Re: [PacketFence-users] PacketFence, Meraki and CoA

2017-10-31 Thread Fabrice Durand via PacketFence-users
Hello Gonzague,

Can I see your switches.conf, because it looks like the switch module
is not instantiated.

Regards

Fabrice



On 2017-10-31 at 05:04, Gonzague Dambricourt wrote:
> Hey Fabrice thanks for the very quick reply :-)
>
> I have replaced the file (and rebooted Packetfence though I dunno if
> it was needed)
>
> For now I still get this :
> Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] Instantiate profile
> default (pf::Connection::ProfileFactory::_from_profile)
> Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] User default has
> authenticated on the portal. (Class::MOP::Class:::after)
> Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] Reevaluating access
> of device.
> (captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
> Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] re-evaluating access
> (manage_register called) (pf::enforcement::reevaluate_access)
> Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] VLAN reassignment is
> forced. (pf::enforcement::_should_we_reassign_vlan)
> Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] switch port is
> (00:18:0a:b3:fd:4f) ifIndex 1 connection type: Wired MAC Auth
> (pf::enforcement::_vlan_reevaluation)
> Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(4645) INFO: [mac:00:e1:4c:68:51:0c] Instantiate profile
> default (pf::Connection::ProfileFactory::_from_profile)
> *Oct 31 09:54:05 PacketFence-ZEN pfqueue: pfqueue(5134) WARN:
> [mac:00:e1:4c:68:51:0c] Until CoA is implemented we will bounce the
> port on VLAN re-assignment traps for MAC-Auth
> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)*
> Oct 31 09:54:09 PacketFence-ZEN pfqueue: pfqueue(5134) ERROR:
> [mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
> 192.168.10.128 : No response from remote host
> "192.168.10.128" (pf::Switch::connectWriteTo)
> Oct 31 09:54:17 PacketFence-ZEN pfqueue: pfqueue(5134) ERROR:
> [mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
> 192.168.10.128 : No response from remote host
> "192.168.10.128" (pf::Switch::connectWriteTo)
> Oct 31 09:55:41 PacketFence-ZEN pfqueue: pfqueue(5143) WARN:
> [mac:00:e1:4c:68:51:0c] Until CoA is implemented we will bounce the
> port on VLAN re-assignment traps for MAC-Auth
> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
> Oct 31 09:55:45 PacketFence-ZEN pfqueue: pfqueue(5143) ERROR:
> [mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
> 192.168.10.128 : No response from remote host
> "192.168.10.128" (pf::Switch::connectWriteTo)
> Oct 31 09:55:53 PacketFence-ZEN pfqueue: pfqueue(5143) ERROR:
> [mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
> 192.168.10.128 : No response from remote host
> "192.168.10.128" (pf::Switch::connectWriteTo)
> Oct 31 09:56:08 PacketFence-ZEN pfqueue: pfqueue(5030) WARN:
> [mac:00:1c:2e:01:70:00] Use of uninitialized value in concatenation
> (.) or string at /usr/local/pf/lib/fingerbank/SourceMatcher.pm line 49.
>  (fingerbank::SourceMatcher::match_best)
>
> So it doesn't work yet or I did something wrong :-) 
> My switch settings are as follows :
>
> I added it with its MAC address , type MS220_8 / production mode /
> Deauth Method : RADIUS / CoA is ticked , I don't know if there is
> anything else I should set ?
>
> For 802.1X I did not bind Packetfence to an AD, I thought it could use
> the local user database ? 
>
> thanks
>
> On Mon, Oct 30, 2017 at 7:40 PM, Fabrice Durand via PacketFence-users
> wrote:
>
> Hello Gonzague,
>
> It will not really be complicated to add the CoA support for Meraki
> switches in PacketFence.
>
> Can you try the attached switch module and let me know.
>
> Also for the 802.1x issue, did you join the server to your AD?
>
> Did you create a realm associated with your domain?
>
> Regards
>
> Fabrice
>
>
>
> On 2017-10-30 at 14:04, Gonzague Dambricourt via PacketFence-users
> wrote:
>> Hi guys 
>>
>> I have installed the latest version of PacketFence (ZEN) on my
>> network to try integration with Cisco Meraki devices. I have both
>> MR access points and a MS220 8 port switch
>>
>> I found the Meraki::MS220_8 switch type for my switch .. but I
>> think it might be a package that was developed back when Meraki
>> didn't support CoA - Change of Authorization which is now
>> possible both on switches and access points
>> ( 
>> https://documentation.meraki.com/MS/Access_Control/Change_of_Authori

Re: [PacketFence-users] PacketFence, Meraki and CoA

2017-10-31 Thread Gonzague Dambricourt via PacketFence-users
Hey Fabrice thanks for the very quick reply :-)

I have replaced the file (and rebooted Packetfence though I dunno if it was
needed)

For now I still get this :
Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] Instantiate profile
default (pf::Connection::ProfileFactory::_from_profile)
Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] Reevaluating access of
device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(4695) INFO: [mac:00:e1:4c:68:51:0c] switch port is
(00:18:0a:b3:fd:4f) ifIndex 1 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
Oct 31 09:54:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(4645) INFO: [mac:00:e1:4c:68:51:0c] Instantiate profile
default (pf::Connection::ProfileFactory::_from_profile)
*Oct 31 09:54:05 PacketFence-ZEN pfqueue: pfqueue(5134) WARN:
[mac:00:e1:4c:68:51:0c] Until CoA is implemented we will bounce the port on
VLAN re-assignment traps for MAC-Auth
(pf::Switch::handleReAssignVlanTrapForWiredMacAuth)*
Oct 31 09:54:09 PacketFence-ZEN pfqueue: pfqueue(5134) ERROR:
[mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
192.168.10.128: No response from remote host "192.168.10.128"
(pf::Switch::connectWriteTo)
Oct 31 09:54:17 PacketFence-ZEN pfqueue: pfqueue(5134) ERROR:
[mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
192.168.10.128: No response from remote host "192.168.10.128"
(pf::Switch::connectWriteTo)
Oct 31 09:55:41 PacketFence-ZEN pfqueue: pfqueue(5143) WARN:
[mac:00:e1:4c:68:51:0c] Until CoA is implemented we will bounce the port on
VLAN re-assignment traps for MAC-Auth
(pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
Oct 31 09:55:45 PacketFence-ZEN pfqueue: pfqueue(5143) ERROR:
[mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
192.168.10.128: No response from remote host "192.168.10.128"
(pf::Switch::connectWriteTo)
Oct 31 09:55:53 PacketFence-ZEN pfqueue: pfqueue(5143) ERROR:
[mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
192.168.10.128: No response from remote host "192.168.10.128"
(pf::Switch::connectWriteTo)
Oct 31 09:56:08 PacketFence-ZEN pfqueue: pfqueue(5030) WARN:
[mac:00:1c:2e:01:70:00] Use of uninitialized value in concatenation (.) or
string at /usr/local/pf/lib/fingerbank/SourceMatcher.pm line 49.
 (fingerbank::SourceMatcher::match_best)

So it doesn't work yet or I did something wrong :-)
My switch settings are as follows :

I added it with its MAC address , type MS220_8 / production mode / Deauth
Method : RADIUS / CoA is ticked , I don't know if there is anything else I
should set ?

For 802.1X I did not bind Packetfence to an AD, I thought it could use the
local user database ?

thanks

On Mon, Oct 30, 2017 at 7:40 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Gonzague,
>
> It will not really be complicated to add the CoA support for Meraki switches
> in PacketFence.
>
> Can you try the attached switch module and let me know.
>
> Also for the 802.1x issue, did you join the server to your AD?
>
> Did you create a realm associated with your domain?
>
> Regards
>
> Fabrice
>
>
>
> On 2017-10-30 at 14:04, Gonzague Dambricourt via PacketFence-users wrote:
>
> Hi guys
>
> I have installed the latest version of PacketFence (ZEN) on my network to
> try integration with Cisco Meraki devices. I have both MR access points and
> a MS220 8 port switch
>
> I found the Meraki::MS220_8 switch type for my switch .. but I think it
> might be a package that was developed back when Meraki didn't support CoA -
> Change of Authorization which is now possible both on switches and access
> points ( https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_Switches )
>
> So the result for now when I use wired auth on my switch is as follows :
>
> Oct 30 18:50:03 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3003) INFO: [mac:00:e1:4c:68:51:0c] VLAN reassignment is
> forced. (pf::enforcement::_should_we_reassign_vlan)
> Oct 30 18:50:03 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3003) INFO: [mac:00:e1:4c:68:51:0c] switch port is
> (00:18:0a:b3:fd:4f) ifIndex 1 connection type: Wired MAC Auth
> (pf::enforcement::_v

Re: [PacketFence-users] PacketFence, Meraki and CoA

2017-10-30 Thread Fabrice Durand via PacketFence-users
Hello Gonzague,

It will not really be complicated to add the CoA support for Meraki switches
in PacketFence.

Can you try the attached switch module and let me know.

Also for the 802.1x issue, did you join the server to your AD?

Did you create a realm associated with your domain?

Regards

Fabrice



On 2017-10-30 at 14:04, Gonzague Dambricourt via PacketFence-users wrote:
> Hi guys 
>
> I have installed the latest version of PacketFence (ZEN) on my network
> to try integration with Cisco Meraki devices. I have both MR access
> points and a MS220 8 port switch
>
> I found the Meraki::MS220_8 switch type for my switch .. but I think
> it might be a package that was developed back when Meraki didn't
> support CoA - Change of Authorization which is now possible both on
> switches and access points
> ( https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_Switches )
>
> So the result for now when I use wired auth on my switch is as follows :
>
> Oct 30 18:50:03 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3003) INFO: [mac:00:e1:4c:68:51:0c] VLAN reassignment is
> forced. (pf::enforcement::_should_we_reassign_vlan)
> Oct 30 18:50:03 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3003) INFO: [mac:00:e1:4c:68:51:0c] switch port is
> (00:18:0a:b3:fd:4f) ifIndex 1 connection type: Wired MAC Auth
> (pf::enforcement::_vlan_reevaluation)
> *Oct 30 18:50:04 PacketFence-ZEN pfqueue: pfqueue(3269) WARN:
> [mac:00:e1:4c:68:51:0c] Until CoA is implemented we will bounce the
> port on VLAN re-assignment traps for MAC-Auth
> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)*
> Oct 30 18:50:08 PacketFence-ZEN pfqueue: pfqueue(3269) ERROR:
> [mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection
> to 192.168.10.128 : No response from remote
> host "192.168.10.128" (pf::Switch::connectWriteTo)
>
> Is it difficult to fix the MS228_8.pm file so that it could use CoA ?
>
> I tried adding /use pf::util::radius qw(perform_coa); /to the file
> with the cute little hope it would do the trick but it doesn't seem to
> be enough.
>
> *Also unrelated but :*
> - With my ZEN config I can't use 802.1X ..  But I don't really get why, I
> get the following error :
> Module-Failure-Message = "mschap: Program returned code (1) and output
> 'Reading winbind reply failed! (0xc001)'"
> Module-Failure-Message = "mschap: External script says: Reading
> winbind reply failed! (0xc001)"
> Module-Failure-Message = "mschap: MS-CHAP2-Response is incorrect"
> User-Password = "**"
> Module-Failure-Message = "Failed retrieving values required to
> evaluate condition"
> - It would be awesome to have some sort of view of the switches
> status, like a "last heartbeat" or a way to see quickly the log events
> related to one of them
>
> Thanks a lot :-)
>
> Gonzague 
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



MS220_8.pm
Description: Perl program


[PacketFence-users] PacketFence, Meraki and CoA

2017-10-30 Thread Gonzague Dambricourt via PacketFence-users
Hi guys

I have installed the latest version of PacketFence (ZEN) on my network to
try integration with Cisco Meraki devices. I have both MR access points and
a MS220 8 port switch

I found the Meraki::MS220_8 switch type for my switch .. but I think it
might be a package that was developed back when Meraki didn't support CoA -
Change of Authorization which is now possible both on switches and access
points ( https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_Switches )

So the result for now when I use wired auth on my switch is as follows :

Oct 30 18:50:03 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3003) INFO: [mac:00:e1:4c:68:51:0c] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Oct 30 18:50:03 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3003) INFO: [mac:00:e1:4c:68:51:0c] switch port is
(00:18:0a:b3:fd:4f) ifIndex 1 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
*Oct 30 18:50:04 PacketFence-ZEN pfqueue: pfqueue(3269) WARN:
[mac:00:e1:4c:68:51:0c] Until CoA is implemented we will bounce the port on
VLAN re-assignment traps for MAC-Auth
(pf::Switch::handleReAssignVlanTrapForWiredMacAuth)*
Oct 30 18:50:08 PacketFence-ZEN pfqueue: pfqueue(3269) ERROR:
[mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
192.168.10.128: No response from remote host "192.168.10.128"
(pf::Switch::connectWriteTo)

Is it difficult to fix the MS228_8.pm file so that it could use CoA ?

I tried adding *use pf::util::radius qw(perform_coa); *to the file with the
cute little hope it would do the trick but it doesn't seem to be enough.

*Also unrelated but :*
- With my ZEN config I can't use 802.1X ..  But I don't really get why, I get
the following error :
Module-Failure-Message = "mschap: Program returned code (1) and output
'Reading winbind reply failed! (0xc001)'"
Module-Failure-Message = "mschap: External script says: Reading winbind
reply failed! (0xc001)"
Module-Failure-Message = "mschap: MS-CHAP2-Response is incorrect"
User-Password = "**"
Module-Failure-Message = "Failed retrieving values required to evaluate
condition"
- It would be awesome to have some sort of view of the switches status,
like a "last heartbeat" or a way to see quickly the log events related to
one of them

Thanks a lot :-)

Gonzague
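
Added example, not part of the original thread and not PacketFence code: a small triage script for the log pattern quoted in this thread, where the switch module falls back to an SNMP port bounce ("Until CoA is implemented ...") and the SNMP write then fails, so the VLAN reassignment never reaches the switch. The function names and regular expressions are hypothetical; the sample is an excerpt of the thread's own log output, still hard-wrapped and quoted as the mail client left it.

```python
import re
from collections import Counter

# Excerpt of the log output quoted in the thread, still hard-wrapped by the mail client.
SAMPLE = """\
> *Oct 31 09:54:05 PacketFence-ZEN pfqueue: pfqueue(5134) WARN:
> [mac:00:e1:4c:68:51:0c] Until CoA is implemented we will bounce the
> port on VLAN re-assignment traps for MAC-Auth
> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)*
> Oct 31 09:54:09 PacketFence-ZEN pfqueue: pfqueue(5134) ERROR:
> [mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
> 192.168.10.128 : No response from remote host
> "192.168.10.128" (pf::Switch::connectWriteTo)
> Oct 31 09:54:17 PacketFence-ZEN pfqueue: pfqueue(5134) ERROR:
> [mac:00:e1:4c:68:51:0c] error creating SNMP v1 write connection to
> 192.168.10.128: No response from remote host "192.168.10.128"
> (pf::Switch::connectWriteTo)
"""

STAMP = re.compile(r"^\w{3} [ \d]\d [\d:]{8} ")
ENTRY = re.compile(r"^\w{3} [ \d]\d [\d:]{8} \S+ \S+: \S+\((?P<pid>\d+)\) "
                   r"(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)$")
SNMP_FAIL = re.compile(r"SNMP v\w+ write connection to\s+(\S+?)\s*:")

def unwrap(text):
    """Rejoin hard-wrapped entries, dropping '>' quoting and '*' emphasis."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip().strip("*").strip()
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)       # a syslog timestamp starts a new entry
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def failed_port_bounces(text):
    """Count SNMP write failures per (mac, switch) that follow the no-CoA fallback."""
    fallback, failures = set(), Counter()
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        key = (m["pid"], m["mac"])
        if m["level"] == "WARN" and "Until CoA is implemented" in m["msg"]:
            fallback.add(key)          # this worker chose port bounce over CoA
        elif m["level"] == "ERROR" and key in fallback and SNMP_FAIL.search(m["msg"]):
            failures[(m["mac"], SNMP_FAIL.search(m["msg"]).group(1))] += 1
    return dict(failures)

if __name__ == "__main__":
    print(failed_port_bounces(SAMPLE))
```

A non-empty result means endpoints are staying on their previous VLAN after PacketFence has decided to move them.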