Hello Fabrice,
I'm doing wired authentication with Cisco switches; PacketFence is in VLAN
enforcement mode.
I want to authenticate PCs via dot1x, since my cisco switches support dot1x
(and mab too, but let's talk about dot1x now; also, we are not talking about
captive portal in this issue).
I configured the mschap module in raddb of Packetfence, winbind, ntlm_auth and
all.
The radius server is authenticating the computers just fine (machine
authentication).
At this point, PacketFence must answer with a VLAN (number or name) to the
switch. But, without further configuration, PacketFence puts the computer in
the isolation VLAN because PacketFence doesn't know which VLAN to answer (no
role).
I need to set the role of the PC to make PacketFence answer with a VLAN, i.e.,
I need rules so that PacketFence sets the role of the authenticated node.
Via web, under user source section, or via the config file authentication.conf,
I can create authentication sources and rules that are executed when an
authentication method matches, for example, put the computer in a specific
role. That is JUST what I need.
Now, since I already authenticated the PC via ntlm_auth, I don't need to
configure another user source, I just need to make packetfence use a rule to
put the node in a role.
There are "internal sources", "external sources" and "exclusive sources".
At this step, because my PCs are already authenticated via ntlm_auth in the
mschap module, I don't want to authenticate the PC another time; I just want
that, if the connection type is EAP, then the node is put in a role.
So I used a Blackhole source,
under "Exclusive Sources" via the web configurator. The rule is:
"if any of the following conditions are met: 'connection type is Ethernet EAP'
then perform the following actions: 'set role default'"
which PacketFence translates in the file authentication.conf this way:
[fallback-dot1x rule internal-net]
description=
match=any
action0=set_role=default
action1=set_access_duration=1h
condition0=connection_type,is,Ethernet-EAP
Good. But it was not working. The rule is just never matched. It turned out
that PacketFence 4.7.0 filters away the "exclusive sources". This is done
exactly in this point in the code: at line 68 in the file
lib/pf/Portal/ProfileFactory.pm in the sub _from_profile that I write here for
clarity:
> unless ( defined $sources && ref($sources) eq 'ARRAY' && @$sources ) {
> $profile{'sources'} = $sources = [
> map { $_->id }
> grep { $_->class ne 'exclusive' }
> @{ pf::authentication::getAllAuthenticationSources() }
> ];
> }
>
You see here that the code just excludes, via a map/grep, the "exclusive sources".
That took me several hours to debug. Now I have fixed it for my installation and
everything is working just fine, as I wanted.
It is true that the configurator webpage says: "Each portal profile must be
associated with one or multiple authentication sources while 802.1X connections
use the ordered internal sources to determine which role to use. External
sources are never used with 802.1X connections.", i.e., there is no mention of
"Exclusive sources", but I think the code snippet I pointed out just filters the
"exclusive sources" globally, in any part of PacketFence.
I just wanted to know why the code filters out the exclusive sources I needed.
Is there a technical reason? Are they not supported yet? Why is it not a config
that you can override?
Thanks,
Diego
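To make the behaviour described above concrete, here is an added example (not PacketFence code, and not from either participant in this thread): a small Python model of how an authentication.conf rule selects a role for a node, and how filtering sources by class, as the quoted `grep { $_->class ne 'exclusive' }` does, removes the rule from consideration so the node ends up with no role. The rule section is the one shown above; the `[fallback-dot1x]` source section, the `SOURCE_CLASS` mapping, the attribute name `connection_type` and the operator set are assumptions of this simplified model.

```python
"""Toy model of PacketFence-style authentication.conf rule evaluation.

Added example, not PacketFence's own code.  It shows why a rule attached to
an 'exclusive' source is never matched when sources of that class are
filtered out before rules are walked.
"""
import configparser
from dataclasses import dataclass

# Constructed config fragment.  The "rule" section is the one from the post;
# the [fallback-dot1x] source section itself is an assumption of this model.
SAMPLE_CONF = """\
[fallback-dot1x]
description=Blackhole fallback for dot1x machine auth
type=Blackhole

[fallback-dot1x rule internal-net]
description=
match=any
action0=set_role=default
action1=set_access_duration=1h
condition0=connection_type,is,Ethernet-EAP
"""

# Assumed source-type -> class mapping (the post places Blackhole under
# "Exclusive Sources"; the other entries are placeholders for this model).
SOURCE_CLASS = {"Blackhole": "exclusive", "AD": "internal", "Facebook": "external"}

# Assumed condition operators; the real product has more than these.
OPERATORS = {
    "is": lambda actual, expected: actual == expected,
    "is not": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in actual,
}


@dataclass
class Rule:
    source_id: str
    name: str
    match: str        # "any" or "all"
    conditions: list  # [(attribute, operator, value), ...]
    actions: list     # [(action, value), ...]


def numbered(section, prefix):
    """Values of prefix0, prefix1, ... in numeric (not lexical) order."""
    items = [(int(k[len(prefix):]), v) for k, v in section.items()
             if k.startswith(prefix) and k[len(prefix):].isdigit()]
    return [v for _, v in sorted(items)]


def parse_conf(text):
    """Return ({source_id: class}, [Rule, ...]) from an INI-style fragment."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sources, rules = {}, []
    for section in cp.sections():  # config order is preserved
        sec = cp[section]
        if " rule " not in section:
            sources[section] = SOURCE_CLASS[sec["type"]]
            continue
        source_id, name = section.split(" rule ", 1)
        conditions = [tuple(v.split(",", 2)) for v in numbered(sec, "condition")]
        actions = [tuple(v.split("=", 1)) for v in numbered(sec, "action")]
        rules.append(Rule(source_id, name, sec.get("match", "all"), conditions, actions))
    return sources, rules


def rule_matches(rule, node_attrs):
    """Evaluate every condition against the node's attributes, then combine
    with 'any' or 'all'.  A rule with no conditions matches nothing under
    'any' and everything under 'all' (plain any()/all() semantics)."""
    results = [OPERATORS[op](str(node_attrs.get(attr, "")), value)
               for attr, op, value in rule.conditions]
    return any(results) if rule.match == "any" else all(results)


def choose_role(sources, rules, node_attrs, skipped_classes=frozenset({"exclusive"})):
    """Walk sources in config order, ignoring any whose class is in
    skipped_classes (the 4.7.0 behaviour drops 'exclusive'), and return the
    role from the first matching rule's set_role action, else None."""
    for source_id, klass in sources.items():
        if klass in skipped_classes:
            continue
        for rule in rules:
            if rule.source_id == source_id and rule_matches(rule, node_attrs):
                for action, value in rule.actions:
                    if action == "set_role":
                        return value
    return None  # no role: the switch port ends up in the isolation VLAN


if __name__ == "__main__":
    srcs, rls = parse_conf(SAMPLE_CONF)
    node = {"connection_type": "Ethernet-EAP", "mac": "00:11:22:33:44:55"}  # constructed
    print("exclusive sources filtered:", choose_role(srcs, rls, node))
    print("filter removed:", choose_role(srcs, rls, node, skipped_classes=frozenset()))
```

Running it prints `None` for the first line and `default` for the second: the rule itself is fine and matches an Ethernet-EAP node, but it never gets a chance to run while its source is dropped by class, which is exactly the symptom described above.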
----- Original Message -----
From: "Durand fabrice" <[email protected]>
To: [email protected]
Sent: Friday, March 27, 2015 2:48:05 PM
Subject: Re: [PacketFence-users] exclusive sources
Hello Diego,
Do you have a little bit more detail about what you want to achieve?
(With more details I will probably be able to give a more precise answer.)
Blackhole is used, for example, when you connect to an SSID and hit the
portal and you see just an AUP without a login button.
It's generally used when you want to register devices manually and tell
the user who tries to connect the procedure to allow the device (like
calling the support...).
Regards
Fabrice
On 2015-03-27 07:29, Diego Bonfigli wrote:
> Hi all,
> I'm using packetfence 4.7.0.
>
> I wanted to know why "exclusive sources" in user authentication are disabled
> in the code.
> The file lib/pf/Portal/ProfileFactory.pm has a sub, sub _from_profile, where
> you exclude that source:
>
> unless ( defined $sources && ref($sources) eq 'ARRAY' && @$sources ) {
> $profile{'sources'} = $sources = [
> map { $_->id }
> grep { $_->class ne 'exclusive' }
> @{ pf::authentication::getAllAuthenticationSources() }
> ];
> }
>
> I'm using ntlm_auth to do dot1x machine authentication, and, if I don't use
> any source specified in packetfence (the one that you define in
> authentication.conf), a node is not put in any role, so I need the exclusive
> source Blackhole.
>
> Why is it that way? Is there a technical reason? Are they not supported yet? Why
> is it not a config that you can override?
>
> Diego
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Dr. Diego Bonfigli
tel: 366 5898323
email: [email protected]
Laboratori Guglielmo Marconi - www.labs.it