Re: [PacketFence-users] Session-Timeout.

2014-09-02 Thread Arthur Emerson III
On Sep 2, 2014, at 10:19 AM, Tim DeNike tim.den...@mcc.edu wrote:

> If I wanted to assign a Session-Timeout for the registration network (To boot
> campers), where would the best place be for me to do that?

Can you devise a method to automatically set a violation on them???

Our typical campers are repeat devices, such as outside contractors'
employees and helicopter parents who are here every day.  There also
seem to be a lot of Epson and HP wifi printers showing up in the dorm
areas this year.  Setting a violation on them after a pre-defined 
self-registration opportunity window seems to be the best way to handle
our situation.  I'm looking at the PF 3.6 => 4.4 upgrade in the next few
weeks, and would like to add this functionality before I go live with
4.4 if it is possible...

-Arthur

-
Arthur Emerson III         Email:      emer...@msmc.edu
Network Administrator      InterNIC:   AE81
Mount Saint Mary College   MaBell:     (845) 561-0800 Ext. 3109
330 Powell Ave.            Fax:        (845) 562-6762
Newburgh, NY  12550        SneakerNet: Aquinas Hall Room 11


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] PF 4.4 release date?

2014-08-28 Thread Arthur Emerson III
On Aug 28, 2014, at 8:33 AM, Fabrice DURAND fdur...@inverse.ca wrote:

> wait for the 4.4, we included vlan filter based on the radius request so you
> will be able to write your own rules based on all the radius attributes.

Fabrice,

How long of a wait are we talking about for 4.4?  I just grabbed the 4.3
ZEN image yesterday to start our PF 3.61 -> 4.x upgrade, and am wondering
if I should hold off if the 4.4 release is imminent in the next few 
weeks...

-Arthur



Re: [PacketFence-users] Unusual DHCP Traffic Levels

2014-08-24 Thread Arthur Emerson III
On Aug 22, 2014, at 8:58 PM, Tim DeNike tim.den...@mcc.edu wrote:

> Unplug it?  :)
>
> So it's just generating traffic to the registration portal?  Does the traffic
> really matter?

No, but the web server log files grow fast enough where it could be
considered a DoS on some networks.  Oh, and unplugging it only works
if it is connected to a wired port.  If it is a wireless device, the
Bypass VLAN setting for an individual node on PF 3.6 will certainly
/dev/null the rogue device onto an unrouted segment.

Jake's list forgot my personal favorite PoE :-) adapter cable:

http://i791.photobucket.com/albums/yy193/vreihen/E3A904DF-672F-44A6-8650-BB425724433B_zpsdekymwqm.jpg

On a serious note for those of us in academia, we made a procedure
change here that now has all students coming to campus on one day
instead of spreading it across two days.  The result is that
our default /24 registration VLAN is full of campers who either
didn't register yet or are parents/siblings with smartphones set
to auto-associate to an SSID and never intend to register.  If
you haven't done so yet and aren't watching your students check in
while reading this, now would be a good time to increase your
own registration VLAN to a /22 or larger to accommodate this
situation on your own campus...

-Arthur



Re: [PacketFence-users] RADIUS Access-request but no Access-accept

2014-08-22 Thread Arthur Emerson III
On Aug 20, 2014, at 12:24 PM, Sallee, Jake jake.sal...@umhb.edu wrote:

> You guys are awesome!  It was the RADIUS secret, there was a space that
> somehow got at the end of the radius secret on the switch ... apparently
> Cisco interprets the white space at the end of the radius server key as part
> of the key itself.

I wanted to add a second thank you to Jake for pointing the white space
problem out!  We have had one Cisco 2960 stack (of many) that refused to
do MAB, even though the config was cut/pasted from a running stack.
Re-typing all of the SNMP account stuff manually fixed our problem as
well.  Is this worthy of a note in the Cisco section of the devices
manual???

-Arthur
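
The failure discussed in this thread, as an added example that is not part of the original messages: a check for RADIUS keys with trailing whitespace in a pasted switch config, plus a demonstration of why the mismatch shows up as an Access-Request with no Access-Accept. It assumes the switch includes a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, which the server verifies and silently discards on mismatch); the config lines, the secret and the MAC-style user name are constructed.

```python
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed sample of a pasted IOS-style config; the trailing blanks are deliberate.
SAMPLE_CONFIG = (
    "radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key s3cret \n"
    "radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key s3cret\n"
    "radius-server key s3cret\t\n"
    "interface GigabitEthernet1/0/1\n"
)

# Everything after "key" up to the end of the line is captured as the key.
KEY_LINE = re.compile(r"^\s*radius-server\b.*?\bkey\s+(?P<key>.*)$")


def keys_with_trailing_whitespace(config_text):
    """Return (line number, repr of key) for every key that ends in whitespace."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = KEY_LINE.match(line)
        if match and match.group("key") != match.group("key").rstrip():
            findings.append((lineno, repr(match.group("key"))))
    return findings


def attribute(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(user_name, secret, identifier=1):
    """Build an Access-Request signed the way the sending device would sign it."""
    attrs = attribute(ATTR_USER_NAME, user_name)
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # 16-byte Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet, secret):
    """Return True/False for the signature, or None if the attribute is absent."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 16 bytes")
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return None


def server_accepts(switch_key, server_secret):
    """True when a request signed with switch_key verifies under server_secret."""
    packet = build_access_request(b"001122334455", switch_key.encode())
    return verify_message_authenticator(packet, server_secret.encode()) is True


if __name__ == "__main__":
    for lineno, key in keys_with_trailing_whitespace(SAMPLE_CONFIG):
        print(f"line {lineno}: key {key} ends in whitespace")
    print("pasted key accepted:", server_accepts("s3cret ", "s3cret"))
    print("retyped key accepted:", server_accepts("s3cret", "s3cret"))
```
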



Re: [PacketFence-users] VoIP vs non-VoIP VLAN's/networks

2014-08-08 Thread Arthur Emerson III
On Aug 7, 2014, at 5:58 PM, Boris Epstein borepst...@gmail.com wrote:

> Throughout the PacketFence Network Devices Configuration Guide (
> http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Network_Devices_Configuration_Guide-4.3.0.pdf
> ) there are numerous references to VoIP VLAN's. What are the differences
> between them and non-VoIP VLAN's?

A common VoIP implementation has the phone plugged into a switch port,
and then a computer plugged into the VoIP phone via a switch/hub
integrated into the phone.  They usually use two different VLANs, and
sometimes the phone even strips the VLAN tags off for the connected PC
as it passes the data through.  Having two different devices plugged
into one switch port with some switch vendors' MAC authentication tools
may require special handling, hence the with-VoIP and without-VoIP
settings on those switches...

-Arthur



Re: [PacketFence-users] Wake on LAN with PacketFence (Extreme Network Switches)

2014-08-08 Thread Arthur Emerson III
On Aug 8, 2014, at 10:23 AM, Stormont, Stephen (IMS) stormo...@imsweb.com wrote:

> We finally got PacketFence up and running with some great help from Tim, but
> are now having an issue with Wake on LAN.  Desktop PCs are in the 172.22.34.x
> subnet after PacketFence registration (this is the same subnet they had been
> in before we implemented PacketFence).  Now the PCs sit in the 172.22.38.x
> (MAC_Registration) subnet when off.  Wake on LAN requests are no longer being
> sent to those PCs and we can't quite figure out where the disconnect lies.

The disconnect lies in the fact that standard WoL packets are
ethernet frames on a local L2 segment, and not IP packets that
can be routed by L3.  You need to send them via whatever VLAN
your computers are switched to when powered off.  (There are
some ways to make them cross subnets, but I suspect that you are
not using one of them.)

I'm trying to blank out my Extreme days, but seem to recall
their switches having protocol-based VLANs as an option.
(config vlan_name protocol IP?) In other words, you could pull
IP traffic off of a port and send it via an IP VLAN, but leave
L2 packets like early NetWare pass through on the port's default
VLAN.  Just mentioning it as a possible additional hurdle with
the WoL broadcast packets.

> We don't have ip forwarding enabled on the 172.22.38.x subnet although we
> did have it on the 172.22.34.x subnet.  Could that be the issue?  Wouldn't
> enabling it on the MAC_Registration VLAN circumvent the PacketFence security?

It probably wouldn't completely circumvent it unless your Extreme
switch has the same gateway IP address that you're handing out via
DHCP on the MAC_Registration subnet, but it does enable a simple
escape should any user/computer/virus be smart enough to look for
an alternate gateway IP address...

-Arthur



Re: [PacketFence-users] Installing Packetfence on Amazon EC2

2014-07-03 Thread Arthur Emerson III
On Jul 2, 2014, at 6:58 PM, Moe Alsmadi malsm...@gmail.com wrote:

> I have been trying for days to install packetfence on an ubuntu instance on
> Amazon EC with no luck. Anyone can assist in a way or a document of how I can
> make that possible if it's possible.

Forgive my ignorance on Amazon EC cloud hosting, but one of the
requirements for PF in most environments is to sit on the local
layer 2 ethernet subnet (registration subnet) that clients will
initially be connecting on.  Does Amazon's hosting solution allow
you to do this?  If not, you will need to provide DHCP services on
the registration network (as a minimum), and the DHCP response will
need to hand out DNS server IP's that point at your PF box's fake
DNS server so that all of the redirects work...

-Arthur



Re: [PacketFence-users] Installing Packetfence on Amazon EC2

2014-07-03 Thread Arthur Emerson III
On Jul 3, 2014, at 9:17 AM, Moe Alsmadi malsm...@gmail.com wrote:

> It does allow you to create 2 subnets through their vpc Yes

Layer 2 subnets -- as in sits on your local ethernet with no routers
between your local network and the virtual interface in the cloud,
seeing raw ethernet (not IP) packets?  How do they tunnel this data???

-Arthur



Re: [PacketFence-users] Failed to Deploy OVF (PF ZEN)

2014-07-01 Thread Arthur Emerson III
On Jun 30, 2014, at 10:53 PM, Bradley, Timothy tbrad...@millerschool.org wrote:

> there is a networking issue with this zen image... it will not bind to any
> nics... anyone having this issue with 4.3 zen?

It is a RedHat problem with cloned VM's, which cause the image to keep
the old adapters and add the new (cloned) ones as higher eth# devices.
The list archives and Google have the fix instructions...

-Arthur



Re: [PacketFence-users] 4.3 Setup

2014-06-27 Thread Arthur Emerson III
On Jun 27, 2014, at 4:02 PM, Thomas, Gregory A thom...@uwp.edu wrote:

> First, I wanted to gather Name and Email, so I set up a new profile on the
> selected VLAN (and the default) with mandatory fields. Nothing shows up. The
> only thing I can think of is that it is due to my source being Active Directory.
> Yes, that should be in active directory, but throughout the year, Housing will
> have guests and camps, so collecting a name would be nice.

We are still running PF 3.61 here, so this may not apply to 4.3.

When a user registers via an Active Directory (AD) account, PF
does not populate any of the user fields in its own user database
besides the AD logon ID (sAMAccountName).  I do not know if this
is what you are encountering with your missing data.

For guests, camps, contractors, and other non-institutional users,
we make them self-register through the guest portal with SMS or
e-mail verification.  No AD account required, and all of the
names and contact info are populated in PF's user database.

I was forced to put PF into production to solve an emergency problem
that popped up, before I had finished configuring it.  The last
thing that I was working on before it went live was having both
the guest logon credentials and AD credentials both work as
authentication sources in the portal.  I chose to go with AD as
the only auth source when I could only get one or the other working,
meaning that the pre-arrival sponsor guest credential functions in
PF are not functional.  It's either AD (employee/student) or
self-registration as a guest on our networks.

We have also developed a unique guest policy that required a little
code tweaking.  Anyone who registers as a guest gets 3 days of
access, and then they are unregistered.  To prevent us from becoming
the ISP to the entire neighborhood, the unregistration process
sets a 30-day Guest Access Expired violation on the MAC address,
preventing immediate re-registration of any guest device that has
over-stayed its welcome (without spoofing the MAC)...

-Arthur



Re: [PacketFence-users] unregistering a device

2014-06-25 Thread Arthur Emerson III
On Jun 24, 2014, at 4:59 PM, Boris Epstein borepst...@gmail.com wrote:

> One issue still remains, though - when I unplug the cable for a node
> altogether the status of the corresponding port on the switch does not change
> even though it is supposed to go into the MAC verification VLAN. So this is
> what remains to be sorted out.

I was under the impression that the port only changed as a result of a
link up on the port -- not on a link down...
  
-Arthur



Re: [PacketFence-users] Ghost MAC Address

2014-06-25 Thread Arthur Emerson III
On Jun 24, 2014, at 4:45 PM, Thomas, Gregory A thom...@uwp.edu wrote:

> ...I type that in and it redirects to a page that says the MAC address is being
> authorized. It will then fail as it does not find an authorized MAC address in
> the system. If I refresh the browser, it will then display a different MAC
> address. I check the admin site and I can see that Packetfence has authorized
> the machine’s real MAC, and now has added this ghost MAC address which is not
> authorized. If I manually authorize this ghost address, the device will go
> right on through l you would suspect.

Stupid question - does the ghost MAC address start with 00:50:56
(VMware OUI)?  If so, your second connection is coming via NAT,
because the inline client is now live and has no reason to refresh
the registration page.  Try going to an Internet URL without the
ghost MAC registered and see if it works...

-Arthur



Re: [PacketFence-users] Apple iOS8 Generates random MACs

2014-06-19 Thread Arthur Emerson III
On Jun 18, 2014, at 4:41 PM, Fletcher Haynes fhay...@willamette.edu wrote:

> I'm also a developer, but am somewhat hesitant to put the iOS 8 beta on my
> personal iPhone. I'm strongly considering it in this case, though, cause if
> this does somehow end up causing problems on our network...well, I'd prefer
> to be able to fix them before students return in the fall. =)

I threw caution to the wind this morning, and installed iOS Beta 2
on my personal iPhone5.  No problems with Meru or PF so far, with
a footnote that it was already registered so I did not go through
the PF guest portal at all.

On the not-PF iOS front, Google Chrome crashes after a few seconds,
even with yesterday's update to fix iOS8 problems installed.  Pandora
works fine. :-)  The second reboot after installation caused it to 
pop up a blizzard of notification windows for old SMS messages that
I never opened because I don't use text messaging.  Long story short,
unless you have better tools available to do testing beyond my simple
basic usage test, I don't recommend installing it on anything but a
test device right now...

-Arthur



Re: [PacketFence-users] MAC Address Format

2014-05-16 Thread Arthur Emerson III
On May 16, 2014, at 2:21 PM, Curtis K. Larsen curtis.k.lar...@utah.edu wrote:
 
> I then connected my device and got the captive portal - so it did not work
> (which is what I expected).  So now the question... How do I keep the help
> desk and end users from registering nodes with the wrong format?  it seems
> there should be an error message that tells them that the format is not valid
> shouldn't there?  Let me know.

Client-side web browser validation is apparently what you're looking for.

I'll add a second question and ask if a feature request would be welcome
to convert the standard MAC address formats on the back end, rather than
torture the users with using the correct format (or *gasp!* individual MAC
byte fields that you can't cut/paste to) on the web form?  I've lost count
how many times I've had to convert MAC addresses from Microsoft's cut/paste
hyphens to colons when using PF's search boxes, and it gets annoying after
a while...

-Arthur
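
One way to do the back-end conversion asked about above, as an added example that is not PacketFence code: a server-side normalizer that accepts the common MAC notations (colons, Microsoft hyphens, Cisco dotted groups, bare hex), rejects everything else with an error the help desk can act on, and also covers the VMware OUI check (00:50:56) from the Ghost MAC thread above. The function names and sample addresses are constructed for illustration.

```python
import re

# One pattern per accepted notation; mixed separators match none of them.
ACCEPTED_FORMATS = (
    re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"),   # 00:50:56:ab:cd:ef
    re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}"),   # 00-50-56-AB-CD-EF (Windows)
    re.compile(r"[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"),  # 0050.56ab.cdef (Cisco)
    re.compile(r"[0-9a-f]{12}"),                     # 005056abcdef
)

VMWARE_OUI = "00:50:56"  # OUI named in the Ghost MAC thread


def normalize_mac(raw):
    """Return the address as lower-case colon-separated hex, or raise ValueError."""
    candidate = raw.strip().lower()
    if not any(pattern.fullmatch(candidate) for pattern in ACCEPTED_FORMATS):
        raise ValueError(f"not a recognised MAC address format: {raw!r}")
    digits = re.sub(r"[:.\-]", "", candidate)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_vmware_oui(raw):
    """True when the first three bytes are the VMware OUI."""
    return normalize_mac(raw).startswith(VMWARE_OUI)


def normalize_batch(entries):
    """Split pasted entries into normalized addresses and rejected input."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(normalize_mac(entry))
        except ValueError as err:
            rejected.append((entry, str(err)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of what a help desk might paste into a form.
    pasted = ["00-50-56-AB-CD-EF", "0050.56ab.cdef", " 005056ABCDEF\n",
              "00:50:56:ab:cd", "00-50:56-ab-cd-ef", "00:50:56:ab:cd:eg"]
    good, bad = normalize_batch(pasted)
    print("accepted:", good)
    for entry, reason in bad:
        print("rejected:", reason)
```
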



Re: [PacketFence-users] Rogue DHCP Alerts

2014-05-14 Thread Arthur Emerson III
On May 13, 2014, at 8:10 PM, Jason Frisvold xenoph...@godshell.com wrote:

> Are you sure they're not rogues?  We're seeing a lot of this on wireless
> and it appears to be misbehaving android phones...

Ditto here with PF 3.6 and certain Android devices, including one that
is issued to a co-worker.  I haven't dug into the problem much, but
suspect that the problem is that Android is trying to contact the last
DHCP server it spoke to when it wakes up, even though it is on a
different SSID/network.  PF's rogue DHCP detector sees those packets
addressed to an unknown DHCP server, and it sets off the rogue alarm
when in fact there's no server answering.  It seems to happen most
after we close for a break or long weekend, since the students go home
and then come back with phones that are still looking for their home
router's 192.168.1.1 DHCP server.

In many cases, I've noticed that the IP address history doesn't show
the offending device getting a valid DHCP address on our network, so
I just put them into 24-hour quarantine (send them to the timeout
corner) and they usually come back and work properly after that...

-Arthur
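
A triage helper for the situation suspected above, as an added example that is not PacketFence's rogue DHCP detector: it parses captured DHCP payloads and separates an unknown server that actually replied from one that was only named or addressed by a client, which is the pattern a stale home lease would produce. The sample traffic, the authorized server 10.1.1.1 and all function names are constructed; 192.168.1.1 is the home-router address mentioned in the message.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = bytes([99, 130, 83, 99])
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BROADCAST = "255.255.255.255"


def make_dhcp(op, msg_type, mac, server_id=None):
    """Build a minimal DHCP payload; used only to construct the sample traffic."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    fixed = struct.pack("!BBBBIHH16s16s64s128s", op, 1, len(chaddr), 0,
                        0x1234, 0, 0, b"", chaddr, b"", b"")
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(payload):
    """Extract op, client MAC, message type and server identifier (option 54)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("hardware address length exceeds chaddr field")
    options, pos = {}, 240
    while pos < len(payload) and payload[pos] != OPT_END:
        if payload[pos] == OPT_PAD:
            pos += 1
            continue
        if pos + 2 > len(payload) or pos + 2 + payload[pos + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[pos + 1]
        options[payload[pos]] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    server = options.get(OPT_SERVER_ID)
    mtype = options.get(OPT_MESSAGE_TYPE)
    return {
        "op": payload[0],
        "mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "msg_type": mtype[0] if mtype else None,
        "server_id": str(ipaddress.IPv4Address(server))
        if server and len(server) == 4 else None,
    }


def triage(events, authorized):
    """Map each unknown server IP to 'server-reply' or 'client-only'."""
    verdicts = {}
    for src_ip, dst_ip, payload in events:
        msg = parse_dhcp(payload)
        if msg["op"] == BOOTREPLY:
            if src_ip not in authorized:
                verdicts[src_ip] = "server-reply"  # something really answered
            continue
        named = {msg["server_id"], dst_ip} - {None, BROADCAST} - set(authorized)
        for ip in named:
            verdicts.setdefault(ip, "client-only")  # never downgrades a reply
    return verdicts


AUTHORIZED = {"10.1.1.1"}
# Constructed capture: (source IP, destination IP, DHCP payload).
SAMPLE_EVENTS = [
    ("0.0.0.0", BROADCAST, make_dhcp(BOOTREQUEST, 1, "02:00:00:00:00:01")),
    ("10.1.1.1", BROADCAST, make_dhcp(BOOTREPLY, 2, "02:00:00:00:00:01", "10.1.1.1")),
    # Phone renewing its home lease: unicast DHCPREQUEST to the old server.
    ("192.168.1.23", "192.168.1.1", make_dhcp(BOOTREQUEST, 3, "02:00:00:00:00:02")),
    # An unauthorized box that actually sends a DHCPOFFER.
    ("10.1.1.200", BROADCAST, make_dhcp(BOOTREPLY, 2, "02:00:00:00:00:03", "10.1.1.200")),
]

if __name__ == "__main__":
    for server, verdict in triage(SAMPLE_EVENTS, AUTHORIZED).items():
        print(server, verdict)
```

A "client-only" verdict only says that no reply from that address was captured; it is a hint for deciding which alerts to chase first, not proof that no server exists.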



Re: [PacketFence-users] Routed Networks and missing routes

2014-03-21 Thread Arthur Emerson III
On Mar 20, 2014, at 7:15 PM, Lupe Silva lupe.si...@gmail.com wrote:

> We have our own dhcp servers already setup so I do not want DHCP from PF, and I
> believe this is core of my issue.

You *do* want PF to provide DHCP services...but only to your registration
and possibly isolation VLAN.  Let your production network's DHCP server
handle the production network, with the appropriate PF listeners as you
currently have configured.  Since PF has (should have) an interface
directly on your registration VLAN, no routing is required and everything
just magically works.

If the problem is that you are not able to present the registration/isolation
VLAN to your remote sites and need to do it via routed subnets, perhaps
the best solution would be to set up a point-to-point L2 tunnel for these
VLANs using one of the Cisco tools since you have their hardware at
both ends?

> i.e:  route add -net 10.10.20.0/255 gw 10.1.20.1 dev eth0.2

FWIW, the last time that I looked at the CIDR spec, /255 was not a
valid IPv4 mask...

-Arthur



Re: [PacketFence-users] How to deal with violation

2014-03-12 Thread Arthur Emerson III
On Mar 12, 2014, at 3:37 PM, forbmsyn forbm...@gmail.com wrote:
 
> I was expecting it will be switched back to Isolation vlan after 10
> minutes, so that the device can be scanned again, but it didn't happen.
>
> Is there anything else I need to check?

At least with PF 3.6, the maintenance task that performs expirations
doesn't run every minute.  If you're looking at a stopwatch waiting
for exactly 10 minutes and zero seconds to pass, try being patient for
a while and see if the node gets locked out again after half an hour
or so.

Can PF scan it on the production network without having to go through
the captive portal again?  If so, perhaps the best path is to run the
scan on the production network and only re-quarantine if it fails
again.  If you aren't letting new clients on until they are clean,
you should probably also be checking old clients to ensure that
they remain clean after registration...

-Arthur



Re: [PacketFence-users] How to deal with violation

2014-03-11 Thread Arthur Emerson III
I believe that the common practice is to allow a small subset
of known networks required to update operating systems and virus
scanners through to your remediation or isolation VLAN.

I believe that there is also a PF setting that allows certain
violations to be overridden for a short period of time via the
captive portal, so that the client has access to the Internet long
enough to install patches.  If they don't, it nags them again and
ultimately shuts them down if they skip it too many times.  We don't
use the feature, so I cannot comment on the specifics or how it
works...

-Arthur

On Mar 10, 2014, at 7:03 PM, forbmsyn forbm...@gmail.com wrote:

> Hi experts,
>
> Can you please share with me your experience in dealing with the violation?
>
> In my case, when a violation was triggered after the Nessus scanning finished,
> the switch port was put into isolation vlan. At the same time there was a
> message shown on client's browser like below:
>
> Quarantine Established! Windows Patches Are Not Up-to-Date. Due to the threat
> this poses for other systems on the network, network connectivity has been
> disabled until corrective action is taken.
>
> The question is: Because the isolation vlan does not have internet access, how
> does the client address the problem, for example, download a patch?
>
> If I give the isolation vlan access to internet by connecting the isolation
> vlan to other vlan which has internet access, then the above warning message
> won't appear on client's system.
>
> How do I let the client know that their system has a security issue that they
> need to address, and at the same time they can have access to internet to fix
> the problem?
>
> What is your network design in your real scenario?
>
> Thanks a lot in advance.



Re: [PacketFence-users] Per SSID VLAN - Meru Networks

2014-03-11 Thread Arthur Emerson III
On Mar 6, 2014, at 10:20 AM, Tim DeNike tim.den...@mcc.edu wrote:

> We are on SD 5.3.xyz right now and RADIUS deauth does work.
>
> Drop this in a file called /usr/local/pf/lib/pf/SNMP/Meru/MC_MCC.pm
>
> Minus the cut lines obviously.  In switch config, you'll have the option for
> Meru MC_MCC.  It will do radius de-auths instead of the Telnet/SSH method.
> Much faster, much lighter weight.

Tim,

Do I have to do anything else to use the code that you provided?  I
dropped it in my PF 3.6 system in the path you specified, checked the
file permissions, and restarted all PF services.  When I checked in the
GUI switch configuration, Meru MC_MCC did not show up as an available
type.  I manually edited switches.conf, changing Meru::MC to 
Meru::MC_MCC for both Meru controllers, set both to Radius deauth
and restarted all PF services again, but a registration change still
would not be forced to the client.  Another fire popped up, so I had to
fall back to the original config and couldn't dig any deeper.

When I was looking at the logs, I noticed that the *original* deauth
code is throwing this error with Meru's 5.3 firmware:

Mar 11 13:21:07 pfcmd_vlan(3289) ERROR: Unable to deauthenticate 
aa:bb:cc:6a:17:43: Command response matched device error string at 
/usr/local/pf/lib/pf/SNMP/Meru.pm line 207 
(pf::SNMP::Meru::deauthenticateMacDefault)

Mar 11 13:21:07 pfsetvlan(2) WARN: Problem trying to run command: 
/usr/local/pf/bin/pfcmd_vlan -deauthenticate -switch 10.x.y.z -mac 
aa:bb:cc:6a:17:43 called from handleTrap. Child exited with non-zero value 255 
(pf::util::pf_run)

I suspected that there was something funky with deauth since we did the
Meru 5.3 upgrade a few weeks ago, and even checked to make sure that
the SSH tokens didn't get changed for the PF user.  Hence, the new-found
urgency to get the RADIUS deauth working while I still have a few days
of spring break left...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Per SSID VLAN - Meru Networks

2014-03-06 Thread Arthur Emerson III
On Mar 6, 2014, at 9:28 AM, Tim DeNike tim.den...@mcc.edu wrote:

 Awesome. I have a case open with them about that right now.   Spring
 break next week. I'll post a new module with radius deauth and that
 extract said sub soon!

Was RADIUS deauth the reason why we have to use ssh to force disconnects?
I thought that it was something missing from SNMP, but I'm probably going
crazy.  I know that it was a long-standing feature request in Meru's
product roadmap, and it would be nice if this was included in the V6
release.

As for upgrading to V6, we'll be sitting on the sidelines until
summer waiting to hear about problems encountered by early adopters.
Maybe it is just our user base, but we encounter weird connectivity
problems with a fresh handful of odd devices every time that a new
controller update is applied.

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Per SSID VLAN - Meru Networks

2014-03-06 Thread Arthur Emerson III
Thanks for sharing the code!  I'll put it on my to-do list of spring
break projects for next week, bumping the ever-tempting flee winter
for some place warm off of the bottom...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11


On Mar 6, 2014, at 10:20 AM, Tim DeNike tim.den...@mcc.edu wrote:

Actually, looking through the code, no patch will be required for MAC-based 
SSID evaluation, it's already there and should work (It already does with 802.1x)

We are on SD 5.3.xyz right now and RADIUS deauth does work.

Drop this in a file called /usr/local/pf/lib/pf/SNMP/Meru/MC_MCC.pm

Minus the cut lines obviously.  In switch config, you'll have the option for 
Meru MC_MCC.  It will do radius de-auths instead of the Telnet/SSH method.  
Much faster, much lighter weight.


^CUT^^^

package pf::SNMP::Meru::MC_MCC;

=head1 NAME

pf::SNMP::Meru::MC_MCC - Object oriented module to access MC series controllers

=head1 SYNOPSIS

Known to work with RADIUS deauth on System Director 5.3

=head1 STATUS

=cut

use strict;
use warnings;
use Log::Log4perl;

use base ('pf::SNMP::Meru');

sub description { 'Meru MC_MCC' }

sub deauthTechniques {
    my ($this, $method) = @_;
    my $logger = Log::Log4perl::get_logger( ref($this) );
    my $default = $SNMP::RADIUS;
    # Only the RADIUS method is mapped in this module.
    my %tech = (
        $SNMP::RADIUS => \&deauthenticateMacRadius,
    );

    # Fall back to RADIUS when no method, or an unmapped one, is requested.
    if (!defined($method) || !defined($tech{$method})) {
        $method = $default;
    }
    return $method,$tech{$method};
}

sub deauthenticateMacRadius {
    my ( $self, $mac, $is_dot1x ) = @_;
    my $logger = Log::Log4perl::get_logger( ref($self) );

    if ( !$self->isProductionMode() ) {
        $logger->info("not in production mode... we won't perform deauthentication");
        return 1;
    }

    $logger->debug("deauthenticate $mac using RADIUS Disconnect-Request deauth method");
    return $self->radiusDisconnect($mac);
}

=head1 AUTHOR

Tim DeNike tim.den...@mcc.edu

=cut

1;


^CUT^^^




Re: [PacketFence-users] Vlan was automatically switched.

2014-03-05 Thread Arthur Emerson III
On Mar 4, 2014, at 6:51 PM, forbmsyn forbm...@gmail.com wrote:
 
 However after about 10 minutes, the switch port which the device was plugged 
 in was changed to vlan 9 automatically.  I did not make any changes on 
 PacketFence, and did not get a chance to update the client device yet. I 
 think the device should still stay at vlan 3 until the problem is fixed. How 
 come the vlan of the switch port was changed? 

[snip]

 Mar 04 14:53:46 pfmon(0) INFO: running expire check (main::cleanup)
 Mar 04 14:53:46 pfmon(0) INFO: checking registered nodes for expiration 
 (main::cleanup)
 Mar 04 14:53:46 pfmon(0) INFO: checking violations for expiration 
 (main::cleanup)
 Mar 04 14:53:46 pfmon(0) INFO: violation 111 force-closed for 
 dc:0e:a1:8a:d4:8f (pf::violation::violation_force_close)

It appears that your violation had an expiration date/time when set...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




[PacketFence-users] PF Architecture Flowchart Poster?

2014-03-03 Thread Arthur Emerson III
Has anyone ever produced a poster-sized flowchart documenting how
the various modules used by PF interact with each other, switches,
clients, etc?  Something along the lines of what Microsoft provides
for their enterprise apps like Exchange or Lync:

http://www.microsoft.com/en-us/download/details.aspx?id=6797

The biggest barrier to entry with PF is knowing where to start, and
anyone who has been a member of this list for a few months or longer
can see all of the questions from potential deployment sites that don't
have the big picture of how everything interacts, where/how it should
be deployed in an existing network, and whether or not they should
deploy inline versus VLAN switching.  

I have never stumbled across something like this for PF, and was just
thinking that a simple poster explaining how everything interacts
would be useful to help people troubleshoot...and as a planning tool
to drive further adoption from those who are overwhelmed by the
different options available and give up because they think that PF
is too complex to implement without consulting help...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Question about Packetfence

2014-02-25 Thread Arthur Emerson III
On Feb 25, 2014, at 1:18 PM, Sallee, Jake jake.sal...@umhb.edu wrote:
 
 To answer your question about PF sending an email when a cable is unplugged, 
 the answer is, I do not know for sure but I do not think so.  
 
 The problem is that physical topology changes to the network are handled by a 
 different OSI layer than the one that PF normally uses.
 
 That is not to say that you could not fairly easily make such a feature if 
 you wanted to, but you would want to seriously investigate why you want such 
 a feature.  What problem are you trying to solve?  Is there another way to 
 address the problem.

I think that a better way to do this is to have each switch send an
SNMP trap to a network monitoring program separate from PF, which can
then filter the traps and send alerts via e-mail as needed based on
pre-defined rules.

One possible use of this type of alert is to monitor 24/7 devices like
large screen smart televisions being used for electronic signage, to
send an e-mail to your campus security/police when the ethernet cable
is disconnected if somebody decides that one of those TV's would be
better for watching football games in their living room.  Smart video
projectors hanging in class/conference rooms are another theft target
that could be similarly monitored for immediate security/police 
response...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] No connect on Virtual Interface with Registration-VLAN

2014-02-17 Thread Arthur Emerson III
On Feb 15, 2014, at 1:39 AM, Tim-Ole t...@izsr.de wrote:

 
 The client is at port 2.

[snip]

 So, we sat port 2 and port 8 on the Netgear to tagged w/VLAN 20
 (= the registration VLAN). 


Port #2 (client) should be *untagged*.  PF's VLAN enforcement will tell
your switch to change the port from the registration VLAN (untagged) to
the production VLAN (untagged) when the client is authenticated...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Ping client from outside vlan iptables problem

2014-02-12 Thread Arthur Emerson III
I don't use inline mode, but am under the impression that it works
using NAT.  If I am correct, your initial observation is exactly
what should be expected in a healthy NAT configuration!

This PF FAQ entry may be of interest:

http://www.packetfence.org/support/faqs/article/how-can-we-route-instead-of-nat-through-packetfence-in-inline-enforcement.html

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11


On Feb 12, 2014, at 3:31 PM, David Rice rice.dav...@gmail.com wrote:

So, it looks like the issue I am having is that traffic in iptables isn't 
forwarding the outside traffic to the registered devices inside of the 
packetfence vlan.  I was able to allow all outside traffic to forward 
regardless of whether the device was registered or not, but allowing it to 
forward only to registered devices has been a bit tricky.

Is there anyone that has any ideas?


On Tue, Feb 11, 2014 at 3:55 PM, David Rice rice.dav...@gmail.com wrote:
Hello,
I recently ran into an issue.  I would like to be able to ping to devices in a 
PacketFence (inline mode) vlan.  Something in the iptables rules is preventing 
me from doing this.  I am able to ping from the device inside the vlan out, but 
I can't ping from outside the vlan back in.  When I stop iptables rules it is 
able to complete the ping, so it is something specific with iptables, but I 
don't know what.

any help would be appreciated.

--
David Rice




Re: [PacketFence-users] Sponsor no allowed to access the activation link

2014-01-17 Thread Arthur Emerson III
Assuming that the link sent to the sponsor has an encrypted token
(like the message sent to users during self-registration to confirm
their e-mail address is valid), I think that this is a reasonable
feature request for the production branch.

Somebody might even be crazy^H^H^H inclined :-) to think that also
providing a configurable second option of having a Cc: of all sponsor
e-mails sent to their help desk staff would be a nice additional
feature, so that the help desk folks could also click on the link to
approve the access in absence of the sponsor without having to give
the help desk staff access to PF's management interface...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11


On Jan 17, 2014, at 10:15 AM, forbmsyn forbm...@gmail.com wrote:

Hi Fabrice,

Because the link was sent to the sponsor's email so the sponsor is supposed to be 
responsible for the action.

But I think your concern is reasonable too. I just wanted to know if there is 
such a config to simplify the procedure because our management team was asking.

Thank you!

Regards,
Jacky

On Fri, Jan 17, 2014 at 8:04 AM, Fabrice DURAND fdur...@inverse.ca wrote:
But how do you check that the guy who clicks on the link is the real sponsor?

Fabrice




Re: [PacketFence-users] PFDNS The saga continues

2013-12-11 Thread Arthur Emerson III
On Dec 9, 2013, at 10:20 AM, Sallee, Stephen (Jake) jake.sal...@umhb.edu 
wrote:
 
 All the crashes have been ~3:30am, it may be that is when PF is doing its log 
 rotations, compressions, etc. and the CPU may be getting taxed causing the 
 system clock to drift outside  of some critical zone causing the DNSSec 
 portion of PFDNS to crash.

Silly question - did you check to see if oom-killer needed to free RAM
during the log rotate process, and decided that PF's DNS daemon was
going to be the victim?

If you have PF running on a VM, I guess that you could throw some
more RAM at it and see if it fails again.  Then again, it is the end
of the semester, and this may only be a placebo fix if the real cause
is network load or a rogue client that will soon be gone for a month
or so...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] 802.1x support on a Cisco Catalyst 6500 platform

2013-11-20 Thread Arthur Emerson III
On Nov 19, 2013, at 9:27 PM, Thomas Tsai tt...@canyonpartners.com wrote:

 But… has anyone had any luck on doing this?  Has anyone tried using the 4500 
 series module or some other fashion?

FWIW, our 4500 series switch seems to have a lot in common with Cisco's 3750x
stackable switches.  I don't deal with them enough to know if they share the
same firmware files, though.  Don't know anything about the 6500, but
suspect that it isn't the same hardware generation as the 4500 and 3750x...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11



Re: [PacketFence-users] PFDNS crashing every few seconds HELP! [UPDATE]

2013-08-26 Thread Arthur Emerson III
Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote:

Strange. I wonder why ntp would affect pfdns ... I double checked and
everything seems right, thanks for the heads up though.

DNSSEC requires an accurate time reference, per ISC and Bind9.
Does pfdns have DNSSEC support (or unused DNSSEC code) in it?
Just grasping at straws to see if this explains the problem
you're seeing...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Upgrade to 4.0.5-2 status and lingering issues

2013-08-15 Thread Arthur Emerson III
On 8/13/13 11:36 AM, Jason Frisvold xenoph...@godshell.com wrote:


HEY DEVS : THIS LIST SHOULD BE IN A DATABASE AND HAVE A GUI INTERFACE TO
UPDATE!  Just sayin...  :)

...and a checkbox to ignore it and just register any MAC address that
the user inputs.  Just my $0.02, which I suspect rounds down to zero
under Canada's new penniless cash-rounding rules... :-)

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Register as a different user

2013-08-02 Thread Arthur Emerson III
David Rice rice.dav...@gmail.com wrote:
 
 Is there a way for someone in an administrative role to register
 a device as a different user?  Like, for example, the admin was
 setting up a computer lab, but they want the registered user to
 be the person that runs the lab.

Was the bulk import feature removed from PF 4.x?  It let you import
a whole lab, and specify who the owner was for the entire batch.

The one caveat is that the owner's person record needed to exist
in PF before running the import, but the same thing goes with changing
the owner of a node in PF 3.6.x...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] SMS activation issue [SOLVED]

2013-07-31 Thread Arthur Emerson III
Sallee, Stephen   (Jake) jake.sal...@umhb.edu wrote:
 
 So PF is fine ... it seems as though my IP has been blacklisted through
 spamhaus and several other spam list sites.  Well ... looks like I'm off
 to email land to get this fixed.

Dollars to donuts, one of your users fell for a phishing scam,
and their user account is being used by some enterprising chaps
from Nigeria to scam others.  If I'm correct, your outbound
mail queues will quickly reveal the offending user account.
Good luck with the cleanup...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11


 




Re: [PacketFence-users] SMS activation issue [SOLVED]

2013-07-31 Thread Arthur Emerson III
Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote:

I almost want to leave it, I have wanted to shut down SMTP from my public
NAT for a long time but each time I do, some users throw a fit because
they have software that wants to act as a SMTP server ... BUT ... this
way, it still doesn't work ... and, I can say I didn't do it.

Is that bad?

I have blocked all inbound and outbound port 25 traffic on
our networks for years, except for the legitimate SMTP servers.
We even use outbound port 25 traps from our firewall to
quarantine infected computers before other methods detect them.
If you Google around, you will find that most ISP's these days
block port 25, and tell their customers to relay through port
465 or 587 authenticated with whoever their mailbox provider
is.  There are dozens of web sites showing how to set up SMTP
relaying through a Gmail account.

Many moons ago, I served on a panel at a (USA) Federal Trade
Commission event about spam and e-mail authentication in
Washington, DC.  During a lunch break one day, I met a
network engineer from a branch of our military, and suggested
that everyone blocking port 25 at their border routers was
the cleanest fix to the spam problem.  He said good luck
with that, because the military doesn't even have a map of
their authorized SMTP servers and the last thing that he'd
want to do from a career perspective is block some general's
personal e-mail server.  Once the shock passed about the
military not knowing who is using their networks, I had an
even scarier thought.  These are the same people that are
keeping track of nuclear weapons!

We had problems with peer-to-peer piracy like many other schools,
but being a private institution are a little more hesitant than
a public school to block something that might annoy the students
without a good reason.  After years of playing DMCA take-down
games, I pulled a report from our packet shaper showing that
only 6 students were active P2P users.  There were not riots in
the hallways when they came back from Easter break and none of
their P2P software worked any more.

Anyway, let me bring all of this rambling back to a point.
My suggestion is to log everyone using port 25 for a week,
and see how many people are impacted.  If it is as few as I
suspect, do something that even our mighty military can't and
block port 25 on your network...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11
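
The week of port 25 logging suggested in the message above can be summarized
per host before any block goes in. The following is an added example, not code
from the original post or from PacketFence. It assumes firewall log lines in
the style of the netfilter LOG target; the sample lines, the "SMTP25" log
prefix and the authorized server addresses are all constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the only hosts allowed to use TCP/25 (constructed addresses).
my %smtp_servers = map { $_ => 1 } qw(192.0.2.25 192.0.2.26);

# Constructed sample lines in the style of the netfilter LOG target.
my @sample_log = (
    'Jul 22 08:01:10 fw kernel: SMTP25 IN=eth1 OUT=eth0 SRC=10.20.1.15 DST=198.51.100.7 PROTO=TCP SPT=51514 DPT=25',
    'Jul 22 08:01:11 fw kernel: SMTP25 IN=eth1 OUT=eth0 SRC=10.20.1.15 DST=203.0.113.40 PROTO=TCP SPT=51515 DPT=25',
    'Jul 22 08:01:12 fw kernel: SMTP25 IN=eth1 OUT=eth0 SRC=10.20.1.15 DST=203.0.113.41 PROTO=TCP SPT=51516 DPT=25',
    'Jul 22 09:30:00 fw kernel: SMTP25 IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=25',
    'Jul 23 14:02:45 fw kernel: SMTP25 IN=eth1 OUT=eth0 SRC=10.20.7.88 DST=198.51.100.7 PROTO=TCP SPT=49822 DPT=25',
    'Jul 24 14:03:02 fw kernel: SMTP25 IN=eth1 OUT=eth0 SRC=10.20.7.88 DST=198.51.100.7 PROTO=TCP SPT=49901 DPT=25',
    'Jul 24 16:20:31 fw kernel: SMTP25 IN=eth1 OUT=eth0 SRC=10.20.3.9 DST=192.0.2.25 PROTO=TCP SPT=50111 DPT=25',
    'Jul 24 16:21:00 fw kernel: SMTP25 IN=eth1 OUT=eth0 SRC=10.20.3.9 DST=198.51.100.9 PROTO=TCP SPT=50112 DPT=587',
);

# Count TCP/25 connections per source that neither come from nor go to an
# authorized SMTP server. Those are the hosts a port 25 block would affect.
sub tally_port25 {
    my ($lines, $allowed) = @_;
    my %seen;
    for my $line (@$lines) {
        next unless $line =~ /\bPROTO=TCP\b/ && $line =~ /\bDPT=25\b/;
        my ($day) = $line =~ /\A(\w{3}\s+\d{1,2})\s/                 or next;
        my ($src) = $line =~ /\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b/     or next;
        my ($dst) = $line =~ /\bDST=(\d{1,3}(?:\.\d{1,3}){3})\b/     or next;
        next if $allowed->{$src} || $allowed->{$dst};
        $seen{$src}{count}++;
        $seen{$src}{days}{$day} = 1;   # distinct days the host was active
        $seen{$src}{dsts}{$dst} = 1;   # distinct remote mail servers contacted
    }
    return \%seen;
}

# One line per affected host, busiest first. Many destinations in a short
# time is the pattern worth checking for an infected machine.
sub report {
    my ($seen) = @_;
    my @rows;
    for my $src (sort { $seen->{$b}{count} <=> $seen->{$a}{count} || $a cmp $b }
                 keys %$seen) {
        push @rows, sprintf("%-15s connections=%d days=%d destinations=%d",
            $src, $seen->{$src}{count},
            scalar keys %{ $seen->{$src}{days} },
            scalar keys %{ $seen->{$src}{dsts} });
    }
    return @rows;
}

print "$_\n" for report(tally_port25(\@sample_log, \%smtp_servers));
```

The number of rows in the report is the number of hosts that would notice the
block.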




Re: [PacketFence-users] 3.6.1 Gaming console self-registration problem

2013-07-30 Thread Arthur Emerson III
On 7/29/13 5:50 PM, Stephen Wittstruck switt...@mines.edu wrote:

Hi again Arthur,

Just found your Jan. 22 post, also.  Another good question raised, I
think.  Any updates?

If PF 3.6.1, I added lines 85 and 86 below to
/usr/local/pf/html/captive-portal/register-gaming-device.cgi

0084: if($result) {
0085:    my $cmd = $bin_dir."/pfcmd_vlan -reevaluateAccess -mac " . $device_mac;
0086:    my $output = qx/$cmd/;
0087:    pf::web::gaming::generate_landing_page($portalSession,$msg);
0088:    $portalSession->session->delete();

I'm not a programmer, but it works for us to solve the problem...


-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11
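
Lines 85 and 86 in the message above build a shell command string from
$device_mac and run it with qx. As an added example (not code from the original
post or from PacketFence), the same pfcmd_vlan call can be made without a shell
after checking the MAC format. normalize_mac, reevaluate_argv and run_reevaluate
are hypothetical helper names, the sample inputs are constructed, and whether
the CGI already validates the MAC earlier is not shown on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accept only the colon-separated form seen in the logs on this page
# (aa:bb:cc:6a:17:43). \A and \z anchor the whole string, so a trailing
# newline or any extra text causes a rejection.
sub normalize_mac {
    my ($mac) = @_;
    return unless defined $mac;
    return unless $mac =~ /\A([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\z/;
    return lc $1;
}

# Build the argument vector for pfcmd_vlan. Each element reaches the program
# as one argument, so no shell ever parses the MAC.
sub reevaluate_argv {
    my ($bin_dir, $mac) = @_;
    my $clean = normalize_mac($mac) or return;
    return ("$bin_dir/pfcmd_vlan", '-reevaluateAccess', '-mac', $clean);
}

# Run the command with list-form open (no shell) and return
# (exit_status, output). exit_status is undef when nothing was run.
sub run_reevaluate {
    my ($bin_dir, $mac) = @_;
    my @argv = reevaluate_argv($bin_dir, $mac)
        or return (undef, 'rejected MAC');
    return (undef, "$argv[0] is not executable") unless -x $argv[0];
    open(my $fh, '-|', @argv)
        or return (undef, "cannot run $argv[0]: $!");
    my $output = do { local $/; <$fh> };
    close($fh);
    return ($? >> 8, defined $output ? $output : '');
}

# Constructed inputs: one well-formed MAC and three that must be refused.
my @candidates = (
    'AA:BB:CC:6A:17:43',
    "aa:bb:cc:6a:17:43\n",
    'aa:bb:cc:6a:17:43 extra',
    'aabbcc6a1743',
);

for my $candidate (@candidates) {
    my @argv = reevaluate_argv('/usr/local/pf/bin', $candidate);
    (my $shown = $candidate) =~ s/\n/\\n/g;
    printf "%-26s => %s\n", "'$shown'", @argv ? join(' ', @argv) : 'REJECTED';
}

# On a host without PacketFence this reports that the binary is missing
# instead of running anything.
my ($status, $message) = run_reevaluate('/usr/local/pf/bin', 'AA:BB:CC:6A:17:43');
print defined $status ? "exit status $status\n" : "not run: $message\n";
```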




Re: [PacketFence-users] Re-visiting skip_mode?

2013-07-30 Thread Arthur Emerson III
On 7/29/13 4:40 PM, Stephen Wittstruck switt...@mines.edu wrote:

Hi Arthur,

I just saw your Jan. 10 post (I optimistically keep unread digest posts
in my inbox..)  You've raised some very interesting points and I'm
wondering if you received any replies or have any updates.

What we ultimately wound up doing is to enable the guest
self-registration system, with either SMS or external e-mail
confirmation required.  Default guest access is 24 hours,
and can be manually extended if the guest has their campus
sponsor call our help desk.

The big gotcha is permanent guests from the neighborhood,
who keep re-registering every time their access expires.
Our fix for that was a quick code tweak to PF that trips
a new violation called Expired Guest when the guest
access expires, putting them into a 30-day quarantine.  The
result is that they can only have guest access one day per
month, and have 29 days of timeout to go and find another
network in town to poach Internet access from.

I didn't submit the changes I made back to the PF project,
but will gladly share the changes against PF 3.6.1 if anyone
is interested in using this logic...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Delete account when the access duration of its first registred node is expired?

2013-07-23 Thread Arthur Emerson III
On 7/23/13 4:36 AM, Florian Mirkes f.mir...@technisat.de wrote:

At the moment when you create a guest with the settings Set access
duration the node gets unregistered after that time, but you can simply
register it again with the same access code.

We have developed an interesting guest policy that you might
wish to consider using.  When someone registers for guest access,
they can only register one device per limit setting in PF.  When
their guest access expires, we trigger a violation on the device
that expires in 30 days and throws them into quarantine.  The
result is that the device can only be used on our guest network
once every 30 days.  This prevents permanent repeating guests,
which I suspect is your goal.  It took only a few lines of
additional code in PF 3.6.1 to make this work...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Packetfence configuration

2013-07-19 Thread Arthur Emerson III
On 7/19/13 3:10 AM, Ulrich Guimbi ulrich.gui...@keynectis.com wrote:
 
 Can you forward me what you send because I delete my email of packetfence
 users lists every day

To clarify Jake's response:

1) Open a web browser.

2) Visit this page: http://www.packetfence.org/support/community.html

3) Pick any one of THREE publicly-available web archives of
   this list's posts.

4) Search for Jake's post and/or keyword 2960 to find his
   response.

The Cisco 2960 series is the most common network switch in
use around the world, and the archives contain many posts
detailing the mistakes that others have made configuring
this switch and what they needed to do to resolve their
problems...

-Arthur




Re: [PacketFence-users] eth1 won't enable on Packetfence ZEN 4.0.0 ESX while running Step2 on setup wizard

2013-05-16 Thread Arthur Emerson III
I haven't downloaded ZEN 4.0.0 yet.  Does this gotcha
from ZEN 3.6.0 still apply?

VMware has a gotcha with RedHat-based VMs being copied
to new hosts.  When VMware changes the MAC address(es)
of the NIC(s) during cloning or copying, RHEL still has
the old ones in its config files.  The result is that it
creates new NIC(s) device(s) in Linux.  On my system, the
two NICs are eth3 and eth4 (and not eth0, eth1 or eth2).
I've seen the issue before with other cloned CentOS VMs,
so I just fixed it out of habit.

Here's three different articles describing fixes:

http://blog.agilinix.com/2011/10/no-ethernet-device-after-cloning-centosrhel-vm/

http://alexcline.net/2011/11/15/reconfiguring-network-interfaces-in-centosrhel-systems-cloned-with-vcenter/

http://www.cyberciti.biz/tips/vmware-linux-lost-eth0-after-cloning-image.html

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11



From: Raymond Samonte mon_samo...@yahoo.com
Reply-To: packetfence-users@lists.sourceforge.net
Date: Wednesday, May 15, 2013 5:16 PM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] eth1 won’t enable on Packetfence ZEN 4.0.0 ESX while running Step2 on setup wizard

Hi to all,
I’m not yet done testing Packetfence ZEN 3.6.1 but here comes 4.0.0…. Here’s 
what I’ve done:
1.   Install Packetfence ZEN 4.0.0 ovf file on VMWare esxi 5.1 and power on 
VM.
2.   Login using root as user and p@ck3tf3nc3 as password.
3.   Manually configure IP address of eth1 (10.0.10.1 /24) and restart 
network (service network restart).
4.   Open browser and access web gui. (https://10.0.10.1:1443/configurator).
5.   Run wizard. Step 1 – VLAN mode.
6.   Step 2 – Assign eth1 as management.
a.   Create VLAN for Registration (eth1.2 – 192.168.2.10/24)
b.  Create VLAN for Isolation (eth1.3 – 192.168.3.10/24)
c.   Create VLAN for Guest (eth1.5 – 192.168.5.10/24)
7.   Then the problem occurs.
a.   Eth1.2, eth1.3, eth1.5 are enabled when created.
b.  Eth1 (physical) assigned as management cannot be enabled and it 
stays at “off” position.
8.   I continue the setup wizard until all steps are finished.
9.   Then I access the Packetfence Web Gui (https://10.0.10.1:1443/admin) 
and configure the switches, guest access and other settings.
10.   Finally, I restart the Packetfence VM (shutdown –r now) and when it boots 
up, I cannot access the web gui anymore (because eth1 is not enabled on setup 
wizard even though it is enabled when the packetfence boots up).
Eth1 === Management = Off Position (disabled) cannot be enabled.
Eth1.2 === Registration = On Position (enabled)
Eth1.3 === Isolation = On Position (enabled)
Eth1.5 === Guest = On Position (enabled)

Has anyone encountered the same problem as mine using the new Packetfence ZEN 
4.0.0?
Hope someone could help me on this.

Best regards,
Mon
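
Added example, not from the original posts or the linked articles: a read-only check for the cloned-VM situation described in the reply above, comparing the HWADDR pinned in each ifcfg file with the MAC address the kernel currently reports. The function names are hypothetical and the sample data is constructed; the default paths are the standard RHEL/CentOS initscripts and sysfs locations.

```shell
#!/bin/sh
# Added example (function names are assumptions, sample data is constructed).

# cfg_value FILE KEY: print the value of the last KEY=... line, unquoted.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# norm_mac MAC: lower-case so 00:0C:29 and 00:0c:29 compare equal.
norm_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f'
}

# check_cloned_nics [CFGDIR] [SYSDIR]
# Prints one line per problem:
#   STALE        ifcfg pins a MAC to a device name the kernel does not have
#   MISMATCH     device exists but carries a different MAC than ifcfg pins
#   UNCONFIGURED live NIC whose MAC appears in no ifcfg file (e.g. eth3, eth4)
check_cloned_nics() {
    cfgdir=${1:-/etc/sysconfig/network-scripts}
    sysdir=${2:-/sys/class/net}
    known=""
    for f in "$cfgdir"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(cfg_value "$f" DEVICE)
        mac=$(norm_mac "$(cfg_value "$f" HWADDR)")
        # Files without HWADDR (lo, VLAN sub-interfaces) are not pinned to a NIC.
        if [ -z "$dev" ] || [ -z "$mac" ]; then continue; fi
        known="$known $mac"
        if [ ! -r "$sysdir/$dev/address" ]; then
            echo "STALE $dev: ifcfg pins $mac but the kernel has no $dev"
        else
            live=$(norm_mac "$(cat "$sysdir/$dev/address")")
            if [ "$live" != "$mac" ]; then
                echo "MISMATCH $dev: ifcfg pins $mac, live NIC is $live"
            fi
        fi
    done
    for d in "$sysdir"/*; do
        [ -r "$d/address" ] || continue
        dev=${d##*/}
        if [ "$dev" = lo ]; then continue; fi
        live=$(norm_mac "$(cat "$d/address")")
        case " $known " in
            *" $live "*) ;;
            *) echo "UNCONFIGURED $dev: live NIC $live has no matching ifcfg HWADDR" ;;
        esac
    done
}

# make_clone_sample DIR: constructed files that mimic a freshly cloned VM,
# where the config still names eth0/eth1 but the kernel created eth3/eth4.
make_clone_sample() {
    mkdir -p "$1/cfg" "$1/sys/eth3" "$1/sys/eth4" "$1/sys/lo"
    printf 'DEVICE=eth0\nHWADDR="00:0C:29:AA:BB:01"\nONBOOT=yes\n' > "$1/cfg/ifcfg-eth0"
    printf 'DEVICE=eth1\nHWADDR=00:0C:29:AA:BB:02\n' > "$1/cfg/ifcfg-eth1"
    printf 'DEVICE=eth1.2\nVLAN=yes\n' > "$1/cfg/ifcfg-eth1.2"
    echo 00:50:56:11:22:03 > "$1/sys/eth3/address"
    echo 00:50:56:11:22:04 > "$1/sys/eth4/address"
    echo 00:00:00:00:00:00 > "$1/sys/lo/address"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--run" ]; then
    check_cloned_nics
fi
```

No output means every pinned HWADDR matches a live interface of the same name.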


Re: [PacketFence-users] Guest users stays at Normal VLAN

2013-04-25 Thread Arthur Emerson III
Raymond Samonte mon_samo...@yahoo.com wrote:
 
 But now I encounter another problem. Guest vlan doesn't
 have internet access.
 
 Should I edit the packetfence iptables to allow Guest vlan
 to access the internet?

PF can operate either in inline mode, or by changing VLANs
on switch and wifi hardware externally.  We're handling
all VLAN access restrictions at the network switch hardware.
The only thing that PF manages for us is the registration
and quarantine VLANs.  If you want PF to handle managing
your guest VLAN, this would be via inline mode settings and
I have honestly never even looked at those manual pages...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Guest users stays at Normal VLAN

2013-04-24 Thread Arthur Emerson III
Raymond Samonte mon_samo...@yahoo.com wrote:
 
 1. Why is it the guest pc is asking an IP Address on the Normal
 VLAN dhcp server while on the 10 minute grace period for email
 activation? is it how packetfence works?

Yes, this is normal.  PF gives 10 minutes of live access
so that the guest can retrieve their external e-mail to
get the validation link.  The only reason for this e-mail
that I can think of is to validate the guest provided their
correct e-mail address, and didn't just make something up
to get access.

 2. When I confirm the email and activate the guest access,
 it does not re-assign to guest vlan but stays on the normal vlan.

Did you un-comment the guest VLAN code in lib/pf/vlan/custom.pm ???

I believe that this is the code where VLAN decisions are made,
and it needs slight customization to use the guest and custom
VLANs.

 3. I configured the guest access to 30mins but it doesn't block
 the internet access after the 30 mins period. Packetfence cut the
 access to 40mins before going again to the registration vlan.

The VLAN behavior is what happened here as well out of the box
when a guest timed out and didn't validate.  [I have since made
a few changes to the PF code so that any guest account that
expires (whether validated or not) has a 30-day violation set
so that the device cannot be re-registered again.  In other words,
a device can be a guest more than once per month, which eliminates
perpetual guests who just keep re-registering as they expire.]

Timing-wise, I believe that the PF task that expires nodes does
not run every minute.  The node stays live until the next expire
run cycle after the node expires, which drove me crazy when I was
testing expirations anticipating stopwatch accuracy...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Upgrading from 3.6.0 to 3.6.1

2013-04-22 Thread Arthur Emerson III
Dan Nelson dnel...@nutracorp.com wrote:
 
 [root@fennel pf]# mysql -u root -p pf -v < db/upgrade-3.5.0-3.6.1.sql
 Enter password:
 --
 INSERT INTO `node_category` (category_id,name,notes) VALUES
(3,gaming,Gaming
 devices)
 --
 
 ERROR 1062 (23000) at line 5: Duplicate entry '3' for key 1
 
 Can someone help me with this?

I reported this problem and a suggested fix as issue # 1624 back
in January:

http://www.packetfence.org/bugs/view.php?id=1624


As you have discovered, it only happens to installations that have
added custom node categories prior to the 3.6.1 upgrade...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] VLAN assignment and Cisco switches

2013-04-17 Thread Arthur Emerson III
Matthew Pikusa ic3s...@gmail.com wrote:
 
 Problem:
 After using the registration portal, Packetfence does not change
 the VLAN assignment of the PC's port to the "Guest" VLAN.
 I am using a Cisco 3750G Stack with latest version of Packetfence.
 
 
 

Did you un-comment the guest VLAN code in lib/pf/vlan/custom.pm ???

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] ladp authentication

2013-04-07 Thread Arthur Emerson III
On 4/3/13 12:31 PM, Jeremy Schubert jschub...@shaw.ca wrote:

The example below is from the PF admin manual.
Is the ldapuser just a user I create that can bind to the directory?

Yes.  I believe that it needs the full LDAP Distinguished
Name (DN) to be spelled out.  For an AD example:

CN=John Smith,CN=Users,DC=domain,DC=org

And does ldap server refer to my domain controller?

Yes.

my $LDAPUserBase = "ou=People,dc=domain,dc=org";
my $LDAPUserKey = "uid";

You may want to change this to sAMAccountName instead of uid
for an AD server.

my $LDAPUserScope = "one";

May need to be sub, depending on your LDAP tree layout...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] /tmp/cgisess_* files filled disk

2013-04-07 Thread Arthur Emerson III
Derek Wuelfrath dwuelfr...@inverse.ca wrote:

For the moment, the easier thing to do would be a cronjob to get rid of
these files.
We implement a new way for handling these sessions using memcached.
That will be part of PF4

Thanks for the cron workaround suggestion.  It finished the cleanup
that I was performing manually all day.  If you are changing the
way that sessions are handled in 4.0, it probably doesn't make
sense at this point to fix the problem in 3.x.

As a heads-up to everyone, this issue has been around since PF 2.0
and may rear its ugly head at your site without warning some day.
You should probably install the cron workaround as provided in the
bug tracker:

http://www.packetfence.org/bugs/view.php?id=1142

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Cisco 3750X-POE SNMP 2C problem?

2013-04-03 Thread Arthur Emerson III
On 3/28/13 7:04 PM, Stephen Wittstruck switt...@mines.edu wrote:

P.s., what is the switch type you're using in switches.conf?  I've only
found one PF documentation for 3750's:

type = Cisco::Catalyst_3750

I set it up as a 2960, and followed the setup instructions for
stacked 2960/3750 switches on paper page #22 of the current
Network Devices Configuration Guide.  This is all that it
takes to get it working with MAC auth and SNMPv1:

[192.168.100.64]
type=Cisco::Catalyst_2960
mode=production
vlans=2,11,12,302,303,304,305
normalVlan=11
registrationVlan=302
isolationVlan=303
macDetectionVlan=304
guestVlan=305
customVlan1=11
customVlan2=2
customVlan3=2
customVlan4=11
deauthMethod=SNMP
cliTransport=SSH
SNMPCommunityTrap=**
SNMPUserNameTrap=
SNMPAuthProtocolTrap=
SNMPAuthPasswordTrap=
SNMPPrivProtocolTrap=
SNMPPrivPasswordTrap=
SNMPCommunityRead=***public***
SNMPCommunityWrite=**
SNMPEngineID=
SNMPUserNameRead=
SNMPAuthProtocolRead=
SNMPAuthPasswordRead=
SNMPPrivProtocolRead=
SNMPPrivPasswordRead=
SNMPUserNameWrite=
SNMPAuthProtocolWrite=
SNMPAuthPasswordWrite=
SNMPPrivProtocolWrite=
SNMPPrivPasswordWrite=
radiusSecret=**
controllerIp=


-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




[PacketFence-users] /tmp/cgisess_* files filled disk

2013-04-03 Thread Arthur Emerson III
PF 3.6.0 ZEN, upgraded to 3.6.1.  PacketFence appears to
be leaving cgisess_[long_hex_string] files behind in /tmp .
It apparently overflowed the maximum amount of files allowed
in an EXT3 directory overnight, as PF was complaining about
not having free disk space despite there being 8 gigs free
according to df.

Someone else encountered this problem with PF 3.2 last
July, but nobody responded to his question about whether
these files should be purged daily.  I'll ask again, and
also add a second question about whether there is an
automated/scheduled maintenance routine in PF that is
supposed to be taking care of these files but is not
working on my system for some reason?

As I discovered this morning, the system will DoS itself
sooner or later when it can't open any more session files,
and the ls command won't even work in the /tmp folder
with that many files...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11
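
Added example, not part of the original posts and not the workaround script from the bug tracker: one way to write the cleanup that the cron workaround mentioned in this thread calls for, using find instead of a shell glob so that it still works on a directory too large for ls. The function names, the 24-hour cutoff and the script path in the cron comment are assumptions, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: purge stale PacketFence CGI session files (cgisess_*).
# Function names, the cutoff and the install path are assumptions.
#
# Assumed cron entry (/etc/cron.d/pf-cgisess), hourly, 24 h cutoff:
#   0 * * * * root /usr/local/sbin/purge_cgisess.sh --run /tmp 1440

# count_sessions DIR
# Print how many cgisess_* regular files sit directly in DIR.
# find streams directory entries one by one, so it copes with directories
# where "ls" or "rm /tmp/cgisess_*" stalls or exceeds the argument limit.
count_sessions() {
    find "$1" -maxdepth 1 -type f -name 'cgisess_*' | wc -l | tr -d ' '
}

# purge_stale_sessions DIR MINUTES
# Delete cgisess_* files in DIR last modified more than MINUTES ago and
# print the number removed. Returns 2 on bad arguments.
purge_stale_sessions() {
    dir=$1
    max_age_min=$2
    case $max_age_min in
        ''|*[!0-9]*)
            echo "purge_stale_sessions: MINUTES must be a number" >&2
            return 2 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "purge_stale_sessions: no such directory: $dir" >&2
        return 2
    fi
    # -maxdepth 1  never descend into other directories under /tmp
    # -type f      skip symlinks and directories that merely match the name
    # -mmin +N     leave recently written (live) sessions alone
    find "$dir" -maxdepth 1 -type f -name 'cgisess_*' \
        -mmin "+$max_age_min" -print -delete | wc -l | tr -d ' '
}

# make_sample_dir: build a constructed /tmp look-alike for a dry run and
# print its path. Two session files are old, one is live.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch -t 201304020000 "$d/cgisess_0a1b2c" "$d/cgisess_3d4e5f" "$d/unrelated.tmp"
    touch "$d/cgisess_live"
    mkdir "$d/cgisess_dir"
    echo "$d"
}

# Act on a real directory only when asked to.
if [ "${1:-}" = "--run" ]; then
    purge_stale_sessions "${2:-/tmp}" "${3:-1440}"
fi
```

Logging the count that purge_stale_sessions prints gives an early warning if session files start accumulating faster than the job removes them.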




Re: [PacketFence-users] Cisco 3750X-POE SNMP 2C problem?

2013-03-26 Thread Arthur Emerson III
Stephen Wittstruck switt...@mines.edu wrote:

Has anyone successfully used PF with Cisco 3750X-POE switches?  PF isn't
getting a response for a SNMP 2C connection.

We have PF 3.6.1 running against a stack of WS-C3750X-48PF-S POE
switches, IOS version 15.0(2)SE [C3750E-UNIVERSALK9-M].  Our PF is
currently using SNMPv1, though.  (Upgrading to v2/v3 is already on
our summer project cleanup list.)

As a troubleshooting step, can you fall back to v1 and see if the
problem is with the switch or the v2c configuration???

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Unable to detect network connectivity.

2013-03-19 Thread Arthur Emerson III
berl...@firelands.com wrote:
 
 I think the problem might be with the snmp between the
 switch and packetfence, but I'm not positive. I've tried
 setting port-security snmp traps and up/down link traps
 and neither seem to work. I've also tried SNMP 1, 2c,
 and 3. I can do an snmpwalk from the packetfence server
 to the switch.

We have a few newer 3750's here, along with a lot of
stacked 2960's.  The instructions for stacked 29xx/3750
switches (paper page #22 in the manual) worked fine for
us, which is more or less what Fabrice wrote.

One thing that I did notice was that the third octet of
the switch's IP address was 25, but the trap receiver
you set in the switch (for the PacketFence management IP)
had a third octet of 250. Is this a typo, or is it
correct???

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11


 




Re: [PacketFence-users] Unable to detect network connectivity.

2013-03-19 Thread Arthur Emerson III
berl...@firelands.com wrote:
 
 So what interface should the snmp-server host be
 set to? The management one?

Yes!

 Does anyone have a 3750 config that works?

Here is a basic one that works for us.  Note that to keep
things simple for troubleshooting, it is using SNMPv1.
Also note that it is based on the 2960 stack config, which
works the same on our 3750's:

[192.168.100.64]
type=Cisco::Catalyst_2960
mode=production
vlans=2,11,12,302,303,304,305
normalVlan=11
registrationVlan=302
isolationVlan=303
macDetectionVlan=304
guestVlan=305
customVlan1=11
customVlan2=2
customVlan3=2
customVlan4=11
deauthMethod=SNMP
cliTransport=SSH
SNMPCommunityTrap=**
SNMPUserNameTrap=
SNMPAuthProtocolTrap=
SNMPAuthPasswordTrap=
SNMPPrivProtocolTrap=
SNMPPrivPasswordTrap=
SNMPCommunityRead=***public***
SNMPCommunityWrite=**
SNMPEngineID=
SNMPUserNameRead=
SNMPAuthProtocolRead=
SNMPAuthPasswordRead=
SNMPPrivProtocolRead=
SNMPPrivPasswordRead=
SNMPUserNameWrite=
SNMPAuthProtocolWrite=
SNMPAuthPasswordWrite=
SNMPPrivProtocolWrite=
SNMPPrivPasswordWrite=
radiusSecret=**
controllerIp=

Notice how little info it takes for this to work!  Once
you have it working for SNMPv1, you can then upgrade it
to one of the more secure versions.

 I don't have a firewall between the two. If I send the
 traps to my management port I see the snmp string in
 my packet capture, but I still get nothing in my
 snmptrapd.log.

 

If you are using SNMPv1, it sounds like the strings
you used on both ends for SNMPCommunityTrap don't match.
Don't forget to restart PF after editing any config file
or making GUI config changes!  When I was doing the
initial testing here, I rebooted the server after every
change just to make sure that everything came back up...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11
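
Added example, not from the original posts: a check for the two trap-path faults raised in this thread, a trap receiver on the switch that is not the PacketFence management IP, and a trap community that differs from SNMPCommunityTrap in switches.conf. The function names, addresses and community strings are constructed, and the switch input is assumed to be a saved copy of the IOS running configuration.

```shell
#!/bin/sh
# Added example (function names, addresses and communities are constructed).

# conf_value FILE SECTION KEY: value of KEY inside [SECTION] of switches.conf.
conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        { sub(/\r$/, "") }
        /^\[/ { insec = ($0 == sec); next }
        insec {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# trap_receivers IOS_CONFIG: print "host community" for every
# "snmp-server host" line (for SNMPv3 lines the second field is the user).
trap_receivers() {
    awk '
        { sub(/\r$/, "") }
        $1 == "snmp-server" && $2 == "host" {
            i = 4
            if ($i == "vrf") i += 2
            if ($i == "trap" || $i == "traps" || $i == "informs") i++
            if ($i == "version") i += ($(i + 1) == "3") ? 3 : 2
            if (i <= NF) print $3, $i
        }
    ' "$1"
}

# check_trap_path SWITCHES_CONF IOS_CONFIG SWITCH_IP PF_MGMT_IP
# Prints findings and returns 1 if traps cannot reach or be accepted by PF.
check_trap_path() {
    conf=$1; ios=$2; switch_ip=$3; pf_ip=$4
    want=$(conf_value "$conf" "$switch_ip" SNMPCommunityTrap)
    if [ -z "$want" ]; then
        echo "CONFIG: [$switch_ip] has no SNMPCommunityTrap in $conf"
        return 1
    fi
    result=0; seen=no; matched=no; others=""
    while read -r host comm; do
        [ -n "$host" ] || continue
        if [ "$host" = "$pf_ip" ]; then
            seen=yes
            if [ "$comm" = "$want" ]; then matched=yes; fi
        else
            others="$others $host"
        fi
    done <<EOF
$(trap_receivers "$ios")
EOF
    if [ "$seen" = no ]; then
        echo "RECEIVER: switch sends no traps to $pf_ip (configured receivers:${others:- none})"
        result=1
    elif [ "$matched" = no ]; then
        # Report the mismatch without echoing either secret.
        echo "COMMUNITY: trap community sent to $pf_ip differs from SNMPCommunityTrap"
        result=1
    fi
    return $result
}

# make_trap_sample DIR: constructed switches.conf and switch configs.
make_trap_sample() {
    cat > "$1/switches.conf" <<'EOF'
[10.0.25.10]
type=Cisco::Catalyst_2960
mode=production
SNMPCommunityTrap=Tr4pExample

[10.0.25.11]
SNMPCommunityTrap=OtherExample
EOF
    cat > "$1/switch-typo.cfg" <<'EOF'
snmp-server enable traps port-security
snmp-server host 10.0.250.5 version 1 Tr4pExample port-security
EOF
    cat > "$1/switch-badcomm.cfg" <<'EOF'
snmp-server host 10.0.25.5 version 2c tr4pexample port-security
EOF
    cat > "$1/switch-ok.cfg" <<'EOF'
snmp-server host 10.0.25.5 trap version 2c Tr4pExample port-security
EOF
}
```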




Re: [PacketFence-users] questions about use/design

2013-03-13 Thread Arthur Emerson III

Rachid Zarouali rzarou...@gmail.com wrote:
 
  2°) I assume we can make guest access (according the features), is
  it then possible to have only guest access to the internet with
  restricted ports and no other access to other resources in the
  network ? Not even pinging or scanning in the network ?
 
 maybe using packetfence in inline mode you can achieve it, i don't
 think you can do it with packetfence only in outband mode.
 
 = other may correct if i'm wrong ?

In VLAN-switching mode, this is all a function of the
wired network architecture.  Create a guest VLAN with all
of your restrictions, and have PF switch guests to it.
You may need to make a minor programming tweak to the
file lib/pf/vlan/custom.pm to make it switch to the
defined guest VLAN.  The code is in the file, but commented
out.

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] basic instalation questions

2013-03-08 Thread Arthur Emerson III
Stephen   (Jake) jake.sal...@umhb.edu wrote:
 
 For what it's worth here are my specs:
 
 PF Server (everything except MySQL)
 Dell R210
 8 GB RAM
 120 GB HD (RAID 1)
 1 x Intel(R) Xeon(R) CPU X3430  @ 2.40GHz
 2 x 1Gb Ethernet (only one in use)
 
 MySQL server is exactly the same as the PF server, but only running
MySQL.
 
 With this setup I am running about 100 MySQL queries a second (steady,
bursting higher). 
 
 I currently have 10,492 registered devices and 11,541 un-registered
devices.
 PF version 3.5.1
 

Likewise FWIW, we're running PF 3.6.1 and MySQL on a
single VMware VM with:

4GB RAM
2 x virtual CPU
virtual disk files stored on VMFS iSCSI SAN

As of this moment, there are 4,800 registered devices,
3,867 unregistered devices, and we seem to hover around
49-50 SQL queries/second.  100% VLAN-switching, no inline
traffic.  The VM's CPU usage hasn't surpassed 15% yet,
including the spring registration rush which was also
our PF rollout.

I imagine that the system load could be dependent on what
types and quantities of switches and wireless network gear
you have, but at least in our environment I've been
mildly surprised at how frugal our PF VM is using the
available resources...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11


 




Re: [PacketFence-users] Packet fence with 3 interfaces

2013-03-04 Thread Arthur Emerson III
On 2/27/13 5:53 PM, Fabrice DURAND fdur...@inverse.ca wrote:
 
[38.xxx.xxx.152]
dns=128.xxx.xxx.9
gateway=38.1xxx.xxx.153
...
netmask=255.255.255.254
...
[interface eth2]
enforcement=inline
ip=38.xxx.xxx.153
type=internal
mask=255.255.255.254



There are a gazillion people studying for their Cisco CCNA
right now cringing when they see in writing the subnet mask
of 255.255.255.254!  Per their textbook, the smallest *usable*
subnet block is a /30, or mask 255.255.255.252.  Even on a
point-to-point link, you still need an IP address for:

The network itself: 38.xxx.xxx.152
Your host:  38.xxx.xxx.153
The remote host (gateway):  38.xxx.xxx.154
Broadcast:  38.xxx.xxx.155

This is where I'd start troubleshooting...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Setting up PacketFence Newbie

2013-02-14 Thread Arthur Emerson III
Gavin Pyle gp...@greenriver.edu wrote:
 
 Oh and you probably also need to issue the following commands
 if on a RH or CentOS system:
 
 
 chkconfig mysql on
 service mysql start
 

The server package is mysqld on both of the above lines. :-)

Depending on the package source, I have seen MySQL installers
set up the software so that it can only be accessed by the
local machine only.  This may be the problem with Josh's XP
VM.

Regarding where to run MySQL, the choice between an ancient desktop
OS at the end of its support lifetime versus an enterprise,
server-grade OS should be seriously considered if you plan to
use PF in production...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Problems with Guest Sponsor Login portal

2013-02-07 Thread Arthur Emerson III
Durand Fabrice fdur...@inverse.ca wrote:
 
 PacketFence is not able to find t...@mydomain.com in your ldap.
 So i suppose that your $LDAPUserKey is false.

If the LDAP directory you are using is Microsoft AD, I had
problems with some of the recommended PF defaults for LDAP
authentication.  If I recall correctly, this was the problem
line:

my $LDAPSponsorUserKey = "userPrincipalName";

In AD, userPrincipalName looks an awful lot like an e-mail
address with its logo...@domain.tld format.  If your mail
system uses any other e-mail address format (such as
first.l...@domain.tld), this line causes the sponsor verification
to fail upon LDAP logon because it isn't the same as the
mail field.

These are the current lines from our running ldap.pm file:

my $LDAPUserKey = "sAMAccountName";


my $LDAPSponsorUserKey = "mail";

Let me throw in a disclaimer that I did some testing
of the sponsorship feature with these settings, but
we decided not to deploy the option for the time being.
I don't think it was ever tested in our final deployment,
so YMMV...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Import nodes in packetfence

2013-02-04 Thread Arthur Emerson III
Arthur Emerson III arthur.emer...@msmc.edu wrote:

You may have to script something with:

/usr/local/pf/bin/pfcmd person add [pid]

to populate the person table from the PID column of
your CSV file as the first step, and then script the
node addition with a second call to pfcmd to create
the node.  It really isn't more than a few lines of
BASH shell script to do this from the command line,
if somebody else doesn't have a cleaner solution...

I just looked at the web interface's bulk import
screen this morning, and saw that the file format
it accepts is only a list of MAC addresses, not a
CSV file. :-(

Assuming that you only want to run this as a one-time
import, the script below will do the job albeit slowly.

Format the input file as below, and stick it in
/tmp/file.csv:

01:11:22:33:44:55,user1,
01:23:45:67:89:01,user2,


(If you can create the file as a Unix/Linux text file
with LF line terminators instead of CR/LF, you can omit
the ending comma.)

With the CSV file in place, type this at a root shell
prompt:

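# Read MAC,PID pairs one line at a time; -r keeps backslashes literal
cat /tmp/file.csv | while read -r line
do
  mac=`echo "$line" | cut -f1 -d,`
  pid=`echo "$line" | cut -f2 -d,`
  # The person record must exist before a node can reference its PID
  /usr/local/pf/bin/pfcmd person add "$pid"
  /usr/local/pf/bin/pfcmd node add "$mac" "status=\"reg\",pid=$pid"
  echo "Registered $mac to user $pid..."
done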

It added about one MAC address per second when I just
ran it on our live PF server.  If you just want to do
an initial one-time import and nobody has a better
solution, this will work as a last resort...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11
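
The import loop from the message above with each CSV field checked before it reaches a root-run pfcmd, as an added example that is not part of the original post. The function names, the PFCMD override and the PID allow-list are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: validated bulk import via pfcmd.
# PFCMD can be overridden (e.g. PFCMD=echo for a dry run); that override and
# the PID allow-list below are assumptions of this example.
# Usage after sourcing this file: import_nodes /tmp/file.csv
PFCMD="${PFCMD:-/usr/local/pf/bin/pfcmd}"
CR=$(printf '\r')

# Exactly six colon-separated hex octets.
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Conservative allow-list: no whitespace, quotes, commas, '=' or shell
# metacharacters can reach the key=value string handed to pfcmd.
valid_pid() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$'
}

# import_nodes FILE -> 0 if every row was imported, 1 if any was rejected
# or failed. Rejected rows are reported on stderr and never passed to pfcmd.
import_nodes() {
  file=$1; n=0; bad=0
  while IFS=, read -r mac pid rest || [ -n "$mac" ]; do
    n=$((n + 1))
    mac=${mac%"$CR"}; pid=${pid%"$CR"}      # tolerate CR/LF line endings
    [ -z "$mac$pid" ] && continue           # skip blank lines
    if ! valid_mac "$mac" || ! valid_pid "$pid"; then
      echo "line $n: rejected, not passed to pfcmd" >&2
      bad=$((bad + 1)); continue
    fi
    # The person may already exist (one PID, several MACs): ignore its status.
    "$PFCMD" person add "$pid" </dev/null >/dev/null 2>&1 || true
    if "$PFCMD" node add "$mac" "status=\"reg\",pid=$pid" </dev/null; then
      echo "Registered $mac to user $pid"
    else
      echo "line $n: node add failed for $mac" >&2
      bad=$((bad + 1))
    fi
  done < "$file"
  [ "$bad" -eq 0 ]
}
```

Because the CR is stripped from both fields, the trailing comma described above becomes optional for CR/LF files as well.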




Re: [PacketFence-users] Import nodes in packetfence

2013-02-01 Thread Arthur Emerson III
Saqib Haleem saqib.hal...@ncp.edu.pk wrote:

I want to import nodes in bulk to PacketFence for pre-registration. I
already have a list of MAC addresses of all the authorized computers. I want
to import those MAC addresses with person identifiers (PIDs) instead of
the default PID 1, so that
I have a record of each MAC address with its person identifier.

I am far from the PF expert, but will ask if the PID
you're trying to import with the node already exists
in the person table?  In all of my testing to date I
have not found a way to create/edit a node's PID unless
the target PID is already in the person table.  The list
archives also point to several others who have found
node creates not happening as expected due to missing PID
entries.


Is there any method available to import person records from Active
Directory?

I take it that getting every single person to login to
PF to create their person record defeats the purpose of
pre-registering the nodes? :-)  Making PF's captive portal
authenticate against AD is possible, and it creates the
base person PID record when they logon for the first time.
Annoyingly, this process does not populate names or any
of the other AD fields in PF's person table that I have
seen. :-(

You may have to script something with:

/usr/local/pf/bin/pfcmd person add [pid]

to populate the person table from the PID column of
your CSV file as the first step, and then script the
node addition with a second call to pfcmd to create
the node.  It really isn't more than a few lines of
BASH shell script to do this from the command line,
if somebody else doesn't have a cleaner solution...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11




Re: [PacketFence-users] Trying to test PacketFenceESX on ESXi 5

2013-01-30 Thread Arthur Emerson III
steve hinkley shink...@durhamnet.ca wrote:
 
 Can't get a NIC on PacketfenceESX on ESXi 5 any ideas?
 

If you are using the 3.6.0 ZEN VM distribution, it is
working fine for us on VMware ESXi 5.0.  The adapters
are configured as VMXNET3 if that helps.

VMware has a gotcha with RedHat-based VMs being copied
to new hosts.  When VMware changes the MAC address(es)
of the NIC(s) during cloning or copying, RHEL still has
the old ones in its config files.  The result is that it
creates new NIC(s) device(s) in Linux.  On my system, the
two NICs are eth3 and eth4 (and not eth0, eth1 or eth2).
I've seen the issue before with other cloned CentOS VMs,
so I just fixed it out of habit.

Here are three different articles describing fixes:

http://blog.agilinix.com/2011/10/no-ethernet-device-after-cloning-centosrhel-vm/

http://alexcline.net/2011/11/15/reconfiguring-network-interfaces-in-centosrhel-systems-cloned-with-vcenter/

http://www.cyberciti.biz/tips/vmware-linux-lost-eth0-after-cloning-image.html


I regret not writing down the exact steps used to get
it working and filing a PF documentation addendum, so please
consider doing so if you have the time...

-Arthur

-
Arthur Emerson III Email:  emer...@msmc.edu
Network Administrator  InterNIC:   AE81
Mount Saint Mary College   MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.Fax:(845) 562-6762
Newburgh, NY  12550SneakerNet: Aquinas Hall Room 11

