Something like that:

if (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
    return ($switch->getVlanByName('eduroam_local'), 'eduroam_local');
}
else {
    return ($switch->getVlanByName('eduroam_visitors'), 'eduroam_visitors');
}

On 2014-05-16 08:48, Morris, Andi wrote:

Hi Fabrice,

Yes I agree. I can't work out why it works on my dev setup, but not my live.

I'm running version 4.1.0 in both environments.

I'm not sure how to implement your advice for the custom script, I'm sorry.

I have:

if (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
    return $switch->getVlanByName('eduroam_local');
}
else {
    return $switch->getVlanByName('eduroam_visitors');
}

Cheers,

Andi

*From:*Fabrice DURAND [mailto:[email protected]]
*Sent:* 16 May 2014 13:01
*To:* [email protected]
*Subject:* Re: [PacketFence-users] radius auth not working in debug mode, but working in standard mode

Hello Andi,

It doesn't look like a freeradius issue but a PacketFence issue.

Which version are you running?

Other thing, in your custom code you are returning just the vlan id but you must return the vlan_id and the role_name:

return ($vlan, $role);

Regards
Fabrice


On 2014-05-16 07:37, Morris, Andi wrote:

    Hi,

    I've narrowed this down to the packetfence call in the post-auth
    section of sites-enabled/packetfence-tunnel. If I comment this out
    the authentication and authorization works in both normal and
    debugging modes. With it in, it fails in debug and works in normal.

    Any tips?

    Cheers,

    Andi

    *From:*Morris, Andi [mailto:[email protected]]
    *Sent:* 15 May 2014 15:07
    *To:* [email protected]
    <mailto:[email protected]>
    *Subject:* [PacketFence-users] radius auth not working in debug
    mode, but working in standard mode

    Hi all,

    Quite a weird one here I think.

    I had my packetfence setup working with the default freeradius
    snakeoil certificates, and have come to the point where I'm trying
    to configure the more secure method. I have followed the steps at
    Alan Dekok's
    http://deployingradius.com/documents/configuration/certificates.html
    site, and once I deploy the new root certificate to the client
    everything works fine. However, when I run the radius server in
    debug mode it doesn't work.

    The only error that I can see in the debug output is:
    rlm_perl: An error occurred while processing the authorize SOAP
    request:  syntax error at line 1, column 61, byte 61 at
    /usr/lib64/perl5/vendor_perl/XML/Parser.pm line 187.

    And the request seems to get rejected shortly after that.

    The certificates were created by editing the ca.cnf and server.cnf
    in /usr/local/pf/raddb/certs and then running 'make'. Once this
    was complete I decrypted the passwords to stop freeradius asking
    for the private key password each time the service was started,
    and then copied them to /usr/local/pf/conf/ssl. Once in there I
    edited /usr/local/pf/conf/radiusd/eap.conf and changed the below
    lines to reflect my new certificates:
            private_key_file = %%install_dir%%/conf/ssl/pfenceha.key

            certificate_file = %%install_dir%%/conf/ssl/pfenceha.crt

    It's all very confusing that it works with no issue when in normal
    running mode. Debug mode is started using the following command:
    radiusd -X -d /usr/local/pf/raddb

    The only thing I can think is that when a /usr/local/pf/bin/pfcmd
    service radiusd stop is performed it unloads some of the config
    that packetfence inserts before radius is started. Is this right?
    If so, is there a way to run radius in debug mode taking into
    account the various packetfence config files?

    I've attached a sanitised debug output. For reference I'm running
    version 4.1.0, and have the eduroam config as explained in the 4.2
    admin guide, with a slight tweak on the /sites-enabled/packetfence
    virtual server so that I can see what visiting users are on my
    network also:

    post-auth {
        exec
        if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) || (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet.ac.uk/)) {
            packetfence
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

    I also have a section in my vlan/custom.pm file to separate my
    visiting users from home users into separate vlans:
    sub getNormalVlan {
        my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type, $user_name, $ssid) = @_;
        my $logger = Log::Log4perl->get_logger(__PACKAGE__);

        if (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
            return $switch->getVlanByName('eduroam_local');
        }
        else {
            return $switch->getVlanByName('eduroam_visitors');
        }
    }

    To add further insult to injury, this all works perfectly well on
    my development server, running the same versions, and as far as I
    can see the same configuration.

    Can anybody help please?

    Cheers,

    Andi




    




    _______________________________________________

    PacketFence-users mailing list

    [email protected]  
<mailto:[email protected]>

    https://lists.sourceforge.net/lists/listinfo/packetfence-users




--
Fabrice Durand
[email protected]  <mailto:[email protected]>  ::  +1.514.447.4918 (x135) 
::www.inverse.ca  <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




--
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
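
The difference between the two return forms discussed in this thread, as an added example that is not part of the original messages or of PacketFence's code. MockSwitch, the VLAN ids, the sample pids and the caller's list assignment are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the PacketFence switch object (hypothetical; constructed VLAN ids).
package MockSwitch;
my %VLANS = (eduroam_local => 110, eduroam_visitors => 120);
sub new           { return bless {}, shift }
sub getVlanByName { my ($self, $name) = @_; return $VLANS{$name} }

package main;

# Form from the first messages: only the VLAN id is returned.
sub getNormalVlan_vlan_only {
    my ($switch, $node_info) = @_;
    if (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
        return $switch->getVlanByName('eduroam_local');
    }
    return $switch->getVlanByName('eduroam_visitors');
}

# Form from the reply: VLAN id and role name returned as a two-element list.
sub getNormalVlan_vlan_and_role {
    my ($switch, $node_info) = @_;
    my $role = (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i)
        ? 'eduroam_local'
        : 'eduroam_visitors';
    return ($switch->getVlanByName($role), $role);
}

my $switch = MockSwitch->new;

# Constructed sample nodes: a home user, a visitor, and a node with no pid.
for my $node ({ pid => 'alice@cardiffmet.ac.uk' }, { pid => 'bob@example.org' }, {}) {
    for my $impl (\&getNormalVlan_vlan_only, \&getNormalVlan_vlan_and_role) {
        # Assumed caller shape: a list assignment that expects (vlan, role).
        my ($vlan, $role) = $impl->($switch, $node);
        printf "%-24s vlan=%s role=%s\n",
            $node->{pid} // '(no pid)', $vlan, $role // '(undef)';
    }
}
```

With the VLAN-only form the caller's second variable is left undefined for every node, while the two-element form fills in both values, including for a node with no pid.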
