Showing posts with label packetfence.

Sunday, August 25, 2013

PacketFence 4.0.x Game System Registration

I came across a little snafu in the Gaming System registration in PacketFence 4.0.X. In PacketFence you can have a page that allows users to register systems that don't have web browsers on them. You can access it at https://<packetfence ip>/gaming-registration.

Great, since Xboxes are notorious for not getting registered, due to collision in the OS fingerprinting. This is a well-documented problem. In my previous install they would fingerprint to OEM Wireless Router; this time it seems to be RIM BlackBerry. Either way they miss my auto-registration violation rule, which I may just get rid of.

So trouble started when several students tried to register their Xboxes using the registration page.
They would authenticate to the first page, then enter the MAC address:
Then it would throw this error:

So what gives? It looks valid. Turns out there is a file, <PF install dir>/lib/pf/web/gaming.pm, which has a list of the first part of the MAC addresses allowed to be entered into this page. Add the first 3 octets of the address to the file in the correct spot, save the file, and you are back in business.

I recommend that you verify the manufacturer of the MAC. I use this site: http://www.coffer.com/mac_find/ which allows you to verify that it is a Microsoft MAC. Hope this helps if you come across this problem.
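The kind of prefix check described above, as an added example that is not PacketFence's own code: a well-formed MAC is still rejected when its first three octets are missing from the allow-list. The hash layout, the function names and the `02AABB` prefix are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow-list keyed by OUI (first three octets, upper-case hex,
# no separators). The prefix below is a constructed placeholder, not a real
# vendor assignment and not taken from PacketFence's gaming.pm.
my %ALLOWED_OUI = (
    '02AABB' => 'constructed console vendor',
);

# Normalize a user-typed MAC (aa:bb:..., AA-BB-..., aabb.ccdd.eeff, or bare
# hex) to 12 upper-case hex digits; return undef if it is not a valid MAC.
sub normalize_mac {
    my ($input) = @_;
    return undef unless defined $input;
    (my $hex = uc $input) =~ s/[:.\-\s]//g;
    return $hex =~ /\A[0-9A-F]{12}\z/ ? $hex : undef;
}

# Return (1, vendor) when the OUI is allowed, (0, reason) otherwise.
sub check_gaming_mac {
    my ($input) = @_;
    my $mac = normalize_mac($input)
        or return (0, 'not a valid MAC address');
    my $oui = substr($mac, 0, 6);
    return exists $ALLOWED_OUI{$oui}
        ? (1, $ALLOWED_OUI{$oui})
        : (0, "OUI $oui is not on the allow-list");
}

# Constructed sample inputs: three spellings of an allowed MAC, one MAC
# with an unlisted prefix, and one that is too short.
for my $typed ('02:aa:bb:11:22:33', '02-AA-BB-11-22-33', '02aa.bb11.2233',
               '06:cc:dd:11:22:33', '02:aa:bb:11:22') {
    my ($ok, $detail) = check_gaming_mac($typed);
    printf "%-20s %s (%s)\n", $typed, $ok ? 'ACCEPT' : 'REJECT', $detail;
}
```

Because the MAC is typed in by the user, a prefix check like this only limits what can be registered through the page; it does not prove the device is a console.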


Sunday, August 18, 2013

Packetfence 4.0.5 - Notes

Packetfence 4.0.5 was released on 8-12-2013. Slight bit of craziness, since there were a couple problems with it. But Inverse issued patches within hours. Now the downloaded version is stable and works fairly well.

I however ran into a couple bumps with that upgrade/patch.

First one was I ran into this bug: http://www.packetfence.org/bugs/view.php?id=1676
Basically, the RADIUS server was throwing SOAP errors and would not return the correct VLAN, and then after a few hours would just stop running. The patch listed here: https://github.com/inverse-inc/packetfence/commit/4861189ba7faf680eef257d5b1c157d7260fe0de was missing/didn't apply to the update. So I found the line in the source and edited it to reflect the change. This resolved the issue and the RADIUS server has been running since.

The other was the retrieval of the role for gaming device registration. This was a quick two lines added to the module, described here: https://github.com/inverse-inc/packetfence/commit/36bacc02289afb01a1abd38420585c7f792a4511

At this point I have to freeze the code, no more updates, as this is completely in production and the students are back on campus. The only changes I think will be made are page edits to fix the wording or add more information to the pages.

Update to this post:

After experiencing some problems, I found that my installation is still at 4.0.1 - which is why these patches were not there. Only a certain part of PF was upgraded. Not anything to make it matter.
 {Link to new post when done}

Tuesday, July 23, 2013

Packetfence Guest Email Domains Check - Updated

So in my quest for the latest version of Packetfence 4.0.x I am enabling the guest access. This is done so that guest account creation for wireless will be reduced to only the special cases. The user contact info is captured so I know who is on the network from a rough perspective.

Inside of Packetfence the guest module checks the email against the local domain of the Packetfence server so you can block your normal users from getting guest accounts. Since guest accounts expire quickly and have limited network access, it really does the trick.

I ran into a little problem: multiple email domains which need to be blocked. After a post to the listserv and a response that indicated to look in the guest.pm module, here is what I did:

my $email_type = pf::Authentication::Source::EmailSource->meta->get_attribute('type')->default;
my $source = &pf::authentication::getAuthenticationSourceByType($email_type);
if ($source) {
    unless (isenabled($source->{allow_localdomain})) {
        # You should not register as a guest if you are part of the local network
        my $localdomain = $Config{'general'}{'domain'};

        # Added explicit second domain for the check below
        my $localdomain1 = 'second domain name';

        if ($cgi->param('email') =~ /[@.]$localdomain$/i) {
            return ($FALSE, $GUEST::ERROR_EMAIL_UNAUTHORIZED_AS_GUEST, [ $localdomain ]);
        }

        if ($cgi->param('email') =~ /[@.]$localdomain1$/i) {
            return ($FALSE, $GUEST::ERROR_EMAIL_UNAUTHORIZED_AS_GUEST, [ $localdomain1 ]);
        }
    }
}

I added a second check for another explicitly defined domain, $localdomain1. Yes, I could change that, but it was quick and dirty. Added is the code in orange.

Tested and this does exactly what I wanted it to. Just thought I would share.

Updated: 7-25-2013

On the advice of Inverse, I took the above code blob with the surrounding sub and transferred it to the custom.pm and changed the section to reference the pf::web::guest so that this new sub would take precedence.

Thanks again to the Inverse Team.
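The same guest-email check generalized from two hard-coded variables to a list of blocked domains, as an added example that is not PacketFence code or the code from this post. The domain names and the `blocked_guest_domain` function are assumptions; `quotemeta` is used so that the dots in a domain match only a literal dot.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed placeholder domains; in the post these would be the value of
# $Config{'general'}{'domain'} plus the extra hard-coded domain.
my @BLOCKED_DOMAINS = ('example.edu', 'students.example.edu', 'example.org');

# Build one anchored, case-insensitive pattern. quotemeta() keeps the dots
# in a domain literal, so "example.edu" cannot match "examplexedu". The
# leading [@.] means the domain itself or any subdomain of it matches, but
# a different domain that merely ends in the same letters does not.
my $alternation = join '|', map { quotemeta } @BLOCKED_DOMAINS;
my $BLOCKED_RE  = qr/[@.]($alternation)\z/i;

# Return the blocked domain the address falls under (lower-cased), or undef
# if the address is not in any blocked domain.
sub blocked_guest_domain {
    my ($email) = @_;
    return undef unless defined $email;
    $email =~ s/\A\s+|\s+\z//g;    # trim whitespace pasted into the form
    return undef unless $email =~ $BLOCKED_RE;
    return lc $1;
}

# Constructed sample addresses: exact domain, mixed case, a subdomain,
# a lookalike suffix, an unescaped-dot lookalike, and an outside guest.
for my $addr ('bob@example.edu', 'Bob@Students.Example.EDU',
              'bob@mail.example.org', 'bob@notexample.edu',
              'bob@examplexedu', 'guest@visitor.test') {
    my $hit = blocked_guest_domain($addr);
    printf "%-28s %s\n", $addr, defined $hit ? "BLOCKED ($hit)" : 'allowed';
}
```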

Tuesday, June 25, 2013

Packetfence 4.0.1 - First load

As the summer window of working on projects before the day students return is rapidly shrinking, I needed to start on my Packetfence upgrade. If you read my blog before you may know I am a pretty big user of it.

As I wrote back in May, it is a fresh install with no direct upgrade path. Getting started, I loaded up a VM with CentOS 6.4 and started down the PacketFence Admin Guide to install. The install guide is fairly straightforward to follow. There is a section on installation where, on RHEL/CentOS systems, you have to add additional repos to get things going.




Great, been here, not sure I remember the last one from the last install. OK, no big deal, right? I hit a small roadblock with this one. There is only 1 copy of that repo, and it was down. Argh!

Read some more into the doc:

Debian and Ubuntu
All the PacketFence dependencies are available through the official repositories.

OK, scrap the CentOS 6 install, load up Debian and let's rock. Everything went smoothly after that.

PacketFence install within 15 minutes of Debian system being up.

Initial Impressions:

Web Configurator: Awesome to help get things setup.
New Admin Portal: Awesome, leaps and bounds better than 3.5x, the amount you can change inside the interface is great. I was editing the AUP_Text, saving, and refreshing the captive portal with the changes live. (Couldn't do that before.)

System performance: Not in production yet so can't say.

The interface is snappy. The search is great with the ease that you can add on more rules to search for to narrow down the person/node that you are looking for.

Guest management is just what I was looking for.

This is NAC that Excites. Hats off to the Inverse.ca team for this work.

Monday, May 13, 2013

PacketFence 4.0

Well, the Inverse team released a new version of PacketFence. Current release is 4.0. This is a jump up from 3.6.1. http://www.packetfence.org/news/2013/article/packetfence-40-released.html


Highlights from the news release:

New Features
  • Brand new Perl-based Web administrative interface using the Catalyst framework
  • New violation actions to set the node's role and deregister it
  • Support for scanning dot1x connections for auto-registration by EAP-Type
  • Support for auto registering dot1x node based of the EAP-Type
  • New searchable MAC Addresses module to query all existing OUI prefixes
  • New advanced search capabilities for nodes and users
  • New memory object caching subsystem for configuration files
  • Ubuntu packages

Enhancements
  • Authentication sources can now be managed directly from the GUI
  • Roles (previously called categories) are now computed dynamically using authentication sources
  • Portal profiles and portal pages are now managed from the GUI
  • Fingerprints and User Agents modules are now searchable
  • Translated all remediation pages to French
  • Updated Brazilian Portuguese and Spanish translations

Lots of good features listed. I am looking forward to the new admin UI. That is something in the current version which needed help. A heavily loaded system moved slowly when trying to admin it.

New search is something which was needed. If you didn't get it quite right the first time you could be sitting a while when waiting for the results to load.

Overall the list of changes looks like a big step forward in usability for the system.

A big gotcha listed in the release notes is the recommendation to start with a fresh install. With the major rewrite it would be difficult to just upgrade in place. See UPGRADE document.

I will be starting my migration in the next month or so. I plan on posting a review once I get my system updated.