Re: [PacketFence-users] Session-Timeout.
On Sep 2, 2014, at 10:19 AM, Tim DeNike tim.den...@mcc.edu wrote:

> If I wanted to assign a Session-Timeout for the registration network (To boot campers), where would the best place be for me to do that?

Can you devise a method to automatically set a violation on them??? Our typical campers are repeat devices, such as outside contractors' employees and helicopter parents who are here every day. There also seem to be a lot of Epson and HP wifi printers showing up in the dorm areas this year. Setting a violation on them after a pre-defined self-registration opportunity window seems to be the best way to handle our situation.

I'm looking at the PF 3.6 -> 4.4 upgrade in the next few weeks, and would like to add this functionality before I go live with 4.4 if it is possible...

-Arthur

-
Arthur Emerson III          Email: emer...@msmc.edu
Network Administrator       InterNIC: AE81
Mount Saint Mary College    MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.             Fax: (845) 562-6762
Newburgh, NY 12550          SneakerNet: Aquinas Hall Room 11

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
[PacketFence-users] PF 4.4 release date?
On Aug 28, 2014, at 8:33 AM, Fabrice DURAND fdur...@inverse.ca wrote:

> wait for the 4.4, we included vlan filter based on the radius request so you will be able to write your own rules based on all the radius attributes.

Fabrice,

How long of a wait are we talking about for 4.4? I just grabbed the 4.3 ZEN image yesterday to start our PF 3.61 -> 4.x upgrade, and am wondering if I should hold off if the 4.4 release is imminent in the next few weeks...

-Arthur
Re: [PacketFence-users] Unusual DHCP Traffic Levels
On Aug 22, 2014, at 8:58 PM, Tim DeNike tim.den...@mcc.edu wrote:

> Unplug it? :) So it's just generating traffic to the registration portal? Does the traffic really matter?

No, but the web server log files grow fast enough where it could be considered a DoS on some networks.

Oh, and unplugging it only works if it is connected to a wired port. If it is a wireless device, the Bypass VLAN setting for an individual node on PF 3.6 will certainly /dev/null the rogue device onto an unrouted segment.

Jake's list forgot my personal favorite PoE :-) adapter cable:

http://i791.photobucket.com/albums/yy193/vreihen/E3A904DF-672F-44A6-8650-BB425724433B_zpsdekymwqm.jpg

On a serious note for those of us in academia, we made a procedure change here that now has all students coming to campus on one day instead of spreading it across two days. The result is that our default /24 registration VLAN is full of campers who either didn't register yet or are parents/siblings with smartphones set to auto-associate to an SSID and never intend to register. If you haven't done so yet and aren't watching your students check in while reading this, now would be a good time to increase your own registration VLAN to a /22 or larger to accommodate this situation on your own campus...

-Arthur
Re: [PacketFence-users] RADIUS Access-request but no Access-accept
On Aug 20, 2014, at 12:24 PM, Sallee, Jake jake.sal...@umhb.edu wrote:

> You guys are awesome! It was the RADIUS secret, there was a space that somehow got at the end of the radius secret on the switch ... apparently cisco interprets the white space at the end of the radius server key as part of the key itself.

I wanted to add a second thank you to Jake for pointing the white space problem out! We have had one Cisco 2960 stack (of many) that refused to do MAB, even though the config was cut/pasted from a running stack. Re-typing all of the SNMP account stuff manually fixed our problem as well. Is this worthy of a note in the Cisco section of the devices manual???

-Arthur
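The symptom in this thread (Access-Request seen, no Access-Accept) is what RFC 2865 prescribes when the shared secret differs: a packet whose authenticator does not verify is silently discarded. The following added example (not PacketFence, FreeRADIUS or Cisco code; all secrets, the request authenticator and the user name are constructed values) builds a minimal Access-Request with a Message-Authenticator and the matching Access-Accept, then shows that the same secret with one trailing space fails both checks:

```python
"""Show how a trailing space in a RADIUS shared secret breaks both
the Message-Authenticator (RFC 2869) and the Response Authenticator
(RFC 2865), so the peer silently drops the packet.  Added example,
not vendor or PacketFence code; all values are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, req_auth: bytes, username: bytes, secret: bytes) -> bytes:
    """Access-Request carrying User-Name and Message-Authenticator.

    Message-Authenticator = HMAC-MD5(secret, packet with the 16 value
    bytes zeroed); it is the last attribute, so it occupies the final 16 bytes."""
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True if the packet's Message-Authenticator was computed with `secret`."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    offset = 20
    while offset + 2 <= length:
        atype, alen = packet[offset], packet[offset + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[offset + 2:offset + 18])
        offset += alen
    return False  # no Message-Authenticator present


def build_access_accept(ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response_authenticator(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """What the NAS does with an Access-Accept; a mismatch means the reply is ignored."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def diagnose_secret(configured: bytes) -> list:
    """Flag the configuration mistake from the thread before it reaches the wire."""
    problems = []
    if configured != configured.rstrip():
        problems.append("trailing whitespace in shared secret")
    if configured != configured.lstrip():
        problems.append("leading whitespace in shared secret")
    return problems


def demo() -> dict:
    secret = b"pf-secret"          # constructed secret as configured on the server
    bad_secret = b"pf-secret "     # the same secret with the stray trailing space
    req_auth = bytes(range(16))    # constructed; a real NAS uses 16 random bytes
    request = build_access_request(7, req_auth, b"aabbcc112233", secret)
    accept = build_access_accept(7, req_auth, secret)
    return {
        "request_ok": verify_message_authenticator(request, secret),
        "request_bad": verify_message_authenticator(request, bad_secret),
        "accept_ok": verify_response_authenticator(accept, req_auth, secret),
        "accept_bad": verify_response_authenticator(accept, req_auth, bad_secret),
        "problems": diagnose_secret(bad_secret),
    }


if __name__ == "__main__":
    print(demo())
```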
Re: [PacketFence-users] VoIP vs non-VoIP VLAN's/networks
On Aug 7, 2014, at 5:58 PM, Boris Epstein borepst...@gmail.com wrote:

> Throughout the PacketFence Network Devices Configuration Guide ( http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Network_Devices_Configuration_Guide-4.3.0.pdf ) there are numerous references to VoIP VLAN's. What are the differences between them and non-VoIP VLAN's?

A common VoIP implementation has the phone plugged into a switch port, and then a computer plugged into the VoIP phone via a switch/hub integrated into the phone. They usually use two different VLANs, and sometimes the phone even strips the VLAN tags off for the connected PC as it passes the data through. Having two different devices plugged into one switch port with some switch vendors' MAC authentication tools may require special handling, hence the with-VoIP and without-VoIP settings on those switches...

-Arthur
Re: [PacketFence-users] Wake on LAN with PacketFence (Extreme Network Switches)
On Aug 8, 2014, at 10:23 AM, Stormont, Stephen (IMS) stormo...@imsweb.com wrote:

> We finally got PacketFence up and running with some great help from Tim, but are now having an issue with Wake on LAN. Desktop PCs are in the 172.22.34.x subnet after PacketFence registration (this is the same subnet they had been in before we implemented PacketFence). Now the PCs sit in the 172.22.38.x (MAC_Registration) subnet when off. Wake on LAN requests are no longer being sent to those PCs and we can't quite figure out where the disconnect lies.

The disconnect lies in the fact that standard WoL packets are ethernet frames on a local L2 segment, and not IP packets that can be routed by L3. You need to send them via whatever VLAN your computers are switched to when powered off. (There are some ways to make them cross subnets, but I suspect that you are not using one of them.)

I'm trying to blank out my Extreme days, but seem to recall their switches having protocol-based VLANs as an option. (config vlan_name protocol IP?) In other words, you could pull IP traffic off of a port and send it via an IP VLAN, but leave L2 packets like early NetWare pass through on the port's default VLAN. Just mentioning it as a possible additional hurdle with the WoL broadcast packets.

> We don't have ip forwarding enabled on the 172.22.38.x subnet although we did have it on the 172.22.34.x subnet. Could that be the issue? Wouldn't enabling it on the MAC_Registration VLAN circumvent the PacketFence security?

It probably wouldn't completely circumvent it unless your Extreme switch has the same gateway IP address that you're handing out via DHCP on the MAC_Registration subnet, but it does enable a simple escape should any user/computer/virus be smart enough to look for an alternate gateway IP address...

-Arthur
Re: [PacketFence-users] Installing Packetfence on Amazon EC2
On Jul 2, 2014, at 6:58 PM, Moe Alsmadi malsm...@gmail.com wrote:

> I have been trying for days to install packetfence on a ubuntu instance on Amazon EC with no luck. Anyone can assist in a way or a document of how I can make that possible if it's possible.

Forgive my ignorance on Amazon EC cloud hosting, but one of the requirements for PF in most environments is to sit on the local layer 2 ethernet subnet (registration subnet) that clients will initially be connecting on. Does Amazon's hosting solution allow you to do this? If not, you will need to provide DHCP services on the registration network (as a minimum), and the DHCP response will need to hand out DNS server IP's that point at your PF box's fake DNS server so that all of the redirects work...

-Arthur
Re: [PacketFence-users] Installing Packetfence on Amazon EC2
On Jul 3, 2014, at 9:17 AM, Moe Alsmadi malsm...@gmail.com wrote:

> It does allow you to create 2 subnets through their vpc

Yes Layer 2 subnets -- as in sits on your local ethernet with no routers between your local network and the virtual interface in the cloud, seeing raw ethernet (not IP) packets? How do they tunnel this data???

-Arthur
Re: [PacketFence-users] Failed to Deploy OVF (PF ZEN)
On Jun 30, 2014, at 10:53 PM, Bradley, Timothy tbrad...@millerschool.org wrote:

> there is a networking issue with this zen image, it will not bind to any nics.. anyone having this issue with 4.3 zen?

It is a RedHat problem with cloned VM's, which cause the image to keep the old adapters and add the new (cloned) ones as higher eth# devices. The list archives and Google have the fix instructions...

-Arthur
Re: [PacketFence-users] 4.3 Setup
On Jun 27, 2014, at 4:02 PM, Thomas, Gregory A thom...@uwp.edu wrote:

> First, I wanted to gather Name and Email, so I setup a new profile on the selected VLAN (and the default) with mandatory fields. Nothing shows up. The only thing I can think of is that it is due to my source being Active Directory. Yes, that should be in active directory, but throughout the year, Housing will have guests and camps, so collecting a name would be nice.

We are still running PF 3.61 here, so this may not apply to 4.3. When a user registers via an Active Directory (AD) account, PF does not populate any of the user fields in its own user database besides the AD logon ID (sAMAccountName). I do not know if this is what you are encountering with your missing data.

For guests, camps, contractors, and other non-institutional users, we make them self-register through the guest portal with SMS or e-mail verification. No AD account required, and all of the names and contact info are populated in PF's user database.

I was forced to put PF into production to solve an emergency problem that popped up, before I had finished configuring it. The last thing that I was working on before it went live was having both the guest logon credentials and AD credentials both work as authentication sources in the portal. I chose to go with AD as the only auth source when I could only get one or the other working, meaning that the pre-arrival sponsor guest credential functions in PF are not functional. It's either AD (employee/student) or self-registration as a guest on our networks.

We have also developed a unique guest policy that required a little code tweaking. Anyone who registers as a guest gets 3 days of access, and then they are unregistered. To prevent us from becoming the ISP to the entire neighborhood, the unregistration process sets a 30-day Guest Access Expired violation on the MAC address, preventing immediate re-registration of any guest device that has over-stayed its welcome (without spoofing the MAC)...

-Arthur
Re: [PacketFence-users] unregistering a device
On Jun 24, 2014, at 4:59 PM, Boris Epstein borepst...@gmail.com wrote:

> One issue still remains, though - when I unplug the cable for a node altogether the status of the corresponding port on the switch does not change even though it is supposed to go into the MAC verification VLAN. So this is what remains to be sorted out.

I was under the impression that the port only changed as a result of a link up on the port -- not on a link down...

-Arthur
Re: [PacketFence-users] Ghost MAC Address
On Jun 24, 2014, at 4:45 PM, Thomas, Gregory A thom...@uwp.edu wrote:

> ...I type that in and it redirects to a page that says the MAC address is being authorized. It will then fail as it does not find an authorized MAC address in the system. If I refresh the browser, it will then display a different MAC address. I check the admin site and I can see that Packetfence has authorized the machine's real MAC, and now had added this ghost MAC address which is not authorized. If I manually authorized this ghost address, the device will go right on through l you would suspect.

Stupid question - does the ghost MAC address start with 00:50:56 (VMware OUI)? If so, your second connection is coming via NAT, because the inline client is now live and has no reason to refresh the registration page. Try going to an Internet URL without the ghost MAC registered and see if it works...

-Arthur
Re: [PacketFence-users] Apple iOS8 Generates random MACs
On Jun 18, 2014, at 4:41 PM, Fletcher Haynes fhay...@willamette.edu wrote:

> I'm also a developer, but am somewhat hesitant to put the iOS 8 beta on my personal iPhone. I'm strongly considering it in this case, though, cause if this does somehow end up causing problems on our network...well, I'd prefer to be able to fix them before students return in the fall. =)

I threw caution to the wind this morning, and installed iOS Beta 2 on my personal iPhone5. No problems with Meru or PF so far, with a footnote that it was already registered so I did not go through the PF guest portal at all.

On the not-PF iOS front, Google Chrome crashes after a few seconds, even with yesterday's update to fix iOS8 problems installed. Pandora works fine. :-) The second reboot after installation caused it to pop up a blizzard of notification windows for old SMS messages that I never opened because I don't use text messaging.

Long story short, unless you have better tools available to do testing beyond my simple basic usage test, I don't recommend installing it on anything but a test device right now...

-Arthur
Re: [PacketFence-users] MAC Address Format
On May 16, 2014, at 2:21 PM, Curtis K. Larsen curtis.k.lar...@utah.edu wrote:

> I then connected my device and got the captive portal - so it did not work (which is what I expected). So now the question... How do I keep the help desk and end users from registering nodes with the wrong format? it seems there should be an error message that tells them that the format is not valid shouldn't there? Let me know.

Client-side web browser validation is apparently what you're looking for.

I'll add a second question and ask if a feature request would be welcome to convert the standard MAC address formats on the back end, rather than torture the users with using the correct format (or *gasp!* individual MAC byte fields that you can't cut/paste to) on the web form? I've lost count how many times I've had to convert MAC addresses from Microsoft's cut/paste hyphens to colons when using PF's search boxes, and it gets annoying after a while...

-Arthur
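The back-end conversion asked for above, as an added example that is not PacketFence code: it accepts the colon, Windows hyphen, Cisco dotted and bare-hex forms (any case, stray whitespace), emits the lowercase colon form, and rejects input that is not exactly 48 bits or mixes group sizes, so a help-desk paste either normalizes cleanly or produces an explicit error instead of an unregistered node.

```python
"""Normalize the MAC address formats users paste into a registration form.
Added example, not PacketFence's own validation code."""
import re
from typing import Dict, List

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
# Separators we are willing to strip: colon, hyphen, dot and whitespace.
_SEPARATOR_RUN = re.compile(r"[:\-.\s]+")


class MacFormatError(ValueError):
    """Raised when the input cannot be read as a single 48-bit MAC address."""


def normalize_mac(raw: str) -> str:
    """Return 'aa:bb:cc:dd:ee:ff' for any common textual MAC form.

    Accepted: aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF (Windows ipconfig),
    aabb.ccdd.eeff (Cisco), aabbccddeeff, and whitespace-separated bytes.
    Rejected: wrong length, non-hex characters, or inconsistent grouping
    such as 'aabbcc:ddeeff'."""
    if not isinstance(raw, str):
        raise MacFormatError("MAC address must be a string")
    text = raw.strip().lower()
    digits = _SEPARATOR_RUN.sub("", text)
    if not _HEX12.match(digits):
        raise MacFormatError(f"not a valid MAC address: {raw!r}")
    # Every group between separators must be 2 (colon/hyphen/space),
    # 4 (Cisco dotted) or 12 (bare) hex digits, and all groups the same size.
    groups = [g for g in _SEPARATOR_RUN.split(text) if g]
    sizes = {len(g) for g in groups}
    if sizes not in ({2}, {4}, {12}):
        raise MacFormatError(f"inconsistent grouping in MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_many(lines: List[str]) -> Dict[str, List[str]]:
    """Normalize a pasted list; keep the rejects so the operator can fix them."""
    result: Dict[str, List[str]] = {"ok": [], "rejected": []}
    for line in lines:
        if not line.strip():
            continue  # skip blank lines from a paste
        try:
            result["ok"].append(normalize_mac(line))
        except MacFormatError:
            result["rejected"].append(line)
    return result


if __name__ == "__main__":
    # Constructed sample paste: Windows, Cisco, bare, and two bad entries.
    sample = ["AA-BB-CC-DD-EE-FF", "aabb.ccdd.eeff", " AABBCCDDEEFF\n",
              "aabbcc:ddeeff", "aa:bb:cc:dd:ee"]
    print(normalize_many(sample))
```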
Re: [PacketFence-users] Rogue DHCP Alerts
On May 13, 2014, at 8:10 PM, Jason Frisvold xenoph...@godshell.com wrote:

> Are you sure they're not rogues? We're seeing a lot of this on wireless and it appears to be misbehaving android phones...

Ditto here with PF 3.6 and certain Android devices, including one that is issued to a co-worker. I haven't dug into the problem much, but suspect that the problem is that Android is trying to contact the last DHCP server it spoke to when it wakes up, even though it is on a different SSID/network. PF's rogue DHCP detector sees those packets addressed to an unknown DHCP server, and it sets off the rogue alarm when in fact there's no server answering.

It seems to happen most after we close for a break or long weekend, since the students go home and then come back with phones that are still looking for their home router's 192.168.1.1 DHCP server. In many cases, I've noticed that the IP address history doesn't show the offending device getting a valid DHCP address on our network, so I just put them into 24-hour quarantine (send them to the timeout corner) and they usually come back and work properly after that...

-Arthur
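The distinction Arthur draws above, as an added example that is not PacketFence's rogue-DHCP detector: a client asking an unknown server for its old lease is not evidence that a rogue server is present; only OFFER/ACK/NAK traffic sent by an address outside the allow-list is. The DHCP packets, MAC and addresses are constructed for the demo.

```python
"""Separate a real rogue DHCP server from a client that merely remembers one.
Added example, not PacketFence code. A client in RENEWING state unicasts a
DHCPREQUEST straight to its previous server's IP; in SELECTING state it names
that server in option 54.  Neither proves a rogue server exists on this
segment, so those are reported as 'stale-client', not 'rogue-server'."""
import struct
from typing import Dict, Optional, Set

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST = "255.255.255.255"


def build_dhcp(op: int, chaddr: bytes, msg_type: int, server_id: Optional[str] = None) -> bytes:
    """Minimal RFC 2131 DHCP payload: 236-byte fixed header + options."""
    # op, htype (1 = Ethernet), hlen, hops, xid, secs, flags
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0)
    fixed += b"\x00" * 16                  # ciaddr, yiaddr, siaddr, giaddr
    fixed += chaddr.ljust(16, b"\x00")     # chaddr padded to 16 bytes
    fixed += b"\x00" * 192                 # sname (64) + file (128)
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + bytes(int(o) for o in server_id.split("."))
    return fixed + opts + bytes([OPT_END])


def parse_dhcp(data: bytes) -> Dict[str, object]:
    """Extract op, client MAC, message type and Server Identifier (option 54)."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    hlen = data[2]
    info: Dict[str, object] = {
        "op": data[0],
        "mac": ":".join(f"{b:02x}" for b in data[28:28 + hlen]),
        "type": None,
        "server_id": None,
    }
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            info["type"] = MSG_NAMES.get(value[0], f"type-{value[0]}")
        elif code == OPT_SERVER_ID and length == 4:
            info["server_id"] = ".".join(str(b) for b in value)
        i += 2 + length
    return info


def classify(src_ip: str, dst_ip: str, data: bytes, allowed_servers: Set[str]) -> str:
    """Return 'ok', 'rogue-server' or 'stale-client' for one DHCP datagram."""
    p = parse_dhcp(data)
    if p["op"] == BOOTREPLY or p["type"] in ("OFFER", "ACK", "NAK"):
        # Only a server emits these, so an unknown source really is a rogue.
        return "ok" if src_ip in allowed_servers else "rogue-server"
    if p["type"] == "REQUEST":
        # Which server is the client addressing? Option 54 first, else unicast dst.
        asked = p["server_id"] or (dst_ip if dst_ip != BROADCAST else None)
        if asked and asked not in allowed_servers:
            # The client remembers a server we do not run: flag the client, not a rogue.
            return "stale-client"
    return "ok"


def demo() -> Dict[str, str]:
    """Constructed traffic: the campus server, a phone renewing a home lease, a real rogue."""
    allowed = {"10.0.0.2"}                  # constructed campus DHCP server
    phone = bytes.fromhex("02aabbccddee")   # constructed client MAC
    return {
        "campus_ack": classify("10.0.0.2", BROADCAST, build_dhcp(BOOTREPLY, phone, 5, "10.0.0.2"), allowed),
        "renew_home_lease": classify("192.168.1.37", "192.168.1.1", build_dhcp(BOOTREQUEST, phone, 3), allowed),
        "select_home_server": classify("0.0.0.0", BROADCAST, build_dhcp(BOOTREQUEST, phone, 3, "192.168.1.1"), allowed),
        "home_router_offer": classify("192.168.1.1", BROADCAST, build_dhcp(BOOTREPLY, phone, 2, "192.168.1.1"), allowed),
        "discover": classify("0.0.0.0", BROADCAST, build_dhcp(BOOTREQUEST, phone, 1), allowed),
    }


if __name__ == "__main__":
    print(demo())
```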
Re: [PacketFence-users] Routed Networks and and missing routes
On Mar 20, 2014, at 7:15 PM, Lupe Silva lupe.si...@gmail.com wrote:

> We have our own dhcp servers already setup so I do not want DHCP from PF, and I believe this is core of my issue.

You *do* want PF to provide DHCP services...but only to your registration and possibly isolation VLAN. Let your production network's DHCP server handle the production network, with the appropriate PF listeners as you currently have configured. Since PF has (should have) an interface directly on your registration VLAN, no routing is required and everything just magically works.

If the problem is that you are not able to present the registration/isolation VLAN to your remote sites and need to do it via routed subnets, perhaps the best solution would be to setup a point-to-point L2 tunnel for these VLANs using one of the Cisco tools since you have their hardware at both ends?

> i.e: route add -net 10.10.20.0/255 gw 10.1.20.1 dev eth0.2

FWIW, the last time that I looked at the CIDR spec, /255 was not a valid IPv4 mask...

-Arthur
Re: [PacketFence-users] How to deal with violation
On Mar 12, 2014, at 3:37 PM, forbmsyn forbm...@gmail.com wrote:

> I was expecting it will be switched back to Isolation vlan after 10 minutes, so that the device can be scanned again, but it didn't happen. Is there anything else I need to check?

At least with PF 3.6, the maintenance task that performs expirations doesn't run every minute. If you're looking at a stopwatch waiting for exactly 10 minutes and zero seconds to pass, try being patient for a while and see if the node gets locked out again after half an hour or so.

Can PF scan it on the production network without having to go through the captive portal again? If so, perhaps the best path is to run the scan on the production network and only re-quarantine if it fails again. If you aren't letting new clients on until they are clean, you should probably also be checking old clients to ensure that they remain clean after registration...

-Arthur
Re: [PacketFence-users] How to deal with violation
I believe that the common practice is to allow a small subset of known networks required to update operating systems and virus scanners through to your remediation or isolation VLAN.

I believe that there is also a PF setting that allows certain violations to be overridden for a short period of time via the captive portal, so that the client has access to the Internet long enough to install patches. If they don't, it nags them again and ultimately shuts them down if they skip it too many times. We don't use the feature, so I cannot comment on the specifics or how it works...

-Arthur

On Mar 10, 2014, at 7:03 PM, forbmsyn forbm...@gmail.com wrote:

> Hi experts,
>
> Can you please share your experience in dealing with the violation? In my case, when a violation was triggered after the Nessus scanning finished, the switch port was put into isolation vlan. At the same time there was a message shown on client's browser like below:
>
>     Quarantine Established!
>     Windows Patches Are Not Up-to-Date.
>     Due to the threat this poses for other systems on the network, network connectivity has been disabled until corrective action is taken.
>
> The question is: Because the isolation vlan does not have internet access, how does the client address the problem, for example, download patch? If I give the isolation vlan access to internet by connecting the isolation vlan to other vlan which has internet access, then the above warning message won't appear on client's system. How do I let the client know that their system has security issue and need address, and at the same time they can have access to internet to fix the problem? What is your network design in your real scenario?
>
> Thanks a lot in advance.
Re: [PacketFence-users] Per SSID VLAN - Meru Networks
On Mar 6, 2014, at 10:20 AM, Tim DeNike tim.den...@mcc.edu wrote:

> We are on SD 5.3.xyz right now and RADIUS deauth does work. Drop this in a file called /usr/local/pf/lib/pf/SNMP/Meru/MC_MCC.pm Minus the cut lines obviously. In switch config, you'll have the option for Meru MC_MCC. It will do radius de-auths instead of the Telnet/SSH method. Much faster, much lighter weight.

Tim,

Do I have to do anything else to use the code that you provided? I dropped it in my PF 3.6 system in the path you specified, checked the file permissions, and restarted all PF services. When I checked in the GUI switch configuration, Meru MC_MCC did not show up as an available type. I manually edited switches.conf, changing Meru::MC to Meru::MC_MCC for both Meru controllers, set both to Radius deauth and restarted all PF services again, but a registration change still would not be forced to the client. Another fire popped up, so I had to fall back to the original config and couldn't dig any deeper.

When I was looking at the logs, I noticed that the *original* deauth code is throwing this error with Meru's 5.3 firmware:

Mar 11 13:21:07 pfcmd_vlan(3289) ERROR: Unable to deauthenticate aa:bb:cc:6a:17:43: Command response matched device error string at /usr/local/pf/lib/pf/SNMP/Meru.pm line 207 (pf::SNMP::Meru::deauthenticateMacDefault)
Mar 11 13:21:07 pfsetvlan(2) WARN: Problem trying to run command: /usr/local/pf/bin/pfcmd_vlan -deauthenticate -switch 10.x.y.z -mac aa:bb:cc:6a:17:43 called from handleTrap. Child exited with non-zero value 255 (pf::util::pf_run)

I suspected that there was something funky with deauth since we did the Meru 5.3 upgrade a few weeks ago, and even checked to make sure that the SSH tokens didn't get changed for the PF user. Hence, the new-found urgency to get the RADIUS deauth working while I still have a few days of spring break left...

-Arthur
Re: [PacketFence-users] Per SSID VLAN - Meru Networks
On Mar 6, 2014, at 9:28 AM, Tim DeNike tim.den...@mcc.edu wrote: Awesome. I have a case open with them about that right now. Spring break next week. I'll post a new module with radius deauth and that extract said sub soon! Was RADIUS deauth the reason why we have to use ssh to force disconnects? I thought that it was something missing from SNMP, but I'm probably going crazy. I know that it was a long-standing feature request in Meru's product roadmap, and it would be nice if this was included in the V6 release. As for upgrading to V6, we'll be sitting on the sidelines until summer waiting to hear about problems encountered by early adopters. Maybe it is just our user base, but we encounter weird connectivity problems with a fresh handful of odd devices every time that a new controller update is applied. -Arthur
Re: [PacketFence-users] Per SSID VLAN - Meru Networks
Thanks for sharing the code! I'll put it on my to-do list of spring break projects for next week, bumping the ever-tempting flee winter for some place warm off of the bottom... -Arthur

On Mar 6, 2014, at 10:20 AM, Tim DeNike tim.den...@mcc.edu wrote: Actually, looking through the code, no patch will be required for MAC-based SSID evaluation, it's already there and should work (it already does with 802.1x). We are on SD 5.3.xyz right now and RADIUS deauth does work. Drop this in a file called /usr/local/pf/lib/pf/SNMP/Meru/MC_MCC.pm Minus the cut lines obviously. In switch config, you'll have the option for Meru MC_MCC. It will do radius de-auths instead of the Telnet/SSH method. Much faster, much lighter weight.

^CUT^^^
package pf::SNMP::Meru::MC_MCC;

=head1 NAME

pf::SNMP::Meru::MC_MCC - Object oriented module to access MC series controllers

=head1 SYNOPSIS

Known to work with RADIUS deauth on System Director 5.3

=head1 STATUS

=cut

use strict;
use warnings;
use Log::Log4perl;
use pf::SNMP::constants;    # defines $SNMP::RADIUS and the other deauth technique names

use base ('pf::SNMP::Meru');

sub description { 'Meru MC_MCC' }

# Advertise RADIUS Disconnect-Request as the only (and therefore default)
# deauthentication technique, replacing the Telnet/SSH method of pf::SNMP::Meru.
sub deauthTechniques {
    my ($this, $method) = @_;
    my $logger = Log::Log4perl::get_logger( ref($this) );
    my $default = $SNMP::RADIUS;
    my %tech = (
        $SNMP::RADIUS => \&deauthenticateMacRadius,
    );
    if (!defined($method) || !defined($tech{$method})) {
        $method = $default;
    }
    return $method, $tech{$method};
}

# Deauthenticate a client by sending a RADIUS Disconnect-Request to the controller.
sub deauthenticateMacRadius {
    my ( $self, $mac, $is_dot1x ) = @_;
    my $logger = Log::Log4perl::get_logger( ref($self) );
    if ( !$self->isProductionMode() ) {
        $logger->info("not in production mode... we won't perform deauthentication");
        return 1;
    }
    $logger->debug("deauthenticate $mac using RADIUS Disconnect-Request deauth method");
    return $self->radiusDisconnect($mac);
}

=head1 AUTHOR

Tim DeNike tim.den...@mcc.edu

=cut

1;
^CUT^^^
Re: [PacketFence-users] Vlan was automatically switched.
On Mar 4, 2014, at 6:51 PM, forbmsyn forbm...@gmail.com wrote: However after about 10 minutes, the switch port which the device was plugged in was changed to vlan 9 automatically. I did not make any changes on PacketFence, and did not get a chance to update the client device yet. I think the device should still stay at vlan 3 until the problem is fixed. How come the vlan of the switch port was changed? [snip]

Mar 04 14:53:46 pfmon(0) INFO: running expire check (main::cleanup)
Mar 04 14:53:46 pfmon(0) INFO: checking registered nodes for expiration (main::cleanup)
Mar 04 14:53:46 pfmon(0) INFO: checking violations for expiration (main::cleanup)
Mar 04 14:53:46 pfmon(0) INFO: violation 111 force-closed for dc:0e:a1:8a:d4:8f (pf::violation::violation_force_close)

It appears that your violation had an expiration date/time when set... -Arthur
[PacketFence-users] PF Architecture Flowchart Poster?
Has anyone ever produced a poster-sized flowchart documenting how the various modules used by PF interact with each other, switches, clients, etc? Something along the lines of what Microsoft provides for their enterprise apps like Exchange or Lync: http://www.microsoft.com/en-us/download/details.aspx?id=6797 The biggest barrier to entry with PF is knowing where to start, and anyone who has been a member of this list for a few months or longer can see all of the questions from potential deployment sites that don't have the big picture of how everything interacts, where/how it should be deployed in an existing network, and whether or not they should deploy inline versus VLAN switching. I have never stumbled across something like this for PF, and was just thinking that a simple poster explaining how everything interacts would be useful to help people troubleshoot...and as a planning tool to drive further adoption from those who are overwhelmed by the different options available and give up because they think that PF is too complex to implement without consulting help... -Arthur
Re: [PacketFence-users] Question about Packetfence
On Feb 25, 2014, at 1:18 PM, Sallee, Jake jake.sal...@umhb.edu wrote: To answer your question about PF sending an email when a cable is unplugged, the answer is, I do not know for sure but I do not think so. The problem is that physical topology changes to the network are handled by a different OSI layer than the one that PF normally uses. That is not to say that you could not fairly easily make such a feature if you wanted to, but you would want to seriously investigate why you want such a feature. What problem are you trying to solve? Is there another way to address the problem?

I think that a better way to do this is to have each switch send an SNMP trap to a network monitoring program separate from PF, which can then filter the traps and send alerts via e-mail as needed based on pre-defined rules. One possible use of this type of alert is to monitor 24/7 devices like large screen smart televisions being used for electronic signage, to send an e-mail to your campus security/police when the ethernet cable is disconnected if somebody decides that one of those TVs would be better for watching football games in their living room. Smart video projectors hanging in class/conference rooms are another theft target that could be similarly monitored for immediate security/police response... -Arthur
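A worked version of the trap-filtering approach described above, added here as an example; it is not code from PacketFence or from anyone on this list. It assumes a trap receiver that logs one linkDown/linkUp trap per line in the simple format shown (a constructed sample; a real snmptrapd log differs only in the parsing regex), a watch list of the ports carrying 24/7 devices, and a short grace window so that a cable which comes straight back is not reported:

```python
"""Turn SNMP linkDown traps for watched ports into alerts.

Added example (not PacketFence code). The trap lines are a constructed sample
in a simple one-line-per-trap format; a real trap receiver logs differently,
so only the parsing regex would change.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample trap log: timestamp, switch address, trap type, varbinds.
SAMPLE_TRAPS = """\
2014-02-25 13:02:11 10.0.0.11 linkDown ifIndex=12 ifDescr=Gi1/0/12
2014-02-25 13:02:14 10.0.0.11 linkUp ifIndex=12 ifDescr=Gi1/0/12
2014-02-25 13:05:40 10.0.0.11 linkDown ifIndex=7 ifDescr=Gi1/0/7
2014-02-25 13:06:02 10.0.0.12 linkDown ifIndex=3 ifDescr=Gi1/0/3
2014-02-25 13:09:15 10.0.0.12 linkDown ifIndex=20 ifDescr=Gi1/0/20
this line is noise and is skipped
"""

# Constructed watch list: (switch address, ifIndex) -> the 24/7 asset on that port.
WATCHLIST: Dict[Tuple[str, int], Dict[str, str]] = {
    ("10.0.0.11", 12): {"asset": "Lobby signage TV", "notify": "security@example.edu"},
    ("10.0.0.11", 7): {"asset": "Room 204 projector", "notify": "security@example.edu"},
    ("10.0.0.12", 20): {"asset": "Cafeteria signage TV", "notify": "security@example.edu"},
}

TRAP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<agent>\S+) "
    r"(?P<kind>linkDown|linkUp) ifIndex=(?P<ifindex>\d+) ifDescr=(?P<ifdescr>\S+)$"
)


def parse_traps(text: str) -> List[dict]:
    """Parse trap lines into dicts, dropping anything the regex does not match."""
    events = []
    for line in text.splitlines():
        m = TRAP_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "agent": m["agent"],
            "kind": m["kind"],
            "ifindex": int(m["ifindex"]),
            "ifdescr": m["ifdescr"],
        })
    events.sort(key=lambda e: e["ts"])   # traps can arrive out of order
    return events


def _alert(down: dict, entry: Dict[str, str]) -> dict:
    return {
        "when": down["ts"],
        "to": entry["notify"],
        "subject": f"[link down] {entry['asset']} ({down['agent']} {down['ifdescr']})",
    }


def alerts_for(text: str, watchlist=WATCHLIST,
               grace: timedelta = timedelta(seconds=60)) -> List[dict]:
    """One alert per watched port that went down and stayed down longer than `grace`.

    Unwatched ports are ignored; a linkDown/linkUp pair inside the grace window is
    treated as a flap, not a disconnect, so a wiggled patch cable pages nobody.
    """
    pending: Dict[Tuple[str, int], dict] = {}
    alerts: List[dict] = []
    for ev in parse_traps(text):
        key = (ev["agent"], ev["ifindex"])
        if key not in watchlist:
            continue
        if ev["kind"] == "linkDown":
            pending.setdefault(key, ev)          # keep the first down, not a repeat
        elif key in pending:
            down = pending.pop(key)
            if ev["ts"] - down["ts"] > grace:
                alerts.append(_alert(down, watchlist[key]))
    # Ports still down at the end of the log are the ones somebody should look at.
    alerts.extend(_alert(down, watchlist[key]) for key, down in pending.items())
    return sorted(alerts, key=lambda a: a["when"])


if __name__ == "__main__":
    for a in alerts_for(SAMPLE_TRAPS):
        print(a["when"], a["to"], a["subject"])
```

The check works on a batch of lines, so it suits a cron job over the receiver's log as well as a live tail; the grace window is what stops the filter from paging security for a port that merely flapped.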
Re: [PacketFence-users] No connect on Virtual Interface with Registration-VLAN
On Feb 15, 2014, at 1:39 AM, Tim-Ole t...@izsr.de wrote: The client is at port 2. [snip] So, we set port 2 and port 8 on the Netgear to tagged w/VLAN 20 (= the registration VLAN). Port #2 (client) should be *untagged*. PF's VLAN enforcement will tell your switch to change the port from the registration VLAN (untagged) to the production VLAN (untagged) when the client is authenticated... -Arthur
Re: [PacketFence-users] Ping client from outside vlan iptables problem
I don't use inline mode, but am under the impression that it works using NAT. If I am correct, your initial observation is exactly what should be expected in a healthy NAT configuration! This PF FAQ entry may be of interest: http://www.packetfence.org/support/faqs/article/how-can-we-route-instead-of-nat-through-packetfence-in-inline-enforcement.html -Arthur

On Feb 12, 2014, at 3:31 PM, David Rice rice.dav...@gmail.com wrote: So, it looks like the issue I am having is that traffic in iptables isn't forwarding the outside traffic to the registered devices inside of the packetfence vlan. I was able to allow all outside traffic to forward regardless of whether the device was registered or not, but allowing it to forward only to registered devices has been a bit tricky. Is there anyone that has any ideas? On Tue, Feb 11, 2014 at 3:55 PM, David Rice rice.dav...@gmail.com wrote: Hello, I recently ran into an issue. I would like to be able to ping to devices in a PacketFence (inline mode) vlan. Something in the iptables rules is preventing me from doing this. I am able to ping from the device inside the vlan out, but I can't ping from outside the vlan back in. When I stop iptables rules it is able to complete the ping, so it is something specific with iptables, but I don't know what. Any help would be appreciated. -- David Rice
Re: [PacketFence-users] Sponsor no allowed to access the activation link
Assuming that the link sent to the sponsor has an encrypted token (like the message sent to users during self-registration to confirm their e-mail address is valid), I think that this is a reasonable feature request for the production branch. Somebody might even be crazy^H^H^H inclined :-) to think that also providing a configurable second option of having a Cc: of all sponsor e-mails sent to their help desk staff would be a nice additional feature, so that the help desk folks could also click on the link to approve the access in absence of the sponsor without having to give the help desk staff access to PF's management interface... -Arthur

On Jan 17, 2014, at 10:15 AM, forbmsyn forbm...@gmail.com wrote: Hi Fabrice, Because the link was sent to the sponsor's email, the sponsor is supposed to be responsible for the action. But I think your concern is reasonable too. I just wanted to know if there is such a config to simplify the procedure because our management team was asking. Thank you! Regards, Jacky On Fri, Jan 17, 2014 at 8:04 AM, Fabrice DURAND fdur...@inverse.ca wrote: But how do you check that the guy who clicks on the link is the real sponsor? Fabrice
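What the sponsor link needs is less encryption than authentication: a token the server can check was issued by it, has not expired, and has not already been redeemed. The following is an added example of such a token in Python; it is not PacketFence's implementation, and the HMAC-SHA256 body.signature layout, the field names and the server-side set of used nonces are choices made here. The same token shape would serve the help-desk Cc idea, since whoever clicks first consumes it:

```python
"""Signed, expiring, single-use sponsor activation token.

Added example, not PacketFence's own implementation. It assumes the server holds
a secret key and a small store of nonces already redeemed; the field names and
the "body.signature" layout are choices made here.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(key: bytes, sponsor: str, guest_mac: str, ttl_seconds: int,
               now: Optional[int] = None) -> str:
    """Bind sponsor, guest MAC and an expiry together under an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    payload = {
        "sponsor": sponsor,
        "mac": guest_mac.lower(),
        "exp": now + ttl_seconds,
        "nonce": secrets.token_hex(8),   # unique per token so it can be single-use
    }
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


class TokenError(ValueError):
    """Raised with a short reason when a token must not be honoured."""


def verify_token(key: bytes, token: str, used_nonces: Set[str],
                 now: Optional[int] = None) -> dict:
    """Return the payload of a valid token and mark its nonce used; raise otherwise."""
    now = int(time.time()) if now is None else now
    body, sep, tag_text = token.partition(".")
    try:
        if not sep:
            raise ValueError("no separator")
        body_bytes = body.encode("ascii")
        tag = _b64d(tag_text)
    except (ValueError, binascii.Error):
        raise TokenError("malformed") from None
    expected = hmac.new(key, body_bytes, hashlib.sha256).digest()
    # Check the tag before trusting anything in the body; constant-time compare.
    if not hmac.compare_digest(expected, tag):
        raise TokenError("bad signature")
    payload = json.loads(_b64d(body))
    if now > payload["exp"]:
        raise TokenError("expired")
    if payload["nonce"] in used_nonces:
        raise TokenError("already used")
    used_nonces.add(payload["nonce"])
    return payload


def activation_status(key: bytes, token: str, used_nonces: Set[str],
                      now: Optional[int] = None) -> str:
    """Convenience wrapper for a portal handler: 'ok' or the reason for refusal."""
    try:
        verify_token(key, token, used_nonces, now)
        return "ok"
    except TokenError as exc:
        return str(exc)
```

The order of checks matters: the tag is verified before the body is decoded, so a tampered or forged link is rejected without the server ever acting on its contents, and the nonce store is what turns "anyone holding the link" into "the first person holding the link".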
Re: [PacketFence-users] PFDNS The saga continues
On Dec 9, 2013, at 10:20 AM, Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote: All the crashes have been ~3:30am, it may be that is when PF is doing its log rotations, compressions, etc. and the CPU may be getting taxed causing the system clock to drift outside of some critical zone causing the DNSSec portion of PFDNS to crash. Silly question - did you check to see if oom-killer needed to free RAM during the log rotate process, and decided that PF's DNS daemon was going to be the victim? If you have PF running on a VM, I guess that you could throw some more RAM at it and see if it fails again. Then again, it is the end of the semester, and this may only be a placebo fix if the real cause is network load or a rogue client that will soon be gone for a month or so... -Arthur
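The oom-killer question is quick to settle from the kernel log. As an added example (not from this thread and not PacketFence code), here is a Python check that pulls the kill records out of /var/log/messages-style lines, notes which process invoked the killer, and reports kills of a named daemon within a window around a recurring time of day. The log lines are constructed, and the message wording is that of the CentOS-era kernel, so the regexes may need adjusting for other versions:

```python
"""Find OOM-killer victims in a kernel log and flag those near a recurring crash time.

Added example, not part of this thread. The log lines are constructed in the
style of a CentOS /var/log/messages; the exact wording differs between kernel
versions, so the regexes rely only on the "invoked oom-killer" and
"Out of memory: Kill process <pid> (<name>)" phrases.
"""
import re
from datetime import datetime
from typing import List, Optional

SAMPLE_MESSAGES = """\
Dec  8 03:29:58 pf kernel: logrotate invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0
Dec  8 03:29:58 pf kernel: Out of memory: Kill process 4321 (pfdns) score 812 or sacrifice child
Dec  8 03:29:58 pf kernel: Killed process 4321, UID 0, (pfdns) total-vm:512340kB, anon-rss:380200kB, file-rss:1200kB
Dec  8 03:30:05 pf pfdns(0) INFO: starting pfdns
Dec  9 03:31:40 pf kernel: Out of memory: Kill process 5210 (pfdns) score 790 or sacrifice child
Dec  9 14:02:11 pf kernel: Out of memory: Kill process 6001 (perl) score 600 or sacrifice child
"""

STAMP = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
INVOKER_RE = re.compile(STAMP + r"(?P<proc>\S+) invoked oom-killer")
KILL_RE = re.compile(STAMP + r"Out of memory: Kill process (?P<pid>\d+) \((?P<name>[^)]+)\)")


def oom_victims(text: str, year: int = 2013) -> List[dict]:
    """One record per kill, with the process that triggered the OOM pass if it was logged."""
    victims: List[dict] = []
    invoker: Optional[str] = None
    for line in text.splitlines():
        m = INVOKER_RE.match(line)
        if m:
            invoker = m["proc"]
            continue
        m = KILL_RE.match(line)
        if not m:
            continue
        # syslog stamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        victims.append({"ts": ts, "pid": int(m["pid"]), "name": m["name"], "invoker": invoker})
        invoker = None          # the next kill needs its own invoker line
    return victims


def _seconds_from(ts: datetime, hhmm: str) -> int:
    """Distance in seconds between ts's time of day and hh:mm, wrapping at midnight."""
    h, m = (int(x) for x in hhmm.split(":"))
    delta = abs((ts.hour * 3600 + ts.minute * 60 + ts.second) - (h * 3600 + m * 60))
    return min(delta, 86400 - delta)


def victims_near(text: str, name: str, hhmm: str, window_minutes: int = 15) -> List[dict]:
    """Kills of `name` whose time of day falls within the window around hh:mm."""
    return [v for v in oom_victims(text)
            if v["name"] == name and _seconds_from(v["ts"], hhmm) <= window_minutes * 60]


if __name__ == "__main__":
    for v in victims_near(SAMPLE_MESSAGES, "pfdns", "03:30"):
        print(v["ts"], "pid", v["pid"], "invoked by", v["invoker"])
```

If every kill of the daemon lands in the same few minutes and the invoker is the log rotation job, the fix is memory (or the rotation schedule), not DNSSEC; if the log shows no kills at all, the OOM theory is ruled out and the clock-drift idea deserves the next look.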
Re: [PacketFence-users] 802.1x support on a Cisco Catalyst 6500 platform
On Nov 19, 2013, at 9:27 PM, Thomas Tsai tt...@canyonpartners.com wrote: But… has anyone had any luck on doing this? Has anyone tried using the 4500 series module or some other fashion? FWIW, our 4500 series switch seems to have a lot in common with Cisco's 3750x stackable switches. I don't deal with them enough to know if they share the same firmware files, though. Don't know anything about the 6500, but suspect that it isn't the same hardware generation as the 4500 and 3750x... -Arthur
Re: [PacketFence-users] PFDNS crashing every few seconds HELP! [UPDATE]
Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote: Strange. I wonder why ntp would affect pfdns ... I double checked and everything seems right, thanks for the heads up though. DNSSEC requires an accurate time reference, per ISC and Bind9. Does pfdns have DNSSEC support (or unused DNSSEC code) in it? Just grasping at straws to see if this explains the problem you're seeing... -Arthur
Re: [PacketFence-users] Upgrade to 4.0.5-2 status and lingering issues
On 8/13/13 11:36 AM, Jason Frisvold xenoph...@godshell.com wrote: HEY DEVS : THIS LIST SHOULD BE IN A DATABASE AND HAVE A GUI INTERFACE TO UPDATE! Just sayin... :) ...and a checkbox to ignore it and just register any MAC address that the user inputs. Just my $0.02, which I suspect rounds down to zero under Canada's new penniless cash-rounding rules... :-) -Arthur
Re: [PacketFence-users] Register as a different user
David Rice rice.dav...@gmail.com wrote: Is there a way for someone in an administrative role to register a device as a different user? Like, for example, the admin was setting up a computer lab, but they want the registered user to be the person that runs the lab. Was the bulk import feature removed from PF 4.x? It let you import a whole lab, and specify who the owner was for the entire batch. The one caveat is that the owner's person record needed to exist in PF before running the import, but the same thing goes with changing the owner of a node in PF 3.6.x... -Arthur
Re: [PacketFence-users] SMS activation issue [SOLVED]
Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote: So PF is fine... it seems as though my IP has been blacklisted through spamhaus and several other spam list sites. Well... looks like I'm off to email land to get this fixed. Dollars to donuts, one of your users fell for a phishing scam, and their user account is being used by some enterprising chaps from Nigeria to scam others. If I'm correct, your outbound mail queues will quickly reveal the offending user account. Good luck with the cleanup... -Arthur
Re: [PacketFence-users] SMS activation issue [SOLVED]
Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote: I almost want to leave it, I have wanted to shut down SMTP from my public NAT for a long time but each time I do, some users throw a fit because they have software that wants to act as a SMTP server ... BUT ... this way, it still doesn't work ... and, I can say I didn't do it. Is that bad?

I have blocked all inbound and outbound port 25 traffic on our networks for years, except for the legitimate SMTP servers. We even use outbound port 25 traps from our firewall to quarantine infected computers before other methods detect them. If you Google around, you will find that most ISPs these days block port 25, and tell their customers to relay through port 465 or 587 authenticated with whoever their mailbox provider is. There are dozens of web sites showing how to set up SMTP relaying through a Gmail account. Many moons ago, I served on a panel at a (USA) Federal Trade Commission event about spam and e-mail authentication in Washington, DC. During a lunch break one day, I met a network engineer from a branch of our military, and suggested that everyone blocking port 25 at their border routers was the cleanest fix to the spam problem. He said good luck with that, because the military doesn't even have a map of their authorized SMTP servers and the last thing that he'd want to do from a career perspective is block some general's personal e-mail server. Once the shock passed about the military not knowing who is using their networks, I had an even scarier thought. These are the same people that are keeping track of nuclear weapons! We had problems with peer-to-peer piracy like many other schools, but being a private institution are a little more hesitant than a public school to block something that might annoy the students without a good reason. After years of playing DMCA take-down games, I pulled a report from our packet shaper showing that only 6 students were active P2P users. There were not riots in the hallways when they came back from Easter break and none of their P2P software worked any more. Anyway, let me bring all of this rambling back to a point. My suggestion is to log everyone using port 25 for a week, and see how many people are impacted. If it is as few as I suspect, do something that even our mighty military can't and block port 25 on your network... -Arthur
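For the "log everyone using port 25 for a week" step, an added example (not PacketFence code) that reads iptables LOG lines and answers the two questions worth asking before the block goes in: which internal hosts would be affected, and which of them look like compromised machines rather than somebody's relay setup. The SMTP-OUT log prefix, the sample lines and the mail-server allowlist are all constructed for the example:

```python
"""Summarise logged outbound port-25 connections before deciding to block them.

Added example, not PacketFence code. It assumes an iptables LOG rule on the
border firewall that prefixes matching packets with "SMTP-OUT:"; the log lines
below are constructed in that style and the allowlist is a placeholder for the
campus mail servers that legitimately speak SMTP to the outside.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: a week of logging compressed into a few lines.
SAMPLE_LOG = """\
Aug  5 10:12:33 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.1.5 DST=198.51.100.7 PROTO=TCP SPT=34512 DPT=25
Aug  5 10:12:40 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.1.5 DST=198.51.100.9 PROTO=TCP SPT=34513 DPT=25
Aug  5 10:13:01 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.44.23 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=25
Aug  5 10:13:02 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.44.23 DST=203.0.113.11 PROTO=TCP SPT=51002 DPT=25
Aug  5 10:13:02 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.44.23 DST=203.0.113.12 PROTO=TCP SPT=51003 DPT=25
Aug  5 10:13:03 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.44.23 DST=203.0.113.13 PROTO=TCP SPT=51004 DPT=25
Aug  5 10:13:03 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.44.23 DST=203.0.113.14 PROTO=TCP SPT=51005 DPT=25
Aug  6 09:01:10 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.7.7 DST=192.0.2.25 PROTO=TCP SPT=40001 DPT=25
Aug  7 09:03:44 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.7.7 DST=192.0.2.25 PROTO=TCP SPT=40002 DPT=25
Aug  7 09:05:00 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.20.7.7 DST=192.0.2.25 PROTO=TCP SPT=40003 DPT=587
"""

ALLOWED_MAIL_SERVERS: Set[str] = {"10.20.1.5"}   # placeholder for the real relay hosts

LOG_RE = re.compile(r"SMTP-OUT: .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def parse_port25(text: str) -> List[Tuple[str, str]]:
    """(src, dst) pairs for every logged connection attempt to TCP port 25."""
    pairs = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m["dpt"] == "25":       # submission ports (587/465) are not the concern
            pairs.append((m["src"], m["dst"]))
    return pairs


def summarize(text: str, allowed: Iterable[str] = ALLOWED_MAIL_SERVERS,
              fanout_threshold: int = 5) -> Dict[str, object]:
    """Who would be impacted by a port-25 block, and who looks like a spam bot.

    A source talking to many distinct destinations in a short log is far more
    likely to be infected than to be somebody's legitimate relay setup.
    """
    allowed = set(allowed)
    conns: Dict[str, int] = defaultdict(int)
    dests: Dict[str, Set[str]] = defaultdict(set)
    for src, dst in parse_port25(text):
        conns[src] += 1
        dests[src].add(dst)
    impacted = sorted(s for s in conns if s not in allowed)
    suspects = sorted(s for s in impacted if len(dests[s]) >= fanout_threshold)
    return {
        "sources": {s: {"connections": conns[s], "destinations": len(dests[s])} for s in conns},
        "impacted_hosts": impacted,
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("impacted:", report["impacted_hosts"])
    print("suspects:", report["suspects"])
```

Outbound fan-out (one internal host opening port 25 to many distinct destinations) is the same signal a firewall "port 25 trap" keys on; a legitimately configured client relays to one or two servers, and those are the users to contact before the block lands.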
Re: [PacketFence-users] 3.6.1 Gaming console self-registration problem
On 7/29/13 5:50 PM, Stephen Wittstruck switt...@mines.edu wrote: Hi again Arthur, Just found your Jan. 22 post, also. Another good question raised, I think. Any updates?

For PF 3.6.1, I added lines 85 and 86 below to /usr/local/pf/html/captive-portal/register-gaming-device.cgi

0084: if($result) {
0085:     my $cmd = $bin_dir . "/pfcmd_vlan -reevaluateAccess -mac " . $device_mac;
0086:     my $output = qx/$cmd/;
0087:     pf::web::gaming::generate_landing_page($portalSession,$msg);
0088:     $portalSession->session->delete();

I'm not a programmer, but it works for us to solve the problem... -Arthur
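The two added lines build the command string by concatenation and hand it to a shell through qx//. The safer habit for any shell-out from a portal script is to validate the MAC first and pass the arguments as a list, so nothing taken from the request is ever parsed by a shell. Here is that pattern as an added example in Python; it is not PacketFence code (the Perl equivalent would be the list form of system()), and it assumes only the pfcmd_vlan path and flags quoted above:

```python
"""Invoke pfcmd_vlan -reevaluateAccess for a MAC without passing through a shell.

Added example in Python, not PacketFence's code (the portal script in the thread
is Perl). It assumes the pfcmd_vlan path and flags quoted above and wraps only
how the command is built and executed.
"""
import re
import subprocess
from typing import Callable, List

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex.

    Returns the lower-case colon form or raises ValueError; anything that is not
    twelve hex digits after stripping separators is rejected outright.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def reevaluate_command(mac: str, bin_dir: str = "/usr/local/pf/bin") -> List[str]:
    """argv list: each element is exactly one argument, so no shell parses the MAC."""
    return [f"{bin_dir}/pfcmd_vlan", "-reevaluateAccess", "-mac", normalize_mac(mac)]


def reevaluate_access(mac: str, bin_dir: str = "/usr/local/pf/bin",
                      run: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> int:
    """Run the command (or an injected stand-in) and return its exit status."""
    result = run(reevaluate_command(mac, bin_dir), capture_output=True, text=True, timeout=60)
    return result.returncode


def dry_run(argv: List[str], **kwargs) -> subprocess.CompletedProcess:
    """Stand-in runner for tests and for machines without PacketFence installed."""
    return subprocess.CompletedProcess(argv, 0, stdout="", stderr="")
```

The timeout matters as much as the argv list: pfcmd_vlan talks to a switch, and a portal request that blocks forever on an unreachable controller ties up a web worker.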
Re: [PacketFence-users] Re-visiting skip_mode?
On 7/29/13 4:40 PM, Stephen Wittstruck switt...@mines.edu wrote: Hi Arthur, I just saw your Jan. 10 post (I optimistically keep unread digest posts in my inbox..) You've raised some very interesting points and I'm wondering if you received any replies or have any updates. What we ultimately wound up doing is to enable the guest self-registration system, with either SMS or external e-mail confirmation required. Default guest access is 24 hours, and can be manually extended if the guest has their campus sponsor call our help desk. The big gotcha is permanent guests from the neighborhood, who keep re-registering every time their access expires. Our fix for that was a quick code tweak to PF that trips a new violation called Expired Guest when the guest access expires, putting them into a 30-day quarantine. The result is that they can only have guest access one day per month, and have 29 days of timeout to go and find another network in town to poach Internet access from. I didn't submit the changes I made back to the PF project, but will gladly share the changes against PF 3.6.1 if anyone is interested in using this logic... -Arthur
Re: [PacketFence-users] Delete account when the access duration of its first registered node is expired?
On 7/23/13 4:36 AM, Florian Mirkes f.mir...@technisat.de wrote: At the moment when you create a guest with the settings Set access duration the node gets unregistered after that time, but you can simply register it again with the same access code. We have developed an interesting guest policy that you might wish to consider using. When someone registers for guest access, they can only register one device per limit setting in PF. When their guest access expires, we trigger a violation on the device that expires in 30 days and throws them into quarantine. The result is that the device can only be used on our guest network once every 30 days. This prevents permanent repeating guests, which I suspect is your goal. It took only a few lines of additional code in PF 3.6.1 to make this work... -Arthur
Re: [PacketFence-users] Packetfence configuration
On 7/19/13 3:10 AM, Ulrich Guimbi ulrich.gui...@keynectis.com wrote: Can you forward me what you send because I delete my email of packetfence users lists every day To clarify Jake's response:

1) Open a web browser.
2) Visit this page: http://www.packetfence.org/support/community.html
3) Pick any one of THREE publicly-available web archives of this list's posts.
4) Search for Jake's post and/or keyword 2960 to find his response.

The Cisco 2960 series is the most common network switch in use around the world, and the archives contain many posts detailing the mistakes that others have made configuring this switch and what they needed to do to resolve their problems... -Arthur
Re: [PacketFence-users] eth1 won't enable on Packetfence ZEN 4.0.0 ESX while running Step2 on setup wizard
I haven't downloaded ZEN 4.0.0 yet. Does this gotcha from ZEN 3.6.0 still apply?

VMware has a gotcha with RedHat-based VMs being copied to new hosts. When VMware changes the MAC address(es) of the NIC(s) during cloning or copying, RHEL still has the old ones in its config files. The result is that it creates new NIC device(s) in Linux. On my system, the two NICs are eth3 and eth4 (and not eth0, eth1 or eth2). I've seen the issue before with other cloned CentOS VMs, so I just fixed it out of habit. Here are three different articles describing fixes:

http://blog.agilinix.com/2011/10/no-ethernet-device-after-cloning-centosrhel-vm/
http://alexcline.net/2011/11/15/reconfiguring-network-interfaces-in-centosrhel-systems-cloned-with-vcenter/
http://www.cyberciti.biz/tips/vmware-linux-lost-eth0-after-cloning-image.html

-Arthur

From: Raymond Samonte mon_samo...@yahoo.com
Reply-To: packetfence-users@lists.sourceforge.net
Date: Wednesday, May 15, 2013 5:16 PM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] eth1 won't enable on Packetfence ZEN 4.0.0 ESX while running Step2 on setup wizard

> Hi to all,
>
> I'm not yet done testing Packetfence ZEN 3.6.1 but here comes 4.0.0...
>
> Here's what I've done:
>
> 1. Install the Packetfence ZEN 4.0.0 ovf file on VMware ESXi 5.1 and power on the VM.
> 2. Login using root as user and p@ck3tf3nc3 as password.
> 3. Manually configure the IP address of eth1 (10.0.10.1/24) and restart the network (service network restart).
> 4. Open a browser and access the web GUI (https://10.0.10.1:1443/configurator).
> 5. Run the wizard. Step 1 - VLAN mode.
> 6. Step 2 - Assign eth1 as management.
>    a. Create VLAN for Registration (eth1.2 - 192.168.2.10/24)
>    b. Create VLAN for Isolation (eth1.3 - 192.168.3.10/24)
>    c. Create VLAN for Guest (eth1.5 - 192.168.5.10/24)
> 7. Then the problem occurs.
>    a. eth1.2, eth1.3, eth1.5 are enabled when created.
>    b. eth1 (physical), assigned as management, cannot be enabled and stays in the "off" position.
> 8. I continue the setup wizard until all steps are finished.
> 9. Then I access the Packetfence web GUI (https://10.0.10.1:1443/admin) and configure the switches, guest access and other settings.
> 10. Finally, I restart the Packetfence VM (shutdown -r now) and when it boots up, I cannot access the web GUI anymore (because eth1 was not enabled in the setup wizard, even though it is enabled when Packetfence boots up).
>
> eth1   === Management  = Off position (disabled), cannot be enabled.
> eth1.2 === Registration = On position (enabled)
> eth1.3 === Isolation   = On position (enabled)
> eth1.5 === Guest       = On position (enabled)
>
> Has anyone encountered the same problem as mine using the new Packetfence ZEN 4.0.0? Hope someone could help me on this.
>
> Best regards,
> Mon
Re: [PacketFence-users] Guest users stays at Normal VLAN
Raymond Samonte mon_samo...@yahoo.com wrote:

> But now I encounter another problem. The Guest VLAN doesn't have internet access. Should I edit the packetfence iptables to allow the Guest VLAN to access the internet?

PF can operate either in inline mode, or by changing VLANs on switch and wifi hardware externally. We're handling all VLAN access restrictions at the network switch hardware. The only thing that PF manages for us is the registration and quarantine VLANs. If you want PF to handle managing your guest VLAN, this would be via inline mode settings and I have honestly never even looked at those manual pages...

-Arthur
Re: [PacketFence-users] Guest users stays at Normal VLAN
Raymond Samonte mon_samo...@yahoo.com wrote:

> 1. Why is it that the guest PC asks for an IP address from the Normal VLAN DHCP server while in the 10 minute grace period for email activation? Is that how packetfence works?

Yes, this is normal. PF gives 10 minutes of live access so that the guest can retrieve their external e-mail to get the validation link. The only reason for this e-mail that I can think of is to validate that the guest provided their correct e-mail address, and didn't just make something up to get access.

> 2. When I confirm the email and activate the guest access, it does not re-assign to the guest VLAN but stays on the normal VLAN.

Did you un-comment the guest VLAN code in lib/pf/vlan/custom.pm ??? I believe that this is the code where VLAN decisions are made, and it needs slight customization to use the guest and custom VLANs.

> 3. I configured the guest access to 30 mins but it doesn't block the internet access after the 30 min period. Packetfence cut the access at 40 mins before going again to the registration VLAN.

The VLAN behavior is what happened here as well out of the box when a guest timed out and didn't validate. [I have since made a few changes to the PF code so that any guest account that expires (whether validated or not) has a 30-day violation set so that the device cannot be re-registered again. In other words, a device can be a guest more than once per month, which eliminates perpetual guests who just keep re-registering as they expire.]

Timing-wise, I believe that the PF task that expires nodes does not run every minute. The node stays live until the next expire run cycle after the node expires, which drove me crazy when I was testing expirations anticipating stopwatch accuracy...

-Arthur
Re: [PacketFence-users] Upgrading from 3.6.0 to 3.6.1
Dan Nelson dnel...@nutracorp.com wrote:

> [root@fennel pf]# mysql -u root -p pf -v < db/upgrade-3.5.0-3.6.1.sql
> Enter password:
> --
> INSERT INTO `node_category` (category_id,name,notes) VALUES (3,'gaming','Gaming devices')
> --
> ERROR 1062 (23000) at line 5: Duplicate entry '3' for key 1
>
> Can someone help me with this?

I reported this problem and a suggested fix as issue # 1624 back in January:

http://www.packetfence.org/bugs/view.php?id=1624

As you have discovered, it only happens to installations that have added custom node categories prior to the 3.6.1 upgrade...

-Arthur
Re: [PacketFence-users] VLAN assignment and Cisco switches
Matthew Pikusa ic3s...@gmail.com wrote:

> Problem: After using the registration portal, Packetfence does not change the VLAN assignment of the PC's port to the "Guest" VLAN. I am using a Cisco 3750G Stack with the latest version of Packetfence.

Did you un-comment the guest VLAN code in lib/pf/vlan/custom.pm ???

-Arthur
Re: [PacketFence-users] ladp authentication
On 4/3/13 12:31 PM, Jeremy Schubert jschub...@shaw.ca wrote:

> The example below is from the PF admin manual. Is the ldapuser just a user I create that can bind to the directory?

Yes. I believe that it needs the full LDAP Distinguished Name (DN) to be spelled out. For an AD example:

CN=John Smith,CN=Users,DC=domain,DC=org

> And does ldap server refer to my domain controller?

Yes.

> my $LDAPUserBase = "ou=People,dc=domain,dc=org";
> my $LDAPUserKey = "uid";

You may want to change this to sAMAccountName instead of uid for an AD server.

> my $LDAPUserScope = "one";

May need to be "sub", depending on your LDAP tree layout...

-Arthur
Re: [PacketFence-users] /tmp/cgisess_* files filled disk
Derek Wuelfrath dwuelfr...@inverse.ca wrote:

> For the moment, the easier thing to do would be a cronjob to get rid of these files. We implement a new way for handling these sessions using memcached. That will be part of PF4

Thanks for the cron workaround suggestion. It finished the cleanup that I was performing manually all day. If you are changing the way that sessions are handled in 4.0, it probably doesn't make sense at this point to fix the problem in 3.x.

As a heads-up to everyone, this issue has been around since PF 2.0 and may rear its ugly head at your site without warning some day. You should probably install the cron workaround as provided in the bug tracker:

http://www.packetfence.org/bugs/view.php?id=1142

-Arthur
Re: [PacketFence-users] Cisco 3750X-POE SNMP 2C problem?
On 3/28/13 7:04 PM, Stephen Wittstruck switt...@mines.edu wrote:

> P.s., what is the switch type you're using in switches.conf? I've only found one PF documentation for 3750's:
>
> type = Cisco::Catalyst_3750

I set it up as a 2960, and followed the setup instructions for stacked 2960/3750 switches on paper page #22 of the current Network Devices Configuration Guide. This is all that it takes to get it working with MAC auth and SNMPv1:

[192.168.100.64]
type=Cisco::Catalyst_2960
mode=production
vlans=2,11,12,302,303,304,305
normalVlan=11
registrationVlan=302
isolationVlan=303
macDetectionVlan=304
guestVlan=305
customVlan1=11
customVlan2=2
customVlan3=2
customVlan4=11
deauthMethod=SNMP
cliTransport=SSH
SNMPCommunityTrap=**
SNMPUserNameTrap=
SNMPAuthProtocolTrap=
SNMPAuthPasswordTrap=
SNMPPrivProtocolTrap=
SNMPPrivPasswordTrap=
SNMPCommunityRead=***public***
SNMPCommunityWrite=**
SNMPEngineID=
SNMPUserNameRead=
SNMPAuthProtocolRead=
SNMPAuthPasswordRead=
SNMPPrivProtocolRead=
SNMPPrivPasswordRead=
SNMPUserNameWrite=
SNMPAuthProtocolWrite=
SNMPAuthPasswordWrite=
SNMPPrivProtocolWrite=
SNMPPrivPasswordWrite=
radiusSecret=**
controllerIp=

-Arthur
[PacketFence-users] /tmp/cgisess_* files filled disk
PF 3.6.0 ZEN, upgraded to 3.6.1.

PacketFence appears to be leaving cgisess_[long_hex_string] files behind in /tmp. It apparently overflowed the maximum number of files allowed in an EXT3 directory overnight, as PF was complaining about not having free disk space despite there being 8 gigs free according to df.

Someone else encountered this problem with PF 3.2 last July, but nobody responded to his question about whether these files should be purged daily. I'll ask again, and also add a second question about whether there is an automated/scheduled maintenance routine in PF that is supposed to be taking care of these files but is not working on my system for some reason.

As I discovered this morning, the system will DoS itself sooner or later when it can't open any more session files, and the ls command won't even work in the /tmp folder with that many files...

-Arthur
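The cron workaround from the bug tracker that the reply earlier on this page points to is not reproduced here. What follows is an added example, written for this page and not PacketFence's own code, of how such a cleanup job can be written so that it keeps working once /tmp holds more entries than a shell glob or ls can cope with (the situation described in this post): it counts and deletes with find, never with `cgisess_*` expansion. It assumes CGI::Session files named cgisess_<hex> in /tmp and a 24-hour session age limit; the directory, the age and the script path in the cron line are assumptions to tune.

```shell
#!/bin/sh
# Added example (not PacketFence code, not the bug-tracker cron job).
# Purges stale CGI::Session files without expanding a glob, so it works
# even when the directory is too large for "ls /tmp/cgisess_*".
# Assumptions: session files are named cgisess_<hex>; a session older than
# MAX_AGE_MIN minutes is dead (tune to your portal's real session lifetime);
# GNU find (-maxdepth, -mmin, -delete), as shipped on RHEL/CentOS.

: "${SESSION_DIR:=/tmp}"     # assumed location of the session files
: "${MAX_AGE_MIN:=1440}"     # assumed maximum age: 24 hours

# Count session files in $1 without a glob (wc pads its output on some systems).
count_sessions() {
    find "$1" -maxdepth 1 -type f -name 'cgisess_*' | wc -l | tr -d ' '
}

# Delete session files in $1 older than $2 minutes; prints how many were removed.
# Only plain files directly in the directory are touched, and only those whose
# name matches the session prefix, so other /tmp content is left alone.
purge_sessions() {
    dir=$1
    age=$2
    before=$(count_sessions "$dir")
    find "$dir" -maxdepth 1 -type f -name 'cgisess_*' -mmin +"$age" -delete
    after=$(count_sessions "$dir")
    echo $((before - after))
}

# Warn when the number of session files in $1 exceeds a threshold ($2,
# default 32000, an arbitrary guard: the post describes the directory
# becoming unusable long before the disk filled). Returns 1 when over it.
check_session_pressure() {
    n=$(count_sessions "$1")
    if [ "$n" -gt "${2:-32000}" ]; then
        echo "WARNING: $n session files in $1" >&2
        return 1
    fi
    return 0
}

# Run as a script from cron, e.g. (path and schedule are assumptions):
# 0 * * * * root SESSION_DIR=/tmp MAX_AGE_MIN=1440 /usr/local/sbin/purge-cgisess.sh --run
if [ "${1:-}" = "--run" ]; then
    check_session_pressure "$SESSION_DIR" || true
    purge_sessions "$SESSION_DIR" "$MAX_AGE_MIN"
fi
```

Using find with -mmin rather than a glob is the whole point: the post's failure mode is that the shell and ls choke on the directory, and a cleanup that starts with `rm /tmp/cgisess_*` hits the same wall ("argument list too long") exactly when it is needed.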
Re: [PacketFence-users] Cisco 3750X-POE SNMP 2C problem?
Stephen Wittstruck switt...@mines.edu wrote:

> Has anyone successfully used PF with Cisco 3750X-POE switches? PF isn't getting a response for an SNMP 2C connection.

We have PF 3.6.1 running against a stack of WS-C3750X-48PF-S POE switches, IOS version 15.0(2)SE [C3750E-UNIVERSALK9-M]. Our PF is currently using SNMPv1, though. (Upgrading to v2/v3 is already on our summer project cleanup list.) As a troubleshooting step, can you fall back to v1 and see if the problem is with the switch or the v2c configuration???

-Arthur
Re: [PacketFence-users] Unable to detect network connectivity.
berl...@firelands.com wrote:

> I think the problem might be with the snmp between the switch and packetfence, but I'm not positive. I've tried setting port-security snmp traps and up/down link traps and neither seem to work. I've also tried SNMP 1, 2c, and 3. I can do an snmpwalk from the packetfence server to the switch.

We have a few newer 3750's here, along with a lot of stacked 2960's. The instructions for stacked 29xx/3750 switches (paper page #22 in the manual) worked fine for us, which is more or less what Fabrice wrote.

One thing that I did notice was that the third octet of the switch's IP address was 25, but the trap receiver you set in the switch (for the PacketFence management IP) had a third octet of 250. Is this a typo, or is it correct???

-Arthur
Re: [PacketFence-users] Unable to detect network connectivity.
berl...@firelands.com wrote:

> So what interface should the snmp-server host be set to? The management one?

Yes!

> Does anyone have a 3750 config that works?

Here is a basic one that works for us. Note that to keep things simple for troubleshooting, it is using SNMPv1. Also note that it is based on the 2960 stack config, which works the same on our 3750's:

[192.168.100.64]
type=Cisco::Catalyst_2960
mode=production
vlans=2,11,12,302,303,304,305
normalVlan=11
registrationVlan=302
isolationVlan=303
macDetectionVlan=304
guestVlan=305
customVlan1=11
customVlan2=2
customVlan3=2
customVlan4=11
deauthMethod=SNMP
cliTransport=SSH
SNMPCommunityTrap=**
SNMPUserNameTrap=
SNMPAuthProtocolTrap=
SNMPAuthPasswordTrap=
SNMPPrivProtocolTrap=
SNMPPrivPasswordTrap=
SNMPCommunityRead=***public***
SNMPCommunityWrite=**
SNMPEngineID=
SNMPUserNameRead=
SNMPAuthProtocolRead=
SNMPAuthPasswordRead=
SNMPPrivProtocolRead=
SNMPPrivPasswordRead=
SNMPUserNameWrite=
SNMPAuthProtocolWrite=
SNMPAuthPasswordWrite=
SNMPPrivProtocolWrite=
SNMPPrivPasswordWrite=
radiusSecret=**
controllerIp=

Notice how little info it takes for this to work! Once you have it working for SNMPv1, you can then upgrade it to one of the more secure versions.

> I don't have a firewall between the two. If I send the traps to my management port I see the snmp string in my packet capture, but I still get nothing in my snmptrapd.log.

If you are using SNMPv1, it sounds like the strings you used on both ends for SNMPCommunityTrap don't match. Don't forget to restart PF after editing any config file or making GUI config changes! When I was doing the initial testing here, I rebooted the server after every change just to make sure that everything came back up...

-Arthur
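The switches.conf stanza shown here and in the 3750X thread above is deliberately minimal, but two things in it deserve a check before it reaches production: the read community is the well-known default "public" (masked in the post), and, as the reply says, a trap community that differs between the switch's snmp-server host line and SNMPCommunityTrap makes traps vanish silently. The shell functions below are an added example written for this page, not part of PacketFence; they assume the PacketFence 3.x ini layout ([ip] section headers, key=value lines), and the switch IPs, community strings and file path used in the comments and test data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PacketFence code). Pre-flight check of a switches.conf
# stanza for the SNMP-based, out-of-band VLAN setup shown in the post.
# Assumes the 3.x ini layout: "[192.168.100.64]" section headers, key=value lines.
# Community strings in SNMPv1/v2c travel in cleartext; the write community in
# particular is what lets PF (or anyone on the path) change port VLANs.

# Print the value of key $3 in section $2 of ini file $1 (empty if absent).
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == want); next }
        insec && index($0, key "=") == 1 { sub("^" key "=", ""); print; exit }
    ' "$1"
}

# Check one switch stanza. Prints one finding per line; returns 1 if any.
check_switch_stanza() {
    conf=$1
    sw=$2
    rc=0
    # Keys the SNMP/VLAN enforcement path cannot work without.
    for key in type mode vlans registrationVlan isolationVlan \
               SNMPCommunityTrap SNMPCommunityRead SNMPCommunityWrite; do
        val=$(ini_get "$conf" "$sw" "$key")
        if [ -z "$val" ]; then
            echo "$sw: $key is missing or empty"
            rc=1
        fi
    done
    # The registration and isolation VLANs must be among the VLANs PF manages.
    vlans=$(ini_get "$conf" "$sw" vlans)
    for key in registrationVlan isolationVlan; do
        v=$(ini_get "$conf" "$sw" "$key")
        [ -n "$v" ] || continue
        case ",$vlans," in
            *",$v,"*) ;;
            *) echo "$sw: $key=$v is not listed in vlans=$vlans"; rc=1 ;;
        esac
    done
    # Default or very short community strings: flag them (threshold of 8 is an
    # arbitrary floor chosen for this example, not a PacketFence rule).
    for key in SNMPCommunityRead SNMPCommunityWrite SNMPCommunityTrap; do
        v=$(ini_get "$conf" "$sw" "$key")
        case "$v" in
            public|private) echo "$sw: $key uses the default community '$v'"; rc=1 ;;
        esac
        [ -z "$v" ] || [ "${#v}" -ge 8 ] || { echo "$sw: $key is shorter than 8 characters"; rc=1; }
    done
    return $rc
}

# The community the switch sends in its traps ($3, taken from the switch's
# "snmp-server host <pf-ip> <community>" line) must equal SNMPCommunityTrap.
check_trap_community() {
    expected=$(ini_get "$1" "$2" SNMPCommunityTrap)
    [ "$expected" = "$3" ] && return 0
    echo "$2: switch sends trap community '$3' but switches.conf has '$expected'"
    return 1
}

# Stand-alone usage (path and arguments are assumptions):
#   . ./check-switches.sh; check_switch_stanza /usr/local/pf/conf/switches.conf 192.168.100.64
```

Run the stanza check after every edit and before restarting PF; a trap that reaches the management interface (visible in a packet capture, as in the quoted message) but never appears in snmptrapd.log is exactly the symptom the trap-community comparison is meant to catch.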
Re: [PacketFence-users] questions about use/design
Rachid Zarouali rzarou...@gmail.com wrote:

> 2°) I assume we can make guest access (according to the features). Is it then possible to have only guest access to the internet with restricted ports and no other access to other resources in the network? Not even pinging or scanning in the network?
>
> maybe using packetfence in inline mode you can achieve it, i don't think you can do it with packetfence only in outband mode. => others may correct me if i'm wrong?

In VLAN-switching mode, this is all a function of the wired network architecture. Create a guest VLAN with all of your restrictions, and have PF switch guests to it. You may need to make a minor programming tweak to the file lib/pf/vlan/custom.pm to make it switch to the defined guest VLAN. The code is in the file, but commented out.

-Arthur
Re: [PacketFence-users] basic instalation questions
Stephen (Jake) jake.sal...@umhb.edu wrote:

> For what it's worth here are my specs:
>
> PF Server (everything except MySQL)
> Dell R210
> 8 GB RAM
> 120 GB HD (RAID 1)
> 1 x Intel(R) Xeon(R) CPU X3430 @ 2.40GHz
> 2 x 1Gb Ethernet (only one in use)
>
> MySQL server is exactly the same as the PF server, but only running MySQL.
>
> With this setup I am running about 100 MySQL queries a second (steady, bursting higher). I currently have 10,492 registered devices and 11,541 un-registered devices.
>
> PF version 3.5.1

Likewise FWIW, we're running PF 3.6.1 and MySQL on a single VMware VM with:

4GB RAM
2 x virtual CPU
virtual disk files stored on a VMFS iSCSI SAN

As of this moment, there are 4,800 registered devices, 3,867 unregistered devices, and we seem to hover around 49-50 SQL queries/second. 100% VLAN-switching, no inline traffic. The VM's CPU usage hasn't surpassed 15% yet, including the spring registration rush which was also our PF rollout.

I imagine that the system load could be dependent on what types and quantities of switches and wireless network gear you have, but at least in our environment I've been mildly surprised at how frugally our PF VM is using the available resources...

-Arthur
Re: [PacketFence-users] Packet fence with 3 interfaces
On 2/27/13 5:53 PM, Fabrice DURAND fdur...@inverse.ca wrote:

> [38.xxx.xxx.152]
> dns=128.xxx.xxx.9
> gateway=38.1xxx.xxx.153
> ...
> netmask=255.255.255.254
> ...
> [interface eth2]
> enforcement=inline
> ip=38.xxx.xxx.153
> type=internal
> mask=255.255.255.254

There are a gazillion people studying for their Cisco CCNA right now cringing when they see in writing the subnet mask of 255.255.255.254! Per their textbook, the smallest *usable* subnet block is a /30, or mask 255.255.255.252. Even on a point-to-point link, you still need an IP address for:

The network itself: 38.xxx.xxx.152
Your host: 38.xxx.xxx.153
The remote host (gateway): 38.xxx.xxx.154
Broadcast: 38.xxx.xxx.155

This is where I'd start troubleshooting...

-Arthur
Re: [PacketFence-users] Setting up PacketFence Newbie
Gavin Pyle gp...@greenriver.edu wrote:

> Oh and you probably also need to issue the following commands if on a RH or CentOS system:
>
> chkconfig mysql on
> service mysql start

The server package is mysqld on both of the above lines. :-)

Depending on the package source, I have seen MySQL installers set up the software so that it can be accessed only by the local machine. This may be the problem with Josh's XP VM.

Regarding where to run MySQL, the choice between an ancient desktop OS at the end of its support lifetime versus an enterprise, server-grade OS should be seriously considered if you plan to use PF in production...

-Arthur
Re: [PacketFence-users] Problems with Guest Sponsor Login portal
Durand Fabrice fdur...@inverse.ca wrote:

> PacketFence is not able to find t...@mydomain.com in your ldap. So i suppose that your $LDAPUserKey is false.

If the LDAP directory you are using is Microsoft AD, I had problems with some of the recommended PF defaults for LDAP authentication. If I recall correctly, this was the problem line:

my $LDAPSponsorUserKey = "userPrincipalName";

In AD, userPrincipalName looks an awful lot like an e-mail address with its logo...@domain.tld format. If your mail system uses any other e-mail address format (such as first.l...@domain.tld), this line causes the sponsor verification to fail upon LDAP logon because it isn't the same as the mail field. These are the current lines from our running ldap.pm file:

my $LDAPUserKey = "sAMAccountName";
my $LDAPSponsorUserKey = "mail";

Let me throw in a disclaimer that I did some testing of the sponsorship feature with these settings, but we decided not to deploy the option for the time being. I don't think it was ever tested in our final deployment, so YMMV...

-Arthur
Re: [PacketFence-users] Import nodes in packetfence
Arthur Emerson III arthur.emer...@msmc.edu wrote:

> You may have to script something with:
>
> /usr/local/pf/bin/pfcmd person add [pid]
>
> to populate the person table from the PID column of your CSV file as the first step, and then script the node addition with a second call to pfcmd to create the node. It really isn't more than a few lines of BASH shell script to do this from the command line, if somebody else doesn't have a cleaner solution...

I just looked at the web interface's bulk import screen this morning, and saw that the file format it accepts is only a list of MAC addresses, not a CSV file. :-(

Assuming that you only want to run this as a one-time import, the script below will do the job albeit slowly. Format the input file as below, and stick it in /tmp/file.csv:

01:11:22:33:44:55,user1,
01:23:45:67:89:01,user2,

(If you can create the file as a Unix/Linux text file with LF line terminators instead of CR/LF, you can omit the ending comma.)

With the CSV file in place, type this at a root shell prompt:

cat /tmp/file.csv | while read line
do
  mac=`echo "$line" | cut -f1 -d,`
  pid=`echo "$line" | cut -f2 -d,`
  /usr/local/pf/bin/pfcmd person add "$pid"
  /usr/local/pf/bin/pfcmd node add "$mac" status=\"reg\",pid=$pid
  echo "Registered $mac to user $pid..."
done

It added about one MAC address per second when I just ran it on our live PF server. If you just want to do an initial one-time import and nobody has a better solution, this will work as a last resort...

-Arthur
Re: [PacketFence-users] Import nodes in packetfence
Saqib Haleem saqib.hal...@ncp.edu.pk wrote:

> I want to import nodes in bulk to packetfence for pre-registration. I already have a list of mac addresses of all the authorized computers. I want to import those mac addresses with person identifiers (Pids) instead of the default pid 1, so that I have a record of each mac address with its person identifier.

I am far from the PF expert, but will ask if the PID you're trying to import with the node already exists in the person table? In all of my testing to date I have not found a way to create/edit a node's PID unless the target PID is already in the person table. The list archives also point to several others who have found node creates not happening as expected due to missing PID entries.

> Is there any method available to import person records from active directory?

I take it that getting every single person to login to PF to create their person record defeats the purpose of pre-registering the nodes? :-)

Making PF's captive portal authenticate against AD is possible, and it creates the base person PID record when they logon for the first time. Annoyingly, this process does not populate names or any of the other AD fields in PF's person table that I have seen. :-(

You may have to script something with:

/usr/local/pf/bin/pfcmd person add [pid]

to populate the person table from the PID column of your CSV file as the first step, and then script the node addition with a second call to pfcmd to create the node. It really isn't more than a few lines of BASH shell script to do this from the command line, if somebody else doesn't have a cleaner solution...

-Arthur
Re: [PacketFence-users] Trying to test PacketFenceESX on ESXi 5
steve hinkley shink...@durhamnet.ca wrote:

> Can't get a NIC on PacketfenceESX on ESXi 5 any ideas?

If you are using the 3.6.0 ZEN VM distribution, it is working fine for us on VMware ESXi 5.0. The adapters are configured as VMXNET3 if that helps.

VMware has a gotcha with RedHat-based VMs being copied to new hosts. When VMware changes the MAC address(es) of the NIC(s) during cloning or copying, RHEL still has the old ones in its config files. The result is that it creates new NIC device(s) in Linux. On my system, the two NICs are eth3 and eth4 (and not eth0, eth1 or eth2). I've seen the issue before with other cloned CentOS VMs, so I just fixed it out of habit. Here are three different articles describing fixes:

http://blog.agilinix.com/2011/10/no-ethernet-device-after-cloning-centosrhel-vm/
http://alexcline.net/2011/11/15/reconfiguring-network-interfaces-in-centosrhel-systems-cloned-with-vcenter/
http://www.cyberciti.biz/tips/vmware-linux-lost-eth0-after-cloning-image.html

I regret not writing down the exact steps used to get it working and filing a PF documentation addendum, so please consider doing so if you have the time...

-Arthur

-
Arthur Emerson III          Email: emer...@msmc.edu
Network Administrator       InterNIC: AE81
Mount Saint Mary College    MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.             Fax: (845) 562-6762
Newburgh, NY 12550          SneakerNet: Aquinas Hall Room 11
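A quick check for the cloning gotcha described above, added here as an example and not taken from the post or the linked articles: it lists every ifcfg file whose pinned HWADDR matches no interface the kernel currently sees, which is exactly the state that produces the stray eth3/eth4 names. The IFCFG_DIR and SYSNET overrides are assumptions so it can run against sample directories; the RHEL/CentOS 5 and 6 file locations are standard.

```shell
#!/bin/sh
# Added example, not from the post or the linked articles. On RHEL/CentOS 5
# and 6 the old MAC survives a clone in the HWADDR= line of
# /etc/sysconfig/network-scripts/ifcfg-ethN (and in the udev persistent-net
# rules), so the cloned NIC gets a new ethN name. This check lists the ifcfg
# files whose HWADDR matches no NIC the kernel currently sees.
# IFCFG_DIR and SYSNET are assumed overrides so it can run on sample dirs.
IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network-scripts}"
SYSNET="${SYSNET:-/sys/class/net}"

# Print "file: HWADDR xx not present on any NIC" per stale config; exit 1 if
# any was found, 0 when every pinned HWADDR is backed by a real interface.
stale_hwaddr() {
    stale=0
    for f in "$IFCFG_DIR"/ifcfg-*; do
        [ -f "$f" ] || continue
        # HWADDR may be quoted or bare; compare in lowercase
        want=$(sed -n 's/^HWADDR=["]*\([0-9A-Fa-f:]*\).*/\1/p' "$f" | tr 'A-F' 'a-f')
        [ -z "$want" ] && continue           # no HWADDR pin, nothing to check
        found=0
        for addr in "$SYSNET"/*/address; do
            [ -f "$addr" ] || continue
            if [ "$(tr 'A-F' 'a-f' < "$addr")" = "$want" ]; then
                found=1; break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "${f##*/}: HWADDR $want not present on any NIC"
            stale=$((stale + 1))
        fi
    done
    [ "$stale" -eq 0 ]
}
```

Run it on the cloned VM before touching the udev rules; a clean exit means the eth naming problem lies elsewhere.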
