Aah, perfect! I don't know what I was doing wrong. I had been failing 
previously, and I removed my rule and started over again and this time it 
worked!
Now I can assign the role according to what OU the machine account resides in 
and assign a different role according to that OU.

This may be a basic question, but what’s the difference between “contains” and 
“regexp” when writing the conditions?
“contains” does not match on my ou name, but “regexp” does.

Thanks a million!
Darryl

From: Ludovic Zammit [mailto:[email protected]]
Sent: Monday, August 14, 2017 2:57 PM
To: Sokolowski, Darryl <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] Machine authentication not getting role

Hello Darryl,

Sorry I was not that clear, I admit it.

If you want to auto-register domain joined computers without seeing the captive 
portal, configure the following:

- an AD source with Username Attribute = servicePrincipalName and a rule that 
will match and give a role and an unreg date

[AD]
description=Microsoft Active Directory
password=*********
scope=sub
binddn=cn=administrator,cn=users,dc=domain,dc=local
basedn=cn=users,dc=inverse,dc=local
email_attribute=mail
usernameattribute=serviceprincipalname
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=10.0.0.1

[AD rule catchall]
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=default

- Configure your domain:

[mylovelyAD]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
ntlm_cache=disabled
dns_server=10.0.0.1
registration=0
ntlm_cache_expiry=3600
dns_name=domain.local
ou=Computers
bind_pass=
ntlm_cache_on_connection=disabled
bind_dn=
workgroup=inverse
ad_server=10.0.0.1
ntlm_cache_batch_one_at_a_time=disabled
ntlm_cache_batch=disabled
server_name=unicorn13
dns_servers=10.0.0.1
sticky_dc=*

- Configure the REALMs:

[DEFAULT]
domain=mylovelyAD

[NULL]
domain=mylovelyAD

- Configure a connection profile that matches the Switch,SSID,etc...

[SecureSSID]
locale=
filter=ssid:PF-Secure
description=Secure-SSID
sources=mylovelyAD
autoregister=enabled

- Keep in mind that if you edit your file by the CLI, you will need to push the 
new config with:

/usr/local/pf/bin/pfcmd configreload hard

Once you have done that config, restart PF:

/usr/local/pf/bin/pfcmd service pf restart

Here is what should happen:

- RADIUS request from your equipment
- PF authenticates your computer against the AD and brings back the role default
- PF returns the VLAN ID for the default role on your equipment based on the 
switches.conf
- VLAN applied on the connection
- DHCP in that VLAN
- Access on the network

You don't need to switch a role for each device manually; if the device matches 
the catchall rule you're golden!

I skipped a lot of steps but I hope it will help you.

Thanks!

Ludovic Zammit

[email protected] ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
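A model of the flow described in the message above, added here as an illustration and not PacketFence's own code: look a computer account up by servicePrincipalName, run the authentication rules in order with the first match winning, collect that rule's actions, and resolve the resulting role to a VLAN from a switches.conf-style fragment. The computer entries, the OU-based "servers" rule, the "servers" role and the VLAN numbers are all constructed assumptions. The condition operators here use plain string semantics; whether a "contains" condition on a live AD source matches an OU is decided by PacketFence and the directory, which this model does not reproduce.

```python
"""Model of the flow Ludovic describes: look a domain-joined computer up by
servicePrincipalName, run the authentication rules in order (first match
wins), collect the matching rule's actions, then resolve the resulting role
to a VLAN from a switches.conf-style fragment.  Added illustration only,
not PacketFence's code; every entry, rule and config value below is
constructed sample data."""
import configparser
import re

# Constructed computer accounts keyed by servicePrincipalName (the attribute
# the thread says a machine-authentication source must search on).
AD_COMPUTERS = {
    "host/ws01.domain.local": {
        "sAMAccountName": "WS01$",
        "distinguishedName": "CN=WS01,OU=Workstations,DC=domain,DC=local",
    },
    "host/srv01.domain.local": {
        "sAMAccountName": "SRV01$",
        "distinguishedName": "CN=SRV01,OU=Servers,DC=domain,DC=local",
    },
}

# Constructed rules in the shape of the posted "[AD rule catchall]" block.
# Conditions are (attribute, operator, value); the OU-specific rule comes
# first so the catch-all only applies to machines nothing else claimed.
RULES = [
    {"name": "servers", "match": "all",
     "conditions": [("distinguishedName", "regexp", r"(^|,)OU=Servers,")],
     "actions": ["set_role=servers", "set_access_duration=12h"]},
    {"name": "catchall", "match": "all", "conditions": [],
     "actions": ["set_access_duration=1h", "set_role=default"]},
]

# Constructed switches.conf fragment: a role named X resolves to key "XVlan".
SWITCHES_CONF = """\
[default]
defaultVlan=10
registrationVlan=2
isolationVlan=3
serversVlan=20
"""


def condition_holds(entry, attribute, operator, value):
    """Plain string semantics for the operators modelled here."""
    actual = entry.get(attribute, "")
    if operator == "equals":
        return actual == value
    if operator == "contains":
        return value in actual
    if operator == "starts":
        return actual.startswith(value)
    if operator == "ends":
        return actual.endswith(value)
    if operator == "regexp":
        return re.search(value, actual) is not None
    raise ValueError(f"unknown operator {operator!r}")


def rule_matches(entry, rule):
    results = [condition_holds(entry, *cond) for cond in rule["conditions"]]
    if rule["match"] == "all":
        return all(results)  # all([]) is True: no conditions means catch-all
    return any(results)


def evaluate(spn, rules=RULES, computers=AD_COMPUTERS):
    """Return the actions of the first matching rule as a dict, {} when the
    machine exists but no rule matched (registered with no role, the thread's
    original symptom), or None when the SPN is not found at all."""
    entry = computers.get(spn)
    if entry is None:
        return None
    for rule in rules:
        if rule_matches(entry, rule):
            return dict(action.split("=", 1) for action in rule["actions"])
    return {}


def vlan_for_role(role, switches_conf=SWITCHES_CONF, section="default"):
    """Resolve a role to the VLAN ID configured for it in the given section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(switches_conf)
    return cfg.getint(section, f"{role}Vlan")


if __name__ == "__main__":
    for spn in list(AD_COMPUTERS) + ["host/rogue.domain.local"]:
        actions = evaluate(spn)
        if actions is None:
            print(f"{spn}: not found in AD, no access")
            continue
        role = actions.get("set_role")
        vlan = vlan_for_role(role) if role else None
        print(f"{spn}: role={role} vlan={vlan} "
              f"duration={actions.get('set_access_duration')}")
```

Rule order matters: with the catch-all listed first, every machine would get the default role and the OU rule would never be reached. Running the script with only the OU rule loaded shows the `{}` case, a machine that authenticates but comes back with no role, which is exactly what Darryl saw before his catch-all rule worked.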



On Aug 14, 2017, at 2:22 PM, Sokolowski, Darryl <[email protected]> wrote:

Hi, thanks.
Forgive me for my questions, the concept of NAC is new to me.
I guess I am still confused about assigning (or not assigning) the role. “you 
cannot switch a node role because it will be recomputed on every radius 
request” has me confused. What is the role being computed from? I was under the 
impression from reading, that the role could be “automatically” computed and 
assigned by using various LDAP or AD attributes. And so having it recomputed is 
a good thing, because if it finds a change in the AD, then it would compute it 
to the new role based on the AD attributes.
From what you said here, it sounds like I would have to edit each node record 
to assign the role manually?
Am I thinking about this the wrong way?

Thanks
Darryl


From: Ludovic Zammit [mailto:[email protected]]
Sent: Monday, August 14, 2017 10:43 AM
To: Sokolowski, Darryl <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] Machine authentication not getting role

Hello,

If you are doing machine authentication with auto registration, you cannot 
switch a node role because it will be recomputed on every RADIUS request.

You could use the bypass role if you want to drop the device into a specific 
role. You will find it under Nodes > MAC > Bypass Role.

For your AD source, if you are doing machine authentication on a microsoft AD, 
make sure that you are checking the correct LDAP attribute.

Username Attribute = servicePrincipalName

Thanks,

Ludovic Zammit

[email protected] ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl <[email protected]> wrote:

Hi Ludovic. Thanks. I'm using machine authentication against active directory. 
Right now I'm trying to get a catch all rule to assign a role just to make sure 
I have that part working, so that I can ultimately assign different roles 
according to the OU that the machine account resides in. Right now I'm not 
testing for the ou, just assigning a role to test that my rule works.

In the packetfence log I see the authentication success, but no role assignment.

Machine auth works, as I can autoregister and I get on the management network, 
but any role I put in the authentication rule doesn't get assigned to the 
machine.

Thanks
Darryl




-------- Original message --------
From: Ludovic Zammit via PacketFence-users <[email protected]>
Date: 8/14/17 7:47 AM (GMT-05:00)
To: [email protected]
Cc: Ludovic Zammit <[email protected]>
Subject: Re: [PacketFence-users] Machine authentication not getting role

PS: /usr/local/pf/bin/pftest authentication username password

You can put "" if you don't want to display the password in the CLI.

Thanks,

Ludovic Zammit

[email protected] ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users 
<[email protected]> wrote:

Hello,

Are you doing user authentication? If yes, please check the tool 
/usr/local/pf/bin/pftest username password; you will see if your username brings 
any access settings.

If you check in the /usr/local/pf/logs/packetfence.log you should be able to 
see all the action taken after the radius request.

Thanks,

Ludovic Zammit

[email protected] ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users 
<[email protected]> wrote:

Hi everyone,
Can anyone help me with this please?
I have the machine authentication source looking at Active Directory, and a 
rule to assign role and access duration.
I am able to automatically register the device via machine authentication, but 
I can’t get the role assigned when it registers.
On the switch I see
%AUTHMGR-5-START: Starting 'dot1x' for client
%DOT1X-5-SUCCESS: Authentication successful for client
%AUTHMGR-5-SUCCESS: Authorization succeeded for client

But the role is not sent.

Raddebug shows the correct realm is identified and used, and the machine 
authentication source is defined in the realm.

In the nodes in packetfence, I see the node is registered with the owner as the 
machine name but no role is assigned.

I don’t know what I’m missing.

Thanks
Darryl

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users




