I take it I would need to change my switch port settings for this?
Thanks
On 30 Jan 2015 15:47, "Fabrice DURAND" <[email protected]> wrote:
> Hi,
>
> you are doing mac-auth, not eap.
>
> WIRED_MAC_AUTH
>
> Regards
> Fabrice
>
> Le 2015-01-30 10:41, Steve Allen a écrit :
> > Hi
> >
> > Here is the results in the log file:
> >
> > ==== *When laptop boots up* ====
> > Jan 30 15:38:12 httpd.webservices(1671) INFO: [18:a9:05:e6:43:ac]
> > handling radius autz request: from switch_ip => (192.168.10.253),
> > connection_type => WIRED_MAC_AUTH,switch_mac => (0c:68:03:80:fb:15),
> > mac => [18:a9:05:e6:43:ac], port => 10121, username => "18a905e643ac"
> > (pf::radius::authorize)
> > Jan 30 15:38:12 httpd.webservices(1671) INFO: [18:a9:05:e6:43:ac] is
> > of status unreg; belongs into registration VLAN
> > (pf::vlan::getRegistrationVlan)
> > Jan 30 15:38:12 httpd.webservices(1671) INFO: [18:a9:05:e6:43:ac]
> > (192.168.10.253) Returning ACCEPT with VLAN 20 and role
> > (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
> >
> >
> > ==== *When the users presses crtl+alt+del and logs in with AD account*
> > ====
> > Jan 30 15:38:44 httpd.webservices(1671) INFO: [18:a9:05:e6:43:ac]
> > handling radius autz request: from switch_ip => (192.168.10.253),
> > connection_type => WIRED_MAC_AUTH,switch_mac => (0c:68:03:80:fb:15),
> > mac => [18:a9:05:e6:43:ac], port => 10121, username => "18a905e643ac"
> > (pf::radius::authorize)
> > Jan 30 15:38:44 httpd.webservices(1671) INFO: [18:a9:05:e6:43:ac] is
> > of status unreg; belongs into registration VLAN
> > (pf::vlan::getRegistrationVlan)
> > Jan 30 15:38:44 httpd.webservices(1671) INFO: [18:a9:05:e6:43:ac]
> > (192.168.10.253) Returning ACCEPT with VLAN 20 and role
> > (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
> >
> >
> > On 30 January 2015 at 13:33, Fabrice DURAND <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> > Hello Steve,
> >
> > the custom file look ok.
> >
> > Can you post the packetfence.log where i can see the radius request
> > coming for the mac address ? (From the request to the vlan
> > returned by pf).
> >
> > Regards
> > Fabrice
> >
> >
> >
> > Le 2015-01-30 06:38, Steve Allen a écrit :
> > > Hi
> > >
> > > I don't seem to be able to get this work. If I watch the logs when
> a
> > > laptop with 802.1x enabled boots up and logs in the logs show the
> > > response of regestration VLAN.
> > >
> > > Please could someone review my custom.pm <http://custom.pm>
> > <http://custom.pm> file. I
> > > think I have enabled AutoReg but not 100% sure.
> > >
> > > Thanks
> > >
> > > ====================================
> > > ===== */usr/local/pf/lib/pf/vlan/custom.pm <http://custom.pm>
> > <http://custom.pm>* =====
> > > ====================================
> > > [root@packetfence vlan]# cat custom.pm <http://custom.pm>
> > <http://custom.pm>
> > > package pf::vlan::custom;
> > >
> > > =head1 NAME
> > >
> > > pf::vlan::custom - Object oriented module for VLAN isolation
> > oriented
> > > functions
> > >
> > > =head1 SYNOPSIS
> > >
> > > The pf::vlan::custom module implements VLAN isolation oriented
> > > functions that are custom
> > > to a particular setup.
> > >
> > > This module extends pf::vlan
> > >
> > > =cut
> > >
> > > use strict;
> > > use warnings;
> > >
> > > use Log::Log4perl;
> > > use threads;
> > > use threads::shared;
> > > use pf::log;
> > >
> > > use base ('pf::vlan');
> > >
> > > use pf::config;
> > > use pf::node qw(node_attributes node_exist node_modify);
> > > use pf::Switch::constants;
> > > use pf::util;
> > > use pf::violation qw(violation_count_trap violation_exist_open
> > > violation_view_top);
> > >
> > > use pf::authentication;
> > > use pf::Authentication::constants;
> > > use pf::Portal::ProfileFactory;
> > > use pf::vlan::filter;
> > >
> > > our $VERSION = 1.04;
> > >
> > >
> > > =head1 SUBROUTINES
> > >
> > > =cut
> > >
> > > =head2 shouldAutoRegister
> > >
> > > This is an example of how to redefine a method for custom purposes.
> > >
> > > See pf::vlan::shouldAutoRegister for full original method.
> > >
> > > =cut
> > >
> > > sub shouldAutoRegister{
> > > #$mac is MAC address
> > > #$switch_in_autoreg_mode is set to 1 if switch is in
> > registration mode
> > > #$violation_autoreg is set to 1 if called from a violation with
> > > autoreg action
> > > #$isPhone is set to 1 if device is considered an IP Phone.
> > > #$conn_type is set to the connnection type expressed as the
> > > constant in pf::config
> > > #$user_name is set to the RADIUS User-Name attribute (802.1X
> > > Username or MAC address under MAC Authentication)
> > > #$ssid is set to the wireless ssid (will be empty if radius and
> > > not wireless, undef if not radius)
> > > my ($this, $mac, $switch_in_autoreg_mode, $violation_autoreg,
> > > $isPhone, $conn_type, $user_name, $ssid, $eap_type, $switch, $port,
> > > $radius_request) = @_;
> > >
> > > my $logger = get_logger;
> > > # CUSTOM: We want to auto-register 802.1x connections
> > > # Since they already have validated credentials through EAP
> > to do
> > > 802.1X
> > > if (defined($conn_type) && (($conn_type & $EAP) == $EAP)) {
> > > $logger->trace("returned yes because it's a 802.1X
> > client that
> > > successfully authenticated already");
> > > return 1;
> > > }
> > > # \CUSTOM
> > >
> > > # Otherwise, call parent method
> > > return $this->SUPER::shouldAutoRegister($mac,
> > > $switch_in_autoreg_mode, $violation_autoreg, $isPhone, $conn_type,
> > > $user_name, $ssid, $eap_type, $switch, $port, $radius_request);
> > > }
> > >
> > >
> > > =head1 AUTHOR
> > >
> > > Inverse inc. <[email protected] <mailto:[email protected]>
> > <mailto:[email protected] <mailto:[email protected]>>>
> > >
> > > =head1 COPYRIGHT
> > >
> > > Copyright (C) 2005-2013 Inverse inc.
> > >
> > > =head1 LICENSE
> > >
> > > This program is free software; you can redistribute it and/or
> > > modify it under the terms of the GNU General Public License
> > > as published by the Free Software Foundation; either version 2
> > > of the License, or (at your option) any later version.
> > >
> > > This program is distributed in the hope that it will be useful,
> > > but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > > GNU General Public License for more details.
> > >
> > > You should have received a copy of the GNU General Public License
> > > along with this program; if not, write to the Free Software
> > > Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> > 02110-1301,
> > > USA.
> > >
> > > =cut
> > >
> > > 1;
> > >
> > > # vim: set shiftwidth=4:
> > > # vim: set expandtab:
> > > # vim: set backspace=indent,eol,start:
> > >
> > > =========================
> > >
> > >
> > >
> > > On 28 January 2015 at 22:54, Durand fabrice <[email protected]
> > <mailto:[email protected]>
> > > <mailto:[email protected] <mailto:[email protected]>>> wrote:
> > >
> > > Hi Steve,
> > >
> > > yes it´s possible, in your ad source create a rule that
> > match the
> > > group dn. (memberof).
> > >
> > > Also use adsiedit.msc on your AD to see excatly the ldap
> > attributes.
> > >
> > > Regards
> > > Fabrice
> > >
> > >
> > > Le 2015-01-28 01:53, Steve Allen a écrit :
> > > > Hi
> > > >
> > > > Can anyone advise if this it is possible to do this by AD
> > security
> > > > group?
> > > >
> > > > If you could point me in the right direction for
> > documentation.
> > > >
> > > > Thanks On 26 Jan 2015 12:17, "Steve Allen"
> > > > <[email protected] <mailto:[email protected]>
> > <mailto:[email protected]
> > <mailto:[email protected]>>> wrote:
> > > >
> > > >> Hi
> > > >>
> > > >> I'm finally getting time to test this out now.
> > > >>
> > > >> So far its going really well and I can set VLANs based on
> > which
> > > >> OU a user or computer is in.
> > > >>
> > > >> Is it possible to do set the role/VLAN based on an AD
> > security
> > > >> group?
> > > >>
> > > >> Kind regards,
> > > >>
> > > >>
> > > >> On 23 November 2014 at 09:33, Steve Allen
> > > >> <[email protected] <mailto:[email protected]>
> > <mailto:[email protected]
> > <mailto:[email protected]>>> wrote:
> > > >>
> > > >>> That sounds exactly like what I'm looking for.
> > > >>>
> > > >>> Thank you for the info! On 22 Nov 2014 23:31, "Durand
> > fabrice"
> > > >>> <[email protected] <mailto:[email protected]>
> > <mailto:[email protected] <mailto:[email protected]>>> wrote:
> > > >>>
> > > >>>> Hi Allen,
> > > >>>>
> > > >>>> in fact it´s really simple, when you join a domain with a
> > > >>>> windows machine then a machine account is created. So
> > in the
> > > >>>> 802.1x supplicant (windows side) you can choose to do
> > > >>>> machine and user auth. So when the computer start, it do
> > > >>>> machine auth and when the user enter his username and
> > > >>>> password then a new 802,1x connection is done with the
> user
> > > >>>> credential (when you logoff then it become machine auth).
> > > >>>>
> > > >>>> Where the config you have to do in packetfence:
> > > >>>>
> > > >>>>
> > > >>>>
> > >
> >
> https://github.com/inverse-inc/packetfence/blob/stable/docs/PacketFence_Administration_Guide.asciidoc#example
> > > >>>>
> > > >>>>
> > > >>>>
> > > Also check
> > > >>>>
> > >
> >
> https://github.com/inverse-inc/packetfence/blob/stable/lib/pf/vlan/custom.pm
> > > >>>>
> > > >>>>
> > > to enable autoreg ( shouldAutoRegister).
> > > >>>>
> > > >>>> Regards Fabrice
> > > >>>>
> > > >>>> Le 2014-11-22 18:09, Steve Allen a écrit :
> > > >>>>
> > > >>>> Hi Durand
> > > >>>>
> > > >>>> Could you expand on what that is?
> > > >>>>
> > > >>>> I've not come across that yet
> > > >>>>
> > > >>>> Thanks Steve On 22 Nov 2014 14:29, "Durand fabrice"
> > > >>>> <[email protected] <mailto:[email protected]>
> > <mailto:[email protected] <mailto:[email protected]>>> wrote:
> > > >>>>
> > > >>>>> Hi,
> > > >>>>>
> > > >>>>> why don´t you use machine authentication and user
> > > >>>>> authentication with autoreg enabled ?
> > > >>>>>
> > > >>>>> Regards Fabrice
> > > >>>>>
> > > >>>>> Le 2014-11-22 04:47, Steve Allen a écrit :
> > > >>>>>
> > > >>>>> Hi
> > > >>>>>
> > > >>>>> We are a few months away from rolling out PacketFence to
> > > >>>>> our network and I would like to make sure we are
> following
> > > >>>>> the best practises to ensure it is as secure as possible.
> > > >>>>>
> > > >>>>> At the moment we have tested and it works great with
> Cisco
> > > >>>>> 2960 switches and 802.1x.
> > > >>>>>
> > > >>>>> My next testing is it use laptops that are connected to a
> > > >>>>> Windows Server 2008r2 domain.
> > > >>>>>
> > > >>>>> Currently the laptops have very limited access when they
> > > >>>>> boot up as they start off in the registration VLAN.
> > > >>>>>
> > > >>>>> My question today is regarding computer start up group
> > > >>>>> policies on domain machines.
> > > >>>>>
> > > >>>>> I have read you can change some group policies settings
> so
> > > >>>>> when the users presses ctrl,alt+del and logs in with
> their
> > > >>>>> AD username and password this also "triggers" the 802.1x
> > > >>>>> process to put them in the correct VLAN. This is
> obviously
> > > >>>>> after the computer has booted up.
> > > >>>>>
> > > >>>>> Does anyone have any documentation on what I need to
> allow
> > > >>>>> in the registration VLAN so I don't break Group Policies
> > > >>>>> start up policies?
> > > >>>>>
> > > >>>>> Thanks,
> > > >>>>>
> > > >>>>> -- Regards,
> > > >>>>>
> > > >>>>> Steve Allen
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > >
> >
> ------------------------------------------------------------------------------
> > > >>>>>
> > > >>>>>
> > > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT
> > Server
> > > >>>>> from Actuate! Instantly Supercharge Your Business Reports
> > > >>>>> and Dashboards with Interactivity, Sharing, Native Excel
> > > >>>>> Exports, App Integration & more Get technology previously
> > > >>>>> reserved for billion-dollar corporations,
> > > >>>>>
> > >
> > FREEhttp://
> pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> > <
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> >
> > > <
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> >
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > _______________________________________________
> > > >>>>> PacketFence-users mailing
> > > >>>>>
> > >
> > [email protected]://
> lists.sourceforge.net/lists/listinfo/packetfence-users
> > <http://lists.sourceforge.net/lists/listinfo/packetfence-users>
> > > <http://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > >
> >
> ------------------------------------------------------------------------------
> > > >>>>> Download BIRT iHub F-Type - The Free Enterprise-Grade
> BIRT
> > > >>>>> Server from Actuate! Instantly Supercharge Your Business
> > > >>>>> Reports and Dashboards with Interactivity, Sharing,
> Native
> > > >>>>> Excel Exports, App Integration & more Get technology
> > > >>>>> previously reserved for billion-dollar corporations, FREE
> > > >>>>>
> > > >>>>>
> > >
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> > > >>>>>
> > > >>>>>
> > > _______________________________________________
> > > >>>>> PacketFence-users mailing list
> > > >>>>> [email protected]
> > <mailto:[email protected]>
> > > <mailto:[email protected]
> > <mailto:[email protected]>>
> > > >>>>>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > > >>>>>
> > > >>>>>
> > > >>>>
> > > >>>>
> > > >>>>>
> > >
> >
> ------------------------------------------------------------------------------
> > > >>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT
> > > >>>> Server from Actuate! Instantly Supercharge Your Business
> > > >>>> Reports and Dashboards with Interactivity, Sharing, Native
> > > >>>> Excel Exports, App Integration & more Get technology
> > > >>>> previously reserved for billion-dollar corporations,
> > > >>>>
> > >
> > FREEhttp://
> pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> > <
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> >
> > >
> > <
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> >
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > _______________________________________________
> > > >>>> PacketFence-users mailing
> > > >>>>
> > >
> > [email protected]://
> lists.sourceforge.net/lists/listinfo/packetfence-users
> > <http://lists.sourceforge.net/lists/listinfo/packetfence-users>
> > > <http://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > >
> >
> ------------------------------------------------------------------------------
> > > >>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT
> > > >>>> Server from Actuate! Instantly Supercharge Your Business
> > > >>>> Reports and Dashboards with Interactivity, Sharing, Native
> > > >>>> Excel Exports, App Integration & more Get technology
> > > >>>> previously reserved for billion-dollar corporations, FREE
> > > >>>>
> > > >>>>
> > >
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> > > >>>>
> > > >>>>
> > > _______________________________________________
> > > >>>> PacketFence-users mailing list
> > > >>>> [email protected]
> > <mailto:[email protected]>
> > > <mailto:[email protected]
> > <mailto:[email protected]>>
> > > >>>>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > > >>>>
> > > >>>>
> > > >>
> > > >>
> > > >>
> > > >>>>
> > > --
> > > >> Regards,
> > > >>
> > > >> Steve Allen
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > > >
> > >
> >
> ------------------------------------------------------------------------------
> > > >
> > > >
> > > Dive into the World of Parallel Programming. The Go Parallel
> > Website,
> > > > sponsored by Intel and developed in partnership with Slashdot
> > > > Media, is your hub for all things parallel software
> > development,
> > > > from weekly thought leadership blogs to news, videos, case
> > studies,
> > > > tutorials and more. Take a look and join the conversation
> now.
> > > > http://goparallel.sourceforge.net/
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > PacketFence-users
> > > > mailing list [email protected]
> > <mailto:[email protected]>
> > > <mailto:[email protected]
> > <mailto:[email protected]>>
> > > >
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > > >
> > >
> > >
> >
> ------------------------------------------------------------------------------
> > > Dive into the World of Parallel Programming. The Go Parallel
> > Website,
> > > sponsored by Intel and developed in partnership with Slashdot
> > > Media, is your
> > > hub for all things parallel software development, from
> > weekly thought
> > > leadership blogs to news, videos, case studies, tutorials and
> > > more. Take a
> > > look and join the conversation now.
> > http://goparallel.sourceforge.net/
> > > _______________________________________________
> > > PacketFence-users mailing list
> > > [email protected]
> > <mailto:[email protected]>
> > > <mailto:[email protected]
> > <mailto:[email protected]>>
> > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Steve Allen
> > >
> > >
> > >
> > >
> > >
> >
>
> ------------------------------------------------------------------------------
> > > Dive into the World of Parallel Programming. The Go Parallel
> > Website,
> > > sponsored by Intel and developed in partnership with Slashdot
> > Media, is your
> > > hub for all things parallel software development, from weekly
> > thought
> > > leadership blogs to news, videos, case studies, tutorials and
> > more. Take a
> > > look and join the conversation now.
> > http://goparallel.sourceforge.net/
> > >
> > >
> > > _______________________________________________
> > > PacketFence-users mailing list
> > > [email protected]
> > <mailto:[email protected]>
> > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
> >
> > --
> > Fabrice Durand
> > [email protected] <mailto:[email protected]> :: +1.514.447.4918
> > <tel:%2B1.514.447.4918> (x135) :: www.inverse.ca
> > <http://www.inverse.ca>
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> > PacketFence (http://packetfence.org)
> >
> >
> >
>
> ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> > sponsored by Intel and developed in partnership with Slashdot
> > Media, is your
> > hub for all things parallel software development, from weekly thought
> > leadership blogs to news, videos, case studies, tutorials and
> > more. Take a
> > look and join the conversation now.
> http://goparallel.sourceforge.net/
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > <mailto:[email protected]>
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
> >
> >
> >
> > --
> > Regards,
> >
> > Steve Allen
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> > sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> > hub for all things parallel software development, from weekly thought
> > leadership blogs to news, videos, case studies, tutorials and more. Take
> a
> > look and join the conversation now. http://goparallel.sourceforge.net/
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
