Hello,
If you are doing machine authentication with auto registration, you cannot
switch a node role because it will be recomputed on every RADIUS request.
You could use the bypass role if you want to drop the device into a specific
role. You will find it under Nodes > MAC > Bypass Role.
For your AD source, if you are doing machine authentication on a Microsoft AD,
make sure that you are checking the correct LDAP attribute.
Username Attribute = servicePrincipalName
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl <[email protected]> wrote:
>
> Hi Ludovic. Thanks. I'm using machine authentication against Active
> Directory. Right now I'm trying to get a catch-all rule to assign a role just
> to make sure I have that part working, so that I can ultimately assign
> different roles according to the OU that the machine account resides in.
> Right now I'm not testing for the OU, just assigning a role to test that my
> rule works.
>
> In the PacketFence log I see the authentication success, but no role
> assignment.
>
> Machine auth works, as I can autoregister and I get on the management
> network, but any role I put in the authentication rule doesn't get assigned
> to the machine.
>
> Thanks
> Darryl
>
> -------- Original message --------
> From: Ludovic Zammit via PacketFence-users
> <[email protected]>
> Date: 8/14/17 7:47 AM (GMT-05:00)
> To: [email protected]
> Cc: Ludovic Zammit <[email protected]>
> Subject: Re: [PacketFence-users] Machine authentication not getting role
>
> PS: /usr/local/pf/bin/pftest authentication username password
>
> You can put "" if you don't want to display the password in the CLI.
>
> Thanks,
> Ludovic Zammit
>
>> On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users
>> <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> Hello,
>>
>> Are you doing user authentication? If yes, please check the tool
>> /usr/local/pf/bin/pftest username password; you will see if your username
>> brings any access settings.
>>
>> If you check in /usr/local/pf/logs/packetfence.log you should be able to
>> see all the actions taken after the RADIUS request.
>>
>> Thanks,
>> Ludovic Zammit
>>
>>> On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users
>>> <[email protected]
>>> <mailto:[email protected]>> wrote:
>>>
>>> Hi everyone,
>>> Can anyone help me with this please?
>>> I have the machine authentication source looking at Active Directory, and
>>> a rule to assign role and access duration.
>>> I am able to automatically register the device via machine authentication,
>>> but I can’t get the role assigned when it registers.
>>> On the switch I see
>>> %AUTHMGR-5-START: Starting 'dot1x' for client
>>> %DOT1X-5-SUCCESS: Authentication successful for client
>>> %AUTHMGR-5-SUCCESS: Authorization succeeded for client
>>>
>>> But the role is not sent.
>>>
>>> Raddebug shows the correct realm is identified and used, and the machine
>>> authentication source is defined in the realm.
>>>
>>> In the nodes in PacketFence, I see the node is registered with the owner as
>>> the machine name but no role is assigned.
>>>
>>> I don’t know what I’m missing.
>>>
>>> Thanks
>>> Darryl
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users