Re: [PacketFence-users] no Disconnect-ACK auth status

[Sonali Gulia via PacketFence-users]

Yes we are using snmp for deauthentication and both read write permission
are given already but still it didn’t work

On Mon, 12 Jul 2021 at 3:13 PM, Quiniou-Briand, Nicolas 
wrote:

> Hello,
>
>
>
> PacketFence is trying to use SNMP to deregister your device because it
> seems that:
>
> 1. you don’t define a Deauthentication method different than SNMP in your
> PacketFence switch configuration
>
> or
>
> 2. switch module used only support deauthentication using SNMP
>
>
>
> If 1 is true, you need to configure correctly SNMP on switch and
> PacketFence side. PacketFence will need a community write to deauthenticate.
>
>
>
> *Nicolas Quiniou-Briand*
> *Product Support Engineer*
>
> *Office:* +33156696210
>
> Akamai Technologies
> 145 Broadway
> 
> Cambridge, MA 02142
> 
>
> Connect with Us:
>
>   
>   
>   
> 
>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] no Disconnect-ACK auth status

[Quiniou-Briand, Nicolas via PacketFence-users]

Hello,

In that case, you will not see Disconnect-ACK messages because you need to use 
RADIUS to deauthenticate.

Nicolas Quiniou-Briand
Product Support Engineer

[cid:image001.png@01D7772B.AB3FE770]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image002.jpg@01D7772B.AB3FE770] 
[cid:image003.png@01D7772B.AB3FE770]   
[cid:image004.png@01D7772B.AB3FE770]   
[cid:image005.png@01D7772B.AB3FE770] 
  
[cid:image006.png@01D7772B.AB3FE770] 
  
[cid:image007.png@01D7772B.AB3FE770] 



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Problem with Internet-Access and open WLAN

[Zestermann, Ronald via PacketFence-users]

Hi,


we use packetfence 10.3 on a Debian 9 to secure an open WLAN. Users are 
authenticated via RADIUS (on Active Directory).
The client is assigned an IP address and the login to the portal works and the 
device is visible as registered. But the client does not get internet access 
after activation.


Where could the mistake be?



Our setup:



Pf.conf

[general]

domain=.

hostname=

timezone=Europe/Berlin

[database]

pass=xx

[inline]

ports_redirect=80/tcp,443/tcp,8080/tcp

interfaceSNAT=ens33

[captive_portal]

network_detection_ip=192.168.203.1

secure_redirect=disabled

[advanced]

language=de_DE

configurator=disabled

[dns_configuration]

record_dns_in_sql=enabled

[interface ens32]

type=management

ip=192.168.8.2

mask=255.255.255.224

[interface ens33]

enforcement=inlinel2

type=internal

ip=192.168.203.1

mask=255.255.255.0

[interface ens34]

ip=192.168.8.34

ipv6_address=2003:00d4:1f17:9500:020c:29ff:fe31:e3b7

type=other

mask=255.255.255.224

ipv6_prefix=64



Networks.conf

[192.168.203.0]

nat_enabled=enabled

gateway=192.168.203.1

dns=192.168.203.1

pool_backend=memory

nat_dns=disabled

netflow_accounting_enabled=enabled

domain-name=inlinel2...

dhcp_start=192.168.203.10

dhcp_max_lease_time=86400

dhcp_default_lease_time=86400

coa=disabled

type=inlinel2

netmask=255.255.255.0

split_network=disabled

fake_mac_enabled=disabled

dhcp_end=192.168.203.246

named=enabled

dhcpd=enabled

id=192.168.203.0

algorithm=1

portal_fqdn=..

tenant_id=1



[192.168.8.32]

dhcpd=disabled

dhcp_end=192.168.8.54

split_network=disabled

netmask=255.255.255.224

type=other

coa=disabled

dhcp_default_lease_time=86400

dhcp_max_lease_time=86400

dhcp_start=192.168.8.42

nat_dns=disabled

netflow_accounting_enabled=disabled

pool_backend=memory

gateway=192.168.8.34

nat_enabled=disabled



cat /proc/sys/net/ipv4/ip_forward

1

Kernel-IP-Routentabelle
ZielRouter  Genmask Flags Metric RefUse Iface
default 192.168.8.620.0.0.0 UG0  00 ens34
localnet0.0.0.0 255.255.255.224 U 0  00 ens32
192.168.8.320.0.0.0 255.255.255.224 U 0  00 ens34
192.168.203.0   0.0.0.0 255.255.255.0   U 0  00 ens33

su - pf
$ sudo ipset -L
Name: PF-iL2_ID1_192.168.203.0
Type: bitmap:ip
Revision: 3
Header: range 192.168.203.0-192.168.203.255 timeout 86400
Size in memory: 120
References: 2
Members:
192.168.203.211 timeout 86110

Name: PF-iL2_ID3_192.168.203.0
Type: bitmap:ip
Revision: 3
Header: range 192.168.203.0-192.168.203.255 timeout 86400
Size in memory: 120
References: 2
Members:

Name: PF-iL2_ID2_192.168.203.0
Type: bitmap:ip
Revision: 3
Header: range 192.168.203.0-192.168.203.255 timeout 86400
Size in memory: 120
References: 2
Members:

Name: PF-iL2_ID5_192.168.203.0
Type: bitmap:ip
Revision: 3
Header: range 192.168.203.0-192.168.203.255 timeout 86400
Size in memory: 120
References: 2
Members:

Name: PF-iL2_ID4_192.168.203.0
Type: bitmap:ip
Revision: 3
Header: range 192.168.203.0-192.168.203.255 timeout 86400
Size in memory: 120
References: 2
Members:

Name: pfsession_Unreg_192.168.203.0
Type: bitmap:ip,mac
Revision: 3
Header: range 192.168.203.0-192.168.203.255 timeout 86400
Size in memory: 112
References: 1
Members:
192.168.203.124,54:72:4F:1D:8D:36 timeout 79687

Name: pfsession_Reg_192.168.203.0
Type: bitmap:ip,mac
Revision: 3
Header: range 192.168.203.0-192.168.203.255 timeout 86400
Size in memory: 112
References: 1
Members:

192.168.203.211,7C:B2:7D:69:4D:E4 timeout 86110 <<- registered client

Name: pfsession_Isol_192.168.203.0
Type: bitmap:ip,mac
Revision: 3
Header: range 192.168.203.0-192.168.203.255 timeout 86400
Size in memory: 112
References: 1
Members:

Name: pfsession_passthrough
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 224
References: 4
Members:
172.217.13.99,tcp:443
172.217.13.99,tcp:80

Name: pfsession_isol_passthrough
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 96
References: 4
Members:





mit besten Grüßen

Ronald Zestermann
SB System/Netzwerk
--
Landkreis Sächsische Schweiz-Osterzgebirge
Bereich Landrat
Haupt- und Personalamt
Referat Informationstechnik (IT)
Schloßhof 2/4
01796 Pirna
Tel.: 03501 515-4132
Fax: 03501 515-84132
mail: ronald.zesterm...@landratsamt-pirna.de
http://www.landratsamt-pirna.de/
--
Kein Zugang für elektronisch signierte sowie für verschlüsselte elektronische 
Dokumente!
Voraussetzungen, Bedingungen und Einschränkungen für die Zugangseröffnung für 
signierte und/oder verschlüsselte elektronische Dokumente unter: 
www.landratsamt-pirna.de

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge

Re: [PacketFence-users] no Disconnect-ACK auth status

[Sonali Gulia via PacketFence-users]

do i need to do something in switch setup regarding this ?? if you can
elaborate this

On Mon, Jul 12, 2021 at 6:09 PM Quiniou-Briand, Nicolas 
wrote:

> Hello,
>
>
>
> In that case, you will not see Disconnect-ACK messages because you need to
> use RADIUS to deauthenticate.
>
>
>
> *Nicolas Quiniou-Briand*
> *Product Support Engineer*
>
> *Office:* +33156696210
>
> Akamai Technologies
> 145 Broadway
> Cambridge, MA 02142
>
> Connect with Us:
>
>   
>   
>   
> 
>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] R: R: R: Login invalid, local user create from sposor access

[Quiniou-Briand, Nicolas via PacketFence-users]

Hello Stefano,

> After the access by approve from sponsor, the guest user receive a e-mail 
> whit the account create after the login, but this account whit the e-mail 
> address of the guest user doesn't work

I understand that you want to use account created at this step but you didn’t 
answer my previous question:

Once your guest has received an email, you want him to connect on 
SAT-WIFI_Guest using 802.1X ?

Nicolas Quiniou-Briand
Product Support Engineer

[cid:image001.png@01D77717.839B5FB0]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image002.jpg@01D77717.839B5FB0] 
[cid:image003.png@01D77717.839B5FB0]   
[cid:image004.png@01D77717.839B5FB0]   
[cid:image005.png@01D77717.839B5FB0] 
  
[cid:image006.png@01D77717.839B5FB0] 
  
[cid:image007.png@01D77717.839B5FB0] 





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

[Thapeli Matsabu via PacketFence-users]

Hi Nicolas,

I will install a new certificate. I thought when you install PF, it installs 
with certificate.

 

 

Kind regards,

Thapeli

 

 

From: Quiniou-Briand, Nicolas  
Sent: 12 July 2021 11:22 AM
To: Thapeli Matsabu ; 
packetfence-users@lists.sourceforge.net; 'Fabrice Durand' 
Subject: RE: [PacketFence-users] VLAN Enforcement with MAC address 
authentication

 

Hello Thapeli,

 

According to radius.log, it looks like you have a SSL issue.

Your node needs to have CA certificate that signed PacketFence RADIUS 
certificate in its certificate store or directly PacketFence RADIUS certificate.

 


Nicolas Quiniou-Briand
Product Support Engineer






Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142




Connect with Us:

       
      
   
 



 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] R: R: R: R: Login invalid, local user create from sposor access

[Stefano Motti via PacketFence-users]

Ah ops, not have seen is in clear the password.
Anyway that I need is to do the function of authentication access in wi-fi, 
From the config file you can see I have 4 way:

  1.  LDAP from server,
  2.  Guest account local,
  3.  Guest account by sponsor approve,
  4.  Guest access by the mail domain approve.
After the access by approve from sponsor, the guest user receive a e-mail whit 
the account create after the login, but this account whit the e-mail address of 
the guest user doesn't work.


Da: Quiniou-Briand, Nicolas 
Inviato: giovedì 1 luglio 2021 11:50
A: Stefano Motti ; Zammit, Ludovic 

Cc: packetfence-users@lists.sourceforge.net
Oggetto: RE: [PacketFence-users] R: R: R: Login invalid, local user create from 
sposor access

Hello,

Thanks for configuration files.
First of all, you send authentication.conf files with passwords inside it. Not 
sure it was expected.

The way you configure connection profiles is diffcult to understand.
Once your guest has received an email, you want him to connect on 
SAT-WIFI_Guest using 802.1X ?
If yes, you need:
- to remove “network:172.25.255.0/24" on your connection profile filter
- to enable PacketFence local authentication for 802.1X (see [1])

If no, please give more details on what you want to achieve.

[1] 
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_local_user_authentication

Nicolas Quiniou-Briand
Product Support Engineer

[cid:image001.png@01D77715.DE351BC0]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image002.jpg@01D77715.DE351BC0]
 [cid:image003.png@01D77715.DE351BC0] 

  [cid:image004.png@01D77715.DE351BC0] 

  [cid:image005.png@01D77715.DE351BC0] 

  [cid:image006.png@01D77715.DE351BC0] 

  [cid:image007.png@01D77715.DE351BC0] 




From: Stefano Motti 
mailto:stefano.mo...@dastech.biz>>
Sent: Tuesday, June 29, 2021 2:22 PM
To: Quiniou-Briand, Nicolas mailto:nquin...@akamai.com>>; 
Zammit, Ludovic mailto:luza...@akamai.com>>
Cc: 
packetfence-users@lists.sourceforge.net
Subject: R: [PacketFence-users] R: R: R: Login invalid, local user create from 
sposor access


>What do you mean here ? Where do you try to connect using account created ?
I Try to connect to the network, PF managed, whit the user created by Packet 
fence system when I login on sponsor mode. received the e-mail whit the 
credential, but this credential whit “@” don’t work.

Attach the config file you require.

Da: Quiniou-Briand, Nicolas mailto:nquin...@akamai.com>>
Inviato: lunedì 28 giugno 2021 14:01
A: 
packetfence-users@lists.sourceforge.net;
 Zammit, Ludovic mailto:luza...@akamai.com>>
Cc: Stefano Motti mailto:stefano.mo...@dastech.biz>>
Oggetto: RE: [PacketFence-users] R: R: R: Login invalid, local user create from 
sposor access

Hello Stefano,

> if I try to connect give me an error

What do you mean here ? Where do you try to connect using account created ?
Please provide:
- profiles.conf
- pf.conf
- authentication.conf

Be sure to remove all secrets from these files.

Nicolas Quiniou-Briand
Product Support Engineer

[cid:image001.png@01D77715.DE351BC0]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image002.jpg@01D77715.DE351BC0]
 [cid:image003.png@01D77715.DE351BC0] 

  [cid:image004.png@01D77715.DE351BC0] 

Re: [PacketFence-users] Errors on PacketFence

[Ezeh Victor via PacketFence-users]

Ok, thanks.

On Mon, 12 Jul 2021 at 10:28, Quiniou-Briand, Nicolas 
wrote:

> > I currently just run an instance of Packetfence not yet a cluster.
>
>
>
> In that case, you should not have any warning in dashboard related to
> haproxy-db because this service is not used on a standalone instance.
>
> You probably enable this service at some point.
>
>
>
> *Nicolas Quiniou-Briand*
> *Product Support Engineer*
>
> *Office:* +33156696210
>
> Akamai Technologies
> 145 Broadway
> Cambridge, MA 02142
>
> Connect with Us:
>
>   
>   
>   
> 
>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Editing Email template

[Ezeh Victor via PacketFence-users]

Hi Nicolas,

These are the templates available on the box as see below;

[image: image.png]

These are seen in the directory
*/usr/local/pf/html/captive-portal/templates/emails.*

Where can I find the emails-guest_sponsor_* templates?

On Mon, 12 Jul 2021 at 10:38, Quiniou-Briand, Nicolas 
wrote:

> Hello,
>
>
>
> The template you are editing is not used during a sponsor workflow.
>
> You need to edit emails-guest_sponsor_* templates.
>
>
>
> *Nicolas Quiniou-Briand*
> *Product Support Engineer*
>
> *Office:* +33156696210
>
> Akamai Technologies
> 145 Broadway
> Cambridge, MA 02142
>
> Connect with Us:
>
>   
>   
>   
> 
>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

[Quiniou-Briand, Nicolas via PacketFence-users]

Hello Thapeli,

According to radius.log, it looks like you have a SSL issue.
Your node needs to have CA certificate that signed PacketFence RADIUS 
certificate in its certificate store or directly PacketFence RADIUS certificate.

Nicolas Quiniou-Briand
Product Support Engineer

[cid:image001.png@01D77710.2615BD60]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image002.jpg@01D77710.2615BD60] 
[cid:image003.png@01D77710.2615BD60]   
[cid:image004.png@01D77710.2615BD60]   
[cid:image005.png@01D77710.2615BD60] 
  
[cid:image006.png@01D77710.2615BD60] 
  
[cid:image007.png@01D77710.2615BD60] 



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Editing Email template

[Quiniou-Briand, Nicolas via PacketFence-users]

Hello,

The template you are editing is not used during a sponsor workflow.
You need to edit emails-guest_sponsor_* templates.

Nicolas Quiniou-Briand
Product Support Engineer

[cid:image001.png@01D77712.577D8700]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image002.jpg@01D77712.577D8700] 
[cid:image003.png@01D77712.577D8700]   
[cid:image004.png@01D77712.577D8700]   
[cid:image005.png@01D77712.577D8700] 
  
[cid:image006.png@01D77712.577D8700] 
  
[cid:image007.png@01D77712.577D8700] 



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] no Disconnect-ACK auth status

[Quiniou-Briand, Nicolas via PacketFence-users]

Hello,

PacketFence is trying to use SNMP to deregister your device because it seems 
that:
1. you don’t define a Deauthentication method different than SNMP in your 
PacketFence switch configuration
or
2. switch module used only support deauthentication using SNMP

If 1 is true, you need to configure correctly SNMP on switch and PacketFence 
side. PacketFence will need a community write to deauthenticate.

Nicolas Quiniou-Briand
Product Support Engineer

[cid:image001.png@01D77713.195EDBD0]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image002.jpg@01D77713.195EDBD0] 
[cid:image003.png@01D77713.195EDBD0]   
[cid:image004.png@01D77713.195EDBD0]   
[cid:image005.png@01D77713.195EDBD0] 
  
[cid:image006.png@01D77713.195EDBD0] 
  
[cid:image007.png@01D77713.195EDBD0] 



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Errors on PacketFence

[Quiniou-Briand, Nicolas via PacketFence-users]

> I currently just run an instance of Packetfence not yet a cluster.

In that case, you should not have any warning in dashboard related to 
haproxy-db because this service is not used on a standalone instance.
You probably enable this service at some point.

Nicolas Quiniou-Briand
Product Support Engineer

[cid:image001.png@01D77711.09BD9DD0]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image002.jpg@01D77711.09BD9DD0] 
[cid:image003.png@01D77711.09BD9DD0]   
[cid:image004.png@01D77711.09BD9DD0]   
[cid:image005.png@01D77711.09BD9DD0] 
  
[cid:image006.png@01D77711.09BD9DD0] 
  
[cid:image007.png@01D77711.09BD9DD0] 



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users