Any more thoughts about this? I tested the login with the condition "Current Time is after 01:00" and that worked, but trying to do anything with the username seems to always fail.

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-916123

On Thu, Dec 11, 2014 at 9:45 AM, Nathan, Josh <[email protected]> wrote:

> Thanks for your reply Juan,
>
> But if you look, you should see from the excerpt of my conf file that I
> do, indeed, have a role. The role is "staff". Further, it does correctly
> assign the role if I remove any conditions I have regarding the username
> (I'll admit that I haven't tried other types of conditions as those aren't
> pertinent to my goal). From the logs, you can see that the username I
> tried to authenticate with was "jnathan", and even in the most basic
> condition I tried (the condition of the username being "jnathan"), it then
> fails to assign the role... as if the condition always fails.
>
> So as it stands, the Rule itself works (sees that I have a legit username
> and password, and assigns the proper role). However, when I assign a
> Condition to the rule, it fails. Maybe I'm typing it in wrong? I've tried
> with no quotes, single quotes, double quotes... When looking at the conf
> file in Vim, I don't see any erroneous characters or extra whitespace...
>
> The end goal is to have a single Radius database that houses all usernames
> and passwords, where our username pattern determines which role someone is
> assigned.
>
> Thanks,
> Joshua Nathan
> IT Administrator
> Black Forest Academy
> +49 (0) 7626-916123
>
> On Wed, Dec 10, 2014 at 6:43 PM, Juan Camilo Valencia <[email protected]> wrote:
>
>> Hi Josh,
>>
>> Take a look at this log line
>> "Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found
>> for pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of
>> registered nodes is reached (pf::node::is_max_reg_nodes_reached)"
>>
>> That means that you don't have a role assigned for the user that you are
>> using, you can assign it when you create the rule and assign that role to a
>> vlan id in your switch, the problem is that without a role PF assumes that
>> you reach a maximum of devices authorized for the pid and doesn't assign a
>> functional vlan, I think that your rule is correctly created except for the
>> role, try to create a role and that should solve the problem.
>>
>> I hope that this helps you solve the problem.
>>
>> Best Regards,
>>
>> On Wed, Dec 10, 2014 at 5:09 AM, Nathan, Josh <[email protected]> wrote:
>>
>>> OK, I've also discovered this in the httpd.admin.log file:
>>>
>>> Dec 10 10:41:14 httpd.admin(6919) INFO: [00:1d:72:35:1b:15]
>>> re-evaluating access (node_modify called)
>>> (pf::enforcement::reevaluate_access)
>>> Dec 10 10:41:14 httpd.admin(6919) INFO: Instantiate a new iptables
>>> modification method. pf::ipset (pf::inline::get_technique)
>>>
>>> *Dec 10 10:41:15 httpd.admin(6919) ERROR: Use of uninitialized value
>>> $all_or_any in string eq at
>>> /usr/local/pf/html/pfappserver/lib/pfappserver/Model/Search/Node.pm line
>>> 73.
>>> (pfappserver::__ANON__)*
>>> Dec 10 10:41:34 httpd.admin(6919) INFO: status 200
>>> (pfappserver::Controller::Configuration::pf_section)
>>> Dec 10 10:41:59 httpd.admin(6919) INFO: set_role
>>> (pfappserver::Base::Form::Authentication::Action::validate)
>>> Dec 10 10:41:59 httpd.admin(6919) INFO: set_access_duration
>>> (pfappserver::Base::Form::Authentication::Action::validate)
>>>
>>> Thanks,
>>> Joshua Nathan
>>> IT Administrator
>>> Black Forest Academy
>>> +49 (0) 7626-916123
>>>
>>> On Wed, Dec 10, 2014 at 10:46 AM, Nathan, Josh <[email protected]> wrote:
>>>
>>>> OK, here're the packetfence logs for my login with NO conditions set
>>>> (works... user gains Internet access):
>>>>
>>>> Dec 10 10:37:31 httpd.portal(6988) INFO: Authentication successful for
>>>> jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
>>>> Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
>>>> source RadiusTest, returning actions. (pf::Authentication::Source::match)
>>>> Dec 10 10:37:31 httpd.portal(6988) INFO: Matched rule (RadiusStaff) in
>>>> source RadiusTest, returning actions. (pf::Authentication::Source::match)
>>>> Dec 10 10:37:31 httpd.portal(6988) INFO: person jnathan modified to
>>>> jnathan (pf::person::person_modify)
>>>> Dec 10 10:37:31 httpd.portal(6988) INFO: [00:1d:72:35:1b:15]
>>>> re-evaluating access (manage_register called)
>>>> (pf::enforcement::reevaluate_access)
>>>> Dec 10 10:37:31 httpd.portal(6988) INFO: Instantiate a new iptables
>>>> modification method. pf::ipset (pf::inline::get_technique)
>>>> Dec 10 10:37:31 httpd.webservices(6992) INFO: Instantiate a new
>>>> iptables modification method. pf::ipset (pf::inline::get_technique)
>>>> Dec 10 10:37:32 httpd.webservices(6992) INFO: [00:1d:72:35:1b:15]
>>>> stated changed, adapting firewall rules for proper enforcement
>>>> (pf::inline::performInlineEnforcement)
>>>>
>>>> Here're the logs when ANY condition I've tried is set (doesn't work...
>>>> user NOT granted Internet access):
>>>>
>>>> Dec 10 10:42:14 httpd.portal(10615) INFO: Authentication successful for
>>>> jnathan in source RadiusTest (RADIUS) (pf::authentication::authenticate)
>>>> Dec 10 10:42:14 httpd.portal(10615) WARN: No role specified or found
>>>> for pid jnathan (MAC 00:1d:72:35:1b:15); assume maximum number of
>>>> registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>>>>
>>>> For the sake of testing, I set a very simple rule. Here's the entry
>>>> from my Authentication.conf file:
>>>>
>>>> [RadiusTest]
>>>> description=FreeRadius Server
>>>> secret=<my secret>
>>>> port=1812
>>>> type=RADIUS
>>>> host=<my radius server>
>>>>
>>>> [RadiusTest rule RadiusStaff]
>>>> description=Check if Staff Account
>>>> match=all
>>>> action0=set_role=staff
>>>> action1=set_access_duration=1W
>>>> condition0=username,equals,jnathan
>>>>
>>>> Ultimately, I'd like to use a regular expression rather than an
>>>> "equals". I'd like to use something akin to: [a-zA-Z]$
>>>>
>>>> Thanks,
>>>> Joshua Nathan
>>>> IT Administrator
>>>> Black Forest Academy
>>>> +49 (0) 7626-916123
>>>>
>>>> On Tue, Dec 9, 2014 at 9:31 PM, Nathan, Josh <[email protected]> wrote:
>>>>
>>>>> I know it works without the condition. I did test that. And I can
>>>>> see in the PacketFence logs that the username and password do
>>>>> authenticate correctly. I'd send you the mentioned log files, but for
>>>>> my time zone, I'm already home. I can send those tomorrow.
>>>>>
>>>>> But... I tested it without any conditions, and it worked fine. Even
>>>>> with the condition, it all says that authentication was successful, it
>>>>> just follows it up with the warning that there is no "role" assignment.
>>>>>
>>>>> Thanks,
>>>>> Joshua Nathan
>>>>> IT Administrator
>>>>> Black Forest Academy
>>>>> +49 (0) 7626-916123
>>>>>
>>>>> On Tue, Dec 9, 2014 at 4:43 PM, Louis Munro <[email protected]> wrote:
>>>>>
>>>>>> On 2014-12-09, at 9:04 , "Nathan, Josh" <[email protected]> wrote:
>>>>>>
>>>>>> > Hello,
>>>>>> >
>>>>>> > I'm trying to authenticate users against a Radius database, but if
>>>>>> > I add a condition to the rule, I keep getting this message in the
>>>>>> > logs along with the "Sorry!" page:
>>>>>> >
>>>>>> > httpd.portal(6978) WARN: No role specified or found for pid jnathan
>>>>>> > (MAC 00:1d:72:35:1b:15); assume maximum number of registered nodes is
>>>>>> > reached (pf::node::is_max_reg_nodes_reached)
>>>>>> >
>>>>>> > I would like to set it as a regular expression so that if the
>>>>>> > username ends with a letter, they have one role, and if they end with
>>>>>> > a number they have a different role.
>>>>>> >
>>>>>> > However, right now even setting it so that if the "username" either
>>>>>> > "contains" or "equals" 'jnathan', I get this message, let alone
>>>>>> > trying to use a regular expression.
>>>>>> >
>>>>>> > Any help? How do I get these conditions working?
>>>>>>
>>>>>> Hi Joshua,
>>>>>> Before diving into conditions it helps to make sure the
>>>>>> authentication actually succeeds and the source is well configured.
>>>>>> Can you post the contents of your conf/authentication.conf file
>>>>>> (stripped of passwords and such), especially the section that defines the
>>>>>> RADIUS source?
>>>>>>
>>>>>> You also need to check to see what else is in the logs. Clearly your
>>>>>> rule was not matched, but that's not enough information to go on.
>>>>>>
>>>>>> Try defining a catchall rule first.
>>>>>> Don't add any conditions.
>>>>>> If your rule is still not matched then the problem is not with the
>>>>>> rule itself.
>>>>>>
>>>>>> Regards,
>>>>>> --
>>>>>> Louis Munro
>>>>>> [email protected] :: www.inverse.ca
>>>>>> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
>>>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
>>>>>> (www.packetfence.org)
>>>>>>
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> --
>>
>> *“Choose a job you love, and you will never have to work a day in your
>> life”*
