Fetakungen Virtual Adventurer <fetakun...@gabenpirates.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Packetfence set role by mac not user...

It looks like you are trying to match a UPN (UserPrincipalName), so maybe try 
not stripping the username in the realm.

Is 
vim-foradsgatan-d1s1-a1@.local 
the UPN for that object?

It looks like that connection matches the default realm, so don’t strip the 
username on the default realm.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org)







On Sep 28, 2020, at 8:08 PM, Fetakungen Virtual Adventurer 
<fetakun...@gabenpirates.com> wrote:

Here is the complete auth.conf

# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL
dynamic_routing_module=AuthModule

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no
local_account_logins=0
message=PIN: $pin
hash_passwords=bcrypt
sms_activation_timeout=10m
dynamic_routing_module=AuthModule
password_length=8
pin_code_length=6

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no
local_account_logins=0
dynamic_routing_module=AuthModule
hash_passwords=bcrypt
password_length=8

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no
hash_passwords=bcrypt
dynamic_routing_module=AuthModule
local_account_logins=0
password_length=8
sources=
email_activation_timeout=30m
validate_sponsor=yes
lang=

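
How a request ends up labelled Ethernet-NoEAP rather than Ethernet-EAP in the httpd.aaa log above, and why PacketFence then takes the role from the node instead of the user, as an added Python example. This is not PacketFence's pf::Connection code, and the rules are an approximation written for this thread: the attribute names are the standard FreeRADIUS ones visible in the audit log, the EAP-Message/EAP-Type presence check and the "User-Name equals Calling-Station-Id" heuristic for MAC authentication are assumptions, and the sample requests are constructed from the log lines quoted in the thread with the remaining values assumed.

```python
import re
from typing import Mapping, Optional, Tuple

_MAC_CHARS = re.compile(r"^[0-9a-f:.\-]{12,17}$")


def normalize_mac(value: str) -> Optional[str]:
    """Return aa:bb:cc:dd:ee:ff for the common MAC spellings, else None."""
    v = value.strip().lower()
    if not _MAC_CHARS.match(v):
        return None
    digits = re.sub(r"[:.\-]", "", v)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(request: Mapping[str, str]) -> Tuple[str, str]:
    """Return (connection_type, diagnosis) for a parsed Access-Request."""
    port_type = request.get("NAS-Port-Type", "")
    if port_type.startswith("Wireless"):
        medium = "Wireless-802.11"
    elif port_type == "Ethernet":
        medium = "Ethernet"
    else:
        medium = port_type or "Unknown"

    # A NAS relaying EAPOL puts the frames in EAP-Message and FreeRADIUS's eap
    # module sets EAP-Type; a MAB or PAP/CHAP request carries neither
    # (assumed attribute names, see lead-in).
    is_eap = "EAP-Message" in request or "EAP-Type" in request
    connection_type = f"{medium}-{'EAP' if is_eap else 'NoEAP'}"

    user_mac = normalize_mac(request.get("User-Name", ""))
    client_mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if is_eap:
        diagnosis = (f"802.1X, EAP-Type {request.get('EAP-Type', 'unknown')}: "
                     "the role is computed from the authenticated user")
    elif user_mac is not None and user_mac == client_mac:
        diagnosis = "MAC authentication: User-Name is the client MAC, role comes from the node"
    else:
        diagnosis = ("User-Name is not the client MAC but no EAP was negotiated: "
                     "the switch sent PAP/CHAP, so this is still treated as MAC-AUTH "
                     "and the user-based role rules never run")
    return connection_type, diagnosis


# Constructed samples built from the log lines quoted in this thread.
WIRED_NOEAP = {  # the HP switch acting as supplicant, sending CHAP/MD5
    "NAS-Port-Type": "Ethernet",
    "User-Name": "vim-foradsgatan-d1s1-a1@.local",
    "Calling-Station-Id": "08:f1:ea:3f:11:40",
    "NAS-Port": "8",
}
WIRELESS_MAB = {  # the Aruba open-guest request from the other thread
    "NAS-Port-Type": "Wireless-802.11",
    "User-Name": "00-24-d6-5b-30-bc",
    "Calling-Station-Id": "00:24:d6:5b:30:bc",
    "Service-Type": "Call-Check",
}
WIRED_PEAP = {  # hypothetical: the same switch doing PEAP/MSCHAPv2 instead
    "NAS-Port-Type": "Ethernet",
    "User-Name": "vim-foradsgatan-d1s1-a1@.local",
    "Calling-Station-Id": "08:f1:ea:3f:11:40",
    "EAP-Message": "0x0201000a0161646d696e",  # EAP-Response/Identity "admin"
    "EAP-Type": "PEAP",
}

if __name__ == "__main__":
    for name, req in (("WIRED_NOEAP", WIRED_NOEAP),
                      ("WIRELESS_MAB", WIRELESS_MAB),
                      ("WIRED_PEAP", WIRED_PEAP)):
        ctype, why = classify(req)
        print(f"{name}: connection_type => {ctype}; {why}")
```

Run it against the attributes shown in the RADIUS audit entry before touching realm stripping or authentication-source rules: if the first line comes back NoEAP while the User-Name is a hostname or UPN, the supplicant is not doing EAP at all and no source rule keyed on the username will be consulted.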

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
I tried that and rebooted and it still shows me hitting the default profile and 
same error in the PacketFence.log file.

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:
>
> It looks to be a bug in the switch template.
>
> Right now there is no method to extract the SSID from attributes other than 
> Called-Station-Id.
>
> We will make a patch to update the default method to extract the ssid from 
> Called-Station-SSID.
>
> Le 20-10-07 à 14 h 19, Louis Scaringella a écrit :
>> Here is the request:
>>
>> RADIUS Request
>> User-Name = "00-24-d6-5b-30-bc"
>> User-Password = "**"
>> NAS-IP-Address = 198.18.255.64
>> NAS-Port = 0
>> Service-Type = Call-Check
>> Called-Station-Id = "20:4c:03:58:99:8a"
>> Calling-Station-Id = "00:24:d6:5b:30:bc"
>> NAS-Port-Type = Wireless-802.11
>> Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
>> Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
>> Aruba-Essid-Name = "Lab-Open-Guest"
>> Aruba-Location-Id = "Lab AP-A0:E4"
>> Aruba-AP-Group = "default"
>> Stripped-User-Name = "00-24-d6-5b-30-bc"
>> Realm = "null"
>> FreeRADIUS-Client-IP-Address = 198.18.255.64
>> Called-Station-SSID = "Lab-Open-Guest"
>> PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
>> PacketFence-Radius-Ip = "198.18.255.132"
>> SQL-User-Name = "00-24-d6-5b-30-bc"
>>
>> It seems to show under the Called-Station-SSID as well as Aruba-ESSID-NAME.
>>
>> Louis Scaringella
>> Security Systems Engineer
>> Yellow Dog Networks, Inc
>> 785-342-7903
>>
>>> On Oct 7, 2020, at 1:17 PM, Fabrice Durand  wrote:
>>>
>>> Check in the RADIUS audit log for the RADIUS request and check if one of 
>>> the attributes contains the SSID.
>>>
>>> If the SSID is defined in one of the attributes then we will be able to fix 
>>> it; if not, check on the Aruba side if there is a way to push it (it is by 
>>> default).
>>>
>>> Le 20-10-07 à 14 h 12, Louis Scaringella a écrit :
 Here it is. It appears it isn’t able to extract the SSID from the Aruba 
 Controller. This is ArubaOS 8.6 running on the controller.

 Any ideas to workaround this? It even says to let you all know so you can 
 add support for it. I appreciate all you do to keep this product awesome!

 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
 20:4c:03:58:99:8a (pf::Switch::extractSsid)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) WARN: 
 [mac:00:24:d6:5b:30:bc] Unable to extract SSID for module 
 pf::Switch::Template. SSID-based VLAN assignments won't work. Please let 
 us know so we can add support for it. (pf::Switch::extractSsid)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
 (198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
 (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
 "00-24-d6-5b-30-bc" (pf::radius::authorize)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
 (pf::role::getRegistrationRole)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node 
 must be kicked out. Returning USERLOCK 
 (pf::Switch::Template::handleRadiusDeny)
 Oct  7 13:08:44 localhost packetfence_httpd.portal: httpd.portal(2655) 
 INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:51 localhost packetfence_httpd.portal: httpd.portal(2656) 
 INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:52 localhost packetfence_httpd.portal: httpd.portal(2657) 
 INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:57 localhost packetfence_httpd.portal: httpd.portal(2656) 
 INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:57 localhost packetfence_httpd.portal: httpd.portal(2657) 
 INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:59 localhost packetfence_httpd.portal: httpd.portal(2656) 
 INFO: 

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
From the Aruba.pm switch file I see this:


sub extractSsid {
    my ($self, $radius_request) = @_;
    my $logger = $self->logger;

    # Aruba-Essid-Name VSA
    if (defined($radius_request->{'Aruba-Essid-Name'})) {
        return $radius_request->{'Aruba-Essid-Name'};
    }

    $logger->warn(
        "Unable to extract SSID for module " . ref($self) . ". SSID-based VLAN assignments won't work. "
        . "Please let us know so we can add support for it."
    );
    return;
}

It looks to be searching for the Aruba-ESSID-NAME instead of 
Called-Station-SSID. Do you think we’d have to change the switch.pm to reflect 
that instead then?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:
>
> It looks to be a bug in the switch template.
>
> Right now there is no method to extract the SSID from attributes other than 
> Called-Station-Id.
>
> We will make a patch to update the default method to extract the ssid from 
> Called-Station-SSID.
>
> Le 20-10-07 à 14 h 19, Louis Scaringella a écrit :
>> Here is the request:
>>
>> RADIUS Request
>> User-Name = "00-24-d6-5b-30-bc"
>> User-Password = "**"
>> NAS-IP-Address = 198.18.255.64
>> NAS-Port = 0
>> Service-Type = Call-Check
>> Called-Station-Id = "20:4c:03:58:99:8a"
>> Calling-Station-Id = "00:24:d6:5b:30:bc"
>> NAS-Port-Type = Wireless-802.11
>> Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
>> Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
>> Aruba-Essid-Name = "Lab-Open-Guest"
>> Aruba-Location-Id = "Lab AP-A0:E4"
>> Aruba-AP-Group = "default"
>> Stripped-User-Name = "00-24-d6-5b-30-bc"
>> Realm = "null"
>> FreeRADIUS-Client-IP-Address = 198.18.255.64
>> Called-Station-SSID = "Lab-Open-Guest"
>> PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
>> PacketFence-Radius-Ip = "198.18.255.132"
>> SQL-User-Name = "00-24-d6-5b-30-bc"
>>
>> It seems to show under the Called-Station-SSID as well as Aruba-ESSID-NAME.
>>
>> Louis Scaringella
>> Security Systems Engineer
>> Yellow Dog Networks, Inc
>> 785-342-7903
>>
>>> On Oct 7, 2020, at 1:17 PM, Fabrice Durand  wrote:
>>>
>>> Check in the RADIUS audit log for the RADIUS request and check if one of 
>>> the attributes contains the SSID.
>>>
>>> If the SSID is defined in one of the attributes then we will be able to fix 
>>> it; if not, check on the Aruba side if there is a way to push it (it is by 
>>> default).
>>>
>>> Le 20-10-07 à 14 h 12, Louis Scaringella a écrit :
 Here it is. It appears it isn’t able to extract the SSID from the Aruba 
 Controller. This is ArubaOS 8.6 running on the controller.

 Any ideas to workaround this? It even says to let you all know so you can 
 add support for it. I appreciate all you do to keep this product awesome!

 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
 20:4c:03:58:99:8a (pf::Switch::extractSsid)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) WARN: 
 [mac:00:24:d6:5b:30:bc] Unable to extract SSID for module 
 pf::Switch::Template. SSID-based VLAN assignments won't work. Please let 
 us know so we can add support for it. (pf::Switch::extractSsid)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
 (198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
 (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
 "00-24-d6-5b-30-bc" (pf::radius::authorize)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
 (pf::role::getRegistrationRole)
 Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
 [mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node 
 must be kicked out. Returning USERLOCK 
 (pf::Switch::Template::handleRadiusDeny)
 Oct  7 13:08:44 localhost packetfence_httpd.portal: httpd.portal(2655) 
 INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:51 localhost packetfence_httpd.portal: httpd.portal(2656) 
 INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 (pf::Connection::ProfileFactory::_from_profile)
 Oct  7 13:08:52 localhost packetfence_httpd.portal: httpd.portal(2657) 
 INFO: [mac:00:24:d6:5b:30:bc] Instantiate profile default 
 

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
Sorry for the flood, but I think I made some progress with this although I 
still think we need to address the Aruba Wireless Controller switch template.

I changed my switch template from Aruba Wireless Controller to just Aruba and 
it sounds like now it does at least see the SSID. However, in my connection 
profile when I add the SSID filter to this, it still doesn’t match the HTTP 
portal for the proper connection profile. Here are logs comparing the two 
scenarios:


With SSID filter. We can see it starts the “default” profile even though above 
it matches the proper Lab-Aruba-OpenGuest-copy profile. The default portal is 
what the user then sees.

Oct 8 13:01:27 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
(198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
"00-24-d6-5b-30-bc", ssid => Lab-Open-Guest (pf::radius::authorize)
Oct 8 13:01:27 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 8 13:01:27 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
Oct 8 13:01:27 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
(pf::role::getRegistrationRole)
Oct 8 13:01:27 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node must 
be kicked out. Returning USERLOCK (pf::Switch::handleRadiusDeny)
Oct 8 13:01:57 localhost packetfence_httpd.portal: httpd.portal(2687) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct 8 13:01:57 localhost pfipset[1941]: t=2020-10-08T13:01:57-0500 lvl=info 
msg="No Inline Network bypass ipsets reload" pid=1941



Without SSID Filter. We can see that it starts the proper 
Lab-Aruba-OpenGuest-copy profile and the correct portal associated with that.

Oct 8 13:03:39 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => 
(198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => 
(20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => 
"00-24-d6-5b-30-bc", ssid => Lab-Open-Guest (pf::radius::authorize)
Oct 8 13:03:39 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 8 13:03:39 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
Oct 8 13:03:39 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
(pf::role::getRegistrationRole)
Oct 8 13:03:39 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: 
[mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node must 
be kicked out. Returning USERLOCK (pf::Switch::handleRadiusDeny)
Oct 8 13:03:49 localhost packetfence_httpd.portal: httpd.portal(2689) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)



Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

> On Oct 7, 2020, at 1:58 PM, Fabrice Durand  wrote:
>
> It looks to be a bug in the switch template.
>
> Right now there is no method to extract the ssid in other attributes than 
> Called-Station-Id.
>
> We will make a patch to update the default method to extract the ssid from 
> Called-Station-SSID.
>
> On 2020-10-07 at 14:19, Louis Scaringella wrote:
>> Here is the request:
>>
>> RADIUS Request
>> User-Name = "00-24-d6-5b-30-bc"
>> User-Password = "**"
>> NAS-IP-Address = 198.18.255.64
>> NAS-Port = 0
>> Service-Type = Call-Check
>> Called-Station-Id = "20:4c:03:58:99:8a"
>> Calling-Station-Id = "00:24:d6:5b:30:bc"
>> NAS-Port-Type = Wireless-802.11
>> Event-Timestamp = "Oct  7 2020 13:14:28 CDT"
>> Message-Authenticator = 0x0ba983427b333601e7704e6fbfc6739d
>> Aruba-Essid-Name = "Lab-Open-Guest"
>> Aruba-Location-Id = "Lab AP-A0:E4"
>> Aruba-AP-Group = "default"
>> Stripped-User-Name = "00-24-d6-5b-30-bc"
>> Realm = "null"
>> FreeRADIUS-Client-IP-Address = 198.18.255.64
>> Called-Station-SSID = "Lab-Open-Guest"
>> PacketFence-KeyBalanced = "8a61332855442ed4efb3a8b31b7b9e13"
>> PacketFence-Radius-Ip = "198.18.255.132"
>> SQL-User-Name = "00-24-d6-5b-30-bc"
>>
>> It seems to show under the Called-Station-SSID as well as Aruba-ESSID-NAME.
>>
>> Louis Scaringella
>> Security Systems Engineer
>> Yellow Dog Networks, Inc
>> 785-342-7903
>>
>>> On Oct 7, 2020, at 1:17 PM, Fabrice Durand  wrote:
>>>
>>> Check in the radius 

Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Louis Scaringella via PacketFence-users
To think of it, why does this show the Switch template being used when I have 
configured the "Aruba Wireless Controller" template for this switch in the 
"Switch" section of PacketFence? Shouldn't it be using the Aruba template?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


Re: [PacketFence-users] Configuration is lost when setting an interface to registration and adding portal-deamon

2020-10-08 Thread Ludovic Zammit via PacketFence-users
Hello,

Send a screenshot of your configuration.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Fabrice Durand via PacketFence-users

Try that, it should work.


Edit lib/pf/Switch.pm and replace the extractSsid function with:


sub extractSsid {
    my ($self, $radius_request) = @_;
    my $logger = $self->logger;

    # it's put in Called-Station-Id
    # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
    if (defined($radius_request->{'Called-Station-Id'})) {
        if ($radius_request->{'Called-Station-Id'} =~ /^
            # below is MAC Address with supported separators: :, - or nothing
            [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
            :       # : delimiter
            (.*)    # SSID
            $/ix) {
            return $1;
        } else {
            $logger->info("Unable to extract SSID of Called-Station-Id: " . $radius_request->{'Called-Station-Id'});
        }
    }

    # Fall back to Called-Station-SSID. This is a separate if rather than an
    # elsif on purpose: in the Aruba request Called-Station-Id is present but
    # holds only the AP MAC, so the match above fails and the fallback must
    # still be reached.
    if (defined($radius_request->{'Called-Station-SSID'})) {
        return $radius_request->{'Called-Station-SSID'};
    }

    $logger->warn(
        "Unable to extract SSID for module " . ref($self) . ". SSID-based VLAN assignments won't work. "
        . "Please let us know so we can add support for it."
    );
    return;
}



On 2020-10-07 at 16:02, Louis Scaringella wrote:

Is the information in the request sufficient for this to be fixed? I can 
provide anything else you may need on the Aruba side to help.

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903


On Oct 7, 2020, at 1:12 PM, Louis Scaringella via PacketFence-users 
 wrote:

Here it is. It appears it isn’t able to extract the SSID from the Aruba 
Controller. This is ArubaOS 8.6 running on the controller.

Any ideas to workaround this? It even says to let you all know so you can add 
support for it. I appreciate all you do to keep this product awesome!

Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID of Called-Station-Id: 
20:4c:03:58:99:8a (pf::Switch::extractSsid)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) WARN: 
[mac:00:24:d6:5b:30:bc] Unable to extract SSID for module pf::Switch::Template. 
SSID-based VLAN assignments won't work. Please let us know so we can add 
support for it. (pf::Switch::extractSsid)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: [mac:00:24:d6:5b:30:bc] handling 
radius autz request: from switch_ip => (198.18.255.64), connection_type => 
Wireless-802.11-NoEAP,switch_mac => (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, 
username => "00-24-d6-5b-30-bc" (pf::radius::authorize)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] Match rule MAC-Auth (pf::access_filter::test)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] vlan filter match ; belongs into REJECT VLAN 
(pf::role::getRegistrationRole)
Oct  7 13:08:35 localhost packetfence_httpd.aaa: httpd.aaa(2063) INFO: 
[mac:00:24:d6:5b:30:bc] According to rules in fetchRoleForNode this node must 
be kicked out. Returning USERLOCK (pf::Switch::Template::handleRadiusDeny)
Oct  7 13:08:44 localhost packetfence_httpd.portal: httpd.portal(2655) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:08:51 localhost packetfence_httpd.portal: httpd.portal(2656) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:08:52 localhost packetfence_httpd.portal: httpd.portal(2657) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:08:57 localhost packetfence_httpd.portal: httpd.portal(2656) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:08:57 localhost packetfence_httpd.portal: httpd.portal(2657) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:08:59 localhost packetfence_httpd.portal: httpd.portal(2656) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  7 13:09:00 localhost packetfence_httpd.portal: httpd.portal(2656) INFO: 
[mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
Oct  7 13:09:00 localhost packetfence_httpd.portal: httpd.portal(2656) INFO: 
[mac:00:24:d6:5b:30:bc] User default has authenticated on the portal. 
(Class::MOP::Class:::after)
Oct  7 13:09:00 localhost packetfence_httpd.portal: httpd.portal(2656) WARN: 
[mac:00:24:d6:5b:30:bc] Calling match with empty/invalid rule class. Defaulting 
to 'authentication' (pf::authentication::match)
Oct  7 13:09:00 localhost packetfence_httpd.portal: 
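
A runnable version of the same lookup order, added here as an example (it is not PacketFence code and not part of the thread), in Python so it can be run against the audit-log dump quoted above: it parses the "Attr = value" lines, tries the MAC:SSID form of Called-Station-Id first, and falls back to Called-Station-SSID when Called-Station-Id holds only the AP MAC, as in the Aruba request. The two request dumps are constructed from the attributes quoted in this thread; the function and constant names are chosen here.

```python
import re
from typing import Callable, Dict, Optional

# Constructed from the RADIUS request quoted in this thread (the Aruba case:
# Called-Station-Id carries only the AP MAC, the SSID arrives elsewhere).
ARUBA_REQUEST = '''\
User-Name = "00-24-d6-5b-30-bc"
NAS-IP-Address = 198.18.255.64
NAS-Port = 0
Service-Type = Call-Check
Called-Station-Id = "20:4c:03:58:99:8a"
Calling-Station-Id = "00:24:d6:5b:30:bc"
NAS-Port-Type = Wireless-802.11
Aruba-Essid-Name = "Lab-Open-Guest"
Called-Station-SSID = "Lab-Open-Guest"
'''

# Constructed request in the "MAC:SSID" convention the stock extractSsid expects.
MAC_SSID_REQUEST = '''\
Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID"
Calling-Station-Id = "00:24:d6:5b:30:bc"
NAS-Port-Type = Wireless-802.11
'''

# Same shape as the regex in the patch: six hex octets separated by ':' or '-'
# or nothing, then a ':' delimiter, then the SSID (which may itself contain ':').
CALLED_STATION_RE = re.compile(
    r'^(?:[a-f0-9]{2}[-:]?){5}[a-f0-9]{2}:(.*)$', re.IGNORECASE)


def parse_radius_dump(dump: str) -> Dict[str, str]:
    """Turn the audit log's 'Attr = value' lines into a dict, dropping quotes."""
    attrs: Dict[str, str] = {}
    for line in dump.splitlines():
        name, sep, value = line.partition(' = ')
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name.strip()] = value
    return attrs


def extract_ssid(attrs: Dict[str, str],
                 log: Callable[[str], None] = print) -> Optional[str]:
    """Mirror of the patched pf::Switch::extractSsid lookup order."""
    called = attrs.get('Called-Station-Id')
    if called is not None:
        m = CALLED_STATION_RE.match(called)
        if m:
            return m.group(1)
        log(f"Unable to extract SSID of Called-Station-Id: {called}")
    # The fallback has to run even when Called-Station-Id was present: for the
    # Aruba request it holds only the AP MAC and the match above fails.
    ssid = attrs.get('Called-Station-SSID')
    if ssid is not None:
        return ssid
    log("Unable to extract SSID; SSID-based VLAN assignments won't work.")
    return None


if __name__ == '__main__':
    for label, dump in (('Aruba', ARUBA_REQUEST), ('MAC:SSID', MAC_SSID_REQUEST)):
        print(label, '->', extract_ssid(parse_radius_dump(dump)))
```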

Re: [PacketFence-users] Packetfence set role by mac not user...

2020-10-08 Thread Ludovic Zammit via PacketFence-users
Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: 
[mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => 
(10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => 
(08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => 
"vim-foradsgatan-d1s1-a1@.local 
" (pf::radius::authorize)

It’s definitely a wired mac authentication.

Maybe the EAP Type is wrong on your switch, it should be EAP PEAP MSCHAPv2 and 
not EAP PAP, CHAP or MD5.

You should see  connection_type => Ethernet-EAP. Check the EAP Type in the 
auditing section.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 
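
To find this situation in a log instead of reading each line by eye, here is an added Python example (not part of the thread and not PacketFence code) that parses "handling radius autz request" lines and flags requests where a user-style identity arrives with a NoEAP connection type, which is what a port doing MAC authentication instead of 802.1X produces. The first two sample lines are constructed after the ones quoted in this thread; the third (Ethernet-EAP with a host/ identity) is invented for contrast, and all function names are chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the shape of the packetfence_httpd.aaa
# "handling radius autz request" entries quoted in this thread. The third
# line (Ethernet-EAP with a host/ identity) is invented for contrast.
SAMPLE_LOG = """\
Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => (10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => (08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => "vim-foradsgatan-d1s1-a1@.local" (pf::radius::authorize)
Oct  8 13:01:27 localhost packetfence_httpd.aaa: httpd.aaa(2087) INFO: [mac:00:24:d6:5b:30:bc] handling radius autz request: from switch_ip => (198.18.255.64), connection_type => Wireless-802.11-NoEAP,switch_mac => (20:4c:03:58:99:8a), mac => [00:24:d6:5b:30:bc], port => 0, username => "00-24-d6-5b-30-bc", ssid => Lab-Open-Guest (pf::radius::authorize)
Oct  8 14:10:02 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2130) INFO: [mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => (10.0.10.11), connection_type => Ethernet-EAP,switch_mac => (08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => "host/switch01.example.local" (pf::radius::authorize)
"""

AUTZ_RE = re.compile(
    r'\[mac:(?P<mac>[0-9a-f:]{17})\] handling radius autz request: '
    r'from switch_ip => \((?P<switch_ip>[^)]*)\), '
    r'connection_type => (?P<conn>[^,]+),'
    r'switch_mac => \((?P<switch_mac>[^)]*)\), '
    r'mac => \[[^\]]*\], '
    r'port => (?P<port>\d+), '
    r'username => "(?P<username>[^"]*)"'
    r'(?:, ssid => (?P<ssid>.*?))? \(pf::radius::authorize\)'
)

# A MAC-form username (what MAC authentication sends as User-Name):
# six hex octets with ':' or '-' or no separator.
MAC_USERNAME_RE = re.compile(r'^[0-9a-f]{2}(?:[-:]?[0-9a-f]{2}){5}$', re.IGNORECASE)


@dataclass
class AutzRequest:
    mac: str
    switch_ip: str
    connection_type: str
    port: str
    username: str
    ssid: Optional[str]


def parse_autz_lines(text: str) -> List[AutzRequest]:
    """Extract the fields of every 'handling radius autz request' line."""
    requests = []
    for line in text.splitlines():
        m = AUTZ_RE.search(line)
        if m:
            requests.append(AutzRequest(
                mac=m['mac'], switch_ip=m['switch_ip'], connection_type=m['conn'],
                port=m['port'], username=m['username'], ssid=m['ssid']))
    return requests


def flag_mismatch(req: AutzRequest) -> Optional[str]:
    """Return a triage note when the identity does not fit the connection type.

    A username that is not a MAC address arriving as *-NoEAP means the switch
    sent the user's credentials in a MAC-auth style request (for example PAP
    instead of PEAP-MSCHAPv2), so PacketFence treats it as MAC authentication.
    """
    mac_style = MAC_USERNAME_RE.match(req.username) is not None
    if req.connection_type.endswith('NoEAP') and not mac_style:
        return (f"{req.switch_ip} port {req.port}: user identity {req.username!r} "
                f"arrived as {req.connection_type}; the switch performed MAC "
                f"authentication, check its 802.1X/EAP type (expect *-EAP)")
    return None


def triage(text: str) -> List[str]:
    """Run the mismatch check over a log excerpt and return the notes."""
    return [note for req in parse_autz_lines(text)
            if (note := flag_mismatch(req)) is not None]


if __name__ == '__main__':
    for note in triage(SAMPLE_LOG):
        print(note)
```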





[PacketFence-users] Configuration is lost when setting an interface to registration and adding portal-deamon

2020-10-08 Thread Geert Heremans via PacketFence-users
Hello

I'm trying to configure a NIC to act as the registration network and to put
a captive portal on it for device registration.

When I add the Registration role to a NIC and save, on looking back the NIC
is always set to the other mode. Also, adding a listener daemon like portal
won't work. The settings aren't saved on the NIC.

It happens both with a virtual NIC (running on Hyper-V) and when assigning the
role to a VLAN on a NIC.

Best regards,
Geert


Re: [PacketFence-users] Connection Profile and SSID Filter

2020-10-08 Thread Fabrice Durand via PacketFence-users

It looks to be a bug in the switch template.

Right now there is no method to extract the ssid in other attributes 
than Called-Station-Id.


We will make a patch to update the default method to extract the ssid 
from Called-Station-SSID.



Re: [PacketFence-users] Packetfence set role by mac not user...

2020-10-08 Thread Fetakungen Virtual Adventurer via PacketFence-users
This is what I don't understand: why does it state this?...

Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 
'default' (pf::config::util::filter_authentication_sources)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) WARN: 
[mac:f8:60:f0:33:00:80] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 
'default' (pf::config::util::filter_authentication_sources)
Oct  7 23:24:16 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(79281) INFO: 
[mac:f8:60:f0:33:00:80] Connection type is MAC-AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)

Connection type is MAC-AUTH.

Since it's a user calling in, it's clearly NOT MAC-AUTH

0_0

BR,
Anton.
From: Ludovic Zammit 
Sent: 29 September 2020 18:54
To: Fetakungen Virtual Adventurer 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Packetfence set role by mac not user...

It looks like you are trying to match a UPN (UserPrincipalName), so maybe try 
not to strip the username in the realm.

Is 
vim-foradsgatan-d1s1-a1@.local 
the UPN for that object?

It looks like that connection matches on the default realm, so don't strip the 
username on the default realm.

Thanks,

Ludovic Zammit

lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





On Sep 28, 2020, at 8:08 PM, Fetakungen Virtual Adventurer 
<fetakun...@gabenpirates.com> wrote:

Here is the complete auth.conf

# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL
dynamic_routing_module=AuthModule

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no
local_account_logins=0
message=PIN: $pin
hash_passwords=bcrypt
sms_activation_timeout=10m
dynamic_routing_module=AuthModule
password_length=8
pin_code_length=6

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no
local_account_logins=0
dynamic_routing_module=AuthModule
hash_passwords=bcrypt
password_length=8

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no
hash_passwords=bcrypt
dynamic_routing_module=AuthModule
local_account_logins=0
password_length=8
sources=
email_activation_timeout=30m
validate_sponsor=yes
lang=

[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[null]
description=Null Source
type=Null
email_required=no
dynamic_routing_module=AuthModule

[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[X]
realms=default,local,null,X
cache_match=0
set_access_durations_action=
usernameattribute=UserPrincipalName
scope=sub
port=389
email_attribute=mail
read_timeout=10
basedn=DC=x,DC=LOCAL
shuffle=0
host=.local
connection_timeout=1
description=.local
type=AD
encryption=none
monitor=1
write_timeout=5
searchattributes=uid,distinguishedName,memberOf,sAMAccountName
binddn=CN=###
password=###
dynamic_routing_module=AuthModule

[x rule SWITCH]
action1=set_access_duration=1D
match=all
action0=set_role=Office_Switch
condition0=memberOf,equals,CN=ACCESS_SWITCH,OU=NETWORK_DEVICES,OU=Devices,OU=x,DC=x,DC=local
class=authentication
status=enabled

[x rule GUEST]
action1=set_access_duration=5D
match=all
class=authentication
action0=set_role=guest
status=enabled

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null
dynamic_routing_module=AuthModule

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
status=enabled

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: 28