Re: [PacketFence-users] Machine Authentication

2020-07-05 Thread Bill Handler via PacketFence-users
For the machine auth, are you using the machine account (host/machinename)?

I’d still do it via GPO, but only have the GPO enforce to your test machine(s). 
 Also, make sure that wireless autoconfig is enabled.  That’s bitten me before.

Thanks,

Bill

Sent from my iPad

On Jul 5, 2020, at 11:30 AM, Michael Brown <michaelbrow...@yahoo.com> wrote:

I am just trying to manually connect to the network for now.  Was holding off 
on the GP because I am still testing.

I have no problem connecting to the wifi network via 802.1x packetfence when 
using a domain username/password.  I have a separate Authentication Source 
defined for users who are  members of the Domain Users group.  When this 
Authentication Source is used when attempting to join the wifi network and I 
use a Domain User member username and password to log in, everything works 
fine.  The problem is when I am trying to connect using just machine 
authentication and the Domain Computers Authentication Source.






On Saturday, July 4, 2020, 10:44:40 PM EDT, Bill Handler <bhand...@pcsknox.com> wrote:


Group Policy for 802.1x - under Computer in GPO Editor, security settings, 
wireless.  You can set it up so the GPO has the end system connect to the SSID and 
authenticate via 802.1x.

Set up your AD server as the authentication source in PF.  It’s explained in 
the install doc.

Lots of Google articles show how to set up the GPO for your end systems.


Thanks,



Bill

Sent from my iPad

On Jul 4, 2020, at 10:38 PM, Michael Brown via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

A Windows Domain group policy? That does what? Push out wifi network?

I have Windows NPS set up and computers can join wifi successfully based on 
their Domain Computers membership.  No special settings are needed, you just 
click connect from the regular Windows wifi settings and it authenticates 
without ever prompting the user for any input.  Trying to achieve this via 
packetfence so I can get rid of NPS.

Thanks.


On Saturday, July 4, 2020, 08:25:25 PM EDT, G PL via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hello,
Probably a Group policy is missing for the computer configuration.
Regards

On Tue, Jun 30, 2020 at 22:20, Michael Brown via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hi Guys,

I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.

The access points are all Meraki.


On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP

Authentication Profile
Realm: Host
Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=x,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName


On a domain device that is a member of Domain Computers, when I choose to join 
the wireless network it is prompting me for a username and password.

Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Machine Authentication

2020-07-05 Thread Bill Handler via PacketFence-users
Group Policy for 802.1x - under Computer in GPO Editor, security settings, 
wireless.  You can set it up so the GPO has the end system connect to the SSID and 
authenticate via 802.1x.

Set up your AD server as the authentication source in PF.  It’s explained in 
the install doc.

Lots of Google articles show how to set up the GPO for your end systems.

Thanks,

Bill

Sent from my iPad

On Jul 4, 2020, at 10:38 PM, Michael Brown via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

A Windows Domain group policy? That does what? Push out wifi network?

I have Windows NPS set up and computers can join wifi successfully based on 
their Domain Computers membership.  No special settings are needed, you just 
click connect from the regular Windows wifi settings and it authenticates 
without ever prompting the user for any input.  Trying to achieve this via 
packetfence so I can get rid of NPS.

Thanks.


On Saturday, July 4, 2020, 08:25:25 PM EDT, G PL via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hello,
Probably a Group policy is missing for the computer configuration.
Regards

On Tue, Jun 30, 2020 at 22:20, Michael Brown via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hi Guys,

I am trying to get machine authentication working so that if a machine is a 
member of the Active Directory Domain Computers group it will join wifi without 
prompting the user for anything.

The access points are all Meraki.


On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP

Authentication Profile
Realm: Host
Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=x,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName


On a domain device that is a member of Domain Computers, when I choose to join 
the wireless network it is prompting me for a username and password.

Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Role mapped to Tagged VLANs

2020-05-14 Thread Bill Handler via PacketFence-users
Ludovic,

I created a new switch template via the CLI as outlined in the Developer’s 
Guide found here:  
https://packetfence.org/downloads/PacketFence/doc/PacketFence_Developers_Guide.pdf

The Guide states that it is for v10, and has a date of April 2020, so it’s 
likely the newest version…  I took the “Full Working Example” listed on page 
12, modified it to fit the switch and the specific vendor attribute for the 
acceptVlan section.  After running the scripts afterwards to make the switch 
definition available, I noted that in the Web GUI, there was no attribute value 
for the vendor specific attributes – the textbox/display was missing, just as 
in issue #5424 (https://github.com/inverse-inc/packetfence/issues/5424).  The 
vendor attribute/value is still not passed from RADIUS though as seen 
previously in the radiusd.log file or in the GUI RADIUS Response.

It seems that any vendor specific radius attribute I’ve attempted is not passed 
to the switch…

Thanks,

Bill

From: Bill Handler via PacketFence-users 

Sent: Tuesday, May 12, 2020 8:45 AM
To: Ludovic Zammit 
Cc: Bill Handler ; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Role mapped to Tagged VLANs

I did.  I set the switch type to the new template and rebooted both PF and the 
switch to be sure… After reboot PF showed the type as the new template.  It was 
after the reboot that I took the screenshots.  Just changing the switch back to 
the default Extreme template and the VLAN is populated – when using the 
‘private-id’ attribute.

Thanks,

Bill


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Tuesday, May 12, 2020 8:12 AM
To: Bill Handler <bhand...@pcsknox.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Role mapped to Tagged VLANs

Hello Bill,

Out of curiosity, did you select and apply that template that you created to 
your switch?

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)



On May 11, 2020, at 4:24 PM, Bill Handler <bhand...@pcsknox.com> wrote:

Ludovic,

Made a custom template, but it does not seem to be passing the RADIUS Attribute…

This is the Template I’ve created:



The Extreme-Netlogin-Extended-Vlan attribute does not seem to be being passed 
to the switch… within the Auditing window for the end-system I see:



For the canned Extreme Template RADIUS shows:

I changed the VLAN within the config to ‘Data’ to ensure it was being read…

The radiusd.log shows:

[root@pf428 logs]#  cat -t 50 radius.log | grep VLAN
cat: 50: No such file or directory
May 11 04:40:29 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 05:40:28 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 06:40:27 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 06:46:27 pf428 auth[3321]: [mac:a0:d3:c1:12:b6:a2] Accepted user: host/TRAINING-SD03.pcsknox.com and returned VLAN 200
May 11 07:40:26 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 08:40:25 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 09:40:24 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 10:40:23 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 11:40:22 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 12:40:21 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 13:40:19 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 14:40:18 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 15:40:17 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 15:47:26 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user:  and returned VLAN
May 11 15:47:27 pf428 auth[3321]: [ma

Re: [PacketFence-users] Role mapped to Tagged VLANs

2020-05-12 Thread Bill Handler via PacketFence-users
[mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN
May 11 16:08:52 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN
May 11 16:09:37 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user:  and returned VLAN Data
May 11 16:09:38 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN Data
May 11 16:10:38 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN Data
May 11 16:16:33 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user:  and returned VLAN Data
May 11 16:16:33 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN Data
May 11 16:17:33 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN Data
May 11 16:18:34 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN Data


The end-system is being authenticated, but when using the Extreme Attribute, it 
is not returning anything from RADIUS, and leaves the VLAN blank in the log…

Any help is appreciated

Thanks,

Bill

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, May 7, 2020 8:34 AM
To: Bill Handler <bhand...@pcsknox.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Role mapped to Tagged VLANs

Hello Bill,

If you are using PacketFence v10 we have implemented switch templates.

It’s under Configuration > Integration > Switch Templates

You can check out how the Cisco::Switch is done with the voice scope:



Or the HP::Switch :


If you don’t have PacketFence v10, you would need to create your own switch 
module in Perl.

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)







On May 7, 2020, at 5:31 AM, Bill Handler <bhand...@pcsknox.com> wrote:

Understood, what I was meaning is how do we add the VSAs to PacketFence to 
enhance/expand the functionality?  Or set custom attributes for the certain 
vendors’ equipment?
Thanks,

Bill

Sent from my iPad

On May 6, 2020, at 9:33 PM, Ludovic Zammit <lzam...@inverse.ca> wrote:
Each vendor has specific ones.

It’s the way they support voice, check their radius attributes documentation.

Thanks,



On May 6, 2020, at 7:51 PM, Bill Handler <bhand...@pcsknox.com> wrote:
Ludovic,

How do we add vendor-specific VSAs?
Thanks,

Bill

Sent from my iPad

On May 6, 2020, at 8:09 AM, Ludovic Zammit <lzam...@inverse.ca> wrote:
Hello Bill,

You would have to rely on the RADIUS VoIP capabilities of that network 
equipment.

PacketFence supports VoIP on HP/Aruba switches. On the Aruba AP you would have 
to process the VoIP as a normal VLAN. You can try to check the VoIP flag under 
a MAC address and connect it on a HP/Aruba switch. You would need to have your 
voice VLAN marked as a voice VLAN under your switch.

As for Extreme switches, we don’t support the voice VSA.

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)







On May 6, 2020, at 8:00 AM, Bill Handler <bhand...@pcsknox.com> wrote:

Extreme Networks and HP/Aruba switches/APs with a variety of VoIP phones - 
Yealink, Avaya, Polycom, etc.
Sent from my iPhone



On May 6, 2020, at 6:53 AM, Ludovic Zammit <lzam...@inverse.ca> wrote:
Hello Bill,

Which kind of equipment are you using?

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)







On May 5, 2020, at 6:02 PM, Bill Handler via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Team,

Is there a way to push a tagged VLAN to the switch when a device authenticates? 
For example a VoIP phone, or AP.  We’ve tested with a phone with a PC on the 
passthrough port. The PC authenticates fine on the correct VLAN, but we don’t 

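An added check, written for this page and not taken from the thread or from PacketFence, that parses radius.log lines of the form quoted above and flags the symptom reported in this thread: an accept with no username, or with nothing after "returned VLAN". The sample lines are constructed in that format (the last one deliberately does not match), and a per-MAC view shows when the same device was placed differently across authentications.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape of the "Accepted user ... and returned VLAN" lines PacketFence's radiusd
# writes to radius.log, as quoted in the thread. A missing username or VLAN
# leaves its slot empty rather than omitting the line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"auth\[(?P<pid>\d+)\]: \[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] "
    r"Accepted user: (?P<user>\S*) and returned VLAN(?: (?P<vlan>\S+))?\s*$"
)

# Constructed sample in that format (MACs/hostnames as in the thread's log,
# timestamps made up; the last line is a non-matching line on purpose).
SAMPLE_LOG = """\
May 11 15:40:17 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN 200
May 11 15:47:26 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Accepted user:  and returned VLAN
May 11 16:08:52 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN
May 11 16:09:38 pf428 auth[3357]: [mac:78:45:c4:1d:7b:e9] Accepted user: host/pf-test.pcsknox.com and returned VLAN Data
May 11 06:46:27 pf428 auth[3321]: [mac:a0:d3:c1:12:b6:a2] Accepted user: host/TRAINING-SD03.pcsknox.com and returned VLAN 200
May 11 15:47:27 pf428 auth[3321]: [mac:78:45:c4:1d:7b:e9] Access-Reject for unknown user
"""


@dataclass
class AuthEvent:
    ts: str
    mac: str
    user: str            # "" when the line carried no username
    vlan: Optional[str]  # None when nothing followed "returned VLAN"


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for an 'Accepted user' line, None for any other line."""
    m = LINE_RE.match(line)
    return AuthEvent(m["ts"], m["mac"], m["user"], m["vlan"]) if m else None


def parse_log(text: str) -> List[AuthEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def find_anomalies(events: List[AuthEvent]) -> List[Tuple[AuthEvent, str]]:
    """Accepts an operator should look at: no identity, no VLAN, or a VLAN by name."""
    findings: List[Tuple[AuthEvent, str]] = []
    for ev in events:
        if ev.user == "":
            findings.append((ev, "accepted without a username"))
        if ev.vlan is None:
            findings.append((ev, "accepted but no VLAN returned"))
        elif not ev.vlan.isdigit():
            findings.append((ev, f"VLAN returned as name '{ev.vlan}', not an id"))
    return findings


def vlans_per_mac(events: List[AuthEvent]) -> Dict[str, List[Optional[str]]]:
    """Distinct VLAN outcomes seen per MAC, in order of first appearance; more
    than one entry means the same device was placed differently over time."""
    seen: Dict[str, List[Optional[str]]] = {}
    for ev in events:
        outcomes = seen.setdefault(ev.mac, [])
        if ev.vlan not in outcomes:
            outcomes.append(ev.vlan)
    return seen


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, reason in find_anomalies(evs):
        print(f"{ev.ts} {ev.mac} user={ev.user!r}: {reason}")
    print(vlans_per_mac(evs))
```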
Re: [PacketFence-users] Cannot Join Packetfence V10 to windows active directory

2020-05-11 Thread Bill Handler via PacketFence-users
Charbel,

The first thing I’d check is the DNS settings.  Are you using your domain’s DNS 
servers for PacketFence?

Thanks,

Bill

From: Charbel Rizk via PacketFence-users 

Sent: Monday, May 11, 2020 7:43 AM
To: packetfence-users@lists.sourceforge.net
Cc: Charbel Rizk 
Subject: [PacketFence-users] Cannot Join Packetfence V10 to windows active 
directory

Dear All,

I have got a problem with Packetfence V10.0.0, I try to add Windows Active 
Directory but I got the message:

Joining WinAD domain failed
Failed to join domain: failed to find DC for domain BRILIB - {Operation Failed} 
The requested operation was unsuccessful.


Can anyone help?

Best regards,
Charbel
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Role mapped to Tagged VLANs

2020-05-07 Thread Bill Handler via PacketFence-users
Ludovic,

How do we add vendor-specific VSAs?

Thanks,

Bill

Sent from my iPad

On May 6, 2020, at 8:09 AM, Ludovic Zammit <lzam...@inverse.ca> wrote:

Hello Bill,

You would have to rely on the RADIUS VoIP capabilities of that network 
equipment.

PacketFence supports VoIP on HP/Aruba switches. On the Aruba AP you would have 
to process the VoIP as a normal VLAN. You can try to check the VoIP flag under 
a MAC address and connect it on a HP/Aruba switch. You would need to have your 
voice VLAN marked as a voice VLAN under your switch.

As for Extreme switches, we don’t support the voice VSA.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On May 6, 2020, at 8:00 AM, Bill Handler <bhand...@pcsknox.com> wrote:

Extreme Networks and HP/Aruba switches/APs with a variety of VoIP phones - 
Yealink, Avaya, Polycom, etc.

Sent from my iPhone

On May 6, 2020, at 6:53 AM, Ludovic Zammit <lzam...@inverse.ca> wrote:

Hello Bill,

Which kind of equipment are you using?

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On May 5, 2020, at 6:02 PM, Bill Handler via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Team,

Is there a way to push a tagged VLAN to the switch when a device authenticates? 
For example a VoIP phone, or AP.  We’ve tested with a phone with a PC on the 
passthrough port. The PC authenticates fine on the correct VLAN, but we don’t 
know how to configure PF to send the phone VLAN as tagged to the switch.

Thanks,

Bill
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users




Re: [PacketFence-users] Role mapped to Tagged VLANs

2020-05-07 Thread Bill Handler via PacketFence-users
Understood, what I was meaning is how do we add the VSAs to PacketFence to 
enhance/expand the functionality?  Or set custom attributes for the certain 
vendors’ equipment?

Thanks,

Bill

Sent from my iPad

On May 6, 2020, at 9:33 PM, Ludovic Zammit <lzam...@inverse.ca> wrote:

Each vendor has specific ones.

It’s the way they support voice, check their radius attributes documentation.

Thanks,

On May 6, 2020, at 7:51 PM, Bill Handler <bhand...@pcsknox.com> wrote:

Ludovic,

How do we add vendor-specific VSAs?

Thanks,

Bill

Sent from my iPad

On May 6, 2020, at 8:09 AM, Ludovic Zammit <lzam...@inverse.ca> wrote:

Hello Bill,

You would have to rely on the RADIUS VoIP capabilities of that network 
equipment.

PacketFence supports VoIP on HP/Aruba switches. On the Aruba AP you would have 
to process the VoIP as a normal VLAN. You can try to check the VoIP flag under 
a MAC address and connect it on a HP/Aruba switch. You would need to have your 
voice VLAN marked as a voice VLAN under your switch.

As for Extreme switches, we don’t support the voice VSA.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On May 6, 2020, at 8:00 AM, Bill Handler <bhand...@pcsknox.com> wrote:

Extreme Networks and HP/Aruba switches/APs with a variety of VoIP phones - 
Yealink, Avaya, Polycom, etc.

Sent from my iPhone

On May 6, 2020, at 6:53 AM, Ludovic Zammit <lzam...@inverse.ca> wrote:

Hello Bill,

Which kind of equipment are you using?

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On May 5, 2020, at 6:02 PM, Bill Handler via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Team,

Is there a way to push a tagged VLAN to the switch when a device authenticates? 
For example a VoIP phone, or AP.  We’ve tested with a phone with a PC on the 
passthrough port. The PC authenticates fine on the correct VLAN, but we don’t 
know how to configure PF to send the phone VLAN as tagged to the switch.

Thanks,

Bill
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users




Re: [PacketFence-users] Role mapped to Tagged VLANs

2020-05-06 Thread Bill Handler via PacketFence-users
Extreme Networks and HP/Aruba switches/APs with a variety of VoIP phones - 
Yealink, Avaya, Polycom, etc.

Sent from my iPhone

On May 6, 2020, at 6:53 AM, Ludovic Zammit wrote:

Hello Bill,

Which kind of equipment are you using?

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On May 5, 2020, at 6:02 PM, Bill Handler via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Team,

Is there a way to push a tagged VLAN to the switch when a device authenticates? 
For example a VoIP phone, or AP.  We’ve tested with a phone with a PC on the 
passthrough port. The PC authenticates fine on the correct VLAN, but we don’t 
know how to configure PF to send the phone VLAN as tagged to the switch.

Thanks,

Bill
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users



[PacketFence-users] Role mapped to Tagged VLANs

2020-05-05 Thread Bill Handler via PacketFence-users
Team,

Is there a way to push a tagged VLAN to the switch when a device authenticates? 
For example a VoIP phone, or AP.  We’ve tested with a phone with a PC on the 
passthrough port. The PC authenticates fine on the correct VLAN, but we don’t 
know how to configure PF to send the phone VLAN as tagged to the switch.

Thanks,
 
Bill
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] 802.1x Computer and User Authentication

2020-04-30 Thread Bill Handler via PacketFence-users
Ludovic,

That resolved it!!  Thanks!!

Thanks,

Bill

From: Ludovic Zammit 
Sent: Thursday, April 30, 2020 7:52 AM
To: Bill Handler 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Hello Bill,

It looks like when it’s doing the user authentication the EAP authentication 
happens correctly but the authorization does not work because it does not match 
your rule in your AD source.

Could you paste a user authentication from the logs/packetfence.log? Remove 
personal info. My guess is that your realm is not stripped, thus it’s not passing 
the correct username to the AD source and not matching.

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)





On Apr 29, 2020, at 4:48 PM, Bill Handler via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Checking on if this is possible with PacketFence (using v10)…

For 802.1x authentication, we have set up for Users and Computers to 
authenticate.  Currently, when a machine accesses the network it is 
automatically authenticated and gets the Machine role (we’re working with 
Windows 10 and GPO).  When a user logs onto that machine, the user is 
authenticated, that user becomes the ‘Owner’ of that device – listed in the 
nodes section and RADIUS Audit Log Entry, however, the end-system/node keeps 
the machine role, and does not get the user’s role.

Within the connection profile for 802.1x, we have the sources set so that the 
source for user auth (AD) is set above the machine auth, so it should get the 
role from the user auth source.  I’ve verified using pftest and that user is 
authenticating against that role.

We’ve used another NAC solution and when a user logs into the machine under the 
same circumstances, the role flips to the user role.

What I think happens/is supposed to happen is when a user logs into the 
machine, the machine logs out/deauthenticates so the user role is applied to 
the user.  That is not happening with PacketFence.

Any ideas on how to make this happen?

Thanks,

Bill
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users



Re: [PacketFence-users] 802.1x Computer and User Authentication

2020-04-30 Thread Bill Handler via PacketFence-users
Ludovic,

Thanks for the quick reply…

Looking in the log, I think I found the issue in this log entry:

Apr 30 08:58:19 PFserver packetfence_httpd.aaa: httpd.aaa(2385) INFO: 
[mac:XX:XX:XX:XX:XX:XX] Role has already been computed and we don't want to 
recompute it. Getting role from node_info (pf::role::getRegisteredRole)

Here is a screenshot of my 802.1x profile settings, which I think are correct – 
but I’m probably wrong lol  :



Thanks,

Bill

From: Ludovic Zammit 
Sent: Thursday, April 30, 2020 7:52 AM
To: Bill Handler 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Hello Bill,

It looks like when it’s doing the user authentication the EAP authentication 
happens correctly but the authorization does not work because it does not match 
your rule in your AD source.

Could you paste a user authentication from the logs/packetfence.log? Remove 
personal info. My guess is that your realm is not stripped, thus it’s not passing 
the correct username to the AD source and not matching.

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)





On Apr 29, 2020, at 4:48 PM, Bill Handler via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Checking on if this is possible with PacketFence (using v10)…

For 802.1x authentication, we have set up for Users and Computers to 
authenticate.  Currently, when a machine accesses the network it is 
automatically authenticated and gets the Machine role (we’re working with 
Windows 10 and GPO).  When a user logs onto that machine, the user is 
authenticated, that user becomes the ‘Owner’ of that device – listed in the 
nodes section and RADIUS Audit Log Entry, however, the end-system/node keeps 
the machine role, and does not get the user’s role.

Within the connection profile for 802.1x, we have the sources set so that the 
source for user auth (AD) is set above the machine auth, so it should get the 
role from the user auth source.  I’ve verified using pftest and that user is 
authenticating against that role.

We’ve used another NAC solution and when a user logs into the machine under the 
same circumstances, the role flips to the user role.

What I think happens/is supposed to happen is when a user logs into the 
machine, the machine logs out/deauthenticates so the user role is applied to 
the user.  That is not happening with PacketFence.

Any ideas on how to make this happen?

Thanks,

Bill
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
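An added illustration, written for this page and not PacketFence's own code, of the two things the machine-authentication thread at the top of this page and the realm discussion in this thread hinge on: what User-Name a Windows supplicant sends for a machine (host/fqdn) versus a user (DOMAIN\user or user@realm), and why an unstripped realm makes the directory lookup miss so no source rule matches. The realm table is modelled on the realm.conf quoted in this thread; the strip flags, directory entries, source names and roles are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    kind: str             # "machine" for host/... names, "user" otherwise
    name: str             # lookup key with the realm removed
    realm: Optional[str]  # realm as the supplicant sent it, None if absent
    raw: str              # User-Name exactly as received


def parse_user_name(user_name: str) -> Identity:
    """Split a RADIUS User-Name: host/fqdn (machine), DOMAIN\\user or user@realm."""
    is_machine = user_name.lower().startswith("host/")
    body = user_name[5:] if is_machine else user_name
    if "\\" in body:
        realm, name = body.split("\\", 1)
    elif "@" in body:
        name, realm = body.rsplit("@", 1)
    else:
        name, realm = body, None
    if is_machine:
        name = "host/" + name          # the SPN form the directory stores
    return Identity("machine" if is_machine else "user", name, realm, user_name)


@dataclass
class RealmConfig:
    domain: str
    strip: bool = True    # "strip in RADIUS authorization": look up the bare name


# Modelled on the realm.conf quoted in this thread (DEFAULT and NULL both use
# domain=PCS); the PCS entry and every strip flag are assumptions for the demo.
REALMS: Dict[str, RealmConfig] = {
    "DEFAULT": RealmConfig("PCS"),   # any realm not listed below
    "NULL": RealmConfig("PCS"),      # User-Name sent without a realm
    "PCS": RealmConfig("PCS"),
}


def select_realm(identity: Identity, realms: Dict[str, RealmConfig]) -> Tuple[str, str]:
    """Return (realm section, name to look up in the directory)."""
    if identity.realm is None:
        section = "NULL"
    elif identity.realm.upper() in realms:
        section = identity.realm.upper()
    else:
        section = "DEFAULT"
    cfg = realms.get(section) or realms["DEFAULT"]
    return section, (identity.name if cfg.strip else identity.raw)


@dataclass
class DirEntry:
    sam_account_name: str
    member_of: List[str]
    service_principal_name: List[str] = field(default_factory=list)


# Constructed stand-ins for the AD objects named in the threads (not real data).
DIRECTORY: List[DirEntry] = [
    DirEntry("bhandler", ["CN=Domain Users,CN=Users,DC=pcs,DC=local"]),
    DirEntry("PF-TEST$", ["CN=Domain Computers,CN=Users,DC=pcs,DC=local"],
             ["HOST/PF-TEST", "HOST/pf-test.pcsknox.com"]),
]


def find_entry(identity: Identity, lookup: str, directory: List[DirEntry]) -> Optional[DirEntry]:
    """Machines match on servicePrincipalName (the 'Username Attribute' in the
    machine-auth thread), users on sAMAccountName; AD compares both
    case-insensitively, so the comparison here is case-insensitive too."""
    key = lookup.lower()
    for entry in directory:
        if identity.kind == "machine":
            if key in (spn.lower() for spn in entry.service_principal_name):
                return entry
        elif entry.sam_account_name.lower() == key:
            return entry
    return None


@dataclass
class Source:
    name: str
    group_dn: str   # the "is a member of" rule condition
    role: str


# Ordered like the connection profile in this thread: user source above machine source.
SOURCES: List[Source] = [
    Source("AD-Users", "CN=Domain Users,CN=Users,DC=pcs,DC=local", "Employee"),
    Source("AD-Machines", "CN=Domain Computers,CN=Users,DC=pcs,DC=local", "Machine"),
]


def authorize(user_name: str, realms=REALMS, directory=DIRECTORY,
              sources=SOURCES) -> Optional[Tuple[str, str]]:
    """(source name, role) of the first source whose group rule matches, or None
    when the directory lookup fails (e.g. realm not stripped) or no rule matches."""
    identity = parse_user_name(user_name)
    _, lookup = select_realm(identity, realms)
    entry = find_entry(identity, lookup, directory)
    if entry is None:
        return None
    groups = {g.lower() for g in entry.member_of}
    for src in sources:
        if src.group_dn.lower() in groups:
            return src.name, src.role
    return None
```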



Re: [PacketFence-users] 802.1x Computer and User Authentication

2020-04-30 Thread Bill Handler via PacketFence-users
Ludovic,

See below:

[root@pf428 conf]# cat realm.conf
# Copyright (C) Inverse inc.
[1 DEFAULT]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_auth_compute_in_pf=enabled
eduroam_radius_auth=
domain=PCS
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
radius_acct_proxy_type=load-balance
radius_auth=
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct_proxy_type=load-balance
radius_acct=

[1 NULL]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_auth_compute_in_pf=enabled
eduroam_radius_auth=
domain=PCS
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
radius_acct_proxy_type=load-balance
radius_auth=
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct_proxy_type=load-balance
radius_acct=
[root@pf428 conf]#

Thanks,

Bill

From: Ludovic Zammit 
Sent: Thursday, April 30, 2020 9:22 AM
To: Bill Handler 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Could you post the conf/realm.conf ?

cat /usr/local/pf/conf/realm.conf

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)





On Apr 30, 2020, at 9:19 AM, Bill Handler <bhand...@pcsknox.com> wrote:

Ludovic,

For that authentication it shows Realm default – my Domain is listed in both 
the default and null realms.

Thanks,

Bill

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, April 30, 2020 9:16 AM
To: Bill Handler <bhand...@pcsknox.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Bill,

What’s the realm assigned to your connection if you look it up in the Auditing 
tab in the web admin?

Is that realm stripping in RADIUS authorization?

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)







On Apr 30, 2020, at 9:12 AM, Bill Handler <bhand...@pcsknox.com> wrote:

Ludovic,

Thanks for the quick reply…

Looking in the log, I think I found the issue in this log entry:

Apr 30 08:58:19 PFserver packetfence_httpd.aaa: httpd.aaa(2385) INFO: 
[mac:XX:XX:XX:XX:XX:XX] Role has already been computed and we don't want to 
recompute it. Getting role from node_info (pf::role::getRegisteredRole)

Here is a screenshot of my 802.1x profile settings, which I think are correct – 
but I’m probably wrong lol  :




Thanks,

Bill

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, April 30, 2020 7:52 AM
To: Bill Handler <bhand...@pcsknox.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Hello Bill,

It looks like when it’s doing the user authentication the EAP authentication 
happens correctly, but the authorization does not work because it is not 
matching your rule in your AD source.

Could you paste a user authentication from the logs/packetfence.log? Remove 
personal info. My guess is that your realm is not stripped, thus it’s not 
passing the correct username to the AD source and not matching.

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)









On Apr 29, 2020, at 4:48 PM, Bill Handler via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Checking on if this is possible with PacketFence (using v10)…

For 802.1x authentication, we have set up for Users and Computers to 
authenticate.  Currently, when a machine accesses the network it is 
automatically authenticated and gets the Machine role (we’re working with 
Windows 10 and GPO).  When a user logs onto that machine, the user is 
authenticated, that user becomes the ‘Owner’ of that device – listed in the 
nodes section and RADIUS Audit Log Entry, however, the end-system/node keeps 
the machine role, and does not get the user’s role.

Within the connection profile for 802.1x, we have the sources set so that the 
source for user auth (AD) is set above the machine auth, so it should get the 
role from the user auth source.  I’ve verified using pftest and that user is 
authenticating against that role.

We’ve used another NAC solution and when a user logs into the m

Re: [PacketFence-users] 802.1x Computer and User Authentication

2020-04-30 Thread Bill Handler via PacketFence-users
Ludovic,

For that authentication it shows Realm default – my Domain is listed in both 
the default and null realms.

Thanks,

Bill

From: Ludovic Zammit 
Sent: Thursday, April 30, 2020 9:16 AM
To: Bill Handler 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Bill,

What’s the realm assigned to your connection if you look it up in the Auditing 
tab in the web admin?

Is that realm stripping in RADIUS authorization?

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





On Apr 30, 2020, at 9:12 AM, Bill Handler <bhand...@pcsknox.com> wrote:

Ludovic,

Thanks for the quick reply…

Looking in the log, I think I found the issue in this log entry:

Apr 30 08:58:19 PFserver packetfence_httpd.aaa: httpd.aaa(2385) INFO: 
[mac:XX:XX:XX:XX:XX:XX] Role has already been computed and we don't want to 
recompute it. Getting role from node_info (pf::role::getRegisteredRole)

Here is a screenshot of my 802.1x profile settings, which I think are correct – 
but I’m probably wrong lol  :




Thanks,

Bill

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, April 30, 2020 7:52 AM
To: Bill Handler <bhand...@pcsknox.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Hello Bill,

It looks like when it’s doing the user authentication the EAP authentication 
happens correctly, but the authorization does not work because it is not 
matching your rule in your AD source.

Could you paste a user authentication from the logs/packetfence.log? Remove 
personal info. My guess is that your realm is not stripped, thus it’s not 
passing the correct username to the AD source and not matching.

Thanks,

Ludovic Zammit

lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)







On Apr 29, 2020, at 4:48 PM, Bill Handler via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Checking on if this is possible with PacketFence (using v10)…

For 802.1x authentication, we have set up for Users and Computers to 
authenticate.  Currently, when a machine accesses the network it is 
automatically authenticated and gets the Machine role (we’re working with 
Windows 10 and GPO).  When a user logs onto that machine, the user is 
authenticated, that user becomes the ‘Owner’ of that device – listed in the 
nodes section and RADIUS Audit Log Entry, however, the end-system/node keeps 
the machine role, and does not get the user’s role.

Within the connection profile for 802.1x, we have the sources set so that the 
source for user auth (AD) is set above the machine auth, so it should get the 
role from the user auth source.  I’ve verified using pftest and that user is 
authenticating against that role.

We’ve used another NAC solution and when a user logs into the machine under the 
same circumstances, the role flips to the user role.

What I think happens/is supposed to happen is when a user logs into the 
machine, the machine logs out/deauthenticates so the user role is applied to 
the user.  That is not happening with PacketFence.

Any ideas on how to make this happen?

Thanks,

Bill
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
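Ludovic's diagnosis in this thread is that the realm is not being stripped, so the username handed to the AD source (for example jdoe@PCS instead of jdoe) never matches the rule, while Bill's realm.conf shows only the DEFAULT and NULL realms for tenant 1 and the Auditing tab reports "Realm default". The Python below is an added illustration of that mechanism written for this page, not PacketFence's own (Perl) code: it splits the three User-Name shapes a Windows 802.1X supplicant sends, picks the realm section the way the thread describes (no realm gives NULL, an unknown realm falls back to DEFAULT), and shows how an unstripped DEFAULT realm makes an AD rule keyed on sAMAccountName fail. The strip_username key, the AD_ACCOUNTS set and the sample names are constructed for the example and are not settings shown on the page.

```python
import configparser
from typing import Dict, Optional, Tuple

# Constructed sample modelled on the realm.conf pasted in the thread:
# tenant id 1, realms DEFAULT and NULL, domain PCS. The strip_username key
# is an assumption made for this illustration, not a key shown on the page.
# DEFAULT is left unstripped on purpose so the failure can be reproduced.
SAMPLE_REALM_CONF = """\
# Copyright (C) Inverse inc.
[1 DEFAULT]
domain=PCS
radius_auth_compute_in_pf=enabled
strip_username=disabled

[1 NULL]
domain=PCS
radius_auth_compute_in_pf=enabled
strip_username=enabled
"""

# Constructed stand-in for the AD source rule: the sAMAccountNames the rule
# would match. A real source queries the directory instead.
AD_ACCOUNTS = {"jdoe", "pc-lab-01$"}


def split_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS User-Name into (bare_user, realm) for the shapes a
    Windows supplicant sends: user@REALM (UPN), REALM\\user (NetBIOS) and
    host/machine.realm for a machine account. realm is None when the name
    carries no realm at all."""
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        host, sep, realm = fqdn.partition(".")
        # machine accounts are stored in AD as <host>$
        return host + "$", (realm if sep else None)
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, realm
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm
    return user_name, None


def load_realms(text: str, tenant: int = 1) -> Dict[str, Dict[str, str]]:
    """Parse the '[<tenant> <REALM>]' sections of realm.conf for one tenant."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    realms: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        tid, _, name = section.partition(" ")
        if tid.isdigit() and int(tid) == tenant:
            realms[name.upper()] = dict(cp[section])
    return realms


def resolve_realm(realms: Dict[str, Dict[str, str]], realm: Optional[str]) -> str:
    """No realm in the name -> NULL; unknown realm -> DEFAULT; else itself."""
    if realm is None:
        return "NULL"
    return realm.upper() if realm.upper() in realms else "DEFAULT"


def username_for_source(user_name: str, realms) -> Tuple[str, str]:
    """Return (username handed to the auth source, realm that applied)."""
    user, realm = split_user_name(user_name)
    chosen = resolve_realm(realms, realm)
    strip = realms[chosen].get("strip_username") == "enabled"
    return (user if strip else user_name), chosen


def matches_ad_rule(user_name: str, realms, accounts=AD_ACCOUNTS) -> bool:
    """True when the (possibly stripped) username would match the rule."""
    username, _ = username_for_source(user_name, realms)
    return username.lower() in accounts


if __name__ == "__main__":
    realms = load_realms(SAMPLE_REALM_CONF)
    for name in ("jdoe@PCS", "PCS\\jdoe", "jdoe", "host/PC-LAB-01.pcs.local"):
        print(name, "->", username_for_source(name, realms), matches_ad_rule(name, realms))
```

With DEFAULT left unstripped, jdoe@PCS and PCS\jdoe reach the source unchanged and match nothing, while a bare jdoe (NULL realm, stripped) matches; flipping strip_username to enabled on the realm that actually applies (the one the Auditing tab shows) makes the same names arrive as jdoe and PC-LAB-01$ and match.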



[PacketFence-users] 802.1x Computer and User Authentication

2020-04-29 Thread Bill Handler via PacketFence-users
Checking on if this is possible with PacketFence (using v10)...

For 802.1x authentication, we have set up for Users and Computers to 
authenticate.  Currently, when a machine accesses the network it is 
automatically authenticated and gets the Machine role (we're working with 
Windows 10 and GPO).  When a user logs onto that machine, the user is 
authenticated, that user becomes the 'Owner' of that device - listed in the 
nodes section and RADIUS Audit Log Entry, however, the end-system/node keeps 
the machine role, and does not get the user's role.

Within the connection profile for 802.1x, we have the sources set so that the 
source for user auth (AD) is set above the machine auth, so it should get the 
role from the user auth source.  I've verified using pftest and that user is 
authenticating against that role.

We've used another NAC solution and when a user logs into the machine under the 
same circumstances, the role flips to the user role.

What I think happens/is supposed to happen is when a user logs into the 
machine, the machine logs out/deauthenticates so the user role is applied to 
the user.  That is not happening with PacketFence.

Any ideas on how to make this happen?

Thanks,

Bill
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting - http vs https

2020-04-29 Thread Bill Handler via PacketFence-users
the code here: 
https://github.com/inverse-inc/packetfence/blob/541c6c8545195881b136bc55edb7cd531594061d/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/OAuth.pm
 )


you have these two logging entries in the code: (you might need to increase the 
logging level to debug).

get_logger->info("OAuth2 successfull for username ".$self->username);
$self->source->lookup_from_provider_info($self->username, $info);

pf::auth_log::record_completed_oauth($self->source->id, 
$self->current_mac, $pid, $pf::auth_log::COMPLETED, $self->app->profile->name);

$self->update_person_from_fields();

$self->done();
}
else {
get_logger->info("OAuth2: failed to validate the token, redireting to 
login page.");
get_logger->debug(sub { use Data::Dumper; "OAuth2 failed response : 
".Dumper($response) });
pf::auth_log::change_record_status($self->source->id, 
$self->current_mac, $pf::auth_log::FAILED, $self->app->profile->name);
$self->app->flash->{error} = "OAuth2 Error: Failed to validate the 
token, please retry";
$self->landing();


good luck!




Cheers




On Thu, Apr 23, 2020 at 3:04 AM Jonathan Nathanson <jmhnathan...@gmail.com> wrote:
I had this very similar problem recently. Does A3 manage DHCP in the reg VLAN?

The role should be assigned following a disconnect / COA packet sent to the 
client device to get them to reconnect, I believe.

You should do a packet trace and check. You might also want to check 
corresponding log entries in httpd.portal.error to see if you can spot the 
issue there.

Jonathan

On Thu, 23 Apr 2020 at 01:32, Bill Handler via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
I’m running on v10, using the default whitelist in the Google Auth config.  The 
end system is talking to google, verified with wireshark, and by inputting 
wrong password.

The end system’s role never gets updated, even though I have a catchall rule in 
place that should move it to a different VLAN.

I have not done a packet capture on server’s interface yet.  The end system 
stays as unregistered, so the issue may be authenticating the token between PF 
and google.

I’ve only tested using Chrome and Firefox browsers, and only if Chrome is used 
does the redirect show accounts.blogger.com in the address field after 
entering the google account credentials.

Both browser windows show the “you may need to login to your network” message 
with a button; the button sends you back to the AUP.

Is there a certain log that I would be able to see PF talking to google, or 
just checking wireshark packets?
Thanks,

Bill

Sent from my iPad

On Apr 22, 2020, at 5:15 PM, Diego Garcia del Rio <garc...@gmail.com> wrote:
Just to be sure, do you have all the proper whitelists as well? It's weird that 
the user is directed to accounts.blogger.com... Also, you should be able to 
see your PF server making a request to google to validate the returned token.


On which version of PF are you? I've been using google auth successfully all 
the way up to 9.2 (I haven't tested anything newer though).

Also, not sure the logic you're using but you might want to check that the 
google source is assigning a role to the device in question..



On Wed, Apr 22, 2020 at 5:51 PM Bill Handler via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Running into an issue with Google oauth2 authentication via Captive Portal…


  *   Have it configured and set as an External Authentication Source
  *   Have all the correct settings on Google Developer site

What’s happening is that after entering the username/password in the Google 
display on the captive portal, the user is not put into the correct 
VLAN/redirected.  Authentication via AD/SMS/E-Mail works without issue.

If using Chrome Browser, the user is redirected to accounts.blogger.com with a 
long string afterwards; within Firefox, the URL shows as the portal URL with 
“?code=” and a long string – this is the token from Google I believe, based on 
some of the documentation.

The user stays in the registration VLAN and is not moved to the correct role.  
Not sure where to check to see why the user is not moving.

Any help is appreciated.

Thanks,

Bill

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting - http vs https

2020-04-29 Thread Bill Handler via PacketFence-users
 what log file the logging entries you pointed out go to.  I 
was in the logs folder and ran a ‘cat *.log | grep OAuth’ but came back with no 
results.

Jonathan,

We’re not using the A3 variant from HiveManager/Extreme IQ, I’m just working 
with PacketFence straight (although we are an Extreme Networks partner and the 
AeroHive gear is part of our offerings now…). PacketFence is only handing out 
DHCP on the registration VLAN, our internal DHCP is handing out IPs on our data 
VLAN, and the firewall is handing out IPs on the guest and phone VLANs. But 
we’re never getting that far – the end-system is not being given the role and 
stays as unregistered.

httpd.portal.error Log has no entries for today.  I did a packet capture from 
the PF server and did see some traffic going to/from Google IP addresses, but 
it was TLS or TCP Acks and I could not tell what the payload was…

Thanks,

Bill

From: Diego Garcia del Rio <garc...@gmail.com>
Sent: Thursday, April 23, 2020 10:43 AM
To: Jonathan Nathanson <jmhnathan...@gmail.com>
Cc: packetfence-users@lists.sourceforge.net; Bill Handler <bhand...@pcsknox.com>
Subject: Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

Hi Jonathan, Bill,

The device will get the role indeed after a disconnect / CoA but given Bill 
mentions that his other auth methods work... I would be surprised that CoA 
fails for this. Also, he should still be seeing the device having the new role.

Below is my config of the google authentication source (old GUI, sorry).




Also, I seem to be using the OLD user information scheme / URL:

(look here: 
https://github.com/inverse-inc/packetfence/commit/8f38c0e5b51ff5daf83f1720aef8253059fa1a96)

I am using this:
has 'scope' => (isa => 'Str', is => 'rw', default => 
'https://www.googleapis.com/auth/userinfo.email');
has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 
'https://www.googleapis.com/oauth2/v2/userinfo');

instead of the new defaults which are these:
has 'scope' => (isa => 'Str', is => 'rw', default => 'openid email profile');
has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 
'https://openidconnect.googleapis.com/v1/userinfo');


Basically it looks like this:




So maybe your authorized scope in google is for this old schema and not the new 
open-id one?

Also, keep in mind that accessing the google login portal from mobile devices 
can be tricky. Google blacklists the "embedded"  browsers of most phones so you 
need to launch chrome manually or contact google to get an exception for your 
specific APP ID.

Also, check your logs for any phrase like this: "OAuth2 Error: Failed to get 
the token"

(look at the code here: 
https://github.com/inverse-inc/packetfence/blob/541c6c8545195881b136bc55edb7cd531594061d/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/OAuth.pm
 )


you have these two logging entries in the code: (you might need to increase the 
logging level to debug).

get_logger->info("OAuth2 successfull for username ".$self->username);
$self->source->lookup_from_provider_info($self->username, $info);

pf::auth_log::record_completed_oauth($self->source->id, 
$self->current_mac, $pid, $pf::auth_log::COMPLETED, $self->app->profile->name);

$self->update_person_from_fields();

$self->done();
}
else {
get_logger->info("OAuth2: failed to validate the token, redireting to 
login page.");
get_logger->debug(sub { use Data::Dumper; "OAuth2 failed response : 
".Dumper($response) });
pf::auth_log::change_record_status($self->source->id, 
$self->current_mac, $pf::auth_log::FAILED, $self->app->profile->name);
$self->app->flash->{error} = "OAuth2 Error: Failed to validate the 
token, please retry";
$self->landing();


good luck!




Cheers





Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting - DNS Issue?

2020-04-29 Thread Bill Handler via PacketFence-users
e: (you might need to increase the 
logging level to debug).

get_logger->info("OAuth2 successfull for username ".$self->username);
$self->source->lookup_from_provider_info($self->username, $info);

pf::auth_log::record_completed_oauth($self->source->id, 
$self->current_mac, $pid, $pf::auth_log::COMPLETED, $self->app->profile->name);

$self->update_person_from_fields();

$self->done();
}
else {
get_logger->info("OAuth2: failed to validate the token, redireting to 
login page.");
get_logger->debug(sub { use Data::Dumper; "OAuth2 failed response : 
".Dumper($response) });
pf::auth_log::change_record_status($self->source->id, 
$self->current_mac, $pf::auth_log::FAILED, $self->app->profile->name);
$self->app->flash->{error} = "OAuth2 Error: Failed to validate the 
token, please retry";
$self->landing();


good luck!




Cheers






Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Bill Handler via PacketFence-users
onathan, Bill,

The device will get the role indeed after a disconnect / CoA but given Bill 
mentions that his other auth methods work... I would be surprised that CoA 
fails for this. Also, he should still be seeing the device having the new role.

Below is my config of the google authentication source (old GUI, sorry).




Also, I seem to be using the OLD user information scheme / URL:

(look here: 
https://github.com/inverse-inc/packetfence/commit/8f38c0e5b51ff5daf83f1720aef8253059fa1a96)

I am using this:
has 'scope' => (isa => 'Str', is => 'rw', default => 
'https://www.googleapis.com/auth/userinfo.email');
has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 
'https://www.googleapis.com/oauth2/v2/userinfo');

instead of the new defaults which are these:
has 'scope' => (isa => 'Str', is => 'rw', default => 'openid email profile');
has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 
'https://openidconnect.googleapis.com/v1/userinfo');


Basically it looks like this:




So maybe your authorized scope in google is for this old schema and not the new 
open-id one?

Also, keep in mind that accessing the google login portal from mobile devices 
can be tricky. Google blacklists the "embedded"  browsers of most phones so you 
need to launch chrome manually or contact google to get an exception for your 
specific APP ID.

Also, check your logs for any phrase like this: "OAuth2 Error: Failed to get 
the token"

(look at the code here: 
https://github.com/inverse-inc/packetfence/blob/541c6c8545195881b136bc55edb7cd531594061d/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/OAuth.pm
 )


you have these two logging entries in the code: (you might need to increase the 
logging level to debug).

get_logger->info("OAuth2 successfull for username ".$self->username);
$self->source->lookup_from_provider_info($self->username, $info);

pf::auth_log::record_completed_oauth($self->source->id, 
$self->current_mac, $pid, $pf::auth_log::COMPLETED, $self->app->profile->name);

$self->update_person_from_fields();

$self->done();
}
else {
get_logger->info("OAuth2: failed to validate the token, redireting to 
login page.");
get_logger->debug(sub { use Data::Dumper; "OAuth2 failed response : 
".Dumper($response) });
pf::auth_log::change_record_status($self->source->id, 
$self->current_mac, $pf::auth_log::FAILED, $self->app->profile->name);
$self->app->flash->{error} = "OAuth2 Error: Failed to validate the 
token, please retry";
$self->landing();


good luck!




Cheers





Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Bill Handler via PacketFence-users
04 AM Jonathan Nathanson <jmhnathan...@gmail.com> wrote:
I had this very similar problem recently. Does A3 manage DHCP in the reg VLAN?

The role should be assigned following a disconnect / COA packet sent to the 
client device to get them to reconnect, I believe.

You should do a packet trace and check. You might also want to check 
corresponding log entries in httpd.portal.error to see if you can spot the 
issue there.

Jonathan

On Thu, 23 Apr 2020 at 01:32, Bill Handler via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
I’m running on v10, using the default whitelist in the Google Auth config.  The 
end system is talking to google, verified with wireshark, and by inputting 
wrong password.

The end system’s role never gets updated, even though I have a catchall rule in 
place that should move it to a different VLAN.

I have not done a packet capture on server’s interface yet.  The end system 
stays as unregistered, so the issue may be authenticating the token between PF 
and google.

I’ve only tested using Chrome and Firefox browsers, and only if Chrome is used 
does the redirect show accounts.blogger.com in the address field after 
entering the google account credentials.

Both browser windows show the “you may need to login to your network” message 
with a button; the button sends you back to the AUP.

Is there a certain log that I would be able to see PF talking to google, or 
just checking wireshark packets?
Thanks,

Bill

Sent from my iPad

On Apr 22, 2020, at 5:15 PM, Diego Garcia del Rio <garc...@gmail.com> wrote:
Just to be sure, do you have all the proper whitelists as well? It's weird that 
the user is directed to accounts.blogger.com... Also, you should be able to 
see your PF server making a request to google to validate the returned token.


On which version of PF are you? I've been using google auth successfully all 
the way up to 9.2 (I haven't tested anything newer though).

Also, not sure the logic you're using but you might want to check that the 
google source is assigning a role to the device in question..



On Wed, Apr 22, 2020 at 5:51 PM Bill Handler via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Running into an issue with Google oauth2 authentication via Captive Portal…


  *   Have it configured and set as an External Authentication Source
  *   Have all the correct settings on Google Developer site

What’s happening is that after entering the username/password in the Google 
display on the captive portal, the user is not put into the correct 
VLAN/redirected.  Authentication via AD/SMS/E-Mail works without issue.

If using Chrome Browser, the user is redirected to accounts.blogger.com with a 
long string afterwards; within Firefox, the URL shows as the portal URL with 
“?code=” and a long string – this is the token from Google I believe, based on 
some of the documentation.

The user stays in the registration VLAN and is not moved to the correct role.  
Not sure where to check to see why the user is not moving.

Any help is appreciated.

Thanks,

Bill

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
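Diego's point in this thread about the old userinfo URL and scope versus the OpenID Connect defaults, and the two branches in the OAuth.pm excerpt he pasted (the login is recorded and the role assigned only after the token validates, otherwise the user is sent back to the landing page), both come down to whether the provider's reply can be trusted before an identity is taken from it. The Python below is an added illustration written for this page, not PacketFence's Perl code: the response bodies are constructed to the shape of Google's documented v2 and OpenID Connect userinfo replies, the subject ids and e-mail address are placeholders, and the domain allow-list stands in for the whitelist setting the thread mentions.

```python
import json
from typing import Optional, Tuple

# Constructed sample bodies (not captured from a real account). Their shape
# follows Google's documented userinfo responses: the older
# https://www.googleapis.com/oauth2/v2/userinfo reply and the OpenID Connect
# https://openidconnect.googleapis.com/v1/userinfo reply the thread contrasts.
OLD_USERINFO = json.dumps({
    "id": "000000000000000000000",
    "email": "jdoe@example.org",
    "verified_email": True,
    "name": "J. Doe",
})
OIDC_USERINFO = json.dumps({
    "sub": "000000000000000000000",
    "email": "JDoe@Example.org",
    "email_verified": True,
    "name": "J. Doe",
})
# What a wrong scope or an expired access token typically comes back as
ERROR_BODY = json.dumps({"error": {"code": 401, "message": "Invalid Credentials"}})
# A reply that carries a profile but no e-mail claim (scope without 'email')
NO_EMAIL_BODY = json.dumps({"sub": "000000000000000000000", "name": "J. Doe"})


def username_from_provider_info(body: str) -> Tuple[Optional[str], str]:
    """Return (username, reason). username is None whenever the reply must
    not be trusted; only a non-None result should reach the success branch
    of the captive-portal flow (record the login, assign the role)."""
    try:
        info = json.loads(body)
    except ValueError:
        return None, "response is not JSON"
    if not isinstance(info, dict):
        return None, "response is not a JSON object"
    if "error" in info:
        return None, "provider returned an error: %r" % (info["error"],)
    email = info.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None, "no email claim in userinfo (check the requested scope)"
    # The old endpoint says verified_email, OIDC says email_verified.
    verified = info.get("email_verified", info.get("verified_email"))
    if verified is not True:
        return None, "e-mail address is not verified by the provider"
    return email.lower(), "ok"


def allowed_by_domain(email: str, allowed_domains) -> bool:
    """Domain allow-list applied after validation; stands in for the whitelist
    setting the thread refers to (re-implemented here, not PacketFence's code)."""
    domain = email.rpartition("@")[2].lower()
    return domain in {d.lower() for d in allowed_domains}


def portal_decision(body: str, allowed_domains) -> Tuple[str, str]:
    """Map a userinfo reply to the two outcomes of the pasted Perl: 'done'
    (login recorded, role assigned) or 'landing' (back to the login page),
    together with the reason worth writing to the log."""
    username, reason = username_from_provider_info(body)
    if username is None:
        return "landing", reason
    if not allowed_by_domain(username, allowed_domains):
        return "landing", "domain %s not in allow-list" % username.rpartition("@")[2]
    return "done", username


if __name__ == "__main__":
    for body in (OLD_USERINFO, OIDC_USERINFO, ERROR_BODY, NO_EMAIL_BODY, "<html>"):
        print(portal_decision(body, ["example.org"]))
```

A reply that validates under one endpoint validates under the other because both carry an email claim; an error body, a missing claim or a non-JSON page (a redirect to a login form, for instance) all end at the landing page with a reason that is worth logging at the info level, which is the message Bill was grepping for.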


Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Bill Handler via PacketFence-users
thing is coming 
back by seeing the url in the end-system’s browser.  It seems like PF is not 
authenticating the token.

I am still unsure what log file the logging entries you pointed out go to.  I 
was in the logs folder and ran a ‘cat *.log | grep OAuth’ but came back with no 
results.

Jonathan,

We’re not using the A3 variant from HiveManager/Extreme IQ, I’m just working 
with PacketFence straight (although we are an Extreme Networks partner and the 
AeroHive gear is part of our offerings now… ).  PacketFence is only handing out 
DHCP on the registration VLAN, our internal DHCP is handing out IPs on our data 
vlan, Firewall is handing out IPs on guest and phone vlans.  But, we’re never 
getting that far – the end-system is not being given the role and stays as 
unregistered.

httpd.portal.error Log has no entries for today.  I did a packet capture from 
the PF server and did see some traffic going to/from Google IP addresses, but 
it was TLS or TCP Acks and I could not tell what the payload was…

Thanks,

Bill

From: Diego Garcia del Rio <garc...@gmail.com>
Sent: Thursday, April 23, 2020 10:43 AM
To: Jonathan Nathanson <jmhnathan...@gmail.com>
Cc: packetfence-users@lists.sourceforge.net; Bill Handler <bhand...@pcsknox.com>
Subject: Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

Hi Jonathan, Bill,

The device will get the role indeed after a disconnect / CoA but given Bill 
mentions that his other auth methods work... I would be surprised that CoA 
fails for this. Also, he should still be seeing the device having the new role.

Below is my config of the google authentication source (old GUI, sorry).




Also, I seem to be using the OLD user information scheme / URL:

(look here: 
https://github.com/inverse-inc/packetfence/commit/8f38c0e5b51ff5daf83f1720aef8253059fa1a96)

I am using this:

has 'scope' => (isa => 'Str', is => 'rw', default => 'https://www.googleapis.com/auth/userinfo.email');
has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 'https://www.googleapis.com/oauth2/v2/userinfo');

instead of the new defaults, which are these:

has 'scope' => (isa => 'Str', is => 'rw', default => 'openid email profile');
has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 'https://openidconnect.googleapis.com/v1/userinfo');


basically it looks like this:




So maybe your authorized scope in google is for this old schema and not the new 
open-id one?

Also, keep in mind that accessing the google login portal from mobile devices 
can be tricky. Google blacklists the "embedded"  browsers of most phones so you 
need to launch chrome manually or contact google to get an exception for your 
specific APP ID.

Also, check your logs for any phrase like this: "OAuth2 Error: Failed to get 
the token"

(look at the code here: 
https://github.com/inverse-inc/packetfence/blob/541c6c8545195881b136bc55edb7cd531594061d/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/OAuth.pm
 )


You have these two logging entries in the code (you might need to increase the 
logging level to debug):

            # success path
            get_logger->info("OAuth2 successfull for username ".$self->username);
            $self->source->lookup_from_provider_info($self->username, $info);

            pf::auth_log::record_completed_oauth($self->source->id, $self->current_mac, $pid, $pf::auth_log::COMPLETED, $self->app->profile->name);

            $self->update_person_from_fields();

            $self->done();
        }
        else {
            # failure path: logged at info, the raw provider response only at debug;
            # the flash message is what the portal shows the user
            get_logger->info("OAuth2: failed to validate the token, redireting to login page.");
            get_logger->debug(sub { use Data::Dumper; "OAuth2 failed response : ".Dumper($response) });
            pf::auth_log::change_record_status($self->source->id, $self->current_mac, $pf::auth_log::FAILED, $self->app->profile->name);
            $self->app->flash->{error} = "OAuth2 Error: Failed to validate the token, please retry";
            $self->landing();
        }


good luck!




Cheers




On Thu, Apr 23, 2020 at 3:04 AM Jonathan Nathanson <jmhnathan...@gmail.com> wrote:
I had this very similar problem recently. Does A3 manage DHCP in the reg VLAN?

The role should be assigned following a disconnect / COA packet sent to the 
client device to get them to reconnect, I believe.

You should do a packet trace and check. You might also want to check 
corresponding log entries in httpd.portal.error to see if you can spot the 
issue there.

Jonathan

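Diego's walk-through above (the code comes back on the portal URL, PF redeems it for a token, looks the user up at protected_resource_url, and only then do the source's rules assign a role, with the two log lines telling you which step failed) as a runnable trace. This is an added example, not PacketFence's OAuth module and not Google's service: the provider is a constructed in-process stand-in, the rule that a token consented under the legacy scope is honoured only by the legacy userinfo URL (and the OIDC scope only by the OIDC URL) is an assumption made to model the mismatch Diego suspects, and the portal hostname, client credentials, e-mail addresses and allowed domain are made up. The scope strings and the two userinfo URLs are the ones quoted from the source above.

```python
"""Authorization-code login as a captive portal performs it, run against a
constructed in-process stand-in for the identity provider, so the whole
exchange (redirect with ?code=, token request, userinfo lookup, role
decision) can be traced offline.

Added illustration, not PacketFence or Google code.  The two userinfo URLs
and scope strings are the defaults quoted in the thread; the stand-in's rule
tying each scope to one userinfo URL, the portal hostname, the client
credentials, the e-mail addresses and the allowed domain are assumptions."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

OLD_SCOPE = "https://www.googleapis.com/auth/userinfo.email"
OLD_USERINFO = "https://www.googleapis.com/oauth2/v2/userinfo"
NEW_SCOPE = "openid email profile"
NEW_USERINFO = "https://openidconnect.googleapis.com/v1/userinfo"


@dataclass
class FakeProvider:
    """Stand-in provider.  Assumed rule, modelling the mismatch Diego
    suspects: a token consented under the legacy scope is honoured only by
    the legacy userinfo URL, and an OIDC-scope token only by the OIDC one."""
    client_id: str
    client_secret: str
    codes: dict = field(default_factory=dict)   # code  -> (scope, email)
    tokens: dict = field(default_factory=dict)  # token -> (scope, email)

    def login(self, email, scope):
        """User signs in at the provider; the browser comes back with ?code=."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (scope, email)
        return f"https://portal.example.net/oauth2/google?code={code}"

    def token_endpoint(self, form):
        """POST /token: the client must authenticate; a code is redeemable once."""
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code" or form.get("code") not in self.codes:
            return 400, {"error": "invalid_grant"}
        scope, email = self.codes.pop(form["code"])
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (scope, email)
        return 200, {"access_token": token, "token_type": "Bearer", "scope": scope}

    def userinfo_endpoint(self, url, token):
        """GET userinfo with a Bearer token; the URL decides which scope is required."""
        if token not in self.tokens:
            return 401, {"error": "invalid_token"}
        scope, email = self.tokens[token]
        if scope != (NEW_SCOPE if url == NEW_USERINFO else OLD_SCOPE):
            return 403, {"error": "insufficient_scope", "granted": scope}
        return 200, {"email": email, "email_verified": True}


def portal_callback(redirect_url, idp, client_id, client_secret, userinfo_url, allowed_domains):
    """Portal side: redeem the code, look the user up, decide.  Every failure
    names its stage, because "Failed to get the token" and "Failed to
    validate the token" are different problems and the log should say which."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "code" not in query:
        return {"ok": False, "stage": "callback", "detail": "no code parameter in redirect"}
    status, body = idp.token_endpoint({
        "grant_type": "authorization_code", "code": query["code"][0],
        "client_id": client_id, "client_secret": client_secret,
    })
    if status != 200 or "access_token" not in body:
        return {"ok": False, "stage": "token", "detail": body}
    status, info = idp.userinfo_endpoint(userinfo_url, body["access_token"])
    if status != 200 or "email" not in info:
        return {"ok": False, "stage": "userinfo", "detail": info}
    domain = info["email"].rpartition("@")[2].lower()
    if domain not in allowed_domains:
        return {"ok": False, "stage": "authorization", "detail": f"{domain} is not an allowed domain"}
    return {"ok": True, "stage": "done", "email": info["email"]}


def demo(consented_scope, configured_userinfo, email="alice@example.org"):
    """One login: the user consented to `consented_scope` at the provider,
    the portal is configured to fetch `configured_userinfo`."""
    idp = FakeProvider("portal-client-id", "portal-client-secret")
    redirect = idp.login(email, consented_scope)
    return portal_callback(redirect, idp, "portal-client-id", "portal-client-secret",
                           configured_userinfo, {"example.org"})


if __name__ == "__main__":
    for scope, url in ((OLD_SCOPE, OLD_USERINFO), (NEW_SCOPE, NEW_USERINFO), (OLD_SCOPE, NEW_USERINFO)):
        print(url.rsplit("/", 1)[-1], "with", scope.rsplit("/", 1)[-1], "->", demo(scope, url))
```

Run as a script it prints the three combinations: both matched pairs finish at "done", while the legacy scope against the OIDC userinfo URL stops at the "userinfo" stage, the branch that produces "Failed to validate the token" rather than "Failed to get the token". That distinction is worth establishing from the portal log before suspecting CoA or the role rules, since a device that never passes the userinfo stage never reaches them.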

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-23 Thread Bill Handler via PacketFence-users

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-22 Thread Bill Handler via PacketFence-users
I’m running on v10, using the default whitelist in the Google Auth config.  The 
end system is talking to google, verified with wireshark, and by inputting 
wrong password.

The end system’s role never gets updated, even though I have a catchall rule in 
place that should move it to a different VLAN.

I have not done a packet capture on server’s interface yet.  The end system 
stays as unregistered, so the issue may be authenticating the token between PF 
and google.

I’ve only tested using Chrome and Firefox browsers, and only if Chrome is used 
does the redirect show accounts.blogger.com in the address field after 
entering the google account credentials.

Both browser windows show the “you may need to login to your network” message 
with a button; the button sends you back to the AUP.

Is there a certain log in which I would be able to see PF talking to google, or 
is it just checking wireshark packets?

Thanks,

Bill

Sent from my iPad


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-22 Thread Bill Handler via PacketFence-users
Running into an issue with Google oauth2 authentication via Captive Portal...


  *   Have it configured and set as an External Authentication Source
  *   Have all the correct settings on Google Developer site

What's happening is that after entering the username/password in the Google 
display on the captive portal, the user is not put into the correct 
VLAN/redirected.  Authentication via AD/SMS/E-Mail works without issue.

If using Chrome Browser, user is redirected to accounts.blogger.com with a long 
string afterwards, within Firefox, the url shows as the portal url with 
"?code=" with a long string - this is the token from Google I believe, based on 
some of the documentation.

The user stays in the registration VLAN and is not moved to the correct role.  
Not sure where to check to see why the user is not moving.

Any help is appreciated.

Thanks,

Bill

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] POC Radius auth with Juniper switches

2020-04-15 Thread Bill Handler via PacketFence-users
Kevin,

Is the machine domain joined?  I found that when I was logging in with a domain 
machine via 802.1x, if I used the domain name in my username, either domain\user 
or u...@domain.com, it would fail. When I just used the username, it succeeded.

Thanks,

Bill

Sent from my iPhone

On Apr 15, 2020, at 5:56 PM, Kevin MacNeil via PacketFence-users wrote:

I am working on a proof of concept for Packetfence for our production Juniper 
environment of ~200 switches. I have EX4200's in my test lab and have used the 
Juniper example 
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_juniper
 in the network device configuration guide. Otherwise I have followed the 
installation guide. I was able to join to my local AD domain, which I then 
added to the default and null realms. I configured a new internal AD 
authentication source and the connection test works as expected. I added the 
catchall rule per the instructions. I created a new 802.1x connection profile 
as well per the instructions. I created a new switch group using the 
Juniper::EX type. However after configuring my Windows 10 test box I am getting 
the following error, "Network device does not support this mode of operation."

FWIW I have tried both the 12.3 and 15.1 versions of JUNOS with the same 
result. I'm guessing this is an easy problem but I'm not sure what is wrong. 
Any and all help appreciated.


Request Time
0
RADIUS Request
User-Name = "test\\kevin"
NAS-IP-Address = 192.168.98.3
NAS-Port = 75
State = 0x4cc4fae04dcce0c184a03c0a51cb6cd7
Called-Station-Id = "00:23:9c:00:0c:c0"
Calling-Station-Id = "08:00:27:0a:b3:58"
NAS-Identifier = "labsw3"
NAS-Port-Type = Ethernet
Acct-Session-Id = "8O2.1x81ab013900042681"
Event-Timestamp = "Apr 15 2020 17:04:26 EDT"
EAP-Message = 0x020800061a03
NAS-Port-Id = "ge-0/0/9.0"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "kevin"
Realm = "default"
PacketFence-Domain = "TEST"
PacketFence-KeyBalanced = "4f50863fad315484ff895de9b971f63b"
PacketFence-Radius-Ip = "192.168.13.41"
PacketFence-NTLMv2-Only = ""
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\",\"control:PacketFence-Switch-Id\":\"192.168.98.3\",\"control:PacketFence-Switch-Ip-Address\":\"192.168.98.3\",\"control:PacketFence-UserName\":\"testkevin\",\"control:PacketFence-Request-Time\":1586984666,\"control:PacketFence-Connection-Type\":\"Ethernet-EAP\",\"control:PacketFence-IfIndex\":75,\"control:PacketFence-Mac\":\"08:00:27:0a:b3:58\",\"Reply-Message\":\"Network device does not support this mode of operation\",\"control:PacketFence-Eap-Type\":26,\"control:PacketFence-Switch-Mac\":\"00:23:9c:00:0c:c0\"}"
User-Password = "**"
SQL-User-Name = "testkevin"
RADIUS Reply
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = "test\\kevin"


interfaces {
    interface-range access-ports {
        member-range ge-0/0/2 to ge-0/0/23;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
}

protocols {
    dot1x {
        authenticator {
            authentication-profile-name packetfence;
            interface {
                access-ports {
                    supplicant multiple;
                    mac-radius;
                }
            }
        }
    }
}

access {
    radius-server {
        192.168.13.41 {
            port 1812;
            secret "secret";
        }
    }

    profile packetfence {
        authentication-order radius;
        radius {
            authentication-server 192.168.13.41;
            accounting-server 192.168.13.41;
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
        }
    }
}

ethernet-switching-options {
    secure-access-port {
        interface access-ports {
            mac-limit 2 action drop;
        }
    }
}

snmp {
    name "labsw3";
    description juniper;
    location EX;
    contact "kevin@test.local";
    client-list list0 {
        192.168.13.41/32;
    }
    community public {
        authorization read-only;
        client-list-name list0;
    }
    community private {
        authorization read-write;
        client-list-name list0;
    }
}





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
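Bill's observation (domain\user and user@domain fail, the bare username works) and the Stripped-User-Name / Realm / PacketFence-Domain attributes in Kevin's dump both come down to how the RADIUS front end splits the realm label off User-Name before the NTLM lookup: in the dump, "test\kevin" became Stripped-User-Name "kevin", Realm "default" and PacketFence-Domain "TEST". The following is an added example re-implementing that split so each spelling can be compared; it is not FreeRADIUS's or PacketFence's realm code. The realm table (default and null both on TEST, plus a second corp.example realm), the domain names, the usernames and the derived ntlm_auth user field are assumptions.

```python
"""Realm handling the way a RADIUS front end does it before the NTLM/AD
lookup, so you can see which Stripped-User-Name, Realm and domain result
from each spelling of the same account (DOMAIN\\user, user@realm, bare).

Added illustration, not FreeRADIUS or PacketFence code.  The realm table,
domain names, usernames and the ntlm_auth user field are assumptions; the
attribute names mirror the ones in the RADIUS dump above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Realm:
    name: str     # realm name as configured ("default", "null", ...)
    domain: str   # NetBIOS name of the AD domain the realm authenticates against
    strip: bool   # whether the realm label is removed before authentication


# Constructed realm table: "default" and "null" both point at the TEST domain,
# as in Kevin's setup; "corp.example" is a second realm for the suffix case.
REALMS = {
    "default": Realm("default", "TEST", True),
    "null": Realm("null", "TEST", True),
    "corp.example": Realm("corp.example", "CORP", True),
}


def split_user_name(user_name):
    """Split User-Name into (bare user, realm label, form), applying the
    ntdomain rule (DOMAIN\\user) before the suffix rule (user@realm)."""
    if "\\" in user_name:
        label, _, user = user_name.partition("\\")
        return user, label, "ntdomain"
    if "@" in user_name:
        user, _, label = user_name.rpartition("@")
        return user, label, "suffix"
    return user_name, None, "bare"


def resolve(user_name, realms=REALMS, reject_unknown_realm=False):
    """Derive the attributes the authenticator would see.

    No label -> the "null" realm.  Unknown label -> the "default" realm, which
    silently authenticates 'OTHER\\kevin' against TEST with the label thrown
    away, unless reject_unknown_realm is set, in which case None (reject)."""
    user, label, form = split_user_name(user_name)
    if label is None:
        realm = realms["null"]
    elif label.lower() in realms:
        realm = realms[label.lower()]
    elif reject_unknown_realm:
        return None
    else:
        realm = realms["default"]
    authenticated_as = user if realm.strip else user_name
    return {
        "User-Name": user_name,
        "Stripped-User-Name": user if realm.strip else None,
        "Realm": realm.name,
        "PacketFence-Domain": realm.domain,
        # assumed: what the NTLM helper would be handed for this realm
        "ntlm_auth user": f"{realm.domain}\\{authenticated_as}",
        "form": form,
    }


if __name__ == "__main__":
    for name in ("test\\kevin", "kevin", "kevin@corp.example", "other\\kevin"):
        print(name, "->", resolve(name))
```

The caveat it makes visible: with the usual fall-through, other\kevin is authenticated against TEST exactly like test\kevin, so the realm part of what the user typed carries no authorization weight. If the label is meant to restrict which domain a credential can be tried against, the unknown-realm case has to be rejected rather than defaulted.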


[PacketFence-users] Question about PF ZEN on Hyper-V

2020-04-14 Thread Bill Handler via PacketFence-users
The installation documentation mentions that the ZEN VM can be deployed on 
Hyper-V, however, there is only an OVA file to download.  Is there another 
location to d/l the Hyper-V VM?

Thanks,

Bill

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users