Hi Gábor,
You’ll have to show us your conf/authentication.conf and conf/profiles.conf
files if you want us to be able to answer those questions.
Everything depends on them.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
> On Mar 7, 2016, at 5:57 , BARÓCSI Gábor <[email protected]> wrote:
>
> Hi,
>
> I managed to make a successful authentication to a win AD.
> 802.1x on client side is set to authenticate with username. That works fine,
> a source is set up to a win AD checking if user's sAMaccountName exists in
> the subtree.
> I checked the LDAP queries on the DC's side.
> The problem is that I also set up Rules in the Source. Rule's class is
> authentication. It has only one condition, sAMaccountname is member of
> GroupName
> Action:
> Set_role CompanyRoleForEmployee
>
> I see that there is no ldap query for testing if the user is in the GroupName
> group. Is that a problem?
> I set up autoregister in order to not use the captive portal. Now I have two
> problems. The group membership is not tested and the client is not set to any
> vlan. Of course I have already set a vlan for Employees, and if I assign the
> client by hand, it is set to the Employee vlan and gets an IP.
>
> In my pflog I see this:
>
> Mar 07 11:53:36 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Realm source
> is configured in the realm MYDOMAINISHERE but is not in the portal profile.
> Ignoring it and using the portal profile sources.
> (pf::config::util::get_user_sources)
> Mar 07 11:53:36 httpd.aaa(21823) WARN: [mac:ec:f4:bb:10:ad:b7] Calling match
> with empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> Mar 07 11:53:36 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] autoregister a
> node that is already registered, do nothing. (pf::node::node_register)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Instantiate
> profile default (pf::Portal::ProfileFactory::_from_profile)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Role has
> already been computed and we don't want to recompute it. Getting role from
> node_info (pf::role::getRegisteredRole)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Username was
> NOT defined or unable to match a role - returning node based role ''
> (pf::role::getRegisteredRole)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] PID: "
> MYDOMAINISHERE \\gbarocsi", Status: reg Returned VLAN: (undefined), Role:
> (pf::role::fetchRoleForNode)
> Mar 07 11:53:37 httpd.aaa(21823) WARN: [mac:ec:f4:bb:10:ad:b7] No parameter
> Vlan found in conf/switches.conf for the switch 10.1.12.49
> (pf::Switch::getVlanByName)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] (10.1.12.49)
> Returning ACCEPT with VLAN 0 (pf::Switch::returnRadiusAccessAccept)
>
>
> What am I missing? Please help.
>
> Gábor Barócsi
> Network and System Engineer
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://makebettercode.com/inteldaal-eval
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
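A way to triage a log excerpt like the one quoted above, as an added example that is not part of the original thread and not PacketFence code: it strips the e-mail quote markers, rejoins the hard-wrapped records, and lists each MAC whose request ended in "Returning ACCEPT with VLAN 0" together with the WARN messages logged for it beforehand. The function names are hypothetical, and the sample MAC addresses and switch IP are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's format: "> "-quoted, hard-wrapped records.
SAMPLE = """\
> Mar 07 11:53:37 httpd.aaa(21823) WARN: [mac:02:00:00:00:00:01] No parameter
> Vlan found in conf/switches.conf for the switch 192.0.2.10
> (pf::Switch::getVlanByName)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:02:00:00:00:00:01] (192.0.2.10)
> Returning ACCEPT with VLAN 0 (pf::Switch::returnRadiusAccessAccept)
> Mar 07 11:54:02 httpd.aaa(21823) INFO: [mac:02:00:00:00:00:02] (192.0.2.10)
> Returning ACCEPT with VLAN 20 (pf::Switch::returnRadiusAccessAccept)
"""

START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) (?P<proc>[\w.]+)\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-f:]{17})\] "
    r"(?P<msg>.*?)(?: \((?P<func>pf::[\w:]+)\))?$")
ACCEPT = re.compile(r"Returning ACCEPT with VLAN (\d+)")

def parse_records(text):
    """Strip quote markers, rejoin wrapped lines, return one dict per record."""
    joined = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if START.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line      # continuation of a wrapped record
    return [m.groupdict() for m in map(RECORD.match, joined) if m]

def accepts_without_vlan(records):
    """Map MAC -> earlier WARN messages, for MACs accepted with VLAN 0."""
    warns, flagged = defaultdict(list), {}
    for r in records:
        if r["level"] == "WARN":
            warns[r["mac"]].append(r["msg"])
        hit = ACCEPT.search(r["msg"])
        if hit and int(hit.group(1)) == 0:
            flagged[r["mac"]] = list(warns[r["mac"]])
    return flagged

if __name__ == "__main__":
    for mac, why in accepts_without_vlan(parse_records(SAMPLE)).items():
        print(mac, "accepted with VLAN 0; preceding warnings:", why)
```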