Here you are,
Initially vlan_filters.conf was empty and the authorization request still
does not use ldap source (the log is attached)
Thanks
--------------------------------------------------------------------
vlan_filters.conf:
[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP
[1:EthernetEAP]
scope = AutoRegister
role = Usuario
#[EthernetEAP]
#filter = connection_type
#operator = match
#value = Ethernet-EAP
#[1:EthernetEAP]
#scope = AutoRegister
#role = UsuarioBSU
---------------------------------------------------------------------
profiles.conf:
[default]
description=Default Profile
logo=/common/packetfence-cp.png
billing_engine=disabled
redirecturl=http://www.packetfence.org/
always_use_redirecturl=disabled
mandatory_fields=firstname,lastname,phone,email
locale=en_US
nbregpages=0
filter_match_style=any
block_interval=10m
sms_pin_retry_limit=0
sms_request_limit=0
login_attempt_limit=0
dot1x_recompute_role_from_portal=enabled
reuse_dot1x_credentials=0
sources=
provisioners=
[SW]
locale=
filter=switch:180.184.226.50
mandatory_fields=
sources=ad.uy.corp
---------------------------------------------------------------------
authentication.conf:
[local]
description=Local Users
type=SQL
[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078
type=SMS
create_local_account=no
[sms rule catchall]
description=
match=all
action0=set_role=guest
action1=set_access_duration=1D
[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
create_local_account=no
allow_localdomain=yes
[email rule catchall]
description=
match=all
action0=set_role=guest
action1=set_access_duration=1D
[sponsor]
description=Sponsor-based registration
type=SponsorEmail
create_local_account=no
allow_localdomain=yes
[sponsor rule catchall]
description=
match=all
action0=set_role=guest
action1=set_access_duration=1D
[null]
description=Null Source
type=Null
email_required=no
[tq]
description=ra
type=Null
email_required=no
[ad.domain.com]
description=Active Directory for domain.com
password=****
scope=sub
binddn=CN=***,OU=***,OU=Usuarios,DC=domain,DC=com
basedn=DC=domain,DC=com
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=no
encryption=ssl
cache_match=1
port=636
type=AD
host=x.x.x.x
[ad.domain.com rule Usuarios]
description= Users
match=all
action0=set_role=Usuario
------------------------------------------
Log with vlan_filters.conf empty:
Apr 02 17:50:18 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] handling radius
autz request: from switch_ip => (x.x.x.x), connection_type =>
Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:xx:xx:xx], port =>
10001, username => "DDDD\\uuuu" (pf::radius::authorize)
Apr 02 17:50:19 httpd.aaa(5399) INFO: Could not find any IP phones through
discovery protocols for ifIndex 10001 (pf::Switch::getPhonesDPAtIfIndex)
Apr 02 17:50:19 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] is of status
unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Apr 02 17:50:19 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] (x.x.x.x)
Returning ACCEPT with VLAN 410 and role
(pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
2015-04-02 17:33 GMT-03:00 Durand fabrice <[email protected]>:
> Ok so you use vlan_filter too, so I need more details.
>
> Can you provide these files:
> vlan_filters.conf
> profile.conf
> authentication.conf
>
> Regards
> Fabrice
>
>
> On 2015-04-02 16:07, Sergio Martinez Tagliafico wrote:
>
> I have defined the filter with an ldap source (from the portal profile
> preview the authz runs fine) but the internal source is not used.
>
> [default]
> description=Default Profile
> logo=/common/packetfence-cp.png
> billing_engine=disabled
> redirecturl=http://www.packetfence.org/
> always_use_redirecturl=disabled
> mandatory_fields=firstname,lastname,phone,email
> locale=en_US
> nbregpages=0
> filter_match_style=any
> block_interval=10m
> sms_pin_retry_limit=0
> sms_request_limit=0
> login_attempt_limit=0
> dot1x_recompute_role_from_portal=enabled
> reuse_dot1x_credentials=0
> sources=
> provisioners=
>
> [SW]
> locale=
> filter=switch:180.184.226.50
> mandatory_fields=
> sources=ad.domain.com
>
>
>
> Apr 02 16:58:04 httpd.aaa(5039) INFO: [44:37:e6:xx:xx:xx] handling
> radius autz request: from switch_ip => (x.x.x.x), connection_type =>
> Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:e3:86:1f], port =>
> 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
> Apr 02 16:58:04 httpd.aaa(5039) INFO: Could not find any IP phones through
> discovery protocols for ifIndex 10001 (pf::Switch::getPhonesDPAtIfIndex)
> Apr 02 16:58:04 httpd.aaa(5039) INFO: [44:37:e6:xx:xx:xx] Match Vlan rule:
> 1:EthernetEAP (pf::vlan::filter::test)
> Apr 02 16:58:04 httpd.aaa(5039) WARN: Trying to compute the unreg date
> from an undefined value. Stopping processing and making unreg date
> undefined. (pf::config::dynamic_unreg_date)
>
>
> 2015-04-02 16:13 GMT-03:00 Durand fabrice <[email protected]>:
>
>> Hello Sergio,
>>
>> let's configure a portal profile with filter switch : x.x.x.x and add the
>> ldap source on it and retry.
>>
>> Regards
>> Fabrice
>>
>>
>>
>> On 2015-04-02 15:07, Sergio Martinez Tagliafico wrote:
>>
>> Hi friends,
>>
>> I am in my first experience with packetfence and I am getting some
>> issues.
>>
>> One of those is that I do not understand why with 802.1x it does not use
>> internal sources. Below is the log when radius handles an authz request:
>>
>> Apr 02 15:29:21 httpd.aaa(3355) INFO: [44:37:e6:x:x:x] handling radius
>> autz request: from switch_ip => (x.x.x.x), connection_type =>
>> Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:x:x:x], port =>
>> 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
>> Apr 02 15:29:21 httpd.aaa(3355) INFO: Could not find any IP phones
>> through discovery protocols for ifIndex 10001
>> (pf::Switch::getPhonesDPAtIfIndex)
>>
>> The authz is performed as described in the Administration Guide,
>> under FreeRADIUS Configuration, but the internal sources (I have configured an
>> LDAP source) are not used.
>>
>> Can someone help me?
>>
>> Thanks in advance.
>> Sergio
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming The Go Parallel Website,
>> sponsored
>> by Intel and developed in partnership with Slashdot Media, is your hub for
>> all
>> things parallel software development, from weekly thought leadership blogs to
>> news, videos, case studies, tutorials and more. Take a look and join the
>> conversation now. http://goparallel.sourceforge.net/
>>
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
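
Added example (not part of the thread and not PacketFence code): a cross-check of the two files posted above that lists every portal-profile `sources=` entry with no matching section in authentication.conf, and the roles a source's rules assign. The function names are hypothetical, the inline files are abbreviated copies of the posted ones, and it assumes `sources` is a comma-separated list of authentication.conf section names.

```python
import configparser

# Abbreviated copies of the files posted in the thread (constructed sample input).
PROFILES_CONF = """\
[default]
sources=
[SW]
filter=switch:180.184.226.50
sources=ad.uy.corp
"""

AUTHENTICATION_CONF = """\
[local]
type=SQL
[ad.domain.com]
type=AD
[ad.domain.com rule Usuarios]
match=all
action0=set_role=Usuario
"""

def _parse(text):
    # Only "=" is a delimiter, so values such as "switch:180.184.226.50" stay whole.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp

def defined_sources(auth_text):
    """Source ids: every section that is not a '<source> rule <name>' section."""
    return {s for s in _parse(auth_text).sections() if " rule " not in s}

def unresolved_sources(profiles_text, auth_text):
    """Map each profile to the sources it lists that authentication.conf lacks."""
    known = defined_sources(auth_text)
    missing = {}
    for name, section in _parse(profiles_text).items():
        listed = [s.strip() for s in section.get("sources", "").split(",") if s.strip()]
        bad = [s for s in listed if s not in known]
        if bad:
            missing[name] = bad
    return missing

def roles_for_source(auth_text, source):
    """Roles assigned by set_role actions in the rules attached to one source."""
    cp = _parse(auth_text)
    roles = []
    for name in cp.sections():
        if name.startswith(source + " rule "):
            for key, value in cp[name].items():
                if key.startswith("action") and value.startswith("set_role="):
                    roles.append(value.split("=", 1)[1])
    return roles
```
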