Hello John,

It can't work with portal preview since the filter uses the RADIUS request.

It must be a real test.

Regards

Fabrice



On 2018-02-16 at 05:37, John Sayce via PacketFence-users wrote:
So I'm working remotely at the moment.  The floating address I have configured 
is 00:11:22:33:44:55 and I'm using the portal preview feature, so if that's not 
going to work I understand, although I did also test it on site.  I can't see 
anything mentioning the vlan filter in the log.  It's as follows:

Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
Authenticating user using sources : ASD 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] [ASD] 
Authentication successful for jsayce 
(pf::Authentication::Source::LDAPSource::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
Authentication successful for 'jsayce' in source ASD (AD) 
(pf::authentication::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Successfully 
authenticated jsayce 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Calling match 
with empty/invalid rule class. Defaulting to 'authentication' 
(pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Using sources 
ASD for matching (pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule 
(AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] The DAY is 
today or before today. Setting date to next year (pf::config::try {...} )
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Calling match 
with empty/invalid rule class. Defaulting to 'authentication' 
(pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Using sources 
ASD for matching (pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule 
(AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58301) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] No 
provisioner found for 00:11:22:33:44:55. Continuing. 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] violation 
1300003 force-closed for 00:11:22:33:44:55 
(pf::violation::violation_force_close)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Releasing 
device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] User default 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] re-evaluating 
access (manage_register called) (pf::enforcement::reevaluate_access)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Can't 
re-evaluate access because no open locationlog entry was found 
(pf::enforcement::reevaluate_access)

-----Original Message-----
From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 16 February 2018 03:08
To: John Sayce via PacketFence-users <packetfence-users@lists.sourceforge.net>
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Radius Filter

You are supposed to see in the packetfence.log file if the filter matches; do you see
it?


On 2018-02-09 at 11:28, John Sayce via PacketFence-users wrote:
I've given it a go but it doesn't seem to apply.

I simplified it further to:

[mac]
filter = node_info.mac
operator = match
value = 00:11:22:33:44:55

[2:mac]
scope = RegisteredRole
role = REJECT

This didn't seem to apply either.  Am I missing something obvious?   Is there a 
way to debug this?

John

-----Original Message-----
From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 06 February 2018 14:06
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Radius Filter

Hello John,

Something like that in the vlan filters should work:


[ssid]
filter = ssid
operator = is
value = OPENSSID

[role]
filter = node_info.category
operator = match
value = SOMEROLE

[1:ssid&role]
scope = RegisteredRole
role = REJECT


Regards

Fabrice



On 2018-02-06 at 08:46, John Sayce via PacketFence-users wrote:
I'm looking for a little guidance.  I've got two SSIDs, one open and
one secured.  They both use mac auth against packetfence.  I don't
want the clients that are registered for certain roles to connect to
the unsecured SSID.  Can I use a radius filter (or possibly a vlan
filter) to match the SSID and role to reject the clients?  Something
like

[ssid]
filter = ssid
operator = is
value = OPENSSID

[role]
filter = user_role
operator = is
value = SOMEROLE

[1:ssid&role]
scope = returnRadiusAccessAccept
merge_answer = no
answer1 =  RLM_MODULE_REJECT?

Not really sure how to reject the radius request.

Thanks
John Sayce

----------------------------------------------------------------------
-------- Check out the vibrant tech community on one of the world's
most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca Inverse inc. 
:: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
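
A simplified model of how the conditions and the numbered rules posted in this thread (`[1:ssid&role]`, `[2:mac]`) combine for one request. It is an added example, not PacketFence code and not written by either poster. Assumptions: `is` is string equality, `match` is a regex search, `&` is the only combinator handled, rules are tried in numeric order, and the request dictionary layout is constructed.

```python
import configparser
import re
# Constructed sample: the conditions and rules posted in the thread, in one file.
VLAN_FILTERS = """
[ssid]
filter = ssid
operator = is
value = OPENSSID
[role]
filter = node_info.category
operator = match
value = SOMEROLE
[mac]
filter = node_info.mac
operator = match
value = 00:11:22:33:44:55
[1:ssid&role]
scope = RegisteredRole
role = REJECT
[2:mac]
scope = RegisteredRole
role = REJECT
"""

def lookup(request, dotted):
    """Resolve a dotted path such as node_info.category in a nested dict."""
    for key in dotted.split("."):
        request = request.get(key) if isinstance(request, dict) else None
    return request

def holds(cond, request):
    """Assumed semantics: 'is' = equality, anything else = regex search."""
    actual = lookup(request, cond["filter"])
    if actual is None:
        return False
    if cond["operator"] == "is":
        return actual == cond["value"]
    return re.search(cond["value"], actual) is not None

def evaluate(text, scope, request):
    """Return the role of the lowest-numbered matching rule in scope, else None."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    rules = sorted((s for s in cp.sections() if ":" in s),
                   key=lambda s: int(s.split(":")[0]))
    for rule in rules:
        conds = rule.split(":", 1)[1].split("&")
        if cp[rule]["scope"] == scope and all(holds(cp[c], request) for c in conds):
            return cp[rule]["role"]
    return None
```

Every condition reads a field of the request being evaluated, so a field that is absent never satisfies a rule.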

