Hi Anton,
in fact the role name in AutoRegister scope doesn't really matter, it
just has to exist (to return True).
If the AutoRegister scope returns something then the next step is
NodeInfoForAutoReg.
In this scope (NodeInfoForAutoReg) PacketFence will try to instantiate
a portal profile to compute the role.
So if you have no rule that matches in NodeInfoForAutoReg then you will
have to create a portal profile that will match on a specific parameter
(like the SSID).
Don't forget that in the NodeInfoForAutoReg scope is the device never
registered then there is no node.category.
Regards
Fabrice
On 2016-05-20 02:24, Anton Dreyer wrote:
Hi Fabrice
Thanks for taking the time to answer.
This is exactly what I am not sure how to accomplish. I have 2x AD
sources in the portal profile. Is it possible to set the 2 roles in
the auto register portion? By doing
[1:normalnetwork]
scope = AutoRegister
role = admin_wlan
do you not set everyone to admin_wlan? How do I manage to
differentiate between the roles/sources?
Thanks again
Regards
Anton
*From:* Fabrice Durand [mailto:[email protected]]
*Sent:* Thursday, 19 May 2016 4:27 PM
*To:* [email protected]
*Subject:* Re: [PacketFence-users] Auto registration
Hello Anton,
the fact is the role is not yet set in the AutoRegister scope:
[1:normalnetwork&is_staff]
scope = AutoRegister
role = admin_wlan
[2:normalnetwork&is_student]
scope = AutoRegister
role = student_wlan
So do that instead:
[1:normalnetwork]
scope = AutoRegister
role = admin_wlan
And when it will go in the normal flow (NodeInfoForAutoReg after
AutoRegister) it will try to instantiate the portal (Filter
SSID:ess_pf_Dot1x) and try to match with your AD source.
Of course you must have a portal profile with SSID:ess_pf_Dot1x and
assign the AD source on it.
Regards
Fabrice
On 2016-05-19 09:44, Anton Dreyer wrote:
Good day
I was hoping I could get a little assistance regarding auto
registration on the 802.1x network (skipping the whole portal part)
The examples for auto registration I have found seem to have a
single, default role. You guys helped me to put together the top
part of the filter below a couple of months ago to deregister
someone connecting to the open network:
Would it be a terrible ask to help writing a filter to
autoregister on the secure ssid? I am guessing it would look
something like this?:
[regnetwork]
filter = ssid
operator = is
value = ess_pf_MacAuth
[is_staff]
filter = node_info.category
operator = is
value = admin_wlan
[is_student]
filter = node_info.category
operator = is
value = student_wlan
#unregister all staff nodes when connecting to open ssid
[unregnode:regnetwork&is_staff]
scope = NormalVlan
role = registration
action = deregister_node
action_param = mac = $mac
#unregister all student nodes when connecting to open ssid
[unregnode:regnetwork&is_student]
scope = NormalVlan
role = registration
action = deregister_node
# ------------ the code above works, new code below --------------------
#autoregister on Dot1x
[normalnetwork]
filter = ssid
operator = is
value = ess_pf_Dot1x
[1:normalnetwork&is_staff]
scope = AutoRegister
role = admin_wlan
[2:normalnetwork&is_student]
scope = AutoRegister
role = student_wlan
[autoreg]
filter = node_info
attribute = autoreg
operator = match
value = yes
[3:autoreg]
scope = NormalVlan
action = register_node
action_param = mac = $mac
---
Thanks in advance!
Anton
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x135)
::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
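Added example, not part of the thread and not PacketFence code: a simplified Python model of the filter matching discussed above, using the section names and values quoted in the messages. `lookup`, `first_match` and `NEW_DEVICE` are hypothetical names, and only the `is` operator and `&` conjunction are modelled; it shows why the category-based AutoRegister rules cannot match a never-registered device while the SSID-only rule does.

```python
import configparser
# Constructed from the filters quoted in this thread (conditions + both rule variants).
CONDITIONS = """
[normalnetwork]
filter = ssid
operator = is
value = ess_pf_Dot1x
[is_staff]
filter = node_info.category
operator = is
value = admin_wlan
[is_student]
filter = node_info.category
operator = is
value = student_wlan
"""
ORIGINAL = CONDITIONS + """
[1:normalnetwork&is_staff]
scope = AutoRegister
role = admin_wlan
[2:normalnetwork&is_student]
scope = AutoRegister
role = student_wlan
"""
SUGGESTED = CONDITIONS + """
[1:normalnetwork]
scope = AutoRegister
role = admin_wlan
"""

def lookup(ctx, dotted):
    for part in dotted.split("."):  # e.g. 'node_info.category'; missing key -> None
        ctx = ctx.get(part) if isinstance(ctx, dict) else None
    return ctx

def first_match(conf_text, scope, ctx):
    """Return the name of the first rule in `scope` whose conditions all hold."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    def holds(name):
        c = cp[name]
        return c["operator"] == "is" and lookup(ctx, c["filter"]) == c["value"]
    for section in cp.sections():
        if cp[section].get("scope") == scope:  # condition sections have no scope
            expr = section.split(":", 1)[1]    # "1:a&b" -> "a&b"
            if all(holds(cond) for cond in expr.split("&")):
                return section
    return None
NEW_DEVICE = {"ssid": "ess_pf_Dot1x", "node_info": {}}  # first connection: no category yet
```

Calling `first_match(ORIGINAL, "AutoRegister", NEW_DEVICE)` returns `None`, while the same call with `SUGGESTED` returns `"1:normalnetwork"`.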