Re: [PacketFence-users] How to use username rewriting in v11?

2021-09-15 Thread David Harvey via PacketFence-users
Borderline thread hijack, but as it's on topic:

Is it possible to use the radius username rewrite functionality in
combination with "Dot1x recompute role from portal"?

Thanks,

David

On Tue, Sep 7, 2021 at 9:50 AM Cristian Mammoli via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Thanks, the macros were the missing bit to get what I wanted :-)
>
> On 06/09/2021 19:47, Fabrice Durand wrote:
>
> Hello,
>
> you have to use the preprocess scope in the radius filter.
> In addition you can use the macro
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_filter_engine_macro
>
> Regards
> Fabrice
>
>
> On Mon, 6 Sep 2021 at 12:07, Cristian Mammoli via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Could you please provide an example on how to configure a radius filter
>> to rewrite username?
>>
>> I'm referring to this:
>> https://github.com/inverse-inc/packetfence/pull/6293
>>
>> Thanks
>>
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
> --
>
> *Cristian Mammoli*
> Network and Computer Systems Administrator
>
> T. +39 0731719822
> www.apra.it
>
> *Notice on the protection of confidential information.* This message was
> sent by Apra spa or by one of the Group's companies. It and any
> attachments may contain information of an extremely private and
> confidential nature. If you are not the intended recipient, please inform
> us immediately by the same means and delete the message and any
> attachments, without retaining a copy.


-- 
David Harvey
Director of Internal Technology, Thought Machine

Data Classification: Public

*Web*: www.thoughtmachine.net

-- 
Thought Machine Group a limited company registered in England & Wales.
Registered number: 4277. 
Registered Office: 5 New Street Square, 
London EC4A 3TW 
.


The content of this email is confidential and intended for the recipient 
specified in message only. It is strictly forbidden to share any part of 
this message with any third party, without a written consent of the sender. 
If you received this message by mistake, please reply to this message and 
follow with its deletion, so that we can ensure such a mistake does not 
occur in the future.


Re: [PacketFence-users] Recomputing the role of existing nodes without portal interaction

2021-07-30 Thread David Harvey via PacketFence-users
Thread necromancy but I'm still struggling with this same problem and
hoping someone might have tackled the same.

This original problem statement is perhaps the most accurate:

"Is there a way to recalculate the role for a node from its owner
information using an existing LDAP authentication source?"

Cheers,

David

On Thu, Mar 11, 2021 at 7:45 PM David Harvey 
wrote:

> Hi again!
>
> 802.1x (EAP-TLS), but with machine certificates so there isn't a user
> attribute that's currently clearly associated with the certificates..
> Thanks as ever,
>
> David
>
> On Thu, 11 Mar 2021, 13:08 Ludovic Zammit,  wrote:
>
>> Hello David,
>>
>> Are you doing 802.1x or MAC authentication?
>>
>> Thanks,
>>
>>
>> Ludovic Zammit
>> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org)
>>
>> On Mar 11, 2021, at 7:44 AM, David Harvey 
>> wrote:
>>
>> Thanks Ludovic,
>>
>> I've been having some difficulty on the bulk import of users to ensure
>> they're created, but that's another problem for another thread ;)
>> For existing users if I import using the `./pfcmd import nodes` method I
>> still have to pick between them using a default role value, or specifying
>> it in the csv directly.
>> ```
>> [default-role=] is the default role when none is defined via
>> the import file.
>> When none is specified, it defaults to node_import.category in
>> pf.conf
>> ```
>>
>> Is there a way to ensure that an updated node keeps its current role or
>> recalculates against the owner?
>>
>> Thanks again for your help,
>> David
>>
>> On Mon, Mar 8, 2021 at 8:02 PM Ludovic Zammit  wrote:
>>
>>> Hello David,
>>>
>>> Make sure all those users are already created before the import or use
>>> “default”.
>>>
>>> Thanks,
>>>
>>> On Feb 26, 2021, at 12:31 PM, David Harvey via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>> Experimenting on the same topic I have also found inconsistent behaviour
>>> with "./pfcmd import nodes /tmp/testimport.csv columns=mac,pid,category"
>>>
>>> 00:54:E8:61:32:00,auser,developer
>>> 00:F0:5D:18:93:00,anotheruser,developer
>>> 00:9a:4c:51:b7:00,andanotherone,developer
>>> 00:d8:00:e8:a5:00,opsuser,ops
>>>
>>> It seems to only set the role (category) every second run if they're all
>>> the same role, on alternate runs it unsets role altogether for the nodes.
>>> If I attempt a mix of roles it seems to set one role type and unsets the
>>> other!
>>> I hope that I can avoid setting the role here altogether given my
>>> initial query on using the existing source and mechanisms, but thought it
>>> worth mentioning.
>>>
>>> pf 10.2.0 On Debian 9.13
>>> Thanks,
>>> David
>>>
>>> On Fri, Feb 26, 2021 at 2:59 PM David Harvey 
>>> wrote:
>>>
>>>> Dear Packetfence users,
>>>>
>>>> I'm looking for advice on updating my node owners whilst preserving or
>>>> recalculating roles.
>>>> With many new users working from home, their nodes have been registered
>>>> as a default owner, with the role being manually set. Although I have a
>>>> configured LDAP source which applies roles correctly to portal users, the
>>>> users haven't been present to login through the portal.
>>>>
>>>> I'm looking to update the ownership with asset data that maps MAC to
>>>> user using /pfcmd import nodes, but to do so requires the roles to be
>>>> available on the csv file, or otherwise to set a default value.
>>>>
>>>> Is there a way to recalculate the role for a node from its owner
>>>> information using an existing LDAP authentication source? Sadly I don't
>>>> think I can use "dot1x recompute role from portal" as my certs are
>>>> machine certs and don't have the owner/pid present. I've been struggling to
>>>> find in

Re: [PacketFence-users] Recomputing the role of existing nodes without portal interaction

2021-07-30 Thread David Harvey via PacketFence-users
Thanks for the swift response.

PKI in use is dogtag as part of the FreeIPA/IdM suite. We're using host
certs there though, so don't have any user identifying attributes baked
into the certs which we can use to do the dot1x recompute role magic.

That's kind of why I was hoping we can do an auth triggered, or even CRONd
recompute using the PID/user that packetfence already has stored for the
node against the working LDAP sources we have for role assignment.

Does this make sense?
Thanks,
David


On Fri, Jul 30, 2021 at 1:54 PM Zammit, Ludovic  wrote:

> Hello David,
>
> Using EAP TLS is different from EAP PEAP because in EAP TLS we don’t trust
> the username sent by the device since it can be changed on the fly.
>
> PF will trust attributes from the certificate like:
>
> PacketFence-UserNameAttribute
> TLS-Client-Cert-Subject-Alt-Name-Upn
> TLS-Client-Cert-Common-Name
>
> (Configuration > System Configuration > RADIUS > General)
>
> Which PKI are you using?
>
> If you are using the AD CS, the username would look like a DN, so in your LDAP
> source switch from samaccountname lookup to distinguishedName.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us: <https://community.akamai.com> <http://blogs.akamai.com>
> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies>
> <http://www.linkedin.com/company/akamai-technologies>
> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

Re: [PacketFence-users] Distributed clusters and topologies

2021-04-25 Thread David Harvey via PacketFence-users
Hi Ludovic,

Sorry for lack of up front information, and thanks for your response.
Out of band enforcement with multiple roles/VLANs on a single SSID or wired
switch ports using 802.1x (EAP-TLS).
Currently served from primary site hence refresh is to move it to somewhere
more central and remove the site as a point of failure.

From my digging into previous threads so far it looks like another good
approach may be to have discrete instances (clustered or not) in a regional
VPC, but to use a provisioning method like the one discussed here
<https://sourceforge.net/p/packetfence/mailman/message/36724974/> using an
asset database for sourcing MAC and users from.
I haven't dabbled in provisioners much yet, but my understanding is that a
client with a valid cert could then autoregister using the asset
information to derive roles and offer a pretty seamless and consistent user
experience despite the instances not speaking to one another.

Best,
David


On Fri, Apr 23, 2021 at 1:29 PM Zammit, Ludovic  wrote:

> Hello David,
>
> What does your PacketFence deployment look like?
>
> How many SSIDs? Open? 802.1x? Are you doing wired authentication?
> Remote registration sites?
>
> Thanks,
>
> On Apr 22, 2021, at 1:16 PM, David Harvey via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> I'm starting to wonder if I dreamed this now...
> I thought I recalled seeing a diagram or guide to a distributed topology
> featuring clustering and some kind of local caching, but I can't locate it
> anywhere, so thinking I may have confused it with something else now..
>
> We're looking to refresh our packetfence deployment, with instance(s)
> installed on a cloud provider VPC which would be reachable from on-prem via
> site to site tunnels or ideally with on-prem caching.
>
> Ideally we would have instances or caches in different regions that can
> remain in sync to reduce latency from having all of the pieces in close
> proximity.
>
> Loosely like what is described under the title "The good: Technology++"
> on slide 13 here:
> https://www.defcon.org/images/defcon-19/dc-19-presentations/Bilodeau/DEFCON-19-Bilodeau-PacketFence.pdf
>
> Any tips?
>
> Thanks as ever,
>
> David
>



[PacketFence-users] Distributed clusters and topologies

2021-04-22 Thread David Harvey via PacketFence-users
I'm starting to wonder if I dreamed this now...
I thought I recalled seeing a diagram or guide to a distributed topology
featuring clustering and some kind of local caching, but I can't locate it
anywhere, so thinking I may have confused it with something else now..

We're looking to refresh our packetfence deployment, with instance(s)
installed on a cloud provider VPC which would be reachable from on-prem via
site to site tunnels or ideally with on-prem caching.

Ideally we would have instances or caches in different regions that can
remain in sync to reduce latency from having all of the pieces in close
proximity.

Loosely like what is described under the title "The good: Technology++" on
slide 13 here:
https://www.defcon.org/images/defcon-19/dc-19-presentations/Bilodeau/DEFCON-19-Bilodeau-PacketFence.pdf

Any tips?

Thanks as ever,

David



Re: [PacketFence-users] Recomputing the role of existing nodes without portal interaction

2021-03-11 Thread David Harvey via PacketFence-users
Hi again!

802.1x (EAP-TLS), but with machine certificates so there isn't a user
attribute that's currently clearly associated with the certificates..
Thanks as ever,

David

On Thu, 11 Mar 2021, 13:08 Ludovic Zammit,  wrote:

> Hello David,
>
> Are you doing 802.1x or MAC authentication?
>
> Thanks,
>

Re: [PacketFence-users] Recomputing the role of existing nodes without portal interaction

2021-03-11 Thread David Harvey via PacketFence-users
Thanks Ludovic,

I've been having some difficulty on the bulk import of users to ensure
they're created, but that's another problem for another thread ;)
For existing users if I import using the `./pfcmd import nodes` method I
still have to pick between them using a default role value, or specifying
it in the csv directly.
```
[default-role=] is the default role when none is defined via the
import file.
When none is specified, it defaults to node_import.category in
pf.conf
```

Is there a way to ensure that an updated node keeps its current role or
recalculates against the owner?

Thanks again for your help,
David

On Mon, Mar 8, 2021 at 8:02 PM Ludovic Zammit  wrote:

> Hello David,
>
> Make sure all those users are already created before the import or use
> “default”.
>
> Thanks,
>


Re: [PacketFence-users] Recomputing the role of existing nodes without portal interaction

2021-03-08 Thread David Harvey via PacketFence-users
Hi again,

Just checking if anyone had any ideas on this one:
TL;DR - Is there a mechanism for firing a "recompute node role from owner"
task against existing auth sources without users logging in through the
portal?

Thanks,
David


Re: [PacketFence-users] Recomputing the role of existing nodes without portal interaction

2021-03-02 Thread David Harvey via PacketFence-users
Experimenting on the same topic I have also found inconsistent behaviour
with "./pfcmd import nodes /tmp/testimport.csv columns=mac,pid,category"

00:54:E8:61:32:00,auser,developer
00:F0:5D:18:93:00,anotheruser,developer
00:9a:4c:51:b7:00,andanotherone,developer
00:d8:00:e8:a5:00,opsuser,ops

It seems to only set the role (category) every second run if they're all
the same role, on alternate runs it unsets role altogether for the nodes.
If I attempt a mix of roles it seems to set one role type and unsets the
other!
I hope that I can avoid setting the role here altogether given my initial
query on using the existing source and mechanisms, but thought it worth
mentioning.

pf 10.2.0 On Debian 9.13
Thanks,
David

-- 
David Harvey
Director of Internal Technology, Thought Machine

Data Classification: Confidential

*Email*: da...@thoughtmachine.net
*Web*: www.thoughtmachine.net



[PacketFence-users] Recomputing the role of existing nodes without portal interaction

2021-02-26 Thread David Harvey via PacketFence-users
Dear Packetfence users,

I'm looking for advice on updating my node owners whilst preserving or
recalculating roles.
With many new users working from home, their nodes have been registered as
a default owner, with the role being manually set. Although I have a
configured LDAP source which applies roles correctly to portal users, the
users haven't been present to login through the portal.

I'm looking to update the ownership with asset data that maps MAC to user
using /pfcmd import nodes, but to do so requires the roles to be
available on the csv file, or otherwise to set a default value.

Is there a way to recalculate the role for a node from its owner
information using an existing LDAP authentication source? Sadly I don't
think I can use "dot1x recompute role from portal" as my certs are
machine certs and don't have the owner/pid present. I've been struggling to
find info on the "MAC auth computer role from portal" option.

Thanks in advance,

David


-- 
Data Classification: Public



Re: [PacketFence-users] Debian 10 support?

2020-08-16 Thread David Harvey via PacketFence-users
Hey folks, couldn't find anything to easily track this with, just curious
as to if there's an ETA on this?

On Sat, 18 Apr 2020, 01:11 Durand fabrice via PacketFence-users, <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Sam,
>
> it's in the road map, Centos 8 too.
>
> Regards
>
> Fabrice
> Le 20-04-17 à 08 h 37, Sam via PacketFence-users a écrit :
>
> Hi
>
> Now that PacketFence 10 was released, is Debian 10 going to be supported
> any time soon? I'm thinking about setting up PF for our company, and I'd
> prefer to use Debian 10 over 9.
> --
> Sam
>
>



Re: [PacketFence-users] Allowing different access levels for MAB vs EAP-TLS clients

2020-02-03 Thread David Harvey via PacketFence-users
Hi all, any pointers at all?

On Thu, Jan 30, 2020 at 10:54 PM David Harvey 
wrote:

> Dear Packetfencers,
>
> I've been struggling with this logic for a while, so I'm going to admit
> defeat and defer to the wisdom of the list.
>
> Aim:
> Allow a maximum or predefined VLAN allocation for MAB users. So those with
> expired certs or otherwise broken 802.1x profiles can get to a useful
> remediation state.
>
> In practice,
>
>    - EAP-TLS users would continue to be assigned their role based VLANs,
>    - Broken, or new installed machines that are registered but have no
>    cert can reach a lesser priv'd vlan.
>
> I currently have a functional setup where users get allocated their VLANs
> properly regardless of if they do MAB or EAP, but I've not for love nor
> money been able to work out how to discriminate between the two
> effectively. I know I can auto-register  EAP clients, but for that to be
> useful unregistering them would have to leave them in a state where MAB
> could still do useful things!
> Can anyone outline how to achieve this?
>
>
> Thanks as ever in advance,
>
> David
>



[PacketFence-users] Allowing different access levels for MAB vs EAP-TLS clients

2020-01-30 Thread David Harvey via PacketFence-users
Dear Packetfencers,

I've been struggling with this logic for a while, so I'm going to admit
defeat and defer to the wisdom of the list.

Aim:
Allow a maximum or predefined VLAN allocation for MAB users. So those with
expired certs or otherwise broken 802.1x profiles can get to a useful
remediation state.

In practice,

   - EAP-TLS users would continue to be assigned their role based VLANs,
   - Broken, or new installed machines that are registered but have no cert
   can reach a lesser priv'd vlan.

I currently have a functional setup where users get allocated their VLANs
properly regardless of if they do MAB or EAP, but I've not for love nor
money been able to work out how to discriminate between the two
effectively. I know I can auto-register  EAP clients, but for that to be
useful unregistering them would have to leave them in a state where MAB
could still do useful things!
Can anyone outline how to achieve this?


Thanks as ever in advance,

David



Re: [PacketFence-users] Mandatory element ip or netmask on interface

2019-09-19 Thread David Harvey via PacketFence-users
Anybody else had to deal with a similar situation?

On Wed, Sep 11, 2019 at 4:06 PM David Harvey 
wrote:

> Dear Packetfencers,
>
> I've finally taken the plunge on version 9 and it's looking great!
> Hoping you may be able to advise on the following.
>
> Previously I followed some advice for 8.3 for dhcp sniffing which was
> largely:
> Make a promiscuous or static interface for relevant vlans with no IP set
> (setting IP resulted in routes coming up which were not desired)
> Add as type dhcp-listener in pf.conf;
>
> Since upgrading to 9, it appears this is no longer an acceptable config:
>
> "Missing mandatory element ip or netmask on interface eth4.7 at
> /usr/local/pf/lib/pfconfig/namespaces/interfaces.pm line 107."
>
> Has the advised methodology changed?
> I should note this was required as our dhcp runs from a switch and has
> direct VLAN access, so dhcp helpers/forwarders cannot be used effectively.
>
> Many thanks as always,
>
> David
>
>

-- 
David Harvey
Director of Internal Technology, Thought Machine

Data Classification: Private

*Email*: da...@thoughtmachine.net
*Web*: www.thoughtmachine.net



[PacketFence-users] Mandatory element ip or netmask on interface

2019-09-11 Thread David Harvey via PacketFence-users
Dear Packetfencers,

I've finally taken the plunge on version 9 and it's looking great!
Hoping you may be able to advise on the following.

Previously I followed some advice for 8.3 for dhcp sniffing which was
largely:
Make a promiscuous or static interface for relevant vlans with no IP set
(setting IP resulted in routes coming up which were not desired)
Add as type dhcp-listener in pf.conf;

Since upgrading to 9, it appears this is no longer an acceptable config:

"Missing mandatory element ip or netmask on interface eth4.7 at
/usr/local/pf/lib/pfconfig/namespaces/interfaces.pm line 107."

Has the advised methodology changed?
I should note this was required as our dhcp runs from a switch and has
direct VLAN access, so dhcp helpers/forwarders cannot be used effectively.

Many thanks as always,

David



Re: [PacketFence-users] Hi IPv4 socket usage to LDAP and pfstats

2018-08-10 Thread David Harvey via PacketFence-users
Detail I should have included: pf 8.1.0 on Debian

Detail I have since seen (IPs removed/swapped out for IPSCRUBBED):

Aug 10 12:23:37 pf pfstats[26534]: t=2018-08-10T12:23:37+0100 lvl=info
msg="Calling Unified API on uri:
https://127.0.0.1:/api/v1/dhcp/stats/eth1/IPSCRUBBED; pid=26534
Aug 10 12:23:37 pf pfstats[26534]: t=2018-08-10T12:23:37+0100 lvl=eror
msg="API error: Get https://127.0.0.1:/api/v1/dhcp/stats/eth1/IPSCRUBBED:
dial tcp 127.0.0.1:: socket: too many open files" pid=26534
Aug 10 12:23:37 pf pfstats[26534]: t=2018-08-10T12:23:37+0100 lvl=info
msg="Calling Unified API on uri:
https://127.0.0.1:/api/v1/dhcp/stats/eth2/1IPSCRUBBED; pid=26534
Aug 10 12:23:37 pf pfstats[26534]: t=2018-08-10T12:23:37+0100 lvl=eror
msg="API error: Get https://127.0.0.1:/api/v1/dhcp/stats/eth2/IPSCRUBBED:
dial tcp 127.0.0.1:: socket: too many open files" pid=26534
Aug 10 12:23:37 pf pfstats[26534]: t=2018-08-10T12:23:37+0100 lvl=info
msg="Calling Unified API on uri:
https://127.0.0.1:/api/v1/dhcp/stats/eth3/IPSCRUBBED; pid=26534
Aug 10 12:23:37 pf pfstats[26534]: t=2018-08-10T12:23:37+0100 lvl=eror
msg="API error: Get https://127.0.0.1:/api/v1/dhcp/stats/eth3IPSCRUBBED:
dial tcp 127.0.0.1:: socket: too many open files" pid=26534
Aug 10 12:23:37 pf pfstats[26534]: t=2018-08-10T12:23:37+0100 lvl=info
msg="Calling Unified API on uri: https://127.0.0.1:/api/v1/queues/stats;
pid=26534
Aug 10 12:23:37 pf pfstats[26534]: t=2018-08-10T12:23:37+0100 lvl=eror
msg="API error: Get https://127.0.0.1:/api/v1/queues/stats: dial tcp
127.0.0.1:: socket: too many open files" pid=26534
Aug 10 12:23:38 pf pfstats[26534]: t=2018-08-10T12:23:38+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:38 pf pfstats[26534]: t=2018-08-10T12:23:38+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:38 pf pfstats[26534]: t=2018-08-10T12:23:38+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:39 pf pfstats[26534]: t=2018-08-10T12:23:39+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:39 pf pfstats[26534]: t=2018-08-10T12:23:39+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:39 pf pfstats[26534]: t=2018-08-10T12:23:39+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:40 pf pfstats[26534]: t=2018-08-10T12:23:40+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:40 pf pfstats[26534]: t=2018-08-10T12:23:40+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:40 pf pfstats[26534]: t=2018-08-10T12:23:40+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:41 pf pfstats[26534]: t=2018-08-10T12:23:41+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:41 pf pfstats[26534]: t=2018-08-10T12:23:41+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:41 pf pfstats[26534]: t=2018-08-10T12:23:41+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:42 pf pfstats[26534]: t=2018-08-10T12:23:42+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:42 pf pfstats[26534]: t=2018-08-10T12:23:42+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:42 pf pfstats[26534]: t=2018-08-10T12:23:42+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:43 pf pfstats[26534]: t=2018-08-10T12:23:43+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:43 pf pfstats[26534]: t=2018-08-10T12:23:43+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:23:43 pf pfstats[26534]: t=2018-08-10T12:23:43+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534

Which seems to sort itself out after:

Aug 10 12:24:17 pf pfstats[26534]: t=2018-08-10T12:24:17+0100 lvl=eror
msg="Cannot connect to pfconfig socket..." pid=26534
Aug 10 12:24:17 pf pfstats[26534]: panic: Can't connect to pfconfig socket
Aug 10 12:24:17 pf pfstats[26534]: goroutine 37 [running]:
Aug 10 12:24:17 pf pfstats[26534]:
github.com/inverse-inc/packetfence/go/pfconfigdriver.connectSocket(0x8a0820,
0xc42026d0b0, 0x444707, 0x0)
Aug 10 12:24:17 pf pfstats[26534]:
/tmp/buildd/packetfence-8.1.0/debian/tmp.7VfKM79Nh5/src/
github.com/inverse-inc/packetfence/go/pfconfigdriver/fetch.go:95 +0x190
Aug 10 12:24:17 pf pfstats[26534]:
github.com/inverse-inc/packetfence/go/pfconfigdriver.FetchSocket(0x8a0820,
0xc42026d0b0, 0xc42227a000, 0x55, 0x7ee8d4, 0x4, 0x74034c)
Aug 10 12:24:17 pf pfstats[26534]:
/tmp/buildd/packetfence-8.1.0/debian/tmp.7VfKM79Nh5/src/
github.com/inverse-inc/packetfence/go/pfconfigdriver/fetch.go:114 +0x4d
Aug 10 12:24:17 pf pfstats[26534]:
github.com/inverse-inc/packetfence/go/pfconfigdriver.FetchDecodeSocket(0x8a0820,
0xc42026d0b0, 0x89e9c0, 0xc4230dea80, 0x0, 0x0)
Aug 10 12:24:17 pf pfstats[26534]:

[PacketFence-users] Hi IPv4 socket usage to LDAP and pfstats

2018-08-10 Thread David Harvey via PacketFence-users
Hi again!

I'm investigating some latency issues with RADIUS being a bit lumpy and
noticed that the number of open IPv4 sockets was incredibly high.


Checking on netstat -anp showed a vast number of pfstats -> LDAP:636
connections (and yes I use LDAP as a portal auth source). The drop off is
after restarting pfstats.

Any idea if this is working as expected or if some total connections
setting I might have missed could be at play?

Appreciating your time as ever.

David
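
One way to quantify the observation in the message above, as an added example that is not part of the original post: tally `netstat -anp` TCP rows per owning process and remote port, and report how many of them sit in CLOSE_WAIT (sockets the peer has closed but the local process has not). The sample rows, addresses, the second process name and the threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -anp` output (documentation address ranges).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:41000        198.51.100.5:636        ESTABLISHED 26534/pfstats
tcp        0      0 192.0.2.10:41001        198.51.100.5:636        ESTABLISHED 26534/pfstats
tcp        0      0 192.0.2.10:41002        198.51.100.5:636        CLOSE_WAIT  26534/pfstats
tcp        0      0 192.0.2.10:41003        198.51.100.5:636        ESTABLISHED 26534/pfstats
tcp        0      0 192.0.2.10:50000        198.51.100.5:636        ESTABLISHED 4242/otherproc
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      800/haproxy
udp        0      0 0.0.0.0:67              0.0.0.0:*                           700/otherproc
"""


def tally_connections(netstat_text):
    """Count non-listening TCP sockets keyed by (program, pid, remote port, state)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 7+ columns; headers and UDP rows (no State column) are skipped.
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        foreign, state = fields[4], fields[5]
        if state == "LISTEN":
            continue
        # The owner column is "PID/Program name"; the name may contain spaces.
        pid, _, program = " ".join(fields[6:]).partition("/")
        # rpartition keeps IPv6 addresses intact and takes only the trailing port.
        _host, _, port = foreign.rpartition(":")
        counts[(program, pid, port, state)] += 1
    return counts


def flag_heavy_talkers(counts, threshold):
    """Return (program, remote_port, total, close_wait) for totals >= threshold."""
    totals, close_wait = Counter(), Counter()
    for (program, _pid, port, state), n in counts.items():
        totals[(program, port)] += n
        if state == "CLOSE_WAIT":
            close_wait[(program, port)] += n
    return sorted(
        (program, port, total, close_wait[(program, port)])
        for (program, port), total in totals.items()
        if total >= threshold
    )


if __name__ == "__main__":
    counts = tally_connections(SAMPLE_NETSTAT)
    # Threshold of 4 is arbitrary for the constructed sample.
    for program, port, total, cw in flag_heavy_talkers(counts, threshold=4):
        print(f"{program} -> remote port {port}: {total} sockets, {cw} in CLOSE_WAIT")
```

Comparing the total for a process against its open-file limit shows how close it is to the "too many open files" errors quoted in the follow-up message.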


[PacketFence-users] Captive portal 400 Bad Request 'json' or 'msgpack' parameter is required

2018-07-20 Thread David Harvey via PacketFence-users
How embarrassing, I'm stuck again..

I can't identify exactly when this occurred, but somewhere between the
upgrade to 8.1 and fixing the portal content as mentioned in previous
threads (largely reverting to default HTML files) I have found myself
unable to load the portal.  It loads OK in the admin interface under the
preview condition, but when attempting to load it from a client on
registration I see the following:

400 Bad Request
'json' or 'msgpack' parameter is required

haproxy-portal httpd.portal load OK in services...

Has anyone seen similar or does anyone have any leads?

As ever grateful,

David


Re: [PacketFence-users] portal accept terms button

2018-07-19 Thread David Harvey via PacketFence-users
PEBCAK...

A couple of edits I had made (one adding text to signin.html, and one that
predated me made to challenge.html) had blocked pages from being upgraded
and in doing so confused the button schema and workflow of AUP being before
and now not on the same page as signin.

Thanks to the as ever helpful inverse.ca for leading me back on track.

David

On Wed, Jul 18, 2018 at 10:10 AM, David Harvey 
wrote:

> Has anyone else observed this, or can anyone offer advice on what I could
> check further?
>
> On Mon, Jul 16, 2018 at 4:31 PM, David Harvey 
> wrote:
>
>> Dear Packetfence users,
>>
>> Since the 8.0 update (and I'm now on 8.1.0) I've been having problems
>> with the portal and AUP/accept button state (used to be a tick box IIRC or
>> certainly made it clear when it was selected).
>>
>> I believe it relates to
>> /usr/local/pf/html/common/scss/_components.buttons.scss
>>
>> > ="fields[aup]" id="aup" value="1" class="hide">I accept the terms
>> 
>>
>> The issue is that it's impossible to tell when the button has been
>> pressed (See below).  The button reacts on mouse-over and changes hue a
>> little, but remains identical whether it has been clicked or not.  I find
>> it hard to believe no-one else would have observed this, so I wonder what I
>> might have done in the portal settings to upset the gods of button state?
>>
>>
>>
>> Kind regards,
>>
>> David
>>
>>
>> 
>>
>
>


Re: [PacketFence-users] portal accept terms button

2018-07-18 Thread David Harvey via PacketFence-users
Has anyone else observed this, or can anyone offer advice on what I could
check further?

On Mon, Jul 16, 2018 at 4:31 PM, David Harvey 
wrote:

> Dear Packetfence users,
>
> Since the 8.0 update (and I'm now on 8.1.0) I've been having problems with
> the portal and AUP/accept button state (used to be a tick box IIRC or
> certainly made it clear when it was selected).
>
> I believe it relates to
> /usr/local/pf/html/common/scss/_components.buttons.scss
>
> I accept the terms
> 
>
> The issue is that it's impossible to tell when the button has been pressed
> (See below).  The button reacts on mouse-over and changes hue a little, but
> remains identical whether it has been clicked or not.  I find it hard to
> believe no-one else would have observed this, so I wonder what I might have
> done in the portal settings to upset the gods of button state?
>
>
>
> Kind regards,
>
> David
>
>
> 
>


[PacketFence-users] portal accept terms button

2018-07-16 Thread David Harvey via PacketFence-users
Dear Packetfence users,

Since the 8.0 update (and I'm now on 8.1.0) I've been having problems with
the portal and AUP/accept button state (used to be a tick box IIRC or
certainly made it clear when it was selected).

I believe it relates
to /usr/local/pf/html/common/scss/_components.buttons.scss

I accept the terms


The issue is that it's impossible to tell when the button has been pressed
(See below).  The button reacts on mouse-over and changes hue a little, but
remains identical whether it has been clicked or not.  I find it hard to
believe no-one else would have observed this, so I wonder what I might have
done in the portal settings to upset the gods of button state?



Kind regards,

David





Re: [PacketFence-users] LDAP

2018-05-24 Thread David Harvey via PacketFence-users
Not sure how much the standalone 389 directory lets you do from its admin
interface, but a simple FreeIPA install (which includes 389) is also pretty
quick and easy to setup, and has a very comprehensive interface.  It may
contain way more features than you want though!
Alternatively, I know QNAP NAS' have some builtin LDAP server bits, as I
imagine other NAS' would do, so if you have one on premise may be worth
checking out..

On Wed, May 23, 2018 at 11:38 PM, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I think about this one http://directory.fedoraproject.org/ who is coming
> with an admin interface.
>
> https://www.ehowstuff.com/setup-389-directory-server-on-centos-7/
>
> Le 2018-05-23 à 15:56, Jason 'XenoPhage' Frisvold via PacketFence-users a
> écrit :
>
> Hi all,
>
>   I’m looking for a quick and simple LDAP install I can use with 
> packetfence as a temporary authentication source.  Before I stand up an 
> openldap server, or perhaps openldap in a container, is anyone using 
> something that’s quicker to stand up and get running?  I’d love something 
> with an interface I can use to add users, change passwords, etc.
>
> Thanks,
>
> ---
> Jason 'XenoPhage' frisvoldxenoph...@godshell.com
> ---
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
>
>
>


Re: [PacketFence-users] Dot1x fails on the switch but packetfence claims success!

2018-03-16 Thread David Harvey via PacketFence-users
Fabrice, you are an absolute legend again. Thank you for curing my headache.
Next I need to work out why my other switch without the role behaves
anyway, but that's something I'm happy to explore, and might be a
difference in how the IOS versions handle responses :).

Thank you again so much for your help,

David

On Thu, Mar 15, 2018 at 12:19 AM, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello David,
>
> i think it's because of that:
>
> Added role developer to the returned RADIUS Access-Accept
>
> developer role mean that you have a developer acl on the switch.
>
> So in the switch config (pf side) remove the developer role by switch role
> attribute and retry.
>
> Regards
>
> Fabrice
>
>
>
> Le 2018-03-14 à 14:37, David Harvey via PacketFence-users a écrit :
>
> Dear list,
>
> I've been fighting with this all day, so excuse the brain fart..
> Recently added another cisco 3750x to my fleet. The only difference is
> that it's on IOS 15.2(4), where the others which work are on 15.0.
>
> I've cloned the config of a functioning install, and cross referenced it
> against the network config guide, also attempted re-entering my RADIUS
> password into the radius server section.  As far as packetfence is
> concerned they use the common RADIUS values/switch defaults.
>
> radius server pfnac
>  address ipv4 10.23.5.150 auth-port 1812 acct-port 1813
>  automate-tester username keepalive ignore-acct-port idle-time 3
>  key 7 SOMEVALUE
> !
>
>  and the aaa server in case the encrypted versions were mangled.
>
> aaa server radius dynamic-author
>  client 10.23.5.150 server-key 7 SOMEVALUE
>  port 3799
> !
>
> I've also tried "#no radius-server vsa send accounting " as it is on by
> default in 15.2 (fails either way)
>
> Now what I'm trying to get my head around, is why on the cisco console I
> get:
>
> %DOT1X-5-FAIL: Authentication failed for client (b6c3.97fe.c2c2) on
> Interface Gi1/0/17 AuditSessionID 0A170508002F014
>
> But in pf it all looks sane with either MAC or 802.1x auth:
>
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] handling radius autz request: from switch_ip =>
> (10.23.5.8), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (6c:20:56:ad:70:93), mac => [b6:c3:97:fe:c2:c2], port => 10119, username =>
> "b6c397fec2c2" (pf::radius::authorize)
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] Connection type is WIRED_MAC_AUTH. Getting role
> from node_info (pf::role::getRegisteredRole)
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] Username was defined "b6c397fec2c2" - returning
> role 'developer' (pf::role::getRegisteredRole)
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] PID: "david-tm00035-laptop.thomac.net", Status:
> reg Returned VLAN: (undefined), Role: developer (pf::role::fetchRoleForNode)
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added VLAN 70 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added role developer to the returned
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Adding access list : permit ip any any
> to the RADIUS reply (pf::Switch::Cisco::Catalyst_2960::
> returnRadiusAccessAccept)
> Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
> [mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added access lists to the RADIUS reply.
> (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
>
> I'd love to understand some potential causes - I suspected: replies not
> being received by switch, replies being misinterpreted by switch, but my
> attempts to make sense of it have so far failed!
>
> Any help much appreciated.
>
> David
>
>
>
>

[PacketFence-users] Dot1x fails on the switch but packetfence claims success!

2018-03-14 Thread David Harvey via PacketFence-users
Dear list,

I've been fighting with this all day, so excuse the brain fart..
Recently added another cisco 3750x to my fleet. The only difference is that
it's on IOS 15.2(4), where the others which work are on 15.0.

I've cloned the config of a functioning install, and cross referenced it
against the network config guide, also attempted re-entering my RADIUS
password into the radius server section.  As far as packetfence is
concerned they use the common RADIUS values/switch defaults.

radius server pfnac
 address ipv4 10.23.5.150 auth-port 1812 acct-port 1813
 automate-tester username keepalive ignore-acct-port idle-time 3
 key 7 SOMEVALUE
!

 and the aaa server in case the encrypted versions were mangled.

aaa server radius dynamic-author
 client 10.23.5.150 server-key 7 SOMEVALUE
 port 3799
!

I've also tried "#no radius-server vsa send accounting " as it is on by
default in 15.2 (fails either way)

Now what I'm trying to get my head around, is why on the cisco console I
get:

%DOT1X-5-FAIL: Authentication failed for client (b6c3.97fe.c2c2) on
Interface Gi1/0/17 AuditSessionID 0A170508002F014

But in pf it all looks sane with either MAC or 802.1x auth:

Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] handling radius autz request: from switch_ip =>
(10.23.5.8), connection_type => WIRED_MAC_AUTH,switch_mac =>
(6c:20:56:ad:70:93), mac => [b6:c3:97:fe:c2:c2], port => 10119, username =>
"b6c397fec2c2" (pf::radius::authorize)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] Connection type is WIRED_MAC_AUTH. Getting role
from node_info (pf::role::getRegisteredRole)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] Username was defined "b6c397fec2c2" - returning
role 'developer' (pf::role::getRegisteredRole)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] PID: "david-tm00035-laptop.thomac.net", Status: reg
Returned VLAN: (undefined), Role: developer (pf::role::fetchRoleForNode)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added VLAN 70 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added role developer to the returned
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Adding access list : permit ip any any
to the RADIUS reply
(pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added access lists to the RADIUS reply.
(pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)

I'd love to understand some potential causes - I suspected: replies not
being received by switch, replies being misinterpreted by switch, but my
attempts to make sense of it have so far failed!

Any help much appreciated.

David
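
A way to line up what PacketFence logged against what the switch has to accept, as an added example that is not part of the original post or of PacketFence itself: it parses the `httpd.aaa` lines from the message above, collects the VLAN, role and access list placed in each Access-Accept, and lists replies carrying a role name that the switch has no matching ACL for (the cause given in Fabrice's reply in this thread). The `switch_acls` inventory is a hypothetical input the operator supplies from the switch configuration.

```python
import re

# Four of the log lines from the post above, re-joined onto single lines
# (the mail client had wrapped them).
SAMPLE_LOG = """\
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO: [mac:b6:c3:97:fe:c2:c2] handling radius autz request: from switch_ip => (10.23.5.8), connection_type => WIRED_MAC_AUTH,switch_mac => (6c:20:56:ad:70:93), mac => [b6:c3:97:fe:c2:c2], port => 10119, username => "b6c397fec2c2" (pf::radius::authorize)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO: [mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added VLAN 70 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO: [mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added role developer to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO: [mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Adding access list : permit ip any any to the RADIUS reply (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
"""

LINE = re.compile(r"\[mac:(?P<mac>[0-9a-f:]{17})\]\s+(?P<msg>.*)$", re.I)
REQUEST = re.compile(
    r"switch_ip => \((?P<switch>[^)]+)\), connection_type => (?P<ctype>\w+)"
)
VLAN = re.compile(r"Added VLAN (\S+) to the returned RADIUS Access-Accept")
ROLE = re.compile(r"Added role (\S+) to the returned RADIUS Access-Accept")
ACL = re.compile(r"Adding access list : (.+?) to the RADIUS reply")


def parse_access_accepts(log_text):
    """Return one record per authorization request with the reply contents."""
    replies = []
    open_by_mac = {}  # most recent request seen for each MAC
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        mac, msg = m["mac"].lower(), m["msg"]
        req = REQUEST.search(msg)
        if req:
            # A new "handling radius autz request" line starts a new record.
            rec = {"mac": mac, "switch": req["switch"],
                   "connection_type": req["ctype"],
                   "vlan": None, "role": None, "acls": []}
            open_by_mac[mac] = rec
            replies.append(rec)
            continue
        rec = open_by_mac.get(mac)
        if rec is None:
            continue  # reply line without a preceding request in this excerpt
        for key, pattern in (("vlan", VLAN), ("role", ROLE)):
            hit = pattern.search(msg)
            if hit:
                rec[key] = hit[1]
        hit = ACL.search(msg)
        if hit:
            rec["acls"].append(hit[1])
    return replies


def roles_missing_on_switch(replies, switch_acls):
    """List (mac, switch, role) where the returned role has no ACL on the switch.

    switch_acls maps switch IP -> set of ACL names defined on that switch
    (hypothetical inventory, gathered by the operator).
    """
    missing = []
    for rec in replies:
        role = rec["role"]
        if role and role not in switch_acls.get(rec["switch"], set()):
            missing.append((rec["mac"], rec["switch"], role))
    return missing


if __name__ == "__main__":
    replies = parse_access_accepts(SAMPLE_LOG)
    # Constructed inventory: no ACL named "developer" on this switch.
    for mac, switch, role in roles_missing_on_switch(replies, {"10.23.5.8": set()}):
        print(f"{switch}: reply for {mac} names role '{role}' with no matching ACL")
```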


Re: [PacketFence-users] Role Assignment (G Suite/SAML)

2018-02-10 Thread David Harvey via PacketFence-users
I switched from GSuite Auth to LDAP for almost exactly this reason.. using
LDAP groups makes it very easy. I didn't find a way of making it work with
GSuite, but someone else here may have been more adventurous or creative!
It "should" be technically possible with enough hacking, as the federated
Auth method for making Amazon AWS console work with GSuite entails setting
some user attributes on the Google side which AWS maps to a role...

On 7 Feb 2018 23:05, "Timothy Mullican via PacketFence-users" <
packetfence-users@lists.sourceforge.net> wrote:

> All,
>
> I am trying to implement PacketFence on my network. I have added G Suite
> and SAML as an authentication method and that works. The problem I have is
> that we have several departments that operate on different VLANs. Is it
> possible to use certain attributes from a SAML source to determine the
> user's role (VLAN)? I can return a SAML attribute containing the user's
> group, but I don't think PacketFence supports using this out of the box to
> determine their role. Then I could manually map the returned group to a
> role in PacketFence. If not, how do you assign roles for users? Active
> Directory groups?
>
> Currently we have several SSIDs that are each mapped to specific VLANs.
> Then the user connects to a specific SSID to get on a specific VLAN.
> Greatly appreciate any feedback.
>
> Thank you,
> Tim
>
> 


Re: [PacketFence-users] Restarting swicthports errors

2018-02-05 Thread David Harvey via PacketFence-users
Thank you Christian, my visual scour of the subject list hadn't focused me
onto your thread, so appreciate the pointer - apologies for poor archive
digging @list!

On Mon, Feb 5, 2018 at 8:22 AM, Cristian Mammoli via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi, see my post "[PacketFence-users] pfappserver::Controller::Node broken
> after update to 7.4" of 01-29
>
> On 02/02/2018 16:43, David Harvey via PacketFence-users wrote:
>
>> Sorry for all the mailing list spam. I've been having a bit of a
>> packetfence tinkering week!
>>
>> Since upgrading to packetfence 7.4 followed by applying the Unifi patch
>> 2735.patch
>> <https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch>
>> (the latter probably unrelated given the files it touches), I've been
>> seeing failures when attempting to restart switchports from the GUI.  On
>> screen I get
>>
>> "Error!An error condition has occured. See server side logs for details."
>>
>>
>>
> --
>
> *Cristian Mammoli*
> System Administrator
>
> T.  +39 0731 719822
> www.apra.it <http://www.apra.it>
>
>


Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread David Harvey via PacketFence-users
Update:
My changes in the unifi config.properties weren't being pushed due to a
failure on my part to understand how the item/line numbers work :)
"Note that each line has it's own number just before the equals sign, so
for a second customization you would enter 2, etc."
<https://help.ubnt.com/hc/en-us/articles/205223330-UniFi-How-to-make-persistent-changes-to-UAP-s-system-cfg>
It seems to be working a bit better now, with somewhat more of a delay
switching than expected, and the kicks not being accepted consistently -
order of events perhaps (not liking two kicks in a row?)

Feb  2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc]
Switched status on the Unifi controller using command kick-sta
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc]
Can't send request on the Unifi controller: 400 Bad Request
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)


On Fri, Feb 2, 2018 at 2:59 PM, David Harvey <da...@thoughtmachine.net>
wrote:

> Yes, thank you Tim,
>
> I've reverted my manual hacks of Unifi.pm in favour of applying the patch
> which seems to be successful in maintaining the same behaviour as the
> manual changes had.  I'm seeing a failure on other (cisco) switches to
> restart switchports, but I think that is unrelated, or relates to recent
> packetfence upgrade perhaps.
> I've also now added the changes in the draft documentation to my unifi
> controller in order to try and disable pmksa caching, and enabling dynamic
> VLAN assignment.  So far however the wireless clients have not been
> reliably being de-authed, and usually stubbornly remain on the same VLAN. I
> suspect I've got something wrong on the unifi side of things as just like
> fdurand notes in
> https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628
> I cannot see the relevant config updates applied at the AP level after
> updating them on the controller as prescribed.
>
> On with the digging and ideas always welcome. Great to see how many people
> are stuck getting in to making this work.
>
> Best,
>
> David
>
> On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi Tim,
>>
>> As usual, your comments are invaluable ;)
>>
>> Looking at the guide which is in asciidoc to see how to properly deal
>> with Unifi. Would be nice to see pictures as they are missing.
>>
>> Also, do I need to replace IP addresses for AP in the switches.conf with
>> their MAC addresses ?
>>
>>
>>
>> Eugene
>>
>>
>>
>> *From:* Timothy Mullican via PacketFence-users
>> [mailto:packetfence-users@lists.sourceforge.net]
>> *Sent:* Thursday, February 01, 2018 9:11 AM
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Timothy Mullican; Frederic Hermann
>> *Subject:* Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of
>> Band
>>
>>
>>
>> By the way,
>>
>> Fabrice Durand already added code to do this in pull request #2735 on
>> github. See
>> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
>>
>> You can apply that patch to get it working. Also see
>> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
>> for the updated documentation. You can read through my earlier thread to
>> see the steps I took to get it working.
>>
>>
>>
>> Tim
>>
>> Sent from mobile phone
>>
>>
>> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> This has been a fantastic resource for the thread I recently started
>> (sorry for the repetition in it)
>>
>> I would add:
>>
>> I've added kick-sta to replace both the authorize and unauthorize guest
>> commands in Unifi.pm
>>
>>
>>
>> It transpired my in house cert was upsetting things until I updated ca
>> certs on the debian container I'm using. The symptom was the following in
>> packetfence.log:
>>
>> before:
>>
>> Can't login on the Unifi controller: 500 Can't connect to
>> 10.100.103.33:8443 (certificate verify failed)
>> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>>
>> after:
>>
>> Switched status on the Unifi controller using command kick-sta
>> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>>
>>
>>
>> After th
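
The two pfqueue records in the update above show a successful kick-sta followed 30 seconds later by a 400 Bad Request for the same MAC. The script below is an added example, not part of the thread or of PacketFence: it unwraps such log records and flags a rejected kick that follows a recent successful one, along with the certificate-trust failure quoted in the thread. The function names, the 60-second window, the default year and the third sample record are assumptions.

```python
"""Triage Unifi deauth (kick-sta) results from packetfence.log."""
import re
from datetime import datetime

DEAUTH_FN = "pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP"

# Records 1-2 are the ones quoted in the thread. Record 3 is constructed
# (documentation IP 192.0.2.10, made-up MAC) to exercise the TLS case.
SAMPLE_LOG = """\
Feb  2 16:06:24 pf pfqueue: pfqueue(3962) INFO: [mac:78:31:c1:cb:12:dc]
Switched status on the Unifi controller using command kick-sta
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:06:54 pf pfqueue: pfqueue(3977) ERROR: [mac:78:31:c1:cb:12:dc]
Can't send request on the Unifi controller: 400 Bad Request
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Feb  2 16:09:10 pf pfqueue: pfqueue(3980) ERROR: [mac:aa:bb:cc:00:11:22]
Can't login on the Unifi controller: 500 Can't connect to
192.0.2.10:8443 (certificate verify failed)
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
"""

# A syslog timestamp at the start of a line opens a new record; anything
# else is a wrapped continuation of the previous record.
RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d\s")
RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+\S+\s+[^:\s]+:\s+\S+\s+"
    r"(?P<level>[A-Z]+):\s+\[mac:(?P<mac>[0-9A-Fa-f:]{17})\]\s+(?P<msg>.*)$"
)


def unwrap(text):
    """Join wrapped continuation lines back onto their record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def classify(msg):
    """Map a deauth log message to a short outcome label."""
    if "certificate verify failed" in msg:
        return "tls_verify_failed"
    if "Can't login on the Unifi controller" in msg:
        return "login_failed"
    rejected = re.search(r"Can't send request on the Unifi controller: (\d{3})", msg)
    if rejected:
        return "http_" + rejected.group(1)
    if re.search(r"Switched status on the Unifi controller using command \S+", msg):
        return "ok"
    return "other"


def parse_deauth_events(text, year):
    """Return deauth events sorted by time. Syslog lines carry no year,
    so the caller supplies one (assumption)."""
    events = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m or DEAUTH_FN not in rec:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "mac": m["mac"].lower(),
                       "outcome": classify(m["msg"])})
    return sorted(events, key=lambda e: e["ts"])


def triage(text, year=2018, window_s=60):
    """Return (mac, finding, detail) tuples for every non-successful deauth."""
    findings = []
    last_ok = {}
    for ev in parse_deauth_events(text, year):
        mac, outcome = ev["mac"], ev["outcome"]
        if outcome == "ok":
            last_ok[mac] = ev["ts"]
        elif outcome == "tls_verify_failed":
            findings.append((mac, outcome,
                             "controller certificate not trusted by this host"))
        elif outcome.startswith("http_"):
            gap = (ev["ts"] - last_ok[mac]).total_seconds() if mac in last_ok else None
            if gap is not None and gap <= window_s:
                findings.append((mac, "rejected_after_recent_kick",
                                 f"{outcome} {int(gap)}s after a successful kick"))
            else:
                findings.append((mac, "rejected", outcome))
        else:
            findings.append((mac, outcome, ""))
    return findings


if __name__ == "__main__":
    for mac, kind, detail in triage(SAMPLE_LOG):
        print(f"{mac}  {kind}: {detail}")
```
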

[PacketFence-users] Restarting swicthports errors

2018-02-02 Thread David Harvey via PacketFence-users
Sorry for all the mailing list spam. I've been having a bit of a
packetfence tinkering week!

Since upgrading to packetfence 7.4 followed by applying the Unifi patch
2735.patch (the latter probably unrelated given the files it touches), I've
been seeing failures when attempting to restart switchports from the GUI.
On screen I get

"Error! An error condition has occured. See server side logs for details."

And consulting logs reveals:

Feb  2 13:26:17 pf httpd_admin: httpd.admin(21612) ERROR: [mac:unknown]
Caught exception in pfappserver::Controller::Node->bulk_restart_switchport
"Can't use an undefined value as a subroutine reference at
/usr/local/pf/lib/CHI/Driver/DBI.pm line 43."
(pfappserver::PacketFence::Controller::Root::end)
Feb  2 13:26:34 pf httpd_admin: httpd.admin(21612) ERROR: [mac:unknown]
Caught exception in pfappserver::Controller::Node->bulk_restart_switchport
"Can't use an undefined value as a subroutine reference at
/usr/local/pf/lib/CHI/Driver/DBI.pm line 43."
(pfappserver::PacketFence::Controller::Root::end)
Feb  2 13:29:02 pf httpd_admin: httpd.admin(21612) ERROR: [mac:unknown]
Caught exception in pfappserver::Controller::Node->bulk_restart_switchport
"Can't use an undefined value as a subroutine reference at
/usr/local/pf/lib/CHI/Driver/DBI.pm line 43."
(pfappserver::PacketFence::Controller::Root::end)
Feb  2 13:37:46 pf httpd_admin: httpd.admin(21612) INFO: [mac:unknown]
Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Feb  2 13:38:57 pf httpd_admin: httpd.admin(21612) INFO: [mac:unknown]
Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown] Hard
expiring resource : config::Profiles (pfconfig::manager::expire)
Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
Connecting to MySQL database (pfconfig::backend::mysql::_get_db)
Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
Expiring child resource FilterEngine::Profile. Master resource is
config::Profiles (pfconfig::manager::expire)
Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown] Hard
expiring resource : FilterEngine::Profile (pfconfig::manager::expire)
Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown]
Expiring child resource resource::URI_Filters. Master resource is
config::Profiles (pfconfig::manager::expire)
Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) INFO: [mac:unknown] Hard
expiring resource : resource::URI_Filters (pfconfig::manager::expire)
Feb  2 13:42:27 pf httpd_admin: httpd.admin(21630) ERROR: [mac:unknown] OK
(pf::ConfigStore::commit)

So with my basic understanding I assumed there is a MAC passing, or MAC to
switchport mapping issue.  Checking the node MAC address -> location tab,
does show up to date session information :-/

Any ideas!?

Many thanks in advance,

David


Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-02 Thread David Harvey via PacketFence-users
Yes, thank you Tim,

I've reverted my manual hacks of Unifi.pm in favour of applying the patch
which seems to be successful in maintaining the same behaviour as the
manual changes had.  I'm seeing a failure on other (cisco) switches to
restart switchports, but I think that is unrelated, or relates to recent
packetfence upgrade perhaps.
I've also now added the changes in the draft documentation to my unifi
controller in order to try and disable pmksa caching, and enabling dynamic
VLAN assignment.  So far however the wireless clients have not been
reliably being de-authed, and usually stubbornly remain on the same VLAN. I
suspect I've got something wrong on the unifi side of things as just like
fdurand notes in
https://community.ubnt.com/t5/UniFi-Wireless/Feature-request-disable-pmksa-caching/m-p/2112479#M257628
I cannot see the relevant config updates applied at the AP level after
updating them on the controller as prescribed.

On with the digging and ideas always welcome. Great to see how many people
are stuck getting in to making this work.

Best,

David

On Fri, Feb 2, 2018 at 7:14 AM, E.P. via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Tim,
>
> As usual, your comments are invaluable ;)
>
> Looking at the guide which is in asciidoc to see how to properly deal with
> Unifi. Would be nice to see pictures as they are missing.
>
> Also, do I need to replace IP addresses for AP in the switches.conf with
> their MAC addresses ?
>
>
>
> Eugene
>
>
>
> *From:* Timothy Mullican via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Thursday, February 01, 2018 9:11 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Timothy Mullican; Frederic Hermann
> *Subject:* Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of
> Band
>
>
>
> By the way,
>
> Fabrice Durand already added code to do this in pull request #2735 on
> github. See
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
>
> You can apply that patch to get it working. Also see
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
> for the updated documentation. You can read through my earlier thread to
> see the steps I took to get it working.
>
>
>
> Tim
>
> Sent from mobile phone
>
>
> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> This has been a fantastic resource for the thread I recently started
> (sorry for the repetition in it)
>
> I would add:
>
> I've added kick-sta to replace both the authorize and unauthorize guest
> commands in Unifi.pm
>
>
>
> It transpired my in house cert was upsetting things until I updated ca
> certs on the debian container I'm using. The symptom was the following in
> packetfence.log:
>
> before:
>
> Can't login on the Unifi controller: 500 Can't connect to
> 10.100.103.33:8443 (certificate verify failed)
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>
> after:
>
> Switched status on the Unifi controller using command kick-sta
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>
>
>
> After this the kick events come through and I get a brief drop in packets
> whilst pinging.  I'm still fighting the final issue - which is increasing
> the duration of the kick, or ensuring a full re-auth occurs, as currently
> the device I'm testing with drops packets, but remains on the same VLAN
> still until the device is toggled.
>
>
>
> Thanks for the guidance and let me know if you face/overcame anything
> similar.
>
>
>
> Cheers,
>
>
>
> David
>
>
>
>
>
> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> > From: "Michael Westergaard via PacketFence-users" <packetfence-users@lists.sourceforge.net>
> Hi Michael,
>
>
> > I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
> > for authenticating users over wireless and then changing the VLAN.
>
> > However I cannot find any documentation anywhere if this is possible in
> > Packetfence Documentation?
>
> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
> > able to make it work?
>
> We made some tests a few weeks ago, and we've been able to manage a Unifi
> controller u

Re: [PacketFence-users] Unifi APs and CoA

2018-02-01 Thread David Harvey via PacketFence-users
Many thanks for the tips. With your guidance I've been following the
"Packetfence RADIUS and Unifi Out of Band" and am 90% of the way there.
For anyone curious, please check in on that thread, as it's got more of the
case history and steps outlined.

Best,

David

On Thu, Feb 1, 2018 at 1:39 AM, Timothy Mullican <tjmullic...@yahoo.com>
wrote:

> David,
> Your understanding is correct. Currently the UniFi only supports
> deauthenticating a client using the controller API and not using CoA. It is
> possible to enable RADIUS CoA for a single SSID and frequency, but this may
> not be useful for you. This is because the UniFi runs a separate hostapd
> instance for all of the different SSIDs and frequencies. See:
> https://community.ubnt.com/t5/UniFi-Wireless/RADIUS-Interim-updates/m-p/1860205/highlight/true#M216003
>
> Sent from mobile phone
>
> On Jan 31, 2018, at 17:46, Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello David,
>
> the unifi AP is not yet correctly supported, there is some code about that
> but you have to do some custom config on the Unifi controller.
> Have a look at the mailing list archive about unifi.
>
> Regards
> Fabrice
>
> On 2018-01-31 at 13:02, David Harvey via PacketFence-users wrote:
>
> I should also note. I've just changed our APs from switch type hostapd to
> ubiquity::unify, added the controller IP (a docker image in my case), and
> also attempted to add the webservices field as detailed in the
> documentation:
>
> wsTransport=HTTPS
> wsUser=admin
> wsPwd=admin
>
>
> On Wed, Jan 31, 2018 at 6:00 PM, David Harvey <da...@thoughtmachine.net>
> wrote:
>
>> Hi packetfence users,
>>
>> I just wanted to confirm a feature (or my understanding of).
>>
>> I'm using unifi access points with great success for portal login paired
>> with EAP-TLS.
>>
>> Unregistered clients with certs land on the registration VLAN, and then
>> have their proper vlans assigned by the portal login.
>> After the portal login has been performed the client needs the wifi
>> toggling off and on at present to reauth and get put onto the correct VLAN.
>> subsequent reconnects work fine...
>>
>> If I've read the archives correctly, the wifi down/up is required because
>> CoA is not supported by unifi, nor does the controller allow RADIUS
>> disconnect events to force a client to reauth.
>> Have I understood correctly, and is there any other magic I could try in
>> order to smooth the portal sign in experience?
>>
>> Thanks in advance,
>>
>> David
>>
>
>
>


Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

2018-02-01 Thread David Harvey via PacketFence-users
This has been a fantastic resource for the thread I recently started (sorry
for the repetition in it)
I would add:
I've added kick-sta to replace both the authorize and unauthorize guest
commands in Unifi.pm

It transpired my in house cert was upsetting things until I updated ca
certs on the debian container I'm using. The symptom was the following in
packetfence.log:
before:
Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443
(certificate verify failed)
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
after:
Switched status on the Unifi controller using command kick-sta
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

After this the kick events come through and I get a brief drop in packets
whilst pinging.  I'm still fighting the final issue - which is increasing
the duration of the kick, or ensuring a full re-auth occurs, as currently
the device I'm testing with drops packets, but remains on the same VLAN
still until the device is toggled.

Thanks for the guidance and let me know if you face/overcame anything
similar.

Cheers,

David


On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> > From: "Michael Westergaard via PacketFence-users" <packetfence-users@lists.sourceforge.net>
> Hi Michael,
>
>
> > I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is using
> > for authenticating users over wireless and then changing the VLAN.
>
> > However I cannot find any documentation anywhere if this is possible in
> > Packetfence Documentation?
>
> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
> > able to make it work?
>
> We made some tests a few weeks ago, and we've been able to manage a Unifi
> controller using Radius mode (rather than the Portal mode described in
> PacketFence documentation).
>
> This allows you to use dynamic VLAN with WPA2-Enterprise, as it seems that
> dynamic VLANs are only available in secure mode on unifi.
>
> The only change we had to do (on the packetfence side) was
>
>
> That means you have to configure your AP type as "Unifi Controller" in
> packetfence, and set the Deauth method to "HTTPS", instead of Radius.
> Of course you will also define the unifi controller IP in the same
> location.
> Then you will have to edit (or override) the Unifi.pm module to change the
> webservice command used to auth/deauth users: this is in the
> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta"
> unifi command through the webservice, instead of the
> "authorize-guest/unauthorise-guest".
>
> Hope this helps,
>
> Regards
>
> 


Re: [PacketFence-users] Unifi APs and CoA

2018-01-31 Thread David Harvey via PacketFence-users
I should also note. I've just changed our APs from switch type hostapd to
ubiquity::unify, added the controller IP (a docker image in my case), and
also attempted to add the webservices field as detailed in the documentation:

wsTransport=HTTPS
wsUser=admin
wsPwd=admin


On Wed, Jan 31, 2018 at 6:00 PM, David Harvey 
wrote:

> Hi packetfence users,
>
> I just wanted to confirm a feature (or my understanding of).
>
> I'm using unifi access points with great success for portal login paired
> with EAP-TLS.
>
> Unregistered clients with certs land on the registration VLAN, and then
> have their proper vlans assigned by the portal login.
> After the portal login has been performed the client needs the wifi
> toggling off and on at present to reauth and get put onto the correct VLAN.
> subsequent reconnects work fine...
>
> If I've read the archives correctly, the wifi down/up is required because
> CoA is not supported by unifi, nor does the controller allow RADIUS
> disconnect events to force a client to reauth.
> Have I understood correctly, and is there any other magic I could try in
> order to smooth the portal sign in experience?
>
> Thanks in advance,
>
> David
>


[PacketFence-users] Unifi APs and CoA

2018-01-31 Thread David Harvey via PacketFence-users
Hi packetfence users,

I just wanted to confirm a feature (or my understanding of).

I'm using unifi access points with great success for portal login paired
with EAP-TLS.

Unregistered clients with certs land on the registration VLAN, and then
have their proper vlans assigned by the portal login.
After the portal login has been performed the client needs the wifi
toggling off and on at present to reauth and get put onto the correct VLAN.
subsequent reconnects work fine...

If I've read the archives correctly, the wifi down/up is required because
CoA is not supported by unifi, nor does the controller allow RADIUS
disconnect events to force a client to reauth.
Have I understood correctly, and is there any other magic I could try in
order to smooth the portal sign in experience?

Thanks in advance,

David


Re: [PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread David Harvey via PacketFence-users
I feel like there are clues here which almost have me there:

[wsgi:warn] [pid 31927] mod_wsgi: Compiled for Python/2.7.8.
[Thu Jun 22 16:32:35.008061 2017] [wsgi:warn] [pid 31927] mod_wsgi: Runtime
using Python/2.7.9.
[Thu Jun 22 16:32:35.008275 2017] [wsgi:alert] [pid 31927] (2)No such file
or directory: mod_wsgi (pid=31927): Couldn't bind unix domain socket
'/var/run/apache2/wsgi.31927.0.1.sock'.
[Thu Jun 22 16:32:35.009096 2017] [mpm_prefork:notice] [pid 31927] AH00163:
Apache/2.4.10 (Debian) OpenSSL/1.0.2k mod_wsgi/4.3.0 Python/2.7.9
configured -- resuming normal operations
[Thu Jun 22 16:32:35.009109 2017] [core:notice] [pid 31927] AH00094:
Command line: '/usr/sbin/apache2 -f
/usr/local/packetfence-pki/conf/httpd.conf'

And indeed there is no /var/run/apache2/wsgi.31927.0.1.sock

On Thu, Jun 22, 2017 at 4:17 PM, David Harvey 
wrote:

> FWIW, I also get the same bad request error after forcing apt with:
> dpkg -i --ignore-depends=python-django-bootstrap3
> packetfence-pki_1.0.4_all.deb
>
> On Thu, Jun 22, 2017 at 4:06 PM, David Harvey 
> wrote:
>
>> Hi packetfence users,
>>
>> I've been attempting to experiment with packetfence-pki, but have fallen
>> at the first hurdle. Namely there doesn't seem to be a Debian Jessie
>> package available as advertised at
>> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
>> (section 3.1)
>> http://inverse.ca/downloads/PacketFence/debian/pool/jessie/p/
>>
>> I attempted to install the generic deb, but predictably it wouldn't
>> accept the pip installed version of django-bootstrap3 as apt doesn't know
>> about "python-django-bootstrap3".
>>
>> Attempted to install from source which looked promising
>> until there was no service file that came with make install, so using an
>> init.d script (/etc/init.d/packetfence-pki.dpkg-new) admittedly origin
>> unknown I managed to get to complaints over
>> /usr/local/packetfence-pki/conf/server.crt and 
>> /usr/local/packetfence-pki/conf/server.key.
>> I dutifully copied the packetfence ones, and although the service starts, I
>> get a bad request 400 error when visiting https://server:9393.
>>
>> Now I understand I've mangled the instructions massively, so is there
>> a) A correct way to do this on Jessie any more?
>> b) A way of breathing life into my Frankenstein's monster?
>>
>> Thanks in advance,
>>
>> David
>>
>
>


[PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread David Harvey via PacketFence-users
Hi packetfence users,

I've been attempting to experiment with packetfence-pki, but have fallen at
the first hurdle. Namely there doesn't seem to be a Debian Jessie package
available as advertised at
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
(section 3.1)
http://inverse.ca/downloads/PacketFence/debian/pool/jessie/p/

I attempted to install the generic deb, but predictably it wouldn't accept
the pip installed version of django-bootstrap3 as apt doesn't know about
"python-django-bootstrap3".

Attempted to install from source which looked promising
until there was no service file that came with make install, so using an
init.d script (/etc/init.d/packetfence-pki.dpkg-new) admittedly origin
unknown I managed to get to complaints over
/usr/local/packetfence-pki/conf/server.crt
and /usr/local/packetfence-pki/conf/server.key. I dutifully copied the
packetfence ones, and although the service starts, I get a bad request 400
error when visiting https://server:9393.

Now I understand I've mangled the instructions massively, so is there
a) A correct way to do this on Jessie any more?
b) A way of breathing life into my Frankenstein's monster?

Thanks in advance,

David


Re: [PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread David Harvey via PacketFence-users
FWIW, I also get the same bad request error after forcing apt with:
dpkg -i --ignore-depends=python-django-bootstrap3 packetfence-pki_1.0.4_all.deb

On Thu, Jun 22, 2017 at 4:06 PM, David Harvey 
wrote:

> Hi packetfence users,
>
> I've been attempting to experiment with packetfence-pki, but have fallen
> at the first hurdle. Namely there doesn't seem to be a Debian Jessie
> package available as advertised at
> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
> (section 3.1)
> http://inverse.ca/downloads/PacketFence/debian/pool/jessie/p/
>
> I attempted to install the generic deb, but predictably it wouldn't accept
> the pip installed version of django-bootstrap3 as apt doesn't know about
> "python-django-bootstrap3".
>
> Attempted to install from source which looked promising
> until there was no service file that came with make install, so using an
> init.d script (/etc/init.d/packetfence-pki.dpkg-new) admittedly origin
> unknown I managed to get to complaints over
> /usr/local/packetfence-pki/conf/server.crt and 
> /usr/local/packetfence-pki/conf/server.key.
> I dutifully copied the packetfence ones, and although the service starts, I
> get a bad request 400 error when visiting https://server:9393.
>
> Now I understand I've mangled the instructions massively, so is there
> a) A correct way to do this on Jessie any more?
> b) A way of breathing life into my Frankenstein's monster?
>
> Thanks in advance,
>
> David
>