Thanks for your reply, Juan.
But if you look, you should see from the excerpt of my conf file that I do,
indeed, have a role. The role is "staff". Further, it does correctly
assign the role if I remove any conditions I have regarding the username
(I'll admit that I haven't tried other types of conditions as those aren't
pertinent to my goal). From the logs, you can see that the username I
tried to authenticate with was "jnathan", and even in the most basic
condition I tried (the condition of the username being "jnathan"), it then
fails to assign the role... as if the condition always fails.
So as it stands, the Rule itself works (sees that I have a legit username
and password, and assigns the proper role). However, when I assign a
Condition to the rule, it fails. Maybe I'm typing it in wrong? I've tried
with no quotes, single quotes, double quotes... When looking at the conf
file in Vim, I don't see any erroneous characters or extra whitespace...
The end goal is to have a single Radius database that houses all usernames
and passwords, where our username pattern determines which role someone is
assigned.
Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123
On Wed, Dec 10, 2014 at 6:43 PM, Juan Camilo Valencia <
[email protected]> wrote:
> Hi Josh,
>
> Take a look at this log line:
> "Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
> pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
> nodes is reached (pf::node::is_max_reg_nodes_reached)"
>
> That means that you don't have a role assigned for the user that you are
> using. You can assign one when you create the rule, and assign that role to a
> VLAN ID in your switch. The problem is that without a role PF assumes that
> you have reached the maximum number of devices authorized for the pid and doesn't
> assign a functional VLAN. I think that your rule is correctly created except for
> the role; try to create a role and that should solve the problem.
>
> I hope that this helps you solve the problem.
>
> Best Regards,
>
> On Wed, Dec 10, 2014 at 5:09 AM, Nathan, Josh <[email protected]>
> wrote:
>
>> OK, I've also discovered this in the httpd.admin.log file:
>>
>> Dec 10 10:41:14 httpd.admin(6919) INFO: [00:1d:72:35:1b:15] re-evaluating
>> access (node_modify called) (pf::enforcement::reevaluate_access)
>> Dec 10 10:41:14 httpd.admin(6919) INFO: Instantiate a new iptables
>> modification method. pf::ipset (pf::inline::get_technique)
>>
>> Dec 10 10:41:15 httpd.admin(6919) ERROR: Use of uninitialized value
>> $all_or_any in string eq at
>> /usr/local/pf/html/pfappserver/lib/pfappserver/Model/Search/Node.pm line
>> 73. (pfappserver::__ANON__)
>> Dec 10 10:41:34 httpd.admin(6919) INFO: status 200
>> (pfappserver::Controller::Configuration::pf_section)
>> Dec 10 10:41:59 httpd.admin(6919) INFO: set_role
>> (pfappserver::Base::Form::Authentication::Action::validate)
>> Dec 10 10:41:59 httpd.admin(6919) INFO: set_access_duration
>> (pfappserver::Base::Form::Authentication::Action::validate)
>>
>> Thanks,
>> Joshua Nathan
>> IT Administrator
>> Black Forest Academy
>> +49 (0) 7626-916123
>>
>> On Wed, Dec 10, 2014 at 10:46 AM, Nathan, Josh <[email protected]>
>> wrote:
>>
>>> OK, here are the PacketFence logs for my login with NO conditions set
>>> (works... user gains Internet access):
>>>
>>> Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for
>>> jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
>>> Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
>>> source RadiusTest, returning actions. (pf::Authentication::Source::match)
>>> Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
>>> source RadiusTest, returning actions. (pf::Authentication::Source::match)
>>> Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to
>>> jnathan (pf::person::person_modify)
>>> Dec 10 10:37:31 httpd.portal(6988) INFO: [00:1d:72:35:1b:15]
>>> re-evaluating access (manage_register called)
>>> (pf::enforcement::reevaluate_access)
>>> Dec 10 10:37:31 httpd.portal(6988) INFO: Instantiate a new iptables
>>> modification method. pf::ipset (pf::inline::get_technique)
>>> Dec 10 10:37:31 httpd.webservices(6992) INFO: Instantiate a new iptables
>>> modification method. pf::ipset (pf::inline::get_technique)
>>> Dec 10 10:37:32 httpd.webservices(6992) INFO: [00:1d:72:35:1b:15] stated
>>> changed, adapting firewall rules for proper enforcement
>>> (pf::inline::performInlineEnforcement)
>>>
>>> Here are the logs when ANY condition I've tried is set (doesn't work...
>>> user NOT granted Internet access):
>>>
>>> Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for
>>> jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
>>> Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found for
>>> pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of registered
>>> nodes is reached (pf::node::is_max_reg_nodes_reached)
>>>
>>>
>>> For the sake of testing, I set a very simple rule. Here's the entry
>>> from my Authentication.conf file:
>>>
>>> [RadiusTest]
>>> description=FreeRadius Server
>>> secret=<my secret>
>>> port=1812
>>> type=RADIUS
>>> host=<my radius server>
>>>
>>> [RadiusTest rule RadiusStaff]
>>> description=Check if Staff Account
>>> match=all
>>> action0=set_role=staff
>>> action1=set_access_duration=1W
>>> condition0=username,equals,jnathan
>>>
>>> Ultimately, I'd like to use a regular expression rather than an
>>> "equals". I'd like to use something akin to: [a-zA-Z]$
>>>
>>> Thanks,
>>> Joshua Nathan
>>> IT Administrator
>>> Black Forest Academy
>>> +49 (0) 7626-916123
>>>
>>> On Tue, Dec 9, 2014 at 9:31 PM, Nathan, Josh <[email protected]>
>>> wrote:
>>>
>>>> I know it works without the condition. I did test that. And I can see
>>>> in the PacketFence logs that the username and password do authenticate
>>>> correctly. I'd send you the mentioned log files, but for my time zone, I'm
>>>> already home. I can send those tomorrow.
>>>>
>>>> But... I tested it without any conditions, and it worked fine. Even
>>>> with the condition, it all says that authentication was successful, it just
>>>> follows it up with the warning that there is no "role" assignment.
>>>>
>>>> Thanks,
>>>> Joshua Nathan
>>>> IT Administrator
>>>> Black Forest Academy
>>>> +49 (0) 7626-916123
>>>>
>>>> On Tue, Dec 9, 2014 at 4:43 PM, Louis Munro <[email protected]> wrote:
>>>>
>>>>> On 2014-12-09, at 9:04 , "Nathan, Josh" <[email protected]>
>>>>> wrote:
>>>>>
>>>>> > Hello,
>>>>> >
>>>>> > I'm trying to authenticate users against a Radius database, but if I
>>>>> add a condition to the rule, I keep getting this message in the logs along
>>>>> with the "Sorry!" page:
>>>>> >
>>>>> > httpd.portal(6978) WARN: No role specified or found for pid jnathan
>>>>> (MAC 00:1d:72:35:1b:15); assume maximum number of registered nodes is
>>>>> reached (pf::node::is_max_reg_nodes_reached)
>>>>> >
>>>>> > I would like to set it as a regular expression so that if the
>>>>> username ends with a letter, they have one role, and if they end with a
>>>>> number they have a different role.
>>>>> >
>>>>> > However, right now even setting it so that if the "username" either
>>>>> "contains" or "equals" 'jnathan', I get this message, let alone trying to
>>>>> use a regular expression.
>>>>> >
>>>>> > Any help? How do I get these conditions working?
>>>>>
>>>>>
>>>>> Hi Joshua,
>>>>> Before diving into conditions it helps to make sure the authentication
>>>>> actually succeeds and the source is well configured.
>>>>> Can you post the contents of your conf/authentication.conf file
>>>>> (stripped of passwords and such), especially the section that defines the
>>>>> RADIUS source?
>>>>>
>>>>> You also need to check to see what else is in the logs. Clearly your
>>>>> rule was not matched, but that's not enough information to go on.
>>>>>
>>>>> Try defining a catchall rule first.
>>>>> Don't add any conditions.
>>>>> If your rule is still not matched then the problem is not with the
>>>>> rule itself.
>>>>>
>>>>> Regards,
>>>>> --
>>>>> Louis Munro
>>>>> [email protected] :: www.inverse.ca
>>>>> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
>>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>>>>> www.packetfence.org)
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>>>> from Actuate! Instantly Supercharge Your Business Reports and
>>>>> Dashboards
>>>>> with Interactivity, Sharing, Native Excel Exports, App Integration &
>>>>> more
>>>>> Get technology previously reserved for billion-dollar corporations,
>>>>> FREE
>>>>>
>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> --
>
> “Choose a job you love, and you will never have to work a day in your
> life”
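The rule syntax posted in the thread, and the "letter means staff, digit means student" split Josh is after, worked through as an added example. This is not PacketFence's own code and not code from anyone in the thread: it is a small Python model of how `match=all`/`any` rules with `attribute,operator,value` conditions select actions. The `RadiusTest` source and the `RadiusStaff` rule mirror the posted fragment (secret and host replaced with placeholders); the `RadiusStudent` rule, the `1D` duration, the `matches` regex operator name and first-match-wins ordering are assumptions made here, so check them against your PacketFence version.

```python
import configparser
import re
from dataclasses import dataclass

# Constructed sample in the authentication.conf rule syntax from the thread.
# RadiusTest/RadiusStaff follow the posted fragment; RadiusStudent, the
# "matches" operator and the "1D" duration are assumptions for this example.
SAMPLE_CONF = """
[RadiusTest]
description=FreeRadius Server
secret=REDACTED
port=1812
type=RADIUS
host=radius.example.invalid

[RadiusTest rule RadiusStaff]
description=Staff accounts end with a letter
match=all
action0=set_role=staff
action1=set_access_duration=1W
condition0=username,matches,[a-zA-Z]$

[RadiusTest rule RadiusStudent]
description=Student accounts end with a digit
match=all
action0=set_role=student
action1=set_access_duration=1D
condition0=username,matches,[0-9]$
"""


@dataclass
class Rule:
    name: str
    match: str          # "all": every condition must hold; "any": one is enough
    conditions: list    # [(attribute, operator, value), ...]
    actions: list       # [(action, value), ...]


def _numbered(section, prefix):
    """Values of condition0, condition1, ... (or action0, ...) in numeric order."""
    keys = [k for k in section if k.startswith(prefix)]
    return [section[k] for k in sorted(keys, key=lambda k: int(k[len(prefix):]))]


def parse_rules(text, source):
    """Return the rules defined for one source, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep option names as written
    cp.read_string(text)
    prefix = f"{source} rule "
    rules = []
    for name in cp.sections():
        if not name.startswith(prefix):
            continue
        sec = cp[name]
        conditions = []
        for raw in _numbered(sec, "condition"):
            parts = raw.split(",", 2)   # the value part may itself contain commas
            if len(parts) != 3:
                raise ValueError(f"malformed condition in {name}: {raw!r}")
            conditions.append(tuple(parts))
        actions = [tuple(raw.split("=", 1)) for raw in _numbered(sec, "action")]
        rules.append(Rule(name[len(prefix):], sec.get("match", "all"), conditions, actions))
    return rules


def condition_holds(attrs, attribute, operator, value):
    """One condition against the authenticated user's attributes.

    The value is taken literally: quotes written around it in the file stay
    part of the string, so "jnathan" (with quotes) never equals jnathan.
    """
    actual = attrs.get(attribute)
    if actual is None:
        return False                # an attribute the source did not supply never matches
    if operator == "equals":
        return actual == value
    if operator == "contains":
        return value in actual
    if operator == "starts":
        return actual.startswith(value)
    if operator == "ends":
        return actual.endswith(value)
    if operator == "matches":       # regex operator; assumed name, verify for your version
        return re.search(value, actual) is not None
    raise ValueError(f"unknown operator {operator!r}")


def rule_matches(rule, attrs):
    if not rule.conditions:
        return True                 # no conditions: a catch-all rule
    results = [condition_holds(attrs, *c) for c in rule.conditions]
    return all(results) if rule.match == "all" else any(results)


def assign_role(conf_text, source, username):
    """First matching rule wins (assumed); returns (rule name, role) or (None, None)."""
    for rule in parse_rules(conf_text, source):
        if rule_matches(rule, {"username": username}):
            return rule.name, dict(rule.actions).get("set_role")
    return None, None


if __name__ == "__main__":
    for user in ("jnathan", "student42", "trailing-"):
        print(user, "->", assign_role(SAMPLE_CONF, "RadiusTest", user))
```

Two points worth checking in a real deployment follow from the model. First, the two patterns should be mutually exclusive and between them cover every account name; a username that matches neither (such as `trailing-` above) authenticates but receives no role, which is exactly the situation the "No role specified or found for pid" warning in the thread reports. Second, once the naming convention decides the role, the naming convention is the authorization boundary: whoever can choose or rename an account in the RADIUS backend chooses its role, so the account-creation path has to enforce the scheme, and the regexes should be anchored so a crafted name cannot satisfy the wrong rule.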