Hi all,
I'm trying to get a working version of Packetfence 4.1 integrated with our
eduroam setup here and am hitting some stumbling blocks, usually with the Roles
section of Packetfence. I'm following the instructions on the packetfence FAQ
page.
I have configured /usr/local/pf/raddb/proxy.conf so that NULL request and my
local realms are authenticated locally, and everything else gets proxied off to
our ORPS servers as follows:
# Requests carrying no realm (no '@' in User-Name) are authenticated locally.
realm NULL {
    authhost = LOCAL
    accthost = LOCAL
}
# Our own realms are authenticated locally; without 'nostrip' the realm is
# stripped from the user name before the local authentication runs.
realm cardiffmet.ac.uk {
    authhost = LOCAL
    accthost = LOCAL
}
realm uwic.ac.uk {
    authhost = LOCAL
    accthost = LOCAL
}
# Everything else is proxied to the ORPS. 'nostrip' forwards the full
# user@realm, which eduroam needs in order to route to the home site.
realm DEFAULT {
    authhost = orpsserver1.domain.ac.uk
    accthost = orpsserver2.domain.ac.uk
    # testing123 is FreeRADIUS's well-known example secret; use a real one.
    secret = testing123
    ignore_null = yes
    type = radius
    nostrip
}
Testing this with a NULL user works fine, and PF updates the node to show the
username and puts the node in the correct vlan. Testing a remote user also
authenticates fine and the user is put into the correct vlan but the
information isn't passed to packetfence.
As the next stage, I have configured the post-auth section of
/usr/local/pf/raddb/sites-enabled/packetfence as follows (I haven't added my
secondary realm yet):
post-auth {
    exec
    # Call PacketFence from the outer server only for requests the inner
    # tunnel will never see: no EAP at all, an EAP method that is not
    # tunnelled (21 = TTLS, 25 = PEAP), or a user whose realm is not ours
    # (i.e. a request that was proxied out). The realm match is anchored and
    # its dots escaped so a look-alike realm is not treated as local.
    if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) || (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet\.ac\.uk$/)) {
        packetfence
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
And also packetfence-tunnel:
post-auth {
    exec
    # The inner identity of a TTLS/PEAP request always goes to PacketFence.
    packetfence
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
I am now seeing the visiting users hit the packetfence server but the
packetfence.log shows:
Feb 03 15:27:15 pf::WebAPI(7415) INFO: handling radius autz request: from switch_ip => 192.168.142.13, connection_type => Wireless-802.11-EAP mac => 00:26:b6:da:18:42, port => 13, username => [email protected] (pf::radius::authorize)
Feb 03 15:27:16 pf::WebAPI(7415) INFO: autoregister a node that is already registered, do nothing. (pf::node::node_register)
Feb 03 15:27:16 pf::WebAPI(7415) INFO: Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
Feb 03 15:27:16 pf::WebAPI(7415) WARN: No parameter Vlan found in conf/switches.conf for the switch 192.168.142.13 (pf::SNMP::getVlanByName)
Feb 03 15:27:16 pf::WebAPI(7415) INFO: MAC: 00:26:b6:da:18:42, PID: [email protected], Status: reg. Returned VLAN: (pf::vlan::fetchVlanForNode)
Feb 03 15:27:16 pf::WebAPI(7415) WARN: new VLAN is not a managed VLAN -> Returning FAIL. Is the target vlan in the vlans=... list? (pf::radius::authorize)
The same thing also happens when I declare the realm for my local users:
Feb 03 15:30:39 pf::WebAPI(7416) INFO: handling radius autz request: from switch_ip => 192.168.142.13, connection_type => Wireless-802.11-EAP mac => 00:26:b6:da:18:42, port => 13, username => [email protected] (pf::radius::authorize)
Feb 03 15:30:41 pf::WebAPI(7416) INFO: autoregister a node that is already registered, do nothing. (pf::node::node_register)
Feb 03 15:30:41 pf::WebAPI(7416) INFO: Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
Feb 03 15:30:41 pf::WebAPI(7416) WARN: No parameter Vlan found in conf/switches.conf for the switch 192.168.142.13 (pf::SNMP::getVlanByName)
Feb 03 15:30:41 pf::WebAPI(7416) INFO: MAC: 00:26:b6:da:18:42, PID: [email protected], Status: reg. Returned VLAN: (pf::vlan::fetchVlanForNode)
Feb 03 15:30:41 pf::WebAPI(7416) WARN: new VLAN is not a managed VLAN -> Returning FAIL. Is the target vlan in the vlans=... list? (pf::radius::authorize)
The only sources I have setup are the local users for web admin, and an active
directory source.
[Active_Directory_1]
description=Active_Directory_1
password=password
scope=sub
binddn=CN=ldappacketfence,CN=Users,DC=internal,DC=domain,DC=ac,DC=uk
basedn=OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk
usernameattribute=sAMAccountName
encryption=none
port=389
type=AD
host=192.168.0.1
[Active_Directory_1 rule Catch_all]
description=
match=all
action0=set_role=default
action1=set_unreg_date=2020-01-01
switches.conf shows:
[192.168.142.13]
controllerIp=192.168.142.13
mode=production
SNMPCommunityRead=public
SNMPCommunityWrite=private
defaultVlan=62
description=LL Wireless
SNMPVersionTrap=2c
type=Cisco::WLC_5500
VoIPEnabled=N
radiusSecret=testing123
SNMPVersion=2c
SNMPCommunityTrap=private
#SNMPVersion = 3
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
So, is there a way to get PF to use the "Stripped-User-Name" from the radius
server, rather than the full username? If so, then would it enable me to use
the LDAP source to give my local users a certain vlan?
Also, how can I get a catch-all rule to apply to the visiting users, logging
their full username and not the stripped user name? Ideally I would want these
users to be given a different role so that I can put them in a different vlan.
Cheers,
Andi
-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]
--------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
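Added example, not part of the post and not PacketFence or FreeRADIUS code: a small Python model of what the proxy.conf realms and the post-auth "if" quoted above decide for a given outer User-Name and EAP-Type, and therefore which identity the "packetfence" module is handed. Realm names and the ORPS host are the post's own placeholders; the sample users are invented; the split-at-the-last-'@' rule and "no Stripped-User-Name when nostrip is set" are this model's assumptions. It also compares the post's unanchored realm regex with an anchored one, to show how a look-alike realm such as cardiffmet.ac.uk.example would be classified.

```python
"""Model of the realm routing and post-auth gating from the posted config.

Constructed example: not FreeRADIUS or PacketFence code. Realm names and the
ORPS host are the post's placeholders; sample users are invented here.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Realms the posted proxy.conf authenticates locally (authhost = LOCAL).
LOCAL_REALMS = {"cardiffmet.ac.uk", "uwic.ac.uk"}
# Everything else falls through to realm DEFAULT, proxied with 'nostrip'.
DEFAULT_AUTHHOST = "orpsserver1.domain.ac.uk"   # placeholder from the post

EAP_TLS, EAP_TTLS, EAP_PEAP = 13, 21, 25        # IANA EAP method types

# The realm check from the posted post-auth block, and a tightened form.
# The loose one has unescaped dots and no end anchor, so any realm that
# merely starts like 'cardiffmet.ac.uk' is treated as local.
LOCAL_RE_LOOSE = re.compile(r"^.*@cardiffmet.ac.uk")
LOCAL_RE_STRICT = re.compile(r"^.*@cardiffmet\.ac\.uk$")


@dataclass
class Route:
    realm: str                 # "NULL", a local realm name, or "DEFAULT"
    proxied: bool
    auth_identity: str         # identity the auth step is keyed on
    stripped_user_name: Optional[str]  # Stripped-User-Name, if created


def split_realm(user_name: str):
    """Split 'user@realm' at the last '@' (model assumption)."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm


def route(user_name: str) -> Route:
    """Pick the realm block the posted proxy.conf would select."""
    user, realm = split_realm(user_name)
    if realm is None:
        # realm NULL { authhost = LOCAL }: handled locally, nothing to strip
        return Route("NULL", False, user_name, None)
    if realm in LOCAL_REALMS:
        # local realm without 'nostrip': realm stripped, local auth on 'user'
        return Route(realm, False, user, user)
    # realm DEFAULT with 'nostrip': full user@realm forwarded to the ORPS;
    # the model creates no Stripped-User-Name here (assumption).
    return Route("DEFAULT", True, user_name, None)


def outer_calls_packetfence(eap_type: Optional[int], user_name: str,
                            strict: bool = True) -> bool:
    """The 'if' in sites-enabled/packetfence post-auth, as a boolean."""
    local_re = LOCAL_RE_STRICT if strict else LOCAL_RE_LOOSE
    has_realm = re.search(r"^.*@.+", user_name) is not None
    return (eap_type is None                             # !EAP-Type
            or eap_type not in (EAP_TTLS, EAP_PEAP)     # not tunnelled
            or (has_realm and local_re.search(user_name) is None))


def identity_seen_by_packetfence(eap_type: Optional[int], outer_user_name: str,
                                 inner_identity: Optional[str] = None,
                                 strict: bool = True) -> Optional[str]:
    """User-Name the 'packetfence' module is handed.

    The outer server calls it only when the gate above is open; otherwise,
    for TTLS/PEAP, packetfence-tunnel's post-auth calls it unconditionally
    with the inner identity.
    """
    if outer_calls_packetfence(eap_type, outer_user_name, strict):
        return outer_user_name
    if eap_type in (EAP_TTLS, EAP_PEAP) and inner_identity is not None:
        return inner_identity
    return None


if __name__ == "__main__":
    samples = [  # (EAP-Type, outer User-Name, inner identity) - constructed
        (EAP_PEAP, "alice", "alice"),                                # NULL realm
        (EAP_PEAP, "bob@cardiffmet.ac.uk", "bob@cardiffmet.ac.uk"),  # local realm
        (EAP_PEAP, "visitor@otheruni.ac.uk", None),                  # eduroam visitor
        (EAP_TLS, "carol@cardiffmet.ac.uk", None),                   # no tunnel
    ]
    for eap, outer, inner in samples:
        r = route(outer)
        print(f"{outer:26} realm={r.realm:17} proxied={r.proxied!s:5} "
              f"PF sees={identity_seen_by_packetfence(eap, outer, inner)}")
    evil = "eve@cardiffmet.ac.uk.example"
    print(evil, "routed to", route(evil).realm,
          "| loose regex calls PF from outer:",
          outer_calls_packetfence(EAP_PEAP, evil, strict=False),
          "| strict regex:", outer_calls_packetfence(EAP_PEAP, evil))
```

Run it as a script to see one line per sample. The last two lines show the point of anchoring the regex: the look-alike realm is proxied to DEFAULT by the realm table, yet the loose regex treats it as local and the outer post-auth skips PacketFence for it, so the realm table and the post-auth gate disagree; the anchored regex keeps them consistent.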