Re: [PacketFence-users] Issue with iptables and clustering

2021-01-08 Thread Durand fabrice via PacketFence-users

Hello Chuck,


Is it a cluster of 3?


Because line 313 refers to @ha_ints, which is used for a cluster of 2 
(old cluster config).


Did you define HA interfaces in pf.conf?


Regards

Fabrice



On 21-01-04 at 09:14, Chuck Gentry via PacketFence-users wrote:
Ever since I have configured a cluster, I am unable to start the 
iptables module.


Error that I am receiving in the journal.
Can't locate object method "STORE" via package 
"pfconfig::cached_array" at /usr/local/pf/lib/pf/iptables.pm line 313. 
(pf::iptables::generate_filter_if_src_to_chain)


PF version 10.2.0, ZEN deployment

Things to note, I have 3 VLAN interfaces configured, type: other, 
portal, registration.  I am not using any of these interfaces at the 
moment.  I was just playing around with them. They are in the cluster.conf


Thank you in advance.






___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] online/offline status remain unknown

2021-01-08 Thread Ludovic Zammit via PacketFence-users
Hello,

The online/offline status is based on RADIUS Accounting.

RADIUS Accounting type = Start = Online

RADIUS Accounting type = Stop = Offline

Make sure that the PF server receives the start and stop with:

tcpdump -i any port 1813 -

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Jan 5, 2021, at 10:26 AM, Sonali Gulia via PacketFence-users 
>  wrote:
> 
> Hi all,
> 
> After starting the pfacct service, on the same switch the
> bandwidth_accounting tables show online/offline status for a few nodes,
> but for a few it still remains unknown.
> I checked all my configuration, but the bandwidth_accounting table remains
> empty for a few nodes, while there is no issue in the switch config because
> it's working fine for a few nodes.
> 
> For some endpoints which are connected with VoIP, both using a single port,
> it shows online for VoIP but unknown for the system.
> 
> Also, after some time when the system goes off it shows off status, but
> after some time it goes unknown (it may be because of cleanup timing).

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
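
The Start/Stop mapping in the reply above, as an added example that is not part of the original thread or PacketFence's own code: a Python tracker that reads raw RADIUS Accounting-Request packets (the traffic the tcpdump check on port 1813 would show), keys them by Calling-Station-Id, and reports a node as unknown when no Start or Stop was ever received. The sample packets and MAC addresses are constructed; keying on Calling-Station-Id and leaving the state unchanged on Interim-Update are assumptions of this example.

```python
import struct

ACCOUNTING_REQUEST = 4      # RADIUS packet code (RFC 2866)
CALLING_STATION_ID = 31     # attribute carrying the endpoint MAC
ACCT_STATUS_TYPE = 40       # attribute: 1 = Start, 2 = Stop, 3 = Interim-Update
STATUS = {1: "online", 2: "offline"}    # the mapping given in the reply above

def attributes(packet):  # yields (type, value) per attribute after the 20-byte header
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length > len(packet) or alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS packet at offset %d" % pos)
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def normalize_mac(raw):  # accepts aa:bb.., AA-BB.. or aabb..; returns aa:bb:.. or None
    hexd = bytes(b for b in raw.lower() if b in b"0123456789abcdef").decode()
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2)) if len(hexd) == 12 else None

def apply_accounting(state, packet):
    """Update state[mac] from one Accounting-Request; return the MAC seen, or None."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return None
    attrs = dict(attributes(packet))
    mac = normalize_mac(attrs.get(CALLING_STATION_ID, b""))
    status = attrs.get(ACCT_STATUS_TYPE, b"")
    if mac is None or len(status) != 4:
        return None
    value = struct.unpack("!I", status)[0]
    if value in STATUS:     # assumption: other types (e.g. Interim-Update) change nothing
        state[mac] = STATUS[value]
    return mac

def status_of(state, mac):
    return state.get(mac, "unknown")    # no Start or Stop was ever received

def sample(mac, status):
    """Constructed Accounting-Request; authenticator zeroed and not checked here."""
    body = bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac.encode()
    body += bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 0, 20 + len(body)) + bytes(16) + body

def demo():
    state = {}
    for mac, status in (("02-00-00-00-00-01", 1), ("020000000002", 1),
                        ("02:00:00:00:00:02", 2)):
        apply_accounting(state, sample(mac, status))
    return state
```

A node that shares a port with a phone stays unknown in this model whenever the switch only sends accounting for the phone's MAC, which is the case the capture is meant to confirm or rule out.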


Re: [PacketFence-users] Mikrotik COA

2021-01-08 Thread Fabrice Durand via PacketFence-users

Hello Enrique,

use_tunneled_reply is a FreeRADIUS attribute, but I don't think it's 
related to the issue (it's the authentication part).


(https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/eap.conf.example)

The issue is when the CoA is sent.

Regards

Fabrice



On 21-01-08 at 11:36, Enrique Gross wrote:

Fabrice, Adrian, PF users

Happy 2021!

I have received feedback from Mikrotik Support regarding Error-Cause = 
Unsupported-Extension:


Hello,

Thank you for contacting MikroTik Support and sorry for the late
reply.

Yes, it seems that's the case, with using wrong attributes, as
Error 406 means an unsupported extension.

As a test, you could try enabling "use_tunneled_reply" on your
RADIUS server.

If it still doesn't work, please let us know and send us a
Supout.rif made while the issue is present - like in your screenshot.

Best regards,
Guntis G.


 Where can I enable "use_tunneled_reply" on PacketFence so I can test 
this?


My TK support on Mikrotik is still open, a good opportunity to send 
them any testing.


Thanks, Enrique.



On Sun, Dec 20, 2020 at 19:27, Adrian D'Atri-Guiran via 
PacketFence-users wrote:


Hi Fabrice,

It seems to me that MikroTik also requires the IP address.  When I
submit anything that doesn't have the Framed-Ip-Address as part of
the query, I see "Radius disconnect with no ip provided" in radius
logs (see attached).

https://forum.mikrotik.com/viewtopic.php?t=6672

On Tue, Dec 15, 2020 at 11:55 AM Fabrice Durand
<fdur...@inverse.ca> wrote:

Hello Adrian,

If you can, try other MAC formats to see if one works.

like:

5c:e0:c5:c1:d6:fd

5C:E0:C5:C1:D6:FD

5c-e0-c5-c1-d6-fd

5C-E0-C5-C1-D6-FD

5ce0c5c1d6fd

5CE0C5C1D6FD

Regards

Fabrice


On 20-12-15 at 13:06, Adrian D'Atri-Guiran wrote:

Hi Fabrice,

I played around with it a bit further, and here's a working test:
echo "Framed-IP-Address=10.5.50.2" | radclient -x 10.2.2.1:3799 disconnect secret
Sent Disconnect-Request Id 44 from 0.0.0.0:37354 to 10.2.2.1:3799 length 26
        Framed-IP-Address = 10.5.50.2
Received Disconnect-ACK Id 44 from 10.2.2.1:3799 to 10.2.2.254:37354 length 30
        NAS-Identifier = "MikroTik"

Where 10.5.50.2 is the client IP and 10.2.2.1 is the IP of
my main MikroTik router that manages the hotspot.  This
command instantly deauthenticated the client, but did not
remove the client's Cookie.  For this reason I believe that
we should have "cookie" disabled under Hotspot -> Server
Profiles -> Login -> Login By (uncheck Cookie).

My problem is I don't know how to fix Mikrotik.pm: how do I
access the client IP? I want to do something like:
'Framed-IP-Address' => "$client_ip_address",
on:

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230



Also I guess we must be careful here because in some
scenarios if the client has been assigned a new IP and
packetfence is not yet aware of it, this could break. MAC
address would probably be better for deauthenticating, but I
haven't managed to get that working yet.

Thanks!
-Adrian


On Mon, Dec 14, 2020 at 6:02 PM Adrian D'Atri-Guiran
<adrian.datri.gui...@gmail.com> wrote:

Thank you,

>btw you can try to add:
>'Calling-Station-Id' => $mac,
I have attempted this and the result was a new error (and
client remains authenticated on the mikrotik hotspot):

Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN:
[mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history
for device 5c:e0:c5:c1:d6:fd. The history set doesn't
exist yet.
(pf::accounting_events_history::latest_mac_history)
Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN:
[mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history
for device 5c:e0:c5:c1:d6:fd. The history set doesn't
exist yet.
(pf::accounting_events_history::latest_mac_history)
Dec 14 20:58:18 radius packetfence_httpd.webservices:
httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd]
[5c:e0:c5:c1:d6:fd] DesAssociating mac on switch
(10.2.2.1) (pf::api::desAssociate)
Dec 14 20:58:18 radius packetfence_httpd.webservices:

Re: [PacketFence-users] Captive Portal Balance F5

2021-01-08 Thread Domingos Varela via PacketFence-users
Hi,

Please, can someone who has managed to configure the portal with the F5
help me? I have been trying for many months without success; the
information available on the site about this integration is insufficient.
Thanks

Regards,

*Domingos Varela*
Tel. +244 923 229 330 | Luanda - Angola


Domingos Varela wrote on Wednesday, 6/05/2020
at 00:32:

> Hello,
>
> Did anyone here manage to configure the PF captive portal on F5?
> I have tried and I have not had success.
> We are already on version 10.0, and the documentation on the F5 is the
> same and has not worked.
> Thanks
>
> Regards,
>
> *Domingos Varela*
> Tel. +244 923 229 330 | Luanda - Angola
>
>
> Domingos Varela wrote on Wednesday,
> 19/02/2020 at 14:47:
>
>> Hello,
>>
>> Is there any person in this group who has managed or has F5 to balance
>> the PF?
>> I’ve been trying for a long time and without being asked, the group’s
>> staff even gave some inputs, but then they gave up.
>>
>> Can anyone help with this setup so that future implementations are easier
>> for everyone?
>> Thanks
>>
>> Regards,
>>
>> *Domingos Varela*
>> Tel. +244 923 229 330 | Luanda - Angola
>>
>


Re: [PacketFence-users] Mikrotik COA

2021-01-08 Thread Enrique Gross via PacketFence-users
 Fabrice, Adrian, PF users

Happy 2021!

I have received feedback from Mikrotik Support regarding Error-Cause =
Unsupported-Extension:

> Hello,
>
> Thank you for contacting MikroTik Support and sorry for the late reply.
>
> Yes, it seems that's the case, with using wrong attributes, as Error 406
> means an unsupported extension.
>
> As a test, you could try enabling "use_tunneled_reply" on your RADIUS
> server.
>
> If it still doesn't work, please let us know and send us a Supout.rif made
> while the issue is present - like in your screenshot.
>
> Best regards,
> Guntis G.
>

 Where can I enable "use_tunneled_reply" on PacketFence so I can test this?

My TK support on Mikrotik is still open, a good opportunity to send them
any testing.

Thanks, Enrique.



On Sun, Dec 20, 2020 at 19:27, Adrian D'Atri-Guiran via PacketFence-users
wrote:

> Hi Fabrice,
>
> It seems to me that MikroTik also requires the IP address.  When I submit
> anything that doesn't have the Framed-Ip-Address as part of the query, I
> see "Radius disconnect with no ip provided" in radius logs (see attached).
>
> https://forum.mikrotik.com/viewtopic.php?t=6672
>
> On Tue, Dec 15, 2020 at 11:55 AM Fabrice Durand 
> wrote:
>
>> Hello Adrian,
>>
>> If you can, try other MAC formats to see if one works.
>>
>> like:
>>
>> 5c:e0:c5:c1:d6:fd
>>
>> 5C:E0:C5:C1:D6:FD
>>
>> 5c-e0-c5-c1-d6-fd
>>
>> 5C-E0-C5-C1-D6-FD
>>
>> 5ce0c5c1d6fd
>>
>> 5CE0C5C1D6FD
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 20-12-15 at 13:06, Adrian D'Atri-Guiran wrote:
>>
>> Hi Fabrice,
>>
>> I played around with it a bit further, and here's a working test:
>> echo "Framed-IP-Address=10.5.50.2" | radclient -x 10.2.2.1:3799 disconnect secret
>> Sent Disconnect-Request Id 44 from 0.0.0.0:37354 to 10.2.2.1:3799 length 26
>>         Framed-IP-Address = 10.5.50.2
>> Received Disconnect-ACK Id 44 from 10.2.2.1:3799 to 10.2.2.254:37354 length 30
>>         NAS-Identifier = "MikroTik"
>>
>> Where 10.5.50.2 is the client IP and 10.2.2.1 is the IP of my main
>> MikroTik router that manages the hotspot.  This command instantly
>> deauthenticated the client, but did not remove the client's Cookie.  For
>> this reason I believe that we should have "cookie" disabled under Hotspot
>> -> Server Profiles -> Login -> Login By (uncheck Cookie).
>>
>> My problem is I don't know how to fix Mikrotik.pm: how do I access the
>> client IP? I want to do something like:
>> 'Framed-IP-Address' => "$client_ip_address",
>> on:
>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230
>>
>> Also I guess we must be careful here because in some scenarios if the
>> client has been assigned a new IP and packetfence is not yet aware of it,
>> this could break. MAC address would probably be better for
>> deauthenticating, but I haven't managed to get that working yet.
>>
>> Thanks!
>> -Adrian
>>
>>
>> On Mon, Dec 14, 2020 at 6:02 PM Adrian D'Atri-Guiran <
>> adrian.datri.gui...@gmail.com> wrote:
>>
>>> Thank you,
>>>
>>> >btw you can try to add:
>>> >'Calling-Station-Id' => $mac,
>>> I have attempted this and the result was a new error (and client remains
>>> authenticated on the mikrotik hotspot):
>>>
>>> Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN:
>>> [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device
>>> 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet.
>>> (pf::accounting_events_history::latest_mac_history)
>>> Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN:
>>> [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device
>>> 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet.
>>> (pf::accounting_events_history::latest_mac_history)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd]
>>> DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating
>>> 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set,
>>> we will use controller 10.2.2.1 to perform deauth
>>> (pf::Switch::Mikrotik::radiusDisconnect)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices() WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform
>>> RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause:
>>> Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd]
>>> DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices() INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating
>>> 5c:e0:c5:c1:d6:fd 
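
The Disconnect-Request exchange from the radclient test in this thread, rebuilt at the packet level as an added example (not code from the thread or from Mikrotik.pm): it constructs the request with Framed-IP-Address, validates a reply's Response Authenticator as RFC 5176 defines it, and decodes Error-Cause 406 from a Disconnect-NAK. The Id, client address and placeholder secret come from that radclient command; the reply packets are constructed and the helper names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40                                       # RFC 5176 packet code
REPLIES = {41: "Disconnect-ACK", 42: "Disconnect-NAK"}        # RFC 5176 reply codes
FRAMED_IP_ADDRESS, NAS_IDENTIFIER, ERROR_CAUSE = 8, 32, 101   # attribute types
ERROR_CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
                404: "Invalid-Request", 406: "Unsupported-Extension",
                503: "Session-Context-Not-Found"}

def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value

def build(code, ident, attrs, secret, request_auth=bytes(16)):
    """Authenticator = MD5(code+id+length + request_auth + attributes + secret).
    A request uses 16 zero octets; a reply uses the request's authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def check_reply(reply, request, secret):
    """Validate a Disconnect-ACK/NAK; return (packet name, Error-Cause or None)."""
    if len(reply) < 20 or reply[1] != request[1] or reply[0] not in REPLIES:
        raise ValueError("not a reply to this request")
    length = min(struct.unpack("!H", reply[2:4])[0], len(reply))
    digest = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(digest, reply[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    cause, pos = None, 20
    while pos + 2 <= length and 2 <= reply[pos + 1] <= length - pos:   # walk the TLVs
        if reply[pos] == ERROR_CAUSE and reply[pos + 1] == 6:
            cause = struct.unpack("!I", reply[pos + 2:pos + 6])[0]
        pos += reply[pos + 1]
    return REPLIES[reply[0]], ERROR_CAUSES.get(cause, cause)

SECRET = b"secret"      # the placeholder secret from the radclient command
REQUEST = build(DISCONNECT_REQUEST, 44,
                attr(FRAMED_IP_ADDRESS, socket.inet_aton("10.5.50.2")), SECRET)
# Constructed replies, as a NAS holding the same secret would produce them:
ACK = build(41, 44, attr(NAS_IDENTIFIER, b"MikroTik"), SECRET, REQUEST[4:20])
NAK = build(42, 44, attr(ERROR_CAUSE, struct.pack("!I", 406)), SECRET, REQUEST[4:20])
```

The constructed request and ACK come out at 26 and 30 bytes, the same lengths radclient printed, so the only attribute on the wire in the working test was Framed-IP-Address.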

[PacketFence-users] online/offline status remain unknown

2021-01-08 Thread Sonali Gulia via PacketFence-users
Hi all,

After starting the pfacct service, on the same switch the
bandwidth_accounting tables show online/offline status for a few nodes,
but for a few it still remains unknown.
I checked all my configuration, but the bandwidth_accounting table remains
empty for a few nodes, while there is no issue in the switch config because
it's working fine for a few nodes.

For some endpoints which are connected with VoIP, both using a single port,
it shows online for VoIP but unknown for the system.

Also, after some time when the system goes off it shows off status, but
after some time it goes unknown (it may be because of cleanup timing).