Short answer: For a computer account, you can do something like
"sAMAccountType equals 805306369" in auth sources to assign domain computer
accounts to a specific role.
Long answer:
It's weird. For some retarded reason, MS decided to make computers
authenticate with the servicePrincipalName AD attribute instead of the
sAMAccountName.
I personally don't want to see the domain info for local auth, be it user or
computer, so I filter it out in RADIUS before it hits PacketFence.
    # Machine accounts: the 802.1X identity arrives as host/<name>.<AD DNS domain>
    # (or wrapped in an anonymous outer identity). Rewrite it to the
    # sAMAccountName form COMPUTERNAME$; the trailing $ is literal.
    if ( "%{request:User-Name}" =~ /^host\/(.*)\.mccad\.mcc\.edu$/i ||
         "%{request:User-Name}" =~ /^.*host\/(.*)\%anonymous.*\.mcc\.edu$/i ) {
        update request {
            User-Name := "%{1}$"
            Stripped-User-Name := "%{1}$"
            Realm := "MCCAD"
        }
    }
    # User accounts: user@mcc.edu, user@mccad.mcc.edu and MCCAD\user (one or
    # two backslashes) all collapse to the bare username. Anything that does
    # not match (e.g. a foreign realm) is left untouched.
    if ( "%{request:User-Name}" =~ /^([a-z0-9.]{4,63})@mcc\.edu$/i ||
         "%{request:User-Name}" =~ /^([a-z0-9.]{4,63})@mccad\.mcc\.edu$/i ||
         "%{request:User-Name}" =~ /^MCCAD[\\]{1,2}([a-z0-9.]{4,63})$/i ) {
        update request {
            User-Name := "%{1}"
            Stripped-User-Name := "%{1}"
            Realm := "MCCAD"
        }
    }
And something similar in the inner tunnel to expose the username if they
are using an anonymous outer ID.
This makes the user in PF show as COMPUTERNAME$ instead of host/
computername.mccad.mcc.edu, and local domain users always show as USERNAME
whether they 802.1X authenticate as [email protected], [email protected],
or MCCAD\USERNAME.
The big reason for doing this is both stupid and eduroam. Our users have had
it beaten into their heads to log in with just their username and no domain
component. I personally think this is stupid, but it is the way it is.
That may have been fine and dandy 10 years ago, but now with so much
federation going on, things like eduroam won't work if they don't do it
right. Our eduroam is set up so it'll work with or without the domain
component for local users, but I want it to always record to the same user
in PF whether they do a captive portal login or connect via 802.1X. If I
don't, then our firewall won't get updated with the right username for
group mappings.
It'd be nice *HINT HINT* if PF could handle some of this natively: extend
the realms option to manipulate usernames in certain realms. They did part
of this with the REALM addition and allowing you to specify "Use stripped
username" in rules, but that doesn't function for other components of the
system like firewall SSO, etc.
On Wed, May 20, 2015 at 8:02 AM, <[email protected]> wrote:
> Hi,
>
> can anyone tell me where the "Domain" information in the PF RADIUS log
> comes from?
>
> The background is:
> When using the AD authentication as it is described in the PF documentation,
> and using the "user" authentication, everything works fine and the entries in
> the RADIUS log show up in the usual way: "<domain>\\<username>". But using
> the host authentication as described in the documentation, it does not.
> The entries in the log file look like this: "host/<fqhn>". Yes, the
> beginning is "host", and although with users it uses "\\", here it uses
> "/".
> And no wonder the authentication fails with something similar to "host :
> unknown Domain".
>
> Any hints?
> (using PF 5.02 on Debian 7)
>
> Bye,
> Holger
>
> --
> Holger Patzelt
> E-Mail: [email protected]
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
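Below is an added example of mine, not code from the post above nor from
PacketFence or FreeRADIUS: the two unlang rules re-implemented in Python so
the regexes can be run against sample identities offline and you can see
exactly what User-Name PacketFence would end up with. The realm and DNS names
are the ones from the posted snippet; the sample identities, including the
%anonymous form, are constructed for the example rather than captured from a
real supplicant.

```python
import re

# Realm and DNS names copied from the unlang snippet in the post above;
# substitute your own. The sample identities further down are constructed.
REALM = "MCCAD"
DNS_DOMAIN = "mcc.edu"
AD_DNS_DOMAIN = "mccad.mcc.edu"

# Machine accounts: "host/<name>.<AD DNS domain>", or the same thing buried in
# an anonymous outer identity. The capture becomes the sAMAccountName "<name>$".
HOST_PATTERNS = [
    re.compile(r"^host/(.*)\." + re.escape(AD_DNS_DOMAIN) + r"$", re.IGNORECASE),
    re.compile(r"^.*host/(.*)%anonymous.*\." + re.escape(DNS_DOMAIN) + r"$", re.IGNORECASE),
]

# User accounts: user@mcc.edu, user@mccad.mcc.edu, MCCAD\user (one or two
# backslashes). Usernames are 4-63 chars of [a-z0-9.], as in the original rules.
USER_PATTERNS = [
    re.compile(r"^([a-z0-9.]{4,63})@" + re.escape(DNS_DOMAIN) + r"$", re.IGNORECASE),
    re.compile(r"^([a-z0-9.]{4,63})@" + re.escape(AD_DNS_DOMAIN) + r"$", re.IGNORECASE),
    re.compile(r"^" + re.escape(REALM) + r"[\\]{1,2}([a-z0-9.]{4,63})$", re.IGNORECASE),
]


def normalize_identity(user_name):
    """Mirror the two unlang 'update request' blocks.

    Returns the attributes the matching rule would set, or {} when no rule
    matches, i.e. the request would continue with its original User-Name
    (for example a visitor from a foreign eduroam realm).
    """
    for pat in HOST_PATTERNS:
        m = pat.match(user_name)
        if m:
            sam = m.group(1) + "$"  # AD machine accounts are COMPUTERNAME$
            return {"User-Name": sam, "Stripped-User-Name": sam, "Realm": REALM}
    for pat in USER_PATTERNS:
        m = pat.match(user_name)
        if m:
            name = m.group(1)
            return {"User-Name": name, "Stripped-User-Name": name, "Realm": REALM}
    return {}


# Constructed sample identities (not real accounts) covering each rule plus two
# cases the rules deliberately leave alone.
SAMPLES = [
    "host/lab-pc01.mccad.mcc.edu",            # plain machine auth
    "host/lab-pc01%anonymous@mccad.mcc.edu",  # machine auth behind an anonymous outer id (constructed form)
    "jsmith@mcc.edu",
    "jsmith@mccad.mcc.edu",
    "MCCAD\\jsmith",
    "MCCAD\\\\jsmith",                        # double backslash as sent by some supplicants
    "bob@mcc.edu",                            # too short for {4,63}: passes through untouched
    "jsmith@example.org",                     # foreign realm (eduroam visitor): untouched
]


def run_samples():
    """Map each sample to the User-Name PacketFence would see (None = unchanged)."""
    return {s: normalize_identity(s).get("User-Name") for s in SAMPLES}


if __name__ == "__main__":
    for ident, result in run_samples().items():
        print(f"{ident!r:45} -> {result!r}")
```

Two of the samples intentionally produce no rewrite: a username shorter than
four characters and an identity in a foreign realm both fall through
unchanged, which is what lets a visiting eduroam user be proxied normally
instead of being mangled into a local account. If you loosen the {4,63}
bounds or the character class to allow hyphens or underscores, re-run the
samples and check the host patterns still do not steal a user identity.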