[PacketFence-users] Eduroam - Configuration - Regarding

2023-11-09 Thread Thirunavukkarasu Palanisamy via PacketFence-users
Hi Team,

Greetings of the day

In the documentation the following information are provided for the eduroam
configuration
Installation Guide (packetfence.org)


---

"13.3.1. Local authentication / Internal Eduroam authentication: The controller
sends the RADIUS authentication to PacketFence on port 11812."
a. My question is, is the port number correct?
In that case we need to configure the "PF as authentication server" in WLC
with port number 11812.

"13.3.2. Configure the Eduroam source: Associate the Radius sources you
previously configured in 'Eduroam RADIUS AUTH' section, define the radius
listening port and keep the type to Keyed Balance."
By default 11812 is defined as the port in the configuration page.
b. Is changing the port required or can we leave it as 11812?
-
"13.3.3. Create the connection profile to authenticate external students

Create a connection profile named External Eduroam authentication. Check
Automatically register devices then create a Realm filter eduroam. Make
sure to add the previously created Eduroam source to match on the external
users."
c. Can we configure the following?
Filters: all
SSID -- eduroam
Realm -- eduroam
-
d. Will the requests coming from FLR be listened for only on the Management IP
(RADIUS) of the PF or by the additional interface with the RADIUS option? Or
will both listen?

Thanks & Regards,
Thirunavukkarasu

-- 
TANUVAS
The contents of this message are confidential and are not to be
shared with outside parties without prior permission.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Eduroam port 11812 not working

2023-01-25 Thread Zammit, Ludovic via PacketFence-users
Hello Anne,

When you are connecting from another University / Eduroam SSID, the incoming 
connection would come from the Eduroam servers, so you will need a 
public IP address that sends the radius authentication to your PF on port 
1812 and not 11812.

Local SSID radius -> 11812
Eduroam online servers -> Public IP:1812 -> PacketFence management:1812

Create a connection profile with a realm eduroam.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/>  
<http://blogs.akamai.com/>  <https://twitter.com/akamai>  
<http://www.facebook.com/AkamaiTechnologies>  
<http://www.linkedin.com/company/akamai-technologies>  
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Jan 25, 2023, at 8:10 AM, Anne Dijkstra wrote:
> 
> Hi Ludovic,
> 
> Thanks, that was the trick. I accidentally configured the internal eduroam 
> source instead of the exclusive source haha.
> 
> I have only 1 issue for now:
> The domain is ubboemmius.net, and is configured in 
> the realm default. This realm is added to the eduroam 'exclusive source'. 
> That means when I connect to eduroam as an AD user (local user), they use 
> the default realm. That is working for now.
> 
> But when I connect with an account from another organization to our 
> eduroam SSID, the logging has an error with reason 'chrooted_mschap: Program 
> returned code (1) and output 'The attempted logon is invalid. This is either 
> due to a bad username or authentication information. (0xc06d)'
> It looks like the Radius request does not proxy to eduroam.
> The name of the SSID is "UE-eduroam" because it's a test SSID and when I set 
> the name of the SSID to 'eduroam' everyone is connecting ;p
> 
> This is the log:
> 
> This is the eduroam connection profile:
> 
> And this is the exclusive authentication source:
> 
> So:
> 
> AD user on our eduroam: Works
> AD user @ another school: Works
> User from another school on our eduroam: Not working
> 
> 
> Any ideas? 
> 
> Kind regards,
> 
> 
> 
> Anne Dijkstra 
> 
>  
> Noorderpoort
> Dienst Facilities
> Postbus 169
> 9700 AD Groningen
> Muntinglaan 3
> 9727 JT Groningen
> 
> T +31 88 230 9204
> E ab.dijks...@noorderpoort.nl
> I www.noorderpoort.nl
> 
> From: Zammit, Ludovic
> Sent: Tuesday, 24 January 2023 18:06
> To: PacketFence-users
> CC: Tomasz Karczewski; Anne Dijkstra
> Subject: Re: [PacketFence-users] Eduroam port 11812 not working
> 
> Hello Anne,
> 
> Make sure you configured the Eduroam source in PF and attached it to a 
> connection profile.
> 
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eduroam
> 
> Don't forget to restart radiusd so all services would be there to listen 
> on 11812
> 
> /usr/local/pf/bin/pfcmd service radiusd restart
> 
> Thanks,
> 
> Ludovic Zammit
> Product Support Engineer Principal Lead
> 
> 
>> On Jan 24, 2023, at 7:08 AM, Anne Dijkstra via PacketFence-users wrote:
>> 
>> Hi Tomasz,
>> 
>> Thank you for your reply.
>> Now the eduroam ext source is configured with port 11812 and

Re: [PacketFence-users] Eduroam port 11812 not working

2023-01-24 Thread Zammit, Ludovic via PacketFence-users
Hello Anne,

Make sure you configured the Eduroam source in PF and attached it to a 
connection profile.

https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eduroam

Don't forget to restart radiusd so all services would be there to listen on 
11812

/usr/local/pf/bin/pfcmd service radiusd restart

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead


> On Jan 24, 2023, at 7:08 AM, Anne Dijkstra via PacketFence-users wrote:
> 
> Hi Tomasz,
> 
> Thank you for your reply.
> Now the eduroam ext source is configured with port 11812 and I set port 11812 
> in our WiFi controller.
> But as I mentioned in my previous e-mail, when I make an authentication 
> request from the WiFi controller to Packetfence on port 11812, it does 
> nothing. The WiFi controller has error "Connection time out". 
> When I start TCPdump on the Packetfence server I only see incoming packets 
> from the WiFi controller, but no reply.
> So it looks like Packetfence does not reply on port 11812.
> 
> Thank you!
> 
> Kind regards,
> 
> 
> Anne Dijkstra 
> 
> From: puz...@man.olsztyn.pl on behalf of Tomasz Karczewski
> Sent: Tuesday, 24 January 2023 08:55
> To: packetfence-users@lists.sourceforge.net
> CC: Anne Dijkstra
> Subject: RE: [*Suspicious Email*] [PacketFence-users] Eduroam port 11812 
> not working
> 
> 1812 is for external eduroam servers.
> 11812 is for network devices (NAS).
>  
> Tomasz Karczewski
> Network Administrator
> 
> tkarczew...@man.olsztyn.pl
> http://www.man.olsztyn.pl  http://www.uwm.edu.pl
> tel. (89) 523 45 55  fax. (89) 523 43 47
> 
> Centre for Operation and Management of the OLMAN Metropolitan Computer
> Network in Olsztyn
> University of Warmia and Mazury in Olsztyn
> 
> From: Anne Dijkstra via PacketFence-users
> Sent: Saturday, January 21, 2023 5:54 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Anne Dijkstra
> Subject: [*Suspicious Email*] [PacketFence-users] Eduroam port 11812 not 
> working
>  
> Good evening everyone,
>  
> We are replacing our Microsoft NPS Servers with Packetfence. All is working 
> :) but we are running into a problem with eduroam.
> I followed the manual exactly. So I created an internal source (the eduroam 
> servers), an external source and connection profiles.
> If I understand correctly, I must use port 11812 for the eduroam external 
> source and add the Packetfence radius server IP with port 11812 to the WiFi 
> controller.
> But when I make an authentication request from the WiFi controller to 
> Packetfence on port 11812, it does nothing. The WiFi controller has the error 
> "Connection time out". 
> When I start TCPdump on the Packetfence server I only see incoming packets 
> from the WiFi controller, but no reply.
> Moreover, the incoming eduroam packets from the world to our environment are 
> working (so an employee or student at an eduroam location that is not ours).
>  
> I hope you can help me!
> Thanks for your replies.
>  
>  
> Regards,
> 
> Anne Dijkstra 
> 
>  
> Noorderpoort accepts no liability for the content of this e-mail, and no 
> rights can be derived from it.





Re: [PacketFence-users] Eduroam port 11812 not working

2023-01-24 Thread Anne Dijkstra via PacketFence-users
Hi Tomasz,

Thank you for your reply.
Now the eduroam ext source is configured with port 11812 and I set port 11812 
in our WiFi controller.
But as I mentioned in my previous e-mail, when I make an authentication request 
from the WiFi controller to Packetfence on port 11812, it does nothing. The 
WiFi controller has error "Connection time out".

When I start TCPdump on the Packetfence server I only see incoming packets from 
the WiFi controller, but no reply.

So it looks like Packetfence does not reply on port 11812.


Thank you!

Kind regards,


Anne Dijkstra

From: puz...@man.olsztyn.pl on behalf of Tomasz Karczewski
Sent: Tuesday, 24 January 2023 08:55
To: packetfence-users@lists.sourceforge.net
CC: Anne Dijkstra
Subject: RE: [*Suspicious Email*] [PacketFence-users] Eduroam port 11812 not 
working


1812 is for external eduroam servers.

11812 is for network devices (NAS).



Tomasz Karczewski
Network Administrator

tkarczew...@man.olsztyn.pl
http://www.man.olsztyn.pl  http://www.uwm.edu.pl
tel. (89) 523 45 55  fax. (89) 523 43 47

Centre for Operation and Management of the OLMAN Metropolitan Computer
Network in Olsztyn
University of Warmia and Mazury in Olsztyn



From: Anne Dijkstra via PacketFence-users
Sent: Saturday, January 21, 2023 5:54 PM
To: packetfence-users@lists.sourceforge.net
Cc: Anne Dijkstra
Subject: [*Suspicious Email*] [PacketFence-users] Eduroam port 11812 not working



Good evening everyone,



We are replacing our Microsoft NPS Servers with Packetfence. All is working :) 
but we are running into a problem with eduroam.

I followed the manual exactly. So I created an internal source (the eduroam 
servers), an external source and connection profiles.

If I understand correctly, I must use port 11812 for the eduroam external 
source and add the Packetfence radius server IP with port 11812 to the WiFi 
controller.

But when I make an authentication request from the WiFi controller to 
Packetfence on port 11812, it does nothing. The WiFi controller has the error 
"Connection time out".

When I start TCPdump on the Packetfence server I only see incoming packets from 
the WiFi controller, but no reply.

Moreover, the incoming eduroam packets from the world to our environment are 
working (so an employee or student at an eduroam location that is not ours).



I hope you can help me!
Thanks for your replies.

Regards,

Anne Dijkstra

Noorderpoort accepts no liability for the content of this e-mail, and no 
rights can be derived from it.


[PacketFence-users] Eduroam port 11812 not working

2023-01-21 Thread Anne Dijkstra via PacketFence-users
Good evening everyone,

We are replacing our Microsoft NPS Servers with Packetfence. All is working :) 
but we are running into a problem with eduroam.
I followed the manual exactly. So I created an internal source (the eduroam 
servers), an external source and connection profiles.
If I understand correctly, I must use port 11812 for the eduroam external 
source and add the Packetfence radius server IP with port 11812 to the WiFi 
controller.
But when I make an authentication request from the WiFi controller to 
Packetfence on port 11812, it does nothing. The WiFi controller has the error 
"Connection time out".
When I start TCPdump on the Packetfence server I only see incoming packets from 
the WiFi controller, but no reply.
Moreover, the incoming eduroam packets from the world to our environment are 
working (so an employee or student at an eduroam location that is not ours).

I hope you can help me!
Thanks for your replies.


Regards,
Anne Dijkstra

Noorderpoort accepts no liability for the content of this e-mail, and no 
rights can be derived from it.


Re: [PacketFence-users] Eduroam - without the AD and with LDAP - is possible or not in the NAC?

2022-12-01 Thread Nikunj Vacchani via PacketFence-users
Restart the winbind service.

Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490

From: P.Thirunavukkarasu via PacketFence-users
Sent: 28 November 2022 11:34 AM
To: packetfence-users
Cc: P.Thirunavukkarasu
Subject: [PacketFence-users] Eduroam - without the AD and with LDAP - is 
possible or not in the NAC?


Hi Team,
Greetings
Is an Eduroam configuration without AD possible in the NAC?

The authentication source is LDAP.

The following is the RADIUS log message noticed in the auditing:
Module-Failure-Message = "mschap: Reading winbind reply failed! (0xc001)"
Regards,
Thirunavukkarasu



[PacketFence-users] Eduroam - without the AD and with LDAP - is possible or not in the NAC?

2022-11-30 Thread P.Thirunavukkarasu via PacketFence-users
Hi Team,
Greetings
Is an Eduroam configuration without AD possible in the NAC?

The authentication source is LDAP.

The following is the RADIUS log message noticed in the auditing:
Module-Failure-Message = "mschap: Reading winbind reply failed! (0xc001)"
Regards,
Thirunavukkarasu


Re: [PacketFence-users] eduroam+packetfence with Google LDAP authentication

2022-10-18 Thread P.Thirunavukkarasu via PacketFence-users
My packetfence server version is 11.2 and I want to configure packetfence
as an eduroam server with Google Secure LDAP as a user database.

When I try to log in as an eduroam user, the reply is access reject.

The error is as follows:

Event Type: Radius-Access-Request
Reason: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'
Module-Failure-Message = "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'"
Module-Failure-Message = "mschap: Reading winbind reply failed! (0xc001)"

Any help would be appreciated.
Thank you

Thirunavukkarasu


[PacketFence-users] eduroam - local users - rejected in roaming

2022-10-18 Thread P.Thirunavukkarasu via PacketFence-users
Hi Team,
Our local users roaming in other Universities are rejected with the
following message:
Module-Failure-Message = "Attribute \"User-Password\" is required for authentication"
We are using the Google LDAPs as the user directory, but the
"User-Password" is the attribute of AD.
How do we make this work with Google LDAPs?
Regards
Thirunavukkarasu


[PacketFence-users] eduroam+packetfence with Google LDAP authentication

2022-10-12 Thread P.Thirunavukkarasu via PacketFence-users
My packetfence server version is 11.2 and I want to configure packetfence
as an eduroam server with Google Secure LDAP as a user database.

A few doubts about the configuration.
The first one is...
From my understanding, for eduroam, there is no need to create a separate
connection profile to authenticate internal students.
They can use the local connection profile and local authentication sources.
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eduroam

The next one is
When I try to log in with my device, I always get access reject.
The error is as follows:

Event Type: Radius-Access-Request
Reason: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'
Module-Failure-Message = "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'"
Module-Failure-Message = "mschap: Reading winbind reply failed! (0xc001)"
Please give me some advice.
Thank you
Thirunavukkarasu


[PacketFence-users] Eduroam - Port forwarding

2022-10-11 Thread P.Thirunavukkarasu via PacketFence-users
Hi Team,
Please clarify for me the eduroam port forwarding.

We configured two interfaces in the NAC:
One NIC for management
Another one is configured as "other" with the Radius option

My question is whether the port forwarding of 1812, 1813 should go to the
management IP or to the radius IP.

I forwarded the ports to the radius IP.
Ref:
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eduroam
"Eduroam sends the RADIUS authentication to a public IP address (NAT/PAT)
bound to PacketFence on the management IP address (Management VIP for a
cluster) on port 1812".

Regards
Thirunavukkarasu


[PacketFence-users] EDUROAM RADSEC

2022-06-24 Thread Marek Hrbáč via PacketFence-users
Hello,
I am trying to implement eduroam authentication in my network. But I have a
problem with communication with the main radius server (radius1.eduroam.cz)
through RADSEC. I see in the logs that radius1.eduroam is sending auth requests
to my radius but it is ignoring them:

Ignoring request to auth+acct proto tcp address 10.51.0.27 port 2083 (TLS)
bound to server packetfence from unknown client 195.113.187.22 port 56455
proto tcp
Jun 21 07:26:32 pfnc auth[60904]: Ignoring request to auth+acct proto tcp
address 10.51.0.27 port 2083 (TLS) bound to server packetfence from unknown
client 195.113.187.22 port 46445 proto tcp

I added the IP address to the switch clients. Can someone help me with this?

Thank you
Marek Hrbac


Re: [PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-21 Thread P.Thirunavukkarasu via PacketFence-users
Hi Fabrice,
Greetings of the day
Changed the configuration as follows: "Realm Filter eduroam"
[image: image.png]

FYKI, in our setup we are not using any AD DC. Our authentication sources
are Google LDAPs and MS AAD.
Hence I have not configured the Domain (not listed any domain) in the Default
and NULL Realms, and left it blank.
[image: image.png]
Thanks and Regards
Thirunavukkarasu


[PacketFence-users] eduroam - Reading winbind reply failed - Regarding

2022-03-21 Thread P.Thirunavukkarasu via PacketFence-users
Hi Team,
The eduroam users are not connected with the SSID eduroam through
packetfence.
The same users are connected through the standalone freeRADIUS server on
centos (VM).
The radius log in the NAC shows as follows:

Module-Failure-Message = "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc001)'"
Module-Failure-Message = "mschap: Reading winbind reply failed! (0xc001)"
How to resolve this?
With thanks
Thirunavukkarasu


Re: [PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-21 Thread P.Thirunavukkarasu via PacketFence-users
Thanks Fabrice...
[image: image.png]
There is such an option in the filter to select. Should I create a Realm
"eduroam" in the realms section?
Regards,
Thirunavukkarasu


Re: [PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-20 Thread Fabrice Durand via PacketFence-users
Just like that:

[image: image.png]

On Sun, 20 March 2022 at 07:39, P.Thirunavukkarasu wrote:

> Hi Fabrice,
> Thank you, and sorry for the question...
>
> Create the connection profile for outbound authentication
> "Create the Connection Profile named External Eduroam authentication.
> Check Automatically register devices then create a REALM filter Eduroam.
> Next, make sure to add the Eduroam source previously created"
>
> [image: image.png]
>
> Then how do I create the Realm filter Eduroam? I am not clear...
> Regards,
> Thirunavukkarasu
>


Re: [PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-20 Thread P.Thirunavukkarasu via PacketFence-users
Hi Fabrice,
Thank you, and sorry for the question...

Create the connection profile for outbound authentication
"Create the Connection Profile named External Eduroam authentication. Check
Automatically register devices then create a REALM filter Eduroam. Next,
make sure to add the Eduroam source previously created"

[image: image.png]

Then how do I create the Realm filter Eduroam? I am not clear...
Regards,
Thirunavukkarasu


Re: [PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-20 Thread P.Thirunavukkarasu via PacketFence-users
Hi Fabrice,
Thank you
"Create a connection profile named Local and external Eduroam
authentication. Check Automatically register devices then create a SSID
filter Eduroam. Make sure to add the Active Directory source to match on
the local users."
[image: image.png]
Then how do I create the SSID filter Eduroam? I am not clear...
Regards,
Thirunavukkarasu


Re: [PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-18 Thread Fabrice Durand via PacketFence-users
Hello Thirunavukkarasu,

The realm eduroam is defined in the freeradius unlang, so if the logic
detects that it's an outbound authentication then the realm eduroam will be
added to the request.
For the DEFAULT one you should use your domain.

Regards
Fabrice


On Fri, 18 March 2022 at 09:45, P.Thirunavukkarasu via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

> Hi Team,
> The corrected one for my previous email...
>
> Please help me in solving the problem stated below.
>
> From the installation guide
> 13.3.3. Create the connection profile for local authentication
> Go to Configuration → Policies and Access Control → Connection Profiles →
> New Connection Profile.
> Create a connection profile named Local and external Eduroam
> authentication. Check Automatically register devices then create a SSID
> filter Eduroam. Make sure to add the Active Directory source to match on
> the local users.
>
> 13.3.5. Create the connection profile for outbound authentication
> Go to Configuration → Policies and Access Control → Connection Profiles →
> New Connection Profile.
> Create the Connection Profile named External Eduroam authentication. Check
> Automatically register devices then create a REALM filter Eduroam.
> Next, make sure to add the Eduroam source previously created.
>
> My questions are:
>
>    1. Should I create a REALM named Eduroam for the Realm filter Eduroam?
>    2. Are any configurations required in the default realm?
>
> Ref:
> https://www.packetfence.org/support/faq/packetfence-and-eduroam.html
>
>     realm DEFAULT {
>         ignore_null = yes
>         type = radius
>         accthost = eduroam1.ns.utk.edu
>         authhost = eduroam1.ns.utk.edu
>         secret = SHARED-SECRET-UPSTREAM
>         nostrip
>     }
>
> Regards,
> Thirunavukkarasu


[PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-18 Thread P.Thirunavukkarasu via PacketFence-users
Hi Team,
Please help me in solving the problem stated below.

From the installation guide
13.3.3. Create the connection profile for local authentication
Go to Configuration → Policies and Access Control → Connection Profiles →
New Connection Profile.
Create a connection profile named Local and external Eduroam authentication.
Check Automatically register devices then create a SSID filter Eduroam.
Make sure to add the Active Directory source to match on the local users.

13.3.5. Create the connection profile for outbound authentication
Go to Configuration → Policies and Access Control → Connection Profiles →
New Connection Profile.
Create the Connection Profile named External Eduroam authentication. Check
Automatically register devices then create a REALM filter Eduroam. Next,
make sure to add the Eduroam source previously created.

My questions are:

   1. Should I create a REALM named Eduroam in the Realms for the SSID filter
   Eduroam?
   2. Are any configurations required in the default realm?
   3. If yes, how do I point the accthost and authhost to eduroam in the Default
   Realm?

Ref:
https://www.packetfence.org/support/faq/packetfence-and-eduroam.html

    realm DEFAULT {
        ignore_null = yes
        type = radius
        accthost = eduroam1.ns.utk.edu
        authhost = eduroam1.ns.utk.edu
        secret = SHARED-SECRET-UPSTREAM
        nostrip
    }

Regards,
Thirunavukkarasu


[PacketFence-users] Eduroam configuration - SSID filter and REALM Filter

2022-03-18 Thread P.Thirunavukkarasu via PacketFence-users
Hi Team,
The corrected one for my previous email...

Please help me in solving the problem stated below.

From the installation guide
13.3.3. Create the connection profile for local authentication
Go to Configuration → Policies and Access Control → Connection Profiles →
New Connection Profile.
Create a connection profile named Local and external Eduroam authentication.
Check Automatically register devices then create a SSID filter Eduroam.
Make sure to add the Active Directory source to match on the local users.

13.3.5. Create the connection profile for outbound authentication
Go to Configuration → Policies and Access Control → Connection Profiles →
New Connection Profile.
Create the Connection Profile named External Eduroam authentication. Check
Automatically register devices then create a REALM filter Eduroam. Next,
make sure to add the Eduroam source previously created.

My questions are:

   1. Should I create a REALM named Eduroam for the Realm filter Eduroam?
   2. Are any configurations required in the default realm?

Ref:
https://www.packetfence.org/support/faq/packetfence-and-eduroam.html

    realm DEFAULT {
        ignore_null = yes
        type = radius
        accthost = eduroam1.ns.utk.edu
        authhost = eduroam1.ns.utk.edu
        secret = SHARED-SECRET-UPSTREAM
        nostrip
    }

Regards,
Thirunavukkarasu


Re: [PacketFence-users] Eduroam as authentication source

2019-07-17 Thread DOMINEAUX Philippe via PacketFence-users
Thank you very much for the explanations.
It seems that these were the two pieces of information I was missing to 
complete the configuration.
So, with your help, I have successfully configured eduroam on my site.
Maybe you could add more details in the Installation Guide to help people like 
me who were facing issues with that specific but very popular use case.
By the way, long life to packetfence. It's such a great tool.

DOMINEAUX Philippe

-

Hello Philippe,

Eduroam will only work for 802.1X, not for CHAP/PAP.

So in order to make it work you need to have a secure SSID called eduroam and
use the port 11812 for the RADIUS server.

In the eduroam authentication source you also need to define your local realm 
(create your realm and associate it to your Domain) in order to keep the 
authentication local.

Regards

Fabrice



--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)


Re: [PacketFence-users] Eduroam as authentication source

2019-07-16 Thread Fabrice Durand via PacketFence-users

Hello Philippe,

Eduroam will only work for 802.1X, not for CHAP/PAP.

So in order to make it work you need to have a secure SSID called
eduroam and use the port 11812 for the RADIUS server.


In the eduroam authentication source you also need to define your local 
realm (create your realm and associate it to your Domain) in order to 
keep the authentication local.


Regards

Fabrice


On 19-07-16 at 05:32, DOMINEAUX Philippe via PacketFence-users wrote:


Hello,

I’ve just configured a fresh new installation of packetfence (9.0.1) 
and I’m trying to make it work with Eduroam.


Following the documentation I’ve created an exclusive source to 
declare Eduroam radius servers for my country


  * rad1.eduroam.fr ( 1812 )
  * rad2.eduroam.fr ( 1812 )
  * leave the Authentication listening port to default 11812

I’ve also followed the documentation (Getting Started chapter) to 
configure an Active Directory server.


The documentation made me configure the DEFAULT and the NULL Realm 
using the Active Directory as Domain.


And it works like a charm if I use mydomain credentials on the captive 
portal or/and using the dot1x authentication.


But nothing works for Eduroam.

I’ve tried to configure a Connection Profile to catch the foreign
eduroam authentication requests, but if I specify Eduroam as an
authentication source, the radius logs give me:


“No authentication source found for this username”.

Do you have any clue how to make it work?

Thanks.

__

DOMINEAUX Philippe





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

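Fabrice's answer above (keep the home realm local, let every other realm fall through to the eduroam proxy) and the later question in the "Eduroam local login" thread of whether the realm should strip the username before ntlm_auth both come down to how rlm_realm handles User-Name. The following Python is an added example, not PacketFence or FreeRADIUS code: realm names and the federation host are constructed, and the model reduces rlm_realm to its observable behaviour (split at the last "@", case-insensitive realm match, NULL for names without "@", DEFAULT as the fall-through, nostrip deciding which name goes onward).

```python
"""Model of FreeRADIUS realm handling as PacketFence relies on it for eduroam.

Added example, not PacketFence or FreeRADIUS code.  Realm names and the
federation host are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    name: str
    authhost: Optional[str] = None  # None means LOCAL: authenticate on this box
    nostrip: bool = False           # keep user@realm intact instead of stripping


# Constructed proxy.conf-style realm table, shaped like the FAQ setup in the
# thread: the home realm stays local so staff roaming onto eduroam at home are
# never proxied out, DEFAULT forwards every foreign realm to the federation.
REALMS: Dict[str, Realm] = {
    "example.edu": Realm("example.edu"),
    "NULL": Realm("NULL"),
    "DEFAULT": Realm("DEFAULT", authhost="flr.eduroam.example", nostrip=True),
}


@dataclass(frozen=True)
class Decision:
    realm: Optional[str]                  # Realm attribute; None means unset
    action: str                           # "local", "proxy" or "reject"
    auth_user_name: Optional[str] = None  # name handed to ntlm_auth / next hop
    proxy_to: Optional[str] = None        # RADIUS server when action == "proxy"


def split_nai(user_name: str) -> Tuple[str, Optional[str]]:
    """Split user@realm at the last '@' (suffix format); no '@' means no realm."""
    if "@" not in user_name:
        return user_name, None
    local, _, suffix = user_name.rpartition("@")
    return local, suffix


def lookup_realm(suffix: Optional[str], realms: Dict[str, Realm]) -> Optional[Realm]:
    """Explicit realm first (case-insensitive), then DEFAULT; NULL for no '@'."""
    if suffix is None:
        return realms.get("NULL")
    for name, realm in realms.items():
        if name not in ("NULL", "DEFAULT") and name.lower() == suffix.lower():
            return realm
    return realms.get("DEFAULT")


def route(user_name: str, realms: Dict[str, Realm] = REALMS) -> Decision:
    """Decide where one Access-Request goes and under which User-Name."""
    local, suffix = split_nai(user_name)
    realm = lookup_realm(suffix, realms)
    if realm is None:
        # Nothing matched and there is no DEFAULT: the Realm attribute stays
        # unset, the same "Realm is empty" state Fabrice points at when unlang
        # cannot evaluate `if (Realm == "eduroam")` later in this thread.
        return Decision(realm=None, action="reject")
    if suffix is not None and local == "":
        # Model's own check: "@realm" would hand an empty name to the backend.
        return Decision(realm=realm.name, action="reject")
    # Without nostrip, Stripped-User-Name carries the bare local part and that
    # is what ntlm_auth (or the proxied request) gets; nostrip keeps the NAI.
    effective = user_name if realm.nostrip else local
    if realm.authhost is None:
        return Decision(realm=realm.name, action="local", auth_user_name=effective)
    return Decision(realm=realm.name, action="proxy",
                    auth_user_name=effective, proxy_to=realm.authhost)
```

The last two assertions a reader would want to try are the thread's two failure modes: a home realm declared with nostrip hands "jdoe@example.edu" to ntlm_auth, and a realm table with no DEFAULT leaves a foreign user with no realm at all.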


Re: [PacketFence-users] Eduroam as authentication source

2019-07-16 Thread Martijn Langendoen via PacketFence-users
Hi,

I had the same problem until I realized that in our wifi controller I must add a
radius server which is PF and the port 11812.

After that it works!

From: DOMINEAUX Philippe via PacketFence-users 

Sent: dinsdag 16 juli 2019 11:33
To: packetfence-users@lists.sourceforge.net
Cc: DOMINEAUX Philippe 
Subject: [PacketFence-users] Eduroam as authentication source

Hello,

I’ve just configured a fresh new installation of packetfence (9.0.1) and I’m 
trying to make it work with Eduroam.
Following the documentation I’ve created an exclusive source to declare Eduroam 
radius servers for my country

  *   rad1.eduroam.fr ( 1812 )
  *   rad2.eduroam.fr ( 1812 )
  *   leave the Authentication listening port to default 11812

I’ve also followed the documentation (Getting Started chapter) to configure an 
Active Directory server.
The documentation made me configure the DEFAULT and the NULL Realm using the 
Active Directory as Domain.
And it works like a charm if I use mydomain credentials on the captive portal 
or/and using the dot1x authentication.

But nothing works for Eduroam.

I’ve tried to configure a Connection Profile to catch the foreign eduroam 
authentication requests, but if I specify Eduroam as an authentication source, 
the radius logs give me:
“No authentication source found for this username”.

Do you have any clue how to make it work?
Thanks.

__

DOMINEAUX Philippe



[PacketFence-users] Eduroam as authentication source

2019-07-16 Thread DOMINEAUX Philippe via PacketFence-users
Hello,

I’ve just configured a fresh new installation of packetfence (9.0.1) and I’m 
trying to make it work with Eduroam.
Following the documentation I’ve created an exclusive source to declare Eduroam 
radius servers for my country

  *   rad1.eduroam.fr ( 1812 )
  *   rad2.eduroam.fr ( 1812 )
  *   leave the Authentication listening port to default 11812

I’ve also followed the documentation (Getting Started chapter) to configure an 
Active Directory server.
The documentation made me configure the DEFAULT and the NULL Realm using the 
Active Directory as Domain.
And it works like a charm if I use mydomain credentials on the captive portal 
or/and using the dot1x authentication.

But nothing works for Eduroam.

I’ve tried to configure a Connection Profile to catch the foreign eduroam 
authentication requests, but if I specify Eduroam as an authentication source, 
the radius logs give me:
“No authentication source found for this username”.

Do you have any clue how to make it work?
Thanks.

__

DOMINEAUX Philippe




Re: [PacketFence-users] Eduroam and PF 9.0.1

2019-06-19 Thread Lupe Silva via PacketFence-users
I have worked something out.  In following the packetfence/eduroam guide I
had changed the accthost to the eduroam servers in the US.   I also had
those same servers in the Exclusive Source.  I was getting errors about
servers being defined already.   In looking at the proxy.conf.inc files, I
reverse engineered what I thought might work and it is working now.  So I
modified the DEFAULT realm options to the following:

 ignore_null = yes
 type = radius
 auth_pool = eduroam_auth_pool
 nostrip


Let me know if there will be any issues with this or if there is a
better solution.



Lupe Silva



On Tue, Jun 18, 2019 at 2:55 PM Lupe Silva  wrote:

> I am setting up Eduroam on PF 9.0.1 and I have created the Exclusive
> Source for Eduroam.   I configured my firewall and I am successful in
> getting Eduroam servers to validate our ID's.
>
> Now I am trying to make the "eduroam" SSID on our wireless.  I looked at
> https://packetfence.org/support/faq/packetfence-and-eduroam.html and I am
> not sure if that is still current for this new version of PF.  In looking
> at the config files and it seems like I need to create an "eduroam" realm
> in the PF GUI.  Am I on the right track?
>
> Is there anything else?
>
> Thanks again for a great product.
>
>
> Lupe Silva
>
>


Re: [PacketFence-users] Eduroam local login

2018-11-21 Thread Durand fabrice via PacketFence-users

Hello Will,

it looks to be a sort of warning:

Wed Nov 21 15:01:01 2018 : Debug: (14) if (Realm == "eduroam") {
Wed Nov 21 15:01:01 2018 : ERROR: (14) Failed retrieving values 
required to evaluate condition


So Realm is empty in this case.

I don't think it will cause an issue.

Regards

Fabrice


On 18-11-21 at 10:10, Will Halsall via PacketFence-users wrote:


Hi Fabrice,

I have included the logs for user 0...@farn-ct.ac.uk; this test user
had the same results.


Thanks


Re: [PacketFence-users] Eduroam local login

2018-11-21 Thread Fabrice Durand via PacketFence-users

Hello Will,

It's not enough, I need to see the raddebug for this user.

Regards

Fabrice


On 18-11-21 at 07:05, Will Halsall via PacketFence-users wrote:


Hi Fabrice,

The patch worked fine and users can now authenticate with their 
userPrincipalName. The only thing to note is that there is one error 
in the radius Auth log entry as follows:


Module-Failure-Message = "Failed retrieving values required to 
evaluate condition"


SQL-User-Name = 20217...@farn-ct.ac.uk <mailto:20217...@farn-ct.ac.uk>

Also  the node status in the audit log is N/A as follows:

40:33:1a:47:ab:1e N/A   0     20217...@farn-ct.ac.uk 
  2018-11-21 11:42:14 172.16.36.30 
    Wireles


Thanks for your help

WillH


Re: [PacketFence-users] Eduroam local login

2018-11-21 Thread Will Halsall via PacketFence-users
Hi Fabrice,

The patch worked fine and users can now authenticate with their 
userPrincipalName. The only thing to note is that there is one error in the 
radius Auth log entry as follows:

Module-Failure-Message = "Failed retrieving values required to evaluate 
condition"
SQL-User-Name = 20217...@farn-ct.ac.uk<mailto:20217...@farn-ct.ac.uk>

Also  the node status in the audit log is N/A as follows:

40:33:1a:47:ab:1e N/A   0 20217...@farn-ct.ac.uk
   2018-11-21 11:42:14  172.16.36.30 Wireles

Thanks for your help


WillH

From: Durand fabrice via PacketFence-users 

Sent: 20 November 2018 04:35
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Eduroam local login


Hello Will,

yes but it's not yet available in packetfence 8.2.

If you want to test you can use the following PR 
https://github.com/inverse-inc/packetfence/pull/3429 :

cd /usr/local/pf

curl 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3429.diff
 | patch -p1 --dry-run

If no error:

curl 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3429.diff
 | patch -p1

cp conf/radiusd/ldap_packetfence.conf.example conf/radiusd/ldap_packetfence.conf

cp conf/radiusd/packetfence-tunnel.example conf/radiusd/packetfence-tunnel

bin/pfcmd pfconfig clear_backend

bin/pfcmd configreload hard

bin/pfcmd service pf restart

After that, check in the admin gui in the realm configuration and select the 
ldap source to use to resolve the samaccountname attribute, then edit the ldap 
authentication source to select the username attribute to resolve the 
samaccountname (userPrincipalName)

So the logic will be the following, you will use the userPrincipalName 
attribute to authenticate 
(w.hals...@farn-ct.ac.uk<mailto:w.hals...@farn-ct.ac.uk> ) then freeradius will 
do a ldap search to find the samaccountname based on the 
userprincipalname=w.hals...@farn-ct.ac.uk<mailto:userprincipalname=w.hals...@farn-ct.ac.uk>
 and do a ntlm_auth with the result of the search.

The last thing will be to use an ldap source (clone the previous one if needed) 
and use userPrincipalName as the user attribute to create some rules 
(role/access duration)

Regards

Fabrice





--

Fabrice Durand

fdur...@inverse.ca<mailto:fdur...@inverse.ca> ::  +1.514.447.4918 (x135) ::  
www.inverse.ca<http://www.inverse.ca>

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





Re: [PacketFence-users] Eduroam local login

2018-11-19 Thread Durand fabrice via PacketFence-users

Hello Will,

yes but it's not yet available in packetfence 8.2.

If you want to test you can use the following PR 
https://github.com/inverse-inc/packetfence/pull/3429 :


cd /usr/local/pf

curl 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3429.diff 
| patch -p1 --dry-run


If no error:

curl 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3429.diff 
| patch -p1


cp conf/radiusd/ldap_packetfence.conf.example 
conf/radiusd/ldap_packetfence.conf


cp conf/radiusd/packetfence-tunnel.example conf/radiusd/packetfence-tunnel

bin/pfcmd pfconfig clear_backend

bin/pfcmd configreload hard

bin/pfcmd service pf restart

After that, check in the admin gui in the realm configuration and select 
the ldap source to use to resolve the samaccountname attribute, then 
edit the ldap authentication source to select the username attribute to 
resolve the samaccountname (userPrincipalName)


So the logic will be the following, you will use the userPrincipalName 
attribute to authenticate (w.hals...@farn-ct.ac.uk ) then freeradius 
will do a ldap search to find the samaccountname based on the 
userprincipalname=w.hals...@farn-ct.ac.uk and do a ntlm_auth with the 
result of the search.


The last thing will be to use an ldap source (clone the previous one if 
needed) and use userPrincipalName as the user attribute to create some 
rules (role/access duration)


Regards

Fabrice



On 18-11-19 at 09:03, Will Halsall via PacketFence-users wrote:


Hi Fabrice,

Thank you, yes, that now works if I use 
sAMAccountName@farn-ct.ac.uk


Can I modify this to use the userPrincipalName (mail address) 
w.hals...@farn-ct.ac.uk <mailto:w.hals...@farn-ct.ac.uk> by either 
using ldap or using ldap with a filter to retrieve the sAMAccountName


Thanks

Will H


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)


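The UPN-to-sAMAccountName step Fabrice describes above (authenticate with userPrincipalName, let the LDAP module find the sAMAccountName, hand that to ntlm_auth), as an added example in Python rather than the project's FreeRADIUS configuration. The in-memory directory, the account names and the NetBIOS domain are constructed; the point the example adds is that the User-Name must be RFC 4515-escaped before it is placed in the LDAP filter, and that the lookup has to use the full UPN, not the realm-stripped name.

```python
"""Resolve a userPrincipalName to the sAMAccountName that ntlm_auth needs.

Added example, not code from PacketFence or from the pull request above.
The directory below is an in-memory stand-in for Active Directory; every
name and the domain are made up.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed entries standing in for the LDAP search base.
DIRECTORY: List[Dict[str, str]] = [
    {"sAMAccountName": "whalsall", "userPrincipalName": "w.halsall@example.ac.uk"},
    {"sAMAccountName": "20217001", "userPrincipalName": "20217001@example.ac.uk"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "j.doe@example.ac.uk"},
]

# RFC 4515 escapes for the characters that are filter syntax, not data.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value so a User-Name such as '*' or 'x)(cn=*'
    is looked up literally instead of rewriting the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def upn_filter(user_name: str) -> str:
    """The filter the LDAP module sends: (userPrincipalName=<escaped UPN>).

    The *full* User-Name is used here: the stripped local part of a UPN
    ("w.halsall") is not an attribute value anywhere in the directory.
    """
    return "(userPrincipalName=%s)" % ldap_escape(user_name)


def ldap_unescape(value: str) -> str:
    """Turn \\XX hex escapes back into characters (the server side of RFC 4515)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory: List[Dict[str, str]], ldap_filter: str) -> List[Dict[str, str]]:
    """Evaluate one (attr=value) filter the way a directory would: values compare
    case-insensitively like AD, and an *unescaped* '*' acts as a wildcard."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, raw = m.group(1), m.group(2)
    if "*" in raw:  # only a '*' that was never escaped reaches this branch
        parts = [re.escape(ldap_unescape(p)) for p in raw.split("*")]
        pattern = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
        return [e for e in directory if attr in e and pattern.match(e[attr])]
    wanted = ldap_unescape(raw).lower()
    return [e for e in directory if e.get(attr, "").lower() == wanted]


def resolve_sam_account(user_name: str, directory=DIRECTORY) -> Optional[str]:
    """sAMAccountName for a UPN, or None unless exactly one entry matches."""
    hits = search(directory, upn_filter(user_name))
    if len(hits) != 1:
        return None
    return hits[0]["sAMAccountName"]


def ntlm_auth_identity(user_name: str, netbios_domain: str,
                       directory=DIRECTORY) -> Optional[Tuple[str, str]]:
    """(username, domain) pair to pass as --username / --domain to ntlm_auth."""
    sam = resolve_sam_account(user_name, directory)
    return None if sam is None else (sam, netbios_domain)
```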


Re: [PacketFence-users] Eduroam local login

2018-11-14 Thread Fabrice Durand via PacketFence-users

Hello Will,

I think it's because the username is not stripped on the ntlm_auth call.

Can you strip it in the farn-ct-ac-uk realm config?


It's like that right now:

realm farn-ct.ac.uk {
 nostrip
}

Regards

Fabrice


On 18-11-14 at 11:34, Will Halsall via PacketFence-users wrote:


Hi Folks

I have configured an Eduroam Exclusive Source and the access point but 
am able to log in a local user. I have included the radius eduroam 
debug logs. Would it be possible for someone to have a look to see if 
they can spot what I am doing wrong?


Thanks

Will Halsall



This message is intended only for the use of the person(s) to
whom it is addressed, and may contain privileged and confidential 
information.
If it has come to you in error, please contact the sender as soon as 
possible,
and note that you must take no action based on the content, nor must 
you copy,

distribute, or show the content to any other person.


In accordance with its legal obligations, Farnborough College of
Technology reserves the right to monitor the content of e-mails sent and
received, but will not do so routinely.





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-06-21 Thread jabang konate via PacketFence-users
Hello Fabrice,
I'm sorry to inform you late; these last days I was on vacation.

I tried your patch this morning, and it works.

On Fri, Jun 8, 2018 at 9:06 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jabang,
>
> it should be fixed with this patch:
>
> https://github.com/inverse-inc/packetfence/pull/3236/commits/79c77b7419aaa53cf9fec30ff5c1e2014ec13ddd.diff
>
> Let me know if it works.
>
> Regards
>
> Fabrice
>
> On 2018-06-07 at 00:44, jabang konate via PacketFence-users wrote:
>
> hi fabrice.
>
> when the second device wants to connect with the same username.
>
> I attach my log for the first device connected, the second device's log when it tries
> to connect, and the radius log when the second one tries to connect.
>
> Regards
> Jabang
>
>
>
> On Wed, Jun 6, 2018 at 8:55 PM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Janbang,
>>
>> can you confirm that when you reach the limit the role is set to REJECT?
>>
>> I searched in the code and didn't find any place where we set the role
>> REJECT if the user reaches the limit.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2018-06-04 at 00:05, jabang konate via PacketFence-users wrote:
>>
>> Hi Fabrice,
>>
>> any update on this issue?
>>
>> On Thu, May 31, 2018 at 4:41 PM, jabang konate 
>> wrote:
>>
>>> hi fabrice.
>>>
>>> I already tried the code and it works well.
>>> I tried with a limit of 1 node per user with the DEFAULT role.
>>>
>>> but I have something strange.
>>>
>>> when a user is rejected/denied by packetfence, I saw the user will be in the
>>> REJECT role.
>>> and then I tried to deregister the first device from the nodes tab, then I tried
>>> again with my second device with the REJECT role and I still can't connect to
>>> my network and it is still in the REJECT role.
>>> I must manually configure in the nodes tab to apply the role DEFAULT to my REJECT
>>> device, and then try to reconnect again to get access to the network.
>>>
>>> is it normal?
>>>
>>> here my packetfence log.
>>>
>>>
>>>
>>>
>>>
>>> On Wed, May 30, 2018 at 7:42 PM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
 Hello Jabang,

 thanks for testing it.

 Also for the limitation, I did some work on that not long ago
 and it should be fixed by https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3236.diff

 Can you test it too and let me know.

 Regards

 Fabrice



 On 2018-05-30 at 00:23, jabang konate via PacketFence-users wrote:

 hi fabrice
 thanks a lot and great work.

 now I can login with my local realm and a remote realm from another
 university.

 I have another question: is it possible to limit device nodes per user
 in eduroam?
 I tried with the default role to limit 2 devices, but when the third device
 logs in with the same username, the user can still login but with a blank role in
 the packetfence web.






 On Tue, May 29, 2018 at 11:36 PM, Fabrice Durand via PacketFence-users
  wrote:

> Hello Jabang,
>
> can you try that:
>
> https://github.com/inverse-inc/packetfence/compare/fix/eduroam_standalone.diff
>
> Regards
>
> Fabrice
>
>
>
> On 2018-05-25 at 03:50, jabang konate via PacketFence-users wrote:
>
> Hi Fabrice,
> ok, I will wait for the patch
>
> thank you
>
> On Fri, May 25, 2018 at 1:33 AM, Fabrice Durand via PacketFence-users
>  wrote:
>
>> Ok, there is a bug, I need to fix it.
>>
>>
>>
>> On 2018-05-24 at 11:33, jabang konate via PacketFence-users wrote:
>>
>> hi fabrice.
>>
>> 10.18.23.60 is the IP of the National Roaming Operator for eduroam in my country.
>>
>> attach my eduroam config file.
>>
>>
>> On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users
>>  wrote:
>>
>>> What is 10.18.23.60?
>>>
>>> can you share with me your file 
>>> /usr/local/pf/raddb/sites-enabled/eduroam
>>> ?
>>>
>>> Le 2018-05-24 à 00:46, jabang konate via PacketFence-users a écrit :
>>>
>>> Hi fabrice,
>>> today i try again with my packetfence.
>>>
>>> in packetfence-tunnel configuration i change configuration like
>>> this,
>>>if (update) {
>>> update control {
>>>  := No
>>> }
>>> }
>>>  }
>>> because from the output i don't see "ok", and then now i can login
>>> with my ldap account but with port 1812 in my access point, but not 
>>> using
>>> port 11812.
>>> if i'm using 11812 my request always forward to Realm eduroam my
>>> home server, and not forward the request to packetfence virtual server
>>> (sites-enabled/packetfence then site-enabled/packetfence-tunnel) as
>>> you said in scenario 1.
>>>
>>> (1) Thu May 24 11:06:15 2018: 

Re: [PacketFence-users] Eduroam unable to process request local REALM from other university

2018-06-07 Thread jabang konate via PacketFence-users
hi fabrice.

thanks a lot it work.

Regards.
Jabang

On Wed, Jun 6, 2018 at 9:49 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jabang,
>
> Your issue is that the Ruckus RADIUS request is missing the
> NAS-Port-Type attribute.
>
>
> Can you try that:
>
> diff --git a/lib/pf/Switch.pm b/lib/pf/Switch.pm
> index 22bd94288..db9ee3921 100644
> --- a/lib/pf/Switch.pm
> +++ b/lib/pf/Switch.pm
> @@ -3015,7 +3015,7 @@ sub parseRequest {
> ? clean_mac($radius_request->{'
> Calling-Station-Id'}[0])
> : clean_mac($radius_request->{'
> Calling-Station-Id'});
>  my $user_name   = $radius_request->{'TLS-Client-Cert-Common-Name'}
> || $radius_request->{'User-Name'};
> -my $nas_port_type   = $radius_request->{'NAS-Port-Type'};
> +my $nas_port_type   = ( defined($radius_request->{'NAS-Port-Type'})
> ? $radius_request->{'NAS-Port-Type'} : ( 
> defined($radius_request->{'Called-Station-SSID'})
> ? "Wireless-802.11" : undef ) );
>  my $port= $radius_request->{'NAS-Port'};
>  my $eap_type= ( exists($radius_request->{'EAP-Type'}) ?
> $radius_request->{'EAP-Type'} : 0 );
>  my $nas_port_id = ( defined($radius_request->{'NAS-Port-Id'}) ?
> $radius_request->{'NAS-Port-Id'} : undef );
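Review bot: the fallback on the `+` line makes the mere presence of `Called-Station-SSID` equal to a NAS-Port-Type of `Wireless-802.11` for every switch module, because this is the generic `parseRequest` in `lib/pf/Switch.pm`; the log quoted in this same message shows the affected device is `pf::Switch::Ruckus`, so the inference would be safer in that module's own request parsing, or at least documented on this line as a heuristic for NAS devices that omit the attribute. A request that carries neither attribute still yields `undef` and the same "Sending REJECT since switch is unsupported" outcome shown in the log, so a WARN naming the missing `NAS-Port-Type` would make the next such vendor diagnosable from the packetfence log rather than from raddebug.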
>
>
> Regards
>
> Fabrice
>
>
>
> Le 2018-06-05 à 23:45, jabang konate via PacketFence-users a écrit :
>
> I'm using PacketFence 8.0.1
>
> My user from another university complains that they can't connect to eduroam
> with my university's local REALM.
>
> From the raddebug output I see an error message like this.
>
> (79) Wed Jun  6 10:17:11 2018: ERROR: rest: Server returned:
> (79) Wed Jun  6 10:17:11 2018: ERROR: rest: {"Reply-Message":"Network
> device does not support this mode of operation","control:
> PacketFence-Eap-Type":26,"control:PacketFence-
> Authorization-Status":"allow","control:PacketFence-Mac":"64:
> cc:2e:4f:39:3b","control:PacketFence-Switch-Ip-Address"
> :"10.43.1.2","control:PacketFence-Request-Time":1528255031,"control:
> PacketFence-UserName":"ae...@xyz.edu","control:PacketFence-
> Connection-Type":"Ethernet-EAP","control:PacketFence-
> Switch-Mac":"38:ff:36:c2:33:69","control:PacketFence-
> Switch-Id":"10.43.1.2"}
>
> packetfence log:
>
> Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
> INFO: [mac:64:cc:2e:4f:39:3b] handling radius autz request: from switch_ip
> => (10.43.1.2), connection_type => Ethernet-EAP,switch_mac =>
> (38:ff:36:c2:33:69), mac => [64:cc:2e:4f:39:3b], port => , username => "
> ae...@xyz.edu" (pf::radius::authorize)
> Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
> ERROR: [mac:64:cc:2e:4f:39:3b] Wired 802.1X is not supported on switch type
> pf::Switch::Ruckus. Please let us know what hardware you are using.
> (pf::Switch::supportsWiredDot1x)
> Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
> WARN: [mac:64:cc:2e:4f:39:3b] (10.43.1.2) Sending REJECT since switch is
> unsupported (pf::radius::_switchUnsupportedReply)
> Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
> WARN: [mac:64:cc:2e:4f:39:3b] Use of uninitialized value $nas_port in
> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2545.
>  (pf::Switch::NasPortToIfIndex)
> Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
> WARN: [mac:64:cc:2e:4f:39:3b] Use of uninitialized value $port in
> concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 179.
>  (pf::radius::authorize)
> Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
> INFO: [mac:64:cc:2e:4f:39:3b] handling radius autz request: from switch_ip
> => (10.43.1.2), connection_type => Ethernet-EAP,switch_mac =>
> (38:ff:36:c2:33:69), mac => [64:cc:2e:4f:39:3b], port => , username => "
> ae...@xyz.edu" (pf::radius::authorize)
> Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
> ERROR: [mac:64:cc:2e:4f:39:3b] Wired 802.1X is not supported on switch type
> pf::Switch::Ruckus. Please let us know what hardware you are using.
> (pf::Switch::supportsWiredDot1x)
> Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
> WARN: [mac:64:cc:2e:4f:39:3b] (10.43.1.2) Sending REJECT since switch is
> unsupported (pf::radius::_switchUnsupportedReply)
>
> Please give me some advice.
> Thanks.
>
>
> --
> Fabrice Durand fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> 

Re: [PacketFence-users] Eduroam unable to process request local REALM from other university

2018-06-06 Thread Fabrice Durand via PacketFence-users

Hello Jabang,

Your issue is that the Ruckus RADIUS request is missing the 
NAS-Port-Type attribute.



Can you try that:

diff --git a/lib/pf/Switch.pm b/lib/pf/Switch.pm
index 22bd94288..db9ee3921 100644
--- a/lib/pf/Switch.pm
+++ b/lib/pf/Switch.pm
@@ -3015,7 +3015,7 @@ sub parseRequest {
    ? 
clean_mac($radius_request->{'Calling-Station-Id'}[0])
    : 
clean_mac($radius_request->{'Calling-Station-Id'});
 my $user_name   = 
$radius_request->{'TLS-Client-Cert-Common-Name'} || 
$radius_request->{'User-Name'};

-    my $nas_port_type   = $radius_request->{'NAS-Port-Type'};
+    my $nas_port_type   = ( defined($radius_request->{'NAS-Port-Type'}) 
? $radius_request->{'NAS-Port-Type'} : ( 
defined($radius_request->{'Called-Station-SSID'}) ? "Wireless-802.11" : 
undef ) );

 my $port    = $radius_request->{'NAS-Port'};
 my $eap_type    = ( exists($radius_request->{'EAP-Type'}) ? 
$radius_request->{'EAP-Type'} : 0 );
 my $nas_port_id = ( defined($radius_request->{'NAS-Port-Id'}) 
? $radius_request->{'NAS-Port-Id'} : undef );
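Review bot: the `+` line reads `Called-Station-SSID`, but nothing in the hunk shows where that attribute gets populated; the raddebug output in Jabang's original message shows the Ruckus request carrying only `Called-Station-Id = "38-FF-36-C2-33-69:eduroam"`, so if the SSID is not split out before `parseRequest` runs, `$nas_port_type` stays `undef` and the request still takes the "Wired 802.1X is not supported" path. A short comment naming the policy that sets `Called-Station-SSID` would make that dependency visible, and the nested ternary reads more easily as two statements: `my $nas_port_type = $radius_request->{'NAS-Port-Type'};` followed by `$nas_port_type //= "Wireless-802.11" if defined $radius_request->{'Called-Station-SSID'};`. The unchanged `my $port = $radius_request->{'NAS-Port'};` line is also left without a default, which is where the `Use of uninitialized value $port` warnings in the quoted log come from.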



Regards

Fabrice



Le 2018-06-05 à 23:45, jabang konate via PacketFence-users a écrit :

I'm using PacketFence 8.0.1

My user from another university complains that they can't connect to eduroam 
with my university's local REALM.


From the raddebug output I see an error message like this.

(79) Wed Jun  6 10:17:11 2018: ERROR: rest: Server returned:
(79) Wed Jun  6 10:17:11 2018: ERROR: rest: {"Reply-Message":"Network 
device does not support this mode of 
operation","control:PacketFence-Eap-Type":26,"control:PacketFence-Authorization-Status":"allow","control:PacketFence-Mac":"64:cc:2e:4f:39:3b","control:PacketFence-Switch-Ip-Address":"10.43.1.2","control:PacketFence-Request-Time":1528255031,"control:PacketFence-UserName":"ae...@xyz.edu 
","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-Switch-Mac":"38:ff:36:c2:33:69","control:PacketFence-Switch-Id":"10.43.1.2"}


packetfence log:

Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986) 
INFO: [mac:64:cc:2e:4f:39:3b] handling radius autz request: from 
switch_ip => (10.43.1.2), connection_type => Ethernet-EAP,switch_mac 
=> (38:ff:36:c2:33:69), mac => [64:cc:2e:4f:39:3b], port => , username 
=> "ae...@xyz.edu " (pf::radius::authorize)
Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986) 
ERROR: [mac:64:cc:2e:4f:39:3b] Wired 802.1X is not supported on switch 
type pf::Switch::Ruckus. Please let us know what hardware you are 
using. (pf::Switch::supportsWiredDot1x)
Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986) 
WARN: [mac:64:cc:2e:4f:39:3b] (10.43.1.2) Sending REJECT since switch 
is unsupported (pf::radius::_switchUnsupportedReply)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986) 
WARN: [mac:64:cc:2e:4f:39:3b] Use of uninitialized value $nas_port in 
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2545.

 (pf::Switch::NasPortToIfIndex)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986) 
WARN: [mac:64:cc:2e:4f:39:3b] Use of uninitialized value $port in 
concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm 
 line 179.

 (pf::radius::authorize)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986) 
INFO: [mac:64:cc:2e:4f:39:3b] handling radius autz request: from 
switch_ip => (10.43.1.2), connection_type => Ethernet-EAP,switch_mac 
=> (38:ff:36:c2:33:69), mac => [64:cc:2e:4f:39:3b], port => , username 
=> "ae...@xyz.edu " (pf::radius::authorize)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986) 
ERROR: [mac:64:cc:2e:4f:39:3b] Wired 802.1X is not supported on switch 
type pf::Switch::Ruckus. Please let us know what hardware you are 
using. (pf::Switch::supportsWiredDot1x)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986) 
WARN: [mac:64:cc:2e:4f:39:3b] (10.43.1.2) Sending REJECT since switch 
is unsupported (pf::radius::_switchUnsupportedReply)


Please give me some advice.
Thanks.




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

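The misclassification Fabrice describes (no NAS-Port-Type, so the request is handled as wired 802.1X) and the effect of the SSID fallback, as an added Python example that is not PacketFence's own code: the raddebug excerpt is constructed from the attributes quoted in the thread, and the function names and the non-wired connection-type labels are assumptions.

```python
"""Classify a RADIUS request the way the thread describes.

Added example, not PacketFence's own code. The attribute lines are modelled
on the raddebug output quoted in the thread; "Ethernet-EAP" is the name seen
in the log, while "Wireless-802.11-EAP", "Wireless-802.11-NoEAP" and
"Ethernet-NoEAP" are assumed PacketFence connection-type names.
"""
import re
from typing import Optional

# Constructed excerpt: the Ruckus request has Called-Station-Id with the SSID
# appended, but no NAS-Port-Type attribute (the cause reported in the thread).
RADDEBUG_RUCKUS = """\
(79) Wed Jun  6 10:17:11 2018: Debug:   User-Name = "ae...@xyz.edu"
(79) Wed Jun  6 10:17:11 2018: Debug:   Calling-Station-Id = "64-CC-2E-4F-39-3B"
(79) Wed Jun  6 10:17:11 2018: Debug:   NAS-IP-Address = 10.43.1.2
(79) Wed Jun  6 10:17:11 2018: Debug:   Called-Station-Id = "38-FF-36-C2-33-69:eduroam"
(79) Wed Jun  6 10:17:11 2018: Debug:   NAS-Identifier = "38-FF-36-C2-33-69"
(79) Wed Jun  6 10:17:11 2018: Debug:   EAP-Message = 0x0208002b19
(79) Wed Jun  6 10:17:11 2018: Debug: # Executing section authorize from file
"""

# "Debug:   Name = value"; other debug lines (policy braces, EXPAND) do not match.
ATTR_RE = re.compile(r'Debug:\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')

# AP-MAC:SSID as sent by many wireless NAS devices; MAC with '-' or ':' separators.
CALLED_STATION_RE = re.compile(
    r'^(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}:(?P<ssid>.+)$')


def parse_raddebug_attrs(text: str) -> dict:
    """Collect request attributes from raddebug lines; the first occurrence of
    an attribute wins and surrounding double quotes are stripped."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs.setdefault(name, value)
    return attrs


def called_station_ssid(called_station_id: Optional[str]) -> Optional[str]:
    """Return the SSID suffix of Called-Station-Id, or None if there is none."""
    if not called_station_id:
        return None
    m = CALLED_STATION_RE.match(called_station_id)
    return m.group('ssid') if m else None


def nas_port_type(attrs: dict, infer_from_ssid: bool) -> Optional[str]:
    """Mirror the patched parseRequest: trust NAS-Port-Type when present and,
    if the fallback is enabled, assume Wireless-802.11 when an SSID is present."""
    if attrs.get('NAS-Port-Type') is not None:
        return attrs['NAS-Port-Type']
    if infer_from_ssid and called_station_ssid(attrs.get('Called-Station-Id')):
        return 'Wireless-802.11'
    return None


def connection_type(attrs: dict, infer_from_ssid: bool = True) -> str:
    """Reduce a request to a connection type. Anything not known to be wireless
    is treated as wired, which is how the Ruckus request ended up as
    Ethernet-EAP and was rejected as unsupported wired 802.1X."""
    is_eap = 'EAP-Message' in attrs
    if nas_port_type(attrs, infer_from_ssid) == 'Wireless-802.11':
        return 'Wireless-802.11-EAP' if is_eap else 'Wireless-802.11-NoEAP'
    return 'Ethernet-EAP' if is_eap else 'Ethernet-NoEAP'


def classify_raddebug(text: str, infer_from_ssid: bool = True) -> str:
    """Parse a raddebug excerpt and classify the request it describes."""
    return connection_type(parse_raddebug_attrs(text), infer_from_ssid)


if __name__ == '__main__':
    # Without the fallback the request is wired; with the SSID fallback it is wireless.
    print(classify_raddebug(RADDEBUG_RUCKUS, infer_from_ssid=False))  # Ethernet-EAP
    print(classify_raddebug(RADDEBUG_RUCKUS, infer_from_ssid=True))   # Wireless-802.11-EAP
```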

[PacketFence-users] Eduroam unable to process request local REALM from other university

2018-06-06 Thread jabang konate via PacketFence-users
I'm using PacketFence 8.0.1

My user from another university complains that they can't connect to eduroam
with my university's local REALM.

From the raddebug output I see an error message like this.

(79) Wed Jun  6 10:17:11 2018: ERROR: rest: Server returned:
(79) Wed Jun  6 10:17:11 2018: ERROR: rest: {"Reply-Message":"Network
device does not support this mode of
operation","control:PacketFence-Eap-Type":26,"control:PacketFence-Authorization-Status":"allow","control:PacketFence-Mac":"64:cc:2e:4f:39:3b","control:PacketFence-Switch-Ip-Address":"10.43.1.2","control:PacketFence-Request-Time":1528255031,"control:PacketFence-UserName":"
ae...@xyz.edu
","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-Switch-Mac":"38:ff:36:c2:33:69","control:PacketFence-Switch-Id":"10.43.1.2"}

packetfence log:

Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
INFO: [mac:64:cc:2e:4f:39:3b] handling radius autz request: from switch_ip
=> (10.43.1.2), connection_type => Ethernet-EAP,switch_mac =>
(38:ff:36:c2:33:69), mac => [64:cc:2e:4f:39:3b], port => , username => "
ae...@xyz.edu" (pf::radius::authorize)
Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
ERROR: [mac:64:cc:2e:4f:39:3b] Wired 802.1X is not supported on switch type
pf::Switch::Ruckus. Please let us know what hardware you are using.
(pf::Switch::supportsWiredDot1x)
Jun  6 10:16:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
WARN: [mac:64:cc:2e:4f:39:3b] (10.43.1.2) Sending REJECT since switch is
unsupported (pf::radius::_switchUnsupportedReply)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
WARN: [mac:64:cc:2e:4f:39:3b] Use of uninitialized value $nas_port in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2545.
 (pf::Switch::NasPortToIfIndex)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
WARN: [mac:64:cc:2e:4f:39:3b] Use of uninitialized value $port in
concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 179.
 (pf::radius::authorize)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
INFO: [mac:64:cc:2e:4f:39:3b] handling radius autz request: from switch_ip
=> (10.43.1.2), connection_type => Ethernet-EAP,switch_mac =>
(38:ff:36:c2:33:69), mac => [64:cc:2e:4f:39:3b], port => , username => "
ae...@xyz.edu" (pf::radius::authorize)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
ERROR: [mac:64:cc:2e:4f:39:3b] Wired 802.1X is not supported on switch type
pf::Switch::Ruckus. Please let us know what hardware you are using.
(pf::Switch::supportsWiredDot1x)
Jun  6 10:17:11 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2986)
WARN: [mac:64:cc:2e:4f:39:3b] (10.43.1.2) Sending REJECT since switch is
unsupported (pf::radius::_switchUnsupportedReply)

Please give me some advice.
Thanks.
(79) Wed Jun  6 10:17:11 2018: Debug:   User-Name = "ae...@xyz.edu"
(79) Wed Jun  6 10:17:11 2018: Debug:   Calling-Station-Id = "64-CC-2E-4F-39-3B"
(79) Wed Jun  6 10:17:11 2018: Debug:   NAS-IP-Address = 10.43.1.2
(79) Wed Jun  6 10:17:11 2018: Debug:   Called-Station-Id = 
"38-FF-36-C2-33-69:eduroam"
(79) Wed Jun  6 10:17:11 2018: Debug:   NAS-Identifier = "38-FF-36-C2-33-69"
(79) Wed Jun  6 10:17:11 2018: Debug:   EAP-Message = 
0x0208002b190017030100207800450c2f957824b9747d285f35b4bfb1a1714f27697c43619591d46a9f04b5
(79) Wed Jun  6 10:17:11 2018: Debug:   State = 
0x70b0dfa877b8c6efcac40832d6116756
(79) Wed Jun  6 10:17:11 2018: Debug:   Message-Authenticator = 
0x6b35bdb3c5284feb0f9c21eff24ae78b
(79) Wed Jun  6 10:17:11 2018: Debug:   Proxy-State = 0x3831
(79) Wed Jun  6 10:17:11 2018: Debug:   Proxy-State = 0x3534
(79) Wed Jun  6 10:17:11 2018: Debug: session-state: No cached attributes
(79) Wed Jun  6 10:17:11 2018: Debug: # Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/eduroam
(79) Wed Jun  6 10:17:11 2018: Debug:   authorize {
(79) Wed Jun  6 10:17:11 2018: Debug: update {
(79) Wed Jun  6 10:17:11 2018: Debug:   EXPAND %{Packet-Src-IP-Address}
(79) Wed Jun  6 10:17:11 2018: Debug:  --> 103.220.23.60
(79) Wed Jun  6 10:17:11 2018: Debug:   EXPAND %l
(79) Wed Jun  6 10:17:11 2018: Debug:  --> 1528255031
(79) Wed Jun  6 10:17:11 2018: Debug: } # update = noop
(79) Wed Jun  6 10:17:11 2018: Debug: policy rewrite_calling_station_id {
(79) Wed Jun  6 10:17:11 2018: Debug:   if ( && 
( =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
 {
(79) Wed Jun  6 10:17:11 2018: Debug:   if ( && 
( =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
  -> TRUE
(79) Wed Jun  6 10:17:11 2018: Debug:   if ( && 
( =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
  {
(79) Wed Jun  6 10:17:11 

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-06-05 Thread jabang konate via PacketFence-users
hi fabrice

any update for this issue?

On Thu, May 31, 2018 at 4:41 PM, jabang konate 
wrote:

> hi fabrice.
>
> i already try the code and it work well.
> i try with limit 1 node per user with DEFAULT role.
>
> but i have something strange.
>
> when user rejected/denied by the packetfence, i saw user will be in REJECT
> role.
> and then i try to deregister the first device from nodes tab, then i try
> again with my second device with REJECT role and i still can't connect with
> my network and still with REJECT role.
> i must configure manual in nodes tab to apply role DEFAULT to my REJECT
> device, and then try to reconnect again to get access to network.
>
> is it normal ?
>
> here my packetfence log.
>
>
>
>
>
> On Wed, May 30, 2018 at 7:42 PM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Jabang,
>>
>> thanks for testing it.
>>
>> Also for the limitation, i did some work on that not a long time ago and
>> it should be fixed by https://patch-diff.githubuserc
>> ontent.com/raw/inverse-inc/packetfence/pull/3236.diff
>>
>> Can you test it too and let me know.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2018-05-30 à 00:23, jabang konate via PacketFence-users a écrit :
>>
>> hi fabrice
>> thanks a lot and great work.
>>
>> now i can login with my local realm and remote realm from other
>> university.
>>
>> i have  another question,is it possible to limit device node per user in
>> eduroam?
>> i try with default role to limit 2 devices, but when third devices login
>> with the same username , user can still login but with blank role in
>> packetfence web.
>>
>>
>>
>>
>>
>>
>> On Tue, May 29, 2018 at 11:36 PM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Jabang,
>>>
>>> can you try that:
>>>
>>> https://github.com/inverse-inc/packetfence/compare/fix/eduro
>>> am_standalone.diff
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> Le 2018-05-25 à 03:50, jabang konate via PacketFence-users a écrit :
>>>
>>> hi fabrice,
>>> ok i will wait for patch
>>>
>>> thank you
>>>
>>> On Fri, May 25, 2018 at 1:33 AM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
 Ok there is a bug, i need to fix it.



 Le 2018-05-24 à 11:33, jabang konate via PacketFence-users a écrit :

 hi fabrice.

 10.18.23.60 is the IP of the eduroam National Roaming Operator in my country.

 attach my eduroam config file.


 On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <
 packetfence-users@lists.sourceforge.net> wrote:

> What is 10.18.23.60 ?
>
> can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam
> ?
>
> Le 2018-05-24 à 00:46, jabang konate via PacketFence-users a écrit :
>
> Hi fabrice,
> today i try again with my packetfence.
>
> in packetfence-tunnel configuration i change configuration like
> this,
>if (update) {
> update control {
>  := No
> }
> }
>  }
> because from the output i don't see "ok", and then now i can login
> with my ldap account but with port 1812 in my access point, but not using
> port 11812.
> if i'm using 11812 my request always forward to Realm eduroam my home
> server, and not forward the request to packetfence virtual server
> (sites-enabled/packetfence then site-enabled/packetfence-tunnel) as
> you said in scenario 1.
>
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after
> "@"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "
> xyz.ac.id" for User-Name = "testu...@xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name
> = "testuser"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id
> "
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is
> LOCAL
> (1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
> (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has
> destination realm set.  Ignoring
> (1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  -> TRUE
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  {
> (1) Thu May 24 11:06:15 2018: Debug:   update control {
> (1) Thu May 24 11:06:15 2018: Debug:   } # update control = noop
> (1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~ /@/)  =
> noop
> (1) Thu May 24 11:06:15 2018: Debug: ... skipping else: Preceding
> "if" was taken
> (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be
> 

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-31 Thread jabang konate via PacketFence-users
hi fabrice.

I already tried the code and it works well.
I tried with a limit of 1 node per user with the DEFAULT role.

But I have something strange.

When a user is rejected/denied by PacketFence, I saw the user will be in the REJECT
role.
And then I tried to deregister the first device from the nodes tab, then I tried
again with my second device with the REJECT role and I still can't connect to
my network and still have the REJECT role.
I must manually configure in the nodes tab to apply the role DEFAULT to my REJECT
device, and then try to reconnect again to get access to the network.

is it normal ?

here my packetfence log.





On Wed, May 30, 2018 at 7:42 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jabang,
>
> thanks for testing it.
>
> Also for the limitation, i did some work on that not a long time ago and
> it should be fixed by https://patch-diff.githubusercontent.com/raw/
> inverse-inc/packetfence/pull/3236.diff
>
> Can you test it too and let me know.
>
> Regards
>
> Fabrice
>
>
>
> Le 2018-05-30 à 00:23, jabang konate via PacketFence-users a écrit :
>
> hi fabrice
> thanks a lot and great work.
>
> now i can login with my local realm and remote realm from other university.
>
> i have  another question,is it possible to limit device node per user in
> eduroam?
> i try with default role to limit 2 devices, but when third devices login
> with the same username , user can still login but with blank role in
> packetfence web.
>
>
>
>
>
>
> On Tue, May 29, 2018 at 11:36 PM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Jabang,
>>
>> can you try that:
>>
>> https://github.com/inverse-inc/packetfence/compare/fix/eduro
>> am_standalone.diff
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2018-05-25 à 03:50, jabang konate via PacketFence-users a écrit :
>>
>> hi fabrice,
>> ok i will wait for patch
>>
>> thank you
>>
>> On Fri, May 25, 2018 at 1:33 AM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Ok there is a bug, i need to fix it.
>>>
>>>
>>>
>>> Le 2018-05-24 à 11:33, jabang konate via PacketFence-users a écrit :
>>>
>>> hi fabrice.
>>>
>>> 10.18.23.60 is the IP of the eduroam National Roaming Operator in my country.
>>>
>>> attach my eduroam config file.
>>>
>>>
>>> On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
 What is 10.18.23.60 ?

 can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam
 ?

 Le 2018-05-24 à 00:46, jabang konate via PacketFence-users a écrit :

 Hi fabrice,
 today i try again with my packetfence.

 in packetfence-tunnel configuration i change configuration like
 this,
if (update) {
 update control {
  := No
 }
 }
  }
 because from the output i don't see "ok", and then now i can login with
 my ldap account but with port 1812 in my access point, but not using port
 11812.
 if i'm using 11812 my request always forward to Realm eduroam my home
 server, and not forward the request to packetfence virtual server
 (sites-enabled/packetfence then site-enabled/packetfence-tunnel) as
 you said in scenario 1.

 (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after
 "@"
 (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "
 xyz.ac.id" for User-Name = "testu...@xyz.ac.id"
 (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
 (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name
 = "testuser"
 (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
 (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is
 LOCAL
 (1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
 (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has
 destination realm set.  Ignoring
 (1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
 (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
 (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  -> TRUE
 (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  {
 (1) Thu May 24 11:06:15 2018: Debug:   update control {
 (1) Thu May 24 11:06:15 2018: Debug:   } # update control = noop
 (1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~ /@/)  =
 noop
 (1) Thu May 24 11:06:15 2018: Debug: ... skipping else: Preceding
 "if" was taken
 (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be
 proxied to Realm eduroam. Not doing EAP.
 (1) Thu May 24 11:06:15 2018: Debug: [eap] = noop

 attach my radiusd-eduroam.sock log and picture of my configuration
 exclusive source eduroam .

 Regards.


 On Thu, May 24, 2018 at 12:49 

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-30 Thread Fabrice Durand via PacketFence-users

Hello Jabang,

thanks for testing it.

Also, for the limitation, I did some work on that not long ago and 
it should be fixed by 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3236.diff


Can you test it too and let me know.

Regards

Fabrice



Le 2018-05-30 à 00:23, jabang konate via PacketFence-users a écrit :

hi fabrice
thanks a lot and great work.

now i can login with my local realm and remote realm from other 
university.


I have another question: is it possible to limit device nodes per user 
in eduroam?
I tried with the default role to limit to 2 devices, but when a third device 
logs in with the same username, the user can still log in but with a blank 
role in the PacketFence web interface.







On Tue, May 29, 2018 at 11:36 PM, Fabrice Durand via PacketFence-users 
> wrote:


Hello Jabang,

can you try that:


https://github.com/inverse-inc/packetfence/compare/fix/eduroam_standalone.diff



Regards

Fabrice



Le 2018-05-25 à 03:50, jabang konate via PacketFence-users a écrit :

hi fabrice,
ok i will wait for patch

thank you

On Fri, May 25, 2018 at 1:33 AM, Fabrice Durand via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Ok there is a bug, i need to fix it.



Le 2018-05-24 à 11:33, jabang konate via PacketFence-users a
écrit :

hi fabrice.

10.18.23.60 is the IP of the eduroam National Roaming Operator in my
country.

attach my eduroam config file.


On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

What is 10.18.23.60 ?

can you share with me your file
/usr/local/pf/raddb/sites-enabled/eduroam ?


Le 2018-05-24 à 00:46, jabang konate via
PacketFence-users a écrit :

Hi fabrice,
today i try again with my packetfence.

in packetfence-tunnel configuration i change
configuration like this,
if (update) {
update control {
 := No
        }
        }
 }
because from the output i don't see "ok", and then now
i can login with my ldap account but with port 1812 in
my access point, but not using port 11812.
if i'm using 11812 my request always forward to Realm
eduroam my home server, and not forward the request to
packetfence virtual server (sites-enabled/packetfence
then site-enabled/packetfence-tunnel) as you said in
scenario 1.

(1) Thu May 24 11:06:15 2018: Debug: suffix: Checking
for suffix after "@"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up
realm "xyz.ac.id " for User-Name =
"testu...@xyz.ac.id "
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found
realm "xyz.ac.id "
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding
Stripped-User-Name = "testuser"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding
Realm = "xyz.ac.id "
(1) Thu May 24 11:06:15 2018: Debug: suffix:
Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
(1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request
already has destination realm set.  Ignoring
(1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name
=~ /@/) {
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name
=~ /@/) -> TRUE
(1) Thu May 24 11:06:15 2018: Debug: if (User-Name
=~ /@/) {
(1) Thu May 24 11:06:15 2018: Debug:   update control {
(1) Thu May 24 11:06:15 2018: Debug:   } # update
control = noop
(1) Thu May 24 11:06:15 2018: Debug: } # if
(User-Name =~ /@/) = noop
(1) Thu May 24 11:06:15 2018: Debug: ... skipping
else: Preceding "if" was taken
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is
supposed to be proxied to Realm eduroam. Not doing EAP.
(1) Thu May 24 11:06:15 2018: Debug: [eap] = noop

attach my radiusd-eduroam.sock log and picture of my
configuration exclusive source eduroam .

Regards.


On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via
PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:



Le 2018-05-23 à 13:36, jabang 

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-30 Thread jabang konate via PacketFence-users
Hi Fabrice,
thanks a lot and great work.

Now I can log in with my local realm and a remote realm from another university.

I have another question: is it possible to limit device nodes per user in
eduroam?
I tried with the default role to limit to 2 devices, but when a third device logs in
with the same username, the user can still log in but with a blank role in
the PacketFence web interface.






On Tue, May 29, 2018 at 11:36 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jabang,
>
> can you try that:
>
> https://github.com/inverse-inc/packetfence/compare/fix/
> eduroam_standalone.diff
>
> Regards
>
> Fabrice
>
>
>
> Le 2018-05-25 à 03:50, jabang konate via PacketFence-users a écrit :
>
> hi fabrice,
> ok i will wait for patch
>
> thank you
>
> On Fri, May 25, 2018 at 1:33 AM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Ok there is a bug, i need to fix it.
>>
>>
>>
>> Le 2018-05-24 à 11:33, jabang konate via PacketFence-users a écrit :
>>
>> hi fabrice.
>>
>> 10.18.23.60 is the IP of the eduroam National Roaming Operator in my country.
>>
>> attach my eduroam config file.
>>
>>
>> On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> What is 10.18.23.60 ?
>>>
>>> can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam
>>> ?
>>>
>>> Le 2018-05-24 à 00:46, jabang konate via PacketFence-users a écrit :
>>>
>>> Hi fabrice,
>>> today i try again with my packetfence.
>>>
>>> in packetfence-tunnel configuration i change configuration like this,
>>>if (update) {
>>> update control {
>>>  := No
>>> }
>>> }
>>>  }
>>> because from the output i don't see "ok", and then now i can login with
>>> my ldap account but with port 1812 in my access point, but not using port
>>> 11812.
>>> if i'm using 11812 my request always forward to Realm eduroam my home
>>> server, and not forward the request to packetfence virtual server
>>> (sites-enabled/packetfence then site-enabled/packetfence-tunnel) as you
>>> said in scenario 1.
>>>
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after
>>> "@"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id"
>>> for User-Name = "testu...@xyz.ac.id"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name =
>>> "testuser"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
>>> (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is
>>> LOCAL
>>> (1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
>>> (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has
>>> destination realm set.  Ignoring
>>> (1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
>>> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
>>> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  -> TRUE
>>> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  {
>>> (1) Thu May 24 11:06:15 2018: Debug:   update control {
>>> (1) Thu May 24 11:06:15 2018: Debug:   } # update control = noop
>>> (1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~ /@/)  =
>>> noop
>>> (1) Thu May 24 11:06:15 2018: Debug: ... skipping else: Preceding
>>> "if" was taken
>>> (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be
>>> proxied to Realm eduroam. Not doing EAP.
>>> (1) Thu May 24 11:06:15 2018: Debug: [eap] = noop
>>>
>>> attach my radiusd-eduroam.sock log and picture of my configurutiaon
>>> exclusive source eduroam .
>>>
>>> Regards.
>>>
>>>
>>> On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>


 Le 2018-05-23 à 13:36, jabang konate via PacketFence-users a écrit :

 Hi fabrice.

 Thanks for speedy response.

 > so i am not sure what you try to do with the ldap module.
 ldap module for configuration user with openldap right? i read in EAP
 Authentication against OpenLDAP.

 yes, the only difference is that you have to disable NTLM-Auth if ldap
 return ok to avoid "ERROR: mschap: Program returned code (1) and output
 'Reading winbind reply failed! (0xc001)'".



 > You have 3 scenarios:
 yes i want like that,

 I will try again and will share the results on this topic.

 thank you for your advice fabrice.


 On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via PacketFence-users
  wrote:

> Hello Jabang,
>
> so i am not sure what you try to do with the ldap module.
>
> You have 3 scenarios:
>
> 1: a user from your university connect on the ssid eduroam from your
> university.  (the ap/controller use the port 11812)
> You need to configure the 

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-29 Thread Fabrice Durand via PacketFence-users

Hello Jabang,

Can you try that:

https://github.com/inverse-inc/packetfence/compare/fix/eduroam_standalone.diff

Regards

Fabrice



Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-25 Thread jabang konate via PacketFence-users
Hi Fabrice,
OK, I will wait for the patch.

Thank you

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-24 Thread Fabrice Durand via PacketFence-users

OK, there is a bug; I need to fix it.



Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-24 Thread jabang konate via PacketFence-users
Hi Fabrice.

10.18.23.60 is the IP of the National Roaming Operator for eduroam in my country.

I attach my eduroam config file.


Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-24 Thread Fabrice Durand via PacketFence-users

What is 10.18.23.60?

Can you share your file /usr/local/pf/raddb/sites-enabled/eduroam with me?


On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:

> Hi Fabrice,
> Today I tried again with my PacketFence.
>
> In the packetfence-tunnel configuration I changed the configuration like this,
> if (update) {
>     update control {
>         &MS-CHAP-Use-NTLM-Auth := No
>     }
> }
> }
> because from the output I don't see "ok", and now I can log in
> with my LDAP account, but with port 1812 in my access point, not
> using port 11812.
> If I'm using 11812 my request is always forwarded to Realm eduroam, my home
> server, and the request is not forwarded to the packetfence virtual server
> (sites-enabled/packetfence then sites-enabled/packetfence-tunnel) as
> you said in scenario 1.
>
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id" for User-Name = "testu...@xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name = "testuser"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
> (1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
> (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has destination realm set.  Ignoring
> (1) Thu May 24 11:06:15 2018: Debug: [ntdomain] = noop
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/) {
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  -> TRUE
> (1) Thu May 24 11:06:15 2018: Debug: if (User-Name =~ /@/)  {
> (1) Thu May 24 11:06:15 2018: Debug:   update control {
> (1) Thu May 24 11:06:15 2018: Debug:   } # update control = noop
> (1) Thu May 24 11:06:15 2018: Debug: } # if (User-Name =~ /@/)  = noop
> (1) Thu May 24 11:06:15 2018: Debug: ... skipping else: Preceding "if" was taken
> (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
> (1) Thu May 24 11:06:15 2018: Debug: [eap] = noop
>
> I attach my radiusd-eduroam.sock log and a picture of my configuration of the
> exclusive source eduroam.
>
>
> Regards.


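As an added example (not part of the thread, nor PacketFence or FreeRADIUS code), a small triage script for the kind of `radiusd -X` output quoted above. The symptom in that log is that rlm_realm reports "Authentication realm is LOCAL" for xyz.ac.id and yet rlm_eap says the request "is supposed to be proxied to Realm eduroam": rlm_eap prints that line only when a Proxy-To-Realm is already set on the request, so something ran before EAP and marked the request for proxying, which is why it leaves the server instead of reaching packetfence-tunnel. The sample lines are constructed: request (1) reproduces the shape of the thread's log with a placeholder user name, and requests (2) and (3) are invented here to show a healthy local request and a healthy proxied one.

```python
import re
from collections import defaultdict

# One radiusd -X line: "(<id>) <timestamp>: <level>: <message>"
LINE_RE = re.compile(r"^\((\d+)\)\s+.*?:\s+(Debug|ERROR|WARNING):\s+(.*)$")
REALM_RE = re.compile(r'suffix: Found realm "([^"]+)"')
STRIPPED_RE = re.compile(r'suffix: Adding Stripped-User-Name = "([^"]+)"')
PROXY_RE = re.compile(r"supposed to be proxied to Realm (\S+?)\.\s")

# Constructed sample. (1) follows the thread's log (user name is a
# placeholder); (2) and (3) are invented: a local EAP request that went
# through, and a foreign-realm request that was correctly proxied.
SAMPLE_LOG = """\
(1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id" for User-Name = "testuser@xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name = "testuser"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
(1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
(1) Thu May 24 11:06:15 2018: Debug: [suffix] = ok
(1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
(1) Thu May 24 11:06:15 2018: Debug: [eap] = noop
(2) Thu May 24 11:07:02 2018: Debug: suffix: Found realm "xyz.ac.id"
(2) Thu May 24 11:07:02 2018: Debug: suffix: Adding Stripped-User-Name = "testuser"
(2) Thu May 24 11:07:02 2018: Debug: suffix: Authentication realm is LOCAL
(2) Thu May 24 11:07:02 2018: Debug: [suffix] = ok
(2) Thu May 24 11:07:02 2018: Debug: [eap] = ok
(3) Thu May 24 11:08:40 2018: Debug: suffix: Found realm "DEFAULT"
(3) Thu May 24 11:08:40 2018: Debug: eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
(3) Thu May 24 11:08:40 2018: Debug: [eap] = noop
"""


def parse(log_text):
    """Collect, per request id, the facts needed to tell the paths apart."""
    reqs = defaultdict(lambda: {"realm": None, "user": None, "local": False,
                                "proxy_realm": None, "eap": None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rid, _level, msg = m.groups()
        r = reqs[rid]
        mm = REALM_RE.search(msg)
        if mm:
            r["realm"] = mm.group(1)
        mm = STRIPPED_RE.search(msg)
        if mm:
            r["user"] = mm.group(1)
        if "Authentication realm is LOCAL" in msg:
            r["local"] = True
        mm = PROXY_RE.search(msg)
        if mm:
            r["proxy_realm"] = mm.group(1)
        if msg.startswith("[eap] = "):
            r["eap"] = msg[len("[eap] = "):].strip()
    return dict(reqs)


def classify(req):
    """Name the path one request took, flagging the contradiction from the thread."""
    if req["local"] and req["proxy_realm"]:
        # rlm_realm found a LOCAL realm, yet Proxy-To-Realm was already set
        # when rlm_eap ran: the request leaves the box instead of entering
        # packetfence-tunnel.  Look for whatever sets it before 'eap'.
        return "CONFLICT: realm is LOCAL but Proxy-To-Realm=%s was set" % req["proxy_realm"]
    if req["local"] and req["eap"] == "ok":
        return "local-eap"
    if req["proxy_realm"]:
        return "proxied to %s" % req["proxy_realm"]
    return "unclassified"


def triage(log_text):
    """Map request id -> verdict for a whole debug capture."""
    return {rid: classify(r) for rid, r in parse(log_text).items()}


if __name__ == "__main__":
    for rid, verdict in sorted(triage(SAMPLE_LOG).items()):
        print("request %s: %s" % (rid, verdict))
```

Feed it a real capture with `triage(open("radiusd-debug.log").read())`; any request that comes back as CONFLICT is one where the realm was recognised as local but the request was still handed to the eduroam proxy, which is exactly the behaviour reported for port 11812 above.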
Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-23 Thread Fabrice Durand via PacketFence-users



On 2018-05-23 at 13:36, jabang konate via PacketFence-users wrote:

> Hi Fabrice.
>
> Thanks for the speedy response.
>
>> So I am not sure what you are trying to do with the ldap module.
> The ldap module is for configuring users with OpenLDAP, right? I read it in
> "EAP Authentication against OpenLDAP".

Yes, the only difference is that you have to disable NTLM-Auth if ldap 
returns ok, to avoid "ERROR: mschap: Program returned code (1) and output 
'Reading winbind reply failed! (0xc001)'".

>> You have 3 scenarios:
> Yes, I want it like that.
>
> I will try again and will share the results on this topic.
>
> Thank you for your advice, Fabrice.



Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-23 Thread jabang konate via PacketFence-users
Hi Fabrice.

Thanks for the speedy response.

> So I am not sure what you are trying to do with the ldap module.
The ldap module is for configuring users with OpenLDAP, right? I read it in
"EAP Authentication against OpenLDAP".

> You have 3 scenarios:
Yes, I want it like that.

I will try again and will share the results on this topic.

Thank you for your advice, Fabrice.


On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jabang,
>
> So I am not sure what you are trying to do with the ldap module.
>
> You have 3 scenarios:
>
> 1: A user from your university connects to the SSID eduroam at your
> university (the AP/controller uses port 11812).
> You need to configure the local realm (let's say myuniversity.org) in the
> eduroam authentication source and configure ldap in packetfence-tunnel.
> So when this user tries to connect to the eduroam SSID with
> u...@myuniversity.org, the eduroam virtual server will detect the
> realm myuniversity.org and forward the request to the packetfence virtual
> server (sites-enabled/packetfence, then sites-enabled/packetfence-tunnel).
> And in packetfence-tunnel you have something like that:
>
> ```
> authorize {
>     suffix
>     ntdomain
>     eap {
>         ok = return
>     }
>     files
>     ldap
>     if (ok) {
>         update control {
>             # ldap fetched the password, so mschap verifies locally instead of via winbind
>             &MS-CHAP-Use-NTLM-Auth := No
>         }
>     }
> }
> ```
>
> 2: u...@myuniversity.org is travelling and connects to the SSID eduroam at
> Montreal university.
> The local Montreal RADIUS server will forward to eduroam, and eduroam will
> forward to your PacketFence server on port 1812 (you need to configure
> that on the eduroam side).
>
> 3: u...@univmontreal.org is connecting to your SSID eduroam; the realm is
> unknown, so the request will be forwarded to eduroam, and eduroam then forwards
> it to the Montreal RADIUS server.
>
> Is that what you want to do?
>
> Regards
> Fabrice
>
>
>
> On 2018-05-23 at 12:57, jabang konate via PacketFence-users wrote:
>
> Thanks Fabrice, let me clear up my goals first. I'm still confused about which
> file I must configure: packetfence-tunnel or the eduroam file in sites-available.
> My PacketFence will act as the manager of eduroam users, so I will use port 11812
> in my access point.
>
> Here are the steps of how I configured eduroam in PacketFence:
> 1. set my local REALM.
> 2. configure the exclusive source eduroam, add my local realm from step 1, then
> create the authentication rule "catch all" with role default and access duration 12
> hours.
> 3. add the switch configuration
> 4. configure the ldap module in FreeRADIUS
> 5. configure the file packetfence-tunnel? or eduroam?
> 6. restart FreeRADIUS and iptables
>
> In step 5 I'm still confused: if I'm using 11812, must I configure the eduroam
> file, or still packetfence-tunnel?
>
>
>
> On Wed, May 23, 2018 at 10:55 PM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> If it's a server for eduroam (i.e. the eduroam servers use this server
>> for your domain) then 1812; if it's to manage eduroam users who connect on an
>> eduroam SSID then 11812.
>>
>>
>> Also what you can do in packetfence-tunnel:
>>
>>
>> #  The ldap module reads passwords from the LDAP database.
>> ldap
>> if (ok) {
>>     update control {
>>         &MS-CHAP-Use-NTLM-Auth := No
>>     }
>> }
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>>
>> Le 2018-05-23 à 11:38, jabang konate via PacketFence-users a écrit :
>>
>> Thanks for your reply, Fabrice.
>> Here I attach my packetfence-tunnel file.
>>
>> And which port should I use for my access point, 1812 or 11812, in the RADIUS
>> configuration for eduroam?
>> Thank you
>>
>> On Wed, May 23, 2018 at 7:33 PM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Jabang,
>>>
>>> Can you paste your packetfence-tunnel file?
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> Le 2018-05-23 à 04:08, jabang konate via PacketFence-users a écrit :
>>>
>>> my packetfence server version is 8.0.1 and i want to configure
>>> packetfence as an eduroam server with openldap as user database,
>>> then i look into documentation eduroam section from packetfence and EAP
>>> Authentication against OpenLDAP.
>>>
>>> when im try to login with my laptop, i always get access reject.
>>>
>>> from log i see i can connect with my ldap server, then i see error like
>>> this
>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1)
>>> and output 'Reading winbind reply failed! (0xc001)'
>>> (7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed
>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says:
>>> Reading winbind reply failed! (0xc001)
>>>
>>> is it the root cause why i alwayas get access reject?
>>> then i check winbindd service is not running, but i cant start winbindd
>>> service
>>> (Service 'winbindd' is not managed by PacketFence. Therefore, no action
>>> will be performed)

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-23 Thread Fabrice Durand via PacketFence-users

Hello Jabang,

So I am not sure what you are trying to do with the ldap module.

You have 3 scenarios:

1: a user from your university connects on the SSID eduroam of your
university (the AP/controller uses port 11812).


You need to configure the local realm (let's say myuniversity.org) in
the eduroam authentication source and configure ldap in packetfence-tunnel.
So when this user tries to connect on the eduroam SSID with
u...@myuniversity.org, the eduroam virtual server will detect the
realm myuniversity.org and forward the request to the packetfence virtual
server (sites-enabled/packetfence then sites-enabled/packetfence-tunnel).

And in packetfence-tunnel you have something like that:

```
authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    ldap
    if (ok) {
        update control {
            # Attribute name restored from the PacketFence "EAP authentication
            # against OpenLDAP" documentation; it was stripped in the archive.
            # With passwords read from LDAP, MS-CHAP must not go through
            # ntlm_auth/winbind.
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
}
```

2: u...@myuniversity.org is travelling and connects on the SSID eduroam at
the Montreal university.
The local Montreal RADIUS server will forward to eduroam and eduroam
will forward to your PacketFence server on port 1812 (you need to
configure that on the eduroam side).


3: u...@univmontreal.org is connecting on your SSID eduroam; the realm
is unknown, so the request will be forwarded to eduroam, and eduroam then
forwards it to the Montreal RADIUS server.


Is that what you want to do?

Regards
Fabrice


Le 2018-05-23 à 12:57, jabang konate via PacketFence-users a écrit :
Thanks Fabrice, let me clear up my goals first. I'm still confused about which
file I must configure: packetfence-tunnel or the eduroam file in
sites-available.
My PacketFence will act to manage eduroam users, so I will use port
11812 in my access point.


Here are the steps of how I configured eduroam in PacketFence:
1. Set my local REALM.
2. Configure the exclusive source eduroam, add my local realm from step 1,
then create the authentication rule "catch all" with role default and access
duration 12 hours.

3. Add the switch configuration.
4. Configure the ldap module in FreeRADIUS.
5. Configure the file packetfence-tunnel? Or eduroam?
6. Restart freeradius and iptables.

In step 5 I'm still confused: if I'm using 11812, must I configure the
eduroam file or still packetfence-tunnel?




--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot


___
PacketFence-users 

Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-23 Thread jabang konate via PacketFence-users
Thanks Fabrice, let me clear up my goals first. I'm still confused about which file I
must configure: packetfence-tunnel or the eduroam file in sites-available.
My PacketFence will act to manage eduroam users, so I will use port 11812
in my access point.

Here are the steps of how I configured eduroam in PacketFence:
1. Set my local REALM.
2. Configure the exclusive source eduroam, add my local realm from step 1, then
create the authentication rule "catch all" with role default and access duration 12
hours.
3. Add the switch configuration.
4. Configure the ldap module in FreeRADIUS.
5. Configure the file packetfence-tunnel? Or eduroam?
6. Restart freeradius and iptables.

In step 5 I'm still confused: if I'm using 11812, must I configure the eduroam
file or still packetfence-tunnel?



On Wed, May 23, 2018 at 10:55 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> If it's a server for eduroam (i.e. the eduroam servers use this server for
> your domain) then 1812; if it's to manage eduroam users who connect on an
> eduroam SSID then 11812.
>
>
> Also what you can do in packetfence-tunnel
>
>
> #  The ldap module reads passwords from the LDAP database.
> ldap
> if (ok) {
>     update control {
>         # Attribute name restored from the PacketFence "EAP authentication
>         # against OpenLDAP" documentation; it was stripped in the archive.
>         MS-CHAP-Use-NTLM-Auth := No
>     }
> }
>
> Regards
>
> Fabrice
>
>
>
>
> Le 2018-05-23 à 11:38, jabang konate via PacketFence-users a écrit :
>
> Thanks for your reply, Fabrice.
> Here I attach my packetfence-tunnel file.
>
> And which port should I use for my access point, 1812 or 11812, in the RADIUS
> configuration for eduroam?
> Thank you
>


Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-23 Thread Fabrice Durand via PacketFence-users
If it's a server for eduroam (i.e. the eduroam servers use this server
for your domain) then 1812; if it's to manage eduroam users who connect
on an eduroam SSID then 11812.



Also what you can do in packetfence-tunnel


    #  The ldap module reads passwords from the LDAP database.
    ldap
    if (ok) {
        update control {
            # Attribute name restored from the PacketFence "EAP authentication
            # against OpenLDAP" documentation; it was stripped in the archive.
            MS-CHAP-Use-NTLM-Auth := No
        }
    }

Regards

Fabrice




Le 2018-05-23 à 11:38, jabang konate via PacketFence-users a écrit :

Thanks for your reply, Fabrice.
Here I attach my packetfence-tunnel file.

And which port should I use for my access point, 1812 or 11812, in the
RADIUS configuration for eduroam?

Thank you


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] eduroam+packetfence with openldap authentication

2018-05-23 Thread jabang konate via PacketFence-users
Thanks for your reply, Fabrice.
Here I attach my packetfence-tunnel file.

And which port should I use for my access point, 1812 or 11812, in the RADIUS
configuration for eduroam?
Thank you

On Wed, May 23, 2018 at 7:33 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jabang,
>
> can you paste your packetfence-tunnel file ?
> Regards
>
> Fabrice
>
>
>
> Le 2018-05-23 à 04:08, jabang konate via PacketFence-users a écrit :
>
> My PacketFence server version is 8.0.1 and I want to configure PacketFence
> as an eduroam server with OpenLDAP as the user database,
> so I looked into the eduroam section of the PacketFence documentation and EAP
> Authentication against OpenLDAP.
>
> When I try to login with my laptop, I always get access reject.
>
> From the log I see I can connect to my LDAP server, but then I see an error like
> this
> (7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and
> output 'Reading winbind reply failed! (0xc001)'
> (7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed
> (7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says: Reading
> winbind reply failed! (0xc001)
>
> Is this the root cause of why I always get access reject?
> Then I checked the winbindd service: it is not running, but I can't start the
> winbindd service
> (Service 'winbindd' is not managed by PacketFence. Therefore, no action
> will be performed)
>
> I attach my radius log.
> Please give me some advice.
> Thank you
>
>


Re: [PacketFence-users] eduroam

2018-05-02 Thread Fabrice Durand via PacketFence-users
Hello Will,



Le 2018-04-28 à 18:09, Will Halsall via PacketFence-users a écrit :
>
> Hi Folks
>
> Having a problem getting packetfence 7.4 to work with .ac.uk radius
> servers
>
> 1.   Server 1 and server 2 have different secrets and I cannot see
> a way of configuring this
>
It's supposed to be the same for both servers.
By the way, it's not really complicated to add it in PacketFence.
>
> 2.   Tests even from one of the servers with the correct secret
> configured will not work. The radius-eduroam log gives the following
>
> Apr 28 22:55:02 packetfence eduroam[2397]: (64) Login incorrect (Home
> Server says so): [0...@farn-ct.ac.uk] (from client 194.82.174.185
> port 0 cli 02:00:00:00:00:01)
> Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Closing
> connection (5): Hit idle_timeout, was idle for 200 seconds
> Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Closing
> connection (6): Hit idle_timeout, was idle for 200 seconds
> Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Opening
> additional connection (7), 1 of 64 pending slots used
> Apr 28 22:55:02 packetfence eduroam[2397]: Need 2 more connections to
> reach min connections (3)
> Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Opening
> additional connection (8), 1 of 63 pending slots used
> Apr 28 22:55:02 packetfence eduroam[2397]: [mac:02:00:00:00:00:01]
> Rejected user: 0...@farn-ct.ac.uk
>
> The radius logs from eduroam.uk say the following:
>
> reject_acc | 2018-04-28 21:55:04 | roaming0 | INFO |
> Access rejected for 0...@farn-ct.ac.uk: Loop detected
>
> Any help would be appreciated
>
>
Is 0...@farn-ct.ac.uk a local user? If that is the case then you need to
define farn-ct.ac.uk as a local realm in the eduroam source.
Regards
Fabrice


>  
>
> Thanks
>
>  
>
> Will
>
>  
>
>  
>
>  
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

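The realm routing that Fabrice describes in the three scenarios earlier in the thread (local user on your own SSID via port 11812, local user roaming in via port 1812, visitor realm proxied out to eduroam) and the "Loop detected" case in this post, as an added Python example that is not code from PacketFence, FreeRADIUS or anyone in the thread. The port numbers come from the thread; the realm names, user names and sample requests are constructed, and refusing (rather than re-proxying) an unknown realm that arrives from the federation is this example's own defensive choice, since proxying it back is exactly what produces the loop.

```python
"""Realm routing for an eduroam front end (added example, not project code).

Models the decision the thread describes: which listener the Access-Request
hit (own AP/controller on 11812, eduroam federation on 1812), whether the
realm of the User-Name is one of our local realms, and what should happen.
The local realm list and the sample requests are constructed test data.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Listener ports as given in the thread.
LOCAL_CLIENT_PORT = 11812   # our own APs/controller send here (eduroam virtual server)
FEDERATION_PORT = 1812      # eduroam federation servers send here for our realms


class Action(Enum):
    AUTH_LOCALLY = "authenticate locally (packetfence -> packetfence-tunnel)"
    PROXY_TO_EDUROAM = "proxy to the eduroam federation servers"
    REJECT = "reject"


@dataclass(frozen=True)
class Decision:
    action: Action
    realm: Optional[str]
    reason: str


def split_realm(user_name: str) -> tuple[str, Optional[str]]:
    """Split 'user@realm' the way the FreeRADIUS 'suffix' module does:
    the realm is everything after the last '@', compared case-insensitively."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    realm = realm.strip().lower()
    return user, realm or None


def route_request(user_name: str, listener_port: int,
                  local_realms: set[str]) -> Decision:
    """Decide what to do with one Access-Request.

    Scenario 1: local user on our own SSID (11812)            -> local auth.
    Scenario 2: local user roaming; federation proxies to us (1812) -> local auth.
    Scenario 3: visitor on our SSID (11812), realm not local  -> proxy to eduroam.
    A request from the federation (1812) whose realm is NOT configured as local
    is the misconfiguration behind "Loop detected": we would proxy it straight back.
    """
    local = {r.lower() for r in local_realms}
    _, realm = split_realm(user_name)

    if listener_port not in (LOCAL_CLIENT_PORT, FEDERATION_PORT):
        return Decision(Action.REJECT, realm, f"unexpected listener port {listener_port}")

    if realm is None:
        # A bare username cannot be routed in eduroam; only our own clients may send one.
        if listener_port == LOCAL_CLIENT_PORT:
            return Decision(Action.AUTH_LOCALLY, None, "no realm; treated as local user")
        return Decision(Action.REJECT, None, "no realm on a request from the federation")

    if realm in local:
        return Decision(Action.AUTH_LOCALLY, realm, f"{realm} is a local realm")

    if listener_port == FEDERATION_PORT:
        # The federation only forwards realms it believes we own. If the realm is
        # missing from our local list, proxying it back is the loop eduroam.uk
        # reported; the fix is the realm configuration, not re-proxying.
        return Decision(Action.REJECT, realm,
                        f"{realm} arrived from the federation but is not configured "
                        "as a local realm; proxying back would loop")

    return Decision(Action.PROXY_TO_EDUROAM, realm, f"{realm} is a visitor realm")


def missing_local_realms(federation_user_names: list[str],
                         local_realms: set[str]) -> set[str]:
    """Config check: realms seen on the federation listener that are not local.
    Each one is a realm the federation thinks we own but we would proxy back."""
    local = {r.lower() for r in local_realms}
    seen = {split_realm(u)[1] for u in federation_user_names}
    return {r for r in seen if r and r not in local}


if __name__ == "__main__":
    # Constructed sample data modelled on the thread.
    local = {"myuniversity.org"}
    samples = [("alice@myuniversity.org", LOCAL_CLIENT_PORT),   # scenario 1
               ("alice@myuniversity.org", FEDERATION_PORT),     # scenario 2
               ("bob@univmontreal.org", LOCAL_CLIENT_PORT),     # scenario 3
               ("helpdesk@farn-ct.ac.uk", FEDERATION_PORT)]     # the loop case
    for name, port in samples:
        d = route_request(name, port, local)
        print(f"{name:26s} port {port:5d} -> {d.action.name}: {d.reason}")
    print("realms to add as local:",
          missing_local_realms(["helpdesk@farn-ct.ac.uk"], local))
```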


Re: [PacketFence-users] eduroam authentication

2018-05-02 Thread Fabrice Durand via PacketFence-users

Hello Will,

It looks like the authentication fails in the chroot.

What you can try is the following:

chroot /chroots/RadiusAD

wbinfo -u

ntlm_auth --username=helpdesk --password=...

And let me know the result.

Regards

Fabrice



Le 2018-05-02 à 03:39, Will Halsall via PacketFence-users a écrit :


Hi Folks

I am still having problems with the eduroam authentication to our AD 
domain. I am now getting rejected although the username and password 
are correct


Below are the radius logs for the test and was wondering if anyone 
could shed some light on my problem


Thanks

Will Halsall


[PacketFence-users] eduroam authentication

2018-05-02 Thread Will Halsall via PacketFence-users
Hi Folks

I am still having problems with the eduroam authentication to our AD domain. I 
am now getting rejected although the username and password are correct

Below are the radius logs for the test and was wondering if anyone could shed 
some light on my problem


Thanks

Will Halsall

ap: Finished EAP session with state 0xdecad538decdcfad
(7) eap: Previous EAP request found for state 0xdecad538decdcfad, released from 
the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file 
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(7) eap_mschapv2:   Auth-Type MS-CHAP {
(7) packetfence:   $RAD_REQUEST{'User-Name'} = :User-Name -> 
'helpd...@farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'NAS-IP-Address'} = :NAS-IP-Address -> 
'127.0.0.1'
(7) packetfence:   $RAD_REQUEST{'Service-Type'} = :Service-Type -> 
'Authenticate-Only'
(7) packetfence:   $RAD_REQUEST{'Framed-MTU'} = :Framed-MTU -> '1400'
(7) packetfence:   $RAD_REQUEST{'State'} = :State -> 
'0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence:   $RAD_REQUEST{'Calling-Station-Id'} = 
:Calling-Station-Id -> '02:00:00:00:00:01'
(7) packetfence:   $RAD_REQUEST{'NAS-Identifier'} = :NAS-Identifier -> 
'eduroamUK-test'
(7) packetfence:   $RAD_REQUEST{'NAS-Port-Type'} = :NAS-Port-Type -> 
'Wireless-802.11'
(7) packetfence:   $RAD_REQUEST{'Event-Timestamp'} = :Event-Timestamp 
-> 'May  2 2018 00:06:23 BST'
(7) packetfence:   $RAD_REQUEST{'Connect-Info'} = :Connect-Info -> 
'eduroam UK test'
(7) packetfence:   $RAD_REQUEST{'EAP-Message'} = :EAP-Message -> 
'0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence:   $RAD_REQUEST{'Operator-Name'} = :Operator-Name -> 
'1eduroam.uk'
(7) packetfence:   $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = 
:FreeRADIUS-Proxied-To -> '127.0.0.1'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP-Challenge'} = 
:MS-CHAP-Challenge -> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP2-Response'} = 
:MS-CHAP2-Response -> 
'0x07659f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence:   $RAD_REQUEST{'EAP-Type'} = :EAP-Type -> 'MSCHAPv2'
(7) packetfence:   $RAD_REQUEST{'Realm'} = :Realm -> 'farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP-User-Name'} = 
:MS-CHAP-User-Name -> 'helpd...@farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'PacketFence-Domain'} = 
:PacketFence-Domain -> 'RadiusAD'
(7) packetfence:   $RAD_CHECK{'Auth-Type'} = :Auth-Type -> 'eap'
(7) packetfence:   $RAD_CHECK{'Proxy-To-Realm'} = :Proxy-To-Realm -> 
'LOCAL'
(7) packetfence:   $RAD_CHECK{'Tmp-Integer-2'} = :Tmp-Integer-2 -> '0'
(7) packetfence:   $RAD_CONFIG{'Auth-Type'} = :Auth-Type -> 'eap'
(7) packetfence:   $RAD_CONFIG{'Proxy-To-Realm'} = :Proxy-To-Realm -> 
'LOCAL'
(7) packetfence:   $RAD_CONFIG{'Tmp-Integer-2'} = :Tmp-Integer-2 -> '0'
(7) packetfence: :NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 
'Wireless-802.11'
(7) packetfence: :Service-Type = $RAD_REQUEST{'Service-Type'} -> 
'Authenticate-Only'
(7) packetfence: :Operator-Name = $RAD_REQUEST{'Operator-Name'} -> 
'1eduroam.uk'
(7) packetfence: :State = $RAD_REQUEST{'State'} -> 
'0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence: :FreeRADIUS-Proxied-To = 
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(7) packetfence: :Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 
'eduroam UK test'
(7) packetfence: :Realm = $RAD_REQUEST{'Realm'} -> 'farn-ct.ac.uk'
(7) packetfence: :EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(7) packetfence: :NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> 
'127.0.0.1'
(7) packetfence: :Calling-Station-Id = 
$RAD_REQUEST{'Calling-Station-Id'} -> '02:00:00:00:00:01'
(7) packetfence: :MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} 
-> 'helpd...@farn-ct.ac.uk'
(7) packetfence: :MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} 
-> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence: :PacketFence-Domain = 
$RAD_REQUEST{'PacketFence-Domain'} -> 'RadiusAD'
(7) packetfence: :User-Name = $RAD_REQUEST{'User-Name'} -> 
'helpd...@farn-ct.ac.uk'
(7) packetfence: :NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 
'eduroamUK-test'
(7) packetfence: :Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 
'May  2 2018 00:06:23 BST'
(7) packetfence: :EAP-Message = $RAD_REQUEST{'EAP-Message'} -> 
'0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence: :MS-CHAP2-Response = $RAD_REQUEST{'MS-CHAP2-Response'} 
-> 
'0x07659f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence: :Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400'
(7) packetfence: :Auth-Type = $RAD_CHECK{'Auth-Type'} -> 
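The attribute dump above is what PacketFence's rlm_perl module prints under `radiusd -X`, and the fields that decide a roaming login are scattered across it (User-Name, Realm, Operator-Name, Calling-Station-Id, Proxy-To-Realm). The following Python is an added example, not PacketFence code: it re-joins the lines the archive wrapped, pulls those fields into a dictionary, and decodes the Operator-Name namespace prefix (RFC 5580: `1` means the operator is given as a realm). The sample dump embedded in it is constructed in the shape of the one above with shortened values.

```python
"""Parse the rlm_perl attribute dump from `radiusd -X` output and summarise
the fields a practitioner checks first when an eduroam login fails.
Added example; the SAMPLE_DUMP below is constructed, not real traffic."""
import re
from typing import Dict, List, Optional, Tuple

# Matches both shapes that appear in the dump:
#   (7) packetfence:   $RAD_REQUEST{'Realm'} = :Realm -> 'farn-ct.ac.uk'
#   (7) packetfence: :Realm = $RAD_REQUEST{'Realm'} -> 'farn-ct.ac.uk'
_LINE_RE = re.compile(
    r"""\(\d+\)\s+packetfence:\s+
        (?:
            \$(?P<hash1>RAD_\w+)\{'(?P<attr1>[\w-]+)'\}\s*=\s*:[\w-]+
          | :(?P<attr2>[\w-]+)\s*=\s*\$(?P<hash2>RAD_\w+)\{'[\w-]+'\}
        )
        \s*->\s*'(?P<value>[^']*)'""",
    re.VERBOSE,
)

# RFC 5580 section 4.1: the first character of Operator-Name is the namespace.
_OPERATOR_NAMESPACES = {"0": "TADIG", "1": "REALM", "2": "E212", "3": "ICC"}


def _join_wrapped(text: str) -> List[str]:
    """Re-join values that a mail archive wrapped onto the following line.

    Every genuine rlm_perl line starts with '(N)'; anything else is a
    continuation of the line before it."""
    out: List[str] = []
    for line in text.splitlines():
        if line.strip() and out and not line.lstrip().startswith("("):
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line)
    return out


def parse_rlm_perl_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'RAD_REQUEST': {attr: value, ...}, 'RAD_CHECK': {...}, ...}."""
    result: Dict[str, Dict[str, str]] = {}
    for line in _join_wrapped(text):
        m = _LINE_RE.search(line)
        if not m:
            continue
        hsh = m.group("hash1") or m.group("hash2")
        attr = m.group("attr1") or m.group("attr2")
        result.setdefault(hsh, {})[attr] = m.group("value")
    return result


def decode_operator_name(value: str) -> Optional[Tuple[str, str]]:
    """Split an Operator-Name value into (namespace, operator)."""
    if not value:
        return None
    return _OPERATOR_NAMESPACES.get(value[0], "UNKNOWN"), value[1:]


def eduroam_summary(text: str) -> Dict[str, Optional[str]]:
    """The handful of fields that explain where a roaming request came from
    and where the server decided to send it."""
    parsed = parse_rlm_perl_dump(text)
    req = parsed.get("RAD_REQUEST", {})
    ns_op = decode_operator_name(req.get("Operator-Name", ""))
    return {
        "user": req.get("User-Name"),
        "realm": req.get("Realm"),
        "eap_type": req.get("EAP-Type"),
        "calling_station": req.get("Calling-Station-Id"),
        "operator_namespace": ns_op[0] if ns_op else None,
        "operator": ns_op[1] if ns_op else None,
        "proxied_to": req.get("FreeRADIUS-Proxied-To"),
        "proxy_to_realm": parsed.get("RAD_CHECK", {}).get("Proxy-To-Realm"),
    }


# Constructed sample in the shape of the dump above (values shortened).
SAMPLE_DUMP = """\
(7) packetfence:   $RAD_REQUEST{'Operator-Name'} = :Operator-Name -> 
'1eduroam.uk'
(7) packetfence:   $RAD_REQUEST{'Realm'} = :Realm -> 'example.ac.uk'
(7) packetfence:   $RAD_CHECK{'Proxy-To-Realm'} = :Proxy-To-Realm -> 
'LOCAL'
(7) packetfence: :EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(7) packetfence: :Calling-Station-Id = 
$RAD_REQUEST{'Calling-Station-Id'} -> '02:00:00:00:00:01'
(7) packetfence: :User-Name = $RAD_REQUEST{'User-Name'} -> 
'helpdesk@example.ac.uk'
(7) packetfence: :FreeRADIUS-Proxied-To = 
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
"""

if __name__ == "__main__":
    for key, val in eduroam_summary(SAMPLE_DUMP).items():
        print(f"{key:20} {val}")
```

Run it against a saved `radiusd -X` capture instead of `SAMPLE_DUMP` to see in one glance whether a failing request carried the expected Realm, whether Proxy-To-Realm became LOCAL, and which federation operator relayed it.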

[PacketFence-users] eduroam

2018-04-28 Thread Will Halsall via PacketFence-users
Hi Folks


Having a problem getting packetfence 7.4 to work with .ac.uk radius servers


1.   Server 1 and server 2 have different secrets and I cannot see a way of 
configuring this


2.   Tests even from one of the servers with the correct secret configured 
will not work. The radius-eduroam log gives the following



Apr 28 22:55:02 packetfence eduroam[2397]: (64) Login incorrect (Home Server says so): [0...@farn-ct.ac.uk] (from client 194.82.174.185 port 0 cli 02:00:00:00:00:01)

Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Closing connection 
(5): Hit idle_timeout, was idle for 200 seconds

Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Closing connection 
(6): Hit idle_timeout, was idle for 200 seconds

Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Opening additional 
connection (7), 1 of 64 pending slots used

Apr 28 22:55:02 packetfence eduroam[2397]: Need 2 more connections to reach min 
connections (3)

Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Opening additional 
connection (8), 1 of 63 pending slots used

Apr 28 22:55:02 packetfence eduroam[2397]: [mac:02:00:00:00:00:01] Rejected 
user: 0...@farn-ct.ac.uk



The radius logs from eduroam.uk say the following:
reject_acc  2018-04-28 21:55:04  roaming0  INFO  Access rejected for 0...@farn-ct.ac.uk: Loop detected




Any help would be appreciated





Thanks



Will






[PacketFence-users] eduroam and PF

2015-04-16 Thread Max McGrath
Hi all -

I'd be interested in hearing from anyone who uses PF and eduroam together.

We've been on PF for a couple years now and I am just starting to
investigate eduroam.  How easily do the two systems tie into each other?

What considerations should I take as far as VLANs, subnets, etc... when
dealing with eduroam?

Thanks!

Max
--
Max McGrath
Network Administrator
Carthage College
262-552-5512
mmcgr...@carthage.edu


[PacketFence-users] eduroam home users being processed by packetfence

2014-07-17 Thread Morris, Andi
Hi,
I have a packetfence setup, version 4.2.2, which is configured to proxy 
visiting users out to our eduroam ORPS servers, and process local users here. 
This is all working well and we have a record of what users are on the wireless 
on our campus. However, there's an issue with our users connecting in from 
other institutions, where it looks like Packetfence is rejecting the radius 
request because it doesn't know about the switch.

I have the setup as per the admin guide. My orps servers are declared in my 
clients.conf file with shortnames configured:
client orpsserver1.internal {
ipaddr = 192.168.1.1
secret = *
shortname = orps01
}
client orpsserver2.internal {
ipaddr = 192.168.1.2
secret = 
shortname = orps02
}

And I have packetfence-tunnel configured to skip packetfence if the request 
comes from the orps servers:
post-auth {
    exec
    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "orps01" && \
         "%{client:shortname}" != "orps02" ) {
        packetfence
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

However I'm seeing the following in my radius logs when home users try to 
connect in from outside:
Wed Jul 16 16:21:41 2014 : Auth: Login OK: [sm12...@cardiffmet.ac.uk] (from 
client orps01 port 0 cli cc-fa-00-f4-4a-c3 via TLS tunnel)
Wed Jul 16 16:21:41 2014 : Auth: Login OK: [sm12...@cardiffmet.ac.uk] (from 
client orps01 port 0 cli cc-fa-00-f4-4a-c3)
Wed Jul 16 16:21:41 2014 : Info: rlm_perl: request from cc:fa:00:f4:4a:c3 port  
was not accepted but a proper error code was provided. Check server side logs 
for details

The eduroam test site shows the following log entries for remote requests:
Jul 16 15:10:11 194.83.56.233 radiator: INFO: Access rejected for 
sm18...@cardiffmet.ac.uk: Switch is not managed by PacketFence

Packetfence.log shows:
Jul 16 15:46:12 httpd.webservices(29980) WARN: Request type was not set. There 
is a problem with the NAS, your radius config or rlm_perl packetfence.pm 
FreeRADIUS module. (pf::Switch::_identifyConnectionType)
Jul 16 15:46:12 httpd.webservices(29980) INFO: We decided not to act on this 
radius call. Stop handling request from 127.0.0.1. (pf::radius::authorize)

Should I be declaring localhost as a known switch, or should I be bypassing 
packetfence for remote radius requests in a different way?

Cheers,
Andi
-
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.ukmailto:amor...@cardiffmet.ac.uk


Re: [PacketFence-users] eduroam home users being processed by packetfence

2014-07-17 Thread Morris, Andi
OK, after analysing some radius debug logs it looks like packetfence is being 
called from the post-auth section of the sites-enabled/packetfence server:
post-auth {
    exec
    if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) \
        || (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet.ac.uk/) \
        || (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@uwic.ac.uk/)) {
        packetfence
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

I put this in, so that the visiting users (users from other organisations at 
our university) would have their devices automatically registered in 
packetfence. If I comment out the above section our users at remote 
institutions now authenticate, but visiting users don't show up in the 
packetfence.

Looks like I need to tweak the above code somehow.

Any suggestions?

Cheers,
Andi



Re: [PacketFence-users] eduroam home users being processed by packetfence

2014-07-17 Thread Morris, Andi
Resolved:

I changed the logic in the sites-enabled/packetfence server to:
post-auth {
    exec
    if ((!EAP-Type \
         || (EAP-Type != EAP-TTLS && EAP-Type != PEAP) \
         || (User-Name =~ /^.*\@.+/ && (User-Name !~ /^.*\@cardiffmet.ac.uk/ || User-Name !~ /^.*\@uwic.ac.uk/))) \
        && ( "%{client:shortname}" != "orps01" && "%{client:shortname}" != "orps02" )) \
    {
        packetfence
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

This now skips packetfence if the request comes from my orps servers, but also 
logs visiting users that are at our institution.

I noticed that the post-auth section has changed recently to include:
update control {
    PacketFence-RPC-Server = ${rpc_server}
    PacketFence-RPC-Port = ${rpc_port}
    PacketFence-RPC-User = ${rpc_user}
    PacketFence-RPC-Pass = ${rpc_pass}
    PacketFence-RPC-Proto = ${rpc_proto}
}

Are these something that I should be putting into the logic above? It seems to 
be working without, but I want to make sure there's no knock-on effect anywhere.

Cheers,
Andi


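The resolved post-auth block above encodes a four-part decision that is easier to test outside unlang. The Python below is an added example, not FreeRADIUS or PacketFence code, and uses the realm and client names from the thread as constructed values. My reading of the condition (an assumption, since the thread does not spell it out): call the `packetfence` module from the outer server only when nothing else will, that is, for non-EAP requests, for untunnelled EAP, and for visiting users whose inner tunnel runs at their home institution, and never for requests relayed by the ORPS servers. One caveat visible in the unlang: the two realm tests are joined with `||`, and no User-Name can fail to match only one of them, so that clause fires for every realm-bearing user; the model uses "realm is not one of ours", which is what the surrounding text describes.

```python
"""Model of the outer-server post-auth decision from the resolved thread:
(no EAP || untunnelled EAP || foreign realm) && not relayed by an ORPS server.
Added example, not FreeRADIUS or PacketFence code; realm and client names
are constructed from the values in the thread."""
from dataclasses import dataclass
from typing import Optional, Sequence
import re

EAP_TTLS = 21   # the EAP-Type values FreeRADIUS names EAP-TTLS and PEAP
PEAP = 25

# Assumed local realms and ORPS client shortnames (values from the thread).
LOCAL_REALMS = ("cardiffmet.ac.uk", "uwic.ac.uk")
ORPS_CLIENTS = ("orps01", "orps02")


@dataclass(frozen=True)
class Request:
    user_name: str
    client_shortname: str            # what %{client:shortname} expands to
    eap_type: Optional[int] = None   # None when no EAP-Type attribute is present


def realm_of(user_name: str) -> Optional[str]:
    """Realm part of an NAI (user@realm), lower-cased; None if there is none."""
    m = re.fullmatch(r".*@(.+)", user_name)
    return m.group(1).lower() if m else None


def should_call_packetfence(req: Request,
                            local_realms: Sequence[str] = LOCAL_REALMS,
                            orps_clients: Sequence[str] = ORPS_CLIENTS) -> bool:
    """Evaluate (A || B || C) && D, the shape of the resolved unlang condition.

    A: no EAP at all (e.g. MAC authentication): nothing else will call PF.
    B: EAP but not a tunnelled method: no inner tunnel will call PF.
    C: foreign realm: the inner tunnel runs at the home institution, so the
       outer server is the only place to register the visiting device.
    D: not relayed by an ORPS server: a home user roaming elsewhere must not
       be treated as a device on our own network.
    Local users on our own NAS fall through (A, B and C all false); their
    inner tunnel (packetfence-tunnel) calls the module instead.
    """
    realm = realm_of(req.user_name)
    no_eap = req.eap_type is None
    untunnelled_eap = req.eap_type is not None and req.eap_type not in (EAP_TTLS, PEAP)
    foreign_realm = realm is not None and realm not in local_realms
    from_orps = req.client_shortname in orps_clients
    return (no_eap or untunnelled_eap or foreign_realm) and not from_orps


def classify(req: Request) -> str:
    """Label for log review, derived from the same inputs."""
    if req.client_shortname in ORPS_CLIENTS:
        return "home-user-roaming (skip PF)"
    if should_call_packetfence(req):
        return "register-in-PF"
    return "local-user (inner tunnel handles PF)"


if __name__ == "__main__":
    for r in (Request("sm12@cardiffmet.ac.uk", "orps01", PEAP),
              Request("visitor@uni-bonn.de", "wlc01", PEAP),
              Request("staff@cardiffmet.ac.uk", "wlc01", PEAP),
              Request("cc-fa-00-f4-4a-c3", "sw01", None)):
        print(f"{r.user_name:28} via {r.client_shortname:6} -> {classify(r)}")
```

The four sample requests correspond to the cases discussed in the thread: the home user arriving through orps01 is skipped, the visitor from another realm is registered from the outer server, the local PEAP user is left to the inner tunnel, and a MAC-authentication request with no EAP is registered directly.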
Re: [PacketFence-users] Eduroam ...

2013-02-08 Thread Derek Wuelfrath
Rich,
will have a look. Thanks for comment.
On 2013-02-07 10:31 AM, Rich Graves wrote:
 (Inverse friends: this should get a mention in the PacketFence and Eduroam 
 FAQ entry.)

-- 
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




[PacketFence-users] Eduroam ...

2013-02-07 Thread Jan Behrend
Hi list,

I have a working, valid eduroam radius server.  Now I am trying to
consolidate this eduroam server into our PF infrastructure.  I followed
the FAQ to integrate eduroam into PF.
Unfortunately I am still stuck:

When I try to log into the WPA enterprise (802.1x) WLAN my freeradius is
having trouble to obtain the NT-Password.  The hash resides in our LDAP,
but does PF take care of retrieving it, or do I need to configure the
connection from the freeradius to the LDAP myself?

After logging into the WPA enterprise (802.1x) WLAN, is the person
supposed to be able to log into the PF captive portal with the same eduroam
credentials as well, or does he need to have a second pair of
username/password for the PF login?

If you need more information, please let me know.

Cheers Jan
-- 
MAX-PLANCK-INSTITUT fuer Radioastronomie
Jan Behrend - Rechenzentrum

Auf dem Huegel 69, D-53121 Bonn
Tel: +49 (228) 525 359, Fax: +49 (228) 525 229
jbehr...@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de


The digital signature of this e-mail can be verified with the certificate of the
DFN Global hierarchy:
https://ca.mpg.de/certs/root-DGP/deutsche-telekom-ca2-root-cert.der
Further information about the MPG CA is available at: https://ca.mpg.de






Re: [PacketFence-users] Eduroam ...

2013-02-07 Thread Rich Graves
 When I try to log into the WPA enterprise (802.1x) WLAN my freeradius is
 having trouble to obtain the NT-Password.  The hash resides in our LDAP,
 but does PF take care of retrieving it, or do I need to configure the
 connection from the freeradius to the LDAP myself?

To debug, killall radiusd; radiusd -X (with same arguments otherwise)

If you are using a Samba server emulating a Windows domain controller, you can 
follow the standard directions for Windows and ntlm_auth. If you are intending 
to get hashes directly from LDAP, I have not done that, but it would be 
FreeRADIUS's job. (It's unclear: do you have an existing, working RADIUS server 
that you would like PF to use? Or are you customizing the FR server included in 
PF? I would recommend the latter.)

 After logging into the WPA enterprise (802.1x) WLAN, is the person
 supposed to be able to log into the PF captive portal with the same eduroam
 credentials as well, or does he need to have a second pair of
 username/password for the PF login?

You will need to add a subroutine to /usr/local/pf/(varies by 
version)/vlan/custom.pm, and then eduroam clients will bypass the captive 
portal. It is against Eduroam policy to ask for institutional credentials in 
web forms. 
http://www.eduroam.org/downloads/docs/advisory/eduroamOT-user-advisory-001.pdf

(Inverse friends: this should get a mention in the PacketFence and Eduroam 
FAQ entry.)

sub shouldAutoRegister {
    ##$mac is MAC address
    ##$switch_in_autoreg_mode is set to 1 if switch is in registration mode
    ##$violation_autoreg is set to 1 if called from a violation with autoreg action
    ##$isPhone is set to 1 if device is considered an IP Phone.
    ##$conn_type is set to the connection type expressed as the constant in pf::config
    ##$user_name is set to the RADIUS User-Name attribute (802.1X Username or MAC address under MAC Authentication)
    ##$ssid is set to the wireless ssid (will be empty if radius and not wireless, undef if not radius)
    my ($this, $mac, $switch_in_autoreg_mode, $violation_autoreg, $isPhone, $conn_type, $user_name, $ssid) = @_;
    my $logger = Log::Log4perl->get_logger();
    ## custom example: auto-register 802.1x users
    ## Since they already have validated credentials through EAP to do 802.1X
    ## ($EAP is the connection-type bit mask from pf::config, which custom.pm uses)
    if (defined($conn_type) and (($conn_type & $EAP) == $EAP)) {
        $logger->trace("returned yes because it's a 802.1X client that successfully authenticated already");
        return 1;
    }

    # otherwise don't autoreg
    return 0;
}




Re: [PacketFence-users] Eduroam and Guest Logins

2013-02-05 Thread Jan Behrend
On 02/04/2013 09:26 PM, Rich Graves wrote:
 Well, Europe is about 5 years ahead of US .edu's, so your sense of what's 
 normal for eduroam is better than mine. I'm surprised, though. If the same 
 person visits mpifr-bonn and uni-bonn and cam.uk, they might need three 
 different passwords, and they must accept three different certificates for 
 three different RADIUS servers. It starts to get less simple, and less secure.
 
 We simply let guests who don't have eduroam at home on our open 
 Registration SSID. When they log on, PacketFence changes their VLAN (or 
 firewall rules, if you're running in-line). We find that we need an open SSID 
 anyway because some devices (mainly gaming consoles and older smartphones) 
 still do not support WPA2-Enterprise/802.1X. We have also had a few visitors 
 whose corporate IT security policies prevent them from accepting 802.1X 
 certificates.
 
 If you are concerned about guest wireless privacy, consider:
 
 - Turn on WEP or WPA2-PSK for your Registration SSID (supported by more 
 devices than WPA2-Enterprise)
 - If it's easy to get a Guest account, does encryption really help? An 
 attacker could ARP-spoof almost as easily.
 

Hi Rich,

Thanks again for your insight.  I agree, an open WLAN it shall be.  As
captain Adama used to state: So say we all!

Cheers Jan

-- 
MAX-PLANCK-INSTITUT fuer Radioastronomie
Jan Behrend - Rechenzentrum

Auf dem Huegel 69, D-53121 Bonn
Tel: +49 (228) 525 359, Fax: +49 (228) 525 229
jbehr...@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de




[PacketFence-users] Eduroam and Guest Logins

2013-02-04 Thread Jan Behrend
Hi,

I have integrated eduroam in my PF setup.  The problem now occurs,
that guest logins which use their email address as login name (PID) are
now proxied to the superior eduroam radius server because the email is
not recognized as a guest login but rather taken as a foreign realm.

How can I make freeradius check the login name against the local DB
before proxying away although the login contains a '@'?

Cheers Jan

-- 
MAX-PLANCK-INSTITUT fuer Radioastronomie
Jan Behrend - Rechenzentrum

Auf dem Huegel 69, D-53121 Bonn
Tel: +49 (228) 525 359, Fax: +49 (228) 525 229
jbehr...@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de




Re: [PacketFence-users] Eduroam and Guest Logins

2013-02-04 Thread Durand Fabrice

Hello,
in your proxy.conf, add :
realm domain_name {
}

Where domain_name is your domain name.

Regards
Fabrice

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] Eduroam and Guest Logins

2013-02-04 Thread Rich Graves
Are you allowing locally authenticated guests to use your eduroam SSID? 
That's unusual. Typically, guests go on an open SSID.

If your guests use a 802.1X SSID other than eduroam, then I think you should be 
able to short-circuit the proxy logic based on ESSID. For example, my 
controllers put it in Aruba-Essid-Name. See freeradius detail logs and the man 
page for unlang.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin



Re: [PacketFence-users] Eduroam and Guest Logins

2013-02-04 Thread Jan Behrend
On 02/04/2013 06:01 PM, Durand Fabrice wrote:
 in your proxy.conf, add :
 realm domain_name {
 }
 
 Where domain_name is your domaine name.

Hi Durand,

thanks for your answer.  I have my own domain correctly proxied to the
local radius instance.  The problem is, I cannot distinguish between an
eduroam user using u...@my-home-institution.org and another person
having a sponsor in our institute using the email
u...@my-other-home-institution.org, both using the eduroam SSID.

Cheers Jan

-- 
MAX-PLANCK-INSTITUT fuer Radioastronomie
Jan Behrend - Rechenzentrum

Auf dem Huegel 69, D-53121 Bonn
Tel: +49 (228) 525 359, Fax: +49 (228) 525 229
jbehr...@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de




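The routing question in this thread (Jan's sponsored guests whose PID is an e-mail address being proxied upstream, Fabrice's answer to declare the own realm in proxy.conf, and Jan's follow-up that both kinds of user sit on the same eduroam SSID) and the "Loop detected" reject in Will's eduroam.uk log earlier on this page are two faces of the same realm-routing decision. The Python below is an added example, not FreeRADIUS or PacketFence code; the realm names, client shortnames and guest list are constructed placeholders. It looks the PID up locally before the realm is consulted, keeps the declared local realms at home, and refuses to proxy a non-local realm that arrived from the federation side instead of bouncing it back.

```python
"""Realm routing for a RADIUS server that is at once an eduroam IdP, an
eduroam SP and the PacketFence authentication backend.
Added example, not FreeRADIUS or PacketFence code; all names are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Route(Enum):
    LOCAL = "authenticate locally (our realm, or no realm)"
    LOCAL_GUEST = "authenticate locally (PID registered as a sponsored guest)"
    PROXY = "proxy to the eduroam federation server"
    REJECT_LOOP = "reject: non-local realm received from the federation itself"


def split_nai(user_name: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' on the last '@'; realm is None when absent or empty."""
    nai = user_name.strip()
    if "@" not in nai:
        return nai.lower(), None
    user, _, realm = nai.rpartition("@")
    return user.lower(), (realm.lower() or None)


@dataclass
class RoutingPolicy:
    # Realms declared in proxy.conf with a bare 'realm name { }' block, i.e.
    # handled here and never proxied (the fix suggested in the thread).
    local_realms: Set[str]
    # client shortnames of the ORPS / federation servers that relay
    # requests for our roaming users
    federation_clients: Set[str]
    # PIDs of sponsored guests whose login name is an e-mail address; they
    # live in the local database (constructed list)
    guest_pids: Set[str] = field(default_factory=set)

    def route(self, user_name: str, client_shortname: str) -> Route:
        user, realm = split_nai(user_name)
        full = user if realm is None else f"{user}@{realm}"
        # 1. Local lookup first: a guest whose PID looks like a foreign NAI
        #    is authenticated here, not proxied on the strength of its '@'.
        if full in self.guest_pids:
            return Route.LOCAL_GUEST
        # 2. Our own realm, or no realm at all, stays local. This is also the
        #    roaming home-user case: the request comes from the federation,
        #    but we are the home server for it.
        if realm is None or realm in self.local_realms:
            return Route.LOCAL
        # 3. A realm we do not own, arriving from the federation side, cannot
        #    be proxied without sending it straight back. Forgetting to list
        #    the own realm as local produces exactly this situation, and the
        #    federation answers with the 'Loop detected' reject seen above.
        if client_shortname in self.federation_clients:
            return Route.REJECT_LOOP
        # 4. Everything else is a visitor: hand it to the federation.
        return Route.PROXY


# Constructed policy for a site like the one in the thread.
EXAMPLE_POLICY = RoutingPolicy(
    local_realms={"mpifr-bonn.mpg.de"},
    federation_clients={"flr01", "flr02"},
    guest_pids={"guest@other-university.example"},
)

if __name__ == "__main__":
    for name, client in (("jan@mpifr-bonn.mpg.de", "wlc01"),
                         ("guest@other-university.example", "wlc01"),
                         ("visitor@other-university.example", "wlc01"),
                         ("visitor@other-university.example", "flr01")):
        print(f"{name:34} from {client}: {EXAMPLE_POLICY.route(name, client).value}")
```

Step 1 is the part FreeRADIUS does not do by itself: a realm-looking User-Name is handed to the proxy logic before any local user lookup, so the guest check has to run first, whether as an SQL or LDAP lookup in the authorize section or as a list of local PIDs like the one here.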

Re: [PacketFence-users] Eduroam and Guest Logins

2013-02-04 Thread Rich Graves
Well, Europe is about 5 years ahead of US .edu's, so your sense of what's 
normal for eduroam is better than mine. I'm surprised, though. If the same 
person visits mpifr-bonn and uni-bonn and cam.uk, they might need three 
different passwords, and they must accept three different certificates for 
three different RADIUS servers. It starts to get less simple, and less secure.

We simply let guests who don't have eduroam at home on our open Registration 
SSID. When they log on, PacketFence changes their VLAN (or firewall rules, if 
you're running in-line). We find that we need an open SSID anyway because some 
devices (mainly gaming consoles and older smartphones) still do not support 
WPA2-Enterprise/802.1X. We have also had a few visitors whose corporate IT 
security policies prevent them from accepting 802.1X certificates.

If you are concerned about guest wireless privacy, consider:

- Turn on WEP or WPA2-PSK for your Registration SSID (supported by more devices 
than WPA2-Enterprise)
- If it's easy to get a Guest account, does encryption really help? An attacker 
could ARP-spoof almost as easily.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
