Hello Adrian,

On 2015-04-07 14:18, Calugaru Adrian wrote:
> Thank you Fabrice, that worked but I still need your advice.
>
> Now all my requests are going into the new profile with the
> Ethernet-EAP type and if the computer is not authenticated the switch
> port goes into unauthorized.
If EAP failed then FreeRADIUS will return Access-Reject.
> Does PF looks at the authentication response and if it's Access
> Rejected to put the interface into the Registration vlan ?
>
No, in fact the reject is made by freeradius, so freeradius will never
ask packetfence for anything.
> What I'm trying to do is, configure dot1x authentication on all switch
> ports and:
> - if it's a domain computer and successfully authenticate to put the
> port into the authorized vlan (VID:10)
OK, so you have to autoregister the device when the username matches host/:

[machineauth]
filter = username
operator = match
value = host\/

[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP

[1:EthernetEAP&machineauth]
scope = AutoRegister
role = default

Then it will match your portal (filter connection_type = Ethernet-EAP)
and match your AD auth source for machine and apply the rule you defined
(catch_all -> set role ...)

> - if the computer authentication fails to put the port into the
> Registration vlan (VID:20) and use User authentication to login on the
> portal. Once authenticated to put the port in vlan 10 (authorized)
It's more something like: if user authentication is successful then you
have to hit the portal. Because there is no VLAN filter for this case, it
will be the normal workflow.
> - if the computer is not a domain computer (with dot1x or without) to
> put the port into Registration vlan and use local users to
> authenticate. Once authenticated to put the port into Guest vlan (VID:255)
>
I don't know which type of switch you are using, but have a look at MAC
Authentication Bypass (Cisco MAB).
If there is no supplicant on the laptop then the authentication on the
switch port will be MAC auth instead of PEAP.
So you can have another portal profile, but this time with a filter
connection_type = WIRED_MAC_AUTH (or Ethernet-NoEAP), and assign the
local source (RADIUS server source) to this portal.
> As authentication mechanism I'm using a Radius server which is
> configured as Source.
>
> Thank you
> Adrian
>

Regards
Fabrice
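The VLAN filter Fabrice posted and his earlier explanation of machine versus user lookups, modelled as an added Python example (not PacketFence's own code): it parses the filter text, evaluates the `1:EthernetEAP&machineauth` rule against constructed RADIUS request attributes, and picks the AD attribute a username should be matched on. The `match` operator is assumed to be a regex search, and the request dicts, function names and sample usernames are assumptions.

```python
import configparser
import re

# Constructed input: the vlan filter text from the thread (vlan_filters.conf syntax).
FILTER_CONF = """[machineauth]
filter = username
operator = match
value = host\\/

[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP

[1:EthernetEAP&machineauth]
scope = AutoRegister
role = default
"""

def load_filters(text):
    """Split the INI into named conditions and 'N:cond1&cond2' rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conds = {s: dict(cp[s]) for s in cp.sections() if ":" not in s}
    rules = [(s, dict(cp[s])) for s in cp.sections() if ":" in s]
    return conds, rules

def cond_matches(cond, request):
    """'match' is a regex search on the named request attribute (simplified model)."""
    if cond["operator"] != "match":
        raise ValueError("unsupported operator: " + cond["operator"])
    return re.search(cond["value"], request.get(cond["filter"], "")) is not None

def evaluate(conds, rules, request, scope):
    """Role of the first rule in `scope` whose conditions all hold; None = normal workflow."""
    for name, rule in rules:
        if rule.get("scope") != scope:
            continue
        needed = name.split(":", 1)[1].split("&")
        if all(cond_matches(conds[c], request) for c in needed):
            return rule.get("role")
    return None

def ad_lookup(username):
    """AD attribute to match: full host/fqdn on servicePrincipalName for machine
    auth, realm-stripped (REALM\\user or REALM/user) sAMAccountName for users."""
    if username.startswith("host/"):
        return "servicePrincipalName", username
    return "sAMAccountName", re.split(r"[\\/]", username, maxsplit=1)[-1]
```

A user-auth or MAB request returns None from `evaluate`, which is the "no VLAN filter for this case, normal workflow" outcome described above.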

> ------------------------------------------------------------------------
> *From:* "[email protected]"
> <[email protected]>
> *To:* [email protected]
> *Sent:* Monday, April 6, 2015 4:10 PM
> *Subject:* PacketFence-users Digest, Vol 84, Issue 13
>
> Message: 1
> Date: Fri, 3 Apr 2015 19:14:39 +0000 (UTC)
> From: Calugaru Adrian <[email protected]
> <mailto:[email protected]>>
> Subject: [PacketFence-users] Dot1.x Computer authentication
> To: "[email protected]
> <mailto:[email protected]>"
>     <[email protected]
> <mailto:[email protected]>>
> Message-ID:
>     <[email protected]
> <mailto:[email protected]>>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Fabrice,
>
> I've tried to create a realm named "host" but it sees the host/ as part
> of the hostname/username, not like a domain.
> Maybe if it was sending host\ instead of host/ it would work.
> As an alternative I was thinking on changing the script checking for a
> @ in the request and try to check domain.com.
> Any other ideas ?
> Thank you
> Adrian
>
> ------------------------------
>
> Message: 2
> Date: Fri, 03 Apr 2015 18:40:08 -0400
> From: Durand fabrice <[email protected] <mailto:[email protected]>>
> Subject: Re: [PacketFence-users] Dot1.x Computer authentication
> To: [email protected]
> <mailto:[email protected]>
> Message-ID: <[email protected]
> <mailto:[email protected]>>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi Adrian,
>
> My bad, I am a little bit tired ;-)
>
> In fact it doesn't really matter to match the SUBDOMAIN realm for
> machine authentication, let me explain why.
>
> For user auth we need to strip the username (SUBDOMAIN/user) to be able
> to match the username without the domain on the sAMAccountName attribute
> (ldap search with sAMAccountName=user).
> For machine authentication we need to match the complete username with
> the servicePrincipalName attribute
> (servicePrincipalName=host/IIR0010020.subdomain.domain.com)
>
> Even if you use the SUBDOMAIN or LOCAL realm the request will come in
> packetfence.
>
> So what you need to do is:
> Create 2 AD authentication sources like here:
> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Administration_Guide.asciidoc#example
> Create a new portal profile, with filter connection_type = Ethernet-EAP
> Assign the 2 authentication sources to this portal
> And select use stripped username
>
> Then when you will try to connect with dot1x, if it's a user auth then
> the specific portal profile you create will match (connection_type =
> Ethernet-EAP)
> Then the stripped username will match on the user AD source and the rule
> you defined will be applied.
>
> If you connect with dot1x machine auth, the same specific portal profile
> you created will match (connection_type = Ethernet-EAP)
> Then the username will fail on the AD user authentication source but
> will match on the AD machine authentication source and the rules you
> defined will be applied.
>
>
> It's just an example of a configuration you can use, but other workflows
> are possible and are just limited by your imagination ;-) (2 portal
> profiles, filter by realm, filter by username ...)
>
> Regards
> Fabrice
>
> On 2015-04-03 15:14, Calugaru Adrian wrote:
> > Hi Fabrice,
> >
> > I've tried to create a realm named "host" but it sees the host/ as part
> > of the hostname/username, not like a domain.
> > Maybe if it was sending host\ instead of host/ it would work.
> >
> > As an alternative I was thinking on changing the script checking for a
> > @ in the request and try to check domain.com.
> > Any other ideas ?
> >
> > Thank you
> > Adrian
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> <mailto:[email protected]>
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 6 Apr 2015 09:00:52 -0400
> From: "Howell, Michael" <[email protected]
> <mailto:[email protected]>>
> Subject: [PacketFence-users] Modify the email sent for guest email
>     registration?
> To: "[email protected]
> <mailto:[email protected]>"
>     <[email protected]
> <mailto:[email protected]>>
> Message-ID:
>    
> <3683d5923b324e4685cbfdaef9101f1e25269e6...@nhc0564.nhc.network.local
> <mailto:3683d5923b324e4685cbfdaef9101f1e25269e6...@nhc0564.nhc.network.local>>
> Content-Type: text/plain; charset="us-ascii"
>
> Does anyone know how to modify the email sent for guest email
> registration? I'd like to modify the subject and the content.
>
>
>
>
> Thanks,
>
>
> Mike Howell
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 6 Apr 2015 08:09:36 -0500
> From: Dennis Brown <[email protected] <mailto:[email protected]>>
> Subject: [PacketFence-users] (no subject)
> To: [email protected]
> <mailto:[email protected]>
> Message-ID:
>    
> <CAOSPv5tHkrfQHPLMXciM-e6H5cJDPyZRpoHLGg=swfs+a_a...@mail.gmail.com
> <mailto:[email protected]>>
> Content-Type: text/plain; charset="utf-8"
>
> All,
>
> Having an issue starting RADIUSD after updating to version 4.7.0
>
> When running "/usr/sbin/radiusd -X" I am getting the below errors.
>
> First Error message:
> "Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in
> range 1.0.1 - 1.0.1f).  Security advisory CVE-2014-0160 (Heartbleed)  For
> more information see http://heartbleed.com <http://heartbleed.com/>"
>
> Fixed by adding "allow_vulnerable_openssl = yes" to security sub section
>
> Second Error message:
>   /etc/raddb/sql.conf[1]: Instantiation failed for module "sql"
>   /etc/raddb/sites-enabled/packetfence[32]: Failed to find "sql" in the
> "modules" section.
>   /etc/raddb/sites-enabled/packetfence[29]: Errors parsing accounting
> section.
>
> Please help?
>
> OS: CentOS 6.6
>
> ------------------------------


-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
