Dear Talan,
Can you provide more details on how you're doing the authentication? Is
this radius with mac-auth on the SSID or are you doing "captive portal" in
the AP itself?
I have PF working fine with ruckus' smartzone (albeit 3.6.1 but I don't
expect any differences with 5.1) but I did have to
Just to be sure, do you have all the proper whitelists as well? It's weird
that the user is directed to accounts.blogger.com... Also, you should be
able to see your PF server making a request to google to validate the
returned token.
On which version of PF are you? I've been using google auth
succ
Hi bill
Please look at ALL the log files under /usr/local/pf/var/logs (the httpd
logs only cover the requests from the devices). There will be two requests
going to google.. one where Packetfence is doing NAT for the devices to be
onboarded (this is the traffic from the user's browser) and then an
let me check what I have configured. But I think you do need an API enabled.
On Fri, Apr 24, 2020 at 11:12 AM Bill Handler wrote:
> Again, apologies for my ignorance on this…
>
>
>
> When I created the Oauth credentials in the Google Developer site, I did
> not enable an API. I’m thinking I mis
Hi.. those errors are not errors. They are just the logs of pfdns and it's
still related to the user trying / reaching google.
you should look at the logs (especially packetfence.log) for any other
messages around the time. Most of the log messages SHOULD have the mac
address of the device trying to
Hi Bill
I haven't installed pf10 yet. But I think the key item is the fact that the
registration vlan DNS is not resolving to the correct PF address. Do you
have any nic or vlan configured with that IP?
You mention replacing the fqdn for that of the registration vlan. Is that
provisioned on your
Hi Bill
Interesting that of using http it works. I used publicly signed certs for
my portal. Self signed will just be chaos for the end users unless you can
push your root ca to the devices beforehand (a managed fleet, which is
not my case)
Now it's clearer that you used the IP and it worked.
Hi Bill
I guess that it might be messing things up when doing the https redirect if
you have the self-signed cert... the redirection back might be failing at
the browser level? So if you host the portal on http it all works fine?
what address is the pf server using for the registration vlan?
On
PS.. are you planning on using google oauth for your corporate users? or
just as guest portal? Cause remember that anyone with a google.com address
can join. I have a private branch of the google oauth that limits you to a
single google-apps domain and validates that users belong to it. I was in
th
Hi Bill
For 802.1x I'm really not in the loop I seem to recall having seen this
question (or something similar) floating around... but no clue.
For chromebooks... you might be able to use the new "secure LDAP" option
that google provides.. maybe I guess it all depends whether you want to
You need to contact google and request that your oauth client be
whitelisted for wifi login.
On Mon, Jun 29, 2020 at 9:44 AM Akram Abdallah via PacketFence-users
wrote:
>
> Hello ,
>
> When trying to use the Google Auth in Packetfence portal i get this message
> 403 : disallowed_useragent" error
Hi Everyone,
(sorry if it got double-posted, I'm not finding my previous email in the
archive nor did I get it back when posting)
I'm trying to achieve the following:
On the captive portal, I'd have an admin user login and then select a Role
and access duration for a particular device. The role pa
Hi Everyone,
I'm trying to achieve the following:
On the captive portal, I'd have an admin user login and then select a Role
and access duration for a particular device. The role part is easy as there
is a portal module specifically for it. But the Access duration /
unreg-date is a bit more comple
Hi Everyone,
I'm trying to achieve the following:
On the captive portal, I'd have an admin user login and then select a Role
and access duration for a particular device.
I got it working but I think I'm relying on a bit of a bug for it to work.
The following is my relevant config:
[Select-Role]
By the way, I tried using the "stone_role" option but it didn't work.
I mean: I would first do the "select role" option in the chain and then the
"fixed role" to only set a duration but it doesn't seem to work...
On Sun, Jan 31, 2021 at 7:15 PM Diego Garcia del Rio
wrote:
> Hi Everyone,
>
> Im
Hi Pieter,
did you disable mac encryption on smartzone?
It's weird that the mac is not being found. To be honest, I have not used
the portal option myself yet so I'm not of great help there. Any reason why
you wouldn't do the mac authentication option with the portal served
directly by packetfence?
Dear ludovic,
Any chance you guys can take a look at the PR I raised with quite a bit of
documentation for smartzone and ruckus in general? It's PR 6141
(I have one commit as root just pulling the repo forward which I'm not sure
how to get rid of so that the cla bot passes)
Cheers!
On Wed, Mar
Hi pieter-Jan
I am using the same scenario as you describe. Only that the unrecognized
devices get directed to the captive portal directly. (packetfence assigns a
registration vlan to unknown devices, then acts as a dhcp / dns server for
that vlan and clients get presented the portal). Then the us
let me know if you need any help... but I have it deployed just like that
at several schools and it works well.
On Thu, Mar 4, 2021 at 10:34 AM Lamont, Pieter-Jan <
pieterjan.lam...@sgsintpaulus.eu> wrote:
> Hello Diego
>
>
>
> That could also work in our environment . I’ll take a look at this
>
Hi Everyone!
I'm having an issue where users seem to be entering (way too frequently) a
space in their ldap username field (I'm using an LDAP source and if there is
a space at the end, the realm / domain is not matched and thus no
authentication source is found).
is there anywhere in the code where
make sure you restart haproxy-portal after applying the new cert.
On Mon, Sep 13, 2021 at 5:41 PM Zestermann, Ronald via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:
> Hello,
>
>
>
> We use the CaptivePortal for a guest WLAN and would like to secure the
> CaptivePortal wi
not 100% sure.. but I believe you created an "app" in the azure portal for
the authentication to work? I was having similar issues until I explicitly,
as an administrator, gave consent to the app for all users (rather than
each user having to give individual consent).
I think I was getting a very
Hi Everyone,
I have a brand new node that was installed with PF 11.0. Everything is
working OK except that when I use the portal preview option, the main
portal opens, but as soon as I click on any of the actions, I get an error
message.
404 Site 127.0.0.1:8891 is not served on this interface
T
you should be able to easily do vlan per role.. .but you seem to be wanting
a vlan per user?
or you have 300 roles defined and each with its own vlan??
On Fri, Dec 10, 2021 at 12:22 PM jj c via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:
> Hi to all,
> is it possible to b
But how many roles are you defining ? Several hundred? If so then you're
probably misusing the roles. In that case, indeed, vlan-pool is what you
want.
The manual describes vlan-pools as the following:
For a VLAN pool instead of defining a VLAN identifier, you can set a value
like that: 20..23,27
You might want to add the vlan as some field in AD / ldap and then see if
there is any way to access that using the radius or vlan filters to push
the vlan to the user. Not sure it will be possible to be honest
On Fri, Dec 10, 2021, 13:29 jj c wrote:
> nice thank you for the clarification and
you need to manually upload the files and point to the path where those
files were uploaded. There is no GUI for the certificate upload like there
is for other certificates.
Given you only need to renew it every 3 years it's not too bad, but indeed,
you need to manually upload it using SCP / SFP /
On packetfence 11 changing the pf.conf and /etc/sysconfig/network... (Or
your OS specific IP configuration) and then rebooting was enough for me. I
tried it on a non clustered pf 11.1 on Rocky Linux 8.4 just last week.
On Wed, Dec 15, 2021, 15:48 nick via PacketFence-users <
packetfence-users@l
Hello everyone
I am using a ruckus smartzone based setup with WISPR / hot-spot redirect on
the AP. (so packetfence is NOT the DHCP server nor is it really using an
isolation or registration vlan on packetfence) In fact, my packetfence
server is not co-located on the same site as the clients.
So u
/local/pf/go
> make go-env
> source ~/.bashrc
> make pfhttpd
> mv pfhttpd ../sbin
> systemctl restart packetfence-httpd.dispatcher.service
>
> Regards
> Fabrice
>
>
> Le mer. 2 févr. 2022 à 03:37, Diego Garcia del Rio via PacketFence-users <
> packetfence-users@list
Dear Users / devs
I am using a portal where I use the "Password" authentication source and
other "local" authentication sources as well. And what I noticed is that
once the portal is loaded, the log indicates that "user XXX has logged into
the portal" (this is before the user selects any option to
you could create two authentication sources (both pointing to the same
LDAP), one which filters faculty and another students.(you would have to
play with the LDAP filters so that the user is not even found if you
search for faculty using the student's authentication source)
and then you could pr
If you're trying this from a mobile phone (captive portal browser) then
yes, it will be blocked as google is blocking all embedded browsers and any
"not-full browsers". It means google authentication can't really be used
from mobile devices when accessed through the captive portal.
also, your auth
k where is your_portal_hostname is a dns record that allows
> you to reach the Packetfence machine itself from the Internet.
>
> So the customer must have a right internet domain?
>
> Also I understand that it must also have a valid https certificate, is
> that so?
>
>
>
>
his laptop and then be
> able to surf the Internet.
>
> Now let's see if I understand correctly:
>
> the Packetfence machine implemented locally at the customer must be
> reached from the internet using the url: https: // your_portal_hostname /
> oauth2 / callback where is
most of the defaults should work. For the username Attribute, 'uid'
should work.
when you click on the "test" button for the bindDn and password, does it
work?
make sure the ldap service is enabled as well (not just the credentials
generated). It's quite annoying as it's not readily evident you
hav
Indeed. The realm is needed. Otherwise packetfence doesn't know against
which source to authenticate
On Fri, Jun 3, 2022, 14:29 P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:
> Hi Leonardo,
>
> In 'Bind DN' and 'Password' I have to enter the credentials
Hi Leonardo
On jexplorer don't use any certificate, since stunnel handles that for
you. It's an "insecure to secure" TCP tunnel.
In jexplorer use 127.0.0.1:1636 as the server / port to connect
Select "no encryption" in jexplorer. And use the root path as the one
mentioned in the previous emails
Hi Luis,
(sorry to break the thread as I just joined the mailing list and can't
reply to the past message).
In my case, using the ZEN appliance, I noticed that the httpd.admin was
also timing out. If I started httpd manually with the config file, it would
take almost 3 minutes to start. I was pla
some configurations and anecdotal evidence points to VIPs playing a role.
>
> Best regards,
> --
> Louis Munro
> lmu...@inverse.ca :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketF
Thanks.. I figured it couldn't be that bad as the server eventually
starts.
Thanks for the info.. I can help doing a profile or with any other
mechanism if it helps troubleshoot the slow start. Glad to help!
Best Regards,
Diego
On Wed, Jul 19, 2017 at 7:21 PM, Louis Munro wrote:
>
>
> On
Dear users,
I have a setup where users are being authenticated using mac-based auth
with radius. This is a system with Ruckus' ZD1200 and a few APs. Radius
auth works well and I have configured radius accounting as well. In fact, I
see the radius accounting packets being sent to PF -both interim a
ence (
> www.packetfence.org)
>
> On Jul 19, 2017, at 18:25, Diego Garcia del Rio via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Dear users,
>
> I have a setup where users are being authenticated using mac-based auth
> with radius
rincipal | ac:37:43:a4:41:46 | Idle-Timeout |
> || 10.100.0.11 |
>
>
>
> Thanks !!!
>
>
>
>
> On Wed, Jul 19, 2017 at 7:29 PM, Louis Munro wrote:
>
>> Hi Diego,
>> Can you see if you have data in the radacct table?
>>
>
20:58:11 | 2017-07-19 20:58:11 | 2017-07-19
>> 20:58:19 | NULL | 8 | RADIUS | CONNECT
>> 802.11g/n| CONNECT 802.11g/n| 49939 |63202 |
>> 58:b6:33:bf:4b:c8:principal | ac:37:43:a4:41:46 | Idle-Timeout |
>> |
Hi,
I have a quick question... I have a system setup with 7.2 where I am using
bandwidth accounting / violations. I have set a user limit of 512 mbytes
per day and then they get rate-limited to 256Kbit/s. When a user exceeds
its bandwidth, I have the option of remediating the violation, but the
vi
Regards
>
> Fabrice
>
>
>
> Le 2017-07-26 à 19:56, Diego Garcia del Rio via PacketFence-users a écrit :
>
> Hi,
>
> I have a quick question... I have a system setup with 7.2 where I am using
> bandwidth accounting / violations. I have set a user limit of 512 mbytes
>
Hi Everyone,
I am trying to setup an environment where I am using Google Apps for
education as my main source of "authentication" data for the captive
portal. I am doing mac-based authentication of the devices and redirecting
users to a captive portal to do device self-registration.
Unfortunately
You can do this by assigning a new profile to the user as the action of the
bandwidth violation. Of course the capability to rate limit will depend on
the device doing the access. If it's a fairly advanced wifi, you could do
it, but might be impossible or hard on wired switches (especially lower end
Hi Luca,
I don't have experience with the "inline mode" of PF. I haven't seen any
options to do bandwidth limiting in the UI though, so I would not keep my
hopes up.
What controller do you have?
On Thu, Sep 7, 2017 at 3:37 AM, luca comes via PacketFence-users <
packetfence-users@lists.sourcefor
Ciao Luca. I would imagine Aruba can do rate limits on the AP. You need to
find which radius vsa to send so that it can apply a profile to the user
and do the rate limit.
On Sep 8, 2017 07:02, "luca comes" wrote:
> Hi Diego,
>
> It's an Aruba appliance.
>
>
> Luca
>
>
> Inviato da Outlook
You can also do it directly without filters. I don't have access to my
system right now, but there was an option to map a user's profile to a
device profile. At least on the latest version of PF, the Aruba plugin has
support for "returnRoleAttribute" and it is specified in the radius VSA
called"Aru
Agree with Tim... Unless she's telling the phone to "forget" the network
each and every day...
On Tue, Sep 19, 2017 at 11:04 AM, Tim DeNike via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:
> MAC randomization (At least the way I've seen it work) only randomizes the
> MAC whe
Hello everyone!
I just did a clean install of PF 8.1 on a Centos 7.5 and I am facing issues
trying to use any of the OAuth sources on the captive portal.
Basically, whenever I add any authentication source to the captive portal,
I get a "default" "new portal module" form (nothing specific to th
s more confusing though as I now rolled back to a
>> 7.4 install and I'm seeing the same issues (while other systems with 7.4
>> seem to be fine).
>>
>> Thanks for the support.
>>
>>
>> On Fri, Jul 20, 2018 at 11:24 PM Durand fabrice via PacketFence-users <
etfence-users@lists.sourceforge.net> wrote:
> Hello Diego,
>
> can you give your authentication.conf. profiles.conf and
> portal_modules.conf files ?
>
> Regards
>
> Fabrice
>
> Le 2018-07-20 à 16:25, Diego Garcia del Rio via PacketFence-users a écrit :
>
> Hell
>
>> can you give your authentication.conf. profiles.conf and
>> portal_modules.conf files ?
>>
>> Regards
>>
>> Fabrice
>>
>> Le 2018-07-20 à 16:25, Diego Garcia del Rio via PacketFence-users a
>> écrit :
>>
>> Hello everyone!
>>
>>
> description=catchall
>> class=authentication
>> match=all
>> action0=set_role=guest
>> action1=set_access_duration=1D
>> [root@localhost conf]#
>> [root@localhost conf]#
>> [root@localhost conf]# ls -lrta
>> total 3668
>>
>
>>> type=SponsorEmail
>>> allow_localdomain=yes
>>> create_local_account=no
>>>
>>> [sponsor rule catchall]
>>> description=
>>> class=authentication
>>> match=all
>>> action0=set_role=guest
>>> action1=set_access_duration=1D
>
Dear Thomas,
Sorry to revive a crazy old thread. But you can get google oauth to work
with iphones if you get google to whitelist your API client id. It's manual
but relatively straightforward.
You need to contact oauth-h...@google.com and provide them with your API
oauth ID.
It's working for me
Hello. Is there any way for the user to login to the "/status" part of the
captive portal with his oauth credentials instead of a local account?
We're trying to implement a case where we limit the number of devices per
role (eg, 2 devices). But to ease the burden on our IT staff, instead of
showin
use this
> account to login the status page.
>
> Regards
>
> Fabrice
>
>
>
> Le 2018-07-26 à 15:36, Diego Garcia del Rio via PacketFence-users a écrit :
>
> Hello. Is there any way for the user to login to the "/status" part of the
> captive portal with h
issue on github
> and we will look at it soon.
>
> Regards
>
> Fabrice
>
>
>
> Le 2018-07-27 à 22:01, Diego Garcia del Rio via PacketFence-users a écrit :
>
> Merçi Fabrice,
>
> I already have the "create local account" flag enabled. The accounts are
>
Hello everyone,
I am seeing that on two different systems (on 8.1) all the stats show only
the last hour, regardless of how long the system has been running (and
the +/- zoom though it changes the timescale at the bottom -ever so
slightly-, no new data is loaded).
Is there a setting that has to b
:
> Hello Diego,
>
> you can adjust the value in the template:
>
>
> https://github.com/inverse-inc/packetfence/blob/devel/html/pfappserver/root/graph/dashboard.tt
>
>
> Cf doc: https://github.com/firehol/netdata/wiki/Custom-Dashboards
>
> Regards
>
> Fabrice
Are you using the captive portal capabilities of Ruckus? Otherwise, you can
use the "classic" radius based mac-authentication on smart-zone and have
either the APs or SZ send radius access requests to PF. On the radius
response, customers will be assigned the portal vlan and the portal is
presented
I've seen similar issues with DHCP renews indeed. The system was not
properly updating the ip-mac binding information.
On Fri, Mar 22, 2019, 09:25 Rankin, Cory via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:
> Hello,
>
> Thank you for the reply. The client I am testing wit
Dear users,
When using google oAuth or any other oAuth external authentication, if we
do not enable the "require AUP" checkbox, the user is redirected straight
into google for example. I notice that this was done expressly as shown by
this code commit:
https://github.com/inverse-inc/packetfence/
Additionally, I think we should set the portal sessions to be "shorter".
They are currently set to 1 year and it's quite problematic. I noticed there
is a setting under "chi.conf" to set the httpd.portal cache values (I'm
testing with 5 minutes). The default value is undefined which I'm not sure
what
Hi Leonardo,
TPLink is not one of the supported vendors for wifi. Not sure what you're
trying to achieve. Would PF just be a radius server for authentication? I'm
not 100% sure you can use it that way, as you'd still have to configure the
"switch" to be a particular model / brand / vendor
You can
Hi Leonardo,
I'm not sure what you're trying to do... but for plain radius authentication
you should use a simple radius server and that's it. In most cases, pf is
meant to be used to do 802.1x when acting as a radius server. PF
developers, please correct me if I'm wrong.
In most cases, PF will not
not sure which wifi integration you're using (or is it wired?) but, at
least for Ruckus (and I'm sure others as well), when using web-auth it will
have the mac address in the redirect message and support a "remote"
authentication without any need to forward dhcp to packetfence.
(it can get tricky t
does the "test" button on the ldap google source work?
did you have the proper realm configured as well? (Is it stripping / adding
the correct value?)
I use the google workspace ldap source in several installations and it
works fine
On Thu, Sep 29, 2022 at 9:58 AM P.Thirunavukkarasu via Packet
You should look into using google LDAP.
Google Oauth is not really supported by google in the captive portal
browser of most phones nowadays. Also, you can't limit the google
authentication to a single domain (I had posted some changes to support a
specific google domain but those never made it
Yes.. google ldap is just a setting under google's workspace.
I committed some additional documentation to PF's google ldap /
documentation here (it's not in the public builds yet)
https://github.com/inverse-inc/packetfence/blob/devel/docs/installation/google_workspace_ldap.asciidoc
You need to e
I'm guessing it might be related to the rfc7710bis / rfc8910 portal support
this means that via dhcp, the client is provided with an URL they can use
to check the status of the device in the portal (whether they are still
jailed or no)
normally this information is served on the same interface as
Hello,
I have a new setup using PF 12.2 (I have been using other PF versions with
no problem so far) and I'm seeing a strange behavior. I have a "relatively
complex" login flow, but nothing major (and the same setup used in other PF
versions / instances). Users are authenticating against google wor
Hi oliver
there are multiple, very different integration options with ruckus and
packetfence. While indeed, some of the documentation is quite old, it
should still be usable.
Is your pf server in the same "network" (i.e. can you run vlans from the
APs or ZD -if using tunneling- to the pf server f
also, I just realised you mention Zone Director in the body of the email
but smartzone in the title.. which one is it?
On Wed, Aug 30, 2023 at 2:25 PM Diego Garcia del Rio
wrote:
> Hi oliver
>
> there are multiple, very different integration options with ruckus and
> packetfence. While indeed,
sure. no problem
I can't guarantee timely response... but still...
On Wed, Aug 30, 2023 at 5:33 PM Oliver Pole wrote:
> Hey Diego,
> Sorry about that mistake, it was very late in the day when I wrote the
> initial message. I did indeed mean vSZ.
> I'm trying to get my Technical Director involve
Are you referring to Radius COA? from what it seems, no... it looks
like you're talking about AD COA.. meaning, when the user changes AD
groups you'd want him to automatically change state?
Right now I think the only option would be some sort of script.. that
performs the group membership change o
I was having similar issues on a fresh install of packetfence 13.1 on
rocky linux using the RPMs.
I had trouble creating the isolation and registration sub-interfaces
(vlans), with the config not sticking on the configurator.. as such,
the haproxy-portal config was not having the correct interfac
can you check which ip is being returned once you're outside the
registration network? (I'm assuming you're using dns / fqdn to access
the portal after login)
from what i understand you're using inline enforcement, is that correct?
On Mon, May 13, 2024 at 12:36 PM Nate Tremmel wrote:
>
> This doe
so.. after troubleshooting a bit more.. somehow pfdns is not
responding with the 66.x ip for the fqdn of the portal. If you ask
pfdns for google.com or any other (while captive) it will reply with
the 66.x ip .. but for the fqdn of the portal itself, it fails.
see here for more details https://git
the only way to get proper google authentication is using the ldap
integration and your own google workspace domain (assuming you want to
authenticate users from the ualberta.ca domain). It won't work for
generic gmail.com users though
to do this, you need to enable Secure LDAP in the google workspa
Hi Giovanni
indeed.. if you're using it for guest access then what you describe is
really the only viable option or just bypass the authentication at
all. Are you using the google sign in just to collect the email
addresses for guests? you could alternatively use the email login
where the user
86 matches