---------- Forwarded message ----------
From: Gary Stansbury <[email protected]>
Date: Tue, Sep 26, 2017 at 2:44 PM
Subject: auto-registration via vlan_filters.conf in pf 7.3
To: [email protected]
Has the logic changed or been deprecated for vlan_filters.conf? On brand
new devices (or devices which I manually removed from the database), when
they first authenticate they are immediately identified as 'of status
unreg' and none of the filters from vlan_filters.conf ever get applied
(which means they never get autoregistered).
dvpf2:~/gospace/src/github.com/inverse-inc/packetfence/go # tailf /usr/local/pf/logs/packetfence.log | egrep -i '8a.13'
Sep 26 14:20:00 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:ac:22:0b:44:8a:13] handling radius autz request: from switch_ip =>
(10.99.240.20), connection_type => Wireless-802.11-EAP,switch_mac =>
(40:18:b1:fb:d2:e9), mac => [ac:22:0b:44:8a:13], port => 0, username =>
"gilesh", ssid => TCSS-BYOD-Test99 (pf::radius::authorize)
Sep 26 14:20:01 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:ac:22:0b:44:8a:13] Instantiate profile default (pf::Connection::
ProfileFactory::_from_profile)
Sep 26 14:20:01 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:ac:22:0b:44:8a:13] is of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Sep 26 14:20:01 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:ac:22:0b:44:8a:13] External portal enforcement either not supported
'1' or not configured 'N' on network equipment '10.99.240.20' (pf::Switch::
externalPortalEnforcement)
Sep 26 14:20:01 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:ac:22:0b:44:8a:13] (10.99.240.20) Returning ACCEPT with Role: 220
(pf::Switch::AeroHIVE::returnRadiusAccessAccept)
Sep 26 14:20:40 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:ac:22:0b:44:8a:13] handling radius autz request: from switch_ip =>
(10.99.240.20), connection_type => Wireless-802.11-EAP,switch_mac =>
(40:18:b1:fb:d2:d5), mac => [ac:22:0b:44:8a:13], port => 0, username =>
"gilesh", ssid => TCSS-BYOD-Test99 (pf::radius::authorize)
On devices which are already registered, my vlan_filters.conf *does* get
processed and the actions properly applied.
Sep 26 14:14:57 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] Instantiate profile default (pf::Connection::
ProfileFactory::_from_profile)
Sep 26 14:14:57 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] Match rule autoreg:notempl&byod
(pf::access_filter::test)
Sep 26 14:14:57 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] Found authentication source(s) :
'local,file1,wvdc2,wvdc1' for realm 'DEFAULT' (pf::config::util::filter_
authentication_sources)
Sep 26 14:14:57 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) WARN:
[mac:2c:59:8a:13:7a:7f] Calling match with empty/invalid rule class.
Defaulting to 'authentication' (pf::authentication::match2)
Sep 26 14:14:57 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] Using sources local, file1, wvdc2, wvdc1 for
matching (pf::authentication::match2)
Sep 26 14:14:57 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] Match rule auth:notempl&byod&notchromebook
(pf::access_filter::test)
Sep 26 14:14:57 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] PID: "[email protected]",
Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Sep 26 14:14:59 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] External portal enforcement either not supported
'1' or not configured 'N' on network equipment '10.15.240.62' (pf::Switch::
externalPortalEnforcement)
Sep 26 14:14:59 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] (10.15.240.62) Returning ACCEPT with Role: 210
(pf::Switch::AeroHIVE::returnRadiusAccessAccept)
Sep 26 14:14:59 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] violation 1300003 force-closed for
2c:59:8a:13:7a:7f (pf::violation::violation_force_close)
Sep 26 14:14:59 dvpf2 packetfence_httpd.aaa: httpd.aaa(16086) INFO:
[mac:2c:59:8a:13:7a:7f] Instantiate profile default (pf::Connection::
ProfileFactory::_from_profile)
This behavior seems to be a change from what I experienced in 6.5 and in
7.2, where I made judicious use of vlan_filters.conf to autoregister
various devices to their proper homes. FWIW here is my vlan_filters.conf.
As you can see I even made a very simple filter to catch one test device by
MAC (the device I provided the output for above in fact) and it doesn't
even get processed.
[testmac]
filter = node_info.mac
operator = is
value = ac:22:0b:44:8a:13
[autoreg]
filter=node_info.autoreg
operator=is
value=yes
[WirelessEAP]
filter = connection_type
operator = is
value = Wireless-802.11-EAP
[machineauth]
filter = user_name
operator = match
value = host/
[notempl]
filter=node_info.category
operator=is_not
value=employee
[notreg]
filter=node_info.status
operator=is_not
value=reg
[byod]
filter=ssid
operator=is
value=TCSS-BYOD
[chromebook]
filter=user_name
operator=is
value=chromebook
[notchromebook]
filter=user_name
operator=is_not
value=chromebook
[byod99]
filter=ssid
operator=is
value=TCSS-BYOD-Test99
[testmac]
scope=AutoRegister
role=guest
[updatecb1:chromebook&notempl&autoreg]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,autoreg=no,notes='',category=employee
[update:chromebook&notempl]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee
[u1:WirelessEAP&machineauth&notempl&autoreg]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,autoreg=no,notes='',category=employee
[update2:WirelessEAP&machineauth&notempl]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee
###Machine Auth Autoregister (for onboarding new domain-joined pc) ###
[1:WirelessEAP&machineauth&notreg]
scope = AutoRegister
role = employee
[2:WirelessEAP&machineauth]
scope = NodeInfoForAutoReg
role = employee
###Autoregister BYOD as guest###
[autoreg:notempl&byod]
scope=AutoRegister
role=guest
[autoreg:notempl&byod99]
scope=AutoRegister
role=guest
[autoreg:notreg&byod]
scope=AutoRegister
role=guest
[autoreg:notreg&byod99]
scope=AutoRegister
role=guest
[autoreg:notreg&byod]
scope=AutoRegister
role=guest
[autoreg:notreg&byod99]
scope=AutoRegister
role=guest
###Autoreg Chromebook as employee (for onboarding chromebooks)###
[autoreg:notempl&chromebook]
scope=RegisteredRole
role=employee
[autoreg:chromebook&notreg]
scope=AutoRegister
role=employee
[autoreg:chromebook]
scope=NodeInfoForAutoReg
role=employee
###Catchall to force all to guest by default###
[auth:notempl&byod&notchromebook]
scope=RegisteredRole
role=guest
[auth:notempl&byod99&notchromebook]
scope=RegisteredRole
role=guest
Any idea what I can do to fix it? Got a lot of BYOD folks getting dropped
into the registration vlan and stuck there till I get it fixed.
Thanks,
--
Gary Stansbury
Network Engineer
Troup County Board of Education, LaGrange, GA
706-594-3928
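To check which rules of a vlan_filters.conf like the one above would fire for a given request, here is a small evaluator added as an example; it is not PacketFence's own code but an approximation of the file's semantics: sections whose name contains ':' are treated as "name:condition" rules, all other sections as filters, conditions combine filter names with '&', '|' and '!', and only the 'is', 'is_not' and 'match' operators are implemented. The embedded config is a constructed subset of the one in the message, and the shape of the request dictionary (node_info.*, ssid, user_name) is an assumption.

```python
import configparser
import re
# Constructed subset of the vlan_filters.conf quoted in the message above.
CONF = """
[notreg]
filter=node_info.status
operator=is_not
value=reg
[byod99]
filter=ssid
operator=is
value=TCSS-BYOD-Test99
[chromebook]
filter=user_name
operator=is
value=chromebook
[autoreg:notreg&byod99]
scope=AutoRegister
role=guest
[auth:byod99&!chromebook]
scope=RegisteredRole
role=guest
"""
OPS = {"is": lambda v, x: v == x, "is_not": lambda v, x: v != x,
       "match": lambda v, x: re.search(x, v) is not None}

def parse(text):
    """Sections named 'name:condition' are rules; all others define filters."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    filters = {n: dict(cp[n]) for n in cp.sections() if ":" not in n}
    rules = [n.split(":", 1) + [dict(cp[n])] for n in cp.sections() if ":" in n]
    return filters, rules

def eval_cond(cond, filters, req):
    """'a&b|!c': '&' binds tighter than '|'; a leading '!' negates one filter."""
    def term(tok):
        f = filters[tok.lstrip("!")]
        val = req  # walk dotted keys: node_info.status -> req["node_info"]["status"]
        for part in f["filter"].split("."):
            val = val.get(part, "") if isinstance(val, dict) else ""
        hit = OPS[f["operator"]](val if isinstance(val, str) else "", f["value"])
        return hit != tok.startswith("!")
    return any(all(term(t) for t in grp.split("&")) for grp in cond.split("|"))

def matching_rules(text, req, scope):
    """(rule name, role) for each rule of `scope` whose condition holds."""
    filters, rules = parse(text)
    return [(n, s["role"]) for n, c, s in rules
            if s.get("scope") == scope and eval_cond(c, filters, req)]
```

Running it with a request built from the first log excerpt (status unreg, ssid TCSS-BYOD-Test99) shows the AutoRegister rule matching on its condition alone, which is a useful baseline before looking at which scopes the running version actually evaluates for an unregistered node.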
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users