OK, here're the packetfence logs for my login with NO conditions set
(works... user gains Internet access):

Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for
jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
source RadiusTest, returning actions. (pf::Authentication::Source::match)
Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
source RadiusTest, returning actions. (pf::Authentication::Source::match)
Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to jnathan
(pf::person::person_modify)
Dec 10 10:37:31 httpd.portal(6988) INFO: [00:1d:72:35:1b:15] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Dec 10 10:37:31 httpd.portal(6988) INFO: Instantiate a new iptables
modification method. pf::ipset (pf::inline::get_technique)
Dec 10 10:37:31 httpd.webservices(6992) INFO: Instantiate a new iptables
modification method. pf::ipset (pf::inline::get_technique)
Dec 10 10:37:32 httpd.webservices(6992) INFO: [00:1d:72:35:1b:15] stated
changed, adapting firewall rules for proper enforcement
(pf::inline::performInlineEnforcement)

Here're the logs when ANY condition I've tried is set (doesn't work... user
NOT granted Internet access):

Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for
jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
nodes is reached (pf::node::is_max_reg_nodes_reached)

For the sake of testing, I set a very simple rule. Here's the entry from
my Authentication.conf file:

[RadiusTest]
description=FreeRadius Server
secret=<my secret>
port=1812
type=RADIUS
host=<my radius server>

[RadiusTest rule RadiusStaff]
description=Check if Staff Account
match=all
action0=set_role=staff
action1=set_access_duration=1W
condition0=username,equals,jnathan

Ultimately, I'd like to use a regular expression rather than an "equals".
I'd like to use something akin to: [a-zA-Z]$

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Tue, Dec 9, 2014 at 9:31 PM, Nathan, Josh <[email protected]> wrote:
> I know it works without the condition. I did test that. And I can see in
> the PacketFence logs that the username and password do authenticate
> correctly. I'd send you the mentioned log files, but for my time zone, I'm
> already home. I can send those tomorrow.
>
> But... I tested it without any conditions, and it worked fine. Even with
> the condition, it all says that authentication was successful, it just
> follows it up with the warning that there is no "role" assignment.
>
> Thanks,
> Joshua Nathan
> IT Administrator
> Black Forest Academy
> +49 (0) 7626-916123
>
> On Tue, Dec 9, 2014 at 4:43 PM, Louis Munro <[email protected]> wrote:
>
>> On 2014-12-09, at 9:04 , "Nathan, Josh" <[email protected]> wrote:
>>
>> > Hello,
>> >
>> > I'm trying to authenticate users against a Radius database, but if I
>> > add a condition to the rule, I keep getting this message in the logs
>> > along with the "Sorry!" page:
>> >
>> > httpd.portal(6978) WARN: No role specified or found for pid jnathan
>> > (MAC 00:1d:72:35:1b:15); assume maximum number of registered nodes is
>> > reached (pf::node::is_max_reg_nodes_reached)
>> >
>> > I would like to set it as a regular expression so that if the username
>> > ends with a letter, they have one role, and if they end with a number
>> > they have a different role.
>> >
>> > However, right now even setting it so that if the "username" either
>> > "contains" or "equals" 'jnathan', I get this message, let alone trying
>> > to use a regular expression.
>> >
>> > Any help? How do I get these conditions working?
>>
>>
>> Hi Joshua,
>> Before diving into conditions it helps to make sure the authentication
>> actually succeeds and the source is well configured.
>> Can you post the contents of your conf/authentication.conf file (stripped
>> of passwords and such), especially the section that defines the RADIUS
>> source?
>>
>> You also need to check to see what else is in the logs. Clearly your rule
>> was not matched, but that's not enough information to go on.
>>
>> Try defining a catchall rule first.
>> Don't add any conditions.
>> If your rule is still not matched then the problem is not with the rule
>> itself.
>>
>> Regards,
>> --
>> Louis Munro
>> [email protected] :: www.inverse.ca
>> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
>
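
A way to pick out, from the PacketFence log, the logins that authenticated but never matched a rule, which is the difference between the two excerpts in this thread (added example, not part of the original messages and not PacketFence code). It assumes each httpd worker (process name plus pid) handles one login at a time, so a "Matched rule" line is attributed to the most recent authentication in the same worker; the sample input is the thread's own log lines joined back onto single lines.

```python
import re

# The thread's own log lines, re-joined onto single lines (mail wrapping undone).
SAMPLE_LOG = """\
Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in source RadiusTest, returning actions. (pf::Authentication::Source::match)
Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in source RadiusTest, returning actions. (pf::Authentication::Source::match)
Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
"""

# Assumed line layout: "<Mon DD HH:MM:SS> <process>(<pid>) <LEVEL>: <message>"
PREFIX = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+?)\((\d+)\) \w+: (.*)$")
AUTH_OK = re.compile(r"Authentication successful for (\S+) in source (\S+)")
MATCHED = re.compile(r"Matched rule \(([^)]+)\) in source")
NO_ROLE = re.compile(r"No role specified or found for pid (\S+)")


def triage(log_text):
    """Return one record per successful authentication with its rule outcome."""
    events, last_auth = [], {}  # last_auth: (process, pid) -> open record
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        ts, proc, pid, msg = m.groups()
        rec = last_auth.get((proc, pid))
        if a := AUTH_OK.search(msg):
            rec = {"time": ts, "user": a.group(1), "source": a.group(2),
                   "rules": [], "no_role": False}
            events.append(rec)
            last_auth[(proc, pid)] = rec
        elif rec and (r := MATCHED.search(msg)):
            if r.group(1) not in rec["rules"]:  # the sample logs the match twice
                rec["rules"].append(r.group(1))
        elif rec and (n := NO_ROLE.search(msg)) and n.group(1) == rec["user"]:
            rec["no_role"] = True
    return events


def unmatched(events):
    """Authentications that succeeded but were never followed by a rule match."""
    return [e for e in events if not e["rules"]]


if __name__ == "__main__":
    for e in unmatched(triage(SAMPLE_LOG)):
        print(f'{e["time"]} {e["user"]}@{e["source"]}: no rule matched, no_role={e["no_role"]}')
```
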