From: Daniel C. <dan...@gm...> - 2026-05-06 06:40:23
|
Hi all,

I'm scoping a deployment of PacketFence for an OT network segmentation project. The wired access layer is built on Moxa industrial switches — specifically the RKS-G4028 series running Next-gen OS v4.x. Before committing to PacketFence as the NAC platform I'd like to hear from anyone who has done (or attempted) integration with this hardware.

Use case:
- 802.1X EAP-TLS authentication for service laptops (Windows in AD domain, certificates from Microsoft AD CS or other)
- Dynamic VLAN assignment via RADIUS (RFC 3580 Tunnel-* attributes)
- No captive portal, no BYOD in current scope
- Likely future need: RADIUS CoA for SIEM-driven quarantine

Specific questions:
1. Has anyone successfully integrated Moxa RKS-G4028 (or any Moxa managed switch on Next-gen OS v4.x) with PacketFence? If so, which switch module did you use — Generic, or something more specific?
2. Does Moxa Next-gen OS v4.x reliably honor RADIUS-assigned dynamic VLAN (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID)? Public Moxa documentation is not explicit on this and I'd rather hear from someone who tested it than guess.
3. Does it support RADIUS CoA/Disconnect-Request (UDP 3799)?
4. Any gotchas with MAC Authentication Bypass (MAB) on this platform — particularly around how Moxa names the feature and whether reauthentication intervals work as expected?
5. SNMP integration — does PacketFence's SNMP-based port management work with Moxa MIBs out of the box, or does it require custom OIDs?

If nobody has direct experience with RKS-G4028 specifically, experience with other Moxa managed switches (EDS series, MRX) would also be useful — I'd like to understand whether Moxa as a vendor is generally workable with PacketFence or if I should be looking at alternatives.

Thanks in advance,
Daniel
|
|
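An added example, not part of the original post and not PacketFence code: a Python check that decodes a captured RADIUS Access-Accept and confirms that the three RFC 3580 VLAN attributes named in the question above are present and consistent, which helps separate a server-side policy gap from a switch that ignores the assignment. The sample packets and VLAN ID 120 are constructed, and the response authenticator is zeroed and not verified.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # value RFC 3580 expects for Tunnel-Type
TUNNEL_MEDIUM_802 = 6   # value RFC 3580 expects for Tunnel-Medium-Type


def parse_attributes(packet: bytes):
    """Return (code, [(type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def _tagged_int(value: bytes):
    """Tunnel-Type / Tunnel-Medium-Type: 1 tag octet + 3-octet integer (RFC 2868)."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must carry 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value: bytes):
    """Tunnel-Private-Group-ID: the first octet is a tag only if it is <= 0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")


def vlan_assignment(packet: bytes):
    """Return (vlan_id or None, [problems]) for a RADIUS reply."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None, [f"packet code {code} is not Access-Accept"]
    groups = {}  # tag -> {attribute type: decoded value}
    for a_type, value in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, decoded = _tagged_int(value)
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, decoded = _tagged_string(value)
        else:
            continue
        groups.setdefault(tag, {})[a_type] = decoded
    if not groups:
        return None, ["no Tunnel-* attributes present"]
    problems = []
    for tag, g in sorted(groups.items()):
        issues = []
        if g.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            issues.append(f"tag {tag}: Tunnel-Type is {g.get(TUNNEL_TYPE)}, expected 13 (VLAN)")
        if g.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
            issues.append(f"tag {tag}: Tunnel-Medium-Type is {g.get(TUNNEL_MEDIUM_TYPE)}, expected 6 (802)")
        if not g.get(TUNNEL_PRIVATE_GROUP_ID):
            issues.append(f"tag {tag}: Tunnel-Private-Group-ID missing")
        if not issues:
            return g[TUNNEL_PRIVATE_GROUP_ID], []
        problems.extend(issues)
    return None, problems


def build_packet(code, attrs):
    """Build a constructed test packet (zeroed authenticator, identifier 1)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample: complete, untagged RFC 3580 triplet for VLAN 120.
SAMPLE_GOOD = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"120"),
])
# Constructed sample: tag 1 used, Tunnel-Medium-Type left out.
SAMPLE_NO_MEDIUM = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01120"),
])

if __name__ == "__main__":
    for name, pkt in (("good", SAMPLE_GOOD), ("no-medium", SAMPLE_NO_MEDIUM)):
        print(name, vlan_assignment(pkt))
```

To use it on a real capture, pass the UDP payload of the Access-Accept as bytes to `vlan_assignment`.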
From: Christos N. <nt...@uo...> - 2026-05-05 10:31:26
|
Hello,

We are using Packetfence to implement a captive portal for authenticating guest users connecting via WiFi and being authenticated via Web auth (external portal). The guest user can register using email and SMS. The WiFi equipment is a Huawei Wireless LAN Controller. We have completed the implementation and it works fine.

Now we want to apply a daily time limit, different for each type of user. So, on our two authentication sources I applied the attributes:
* Email source: access-duration: 1 day, time-balance: 3 hours
* SMS source: access-duration: 1 day, time-balance: 12 hours

But the behavior is as follows: after the time-balance has been consumed, a time-expiration security event is created but it has no release date. Now the guest user is stuck in quarantine. The only remediation is for the portal administrator to manually release the security event and the user can connect again. We obviously cannot do that for our (hundreds of expected) daily users.

I tried to edit the time-expiration security event and enable the 'dynamic window' but it has no effect. The only thing that kinda works is to set a time value in the 'window' property of the time-expiration security event, but that is not desirable since:
* we cannot distinguish between email/SMS-registered users,
* window time starts counting after the user has exhausted the time-balance which can be anytime during the day.

So, is there another way to implement daily time limits for my guest users? It should be straightforward and I don't see why such a feature-rich and powerful NAC suite as Packetfence is would not be able to do it.

Thanks
Christos Ntokos
-----------------------------------------------------------------
Network Services and Infrastructure Department
Digital Governance Unit, University of Ioannina, GR
|
|
From: Massimiliano B. <mas...@la...> - 2026-05-05 09:32:18
|
Hello,
in the last version of 15.0, in a cluster environment, if I try to save a normal switch it gives an error "Unknown error, check server side logs for details."
In the logs I can see an error with ProxySQL not having access to the DB. I have ProxySQL disabled, and if I try to create/save the switch by cli, it works without errors.
The error:
MySQL_Session.cpp:5815:handler___status_CONNECTING_CLIENT___STATE_SERVER_HANDSHAKE(): [ERROR] ProxySQL Error: Access denied for user 'pf'@'100.64.0.1' (using password: YES)
I found some other people having this problem, but I can't find a workaround for that. Has anyone solved this?
Regards,
Massimiliano
--
Massimiliano Ballerini
Laboratori Guglielmo Marconi
Via Porrettana, 123 - 40037 Pontecchio Marconi (BO)
e-mail: mas...@la...
web: http://www.labs.it
mob: +39 349 2600513
|
|
From: Massimiliano B. <mas...@la...> - 2026-04-16 13:48:12
|
Hello,
I just installed PacketFence on Debian 12, latest version. It is a
cluster installation with 3 nodes.
Differently from all other installations I have, it seems I cannot
restart the packetfence-iptables or the pf service: if I try the VM just
stops responding and I have to reset it from the virtualizer.
From what I can see from the virtualizer console, stopping the iptables
services causes all firewall rules to be dropped, but the default for
INPUT and FORWARD chains is DROP, so the pfcmd restart command loses
connection itself with the docker and never recovers.
If I login from virtualizer console as root and manually change both
chains to ACCEPT, the pfcmd restart command instantly recovers,
otherwise it prints out from time to time "cannot reach database" or
other logs like that, but then it never recovers or finishes.
Some things I noticed also:
* service ip6tables says it is needed in this configuration, but the
cluster guide makes you disable ipv6 on all nodes, so that service can't
start then
* if I modify the base iptables files to use ACCEPT as default in
FORWARD and INPUT rules, and put a -j DROP at the bottom, then the
reboot of all services goes smoothly
Have any of you noticed anything similar in last version?
Regards,
Massimiliano
--
Massimiliano Ballerini
Laboratori Guglielmo Marconi
Via Porrettana, 123 - 40037 Pontecchio Marconi (BO)
e-mail:mas...@la...
web:http://www.labs.it
mob: +39 349 2600513
|
|
From: Zammit, L. <lu...@ak...> - 2026-04-09 18:03:15
|
Hello there,

Make sure that the WORKGROUP is correct, that the OU where you create the PacketFence computer account has no restrictions and that the computer password respects the domain password complexity policy.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Apr 2, 2026, at 6:11 AM, Luca Messori via PacketFence-users <pac...@li...> wrote:
>
> Hi all,
> I have the same issue using PF 15 and user auth PEAP (mschapv2).
>
> Did you resolve this issue?
> How did you resolve it?
>
> Thank you very much
>
> Luca Messori
> Solution Architect
> l.m...@me...
> Phone: +390522265843 Mobile: +393351442007
> MEAD Informatica s.r.l. - Via G.Ferraris, 2, 42122 Reggio Emilia RE - Tel: +390522265950
>
> From: Mahmoud Mabrouk via PacketFence-users <pac...@li...>
> Sent: Thursday, 6 February 2025 19:41
> To: Ma, Zhihao <zm...@ak...>
> Cc: Mahmoud Mabrouk <mah...@gm...>; pac...@li...
> Subject: Re: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1
>
> Request Time
>
> RADIUS Request
> Event-Timestamp = "Feb 6 2025 18:39:18 UTC",
> FreeRADIUS-Client-IP-Address = "192.168.110.50",
> Module-Failure-Message = "rest: Server returned:",
> Module-Failure-Message = "rest: {"Reply-Message":"CLI or VPN Access is not allowed by PacketFence on this switch","control:PacketFence-Authorization-Status":"allow"}",
> NAS-IP-Address = "192.168.110.50",
> PacketFence-KeyBalanced = "86318e52f5ed4801abe1d13d509443de",
> PacketFence-Radius-Ip = "192.168.11.206",
> Realm = "null",
> Stripped-User-Name = "ali",
> User-Name = "ali",
> User-Password = "******"
>
> RADIUS Reply
> REST-HTTP-Status-Code = "401"
>
> On Thu, Feb 6, 2025 at 5:12 PM Ma, Zhihao <zm...@ak...> wrote:
> Hi Mahmoud
>
> After the configuration, you’ll need to (re) start packetfence-ntlm-auth-api
>
> And do a machine account test (or refresh the domain lists to see if the joining status is green)
>
> Taking a look at packetfence logs would probably give you the exact reason of an authentication failure
>
> Thanks
>
> --
> Zhihao Ma
> Software Engineer Senior
> Office: +1 613 714 6311
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> From: Mahmoud Mabrouk via PacketFence-users <pac...@li...>
> Reply-To: "pac...@li..." <pac...@li...>
> Date: Thursday, February 6, 2025 at 10:05
> To: "pac...@li..." <pac...@li...>
> Cc: Mahmoud Mabrouk <mah...@gm...>
> Subject: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1
>
> Hi everyone,
>
> I'm currently working on integrating PacketFence version 14 with Active Directory for 802.1X authentication based on user group membership. I've followed the steps in the documentation, but I'm encountering an issue where users are not being authenticated correctly.
>
> Here are the details:
> - PacketFence version: 14
> - AD domain: example.com
> - Error message: "Authentication failed for user [username]"
>
> Steps I've taken so far:
> 1. Configured the AD domain in PacketFence.
> 2. Set up RADIUS authentication.
> 3. Configured 802.1X authentication.
>
> Any help or suggestions would be greatly appreciated!
>
> Thank you,
> Mahmoud
|
|
From: Osman S. <os...@bi...> - 2026-04-07 06:48:37
|
Dear PacketFence users,
I am testing a PacketFence (v13.x) deployment. My wired Cisco setup
works, but I am struggling with the Ubiquiti UniFi integration using
*local PacketFence users*.
*The Error:* When a client tries to connect via EAP-TTLS, the RADIUS log
shows:
Login incorrect: [test] (from client [IP-UniFi]/32 port 0 cli [MAC-laptop] via TLS tunnel)
eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed
*Setup details:*
* *Switch Type:* Ubiquiti::Unifi
* *Authentication Source:* Local (PacketFence local database)
* *Encryption:* EAP-TTLS (Inner tunnel authentication seems to fail)
I have verified that the user "test" exists locally and the credentials
are correct. The TLS tunnel itself seems to establish, but the
authentication inside the tunnel fails.
Are there specific inner-tunnel settings (like PAP vs MSCHAPv2) required
for local PacketFence users to work with UniFi APs?
Kind regards,
Osman
|
|
From: Rashaad N. <Ras...@ne...> - 2026-04-06 22:16:33
|
All 5 nodes of my cluster are on Packetfence 14.0.0

I have an issue where (for the most part) I can start the service but cannot enable the service itself. The GUI indicates that this service is required for my configuration, but I have been unable to get it started and running on all nodes consistently.

My journalctl output shows:

journalctl -u packetfence-tracking-config.service
-- Logs begin at Sun 2026-04-05 20:22:42 CDT, end at Mon 2026-04-06 11:27:11 CDT. --
Apr 06 11:27:02 packetfence1.com systemd[1]: Starting PacketFence Configuration Change Tracking...
Apr 06 11:27:02 packetfence1.com bash[2928144]: On branch master
Apr 06 11:27:02 packetfence1.com bash[2928144]: nothing to commit, working tree clean
Apr 06 11:27:02 packetfence1.com systemd[1]: packetfence-tracking-config.service: Main process exited, code=exited, status=1/FAILURE
Apr 06 11:27:02 packetfence1.com systemd[1]: packetfence-tracking-config.service: Failed with result 'exit-code'.
Apr 06 11:27:02 packetfence1.com systemd[1]: Failed to start PacketFence Configuration Change Tracking.

And this is one other error I saw being listed:

On branch master
Untracked files:
  (use "git add <file>..." to include in what will be committed)
        server.csr
        server.key
        ssl/radius_default_tls-common.crt
        ssl/radius_default_tls-common.key
        ssl/radius_default_tls-common.pem
        ssl/radius_default_tls-eap-fast.crt
        ssl/radius_default_tls-eap-fast.key
        ssl/radius_default_tls-eap-fast.pem
        system_init_key

Trying to enable from the GUI I just get a generic error of "packetfence Failed to enable services tracking-config. See the server error logs for more information."
|
|
From: Luca M. <l.m...@me...> - 2026-04-02 10:12:09
|
Hi all,
I have the same issue using PF 15 and user auth PEAP (mschapv2).

Did you resolve this issue?
How did you resolve it?

Thank you very much

Luca Messori
Solution Architect
l.m...@me...
Phone: +390522265843 Mobile: +393351442007
MEAD Informatica s.r.l. - Via G.Ferraris, 2, 42122 Reggio Emilia RE - Tel: +390522265950

GDPR 2016/679 This message and any attachments are of a business nature, predominantly confidential, and may be viewed only by the e-mail recipient. A reply, or any e-mail you send spontaneously to our address, may not guarantee confidentiality, since it may be seen by other persons belonging to the Company besides the signatory of this message, for IT security and administrative purposes and for the continued conduct of business. If this message has reached you in error, please delete it from your system and kindly notify the sender. Your e-mail address is in our possession because you provided it to us through written, telephone or electronic communication, or directly in person. It is used exclusively to provide you with information about our business and the services we offer. It will not be passed to third parties under any circumstances without your approval. The data controller is Mead Informatica srl, which can be contacted at in...@me.... Our information systems and internal procedures comply with the regulations, and we guarantee that adequate technical and organisational measures are in place and kept constantly up to date.

________________________________
From: Mahmoud Mabrouk via PacketFence-users <pac...@li...>
Sent: Thursday, 6 February 2025 19:41
To: Ma, Zhihao <zm...@ak...>
Cc: Mahmoud Mabrouk <mah...@gm...>; pac...@li... <pac...@li...>
Subject: Re: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1

Request Time

RADIUS Request
Event-Timestamp = "Feb 6 2025 18:39:18 UTC",
FreeRADIUS-Client-IP-Address = "192.168.110.50",
Module-Failure-Message = "rest: Server returned:",
Module-Failure-Message = "rest: {"Reply-Message":"CLI or VPN Access is not allowed by PacketFence on this switch","control:PacketFence-Authorization-Status":"allow"}",
NAS-IP-Address = "192.168.110.50",
PacketFence-KeyBalanced = "86318e52f5ed4801abe1d13d509443de",
PacketFence-Radius-Ip = "192.168.11.206",
Realm = "null",
Stripped-User-Name = "ali",
User-Name = "ali",
User-Password = "******"

RADIUS Reply
REST-HTTP-Status-Code = "401"

On Thu, Feb 6, 2025 at 5:12 PM Ma, Zhihao <zm...@ak...> wrote:

Hi Mahmoud

After the configuration, you’ll need to (re) start packetfence-ntlm-auth-api

And do a machine account test (or refresh the domain lists to see if the joining status is green)

Taking a look at packetfence logs would probably give you the exact reason of an authentication failure

Thanks

--
Zhihao Ma
Software Engineer Senior
Office: +1 613 714 6311
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

From: Mahmoud Mabrouk via PacketFence-users <pac...@li...>
Reply-To: "pac...@li..." <pac...@li...>
Date: Thursday, February 6, 2025 at 10:05
To: "pac...@li..." <pac...@li...>
Cc: Mahmoud Mabrouk <mah...@gm...>
Subject: [PacketFence-users] Issue with 802.1X Authentication and AD Integration in PacketFence v1

Hi everyone,

I'm currently working on integrating PacketFence version 14 with Active Directory for 802.1X authentication based on user group membership. I've followed the steps in the documentation, but I'm encountering an issue where users are not being authenticated correctly.

Here are the details:
- PacketFence version: 14
- AD domain: example.com
- Error message: "Authentication failed for user [username]"

Steps I've taken so far:
1. Configured the AD domain in PacketFence.
2. Set up RADIUS authentication.
3. Configured 802.1X authentication.

Any help or suggestions would be greatly appreciated!

Thank you,
Mahmoud
|
|
From: Nagasuki <nag...@gm...> - 2026-04-01 19:17:14
|
Hello Community,

Please, anybody with a working implementation of VLAN enforcement setup please reply to me. Specifically, I'm looking for clearer instructions on how to configure PacketFence for the following scenario:

- User plugs into wired port
- 802.1X login (AD credentials)
- If device is not registered → forced into Registration VLAN
- Captive portal appears
- User logs in again → device registered
- PacketFence reauthenticates device
  Based on AD group:
  Staff → VLAN 251
  Student → VLAN 253
- WiFi is connected on an in-line interface

The installation guide is not beginner-friendly and tends to be confusing. I will greatly appreciate anybody who can point me in the right direction.

Regards,
Nagasuki

On Sun, Mar 29, 2026, 19:52 Nagasuki <nag...@gm...> wrote:

> Hello. I am in the process of implementing PacketFence, and my intention
> is to deploy a setup that does the following:
>
> - User plugs into wired port
> - 802.1X login (AD credentials)
> - If device is not registered → forced into Registration VLAN
> - Captive portal appears
> - User logs in again → device registered
> - PacketFence reauthenticates device
>   Based on AD group:
>   Staff → VLAN 251
>   Student → VLAN 253
> - WiFi is connected on an in-line interface
>
> So far I have done:
> 1. Configuration of management interfaces and IP
>
> 2. Configured a second trunk interface and on it I specified
> sub-interface IPs and VLANing for isolation and registration networks
>
> 3. Specified VLANs without IPs (and type 'Other' for two more VLANs that
> will be normal VLANs each for staff and students)
>
> 4. On the physical switch, I configured a trunk port going to the
> PacketFence second interface, plus an access port going to the PacketFence
> management network. I also configured two test access ports with 802.1x
> fully configured for VLAN enforcement
>
> 5. In PacketFence, I joined domain and also specified base and bind DNs.
> These are all confirmed to be working
>
> 6. I also added a test switch, created two additional roles that I intend
> to map staff and students' VLANs to. On the switch (in PacketFence), I also
> further configured the roles and specified VLAN IDs for registration,
> isolation, staff, students, and guest
>
> 7. I have also associated both the default and null realms with my domain
>
> Please guide me step by step to configure the remaining components for my
> deployment.
>
> Regards,
> Nagasuki
|
|
From: Nagasuki <nag...@gm...> - 2026-03-29 17:52:47
|
Hello. I am in the process of implementing PacketFence, and my intention is to deploy a setup that does the following:

- User plugs into wired port
- 802.1X login (AD credentials)
- If device is not registered → forced into Registration VLAN
- Captive portal appears
- User logs in again → device registered
- PacketFence reauthenticates device
  Based on AD group:
  Staff → VLAN 251
  Student → VLAN 253
- WiFi is connected on an in-line interface

So far I have done:
1. Configuration of management interfaces and IP
2. Configured a second trunk interface and on it I specified sub-interface IPs and VLANing for isolation and registration networks
3. Specified VLANs without IPs (and type 'Other' for two more VLANs that will be normal VLANs each for staff and students)
4. On the physical switch, I configured a trunk port going to the PacketFence second interface, plus an access port going to the PacketFence management network. I also configured two test access ports with 802.1x fully configured for VLAN enforcement
5. In PacketFence, I joined domain and also specified base and bind DNs. These are all confirmed to be working
6. I also added a test switch, created two additional roles that I intend to map staff and students' VLANs to. On the switch (in PacketFence), I also further configured the roles and specified VLAN IDs for registration, isolation, staff, students, and guest
7. I have also associated both the default and null realms with my domain

Please guide me step by step to configure the remaining components for my deployment.

Regards,
Nagasuki
|
|
From: Miguel v. L. <Mig...@Qu...> - 2026-03-27 15:31:16
|
Hello,

We have configured PacketFence DPSK on our Fortinet equipment. I created a provisioner for DPSK and assigned it to a new connection profile. Unfortunately, we are unable to authenticate using the PSK that we configured in the user account. We receive the following error:

2026-03-27T16:14:13.737687+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) WARN: [mac:ea:5c:63:0a:b4:92] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
2026-03-27T16:14:13.737951+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Instantiate profile PROFILE_IoT_DPSK (pf::Connection::ProfileFactory::_from_profile)
2026-03-27T16:14:13.738791+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Found authentication source(s) : 'local,file1,EAP-TLS-PROFILE' for realm 'null' (pf::config::util::filter_authentication_sources)
2026-03-27T16:14:13.738954+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] MFA Pre Authentication (pf::radius::mfa_pre_auth)
2026-03-27T16:14:13.739479+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Instantiate profile PROFILE_IoT_DPSK (pf::Connection::ProfileFactory::_from_profile)
2026-03-27T16:14:13.740137+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Found authentication source(s) : 'local,file1,EAP-TLS-PROFILE' for realm 'null' (pf::config::util::filter_authentication_sources)
2026-03-27T16:14:13.740517+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Using sources local, file1, EAP-TLS-PROFILE for matching (pf::authentication::match2)
2026-03-27T16:14:13.762864+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Password validation failed for 60-45-2E-75-BD-D1: passwords don't match (pf::password::validate_password)
2026-03-27T16:14:13.763145+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) ERROR: [mac:ea:5c:63:0a:b4:92] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
2026-03-27T16:14:13.763480+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] User 60-45-2E-75-BD-D1 tried to login in 10.237.51.254 but authentication failed (pf::radius::authenticate)
2026-03-27T16:14:15.255941+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] handling radius autz request: from switch_ip => (10.237.51.254), connection_type => Ethernet-NoEAP,switch_mac => (Unknown), mac => [0], port => (Unknown), username => "60-45-2E-75-BD-D1" (pf::radius::switch_access)

Additionally, should the DPSK be generated automatically? The documentation is not very clear on this point. Does anyone have experience with this setup?

Company confidential (BVT1) |
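A small parser for the httpd.aaa lines quoted in the post above, added here as an example (it is not part of the original message and not PacketFence code). It groups lines by their `[mac:...]` tag and lists which `pf::` function logged each warning or failure; the field layout is inferred from the quoted lines only, and all function and variable names are made up for this example.

```python
import re

# Lines copied from the httpd.aaa excerpt quoted in the post above.
SAMPLE_LOG = """\
2026-03-27T16:14:13.737687+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) WARN: [mac:ea:5c:63:0a:b4:92] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
2026-03-27T16:14:13.738791+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Found authentication source(s) : 'local,file1,EAP-TLS-PROFILE' for realm 'null' (pf::config::util::filter_authentication_sources)
2026-03-27T16:14:13.762864+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] Password validation failed for 60-45-2E-75-BD-D1: passwords don't match (pf::password::validate_password)
2026-03-27T16:14:13.763145+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) ERROR: [mac:ea:5c:63:0a:b4:92] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
2026-03-27T16:14:13.763480+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] User 60-45-2E-75-BD-D1 tried to login in 10.237.51.254 but authentication failed (pf::radius::authenticate)
2026-03-27T16:14:15.255941+01:00 SERVER httpd.aaa-docker-wrapper[3375]: httpd.aaa(7) INFO: [mac:ea:5c:63:0a:b4:92] handling radius autz request: from switch_ip => (10.237.51.254), connection_type => Ethernet-NoEAP,switch_mac => (Unknown), mac => [0], port => (Unknown), username => "60-45-2E-75-BD-D1" (pf::radius::switch_access)
"""

# Layout inferred from the quoted lines only (an assumption of this example):
# <timestamp> <host> <process>[<pid>]: <service>(<n>) <LEVEL>: [mac:<mac>] <message> (<pf::function>)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"(?P<service>[^\s(]+)\((?P<worker>\d+)\) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>[0-9A-Fa-f:]{17})\] (?P<msg>.*) \((?P<func>pf::[\w:]+)\)\s*$"
)
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '([^']*)' for realm '([^']*)'")
REJECT_RE = re.compile(r"User (\S+) tried to login in (\S+) but authentication failed")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Group lines by their [mac:...] tag and collect, per tag, the sources
    offered, each WARN/ERROR or 'failed' message with the function that
    logged it, and the (username, NAS IP) pairs that were rejected."""
    devices = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not an httpd.aaa line in the expected layout
        dev = devices.setdefault(
            rec["mac"], {"sources": [], "realm": None, "problems": [], "rejected": []}
        )
        found = SOURCES_RE.search(rec["msg"])
        if found:
            dev["sources"] = found.group(1).split(",")
            dev["realm"] = found.group(2)
        if rec["level"] in ("WARN", "ERROR") or "failed" in rec["msg"].lower():
            dev["problems"].append(
                {"ts": rec["ts"], "level": rec["level"], "func": rec["func"], "msg": rec["msg"]}
            )
        rejected = REJECT_RE.search(rec["msg"])
        if rejected:
            dev["rejected"].append((rejected.group(1), rejected.group(2)))
    return devices


def report(devices):
    """Render the summary as text lines, one block per [mac:...] tag."""
    out = []
    for mac, dev in devices.items():
        out.append(f"{mac}: realm={dev['realm']} sources={','.join(dev['sources'])}")
        for p in dev["problems"]:
            out.append(f"  {p['level']:5} {p['func']}: {p['msg']}")
        for user, nas in dev["rejected"]:
            out.append(f"  rejected: user={user} nas={nas}")
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```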
|
From: Miguel v. L. <Mig...@Qu...> - 2026-03-26 07:55:12
|
Hello,

I would like to explore options for SMS carriers in PacketFence. At the moment, only Twilio and Clickatell seem to be supported via API integration, and with the current "SMS" option there is no place to configure carrier details. Does anyone have experience with how this works, and whether it's possible to use a random online provider as long as it supports API calls?

Thanks in advance,
Miguel

Company confidential (BVT1) |
|
From: Keith N. <kn...@wc...> - 2026-03-13 16:19:25
|
I figured this out. I needed to enable “Update the epilog using the account” under Configuration > System Configuration > Main Configuration > Advanced. This is in the documentation but not in the most convenient location. After I enabled that the IP Address of the clients are now being logged.

Keith Nelson | WCG
Director, Solutions Engineering

From: Keith Nelson via PacketFence-users <pac...@li...>
Date: Friday, March 13, 2026 at 04:51
To: pac...@li... <pac...@li...>
Cc: Keith Nelson <kn...@wc...>
Subject: [PacketFence-users] PacketFence not parsing Framed-IP-Address

I have a new install of PacketFence 15.0 using the ISO Image. I have a Meraki AP configured and working using cert based EAP-TLS with both RAD and RADACCT configured. The issue I’m trying to figure out is that PacketFence is ignoring (or somewhere dropping) the Framed-IP-Address AVP in the radius accounting messages. I did a packet capture on the PacketFence server and have confirmed that the AP is sending the correct information in the packets and the server is receiving the correct information from a network layer.

Any guidance would be greatly appreciated.

Thank you

Keith Nelson | WCG
Director, Solutions Engineering |
|
From: Keith N. <kn...@wc...> - 2026-03-12 18:34:04
|
I have a new install of PacketFence 15.0 using the ISO Image. I have a Meraki AP configured and working using cert based EAP-TLS with both RAD and RADACCT configured. The issue I’m trying to figure out is that PacketFence is ignoring (or somewhere dropping) the Framed-IP-Address AVP in the radius accounting messages. I did a packet capture on the PacketFence server and have confirmed that the AP is sending the correct information in the packets and the server is receiving the correct information from a network layer.

Any guidance would be greatly appreciated.

Thank you

Keith Nelson | WCG
Director, Solutions Engineering |
|
From: Luca M. <l.m...@me...> - 2026-03-10 10:33:08
|
Hi Renato,

I have a problem setting the slave node. I'm trying to set the server-id variable but all my tries don't work (after restarting mariadb I have server_id=1). Can you tell me how/where did you set the server-id?

Luca Messori
Solution Architect
l.m...@me...
Phone: +390522265843
Mobile: +393351442007
MEAD Informatica s.r.l. - Via G.Ferraris, 2, 42122 Reggio Emilia RE - Tel: +390522265950

________________________________
From: Renato Pereira via PacketFence-users <pac...@li...>
Sent: Wednesday, 10 September 2025 19:02
To: pac...@li... <pac...@li...>
Cc: Renato Pereira <ren...@gm...>
Subject: Re: [PacketFence-users] Pakcetfence Cluster AD issue

Hello Everyone,

Today I configured the slave DB, to try and fix this issue. But when I break the connection between the clusters I can't login in DC2, I tried with AD user and local user. on the master for the slave cluster looks fine:

MariaDB [(none)]> SHOW SLAVE STATUS;
| Slave_IO_State | Master_Host | Master_User | Master_Port | Connect_Retry | Master_Log_File | Read_Master_Log_Pos | Relay_Log_File | Relay_Log_Pos | Relay_Master_Log_File | Slave_IO_Running | Slave_SQL_Running | Replicate_Do_DB | Replicate_Ignore_DB | Replicate_Do_Table | Replicate_Ignore_Table | Replicate_Wild_Do_Table | Replicate_Wild_Ignore_Table | Last_Errno | Last_Error | Skip_Counter | Exec_Master_Log_Pos | Relay_Log_Space | Until_Condition | Until_Log_File | Until_Log_Pos | Master_SSL_Allowed | Master_SSL_CA_File | Master_SSL_CA_Path | Master_SSL_Cert | Master_SSL_Cipher | Master_SSL_Key | Seconds_Behind_Master | Master_SSL_Verify_Server_Cert | Last_IO_Errno | Last_IO_Error | Last_SQL_Errno | Last_SQL_Error | Replicate_Ignore_Server_Ids | Master_Server_Id | Master_SSL_Crl | Master_SSL_Crlpath | Using_Gtid | Gtid_IO_Pos | Replicate_Do_Domain_Ids | Replicate_Ignore_Domain_Ids | Parallel_Mode | SQL_Delay | SQL_Remaining_Delay | Slave_SQL_Running_State | Slave_DDL_Groups | Slave_Non_Transactional_Groups | Slave_Transactional_Groups |
| Waiting for master to send event | 10.58.0.20 | pfcluster | 3306 | 60 | mariadb-bin.000834 | 5348 | BRAFORVM009-relay-bin.000002 | 779 | mariadb-bin.000834 | Yes | Yes | | | | | | | 0 | | 0 | 5348 | 1094 | None | | 0 | No | | | | | | 0 | No | 0 | | 0 | | | 1 | | | Slave_Pos | 1-1-156,171573269-1-3751235,171573273-1-6470340 | | | optimistic | 0 | NULL | Slave has read all relay log; waiting for more updates | 0 | 0 | 0 |
1 row in set (0.000 sec)

MariaDB [(none)]>

On Fri, 5 Sep 2025 at 07:02, Renato Pereira <ren...@gm...> wrote:

Hello everyone,

We have a packetfence cluster L3 working perfectly with 3 nodes in the cloud and 2 onsite, in both there are AD configured ( 2 in each one). The local packetfence has priority and I can see it authenticate the users. In the authentication source I configured the 4 servers and I can validate. In the Active Directory Domain if I access each one I can see they can join in the domain.

Today we had a problem with the link between the local site and the cloud, at this moment the local packetfence couldn't authenticate the users locally, during the problem I checked the Active Directory Domain and the local servers couldn't join to the domain. I checked the local AD servers and I can see the machine accounts. After a few minutes, the link was returned and all the servers now are working well.

My question is, how can I set my deployment for when the link to the primary cluster down the local cluster keeps authentication. |
|
From: Schüller D. <den...@nu...> - 2026-03-09 13:51:54
|
Hey,

does anyone know how to correctly set up a VoIP device on a Juniper switch with PacketFence?

Currently when I connect a VoIP phone, it is detected as a voice device, so "VoIP over IP" is set to true and the role changes to "voice". The interface also gets the correct voice VLAN. However, the data VLAN stays at VLAN 1, but it should be assigned to a different VLAN ID.

Does anyone know how to configure the correct data VLAN for the device?

Thanks!

Regards from the Green Hell

i. A. Dennis Schüller
System Support | IT
den...@nu...
T +49 2691 302-9885 | M +49 151 571 320 36
Nürburgring 1927 GmbH & Co. KG | Otto-Flimm-Str. | 53520 Nürburg | nuerburgring.de |
|
From: Luca M. <l.m...@me...> - 2026-03-05 10:39:18
|
Hi all,

I have a multisite environment and I would like to create a single management server and a single server on each site. So, I wouldn't like to create a cluster in the central site but only a management server and a NAC server configured as slave (master is the management). All the other servers are slave.

Is it a supported architecture? Can I avoid the galera cluster configuration in this way?

Thank you very much

Luca Messori
Solution Architect
l.m...@me...
Phone: +390522265843
Mobile: +393351442007
MEAD Informatica s.r.l. - Via G.Ferraris, 2, 42122 Reggio Emilia RE - Tel: +390522265950 |
|
From: Christos N. <nt...@uo...> - 2026-03-02 14:02:01
|
“[…]Unfortunately, there is no updated information in the PacketFence documentation how the Docker-based PacketFence is working and what to do to edit the perl code or other files.”

Actually the above is not entirely true, there are instructions on how to apply changes in the Perl code to the Docker containers in this documentation:
https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_containers_recipes

There is still no documentation to understand which containers are affected by the Perl code inside /usr/local/pf/lib/pf. But for the localization case, I think the httpd.portal and pfperl-api containers should be the ones that need rebuild.

Christos Ntokos
-----------------------------------------------------------------
Network Services and Infrastructure Department
Digital Governance Unit, University of Ioannina |
|
From: Christos N. <nt...@uo...> - 2026-03-02 10:48:42
|
Hello,

We were also struggling to add a new language (Greek) to PacketFence. It turns out that except adding and compiling a new packetfence.po file, you also need to edit the perl code. Specifically, you need to edit the file lib/pf/web/constants.pm and add the new language in the Array variable LOCALES (line 201):

    Readonly::Array our @LOCALES => (
        qw(en_US es_ES fr_FR fr_CA de_DE he_IL it_IT nb_NO nl_NL pl_PL pt_BR tr_TR)
    );

The problem with changing the perl code is that any changes you make in the .pm perl files inside /usr/local/pf/lib have no effect, since PacketFence started using Docker containers (version 11.2 and later, I think). So you need to find the Docker mapped folders where the /usr/local/pf/lib files are copied.

Unfortunately, there is no updated information in the PacketFence documentation how the Docker-based PacketFence is working and what to do to edit the perl code or other files.

Christos Ntokos
-----------------------------------------------------------------
Network Services and Infrastructure Department
Digital Governance Unit, University of Ioannina |
|
From: Maximilian D. <cyb...@ya...> - 2026-02-28 13:47:54
|
Greetings fellow PacketFence users,

I’ve been getting to learn PacketFence on my own by a combination of experiments and reading the manual and have gotten myself almost across the finish line. I’ve gotten clustering set up, and the EAP-TLS pipeline set up as well as device provisioning. Everything works with the exception of two issues I encountered, which are pretty show-stopping.

The first issue is, clients logging in with the certificate they were issued for some reason is triggering packetfence to arbitrarily revoke said certificates. The revocation reason is KeyCompromise. I also observed PacketFence making many failed insertions into the pki_revoked_certs table with empty data, so I’m not precluding the possibility of a bug. I haven’t figured out what is triggering this behavior, and AFAICT, the logs aren’t being meaningful to me.

The second issue, revoked certificates still seem to work.

If anyone has any idea on what could be triggering this, and why revoked certificates aren’t actually getting denied by the RADIUS server, I would be really grateful. I’m running PF 15.0, if that helps.

Best,
Maximilian Doerr |
|
From: ondur k. <on...@gm...> - 2026-02-15 13:12:34
|
Hello PacketFence community,

We are preparing for a PacketFence NAC deployment and we want to confirm compatibility and set realistic expectations. Do you have experience running PacketFence with the Sophos devices listed below? If yes, which NAC functions work well, and which ones have limits?

Network equipment in scope
- Firewalls: Sophos XGS2100, Sophos XGS107W
- Switches: Sophos CS110-48FP, Sophos CS110-24FP
- Access Points: Sophos APX320
- Also present in the environment: Cisco Catalyst 3750, Cisco 2911

What we want to achieve
- Wired and wireless access control (802.1X and/or MAB)
- Guest captive portal
- BYOD onboarding portal
- Device identification and profiling
- Dynamic enforcement (VLAN assignment, re-auth, quarantine, ACL options)
- Posture and compliance checks (if feasible)

Questions for the community

1. Compatibility and real-world behavior
- Does PacketFence integrate cleanly with Sophos CS110 switches and Sophos APX320 for NAC workflows?
- Which features work reliably with Sophos in production: 802.1X, MAB, RADIUS accounting, CoA, dynamic VLAN changes, ACL enforcement?
- Are there any known limitations or special configuration steps for Sophos XGS firewalls in a PacketFence deployment?

2. Profiling and enforcement approach
- What profiling sources work best in this Sophos environment (SNMP, DHCP fingerprinting, RADIUS, Nmap, MAC OUI)?
- What enforcement pattern works best: VLANs, quarantine VLAN, switch ACLs, firewall policy, or a hybrid approach?

3. Posture and compliance checks
- Are posture checks practical with PacketFence in this setup?
- If yes, what approach works: agent-based checks, MDM integration, or EDR integration?
- What checks are realistic to promise to stakeholders?

What we are doing on our side
- We will run PacketFence in a lab to test these use cases and share internal results.
- We are preparing a customer expectations checklist and a technical proposal listing what is feasible and what needs other tools.

Any deployment notes, sample configs, or lessons learned for Sophos CS110 and APX320 integrations would help us a lot. |
|
From: Petrus, A. <ap...@ak...> - 2026-02-10 19:00:28
|
PacketFence Community,
After 20+ years of building the most trusted NAC solution, we're excited
to announce *PacketFence Cloud* - enterprise-grade Network Access Control
delivered as a managed service.
*Self-hosted PacketFence remains free.* Cloud is built on the exact same
engine - we've just removed the operational burden of managing MariaDB,
FreeRADIUS, Apache, and Linux clustering yourself.
WHY CLOUD?
- *Zero infrastructure:* No servers, no OS patching, no capacity planning
- *Automatic HA:* Built-in high availability and disaster recovery
- *Always current:* Automatic updates without maintenance windows
- *Offline resilient:* Local RADIUS caching keeps auth working during outages
- *Scale elastically:* From 100 to 1,500,000+ endpoints
PERFECT FOR ORGANIZATIONS WHO:
- Love PacketFence but lack dedicated staff to maintain it
- Face compliance audits requiring guaranteed uptime SLAs
- Want to shift from CapEx (servers) to OpEx (subscription)
- Need multi-site deployment without the complexity
EARLY ACCESS
We're opening PacketFence Cloud to a select group of organizations first.
Early adopters get priority onboarding, direct access to our engineering
team during setup, and *six months free* to evaluate the platform.
>> Request Early Access:
https://www.packetfence.com/contacts/?package=cloud-professional
>> Learn more:
https://www.packetfence.com/cloud/
LIVE WEBINAR
Join us for a live demo and Q&A session.
Date: March 23rd, 9:30 AM EST
Register: https://akamai.webex.com/weblink/register/r59558c02e439407c40853ae101529e65
---
Prefer self-hosted? PacketFence self-hosted remains free.
Download: https://www.packetfence.com/download/
Documentation: https://www.packetfence.com/docs/
Community: https://www.packetfence.com/community/
---
Andrei Petrus,
Director, Product Management
Akamai Technologies Inc.
https://www.packetfence.com
|