Thanks! That worked for me also. Just to be aware of the proper groups.
Now I'm going to start all the things with SoH and authentication on WiFi :)

Gábor Barócsi
Network and System Engineer

-----Original Message-----
From: Esteban Veloso [mailto:[email protected]]
Sent: 8 March 2016 14:00
To: [email protected]
Subject: Re: [PacketFence-users] 802.1x how to set authenticated user to a Role

Dear:

Thank you so much for this orientation. Effectively, with this form of comparison I can get a match by any of the groups defined in the hierarchical structure of the AD. Thus I can perform even better filters to assign roles to users, since I can apply criteria both for the principal branch and for a specific sub-department.

Thank you so much for this information.

Best regards.

Esteban A. Veloso Fuentes
Seguridad, Comunicaciones y Servicios Criticos
Departamento de Tecnologías de la Información y la Comunicación (TIC)
Presidencia de la República
(56-2) 26904885
www.gob.cl

-----Original Message-----
From: Thomas, Gregory A [mailto:[email protected]]
Sent: Monday, 7 March 2016 13:19
To: [email protected]
Subject: Re: [PacketFence-users] 802.1x how to set authenticated user to a Role

I set groups from AD. Since our population can be part of so many groups, I have set in the rule of the source:

memberOf - matches regexp - [GroupName]

So far I have not had any problems. Hope this helps.

--
Gregory A. Thomas
Student Life IT Support Manager
University of Wisconsin-Parkside
[email protected]
Office: (262) 595-2432
Cell: (262) 854-0105

-----Original Message-----
From: Esteban Veloso [mailto:[email protected]]
Sent: Monday, March 7, 2016 8:51 AM
To: [email protected]
Subject: Re: [PacketFence-users] 802.1x how to set authenticated user to a Role

Hello dears:

I also had problems with achieving this authentication. So far we have only achieved a positive result in the case of using the department as a key, but this implies that this field should be consistent in the AD. What Fabrice suggests I've tried a few minutes ago, without success.

When trying to match by groups or OUs, it was not possible, to the point that I almost tested combinatorially. I think there's something with the syntax. By capturing traffic between PF and AD, I see PF receives all the data: the groups it belongs to, the full DN, etc. But I failed to match with a test user. So far it has only been possible by comparing connection type, cn, department and mail; others I've tried, but I want to make it work with parameters in the DN.

Best regards, I will be very attentive to this thread of conversation.

Esteban A. Veloso Fuentes
Seguridad, Comunicaciones y Servicios Criticos
Departamento de Tecnologías de la Información y la Comunicación (TIC)
Presidencia de la República
(56-2) 26904885
www.gob.cl

-----Original Message-----
From: Fabrice DURAND [mailto:[email protected]]
Sent: Monday, 7 March 2016 11:01
To: [email protected]
Subject: Re: [PacketFence-users] 802.1x how to set authenticated user to a Role

Hi Gábor,

what you can try is

memberOf is_memberof cn=group,dc=.....

And check with pftest if your rule matches.

Regards
Fabrice

On 2016-03-07 05:57, BARÓCSI Gábor wrote:
> Hi,
>
> I managed to make a successful authentication to a win AD.
> 802.1x on client side is set to authenticate with username. That works fine,
> a source is set up to a win AD checking if user's sAMaccountName exists in
> the subtree.
> I checked the LDAP queries on the DC's side.
> The problem is that I also set up Rules in the Source. Rule's class
> is authentication. It has only one condition: sAMaccountname is member
> of GroupName
> Action:
> Set_role CompanyRoleForEmployee
>
> I see that there is no ldap query for testing if the user is in the GroupName
> group. Is that a problem?
> I set up autoregister in order to not use the captive portal. Now I have two
> problems. The group membership is not tested and the client is not assigned any
> vlan.
> Of course I have already set a vlan for Employees, and if I assign the
> client by hand, it is set to the Employee vlan and gets an IP.
>
> In my pflog I see this:
>
> Mar 07 11:53:36 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Realm source is configured in the realm MYDOMAINISHERE but is not in the portal profile. Ignoring it and using the portal profile sources. (pf::config::util::get_user_sources)
> Mar 07 11:53:36 httpd.aaa(21823) WARN: [mac:ec:f4:bb:10:ad:b7] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
> Mar 07 11:53:36 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] autoregister a node that is already registered, do nothing. (pf::node::node_register)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] PID: " MYDOMAINISHERE \\gbarocsi", Status: reg Returned VLAN: (undefined), Role: (pf::role::fetchRoleForNode)
> Mar 07 11:53:37 httpd.aaa(21823) WARN: [mac:ec:f4:bb:10:ad:b7] No parameter Vlan found in conf/switches.conf for the switch 10.1.12.49 (pf::Switch::getVlanByName)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] (10.1.12.49) Returning ACCEPT with VLAN 0 (pf::Switch::returnRadiusAccessAccept)
>
> What am I missing? Please help.
>
> Gábor Barócsi
> Network and System Engineer
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://makebettercode.com/inteldaal-eval
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
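The three rule variants that come up in this thread (a condition on sAMAccountName "is member of GroupName", Gregory's `memberOf - matches regexp - [GroupName]`, and Fabrice's `memberOf is_memberof <full group DN>`) behave differently on the same AD user, and the log Gábor quoted ("unable to match a role - returning node based role ''", then "Returning ACCEPT with VLAN 0") is what the no-match path looks like. The script below is an added example, not code from the thread and not PacketFence's own rule engine: it is a simplified model of how such conditions are evaluated against the attributes AD returns. The user entries, the group-to-parent map (standing in for the nested membership AD can resolve), the DN `CN=Employees,OU=Groups,DC=example,DC=local` and the operator names `equals`, `matches` and `is_memberof` are all constructed or assumed for the example; whether PacketFence resolves nested groups for `is_memberof` is an assumption here and should be confirmed with `pftest`, as Fabrice suggests.

```python
import re

# Constructed sample data (not from any real directory): the attributes an
# LDAP/AD source returns for two users. memberOf holds full group DNs, never
# bare group names, which is why a condition on sAMAccountName cannot match
# a group and why is_memberof needs the DN form Fabrice shows.
USERS = {
    "gbarocsi": {
        "sAMAccountName": "gbarocsi",
        "department": "IT",
        "memberOf": ["CN=NetworkAdmins,OU=IT,OU=Groups,DC=example,DC=local"],
    },
    "jdoe": {
        "sAMAccountName": "jdoe",
        "department": "Sales",
        "memberOf": ["CN=Ex-Employees,OU=Groups,DC=example,DC=local"],
    },
}

# Constructed group -> parent groups map, standing in for AD's nested
# membership (NetworkAdmins is itself a member of Employees).
GROUP_PARENTS = {
    "CN=NetworkAdmins,OU=IT,OU=Groups,DC=example,DC=local":
        ["CN=Employees,OU=Groups,DC=example,DC=local"],
    "CN=Employees,OU=Groups,DC=example,DC=local": [],
    "CN=Ex-Employees,OU=Groups,DC=example,DC=local": [],
}

EMPLOYEES_DN = "CN=Employees,OU=Groups,DC=example,DC=local"


def all_groups(direct, parents, seen=None):
    """Expand direct memberships through nested groups (lower-cased DNs)."""
    seen = set() if seen is None else seen
    for dn in direct:
        if dn.lower() in seen:
            continue
        seen.add(dn.lower())
        all_groups(parents.get(dn, []), parents, seen)
    return seen


def evaluate_condition(entry, attribute, operator, value, parents=GROUP_PARENTS):
    """Evaluate one condition (attribute, operator, value) against a user entry.

    Operators modelled here (an assumption, not PacketFence's exact semantics):
    equals, matches (regexp search over every value), is_memberof.
    """
    values = entry.get(attribute, [])
    if isinstance(values, str):
        values = [values]
    if operator == "equals":
        return any(v.lower() == value.lower() for v in values)
    if operator == "matches":
        return any(re.search(value, v, re.IGNORECASE) for v in values)
    if operator == "is_memberof":
        # Membership is a property of memberOf (a list of group DNs) and the
        # value must be a DN; a bare "GroupName" on another attribute never matches.
        if attribute != "memberOf" or "=" not in value:
            return False
        return value.lower() in all_groups(values, parents)
    raise ValueError(f"unknown operator {operator!r}")


def match_rule(entry, conditions, parents=GROUP_PARENTS):
    """All conditions of a rule must hold (AND), as in a source rule."""
    return all(evaluate_condition(entry, a, o, v, parents) for a, o, v in conditions)


def assign_role(entry, rules, parents=GROUP_PARENTS):
    """Return the role of the first matching rule, or None (no role, so no VLAN)."""
    for conditions, role in rules:
        if match_rule(entry, conditions, parents):
            return role
    return None


# The rule variants discussed in the thread.
RULE_BARE_GROUP = [("sAMAccountName", "is_memberof", "GroupName")]
RULE_REGEXP_LOOSE = [("memberOf", "matches", "Employees")]
RULE_REGEXP_ANCHORED = [("memberOf", "matches", r"^CN=Employees,")]
RULE_IS_MEMBEROF = [("memberOf", "is_memberof", EMPLOYEES_DN)]


if __name__ == "__main__":
    for name, rule in [("bare group name", RULE_BARE_GROUP),
                       ("loose regexp", RULE_REGEXP_LOOSE),
                       ("anchored regexp", RULE_REGEXP_ANCHORED),
                       ("is_memberof full DN", RULE_IS_MEMBEROF)]:
        for user, entry in USERS.items():
            print(f"{name:20} {user:9} -> role {assign_role(entry, [(rule, 'employee')])}")
```

Two things the model makes visible: a nested membership (gbarocsi is in NetworkAdmins, which is in Employees) is only caught by `is_memberof` with the group's DN, not by a regexp over the direct memberOf values; and an unanchored regexp such as `Employees` also matches `CN=Ex-Employees,...`, handing the Employee role (and its VLAN) to an account that should not have it, so anchor the pattern on `^CN=GroupName,` or prefer the DN comparison. Whatever form you pick, confirm the match with `pftest` against a test account before relying on it.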
