inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure networks from small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Timeout after registration, inline mode #3241

Open kartoflarz opened 6 years ago

kartoflarz commented 6 years ago

Hello,

I would like to share "bugs" which I've experienced with version 8.0.1. I was using version 6.5, which works perfectly. Now I'm trying to migrate to version 8.0.1 but it doesn't seem to work well.

My implementation is inline with 2 inside VLANs (inline mode) and an outside eth0 interface (management). I've tried a fresh installation on CentOS 7 and the ZEN version; both show the same 2 problems which I noticed:

  1. On some devices (phones, laptops), after logging in by username and password to the portal it shows a timeout page. No web page with information about granted access etc., as it should have. When I restart the web browser I have Internet access and the user shows up as registered on the portal. Other devices work fine: after logging in I have the information page about granted access duration etc. I don't know why some devices receive a timeout after logging in and some do not.

I think that this is something related to DNS or the apache service?

  2. When I manually deregister a device on the portal and connect that device to the network again, I receive the information web page that access is already granted and I have Internet access. But how, if I had deregistered the device before?

Sorry if the descriptions are not detailed; I just want to let you know about the problems in inline mode. I need to go back to 6.5, which works excellently in inline mode.

fdurand commented 6 years ago

It looks to be a DNS issue. We probably have to raise the TTL when the device asks for the FQDN of the portal.

fdurand commented 6 years ago

After investigation, the TTL returned by pfdns is set to 0 (too short). The fix will be to set a TTL of 60s when the device asks for the FQDN of the portal.
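The diagnosis above turns on one field of the DNS answer: a TTL of 0 tells every resolver on the path (the client's stub resolver included) not to cache the record, so the portal FQDN is looked up again for each new connection, while a TTL of 60 lets the client keep using the same address for the rest of the login flow. The following is an added, stand-alone illustration written for this page; it is not pfdns' code (pfdns is a CoreDNS plugin and is structured quite differently) and it does not touch the network. It builds a minimal DNS A response for a constructed query name with a chosen TTL, parses the TTL back out of the wire format, and applies a hypothetical minimum-TTL rule for the portal name modelled on the 60-second value stated in the comment. The names portal.example.com and 192.0.2.1 are constructed sample data, and minPortalTTL is an assumed helper, not a pfdns function.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// DNS wire-format constants (RFC 1035).
const (
	typeA   = 1
	classIN = 1
)

// encodeName turns "portal.example.com" into the DNS label sequence.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0) // root label terminator
}

// buildAResponse builds a minimal DNS response for qname carrying one
// A record whose TTL is ttl. The answer uses a compression pointer
// (0xC00C) back to the question name at offset 12.
func buildAResponse(id uint16, qname string, ip net.IP, ttl uint32) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x8180) // QR=1, RD=1, RA=1, NOERROR
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT
	binary.BigEndian.PutUint16(msg[6:], 1)      // ANCOUNT
	// Question section.
	msg = append(msg, encodeName(qname)...)
	msg = append(msg, 0, typeA, 0, classIN)
	// Answer section.
	msg = append(msg, 0xC0, 0x0C)
	msg = append(msg, 0, typeA, 0, classIN)
	ttlb := make([]byte, 4)
	binary.BigEndian.PutUint32(ttlb, ttl)
	msg = append(msg, ttlb...)
	msg = append(msg, 0, 4) // RDLENGTH of an IPv4 address
	return append(msg, ip.To4()...)
}

// skipName advances past a name (labels or a compression pointer).
func skipName(msg []byte, off int) (int, error) {
	for {
		if off >= len(msg) {
			return 0, errors.New("truncated name")
		}
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0:
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
}

// answerTTL returns the TTL of the first answer record in a response.
func answerTTL(msg []byte) (uint32, error) {
	if len(msg) < 12 {
		return 0, errors.New("short header")
	}
	qd := int(binary.BigEndian.Uint16(msg[4:]))
	if binary.BigEndian.Uint16(msg[6:]) == 0 {
		return 0, errors.New("no answers")
	}
	off := 12
	var err error
	for i := 0; i < qd; i++ {
		if off, err = skipName(msg, off); err != nil {
			return 0, err
		}
		off += 4 // QTYPE + QCLASS
	}
	if off, err = skipName(msg, off); err != nil {
		return 0, err
	}
	if off+10 > len(msg) { // TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
		return 0, errors.New("truncated answer")
	}
	return binary.BigEndian.Uint32(msg[off+4:]), nil
}

// cacheable reports whether a resolver may keep the record: TTL 0
// means "do not cache", so every new connection re-resolves the name.
func cacheable(ttl uint32) bool { return ttl > 0 }

// minPortalTTL is an assumed helper (not a pfdns API) modelling the fix
// described in the thread: answers for the portal FQDN get at least 60s.
func minPortalTTL(qname, portalFQDN string, ttl uint32) uint32 {
	q := strings.ToLower(strings.TrimSuffix(qname, "."))
	p := strings.ToLower(strings.TrimSuffix(portalFQDN, "."))
	if q == p && ttl < 60 {
		return 60
	}
	return ttl
}

func main() {
	ip := net.ParseIP("192.0.2.1") // constructed sample portal address
	for _, ttl := range []uint32{0, 60} {
		msg := buildAResponse(0x1234, "portal.example.com", ip, ttl)
		got, err := answerTTL(msg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ttl=%d cacheable=%v\n", got, cacheable(got))
	}
}
```

Run it with `go run` and it reports the two cases side by side; the useful check in a real deployment is the same one answerTTL performs, applied to a `dig` of the portal FQDN from an inline client before and after applying the patch.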

fdurand commented 6 years ago

OK, the TTL fix is in maintenance; you can run pf-maint.pl to fetch the new pfdns binary and give it a try.

kartoflarz commented 6 years ago

Thank you for your help. For now I can't do that. We are in full swing of a very important event for 600 participants :) I wish I could tell you which huge international organization I work for; you would be impressed where PacketFence is used :) I'll get back to that later and make a test. Thank you very much.

kartoflarz commented 6 years ago

Hello again. Finally I have some time to check it. I made a fresh install of pf 8.1. Did you fix it in that version? Because it's the same, it still doesn't work. Or should I follow your instructions above?

kartoflarz commented 6 years ago

Is it go/coredns/plugin/pfdns/pfdns.go from the list? How do I patch only that one file? :)

The following are going to be patched
addons/pf-maint.pl
conf/haproxy-db.conf.example
conf/monitoring/statsd.d/packetfence.conf.example
conf/radiusd/eduroam.example
conf/radiusd/packetfence-cli.example
conf/radiusd/packetfence-tunnel.example
conf/radiusd/packetfence.example
conf/realm.conf.defaults
conf/systemd/packetfence-httpd.aaa.service
conf/systemd/packetfence-httpd.admin.service
conf/systemd/packetfence-httpd.collector.service
conf/systemd/packetfence-httpd.parking.service
conf/systemd/packetfence-httpd.portal.service
conf/systemd/packetfence-httpd.proxy.service
conf/systemd/packetfence-httpd.webservices.service
debian/rules
go/api-frontend/aaa/authorization.go
go/api-frontend/aaa/authorization_test.go
go/coredns/plugin/pfdns/pfdns.go
go/db/db.go
go/dhcp/config.go
go/dhcp/main.go
go/dhcp/pool.go
go/dhcp/rawClient.go
go/dhcp/server.go
go/dhcp/serverif.go
go/dhcp/utils.go
go/vendor/vendor.json
html/captive-portal/lib/captiveportal/PacketFence/Controller/DeviceRegistration.pm
html/captive-portal/lib/captiveportal/PacketFence/Controller/WirelessProfile.pm
html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication.pm
html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/Login.pm
html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/Null.pm
html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Choice.pm
html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/TLSEnrollment.pm
html/captive-portal/lib/captiveportal/PacketFence/Form/Authentication.pm
html/captive-portal/lib/captiveportal/Role/MultiSource.pm
html/captive-portal/templates/wireless-profile-tls.xml
html/pfappserver/lib/pfappserver/Form/Config/Profile.pm
html/pfappserver/lib/pfappserver/Form/Config/Provisioning/mobileconfig.pm
html/pfappserver/lib/pfappserver/Form/Config/Source/Eduroam.pm
html/pfappserver/lib/pfappserver/Form/Config/Source/SMS.pm
html/pfappserver/lib/pfappserver/Form/Node/Create/Import.pm
html/pfappserver/lib/pfappserver/Model/Services.pm
html/pfappserver/lib/pfappserver/PacketFence/Controller/Node.pm
html/pfappserver/root/graph/dashboard.tt
html/pfappserver/root/node/search.tt
html/pfappserver/root/pfqueue/cluster.tt
html/pfappserver/root/pfqueue/index.tt
html/pfappserver/root/pfqueue/stats.inc
lib/pf/Authentication/Source/SMSSource.pm
lib/pf/Authentication/Source/TwilioSource.pm
lib/pf/ConfigStore/Source.pm
lib/pf/Switch.pm
lib/pf/Switch/ArubaSwitch.pm
lib/pf/Switch/Brocade.pm
lib/pf/Switch/Cisco/Catalyst_2950.pm
lib/pf/Switch/Cisco/WLC.pm
lib/pf/Switch/HP/Controller_MSM710.pm
lib/pf/Switch/ThreeCom.pm
lib/pf/Switch/Ubiquiti/Unifi.pm
lib/pf/UnifiedApi.pm
lib/pf/UnifiedApi/SearchBuilder/Nodes.pm
lib/pf/accounting.pm
lib/pf/api/can_fork.pm
lib/pf/constants/syslog.pm
lib/pf/dhcp/processor_v4.pm
lib/pf/factory/condition/access_filter.pm
lib/pf/fingerbank.pm
lib/pf/lookup/person.pm
lib/pf/parking.pm
lib/pf/radius.pm
lib/pf/registration.pm
lib/pf/role.pm
lib/pf/services/manager/netdata.pm
lib/pf/task/person_lookup.pm
lib/pf/util/webapi.pm
lib/pf/web/util.pm
lib/pfconfig/namespaces/FilterEngine/AccessScopes.pm
lib/pfconfig/namespaces/config/Pf.pm
lib/pfconfig/namespaces/interfaces.pm
lib/pfconfig/namespaces/resource/network_config.pm
raddb/mods-config/perl/packetfence-multi-domain.pm
raddb/policy.d/packetfence

julsemaan commented 6 years ago

@kartoflarz

sbin/pfdns is a compiled binary, so it won't appear in this list, but when you apply pf-maint you'll have the option of patching the binaries in a second step.

You can tell something was changed in pfdns (and thus its binary) by seeing that the following file has been changed: go/coredns/plugin/pfdns/pfdns.go

Hope that helps

kartoflarz commented 6 years ago

OK, patches applied. Only one error on one patch, but not related to my problem, I think (I use CentOS 7):

patching file conf/systemd/packetfence-httpd.webservices.service
can't find file to patch at input line 359
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
|diff --git a/debian/rules b/debian/rules
|index 554af54a029..19428ac43f8 100755
|--- a/debian/rules
|+++ b/debian/rules

Now time for testing on laptops and phones. I'll let you know soon.

kartoflarz commented 6 years ago

OK, all seems to be good. What now? Will you add that option to the stable release? Do I have to patch each new installation? Thank you.

julsemaan commented 6 years ago

This will indeed be in the next official stable release (8.2).