Hi Josh,
Take a look at this log line:
"Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
nodes is reached (pf::node::is_max_reg_nodes_reached)"
That means that you don't have a role assigned for the user that you are
using. You can assign it when you create the rule, and assign that role to a
vlan id in your switch. The problem is that without a role, PF assumes that
you have reached the maximum number of devices authorized for the pid and
doesn't assign a functional vlan. I think that your rule is correctly created
except for the role; try to create a role and that should solve the problem.
I hope that this helps you solve the problem.
Best Regards,
On Wed, Dec 10, 2014 at 5:09 AM, Nathan, Josh <[email protected]>
wrote:
> OK, I've also discovered this in the httpd.admin.log file:
>
> Dec 10 10:41:14 httpd.admin(6919) INFO: [00:1d:72:35:1b:15] re-evaluating
> access (node_modify called) (pf::enforcement::reevaluate_access)
> Dec 10 10:41:14 httpd.admin(6919) INFO: Instantiate a new iptables
> modification method. pf::ipset (pf::inline::get_technique)
>
> *Dec 10 10:41:15 httpd.admin(6919) ERROR: Use of uninitialized value
> $all_or_any in string eq at
> /usr/local/pf/html/pfappserver/lib/pfappserver/Model/Search/Node.pm line
> 73. (pfappserver::__ANON__)*
> Dec 10 10:41:34 httpd.admin(6919) INFO: status 200
> (pfappserver::Controller::Configuration::pf_section)
> Dec 10 10:41:59 httpd.admin(6919) INFO: set_role
> (pfappserver::Base::Form::Authentication::Action::validate)
> Dec 10 10:41:59 httpd.admin(6919) INFO: set_access_duration
> (pfappserver::Base::Form::Authentication::Action::validate)
>
> Thanks,
> Joshua Nathan
> IT Administrator
> Black Forest Academy
> +49 (0) 7626-916123
>
> On Wed, Dec 10, 2014 at 10:46 AM, Nathan, Josh <[email protected]>
> wrote:
>
>> OK, here're the packetfence logs for my login with NO conditions set
>> (works... user gains Internet access):
>>
>> Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for
>> jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
>> Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
>> source RadiusTest, returning actions. (pf::Authentication::Source::match)
>> Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
>> source RadiusTest, returning actions. (pf::Authentication::Source::match)
>> Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to
>> jnathan (pf::person::person_modify)
>> Dec 10 10:37:31 httpd.portal(6988) INFO: [00:1d:72:35:1b:15]
>> re-evaluating access (manage_register called)
>> (pf::enforcement::reevaluate_access)
>> Dec 10 10:37:31 httpd.portal(6988) INFO: Instantiate a new iptables
>> modification method. pf::ipset (pf::inline::get_technique)
>> Dec 10 10:37:31 httpd.webservices(6992) INFO: Instantiate a new iptables
>> modification method. pf::ipset (pf::inline::get_technique)
>> Dec 10 10:37:32 httpd.webservices(6992) INFO: [00:1d:72:35:1b:15] stated
>> changed, adapting firewall rules for proper enforcement
>> (pf::inline::performInlineEnforcement)
>>
>> Here're the logs when ANY condition I've tried is set (doesn't work...
>> user NOT granted Internet access):
>>
>> Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for
>> jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
>> Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
>> pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
>> nodes is reached (pf::node::is_max_reg_nodes_reached)
>>
>>
>> For the sake of testing, I set a very simple rule. Here's the entry from
>> my Authentication.conf file:
>>
>> [RadiusTest]
>> description=FreeRadius Server
>> secret=<my secret>
>> port=1812
>> type=RADIUS
>> host=<my radius server>
>>
>> [RadiusTest rule RadiusStaff]
>> description=Check if Staff Account
>> match=all
>> action0=set_role=staff
>> action1=set_access_duration=1W
>> condition0=username,equals,jnathan
>>
>> Ultimately, I'd like to use a regular expression rather than an
>> "equals". I'd like to use something akin to: [a-zA-Z]$
>>
>> Thanks,
>> Joshua Nathan
>> IT Administrator
>> Black Forest Academy
>> +49 (0) 7626-916123
>>
>> On Tue, Dec 9, 2014 at 9:31 PM, Nathan, Josh <[email protected]>
>> wrote:
>>
>>> I know it works without the condition. I did test that. And I can see
>>> in the PacketFence logs that the username and password do authenticate
>>> correctly. I'd send you the mentioned log files, but for my time zone, I'm
>>> already home. I can send those tomorrow.
>>>
>>> But... I tested it without any conditions, and it worked fine. Even
>>> with the condition, it all says that authentication was successful, it just
>>> follows it up with the warning that there is no "role" assignment.
>>>
>>> Thanks,
>>> Joshua Nathan
>>> IT Administrator
>>> Black Forest Academy
>>> +49 (0) 7626-916123
>>>
>>> On Tue, Dec 9, 2014 at 4:43 PM, Louis Munro <[email protected]> wrote:
>>>
>>>> On 2014-12-09, at 9:04 , "Nathan, Josh" <[email protected]>
>>>> wrote:
>>>>
>>>> > Hello,
>>>> >
>>>> > I'm trying to authenticate users against a Radius database, but if I
>>>> > add a condition to the rule, I keep getting this message in the logs along
>>>> > with the "Sorry!" page:
>>>> >
>>>> > httpd.portal(6978) WARN: No role specified or found for pid jnathan
>>>> > (MAC 00:1d:72:35:1b:15); assume maximum number of registered nodes is
>>>> > reached (pf::node::is_max_reg_nodes_reached)
>>>> >
>>>> > I would like to set it as a regular expression so that if the
>>>> > username ends with a letter, they have one role, and if they end with a
>>>> > number they have a different role.
>>>> >
>>>> > However, right now even setting it so that if the "username" either
>>>> > "contains" or "equals" 'jnathan', I get this message, let alone trying to
>>>> > use a regular expression.
>>>> >
>>>> > Any help? How do I get these conditions working?
>>>>
>>>>
>>>> Hi Joshua,
>>>> Before diving into conditions it helps to make sure the authentication
>>>> actually succeeds and the source is well configured.
>>>> Can you post the contents of your conf/authentication.conf file
>>>> (stripped of passwords and such), especially the section that defines the
>>>> RADIUS source?
>>>>
>>>> You also need to check to see what else is in the logs. Clearly your
>>>> rule was not matched, but that's not enough information to go on.
>>>>
>>>> Try defining a catchall rule first.
>>>> Don't add any conditions.
>>>> If your rule is still not matched then the problem is not with the rule
>>>> itself.
>>>>
>>>> Regards,
>>>> --
>>>> Louis Munro
>>>> [email protected] :: www.inverse.ca
>>>> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>>>> www.packetfence.org)
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>>>> with Interactivity, Sharing, Native Excel Exports, App Integration &
>>>> more
>>>> Get technology previously reserved for billion-dollar corporations, FREE
>>>>
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>>>
>>>
>>
>
>
--
*“Choose a job you love, and you will never have to work a day in your
life”*
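
A log triage sketch for the pattern seen in this thread, added here as an example (it is not part of any poster's message and not PacketFence code): it pairs each "Authentication successful" line with a following "Matched rule" line or "No role specified" warning from the same httpd.portal process. The sample lines are the thread's own portal log lines, unwrapped to one line each; the function names `triage` and `diagnose` are made up for this example.

```python
import re

# Constructed sample: portal log lines quoted in this thread, unwrapped.
SAMPLE_LOG = """\
Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in source RadiusTest, returning actions. (pf::Authentication::Source::match)
Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to jnathan (pf::person::person_modify)
Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+)\((\d+)\) (\w+): (.*)$")
AUTH_OK = re.compile(r"Authentication successful for (\S+) in source (\S+)")
MATCHED = re.compile(r"Matched rule \((\S+)\) in source (\S+?),")
NO_ROLE = re.compile(r"No role specified or found for pid (\S+) \(MAC ([0-9a-fA-F:]{17})\)")

def triage(log_text):
    """Return one record per successful login, in log order."""
    records, current = [], {}   # current: (daemon, process id) -> open record
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue            # wrapped continuation or unrelated line
        ts, daemon, procid, _level, msg = m.groups()
        key = (daemon, procid)
        if (a := AUTH_OK.search(msg)):
            rec = {"time": ts, "user": a[1], "source": a[2],
                   "rule": None, "no_role_mac": None}
            records.append(rec)
            current[key] = rec  # a later login in this process starts a new record
        elif key in current:
            rec = current[key]
            if (r := MATCHED.search(msg)) and r[2] == rec["source"]:
                rec["rule"] = r[1]
            elif (n := NO_ROLE.search(msg)) and n[1] == rec["user"]:
                rec["no_role_mac"] = n[2]
    return records

def diagnose(rec):
    """Summarise what the log shows for one login."""
    if rec["no_role_mac"] and rec["rule"] is None:
        return "authenticated, no rule matched before the no-role warning"
    if rec["no_role_mac"]:
        return "rule matched, but a no-role warning still followed"
    return "rule matched" if rec["rule"] else "authenticated, no rule line seen"

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["time"], rec["user"], rec["source"], "->", diagnose(rec))
```
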