With Louis @ Inverse's help this has been resolved (I highly recommend the support contract BTW).
I now have an extra condition in my vlan_filter.conf to stop the mac_auth requests hitting my visiting_user condition, by forcing the visiting_user to match the ssid also. It is now as follows:

[home_user]
filter = username
operator = match
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$)

[visiting_user]
filter = username
operator = match_not
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$)

[eduroam]
filter = ssid
operator = is
value = eduroam

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

[autoreg:visiting_user&eduroam]
scope = AutoRegister
role = eduroam_visitors

[2:home_user]
scope = NormalVlan
role = eduroam_home
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

[2:visiting_user&eduroam]
scope = NormalVlan
role = eduroam_visitors
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

From: Morris, Andi [email protected]
Sent: 19 August 2015 13:36
To: [email protected]
Subject: Re: [PacketFence-users] Using vlan_filter & device registration

Apologies, I meant to put the extract from the packetfence.log:

Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] handling radius autz request: from switch_ip => (192.168.142.13), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:3a:98:d0:1e:c0), mac => [00:26:b6:da:18:42], port => 13, username => "00:26:b6:da:18:42" (pf::radius::authorize)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Match Vlan rule: autoreg:visiting_user (pf::vlan::filter::test)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] autoregister a node that is already registered, do nothing. (pf::node::node_register)
Aug 19 13:21:27 httpd.aaa(8977) WARN: Can't find provisioner for 00:26:b6:da:18:42 since we don't have it's OS (pf::Portal::Profile::findProvisioner)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Can't find provisioner (pf::vlan::getNormalVlan)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] Match Vlan rule: 2:visiting_user (pf::vlan::filter::test)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] PID: "default", Status: reg Returned VLAN: 145, Role: eduroam_visitors (pf::vlan::fetchVlanForNode)
Aug 19 13:21:27 httpd.webservices(9127) WARN: invalid date 2015-09-0923:59:59 (pf::util::valid_date)
Aug 19 13:21:27 httpd.webservices(9127) WARN: We were unable to calculate the access duration (pf::config::access_duration)
Aug 19 13:21:27 httpd.aaa(8977) INFO: [00:26:b6:da:18:42] (192.168.142.13) Returning ACCEPT with VLAN 145 and role (pf::Switch::returnRadiusAccessAccept)

Cheers,
Andi

From: Morris, Andi [email protected]
Sent: 19 August 2015 13:28
To: [email protected]
Subject: [PacketFence-users] Using vlan_filter & device registration

Hi all,

I'm having an issue on a new PF box running 5.0.1 (this is the version we have in dev). Currently I'm using vlan_filters to decide whether a user is a home user or an eduroam visiting user, and assign the correct role based on this. However, I've just added the device-registration option, and the vlan_filter is taking over this, registering the device with the owner as "default". I presume this is something to do with my regex filtering within vlan_filter.conf, as the device matches the visiting_user filter and is given this vlan instead of the one it should be given. I've tried to account for this by telling the filter not to trigger when the username is a mac address, which it appears to be when the device logs in, but I'm still seeing this match the visiting_user filter.

My vlan_filter.conf is:

[home_user]
filter = username
operator = match
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$)

[visiting_user]
filter = username
operator = match_not
value = ^(.+@cardiffmet\.ac\.uk$|.+@uwic\.ac\.uk$|([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$)

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home

[autoreg:visiting_user]
scope = AutoRegister
role = eduroam_visitors

[2:home_user]
scope = NormalVlan
role = eduroam_home
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

[2:visiting_user]
scope = NormalVlan
role = eduroam_visitors
action = modify_node
action_param = mac = $mac , unregdate = 2015-09-0923:59:59

Anyone have any ideas about this?

Cheers,
Andi

-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]
--------------------------------------
------------------------------------------------------------------------------
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
