[PacketFence-users] create node error...

2018-08-08 Thread Auger, Ivan (ITS) via PacketFence-users
Packetfence 8.1:

ERROR: [mac:unknown] Caught exception in pfappserver::Controller::Node->create 
"Can't locate object method "roles" via package 
"pfappserver::Form::Node::Create::Import" at 
/usr/local/pf/lib/pfappserver/Form/Node/Create/Import.pm line 123." 
(pfappserver::PacketFence::Controller::Root::end)

This used to work in 8.0

Ivan Auger

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] admin interface - 3 groups of AD users with different access?

2018-05-02 Thread Auger, Ivan (ITS) via PacketFence-users

I have one group of AD users that need full admin access (source is 
h1adnetwork), one group that needs Node Manager and Violation Manager (source 
is h1ad), and the rest of AD users should get no access.  I am running pf 8, 
same issue in pf 7.4.
 
Issue is that this works only for the first group, when evaluating a user in 
2nd group, I get access denied.  I want it to continue evaluating until it 
matches rules for authentication/administration  - here is the relevant section 
from pftest (somehow, I need to test for group membership in the 
“Authentication” step below so that it fails?):
 
Authenticating against 'h1adnetwork' in context 'admin'
  Authentication SUCCEEDED against h1adnetwork (Authentication successful.)
  Did not match against h1adnetwork for 'authentication' rules
  Did not match against h1adnetwork for 'administration' rules
 
Authenticating against 'h1adnetwork' in context 'portal'
  Authentication SUCCEEDED against h1adnetwork (Authentication successful.)
  Did not match against h1adnetwork for 'authentication' rules
  Did not match against h1adnetwork for 'administration' rules
 
Authenticating against 'h1ad' in context 'admin'
  Authentication SUCCEEDED against h1ad (Authentication successful.)
  Matched against h1ad for 'authentication' rules
    set_role : eusadmin
    set_unreg_date : 2020-12-31
  Matched against h1ad for 'administration' rules
    set_access_level : Violation Manager,Node Manager
 
 
 
Ivan Auger
 
 





Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?

2018-01-04 Thread Auger, Ivan (ITS) via PacketFence-users
nd in the 
request.
#
# allowed values: {no, yes}
#
stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
auth = yes

#  Log passwords with the authentication requests.
#  auth_badpass  - logs password if it's rejected
#  auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no

#  Log additional text at the end of the "Login OK" messages.
#  for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
#  configurations above have to be set to "yes".
#
#  The strings below are dynamically expanded, which means that
#  you can put anything you want in them.  However, note that
#  this expansion can be slow, and can negatively impact server
#  performance.
#
#  msg_goodpass = ""
#  msg_badpass = ""

#  The message when the user exceeds the Simultaneous-Use limit.
#
msg_denied = "You are already logged in - access denied"
}
$






From: Fabrice Durand via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Reply-To: "packetfence-users@lists.sourceforge.net" 
<packetfence-users@lists.sourceforge.net>
Date: Thursday, January 4, 2018 at 12:44 PM
To: "packetfence-users@lists.sourceforge.net" 
<packetfence-users@lists.sourceforge.net>
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?




Can you also paste the file /usr/local/pf/raddb/auth.conf ?

On 2018-01-03 at 16:52, Auger, Ivan (ITS) via PacketFence-users wrote:
Here you go:

[root@esppkfence ~]# /usr/local/pf/bin/pfcmd service radiusd generateconfig
service|command
radiusd-acct|config generated
radiusd-auth|config generated
[root@esppkfence ~]# /usr/sbin/radiusd -d /usr/local/pf/raddb  -n auth -fxx -l stdout
FreeRADIUS Version 3.1.0
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /usr/local/pf/raddb/dictionary
including configuration file /usr/local/pf/raddb/auth.conf
including configuration file /usr/local/pf/raddb/radiusd.conf
including configuration file /usr/local/pf/raddb/proxy.conf
including configuration file /usr/local/pf/raddb/proxy.conf.inc
including configuration file /usr/local/pf/raddb/clients.conf
including configuration file /usr/local/pf/raddb/clients.conf.inc
including files in directory /usr/local/pf/raddb/mods-enabled/
including configuration file /usr/local/pf/raddb/mods-enabled/always
including configuration file /usr/local/pf/raddb/mods-enabled/attr_filter
including configuration file /usr/local/pf/raddb/mods-enabled/cache_eap
including configuration file /usr/local/pf/raddb/mods-enabled/cache_ntlm
including configuration file /usr/local/pf/raddb/mods-enabled/cache_password
including configuration file /usr/local/pf/raddb/mods-enabled/chap
including configuration file /usr/local/pf/raddb/mods-enabled/detail
including configuration file /usr/local/pf/raddb/mods-enabled/detail.log
including configuration file /usr/local/pf/raddb/mods-enabled/digest
including configuration file /usr/local/pf/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/pf/raddb/mods-enabled/eap
including configuration file /usr/local/pf/raddb/mods-enabled/echo
including configuration file /usr/local/pf/raddb/mods-enabled/exec
including configuration file /usr/local/pf/raddb/mods-enabled/expiration
including configuration file /usr/local/pf/raddb/mods-enabled/expr
including configuration file /usr/local/pf/raddb/mods-enabled/files
including configuration file /usr/local/pf/raddb/mods-enabled/linelog
including configuration file /usr/local/pf/raddb/mods-enabled/logintime
including configuration file /usr/local/pf/raddb/mods-enabled/mschap
including configuration file /usr/local/pf/raddb/mods-enabled/ntlm_auth
including configuration fi

Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?

2018-01-03 Thread Auger, Ivan (ITS) via PacketFence-users
-enabled/packetfence
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
including configuration file /usr/local/pf/raddb/sites-enabled/packetfence-cli
main {
security {
user = "pf"
   group = "pf"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/usr/local/pf/var"
sbindir = "/usr/sbin"
logdir = "/usr/local/pf/logs"
run_dir = "/usr/local/pf/var/run"
libdir = "/usr/lib64/freeradius"
radacctdir = "/usr/local/pf/logs/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 5
continuation_timeout = 15
max_requests = 2
pidfile = "/usr/local/pf/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.00
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
auth:  Loading Realms and Home Servers 
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.00
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
  limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
  }
  coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
  }
}
Ignoring "response_window = 20.00", forcing to "response_window = 10.00"
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
auth:  Loading Clients 
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
  limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
  }
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
  limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
  }
}
client dynamic {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
  limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
  }
dynamic_clients = "dynamic_clients"
lifetime = 300
}
Debugger not attached
thread pool {
start_servers = 0
max_servers = 64
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
   cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
/usr/local/pf/raddb/auth.conf[6]: Listeners of type 'auth' MUST be defined in a server.
[root@esppkfence ~]#

Ivan Auger
Asst Dir Inf Tech Serv 1

Office of Information Technology Services
Biggs Lab, D280, Albany NY 12201
p: (518) 473-0773  |  c: (518) 300-0439 | ivan.au...@its.ny.gov


From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, January 03, 2018 10:11 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] packetfence 7.3 configuration wizard - radius?




Hello Ivan,

what you can do is the following:

/usr/local/pf/bin/pfcmd service radiusd generateconfig

/usr/sbin/radiusd -d /usr/local/pf/raddb  -n auth -fxx -l stdout

And paste the debug if the service is not able to start.

Regards

Fabrice



On 2018-01-03 at 09:31, Auger, Ivan (ITS) via PacketFence-users wrote:
Selected radius enforcement in configuration wizard

[PacketFence-users] packetfence 7.3 configuration wizard - radius?

2018-01-03 Thread Auger, Ivan (ITS) via PacketFence-users
Selected radius enforcement in configuration wizard - radius does not start in 
last step - everything else starts.  Is there something additional that needs 
to be defined in /usr/local/pf/conf/pf.conf or in /usr/local/pf/conf/raddb 
template directory?

Thanks