Hi all,
Just getting version 4.1 set up in a test environment and I am struggling to get
my head around the Roles configuration.
I have a Source set up to connect to my Active Directory, and this is correctly
assigning the Role according to the packetfence.log, however when I look in the
Nodes page on the webadmin the Role is displaying as empty.
Authentication.conf is:
[local]
description=Local Users
type=SQL
[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
[file1 rule admins]
description=All admins
match=all
action0=set_access_level=ALL
[Active_Directory]
description=Active_Directory
password=**********
scope=sub
binddn=CN=*********,CN=Users,DC=internal,DC=test,DC=co,DC=uk
basedn=OU=User Accounts,DC=internal,DC=test,DC=co,DC=uk
usernameattribute=sAMAccountName
encryption=none
port=389
type=AD
host=192.168.0.1
[Active_Directory rule Admins]
description=
match=all
action0=set_access_level=ALL
action1=set_role=Staff
action2=set_unreg_date=2020-01-01
condition0=memberOf,is member of,PFAdmin
[Active_Directory rule Staff]
description=
match=any
action0=set_role=Staff
action1=set_unreg_date=2020-01-01
condition0=sAMAccountName,starts,sm
[Active_Directory rule Students]
description=
match=any
action0=set_role=Students
action1=set_unreg_date=2020-01-01
condition0=sAMAccountName,starts,st
[Active_Directory rule Default_Catch-All]
description=
match=all
action0=set_role=default
action1=set_unreg_date=2020-01-01
Packetfence.log shows:
Jan 06 11:45:54 pf::WebAPI(3546) INFO: handling radius autz request: from
switch_ip => 10.1.1.102, connection_type => Ethernet-EAP mac =>
00:24:54:42:86:04, port => 50002, username => sm12345 (pf::radius::authorize)
Jan 06 11:45:54 pf::WebAPI(3546) INFO: autoregister a node that is already
registered, do nothing. (pf::node::node_register)
Jan 06 11:45:54 pf::WebAPI(3546) ERROR: [Active_Directory] Unable to execute
search (|(member=CN=Morris
Andi,OU=abcdefg,,DC=internal,DC=test,DC=co,DC=uk)(uniqueMember= CN=Morris
Andi,OU=abcdefg,,DC=internal,DC=test,DC=co,DC=uk)(memberUid=CN=edupersonaffiliationstaff,CN=Users,DC=internal,DC=test,DC=co,DC=uk))
from PFAdmin on 192.168.0.1:389, we skip the condition (Bad filter).
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 06 11:45:54 pf::WebAPI(3546) INFO: [Active_Directory Admins] Found a match
(CN=Morris Andi,OU=abcdefg,,DC=internal,DC=test,DC=co,DC=uk)
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 06 11:45:54 pf::WebAPI(3546) INFO: Matched rule (Admins) in source
Active_Directory, returning actions. (pf::Authentication::Source::match)
Jan 06 11:45:54 pf::WebAPI(3546) INFO: Username was defined 'sm12345' -
returning user based role 'Staff' (pf::vlan::getNormalVlan)
Jan 06 11:45:54 pf::WebAPI(3546) INFO: MAC: 00:24:54:42:86:04, PID: sm12345,
Status: reg. Returned VLAN: 741 (pf::vlan::fetchVlanForNode)
Jan 06 11:45:54 pf::WebAPI(3546) WARN: Role-based Network Access Control is not
supported on network device type pf::SNMP::Cisco::Catalyst_2960.
(pf::SNMP::supportsRoleBasedEnforcement)
Jan 06 11:45:54 pfdhcplistener(3744) INFO: DHCPREQUEST from 00:24:54:42:86:04
(10.4.1.128) (main::parse_dhcp_request)
Jan 06 11:45:54 pfdhcplistener(3744) INFO: Unknown DHCP fingerprint:
1,15,3,6,44,46,47,31,33,121,249,43 (DHCP Message Type: DHCPREQUEST)
(main::process_fingerprint)
Jan 06 11:45:54 pfdhcplistener(3744) INFO: 00:24:54:42:86:04 requested an IP.
Unknown DHCP fingerprint. Modified node with last_dhcp = 2014-01-06
11:45:54,computername = Andi-Netbook,dhcp_fingerprint =
1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
I am using the /usr/local/pf/lib/pf/vlan/custom.pm file to auto-register any
devices using the dot1x credentials, so I'm not sure whether this is causing
some confusion.
Cheers,
Andi
-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]
--------------------------------------
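As an added illustration (not code from the post or from PacketFence itself), here is a small Python model of how the rule sections quoted above are evaluated: rules are tried in file order and the first one whose conditions are satisfied supplies the actions, and a match=all rule with no conditions acts as a catch-all. The conf excerpt and user attributes are constructed, and "is member of" is approximated by checking a list of group names instead of an LDAP group search.

```python
import re

# Constructed excerpt of the authentication.conf rules quoted in the post.
AUTH_CONF = """
[Active_Directory rule Admins]
match=all
action0=set_access_level=ALL
action1=set_role=Staff
condition0=memberOf,is member of,PFAdmin
[Active_Directory rule Staff]
match=any
action0=set_role=Staff
condition0=sAMAccountName,starts,sm
[Active_Directory rule Students]
match=any
action0=set_role=Students
condition0=sAMAccountName,starts,st
[Active_Directory rule Default_Catch-All]
match=all
action0=set_role=default
"""

# Condition operators. "is member of" is an assumption here: memberships are
# given as a list of group names rather than resolved by an LDAP search.
OPS = {"starts": lambda v, o: str(v).startswith(o),
       "equals": lambda v, o: str(v) == o,
       "is member of": lambda v, o: o in v}

def parse_rules(text):
    """Return the '[Source rule Name]' sections in file order."""
    rules, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\[(.+?) rule (.+)\]", line.strip())
        if m:
            cur = {"source": m[1], "name": m[2], "match": "all", "conditions": [], "actions": []}
            rules.append(cur)
        elif cur and "=" in line:
            key, value = line.strip().split("=", 1)
            if key == "match":
                cur["match"] = value
            elif key.startswith("condition"):
                cur["conditions"].append(tuple(value.split(",", 2)))
            elif key.startswith("action"):
                cur["actions"].append(tuple(value.split("=", 1)))
    return rules

def first_matching_rule(rules, attrs):
    """First rule whose conditions hold; all([]) is True, so an empty match=all rule always matches."""
    for rule in rules:
        checks = [OPS.get(op, lambda v, o: False)(attrs.get(a, ""), operand)
                  for a, op, operand in rule["conditions"]]
        if (all if rule["match"] == "all" else any)(checks):
            return rule
    return None

def role_for(attrs, conf=AUTH_CONF):
    rule = first_matching_rule(parse_rules(conf), attrs)
    return dict(rule["actions"]).get("set_role") if rule else None
```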