Hello John,

Your test looks good to me and the rules are ok.

"LDAP connection expired" just means that PacketFence will re-bind to the LDAP.

What I will do is the following:

[802.1x]
filter=connection_type:Wireless-802.11-EAP,connection_type:Wireless-802.11-NoEAP
sources=Test,Test_User
autoregister=enabled
locale=
access_registration_when_registered=disabled
reuse_dot1x_credentials=enabled
root_module=test


[Test]
description=Test
dynamic_routing_module=AuthModule
port=389
scope=sub
stripped_user_name=no
basedn=DC=asd,DC=local
binddn=********
email_attribute=mail
password=********
usernameattribute=servicePrincipalName
connection_timeout=10
type=AD
encryption=none
host=10.16.2.2

[Test_User]
description=Test_User
dynamic_routing_module=AuthModule
port=389
scope=sub
stripped_user_name=no
basedn=DC=asd,DC=local
binddn=********
email_attribute=mail
password=********
usernameattribute=sAMAccountName
connection_timeout=10
type=AD
encryption=none
host=10.16.2.2


As you can see there are 2 sources, one for machine auth and the other one for user auth, so the username host/IT-L-HP250.asd.local will match in the Test source (not in Test_User) and then it will compute the rules defined in Test; if the username is jtest1 then it will match in Test_User (not in Test) and compute the rules defined in Test_User.

Also pftest is useful even if you don't know the password: the authentication will fail but the authorization will return the rules that match.

Last thing: if you strip the username, then for example if you defined a realm (asd.local) and the username is like [email protected], the LDAP search will contain sAMAccountName=bob; if you don't strip, then it will be [email protected].


Regards
Fabrice
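To make the routing Fabrice describes concrete, here is an added example (my own code, not PacketFence's or anything from the thread): it models the two sources above against a constructed in-memory directory, applies the stripped-username rule for the asd.local realm, and builds the LDAP equality filter each source would send. The directory entries, REALM, the choice of which source strips, and all helper names are assumptions.

```python
import re

# Constructed in-memory directory (made-up entries, not real AD data): a computer
# object whose servicePrincipalName is multi-valued, and an ordinary user object.
DIRECTORY = [
    {"dn": "CN=IT-L-HP250,OU=Laptops,DC=asd,DC=local",
     "sAMAccountName": ["IT-L-HP250$"],
     "servicePrincipalName": ["HOST/IT-L-HP250", "HOST/IT-L-HP250.asd.local"]},
    {"dn": "CN=jtest1,OU=Youth,DC=asd,DC=local",
     "sAMAccountName": ["jtest1"],
     "servicePrincipalName": []},
]

# Mirrors the [Test] and [Test_User] sources from the thread; 'strip' models the
# "Use stripped username" option (that Test_User strips is an assumption here).
SOURCES = {
    "Test": {"attr": "servicePrincipalName", "strip": False},
    "Test_User": {"attr": "sAMAccountName", "strip": True},
}
REALM = "asd.local"  # assumed realm, as in Fabrice's example


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so a username cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def effective_username(username, strip):
    """Drop '@REALM' when stripping is on, e.g. jtest1@asd.local -> jtest1."""
    if strip and username.lower().endswith("@" + REALM):
        return username[: -len(REALM) - 1]
    return username


def build_filter(username, source):
    """The equality filter a source would send, e.g. (sAMAccountName=jtest1)."""
    cfg = SOURCES[source]
    return "(%s=%s)" % (cfg["attr"], ldap_escape(effective_username(username, cfg["strip"])))


def search(username, source):
    """Case-insensitive equality match (AD string attributes compare case-insensitively)."""
    cfg = SOURCES[source]
    name = effective_username(username, cfg["strip"]).lower()
    return [e["dn"] for e in DIRECTORY if name in [v.lower() for v in e[cfg["attr"]]]]


def matching_sources(username):
    """Sources in which the username resolves to an entry, in configured order."""
    return [s for s in SOURCES if search(username, s)]
```

The multi-valued servicePrincipalName still matches with a plain equality filter, which is why the machine account lands in Test only and jtest1 in Test_User only.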


On 2018-08-13 at 06:16, John Sayce via PacketFence-users wrote:
I think I've got it working but I haven’t tested it very thoroughly so I may be 
mistaken.  I think there's still something I'm doing wrong.

I'm using a regex match on the distinguished name still.  I started testing it 
with group membership as I thought using the distinguished name might have been 
the issue but it still didn't work so I don't think that's the case.

If I test it, I create a user account and have the Username Attribute in the 
authentication source set to sAMAccountName.  This seems to work fine:

Aug 13 10:01:50 pftest(18774) INFO: [Test] Authentication successful for jtest1 
(pf::Authentication::Source::LDAPSource::authenticate)
Aug 13 10:01:50 pftest(18774) INFO: Using sources Test for matching 
(pf::authentication::match)
Aug 13 10:01:50 pftest(18774) INFO: Matched rule (Youth) in source Test, 
returning actions. (pf::Authentication::Source::match)
Aug 13 10:01:50 pftest(18774) INFO: Using sources Test for matching 
(pf::authentication::match)



The following may require more testing to confirm it's all correct and the 
results are consistently reproducible:


When I switch to using machine authentication, I can't test using pftest with 
the correct password and I'm kind of guessing what to put in the username field 
for testing.  When I have the Username Attribute set to servicePrincipalName 
and I test with 'host/' followed by the fqdn of the host, for example 
'host/IT-L-HP250.asd.local'  this works.  But when I try this by connecting to 
the wireless network packetfence doesn't match my rule.  (I was testing on 
Saturday so I'm not sure exactly which section of the log to pick out so I 
might need to try this again to get more information.)

So I looked in active directory at the attributes and servicePrincipalName is a 
multi-value field so I didn't know if this was causing an issue?

So I changed the Username Attribute to 'name' (although I'm also not sure what 
the issue with sAMAccountName is.)  Now the previous test with pftest fails so 
I switched to using simply the hostname 'IT-L-HP250' which again matches the 
rule but fails the authentication due to not knowing the password.  However in 
this configuration when I tried connecting to the wireless it worked but I got 
the same errors in the log.  This is the log of a successful authentication and 
matching the rule:

Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] handling radius autz request: from switch_ip 
=> (10.16.20.102), connection_type => Wireless-802.11-EAP,switch_mac => (e8:39:35:65:87:56), mac 
=> [80:56:f2:15:b8:a9], port => 88, username => "host/IT-L-HP250.asd.local", ssid => 
test (pf::radius::authorize)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] is doing machine 
auth with account 'host/IT-L-HP250.asd.local'. (pf::radius::authorize)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Instantiate 
profile 802.1x (pf::Portal::ProfileFactory::_from_profile)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Memory 
configuration is not valid anymore for key resource::authentication_sources in 
local cached_hash (pfconfig::cached::is_valid)
Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] Calling match 
with empty/invalid rule class. Defaulting to 'authentication' 
(pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources 
Test for matching (pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) ERROR: [mac:80:56:f2:15:b8:a9] Error binding 
'Connection reset by peer' (pf::LDAP::bind)
Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] LDAP connection 
expired (pf::LDAP::expire_if)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule 
(Internal) in source Test, returning actions. 
(pf::Authentication::Source::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources 
Test for matching (pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) ERROR: [mac:80:56:f2:15:b8:a9] Error binding 
'Connection reset by peer' (pf::LDAP::bind)
Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] LDAP connection 
expired (pf::LDAP::expire_if)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule 
(Internal) in source Test, returning actions. 
(pf::Authentication::Source::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] violation 
1300003 force-closed for 80:56:f2:15:b8:a9 
(pf::violation::violation_force_close)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Instantiate 
profile 802.1x (pf::Portal::ProfileFactory::_from_profile)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources 
Test for matching (pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule 
(Internal) in source Test, returning actions. 
(pf::Authentication::Source::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources 
Test for matching (pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule 
(Internal) in source Test, returning actions. 
(pf::Authentication::Source::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Username was defined 
"host/IT-L-HP250.asd.local" - returning role 'RUFCInternal' 
(pf::role::getRegisteredRole)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] PID: 
"host/IT-L-HP250.asd.local", Status: reg Returned VLAN: (undefined), Role: 
RUFCInternal (pf::role::fetchRoleForNode)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] (10.16.20.102) 
Added VLAN 15 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)
Aug 11 11:48:57 httpd.aaa(12652) INFO: [mac:b8:03:05:a8:92:e7] Updating 
locationlog from accounting request (pf::api::handle_accounting_metadata)

Now the "Error binding 'Connection reset by peer' (pf::LDAP::bind)" seems fairly 
critical, but it still seems to be working.

I've got "Use stripped username" ticked and I'm now wondering if this might be the issue?  I did 
lots of testing changing the "Base DN" and "Scope" fields along with the rule criteria.  
I can't say I got consistent results.  Sometimes it seemed to work, and sometimes not, but this may have been 
because I was making other mistakes.

I've attached sanitised versions of profiles.conf and authentication.conf


Thanks

-----Original Message-----
From: Durand fabrice via PacketFence-users 
[mailto:[email protected]]
Sent: 11 August 2018 02:52
To: [email protected]
Cc: Durand fabrice <[email protected]>
Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates.....

Hello John,

In the packetfence.log file you will be able to see which source the username 
matches.

Also you can use pftest authentication bob "" to test the rules.

If you want you can send me the authentication.conf (remove confidential data) 
and profiles.conf file and I will probably find what the issue is.

Regards

Fabrice



On 2018-08-09 at 08:16, John Sayce via PacketFence-users wrote:
Sorry, I realised it's not setting the role because I was using the attribute 
sAMAccountName rather than servicePrincipalName.

However I'm still not quite sure how to apply two different roles as discussed 
in Section 8.  I've added both sources with different roles to my profile but 
it appears to authenticate with the first source ignoring the Base DN.



-----Original Message-----
From: John Sayce via PacketFence-users
[mailto:[email protected]]
Sent: 09 August 2018 08:02
To: '[email protected]'
<[email protected]>
Cc: John Sayce <[email protected]>
Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates.....

Got the certificate sorted, that was pretty straightforward when I actually 
followed things through.

I am still having issues with role assignment.  At the moment I've only got one 
role and one authentication source with a rule to apply a role without any 
conditions in my authentication source, but the role doesn't apply.  I'm not 
really sure how to debug things though?

I followed section 5.5 to create a connection profile
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_configuring_the_connection_profile

Ideally I'd like to do something like section 8,
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_introduction_to_role_based_access_control
Such that there are two authentication sources with different "Base DN" and 
this leads to the application of two different roles.

John

-----Original Message-----
From: Durand fabrice via PacketFence-users
[mailto:[email protected]]
Sent: 04 August 2018 02:19
To: [email protected]
Cc: Durand fabrice <[email protected]>
Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates.....

Hello John,


On 2018-08-03 at 11:18, John Sayce via PacketFence-users wrote:
Hi,

I've set up 802.1x for my wireless.  I initially started using NPS but it didn't 
have the flexibility I wanted for dynamic VLAN assignment.  So I've setup 
packetfence and my clients can authenticate but they're not getting assigned 
the roles I'd like, to then go in the appropriate VLAN.

Specifically I want to assign roles based on organisational unit.  Am I 
correct, that the (best) way to do this is to create an active directory source 
for each role with a rule that then checks the distinguished name to get the 
organisational unit with the action to assign the appropriate role?  As I say, 
at the moment this doesn't appear to work, but I haven't tried to debug it yet, 
so I might have made a silly mistake somewhere.
As I remember, a DN cannot be used for an ldapsearch 
(https://www.openldap.org/lists/openldap-software/200503/msg00520.html) 
but maybe I am wrong.
The better way to test it will be to configure a rule like distinguishedName regex 
ou=blablabla and use pftest to see if the rule matches.
Btw I prefer to use groupMembership for that.
Initially I set up the client to skip verification of the server's certificate to see the 
radius requests coming in.  Later I re-enabled the verification and added the 
certificates to the trusted root store but received an error about a valid trust anchor 
for this profile.  I believe I can override this by specifying the specific certificate 
in group policy but I didn't really understand the error message.  Ultimately I have a 
Microsoft PKI setup so I'd like to assign a certificate from this.  The manual says I 
then edit the "/usr/local/pf/conf/radiusd/eap.conf" and point the relevant 
settings at the certificates files approved by my Microsoft PKI.  Is that sufficient?  
And will I still get the error about a valid trust anchor?  I don't believe I encountered 
that issue with NPS.
NPS knows the Microsoft PKI, so by default I think there is already a 
certificate for it.
So you will need to generate a certificate on the PKI for the RADIUS server 
(https://github.com/inverse-inc/packetfence/blob/devel/docs/pki/microsoft.asciidoc#radius-certificate-generation).

With that you will probably no longer have the valid trust anchor error with the 
device joined to the domain, but you will still have it for the rest (you need 
to install the CA public key on each device).
Regards
Fabrice

Thanks
John
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech 
sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users