Fabrice,
Thank you for your reply. Here are some details about my configuration:
*Method of operation:* Inline.
*Sources:* Active Directory server located outside of the inline network
*Rules:* I have one starter rule set that evaluates the group membership of
the user logging in, and assigns them a specific role if they belong to a
particular Active Directory security group.
*Switches:* The switch is a Cisco Catalyst 2960. Each of the ports has been
configured according to the example in your "Inline Deployment with ESXi"
guide. Outside of the default VLAN, no other VLANs are configured yet.
*pftest results:* Running the script with the demouser account (pw demouser)
allowed resulted in successes and matches against email, sponsor, and null
sources. For SMS, a match was made but authentication failed.
For Active Directory, an existing user (in my setup, an administrative
account called pf_admin) failed against Active Directory. I created a new
one and ran pftest again, and the same thing happened with the new
account. Both accounts fail with "Invalid login or password" and "Did not
match against Active_Directory" which is the name of my AD server in my
implementation.
I am thinking that maybe I need to try some different rules? Currently the
rule I have in place on the active directory source is as follows:
IF groupMembership IS MEMBER OF Test_Group PERFORM assign to Valid_users role
Thank you,
On Fri, Feb 3, 2017 at 7:39 AM, <[email protected]> wrote:
> Today's Topics:
>
> 1. Re: login problems (Fabrice Durand)
> 2. Re: New Debian8/6.4 Install - Preferred Deployment of Web
> Auth v. VLAN (Fabrice Durand)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 3 Feb 2017 08:33:49 -0500
> From: Fabrice Durand <[email protected]>
> Subject: Re: [PacketFence-users] login problems
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> Hello Alex,
>
> can you share a little bit more about your configuration ?
>
> Did you test with pftest binary in order to test your authentication
> sources ?
>
> Regards
>
> Fabrice
>
>
>
> On 2017-02-03 at 00:51, Alex Fishel wrote:
> > Hello all,
> >
> > I have set up an inline PacketFence 6.4.0 ESXi but have so far been
> > unable to authenticate with any credentials, including the demouser
> > account. I also have an AD domain set up as a source, but those are
> > not working either. Does anyone know why demouser is not working?
> >
> > Your help is appreciated!
> >
> > --
> > Alex Fishel
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 3 Feb 2017 08:39:24 -0500
> From: Fabrice Durand <[email protected]>
> Subject: Re: [PacketFence-users] New Debian8/6.4 Install - Preferred
> Deployment of Web Auth v. VLAN
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> Hello Cory,
>
>
> On 2017-02-02 at 22:39, Cory White wrote:
> > Small update - exported ZEN package into our VM environment - have
> > Out-of-Band working on a test 2960G. Get reg, redirect then see Radius
> > config switch port and access - GREAT!
> > questions
> > 1. I noticed if client device is on a configured port not on REG (Vl2)
> > by default. The Radius configures back to Vl2 but it takes a release
> > renew on the client device to get the PF VL2 IP from pf and start the
> > auth process - is this by design?
> Maybe you can try "authentication open" on the switch port config.
> Also do you know that you can do exactly the same thing (web auth) on
> the wire side too !
> > 2. I am having trouble with WebAuth portion on wireless side - I can
> > see log in packetfence.log without actually ever getting connected to
> > the SSID?
> >
> > Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] handling
> > radius autz request: from switch_ip => (10.218.0.2), connection_type
> > => Wireless-802.11-NoEAP,switch_mac => (a4:18:75:42:af:20), mac =>
> > [bc:9f:ef:56:b0:fc], port => 1, username => "bc9fef56b0fc", ssid =>
> > PF90 (pf::radius::authorize)
> > Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc]
> > Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> > Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] is of
> > status unreg; belongs into registration VLAN
> > (pf::role::getRegistrationRole)
> > Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc]
> > (10.218.0.2) Added role Pre_Auth to the returned RADIUS Access-Accept
> > (pf::Switch::returnRadiusAccessAccept)
> > Feb 02 22:19:47 httpd.aaa(1702) INFO: [mac:bc:9f:ef:56:b0:fc] Adding
> > web authentication redirection to reply using role: 'Pre_Auth' and
> > URL: 'http://10.218.100.100/sid93100c'
> > (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
> Change the registration url to that :
> registrationUrl=http://10.218.100.100/Cisco::WLC
> >
> > The log stops and I get the unable to connect dialog on my device
> > (never actual associate to SSID) - no logs are leading me anywhere
> > else unless I'm looking at the wrong ones. I used WebAuth Device
> > Config Guide to no avail and am a bit stuck. My switches.conf is below
> > as well - 10.218.0.2 is WLC, 10.218.100.100 - pf admin gui
> >
> > [10.218.0.2]
> > mode=production
> > SNMPCommunityRead=harley
> > SNMPCommunityWrite=harleyrw
> > defaultVlan=10
> > deauthMethod=RADIUS
> > description=WLC
> > type=Cisco::WLC_5500
> > radiusSecret=packetfence
> > SNMPVersion=2c
> > ExternalPortalEnforcement=Y
> > defaultRole=Authorized
> > registrationRole=Pre_Auth
> > registrationUrl=http://10.218.100.100/
> > controllerIp=10.218.0.2
> > UrlMap=Y
> > VlanMap=N
> > controllerPort=3799
> >
> > [10.218.100.4]
> > mode=production
> > SNMPCommunityRead=harley
> > description=100.4
> > cliAccess=Y
> > SNMPCommunityWrite=harley
> > defaultVlan=10
> > deauthMethod=RADIUS
> > type=Cisco::Catalyst_2960G
> > radiusSecret=packetfence
> > SNMPVersion=2c
> > controllerPort=3799
> > RoleMap=N
> >
> > Cory White
> > Xponet
> > P: 904.735.1600
> > E: [email protected]
> >
> >
> > On Wed, Feb 1, 2017 at 10:10 AM, Cory White <[email protected]> wrote:
> >
> > Hello All -
> >
> > Been awhile since I posted for version 4 testing and inline
> > deployment. We did deploy PF sparingly in production environment
> > but have yet to go 'all-in' as a permanent replacement. Roughly
> > couple hundred users - we're looking for multiple thousands to
> > test now.
> >
> > Its been sometime and I'm revisiting PF with 6.4 release - I am
> > having some sticking points where I see communication between our
> > WLC and PF, can associate to SSID and see Pre-Auth ACL applied but
> > never get presented with a portal - "Unable to contact server
> > under iOS". Preview of default does not display and shows a 'too
> > many redirects error'.
> >
> > We're testing with dual NIC as eth0 is management interface and
> > eth1 being portal/vlan specific to SSID - is this possible or do I
> > need to use one trunked eth0 and add VLAN identifiers/daemon
> > assignments accordingly?
> >
> > We're running Cisco 5520 server WLC on latest 8.3 code so there
> > are some differences from documentation examples but straight
> > forward. We 'think' WebAuth is the way we want to test/deploy
> > leaving essentially the WLC do all the work on our backbone,
> > leaving PF just portal for to assign Auth ACLs. Is this possible
> > over multiple NICs and VLANs? Or is this a more inline thought
> > process where management, portal and SSID/VLAN need to reside on
> > one LAN to accomplish?
> >
> > Basically if we want to scale past one network for captive portal
> > (multiple guest VLANs) do we need to go with O-o-B VLAN
> > enforcement and still use WLC/server backbone for everything else
> > ILO WebAuth?
> >
> >
> > Cory White
> > Xponet
> > P: 904.735.1600
> > E: [email protected]
> >
> >
> >
> >
> Regards
> Fabrice
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
> ------------------------------
>
> ------------------------------
>
> End of PacketFence-users Digest, Vol 106, Issue 13
> **************************************************
>
--
Alex Fishel
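The two pftest outcomes discussed in this thread, "Invalid login or password" and "Did not match against Active_Directory", come from different steps of an authentication source check: the bind against the directory, and the rule evaluation that only runs once the bind has succeeded. The Python model below is an added example and is not PacketFence code; the directory snapshot, account names, group DNs and message strings are constructed for the demonstration, and the assumption that a rule value may be written either as a full group DN or as a bare CN is mine, not PacketFence's documented behaviour.

```python
"""Model of a PacketFence-style authentication source check: an LDAP bind
followed by rule evaluation.  Added example with constructed data; it is not
PacketFence code and never talks to a real directory."""
from dataclasses import dataclass

# Constructed snapshot of what an LDAP search for each account would return.
# Passwords sit in the clear here only because this is a mock directory.
DIRECTORY = {
    "pf_admin": {
        "password": "correct-horse",
        "memberOf": ["CN=Test_Group,OU=Groups,DC=corp,DC=example"],
    },
    "newuser": {
        "password": "hunter2",
        "memberOf": ["CN=Other_Group,OU=Groups,DC=corp,DC=example"],
    },
}

INVALID_LOGIN = "Invalid login or password"


@dataclass(frozen=True)
class Rule:
    """IF <attribute> <operator> <value> PERFORM assign role <role>."""
    attribute: str
    operator: str   # only "is_member_of" is modelled here
    value: str      # group DN, or a bare CN (see group_matches)
    role: str


def bind(username, password):
    """Step 1: the bind.  An unknown account or wrong password fails here,
    before any rule is consulted."""
    entry = DIRECTORY.get(username)
    return entry is not None and entry["password"] == password


def _cn_of(dn):
    """Return the lower-cased value of the first RDN (the CN of a group DN)."""
    first = dn.split(",", 1)[0]
    return (first.split("=", 1)[1] if "=" in first else first).lower()


def group_matches(member_of, wanted):
    """Step 2 helper: case-insensitive match of the rule value against the
    account's memberOf DNs.  Assumption (not PacketFence behaviour): a value
    containing '=' is compared as a whole DN, a bare name against each CN."""
    wanted = wanted.strip().lower()
    for dn in member_of:
        if "=" in wanted:
            if dn.lower() == wanted:
                return True
        elif _cn_of(dn) == wanted:
            return True
    return False


def evaluate_rules(username, rules):
    """Step 2: the first matching rule wins and yields its role; None = no match."""
    entry = DIRECTORY[username]
    for rule in rules:
        if rule.attribute == "memberOf" and rule.operator == "is_member_of":
            if group_matches(entry["memberOf"], rule.value):
                return rule.role
    return None


def authenticate(username, password, rules, source="Active_Directory"):
    """Return (success, message) and keep the two failure modes distinct."""
    if not bind(username, password):
        return False, f"Authentication FAILED against {source} ({INVALID_LOGIN})"
    role = evaluate_rules(username, rules)
    if role is None:
        return False, f"Did not match against {source}"
    return True, f"Matched against {source}: assign role {role}"


# Constructed rule set, written with the full group DN.
RULES = [Rule("memberOf", "is_member_of",
              "CN=Test_Group,OU=Groups,DC=corp,DC=example", "Valid_users")]

if __name__ == "__main__":
    for user, pw in [("pf_admin", "wrong"), ("newuser", "hunter2"),
                     ("pf_admin", "correct-horse")]:
        print(f"{user}: {authenticate(user, pw, RULES)[1]}")
```

In this model a rule change only affects the second step; a source that reports an invalid login failed at the bind and never reached rule evaluation, so the credentials, the bind DN and the connection to the directory are the things to verify first, and the rule set only once the bind succeeds and the source reports no match.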