Okay, thanks. I've got it working now. I thought the problem was the same in a real-world test; however, the problem on site appeared to be one of our access points being difficult when receiving updates.
John

-----Original Message-----
From: Durand fabrice via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: 18 February 2018 18:45
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Radius Filter

Hello John,

it can't work with portal preview since the filter uses the radius request.
It must be a real test.

Regards
Fabrice

On 2018-02-16 at 05:37, John Sayce via PacketFence-users wrote:
> So I'm working remotely at the moment. The floating address I have
> configured is 00:11:22:33:44:55 and I'm using the portal preview feature, so
> if that's not going to work I understand, although I did also test it on
> site. I can't see anything mentioning the vlan filter in the log. It's as
> follows:
>
> Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate profile Internal (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:unknown] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate profile Internal (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:unknown] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate profile Internal (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Instantiate profile Internal (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Authenticating user using sources : ASD (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] [ASD] Authentication successful for jsayce (pf::Authentication::Source::LDAPSource::authenticate)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Authentication successful for 'jsayce' in source ASD (AD) (pf::authentication::authenticate)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce has authenticated on the portal. (Class::MOP::Class:::after)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source ASD in session. (Class::MOP::Class:::around)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source ASD in session. (Class::MOP::Class:::around)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Successfully authenticated jsayce (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source ASD in session. (Class::MOP::Class:::around)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source ASD in session. (Class::MOP::Class:::around)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source ASD in session. (Class::MOP::Class:::around)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce has authenticated on the portal. (Class::MOP::Class:::after)
> Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Using sources ASD for matching (pf::authentication::match)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule (AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
> Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] The DAY is today or before today. Setting date to next year (pf::config::try {...} )
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source ASD in session. (Class::MOP::Class:::around)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce has authenticated on the portal. (Class::MOP::Class:::after)
> Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Using sources ASD for matching (pf::authentication::match)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule (AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source ASD in session. (Class::MOP::Class:::around)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source ASD in session. (Class::MOP::Class:::around)
> Feb 16 09:52:33 httpd.portal(58301) WARN: [mac:unknown] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate profile Internal (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce has authenticated on the portal. (Class::MOP::Class:::after)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] No provisioner found for 00:11:22:33:44:55. Continuing. (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce has authenticated on the portal. (Class::MOP::Class:::after)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce has authenticated on the portal. (Class::MOP::Class:::after)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] violation 1300003 force-closed for 00:11:22:33:44:55 (pf::violation::violation_force_close)
> Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:unknown] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate profile Internal (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Releasing device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
> Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] User default has authenticated on the portal. (Class::MOP::Class:::after)
> Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
> Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
>
> -----Original Message-----
> From: Durand fabrice via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
> Sent: 16 February 2018 03:08
> To: John Sayce via PacketFence-users <packetfence-users@lists.sourceforge.net>
> Cc: Durand fabrice <fdur...@inverse.ca>
> Subject: Re: [PacketFence-users] Radius Filter
>
> You are supposed to see in the packetfence.log file if the filter matches, do you
> see it?
>
>
> On 2018-02-09 at 11:28, John Sayce via PacketFence-users wrote:
>> I've given it a go but it doesn't seem to apply.
>>
>> I simplified it further to:
>>
>> [mac]
>> filter = node_info.mac
>> operator = match
>> value = 00:11:22:33:44:55
>>
>> [2:mac]
>> scope = RegisteredRole
>> role = REJECT
>>
>> This didn't seem to apply either. Am I missing something obvious? Is
>> there a way to debug this?
>>
>> John
>>
>> -----Original Message-----
>> From: Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
>> Sent: 06 February 2018 14:06
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Fabrice Durand <fdur...@inverse.ca>
>> Subject: Re: [PacketFence-users] Radius Filter
>>
>> Hello John,
>>
>> something like that in the vlan filters should work:
>>
>>
>> [ssid]
>> filter = ssid
>> operator = is
>> value = OPENSSID
>>
>> [role]
>> filter = node_info.category
>> operator = match
>> value = SOMEROLE
>>
>> [1:ssid&role]
>> scope = RegisteredRole
>> role = REJECT
>>
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2018-02-06 at 08:46, John Sayce via PacketFence-users wrote:
>>> I'm looking for a little guidance. I've got two SSIDs, one open and
>>> one secured. They both use mac auth against packetfence. I don't
>>> want the clients that are registered for certain roles to connect to
>>> the unsecured SSID. Can I use a radius filter (or possibly a vlan
>>> filter) to match the SSID and role to reject the clients? Something
>>> like
>>>
>>> [ssid]
>>> filter = ssid
>>> operator = is
>>> value = OPENSSID
>>>
>>> [role]
>>> filter = user_role
>>> operator = is
>>> value = SOMEROLE
>>>
>>> [1:ssid&role]
>>> scope = returnRadiusAccessAccept
>>> merge_answer = no
>>> answer1 = RLM_MODULE_REJECT?
>>>
>>> Not really sure how to reject the radius request.
>>>
>>> Thanks
>>> John Sayce
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's
>>> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>> --
>> Fabrice Durand
>> fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc.
>> :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
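
An added example, not part of the original thread and not PacketFence code: a small triage script for log lines in the layout quoted in the thread. For one MAC address it reports which processes logged entries, whether any entry mentions a filter, and whether the "no open locationlog entry" warning appears. The function name `triage` and the selection of sample lines are this example's own.

```python
import re
from collections import Counter

# Log line layout as it appears in the thread's excerpt:
# "<date> <process>(<pid>) <LEVEL>: [mac:<mac>] <message> (<caller>)"
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<proc>[\w.]+)\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[^\]]+)\] (?P<msg>.*)$"
)

# Sample input: five entries copied from the excerpt quoted in the thread.
SAMPLE = """\
Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:unknown] Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Authentication successful for 'jsayce' in source ASD (AD) (pf::authentication::authenticate)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Releasing device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
"""


def triage(log_text, mac):
    """Summarise what the log shows for one MAC address."""
    procs, filter_lines, no_locationlog, skipped = Counter(), [], False, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            skipped += bool(raw.strip())  # count unparsable, non-empty lines
            continue
        if m["mac"].lower() != mac.lower():
            continue
        procs[m["proc"]] += 1
        if "filter" in m["msg"].lower():
            filter_lines.append(m["msg"])
        if "no open locationlog entry" in m["msg"]:
            no_locationlog = True
    return {
        "processes": dict(procs),
        "portal_only": bool(procs) and set(procs) == {"httpd.portal"},
        "filter_lines": filter_lines,
        "no_locationlog": no_locationlog,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE, "00:11:22:33:44:55").items():
        print(f"{key}: {value}")
```

A result with `portal_only` true and an empty `filter_lines` list corresponds to what the thread describes: only captive-portal entries were logged for that MAC, and none of them mention the filter.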