Re: [PacketFence-users] how to deploy acl via radius attribute 26?

2024-08-28 Thread Fabrice Durand via PacketFence-users
Hello Joel,

In fact it's not yet implemented in the code.

If I do the code, can you test it? (Then it will be part of the code base
of PacketFence.)

Regards
Fabrice


On Wed, 28 Aug 2024 at 08:37, 平嘉伟 via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi folks!
>
>  I have a PacketFence 13.2 installation for wired 802.1X authentication
> with Huawei 57xx switches.
>
>  Test PC: Win10
>
>  Test switch model: Huawei S5720
>
>  Test switch VRP version: V200R011C10SPC600
>
>  802.1X authentication and role-based VLAN assignment are working
> perfectly.
>
>
>
>  Now here is the thing:
>
>  I define an ACL in [switch-group]-[roles]-[OA-MACHINE]-[access-list]
> for testing.
>
>  The ACL is pretty simple and has been tested on the Huawei switch:
>
>  acl 10001 deny dst-port 3389
>
>  meaning: deny if the TCP destination port is 3389
>
>  After the test machine passed authentication and got the correct
> role [OA-MACHINE], the RADIUS reply is:
>
>  BUT there is no ACL info in the reply!
>
>  After digging, I found radius-filter, which is capable of sending an ACL
> by using RADIUS attribute 26-82 [Huawei data-filter], but it is hard to use.
>
>  On the other hand, [access-list] of [switch-group]-[roles] is
> much more user-friendly.
>
>  So, my question is:
>
> how to make PF send the ACL which is predefined in
> [switch-group]-[roles]-[SOME ROLE]-[access-list] to the Huawei switch using
> RADIUS attribute 26-82 [Huawei data-filter]?
>
>
>
>  Any advice is appreciated.
>
>
>
>  Joel.
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
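What "attribute 26-82" means on the wire, as an added example that is not part of the thread or of PacketFence: RADIUS attribute 26 is Vendor-Specific (RFC 2865), and 82 is the sub-attribute number inside Huawei's vendor block (Huawei's IANA enterprise number is 2011). The Python below encodes a Huawei 26-82 value into an Access-Accept attribute list and parses it back with length checks, which is also the shape a radius filter reply or a switch module would have to produce. The filter string is a placeholder (the real data-filter syntax comes from Huawei's documentation), and the function names are this example's own.

```python
"""Encode and decode a RADIUS Vendor-Specific Attribute (type 26) carrying
Huawei sub-attribute 82.  Added example, not PacketFence or FreeRADIUS code."""
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type
FILTER_ID = 11              # standard attribute, shown for contrast
HUAWEI_VENDOR_ID = 2011     # Huawei's IANA enterprise number
HUAWEI_DATA_FILTER = 82     # the "26-82" sub-attribute from the thread

# Placeholder value: the real data-filter syntax is defined by Huawei, not here.
EXAMPLE_FILTER = "deny dst-port 3389"


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Plain RADIUS TLV: Type (1 octet), Length (1 octet, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26: 26 | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | Data."""
    if len(value) > 247:  # 255 - 2 (outer header) - 4 (Vendor-Id) - 2 (inner header)
        raise ValueError("vendor data exceeds 247 octets; split across several VSAs")
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_reply_attributes(data_filter: str) -> bytes:
    """Attribute list of an Access-Accept that carries the Huawei ACL plus a Filter-Id."""
    return (encode_attr(FILTER_ID, b"OA-MACHINE")
            + encode_vsa(HUAWEI_VENDOR_ID, HUAWEI_DATA_FILTER, data_filter.encode("ascii")))


def parse_attributes(data: bytes) -> list:
    """Split a TLV list into (type, value) pairs; rejects truncated or zero-length items."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def parse_vsa(value: bytes) -> tuple:
    """Return (vendor_id, [(vendor_type, data), ...]) for one VSA value."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its Vendor-Id field")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])  # inner block has the same TLV shape


def huawei_data_filters(attrs: list) -> list:
    """Collect every Huawei-Data-Filter (26-82) string present in a parsed reply."""
    found = []
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id != HUAWEI_VENDOR_ID:
            continue
        found.extend(data.decode("ascii") for sub_type, data in subs
                     if sub_type == HUAWEI_DATA_FILTER)
    return found


if __name__ == "__main__":
    wire = build_reply_attributes(EXAMPLE_FILTER)
    print(wire.hex())
    print(huawei_data_filters(parse_attributes(wire)))
```

The parser is strict on purpose: a Vendor-Length that overruns the outer attribute, or a zero-length item, is rejected rather than silently skipped, which is the check a NAS or a RADIUS proxy needs before it applies a filter string it received over UDP.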


Re: [PacketFence-users] Pfacct change bind IP

2024-06-13 Thread Fabrice Durand via PacketFence-users
In fact it doesn't work anymore:

https://github.com/inverse-inc/packetfence/issues/8170

The dirty fix is to edit that file and do the manual change
(/usr/local/pf/sbin/pfacct-docker-wrapper)


On Thu, 13 Jun 2024 at 12:16, Zammit, Ludovic via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Nate,
>
> Tag the interface as radius in PF network, pfacct should listen on it.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal Lead*
> Akamai Technologies - Inverse
>
> On Jun 12, 2024, at 8:56 AM, Nate Tremmel via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> How can I change pfacct to bind to a different interface ip or to 0.0.0.0?
> It’s only on my management interface and my radius stuff needs to be on a
> different interface due to routing.


Re: [PacketFence-users] New Setup with Aruba CX

2024-06-06 Thread Fabrice Durand via PacketFence-users
It's what I used.


ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
ntp enable
!
radius-server host 192.168.254.254 key ciphertext AQBdpV9beDVEkoo8WDy+tIcudTVeTDHZee+iJI+/O681Zx1/CwAAAI3aU+/QfiRaKT+l tracking enable clearpass-username packetfence clearpass-password ciphertext AQBapV9beDVEkoo8WDy+tIcudTVeTDHZee+iJI+/O681Zx1/CwAAAI3aU+/QfiRaKT+l
aaa authentication allow-fail-through
!
aaa group server radius packetfence
    server 192.168.254.254
!
aaa accounting port-access start-stop interim group packetfence
aaa accounting port-access start-stop interim on-reauth
!
radius dyn-authorization enable
!
radius dyn-authorization client 192.168.254.254 time-window 65535 secret-key ciphertext AQBdpV9beDVEkoo8WDy+tIcudTVeTDHZee+iJI+/O681Zx1/CwAAAI3aU+/QfiRaKT+l
ssh server vrf default
ssh server vrf mgmt
vlan 1
vlan 2
    name mgmt
vlan 3
    name reg
interface mgmt
    no shutdown
    ip dhcp
port-access port-security enable
aaa authentication port-access mac-auth
    enable
interface 1/1/1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
interface 1/1/2
    no shutdown
    no routing
    vlan access 1
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access client-limit 3
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 60
        max-eapol-requests 1
        max-retries 1
        quiet-period 5
        discovery-period 10
        enable
    aaa authentication port-access mac-auth
        enable
interface 1/1/3
    no shutdown
    no routing
    vlan access 1
interface vlan 1
interface vlan 2
    ip address 192.168.254.252/24
snmp-server community public
ip route 0.0.0.0/0 192.168.254.1
!
https-server vrf mgmt


On Thu, 6 Jun 2024 at 15:39, Chris Bentz via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
> I am sorry if this has been asked and answered hundreds of times but
> looking through the history I can not find the answer. We are working on a
> POC of PacketFence and I can connect Aruba switches running AOS but I have
> tried and tried to connect switches CX and can not get them to work. Does
> anyone have a config for an Aruba CX switch that is working that they are
> willing to share? I would just like to look it over and see where I am
> failing.
>
> *Chris Bentz*
>
> Network & Telecommunications Engineer
>
> *Wheaton College*
>
> Wheaton, IL 60187


Re: [PacketFence-users] Malware detected during installation

2024-05-22 Thread Fabrice Durand via PacketFence-users
It's not malware and it's part of the official Debian packages:

https://packages.debian.org/search?searchon=names&keywords=impacket


On Wed, 22 May 2024 at 09:02, Parvez Khan // Viva via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Packetfence team,
>
> This is to inform you that I'm facing issues during installation:
> Python packages are dropped during installation due to malicious reputation.
> Logs are attached to this email.
>
>
> Parvez Khan
> Sr. Manager - Network, Infra & Security


Re: [PacketFence-users] FreeRADIUS Debug

2024-05-22 Thread Fabrice Durand via PacketFence-users
raddebug -f /usr/local/pf/var/run/radiusd.sock -t 0

On Wed, 22 May 2024 at 09:00, Brian Blater via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> From a google search I did the following to get FreeRADIUS into debug mode:
>
> In System Configuration | Services I stopped radiusd and
> radiusd-auth and tried using the following: freeradius -X -d
> /usr/local/pf/raddb -n auth
>
> That didn't work. What is the command to get FreeRADIUS into debug
> mode so I can look at what is happening on PF?
>
> thx
>
>


Re: [PacketFence-users] Radius Issues with EAP TLS WiFi

2024-05-16 Thread Fabrice Durand via PacketFence-users
I don't think you can query Azure AD with the machine name, like
https://graph.microsoft.com/v1.0/users/machine_xyz/memberOf (because it
ties to the users, not the devices; maybe I am wrong).

But what you can do is the following:
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_using_azure_ad_eap_tls_machine_authentication
Btw you will have to change the certificate to have the AAD_Device_ID as
the CN.

And as a last resort, if it's not possible to recreate a cert, then you can use an
EAP-TLS source and check to see if the device certificate has been signed by
the correct CA.

On Thu, 16 May 2024 at 20:41, Adrian Damaschek via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Does this also apply to using it with AzureAD, since I run a domainless
> setup, and it would be enough if it just went standalone where it validates
> via the certificate?
> And it's not the domain name it gives there, it's just the word "host/".
>
> Currently I can't even manually approve the device to connect as it's
> returning an empty error with 401 on the RADIUS reply.
>
> Regards
>
> From: Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> Sent: Wednesday, 15 May 2024 19:48
> To: packetfence-users@lists.sourceforge.net
> Cc: Fabrice Durand 
> Subject: Re: [PacketFence-users] Radius Issues with EAP TLS WiFi
>
>
> Normally you shouldn't have to strip the host\ since you are able to
> search this attribute in the AD via the servicePrincipalName attribute.
>
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_using_the_corporate_machine_role
>
> On Wed, 15 May 2024 at 13:24, Adrian Damaschek via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
> I'm trying to set up the NAC to provide certs over SCEP and then use that
> to allow device access to my WiFi network.
>
> It has to be device-level auth as they are used by multiple users and it's
> the machine that should determine the access to the network.
>
> So there are two problems I am struggling with. One is that Windows insists
> on adding host/ in front of the computer name and I can't seem to be able to
> strip it with a filter, but maybe I did the wrong thing with it.
> My attempt was
>
> ${replace($radius_request.User-Name,"host\/","")}
>
> Scope was set to preprocess; for testing I set the value to be always
> TRUE, and I did try with and without merging the answer.
>
> Also when I try to log on, PacketFence does process it and rejects it,
> giving
>
> Module-Failure-Message = "rest: Server returned:",
>
> Also noticed in the reply that I get
>
> REST-HTTP-Status-Code = "401",
>
> Not sure if this is related to the host/ that Windows puts in the username of
> the initial request.
>
> Any tip on how to deal with this would be appreciated.
>
> Regards
> Adrian
>
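Why the thread says not to strip host/, as an added example that is not part of the thread or of PacketFence: a Windows machine certificate presents the computer as host/<fqdn>, which is the same form a computer object's servicePrincipalName takes in Active Directory, so the safe move is to search on that value as-is (escaped) instead of rewriting it in a filter. The Python below classifies the EAP-TLS User-Name, derives the directory lookups (the host/<fqdn> SPN and the COMPUTER$ sAMAccountName are assumed AD conventions, not taken from the thread), builds an RFC 4515-escaped LDAP filter so a crafted User-Name cannot inject filter syntax, and runs the match against a small constructed in-memory directory. Function names and the sample entries are this example's own.

```python
"""Classify an EAP-TLS User-Name and match it against a directory the way a
machine-authentication source would.  Added example, not PacketFence code."""
import re

# host/<fqdn> is what a Windows supplicant presents for machine authentication.
SPN_RE = re.compile(r"^host/(?P<fqdn>[a-z0-9-]+(?:\.[a-z0-9-]+)*)$", re.IGNORECASE)

# Constructed in-memory stand-in for the computer objects an AD search would return.
DIRECTORY = [
    {"sAMAccountName": "PC01$",
     "servicePrincipalName": ["HOST/PC01", "HOST/pc01.corp.example"]},
    {"sAMAccountName": "LAB-07$",
     "servicePrincipalName": ["HOST/LAB-07", "HOST/lab-07.corp.example"]},
]


def classify_identity(user_name: str) -> dict:
    """Tell a machine identity (host/...) apart from a user identity and derive lookups."""
    m = SPN_RE.match(user_name.strip())
    if not m:
        return {"kind": "user", "value": user_name}
    fqdn = m.group("fqdn")
    return {
        "kind": "machine",
        "fqdn": fqdn,
        # Assumed AD conventions: SPN stored as host/<fqdn>, computer account <NAME>$.
        "servicePrincipalName": f"host/{fqdn}",
        "sAMAccountName": f"{fqdn.split('.')[0].upper()}$",
    }


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for values placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def machine_filter(user_name: str) -> str:
    """LDAP filter for the computer object; the supplicant's string is escaped, never trusted."""
    ident = classify_identity(user_name)
    if ident["kind"] != "machine":
        raise ValueError("not a machine identity")
    spn = ldap_escape(ident["servicePrincipalName"])
    return f"(&(objectClass=computer)(servicePrincipalName={spn}))"


def find_computer(user_name: str, directory=DIRECTORY):
    """Match on the SPN exactly as presented (case-insensitively); no host/ stripping needed."""
    ident = classify_identity(user_name)
    if ident["kind"] != "machine":
        return None
    wanted = ident["servicePrincipalName"].lower()
    for entry in directory:
        if any(spn.lower() == wanted for spn in entry["servicePrincipalName"]):
            return entry
    return None


if __name__ == "__main__":
    for name in ("host/PC01.corp.example", "host/rogue.corp.example", "alice@corp.example"):
        print(name, "->", find_computer(name))
```

Two layers guard the lookup: the SPN regex refuses anything that is not a hostname after host/, and ldap_escape handles the filter metacharacters anyway, so a User-Name such as host/evil)(objectClass=* never reaches the directory as filter syntax.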


Re: [PacketFence-users] Users are assigned the inline role instead of assigned the correct group

2024-05-15 Thread Fabrice Durand via PacketFence-users
Check the packetfence.log when the device connects; it's probably coming
from an authentication rule, or in the switch config you played with the
"Inline Conditions".

On Wed, 15 May 2024 at 13:26, Geert Heremans via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello everyone
>
> I'm setting up certificate-based 802.1X authentication for my WiFi
> clients. Via Intune users are assigned a certificate (using SCEP on PF).
> My PF is configured out-of-band and is actually hosted outside the network
> on a VPS.
>
> The certificate (user) based authentication is working. I can connect to
> the WiFi network using the certificate. Only my user is assigned the
> *inline role* instead of the correct
> role configured in the authentication source.
>
> When I test the authentication using pftest and enter the username/password
> of the user I'm connecting with via a certificate, I do get assigned the
> correct role.
>
> Where might I want to look for the misconfiguration?
>
> Best regards
> Geert
>
>
>


Re: [PacketFence-users] Radius Issues with EAP TLS WiFi

2024-05-15 Thread Fabrice Durand via PacketFence-users
Normally you shouldn't have to strip the host/ since you are able to search
this attribute in the AD via the servicePrincipalName attribute.
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_using_the_corporate_machine_role


On Wed, 15 May 2024 at 13:24, Adrian Damaschek via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I'm trying to set up the NAC to provide certs over SCEP and then use that
> to allow device access to my WiFi network.
>
> It has to be device-level auth as they are used by multiple users and it's
> the machine that should determine the access to the network.
>
> So there are two problems I am struggling with. One is that Windows insists
> on adding host/ in front of the computer name and I can't seem to be able to
> strip it with a filter, but maybe I did the wrong thing with it.
> My attempt was
>
> ${replace($radius_request.User-Name,"host\/","")}
>
> Scope was set to preprocess; for testing I set the value to be always
> TRUE, and I did try with and without merging the answer.
>
> Also when I try to log on, PacketFence does process it and rejects it,
> giving
>
> Module-Failure-Message = "rest: Server returned:",
>
> Also noticed in the reply that I get
>
> REST-HTTP-Status-Code = "401",
>
> Not sure if this is related to the host/ that Windows puts in the username of
> the initial request.
>
> Any tip on how to deal with this would be appreciated.
>
> Regards
> Adrian
>


Re: [PacketFence-users] captive portal after 10 min of inactivity

2024-05-15 Thread Fabrice Durand via PacketFence-users
You can configure the idle-timeout on the AP/controller side to 10
minutes, configure accounting too, and on the PacketFence side in the
connection profile enable "Automatically deregister devices on accounting
stop".

On Wed, 15 May 2024 at 13:27, leonardo.izzo--- via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi, the director of the school where I have to configure PF would like
> that after authenticating with a captive portal from a browser with Google
> Workstation credentials, after 10 minutes of inactivity this captive portal
> appears again. This is because they have many devices that do not belong to
> a specific teacher, but can pass from one teacher to another throughout the
> day. How can I solve it? Thank you
>
>


Re: [PacketFence-users] MAB configuration of Avaya ERS-4548GT switch

2024-05-15 Thread Fabrice Durand via PacketFence-users
Hello,

it's been a while since I played with Avaya switches, but this doc should still
work (
https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_802_1x_with_mac_authentication_bypass_and_voip
).

Regards
Fabrice


On Wed, 15 May 2024 at 13:24, BEAUDOUIN Hugo (Stagiaire Infra) via
PacketFence-users  wrote:

> Hello,
>
>
>
> I am taking the liberty of writing to the mailing list because I
> encountered a problem with the Avaya ERS-4548GT switch. Indeed, I would
> like to configure MAC Auth Bypass but I can't find documentation about
> it. If anyone has a template or tips, I am interested. Thank you.
>
>
>
> Best Regards
>
> H.B.


Re: [PacketFence-users] Unable to install no matter what

2024-04-18 Thread Fabrice Durand via PacketFence-users
Yes, it's strange.
When you try on the server, is there only one network card connected?


On Thu, 18 Apr 2024 at 10:25, Laboratorio Tronic via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Somehow on another computer the ZEN package is working, I'll try to
> configure it as a test, but my aim is to install it on the bare-metal
> machine with multiple NICs..


Re: [PacketFence-users] Unable to install no matter what

2024-04-18 Thread Fabrice Durand via PacketFence-users
Hello Marco,

Do you have a proxy between packetfence and the internet ?
It sounds to me to be an external issue to packetfence.

Regards
Fabrice



On Thu, 18 Apr 2024 at 08:35, Laboratorio Tronic via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello hive mind,
>  I'm not sure about how this kind of communication works but I'll
> give it a try.
> I'm coming from a painful experience with pfSense, being a newbie in the
> firewall/Nac field, took me ages to setup the software like I wanted it
> to work (considering the whole project is a non-profit one for a natural
> park I volunteer for, where a messed up network is already in place and
> I don't have much manoeuvring space to change it).
> Only AFTER I had it set up, I discovered the self-registration plugin
> for the captive portal is no longer unmaintained/working, so I thought
> I'd replace it all with PacketFence, which seems to have all I need.
>
> MY HARDWARE (for testing):
> - Intel Core i3 (2cores/4threads) 2,7GHz.
> - 8GB DDR4 RAM
> - 128GB SSD
> - 1 integrated Realtek Gigabit NIC
> - 2 PCIeX Intel Gigabit NICs (one of which linked to the router)
>
> WHAT I TRIED:
> - burning the ver. 13 ISO on a disk and installing from scratch. -> in
> the middle of installation it doesn't find the repositories, no matter
> which country/preset I input; even inputting them manually will not
> work. Ignoring this step will lead to the impossibility to retrieve the
> public key and continue installation. The "Select and install software" step
> won't complete and stops the whole process.
>
> - installing Debian first and then following the guide on the site to
> install packetfence on it. -> Debian deployment goes well but the last
> step of the guide will not work: when I apt-get install packetfence it
> says many packages are damaged/blocked, repositories won't contain them,
> they're no longer maintained, are deprecated or so on. Tried finding and
> installing all the packages manually but no luck so far.
>
> - Downloading the ZEN VM and launching it on VMware Player. -> boots up
> and then says to connect to an IP address which isn't even on the same
> subnet and anyway won't show any page when fetched by the browser.
>
> I'm really frustrated because every review/comment about PacketFence
> seems at least satisfied, if not enthusiastic..and I can't even get
> started.
> Anyone can help?
>
> Thanks in advance
>
> Marco
>
>
>


Re: [PacketFence-users] Connect Okta to PacketFence

2024-03-15 Thread Fabrice Durand via PacketFence-users
Does it provide an ldap interface ?

On Fri, 15 Mar 2024 at 20:45, Alex Diaz via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Is it possible to connect Okta to PacketFence?
>
> thanks
>
> *Alex Diaz*
> IT Manager


Re: [PacketFence-users] Google SAML Integration

2024-03-15 Thread Fabrice Durand via PacketFence-users
do you have some logs ?

On Fri, 15 Mar 2024 at 15:18, Christopher Jordan via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I'm trying to setup Google with SAML logins for the captive portal so
> depending on there role it will assign them to the correct VLAN. I know I
> can use Google LDAP authentication however this will not give me 2FA option
> on there Google Profile which we would like to have.
>
> I tried to use the Azure SAML walkthrough
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_saml_authentication
> to mimic the Google setup however I can't get it to work.
>
> Can anybody show me how to configure it if possible?
>
> Thanks,
> Chris
>
>


Re: [PacketFence-users] PacketFence wont install

2024-03-15 Thread Fabrice Durand via PacketFence-users
Debian 12 is not yet supported, we are working on it.
Use Debian 11 instead

On Fri, 15 Mar 2024 at 13:30, Alex Diaz via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
> I have a new Debian 12.5 env that I am trying to install PacketFence on but
> it is not working. I cannot see why I am running into this issue. Any help
> would be appreciated.
> I followed these instructions from PacketFence.
>
>
> Ran this apt-get update
>
> Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [38 B]
> Get:3 file:/etc/apt/mirrors/debian-security.list Mirrorlist [47 B]
> Hit:2 https://cdn-aws.deb.debian.org/debian bookworm InRelease
> Hit:4 https://cdn-aws.deb.debian.org/debian bookworm-updates InRelease
> Hit:5 https://cdn-aws.deb.debian.org/debian bookworm-backports InRelease
> Hit:6 https://cdn-aws.deb.debian.org/debian-security bookworm-security
> InRelease
> Hit:7 http://inverse.ca/downloads/PacketFence/debian/13.1 bullseye
> InRelease
> Reading package lists... Done
> W:
> http://inverse.ca/downloads/PacketFence/debian/13.1/dists/bullseye/InRelease:
> Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the
> DEPRECATION section in apt-key(8) for details.
>
> Then ran apt-get install packetfence and got this
>
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> Some packages could not be installed. This may mean that you have
> requested an impossible situation or if you are using the unstable
> distribution that some required packages have not yet been created
> or been moved out of Incoming.
> The following information may help to resolve the situation:
> The following packages have unmet dependencies:
> packetfence : Depends: freeradius (>= 3.2.1) but it is not going to be
> installed
> Depends: freeradius-ldap but it is not going to be installed
> Depends: freeradius-mysql but it is not going to be installed
> Depends: freeradius-utils but it is not going to be installed
> Depends: freeradius-rest but it is not going to be installed
> Depends: freeradius-redis but it is not going to be installed
> Depends: sscep (>= 0.9) but it is not going to be installed
> Depends: libcrypt-openssl-pkcs12-perl but it is not going to be installed
> Depends: libcrypt-smime-perl but it is not going to be installed
> Depends: python3-twisted-bin but it is not installable
> E: Unable to correct problems, you have held broken packages.
>
> *Alex Diaz*
> IT Manager


Re: [PacketFence-users] DA authentication problems

2024-03-15 Thread Fabrice Durand via PacketFence-users
I think you will need to delete the machine account on the AD side and
rejoin the packetfence server.

On Fri, 15 Mar 2024 at 15:36, Nolberto Delgado via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> DA authentication problems
>
>
> Good morning, I am trying to authenticate access to the network using
> PacketFence.
>
> I am using the installation guide to the letter with the same scenario
> presented in the guide.
>
> I have installed it in a hyper-v environment it did not work for me, I
> proceeded to install it in a vmware environment with the packetfence ZEN as
> the guide indicates but I have the same errors.
>
> Logs radius:
>
> Mar 15 09:02:13 tests auth[4569]: (9531) Login incorrect (chrooted_mschap:
> Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix): [TEST] (from
> client 192.168.89.26/32 port 50020 cli 00:e0:4c:36:00:00:cf via TLS
> tunnel)
> Mar 15 09:02:13 pruebas auth[4569]: (9532) Login incorrect (eap_peap: The
> users session was previously rejected: returning reject (again.)):
> [PRUEBASAS\test] (from client 192.168.89.26/32 port 50020 cli
> 00:e0:4c:36:00:cf)
>
>
> Error via web:
>
> ntlm auth api returned with HTTP code:401, test machine account
> failed.Access denied.
>
>
> In the windows server I have the radius client pointing to the packetfence
> ip, I don't know if this is a windows error or a packetfence error, I am
> waiting for your kind help.
>
> cordially
>
>
>
>
>
>
>
>
> *Nolberto Delgado Espinosa*
>
> Implementation and Support Engineer
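Reading the two radius log lines quoted above, as an added example that is not part of the thread or of PacketFence: the first rejection is the real failure (the chrooted_mschap module got no NT_KEY back from ntlm_auth, which is why the reply points at the machine account), and the second is only eap_peap echoing the already-rejected inner session. The Python below parses FreeRADIUS "Login incorrect" / "Login OK" lines into fields and tags each record with a triage hint. The first two sample lines are reproduced from the thread and the third is constructed; the regex, field names and hint texts are this example's own, not FreeRADIUS's.

```python
"""Parse FreeRADIUS auth log lines and tag rejections with a triage hint.
Added example, not PacketFence or FreeRADIUS code."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) auth\[(?P<pid>\d+)\]: "
    r"\((?P<req>\d+)\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<module>[\w-]+): (?P<reason>.*?)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?(?P<rest>.*)\)$"
)

# First two lines are the ones quoted in the thread; the third is constructed.
SAMPLE_LOG = r"""
Mar 15 09:02:13 tests auth[4569]: (9531) Login incorrect (chrooted_mschap: Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix): [TEST] (from client 192.168.89.26/32 port 50020 cli 00:e0:4c:36:00:00:cf via TLS tunnel)
Mar 15 09:02:13 pruebas auth[4569]: (9532) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [PRUEBASAS\test] (from client 192.168.89.26/32 port 50020 cli 00:e0:4c:36:00:cf)
Mar 15 09:03:01 tests auth[4569]: (9540) Login OK: [PRUEBASAS\test] (from client 192.168.89.26/32 port 50020 cli 00:e0:4c:36:00:cf via TLS tunnel)
""".strip().splitlines()


def parse_line(line: str):
    """Return a dict of fields, or None when the line is not a Login OK/incorrect record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["via_tunnel"] = "via TLS tunnel" in rec.pop("rest")
    return rec


def triage(rec: dict) -> str:
    """Map a parsed record to the next thing to check (hint texts are this example's)."""
    if rec["result"] == "OK":
        return "accepted"
    module, reason = rec.get("module") or "", rec.get("reason") or ""
    if module == "chrooted_mschap" and "NT_KEY" in reason:
        # ntlm_auth answered but without an NT_KEY: the domain join / machine account
        # is the suspect (the thread's advice: delete the AD computer object and re-join).
        return "ntlm_auth backend failure: check domain join and machine account"
    if module == "eap_peap" and "previously rejected" in reason:
        # Not a new failure: the outer tunnel is echoing the inner rejection above.
        return "echo of inner-auth rejection: fix the inner failure first"
    return f"rejected by {module or 'unknown module'}: {reason or 'no reason logged'}"


def summarize(lines):
    """Count triage outcomes per NAS client so the root-cause line stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["client"], triage(rec))] += 1
    return counts


if __name__ == "__main__":
    for (client, hint), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {client:20s} {hint}")
```

Run it over /usr/local/pf/logs/radius.log (or the output of the raddebug command given earlier in this digest) and the eap_peap echoes drop out of the way, leaving the inner-module failures that actually need fixing.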


Re: [PacketFence-users] Empty Radius Audit Logs page

2024-01-23 Thread Fabrice Durand via PacketFence-users
Normally we fixed the issue in 13.0 (maintenance) and 13.1.

Once you upgrade to the latest version, be sure that you restarted all
services.

If it is still not working then can you paste the pfcron.log file to see if
there are any errors ?



On Tue, 23 Jan 2024 at 15:58, Thomas Michel via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> On Tuesday, 23.01.2024 at 20:02 +, David Moore via
> PacketFence-users wrote:
> >
> > I upgraded to PF 13.1 today, with hopes that the RADIUS Audit Logs
> > page would start to show info again but is still empty. This page has
> > not shown data since upgrading to PF 13.
> >
>
> I have a similar issue, not sure if related - The radius logs are empty
> until I restart pfcron. Then I have logs again for a couple of hours.
> After then, empty logs again until I restart pfcron again.
>
>
> Maybe you can give this a try to see if you run into the same problem?
>
> Regards,
> Thomas Michel.
>
>


Re: [PacketFence-users] CP Sponsor authentication module page configuration

2024-01-05 Thread Fabrice Durand via PacketFence-users
Hello Mourtouza,

yes it's possible and can be done in the locale file.
edit this file
https://github.com/inverse-inc/packetfence/blob/devel/conf/locale/fr/LC_MESSAGES/packetfence.po#L1352
and replace "Courriel du sponsor" with "Email du Responsable Invité" and
save the file.

Once done:
cd /usr/local/pf/
make translation

and restart packetfence.

Regards
Fabrice


On Fri, 5 Jan 2024 at 08:17, Mourtouza AKBARALY via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> I would like to know if there is a possibility to change field names in
> the captive portal sponsor login page?
>
> I have created a custom module for the sponsor login via the Advanced
> Access Configuration > Portal modules.
>
>
>
> I would like to change, on the form, the field names that are showing:
>
>
>
> For “COURRIEL” I would like to show “Guest Email”
>
> &
>
> For “ COURRIEL DU SPONSOR” I would like to show “ Email du Responsable
> Invité”
>
>
>
>
>
> Thank you for your help 😊


Re: [PacketFence-users] Cisco WLC and guest reconnect issue (CoA)

2024-01-05 Thread Fabrice Durand via PacketFence-users
Hello Levgen,

can you provide the packetfence.log snippet when you register on the portal
?

Regards
Fabrice


On Fri, Jan 5, 2024 at 08:18, Ievgen Lepekha via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi, all,
>
> Need help.
>
>
>
> I integrated PacketFence 13 with a Cisco WLC 3504, configured an SSID with
> open+mac-filter (radius enabled), 2 ACLs.
>
> Guests on first connection are redirected to the captive portal.
>
> After registration PacketFence should return a new role, but this does not
> happen automatically: PF does not send CoA packets to the WLC. On the Switch "Use
> CoA" is enabled, CoA port is 1700 (I've tried with port 3799 but nothing works
> - the same result).
>
> If I manually reconnect the device to the SSID (disconnect/connect) then everything
> works (the WLC will send a new RADIUS request and PacketFence should return a
> new role and the necessary ACL).
>
> Help, please, with RADIUS CoA for automatically changing roles.
>
> In PF I use the default template "WLC"
>
> From TCPDUMP on PacketFence on ports 1700 and 3799 - nothing
>
> Also with radclient
>
> "radsniff -x -p 1700" - empty
>
>
>
> (Cisco Controller) >show radius summary
>
> Vendor Id Backward Compatibility ............ Disabled
> Call Station Id Case ........................ lower
> Accounting Call Station Id Type ............. Mac Address
> Auth Call Station Id Type ................... AP's Radio MAC Address:SSID
> Extended Source Ports Support ............... Enabled
> Aggressive Failover ......................... Disabled
> Keywrap ..................................... Disabled
> Fallback Test:
> Test Mode ................................... Active
> Probe User Name ............................. cisco-probe
> Interval (in seconds) ....................... 300
> MAC Delimiter for Authentication Messages ... hyphen
> MAC Delimiter for Accounting Messages ....... hyphen
> RADIUS Authentication Framed-MTU ............ 1300 Bytes
> AP Events Accounting ........................ Disabled
>
> Authentication Servers
>
> Idx  Type  Server Address  Port  State    Tout  MgmtTout  RFC3576  IPSec - state/Profile Name/RadiusRegionString
> ---  ----  --------------  ----  -------  ----  --------  -------  ---------------------------------------------
> 6    * N                   1812  Enabled  5     5         Enabled  Disabled - /none
>
> Accounting Servers
>
> Idx  Type  Server Address  Port  State    Tout  MgmtTout  RFC3576  IPSec - state/Profile Name/RadiusRegionString
> ---  ----  --------------  ----  -------  ----  --------  -------  ---------------------------------------------
> 6    * N                   1813  Enabled  5     5         N/A      Disabled - /none
>
> (Cisco Controller) >show radius rfc3576 statistics
>
> RFC-3576 Servers:
> Server Index ................................ 6
> Server Address ..............................
> Disconnect-Requests ......................... 0
> COA-Requests ................................ 0
> Retransmitted Requests ...................... 0
> Malformed Requests .......................... 0
> Bad Authenticator Requests .................. 0
> Other Drops ................................. 0
> Sent Disconnect-Ack ......................... 0
> Sent Disconnect-Nak ......................... 0
> Sent CoA-Ack ................................ 0
> Sent CoA-Nak ................................ 0
>
> Best Regards,
>
> Yevgen Lepekha
> Network engineer
> ERC  Kyiv, Ukraine
> tel office: +380 44 230 34 74 (1132)
>
>


Re: [PacketFence-users] radiusd-auth not starting after upgrade from 12.0 to 13.0

2023-11-06 Thread Fabrice Durand via PacketFence-users
Hello Arun,

it's something that has been deprecated in PacketFence so no tenant anymore.
The issue you got was probably due to a packaging installation issue.

Regards
Fabrice


On Mon, Nov 6, 2023 at 06:06, Arun Kangle  wrote:

> Hi Fabrice,
> Could you please let us know what was different in our setup that we had
> to use the no tenant based packetfence.example and packetfence-tunnel
> files? Please let us know the permanent fix.
>
> Thanks in advance,
> - Arun
>
> On Sun, Nov 5, 2023 at 8:51 PM Hubert Kupper via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello,
>>
>>
>> I use the new packetfence.example but I also had to copy
>> packetfence-tunnel.example to packetfence-tunnel. Now it works well.
>>
>> Many thanks.
>>
>>
>> Regards, Hubert
>>
>>
>> On 31.10.23 at 19:12, Fabrice Durand wrote:
>>
>> So use this one then, it doesn't contain any references of
>> packetfence-set-tenant-id
>>
>>
>> https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/packetfence.example
>>
>>
>> On Tue, Oct 31, 2023 at 13:23, Hubert Kupper via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello,
>>>
>>>
>>> I did this and the result was the following:
>>>
>>> Oct 31 07:48:25 packetfence freeradius[14439]:
>>> /usr/local/pf/raddb/sites-enabled/packetfence[31]: Failed to find
>>> "packetfence-set-tenant-id" as a module or policy.
>>> Oct 31 07:48:25 packetfence freeradius[14439]:
>>> /usr/local/pf/raddb/sites-enabled/packetfence[31]: Please verify that the
>>> configuration exists in
>>> /usr/local/pf/raddb/mods-enabled/packetfence-set-tenant-id.
>>> Oct 31 07:48:25 packetfence freeradius[14439]:
>>> /usr/local/pf/raddb/sites-enabled/packetfence[14]: Errors parsing authorize
>>> section.
>>> Oct 31 07:48:25 packetfence systemd[1]:
>>> packetfence-radiusd-auth.service: Control process exited, code=exited,
>>> status=1/FAILURE
>>> Oct 31 07:48:25 packetfence systemd[1]:
>>> packetfence-radiusd-auth.service: Failed with result 'exit-code'.
>>> Oct 31 07:48:25 packe
>>>
>>>
>>> Regards
>>>
>>> Hubert
>>>
>>> On 30.10.23 at 14:51, Fabrice Durand via PacketFence-users wrote:
>>>
>>> Hello,
>>>
>>> it looks like the packetfence radius config didn't apply correctly.
>>>
>>> Go in /usr/local/pf/conf/radiusd/ and copy packetfence.example to
>>> packetfence and restart radiusd
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> On Mon, Oct 23, 2023 at 07:59, Hubert Kupper via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> Hi,
>>>>
>>>>
>>>> after upgrading packetfence 12.0 to 13.0 the radiusd-auth is not
>>>> starting.
>>>> Syslog shows the following message:
>>>>
>>>> root@packetfence:/var/log# tail syslog
>>>> Oct 16 12:02:52 packetfence freeradius[16268]:
>>>> /usr/local/pf/raddb/sites-enabled/packetfence[31]: Please verify that
>>>> the configuration exists in
>>>> /usr/local/pf/raddb/mods-enabled/packetfence-set-tenant-id.
>>>> Oct 16 12:02:52 packetfence freeradius[16268]:
>>>> /usr/local/pf/raddb/sites-enabled/packetfence[14]: Errors parsing
>>>> authorize section.
>>>> Oct 16 12:02:52 packetfence systemd[1]:
>>>> packetfence-radiusd-auth.service: Control process exited, code=exited,
>>>> status=1/FAILURE
>>>> Oct 16 12:02:52 packetfence systemd[1]:
>>>> packetfence-radiusd-auth.service: Failed with result 'exit-code'.
>>>> Oct 16 12:02:52 packetfence systemd[1]: Failed to start PacketFence
>>>> FreeRADIUS authentication multi-protocol authentication server.
>>>> Oct 16 12:02:52 packetfence systemd[1]:
>>>> packetfence-radiusd-auth.service: Consumed 3.891s CPU time.
>>>> Oct 16 12:02:52 packetfence systemd[1]:
>>>> packetfence-radiusd-auth.service: Scheduled restart job, restart
>>>> counter
>>>> is at 98.
>>>> Oct 16 12:02:52 packetfence systemd[1]: Stopped PacketFence FreeRADIUS
>>>> authentication multi-protocol authentication server.
>>>> Oct 16 12:02:52 packetfence systemd[1]:
>>>> packetfence-radiusd-auth.service:

Re: [PacketFence-users] Cisco CBS 220 switch with packetfence

2023-10-31 Thread Fabrice Durand via PacketFence-users
so you can try with the Cisco::Cisco_IOS_15_0 switch module and do 802.1x

On Tue, Oct 31, 2023 at 15:31, Akram Abdallah  wrote:

> It supports 802.1x without mab
>
> On Tue, 31 Oct 2023, 8:01 pm Fabrice Durand,  wrote:
>
>> does it support radius mab/802.1x ?
>>
>> On Tue, Oct 31, 2023 at 13:22, Akram Abdallah via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Is the Cisco CBS 220 switch compatible with Packetfence ?
>>>
>>


Re: [PacketFence-users] Query AzureAD Device Groups

2023-10-31 Thread Fabrice Durand via PacketFence-users
it could be something simple like allowing the graph api url to be changed in the
admin gui.
Then you would choose between a device check and a user check.



On Tue, Oct 31, 2023 at 14:17, Corey Keeling (Shared Services - Staff) <
corey.keel...@parksidecc.org.uk> wrote:

> From looking at that file you linked me to, the %username in my case is the
> AzureAD deviceID of the machine, as that's what I have set the certificate
> subject to: CN={{DeviceID}}.
>
> That graph search is looking under users, so it won’t return any groups
> for my device. It would just error out.
>
> I imagine I could change that graph query in that file to one that
> searches groups instead but would need to test.
>
> Is there any planned support for device lookup?
>
> *Corey Keeling *| *Senior IT Technician*
> --
> *From:* Fabrice Durand 
> *Sent:* Tuesday, October 31, 2023 6:06:11 PM
> *To:* packetfence-users@lists.sourceforge.net <
> packetfence-users@lists.sourceforge.net>
> *Cc:* Corey Keeling (Shared Services - Staff) <
> corey.keel...@parksidecc.org.uk>
> *Subject:* Re: [PacketFence-users] Query AzureAD Device Groups
>
>
>
> If I am not wrong the Azure AD source tests the user and not the machine
>
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Authentication/Source/AzureADSource.pm#L28
>
> Regards
> Fabrice
>
>
> On Tue, Oct 31, 2023 at 13:23, Corey Keeling (Shared Services - Staff) via
> PacketFence-users  wrote:
>
> Dear community,
>
> I have been setting up and testing out PacketFence for a number of weeks
> now and have it setup so that users can authenticate to our BYOD network
> using EAP-TLS. I also have it sort of setup to allow school azureAD devices
> to connect to our curriculum network using machine certificates. The second
> part only works if I don't set any conditions under my AzureAD
> authentication sources.
>
> I have tried to set a condition for membership of an AzureAD group using
> the memberof option, either with the Object ID of the group or its display
> name, but it doesn't seem to work. No role gets assigned so it fails to
> connect. There doesn't even seem to be any audit log of PacketFence trying
> to query a group on the app registration end.
>
>
> I know I can query the graph API via graph explorer and can find the
> groups my machine belongs to, but can PacketFence do something similar and
> if so, how?
>
> The query that I used.
>
> https://graph.microsoft.com/v1.0//devices(deviceId='{deviceid}')/memberOf
> 
>
> Regards
>
> *Corey Keeling *| *Senior IT Technician*
>


Re: [PacketFence-users] radiusd-auth not starting after upgrade from 12.0 to 13.0

2023-10-31 Thread Fabrice Durand via PacketFence-users
So use this one then, it doesn't contain any references of
packetfence-set-tenant-id

https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/packetfence.example


On Tue, Oct 31, 2023 at 13:23, Hubert Kupper via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
> I did this and the result was the following:
>
> Oct 31 07:48:25 packetfence freeradius[14439]:
> /usr/local/pf/raddb/sites-enabled/packetfence[31]: Failed to find
> "packetfence-set-tenant-id" as a module or policy.
> Oct 31 07:48:25 packetfence freeradius[14439]:
> /usr/local/pf/raddb/sites-enabled/packetfence[31]: Please verify that the
> configuration exists in
> /usr/local/pf/raddb/mods-enabled/packetfence-set-tenant-id.
> Oct 31 07:48:25 packetfence freeradius[14439]:
> /usr/local/pf/raddb/sites-enabled/packetfence[14]: Errors parsing authorize
> section.
> Oct 31 07:48:25 packetfence systemd[1]: packetfence-radiusd-auth.service:
> Control process exited, code=exited, status=1/FAILURE
> Oct 31 07:48:25 packetfence systemd[1]: packetfence-radiusd-auth.service:
> Failed with result 'exit-code'.
> Oct 31 07:48:25 packe
>
>
> Regards
>
> Hubert
>
> On 30.10.23 at 14:51, Fabrice Durand via PacketFence-users wrote:
>
> Hello,
>
> it looks like the packetfence radius config didn't apply correctly.
>
> Go in /usr/local/pf/conf/radiusd/ and copy packetfence.example to
> packetfence and restart radiusd
>
> Regards
> Fabrice
>
>
> On Mon, Oct 23, 2023 at 07:59, Hubert Kupper via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi,
>>
>>
>> after upgrading packetfence 12.0 to 13.0 the radiusd-auth is not starting.
>> Syslog shows the following message:
>>
>> root@packetfence:/var/log# tail syslog
>> Oct 16 12:02:52 packetfence freeradius[16268]:
>> /usr/local/pf/raddb/sites-enabled/packetfence[31]: Please verify that
>> the configuration exists in
>> /usr/local/pf/raddb/mods-enabled/packetfence-set-tenant-id.
>> Oct 16 12:02:52 packetfence freeradius[16268]:
>> /usr/local/pf/raddb/sites-enabled/packetfence[14]: Errors parsing
>> authorize section.
>> Oct 16 12:02:52 packetfence systemd[1]:
>> packetfence-radiusd-auth.service: Control process exited, code=exited,
>> status=1/FAILURE
>> Oct 16 12:02:52 packetfence systemd[1]:
>> packetfence-radiusd-auth.service: Failed with result 'exit-code'.
>> Oct 16 12:02:52 packetfence systemd[1]: Failed to start PacketFence
>> FreeRADIUS authentication multi-protocol authentication server.
>> Oct 16 12:02:52 packetfence systemd[1]:
>> packetfence-radiusd-auth.service: Consumed 3.891s CPU time.
>> Oct 16 12:02:52 packetfence systemd[1]:
>> packetfence-radiusd-auth.service: Scheduled restart job, restart counter
>> is at 98.
>> Oct 16 12:02:52 packetfence systemd[1]: Stopped PacketFence FreeRADIUS
>> authentication multi-protocol authentication server.
>> Oct 16 12:02:52 packetfence systemd[1]:
>> packetfence-radiusd-auth.service: Consumed 3.891s CPU time.
>> Oct 16 12:02:52 packetfence systemd[1]: Starting PacketFence FreeRADIUS
>> authentication multi-protocol authentication server...
>> root@packetfence:/var/log#
>>
>> In 12.0 all works fine.
>>
>> Regards, Hubert
>>
>
>
>
>


Re: [PacketFence-users] Cisco CBS 220 switch with packetfence

2023-10-31 Thread Fabrice Durand via PacketFence-users
does it support radius mab/802.1x ?

On Tue, Oct 31, 2023 at 13:22, Akram Abdallah via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Is the Cisco CBS 220 switch compatible with Packetfence ?
>
>


Re: [PacketFence-users] How to change the host name in PF?

2023-10-31 Thread Fabrice Durand via PacketFence-users
https://mgmt_ip:1443/admin#/configuration/general

and hostnamectl set-hostname server1

Regards
Fabrice


On Tue, Oct 31, 2023 at 13:23, Thirunavukkarasu Palanisamy via
PacketFence-users  wrote:

> Hi Team,
> Greetings of the day
> I tried to change the hostname of the PF in web-admin.
> Even after the change the hostname is shown as 'packetfence'
> How to change it?
> Thanks & Regards,
> Thirunavukkarasu
>
>
>
> *-*
> *TANUVAS*
> *The contents of this message are confidential and are not be shared with
> outside parties without prior permission*
>


Re: [PacketFence-users] Query AzureAD Device Groups

2023-10-31 Thread Fabrice Durand via PacketFence-users
If I am not wrong the Azure AD source tests the user and not the machine
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Authentication/Source/AzureADSource.pm#L28

Regards
Fabrice


On Tue, Oct 31, 2023 at 13:23, Corey Keeling (Shared Services - Staff) via
PacketFence-users  wrote:

> Dear community,
>
> I have been setting up and testing out PacketFence for a number of weeks
> now and have it setup so that users can authenticate to our BYOD network
> using EAP-TLS. I also have it sort of setup to allow school azureAD devices
> to connect to our curriculum network using machine certificates. The second
> part only works if I don't set any conditions under my AzureAD
> authentication sources.
>
> I have tried to set a condition for membership of an AzureAD group using
> the memberof option, either with the Object ID of the group or its display
> name, but it doesn't seem to work. No role gets assigned so it fails to
> connect. There doesn't even seem to be any audit log of PacketFence trying
> to query a group on the app registration end.
>
>
> I know I can query the graph API via graph explorer and can find the
> groups my machine belongs to, but can PacketFence do something similar and
> if so, how?
>
> The query that I used.
>
> https://graph.microsoft.com/v1.0//devices(deviceId='{deviceid}')/memberOf
> 
>
> Regards
>
> *Corey Keeling *| *Senior IT Technician*
>


Re: [PacketFence-users] No internet in the Registration vlan

2023-10-31 Thread Fabrice Durand via PacketFence-users
Hello,

it's normal that you don't have internet access from the registration vlan,
the goal is to hit the captive portal.

Regards
Fabrice


On Mon, Oct 30, 2023 at 06:56, Thirunavukkarasu Palanisamy via
PacketFence-users  wrote:

> Hi Team,
> Please go through the configuration
> Registration vlan 2
> Isolation vlan 3
>
> There is no internet in the registration vlan
>
> root@packetfence:~# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         172.16.10.2     0.0.0.0         UG    0      0        0 eth0
> 100.64.0.0      0.0.0.0         255.255.255.0   U     0      0        0 docker0
> link-local      0.0.0.0         255.255.255.252 U     0      0        0 TANUVASAD-b
> 172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1.2
> 172.16.3.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1.3
> 172.16.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 172.16.11.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 172.16.30.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1.30
>
> root@packetfence:~# ip route show
> default via 172.16.10.2 dev eth0 onlink
> 100.64.0.0/24 dev docker0 proto kernel scope link src 100.64.0.1
> 169.254.0.0/30 dev TANUVASAD-b proto kernel scope link src 169.254.0.2
> 172.16.2.0/24 dev eth1.2 proto kernel scope link src 172.16.2.1
> 172.16.3.0/24 dev eth1.3 proto kernel scope link src 172.16.3.1
> 172.16.10.0/24 dev eth0 proto kernel scope link src 172.16.10.103
> 172.16.11.0/24 dev eth1 proto kernel scope link src 172.16.11.10
> 172.16.30.0/24 dev eth1.30 proto kernel scope link src 172.16.30.2
>
> IP assigned by the PF DHCP to the clients in the registration vlan.
> any help would be greatly appreciated
> --
> Thanks & Regards,
> Thirunavukkarasu
>
>
>
> *-*
> *TANUVAS*
> *The contents of this message are confidential and are not be shared with
> outside parties without prior permission*
>


Re: [PacketFence-users] radiusd-auth not starting after upgrade from 12.0 to 13.0

2023-10-30 Thread Fabrice Durand via PacketFence-users
Hello,

it looks like the packetfence radius config didn't apply correctly.

Go in /usr/local/pf/conf/radiusd/ and copy packetfence.example to
packetfence and restart radiusd

Regards
Fabrice


On Mon, Oct 23, 2023 at 07:59, Hubert Kupper via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
>
> after upgrading packetfence 12.0 to 13.0 the radiusd-auth is not starting.
> Syslog shows the following message:
>
> root@packetfence:/var/log# tail syslog
> Oct 16 12:02:52 packetfence freeradius[16268]:
> /usr/local/pf/raddb/sites-enabled/packetfence[31]: Please verify that
> the configuration exists in
> /usr/local/pf/raddb/mods-enabled/packetfence-set-tenant-id.
> Oct 16 12:02:52 packetfence freeradius[16268]:
> /usr/local/pf/raddb/sites-enabled/packetfence[14]: Errors parsing
> authorize section.
> Oct 16 12:02:52 packetfence systemd[1]:
> packetfence-radiusd-auth.service: Control process exited, code=exited,
> status=1/FAILURE
> Oct 16 12:02:52 packetfence systemd[1]:
> packetfence-radiusd-auth.service: Failed with result 'exit-code'.
> Oct 16 12:02:52 packetfence systemd[1]: Failed to start PacketFence
> FreeRADIUS authentication multi-protocol authentication server.
> Oct 16 12:02:52 packetfence systemd[1]:
> packetfence-radiusd-auth.service: Consumed 3.891s CPU time.
> Oct 16 12:02:52 packetfence systemd[1]:
> packetfence-radiusd-auth.service: Scheduled restart job, restart counter
> is at 98.
> Oct 16 12:02:52 packetfence systemd[1]: Stopped PacketFence FreeRADIUS
> authentication multi-protocol authentication server.
> Oct 16 12:02:52 packetfence systemd[1]:
> packetfence-radiusd-auth.service: Consumed 3.891s CPU time.
> Oct 16 12:02:52 packetfence systemd[1]: Starting PacketFence FreeRADIUS
> authentication multi-protocol authentication server...
> root@packetfence:/var/log#
>
> In 12.0 all works fine.
>
> Regards, Hubert
>
>


Re: [PacketFence-users] PEAP-TLS Get's seen as EAP Mschapv2 without password.

2023-10-30 Thread Fabrice Durand via PacketFence-users
Hello,
is it possible to run raddebug and have the output ?

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

Thanks
Fabrice


On Mon, Oct 30, 2023 at 06:56, Anton Palmgård via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> *From:* Anton.P 
> *Sent:* Wednesday, October 18, 2023 10:33 PM
> *To:* PacketFence-users@lists.sourceforge.net <
> packetfence-users@lists.sourceforge.net>
> *Subject:* Re: PEAP-TLS Get's seen as EAP Mschapv2 without password.
>
> If i disable mschap i get
> eap: Tried to start unsupported EAP type MSCHAPv2 (26)
>
> The client is NOT configured wrong. We use PEAP-TLS at more or less all of
> our customers and the profile works fine with NPS on the same sites but
> want to migrate to Packetfence.
>
> BR,
> Anton.
>
> --
> *From:* Anton.P 
> *Sent:* Wednesday, October 18, 2023 10:20 PM
> *To:* PacketFence-users@lists.sourceforge.net <
> packetfence-users@lists.sourceforge.net>
> *Subject:* PEAP-TLS Get's seen as EAP Mschapv2 without password.
>
> Hi, i wonder if you've seen this...
>
> My issue is that setting Radius to PEAP-TLS.
>
> Setting Client to PEAP-TLS works fine with NPS , but with packetfence only
> EAP-TLS works. Trying to Connect with PEAP-TLS gives the following in the
> logs:
>
> "
> Reason
> VADV: Attribute "User-Password" is required for authentication"
>
> Oct 18 22:14:11 pf-1 auth[17079]: (21) Login incorrect (VADV: Attribute
> "User-Password" is required for authentication): [
> fetakun...@gabenpirates.com] (from client 10.4.10.211/32 port 0 cli
> 50:c2:e8:d6:69:cf via TLS tunnel)
> Oct 18 22:14:11 pf-1 auth[17079]: (23) Login incorrect (eap_peap: The
> users session was previously rejected: returning reject (again.)): [
> fetakun...@gabenpirates.com] (from client 10.4.10.211/32 port 0 cli
> 50:c2:e8:d6:69:cf)
>
>
>


Re: [PacketFence-users] VL: PF-Newbie: Radius MAC -Auth and RADIUS debug config

2023-10-23 Thread Fabrice Durand via PacketFence-users
Hello Jori,

you can use raddebug for that:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

Regards
Fabrice


On Mon, Oct 23, 2023 at 08:00, Jori Luoto via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello everybody,
>
>
> I installed Packetfence three weeks ago on Centos 8 Stream via yum
> without any visible problems, the initial configuration steps went ok and the UI
> works fine with no visible errors around.
>
> FreeRadius talks with the switch ok (for example switch cli login works fine
> on Aruba AOS-CX) but mac auth seems to be problematic and I suppose
> either some of the attributes are in the wrong format or maybe some attributes
> do not go out to the switch.
>
> How can I start internal Radius with -X to debug what’s going on there?
>
>
> Regs
> -Jori Luoto-
>
>


Re: [PacketFence-users] PacketFence - nodes with fixed ip

2023-08-02 Thread Fabrice Durand via PacketFence-users
Hello Daniel,

you can probably rely on the radius accounting.
Activate it and see if the ip address of the device appear in the request.
If it's the case then enable update iplog on radius accounting in
PacketFence.

Regards
Fabrice


On Wed, Aug 2, 2023 at 10:04, Krüger, Daniel via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> currently I am using a commercial radius solution; the license will expire
> in some months.
>
>
>
> At the moment the radius is used in order to provide the correct vlans,
> based on client MACs, the clients have fixed and dynamic ip’s.
>
>
>
> Nodes with fixed IPs don't show their names and IPs in the node view.
>
>
>
> What is the recommended procedure for nodes with fixed IPs, in order to
> show those details on the nodes page?
>
>
>
>
>
>
>
> Best regards
>
>
>
> Daniel Krüger
>
>
>
>
>


Re: [PacketFence-users] Help on AD and Realms conf on PF cluster

2023-06-22 Thread Fabrice Durand via PacketFence-users
Hello Adrian,

in fact when the doc says to join, it means a samba join.
So each server needs to be joined to the domain (you should see a machine
account for each of them in the AD).

Regards
Fabrice


On Thu, Jun 22, 2023 at 11:54, Adrian Dessaigne via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello team !
>
> I have recently set up a new instance of PacketFence which has 3 servers
> and is clustered using the "Clustering Guide".
> It works well and there are no issues with syncing. However I'm confused on how you're
> supposed to configure the AD and the Realms on a cluster setup.
>
> In the install documentation, it's mentioned: "If you are using an
> Active/Active cluster, each member of the cluster must be joined
> separately. Please follow the instructions in the PacketFence Clustering
> Guide."
> But on the clustering guide : "Next, make sure to join domains through
> Configuration → Policies And Access Control → Domains → Active Directory
> Domains on each node"
>
> At first I thought the AD Domains configs weren't synchronised but they are.
> So am I supposed to add a domain for each server? (if I only add one,
> sync, and then join one by one, the previous servers lose the link and
> the join doesn't work anymore).
>
> If I have to add 3 domains configuration, one for each server, how do I
> configure the realms since I can only bind one domain ?
>
> I tested a few configuration but none are suitable.
>
> What is the best practice and what's the good way to configure the AD +
> Realms on a cluster ?
>
> Thanks a lot for your answers.
> Greats,
> Adrian.
>


Re: [PacketFence-users] freeRADIUS Migration - PacketFence Deployment

2023-05-26 Thread Fabrice Durand via PacketFence-users
Hello Cory,

Yes, of course you can use PacketFence local authentication without any
Windows AD integration.
There are multiple ways but the simplest is to use the local PacketFence
database to authenticate the users.
It's also possible to interact with a LDAP server to do the 802.1x
authentication and PacketFence also provides an internal PKI to do eap-tls
auth.

For the "Authentication Source RADIUS", it depends how you use it, if it's
on the portal then it will do PAP authentication, but you can also use the
RADIUS source in the REALM section to proxy the request to another server.

Btw I don't see any blocking point for you to use PacketFence, but I
recommend starting with something simple (like mac-auth + portal then
802.1x after).

Regards
Fabrice



On Fri, May 26, 2023 at 15:13, Cory White via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello -
>
> I've followed packetfence since 2015 but we never fully adopted its
> feature sets due to various reasons. Our original interest was for Captive
> Portals - but at the time it felt like overkill and we did not want in-band
> switch port management to deploy a simple 'coffee shop' portal.
>
> Times have changed and personally I thought Captive Portals would have
> died off in requests by now but they are more prevalent now than ever with
> BYOD and user-initiated on-boarding.
>
> Since COVID we have shifted into various vertical markets and are finding
> the need to consolidate our deployments into a more scalable
> resource/deployment for various installs in these markets. Our requirements
> -
>
>- Portal Page and User management - whether manually onboarded/import
>and/or through user initiated portal pages.
>- MAC bypass - manually bypass portals for authorized MAC identified
>hosts. If there is a user onboarding for this as well through already AUTH
>credentials that is a plus.
>- 802.1X auth for dynamically assigned VLANs (w/ and w/o MAC
>filtering) over wireless only - mix of vendors Unifi, Peplink, Cisco,
>Meraki, etc. Common thread is that all are managed through a controller -
>no autonomous APs.
>
> We currently employ Mikrotik hotspots and Peplink InControl portals -
> depending on the installation router. User accounts are added via script,
> API, ssh, etc manually not by a user request/portal interaction. All
> dynamic VLAN assignments/RADIUS attributes (radchecks, radreply,
> radgroupreply,etc) are handled in freeRADIUS based on user credentials -
> typically only a couple VLAN options, most of these installs have no more
> than 5 total VLANs.
>
> I've spun up a VM of 12.2, the maturation is impressive but documentation
> for our actual deployment needs to migrate from freeRADIUS stand-alone DB
> is non-existent - at least from my searching in the last week. I understand
> the concepts (I believe), my big question is using just 'local to
> Packetfence install' freeRADIUS possible as AUTH? We do not deploy
> anything Windows based - we are a UNIX/Open-Source/In-house DEV company. So
> AD is not an option, we do have some LDAP/freeRADIUS servers running for
> internal use (linux) but don't want to expose that cluster to end user
> accounts. I feel that the current version will suit our needs to do what we
> want for the most part and give us a unified platform; but can't really
> seem to find any documentation to move forward on testing.
>
> Specific to "Authentication Source RADIUS' - docs seem to skim over this
> as an option or its possible I need to be looking elsewhere? Any direction
> is appreciated - I've been testing with UniFi (which I know Ubiquiti has
> its own issues), I see it's a recent integration as well. I can see request
> come in but always rejected auth in wrong eap/mshcap (even though I've
> removed them as auth options). I also see my Internal RADIUS source
> constantly in 'wrong shared secret' ( client localhost).
>
> I'm going to migrate to a Cisco test lab to verify its not a tunnel,
> remote resource issue and keep everything in the same subnet (nodes/nas).
>
> Thank you for any assistance -
>
> Cory White
>
> Senior Network Engineer
> 904-735-1600
> c...@xpodigital.com
> www.xpodigital.com
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] (no subject)

2023-05-09 Thread Fabrice Durand via PacketFence-users
Hello,

what you can do is just to set -1 in the registration role (switch config),
then unregistered devices will be rejected.

Regards
Fabrice


On Tue, 9 May 2023 at 08:27, Mhmt U via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi All,
>
>
>
> I'm trying to configure packetfence so that non-authenticated users aren't
> allowed in policies. I couldn't find a clear way to do it. Could you pls share
> with me the right document for it.
>
> For example, if a user/pc can’t authenticate from active directory, switch
> shouldn’t allow the pc. Or if mab doesn’t authenticate the pc, switch
> should block the port.
>
> Environment: packetfence with radius, Huawei switch 5700 series
>
>
>
> Kindly,
>
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Captive Portal and DACLs problems on version 12.2 (Aruba 2930M)

2023-05-09 Thread Fabrice Durand via PacketFence-users
Hello Yassine,

I backported a fix for that on 12.2 , the new package should be available
tomorrow.

Regards
Fabrice


On Tue, 9 May 2023 at 08:28, TISSIR, Yassine via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Still stuck on the same problem
> Any suggestion would be really appreciated
>
> On Mon, 3 Apr 2023 at 23:20, TISSIR, Yassine <56...@etu.he2b.be> wrote:
>
>> Hello everyone ,
>> I'm currently testing packetfence for my company. I started with version
>> 11.2 but I decided to upgrade to 12.2 because of an issue that I think
>> prevented getting the captive portal to work in vlan enforcement mode (A
>> guest computer placed in the registration VLAN was redirected to
>> "packetfence.domain/captive-portal" that points to  66.70.255.147 but the
>> page was loading indefinitely). The problem is that after the update I have
>> the following error when trying to save ACLs for registration VLAN:
>>
>>  "AccessListMapping.0.accesslist: WARNING: Syntax error in
>> ACL:packetfence, near: >in<.
>> "config/switch/192.168.1.10"
>>
>> I also had an AD authentication source for the domain computers that
>> worked fine before the update, but stopped working now (Audit tab shows
>> successful authentications, but the computers don't get internet access
>> anymore).
>>
>> Here is my switches.conf :
>>
>> [default]
>> description=aruba sw
>> VlanMap=N
>> ExternalPortalEnforcement=Y
>> deauthOnPrevious=N
>> [192.168.1.10]
>> group=default
>> description=ARUBA 2930
>> wsPwd=xx
>> wsUser=xx
>> SNMPPrivProtocolWrite=md5
>> SNMPPrivProtocolRead=md5
>> SNMPAuthProtocolRead=md5
>> SNMPAuthProtocolWrite=md5
>> SNMPUserNameWrite=xx
>> SNMPVersion=3
>> SNMPUserNameRead=xx
>> SNMPAuthPasswordWrite=xx
>> SNMPAuthPasswordRead=xx
>> SNMPPrivPasswordRead=xx
>> SNMPPrivPasswordWrite=xx
>> SNMPEngineID=xx
>> SNMPPrivProtocolTrap=AES
>> SNMPUserNameTrap=xx
>> SNMPAuthProtocolTrap=md5
>> SNMPVersionTrap=3
>> SNMPAuthPasswordTrap=xx
>> SNMPPrivPasswordTrap=xx
>> guestVlan=10
>> defaultVlan=10
>> registrationVlan=20
>> type=Aruba::2930M
>> radiusSecret=xx
>> VlanMap=Y
>> coaPort=3799
>> isolationVlan=99
>> UserVlan=10
>> macDetectionVlan=20
>> ExternalPortalEnforcement=N
>> registrationUrl=http://192.168.1.4/Aruba::2930M
>> UrlMap=Y
>> AccessListMap=Y
>>
>>
>> The ACLS that I try to save are the one from the Network Devices
>> Configuration Guide for Aruba 2930 switch:
>>
>> permit in tcp from any to 192.168.1.4 80
>> permit in tcp from any to 192.168.1.4 443
>> deny in tcp from any to any 80 cpy
>> deny in tcp from any to any 443 cpy
>> permit in udp from any to any 53
>> permit in udp from any to any 67
>>
>> Any help would be really appreciated
>>
>>
>>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-28 Thread Fabrice Durand via PacketFence-users
Hello guys,

the issue looks to be the REST-Http-Status-Code and it should be 401.

I have checked the code and it looks to be ok.

Here (
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/radius.pm#L1045)
we return $RADIUS::RLM_MODULE_FAIL which should return a 401 (
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/radius/rest.pm#L53
)

I have to try to replicate it and I will be back to you.

Regards
Fabrice

On Fri, 28 Apr 2023 at 13:43, IT Mercenary via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Happy Friday!
>
> Using /usr/local/pf/bin/pftest authentication USERNAME  "", I can see that
> the user is matching the deny rule as desired.
>
> [image: image.png]
>
> Here is a screenshot of the authentication.conf file. I think this
> contains the relevant parts but let me know if I should send you the whole
> file.
>
> [image: image.png]
>
> Thanks!
>
> On Fri, Apr 28, 2023 at 5:29 AM Zammit, Ludovic 
> wrote:
>
>> Hello,
>>
>> You could use the command:
>>
>> /usr/local/pf/bin/pftest authentication USERNAME  ""
>>
>> You will see if you match properly your rule, it should bring
>> Administration right.
>>
>> Could you show me your conf/authentication.conf?
>>
>> Thanks,
>>
>> *Ludovic Zammit*
>> *Product Support Engineer Principal Lead*
>> *Cell:* +1.613.670.8432
>> Akamai Technologies - Inverse
>> 145 Broadway
>> Cambridge, MA 02142
>>
>> On Apr 27, 2023, at 7:41 PM, IT Mercenary 
>> wrote:
>>
>> Hi All,
>>
>> I'm hoping for some guidance on how to change the Radius Reply for CLI
>> authentication when users are not a member of the specified group. The
>> group is being matched as the RADIUS reply indicates the right
>> administration rule is being matched (catch all).
>>
>> The behavior I was getting:
>>
>> 
>>
>> 
>>
>> Compared to what I'm getting now:
>> 
>>
>> 
>> Thanks!
>>
>> On Mon, Apr 24, 2023 at 6:45 AM IT Mercenary 
>> wrote:
>>
>>> Hi Ludovic,
>>>
>>> I've changed the group to use DN and equal, but I'm getting the same
>>> results. Is there a way to customize the behavior when an administrative
>>> user is authenticated but not authorized?
>>>
>>> Thanks!
>>>
>>> On Mon, Apr 24, 2023 at 5:32 AM Zammit, Ludovic 
>>> wrote:
>>>
 Hello there,

 It looks like the match regex operator does not work properly; in order
 to have a good match, use the DistinguishedName of the group object in the AD
 in combination with the operator equals

 Memberof equals CN=MyGroup,OU=domain,OU=com

 Thanks,



 *Ludovic Zammit*
 *Product Support Engineer Principal Lead*
 *Cell:* +1.613.670.8432
 Akamai Technologies - Inverse
 145 Broadway
 Cambridge, MA 02142

 On Apr 21, 2023, at 1:45 PM, IT Mercenary via PacketFence-users <
 packetfence-users@lists.sourceforge.net> wrote:

 Hello,

 I have an administration rule for switch CLI access that is producing
 different results for users that are not a member of an AD group. Both
 switches are in a switch group with type based on the standard Cisco
 template. The desired result is being produced on appliance version 12.1.0
 and the undesired result on v12.2.0.

 *Administration Rules*
 

 *v12.1.0 Results*
 
 RADIUS Tab:
 

 *v12.2.0 Results*
 

 RADIUS Tab:
 


 Thanks!
 ___
 PacketFence-users mailing list
 PacketFence-users@lists.sourceforge.net

 https://lists.sourceforge.net/lists/listinfo/packetfence-users



>> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net

Re: [PacketFence-users] 802.1X fails authentication - No role computed by any sources - registration failed

2023-04-18 Thread Fabrice Durand via PacketFence-users
ah ah there is a guy who replied on reddit
https://www.reddit.com/r/PacketFence/comments/12pw62q/8021x_fails_authentication_no_role_computed_by/

On Tue, 18 Apr 2023 at 18:09, Dan Clancey via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello -
>
> I am currently in the process of evaluating packetfence as a NAC solution
> and am following the installation guide at
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html to
> get started.
>
> After completing the steps in "Section 5: Getting Started." I connected a
> laptop to the configured switchport and the network adapter in windows
> states "Authentication Failed."
> I have confirmed that packetfence successfully joined the Domain and that
> the Authentication Source tests successfully.The sAMAccountName in AD
> matches DOMAIN\UserName listed below.
>
> When I check auditing I get the following information:
>
>> 04/17/2023 03:35 PM Accept 10.7.14.16 Unregistered b445065c08d7 10.248.0.5
>> 04/17/2023 03:35 PM Reject 10.7.14.16
>> Unregistered DOMAIN\UserName  10.248.0.5
>> 04/17/2023 03:35 PM Reject 10.7.14.16
>> Unregistered DOMAIN\UserName  10.248.0.5
>
>
> here is the output from packetfence.log:
>
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip
>> => (10.248.0.5), connection_type => Ethernet-EAP,switch_mac =>
>> (28:34:a2:1a:56:b0), mac => [b4:45:06:5c:08:d7], port => 10148, username =>
>> "DOMAIN\UserName" (pf::radius::authorize)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] Instantiate profile 8021x
>> (pf::Connection::ProfileFactory::_from_profile)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] Found authentication source(s) : 'DC01' for
>> realm 'default' (pf::config::util::filter_authentication_sources)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] Using sources DC01 for matching
>> (pf::authentication::match2)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> WARN: [mac:b4:45:06:5c:08:d7] [DC01 catchall] Searching for
>> (sAMAccountName= DOMAIN\UserName  ), from DC=domain,DC=local, with scope
>> sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] No rules matches or no category defined for
>> the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> WARN: [mac:b4:45:06:5c:08:d7] No category computed for autoreg
>> (pf::role::getNodeInfoForAutoReg)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> WARN: [mac:b4:45:06:5c:08:d7] No role specified or found for pid
>> DOMAIN\UserName  (MAC b4:45:06:5c:08:d7); assume maximum number of
>> registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> ERROR: [mac:b4:45:06:5c:08:d7] no role computed by any sources -
>> registration of b4:45:06:5c:08:d7 to  DOMAIN\UserName  failed
>> (pf::registration::setup_node_for_registration)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> ERROR: [mac:b4:45:06:5c:08:d7] auto-registration of node failed no role
>> computed by any sources (pf::radius::authorize)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> ERROR: [mac:b4:45:06:5c:08:d7] Database query failed with non retryable
>> error: Cannot add or update a child row: a foreign key constraint fails
>> (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`pid`) REFERENCES `person`
>> (`pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO
>> `node` ( `autoreg`, `bandwidth_balance`, `bypass_acls`, `bypass_role_id`,
>> `bypass_vlan`, `category_id`, `computername`, `detect_date`,
>> `device_class`, `device_manufacturer`, `device_score`, `device_type`,
>> `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`,
>> `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`,
>> `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`,
>> `sessionid`, `status`, `time_balance`, `unregdate`, `user_agent`, `voip`)
>> VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
>> ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?,
>> `last_seen` = ?, `pid` = ?]{yes, NULL, NULL, NULL, NULL, NULL, NULL,
>> 2023-04-17 14:46:50, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
>> -00-00 00:00:00, -00-00 00:00:00, 2023-04-17 15:35:12, -00-00
>> 00:00:00, b4:45:06:5c:08:d7, NULL, NULL,  DOMAIN\UserName , -00-00
>> 00:00:00, NULL, unreg, NULL, -00-00 00:00:00, NULL, no, yes, 2023-04-17
>> 15:35:12,  DOMAIN\UserName } (

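As an added example (not from the thread, and not PacketFence code), a small Python diagnostic that parses the packetfence.log lines quoted above, pulls out the LDAP search the DC01 source issued, and flags the two properties of the searched value that are visible in the log and that a bare sAMAccountName never has: a DOMAIN\ prefix and surrounding whitespace. The log excerpt is a constructed, shortened copy of the quoted lines; the regexes match only the message formats shown there.

```python
import re

# Constructed, shortened copy of the packetfence.log lines quoted in the thread:
# the authorize request, the LDAP search issued by the DC01 source, and the
# resulting "no role computed" error. Raw string: the username has a backslash.
SAMPLE_LOG = r"""
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip => (10.248.0.5), connection_type => Ethernet-EAP,switch_mac => (28:34:a2:1a:56:b0), mac => [b4:45:06:5c:08:d7], port => 10148, username => "DOMAIN\UserName" (pf::radius::authorize)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) WARN: [mac:b4:45:06:5c:08:d7] [DC01 catchall] Searching for (sAMAccountName= DOMAIN\UserName  ), from DC=domain,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) INFO: [mac:b4:45:06:5c:08:d7] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7) ERROR: [mac:b4:45:06:5c:08:d7] no role computed by any sources - registration of b4:45:06:5c:08:d7 to  DOMAIN\UserName  failed (pf::registration::setup_node_for_registration)
"""

# The "Searching for (attr=value), from base, with scope s" line logged by
# the LDAP/AD source. The value is captured verbatim, padding included.
SEARCH_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] \[(?P<source>[^\]]+?) (?P<rule>\S+)\] "
    r"Searching for \((?P<attr>[A-Za-z0-9]+)=(?P<value>[^)]*)\), "
    r"from (?P<base>.*?), with scope (?P<scope>\w+)"
)

# The error that ends auto-registration when no source produced a role.
NO_ROLE_RE = re.compile(r"\[mac:(?P<mac>[0-9a-f:]{17})\] no role computed by any sources")


def parse_ldap_searches(log_text):
    """Return one dict (mac, source, rule, attr, value, base, scope) per logged LDAP search."""
    searches = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            searches.append(m.groupdict())
    return searches


def diagnose_search_value(value):
    """Return finding codes explaining why the searched value cannot equal a
    plain sAMAccountName (empty list when nothing stands out)."""
    findings = []
    if value != value.strip():
        findings.append("whitespace")      # the filter compares the literal padding
    if "\\" in value.strip():
        findings.append("domain-prefix")   # DOMAIN\user is not the bare account name
    if "@" in value:
        findings.append("upn-form")        # user@domain lives in userPrincipalName
    return findings


def bare_account_name(value):
    """Strip padding and a DOMAIN\\ prefix, giving what AD stores in sAMAccountName."""
    name = value.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    return name


def find_role_failures(log_text):
    """MACs for which PacketFence logged 'no role computed by any sources'."""
    macs = []
    for line in log_text.splitlines():
        m = NO_ROLE_RE.search(line)
        if m:
            macs.append(m.group("mac"))
    return macs


def report(log_text):
    """Map each failed MAC to the LDAP searches made for it and their findings."""
    failures = set(find_role_failures(log_text))
    out = {}
    for s in parse_ldap_searches(log_text):
        if s["mac"] in failures:
            out.setdefault(s["mac"], []).append({
                "source": s["source"],
                "filter": f'({s["attr"]}={s["value"]})',
                "findings": diagnose_search_value(s["value"]),
                "expected_name": bare_account_name(s["value"]),
            })
    return out


if __name__ == "__main__":
    for mac, searches in report(SAMPLE_LOG).items():
        print(f"{mac}: auto-registration failed")
        for s in searches:
            print(f"  {s['source']} searched {s['filter']!r}: "
                  f"{', '.join(s['findings']) or 'no obvious issue'} "
                  f"(bare name would be {s['expected_name']!r})")
```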
Re: [PacketFence-users] greenbone-openvas integration no more possible?

2023-04-18 Thread Fabrice Durand via PacketFence-users
Hum yes, it's been a while since we tested that, so the newest version is
not supported.

On Tue, 18 Apr 2023 at 18:08, sgiops sgiops via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello
>
> The PF documentation is still reporting that openvas is supported and the
> communication between PF end openvas still happens using the omp protocol.
> However greenbone use now a new communication protocol (gmp) so i suppose
> that is no more possible to integrate openvas with PF.
> Is that right?
>
> Regards
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] FW: winbox radius login

2023-04-05 Thread Fabrice Durand via PacketFence-users
I mean on the client side.

On Wed, 5 Apr 2023 at 04:25, Артур Беляков  wrote:

> turned off ms-chapv2, but the error did not change
>
>
>
> --
> *From:* Fabrice Durand 
> *Sent:* 4 April 2023 18:26:41
> *To:* Артур Беляков
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] FW: winbox radius login
>
> it looks like it's mschapv2 authentication, which is why it tries to use
> ntlm_auth.
> If you can, change it to pap to test.
>
>
> On Tue, 4 Apr 2023 at 10:58, Артур Беляков  
> wrote:
>
>> I set up an AD authentication source, is that not enough to work? h3c
>> authentication works
>> --
>> *From:* Fabrice Durand 
>> *Sent:* 4 April 2023 17:25:23
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Артур Беляков
>> *Subject:* Re: [PacketFence-users] FW: winbox radius login
>>
>> Hello,
>>
>> ntlm_auth is not able to communicate with winbindd, did you join the
>> server to the domain ?
>>
>> Regards
>> Fabrice
>>
>>
>> On Tue, 4 Apr 2023 at 10:19, Артур Беляков via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>>
>>>
>>> hi, I'm trying to make authorization on winbox through AD, but it gives
>>> an error.
>>>
>>> I chose PacketFence::Standard as the type
>>>
>>> RADIUS Request
>>> MS-CHAP-Challenge = 0x61b729dbe6749d5eceae28b535d5255a NAS-Identifier =
>>> "" MS-CHAP2-Response =
>>> 0x8fd97b711e5af49f968d966fbc47bdb61f8960fe5945b6a9a52e332ff3993878bc91c9db6e2b68f9
>>>
>>> Realm = "null" FreeRADIUS-Client-IP-Address = Event-Timestamp = "Apr 4
>>> 2023 14:41:50 MSK"
>>> PacketFence-Radius-Ip = "" PacketFence-KeyBalanced =
>>> "26ac71433b08f7e8d7b2457e1f5c41ba" PacketFence-NTLMv2-Only = ""
>>> NAS-IP-Address = Stripped-User-Name = "" Calling-Station-Id = ""
>>> Service-Type = Login-User User-Name = ""
>>> Module-Failure-Message = "Failed retrieving values required to evaluate
>>> condition" Module-Failure-Message = "mschap: Program returned code (1) and
>>> output 'Reading winbind reply failed! (0xc001)'" Module-Failure-Message
>>> = "mschap: Reading winbind reply failed! (0xc001)" User-Password =
>>> "**" SQL-User-Name = ""
>>> RADIUS Reply
>>> MS-CHAP-Error = "\000E=691 R=0 C=8e9cadc84bb85e593454b1872b20fe77 V=3
>>> M=Authentication failed"
>>>
>>> ___
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] FW: winbox radius login

2023-04-05 Thread Fabrice Durand via PacketFence-users
it looks like it's mschapv2 authentication, which is why it tries to use
ntlm_auth.
If you can, change it to pap to test.


On Tue, 4 Apr 2023 at 10:58, Артур Беляков  wrote:

> I set up an AD authentication source, is that not enough to work? h3c
> authentication works
> --
> *From:* Fabrice Durand 
> *Sent:* 4 April 2023 17:25:23
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Артур Беляков
> *Subject:* Re: [PacketFence-users] FW: winbox radius login
>
> Hello,
>
> ntlm_auth is not able to communicate with winbindd, did you join the
> server to the domain ?
>
> Regards
> Fabrice
>
>
> On Tue, 4 Apr 2023 at 10:19, Артур Беляков via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>>
>>
>> hi, I'm trying to make authorization on winbox through AD, but it gives
>> an error.
>>
>> I chose PacketFence::Standard as the type
>>
>> RADIUS Request
>> MS-CHAP-Challenge = 0x61b729dbe6749d5eceae28b535d5255a NAS-Identifier =
>> "" MS-CHAP2-Response =
>> 0x8fd97b711e5af49f968d966fbc47bdb61f8960fe5945b6a9a52e332ff3993878bc91c9db6e2b68f9
>>
>> Realm = "null" FreeRADIUS-Client-IP-Address = Event-Timestamp = "Apr 4
>> 2023 14:41:50 MSK"
>> PacketFence-Radius-Ip = "" PacketFence-KeyBalanced =
>> "26ac71433b08f7e8d7b2457e1f5c41ba" PacketFence-NTLMv2-Only = ""
>> NAS-IP-Address = Stripped-User-Name = "" Calling-Station-Id = ""
>> Service-Type = Login-User User-Name = ""
>> Module-Failure-Message = "Failed retrieving values required to evaluate
>> condition" Module-Failure-Message = "mschap: Program returned code (1) and
>> output 'Reading winbind reply failed! (0xc001)'" Module-Failure-Message
>> = "mschap: Reading winbind reply failed! (0xc001)" User-Password =
>> "**" SQL-User-Name = ""
>> RADIUS Reply
>> MS-CHAP-Error = "\000E=691 R=0 C=8e9cadc84bb85e593454b1872b20fe77 V=3
>> M=Authentication failed"
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] FW: winbox radius login

2023-04-04 Thread Fabrice Durand via PacketFence-users
Hello,

ntlm_auth is not able to communicate with winbindd, did you join the server
to the domain?

Regards
Fabrice


On Tue, 4 Apr 2023 at 10:19, Артур Беляков via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

>
>
> hi, I'm trying to make authorization on winbox through AD, but it gives an
> error.
>
> I chose PacketFence::Standard as the type
>
> RADIUS Request
> MS-CHAP-Challenge = 0x61b729dbe6749d5eceae28b535d5255a NAS-Identifier = ""
> MS-CHAP2-Response =
> 0x8fd97b711e5af49f968d966fbc47bdb61f8960fe5945b6a9a52e332ff3993878bc91c9db6e2b68f9
>
> Realm = "null" FreeRADIUS-Client-IP-Address = Event-Timestamp = "Apr 4
> 2023 14:41:50 MSK"
> PacketFence-Radius-Ip = "" PacketFence-KeyBalanced =
> "26ac71433b08f7e8d7b2457e1f5c41ba" PacketFence-NTLMv2-Only = ""
> NAS-IP-Address = Stripped-User-Name = "" Calling-Station-Id = ""
> Service-Type = Login-User User-Name = ""
> Module-Failure-Message = "Failed retrieving values required to evaluate
> condition" Module-Failure-Message = "mschap: Program returned code (1) and
> output 'Reading winbind reply failed! (0xc001)'" Module-Failure-Message
> = "mschap: Reading winbind reply failed! (0xc001)" User-Password =
> "**" SQL-User-Name = ""
> RADIUS Reply
> MS-CHAP-Error = "\000E=691 R=0 C=8e9cadc84bb85e593454b1872b20fe77 V=3
> M=Authentication failed"
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] After restart of server packetfence service can never start

2023-04-04 Thread Fabrice Durand via PacketFence-users
Hello Filip,
do you have more logs to provide?
For example, run journalctl -f and paste the output.

Regards
Fabrice


On Tue, 4 Apr 2023 at 10:18, Filip Miskic via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I'm using Debian 11 from AWS to spin up an instance of packetfence. I get
> to the end and it works no problem. Once the server is restarted I get.
>
> Can't connect to pfconfig on containers-gateway.internal:4 : Invalid
> argument
> -e(1703) ERROR: [1680535334.98744] Failed to connect to config service for
> namespace config::Pf()
>
> Not really sure what's going on. I've tried resetting the
> packetfence-config service as well as mariadb.
>
> Thanks.
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Job for packetfence-radiusd-eduroam.service failed because the control process exited with error code

2023-04-04 Thread Fabrice Durand via PacketFence-users
Hello,
you still have something listening on port 11812; can you run this to see
what process is using it?

netstat -nlp| grep 11812

Regards
Fabrice


On Tue, 4 Apr 2023 at 10:19, P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Team,
> Greetings of the day
>
> root@packetfence:~# /usr/local/pf/bin/pfcmd service radiusd restart
> Service StatusPID
> Checking configuration sanity...
> WARNING - internal network(s) not defined!
> packetfence-radiusd-auth.servicestarted   153248
> packetfence-radiusd-load_balancer.service   Service disabled
> packetfence-radiusd-acct.serviceService disabled
> *Job for packetfence-radiusd-eduroam.service failed because the control
> process exited with error code.*
> See "systemctl status packetfence-radiusd-eduroam.service" and "journalctl
> -xe" for details.
> packetfence-radiusd-eduroam.service stopped   0
> packetfence-radiusd-cli.service Service disabled
> root@packetfence:~#
>
> *The following is the log of the radius - eduroam*
> Apr  4 13:13:09 packetfence eduroam[153693]: Ignoring "response_window =
> 20.00", forcing to "response_window = 10.00"
> Apr  4 13:13:09 packetfence eduroam[153693]: Ignoring "response_window =
> 30.00", forcing to "response_window = 10.00"
> Apr  4 13:13:09 packetfence eduroam[153693]: Ignoring "response_window =
> 30.00", forcing to "response_window = 10.00"
> Apr  4 13:13:09 packetfence eduroam[153693]: Ignoring "response_window =
> 30.00", forcing to "response_window = 10.00"
> Apr  4 13:13:09 packetfence eduroam[153693]: Debugger not attached
> Apr  4 13:13:09 packetfence eduroam[153693]: systemd watchdog interval is
> 5.00 secs
> Apr  4 13:13:09 packetfence eduroam[153693]: Perl version: 5.32.0
> Apr  4 13:13:09 packetfence eduroam[153693]: Perl version: 5.32.0
> Apr  4 13:13:09 packetfence eduroam[153693]: Perl version: 5.32.0
> Apr  4 13:13:09 packetfence eduroam[153693]: Perl version: 5.32.0
> Apr  4 13:13:09 packetfence eduroam[153693]: Perl version: 5.32.0
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_redis: libhiredis
> version: 0.14.1
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_redis: libhiredis
> version: 0.14.1
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_sql (sql): Driver
> rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_sql (pfguest): Driver
> rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_sql (pfsponsor): Driver
> rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_sql (pfsms): Driver
> rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_sql (pflocal): Driver
> rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_sql (sql_reject): Driver
> rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_sql (sql_degraded):
> Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_rest: libcurl version:
> libcurl/7.74.0 OpenSSL/1.1.1n zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0
> libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
> Apr  4 13:13:09 packetfence eduroam[153693]:
> [/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> Apr  4 13:13:09 packetfence eduroam[153693]:
> [/usr/local/pf/raddb/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
> Apr  4 13:13:09 packetfence eduroam[153693]: rlm_ldap: libldap vendor:
> OpenLDAP, version: 20457
> Apr  4 13:13:11 packetfence eduroam[153693]: tls: Setting DH parameters
> from /usr/local/pf/raddb/certs/dh - this is no longer necessary.
> Apr  4 13:13:11 packetfence eduroam[153693]: tls: You should comment out
> the 'dh_file' configuration item.
> Apr  4 13:13:11 packetfence eduroam[153693]: tls: Setting DH parameters
> from /usr/local/pf/raddb/certs/dh - this is no longer necessary.
> Apr  4 13:13:11 packetfence eduroam[153693]: tls: You should comment out
> the 'dh_file' configuration item.
> Apr  4 13:13:11 packetfence eduroam[153693]: tls: Setting DH parameters
> from /usr/local/pf/raddb/certs/dh - this is no longer necessary.
> Apr  4 13:13:11 packetfence eduroam[153693]: tls: You should comment out
> the 'dh_file' configuration item.
> Apr  4 13:13:11 packetfence eduroam[153693]: tls: Setting DH parameters
> from /usr/local/pf/raddb/certs/dh - this is no longer necessary.
> Apr  4 13:13:11 packetfence eduroam[153693]: tls: You should comment out
> the 'dh_file' c

Re: [PacketFence-users] Impossible to change switch identifier via gui - workaround?

2023-03-31 Thread Fabrice Durand via PacketFence-users
Hello Yannik,

just clone the switch, set a different identifier then delete the old one.

Regards
Fabrice


On Fri, 31 Mar 2023 at 15:10, Yannik Sembritzki via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Anybody have an idea which services to reload after editing
> switches.conf? Would be appreciated!
>
> On 19.03.23 14:37, Yannik Sembritzki via PacketFence-users wrote:
> > Hi,
> >
> > unfortunately changing the switch identifier (= ip address) via the
> > gui results in an item not found error.
> > It seems to erroneously write the change to the new identifier - which
> > does not exist yet.
> >
> > As a workaround I edited switches.conf - but how do I get packetfence
> > to pick up these changes without having to reboot the vm?
> >
> > Best regards
> > Yannik
> >
> >
> >
> > ___
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Add Session-Timeout attribute

2023-03-30 Thread Fabrice Durand via PacketFence-users
Hello,

check the radius filters.

Regards
Fabrice


On Mon, 27 Mar 2023 at 20:04, jhyanagi via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello PacketFence users,
>
> Is there any way to add Session-Timeout as a RADIUS attribute?
>
> It looks like it could be possible if I modify *returnRadiusAccessAccept*
> in Switch module,
> I would like to know that this could be possible without touching the code.
>
> If modifying *returnRadiusAccessAccept* is the only option,
> Is it possible to add some configurable options?
>
> Please let me know more if this is possible.
>
> Thank you. Regards,
> jhyanagi


Re: [PacketFence-users] PF12.2 out-of-band routed mode not working - No DNS or Captive Portal

2023-03-17 Thread Fabrice Durand via PacketFence-users
Hello Andrew,
you will have to provide the networks.conf and pf.conf files in order to
understand the issue.
And what is 172.0.0.2? Is it defined somewhere?

Regards
Fabrice


On Fri, 17 Mar 2023 at 16:39, Andrew Torry via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> RESTRICTED
>
> Hi Folks,
>
>
>
> Maybe someone can help me out? We have been using PF now for over 6 years
> and are very happy with it. But
>
> we need to upgrade it to stay in line with our security policies.
>
>
>
> We have a fully working 6.5 installation and a shadow 9.0 installation
> that are both working in out-of-band
>
> routed mode.
>
>
>
> The current PF servers have two NICs each:-
>
> Eth0   -  Management
> running the ‘portal’ daemon
>
> Eth1   -  Registration
>
>
>
> We have several routed networks (several wired ones and several centrally
> managed Wireless networks)
>
> The DHCP activity from these networks is ‘reflected’ from our network DHCP
> servers to the PF management interface so that the
>
> Nodes and IPLog tables are maintained correctly – effectively removing the
> need for the PF server to provide DHCP services.
>
>
>
> The network DHCP servers are configured to use the IP address of the
> registration interface (eth1) as the only name server.
>
>
>
> We are using ‘MAC Authentication Bypass’ on our Cisco switches and our
> WiFi estate is controlled by a Wireless Lan Controller.
>
>
>
> In order to upgrade to a newer version of PF we have been building out a
> new 12.2 server but we cannot get our routed test network
>
> to work despite it being configured precisely the same way as with the
> working networks and PF servers.
>
>
>
> We have a complete ‘connection profile’ in place and relevant other
> configuration to match the working servers.
>
>
>
> When connected to the registration network(s) of our existing PF server
> all DNS requests reply with the IP address of the management interface and
>
> display the captive portal to the end user as expected.
>
>
>
> When I connect to a routed registration network the new PF12 server is
> responding to all DNS requests with the IP address 172.0.0.2 which of
> course is not
>
> routed on our network in any shape or form.
>
>
>
> Is a fully routed ‘out-of-band’ solution no longer supported in 12.2 or am
> I missing something here?
>
>
>
> Regards
>
>
>
> Andrew
>
> RESTRICTED


Re: [PacketFence-users] DACL not applied to the switch interface

2023-03-16 Thread Fabrice Durand via PacketFence-users
Hello Mirko,

what switch module are you using in PacketFence for this switch ?
Can you try the Catalyst_2960 ?

Regards
Fabrice


On Thu, 16 Mar 2023 at 09:02, sgiops sgiops via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Just upgraded to 12.2 (I was on 12.1) but when I try to save the switch
> role configuration I obtain the following error messages:
>
> "Unable to validate"
> "AccessListMapping.0.accesslist: ACLs not supported for switch"
>
> Any hint?
>
> Mirko
>
>
>
> On Thu, 16 Mar 2023 at 09:27 sgiops sgiops <thesgi...@gmail.com> wrote:
>
>> Hi all,
>>
>> I'm experiencing problems with DACL in my testing environment. I defined
>> the access list in Configuration -> Switches -> "my switch" -> Role mapping
>> by Access List.
>> The test access list mapped to the role is:
>>
>> deny tcp any 192.168.5.0 255.255.255.0
>> permit ip any any
>>
>> The authentication and the role mapping work well, the switch port is
>> correctly moved to the right vlan but no access list is applied to that
>> port.
>>
>> the testing switch is a Cisco C1000-8T-2G-L with the IOS
>> version 15.2(7)E4. The device tracking is enabled by default and is
>> working.
>>
>> The switch port is configured as following:
>>  switchport mode access
>>  authentication order dot1x mab
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  authentication periodic
>>  authentication timer reauthenticate 7200
>>  authentication timer restart 10800
>>  authentication violation replace
>>  mab
>>  no snmp trap link-status
>>  dot1x pae authenticator
>>  dot1x timeout quiet-period 2
>>  dot1x timeout tx-period 3
>>
>> Could you please help me to troubleshoot and address this problem?
>>
>> Thanks
>>
>> Mirko
>>


Re: [PacketFence-users] Unifi switch CoA support

2023-03-15 Thread Fabrice Durand via PacketFence-users
Based on the code, it's not supported (I did it a long time ago) and you
have to use the snmp method to reevaluate the access.
Btw if you are able to configure it on the switch side then the packetfence
switch module will need to be adapted.

Regards
Fabrice


On Wed, 15 Mar 2023 at 16:29, Francis wrote:

> Oh, great! I was able to enable CoA for an Unifi AP with the legacy UI
> then I was able to configure PF. My PF configuration now works great to
> manage a wifi network.
>
> Now I wonder if CoA is also supported for unifi switch/wired networks? I
> would like to use 802.1x with device authentication and a captive portal
> for guest users. Can I use Unifi switches with PF? I can successfully
> authenticate my device to the radius server with 802.1x, but without CoA
> support, I understand that PF is unable to move the device to the required
> vlan (my device gets no IP from the dhcp server).
>
> Thank you!
>
>
> On Tue, 14 Mar 2023 at 16:08, Fabrice Durand wrote:
>
>> Hello Francis,
>>
>> if I am not wrong you should be able to see the option if you switch to
>> the legacy view of the controller.
>> Also you can connect on the AP (ssh) and see if the port 3799 UDP is
>> listening.
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On Tue, 14 Mar 2023 at 15:50, Francis via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello,
>>>
>>> I wonder if someone is using Unifi switches with packetfence? I
>>> understand I need to activate CoA support to make it work with PF.
>>>
>>> I found release notes that say it was added by Ubiquiti in version
>>> 5.12.22 of Unifi Controller. I found old screenshots that show the options
>>> but I fail to find it in the newest version (Unifi controller 7.3.83 with
>>> all firmware up to date).
>>>
>>> I found some posts in the UI forums of others wondering the same thing
>>> but they never got answers and Ubiquiti support failed to reply to my
>>> ticket for almost a week. So I wonder... maybe they just silently dropped
>>> CoA support?
>>>
>>> Thanks!
>>>
>>> --
>>> Francis


Re: [PacketFence-users] Unable to 'preview' HTML files in 'Connection Profile->Files' in Admin GUI on PF12.1

2023-03-15 Thread Fabrice Durand via PacketFence-users
Hello Andrew,

I am able to reproduce it on my side; we are looking into it.

Regards
Fabrice


On Wed, 15 Mar 2023 at 08:32, Andrew Torry via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> RESTRICTED
>
> Is it just me but when I preview an entire profile it works fine but if I
> try and preview an individual HTML file it gives me an
>
> empty page.
>
>
>
> The URL I get for the whole profile preview is:-
>
>
>
> https://<address_of_PF_server>:1443/portal_preview/captive-portal?PORTAL=GUEST
>
>
>
> and I am able to move around and preview all the portal pages but if I try
> and preview say the PARKING security
>
> event page I get this:-
>
>
>
> https://<address_of_PF_server>:1443/config/profile/GUEST/preview/security_events/parked.html
>
>
>
> and this page connects but has no content.
>
>
>
> The template file used ‘parked.html’ is a simple copy of
> the ‘generic.html’ template with slightly more informative text.
>
>
>
> It works in 6.5 and 9.1 but can't see anything in PF11 or 12
>
>
>
> Does not seem to be browser dependent either as it does this in
> Chrome/Edge and Firefox
>
>
>
> Andrew
>
>
>
>
>
> RESTRICTED


Re: [PacketFence-users] EAP-TLS Configuration

2023-03-15 Thread Fabrice Durand via PacketFence-users
So now create a client cert, install it on the device and try to connect
with the client certificate and check to see if the radius request has been
accepted. (Radius audit log and radius.log).
If it's ok then you can start to play with the connection profile and the
authentication source.



On Wed, 15 Mar 2023 at 09:16, Mudrich, J. wrote:

> Hello Fabrice,
>
>
>
> thanks for the reply.
>
> Internal PKI is already set up and I created a new cert for the
> RADIUS-Server and added the CA-Cert to the config. Everything is green here.
>
> What’s next?
>
> I added a new internal authentication source (EAPTLS) with Authentication
> Rule:
>
> Matches: all
>
> Conditions:
>
> SSID equals “MySSID”
>
> Actions:
>
> Role “MyRole”
>
> Access Duration 5 Days
>
>
>
> Is it advised to create a new connection profile or could I just use the
> default profile to start with?
>
>
>
> Kind regards
>
> Johannes
>
>
>
>
>
> *From:* Fabrice Durand via PacketFence-users [mailto:
> packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, 15 March 2023 13:26
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand 
> *Subject:* Re: [PacketFence-users] EAP-TLS Configuration
>
>
>
> Hello Johannes,
>
>
>
> in fact you can follow this to create the certificates needed for eap-tls.
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_certificate_authority_creation
>
>
>
> Once you have created the ca certificate and applied it in the radius
> section.
>
>
>
> ```
>
> Once done copy the certificate in the clipboard from the Certificate
> Authorities list (Configuration → Integration → PKI → Certificate
> Authorities and click on *Copy Certificate*) then edit the RADIUS
> certificate section in Configuration → System Configuration → SSL
> Certificates → RADIUS → Edit and paste the public key in "Certificate
> Authority" and Save. (Don’t forget to restart radiusd-auth)
>
> This will authorize the EAP TLS authentications using the PKI issued
> certificates.
>
> ```
>
> Create a certificate template
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_template_creation
> and create a certificate for the end user.
>
> Once you have the pkcs12 file, import it on your device and configure the
> supplicant to use this certificate to connect to a secure ssid (it could be
> wired too).
>
>
>
> So when you try to connect, you should be able to see the radius
> authentication in the radius audit log; the next steps will be to
> configure an EAPTLS or Authorize authentication source and assign it to a
> connection profile where you set the filter to sub_connection_type =
> EAP_TLS.
>
>
>
> Let me know if you are stuck at some point.
>
> Regards
>
> Fabrice
>
>
>
>
>
>
>
> On Wed, 15 Mar 2023 at 07:45, Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello again,
>
>
>
> I’m trying to configure PF for EAP-TLS authentication. I couldn’t find any
> comprehensive guide or manual so I hope you can help.
>
> I would like to use the internal PKI. That’s what I already set up. Maybe
> someone can walk me through this?
>
>
>
> Some wild guesses:
>
> I think I need to set up an Authentication Source (internal -> EAPTLS)?
>
> Are there any changes needed in the RADIUS configuration (System
> Configuration -> Radius)?
>
> What’s with “PKI SSL Certificates”, do I need to add the internal PKIs CA
> there?
>
>
>
> Some additional thoughts: I can already see the devices I’d like to manage
> via EAP-TLS in my nodes list because of their DHCP broadcasts. Will these
> nodes then somehow be connected to the certificates issued by the internal
> PKI?
>
>
>
> Thanks and kind regards
>
> Johannes
>
>
>
> *Johannes Mudrich*
> Staff member
> IT
>
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
>
> Tel.:
>
>  03907 791229
>
> Fax.:
>
>  03907 791248
>
> Mail:
>
>  j.mudr...@altmark-klinikum.de
>
>
>
> <https://www.salusaltmarkholding.de/>
>

Re: [PacketFence-users] EAP-TLS Configuration

2023-03-15 Thread Fabrice Durand via PacketFence-users
Hello Johannes,

in fact you can follow this to create the certificates needed for eap-tls.
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_certificate_authority_creation

Once you have created the ca certificate and applied it in the radius
section.

```

Once done copy the certificate in the clipboard from the Certificate
Authorities list (Configuration → Integration → PKI → Certificate
Authorities and click on Copy Certificate) then edit the RADIUS certificate
section in Configuration → System Configuration → SSL Certificates → RADIUS
→ Edit and paste the public key in "Certificate Authority" and Save. (Don’t
forget to restart radiusd-auth)

This will authorize the EAP TLS authentications using the PKI issued
certificates.

```

Create a certificate template
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_template_creation
and create a certificate for the end user.

Once you have the pkcs12 file, import it on your device and configure the
supplicant to use this certificate to connect to a secure ssid (it could be
wired too).


So when you try to connect, you should be able to see the radius
authentication in the radius audit log; the next steps will be to
configure an EAPTLS or Authorize authentication source and assign it to a
connection profile where you set the filter to sub_connection_type =
EAP_TLS.


Let me know if you are stuck at some point.

Regards

Fabrice




On Wed, 15 Mar 2023 at 07:45, Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello again,
>
>
>
> I’m trying to configure PF for EAP-TLS authentication. I couldn’t find any
> comprehensive guide or manual so I hope you can help.
>
> I would like to use the internal PKI. That’s what I already set up. Maybe
> someone can walk me through this?
>
>
>
> Some wild guesses:
>
> I think I need to set up an Authentication Source (internal -> EAPTLS)?
>
> Are there any changes needed in the RADIUS configuration (System
> Configuration -> Radius)?
>
> What’s with “PKI SSL Certificates”, do I need to add the internal PKIs CA
> there?
>
>
>
> Some additional thoughts: I can already see the devices I’d like to manage
> via EAP-TLS in my nodes list because of their DHCP broadcasts. Will these
> nodes then somehow be connected to the certificates issued by the internal
> PKI?
>
>
>
> Thanks and kind regards
>
> Johannes
>
>
> *Johannes Mudrich*
> Staff member
> IT
>
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
>
> Tel.:  03907 791229
> Fax.:  03907 791248
> Mail:  j.mudr...@altmark-klinikum.de
>
>
>
>
>  
>
> Salus Altmark Holding gGmbH
> Tel.: +49 39325700
> Sitz der Gesellschaft:
> Seepark 5 | 39116 Magdeburg
> www.salusaltmarkholding.de
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Register court: AG Stendal: HRB 112594
> Managing director: Jürgen Richter
> Chairman of the supervisory board: Wolfgang Beck
> In accordance with Art. 13 GDPR we inform you that your data is stored
> electronically. Further information:
> www.salusaltmarkholding.de/datenschutz
> From January 2022 we no longer accept mails with doc, xls and ppt
> attachments.
> Please use the current Office formats docx, xlsx, pptx or pdf.


Re: [PacketFence-users] Unifi switch CoA support

2023-03-14 Thread Fabrice Durand via PacketFence-users
Hello Francis,

if I am not wrong you should be able to see the option if you switch to the
legacy view of the controller.
Also you can connect on the AP (ssh) and see if the port 3799 UDP is
listening.

Regards

Fabrice


On Tue, 14 Mar 2023 at 15:50, Francis via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I wonder if someone is using Unifi switches with packetfence? I understand
> I need to activate CoA support to make it working with PF.
>
> I found release notes that say it was added by Ubiquiti in version 5.12.22
> of Unifi Controller. I found old screenshots that show the options but I
> fail to find it in the newest version (Unifi controller 7.3.83 with all
> firmware up to date).
>
> I found some posts in the UI forums of others wondering the same thing but
> they never got answers and Ubiquiti support failed to reply to my ticket
> for almost a week. So I wonder... maybe they just silently dropped CoA
> support?
>
> Thanks!
>
> --
> Francis


Re: [PacketFence-users] packetfence newb here - basic setup question

2023-03-11 Thread Fabrice Durand via PacketFence-users
Hello Alex,

do you have the pfdhcp server running?
Can you paste the networks.conf file ?
Regards
Fabrice


On Sat, 11 Mar 2023 at 07:48, Alex Rubenstein via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> No clues here?
>
>
>
>
>
>
>
> *From:* Alex Rubenstein
> *Sent:* Thursday, March 2, 2023 10:04 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* packetfence newb here - basic setup question
>
>
>
> So I have been setting up pf in my lab, purely in inline. It’s a VM under
> hyper-v, with a windows 10 vm “behind it” on an internal virtual switch
>
>
>
> I’ve done the basic inline config as described in the manual, but
> stumbling on what seems to be a very simple part.
>
>
>
> eth0 -> goes to the internet and is the management interface
>
> eth1 -> “inline layer 2” port (windows box behind here)
>
>
>
> when I go to config eth1 and add “portal” as an additional listening
> daemon, and save the config, the “portal” tag disappears. I also cannot get
> DHCP from this interface on the windows box. However, if I statically set
> an IP on the windows box, I can ping and get to the pf via web, but with an
> error “your connection was not found in the packetfence database. Please
> reboot to solve this issue”
>
>
>
> I tcpdump for dhcp on the pf, and I see the windows box’s DHCP request but
> the pf never responds.
>
>
>
> Like I said – new to this, just point me in the right direction and I’d be
> appreciative!
>
>


Re: [PacketFence-users] Issue with PacketFence 12 and Cisco WLC

2023-02-27 Thread Fabrice Durand via PacketFence-users
Hello Andrew,
since it's just cisco wlc related, then you can put this function in WLC.pm
instead.
What you can do is to open a PR on github with your change, we will review
it and merge it in the code base.
Regards
Fabrice

On Mon, 27 Feb 2023 at 16:14, Andrew Torry via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> RESTRICTED
>
> Greetings fellow PF users,
>
>
>
> We have an issue that I was wondering if there is any chance of someone
> from the dev team to look at for me.
>
>
>
> The Cisco WLC provide for the transmission of the CalledStationID field of
> a RADIUS packet to be based on different formats:-
>
>
>
>
>
> In our specific case with a campus stretched out over a huge area
> containing about 1300 APs it is very useful to have the RADIUS logs refer
> to the NAME of an AP rather than simply its MAC address.
>
>
>
> This works fine with all our systems except PF.
>
>
>
> The code inside Switch.pm is hardwired to recognise XX:XX:XX:XX:XX:XX:SSID
> or :SSID or XX-XX-XX-XX-XX-XX:SSID but rejects any other format
> (such as AP Name:SSID) above.
>
>
>
> This renders our WLC configuration incompatible with PF.
>
>
>
> There is a simple tweak to the code that we can perform by replacing the
> REGEXP in the code from:-
>
>
>
> sub extractSSIDFromCalledStationId {
>     my ($self, $radius_request) = @_;
>     # it's put in Called-Station-Id
>     # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
>     if (defined($radius_request->{'Called-Station-Id'})) {
>         if ($radius_request->{'Called-Station-Id'} =~ /^
>             # below is MAC Address with supported separators: :, - or nothing
>             [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
>             :                                   # : delimiter
>             (.*)                                # SSID
>             $/ix) {
>             return $1;
>         } else {
>             my $logger = $self->logger;
>             $logger->info("Unable to extract SSID of Called-Station-Id: ".$radius_request->{'Called-Station-Id'});
>         }
>     }
>
>     return undef;
> }
>
>
>
> To:-
>
>
>
> sub extractSSIDFromCalledStationId {
>     my ($self, $radius_request) = @_;
>     # it's put in Called-Station-Id
>     # ie: Called-Station-Id = "aa-bb-cc-dd-ee-ff:Secure SSID" or "aa:bb:cc:dd:ee:ff:Secure SSID"
>     if (defined($radius_request->{'Called-Station-Id'})) {
>         if ($radius_request->{'Called-Station-Id'} =~ /^
>             # below is MAC Address with supported separators: :, - or nothing
>             # [a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}[-:]?[a-f0-9]{2}
>             .*
>             :                                   # : delimiter
>             (.*)                                # SSID
>             $/ix) {
>             return $1;
>         } else {
>             my $logger = $self->logger;
>             $logger->info("Unable to extract SSID of Called-Station-Id: ".$radius_request->{'Called-Station-Id'});
>         }
>     }
>
>     return undef;
> }
>
>
>
> But we are reluctant to modify CORE code as this will be lost at upgrades.
>
>
>
> What would be nice is to have some sort of ‘Called-Station-ID format
> specifier’ included in the Configuration system.
>
>
>
> Andrew
>
> RESTRICTED
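An added example to go with the thread above, written here and not taken from PacketFence or from Andrew's patch: the Called-Station-Id format becomes an explicit selector (the "format specifier" Andrew asks for), so the strict MAC form stays the default and the looser AP Name:SSID parsing is applied only where a WLC is known to send it. The function name, the format names and the sample values are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code: extract the SSID from a RADIUS
# Called-Station-Id according to an explicit, per-switch format selector
# instead of widening the single regex shared by every switch module.
use strict;
use warnings;

# Six hex pairs separated by ':', '-' or nothing (the shapes Switch.pm accepts).
my $MAC_RE = qr/[a-f0-9]{2}(?:[-:]?[a-f0-9]{2}){5}/i;

# extract_ssid($called_station_id, $format) -> SSID, or undef on no match.
#   'mac'     "<MAC>:<SSID>"      current PacketFence behaviour (default)
#   'ap_name' "<AP name>:<SSID>"  hypothetical opt-in for a WLC that sends the
#             AP name; like the patch in the thread it is greedy, so the SSID
#             is whatever follows the LAST ':' and an SSID containing ':'
#             would be truncated. Keep 'mac' unless the WLC really sends names.
sub extract_ssid {
    my ($called_station_id, $format) = @_;
    $format = 'mac' unless defined $format;
    return undef unless defined $called_station_id;

    if ($format eq 'mac') {
        return $called_station_id =~ /^${MAC_RE}:(.*)$/ ? $1 : undef;
    }
    if ($format eq 'ap_name') {
        return $called_station_id =~ /^.+:(.*)$/ ? $1 : undef;
    }
    die "unknown Called-Station-Id format '$format'\n";
}

# Constructed checks (no real traffic): input, format, expected SSID.
my @cases = (
    ['aa-bb-cc-dd-ee-ff:Secure SSID', 'mac',     'Secure SSID'],
    ['AA:BB:CC:DD:EE:FF:Secure SSID', 'mac',     'Secure SSID'],
    ['aabbccddeeff:Secure SSID',      'mac',     'Secure SSID'],
    ['AP-Library-3F-01:Secure SSID',  'mac',     undef],          # strict: rejected
    ['AP-Library-3F-01:Secure SSID',  'ap_name', 'Secure SSID'],
    ['AP-Library-3F-01',              'ap_name', undef],          # no delimiter
);

my $failed = 0;
for my $case (@cases) {
    my ($input, $format, $want) = @$case;
    my $got = extract_ssid($input, $format);
    my $ok  = (defined $got && defined $want) ? $got eq $want
            : (!defined $got && !defined $want);
    printf "%-4s %-8s %-32s -> %s\n", ($ok ? 'ok' : 'FAIL'), $format, $input,
        (defined $got ? "'$got'" : 'undef');
    $failed++ unless $ok;
}
exit($failed ? 1 : 0);
```

Wired into WLC.pm as Fabrice suggests, the selector would be read from the switch's configuration rather than passed as an argument, so an upgrade does not silently revert a site to the strict format.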


Re: [PacketFence-users] Login incorrect for authentication process from Wondows login

2023-02-01 Thread Fabrice Durand via PacketFence-users
Hello Didier,

Rejected in post-auth means that it has been rejected by the logic in
PacketFence.
Verify in the packetfence.log file to see what happens exactly when the
device connects.

Regards
Fabrice


On Wed, 1 Feb 2023 at 07:24, Didier Walraet via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi everybody,
>
> We have a problem with authentication from Windows sessions.
>
> When I check with pftest it works:
>
> Authenticating against 'dcandenne' in context 'admin'
>   Authentication SUCCEEDED against dcandenne (Authentication successful.)
>   Matched against dcandenne for 'authentication' rule catchall
> set_role : default
> set_access_duration : 1D
>   Did not match against dcandenne for 'administration' rules
>
> Authenticating against 'dcandenne' in context 'portal'
>   Authentication SUCCEEDED against dcandenne (Authentication successful.)
>   Matched against dcandenne for 'authentication' rule catchall
> set_role : default
> set_access_duration : 1D
>
> When I test with eapol_test it works:
>
> EAPOL: SUPP_BE entering state RECEIVE
> Received 184 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=2 (Access-Accept) identifier=9 length=184
>Attribute 1 (User-Name) length=24
>   Value: 'andenne\\administrateur'
>Attribute 26 (Vendor-Specific) length=58
>   Value:
> 01371134c13273280210014b8952df27af1d66ef0394150828ddd278c2f3d80b7dd3b9b73d86f83a263ac27392fa5212d77f55bb4b58
>Attribute 26 (Vendor-Specific) length=58
>   Value:
> 01371034cf04b7c73dd8aae9b040a0061f528848602d0fadc4ca1fc08fec82bec34b09131f81621125e838d23812afec44aa01c6ac66
>Attribute 79 (EAP-Message) length=6
>   Value: 038c0004
>Attribute 80 (Message-Authenticator) length=18
>   Value: 5b9fb6bccfe5dd977dd2dcf5039787f3
> STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
> request, round trip time 0.00 sec
>
> RADIUS packet matching with station
> MS-MPPE-Send-Key (sign) - hexdump(len=32): f8 f2 d3 fb 41 8e 70 62 33 4f
> e4 b4 86 f0 82 6a 02 dc b7 e2 70 52 8f bb 1d b9 6c 63 07 6d d8 05
> MS-MPPE-Recv-Key (crypt) - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9
> 92 c8 be a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
> decapsulated EAP packet (code=3 id=140 len=4) from RADIUS server: EAP
> Success
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: Status notification: completion (param=success)
> EAP: EAP entering state SUCCESS
> CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
> WPA: EAPOL processing complete
> Cancelling authentication timeout
> State: DISCONNECTED -> COMPLETED
> EAPOL: SUPP_PAE entering state AUTHENTICATED
> EAPOL: SUPP_BE entering state RECEIVE
> EAPOL: SUPP_BE entering state SUCCESS
> EAPOL: SUPP_BE entering state IDLE
> eapol_sm_cb: result=1
> EAPOL: Successfully fetched key (len=32)
> PMK from EAPOL - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9 92 c8 be
> a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
> No EAP-Key-Name received from server
> WPA: Clear old PMK and PTK
> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
> ENGINE: engine deinit
> MPPE keys OK: 1  mismatch: 0
> SUCCESS
>
> But when I try authentication from Windows, before the user session is
> opened, with user credentials domain\username, it doesn't work:
>
> Feb  1 09:00:11 packetfence auth[9916]: (3332)   Rejected in post-auth:
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb  1 09:00:11 packetfence auth[9916]: (3332)   Login incorrect:
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb  1 09:00:11 packetfence auth[9916]: () Login incorrect (eap_peap:
> The users session was previously rejected: returning reject (again.)):
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37)
> Feb  1 09:00:21 packetfence auth[9916]: (3343)   Rejected in post-auth:
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb  1 09:00:21 packetfence auth[9916]: (3343)   Login incorrect:
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37 via TLS tunnel)
>
> When I test with the same username on a Linux system it works:
>
> Feb  1 08:52:55 packetfence auth[9916]: (3293)   Login OK:
> [administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:0e:3c:f0:ed:5c via TLS tunnel)
> Feb  1 08:52:55 packetfence auth[9916]: (3294) Login OK: [administrateur]
> (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c)
> Feb  1 09:00:10 packetfence auth[9916]: Adding client 10.185.2.154/32
>
> Can anyone help me ?
>
> Best regards,
>
> Didier.
> --
>
> *Didi**er Wa*
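An added example for the log lines in this thread, written here and not part of PacketFence: it sorts the FreeRADIUS auth lines into accepts, rejects decided in post-auth (PacketFence's own logic, as Fabrice notes) and genuine credential failures, discounting the echo lines that follow a post-auth reject. The sample lines are Didier's, unwrapped; the function names are mine.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code: classify the "auth[...]" result lines
# quoted in the thread so that a reject decided by PacketFence policy
# (post-auth) is not misread as a bad password.
use strict;
use warnings;

# Parse one auth result line; returns undef for anything else (for example
# the "Adding client ..." line).
sub parse_auth_line {
    my ($line) = @_;
    return undef unless $line =~ m{
        auth\[\d+\]:\s+\((\d*)\)\s+                                # request id
        (Login\ OK|Login\ incorrect|Rejected\ in\ post-auth)      # outcome
        (?:\s+\((.*?)\))?:\s+                                      # module detail
        \[([^\]]+)\]\s+                                            # user
        \(from\ client\ (\S+)\s+port\s+\d+\s+cli\s+([0-9a-fA-F:]{17})
        (\s+via\ TLS\ tunnel)?\)                                   # inner request
    }x;
    return { id => $1, outcome => $2, detail => $3, user => $4,
             nas => $5, mac => lc $6, inner => $7 ? 1 : 0 };
}

# Tally results per "user@mac". A "Login incorrect" only counts as a
# credential failure when it is not the echo of a policy reject: the inner
# echo shares its request id with the "Rejected in post-auth" line, and the
# outer echo says "previously rejected" (both visible in the thread's log).
sub summarise {
    my (@lines) = @_;
    my (%tally, %policy_rejected_ids);
    for my $line (@lines) {
        my $r = parse_auth_line($line) or next;
        my $key = "$r->{user}\@$r->{mac}";
        my $t = $tally{$key} ||= { accepted => 0, policy_reject => 0, bad_credentials => 0 };
        if ($r->{outcome} eq 'Rejected in post-auth') {
            $t->{policy_reject}++;
            $policy_rejected_ids{$r->{id}} = 1 if length $r->{id};
        }
        elsif ($r->{outcome} eq 'Login OK') {
            $t->{accepted}++ unless $r->{inner};   # count the outer accept once
        }
        elsif (length $r->{id} && $policy_rejected_ids{$r->{id}}) { next }
        elsif (defined $r->{detail} && $r->{detail} =~ /previously rejected/) { next }
        else {
            $t->{bad_credentials}++;
        }
    }
    return \%tally;
}

# The lines Didier posted, unwrapped (the "Adding client" line is ignored).
my @sample = (
    'Feb  1 09:00:11 packetfence auth[9916]: (3332)   Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)',
    'Feb  1 09:00:11 packetfence auth[9916]: (3332)   Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)',
    'Feb  1 09:00:11 packetfence auth[9916]: () Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37)',
    'Feb  1 09:00:21 packetfence auth[9916]: (3343)   Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)',
    'Feb  1 09:00:21 packetfence auth[9916]: (3343)   Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)',
    'Feb  1 08:52:55 packetfence auth[9916]: (3293)   Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c via TLS tunnel)',
    'Feb  1 08:52:55 packetfence auth[9916]: (3294) Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c)',
    'Feb  1 09:00:10 packetfence auth[9916]: Adding client 10.185.2.154/32',
);

my $tally = summarise(@sample);
for my $client (sort keys %$tally) {
    my $t = $tally->{$client};
    printf "%-42s accepted=%d policy_reject=%d bad_credentials=%d\n",
        $client, @{$t}{qw(accepted policy_reject bad_credentials)};
}
```

On these lines the Windows client shows two policy rejects and no credential failure, which is the cue to read packetfence.log for the reason the PacketFence logic rejected it rather than to reset the password.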

Re: [PacketFence-users] Cluster auto sync

2023-02-01 Thread Fabrice Durand via PacketFence-users
Hello Alexander,

You can try to add files path in /usr/local/pf/conf/cluster-files.txt to
add extra files to sync.
Also you can do /usr/local/pf/bin/cluster/sync --as-master

Regards
Fabrice


On Wed, 1 Feb 2023 at 07:24, Alexander via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi people! Can you tell me by what principle the synchronization of
> configs in the cluster takes place?
> I need to understand:
> 1) How can I add files to the list for synchronization (because I do edits
> for freeipa locally, not through the GUI, and these files are not
> synchronized)
> 2) How can I start the synchronization of configs (controlled files) in
> the cluster through the terminal? I tried changing serial in
> /usr/local/pf/var/conf/config_version but that didn't help


Re: [PacketFence-users] How do I exempt autoregistration in a connection profile when node has role REJECT?

2022-12-29 Thread Fabrice Durand via PacketFence-users
Hello David,
you have multiple solutions.
The first one is to use the filter in the connection profile and the order
of the connection profiles.
So in advanced filter you can have category equals REJECT and ssid equals
secure_ssid and have an authentication source of type black_hole assigned
to it.

You can also do it with the vlan filter, in the nodeinfoforautoreg scope
with something similar to the filter i previously defined in the connection
profile and you will define the role REJECT at the end.

Regards
Fabrice



On Wed, 28 Dec 2022 at 15:44, David Herselman via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
>
>
> I have a connection profile setup to auto register nodes as a staffbyod
> role when certain conditions are met. This however then overwrites manual
> role assignments, for example when I manually update a node to have a role
> REJECT it gets reset as having a staffbyod role when it reconnects.
>
>
>
> I attempted to add a filter for last_node equals ‘REJECT’ and node_role
> equals ‘REJECT’ but this didn’t change the behaviour. Is there possibly a
> way to filter connection profiles assigning a role when the node is not
> unregistered?
>
>
>
> Herewith logs where the node is kicked off the network when the role is
> changed to ‘REJECT’ and the logs where the client is then recomputed as
> having the ‘staffbyod’ role when it reconnects:
>
> Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245)
> INFO: re-evaluating access (admin_modify called)
> (pf::enforcement::reevaluate_access)
>
> Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245)
> INFO: Instantiate profile 802.1x_EAP
> (pf::Connection::ProfileFactory::_from_profile)
>
> Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245)
> INFO: VLAN reassignment is forced.
> (pf::enforcement::_should_we_reassign_vlan)
>
> Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245)
> INFO: switch port is (172.16.10.53) ifIndex 0connection type: WiFi 802.1X
> (pf::enforcement::_vlan_reevaluation)
>
> Dec 28 19:46:03 packetfence packetfence_httpd.aaa[1554532]:
> httpd.aaa(759442) WARN: [mac:de:ad:be:ef:de:ad] Firewall SSO Notify
> (pf::api::firewallsso_accounting)
>
> Dec 28 19:46:03 packetfence packetfence_httpd.aaa[1554532]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Sending a firewall SSO
> 'Stop' request for MAC 'de:ad:be:ef:de:ad' and IP '10.239.239.28'
> (pf::firewallsso::do_sso)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) INFO:
> [mac:de:ad:be:ef:de:ad] [de:ad:be:ef:de:ad] DesAssociating mac on switch
> (172.16.10.53) (pf::api::desAssociate)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) INFO:
> [mac:de:ad:be:ef:de:ad] deauthenticating de:ad:be:ef:de:ad
> (pf::Switch::Mikrotik::radiusDisconnect)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) ERROR:
> [mac:de:ad:be:ef:de:ad] Trying to save a NULL value in a non nullable field
> radius_audit_log.mac (pf::dal::validate_field)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) ERROR:
> [mac:de:ad:be:ef:de:ad] Skipping invalid value (NULL) in when inserting
> field radius_audit_log.mac (pf::dal::_insert_data)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) WARN:
> [mac:de:ad:be:ef:de:ad] Warning: 1364: Field 'mac' doesn't have a default
> value (pf::dal::db_execute)
>
> Dec 28 19:46:06 packetfence packetfence_httpd.aaa[1554532]:
> httpd.aaa(759442) WARN: [mac:00:22:4d:88:b0:9a] Use of uninitialized value
> $nas_port in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm
> line 2470. (pf::Switch::NasPortToIfIndex)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] handling radius autz
> request: from switch_ip => (172.16.10.53), connection_type =>
> Wireless-802.11-EAP,switch_mac => (02:00:00:aa:00:01), mac =>
> [de:ad:be:ef:de:ad], port => 0, username => "joe.doe", ssid => RedactedWiFi
> (pf::radius::authorize)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Instantiate profile
> 802.1x_EAP (pf::Connection::ProfileFactory::_from_profile)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Found authentication
> source(s) : 'redactedad_users_byod' for realm 'null'
> (pf::config::util::filter_authentication_sources)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Using sources
> redactedad_users_byod for matching (pf::authentication::match2)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) WARN: [mac:de:ad:be:ef:de:ad] [redactedad_users_byod
> staff] Searching for
> (&(sAMAccountName=joe.doe)(memberOf=CN=redacted,OU=Redacted,OU=Security
> Groups,OU=Redacted,DC=ad,DC=redacted)), from
> OU=Users,OU=Redacted,DC=a

Re: [PacketFence-users] doubts MD5 configuration

2022-12-23 Thread Fabrice Durand via PacketFence-users
Hello,
it should work as is.
Can you post the raddebug output ?
raddebug -f /usr/local/pf/var/run/radius.sock -t 300

Fabrice


Le ven. 23 déc. 2022 à 18:25, Renato Pereira via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi all,
>
> I have the same doubts; I need to configure the device with MD5 but it does not work.
>
> Anyone could help me?
>
> Regards,
>
> --
> *De:* Adelmo Takemori via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Enviado:* quarta-feira, 21 de dezembro de 2022 10:05
> *Para:* packetfence-users@lists.sourceforge.net <
> packetfence-users@lists.sourceforge.net>
> *Cc:* Adelmo Takemori 
> *Assunto:* [PacketFence-users] (no subject)
>
>
> Hi
>
>
> I have some difficulties to authenticate devices with MD5, I tried with
> some access points and telephones, both of CISCO.
>
>
> Anyone could help me?
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] New with Captive portals

2022-12-13 Thread Fabrice Durand via PacketFence-users
Technically yes but PacketFence doesn't support it with webauth.
What you can do since the server is in the cloud is to use the fqdn of the
server (i believe there is one by default) and use it as the captive portal
url.


Le mar. 13 déc. 2022 à 14:28, Ahiya Zadok  a écrit :

> Thank you, Fabrice.
>
> Is it possible to use the public IP rather than FQDN?
>
>
>
> Thanks again
>
>
>
> *Ahiya Zadok*
>  Co-Founder, VP Eng
>
> *IL: * (972) 522421464
>
>
>  *E: ah...@younity.io *
>
>
>
>
>
> *From:* Fabrice Durand 
> *Sent:* Tuesday, 13 December 2022 19:11
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Ahiya Zadok 
> *Subject:* Re: [PacketFence-users] New with Captive portals
>
>
>
> Hello Ahiya,
>
>
>
> you have to change the domain and hostname there:
>
> https://pf_mgmt_IP:1443/admin#/configuration/general
>
>
>
> Regards
>
> Fabrice
>
>
>
>
>
> Le lun. 12 déc. 2022 à 08:55, Ahiya Zadok via PacketFence-users <
> packetfence-users@lists.sourceforge.net> a écrit :
>
> Hi all
>
>
> I'm setting up a captive portal for the Unifi network using the
> PacketFence.
> I've installed the latest ZEN PF VM, and I'm using an Unifi controller ver
> 6.5.55.
> The controller and the PF are installed remotely (AWS), but all have full
> access between them and from the WAPs location.
> I've configured it according to the guides I've found online.
> • I use the default Role guest
> • Null as an authentication source
> • Created a "switch," type – Unifi controller
> • And create a guest connection profile
>
>
> But still, the clients cant open the redirection URL.
> I assume the prefix of this URL is the issue.
> PF url
>
> http://packetfence.packetfence.org/captive-portal?destination_url=http://x.x.x.x/guest/s/6qca4zw5/?ap=68:d7:9a:16:07:2a&id=d4:6d:6d:38:8d:80&t=1670850049&url=http://www.msftconnecttest.com%2Fredirect&ssid=test
>
> another very basic portal URL, that did work.
>
> http://x.x.x.x/guest/s/6qca4zw5/?ap=68:d7:9a:16:07:2a&id=d4:6d:6d:38:8d:80&t=1670850973&url=http://www.msftconnecttest.com%2Fredirect&ssid=test
>
>
> what am I missing here?
>
> Appreciated the help!!
> Thanks
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] issue with re-authentification after portal validation

2022-12-13 Thread Fabrice Durand via PacketFence-users
Hello Julien,

it looks that you enabled "Deauth on previous switch" in the switch
configuration for 172.16.252.100 (packetfence side).
Disable it and retry.
Regards
Fabrice


Le lun. 12 déc. 2022 à 08:55, Julien Dejean via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello,
>
>
>
> I configured packetfence for 802.1x, but for the MAC using the portal I
> still have an issue changing the VLAN after portal authentication.
>
> I use a Cisco SG300, with SNMP for reauthentication. I used the
> configuration for this type of switch from
> https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_cisco_small_business_smb
>
>
>
> But when I successfully log in on the portal nothing seems to happen between
> packetfence and the switch. I made a tcpdump trace but no traffic…
>
> If I disconnect the wired cable and reconnect it, it's ok, the VLAN was
> changed. It seems that the connection from the switch to packetfence is ok but
> no traffic from packetfence to the switch…
>
>
>
> I checked logs :
>
>
>
> Dec 12 11:45:41 packetfence auth[5127]: Adding client 172.16.252.100/32
>
> Dec 12 11:45:41 packetfence auth[5127]: (21818) Login OK: [54ee7556475a]
> (from client 172.16.252.100/32 port 51 cli 54:ee:75:56:47:5a)
>
> Dec 12 11:45:41 packetfence httpd.aaa-docker-wrapper[1936]: httpd.aaa(7)
> INFO: [mac:54:ee:75:56:47:5a] handling radius autz request: from switch_ip
> => (172.16.252.100), connection_type => Ethernet-NoEAP,switch_mac =>
> (80:e8:6f:b8:bc:1a), mac => [54:ee:75:56:47:5a], port => 51, username =>
> "54ee7556475a" (pf::radius::authorize)
>
> Dec 12 11:45:41 packetfence httpd.aaa-docker-wrapper[1936]: httpd.aaa(7)
> INFO: [mac:54:ee:75:56:47:5a] (172.16.252.100) Added VLAN 4 to the returned
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Dec 12 11:45:41 packetfence httpd.aaa-docker-wrapper[1936]: httpd.aaa(7)
> WARN: [mac:54:ee:75:56:47:5a] No parameter registrationRole found in
> conf/switches.conf for the switch 172.16.252.100 (pf::Switch::getRoleByName)
>
> Dec 12 11:46:13 packetfence httpd.portal-docker-wrapper[3205]:
> httpd.portal(371) WARN: [mac:54:ee:75:56:47:5a] previous location log entry
> not found for and 54:ee:75:56:47:5a 172.16.252.100
> (pf::enforcement::_vlan_reevaluation)
>
>
>
> I don't know where I can get more information in the logs. Could you please give me
> some help ?
>
>
>
> Regards
>
>
>
> Cordialement,
>
> MACC
>
> Julien
>
> DEJEAN
>
> Administrateur systèmes et réseaux
>
> Service Informatique
>
> +33 (0)5 49 02 55 76 <+33(0)549025576>
>
> 9, Rue Des Frères Lumière
>
> 86100
>
> CHATELLERAULT
>
> -
>
>
>
> France
>
>
>
> www.macc.fr
> 
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] From NPS to PacketFence - Regarding

2022-12-13 Thread Fabrice Durand via PacketFence-users
Hello Thirunavukkarasu,

yes you can do it, just add a new switch in PacketFence (use the generic
switch module), set a RADIUS shared secret and restart radiusd.

Regards
Fabrice


Le lun. 12 déc. 2022 à 08:55, P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi Team,
> Greetings of the day
> Can we configure the PacketFence to process the requests sent by an NPS
> from a Remote Place
> In my case there is an NPS in a remote location. That NPS acts as a RADIUS
> server in that location.
> It receives the requests from NAS clients
> Can we configure the PacketFence to process the requests?
>
> Regards,
> Thirunavukkarasu
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] New with Captive portals

2022-12-13 Thread Fabrice Durand via PacketFence-users
Hello Ahiya,

you have to change the domain and hostname there:
https://pf_mgmt_IP:1443/admin#/configuration/general

Regards
Fabrice


Le lun. 12 déc. 2022 à 08:55, Ahiya Zadok via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi all
>
>
> I'm setting up a captive portal for the Unifi network using the
> PacketFence.
> I've installed the latest ZEN PF VM, and I'm using an Unifi controller ver
> 6.5.55.
> The controller and the PF are installed remotely (AWS), but all have full
> access between them and from the WAPs location.
> I've configured it according to the guides I've found online.
> • I use the default Role guest
> • Null as an authentication source
> • Created a "switch," type – Unifi controller
> • And create a guest connection profile
>
>
> But still, the clients cant open the redirection URL.
> I assume the prefix of this URL is the issue.
> PF url
>
> http://packetfence.packetfence.org/captive-portal?destination_url=http://x.x.x.x/guest/s/6qca4zw5/?ap=68:d7:9a:16:07:2a&id=d4:6d:6d:38:8d:80&t=1670850049&url=http://www.msftconnecttest.com%2Fredirect&ssid=test
>
> another very basic portal URL, that did work.
>
> http://x.x.x.x/guest/s/6qca4zw5/?ap=68:d7:9a:16:07:2a&id=d4:6d:6d:38:8d:80&t=1670850973&url=http://www.msftconnecttest.com%2Fredirect&ssid=test
>
>
> what am I missing here?
>
> Appreciated the help!!
> Thanks
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Upload speed on inline networks

2022-12-13 Thread Fabrice Durand via PacketFence-users
Hello Leonardo,

did you try the speed test directly on the packetfence server to compare ?

Regards
Fabrice


Le mar. 13 déc. 2022 à 11:31, Leonardo Izzo I.T.S. via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi, doing a speed test on PKF's inline networks, both wired and wireless,
> the download values are good, but the upload values are extremely low,
> almost unusable. How can I fix it? Thank you
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] RADIUS Audit Logs - RADIUS Request empty

2022-12-08 Thread Fabrice Durand via PacketFence-users
Hello Guys,

the issue is because the SQL buffer is not big enough to store the
content of the request.
I tried to do a patch to raise the size in FreeRADIUS but it created issues
in the proxy module.
So it will be fixed when PacketFence uses the FreeRADIUS v4 version.

Regards
Fabrice


Le jeu. 8 déc. 2022 à 15:04, merkhabha via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello,
>
> I reinstalled the host, added more CPUs and memory and it worked.
>
> Regards
>
> Sent with Proton Mail  secure email.
>
> --- Original Message ---
> On Thursday, December 8th, 2022 at 8:24 AM, Renato Pereira via
> PacketFence-users  wrote:
>
> Hi all,
>
> I have same problem, I booted my cluster but not fixed.
>
> Regards,
> --
> *De:* P.Thirunavukkarasu via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Enviado:* quarta-feira, 7 de dezembro de 2022 07:12
> *Para:* packetfence-users@lists.sourceforge.net <
> packetfence-users@lists.sourceforge.net>
> *Cc:* P.Thirunavukkarasu 
> *Assunto:* Re: [PacketFence-users] RADIUS Audit Logs - RADIUS Request
> empty
>
> I faced the same issue.
> Then I restarted all services in PF and the issue was resolved.
> Regards,
> Thirunavukkarasu
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] ldap authentication failed

2022-11-23 Thread Fabrice Durand via PacketFence-users
Hello Nikunj,
you can use ldap for peap only if you can grab the password in clear text
or with NT-Hash

http://deployingradius.com/documents/protocols/compatibility.html

So how do you configure that ?

Or join the packetfence server to the domain.

Regards
Fabrice



Le mer. 23 nov. 2022 à 08:47, Nikunj Vacchani via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello
>
>
>
> I'm able to authenticate with a local user but I'm not able to authenticate
> with my ldap server users,
>
>
>
> I'm facing an error,
>
>
>
> PacketFence-KeyBalanced = "1acc010ea4ece6928d7a7f0c37444c0f"
>
> PacketFence-Radius-Ip = "10.20.40.153"
>
> Event-Timestamp = "Nov 17 2022 12:42:35 IST"
>
> Acct-Session-Id = "05000132"
>
> NAS-Port = 53
>
> NAS-IP-Address = 11.11.11.240
>
> PacketFence-NTLMv2-Only = ""
>
> EAP-Message =
> 0x020800431a0208003e319e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a005252555c74657374
>
> FreeRADIUS-Proxied-To = 127.0.0.1
>
> EAP-Type = MSCHAPv2
>
> MS-CHAP2-Response =
> 0x08529e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a
>
> Calling-Station-Id = "54:05:db:0a:ae:a4"
>
> Stripped-User-Name = "test"
>
> User-Name = "RRU\\test"
>
> PacketFence-Outer-User = "RRU\\test"
>
> NAS-Port-Type = Ethernet
>
> PacketFence-Domain = "RRUAD01"
>
> MS-CHAP-Challenge = 0xa88d981c98c2e8b5e0512896662f75d3
>
> Realm = "default"
>
> MS-CHAP-User-Name = "RRU\\test"
>
> State = 0x0e2308c40e2b12014ce5e92689785f0a
>
> Module-Failure-Message = "chrooted_mschap: Program returned code (1) and
> output 'The attempted logon is invalid. This is either due to a bad
> username or authentication information. (0xc06d)'"
>
> Module-Failure-Message = "chrooted_mschap: External script says: The
> attempted logon is invalid. This is either due to a bad username or
> authentication information. (0xc06d)"
>
> Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
>
> User-Password = "**"
>
> SQL-User-Name = "RRUtest"
>
> RADIUS Reply
>
> MS-CHAP-Error = "\010E=691 R=0 C=fefbe43603701f99844df4f72dfc01ac V=3
> M=Authentication rejected"
>
> EAP-Message = 0x04080004
>
> Message-Authenticator = 0x
>
>
>
>
>
> Anyone have idea, how to resolve this error.
>
>
>
> Thanks & Regards,
>
> Nikunj Vachhani.
>
> Network Engineer.
>
> 99091 10490
>
>
>
> *From:* Nikunj Vacchani via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* 16 November 2022 07:29 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Nikunj Vacchani 
> *Subject:* [PacketFence-users] ldap authentication failed
>
>
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
>
>
>
> Hello everyone,
>
>
>
> I'm facing an issue when I'm trying to authenticate with an LDAP user.
>
>
>
> ERROR,
>
>
>
> chrooted_mschap: Program returned code (1) and output 'The attempted logon
> is invalid. This is either due to a bad username or authentication
> information. (0xc06d)'
>
>
>
> how to resolve this issue.
>
>
>
> Thanks & Regards,
>
> Nikunj Vachhani.
>
> Network Engineer.
>
> 99091 10490
>
>
>
> DISCLAIMER : The content of this email is confidential and intended for
> the recipient specified in message only. It is strictly forbidden to share
> any part of this message with any third party, without a written consent of
> the sender. If you received this message by mistake, please reply to this
> message and follow with its deletion, so that we can ensure such a mistake
> does not occur in the future.
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] New v12.1 - RADIUS - Configure the Eduroam source

2022-11-23 Thread Fabrice Durand via PacketFence-users
Hello Thirunavukkarasu,

in the authentication source, add a new RADIUS source (like
tlrs1.eduroam.us) and afterwards create the Eduroam source where you will
select the RADIUS source you created previously.

Regards
Fabrice


Le mer. 23 nov. 2022 à 08:46, P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi Team,
> Now in the document for v12.1 the following is the new addition.
> That it is given to configure each RADIUS source for eduroam servers
>
>
>
>
>
> *https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eduroam*
>
> *First create RADIUS sources for each Eduroam servers you want to define. To do
> that click New internal source and choose RADIUS. Fill the Name,
> Description, Host, Port, Secret and disable Monitor. (The information to
> configure that source could be found on the Eduroam platform)*
> I am not clear in configuring the RADIUS sources for the eduroam
> Can anyone plz explain this?
> Regards,
> Thirunavukkarasu
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Disable default connection profile

2022-11-16 Thread Fabrice Durand via PacketFence-users
Hello James,

trying to remove the default profile is not a good idea since if no profile
matches then nothing will work.

The default is the last resort one if none matches, so be sure to have
one that matches your filter (like the ssid) and keep the default one.

Regards
Fabrice

Le mer. 16 nov. 2022 à 08:30, James Andrewartha via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi,
>
> I'm trying to understand connection profiles, and so wanted to disable
> the default so it's not matched, or at least not matched first. But I
> can't disable it or reorder it. I tried this at the top of profiles.conf
> but that just disabled all the other profiles instead:
>
> [default]
> status=disabled
>
> Should I just be changing it to suit my own needs? Or could I delete
> profiles.conf.defaults?
>
> Thanks,
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
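The two profile questions above (the REJECT role overwritten by an autoregistration profile, and the default profile being the last resort) come down to the same rule: profiles are evaluated in their configured order and the first match wins. The model below is an added example of that selection logic, not PacketFence's own code; the profile names, filter attributes, sources and request values are constructed.

```python
"""Model of PacketFence-style connection profile selection: profiles are tried
in their configured order, the first one whose filter matches wins, and the
'default' profile (empty filter) is the last resort. Added example only, not
PacketFence's own code; profile names, attributes and sources are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Profile:
    name: str
    # every condition must equal the request/node attribute of the same name
    # ('all' match style); an empty dict matches everything, as default does
    conditions: Dict[str, Optional[str]] = field(default_factory=dict)
    sources: Tuple[str, ...] = ()
    # role assigned when this profile auto-registers the node (None = no autoreg)
    autoregister_role: Optional[str] = None


def matches(profile: Profile, ctx: Dict[str, Optional[str]]) -> bool:
    return all(ctx.get(key) == value for key, value in profile.conditions.items())


def select_profile(profiles: List[Profile], ctx: Dict[str, Optional[str]]) -> Profile:
    """First match in configured order wins; without a catch-all profile a
    request that matches nothing has no profile at all."""
    for profile in profiles:
        if matches(profile, ctx):
            return profile
    raise LookupError("no connection profile matched and no default profile present")


def select_or_none(profiles: List[Profile], ctx: Dict[str, Optional[str]]) -> Optional[Profile]:
    """Same as select_profile but returns None instead of raising."""
    try:
        return select_profile(profiles, ctx)
    except LookupError:
        return None


def resulting_role(profiles: List[Profile], ctx: Dict[str, Optional[str]]) -> Optional[str]:
    """Role the node ends up with: an auto-registering profile overwrites the
    current role, a profile without autoreg (e.g. a black_hole source) keeps it."""
    profile = select_profile(profiles, ctx)
    if profile.autoregister_role is not None:
        return profile.autoregister_role
    return ctx.get("category")


EAP_WIFI = "Wireless-802.11-EAP"

# Constructed profile order for the REJECT scenario: a profile that catches
# category REJECT on the secure SSID is placed before the staff BYOD autoreg
# profile, and default is kept last.
PROFILES = [
    Profile("reject_secure", {"category": "REJECT", "ssid": "secure_ssid"},
            sources=("black_hole",)),
    Profile("staff_byod", {"ssid": "secure_ssid", "connection_type": EAP_WIFI},
            sources=("ad_users_byod",), autoregister_role="staffbyod"),
    Profile("default", {}, sources=("local",)),
]

# Same profiles with the REJECT catcher after the autoreg one: order decides.
PROFILES_WRONG_ORDER = [PROFILES[1], PROFILES[0], PROFILES[2]]

# Same profiles with the default removed, as the second thread tried to do.
PROFILES_NO_DEFAULT = PROFILES[:-1]


def rejected_node() -> Dict[str, Optional[str]]:
    """Constructed request: a node an admin manually set to REJECT, reconnecting."""
    return {"category": "REJECT", "ssid": "secure_ssid", "connection_type": EAP_WIFI}


def unknown_node() -> Dict[str, Optional[str]]:
    """Constructed request: an unregistered node on the secure SSID."""
    return {"category": None, "ssid": "secure_ssid", "connection_type": EAP_WIFI}


if __name__ == "__main__":
    print(select_profile(PROFILES, rejected_node()).name,
          resulting_role(PROFILES, rejected_node()))
    print(select_profile(PROFILES_WRONG_ORDER, rejected_node()).name,
          resulting_role(PROFILES_WRONG_ORDER, rejected_node()))
    print(select_profile(PROFILES, {"ssid": "guest"}).name)
```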


Re: [PacketFence-users] Audit Logs History

2022-11-14 Thread Fabrice Durand via PacketFence-users
Hello Alexander,

have a look here:

https://mgmt_ip:1443/admin#/configuration/maintenance_task/radius_audit_log_cleanup

and change the window value.

Regards
Fabrice



Le lun. 14 nov. 2022 à 09:24, Alexander via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello. Please tell me how to set up the radius audit log history? I want
> to store 802.1x login history but it clears every other day
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] DHCP issues on registration network both 11.2 & 12.0

2022-11-11 Thread Fabrice Durand via PacketFence-users
Hello,
I was able to replicate and push a patch in the maintenance 12.0 to fix the
mysql pool backend.
https://github.com/inverse-inc/packetfence/commit/f4685bd3318cb2282a36654b7cdb3daa3583c3c3
https://github.com/inverse-inc/packetfence/commit/4e9ae1c39b7a33b0859fe3a7a93c9552c6e969c7

The maintenance should be available tomorrow.
Regards
Fabrice

Le jeu. 10 nov. 2022 à 05:02, Giacinto Caretto via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello, any suggestions?
>
> If it is useful I have the dhcp logs in debug mode.
>
> Thank you
>
> GC
>
>
>
> */*/*/*/*/*/*/*/*/*/*/*/*/*/*/
>
> Giacinto Caretto.
>
> TERIN-ICT-RETE
>
> giacinto.care...@enea.it
>
> ENEA - CR Brindisi
>
> */*/*/*/*/*/*/*/*/*/*/*/*/*/*
>
>
>
>
> --
>
> This message and its attachments are addressed exclusively to the persons
> indicated, and the e-mail box from which it was sent is to be regarded as a
> corporate tool.
>
> Dissemination, copying or any other action based on knowledge of this
> information is strictly forbidden (art. 616 c.p., D.Lgs. n. 196/2003 as
> amended and GDPR Regulation EU 2016/679).
>
> If you have received this document by mistake, you are kindly requested to
> notify the sender immediately and to destroy it. Thank you.
>
> This e-mail and any attachments is confidential and may contain privileged
> information intended for the addressee(s) only.
>
> Dissemination, copying, printing or use by anybody else is unauthorised
> (art. 616 c.p, D.Lgs. n. 196/2003 and subsequent amendments and GDPR UE
> 2016/679).
>
> If you are not the intended recipient, please delete this message and any
> attachments and advise the sender by return e-mail. Thanks.
> --
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Windows client automatically login using hostname and hit non-exist realm

2022-11-04 Thread Fabrice Durand via PacketFence-users
Hello Irvan,

yes it's normal, we did some unlang to mimic the way the realm is set when
packetfence receives a machine authentication.

https://github.com/inverse-inc/packetfence/blob/devel/raddb/policy.d/packetfence#L36

Regards
Fabrice


Le ven. 4 nov. 2022 à 08:34, Irvan via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello Ludovic,
>
> Thank you for your explanation.
> How about the realm? According to the log, when Windows sends the computer account
> as login, Packetfence puts it on Realm = "binus.local". But we never set up
> that realm.
> Is it normal too?
>
>
>
> Regards,
> Irvan.
>
> On Thu, Nov 3, 2022 at 12:16 AM Zammit, Ludovic 
> wrote:
>
>> Hello Irvan,
>>
>> It looks pretty normal that the windows sends the computer account
>> because it’s the default behavior.
>>
>> What is not normal, is that if you have at least one successful
>> authentication on the wifi with a username password, it should keep that
>> one and not re-ask again.
>>
>> All that can be configured on the SSID profile on windows.
>>
>> Thanks,
>>
>>
>> *Ludovic Zammit*
>> *Product Support Engineer Principal Lead*
>> *Cell:* +1.613.670.8432
>> Akamai Technologies - Inverse
>> 145 Broadway
>> Cambridge, MA 02142
>>
>> On Nov 2, 2022, at 1:45 AM, Irvan via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello Everyone,
>>
>>
>> We have strange behaviour with Windows Client connecting to dot1x WiFi on
>> Packetfence using AD Authentication source.
>>
>> The symptoms are :
>>
>> - When the Windows client connects to the SSID for the first time, it is asked for
>> a username and password to log in.
>> - But if the client forgets the SSID and tries to reconnect, Windows never asks for
>> a username and password; it automatically sends the hostname as login to
>> packetfence, and it is accepted by packetfence.
>> - The same thing happens when the user comes back the next day: Windows
>> sends the hostname as login instead of the username and it is also accepted by
>> packetfence
>>
>> We don't set up any machine auth, only user auth. Drilling down to the radius
>> log, we saw that the hostname login hit a non-existent realm. Using username and
>> password the client hits the null realm. But when Windows sends the hostname it hits
>> the binus.local realm, which never existed.
>>
>> Below are the radius log and realm.conf
>>
>> 1. Using user auth
>> ===
>> Request Time
>> 0
>>
>> RADIUS Request
>> User-Name = "loudy.owen"
>> NAS-IP-Address = 10.21.36.41
>> NAS-Port = 4
>> Service-Type = Framed-User
>> State = 0x6067228e61c0382594e9daec37da5a60
>> Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x"
>> Calling-Station-Id = "70:66:55:34:28:f3"
>> NAS-Identifier = "90-3A-72-03-18-90"
>> NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "6361F1F4-03189001"
>> Acct-Multi-Session-Id = "88DA8FBC70CEC821"
>> Event-Timestamp = "Nov  2 2022 11:28:41 WIB"
>> Connect-Info = "CONNECT 802.11"
>> EAP-Message = 0x02a700061a03
>> Chargeable-User-Identity = 0x00
>> Location-Data = 0x31304944170d42696e7573205379616864616e
>> WLAN-Pairwise-Cipher = 1027076
>> WLAN-Group-Cipher = 1027076
>> WLAN-AKM-Suite = 1027073
>> FreeRADIUS-Proxied-To = 127.0.0.1
>> Ruckus-SSID = "BinusWifi-Staff.1x"
>> Ruckus-Wlan-Id = 508
>> Ruckus-Location = "Binus Syahdan"
>> Ruckus-SCG-CBlade-IP = 180933220
>> Ruckus-VLAN-ID = 1220
>> Ruckus-BSSID = 0x903a7243189d
>> Ruckus-Zone-Name = "AP-Zone-Syahdan"
>> Ruckus-Wlan-Name = "VlanPool2"
>> EAP-Type = MSCHAPv2
>> Stripped-User-Name = "loudy.owen"
>> Realm = "null"
>> Called-Station-SSID = "BinusWifi-Staff.1x"
>> PacketFence-Domain = "binus"
>> PacketFence-KeyBalanced = "10a6d36fd6ec338584a72fcbe75f86ba"
>> PacketFence-Radius-Ip = "10.200.210.87"
>> PacketFence-NTLMv2-Only = ""
>> PacketFence-Outer-User = "loudy.owen"
>> Attr-26.25053.155 = 0x5379616864616e2043616d707573
>> User-Password = "**"
>> SQL-User-Name = "loudy.owen"
>>
>> RADIUS Reply
>> EAP-Message = 0x03a70004
>> Message-Authenticator = 0x
>> User-Name = "loudy.owen"
>> REST-HTTP-Status-Code = 200
>>
>> ==
>>
>> 2. Using hostname
>> ===
>> Request Time
>> 0
>>
>> RADIUS Request
>> User-Name = "host/NB202007000166.binus.local"
>> NAS-IP-Address = 10.21.36.41
>> NAS-Port = 4
>> Service-Type = Framed-User
>> State = 0xb4483109b5402b5768b5cf1f24ad1e9e
>> Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x"
>> Calling-Station-Id = "70:66:55:34:28:f3"
>> NAS-Identifier = "90-3A-72-03-18-90"
>> NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "6361F350-03189001"
>> Acct-Multi-Session-Id = "3DD47C3ED408529E"
>> Event-Timestamp = "Nov  2 2022 11:34:26 WIB"
>> Connect-Info = "CONNECT 802.11"
>> EAP-Message = 0x
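The realm seen in this thread is derived from the shape of User-Name: `host/NB202007000166.binus.local` yields the DNS suffix as realm, `RRU\test` from the ldap authentication thread above yields the NT domain, and a bare `loudy.owen` yields none. The parser below is an added example of that derivation (modelled on FreeRADIUS's suffix and ntdomain policies plus the machine-account case), not PacketFence's unlang; the function names and the configured-realm check are mine, and the sample names are the ones quoted in the threads.

```python
"""Realm derivation for RADIUS User-Name values. Added example modelled on the
FreeRADIUS 'ntdomain' and 'suffix' policies plus the host/FQDN machine-account
case discussed in the thread; not PacketFence's own unlang."""
import re
from typing import Optional, Set, Tuple

# host/<machine>.<dns suffix>  ->  the DNS suffix becomes the realm
HOST_RE = re.compile(r"^host/([^.]+)\.(.+)$", re.IGNORECASE)


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (stripped_user_name, realm), trying the formats in the order a
    RADIUS server applies them: DOMAIN\\user, user@realm, host/MACHINE.fqdn.
    A bare user name has no realm (shown as Realm = "null" in the audit log)."""
    if "\\" in user_name:                       # ntdomain: RRU\test
        domain, user = user_name.split("\\", 1)
        return user, domain
    if "@" in user_name:                        # suffix: user@realm
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    machine = HOST_RE.match(user_name)
    if machine:                                 # host/NB2020...binus.local
        return machine.group(1), machine.group(2)
    return user_name, None                      # plain user name


def classify_realm(user_name: str, configured: Set[str]) -> str:
    """'null' when no realm is derived, 'configured' when the derived realm is
    one of the configured realms (case-insensitive), else 'unconfigured'.
    The last case is what the machine-account login in the thread hit."""
    _, realm = split_realm(user_name)
    if realm is None:
        return "null"
    known = {r.lower() for r in configured}
    return "configured" if realm.lower() in known else "unconfigured"


if __name__ == "__main__":
    # Constructed set of configured realms: only the built-in ones.
    realms = {"null", "default"}
    for name in ("loudy.owen", "host/NB202007000166.binus.local", "RRU\\test"):
        print(name, split_realm(name), classify_realm(name, realms))
```

Running it against the audit logs' User-Name values shows which logins land on a realm that was never configured, which is the condition to alert on if machine authentication is not intended.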

Re: [PacketFence-users] packetfence freeipa (ldap) mschapv2 not working

2022-10-31 Thread Fabrice Durand via PacketFence-users
The answer is in the packetfence.log file.
Paste it when you connect.

Le lun. 31 oct. 2022, 18 h 23, Alexander  a
écrit :

> Thank you very much! I achieved what was described by changing the base
> config. I get *[mschap] = ok*. But I am now getting a different error!
> Could you see the file attachment?
>
> (0) mschap: Found NT-Password
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: adding MS-CHAPv1 MPPE keys
> *(0) [mschap] = ok*
>
> *..*
> (0) rest: Expanding URI components
> (0) rest: EXPAND http://containers-gateway.internal:7070
> (0) rest:--> http://containers-gateway.internal:7070
> (0) rest: EXPAND //radius/rest/authorize
> (0) rest:--> //radius/rest/authorize
> (0) rest: Sending HTTP POST to "
> http://containers-gateway.internal:7070//radius/rest/authorize";
> (0) rest: Encoding attribute "User-Name"
> (0) rest: Encoding attribute "NAS-IP-Address"
> (0) rest: Encoding attribute "NAS-Port"
> (0) rest: Encoding attribute "Event-Timestamp"
> (0) rest: Encoding attribute "Message-Authenticator"
> (0) rest: Encoding attribute "MS-CHAP-Response"
> (0) rest: Encoding attribute "MS-CHAP-Challenge"
> (0) rest: Encoding attribute "Stripped-User-Name"
> (0) rest: Encoding attribute "Realm"
> (0) rest: Encoding attribute "Module-Failure-Message"
> (0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
> (0) rest: Encoding attribute "PacketFence-UserNameAttribute"
> (0) rest: Encoding attribute "PacketFence-KeyBalanced"
> (0) rest: Encoding attribute "PacketFence-Radius-Ip"
> (0) rest: Encoding attribute "PacketFence-NTLMv2-Only"
> (0) rest: Processing response header
>
>
>
>
> (0) rest: Status : 401 (Unauthorized)
> (0) rest: Type : json (application/json)
> (0) rest: Adding reply:REST-HTTP-Status-Code = "401"
> (0) rest: ERROR: Server returned:
> (0) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow"}
> rlm_rest (rest): Released connection (0)
> *..*
>
> On Mon, 31 Oct 2022 at 22:37, Fabrice Durand wrote:
>
>> Hello Alexander,
>>
>> the difference is in the default radius config: it calls the ldap module
>> in the authorize section.
>>
>> You can follow this logic in
>> https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
>> (it's based on freeradius 2 but the logic is there)
>>
>> ```
>> authorize {
>>     suffix
>>     ntdomain
>>     ldap
>>     if (ok) {
>>         update control {
>>             MS-CHAP-Use-NTLM-Auth := No
>>         }
>>     }
>> }
>> ```
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On Mon, 31 Oct 2022 at 13:25, Alexander via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello friends! I need help
>>>
>>> I am testing a *locally installed freeradius* configuration to work with
>>> freeipa (ldap) on nthash via mschap-v2
>>>
>>> What I did for this:
>>>
>>> 1) yum install freeradius-ldap
>>> 2) ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
>>> 3) change /etc/raddb/mods-available/ldap
>>>
>>> server = 'server.dmosk.local'
>>> identity = 'uid=services,cn=users,cn=accounts,dc=test,dc=com'
>>> password = my_password
>>> base_dn = 'cn=users,cn=accounts,dc=test,dc=com'
>>> update {
>>> ...
>>> control:NT-Password := 'ipaNTHash'
>>> ...
>>> 4) change /etc/raddb/mods-available/eap
>>> ...
>>> default_eap_type = mschapv2
>>> ...
>>> 5) reload freeradius
>>> 6) TESTING:
>>> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
>>>
>>> and get Received *Access-ACCEPT*
>>>
>>> *Question:*
>>> Can anyone tell me how to set up this configuration on packetfence?
>>> I tried to do this, but it didn't work for me:
>>> 1. Create authentication source - LDAP - define server, identity,
>>> password, base_dn, Username Attribute. And checked through the test button
>>> 2. add update control:NT-Password := 'ipaNTHash' to file
>>> /usr/local/pf/raddb/mods-enabled/ldap_packetfence
>>> 3. change default_eap_type = mschapv2
>>> in /usr/local/pf/raddb/mods-enabled/eap
>>> 4. add to Standard Connection Profile sources ldap
>>> 5. tried adding default and null in tab stripping to Realms - ldap source
>>> 6. TESTING:
>>> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
>>> and get:
>>>
>>> Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:56955
>>> length 61
>>> MS-CHAP-Error = "\000E=691 R=0 C=1cef2a7d250330ff V=2"
>>> (0) -: Expected Access-Accept got Access-Reject
>>>
>>> I do not understand what the problem is. I also attached the logs of
>>> freeradius running in debug mode (/usr/sbin/freeradius -d
>>> /usr/local/pf/raddb -n auth -fxx -l stdout). See attachment. Please help me.
>>>
>>> ___
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>

Re: [PacketFence-users] packetfence freeipa (ldap) mschapv2 not working

2022-10-31 Thread Fabrice Durand via PacketFence-users
Hello Alexander,

the difference is in the default radius config: it calls the ldap module in
the authorize section.

You can follow this logic in
https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
(it's based on freeradius 2 but the logic is there)

```
authorize {
    suffix
    ntdomain
    ldap
    if (ok) {
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
}
```

Regards

Fabrice


On Mon, 31 Oct 2022 at 13:25, Alexander via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello friends! I need help
>
> I am testing a *locally installed freeradius* configuration to work with
> freeipa (ldap) on nthash via mschap-v2
>
> What I did for this:
>
> 1) yum install freeradius-ldap
> 2) ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
> 3) change /etc/raddb/mods-available/ldap
>
> server = 'server.dmosk.local'
> identity = 'uid=services,cn=users,cn=accounts,dc=test,dc=com'
> password = my_password
> base_dn = 'cn=users,cn=accounts,dc=test,dc=com'
> update {
> ...
> control:NT-Password := 'ipaNTHash'
> ...
> 4) change /etc/raddb/mods-available/eap
> ...
> default_eap_type = mschapv2
> ...
> 5) reload freeradius
> 6) TESTING:
> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
>
> and get Received *Access-ACCEPT*
>
> *Question:*
> Can anyone tell me how to set up this configuration on packetfence?
> I tried to do this, but it didn't work for me:
> 1. Create authentication source - LDAP - define server, identity,
> password, base_dn, Username Attribute. And checked through the test button
> 2. add update control:NT-Password := 'ipaNTHash' to file
> /usr/local/pf/raddb/mods-enabled/ldap_packetfence
> 3. change default_eap_type = mschapv2
> in /usr/local/pf/raddb/mods-enabled/eap
> 4. add to Standard Connection Profile sources ldap
> 5. tried adding default and null in tab stripping to Realms - ldap source
> 6. TESTING:
> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
> and get:
>
> Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:56955
> length 61
> MS-CHAP-Error = "\000E=691 R=0 C=1cef2a7d250330ff V=2"
> (0) -: Expected Access-Accept got Access-Reject
>
> I do not understand what the problem is. I also attached the logs of
> freeradius running in debug mode (/usr/sbin/freeradius -d
> /usr/local/pf/raddb -n auth -fxx -l stdout). See attachment. Please help me.
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
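The MS-CHAP-Error in the Access-Reject quoted above can be decoded by hand. As an added example (not code from the thread, PacketFence or FreeRADIUS), here is a small Python parser for that attribute following the failure-message layout of RFC 2759 section 6; the function names and the second sample value are my own.

```python
"""Decode an MS-CHAP-Error attribute as FreeRADIUS and radtest print it.

Added example, not PacketFence or FreeRADIUS code. The value from the
Access-Reject in the thread,
    MS-CHAP-Error = "\\000E=691 R=0 C=1cef2a7d250330ff V=2"
is an Ident byte followed by the RFC 2759 section 6 failure message
"E=<code> R=<retry> C=<challenge hex> V=<version> [M=<message>]".
"""
import re

# Failure codes listed in RFC 2759 section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# FreeRADIUS prints a non-printable Ident byte as a C-style octal escape.
_OCTAL_IDENT = re.compile(r"\\([0-7]{3})")


def parse_mschap_error(raw: str) -> dict:
    """Split an MS-CHAP-Error string into its fields.

    `raw` is the value exactly as it appears in the debug output, so the
    leading Ident byte may be a literal character or an escaped octal
    triplet such as \\000.
    """
    if not raw:
        raise ValueError("empty MS-CHAP-Error")
    m = _OCTAL_IDENT.match(raw)
    if m:
        ident, body = int(m.group(1), 8), raw[m.end():]
    else:
        ident, body = ord(raw[0]), raw[1:]

    # M= is optional, always last, and may itself contain spaces.
    body, _, message = body.partition(" M=")

    fields = dict(re.findall(r"\b([ERCV])=(\S*)", body))
    missing = {"E", "R", "C", "V"} - set(fields)
    if missing:
        raise ValueError(f"MS-CHAP-Error missing fields: {sorted(missing)}")

    code = int(fields["E"])
    return {
        "ident": ident,
        "error": code,
        "error_name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        # R=1 means the peer may retry against the same challenge.
        "retry_allowed": fields["R"] == "1",
        "challenge": bytes.fromhex(fields["C"]),
        "version": int(fields["V"]),
        "message": message or None,
    }


def explain(raw: str) -> str:
    """One-line summary suitable for a log reader or an alert."""
    f = parse_mschap_error(raw)
    hints = {
        647: "the account is disabled",
        648: "the password has expired",
        691: ("generic authentication failure: the response did not verify; "
              "the FreeRADIUS debug log, not this code, shows whether an "
              "NT-Password was found for the user"),
    }
    retry = "yes" if f["retry_allowed"] else "no"
    hint = hints.get(f["error"], "see RFC 2759 section 6")
    return f"E={f['error']} {f['error_name']} (v{f['version']}, retry={retry}): {hint}"


if __name__ == "__main__":
    # The exact value from the Access-Reject in the thread.
    print(explain(r"\000E=691 R=0 C=1cef2a7d250330ff V=2"))
```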


Re: [PacketFence-users] How to change freeradius auth and acct ports?

2022-10-27 Thread Fabrice Durand via PacketFence-users
Hello Alexander,

it can be done in the configuration file
/usr/local/pf/conf/radiusd/auth.conf


On Thu, 27 Oct 2022 at 08:20, Alexander via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

>
> Hello friends, please tell me how to change the auth and acct ports on
> freeradius in packetfence. I can log in and change them in the virtual machine,
> but I'm not sure if this is normal.
>


Re: [PacketFence-users] How to change freeradius auth and acct ports?

2022-10-27 Thread Fabrice Durand via PacketFence-users
```
listen {
    ipaddr = [% ip %]
    port = 1234
    type = auth
    virtual_server = [% virtual_server %]
}
```


On Thu, 27 Oct 2022 at 08:39, Fabrice Durand wrote:

> Hello Alexander,
>
> it can be done in the configuration file
> /usr/local/pf/conf/radiusd/auth.conf
>
>
> On Thu, 27 Oct 2022 at 08:20, Alexander via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>>
>> Hello friends, please tell me how to change the auth and acct ports on
>> freeradius in packetfence. I can log in and change them in the virtual machine,
>> but I'm not sure if this is normal.
>>
>


Re: [PacketFence-users] Issues with machine authentication using MS-CHAPv2

2022-10-24 Thread Fabrice Durand via PacketFence-users
Hello Matthies,

can you provide the radius debug section where you can see the call to
ntlm_auth ?

Regards
Fabrice


On Mon, 24 Oct 2022 at 11:29, Matthies, Heiko via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> I troubleshot this issue a little further and discovered that there
> is no authentication sent to the domain controllers when using machine
> authentication. When switching to user auth, everything works fine and I
> see packets in the tcpdump.
>
> Is there something I’m missing? According to the official guide, this
> should work out of the box…
>
>
>
> Kind Regards
>
>
>
> Heiko Matthies
>
>
>
>
>
> 
>
>
> *ASAP Engineering GmbH* Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 399
> heiko.matth...@asap.de | www.asap.de
>
> Managing directors: Michael Neisen, Robert Werner, Christian Schweiger |
> Registered office: Gaimersheim | Commercial register: Ingolstadt HRB 5408
>
> Data protection: detailed information on how ASAP handles your personal
> data is available on our website under Data protection.
>
> *From:* Matthies, Heiko via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Tuesday, 18 October 2022 18:21
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Matthies, Heiko
> *Subject:* [PacketFence-users] Issues with machine authentication using
> MS-CHAPv2
>
>
>
> Hello Guys,
>
>
>
> I’m trying to implement machine and user authentication on Windows 10
> clients via MS-CHAPv2 using Packetfence v11.1. While the user
> authentication works like a charm, I’m having trouble setting up the
> machine authentication. I got the following log information from the radius
> debug log:
>
>
>
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: Auth-Type
> MS-CHAP {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'host/
> IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.23.16.10'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1500'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'State'} = &request:State -> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id ->
> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id ->
> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 18 2022
> 18:52:46 CEST'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message ->
> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id ->
> 'Tengigabitethernet1/0/45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'EAP-Key-Name'} = &request:EAP-Key-Name -> '0x00'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To ->
> '127.0.0.1'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'MS-CHAP-Challenge'} = &request:MS-CHAP-Challenge ->
> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'MS-CHAP2-Response'} = &request:MS-CHAP2-Response ->
> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'MSCHAPv2'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'Realm'} = &request:Realm -> 'group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'MS-CHAP-User-Name'} = &request:MS-CHAP-User-Name -> 'host/
> IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'PacketFence-Domain'} = &request:PacketFence-Domain -> 'group'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
> $RAD_REQUEST{'PacketFence-KeyBalanced'} = &request:PacketFence-KeyBalanced
> -> ''

Re: [PacketFence-users] Multiple ACLs and Aruba 6300M

2022-10-24 Thread Fabrice Durand via PacketFence-users
Hello Regimantas,

alright, sorry for the delayed response.

So let's follow these steps and see what happens on the switch.

First edit this file (/usr/local/pf/raddb/mods-config/files/authorize) and
add at the end (replace 02-00-00-00-00-00 with the mac address of the
device you are testing with):

```
02-00-00-00-00-00 Auth-Type := Local, User-Password == 02-00-00-00-00-00
    Nas-FILTER-Rule = "permit in tcp from any to host 10.10.10.101",
    Nas-FILTER-Rule += "deny in tcp from any to any"
```

Then edit /usr/local/pf/conf/radiusd/packetfence and uncomment #files (line
104 on my side)

```
[% authorize_eap_choice %]

#
#  Read the 'users' file.  In v3, this is located in
#  raddb/mods-config/files/authorize
files

# Accept any non-eap request and send it to the packetfence
# module for authorization
if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") {
    update {
        &control:Auth-Type := Accept
    }
}
```


Next you have to restart radiusd:

/usr/local/pf/bin/pfcmd service radiusd restart

Then connect your device on the switch port (mac auth and not 802.1x) and
you should be able to see the Nas-Filter-Rule attributes in the reply.


(0) Mon Oct 24 13:20:48 2022: Debug: Sent Access-Accept Id 85 from 172.105.98.135:1812 to 172.105.98.135:45454 length 108
(0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "permit in tcp from any to host 10.10.10.101"
(0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "deny in tcp from any to any"
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Type = VLAN
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Private-Group-Id = "2"
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Medium-Type = IEEE-802
(0) Mon Oct 24 13:20:48 2022: Debug: Finished request

And check on the switch side if they apply correctly.

Let me know if it works, because as you can see there is no difference
between what packetfence returns and what we have in the reply from the
users file.

Regards
Fabrice



On Tue, 18 Oct 2022 at 08:42, Fabrice Durand wrote:

> Let me prepare the config on my side and I will share with you what needs
> to be done in the freeradius config.
> I will be back to you shortly.
>
>
> On Tue, 18 Oct 2022 at 08:38, Regimantas Pabrėža <
> regimantas.pabr...@limedika.lt> wrote:
>
>> Sure I would like to get it resolved.
>>
>>
>>
>> 802.1X authentication is a new thing to me and I'm currently testing it
>> so any help setting up FreeRADIUS is more than welcome 😊
>>
>>
>>
>> Regards,
>>
>> Regimantas Pabrėža
>> IT Administrator
>>
>> Mob. +370 675 02148
>>
>>
>>
>> *From:* Fabrice Durand 
>> *Sent:* Tuesday, October 18, 2022 3:20 PM
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Regimantas Pabrėža 
>> *Subject:* Re: [PacketFence-users] Multiple ACLs and Aruba 6300M
>>
>>
>>
>> Hello Regimantas,
>>
>>
>>
>> I would like to see this fixed since it's an issue we saw a lot of times on
>> the mailing list.
>>
>> Since I don't have an aruba switch on my side, is it possible to configure
>> freeradius to use the file to answer the radius request and see the result
>> with raddebug?
>>
>> With that we will be able to compare and see exactly what happens.
>>
>>
>>
>> Btw += is unlang and is a way to append values in attributes (like an
>> array) and this is what we do internally in PacketFence.
>>
>>
>>
>> Let me know if you need help to set up the freeradius with the file.
>>
>>
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>>
>>
>> On Mon, 17 Oct 2022 at 08:38, Regimantas Pabrėža via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello,
>>
>>
>>
>> I'm trying to push multiple ACLs from packetfence to aruba 6300m but only
>> the first line appears on the switch side
>>
>>
>>
>> Configuration on packetfence: Configuration -> Policies and Access
>> Control -> Switches -> Roles
>>
>>
>>
>> Radius reply on packetfence: Auditing -> RADIUS Audit Logs -> RADIUS
>>
>>
>>
>> Switch configuration:
>>
>>
>>
>>
>>
>> Has anyone managed to push multiple lines to Aruba 6300M?
>>
>>
>>
>> Checking examples in documentation on the hpe site I see one strange thing.
>> The first NAS-FILTER-Rule command has = (equal sign) and the other
>> NAS-FILTER-Rule commands have += (plus and equal sign)
>>
>>
>>
>>
>>
>> Packetfence RADIUS reply shows both commands with = (equal sign)
>>
>>
>>
>> Maybe that's the case but I don't know how to change it on packetfence
>>
>>
>>
>> Regards,
>>
>> Regimantas Pabrėža
>> IT Administrator
>> UAB „Limedika“
>> Erdvės g. 51, Ramučiai, LT-52114, Kaunas district, Lithuania
>> Mob. +370 675 02148
>>
>>
>>
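To make the users-file test above repeatable, here is an added example (not code from the thread, PacketFence or FreeRADIUS) that builds the users-file entry from an access list and checks a raddebug capture for the NAS-Filter-Rule attributes actually sent. The function names are mine; the sample debug output is the one posted above, unwrapped.

```python
"""Check that every access-list line leaves FreeRADIUS as its own
NAS-Filter-Rule attribute.

Added example, not PacketFence or FreeRADIUS code. It automates the two
halves of the test in this thread: writing the
raddb/mods-config/files/authorize entry for a test MAC, and confirming
from raddebug output that all the rules were sent, so that a rule missing
on the switch can be blamed on the switch side.
"""
import re

# Taken from the raddebug output earlier in the thread, unwrapped.
SAMPLE_RADDEBUG = """\
(0) Mon Oct 24 13:20:48 2022: Debug: Sent Access-Accept Id 85 from 172.105.98.135:1812 to 172.105.98.135:45454 length 108
(0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "permit in tcp from any to host 10.10.10.101"
(0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "deny in tcp from any to any"
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Type = VLAN
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Private-Group-Id = "2"
(0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Medium-Type = IEEE-802
(0) Mon Oct 24 13:20:48 2022: Debug: Finished request
"""

# The access list from the thread.
ACL = [
    "permit in tcp from any to host 10.10.10.101",
    "deny in tcp from any to any",
]


def _quote(value: str) -> str:
    """Double-quote a users-file string, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def users_file_entry(mac: str, rules: list, vlan=None) -> str:
    """Build a users-file entry that answers MAC authentication for `mac`.

    `mac` must be spelled exactly as the switch sends it in User-Name.
    Reply-item operators matter here: `=` adds the attribute only if the
    reply does not already carry one, `+=` appends another instance. So
    the first rule uses `=` and the rest `+=`, as the HPE examples do;
    two plain `=` lines would leave only the first rule in the reply.
    The RADIUS packet itself has no operators, which is why PacketFence's
    audit log shows `=` for every attribute it sent.
    """
    if not rules:
        raise ValueError("at least one rule is required")
    check = f"{mac} Auth-Type := Local, User-Password == {mac}"
    reply = [
        f"\tNAS-Filter-Rule {'=' if i == 0 else '+='} {_quote(rule)}"
        for i, rule in enumerate(rules)
    ]
    if vlan is not None:
        reply += [
            "\tTunnel-Type = VLAN",
            "\tTunnel-Medium-Type = IEEE-802",
            f"\tTunnel-Private-Group-Id = {_quote(str(vlan))}",
        ]
    # Reply items are comma-separated continuation lines; the last has no comma.
    return check + "\n" + ",\n".join(reply) + "\n"


_SENT = re.compile(r"Sent Access-(Accept|Reject|Challenge)")
_RULE = re.compile(r'NAS-Filter-Rule\s*\+?=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)


def nas_filter_rules_from_debug(debug_text: str) -> list:
    """Return the NAS-Filter-Rule values, in order, from the reply
    block(s) of raddebug / radiusd -X output."""
    rules, in_reply = [], False
    for line in debug_text.splitlines():
        if _SENT.search(line):
            in_reply = True
        elif "Finished request" in line:
            in_reply = False
        elif in_reply:
            m = _RULE.search(line)
            if m:
                # Undo the \" and \\ escapes FreeRADIUS uses when printing.
                rules.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return rules


def missing_rules(expected: list, debug_text: str) -> list:
    """Rules that were configured but never sent. An empty result means
    FreeRADIUS did its part and the gap is on the switch side."""
    sent = nas_filter_rules_from_debug(debug_text)
    return [rule for rule in expected if rule not in sent]


if __name__ == "__main__":
    print(users_file_entry("02-00-00-00-00-00", ACL, vlan=2))
    print("missing:", missing_rules(ACL, SAMPLE_RADDEBUG))
```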

Re: [PacketFence-users] Role-Based CLI Access

2022-10-18 Thread Fabrice Durand via PacketFence-users
You can only do that with tacacs, not with radius.
The only thing you can do is to give read/write access to the switch, not
define the commands you can use.

On Tue, 18 Oct 2022 at 16:33, DeSantos, Matthew via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I’m also interested in this setup. Does anyone have a working example?
>
>
>
> *From:* Mr.Pine via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Saturday, October 15, 2022 1:48 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Mr.Pine 
> *Subject:* [PacketFence-users] Role-Based CLI Access
>
>
>
>
>
>
> Hi,
>
> I want to know if pf can manage Role-Based CLI Access for a Cisco switch, for
> example to define what commands are accepted and what configuration
> information is visible for users.
>
> Any ideas?!
>


Re: [PacketFence-users] No DHCP working after Upgrade to PF12

2022-10-18 Thread Fabrice Durand via PacketFence-users
Hello Dennis,

we will investigate and be back with a patch.
Btw it looks like the issue appeared when we changed the db to utf8.

Regards
Fabrice


On Mon, 17 Oct 2022 at 09:50, Schüller Dennis via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hey All,
>
> I’ve updated our PF Cluster to the new Version 12.
>
> But now I don’t get any IP-Address in the Registration VLAN.
>
>
>
> That’s the pfdhcp general Log:
>
>
>
> Oct 17 15:42:12 pf4 pfdhcp[134498]: t=2022-10-17T15:42:12+0200 lvl=info
> msg="DHCPDISCOVER from 28:b2:bd:af:bf:f9 (hostname)" pid=134498
> mac=28:b2:bd:af:bf:f9
> Oct 17 15:42:12 pf4 pfdhcp[134498]: t=2022-10-17T15:42:12+0200 lvl=eror
> msg="sql: Scan error on column index 0, name \"@tmp_index\": converting
> NULL to int is unsupported" pid=134498 mac=28:b2:bd:af:bf:f9
>
>
>
>
>
> Any Ideas???
>
>
>
> Thanks a lot!
>
>
>
> Regards from the Green Hell
>
> *p.p. Dennis Schüller*
> System Support
> IT
>
> dennis.schuel...@nuerburgring.de
>
> T +49 (2691) 302 9885
> M +49 151 571 320 36
> F +49 2691 302 9897
>
> Nürburgring 1927
> GmbH & Co. KG
>
> Otto-Flimm-Straße
> 53520 Nürburg
> nuerburgring.de
>
> Please consider the environment before printing this email!
>
> --
> This e-mail has been checked for computer viruses
>
>


Re: [PacketFence-users] Multiple ACLs and Aruba 6300M

2022-10-18 Thread Fabrice Durand via PacketFence-users
Hello Regimantas,

I would like to see this fixed since it's an issue we saw a lot of times on
the mailing list.
Since I don't have an aruba switch on my side, is it possible to configure
freeradius to use the file to answer the radius request and see the result
with raddebug?
With that we will be able to compare and see exactly what happens.

Btw += is unlang and is a way to append values in attributes (like an
array) and this is what we do internally in PacketFence.

Let me know if you need help to set up the freeradius with the file.

Regards
Fabrice


On Mon, 17 Oct 2022 at 08:38, Regimantas Pabrėža via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> I'm trying to push multiple ACLs from packetfence to aruba 6300m but only
> the first line appears on the switch side
>
>
>
> Configuration on packetfence: Configuration -> Policies and Access Control
> -> Switches -> Roles
>
>
>
> Radius reply on packetfence: Auditing -> RADIUS Audit Logs -> RADIUS
>
>
>
> Switch configuration:
>
>
>
>
>
> Has anyone managed to push multiple lines to Aruba 6300M?
>
>
>
> Checking examples in documentation on the hpe site I see one strange thing.
> The first NAS-FILTER-Rule command has = (equal sign) and the other
> NAS-FILTER-Rule commands have += (plus and equal sign)
>
>
>
>
>
> Packetfence RADIUS reply shows both commands with = (equal sign)
>
>
>
> Maybe that's the case but I don't know how to change it on packetfence
>
>
>
> Regards,
>
> Regimantas Pabrėža
> IT Administrator
> UAB „Limedika“
> Erdvės g. 51, Ramučiai, LT-52114, Kaunas district, Lithuania
> Mob. +370 675 02148
>
>
>
>
>
>
> CAUTION - This message and its attachments are intended for the addressee
> named above only and contain privileged or confidential information. If you
> are not the intended recipient of this message you must not use, print,
> copy, distribute or disclose it to anyone other than the addressee. If you
> have received this message in error please return the message to the sender
> by replying to it and then delete the message from your computer.
>
>
>
>
>
>
>


Re: [PacketFence-users] Multiple ACLs and Aruba 6300M

2022-10-18 Thread Fabrice Durand via PacketFence-users
Let me prepare the config on my side and I will share with you what needs
to be done in the freeradius config.
I will be back to you shortly.


On Tue, 18 Oct 2022 at 08:38, Regimantas Pabrėža <
regimantas.pabr...@limedika.lt> wrote:

> Sure I would like to get it resolved.
>
>
>
> 802.1X authentication is a new thing to me and I'm currently testing it
> so any help setting up FreeRADIUS is more than welcome 😊
>
>
>
> Regards,
>
> Regimantas Pabrėža
> IT Administrator
>
> Mob. +370 675 02148
>
>
>
> *From:* Fabrice Durand 
> *Sent:* Tuesday, October 18, 2022 3:20 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Regimantas Pabrėža 
> *Subject:* Re: [PacketFence-users] Multiple ACLs and Aruba 6300M
>
>
>
> Hello Regimantas,
>
>
>
> I would like to see this fixed since it's an issue we saw a lot of times on
> the mailing list.
>
> Since I don't have an aruba switch on my side, is it possible to configure
> freeradius to use the file to answer the radius request and see the result
> with raddebug?
>
> With that we will be able to compare and see exactly what happens.
>
>
>
> Btw += is unlang and is a way to append values in attributes (like an
> array) and this is what we do internally in PacketFence.
>
>
>
> Let me know if you need help to set up the freeradius with the file.
>
>
>
> Regards
>
> Fabrice
>
>
>
>
>
> On Mon, 17 Oct 2022 at 08:38, Regimantas Pabrėža via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello,
>
>
>
> I'm trying to push multiple ACLs from packetfence to aruba 6300m but only
> the first line appears on the switch side
>
>
>
> Configuration on packetfence: Configuration -> Policies and Access Control
> -> Switches -> Roles
>
>
>
> Radius reply on packetfence: Auditing -> RADIUS Audit Logs -> RADIUS
>
>
>
> Switch configuration:
>
>
>
>
>
> Has anyone managed to push multiple lines to Aruba 6300M?
>
>
>
> Checking examples in documentation on the hpe site I see one strange thing.
> The first NAS-FILTER-Rule command has = (equal sign) and the other
> NAS-FILTER-Rule commands have += (plus and equal sign)
>
>
>
>
>
> Packetfence RADIUS reply shows both commands with = (equal sign)
>
>
>
> Maybe that's the case but I don't know how to change it on packetfence
>
>
>
> Regards,
>
> Regimantas Pabrėža
> IT Administrator
> UAB „Limedika“
> Erdvės g. 51, Ramučiai, LT-52114, Kaunas district, Lithuania
> Mob. +370 675 02148
>
>
>
>
>
>
>
>
>
>
>
>


Re: [PacketFence-users] Packetfence Authentication fails with Module-Failure-Message = "chrooted_mschap: No logon servers are currently available to service the logon request

2022-09-22 Thread Fabrice Durand via PacketFence-users
Hello Stephen,

it's a reply from winbindd, so check if your server is correctly joined and
maybe restart packetfence-winbindd.
Also you can go in the chroot like that:

chroot /chroot/"your domain name"
wbinfo -P

it should return the connected AD server.

Regards
Fabrice


On Thu, 22 Sept 2022 at 11:17, Stephen Tseen Fayum via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello
>
> I am new to Packetfence, and I am trying to set it up, but I am getting
> the following errors.
>
> Module-Failure-Message = "chrooted_mschap: Program returned code (1) and
> output 'No logon servers are currently available to service the logon
> request. (0xc05e)'" Module-Failure-Message = "chrooted_mschap: No logon
> servers are currently available to service the logon request. (0xc05e)"
>
> Can someone help me with this?
>
>
>


Re: [PacketFence-users] Auth Failed with openldap 【2nd Try】

2022-09-22 Thread Fabrice Durand via PacketFence-users
Hello,

I think in the ldap config you need to enable that:

control:NT-Password := 'ntPassword'

and ntPassword is supposed to be the attribute in the ldap that matches the
user password.

Regards
Fabrice


On Wed, 21 Sept 2022 at 22:51, 梁伟俊 wrote:

> Fabrice
>
> Thanks for your reply, the raddebug log & ldap config are attached for
> your reference
>
> --
> Weijun Liang
> Best regards,
>
>
> *From:* Fabrice Durand via PacketFence-users
> *Sent:* 2022-09-22 09:59
> *To:* packetfence-users
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Auth Failed with openldap 【2nd Try】
> Hello,
>
> It's something like this that you have to follow.
>
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_authentication_against_openldap
>
> It's been a long time since I did that and it will probably need to be adjusted.
>
> Let me know how it goes and provide me the raddebug log if possible and I will
> try to help you.
>
> Regards
> Fabrice
>
>
> On Wed, 21 Sept 2022 at 11:54, 梁伟俊 via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello
>>
>> Try it again
>>
>> --
>> liangwei...@dslyy.com
>>
>>
>> *From:* 梁伟俊 via PacketFence-users
>> *Sent:* 2022-09-20 16:46
>> *To:* packetfence-users
>> *Cc:* 梁伟俊
>> *Subject:* [PacketFence-users] Auth Failed with openldap
>> hello
>>
>> Endpoint authentication using Mschapv2 with openldap failed;
>> userpassword is plaintext in the database. Are there any incorrect settings
>> there? Please correct me, thanks
>>
>> (54) Tue Sep 20 14:30:07 2022: Debug:   Found Auth-Type = openldap
>> (54) Tue Sep 20 14:30:07 2022: Debug:   # Executing group from file
>> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
>> (54) Tue Sep 20 14:30:07 2022: Debug: Auth-Type openldap {
>> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap: You have set "Auth-Type
>> := LDAP" somewhere
>> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap:
>> *
>> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap: * THAT CONFIGURATION IS
>> WRONG.  DELETE IT.
>> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap: * YOU ARE PREVENTING
>> THE SERVER FROM WORKING
>> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap:
>> *
>> (54) Tue Sep 20 14:30:07 2022: ERROR: openldap: Attribute "User-Password"
>> is required for authentication
>>
>> *Desktop information:*
>>
>>- OS: win10
>>- use 802.1x
>>- PacketFence Version 12.0.0
>>
>> Attached are the config & error log.
>>
>>
>> --
>> best regard,
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>


Re: [PacketFence-users] Auth Failed with openldap 【2nd Try】

2022-09-21 Thread Fabrice Durand via PacketFence-users
Hello,

It's something like this that you have to follow:
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_authentication_against_openldap

It's been a long time since I did that and it will probably need to be adjusted.

Let me know how it goes and provide me the raddebug log if possible and I will
try to help you.

Regards
Fabrice


On Wed. 21 Sept. 2022 at 11:54, 梁伟俊 via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello
>
> Try it again
>
> --
> liangwei...@dslyy.com
>
>
> *From:* 梁伟俊 via PacketFence-users 
> *Sent:* 2022-09-20 16:46
> *To:* packetfence-users 
> *Cc:* 梁伟俊 
> *Subject:* [PacketFence-users] Auth Failed with openldap
> Hello,
>
> Endpoint authentication using MSCHAPv2 with OpenLDAP failed; userPassword is
> plaintext in the database. Are there any incorrect settings there? Please
> correct me, thanks.
>
> (54) Tue Sep 20 14:30:07 2022: Debug:   Found Auth-Type = openldap
> (54) Tue Sep 20 14:30:07 2022: Debug:   # Executing group from file
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> (54) Tue Sep 20 14:30:07 2022: Debug: Auth-Type openldap {
> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap: You have set "Auth-Type
> := LDAP" somewhere
> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap:
> *
> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap: * THAT CONFIGURATION IS
> WRONG.  DELETE IT.
> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap: * YOU ARE PREVENTING THE
> SERVER FROM WORKING
> (54) Tue Sep 20 14:30:07 2022: WARNING: openldap:
> *
> (54) Tue Sep 20 14:30:07 2022: ERROR: openldap: Attribute "User-Password"
> is required for authentication
>
> *Desktop information:*
>
>- OS: win10
>- use 802.1x
>- PacketFence Version 12.0.0
>
> Attached are the config & error log.
>
>
> --
> best regard,
>
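The raddebug excerpt above carries the whole diagnosis: FreeRADIUS was forced into the LDAP-bind Auth-Type, but an EAP-MSCHAPv2 request never carries the cleartext User-Password that an LDAP bind needs, so the module has nothing to bind with; the usual FreeRADIUS fix is to let the LDAP module read the stored password so the MS-CHAP module can verify the challenge/response locally, which is what the linked guide section sets up. As an added example (not from the thread and not PacketFence code), here is a small Python triage script that parses raddebug output, groups it by request id and flags that exact signature. The sample lines are constructed from the excerpt, with the e-mail line wrapping undone, plus one healthy request for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the raddebug excerpt in the thread (request 54)
# with the wrapped lines joined back together; request 55 is a made-up clean one.
SAMPLE_RADDEBUG = """\
(54) Tue Sep 20 14:30:07 2022: Debug:   Found Auth-Type = openldap
(54) Tue Sep 20 14:30:07 2022: Debug:   # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(54) Tue Sep 20 14:30:07 2022: Debug: Auth-Type openldap {
(54) Tue Sep 20 14:30:07 2022: WARNING: openldap: You have set "Auth-Type := LDAP" somewhere
(54) Tue Sep 20 14:30:07 2022: WARNING: openldap: * THAT CONFIGURATION IS WRONG.  DELETE IT.
(54) Tue Sep 20 14:30:07 2022: ERROR: openldap: Attribute "User-Password" is required for authentication
(55) Tue Sep 20 14:31:12 2022: Debug:   Found Auth-Type = eap
(55) Tue Sep 20 14:31:12 2022: Debug: Auth-Type eap {
"""

# "(id) <timestamp ending in a year>: <level>: <message>"
LINE_RE = re.compile(
    r"^\((?P<req>\d+)\) (?P<ts>.+? \d{4}): (?P<level>[A-Za-z]+):\s*(?P<msg>.*)$"
)


def parse_raddebug(text):
    """Group raddebug lines by request id -> list of (level, message)."""
    requests = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            requests[int(m["req"])].append((m["level"], m["msg"]))
    return dict(requests)


def diagnose(requests):
    """Return {request_id: [finding, ...]} for requests that show the misconfiguration."""
    findings = {}
    for req, entries in requests.items():
        msgs = [msg for _, msg in entries]
        forced = any('You have set "Auth-Type' in m for m in msgs)
        no_password = any('Attribute "User-Password" is required' in m for m in msgs)
        out = []
        if forced and no_password:
            out.append(
                "Auth-Type is forced to an LDAP-bind module but the request carries no "
                "User-Password (EAP-MSCHAPv2 sends a challenge/response, never the cleartext "
                "password): remove the Auth-Type override and let the LDAP module supply the "
                "stored password for the MS-CHAP module to verify"
            )
        elif no_password:
            out.append("the authentication module needs User-Password but the request has none")
        if out:
            findings[req] = out
    return findings


if __name__ == "__main__":
    for req, notes in diagnose(parse_raddebug(SAMPLE_RADDEBUG)).items():
        print(f"request {req}:", *notes, sep="\n  ")
```

Run it against a real raddebug capture by reading the file into `parse_raddebug`; the grouping by request id matters because raddebug interleaves the lines of concurrent requests.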


Re: [PacketFence-users] PacketFence captive portal quickstart

2022-09-21 Thread Fabrice Durand via PacketFence-users
Hello Marco,

You can try the inline setup.
One interface is configured as inline L2 and the other one as the
management interface (facing the internet).
So when you plug something into the inline network you should be able to see
the portal (it's really the first thing you need to achieve).
Btw you will have to add more config in order to do SAML.

Regards
Fabrice


On Tue. 20 Sept. 2022 at 14:23, Marco Naimoli via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi, I'm new to PacketFence; I've installed a new instance (ZEN) and would
> like to configure a (simple) captive portal with SAML authentication;
> it should be something like
> client --> PacketFence ---> internet
> Is this kind of setup supported? In the documentation I find only
> examples that involve the configuration of a switch.
> I've tried to configure it, but the client is never redirected to the
> Identity Provider (I've configured the passthrough with the Identity
> Provider hostname).
> Is there any example of a captive portal setup other than the official
> documentation?
> Thank you
> Marco


Re: [PacketFence-users] radius enforcement for captive portal on wifi controller

2022-09-19 Thread Fabrice Durand via PacketFence-users
Hello Leonardo,
It's more like a CLI/VPN authentication you are doing.
So you can try the OpenVPN switch module, use port 1815 and assign the
authentication source to the default profile and you should be close.
Btw check the logs when PacketFence receives the RADIUS request (RADIUS
audit logs and packetfence.log) and paste them.

Regards
Fabrice


On Mon. 19 Sept. 2022 at 08:47, leonardo.izzo--- via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I have a wifi controller on which I want to implement a local captive
> portal but with authentication through an External Radius Server.
>
> In practice, the controller will be used for the captive portal and
> PacketFence in RADIUS enforcement will be used as the External Radius
> Server.
>
>
>
> ** controller side **
>
> Authentication Mode: PAP
>
> "Authentication Server IP": the IP address of Packetfence
>
> "Authentication Port": 1812
>
> "Authentication Password": I entered a password of my choice
>
> "RADIUS Accounting": no
>
>
>
> ** Pf side **
>
> On the management interface (which is the only interface of pf) I have
> selected 'radius' as "additional listening daemon".
>
> I created a switch object of type 'PacketFence :: Standard' and in the 'IP
> Address / MAC Address / Range (CIDR)' field I put the wifi controller ip
> and in the radius tab I entered the private shared password previously
> entered in the controller Wifi.
>
>
>
>
>
> If I want to use a certain source (e.g. Google Workspace) for the user
> database, how do I set the connection profile to attach it to the listening
> radius on the management interface?
>
>
>
> Thank you
>
>
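The controller in this setup speaks PAP to PacketFence on UDP/1812 with a shared secret, so the two things worth understanding when nothing useful shows up in the audit log are how the NAS hides User-Password with that secret and how it validates the reply. The Python below is added here as an example; it is not PacketFence code and not from the thread. It builds an Access-Request the way RFC 2865 describes, decodes it server-side and checks the Response Authenticator on the way back; the user name, password, NAS-Identifier and secret are constructed values. A secret mismatch shows up as a decoded password that is garbage, which is why the secret on the switch object and on the controller must match byte for byte.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher  # chaining: the next block is keyed on this ciphertext block
    return bytes(out)


def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode_user_password; only meaningful with the same secret and authenticator."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        cipher = encoded[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return bytes(out).rstrip(b"\x00")  # drop padding (passwords ending in NUL are not supported here)


def attribute(attr_type, value):
    """One RADIUS TLV: type, total length, value (value limited to 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload):
    """Walk the TLV list, refusing truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, secret, username, password, nas_id, authenticator=None):
    """NAS side: the PAP Access-Request a controller sends to UDP/1812. Returns (packet, authenticator)."""
    request_authenticator = authenticator or os.urandom(16)  # fresh and unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encode_user_password(password.encode(), secret, request_authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs, request_authenticator


def server_check_pap(request, secret, users):
    """Server side: recover User-Password with the shared secret and compare it in constant time."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST:
        return False
    attrs = dict(parse_attributes(request[20:]))
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    expected = users.get(username)
    return expected is not None and hmac.compare_digest(password, expected.encode())


def build_response(request, secret, code):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)  # no attributes in this minimal reply
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_authenticator_ok(response, request_authenticator, secret):
    """NAS side: accept only replies computed over our request authenticator with our secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; both sides must hold the same value
    req, ra = build_access_request(7, secret, "alice", "s3cret!", "wlc-1")
    ok = server_check_pap(req, secret, {"alice": "s3cret!"})
    reply = build_response(req, secret, ACCESS_ACCEPT if ok else ACCESS_REJECT)
    print("user accepted:", ok, "| reply authentic:", response_authenticator_ok(reply, ra, secret))
```

PAP hiding is reversible by anyone who holds the secret, and both it and the Response Authenticator rest on MD5 of that secret, so the secret's strength and keeping the RADIUS path on a management network (or inside RadSec) are what protect the credentials in transit.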


Re: [PacketFence-users] troubleshooting ideas Radius Authentication - 802.1X connections

2022-09-13 Thread Fabrice Durand via PacketFence-users
Hello Damian,

You can have a look at the RADIUS audit log.
You will see an entry per connection.

Regards
Fabrice


On Tue. 13 Sept. 2022 at 15:52, Damian Mendoza via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Setting up PacketFence with 802.1X authentication to lock down switch
> ports not being used. Getting stuck on the 802.1x authentication, or the DHCP
> address is not being received.
>
>
>
> I added IP helper commands to the Cisco 3560-C switch.
>
>
>
> If an invalid username/password is used for the 802.1X authentication,
> should a failure message be displayed? How can I test if RADIUS is
> authenticating? Log file?
>
>
>
>
>
> Thanks,
>
>
>
> Damian


Re: [PacketFence-users] Latest PacketFence and Cisco 3560 switch - ran into issue connecting to network after Authentication

2022-09-13 Thread Fabrice Durand via PacketFence-users
Hello Damian,

It looks to be a deauth issue.
Can you paste the switches.conf (just the switch section you are testing
with) and the show run from the switch itself?

Regards
Fabrice


On Tue. 13 Sept. 2022 at 13:35, Damian Mendoza via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

>
>
> I added a Cisco 3560-C switch to a new installation of the latest PacketFence
> version, but it still shows the node as unregistered although PacketFence
> authenticates it via the RADIUS server as shown in the logs.
>
>
>
>
>
> On the Windows 10 PC browser I log in and the username and password are accepted.
> The browser shows "attempting to connect to the network":
>
>
>
> Error displayed:
>
>
>
> “Unable to detect network connectivity -  IP address shows stuck in
> registration vlan.   -   Try restarting your web browser or opening a new
> tab to see if your access has been successfully enabled”
>
>
>
>
>
> Any hints or ideas I can try?
>
>
>
>
>
> Thanks,
>
>
>
> Damian
>
>
>
>
>
>
>
>


Re: [PacketFence-users] Deleted user, LDAP attributes not retrieved again on recreation

2022-09-13 Thread Fabrice Durand via PacketFence-users
Hello Alex,
there is a cache in PacketFence for that.
Try that:
/usr/local/pf/bin/pfcmd cache person_lookup clear

Regards
Fabrice



On Tue. 13 Sept. 2022 at 09:52, Aleix Dorca Josa via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> I have this minor issue that maybe someone here has faced before and can
> help me solve.
>
> - I am using PF 11.1.
> - When users authenticate, Name, Surname, and email are retrieved from an
> LDAP authentication source.
> - Then I proceed to delete the user.
> - If the user reauthenticates the LDAP information is not retrieved from
> the LDAP, leaving the user without email, Name and Surname.
>
> Any pointers?
>
> Thanks,
>
> Aleix.
>


Re: [PacketFence-users] Ruckus cloud

2022-09-13 Thread Fabrice Durand via PacketFence-users
Hello Luka,

I did some work on that: 802.1x autoreg is ok but the external portal needs
some work.
I have a POC working but PacketFence's RADIUS server needs to be
reachable from the internet (RadSec).

Regards
Fabrice


On Tue. 13 Sept. 2022 at 09:52, Luka Hrvatin via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> We would like to deploy Ruckus Cloud with the PacketFence captive portal;
> is it possible?
> If it is, how?
>
> Regards,
> --
>
> LUKA HRVATIN
>
> IT SPECIALIST
>
> O7 - Ekipa2 d.o.o. | Ameriška ulica 8, 1000 Ljubljana, Slovenia
>
>


Re: [PacketFence-users] Bypass for static ip host

2022-09-03 Thread Fabrice Durand via PacketFence-users
Hello, you can add it in the ipset session.
Check ipset -L to list the ipset sessions, then ipset add 

Fabrice

On Sat. 3 Sept. 2022, 08:46, Leonida via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi everyone, in an inline configuration I would have to let a host with a
> static IP go out to the Internet without going through the captive portal and
> the various authentication steps, basically a sort of bypass. How can I do that? Thank you


Re: [PacketFence-users] [External] [External] Domain Joining PacketFence Fails

2022-08-23 Thread Fabrice Durand via PacketFence-users
The WORKGROUP is the pre-Windows-2000 name and the dns_name is the DNS
format.

If I am not wrong, when you edit a user in Users and Computers you should be
able to see both.


On Tue. 23 Aug. 2022 at 15:52, Nate Breeden  wrote:

> Hey Fabrice,
>
>
>
> I just tried them in all caps, still the same result.
>
>
>
> As far as workgroup, would that not be my domain name? Also tried it
> without the .local in all caps, same thing happens there
>
>
>
>
>
> Thanks!
>
>
>
> *From:* Fabrice Durand 
> *Sent:* Tuesday, August 23, 2022 3:28 PM
> *To:* Nate Breeden 
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [External] [PacketFence-users] [External] Domain Joining
> PacketFence Fails
>
>
>
> This message was sent from outside the company, please use caution when
> clicking links or opening attachments unless you recognize the source of
> this email and know the content is safe.
>
>
>
> Iptables looks to be ok.
>
>
>
> But are you sure about workgroup=domain.Local?
>
>
>
> Also put dns_name and workgroup in uppercase.
>
>
>
>
>
> On Tue. 23 Aug. 2022 at 15:09, Nate Breeden  wrote:
>
> [DOMAINNAME]
>
> dns_name= DOMAINNAME.Local
>
> dns_servers=10.0.1.15
>
> server_name=%h
>
> ou=Domain Computers
>
> ad_server=mydc1
>
> workgroup=domain.Local
>
> status=enabled
>
> sticky_dc=mydc1
>
> ntlm_cache_expiry=3600
>
> # Copyright (C) Inverse inc.
>
>
>
>
>
>
>
>
>
> Chain PREROUTING (policy ACCEPT 16868 packets, 1946K bytes)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain OUTPUT (policy ACCEPT 177K packets, 11M bytes)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain POSTROUTING (policy ACCEPT 177K packets, 11M bytes)
>
> pkts bytes target prot opt in out source
> destination
>
> 2   201 SNAT   all  --  *  eth0169.254.0.0/16
> 
> 0.0.0.0/0
> 
>   to:10.0.1.19
>
>
>
> Chain postrouting-inline-routed (0 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain postrouting-int-inline-if (0 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain prerouting-int-inline-if (0 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain prerouting-int-vlan-if (0 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> *From:* Fabrice Durand 
> *Sent:* Tuesday, August 23, 2022 2:36 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Nate Breeden 
> *Subject:* Re: [External] [PacketFence-users] [External] Domain Joining
> PacketFence Fails
>
>
>
>
>
>
> Hello,
>
>
>
> can you show me the content of conf/domain.conf and also the result of
> iptables -L -n -v -t nat
>
>
>
> Regards
>
> Fabrice
>
>
>
>
>
>
>
> On Tue. 23 Aug. 2022 at 14:25, Nate Breeden via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hey Aaron,
>
>
>
> My DCs are using Server 2019, also have tried it with the firewall
> disabled and had the same result.
>
>
>
> Also thought this would be the easiest part of my install lol
>
>
>
>
>
> Thanks!
>
>
>
>
>
> *Nate Breeden Director of IT *Criswell Automotive
> F: (301) 212-4520
> O: (301) 212-4520
>
>
>
> CONFIDENTIALITY NOTICE:
> The contents of this email message and any attachments are intended solely
> for the addressee(s) and may contain confidential and/or privileged
> information and may be legally protected from disclosure. If you are not
> the intended recipient of this message or their agent, or if this message
> has been addressed to you in error, please immediately alert the sender by
> reply email and then delete this message and any attachments. If you are
> not the intended recipient, you are hereby notified that any use,
> dissemination, copying, or storage of this message or its attachments is
> strictly prohibited.
>
>
>
>
>
> *From:* Aaron Zuercher via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Tuesday, August 23, 2022 11:25 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Aaron Zuercher 
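Fabrice's two remarks in this thread (the workgroup must be the pre-Windows-2000 name, and both names should be uppercase) are the kind of thing a quick check on conf/domain.conf can catch before attempting the join again. Here is an added Python example that does that; it is not PacketFence code. The checks encode only what the reply says plus the NetBIOS 15-character limit, and the two embedded configs are a constructed copy of the section posted above and a corrected copy of it.

```python
import configparser

# Constructed copy of the domain.conf section posted in this thread (values as posted).
POSTED_DOMAIN_CONF = """\
[DOMAINNAME]
dns_name= DOMAINNAME.Local
dns_servers=10.0.1.15
server_name=%h
ou=Domain Computers
ad_server=mydc1
workgroup=domain.Local
status=enabled
sticky_dc=mydc1
ntlm_cache_expiry=3600
"""

# The same section with the two values changed the way the reply suggests:
# workgroup as the pre-Windows-2000 (NetBIOS) name, both names in uppercase.
CORRECTED_DOMAIN_CONF = """\
[DOMAINNAME]
dns_name=DOMAINNAME.LOCAL
dns_servers=10.0.1.15
server_name=%h
ou=Domain Computers
ad_server=mydc1
workgroup=DOMAINNAME
status=enabled
sticky_dc=mydc1
ntlm_cache_expiry=3600
"""

NETBIOS_MAX_LEN = 15  # NetBIOS names carry at most 15 characters; the 16th octet is the type suffix
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')  # characters a NetBIOS name cannot contain


def check_domain_section(text):
    """Return a list of findings for every [domain] section; an empty list means all checks passed."""
    parser = configparser.ConfigParser(interpolation=None)  # keep server_name=%h literal
    parser.read_string(text)
    findings = []
    for name in parser.sections():
        section = parser[name]
        workgroup = section.get("workgroup", "").strip()
        dns_name = section.get("dns_name", "").strip()

        if not workgroup:
            findings.append(f"[{name}] workgroup is missing")
        else:
            if "." in workgroup:
                findings.append(f"[{name}] workgroup '{workgroup}' looks like a DNS name; "
                                "use the pre-Windows-2000 (NetBIOS) domain name")
            elif NETBIOS_FORBIDDEN & set(workgroup):
                findings.append(f"[{name}] workgroup '{workgroup}' contains characters "
                                "not allowed in a NetBIOS name")
            if len(workgroup) > NETBIOS_MAX_LEN:
                findings.append(f"[{name}] workgroup '{workgroup}' is longer than "
                                f"{NETBIOS_MAX_LEN} characters")
            if workgroup != workgroup.upper():
                findings.append(f"[{name}] workgroup '{workgroup}' should be uppercase")

        if not dns_name:
            findings.append(f"[{name}] dns_name is missing")
        else:
            if "." not in dns_name:
                findings.append(f"[{name}] dns_name '{dns_name}' is not a fully qualified DNS name")
            if dns_name != dns_name.upper():
                findings.append(f"[{name}] dns_name '{dns_name}' should be uppercase")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_DOMAIN_CONF), ("corrected", CORRECTED_DOMAIN_CONF)):
        print(label, check_domain_section(conf) or "ok")
```

Point it at the real file with `check_domain_section(open("/usr/local/pf/conf/domain.conf").read())`; the `# Copyright` trailer the post shows is an ordinary comment line for configparser and needs no special handling.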

Re: [PacketFence-users] [External] [External] Domain Joining PacketFence Fails

2022-08-23 Thread Fabrice Durand via PacketFence-users
Iptables looks to be ok.

But are you sure about workgroup=domain.Local?

Also put dns_name and workgroup in uppercase.


On Tue. 23 Aug. 2022 at 15:09, Nate Breeden  wrote:

> [DOMAINNAME]
>
> dns_name= DOMAINNAME.Local
>
> dns_servers=10.0.1.15
>
> server_name=%h
>
> ou=Domain Computers
>
> ad_server=mydc1
>
> workgroup=domain.Local
>
> status=enabled
>
> sticky_dc=mydc1
>
> ntlm_cache_expiry=3600
>
> # Copyright (C) Inverse inc.
>
>
>
>
>
>
>
>
>
> Chain PREROUTING (policy ACCEPT 16868 packets, 1946K bytes)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain OUTPUT (policy ACCEPT 177K packets, 11M bytes)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain POSTROUTING (policy ACCEPT 177K packets, 11M bytes)
>
> pkts bytes target prot opt in out source
> destination
>
> 2   201 SNAT   all  --  *  eth0169.254.0.0/16
> 0.0.0.0/0to:10.0.1.19
>
>
>
> Chain postrouting-inline-routed (0 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain postrouting-int-inline-if (0 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain prerouting-int-inline-if (0 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain prerouting-int-vlan-if (0 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> *From:* Fabrice Durand 
> *Sent:* Tuesday, August 23, 2022 2:36 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Nate Breeden 
> *Subject:* Re: [External] [PacketFence-users] [External] Domain Joining
> PacketFence Fails
>
>
>
>
>
>
> Hello,
>
>
>
> can you show me the content of conf/domain.conf and also the result of
> iptables -L -n -v -t nat
>
>
>
> Regards
>
> Fabrice
>
>
>
>
>
>
>
> On Tue. 23 Aug. 2022 at 14:25, Nate Breeden via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hey Aaron,
>
>
>
> My DCs are using Server 2019, also have tried it with the firewall
> disabled and had the same result.
>
>
>
> Also thought this would be the easiest part of my install lol
>
>
>
>
>
> Thanks!
>
>
>
>
>
> *Nate Breeden Director of IT *Criswell Automotive
> F: (301) 212-4520
> O: (301) 212-4520
>
>
>
>
>
>
>
> *From:* Aaron Zuercher via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Tuesday, August 23, 2022 11:25 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Aaron Zuercher 
> *Subject:* Re: [External] [PacketFence-users] Domain Joining PacketFence
> Fails
>
>
>
>
>
>
> Nate,
>
> this part of my install was pretty straightforward. What version of
> Windows is your DC? What about a firewall blocking something?
>
>
>
> Aaron
>
>
>
> On Tue, Aug 23, 2022 at 7:34 AM Nate Breeden via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> When trying to domain join PacketFence, on the web GUI we receive “Failed
> to join domain: failed to find DC for domain Computers - The object was not
> found.”
>
>
>
> After searching through a bunch of articles, it looks like where it says
> “for domain Computers” should say “for domain MYDOMAIN”?
>
>
>
> Did a full reinstall of PacketFence thinking something was wrong with the
> install, but am still facing the same issue.
>
>
>
> In the actual Debian VM if I ping a hostname without the domain name it
> replies with the correct IP address, same thing when pinging with the FQDN.
>
>
>
> Cat /etc/resolv.conf > this returns the proper DNS IP addresses for my
> domain
>
>
>
> Net ads status > this returns “ads_connect: No logon servers are currently
> available to service the logon request.” (X2)
>
>
>
>
>
> Also have tried tweaking each setting on the *Configuration >

Re: [PacketFence-users] [External] Domain Joining PacketFence Fails

2022-08-23 Thread Fabrice Durand via PacketFence-users
Hello,

can you show me the content of conf/domain.conf and also the result of
iptables -L -n -v -t nat

Regards
Fabrice



On Tue. 23 Aug. 2022 at 14:25, Nate Breeden via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hey Aaron,
>
>
>
> My DCs are using Server 2019, also have tried it with the firewall
> disabled and had the same result.
>
>
>
> Also thought this would be the easiest part of my install lol
>
>
>
>
>
> Thanks!
>
>
>
>
>
> *Nate Breeden Director of IT *Criswell Automotive
> F: (301) 212-4520
> O: (301) 212-4520
>
>
>
>
>
>
>
> *From:* Aaron Zuercher via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Tuesday, August 23, 2022 11:25 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Aaron Zuercher 
> *Subject:* Re: [External] [PacketFence-users] Domain Joining PacketFence
> Fails
>
>
>
>
>
>
> Nate,
>
> this part of my install was pretty straightforward. What version of
> Windows is your DC? What about a firewall blocking something?
>
>
>
> Aaron
>
>
>
> On Tue, Aug 23, 2022 at 7:34 AM Nate Breeden via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> When trying to domain join PacketFence, on the web GUI we receive “Failed
> to join domain: failed to find DC for domain Computers - The object was not
> found.”
>
>
>
> After searching through a bunch of articles, it looks like where it says
> “for domain Computers” should say “for domain MYDOMAIN”?
>
>
>
> Did a full reinstall of PacketFence thinking something was wrong with the
> install, but am still facing the same issue.
>
>
>
> In the actual Debian VM if I ping a hostname without the domain name it
> replies with the correct IP address, same thing when pinging with the FQDN.
>
>
>
> Cat /etc/resolv.conf > this returns the proper DNS IP addresses for my
> domain
>
>
>
> Net ads status > this returns “ads_connect: No logon servers are currently
> available to service the logon request.” (X2)
>
>
>
>
>
> Also have tried tweaking each setting on the *Configuration > Policies
> and Access Control > Domains > Active Directory Domains > [my identifier]*,
> including either using IP addresses/hostnames (for Active Directory server,
> Sticky DC), changing the admin credentials around (myadmin@domain.local,
> myadmin@domain, myadmin, mydomain\myadmin), have tweaked the “This
> server’s name” field, to either specify a name or utilize %h.
>
>
>
>
>
>
>
>
>
> Here is the log from /usr/local/pf/logs/packetfence.log (censored my
> server name and domain name)
>
>
>
> Aug 22 20:23:40 [myservername] pfqueue[12690]: pfqueue(12690) INFO:
> [mac:unknown] domain join : Failed to join domain: failed to find DC for
> domain Computers - The object was not found. (pf::domain::join_domain)
>
> Aug 22 20:23:44 [myservername] packetfence_winbindd-wrapper[13632]:
> winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain]
> (main::child_sighandler)
>
> Aug 22 20:23:50 [myservername] packetfence_winbindd-wrapper[13632]:
> winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain]
> (main::child_sighandler)
>
> Aug 22 20:23:56 [myservername] packetfence_winbindd-wrapper[13632]:
> winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain]
> (main::child_sighandler)
>
> Aug 22 20:24:02 [myservername] packetfence_winbindd-wrapper[13632]:
> winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain]
> (main::child_sighandler)
>
> Aug 22 20:24:08 [myservername] packetfence_winbindd-wrapper[13632]:
> winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain]
> (main::child_sighandler)
>
> Aug 22 20:24:14 [myservername] packetfence_winbindd-wrapper[13632]:
> winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain]
> (main::child_sighandler)
>
> Aug 22 20:24:20 [myservername] packetfence_winbindd-wrapper[13632]:
> winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain]
> (main::child_sighandler)
>
> Aug 22 20:24:26 [myservername] packetfence_winbindd-wrapper[13632]:
> winbindd-wrapper(13632) WARN: [mac:[undef]] Re-registering [mydomain]
> (main::child_sighandler)

Re: [PacketFence-users] 802.1x computer + user

2022-05-22 Thread Fabrice Durand via PacketFence-users
Create 2 connection profiles (802.1x and mac-auth) and 2 authentication
sources (one for secure and the other one for mac-auth).
Associate the first authentication source with the secure portal and the 2nd
one with the mac-auth portal.

Now you just need to play with the authentication rules on each source to
return a different role.




On Sun. 22 May 2022 at 15:22, José Ramos  wrote:

> Hello Fabrice.
>
> Thanks a lot for your answer but as I said I managed to do it :)
> I have a second question since you are here:
> I would like to give VLAN x if an AD user connects through 802.1x and VLAN y
> if an AD user connects through the portal. To me the best thing to do is to add a
> condition on Connection type in the AD-users authentication source. But
> the combobox is empty :'( which is a little bit problematic (I tried to add
> the connection type manually in authentication.conf but it did not work).
>
> This is not urgent.
>
> PS : I don't know if you using oeufd...@gmail.com is planned :D
>
>
> On Sun, May 22, 2022 at 8:43 PM Fabrice Durand  wrote:
>
>> Hello José,
>>
>> You have to combine 2 authentication sources, one for the user and the
>> other for the computer.
>> The difference between the 2 will be the username attribute: for users
>> it's sAMAccountName and for computers it's userPrincipalName (btw create
>> authentication rules for users and machines).
>>
>> So once you have the 2 authentication sources, assign them to the same
>> connection profile (for example the one you use to filter on the secure
>> SSID).
>>
>>
>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_using_the_corporate_machine_role
>>
>> Regards
>> Fabrice
>>
>>
>>
>>
>>
>> On Sun. 22 May 2022 at 12:41, José Ramos via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> I went the wrong way; actually I didn't want to do that.
>>> What I would like to do is give the user a role if he is on a domain
>>> computer.
>>> I guess it is just a condition in my AD-users authentication source, but
>>> I can't do it.
>>> Does someone have a suggestion? :)


Re: [PacketFence-users] 802.1x role error

2022-05-22 Thread Fabrice Durand via PacketFence-users
Hello José,

IMO you should create 2 connection profiles, one for MAB (filter
connection_type = Ethernet-NoEAP) and another one for 802.1x (filter
connection_type = Ethernet-EAP).

Once done, assign the correct authentication source to the MAB profile
(sources you will see on the portal).
On the other profile (802.1x) enable autoregistration and assign the
AD-users source to it.

So now you should be able to see in the logs:

INFO: [mac:00:0c:29:f6:0e:ac] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)

The next thing to verify is whether the user account administrator returns a role
when you try to authenticate.
To verify that, use the CLI with "pftest authentication ..." and check the
result; it should be an issue with the authentication rule or maybe because
the realm (DOMAIN) is not stripped in RADIUS.

Regards
Fabrice


On Sun. 22 May 2022 at 11:32, José Ramos via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I don't need help anymore on that !
>
> On Sat, May 21, 2022 at 2:22 PM José Ramos 
> wrote:
>
>> Hello! I have configured 802.1x and MAB. When I use MAB and authenticate
>> with an AD user on the portal I'm put in the right VLAN of my
>> authentication source.
>>
>> 802.1x works as well but always puts me in VLAN 1 and does not assign
>> roles. I tried to enable stripped username in the DEFAULT realm but it does
>> not change anything. I also tried to strip from the switch but then the
>> authentication is refused.
>>
>> Can I get some help please? Thank you!
>>
>> Here are the logs :
>> 2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo
>> httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] handling radius autz request:
>> from switch_ip => (10.0.0.10), connection_type => Ethernet-EAP,switch_mac
>> => (aa:bb:cc:00:02:20), mac => [00:0c:29:f6:0e:ac], port => 3, username =>
>> "DOMAIN\Administrator" (pf::radius::authorize)
>> 2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo
>> httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Instantiate profile default
>> (pf::Connection::ProfileFactory::_from_profile)
>> 2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo
>> httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Found authentication
>> source(s) : 'AD-users' for realm 'default'
>> (pf::config::util::filter_authentication_sources)
>> 2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo
>> httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Role has already been
>> computed and we don't want to recompute it.
>> (pf::role::getNodeInfoForAutoReg)
>> 2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn
>> httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] No category computed for
>> autoreg (pf::role::getNodeInfoForAutoReg)
>> 2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo
>> httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Found authentication
>> source(s) : 'AD-users' for realm 'default'
>> (pf::config::util::filter_authentication_sources)
>> 2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo
>> httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Role has already been
>> computed and we don't want to recompute it. Getting role from node_info
>> (pf::role::getRegisteredRole)
>> 2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa warn
>> httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value
>> $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm
>> line 489.
>> 0001-01-01T00:00:00Z
>> 2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa info
>> httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Username was NOT defined or
>> unable to match a role - returning node based role ''
>> (pf::role::getRegisteredRole)
>> 2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa info
>> httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] PID: "default", Status: reg
>> Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
>> 2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa warn
>> httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value
>> $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 633.
>> 0001-01-01T00:00:00Z
>> 2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa warn
>> httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value
>> $name in exists at /usr/local/pf/lib/pf/Switch.pm line 667.
>> 0001-01-01T00:00:00Z
>> 2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa warn
>> httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value
>> $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm
>> line 640.
>> 0001-01-01T00:00:00Z
>> 2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa warn
>> httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] No parameter Vlan found in
>> conf/switches.conf for the switch 10.0.0.10 (pf::Switch::getVlanByName)
>> 2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa warn
>> httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value
>> $rol
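Since the question is why a device landed in VLAN 1, a triage script for httpd.aaa excerpts like the one quoted above is useful; this is an added example, not PacketFence code. It folds each RADIUS authorization into one record per MAC and reports those that returned no role/VLAN, which is exactly when the switch keeps the port in its own default VLAN. The column spacing, the second device and its VLAN/role values are constructed.

```python
"""Triage PacketFence httpd.aaa log lines: list the RADIUS authorizations that
came back with no role/VLAN (the switch then falls back to its default VLAN).
Added example, not PacketFence code; sample lines are constructed from this thread."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa info httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] handling radius autz request: from switch_ip => (10.0.0.10), connection_type => Ethernet-EAP,switch_mac => (aa:bb:cc:00:02:20), mac => [00:0c:29:f6:0e:ac], port => 3, username => "DOMAIN\\Administrator" (pf::radius::authorize)
2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa info httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Found authentication source(s) : 'AD-users' for realm 'default' (pf::config::util::filter_authentication_sources)
2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa warn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
2022-05-21T14:09:39Z pftest packetfence_httpd.aaa httpd.aaa info httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
2022-05-21T14:10:02Z pftest packetfence_httpd.aaa httpd.aaa info httpd.aaa(1559) INFO: [mac:00:0c:29:aa:bb:cc] handling radius autz request: from switch_ip => (10.0.0.10), connection_type => Ethernet-EAP,switch_mac => (aa:bb:cc:00:02:20), mac => [00:0c:29:aa:bb:cc], port => 4, username => "DOMAIN\\alice" (pf::radius::authorize)
2022-05-21T14:10:02Z pftest packetfence_httpd.aaa httpd.aaa info httpd.aaa(1559) INFO: [mac:00:0c:29:aa:bb:cc] PID: "alice", Status: reg Returned VLAN: (20), Role: (employee) (pf::role::fetchRoleForNode)
"""

# <ts> <host> <service> <module> <level> <module>(<pid>) <LEVEL>: [mac:<mac>] <message> (<perl sub>)
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+ \S+ \S+ \S+\(\d+\) (?P<level>[A-Z]+): "
                     r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*?) \((?P<sub>pf::[\w:]+)\)$")
USER_RE = re.compile(r'username => "(?P<user>[^"]*)"')
RESULT_RE = re.compile(r"Returned VLAN: \((?P<vlan>[^)]*)\), Role: \((?P<role>[^)]*)\)")

@dataclass
class Authz:
    mac: str
    ts: str
    username: str = ""
    role: str = ""
    vlan: str = ""
    warnings: list = field(default_factory=list)

    def fell_through(self) -> bool:
        """PacketFence returned no role/VLAN, so the switch applies its own default."""
        return "undefined" in (self.role, self.vlan)

def parse_authorizations(text: str) -> dict:
    """Fold the lines of each 'handling radius autz request' into one record per MAC."""
    recs = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines still wrapped by the mailer, or from other modules
        mac, msg = m["mac"], m["msg"]
        if m["sub"] == "pf::radius::authorize":  # a new request starts a fresh record
            user = USER_RE.search(msg)
            recs[mac] = Authz(mac, m["ts"], user["user"] if user else "")
            continue
        rec = recs.get(mac)
        if rec is None:
            continue  # result lines with no authorize line in this excerpt
        if m["level"] == "WARN":
            rec.warnings.append(msg)
        r = RESULT_RE.search(msg)
        if r:
            rec.vlan, rec.role = r["vlan"], r["role"]
    return recs

def fallthrough_report(text: str) -> list:
    # One line per device that authenticated but left PacketFence without a role/VLAN
    return [f"{a.ts} {a.mac} user={a.username!r} role={a.role} vlan={a.vlan} warnings={a.warnings}"
            for a in parse_authorizations(text).values() if a.fell_through()]
```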

Re: [PacketFence-users] 802.1x computer + user

2022-05-22 Thread Fabrice Durand via PacketFence-users
Hello José,

you have to combine 2 authentication sources, one for the user and the
other for the computer.
The difference between the 2 will be the username attribute: for users it's
sAMAccountName and for computers it's userPrincipalName (btw, create
authentication rules for users and machines).

So once you have the 2 authentication sources, assign them on the same
connection profile (for example the one you use to filter on the secure
SSID).

https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_using_the_corporate_machine_role

Regards
Fabrice





Le dim. 22 mai 2022 à 12:41, José Ramos via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> I went the wrong way actually I didn't want to do that.
> What I would like to do is give the user a role if he is on a domain
> computer.
> I guess it is just a condition in my AD-users authentication source, but I
> can't do it.
> Does someone have a suggestion ? :)
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>


Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA

2022-04-14 Thread Fabrice Durand via PacketFence-users
OK, easy.

Edit the rest.conf file in conf/radiusd
and at this line (
https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/rest.conf.example#L194
) add:
timeout = 60.00

Then restart radius-auth.



Le jeu. 14 avr. 2022 à 21:49, Benjamin Shirley - Simplicity <
b.shir...@simplicity.ag> a écrit :

> Hi Fabrice,
>
> thanks for getting back to me. I have tried the settings but that does not
> solve the problem. Raddebug shows the following information:
>
> (8) Fri Apr 15 03:45:53 2022: Debug: Finished request
> (7) Fri Apr 15 03:45:56 2022: ERROR: rest: Request failed: 28 - Timeout
> was reached
> (7) Fri Apr 15 03:45:56 2022: ERROR: rest: Server returned no data
> (7) Fri Apr 15 03:45:56 2022: Debug:   [rest] = fail
> (7) Fri Apr 15 03:45:56 2022: Debug: } # if (! EAP-Type || (EAP-Type
> != TTLS  && EAP-Type != PEAP) )  = fail
> (7) Fri Apr 15 03:45:56 2022: Debug:   } # post-auth = fail
> (7) Fri Apr 15 03:45:56 2022: Debug: Using Post-Auth-Type Reject
> (7) Fri Apr 15 03:45:56 2022: Debug: # Executing group from file
> /usr/local/pf/raddb/sites-enabled/packetfence
>
> Hope this information is any good!
>
> Kind regards
>
> Benjamin
>
>
> Benjamin Shirley . simplicity networks GmbH
> Heinrich-Hertz-Straße 2 . 59302 Oelde . Phone: +49 2522 8330 3124 .
> Mobile: +49 170 9496681
> E-Mail: b.shir...@simplicity.ag . Web: www.simplicity.ag
> USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan
> Leewe
>
> *Von: *Fabrice Durand 
> *Datum: *Freitag, 15. April 2022 um 03:18
> *An: *packetfence-users 
> *Cc: *Benjamin Shirley 
> *Betreff: *Re: [PacketFence-users] Radius Authentication Source Timeout
> for 2FA
>
> Hello Benjamin,
>
> first you need to raise the timeout value of the radius-auth service.
>
> You should be able to do it there:
>
> https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/auth.conf.example#L23
>
> and add that:
>
> ```
> limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 60
> }
> ```
>
> you probably have to add an option to the duo radius source too, like:
>
> response_timeouts = 30
>
> if it still does not work then run raddebug to see where in freeradius it
> times out.
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
> Regards
>
> Fabrice
>
> Le jeu. 14 avr. 2022 à 14:22, Benjamin Shirley - Simplicity via
> PacketFence-users  a écrit :
>
> Hi @all,
>
> trying to bypass an issue I'm having using 2 different radius servers
> (packetfence / duo authproxy), one for admin login purposes (DUO 2FA) and the
> other being packetfence for MAB in our network environment - which is a
> known bug in Dell OS6 Network Operating System - I had the idea to simply
> add the Duo Authproxy as a Radius Authentication Source in Packetfence,
> meaning I only have to configure 1 radius authentication server on our
> switches.
>
> It works! I am able to proxy the authentication to the DUO Authproxy from
> within PF but there is a tiny problem I am not able to overcome and kindly
> ask for help.
>
> The problem is that RADIUS Authentication for the Shell-Access in PF times
> out so quickly that I am hardly able to tap the push notification, open the DUO
> App and confirm the login process; needless to say, authentication
> via phone call will be impossible.
>
> Is there a way to configure a higher value of let's say 15 seconds
> somewhere, maybe only for this one Authentication Source which is only used
> for the purpose of 2FA to our switches?
>
> Kind Regards
>
> Benjamin
>


Re: [PacketFence-users] Aruba CX documentation

2022-04-14 Thread Fabrice Durand via PacketFence-users
Thanks, it will be really appreciated.

Le jeu. 14 avr. 2022 à 21:42, Karl Stevens  a écrit :

> Thanks Fabrice, I've found that too - I'm working through it and have it
> mostly working now.   Once I'm done I'll try to write up my findings and
> make a pull request on the Packetfence docs.
>
> On Thu, Apr 14, 2022 at 7:34 PM Fabrice Durand  wrote:
>
>> Hello Karl,
>>
>> the switch module has been tested but the configuration has never been
>> retrieved.
>>
>> I found some documentation about 802.1x mac-auth, you can try the
>> examples in this doc:
>>
>> https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7885.pdf
>>
>> Regards
>> Fabrice
>>
>> Le jeu. 14 avr. 2022 à 14:22, Karl Stevens via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> a écrit :
>>
>>> Hello,
>>>
>>> I'm trying to set up a new installation of Packetfence 11.2 with Aruba
>>> CX switches.   These are supposed to be supported since Packetfence 10.2,
>>> but I'm not able to find any documentation on them in the Network Devices
>>> Configuration Guide at
>>> https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba
>>> (the only entry for Aruba is for the 2930M series, which has different
>>> syntax.)
>>>
>>> Is there any documentation for configuring this switch series for use by
>>> Packetfence?
>>>
>>> Thanks,
>>> Karl Stevens
>>>
>>>
>>
>
> --
> Karl Stevens
> Greater St. Albert Roman Catholic School Division No. 734
>


Re: [PacketFence-users] Aruba CX documentation

2022-04-14 Thread Fabrice Durand via PacketFence-users
Hello Karl,

the switch module has been tested but the configuration has never been
retrieved.

I found some documentation about 802.1x mac-auth, you can try the examples
in this doc:

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7885.pdf

Regards
Fabrice

Le jeu. 14 avr. 2022 à 14:22, Karl Stevens via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello,
>
> I'm trying to set up a new installation of Packetfence 11.2 with Aruba CX
> switches.   These are supposed to be supported since Packetfence 10.2, but
> I'm not able to find any documentation on them in the Network Devices
> Configuration Guide at
> https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba
> (the only entry for Aruba is for the 2930M series, which has different
> syntax.)
>
> Is there any documentation for configuring this switch series for use by
> Packetfence?
>
> Thanks,
> Karl Stevens
>


Re: [PacketFence-users] Packetfence config related fallback plan

2022-04-14 Thread Fabrice Durand via PacketFence-users
Probably a misconfiguration issue.
https://www.packetfence.org/doc/PacketFence_Clustering_Guide.html#_packetfence_configuration_modification_first_server_only

Notice host=127.0.0.1

If you forgot that, each server will use its local database instance for
inserts, and that will result in table locks.

Le jeu. 14 avr. 2022 à 14:22, Zammit, Ludovic via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hello Misbah,
>
> We only had an issue with chunk = '8192' for EAP TLS and not EAP PEAP.
>
> It is way too big to cover your entire cluster config on the mailing list; I
> would suggest you take some consulting hours with Akamai and we will do a
> sanity check on your cluster to see why the database would disconnect.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Apr 13, 2022, at 7:14 PM, Misbah Hussaini 
> wrote:
>
> Hello Ludovic,
>
> Again we had an outage and this time it looks like the DB had some sort of
> locking issue. The temporary fix was to restart the mariadb service. I'm
> running PF 11.2 in a 3-node cluster doing 802.1x and mac auth, and I see the
> messages below in packetfence.log at the time the problem began; these
> messages continued until the DB was restarted.
>
> Packetfence.log:
>
> Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR:
> [mac:unknown] Database query failed with non retryable error: Lock wait
> timeout exceeded; try restarting transaction (errno: 1205) [INSERT INTO
> `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`,
> `category_id`, `computername`, `detect_date`, `device_class`,
> `device_manufacturer`, `device_score`, `device_type`, `device_version`,
> `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`,
> `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`,
> `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`,
> `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ? ) ON DUPLICATE KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL,
> NULL, , NULL, SEPC4143C97B434, 2021-12-23 14:27:33, VoIP Device, Cisco
> Systems, Inc, 76, Cisco IP Phone CP-7945G, , , , 1,66,6,3,15,150,35, Cisco
> Systems, Inc. IP Phone CP-7945G, -00-00 00:00:00, 2022-04-13 21:46:21,
> 2021-12-24 20:10:12, -00-00 00:00:00, c4:14:3c:97:b4:34, NULL, ,
> default, -00-00 00:00:00, , unreg, 1, NULL, -00-00 00:00:00, , no,
> 2022-04-13 21:46:21, 1} (pf::dal::db_execute)
> Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR:
> [mac:unknown] Unable to modify node 'c4:14:3c:97:b4:34
> (pf::node::node_modify)
> Apr 13 21:47:28 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device
> 00:11:22:33:44:55. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:38 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device
> 00:11:22:33:44:55. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:42 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device
> 00:11:22:33:44:55. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:52 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN:
> [mac:00:11:22:33:44:55] Unable to pull accounting history for device
> 00:11:22:33:44:55. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: Using
> 300 resolution threshold (pf::pfcron::task::cluster_check::run)
> Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO:
> processed 0 security_events during security_event maintenance
> (1649872073.11399 1649872073.12087)
> (pf::security_event::security_event_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO:
> processed 0 security_events during security_event maintenance
> (1649872073.12281 1649872073.12537)
> (pf::security_event::security_event_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029095]: pfperl-api(2426219) INFO:
> getting security_events triggers for accounting cleanup
> (pf::accounting::acct_maintenance)
> Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: All
> cluster members are running the same configuration version
> (pf::pfcron::task::c