Hi Louis,
Thanks for your reply. It looks like I will need to rework how I wanted to
assign roles to users. Perhaps something like ldap to assign local users, then
a catch all guest rule for anything else, which would be suitable for our
eduroam visitors.
And you're correct, localhost isn't listening on 1812:
[root@pfencedev01 ~]# netstat -unlp | grep :1812
udp 0 0 192.168.101.56:1812 0.0.0.0:* 11736/radiusd
udp 0 0 127.0.0.1:18120 0.0.0.0:* 11736/radius
Thanks again,
Andi
From: Louis Munro [mailto:[email protected]]
Sent: 14 August 2013 14:50
To: [email protected]
Subject: Re: [PacketFence-users] Assigning role based on radius username
Hi Andy,
Unless you are doing something really special, you shouldn't have to add a
RADIUS source to your authentication.conf.
That would only create a loop if you were to send the request to the local FR
server (where it came from to begin with).
The RADIUS source is meant to query a separate RADIUS server, if you have one.
What you need is an authentication source that PF can query to assign a role to
the user (by this point username/password should have been done).
LDAP is the easiest one. You can define a rule that queries for that RADIUS
username and assigns a role based on the groups the user is a member of. If you
assign a higher precedence to a rule that assigns it based on the username, it
would do what you are looking for.
To be clear, the username that will be used to query the LDAP server (if any)
will be the RADIUS username. That's where the query gets it from.
As an aside, is FreeRADIUS even listening on localhost:1812?
I'll show you mine if you show me yours:
pf4test-lm root: /usr/local/pf
# netstat -unlp | grep :1812
udp 0 0 172.21.2.127:1812 0.0.0.0:* 12738/radiusd
udp 0 0 127.0.0.1:18120 0.0.0.0:* 12738/radiusd
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and
PacketFence (www.packetfence.org)
On 2013-08-13, at 8:52 , "Morris, Andi" <[email protected]> wrote:
Hi all,
I appreciate that there's a lot going on with the last minute patching of new
versions etc., so there's no urgency with this as I'm just playing on a dev
network. I'm currently running 4.0.4-2 on a Red Hat 6.4 box.
I'd like to get roles assigned depending on the username received from the
radius server, hopefully extending this out to separate our local users from
eduroam visitors, but at the moment my radius source doesn't seem to like the
rule I've applied to it and results in no matches:
[packetfence.log]
Aug 13 13:16:05 pf::WebAPI(3884) INFO: autoregister a node that is already
registered, do nothing. (pf::node::node_register)
Aug 13 13:16:05 pf::WebAPI(3884) INFO: Username was NOT defined or unable to
match a role - returning node based role '' (pf::vlan::getNormalVlan)
Aug 13 13:16:05 pf::WebAPI(3884) WARN: No parameter Vlan found in
conf/switches.conf for the switch 1.2.3.4 (pf::SNMP::getVlanByName)
Aug 13 13:16:05 pf::WebAPI(3884) WARN: Resolved VLAN for node is not properly
defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Aug 13 13:16:05 pf::WebAPI(3884) INFO: MAC: 00:24:54:42:86:04, PID: sm12345,
Status: reg. Returned VLAN: 62 (pf::vlan::fetchVlanForNode)
Aug 13 13:16:05 pf::WebAPI(3884) WARN: Role-based Network Access Control is not
supported on network device type pf::SNMP::Cisco::Catalyst_2960.
(pf::SNMP::supportsRoleBasedEnforcement)
Aug 13 13:16:09 pf::WebAPI(3885) INFO: handling radius autz request: from
switch_ip => 1.2.3.4, connection_type => Ethernet-EAP mac => 00:24:54:42:86:04,
port => 50001, username => sm12345 (pf::radius::authorize)
My authentication.conf looks like:
[PF_Radius]
description=Packetfence Radius Server
secret=testing123
port=1812
type=RADIUS
host=127.0.0.1
[PF_Radius rule Staff_radius]
description=
match=all
action0=set_role=Staff
action1=set_unreg_date=2013-08-31
condition0=username,starts,sm
I'm trying to get any username beginning with 'sm' to be given the staff role.
Cheers,
Andi
-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]
--------------------------------------
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
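A sketch of the LDAP-source layout Louis describes, added here as an illustration; it is not taken from either message or from the PacketFence project's own files. The source name, host, base DN, bind credentials, group DN, attribute names and the assumption that rules within a source are evaluated in the order they appear are all placeholders or assumptions.

```ini
# Added example (not from the thread): an LDAP authentication source that
# PacketFence queries with the RADIUS username to pick a role.
# Host, base DN, bind DN, password and attribute names are placeholders.
[Local_LDAP]
description=Campus directory
type=LDAP
host=ldap.example.invalid
port=389
encryption=none
basedn=OU=People,DC=example,DC=invalid
scope=sub
usernameattribute=sAMAccountName
binddn=CN=pf-bind,OU=Service,DC=example,DC=invalid
password=CHANGE_ME

# Higher-precedence rule: any username starting with "sm" becomes Staff.
# Assumption: rules are evaluated in the order they appear in the source.
[Local_LDAP rule Staff_by_username]
description=Staff accounts by username prefix
match=all
action0=set_role=Staff
action1=set_unreg_date=2013-08-31
condition0=sAMAccountName,starts,sm

# Group-based rule for everyone else found in the directory.
[Local_LDAP rule Students_by_group]
description=Students by group membership
match=all
action0=set_role=Student
action1=set_unreg_date=2013-08-31
condition0=memberOf,equals,CN=Students,OU=Groups,DC=example,DC=invalid
```

Usernames that are not found in the directory match no rule here, so a visitor role still has to come from a separate source or rule rather than from this LDAP source.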