Thanks Loick,
I've been pulled away onto other things at the moment, but I'll take a look at
the mschap module at the next opportunity, and will also send you some workflow
of how I would ideally have it set up.
Cheers,
Andi
From: Loick Pelet [mailto:[email protected]]
Sent: 04 February 2014 13:26
To: [email protected]
Subject: Re: [PacketFence-users] PF v4.1 and eduroam
Hello Andi,
I have had to set up eduroam working with PacketFence in multiple universities.
I am happy community members are also trying to do it.
You can play with the username in the mschap module in
/usr/local/pf/raddb/module/mschap.
That is to answer your question.
If you can share more details with me, like your workflow and how many SSIDs
you have, I will be able to guide you to get the best out of PacketFence.
Best regards
Loick
--
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
gtalk or skype : lpelet.inverse
On Feb 3, 2014, at 10:57 AM, Morris, Andi <[email protected]> wrote:
Hi all,
I'm trying to get a working version of Packetfence 4.1 integrated with our
eduroam setup here and am hitting some stumbling blocks, usually with the Roles
section of Packetfence. I'm following the instructions on the packetfence FAQ
page.
I have configured /usr/local/pf/raddb/proxy.conf so that NULL requests and my
local realms are authenticated locally, and everything else gets proxied off to
our ORPS servers, as follows:
    realm NULL {
        authhost = LOCAL
        accthost = LOCAL
    }
    realm cardiffmet.ac.uk {
        authhost = LOCAL
        accthost = LOCAL
    }
    realm uwic.ac.uk {
        authhost = LOCAL
        accthost = LOCAL
    }
    realm DEFAULT {
        authhost = orpsserver1.domain.ac.uk
        accthost = orpsserver2.domain.ac.uk
        secret = testing123
        ignore_null = yes
        type = radius
        nostrip
    }
Testing this with a NULL user works fine, and PF updates the node to show the
username and puts the node in the correct vlan. Testing a remote user also
authenticates fine and the user is put into the correct vlan but the
information isn't passed to packetfence.
For the next stage, I have configured the post-auth section of
/usr/local/pf/raddb/sites-enabled/packetfence as follows (I haven't added my
secondary realm yet):
    post-auth {
        exec
        if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) || (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet.ac.uk/)) {
            packetfence
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
And also packetfence-tunnel:
    post-auth {
        exec
        packetfence
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
I am now seeing the visiting users hit the packetfence server but the
packetfence.log shows:
Feb 03 15:27:15 pf::WebAPI(7415) INFO: handling radius autz request: from switch_ip => 192.168.142.13, connection_type => Wireless-802.11-EAP mac => 00:26:b6:da:18:42, port => 13, username => [email protected] (pf::radius::authorize)
Feb 03 15:27:16 pf::WebAPI(7415) INFO: autoregister a node that is already registered, do nothing. (pf::node::node_register)
Feb 03 15:27:16 pf::WebAPI(7415) INFO: Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
Feb 03 15:27:16 pf::WebAPI(7415) WARN: No parameter Vlan found in conf/switches.conf for the switch 192.168.142.13 (pf::SNMP::getVlanByName)
Feb 03 15:27:16 pf::WebAPI(7415) INFO: MAC: 00:26:b6:da:18:42, PID: [email protected], Status: reg. Returned VLAN: (pf::vlan::fetchVlanForNode)
Feb 03 15:27:16 pf::WebAPI(7415) WARN: new VLAN is not a managed VLAN -> Returning FAIL. Is the target vlan in the vlans=... list? (pf::radius::authorize)
The same thing also happens when I declare the realm for my local users:
Feb 03 15:30:39 pf::WebAPI(7416) INFO: handling radius autz request: from switch_ip => 192.168.142.13, connection_type => Wireless-802.11-EAP mac => 00:26:b6:da:18:42, port => 13, username => [email protected] (pf::radius::authorize)
Feb 03 15:30:41 pf::WebAPI(7416) INFO: autoregister a node that is already registered, do nothing. (pf::node::node_register)
Feb 03 15:30:41 pf::WebAPI(7416) INFO: Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
Feb 03 15:30:41 pf::WebAPI(7416) WARN: No parameter Vlan found in conf/switches.conf for the switch 192.168.142.13 (pf::SNMP::getVlanByName)
Feb 03 15:30:41 pf::WebAPI(7416) INFO: MAC: 00:26:b6:da:18:42, PID: [email protected], Status: reg. Returned VLAN: (pf::vlan::fetchVlanForNode)
Feb 03 15:30:41 pf::WebAPI(7416) WARN: new VLAN is not a managed VLAN -> Returning FAIL. Is the target vlan in the vlans=... list? (pf::radius::authorize)
The only sources I have setup are the local users for web admin, and an active
directory source.
[Active_Directory_1]
description=Active_Directory_1
password=password
scope=sub
binddn=CN=ldappacketfence,CN=Users,DC=internal,DC=domain,DC=ac,DC=uk
basedn=OU=User Accounts,DC=internal,DC=domain,DC=ac,DC=uk
usernameattribute=sAMAccountName
encryption=none
port=389
type=AD
host=192.168.0.1
[Active_Directory_1 rule Catch_all]
description=
match=all
action0=set_role=default
action1=set_unreg_date=2020-01-01
switches.conf shows:
[192.168.142.13]
controllerIp=192.168.142.13
mode=production
SNMPCommunityRead=public
SNMPCommunityWrite=private
defaultVlan=62
description=LL Wireless
SNMPVersionTrap=2c
type=Cisco::WLC_5500
VoIPEnabled=N
radiusSecret=testing123
SNMPVersion=2c
SNMPCommunityTrap=private
#SNMPVersion = 3
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
So, is there a way to get PF to use the "Stripped-User-Name" from the RADIUS
server, rather than the full username? If so, would it enable me to use the
LDAP source to give my local users a certain VLAN?
Also, how can I get a catch-all rule to apply to the visiting users, logging
their full username and not the stripped username? Ideally I would want these
users to be given a different role so that I can put them in a different VLAN.
Cheers,
Andi
-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]
--------------------------------------
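The proxy.conf realm routing and the outer post-auth condition quoted in the message above, simulated as an added Python example (this is not PacketFence or FreeRADIUS code). It shows, for each kind of User-Name, whether the request stays LOCAL or is proxied to the DEFAULT realm, whether a Stripped-User-Name exists (it does not for DEFAULT because of nostrip), and whether the outer server's condition would call the packetfence policy. It also runs a small check over constructed packetfence.log lines of the shape shown above, to flag an authorization that came back with an empty VLAN. The realm-module semantics encoded here (suffix split on '@', bare names are the NULL realm, unlisted realms fall to DEFAULT) and the visitor name visitor@otheruni.ac.uk are assumptions:

```python
import re

# Realm table mirroring the proxy.conf quoted in the message above. Assumed
# realm-module semantics: suffix realms split on the last '@', a name with no
# '@' is the NULL realm, anything unlisted falls to DEFAULT, and "nostrip"
# means Stripped-User-Name is never set for that realm.
REALMS = {
    "NULL": {"authhost": "LOCAL", "strip": True},
    "cardiffmet.ac.uk": {"authhost": "LOCAL", "strip": True},
    "uwic.ac.uk": {"authhost": "LOCAL", "strip": True},
    "DEFAULT": {"authhost": "orpsserver1.domain.ac.uk", "strip": False},
}

EAP_TTLS, EAP_PEAP = 21, 25  # the two EAP-Type values tested in post-auth


def split_realm(user_name):
    """Split User-Name on its last '@'; realm is None for a bare name."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def route(user_name, realms=REALMS):
    """Decide where the request goes and which identity is left on it."""
    user, realm = split_realm(user_name)
    if realm is None:
        key = "NULL"
    elif realm in realms:
        key = realm
    else:
        key = "DEFAULT"
    cfg = realms[key]
    stripped = user if (cfg["strip"] and realm is not None) else None
    return {
        "realm": key,
        "authhost": cfg["authhost"],
        "proxied": cfg["authhost"] != "LOCAL",
        "User-Name": user_name,
        "Stripped-User-Name": stripped,
    }


def outer_calls_packetfence(eap_type, user_name, home_realm="cardiffmet.ac.uk"):
    """The unlang condition from the outer 'packetfence' virtual server: run
    the packetfence policy when there is no EAP, when the EAP method is not
    TTLS/PEAP (so no inner tunnel will run it), or when the name carries a
    realm other than the home one. re.escape makes the realm match slightly
    stricter than the original regex, whose dots were unescaped."""
    has_realm = re.match(r"^.*@.+", user_name) is not None
    foreign = has_realm and re.match(r"^.*@" + re.escape(home_realm), user_name) is None
    return eap_type is None or eap_type not in (EAP_TTLS, EAP_PEAP) or foreign


# Constructed log lines in the shape of the packetfence.log excerpt above;
# the visitor identity is made up for the example.
SAMPLE_LOG = [
    "Feb 03 15:27:15 pf::WebAPI(7415) INFO: handling radius autz request: from "
    "switch_ip => 192.168.142.13, connection_type => Wireless-802.11-EAP mac => "
    "00:26:b6:da:18:42, port => 13, username => visitor@otheruni.ac.uk (pf::radius::authorize)",
    "Feb 03 15:27:16 pf::WebAPI(7415) INFO: Username was NOT defined or unable to "
    "match a role - returning node based role '' (pf::vlan::getNormalVlan)",
    "Feb 03 15:27:16 pf::WebAPI(7415) INFO: MAC: 00:26:b6:da:18:42, PID: "
    "visitor@otheruni.ac.uk, Status: reg. Returned VLAN: (pf::vlan::fetchVlanForNode)",
    "Feb 03 15:27:16 pf::WebAPI(7415) WARN: new VLAN is not a managed VLAN -> "
    "Returning FAIL. Is the target vlan in the vlans=... list? (pf::radius::authorize)",
]


def triage_pf_log(lines):
    """Pull the identity PacketFence matched and the VLAN it returned out of
    one authorization's log lines; an empty 'Returned VLAN:' becomes None."""
    report = {"username": None, "vlan": None, "failed": False}
    for line in lines:
        m = re.search(r"username => (\S+)", line)
        if m:
            report["username"] = m.group(1)
        m = re.search(r"Returned VLAN: ?(\S*) \(pf::vlan::fetchVlanForNode\)", line)
        if m:
            report["vlan"] = m.group(1) or None
        if "not a managed VLAN" in line:
            report["failed"] = True
    return report


if __name__ == "__main__":
    cases = [(25, "student"), (25, "student@cardiffmet.ac.uk"),
             (25, "visitor@otheruni.ac.uk"), (13, "student@cardiffmet.ac.uk")]
    for eap, name in cases:
        r = route(name)
        print(f"{name:26} realm={r['realm']:17} proxied={r['proxied']!s:5} "
              f"stripped={r['Stripped-User-Name']!s:8} "
              f"outer_packetfence={outer_calls_packetfence(eap, name)}")
    print(triage_pf_log(SAMPLE_LOG))
```

Running it shows the split the message describes: the visitor's request is proxied with the full User-Name and no Stripped-User-Name, and it is the outer server that hands it to packetfence, while a home-realm PEAP/TTLS user is skipped in the outer server and only reaches packetfence from the inner tunnel. The triage output for the constructed lines reports an empty VLAN and the managed-VLAN failure, which is the symptom to look for before touching roles or switches.conf.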
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users