packetfence-users — PacketFence users forum list

[PacketFence-users] problem rebooting packetfence-iptables.service in latest version

[Massimiliano B. <mas...@la...>]

Hello,

I just installed PacketFence on Debian 12, latest version. It is a 
cluster installation with 3 nodes.

Differently from all other installations I have, it seems I cannot 
restart the packetfence-iptables or the pf service: if I try the VM just 
stops responding and I have to reset it form virtualizer.

 From what I can see from the virtualizer console, stopping the iptables 
services causes all firewall rules to be dropped, but the default for 
INPUT and FORWARD chains is DROP, so the pfcmd restart command loses 
connection itself with the docker and never recovers.
If I login from virtualizer console as root and manually change both 
chains to ACCEPT, the pfcmd restart command instantly recovers, 
otherwise it prints outs from time to time "cannot reach database" or 
other logs like that, but then it never recovers or finish.

Some things I noticed also:

  * service ip6tables says it is needed in this configuration, but the
    cluster guide make you disable ipv6 on all nodes, that service can't
    start then
  * if I modify the base iptables files to use ACCEPT as default in
    FORWARD and INPUT rules, and put a -j DROP at the bottom, then the
    reboot of all services goes smoothly

Have any of you noticed anything similar in last version?

Regards,
Massimiliano



-- 
Massimiliano Ballerini
Laboratori Guglielmo Marconi
Via Porrettana, 123 - 40037 Pontecchio Marconi (BO)
e-mail:mas...@la...
web:http://www.labs.it
mob: +39 349 2600513

Re: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1

[Zammit, L. <lu...@ak...>]

Hello there,

Make sure that the WORKGROUP is correct, that the OU where you create the PacketFence computer account has no restrictions and that the computer password respect the domain password complicity policy.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:	 <https://community.akamai.com/>  <http://blogs.akamai.com/>  <https://twitter.com/akamai>  <http://www.facebook.com/AkamaiTechnologies>  <http://www.linkedin.com/company/akamai-technologies>  <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Apr 2, 2026, at 6:11 AM, Luca Messori via PacketFence-users <pac...@li...> wrote:
> 
> This Message Is From an External Sender
> This message came from outside your organization.
> Hi all,
> I have the same issue using PF 15 and user auth  PEAP (mschapv2).
> 
> Did you resolve this issue?
> How did you resolve it?
> 
> Thank you very much
> 
> 
> 
> 
> 
> <30y_2_05f4b20d-97f6-493b-b95a-8217ad40d290.png>	
> Luca Messori
> Solution Architect
> l.m...@me... <mailto:l.m...@me...>
> Phone: +390522265843 <tel:+390522265843> Mobile: +393351442007 <tel:+393351442007>	
> MEAD Informatica s.r.l. - Via G.Ferraris, 2, 42122  Reggio Emilia  RE - Tel: +390522265950
> <banner_63af738f-e6d3-4349-b22a-7c07b83ab925.png> <https://urldefense.com/v3/__https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&e=evento1&m=1__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sWO4krEjw$>
> <fb_logo_97aca8b0-c725-45d6-b2d8-bf654d5981ef.png> <https://urldefense.com/v3/__https://it-it.facebook.com/meadinformatica/__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sXGaF4CDg$>  <ln_5a89b05f-4a1f-45e1-bbd8-06fb2ed838b5.png> <https://urldefense.com/v3/__https://it.linkedin.com/company/mead-informatica__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sVrPwCb6Q$>  <yt_logo_1c5256aa-17c0-4262-aae7-ea5a07437927.png> <https://urldefense.com/v3/__https://youtube.com/embed/uR83yD9n9_I?autoplay=1__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sUhkxV-Pg$>  <site_ce438972-3fa9-412f-a61a-d29e3867516b.png> <https://urldefense.com/v3/__https://www.meadinformatica.it__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sXuvBt-Cg$>
> Aiutaci a migliorare; ti basta 1 click	<face_4_87abb270-ce3f-469f-94cc-57b652b5cc27.png> <https://urldefense.com/v3/__https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&f=9__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sXBc4IaCQ$>  <face_3_74e58a94-1eea-424c-8518-e24d1de640dc.png> <https://urldefense.com/v3/__https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&f=7__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sWVmi60nA$>  <face_2_6950612e-2208-40a2-8380-933eef34a506.png> <https://urldefense.com/v3/__https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&f=4__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sW3YBCgrw$>  <face_1_6e17133e-7935-42be-88a0-816e781c8489.png> <https://urldefense.com/v3/__https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&f=0__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sXJvBeoIg$>GDPR 2016/679 Il presente messaggio e gli eventuali suoi allegati sono di natura aziendale, prevalentemente confidenziale e sono visionabili solo dal destinatario di posta elettronica. La risposta o l’eventuale invio spontaneo da parte vostra di e-mail al nostro indirizzo potrebbero non assicurare la confidenzialità potendo essere viste da altri soggetti appartenenti all’Azienda oltre che al firmatario della presente, per finalità di sicurezza informatica, amministrative e allo scopo del continuo svolgimento dell’attività aziendale. Qualora questo messaggio vi fosse pervenuto per errore, vi preghiamo di cancellarlo dal vostro sistema e chiediamo di darne cortesemente comunicazione al mittente. La Vs. mail è in ns. possesso in quanto da Voi fornitaci tramite comunicazione scritta, telefonica, telematica o direttamente oralmente. Essa è utilizzata esclusivamente per fornirVi informazioni sulla ns. attività e sui servizi da noi offerti. Non sarà ceduta a terzi in nessun caso salvo approvazione da parte Vostra. Il Titolare del trattamento è Mead Informatica srl, contattabile alla mail in...@me... <mailto:in...@me...>. I ns. sistemi informativi e le ns. procedure interne sono conformi alle norme e garantiamo la presenza di adeguate misure tecniche ed organizzative costantemente aggiornate. 
> Da: Mahmoud Mabrouk via PacketFence-users <pac...@li... <mailto:pac...@li...>>
> Inviato: giovedì 6 febbraio 2025 19:41
> A: Ma, Zhihao <zm...@ak... <mailto:zm...@ak...>>
> Cc: Mahmoud Mabrouk <mah...@gm... <mailto:mah...@gm...>>; pac...@li... <mailto:pac...@li...><pac...@li... <mailto:pac...@li...>>
> Oggetto: Re: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1
>  
> Request Time
> 
> RADIUS Request
> Event-Timestamp = "Feb  6 2025 18:39:18 UTC",
> FreeRADIUS-Client-IP-Address = "192.168.110.50",
> Module-Failure-Message = "rest: Server returned:",
> Module-Failure-Message = "rest: {"Reply-Message":"CLI or VPN Access is not allowed by PacketFence on this switch","control:PacketFence-Authorization-Status":"allow"}",
> NAS-IP-Address = "192.168.110.50",
> PacketFence-KeyBalanced = "86318e52f5ed4801abe1d13d509443de",
> PacketFence-Radius-Ip = "192.168.11.206",
> Realm = "null",
> Stripped-User-Name = "ali",
> User-Name = "ali",
> User-Password = "******"
> 
> RADIUS Reply
> REST-HTTP-Status-Code = "401"
> 
> On Thu, Feb 6, 2025 at 5:12 PM Ma, Zhihao <zm...@ak... <mailto:zm...@ak...>> wrote:
> Hi Mahmoud
> 
> After the configuration, you’ll need to (re) start packetfence-ntlm-auth-api
> 
> And do a machine account test (or refresh the domain lists to see if the joining status is green)
> 
> Taking a look at packetfence logs would probably give you the exact reason of an authentication failure
> 
>  
> Thabks
> 
>  
> -- 
> 
> Zhihao Ma
> Software Engineer Senior
> 
> <image001.png>
> 
> Office: +1 613 714 6311
> 
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
> Connect with Us:
> 
> <image002.png> <https://community.akamai.com/> <image003.png> <http://blogs.akamai.com/> <image004.png> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sUZemlV_w$> <image005.png> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sXTJRL0-g$> <image006.png> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sVEIaA5Hw$> <image007.png> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sXrqexOwQ$>	
>  
>  
> From: Mahmoud Mabrouk via PacketFence-users <pac...@li... <mailto:pac...@li...>>
> Reply-To: "pac...@li... <mailto:pac...@li...>" <pac...@li... <mailto:pac...@li...>>
> Date: Thursday, February 6, 2025 at 10:05
> To: "pac...@li... <mailto:pac...@li...>" <pac...@li... <mailto:pac...@li...>>
> Cc: Mahmoud Mabrouk <mah...@gm... <mailto:mah...@gm...>>
> Subject: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1
> 
>  
> Hi everyone, I'm currently working on integrating PacketFence version 14 with Active Directory for 802. 1X authentication based on user group membership. I've followed the steps in the documentation, but I'm encountering an issue
> 
> ZjQcmQRYFpfptBannerStart
> 
> This Message Is From an External Sender
> 
> This message came from outside your organization.
> 
> ZjQcmQRYFpfptBannerEnd
> 
> Hi everyone,
>  
> I'm currently working on integrating PacketFence version 14 with Active Directory for 802.1X authentication based on user group membership. I've followed the steps in the documentation, but I'm encountering an issue where users are not being authenticated correctly.
>  
> Here are the details:
> - PacketFence version: 14
> - AD domain: example.com <https://urldefense.com/v3/__http:/example.com__;!!GjvTz_vk!Sy138QxgdETnHiB_4n0vskWatX1_hRQCR_PDqWMgJuvpy_etWuf2jkD0iyAdI9xZy-RFpaMe-Or4E2tWi-AID4pwPs2cCdU$>
> - Error message: "Authentication failed for user [username]"
>  
> Steps I've taken so far:
> 1. Configured the AD domain in PacketFence.
> 2. Set up RADIUS authentication.
> 3. Configured 802.1X authentication.
>  
> Any help or suggestions would be greatly appreciated!
>  
> Thank you,
> Mahmoud
> _______________________________________________
> PacketFence-users mailing list
> Pac...@li... <mailto:Pac...@li...>
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!WGQwe92aqZtoWqdGpClttkKXonNbKlK90jCf4ifX0jsexbVi6MZvVleJAQarmpIec_XQ8Rk_YOx6GjOZfX1lfGQL4cE21sUM7HY74A$

[PacketFence-users] Ubiquiti Unifi integration with PacketFence 4.10

[Osman S. <os...@bi...>]

Dear PacketFence users,

I am testing a PacketFence (v13.x) deployment. My wired Cisco setup 
works, but I am struggling with the Ubiquiti UniFi integration using 
*local PacketFence users*.

*The Error:* When a client tries to connect via EAP-TTLS, the RADIUS log 
shows: |Login incorrect: [test] (from client [IP-UniFi]/32 port 0 cli 
[MAC-laptop] via TLS tunnel)| |eap: Failed continuing EAP TTLS (21) 
session. EAP sub-module failed|

*Setup details:*

  *

    *Switch Type:* Ubiquiti::Unifi

  *

    *Authentication Source:* Local (PacketFence local database)

  *

    *Encryption:* EAP-TTLS (Inner tunnel authentication seems to fail)

I have verified that the user "test" exists locally and the credentials 
are correct. The TLS tunnel itself seems to establish, but the 
authentication inside the tunnel fails.

Are there specific inner-tunnel settings (like PAP vs MSCHAPv2) required 
for local PacketFence users to work with UniFi APs?

Kind regards,

Osman

[PacketFence-users] Can't enable Tracking Config Service

[Rashaad N. <Ras...@ne...>]

All 5 nodes of my cluster are on Packetfence 14.0.0

I have an issue where (for the most part) I can start the servce but can not enable the service itself. The GUI indicates that this service is required for my configuration, but I have been unable to get it started and running on all nodes consistently.

My journalctl output shows:

journalctl -u packetfence-tracking-config.service
-- Logs begin at Sun 2026-04-05 20:22:42 CDT, end at Mon 2026-04-06 11:27:11 CDT. --
Apr 06 11:27:02 packetfence1.com systemd[1]: Starting PacketFence Configuration Change Tracking...
Apr 06 11:27:02 packetfence1.com bash[2928144]: On branch master
Apr 06 11:27:02 packetfence1.com bash[2928144]: nothing to commit, working tree clean
Apr 06 11:27:02 packetfence1.com systemd[1]: packetfence-tracking-config.service: Main process exited, code=exited, status=1/FAILURE
Apr 06 11:27:02 packetfence1.com systemd[1]: packetfence-tracking-config.service: Failed with result 'exit-code'.
Apr 06 11:27:02 packetfence1.com systemd[1]: Failed to start PacketFence Configuration Change Tracking.

And this is one other error I saw being listed

On branch master
Untracked files:
(use "git add <file>..." to include in what will be committed)
server.csr
server.key
ssl/radius_default_tls-common.crt
ssl/radius_default_tls-common.key
ssl/radius_default_tls-common.pem
ssl/radius_default_tls-eap-fast.crt
ssl/radius_default_tls-eap-fast.key
ssl/radius_default_tls-eap-fast.pem
system_init_key

Trying to enable from the GUI I just get a generic error of

"packetfence Failed to enable services tracking-config. See the server error logs for more information."

[PacketFence-users] R: Issue with 802.1X Authentication and AD Integration in PacketFence v1

[Luca M. <l.m...@me...>]

Hi all,
I have the same issue using PF 15 and user auth  PEAP (mschapv2).

Did you resolve this issue?
How did you resolve it?

Thank you very much





[cid:30y_2_05f4b20d-97f6-493b-b95a-8217ad40d290.png]
Luca Messori
Solution Architect
l.m...@me...<mailto:l.m...@me...>
Phone: +390522265843<tel:+390522265843> Mobile: +393351442007<tel:+393351442007>

MEAD Informatica s.r.l. - Via G.Ferraris, 2, 42122  Reggio Emilia  RE - Tel: +390522265950
[cid:banner_63af738f-e6d3-4349-b22a-7c07b83ab925.png] <https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&e=evento1&m=1>
[cid:fb_logo_97aca8b0-c725-45d6-b2d8-bf654d5981ef.png]<https://it-it.facebook.com/meadinformatica/>  [cid:ln_5a89b05f-4a1f-45e1-bbd8-06fb2ed838b5.png] <https://it.linkedin.com/company/mead-informatica>   [cid:yt_logo_1c5256aa-17c0-4262-aae7-ea5a07437927.png] <https://youtube.com/embed/uR83yD9n9_I?autoplay=1>   [cid:site_ce438972-3fa9-412f-a61a-d29e3867516b.png] <https://www.meadinformatica.it>
        Aiutaci a migliorare; ti basta 1 click  [cid:face_4_87abb270-ce3f-469f-94cc-57b652b5cc27.png] <https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&f=9>   [cid:face_3_74e58a94-1eea-424c-8518-e24d1de640dc.png] <https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&f=7>   [cid:face_2_6950612e-2208-40a2-8380-933eef34a506.png] <https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&f=4>   [cid:face_1_6e17133e-7935-42be-88a0-816e781c8489.png] <https://click.meadinformatica.it/index.aspx?d=20260402101139&a=...@ak...;pac...@li...&s=l...@me...&f=0>

GDPR 2016/679 Il presente messaggio e gli eventuali suoi allegati sono di natura aziendale, prevalentemente confidenziale e sono visionabili solo dal destinatario di posta elettronica. La risposta o l’eventuale invio spontaneo da parte vostra di e-mail al nostro indirizzo potrebbero non assicurare la confidenzialità potendo essere viste da altri soggetti appartenenti all’Azienda oltre che al firmatario della presente, per finalità di sicurezza informatica, amministrative e allo scopo del continuo svolgimento dell’attività aziendale. Qualora questo messaggio vi fosse pervenuto per errore, vi preghiamo di cancellarlo dal vostro sistema e chiediamo di darne cortesemente comunicazione al mittente. La Vs. mail è in ns. possesso in quanto da Voi fornitaci tramite comunicazione scritta, telefonica, telematica o direttamente oralmente. Essa è utilizzata esclusivamente per fornirVi informazioni sulla ns. attività e sui servizi da noi offerti. Non sarà ceduta a terzi in nessun caso salvo approvazione da parte Vostra. Il Titolare del trattamento è Mead Informatica srl, contattabile alla mail in...@me.... I ns. sistemi informativi e le ns. procedure interne sono conformi alle norme e garantiamo la presenza di adeguate misure tecniche ed organizzative costantemente aggiornate.
________________________________
Da: Mahmoud Mabrouk via PacketFence-users <pac...@li...>
Inviato: giovedì 6 febbraio 2025 19:41
A: Ma, Zhihao <zm...@ak...>
Cc: Mahmoud Mabrouk <mah...@gm...>; pac...@li... <pac...@li...>
Oggetto: Re: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1

Request Time

RADIUS Request
Event-Timestamp = "Feb  6 2025 18:39:18 UTC",
FreeRADIUS-Client-IP-Address = "192.168.110.50",
Module-Failure-Message = "rest: Server returned:",
Module-Failure-Message = "rest: {"Reply-Message":"CLI or VPN Access is not allowed by PacketFence on this switch","control:PacketFence-Authorization-Status":"allow"}",
NAS-IP-Address = "192.168.110.50",
PacketFence-KeyBalanced = "86318e52f5ed4801abe1d13d509443de",
PacketFence-Radius-Ip = "192.168.11.206",
Realm = "null",
Stripped-User-Name = "ali",
User-Name = "ali",
User-Password = "******"

RADIUS Reply
REST-HTTP-Status-Code = "401"

On Thu, Feb 6, 2025 at 5:12 PM Ma, Zhihao <zm...@ak...<mailto:zm...@ak...>> wrote:

Hi Mahmoud

After the configuration, you’ll need to (re) start packetfence-ntlm-auth-api

And do a machine account test (or refresh the domain lists to see if the joining status is green)

Taking a look at packetfence logs would probably give you the exact reason of an authentication failure



Thabks



--

Zhihao Ma
Software Engineer Senior


[cid:ii_194dc90fdd44cff311]



Office: +1 613 714 6311


Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142



Connect with Us:


[cid:ii_194dc90fdd45b16b22]<https://community.akamai.com/> [cid:ii_194dc90fdd4692e333] <http://blogs.akamai.com/>  [cid:ii_194dc90fdd47745b44] <https://twitter.com/akamai>  [cid:ii_194dc90fdd4855d355] <http://www.facebook.com/AkamaiTechnologies>  [cid:ii_194dc90fdd49374b66] <http://www.linkedin.com/company/akamai-technologies>  [cid:ii_194dc90fdd4a18c377] <http://www.youtube.com/user/akamaitechnologies?feature=results_main>






From: Mahmoud Mabrouk via PacketFence-users <pac...@li...<mailto:pac...@li...>>
Reply-To: "pac...@li...<mailto:pac...@li...>" <pac...@li...<mailto:pac...@li...>>
Date: Thursday, February 6, 2025 at 10:05
To: "pac...@li...<mailto:pac...@li...>" <pac...@li...<mailto:pac...@li...>>
Cc: Mahmoud Mabrouk <mah...@gm...<mailto:mah...@gm...>>
Subject: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1



Hi everyone, I'm currently working on integrating PacketFence version 14 with Active Directory for 802. 1X authentication based on user group membership. I've followed the steps in the documentation, but I'm encountering an issue

ZjQcmQRYFpfptBannerStart

This Message Is From an External Sender


This message came from outside your organization.




ZjQcmQRYFpfptBannerEnd

Hi everyone,



I'm currently working on integrating PacketFence version 14 with Active Directory for 802.1X authentication based on user group membership. I've followed the steps in the documentation, but I'm encountering an issue where users are not being authenticated correctly.



Here are the details:

- PacketFence version: 14

- AD domain: example.com<https://urldefense.com/v3/__http:/example.com__;!!GjvTz_vk!Sy138QxgdETnHiB_4n0vskWatX1_hRQCR_PDqWMgJuvpy_etWuf2jkD0iyAdI9xZy-RFpaMe-Or4E2tWi-AID4pwPs2cCdU$>

- Error message: "Authentication failed for user [username]"



Steps I've taken so far:

1. Configured the AD domain in PacketFence.

2. Set up RADIUS authentication.

3. Configured 802.1X authentication.



Any help or suggestions would be greatly appreciated!



Thank you,

Mahmoud

Re: [PacketFence-users] Request for final config steps

[Nagasuki <nag...@gm...>]

Hello Community,

Please, anybody with a working implementation of VLAN enforcement setup
please reply me.

Specifically, I'm looking for a clearer instructions on how to configure
PacketFence for the following scenario:
‎- User plugs into wired port
‎- 802.1X login (AD credentials)
‎- If device is not registered → forced into Registration VLAN
‎- Captive portal appears
‎- User logs in again → device registered
‎- PacketFence reauthenticates device
‎Based on AD group:
‎Staff → VLAN 251
‎Student → VLAN 253
‎- WiFi is connected on an in-line interface

The installation guide is not beginner-friendly and tends to be confusing.

I will greatly appreciate anybody who can point me in the right direction.

Regards,
Nagasuki


On Sun, Mar 29, 2026, 19:52 Nagasuki <nag...@gm...> wrote:

> Hello. I am in the process of implementing PacketFence, and my intention
> is to deploy a setup that does the following:
> ‎
> ‎- User plugs into wired port
> ‎- 802.1X login (AD credentials)
> ‎- If device is not registered → forced into Registration VLAN
> ‎- Captive portal appears
> ‎- User logs in again → device registered
> ‎- PacketFence reauthenticates device
> ‎Based on AD group:
> ‎Staff → VLAN 251
> ‎Student → VLAN 253
> ‎- WiFi is connected on an in-line interface
> ‎
> ‎So far I have done:
> ‎1. Configuration of management interfaces and IP
>
> ‎2. Configured a second trunk interface and on it I specified
> sub-interface IPs and VLANing for isolation and registration networks
>
> ‎3. Specified VLANs without IPs (and type 'Other' for two more VLANs that
> will be normal VLANs each for staff and students
>
> ‎4. On the physical switch, I configured a trunk port going to the
> PacketFence second interface, plus an access port going to the PacketFence
> management network. I also configured two test access ports with 802.1x
> fully configured for VLAN enforcement
>
> ‎5. In PacketFence, I joined domain and also specified base and bind DNs.
> These are all confirmed to be working
>
> ‎6. I also added a test switch, created two additional roles that I intend
> to map staff and students' VLANs to. On the switch (in PacketFence), I also
> further configured the roles and specified VLAN IDs for registration,
> isolation, staff, students, and guest
>
> ‎7. I have also associated both the default and null realms with my domain
> ‎
> ‎Please guide me step by step to configure the remaining componets for my
> deployment.
> ‎
> ‎Regards,
> ‎Nagasuki
>

[PacketFence-users] Request for final config steps

[Nagasuki <nag...@gm...>]

Hello. I am in the process of implementing PacketFence, and my intention is
to deploy a setup that does the following:
‎
‎- User plugs into wired port
‎- 802.1X login (AD credentials)
‎- If device is not registered → forced into Registration VLAN
‎- Captive portal appears
‎- User logs in again → device registered
‎- PacketFence reauthenticates device
‎Based on AD group:
‎Staff → VLAN 251
‎Student → VLAN 253
‎- WiFi is connected on an in-line interface
‎
‎So far I have done:
‎1. Configuration of management interfaces and IP

‎2. Configured a second trunk interface and on it I specified sub-interface
IPs and VLANing for isolation and registration networks

‎3. Specified VLANs without IPs (and type 'Other' for two more VLANs that
will be normal VLANs each for staff and students

‎4. On the physical switch, I configured a trunk port going to the
PacketFence second interface, plus an access port going to the PacketFence
management network. I also configured two test access ports with 802.1x
fully configured for VLAN enforcement

‎5. In PacketFence, I joined domain and also specified base and bind DNs.
These are all confirmed to be working

‎6. I also added a test switch, created two additional roles that I intend
to map staff and students' VLANs to. On the switch (in PacketFence), I also
further configured the roles and specified VLAN IDs for registration,
isolation, staff, students, and guest

‎7. I have also associated both the default and null realms with my domain
‎
‎Please guide me step by step to configure the remaining componets for my
deployment.
‎
‎Regards,
‎Nagasuki

[PacketFence-users] Packetfence DPSK generation and login with users DPSK

[Miguel v. L. <Mig...@Qu...>]

Hello,
We have configured PacketFence DPSK on our Fortinet equipment.
I created a provisioner for DPSK and assigned it to a new connection profile.
Unfortunately, we are unable to authenticate using the PSK that we configured in the user account. We receive the following error:

2026-03-27T16:14:13.737687+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) WARN: [mac:ea:5c:63:0a:b4:92] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
2026-03-27T16:14:13.737951+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Instantiate profile PROFILE_IoT_DPSK (pf::Connection::ProfileFactory::_from_profile)
2026-03-27T16:14:13.738791+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Found authentication source(s) : 'local,file1,EAP-TLS-PROFILE' for realm 'null' (pf::config::util::filter_authentication_sources)
2026-03-27T16:14:13.738954+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] MFA Pre Authentication (pf::radius::mfa_pre_auth)
2026-03-27T16:14:13.739479+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Instantiate profile PROFILE_IoT_DPSK (pf::Connection::ProfileFactory::_from_profile)
2026-03-27T16:14:13.740137+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Found authentication source(s) : 'local,file1,EAP-TLS-PROFILE' for realm 'null' (pf::config::util::filter_authentication_sources)
2026-03-27T16:14:13.740517+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Using sources local, file1, EAP-TLS-PROFILE for matching (pf::authentication::match2)
2026-03-27T16:14:13.762864+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Password validation failed for 60-45-2E-75-BD-D1: passwords don't match (pf::password::validate_password)
2026-03-27T16:14:13.763145+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) ERROR: [mac:ea:5c:63:0a:b4:92] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
2026-03-27T16:14:13.763480+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] User 60-45-2E-75-BD-D1 tried to login in 10.237.51.254 but authentication failed (pf::radius::authenticate)
2026-03-27T16:14:15.255941+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] handling radius autz request: from switch_ip => (10.237.51.254), connection_type => Ethernet-NoEAP,switch_mac => (Unknown), mac => [0], port => (Unknown), username => "60-45-2E-75-BD-D1" (pf::radius::switch_access)

Additionally, should the DPSK be generated automatically?
The documentation is not very clear on this point.
Does anyone have experience with this setup?



Bedrijfsvertrouwelijk (BVT1)

[PacketFence-users] sms carriers

[Miguel v. L. <Mig...@Qu...>]

Hello,
I would like to explore options for SMS carriers in PacketFence.
At the moment, only Twilio and Clickatell seem to be supported via API integration, and with the current "SMS" option there is no place to configure carrier details.
Does anyone have experience with how this works, and whether it's possible to use a random online provider as long as it supports API calls?

Thanks in advance,

Miguel



Bedrijfsvertrouwelijk (BVT1)

[PacketFence-users] sms carriers

[Miguel v. L. <Mig...@Qu...>]

Hello,
I would like to explore options for SMS carriers in PacketFence.
At the moment, only Twilio and Clickatell seem to be supported via API integration, and with the current "SMS" option there is no place to configure carrier details.
Does anyone have experience with how this works, and whether it's possible to use a random online provider as long as it supports API calls?

Thanks in advance,

Miguel



Bedrijfsvertrouwelijk (BVT1)

[PacketFence-users] sms carriers

[Miguel v. L. <Mig...@Qu...>]

Hello,
I would like to explore options for SMS carriers in PacketFence.
At the moment, only Twilio and Clickatell seem to be supported via API integration, and with the current "SMS" option there is no place to configure carrier details.
Does anyone have experience with how this works, and whether it's possible to use a random online provider as long as it supports API calls?

Thanks in advance,

Miguel



Bedrijfsvertrouwelijk (BVT1)

[PacketFence-users] sms carriers

[Miguel v. L. <Mig...@Qu...>]

Hello,
I would like to explore options for SMS carriers in PacketFence.
At the moment, only Twilio and Clickatell seem to be supported via API integration, and with the current "SMS" option there is no place to configure carrier details.
Does anyone have experience with how this works, and whether it's possible to use a random online provider as long as it supports API calls?

Thanks in advance,

Miguel



Bedrijfsvertrouwelijk (BVT1)

Re: [PacketFence-users] PacketFence not parsing Framed-IP-Address

[Keith N. <kn...@wc...>]

I figured this out.

I needed to enable “Update the epilog using the account” under Configuration > System Configuration > Main Configuration > Advanced.
This is in the documentation but not in the most convenient location.

After I enabled that the IP Address of the clients are now being logged.

Keith Nelson | WCG
Director, Solutions Engineering

From: Keith Nelson via PacketFence-users <pac...@li...>
Date: Friday, March 13, 2026 at 04:51
To: pac...@li... <pac...@li...>
Cc: Keith Nelson <kn...@wc...>
Subject: [PacketFence-users] PacketFence not parsing Framed-IP-Address

CAUTION: This email originated from outside of the organization.
Do not click links or open attachments unless you recognize the sender and know the content is safe.
If you believe the contents of this email may be unsafe, report it immediately by clicking the WCG Phish Alert Button (PAB).

I have a new install of PacketFence 15.0 using the ISO Image.

I have a Meraki AP configured at working using cert based EAP-TLS with both RAD and RADACCT configured.

The issue I’m trying to figure out is that PacketFence is ignoring (or somewhere dropping) the Framed-IP-Address AVP in the radius accounting messages.
I did a packet capture on the PacketFence server and have confirmed that the AP is sending the correct information in the packets and the server is receiving the correct information from a network layer.

Any guidance would be greatly appreciated. Thank you


Keith Nelson | WCG
Director, Solutions Engineering

[PacketFence-users] PacketFence not parsing Framed-IP-Address

[Keith N. <kn...@wc...>]

I have a new install of PacketFence 15.0 using the ISO Image.

I have a Meraki AP configured at working using cert based EAP-TLS with both RAD and RADACCT configured.

The issue I’m trying to figure out is that PacketFence is ignoring (or somewhere dropping) the Framed-IP-Address AVP in the radius accounting messages.
I did a packet capture on the PacketFence server and have confirmed that the AP is sending the correct information in the packets and the server is receiving the correct information from a network layer.

Any guidance would be greatly appreciated. Thank you


Keith Nelson | WCG
Director, Solutions Engineering

[PacketFence-users] R: Pakcetfence Cluster AD issue

[Luca M. <l.m...@me...>]

Hi Renato,
I have a problem setting the slave node.
I'm trying to set the server-id variable but all my tries doesn't work (after restarting mariadb I have server_id=1).
Can you tell me how/whetre did you set the server-id?




[cid:30y_2_79ddfa65-067f-4a77-802b-4fa23798c9e4.png]
Luca Messori
Solution Architect
l.m...@me...<mailto:l.m...@me...>
Phone: +390522265843<tel:+390522265843> Mobile: +393351442007<tel:+393351442007>

MEAD Informatica s.r.l. - Via G.Ferraris, 2, 42122  Reggio Emilia  RE - Tel: +390522265950
[cid:banner_74a338bf-5f3f-4627-9c8f-21935dccfb5c.png] <https://click.meadinformatica.it/index.aspx?d=20260310103229&a=p...@li...&s=l...@me...&e=evento2&m=1>
[cid:fb_logo_1f3b8236-0bc8-4116-9039-b600d22861b4.png]<https://it-it.facebook.com/meadinformatica/>  [cid:ln_a4670ff9-e7b7-4ebb-a3bb-4efabb72476a.png] <https://it.linkedin.com/company/mead-informatica>   [cid:yt_logo_a1a16aa7-86b1-49b1-a5fc-af149d2d7840.png] <https://youtube.com/embed/uR83yD9n9_I?autoplay=1>   [cid:site_9ffcc4a3-8d18-42f9-b36e-cb8e284a61ce.png] <https://www.meadinformatica.it>
        Aiutaci a migliorare; ti basta 1 click  [cid:face_4_2b92a71b-043a-46fe-a617-487ba86f0db1.png] <https://click.meadinformatica.it/index.aspx?d=20260310103229&a=p...@li...&s=l...@me...&f=9>   [cid:face_3_d9f6fb45-adb0-46b3-833d-8b1646ea6c98.png] <https://click.meadinformatica.it/index.aspx?d=20260310103229&a=p...@li...&s=l...@me...&f=7>   [cid:face_2_ff3bf04b-1e96-4c25-aa6a-3a6e0951a732.png] <https://click.meadinformatica.it/index.aspx?d=20260310103229&a=p...@li...&s=l...@me...&f=4>   [cid:face_1_6fcd164c-c86a-4a52-91ce-6ec59e62073f.png] <https://click.meadinformatica.it/index.aspx?d=20260310103229&a=p...@li...&s=l...@me...&f=0>


GDPR 2016/679 Il presente messaggio e gli eventuali suoi allegati sono di natura aziendale, prevalentemente confidenziale e sono visionabili solo dal destinatario di posta elettronica. La risposta o l'eventuale invio spontaneo da parte vostra di e-mail al nostro indirizzo potrebbero non assicurare la confidenzialità potendo essere viste da altri soggetti appartenenti all'Azienda oltre che al firmatario della presente, per finalità di sicurezza informatica, amministrative e allo scopo del continuo svolgimento dell'attività aziendale. Qualora questo messaggio vi fosse pervenuto per errore, vi preghiamo di cancellarlo dal vostro sistema e chiediamo di darne cortesemente comunicazione al mittente. La Vs. mail è in ns. possesso in quanto da Voi fornitaci tramite comunicazione scritta, telefonica, telematica o direttamente oralmente. Essa è utilizzata esclusivamente per fornirVi informazioni sulla ns. attività e sui servizi da noi offerti. Non sarà ceduta a terzi in nessun caso salvo approvazione da parte Vostra. Il Titolare del trattamento è Mead Informatica srl, contattabile alla mail in...@me.... I ns. sistemi informativi e le ns. procedure interne sono conformi alle norme e garantiamo la presenza di adeguate misure tecniche ed organizzative costantemente aggiornate.
________________________________
Da: Renato Pereira via PacketFence-users <pac...@li...>
Inviato: mercoledì 10 settembre 2025 19:02
A: pac...@li... <pac...@li...>
Cc: Renato Pereira <ren...@gm...>
Oggetto: Re: [PacketFence-users] Pakcetfence Cluster AD issue

Hello Everyone,

Today I configured the slave DB, to try and fix this issue. But when I break the connection between the clusters I can't login in DC2, I tried with AD user and local user.

on the master for the slave cluster looks fine:

MariaDB [(none)]> SHOW SLAVE STATUS;
+----------------------------------+-------------+-------------+-------------+---------------+--------------------+---------------------+------------------------------+---------------+-----------------------+------------------+-------------------+-----------------+---------------------+--------------------+------------------------+-------------------------+-----------------------------+------------+------------+--------------+---------------------+-----------------+-----------------+----------------+---------------+--------------------+--------------------+--------------------+-----------------+-------------------+----------------+-----------------------+-------------------------------+---------------+---------------+----------------+----------------+-----------------------------+------------------+----------------+--------------------+------------+-------------------------------------------------+-------------------------+-----------------------------+---------------+-----------+---------------------+--------------------------------------------------------+------------------+--------------------------------+----------------------------+
| Slave_IO_State                   | Master_Host | Master_User | Master_Port | Connect_Retry | Master_Log_File    | Read_Master_Log_Pos | Relay_Log_File               | Relay_Log_Pos | Relay_Master_Log_File | Slave_IO_Running | Slave_SQL_Running | Replicate_Do_DB | Replicate_Ignore_DB | Replicate_Do_Table | Replicate_Ignore_Table | Replicate_Wild_Do_Table | Replicate_Wild_Ignore_Table | Last_Errno | Last_Error | Skip_Counter | Exec_Master_Log_Pos | Relay_Log_Space | Until_Condition | Until_Log_File | Until_Log_Pos | Master_SSL_Allowed | Master_SSL_CA_File | Master_SSL_CA_Path | Master_SSL_Cert | Master_SSL_Cipher | Master_SSL_Key | Seconds_Behind_Master | Master_SSL_Verify_Server_Cert | Last_IO_Errno | Last_IO_Error | Last_SQL_Errno | Last_SQL_Error | Replicate_Ignore_Server_Ids | Master_Server_Id | Master_SSL_Crl | Master_SSL_Crlpath | Using_Gtid | Gtid_IO_Pos                                     | Replicate_Do_Domain_Ids | Replicate_Ignore_Domain_Ids | Parallel_Mode | SQL_Delay | SQL_Remaining_Delay | Slave_SQL_Running_State                                | Slave_DDL_Groups | Slave_Non_Transactional_Groups | Slave_Transactional_Groups |
+----------------------------------+-------------+-------------+-------------+---------------+--------------------+---------------------+------------------------------+---------------+-----------------------+------------------+-------------------+-----------------+---------------------+--------------------+------------------------+-------------------------+-----------------------------+------------+------------+--------------+---------------------+-----------------+-----------------+----------------+---------------+--------------------+--------------------+--------------------+-----------------+-------------------+----------------+-----------------------+-------------------------------+---------------+---------------+----------------+----------------+-----------------------------+------------------+----------------+--------------------+------------+-------------------------------------------------+-------------------------+-----------------------------+---------------+-----------+---------------------+--------------------------------------------------------+------------------+--------------------------------+----------------------------+
| Waiting for master to send event | 10.58.0.20  | pfcluster   |        3306 |            60 | mariadb-bin.000834 |                5348 | BRAFORVM009-relay-bin.000002 |           779 | mariadb-bin.000834    | Yes              | Yes               |                 |                     |                    |                        |                         |                             |          0 |            |            0 |                5348 |            1094 | None            |                |             0 | No                 |                    |                    |                 |                   |                |                     0 | No                            |             0 |               |              0 |                |                             |                1 |                |                    | Slave_Pos  | 1-1-156,171573269-1-3751235,171573273-1-6470340 |                         |                             | optimistic    |         0 |                NULL | Slave has read all relay log; waiting for more updates |                0 |                              0 |                          0 |
+----------------------------------+-------------+-------------+-------------+---------------+--------------------+---------------------+------------------------------+---------------+-----------------------+------------------+-------------------+-----------------+---------------------+--------------------+------------------------+-------------------------+-----------------------------+------------+------------+--------------+---------------------+-----------------+-----------------+----------------+---------------+--------------------+--------------------+--------------------+-----------------+-------------------+----------------+-----------------------+-------------------------------+---------------+---------------+----------------+----------------+-----------------------------+------------------+----------------+--------------------+------------+-------------------------------------------------+-------------------------+-----------------------------+---------------+-----------+---------------------+--------------------------------------------------------+------------------+--------------------------------+----------------------------+
1 row in set (0.000 sec)

MariaDB [(none)]>


Em sex., 5 de set. de 2025 às 07:02, Renato Pereira <ren...@gm...<mailto:ren...@gm...>> escreveu:
Hello everyone,

We have a packetfence cluster L3 working perfectly with 3 nodes in the cloud and 2 onsite, in both there are AD configured ( 2 in each one).  The local packetfence has priority and I can see it authenticate the users.

In the authentication source I configured the 4 servers and I can validate.In the Active Directory Domain if I access each one I can see they can join in the domain
Today we had a problem with the link between the local site and the cloud, at this moment the local packetfence couldn't authenticate the users locally, during the problem I checked the Active Directory Domain and the local servers couldn't join to the domain.
I checked the local AD servers and I can see the machine accounts.
After a few minutes, the link was returned and all the servers now are working well.

My question is, how can I set my deployment for when the link to the primary cluster down the local cluster keeps authentication.

[PacketFence-users] VOIP-Device on Juniper Port

[Schüller D. <den...@nu...>]

Hey,
does anyone know how to correctly set up a VoIP device on a Juniper switch with PacketFence?

Currently when I connect a VoIP phone, it is detected as a voice device, so "VoIP over IP" is set to true and the role changes to "voice". The interface also gets the correct voice VLAN.
However, the data VLAN stays at VLAN 1, but it should be assigned to a different VLAN ID.

Does anyone know how to configure the correct data VLAN for the device?


Thanks!




Grüße aus der Grünen Hölle / Regards from the Green Hell
i. A. Dennis Schüller
Systembetreuung | IT
den...@nu...
T +49 2691 302-9885 | M +49 151 571 320 36
Nürburgring 1927 GmbH & Co. KG | Otto-Flimm-Str. | 53520 Nürburg | nuerburgring.de
[Key_Visual_Email_Abbinder.jpg]<https://nuerburgring.de/news/strikes-statt-rundenzeiten-nuerburgring-eroeffnet-neues-bowlingcenter-im-ring-carre>
Bitte schonen Sie unsere Umwelt und drucken die E-Mail nur aus, wenn es wirklich notwendig ist.
Please consider the environment before printing this email.

Unsere Datenschutzerklärung finden Sie hier<https://nuerburgring.de/info/company/privacy-policy>  | You can find our privacy policy here.<https://nuerburgring.de/info/company/privacy-policy>

[PacketFence-users] Question about multisite

[Luca M. <l.m...@me...>]

Hi all,
I have a multisite environnement and I would like to create a single management server and a single server on each site.
So, I wouldn't like to create a cluster in the central site but only a management server and a NAC server configured as slave (master is the management).
All the other servers are slave.
Is it a supported architecture?
Can I avoid the galera cluster configuration in this way?

Thank you very much



[cid:30y_2_05f4b20d-97f6-493b-b95a-8217ad40d290.png]
Luca Messori
Solution Architect
l.m...@me...<mailto:l.m...@me...>
Phone: +390522265843<tel:+390522265843> Mobile: +393351442007<tel:+393351442007>

MEAD Informatica s.r.l. - Via G.Ferraris, 2, 42122  Reggio Emilia  RE - Tel: +390522265950
[cid:banner_63af738f-e6d3-4349-b22a-7c07b83ab925.png] <https://click.meadinformatica.it/index.aspx?d=20260305100628&a=p...@li...&s=l...@me...&e=evento1&m=1>
[cid:fb_logo_97aca8b0-c725-45d6-b2d8-bf654d5981ef.png]<https://it-it.facebook.com/meadinformatica/>  [cid:ln_5a89b05f-4a1f-45e1-bbd8-06fb2ed838b5.png] <https://it.linkedin.com/company/mead-informatica>   [cid:yt_logo_1c5256aa-17c0-4262-aae7-ea5a07437927.png] <https://youtube.com/embed/uR83yD9n9_I?autoplay=1>   [cid:site_ce438972-3fa9-412f-a61a-d29e3867516b.png] <https://www.meadinformatica.it>
        Aiutaci a migliorare; ti basta 1 click  [cid:face_4_87abb270-ce3f-469f-94cc-57b652b5cc27.png] <https://click.meadinformatica.it/index.aspx?d=20260305100628&a=p...@li...&s=l...@me...&f=9>   [cid:face_3_74e58a94-1eea-424c-8518-e24d1de640dc.png] <https://click.meadinformatica.it/index.aspx?d=20260305100628&a=p...@li...&s=l...@me...&f=7>   [cid:face_2_6950612e-2208-40a2-8380-933eef34a506.png] <https://click.meadinformatica.it/index.aspx?d=20260305100628&a=p...@li...&s=l...@me...&f=4>   [cid:face_1_6e17133e-7935-42be-88a0-816e781c8489.png] <https://click.meadinformatica.it/index.aspx?d=20260305100628&a=p...@li...&s=l...@me...&f=0>

GDPR 2016/679 Il presente messaggio e gli eventuali suoi allegati sono di natura aziendale, prevalentemente confidenziale e sono visionabili solo dal destinatario di posta elettronica. La risposta o l'eventuale invio spontaneo da parte vostra di e-mail al nostro indirizzo potrebbero non assicurare la confidenzialità potendo essere viste da altri soggetti appartenenti all'Azienda oltre che al firmatario della presente, per finalità di sicurezza informatica, amministrative e allo scopo del continuo svolgimento dell'attività aziendale. Qualora questo messaggio vi fosse pervenuto per errore, vi preghiamo di cancellarlo dal vostro sistema e chiediamo di darne cortesemente comunicazione al mittente. La Vs. mail è in ns. possesso in quanto da Voi fornitaci tramite comunicazione scritta, telefonica, telematica o direttamente oralmente. Essa è utilizzata esclusivamente per fornirVi informazioni sulla ns. attività e sui servizi da noi offerti. Non sarà ceduta a terzi in nessun caso salvo approvazione da parte Vostra. Il Titolare del trattamento è Mead Informatica srl, contattabile alla mail in...@me.... I ns. sistemi informativi e le ns. procedure interne sono conformi alle norme e garantiamo la presenza di adeguate misure tecniche ed organizzative costantemente aggiornate.

Re: [PacketFence-users] Localization of captive portal

[Christos N. <nt...@uo...>]

“[…]Unfortunately, there is no updated information in the PacketFence documentation how the Docker-based PacketFence is working and what to do to edit the perl code or other files.”

 

Actually the above is not entirely  true, there are instructions on how to apply changes in the Perl code to the Docker containers in this documentation: https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_containers_recipes

There is still no documentation to understand which containers are affected by the Pel code inside /usr/local/pf/lib/pf.

But for the localization case, I think the httpd.portal and pfperl-api containers should be the ones that need rebuild.

 

 

Christos Ntokos

-----------------------------------------------------------------

Network Services and Infrastructure Department

Digital Governance Unit, University of Ioannina

 

 

Re: [PacketFence-users] Localization of captive portal

[Christos N. <nt...@uo...>]

Hello,

 

We were also struggling to add a new language (Greek) to PacketFence.

It turns out that except adding and compiling a new packetfence.po file, you also need to edit the perl code.

Specifically, you need to edit the file lib/pf/web/constants.pm and add the new language in the Array variable LOCALES (line 201):

Readonly::Array our @LOCALES =>

  (

   qw(en_US es_ES fr_FR fr_CA de_DE he_IL it_IT nb_NO nl_NL pl_PL pt_BR tr_TR)

  );

 

The problem with changing the perl code is that any changes you make in the .pm perl files inside /usr/local/pf/lib have no effect, since PacketFence started using Docker containers (version 11.2 and later, I think). So you need to find the Docker mapped folders where the /usr/local/pf/lib files are copied.

Unfortunately, there is no updated information in the PacketFence documentation how the Docker-based PacketFence is working and what to do to edit the perl code or other files.

 

 

Christos Ntokos

-----------------------------------------------------------------

Network Services and Infrastructure Department

Digital Governance Unit, University of Ioannina

 

 

[PacketFence-users] My revoked certificates still seem to work

[Maximilian D. <cyb...@ya...>]

Greetings fellow PacketFence users,

I’ve been getting to learn PacketFence on my own by a combination of experiments and reading the manual and have gotten myself almost across the finish line.  I’ve gotten clustering set up, and the EAP-TLS pipeline set up as well as device provisioning.  Everything works with the exception of two issues I encountered, which are pretty show-stopping.

The first issue is, clients logging in with the certificate they were issued for some reason is triggering packetfence to arbitrarily revoke said certificates.  The revocation reason is KeyCompromise.  I also observed PacketFence making many failed insertions into the pki_revoked_certs table with empty data, so I’m not precluding the possibility of a bug.  I haven’t figured out what is triggering this behavior, and AFACT, the logs aren’t being meaningful to me.

The second issue, revoked certificates still seem to work.

If anyone has any idea on what could be triggering this, and why revoked certificates aren’t actually getting denied by the RADIUS server, I would be really grateful.  I’m running PF 15.0, if that helps.

Best, 

Maximilian Doerr

[PacketFence-users] PacketFence -SophosUG

[ondur k. <on...@gm...>]

Hello PacketFence community,

We are preparing for a PacketFence NAC deployment and we want to confirm
compatibility and set realistic expectations.

Do you have experience running PacketFence with the Sophos devices listed
below? If yes, which NAC functions work well, and which ones have limits?

Network equipment in scope

   -

   Firewalls: Sophos XGS2100, Sophos XGS107W
   -

   Switches: Sophos CS110-48FP, Sophos CS110-24FP
   -

   Access Points: Sophos APX320
   -

   Also present in the environment: Cisco Catalyst 3750, Cisco 2911

What we want to achieve

   -

   Wired and wireless access control (802.1X and/or MAB)
   -

   Guest captive portal
   -

   BYOD onboarding portal
   -

   Device identification and profiling
   -

   Dynamic enforcement (VLAN assignment, re-auth, quarantine, ACL options)
   -

   Posture and compliance checks (if feasible)

Questions for the community

   1.

   Compatibility and real-world behavior


   -

   Does PacketFence integrate cleanly with Sophos CS110 switches and Sophos
   APX320 for NAC workflows?
   -

   Which features work reliably with Sophos in production: 802.1X, MAB,
   RADIUS accounting, CoA, dynamic VLAN changes, ACL enforcement?
   -

   Are there any known limitations or special configuration steps for
   Sophos XGS firewalls in a PacketFence deployment?


   2.

   Profiling and enforcement approach


   -

   What profiling sources work best in this Sophos environment (SNMP, DHCP
   fingerprinting, RADIUS, Nmap, MAC OUI)?
   -

   What enforcement pattern works best: VLANs, quarantine VLAN, switch
   ACLs, firewall policy, or a hybrid approach?


   3.

   Posture and compliance checks


   -

   Are posture checks practical with PacketFence in this setup?
   -

   If yes, what approach works: agent-based checks, MDM integration, or EDR
   integration?
   -

   What checks are realistic to promise to stakeholders?

What we are doing on our side

   -

   We will run PacketFence in a lab to test these use cases and share
   internal results.
   -

   We are preparing a customer expectations checklist and a technical
   proposal listing what is feasible and what needs other tools.

Any deployment notes, sample configs, or lessons learned for Sophos CS110
and APX320 integrations would help us a lot.

[PacketFence-users] PacketFence Cloud is Here - Early Access Now Open

[Petrus, A. <ap...@ak...>]

PacketFence Community,

After 20+ years of building the most trusted NAC solution, we're excited
to announce *PacketFence Cloud* - enterprise-grade Network Access Control
delivered as a managed service.

*Self-hosted PacketFence remains free.* Cloud is built on the exact same
engine - we've just removed the operational burden of managing MariaDB,
FreeRADIUS, Apache, and Linux clustering yourself.


WHY CLOUD?

  - *Zero infrastructure:* No servers, no OS patching, no capacity planning
  - *Automatic HA:* Built-in high availability and disaster recovery
  - *Always current:* Automatic updates without maintenance windows
  - *Offline resilient:* Local RADIUS caching keeps auth working during outages
  - *Scale elastically:* From 100 to 1,500,000+ endpoints


PERFECT FOR ORGANIZATIONS WHO:

  - Love PacketFence but lack dedicated staff to maintain it
  - Face compliance audits requiring guaranteed uptime SLAs
  - Want to shift from CapEx (servers) to OpEx (subscription)
  - Need multi-site deployment without the complexity


EARLY ACCESS

We're opening PacketFence Cloud to a select group of organizations first.
Early adopters get priority onboarding, direct access to our engineering
team during setup, and *six months free* to evaluate the platform.

  >> Request Early Access:
     https://www.packetfence.com/contacts/?package=cloud-professional

  >> Learn more:
     https://www.packetfence.com/cloud/


LIVE WEBINAR

Join us for a live demo and Q&A session.

  Date: March 23rd, 9:30 AM EST
  Register: https://akamai.webex.com/weblink/register/r59558c02e439407c40853ae101529e65


---

Prefer self-hosted? PacketFence self-hosted remains free.

  Download: https://www.packetfence.com/download/
  Documentation: https://www.packetfence.com/docs/
  Community: https://www.packetfence.com/community/

---

Andrei Petrus,
Director, Product Management
Akamai Technologies Inc.
https://www.packetfence.com

Re: [PacketFence-users] Automate the update of the Radius and admin certificates

[Rein v. ‘t V. <re...@va...>]

<html class="apple-mail-supports-explicit-dark-mode"><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Also: a few things to note:<div><br></div><div>Use pkcs#1 format, and RSA. Otherwise libSSL throws a fit. (It will work though)</div><div><br></div><div><br id="lineBreakAtBeginningOfSignature"><div dir="ltr">Sent from my iPhone</div><div dir="ltr"><br><blockquote type="cite">On 30 Jan 2026, at 17.08, Fabrice Durand via PacketFence-users &lt;pac...@li...&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">Hello Michael,<div><br></div><div>Those are the path of the certificates to be updated:</div><div><a href="https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/file_paths.pm#L348-L353">https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/file_paths.pm#L348-L353</a></div><div>Once you updated the certs, you have to restart for the web:</div><div>haproxy-portal and haproxy-admin api-frontend</div><div>and for radius:</div><div>radiusd-load_balancer' radiusd-acct radiusd-auth radiusd-eduroam</div><div><a href="https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/ssl.pm#L52-L67">https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/ssl.pm#L52-L67</a></div><div><br></div><div>Regards</div><div>Fabrice</div><div><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Le&nbsp;lun. 19 janv. 2026 à&nbsp;10:30, Michael York via PacketFence-users &lt;<a href="mailto:pac...@li...">pac...@li...</a>&gt; a écrit&nbsp;:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg2940260830198144161">




<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Running a cluster of 3 version 14.1 servers.&nbsp;&nbsp;</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
I am trying to automate the process of updating the Radius and admin certificates using the ACME protocol.<br>
I cannot use the Lets' Encrypt option directly. The servers are not directly connected to the web in anyway that would make this possible. nor do I want them to be.<br>
I have the option to use the DNS integration with cloudflare for the verification and use this and use that successfully on other systems.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Basically looking for the correct way to inject the new certificate into the cluster config safely and have the services restart.<br>
<br>
Any help would be great!</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Thanks</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
<br>
</div>
<p style="font-size:10pt;font-family:&quot;Times New Roman&quot;"></p>
<table style="width:900px" cellspacing="0" cellpadding="0" border="0">
  <tbody>
  <tr>
    <td style="font-size:10pt;font-family:&quot;Times New Roman&quot;;width:95px;padding-bottom:10px;padding-top:10px" valign="middle" rowspan="2" align="center"><span style="color:rgb(255,255,255)"><div>&lt;Riverview_Logo_d2a36e0a-069b-4ddf-931b-d2251d96a25d.png&gt;</div>.</span></td>
    <td style="font-size:10pt;font-family:&quot;Times New Roman&quot;;width:5px;padding-bottom:10px;padding-top:10px" valign="top" rowspan="2"><span style="color:rgb(255,255,255)">.</span></td>
    <td style="width:800px;padding-bottom:5px;padding-top:10px" valign="top"><span style="color:rgb(19,19,19);font-family:&quot;Times New Roman&quot;;font-size:14pt"><strong style="font-family:&quot;Times New Roman&quot;;color:rgb(9,78,147)"> 
      Michael York </strong><br></span><span style="color:rgb(154,154,154);font-family:&quot;Times New Roman&quot;;font-size:14pt">ICT Infrastructure Services Manager</span> 
      <br><strong style="color:rgb(9,78,147);font-family:&quot;Times New Roman&quot;;font-size:10pt">Saint 
      Ignatius' College Riverview</strong><br><font color="#094e93" face="Times New Roman">Cammeraigal Country</font><br><font color="#094e93" face="Times New Roman">115 Tambourine Bay Road, Riverview, NSW 2066</font><br><font color="#094e93" face="Times New Roman"><span style="font-size:9pt">+61 2 9882 8513</span></font><br><font color="#094e93" face="Times New Roman"><span style="font-size:9pt"></span></font></td></tr>
  <tr>
    <td style="font-size:9pt;font-family:&quot;Times New Roman&quot;;width:700px;padding-bottom:10px" valign="bottom">
      <p style="font-size:9pt;font-family:&quot;Times New Roman&quot;"><div>&lt;Riverview_Line_058c02b8-c4dc-423f-b051-7025e7209800.png&gt;</div>
      <br><strong style="font-family:&quot;Times New Roman&quot;;color:rgb(9,78,147)">As much as you can do, so much dare to do.</strong></p>
      </td></tr></tbody></table>

<table style="width:900px" cellspacing="0" cellpadding="0" border="0">
    <tbody>
      <tr>
        <td>
          
        </td>
      </tr>
       <tr>
         <td>
            <p style="font-size:9pt">At Riverview, we value the wellbeing of our staff. If your enquiry has been received outside standard school hours, our staff may not be available to respond to your email. We will endeavour to respond as promptly as possible.</p>
            <p style="font-size:9pt">Thank you for your understanding and cooperation.</p>
         </td>
       </tr>
    </tbody>
</table>      
</div>

_______________________________________________<br>
PacketFence-users mailing list<br>
<a href="mailto:Pac...@li..." target="_blank">Pac...@li...</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/packetfence-users" rel="noreferrer" target="_blank">https://lists.sourceforge.net/lists/listinfo/packetfence-users</a><br>
</div></blockquote></div>
<span>_______________________________________________</span><br><span>PacketFence-users mailing list</span><br><span>Pac...@li...</span><br><span>https://lists.sourceforge.net/lists/listinfo/packetfence-users</span><br></div></blockquote></div></body></html>

[PacketFence-users] Sem acesso ao Instagram e Facebook com packetfence.

[FLÁVIO S. <adm...@gm...>]

Hello everyone, When I try to access Instagram or Facebook via the wireless
network using the PacketFence 13.2 portal, Meta's server doesn't allow the
site to load and gives a certificate error message. In PacketFence, I use a
certificate with a CA from a certification company. Does anyone know how to
fix this?
Thank You.
Regards.

[PacketFence-users] Radius filter

[Enrique G. <eg...@jc...>]

 Hi

I have been trying to configure a filter to rewrite Called-Station-Id as we
are receiving "00:00:00:00:00:00:ssid", but I'm not sure if it's possible
and if I'm doing it right. I can see rule matches on packetfence.log but i
can validate if the attribute is rewritten. Or maybe the rule is not good.

[TEST]
description=rw unifi request
merge_answer=yes
scopes=preProcess
radius_status=RLM_MODULE_OK
condition=radius_request.Called-Station-Id == "00:00:00:00:00:00:regtest\"
top_op=and
status=enabled
answer.0=control:Called-Station-Id = $radius_request.Nas-Identifier

Thanks in advance, Enrique