Hello Andi,

I had to set up eduroam working with PacketFence in multiple universities. I am happy community members are trying to do it as well.

To answer your question: you can play with the username in the mschap module in /usr/local/pf/raddb/module/mschap.

If you can share more details with me, like the workflow and how many SSIDs you have, I will be able to guide you to get the best out of PacketFence.

Best regards,
Loick

--
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
gtalk or skype : lpelet.inverse

On Feb 3, 2014, at 10:57 AM, Morris, Andi <[email protected]> wrote:

> Hi all,
>
> I'm trying to get a working version of PacketFence 4.1 integrated with our
> eduroam setup here and am hitting some stumbling blocks, usually with the
> Roles section of PacketFence. I'm following the instructions on the
> PacketFence FAQ page.
>
> I have configured /usr/local/pf/raddb/proxy.conf so that NULL requests and my
> local realms are authenticated locally, and everything else gets proxied off
> to our ORPS servers as follows:
>
>     realm NULL {
>         authhost = LOCAL
>         accthost = LOCAL
>     }
>
>     realm cardiffmet.ac.uk {
>         authhost = LOCAL
>         accthost = LOCAL
>     }
>
>     realm uwic.ac.uk {
>         authhost = LOCAL
>         accthost = LOCAL
>     }
>
>     realm DEFAULT {
>         authhost = orpsserver1.domain.ac.uk
>         accthost = orpsserver2.domain.ac.uk
>         secret = testing123
>         ignore_null = yes
>         type = radius
>         nostrip
>     }
>
> Testing this with a NULL user works fine, and PF updates the node to show the
> username and puts the node in the correct VLAN. Testing a remote user also
> authenticates fine and the user is put into the correct VLAN, but the
> information isn't passed to PacketFence.
>
> For the next stage I have configured the post-auth section of
> /usr/local/pf/raddb/sites-enabled/packetfence to show (I haven't added my
> secondary realm yet):
>
>     post-auth {
>         exec
>         if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) || (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet.ac.uk/)) {
>             packetfence
>         }
>         Post-Auth-Type REJECT {
>             attr_filter.access_reject
>         }
>     }
>
> And also packetfence-tunnel:
>
>     post-auth {
>         exec
>         packetfence
>         Post-Auth-Type REJECT {
>             attr_filter.access_reject
>         }
>     }
>
> I am now seeing the visiting users hit the PacketFence server, but
> packetfence.log shows:
>
> Feb 03 15:27:15 pf::WebAPI(7415) INFO: handling radius autz request: from switch_ip => 192.168.142.13, connection_type => Wireless-802.11-EAP mac => 00:26:b6:da:18:42, port => 13, username => [email protected] (pf::radius::authorize)
> Feb 03 15:27:16 pf::WebAPI(7415) INFO: autoregister a node that is already registered, do nothing. (pf::node::node_register)
> Feb 03 15:27:16 pf::WebAPI(7415) INFO: Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
> Feb 03 15:27:16 pf::WebAPI(7415) WARN: No parameter Vlan found in conf/switches.conf for the switch 192.168.142.13 (pf::SNMP::getVlanByName)
> Feb 03 15:27:16 pf::WebAPI(7415) INFO: MAC: 00:26:b6:da:18:42, PID: [email protected], Status: reg. Returned VLAN: (pf::vlan::fetchVlanForNode)
> Feb 03 15:27:16 pf::WebAPI(7415) WARN: new VLAN is not a managed VLAN -> Returning FAIL. Is the target vlan in the vlans=... list? (pf::radius::authorize)
>
> The same thing also happens when I declare the realm for my local users:
>
> Feb 03 15:30:39 pf::WebAPI(7416) INFO: handling radius autz request: from switch_ip => 192.168.142.13, connection_type => Wireless-802.11-EAP mac => 00:26:b6:da:18:42, port => 13, username => [email protected] (pf::radius::authorize)
> Feb 03 15:30:41 pf::WebAPI(7416) INFO: autoregister a node that is already registered, do nothing. (pf::node::node_register)
> Feb 03 15:30:41 pf::WebAPI(7416) INFO: Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
> Feb 03 15:30:41 pf::WebAPI(7416) WARN: No parameter Vlan found in conf/switches.conf for the switch 192.168.142.13 (pf::SNMP::getVlanByName)
> Feb 03 15:30:41 pf::WebAPI(7416) INFO: MAC: 00:26:b6:da:18:42, PID: [email protected], Status: reg. Returned VLAN: (pf::vlan::fetchVlanForNode)
> Feb 03 15:30:41 pf::WebAPI(7416) WARN: new VLAN is not a managed VLAN -> Returning FAIL. Is the target vlan in the vlans=... list? (pf::radius::authorize)
>
> The only sources I have set up are the local users for web admin, and an
> Active Directory source:
>
>     [Active_Directory_1]
>     description=Active_Directory_1
>     password=password
>     scope=sub
>     binddn=CN=ldappacketfence,CN=Users,DC=internal,DC=domain,DC=ac,DC=uk
>     basedn=OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk
>     usernameattribute=sAMAccountName
>     encryption=none
>     port=389
>     type=AD
>     host=192.168.0.1
>
>     [Active_Directory_1 rule Catch_all]
>     description=
>     match=all
>     action0=set_role=default
>     action1=set_unreg_date=2020-01-01
>
> switches.conf shows:
>
>     [192.168.142.13]
>     controllerIp=192.168.142.13
>     mode=production
>     SNMPCommunityRead=public
>     SNMPCommunityWrite=private
>     defaultVlan=62
>     description=LL Wireless
>     SNMPVersionTrap=2c
>     type=Cisco::WLC_5500
>     VoIPEnabled=N
>     radiusSecret=testing123
>     SNMPVersion=2c
>     SNMPCommunityTrap=private
>     #SNMPVersion = 3
>     #SNMPEngineID = 0000000000000
>     #SNMPUserNameRead = readUser
>     #SNMPAuthProtocolRead = MD5
>     #SNMPAuthPasswordRead = authpwdread
>     #SNMPPrivProtocolRead = DES
>     #SNMPPrivPasswordRead = privpwdread
>     #SNMPUserNameWrite = writeUser
>     #SNMPAuthProtocolWrite = MD5
>     #SNMPAuthPasswordWrite = authpwdwrite
>     #SNMPPrivProtocolWrite = DES
>     #SNMPPrivPasswordWrite = privpwdwrite
>     #SNMPVersionTrap = 3
>     #SNMPUserNameTrap = readUser
>     #SNMPAuthProtocolTrap = MD5
>     #SNMPAuthPasswordTrap = authpwdread
>     #SNMPPrivProtocolTrap = DES
>     #SNMPPrivPasswordTrap = privpwdread
>
> So, is there a way to get PF to use the "Stripped-User-Name" from the RADIUS
> server, rather than the full username? If so, would it enable me to use
> the LDAP source to give my local users a certain VLAN?
>
> Also, how can I get a catch-all rule to apply to the visiting users, logging
> their full username and not the stripped user name? Ideally I would want
> these users to be given a different role so that I can put them in a
> different VLAN.
>
> Cheers,
> Andi
>
> -------------------------------------
> Andi Morris
> IT Security Officer
> Cardiff Metropolitan University
> T: 02920 205720
> E: [email protected]
> --------------------------------------
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
