Hi
I don't seem to be able to get this to work. If I watch the logs when a laptop
with 802.1x enabled boots up and logs in, the logs show the response of
registration VLAN.
Please could someone review my custom.pm file. I think I have enabled
AutoReg but not 100% sure.
Thanks
====================================
===== /usr/local/pf/lib/pf/vlan/custom.pm =====
====================================
[root@packetfence vlan]# cat custom.pm
package pf::vlan::custom;

=head1 NAME

pf::vlan::custom - Object oriented module for VLAN isolation oriented
functions

=head1 SYNOPSIS

The pf::vlan::custom module implements VLAN isolation oriented functions
that are custom to a particular setup.

This module extends pf::vlan

=cut

use strict;
use warnings;
use Log::Log4perl;
use threads;
use threads::shared;

use pf::log;
use base ('pf::vlan');
use pf::config;
use pf::node qw(node_attributes node_exist node_modify);
use pf::Switch::constants;
use pf::util;
use pf::violation qw(violation_count_trap violation_exist_open violation_view_top);
use pf::authentication;
use pf::Authentication::constants;
use pf::Portal::ProfileFactory;
use pf::vlan::filter;

our $VERSION = 1.04;

=head1 SUBROUTINES

=cut

=head2 shouldAutoRegister

This is an example of how to redefine a method for custom purposes.
See pf::vlan::shouldAutoRegister for full original method.

=cut

sub shouldAutoRegister {
    # $mac is MAC address
    # $switch_in_autoreg_mode is set to 1 if switch is in registration mode
    # $violation_autoreg is set to 1 if called from a violation with autoreg action
    # $isPhone is set to 1 if device is considered an IP Phone.
    # $conn_type is set to the connection type expressed as the constant in pf::config
    # $user_name is set to the RADIUS User-Name attribute (802.1X Username or MAC address under MAC Authentication)
    # $ssid is set to the wireless ssid (will be empty if radius and not wireless, undef if not radius)
    my ($this, $mac, $switch_in_autoreg_mode, $violation_autoreg, $isPhone,
        $conn_type, $user_name, $ssid, $eap_type, $switch, $port, $radius_request) = @_;
    my $logger = get_logger;

    # CUSTOM: We want to auto-register 802.1x connections
    # Since they already have validated credentials through EAP to do 802.1X
    if (defined($conn_type) && (($conn_type & $EAP) == $EAP)) {
        $logger->trace("returned yes because it's a 802.1X client that successfully authenticated already");
        return 1;
    }
    # \CUSTOM

    # Otherwise, call parent method
    return $this->SUPER::shouldAutoRegister($mac, $switch_in_autoreg_mode,
        $violation_autoreg, $isPhone, $conn_type, $user_name, $ssid, $eap_type,
        $switch, $port, $radius_request);
}

=head1 AUTHOR

Inverse inc. <[email protected]>

=head1 COPYRIGHT

Copyright (C) 2005-2013 Inverse inc.

=head1 LICENSE

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
USA.

=cut

1;

# vim: set shiftwidth=4:
# vim: set expandtab:
# vim: set backspace=indent,eol,start:
=========================
On 28 January 2015 at 22:54, Durand fabrice <[email protected]> wrote:
> Hi Steve,
>
> Yes, it's possible; in your AD source create a rule that matches the
> group DN (memberOf).
>
> Also use adsiedit.msc on your AD to see exactly the LDAP attributes.
>
> Regards
> Fabrice
>
>
> On 2015-01-28 01:53, Steve Allen wrote:
> > Hi
> >
> > Can anyone advise if it is possible to do this by AD security
> > group?
> >
> > If you could point me in the right direction for documentation.
> >
> > Thanks
> >
> > On 26 Jan 2015 12:17, "Steve Allen"
> > <[email protected]> wrote:
> >
> >> Hi
> >>
> >> I'm finally getting time to test this out now.
> >>
> >> So far it's going really well and I can set VLANs based on which
> >> OU a user or computer is in.
> >>
> >> Is it possible to set the role/VLAN based on an AD security
> >> group?
> >>
> >> Kind regards,
> >>
> >>
> >> On 23 November 2014 at 09:33, Steve Allen
> >> <[email protected]> wrote:
> >>
> >>> That sounds exactly like what I'm looking for.
> >>>
> >>> Thank you for the info!
> >>>
> >>> On 22 Nov 2014 23:31, "Durand fabrice"
> >>> <[email protected]> wrote:
> >>>
> >>>> Hi Allen,
> >>>>
> >>>> In fact it's really simple: when you join a domain with a
> >>>> Windows machine, a machine account is created. So in the
> >>>> 802.1x supplicant (Windows side) you can choose to do
> >>>> machine and user auth. So when the computer starts, it does
> >>>> machine auth, and when the user enters his username and
> >>>> password a new 802.1x connection is done with the user
> >>>> credentials (when you log off it becomes machine auth again).
> >>>>
> >>>> Here is the config you have to do in PacketFence:
> >>>>
> >>>> https://github.com/inverse-inc/packetfence/blob/stable/docs/PacketFence_Administration_Guide.asciidoc#example
> >>>>
> >>>> Also check
> >>>> https://github.com/inverse-inc/packetfence/blob/stable/lib/pf/vlan/custom.pm
> >>>> to enable autoreg (shouldAutoRegister).
> >>>>
> >>>> Regards Fabrice
> >>>>
> >>>> On 2014-11-22 18:09, Steve Allen wrote:
> >>>>
> >>>> Hi Durand
> >>>>
> >>>> Could you expand on what that is?
> >>>>
> >>>> I've not come across that yet.
> >>>>
> >>>> Thanks Steve
> >>>>
> >>>> On 22 Nov 2014 14:29, "Durand fabrice"
> >>>> <[email protected]> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> Why don't you use machine authentication and user
> >>>>> authentication with autoreg enabled?
> >>>>>
> >>>>> Regards Fabrice
> >>>>>
> >>>>> On 2014-11-22 04:47, Steve Allen wrote:
> >>>>>
> >>>>> Hi
> >>>>>
> >>>>> We are a few months away from rolling out PacketFence to
> >>>>> our network and I would like to make sure we are following
> >>>>> the best practices to ensure it is as secure as possible.
> >>>>>
> >>>>> At the moment we have tested it and it works great with Cisco
> >>>>> 2960 switches and 802.1x.
> >>>>>
> >>>>> My next test is to use laptops that are connected to a
> >>>>> Windows Server 2008 R2 domain.
> >>>>>
> >>>>> Currently the laptops have very limited access when they
> >>>>> boot up as they start off in the registration VLAN.
> >>>>>
> >>>>> My question today is regarding computer start-up group
> >>>>> policies on domain machines.
> >>>>>
> >>>>> I have read you can change some group policy settings so
> >>>>> that when the user presses Ctrl+Alt+Del and logs in with their
> >>>>> AD username and password this also "triggers" the 802.1x
> >>>>> process to put them in the correct VLAN. This is obviously
> >>>>> after the computer has booted up.
> >>>>>
> >>>>> Does anyone have any documentation on what I need to allow
> >>>>> in the registration VLAN so I don't break Group Policy
> >>>>> start-up policies?
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> -- Regards,
> >>>>>
> >>>>> Steve Allen
> >> --
> >> Regards,
> >>
> >> Steve Allen
--
Regards,
Steve Allen
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users