Re: [PacketFence-users] Radius Condition

2014-12-23 Thread Matteo Pidalà
Remove from mail list me please


regards

2014-12-23 14:41 GMT+01:00 Fabrice DURAND :

> Hello Josh,
>
> the best thing to do is to test with pftest and see if the rules match.
>
> Regards
> Fabrice
>
> On 2014-12-22 10:35, Nathan, Josh wrote:
> > Anymore thoughts about this? I tested the login with the condition
> > "Current Time is after 01:00" and that worked, but trying to do
> > anything with the username seems to always fail.
> >
> > Thanks,
> > Joshua Nathan
> > IT Administrator
> > Black Forest Academy
> > +49 (0) 7626-916123
> >
> > On Thu, Dec 11, 2014 at 9:45 AM, Nathan, Josh
> > mailto:josh.nat...@bfacademy.de>> wrote:
> >
> > Thanks for your reply Juan,
> >
> > But if you look, you should see from the excerpt of my conf file
> > that I do, indeed, have a role.  The role is "staff".  Further, it
> > does correctly assign the role if I remove any conditions I have
> > regarding the username (I'll admit that I haven't tried other
> > types of conditions as those aren't pertinent to my goal).  From
> > the logs, you can see that the username I tried to authenticate
> > with was "jnathan", and even in the most basic condition I tried
> > (the condition of the username being "jnathan"), it then fails to
> > assign the role... as if the condition always fails.
> >
> > So as it stands, the Rule itself works (sees that I have a legit
> > username and password, and assigns the proper role).  However,
> > when I assign a Condition to the rule, it fails.  Maybe I'm typing
> > it in wrong?  I've tried with no quotes, single quotes, double
> > quotes... When looking at the conf file in Vim, I don't see any
> > erroneous characters or extra whitespace...
> >
> > The end goal is to have a single Radius database that houses all
> > usernames and passwords, where our username pattern determines
> > which role someone is assigned.
> >
> > Thanks,
> > Joshua Nathan
> > IT Administrator
> > Black Forest Academy
> > +49 (0) 7626-916123 
> >
> > On Wed, Dec 10, 2014 at 6:43 PM, Juan Camilo Valencia
> >  > > wrote:
> >
> > Hi Josh,
> >
> > Take a look to this log line
> > "Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified
> > or found for pid jnathan (MAC 00:1d:72:35:1b:15); assume
> > maximum number of registered nodes is reached
> > (pf::node::is_max_reg_nodes_reached)"
> >
> > That means that you don't have a role assigned for the user
> > that you are using; you can assign it when you create the rule
> > and assign that role to a VLAN ID in your switch. The problem
> > is that without a role PF assumes that you have reached the maximum
> > number of devices authorized for the pid and doesn't assign a functional
> > VLAN. I think that your rule is correctly created except for
> > the role; try to create a role and that should solve the problem.
> >
> > I hope that this helps you solve the problem.
> >
> > Best Regards,
> >
> > On Wed, Dec 10, 2014 at 5:09 AM, Nathan, Josh
> > mailto:josh.nat...@bfacademy.de>>
> > wrote:
> >
> > OK, I've also discovered the in httpd.admin.log file:
> >
> > Dec 10 10:41:14 httpd.admin(6919) INFO:
> > [00:1d:72:35:1b:15] re-evaluating access (node_modify
> > called) (pf::enforcement::reevaluate_access)
> > Dec 10 10:41:14 httpd.admin(6919) INFO: Instantiate a new
> > iptables modification method. pf::ipset
> > (pf::inline::get_technique)
> > Dec 10 10:41:15 httpd.admin(6919) ERROR: Use of
> > uninitialized value $all_or_any in string eq at
> > /usr/local/pf/html/pfappserver/lib/pfappserver/Model/Search/Node.pm
> > line 73.
> > (pfappserver::__ANON__)
> > Dec 10 10:41:34 httpd.admin(6919) INFO: status 200
> > (pfappserver::Controller::Configuration::pf_section)
> > Dec 10 10:41:59 httpd.admin(6919) INFO: set_role
> > (pfappserver::Base::Form::Authentication::Action::validate)
> > Dec 10 10:41:59 httpd.admin(6919) INFO:
> > set_access_duration
> > (pfappserver::Base::Form::Authentication::Action::validate)
> >
> > Thanks,
> > Joshua Nathan
> > IT Administrator
> > Black Forest Academy
> > +49 (0) 7626-916123 
> >
> > On Wed, Dec 10, 2014 at 10:46 AM, Nathan, Josh
> >  > > wrote:
> >
> > OK, here're the packetfence logs for my login with NO
> > conditions set (works... user gains Internet access):
> >
> > Dec 10 10:37:31 httpd.portal(6988) INFO:
> > Authentication successful for jnathan in sou

Re: [PacketFence-users] Packetfence as "simple" freeradius server

2014-11-26 Thread Matteo Pidalà
Sorry Guys,
I don't wanna exchange you/team as free support. :-)

But do you have in case any other suggestion about this?

Regards

Matteo

2014-11-13 15:39 GMT+01:00 Matteo Pidalà :

> Hallo Fabrice,
> thanks for your answer.
>
> BTW, correct. I've already followed the manual in order to make
> dynamic_clients available (really, it was already configured like this in
> the 4.5.0 OVA version).
> See above the logs and configuration of both the ASA and PacketFence.
>
> Here one extract:
> Tue Nov 11 05:48:13 2014 : Info: rlm_perl: MAC address is empty or invalid
> in this request. It could be normal on certain radius calls
>
> Regards in advance.
>
> Matteo

Re: [PacketFence-users] Packetfence as "simple" freeradius server

2014-11-13 Thread Matteo Pidalà
Hallo Fabrice,
thanks for your answer.

BTW, correct. I've already followed the manual in order to make
dynamic_clients available (really, it was already configured like this in
the 4.5.0 OVA version).
See above the logs and configuration of both the ASA and PacketFence.

Here one extract:
Tue Nov 11 05:48:13 2014 : Info: rlm_perl: MAC address is empty or invalid
in this request. It could be normal on certain radius calls

Regards in advance.

Matteo



2014-11-12 14:19 GMT+01:00 Fabrice DURAND :

>  Hello Matteo,
>
> In the documentation
> http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Administration_Guide-4.5.1.pdf
> page 33 explains how you can enable Local User Authentication for RADIUS,
> so it means that each local user can be used as an 802.1x user for FreeRADIUS.
>
> Regards
> Fabrice
>
> On 2014-11-12 05:33, Matteo Pidalà wrote:
>
> Hello everybody,
> can someone help or give me some suggestions about this implementation?
>
>  Many regards
>
>  Matteo

Re: [PacketFence-users] Packetfence as "simple" freeradius server

2014-11-12 Thread Matteo Pidalà
Hello everybody,
can someone help or give me some suggestions about this implementation?

Many regards

Matteo


Re: [PacketFence-users] Packetfence as "simple" freeradius server

2014-11-11 Thread Matteo Pidalà
Here is some additional configuration and output:

*CISCO ASA:*
ASA-LAB/pri/act(config)# sh run aaa-server PACKETFENCE
aaa-server PACKETFENCE protocol radius
aaa-server PACKETFENCE (inside) host 10.129.187.216
 key *
 authentication-port 1812
 accounting-port 1813

*LOG CISCO ASA:*
ASA-LAB/pri/act(config)# test aaa-server authentication PACKETFENCE
USername t$
Server IP Address or name: 10.129.187.216
INFO: Attempting Authentication test to IP address <10.129.187.216>
(timeout: 12 seconds)
radius mkreq: 0x8043
alloc_rip 0xcc683d08
new request 0x8043 --> 227 (0xcc683d08)
got user 'test'
got password
add_req 0xcc683d08 session 0x8043 id 227
RADIUS_REQUEST
radius.c: rad_mkpkt

*RADIUS packet decode (authentication request)*

--
Raw packet data (length = 62).
01 e3 00 3e 61 8e 8e ba f9 47 db d5 c2 ed f0 15|  ...>aG..
71 c2 cf b7 01 06 74 65 73 74 02 12 14 92 60 4d|  q.test`M
2b 39 34 c0 33 f0 11 ed a8 ca 61 af 04 06 0a 81|  +94.3.a.
bb 03 05 06 00 00 01 0a 3d 06 00 00 00 05  |  =.

Parsed packet data.
Radius: Code = 1 (0x01)
Radius: Identifier = 227 (0xE3)
Radius: Length = 62 (0x003E)
Radius: Vector: 618E8EBAF947DBD5C2EDF01571C2CFB7
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
74 65 73 74|  test
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
14 92 60 4d 2b 39 34 c0 33 f0 11 ed a8 ca 61 af|  ..`M+94.3.a.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.129.187.3 (0x0A81BB03)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x10A
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.129.187.216/1812
rip 0xcc683d08 state 7 id 227
rad_vrfy() : response message verified
rip 0xcc683d08
 : chall_state ''
 : state 0x7
 : reqauth:
 61 8e 8e ba f9 47 db d5 c2 ed f0 15 71 c2 cf b7
 : info 0xcc683e40
 session_id 0x8043
 request_id 0xe3
 user 'test'
 response '***'
 app 0
 reason 0
 skey 'cisco'
 sip 10.129.187.216
 type 1

*RADIUS packet decode (response)*

--
Raw packet data (length = 20).
03 e3 00 14 7e 58 89 e0 be 69 a1 76 6c de 19 24|  ~X...i.vl..$
56 bf 24 8b|  V.$.

Parsed packet data.
Radius: Code = 3 (0x03)
Radius: Identifier = 227 (0xE3)
Radius: Length = 20 (0x0014)
Radius: Vector: 7E5889E0BE69A1766CDE192456BF248B
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0xcc683d08 session 0x8043 id 227
free_rip 0xcc683d08
radius: send queue empty
*ERROR: Authentication Rejected: AAA failure*

*PACKETFENCE:*

[10.129.187.3]
RoleMap=N
mode=production
VlanMap=N
AccessListMap=N
description=ASA
*type=Cisco::Catalyst_3560   --> invented... because a Cisco ASA type doesn't exist.*
VoIPEnabled=N
radiusSecret=cisco
deauthMethod=RADIUS


*LOG PACKETFENCE:*
Tue Nov 11 05:47:40 2014 : Info: Ready to process requests.
Tue Nov 11 05:48:13 2014 : Auth: Login OK: [test] (from client 10.129.187.3
port 266)
Tue Nov 11 05:48:13 2014 : Info: rlm_perl: MAC address is empty or invalid
in this request. It could be normal on certain radius calls



If you need some other information, let me know.

regards

Matteo


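As an added example (not code from the thread or from PacketFence), the Python below decodes the two "Raw packet data" dumps from the ASA debug above and checks the Access-Reject's Response Authenticator the way the ASA's rad_vrfy() does; the bytes are copied from the dumps on the page, and the shared secret value comes from the `skey 'cisco'` / `radiusSecret=cisco` lines.

```python
"""Decode the ASA <-> PacketFence RADIUS exchange pasted above.

RFC 2865 layout: Code(1) Identifier(1) Length(2) Authenticator(16), then
attributes as Type(1) Length(1) Value(Length-2) until Length bytes are used.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}

# Bytes copied from the two "Raw packet data" dumps in the ASA debug output.
ASA_REQUEST = bytes.fromhex(
    "01e3003e" "618e8ebaf947dbd5c2edf01571c2cfb7"   # header: code 1, id 227, len 62
    "0106" "74657374"                                # User-Name "test"
    "0212" "1492604d2b3934c033f011eda8ca61af"        # User-Password (obfuscated)
    "0406" "0a81bb03"                                # NAS-IP-Address 10.129.187.3
    "0506" "0000010a"                                # NAS-Port 266
    "3d06" "00000005"                                # NAS-Port-Type 5 (Virtual)
)
ASA_REPLY = bytes.fromhex("03e30014" "7e5889e0be69a1766cde192456bf248b")
# Secret shown on both sides of the thread: ASA skey 'cisco', PF radiusSecret=cisco.
SHARED_SECRET = b"cisco"


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    length: int
    authenticator: bytes
    attributes: List[Tuple[int, bytes]]


def parse_radius(data: bytes) -> RadiusPacket:
    """Parse one packet, refusing anything whose lengths do not add up."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"Length field {length} does not fit {len(data)} bytes")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return RadiusPacket(code, ident, length, data[4:20], attrs)


def is_well_formed(data: bytes) -> bool:
    try:
        parse_radius(data)
        return True
    except ValueError:
        return False


def decode_attribute(atype: int, value: bytes) -> Union[str, int]:
    """Render the attribute types seen in the ASA request in human form."""
    if atype == 1:
        return value.decode("utf-8", errors="replace")
    if atype == 4 and len(value) == 4:
        return ".".join(str(b) for b in value)
    if atype in (5, 61) and len(value) == 4:
        return struct.unpack("!I", value)[0]
    return value.hex()  # User-Password stays opaque: it is XORed with MD5(secret+auth)


def attributes_as_dict(pkt: RadiusPacket) -> Dict[str, Union[str, int]]:
    return {ATTR_NAMES.get(t, f"Attr-{t}"): decode_attribute(t, v) for t, v in pkt.attributes}


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """RFC 2865 s.3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).

    A reply that fails this check, or carries another Identifier, was not produced
    by a server holding the shared secret for this request and must be dropped.
    """
    req, rep = parse_radius(request), parse_radius(reply)
    if rep.identifier != req.identifier:
        return False
    body = reply[:rep.length]
    expected = hashlib.md5(body[:4] + req.authenticator + body[20:] + secret).digest()
    return hmac.compare_digest(expected, rep.authenticator)


if __name__ == "__main__":
    req = parse_radius(ASA_REQUEST)
    print(CODE_NAMES[req.code], "id", req.identifier, attributes_as_dict(req))
    rep = parse_radius(ASA_REPLY)
    print(CODE_NAMES[rep.code], "id", rep.identifier,
          "authenticator valid with shared secret:",
          verify_reply(ASA_REPLY, ASA_REQUEST, SHARED_SECRET))
```
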
[PacketFence-users] Packetfence as "simple" freeradius server

2014-11-10 Thread Matteo Pidalà
Hello everybody.
I have used PacketFence a lot with registration and isolation VLANs (NAC, dot1x,
etc.) in big network environments with great satisfaction.

Now, for another project, I need to install one PacketFence
environment (the already prepared OVM image) for one "simple" scenario.
PacketFence, in fact, should work as a "radius service" with accounting for
user authentication sent by one Cisco ASA.

Summarized, the scenario is:
- Cisco ASA --> Cut-Through --> with aaa-server radius configured to point
to PacketFence
- PacketFence manages the authentication and statistics for radius users
created statically.
- I don't wanna use a project like "daloradius" or something like this... For
me PacketFence is really better, even without the NAC implementation... ;-)

Now... I don't know precisely how to build this environment, in particular:
- Can I create the users directly from the static users menu with the
attributes about expiration data, limit of simultaneously logged-in users, etc.?
- And the most important thing that I didn't find... In which way can I
configure the "nas" system to allow PacketFence to speak with my
ASA?


I will forward some script configuration (maybe useful also for other
users, there is not so much on the internet for now), but for now I need just
some feedback and information from you.


Many regards in advance

Matteo
--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Hostapd (openwrt) and 802.1x authentication possible?

2014-08-04 Thread Matteo Pidalà
Great post...
It's interesting also for me!!!

Anyway Hugo I will take carefully later what you wrote.

See you...

Matteo
Sent from iPhone

> On 29 Jul 2014 at 22:14, Hugo Rodenburg wrote:
> 
> Hi list,
> 
> I'm trying to configure packetfence with a local user database (SQL or 
> freeradius users file) for authenticating hostapd (running on openwrt) using 
> 802.1x authentication.
> It might be quite obvious how this should work, but this is not clear to me.
> 
> I have:
> - configured the packetfence switch as type "hostapd" and configured a 
> RADIUS secret etc. for the access point
> - configured hostapd to use the packetfence server for radius authentication 
> and accounting.
> - added a user to pf/raddb/users (radtest Cleartext-Password := "radtest")
> - basic configuration of roles and vlans within packetfence (working when 
> using portal login)
> 
> When I connect, I can authenticate successfully using the radtest account. 
> However, radius returns the vlan of the registration vlan (as seen in the 
> hostapd log).
> I tried fiddling with the authentication source from within the webinterface, 
> to get the right role assigned, but am not sure how this is supposed to work. 
> And what I should configure when using the internal freeradius server.
> 
> I've read the Administration guide multiple times, and tried searching this 
> list, but I cannot get a clear picture.
> I've had a successful setup in the past using the captive portal, but would 
> like to switch to 802.1x authentication for the wifi network. From what I've 
> read, this should be quite simple.
> 
> Am I missing something obvious here?
> Is this perhaps not (yet) supported using the hostapd switch template in some 
> way?
> 
> I hope someone can enlighten me.
> Please ask if something is missing or unclear.
> 
> Thank you in advance.
> 
> Regards,
> Hugo
> 


Re: [PacketFence-users] PF 4.3 and Facebook Oauth2

2014-07-16 Thread Matteo Pidalà
Hi Andreas,

I'm interested in this problem. May I ask you some questions?
- What's not working in your environment? Because for me the error doesn't
belong to the rule node.
- And is it working well for the other wireless devices, without warnings?
- Did you also use an iPad or a Mac for this test?

Many regards

Matteo


2014-07-15 20:42 GMT+02:00 Andreas Schacht :

> Hi Derek,
>
> normally yes, but if I set one of these roles then the WiFi client can
> access the internet without authentication.
> Or am I understanding something wrong?!?
>
> Kind regards
>
> Andreas
>
>
> On 15.07.2014 at 18:16, Derek Wuelfrath wrote:
>
> Hello Andrea,
>
> I have to set a Rule in my Facebook Source. But in the Rule Option have
> set:
> *Error!* You must set an access duration or an unregistration date when
> setting a role.
>
>
> The error message is fairly self-explaining… When you set a role in a rule
> (as explained by Julien), you also need to set either an access duration
> or an unregistration date.
>
> Cheers!
> dw.
>
> --
> Derek Wuelfrath
> dwuelfr...@inverse.ca :: www.inverse.ca
> +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Jul 9, 2014, at 8:47 AM, Andreas Schacht  wrote:
>
> Hi,
>
> after testing the PF system I have come to a point which I don't understand.
> I have to set a Rule in my Facebook Source. But in the Rule Option I have
> set:
> *Error!* You must set an access duration or an unregistration date when
> setting a role.
>
> When I do this, the authentication through Facebook no longer works
> and I get access through PF.
> Where am I thinking wrong?
>
> Kind regards
>
> Andreas
>
>
> On 04.07.2014 at 13:44, Julien Semaan wrote:
>
> Hi Andreas,
>
> All services are currently necessary.
>
> pfsetvlan is probably the one using the most memory. You can adjust the
> number of threads it starts in conf/pf.conf by adding the following
>
> [vlan]
> nbtraphandlerthreads = 5
>
> You can adjust this number depending on the number of clients you have.
> pfsetvlan should be used only for deauthentication in your setup so you
> shouldn't see a performance downgrade but this will make pfsetvlan use
> less resources.
>
> On 14-07-03 08:32 AM, Andreas Schacht wrote:
>
> Hi,
>
> can somebody tell me which service can be disabled to save resources in PF?
> I just need the OAuth2 feature for WiFi.
>
>
> Kind regards
>
> Andreas
>
> On 03.07.2014 at 01:14, Durand fabrice wrote:
>
> Hi Andreas,
>
> allow_android_devices and allowed_devices will be two new options for the
> incoming MDM feature.
>
> Regards
> Fabrice
>
> On 2014-07-02 18:37, Andreas Schacht wrote:
>
> Hi Julien,
>
> thank you, it was this role option.
> Now it works and needs some fine tuning.
>
> Can somebody explain these options?
>
> root@privileg:~# cat /usr/local/pf/conf/profiles.conf
> [default]
> description=Default Profile
> logo=/common/packetfence-cp.png
> billing_engine=disabled
> redirecturl=http://www.packetfence.org/
> always_use_redirecturl=disabled
> mandatory_fields=custom_field_1
> locale=en_US
> nbregpages=0
> allow_android_devices=0 <—— This Option
> allowed_devices=  <——— This Option
> sources=Privileg
> root@privileg:~#
>
>
> Kind regards
>
> Andreas
>
>
> On 02.07.2014 at 23:19, Julien Semaan wrote:
>
> Hi Andreas,
>
> You need to set a role for the nodes in your facebook source.
>
> In the sources page at the bottom you can add a catch all rule that will
> set the access duration and the role of the node.
>
> On 14-07-02 04:58 PM, Andreas Schacht wrote:
>
> Hi,
>
> after checking the Log files i have found this Part:
> ==> /usr/local/pf/logs/packetfence.log <==
> Jul 02 22:53:50 httpd.portal(4094) ERROR: Error while setting locale to
> en_US.utf8. Is the locale generated on your system?
> (captiveportal::PacketFence::Controller::Root::setupLanguage)
> Jul 02 22:53:53 httpd.portal(4094) INFO: OAuth2 successfull, register and
> release for username andreas.*@facebook.com
> (captiveportal::PacketFence::Controller::Oauth2::oauth2Result)
> Jul 02 22:53:54 httpd.portal(4094) WARN: No role specified or found for
> pid andreas.***@facebook.com (MAC 40:b3:95:ff:ff:ff); assume maximum
> number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
> On 02.07.2014 at 21:07, Andreas Schacht wrote:
>
> Can somebody explain which Roles I have to set up?
>
> Kind regards
>
> Andreas
>
>
> Hi,
>
> I have set up a Debian with PF 4.3 and hostapd from scratch in inline mode.
> Everything works fine until the point when I connect with a mobile device
> (iOS 7.1): I can authorize with Facebook but
> then I get the message that I have reached the limit of nodes per user.
> Does somebody have an idea what's wrong?
>
> Kind regards
>
> Andreas
>

Re: [PacketFence-users] SSID message Error on PF from Cisco ap1242 and iphone mobile phone

2014-07-08 Thread Matteo Pidalà
Perfect!
It's working well!!

Thank you!

Matteo


2014-07-03 15:30 GMT+02:00 Matteo Pidalà :

> ah ok! I will try next week, I will be far away from my server until
> Monday...
>
> Thanks once again Fabrice,
>
> regards
>
> Matteo
>
>
> 2014-07-03 1:10 GMT+02:00 Durand fabrice :
>
>> My fault, it's just a little syntax error, try this:
>>
>>
>> sub extractSsid {
>>     my ($this, $radius_request) = @_;
>>     my $logger = Log::Log4perl::get_logger(ref($this));
>>
>>     if (defined($radius_request->{'Cisco-AVPair'})) {
>>         if (ref($radius_request->{'Cisco-AVPair'}) eq 'ARRAY') {
>>             # The AP may send several Cisco-AVPair attributes; scan them all
>>             foreach my $ciscoAVPair (@{$radius_request->{'Cisco-AVPair'}}) {
>>                 $logger->trace("Cisco-AVPair: ".$ciscoAVPair);
>>
>>                 # ex: Cisco-AVPair = "ssid=PacketFence-Secure"
>>                 if ($ciscoAVPair =~ /^ssid=(.*)$/) {
>>                     return $1;
>>                 } else {
>>                     $logger->info("Unable to extract SSID of Cisco-AVPair: ".$ciscoAVPair);
>>                 }
>>             }
>>         } else {
>>             # Single Cisco-AVPair attribute
>>             # ex: Cisco-AVPair = "ssid=PacketFence-Secure"
>>             if ($radius_request->{'Cisco-AVPair'} =~ /^ssid=(.*)$/) {
>>                 return $1;
>>             } else {
>>                 $logger->info("Unable to extract SSID of Cisco-AVPair: ".$radius_request->{'Cisco-AVPair'});
>>             }
>>         }
>>     }
>>
>>     $logger->warn(
>>         "Unable to extract SSID for module " . ref($this) . ". SSID-based VLAN assignments won't work. "
>>         . "Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work."
>>     );
>>     return;
>> }
>>
>> Fabrice
>>
>> On 2014-07-02 16:21, Matteo Pidalà wrote:
>>
>> Hi Fabrice,
>> I'm sorry to disturb you once again, but after the function change, I
>> receive a new error from packetfence.log after trying to connect my laptop
>> over Wi-Fi:
>> Jul 03 00:19:33 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
>> Jul 03 00:19:33 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
>> Jul 03 00:19:33 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
>> Jul 03 00:19:36 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
>> Jul 03 00:19:36 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
>> Jul 03 00:19:36 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
>> Jul 03 00:19:39 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
>> Jul 03 00:19:39 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
>> Jul 03 00:19:39 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
>> Jul 03 00:19:43 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
>> Jul 03 00:19:43 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read

Re: [PacketFence-users] Error instaling packetfence

2014-07-03 Thread Matteo Pidalà
Hi,
did you follow the first wizard configuration on the web interface?
From there you can set up from the beginning the SQL server and the users
that PF would use for the database connection.

Regards

Matteo


2014-07-03 15:44 GMT+02:00 David Martinez :

> Hi, I'm new to PacketFence.
> I installed PF but there is an error when I try to start the service.
>
> unable to connect to database: Access denied for user 'pf'@'localhost'
> (using password: YES) at /usr/local/pf/lib/pf/iplog.pm line 70.
>
> Any idea what it can be?
>
> Thanks in advance
>
>
> --
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


Re: [PacketFence-users] SSID message Error on PF from Cisco ap1242 and iphone mobile phone

2014-07-03 Thread Matteo Pidalà
ah ok! I will try next week, I will be far away from my server until
Monday...

Thanks once again Fabrice,

regards

Matteo


2014-07-03 1:10 GMT+02:00 Durand fabrice :

>  My fault, it's just a little syntax error, try this:
>
>
> sub extractSsid {
>     my ($this, $radius_request) = @_;
>     my $logger = Log::Log4perl::get_logger(ref($this));
>
>     if (defined($radius_request->{'Cisco-AVPair'})) {
>         # several Cisco-AVPair values arrive as an array ref, a single one as a plain string
>         if (ref($radius_request->{'Cisco-AVPair'}) eq 'ARRAY') {
>             foreach my $ciscoAVPair (@{$radius_request->{'Cisco-AVPair'}}) {
>                 $logger->trace("Cisco-AVPair: ".$ciscoAVPair);
>
>                 if ($ciscoAVPair =~ /^ssid=(.*)$/) { # ex: Cisco-AVPair = "ssid=PacketFence-Secure"
>                     return $1;
>                 } else {
>                     $logger->info("Unable to extract SSID of Cisco-AVPair: ".$ciscoAVPair);
>                 }
>             }
>         } else {
>             if ($radius_request->{'Cisco-AVPair'} =~ /^ssid=(.*)$/) { # ex: Cisco-AVPair = "ssid=PacketFence-Secure"
>                 return $1;
>             } else {
>                 $logger->info("Unable to extract SSID of Cisco-AVPair: ".$radius_request->{'Cisco-AVPair'});
>             }
>         }
>     }
>
>     $logger->warn(
>         "Unable to extract SSID for module " . ref($this) . ". SSID-based VLAN assignments won't work. "
>         . "Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work."
>     );
>     return;
> }
>
> Fabrice
>
> On 2014-07-02 16:21, Matteo Pidalà wrote:
>
> Hi Fabrice,
> I'm sorry to disturb you once again, but after the function change, I
> receive a new error from packetfence.log after trying to connect my laptop
> over Wi-Fi:
> Jul 03 00:19:33 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
> Jul 03 00:19:33 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
> Jul 03 00:19:33 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
> Jul 03 00:19:36 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
> Jul 03 00:19:36 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
> Jul 03 00:19:36 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
> Jul 03 00:19:39 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
> Jul 03 00:19:39 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
> Jul 03 00:19:39 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
> Jul 03 00:19:43 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
> Jul 03 00:19:43 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
> Jul 03 00:19:43 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
>
> The configuration is still the same as in my first mail.
>
> Any suggestions are welcome!!
>
> Regards
>
> Matteo
>
>
> 2014-07-01 23:49 GMT+02:00 Durand fabrice :
>
>>  Hel

Re: [PacketFence-users] SSID message Error on PF from Cisco ap1242 and iphone mobile phone

2014-07-02 Thread Matteo Pidalà
Hi Fabrice,
I'm sorry to disturb you once again, but after the function change, I
receive a new error from packetfence.log after trying to connect my laptop
over Wi-Fi:
Jul 03 00:19:33 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
Jul 03 00:19:33 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
Jul 03 00:19:33 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
Jul 03 00:19:36 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
Jul 03 00:19:36 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
Jul 03 00:19:36 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
Jul 03 00:19:39 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
Jul 03 00:19:39 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
Jul 03 00:19:39 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)
Jul 03 00:19:43 httpd.webservices(3047) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
Jul 03 00:19:43 httpd.webservices(3047) ERROR: Can not load perl module for switch 10.0.1.10, type: pf::Switch::Cisco::Aironet_1242. Either the type is unknown or the perl module has compilation errors. Read the following message for details:  (pf::SwitchFactory::instantiate)
Jul 03 00:19:43 httpd.webservices(3047) WARN: Can't instantiate switch 10.0.1.10. This request will be failed. Are you sure your switches.conf is correct? (pf::radius::authorize)

The configuration is still the same as in my first mail.

Any suggestions are welcome!!

Regards

Matteo


2014-07-01 23:49 GMT+02:00 Durand fabrice :

>  Hello Matteo,
>
> can you edit Aironet.pm and replace the function extractSsid with this
> code and retry:
>
>
> sub extractSsid {
>     my ($this, $radius_request) = @_;
>     my $logger = Log::Log4perl::get_logger(ref($this));
>
>     if (defined($radius_request->{'Cisco-AVPair'})) {
>         # several Cisco-AVPair values arrive as an array ref, a single one as a plain string
>         if (ref($radius_request->{'Cisco-AVPair'}) eq 'ARRAY') {
>             foreach my $ciscoAVPair (@{$radius_request->{'Cisco-AVPair'}}) {
>                 $logger->trace("Cisco-AVPair: ".$ciscoAVPair);
>
>                 if ($ciscoAVPair =~ /^ssid=(.*)$/) { # ex: Cisco-AVPair = "ssid=PacketFence-Secure"
>                     return $1;
>                 } else {
>                     $logger->info("Unable to extract SSID of Cisco-AVPair: ".$ciscoAVPair);
>                 }
>             }
>         } else {
>             if ($radius_request->{'Cisco-AVPair'} =~ /^ssid=(.*)$/) { # ex: Cisco-AVPair = "ssid=PacketFence-Secure"
>                 return $1;
>             } else {
>                 $logger->info("Unable to extract SSID of Cisco-AVPair: ".$ciscoAVPair);
>             }
>         }
>     }
>
>     $logger->warn(
>         "Unable to extract SSID for module " . ref($this) . ". SSID-based VLAN assignments won't work. "
>         . "Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work."
>     );
>     return;
> }
>
>
> Of course, restart the httpd.webservices service.
>
> Regards
> Fabrice
>
> On 2014-07-01 17:36, Matteo Pidalà wrote:
>
> Hi everybody!
> I have reached a satisfactory PacketFence environment, with some switches and
> users working with 802.1X authentication with captive portal self-registration.
> That's great... thanks once again for this fantastic product.
>
>  Anyway, right now I have one issue with the wireless part.
>
>  I have (for now) one Cisco Aironet 1242 that

Re: [PacketFence-users] SSID message Error on PF from Cisco ap1242 and iphone mobile phone

2014-07-02 Thread Matteo Pidalà
Hi Fabrice,
thank you very much for your prompt answer.
This evening I will try to make this change.

I tried to modify the script following the error in the logs, but it was not
like yours and the system was not working ;-)

In any case, it seems a "general" issue / workaround. Is it possible to add it to the
official documentation?

Regards

Matteo


2014-07-01 23:49 GMT+02:00 Durand fabrice :

>  Hello Matteo,
>
> can you edit Aironet.pm and replace the function extractSsid with this
> code and retry:
>
>
> sub extractSsid {
>     my ($this, $radius_request) = @_;
>     my $logger = Log::Log4perl::get_logger(ref($this));
>
>     if (defined($radius_request->{'Cisco-AVPair'})) {
>         # several Cisco-AVPair values arrive as an array ref, a single one as a plain string
>         if (ref($radius_request->{'Cisco-AVPair'}) eq 'ARRAY') {
>             foreach my $ciscoAVPair (@{$radius_request->{'Cisco-AVPair'}}) {
>                 $logger->trace("Cisco-AVPair: ".$ciscoAVPair);
>
>                 if ($ciscoAVPair =~ /^ssid=(.*)$/) { # ex: Cisco-AVPair = "ssid=PacketFence-Secure"
>                     return $1;
>                 } else {
>                     $logger->info("Unable to extract SSID of Cisco-AVPair: ".$ciscoAVPair);
>                 }
>             }
>         } else {
>             if ($radius_request->{'Cisco-AVPair'} =~ /^ssid=(.*)$/) { # ex: Cisco-AVPair = "ssid=PacketFence-Secure"
>                 return $1;
>             } else {
>                 $logger->info("Unable to extract SSID of Cisco-AVPair: ".$ciscoAVPair);
>             }
>         }
>     }
>
>     $logger->warn(
>         "Unable to extract SSID for module " . ref($this) . ". SSID-based VLAN assignments won't work. "
>         . "Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work."
>     );
>     return;
> }
>
>
> Of course, restart the httpd.webservices service.
>
> Regards
> Fabrice
>
> On 2014-07-01 17:36, Matteo Pidalà wrote:
>
> Hi everybody!
> I have reached a satisfactory PacketFence environment, with some switches and
> users working with 802.1X authentication with captive portal self-registration.
> That's great... thanks once again for this fantastic product.
>
>  Anyway, right now I have one issue with the wireless part.
>
>  I have (for now) one Cisco Aironet 1242 that should be perfectly
> compatible with PF.
>
>  I receive this strange message from the troubleshooting that I did:
> Jul 02 01:19:29 httpd.webservices(4128) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
> Jul 02 01:19:29 httpd.webservices(4128) INFO: handling radius autz request: from switch_ip => 10.0.1.10, connection_type => Wireless-802.11-NoEAP,switch_mac => , mac => 04:f7:e4:f3:d6:99, port => 270, username => 04f7e4f3d699 (pf::radius::authorize)
> Jul 02 01:19:29 httpd.webservices(4128) ERROR: radius authorize failed with error: Can't use string ("ssid=Public") as an ARRAY ref while "strict refs" in use at /usr/local/pf/lib/pf/Switch/Cisco/Aironet.pm line 206. (pf::api::radius_authorize)
> Jul 02 01:19:32 httpd.webservices(4128) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
> Jul 02 01:19:32 httpd.webservices(4128) INFO: handling radius autz request: from switch_ip => 10.0.1.10, connection_type => Wireless-802.11-NoEAP,switch_mac => , mac => 04:f7:e4:f3:d6:99, port => 271, username => 04f7e4f3d699 (pf::radius::authorize)
> Jul 02 01:19:32 httpd.webservices(4128) ERROR: radius authorize failed with error: Can't use string ("ssid=Public") as an ARRAY ref while "strict refs" in use at /usr/local/pf/lib/pf/Switch/Cisco/Aironet.pm line 206. (pf::api::radius_authorize)
>
>
>  From the switch:
>  *Mar  1 06:04:41.138: %DOT11-7-AUTH_FAILED: Station 04f7.e4f3.d699 Authentication failed
> *Mar  1 06:04:49.713: %DOT11-7-AUTH_FAILED: Station 04f7.e4f3.d699 Authentication failed
>
>
>  The relevant extract of the configuration is this:
>  #
> # Copyright 2006-2008 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
>
>  [default]
> description=Switches Default Values
> vlans=1,2,3,4,5,10,20,30,35,40,50,60,100,110,120
> normalVlan=100
> registrationVlan=110
> isolationVlan=120
> macDetectionVlan=4
> voiceVlan=5

[PacketFence-users] SSID message Error on PF from Cisco ap1242 and iphone mobile phone

2014-07-01 Thread Matteo Pidalà
Hi everybody!
I have reached a satisfactory PacketFence environment, with some switches and
users working with 802.1X authentication with captive portal self-registration.
That's great... thanks once again for this fantastic product.

Anyway, right now I have one issue with the wireless part.

I have (for now) one Cisco Aironet 1242 that should be perfectly
compatible with PF.

I receive this strange message from the troubleshooting that I did:
Jul 02 01:19:29 httpd.webservices(4128) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
Jul 02 01:19:29 httpd.webservices(4128) INFO: handling radius autz request: from switch_ip => 10.0.1.10, connection_type => Wireless-802.11-NoEAP,switch_mac => , mac => 04:f7:e4:f3:d6:99, port => 270, username => 04f7e4f3d699 (pf::radius::authorize)
Jul 02 01:19:29 httpd.webservices(4128) ERROR: radius authorize failed with error: Can't use string ("ssid=Public") as an ARRAY ref while "strict refs" in use at /usr/local/pf/lib/pf/Switch/Cisco/Aironet.pm line 206. (pf::api::radius_authorize)
Jul 02 01:19:32 httpd.webservices(4128) INFO: Unable to extract MAC from Called-Station-Id: 0021.1be9.8770 (pf::radius::extractApMacFromRadiusRequest)
Jul 02 01:19:32 httpd.webservices(4128) INFO: handling radius autz request: from switch_ip => 10.0.1.10, connection_type => Wireless-802.11-NoEAP,switch_mac => , mac => 04:f7:e4:f3:d6:99, port => 271, username => 04f7e4f3d699 (pf::radius::authorize)
Jul 02 01:19:32 httpd.webservices(4128) ERROR: radius authorize failed with error: Can't use string ("ssid=Public") as an ARRAY ref while "strict refs" in use at /usr/local/pf/lib/pf/Switch/Cisco/Aironet.pm line 206. (pf::api::radius_authorize)


From the switch:
*Mar  1 06:04:41.138: %DOT11-7-AUTH_FAILED: Station 04f7.e4f3.d699 Authentication failed
*Mar  1 06:04:49.713: %DOT11-7-AUTH_FAILED: Station 04f7.e4f3.d699 Authentication failed


The relevant extract of the configuration is this:
#
# Copyright 2006-2008 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html

[default]
description=Switches Default Values
vlans=1,2,3,4,5,10,20,30,35,40,50,60,100,110,120
normalVlan=100
registrationVlan=110
isolationVlan=120
macDetectionVlan=4
voiceVlan=5
inlineVlan=6
inlineTrigger=
normalRole=normal
registrationRole=registration
isolationRole=isolation
macDetectionRole=macDetection
voiceRole=voice
inlineRole=inline
VoIPEnabled=no
VlanMap=Y
RoleMap=Y
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
cliUser=
cliPwd=
cliEnablePwd=
#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion=3
SNMPUserNameRead=readUser
SNMPAuthProtocolRead=MD5
SNMPAuthPasswordRead=authpwdread
SNMPPrivProtocolRead=AES
SNMPPrivPasswordRead=privpwdread
SNMPUserNameWrite=writeUser
SNMPAuthProtocolWrite=MD5
SNMPAuthPasswordWrite=authpwdwrite
SNMPPrivProtocolWrite=AES
SNMPPrivPasswordWrite=privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap=3
SNMPUserNameTrap=readUser
SNMPAuthProtocolTrap=MD5
SNMPAuthPasswordTrap=authpwdread
SNMPPrivProtocolTrap=AES
SNMPPrivPasswordTrap=privpwdread
#
# Web Services Interface
#
# wsTransport could be: http or https
wsTransport=http
wsUser=
wsPwd=
#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=udifiusdbfdbsuisdbfidbs

[10.0.1.4]
mode=production
defaultVlan=100
deauthMethod=SNMP
description=core
type=Cisco::Catalyst_3560
VoIPEnabled=N
uplink=1,2,3,4,5,6,7,8,9,10
defaultRole=default
guestVlan=100
gamingRole=guest
guestRole=guest
gamingVlan=100
wsPwd=cisco
wsUser=cisco
SNMPEngineID=AA5ED139B81D4A328D18ACD1
[10.0.1.10]
SNMPVersion=2c
SNMPCommunityRead=public
SNMPCommunityWrite=private
SNMPVersionTrap=2c
SNMPCommunityTrap=public
mode=production
description=AP
type=Cisco::Aironet_1242


AP Configuration:

aaa group server radius rad_eap
 server 10.0.1.3 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
 server 10.0.1.3 auth-port 1812 acct-port 1813

aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac

snmp-server community public RO
snmp-server community private RW
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps aaa_server
radius-server host 10.0.1.3 auth-port 1812 acct-port 1813 key 7 ljljlkjlkjlkjjklkjljkljkljlj74F08090127
radius-server vsa send accounting
radius-server vsa send authentication



If you need something else...
in the meantime... thanks in advance for your further support!!!

Regards

Matteo
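The two failures in this thread, the runtime "Can't use string ("ssid=Public") as an ARRAY ref" from the original Aironet.pm and the "perl module has compilation errors" that pf::SwitchFactory reported after the first patch, reproduced in a stand-alone script. This is an added example and not PacketFence code: the sub names, the constructed request hashes and the eval-based compile check are mine. What it shows is that the request hash PacketFence receives carries a single Cisco-AVPair as a plain string and several occurrences as an array reference (which is what Fabrice's `ref(...) eq 'ARRAY'` check handles), and that a `my` variable declared in a foreach is not visible in the sibling else branch under `use strict`.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code. Re-implements the SSID extraction from
# the thread stand-alone, so both failures seen in the logs can be reproduced
# without an AP: the "strict refs" die and the compile error. Sub names and the
# sample request hashes below are constructed for this example.
use strict;
use warnings;

# Behaviour of the original Aironet.pm line 206: the value is always
# dereferenced as an array. A single Cisco-AVPair arrives as a plain string,
# so under "use strict" this dies with
#   Can't use string ("ssid=Public") as an ARRAY ref while "strict refs" in use
sub extract_ssid_naive {
    my ($radius_request) = @_;
    foreach my $avpair (@{ $radius_request->{'Cisco-AVPair'} }) {
        return $1 if $avpair =~ /^ssid=(.*)$/;
    }
    return;
}

# Corrected behaviour (same idea as Fabrice's ref() check): normalise the
# attribute to a list whether it came as one string or as an array ref,
# then look for the ssid=... pair. Returns undef when there is none, which
# is what you get when the AP does not send VSAs at all.
sub extract_ssid {
    my ($radius_request) = @_;
    my $avpairs = $radius_request->{'Cisco-AVPair'};
    return unless defined $avpairs;
    my @list = ref($avpairs) eq 'ARRAY' ? @{$avpairs} : ($avpairs);
    foreach my $avpair (@list) {
        return $1 if $avpair =~ /^ssid=(.*)$/;
    }
    return;
}

# Constructed request hashes (not captured traffic). The first is the shape
# that triggered the error in the thread: one AVPair, delivered as a string.
my $single   = { 'Called-Station-Id' => '0021.1be9.8770',
                 'Cisco-AVPair'      => 'ssid=Public' };
my $multiple = { 'Cisco-AVPair' => [ 'service-type=Framed',
                                      'ssid=PacketFence-Secure' ] };
my $missing  = { 'Called-Station-Id' => '0021.1be9.8770' };

my $ssid = eval { extract_ssid_naive($single) };
print "naive: ", ($@ ? "died: $@" : "ssid=$ssid\n");

for my $req ($single, $multiple, $missing) {
    my $s = extract_ssid($req);
    print "fixed: ", (defined $s ? "ssid=$s"
                                 : "no SSID (check 'radius-server vsa send authentication' on the AP)"), "\n";
}

# The first patch in the thread logged $ciscoAVPair in the else branch, but
# that lexical exists only inside the foreach. Under "use strict" that is a
# compile-time error, which is what pf::SwitchFactory reported as "the perl
# module has compilation errors". Compiling the same shape of code in a
# string eval reproduces the message.
my $compiled = eval q{
    use strict;
    sub scope_bug {
        my ($v) = @_;
        if (ref($v) eq 'ARRAY') {
            foreach my $ciscoAVPair (@{$v}) { }
        } else {
            return $ciscoAVPair;   # declared only inside the foreach above
        }
    }
    1;
};
print "scope check: ", ($compiled ? "compiled\n" : "compile error: $@");
```

Run it with `perl`: the `naive:` line reproduces the error from the first message, the `scope check:` line the compile error from the second. On a PacketFence box the equivalent check before restarting httpd.webservices is `perl -I/usr/local/pf/lib -c` on the edited module, which reports the same "Global symbol ... requires explicit package name" instead of leaving every RADIUS request to fail with "Can't instantiate switch".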

[PacketFence-users] Captive portal webpage is working. But not the self registration page

2014-06-22 Thread Matteo Pidalà
Hello everybody,
finally I solved some problems with the NAC configuration between the Cisco
3560 and PacketFence, and right now I'm able to switch normally between the
registration VLAN and the normal VLAN.

Anyway, after the user "self" registration, I'm able to browse the
Internet (correctly) for 10 minutes.
Then, I look for my mail and follow the link correctly sent by PacketFence,
but now the problem and doubt appear:

- Could not open the confirmation link page:
  I was thinking DNS error... but I tried to configure the resolution
statically in the hosts file and nothing is working all the same.
  But in any case... the normal VLAN is a VLAN routed from my core
switch (nothing to do with PacketFence), but then, which DNS should I
configure here? I tried with the management IP address, the normal VLAN IP
address and the registration IP address but nothing is working.

For now I stop here. No warning or error messages appear in
"packetfence.log", I don't know if I have to look somewhere else.
If you need some other configuration, let me know!

Many regards in advance to all!

Matteo
--
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems


Re: [PacketFence-users] Packet Fence with cisco 3560 switch... Headache experience

2014-06-10 Thread Matteo Pidalà
Hi Durand,
thanks for the prompt answer.
I will try this evening when I reach my lab.

Anyway, first things first: why should I switch the port to access VLAN
100 in the beginning? Isn't it SNMP that will write "vlan 100"
after the user registration from PacketFence?

Regards

Matteo


2014-06-10 2:52 GMT+02:00 Durand fabrice :

>  Hi Matteo,
>
> comments below
>
> On 2014-06-09 18:15, Matteo Pidalà wrote:
>
> Hello everybody,
> this is my first message about the PacketFence world.
>
>  I will involve the experts or the members of the list, in order to help me
> get rid of this headache about the configuration that has affected me for
> several weeks!
> Before involving you, I tried a lot of configurations... nope...
> So, I will explain every point of my project, trying to keep all the details
> short:
>
>  ---DESIGN:
> "normal lab..." PacketFence + Cisco 3560
> VLAN 100 guest (normal)
> VLAN 110 registration
> VLAN 120 isolation
>
>  ---Port configuration on 3560---:
>  interface FastEthernet0/23
>  description GUEST-REGISTRATION
>  switchport mode access
>  no snmp trap link-status
>  dot1x mac-auth-bypass
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x timeout tx-period 5
>  dot1x reauthentication
>  spanning-tree portfast
>  FIRST NOTE: the group of "authentication" commands does not exist on the 3560!!
>
>   It depends on the IOS:
> http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/command/reference/3560cr/cli1.html
>
>  Switch.conf
>  [10.0.1.4]
> mode=production
> cliUser=cisco
> #vlans=100,110,120
> defaultVlan=100
> #normalVlan=100
> deauthMethod=RADIUS
> description=core
> type=Cisco::Catalyst_3560
> cliPwd=cisco
> VoIPEnabled=N
> cliEnablePwd=cisco
> uplink=1,2,3,4,5,6,7,8,9,10
> radiusSecret=firstconf
> defaultRole=default
> guestVlan=100
> gamingRole=guest
> guestRole=guest
> gamingVlan=100
> wsPwd=cisco
> wsUser=cisco
> SNMPVersion=2c
> SNMPEngineID=AA5ED139B81D4A328D18ACD1
> SNMPUserNameRead=readUser
> SNMPUserNameWrite=writeUser
> SNMPVersionTrap=2c
>
>  ---HOW IT WORKS AND HOW IT DOESN'T WORK---
> 1) Guest PC successfully redirected to the PacketFence portal to make the
> self-registration.
> 2) In our example he chooses self-registration by e-mail address.
> 3) PacketFence with RADIUS and dot1x correctly sets the registration VLAN.
> 4) Now... the problem.
> After the registration, the user should be switched to the normal VLAN (100),
> in order to browse and
> activate the user following his mail.
> BUT... the switch to access VLAN 100... NEVER HAPPENS.
>
>   There is no "switch mode access vlan 100"; check logs/radius.log to
> see what has been returned by PacketFence for your MAC address, or use radiusd
> -d /usr/local/pf/raddb/ -X .
>
>
>  --HERE BELOW SOME LOGS AND DEBUG--
>
>  ---Dot1x debug on switch---
> 00:43:07: dot1x-ev:RADIUS provided VLAN name 110 to interface FastEthernet0/21
> 00:43:07: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 110 on interface FastEthernet0/21
> 00:43:07: dot1x-ev:Successfully assigned VLAN 110 to interface FastEthernet0/21
> 00:43:07: dot1x-sm:Posting AUTHC_SUCCESS on Client=3246578
> 00:43:07: dot1x_auth Fa0: during state auth_authc_result, got event 22(authcSuccess)
> 00:43:07: @@@ dot1x_auth Fa0: auth_authc_result -> auth_authz_success
> 00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authz_success_enter called
> *00:43:07: dot1x-ev:dot1x_switch_addr_add: Added MAC 0016.d49e.51b5 to vlan 110 on interface FastEthernet0/21*
> 00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/21
> 00:43:07: dot1x-registry:** dot1x_switch_vp_statechange:
> 00:43:07: dot1x-ev:vlan 110 vp is added on the interface FastEthernet0/21
> 00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/21
> 00:43:07: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface FastEthernet0/21
> 00:43:07: dot1x-ev:Received successful Authz complete for 0016.d49e.51b5
> 00:43:07: dot1x-sm:Posting AUTHZ_SUCCESS on Client=3246578
> 00:43:07: dot1x_auth Fa0: during state auth_authz_success, got event 25(authzSuccess)
> 00:43:07: @@@ dot1x_auth Fa0: auth_authz_success -> auth_authenticated
> 00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authenticated_enter called
> 00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:dot1x_auth_start_reauth_timer called
> 00:43:07: dot1x-ev:Start REAUTHENTICATION tim

[PacketFence-users] Packet Fence with cisco 3560 switch... Headache experience

2014-06-09 Thread Matteo Pidalà
Hello everybody,
this is my first message about the PacketFence world.

I will involve the experts or the members of the list, in order to help me
get rid of this headache about the configuration that has affected me for
several weeks!
Before involving you, I tried a lot of configurations... nope...
So, I will explain every point of my project, trying to keep all the details
short:

---DESIGN:
"normal lab..." PacketFence + Cisco 3560
VLAN 100 guest (normal)
VLAN 110 registration
VLAN 120 isolation

---Port configuration on 3560---:
interface FastEthernet0/23
 description GUEST-REGISTRATION
 switchport mode access
 no snmp trap link-status
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 5
 dot1x reauthentication
 spanning-tree portfast
FIRST NOTE: the group of "authentication" commands does not exist on the 3560!!

Switch.conf
[10.0.1.4]
mode=production
cliUser=cisco
#vlans=100,110,120
defaultVlan=100
#normalVlan=100
deauthMethod=RADIUS
description=core
type=Cisco::Catalyst_3560
cliPwd=cisco
VoIPEnabled=N
cliEnablePwd=cisco
uplink=1,2,3,4,5,6,7,8,9,10
radiusSecret=firstconf
defaultRole=default
guestVlan=100
gamingRole=guest
guestRole=guest
gamingVlan=100
wsPwd=cisco
wsUser=cisco
SNMPVersion=2c
SNMPEngineID=AA5ED139B81D4A328D18ACD1
SNMPUserNameRead=readUser
SNMPUserNameWrite=writeUser
SNMPVersionTrap=2c

---HOW IT WORKS AND HOW IT DOESN'T WORK---
1) Guest PC successfully redirected to the PacketFence portal to make the
self-registration.
2) In our example he chooses self-registration by e-mail address.
3) PacketFence with RADIUS and dot1x correctly sets the registration VLAN.
4) Now... the problem.
After the registration, the user should be switched to the normal VLAN (100), in
order to browse and
activate the user following his mail.
BUT... the switch to access VLAN 100... NEVER HAPPENS.

--HERE BELOW SOME LOGS AND DEBUG--

---Dot1x debug on switch---
00:43:07: dot1x-ev:RADIUS provided VLAN name 110 to interface FastEthernet0/21
00:43:07: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 110 on interface FastEthernet0/21
00:43:07: dot1x-ev:Successfully assigned VLAN 110 to interface FastEthernet0/21
00:43:07: dot1x-sm:Posting AUTHC_SUCCESS on Client=3246578
00:43:07: dot1x_auth Fa0: during state auth_authc_result, got event 22(authcSuccess)
00:43:07: @@@ dot1x_auth Fa0: auth_authc_result -> auth_authz_success
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authz_success_enter called
*00:43:07: dot1x-ev:dot1x_switch_addr_add: Added MAC 0016.d49e.51b5 to vlan 110 on interface FastEthernet0/21*
00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/21
00:43:07: dot1x-registry:** dot1x_switch_vp_statechange:
00:43:07: dot1x-ev:vlan 110 vp is added on the interface FastEthernet0/21
00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/21
00:43:07: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface FastEthernet0/21
00:43:07: dot1x-ev:Received successful Authz complete for 0016.d49e.51b5
00:43:07: dot1x-sm:Posting AUTHZ_SUCCESS on Client=3246578
00:43:07: dot1x_auth Fa0: during state auth_authz_success, got event 25(authzSuccess)
00:43:07: @@@ dot1x_auth Fa0: auth_authz_success -> auth_authenticated
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authenticated_enter called
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:dot1x_auth_start_reauth_timer called
00:43:07: dot1x-ev:Start REAUTHENTICATION timer
00:43:07: dot1x-ev:Using locally configured value of 3600 for reauthentication timer
00:43:07: dot1x-ev:Nothing to send to the client 0016.d49e.51b5

Packetfence.log
Jun 10 03:02:20 pfcmd.pl(2785) INFO: generating /usr/local/pf/var/conf/snmptrapd.conf (pf::services::manager::snmptrapd::generateConfig)
Jun 10 03:02:20 pfcmd.pl(2785) INFO: Daemon snmptrapd took 0.161 seconds to start. (pf::services::manager::launchService)
Jun 10 03:02:22 pfsetvlan(2798) INFO: pfsetvlan starting and writing 2801 to /usr/local/pf/var/run/pfsetvlan.pid (pf::services::util::createpid)
Jun 10 03:02:22 pfsetvlan(2798) INFO: Process started (main::)
Jun 10 03:02:22 pfcmd.pl(2785) INFO: Daemon pfsetvlan took 1.905 seconds to start. (pf::services::manager::launchService)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: verifying process 2586 (pf::services::manager::removeStalePid)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: verifying process 2595 (pf::services::manager::removeStalePid)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfc

Re: [PacketFence-users] Port Security and 802.1X/MAB

2014-06-09 Thread Matteo Pidalà
Hi,
Maybe I'm not the correct person, because I've just opened a case for a
problem with the PacketFence configuration on a Cisco 3560 :-)

Anyway:
I saw that you specify the access VLAN for this port. This is not needed, I
think. dot1x will make this work for you.
Just configure the "Normal" VLAN in the PacketFence switch configuration, in
order to forward the correct information to the switch.
Try to do this...

Anyway, some other questions that may help me too:
1) I also have a Cisco 3560, but no possibility to run commands that
start with "authentication xxx"... How were you able to do this?
2) Why do you want MAB? Isn't dot1x + SNMP enough to send and
change the port configuration?
OK... in my case it is not working at all... I am able to see the portal...
make the self-registration... but the last and "dream" VLAN switch is not
working! :-S :-<

NOTE:
If our configurations are similar, what do you think about sharing the
information and configuration files between us?

Regards

Matteo


2014-06-09 22:03 GMT+02:00 Ali Tekeoglu :

> Hello PacketFence users,
>
> I am wondering if "Port-Security" and "802.1X/MAB" are supposed to be
> used together or if they are mutually exclusive?
>
> I use 802.1X/MAB and Port-Security on my Cisco 3560 switch.
> When a new client appears on the configured port, 802.1X fails as
> expected and the new client authenticates through MAB and gets
> assigned an IP address (from the Registration VLAN) by PacketFence.
>
> However, it cannot reach the Captive Portal even though the
> httpd.portal is running and listening.
> I am guessing Port-Security on the switch is blocking my client from
> reaching the server.
>
>
> Here is the configuration of the port that a client plugs into:
>
> !
> interface FastEthernet0/33
>  switchport access vlan 4
>  switchport mode access
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0033 vlan access
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 7200
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
> !
>
>
> Thank you so much in advance for your help and suggestions...
>
>
> --ali
>
>
> --
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>