[PacketFence-users] Generate security event on MSCHAPv2 connections

2023-11-22 Thread Cristian Mammoli via PacketFence-users

We are gradually phasing out EAP-MSCHAPv2. We configured EAP-TLS via GPO but we 
couldn't find an easy way to see which devices are still using MSCHAPv2 without 
going into each device detail or in the audit log.

Is there a way to trigger a security event when an EAP-MSCHAPv2 authentication 
occurs?

Regards

Cristian
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
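The question above receives no answer on this page. As an added example, not PacketFence code and not a PacketFence feature, here is one way to build the inventory the post asks for from RADIUS audit records, assuming each record carries the client MAC, the EAP type as FreeRADIUS names it (TLS, PEAP, MSCHAPv2), the outcome and a timestamp; the CSV below is constructed. It buckets each device by its most recent attempt and also yields the per-authentication stream that a security-event trigger would consume:

```python
"""Inventory devices still presenting EAP-MSCHAPv2, from RADIUS audit records.

Added example, not PacketFence code. Assumed record shape: created_at, mac,
user_name, eap_type (FreeRADIUS naming), auth_status. The CSV is constructed.
"""
import csv
import io
from datetime import datetime

# Constructed sample; a real export would come from the RADIUS audit log.
SAMPLE_AUDIT_CSV = """created_at,mac,user_name,eap_type,auth_status
2023-11-20 08:01:12,00:11:22:33:44:55,host/pc01.example.local,MSCHAPv2,Accept
2023-11-20 08:03:40,00:11:22:33:44:66,host/pc02.example.local,TLS,Accept
2023-11-21 09:15:03,00:11:22:33:44:55,host/pc01.example.local,TLS,Accept
2023-11-21 10:22:51,00:11:22:33:44:77,jdoe,MSCHAPv2,Accept
2023-11-22 07:58:19,00:11:22:33:44:88,host/pc04.example.local,PEAP,Accept
2023-11-22 08:10:00,00:11:22:33:44:77,jdoe,MSCHAPv2,Reject
"""


def classify(eap_type):
    """Bucket an EAP type string for the MSCHAPv2 -> EAP-TLS migration."""
    t = eap_type.upper()
    if "MSCHAP" in t:
        return "legacy"   # password-based inner method, the one being phased out
    if "TTLS" in t or "PEAP" in t:
        return "verify"   # tunnel method only; the inner method is not visible here
    if "TLS" in t:
        return "target"   # certificate-based EAP-TLS
    return "other"


def parse_records(csv_text):
    """Rows of the constructed CSV as dicts with a parsed timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ts": datetime.strptime(row["created_at"], "%Y-%m-%d %H:%M:%S"),
            "mac": row["mac"].lower(),
            "user": row["user_name"],
            "eap_type": row["eap_type"],
            "status": row["auth_status"],
        })
    return rows


def latest_method_per_device(csv_text):
    """{mac: (bucket, eap_type, ts)} from each device's most recent attempt.

    Rejected attempts count too: what is being inventoried is the supplicant
    configuration the device presents, not whether the attempt succeeded.
    """
    latest = {}
    for r in parse_records(csv_text):
        if r["mac"] not in latest or r["ts"] > latest[r["mac"]][2]:
            latest[r["mac"]] = (classify(r["eap_type"]), r["eap_type"], r["ts"])
    return latest


def devices_in_bucket(csv_text, bucket):
    """Sorted MACs whose latest attempt falls in the given bucket."""
    return sorted(m for m, (b, _, _) in latest_method_per_device(csv_text).items()
                  if b == bucket)


def mschapv2_events(csv_text):
    """(timestamp, mac, user) for every MSCHAPv2 attempt: one event per
    authentication, the stream a security-event trigger would act on."""
    return [(r["ts"].isoformat(sep=" "), r["mac"], r["user"])
            for r in parse_records(csv_text) if classify(r["eap_type"]) == "legacy"]


if __name__ == "__main__":
    for mac, (bucket, eap, ts) in sorted(latest_method_per_device(SAMPLE_AUDIT_CSV).items()):
        print(f"{mac}  {bucket:7}  {eap:9}  last seen {ts}")
    print("still on MSCHAPv2:", devices_in_bucket(SAMPLE_AUDIT_CSV, "legacy"))
```

The "verify" bucket exists because a record that only shows the tunnel method (PEAP, TTLS) does not say whether the inner method is MSCHAPv2 or EAP-TLS; those devices need a look at the inner-tunnel record before they are counted as migrated.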


[PacketFence-users] Re: Lots of No response from remote host "containers-gateway.internal" after upgrading to 12

2022-09-16 Thread Cristian Mammoli via PacketFence-users
I even ran tcpdump while those messages were getting logged and no SNMP traffic 
is leaving the box at all…

Cristian Mammoli
Network and Computer Systems Administrator
T. +39 0731719822
www.apra.it <https://www.apra.it>

Confidentiality notice. This message was sent by Apra spa or by one of the Group 
companies. It and any attachments may contain highly confidential information. 
If you are not the intended recipient, please notify us immediately by the same 
means and delete the message and any attachments without keeping a copy.

From: Semaan, Julien 
Sent: Friday, 16 September 2022 14:12
To: packetfence-users@lists.sourceforge.net
Cc: Cristian Mammoli 
Subject: Re: [PacketFence-users] Lots of No response from remote host 
"containers-gateway.internal" after upgrading to 12

Hi,

Can you try to test the SNMP connection using:
snmpwalk -v2c -c YOUR_COMMUNITY X.X.X.X

If the issue is limited to only 2 switches but others are working, then that 
could mean the issue is the SNMP configuration.

Cheers,


Julien Semaan
Lead Architect
Office: +1.613.670.8430
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


From: Cristian Mammoli via PacketFence-users <packetfence-users@lists.sourceforge.net>
Reply-To: packetfence-users@lists.sourceforge.net
Date: Friday, September 16, 2022 at 6:39 AM
To: packetfence-users@lists.sourceforge.net
Cc: Cristian Mammoli <c.mamm...@apra.it>
Subject: [PacketFence-users] Lots of No response from remote host 
"containers-gateway.internal" after upgrading to 12

Hi, after upgrading to 12.0 I noticed I have lots of:

httpd.aaa-docker-wrapper[33685]: httpd.aaa(7) ERROR: [mac:b0:22:7a:e3:ed:88] 
error creating SNMP v2c read connection to X.X.X.X: No response from remote 
host "containers-gateway.internal" (pf::Switch::connectRead)

Where X.X.X.X are the IP addresses of a couple of switches.
On those 2 switches we are having issues with users getting a RADIUS reject with:

Reason
rest: Request failed: 28 - Timeout was reached



[PacketFence-users] Re: Lots of No response from remote host "containers-gateway.internal" after upgrading to 12

2022-09-16 Thread Cristian Mammoli via PacketFence-users
No, the configuration is correct; anyway, I checked and it works:
root@srvpf:/usr/local/pf# snmpwalk -v2c -c public 192.168.16.40
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software, C2960X Software 
(C2960X-UNIVERSALK9-M), Version 15.2(2)E8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 22-Jan-18 04:41 by prod_rel_team"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.1208
iso.3.6.1.2.1.1.3.0 = Timeticks: (1081620638) 125 days, 4:30:06.38
…

Anyway, after restarting PacketFence it worked for a while and now it has started 
giving the same message on another switch.






[PacketFence-users] Lots of No response from remote host "containers-gateway.internal" after upgrading to 12

2022-09-16 Thread Cristian Mammoli via PacketFence-users
Hi, after upgrading to 12.0 I noticed I have lots of:

httpd.aaa-docker-wrapper[33685]: httpd.aaa(7) ERROR: [mac:b0:22:7a:e3:ed:88] 
error creating SNMP v2c read connection to X.X.X.X: No response from remote 
host "containers-gateway.internal" (pf::Switch::connectRead)

Where X.X.X.X are the IP addresses of a couple of switches.
On those 2 switches we are having issues with users getting a RADIUS reject with:

Reason
rest: Request failed: 28 - Timeout was reached

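Two details in the exchange above are worth pulling out of the logs rather than reading by eye: every error names the target switch IP but blames a different host, containers-gateway.internal, and the snmpwalk that succeeded was run from a root shell on the server while the failing lookups are logged by httpd.aaa-docker-wrapper. As an added example, not PacketFence code, the following parses httpd.aaa error lines of the shape quoted in the thread (the sample lines are constructed, with a syslog-style prefix and documentation addresses) and reports, per switch, how many lookups failed, which client MACs were affected and which host the message actually blames; it also applies the "only a few switches, or all of them" criterion from the reply above against a configured switch list:

```python
"""Aggregate httpd.aaa SNMP connect failures per target switch from journal lines.

Added example, not PacketFence code. Sample lines are constructed after the
message quoted in the thread; timestamps, hostname and addresses are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Sep 16 10:01:02 pf httpd.aaa-docker-wrapper[33685]: httpd.aaa(7) ERROR: [mac:b0:22:7a:e3:ed:88] error creating SNMP v2c read connection to 192.0.2.40: No response from remote host "containers-gateway.internal" (pf::Switch::connectRead)
Sep 16 10:01:09 pf httpd.aaa-docker-wrapper[33685]: httpd.aaa(7) ERROR: [mac:b0:22:7a:e3:ed:89] error creating SNMP v2c read connection to 192.0.2.40: No response from remote host "containers-gateway.internal" (pf::Switch::connectRead)
Sep 16 10:02:30 pf httpd.aaa-docker-wrapper[33685]: httpd.aaa(3) ERROR: [mac:b0:22:7a:e3:ed:88] error creating SNMP v2c read connection to 192.0.2.41: No response from remote host "containers-gateway.internal" (pf::Switch::connectRead)
Sep 16 10:03:00 pf httpd.aaa-docker-wrapper[33685]: httpd.aaa(3) INFO: [mac:b0:22:7a:e3:ed:90] handling radius autz request
"""

ERR_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] error creating SNMP (?P<ver>v\d\w*) read connection to "
    r"(?P<target>[^\s:]+): No response from remote host \"(?P<blamed>[^\"]+)\""
)


def parse_failures(text):
    """One dict per matching line: mac, SNMP version, target switch, blamed host."""
    out = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def failures_per_switch(text):
    """{target_ip: {"count": n, "macs": {...}, "blamed": {...}}}."""
    agg = defaultdict(lambda: {"count": 0, "macs": set(), "blamed": set()})
    for f in parse_failures(text):
        a = agg[f["target"]]
        a["count"] += 1
        a["macs"].add(f["mac"])
        a["blamed"].add(f["blamed"])
    return dict(agg)


def blamed_host_mismatch(text):
    """Targets whose error text names a host other than the target switch itself.

    A mismatch means the timeout is being reported against another name on the
    path, so a test against the switch from a different vantage point (the host
    shell) does not exercise what failed.
    """
    return sorted(t for t, a in failures_per_switch(text).items() if a["blamed"] - {t})


def scope(text, configured):
    """Split a configured switch list into failing and quiet ones.

    Failures confined to a few switches point at those switches' SNMP setup;
    failures spreading across all of them point at the path, not the switches.
    """
    failing = set(failures_per_switch(text))
    wanted = set(configured)
    return {"failing": sorted(failing & wanted),
            "quiet": sorted(wanted - failing),
            "unknown": sorted(failing - wanted)}


if __name__ == "__main__":
    for target, a in sorted(failures_per_switch(SAMPLE_LOG).items()):
        print(f"{target}: {a['count']} failures, {len(a['macs'])} MACs, blamed={sorted(a['blamed'])}")
    print("blame mismatch:", blamed_host_mismatch(SAMPLE_LOG))
    print(scope(SAMPLE_LOG, ["192.0.2.40", "192.0.2.41", "192.0.2.42"]))
```

Running it against the real journal (journalctl output piped in) gives the per-switch picture the thread is missing: if the failing set keeps moving between switches after restarts, as the second message reports, the "quiet" list shrinks over time even though every switch answers snmpwalk from the host.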


Re: [PacketFence-users] radiusd frequent segfaults

2021-09-17 Thread Cristian Mammoli via PacketFence-users

No more crashes in the last hour!

On 17/09/2021 11:56, Cristian Mammoli via PacketFence-users wrote:
Anyway I managed to build 3.0.23 with the patches I linked. Since FR 
crashes every couple of minutes I'll get an answer shortly ;-)


On 17/09/2021 11:44, Quiniou-Briand, Nicolas wrote:

Hello Cristian,

I will let Fabrice confirm, but as far as I know Fabrice was aware of this 
bug and rebuilt FreeRADIUS with that fix.


Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142







Re: [PacketFence-users] radiusd frequent segfaults

2021-09-17 Thread Cristian Mammoli via PacketFence-users
Anyway I managed to build 3.0.23 with the patches I linked. Since FR 
crashes every couple of minutes I'll get an answer shortly ;-)




Re: [PacketFence-users] radiusd frequent segfaults

2021-09-17 Thread Cristian Mammoli via PacketFence-users
Thanks Nicolas, can you share where to get the sources to build your 
version of freeradius?




Re: [PacketFence-users] radiusd frequent segfaults

2021-09-17 Thread Cristian Mammoli via PacketFence-users
Ok, the bug I'm hitting is likely this: 
https://github.com/FreeRADIUS/freeradius-server/issues/4129 (also see: 
http://lists.freeradius.org/pipermail/freeradius-users/2021-July/100336.html)


The commits that should fix the issue are:
https://github.com/FreeRADIUS/freeradius-server/commit/4d4af808a7b25c307d53f3e99e4727b89b110f8c
https://github.com/FreeRADIUS/freeradius-server/commit/8e204e3b6ab408106a422a55dc32e00a67e12ef3

I'm rebuilding FR and I'll keep you posted

On 17/09/2021 09:10, Cristian Mammoli via PacketFence-users wrote:
Hi guys, I'm going to open an issue upstream. Could you possibly share 
the .spec file you use for building freeradius?

I didn't find it in the repo or on GitHub.

Thanks


Re: [PacketFence-users] radiusd frequent segfaults

2021-09-17 Thread Cristian Mammoli via PacketFence-users
Hi guys, I'm going to open an issue upstream. Could you possibly share 
the .spec file you use for building freeradius?

I didn't find it in the repo or on GitHub.

Thanks


[PacketFence-users] radiusd frequent segfaults

2021-09-15 Thread Cristian Mammoli via PacketFence-users
Hi, after upgrading to v11 I noticed that radiusd auth 
(packetfence-radiusd-auth systemd unit) frequently exits with SEGV or 
ABRT and gets restarted by systemd:


Sep 15 11:29:04 srvpf.apra.it kernel: traps: radiusd[344149] general 
protection fault ip:42c6a8 sp:7f95a9c1aad0 error:0 in radiusd[40+6f000]
Sep 15 11:46:15 srvpf.apra.it kernel: traps: radiusd[351051] general 
protection fault ip:42c6a8 sp:7f6cdf4f1ad0 error:0 in radiusd[40+6f000]
Sep 15 12:22:22 srvpf.apra.it kernel: traps: radiusd[364681] general 
protection fault ip:42c6a8 sp:7f4b503a1ad0 error:0 in radiusd[40+6f000]
Sep 15 12:38:46 srvpf.apra.it kernel: traps: radiusd[369964] general 
protection fault ip:42c100 sp:7fbe190ceac8 error:0 in radiusd[40+6f000]
Sep 15 12:47:43 srvpf.apra.it kernel: traps: radiusd[373100] general 
protection fault ip:42c6a8 sp:7fe6dc7c8ad0 error:0 in radiusd[40+6f000]
Sep 15 13:15:41 srvpf.apra.it kernel: traps: radiusd[379014] general 
protection fault ip:42c6a8 sp:7f6fe8b2fad0 error:0 in radiusd[40+6f000]
Sep 15 13:38:15 srvpf.apra.it kernel: traps: radiusd[383774] general 
protection fault ip:42c6a8 sp:7f0439542ad0 error:0 in radiusd[40+6f000]
Sep 15 14:57:48 srvpf.apra.it kernel: traps: radiusd[404495] general 
protection fault ip:42c6a8 sp:7f4aa7d8cad0 error:0 in radiusd[40+6f000]
Sep 15 15:04:48 srvpf.apra.it kernel: traps: radiusd[406785] general 
protection fault ip:42c6a8 sp:7feb508c2ad0 error:0 in radiusd[40+6f000]
Sep 15 15:12:14 srvpf.apra.it kernel: traps: radiusd[410202] general 
protection fault ip:42c6a8 sp:7f2280066ad0 error:0 in radiusd[40+6f000]
Sep 15 16:05:07 srvpf.apra.it kernel: traps: radiusd[427480] general 
protection fault ip:42c6a8 sp:7f1038cf3ad0 error:0 in radiusd[40+6f000]
Sep 15 16:29:25 srvpf.apra.it kernel: traps: radiusd[432827] general 
protection fault ip:42c6a8 sp:7f282a736ad0 error:0 in radiusd[40+6f000]
Sep 15 16:40:03 srvpf.apra.it kernel: traps: radiusd[435608] general 
protection fault ip:42c6a8 sp:7f5ea01c2ad0 error:0 in radiusd[40+6f000]
Sep 15 17:53:55 srvpf.apra.it kernel: traps: radiusd[455854] general 
protection fault ip:42c6a8 sp:7f43c94a2ad0 error:0 in radiusd[40+6f000]
Sep 15 18:12:14 srvpf.apra.it kernel: traps: radiusd[4338] general 
protection fault ip:42c6a8 sp:7f1b71beaad0 error:0 in radiusd[40+6f000]


In the journal I have:
Sep 15 18:12:14 srvpf.apra.it auth[4323]: [mac:] Rejected user: dummy
Sep 15 18:12:14 srvpf.apra.it auth[4323]: (84) Rejected in post-auth: 
[dummy] (from client 192.168.16.42/32 port 0)
Sep 15 18:12:14 srvpf.apra.it auth[4323]: (84) Login incorrect (rest: 
Server returned:): [dummy] (from client 192.168.16.42/32 port 0)
*Sep 15 18:12:14 srvpf.apra.it systemd[1]: 
packetfence-radiusd-auth.service: Main process exited, code=killed, 
status=11/SEGV**
**Sep 15 18:12:14 srvpf.apra.it systemd[1]: 
packetfence-radiusd-auth.service: Failed with result 'signal'.*
Sep 15 18:12:14 srvpf.apra.it systemd[1]: 
packetfence-radiusd-auth.service: Service RestartSec=100ms expired, 
scheduling restart.
Sep 15 18:12:14 srvpf.apra.it systemd[1]: 
packetfence-radiusd-auth.service: Scheduled restart job, restart counter 
is at 1.
Sep 15 18:12:14 srvpf.apra.it systemd[1]: Stopped PacketFence FreeRADIUS 
authentication multi-protocol authentication server.
Sep 15 18:12:14 srvpf.apra.it systemd[1]: Starting PacketFence 
FreeRADIUS authentication multi-protocol authentication server...



I tried a few debug steps but I'm lost
I managed to produce a core dump if anyone could please have a look...

TIA

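The fifteen trap lines in the post above fault at ip 42c6a8 in all but one case (42c100 once). That is the first thing to establish before opening the core dump: a fixed faulting address means the same instruction faults every time, so one symbolized frame names where the bad dereference happens. As an added example, not FreeRADIUS or PacketFence code, the following parses trap lines of that shape and reports the dominant crash site, whether the ip falls inside the mapping the kernel reported, the offset to hand to addr2line, and the gaps between crashes. The sample lines are constructed after the post's format; the mapping start is assumed to be 400000 (the kernel's name[vm_start+size] form for a non-PIE binary), which this copy of the post shows shortened to 40.

```python
"""Triage repeated kernel 'general protection fault' traps for one daemon.

Added example, not FreeRADIUS or PacketFence code. Lines are constructed after
the format in the post above; the mapping is assumed to be the kernel's usual
name[vm_start+size] form with vm_start 400000 (non-PIE radiusd).
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_TRAPS = """\
Sep 15 11:29:04 pf kernel: traps: radiusd[344149] general protection fault ip:42c6a8 sp:7f95a9c1aad0 error:0 in radiusd[400000+6f000]
Sep 15 11:46:15 pf kernel: traps: radiusd[351051] general protection fault ip:42c6a8 sp:7f6cdf4f1ad0 error:0 in radiusd[400000+6f000]
Sep 15 12:38:46 pf kernel: traps: radiusd[369964] general protection fault ip:42c100 sp:7fbe190ceac8 error:0 in radiusd[400000+6f000]
Sep 15 12:47:43 pf kernel: traps: radiusd[373100] general protection fault ip:42c6a8 sp:7fe6dc7c8ad0 error:0 in radiusd[400000+6f000]
"""

TRAP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: traps: "
    r"(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\] general protection fault "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\[(?P<start>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]$"
)


def parse_trap(line, year=2021):
    """Fields of one trap line (addresses as ints), or None if it is not a GPF trap.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    m = TRAP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S"),
        "comm": d["comm"], "pid": int(d["pid"]), "obj": d["obj"],
        "ip": int(d["ip"], 16), "sp": int(d["sp"], 16),
        "start": int(d["start"], 16), "size": int(d["size"], 16),
    }


def parse_traps(text):
    return [t for t in (parse_trap(line) for line in text.splitlines()) if t]


def crash_sites(text):
    """Counter of (object, faulting ip): one dominant ip means one crash site."""
    return Counter((t["obj"], t["ip"]) for t in parse_traps(text))


def dominant_site(text, share=0.75):
    """(ip, count, total) when one ip accounts for at least `share` of the traps, else None."""
    sites = crash_sites(text)
    total = sum(sites.values())
    if not total:
        return None
    (_, ip), n = sites.most_common(1)[0]
    return (ip, n, total) if n / total >= share else None


def symbolize_hint(trap):
    """Whether the ip lies inside the reported mapping, and its offset from vm_start.

    For a non-PIE binary addr2line takes the ip itself (addr2line -f -e radiusd 0x42c6a8);
    for a PIE build the offset is what to symbolize. An ip outside the mapping
    means control went somewhere that is not this binary's text (e.g. a jump
    through a corrupted pointer) and the frame will not symbolize.
    """
    in_map = trap["start"] <= trap["ip"] < trap["start"] + trap["size"]
    return in_map, trap["ip"] - trap["start"]


def seconds_between_crashes(text):
    """Gaps between successive traps, to relate crash rate to request volume."""
    ts = sorted(t["ts"] for t in parse_traps(text))
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    for (obj, ip), n in crash_sites(SAMPLE_TRAPS).most_common():
        print(f"{obj} ip={ip:#x} faults={n}")
    print("dominant site:", dominant_site(SAMPLE_TRAPS))
    print("gaps (s):", seconds_between_crashes(SAMPLE_TRAPS))
```

Fed with journalctl -k output, this tells you before any debugger session whether you are chasing one deterministic site (as the post's 14-of-15 hits at 42c6a8 suggest) or scattered corruption, and gives the address to symbolize against the exact radiusd build that crashed.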


[PacketFence-users] Saved searches gone?

2021-09-14 Thread Cristian Mammoli via PacketFence-users
I noticed that I can't save node searches anymore (can't find the button 
at all)

Is it an issue with my setup??




Re: [PacketFence-users] Issue I noticed upgrading to v11

2021-09-09 Thread Cristian Mammoli via PacketFence-users

Thanks. Another thing I noticed was not imported is the Fingerbank API key.

Keep up the good work

On 08/09/2021 14:06, Quiniou-Briand, Nicolas wrote:


Hello,

1. Issue has been solved by Julien in maintenance [1]

You need to reinstall latest packetfence-export package on your 10.3 
installation.


2 and 4. I updated the documentation; it needs to be rebuilt.

4. We will push a fix for WMI in maintenance.

[1] 
https://github.com/inverse-inc/packetfence/commit/6d502b7b9b602e5a72521c0b9729e475fed79df8 





Re: [PacketFence-users] Issue I noticed upgrading to v11

2021-09-07 Thread Cristian Mammoli via PacketFence-users



On 07/09/2021 12:55, Quiniou-Briand, Nicolas wrote:


Hello Cristian,

First of all, thanks for your feedback.

1. Regarding /oauth/access_token and 
/common/network-access-detection.gif, could you re-run the export 
script like this:


#v+

bash -x /usr/local/pf/addons/full-import/export.sh /tmp/export.tgz

#v-

and send **only** the output of “Computing additional files” section ?



Computing additional files that are referenced in the configuration
++ /usr/local/pf/addons/full-import/find-extra-files.pl
+ add_files='/common/network-access-detection.gif
/oauth/access_token
/usr/local/pf/html/common/logo_NAC.png
/usr/local/pf/html/common/logo_NAC.png
/usr/local/pf/html/common/logo_NAC.png
/usr/local/pf/html/common/logo_NAC.png
/usr/local/pf/raddb/certs/server.crt
/usr/local/pf/raddb/certs/ca.pem'
+ for f in '$add_files'
+ grep '^/usr/local/pf/'
+ dirname /common/network-access-detection.gif
+ echo 'Found reference to external file that is outside the PF 
directory (/common/network-access-detection.gif)'
Found reference to external file that is outside the PF directory 
(/common/network-access-detection.gif)

++ dirname /common/network-access-detection.gif
+ base_dir=/common
+ mkdir -p .//common
+ check_code 0
+ '[' 0 -ne 0 ']'
+ cp -a /common/network-access-detection.gif .//common/
+ check_code 0
+ '[' 0 -ne 0 ']'
+ echo /common/network-access-detection.gif
+ for f in '$add_files'
+ grep '^/usr/local/pf/'
+ dirname /oauth/access_token
+ echo 'Found reference to external file that is outside the PF 
directory (/oauth/access_token)'
Found reference to external file that is outside the PF directory 
(/oauth/access_token)

++ dirname /oauth/access_token
+ base_dir=/oauth
+ mkdir -p .//oauth
+ check_code 0
+ '[' 0 -ne 0 ']'
+ cp -a /oauth/access_token .//oauth/
+ check_code 0
+ '[' 0 -ne 0 ']'
+ echo /oauth/access_token
+ for f in '$add_files'
+ dirname /usr/local/pf/html/common/logo_NAC.png
+ grep '^/usr/local/pf/'
+ echo 'Found reference to external file that is in the PF directory 
(/usr/local/pf/html/common/logo_NAC.png)'
Found reference to external file that is in the PF directory 
(/usr/local/pf/html/common/logo_NAC.png)

+ echo /usr/local/pf/html/common/logo_NAC.png
+ for f in '$add_files'
+ grep '^/usr/local/pf/'
+ dirname /usr/local/pf/html/common/logo_NAC.png
+ echo 'Found reference to external file that is in the PF directory 
(/usr/local/pf/html/common/logo_NAC.png)'
Found reference to external file that is in the PF directory 
(/usr/local/pf/html/common/logo_NAC.png)

+ echo /usr/local/pf/html/common/logo_NAC.png
+ for f in '$add_files'
+ grep '^/usr/local/pf/'
+ dirname /usr/local/pf/html/common/logo_NAC.png
+ echo 'Found reference to external file that is in the PF directory 
(/usr/local/pf/html/common/logo_NAC.png)'
Found reference to external file that is in the PF directory 
(/usr/local/pf/html/common/logo_NAC.png)

+ echo /usr/local/pf/html/common/logo_NAC.png
+ for f in '$add_files'
+ grep '^/usr/local/pf/'
+ dirname /usr/local/pf/html/common/logo_NAC.png
+ echo 'Found reference to external file that is in the PF directory 
(/usr/local/pf/html/common/logo_NAC.png)'
Found reference to external file that is in the PF directory 
(/usr/local/pf/html/common/logo_NAC.png)

+ echo /usr/local/pf/html/common/logo_NAC.png
+ for f in '$add_files'
+ grep '^/usr/local/pf/'
+ dirname /usr/local/pf/raddb/certs/server.crt
+ echo 'Found reference to external file that is in the PF directory 
(/usr/local/pf/raddb/certs/server.crt)'
Found reference to external file that is in the PF directory 
(/usr/local/pf/raddb/certs/server.crt)

+ echo /usr/local/pf/raddb/certs/server.crt
+ for f in '$add_files'
+ grep '^/usr/local/pf/'
+ dirname /usr/local/pf/raddb/certs/ca.pem
+ echo 'Found reference to external file that is in the PF directory 
(/usr/local/pf/raddb/certs/ca.pem)'
Found reference to external file that is in the PF directory 
(/usr/local/pf/raddb/certs/ca.pem)

+ echo /usr/local/pf/raddb/certs/ca.pem
+ main_splitter

4. Regarding the WMI scan filter, did you notice any issues if you keep 
the settings in place?


We didn’t provide any upgrade script to remove deprecated WMI 
configuration or to ignore it. If it’s a problem, we will see how we 
can handle that.



Connection profiles didn't work until I removed the reference

Sep  6 15:38:42 srvpf packetfence_httpd.aaa[2706]: httpd.aaa(2010) INFO: 
[mac:00:04:13:25:47:9a] Found authentication source(s) : 
'apra-user-auth-dc01' for realm 'null' 
(pf::config::util::filter_authentication_sources)
Sep  6 15:38:42 srvpf packetfence_httpd.aaa[2706]: httpd.aaa(2010) INFO: 
[mac:00:04:13:25:47:9a] security_event 133 force-closed for 
00:04:13:25:47:9a (pf::security_event::security_event_force_close)
Sep  6 15:38:42 srvpf packetfence_httpd.aaa[2706]: httpd.aaa(2010) INFO: 
[mac:00:04:13:25:47:9a] Instantiate profile apra-wired-portal 
(pf::Connection::ProfileFactory::_from_profile)
Sep  6 15:38:42 srvpf packetfence_httpd.aaa[2706]: httpd.aaa(2010) WARN: 

Re: [PacketFence-users] How to use username rewriting in v11?

2021-09-07 Thread Cristian Mammoli via PacketFence-users

Thanks, the macro was the missing bit to get what I wanted :-)

On 06/09/2021 19:47, Fabrice Durand wrote:

Hello,

you have to use the preprocess scope in the radius filter.
In addition you can use the macro 
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_filter_engine_macro 
<https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_filter_engine_macro>


Regards
Fabrice


On Mon, 6 Sept 2021 at 12:07, Cristian Mammoli via PacketFence-users 
<mailto:packetfence-users@lists.sourceforge.net> wrote:


Could you please provide an example of how to configure a RADIUS
filter to rewrite the username?

I'm referring to this:
https://github.com/inverse-inc/packetfence/pull/6293
<https://github.com/inverse-inc/packetfence/pull/6293>

Thanks


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] How to use username rewriting in v11?

2021-09-06 Thread Cristian Mammoli via PacketFence-users
Could you please provide an example of how to configure a RADIUS filter 
to rewrite the username?


I'm referring to this: https://github.com/inverse-inc/packetfence/pull/6293

Thanks


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Issue I noticed upgrading to v11

2021-09-06 Thread Cristian Mammoli via PacketFence-users
Hi guys, I don't know if an issue on GH would be a better place to post. If 
so, let me know.


Today I upgraded from 10.3 on CentOS 7 to v11 on CentOS 8

A few issues I noticed that imho should be taken care of or documented:

* The export script tries to copy /oauth/access_token and 
/common/network-access-detection.gif as if they are normal files


* After importing, Active Directory Domains need to be rejoined
* Radius profiles (TLS, EAP, OCSP etc.) are not imported and need to be 
recreated
* WMI scan filters have been dropped, I guess, but all references in 
connection profiles need to be cleaned up manually

* pf-maint.pl is gone

Regards
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
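
The bash -x trace quoted earlier in this thread (the "Computing additional files" section) and the first bullet of the post above describe the same defect: the export loop hands every path that find-extra-files.pl returns to cp -a, including /oauth/access_token and /common/network-access-detection.gif, which are URL paths taken from the OAuth source and the portal configuration, not files on disk. The following is an added example written for this page; it is not PacketFence's addons/full-import/export.sh and not code posted by anyone in the thread. It keeps the in-PF / outside-PF split visible in the trace and adds the check the traced loop lacks: copy only when the referenced path is a regular file. The staging-directory argument, the return codes and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not PacketFence's own addons/full-import/export.sh.
# Classify one path reported by find-extra-files.pl before copying it.
# Return codes (assumed for this example):
#   0  copied into the staging tree
#   1  inside /usr/local/pf, already part of the main export, nothing to copy
#   2  referenced in the configuration but not a regular file on disk
#      (the /oauth/access_token and /common/network-access-detection.gif case)
#   3  mkdir or cp failed
copy_referenced_file() {
    f=$1
    dest=$2          # hypothetical staging directory; the real script uses "."
    case "$f" in
        /usr/local/pf/*)
            # Same message the trace prints for these: the PF tree is
            # already in the tarball, so only list the reference.
            echo "Found reference to external file that is in the PF directory ($f)"
            return 1
            ;;
    esac
    if [ ! -f "$f" ]; then
        # URL path or stale reference: report it instead of handing it to cp,
        # which is what made the 10.3 -> 11 export trip over URL paths.
        echo "Skipping reference that is not a regular file on disk ($f)" >&2
        return 2
    fi
    base_dir=$(dirname "$f")
    mkdir -p "$dest$base_dir" || return 3
    cp -a "$f" "$dest$base_dir/" || return 3
    echo "Found reference to external file that is outside the PF directory ($f)"
    return 0
}

# Run the classifier over a whitespace-separated list of references (what
# $add_files holds in the traced script) and print a summary line.
# Exits non-zero only when a real copy failed, so a bogus URL path no
# longer aborts the whole export.
export_referenced_files() {
    list=$1
    dest=$2
    copied=0; skipped=0; failed=0
    for f in $list; do
        rc=0
        copy_referenced_file "$f" "$dest" || rc=$?
        case $rc in
            0) copied=$((copied + 1)) ;;
            2) skipped=$((skipped + 1)) ;;
            3) failed=$((failed + 1)) ;;
        esac
    done
    echo "copied=$copied skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}
```

With the exact list from the trace, every real file lives under /usr/local/pf/, so the only change in behaviour is that the two URL paths are reported on stderr and counted as skipped instead of being passed to cp; a reference to a real file outside the PF tree (a custom logo under /etc, say) is still copied into the staging directory with its original path.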


Re: [PacketFence-users] Tenant drop down show in web interface after upgrade from 8.1. 10.3

2021-07-09 Thread Cristian Mammoli via PacketFence-users

Solved!

Thanks!

On 09/07/2021 11:50, Cristian Mammoli via PacketFence-users wrote:

Yes, they are identical, I'll try to change one and keep you updated

On 09/07/2021 11:10, Quiniou-Briand, Nicolas wrote:


Hello,

> No both web interface and api users are admin but the password is 
not 'admin'


1. What do you mean by web interface and API users?
2. Did you define a webservice user and password in `pf.conf` under the 
[webservices] section? If yes, are these credentials identical to the 
admin credentials used to log in to the web admin? If yes, you need to 
change the password for the admin user used to reach the web admin and 
it will solve your issue.











___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Tenant drop down show in web interface after upgrade from 8.1. 10.3

2021-07-09 Thread Cristian Mammoli via PacketFence-users

Yes, they are identical, I'll try to change one and keep you updated

On 09/07/2021 11:10, Quiniou-Briand, Nicolas wrote:


Hello,

> No both web interface and api users are admin but the password is 
not 'admin'


1. What do you mean by web interface and API users?
2. Did you define a webservice user and password in `pf.conf` under the 
[webservices] section? If yes, are these credentials identical to the 
admin credentials used to log in to the web admin? If yes, you need to 
change the password for the admin user used to reach the web admin and 
it will solve your issue.





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Tenant drop down show in web interface after upgrade from 8.1. 10.3

2021-07-09 Thread Cristian Mammoli via PacketFence-users
No, both web interface and API users are admin but the password is not 
'admin'


On 09/07/2021 08:06, Quiniou-Briand, Nicolas wrote:


Hello Cristian,

It could be related to [1].

Is it possible that you use the default admin password: ‘admin’?

[1] https://github.com/inverse-inc/packetfence/issues/5545 






___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Tenant drop down show in web interface after upgrade from 8.1. 10.3

2021-07-07 Thread Cristian Mammoli via PacketFence-users

[root@PacketFence-ZEN pf]# rpm -qa|grep packetfence
packetfence-release-2.1.0-20210414154410.286398790.0007.v10.3.0.el7.noarch
packetfence-10.3.0-20210414154410.286398790.0007.v10.3.0.el7.x86_64
[root@PacketFence-ZEN pf]#
[root@PacketFence-ZEN pf]# ls -rtl /usr/local/pf/.patches/
total 244
-rw-r--r-- 1 root root 146099 Nov  5  2018 3861c9403e0fcc4cc517a8e73ed2eb013469db21-79fe515f83cbe82d1ec93623948f55b3efa31ffa.diff
-rw-r--r-- 1 root root   1156 Nov  6  2018 79fe515f83cbe82d1ec93623948f55b3efa31ffa-f2278abab32d248527599b1f25300e9e8b9c80f4.diff
-rw-r--r-- 1 root root  13042 Nov  7  2018 f2278abab32d248527599b1f25300e9e8b9c80f4-f17b5f6d6747ff4891cb523a70816f2d7b93c2d8.diff
-rw-r--r-- 1 root root  77143 Jul  1 17:12 03f8a65714be7915ddd8b2b5d007488c0b7154cb-8fb1c23017b626992f8bb1bad71ea13aba012928.diff
-rw-r--r-- 1 root root   3850 Jul  7 11:49 8fb1c23017b626992f8bb1bad71ea13aba012928-668c4c65ab29fc75c69c2e506fa7eacca5548dc6.diff

[root@PacketFence-ZEN pf]#
[root@PacketFence-ZEN pf]# ls -rtl /usr/local/pf/html/pfappserver/root/
total 6784
-rw-r--r--   1 pf   pf  1288 Apr 14 18:06 vue.config.js
-rw-r--r--   1 pf   pf  4330 Apr 14 18:06 README.md
-rw-r--r--   1 pf   pf   560 Apr 14 18:06 Makefile
-rw-r--r--   1 pf   pf   137 Apr 14 18:06 babel.config.js
-rw-r--r--   1 pf   pf    601661 Apr 14 18:06 package-lock.json
-rw-r--r--   1 pf   pf  1969 Apr 14 18:06 package.json
drwxr-xr-x   6 pf   pf    88 Jun 29 20:37 dist-pre-maintenance-1625651443
drwxr-xr-x   6 pf   pf    88 Jul  1 17:04 dist-pre-maintenance-1625152408

drwxr-xr-x   3 pf   pf   298 Jul  1 17:04 doc
drwxr-xr-x   2 pf   pf    80 Jul  1 17:04 errors
drwxr-xr-x.  2 pf   pf   121 Jul  1 17:04 interface
drwxr-xr-x   2 pf   pf    43 Jul  1 17:04 public
drwxr-xr-x  12 pf   pf   187 Jul  1 17:04 src
drwxr-xr-x.  2 pf   pf    72 Jul  1 17:04 pfqueue
drwxr-xr-x.  2 pf   pf    28 Jul  1 17:04 node
drwxr-xr-x.  2 pf   pf    31 Jul  1 17:04 graph
drwxr-xr-x.  3 pf   pf    20 Jul  1 17:04 config
drwxr-xr-x   6 root root  88 Jul  7 09:29 dist
-rw-r--r--   1 pf   pf   6319388 Jul  7 11:50 dist.tgz
[root@PacketFence-ZEN pf]#
[root@PacketFence-ZEN pf]# ls -rtl /usr/local/pf/html/pfappserver/root/dist/js
total 26348
-rw-r--r-- 1 root root  165527 Jul  7 09:29 Users.8913ddb8.js.map
-rw-r--r-- 1 root root   57913 Jul  7 09:29 Users.8913ddb8.js
-rw-r--r-- 1 root root 2437941 Jul  7 09:29 Reports.e0729914.js.map
-rw-r--r-- 1 root root  987223 Jul  7 09:29 Reports.e0729914.js
-rw-r--r-- 1 root root 3285924 Jul  7 09:29 Nodes.b9758fb5.js.map
-rw-r--r-- 1 root root  813840 Jul  7 09:29 Nodes.b9758fb5.js
-rw-r--r-- 1 root root   28134 Jul  7 09:29 Import.8d5ecb72.js.map
-rw-r--r-- 1 root root    8309 Jul  7 09:29 Import.8d5ecb72.js
-rw-r--r-- 1 root root  297436 Jul  7 09:29 Fingerbank.5907532a.js.map
-rw-r--r-- 1 root root  104767 Jul  7 09:29 Fingerbank.5907532a.js
-rw-r--r-- 1 root root   80701 Jul  7 09:29 Editor~Users.b40d72b9.js.map
-rw-r--r-- 1 root root   37379 Jul  7 09:29 Editor~Users.b40d72b9.js
-rw-r--r-- 1 root root   53954 Jul  7 09:29 Editor.de2f30d0.js.map
-rw-r--r-- 1 root root   19467 Jul  7 09:29 Editor.de2f30d0.js
-rw-r--r-- 1 root root  193753 Jul  7 09:29 Configurator.2ff6a558.js.map
-rw-r--r-- 1 root root   65736 Jul  7 09:29 Configurator.2ff6a558.js
-rw-r--r-- 1 root root   55335 Jul  7 09:29 Configuration~Configurator~Fingerbank.a0ad8089.js.map
-rw-r--r-- 1 root root   20858 Jul  7 09:29 Configuration~Configurator~Fingerbank.a0ad8089.js
-rw-r--r-- 1 root root   58324 Jul  7 09:29 Configuration~Configurator.8ff5eea2.js.map
-rw-r--r-- 1 root root   23889 Jul  7 09:29 Configuration~Configurator.8ff5eea2.js

-rw-r--r-- 1 root root 5438276 Jul  7 09:29 Configuration.649cb0af.js.map
-rw-r--r-- 1 root root 2308935 Jul  7 09:29 Configuration.649cb0af.js
-rw-r--r-- 1 root root 4739617 Jul  7 09:29 chunk-vendors.18e01d5f.js.map
-rw-r--r-- 1 root root 1217879 Jul  7 09:29 chunk-vendors.18e01d5f.js
-rw-r--r-- 1 root root  300716 Jul  7 09:29 chunk-4a5f46a6.d9c728ec.js.map
-rw-r--r-- 1 root root   71567 Jul  7 09:29 chunk-4a5f46a6.d9c728ec.js
-rw-r--r-- 1 root root  18 Jul  7 09:29 Auditing.7c98371d.js.map
-rw-r--r-- 1 root root   34648 Jul  7 09:29 Auditing.7c98371d.js
-rw-r--r-- 1 root root 2793619 Jul  7 09:29 app.3a442e71.js.map
-rw-r--r-- 1 root root 1092388 Jul  7 09:29 app.3a442e71.js
[root@PacketFence-ZEN pf]#


On 07/07/2021 16:39, Quiniou-Briand, Nicolas wrote:


rpm -qa|grep packetfence

ls -rtl /usr/local/pf/.patches/

ls -rtl /usr/local/pf/html/pfappserver/root/

ls -rtl /usr/local/pf/html/pfappserver/root/dist/js




Re: [PacketFence-users] Tenant drop down show in web interface after upgrade from 8.1. 10.3

2021-07-07 Thread Cristian Mammoli via PacketFence-users

I tried in incognito, but it happens even with another browser

Here is the token_info property:
{
    "item": {
    "admin_actions": [
    "NODES_DELETE",
    "REALM_CREATE",
    "TRAFFIC_SHAPING_DELETE",
    "PFCRON_UPDATE",
    "AUDITING_READ",
    "PORTAL_MODULE_DELETE",
    "INTERFACES_READ",
    "RADIUS_LOG_READ",
    "SYSLOG_READ",
    "USERS_SET_BANDWIDTH_BALANCE",
    "USERS_MARK_AS_SPONSOR",
    "USERS_READ",
    "PKI_PROVIDER_DELETE",
    "DNS_LOG_UPDATE",
    "REALM_DELETE",
    "NODES_UPDATE",
    "CONNECTION_PROFILES_UPDATE",
    "USERS_ROLES_READ",
    "SECURITY_EVENTS_UPDATE",
    "PKI_PROVIDER_CREATE",
    "DNS_LOG_READ",
    "FIREWALL_SSO_CREATE",
    "DHCP_OPTION_82_UPDATE",
    "USERS_SOURCES_UPDATE",
    "PROVISIONING_DELETE",
    "TENANT_MASTER",
    "PFDETECT_DELETE",
    "USERS_CREATE",
    "CONNECTION_PROFILES_DELETE",
    "SECURITY_EVENTS_READ",
    "USERS_SET_ROLE",
    "WMI_CREATE",
    "NODES_READ",
    "SCAN_CREATE",
    "FLOATING_DEVICES_CREATE",
    "PKI_DELETE",
    "USERS_CREATE_MULTIPLE",
    "ADMIN_API_AUDIT_LOG_READ",
    "WMI_UPDATE",
    "SYSTEM_UPDATE",
    "SWITCHES_DELETE",
    "FINGERBANK_READ",
    "USERS_READ_SPONSORED",
    "SCAN_DELETE",
    "PKI_UPDATE",
    "DOMAIN_CREATE",
    "WRIX_CREATE",
    "PKI_PROVIDER_UPDATE",
    "INTERFACES_DELETE",
    "DHCP_OPTION_82_READ",
    "NODES_CREATE",
    "CONFIGURATION_MAIN_UPDATE",
    "INTERFACES_CREATE",
    "PFCRON_CREATE",
    "FLOATING_DEVICES_DELETE",
    "SCAN_UPDATE",
    "PORTAL_MODULE_CREATE",
    "FINGERBANK_CREATE",
    "WMI_DELETE",
    "FILTERS_UPDATE",
    "USERS_ROLES_CREATE",
    "USERS_ROLES_UPDATE",
    "SCAN_READ",
    "CONNECTION_PROFILES_CREATE",
    "PROVISIONING_UPDATE",
    "PKI_PROVIDER_READ",
    "PKI_READ",
    "PROVISIONING_READ",
    "MSE_READ",
    "PFCRON_READ",
    "PKI_CREATE",
    "DNS_LOG_CREATE",
    "WMI_READ",
    "ADMIN_ROLES_CREATE",
    "BILLING_TIER_CREATE",
    "SERVICES_CREATE",
    "PFDETECT_CREATE",
    "ADMIN_ROLES_READ",
    "PORTAL_MODULE_UPDATE",
    "SWITCHES_CREATE",
    "DOMAIN_DELETE",
    "DOMAIN_READ",
    "WRIX_READ",
    "FIREWALL_SSO_UPDATE",
    "USERS_SOURCES_DELETE",
    "SELF_SERVICE_READ",
    "CONFIGURATION_MAIN_READ",
    "SWITCHES_UPDATE",
    "FINGERBANK_DELETE",
    "USERS_SET_UNREG_DATE",
    "SERVICES_UPDATE",
    "SYSLOG_CREATE",
    "INTERFACES_UPDATE",
    "USERS_SET_ACCESS_DURATION",
    "USERS_CREATE_OVERWRITE",
    "BILLING_TIER_READ",
    "RADIUS_LOG_UPDATE",
    "PROVISIONING_CREATE",
    "SELF_SERVICE_UPDATE",
    "DNS_LOG_DELETE",
    "USERS_SOURCES_CREATE",
    "ADMIN_ROLES_UPDATE",
    "SYSLOG_UPDATE",
    "SECURITY_EVENTS_CREATE",
    "DHCP_OPTION_82_DELETE",
    "SWITCHES_READ",
    "TRAFFIC_SHAPING_READ",
    "PFDETECT_READ",
    "SWITCH_LOGIN_READ",
    "FILTERS_READ",
    "SYSLOG_DELETE",
    "WRIX_UPDATE",
    "REPORTS_READ",
    "USERS_DELETE",
    "FLOATING_DEVICES_READ",
    "SWITCH_LOGIN_WRITE",
    "SYSTEM_CREATE",
    "SELF_SERVICE_DELETE",
    "CONNECTION_PROFILES_READ",
    "RADIUS_LOG_DELETE",
    "MAC_READ",
    "MAC_UPDATE",
    "USERS_SET_ACCESS_LEVEL",
    "USERS_SET_TENANT_ID",
    "REALM_UPDATE",
    "BILLING_TIER_DELETE",
    "RADIUS_LOG_CREATE",
    "USERS_ROLES_DELETE",
    "SECURITY_EVENTS_DELETE",
    "USERS_UPDATE",
    "FINGERBANK_UPDATE",
    "TRAFFIC_SHAPING_UPDATE",
    "FIREWALL_SSO_READ",
    "PFDETECT_UPDATE",
    "USERS_SET_TIME_BALANCE",
    "WRIX_DELETE",
    "SYSTEM_READ",
    "TRAFFIC_SHAPING_CREATE",
    "FLOATING_DEVICES_UPDATE",
    "DHCP_OPTION_82_CREATE",
    "SYSTEM_DELETE",
    "CONFIGURATION_MAIN_CREATE",
    "PORTAL_MODULE_READ",
    "DOMAIN_UPDATE",
    "USERS_SOURCES_READ",
    "BILLING_TIER_UPDATE",
    "REALM_READ",
    "SERVICES_READ",
    "SERVICES_DELETE",
    "FIREWALL_SSO_DELETE",
    

Re: [PacketFence-users] Tenant drop down show in web interface after upgrade from 8.1. 10.3

2021-07-07 Thread Cristian Mammoli via PacketFence-users



1. Did you manage tenants on this instance?



Nope


2. Could you paste here results of following commands:

#v+

mysql -u $(perl -I/usr/local/pf/lib -Mpf::db -e 'print $pf::db::DB_Config->{user}') -p$(perl -I/usr/local/pf/lib -Mpf::db -e 'print $pf::db::DB_Config->{pass}') -h $(perl -I/usr/local/pf/lib -Mpf::db -e 'print $pf::db::DB_Config->{host}') pf


select tenant_id from password where pid='admin';

select * from tenant;

#v-



[root@PacketFence-ZEN ~]# mysql -u $(perl -I/usr/local/pf/lib -Mpf::db -e 'print $pf::db::DB_Config->{user}') -p$(perl -I/usr/local/pf/lib -Mpf::db -e 'print $pf::db::DB_Config->{pass}') -h $(perl -I/usr/local/pf/lib -Mpf::db -e 'print $pf::db::DB_Config->{host}') pf

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 148328
Server version: 10.2.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input 
statement.


MariaDB [pf]>
MariaDB [pf]> select tenant_id from password where pid='admin';
+-----------+
| tenant_id |
+-----------+
|         1 |
+-----------+
1 row in set (0.00 sec)

MariaDB [pf]>
MariaDB [pf]> select * from tenant;
+----+---------+--------------------+-------------+
| id | name    | portal_domain_name | domain_name |
+----+---------+--------------------+-------------+
|  0 | global  | NULL               | NULL        |
|  1 | default | NULL               | NULL        |
+----+---------+--------------------+-------------+
2 rows in set (0.00 sec)

MariaDB [pf]>


Please compare with your similar upgrade if you see some differences.


Same output :(

Also you can look at web browser console when you login on PacketFence 
webadmin to check response body of /api/v1/token_info call.

You should see which tenant has been assigned.


All I can see in the console windows is:
"DevTools failed to load source map: Could not load content for 
https://nac.pedini.it:1443/dist/dygraph.min.js.map: HTTP error: status 
code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE"







___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Tenant drop down show in web interface after upgrade from 8.1. 10.3

2021-07-06 Thread Cristian Mammoli via PacketFence-users

Yes, I run pf-maint.pl and rebooted

On 05/07/2021 14:42, Quiniou-Briand, Nicolas wrote:


Hello Cristian,

Could you confirm that you applied the latest maintenance patches and 
restarted all services on your updated installation?





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Tenant drop down show in web interface after upgrade from 8.1. 10.3

2021-07-02 Thread Cristian Mammoli via PacketFence-users
Hi, after upgrading a setup from 8.1 to 10.3 (following all the steps, 
of course) I can select the tenant in the web interface




Of course the global tenant is completely empty but is always selected 
by default


This didn't happen in another similar update, the tenant is "default" 
and cannot be changed
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Empty NTLM redis cache

2021-04-30 Thread Cristian Mammoli via PacketFence-users

[root@srvpf conf]# cat domain.conf
[APRA]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
ntlm_cache=enabled
registration=1
ntlm_cache_expiry=2592000
dns_name=APRA.IT
dns_servers=192.168.0.7,192.168.0.76
ou=Computers
ntlm_cache_on_connection=enabled
workgroup=APRA
ntlm_cache_batch_one_at_a_time=disabled
sticky_dc=*
ad_server=*
ntlm_cache_batch=enabled
server_name=%h
ntlm_cache_source=apra-user-auth-dc01
bind_pass=xx
bind_dn=xx
status=enabled
ntlmv2_only=0

[root@srvpf conf]# cat authentication.conf
[local]
description=Local Users
type=SQL
realms=null
dynamic_routing_module=AuthModule

[sms]
description=Registrazione SMS
sms_carriers=100999
type=SMS
create_local_account=no
set_access_level_action=
local_account_logins=0
pin_code_length=6
dynamic_routing_module=AuthModule
sms_activation_timeout=10m
message=PIN: $pin
password_length=8
hash_passwords=bcrypt
set_access_durations_action=
local_account_expiration=0s

[sms rule catchall]
action0=set_role=guest
status=enabled
match=all
class=authentication
action1=set_access_duration=1D

[email]
description=Registrazione E-mail
email_activation_timeout=10m
type=Email
allow_localdomain=no
create_local_account=no
set_access_level_action=
local_account_logins=0
dynamic_routing_module=AuthModule
password_length=8
hash_passwords=bcrypt
local_account_expiration=0s

[email rule catchall]
action0=set_role=guest
match=all
class=authentication
action1=set_access_duration=1D
status=enabled

[sponsor]
description=Registrazione Sponsor
type=SponsorEmail
allow_localdomain=yes
create_local_account=no
set_access_level_action=
local_account_logins=0
sponsorship_bcc=
email_activation_timeout=30m
validate_sponsor=yes
dynamic_routing_module=AuthModule
password_length=8
lang=
hash_passwords=bcrypt
sources=
register_on_activation=disabled
local_account_expiration=0s

[sponsor rule catchall]
action0=set_role=consultants
match=all
class=authentication
action1=set_access_duration=7D
status=enabled

[null]
description=Null Source
type=Null
email_required=no
set_access_level_action=
dynamic_routing_module=AuthModule

[null rule catchall]
action0=set_role=guest
match=all
class=authentication
action1=set_access_duration=1D
description=catchall
status=enabled

[facebook]
create_local_account=no
access_token_param=access_token
client_secret=xxx
access_token_path=/oauth/access_token
set_access_level_action=
protected_resource_url=https://graph.facebook.com/me?fields=id,name,email,first_name,last_name
scope=email
local_account_logins=0
client_id=700428460151401
description=Registrazione Facebook
domains=*.facebook.com,*.fbcdn.net,*.akamaihd.net,*.akamaiedge.net,*.edgekey.net,*.akamai.net
site=https://graph.facebook.com
redirect_url=https://nac.apra.it/oauth2/callback
type=Facebook
dynamic_routing_module=AuthModule
password_length=8
hash_passwords=bcrypt
local_account_expiration=0s

[facebook rule catchall]
action0=set_role=guest
match=all
class=authentication
action1=set_access_duration=1D
status=enabled

[apra-machine-auth-dc01]
cache_match=0
realms=apra,apra.it,default,null
basedn=dc=apra,dc=it
password=xx
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=5
binddn=cn=packetfence,cn=Users,dc=apra,dc=it
encryption=starttls
port=389
description=Apra Machine authentication
host=192.168.0.7,192.168.0.76
type=AD
read_timeout=10
write_timeout=5
monitor=1
dynamic_routing_module=AuthModule
shuffle=1
searchattributes=
set_access_durations_action=
dead_duration=60

[apra-machine-auth-dc01 rule DomainComputers]
action0=set_role=machineauth
status=enabled
match=all
class=authentication
action1=set_access_duration=10Y

[apra-user-auth-dc01]
cache_match=0
realms=apra,apra.it,default,null
basedn=dc=apra,dc=it
password=xx
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=cn=packetfence,cn=Users,dc=apra,dc=it
encryption=starttls
port=389
description=Apra User authentication
host=192.168.0.7,192.168.0.76
type=AD
read_timeout=10
write_timeout=5
monitor=1
dynamic_routing_module=AuthModule
shuffle=1
searchattributes=
set_access_durations_action=
dead_duration=60

[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it
status=enabled
match=any
condition1=sAMAccountName,equals,nms
class=administration
action1=mark_as_sponsor=1

[apra-user-auth-dc01 rule Sponsors]
action0=mark_as_sponsor=1
status=enabled
match=all
class=administration

[apra-user-auth-dc01 rule Voice]
action0=set_role=voice
condition0=sAMAccountName,equals,voice
status=enabled
match=all
class=authentication
action1=set_access_duration=10Y

[apra-user-auth-dc01 rule Staff_IT]
action0=set_role=staff_it
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it

Re: [PacketFence-users] Switch authentication grants access *with any password* as long as the username is correct (10.3)

2021-04-28 Thread Cristian Mammoli via PacketFence-users

Great, thanks for the quick patch

On 28/04/2021 04:25, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

thanks for the report.
On my side I was able to replicate the issue and I pushed a fix in the
maintenance branch.
So you can run /usr/local/pf/addons/pf-main.pl and
restart the httpd.aaa service.


Regards
Fabrice


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Switch authentication grants access *with any password* as long as the username is correct (10.3)

2021-04-27 Thread Cristian Mammoli via PacketFence-users
Hi, I noticed that after the upgrade to 10.3 I can authenticate to the
devices' CLI with any password ()

I reverted to 10.2 and it works correctly:

auth.conf:
[apra-user-auth-dc01]
cache_match=0
realms=apra,apra.it,default,null
basedn=dc=apra,dc=it
password=
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=cn=packetfence,cn=Users,dc=apra,dc=it
encryption=starttls
port=389
description=Apra User authentication
host=192.168.0.7,192.168.0.76
type=AD
read_timeout=10
write_timeout=5
monitor=1
dynamic_routing_module=AuthModule
shuffle=1
searchattributes=
set_access_durations_action=

[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it
status=enabled
match=any
condition1=sAMAccountName,equals,nms
class=administration
action1=mark_as_sponsor=1

[group switch_jesi_accesso]
description=Switch Jesi Accesso
VoIPEnabled=Y
registrationVlan=112
SNMPCommunityWrite=
guestVlan=99
deauthMethod=RADIUS
type=Cisco::Catalyst_2960
employeesVlan=24
isolationVlan=113
radiusSecret=
SNMPVersion=2c
consultantsVlan=24
voiceVlan=14
machineauthVlan=24
defaultVlan=1
staff_itVlan=24
printersVlan=1
ap_managementVlan=-1
videosorveglianzaVlan=21
always_trigger=1
cliAccess=Y
adiacentVlan=17
uplink_dynamic=0


As long as a user is a member of "CN=Apra
Admins,OU=Admins,OU=Utenti,DC=apra,DC=it", any password is accepted, on
any type of switch.


This is a log from 10.3 (with wrong password):
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN: 
[mac:58:03:fb:51:bc:35] Trying to match IP address with an invalid MAC 
address 'undef' (pf::ip4log::mac2ip)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Found authentication source(s) : 
'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null' 
(pf::config::util::filter_authentication_sources)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Using sources local, apra-machine-auth-dc01, 
apra-user-auth-dc01 for matching (pf::authentication::match2)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN: 
[mac:58:03:fb:51:bc:35] [apra-user-auth-dc01 Administrator] Searching 
for (&(sAMAccountName=c.mammoli.adm)(|(memberOf=CN=Apra 
Admins,OU=Admins,OU=Utenti,DC=apra,DC=it)(sAMAccountName=nms))), from 
dc=apra,dc=it, with scope sub 
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source 
apra-user-auth-dc01, returning actions. 
(pf::Authentication::Source::match_rule)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source 
apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with 
write access (pf::Switch::Cisco::returnAuthorizeWrite)


10.2 (wrong password):
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] Trying to match IP address with an invalid MAC 
address 'undef' (pf::ip4log::mac2ip)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: 
[mac:d0:22:be:5f:2c:35] Found authentication source(s) : 
'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null' 
(pf::config::util::filter_authentication_sources)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at 
/usr/local/pf/lib/pf/radius.pm line 921.
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at 
/usr/local/pf/lib/pf/radius.pm line 921.
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: 
[mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] [apra-machine-auth-dc01] No entries found (0) 
with filter (servicePrincipalName=c.mammoli.adm) from dc=apra,dc=it on 
192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: 
[mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] [apra-user-auth-dc01] User 
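
A triage aid for the behaviour reported above, added here as an example and not part of the thread or of PacketFence: it rejoins wrapped httpd.aaa log records and flags CLI logins that were authorized with no LDAP bind attempt logged for the same request. The correlation key (worker PID plus client MAC) and the sample records (the two excerpts above, plus one constructed accepted login) are this example's assumptions.

```python
"""
Added example for the thread above (not PacketFence code): a triage script
that reads packetfence_httpd.aaa log lines and flags switch CLI logins
that were authorized without any LDAP authenticate call in between.

Heuristic taken from the two excerpts in the report: the 10.2 flow logs a
line from pf::Authentication::Source::LDAPSource::authenticate (a bind
attempt) before anything is granted, while the 10.3 flow jumps from
match_rule straight to returnAuthorizeWrite. Correlating lines by worker
PID plus client MAC, as the excerpts do, is this example's assumption; a
logged authenticate line only proves a bind was attempted, not that it
succeeded, so a hit here is a lead to check, not a verdict.
"""
import re
from collections import defaultdict

# Start of a real log record; anything else is a continuation wrapped by a
# mail client or pager, as in the excerpts quoted in this thread.
TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ packetfence_httpd\.aaa: "
    r"httpd\.aaa\((?P<pid>\d+)\) (?P<level>\w+): \[mac:(?P<mac>[^\]]+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(
    r"User (?P<user>\S+) logged in (?P<nas>\S+) with (?P<access>\w+) access"
)
AUTHENTICATE_MARK = "LDAPSource::authenticate"


def unwrap(text):
    """Re-join log records that were wrapped onto several physical lines."""
    records = []
    for raw in text.splitlines():
        if TS_RE.match(raw):
            records.append(raw.rstrip())
        elif records and raw.strip():
            records[-1] += " " + raw.strip()
    return records


def parse(text):
    """Yield one dict per record that matches the httpd.aaa line format."""
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if m:
            yield m.groupdict()


def find_unauthenticated_cli_logins(text):
    """Return (pid, mac, user, nas, access) tuples for every CLI login that
    was not preceded, within the same (pid, mac) request, by an
    LDAPSource::authenticate line."""
    bind_seen = defaultdict(bool)
    findings = []
    for rec in parse(text):
        key = (rec["pid"], rec["mac"])
        if AUTHENTICATE_MARK in rec["msg"]:
            bind_seen[key] = True
            continue
        login = LOGIN_RE.search(rec["msg"])
        if login:
            if not bind_seen[key]:
                findings.append(
                    (rec["pid"], rec["mac"], login["user"], login["nas"], login["access"])
                )
            bind_seen[key] = False  # next request on this worker starts clean
    return findings


# Constructed sample: the 10.3 and 10.2 excerpts above, kept wrapped as they
# appear in the mail, plus one made-up accepted login after a bind attempt.
SAMPLE_LOG = """\
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source
apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with
write access (pf::Switch::Cisco::returnAuthorizeWrite)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:d0:22:be:5f:2c:35] [apra-machine-auth-dc01] No entries found (0)
with filter (servicePrincipalName=c.mammoli.adm) from dc=apra,dc=it on
192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:d0:22:be:5f:2c:35] User c.mammoli.adm logged in 192.168.16.48 with
write access (pf::Switch::Cisco::returnAuthorizeWrite)
"""

if __name__ == "__main__":
    for hit in find_unauthenticated_cli_logins(SAMPLE_LOG):
        print("CLI login without LDAP bind attempt:", hit)
```

A logged authenticate line, including the WARN "No entries found" one, only shows that a bind was attempted against that source, not how it ended, so treat this as a first filter over the httpd.aaa records and confirm each hit against the RADIUS audit log before acting on it.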

Re: [PacketFence-users] Empty NTLM redis cache

2021-04-27 Thread Cristian Mammoli via PacketFence-users
It works, I tried clearing my user and logging in again by reconnecting via
Wi-Fi, and it's populated again.

What is the purpose of the redis cache then??

The initial bulk load is not working anyway...

cat /usr/local/pf/var/cache/ntlm_cache_users/APRA.valid-users.txt|wc -l
1643
[root@srvpf ~]# /usr/local/pf/bin/pfcmd cache ntlm_cache_username_lookup 
list|wc -l

202

Why only 202 records?

On 27/04/2021 11:42, Quiniou-Briand, Nicolas wrote:


Hello,

> Maybe you mean /usr/local/pf/bin/pfcmd cache 
ntlm_cache_username_lookup list?


Yes, sorry.

> I get a bunch of user and computer accounts (215 total) in the format
> DOMAIN.sAMAccountName and DOMAIN.userPrincipalName

I think it means that your NTLM cache is working.

You can try to clear cache and see if it populates again correctly.

pfcmd cache ntlm_cache_username_lookup clear

Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


--

*Cristian Mammoli*
Network and Computer Systems Administrator

T.+39 0731719822
www.apra.it 

Apra Spa

linksocial

*Notice on the protection of confidential information.* This message was
sent by Apra spa or by one of the Group's companies. It and any attachments
may contain highly confidential and privileged information. If you are not
the intended recipients, please notify us immediately by the same means and
delete the message and any attachments without keeping a copy.


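
To answer the "why only 202 records?" question above with data rather than a head count, here is a reconciliation script added as an example (not part of the thread or of PacketFence). It assumes APRA.valid-users.txt holds one sAMAccountName per line and that cache keys have the two shapes named in the thread, DOMAIN.sAMAccountName and DOMAIN.userPrincipalName; the sample lists are constructed.

```python
"""
Added example, not PacketFence code: reconcile the bulk-load user list with
what `pfcmd cache ntlm_cache_username_lookup list` prints, to see which
accounts the cache is missing. Assumptions for this example: valid-users.txt
carries one sAMAccountName per line, and cache keys come in the two shapes
named in this thread, DOMAIN.sAMAccountName and DOMAIN.userPrincipalName.
"""


def parse_cache_listing(text, domain):
    """Collect lower-cased account names from the cache listing for one
    NetBIOS domain; both key shapes collapse to the sAMAccountName part."""
    prefix = domain.upper() + "."
    names = set()
    for line in text.splitlines():
        key = line.strip()
        if not key.upper().startswith(prefix):
            continue  # another domain, or a non-key line of pfcmd output
        name = key[len(prefix):]
        if "@" in name:  # DOMAIN.user@realm is the userPrincipalName shape
            name = name.split("@", 1)[0]
        names.add(name.lower())
    return names


def parse_valid_users(text):
    """One sAMAccountName per line, blank lines ignored (assumed format)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def reconcile(valid_users_text, cache_text, domain):
    """Return counts, the sorted expected accounts that have no cache entry,
    and the computer accounts ($-suffixed) that do have one."""
    wanted = parse_valid_users(valid_users_text)
    cached = parse_cache_listing(cache_text, domain)
    return {
        "expected": len(wanted),
        "cached": len(wanted & cached),
        "missing": sorted(wanted - cached),
        "computer_accounts": sorted(n for n in cached if n.endswith("$")),
    }


# Constructed samples standing in for APRA.valid-users.txt and the pfcmd output.
VALID_USERS = """\
c.mammoli
nms
voice
j.doe
"""
CACHE_LISTING = """\
APRA.c.mammoli
APRA.c.mammoli@apra.it
APRA.NMS
APRA.SRVPF$
OTHER.j.doe
"""

if __name__ == "__main__":
    print(reconcile(VALID_USERS, CACHE_LISTING, "APRA"))
```

Feed it the real files (`cat APRA.valid-users.txt` and the `pfcmd ... list` output) and the "missing" list tells you which of the 1643 accounts never made it into the cache, separated from the computer accounts that inflate the listing count.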


Re: [PacketFence-users] Empty NTLM redis cache

2021-04-26 Thread Cristian Mammoli via PacketFence-users
[root@srvpf pf]# /usr/local/pf/bin/pfcmd cache 
ntlm_cache_username_lookup_list

invalid arguments

Maybe you mean /usr/local/pf/bin/pfcmd cache ntlm_cache_username_lookup 
list?


[root@srvpf pf]# /usr/local/pf/bin/pfcmd cache 
ntlm_cache_username_lookup list


I get a bunch of user and computer accounts (215 total) in the format
DOMAIN.sAMAccountName and DOMAIN.userPrincipalName

I can send the output offlist if you need it

On 26/04/2021 12:35, Quiniou-Briand, Nicolas wrote:


/usr/local/pf/bin/pfcmd cache ntlm_cache_username_lookup_list







[PacketFence-users] Empty NTLM redis cache

2021-04-26 Thread Cristian Mammoli via PacketFence-users

Hi, I configured the ntlm cache feature years ago and never looked back.
Today I checked the redis instance that should hold the nt hashes and it 
is empty:


[root@srvpf ~]# redis-cli -h localhost -p 6383
localhost:6383> keys *
(empty list or set)
localhost:6383>

But I have no errors in the log:

[root@srvpf ~]# grep ntlm /usr/local/pf/logs/packetfence.log | sed 
's/user .* /user REDACTED /g' | tail -n 30
Apr 26 10:19:56 srvpf pfqueue: pfqueue(13153) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:20:16 srvpf pfqueue: pfqueue(4995) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:20:22 srvpf pfqueue: pfqueue(10776) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:20:47 srvpf pfqueue: pfqueue(12589) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:21:00 srvpf pfqueue: pfqueue(4675) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:21:03 srvpf pfqueue: pfqueue(10776) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:21:12 srvpf pfqueue: pfqueue(13153) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:21:43 srvpf pfqueue: pfqueue(4995) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:21:53 srvpf pfqueue: pfqueue(8822) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:22:30 srvpf pfqueue: pfqueue(10776) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:23:08 srvpf pfqueue: pfqueue(6490) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:23:43 srvpf pfqueue: pfqueue(10776) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:23:48 srvpf pfqueue: pfqueue(8822) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:23:53 srvpf pfqueue: pfqueue(4995) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:26:39 srvpf pfqueue: pfqueue(6490) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:26:41 srvpf pfqueue: pfqueue(8822) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:26:52 srvpf pfqueue: pfqueue(6490) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:27:03 srvpf pfqueue: pfqueue(16282) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:27:27 srvpf pfqueue: pfqueue(15510) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:27:31 srvpf pfqueue: pfqueue(16282) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:27:45 srvpf pfqueue: pfqueue(12589) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:29:50 srvpf pfqueue: pfqueue(8822) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:30:01 srvpf pfqueue: pfqueue(16282) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:31:01 srvpf pfqueue: pfqueue(17327) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:33:08 srvpf pfqueue: pfqueue(8822) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:33:15 srvpf pfqueue: pfqueue(13153) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:35:43 srvpf pfqueue: pfqueue(12589) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:35:48 srvpf pfqueue: pfqueue(10776) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)
Apr 26 10:35:57 srvpf pfqueue: pfqueue(8180) INFO: [mac:unknown] Cached 
user REDACTED (pf::domain::ntlm_cache::cache_user)


I noticed that even if I stop redis_ntlm_cache, the log keeps saying
"Cached user etc."


How is it possible??

Thanks




Re: [PacketFence-users] ANN: PacketFence v10.3

2021-04-15 Thread Cristian Mammoli via PacketFence-users

I'm giving it a try, but I think you need to check the ntlm cache feature:

/usr/local/pf/lib/pf/domain/ntlm_cache.pm line 242
foreach my $server (split(/\s*,\s*/, $source->{host})) {

You are splitting $source->{host} as a string but it is an array already

hth

On 14/04/2021 21:15, Ludovic Marcotte via PacketFence-users wrote:


The Inverse team is pleased to announce the immediate availability of 
PacketFence v10.3. This is a major release with new features, 
enhancements and bug fixes. This release is considered ready for 
production use and upgrading from previous versions is strongly advised.



  What is PacketFence?

PacketFence is a fully supported, trusted, Free and Open Source 
Network Access Control (NAC) solution. Boasting an impressive feature 
set, PacketFence can be used to effectively secure small to very large 
heterogeneous networks.


Among the features provided by PacketFence, there are:

  * powerful BYOD (Bring Your Own Device) capabilities
  * multiple enforcement methods including Role-Based Access Control
(RBAC) and hotspot-style
  * built-in network behaviour anomaly detection
  * state-of-the art devices identification with Fingerbank
  * compliance checks for endpoints present on your network
  * integration with various vulnerability scanners, intrusion
detection solutions, security agents and firewalls
  * bandwidth accounting for all devices
  * ... and many more!

A complete overview of the solution is available from the official
website: https://packetfence.org/about.html




  Changes Since Previous Release

*New Features*

  * Static routes management via admin gui
  * Aruba CX support
  * Aruba 2930M Web Authentication and Dynamic ACL support (#6158)
  * Meraki DPSK support
  * Ruckus DPSK support
  * Support for Ruckus SmartZone MAC authentication in non-proxy modes
    (#6201)

  * Bluesocket support (#5878)
  * Support for SCEP in pfpki (#6213)

*Enhancements*

  * Improved the failover mechanisms when an Active Directory or LDAP
server is detected as dead
  * Expiration of the local accounts created on the portal can now be
set on the source level
  * pfacct and radiusd-acct can now both be enabled together
(radiusd-acct proxies to pfacct)
  * Added CoA support to Aerohive module
  * Added role based enforcement (Filter-Id) support to Extreme module
  * Use Called-Station-SSID attribute as the SSID when possible
  * Added CLI login support to Huawei switch template
  * Added detectionBypass in DNS resolver (#6028)
  * Improve support of Android Agent for EAP-TLS and EAP-PEAP
  * Improve CLI login support on HP and Aruba switches
  * Use the "Authorization" header when performing API calls to Github
in the OAuth context
  * Replace xsltproc/fop by asciidoctor-pdf (#5968)
  * FortiGate Role Based Enforcement (#5645)

  * Add support for roles (RBAC) for Ruckus WLAN controllers (#2530)
  * Upgrade to go version 1.15 (#6044)
  * Build ready-to-use Vagrant images for integration tests and send
them to Vagrant cloud (#6099)
  * Documentation to configure Security Onion 2.3.10
  * Added integration tests for 802.1X wireless and wireless MAC
authentication (#6114)
  * Restrict create, update, and delete operations to the default and
global tenant users (#6075)
  * Remove pftest MySQL tuner (#6130)
  * Allow NetFlow address to be configured (#6139)

  * Deprecated fencing whitelist
  * Description field for L2 and routed networks (#5829)
  * Updated Stripe integration to use Stripe Elements (API v3) (#6121)
  * Added Cisco WLC 9800 configuration documentation
  * Inheritance on parent role on Role and Web Auth
  * Enhance CLI login on SG300 switches
  * Enable/disable the natting traffic for inline networks
  * Remove unused table userlog (#6170)
  * Clarifications on Ruckus Role-by-Role capabilities (#6201)
  * DNS/IP attributes in pfpki certificates (#6213)
  * Additional template attributes in certificate profile (#6213)
  * Remove unused table inline_accounting (#6171)
  * Make pfdhcplistener tenant aware (#6204)
  * Upgrade to MariaDB 10.2.37 (#6149)

*Bug Fixes*

  * Switch defined by MAC address are not processed by pfacct in
cluster mode (#5969)
  * Restart switchport return TRUE if MAC address is not found in
locationlog for bouncePortCoA (#6013)
  * Switch template: CLI authorize attributes ignored (#6009)
  * ubiquiti_ap_mac_to_ip task doesn't update expires_at column in
chi_cache table (#6004)
  * A switch can't override switch group values using default switch
group values (#5998)
  * web admin: timer_expire and ocsp_timeout are not displayed
correctly (#5961)
  * web admin: Realm can't be selected as a filter on a connection
profile (#5959)
  * API: remove a source doesn't remove rules from authentication.conf
(#5958)
  * web admin: high-availability setting is not display correctly when
editing an interface (#5963)
  * SSIDs 

Re: [PacketFence-users] FortiGate External portal issue

2021-01-25 Thread Cristian Mammoli via PacketFence-users
Another thing I noticed is that "parseExternalPortalRequest" in 
FortiGate.pm is missing the "ssid" param:



[root@srvpf Fortinet]# diff -Naur FortiGate.pm.orig FortiGate.pm
--- FortiGate.pm.orig   2021-01-25 17:35:37.370005954 +0100
+++ FortiGate.pm    2021-01-25 17:36:47.399675637 +0100
@@ -81,6 +81,7 @@
 client_mac  => clean_mac($req->param('usermac')),
 client_ip   => $req->param('userip'),
 grant_url   => $req->param('post'),
+    ssid    => $req->param('ssid'),
 status_code => '200',
 synchronize_locationlog => $TRUE,
 connection_type => $WEBAUTH_WIRELESS,
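Review bot: the added `ssid => $req->param('ssid')` line takes the value straight from the portal request's query parameter with no definedness or length check, unlike `client_mac`, which goes through `clean_mac()` two lines above; since `synchronize_locationlog => $TRUE` is meant to push these fields into the locationlog, a missing or oversized `ssid` parameter would be stored as-is. Consider guarding it, for example `ssid => (defined $req->param('ssid') ? substr($req->param('ssid'), 0, 32) : undef),`, and state in the commit message that the FortiGate portal redirect is expected to carry an `ssid` parameter, because the RADIUS dump in this thread only shows the SSID as `Fortinet-SSID` and `Called-Station-SSID`, not as a portal parameter.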


On 25/01/2021 14:07, Ludovic Zammit wrote:

Thanks!
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On Jan 21, 2021, at 11:08 AM, Cristian Mammoli via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Here it is:

User-Name = "84:b1:53:xx:xx:xx"

User-Password = "**"

NAS-IP-Address = xx.xx.10.20

Service-Type = Login-User

Called-Station-Id = "70:4c:a5:xx:xx:xx:Test-Guest"

Calling-Station-Id = "84:b1:53:xx:xx:xx"

NAS-Identifier = "X"

NAS-Port-Type = Virtual

Acct-Session-Id = "143b7541"

Event-Timestamp = "Jan 21 2021 16:56:22 CET"

Connect-Info = "web-auth"

Fortinet-Vdom-Name = "root"

Fortinet-SSID = "Test-Guest"

Fortinet-AP-Name = "FP221ETFxx"

Stripped-User-Name = "84:b1:53:xx:xx:xx"

Realm = "null"

FreeRADIUS-Client-IP-Address = xx.xx.10.20

Called-Station-SSID = "Test-Guest"

PacketFence-KeyBalanced = "xxx"

PacketFence-Radius-Ip = "xx.xx.xx.xx"

SQL-User-Name = "84:b1:53:xx:xx:xx"


On 21/01/2021 11:40, Cristian Mammoli via PacketFence-users wrote:
Unfortunately we ended up editing FortiGate.pm to force it to 
consider every connection as Wireless

I don't have the unit and the ap we used to test anymore

I'll try to get in touch with the end user to get a radius dump

On 20/01/2021 13:51, Ludovic Zammit wrote:

Hello Cristian,

Probably because the Fortigate is not sending all the normal radius 
attributes.


Could you show the radius request sent by the Fortigate?

Thanks,
Ludovic Zammit




On Dec 2, 2020, at 6:24 AM, Cristian Mammoli via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hi, following this post
https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg15338.html
I managed to get it (almost) working.
The final missing piece is that when the firewall tries to
authenticate the device using the username/password provided by
POST, it sets

NAS-Port-Type => Virtual

This confuses PacketFence, which thinks this is a CLI connection
and REJECTS it.

Commenting out this section in ./pf/Connection.pm:

    if ($nas_port_type =~ /^virtual/i) {
        $self->transport("Virtual");
        $self->isCLI($TRUE);
    }

the type falls back to Wired and PacketFence accepts the credentials.

How can I rewrite/suppress/ignore the NAS-Port-Type attribute or
force the connection type not to be considered CLI?








Re: [PacketFence-users] FortiGate External portal issue

2021-01-21 Thread Cristian Mammoli via PacketFence-users

Here it is:

User-Name = "84:b1:53:xx:xx:xx"

User-Password = "**"

NAS-IP-Address = xx.xx.10.20

Service-Type = Login-User

Called-Station-Id = "70:4c:a5:xx:xx:xx:Test-Guest"

Calling-Station-Id = "84:b1:53:xx:xx:xx"

NAS-Identifier = "X"

NAS-Port-Type = Virtual

Acct-Session-Id = "143b7541"

Event-Timestamp = "Jan 21 2021 16:56:22 CET"

Connect-Info = "web-auth"

Fortinet-Vdom-Name = "root"

Fortinet-SSID = "Test-Guest"

Fortinet-AP-Name = "FP221ETFxx"

Stripped-User-Name = "84:b1:53:xx:xx:xx"

Realm = "null"

FreeRADIUS-Client-IP-Address = xx.xx.10.20

Called-Station-SSID = "Test-Guest"

PacketFence-KeyBalanced = "xxxxxxxxxxxxxxx"

PacketFence-Radius-Ip = "xx.xx.xx.xx"

SQL-User-Name = "84:b1:53:xx:xx:xx"


On 21/01/2021 11:40, Cristian Mammoli via PacketFence-users wrote:
Unfortunately we ended up editing FortiGate.pm to force it to consider 
every connection as Wireless

I don't have the unit and the ap we used to test anymore

I'll try to get in touch with the end user to get a radius dump

On 20/01/2021 13:51, Ludovic Zammit wrote:

Hello Cristian,

Probably because the Fortigate is not sending all the normal radius 
attributes.


Could you show the radius request sent by the Fortigate?

Thanks,
Ludovic Zammit




On Dec 2, 2020, at 6:24 AM, Cristian Mammoli via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hi, following this post
https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg15338.html
I managed to get it (almost) working.
The final missing piece is that when the firewall tries to
authenticate the device using the username/password provided by
POST, it sets

NAS-Port-Type => Virtual

This confuses PacketFence, which thinks this is a CLI connection
and REJECTS it.

Commenting out this section in ./pf/Connection.pm:

    if ($nas_port_type =~ /^virtual/i) {
        $self->transport("Virtual");
        $self->isCLI($TRUE);
    }

the type falls back to Wired and PacketFence accepts the credentials.

How can I rewrite/suppress/ignore the NAS-Port-Type attribute or
force the connection type not to be considered CLI?

















Re: [PacketFence-users] FortiGate External portal issue

2021-01-21 Thread Cristian Mammoli via PacketFence-users
Unfortunately we ended up editing FortiGate.pm to force it to consider 
every connection as Wireless

I don't have the unit and the ap we used to test anymore

I'll try to get in touch with the end user to get a radius dump

On 20/01/2021 13:51, Ludovic Zammit wrote:

Hello Cristian,

Probably because the Fortigate is not sending all the normal radius 
attributes.


Could you show the radius request sent by the Fortigate?

Thanks,
Ludovic Zammit




On Dec 2, 2020, at 6:24 AM, Cristian Mammoli via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hi, following this post
https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg15338.html
I managed to get it (almost) working.
The final missing piece is that when the firewall tries to
authenticate the device using the username/password provided by
POST, it sets

NAS-Port-Type => Virtual

This confuses PacketFence, which thinks this is a CLI connection
and REJECTS it.

Commenting out this section in ./pf/Connection.pm:

    if ($nas_port_type =~ /^virtual/i) {
        $self->transport("Virtual");
        $self->isCLI($TRUE);
    }

the type falls back to Wired and PacketFence accepts the credentials.

How can I rewrite/suppress/ignore the NAS-Port-Type attribute or
force the connection type not to be considered CLI?











Re: [PacketFence-users] FortiGate External portal issue

2021-01-20 Thread Cristian Mammoli via PacketFence-users

I'll look into it


On 15/12/2020 10:56, Cristian Mammoli via PacketFence-users wrote:

Anyone?

Thanks

On 02/12/2020 12:24, Cristian Mammoli via PacketFence-users wrote:
Hi, following this post 
https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg15338.html 
I managed to get it (almost) working
The final missing piece is the fact that when the Firewall tries to 
authenticate the device using the username/password provided by POST 
it sets

NAS-Port-Type => Virtual
This confuses packetfence which thinks this is a CLI connection and 
REJECTS it


Commenting out this section ./pf/Connection.pm
    if ($nas_port_type =~ /^virtual/i) {
    $self->transport("Virtual");
    $self->isCLI($TRUE);
    }

The type falls back to Wired and Packetfence accepts the credentials

How can I rewrite/suppress/ignore the Nas-Port-Type attribute or 
force the connection type to not be considered CLI?



Re: [PacketFence-users] FortiGate External portal issue

2020-12-15 Thread Cristian Mammoli via PacketFence-users

Anyone?

Thanks

On 02/12/2020 12:24, Cristian Mammoli via PacketFence-users wrote:
Hi, following this post 
https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg15338.html 
I managed to get it (almost) working
The final missing piece is the fact that when the Firewall tries to 
authenticate the device using the username/password provided by POST it 
sets

NAS-Port-Type => Virtual
This confuses packetfence which thinks this is a CLI connection and 
REJECTS it


Commenting out this section ./pf/Connection.pm
    if ($nas_port_type =~ /^virtual/i) {
    $self->transport("Virtual");
    $self->isCLI($TRUE);
    }

The type falls back to Wired and Packetfence accepts the credentials

How can I rewrite/suppress/ignore the Nas-Port-Type attribute or force 
the connection type to not be considered CLI?



[PacketFence-users] FortiGate External portal issue

2020-12-02 Thread Cristian Mammoli via PacketFence-users
Hi, following this post 
https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg15338.html 
I managed to get it (almost) working
The final missing piece is the fact that when the Firewall tries to 
authenticate the device using the username/password provided by POST it sets

NAS-Port-Type => Virtual
This confuses packetfence which thinks this is a CLI connection and 
REJECTS it


Commenting out this section ./pf/Connection.pm
    if ($nas_port_type =~ /^virtual/i) {
    $self->transport("Virtual");
    $self->isCLI($TRUE);
    }

The type falls back to Wired and Packetfence accepts the credentials

How can I rewrite/suppress/ignore the Nas-Port-Type attribute or force 
the connection type to not be considered CLI?

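The classification the thread is fighting, as an added example in Go (not PacketFence's Perl and not a PacketFence feature): NAS-Port-Type=Virtual is what the FortiGate sends for its portal credential check, and the quoted Connection.pm branch turns that into transport Virtual plus isCLI, which is then evaluated as an administrative login to the network device and rejected for an end user. Commenting the branch out globally, as the thread tried, makes every Virtual request fall back to Wired, including switch CLI logins that depend on the CLI classification. The example keeps the rule and carves out only NASes listed in a hypothetical per-NAS allow-list keyed by NAS-IP-Address; addresses and usernames are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Connection mirrors the two fields set by the Connection.pm snippet quoted
// in the thread. Illustrative re-implementation, not PacketFence's own code.
type Connection struct {
	Transport string // "Wired", "Wireless" or "Virtual"
	IsCLI     bool   // true means "administrative login to the network device"
}

// portalNASes is a hypothetical allow-list of NAS addresses known to send
// NAS-Port-Type=Virtual for end-user web/portal authentication (a FortiGate
// external captive portal, for example) rather than for CLI logins.
// The address is constructed for the example.
var portalNASes = map[string]bool{
	"192.0.2.1": true,
}

// classify maps a RADIUS request (attribute name -> value) to a Connection.
// dropVirtualCheck reproduces the effect of commenting out the Virtual branch.
func classify(attrs map[string]string, dropVirtualCheck bool) Connection {
	c := Connection{Transport: "Wired"}
	npt := strings.ToLower(attrs["NAS-Port-Type"])
	switch {
	case strings.HasPrefix(npt, "wireless"):
		c.Transport = "Wireless"
	case strings.HasPrefix(npt, "virtual"):
		if dropVirtualCheck {
			break // falls back to Wired for every NAS, CLI logins included
		}
		if portalNASes[attrs["NAS-IP-Address"]] {
			break // known portal NAS: evaluate as an end-user connection
		}
		c.Transport = "Virtual"
		c.IsCLI = true
	}
	return c
}

// ClassifyScoped keeps the Virtual/CLI rule and exempts only listed NASes.
func ClassifyScoped(attrs map[string]string) Connection { return classify(attrs, false) }

// ClassifyGlobalPatch is what the commented-out branch gives you.
func ClassifyGlobalPatch(attrs map[string]string) Connection { return classify(attrs, true) }

func main() {
	// Constructed requests: a FortiGate portal login and a switch admin login.
	fortigate := map[string]string{"NAS-IP-Address": "192.0.2.1", "NAS-Port-Type": "Virtual", "User-Name": "alice"}
	switchCLI := map[string]string{"NAS-IP-Address": "192.0.2.10", "NAS-Port-Type": "Virtual", "User-Name": "netadmin"}
	for _, r := range []map[string]string{fortigate, switchCLI} {
		fmt.Printf("%s scoped=%+v global=%+v\n", r["NAS-IP-Address"], ClassifyScoped(r), ClassifyGlobalPatch(r))
	}
}
```

With the global patch both requests come out as Wired end-user connections; with the scoped rule the switch login keeps its CLI classification and only the FortiGate is treated as a portal authentication.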


Re: [PacketFence-users] pfacct crash after update to 10.0

2020-04-20 Thread Cristian Mammoli via PacketFence-users

Thanks guys, keep up the good work

On 20/04/2020 16:17, Nicolas Quiniou-Briand via PacketFence-users 
wrote:

Hello Cristian,

Thanks for reporting this issue. It has been fixed in maintenance and 
we are uploading a new pfacct binary.


When the following pipeline [1] has passed, you can run pf-maint.pl to get a 
patched pfacct.


[1] 
https://gitlab.com/inverse-inc/packetfence/-/commit/1bb6989574d8d69f4ef99ceaab6b6a3d2fc7cfd9




[PacketFence-users] pfacct crash after update to 10.0

2020-04-20 Thread Cristian Mammoli via PacketFence-users

Hi, after upgrading to pf 10 pfacct crashes after short time:

Apr 20 14:59:09 srvpf pfacct: panic: runtime error: slice bounds out of 
range [:17] with capacity 13

Apr 20 14:59:09 srvpf pfacct: goroutine 77 [running]:
Apr 20 14:59:09 srvpf pfacct: main.(*PfAcct).RADIUSSecret(0xc72340, 
0x9303e0, 0xc000258580, 0x92c2c0, 0xc00034a000, 0xcc, 0x1d5, 
0x1e0, 0xc0004a1680, 0x4, ...)
Apr 20 14:59:09 srvpf pfacct: 
/builds/inverse-inc/packetfence/go/acct/radius.go:270 +0x6b6
Apr 20 14:59:09 srvpf pfacct: 
github.com/inverse-inc/go-radius.(*PacketServer).Serve.func2(0xc00056d380, 
0xc000273a40, 0xc000277170, 0x9326a0, 0xc12778, 0xcc, 0x1d5, 
0x1e0, 0x92c2c0, 0xc00034a000)
Apr 20 14:59:09 srvpf pfacct: 
/root/go/pkg/mod/github.com/inverse-inc/go-radius@v0.0.0-20200310093817-85565fe93aa5/server-packet.go:136 
+0xe2
Apr 20 14:59:09 srvpf pfacct: created by 
github.com/inverse-inc/go-radius.(*PacketServer).Serve
Apr 20 14:59:09 srvpf pfacct: 
/root/go/pkg/mod/github.com/inverse-inc/go-radius@v0.0.0-20200310093817-85565fe93aa5/server-packet.go:133 
+0x3e5
Apr 20 14:59:09 srvpf pfacct[20900]: t=2020-04-20T14:59:09+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:09 srvpf pfacct[20900]: t=2020-04-20T14:59:09+0200 lvl=info 
msg="File descriptor limit is: 4096" pid=20900
Apr 20 14:59:09 srvpf pfacct[20900]: t=2020-04-20T14:59:09+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:09 srvpf pfacct[20900]: t=2020-04-20T14:59:09+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:09 srvpf pfacct[20900]: t=2020-04-20T14:59:09+0200 lvl=info 
msg="Starting listening to netflow at '127.0.0.1:2056'" pid=20900
Apr 20 14:59:11 srvpf pfacct: panic: runtime error: slice bounds out of 
range [:17] with capacity 13

Apr 20 14:59:11 srvpf pfacct: goroutine 27 [running]:
Apr 20 14:59:11 srvpf pfacct: main.(*PfAcct).RADIUSSecret(0xc80340, 
0x9303e0, 0xc00025e340, 0x92c2c0, 0xc0002eaed0, 0xc00035, 0x1d5, 
0x1e0, 0x0, 0x0, ...)
Apr 20 14:59:11 srvpf pfacct: 
/builds/inverse-inc/packetfence/go/acct/radius.go:270 +0x6b6
Apr 20 14:59:11 srvpf pfacct: 
github.com/inverse-inc/go-radius.(*PacketServer).Serve.func2(0xc000328480, 
0xc00022a650, 0xc0002489f0, 0x9326a0, 0xc127a8, 0xc00035, 0x1d5, 
0x1e0, 0x92c2c0, 0xc0002eaed0)
Apr 20 14:59:11 srvpf pfacct: 
/root/go/pkg/mod/github.com/inverse-inc/go-radius@v0.0.0-20200310093817-85565fe93aa5/server-packet.go:136 
+0xe2
Apr 20 14:59:11 srvpf pfacct: created by 
github.com/inverse-inc/go-radius.(*PacketServer).Serve
Apr 20 14:59:11 srvpf pfacct: 
/root/go/pkg/mod/github.com/inverse-inc/go-radius@v0.0.0-20200310093817-85565fe93aa5/server-packet.go:133 
+0x3e5
Apr 20 14:59:11 srvpf pfacct[20912]: t=2020-04-20T14:59:11+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:11 srvpf pfacct[20912]: t=2020-04-20T14:59:11+0200 lvl=info 
msg="File descriptor limit is: 4096" pid=20912
Apr 20 14:59:11 srvpf pfacct[20912]: t=2020-04-20T14:59:11+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:11 srvpf pfacct[20912]: t=2020-04-20T14:59:11+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:11 srvpf pfacct[20912]: t=2020-04-20T14:59:11+0200 lvl=info 
msg="Starting listening to netflow at '127.0.0.1:2056'" pid=20912
Apr 20 14:59:12 srvpf pfacct: panic: runtime error: slice bounds out of 
range [:17] with capacity 13

Apr 20 14:59:12 srvpf pfacct: goroutine 12 [running]:
Apr 20 14:59:12 srvpf pfacct: main.(*PfAcct).RADIUSSecret(0xc80340, 
0x9303e0, 0xc0002961c0, 0x92c2c0, 0xc00036c1b0, 0xc000386000, 0x1dc, 
0x1e0, 0x0, 0x0, ...)
Apr 20 14:59:12 srvpf pfacct: 
/builds/inverse-inc/packetfence/go/acct/radius.go:270 +0x6b6
Apr 20 14:59:12 srvpf pfacct: 
github.com/inverse-inc/go-radius.(*PacketServer).Serve.func2(0xc000366200, 
0xc0002be278, 0xc0002a22a0, 0x9326a0, 0xc000472378, 0xc000386000, 0x1dc, 
0x1e0, 0x92c2c0, 0xc00036c1b0)
Apr 20 14:59:12 srvpf pfacct: 
/root/go/pkg/mod/github.com/inverse-inc/go-radius@v0.0.0-20200310093817-85565fe93aa5/server-packet.go:136 
+0xe2
Apr 20 14:59:12 srvpf pfacct: created by 
github.com/inverse-inc/go-radius.(*PacketServer).Serve
Apr 20 14:59:12 srvpf pfacct: 
/root/go/pkg/mod/github.com/inverse-inc/go-radius@v0.0.0-20200310093817-85565fe93aa5/server-packet.go:133 
+0x3e5
Apr 20 14:59:12 srvpf pfacct[20936]: t=2020-04-20T14:59:12+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:12 srvpf pfacct[20936]: t=2020-04-20T14:59:12+0200 lvl=info 
msg="File descriptor limit is: 4096" pid=20936
Apr 20 14:59:12 srvpf pfacct[20936]: t=2020-04-20T14:59:12+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:12 srvpf pfacct[20936]: t=2020-04-20T14:59:12+0200 lvl=info 
msg="Setting log level to INFO"
Apr 20 14:59:12 srvpf pfacct[20936]: t=2020-04-20T14:59:12+0200 lvl=info 
msg="Starting listening to netflow at '127.0.0.1:2056'" pid=20936
Apr 20 14:59:13 srvpf pfacct: panic: runtime error: slice bounds out of 
range [:17] with capacity 13

Apr 20 14:59:13 srvpf pfacct: goroutine 52 
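The panic is a slice bound ([:17]) larger than the backing buffer (capacity 13) while handling an incoming RADIUS datagram, and the log shows the daemon being restarted after each one, so every packet that reaches that path crashes pfacct again: an availability problem driven by network input. The page gives the fix only as a maintenance commit, so what follows is an added example of the defensive shape for this class of bug, not pfacct's or go-radius's code: a RADIUS parser that validates the header length field and every attribute length against the bytes actually received before slicing, plus a per-packet recover so one bad datagram cannot take down the accounting listener. The packet bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 2865 header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
const radiusHeaderLen = 20

type Attribute struct {
	Type  byte
	Value []byte
}

type Packet struct {
	Code          byte
	Identifier    byte
	Authenticator [16]byte
	Attributes    []Attribute
}

var (
	ErrShort  = errors.New("radius: datagram shorter than header")
	ErrLength = errors.New("radius: Length field inconsistent with datagram")
	ErrAttr   = errors.New("radius: malformed attribute")
)

// Parse never slices past what was received: the Length field is checked
// against len(buf), and each attribute's own length byte against what is
// left of the attribute area.
func Parse(buf []byte) (*Packet, error) {
	if len(buf) < radiusHeaderLen {
		return nil, ErrShort
	}
	length := int(binary.BigEndian.Uint16(buf[2:4]))
	if length < radiusHeaderLen || length > len(buf) {
		return nil, ErrLength
	}
	p := &Packet{Code: buf[0], Identifier: buf[1]}
	copy(p.Authenticator[:], buf[4:20])
	rest := buf[radiusHeaderLen:length]
	for len(rest) > 0 {
		if len(rest) < 2 {
			return nil, ErrAttr
		}
		alen := int(rest[1]) // includes the 2-byte type/length prefix
		if alen < 2 || alen > len(rest) {
			return nil, ErrAttr
		}
		p.Attributes = append(p.Attributes, Attribute{
			Type:  rest[0],
			Value: append([]byte(nil), rest[2:alen]...),
		})
		rest = rest[alen:]
	}
	return p, nil
}

// HandleSafely converts a panic inside the per-packet handler into an error,
// so a single bad datagram is logged and dropped instead of restarting the daemon.
func HandleSafely(buf []byte, handle func(*Packet) error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("radius: handler panicked: %v", r)
		}
	}()
	p, perr := Parse(buf)
	if perr != nil {
		return perr
	}
	return handle(p)
}

func main() {
	// Constructed Accounting-Request (code 4) carrying one NAS-IP-Address attribute.
	good := append([]byte{4, 1, 0, 26}, make([]byte, 16)...)
	good = append(good, 4, 6, 192, 168, 50, 9)
	for _, d := range [][]byte{good, make([]byte, 13)} {
		err := HandleSafely(d, func(p *Packet) error {
			fmt.Printf("code=%d attrs=%d\n", p.Code, len(p.Attributes))
			return nil
		})
		fmt.Println("err:", err)
	}
}
```

The 13-byte datagram, the same size as the buffer in the trace, is rejected before any slice is taken; the recover is the belt-and-braces layer for whatever the parser did not anticipate.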

[PacketFence-users] Disable netdata alerts

2020-04-03 Thread Cristian Mammoli via PacketFence-users
Hi everyone, is it possible to disable netdata email alerts? We already 
have a monitoring solution in place.


Thanks

C.


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] dns filter not working with inline deployment

2020-01-20 Thread Cristian Mammoli via PacketFence-users

PF Version: 9.3 (ZEN)
I have 3 nics:
eth0: 192.168.50.9/24 (management)
eth1: 192.168.11.100/24 (outside network)
eth2: 192.168.10.254/24 (inline, portal)

gw: 192.168.11.254
inline snat interface: eth1
portal fqdn: nac.mydomain.tld

When clients connect to the inline network they get redirected to the 
portal and can register. Unfortunately since we use email activation 
they need to access the portal even after registration to confirm the link.
Since nac.mydomain.tld is not resolvable from internet I created an 
entry in dns_filters.conf:


[portal]
filter = qname
operator = is
value = nac.mydomain.tld
[1:portal]
scope = inline
answer = 30 IN A 192.168.10.254
rcode = NOERROR

But after registration I can't resolve the record anymore and I get NXDOMAIN

As a workaround I modified pfdns.conf:
...
[% inline %]
    hosts {
    192.168.10.254 nac.mydomain.tld  <---
    fallthrough
    }
...

Am I missing something?



Re: [PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-06-04 Thread Cristian Mammoli via PacketFence-users

Hi, I tried this way
[asa]
filter = switch._ip
operator = is
value = 10.11.10.254

[autoregister_vpn:asa]
scope = RegistrationRole
action = register_node
role = default
action_param = mac = $mac, pid = ${radius_request.User-Name}, category = 
test


But $radius_request->{'Called-Station-Id'} does not get expanded (I 
tried with $radius_request->{'Called-Station-Id'} as well)


[asa]
filter = switch._ip
operator = is
value = 10.11.10.254

[autoregister_vpn2:asa]
scope = AutoRegister
role = test

[autoregister_vpn3:asa]
scope = NodeInfoForAutoReg
role = test

But the node does not autoregister. Anyway, even if it worked, how do I 
trigger a role re-evaluation based on LDAP group membership (without the 
portal)?


Thanks

On 04/06/2019 14:24, Ludovic Zammit wrote:

Hello Cristian,

You could use VLAN filters or RADIUS filters. There are some examples 
in conf/vlan_filters.conf and conf/radius_filters.conf


Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




On Jun 4, 2019, at 8:06 AM, Cristian Mammoli via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:


Ok, finally I got the portal registration going. The redirect ACL 
should be defined in the "role by switch role" registration role 
while http://pfip/Cisco::ASA should be the registration role in "Role 
by Webauth URL"


What if I want to bypass the portal completely and assign role based 
on the radius authentication?


I tried to flag "Automatically register devices" in the connection 
profile like I do with 802.1x but the vpn client stays unregistered:


Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] Unable to extract MAC from 
Called-Station-Id: 89.97.236.20 
(pf::radius::extractApMacFromRadiusRequest)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] Instantiate profile testasa 
(pf::Connection::ProfileFactory::_from_profile)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] Found authentication source(s) : 
'AuthAD' for realm 'null' 
(pf::config::util::filter_authentication_sources)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] is of status unreg; belongs into 
registration VLAN (pf::role::getRegistrationRole)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] LDAP testing connection 
(pf::LDAP::expire_if)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] [AuthAD] Authentication 
successful for c.mammoli 
(pf::Authentication::Source::LDAPSource::authenticate)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] Authentication successful for 
c.mammoli in source AuthAD (AD) (pf::authentication::authenticate)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] Updating locationlog from 
accounting request (pf::api::handle_accounting_metadata)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] Unable to extract MAC from 
Called-Station-Id: 89.97.236.20 
(pf::radius::extractApMacFromRadiusRequest)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] Unable to extract MAC from 
Called-Station-Id: 89.97.236.20 
(pf::radius::extractApMacFromRadiusRequest)
Jun  4 13:59:13 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) INFO: [mac:[undef]] Unable to extract MAC from 
Called-Station-Id: 89.97.236.20 
(pf::radius::extractApMacFromRadiusRequest)
Jun  4 13:59:13 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) WARN: [mac:[undef]] Use of uninitialized value 
$conn_type in bitwise and (&) at /usr/local/pf/lib/pf/radius.pm line 660.

 (pf::radius::_translateNasPortToIfIndex)
Jun  4 13:59:13 PacketFence-ZEN packetfence_httpd.aaa: 
httpd.aaa(2480) WARN: [mac:[undef]] Use of uninitialized value 
$conn_type in bitwise and (&) at /usr/local/pf/lib/pf/radius.pm line 663.

 (pf::radius::_translateNasPortToIfIndex)


On 03/06/2019 18:05, Cristian Mammoli via PacketFence-users wrote:

Ok, a little bit of info:

The redirect ACL in the example is unused, as well as the VPN 
profile, so they should be removed from the docs

The plugin relies on the
mdm-tlv=device-mac=
radius attribute from the client and since I was testing using 
OpenConnect and not the official AnyConnect client it didn't work 
and PF could not see my MAC



On 03/06/2019 12:29, Cristian Mammoli via PacketFence-users wrote:

This is a debug log of a vpn connection.
Things I noticed:
There is no MAC address associated with the request and in Audit I 
see the remote IP address as MAC address. Is it correct?
Connecti

Re: [PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-06-04 Thread Cristian Mammoli via PacketFence-users
Ok, finally I got the portal registration going. The redirect ACL should 
be defined in the "role by switch role" registration role while 
http://pfip/Cisco::ASA should be the registration role in "Role by 
Webauth URL"


What if I want to bypass the portal completely and assign role based on 
the radius authentication?


I tried to flag "Automatically register devices" in the connection 
profile like I do with 802.1x but the vpn client stays unregistered:


Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] Unable to extract MAC from Called-Station-Id: 
89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] Instantiate profile testasa 
(pf::Connection::ProfileFactory::_from_profile)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] Found authentication source(s) : 'AuthAD' for realm 
'null' (pf::config::util::filter_authentication_sources)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] is of status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] LDAP testing connection (pf::LDAP::expire_if)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] [AuthAD] Authentication successful for c.mammoli 
(pf::Authentication::Source::LDAPSource::authenticate)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] Authentication successful for c.mammoli in source 
AuthAD (AD) (pf::authentication::authenticate)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] Updating locationlog from accounting request 
(pf::api::handle_accounting_metadata)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] Unable to extract MAC from Called-Station-Id: 
89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
Jun  4 13:59:12 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] Unable to extract MAC from Called-Station-Id: 
89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
Jun  4 13:59:13 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
INFO: [mac:[undef]] Unable to extract MAC from Called-Station-Id: 
89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
Jun  4 13:59:13 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
WARN: [mac:[undef]] Use of uninitialized value $conn_type in bitwise and 
(&) at /usr/local/pf/lib/pf/radius.pm line 660.

 (pf::radius::_translateNasPortToIfIndex)
Jun  4 13:59:13 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2480) 
WARN: [mac:[undef]] Use of uninitialized value $conn_type in bitwise and 
(&) at /usr/local/pf/lib/pf/radius.pm line 663.

 (pf::radius::_translateNasPortToIfIndex)


On 03/06/2019 18:05, Cristian Mammoli via PacketFence-users wrote:

Ok, a little bit of info:

The redirect ACL in the example is unused, as well as the VPN profile, 
so they should be removed from the docs

The plugin relies on the
mdm-tlv=device-mac=
radius attribute from the client and since I was testing using 
OpenConnect and not the official AnyConnect client it didn't work and 
PF could not see my MAC



On 03/06/2019 12:29, Cristian Mammoli via PacketFence-users wrote:

This is a debug log of a vpn connection.
Things I noticed:
There is no MAC address associated with the request and in Audit I 
see the remote IP address as MAC address. Is it correct?
Connection profile is not instantiated, instead, all authentication 
sources are tried in order
PF complains no roles are returned by the authentication source but 
the auth source DOES, see previous mails



Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] application/json (pf::WebAPI::handler)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] invalid MAC: empty (pf::util::valid_mac)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::radius object (pf::radius::new)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) INFO: 
[mac:[undef]] Unable to extract MAC from Called-Station-Id: 
89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating switch (pf::radius::switch_access)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] cache get for namespace='switch.overlay', 
key='10.11.10.254', cache='DBI', time='1ms': MISS (not in cache) 
(CHI::Driver::_log_get_result)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::access_filter::switch 
(pf::access_filter::new)
Jun  3 12:24:26 

Re: [PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-06-03 Thread Cristian Mammoli via PacketFence-users

Ok, a little bit of info:

The redirect ACL in the example is unused, as well as the VPN profile, 
so they should be removed from the docs

The plugin relies on the
mdm-tlv=device-mac=
radius attribute from the client and since I was testing using 
OpenConnect and not the official AnyConnect client it didn't work and PF 
could not see my MAC



On 03/06/2019 12:29, Cristian Mammoli via PacketFence-users wrote:

This is a debug log of a vpn connection.
Things I noticed:
There is no MAC address associated with the request and in Audit I see 
the remote IP address as MAC address. Is it correct?
Connection profile is not instantiated, instead, all authentication 
sources are tried in order
PF complains no roles are returned by the authentication source but 
the auth source DOES, see previous mails



Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] application/json (pf::WebAPI::handler)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] invalid MAC: empty (pf::util::valid_mac)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::radius object (pf::radius::new)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) INFO: 
[mac:[undef]] Unable to extract MAC from Called-Station-Id: 
89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating switch (pf::radius::switch_access)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] cache get for namespace='switch.overlay', 
key='10.11.10.254', cache='DBI', time='1ms': MISS (not in cache) 
(CHI::Driver::_log_get_result)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::access_filter::switch 
(pf::access_filter::new)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] No engine found for instantiate_module 
(pf::access_filter::test)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] creating new pf::Switch::Cisco::ASA object 
(pf::SwitchFactory::instantiate)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Extracting username 'c.mammoli' from RADIUS attribute 
User-Name (pf::Switch::parseRequestUsername)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Extracting username 'c.mammoli' from RADIUS attribute 
User-Name (pf::Switch::parseRequestUsername)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Stripping username is enabled in this context (radius). 
Will return a split username and realm. 
(pf::config::util::strip_username_if_needed)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Authenticating 'c.mammoli' from source(s) local, 
apra-machine-auth-dc01, apra-user-auth-dc01, apra-vpn-auth-dc01 
(pf::authentication::authenticate)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] cache get for namespace='Default', 
key='ARRAY(0x55dd536f26e8)', cache='RawMemory', time='0ms': MISS (not 
in cache) (CHI::Driver::_log_get_result)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] cache set for namespace='Default', 
key='["192.168.0.76","read_timeout","10","write_timeout","5","timeout","5","encryption","starttls","port","389"]', 
size=1, expires='never', cache='RawMemory', time='0ms' 
(CHI::Driver::_log_set_result)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] [apra-machine-auth-dc01] Using LDAP connection to 
192.168.0.76 (pf::Authentication::Source::LDAPSource::_connect)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) WARN: 
[mac:[undef]] [apra-machine-auth-dc01] No entries found (0) with 
filter (servicePrincipalName=c.mammoli) from dc=apra,dc=it on 
192.168.0.76:389 (pf::Authentication::Source::LDAPSource::authenticate)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) INFO: 
[mac:[undef]] LDAP testing connection (pf::LDAP::expire_if)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] cache get for namespace='Default', 
key='ARRAY(0x55dd5386cfd0)', cache='RawMemory', time='0ms': HIT 
(CHI::Driver::_log_get_result)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] [apra-user-auth-dc01] Using LDAP connection to 
192.168.0.76 (pf::Authentication::Source::LDAPSource::_connect)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) INFO: 
[mac:[undef]] [apra-user-auth-dc01] Authentication successful for 
c.mammoli (pf::Authentication::Source::LDAPSource::authenticate)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) INFO: 
[mac:[undef]]
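Why the ASA node has no MAC, as an added example (not PacketFence's code): on an 802.1X or wireless request the client MAC is taken from Called-Station-Id, but for a VPN head-end that attribute carries the head-end's own address (89.97.236.20 in the log above), so extraction fails and the only remaining source is the Cisco-AVPair mdm-tlv=device-mac value that the AnyConnect client supplies and OpenConnect does not. The helper below normalizes the usual MAC encodings, refuses IP literals (a dotted quad stripped of its dots can look like twelve hex digits), and consults the AVPair second; the value format after device-mac= and the sample requests are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// NormalizeMAC accepts the encodings NASes commonly use (aa:bb:cc:dd:ee:ff,
// AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff) and returns the canonical
// lower-case colon form, or "" when the string is not a MAC. IP literals are
// rejected up front: "192.168.100.100" stripped of its dots is 12 hex digits
// and would otherwise pass.
func NormalizeMAC(s string) string {
	s = strings.ToLower(strings.TrimSpace(s))
	if net.ParseIP(s) != nil {
		return ""
	}
	hex := strings.NewReplacer(":", "", "-", "", ".", "").Replace(s)
	if len(hex) != 12 {
		return ""
	}
	for _, r := range hex {
		if !((r >= '0' && r <= '9') || (r >= 'a' && r <= 'f')) {
			return ""
		}
	}
	parts := make([]string, 6)
	for i := range parts {
		parts[i] = hex[2*i : 2*i+2]
	}
	return strings.Join(parts, ":")
}

// MACFromCalledStationID handles the plain MAC form and the wireless
// "AA-BB-CC-DD-EE-FF:SSID" form. For a VPN head-end the attribute carries the
// head-end's IP, which yields "".
func MACFromCalledStationID(v string) string {
	if m := NormalizeMAC(v); m != "" {
		return m
	}
	if len(v) > 17 && v[17] == ':' { // 17 = length of a colon- or dash-separated MAC
		return NormalizeMAC(v[:17])
	}
	return ""
}

// MACFromRequest tries Called-Station-Id first, then the Cisco-AVPair
// "mdm-tlv=device-mac=..." that the AnyConnect client adds. The encoding of
// the value after "device-mac=" is an assumption of this example; any form
// NormalizeMAC understands is accepted.
func MACFromRequest(attrs map[string][]string) string {
	for _, v := range attrs["Called-Station-Id"] {
		if m := MACFromCalledStationID(v); m != "" {
			return m
		}
	}
	const prefix = "mdm-tlv=device-mac="
	for _, av := range attrs["Cisco-AVPair"] {
		if strings.HasPrefix(av, prefix) {
			if m := NormalizeMAC(strings.TrimPrefix(av, prefix)); m != "" {
				return m
			}
		}
	}
	return ""
}

func main() {
	// Constructed requests: an OpenConnect session and an AnyConnect session
	// through the same ASA; both carry the head-end IP in Called-Station-Id.
	openconnect := map[string][]string{
		"User-Name":         {"alice"},
		"Called-Station-Id": {"89.97.236.20"},
	}
	anyconnect := map[string][]string{
		"User-Name":         {"alice"},
		"Called-Station-Id": {"89.97.236.20"},
		"Cisco-AVPair":      {"mdm-tlv=device-mac=00-50-56-c0-00-08"},
	}
	fmt.Printf("openconnect: mac=%q\n", MACFromRequest(openconnect))
	fmt.Printf("anyconnect:  mac=%q\n", MACFromRequest(anyconnect))
}
```

An empty result is the "[mac:[undef]]" state in the log: without a MAC there is no node to register, whatever the authentication source returned.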

Re: [PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-06-03 Thread Cristian Mammoli via PacketFence-users
10.254) supports roles. Evaluating 
role to be returned (pf::Switch::returnRadiusAccessAccept)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] (10.11.10.254) Received undefined role. No Role added to 
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Network device (10.11.10.254) supports roles. Evaluating 
role to be returned (pf::Switch::Cisco::ASA::returnAuthorizeVPN)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] (10.11.10.254) Received undefined role. No Role added to 
RADIUS Access-Accept (pf::Switch::Cisco::ASA::returnAuthorizeVPN)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) WARN: 
[mac:[undef]] Use of uninitialized value $roleName in hash element at 
/usr/local/pf/lib/pf/Switch.pm line 783.

 (pf::Switch::getRoleByName)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) WARN: 
[mac:[undef]] Use of uninitialized value $roleName in concatenation (.) 
or string at /usr/local/pf/lib/pf/Switch.pm line 786.

 (pf::Switch::getRoleByName)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::access_filter::radius 
(pf::access_filter::new)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] application/json (pf::WebAPI::handler)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Entering handling of accounting metadata 
(pf::api::handle_accounting_metadata)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) INFO: 
[mac:[undef]] Updating locationlog from accounting request 
(pf::api::handle_accounting_metadata)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::radius object (pf::radius::new)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) INFO: 
[mac:[undef]] Unable to extract MAC from Called-Station-Id: 89.97.236.20 
(pf::radius::extractApMacFromRadiusRequest)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating switch 
(pf::radius::update_locationlog_accounting)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] cache get for namespace='switch.overlay', 
key='10.11.10.254', cache='DBI', time='1ms': MISS (not in cache) 
(CHI::Driver::_log_get_result)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::access_filter::switch 
(pf::access_filter::new)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] No engine found for instantiate_module 
(pf::access_filter::test)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] creating new pf::Switch::Cisco::ASA object 
(pf::SwitchFactory::instantiate)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Setting current tenant ID to 1 (pf::dal::set_tenant)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Not handling iplog update because we're not configured to 
do so on accounting packets. (pf::api::handle_accounting_metadata)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Not handling scan engines because we're not configured to 
do so on accounting packets or the IP address (Framed-IP-Address) is 
missing from the packet. (pf::api::handle_accounting_metadata)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::radius object (pf::radius::new)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) INFO: 
[mac:[undef]] Unable to extract MAC from Called-Station-Id: 89.97.236.20 
(pf::radius::extractApMacFromRadiusRequest)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating switch (pf::radius::accounting)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] cache get for namespace='switch.overlay', 
key='10.11.10.254', cache='DBI', time='0ms': MISS (not in cache) 
(CHI::Driver::_log_get_result)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] instantiating new pf::access_filter::switch 
(pf::access_filter::new)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] No engine found for instantiate_module 
(pf::access_filter::test)
Jun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] creating new pf::Switch::Cisco::ASA object 
(pf::SwitchFactory::instantiate)
^CJun  3 12:24:26 srvpf packetfence_httpd.aaa: httpd.aaa(28389) DEBUG: 
[mac:[undef]] Setting current tenant ID


On 03/06/2019 10:36, Cristian Mammoli via PacketFence-users wrote:

Hi, is it possible to have further info on the new VPN feature?
The docs are lacking info:

I tried again from scratch on a

Re: [PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-06-03 Thread Cristian Mammoli via PacketFence-users

Hi, is it possible to have further info on the new VPN feature?
The docs are lacking info:

I tried again from scratch on a Cisco ASA and the example config refers to 
a vpn client profile that does not exist by default:


 anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml


Please, can you share some additional information and examples?


On 24/05/2019 14:49, Cristian Mammoli via PacketFence-users wrote:

Hi Fabrice, any chance I can get a little bit more info on this topic?

Thanks for your time

On 18/05/2019 09:33, Cristian Mammoli via PacketFence-users wrote:
Hi Fabrice, the auth source is already in use for wired and wireless 
access and has role assignment working:


Testing authentication for "c.mammoli"

Authenticating against 'apra-user-auth-dc01' in context 'admin'
  Authentication SUCCEEDED against apra-user-auth-dc01 
(Authentication successful.)

  Matched against apra-user-auth-dc01 for 'authentication' rules
    set_role : staff_it
    set_access_duration : 10Y
  Matched against apra-user-auth-dc01 for 'administration' rules
    set_access_level : ALL
    mark_as_sponsor : 1

Authenticating against 'apra-user-auth-dc01' in context 'portal'
  Authentication SUCCEEDED against apra-user-auth-dc01 
(Authentication successful.)

  Matched against apra-user-auth-dc01 for 'authentication' rules
    set_role : staff_it
    set_access_duration : 10Y
  Matched against apra-user-auth-dc01 for 'administration' rules
    set_access_level : ALL
    mark_as_sponsor : 1



In authentication.conf:

[apra-user-auth-dc01]
cache_match=0
realms=apra,apra.it,default,null
basedn=dc=apra,dc=it
password=XX
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=cn=packetfence,cn=Users,dc=apra,dc=it
encryption=starttls
port=389
description=Apra User authentication
host=192.168.0.7,192.168.0.76
type=AD
read_timeout=10
write_timeout=5
monitor=1
dynamic_routing_module=AuthModule
shuffle=1
searchattributes=

[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi 
apra,OU=Utenti,DC=apra,DC=it

match=all
class=administration
action1=mark_as_sponsor=1

[apra-user-auth-dc01 rule Sponsors]
action0=mark_as_sponsor=1
match=all
class=administration

[apra-user-auth-dc01 rule Voice]
action0=set_role=voice
condition0=sAMAccountName,equals,voice
match=all
class=authentication
action1=set_access_duration=10Y

[apra-user-auth-dc01 rule Staff_IT]
action0=set_role=staff_it
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi 
apra,OU=Utenti,DC=apra,DC=it

match=all
class=authentication
action1=set_access_duration=10Y

[apra-user-auth-dc01 rule Employees]
action0=set_role=employees
match=all
class=authentication
action1=set_access_duration=10Y

Regards


On 17/05/2019 19:38, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

first you need to fix your authentication source apra-user-auth-dc01 
and add an authentication rule that returns a role and an access 
duration. (use:  /usr/local/pf/bin/pftest authentication c.mammoli 
bob  apra-user-auth-dc01)


After that you should be able to see a role associated with your 
device and probably something better in the radius audit log, and we 
will see about the next steps.


Regards

Fabrice


On 19-05-17 at 12:37, Cristian Mammoli via PacketFence-users wrote:

Cisco ASA VPN Configuration in 9.0

Hi, I'm trying to configure our ASA for VPN authentication but the 
docs are a little bit vague considering this is a new concept


Steps I did:

* Added the asa in the switch group, configured PSK etc
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=<ip address>

* I used an existing authentication source with LDAP role assignment
* Configured the Packetfence Radius server in the ASA and the vpn 
as in the example provided


Now what?

I can connect via vpn and surf the Internet
In the audit log I see my authentication:

Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "**"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"

RADIUS Reply

But the reply is empty

In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC 
from Called-Station-Id: 89.97.236.20 
(pf::radius::extrac

Re: [PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-05-24 Thread Cristian Mammoli via PacketFence-users

Hi Fabrice, any chance I can get a little bit more info on this topic?

Thanks for your time

On 18/05/2019 09:33, Cristian Mammoli via PacketFence-users wrote:
Hi Fabrice, the auth source is already in use for wired and wireless 
access and has role assignment working:


Testing authentication for "c.mammoli"

Authenticating against 'apra-user-auth-dc01' in context 'admin'
  Authentication SUCCEEDED against apra-user-auth-dc01 (Authentication 
successful.)

  Matched against apra-user-auth-dc01 for 'authentication' rules
    set_role : staff_it
    set_access_duration : 10Y
  Matched against apra-user-auth-dc01 for 'administration' rules
    set_access_level : ALL
    mark_as_sponsor : 1

Authenticating against 'apra-user-auth-dc01' in context 'portal'
  Authentication SUCCEEDED against apra-user-auth-dc01 (Authentication 
successful.)

  Matched against apra-user-auth-dc01 for 'authentication' rules
    set_role : staff_it
    set_access_duration : 10Y
  Matched against apra-user-auth-dc01 for 'administration' rules
    set_access_level : ALL
    mark_as_sponsor : 1



In authentication.conf:

[apra-user-auth-dc01]
cache_match=0
realms=apra,apra.it,default,null
basedn=dc=apra,dc=it
password=XX
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=cn=packetfence,cn=Users,dc=apra,dc=it
encryption=starttls
port=389
description=Apra User authentication
host=192.168.0.7,192.168.0.76
type=AD
read_timeout=10
write_timeout=5
monitor=1
dynamic_routing_module=AuthModule
shuffle=1
searchattributes=

[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi 
apra,OU=Utenti,DC=apra,DC=it

match=all
class=administration
action1=mark_as_sponsor=1

[apra-user-auth-dc01 rule Sponsors]
action0=mark_as_sponsor=1
match=all
class=administration

[apra-user-auth-dc01 rule Voice]
action0=set_role=voice
condition0=sAMAccountName,equals,voice
match=all
class=authentication
action1=set_access_duration=10Y

[apra-user-auth-dc01 rule Staff_IT]
action0=set_role=staff_it
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi 
apra,OU=Utenti,DC=apra,DC=it

match=all
class=authentication
action1=set_access_duration=10Y

[apra-user-auth-dc01 rule Employees]
action0=set_role=employees
match=all
class=authentication
action1=set_access_duration=10Y

Regards


On 17/05/2019 19:38, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

first you need to fix your authentication source apra-user-auth-dc01 
and add an authentication rule that returns a role and an access 
duration. (use:  /usr/local/pf/bin/pftest authentication c.mammoli 
bob  apra-user-auth-dc01)


After that you should be able to see a role associated with your device 
and probably something better in the radius audit log, and we will see 
about the next steps.


Regards

Fabrice


On 19-05-17 at 12:37, Cristian Mammoli via PacketFence-users wrote:

Cisco ASA VPN Configuration in 9.0

Hi, I'm trying to configure our ASA for VPN authentication but the 
docs are a little bit vague considering this is a new concept


Steps I did:

* Added the asa in the switch group, configured PSK etc
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=<ip address>

* I used an existing authentication source with LDAP role assignment
* Configured the Packetfence Radius server in the ASA and the vpn as 
in the example provided


Now what?

I can connect via vpn and surf the Internet
In the audit log I see my authentication:

Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "**"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"

RADIUS Reply

But the reply is empty

In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC 
from Called-Station-Id: 89.97.236.20 
(pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing 
connection (pf::LDAP::expire_if)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] 
[apra-machine-auth-dc01] No entries found (0) with filter 
(servicePrincipalName=c.mammoli) from dc=apra,dc=it on 
192.168.0.76:389 (pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing 
connection (pf::L

[PacketFence-users] Cisco ASA VPN Configuration in PF 9.0

2019-05-17 Thread Cristian Mammoli via PacketFence-users

Cisco ASA VPN Configuration in 9.0

Hi, I'm trying to configure our ASA for VPN authentication but the docs 
are a little bit vague considering this is a new concept


Steps I did:

* Added the asa in the switch group, configured PSK etc
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=<ip address>

* I used an existing authentication source with LDAP role assignment
* Configured the Packetfence Radius server in the ASA and the vpn as in 
the example provided


Now what?

I can connect via vpn and surf the Internet
In the audit log I see my authentication:

Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "**"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"

RADIUS Reply

But the reply is empty

In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC from 
Called-Station-Id: 89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection 
(pf::LDAP::expire_if)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] [apra-machine-auth-dc01] 
No entries found (0) with filter (servicePrincipalName=c.mammoli) from 
dc=apra,dc=it on 192.168.0.76:389 
(pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection 
(pf::LDAP::expire_if)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] [apra-user-auth-dc01] 
Authentication successful for c.mammoli 
(pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Authentication successful 
for c.mammoli in source apra-user-auth-dc01 (AD) 
(pf::authentication::authenticate)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value 
$roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 783.


httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value 
$roleName in concatenation (.) or string at 
/usr/local/pf/lib/pf/Switch.pm line 786.

 (pf::Switch::getRoleByName)

It looks like the connection profile isn't even matched, and all 
authentication sources are tried even if I only specified one


BTW, what is the redirect acl in the docs used for?? It is not applied 
anywhere and I can't see it in the ASA.pm code


The docs say: "You can force VPN users to authenticate first on the 
captive portal and based on the role of the device allow it and/or set 
dynamic ACL."
Is the portal authentication a requirement? I would like to authenticate 
users and assign a dynamic ACL without external portal authentication


Thanks

C.





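The `authentication.conf` rules quoted in the replies above (Administrator, Sponsors, Voice, Staff_IT, Employees) are what `pftest authentication` is reporting when it prints `set_role : staff_it` and `set_access_level : ALL`. The following is an added example, not PacketFence's own code: a small evaluator that parses those rule sections and applies them to a user's LDAP attributes. It assumes rules are tried in file order with the first match per class winning (consistent with the pftest output above, where the catch-all Employees rule was not applied to c.mammoli), and it supports only a constructed subset of condition operators; the group DN and usernames are the ones quoted in the thread, the password line is left out.

```python
"""Evaluate PacketFence-style authentication.conf rules against a user's
LDAP attributes, the way `pftest authentication` reports them.

Added example, not PacketFence code. Assumed: rules are tried in file order
and the first match per class wins; OPERATORS is a constructed subset.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed config: the rule sections quoted in the thread, password removed.
CONSTRUCTED_CONF = """\
[apra-user-auth-dc01]
type=AD
host=192.168.0.7,192.168.0.76
usernameattribute=sAMAccountName

[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
match=all
class=administration
action1=mark_as_sponsor=1

[apra-user-auth-dc01 rule Sponsors]
action0=mark_as_sponsor=1
match=all
class=administration

[apra-user-auth-dc01 rule Voice]
action0=set_role=voice
condition0=sAMAccountName,equals,voice
match=all
class=authentication
action1=set_access_duration=10Y

[apra-user-auth-dc01 rule Staff_IT]
action0=set_role=staff_it
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
match=all
class=authentication
action1=set_access_duration=10Y

[apra-user-auth-dc01 rule Employees]
action0=set_role=employees
match=all
class=authentication
action1=set_access_duration=10Y
"""


@dataclass
class Rule:
    name: str
    cls: str                      # "authentication" or "administration"
    match: str                    # "all" or "any"
    conditions: List[Tuple[str, str, str]] = field(default_factory=list)
    actions: List[Tuple[str, str]] = field(default_factory=list)


# Assumed operator names; "matches" is a regular-expression search.
OPERATORS = {
    "equals": lambda v, t: v == t,
    "not_equals": lambda v, t: v != t,
    "starts": lambda v, t: v.startswith(t),
    "ends": lambda v, t: v.endswith(t),
    "contains": lambda v, t: t in v,
    "matches": lambda v, t: re.search(t, v) is not None,
}


def _parse_condition(text: str) -> Tuple[str, str, str]:
    # attr,op,value: the value may itself contain commas (a DN), so split twice only
    parts = text.split(",", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed condition: {text!r}")
    return parts[0], parts[1], parts[2]


def load_rules(conf_text: str, source: str) -> List[Rule]:
    """Parse the '[<source> rule <name>]' sections, preserving file order."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    prefix = f"{source} rule "
    rules = []
    for section in cp.sections():
        if not section.startswith(prefix):
            continue
        opts = cp[section]
        conditions = [_parse_condition(opts[k]) for k in sorted(opts) if k.startswith("condition")]
        # action0=set_role=staff_it -> ("set_role", "staff_it")
        actions = [tuple(opts[k].split("=", 1)) for k in sorted(opts) if k.startswith("action")]
        rules.append(Rule(section[len(prefix):], opts.get("class", "authentication"),
                          opts.get("match", "all"), conditions, actions))
    return rules


def condition_holds(cond: Tuple[str, str, str], attrs: Dict[str, object]) -> bool:
    attr, op, target = cond
    values = attrs.get(attr.lower(), [])        # LDAP attribute names are case-insensitive
    if isinstance(values, str):
        values = [values]
    test = OPERATORS[op]
    if op == "not_equals":                      # must hold for every value of a multi-valued attribute
        return all(test(v, target) for v in values)
    return any(test(v, target) for v in values)


def evaluate(rules: List[Rule], attrs: Dict[str, object], cls: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (matched rule name, its actions) for one rule class; first match wins."""
    lowered = {k.lower(): v for k, v in attrs.items()}
    for rule in rules:
        if rule.cls != cls:
            continue
        checks = [condition_holds(c, lowered) for c in rule.conditions]
        if not checks:
            matched = True                      # a rule without conditions is a catch-all
        else:
            matched = any(checks) if rule.match == "any" else all(checks)
        if matched:
            return rule.name, dict(rule.actions)
    return None, {}


if __name__ == "__main__":
    rules = load_rules(CONSTRUCTED_CONF, "apra-user-auth-dc01")
    user = {"sAMAccountName": "c.mammoli",
            "memberOf": ["CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it"]}
    for cls in ("authentication", "administration"):
        print(cls, evaluate(rules, user, cls))
```

Run against the c.mammoli attributes the evaluator returns the two results pftest printed; a user in no special group falls through to Employees for authentication and to Sponsors for administration, which is how a rule without conditions behaves in this model. Whether the rule engine stops at the first match is an assumption here; check it against the PacketFence documentation for the version in use before relying on it for access decisions.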


[PacketFence-users] Duplicate usernames with and without domain part

2018-11-29 Thread Cristian Mammoli via PacketFence-users
Hi, I already brought this up in the past and Fabrice said it was in the 
roadmap, sorry to ask it again:


Is it possible to register usernames of people authenticated via 
ntlm_auth *without* the domain part?


Actually I have the same user registered twice in PF:

As "DOMAIN\user" when auto-registered with 802.1x (for example with 
Windows PCs)
As "user" when registered via the portal (for example for smartphones, 
Apple devices, etc.)


Is there an issue on github to follow?

Thanks

C.


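As an added illustration (not PacketFence code) of the duplication described in this message, the block below reduces the two stored forms, `DOMAIN\user` from 802.1X and `user` from the portal, to one identity key and groups node records by it, keeping a foreign realm distinct so two different people are not merged. The realm list, the strip rules, the function names and the sample node records are constructed assumptions; it does not reproduce PacketFence's own realm-stripping logic.

```python
"""Reduce 'DOMAIN\\user', 'user@realm' and bare 'user' to one identity key so
a device registered through 802.1X and one registered on the portal are not
counted as two different users.

Added example, not PacketFence code. KNOWN_REALMS and the strip rules are
assumptions made for this illustration.
"""
from typing import Dict, List, Tuple

# Constructed: mirrors the realms= line of the source quoted elsewhere in the thread.
KNOWN_REALMS = {"apra", "apra.it"}


def split_username(raw: str) -> Tuple[str, str]:
    """Return (user, realm); realm is lowercased and '' when absent."""
    raw = raw.strip()
    if "\\" in raw:                          # NetBIOS prefix form: DOMAIN\user
        realm, user = raw.split("\\", 1)
        return user, realm.lower()
    if "@" in raw:                           # UPN / NAI form: user@realm
        user, realm = raw.rsplit("@", 1)
        return user, realm.lower()
    return raw, ""


def identity_key(raw: str, known_realms=KNOWN_REALMS) -> str:
    """Canonical lowercase 'user' when the realm is ours or missing; a foreign
    realm is kept so 'bob@partner.example' does not collide with local 'bob'."""
    user, realm = split_username(raw)
    user = user.lower()
    if realm == "" or realm in known_realms:
        return user
    return f"{user}@{realm}"


def group_nodes_by_identity(nodes: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """nodes: (mac, pid as stored) pairs -> {identity: [macs]}; an identity with
    more than one MAC is the same person seen under several username forms."""
    groups: Dict[str, List[str]] = {}
    for mac, pid in nodes:
        groups.setdefault(identity_key(pid), []).append(mac)
    return groups


if __name__ == "__main__":
    # Constructed sample: the same user via 802.1X and via the portal, plus a guest.
    sample = [("c4:86:e9:96:61:e1", "APRA\\c.mammoli"),
              ("20:cf:30:36:88:15", "c.mammoli"),
              ("aa:bb:cc:dd:ee:01", "bob@partner.example")]
    for identity, macs in group_nodes_by_identity(sample).items():
        print(identity, macs)
```

The key choice is to strip only realms you own: stripping every realm would merge a guest `bob@partner.example` with a local `bob`, which is a worse outcome than the duplicate the message complains about.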


Re: [PacketFence-users] Username format for portal and automatically registered devices

2018-06-08 Thread Cristian Mammoli via PacketFence-users
Hi guys, sorry for the necroposting: is this issue fixed with the new 
realm strip options in 8.0?

Or it is for a different thing?


Thanks


On 19/10/2017 16:42, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

btw it's in the road map.

Regards

Fabrice



On 2017-10-19 at 05:31, Cristian Mammoli via PacketFence-users wrote:

Hello Fabrice, thanks. I was afraid I was doing something wrong.
I could possibly play with "radius-server domain-stripping" option on
IOS switches but I agree this should be handled by PF.

On 18/10/2017 17:22, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

It is, but because the supplicant sends DOMAIN\Username and the portal uses
the sAMAccountName.

The solution could be to use another attribute that contains the
DOMAIN\Username, but I am not sure it exists in the active directory and I
am not sure that users will be happy to fill in DOMAIN\Username on the
portal.

We talked about that internally and we will probably play with the realm
/ username to detect that the user is the same and not try to add the
same user twice.

Regards

Fabrice


--

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


--

*Cristian Mammoli*
System Administrator

T.  +39 0731 719822
www.apra.it <http://www.apra.it>



*Notice on the protection of confidential information.* This message was 
sent by Apra spa or by one of the companies of the Group. It and any 
attachments may contain information of an extremely reserved and 
confidential nature. If you are not the intended recipients, please 
inform us immediately by the same means and delete the message and any 
attachments, without keeping a copy.




[PacketFence-users] Frequent haproxy portal segfaults

2018-06-05 Thread Cristian Mammoli via PacketFence-users
Hi, multiple times a day haproxy-portal segfaults. I had to configure a 
"watchdog" to restart it:


dmesg:
[313974.875103] haproxy[1983]: segfault at 581d9e1d ip 560257f6d1d2 
sp 7ffca504d770 error 4 in haproxy[560257ed2000+101000]
[314296.013258] haproxy[11239]: segfault at 3575a81d ip 55b7354e91d2 
sp 7ffebde0a0b0 error 4 in haproxy[55b73544e000+101000]
[345500.600770] haproxy[5437]: segfault at 395181d ip 5584036e01d2 
sp 7ffdde48cc00 error 4 in haproxy[558403645000+101000]
[347232.808143] haproxy[11087]: segfault at a1f31e1d ip 5605a1cc51d2 
sp 7fff45eb6a00 error 4 in haproxy[5605a1c2a000+101000]
[347611.306720] haproxy[17569]: segfault at f75a0e1d ip 55a8f73341d2 
sp 7ffc724dc360 error 4 in haproxy[55a8f7299000+101000]
[347909.722693] haproxy[18572]: segfault at cc7b781d ip 557acc5461d2 
sp 7ffef0991110 error 4 in haproxy[557acc4ab000+101000]


journalctl -u packetfence-haproxy-portal.service:
Jun 05 09:41:27 srvpf.apra.it systemd[1]: Starting PacketFence HAProxy 
Load Balancer for the captive portal...
Jun 05 09:41:29 srvpf.apra.it packetfence[17557]: WARN pfcmd.pl(17557): 
requesting member ips for an undefined interface... 
(pf::cluster::members_ips)
Jun 05 09:41:29 srvpf.apra.it packetfence[17557]: WARN pfcmd.pl(17557): 
requesting member ips for an undefined interface... 
(pf::cluster::members_ips)
Jun 05 09:41:29 srvpf.apra.it packetfence[17557]: WARN pfcmd.pl(17557): 
requesting member ips for an undefined interface... 
(pf::cluster::members_ips)
Jun 05 09:41:29 srvpf.apra.it packetfence[17557]: WARN pfcmd.pl(17557): 
requesting member ips for an undefined interface... 
(pf::cluster::members_ips)

Jun 05 09:41:29 srvpf.apra.it pfcmd[17557]: service|command
Jun 05 09:41:29 srvpf.apra.it pfcmd[17557]: haproxy-portal|config generated
Jun 05 09:41:29 srvpf.apra.it systemd[1]: Started PacketFence HAProxy 
Load Balancer for the captive portal.
Jun 05 09:41:29 srvpf.apra.it haproxy-systemd-wrapper[17564]: 
haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f 
/usr/local/pf/var/conf/haproxy-portal.conf -p /usr/local/pf/var/run/
Jun 05 09:41:47 srvpf.apra.it haproxy-systemd-wrapper[17564]: 
haproxy-systemd-wrapper: exit, haproxy RC=0


cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

cat /usr/local/pf/conf/pf-release
PacketFence 8.0.1

yum info haproxy
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: it.centos.contactlab.it
 * extras: it.centos.contactlab.it
 * updates: it.centos.contactlab.it
Installed Packages
Name    : haproxy
Arch    : x86_64
Version : 1.6.11
Release : 1.2
Size    : 3.1 M
Repo    : installed
From repo   : packetfence




Re: [PacketFence-users] Redundant authentication sources

2018-05-14 Thread Cristian Mammoli via PacketFence-users

I tried and it works but it breaks the new status dashboard:



And I have lots of:
May 14 10:29:32 srvpf /usr/local/pf/bin/pfstats[2069]: 
t=2018-05-14T10:29:32+0200 lvl=eror msg="Error connecting to LDAP 
source: LDAP Result Code 200 \"Network Error\": dial tcp: lookup 
192.168.0.7,192.168.0.76: no such host" pid=2069
May 14 10:29:42 srvpf /usr/local/pf/bin/pfstats[2069]: 
t=2018-05-14T10:29:42+0200 lvl=eror msg="Error connecting to LDAP 
source: LDAP Result Code 200 \"Network Error\": dial tcp: lookup 
192.168.0.7,192.168.0.76: no such host" pid=2069
May 14 10:29:42 srvpf /usr/local/pf/bin/pfstats[2069]: 
t=2018-05-14T10:29:42+0200 lvl=eror msg="Error connecting to LDAP 
source: LDAP Result Code 200 \"Network Error\": dial tcp: lookup 
192.168.0.7,192.168.0.76: no such host" pid=2069


In the logs

On 09/05/2018 16:32, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

in fact you can set a comma delimited list of ip addresses in the source.

Regards

Fabrice



On 2018-05-08 at 04:54, Cristian Mammoli via PacketFence-users wrote:
Hi, what's the correct way to have redundant authentication sources? 
There is no way to specify multiple hosts.


I ended up declaring them twice with different servers and using both 
in connection profiles but I don't know if this is the correct way to 
go:


apra-machine-auth-dc01      Apra Machine authentication DC01 AD
apra-machine-auth-dc02      Apra Machine authentication DC02 AD
apra-user-auth-dc01      Apra Machine authentication DC01     AD
apra-user-auth-dc02      Apra Machine authentication DC02     AD

Thanks

C.






--

*Cristian Mammoli*
System Administrator

T.  +39 0731 719822
www.apra.it <http://www.apra.it>




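The `pfstats` error above shows the whole `host=` field handed to a resolver as one hostname (`lookup 192.168.0.7,192.168.0.76: no such host`), while the Perl side evidently splits the comma-delimited list Fabrice describes. The following added example (not PacketFence code) shows the split-then-try-each loop a client of such a field needs, including the randomised order implied by the `shuffle=1` line of the source configuration quoted earlier on this page. The connector is injectable so the failover logic can be exercised without an LDAP server; the port handling and the function names are assumptions.

```python
"""Split a comma-delimited 'host=' list and fail over between the hosts.

Added example, not PacketFence code. Shows the failure shape from the pfstats
log (the unsplit string treated as one hostname) and the loop that avoids it.
"""
import random
import socket
from typing import Callable, List, Optional, Tuple


def parse_host_list(host_field: str, default_port: int = 389) -> List[Tuple[str, int]]:
    """'192.168.0.7,192.168.0.76' -> [('192.168.0.7', 389), ('192.168.0.76', 389)].
    Tolerates whitespace and empty entries; 'host:port' overrides the default
    port (IPv6 literals are not handled here)."""
    targets = []
    for entry in host_field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            targets.append((host, int(port)))
        else:
            targets.append((entry, default_port))
    return targets


def connect_with_failover(host_field: str,
                          connector: Callable[[str, int], object],
                          default_port: int = 389,
                          shuffle: bool = False,
                          rng: Optional[random.Random] = None):
    """Try each host in turn (random order when the source has shuffle=1) and
    return (host, port, connection) for the first one that answers. Raises
    ConnectionError listing every failure when none does."""
    targets = parse_host_list(host_field, default_port)
    if not targets:
        raise ValueError("empty host list")
    if shuffle:
        (rng or random).shuffle(targets)
    failures = []
    for host, port in targets:
        try:
            return host, port, connector(host, port)
        except OSError as exc:              # refused, timeout, unreachable, ...
            failures.append(f"{host}:{port}: {exc}")
    raise ConnectionError("all hosts failed: " + "; ".join(failures))


def tcp_connector(host: str, port: int, timeout: float = 5.0) -> socket.socket:
    """Real connector: a plain TCP connect (StartTLS and bind would follow)."""
    return socket.create_connection((host, port), timeout=timeout)


if __name__ == "__main__":
    # Unsplit, the whole field is resolved as one name, which is the
    # 'no such host' error the log reports.
    try:
        socket.getaddrinfo("192.168.0.7,192.168.0.76", 389)
    except socket.gaierror as exc:
        print("unsplit lookup failed as expected:", exc)
    print(parse_host_list("192.168.0.7,192.168.0.76"))
    try:
        print(connect_with_failover("192.168.0.7,192.168.0.76", tcp_connector))
    except ConnectionError as exc:
        print(exc)
```

The error message that lists every attempted host is deliberate: a monitor that only logs the last failure hides which replica went first, which is the information you want when one DC is down.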


[PacketFence-users] Redundant authentication sources

2018-05-08 Thread Cristian Mammoli via PacketFence-users
Hi, what's the correct way to have redundant authentication sources? 
There is no way to specify multiple hosts.


I ended up declaring them twice with different servers and using both in 
connection profiles but I don't know if this is the correct way to go:


apra-machine-auth-dc01      Apra Machine authentication DC01     AD
apra-machine-auth-dc02      Apra Machine authentication DC02     AD
apra-user-auth-dc01      Apra Machine authentication DC01     AD
apra-user-auth-dc02      Apra Machine authentication DC02     AD

Thanks

C.



Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-06 Thread Cristian Mammoli via PacketFence-users

On 05/05/2018 04:25, Durand fabrice via PacketFence-users wrote:
So i did the change and the new binary will be available tomorrow there: 
http://inverse.ca/downloads/PacketFence/CentOS7/binaries/maintenance/8.0/


Regards

Fabrice



Thanks Fabrice, I'll do some tests ASAP. I need to download pfdns and 
overwrite mine I guess.


Just another confirmation if possible. Do I need the portal interface to 
access the portal *after* a device has been registered? For example 
email registration, when a device is moved to the guest vlan to check 
the email?




Regards

C.



Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-03 Thread Cristian Mammoli via PacketFence-users
It seems that trying to resolve a domain returns the registration vlan 
IP (192.168.112.254) while trying to resolve the portal FQDN returns the 
portal interface IP (*192.168.114.254*)

Probably the 2nd query is forwarded upstream for some reason

C:\Windows\system32>nslookup www.pippo.com
Server: 254.112.168.192.in-addr.arpa
Address: 192.168.112.254

Nome: www.pippo.com
Addresses: 192.168.112.254
192.168.112.254


C:\Windows\system32>nslookup nac.apra.it
Server: 254.112.168.192.in-addr.arpa
Address: 192.168.112.254

Nome: nac.apra.it
Address: 192.168.114.254


C:\Windows\system32>


May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 
20:cf:30:36:88:15 passthrough
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 - 
[03/May/2018:15:17:29 +0200] "A IN 
www.pippo.com.vlan-registration.apra.it. udp 57 false 512" NXDOMAIN 
qr,aa,rd,ra 115 4.506862ms
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 
20:cf:30:36:88:15 passthrough
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 - 
[03/May/2018:15:17:29 +0200] " IN 
www.pippo.com.vlan-registration.apra.it. udp 57 false 512" NXDOMAIN 
qr,aa,rd,ra 115 5.510869ms
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 
20:cf:30:36:88:15 passthrough
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 - 
[03/May/2018:15:17:29 +0200] "A IN www.pippo.com.apra.it. udp 39 false 
512" NXDOMAIN qr,aa,rd,ra 97 4.253698ms
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 
20:cf:30:36:88:15 passthrough
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 - 
[03/May/2018:15:17:29 +0200] " IN www.pippo.com.apra.it. udp 39 
false 512" NXDOMAIN qr,aa,rd,ra 97 4.34452ms
May 03 15:17:30 srvpf.apra.it pfdns[2301]: Returned portal for MAC 
20:cf:30:36:88:15 with IP 192.168.112.33
May 03 15:17:30 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:30 +0200] "A IN www.pippo.com. udp 31 false 512" NOERROR qr,aa,rd 47 4.200221ms
May 03 15:17:30 srvpf.apra.it pfdns[2301]: Returned portal for MAC 20:cf:30:36:88:15 with IP 192.168.112.33
May 03 15:17:30 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:30 +0200] " IN www.pippo.com. udp 31 false 512" NOERROR qr,aa,rd 47 5.50361ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: Returned portal for MAC 20:cf:30:36:88:15 with IP 192.168.112.33
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "PTR IN 254.112.168.192.in-addr.arpa. udp 46 false 512" NOERROR qr,aa,rd 62 3.463945ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "A IN nac.apra.it.vlan-registration.apra.it. udp 55 false 512" NXDOMAIN qr,aa,rd,ra 113 3.784624ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] " IN nac.apra.it.vlan-registration.apra.it. udp 55 false 512" NXDOMAIN qr,aa,rd,ra 113 4.101483ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "A IN nac.apra.it.apra.it. udp 37 false 512" NXDOMAIN qr,aa,rd,ra 95 3.522312ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] " IN nac.apra.it.apra.it. udp 37 false 512" NXDOMAIN qr,aa,rd,ra 95 4.039791ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "A IN nac.apra.it. udp 29 false 512" NOERROR qr,aa,rd,ra 45 20.000424ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] " IN nac.apra.it. udp 29 false 512" NOERROR qr,aa,rd,ra 87 3.211035ms


On 03/05/2018 14:34, Fabrice Durand via PacketFence-users wrote:


Weird, it's supposed to return the portal IP.

Can you do this on a laptop:

nslookup nac.apra.it

and on the same time on the packetfence server : journalctl -f | grep dns

And give me the result.

Regards

Fabrice



On 2018-05-03 at 03:44, Cristian Mammoli via PacketFence-users wrote:

Indeed it was this way on 7.4 :( But it stopped working on 8.0 :(

[root@srvpf conf]# cat pf.conf
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
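
To read an excerpt like the one above without counting lines by hand, the script below, an added example that is not part of this thread or of PacketFence, pairs each pfdns decision line ("Returned portal for MAC ..." or "... passthrough") with the query line that follows it for the same client IP and reports lookups of the portal FQDN that went through a passthrough instead of being answered with the portal address. The portal FQDN (nac.apra.it, hostname + domain from pf.conf) and the sample lines are taken from the thread; the regular expressions are written for the log format shown and are an assumption beyond that.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the pfdns journal excerpt quoted above
# (client 192.168.112.33, MAC 20:cf:30:36:88:15). pfdns logs its decision
# ("Returned portal ..." or "... passthrough") first and the query it answered
# next, so the two have to be paired by client IP.
SAMPLE_LOG = """\
May 03 15:17:33 srvpf.apra.it pfdns[2301]: Returned portal for MAC 20:cf:30:36:88:15 with IP 192.168.112.33
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "PTR IN 254.112.168.192.in-addr.arpa. udp 46 false 512" NOERROR qr,aa,rd 62 3.463945ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "A IN nac.apra.it.apra.it. udp 37 false 512" NXDOMAIN qr,aa,rd,ra 95 3.522312ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "A IN nac.apra.it. udp 29 false 512" NOERROR qr,aa,rd,ra 45 20.000424ms
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"

# "Returned portal for MAC <mac> with IP <ip>"  or  "<ip> : <mac> passthrough"
DECISION_RE = re.compile(
    rf"pfdns\[\d+\]: (?:Returned portal for MAC (?P<pmac>{MAC}) with IP (?P<pip>{IPV4})"
    rf"|(?P<tip>{IPV4}) : (?P<tmac>{MAC}) passthrough)\s*$"
)
# '<ip> - [<when>] "<type> IN <name> <proto> <len> <do> <bufsize>" <rcode> <flags> <size> <duration>'
# The record type is optional because the archive dropped it from some lines.
QUERY_RE = re.compile(
    rf'pfdns\[\d+\]: (?P<ip>{IPV4}) - \[[^\]]+\] '
    r'"(?P<qtype>\S*)\s*IN (?P<qname>\S+) \S+ \d+ \S+ \d+" '
    r"(?P<rcode>\S+) (?P<flags>\S+) \d+ \S+\s*$"
)


@dataclass
class Query:
    ip: str
    mac: Optional[str]        # None when no decision line preceded the query
    decision: Optional[str]   # "portal", "passthrough" or None
    qtype: str
    qname: str
    rcode: str
    flags: Tuple[str, ...]

    @property
    def forwarded(self) -> bool:
        # In the excerpt, answers pfdns synthesised itself carry qr,aa,rd while
        # answers it proxied upstream also carry ra (recursion available).
        return "ra" in self.flags


def correlate(lines: List[str]) -> List[Query]:
    """Pair each pfdns decision line with the next query line from the same client IP."""
    pending: Dict[str, Tuple[str, str]] = {}
    queries: List[Query] = []
    for line in lines:
        m = DECISION_RE.search(line)
        if m:
            if m.group("pmac"):
                pending[m.group("pip")] = ("portal", m.group("pmac"))
            else:
                pending[m.group("tip")] = ("passthrough", m.group("tmac"))
            continue
        m = QUERY_RE.search(line)
        if not m:
            continue
        decision, mac = pending.pop(m.group("ip"), (None, None))
        queries.append(Query(
            ip=m.group("ip"), mac=mac, decision=decision,
            qtype=m.group("qtype") or "?", qname=m.group("qname"),
            rcode=m.group("rcode"), flags=tuple(m.group("flags").split(",")),
        ))
    return queries


def portal_fqdn_leaks(queries: List[Query], portal_fqdn: str) -> List[Query]:
    """Lookups of the portal FQDN that pfdns forwarded instead of answering with the portal IP.

    This is the symptom in the thread: a passthrough matched the portal name, so
    the unregistered client received the corporate DNS answer.
    """
    want = portal_fqdn.rstrip(".").lower()
    return [q for q in queries
            if q.qname.rstrip(".").lower() == want and q.decision == "passthrough"]


def decisions_per_mac(queries: List[Query]) -> Dict[str, Dict[str, int]]:
    """Count portal vs passthrough decisions per client MAC, a quick health summary."""
    counts: Dict[str, Dict[str, int]] = {}
    for q in queries:
        if q.mac and q.decision:
            per_mac = counts.setdefault(q.mac, {})
            per_mac[q.decision] = per_mac.get(q.decision, 0) + 1
    return counts


if __name__ == "__main__":
    qs = correlate(SAMPLE_LOG.splitlines())
    for leak in portal_fqdn_leaks(qs, "nac.apra.it"):  # hostname + domain from pf.conf
        print(f"portal FQDN {leak.qname} answered via passthrough for {leak.mac} ({leak.rcode})")
    print(decisions_per_mac(qs))
```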

[PacketFence-users] New go binaries and pf-maint

2018-05-03 Thread Cristian Mammoli via PacketFence-users
Before 8.0 I simply ran addons/pf-maint.pl, applied the patches and 
restarted the services


How do I do this now that there are go binaries involved? I see pf-maint.pl 
patches the sources in go/ and there is an addons/packages/build-go.sh


Do I have to run that?

Ty

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-02 Thread Cristian Mammoli via PacketFence-users

Ok, then I have a problem:

I created a dns record for nac.apra.it on my corporate dns server that 
points to the portal interface (nac.apra.it is 
general.hostname+general.domain in pf.conf)


But even from an unregistered device pfdns resolves with this ip address 
instead of replying with its own ip in the registration or isolation vlan


I had to add an iptables rule to allow reaching the portal interface ip 
address from the isolation and registration vlan.


Of course the dns server passed to the clients in those vlan is 
packetfence (default configuration)



I tried deleting the portal interface and removing the A record from my 
corporate DNS server, but then pfdns answers with NXDOMAIN when queried 
from an unregistered device.


In 7.4 this configuration worked (I erroneously thought that the portal 
interface was required but probably it wasn't used at all)


This is my pfdns.conf:

[root@srvpf addons]# cat /usr/local/pf/conf/pfdns.conf
.:54 {
[% domain %]

proxy . /etc/resolv.conf
}

# all other domains are subject to interception
:53 {
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
[% domain %]
[% inline %]

    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}

resolv.conf contains my corp dns servers

Regards

C.


On 30/04/2018 14:59, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

pfdns is supposed to resolve the portal FQDN if the device is unreg or if
there is a violation.

Also, if there is a passthrough that matches the portal FQDN name then it
will forward the request to another server.

The portal interface is just an interface with the portal on it; it is
generally used for web auth.
Regards
Fabrice


On 2018-04-27 at 09:34, Cristian Mammoli via PacketFence-users wrote:

Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and
registration vlan? I'm using 8.0

ATM for me it isn't working:

My pf.conf is:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=nac

But the requests for "nac.apra.it" are forwarded upstream.

Btw, what's the network interface type "portal" for? Are the clients
supposed to reach this interface for the portal? Is it mandatory?

Thanks

C.



--

*Cristian Mammoli*
System Administrator

T.  +39 0731 719822
www.apra.it <http://www.apra.it>






[PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-04-27 Thread Cristian Mammoli via PacketFence-users
Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and 
registration vlan? I'm using 8.0


ATM for me it isn't working:

My pf.conf is:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.

hostname=nac

But the requests for "nac.apra.it" are forwarded upstream.

Btw, what's the network interface type "portal" for? Are the clients 
supposed to reach this interface for the portal? Is it mandatory?


Thanks

C.



Re: [PacketFence-users] Restarting swicthports errors

2018-02-05 Thread Cristian Mammoli via PacketFence-users
Hi, see my post "[PacketFence-users] pfappserver::Controller::Node 
broken after update to 7.4" of 01-29


On 02/02/2018 16:43, David Harvey via PacketFence-users wrote:
Sorry for all the mailing list spam. I've been having a bit of a 
packetfence tinkering week!


Since upgrading to packetfence 7.4 followed by applying the Unifi 
patch 2735.patch (the latter probably unrelated given the files it touches), 
I've been seeing failures when attempting to restart switchports from the GUI.  
On screen I get


"Error!An error condition has occured. See server side logs for details."









Re: [PacketFence-users] pfappserver::Controller::Node broken after update to 7.4

2018-01-29 Thread Cristian Mammoli via PacketFence-users

Same goes with the WMI tab in the node properties.

On 29/01/2018 13:17, Cristian Mammoli via PacketFence-users wrote:
Hi, after updating to 7.4 I have the following issues in the admin 
portal:


Restart switchport on the node details show:
*Error!* An error occured while contacting the server. Please try 
again later. 

...



Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-16 Thread Cristian Mammoli via PacketFence-users
Thank you very much Fabrice, greatly appreciated. I'll schedule an 
upgrade on a test switch.


Maybe the bug is related to this: 
https://quickview.cloudapps.cisco.com/quickview/bug/CSCve85309 ?


On 15/11/2017 22:50, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

So I am able to replicate it and it looks to be a bug with the IOS version.

Let's say I have nothing connected on the port Gi1/0/8. If I do that:

Switch#sh interfaces gigabitEthernet 1/0/8
GigabitEthernet1/0/8 is administratively down, line protocol is down
(disabled)
   Hardware is Gigabit Ethernet, address is dca5.f434.5508 (bia
dca5.f434.5508)
   MTU 1500 bytes, BW 1 Kbit/sec, DLY 1000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation ARPA, loopback not set
   Keepalive set (10 sec)
   Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
   input flow-control is off, output flow-control is unsupported
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:07:35, output 00:07:05, output hang never
   Last clearing of "show interface" counters never
   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
   Queueing strategy: fifo
   Output queue: 0/40 (size/max)
   5 minute input rate 0 bits/sec, 0 packets/sec
   5 minute output rate 0 bits/sec, 0 packets/sec
  484517 packets input, 59890752 bytes, 0 no buffer
  Received 266453 broadcasts (221983 multicasts)
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 watchdog, 221983 multicast, 0 pause input
  0 input packets with dribble condition detected
  618866 packets output, 72946865 bytes, 0 underruns
  0 output errors, 0 collisions, 35 interface resets
  0 unknown protocol drops
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier, 0 pause output
  0 output buffer failures, 0 output buffers swapped out

I have 59890752 bytes in and 72946865 bytes out.


I plug a laptop into it, PF receives an accounting packet with in 0 and out
0 (normal).

If I shut down the port then PF receives an accounting packet with 59890752
(a little bit more) bytes in and 72946865 (a little bit more) bytes out.

+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
| id | acctsessionid | username                   | nasipaddress  | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
|  3 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:21 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
|  6 | 005C          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:19:28 |        59665537 |         72749820 |               7 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
|  9 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:19:31 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 12 | 005D          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:05 |        59846611 |         72909854 |             994 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 15 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:36:26 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 18 | 0060          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:36:57 |        59869432 |         72929035 |              30 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 21 | 0061          | host/inverse-8.inverse.inc | 172.20.135.77 | Start          | 2017-11-15 16:38:25 |               0 |                0 |               0 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
| 24 | 0061          | host/inverse-8.inverse.inc | 172.20.135.77 | Stop           | 2017-11-15 16:38:56 |        59890752 |         72946865 |              31 | 8cf6eb6093c8ef5f8f5b94ebe8e81265 |
+----+---------------+----------------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+

So it looks like the in/out bytes are never reset and the switch sends
the in/out bytes since the switch started.

What I can recommend is: if there is a new IOS version then upgrade; if it
doesn't fix the issue then open a TAC case with Cisco.

Regards

Fabrice



On 2017-11-15 at 06:09, Cristian Mammoli via PacketFence-users wrote:

OK, this is my notebook wifi adapter (E4:B3:18:2C:E0:C0) and 192.168.7.221
is a Cisco WLC. No problem here, the accounting data looks ok:

MariaDB [pf]> select * fro
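
Fabrice's diagnosis above, that the switch reports interface counters since boot rather than per-session octets, can be checked mechanically against radacct_log. The script that follows is an added example, not PacketFence code: it groups rows by NAS and acctsessionid, flags counters that go backwards or exceed what the link could carry in the elapsed time, and flags consecutive sessions whose Stop totals barely differ, which is the cumulative-counter signature. The rows are transcribed from the query results quoted in this thread; the 1 Gbit/s link speed and the 5% "creep" tolerance are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Sequence, Tuple

# Assumption: access ports are 1 Gbit/s, so no record can report more octets than this per second.
LINK_BYTES_PER_SEC = 125_000_000

SW, PC = "172.20.135.77", "host/inverse-8.inverse.inc"           # Fabrice's test switch and host
WLC, SESS = "192.168.7.221", "5a042efb/e4:b3:18:2c:e0:c0/7093"   # Cristian's WLC session
USER = "APRA=5C=5Cc.mammoli"
# Rows transcribed from the radacct_log results quoted in this thread:
# (id, acctsessionid, username, nasipaddress, acctstatustype, timestamp, acctinputoctets, acctoutputoctets)
SAMPLE_ROWS = [
    # Fabrice's 2960X test port: four short sessions, every Stop just under 60 MB in / 73 MB out
    (3, "005C", PC, SW, "Start", "2017-11-15 16:19:21", 0, 0),
    (6, "005C", PC, SW, "Stop", "2017-11-15 16:19:28", 59665537, 72749820),
    (9, "005D", PC, SW, "Start", "2017-11-15 16:19:31", 0, 0),
    (12, "005D", PC, SW, "Stop", "2017-11-15 16:36:05", 59846611, 72909854),
    (15, "0060", PC, SW, "Start", "2017-11-15 16:36:26", 0, 0),
    (18, "0060", PC, SW, "Stop", "2017-11-15 16:36:57", 59869432, 72929035),
    (21, "0061", PC, SW, "Start", "2017-11-15 16:38:25", 0, 0),
    (24, "0061", PC, SW, "Stop", "2017-11-15 16:38:56", 59890752, 72946865),
    # Cristian's 2960X port: 2.5 GB "in" on an Interim-Update sent the same second as the Start, then a Stop far below it
    (143611, "1212", USER, "192.168.16.43", "Start", "2017-11-09 09:01:15", 0, 0),
    (143612, "1212", USER, "192.168.16.43", "Interim-Update", "2017-11-09 09:01:15", 2512995005, 2056003245),
    (144184, "1212", USER, "192.168.16.43", "Stop", "2017-11-09 09:32:36", 6535801, 64990835),
    # Cristian's WLC session, the well-behaved control
    (145688, SESS, USER, WLC, "Start", "2017-11-09 11:33:31", 0, 0),
    (145705, SESS, USER, WLC, "Interim-Update", "2017-11-09 11:35:03", 5803, 8401),
    (145784, SESS, USER, WLC, "Stop", "2017-11-09 11:40:29", 223227, 44823),
]


@dataclass
class Record:
    id: int
    session: str
    username: str
    nas: str
    status: str
    ts: datetime
    octets_in: int
    octets_out: int


def load(rows: Sequence[tuple]) -> List[Record]:
    return [Record(r[0], r[1], r[2], r[3], r[4], datetime.strptime(r[5], "%Y-%m-%d %H:%M:%S"), r[6], r[7])
            for r in rows]


def sessions(records: List[Record]) -> Dict[Tuple[str, str], List[Record]]:
    """Group records by (NAS, acctsessionid), each group ordered by timestamp then id."""
    groups: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for r in records:
        groups[(r.nas, r.session)].append(r)
    for recs in groups.values():
        recs.sort(key=lambda r: (r.ts, r.id))
    return dict(groups)


def check_session(recs: List[Record]) -> List[str]:
    """Within one session the counters may never decrease and must fit the link speed."""
    problems: List[str] = []
    start, prev_in, prev_out = recs[0].ts, 0, 0
    for r in recs:
        elapsed = max((r.ts - start).total_seconds(), 1.0)
        peak = max(r.octets_in, r.octets_out)
        if r.octets_in < prev_in or r.octets_out < prev_out:
            problems.append(f"{r.nas} session {r.session} id {r.id}: counters went backwards "
                            f"({prev_in}/{prev_out} -> {r.octets_in}/{r.octets_out})")
        if peak > LINK_BYTES_PER_SEC * elapsed:
            problems.append(f"{r.nas} session {r.session} id {r.id}: {peak} octets after "
                            f"{elapsed:.0f}s exceeds what the link can carry")
        prev_in, prev_out = r.octets_in, r.octets_out
    return problems


def check_cumulative(groups: Dict[Tuple[str, str], List[Record]], tolerance: float = 0.05) -> List[str]:
    """Fabrice's diagnosis: consecutive sessions of one NAS and user whose Stop totals only
    creep up by a few percent are reporting counters since boot, not per-session octets."""
    stops: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for recs in groups.values():
        for r in (x for x in recs if x.status == "Stop"):
            stops[(r.nas, r.username)].append(r)
    problems: List[str] = []
    for (nas, user), recs in stops.items():
        recs.sort(key=lambda r: (r.ts, r.id))
        for a, b in zip(recs, recs[1:]):
            creep_in = 0 <= b.octets_in - a.octets_in <= a.octets_in * tolerance
            creep_out = 0 <= b.octets_out - a.octets_out <= a.octets_out * tolerance
            if creep_in and creep_out:
                problems.append(f"{nas} {user}: Stop of session {b.session} barely differs from "
                                f"session {a.session}; counters look cumulative, not per-session")
    return problems


def audit(rows: Sequence[tuple]) -> Dict[str, List[str]]:
    groups = sessions(load(rows))
    per_session: List[str] = []
    for recs in groups.values():
        per_session.extend(check_session(recs))
    return {"per_session": per_session, "cumulative": check_cumulative(groups)}
```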

Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-15 Thread Cristian Mammoli via PacketFence-users
OK, this is my notebook wifi adapter (E4:B3:18:2C:E0:C0) and 192.168.7.221 
is a Cisco WLC. No problem here, the accounting data looks ok:


MariaDB [pf]> select * from radacct_log where 
acctuniqueid="c16c078f963c875d37013c5cba979106";

+--------+----------------------------------+---------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
| id     | acctsessionid                    | username            | nasipaddress  | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
+--------+----------------------------------+---------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
| 145688 | 5a042efb/e4:b3:18:2c:e0:c0/7093  | APRA=5C=5Cc.mammoli | 192.168.7.221 | Start          | 2017-11-09 11:33:31 |               0 |                0 |               0 | c16c078f963c875d37013c5cba979106 |
| 145705 | 5a042efb/e4:b3:18:2c:e0:c0/7093  | APRA=5C=5Cc.mammoli | 192.168.7.221 | Interim-Update | 2017-11-09 11:35:03 |            5803 |             8401 |              93 | c16c078f963c875d37013c5cba979106 |
| 145784 | 5a042efb/e4:b3:18:2c:e0:c0/7093  | APRA=5C=5Cc.mammoli | 192.168.7.221 | Stop           | 2017-11-09 11:40:29 |          223227 |            44823 |             326 | c16c078f963c875d37013c5cba979106 |
| 183214 | 5a0aa387/e4:b3:18:2c:e0:c0/11165 | APRA=5C=5Cc.mammoli | 192.168.7.221 | Start          | 2017-11-14 09:04:24 |               0 |                0 |               0 | c16c078f963c875d37013c5cba979106 |
| 183481 | 5a0aa387/e4:b3:18:2c:e0:c0/11165 | APRA=5C=5Cc.mammoli | 192.168.7.221 | Stop           | 2017-11-14 09:15:25 |         6705186 |         63346445 |             661 | c16c078f963c875d37013c5cba979106 |
+--------+----------------------------------+---------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
5 rows in set (0.00 sec)

This is my ethernet adapter (84:7B:EB:4A:52:05); here the traffic looks 
"out of scale", and the same happens for everyone on these switches.


MariaDB [pf]> select * from radacct_log where 
acctuniqueid="085b986ead6b7d9a6951d1486493d889";

+--------+---------------+---------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
| id     | acctsessionid | username            | nasipaddress  | acctstatustype | timestamp           | acctinputoctets | acctoutputoctets | acctsessiontime | acctuniqueid                     |
+--------+---------------+---------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
| 143611 | 1212          | APRA=5C=5Cc.mammoli | 192.168.16.43 | Start          | 2017-11-09 09:01:15 |               0 |                0 |               0 | 085b986ead6b7d9a6951d1486493d889 |
| 143612 | 1212          | APRA=5C=5Cc.mammoli | 192.168.16.43 | Interim-Update | 2017-11-09 09:01:15 |      2512995005 |       2056003245 |               0 | 085b986ead6b7d9a6951d1486493d889 |
| 143613 | 1212          | APRA=5C=5Cc.mammoli | 192.168.16.43 | Interim-Update | 2017-11-09 09:01:15 |      2512995005 |       2056003245 |               0 | 085b986ead6b7d9a6951d1486493d889 |
| 144184 | 1212          | APRA=5C=5Cc.mammoli | 192.168.16.43 | Stop           | 2017-11-09 09:32:36 |         6535801 |         64990835 |            1881 | 085b986ead6b7d9a6951d1486493d889 |
| 144373 | 1217          | APRA=5C=5Cc.mammoli | 192.168.16.43 | Start          | 2017-11-09 09:45:34 |               0 |                0 |               0 | 085b986ead6b7d9a6951d1486493d889 |
| 146834 | 1217          | APRA=5C=5Cc.mammoli | 192.168.16.43 | Interim-Update | 2017-11-09 12:46:07 |      2543121066 |       2372276848 |               0 | 085b986ead6b7d9a6951d1486493d889 |
| 149206 | 1217          | APRA=5C=5Cc.mammoli | 192.168.16.43 | Interim-Update | 2017-11-09 15:46:40 |        29469179 |        261831473 |               0 | 085b986ead6b7d9a6951d1486493d889 |
| 149848 | 1217          | APRA=5C=5Cc.mammoli | 192.168.16.43 | Stop           | 2017-11-09 16:40:12 |         7283459 |         86594327 |            3212 | 085b986ead6b7d9a6951d1486493d889 |
+--------+---------------+---------------------+---------------+----------------+---------------------+-----------------+------------------+-----------------+----------------------------------+
8 rows in set (0.00 sec)

MariaDB [pf]> select * from radacct_log where 
acctuniqueid="a707be366d38eae790c9baf62fb087df";


Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-11-13 Thread Cristian Mammoli via PacketFence-users
Hi Fabrice, could you please give me a hint on where to start looking for what's 
going wrong here? How is bandwidth calculated and where?


Thanks in advance

On 19/10/2017 18:22, Cristian Mammoli via PacketFence-users wrote:

If you mean PacketFence is 7.3.0
If you mean IOS: Cisco IOS Software, C2960X Software 
(C2960X-UNIVERSALK9-M), Version 15.2(2)E6, RELEASE SOFTWARE (fc1)



On 19/10/2017 16:41, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

which version are you running ?

Regards

Fabrice






--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)



Re: [PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-10-19 Thread Cristian Mammoli via PacketFence-users

If you mean PacketFence is 7.3.0
If you mean IOS: Cisco IOS Software, C2960X Software 
(C2960X-UNIVERSALK9-M), Version 15.2(2)E6, RELEASE SOFTWARE (fc1)



On 19/10/2017 16:41, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

which version are you running ?

Regards

Fabrice






[PacketFence-users] Bandwidth statistics make no sense (Cisco 2960x)

2017-10-19 Thread Cristian Mammoli via PacketFence-users

Hi, I received an alert from packetfence with the following content:

Detect  : No Antivirus software installed

Last Session   :
Session Start   : 2017-10-19 15:41:21

Bandwidth Statistics :
Today   : 128.78 GB (IN: 31.46 GB // OUT: 97.32 GB )
This Week   : 128.78 GB (IN: 31.46 GB // OUT: 97.32 GB )
This Month  : 128.78 GB (IN: 31.46 GB // OUT: 97.32 GB )
This Year   : 128.78 GB (IN: 31.46 GB // OUT: 97.32 GB )

Time Connected   :
Today   : 208.13 Minutes
This Week   : 208.13 Minutes
This Month  : 208.13 Minutes
This Year   : 208.13 Minutes

Apart from the antivirus stuff, the time connected values are correct, but the 
bandwidth makes no sense to me. I suppose the switch is sending wrong accounting 
data, or PF is expecting it in another scale.

Any help?

Thanks

Cristian




Re: [PacketFence-users] Username format for portal and automatically registered devices

2017-10-19 Thread Cristian Mammoli via PacketFence-users

Hello Fabrice, thanks. I was afraid I was doing something wrong.
I could possibly play with "radius-server domain-stripping" option on 
IOS switches but I agree this should be handled by PF.


On 18/10/2017 17:22, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

It is, but because the supplicant sends DOMAIN\Username and the portal uses
the sAMAccountName.

The solution could be to use another attribute that contains the
DOMAIN\Username, but I am not sure it exists in Active Directory and I
am not sure that users will be happy to fill in DOMAIN\Username on the portal.

We talked about that internally and we will probably play with the realm
/ username to detect that the user is the same and not add the same user
twice.

Regards

Fabrice



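
The duplicate users described above arise because the two registration paths spell the same account differently: DOMAIN\user from the 802.1X supplicant and the bare sAMAccountName from the portal. The function below is an added illustration, not PacketFence's realm code: it folds NetBIOS-prefixed, UPN and bare usernames onto one key for the realms it knows (APRA / apra.it, assumed from the thread; the node owners are constructed) and groups existing node owners to show which entries are really one person.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Mapping, Set, Tuple

# Assumed realm configuration for this thread: the NetBIOS name APRA and the DNS
# domain apra.it are the same Active Directory realm. In PacketFence this is the
# job of the realm definitions with username stripping enabled; this is a stand-in.
REALMS: Mapping[str, str] = {"apra": "apra.it", "apra.it": "apra.it"}
DEFAULT_REALM = "apra.it"  # realm assumed for bare sAMAccountNames typed on the portal

# Constructed node owners: the portal form, the 802.1X supplicant form, a UPN,
# a machine account and a foreign domain that must not be merged.
SAMPLE_OWNERS = [
    ("00:11:22:33:44:55", "c.mammoli"),
    ("00:11:22:33:44:56", r"APRA\c.mammoli"),
    ("00:11:22:33:44:57", "C.Mammoli@apra.it"),
    ("00:11:22:33:44:58", "host/PC-01.apra.it"),
    ("00:11:22:33:44:59", r"OTHERCORP\c.mammoli"),
]


def canonical_username(raw: str, realms: Mapping[str, str] = REALMS,
                       default_realm: str = DEFAULT_REALM) -> str:
    """Reduce DOMAIN\\user, user@realm and bare names to one 'user@realm' key.

    Only realms listed in `realms` are folded together; anything else is returned
    lower-cased but otherwise untouched, so unknown domains never collide.
    Machine accounts (host/fqdn) are kept as they are, apart from case.
    """
    name = raw.strip()
    if name.lower().startswith("host/"):
        return name.lower()
    if "\\" in name:                       # NetBIOS form sent by the Windows supplicant
        domain, _, user = name.partition("\\")
    elif "@" in name:                      # UPN form
        user, _, domain = name.rpartition("@")
    else:                                  # bare sAMAccountName typed on the portal
        return f"{name.lower()}@{default_realm}"
    realm = realms.get(domain.lower())
    return f"{user.lower()}@{realm}" if realm else name.lower()


def find_duplicates(owners: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each canonical user to the distinct spellings found, keeping only users with several.

    Each spelling is what PacketFence would otherwise store as a separate person,
    which is the duplicate-user problem described in the thread.
    """
    spellings: Dict[str, Set[str]] = defaultdict(set)
    for _mac, owner in owners:
        spellings[canonical_username(owner)].add(owner)
    return {user: sorted(forms) for user, forms in spellings.items() if len(forms) > 1}
```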


Re: [PacketFence-users] Username format for portal and automatically registered devices

2017-10-18 Thread Cristian Mammoli via PacketFence-users
Hi, sorry to dig this up... Could someone please explain if this 
behaviour is expected or not?


Thank you

On 02/08/2017 17:59, Cristian Mammoli via PacketFence-users wrote:
Of course I checked "Use stripped username" and added "strip" to the 
realm option.


On 02/08/2017 15:26, Cristian Mammoli via PacketFence-users wrote:

Hi, in my POC I'm trying the following setup:
If a computer does not support 802.1x it should be presented with the 
captive portal where the user can register the device, access the 
production network and join the domain

Once joined 802.1x is configured and enabled via GPO.
With 802.1x enabled the user should not be presented with the portal 
and the device should be autoregistered


The problem is that if I register the device with the portal the 
username format is just "username". If I autoregister an 802.1x 
capable device the user format is DOMAIN\username. As a consequence 
I have "duplicate" usernames


Furthermore the powershell scripts specified in the "Active Directory 
Integration" section of the admin guide try to deregister devices 
owned by "user", not "DOMAIN\user"


[gruppoapra-macauth]
filter_match_style=all
locale=
filter=connection_type:WIRED_MAC_AUTH,switch_group:switch-jesi-accesso
description=Gruppo Apra MAC Authentication
sources=gruppoapra-auth,email,sponsor,sms
redirecturl=http://www.apra.it/
logo=/common/logo_apra.jpg
root_module=apra_root_portal_policy

[gruppoapra-dot1x]
filter_match_style=all
locale=
filter=switch_group:switch-jesi-accesso,connection_type:Ethernet-EAP
description=Gruppo Apra 802.1x
sources=gruppoapra-auth
reuse_dot1x_credentials=enabled
autoregister=enabled
redirecturl=http://www.apra.it/
logo=/common/logo_apra.jpg
root_module=apra_root_portal_policy








Re: [PacketFence-users] Error communicatin with Nessus

2017-08-11 Thread Cristian Mammoli via PacketFence-users

100024 self-closes when there is no WMI violation.
When there is a violation triggered by the scan engine with action_param 
= mac = $mac, tid = 12, type = INTERNAL then it does not close 
itself. I configured the violation to allow the user to self-remediate 
(e.g. uninstall an unwanted software) and re-enable network access.



On 10/08/2017 16:44, Akala Kehinde wrote:

Hi Cristian,

The 100024 id doesn't trigger. No logs, nothing. Only the 100025 does.
Just to be sure of the Reg. and Post Reg scan operations, the Reg.scan 
works just when authenticating and the Post Reg. after authentication. 
And does the violation (the wmi violation itself) self close when you 
don't fix it?






Re: [PacketFence-users] OpenVAS v9 integration

2017-08-11 Thread Cristian Mammoli via PacketFence-users

Thanks for the clarification Fabrice

On 11/08/2017 02:05, Durand fabrice via PacketFence-users wrote:

Not yet, but probably in a future version.






Re: [PacketFence-users] Error communicatin with Nessus

2017-08-10 Thread Cristian Mammoli via PacketFence-users

WMI works for me on production network, what issues are you having?

On 10/08/2017 14:37, Akala Kehinde wrote:

Hi Cristian,

Took me some time too to have the WMI scan running, but it only 
works for pre-reg. Failed for Reg and Post-reg scans. Had any success 
with that?




Re: [PacketFence-users] Error communicatin with Nessus

2017-08-10 Thread Cristian Mammoli via PacketFence-users
Hi Akala, the result is the same for the ssl_options. It only tells LWP 
UserAgent to not verify the hostname. I just wanted to avoid editing 
something external to packetfence.


I attached my nessus6.pm, but try to update 
/usr/share/perl5/vendor_perl/Net/Nessus/REST.pm with the latest upstream 
version like I did.


Furthermore, if you manage to get the scan running, there is another 
problem you will face: the violation reported by nessus6 will be ignored 
because there is no nessus6 type in lib/pf/factory/condition/violation.pm


I fixed it this way:

--- lib/pf/factory/condition/violation.pm.orig  2017-08-10 
12:14:46.302911023 +0200
+++ lib/pf/factory/condition/violation.pm   2017-08-10 
12:55:01.346003541 +0200

@@ -37,6 +37,7 @@
 'mac'   => {type => 'regex', key => 'mac'},
 'mac_vendor'=> {type => 'equals',key => 
'mac_vendor_id'},
 'nessus'=> {type => 'equals',key => 
'last_nessus_id',  event => $TRUE},
+'nessus6'   => {type => 'equals',key => 
'last_nessus6_id', event => $TRUE},
 'openvas'   => {type => 'equals',key => 
'last_openvas_id', event => $TRUE},
 'metadefender'  => {type => 'equals',key => 
'last_metadefender_id',event => $TRUE},
 'provisioner'   => {type => 'equals',key => 
'last_provisioner_id', event => $TRUE},
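Review bot: the new 'nessus6' entry keys the condition on 'last_nessus6_id', which only helps if the nessus6 scan code actually records its last scan id under that name; the neighbouring entries ('nessus' -> 'last_nessus_id', 'openvas' -> 'last_openvas_id') each depend on the matching engine populating that field. Confirm that the nessus6 report parser writes 'last_nessus6_id' before relying on this line, otherwise the condition can never match and the violation is still ignored, just one step later.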


and added the ids as nessus6 in my violation

On 10/08/2017 13:43, Akala Kehinde wrote:

Hi Cristian,

Is the SSL config change you made in the nessus6.pm file necessary? Because 
I only made the change in the REST.pm file, and I could connect.
But the issue I am having is with the "scanner name doesn't exist", 
even after setting it as "Local Scanner".
Can you send me your nessus6.pm file? I want to compare it with mine.
package pf::scan::nessus6;

=head1 NAME

pf::scan::nessus6

=cut

=head1 DESCRIPTION

pf::scan::nessus6 is a module to add Nessus v6 scanning option.

=cut

use strict;
use warnings;

use Log::Log4perl;
use Readonly;

use base ('pf::scan');

use pf::config;
use pf::scan;
use pf::util;
use pf::node;
use pf::constants::scan qw($SCAN_VID $PRE_SCAN_VID $POST_SCAN_VID 
$STATUS_STARTED);
use Net::Nessus::REST;

sub description { 'Nessus6 Scanner' }

=head1 SUBROUTINES

=over

=item new

Create a new Nessus6 scanning object with the required attributes

=cut

sub new {
my ( $class, %data ) = @_;
my $logger = Log::Log4perl::get_logger(__PACKAGE__);

$logger->debug("instantiating new ". __PACKAGE__ . " object");

my $self = bless {
'_id'  => undef,
'_host'=> undef,
'_port'=> undef,
'_username'=> undef,
'_password'=> undef,
'_scanIp'  => undef,
'_scanMac' => undef,
'_report'  => undef,
'_file'=> undef,
'_policy'  => undef,
'_type'=> undef,
'_status'  => undef,
'_scannername' => undef,
'_format'  => 'csv',
'_oses'=> undef,
'_categories'  => undef,
}, $class;

foreach my $value ( keys %data ) {
$self->{'_' . $value} = $data{$value};
}

return $self;
}

=item startScan

=cut

# WARNING: A lot of extra single quoting has been done to fix perl taint mode issues: #1087
sub startScan {
my ( $self ) = @_;
my $logger = Log::Log4perl::get_logger(__PACKAGE__);

# nessus scan setup
my $id  = $self->{_id};
my $hostaddr= $self->{_scanIp};
my $mac = $self->{_scanMac};
my $host= $self->{_ip};
my $port= $self->{_port};
my $user= $self->{_username};
my $pass= $self->{_password};
my $nessus_clientpolicy = $self->{_nessus_clientpolicy};
my $scanner_name= $self->{_scannername};
my $format  = $self->{_format};

my $nessus = Net::Nessus::REST->new(url => 'https://'.$host.':'.$port, 
ssl_opts => { verify_hostname => 0 });
$nessus->create_session(username => $user, password => $pass);

# Verify nessus policy ID on the server, nessus remote scanner id, set scan name and launch the scan

my $policy_id = $nessus->get_policy_id(name => $nessus_clientpolicy);
if ($policy_id eq "") {
$logger->warn("Nessus policy doesnt exist ".$nessus_clientpolicy);
return 1;
}

my $scanner_id = $nessus->get_scanner_id(name => $scanner_name);
if ($scanner_id eq ""){
$logger->warn("Nessus scanner name doesn't exist ".$scanner_name);
return 1;
}

# This is necessary because of the way the new nessus API works; if the scan fails,
# it is most likely in this function.
my $policy_uuid = $nessus->get_template_id( name => 'custom', type => 
'scan');

Re: [PacketFence-users] Error communicatin with Nessus

2017-08-09 Thread Cristian Mammoli via PacketFence-users

I'm getting the same error. Nessus is running and I can connect with
wget https://127.0.0.1:8834 --no-check-certificate
Even a simple test program such as this fails with the same error even 
if the data is correct:


use Net::Nessus::REST;

my $nessus = Net::Nessus::REST->new(
url => 'https://localhost:8834'
);

$nessus->create_session(
username => 'admin',
password => '123',
);

[root@srvpf ~]# perl test.pl
communication error: Can't connect to localhost:8834 at test.pl line 7.

There is no trace of the connection in the nessus logs

On 01/08/2017 16:52, Juan Camilo Valencia via PacketFence-users wrote:

Hi Akala,

Nessus has a log that you can check from the server's perspective to 
try to figure out what is going on; if I'm not wrong it is in 
/opt/nessus/var/nessus/log/ and has something related to "server" in 
its name. Try to tail that log while you attempt the connection from 
packetfence and you will have more information about it. Also, can you 
locate
/usr/share/perl5/vendor_perl/Net/Nessus/REST.pm and paste it? Probably 
you are using a package from outside the inverse repo, and that package has a 
little modification to bypass some SSL verification for 
self-signed-certificate servers, which the generic package does not have.


I hope this can help you a little bit.

Best Regards,


On 2017-07-31 13:30 GMT-05:00, Akala Kehinde via PacketFence-users wrote:


Hello Fabrice,

Still can't get my head around this. Seems to me like an API
communication problem, or any more ideas as to what the problem might be?

Regards,
Kehinde

On Sat, Jul 29, 2017 at 8:53 AM, Akala Kehinde wrote:

Hello Fabrice,

I still get the same error, kindly see logs below:

[root@pfence logs]# netstat -nlp | grep 8834
tcp        0      0 0.0.0.0:8834            0.0.0.0:*               LISTEN      1761/nessusd
tcp6       0      0 :::8834                 :::*                    LISTEN      1761/nessusd
[root@pfence logs]#

Jul 29 08:51:53 pfence pfqueue: pfqueue(13223) INFO: [mac:00:50:ff:25:ce:00] Instantiate profile SNS (pf::Connection::ProfileFactory::_from_profile)
Jul 29 08:51:53 pfence pfqueue: pfqueue(13223) INFO: [mac:00:50:ff:25:ce:00] violation 125 already exists for 00:50:ff:25:ce:00, not adding again (pf::violation::violation_add)
Jul 29 08:51:54 pfence pfqueue: pfqueue(13223) INFO: [mac:00:50:ff:25:ce:00] Instantiate profile SNS (pf::Connection::ProfileFactory::_from_profile)
Jul 29 08:51:54 pfence pfqueue: pfqueue(13223) INFO: [mac:00:50:ff:25:ce:00] New ID generated: 15013423ce00 (pf::util::generate_id)
Jul 29 08:51:54 pfence pfqueue: pfqueue(13223) ERROR: [mac:00:50:ff:25:ce:00] communication error: Can't connect to 127.0.0.1:8834 at /usr/local/pf/lib/pf/scan/nessus6.pm line 96. (pf::api::can_fork::notify)



Regards,
Kehinde

On Fri, Jul 28, 2017 at 8:22 PM, Fabrice Durand via PacketFence-users wrote:

Hello Akala,

If Nessus runs on the same server then try 127.0.0.1 for
the server IP.

Also, what does this return: netstat -nlp | grep 8834

Regards

Fabrice



On 2017-07-28 at 12:09, Akala Kehinde via PacketFence-users wrote:

Just FYI, the Nessus server runs on the PF server.

Regards,
Kehinde

On Fri, Jul 28, 2017 at 5:53 PM, Akala Kehinde wrote:

Hello guys,

Quick one...
I get this error when PF tries triggering a violation:

I checked line 96 and it seems it's an error with the
creds, but the creds are right. Or are the creds not
supposed to be those on the Nessus server?

Jul  8 13:57:58 pfence pfqueue: pfqueue(10450) INFO:
[mac:00:50:ff:25:ce:00] New ID generated:
149951507810ce00 (pf::util::generate_id)
Jul  8 13:57:58 pfence pfqueue: pfqueue(10450) ERROR:
[mac:00:50:ff:25:ce:00] communication error: Can't
connect to 172.16.100.10:8834 at
/usr/local/pf/lib/pf/scan/nessus6.pm line 96.
(pf::api::can_fork::notify)


Regards,
Kehinde

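The exchange above narrows the failure to the connection from pfqueue to nessusd on port 8834 (netstat shows nessusd bound to 0.0.0.0:8834, yet PacketFence reports "Can't connect to 127.0.0.1:8834"), and Juan's reply points at a REST.pm that skips TLS verification for self-signed scanners. The probe below is an added example written for this page, not PacketFence or Net::Nessus::REST code: it reports at which layer the connection to the scanner fails (TCP, TLS handshake, certificate identity, HTTP) and, rather than switching verification off, pins the scanner's self-signed certificate by its SHA-256 fingerprint. The GET /server/status endpoint, the default port 8834 and the target/pin arguments are assumptions, not facts from the thread.

```python
"""Probe a Nessus scanner's REST port, pinning its self-signed certificate.

Added example for this thread, not PacketFence or Net::Nessus::REST code.
Assumptions: GET /server/status is an unauthenticated Nessus endpoint that
answers JSON; the caller supplies the target ('host:port') and the SHA-256
fingerprint of the scanner's certificate.
"""
import hashlib
import http.client
import json
import ssl


def parse_hostport(target, default_port=8834):
    """'127.0.0.1:8834' -> ('127.0.0.1', 8834); a bare host gets the default port."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target, default_port
    return host, int(port)


def fingerprint_of(der_cert):
    """SHA-256 of the DER certificate as lowercase hex (openssl -fingerprint -sha256, minus colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin):
    """Accept 'AA:BB:...' or 'aabb...' renderings of a fingerprint."""
    return pin.replace(":", "").replace(" ", "").lower()


def pin_matches(der_cert, expected_pin):
    return fingerprint_of(der_cert) == normalize_pin(expected_pin)


def pinned_context():
    """No CA trust (the scanner is self-signed); identity is checked by pin instead.

    This is narrower than a blanket 'verify=False': the handshake is accepted,
    but nothing is sent until the leaf certificate matches the expected pin.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def nessus_reachable(target, expected_pin, timeout=5.0):
    """Return {'tcp','tls','pin_ok','http','status'} telling where the connection fails."""
    host, port = parse_hostport(target)
    result = {"tcp": False, "tls": False, "pin_ok": False, "http": None, "status": None}
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=pinned_context())
    try:
        conn.connect()                  # TCP connect and TLS handshake in one step
    except ssl.SSLError:
        result["tcp"] = True            # the port answered but the handshake failed
        return result
    except OSError:
        return result                   # the "Can't connect to host:port" case
    result["tcp"] = result["tls"] = True
    try:
        der = conn.sock.getpeercert(binary_form=True)
        result["pin_ok"] = pin_matches(der, expected_pin)
        if not result["pin_ok"]:
            return result               # wrong scanner or an interposed endpoint: stop here
        conn.request("GET", "/server/status")
        resp = conn.getresponse()
        result["http"] = resp.status
        body = resp.read()
        if resp.status == 200:
            result["status"] = json.loads(body.decode("utf-8", "replace"))
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    import sys
    print(nessus_reachable(sys.argv[1], sys.argv[2]))
```

Run it as `python3 probe.py 127.0.0.1:8834 <sha256-fingerprint>` on the PacketFence host; a result with tcp False reproduces the "Can't connect" error independently of PacketFence, tcp True with tls False means the port is open but not speaking TLS, and pin_ok False means the certificate is not the one you recorded from the scanner.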






[PacketFence-users] OpenVAS v9 integration

2017-08-09 Thread Cristian Mammoli via PacketFence-users

Does Packetfence work with OpenVAS-9 (Greenbone OS 4)?

--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] passthrough only opens ports 80 and 443 even if proto and port are defined

2017-08-08 Thread Cristian Mammoli via PacketFence-users

I fixed it this way but I'm not sure whether I'm breaking something else:

[root@srvpf pf]# diff -Naur sbin/pfdns.orig sbin/pfdns
--- sbin/pfdns.orig 2017-08-08 18:40:40.006571993 +0200
+++ sbin/pfdns  2017-08-08 18:42:53.040963724 +0200
@@ -448,7 +448,7 @@
 my $query_non_filtered = resolve_with_cache("A", $qname);
 my @ip_port_pairs;
 if ($query_non_filtered) {
-push @ip_port_pairs, 
format_query_to_ip_port($query_non_filtered, $HTTP_PORT, $HTTPS_PORT);
+push @ip_port_pairs, 
format_query_to_ip_port($query_non_filtered, $HTTP_PORT, $HTTPS_PORT, 
@$ports);

 push @ans, $query_non_filtered->answer;
 if (@ans) {
 $results{rcode} = "NOERROR";
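Review bot: $HTTP_PORT and $HTTPS_PORT are still passed ahead of @$ports in the new format_query_to_ip_port call, so a passthrough written as `portquiz.net:tcp:8080` will get 80 and 443 opened as well as 8080; if an explicit proto:port is meant to replace the defaults rather than add to them, pass `@$ports ? @$ports : ($HTTP_PORT, $HTTPS_PORT)` instead. Two things to confirm before merging: that format_query_to_ip_port actually accepts a variable-length list of ports (the original call passes exactly two), and where $ports is set, since it is not visible in the hunk and `@$ports` dies under `use strict` if matches_passthrough ever returns undef for that slot instead of the array reference seen in the Data::Dumper output further down the thread; `@{ $ports || [] }` avoids that.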


On 08/08/2017 17:44, Cristian Mammoli via PacketFence-users wrote:
Poking around in the code I found that pfdns calls matches_passthrough in
lib/pf/util/dns.pm, which returns the following (with Data::Dumper):





Re: [PacketFence-users] passthrough only opens ports 80 and 443 even if proto and port are defined

2017-08-08 Thread Cristian Mammoli via PacketFence-users
Poking around in the code I found that pfdns calls matches_passthrough in
lib/pf/util/dns.pm, which returns the following (with Data::Dumper):


1,
$VAR1 = [
  'tcp:8080'
];

But it does not work


[PacketFence-users] passthrough only opens ports 80 and 443 even if proto and port are defined

2017-08-08 Thread Cristian Mammoli via PacketFence-users
Hi, I don't know if I'm hitting a bug or I'm missing something. I'm 
using 7.2 (ZEN), enabled passthrough and configured it like this:


[root@srvpf ~]# grep ^passt /usr/local/pf/conf/pf.conf
passthrough=enabled
passthroughs=*.facebook.com,*.fbcdn.net,*.akamaihd.net,portquiz.net:tcp:8080

Notice that the last one has a port defined. Unfortunately the only
ports opened are 80 and 443:


[root@srvpf ~]# ipset list pfsession_passthrough
Name: pfsession_passthrough
Type: hash:ip,port
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16592
References: 2
Members:
178.33.250.62,tcp:80
178.33.250.62,tcp:443

Where 178.33.250.62 is the IP address of portquiz.net

This is a log snippet of pfdns in TRACE mode

Aug  8 17:04:15 srvpf pfdns: pfdns(3121) DEBUG: [mac:[undef]] pfdns: 
caught SIGTERM - terminating (main::normal_sighandler)
Aug  8 17:04:15 srvpf pfdns: pfdns(3121) DEBUG: [mac:[undef]] pfdns: 
caught SIGTERM - terminating (main::normal_sighandler)
Aug  8 17:04:15 srvpf pfdns: pfdns(3121) DEBUG: [mac:[undef]] pfdns: 
caught SIGTERM - terminating (main::normal_sighandler)
Aug  8 17:04:15 srvpf pfdns: pfdns(3121) DEBUG: [mac:[undef]] pfdns: 
caught SIGTERM - terminating (main::normal_sighandler)
Aug  8 17:04:15 srvpf pfdns: pfdns(3121) DEBUG: [mac:[undef]] pfdns: 
caught SIGTERM - terminating (main::normal_sighandler)
Aug  8 17:04:15 srvpf pfdns: pfdns(3121) INFO: [mac:[undef]] stopping 
pfdns (main::END)
Aug  8 17:04:23 srvpf pfdns: pfdns(4628) DEBUG: [mac:[undef]] invalid 
IP:  from __ANON__ (pf::util::valid_ip)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) TRACE: [mac:[undef]] Memory 
configuration is still valid for key resource::SwitchTypesConfigured in 
local cached_hash (pfconfig::cached::is_valid)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) DEBUG: [mac:[undef]] cache get 
for namespace='configfiles', key='/usr/local/pf/conf/pf.conf', 
cache='Redis:l1_cache', time='0ms': MISS (not in cache) 
(CHI::Driver::_log_get_result)
Aug  8 17:04:25 srvpf pfdns: pfdns(4628) DEBUG: [mac:[undef]] cache get 
for namespace='Default', key='HASH(0x3e4b210)', cache='RawMemory', 
time='0ms': MISS (not in cache) 
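The three messages of this thread describe the same expectation: an entry in passthroughs= without a proto:port should open tcp:80 and tcp:443 for the resolved address, an entry with an explicit proto:port (portquiz.net:tcp:8080) should open only that port, and matches_passthrough returns (1, ['tcp:8080']) for the second case. The code below is an added example, not PacketFence's pfdns or pf::util::dns code: it parses the setting, applies the match and computes the ipset members that `ipset list pfsession_passthrough` should show, so the live set can be diffed against the expected one. DNS is not performed; the resolver is a dict supplied by the caller (178.33.250.62 is the address the original post reports for portquiz.net), and the glob semantics of the patterns are an assumption.

```python
"""Model what pfsession_passthrough should contain for a passthroughs= setting.

Added example for this thread, not PacketFence code. It encodes the
behaviour the original post expects: an entry without proto:port opens
tcp:80 and tcp:443, an entry with an explicit proto:port opens only that
one. DNS is not performed; the resolver is a dict the caller supplies
(178.33.250.62 is the address the post reports for portquiz.net).
"""
import fnmatch
import re

DEFAULT_PORTS = ("tcp:80", "tcp:443")
_ENTRY_RE = re.compile(r"^(?P<host>[^:\s]+)(?::(?P<proto>tcp|udp):(?P<port>\d{1,5}))?$", re.I)


def parse_passthroughs(setting):
    """'a.example,*.b.example:tcp:8080' -> [('a.example', ['tcp:80','tcp:443']), ('*.b.example', ['tcp:8080'])]."""
    entries = []
    for raw in setting.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable passthrough entry: {raw!r}")
        if m.group("proto"):
            port = int(m.group("port"))
            if not 0 < port < 65536:
                raise ValueError(f"port out of range in {raw!r}")
            ports = [f"{m.group('proto').lower()}:{port}"]
        else:
            ports = list(DEFAULT_PORTS)
        entries.append((m.group("host").lower(), ports))
    return entries


def matches_passthrough(qname, entries):
    """(matched, ports) for a queried name, the shape the thread's Data::Dumper output shows.

    Patterns are shell-style globs (assumption), so '*.facebook.com' covers
    www.facebook.com but not the bare apex facebook.com; list the apex
    separately if you need it.
    """
    qname = qname.rstrip(".").lower()
    for pattern, ports in entries:
        if fnmatch.fnmatchcase(qname, pattern):
            return True, ports
    return False, []


def expected_ipset_members(qname, entries, resolver):
    """'ip,proto:port' strings that 'ipset list pfsession_passthrough' should show for qname."""
    matched, ports = matches_passthrough(qname, entries)
    if not matched:
        return []
    ips = resolver.get(qname.rstrip(".").lower(), [])
    return [f"{ip},{port}" for ip in ips for port in ports]


def diff_ipset(qname, entries, resolver, actual_members):
    """Members expected but missing from the live set; for the post's symptom this is ['178.33.250.62,tcp:8080']."""
    present = set(actual_members)
    return [m for m in expected_ipset_members(qname, entries, resolver) if m not in present]
```

Feed diff_ipset the Members: lines from `ipset list pfsession_passthrough` and the entries from `grep ^passthroughs conf/pf.conf`; with the set shown in the post (tcp:80 and tcp:443 only) it reports 178.33.250.62,tcp:8080 as missing, which is exactly the discrepancy the thread is about.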

Re: [PacketFence-users] wmi query without result, how do I trigger an action

2017-08-08 Thread Cristian Mammoli via PacketFence-users
Hi Fabrice, as I wrote in the previous reply I found the issue with my 
configuration (a missing dot in the value statement). I still get the 
warning when the query does not return results but the violation gets 
correctly triggered.


I can send you the debug lines anyway if you want

Ty

On 08/08/2017 14:43, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

can you put the log of pfqueue in TRACE and retry; you will have more
debug output to understand what happens.

Edit conf/log/conf.d/pfqueue.conf

### pfqueue logger ###
log4perl.rootLogger = TRACE, QUEUE_SYSLOG

Regards
Fabrice





Re: [PacketFence-users] wmi query without result, how do I trigger an action

2017-08-07 Thread Cristian Mammoli via PacketFence-users
It turns out (at least in my checks) that value is matched with a
regexp. Indeed, using ".*" instead of "*" works. I don't get why the
scan "FireWall" which is shipped by PacketFence is configured this way:


[firewall]
attribute = Name
operator = match
value = *

On 07/08/2017 15:23, Cristian Mammoli via PacketFence-users wrote:
Hi, this is pretty trivial I think but I didn't find a way to make it
work.
I want to trigger a violation when a client has no antivirus
installed; I configured a WMI rule like this:


[custom_Antivirus]
request=select * from AntiVirusProduct
namespace=ROOT\SecurityCenter2
action=

But it does not work. I think the problem is that the query does not
return any result and I get in the logs:


pfqueue(7319) ERROR: [mac:20:cf:30:36:7c:bb] No WMI header given in 
string '' (pf::scan::wmi::rules::parseResult)





--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)


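Two things come out of this thread: the value of a "match" rule is applied as a regular expression (so "*" on its own is not a valid pattern while ".*" is), and an empty WMI result produces "No WMI header given in string ''" because there is nothing to parse. The code below is an added example, not PacketFence's pf::scan::wmi::rules code, that makes both behaviours explicit. Assumptions: the scan output is in the text format the Samba wmic client prints (a "CLASS: <name>" header line, a "|"-separated column line, then one row per instance); "match" is a regex search and "is" an exact compare; the sample outputs are constructed, not captured from a real host.

```python
"""Evaluate a PacketFence-style WMI rule against wmic text output.

Added example, not PacketFence's pf::scan::wmi::rules code. Assumptions:
output is in the Samba wmic text format ('CLASS: <name>' header, a
'|'-separated column line, then one row per instance) and 'operator = match'
applies the value as a regular expression, as the thread observed. The
sample outputs below are constructed.
"""
import re


def parse_wmic(text):
    """Return (class_name, [row dicts]).

    Raises ValueError on empty or headerless output, the situation behind
    the 'No WMI header given in string' message in the thread.
    """
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("CLASS: "):
        raise ValueError(f"No WMI header given in string {text!r}")
    class_name = lines[0][len("CLASS: "):].strip()
    if len(lines) < 2:
        return class_name, []
    columns = lines[1].split("|")
    rows = [dict(zip(columns, ln.split("|"))) for ln in lines[2:]]
    return class_name, rows


def rule_matches(rule, rows):
    """'match' = regex search on the attribute, 'is' = exact compare; a bad regex is reported, not swallowed."""
    attribute, operator, value = rule["attribute"], rule["operator"], rule["value"]
    if operator == "match":
        try:
            pattern = re.compile(value)
        except re.error as exc:
            raise ValueError(f"value {value!r} is not a valid regex: {exc}") from exc
        return any(pattern.search(row.get(attribute, "")) for row in rows)
    if operator == "is":
        return any(row.get(attribute) == value for row in rows)
    raise ValueError(f"unknown operator {operator!r}")


def evaluate_scan(output, rule, trigger_when_empty=False):
    """Decide whether the violation fires.

    trigger_when_empty models the original goal of the thread: no
    AntiVirusProduct instance at all is itself the finding.
    """
    try:
        _, rows = parse_wmic(output)
    except ValueError:
        return trigger_when_empty
    if not rows:
        return trigger_when_empty
    return rule_matches(rule, rows)


# Constructed sample outputs, not captured from a real host.
AV_PRESENT = """CLASS: AntiVirusProduct
displayName|instanceGuid|productState
Windows Defender|{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}|397568
"""
AV_ABSENT = ""
```

With the rule from the thread (attribute Name, operator match, value *) rule_matches raises because "*" is not a pattern; with ".*" it matches any instance, and evaluate_scan(AV_ABSENT, rule, trigger_when_empty=True) is the "no antivirus installed" case the original post wanted to turn into a violation.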


[PacketFence-users] wmi query without result, how do I trigger an action

2017-08-07 Thread Cristian Mammoli via PacketFence-users

Hi, this is pretty trivial I think but I didn't find a way to make it work.
I want to trigger a violation when a client has no antivirus installed;
I configured a WMI rule like this:


[custom_Antivirus]
request=select * from AntiVirusProduct
namespace=ROOT\SecurityCenter2
action= 

Re: [PacketFence-users] Assign role based on device class

2017-08-04 Thread Cristian Mammoli via PacketFence-users

It works perfectly, thanks!

On 04/08/2017 14:59, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

you can do that:

[smartphones_by_devclass]
filter = node_info.device_class
operator = is
value = Smartphones/PDAs/Tablets

[employees_ssid]
filter = ssid
operator = is
value = aprapfdot1x

[set_smartphone_role:smartphones_by_devclass_ssid]
scope = RegisteredRole
role = smartphones
action = modify_node
action_param = mac = $mac, category = smartphones






Re: [PacketFence-users] Assign role based on device class

2017-08-04 Thread Cristian Mammoli via PacketFence-users
I saw one can set a role using a "violation" but this is not a real
violation. The role is set but the device is put into the isolation VLAN
if I set "Re-evaluate". The violation should set the role, "self-close"
and re-evaluate.

Anyway I cannot restrict the violation to only one SSID like I would like

Another way is via vlan_filters like this:

[smartphones_by_devclass]
filter = node_info.device_class
operator = is
value = Smartphones/PDAs/Tablets

[employees_ssid]
filter = ssid
operator = is
value = aprapfdot1x

[set_smartphone_role:smartphones_by_devclass_ssid]
scope = RegisteredRole
role = smartphones

It works but the role is not reflected in the GUI; furthermore there is
no way to "override" this behaviour for some devices.


What I would like to achieve is:
Corporate smartphones are assigned the smartphone role and put in the
appropriate VLAN BY DEFAULT, but I should be able to override this if needed.


Ty
On 03/08/2017 14:20, Cristian Mammoli via PacketFence-users wrote:
Hi, is it possible to assign a role based on the device class as shown
in the nodes page?


I would like to put all corporate smartphones in a dedicated VLAN but
I didn't find a way to do it.
Smartphones are authenticated with 802.1x; I tried to assign a role in
the authentication source based on the computer name ("starts with
android-") but it is ignored.




--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)


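Both the vlan_filters attempt above and Fabrice's reply earlier in the thread use the same three sections: two conditions (device class and SSID) and a rule whose header names the conditions it combines. The evaluator below is an added example, a stand-alone model and not PacketFence's pf::filter engine, that shows how such a rule is resolved against a node's connection context and why a rule header that references an undefined condition name cannot match. Assumptions: condition names in a "[name:expr]" header combine with "&" (and), "|" (or) and a leading "!" (not), without parentheses; the operators "is", "is_not", "regex" and "includes" are supported; the configuration text and the node contexts are constructed from the values in the thread.

```python
"""Evaluate vlan_filters-style rules against a node's connection context.

Added example; a stand-alone model, not PacketFence's pf::filter engine.
Assumptions: condition names in a rule header '[name:expr]' combine with
'&' (and), '|' (or) and a leading '!' (not), no parentheses; the operators
'is', 'is_not', 'regex' and 'includes' are supported. The configuration and
the node contexts are constructed from the values in the thread.
"""
import configparser
import re

FILTERS = """
[smartphones_by_devclass]
filter = node_info.device_class
operator = is
value = Smartphones/PDAs/Tablets

[employees_ssid]
filter = ssid
operator = is
value = aprapfdot1x

[set_smartphone_role:smartphones_by_devclass&employees_ssid]
scope = RegisteredRole
role = smartphones
"""


def lookup(context, dotted):
    """'node_info.device_class' -> context['node_info']['device_class'], None if absent."""
    cur = context
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def condition_true(cond, context):
    actual = lookup(context, cond["filter"])
    op, value = cond["operator"], cond["value"]
    if op == "is":
        return actual == value
    if op == "is_not":
        return actual != value
    if op == "regex":
        return actual is not None and re.search(value, str(actual)) is not None
    if op == "includes":
        return actual is not None and value in str(actual)
    raise ValueError(f"unsupported operator {op!r}")


def load_filters(text):
    """Split the INI into plain condition sections and '[name:expr]' rule sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions, rules = {}, []
    for section in cp.sections():
        body = dict(cp[section])
        if ":" in section:
            name, expr = section.split(":", 1)
            rules.append((name, expr, body))
        else:
            conditions[section] = body
    return conditions, rules


def expr_true(expr, conditions, context):
    """'a&b|!c' with '&' binding tighter than '|'; an unknown name is an error, not a silent False."""
    for or_term in expr.split("|"):
        ok = True
        for atom in or_term.split("&"):
            atom = atom.strip()
            negate = atom.startswith("!")
            name = atom.lstrip("!").strip()
            if name not in conditions:
                raise KeyError(f"rule references undefined condition {name!r}")
            ok = ok and (condition_true(conditions[name], context) != negate)
        if ok:
            return True
    return False


def role_for(context, scope, text=FILTERS):
    """Role from the first rule of the given scope whose expression holds, else None."""
    conditions, rules = load_filters(text)
    for name, expr, body in rules:
        if body.get("scope") == scope and expr_true(expr, conditions, context):
            return body.get("role")
    return None
```

A corporate phone on the aprapfdot1x SSID resolves to the smartphones role, the same phone on another SSID or a laptop on the employee SSID resolves to None, and a header such as the original "[set_smartphone_role:smartphones_by_devclass_ssid]" raises KeyError because no condition of that name exists.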


[PacketFence-users] Assign role based on device class

2017-08-03 Thread Cristian Mammoli via PacketFence-users
Hi, is it possible to assign a role based on the device class as shown
in the nodes page?


I would like to put all corporate smartphones in a dedicated VLAN but I
didn't find a way to do it.
Smartphones are authenticated with 802.1x; I tried to assign a role in
the authentication source based on the computer name ("starts with
android-") but it is ignored.


 Thanks




Re: [PacketFence-users] Username format for portal and automatically registered devices

2017-08-02 Thread Cristian Mammoli via PacketFence-users
Of course I checked "Use stripped username" and added "strip" to the
realm option.


On 02/08/2017 15:26, Cristian Mammoli via PacketFence-users wrote:

Hi, in my POC I'm trying the following setup:
If a computer does not support 802.1x it should be presented with the
captive portal, where the user can register the device, access the
production network and join the domain.

Once joined, 802.1x is configured and enabled via GPO.
With 802.1x enabled the user should not be presented with the portal
and the device should be autoregistered.


The problem is that if I register the device with the portal the
username format is just "username". If I autoregister an 802.1x capable
device the user format is DOMAIN\username. As a consequence I have
"duplicate" usernames.


Furthermore the PowerShell scripts specified in the "Active Directory
Integration" section of the admin guide try to deregister devices
owned by "user", not "DOMAIN\user".


[gruppoapra-macauth]
filter_match_style=all
locale=
filter=connection_type:WIRED_MAC_AUTH,switch_group:switch-jesi-accesso
description=Gruppo Apra MAC Authentication
sources=gruppoapra-auth,email,sponsor,sms
redirecturl=http://www.apra.it/
logo=/common/logo_apra.jpg
root_module=apra_root_portal_policy

[gruppoapra-dot1x]
filter_match_style=all
locale=
filter=switch_group:switch-jesi-accesso,connection_type:Ethernet-EAP
description=Gruppo Apra 802.1x
sources=gruppoapra-auth
reuse_dot1x_credentials=enabled
autoregister=enabled
redirecturl=http://www.apra.it/
logo=/common/logo_apra.jpg
root_module=apra_root_portal_policy




--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)




[PacketFence-users] Question about machine authentication and 802.1x

2017-08-02 Thread Cristian Mammoli via PacketFence-users

Hi, in the admin guide section 9.2.1 it is specified:

*If you would like to differentiate user authentication and machine
authentication using Active Directory, one way to do it is by creating a
second authentication source, for machines:*


Is this a best practice? What if I don't configure an authentication
source for machine authentication?
How should it be called? In the example both the user source and the
machine source are named "ad1".


And if I use a dedicated source, should I create a realm with the machine
authentication source and one with the users one?


Where should I reference the machine authentication source?

Now (with only user authentication) I see that if a computer has both
machine and user authentication it gets registered with owner
"host/COMPUTERNAME.domain" until a user logs on.

Is this normal?

Thanks



[PacketFence-users] Username format for portal and automatically registered devices

2017-08-02 Thread Cristian Mammoli via PacketFence-users

Hi, in my POC I'm trying the following setup:
If a computer does not support 802.1x it should be presented with the
captive portal, where the user can register the device, access the
production network and join the domain.

Once joined, 802.1x is configured and enabled via GPO.
With 802.1x enabled the user should not be presented with the portal and
the device should be autoregistered.


The problem is that if I register the device with the portal the
username format is just "username". If I autoregister an 802.1x capable
device the user format is DOMAIN\username. As a consequence I have
"duplicate" usernames.


Furthermore the PowerShell scripts specified in the "Active Directory
Integration" section of the admin guide try to deregister devices owned
by "user", not "DOMAIN\user".


[gruppoapra-macauth]
filter_match_style=all
locale=
filter=connection_type:WIRED_MAC_AUTH,switch_group:switch-jesi-accesso
description=Gruppo Apra MAC Authentication
sources=gruppoapra-auth,email,sponsor,sms
redirecturl=http://www.apra.it/
logo=/common/logo_apra.jpg
root_module=apra_root_portal_policy

[gruppoapra-dot1x]
filter_match_style=all
locale=
filter=switch_group:switch-jesi-accesso,connection_type:Ethernet-EAP
description=Gruppo Apra 802.1x
sources=gruppoapra-auth
reuse_dot1x_credentials=enabled
autoregister=enabled
redirecturl=http://www.apra.it/
logo=/common/logo_apra.jpg
root_module=apra_root_portal_policy


--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)


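The two "Username format" messages and the machine-authentication question above are about the same data problem: the owner stored on a node can be "username" (portal registration), "DOMAIN\username" (802.1x autoregistration) or "host/COMPUTERNAME.domain" (machine authentication), and the admin guide's deregistration scripts only look for the plain form. The code below is an added example, not PacketFence's realm-stripping code or the guide's PowerShell: it reduces each identity to a (kind, realm, stripped name) triple and finds nodes whose owners are the same person under different decorations. Assumptions: identities arrive in the four shapes just listed (plus user@realm UPNs); the node records are constructed.

```python
"""Normalise the owner identities PacketFence ends up storing and find nodes
that belong to the same person under different spellings.

Added example, not PacketFence code. Assumptions: identities arrive as plain
'user' (portal), 'DOMAIN\\user' (802.1X with realm prefix), 'user@realm'
(UPN) or 'host/NAME.domain' (machine authentication). Node records are
constructed.
"""
from collections import defaultdict


def split_identity(username):
    """Return (kind, realm, stripped) where kind is 'user' or 'machine'; realm is None when absent."""
    u = username.strip()
    if u.lower().startswith("host/"):
        fqdn = u[len("host/"):]
        name, _, domain = fqdn.partition(".")
        return "machine", domain.lower() or None, name.lower()
    if "\\" in u:
        realm, _, name = u.partition("\\")
        return "user", realm.lower() or None, name.lower()
    if "@" in u:
        name, _, realm = u.rpartition("@")
        return "user", realm.lower() or None, name.lower()
    return "user", None, u.lower()


def stripped_username(username):
    """The value 'Use stripped username' is meant to produce."""
    return split_identity(username)[2]


def duplicate_owners(nodes):
    """Group node MACs whose owner differs only by realm decoration.

    nodes: iterable of (mac, pid). Returns {stripped: {raw_pid: [macs]}},
    restricted to stripped names that appear under more than one raw pid.
    Machine identities are left out: host/NAME is not a user duplicate.
    """
    by_name = defaultdict(lambda: defaultdict(list))
    for mac, pid in nodes:
        kind, _, name = split_identity(pid)
        if kind != "machine":
            by_name[name][pid].append(mac)
    return {name: dict(pids) for name, pids in by_name.items() if len(pids) > 1}


# Constructed sample, not real data.
NODES = [
    ("00:11:22:33:44:01", "jdoe"),
    ("00:11:22:33:44:02", "APRA\\jdoe"),
    ("00:11:22:33:44:03", "host/PC-0042.apra.local"),
    ("00:11:22:33:44:04", "asmith@apra.local"),
]
```

Running duplicate_owners over an export of the node table lists, per person, the raw pids that have to be merged before a deregistration script keyed on the plain username can be trusted to find all of that user's devices.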


Re: [PacketFence-users] Add support for LLDP on Cisco Switches

2017-07-31 Thread Cristian Mammoli via PacketFence-users
Yes, I noticed. The problem indeed was the regexp used to match the MAC
address of the phone, not the missing support:


https://github.com/inverse-inc/packetfence/issues/2524

On 31/07/2017 14:42, Kylián Martin wrote:

Hi,
from what i know so far - perl module for 2960 extends the module for 2950 so 
LLDP is supported by PF for 2960 (and other) platforms.

Ing. Martin Kylián
Network administration and security specialist

E kyli...@plzen.eu
T +420 378 035 108
M +420 777 247 298
W www.sitmp.cz

Správa informačních technologií města Plzně (IT Administration of the City of Plzeň)
Dominikánská 4, 301 00  Plzeň





-Original Message-
From: Cristian Mammoli via PacketFence-users [mailto:packetfence-
us...@lists.sourceforge.net]
Sent: Monday, July 31, 2017 11:30 AM
To: packetfence-users@lists.sourceforge.net
Cc: Cristian Mammoli
Subject: [PacketFence-users] Add support for LLDP on Cisco Switches

Hi, looking at the code it seems that LLDP is only supported in Cisco 2950:

[root@srvpf ~]# grep -r supportsLldp /usr/local/pf/lib/pf/Switch/Cisco
/usr/local/pf/lib/pf/Switch/Cisco/Aironet.pm:sub supportsLldp { return $FALSE; }
/usr/local/pf/lib/pf/Switch/Cisco/Catalyst_2950.pm:sub supportsLldp { return $TRUE; }
/usr/local/pf/lib/pf/Switch/Cisco/WLC.pm:sub supportsLldp { return $FALSE; }

I'm using snom phones on Cisco 2960 and they support LLDP only (not
CDP). Configuring the switch with "lldp run" they work fine (voice vlan
correctly assigned).

Why is the support disabled for (almost) all Cisco gear?
--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)




--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)




Re: [PacketFence-users] Captive portal redirection not working

2017-07-31 Thread Cristian Mammoli via PacketFence-users
Actually I don't know what went wrong; I wiped my installation and used
the ZEN appliance (configured in the same way I did) and it works fine.


On 28/07/2017 17:04, Ortega Gustavo Martin via PacketFence-users wrote:

Hello.
Execute "netstat -anp | grep :443" and see if the captive portal is bound to the
correct network address and interface.



Gustavo Martín Ortega
please do not print this e-mail unless necessary

-Original Message-
From: Antoine Amacher via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Friday, 28 July 2017 11:06 AM
To: packetfence-users@lists.sourceforge.net
CC: Antoine Amacher
Subject: Re: [PacketFence-users] Captive portal redirection not working

Hello Cristian,

When you say "the pc gets the correct ip address", is it given by PacketFence?
Make sure the DNS and gateway are the registration interface of PacketFence.

Make sure you do not have any ACL on the switch or network that could conflict
with it.

Try to reach the portal and see if the IP of the test device is hitting the
portal; look into logs/httpd.portal.access

Thanks


On 07/28/2017 08:00 AM, Cristian Mammoli via PacketFence-users wrote:

Hi, installed the latest pf on CentOS 7 following the official
documentation, I configured management, registration, isolation and
portal interfaces. I joined the server to an AD domain, configured an
authentication source and a connection profile and configured a switch
(Cisco 2960x) with 802.1x+MAB.


Then I tried plugging a win7 notebook not yet joined to the domain in
the switch port and packetfence correctly puts it in the registration
vlan:

Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO:
[mac:20:cf:30:36:7c:bb] handling radius autz request: from switch_ip
=> (192.168.16.44), connection_type => WIRED_MAC_AUTH,switch_mac =>
(2c:86:d2:5d:47:81), mac => [20:cf:30:36:7c:bb], port => 10101,
username => "20cf30367cbb" (pf::radius::authorize)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO:
[mac:20:cf:30:36:7c:bb] Instantiate profile gruppoapra
(pf::Connection::ProfileFactory::_from_profile)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO:
[mac:20:cf:30:36:7c:bb] is of status unreg; belongs into registration
VLAN (pf::role::getRegistrationRole)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO:
[mac:20:cf:30:36:7c:bb] (192.168.16.44) Added VLAN 112 to the returned
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)


The pc gets the correct ip address but from there there is no
redirection to the captive portal, I can ping the packefence ip
address on the registration vlan but nothing else. If I try to open a
browser I get connection refused to every url


I'm new to packetfence so I'm probably missing somethin obviuos but
any help would be greatly appreciated


--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



The content of this message and its attachments is private, confidential and for
the exclusive use of the referenced recipient. It may contain privileged
information or information protected by professional secrecy or by current legal
and/or regulatory provisions. Any modification, retransmission, dissemination or
disclosure of its information is expressly prohibited and its improper use may
give rise to civil liability for the user or constitute the offences provided for
in articles 153 to 157 of the Penal Code. If you are not one of the listed
recipients or have received it in error, you are NOT AUTHORISED to use, in whole
or in part, copy, send, reveal, print or disclose in any way the content of this
message or of its attachments. Consequently, please notify the sender immediately
and DELETE IT. ANSES does not guarantee the security, integrity, accuracy or
timeliness of what is transmitted by this means, nor is it responsible for
possible damage arising from the capture, incorporation of viruses or

[PacketFence-users] Add support for LLDP on Cisco Switches

2017-07-31 Thread Cristian Mammoli via PacketFence-users

Hi, looking at the code it seems that LLDP is only supported in Cisco 2950:

[root@srvpf ~]# grep -r supportsLldp /usr/local/pf/lib/pf/Switch/Cisco
/usr/local/pf/lib/pf/Switch/Cisco/Aironet.pm:sub supportsLldp { return $FALSE; }
/usr/local/pf/lib/pf/Switch/Cisco/Catalyst_2950.pm:sub supportsLldp { return $TRUE; }
/usr/local/pf/lib/pf/Switch/Cisco/WLC.pm:sub supportsLldp { return $FALSE; }

I'm using snom phones on Cisco 2960 and they support LLDP only (not 
CDP). Configuring the switch with "lldp run" they work fine (voice vlan 
correctly assigned).


Why is the support disabled for (almost) all Cisco gear?
--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)


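The follow-up earlier in this thread traced the phone problem not to missing LLDP support but to the regular expression used to match the phone's MAC address (issue #2524). The thread does not show that regexp or the format it failed on, so the code below is an added example, not PacketFence's code and not the fix from the issue: a MAC normaliser that accepts the encodings a practitioner meets when a switch reports a neighbour (colon and dash separated, Cisco dotted triplets, bare hex, a "0x" hex rendering, unpadded octets and a raw six-byte SNMP OCTET STRING) and a comparison helper that treats all of them as the same address. The sample values are constructed.

```python
"""Normalise MAC addresses as they show up in switch and SNMP data.

Added example, not PacketFence code. The thread only says the phone's MAC
was not matched by the regexp in use, so the formats handled here are the
common encodings, not the specific one that failed. Sample values are
constructed.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return 'aa:bb:cc:dd:ee:ff' or None if the input is not a MAC.

    Accepts colon, dash, Cisco dotted (aabb.ccdd.eeff), bare hex, '0x' hex,
    unpadded octets such as '0:50:ff:25:ce:0', and a 6-byte OCTET STRING.
    """
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 6:
            return None
        hexstr = bytes(value).hex()
    else:
        s = str(value).strip().lower()
        if s.startswith("0x"):
            s = s[2:]
        hexstr = re.sub(r"[:\-.\s]", "", s)
        if not _HEX12.match(hexstr):
            parts = re.split(r"[:\-]", s)
            if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
                return None
            hexstr = "".join(p.zfill(2) for p in parts)
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def same_mac(a, b):
    """True when two differently formatted values denote the same address."""
    na, nb = normalize_mac(a), normalize_mac(b)
    return na is not None and na == nb


def oui_of(value):
    """First three octets in canonical form, for vendor matching; None for a non-MAC."""
    norm = normalize_mac(value)
    return None if norm is None else norm[:8]
```

When a neighbour table reports the phone as 0050.ff25.ce00 and the node table holds 00:50:ff:25:ce:00, same_mac says they are one device; a match written against a single rendering would not.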


[PacketFence-users] Captive portal redirection not working

2017-07-28 Thread Cristian Mammoli via PacketFence-users
Hi, installed the latest pf on CentOS 7 following the official
documentation, I configured management, registration, isolation and
portal interfaces. I joined the server to an AD domain, configured an
authentication source and a connection profile and configured a switch
(Cisco 2960x) with 802.1x+MAB.



Then I tried plugging a win7 notebook not yet joined to the domain in 
the switch port and packetfence correctly puts it in the registration vlan:


Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: 
[mac:20:cf:30:36:7c:bb] handling radius autz request: from switch_ip => 
(192.168.16.44), connection_type => WIRED_MAC_AUTH,switch_mac => 
(2c:86:d2:5d:47:81), mac => [20:cf:30:36:7c:bb], port => 10101, username 
=> "20cf30367cbb" (pf::radius::authorize)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: 
[mac:20:cf:30:36:7c:bb] Instantiate profile gruppoapra 
(pf::Connection::ProfileFactory::_from_profile)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: 
[mac:20:cf:30:36:7c:bb] is of status unreg; belongs into registration 
VLAN (pf::role::getRegistrationRole)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: 
[mac:20:cf:30:36:7c:bb] (192.168.16.44) Added VLAN 112 to the returned 
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)



The pc gets the correct IP address but from there there is no
redirection to the captive portal, I can ping the packetfence IP address
on the registration VLAN but nothing else. If I try to open a browser I
get connection refused to every URL



I'm new to packetfence so I'm probably missing something obvious but any
help would be greatly appreciated


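The first thing to establish in a "no redirect to the portal" case is what PacketFence decided for the device, which the httpd.aaa lines above already record: the request attributes, the profile, the status/role decision and the VLAN returned in the Access-Accept. The parser below is an added example, not PacketFence code, that turns those lines into one record per MAC and flags any unregistered device that was not sent to the registration VLAN. LOG is the excerpt from the original post; the registration VLAN number is passed in as an argument because the page never states it explicitly, and the log formats handled are only the four line types visible in the excerpt.

```python
"""Pull the RADIUS decision trail out of httpd.aaa log lines.

Added example for this thread, not PacketFence code. It parses the
'handling radius autz request', 'Instantiate profile', 'is of status' and
'Added VLAN' lines into one record per MAC. LOG is the excerpt from the
original post; the expected registration VLAN is an argument because the
page never states it explicitly.
"""
import re

_MAC_RE = re.compile(r"\[mac:([0-9a-f]{2}(?::[0-9a-f]{2}){5})\]")
_REQ_RE = re.compile(r"handling radius autz request: from (?P<pairs>.*?) \(pf::radius::authorize\)")
_PAIR_RE = re.compile(r"(\w+) => [\(\[\"]?([^,\)\]\"]*)[\)\]\"]?")
_PROFILE_RE = re.compile(r"Instantiate profile (\S+) \(")
_ROLE_RE = re.compile(r"is of status (?P<status>\w+); belongs into (?P<role>\w+) VLAN")
_VLAN_RE = re.compile(r"\((?P<switch>[\d.]+)\) Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept")

# Log excerpt from the original post, one entry per line.
LOG = """\
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] handling radius autz request: from switch_ip => (192.168.16.44), connection_type => WIRED_MAC_AUTH,switch_mac => (2c:86:d2:5d:47:81), mac => [20:cf:30:36:7c:bb], port => 10101, username => "20cf30367cbb" (pf::radius::authorize)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] Instantiate profile gruppoapra (pf::Connection::ProfileFactory::_from_profile)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jul 28 13:56:33 srvpf packetfence_httpd.aaa: httpd.aaa(12173) INFO: [mac:20:cf:30:36:7c:bb] (192.168.16.44) Added VLAN 112 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""


def parse_aaa(log_text):
    """One dict per MAC, in first-seen order, merging the fields from each matching line."""
    records = {}
    for line in log_text.splitlines():
        m = _MAC_RE.search(line)
        if not m:
            continue
        rec = records.setdefault(m.group(1), {"mac": m.group(1)})
        req = _REQ_RE.search(line)
        if req:
            rec.update(dict(_PAIR_RE.findall(req.group("pairs"))))
        prof = _PROFILE_RE.search(line)
        if prof:
            rec["profile"] = prof.group(1)
        role = _ROLE_RE.search(line)
        if role:
            rec["status"], rec["role"] = role.group("status"), role.group("role")
        vlan = _VLAN_RE.search(line)
        if vlan:
            rec["switch"], rec["vlan"] = vlan.group("switch"), int(vlan.group("vlan"))
    return list(records.values())


def check_registration(records, registration_vlan):
    """(mac, reason) for every unregistered device that was not put in the registration VLAN."""
    findings = []
    for rec in records:
        if rec.get("status") != "unreg":
            continue
        if rec.get("vlan") != registration_vlan:
            findings.append((rec["mac"], f"unreg device got VLAN {rec.get('vlan')} instead of {registration_vlan}"))
    return findings
```

For the excerpt in the post the record shows status unreg, role registration and VLAN 112 on switch 192.168.16.44, so the RADIUS side did what it should and the remaining suspects are the ones Antoine lists: DHCP, DNS and gateway on the registration interface, ACLs on the path, and whether the client ever reaches httpd.portal.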