Re: [PacketFence-users] PacketFence 4.03 and Extreme Networks Summit switch

2014-08-04 Thread Tim DeNike
3 PM, Stormont, Stephen (IMS) < stormo...@imsweb.com> wrote: > We have VOIP phones, but they are on a totally different > switch which we haven’t attempted to setup yet. No elrp or stp setup for > us. > > > > *From:* Tim DeNike [mailto:tim.den...

Re: [PacketFence-users] PacketFence 4.03 and Extreme Networks Summit switch

2014-08-04 Thread Tim DeNike
You using VoIP phones at all? Elrp or stp? We use mac based vlans which don't work with elrp or stp but I made packetfence handle loop prevention by disabling ports if the edp or vrrp MAC address show up on a port. Sent from my iPhone On Aug 4, 2014, at 3:26 PM, "Stormont, Stephen (IMS)" wrote

Re: [PacketFence-users] PacketFence 4.03 and Extreme Networks Summit switch

2014-08-04 Thread Tim DeNike
Got about 80 stacks using pf. The web services setup doesn't work. Use radius netlogin. I don't have time right now but I can give you some good pointers and a modified module that will let you use dynamic profiles. Also. What version xos are you running and do you have any eaps rings? Sent from

[PacketFence-users] Weirdness in 4.3 and multiple AD auth sources?

2014-08-01 Thread Tim DeNike
Anyone else having issues here? Everything works, until you create a new source that can't possibly be matched by any other rule in any other source (Points to different OUs for base), And that rule doesn't work, and it causes other rules that were working to stop working. It's really hard to expl

[PacketFence-users] Firewall SSO - Palo Alto

2014-08-01 Thread Tim DeNike
Just upgraded to 4.3 and I'm playing around with the SSO module. I've been using a radius script I wrote to manage IP mapping, but I'm hoping this will handle Mac based user->IP mappings. Anyways.. How do you configure it? I tried in the UI and it looks like it adds the configs in, but it doesn't

Re: [PacketFence-users] Installing Packetfence on Amazon EC2

2014-07-03 Thread Tim DeNike
None of our registration subnets have L2 connectivity to packet fence.. They are all routed. :D On Thu, Jul 3, 2014 at 8:59 AM, Arthur Emerson III wrote: > On Jul 2, 2014, at 6:58 PM, Moe Alsmadi wrote: > > > I have been trying for days to install packetfence on a ubuntu instance > on Amazon

Re: [PacketFence-users] Palo Alto integration

2014-06-19 Thread Tim DeNike
I'm guessing the userid integration. I already do that for wireless users with ours. Sent from my iPhone On Jun 18, 2014, at 10:04 PM, Max McGrath wrote: I see in the New Features section of the next release: Fortinet FortiGate and PaloAlto firewalls integration. What exactly does this mean?

Re: [PacketFence-users] node IP address field not getting updated

2014-06-12 Thread Tim DeNike
Dhcp relay or udp helper needs to send the dhcp request to the pf management ip as well as the production dhcp server. Sent from my iPhone > On Jun 12, 2014, at 8:19 PM, Boris Epstein wrote: > > Hello all, > > I have my production VLAN on managed by my switch and for some reason the IP > addres

Re: [PacketFence-users] PacketFence+FreeRadius=Cisco shell access control?

2014-06-05 Thread Tim DeNike
Just use freeradius standalone. It's easy. Sent from my iPhone On Jun 5, 2014, at 3:41 PM, Pete Hoffswell wrote: Hi. Has anyone successfully used the freeradius installation within packetfence for cisco device access (telnet and ssh)? Consider: http://www.cisco.com/c/en/us/support/docs/secur

Re: [PacketFence-users] Rogue DHCP Alerts

2014-05-13 Thread Tim DeNike
It's a bug in the pfdhcplistener. When a device tries to do a dhcp rebind, pf has a logic bug that treats it as rogue when it should ignore it. The phones aren't misbehaving. Sent from my iPhone > On May 13, 2014, at 8:15 PM, Jason Frisvold wrote: > > Curtis K. Larsen wrote: >> Hello, >> >> I

Re: [PacketFence-users] Packetfence behind a proxy server

2014-05-07 Thread Tim DeNike
Just wget the fingerprints file with proxy options set from command line. Sent from my iPhone > On May 7, 2014, at 5:01 AM, "Morris, Andi" wrote: > > Thanks, that does help for the fingerprints, however I'd still like to know > if it is possible to configure PacketFence to sit behind a webproxy

Re: [PacketFence-users] Bleeding Heart Vulnerability

2014-04-10 Thread Tim DeNike
Don't forget to put a new cert in place and change passwords! Sent from my iPhone On Apr 10, 2014, at 2:30 PM, Louis Munro wrote: More on Heartbleed: Adding insult to injury, it seems you also need to upgrade the 'libssl1.0.0' package on ubuntu. Make sure the changelog mentions the fix to h

Re: [PacketFence-users] Ideal Architecture for pf HA cluster with load balancing and scalability?

2014-03-28 Thread Tim DeNike
to increase the resources available to my VMs at all. On Fri, Mar 28, 2014 at 7:28 AM, Tim DeNike wrote: > We have about 1 ports and 200 access points via a controller running > on 2 pf vms that share a vmware fault tolerant SQL database. The only > reason we have 2 vms is to

Re: [PacketFence-users] Ideal Architecture for pf HA cluster with load balancing and scalability?

2014-03-28 Thread Tim DeNike
We have about 1 ports and 200 access points via a controller running on 2 pf vms that share a vmware fault tolerant SQL database. The only reason we have 2 vms is to minimize downtime if a vmware host goes down. Your proposed solution would be good for a "bazillion" ports. You don't need much.

Re: [PacketFence-users] Per SSID VLAN - Meru Networks

2014-03-11 Thread Tim DeNike
I couldn't say on 3.6. I started with 4.0 and am on 4.1 now. Sent from my iPhone > On Mar 11, 2014, at 5:14 PM, Arthur Emerson III > wrote: > >> On Mar 6, 2014, at 10:20 AM, Tim DeNike wrote: >> >> We are on SD 5.3.xyz right now and RADIUS deauth does work.

Re: [PacketFence-users] Per SSID VLAN - Meru Networks

2014-03-06 Thread Tim DeNike
n"); return 1; } $logger->debug("deauthenticate $mac using RADIUS Disconnect-Request deauth method"); return $self->radiusDisconnect($mac); } =head1 AUTHOR Tim DeNike =cut 1; ^CUT^^^ On Thu, Mar 6, 2014 at 10:11 AM, Arthur Emerson III wrot

Re: [PacketFence-users] Per SSID VLAN - Meru Networks

2014-03-06 Thread Tim DeNike
Awesome. I have a case open with them about that right now. Spring break next week. I'll post a new module with radius deauth and that extract said sub soon! Sent from my iPhone > On Mar 6, 2014, at 9:22 AM, Anton Dreyer wrote: > > Hi guys > > I am revisiting an old discussion regarding Meru.

Re: [PacketFence-users] A Challenge - controlling mDNS and Bonjour

2014-03-05 Thread Tim DeNike
I'll just throw this out there.. mDNS/Bonjour is a bad idea and very flaky in any enterprise network. It typically doesn't work well with IGMP and other multicast helpers. It was never designed for it. Otherwise... The feature you are looking for would be part of roles in packet fence. I don't

Re: [PacketFence-users] Computer Name Editable Field

2013-10-24 Thread Tim DeNike
Just setup dhcp relay to send packets to pf and your real dhcp server. Pf won't respond. Just sniff. Sent from my iPhone > On Oct 23, 2013, at 8:19 AM, Maverick Lamont wrote: > > Hi There, > > I am currently deploying Packetfence in a VLAN enforcement mode and the DHCP > server runs on an ext

Re: [PacketFence-users] Changes of "connection_type" field?

2013-09-13 Thread Tim DeNike
Looking into it a little further.. Shouldn't radius accounting stop messages end up closing out the locationlog? Or does that only get closed out if the port changes? On Thu, Sep 12, 2013 at 10:15 AM, Tim DeNike wrote: > upgrade from 4.0.2 to 4.0.6. > > 00:10:7f:1c:34:35 | 10.26.1.

Re: [PacketFence-users] 4.0.2 to 4.0.6, 802.1x error

2013-09-13 Thread Tim DeNike
e.ca > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence > (http://www.packetfence.org) > > On 2013-09-10 8:29 AM, Tim DeNike wrote: > > RADIUS is authenticating fine, but the WebAPI no like... > > Sep 10 08:26:38 pf::WebAPI(29881) INFO: handling radius

[PacketFence-users] Changes of "connection_type" field?

2013-09-13 Thread Tim DeNike
upgrade from 4.0.2 to 4.0.6. 00:10:7f:1c:34:35 | 10.26.1.12 | 1012 | 98 | Ethernet-NoEAP | 00107F1C3435 | | 2013-09-06 11:08:22 | NULL | | 00:10:7f:01:27:fb | 10.26.1.12 | 2023 | 11 | Ethernet-NoEAP | 00107F0127FB | | 2013-09-06 11:10:21 | NULL | | 00:10:7f:01:27:fb | 1

[PacketFence-users] 4.0.2 to 4.0.6, 802.1x error

2013-09-10 Thread Tim DeNike
Sep 10 08:26:38 pf::WebAPI(29881) INFO: autoregister a node that is already registered, do nothing. (pf::node::node_register) Sep 10 08:26:38 pf::WebAPI(29881) INFO: Found a match (CN=Tim DeNike,ETC ETC ETC) (pf::Authentication::Source::LDAPSource::match_in_subclass) Sep 10 08:26:38 pf::WebAPI(29881

Re: [PacketFence-users] FreeRadius Stopping

2013-09-05 Thread Tim DeNike
Sounds stupid. But try less cores. If your host goes into a wait state for an unavailable core it can cause pauses. Your mileage may vary. ;) Sent from my iPhone On Sep 5, 2013, at 10:59 AM, Fletcher Haynes wrote: Not to hijack Dave's thread, but I started having this issue again two days ago.

Re: [PacketFence-users] Dhcp and Route Networks

2013-08-21 Thread Tim DeNike
Run a dhcp relay on the remote network and send the packets to pf interface. Sent from my iPhone On Aug 21, 2013, at 8:16 AM, luis torres wrote: Hi list, heres my problem ..., have my PF in a routed network and I want to manage the ips of a registration network that is in another router. her

Re: [PacketFence-users] Retrieve User Attributes from Active Directory

2013-08-01 Thread Tim DeNike
I was thinking more along the lines of getting full name, email, phone, etc from AD attributes. On Sat, Jul 27, 2013 at 1:38 PM, Ludovic Marcotte wrote: > On 2013-07-26 3:04 AM, Florian Mirkes wrote: > > For example, it would be much easier to set up a lot of sponsors, if you > simply use a AD-G

Re: [PacketFence-users] Retrieve User Attributes from Active Directory

2013-07-27 Thread Tim DeNike
I second this! On Fri, Jul 26, 2013 at 3:04 AM, Florian Mirkes wrote: > Hi all, > > is it possible to retrieve other user attributes than the username, if you > use the AD Source? Like firstname, lastname or the mail address. > > For example, it would be much easier to set up a lot of sponsors,

Re: [PacketFence-users] Dashboard and Reports

2013-07-17 Thread Tim DeNike
The "Today" view always shows no data. On Wed, Jul 17, 2013 at 7:49 AM, Francis Lachapelle wrote: > Hi Jason > > On 2013-07-15, at 1:19 PM, Jason Frisvold wrote: > > > I'm starting to dig a bit into some of the other features of PF now > > that I have a working system up and running. In

[PacketFence-users] 4.0.2 pfdns/bypass/SRV records

2013-07-15 Thread Tim DeNike
Doesn't seem to do SRV record lookup if you want to allow AD login in registration/isolation.

Re: [PacketFence-users] Simultanous access check

2013-07-11 Thread Tim DeNike
recent connection is in the location log and the others are closed out. It seems like all the information is there to fashion simultaneous use checking and use normal de-auth methods. right? On Thu, Jul 11, 2013 at 11:08 AM, Tim DeNike wrote: > We are using Mac radius. Reason being Mac ba

Re: [PacketFence-users] Simultanous access check

2013-07-11 Thread Tim DeNike
ave other thoughts. I guess the best way to validate all > that is for you to test the scenarios. > > On 2013-07-11 10:40 AM, Tim DeNike wrote: >> I was thinking about Mac spoofing. >> >> Sent from my iPhone >> >> On Jul 11, 2013, at 10:29 AM, Francois Gaudreault &

Re: [PacketFence-users] Simultanous access check

2013-07-11 Thread Tim DeNike
ll as soon as you unplug > the cable, session is gone anyway so.. > > > On 2013-07-11 9:51 AM, Tim DeNike wrote: >> Havent tested it yet, but if the same mac shows up on another switch, >> will PF

[PacketFence-users] Simultanous access check

2013-07-11 Thread Tim DeNike
Haven't tested it yet, but if the same mac shows up on another switch, will PF de-auth the other session? What happens?

Re: [PacketFence-users] Access Levels for Admin Interface

2013-07-10 Thread Tim DeNike
Same here. Need acls Sent from my iPhone On Jul 10, 2013, at 7:03 PM, Fletcher Haynes wrote: So in my continuing quest of setting up some PF4 servers, I've run into the issue of needing to provide different levels of access to the admin interface, and I can't find this documented anywhere in th

Re: [PacketFence-users] Stripped User-name manipulation

2013-07-03 Thread Tim DeNike
< fgaudrea...@cloudops.com> wrote: > That's why you can do it in radius/custom.pm ;) > > FG > > On 2013-07-02 10:39 AM, Tim DeNike wrote: > > I'm sure I could do it there. But I like to keep upgrades as easy as > > possible. :) > > > > Sent from

Re: [PacketFence-users] Stripped User-name manipulation

2013-07-02 Thread Tim DeNike
I'm sure I could do it there. But I like to keep upgrades as easy as possible. :) Sent from my iPhone On Jul 2, 2013, at 10:00 AM, Francois Gaudreault wrote: That might be easier to do within the pf code instead of FR. If I am right, look at radius.pm FG On 2013-07-02 8:28 AM, "

Re: [PacketFence-users] Stripped User-name manipulation

2013-07-02 Thread Tim DeNike
out a domain in PF, just assume the default domain > associated with it... or tell the users to use the proper format. > > FG > > On 2013-07-01 9:38 AM, Tim DeNike wrote: > > Just an off-hand question here. Can I take the stripped user-name and > > ADD a domain to it? >

Re: [PacketFence-users] VLAN question

2013-07-02 Thread Tim DeNike
Create tagged interface on pf box Sent from my iPhone On Jul 1, 2013, at 5:40 PM, Steve Bradley wrote: I do have that set. My issue is that my pf server is on VLAN 1. The switch is set to untagged VLAN 1. How does the registration VLAN (VLAN 2) get to the pf server? I can’t have 2 untagge

[PacketFence-users] Stripped User-name manipulation

2013-07-01 Thread Tim DeNike
Just an off-hand question here. Can I take the stripped user-name and ADD a domain to it? Say users are authenticating via 802.1x as DOMAIN\user or just user (Which maps to the same realm), but I also want them to be able to auth as u...@domain.name. I'd want to record all of it to one user in

Re: [PacketFence-users] Single Interface

2013-06-29 Thread Tim DeNike
Just use vlans on a single interface. Sent from my iPhone On Jun 29, 2013, at 4:08 PM, Dustin Schuemann wrote: Do I have to forward the dhcp requests to packet fence or can I use the auto register feature? On Jun 29, 2013 3:01 PM, "Fabrice Durand" wrote: > Hello Dustin, > it could be done wi

Re: [PacketFence-users] Feature Request

2013-06-28 Thread Tim DeNike
Agreed. U would like to make more use of notes/details as well. Manual creation would be helpful too. Sent from my iPhone On Jun 28, 2013, at 12:41 PM, Jason Frisvold wrote: > Greetings, > >With our current NAC system we can manually add new devices via the > GUI. We're able to add the MAC

Re: [PacketFence-users] Switch reverting to mac detection vlan...

2013-06-28 Thread Tim DeNike
You need a rule in auth sources to assign a role to the user. Sent from my iPhone On Jun 28, 2013, at 8:10 AM, Fletcher Haynes wrote: Hello everyone, I have auto registration of 802.1x clients working fine. However, I am now seeing this in the logs: Jun 27 11:15:56 pf::WebAPI(4980) INFO: auto

Re: [PacketFence-users] Add .5 second delay for mac-auth?

2013-06-28 Thread Tim DeNike
27; in the packetfence-tunnel virtual server with only > a sleep in it... > > Francois > > On 2013-06-27 11:40 AM, Tim DeNike wrote: > > Actually, i mean add .5 second delay for 802.1x auth. Id want that > > auth to always come second. :D > > > > > > On Thu,

Re: [PacketFence-users] Add .5 second delay for mac-auth?

2013-06-28 Thread Tim DeNike
urn RLM_MODULE_OK; } sub post_proxy { return RLM_MODULE_OK; } sub xlat { return RLM_MODULE_OK; } sub detach { return RLM_MODULE_OK; } On Thu, Jun 27, 2013 at 1:26 PM, Tim DeNike wrote: > Thats kind of what I was thinking. Just didnt know if someone thought of > a better way. > > > On

Re: [PacketFence-users] Add .5 second delay for mac-auth?

2013-06-27 Thread Tim DeNike
Actually, I mean add .5 second delay for 802.1x auth. I'd want that auth to always come second. :D On Thu, Jun 27, 2013 at 10:24 AM, Tim DeNike wrote: > My switches (Extreme) support mac auth and dot1x simultaneously. 99% of > the time, it works fine because the dot1x response come

[PacketFence-users] Add .5 second delay for mac-auth?

2013-06-27 Thread Tim DeNike
My switches (Extreme) support mac auth and dot1x simultaneously. 99% of the time, it works fine because the dot1x response comes back maybe .1-.2 seconds after the mac auth response. If, for some reason, the mac auth response comes second, the client gets joined to the right network based on 802.

[PacketFence-users] Admin ACLs/Admin Roles

2013-06-25 Thread Tim DeNike
Trying to figure out how best to deploy administration in our environment. I was hoping there was a way where we could define administrative roles that limited people to assigning certain roles. IE: Users in the AV department were limited to the 2 roles that correspond to VLANs that are dedicate

Re: [PacketFence-users] Dashboard inaccurate

2013-06-25 Thread Tim DeNike
Speaking of which. Why doesn't the "Today" dashboard populate? On Tue, Jun 25, 2013 at 11:11 AM, Derek Wuelfrath wrote: > Tim > > I've actually trashed that install at this point and gone back to 4.01 for > the moment. I did notice this when I started with 4.x, so I'm expecting to > see it again

Re: [PacketFence-users] pfsetvlan memory usage?

2013-06-20 Thread Tim DeNike
Not a big deal. Just going to allocate 8gb to each PF instance now... Thats only a couple days uptime and only 150 out of 1 ports running on it.. lol.. On Thu, Jun 20, 2013 at 10:43 AM, Jason Frisvold wrote: > Tim DeNike wrote: > > 14663 root 20 0 2566m 1.2g 3520 S 0.0

[PacketFence-users] pfsetvlan memory usage?

2013-06-20 Thread Tim DeNike
14663 root 20 0 2566m 1.2g 3520 S 0.0 32.3 0:11.97 pfsetvlan That right? Seems like a lot.

[PacketFence-users] Switch options not available in GUI

2013-06-18 Thread Tim DeNike
On 4.0.1, if I run pfcmd switchconfig get , I see some options that aren't available in the gui. VOIPEnabled vlans roles (have roles defined in switch, but don't show up when command is run?) normalVlan What do all these mean/do?

Re: [PacketFence-users] AD/LDAP Rules

2013-06-18 Thread Tim DeNike
have “OU=FAP,OU=FOO,DC=mcc,DC=edu” then you’re not > going to be able to use “subtree” as the scope, but a little experimenting > will probably get you through that. > > Hope that’s helpful. > > Don > > *From:* Tim DeNike [mailto:tim.den..

[PacketFence-users] AD/LDAP Rules

2013-06-17 Thread Tim DeNike
Deploying Packetfence in an AD environment with about 80,000 users. We have users divided up into different OUs. I don't see a way to make a rule act on the OU of the user, or match distinguishedname "contains". A great deal of the users are only a member of the OU, and not a member of any additi
