So I'm working remotely at the moment. The floating address I have configured
is 00:11:22:33:44:55 and I'm using the portal preview feature, so if that's not
going to work I understand, although I did also test it on site. I can't see
anything mentioning the vlan filter in the log. It's as follows:
Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Unable to
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:unknown] Unable to match MAC
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] Unable to
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:unknown] Unable to match MAC
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Unable to
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55]
Authenticating user using sources : ASD
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] [ASD]
Authentication successful for jsayce
(pf::Authentication::Source::LDAPSource::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55]
Authentication successful for 'jsayce' in source ASD (AD)
(pf::authentication::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Successfully
authenticated jsayce
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Using sources
ASD for matching (pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule
(AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] The DAY is
today or before today. Setting date to next year (pf::config::try {...} )
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Using sources
ASD for matching (pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule
(AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58301) WARN: [mac:unknown] Unable to match MAC
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] Unable to
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] No
provisioner found for 00:11:22:33:44:55. Continuing.
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] violation
1300003 force-closed for 00:11:22:33:44:55
(pf::violation::violation_force_close)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:unknown] Unable to match MAC
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Releasing
device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Can't
re-evaluate access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)
-----Original Message-----
From: Durand fabrice via PacketFence-users
[mailto:[email protected]]
Sent: 16 February 2018 03:08
To: John Sayce via PacketFence-users <[email protected]>
Cc: Durand fabrice <[email protected]>
Subject: Re: [PacketFence-users] Radius Filter
You are supposed to see in the packetfence.log file if the filter matches; do
you see it?
On 2018-02-09 at 11:28, John Sayce via PacketFence-users wrote:
> I've given it a go but it doesn't seem to apply.
>
> I simplified it further to:
>
> [mac]
> filter = node_info.mac
> operator = match
> value = 00:11:22:33:44:55
>
> [2:mac]
> scope = RegisteredRole
> role = REJECT
>
> This didn't seem to apply either. Am I missing something obvious? Is there
> a way to debug this?
>
> John
>
> -----Original Message-----
> From: Fabrice Durand via PacketFence-users
> [mailto:[email protected]]
> Sent: 06 February 2018 14:06
> To: [email protected]
> Cc: Fabrice Durand <[email protected]>
> Subject: Re: [PacketFence-users] Radius Filter
>
> Hello John,
>
> something like that in the vlan filters should work:
>
>
> [ssid]
> filter = ssid
> operator = is
> value = OPENSSID
>
> [role]
> filter = node_info.category
> operator = match
> value = SOMEROLE
>
> [1:ssid&role]
> scope = RegisteredRole
> role = REJECT
>
>
> Regards
>
> Fabrice
>
>
>
> On 2018-02-06 at 08:46, John Sayce via PacketFence-users wrote:
>> I'm looking for a little guidance. I've got two SSIDs, one open and
>> one secured. They both use mac auth against packetfence. I don't
>> want the clients that are registered for certain roles to connect to
>> the unsecured SSID. Can I use a radius filter (or possibly a vlan
>> filter) to match the SSID and role to reject the clients? Something
>> like
>>
>> [ssid]
>> filter = ssid
>> operator = is
>> value = OPENSSID
>>
>> [role]
>> filter = user_role
>> operator = is
>> value = SOMEROLE
>>
>> [1:ssid&role]
>> scope = returnRadiusAccessAccept
>> merge_answer = no
>> answer1 = RLM_MODULE_REJECT?
>>
>> Not really sure how to reject the radius request.
>>
>> Thanks
>> John Sayce
>>
>> ----------------------------------------------------------------------
>> -------- Check out the vibrant tech community on one of the world's
>> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca Inverse inc.
> :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
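Added example (not part of the original thread and not PacketFence code): a small triage script for the question asked above, whether the filter shows up in the log for the test MAC. It rejoins the mail-wrapped entries, then lists the warnings for that MAC and any entry mentioning a filter. It assumes a filter evaluation would carry the word "filter" in its message or logging function name, which is not confirmed by the thread.

```python
import re
from collections import Counter

# Constructed sample: four entries copied from the log in this thread,
# keeping the hard line wrapping applied by the mail client.
SAMPLE = """\
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule
(AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Can't
re-evaluate access because no open locationlog entry was found
(pf::enforcement::reevaluate_access)
"""

START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<proc>[\w.]+)\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[^\]]+)\] (?P<msg>.*) \((?P<func>[^()]*?)\s*\)$"
)

def unwrap(text):
    """Rejoin wrapped entries; a new entry begins with a syslog-style timestamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and (START.match(line) or not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def parse(text):
    """Return one dict per entry (ts, proc, pid, level, mac, msg, func)."""
    matches = (ENTRY.match(e) for e in unwrap(text))
    return [m.groupdict() for m in matches if m]

def triage(text, mac):
    """Summarise the entries for one MAC: filter mentions and distinct warnings."""
    rows = [r for r in parse(text) if r["mac"].lower() == mac.lower()]
    # Assumption: a filter evaluation mentions "filter" in its message or function.
    hits = [r for r in rows if "filter" in (r["msg"] + " " + r["func"]).lower()]
    warns = Counter((r["func"], r["msg"]) for r in rows if r["level"] == "WARN")
    return {"entries": len(rows), "filter_hits": hits, "warnings": warns}

if __name__ == "__main__":
    report = triage(SAMPLE, "00:11:22:33:44:55")
    print(report["entries"], len(report["filter_hits"]), dict(report["warnings"]))
```

On the sample this reports no filter entries and two distinct warnings, the last being the missing open locationlog entry in pf::enforcement::reevaluate_access.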