Testing out PF 5.0, specifically the "Realms" feature. I was hoping this would solve
something that I've previously been doing in the RADIUS policy.conf. This is
regarding 802.1X.
Not a big deal for me, I can make it work, but it might streamline the
process for other users down the road.
We want users to authenticate with their email address ([email protected]). We
also want [email protected] or MCCAD\username (domain credentials) to
function. We also want just the username with no domain to function, for
legacy purposes.
When I use a realm and set the PF auth source to use the stripped name for AD
authentication, it works fine, but it will still store the username in
PacketFence as whatever was entered by the user, so you could potentially
have four different entries for every user.
On top of that, when I send IP information to our Palo Alto firewall from
PF, it needs to be sent as mccad\username to match group-based firewall
policies. Right now I have just modified the Palo SSO pm to accomplish this.
Ideally, for me, PF should use the stripped username not only for
authentication, but should also store it in the PF database that way. Any realm
specified in "Realms" should also be able to be mapped to a domain that
gets prepended (or suffixed, depending on your usage) before being sent to
the firewall.
This is what I am doing in policy.conf right now.
mcc_realm is applied in the preacct and post-auth sections of the packetfence server
(preacct for our custom user-IP mapping for the Palo) and in the post-auth section of
packetfence-tunnel.
mcc_realm_inner is applied in the authorize section of packetfence-tunnel.
mcc_realm {
    # Machine authentication: host/<computer>.mccad.mcc.edu (or the
    # %anonymous form) becomes the AD computer account "<computer>$".
    if ( "%{request:User-Name}" =~ /^host\/(.*)\.mccad\.mcc\.edu$/i
         || "%{request:User-Name}" =~ /^.*host\/(.*)\%anonymous.*\.mcc\.edu$/i ) {
        update request {
            User-Name := "%{1}$"
            Stripped-User-Name := "%{1}$"
            Realm := "MCCAD"
        }
    }
    # User authentication: user@mcc.edu, user@mccad.mcc.edu and MCCAD\user
    # all collapse to the bare username with realm MCCAD. A bare username
    # matches nothing and is left untouched.
    if ( "%{request:User-Name}" =~ /^([a-z0-9.]{4,63})@mcc\.edu$/i ||
         "%{request:User-Name}" =~ /^([a-z0-9.]{4,63})@mccad\.mcc\.edu$/i ||
         "%{request:User-Name}" =~ /^MCCAD[\\]{1,2}([a-z0-9.]{4,63})$/i ) {
        update request {
            User-Name := "%{1}"
            Stripped-User-Name := "%{1}"
            Realm := "MCCAD"
        }
    }
}
mcc_realm_inner {
    # Same rules, applied to the inner (tunnelled) identity. Besides the inner
    # request, the outer request and the reply are rewritten so the stripped
    # name is what the outer server sees and logs.
    if ( "%{request:User-Name}" =~ /^host\/(.*)\.mccad\.mcc\.edu$/i
         || "%{request:User-Name}" =~ /^.*host\/(.*)\%anonymous.*\.mcc\.edu$/i ) {
        update request {
            Stripped-User-Name := "%{1}$"
            Realm := "MCCAD"
        }
        update outer.request {
            User-Name := "%{1}$"
            Realm := "MCCAD"
        }
        update reply {
            User-Name := "%{1}$"
            Realm := "MCCAD"
        }
    }
    if ( "%{request:User-Name}" =~ /^([a-z0-9.]{4,63})@mcc\.edu$/i ||
         "%{request:User-Name}" =~ /^([a-z0-9.]{4,63})@mccad\.mcc\.edu$/i ||
         "%{request:User-Name}" =~ /^MCCAD[\\]{1,2}([a-z0-9.]{4,63})$/i ) {
        update request {
            Stripped-User-Name := "%{1}"
            Realm := "MCCAD"
        }
        update outer.request {
            User-Name := "%{1}"
            Realm := "MCCAD"
        }
        update reply {
            User-Name := "%{1}"
            Realm := "MCCAD"
        }
    }
}
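An added example, not part of the original post and not PacketFence or FreeRADIUS code: a Python re-implementation of the same username normalization, so the rewrite rules above can be checked against sample User-Name values offline and it is visible how many distinct identities the different login forms collapse to. The regexes and the MCCAD realm are taken from the policy above; the sample names (jdoe, lab-pc01, lab-pc02) and the helper names normalize, firewall_identity and dedupe are constructed for this example.

```python
import re

# Conditions from the mcc_realm policy above, translated to Python regexes
# (the unlang /i flag becomes re.IGNORECASE).
HOST_PATTERNS = [
    re.compile(r"^host/(.*)\.mccad\.mcc\.edu$", re.IGNORECASE),
    re.compile(r"^.*host/(.*)%anonymous.*\.mcc\.edu$", re.IGNORECASE),
]
USER_PATTERNS = [
    re.compile(r"^([a-z0-9.]{4,63})@mcc\.edu$", re.IGNORECASE),
    re.compile(r"^([a-z0-9.]{4,63})@mccad\.mcc\.edu$", re.IGNORECASE),
    re.compile(r"^MCCAD[\\]{1,2}([a-z0-9.]{4,63})$", re.IGNORECASE),
]
REALM = "MCCAD"


def normalize(user_name):
    """Mirror the policy: return (Stripped-User-Name, Realm) for a RADIUS
    User-Name, or None when no rule matches and the request is left as
    entered (the bare legacy username case)."""
    for pattern in HOST_PATTERNS:
        match = pattern.match(user_name)
        if match:
            # "%{1}$": AD computer accounts are named <hostname>$
            return match.group(1) + "$", REALM
    for pattern in USER_PATTERNS:
        match = pattern.match(user_name)
        if match:
            return match.group(1), REALM
    return None


def firewall_identity(user_name):
    """Identity to hand to the firewall in the mccad\\username form the post
    asks for; None when the name was not normalized."""
    result = normalize(user_name)
    if result is None:
        return None
    stripped, realm = result
    return realm.lower() + "\\" + stripped


def dedupe(user_names):
    """Distinct stripped identities a list of login forms collapses to."""
    return sorted({normalize(n)[0] for n in user_names if normalize(n)})


if __name__ == "__main__":
    # Constructed sample User-Name values covering every form the policy handles.
    samples = [
        "jdoe@mcc.edu",
        "jdoe@mccad.mcc.edu",
        "MCCAD\\jdoe",
        "mccad\\\\jdoe",
        "host/lab-pc01.mccad.mcc.edu",
        "host/lab-pc02%anonymous@mccad.mcc.edu",
        "jdoe",  # legacy bare username: no rewrite
    ]
    for name in samples:
        print(f"{name:40} -> {normalize(name)}  firewall={firewall_identity(name)}")
    print("distinct identities:", dedupe(samples))
```

Two things the run makes visible that the policy alone does not: the regexes are case-insensitive but the captured group keeps whatever case the user typed, so "JDoe@mcc.edu" and "jdoe@mcc.edu" would still be stored as two names unless the capture is lowercased as well; and a bare username matches no rule and passes through unchanged, which is what keeps the legacy form working.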
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users