Hi all,
I believe I'm getting much closer with this, at least from the point of view of
being a home site. I'm yet to try it out as a simulated roaming user.
However the stumbling block I'm hitting now seems to be down to the
roles/sources in PacketFence. My credentials get authorized by the radius
server, whether it's the localhost for our users, or the ORPS>NRPS servers for
visiting users, however PacketFence is stopping the access because it can't
match the user to any rule in my local sources.
FREERADIUS DEBUG SNIPPET:
Login OK: [[email protected]] (from client 192.168.1.2 port 13 cli
00-26-b6-da-18-42 via TLS tunnel)
# Executing section post-auth from file
/usr/local/pf/raddb//sites-enabled/packetfence-tunnel
+- entering group post-auth {...}
++[exec] returns noop
rlm_perl: request from 00:26:b6:da:18:42 port 13 was not accepted but a proper
error code was provided. Check server side logs for details
rlm_perl: PacketFence RESULT RESPONSE CODE: 1 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Called-Station-Id = d8-24-bd-e9-dc-80:eduroam_dev
rlm_perl: Added pair State = 0x3e944f163f9d550b3ec63332ee55a686
rlm_perl: Added pair Airespace-Wlan-Id = 9
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Realm = cardiffmet.ac.uk
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair NAS-IP-Address = 192.168.1.2
rlm_perl: Added pair Tunnel-Private-Group-Id = 62
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Calling-Station-Id = 00-26-b6-da-18-42
rlm_perl: Added pair Cisco-AVPair = audit-session-id=c0a88e0d000c1e585314a05f
rlm_perl: Added pair User-Name = [email protected]
rlm_perl: Added pair NAS-Identifier = llWAC5505
rlm_perl: Added pair EAP-Message = 0x020900061a03
rlm_perl: Added pair Stripped-User-Name = sm12345
rlm_perl: Added pair NAS-Port = 13
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair Reply-Message = New VLAN is not a managed VLAN
rlm_perl: Added pair User-Name = sm18818
rlm_perl: Added pair MS-MPPE-Recv-Key = 0xca3f5acc4733baf2a8155710b1ffe0a1
rlm_perl: Added pair MS-MPPE-Send-Key = 0xde65d3ad4d971ba14e5c9a09b23ad869
rlm_perl: Added pair EAP-Message = 0x03090004
rlm_perl: Added pair MS-MPPE-Encryption-Types = 0x00000004
rlm_perl: Added pair MS-MPPE-Encryption-Policy = 0x00000002
rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000
rlm_perl: Added pair Auth-Type = EAP
++[packetfence] returns fail
} # server packetfence-tunnel
[peap] Got tunneled reply code 3
Reply-Message = "New VLAN is not a managed VLAN"
User-Name = "sm12345"
MS-MPPE-Recv-Key = 0xca3f5acc4733baf2a8155710b1ffe0a1
MS-MPPE-Send-Key = 0xde65d3ad4d971ba14e5c9a09b23ad869
EAP-Message = 0x03090004
MS-MPPE-Encryption-Types = 0x00000004
MS-MPPE-Encryption-Policy = 0x00000002
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
Reply-Message = "New VLAN is not a managed VLAN"
User-Name = "sm12345"
MS-MPPE-Recv-Key = 0xca3f5acc4733baf2a8155710b1ffe0a1
MS-MPPE-Send-Key = 0xde65d3ad4d971ba14e5c9a09b23ad869
EAP-Message = 0x03090004
MS-MPPE-Encryption-Types = 0x00000004
MS-MPPE-Encryption-Policy = 0x00000002
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
Packetfence.log snippet:
Mar 03 15:31:25 pf::WebAPI(19853) INFO: handling radius autz request: from
switch_ip => 192.168.1.2, connection_type => Wireless-802.11-EAP mac =>
00:26:b6:da:18:42, port => 13, username => [email protected]
(pf::radius::authorize)
Mar 03 15:31:28 pf::WebAPI(19853) INFO: autoregister a node that is already
registered, do nothing. (pf::node::node_register)
Mar 03 15:31:28 pf::WebAPI(19853) INFO: Username was NOT defined or unable to
match a role - returning node based role '' (pf::vlan::getNormalVlan)
Mar 03 15:31:28 pf::WebAPI(19853) WARN: No parameter Vlan found in
conf/switches.conf for the switch 192.168.1.2 (pf::SNMP::getVlanByName)
Mar 03 15:31:28 pf::WebAPI(19853) INFO: MAC: 00:26:b6:da:18:42, PID:
[email protected], Status: reg. Returned VLAN:
(pf::vlan::fetchVlanForNode)
Mar 03 15:31:28 pf::WebAPI(19853) WARN: new VLAN is not a managed VLAN ->
Returning FAIL. Is the target vlan in the vlans=... list?
(pf::radius::authorize)
Switches.conf:
[192.168.1.2]
controllerIp=192.168.1.2
mode=production
SNMPCommunityRead=public
SNMPCommunityWrite=private
defaultVlan=62
description=LL Wireless
SNMPVersionTrap=2c
type=Cisco::WLC_5500
VoIPEnabled=N
radiusSecret=testing123
SNMPVersion=2c
SNMPCommunityTrap=allegro
defaultRole=62
eduroam_visitorsVlan=62
eduroam_visitorsRole=62
StaffVlan=62
StaffRole=62
Authentication.conf snippet (everything else is commented out):
[local]
description=Local Users
type=SQL
[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
[file1 rule admins]
description=All admins
match=all
action0=set_access_level=ALL
[null]
description=Null Source
type=Null
email_required=no
[null rule eduroam_visitors]
match=all
action0=set_role=default
action1=set_unreg_date=2014-12-31
Is there a way I can create a NULL source, which will just look at the username
coming in, and if it contains @cardiffmet.ac.uk or @uwic.ac.uk assign a certain
role, and the switch then sets the vlan, and if it's anything else set to a
visitor vlan?
Cheers,
Andi
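As an added illustration (not code from PacketFence or from anyone in this thread), here is a small Python model of the decision Andi is asking for: pick a role from the username's realm, then do the <Role>Vlan lookup and the managed-VLAN check that the PacketFence log shows failing. Usernames and the trimmed switches.conf stanzas are constructed; the vlans= key is the one the "Is the target vlan in the vlans=... list?" warning refers to.

```python
import configparser

# Constructed switches.conf fragments (not the thread's file verbatim): the first
# mirrors the posted [192.168.1.2] stanza, which has no vlans= list; the second
# adds one. Role-to-VLAN keys follow the <Role>Vlan= pattern seen in the post.
POSTED_CONF = """
[192.168.1.2]
type=Cisco::WLC_5500
defaultVlan=62
StaffVlan=62
eduroam_visitorsVlan=62
"""
FIXED_CONF = POSTED_CONF + "vlans=62\n"

HOME_REALMS = ("cardiffmet.ac.uk", "uwic.ac.uk")  # realms named in the question


def role_for_username(username, home_realms=HOME_REALMS):
    """Realm-based decision: home realm -> Staff, any other realm -> visitor."""
    if "@" not in username:
        return "Staff"  # assumption: a realm-less login is a local user
    realm = username.rsplit("@", 1)[1].lower()
    return "Staff" if realm in home_realms else "eduroam_visitors"


def load_switch(conf_text, switch_ip="192.168.1.2"):
    """Parse one switch stanza; keys stay case-sensitive like PacketFence's."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(conf_text)
    return dict(cp[switch_ip])


def vlan_for_role(switch, role):
    """Like the getVlanByName lookup in the log: <role>Vlan, '' if absent."""
    return switch.get(role + "Vlan", "") if role else ""


def authorize(username, switch):
    """Return (vlan, message); an empty or unmanaged VLAN is the FAIL in the log."""
    role = role_for_username(username)
    vlan = vlan_for_role(switch, role)
    managed = [v.strip() for v in switch.get("vlans", "").split(",") if v.strip()]
    if not vlan or vlan not in managed:
        return "", "FAIL: role %r -> vlan %r, managed vlans=%s" % (role, vlan, managed)
    return vlan, "OK: role %s -> vlan %s" % (role, vlan)


if __name__ == "__main__":
    for conf in (POSTED_CONF, FIXED_CONF):
        sw = load_switch(conf)
        for user in ("sm12345@cardiffmet.ac.uk", "guest@example.edu"):
            print(authorize(user, sw))
```

Run against the posted stanza every user fails the managed-VLAN check, and an empty role (the '' in the getNormalVlan log line) yields an empty VLAN before that check is even reached.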
From: Morris, Andi [mailto:[email protected]]
Sent: 25 February 2014 11:47
To: '[email protected]'
Subject: Re: [PacketFence-users] PF v4.1 and eduroam
Hi Loick,
That is really helpful thank you.
I don't necessarily need Packetfence to assign the roles and vlans for visiting
users, however it would be good if those users and their nodes would be
registered in the packetfence database.
I've implemented the changes you've kindly put together, and it's not quite
there.
I've attached the debug files for both a local user and a visiting user. It
doesn't seem to know what to do to authorize the request if the
called-station-id matches, which it always does from anyone accessing eduroam
from our campus.
PS, how will this work with our users logging in from other locations? If I
redirect our ORPS servers to point to the PacketFence server for authentication,
will PacketFence still log the details, or will the user just get a simple
accept or deny?
Cheers,
Andi
From: Loick Pelet [mailto:[email protected]]
Sent: 21 February 2014 18:39
To: [email protected]
Subject: Re: [PacketFence-users] PF v4.1 and eduroam
Hello Andi,
My answer is in your mail body.
regards.
Loick
--
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
gtalk or skype : lpelet.inverse
On Feb 20, 2014, at 7:39 AM, Morris, Andi <[email protected]> wrote:
Hi Loick,
The workflow I'm hoping to achieve is:
- User connects to open 'eduroam-setup' SSID. This redirects them to
the captive portal and gives them the options to download an Xpress Connect
wizard to configure their device for our eduroam network (certificate
deployment etc). Once setup the wizard then automatically connects the device
onto the eduroam SSID.
PacketFence does not handle anything in this part (the way you described it).
- Once the user is authenticated, either locally, or by the users home
servers, PF auto-registers the device using the dot1x credentials, and gives
the device a certain role, depending on whether the user is a home user, or a
visiting user. This role will also mean that the device gets put onto a home or
visitors vlan (this is a requirement for our electronic resource licensing).
You will need to uncomment the shouldAutoRegister method in vlan/custom.pm to
auto-register the devices (obviously).
Do you really need PacketFence itself to assign a role (and then a VLAN), or could
FreeRADIUS do it directly in the RADIUS response? I have adapted a piece of
code for you in the attachment; if it does not fit your need we can do it another way.
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users